15 December: Privacy Advisory Commission proposal goes to Oakland Public Safety Committee


, , , , , , ,

20150915_publicsafety_02From City staffer Joe De Vries on 4 December 2015…

I am pleased to announce that the Ordinance that will create a permanent Privacy Advisory Commission is scheduled to be heard by the City Council Public Safety Committee on December 15th at 6pm in Hearing Room 1 at City Hall. This significant legislation was borne out of the work of the Advisory Committee and represents a key recommendation that committee made to the City Council in the spring. I encourage you to read the attached staff report and supporting documents and to provide your feedback to the Public Safety Committee on the 15th. The attached PDF includes, in this order; the Report, the earlier resolutions establishing the Ad Hoc Committee, the DAC Policy and the FLIR Policy, and last, the ordinance establishing the Commission. Also, the link below will direct you to the same information.

I expect Mr. De Vries to present the recommendation to the Oakland City Council’s Public Safety Committee.

I haven’t seen discussion of the new commission’s charter language. I’ll give it a quick look but more eyes are better; please comment.

Let’s see how that charter:

  • balances competing interests (like liberty vs. safety),
  • keeps the commissioners accountable to the public,
  • funds staff and operations,
  • endows it with the powers to do its job (like the security clearances to inspect how privacy is performed in practice by the OPD and other City agencies)
  • and what tools it has to effect change.

Next: Oakland FLIR privacy policy at Public Safety on Tues 15 Sept 2015


, , , , , ,

City staffer Joe DeVries emailed “The FLIR Policy that was developed by the Advisory Committee will be going before the Public Safety Committee next Tuesday September 15th at 6pm in Hearing Room 1. It is item #5 on the agenda. A link to the documents is below as well.” FLIR Agenda Report Policy and Resolution (pdf)

To catch you up:

  • The FLIR is a system that lets OPD helicopter pilots see infrared images of the ground, buildings, and warm things there. Like lost children, escaped prisoners, homeowners smoking on their front lawns, and hotspots during a firestorm.
  • OPD is updating their tech from ancient to not-obsolete.
  • The same citizen committee that proposed a privacy policy for surveillance cameras drafted suggestions for a privacy policy for the new FLIR system.
  • If you have concerns or comments, next Tuesday, 15 September, is your one real shot to support the proposed policy governing the FLIR’s use or to suggest changes.
  • If/when the Council’s Public Safety Committee approves (perhaps after some changes?), it will go to the whole council where they will approve it (or make more changes).

My two cents: This is a good policy, a simple framework. It incorporates current laws protecting unwarranted surveillance of homes. It adds procedures for oversight. Support it.

#OPD Helicopoter Pilot will brief #DAC #Privacy committee on Thermal Imaging use #FLIR #oakmtg


, , ,

This Thursday an Oakland Police Department helicopter pilot will brief the public on OPD’s use of Forward Looking Infrared (FLIR) camera systems. Stop by 25 June 2015, 6pm – 7pm, Room 4, Oakland City Hall. This may be your only chance to comment on the policy before it’s sent to the council.

Why this briefing is important now: The best privacy policies understand the flow and storage of information and the people who have an interest in that data. We drafted a privacy policy that takes OPD’s statements at face value: that they don’t want to share or preserve any imagery from FLIR systems outside the helicopter. This limits the number of people seeing the imagery, the data’s lifespan, and the size and complexity of the system. The privacy policy basically holds them to this and to a limited number of acceptable uses. This briefing lets us check our assumptions.

A FLIR privacy policy is a milestone in Oakland. It prepares the way for drafting privacy policies for:

  • Newer FLIR and other imaging systems that share image and audio live streams, snapshots, and clips over networks to other devices inside and outside the helicopter. This multiplies the number of systems and people subject to a privacy and data retention policy.
  • UAV sensor packages piloted from the ground, like most consumer and industrial drones today
  • UAVs that fly autonomously (without a human operator) using software smarts to determine where to fly and what to observe.
  • Handheld devices, like the Flir One iPhone attachment ($399)

This is the last meeting of the Ad Hoc Advisory Committee. It’s been a pleasure serving.

P.S. The ruling you’ll hear mentioned most is Kyllo v. United States, which requires a warrant for infrared search of a residence.

P.P.S. Here’s a CNN story on the use of FLIR in a Los Angeles manhunt.


Screen Shot 2015-06-20 at 7.57.11 PMCapturing the Boston Marathon bomber was a big win for police use of FLIR technology.

Screen Shot 2015-06-20 at 7.54.12 PM
Here you see a residence, a car with a hot engine, and a man standing by the car.

Screen Shot 2015-06-20 at 7.56.19 PM
Here you see a pedestrian on a sidewalk. When would this be allowed and when wouldn’t it be?

Continue reading

Is video surveillance PII? #oakmtg #dac


, ,

The City filed a Privacy Threshold Analysis with DHS last year. They wrote the DAC would collect surveillance video but no Personally Identifiable Information (PII). PII usually refers to fields of data from a form, a database record, an ID. Examples are typically Social Security Number, Drivers License, a full name, or an address.

But what about a photo or video of you walking down the street? What about an audio recording of you and your friends talking? Why aren’t those also PII? Facebook detects and matches faces. Tineye finds similar photos on the web. And the better-funded intelligence and law enforcement agencies have access to tools that identify people from photos and recordings. Software can recognize the unique shape of your ear, your distinctive gait, your height, the things that make your voice distinctive, the pattern of veins under your skin, your body art.

So why aren’t surveillance videos, like those proposed for the DAC, and surveillance audio, like that collected by Shotspotter, also consider PII? How about body cameras worn by police officers? Do privacy laws distinguish between PII in raw form and PII fully analyzed and extracted? Aren’t the handwritten name on a form and the typed version both PII?

Resolved: So let’s start considering all the raw sensor data we collect from observing people to be PII, and also all the data we derive from it.

Then let’s apply all the rules for protecting, retaining, and disclosing PII to all the data streamed from government cameras and microphones and scanners.

Download: Oakland DAC Privacy Threshold Analysis 030314

Privacy Threshold Analysis for the Domain Awareness Center supplied to the Department of Homeland Security…


@Oakland asks for your views on 7 DAC Privacy Policy recommendations


, , , , ,

Read what more than 30 people said so far.

Then take the survey and make your own comments.

Here are the seven recommendations we made to the Public Safety Committee:

  1. Establish a Standing Privacy Policy Advisory Committee of the City to provide guidance to the City Council on potential changes to either the DAC or the DAC Privacy and Data Retention Policy.

  2. Recommend to the City Administrator that a person is designated and shall serve as the Internal Privacy Officer within the DAC charged with ensuring the DAC Staff are abiding by the Policy, and that the City Auditor shall serve as the “Compliance Officer” who is responsible for reviewing the quarterly reports prepared by the Internal Privacy Officer, and that the Public Ethics Commission shall serve as an Ombudsman/Advocate to receive complaints from whistleblowers or the general public and to make policy recommendations to the Advisory Committee and City Council.

  3. Request the City Administrator or designee prepare an ordinance that makes violation of the Policy a misdemeanor punishable by fines and also enforceable by injured parties under a private right of action.

  4. Determine that changes must be proposed by/to the Privacy Advisory Committee and ratified by the City Council and that Privacy policy must be reviewed at least every year by the committee.

  5. Create a Permanent Standing Advisory Committee to examine the City as a whole and develop an overarching Privacy Policy that would reach beyond the limited scope of the DAC.

  6. Modify the City’s Whistleblower Ordinance to broaden protections and allow for more avenues to file a complaint when there is a DAC policy related potential violation.

  7. Consider establishing a Citywide Surveillance Technology Ordinance to allow for informed public debate and decision making by the City Council regarding privacy and retention policies for all Surveillance Technologies in the future.

Addressing four PEC concerns


, , , , , , , ,


Joe DeVries from the City Administrator’s office and Brian Hofer of the Ad Hoc Advisory DAC Privacy and Data Retention Committee briefed Oakland’s Public Ethics Commission Monday night and took questions. This is my recap of the PEC’s concerns and my answers where I have them.

DeVries explained how the Snowden-era public pressure combined with the DAC’s early ambitions to compel the Council’s limiting DAC coverage to the Port and a strong privacy policy. He explained the Privacy Committee’s seven requests.

Hofer reported the state of the privacy policy, now before the Council’s Public Safety Committee, open for more public comment into next month. He also spoke to the Privacy Committee’s intent to deploy a framework, a privacy structure, that could be refined and applied through the rest of Oakland government. The PEC in this framework would be one of three channels for whistleblowers to report violations of the privacy policy. The PEC would also be a public ombudsman on privacy.

The Commissioners raised four issues.

The policy may add to the PEC’s workload. The PEC’s headcount will triple this summer, from two to six staff; bigger but still small for the job. New duties and powers may stretch the new team’s capacity. What if whistleblower cases rising from the DAC privacy policy demands even more staff time? There’s no additional funding from the DAC. This could be a risk to the PEC’s ability to perform.

Not really. Let’s do some simple math.

  • Fewer employees to get in trouble. The PEC addresses complaints generated by the behavior of the 4000+ City employees. Fewer than five, likely only two or three, will be involved in using the DAC software. That’s 0.1% of the existing workload.
  • Few hours of activity. As originally scoped, the DAC would be staffed all day and night year round. Plans changed, funding was cut and now it will be an on-demand service. Oakland Police knew of 98 protests in 2014 and activated the Emergency Operations Center (where the DAC lives) for 14 of them, about 15% of the time. So let’s say they turn on the DAC for a two-hour look-see 85 times a year and for two shifts 15 times. That’s 410 hours of use a year, or 4.7% of the originally planned 8760 hours/year.
  • Small geography being watched. Oakland has 806 miles of streets. There fewer than 4 miles of street bordering the Port of Oakland. And it’s not a pedestrian hot spot. So the exposure to people who might have privacy, speech, or assembly concerns is vanishingly small. Less than 0.5% of the DAC’s original beat.
  • The PEC is just one of three whistleblower channels. The DAC Privacy Policy calls for the City Auditor and a new privacy committee/commission to also field complaints. So if workload does arise, it would likely receive just one-third of the complains.

0.1% * 4.7% * 0.5% * 33% is a vanishingly small impact. The DAC’s use and application would have to change radically for enough people to be affected by the DAC to create a material risk to the PEC’s whistleblower pipeline.

New expertise needed.  Privacy competence is not required now. PEC staff must master the laws, regulations, and practices for each area where they administer justice. This requires time and training. How could the PEC rapidly become sufficiently knowledgeable and skilled to do a good job without extra headcount and specialized experts?

Assuming even one privacy matter comes before the PEC, this is a fair concern.

The model proposed by the DAC Privacy Policy is that a standing privacy committee or commission would be a central repository for technical, legal, and policy expertise, available to the PEC and City Auditor. Even so, the PEC would want at least familiarity with any new purview asked of it.

Uneven justice for whistleblowers. The new policy calls for three different organizations provide privacy oversight, whistleblower investigations, and public ombudsman services. Today, the PEC and Auditor have different protocols and standards for administering whistleblower investigations. For instance the Auditor’s investigations may be public and optional while the PEC’s investigations are private and mandatory. Their abilities to order operational changes or to punish are different. Could we see different outcomes for the same issue depending on who the whistleblower calls?

Good question. The Policy doesn’t address this. Suggestions?

Duplication of effort. Do we really want to build the oversight, ombudsman, and whistleblower capacity three times?


It’s their duty. Government abuse of the federal and state constitutions or of the City’s charter is within scope for the PEC, City Auditor, and the new privacy committee/commission.

Variety works. City staff and the public perceive real differences between the PEC, Auditor, and the privacy group. The Auditor’s office is known for public crackdowns on waste and poor management. The PEC is known for adeptly resolving conflicts of interest and employee relations investigations. And the privacy group may be known for a focus on civil liberties. Each brand will appeal to different employees in different situations. So they are more likely, as a whole, to report abuse to someone.

Those are my answers and explanations so far. And they’re rough and incomplete, perhaps outright wrong. Are there better answers? Better questions? Or better ways of framing the problems? Chime in.

Committee mtg with @Oakland City staff on implementing the #DAC #privacy policy


, , , ,

See you at 6pm tonight at City Hall, room 4 (second floor). Focus: implementation feedback from those who’ll have to make the policy work. Where-the-rubber-meets-the-road talk.

From Joe DeVries:

I am pleased to announce that we will have several guests to discuss certain components of the draft Policy and the additional recommendations that the Advisory Committee is recommending to the City Council. The guests include our Newly Elected City Auditor Brenda Roberts, the Executive Director of our Public Ethics Commission, Whitney Barazoto, and the City’s Employee Relations Manager, Renee Mayne. Also available will be our EOC Acting Manager, Deputy Chief David Downing from OPD, and other city support staff to further discuss issues raised about the Policy.


  1. 6:00pm: Call to Order, determination of Quorum
  1. 6:05pm: Recap of discussion and action taken by the City Council Public Safety Committee on February 10th.
  • Public Comment Period with Website Presence
  • Concerns around Staffing of DAC and Auditing Procedures
  • Return on April 14th, 2015
  1. 6:15: Discussion with City Auditor Brenda Roberts regarding the Auditor’s role in the Policy

ROUGH NOTES IN MY WORDS: The City Auditor’s office is independent, so can’t be compelled what to audit or when to perform them. The Auditor will prioritize auditing what goes on at the DAC against everything else the City does, weighing the cost, time, and impact of the systems and services being audited. So, if the Council wants regularly scheduled audits to confirm that the system is being well supervised and remains aligned with the Policy’s privacy protection and liability avoidance purposes, then the City should hire an outside auditor.

The City Auditor operates a whistleblower hotline. All calls receive at least a preliminary investigation.

  1. 6:40: Discussion with the Public Ethics Commission regarding their role in the Policy (Executive Director, Whitney Barazoto)

ROUGH NOTES: A few concerns about the scale of DAC-related whistleblower activity the PEC might face without additional headcount.

The next PEC meeting (Monday, 2 March, 6:30pm Hearing Room 1) will include a presentation and Q&A with DeVries and Hofer about the Policy. From Monday’s agenda… (pdf)

“5. City of Oakland Domain Awareness Center Privacy and Data Retention Policy. During discussions of the Oakland Port Domain Awareness Center (DAC) in March 2014, the City Council adopted a resolution requiring the City Administrator’s office to convene an advisory committee to develop a data retention and privacy policy to address public concerns about the DAC and its surveillance system. The DAC Ad Hoc Privacy and Data Retention Advisory Committee has been meeting since May 2014 and developed a policy and several additional recommendations to present to City Council. Joe DeVries, Assistant to the City Administrator and staff to the Ad Hoc Advisory Committee, and Brian Hofer, the Committee Chair, will provide an overview of the issue and the advisory committee process and will share the details of the proposal that is being developed. The recommendations include a potential role for the Public Ethics Commission as an impartial oversight entity. The Commission will review and discuss this issue and may take action regarding the proposal.”

  1. 7:00: Discussion with the City’s Employee Relations Manager (Renee Mayne) regarding the impact of the proposed penalties for violations of the Policy.

ROUGH NOTES: “Employees shall follow laws with punishments up to and including termination” is common boilerplate. “Just cause” is the standard for discipline; its seven elements: fair, reasonable, known, consistent, investigation, fair investigation (and one more). employees have a property right and a due process right in their jobs.

For any change to employee penalties, unions and their bargaining units must agree to be bound by those new terms of employment. Failing that, an issue goes to arbitration. Although the City is entering collective bargaining talks, the Policy’s new terms will not be part of the negotiation.

  1. 7:30: Discussion with Deputy Chief Downing (OPD) and Cathey Eide (EOC), and Ahsan Baig (ITD) regarding functional concerns about the Policy and/or external recommendations to the Policy.

NOTES: Wants covering peaceful marches and protests to be an “acceptable use.” Same for planned “special events” like marathons and Presidential visits.

  1. 7:50: Next Steps/Adjournment.

(video) 10 February 2015: Port DAC privacy policy presented to the Oakland City Council’s Public Safety Committee


, , , , , , ,


From the agenda:

Subject: DAC Privacy And Data Retention Policy

From:Office Of The City Administrator

14-0475. Recommendation: Adopt A Resolution: 1) Affirming The Right To Privacy; 2) Establishing The City Of Oakland Domain Awareness Center (DAC) Privacy And Data Retention Policy Which Prescribes The Rules For The Use, Accessing And Sharing Of DAC Data; Establishes Oversight, Auditing And Reporting Requirements; And Imposes Penalties For Violations; 3) And Authorizing The DAC To Become Operational; And

14-0479. Receive Additional Policy Recommendations Which Require Future Council Action From The DAC Ad Hoc Advisory Committee Intended To Support The Policy, Assure Ongoing Compliance With The Policy, Establish Penalties For Policy Violations, And Potentially Extend The Components Of The Policy To A Broader Range Of City Functions