<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Footnote4a — Audit Log Analysis</title>
        <link>https://footnote4a.org/category/audit-log-analysis</link>
        <description>Footnote4a reporting filed under Audit Log Analysis</description>
        <lastBuildDate>Mon, 18 May 2026 17:00:00 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <copyright>© 2026 Footnote4a — Audit Log Analysis</copyright>
        <atom:link href="https://footnote4a.org/feed/audit-log-analysis.xml" rel="self" type="application/rss+xml"/>
        <item>
            <title><![CDATA[New Castle, PA put Flock in its only Majority-Minority Neighborhood]]></title>
            <link>https://footnote4a.org/news/new-castle-pa-flock-audit</link>
            <guid isPermaLink="false">https://footnote4a.org/news/new-castle-pa-flock-audit</guid>
            <pubDate>Mon, 18 May 2026 17:00:00 GMT</pubDate>
            <description><![CDATA[Nearly three years of Flock event logs show New Castle, Pennsylvania concentrated all 31 of its surveillance devices in the city's only majority-minority census tract, and shows a group of officers running scores of plates through permanent, private watchlists without associated cases.]]></description>
            <content:encoded><![CDATA[<p>New Castle, Pennsylvania — a city of about 22,000 in Lawrence County, roughly 60 miles northwest of
Pittsburgh — has deployed its entire police surveillance network inside a single census tract: the
only one in the city where white residents are not a majority. A Flock event log spanning June 2023
through April 2026 also shows that its sole license plate reader and one pan-tilt-zoom camera both
face the same basketball court, and that a group of officers has run scores of license plates
through private watchlists — almost none carrying a case number, and many set never to expire.</p>
<p>The latest available information indicates the department holds a contract with Flock for a single
LPR camera, one PTZ camera, and twenty-nine Raven “gunshot” detectors.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p><a href="http://HaveIBeenFlocked.com">HaveIBeenFlocked.com</a> typically limits itself to analyzing LPR logs and license plate queries — not
because the other logs the system produces aren’t interesting, but because the site wasn’t built to
ingest them automatically. When one resident examined Dunwoody’s event logs, his analysis showed
Flock employees were <a href="https://jasonhunyar.substack.com/p/why-are-flock-employees-watching-720">watching children inside a community center</a>. Thousands of other,
unexamined logs exist.</p>
<p>The event log analyzed here was obtained from New Castle PD through a Pennsylvania Right-to-Know
request; the <a href="https://www.muckrock.com/foi/new-castle-27904/right-to-know-request-flock-audits-210029/#files">request and released files are on MuckRock</a>. It runs from June 28, 2023
through April 27, 2026 — nearly three years — and includes detailed hotlist entries, network
sharing, and configuration updates.</p>
<h2>The Hardware</h2>
<p>New Castle PD’s Flock account includes 31 active devices. Most of them — 29 — are Raven units,
Flock’s acoustic detection sensors.</p>
<p><img src="https://footnote4a.org/blog/new-castle-pa-flock-audit/map.png" alt="Map of New Castle PA census tracts and demographics"></p>
<p>All 31 devices — the ALPR, the surveillance camera, and all 29 gunshot detectors — are located in or
immediately adjacent to census tract 42073000400.</p>
<p>That tract has a population of 1,776. It is the only census tract in New Castle where white
residents are not a majority. Its demographic profile compared to the rest of the city:</p>
<table>
<thead>
<tr>
<th>Tract</th>
<th>Population</th>
<th>White</th>
<th>Black</th>
<th>Hispanic</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>42073000400 (surveilled)</strong></td>
<td><strong>1,776</strong></td>
<td><strong>48.3%</strong></td>
<td><strong>35.9%</strong></td>
<td><strong>5.6%</strong></td>
</tr>
<tr>
<td>42073000100</td>
<td>4,343</td>
<td>84.7%</td>
<td>5.8%</td>
<td>2.8%</td>
</tr>
<tr>
<td>42073000200</td>
<td>2,020</td>
<td>77.1%</td>
<td>4.7%</td>
<td>10.8%</td>
</tr>
<tr>
<td>42073000300</td>
<td>3,698</td>
<td>68.1%</td>
<td>17.6%</td>
<td>3.1%</td>
</tr>
<tr>
<td>42073000600</td>
<td>950</td>
<td>72.7%</td>
<td>10.5%</td>
<td>7.4%</td>
</tr>
<tr>
<td>42073000700</td>
<td>1,808</td>
<td>72.0%</td>
<td>16.9%</td>
<td>3.0%</td>
</tr>
<tr>
<td>42073000800</td>
<td>4,020</td>
<td>79.6%</td>
<td>10.7%</td>
<td>1.9%</td>
</tr>
<tr>
<td>42073000900</td>
<td>1,692</td>
<td>66.2%</td>
<td>18.9%</td>
<td>4.2%</td>
</tr>
<tr>
<td>42073001000</td>
<td>1,619</td>
<td>84.4%</td>
<td>4.2%</td>
<td>1.4%</td>
</tr>
<tr>
<td>42073010202</td>
<td>4,983</td>
<td>94.7%</td>
<td>0.3%</td>
<td>1.4%</td>
</tr>
<tr>
<td>42073010600</td>
<td>2,260</td>
<td>91.8%</td>
<td>3.2%</td>
<td>0.8%</td>
</tr>
<tr>
<td>42073010700</td>
<td>2,746</td>
<td>84.6%</td>
<td>6.0%</td>
<td>1.7%</td>
</tr>
<tr>
<td>42073010800</td>
<td>6,234</td>
<td>92.9%</td>
<td>1.1%</td>
<td>1.4%</td>
</tr>
<tr>
<td>42073011000</td>
<td>4,798</td>
<td>94.0%</td>
<td>0.5%</td>
<td>0.9%</td>
</tr>
<tr>
<td>42073011100</td>
<td>3,961</td>
<td>92.7%</td>
<td>1.2%</td>
<td>1.1%</td>
</tr>
<tr>
<td>42073011300</td>
<td>4,158</td>
<td>94.9%</td>
<td>0.3%</td>
<td>1.2%</td>
</tr>
</tbody>
</table>
<p>Tract 42073000400 has the highest Black population share in Lawrence County by a wide margin. The
next-highest tract in New Castle is at 18.9%. The city’s whiter, more suburban tracts — most with
Black populations under 5% — have no Flock devices at all.</p>
<p>The other two devices are:</p>
<ul>
<li><strong>One Falcon</strong> (ALPR): <code>#01 Lowery St @ W Falls St SB</code> — the department’s only license plate
reader, with live video and vehicle description alert capability.</li>
<li><strong>One PTZ</strong> (connected via Wing): <code>C001 W North St Park PTZ</code> — a pan-tilt-zoom surveillance camera
at W North Street Park, capable of live streaming and free-form visual search of people.</li>
</ul>
<p><img src="https://footnote4a.org/blog/new-castle-pa-flock-audit/cameras.png" alt="Flock devices"></p>
<p>Both face the same basketball court.</p>
<h2>The watchlists: private, undocumented, and tracking individuals</h2>
<p>Flock’s event log records when anyone creates or modifies a custom hotlist. These hotlists — which
can be “personal” to a single Flock user or shared among many agencies — generate an alert whenever
a tracked plate is spotted by any camera on the Flock network.</p>
<p>New Castle PD officers maintain two categories of hotlists. One category is lists of plates tied to
active cases, with case numbers, defined expiration dates, and organization-wide visibility. Several
officers — Hailey Houk, Branddon Hallowich, Eric Kerr, Peter Mendicino — use the system this way.</p>
<p>The second category is different. Seven officers — Amanda Ventura, Justin Manns, Lawrence Krauss,
Devin Murphey, Benjamin Cunningham, Theo Weaver, and Mark Workman — each operate a private hotlist,
several of them shared among the group rather than with the department. The lists carry their
operators’ own names: <code>Ventura</code>, <code>Manns</code>, <code>KRAUSS</code>, <code>NCPD#23</code> (Murphey), <code>cunningham</code>, <code>Weaver</code>, and
<code>Workman</code>.</p>
<p>Across the log, officers added 99 plate entries to those seven lists. <strong>Just four carry a case
number.</strong> The other 95 do not. Twenty-eight are set never to expire.</p>
<p>The <code>Ventura</code> list is the most extensively documented: 31 entries added between March 2024 and April
2026, and <strong>not one of them carries a case number.</strong> Many give a person’s name as the sole stated
reason for surveillance — entries reading <code>Narcotics. [name]</code> set to expire <em>never</em>, or
<code>narcotics, [name]</code>, also <em>never</em>. Others name an individual with no stated reason at all. One
entry’s reason is simply <code>Picking up kids</code>, expiry <em>never</em>; another is the street address
<code>707 S Cascade</code>.</p>
<p>The expiry field is where the absence of process becomes concrete. A plate tied to an active case
expires when the case closes. An entry that names a private individual and is set to expire <em>never</em>
is a permanent surveillance designation, attached to a person, that no one is scheduled to review.</p>
<p>Two <code>Ventura</code> entries are worth quoting in full. One gives its reason as <code>High theft probably</code> —
surveillance premised, by the officer’s own notation, on a hunch. Another gives its reason as
<code>welfare</code>. Neither carries a case number.</p>
<p>The <code>Manns</code> list holds 34 entries over a similar period — 33 with no case number — tagged with names
and terse notes such as <code>narc complaint</code>, <code>Fbi narc</code>, and <code>homicide</code>. It is shared with Ventura. One
<code>Manns</code> entry inverts the form entirely: a string that looks like a case number, <code>24-0000082</code>, is
typed into the <em>reason</em> field, while the actual case field sits empty — a small sign of how loosely
the structured fields are treated.</p>
<p>The <code>cunningham</code> list is the starkest: seven entries, every one with the reason <code>narcotics</code>, six of
the seven set to expire <em>never</em>, and not a case number among them.</p>
<p><code>NCPD#23</code>, Murphey’s list, tracks two Ohio plates under the reason <code>Nephew</code>. Richard Conti added the
same two Ohio plates to a group list named <code>Fitty</code> a short time later — that time with a narcotics
case number attached. Conti also created a vehicle description alert — a Flock feature that
generates real-time notifications when a specific vehicle appears on a camera — named <code>Nephew</code>,
targeting a blue Mazda sedan on the Lowery St ALPR during evening and overnight hours. He deleted
the alert less than a minute after creating it.</p>
<h2>Late-night camera access</h2>
<p>The event log also records when officers opened a live view of the park PTZ camera. Of the 77
recorded accesses, the great majority fall in ordinary business and evening hours, by
administrators. Every access in the small hours of the morning belongs to one of two officers:
Amanda Ventura or Lawrence Krauss.</p>
<p>The pattern is tight. Late on December 30, 2025, Krauss opened the camera four times in roughly nine
minutes, beginning at 11:47pm. Five days later, just after midnight on January 4, 2026, Ventura
opened it eleven times in forty-five seconds: 12:19:01am to 12:19:46am.</p>
<p>The log shows what preceded that burst: at 12:04am, Krauss had added a plate, <code>MWR4095</code>, to his
<code>KRAUSS</code> list, reason “Stolen”; at 12:11am, Ventura added the <em>same</em> plate to the department’s
shared list, reason “Stolen out of NCPD”; eight minutes later she was hammering the live camera. Two
officers and one vehicle, inside twenty minutes after midnight.</p>
<p>The pattern recurs on April 22, 2026, when Ventura accessed the camera three times between 3:52am
and 4:32am. Krauss, for his part, has also shared plates into Ventura’s personal watchlist, tracking
some of the same individuals.</p>
<h2>What the department shares — and with whom</h2>
<p>New Castle PD operates a single Flock network, “New Castle PA PD,” and its administrator, Anthony
Lagnese, is responsible for the bulk of the department’s sharing of it. The log records more than
300 network shares of New Castle’s camera data, extending feed and hotlist access to over 100 named
law enforcement agencies across Pennsylvania and Ohio. Recipients include the Lawrence County
District Attorney, the Allegheny County District Attorney, the Montgomery County Detective Bureau,
“Pennsylvania State PD,” and dozens of municipal departments as far afield as Pittsburgh, Bethel
Park, and a string of eastern Ohio agencies.</p>
<p>In March 2026, the department’s live stream interface also surfaced a camera it had no obvious
connection to: a camera that appears to be a <a href="https://www.google.com/maps/@33.1490035,-83.2581801,3a,44.7y,73.28h,83.37t/data=!3m7!1e1!3m5!1s7Z2VR97LE-gKib34jNIqEA!2e0!6shttps:%2F%2Fstreetviewpixels-pa.googleapis.com%2Fv1%2Fthumbnail%3Fcb_client%3Dmaps_sv.tactile%26w%3D900%26h%3D600%26pitch%3D6.629824615625253%26panoid%3D7Z2VR97LE-gKib34jNIqEA%26yaw%3D73.27538059677269!7i16384!8i8192?entry=ttu&amp;g_ep=EgoyMDI2MDUxMy4wIKXMDSoASAFQAw%3D%3D">RedSpeed automated speed enforcement
camera</a>, located on a highway in central Georgia, hundreds of miles from New Castle.</p>
<p>Why a Pennsylvania department’s interface surfaced a Georgia speed camera is not explained anywhere
in the log. The most benign reading is also the most damning one: that Flock’s network sharing is
indiscriminate enough to put an unrelated camera, in another state, into a small-city police
department’s live feed by default.</p>
<p>This website <a href="speed-cameras">previously documented</a> that RedSpeed has a Flock integration. New
Castle’s log entries seemingly confirm that traffic enforcement cameras can be, and are, used for
live-streaming video.</p>
<h2>What wasn’t answered</h2>
<p>The event log does not record what happened when a tracked plate was spotted. It does not show
whether the named individuals on the <code>Ventura</code> and <code>Manns</code> lists were ever stopped, arrested, or
surveilled in person. It does not show whether any supervisor reviewed or approved any of the
private hotlists.</p>
<p>That last gap is the point. Oversight of a watchlist depends on two things: a case number that ties
an entry to a documented investigation, and an expiration date that forces the entry to be
revisited.</p>
<p>Ninety-five of the ninety-nine entries on these seven lists have no case number; twenty-eight have
no expiration. Even if the department wanted to audit its own use of the system — and even if it
would disclose basic case information to the public — there is nothing to audit against. An entry
reading <code>welfare</code>, attached to a named person, set to expire never, is unreviewable by design. The
absence of case numbers makes oversight structurally impossible.</p>
<p>The only thing the logs do show is that New Castle PD pointed its only two cameras at a single
basketball court, and that for nearly three years, officers have been adding entries — most of them
permanent, almost none documented — to private watchlists connected to a national surveillance
network, in the one neighborhood that is, by a wide margin, the most heavily Black in the county.</p>
<p>Through <a href="https://archive.is/eeP96">its blog</a>, Flock says it “aims to advance both safety and equity together” through
“data-driven responses.” This is what that looks like in Pennsylvania.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Ravens can detect sounds beyond gunshots, including squealing tires, metalworking, and screaming
children. Flock manages trigger events. Nobody else knows what triggers are defined at any given
time. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[The More the Logs Change, the More the Oversight Stays the Same]]></title>
            <link>https://footnote4a.org/news/immutable-redux</link>
            <guid isPermaLink="false">https://footnote4a.org/news/immutable-redux</guid>
            <pubDate>Wed, 08 Apr 2026 22:00:00 GMT</pubDate>
            <description><![CDATA[Flock Safety audit log entries — including unique IDs and timestamps — change between downloads, with 3-7% of records swapping daily. Because of course they do.]]></description>
            <content:encoded><![CDATA[<p>I’ve probably mentioned the mutability of the “permanent audit log” <a href="colwell-files">once</a> or
<a href="secret-searches-part2">twice</a> before. There is even a <a href="hibf:/irregular-records">record irregularities
report</a> where you can watch entries change organizations, time, and users.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> Now,
Flock is stepping up its mutations game. The unique event identifiers that are supposed to be the
rug tying the room together now fluctuate in the audit logs.</p>
<h2>The Search IDs</h2>
<p>Around the time <a href="colwell-files">Flock made heavy-handed edits</a> to existing government records, it
added, or started to expose, an “id” field along with search results. From the outset,
<a href="http://haveibeenflocked.com">haveibeenflocked.com</a> has ignored that field because Flock can’t be trusted to keep anything stable.
As we’ll see here.</p>
<p>I don’t use Flock’s IDs and instead rely on
<a href="hibf:/about/duplicate-handling">other methods to handle duplicate entries</a>, so I mostly ignore them. Then I
received an email from someone who paid more attention. He had been manually downloading audit logs
from transparency portals and comparing the files, noticing that entries change more than they
should.</p>
<p>To be honest, I didn’t really believe him at first. It sounded implausible even for Flock to do
something so technically terrible. Egg on my face.</p>
<p>Transparency portal search logs now typically look something like this:</p>
<pre><code class="language-csv">e71b39a6-3cc8-4161-b4ec-e62c6e1cd135,***,2026-03-04T20:37:04.924Z,6050,invest
</code></pre>
<p>Because <a href="secret-searches-part2">cops can’t be trusted with cop data</a>, Flock’s network logs look
about the same. In addition to the ID, they have a name of an agency. The idea is that an auditing
PD will pick up the phone, relay the ID in their network log to the named agency, and verify that
“invest” was a legitimate search.</p>
<p>With about 6,000 agencies doing 10,000+ searches per day, that’s a lot of phone calls.</p>
<p>This idea is obviously completely divorced from reality to begin with, but it’s being used — to
great effect — to convince uncritical elected officials of the existence of accountability.</p>
<p>Now, I’m not sure what cops are supposed to do.</p>
<h2>The Time and ID Changes</h2>
<p>The transparency portal logs are produced on a 30 day rolling basis. So, if you downloaded the same
log a day apart, you’d expect to see 29 days worth of identical records with one day trimmed and one
day added. However …</p>
<p>On March 23, 2026, West Des Moines’ log showed these two searches:</p>
<pre><code class="language-csv">e71b39a6-3cc8-4161-b4ec-e62c6e1cd135,***,2026-03-04T20:37:04.924Z,6050,invest
bc377b4b-2261-4fe1-a96c-ebb59217c061,***,2026-03-04T21:00:31.190Z,6051,invest
</code></pre>
<p>Two searches on March 4, both labeled “invest,” one at 8:37pm (UTC), and one at 9pm (UTC).</p>
<p>On March 24, 2026, they are both gone. In their place are two new searches:</p>
<pre><code class="language-csv">9c685baa-cf80-478c-acf1-2df174a1d686,***,2026-03-04T20:26:48.972Z,6050,invest
ec162dff-51b1-4de6-be2d-16a2b2cd8411,***,2026-03-04T21:39:47.263Z,6051,invest
</code></pre>
<p>The also both happened on March 4, and are both labeled “invest,” but now one happened at 8:26pm
(UTC) and the other at 9:39pm (UTC). That’s a significant difference.</p>
<p>If the same change happened in network logs, and if anyone had made that phone call about search ID
<code>e71b39a6-3cc8-4161-b4ec-e62c6e1cd135</code>, they would have to make another phone call about the search
that replaced it: <code>9c685baa-cf80-478c-acf1-2df174a1d686</code>.</p>
<p>The problem appears broad. In the March 23 – 24 comparison alone (about 200 lines total) there were
multiple changes:</p>
<pre><code class="language-text">-b76afd28-1246-4b3d-91d7-5f14642dd191,***,2026-02-25T20:56:59.751Z,2,Windsor Heights Fresh Stolen
+72db34f8-dd39-4d5d-814c-c968cb5e58b2,***,2026-02-25T20:52:17.101Z,2,Windsor Heights Fresh Stolen

-e71b39a6-3cc8-4161-b4ec-e62c6e1cd135,***,2026-03-04T20:37:04.924Z,6050,invest
-bc377b4b-2261-4fe1-a96c-ebb59217c061,***,2026-03-04T21:00:31.190Z,6051,invest
+9c685baa-cf80-478c-acf1-2df174a1d686,***,2026-03-04T20:26:48.972Z,6050,invest
+ec162dff-51b1-4de6-be2d-16a2b2cd8411,***,2026-03-04T21:39:47.263Z,6051,invest

-b8afc2dc-434c-41e3-8614-92134e713de8,***,2026-03-05T07:58:19.466Z,1169,
+3c652fad-db99-472f-bf7a-16430beb949d,***,2026-03-05T07:01:14.526Z,1169,

+8e10d1fb-2b66-4a0a-b4a8-2ef4b4f33899,***,2026-03-15T05:12:16.454Z,1,invest
-95134732-9341-420e-b830-901856bd4a75,***,2026-03-15T05:39:30.257Z,1167,invest

-e6941d9c-fbf2-4cbb-a54b-7c5d1fd391cb,***,2026-03-19T18:49:41.776Z,1166,
-d277a79e-0a14-4ccd-a561-8df2cfb7ca10,***,2026-03-19T19:00:37.487Z,1166,
+6f9738b1-1fbf-498a-b026-c8eda3d3aece,***,2026-03-19T18:22:11.557Z,2,
+18bf73c6-e37c-4246-ab1c-f98aae2849a6,***,2026-03-19T19:14:27.501Z,1166,
</code></pre>
<p>In this one file, about 7% of records changed within 24 hours.</p>
<h2>Clanker Analysis</h2>
<p>Asking the clanker to analyze the changes over multiple files it wrote a little Python script and
produced:</p>
<h3>WDM (8 snapshots, Mar 16 - Apr 4)</h3>
<p><strong>Non-rolling change rate per snapshot pair: 2.6% - 7.1%</strong> (avg ~5%)</p>
<table>
<thead>
<tr>
<th>Comparison</th>
<th>Removed</th>
<th>Added</th>
<th>Modified</th>
<th>Rate</th>
</tr>
</thead>
<tbody>
<tr>
<td>03-16 → 03-22</td>
<td>4</td>
<td>4</td>
<td>0</td>
<td>3.3%</td>
</tr>
<tr>
<td>03-22 → 03-23</td>
<td>7</td>
<td>7</td>
<td>0</td>
<td>6.6%</td>
</tr>
<tr>
<td>03-23 → 03-24</td>
<td>7</td>
<td>7</td>
<td>0</td>
<td>6.7%</td>
</tr>
<tr>
<td>03-24 → 03-25</td>
<td>8</td>
<td>8</td>
<td>0</td>
<td>7.1%</td>
</tr>
<tr>
<td>03-25 → 03-26</td>
<td>6</td>
<td>6</td>
<td>0</td>
<td>5.2%</td>
</tr>
<tr>
<td>03-26 → 03-27</td>
<td>3</td>
<td>3</td>
<td>0</td>
<td>2.6%</td>
</tr>
<tr>
<td>03-27 → 04-04</td>
<td>4</td>
<td>4</td>
<td>0</td>
<td>3.3%</td>
</tr>
</tbody>
</table>
<p>Key patterns:</p>
<ul>
<li><strong>Removals always equal additions</strong> — records are being swapped, not just deleted or added. This
is highly suspicious and suggests some kind of rotation/replacement mechanism.</li>
<li><strong>No field modifications</strong> — records are never edited in place; they vanish and a different record
with the same date appears.</li>
<li><strong>17 “flickering” records</strong> that disappear and reappear across snapshots. Example: <code>95134732...</code>
(date 03-15) appears in only the 03-23 and 03-25 snapshots out of 8 — pattern <code>..Y.Y...</code></li>
</ul>
<h3>Johnston (3 snapshots)</h3>
<p>Similar pattern: 3.9% - 8.2% non-rolling change rate, removals always equal additions, 2 flickering
records.</p>
<h2>The Takeaway (AI)</h2>
<p>When it was done running its script, it gave its unsolicited, but almost accurate “key takeaway”:</p>
<blockquote>
<p>The audit logs are <strong>not immutable</strong>. Every day, ~3-7% of records within the overlapping date
window are swapped out (equal number removed and added, zero modifications). Some records flicker
in and out across multiple snapshots, meaning the same record can be removed, reappear, and be
removed again. This is consistent with records being retroactively added/removed from the audit
log on an ongoing basis.</p>
</blockquote>
<h2>The Actual Takeaway</h2>
<p>This is the straightforward explanation, but it’s not necessarily what’s happening. What could be
happening is that Flock, like Axon, is distributing its database in an effort to sidestep
accountability and ownership by conflating data control and data ownership.</p>
<p>I’ve called this nonsense out before as Flock saying the kitchen is not a central repository for
pots and pans, because it has multiple cupboards.</p>
<p>But it may be what we’re seeing here. The log could be pulling in different entries from different
“cupboards”, and not all “cupboards” may be available each time the log runs.</p>
<p>A distributed explanation is not any better than deleting and adding records in a centralized
database. In fact, it would be a very fundamental, very fatal, flaw for records that are supposed to
be immutable — like audit records — to have multiple copies in multiple places without a single
authoritative copy.</p>
<p>Apparently log entries can go missing without Flock’s system throwing an error. If you can’t be sure
that your log is complete, you can’t rely on it to show whatever it is you’re auditing for — it may
have been deleted.</p>
<p>If you’re getting new results every day, your previous audits are automatically invalid and
unreliable. A search that occurred at 9pm may look valid, but if a police officer goes off shift at
9:30pm and the next day the log shows the search happened at 9:45pm, that’s potentially unflagged
off-duty use of a police system.</p>
<p>It could also cut the other way: the officer’s shift might not start until 9:30pm, and the logs will
show improper use the first time around, but not the second (if anyone looks).</p>
<h2>Network Logs</h2>
<p>These observations are from transparency portal logs, which are largely performative to begin with.
Whether the same holds in a network audit remains to be confirmed.</p>
<p>Examining older network logs, which did not have the IDs, entries can be seen disappearing between
runs. Because I do not have enough overlapping data to fully confirm, I can only say that it seems
very likely that the observed ID changes in West Des Moines and Johnston show a structural problem
that has existed for a while now.</p>
<p>This finding alone should be cause to invalidate all prior audits, as well as all future audits
until Flock addresses the problem.</p>
<p>States with mandatory audits, like Minnesota, and police departments with audit requirements, will
have to redo their audits after it’s fixed. That’s a lot of phone calls.</p>
<p>That is, if they want to make good on their promises of accountability and oversight.</p>
<p>I won’t be waiting by the phone.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>The <a href="hibf:/irregular-records">irregular records report</a> was a little unstable because of all
the redactions. As of today, it tries to be a little smarter about identifying duplicates even
with limited data. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[Flock's FreeForm Free-For-All]]></title>
            <link>https://footnote4a.org/news/freeform-freeforall</link>
            <guid isPermaLink="false">https://footnote4a.org/news/freeform-freeforall</guid>
            <pubDate>Tue, 10 Mar 2026 02:00:00 GMT</pubDate>
            <description><![CDATA[An analysis of 3,217 FreeForm search logs from 124 agencies reveals that Flock's "content moderation" blocks constitutionally sound searches while approving nationwide dragnets targeting military affiliation, political expression, and people wearing jeans.]]></description>
            <content:encoded><![CDATA[<p>Flock’s “FreeForm” search lets users search for more than license plates: it can filter for makes,
models, dents, stickers, roof racks, and so on. Through <a href="https://archive.vn/sL5j6">its ethics page</a>, Flock tells a
story about the feature being safe and respectful of legal, constitutional, and ethical boundaries.
The logs say otherwise.</p>
<p>After writing <a href="costs">yesterday’s feature announcement</a> about the <a href="hibf:/cost">new cost estimate
feature</a>, as an afterthought I did a quick query to see how many agencies used “FreeForm” and
how often it’s used. The result: 6,736 “FreeForm” searches in 2025 across 121 agencies. At a $50,000
annual subscription MSRP, that works out to roughly $900 per search.</p>
<p>Naturally, I wanted to know what, if anything, makes these searches so valuable.</p>
<h2>Flock’s FreeForm</h2>
<p>Flock writes that “Flock’s ALPR system cannot be used to search for human characteristics, like race
or gender” on <a href="https://archive.vn/sL5j6">its ethics page</a>. In another <a href="https://archive.is/eeP96">recent blog post</a>, recently <a href="racist-cops">discussed
here</a>, Flock takes it a step further:</p>
<blockquote>
<p>Flock products do not identify race. They do not target neighborhoods based on demographics. They
do not rely on subjective descriptions. They do not expand broad discretionary stops.</p>
<p>Instead, they narrow law enforcement action to vehicles that have been objectively linked to
reported crimes.</p>
</blockquote>
<p>The <a href="https://archive.vn/vhyiH">FreeForm product page</a> even promises that “[m]oderation tools help prevent biased or
inappropriate searches and support responsible, community-trusted policing.”</p>
<p>That narrative is echoed throughout Flock’s website, and aggressively carried out by its 200 sales
staff.</p>
<p>In Q2 of 2025, <a href="https://archive.vn/aVOjM">Flock launched a new feature</a> that “is all about one thing: speed. Speed to
leads.”</p>
<blockquote>
<p>In a move that will transform the largest network of LPR cameras in the nation, Flock announced
that every existing Flock LPR camera can soon become video-enabled at no cost to the customer.</p>
<p>FreeForm, Flock’s AI-powered search tool, now works not only on owned LPR cameras but also on
shared ones. It also supports video searches—meaning you can now search for characteristics on
people* (e.g., “man in blue hoodie with backpack”) just like you would search for vehicles. You
can even set alerts on these searches: think “green ATV on a trailer” or “person in orange vest,”
so you’re notified in real time when there’s a match.</p>
<p>Plus, FreeForm is now compatible with third-party video feeds (e.g., Genetec, Milestone), so
agencies can leverage its power without needing to switch platforms.</p>
</blockquote>
<p>It notes that “people characteristics cannot be searched on LPR feeds, only video feeds”.</p>
<p>The <a href="hibf:/moderation-logs">FreeForm report</a> (was “Moderation Report”) has been online for a while, but
with few search entries and no documentation I never paid much attention it.</p>
<p>Now, almost a year after Flock’s Q2 2025 product announcement, we have a collection of searches from
network logs provided by Flock LPR-system users — searches that show lookups for
“objectClass:person” and “objectClass:people.”</p>
<h2>The Constitution</h2>
<p>The 2020 <a href="https://www.congress.gov/crs_external_products/LSB/HTML/LSB10524.web.html">memo to Congress</a> “Racial Profiling: Constitutional and Statutory Considerations
for Congress,” written after the death of George Floyd, gives an overview of the boundaries of
permissible searches.</p>
<p>The Equal Protection Clause “bars most law-enforcement decisions based on race,” and this
prohibition holds “even if members of a given race are responsible for more crimes in a particular
neighborhood.”</p>
<p>Courts have also held that “an officer cannot meet the Fourth Amendment standard by relying on a
person’s racial appearance, alone, as grounds for reasonable suspicion.” But an officer may include
race when “searching for a person matching a suspect’s description and part of that description is
the suspect’s race.”</p>
<h2>The Searches: Dragnets and Military Personnel</h2>
<p>After analyzing 3,217 searches from 124 agencies — 3,184 of which Flock’s moderation allowed, 19 it
blocked, and 14 it warned about — it’s clear that the “FreeForm” system that’s implemented is not
the one that Flock describes, or the one the Constitution requires. Instead, it is a digital
free-for-all where cops go on fishing expeditions based on protected characteristics. Flock even
blocks the most obviously constitutional searches.</p>
<p>Houston PD searched 53,017 devices across 3,734 networks for “white car with black front bumper”
(reason: murder investigation). That is a description so generic and a dragnet so wide that it would
match tens of thousands of vehicles nationally.</p>
<p>Houston PD also searched that same 53,000-device scope for “Marine Corps” and “volkswagen jetta U.S.
marine corps” — the first of which is a bare military affiliation search with no vehicle descriptor
at all.</p>
<p>“Marine Corps” as a standalone search term, run across the entire Flock network, is functionally a
request to identify every vehicle in America displaying USMC insignia — which would include many
active service members and their families.</p>
<p>Since December 2025, Flock <a href="secret-searches-part2">redacts its network logs</a> before providing them
to its customers whose data is being searched. Those customers can’t see who ran the search. Flock,
and many of its customers on the nationwide network, maintain no policies requiring background checks
or prohibiting account sharing. That’s a “local decision,” says Flock.</p>
<p>We can’t say, or even begin to speculate, who searched the country for “Marine Corps” and for what
purpose. All we know is that someone did, and that Flock’s AI-moderator approved it.</p>
<p>Louisville Metro PD regularly searched 39,000–42,000 devices across 2,600–2,800 networks. One
search: “overloaded waste hauler” — a code enforcement query — hit 39,751 devices across 2,672
networks. Louisville is using Flock’s AI-powered search to run municipal waste-hauling compliance
checks through a nationwide surveillance apparatus.</p>
<p>O’Fallon, Missouri PD — a city of about 90,000 people — searched 41,054 devices across 2,707
networks for the person descriptor “jeans.” No case number. Reason: “inv.” That search hit cameras
in thousands of jurisdictions across the country, looking for Americans in blue jeans.</p>
<p>Corona, California PD consistently searched 11,400+ devices across 370+ networks for person searches
including “a person,” “police badge,” and “fire” — the first of which is literally searching for the
existence of a human being.</p>
<p>All of these are overbroad fishing expeditions using a mass surveillance system. There is no valid
investigative purpose in looking up “a person” or “jeans.” Retrieving the location history of every
US Marine in the nation does not prevent crime, it hurts national security.</p>
<h2>The Moderation System: No on “white male” — Yes on “tweaker”</h2>
<p>The most constitutionally defensible person search in the entire dataset was the California Highway
Patrol’s prompt:</p>
<blockquote>
<p>Looking for a white male about 6ft 1in tall, longer brown hair almost to his shoulders, slender
build, will have been wearing blue jeans, boots with white paint stains on the toes and possibly
carrying a black helmet</p>
</blockquote>
<p>This was a search across only 91 devices and 3 networks. It is a textbook individualized suspect
description: race as one of many physical identifiers, exactly as Fourth Amendment jurisprudence
permits. It was run in a narrow area where this suspect was likely to be found.</p>
<p>Flock rejected the search. The most probable explanation, based on other searches, is that it saw
“white male.”</p>
<p>Meanwhile, Florence, South Carolina PD searched for “all” (objectClass:people, reason: Robbery) — a
search that matches literally every person on camera. Also allowed from Florence: “people,”
“hoodie,” “jacket,” “jeans,” “Red.” These were searched across only 1 device and 1 network,
suggesting Florence was early in deployment or testing, but the moderation system approved them
regardless.</p>
<p>O’Fallon MO PD’s “jeans” search hit 41,054 devices. If Florence’s identical search was allowed on 1
device, there’s no scale-based restriction either.</p>
<p>Hemet, California PD searched for “tweaker on bike” across 1,581 devices and 30 networks. No reason
given. No case number. “Tweaker” is a slang pejorative for methamphetamine users. This is the
definition of a “subjective and invasive search” — targeting people by perceived social status and
assumed drug use.</p>
<p>Unlike the search for a highly specific white male, the moderation system allowed this search for
any tweaker.</p>
<h2>The First Amendment</h2>
<p>An objection that’s often raised is Flock’s (admitted) ability to search for bumper stickers and other
characteristics. Flock regularly claims that it is only the existence of a bumper sticker that can be
queried, not its content. That is not what the logs indicate.</p>
<p>Spokane County WA SO searched for “american flag,” “coexist sticker,” and “trump flag” on vehicles.
All three triggered a <code>warn</code> status. The reason fields — “freeform suspicious search test” —
indicate Spokane was deliberately testing the moderation boundaries.</p>
<p>What happens when Flock’s AI-moderator issues a warning is not entirely clear. From earlier analysis
of frontend code, it is a dialog that can be clicked through. It’s possible that someone gets a
notification or an email. We don’t know.</p>
<p>Flock’s system knew these searches were problematic, and it flagged them, but it did not block them,
as its product pages promised.</p>
<p>Corona CA PD searched for “american flag” on people and got blocked. The same agency searched for
“american flag” on vehicles and got warned.</p>
<p>O’Fallon MO PD searched for “vehicle with flag” across 40,235 devices and 2,642 networks. Allowed.
No warning. The generic “flag” search is arguably broader and more concerning than the specific
“american flag” or “trump flag” searches that triggered warnings.</p>
<p>CHP searched for “Hells Angels” as a vehicle descriptor nine times (8 allowed, 1 warned from San
Jose PD). The allowed searches used reasons like “Investigative Follow-up” and “Traffic Collision.”
Searching for vehicles displaying Hells Angels insignia — rather than a specific vehicle involved in
a specific incident — targets organizational membership.</p>
<p>If CHP wanted a specific motorcycle involved in a traffic collision, the search would describe the
motorcycle, not the association. Seven of the nine Hells Angels searches hit only 190 devices and 1
network, suggesting a narrow local scope — but the moderation principle is the same regardless of
scale.</p>
<h2>Audit Logs and Objectivity</h2>
<p>Of course, the majority of these searches do not have case numbers. We know by now that the claim
that “every search made within the Flock platform is logged and auditable, creating a tamper-proof
trail of accountability” is completely false. The sensitivity of the data being searched here — like
“Marine Corps” — highlights how important it is to be able to audit a search’s full context.</p>
<p>Only 85 of 3,217 searches — 2.6% — had a plate field that could have contained a value. None of the
problematic searches discussed above were among them.</p>
<p>The “objective criteria” Flock allows include a descriptor like “tweaker” but not a detailed
description of a white male. It allows searching for every white car, or every military member in
the nation, and only lightly wags its finger at you when searching for protected political speech.</p>
<p>Flock’s AI-based moderation appears inconsistent and insufficient. It certainly won’t lead to
“responsible, community-trusted policing.”</p>
<p>This is an insecure, unaccountable, and unrestricted dragnet that can be — and <em>is</em> — used to mass
surveill Americans based on their political, professional, and religious affiliations, their
protected personal characteristics, and their expression of speech. It is exactly what the
Constitution prohibits.</p>
<p>For each of those searches, lawful or not, Flock collects $900.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[New California Report, Old Flock Shenanigans]]></title>
            <link>https://footnote4a.org/news/ca-queries</link>
            <guid isPermaLink="false">https://footnote4a.org/news/ca-queries</guid>
            <pubDate>Fri, 06 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[I think you should go home now, Flock! Get back on San Vicente. Take it to the 10, switch over to 405 North and let it dump you onto Mulholland — where you belong!]]></description>
            <content:encoded><![CDATA[<p>Another California post. Flock CEO Garett Langley is grateful to “<a href="https://www.youtube.com/watch?v=fVCVQcd9PLc#t=12m30">live in a beautifully,
democratic, capitalistic country where we [can] fight in court</a>.” So am I — I express my
gratitude by throwing Flock’s own logs onto the burning dumpster fire ignited by not one but <em>two</em>
active class action lawsuits against Langley’s company.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>First, a new report: <strong><a href="hibf:/ca-out-of-state-queries">California Out-of-State Queries</a></strong>.</p>
<p>A note on what’s here and what isn’t: some older California-specific reports were removed after
suspected changes on Flock’s end began producing incorrect results. This report replaces them with
a narrower, more defensible dataset.</p>
<p>This report contains all external searches seen by California agencies for which we have log files
(which isn’t many, but if you have some, or you want to <a href="hibf:/about/audit-logs">go file some requests</a>,
send them to <a href="mailto:humans@haveibeenflocked.com">humans@haveibeenflocked.com</a>!).</p>
<div class="chart-placeholder" data-chart="ca-agencies-queried"></div>
<p>The ~14.5M out of state searches currently documented in the report come from the four agencies listed
above. Other agencies which contributed data that showed no out of state searches were the
California Highway Patrol (for the period 2024-11-25 — 2025-12-01) and Buena Park, CA PD (for the
period 2026-01-19 — 2026-02-23).</p>
<div class="chart-placeholder" data-chart="ca-weekly-searches"></div>
<p>The point of the report is that it shows searches of cameras placed in California, that have
collected data about Californians; it will tell you if a query from a non-California agency “hit” a
California agency.</p>
<p>The report’s “source agency” column will tell you which agency reported the search. And, yes, every
single one of these 14.5M+ searches may violate California’s prohibition on sharing ALPR information
with agencies outside the state (SB34).<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>February 11, 2025, is the date <a href="california-cjis">was reported to have disabled all out-of-state access</a>
for non-California agencies. For Santa Cruz and Capitola, the only non-California agency appearing in
the logs after that data is Blue Lake Rancheria Tribal PD. <a href="https://therecord.media/california-lawsuit-el-cajon-police-out-of-state-searches-flock-database">El Cajon is being sued by the AG</a>.</p>
<p>Seaside strangely reported only a handful of searches. On inspection:</p>
<table>
<thead>
<tr>
<th>Search time (UTC)</th>
<th>Reason</th>
<th>Organization</th>
</tr>
</thead>
<tbody>
<tr>
<td>2025-01-21 22:32:00</td>
<td>25-866</td>
<td>Bloomfield NM PD</td>
</tr>
<tr>
<td>2025-01-21 22:32:13</td>
<td>25-866</td>
<td>Bloomfield NM PD</td>
</tr>
<tr>
<td>2025-02-03 21:34:22</td>
<td>Plate associated to <abbr class="md-tooltip" data-tooltip="Organized Crime Drug Enforcement Task Forces">OCDETF</abbr> case</td>
<td>Deactivated Users</td>
</tr>
<tr>
<td>2025-02-03 21:34:57</td>
<td>Plate associated to <abbr class="md-tooltip" data-tooltip="Organized Crime Drug Enforcement Task Forces">OCDETF</abbr> case</td>
<td>Deactivated Users</td>
</tr>
<tr>
<td>2025-02-04 17:20:56</td>
<td>Associated to OKC <abbr class="md-tooltip" data-tooltip="Organized Crime Drug Enforcement Task Forces">OCDETF</abbr> case</td>
<td>Deactivated Users</td>
</tr>
<tr>
<td>2025-02-04 17:21:15</td>
<td>Associated to OKC <abbr class="md-tooltip" data-tooltip="Organized Crime Drug Enforcement Task Forces">OCDETF</abbr> case</td>
<td>Deactivated Users</td>
</tr>
<tr>
<td>2025-02-04 17:21:54</td>
<td>Associated to OKC <abbr class="md-tooltip" data-tooltip="Organized Crime Drug Enforcement Task Forces">OCDETF</abbr> case</td>
<td>Deactivated Users</td>
</tr>
<tr>
<td>2025-02-04 17:22:16</td>
<td>Associated to OKC <abbr class="md-tooltip" data-tooltip="Organized Crime Drug Enforcement Task Forces">OCDETF</abbr> case</td>
<td>Deactivated Users</td>
</tr>
</tbody>
</table>
<p>We have very limited logs for Seaside (approx. 2025-01-20 — 2025-02-17), so it’s possible that far
more searches of Seaside by non-California agencies have occurred outside that limited visible
window.</p>
<p>Nothing confirms “Deactivated Users” is not a California agency, but <abbr class="md-tooltip" data-tooltip="Organized Crime Drug Enforcement Task Forces">OCDETF</abbr> (Organized Crime Drug
Enforcement Task Forces) was an independent <a href="https://www.justice.gov/archives/ocdetf/about-ocdetf">federal agency under the US Department of
Justice</a>, recently <a href="https://www.justice.gov/media/1403456/dl?inline">dissolved</a> and rehomed under the Department of Homeland
Security.</p>
<p>Whatever federal access <abbr class="md-tooltip" data-tooltip="Organized Crime Drug Enforcement Task Forces">OCDETF</abbr> had to California ALPR data through Flock now presumably belongs to
DHS. Whether “Deactivated Users” represents side-door access that Flock obscured by omitting the
agency name, or straightforward federal access, the result is the same: Californians’ data ended up
with the federal government through Seaside PD and Flock.</p>
<p>And, of course, New Mexico is definitely not in California — there’s a whole Arizona in between.</p>
<p>Another thing that stands out about these searches is that they both covered about 300 networks
(316 for the NM search, 335–336 for the <abbr class="md-tooltip" data-tooltip="Organized Crime Drug Enforcement Task Forces">OCDETF</abbr> ones), suggesting 1:1 sharing agreements.</p>
<p>That certainly seems like a possibility, because according to its transparency portal, Seaside CA PD
currently grants access to the following non-California agencies:</p>
<ul>
<li>Goshen Village NY PD</li>
<li>Blue Lake Rancheria Tribal PD</li>
<li>CA Iipay Nation of Santa Ysabel</li>
<li>Decommissioned Org / Demo</li>
</ul>
<p>The only 7 documented searches from Goshen, NY (pop. 5,777) happened between 11/12/2022 and
4/1/2023.</p>
<p>The likeliest explanation: Seaside granted access to what it believed to be Orange County,
California, but ended up sharing California data with Orange County New York’s county seat: Goshen.</p>
<p>In case you’re curious, these are the states that most searched California records:</p>
<div class="chart-placeholder" data-chart="ca-queried-states"></div>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>One by <a href="https://footnote4a.org/blog/ca-queries/edelson.pdf">Edelson, in Contra Costa County</a> and another by <a href="https://www.classlawgroup.com/flock-safety-license-plate-reader-cameras-lawsuit">GibbsMura in San
Francisco county</a>. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>SB34 has a logging requirement. Whether Flock’s audit logs satisfy it is a separate
question. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[The Northern California Fusion Center: A High School Case Study]]></title>
            <link>https://footnote4a.org/news/ncric</link>
            <guid isPermaLink="false">https://footnote4a.org/news/ncric</guid>
            <pubDate>Thu, 26 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[NCRIC's post-SB 34 policy changes stripped security requirements and audit oversight while its log data shows explosive, bot-like search activity from anonymous accounts—raising the question of whether California's largest fusion center is laundering out-of-state access to ALPR data.]]></description>
            <content:encoded><![CDATA[<p>About a week ago, I had the pleasure of speaking with a number of students from Sequoia Union High
School District in California who were working on an article about surveillance and Flock. They
asked great questions about their local fusion center, the Northern California Regional Intelligence
Center (NCRIC), as well as about California’s <a href="https://www.leginfo.ca.gov/pub/15-16/bill/sen/sb_0001-0050/sb_34_bill_20151006_chaptered.html">SB 34</a>—a 2015 law that, among other things,
prohibits public agencies from sharing ALPR data except with other public agencies, and requires
operators to maintain security procedures, access logs, and retention
limits.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>Questions I could not answer in detail, but that are important and deserve answers.</p>
<p>I’ve written about fusion centers before, in the post about the federal <a href="https://footnote4a.org/news/riss-shell-game">Regional Information
Sharing Systems®</a> (RISS) program—which are federally-funded,
quasi-privately-operated “fusion centers before it was cool”. That post was mainly in the abstract.
Let’s examine what’s happening at NCRIC.</p>
<h2>Fusion centers and data sharing</h2>
<p>NCRIC is a practical example of what can go wrong when we take promises about data retention and
security at face value, and what happens when we write poorly drafted bills—like <a href="https://www.legis.iowa.gov/legislation/BillBook?ga=91&amp;ba=hf2161">HF 2161</a>
chugging along here in Iowa, with the <a href="https://www.legis.iowa.gov/lobbyist/reports/declarations?ga=91&amp;ba=HF2161">ACLU of Iowa’s support</a>.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>Data dissemination centers like RISS “permit federated searching across many systems without
requiring the RISSNET user to have a separate user account for each partner system.” But that
website copy is about as far as we get—while federally funded,<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup> these centers are operated
as private corporations and are therefore not subject to the Freedom of Information
Act.<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup><sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup></p>
<p>But we don’t have to speculate for too long. The state of Colorado lays it all out cleanly for its
Auto Theft Intelligence Coordination Center (ATICC):</p>
<blockquote>
<p>The goal of this project is to share license plate recognition data among all contributing
agencies that have established this  Memorandum  of  Understanding  with  the  Colorado  ELSAG
EOC, managed by the Colorado State Patrol (CSP) ATICC.</p>
<p>Participating agencies will share license plate reader (LPR) information for replication to the
data warehouse or as part of a central querying system hosted by the Colorado ELSAG EOC and will
have the capability to query all LPR based information from around the State of Colorado which is
stored within the warehouse</p>
</blockquote>
<p>Simple as that. Drop everything in CSP’s bucket, and take what you need. Cop-communism.</p>
<p>In case you’re wondering, ELSAG cameras are a Leonardo product.<sup class="footnote-ref"><a href="#footnote6">[6]</a><a class="footnote-anchor" id="footnote-ref6"></a></sup> They offer stationary
surveillance cameras (with cool-sounding names like “The Street Sentry™” and “The Fixed Plate
Hunter™”), as well as mobile cameras <a href="https://archive.is/jf89J">disguised as roof-mounted skiboxes or construction
barrels</a>.</p>
<p>In the MoU, the “Denver Police Department agrees to share ALPR data with other law enforcement
agencies utilizing the Colorado ELSAG EOC”, where it can be stored for up to three years.<sup class="footnote-ref"><a href="#footnote7">[7]</a><a class="footnote-anchor" id="footnote-ref7"></a></sup></p>
<p>Although Colorado State Patrol was short-sighted enough to name its own entity after a vendor
product,<sup class="footnote-ref"><a href="#footnote8">[8]</a><a class="footnote-anchor" id="footnote-ref8"></a></sup> ATICC explicitly commits to “obtaining the cooperation of any third-party contractor or
vendor” that provides license plate reader systems in Colorado. Presumably this includes Flock.</p>
<p>@<a href="https://footnote4a.org/blog/ncric/csp-sharing.pdf" class="collapsible">Colorado ELSAG EOC MoU</a></p>
<p>The “data warehouse” used by CSP, while only one component of a fusion center, is a much more
descriptive term for what’s really happening at the backdoor of these systems.</p>
<h2>The Northern California Regional Intelligence Center (NCRIC)</h2>
<p>Colorado is not just similar to NCRIC—it’s the template for what NCRIC is almost certainly doing but
refusing to document. NCRIC gives itself permission to store ALPR data for up to 12 months, and
broadly disseminate it.</p>
<blockquote>
<p>The [ALPR] information is also retained for a fixed retention period, though it is only
reaccessible by law enforcement given a legitimate law enforcement purpose.</p>
</blockquote>
<p>The FAQ specifies that only users with a need-to-know have access, but, from context, it’s clear that
NCRIC’s version of “need-to-know” is clearly not particularized and apparently extends to all ALPR
data, forever.</p>
<p>Although the <a href="https://footnote4a.org/blog/ncric-alpr-faq-2015.pdf">previous version of NCRIC’s FAQ</a> was more explicit that
“most ALPR data will be stored for 12 months,” the current FAQ is silent on retention. The FAQ
drones on for a bit, carefully evading its own questions, but at the end of it all, the agency
essentially gives itself carte blanche to do what Colorado spelled out more clearly.</p>
<p>@<a href="https://footnote4a.org/blog/ncric/ncric-alpr-faq-2021.pdf" class="collapsible">NCRIC ALPR FAQ</a></p>
<p>The policy reveals more. Especially in light of SB 34.</p>
<p>In October 2023, the California Office of the Attorney General <a href="https://oag.ca.gov/news/press-releases/attorney-general-bonta-advises-california-law-enforcement-legal-uses-and">issued bulletins gently reminding
police laws exist</a>, and that they are not supposed to be sending ALPR data from California
to out of state agencies.<sup class="footnote-ref"><a href="#footnote9">[9]</a><a class="footnote-anchor" id="footnote-ref9"></a></sup> Exactly six months later NCRIC disappears from non-California
log files.</p>
<p>NCRIC updated its ALPR policy accordingly, but in a way that created performative compliance and
resulted in less oversight.</p>
<ul>
<li>It removed the specific security requirements for data storage—SECRET-level clearances, 24/7
security personnel, multiple secured doors—replacing them with a passing reference to “secure
systems.”</li>
<li>It removed the requirements for multi-factor authentication and encryption.</li>
<li>It removed the requirement for audit logs to contain a “justification for access.”</li>
<li>It weakened retention limits from a hard cap (“shall not be retained longer than 12 months” with
explicit purge requirements) to an aspirational ceiling (“supports a maximum retention period of
365 days”), and outsourced the actual operative limit to whichever vendor NCRIC happens to be
using.</li>
<li>It authorized sourcing ALPR information from private sources, including “parking, tolling, private
security, or other sources”—where the 2021 policy explicitly prohibited sharing data with
commercial entities.</li>
<li>It introduced contradictory language on visual confirmation of plate reads: one section retains the
2021 standard (“to the fullest extent possible”), while another weakens it to “should visually
confirm.”</li>
<li>It dropped the annual training recertification requirement entirely.</li>
</ul>
<p>The FAQ changed in parallel. The 2015 FAQ described a multi-factor authentication process
requiring a randomly generated PIN sent to a government email account. The current FAQ reduces
this to “a unique username and login.” That downgrade is worth keeping in mind when we get to
the part about user “a.”</p>
<p>@<a href="https://footnote4a.org/blog/ncric/ncric-alpr-policy-2021.pdf" class="collapsible">NCRIC ALPR Policy 2021</a>
@<a href="https://footnote4a.org/blog/ncric/ncric-alpr-policy-2024.pdf" class="collapsible">NCRIC ALPR Policy 2024</a></p>
<p>Where the policy did not change much was its audit requirements. Those are still essentially
non-existent, requiring only a report based on a “sampling” (it does not say the sampling must
be random) be sent to the NCRIC director.</p>
<h2>The Logs: Counting Searches</h2>
<div class="chart-placeholder" data-chart="ncric-weekly"></div>
<div class="chart-placeholder" data-chart="ncric-users"></div>
<p>To get the cleanest possible data, these charts are based on only two sets of log files: Louisville,
KY from March 2022 through April 29, 2024, and Capitola, CA from that date onward.</p>
<p>The charts show a highly suspicious trend. Here it is, close up, based on only Capitola data:</p>
<div class="chart-placeholder" data-chart="ncric-daily"></div>
<p>Between January 1, 2024 and May 1, 2024, the enforcement date, the number of searches NCRIC does is
low, peaking at around 170. Activity stays around that level until the beginning of June, when both
the number of users, but especially the number of searches see explosive growth.</p>
<p>NCRIC more than doubles the number of active users, going from having 5–20 weekly active users to a
consistent ~40. What’s more, individual users go from doing ~5 searches/week to ~60 searches/week.</p>
<p><a href="hibf:/pd/8565-ncric/insights">NCRIC’s insights page</a> immediately reveals why: NCRIC’s users are nearly
all identified with single, lowercase letters like “a.” or “c.”. These users show remarkably
consistent around-the-clock activity.</p>
<p>NCRIC’s users are either bots, or shared accounts.</p>
<h2>The Plausible Backdoor: Who is “a.”?</h2>
<p>Of course, NCRIC’s deliberate avoidance of oversight and accountability is not direct evidence that
it is sharing data in violation of California law—cops will be cops. But its behavior and context do
lead directly to that question.</p>
<p>It’s possible that NCRIC was suddenly motivated to start doing some police work, and that it has
absolutely terrible internal security practices. Maybe it logs in a terminal “a” and when the next
person reports for their shift, they don’t log in with their own credentials and simply continue
working.</p>
<p>It would violate every basic tenet of information security, not to mention, most likely, several
federal and state laws, but it’s a possibility.</p>
<p>The other, in my opinion more plausible, explanation is that NCRIC shares its user accounts with
external, out-of-state agencies—<a href="https://www.9news.com/article/news/local/local-politics/loveland-police-sharing-license-plate-reader-data-border-patrol/73-807d8c95-5904-4b55-be83-27aafee9638d">just like Loveland, CO</a> was caught doing last year.</p>
<p>Another possible explanation is that these accounts are automated and serve to fill NCRIC’s data
warehouse. Of course, that leads to a follow-up question: who can access the warehouse?</p>
<h3>The Missing RISS</h3>
<p>It is also worth noting that the other relevant fusion center, the <a href="https://www.riss.net/centers/wsin/">Western States Information
Network®</a> (RISS), is conspicuously the only RISS absent from Flock’s audit logs. The other
five are accounted for.</p>
<p>Unlike the FBI, which simply <a href="hibf:/pd/9138">stopped showing up in log files after July 2023</a>,<sup class="footnote-ref"><a href="#footnote10">[10]</a><a class="footnote-anchor" id="footnote-ref10"></a></sup>
WSIN does not show up in our data at all. This is the same center that covers Washington: the state
most covered by the logs we have. Either WSIN is the only RISS without Flock access, or it is not
being logged as “WSIN” or some other cognizable variant.</p>
<h2>What the Logs Can’t Show</h2>
<p>The logs can tell us that NCRIC stripped its own security and audit requirements immediately after
California started enforcing its privacy laws. They can tell us that anonymous, bot-like accounts
began running searches around the clock within weeks. They can tell us that the one RISS center
covering the most-logged state in our dataset is conspicuously absent from every log file we have.</p>
<p>What the logs can’t tell us is why — and that’s exactly the point. NCRIC designed its policies to
ensure that no one, including its own director, has the information needed to answer that question.</p>
<p>The “sampling”-based audits don’t require randomness. The access logs don’t require justification.
The retention policy doesn’t require limits.</p>
<p>This is not a gap in oversight. It is the deliberate architecture of unaccountability. When a fusion
center rewrites its policies to remove the very mechanisms that would detect abuse, the question is
no longer whether the data is being shared in violation of California law.</p>
<p>The question is whether anyone with authority to act will bother to find out.</p>
<p>The students from Sequoia Union asked the right questions. The fact that a group of high schoolers
can identify the problems that California’s oversight apparatus declines to investigate is not a
compliment to the students — though they’ve earned one.</p>
<p>It’s an indictment of everyone else.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Even though it may be too late for <em>their</em> deadline, maybe the information can help
someone else. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>The bill permits copying or warehousing of the data within 24 hours of capture, and
then fails to restrict the copied data. The Iowa State Police Association, Axon, and Motorola
all oppose the bill. Flock is undecided. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Through the Omnibus Crime Control and Safe Streets Act of 1968, whose Section 524(b)
(amended by the Crime Control Act of 1973) resulted in 28 CFR Parts 20 &amp; 23, causing the FBI’s
<a href="https://footnote4a.org/news/federal-insecurity">CJIS Security Policy</a>. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>A RISS center was also behind the FBI’s directive to make searches as “<a href="https://footnote4a.org/news/fbi-investigation">vague as
permissible</a>.” <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>Yet that distinction is only made when it suits—laws that prohibit sharing intelligence data
with private corporations go unenforced, as does Flock’s stated policy on giving private
businesses access to its “law enforcement network.” <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote6" class="footnote-item"><p>Leonardo’s <a href="https://footnote4a.org/blog/leonardo-data-privacy.pdf">Data Privacy statement</a> contains much of the
same vague “local control” and “ethics” language as Flock’s. <a href="#footnote-ref6" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote7" class="footnote-item"><p>Denver’s own retention policy caps at one year—but the warehouse is governed by ATICC’s policy,
which defers to the three years set in § 24-72-113 C.R.S. <a href="#footnote-ref7" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote8" class="footnote-item"><p>A vendor product with a “®” after its name, no less. <a href="#footnote-ref8" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote9" class="footnote-item"><p>It should be noted that police across the state only violated the privacy of millions
of Californians for nearly a decade; it’s not like they <a href="https://globalnews.ca/news/6107615/shoplifter-standoff-home-destroyed/">shoplifted from Walmart</a>. <a href="#footnote-ref9" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote10" class="footnote-item"><p>And claims not to understand what a “contract” is, in response to a FOIA request. <a href="#footnote-ref10" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[Who Watches the Watchers? Not the ACLU.]]></title>
            <link>https://footnote4a.org/news/aclu-plates</link>
            <guid isPermaLink="false">https://footnote4a.org/news/aclu-plates</guid>
            <pubDate>Wed, 25 Feb 2026 20:00:00 GMT</pubDate>
            <description><![CDATA[Unredacted audit logs aren't a leak—they're the only functional check on surveillance abuse]]></description>
            <content:encoded><![CDATA[<div class="markdown-alert markdown-alert-note">
<p class="markdown-alert-title">Note</p>
<p>May 1, 2026, update: In a follow-up conversation, the ACLU expresses an
overall desire <em>for</em> transparency and oversight. Its current position may
therefore not be fully encapsulated by this post.</p>
<p>I believe the critique in this post remains valid in its appropriate context,
but it should not be blindly assumed to apply to ACLU’s current ongoing
efforts. Be critical of both the ACLU and this post before deciding your own
position.</p>
<p>See also <a href="eff-aclu-logs">this follow-up post</a>.</p>
</div>
<p>In January, after a Joplin police officer was fired for stalking via Flock’s license plate reader
system, I wrote about <a href="https://footnote4a.org/news/404-eff-plates">why I publish unredacted audit logs</a>. The argument was
simple: as long as Flock can collect this information without restriction, the public must be able to
see how it’s used.</p>
<p>Today, the <a href="https://www.aclu.org/news/privacy-technology/alpr-as-public-data">ACLU has joined EFF in calling for laws</a> that would make that oversight illegal.
It did so on the same day that criminal charges were filed against a Milwaukee police officer for
misuse of the system — as a direct result of the very thing the ACLU is trying to ban.</p>
<h2>The ACLU’s Position</h2>
<p>ACLU and EFF’s assertion that records documenting police activity should be kept behind lock and key
in a police station is, frankly, preposterous. The suggestion has no business coming from
organizations that purport to fight for civil rights and police accountability.</p>
<p>In making its recommendation, ACLU misrepresents the actions of police and the contents of the logs:</p>
<blockquote>
<p>The release of this kind of data is a significant privacy problem. To be clear, web sites have
every right to publish data that has been released by government agencies or that they have
otherwise legitimately obtained; the fault here is the police departments that collected this data
on innocent drivers not suspected of any wrongdoing and then released it unredacted. But this kind
of data could be used by all manner of parties to find out things about the lives of those they’re
interested in \— everyone from abusive romantic partners and stalkers, to political or business
rivals, to everyday busy-bodies and who-knows-who-else.</p>
</blockquote>
<p>Characterizing audit logs as data the police collects on innocent drivers is flat out wrong. Yes,
police <em>do</em> collect data on innocent drivers. But that is not the data that’s in the audit logs.</p>
<p>What’s in the audit logs is what a Flock user—possibly, but not necessarily, a police
officer—entered into the “search” box. For example, there is a result for the plate “<a href="https://haveibeenflocked.com/?l=-"><code>-</code></a>.”
Probably not a valid plate anywhere. I’ve also had to block a few novelty plates, like
<a href="https://www.hoonigan.com/"><code>HOONIGAN</code></a>, from reports because cops keep looking it up.</p>
<p>What <em>is</em> in the logs is search terms being entered into a privately owned and operated, and largely
unregulated, database. Even if you were to make sharing those logs illegal, it does not solve the
issue—the information, by the very nature of the system, is in the hands of a private third party.</p>
<p>The ACLU then tries to compare records of government officials’ search queries to bodycam footage of
private citizens. Video footage of people interacting with police and evidence that someone typed
the word “investigation” into a search box are not the same thing.</p>
<p>Following those dubious claims, the author walks the statement back by saying that “any logs by
officers of the purposes of their searches (which would be subject to existing open-records
exemptions for active investigations) should be considered public records.”</p>
<p>This is exactly how we end up with audit logs like the ones currently served up by Flock’s
ironically-named transparency portals:</p>
<p><img src="https://footnote4a.org/blog/aclu-plates/portal-log.png" alt="Transparency portal logs"></p>
<p>Flock summarizes it correctly in its form email: “<a href="https://footnote4a.org/blog/aclu-plates/flock-portal.pdf">There is nothing the public can gain from this
report</a>.” (“However, if you find your department’s users are not consistently searching off
of incident/case numbers, that may be a reason to hide the Search Audit.”)</p>
<h2>The Contradiction</h2>
<p>The whole system hinges on <em>not</em> containing sensitive information. According to Flock and police,
there are no privacy concerns when you take millions of photos of license plates on public roads.
It’s why a private company can collect the information under color of law and process it without
having probable cause or oversight, and it’s why police can search that same data without warrants.</p>
<p>That framework simply can’t co-exist with the idea that that same information is somehow too
sensitive for public consumption. To claim otherwise is, at best, mistaken.</p>
<p>As it says in this site’s FAQ: I am willing to accept the premise that all of this audit data is too
sensitive to publish, but, if accepting that premise, then the actual photos must be too sensitive
as well. Ban neither or both, but don’t mistake a defense of public oversight for a defense of this
website’s right to exist.</p>
<h2>The Alternatives Don’t Work</h2>
<p>Hiding audit logs for vague privacy concerns is a lazy approach. This website does not display
license plate numbers anywhere. Instead, it provides “identifier” numbers that correspond to license
plates. It’s not a complete solution, but it’s one that’s adequate for identifying patterns of
misuse and abuse.</p>
<p>Flock knows this. It previously took a similar approach to usernames in its transparency portal
logs: instead of identifying a user by name, it identified users with a string of numbers and
letters. While you may not see that Officer Jones did something suspicious, if Officer AF983-90D43
did, that’s still something that can be investigated.</p>
<p>Flock removed those IDs from the logs.</p>
<p>The ACLU’s recommendation that “people should be able to request their own data” is equally
shortsighted. The data is, at least on paper, owned by 6,000 different agencies. Should we all be
doing monthly open records requests to those agencies? Without an up-to-date customer list, how
would we even know where to file the requests? How do we prove to Flock that it’s “our” data? Do we
send Flock, a private mass surveillance company, a photo copy of our ID and car registration?</p>
<p>Meanwhile, police departments across the country write policies saying they will manually audit
hundreds of thousands of searches by downloading a CSV, going through it line-by-line, and making
tens of thousands of phone calls to other departments to ask whether the “investigation” at 4:37pm
last Wednesday was a legitimate search. Closing the chief’s office door won’t get him to suddenly
make the calls.</p>
<p>The real problem isn’t that there is an attempt at public oversight — it’s that every other oversight
mechanism is failing. State and local governments, police agencies, Flock, the FBI, the EFF, and the
ACLU could all actually be working on this problem.</p>
<p>This website shows that national searches are impossible to keep up with due to sheer volume. The
underlying cause is a system that is <a href="search-reasons">disproportionate by default</a>—one that
encourages getting nationwide 30-day location histories for the slightest of reasons, or no reason
at all.</p>
<p>It also shows that some form of oversight may be possible, if we want it to be possible. But we need
to ditch Flock and solve the actual problems.</p>
<h2>ACLU &amp; EFF’s changing position</h2>
<p>In 2014, <a href="https://www.aclusocal.org/news/la-cops-should-release-automatic-license-plate-reader-records/">ACLU SoCal and EFF sued the Los Angeles Police Department and Los Angeles Sheriff’s
Department</a> for ALPR records.</p>
<p>The organizations sought actual ALPR data rather than audit logs, and, after their request for the
data was denied under California’s Public Records Act, they wrote (emphasis mine):</p>
<blockquote>
<p>[T]he intrusive nature of ALPRs and their potential for abuse creates a strong public interest in
disclosure of data that would help shed light on how police are actually using the technology.</p>
<p>…</p>
<p>The data will reveal whether police seem to be targeting political demonstrations to help identify
protestors, or other locations such as mosques, doctors’ offices or gay bars that might yield
highly personal information.</p>
<p><strong>Californians can only properly weigh in on whether police should be using ALPRs and what
policies might be necessary if they understand how police actually use the technology.</strong></p>
</blockquote>
<p>It has been twelve years — we still don’t have that necessary transparency.</p>
<p>ACLU and EFF reversing their position is inexplicable.</p>
<p>@<a href="https://footnote4a.org/blog/aclu-plates/eff-aclu_alpr_opening_brief.pdf" class="collapsible">ACLU SoCal &amp; EFF v. LAPD &amp; LASD</a></p>
<h2>179 Searches, Zero Oversight</h2>
<p>On the same day the ACLU published its recommendation, a criminal complaint was filed in Milwaukee
against MPD police officer Josue Ayala. An excerpt:</p>
<blockquote>
<p>Through the website <a href="http://www.haveibeenflocked.com">www.haveibeenflocked.com</a>, VICTIM ONE became aware that City of Milwaukee
Police Officer Josue Ayala used the Flock system, a license plate recognition platform, to run the
license plate on VICTIM ONE’S personal vehicle to obtain location information for VICTIM ONE on
numerous occasions. VICTIM ONE believed that Officer Ayala ran VICTIM ONE’S license plate over 100
times.</p>
<p>City of Milwaukee Police Detective Tehrangi Chapman conducted follow up investigation by having an
audit trail run in the FLOCK system for the time frame of March 26, 2025, through May 26, 2025.
During that time frame City of Milwaukee Police Officer Josue Ayala ran the license plate of
VICTIM ONE a total of 55 times. The audit trail revealed that Officer Josue Ayala also conducted a
search of a second license plate number belonging to VICTIM TWO a total of 124 times during the
same time frame. During the time frames that Officer Ayala conducted the searches of each license
plate, Officer Ayala was on duty working for the City of Milwaukee Police Department.</p>
<p>The Flock system requires the user to enter a reason for the license plate search. On each
occasion that Officer Ayala used the Flock system to search for license plate of VICTIM ONE or
VICTIM TWO, Officer Ayala listed the reason for conducting the search as “investigation”</p>
</blockquote>
<p>I’ll spare the technical details here, but the discrepancy between the victim’s reported number
(over 100) and the audit’s number (55) is <a href="https://footnote4a.org/news/secret-searches">explained by redactions</a>; the
inaccuracy is a direct consequence of deliberate obfuscation.</p>
<p>The policy violation should have been caught by Milwaukee PD during its regular audits.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>If the CJIS framework applies, which Flock often implies, this should have been caught by the
Wisconsin Department of Justice, which oversees Milwaukee PD. If the DOJ had missed it, the FBI’s
CJIS division should have caught it.</p>
<p>If these were state or nationwide searches, as most searches are, this should also, independently,
have been caught by all the other involved departments.</p>
<p>No independent auditors exist, nor does Flock audit anything.</p>
<p>In fact, <a href="fbi-investigation">the FBI and Flock’s recent changes</a> were explicitly designed to make it
more difficult to catch exactly this type of violation.</p>
<p>Nobody in an ostensibly multi-layered system of oversight caught the problem; once again it was a
private citizen—the victim in this case—who had to do the job public officials promised they’d do.
And again, the problem came to light as a result of complete, unredacted audit log
information—including license plate numbers.</p>
<p>In January, public audit logs got an officer fired. Today, they got one criminally charged. The ACLU
wants to make sure there isn’t a third time.</p>
<p>Now that Flock has deleted the information that made both cases possible, any future similar
incidents will almost certainly go unnoticed. As long as there are no alternatives for effective
oversight, and as long as there is unregulated privatized surveillance, public audits are the best
we can hope to do.</p>
<p>I will continue advocating for exactly that.</p>
<div class="markdown-alert markdown-alert-note">
<p class="markdown-alert-title">Note</p>
<p><strong>Update 2/25 11pm</strong>: The ACLU of Wisconsin issued its own response to the Ayala charges, calling
for transparency standards including “annual public reporting on surveillance technology
acquisition and use across the state.” The statement cites a Wisconsin Examiner report that MPD
logged “investigation” as its search justification over 1,000 times in 2025 — a statistic derived
from the same audit log data the national ACLU wants exempted from public records.</p>
</div>
<hr>
<p class="text-sm">2/28/2025: Updated with ACLU/EFF lawsuit information.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>I’m simply assuming Milwaukee PD has a policy to regularly audit logs. If not, it does not
diminish the point. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[Disproportionate by Default: The Reason Behind the Reason Field]]></title>
            <link>https://footnote4a.org/news/search-reasons</link>
            <guid isPermaLink="false">https://footnote4a.org/news/search-reasons</guid>
            <pubDate>Mon, 26 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Police routinely retrieve 30-day location histories for minor infractions, welfare checks, and "stranger danger"—not because investigations require it, but because it is the default setting.]]></description>
            <content:encoded><![CDATA[<p>Last week, the <a href="http://haveibeenflocked.com">haveibeenflocked.com</a> system ingested its 100 millionth record of a Flock search. I’ve
been vocal about the lack of transparency and how widespread abuse appears to be, even based on the
limited information we have. But what if we were to ignore that? What if we look at the system and
pretend that it is used as intended? The logs tell a story that is perhaps even more disturbing:
police will examine your long-term location history for any reason or no reason at all.</p>
<h2>Location histories and the Fourth Amendment</h2>
<p>The most pertinent discussion, or lack thereof, can be found in the lower court’s holding in
<em>Carpenter v. United States</em>, which SCOTUS described as:</p>
<blockquote>
<p>The Court declines to say whether there is any sufficiently limited period of time “for which the
Government may obtain an individual’s historical [location information] free from Fourth Amendment
scrutiny.” But then it tells us that access to seven days’ worth of information does trigger
Fourth Amendment scrutiny […] Why seven days instead of ten or three or one? And in what
possible sense did the government “search” five days’ worth of location information it was never
even sent? We do not know. — Carpenter v. United States, 585 U.S. 296, 395–96, 138 S. Ct. 2206,
2266–67, 201 L. Ed. 2d 507 (2018) (internal citations omitted)</p>
</blockquote>
<p>There was clearly <em>some</em> concern at the Supreme Court and among the parties regarding the length of
the location history. The Supreme Court’s holding in <em>Carpenter</em> was narrow and it declined to
address the confusion, writing in a footnote that “[i]t is sufficient for our purposes today to hold
that accessing seven days of CSLI constitutes a Fourth Amendment search.”</p>
<p>Whether a cut-off exists under which retrieving location history data  would no longer be a Fourth
Amendment search, or where that cut-off would be, were not questions addressed by the Court, but in
<em>Carpenter</em>, seven days of location history was enough.</p>
<p>Although Flock downplays the completeness of its data and the general usefulness and accuracy of its
“critical tool” when it comes to defending it in the face of <em>Carpenter</em>, a federal court in Virginia
has already found that 176 Flock cameras in Norfolk, VA “plausibly violate” the Fourth Amendment.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>Courts have not yet addressed Flock’s actual network density, suspected to include <a href="https://footnote4a.org/news/network-size">more than a
quarter million cameras</a>.</p>
<h2>Disproportionate by Default</h2>
<p>Flock’s lookup tool, which is used for exact plate searches across the state- and nationwide
networks, offers users limited options for the length of the requested location history: 1 day, 7
days, or 30 days.</p>
<p>Its “search” tool, which can search for partial plates, vehicle characteristics, and use “freeform”
text queries, is not restricted in that way. It can do both longer and shorter searches.</p>
<p>It is unclear whether there is a default setting for either, what the default setting is if there is
one, or who would configure the default setting. I do not recall ever seeing an ALPR policy or city
council minutes that discuss this.</p>
<p>Examining per-state data for lookups<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> yields the following results:</p>
<div class="chart-placeholder" data-chart="state-mode-distribution"></div>
<p>Considering this chart, a per-state or per-organization default setting seems unlikely, however,
the uniformity of location history lengths has changed over time:</p>
<div class="chart-placeholder" data-chart="uniformity-area"></div>
<div class="chart-placeholder" data-chart="uniformity-stats"></div>
<p>The high uniformity suggests a system-wide default that users are accepting. The sudden change in
mid-2025, where users begin choosing different lengths for location history, may be part of the same
systemwide changes that <a href="https://footnote4a.org/news/august-2025-drop">appeared in Santa Cruz in August</a>.</p>
<p>The suddenness of the shift in uniformity suggests that Flock switched to a 7-day default around
that time and users are less accepting of that default than they were of the earlier, 30-day
default.</p>
<p>Regardless of any default, individual users still passively or actively choose to retrieve these
histories without much apparent concern for proportionality. A seven- or thirty-day location history
because an officer can’t be bothered to select a more appropriate menu option strays far from the
reasonableness the Fourth Amendment demands.</p>
<p>Finally, for all searches in our database that have timeframe information, the average length of location
histories retrieved is 18 days, 5 hours, 39 minutes. That includes “search” queries as well as “lookup”
and other types of queries.</p>
<h2>Before the Dropdown</h2>
<p>But why are users pulling these long-term histories? “Every search must be accompanied by a reason.”
Before switching to dropdowns in January 2026, Flock users were free to enter their own reasons.
Although they often did not—beyond “inv” or “sus”—the reasons that were entered do provide a glimpse
into what might trigger long-term lookups of location histories.</p>
<ul>
<li><em>Suspicious Person on Campus</em>: 30 days</li>
<li><em>stranger danger</em>: 30 days</li>
<li><em>Suspicious Auto (bullet holes)</em>: 30 days<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></li>
<li><em>fishing violation</em>: 33 days, 1 hour</li>
<li><em><abbr class="md-tooltip" data-tooltip="Hit and run">h&r</abbr> vehicle</em>: 217 days</li>
<li><em>lowes theft</em>: 366 days</li>
</ul>
<p>It’s hard to come up with a reason why, or how this would contribute to the investigations described.</p>
<h2>Dropdown Reasons</h2>
<p>Maybe Flock’s new <a href="hibf:/dropdown-reasons">reason dropdown</a> will live up to the marketing hype and
provide more transparency. To be clear: these are the reasons that someone, somewhere, found
acceptable enough as a reason for location history retrieval.</p>
<h3>Traffic Infractions and DUIs</h3>
<p>Through the dropdown, the <a href="hibf:/pd/3158-texas-department-of-public-safety/audit?q=Traffic%20Infraction">Texas Department of Public Safety</a> states it frequently uses the
system for “Traffic Infraction - Criminal Justice Purpose.”</p>
<div class="chart-placeholder" data-chart="traffic-history-bar"></div>
<p>Although we can’t know what “Traffic Infraction - Criminal Justice Purpose” actually <em>means</em>, we
know that most traffic infractions are short-lived; where someone had lunch last week has little
probative value in cases where someone failed to stop at a stop sign.</p>
<p>Regardless, the vast majority of Texas DPS’s traffic-related location history retrievals exceeded
the seven-day threshold the Supreme Court found implicated the Fourth Amendment in <em>Carpenter</em>.</p>
<p>DPS pulled histories exceeding 250 days in several cases.</p>
<p>The <a href="hibf:/pd/196-california-highway-patrol/audit?q=DUI">California Highway Patrol</a> similarly uses Flock for DUI investigations.</p>
<div class="chart-placeholder" data-chart="dui-history-bar"></div>
<p>California, of course, has much stricter controls on ALPRs and the Ninth Circuit tends to be more
privacy-friendly than its counterparts elsewhere in the country. This may explain why CHP’s use
appears much more restrained than Texas’.</p>
<p>But that restraint is relative—CHP still retrieved location histories for seven or more days in more
than half of the DUI investigations where it used Flock. What evidentiary value this could possibly
have is anyone’s guess.</p>
<h3>Welfare Checks</h3>
<p>Perhaps even more concerning is the <a href="hibf:/pd/1278-harris-county-sheriffs-office/audit?q=welfare">Harris County, Texas, Sheriff’s Office</a> use of Flock
for welfare checks.</p>
<div class="chart-placeholder" data-chart="welfare-history-bar"></div>
<p>Welfare checks are not criminal investigations, and they are not generally triggered by accusations
of any crime. They are also not the same as missing persons cases. They can range from neighborly
concern to someone actively threatening suicide. In these cases, there may be a clear defense for
the legality of retrieving a person’s <em>current</em> location to prevent harm, but the government does
not need to know where they’ve previously been.</p>
<p>Yet here too, for more than half of “Welfare Checks” the Harris County, Texas, Sheriff’s Office
retrieves location histories of seven days or more: a length the Supreme Court found sufficient to
trigger the Fourth Amendment.</p>
<p>And they’re doing it in cases where there is no criminal investigation, and no evidence of a crime.</p>
<h2>The Reason Behind the Reason</h2>
<p>The implications of some of these long-term searches are concerning.</p>
<p>While a DUI suspect’s long-term location history seems like a mostly pointless violation of rights,
what possible conclusion could someone draw from a shoplifter’s vehicle’s location a year ago? How
does knowing where the “suspicious person on campus” has been decrease the suspiciousness of his
actions today?</p>
<p>A 30-day history will tell you at a glance the general area where a person lives and works. That
reveals information about their socio-economic status and, in many cases to a degree of statistical
certainty, their race. Maybe the reasoning is that a person who lives a wealthy suburb is less
“suspicious” when they’re walking around campus, while someone from the wrong side of the tracks
presents more “stranger danger.”</p>
<p>Whether it’s laziness or active profiling, the system is designed to make disproportionate
surveillance the path of least resistance. Flock could have defaulted to 1 day. They could have
required more justification for longer histories. Instead, they built a system where retrieving a
month of someone’s movements requires less thought than ordering a cup of coffee.</p>
<p>The Fourth Amendment doesn’t distinguish between malice and indifference. Neither should we.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>The <em>Schmidt v. Norfolk</em> case is ongoing; Flock argues that its network doesn’t provide
actual location histories and is attempting to distinguish it from arguably more accurate
cell-tower dumps. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>This chart shows the most common location history length for organizations, based on
organizations that have performed at least 1,000 searches, for states with more than 10
matching organizations. Likely data issues (not conforming to the 1, 7, 30 rule) were discarded. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Even if this isn’t a high schooler with bullethole stickers, shooting your own car is not
illegal, nor is being shot at. This Flock user spotted what he believed could be the victim of a
crime and flagged the victim as “suspicious” tells a story about modern policing. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[Public Policy vs. Private Sharing: California Rebuilds the National Network]]></title>
            <link>https://footnote4a.org/news/shadow-network</link>
            <guid isPermaLink="false">https://footnote4a.org/news/shadow-network</guid>
            <pubDate>Thu, 22 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[With states enacting bans on interstate dissemination of ALPR data and the public's interest in oversight and accountability, Flock and police are getting creative. Flock built the tools to rebuild what state legislatures dismantled—one checkbox at a time.]]></description>
            <content:encoded><![CDATA[<p>When a Flock user performs a search, that search is logged in accounts belonging to the agencies
that originally funded the cameras.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> It ends up in “Network Audit” logs, some of which
are published on this website. This is true whether it is a “<abbr class="md-tooltip" data-tooltip="Total Analytics Law Officers Network: Flock&#39;s embarrassingly tacticool name for its nationwide/statewide data brokerage network.">TALON</abbr>” (nationwide or statewide)
lookup, or a “1:1” search. As states have tightened laws, the “1:1” numbers have been increasing,
suggesting that a shadow network is being created to evade privacy laws and public oversight.</p>
<p><img src="https://footnote4a.org/blog/shadow-network/sharing.jpg" alt="Automatic sharing options in Flock software"></p>
<p>The screenshot is from a <a href="https://www.youtube.com/watch?v=S34n0_TBFgo">Flock training video</a> which shows a Flock user interface for
automatic data sharing. The video was <a href="https://data.aclum.org/2025/10/07/flock-gives-law-enforcement-all-over-the-country-access-to-your-location/">posted by ACLU of Massachusetts</a> in October 2025, but
various dates in the video suggest it was recorded in May 2024.</p>
<h2>California’s Workaround</h2>
<div class="chart-placeholder" data-chart="shadow-network-california"></div>
<p>After Flock disabled the “nationwide network” for its California customers “1:1” sharing exploded.
Rather than—or more likely, in addition to—switching to the statewide network, agencies in
California increased the number of partner networks they added—from fewer than 7 new partnerships per
week on average to more than 40.</p>
<p>When searches are done through a 1:1 sharing connection they are only logged in the originating
agency’s “Organization Audit” and in the receiving agency’s “Network Audit.” This is unlike national
searches, which are broadcast to the world and will almost certainly make their way into someone’s
open records request. Agencies aren’t limited to actually <em>performing</em> 1:1 searches. They can trawl
through data from all of their 1:1 connections seamlessly.</p>
<p>This leads to situations like those in <a href="https://transparency.flocksafety.com/pittsboro-in-pd">Pittsboro, IN</a>, where the agency entered into 3,968
partner agreements for a system it only used 17 times in the last 30 days.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> A
slightly-outdated <a href="hibf:/sharing">visualization of the 1:1 sharing network</a> is available.</p>
<p>The data for this is hard to come by. Uncertainties persist due to <a href="https://footnote4a.org/news/august-2025-drop">what are presumably major data
issues</a> in Flock’s log files, as well as seemingly arbitrary redaction of
the <code>total_devices_searched</code> and/or <code>total_networks_searched</code> columns both by Flock and agencies.</p>
<p>The available data does, however, support the idea that Flock and police have been building a shadow
network, and that some restricted agencies, like those in California, have been using it.</p>
<p>The trend is not explained by Flock growing its customer base, or the overall number of networks. In
fact, nationally <a href="hibf:/statistics/weekly?metric=networks">the number of networks appears to be stagnating</a>.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></p>
<h2>The Data Problem</h2>
<div class="chart-placeholder" data-chart="shadow-network-dominant-size"></div>
<p>The data must be interpreted with the caveat that Flock’s audit logs appear to be extremely unreliable.</p>
<p>We’ve seen the <a href="https://footnote4a.org/news/august-2025-drop">search inversion in August 2025</a> and the accompanying drop
in log entries. Examining counts more broadly shows even more bizarre outliers, and inexplicable
patterns.</p>
<p>The chart above shows the most popular (approximate) network pool size for “search” queries in three
populous states. While Illinois and California at least appear plausible, the same can’t be said for
Texas’ odd saw-pattern; I can see no plausible reason why agencies would suddenly search 50% fewer
networks for a week.</p>
<p>There is no evidence that these anomalies have bothered auditors in any way, or that any questions
have been asked. Flock certainly has not addressed it in a blog post or customer update.</p>
<h2>The Telltale Ratios</h2>
<p>Another piece of the puzzle that suggests this workaround is in active use is usage patterns.</p>
<div class="chart-placeholder" data-chart="shadow-network-sync-boxplot"></div>
<p>The chart shows the proportion of queries made through 1:1 search connections versus <abbr class="md-tooltip" data-tooltip="Total Analytics Law Officers Network: Flock&#39;s embarrassingly tacticool name for its nationwide/statewide data brokerage network.">TALON</abbr> (the
nationwide network). California agencies use 1:1 searches for 31% of their queries—three times the
rate of unrestricted states like Texas (11%) or Arizona (3%). Minnesota and Virginia, which have
also enacted restrictions on ALPR, show similarly elevated rates. This pattern is consistent with
restricted agencies routing queries through 1:1 partnerships to bypass network limitations.</p>
<p>The scale of some agencies’ 1:1 networks is staggering. We have seen 358 agencies in California do
searches on (a median of) 449 networks. These numbers seem realistic in the context of a national
estimate of ~5,000–6,000 agencies.</p>
<div class="chart-placeholder" data-chart="shadow-network-ca-agencies"></div>
<p>Yet El Cajon PD searches 3,584 networks through 1:1 connections—ten times the number of in-state
agencies. The California Highway Patrol searches 2,181, and the Riverside County District Attorney
searches 2,896.</p>
<p>These outliers use a shadow network reaching 60–95% of <abbr class="md-tooltip" data-tooltip="Total Analytics Law Officers Network: Flock&#39;s embarrassingly tacticool name for its nationwide/statewide data brokerage network.">TALON</abbr>’s nationwide coverage, all while
technically using “bilateral” sharing agreements.</p>
<h2>Secrets and Silence</h2>
<p>It’s important to note at this stage that although these 1:1 agreements are often understood to be
reciprocal in nature, it is unclear whether they in fact are. <a href="https://jsis.washington.edu/humanrights/2025/10/21/leaving-the-door-wide-open/">Washington University research</a>
notes that the “shifting and sometimes inaccurate statements made by Flock about its product’s
sharing features” contribute to this confusion.</p>
<p>To further frustrate analysis, Flock does not make its product documentation available to the
public, and agencies do not generally release it responsive to public records requests. It is
therefore unclear if the restrictions seen in the (presumptive) May 2024 video still apply, or if,
in 2026, agencies can automatically accept requests from anyone, anywhere.</p>
<p>Still, while the exact scope and mechanism remain unknown, the available information does
demonstrate the existence of a shadow network, powered by some form of “auto-accept” or similar
feature.</p>
<p>California agencies are not, on average, hammering out between six and forty new agreements in any
given week. Going by recent public records responses, agencies are not exchanging emails about these
partnerships, let alone validating policies are in place. It has all the hallmarks of a checkbox.</p>
<p>That checkbox appears to be a “set and forget.” Nothing suggests that administrators are notified
when a request is auto-accepted. The <a href="https://jsis.washington.edu/humanrights/2025/10/21/leaving-the-door-wide-open/">Washington University report</a> highlights that many police
chiefs were entirely unaware that third parties had access until notified by the researchers, who
reviewed the logs.</p>
<p>Flock’s CEO Langley told us that “it is a local decision. Not my decision, and not Flock’s decision.”</p>
<p>What he built, buoyed by the FBI’s <a href="https://footnote4a.org/news/fbi-investigation">unsubtle threat of retaliation for complying with public records
requests</a>, does create local decision-makers—ones who’ve decided that
laws are optional and silence is policy.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>This is awkward phrasing for a reason: Flock owns and controls the cameras;
when talking about “agencies’ cameras” or “the city’s data” it’s shorthand for the legal reality
that <a href="https://footnote4a.org/news/trojan-contracts">Flock customers have no ownership stake in, or control over, either the devices or the
data</a>. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Check out <a href="https://eyesonflock.com/">EyesOnFlock</a> and sort by “Orgs shared.” <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Disable the “max” line for easier viewing. That outlier is discussed in <a href="https://footnote4a.org/news/network-size">another post</a>. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[FBI Circulates Bulletin: Keep Flock Searches Vague, Punish Transparency]]></title>
            <link>https://footnote4a.org/news/fbi-investigation</link>
            <guid isPermaLink="false">https://footnote4a.org/news/fbi-investigation</guid>
            <pubDate>Sat, 17 Jan 2026 09:00:00 GMT</pubDate>
            <description><![CDATA[A Houston HIDTA bulletin, forwarded by the FBI to its intelligence community, instructs Flock users to enter vague search reasons and exclude agencies that comply with public records laws.]]></description>
            <content:encoded><![CDATA[<p>Late last year, <a href="https://footnote4a.org/news/cyble-part4">shortly before Flock started filing takedown notices</a>, the
Houston Investigative Support Center and Investigative Research Team put together an “Officer Safety
Situational Awareness Bulletin” about this project, recommending Flock users keep the reasons they
enter as vague as possible (“e.g., ‘Investigation’”). The FBI’s Gang division in Atlanta forwarded
it to the FBI’s broader “intelligence community.”</p>
<p>The FBI agent provided a summary of the bulletin in his email (emphasis added):</p>
<blockquote>
<p>The website lists the total number of searches by an officer, when those searches were conducted,
case numbers, the officer’s work schedule, how long they have been employed by the agency, and
partial personal identifying information. This poses a significant officer safety risk to law
enforcement personnel because suspects can determine if they are the target of a criminal
investigation and potentially retaliate against law enforcement and/or those cooperating with law
enforcement. <strong>Flock has committed to removing officer usernames from future audits.</strong></p>
</blockquote>
<p>@<a href="https://footnote4a.org/blog/fbi-investigation/fbi-email_Redacted2.pdf" class="collapsible">December 11, 2025 email from FBI</a>
@<a href="https://footnote4a.org/blog/fbi-investigation/bulletin.pdf" class="collapsible">Houston <abbr class="md-tooltip" data-tooltip="High Intensity Drug Trafficking Area">HIDTA</abbr> Officer Safety Situational Awareness Bulletin December 2025</a></p>
<div class="markdown-alert markdown-alert-note">
<p class="markdown-alert-title">Note</p>
<p><abbr class="md-tooltip" data-tooltip="Personally Identifying Information">PII</abbr> was originally included in this email release, but was redacted before publication here. The
record was released responsive to a public records request by <a href="https://www.sassisouth.org/">Southerners Against Surveillance
Systems &amp; Infrastructure</a> and <a href="https://www.lucyparsonslabs.com/">Lucy Parsons Labs</a>.</p>
</div>
<h2>Under Federal Pressure</h2>
<p>This email was sent shortly after <a href="https://footnote4a.org/news/colwell-files">Flock’s email blast announcing reduced audit
capabilities</a> (“Flock has committed to removing officer usernames from future
audits”). The agent who sent the email is based in Atlanta (as is Flock’s HQ). Flock used the same
“officer safety” language.</p>
<p>Flock’s <a href="https://footnote4a.org/news/secret-searches-part2">removal of critical auditing capabilities</a> was clearly done in
coordination with the FBI.</p>
<p>The FBI-endorsed bulletin recommends that, in configuring data sharing, agencies “exclude the
states/agencies that release their audit logs.”</p>
<p>Information exchange happens on an ongoing reciprocal basis; the proposal is, in effect, to reduce
the operational capabilities of the Flock system for states with effective open record laws, and
specifically for agencies in compliance with those laws.</p>
<p>The FBI encourages agencies to violate the law by quietly threatening retaliation against those who
don’t.</p>
<p>Follow the law, lose network access.</p>
<h2>The Good Recommendations</h2>
<blockquote>
<p>Recipients of this bulletin should ensure that their agency Flock Administrators check that the
agency Flock settings have limited searches to sharing within state only or exclude the
states/agencies that release their audit logs. … Flock users should also limit their searches to
“My Network” or draw a geofence around the area they wish to search. This will mitigate the risk
of information being released by an outside agency that has different criteria as to what is
redacted when responding to FOIA requests.</p>
</blockquote>
<p>Agreed. Police should not default to pulling nationwide location histories for reasons like
“graffiti”, “trespassing,” or “expired tag.” They should not be pulling <em>any</em> location history, of
course, but current scopes are especially hard to justify as serving a legitimate investigative
purpose.</p>
<p>The nationwide lookup is often cited as a “why we need Flock.” Apparently, when faced with a risk of
oversight, that need evaporates. Police seem to prefer less intelligence over more accountability.</p>
<p>Regardless, although the reasons for wanting to reduce the scope and breadth of warrantless searches
differ, we can at least agree this outcome is an improvement.</p>
<p>To further improve its recommendation, the FBI might consider suggesting following its own security
policy. If the data and audit logs Flock stores are in fact <abbr class="md-tooltip" data-tooltip="Criminal Justice Information">CJI</abbr>—as Flock and agencies claim whenever
convenient—access and dissemination would be strictly limited to those with prior approval and a
particularized “need to know.”</p>
<p>That does not include <a href="http://haveibeenflocked.com">haveibeenflocked.com</a>. It also does not include Flock or random users on the
nationwide network (i.e. “paying customers Flock says are probably cool.”)</p>
<h2>The Bad Recommendations</h2>
<blockquote>
<p>Flock Administrators/users should ensure that the reason for the query be as vague as permissible
(e.g., “Investigation”).</p>
</blockquote>
<p>This is one to take to your city council.</p>
<p>Elected officials have been promised that agencies have the ability to see the reasons for a search.
The FBI is now telling agencies across the country not to enter meaningful reasons.</p>
<p>We’ve long known that <a href="hibf:/reason-cloud">entered reasons are borderline meaningless</a>, but now, in addition
to <a href="https://footnote4a.org/news/secret-searches-part2">Flock’s new anti-transparency measures</a>, it is federal policy.</p>
<h2>The Ugly Recommendation</h2>
<blockquote>
<p>[A]gency Flock Administrators should coordinate with their respective Legal Departments to ensure
that law enforcement sensitive information is redacted prior to releasing information.</p>
</blockquote>
<p>The information on this website is lawfully obtained via public records. This isn’t in dispute: even
after filing its takedown requests stating the opposite, <a href="https://footnote4a.org/news/cyble-part4">Flock admits as much</a>.</p>
<p>Additionally, there is a basic legal reality that <a href="https://footnote4a.org/news/404-eff-plates">license plates are not categorically exempt from
open records requests</a>. If Flock (a private corporation) can have access to
the data, so can you.</p>
<p>Houston <abbr class="md-tooltip" data-tooltip="High Intensity Drug Trafficking Area">HIDTA</abbr> appears to agree. Its recommendation is <em>not</em> “you should never release license
plates.” Its phrasing signals an awareness that license plates are not categorically “law
enforcement sensitive” or confidential for the purpose of public records requests.</p>
<p>At no point does the bulletin suggest that logs were leaked or improperly redacted.</p>
<p>Instead, the bulletin recommends agencies “coordinate with their legal departments.” On this too, we
can agree, but for different reasons. The question posed to lawyers should be if sending “law
enforcement sensitive” information to an unregulated private company to be disseminated through a
“nationwide sharing” network where tens (if not hundreds) of thousands of people have access, would
violate state law and federal regulations.</p>
<p>The question should not be the one implied—how agencies can get away with disclosing “sensitive”
information to a group of individuals managed exclusively by Flock, while keeping it hidden from
“activists” and “self-styled privacy advocates.”</p>
<h2>The “Self-Styled Advocates”</h2>
<blockquote>
<p>A group of self-styled privacy advocates have filed a series of Freedom of Information Act (FOIA)
requests with law enforcement agencies around the country to obtain agency Flock audit logs.</p>
</blockquote>
<p>In context, “self-styled” is a deliberate pejorative. It is spook-speak used to delegitimize. It
implies those seeking accountability aren’t experts or journalists, but meddling hobbyists.</p>
<p>Police use the language of counter-terrorism to describe citizens exercising a statutory legal
right. In their framing, a citizen with a PDF reader is a “threat actor,” and a public record is a
“vulnerability.”</p>
<p>At the same time, everything, including the actual surveillance data can be disclosed without
restriction to Flock, everyone on the national network (as managed by Flock), Flock’s
subcontractors, Flock’s <a href="https://footnote4a.org/news/overseas-data">gig-workers in the Phillipines</a>, and the <a href="https://footnote4a.org/news/dps-denmark">Danish
corporation Flock uses to record user sessions</a>.</p>
<p>We’re coming up on <a href="https://footnote4a.org/news/federal-insecurity">a year since several P1 <abbr class="md-tooltip" data-tooltip="Criminal Justice Information System Security Policy">CJISSECPOL</abbr> violations</a> were
reported to Flock. Flock still hasn’t announced a patch. A <a href="https://nexanet.ai/blog/53-times-flocksafety-hardcoded-the-password-for-americas-surveillance-infrastructure">vulnerability exposing real-time
locations for officers</a> went unfixed for months. If we are to take the FBI at its word,
these vulnerabilities pose less of a threat to officers than public accountability.</p>
<p>Maybe the actual security problem here is the government contracting out the creation of a massive
surveillance database based on a company’s claim that it has a “<abbr class="md-tooltip" data-tooltip="Criminal Justice Information System">CJIS</abbr> ACE Compliance Seal” (provided
by Diverse Computing, Inc., of Tallahassee, FL).</p>
<p>Regardless, I want to assure the FBI that there is no “group of self-styled privacy advocates.” A
handful of individuals have sent me audit logs, and I’ve pulled a few directly off Muckrock. The
persistent belief that this project publishes information from many sources is mistaken.</p>
<p>Although as of right now there are 93M records in the database, they cover a limited time period and
were sourced from a handful of releases. At the bottom of the <a href="hibf:/statistics/daily">daily statistics
pages</a> you can see the number of sources that cover a given month, and the number
of search records for that month.</p>
<p>In months with more sources we see significantly more searches logged, yet out of the ~6,000 or so
agencies using the system, we have logs from maybe a dozen for any given month.</p>
<p>This information is continuously being disseminated to Flock and by Flock. Anyone with access to the
Flock system can get more complete, and more accurate, logs than this project has.</p>
<p>If your position is that “a group of self-styled privacy advocates”—which is really one developer in
rural Iowa and the folks who have sent him emails—can use inaccurate, incomplete data to derive so
much information that it “poses a significant officer safety risk,” what do you think a Flock
employee or contractor—or someone exploiting documented, unpatched security vulnerabilities—could do
with realtime access to accurate information?</p>
<p>Agencies are right to be worried. They’re wrong to worry about the messenger while ignoring the problem.</p>
<h2>What You Can Do</h2>
<h3>Get Answers from Public Officials</h3>
<ul>
<li>Does your PD follow the FBI’s recommendation to enter vague search reasons like “Investigation,”
or does it require specific reasons and case numbers for every query?</li>
<li>Has your PD stopped searching data from jurisdictions that comply with public records laws?</li>
<li>Since Flock has removed officer usernames from audit logs, how does your city verify that
individual officers aren’t using this system for personal or other impermissible reasons?</li>
<li>Do Flock or the FBI have the right to dictate which public records your city is allowed to release?</li>
</ul>
<h3>Get Answers from the Public Record</h3>
<p>Even without the logs, it’s worth finding out if your city complies with open records laws, if only
so the FBI will continue to recommend that your city be excluded from future searches.</p>
<p>The FBI suggesting consequences for complying with transparency laws underscores the need to remind
these self-appointed surveillance authorities that, in free societies, we don’t treat the rule of
law as optional for police.</p>
<h3>Tired of Self-Styling? Get Self-Certified</h3>
<p><a href="hibf:/about/audit-logs">Demanding transparency</a>, speaking at <a href="https://alpr.watch/">local meetings</a>,
and writing <a href="https://www.commoncause.org/find-your-representative/">your representatives</a> is a lot of
work. You may want to be more than just a self-styled privacy advocate.</p>
<p>That’s why <a href="http://haveibeenflocked.com">haveibeenflocked.com</a> is offering you the opportunity to become a Certified Privacy
Advocate. If the government is going to pathologize transparency, you might as well have the
credentials to back it up.</p>
<p>This certificate is every bit as legitimate as <a href="https://footnote4a.org/news/federal-insecurity">a commercial <abbr class="md-tooltip" data-tooltip="Criminal Justice Information System">CJIS</abbr> seal</a>
and it may even fit in a frame if you print it correctly.</p>
<p><strong><a href="https://ko-fi.com/s/b75c5f1286">Get certified today</a>!</strong></p>
<p>Pay what you want to print as many certificates as you like, or don’t pay at all. If you frame it
and hang it anywhere good, <a href="mailto:humans@haveibeenflocked.com">send me a picture</a>.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[Florida Sheriff Uses Flock as Lie Detector, Asks County to Suppress Discussion]]></title>
            <link>https://footnote4a.org/news/fl-hernando-sheriff</link>
            <guid isPermaLink="false">https://footnote4a.org/news/fl-hernando-sheriff</guid>
            <pubDate>Thu, 15 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Hernando County's sheriff wants commissioners to help "minimize public discussion" of ALPR surveillance—and won't explain why in writing. Buried in his email is an admission he uses Flock data to dismiss witness testimony.]]></description>
            <content:encoded><![CDATA[<p>Local news outlet <a href="https://www.rnews.news/">R News</a> recently reported that <a href="https://www.rnews.news/story/2026/01/06/news/sheriffs-email-to-bocc-leaked-to-r-news-warned-commissioners-of-felony-penalties-over-flock-program/1105.html">Hernando County,
Florida’s sheriff asked the county to suppress public discourse on ALPRs</a>.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> In an email, the
sheriff asked commissioners for their “help in minimizing the public discussion on this topic.”
Regarding why, he wrote, “I do not want to go into details in writing, but I can give specific examples
if you would like to set up a meeting.”</p>
<p>Although the obvious headline in that debacle is the attempt to suppress public discussion and the
outright rejection of transparency, another part of the sheriff’s email is perhaps even more
disturbing:</p>
<blockquote>
<p>The technology has also allowed us to conduct truth verification on victim and witness statements,
allowing us to determine very quickly that one or more victim or witness was giving us false
information about what actually occurred. This keeps us from wasting valuable resources on chasing
false leads or, worse yet, investigating crimes that never occurred. — Sheriff Al Nienhuis in his
March, 2024 email to Hernando County Board of County Commissioners.</p>
</blockquote>
<p>The sheriff suggests he is willing to dismiss cases and leads based on information from Flock.</p>
<p>Does that mean he will not investigate when a citizen reports a vehicle is involved in a crime, but
Flock didn’t detect it? Will he dismiss valid witness statements when a plate is misread? When a bug
in the Flock software doesn’t register it?</p>
<p>We have no idea how accurate Flock’s technology is exactly. That’s both “for obvious reasons” and
because it is being used without oversight or external audits. Governments will spend millions on
these contracts without asking the question. Still, all technology is fallible, and we know Flock
neither contractually guarantees any level of accuracy, nor permits validation of accuracy.</p>
<p>Flock is not contractually obligated to disclose information about inaccuracies, outages, or errors.
It is negatively incentivized to do so; its customers don’t like hearing results are inaccurate,
they prefer to assume they are.</p>
<p>The idea that a sheriff would use the system for “truth verification” and to direct resources should
be deeply disturbing to anyone who values the integrity of criminal investigations.</p>
<p>A search result proves nothing. A lack of search results proves nothing. It’s Flock making an
unverified, and unverifiable, claim on the basis of a <a href="https://footnote4a.org/news/federal-insecurity">compromised system</a>.</p>
<p>Courts and police should treat it that way.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Hernando County is on Florida’s gulf coast, north of Tampa. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[Flock Decides Cops Can't Be Trusted with Cop Data]]></title>
            <link>https://footnote4a.org/news/secret-searches-part2</link>
            <guid isPermaLink="false">https://footnote4a.org/news/secret-searches-part2</guid>
            <pubDate>Mon, 29 Dec 2025 22:30:00 GMT</pubDate>
            <description><![CDATA[Flock unilaterally stripped officer names, license plates, and filters from the audit logs it provides to police agencies—the same logs the company touts as 'immutable' and 'tamper-proof.']]></description>
            <content:encoded><![CDATA[<p>Ah, Christmas. This year, Flock brings us the gift of contractual liability, and, if our elected
officials and state auditors are starting 2026 with fresh energy, a whole lot of canceled mass
surveillance contracts. Thanks, <s>Flo</s>Santa!</p>
<div class="markdown-alert markdown-alert-note">
<p class="markdown-alert-title">Note</p>
<p><strong>Update Jan 7, 2026</strong>: Flock’s VP of Solutions, Chris Colwell, sent out an email blast on
December 9<sup>th</sup> of last year. Its content is largely the same as that in <a href="https://footnote4a.org/news/colwell-files">his December 8 email</a>
but it offers greater specificity about Flock’s unilateral decision to remove the audit trail.</p>
<p>In the email, Colwell writes: <em>“Network Audits will no longer include officer name, specific plates
searched, vehicle fingerprint, and open text search reason to protect active investigations and
ensure officer safety”</em></p>
<p>@<a href="https://footnote4a.org/blog/colwell-files/email.pdf" class="collapsible">December 8, 2025 email</a>
@<a href="https://footnote4a.org/blog/colwell-files/email2.pdf" class="collapsible">December 9, 2025 email</a></p>
</div>
<p>Only a week ago, I wrote a post titled
“<a href="https://footnote4a.org/news/trojan-contracts">Flock is altering the deal. Pray it does not alter it further</a>.”</p>
<p>It has altered it further.</p>
<p>Flock already <a href="https://footnote4a.org/news/burden-of-compliance">removed useful information</a> from its ironically-named
Transparency Portals to deal with what the company termed “the burden of compliance.”</p>
<p>Then, as the new info box added to
<a href="https://footnote4a.org/about/name-resolution">the haveibeenflocked.com name resolution page</a> has noted since earlier this
month:</p>
<blockquote>
<p>Our ability to identify officers was clearly effective. In a direct attempt to stop us from
providing transparency, Flock and police departments have dropped the unique IDs (UUIDs) in the
transparency portals entirely. They now simply replace them with the word
“<span class="smallcaps">redacted</span>” in the public audit logs, effectively preventing
oversight and individual accountability.</p>
</blockquote>
<p>Now, Flock has extended that “functionality” to its own customers.</p>
<p>We learned from the company’s new, <a href="https://footnote4a.org/news/cyble-part3">nonsensical takedown notice</a> that it
considers audit logs to “pose an immediate threat to public safety and expose law enforcement
officers to danger.”</p>
<p>Apparently, that threat is also posed by Flock’s customers — the police officers themselves.</p>
<p>The vendor — still a privately-owned corporation — has decided it no longer trusts police with
information about who has searched “<a href="https://footnote4a.org/news/trojan-contracts">their data</a>.”</p>
<p>“Don’t worry,” Flock tells cops, “it’s for your own good.”</p>
<p>At least, that’s what we hear from an officer responding to an open records request:</p>
<blockquote>
<p><strong>Flock Safety updated the system on 12/11/2025 to protect officer safety and active
investigations, Network Audit Logs no longer include officer names, license plate, or vehicle
fingerprint information.</strong> This is a system update from Flock Safety not [Local] Police.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup>
With recent concerns about Flock [Local] Police conducted a review of shared networks and removed
all out of state access to our system.</p>
</blockquote>
<p>This, of course, comes on the heels of Flock’s announcement that the reason field
<a href="https://footnote4a.org/news/official-use-only">is now a dropdown</a>, from which you may select one of Flock’s expertly
curated pre-approved reasons.</p>
<p>Which followed shortly after the announcement that
<a href="hibf:/moderation-logs">Flock does not log searches that are flagged as problematic</a>. Select another
justification and try again.</p>
<p>If you’re a cop or a city, you no longer get to know who searched the data collected in your town.
You don’t even get to know what was being searched for. If the company feels like it, you may get
one of a handful of pre-approved reasons.</p>
<p>But only if the anonymous other party feels like making a selection — simply clicking something that
will be accepted by the system is also an option … it’s not like anyone is logging your name.</p>
<p>Here are log entries from three different agencies (from before the dropdown was implemented):</p>
<pre><code class="language-csv">Name, Org Name, Total Networks Searched, Total Devices Searched, Time Frame, License Plate, Reason, Case #, Filters, Search Time, Search Type, Text Prompt, Moderation
&quot;REDACTED&quot;,&quot;Shelby Township MI PD&quot;,4341,&quot;4341&quot;,&quot;03/31/2024, 07:22:46 PM UTC
22:46 PM UTC&quot;,&quot;REDACTED&quot;,&quot;COM-13-24&quot;,&quot;&quot;,&quot;REDACTED&quot;,&quot;04/01/2024, 07:22:59 PM UTC&quot;,&quot;lookup&quot;,&quot;&quot;,&quot;&quot;
...
&quot;REDACTED&quot;,&quot;Houston TX PD&quot;,5888,&quot;5888&quot;,&quot;09/27/2024, 05:00:45 AM UTC
10/04/2024, 05:00:45 AM UTC&quot;,&quot;REDACTED&quot;,&quot;INV&quot;,&quot;&quot;,&quot;&quot;,&quot;10/04/2024, 05:00:47 AM UTC&quot;,&quot;lookup&quot;,&quot;&quot;,&quot;&quot;
...
REDACTED,[Federal] US Postal Inspection Service,3241,54164,&quot;11/10/2025, 11:00:24 PM UTC
11/17/2025, 11:00:24 PM UTC&quot;,REDACTED,4238996,4238996,REDACTED,&quot;11/17/2025, 10:30:32 PM UTC&quot;,lookup,,
</code></pre>
<p>Newly missing:</p>
<ul>
<li>Name (“Operator name” as it’s referred to on this site)</li>
<li>License plate<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></li>
<li>Filters</li>
</ul>
<p>Whether the “Text Prompt” and “Moderation” fields are empty because they’re unredacted, or because
they’re simply empty and haven’t been replaced with the word <span class="smallcaps">redacted</span>
is unclear.</p>
<p>Anyway — it’s almost becoming a predictable pattern, but bear with me once again as I quote Flock’s
CEO and then tell you he lied:</p>
<blockquote>
<p>Why Auditing is Crucial: To underscore accountability, every single search conducted in the Flock
LPR system is saved in an audit report. Every time a search is run on the Flock system, that
search and search reason is preserved permanently in the audit trail of every agency whose camera
was included in the search. — Garrett Langley, “Setting the Record Straight: Statement on Flock
Network Sharing, Use Cases, and Federal Cooperation”, June 2025.</p>
</blockquote>
<p>Actually, to change it up a little, let me also cite the section “Flock’s privacy-by-design and
accountability” from the company’s November 11, 2025, impossibly boringly-titled blog post,
“Automated License Plate Readers and the Fourth Amendment: A Public‑Safety‑by‑Design Perspective
from Flock”:</p>
<blockquote>
<p>Immutable accountability: Every user action and search reason is recorded in an indefinitely
available audit trail.</p>
</blockquote>
<p>And, because it’s Christmas, let’s throw in the company’s “Ethical Creed,” which it actually
publishes on its webpage:</p>
<blockquote>
<ol>
<li>Transparency and accountability build trust between communities, government, and law
enforcement – making communities safer and more equitable.</li>
<li>Democratic decision making and local autonomy should be encouraged and respected.</li>
<li>With the right technical and policy safeguards, public safety technology will not infringe on
constitutionally protected rights.</li>
</ol>
</blockquote>
<p>In this case, the “immutable record” that is supposed to “build trust” has been altered (again).</p>
<p>Not through “democratic decision-making” or “local autonomy,” but through a decision to modify the
service contracted for—a decision made unilaterally by Flock, without consulting its customers,
while they are probably spending time with their families.</p>
<p>Because, apparently, what Flock wants now trumps “safer” and “more equitable” communities, and even
if it causes a little light infringement on constitutional rights, if we can drop those annoying
safeguards that keep <a href="https://footnote4a.org/news/dupage-county">exposing the company’s poor practices</a>, maybe it’s worth
it. For <s>Shareholder va</s>Officer Safety.</p>
<p>All that is to say: Flock has expunged the “<a href="https://footnote4a.org/news/secret-searches/">permanent record</a>.”</p>
<p>If Flock was talking about your city council when whoever they pay to write blogposts wrote:</p>
<blockquote>
<p>Every search made within the Flock platform is logged and auditable, creating a tamper-proof trail
of accountability. Agencies can trace back who accessed what information, when, and why. This
audit feature is a critical deterrent against misuse and is often cited in public hearings as a
reason for community support. — Flock, “The Power of Connected Intelligence”, September 18, 2025.</p>
</blockquote>
<p>Then now is the time to let them know that Flock has committed a material breach of the contract —
it reneged on the democratically-approved deal (however tenuous that approval might be sometimes).</p>
<p>Your city council may have even said, “I trust our local police department.”</p>
<p>Flock does not.</p>
<p>The company lied to you <a href="https://footnote4a.org/news/federal-insecurity">about data security</a>,
<a href="https://footnote4a.org/news/staunton-attack">about compliance</a>, <a href="https://footnote4a.org/news/secret-searches">about transparency</a>, and even
<a href="https://footnote4a.org/news/amber-reasons">about finding missing children</a>.</p>
<p><a href="https://footnote4a.org/news/trojan-contracts">They took your city’s data</a> and are now selling it.</p>
<p>Just like they said they wouldn’t.</p>
<p>For your safety.</p>
<hr>
<p>PS: Flock chose not to redact case numbers (yet). Naturally, even while importing a heavily redacted
dataset, the importer called out an instance where
<a href="hibf:/search?q=linx">someone pasted an entire LINX entry about a fatal hit-and-run into the case number field</a>—officer
name, defendant name, date of birth, charges, and all. The haveibeenflocked system truncated and
partially redacted the entry for privacy, which is more than Flock managed. This is exactly the kind
of reckless incompetence Flock is trying to hide. Unfortunately, they can’t even do that right.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Although I generally have no issues naming officers and agencies acting in their official
capacity, I am concerned this officer or agency could face backlash from Flock and its partners
for doing something decent—I am therefore choosing not to publish names at this time. For
officer safety. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>If you’re thinking about getting “REDACTED” as a plate: New York, New Mexico, Ohio, and possibly
Indiana appear to permit 8 characters on their vanity plates. Send me a picture. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[3,466 Searches, Zero Hits: How Flock Failed an Amber Alert]]></title>
            <link>https://footnote4a.org/news/amber-reasons</link>
            <guid isPermaLink="false">https://footnote4a.org/news/amber-reasons</guid>
            <pubDate>Sun, 28 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Police searched Flock's license plate database over 3,000 times during a nine-week Amber Alert. The system had spotted the suspect before he even reached his target. In the end, a woman at a Nebraska truck stop did what billions of plate scans couldn't.]]></description>
            <content:encoded><![CDATA[<p>Being a “force multiplier” for finding missing children and acting on Amber alerts is perhaps the
most frequently cited reason for adopting Flock’s mass surveillance system. However, following an
Amber alert in Wisconsin, police in 23 states would search the Flock system over 2,000 times for the
wrong plate. Two months later, a woman spots the teen at a truck stop in Nebraska and calls in the
tip that would see her reunited with her parents.</p>
<p>In the summer of 2024, months before the amber alert, sixteen-year-old Sophia “did not return home
one night.” She kept in touch with her parents by phone and told them she was staying with a friend
in town. Her parents talked to local police and they decided not to report her as missing, believing
her to still be in the area.</p>
<p>In December that same year, police in Arkansas were performing a compliance check on Gary Day— a
forty-year-old man who was in the middle of a six year probationary sentence for endangering the
welfare of a minor.</p>
<p>Day’s charges stemmed from <a href="https://www.kait8.com/2019/10/18/baby-found-with-fractured-femur-couple-faces-charges/">his four-month-old baby being found with a fractured femur in
2020</a>. In 2023, he was charged with battering his then four-year-old son—those charges had
been dropped a few months prior to the December compliance check.</p>
<p>Police discovered Sophia when she attempted to escape out the backdoor. Although a condition of
Day’s probation was that he not leave Arkansas, Sophia told police that he had come to get her from
Wisconsin five months earlier. She was three months pregnant at the time of that interview.</p>
<p>Day was charged with interference with child custody and contributing to the delinquency of a minor
and released on bond, while Sophia was returned to her parents’ custody in Beaver Dam, Wisconsin.</p>
<p>A month later, Sophia’s parents contact Beaver Dam PD—they had caught Sophia messaging with Day
online. The parents share the contents of that conversation with police.</p>
<blockquote>
<p>“I stayed out past curfew. Probation. And didn’t notice. Im done. Fuck. Fucking ankle monitor is
flashing and vibrating”. — Gary Day message to Sophia</p>
</blockquote>
<p>Around 10 PM the next day a black Buick registered to Gary Day’s mother is spotted by a Flock camera
in southeast Missouri, heading north toward Wisconsin. It has Arkansas plate
<a href="hibf:/statistics/surveillance/6ba9ae56">BBR 20L</a>.</p>
<p>The next morning, February 3 at 5:20 AM, Sophia’s sister spots the same car near their home. At 7:48
AM, their home surveillance system records Day walking near the house. At 8:30 AM, Day’s car is
spotted by WI DOT cameras. They capture the black Buick traveling southbound on Highway 151 near Sun
Prairie, WI. It has Pennsylvania plate <a href="hibf:/statistics/surveillance/dbd326a9">KGW 5186</a>.</p>
<p>At an unspecified time that same day, Sophia’s father sends local police the surveillance footage
and reports the pregnant Sophia as missing. She was believed to have gone with Day — possibly to
Arkansas.</p>
<p>That evening, at 8:08 PM, an Amber Alert is broadcast. The alert includes information on the Buick,
and notes that it is “known to use multiple license plates,” listing Arkansas plate BBR 20L and
Pennsylvania plate KGW 5186.</p>
<p>After the alert is issued, numerous agencies inside and outside of Wisconsin, including Milwaukee’s
STAC<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> fusion center and the Missouri highway patrol, begin searches for Day’s Arkansas plate—
the first plate listed in the Amber alert, but not the plate he was most recently seen with.</p>
<p>The Pennsylvania plate seen on the Buick as it was leaving Wisconsin does not appear in search logs
until the next day around noon—more than 24 hours later—when the Beaver Dam, WI, PD decides to look
it up for the first time.</p>
<p>In total, the logs show 3,466 searches for the BBR 20L and KGW 5186 plate between February 3 and
March 27. Day and Sophia were found on April 2.</p>
<p>Sophia tells police she and Day had stayed at hotels in various locations. She testifies they
abandoned the Buick near a Culver’s in Avondale, Arizona. That particular Culver’s is right between
I-10 and a Park &amp; Ride facility. It seems like a plausible location to ditch a car, and explains why
a 16-year-old from Wisconsin would recall the name “Avondale.”</p>
<p>Based on Sophia’s accounting of the overnight stays, they would have been in Arizona on or around
February 8 or 9.</p>
<p>Milwaukee-based CBS 58 reports, however, that Sarpy County Sheriff Greg London, “learned the two had
hitchhiked with a trucker after <a href="https://www.youtube.com/watch?v=rfHqQE89NV8">Day’s car broke down in Idaho</a>.”</p>
<p>The <a href="https://footnote4a.org/blog/amber-reasons/2025CF000054-amended-complaint.pdf">criminal complaint</a> itself is highly detailed. To an extent. Although email
addresses and exact times for phone calls and license plate cameras are noted, it is conspicuously
vague about how and where the car was recovered.</p>
<p>It provides Sophia’s highly detailed, plausible-sounding statement, following it up with a single,
passive sentence, “law enforcement located the vehicle near that area.” There is no mention of who
located it, when it was located, or the condition it was located in.</p>
<p>It leaves open the possibility that the vehicle was flagged by the P&amp;R owner, or, if they left it at
Culver’s or at one of the hotels, a business owner, shortly after February 8.</p>
<p>The complaint is also silent on whether the license plates were recovered with the vehicle—a strange
omission for a prosecutor who is about to argue a flight risk exists based on those same plates.</p>
<p>A similarly vague incident occurs where the complaint includes Sophia’s statement that “they stopped
at an unknown Walmart in Missouri where Gary bought food using his EBT card.”</p>
<p>It does not specify which Walmart, or whether the electronic transaction, where a fugitive used a
government-issued benefit card, triggered an alert.</p>
<p>The prosecutor uses the same passive voice when she writes, “Gary Day and [Sophia] were located in
Sarpy County, Nebraska.”</p>
<p>Omitting that it was a woman at a truck stop who called it in.</p>
<p>After Nebraska police responded, they notified Beaver Dam PD that <a href="https://www.wbay.com/2025/04/03/missing-beaver-dam-teen-sophia-franklin-found-amber-alert-canceled/">Sophia had been found on April 2,
at 11:40 PM</a> — after WISN 12 ran an item marking <a href="https://www.youtube.com/watch?v=Rr-YpIIc-9s">Sophia’s 17th birthday</a>.</p>
<p>Below are the searches of the Flock system during the nine-week manhunt.</p>
<div class="chart-placeholder" data-chart="amber-alert-searches"></div>
<div class="chart-placeholder" data-chart="amber-alert-daily"></div>
<p>They don’t tell a story of a system that is effective at locating missing children.</p>
<p>A man transported a child across state lines without her parents’ knowledge and got her pregnant.</p>
<p>While he is on probation.</p>
<p>Then, a few months later, he does the same thing <em>again</em>.</p>
<p>Flock’s system spots him <em>in a state he is not supposed to be in</em>, and <em>before he gets to
Wisconsin</em>.</p>
<p>There is no Amber alert yet, so Flock does not detect this.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>At the time Flock spots Day’s car in Missouri, he is either still wearing his ankle monitor, or he
removed it.</p>
<p>He gets to Wisconsin, to the home of someone he has a no-contact order for.</p>
<p>No-contact orders aren’t automatically placed in Flock’s system—no alert is sent.</p>
<p>His car is spotted with a different plate mere hours after he is spotted violating both the
no-contact order and his probation.</p>
<p>Not by a Flock camera, but by a DOT camera. That plate, however, is not used for lookups until more
than a day later.</p>
<p>Police effectively stop searching only days after the alert is broadcast.</p>
<p>When Sophia is ultimately found, it’s not through Flock, or any other form of digital
surveillance.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></p>
<p>Day’s ankle monitor being cut off or leaving the state could have triggered a reaction from Arkansas
probation or Wisconsin authorities on February 2—before he ever reached Sophia’s home in Beaver Dam.</p>
<p>When that monitor tripped, police could have manually placed a hotlist entry in the system.</p>
<p>The EBT transaction also could have sent police directly to a specific Walmart, where Day and Sophia
were standing at the register.</p>
<p>In the nine weeks the Amber Alert was active, billions of license plates—<a href="https://www.nbcnews.com/tech/tech-news/flock-police-cameras-scan-billions-month-sparking-protests-rcna230037">approximately forty
billion plates</a> by Flock alone—and financial transactions were entered into police
databases, on the promise that they are a “force multiplier” to find missing children like Sophia.</p>
<p>In the end, the only effective force multiplier was a woman at a truck stop in Nebraska who paid
attention to the news and the people around her.</p>
<h2>Additional Reporting</h2>
<ul>
<li><a href="https://www.jsonline.com/story/news/2025/02/05/beaver-dam-amber-alert-man-faces-felonies-in-missing-girl-case/78246544007/">https://www.jsonline.com/story/news/2025/02/05/beaver-dam-amber-alert-man-faces-felonies-in-missing-girl-case/78246544007/</a></li>
<li><a href="https://www.jsonline.com/story/news/crime/2025/02/07/amber-alert-arkansas-man-connected-to-missing-beaver-dam-wisconsin-teen-convicted-of-harming-child/78326952007/">https://www.jsonline.com/story/news/crime/2025/02/07/amber-alert-arkansas-man-connected-to-missing-beaver-dam-wisconsin-teen-convicted-of-harming-child/78326952007/</a></li>
<li><a href="https://www.wisn.com/article/beaver-dam-amber-alert-for-16-year-old-girl-extended-to-arkansas/63692596">https://www.wisn.com/article/beaver-dam-amber-alert-for-16-year-old-girl-extended-to-arkansas/63692596</a></li>
<li><a href="https://www.kare11.com/article/news/nation-world/police-continue-amber-alert-search-pregnant-wisconsin-teen/89-1d5266cb-555c-42e4-a587-eb8418c292be">https://www.kare11.com/article/news/nation-world/police-continue-amber-alert-search-pregnant-wisconsin-teen/89-1d5266cb-555c-42e4-a587-eb8418c292be</a></li>
<li><a href="https://www.youtube.com/watch?v=aOet6Sv9sb0">https://www.youtube.com/watch?v=aOet6Sv9sb0</a></li>
<li><a href="https://www.wmtv15news.com/2025/04/03/missing-beaver-dam-teenager-found-safe-after-nearly-two-months/">https://www.wmtv15news.com/2025/04/03/missing-beaver-dam-teenager-found-safe-after-nearly-two-months/</a></li>
</ul>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Southeastern Wisconsin Threat Analysis Center <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Proactive hotlisting of thousands is a constitutional rot, but reactive surveillance marketed as
a “force multiplier” is a commercial fraud. On February 2, Flock’s system silently recorded a
documented predator in Missouri, doing nothing because the paperwork of an Amber Alert hadn’t
yet caught up to the reality of the crime. Selling a dragnet on the promise of child safety,
while it functions only as a digital archive of failures, is a cynical exploitation of public
trauma to bypass privacy concerns. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>It is a virtual certainty that police obtained access to Day’s and Sophia’s electronic accounts. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[ACLU and University of Iowa Conduct Case Study in Institutional Contempt]]></title>
            <link>https://footnote4a.org/news/iowa-logs</link>
            <guid isPermaLink="false">https://footnote4a.org/news/iowa-logs</guid>
            <pubDate>Fri, 12 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Iowa agencies invent confidentiality exemptions, contradict their own legal obligations, and face zero consequences. A statewide ALPR records request exposes the system.]]></description>
            <content:encoded><![CDATA[<p>The ACLU of Iowa and the University of Iowa submitted public records requests to agencies across the
state for information on ALPR systems.
<a href="https://footnote4a.org/blog/iowa-logs/Final-Report-ALPRs-in-Iowa.pdf">View the full report here</a>. The result: predictable
denials, dubious legal assertions, and—remarkably—the first release of actual logs in Iowa.</p>
<h2>Through the Curtain</h2>
<p>The report summarizes what agencies provided:</p>
<blockquote>
<p>In total, we obtained records of 13 search logs, 4 organizational audit logs, and 15 transparency
portals. Agencies often claimed that these categories were confidential. For example, 10 agencies
claimed their search logs were confidential, 10 claimed their audit logs were confidential, and 2
nonsensically claimed their transparency portals were confidential.</p>
</blockquote>
<p>Translation for <a href="http://haveibeenflocked.com">haveibeenflocked.com</a> terminology:</p>
<ol>
<li>
<p><strong>Portal logs</strong>: Thirteen of 48 agencies provided heavily redacted portal logs containing only
user UUIDs (e.g., <code>1dde314b-b11e-4ca1-be02-c74876615f97</code>), search dates, camera counts, and
reasons.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> Agencies: Carlisle, Clinton, Clive, Coralville, Council Bluffs, Davenport, Dubuque,
Indianola, North Liberty, Story County, Urbandale, University of Iowa, West Des Moines.</p>
</li>
<li>
<p><strong>Organization audit logs</strong>:
<a href="hibf:/pd/7284-warren-county-ia-so/audit">Warren County Sheriff’s Department</a> was the only agency to
provide these.</p>
</li>
<li>
<p><strong>Network logs</strong>: Zero agencies provided these.</p>
</li>
</ol>
<p>The “transparency” portal serves its actual purpose: transparency theater. The agencies successfully
exploited information asymmetry to misrepresent compliance—even the ACLU and University of Iowa
accepted heavily redacted portal logs as legitimate disclosure and moved on.</p>
<h2>Behind the Curtain</h2>
<p>The report notes agencies “nonsensically” claimed transparency portals as confidential—only one
agency, Davenport, actually made this claim explicitly, though several claimed they didn’t maintain
the portal. This is despite the portals being accessible on the public internet and explicitly
displaying the notice: “Data is owned by [agency].”</p>
<p>Davenport’s blanket denial:</p>
<blockquote>
<p>Reference FOIA request PD-1759-2025, the items requested are confidential under Iowa state code
and are guarded under previous rulings by the Iowa Public Information Board (IPIB).</p>
</blockquote>
<p>This is lazy fabrication. Iowa law provides no confidentiality for these records. The Iowa Public
Information Board has issued no formal guidance on these items. The legal term for this response is
“making shit up”—evidenced by the complete failure to cite any actual legal basis.</p>
<p>Davenport PD’s response is a bureaucratic middle finger to the public and the law they claim to
uphold.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>Minor gripe: The Freedom of Information Act (FOIA) is federal. In Iowa, it’s the Iowa Open Records
Act, or Chapter 22. If you’re going to ignore the law’s substance, at least get its name right.</p>
<h2>How to Violate the Law Two Ways at Once</h2>
<p>Clive deserves its own section for accidentally admitting to law violations through contradictory
claims.</p>
<p>In response to the request for search logs, Clive wrote:</p>
<blockquote>
<p>The City does not maintain this type of record. Even if the City were found to maintain such a
record based on its ability to access the Flock Safety system, the information requested is
considered “intelligence data” such that it constitutes a “confidential record” that is prohibited
from disclosure pursuant to Iowa Code Section 22.7(55) and Iowa Code Chapter 692…</p>
</blockquote>
<p>This contradicts Iowa Code Chapter 692, which <em>requires</em> agencies to maintain logs.</p>
<p>Specifically, Chapter 692 mandates that for every dissemination of intelligence data, “[t]he agency
maintains a list of the agencies, organizations, or persons receiving the intelligence data and the
date and purpose of the dissemination.”</p>
<p>Clive knows this. In October 2024, it denied a request for these exact logs by asserting the same
basis for confidentiality and adding:</p>
<blockquote>
<p>The City strictly complies with its requirements under Iowa Code Chapter 22 and Iowa Code Chapter
692, and accordingly, it must respond in the negative to this request.</p>
</blockquote>
<p>By now denying it maintains
<a href="hibf:/pd/3342-clive-ia-pd/audit">the logs it claims it must keep but cannot disclose</a>, Clive admits to
violating the law—one way or another. They are either failing to create mandatory intelligence
records, or they are lying about their existence to avoid public scrutiny.</p>
<h2>Whose Law is it Anyway?</h2>
<p>These nonsensical denials obscure ongoing violations of state and federal law. Agencies routinely
disclose legally protected intelligence data, criminal justice information, and criminal history
information to commercial and government partners in violation of statutory restrictions.</p>
<p>This falls under the purview of the Iowa Public Information Board and the Iowa Department of Public
Safety. Neither has shown any inclination to enforce compliance, so agencies fabricate legal
justifications to deny public access to records.</p>
<p>If a member of the public attempts to complain, the Iowa Public Information Board sends this notice:</p>
<blockquote>
<p>The IPIB normally allows brief (under five minutes) comments from the parties. If you wish to
speak at the meeting, please reply to this email and indicate your agreement to this statement:</p>
<p><strong>__</strong> I want to address the Board and respond to any questions Board members may have when the
initial processing of this complaint is considered. In the event this complaint proceeds to a
contested case, I waive any objection that I might have concerning personal investigation of this
complaint by a Board member.</p>
</blockquote>
<p>The waiver pairs well with this email from Clive’s city attorney to IPIB director Erika
Eckley,<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup> after Eckley refused to investigate a complaint about Clive’s false assertion of
confidentiality:</p>
<p><img src="https://footnote4a.org/blog/iowa-logs/stanger.png" alt="Email reading &quot;Thank you Ericka[sic]. Nice job on this one =)&quot;"></p>
<p>Welcome to Iowa, where the exemptions are made up and the law doesn’t matter.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Most responses appear to predate Flock’s recent portal redactions, so this information may no
longer be available. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>For context: Davenport, Scott County, the Iowa Department of Public Safety, and the Iowa Public
Information Board have spent years blocking the release of inspection and investigation reports
after an
<a href="https://www.thegazette.com/news/building-collapse-police-report-still-not-public-as-iowa-public-information-board-declines-to-rule/">apartment building collapse killed several people</a>.
Strong evidence suggests the city knew about the problems but failed to prevent the deaths. The
families still don’t get answers. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Now director of the Iowa Ethics and Campaign Disclosure Board. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[AMBER Alert: Santa Cruz Logs (Update: Logs Still Missing, Presumed Dead)]]></title>
            <link>https://footnote4a.org/news/august-2025-drop</link>
            <guid isPermaLink="false">https://footnote4a.org/news/august-2025-drop</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Have you seen this search log? 80% of Santa Cruz's logs disappear without a trace, and are presumed dead.]]></description>
            <content:encoded><![CDATA[<p>In the <a href="https://footnote4a.org/news/santa-cruz-ca">Santa Cruz data import post</a>, I noted a precipitous drop in search
volume starting in August 2025. The data showed a 75% decline that month, with further decreases
immediately following.</p>
<div class="chart-placeholder" data-chart="santa-cruz-monthly"></div>
<p>Looking into this further raises more questions than it answers.</p>
<h2>The Setup</h2>
<p>On August 8, 2025, Santa Cruz PD search traffic plummeted, yet the number of agencies conducting
searches remained roughly the same.</p>
<p>As a <a href="hibf:/about/search-types">quick refresher</a>, according to Flock documentation, the primary tools in
the system are:</p>
<ul>
<li><strong>Lookup:</strong> A state- or nationwide “text-only” full license plate query to obtain a 1, 7, or
30-day history.</li>
<li><strong>Search:</strong> A query to find full or partial plates, filter by car model/make, or spot bumper
stickers on networks with <a href="hibf:/sharing">reciprocal footage sharing enabled</a>.</li>
</ul>
<p>Agencies that shared footage with Santa Cruz continued searching via “portal” queries, but statewide
reciprocal access via “network” queries stopped abruptly (or appeared to).</p>
<p>The new, much shorter list of agencies Santa Cruz shares data with is seemingly standard.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<details>
<summary><strong>Click to view the full list of agencies (Warning: Long)</strong></summary>
<div class="columns-4 text-sm">
San Jose State University CA<br>
Albany CA PD<br>
Alhambra CA PD<br>
Anaheim CA PD<br>
Angels Camp CA PD<br>
Antioch CA PD<br>
Arcadia CA PD<br>
Atwater CA PD<br>
Auburn CA PD<br>
Avenal CA PD<br>
Azusa CA PD<br>
Bakersfield CA PD<br>
Baldwin Park CA PD<br>
Barstow CA PD<br>
Bear Valley Springs CA PD<br>
Beaumont CA PD<br>
Bell CA PD<br>
Bell Gardens CA PD<br>
Belmont CA PD<br>
Belvedere CA PD<br>
Benicia CA PD<br>
Beverly Hills CA PD<br>
Bishop CA PD<br>
Blue Lake Rancheria Tribal PD<br>
Brawley CA PD<br>
Brentwood CA PD<br>
Brisbane CA PD<br>
Buena Park CA PD<br>
Burbank CA PD<br>
Burlingame CA PD<br>
Butte County CA SO<br>
CA Iipay Nation of Santa Ysabel<br>
Cal Fire<br>
Cal State Fullerton (CA)<br>
Calexico CA PD<br>
California Department of Corrections<br>
California Department of Fish & Wildlife (CA)<br>
California Highway Patrol<br>
California State Parks<br>
California State University Long Beach Campus PD<br>
Calistoga CA PD<br>
Campbell CA PD<br>
Capitola CA PD<br>
Carmel CA PD<br>
Cathedral City CA PD<br>
Central Marin CA PD<br>
Cerritos College CA PD<br>
Chino CA PD<br>
Chula Vista CA PD<br>
Citrus Heights CA PD<br>
City of Lemoore CA<br>
City of Riverside CA PD<br>
Clayton CA PD<br>
Clearlake CA PD<br>
Cloverdale CA PD<br>
Colma CA PD<br>
Colton CA PD<br>
Colusa CA PD<br>
Concord CA PD<br>
Contra Costa County CA SO<br>
Corcoran CA PD<br>
Corona CA PD<br>
Coronado CA PD<br>
Costa Mesa CA PD<br>
Cotati CA PD<br>
Culver City CA PD<br>
Cypress CA PD<br>
Danville CA PD<br>
Del Norte County CA SO<br>
Delano CA PD<br>
Desert Hot Springs CA PD<br>
Dinuba CA PD<br>
Dixon CA PD<br>
Downey PD CA<br>
Dublin CA PD (ACSO)<br>
East Bay Parks CA PD<br>
East Palo Alto CA PD<br>
El Centro CA PD<br>
El Cerrito CA PD<br>
El Dorado County CA SO<br>
El Monte CA PD<br>
El Segundo CA PD<br>
Elk Grove CA PD<br>
Emeryville CA PD<br>
Escalon CA PD<br>
Escondido CA PD<br>
Fairfield CA PD<br>
Folsom CA PD<br>
Fontana CA PD<br>
Foothill-DeAnza CA PD<br>
Fort Bragg CA PD<br>
Foster City CA PD<br>
Fountain Valley CA PD<br>
Fowler CA PD<br>
Fremont CA PD<br>
Fresno CA PD<br>
Fullerton CA PD<br>
Galt CA PD<br>
Garden Grove CA PD<br>
Gilroy CA PD<br>
Glendora (CA) PD<br>
Grass Valley CA PD<br>
Greenfield CA PD<br>
Gustine PD CA<br>
Hanford CA PD<br>
Hercules CA PD<br>
Hermosa Beach PD CA<br>
Hillsborough CA PD<br>
Hollister CA PD<br>
Humboldt County CA SO<br>
Imperial City CA PD<br>
Imperial County CA SO<br>
Indio CA PD<br>
Irvine CA PD<br>
Irwindale CA PD<br>
Kern County CA SO<br>
Kings County CA DAs Office<br>
Kings County Sheriff's Office CA<br>
Kingsburg CA PD<br>
La Habra CA PD<br>
La Mesa CA PD<br>
La Verne CA PD<br>
Laguna Beach CA PD<br>
Lake County CA SO<br>
Lakeport CA PD<br>
Lancaster CA PD<br>
Lathrop CA PD<br>
Lincoln CA PD<br>
Livermore CA PD<br>
Livingston CA PD<br>
Lodi CA PD<br>
Lompoc CA PD<br>
Los Alamitos PD CA<br>
Los Altos CA PD<br>
Los Angeles CA PD<br>
Los Angeles County CA SD<br>
Los Angeles Port Police CA<br>
Madera CA PD<br>
Madera County SO CA<br>
Manteca CA PD<br>
Marin County CA DA<br>
Marin County CA SO<br>
Marina CA PD<br>
McFarland CA PD<br>
Mendocino County SO-CA<br>
Mendota CA PD<br>
Menifee CA PD<br>
Menlo Park CA PD<br>
Merced County CA SO<br>
Mill Valley CA PD<br>
Milpitas CA PD<br>
Modoc County CA SO<br>
Montclair CA PD<br>
Monterey CA PD<br>
Monterey County CA SO<br>
Monterey County District Attorney's Office<br>
Monterey Park CA PD<br>
Moraga CA PD<br>
Morgan Hill CA PD<br>
Mountain View CA PD (Santa Clara County)<br>
Murrieta CA PD<br>
Napa CA PD<br>
Napa County CA SO<br>
National City CA PD<br>
NCRIC<br>
Nevada County CA SO<br>
Newark CA PD<br>
Newport Beach PD CA<br>
Novato CA PD<br>
Oakland CA PD<br>
Oakley CA PD<br>
Oceanside CA PD<br>
Ontario CA PD<br>
Orange CA PD<br>
Orange County (CA) DA Office<br>
Orange County Fire Authority (CA)<br>
Orange County SO CA<br>
Oxnard CA PD<br>
Pacific Grove CA PD<br>
Pacifica CA PD<br>
Palm Springs CA PD<br>
Palo Alto CA PD<br>
Pasadena CA PD<br>
Petaluma CA PD<br>
Placentia CA PD<br>
Placer County CA DA Office<br>
Placer County CA SO<br>
Pleasant Hill CA PD<br>
Pleasanton CA PD<br>
Port of Stockton CA PD<br>
Porterville CA PD<br>
Redding PD - CA<br>
Redondo Beach CA PD<br>
Redwood City CA PD<br>
Reedley CA PD<br>
Rialto PD CA<br>
Ridgecrest CA PD<br>
Rio Hondo College PD CA<br>
Rio Vista CA PD<br>
RIV CO ARSON TF CA PD<br>
Riverside County CA District Attorney<br>
Riverside County CA SO<br>
Rocklin CA PD<br>
Rohnert Park Department of Public Safety (CA)<br>
Round Valley Indian Tribes CA<br>
Sacramento CA DA<br>
Sacramento CA PD<br>
Salinas CA PD<br>
San Benito County SO CA<br>
San Bernardino CA PD<br>
San Bernardino Community College CA PD<br>
San Bernardino County CA SO<br>
San Bruno CA PD<br>
San Diego CA PD<br>
San Diego County CA SD<br>
San Diego Harbor CA PD<br>
San Fernando CA PD<br>
San Francisco CA PD<br>
San Francisco District Attorney CA<br>
San Gabriel CA PD<br>
San Joaquin CA DA<br>
San Joaquin County CA SO<br>
San Joaquin Delta College PD (CA)<br>
San Jose - Evergreen Community College Campus PD CA<br>
San Jose CA PD<br>
San Leandro CA PD<br>
San Luis Obispo CA PD<br>
San Luis Obispo County (CA) Sheriff<br>
San Mateo CA PD<br>
San Mateo County CA SO<br>
San Pablo CA PD<br>
San Pasqual CA PD<br>
San Rafael CA PD<br>
Santa Ana CA PD<br>
Santa Barbara County CA SO<br>
Santa Clara CA PD<br>
Santa Monica CA PD<br>
Santa Rosa CA PD<br>
Sausalito CA PD<br>
Seal Beach CA PD<br>
Seaside CA PD<br>
Selma CA PD<br>
Sequoias Community College District CA PD<br>
Shafter PD CA<br>
Signal Hill CA PD<br>
Simi Valley CA PD<br>
Soledad CA PD<br>
Sonoma County CA SO<br>
South Gate CA PD<br>
South Pasadena CA PD<br>
Stallion Springs CA PD<br>
Stanford University CA PD<br>
Stockton CA PD<br>
Suisun City CA PD<br>
Sunnyvale CA PD<br>
Sutter County CA SO<br>
Taft CA PD<br>
Tehachapi CA PD<br>
Tehama County CA SO<br>
Tiburon CA PD<br>
Town of Los Gatos CA<br>
Tracy CA PD<br>
Trinity County SO CA<br>
Truckee CA PD<br>
Tulare CA PD<br>
Tulare County CA SO<br>
Turlock CA PD<br>
Tustin CA PD<br>
Ukiah CA PD<br>
Union City CA PD<br>
University of California<br>
Berkeley<br>
University of the Pacific (CA)<br>
Upland CA PD<br>
Vacaville CA PD<br>
Vallejo CA PD<br>
Ventura CA PD<br>
Ventura County CA SO<br>
Ventura County District Attorney's Office CA<br>
Visalia CA PD<br>
Watsonville CA PD<br>
West Covina CA PD<br>
West Valley Mission College Dist Campus (CA)<br>
Westminster CA PD<br>
Wheatland CA PD<br>
Whittier CA PD<br>
Williams CA PD<br>
Willits CA PD<br>
Winters CA PD<br>
Woodlake CA PD<br>
Woodland CA PD<br>
Yolo County CA SO<br>
Yuba City CA PD<br>
Yuba County Sheriffs Office<br>
</div>
</details>
<h2>The Missing Searches</h2>
<p>The weekly view shows the longer-term trend across nearly a year of data:</p>
<div class="chart-placeholder" data-chart="santa-cruz-weekly-lookup-search"></div>
<p>At the beginning of the year, as discussed in <a href="https://footnote4a.org/news/santa-cruz-ca">the previous post</a>, Santa
Cruz—like many other agencies—still permitted the national free-for-all. When Santa Cruz restricted
nationwide sharing, ‘Lookup’ tool usage dropped, and ‘Search’ became dominant.</p>
<p>In July, however, ‘Lookup’ tool usage briefly returned to approximately pre-March levels. Before
July 11, search queries sat at 7k–15k/day. Then, ‘Lookup’ queries spiked dramatically up to 20k/day,
while ‘Search’ plummeted.</p>
<p>On August 8, ‘Lookup’ queries crashed to near-zero while ‘Search’ continued at its reduced level.</p>
<p>The number of organizations with access and the number of devices searched remained stable
throughout this period. Yet, ‘Lookup’ searches across all organizations spiked by ~400–500% in July,
while the overall volume of searches remained stable.</p>
<p>I compared the numbers from 81 California agencies publishing logs via transparency portals.</p>
<div class="chart-placeholder" data-chart="netportal-weekly"></div>
<p>One of these things is not like the others. The chart above shows all queries of &gt;10,000 devices
(i.e., those that are presumably statewide searches). It shows that the number of organizations
shown in Santa Cruz’s log files drops from approximately 250 to 200, but remains largely stable at a
number consistent with California.</p>
<p>The number of searches from the 81 transparency portals remains stable at around 5,000. This stands
in stark contrast to the 4–5x decrease in “traffic” that simultaneously occurs in Santa Cruz’s
network logs.</p>
<h2>Update: Capitola, CA</h2>
<p>For my fellow Midwesterners: Capitola is a suburb of Santa Cruz and, apparently, California’s oldest
beach resort town.</p>
<p>Although the complete import is still running (sadly <a href="https://footnote4a.org/news/secret-searches">without reasons</a>), a
preliminary analysis of the raw data shows a pattern that’s strikingly similar<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> to Santa
Cruz’s:</p>
<div class="chart-placeholder" data-chart="capitola-monthly"></div>
<div class="chart-placeholder" data-chart="capitola-weekly-lookup-search"></div>
<p>It shows the same high (out-of-state) volume prior to February, then a drop, an inversion of Lookup
and Search in July 2025, and then a cliff, with nearly identical volumes across the board.</p>
<div class="chart-placeholder" data-chart="capitola-weekly"></div>
<p>Because the cities are so close, it’s theoretically possible that there is some degree of
coordination or even collusion regarding log file release, but that seems highly unlikely for a
number of reasons.</p>
<h3>The July Timeframe Anomaly</h3>
<p>The “Lookup” tool is documented as supporting only 1, 7, or 30-day timeframes via a dropdown
selector. Non-California data confirms this: in Lynnwood, WA, 98.8% of lookups use standard
timeframes. The remaining variance comes from undocumented options<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup> (6h, 12h, 14d) and sketchy
“month ago” logic that seems to sometimes yield 31 days instead of 30.</p>
<div class="chart-placeholder" data-chart="lookup-timeframe"></div>
<p>The chart above shows the weekly timeframe compliance rate. Before July, 96–98% of lookups use
standard timeframes (green).<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup> Starting July 7, compliance drops to ~75% as ~25% of “Lookups”
suddenly have impossible timeframes: 105 days, 121 days, even 365+ days.<sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup></p>
<p>This strongly suggests the July “inversion” (where Lookup suddenly spiked and Search dropped) is
actually a misclassification: searches that should be labeled “Search” (1:1, flexible timeframes)
were incorrectly labeled as “Lookup” (statewide, 1/7/30-day only).<sup class="footnote-ref"><a href="#footnote6">[6]</a><a class="footnote-anchor" id="footnote-ref6"></a></sup></p>
<h3>The August Cliff as Correction Attempt</h3>
<p>If the July inversion was a misclassification bug, the August 8 cliff may have been a botched
attempt to fix it.</p>
<p>If the fix had been surgical—un-“flipping” the classifications—we’d expect the charts above to
continue showing the same ~100–120k weekly overall volume, but with the blue and orange bars flipped
back to their pre-July configuration.</p>
<p>Instead, “Search” volume remained roughly on par with the pre-July “Lookup” volume, while Lookups
dropped by 98%<sup class="footnote-ref"><a href="#footnote4">[4:1]</a><a class="footnote-anchor" id="footnote-ref4:1"></a></sup>. The top Lookup users (CHP, Riverside County, and Orange County) essentially
stopped appearing in the network audit logs.</p>
<p>In fact, 175 organizations disappeared from the “Lookup” logs completely, even though most of them
remained in the “Search” logs.</p>
<h2>What This Means</h2>
<p>The pattern is consistent with a ham-fisted correction attempt that, instead of fixing July’s
Search–Lookup inversion, dropped all real Lookup tool usage from the network audit log.</p>
<p>We don’t have the most recent data, but given that the original problem started 4–5 months ago, it’s
entirely possible that this situation persists today, and the state of California is not logging
statewide searches.</p>
<p>This tracks with previous observations: Flock does not invest in QA, and police don’t audit the
logs.</p>
<p>Based on my years in the tech industry, I would classify this as a legit five-alarm fire. Once an
issue this serious—with the potential for liability and severe effects on the criminal justice
system and civil liberties—is discovered, nobody is going home until it’s fixed.<sup class="footnote-ref"><a href="#footnote7">[7]</a><a class="footnote-anchor" id="footnote-ref7"></a></sup></p>
<p>That’s not what happened with Flock in California.</p>
<p>Either Flock has ignored reports of this problem, or, in the entire state of California, not a
single police officer responsible for overseeing these systems has noticed that “their” logs got
187’d by their own vendor.</p>
<p>Neither situation is a great look.</p>
<p>Think of that next time you hear “we control the data” and “we audit the system.”</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>According to the <a href="https://transparency.flocksafety.com/santa-cruz-ca-pd">Santa Cruz Transparency Portal</a>, as of December 9, 2025. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>The lack of reasons and license plates makes it impossible to compare the datasets properly, but
Capitola shows 4.4% more lookups and 5.3% more searches over the same period; these are actually
distinct datasets. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>The most recent user guide I have is from 2023. None of the agencies I have sent open records
requests to have had documentation about the system. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>While unacceptable for most purposes, 97% accuracy on basic accountability is pretty good for
Flock. <a href="#footnote-ref4" class="footnote-backref">↩︎</a> <a href="#footnote-ref4:1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>An alternative or supplementary explanation is that Flock quietly increased the periods police
can search, sidestepping democratic oversight. <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote6" class="footnote-item"><p>There is some evidence to suggest that this sudden inversion affected the entire Flock network,
not just California. It also appears like it may coincides with a massive, across-the-board
increase in (logged) search volume. There is insufficient data available at this time to draw
complete conclusions. <a href="hibf:/about/audit-logs">Help us out: get more logs</a>! <a href="#footnote-ref6" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote7" class="footnote-item"><p>Or at least put back together enough with duct tape to implement a real fix the next day. <a href="#footnote-ref7" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[Secret Searches]]></title>
            <link>https://footnote4a.org/news/secret-searches</link>
            <guid isPermaLink="false">https://footnote4a.org/news/secret-searches</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Not all audit data is created equal. Some agencies release complete records; others redact key information. Here's how to understand what you're seeing.]]></description>
            <content:encoded><![CDATA[<p>When you search for a license plate on <a href="http://haveibeenflocked.com">haveibeenflocked.com</a>, you might notice some records have
complete information—the operator’s name, the reason for the search, the case number—while others
show placeholder text or black boxes.</p>
<p>You may also have noticed what appear to be duplicate searches, or higher numbers of searches than
you might expect. This isn’t a bug. It’s a reflection of the accuracy of the logs, and of how
different agencies handle their audit data before releasing it.</p>
<p>This post explains why information is missing, how we handle duplicates, and how to interpret what
you see. For agency-specific details, check the <a href="hibf:/sources">source statistics page</a>.</p>
<h2>Why Is Information Missing?</h2>
<p>There are two distinct reasons you might see incomplete data: source redactions, where agencies
redact information before its release, or redactions by the <a href="http://haveibeenflocked.com">haveibeenflocked.com</a> website. This post
discusses the former; for details on the latter, see
<a href="hibf:/about/redactions">the “about redaction” page</a>.</p>
<h3>Source Redactions: Flock</h3>
<p>Flock audit logs are partially redacted or obscured by default. Full names of operators are included
only in “organizational audit logs.” Those are only accessible to the operator’s agency. Names of
operators from other agencies searching the data are obscured; the “network audit log” only shows
abbreviated names like “J. Smi.”</p>
<p>Sometimes the “Smi” in “J. Smi” is a middle name, sometimes it isn’t. Sometimes it’s “S. Joh.” Some
agencies are staffed entirely by mononymic <a href="hibf:/pd/8565-ncric/audit">&quot;a&quot;s and &quot;j&quot;s</a> who appear to be on
the clock 24/7. Others are staffed by people like “<a href="hibf:/search?q=b.+47">B. 478</a>” who do a lot of “inv”
work.</p>
<p>Whether this is a deliberate choice because agencies don’t trust each other with their employees’
names, a way to create a degree of plausible deniability, or simply a terrible technical design
choice is unclear. What is clear is that none of Flock’s customers appear to consider it an issue
that there is no way to determine who the “a” or “b” is that’s looking up location histories. They
find that “inv” is a good enough reason to disclose detailed location histories, regardless of “a”'s
identity.</p>
<p>In transparency portals, Flock goes even further. By default, it omits operator names, case numbers,
search timeframes, search types, filters, and text prompts. There is no way to tell whether your
local agency is doing <a href="https://www.govtech.com/biz/flock-safety-gives-users-expanded-vehicle-location-abilities">convoy analysis</a>, whether it’s pulling long-term location histories
based on bumper stickers, or whether it’s looking for people wearing a <a href="hibf:/moderation-logs">red shirt</a>.</p>
<p>Flock and its customers consider this lack of transparency a feature; one the company recently
expanded because
“<a href="burden-of-compliance">the burden of compliance shouldn’t stand in the way of public safety</a>.”</p>
<h3>Source Redactions: Agencies</h3>
<p>When agencies address city councils or the public in general, invariably there are no privacy
concerns in relation to bulk collection and sharing of license plates. Flock also claims not to
handle PII, a false statement that agencies are happy to parrot. Agencies have no issue with
<a href="https://footnote4a.org/news/overseas-data">shipping all of this information overseas</a>, <a href="https://gainsec.com/2025/11/05/formalizing-my-flock-safety-security-research/">placing it in a system with
gaping security holes</a>, or even with
<a href="https://footnote4a.org/news/dupage-county">Flock publishing details on murder investigations, including the victim’s Gmail password</a>.</p>
<p>When a citizen requests that same data, however, it tends to be confidential. In those instances
where audit logs are disclosed, they are often disclosed with the columns for “sensitive
information” (like license plates), PII (like operator names), and criminal justice information
(like search reasons and case numbers) removed.</p>
<p>It leaves a log that, at best, informs you that someone did something at some time for some reason.</p>
<p><a href="https://footnote4a.org/news/august-2025-drop">Well</a>, <a href="hibf:/irregular-records">maybe</a>.</p>
<p>This is what oversight and transparency looks like to police.</p>
<h2>Working With Duplicate Information</h2>
<p>This is the ideal scenario. Agency A releases a network audit for the month of August, and it
perfectly matches the audit released by Agency B. This happens sometimes.</p>
<p>Whenever we import a record, we create a fingerprint for that record<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup>. If a future import
generates the same fingerprint, we don’t store the record again, only the fact that it’s available
from more than source. Whenever you see “2(+) sources” in a result, that’s what happened.</p>
<p>For every search of the national network, you would expect that search to show up in every
participating agency’s network.</p>
<p>That’s what Flock claims, and that’s what haveibeenflocked’s system was designed to accommodate.</p>
<p>As it turns out, that was an overly optimistic design choice.</p>
<p>Selecting June 2025 as an example:</p>
<ul>
<li>There are 1,907,643 unique searches/fingerprints for that month<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></li>
<li>We have multiple sources that cover that month.</li>
<li>The most records in a single source is 382,998.</li>
</ul>
<p>This means that either:</p>
<ul>
<li>No single source shows all the searches on the national network.</li>
<li>Sources show different information about the same searches.</li>
</ul>
<p>Both appear to be true.</p>
<h2>Missing Information</h2>
<p>When a search record for a national search is completely missing, it either means that the
“national” search wasn’t actually national (which may lead to false negatives in investigations), or
<a href="https://footnote4a.org/news/august-2025-drop">not all searches are logged</a>.</p>
<p>While philosophically we may struggle to reconcile this with the idea of responsible use of the
system, technically it is easy to deal with: we simply detect the unique fingerprint and add the
record as a search. B.'s your uncle.</p>
<p>But partial records are where it gets trickier. Because our fingerprint is based on the exact text
of the record, changing even one letter changes the fingerprint. This is the technically sound way
to treat audit records: any tampering is guaranteed to be immediately evident.</p>
<p>But, when Agency A reports a search with the reason “Investigation,” and Agency B redacts that
reason to “Inv” or blanks it out completely, our system sees two mathematically distinct
fingerprints. It treats them as two separate searches, even though they likely represent the same
event.</p>
<h2>Contradictory Information</h2>
<p>At the same time, we regularly see searches that are
<a href="hibf:/irregular-records">logged differently between different organizations</a>.</p>
<p>These variations and irregularities range from small changes in organization names (“University of
Iowa PD IA” vs. “University of Iowa (IA) PD”), to completely different organizations or operators.</p>
<p>It’s critical to understand that this is the same data Flock and its customers claim is permanent,
immutable and provides the information suitable to perform audits. It’s the exact same information
your local police department uses for its audits, and the exact same information available to third
party auditors (if such a thing exists).</p>
<p>If Flock used a system to prevent tampering and guarantee their authenticity, something which is
standard when dealing with secure audit logs, even small variations in logs would not be possible.</p>
<p>Those types of systems are standard. Literally. ISO 27001 and SOC 2—both standards Flock claims it
complies with—require audit logs to be protected against tampering to ensure integrity and
accuracy.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></p>
<p>The logical conclusion, that Flock’s lack of controls permits data errors, deliberate obfuscations,
technical issues, or conversion problems, is off the table. Flock and police have told thousands of
elected officials across the country, as well as the general public, that these audit logs are a
complete and reliable method for oversight and accountability, and that they fully comply with ISO
27001 and SOC 2.</p>
<p>Because HIBF can’t audit Flock’s systems to show otherwise, and agencies tasked with oversight
don’t, we have to assume that Flock and police are not lying to the public about these records, or
falsely purporting them to be more accurate or fit for purpose than they actually are.</p>
<p>So, as contradictory as it might appear to you and me, if Flock says that the exact same plate was
searched for by two different people, working for two different agencies, in two different states,
using the exact same case number, the evidence we have <em>forces us to conclude</em> that’s what happened.</p>
<h2>The Choice</h2>
<p>So then, how do we handle this? This is a choice.</p>
<p>We can:</p>
<ol>
<li>Discard the record entirely.</li>
<li>Try to figure out if it’s a duplicate, based on available information—a task that is already
virtually impossible even <em>without</em> redactions due to the unreliability of the data.</li>
<li>Assume that the information shows what the agency purports it to show: someone did something at
some time for some reason.</li>
</ol>
<p>There are arguments to be made for each option.</p>
<p>To maximize the utility of available data—even when those data are limited—we rejected option 1.</p>
<p>To minimize the chance of introducing additional errors, we did not select option 2.</p>
<p>Leaving option 3: present the data as-is, treating it as a new search because it could be.</p>
<h2>The Problem</h2>
<p>The problem with that choice is that it can, and does, lead to both over- and underreporting.</p>
<p>But redacted data is still valuable. Even when agencies hide operator names or reasons, the record
proves that surveillance occurred—a specific vehicle was searched at a specific time by a specific
organization.</p>
<p>When a license plate is hidden, we may not see stalking, but the reason may indicate improper
access. When a case number is missing, we know the agency is uninterested in relating searches to
legitimate investigations.</p>
<p>Agencies committed to transparency would not stand for Flock’s baked-in redactions, but would also
disclose the remainder.</p>
<h2>The Solution</h2>
<p>We preserve and display what’s available while being transparent about gaps and limitations.</p>
<p>Check the <a href="hibf:/sources">source statistics page</a> to see which agencies provide complete data and which
choose to redact key fields.</p>
<p>Without complete information, haveibeenflocked or its users will be inclined
<a href="https://footnote4a.org/news/flock-infer">to infer the missing data</a>.</p>
<p>We strongly encourage agencies to tell their side of the story by disclosing complete records.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Technically, an MD5 hash of the complete record. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Based on &gt;50,000 devices searched. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>ISO27k1 control A.12.4.2 in ISO27001 (“Logging facilities and log information shall be protected
against tampering and unauthorized access.”); SOC.2 CC7.2 (Processing Integrity) (“must
implement controls to ensure the completeness, accuracy, and validity of data.”) <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA[The Memory Hole: Flock's Three-Step Plan to Kill Transparency]]></title>
            <link>https://footnote4a.org/news/revised-edition</link>
            <guid isPermaLink="false">https://footnote4a.org/news/revised-edition</guid>
            <pubDate>Fri, 14 Nov 2025 09:00:00 GMT</pubDate>
            <description><![CDATA[Flock removes device counts, blocks transparency tools, and disables Wayback Machine archiving. Their three-step plan to eliminate oversight.]]></description>
            <content:encoded><![CDATA[<p>Earlier this week, I wrote about Flock’s new anti-transparency push, and its efforts to combat what
it calls “<a href="burden-of-compliance">the burden of compliance</a>.” Flock has doubled down by removing device counts from
public audit logs, blocking external transparency tools, and disabling archival of its pages on
<a href="http://archive.org">archive.org</a>’s <a href="https://web.archive.org/">Wayback Machine</a>.</p>
<p>Through incorporation by reference of its website, Flock maintains a significant part of its
customer contract in a place that only it can modify:</p>
<p><img src="https://footnote4a.org/blog/record-straight/reinstall.png" alt="Reinstall Fee Schedule" width="500"></p>
<p>The reinstall fee schedule contains prices for things like “Camera replacement as a result of
vandalism, theft, or damage” and “Replacement Cable(s).”</p>
<p>It’s worth noting that Flock maintains full ownership and control of the cameras. The reinstall fee
schedule is essentially an insurance policy, underwritten by the customer, for which Flock can set
the terms and coverage schedule on its website.</p>
<p>I have written on modifying “attachments” to the contract before in a legal brief:<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup><sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<blockquote>
<p>Adding, changing, or removing an entry in the Deployment Plan creates significant contractual
obligations for [Flock’s customer], including, without limitation, providing electrical power and
permits, ensuring legal compliance, paying all applicable taxes, and “any other services performed
[by] Flock in connection with the installation of the Hardware.”</p>
<p>…</p>
<p>The Agreement, Deployment Plan, and Reinstall Fee Schedule combined create an instrument
expressing offer, acceptance, consideration, and assent, representing significant governmental
interest and functional ownership, expressly incorporated into the main agreement document.</p>
</blockquote>
<p>It is clearly wildly irresponsible for governments to agree to contractual terms that can be
unilaterally modified, without notice, by its vendor; including when those terms are published on a
vendor-managed website.</p>
<p>But they do. <em>En masse</em>.</p>
<p>Even worse, governments have argued<sup class="footnote-ref"><a href="#footnote2">[2:1]</a><a class="footnote-anchor" id="footnote-ref2:1"></a></sup> that by storing a contract on a vendor’s website in this
way, it becomes exempt from open records laws:</p>
<p><img src="https://footnote4a.org/blog/record-straight/reinstall-possess.png" alt="No possession of deployment plan or reinstall fee schedule" width="600"></p>
<p>When customers don’t save the terms of the contracts they sign, the only way for them, and the
public, to access the terms at the time of signing is through tools like the <a href="https://web.archive.org/">Wayback
Machine</a>.</p>
<p>When they are incorporated by reference into government contracts, vendor websites become part of
the public record. Altering, destroying, or removing items in the public record is a crime in many
jurisdictions.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></p>
<p>And, even more importantly: secret contracts run counter to just about every principle of
transparency in government. They are a path leading directly to corruption and violations of rights.</p>
<p>Hiding contracts is one prong of Flock’s three-step assault. It has banned <a href="https://eyesonflock.com">EyesOnFlock</a> from
accessing transparency portal information. Like this site, <a href="https://eyesonflock.com">EyesOnFlock</a> downloads log files from
public transparency portals to aggregate information and offer it to the public in an
easy-to-consume, and, above all, immutable<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup> format.</p>
<p>The portals are publicly posted on the internet, where there is no expectation of privacy; as such,
one would expect that private entities gathering and distributing portal information in bulk would
not be a concern for the company.</p>
<p>But, even when able to access the portals, the audit logs posted there<sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup> contain severely
limited information.</p>
<p>In school, we are taught the 5 W’s that are needed to tell a story or describe an event. This is
what that looks like for Flock:</p>
<ul>
<li><em>“Who?”</em> This is answered with a UUID (e.g. <code>f3af60c5-f4e1-4c50-af64-cb1bbdbf5acf</code>).</li>
<li><em>“When?”</em> A time, without a timezone, is Flock’s answer.</li>
<li><em>“What?”</em> No search terms (license plate, text prompt, or filters) are ever included.</li>
<li><em>“Where?”</em> No <a href="hibf:/about/search-types">search type</a> is included. The device count has now been set to 0. It is
<a href="https://footnote4a.org/news/flock-infer">impossible to infer</a> if the search was local, statewide, or nationwide.</li>
<li><em>“Why?”</em> With Flock’s new feature rollout, agencies can, and do, <a href="burden-of-compliance">redact reasons and case
numbers</a>.</li>
</ul>
<p>And, finally, Flock’s blocking of the <a href="https://web.archive.org/">Wayback Machine</a> is not limited to portals and
contract terms. It also blocks its prior statements:</p>
<p><img src="https://footnote4a.org/blog/record-straight/excluded.png" alt="&quot;Setting the record straight&quot; exclusion" width="700"></p>
<p>That in itself is evidence enough that the company wants to revise history and control the
narrative.</p>
<p>The company actively develops features to remove information from public logs, and pro-actively
works to remove its statements, logs, and even contractual terms from public view.</p>
<p>By actively concealing information about government contracts and activities from the public, the
company is not only plausibly violating the law, it prevents the residents who are being watched by
its cameras and judged by its AI algorithms from participating in the local decision-making process
that it (implausibly) claims to value.</p>
<p>Flock is not the passive agent operating in the shadow of government that it claims to be.</p>
<p>It actively manufactures the shadows.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Back when the contract explictly incorporated the Deployment Plan, before Flock changed it to
the vague “attachment.” <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>The Iowa Public Information Board agrees that vendor-maintained contracts should be secret, and
is currently defending that position before the Iowa Court of Appeals (case 24-2039). <a href="#footnote-ref2" class="footnote-backref">↩︎</a> <a href="#footnote-ref2:1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>In Arizona, for example, “conceal[ing], remov[ing] or otherwise impair[ing] the
availability of any public record” is a class 6 felony that can result in prison sentences of
over five years. [Correction 3/12/2026: presumptive sentence of 1 year, maximum of 2 years; 5.75
years with prior felonies under aggravated sentencing]. Ariz. Rev. Stat. Ann. § 13-2407 (2024) <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>By Flock. <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>By, as far as we know, less than 300 (around 5%) of active agencies. <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
        <item>
            <title><![CDATA["The Burden of Compliance Shouldn't Stand in the Way of Public Safety"]]></title>
            <link>https://footnote4a.org/news/burden-of-compliance</link>
            <guid isPermaLink="false">https://footnote4a.org/news/burden-of-compliance</guid>
            <pubDate>Tue, 11 Nov 2025 13:40:00 GMT</pubDate>
            <description><![CDATA[Flock launches anti-oversight campaign as audit logs expose questionable agency actions. The company blocked transparency tools hours after publication.]]></description>
            <content:encoded><![CDATA[<p>Just as audit logs are beginning to lead to oversight and surface questionable agency actions and
potential violations of law, Flock has now moved to curb that oversight by implementing new features
to reduce transparancy and limit oversight.</p>
<p class="bg-amber-400/10 p-2 pl-4 mr-20 border-l-4 border-amber-500 rounded-lg"><em>Update</em>: A few hours after this article was published, Flock appears to have blocked
pro-transparency site <a href="https://eyesonflock.com">EyesOnFlock</a> from accessing Flock Transparency
Portals.</p>
<p>In 2021, when the company launched its first transparency portal, it wrote:</p>
<blockquote>
<p>“We place privacy, transparency, and bias mitigation at the forefront of our product development,
and are constantly engineering new features that encourage and align with our ethical principles.&quot;
— Matt Feury, CTO Flock Safety, <em>Flock Safety and Piedmont Police Launch First-Ever LPR
Transparency Portal</em>, June 10, 2021.</p>
</blockquote>
<p>Two years later, the language hadn’t changed much:</p>
<blockquote>
<p>Flock Safety enables robust auditing of its platform to promote accountability and transparency.
All searches conducted on any LPR device require a search reason and are saved in an
indefinitely-available audit trail. – Flock Safety, <em>Flock Safety Achieves SOC 2 Type II
Certification</em>, June 20, 2023</p>
</blockquote>
<p>Until now, it used this language to bolster transparency theater and maintain the illusion that the
company was amenable to oversight.</p>
<p>Now, another two years later, it has launched a new blog series, <em>Policy Pulse</em>. In it, the company
fully abandons its previous performative ethics to adopt an aggresive anti-oversight stance, writing
in its inaugural post:</p>
<blockquote>
<p>We’re presenting this new blog series, Policy Pulse, because the burden of compliance - navigating
this messy lattice of rules and oversight - should not stand in the way of public safety</p>
</blockquote>
<p>In part three, still couched in the language of performative transparency, Flock announces new
features informed by its new position:</p>
<blockquote>
<p>At Flock Safety, transparency is not a bug, but a feature. It’s baked into all the products we
ship. For law enforcement agencies, transparency is not a catchphrase. In the past, law
enforcement agencies had little choice in how public search audits were exported from the
Transparency Portal … Now, that changes … With a single decision, they can … remove both
[search reason and case number] entirely. — Flock Safety, <em>Policy Pulse: Transparency, Control,
and the Path Forward</em>, October 30, 2025</p>
</blockquote>
<p>These new transparency features are aimed at reducing questions, not at providing answers.</p>
<p>The information available through the transparency portals was always limited. The most important
questions were never answered: who is looking at the data, and why?</p>
<p>With these new redactions and obfuscations applied, it leaves only the time that a search was
conducted.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p><img src="https://footnote4a.org/blog/secret-searches/audit-results.png" alt="Redacted and obfuscated audit log" width="500"></p>
<p>As questions continue to be raised, Flock continues to walk back its earlier stated commitment to
transparency and oversight — no longer a goal, but a burden.</p>
<p>The company has often said that it’s only a tool-provider, or a passive facilitator of its
customers’ actions. In <em>Policy Pulse</em>, however, it goes beyond that, by acknowledging a level of
responsibility that it “will not shrink from.”</p>
<p>A responsibility to help its users avoid the burden of compliance.</p>
<p>Flock has always operated a private surveillance network configured in such a way that it optimally
avoids public oversight. <em>Policy Pulse</em> is its admission.</p>
<p>The data is owned by the customer, so Flock can’t disclose it. But customers say only Flock has the
data, so they can’t disclose it.</p>
<p>License plates and ALPR data are not private or sensitive information, so there is no issue with
Flock storing them.</p>
<p>But audit logs that contain queries that <em>could</em> contain license plates numbers are private and
sensitive information, so they can’t be disclosed.</p>
<p>For all its waxing philosophically about democracy and sovereignty, the “path forward,” as the new
blog series calls it, pretends that the core values of American democracy, and the notion that
democratically enacted laws and regulation are a burden “that should not stand in the way of public
safety,” can be reconciled. That is not the case.</p>
<p>The path foward is for democratic governments, by the people, for the people, to build public trust
by first demanding, and then publishing, a complete and unvarnished view of the activities those
governments engage in on behalf of the people they claim to serve.</p>
<p>Not more obscurity, and less democratic oversight.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Arguably, not even that, because Flock does not specify the timezone. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>audit-log-analysis</category>
        </item>
    </channel>
</rss>