EPIC Coalition Targets ALPR Creep With a Tolling-Only Line

EPIC and more than 40 groups are urging Congress to limit automatic license plate readers to tolling. The practical issue is purpose control, not just data

2026-05-29 GIGATAP Team #opsec
#digital-rights#privacy#surveillance

The EPIC coalition push matters because it targets the allowed use of automatic license plate readers, not just their abuse. If the amendment advances, ALPR systems tied to federal transportation policy would be limited to tolling rather than broad location surveillance.

What changed in the EPIC coalition push#

EPIC says it joined more than 40 civil society groups in urging the U.S. House Committee on Transportation and Infrastructure to support an amendment to the Highway Bill. The amendment, introduced by Reps. Scott Perry and Chuy García, would ban the use of automatic license plate readers for any purpose other than tolling.

That is the core fact. This is not a report of a law taking effect. It is a pressure campaign around an amendment before a congressional committee. The source frames the amendment as a response to the rapid growth of ALPR surveillance technology in recent years.

The distinction matters. Many privacy fights focus on access rules after collection: who can query the database, under what standard, and for how long. This proposal goes earlier in the chain. It would narrow the permitted purpose of collection itself.

For security operations and privacy risk reviews, that is the sharper control. A retention limit can reduce damage after data is gathered. A purpose limit can prevent whole classes of data from being gathered under a vague public-safety label in the first place.

Why automatic license plate readers create a different privacy risk#

Automatic license plate readers do not just identify a car at one point in time. At scale, they can turn ordinary driving into a location trail. The privacy risk comes from repetition, aggregation, and sharing.

A single scan may look mundane. A network of scans can reveal patterns: where someone sleeps, works, worships, receives medical care, meets other people, or crosses jurisdictional lines. That is why ALPR policy cannot be judged only by the sensitivity of one photograph or one plate number.

The EPIC coalition angle also points to a governance problem. Transportation infrastructure is often justified through operational need: tolling, traffic management, public safety, and enforcement. Once sensors are installed, the boundary between a narrow function and a general surveillance system can blur unless the permitted use is written tightly.

A tolling-only rule is narrow by design. It accepts that some plate reading may be necessary for a specific transportation function, while rejecting the conversion of that same infrastructure into a wider location-tracking layer. Whether Congress adopts that line is unresolved. But as a policy test, it is clear enough to evaluate.

What to check before acting on this#

Readers should not treat this as an immediate compliance change. The source says EPIC and other groups urged the committee to support an amendment. It does not say the amendment has passed, that the Highway Bill has been finalized with this language, or that existing ALPR deployments have already been banned.

For organizations, journalists, and local advocates tracking the issue, the useful operational checks are more concrete:

  • Identify whether ALPR systems are used for tolling only, law enforcement, parking, traffic analytics, or mixed purposes.
  • Check who owns the cameras, who operates the database, and who can query the records.
  • Review retention periods. Short retention does not solve every issue, but indefinite or poorly defined retention raises the risk.
  • Look for sharing arrangements across agencies, contractors, or regional networks.
  • Ask whether the policy limits collection, limits use after collection, or only limits public disclosure.
  • Track whether federal transportation funding, highway programs, or local procurement rules are tied to ALPR deployment.

The key question is not simply whether ALPR exists. It is whether the system has a narrow operating purpose and enforceable limits. A camera used to bill a toll is a different risk profile from a camera network used to build searchable movement histories.

What not to overclaim#

The source material is limited. It supports a clear claim that EPIC joined more than 40 groups urging support for a tolling-only ALPR amendment. It does not support claims about the amendment’s chances, final statutory text, enforcement mechanics, or direct impact on any specific vendor deployment.

It also does not, by itself, prove that every ALPR use is unlawful or that every transportation agency is misusing the technology. The stronger point is narrower: without strict purpose limits, ALPR infrastructure can shift from a transportation tool into a surveillance database.

That is enough to make the amendment worth watching. In privacy policy, the practical fight is often over defaults. Is collection exceptional and tied to a defined task, or is mass collection normal until someone proves harm? The EPIC coalition is pushing for the first model.

Why this belongs in security operations#

This is a digital rights story, but it also belongs in security operations. Location data is sensitive operational data. It can expose employees, activists, officials, sources, patients, customers, and ordinary residents. Once collected and shared, it becomes part of the attack surface.

Security teams often think in terms of system compromise. Privacy risk adds a second question: what damage can occur even when the system works as designed? An ALPR network can create risk without a breach if too many actors can search it, retain it, or reuse it for purposes far beyond tolling.

The same principle appears in open source security work: artifacts, logs, telemetry, and access records are useful only when their trust model is explicit. Collection without purpose control becomes liability. For related security-governance context, see GigaTap’s coverage of OpenSSF’s April signal on operational security artifacts: https://gigatap.top/en/articles/openssfs-april-signal-make-security-artifacts-operational

Practical takeaway#

The immediate action is not panic. It is inventory.

If you work around transportation, municipal technology, privacy review, or security operations, ask what ALPR systems are present, what purpose they serve, and what prevents later expansion. If the answer is only policy language about responsible use, that is weak. If the answer is a hard purpose limit, narrow access, short retention, and auditable controls, the risk is more bounded.

The EPIC coalition effort is notable because it argues for a bright line: license plate readers for tolling, not general surveillance. That line may or may not survive Congress. But it is a useful standard for anyone reviewing ALPR deployments now.