When the AI flagged the wrong plate, who has the receipt?
Automated license-plate readers author assertions, propagate them across the multi-agency network, and control the only audit log. When a wrong assertion is emitted, the record cannot be silently rewritten only because, today, there is no architectural path for the wider network to recognize a correction at all.
ALPR networks propagate wrong plate assertions today because no architectural path exists for the wider network to recognize a correction. AAM is that path.
- The propagation gap. ALPR systems author assertions, propagate them across the multi-agency network, and control the only audit log. When a wrong assertion lands in a hot-list match, the record cannot be silently rewritten — but neither can the correction propagate.
- Five Knox event types. alpr_plate_observed_assertion · alpr_hot_list_match_emitted · alpr_driver_evidence_anchored · alpr_resolution_attempt_recorded · alpr_data_correction_propagated. Anchored to Bitcoin at every state change.
- For the regulator and the court. FRE 902 self-authentication architecture. DOJ Civil Rights, state AGs, plaintiff bar, and IG-audit reviewers replay the chain without trusting the ALPR vendor or any partnering agency.
- Vendor-neutral. Above any ALPR vendor, any partner-agency network, any data-sharing pipeline. Same primitive across every deployment.
- Posture. Defensive-only. Bonis records the assertion and the correction; never accesses ALPR feeds, never spoofs plates, never advocates as policy.
The vendor authors the assertion, propagates it, and owns the only audit of it.
An ALPR system reads a passing plate, matches it against an agency hot-list, and emits an alert to an officer-facing screen. The originating assertion may be sourced from a court data-entry record, a warrant, a BOLO, an NCIC entry, an NCMEC entry, or — when the plate is obscured, missing, or unreadable — an ML-inferred composite-feature classification of make, color, and decals. The cached match propagates to dozens of partner agencies that have never seen the originating record.
When the assertion is wrong, the cached row continues to fire. Even after the originating agency admits the alert was wrong and suppresses it locally, there is no architectural path to remove the record from the wider hot-list. The driver keeps getting stopped. The vendor controls the only audit log that would prove the pattern of harm. No independent third party has published a measured false-positive rate; the absence of an independent measure is itself the audit-permanence gap.
AAM closes the gap without coupling to any single ALPR architecture. The audit primitive is content-addressed: the SHA-256 of the assertion, the chain-of-command stamp identifying the emitting system and the policy under which it acted, and the sequence link to the previous event in the relevant stream. Knox anchors each, aggregates the hourly Merkle root, and publishes the root to the Bitcoin blockchain. The vendor cannot silently rewrite a history that exists outside its own systems; the originating authority can, finally, propagate a correction that downstream consumers can verify.
Cherry Hills Village, Colorado — a court data-entry error that the network cannot un-make.
Kyle Dausman, a resident of Cherry Hills Village, Colorado, has been repeatedly stopped by police because of a hot-list entry tied to a court data-entry error originating in Gilpin County, Colorado. Colorado plates use both the letter O and the numeral 0; the originating data-entry layer confused Dausman’s plate with a wanted man’s.
Cherry Hills Village PD admitted the alert was wrong and suppressed it in their own system. They had no path to remove him from the wider multi-agency network. Dausman has been told by the originating county’s court and sheriff’s dispatch that he needs the suspect’s name to clear his own record, and that the suspect’s name cannot be shared. The error originated at one county’s court data-entry layer, propagated through the ALPR vendor’s hot-list to dozens of partner agencies, and persists.
The case is reported by 9news.com (Denver, Colorado). It is cited here as public-record proof of the structural pattern AAM closes — not as an engagement claim. No partnership, customer status, prospect status, counsel relationship, or operational involvement with Mr. Dausman, Cherry Hills Village PD, Gilpin County, or any vendor is implied or claimed.
The architectural reading: a Knox-anchored assertion at the court data-entry moment, a Knox-anchored cross-validation receipt at the dispatch-emission moment, and a Knox-anchored data-correction propagation event at the moment the originating authority finally clears the record — together produce a chain that any downstream agency can verify without trusting the vendor or any single agency. The driver, separately, instruments their own dashcam and stop-record emit path so the pattern of repeated stops on the same wrongly-flagged vehicle is provable across multiple stops, not assumed from one-off recollection.
Every interaction at the ALPR audit surface becomes a Knox event.
The ALPR audit surface is small, structured, and content- addressable. Five interaction shapes map to canonical Knox event types — each with a chain-of-command stamp and content- addressed pointers to the underlying record.
A vendor commits a plate observation or composite-feature classification — plate text, vehicle make and color and decals, confidence — with a chain-of-evidence pointer to the originating sensor and authority record. ML-inferred composite-feature matches that arrive without an underlying plate read are anchored as such, distinguishable from plate-OCR observations on the chain.
A vendor commits a hot-list dispatch toward an officer-facing alert with a cross-validation reference to the originating authority record — warrant, BOLO, NCIC entry, court data-entry source. Downstream agencies caching the match can verify the chain back to the originating record rather than relying on the cached row.
A driver commits a SHA-256 hash of dashcam video, phone audio, or stop-record artifact at the moment of a stop. The receipt outlives the device. Across multiple stops on the same wrongly-flagged vehicle, the chain produces FRE 902(13) and 902(14) self-authentication evidence of pattern of harm rather than single-incident recollection.
Every contact attempt with court, dispatch, vendor, or agency to clear an alert known to be wrong is anchored. The pattern of attempts becomes provable from the chain alone — when the driver called, who they spoke with, what they were told, and the cumulative count of unsuccessful resolution attempts across the multi-agency network.
The eventual network-wide propagation of a correction from the originating authority record outward to all caching agencies is anchored. The chain records when (and IF) the correction reached each agency, so the gap between authority-record correction and downstream-cache correction is measurable rather than guessed.
The questions are predictable. The records should be too.
Once an ALPR-implicated stop, harassment pattern, or wrongful-stop civil-rights matter is being investigated, the same five questions arrive on every case. AAM primitives produce records architected to answer each one without re-trusting the ALPR vendor, the originating agency, or any downstream caching agency.
What did the ALPR system actually claim, and when?
The plate-observation anchor and the hot-list-match anchor commit the SHA-256 of the assertion artifact at the moment of emission. The vendor record and the public-chain record can be cross-checked. A subsequent silent rewrite of the assertion does not propagate to the public chain.
Did the cached match cross-validate against the originating record before reaching an officer?
The hot-list-match anchor commits the cross-validation reference, or the absence of it. SOWs that require independent verification before alert emission have a chain-based compliance check; SOWs that lack the requirement have a chain-based evidentiary gap.
Has this vehicle been stopped before on the same wrongly-flagged record?
The driver-evidence anchor and resolution-attempt anchors are sequence-linked across stops. Pattern of harm across multiple stops on the same vehicle is provable from the chain — not reconstructed from one-off recollection or single-incident dashcam footage.
When did the driver attempt to resolve the alert, and with whom?
The resolution-attempt anchor commits each contact with court, dispatch, vendor, and agency. The cumulative count and timeline of unsuccessful resolution attempts is recoverable independent of any single agency’s own logs.
When did the network finally correct the record, and at which agencies?
The data-correction-propagation anchor records when the correction reached each caching agency. The gap between originating-authority correction and downstream-cache correction — for some records, a gap that may be permanent — is observable rather than assumed.
What composing AAM above an ALPR pipeline gives you.
Vendor-neutral
Any ALPR pipeline, authored by any vendor, can be paired with Knox by instrumenting an emit path on the operator’s side. The vendor pipeline does not need to know about Knox, consent to Knox, or be modified for Knox.
Independently verifiable
Anchors are published to the Bitcoin blockchain via OpenTimestamps. Verification does not require Bonis, the ALPR vendor, or any agency to be online, in business, or cooperative. The receipt outlives the vendor.
Tamper-evident architecture
Anchors and the affidavits derived from them are architected to meet the self-authentication requirements of FRE 902(13) and 902(14). Admissibility in any given matter remains a determination of the presiding court; the structural requirements are met by construction.
Post-quantum resilient
Assertion-class commitments may carry post-quantum signatures via Knox Agent #11 Layer 4 — ML-DSA-44 / 65 / 87 (NIST FIPS 204) and SLH-DSA-128s / 192s / 256s (NIST FIPS 205). The audit chain remains verifiable under threat models that assume future quantum-capable adversaries — relevant for civil-rights records that may be litigated decades after the originating stop.
Cross-checkable with vendor logs
The vendor’s own audit log continues to operate as designed. The public-chain record provides an independent comparison point. Divergence between the two — silent rewrites, late additions, selective retention — is detectable rather than assumed.
Citizen-side and procurement-side
The same primitive serves the wrongly-flagged driver anchoring their dashcam and the agency procurement office evaluating ALPR vendor responses to a SOW that requires tamper-evident chain-of-custody. The audit layer is vendor-neutral and audience-neutral; the records are the same.
The pattern is in the public record.
The structural conflict — vendor as both author of the assertion and sole custodian of the audit log, with no architectural correction path across the multi-agency network — is documented across multiple high-profile records. Each is sourced to public regulator findings, court filings, civil- rights litigation, or independent journalism. None of the below names a Bonis prospect, partner, or customer; they are cited as public-record proof of the gap that AAM closes.
Cherry Hills Village, Colorado — court data-entry error propagation
A driver has been repeatedly stopped because of a hot-list entry tied to a Gilpin County, Colorado court data-entry error confusing his plate with a wanted man’s (Colorado plates use both letter O and numeral 0). Local PD admitted the alert was wrong but had no path to remove him from the wider multi-agency network. Reported by 9news.com.
Police use of LPR data to stalk romantic interests
The Institute for Justice has documented at least 14 incidents in which police officers used license-plate-reader data to stalk romantic interests or personal contacts. The vendor-controlled audit log records the search; the architecture provides no independent attestation surface available to the persons whose plates were searched.
Virginia State Crime Commission — ALPR annual report
The Virginia State Crime Commission published its 2024 annual report on law-enforcement use of automated license-plate readers, reviewing data-handling, retention, and oversight practices across Virginia agencies. The report is on the Commission’s public website.
ACLU — civil-society organizing on ALPR oversight
The ACLU has published organizing guides for communities and elected officials evaluating the deployment of mass-surveillance license-plate-reader systems. The guides are referenced here as a public civil-society authority on the architectural questions the audit layer is built to answer.
Independent verifiability is becoming a procurement and constitutional question.
Fourth Amendment scholarship
Persistent ALPR observation, hot-list matching, and multi-agency aggregation are an active subject of Fourth Amendment doctrine — including questions of mosaic surveillance, reasonable suspicion grounded in vendor- emitted alerts, and the evidentiary footing of stops initiated by ALPR-driven hot-list matches.
4th Amendment · ALPR doctrine · in development§1983 / Bivens / FTCA exposure
Civil-rights litigation under 42 U.S.C. §1983, Bivens, or the Federal Tort Claims Act increasingly turns on whether the agency had a reasonable basis for the stop and whether the underlying assertion can be independently verified. Vendor-controlled audit logs cap the evidentiary record at the vendor’s discretion.
42 U.S.C. §1983 · civil-rights statute · in forceGSAR 552.239-7001 — Basic Safeguarding of AI Systems
The General Services Administration acquisition clause addressing American AI eligibility, 72-hour CISA incident reporting, eyes-off data handling, traceability, and 90-day artifact preservation. ALPR is one class of AI system the clause governs at the procurement layer.
GSAR 552.239-7001 · AI safeguarding clauseState ALPR statutes and AG oversight
Multiple states have enacted ALPR-specific statutes governing retention, sharing, and oversight; State Attorneys General have opened investigations into inter-agency data-sharing patterns. The architectural target — independent chain-of-custody — fits the public oversight direction-of-travel rather than displacing it.
State statutes · AG oversight · jurisdiction-specificOne HTTP call per ALPR event.
The operator does not have to wait for an ALPR-specific Knox SDK to ship. The public anchor endpoint is already live, and any pipeline that can issue an HTTP POST can pair its event surface with Knox today — whether the operator is the ALPR vendor, the agency, the IG office, the procurement office, or the wrongly-flagged driver.
Audit-permanence layer, not enforcement, not counter-surveillance.
Bonis does not access ALPR cameras, does not read or transmit camera feeds, does not intercept vendor data without consent, does not disable, modify, or interfere with any ALPR pipeline in any way, does not provide counter-surveillance or plate-spoofing or detection-evasion tooling, and does not advocate against ALPR programs as policy. Knox is invitational: a vendor, agency, regulator, IG office, plaintiff’s bar firm, civil-rights organization, or wrongly-flagged driver who wants a tamper-evident record of every assertion, dispatch, stop, resolution attempt, and correction event instruments their own emit path. Bonis produces the audit primitive; lawful authority — courts, federal IG offices, DOJ, state AGs, agency procurement, and the constitutional rights of the persons stopped — decides what to do with the resulting evidence.