Why Are The Alameda County Sheriff And SFPD Sharing So Much Data With 287(g) agencies?

Earlier this summer, the SF Standard turned up the heat by reporting on a disturbing reality: Oakland and San Francisco have been enabling illegal out-of-state access to Californians’ license plate data through their Flock automated license plate reader (ALPR) systems.

This matters because California law is unambiguous. SB 34 (Hill) prohibits sharing ALPR information with any non-California entity. The goal is simple: protect public trust and prevent Californians’ sensitive location data from being used in ways our communities never consented to. 

What our initial review found was staggering. Based on records we obtained, the San Francisco Police Department (SFPD) appears to have shared ALPR data unlawfully millions of times, providing access to more than 4,000 out-of-state agencies. Alameda County’s system has shared with roughly 2,000 non-California agencies.

But we did not stop there.

A first-of-its-kind deep dive: how much access went to 287(g) deportation partners

We decided to dig deeper in a way we haven’t seen publicly documented before.

Among the more than 4,000 non-California agencies that received access to SFPD’s ALPR data in violation of SB 34, we estimate that at least 740 are formal members of the federal government’s 287(g) program—a program that deputizes local law enforcement to assist with immigration enforcement and deportation.

In Alameda County’s case, overall sharing volume on an annual basis is lower compared to San Francisco’s, but we currently estimate roughly 410 287(g) member agencies have been granted access.

And this isn’t a handful of one-off lookups.

We are seeing repeated, ongoing searches—tens of thousands of searches by 287(g) member agencies involving Alameda County’s data, and more than 100,000 involving San Francisco’s data.

This is what “illegal data sharing” looks like in practice: persistent, high-volume access by out-of-state agencies to Californians’ movements.

Why the real numbers may be even higher

Most investigative reporting that reviews ALPR access logs searches for keywords like “ICE,” “immigration,” “abortion,” or similar terms—and yes, those kinds of searches do appear.

But there’s a bigger problem: the transparency and auditing protections that SB 34 requires are routinely undermined.

Because SB 34 compliance around access logging is so poor—and because many agencies also violate California’s Public Records Act by unlawfully redacting required information—public oversight is often reduced to a black box. When details that SB 34 requires are missing (or unlawfully withheld), it becomes far harder to audit misuse and to quantify just how widespread illegal sharing really is.

That’s why the numbers we can see may be only a floor, not a ceiling.

To put the scale in perspective: Oakland, a much smaller city, averages roughly 48 million plate scans per month from 292 cameras and has logged at least 1.3 million apparent violations of SB 34 and Oakland’s own ALPR use policy. It is not hard to understand why we allege that San Francisco—operating around 400 ALPR cameras —could have committed millions of violations that we know about, and potentially far more that remain obscured.

A keyword suppression tool doesn’t fix this - Flock’s “solution” to these ongoing controversies. If people know certain terms will be flagged, they can simply avoid writing them down. Transparency that depends on officers volunteering incriminating detail is not transparency at all.

Who, exactly, got access?

The screenshots above are typical of what appears in monthly audit spreadsheets for SFPD and the Alameda County Sheriff’s Flock ALPR systems: page after page listing out-of-state agencies that have been allowed to query each database in violation of SB 34 and each agencies own use policy.

What has not been widely reported is what those lists reveal when cross-referenced against federal deportation partnerships.

From deep red states to local sheriffs’ offices

Many of the agencies receiving access are located in states with aggressive anti-immigrant policies—and in many cases, states that have also criminalized reproductive healthcare or restricted gender-affirming care. 

When the ability to track people’s movements is exported from California into those jurisdictions, Californians lose any meaningful control over how that data is used, shared, or weaponized.

Our review suggests that at least 740 of the out-of-state agencies with access to SFPD’s ALPR data are formal 287(g) members—agencies like the Palm Beach County (Florida) Sheriff’s Office and the Fulton County (Georgia) Sheriff’s Office, both visible in the sample screenshot.

In Alameda County’s audits, we see the same pattern at smaller scale—agencies such as the Walton County (Florida) Sheriff’s Office and the Williamson County (Tennessee) Sheriff’s Office appear as 287(g) members in the access lists, reflected in the above screenshot. We have found approximately 410 287(g) member agencies that have repeatedly accessed Alameda County’s database.

How we did the analysis (and what we’re still fighting to obtain)

We ran each monthly audit from Alameda County and San Francisco through an AI-assisted process to compare agency names against the official 287(g) member agency list. The work is not as simple as it sounds: agency names often contain duplicates and data hygiene errors (for example, multiple “Orange County” entries across different states; “Mercer” vs. “Merced” fuzzy name searches). We have taken care to account for those issues, and our estimates are conservative. 

We also want to be clear about what we can and cannot prove from the records currently available.

Because the required purpose field is often missing or redacted, we cannot confirm the reason for each of the millions of annual third-party searches. And even where a purpose is present, it does not necessarily prove the purpose is truthful. Still, when you find hundreds of thousands of searches by deportation-partner agencies into Californians’ plate data, it defies common sense to assume none relate to immigration enforcement or pursuing investigative leads as to reproductive or gender affirming care criminalized in those red states as their residents seek such services in California. Searches performed for ICE or CBP have been widely reported.

The law requires guardrails. These agencies removed them.

SB 34 doesn’t just forbid out-of-state sharing. It also requires the host agency to implement guardrails that protect the data and restrict improper access. By allowing broad, unfettered access to thousands of out-of-state agencies—including hundreds tied to 287(g)—San Francisco and Alameda County have effectively ignored the core safety mechanisms that SB 34 demands.

The predictable result is what we’re now documenting: millions of violations, and an enormous public accountability gap.

What comes next—and how you can help

When our analysis is complete, Secure Justice will submit a formal report of our findings to the California Department of Justice and to state lawmakers, and we will push for stricter controls, meaningful enforcement, and real consequences for agencies that treat privacy law as optional.

The timing of that report may be affected by ongoing public records litigation to obtain the full information SB 34 requires. But these cases generally move quickly, and we are committed to seeing this through.

This work takes time, expertise, and resources. If you believe Californians should not have their movements exported to deportation partners and out-of-state agencies—especially in direct violation of state law—please consider supporting Secure Justice today.

Donate to Secure Justice using the button below. If you can, become a monthly donor. Reliable support helps us plan investigations, bring public records cases, and hold powerful institutions accountable—again and again—until compliance is real.