Photo by Scott Rodgerson on Unsplash
US police have access to a wide range of databases that they can use to look up and misuse information about people. This can result in humiliating and bad decisions, sometimes causing long-term damage to people’s lives. In-depth research by Rights & Security International and PI reveals the impact of this, arguing for more effective limits on what kinds of personal information police in the US – and everywhere – can view, when and why.
There’s a haunting connection between the following set of seemingly random events: A group of friends in Michigan driving to buy a space heater in a car with a temporary license plate. A woman and her partner visiting a 7-Eleven in Virginia. A woman in Washington state drying her hair in her bathroom at home. A man in Pennsylvania getting arrested for a murder he definitely did not commit – and being held in jail for 17 months. A man in Georgia bringing his ID to his local police station to prove that he is who he says he is. A man in New Mexico calling the police for help during a fight with his sister. A 14-year-old Texas girl being deported to Colombia. A SWAT team raiding the home of a terrified Ohio man.
You might struggle to spot the link – but all of these people, and many more, have experienced the life-altering consequences of US police misusing their warrantless access to large collections of personal data. This misuse of people’s data, which has very few safeguards, has resulted in people being stopped, harassed, arrested or imprisoned – or being surrounded by officers with their guns drawn, or having their doors broken down. In many cases, people who have done nothing wrong have ended up with their lives torn apart because of inaccurate datasets or officers’ flawed dependence on what appears on the screen.
An in-depth, years-long investigation by Rights & Security International and PI reveals the extent of over-reliance by US police officers on databases that can be excessive in size, erroneous in content, and often mediated by the interests of private profit. Officers’ misuse of these databases, which require no warrant or court order, is harming innocent people and widening the power gap between police and the public. We found that this misuse has ties to race and gender, resulting in mistaken or needless stops of Black people and, at times, stalking or other violence against women.
Officers in the US are usually armed, and with guns in the mix, this misuse of databases can lead to trauma, injury or death.
Our investigation into federal civil lawsuits brought by people who said officers’ database misuse had contributed to civil rights violations against them points to patterns of mistakes and abuses – ones that have persisted over years and have extended across the US. While our investigation concerned only police and not immigration authorities or intelligence agencies, readers of the report should consider the potential implications of these often-flawed databases, or the harms that can be wrought even with accurate data, for those targeted by ICE or other federal bodies. Recent debates continue to raise issues such as ICE’s problematic contracts with private companies, warrantless searches of potentially sensitive information, and the role of AI companies in mass surveillance.
Government agencies in the US and elsewhere need to be much more transparent about what data they hold or have access to, and what they use it for – and much stricter rules are needed to limit police access to records and ensure that any data held is accurate. Changes to the law will be needed to stop the rights violations, empower people and courts to fight back, and correct gaps such as the ‘data broker loophole’. The need for such changes has been known for some time, with attempts underway at both state and federal levels.
To understand the impact of police (mis)use of data, we examined records from more than 130 federal civil lawsuits in the US that provided evidence of police misuse of large datasets. Over-reliance on datasets is flawed in principle: it can be a distraction or a diversion for officers who are at risk of succumbing to ‘automation bias’, accepting the result of lookups in place of other available evidence. It can also feed into confirmation bias or enable harmful shortcuts leading to wrong decisions. Our research highlights the devastating real-world consequences that poor dataset-based policing can have: wrongful detention, unjustified imprisonment, and injury, as well as the indignities and other dangers of race- or gender-related harms.
While the events in these cases were often disputed, our analysis relies – wherever possible – on facts that were agreed between the parties or other evidence from the case record. Many of the cases were ultimately dismissed after a judge found that the officers had ‘qualified immunity’ – a controversial concept that has been the subject of intense public debate in the US since the killing of Minnesotan George Floyd and related protests in 2020. Indeed, the judge in one of these cases fiercely criticised the ‘qualified immunity’ rule before concluding that he had no choice but to apply it.
Police officers in the US are able to look up information in government and private-sector databases without a warrant or any other court order. The databases frequently hold flawed, outdated or simply erroneous information, but can be shockingly detailed in terms of the purported information they contain. Every move you make (in both the real world and online) can end up being recorded in databases that police officers can access, almost at will. Your license plate records, your history of other interactions with law enforcement, your family and business relationships, your social media materials. Information that used to require a trip to the archives can now be accessed with the touch of a button.
This almost unrestricted access has led to abuses of power, particularly against people who faced racism, sexism or other bias in the first place. Officers can and do look up Black people, women and others who are simply driving by, or who catch their eye for any reason at all.
Our report describes nearly 40 of those cases, including both harrowing individual stories and themes and trends in police activity. These incidents form a pattern of law enforcement failure. That pattern shows that people in authority can and will abuse their access to personal data if few or no strong deterrents stand in their way. And the brunt of the impact is often felt by those already disempowered to stand up to it.
Today’s widespread use of police databases is rooted in a decades-long expansion of surveillance powers. Following 9/11, the US government adopted sweeping data collection initiatives, including both a secret surveillance initiative by the NSA, and the Department of Homeland Security’s Multi-state Anti-Terrorism Information Exchange (MATRIX). While some of these programmes have been officially dismantled, the normalisation of mass data collection remains, and it has become easy to forget that programmes such as MATRIX were once highly controversial.
Federal and state law enforcement databases with names such as NCIC, CLEAN, NLETS, JNET, and LEADS can contain biometric data, information about race/ethnicity, driving records, and even records of previous interactions with police (such as arrests) that did not result in convictions. These databases may also incorporate data from private-sector sources, blurring the lines between state and corporate surveillance.
Private-sector databases can play a significant role in the harms we describe: they are lawful in the US, but officers can and do misuse them. Technology companies with a history of data accumulation profit by selling access to data and surveillance tools to police forces. Private databases such as TLOxp, CLEAR, Accurint, and Spokeo offer police access to startlingly detailed personal information that may include race, physical description, biometric data, social media (including dating sites), financial and location data, records about vehicles, gun licenses, educational and employment information, and links between people and their family or purported ‘associates’.
In practice, there is nothing to stop police from using this data to profile people in ways that infringe upon their rights. For people in the US, it is virtually impossible to keep this data out of the hands of data broker companies, and from there it can easily flow into the hands of law enforcement. Many private companies market large collections of personal data specifically to police, and based on court records and purchase orders, we know police are buying.
Many of the federal civil rights lawsuits we examined were brought by Black people. In several of these cases, police looked up the licence plates of vehicles driven by Black drivers (or with Black passengers), then pulled the drivers over for questioning. The resulting encounters had harmful consequences – or alleged consequences – ranging from death to arrests or detentions based on mistaken identity, being held at gunpoint, and negative media headlines that persist to this day. In depositions and other statements, Black people who claimed in court that they had experienced such violations described fear and derailed lives. While we cannot know the motivations of individual officers, the number of these cases that involved Black plaintiffs is striking and raises concerns for us about the possibility that officers can look up people’s data based on nothing more than racial bias. In practice, there is little or nothing to stop them from doing so.
We also found plaintiffs alleging that officers had looked up women for no legitimate law enforcement reason, including on the basis of sexual interest. Officers have been prosecuted for stalking or assaulting women they have looked up in databases, and there are documented cases of officers collectively looking up the driver’s licence information (including photos) of women, including their fellow officers, hundreds or thousands of times. Again, we see the potential for abuse: when officers are given warrantless access to thousands or millions of women’s personal data, some will misuse it, including in ways that are seriously intrusive – or worse.
The real-world impact of the misuse of these databases can be catastrophic. Innocent people have been jailed for months due (they have later claimed) to incorrect or misleading database entries or a failure to use them as intended. Officers have used database access for personal vendettas, stalking and harassment. Some examples from our investigation include:
People who were victims of, or witnesses to, crimes have also claimed harms due to database misuse. The damage extends beyond physical and legal repercussions: victims have reported negative impacts on their dignity, mental health, family life, educational progress and careers.
Our research reveals a number of deep-seated problems with how US police are interacting with these databases.
Firstly, the cases suggest to us that data in police databases is often of poor quality and riddled with inaccuracies. However, there is no general requirement for accuracy or for errors to be corrected. To make matters worse, ordinary people often have no access to these records, meaning they cannot challenge or correct erroneous entries. The result is the classic data problem: if you put garbage in, you’ll get garbage out. And in this instance, ‘garbage out’ can mean lengthy detentions, being surrounded by officers with their guns drawn, or worse, as described above.
But even when the data is technically accurate, our research raises concerns that attitudes towards its use may be deeply flawed. As we’ve seen from the examples above, plaintiffs claim that police officers feel entitled to look up personal data out of idle curiosity or for personal, political or even sexual reasons such as tracking people they are romantically involved with or attracted to, or people who belong to races that have long been the targets of discrimination and violence.
Officers also appear to make assumptions that things they read in the database must be true and reliable because they appear on a screen. Misinterpretation and ‘database-inspired’ leaps of logic that fall flat can result in arrests and other harms based on mistaken identity. Confirmation bias appears to play a key role: some cases suggest to us that officers trust database records even when they contradict real-world evidence. Yet, even when a database comes up clean, this may not deter an officer from pursuing their line of action. In other words, the database may hurt you – and it’s unlikely to help you.
Our research also points to a serious lack of accountability for police misuse of datasets. In the US, the legal doctrine of ‘qualified immunity’ means that officers are in a relatively safe position when it comes to this unsafe practice. Officers are shielded from legal consequences because the law sets a particularly high bar for them to be found to have acted wrongly. Similar doctrines often prevent plaintiffs from successfully suing their departments, as well.
This immunity may have contributed to a fundamental change in policing tactics: namely, suspicionless database lookups being used as fishing exercises, just in case you get a hit rather than having a valid pre-existing reason to investigate someone. As legal scholar Wayne Logan has put it, mass data policing has “fostered a revolution in policing akin to that of the introduction of patrol cars and two-way radios.”
The ease with which US police can look up and misuse information in databases to make humiliating and downright bad decisions – sometimes causing long-term damage to people’s lives – is harmful to privacy and other freedoms. Just because someone has previously shared some information about themselves (whether with a company, on social media, or to the government directly), that doesn’t mean that information is then ‘fair game’ to be used in police investigations – without a warrant, forever, and potentially accompanied by many inaccuracies. The right to privacy still applies. And the idea that database information is infallible and can be trusted without scrutiny must be put to an end.
More effective limits are needed on what kinds of personal information police in the US – and everywhere – can view, when and why. Our report recommends new rules to break the pattern of law lagging behind technology. These must cover:
The US is not alone in this trend. The UK and the EU are also expanding law enforcement’s data access powers, introducing facial recognition surveillance and proposing scanning private messages. Without urgent intervention, the normalisation of unchecked data collection will continue to threaten civil liberties worldwide.
Technology should never be a tool for oppression. If we fail to act, the policing of the future will continue to be defined by mass data collection over which we are powerless, along with suspicion and systemic injustice.