Audit flags oversight gaps in APD license plate reader pilot

A recent audit of the Austin Police Department’s License Plate Reader (LPR) program found that while the department largely complied with policies during the yearlong pilot, internal audit procedures and vendor contracts left room for improvement and potential privacy risks. The findings were presented to the City Council’s Audit and Finance Committee this week, as members consider whether to continue or modify the surveillance technology initiative.

According to the City Auditor’s Office, which reviewed the program’s first nine months of data from March to December 2024, APD logged approximately 75 million license plate scans. The system generated more than 13,000 matches for potential violations, resulting in 165 arrests and approximately 134 prosecutions, though auditors noted delays in the justice process make the prosecution figure an estimate.

A significant concern raised in the audit involved the city’s contract with the readers’ vendor, Flock Safety. The auditors flagged contract language that gives Flock a “non-exclusive, worldwide, perpetual” right to use and share anonymized data for development and law enforcement purposes.

While APD maintains that the vendor deletes Austin’s data after seven days in accordance with city policy, auditors cautioned that vague definitions and lack of specificity around “anonymization” could expose motorist data to unintended use or disclosure.

Council members expressed alarm that the contract terms may not fully align with a 2022 City Council resolution explicitly protecting against the use of LPR data in ways that could compromise free speech, reproductive access or immigration status. City legal staff acknowledged the ambiguity in the contract and indicated they had previously raised concerns during contract review.

APD emphasized that it has not shared data in violation of city policy. Askew said the department had received and processed eight data-sharing requests during the audit period, mostly from local and state law enforcement agencies and the Austin Fire Department.

These requests were judged to be in line with approved uses such as pursuing cases involving human trafficking, auto theft and arson investigations.

The audit also compared Austin’s license plate reader program with those of six peer cities, including Dallas, Houston, and Minneapolis. Austin was found to have the most frequent audit and training schedule and the shortest data retention period—seven days, compared to 30 or more in other cities.

Committee members, including Mayor Pro Tem Vanessa Fuentes and Council Member Chito Vela, questioned the long-term oversight of the program and the growing role of private sector surveillance tools. There was also a general consensus from committee members around the need for further legal review of vendor contracts and possible updates to privacy language if the program is extended.

“Council passed a resolution, city legal worked on a contract with a vendor, then we have a city auditor do an assessment of our contract to say it is not aligned with the resolution, it’s open to interpretation, and it’s too vague,” Fuentes said. “That does not give me trust as a policymaker in our city legal department if we can have an audit come back that has such a tremendous finding.”

Fuentes also expressed concern over the audit only covering nine months of data instead of the full year that was planned, which APD and audit staff attributed to a misunderstanding early in the program of how frequently information needed to be pulled from the vendor for storage and analysis.

City auditors also found that APD’s internal risk management unit conducted quarterly reviews of the program as required by City Council resolution, but noted deficiencies in the clarity, structure and consistency of these audits. Roles and responsibilities among audit staff were not well-defined, and some officers provided unclear or invalid justifications when using the system, representing a potential violation of department policy.

The audit’s sole formal recommendation called for APD to improve its audit procedures by automating data pulls, clearly defining staff roles, formalizing compliance reviews and reporting results to stakeholders on a regular timeline. Assistant Chief Sheldon Askew told committee members that APD has already implemented some of these changes and will complete others by the end of the year.

Council Member Marc Duchen questioned whether the audit had examined if other cities faced similar issues with vendor contract language and program oversight. He also asked whether the report could be updated to reflect the full year of data, beyond the nine months that were reviewed.

The original pilot was scheduled to conclude in March 2025, but Council recently approved a three-month extension that could pave the way for a vote later this summer to continue, expand, or amend the program.

Photo by genvessel – Flickr, CC BY 2.0, Link

The Austin Monitor’s work is made possible by donations from the community. Though our reporting covers donors from time to time, we are careful to keep business and editorial efforts separate while maintaining transparency. A complete list of donors is available here, and our code of ethics is explained here.