Amid growing concerns about the widespread use of automated license plate readers (LPRs) by law enforcement and others, new information reveals that US Customs and Border Protection is sharing detailed LPR data on border crossings with the insurance industry. Forbes reports that a Freedom of Information Act request submitted by the Electronic Privacy Information Center (EPIC) reveals the agency has been handing the data over to the National Insurance Crime Bureau (NICB) since as early as 2005.

The NICB is a non-profit organization funded by the insurance industry and others in order to fight insurance fraud and crime, and the "memorandum of understanding" (below) between it and the UCB grants it access to the data both to identify theft patterns and deter the export of stolen vehicles. The data can also be used to help spot "owner-give-up" insurance fraud, when someone fakes a theft in order to collect the insurance cash. Individual insurance companies get access to the data through the NICB, although the Bureau says only "Special Investigation Units" within those companies are permitted to see it.

So just how much data are we talking about? The NICB says roughly 15 million scans a month, reports Ars Technica; scans that contain detailed time, date, and GPS data on individual border crossings. While recovering the thousands of stolen cars shipped to Mexico every year is a worthwhile goal, there are real privacy concerns — particularly since the memorandum allows the NICB to hand the data off to third-party "data processing services." As EPIC attorney Ginger McCall explains to Forbes, "This is warrantless collection of very private data, location data about where you’ve been and when," adding, "it’s being shared with unknown organizations, not just in the government where there may be Privacy Act protections, but outside the government with third parties, possibly in contravention of the Privacy Act."

Perhaps the biggest concern is the lack of transparency. Customs and Border Protection says it holds onto the data for two years and the NCIB for only one, but since the information can be shared with third-party organizations, it's not clear how binding those limits are in practice. As an ACLU blog post points out, "the only auditing and accountability mechanisms required are self-policing and self-reporting."