Police falsely reported cars as stolen to gain access to powerful databases that record number plates when hunting for the women whose travel sparked the Northland Covid-19 lockdown last October.
Detectives identified the cars associated with the women then listed the vehicles as stolen which opened access to Automatic Number Plate Recognition systems operated by two private-sector companies with a massive network of CCTV cameras.
Those companies - Auror and Safer Cities - operate cameras across petrol stations, shopping malls, big box stores, supermarkets and other shared public spaces.
A lawyer says revelations that police falsely reported a car stolen to gain access to private companies' CCTV camera networks could undermine trust and cause information holders to question whether future requests from police were legitimate and lawful.
Police have confirmed that by inventing a crime and falsely listing the vehicles as "stolen" it allowed access to the powerful tracking capabilities of the privately owned systems.
Deputy Prime Minister Grant Robertson said the situation concerns him, saying he expects police to act inside the law at all times.
Robertson told AM that police had not given him a heads up about the revelations.
"I'm not aware of that story at all, obviously I recall the incident at the time and certainly the police were involved, I'm aware of that in terms of trying to locate the people in concern."
He said police falsely reporting cars as stolen was "quite clearly" concerning.
"The police have many ways that they're able to track people and follow people and get information so we always expect the police to act inside the law so clearly, I would be concerned if that were true."
The boom in privately held cameras to which police have access was spurred by the security and debt-recovery options it offers businesses signed up to the networks. It has previously sparked concern from the Privacy Commissioner.
Under information-sharing agreements, police have access to the databases and have extended the length of time the companies hold number plate information from 48 hours in 2014 out to a maximum of 12 months.
Documents released through the Official Information Act showed police from detective to detective inspector rank detailing the false registering of a car as stolen up to the point they got the information sought and then removing the "stolen" tag.
Those officers refer in emails to accessing the Auror and Safer Cities' VGRID systems which offer automatic number plate recognition. The documents show there were "hits" through the Auror system which allowed officers to track the women to a BP in Whangārei and then access CCTV footage of them at the petrol station.
One "job sheet" released with the documents showed an officer tasked with "locating the following person of interest to the investigation who had recently tested positive for Covid-19".
The document went on to list an individual's details - redacted for privacy - and said she "was most likely in possession of and operating the following vehicles", which were also listed and redacted for privacy.
The detective then stated: "After the briefing I entered a stolen alert for the [redacted] in the NIA [police's National Intelligence Application database] system should the vehicle be sighted by a police unit or ANPR capable camera systems."
Five days later, the head of the investigation dubbed Operation Hiking, Detective Inspector Aaron Proctor, was told by email the number plate had "triggered [an] ANPR camera" and the "stolen" alert had been removed.
A spokesperson for Police National Headquarters said it was not known whether officers had falsely reported cars as stolen on other occasions so as to access the powerful network of cameras.
"A vehicle should not be entered into a police database as stolen unless circumstances indicate it is stolen."
The spokesperson said police could track number plates against any vehicles across ANPR - automated recognition - cameras that were owned by police or operated by police, as is the case with some council-owned systems.
In those cases, the spokesperson said, "it is not necessary for a vehicle to be entered as stolen to generate an alert".
But police-owned and -operated systems are the smaller fraction of a nationwide CCTV network of which the largest part is privately owned cameras.
The police headquarters spokesperson said: "In respect of third-party ANPR systems, only vehicles with stolen alerts entered will be automatically detected by ANPR cameras."
"In the matter of Operation Hiking, this was a unique set of circumstances where police were aiding the Medical Officer of Health to locate persons considered at the time to be a health risk."
A spokesperson said the agreement with the third-party providers meant officers could have provided individual vehicle registration numbers to the companies to activate tracking systems because "information indicated a serious risk to public health existed".
The statement from Police National Headquarters did not explain why this did not happen.
"It would have been preferable for the vehicles' registration number to be entered as 'sought' rather than 'stolen' in NIA which would have still generated an alert on any police-owned ANPR camera."
Barrister Felix Geiringer said the onus was on the holder of the information to allow access for reasons they assessed were proper.
He said it might previously have been enough for police to simply say a vehicle was "stolen" but evidence that the companies had been misled on this occasion meant assurance might not now be enough.
Geiringer successfully took police and Westpac to task over exploiting the Privacy Act to gain access to writer Nicky Hager's personal information in the wake of the 2014 publication of the book Dirty Politics.
Police had provided banks and other companies holding data with official-looking forms which requested access to personal information citing an exception in the Privacy Act. The practice misconstrued the way the exception worked because it required those holding personal information to have information showing "reasonable grounds" before releasing it to police.
Geiringer said: "The act requires the holder to be satisfied the exception applied. [If] police come to tell you a specific car is stolen, when it was stolen, and that they're trying to recover it, [it] probably is reasonable to pass on that information.
"But they have to assess the information the police have given them and be satisfied that it provides reasonable grounds that the exception applies."
He said the discovery police had falsely reported a car stolen had the potential to change future events as it undermined the trust the information holder could have in what they were told.
"It means that it may no longer be enough for the police to assert that it's stolen. Was this a one-off, or have the police been habitually making false claims that cars were stolen? If it is the latter, then an assertion from the police may no longer provide reasonable grounds."
A spokeswoman for Auror said the company would be seeking assurance from police to make sure "correct platform procedures are followed at all times". She said it had also offered to support further training for police using the system.
She said it was unclear why police didn't access the ANPR information through the "emergency powers process" which would have been in line with the Search and Surveillance Act.
The spokeswoman said the company took privacy seriously. She also said police access to its systems - in line with the law - helped police "build stronger and safer communities".
Safer Cities was also contacted for comment for this article.