Where does privacy go to die? For gun owners and concealed carry applicants and permit holders in the Golden State, the answer must surely be California.
Under California law, applicants and holders of concealed carry licenses are required to provide sensitive personal information to the state: besides name, address, place of birth, and phone number, individuals must disclose their occupation, driver’s license or state ID number, and physical descriptors (race, sex, height, weight, hair color, eye color). Mandatory reporting is also required for every person who lawfully purchases a firearm or ammunition: what was purchased, when and where it was bought, and more. The information so collected is maintained in California Department of Justice (DOJ) databases.
In 2021, California Governor Gavin Newsom (D) signed a bill into law that authorizes the DOJ to turn over the information in these databases to third parties – the “California Firearm Violence Research Center” at the University of California Davis, and “any other nonprofit bona fide research institution accredited by the United States Department of Education or the Council for Higher Education Accreditation.” The law directs that “[m]aterial identifying individuals shall only be provided for research or statistical activities and shall not be … used for purposes other than research or statistical activities,” but includes no penalties for misuse or any enforcement mechanism for this provision.
On behalf of anonymous plaintiffs, the NRA filed a lawsuit against the state in federal court, alleging that handing over sensitive, identifying personal information to organizations that have no duty to safeguard it violated state and federal laws. California’s filing in response, dated February 9, 2022 and seeking to dismiss the lawsuit, asserted that the plaintiffs “worry that their records will become public, increasing the risk that they will be harassed and targeted for crime. Those concerns are entirely speculative. Ironically, researchers could probably use the very information Plaintiffs want suppressed to test their theory.” Even assuming the concern over public disclosure was reasonable, “the State’s interest in addressing firearm violence through research unquestionably outweighs whatever interest of a constitutional magnitude (if there even is one) that Plaintiffs have in keeping their information private.”
Shortly after that flippant dismissal of security concerns as baseless and “speculative,” the DOJ’s own newly-unveiled “2022 Firearms Dashboard Portal” exposed the personal information (name, address, age, Criminal Identification Index (CII) number and license type) of every concealed carry permit (CCW) holder in California. A statement by the Fresno County Sheriff’s Office advised that the DOJ had shuttered the site upon learning of the data breach, but “portions of private information may have been posted on social media websites. It is unknown exactly how much time the information was accessible.” The State Attorney General’s Office was expected to “institute a program to reduce any harm or damages to CCW holders that resulted from the breach.”
A statement issued by the DOJ on the breach confirmed that it was much more damaging. It included the data for individuals who had been granted or denied a permit between 2011 and 2021 (names, date of birth, gender, race, driver’s license number, addresses, and criminal history) and potentially extended to the “following dashboards: Assault Weapon Registry, Dealer Record of Sale, Firearm Certification System, and Gun Violence Restraining Order dashboards.” Attorney General Rob Bonta, the defendant in the NRA case, was quoted in the statement as saying, “The California Department of Justice is entrusted to protect Californians and their data. We acknowledge the stress this may cause those individuals whose information was exposed. I am deeply disturbed and angered.”
If that wasn’t enough to put paid to the California government’s assertions that fears of unauthorized access and misuse are unfounded and overblown, it now appears that another repository of secured, sensitive information maintained by the State has been inappropriately accessed and used by law enforcement, in direct violation of the applicable rules. According to the Electronic Frontier Foundation (EFF), a nonprofit group defending privacy rights and other civil liberties in the digital world, the “Los Angeles County Sheriff’s Department (LACSD) committed wholesale abuse of sensitive criminal justice databases in 2023, violating a specific rule against searching the data to run background checks for concealed carry firearm permits.”
The database at issue is the California Law Enforcement Telecommunications System (CLETS), which the EFF describes as containing “a lot of sensitive information” across a variety of databases, including records from the Department of Motor Vehicles, the National Law Enforcement Telecommunications System, Criminal Justice Information Services, and the National Crime Information Center.
According to a 2019 DOJ manual on CLETS, the controls against unauthorized use include a requirement that “[a]ll persons having access to information from the CLETS … undergo a background security clearance to determine their suitability for logical or physical access to the CLETS. This includes, at minimum, the required state and federal fingerprint-based criminal offender record information search,” and sign a user agreement statement. Access is restricted to “authorized law enforcement, criminal justice personnel or their lawfully authorized designees;” the information from CLETS is “confidential and for official use only;” and CLETS cannot be used for “licensing, certification or employment purposes.” Further, “[s]ecurity and awareness training shall be required for all personnel who have direct or indirect access to CLETS systems,” and the training “must include the requirement that CLETS information shall only be obtained in the course of official business.”
Due to the nature of the database information, law enforcement agencies with access to CLETS must inform the DOJ of any investigations and discipline related to misuse of the system. “Misuse” specifically includes “[q]uerying the Automated Criminal History System for licensing, employment or certification purposes (e.g., Carry Concealed Weapon permits),” and “[q]uerying yourself, family members, romantic partners, business associates, friends, neighbors” and the like.
The EFF periodically files freedom of information requests for the reports on misuse. The information on mandatory reporting for 2024 is due imminently, but the 2023 information reveals a “record 7,275 violations across California,” with the bulk of those being the LACSD’s 6,789 abuses. Singling out this misuse of CLETS for concealed carry permit research as one of the “highest profile” instances in 2023, the EFF notes that the “LACSD retrained all staff and implemented new processes. However, state Justice Department officials acknowledged that this problem was not unique, and they had documented other agencies abusing the data in the same way.” (Emphasis added.)
The sanctions imposed for 2023 violations included 24 officers being suspended, six officers resigning, and nine being fired. Interestingly, the 2023 suspensions represent nearly half of all of the suspensions (55) that resulted from misuse over a four-year period (2019 to 2023).
The critical fact underlying CLETS misuse is that it only came to light because of a mandatory reporting requirement. Unlike the CLETS system, which controls access continuously through a background security clearance, training, and other restrictions, it is not at all clear whether anything remotely approaching these (obviously not foolproof) access and misuse safeguards apply to UC Davis and whatever other entity receives the DOJ information. As the EFF findings demonstrate, even the many rules against misuse of CLETS were of limited effectiveness and failed to prevent a “wholesale abuse of sensitive criminal justice databases” in 2023. In the case of the DOJ database information that’s available to public researchers, how would anyone know there’s been unauthorized use, a data breach, or inappropriate disclosure?
As the EFF accurately observes, “CLETS is only one of many massive databases available to law enforcement, but it is one of the very few with a mandatory reporting requirement for abuse; violations of other systems likely never go reported to a state oversight body or at all. The sheer amount of misuse should serve as a warning that other systems police use, such as automated license plate reader and face recognition databases, are likely also being abused at a high rate – or even higher, since they are not subject to the same scrutiny as CLETS.”
Despite the assurances of California officials on the importance of “protecting” residents and their data, the reality is that government data leaks and actual misuse are far from isolated occurrences. And, given the magnitude of recent misuse and breaches, any privacy California’s legitimate firearm owners have managed to hang onto by now will continue to take a backseat to whatever gun control agenda the Golden State is pushing.