Recommendations for Accountability

What Policy 427.5(e) Requires

"All ALPR system audits should be conducted on a regular basis."

What This Means

Independent review verifying that:

• Every search has a documented reason and corresponding case/call number
• No "blanket searches" are occurring
• Officers aren't searching family members, neighbors, or personal acquaintances without legitimate reason
• External agencies aren't conducting fishing expeditions

Why It Protects the 99%

Without audits, there's no way to verify the system isn't being misused. Policy requires documented justification for every search - audits ensure that requirement is actually being followed, not just written in a policy manual.

Implementation

• Quarterly audits conducted by independent party (not the department)
• Random sample of 10% of searches reviewed
• Results presented to Public Safety Committee in public meeting
• Violations trigger immediate review and corrective action

What It Is

Flock Safety offers a public transparency portal that displays usage statistics and search activity. It's already included in Grafton's contract at no additional cost.

Wisconsin Communities Using It

• Wisconsin Rapids - Population 17,500 (comparable to Grafton)
• Maple Bluff - Population 1,300
• Altoona - Population 8,000

If Maple Bluff (population 1,300) can provide transparency, so can Grafton.

What Residents Could See

• Number of searches performed monthly
• Number of alerts generated
• General categories of search reasons (stolen vehicle, missing person, investigation, etc.)
• External agency access patterns

Why It Protects the 99%

Transparency creates accountability. When usage data is public, departments must be prepared to justify search patterns to residents. Secrecy enables abuse; sunlight prevents it.

Implementation

• Village Board authorizes Police Chief to enable portal
• Link added to village website
• No cost - already included in contract

Current Situation

When asked which agencies access Grafton's camera data, the department responded:

"The Department does not maintain a record tracking the number of times external agencies have accessed data."

Grafton shares data with 591 agencies across 32+ states, but has no record of who's searching it, how often, or why.

Why This Matters

Every time an external agency searches Grafton's cameras, they're tracking where Grafton residents have been driving. That could include:

• Medical appointments
• Political meetings or protests
• Religious services
• Attorney visits
• Any other constitutionally protected activity

Agencies 1,800 miles away can search this data without warrants, without probable cause, without reasonable suspicion - just by checking a box.

What Good Tracking Looks Like

• Log which agency accessed data
• When they accessed it
• What they searched for (license plate or vehicle description)
• General reason category (investigation type)

Why It Protects the 99%

If you don't track access, you can't identify patterns of misuse. Are certain agencies conducting hundreds of searches? Are searches related to legitimate local crimes, or fishing expeditions? Without logging, there's no way to know.

Implementation

• Enable logging in Flock system (built-in feature)
• Quarterly report to Public Safety Committee showing top accessing agencies and search volumes
• Flag agencies with unusual patterns for review

The Netflix Principle

Your Netflix subscription expires unless you actively renew it. Agency access to Grafton residents' location data should work the same way.

Current System

591 agencies have access to Grafton's cameras. Once granted, that access appears to be permanent. There's no annual review, no expiration, no requirement to re-justify access.

Proposed System

Annual access renewal with justification:

• Every agency must re-apply for access each year
• Application must explain why access to Grafton specifically is needed
• Chief reviews and approves/denies
• Public Safety Committee reviews list annually
• Access expires automatically if not renewed

Questions to Ask Each Agency

• How many searches of Grafton data did you conduct last year?
• How many led to arrests or investigations?
• What's your geographic jurisdiction, and how does Grafton fall within it?
• Do you have your own ALPR cameras?

Why It Protects the 99%

Many of the 591 agencies probably never search Grafton data. Others may have legitimate occasional need. A few may be conducting high-volume searches that deserve scrutiny. Annual renewal identifies which is which and removes agencies that can't justify continued access.

Implementation

• Policy amendment requiring annual renewal
• Chief sends renewal request to all 591 agencies in January
• Agencies have 30 days to respond with justification
• Non-respondents lose access automatically
• Public Safety Committee reviews and approves final list in March

What Gets Reported

Similar to how the Finance Committee receives quarterly budget reports, the Public Safety Committee should receive quarterly ALPR reports showing:

• Usage statistics - Number of searches, alerts, hot list matches
• Effectiveness data - Arrests resulting from cameras, case clearances
• External agency access - Top 10 accessing agencies and search volumes
• Audit results - Compliance with search documentation requirements
• Policy violations - Any instances of misuse and corrective action taken
• Cost analysis - Annual cost divided by arrests = cost per arrest

Why It Protects the 99%

The Village Board is accountable to residents. If trustees receive regular reports on ALPR usage, they can:

• Identify patterns of concern
• Ask questions about effectiveness
• Adjust policy if needed
• Provide transparency to residents who elect them

Currently, the Board approved a 5-year, $88,150 contract with no ongoing oversight. That's not how we run other village programs - it shouldn't be how we run surveillance.

Implementation

• Add to Public Safety Committee standing agenda (January, April, July, October)
• 5-minute presentation from Chief or designee
• Written report provided to trustees and posted on village website
• Public comment period after each report

Current Policy

Grafton retains ALPR data for 30 days. That means every vehicle captured is stored for a full month, searchable by 591 agencies, before automatic deletion.

The New Hampshire Model

New Hampshire's "flag-and-discard" approach:

• 3 minutes - Non-matching plates deleted after 3 minutes
• Indefinite - Plates matching hot lists (stolen vehicles, wanted suspects) retained for investigation

Result: Stolen vehicles still recovered, wanted suspects still caught, but innocent residents' data not stored for 30 days.

Grafton vs. New Hampshire: A Comparison

Why Grafton's 30-Day Retention Is Problematic

• Creates searchable database - Every vehicle that entered Grafton over past month is stored and searchable
• Enables retrospective investigations - Officers can search historical movements without warrants or individual suspicion
• Allows characteristic-based searches - Can search by vehicle features (bumper stickers, roof racks, damage) to identify specific individuals
• Accessible to 591 agencies - Data can be used for investigations completely unrelated to Grafton
• No individual suspicion required - Searches don't require probable cause or reasonable suspicion

New Hampshire proves you can catch criminals without mass surveillance. The 3-minute model still alerts on stolen vehicles and wanted suspects in real-time, but doesn't create a retrospective database of innocent people's movements.

Grafton's Compromise: 14 Days

Even if Grafton isn't ready for the New Hampshire model, reducing retention to 14 days would:

• Still cover the window for most investigations (hit-and-runs, thefts, etc.)
• Reduce exposure for innocent residents by 50%
• Demonstrate commitment to minimizing surveillance of the 99%
• Align with best practices in other communities

Question for the Department

"How many cases in the past year required ALPR data older than 14 days?"

If the answer is "zero" or "very few," then 30 days isn't necessary - it's just surveilling innocent residents longer than needed.

Why It Protects the 99%

Every day of retention is another day that 591 agencies can search where innocent Grafton residents have been driving. If 14 days accomplishes the same investigative goal as 30 days, the shorter period protects privacy without sacrificing effectiveness.

Implementation

• Policy amendment changing retention from 30 to 14 days
• Coordinate with Flock to update system settings
• Track effectiveness for 6 months to verify 14 days is sufficient
• Re-evaluate if evidence shows longer retention is truly needed

The Critical Security Gap

Flock Safety does not require multi-factor authentication (MFA) for legacy accounts. Only new customers as of November 2024 have MFA enabled by default.

This means some of the 591 agencies with access to Grafton's data may be using accounts protected only by passwords - no second authentication factor.

The Risk

Without MFA, a single phishing email to an officer in Houston could compromise their Flock account. That compromised account could then:

• Search Grafton's entire database
• Download bulk data on Grafton residents
• Access 30 days of location history on every vehicle captured
• Share that data with anyone - including foreign actors, criminals, or stalkers

We would never know this happened because the department doesn't track external agency access.

Real-World Scenario

Officer in Texas receives phishing email that looks like it's from Flock Safety.

"Click here to verify your account or access will be suspended."

Officer clicks, enters password. Attacker now has access.

Attacker logs into Flock, searches Grafton database, downloads location data on political activists, journalists, or anyone else they're interested in.

No alert. No notification. No way to know it happened.

The Constitutional Issue

We're collecting warrantless location data on innocent Grafton residents - including where they go to medical appointments, political meetings, religious services, attorney visits - and sharing it with 591 agencies.

If that data gets breached because an agency 1,800 miles away didn't enable basic multi-factor authentication, whose responsibility is that? Who's liable? Who protects our residents?

You can't justify warrantless surveillance on the grounds of "public safety" if you're not even securing the data you collect.

What We Don't Know

• Which of the 591 agencies have enabled MFA
• Which are using legacy accounts without MFA
• What their password security practices are (complexity requirements, rotation policies)
• If any accounts have already been compromised
• Whether agencies share login credentials among multiple officers

Why It Protects the 99%

Innocent residents shouldn't have their location data exposed to hackers, stalkers, or foreign actors because an agency in another state didn't enable basic cybersecurity. MFA is the industry standard for protecting sensitive data - law enforcement shouldn't get a pass.

What Needs to Happen

1. Verify Grafton PD has MFA enabled - Confirm our own house is in order first
2. Require all 591 agencies to enable MFA - Make it a condition of network access
3. Annual certification - Each agency must certify MFA is active and no shared credentials
4. Revoke access for non-compliance - Any agency that won't certify loses access immediately
5. Breach notification protocol - If any agency reports a compromise, Grafton residents must be notified

Industry Standards

Multi-factor authentication is required by:

• Banking and financial services (federal regulation)
• Healthcare (HIPAA security requirements)
• Government contractors (NIST 800-171)
• Critical infrastructure (CISA guidelines)

If your bank requires MFA to protect your account balance, shouldn't we require it to protect 30 days of your location history?

Implementation

• Immediate: Chief verifies Grafton PD account has MFA enabled
• 30 days: Notice sent to all 591 agencies requiring MFA certification
• 60 days: Agencies must submit written certification or lose access
• Ongoing: Annual re-certification required
• Policy: Breach notification protocol added to Policy 427

The Bottom Line

This isn't optional. This is basic cybersecurity for sensitive law enforcement data.

If we're going to collect warrantless location data on innocent residents and share it with 591 agencies, the absolute minimum requirement is that those agencies use industry-standard authentication security.

Anything less is negligence.

These can be implemented today with no budget impact:

1. Enable MFA for Grafton Police Department accounts
   • Verify all GPD officers have multi-factor authentication enabled on Flock accounts
   • No shared login credentials
   • Chief certifies compliance in writing
2. Enable transparency portal
   • Already included in Flock contract - no additional cost
   • Wisconsin Rapids, Maple Bluff, and Altoona already use it
   • Displays usage statistics publicly
   • Link added to village website
3. Require MFA for all 591 external agencies
   • Notice sent to all agencies: enable MFA within 30 days or lose access
   • Written certification required from each agency
   • Non-compliant agencies automatically revoked

Timeline: Can be completed within 30 days

These can be implemented using existing volunteer oversight structures:

1. Conduct independent audit using civilian oversight
   • Policy 427.5(e) already requires this
   • Use existing Public Safety Committee or appoint ad-hoc civilian oversight committee
   • Committee reviews random sample of 10% of searches quarterly
   • Verify every search has documented reason and case number
   • Committee presents findings to Village Board publicly
   • Cost: $0 (volunteer committee members)
   • Alternative: Hire professional auditor for $5,000-$10,000 if Village prefers third-party review
2. Implement access logging
   • Enable Flock's built-in logging feature
   • Track which external agencies search Grafton data, when, and what they searched for
   • Generate monthly reports for Chief and civilian oversight committee review
   • Cost: Staff time to configure (likely $0, already in Flock system)
3. Update Policy 427 with specific audit requirements
   • Define what "regular" audits means (quarterly recommended)
   • Specify search justification standards
   • Prohibit vague reasons: "investigation" or "." are not acceptable justifications
   • Require specific case numbers and incident descriptions
   • Grant civilian oversight committee authority to review compliance
   • Cost: Staff time for policy review and Village Board approval

Timeline: Complete within 60 days

Budget Impact: $0 using volunteer civilian oversight (or $5,000-$15,000 if Village opts for professional third-party auditor)

These involve policy changes and ongoing processes with no budget impact:

1. Annual sunset clause for agency access
   • All 591 agencies must re-justify access every January
   • Application must explain why access to Grafton specifically is needed
   • Chief reviews and approves/denies
   • Public Safety Committee reviews and approves final list
   • Access automatically expires if not renewed
2. Quarterly reporting to Village Board
   • Add to Public Safety Committee standing agenda (Jan, Apr, Jul, Oct)
   • 5-minute presentation from Chief showing:
     • Number of searches performed
     • Alerts generated
     • Arrests resulting from cameras
     • External agency access statistics
     • Audit compliance results
   • Written report posted on village website
   • Public comment period
3. Reduce retention from 30 to 14 days
   • New Hampshire model proves 3 minutes works; 14 days is compromise
   • Coordinate with Flock to update system settings
   • Track effectiveness for 6 months to verify 14 days is sufficient
   • Re-evaluate if evidence shows longer retention truly needed
   • Reduces surveillance window by 50% for innocent residents

Timeline: Full implementation within 6 months

Budget Impact: Zero - these are policy and operational changes

1. Independent Civilian Oversight

Law enforcement should not be the only entity reviewing its own surveillance practices. Independent civilian oversight ensures:

• Searches are conducted for legitimate law enforcement purposes
• Policy violations are identified and corrected
• Community values are reflected in ALPR usage
• Public trust through transparent, accountable review

Implementation: Quarterly audits by independent third party, results presented to Public Safety Committee in public meeting.

2. Public Reporting on Usage Statistics and Effectiveness

Grafton residents pay $17,500/year for this system. We deserve to know:

• How many searches are performed
• How many result in arrests or case clearances
• What the hit rate is (what percentage of captures are actual suspects vs. innocent people)
• Cost-per-arrest analysis
• Which external agencies are accessing our data and how often

Implementation: Enable Flock's transparency portal (already in contract, zero cost) + quarterly written reports to Village Board.

3. Warrant Requirements for Historical Searches

Real-time alerts for stolen vehicles and wanted suspects don't require warrants - officers are responding to immediate threats.

But searching historical data is different. When officers search backwards through the database to see where someone was days or weeks ago, that's retrospective surveillance of their movements. Under Carpenter v. United States (2018), that level of comprehensive location tracking requires a warrant.

What this means:

• Real-time alerts: No warrant needed (stolen car passes camera, alert fires immediately)
• Historical searches: Warrant required (searching where someone was 2 weeks ago)
• Vehicle fingerprint searches: Warrant required (searching by bumper stickers, roof racks to identify specific individuals)

Implementation: Update Policy 427 to require judicial authorization for any search of data older than 24 hours, except for ongoing missing persons cases.