Privately-owned CCTV cameras are far greater in number than those owned or operated by police. Photo / Michael Craig
Police are considering auditing their use of the privately-owned surveillance network they accessed by creating a false report of a stolen car.
The Herald revealed this week that detectives had invented the false crime during their hunt for the three women whose trip to Northland in October sparked a regional lockdown after one tested positive for Covid-19.
Documents released through the Official Information Act show officers involved in the hunt - dubbed Operation Hiking by police - made casual references to accessing the network by reporting a vehicle or vehicles linked to the women as "stolen".
Once the network alerted police to a sighting, detectives then talked about removing the "stolen" status from the vehicle.
By doing so, it offered a fast-track to systems operated by Auror and Safer Cities, private companies with thousands of surveillance cameras in service stations, shopping malls, supermarkets and big box retail stores across the country.
The powerful cameras scan and register number plate information which can either be searched by police or registered to issue an alert if the car is spotted.
In a statement to the Herald, the Office of the Privacy Commissioner said it had questions about the robustness of the police review and audit processes.
"Police is reported to have misled the agency responsible for the Safer Cities ANPR database by stating that the information was required for a purpose that is different to the purpose for which it was ultimately sought.
"Should this be the case, this collection may have bypassed the privacy protections that Safer Cities and Police agreed to in allowing Police to access the ANPR database at the time."
Automated number plate recognition (ANPR) is information increasingly provided to third parties.
Use of ANPR data to identify an individual is covered by the Privacy Act and other relevant legislation and powers, such as search and surveillance.
"The reported incident, together with systemic issues uncovered in the recent OPC/IPCA Joint Inquiry, has raised questions in our minds regarding the robustness of [the] police review and audit processes and practice with respect to appropriate use of ANPR platforms, both those owned by Police and those provided by third parties," the Office of the Privacy Commissioner said.
Police have updated its policies and procedures manual with respect to use of ANPR.
"We have asked police to confirm to what extent the new policy has been implemented, particularly monitoring and audit of access and use and the provision of training to staff," the Office of the Privacy Commissioner said.
"We have asked police to provide us with assurance regarding the robustness of their ANPR access and use monitoring and auditing practice. We have also asked for information regarding the provision of training to staff in the appropriate use of ANPR."
In the wake of the Herald's story, Police Minister Chris Hipkins said he would also be seeking assurances from police.
"They are having a look now to find out exactly what happened to make sure that everybody who uses the platform knows exactly what the rules and the procedures around the use of it are."
A spokeswoman for Auror also said the company would be checking with police whether its system was being used properly.
A police spokesman has now said the same question could be asked by police who had already taken the step of reminding its staff of its policy on using systems with automatic number plate recognition (ANPR) capabilities.
New information from police headquarters showed that around 6000 staff had the ability to access ANPR systems and carried out around 327,000 checks each year. Police and council operate a fraction of the thousands of ANPR-capable cameras in the country.
"Work will also begin on a review of training in the use of ANPR technology. Police are also looking to conduct an audit to confirm that the platform – which is a highly valuable investigative tool – is being used appropriately."
The spokesman said police had also reviewed their training guidelines for staff which "specifically highlights that vehicles should not be classified 'stolen' in NIA [National Intelligence Application] if the sole purpose is to track that vehicle when it hasn't been reported as stolen".
When the Herald asked police about using the exploit to access the Auror and Safer Cities' VGRID system in October, a spokesman said that for "third-party ANPR systems … only vehicles with stolen alerts entered will be automatically detected".
"A vehicle should not be entered into a police database as stolen unless circumstances indicate it is stolen."
In the case of Operation Hiking, police said it would have been "preferable" to have entered the vehicles as "seeking" and not "stolen" although it would have restricted the ability to get alerts to police-owned systems.
It also emerged that police could have lawfully approached Auror with an individual car registration number to ask it be searched for on the basis "a serious risk to public health existed". Doing so would have had the same outcome although - it appeared - with more paperwork involved.
It has emerged the women - described as prostitutes at one stage and accused of using false information - faced no charges because police found they were pursuing legitimate business activities when one of them became sick.
It also emerged that the travel exception they got to travel through the border should have been declined but was approved by a government worker by mistake, leading to the lockdown.
Barrister Felix Geiringer - who had successfully challenged police over a Privacy Act exploit to get banking information - said the onus lay with the companies that held the information to believe there was good reason to make it available to police.
In this instance, he said it could be that police misusing the system in this case could require greater levels of information to be disclosed in future to justify access.