Leonardo’s SignalTrace: How License Plate Readers Became Phone-Tracking Surveillance Nodes

Every time you drive past a roadside camera, it already records your license plate. Now a surveillance company wants those same cameras to capture something far more intimate: the unique identifier of your phone.

Leonardo, a surveillance firm, is deploying technology called SignalTrace that would retrofit automatic license plate readers (ALPRs)—devices already installed across the U.S.—with sensors capable of sweeping up Bluetooth identifiers from mobile phones, wearables, and other connected devices inside passing vehicles. The system transforms what were once single-purpose license-tracking cameras into dual-layer surveillance nodes that can identify both the car and the people inside it.

ALPRs have been a standard fixture of American law enforcement infrastructure for years. Police departments use them to locate stolen vehicles, find suspects, and track movements. But SignalTrace fundamentally changes what these cameras can do. By adding Bluetooth-detection sensors, Leonardo’s technology would allow law enforcement to identify specific drivers or passengers—not just the vehicle itself. A camera on a highway overpass or parking lot entrance could now log the Bluetooth MAC address (a unique identifier) of your phone, your AirPods, your smartwatch, or your car’s infotainment system as you pass.

The capability is straightforward in its mechanics but profound in its scope. Research published in IEEE Xplore has documented how WiFi and Bluetooth MAC addresses enable mobile device identification and location surveillance. Bluetooth signals broadcast constantly and can be detected from a distance. Unlike license plates, which are meant to be public identifiers, Bluetooth MAC addresses are not designed to be surveillance targets. Most people have no idea their devices are broadcasting these identifiers, let alone that roadside cameras might be collecting them.

How Does This Mirror Cambridge Analytica’s Data Collection Methods?

This mirrors a pattern we’ve seen before in mass-data surveillance: the gradual expansion of collection infrastructure. During the Cambridge Analytica scandal, the company harvested personal data at scale—not through one dramatic breach, but through a Facebook app that collected information on millions of users and their friends without explicit consent. The mechanism was different, but the principle was identical: leverage an existing platform or infrastructure to gather behavioral data on populations, then use that data to identify and track individuals. SignalTrace follows the same playbook, except the infrastructure is physical and the data collection is automated.

What Legal Framework Governs Roadside Bluetooth Collection?

The legal framework governing SignalTrace remains unclear. ALPRs themselves operate in a gray zone—some states have passed regulations requiring data deletion after a set period, while others allow indefinite retention. Bluetooth tracking adds another layer of ambiguity. There is no federal law explicitly prohibiting law enforcement from collecting Bluetooth identifiers via roadside sensors, nor is there clear guidance on how long such data can be retained or who can access it.

What makes SignalTrace particularly concerning is the assumption of consent embedded in its design. Your phone broadcasts a Bluetooth identifier because Bluetooth is a useful technology for connecting to headphones, cars, and watches. You don’t opt in to roadside surveillance when you enable Bluetooth; you’re simply using a feature designed for proximity-based connections. Leonardo’s system exploits that assumption, converting a tool for personal convenience into a tracking mechanism.

Why Should You Be Concerned About Movement Profiling?

The practical implications ripple outward. A person attending a protest, visiting a medical clinic, or meeting with a journalist could be tracked across the city through their Bluetooth signature. Law enforcement could build detailed movement profiles of individuals without warrants, subpoenas, or even suspicion of a crime. The data could be aggregated, cross-referenced, and used to infer associations, relationships, and behaviors—the same type of psychographic profiling that made Cambridge Analytica’s methods so potent.

This type of surveillance infrastructure creates what privacy researchers call shadow profiles—detailed records of individuals who never consented to tracking. A 2022 IEEE Security & Privacy study demonstrated that even when phones randomly change their MAC addresses for privacy protection, sophisticated tracking systems can still maintain persistent identification through device fingerprinting techniques.

The Business Case for Surveillance Expansion

Leonardo’s pitch to law enforcement is straightforward: more data, more capability, more reach. But the company is not creating demand from scratch. ALPRs are already deployed widely, and police departments are already accustomed to using them. SignalTrace is simply an upgrade—a way to extract additional surveillance value from infrastructure that already exists and is already normalized.

This represents the same incremental expansion strategy that has characterized the growth of digital surveillance. Each new capability builds on existing infrastructure, making adoption easier and resistance harder. The transition from license plate tracking to personal device tracking becomes a simple software upgrade rather than a fundamental policy decision about surveillance expansion.

The question now is whether regulators and legislators will act before SignalTrace becomes as ubiquitous as the license plate readers it enhances. Some states may move to restrict Bluetooth collection; others may embrace it. But the window for prevention is narrow. Once this technology is installed at scale, the surveillance architecture becomes harder to dismantle.