In yet another failure to follow the rules, the San Francisco Police Department is collaborating with the regional fusion center with nothing in writing—no agreements, no contracts, nothing— governing the relationship, according to new records released to EFF in its ongoing complaint against the agency.
This means that there is no document in place that establishes the limits and responsibilities for sharing and handling criminal justice data or intelligence between SFPD and the fusion center and other law enforcement agencies who access sensitive information through its network.
SFPD must withdraw immediately from any cooperation with the Northern California Regional Information Center (NCRIC). Any moment longer it continues to collaborate with NCRIC puts sensitive data and the civil rights of Bay Area residents at severe risk.
Fusion centers were started in the wake of 9/11 as part of a Department of Homeland Security program to improve data sharing between local, state, tribal, and federal law enforcement agencies. There are 79 fusion centers across the United States, each with slightly different missions and responsibilities, ranging from generating open-source intelligence reports to monitoring camera networks. NCRIC historically has served as the Bay Area hub for sharing data across agencies from automated license plate readers (ALPRs), face recognition, social media monitoring, drone operations, and "Suspicious Activity Reports" (SARS).
NCRIC requires all participating agencies to sign a data sharing agreement and non-disclosure agreement ("Safeguarding Sensitive But Unclassified Information"), which is consistent with federal guidelines for operating a fusion center. EFF has independently confirmed with NCRIC staff that SFPD has not signed such an agreement. This failure is even more surprising considering that SFPD has had two liaisons assigned to the fusion center and the police chief has served as chair of NCRIC's executive board.
In December 2020, EFF filed a public records request under the San Francisco Sunshine Ordinance, following a San Francisco Chronicle report suggesting that an SFPD officer had submitted a photo of a suspect to the fusion center's email list and received in response a match generated by face recognition, which would potentially violate San Francisco's face recognition ban. We sought records related to this particular case, but more generally, we sought communications related to other requests for photo identification submitted by SFPD, communications about face recognition, and any agreements between SFPD and NCRIC.
When SFPD failed to comply with our records request, we filed a complaint with the San Francisco Sunshine Ordinance Task Force, the citizen body assigned to oversee violations of open records and meetings laws. Many new documents were released and SFPD was found by the task force to have violated both the Sunshine Ordinance and the California Public Records Act. One document was missing though: the fusion center agreement.
New records released in the complaint now explain why: no such agreements exist. SFPD didn't sign any, according to multiple emails sent between staff.
SFPD can't simply solve this problem by signing the boilerplate agreement tomorrow. Any formal partnership or data-sharing relationship with NCRIC would have to go through the process required by the city's surveillance oversight ordinance, which requires public input into such agreements and the board of supervisors’ approval. SFPD should expect public opposition to its involvement with the fusion center, just as there was opposition to its involvement in the FBI's Joint Terrorism Task Force.
Even if that process were to move forward, the public must be involved in crafting the exact language of the agreement. For example, when the Bay Area Rapid Transit (BART) Police Department pursued an agreement with NCRIC, the grassroots advocacy group Oakland Privacy (an Electronic Frontier Alliance member) helped negotiate an agreement with stronger considerations for civil liberties and privacy.
This isn't the first time SFPD has played fast and loose with data regulations. EFF is currently suing the department for accessing a live camera network to spy on protesters without first following the process required by the surveillance oversight ordinance. EFF has also filed a second Sunshine Ordinance complaint against SFPD for failing to produce a mandated ALPR report in response to a public records request.
This latest episode re-emphasizes that SFPD has not earned the trust of the people when it comes to its use of technology and data. SFPD should be cut off from NCRIC immediately, and the Board of Supervisors should treat any claim about accountability from SFPD with skepticism. SFPD has proven it doesn't believe rules matter, and that should always be a deal-breaker when it comes to surveillance.