Principles of the Law, Policing

(a) A policing database is an electronic or paper database controlled by a government agency that contains information resulting from, or used as a basis for engaging in, any of the policing functions identified in § 1.01.

(b) A policing database should be created only if necessary to facilitate a legitimate policing objective.

(c) Any policing database that contains information about identified or identifiable individuals should be governed by written policy or policies that specify:

• (1) the purpose of the data collection, including the criteria for inclusion in the database;
• (2) the scope of data to be collected, including the types of individuals, locations, or records that will be the focus of the database; and
• (3) the limits on data retention, the procedures for ensuring the accuracy and security of the data, the circumstances under which the data can be accessed, and mechanisms for ensuring compliance with these rules, consistent with the Principles in the remainder of this Chapter.

(d) Databases that aggregate data from more than one jurisdiction generally should be authorized by statute or ordinance governing all affected jurisdictions.

Comment:

a. Scope of policing databases. In pursuing the legitimate policing objectives set out in § 1.01(a), agencies typically will collect and maintain data about their activities. In the past this largely was done in paper-based files, but today virtually every agency uses electronic and digital databases. Agencies are increasingly also purchasing data relevant to the policing function from private companies. To the extent that an agency maintains control over the data it has collected or purchased, these Principles apply. Thus, for instance, these Principles apply to fusion centers that bring together, under agency control, information from a number of different sources. They also apply to data collected and controlled by police but maintained by third parties, such as cloud-computing services. (If data instead is maintained outside agency auspices, such as with a bank, a communications carrier, or a utility company, these Principles do not apply. Still, an agency’s access to databases that it does not control—whether through purchase, compulsory process, or some other mechanism—should be in accordance with the Principles in Chapters 2, 3, and 5.)

Consistent with the definition of policing agencies in § 1.01, these Principles apply not only to databases maintained by traditional law-enforcement or national-security agencies, but also to databases maintained by agencies like the Internal Revenue Service, the Securities Exchange Commission, or state health and safety departments to the extent that those agencies use the information in their databases to investigate individuals for wrongdoing that can lead to criminal or administrative penalties. In contrast, this Chapter does not govern databases maintained by agencies like state divisions of motor vehicles that do not carry out policing functions.

Policing databases might contain a wide array of information.

Casefiles contain information about an investigation of a particular individual, including evidence gathered during an investigation; citations or warrants; information about detentions, arrests, prosecutions, and convictions; information relevant to civil or administrative cases or incidents (such as calls for medical assistance or investigations of regulatory violations) that involve the police; and also include information that is linked to a specific crime rather than to an individual, such as files describing stolen property or other unsolved crimes.

Watchlists contain information about known or suspected offenders or other people “reasonably suspected” of belonging to groups that policing agencies believe should be monitored. Examples include no-fly lists, sex-offender registries, and so-called “gang databases.” They also include missing-person lists.

Programmatic databases contain information about individuals obtained as a result of suspicionless programs of the type discussed in Chapter 5. These include DNA, fingerprint, and other identification databanks; images obtained through camera surveillance; vehicle-travel data from license-plate-recognition systems; and information gleaned from inspection programs, drug testing, or roadblocks. These types of databases also may include data acquired—through purchase or otherwise—from third parties, including license-plate records and financial records purchased from a private vendor.

Consensual databases contain information about individuals who voluntarily have provided personal information in connection with various public-safety programs (e.g., anti-kidnapping fingerprint programs, crime-alert programs, and specialized police-protection programs).

Finally, multijurisdictional databases contain combinations of these databases from a number of police jurisdictions, aggregated and intended for access by other agencies. Obvious examples are the fingerprint, arrest, and conviction databases maintained by the federal government. More recent examples include metadata collected by federal national-security agencies, fusion centers that bring together information from a number of jurisdictions and make that information accessible statewide, and the growing use of target databases for facial-recognition analysis.

One type of police-maintained database that is not meant to fall within the ambit of this Chapter is a database containing files on investigations of police misconduct, or related files (such as “Brady lists” that describe officer conduct that is material to challenging the prosecution’s case). Although such a file could contain information “resulting from or used as a basis of [a] policing function” such as search or seizure, surveillance or questioning witnesses, and thus could be said to fall within the definition in subsection (a), the information in such files is aimed at the police themselves, not the public. Police misconduct files are governed by special confidentiality rules. They are also often the subject of litigation that may call for different rules about purging and de-identification than those that apply to files on citizens. More generally, aggregate, de-identified information about police practices might need to be retained for research purposes. Chapters 13 and 14 deal with issues surrounding the collection of information relevant to disciplining and researching the police.

b. The need for regulation. Casefiles, watchlists, and programmatic, consensual and multijurisdictional databases can be crucial to implementing the policing objectives set out in § 1.01(a). By facilitating identification, easing access to investigative information and evidence, and enabling the use of algorithms, they can enhance the efficiency of legitimate policing objectives. For these reasons, virtually every agency relies on all or most of these five types of databases.

At the same time, the creation and maintenance of databases by agencies can raise several concerns: unnecessary accumulation of information about blameless individuals (including people who are stopped for no legitimate reason); discriminatory or otherwise improper collection of data; misuse of data; mistakes based on inaccurate data; inadvertent disclosures; and security breaches (especially when the databases are computerized). These concerns are particularly acute when agencies accumulate information about individuals that relates to allegations of criminal activity. If such information is inaccurate or maintained beyond the period relevant to law enforcement, it can lead to inferences that are unjustified and to police actions that should not occur, including stops and arrests. Innocent individuals can have their lives upended because of bureaucratic errors or inertia.

Accordingly, this Chapter requires written policies promulgated pursuant to § 1.06 that make clear the purpose and content of each database and that protect against inaccuracy and unauthorized access. The various issues raised by subsection (c)(3) should be addressed by statute or ordinance, although specific details can of course be left to regulation.

c. Identified or identifiable information. This Chapter governs only databases containing information about “identified” or “identifiable” individuals. As defined in the Principles of the Law, Data Privacy, “identified” data is “directly linked to a specific person,” while data is “identifiable” when “there is a moderate probability that it could be linked to a specific person” (as might be the case with a database that lists addresses but no names). Id. § 2(b)(2). The Principles in this Chapter do not apply to “nonidentifiable” data, which the Principles of the Law, Data Privacy, define as data that has a “low probability” of being associated with a known person, id. § 2(b)(3), and might include data about crime “hot spots” or information about patterns of vehicular accidents. Although in theory almost any anonymized data can be re-identified, data for which there is a low probability of identification does not raise sufficient concerns about privacy to warrant coverage under this Chapter.

d. Multijurisdictional databases. Subsection (d) stipulates that when information from multiple jurisdictions is collected in a database, the policy governing its scope and use should be adopted through statutory enactment that applies to all affected jurisdictions (except, of course, those outside the United States). Given the number of people involved and the diverse interests likely to be implicated, any plan to house in one database identified or identifiable data from a number of jurisdictions should be subject governance by the democratic process. Thus, the purpose and scope of DNA databases, fusion centers, and federal-identification and metadata programs should be determined by a legislative body accountable to all persons whose data might be in the database. Although such legislation often may have to come from Congress, to the extent that federal regulation would run afoul of the constitutional anti-commandeering doctrine prohibiting unfunded federal mandates, it may have to originate at the state or local level.

Reporters’ Notes

1. Police-maintained databases. Organized repositories of information—today usually called databases—have long been maintained by policing agencies. Paper-based systems housing criminal and fingerprint records were used throughout the 20th century. Samuel Walker, Popular Justice: A History of American Criminal Justice 160 (2d ed. 1998). As early as the 1930s, the Federal Bureau of Investigation established the first criminal-evidence laboratory, which facilitated analysis of fingerprints, hair, blood, and firearms. Id.

Since the advent of computerization, and especially since the 1990s, the capacity, scope, and accessibility of policing databases have increased significantly. Such databases now exist at the federal, state, and local levels. Criminal records (over 20 million in number) have become available to virtually every police department in the United States through the federal National Instant Criminal Background Check System, and in 2019 were accessed over 28 million times. See 2019 NICS Operations Report, www.fbi.gov/file-repository/2019-nics-operations-report‌.pdf/view. Also available from federal sources are immigration, gang, wanted-person, sex-offender, violent-offender, and stolen-gun, vehicle and boat files; files that are accessed by law enforcement up to 17 million times a day. National Crime Information Center (NCIC), Fed. Bureau of Investigation, [https://perma.cc/8GJW-N8R2]. Since the late 1990s, biometric databases providing digitized images of fingerprints and other identifying features have become accessible through the National Criminal Information Center (NCIC). Fingerprints and Other Biometrics, Fed. Bureau of Investigation, [https://perma.cc/S924-BWM2]; Stephanie Hitt, NCIC 2000, FBI L. Enforcement Bulletin, July 2000, at 12, [https://perma.cc/MDU7-QKSP]. More recently, the Combined DNA Index System (CODIS) containing the DNA of almost 15 million offenders has come online. CODIS-NDIS Statistics, Fed. Bureau of Investigation, available at www.‌fbi.gov/‌services/laboratory/biometric-analysis/codis/ndis-statistics. Facial-recognition technology provides the FBI with over 50 million facially recognizable profiles that over the two-year period ending in April 2019 were accessed by police over 150,000 times. See Nathan Ingraham, FBI’s Facial Recognition Database Will Contain 52 Million Images by 2015, The Verge (Apr. 14, 2014), [https://perma.cc/TMG8-USKS]; Kimberly del Greco, Deputy Ass’t Director, Criminal Justice Division, FBI, Statement Before the House Oversight and Reform Committee (June 4, 2019), available at www.fbi.gov/news/testimony/facial-recognition-technology-ensuring-transparency-in-government-use. And Customs and Border Protection use this technology to identify passengers over three million times a year. Lori Aratani, Facial-Recognition Scanners at Airports Raise Privacy Concerns, Wash. Post (Sept. 15, 2018), https//perma.cc/Y2ME-ZZE3]. The FBI is spending more than a billion dollars expanding its Next Generation Identification system to include not only fingerprints and photos, but iris scans, palm prints, gait and voice recordings, scars, tattoos, and DNA legitimately obtained through other means. Criminal Justice Information Services, https://www.fbi.gov/services/cjis/fingerprints-and-other-biometrics/ (accessed May 5, 2021). This Chapter refers to these various types of programs as “multijurisdictional” databases and states that they should generally be authorized by statute or regulation at the federal level and, if used by state policing agencies, legislation or regulation within the particular state as well.

The National Security Agency (NSA) and other federal agencies tasked with protecting national security maintain numerous other types of databases that likewise are multijurisdictional. Probably the best known federal-data national-security accumulation effort is the NSA’s “metadata” program—made famous following the revelations by Edward Snowden—which collected phone numbers and email addresses from overseas communications. Glenn Greenwald & Spencer Ackerman, NSA Collected US Email Records in Bulk for Over Two Years Under Obama, The Guardian (June 27, 2013), [https://perma.cc/GFE6-72KT]. Although that data-collection program was reportedly terminated, the NSA still has the capacity to collect the content as well as the related metadata of communications between national-security targets and other parties, including American citizens. Charlie Savage, Disputed NSA Phone Program is Shut Down, Aides Say, N.Y. Times (Mar. 4, 2019), [https://www.nytimes.com/‌2019/03/04/us/politics/nsa-phone-‌records-program-shut-down.html]. A separate effort is the federal Terrorist Watchlist, which contains over one million names (although its constitutionality has been called into question in light of its scope). Timothy Bella, The FBI’s Watchlist Violates the Constitution, Federal Judge Says, Wash. Post, Sept. 5, 2019.

Most states maintain their own databases with respect to DNA, fingerprints, and other biometric information. See Stephen Mercer & Jessica Gabel, Shadow Dwellers: The Underregulated World of State and Local DNA Databases, 69 N.Y.U. Ann. Sur. Am. L. 639 (2014). A separate development is the aggregation and sharing of private and public data through “fusion centers.” Seeded by federal funding after the Sept. 11, 2001, terrorist attacks, but run by state law-enforcement agencies, these centers gather or coordinate information from a huge number of public and private database systems, including those that record judicial decisions, real-estate and financial transactions, vehicle travel, and public-health information. Recommendations for Fusion Centers: Preserving Privacy and Civil Liberties While Protecting Against Crime and Terrorism, The Constitution Project 4 (2012), [https://perma.cc/2H6L-6JAJ]

Local police departments also maintain a number of data lists on gang membership, crime hotspots, gun-crime violators, arsonists, and the like. K. Babe Howell, Gang Databases: Labeled for Life, 35 Champion 28 (2011); N.Y. Police Dep’t, NYC Crime Map, [https://perma.cc/5PVQ-3SM9] (cataloging crime by geographic location); Wash. DC Police Crime Mapping, D.C. Metro. Police Dep’t, [https://perma.cc/2RMF-4JNH] (providing a crime map searchable by geographic location and crime type, including gun crimes, arson, and other violent crimes). Technology also allows police departments to capture car license-plate numbers, faces, and social-media traffic. Nancy G. La Vigne et al., Urban Inst., Using Public Surveillance Systems for Crime Control and Prevention: A Practical Guide for Law Enforcement and Their Municipal Partners 3-5, 25-27 (2011), [https://perma.cc/4R46-ACM7] (describing license-plate-reading systems); Clare Garvie, Alvaro Bedoya & Jonathon Frankle, Georgetown Law Ctr. on Privacy & Tech., The Perpetual Lineup 2, 22-23 (2016), [https://perma.cc/5QLT-VBVP]; John Buntin, Social Media Transforms the Way Chicago Fights Gang Violence, Gov’t Tech. (Sept. 30, 2013), [https://perma.cc/CPW3-MSLL]; Chicago Police Dep’t, General Order G10-01, Gang Violence Reduction Strategy (Dec. 31, 2015), [https://perma.cc/K5VJ-NC2M] (“The Department GVRS . . . is comprised of multiple components: information gathering, analysis, dissemination of intelligence, linking of gangs to their factions, social network mapping, and a variety of mission-specific operations focused on targeted gang members and their associates.”).

2. Third-party databases. Private institutions and public entities other than policing agencies also maintain databases that can be useful to law enforcement, but typically are not controlled by the policing agency in the sense used in this Chapter. Those include databanks containing bank records, phone records, cell-site location information (CSLI), internet-service-provider logs, credit-card records, utility records, and travel logs. See generally Daniel J. Solove, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. Cal. L. Rev. 1083, 1089-1095, 1101 (2002). Additionally, government agencies other than those involved in policing house a trove of personal information of potential use to law enforcement, including tax records, division-of-motor-vehicle records, social-security records, property records, and dozens of others. See, e.g., Dalia Naamani-Goldman, Anti-terrorism Program Mines IRS’ Records, L.A. Times, (Jan. 15, 2007), [https://perma.cc/U434-DVUN] (describing a mining program named REVEAL that allowed the FBI to access 16 private and public databases, including those maintained by the Social Security Administration for investigative purposes). See also Susan Stellin, Security Check Now Starts Long Before You Fly, N.Y. Times (Oct. 21, 2013), [https://perma.cc/GMF5-KWAC] (describing the TSA’s pre-screening program, which involves obtaining information about passengers from both government and private databases and, in some instances, sharing information about passengers with private entities such as debt collectors); Rachel Levinson-Waldman, What the Government Does with Americans’ Data, Brennan Ctr. for Justice (Oct. 8, 2013), [https://perma.cc/EA3X-HZZT] (describing a number of instances in which the government mines data from both government and private databases). If police access those types of databases, including databases maintained by other government agencies, the Principles in Chapter 2, Chapter 3 (when suspicion-based) and Chapter 5 (when suspicionless) apply.

3. The uses and abuses of police databases. The value to law enforcement of police databases is enormous, especially as policing increasingly moves toward technologically based crime fighting. Home Affairs Select Comm., A Surveillance Society? Fifth Report of Session 2007-08 (UK HC 2008-09 58-I) (“The foundation for all new technologies is the database.”); see also Herring v. United States, 555 U.S. 135, 155 (2009) (Ginsburg, J., dissenting) (“Electronic databases form the nervous system of contemporary criminal justice operations.”). The advantages of national and local criminal record, watchlist, and surveillance and facial-recognition databases are well known. Easy access to data about criminal activity facilitates “hot-spot” policing, investigations of suspects, and pretrial detention and sentencing decisions. As detailed here and in Chapter 5, DNA and other identification databases and databases from surveillance programs can significantly increase the efficiency and accuracy of crime-scene investigations.

Ranged against these benefits of police-maintained databases are several potentially serious costs. Minimizing those costs is the focus of the remaining Principles in this Chapter.

The overarching danger inherent in government collection of information, especially now that computerization has facilitated the process vastly, is the temptation to create and maintain voluminous records about everyone, threatening individual security and privacy. This concern was captured by then-Judge William Rehnquist, when he stated “most of us would feel that . . . a dossier on every citizen ought not to be compiled even if manpower were available to do it.” William H. Rehnquist, Is an Expanded Right of Privacy Consistent with Fair and Effective Law Enforcement? Or: Privacy, You’ve Come a Long Way, Baby, 23 U. Kan. L. Rev. 1, 10 (1974). With the advent of modern computers, the availability of human capital no longer is an issue. Even when data collection is limited, it can be immensely revealing about everyday life. For instance, although metadata typically only consists of phone numbers, IP addresses, length of call, and other non-content information, former NSA General Counsel Stewart Baker stated that “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” Alan Rusbridger, The Snowden Leaks and the Public, The N.Y. Review of Books (Nov. 21, 2013), [https://perma.cc/MTM5-AJYG]. Congress acknowledged the menace associated with expansive government data collection when in 2003 it defunded, by voice vote, the post-Sept. 11, 2001, program known as “Total Information Awareness,” the icon for which depicted an all-seeing eye looking out over the globe, accompanied by the maxim “Knowledge is Power.” Senate Rebuffs Domestic Spy Plan, Reuters, Jan. 23, 2003, available at http://www.wired.com/‌politics/law/news/‌2003/01/57386.

Bolstering this general worry about government data collection are several, more specific concerns. One potential downside of law-enforcement databases is the temptation of agency personnel to misuse database information. J. Edgar Hoover’s illegal use of FBI files is well known. See Curt Gentry, J. Edgar Hoover: The Man and the Secrets 51 (1991) (describing Hoover’s use of information in FBI files to blackmail, discredit, or destroy his adversaries). Many more recent abuses have been documented, including illicit use of national-security databases, vehicle databases, and local police databases. See, e.g., Rachel Levinson-Waldman, Hiding in Plain Sight: A Fourth Amendment for Analyzing Public Government Surveillance, 66 Emory L.J. 527, 553 (2017) (detailing government efforts to obtain and retain data on political opponents, protesters, and religious groups); Amy Pavuk, Law-Enforcer Misuse of Driver Database Soars, Orlando Sentinel (Jan. 22, 2013), [https://perma.cc/B8XP-4PJ4] (detailing abuse of driver databases); James Hamilton & Steve Blum, Top Ten List of Police Database Abuses, Rense.com (June 12, 2002), [https://perma.cc/E4HB-ASQP] (detailing sale of police data to organized-crime syndicates, probing of political opponents, and stalking of acquaintances); Camaj v. Dep’t of Homeland Sec., 542 F. App’x 933, 933 (Fed. Cir. 2013) (per curiam) (immigration officer admitted to 314 unauthorized queries).

A second specific concern associated with police databases is that they facilitate privacy invasions by others. As the multiple successful attacks on government databases by foreign and domestic hackers attest, aggregation of data in one place facilitates identify theft and other invasions. Michael Schmidt, David E. Sanger & Nicole Perlroth, Chinese Hackers Pursue Key Data on U.S. Workers, N.Y. Times (July 9, 2014), [https://perma.cc/27NE-FVE9]; David E. Sanger, Russian Hackers Broke Into Federal Agencies, Officials Suspect, N.Y. Times, Dec. 13, 2020, www.‌nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.‌html. Police departments have not been immune from such incursions. See Kevin Collier, Crippling Ransomware Attacks Targeting U.S. Cities on the Rise, CNN Politics (May 10, 2019) (reporting that at least 45 police and sheriff offices have been subject to ransomware attacks since 2013), https://‌‌‌‌www.cnn.com/2019/05/10/politics/ransomware-attacks-us-cities/index.html. Along the same lines, several scholars have warned about the “massive and disturbing” infringement that could result from hacking into DNA databases. Stephen Mercer & Jessica Gabel, Shadow Dwellers: The Underregulated World of State and Local DNA Databases, 69 N.Y.U. Ann. Surv. Am. L. 639, 687 (2014).

A third concern is the potential for mistakes based on erroneous data. See generally Wayne A. Logan & Andrew Guthrie Ferguson, Policing Criminal Justice Data, 101 Minn. L. Rev. 541 (2016); Herring v. United States, 555 U.S. 135, 155 (2009) (Ginsburg, J., dissenting). No-fly lists contain a notorious number of false positives, including the late Senator Ted Kennedy and former assistant U.S. attorney general Jim Robinson. See ACLU, U.S. Government Watchlisting: Unfair Process and Devastating Consequences (Mar., 2014), [https://perma.cc/DJH2-A8ZH]. States often report lengthy backlogs in updating and correcting criminal-history database information. Bureau of Justice Statistics, U.S. Dept. of Justice, Survey of State Criminal History Information Systems, 2014, at 7 (Jan. 2015), [https://perma.cc/X3XL-DZC4]. Gang databases can include individuals who are not in fact gang members. Eric J. Mitnick, Procedural Due Process and Reputational Harm: Liberty as Self-Invention, 43 U.C. Davis L. Rev. 79, 126 (2009). Accuracy concerns are exacerbated by the fact that many of those local databases are set up with the help of for-profit enterprises that may not be cautious about the information collected. Laboratory Services, Fed. Bureau of Investigation, [https://perma.cc/5AAG-YEEY].

The effects of database inaccuracy can be serious. Data errors routinely result in wrongful stops, searches, and arrests. Wayne J. Pitts, From the Benches and the Trenches: Dealing with Outstanding Warrants for Deceased Individuals: A Research Brief, 30 Just. Sys. J. 219, 220 (2009). For instance, in St. Louis, Missouri, erroneous warrants resulted in a number of individuals collectively spending more than 2,000 days in jail from 2005 to 2013, or an average of about three weeks per person. Robert Patrick & Jennifer S. Mann, Jailed by Mistake, St. Louis Post-Dispatch (Oct. 26, 2013), [https://perma.cc/N3RR-P7KR]. Similarly, watchlist errors can have negative effects on a person’s ability to work, as well as to travel and even to vote. Margaret Hu, Big Data Blacklisting, 67 Fla. L. Rev. 1735, 1777-1792 (2016) (documenting impact of no-work, no-vote, no-citizenship, no-fly, and terrorists watchlists); Barry Friedman, Unwarranted: Policing Without Permission ch. 11 (2015). In a suit brought by 23 individuals who experienced secondary screenings at airports and border crossings, a federal district court ruled that the federal Terrorist Screening Database triggers due process protections because it involves more than a “de minimis” deprivation of liberty. Elhady v. Kable, 391 F.Supp.3d 562, 582 (E.D. Va. 2019).

A fourth and related concern is the phenomenon known as mission creep. Government programs initially aimed at gathering information about “subversives” often have expanded to vacuum up data about individuals simply because they protested against government policies. Seth Rosenfeld, Subversives: The FBI’s War on Student Radicals, and Reagan’s Rise to Power 16, 213-214 (2012). Fusion centers, initially designed as counterterrorism units, now routinely are used in ordinary investigations. Danielle Keats Citron & Frank Pasquale, Network Accountability for the Domestic Intelligence Apparatus, 62 Hastings L.J. 1441, 1463-1466 (2011) (describing privacy, mission creep, and transparency concerns); Staff of S. Permanent Subcomm. on Investigations, 112th Cong., Fed. Support for and Involvement in State and Local Fusion Centers (Comm. Print 2012) (criticizing fusion centers for producing intelligence of “uneven quality,” and for collecting information unrelated to terrorist activities). See also Daniel B. Wood & Alison Tully, Why L.A. Police Nixed Plan to Map Muslims, Christian Sci. Monitor (Nov. 20, 2007), [https://perma.cc/2YYB-JPKZ] (describing how the Los Angeles Police Department discontinued a plan to map Muslim enclaves in the city after Muslim and other religious leaders discovered the plan and mounted protests). Similarly, municipal camera systems originally set up to deter violent crime and property theft have been used as means of identifying the homeless and vagrants and removing them from public areas. Clive Norris, From Personal to Digital: CCTV, the Panopticon and the Technological Mediation of Suspicion and Social Control, in Surveillance and the Social Sorting: Privacy Risk and Automatic Discrimination 28 (David Lyon ed., 2003).

Finally, casefile and watchlist databases can memorialize the results of biased and racially discriminatory policing. This can lead to further unjustified police confrontations or other adverse effects. See Floyd v. City of New York, 959 F. Supp. 2d 540, 558 (S.D.N.Y. 2013) (noting that the central flaw in the database of recorded stop-and-frisks performed by the NYPD was the fact that the officers controlled the record and thus inaccurately minimized the number of unconstitutional stops). See generally Sarah Brayne, Predict and Surveil: Data, Discretion and the Future of Policing (2021) (recounting how the Los Angeles Police Department directs its officers to fill out reports on every encounter that include, inter alia, identification of people who are subject to illegitimate stops or happen to be with such people, which information is then entered into a database and used to justify subsequent encounters).

4. Law regarding database scope. These potential problems with databases suggest that although their value can be substantial, their creation and maintenance should be monitored carefully. The U.S. Supreme Court has had little to say about the legality of databases maintained by policing agencies, but the Court—as well as individual justices—have at times acknowledged the regulatory problems they pose. See, e.g., Whalen v. Roe, 429 U.S. 589, 605 (1977) (noting “the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files.”); United States v. Jones, 565 U.S. 400, 416 (Sotomayor, J., concurring) (“I would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.”).

Federal and state statutes recognize the need for controls on data accumulation by the police. The Privacy Act requires that federal agencies only maintain information that is “relevant and necessary to accomplish a purpose” that the agency is required to accomplish, Privacy Act, 5 U.S.C. § 552a(e)(1) (2012). Although the Act provides exemptions for any agency “which performs as its principal function any activity pertaining to the enforcement of criminal laws,” those exemptions make clear that the information retained should pertain to an “identifiable individual” in specific criminal cases or consist of “investigatory material compiled for law enforcement purposes,”—stipulations that are analogous to the casefiles and watchlists described in the Comments to this Section. Id. at (j), (k). The Act also regulates the retention of data regarding the exercise of First Amendment activities. 5 U.S.C. § 552a(e)(7). More specific federal laws regulate police access to various kinds of third-party records, including medical records, cable-television-subscriber histories, and financial records. See Erin Murphy, The Politics of Privacy in the Criminal Justice System, 111 Mich. L. Rev. 485 (2013) (describing more than a dozen federal privacy statutes). States and localities have adopted various provisions as well. See, e.g., Freedom of Association and Assembly Protection Act, Md. Code Ann., Pub. Safety § 3-701(d)(1)-(2) (West 2017) (regulating police retention of information about protected First Amendment activities); District of Columbia First Amendment Assemblies Act of 2004, D.C. Code § 5-331.02 et seq. (West 2017) (same). These various statutes, however, are piecemeal at best. And often the protections they afford are limited in scope. See, e.g., Cal. Civ. Code § 1798.90.51 (West 2017) (requiring vehicle-location information be collected with “respect for individuals’ privacy and civil liberties,” but providing no substantive limitations on such collection); see also Sarah Brayne, The Criminal Law and Law Enforcement Use of Big Data, 154 Ann. Rev. L. & Soc. Sci. 293, 301 (2018) (because of “dragnet surveillance techniques that make possible everyday mass surveillance at an unprecedented scale, the threshold for inclusion in police databases is lower in the age of big data.”). These Principles set out a framework for regulating police databases in a manner that preserves their utility for legitimate policing objectives while minimizing the various harms that their use can impose.