<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Footnote4a — Investigations</title>
        <link>https://footnote4a.org/category/investigations</link>
        <description>Footnote4a reporting filed under Investigations</description>
        <lastBuildDate>Sat, 18 Apr 2026 18:30:00 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <copyright>© 2026 Footnote4a — Investigations</copyright>
        <atom:link href="https://footnote4a.org/feed/investigations.xml" rel="self" type="application/rss+xml"/>
        <item>
            <title><![CDATA[The Cost of Being Alive: Flock CEO Langley at TED2026]]></title>
            <link>https://footnote4a.org/news/langley-ted2026</link>
            <guid isPermaLink="false">https://footnote4a.org/news/langley-ted2026</guid>
            <pubDate>Sat, 18 Apr 2026 18:30:00 GMT</pubDate>
            <description><![CDATA[Flock's CEO told a $12,500-a-seat TED audience that in South Africa, "crime is simply the cost of being alive." His own company is helping keep it that way.]]></description>
            <content:encoded><![CDATA[<p>Flock’s CEO spoke at “TED2026: All of Us” (<a href="https://archive.vn/Dxn7l">Police1 transcript (archive)</a>). Attendees with a
$12,500 “Standard” membership (or higher) had applied to hear Langley speak about equity in police
surveillance. Instead, he made the case against his own company in three distinct ways.</p>
<h2>“Every city has a right”</h2>
<blockquote>
<p>America is built on principles of freedom, and every city has a right to make that choice. When a
community pulls back on public safety they achieve less surveillance, but the people who are made
to suffer aren’t the affluent ones, it’s the people who live in neighborhoods where they can’t
afford safety…</p>
</blockquote>
<p>“[E]very city has a right to make that choice” is Langley flat-out catering to his customer base.
The U.S. Constitution — specifically the Fourth Amendment — as well as many state constitutions are
intended to constrain government. Local governments don’t have unlimited power.</p>
<p>The other issue here is that “the people who live in neighborhoods” are left out of the conversation
and the decision to deploy surveillance entirely. They suddenly discover “LPR” cameras pointed at
their basketball court because Flock’s own sales pitch — second image below — says these deployments
are a way for departments to get video surveillance without having to go through a public hearing.</p>
<div class="grid grid-cols-2 items-center gap-x-2">
  <img src="https://footnote4a.org/blog/speed-cameras/park-lpr.jpeg"
       alt="Set of Flock LPR cameras facing basketball and pickleball courts">
  <img src="https://footnote4a.org/blog/speed-cameras/wing-live.webp" alt="Live video without approval">
</div>
<p>“Flock LPR” cameras are named to trick people into believing they’re license plate readers. Instead,
they capture video and data to be fed into a sprawling national system centered on Flock’s “Nova”
intelligence product.</p>
<p>In Langley’s world, the cops get to choose. The people aren’t even told.</p>
<h2>Safety-as-a-Service (for a Recurring Fee)</h2>
<blockquote>
<p>South Africa has over 600,000 private security guards. More than its police and military combined.
The wealthy live behind nine-foot walls and electric fences. Safety exists, if you can afford it.
If you can’t, crime is simply the cost of being alive.</p>
</blockquote>
<p>The true hypocrisy, however, is not the price tag for “All of Us”, but the invocation of South
Africa’s “pay to stay safe” system. Langley cites it as an example of inequality; at the same time,
<a href="vumacam-flock">Flock partners with the South African company Vumacam</a> to profit off the creation of
a new era of “<a href="https://www.technologyreview.com/2022/04/19/1049996/south-africa-ai-surveillance-digital-apartheid/">digital apartheid</a>” in South Africa.</p>
<div class="not-prose">
    <img src="https://footnote4a.org/blog/vumacam-flock/partner-linkedin-image.png"
        alt="Partner Event image with Flock and Vumacam"
        class="mx-auto w-[500px]">
    <div class="text-sm text-center w-full italic">
    Via Ricky Croock's LinkedIn (spelled as "Ricky Crook" here).
    </div>
</div>
<p>Vumacam places Flock cameras in affluent suburbs and sells that data to private security
contractors. Those corporations, which are even less accountable than the government, in turn sell
their services to South Africa’s upper-class.</p>
<p>Langley stands on-stage in feigned indignation, as his <a href="https://techstartups.com/2026/04/17/flock-safety-hits-8-4b-valuation-as-ai-powered-police-tech-sparks-nationwide-protests/">$8.4 billion company</a> collects on “the
cost of being alive.”</p>
<h2>The Digital Standing Army</h2>
<p>Langley lauds police forces in other countries and considers the U.S. system of local police to be a
“unique problem we have created for ourselves”. He is wrong. It’s not a problem, but a solution.</p>
<p>The founding generation was deeply divided on standing armies. At the time, the local militia kept
the peace — professional police didn’t arrive in the U.S. until 1838. A common wisdom was that the
more local the militia, the less likely it would be to turn on the people.</p>
<p>What the founders feared from a standing army has arrived in a different form: increasingly
militarized and high-tech police. Langley describes his vision as one where any police officer
anywhere in the country can “share” and “cooperate” across borders and jurisdictions.</p>
<p>What that means in practice is that any police department in the nation has the capability to
dispatch one of Langley’s drones based on reports from his national “Nova” system, fed by hundreds
of thousands of his cameras.</p>
<p>Even Hamilton, a proponent of standing armies, <a href="https://founders.archives.gov/documents/Hamilton/01-04-02-0160">warned</a> that nations attached to liberty will,
in time, give up freedom for safety — a dynamic that scales down to any institution sold as
protection.</p>
<p>Police now believe they depend on Flock. That means its CEO can not only afford safety — he can
demand it from the standing army he helped create.</p>
<h2>What to do about it</h2>
<p>The camera on your corner was approved by someone. Find out who, and when they’re up for election.</p>
<ul>
<li><a href="https://footnote4a.org/pd">Check whether your city uses Flock</a>.</li>
<li>Request public records for contracts, data-sharing and demo agreements, and <a href="https://footnote4a.org/about/audit-logs">log
files</a>.</li>
</ul>
<p>Public hearings and records requests are the only reason any of this is visible at all. Keep
showing up.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock Goes Global: How a $7.5 Billion Surveillance Company Found Its International Partner in South Africa's Most Controversial Camera Network]]></title>
            <link>https://footnote4a.org/news/vumacam-flock</link>
            <guid isPermaLink="false">https://footnote4a.org/news/vumacam-flock</guid>
            <pubDate>Sun, 05 Apr 2026 18:00:00 GMT</pubDate>
            <description><![CDATA[Vumacam sells Flock surveillance in South Africa. Its founder was criminally investigated for operating unlicensed cameras. Its cameras have been called digital apartheid. It all tracks.]]></description>
            <content:encoded><![CDATA[<p>Flock Safety has spent the last year telling American cities that its surveillance network is
accountable, auditable, and locally controlled. Cities have <a href="https://www.npr.org/2026/02/17/nx-s1-5612825/flock-contracts-canceled-immigration-survillance-concerns">canceled contracts</a>. Citizens have
<a href="https://techcrunch.com/2026/02/23/americans-are-destroying-flock-surveillance-cameras/">cut down camera poles</a>. The ACLU has been <a href="https://www.aclu.org/news/privacy-technology/flock-pushback">publishing investigations</a>. The EFF has
<a href="https://www.eff.org/deeplinks/2025/12/effs-investigations-expose-flock-safetys-surveillance-abuses-2025-review">catalogued abuse</a>.</p>
<p>The company got caught <a href="overseas-data">sending data to Upwork contractors</a> and
<a href="dps-denmark">Denmark</a>. The CEO <a href="staunton-attack">declares Flock is under attack</a>. The <a href="trust-me-bro">CISO
denies</a> high-profile, <a href="never-hacked-facts">very real security issues</a>. The permit
manager installs <a href="riverside-permits">cameras without adequate permits in California</a>,
<a href="dot-permits">Iowa</a>, and other states. The VP of Solution Engineering <a href="colwell-files">redacts information from log
files</a>. The Chief Legal Officer appears on <a href="racist-cops">niche livestreams</a>. And
marketing, seemingly sponsored by the City of Dunwoody, <a href="drone-as-dataleak">pumps out questionable
videos</a>.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>You’d think Flock has enough to worry about at home. Now it’s going international.</p>
<p>We already know what Flock’s jurisdictional sprawl looks like domestically. The Virgin Islands
Police Department — a Caribbean territory under an active DOJ consent decree for unconstitutional
policing — <a href="vi-ar">was caught querying Flock cameras in Rogers, Arkansas</a> for stolen vehicles and
traffic violations. No one in Flock’s 5,000+-agency network — including Flock and the state agencies
responsible for criminal justice information — has flagged that absurdity.</p>
<p>Now take that indifference and remove the American legal framework entirely.</p>
<p>Flock’s first(?) international reseller is Vumacam, a Johannesburg-based company that has
been accused of building a digital apartheid, charged by regulators with operating without a license,
and caught making false claims under oath about data protection compliance.</p>
<p>Sounds about right.</p>
<h2>The Partner: Ricky Croock</h2>
<p>Flock’s partner page lists Vumacam as a “channel provider”:</p>
<blockquote>
<p>Vumacam is Flock Safety’s reseller partner in South Africa. The partnership extends Flock’s
technology internationally, fostering safer communities abroad.</p>
</blockquote>
<div class="not-prose">
    <img src="https://footnote4a.org/blog/vumacam-flock/partner-linkedin-image.png"
        alt="Partner Event image with Flock and Vumacam"
        class="mx-auto w-[500px]">
    <div class="text-sm text-center w-full italic">
    Via Ricky Croock's LinkedIn (spelled as "Ricky Crook" here).
    </div>
</div>
<p>Vumacam operates a network of over 7,000 cameras across South Africa’s Gauteng province — the
majority concentrated in Johannesburg. The company was founded by Ricky Croock, a former private
security operator who previously ran CSS Tactical, a company providing armed response, guarding, and
CCTV services.</p>
<p>If you thought the Flock model couldn’t get worse: Croock found a way. Vumacam builds and maintains
the camera infrastructure — poles, cameras, connectivity — and then sells access to private security
companies, who pay a monthly fee for video feeds in their patrol areas.</p>
<p>The network includes over 2,000 automatic license plate recognition cameras that, as of 2021,
scanned an estimated 9.68 million vehicle registrations per day. That figure has likely grown
substantially alongside the network’s expansion to 7,000 cameras.</p>
<p>If this sounds like Flock, that’s because it is.</p>
<h2>Croock and Vumacam’s History</h2>
<p>The critical reporting on Vumacam is extensive, spanning investigations by MIT Technology Review,
Daily Maverick, VICE, and the Pulitzer Center.</p>
<h3>Operating Without Registration</h3>
<p>South Africa’s Private Security Industry Regulatory Authority (PSIRA) <a href="https://www.citizen.co.za/lifestyle/entertainment/who-watches-big-brother-joburgs-private-surveillance-cameras-come-under-fire/">charged both Vumacam and
Croock personally</a> with a code of conduct violation for operating a security business while
unregistered with the authority.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> Police opened a parallel criminal investigation. Vumacam
subsequently registered, but PSIRA confirmed both the criminal case and the code of conduct probe
remained active.</p>
<p>For a company building a city-wide surveillance network, the sequence is notable: deploy first,
register later. <a href="speed-cameras">Flock has its own version of this approach</a> where hundreds of
cameras were installed on public roads without permits across Florida, Illinois, South Carolina,
Texas, and North Carolina, with an Illinois DOT official receiving a thinly veiled threat that Flock
would send “<a href="https://www.jalopnik.com/license-plate-surveillance-startup-broke-the-law-while-1851289764/">about 30 different police chiefs</a>” to the office if permits weren’t
fast-tracked. And that’s just the states that have taken some form of action.</p>
<h3>Lying Under Oath</h3>
<p>In a sworn affidavit to the Gauteng High Court, Croock stated that Milestone VMS — the video
management software Vumacam uses — was “certified GDPR-compliant under the General Data Protection
Regulation applicable under European Union law.” <a href="https://www.dailymaverick.co.za/article/2021-09-25-vumacams-hundreds-of-thousands-of-cameras-will-be-watching-you/">Daily Maverick’s investigation</a> found this
was not true. EuroPriSe, the certification body, had not officially accredited Milestone; the
application was still pending.</p>
<p>Croock also told the court that Milestone “ensures responsible use of data by end users.”
Milestone’s documentation says the opposite: users, not the software, bear responsibility for
compliance.</p>
<p>We’ve heard these types of assertions before. Flock’s CEO Garrett Langley told the public that Flock
had no federal contracts. That was <a href="the-platform">also not true</a>. Flock was running a pilot program
giving Customs and Border Protection and ICE direct access to data from its cameras. After
information about the program became public, Flock stated it shut it down, but quietly continued to
run it.</p>
<p>And, of course, Flock has also <a href="never-hacked-facts">claimed all sorts of compliance</a>, including
compliance with HECVAT, which is a <a href="staunton-attack">vendor evaluation form</a>, and CJIS ACE — a
commercial certificate, every bit as valid as the official <a href="https://ko-fi.com/s/b75c5f1286">Certified Privacy Advocate
Certificate</a> from <a href="http://haveibeenflocked.com">haveibeenflocked.com</a>.</p>
<h3>“We don’t track people or cars”</h3>
<p>Exactly like Flock claims in the US, Vumacam has publicly claimed its system “does not track people
or cars.” <a href="https://www.dailymaverick.co.za/article/2021-09-08-heres-how-johannesburg-security-cameras-track-you/">The company’s marketing materials</a> also echo Flock’s — which makes sense, given it
is a reseller — and show that the system can retrospectively map a vehicle’s complete movements over
30 days. Precisely the definition of tracking.</p>
<p>Private security companies can add registration numbers to watchlists without court orders. Police
can request location data through private security databases without subpoenas or warrants.</p>
<p>That’s true in America and South Africa.</p>
<h3>Digital Apartheid</h3>
<p>The “digital apartheid” charge is the most damning line of criticism against Vumacam, and it’s
also the most structurally relevant to understanding what Flock’s technology does, both
domestically and abroad.</p>
<div class="not-prose">
    <img src="https://footnote4a.org/blog/vumacam-flock/safecity-cam.png"
        alt="A SafeCity pole in Sandton, in northern Johannesburg."
        class="mx-auto max-w-full">
    <div class="text-sm text-center w-full italic">
    A SafeCity pole in Sandton, in northern Johannesburg.
    </div>
</div>
<p>Vumacam deployed its cameras almost exclusively in affluent, predominantly white suburbs of
Johannesburg because that’s where paying customers were. Poor Black townships were left uncovered,
not out of principle, but because there was no revenue model — nobody hires ADT or other security
companies there. The result is a surveillance geography that maps onto apartheid-era spatial
divisions with uncomfortable precision.</p>
<p>Flock declines to release its camera locations and many cities have refused to release Deployment
Plans and other documentation. Efforts like <a href="https://deflock.org">Deflock</a> are underway and are
beginning to draw Flock devices on the same maps as America’s apartheid-era <a href="https://dsl.richmond.edu/panorama/redlining/">redlined
districts</a>.</p>
<p>A leaked shift report from Fibrehoods, a Vumacam partner, <a href="https://www.technologyreview.com/2022/04/19/1049996/south-africa-ai-surveillance-digital-apartheid/">documented 14 incidents flagging 28
people as “suspicious”</a> — a term that’s <a href="https://footnote4a.org/reason-cloud">commonly found in Flock logs</a> as a
<a href="search-reasons">“justification” for retrieving 30-day location histories</a>. All 28 “suspicious”
persons in the shift report were Black. The suburbs in question were majority-white.</p>
<p>Michael Kwet, a visiting fellow at Yale Law School who studies the South African surveillance
industry, <a href="https://www.vice.com/en/article/smart-cctv-networks-are-driving-an-ai-powered-apartheid-in-south-africa/">drew a direct line</a> to the apartheid-era <em>dompas</em> — the internal passport system
that restricted Black people’s movement in white enclaves. Vumacam (x Flock)’s AI-powered camera
network recreates this digitally: Black residents in historically white suburbs are surveilled,
flagged, and tracked.</p>
<p>Police in the US say they need Flock <a href="racist-cops">to stop them from pulling Black people out of cars at
gunpoint</a>. South Africa shows what actually happens when surveillance infrastructure is
deployed by private companies in a society with deep racial stratification.</p>
<p>Intent is irrelevant. The business model is what matters.</p>
<h2>Why This Partnership Matters</h2>
<p>Flock’s domestic troubles are well-documented on this site and elsewhere. Secret data sharing,
<a href="the-platform">secret employee access to camera networks</a>, cameras installed <a href="riverside-permits">without
permits</a>, a CEO who <a href="https://www.aclu.org/news/privacy-technology/flock-ceo-goes-ballistic">goes ballistic</a> rather than address concerns, and
these types of hits keep on coming while the company only offers empty promises through increasingly
snazzy marketing videos.</p>
<p>The Vumacam partnership introduces something new. The <a href="vi-ar">Virgin Islands querying Arkansas
cameras</a> was a preview — absurd, unmonitored, jurisdictionally incoherent, but still
technically domestic. It’s the diet version of what’s happening in South Africa.</p>
<p>In the United States, Flock’s surveillance network technically operates within — however loosely and
poorly enforced — a framework of Fourth Amendment protections, state privacy laws, US DoJ policies,
FOIA requests, city council votes, and the kind of public pressure that gets contracts canceled.</p>
<p>In South Africa, Vumacam successfully sued the Johannesburg Roads Agency when the agency tried to
suspend its camera permits, and the court ruled that <a href="https://www.cliffedekkerhofmeyr.com/en/news/publications/2020/dispute/Dispute-Resolution-Alert-20-October-2020-Administrative-bodies-Stay-in-your-lane-.html">the JRA’s job was to protect road
infrastructure, not human rights</a>. No civil society organization has brought a subsequent case.
The Information Regulator’s investigation into POPIA compliance appears to have produced no public
enforcement action.</p>
<p>Flock gets to sell its technology into this environment through a reseller. It is insulated from
direct accountability while Vumacam gets access to the surveillance platform of a $7.5 billion
company backed by Andreessen Horowitz and Founders Fund.</p>
<p>Vumacam wants to be Flock as much as Flock wants to be Vumacam.</p>
<h2>The Response</h2>
<p>SafeCity — featured in the backdrop for the event photo where Flock, Matrix, and Vumacam promote the
partnership — is Vumacam’s premium product tier. It is the pitch to government. In February 2024,
Vumacam announced a partnership with the Gauteng provincial government giving officials access to a
network of over 6,000 cameras and “advanced crime-fighting technologies.”</p>
<p>Response times dropped, the company says, from 18–30 minutes to 5–10 minutes.</p>
<p>Last month, in March 2026, apartheid police commander Eugene de Kock, nicknamed “Prime Evil”,
<a href="https://apnews.com/article/south-africa-apartheid-killings-inquiry-police-ce81c4459c4685d3680d6543e075c30d">testified in court</a> about the atrocities he committed in the name of public safety.</p>
<p>Now, South Africa evaluates a high-tech mass surveillance network that replicates apartheid-era
movement controls and the lack of oversight that let <em>Prime Evil</em> act with impunity when his
security forces <a href="https://apnews.com/article/apartheid-south-africa-killings-cradock-four-51e910faa6bc7251f081ec5eb97c601e">abducted, tortured and killed activists</a>.</p>
<p>When Flock’s critics — “activists” mounting a “coordinated attack” <a href="staunton-attack">according to its
CEO</a> — warn about what happens when surveillance infrastructure scales without
democratic oversight, they don’t speak in hypotheticals.</p>
<p>Johannesburg proves the outcome: Apartheid 2.0, powered by Flock.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>There will be more in the future, if Flock’s Indeed page is anything to go by. The
company is looking to hire a salaried ($135k–$160k p.a.), Los Angeles-based “Sr. Producer”: “As
Flock’s video output continues to grow in volume, ambition, and operational complexity, the
Senior Film Producer role is responsible for owning all pre-production and on-site production
logistics that make high-quality video possible.” <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Flock did something similar in <a href="https://www.newsobserver.com/news/state/north-carolina/article290872709.html">North Carolina</a> and <a href="https://www.houstonchronicle.com/news/houston-texas/article/flock-camera-investigation-22096147.php">Texas</a>, and continues
to operate without required licenses in states like Iowa. US regulators are seemingly not as
effective as South Africa’s. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA["Flock Wing License(s) Included": How Speed Cameras Became Surveillance Cameras]]></title>
            <link>https://footnote4a.org/news/speed-cameras</link>
            <guid isPermaLink="false">https://footnote4a.org/news/speed-cameras</guid>
            <pubDate>Fri, 27 Mar 2026 14:00:00 GMT</pubDate>
            <description><![CDATA[Procurement records reveal how Flock Safety sneaks its cameras into school zones with zero data governance provisions in the contract.]]></description>
            <content:encoded><![CDATA[<p>In Florida, every time a parent drops off a child at a Hillsborough County school zone, RedSpeed
cameras capture continuous HD video of their vehicle. The footage is fed, via <abbr class="md-tooltip" data-tooltip="Realtime Streaming Protocol">RTSP</abbr> stream, directly
into Flock Safety’s national surveillance network where it is processed by Flock’s AI, stored on
Flock’s terms, and made searchable by thousands of agencies nationwide.</p>
<p>The contract governing this arrangement contains no data retention policy for the surveillance
layer, no restrictions on who can access it, no privacy provisions for the people being filmed, and
not even a reference to Flock’s terms of service. The word “privacy” does not appear — except once,
regarding credit card processing when subjects pay for the privilege of their surveillance.</p>
<p>The pricing page of RedSpeed’s winning proposal says it plainly: <strong>“Flock Wing License(s)
Included.”</strong></p>
<p><img src="https://footnote4a.org/blog/speed-cameras/proposal-pricing.png" alt="RedSpeed pricing page — &quot;Flock Wing License(s)&quot;"></p>
<h2>What Hillsborough County Bought</h2>
<p>In 2024, the Hillsborough County Sheriff’s Office solicited proposals for automated speed
enforcement in school zones (RFP 2024-003). RedSpeed Florida won the contract. Its 80-page proposal
made the Flock integration central to its pitch.</p>
<p>On page 5, a letter on Flock Safety letterhead, signed by Todd Troutman, Senior Accounts, confirms
the partnership:</p>
<blockquote>
<p>Flock Safety and Redspeed have partnered together to support many different agencies. Flock Safety
is able to provide an additional layer of software to the Redspeed cameras (speed and red light).
This allows the Redspeed cameras to be turned into ALPRs that push images into Flock Safety’s
cloud and allow agencies with access to those cameras to search for vehicles.</p>
<p>…</p>
<p>In order for the two systems to work together, Redspeed will provide Flock with <abbr class="md-tooltip" data-tooltip="Realtime Streaming Protocol">RTSP</abbr> streams for
the given cameras. From there, Flock Safety will integrate the camera stream into the Flock system
thus allowing the software to be on the camera, turning it into an ALPR. The camera is then
plotted on the Flock Safety map in the application to appropriately locate where the cameras are.</p>
<p>…</p>
<p>As of March 2024, Redspeed is the only company with whom Flock has partnered with to offer Wing
LPR integration on school zone enforcement and/or red light cameras.</p>
</blockquote>
<p><a href="https://footnote4a.org/blog/speed-cameras/flock-letter-to-redspeed.pdf" class="collapsible">Flock Safety Letter to RedSpeed (from HCSO RFP 2024-003)</a></p>
<p>RedSpeed’s transmittal letter was even more direct:</p>
<blockquote>
<p><strong>ONLY RedSpeed can offer integration with Flock.</strong> We have enclosed a letter from Flock
confirming this fact. We have collaborated closely with Flock to optimize interoperability… We
have <strong>successfully integrated over 100 Flock systems</strong> in current installations; our competitors
have integrated zero Flock systems. Only RedSpeed offers this direct integration, and <strong>Flock is
included in the RedSpeed price. Integrated Flock means RedSpeed’s cameras are feeding the Wing
System for enforcement synergy.</strong> It also means fewer poles and solar panels.</p>
</blockquote>
<p>Enforcement. Synergy.</p>
<p><img src="https://footnote4a.org/blog/speed-cameras/proposal-flock-claims.png" alt="RedSpeed transmittal — Flock integration claims" class="collapsible"></p>
<p>RedSpeed’s proposal includes a competitive comparison table highlighting “True integration with
Rekor/Flock/Vigilant” as a checkmark for RedSpeed and a red “denied” for “All Competitors.”</p>
<p><img src="https://footnote4a.org/blog/speed-cameras/proposal-table1.png" alt="RedSpeed Table 1 — competitive comparison"></p>
<p>The proposal emphasizes that RedSpeed cameras deliver “lane-specific, high resolution (3000x5000
pixels, 30 frames per second), video cameras” — and that RedSpeed “provides the ability to live
stream video from all cameras (no still cameras).” It also states that RedSpeed “provides at least
45 days of storage” and “Flock ALPR at all locations, included in the RedSpeed Price.”</p>
<p><img src="https://footnote4a.org/blog/speed-cameras/proposal-camera-tech.png" alt="RedSpeed camera technology section" class="collapsible">
<img src="https://footnote4a.org/blog/speed-cameras/proposal-approach.png" alt="RedSpeed understanding and approach summary" class="collapsible"></p>
<p>RedSpeed’s stake in all this is straightforward. It offers a “turnkey” service — everything from
taking a picture to swiping a credit card — for “35% of the Governing Body’s Statutory share of
collected revenue.” In Hillsborough County alone, more than 105,000 violations have been issued
since fall 2024, generating over $6 million in paid fines; <a href="https://www.wptv.com/wptv-investigates/florida-school-speed-zone-cameras-ripping-drivers-off-says-county-magistrate-who-ruled-on-hundreds-of-cases">a local magistrate called it a rip-off</a>.</p>
<p><a href="https://footnote4a.org/blog/speed-cameras/redspeed-proposal-hcso.pdf" class="collapsible">RedSpeed Full Proposal — HCSO RFP 2024-003 (80 pages)</a></p>
<p><img src="https://footnote4a.org/blog/speed-cameras/proposal-pricing-letter.png" alt="Flock letter placement after pricing section"></p>
<p>In Alpharetta, GA, it was structured a little differently: the county <a href="https://patch.com/georgia/alpharetta/speed-detection-cameras-approved-alpharetta-school-zones">had to pay 2% extra to give the
data to Flock</a>.
Maybe that’s Georgia-based Flock’s home field advantage at play.</p>
<h2>The Silent Contract</h2>
<p>What matters most about the Hillsborough procurement is what the contract <em>doesn’t</em> say.</p>
<p>The HCSO-RedSpeed contract consists of three incorporated documents:</p>
<ol>
<li>The RFP solicitation (HCSO RFP 2024-003, 39 pages)</li>
<li>The draft contract template (11 pages)</li>
<li>RedSpeed’s proposal (80 pages, including the Flock letter)</li>
</ol>
<p><a href="https://footnote4a.org/blog/speed-cameras/hcso-rfp-2024-003.pdf" class="collapsible">HCSO RFP 2024-003 — Final Solicitation</a>
<a href="https://footnote4a.org/blog/speed-cameras/hcso-draft-contract.pdf" class="collapsible">HCSO RFP 2024-003 — Draft Contract</a></p>
<h3>The Request for Proposals</h3>
<p>The RFP explicitly required ALPR capability (Part D, Section 3):</p>
<blockquote>
<p>Qualified, proposing firms must demonstrate competence and experience with Automated Speed
Enforcement Systems and Automated License Plate Reader systems</p>
</blockquote>
<p>It required video, not stills (Part C, Section 3.A):</p>
<blockquote>
<p><strong>Video Technology is required. Still shots are not acceptable.</strong> Respondent proposer must utilize
radar and/or laser automated speed detection systems.</p>
</blockquote>
<p>And it required subcontractor disclosure (Part B, Section 5):</p>
<blockquote>
<p>If a Proposer intends to use subcontractors, the Proposer must <strong>identify in the Proposal the
names of the subcontractors and the portions of the work</strong> the subcontractors will perform.</p>
</blockquote>
<p><img src="https://footnote4a.org/blog/speed-cameras/rfp-alpr-requirement.png" alt="RFP Part D — ALPR requirement" class="collapsible">
<img src="https://footnote4a.org/blog/speed-cameras/rfp-video-required.png" alt="RFP Part C — Video required, stills not acceptable" class="collapsible">
<img src="https://footnote4a.org/blog/speed-cameras/rfp-subcontracting.png" alt="RFP Part B — Subcontractor disclosure requirement" class="collapsible"></p>
<p>What was not in the RFP were any specifications for how ALPR data should be governed, stored,
retained, shared, or deleted.</p>
<h3>What the draft contract covers</h3>
<p>The draft contract is an 11-page template with fill-in-the-blank fields. It covers: term (3 years +
three 1-year extensions), insurance requirements, E-Verify compliance, subcontracting (generic),
public records obligations (per Florida § 119.0701), indemnification, and confidentiality — but
only of “Sheriff Operations” (Section 23).</p>
<h3>What the draft contract does NOT cover</h3>
<ul>
<li>Data retention for ALPR/LPR captures</li>
<li>Data sharing restrictions (who can access Flock’s system)</li>
<li>Privacy policy for citizens whose vehicles are scanned</li>
<li>Flock Safety’s terms of service or Master Service Agreement</li>
<li>Any reference to Flock’s default data practices (30-day rolling delete, Section 4.3 perpetual
anonymized data license, Section 5.3 law enforcement disclosure rights)</li>
<li>Ownership of ALPR data (distinct from violation/citation data)</li>
<li>Audit rights over the ALPR system</li>
<li>Restrictions on out-of-state or federal agency access</li>
<li>Any framework governing the surveillance layer at all</li>
</ul>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/flock-default-msa-oakland.pdf" class="collapsible">Flock Default MSA — Oakland CA, Sept 2025</a></p>
<p>Nothing in the contract says HCSO gets any rights to the video or the ALPR data. If HCSO wants to
access that, they presumably have to do what anyone else can do: pay Flock and <a href="own-nothing">ask
nicely</a>.</p>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/sfist-sfpd-flock-federal.pdf" class="collapsible">SFist — SFPD Flock Data Accessed 1.6M Times by Federal Agencies</a>
@<a href="https://footnote4a.org/blog/speed-cameras/aclu-flock-data-sharing.pdf" class="collapsible">ACLU — Flock Can Share Data Even When PDs Opt Out</a></p>
<p>The sheriff’s RFP was specific enough to guarantee the desired outcome. The final tabulation sheet
published by HCSO shows RedSpeed with the highest evaluation score of 95.95, ahead of Blue Line
Solutions (91.75) and Conduent (77.6).</p>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/hcso-tabulation-sheet.pdf" class="collapsible">HCSO RFP 2024-003 — Tabulation Sheet</a>
@<a href="https://footnote4a.org/blog/speed-cameras/cl-tampa-flock-speed-cameras.pdf" class="collapsible">Creative Loafing Tampa — Flock Integrated Speed Cameras in School Zones</a></p>
<h2>Wing: The Platform That Turns Any Camera Into a Flock Camera</h2>
<p>RedSpeed’s pitch works because of Wing: Flock’s product line for converting third-party cameras into
Flock surveillance nodes. The branding is a somewhat confusing patchwork of overlapping names, and
Flock has removed several of its Wing-related pages from its website, but the product is still sold
and deployed.</p>
<h3>The Pitch</h3>
<p>In October 2020, Flock Safety announced Wing with a press release headline that said, plainly:</p>
<blockquote>
<p><strong>FLOCK SAFETY ANNOUNCES THE WING INTEGRATION TO DISTILL 1000s OF HOURS OF IP CAMERA FOOTAGE INTO
SEARCHABLE IMAGES THAT SOLVE CRIME</strong></p>
</blockquote>
<p>The subhead: “Software transforms existing IP cameras into cameras that can see like a detective”</p>
<p>Wing takes video from existing cameras — IP cameras, security cameras, traffic cameras — and runs
Flock’s AI on it, letting users search for white sedans,
<a href="the-platform">unicycles</a>, or <a href="freeform-freeforall">people wearing jeans</a>.</p>
<p>Cameras connect via standard <abbr class="md-tooltip" data-tooltip="Realtime Streaming Protocol">RTSP</abbr> (Real Time Streaming Protocol), a camera standard that’s supported
by many commercial surveillance cameras as well as consumer products like
<a href="https://amcrest.com/4mp-wifi-camera-doorbell-ad410.html">doorbells</a> and <a href="https://us.store.tapo.com/collections/best-selling-products/products/tapo-c120-indoor-outdoor-wired-security-camera">$35 surveillance
cameras</a>.</p>
<h3>The Wing Ecosystem</h3>
<p>In an August 2025 OMNIA Partners cooperative purchasing pricelist, Wing LPR is listed as: <strong>Flock
Safety Wing™ LPR</strong> (<code>wing_integration</code>, $3,000/yr per camera): “Video software integration
transforms traditional IP cameras into Flock Safety enabled LPR cameras. Includes Vehicle
Fingerprint™ computer vision and Advanced Search Package (Convoy Analysis, Multi Geo Search, Visual
Search)”</p>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/omnia-flock-pricing-aug-2025.pdf" class="collapsible">OMNIA Partners — Flock Pricing, Aug 2025</a></p>
<p>The same catalog lists the Wing product family: Wing Livestream ($500/yr), Wing Replay ($1,000/yr
with 7-day footage retention), Wing Gateway 2.0 (8–32 stream hardware at $3,650–$8,250 + subscription),
Wing Cloud Live Only ($90/yr), and an Inbound Vehicle Images API ($1,500–$2,500/yr) for ingesting
pre-processed plate reads from third-party LPR systems.</p>
<p>The “Wing Livestream” product price matches the $500 feature that turns Flock’s LPR into live video
surveillance — that’s “something you can take advantage of without going to council,” according to
Flock Safety’s Kevin Cutler.</p>
<div class="grid grid-cols-2 items-center gap-x-2">
  <img src="https://footnote4a.org/blog/speed-cameras/park-lpr.jpeg" alt="Set of Flock LPR cameras facing basketball and pickleball courts">
  <img src="https://footnote4a.org/blog/speed-cameras/wing-live.webp" alt="Live video without approval">
</div>
<p>Flock misleadingly tells the public it sells “LPR” cameras — a product name, not a description —
while it <a href="the-platform">consolidates its network into a single searchable database</a>.</p>
<p>The network from that <a href="https://www.bbc.com/news/articles/cwy8dxz1g7zo">Super Bowl Ring commercial</a>,
promising to find your dog, is already deployed nationwide on speed cameras, parking enforcement
cameras, and “CCTV” systems on your basketball and pickleball courts.</p>
<h3>Wing in Practice</h3>
<p>On June 27, 2025, Flock published a blog post titled <em>“Video Without Limitations: Flock Safety’s
Newest Solutions for Law Enforcement”</em> showcasing Wing Gateway 2.0 and Wing Gateway Outdoor.</p>
<p>@v<a href="https://footnote4a.org/blog/speed-cameras/wing-webinar-segment.mp4">Flock Safety — Video Without Limitations Webinar (Wing segment, 13:36–end)</a>
@<a href="https://footnote4a.org/blog/speed-cameras/flock-blog-video-without-limitations.pdf" class="collapsible">Flock Blog — Video Without Limitations</a></p>
<p>In the October 2024 webinar (<a href="https://footnote4a.org/blog/speed-cameras/full-webinar.mp4">full video</a>), Trevor
Pennypacker, Sr. Product Manager at Flock, is excited to tell Flock’s customers that you can connect
“parking lots, restaurants, traffic cameras, really anything.”</p>
<p>The City of Bloomington, IL executed an agreement that explicitly includes Wing LPR in its order
form:</p>
<ul>
<li>“Flock Safety Wing™ LPR — Included — 10 Included”</li>
<li>“Flock Safety Wing™ <abbr class="md-tooltip" data-tooltip="Video Management System">VMS</abbr> — Included — 100 Included”</li>
<li>“Professional Services — Wing Implementation Fee — $500.00”</li>
</ul>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/bloomington-wing-lpr-pages.pdf" class="collapsible">Bloomington IL — Wing LPR Relevant Pages (9 pages)</a></p>
<p>The branding, boundaries, and availability of Wing products are all somewhat shifting and murky —
from Wing Gateway 2.0 to Wing Cloud to Wing LPR — but the core functionality is what matters:
third-party cameras are being turned into Flock nodes, and Flock actively markets and sells that
functionality.</p>
<h2>The Scan-Everything Architecture</h2>
<p>RedSpeed’s cameras are always on during enforcement hours. They capture continuous HD video of every
vehicle passing through the field of view — in a school zone, recording parents, teachers, students,
buses, and anyone else on the road. “Video Technology is required. Still shots are not acceptable.”</p>
<p>The <abbr class="md-tooltip" data-tooltip="Realtime Streaming Protocol">RTSP</abbr> stream — all of it, not just violators — is fed to Flock. The Flock letter confirms this is
by design: the cameras are “turned into ALPRs that push images into Flock Safety’s cloud and allow
agencies with access to those cameras <strong>to search for vehicles.</strong>” Since then, Flock rolled out
FreeForm, its AI-powered search capability that can find people by
physical description: “man in blue shirt and cowboy hat,” “dressed in all black clothing and black
face mask,” or — as one Dunwoody PD officer tried — “GRINCH.”</p>
<h3>Vehicle Fingerprint</h3>
<p>The Vehicle Fingerprint technology alone extracts far more than license plates: plate number and
state registration, vehicle make, model, color, and body type, missing or covered plates, bumper
stickers and decals, roof racks, bike racks, trailer hitches, and aftermarket wheels.</p>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/flock-vehicle-fingerprint.pdf" class="collapsible">Flock Blog — Vehicle Fingerprint: When Plate Data Fails</a></p>
<p>But that’s only part of the picture. Flock CEO Garrett Langley <a href="https://footnote4a.org/blog/speed-cameras/denver-update.pdf">has previously stated that the
system indexes <em>everything</em></a>, filtering only problematic
<em>searches</em> — or <a href="freeform-freeforall">attempting to filter them</a>, anyway.</p>
<p><img src="https://footnote4a.org/blog/speed-cameras/denver-legal.png" alt="Software recognizes everything" width="500"></p>
<h3>Where that data goes</h3>
<p>No matter how you feel about red-light or speed cameras as a policy matter, it is hard to justify
turning a safety measure for school zones into a surveillance dragnet whose recordings are fed
to a private corporation with no contractual restrictions on use. In San Francisco, SFPD’s Flock
cameras were searched 1.6 million times by out-of-state and federal agencies — in apparent violation
of California law. EFF’s analysis of 12 million Flock searches nationwide found hundreds related to
protest activity, immigration enforcement, and discriminatory targeting. A Norfolk, Virginia resident
sued after learning Flock cameras had logged his location 526 times in four months.</p>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/sfist-sfpd-flock-federal.pdf" class="collapsible">SFist — SFPD Flock Data Accessed 1.6M Times by Federal Agencies</a>
@<a href="https://footnote4a.org/blog/speed-cameras/aclu-flock-data-sharing.pdf" class="collapsible">ACLU — Flock Can Share Data Even When PDs Opt Out</a></p>
<h2>The Legal Tension</h2>
<h3>Florida’s prohibition on “remote surveillance”</h3>
<p>Florida law explicitly prohibits using school zone speed cameras for “remote surveillance” and
restricts the permitted uses of recorded footage:</p>
<blockquote>
<p>(15)(a) A speed detection system in a school zone may not be used for remote surveillance. The
collection of evidence by a speed detection system to enforce violations of ss. 316.1895 and
316.183, or user-controlled pan or tilt adjustments of speed detection system components, do not
constitute remote surveillance. Recorded video or photographs collected as part of a speed
detection system in a school zone may only be used to document violations of ss. 316.1895 and
316.183 and for purposes of determining criminal or civil liability for incidents captured by the
speed detection system incidental to the permissible use of the speed detection system.</p>
<p>(15)(b) Any recorded video or photograph obtained through the use of a speed detection system
must be destroyed within 90 days after the final disposition of the recorded event.</p>
<p>— Fla. Stat. § 316.1896(15)</p>
</blockquote>
<p>Two questions that nobody appears to have asked, let alone answered:</p>
<p>First, does feeding the full <abbr class="md-tooltip" data-tooltip="Realtime Streaming Protocol">RTSP</abbr> stream to Flock — where it is processed by AI, matched against
vehicle databases, and made searchable by thousands of agencies for purposes wholly unrelated to
speed enforcement — constitute “remote surveillance” under the statute? The statute defines what is
<em>not</em> remote surveillance (evidence collection for speed violations, PTZ adjustments), but the
legislative history does not address third-party AI processing of the video feed.</p>
<p>Second, the statute requires destruction of recorded video within 90 days of final disposition, and
vendors must certify destruction annually. But once the <abbr class="md-tooltip" data-tooltip="Realtime Streaming Protocol">RTSP</abbr> stream enters Flock’s system, it
is processed into Vehicle Fingerprint data, plate reads, and searchable metadata governed by Flock’s
own retention policies — not the county’s.</p>
<p>Altumint, a competing speed camera vendor in Florida, hinted at a loophole when it drew a
distinction explicitly. Its chief revenue officer <a href="https://www.alligator.org/article/2026/03/school-zone-speeding-cameras">told the <em>Independent Florida Alligator</em> in March
2026</a> that Altumint’s
cameras “only capture a license plate if the vehicle is speeding more than 10 miles over the speed
limit,” whereas RedSpeed’s Flock ALPR cameras “can document every license plate that passes by.” He
added: “Even in a school zone, you could be going 25 in a 15 … but I can’t capture that plate. ALPR
can capture that plate.”</p>
<p>Whether derivative data (plate reads, AI-extracted vehicle descriptions) qualifies as “recorded
video or photograph” under the statute is untested. The statute’s drafters were contemplating a
camera vendor that stores and deletes footage. They were not contemplating a speed camera sending
data to a second vendor that ingests the same stream in real time and converts it into a permanent
surveillance record.</p>
<p>No Florida court has addressed either question. No Attorney General opinion appears to exist. The
statute was enacted in 2023 (HB 657). Florida is one of RedSpeed’s biggest markets.</p>
<h2>What Flock Tells Everyone Else</h2>
<p>Across dozens of municipal FAQ pages and Transparency Portals, Flock provides standardized language:</p>
<blockquote>
<p>Flock Safety cameras are <strong>not used to enforce traffic violations</strong> such as speeding, running red
lights, or other moving violations. The cameras <strong>do not capture vehicle speed</strong> and are solely
used for investigative purposes related to public safety.</p>
</blockquote>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/leander-tx-flock-faq.pdf" class="collapsible">Leander TX — Flock FAQ</a>
@<a href="https://footnote4a.org/blog/speed-cameras/columbia-mo-flock-faq.pdf" class="collapsible">Columbia MO — Flock FAQ</a>
@<a href="https://footnote4a.org/blog/speed-cameras/everett-wa-flock-faq.pdf" class="collapsible">Everett WA — Flock FAQ</a></p>
<p>Technically, that appears to be true. “Flock Safety cameras” are not used for traffic enforcement —
RedSpeed’s cameras are. But they operate on Flock technology, within the Flock network.</p>
<p>Flock’s Transparency Portals go further. The Thomasville, GA PD portal explicitly lists “speed
detection” as a prohibited use of Flock technology, and confirms that the system is used “for law
enforcement purposes only.”</p>
<p>Meanwhile, RedSpeed’s speed detection cameras are feeding <abbr class="md-tooltip" data-tooltip="Realtime Streaming Protocol">RTSP</abbr> streams directly into this same
network via Wing LPR. Data from a speed detection system enters a platform that lists speed
detection as a prohibited use.</p>
<p><img src="https://footnote4a.org/blog/speed-cameras/thomasville-transparency-portal.png" alt="Thomasville GA PD — Flock Transparency Portal (screenshot, March 26, 2026)" class="collapsible"></p>
<h3>It’s not <em>our</em> cameras</h3>
<p>The Flock letter on page 5 of the HCSO proposal says Flock provides “an additional layer of
software to the Redspeed cameras (speed and red light).” The transmittal says “Integrated Flock
means RedSpeed’s cameras are feeding the Wing System for enforcement synergy.” The pricing says
“Flock Wing License(s)” are included in a speed enforcement contract.</p>
<p>Flock’s defense rests on a technicality: <em>its</em> cameras don’t capture speed; <em>its</em> technology is
merely consuming the video feed from someone else’s speed cameras and processing it for entirely
different purposes. Whether that distinction will satisfy a legislature, or the parents whose
children are being filmed, remains to be seen.</p>
<h3>The Partner Page</h3>
<p>RedSpeed claimed to be the only Flock-integrated vendor for school zone enforcement as of March
2024. As of March 2026, Flock’s partner program page lists several other automated traffic
enforcement companies as “Channel Providers.”</p>
<p>Maybe Flock gave them different territories, outside school zones.</p>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/flock-partner-ate-providers.pdf" class="collapsible">Flock Partner Program — ATE Channel Providers</a></p>
<h2>The Broader Pattern</h2>
<h3>The GSP Ticket</h3>
<p>On December 26, 2025, Georgia State Patrol ticketed a motorcyclist for holding a cell phone while
riding. The citation read: <strong>“CAPTURED ON FLOCK CAMERA 31 MM 1 HOLDING PHONE IN LEFT HAND.”</strong></p>
<p>GSP called it a “unique circumstance.” The ticket was dropped in court. <a href="https://www.eff.org/deeplinks/2026/03/traffic-violation-license-plate-reader-mission-creep-already-here">EFF described the
incident</a>
as an example of the mission creep it has “long warned about” with surveillance infrastructure.</p>
<p>It is the kind of one-off incident Flock can dismiss. Its long-standing RedSpeed partnership is not.</p>
<h3>Brookhaven, GA</h3>
<p>In <a href="https://web.archive.org/web/20201020111018/https://www.brookhavenga.gov/police/page/brookhaven-uses-technology-reduce-school-zone-speeding">Brookhaven, GA’s
words</a>,
RedSpeed cameras feed “real-time alerts” into “Brookhaven’s existing License Plate Reader (LPR)
platform to identify sex-offenders, protective orders, and wanted persons for increased safety in
school zones.”</p>
<p>Even if you are a concerned parent thinking this sounds like a good idea, the practical value of such a
system is questionable at best. Police are not going to act on these “real-time alerts” each time
anyone under a protective order — many of which are not the result of any criminal activity, let
alone any criminal activity involving children — drives through a school zone.</p>
<p>The system’s real-time capabilities, like watchlists and speeding tickets, are secondary. The real
value is in gathering massive amounts of videos and photos of everyone entering a school zone —
parents, teachers, students.</p>
<p>RedSpeed’s strong marketing emphasis on video quality (15 Megapixels, 30 frames per second) raises
questions as well. If a regular Flock LPR, which RedSpeed says is of “lower quality,” is accurate
enough to perform ALPR and create evidence, how is a camera where you can count the pimples on your
middle schooler’s nose an advantage?</p>
<p>The point isn’t better traffic enforcement: it’s high-definition video surveillance.</p>
<p>@<a href="https://footnote4a.org/blog/speed-cameras/brookhaven-redspeed-flock-wayback.pdf" class="collapsible">Brookhaven GA — RedSpeed Flock Integration (Wayback Machine, Oct 2020)</a></p>
<h3>Tampa’s Piggyback</h3>
<p>In Hillsborough County’s seat, Tampa, <a href="https://www.cltampa.com/news/tampa-city-council-could-vote-to-approve-flock-integrated-speed-cameras-in-school-zones/">RedSpeed scored third on an RFP but the council unanimously
voted for the contract
anyway</a>.
Creative Loafing Tampa noted that there was “no indication in the backup materials why the third
place proposal was chosen.”</p>
<p>Before the vote, Creative Loafing reported, “several council members noted they spoke with the Chief
and were assured the data wouldn’t be inappropriately shared.” Council member Lynn Hurtak said “the
only time they are allowed to use this technology is to share it with other agencies when they have
an open case.”</p>
<p>If that’s the policy, it isn’t in the sheriff’s contract.</p>
<h2>Making the Quiet Part Loud</h2>
<p>Flock quietly sells Wing integration in the background while partners like RedSpeed bundle it for
easy consumption by sheriffs and police chiefs. Contracts are kept minimal — no data governance, no
privacy language, no mention of the surveillance layer. The RFP asks for ALPR. The proposal delivers
Flock. The contract says nothing about what Flock does with the data. Nobody on city council asks,
because the pitch is about school safety and the cameras are “violator-funded.”</p>
<p>Across the country, communities have begun pushing back against Flock’s surveillance network.
Austin, Cambridge, Eugene, Evanston, and dozens of other jurisdictions have canceled, paused, or
refused to renew Flock contracts after audits revealed immigration enforcement access,
discriminatory searches, and data sharing that violated state law.</p>
<p>Those fights were about Flock cameras communities <em>knew</em> they were buying. The unified Wing network
is different: residents are now told they’re getting school zone speed cameras, but the video is
being routed into a national surveillance network with no contractual guardrails; or they’re being
told they’re getting license plate readers only to find them watching them shoot hoops.</p>
<p>Flock, RedSpeed, the Sheriff, and elected officials are tired of the push-back. They’re actively
restructuring to keep the public under surveillance and in the dark. We can’t let them.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Who Is Flock Intelligence?]]></title>
            <link>https://footnote4a.org/news/flock-intelligence</link>
            <guid isPermaLink="false">https://footnote4a.org/news/flock-intelligence</guid>
            <pubDate>Tue, 24 Mar 2026 00:10:00 GMT</pubDate>
            <description><![CDATA[An unknown Flock-affiliated entity searched Dunwoody GA PD's camera networks 606 times in five months using AI-powered queries — many targeting political expression. Four other Flock-internal organizations also appear in the logs.]]></description>
            <content:encoded><![CDATA[<p>The <a href="dunwoody-ga-mar2026">Dunwoody GA PD audit data</a> released today contains 606 searches by an
organization called <strong>“Flock Intelligence.”</strong> It is not a police department. It is not a government
agency. Every field that would identify the operator — name, filters, case number — is redacted with
<code>***</code>.</p>
<p>Flock Intelligence does not appear in any audit log before August 2025, and it is absent from the
org audit entirely. It only shows up in the network audit, meaning it searches Dunwoody’s cameras
from outside the department.</p>
<h2>The searches</h2>
<table>
<thead>
<tr>
<th>Month</th>
<th style="text-align:right">Total</th>
<th style="text-align:right">Freeform</th>
<th style="text-align:right">Search</th>
<th style="text-align:right">Convoy</th>
<th style="text-align:right">Other</th>
</tr>
</thead>
<tbody>
<tr>
<td>Aug</td>
<td style="text-align:right">21</td>
<td style="text-align:right">17</td>
<td style="text-align:right">1</td>
<td style="text-align:right">—</td>
<td style="text-align:right">3</td>
</tr>
<tr>
<td>Sep</td>
<td style="text-align:right">225</td>
<td style="text-align:right">164</td>
<td style="text-align:right">34</td>
<td style="text-align:right">22</td>
<td style="text-align:right">5</td>
</tr>
<tr>
<td>Oct</td>
<td style="text-align:right">164</td>
<td style="text-align:right">117</td>
<td style="text-align:right">40</td>
<td style="text-align:right">2</td>
<td style="text-align:right">5</td>
</tr>
<tr>
<td>Nov</td>
<td style="text-align:right">101</td>
<td style="text-align:right">95</td>
<td style="text-align:right">6</td>
<td style="text-align:right">—</td>
<td style="text-align:right">—</td>
</tr>
<tr>
<td>Dec</td>
<td style="text-align:right">95</td>
<td style="text-align:right">93</td>
<td style="text-align:right">2</td>
<td style="text-align:right">—</td>
<td style="text-align:right">—</td>
</tr>
</tbody>
</table>
<p>Over 80% of Flock Intelligence’s queries are FreeForm searches — the AI-powered text prompt feature
<a href="freeform-freeforall">analyzed in detail here</a>. That earlier analysis showed that Flock’s moderation
system warns about political searches but does not block them. Flock Intelligence’s searches confirm
that pattern.</p>
<h2>Political expression</h2>
<p>Among the 170 unique text prompts, a cluster targets vehicles by political expression:</p>
<ul>
<li>“a truck with a trump flag on it” — <code>warn</code></li>
<li>“red honda accord with a trump bumper sticker” — <code>warn</code></li>
<li>“green car with trump bumper sticker” — <code>warn</code></li>
<li>“vehicle with trump bumper sticker” — <code>warn</code></li>
<li>“a SUV with a yellow don’t tread on me flag” — <code>warn</code></li>
<li>“a red nissan rogue with a don’t tread on me flag” — <code>warn</code></li>
<li>“don’t tread on me flag” — <code>warn</code></li>
<li>“american flag” — <code>warn</code></li>
<li>“a car with a british flag” — <code>warn</code></li>
<li>“dallas cowboy flag”</li>
<li>“vehicle with a Dallas Cowboys star sticker”</li>
<li>“vehicle with a Falcons logo”</li>
</ul>
<p>Every political expression search was warned — and every one went through. The sports team searches
passed without even a warning, which tells you where the moderation system draws its lines and how
firmly it enforces them.</p>
<h2>What got blocked</h2>
<p>The moderation system blocked searches describing occupants:</p>
<ul>
<li>“car with two occupants” — <code>block</code></li>
<li>“car with 2 occupants” — <code>block</code></li>
<li>“4 door truck with 4 individuals” — <code>block</code></li>
<li>“four people inside car” — <code>block</code></li>
<li>“green vehicle with a roof rack 4 individuals inside” — <code>block</code></li>
</ul>
<p>And a handful of subjective descriptors:</p>
<ul>
<li>“green car with trashy stickers on it” — <code>block</code></li>
<li>“orange car with person and red shift” — <code>block</code></li>
<li>“crazy looking car” — <code>block</code></li>
</ul>
<p>Other warned searches include “pink breast cancer awareness plate,” “pink ribbon sticker on plate,”
and “german shepard in back of pickup truck.”</p>
<p>So: searching for a specific political candidate’s bumper sticker gets a warning and goes through.
Searching for “crazy looking car” gets blocked. That is the moderation hierarchy Flock built.</p>
<h2>Recurring patterns</h2>
<p>Some searches recur across months in ways that suggest ongoing tracking:</p>
<p><strong>“Black Mercedes GL450 4MATIC”</strong> appears in October, November, and December. In December it evolves
into “black Mercedes-Benz GLB 250 SUV” and several variations — the same vehicle tracked across a
quarter, description refined over time.</p>
<p><strong>“Armored truck OR Brinks truck”</strong> (and variations) appears every month from August through
December. This is the most consistent search pattern in the dataset.</p>
<p><strong>“White Dodge Charger with black roof and black stripe”</strong> recurs October through December with
slight wording changes.</p>
<p>Again, this is not a police agency. It is a private party performing long-term surveillance on
locations of Mercedes and cash-in-transit vehicles.</p>
<p>Possible reasons range from harmless testing queries (over multiple months — so that seems
unlikely), to employees selling intelligence to criminal actors, to some sort of commercial service.</p>
<h2>Person searches</h2>
<p>Three prompts target people rather than vehicles:</p>
<ul>
<li>“white t-shirt” (objectClass:person)</li>
<li>“person on scooter” / “person with scooter” (objectClass:person)</li>
<li>“yellow backpack” (objectClass:person)</li>
</ul>
<p>All were allowed by moderation.</p>
<h2>Other Flock organizations in Dunwoody’s logs</h2>
<p>Flock Intelligence is not the only Flock-affiliated entity searching Dunwoody’s cameras. Four others
that we’ve seen previously appear here as well:</p>
<table>
<thead>
<tr>
<th>Organization</th>
<th>Months</th>
<th style="text-align:right">Records</th>
</tr>
</thead>
<tbody>
<tr>
<td>Flock City PD - Law Enforcement Demo</td>
<td>Jan–Dec</td>
<td style="text-align:right">~294</td>
</tr>
<tr>
<td>Flock Safety - Admins</td>
<td>Feb–Jun</td>
<td style="text-align:right">~33</td>
</tr>
<tr>
<td>Flock RTCC</td>
<td>Jan, Mar</td>
<td style="text-align:right">~21</td>
</tr>
<tr>
<td>Flock Safety - Engineering</td>
<td>Jun</td>
<td style="text-align:right">~1</td>
</tr>
</tbody>
</table>
<p>“Flock City PD - Law Enforcement Demo” searches Dunwoody’s network every month of the year. That is
a demo environment running against a live police department’s surveillance data — not a sandbox.</p>
<p>“Flock RTCC” — Real-Time Crime Center — searched Dunwoody’s network in January and March.</p>
<p>“Flock Safety - Admins” and “Flock Safety - Engineering” are self-explanatory: Flock employees with
direct access to customer camera networks.</p>
<p>In total, Flock-affiliated entities account for over 1,000 searches of a single police department’s
camera network in 2025.</p>
<h2>What is Flock Intelligence?</h2>
<p>It is not listed as a law enforcement agency. It does not appear on Flock’s public-facing product
pages.</p>
<p>Its operator identities, search filters, and case numbers are all redacted in the logs Flock
provides to its own customers. Dunwoody PD cannot audit who at Flock Intelligence searched their
network, what they were looking for, or why.</p>
<p>As I publish this, at 6:10pm (CDT) on March 23, 2026, Dunwoody PD and Dan Haley — Flock’s chief
legal officer — are telling the City Council that access is only granted to police agencies, and
only for criminal investigative purposes.</p>
<p>Again, police and Flock say one thing, the logs say another.</p>
<p>Someone, somewhere — who is not police — is tracking live data about these vehicles.</p>
<hr>
<p class="text-sm"><em>March 24, 2026 update</em>: Removed claims about Flock Nova pending further verification.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[You Will Own Nothing: How Flock Safety Keeps Cities From Their Own Surveillance Data]]></title>
            <link>https://footnote4a.org/news/own-nothing</link>
            <guid isPermaLink="false">https://footnote4a.org/news/own-nothing</guid>
            <pubDate>Mon, 23 Mar 2026 01:15:00 GMT</pubDate>
            <description><![CDATA[Flock customers technically 'own' their footage — but can't access high-resolution originals, get images with unreliable timestamps and scrubbed metadata, and must submit formal requests through Flock's own evidence platform just to obtain their own records.]]></description>
            <content:encoded><![CDATA[<p>In December 2025, I wrote
<a href="trojan-contracts">an article about Flock changing its Terms and Conditions</a>. That change included
some important language that made “Footage” (a term defined in the contract) no longer “owned” by
Flock customers. Specifically, I wrote:</p>
<blockquote>
<p>Even if the original footage is available to Flock, you may get an edited or altered version (e.g.
cropped or with watermarks overlaid), or a reduced-resolution version. You may also get it late,
or never, and the conditions for access are at Flock’s discretion.</p>
</blockquote>
<p>Although Flock revised its terms again soon after, restoring on-paper “ownership” to the customer
but giving itself broader license to do what it wants with copies, the prediction held. An open
records response from Missouri shows the result of Flock’s policy of “ownership.”</p>
<h2>The Original Footage</h2>
<p>The request was made by <a href="https://deflockjoplin.today/">Deflock Joplin</a>, the group responsible for
the January 2026 headline “<a href="https://www.kctv5.com/2026/01/12/joplin-officer-no-longer-employed-after-alleged-misuse-license-plate-tracking-system/">Joplin officer no longer employed after alleged misuse of license plate
tracking system</a>.” <a href="https://www.muckrock.com/foi/joplin-20300/4th-and-maiden-flock-records-204786/">The records request</a> is straightforward:</p>
<blockquote>
<p>Recordings from the Flock LPR camera located at 4th and Maiden Ln from 2/16/2026 starting at 5:00
PM lasting until 6:00 PM. This camera is on the south west corner of the intersection facing a
southern direction. The records requested should include stills, video, and all other records
generated by the camera. I request the data from Flock OS and the camera’s internal storage.</p>
</blockquote>
<p>The City of Joplin charged $23.57 for the request and fulfilled it a couple of weeks after receiving
payment with a file “Flock_Safety_Search_Image_Results_3-9-2026_1-22-54PM.” The city did not include
40 minutes of footage/images, stating “we are currently experiencing a technical issue affecting
this functionality.”</p>
<p>While technical issues that prevent a city from accessing “its” data would be a cause for concern,
rumor has it that the “technical issues” in question occurred somewhere between the keyboard and the
chair, and the city did not understand how to save images. The city did supply the missing 40
minutes once the discrepancy was pointed out.</p>
<h3>World’s Fastest Truck</h3>
<p>As far as we know, Flock cameras take a series of images and/or a short video clip when they detect
motion. Flock and police often emphasize that it’s “only the license plate” or “just the back of the
vehicle.” Of course, the laws of physics dictate that you can’t know what’s in a picture before you
take it. This truck is a demonstration:</p>
<p><img src="https://footnote4a.org/blog/own-nothing/truck2.jpg" alt="Image #1 of black truck">
<img src="https://footnote4a.org/blog/own-nothing/truck1.jpg" alt="Image #2 of black truck"></p>
<p>These two images were taken in rapid succession. It’s hard to even tell the vehicles are in a
different location, but you can see the “Flock Safety” watermark is positioned
differently.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>These images are clearly of the front of the vehicle. But that’s not the interesting part.</p>
<h3>Metadata and Time Confusion</h3>
<p>Some of these images have been used as evidence at criminal trials, many in the “over 30 cases” that
Flock likes to falsely cite as upholding the constitutionality of its cameras. The timestamps on the
Joplin images should give anyone relying on that evidence pause.</p>
<p>The filename for both images contains “2026-02-16T23-39-42.219+00-00”, suggesting the images were
taken less than 0.0005 seconds apart. That is neither possible, nor true, based on what’s in the
images: we can see the car moving maybe 10 feet. Tacomas don’t typically travel at hypersonic speeds
exceeding Mach 17.</p>
<p>The timestamp in the picture is “2/16/2026 17:39:42 CDT.” This is an odd mix. The date is
unmistakably American (mm/dd/yyyy), but the time is in 24-hour format rather than am/pm. On February 16,
that’s not confusing. Four days earlier, it might have been.</p>
<p>But even more confusing is that the timezone is labeled as CDT, or Central Daylight Time
(UTC-5). Daylight saving time is not in effect in Missouri in the middle of February; CST (UTC-6)
is. The overlay is therefore ambiguous as to whether the image was taken at 5:39pm or 4:39pm.</p>
<p>The timestamp in the filename (23:39:42.219 UTC) suggests the labeling (“CDT”) is off, but we’ve
already established that it is not possible for the timestamp to be accurate for both images until
we have hypersonic Tacomas.</p>
<p>The (EXIF) metadata has been scrubbed, so there is no third hint.</p>
<p>That leaves these images without a reliable timestamp. These aren’t abstract concerns — they cast
doubt not only on the accuracy of these files, but on the accuracy of every other image produced by
the same system.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p><img src="https://footnote4a.org/blog/own-nothing/sunset-progression.jpg" alt="Sunset in Joplin"></p>
<p>The only way we can determine the time with any certainty is by looking at the position of the sun
and the 5:59pm sunset noted in the almanac for Joplin, MO, on February 16.</p>
<p>AI-based surveillance so high-tech you need a sundial to make sense of it.</p>
<h3>License Plate Detection</h3>
<p>The other piece of metadata in the image, below the timestamp, is a license plate: <span
class="text-nowrap font-mono">0FH D30</span>. According to <a href="https://www.lookupaplate.com/missouri/0FHD30/">lookupaplate.com</a>, the plate
corresponds to a 2014 Toyota Tacoma with an extended cab.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup> The plate is also formatted per
Missouri’s light truck standards, with a renewal date in April (<code>F</code>) and a last sale date likely in
2023 or 2024 (<code>H</code>).</p>
<p>The quality of these images is extremely low (<a href="https://footnote4a.org/blog/own-nothing/truck-zoom2.png">second image</a>), to
the point where they no longer contain the license plate information.</p>
<p><img src="https://footnote4a.org/blog/own-nothing/truck-zoom1.png" alt="Zoomed in plate #1"></p>
<p>Everyone who has ever used a computer knows that the “zoom and enhance” from <a href="https://www.youtube.com/watch?v=Vxq9yj2pVWk">movies and TV
shows</a> isn’t really a thing. Sure, you can <a href="https://www.youtube.com/watch?v=u8qgehH3kEQ">backhack</a> and extrapolate <em>some</em> data, but
here too the laws of physics get in the way.</p>
<h3>Access to the Image</h3>
<p>If we assume Flock abides by the laws of physics — if no others — then the only sensible conclusion
is that the license plate encoded in the bottom-right of the frame was not derived from these images
at all, but from some other image that the City of Joplin theoretically owns, but can’t access.</p>
<p>This also independently follows from the fact that the images have watermarks and metadata overlays,
assuming those are not created by the hardware itself.<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup></p>
<p>The requester was precise and asked for “the data from Flock OS and the camera’s internal storage”
to ensure he got the actual image, and not only a presentation version.</p>
<p>A high-resolution version must exist somewhere. Flock generally suggests that the city owns the
original image and that it will be retained until the end of the retention period. That is to say,
Flock should not be deleting its customers’ data without authorization.</p>
<p>Joplin provided the images shown and states that “[t]he Sunshine Law does not require the Department
to obtain duplicate copies of the same data directly from the vendor or from the camera’s internal
storage in addition to what we can access via our portal.”</p>
<p>In other words, there are no originals, but even if there were, the city can’t access them.</p>
<p>Not even Joplin, the ostensible owner of the images, is allowed to look at them.</p>
<p>Below is an AI-enhanced image, where Google’s “Nano Banana” (a generative AI upscaling model) has
filled in the blanks by making up what could have been in the picture.</p>
<p><img src="https://footnote4a.org/blog/own-nothing/truck-ai.png" alt="AI-enhanced image"></p>
<p>This image does not show the actual content of the original, but it shows a level of clarity and
detail that is much closer to the original image captured than the blurry version that Joplin can
access and provided in response to the request.</p>
<p>The Tacoma is not an outlier; there are cars (<a href="https://footnote4a.org/blog/own-nothing/car1.jpg">picture 1</a>, <a href="https://footnote4a.org/blog/own-nothing/car2.jpg">picture
2</a>), <a href="https://footnote4a.org/blog/own-nothing/suv1.jpg">SUVs</a>, and — just to cover “we don’t
photograph people” — a <a href="https://footnote4a.org/blog/own-nothing/mc.jpg">motorcyclist</a>. None of these plates are legible.</p>
<h2>The Original Logs</h2>
<p>The ownership problem extends beyond images. Logs suffer the same fate. I’ve written at length about
<a href="secret-searches-part2">Flock unilaterally removing log data</a>, and how that cuts against both the
supposed immutability of the logs and customer ownership.</p>
<p>I’ve alluded to how, in some states, it may fall under statutes prohibiting the alteration or
destruction of public records, and written about <a href="flock-vs-foia">how Flock inserts itself in open records
requests</a> even when law prohibits doing so. I won’t rehash all of that here.</p>
<p>Instead, I give you the Flock “Customer Guidance for Preserving and Requesting Flock Data for Public
Records Requests”:</p>
<p><a href="https://footnote4a.org/blog/own-nothing/kodex.pdf">Customer Guidance for Preserving and Requesting Flock Data for Public Records Requests</a></p>
<p>It’s a guide on how to submit requests for data via Kodex, which, according to Flock, “is a secure
digital platform for managing, processing, and responding to data and legal requests.”</p>
<p>Flock uses the system for “Legal requests,” which apparently includes open records requests,
“Preservation requests,”<sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup> and “Quick questions.”</p>
<p>Once the ostensible owner of the records requests “their” records from Flock, “Flock’s Evidence
Division and Engineering Team will review your request, pull available data, and transmit the
completed data package through Kodex.”</p>
<p>Flock does note that “our Evidence Policy asks for 14 calendar days to fulfill requests. If data is
needed sooner, we are motivated to help customers to meet any FOIA/PRA deadlines they are facing.”</p>
<p>Government agencies are responsible for their own deadlines. In states with statutory deadlines, and
even those without, the requirement is not “respond within 10 days, or later is fine too if your
vendor is not feeling it.”</p>
<p>In fact, a 14 calendar day limit exceeds the statutory deadline in several states, and entering into
a contract that <em>formally requires</em> non-compliance with law is a legally dubious proposition.</p>
<h2>Ownership in Name Only</h2>
<p>Officials tell the public that Flock’s cameras “take a picture of the back of the vehicle” and “only
capture license plates.” They assure us the image does not include the vehicle’s occupants.</p>
<p>Cities like Joplin genuinely can’t access all of “their” information. They uncritically accept
blurry images with derived license plates, and if they want the originals, they must ask the vendor
nicely and wait at least 14 days — or less, if the Spirit so happens to move Flock.</p>
<p>The ownership is a fiction. The customer has never possessed the original image or the original log.
If it can even obtain it at all, it can’t do so independently; it can only submit a formal request
to Flock — which will respond on its own timeline, in whatever format it chooses.</p>
<p>That’s not ownership. That’s a favor.</p>
<p>And this is the evidence that’s putting people in prison.</p>
<hr>
<p class="text-sm"><a href="https://deflockjoplin.today/posts/2026-03-18-Everyone-Can-Be-Flock.html">Deflock Joplin</a> published
its own analysis of the images, where they raise some excellent points.</p>
<p class="text-sm"><em>Note</em>: The images in this article are post-processed for web delivery. They may be of slightly
lower quality than the originals. The <a href="https://www.muckrock.com/foi/joplin-20300/4th-and-maiden-flock-records-204786/">originals are available via MuckRock</a>.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>This watermark appears in all images, but its placement varies. It suggests maybe Flock is
trying to place it in an area where it would not be in the way. As you can see, it doesn’t
appear to work great. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>See last month’s article about “<a href="burden-of-truth">the burden of truth</a>” for details on how
Flock’s evidence authentication system further exacerbates this problem. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>I make no claims about that website’s accuracy, but we do appear to be looking at a
second-generation Toyota Tacoma. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>This is a reasonable assumption, given what we know about Flock’s hardware. <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>Flock having a process for preservation requests is interesting for various (legal) reasons, but
those are outside the scope of this article. <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Lorem Ipsum Is the Most Honest Thing on Flock's Trust Center]]></title>
            <link>https://footnote4a.org/news/trust-center</link>
            <guid isPermaLink="false">https://footnote4a.org/news/trust-center</guid>
            <pubDate>Tue, 17 Mar 2026 02:30:00 GMT</pubDate>
            <description><![CDATA[Flock launched a half-finished Trust Center full of placeholder text and unvetted claims — an unintentional demonstration of the access control failures it was built to deny.]]></description>
            <content:encoded><![CDATA[<p>Flock has been repeatedly criticized — by myself and others — for not adhering to the basic
principles of security, let alone the actual requirements set out by federal regulations and
security frameworks like ISO27k1 and SOC2. There have been multiple incidents where production data
has been used and leaked in development, or vice versa. Flock refuses to acknowledge or learn from
past mistakes. To assuage our fears about control failures, it has now launched the development
version of its new Trust Center to production.</p>
<p>Its newly-launched Trust Center answers such hard-hitting questions as “Is this mass surveillance?”
with:</p>
<blockquote>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut
labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris
nisi ut aliquip ex ea commodo consequat.</p>
</blockquote>
<p>Though, to be fair, that answer is better than the complete fabrication elsewhere on its page that
says “Flock does not operate a centralized or open surveillance database. Each customer environment
is independent.”</p>
<p>The meaning of “centralized database” is clearish — Flock likely tries to distinguish it from a
<em>decentralized</em> database. In this case, that claim is similar to claiming your kitchen is not a
centralized place for your pots and pans because you have multiple cupboards.</p>
<p>“Global database” is equally almost-apparent. What the new term “open database” (it also appears on
another page) is supposed to mean is murky. Maybe it will clarify later, or maybe the murkiness is
the point.</p>
<p>In any case, it will be interesting to see what elements survive contact with the legal team. One
page makes claims about academic research partnerships and third-party audits — neither appears to
exist in any meaningful way:</p>
<p><img src="https://footnote4a.org/blog/trust-center/audits.png" alt="Independent audits"></p>
<p>Another page claims that the GDPR is “The world’s strictest standard for data privacy.” Which is not
only incorrect, but shows a complete lack of understanding of what GDPR actually is and how it works
(it is a regulation that sets a floor, not a ceiling — member states can and do impose stricter
requirements).</p>
<p>Anyway …</p>
<p>The fact that a half-finished set of pages found their way to production is embarrassing but not, in
itself, a major issue. I can’t judge that too harshly because I pretty much develop in production
all the time.</p>
<p>Where it becomes an issue is when you’re looking at organization-wide controls and data governance,
as in SOC2 or ISO27k1, which Flock cites in support of its being deserving of trust.</p>
<p>These are essentially wireframed pages. Who deployed them to production? The answer to that question
is almost certainly some web developer or marketing associate working on the page layout and design.</p>
<p>Did Legal or Compliance approve statements like “Lorem ipsum” for public consumption? My magic
8-ball says “absolutely not.” Did the product team review the system description for accuracy? “Try
again.”</p>
<p>The release of these pages is a symptom of Flock’s broader problem: it fails to implement meaningful
controls on access while claiming it has them in its marketing materials. This page is one example.</p>
<p>Another is this screenshot from a video showing a Flock customer service representative with full
access to the admin interface for what appears to be every single Flock customer:</p>
<p><img src="https://footnote4a.org/blog/trust-center/admin.png" alt="Admin access"></p>
<p>According to Flock’s lorem-ipsum-heavy Trust Center, we are looking at independent customer
environments with proper access controls, and definitely not a centralized or open surveillance
database where a low-level Flock employee can click a button to obtain access.</p>
<p>The secondary problem in that screenshot (there are more in the complete video, but more on that
later) is that Flock apparently classified the Olympia Fields IL Park District as “Law Enforcement.”</p>
<p>Presumably that means that it has access to the database that stores information from Flock’s
national network of <a href="network-size">250,000+ cameras</a> (more on that later too).</p>
<p>This is a problem because the Park District does not appear to be a law enforcement agency at all —
it manages playgrounds, picnic shelters, and a disc golf course.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>But once again, nobody appears to have caught the error, despite all the safeguards, constraints,
audits, and controls that Flock touts in its trust centers, old and new.</p>
<p>An agency has access to data it’s not supposed to have, which shows up in a video recorded by
someone who can access data they’re not supposed to have access to. The Trust Center, which was also
published by someone who should not have published it to an environment they should not have access
to, says everything is fine.</p>
<p>Flock can’t be trusted. No amount of lorem ipsuming will change that.</p>
<ul>
<li><a href="https://archive.vn/EX3nl">Data Privacy</a></li>
<li><a href="https://archive.vn/EDyPT">Facts vs Myths</a></li>
<li><a href="https://archive.vn/TQg8j">Civil rights</a></li>
<li><a href="https://archive.vn/MeUY6">Law enforcement</a></li>
</ul>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Park Districts in Illinois are independent municipal corporations that <em>can</em> employ police
officers, but only a handful do so — Olympia Fields Park District does not appear to be one of
those few. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock Releases Marketing Video, Leaks CJI and Own Address]]></title>
            <link>https://footnote4a.org/news/drone-as-dataleak</link>
            <guid isPermaLink="false">https://footnote4a.org/news/drone-as-dataleak</guid>
            <pubDate>Fri, 06 Mar 2026 03:00:00 GMT</pubDate>
            <description><![CDATA[Flock's two-minute cinematic masterpiece appears to show real license plates with real hotlist entries broadcast on screen — and the address of an unidentified industrial building surrounded by Flock hardware.]]></description>
            <content:encoded><![CDATA[<p>Flock posted <a href="https://youtu.be/VZnFcbxnd4A">a new marketing video</a>. It shows real license plates
associated with real criminal justice information, broadcast on screen, unredacted. Whether anyone
on the marketing team <a href="https://haveibeenflocked.com/news/flock-access">is even on the CJIS certification
list</a> is left as an exercise for the reader.</p>
<p>The events in the video take place at <a href="https://www.loopnet.com/Listing/1310-Seaboard-Ind-Blvd-NW-Atlanta-GA/37472643/">Flock’s offices</a> in an anonymous industrial building
at 1310 Seaboard Industrial Blvd NW, Atlanta, GA — Google Maps confirms the building is surrounded
by Flock equipment and is identified as a drone launch site.</p>
<p>Now, the film.</p>
<p>Flock’s story starts when a hoodie-clad man rolls up to the crime scene in his brand-new Mazda.</p>
<p>He gets out and approaches the building’s front door, tactical Halligan bar in hand.</p>
<p>Unfortunately for the would-be ne’er-do-well, a blue light comes on.</p>
<p>On the screen it says “From detection to decision.”</p>
<p>The camera pans from the blue light to a Flock Falcon license plate reader, which definitely only
captures license plates and not people.</p>
<p>It’s a little unclear if the “detection” is the blue light, and the “decision” is the license plate
reader, or if there’s something else going on.</p>
<p>Never mind. A Realtime Crime Center!</p>
<p><img src="https://footnote4a.org/blog/drones-as-dataleak/rtcc1.png" alt="RTCC Phoenix plates" class="w-2/3"></p>
<p>The interface shows 3 license plates with real Phoenix, AZ, locations. They are flagged as “Expired
Driver’s License”, “Suspended”, and “Invalid License” — exactly the category of high-level crime
that Flock believes warrants placing a nation under surveillance.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>A man with a moustache clicks “Dispatch drone.”</p>
<p>This time, the ALPR list shows license plates annotated “Invalid License”, “Sex Offender”,
“Expired Tag”, and “Expired Driver’s License.” Those CJI tidbits slide off the screen and cut to a
drone being released from a box.</p>
<p>If it was your license plate broadcast alongside “Sex offender”: congratulations, you get to talk
to a lawyer.</p>
<p>“Drone as Automated Security deployed”, the on-screen letters inform us.</p>
<p>The drone takes off and spots the Mazda parked under a streetlamp about twenty feet away.</p>
<p><em>Technologia</em>.</p>
<p>The Mazda appears to be parked more than 12 inches from the curb.</p>
<p><em>Dramatic music intensifies</em>.</p>
<p>“Thermal night vision capabilities.”</p>
<p>The Mazda is still parked under the streetlamp.</p>
<p>Now we see a digitally altered black-and-white image. Thermal vision, presumably — though it
reads as a color-filter pass on regular footage.</p>
<p>Halligan-bar-man is doing something with the door. The drone switches back to normal vision,
because the other vision was garbage.</p>
<p>Our hero, the drone, sneaks up on Halligan-man as the letters assure us of “Presence that
de-escalates.”</p>
<p>Halligan-bar-man flips out.</p>
<p>He runs away, toward his Mazda.</p>
<p>Someone somewhere gets a phone notification: “Global Logistics has invited you to spectate a flight
on Flock DFR.”</p>
<p><em>Grab the popcorn, we’re spectating</em>.</p>
<p>The drone watches our man peel off past several Flock ALPRs and PTZs.</p>
<p>Now we’re back at dispatch in Phoenix, walkie-talkie’ing Dunwoody PD, which recently paused its
Flock contract “<a href="https://atlpresscollective.com/2026/02/25/dunwoody-flock-contract-911/">over data use concerns</a>.”</p>
<p>Officer Dunwoody manages his drone from the car laptop en route to the crime scene. Operating
aircraft you can’t see while you’re driving a vehicle is safe, right? Must be — the FAA allows it.</p>
<p>Meanwhile, for reasons only known to hoodie-man, he has circled back and parked at Flock Central —
1310 Seaboard Industrial Blvd NW — the drone’s home base. He is ready to surrender his life of crime
and be arrested for the one offense he committed: parking too far from the curb.</p>
<p><em>Music crescendos</em>.</p>
<p>He gets out of his new Mazda, wireless CarPlay still connected, hands to the sky.</p>
<p><em>Handcuffs</em>.</p>
<p>We got him, boys.</p>
<p>“Flock Drone as Automated Security”</p>
<p>“One click automated operation”</p>
<p>Dead stick logo.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>The RTCC screen implies stops predicated on a plate associated with a suspended license. A
vehicle registration tied to a suspended license is not probable cause to stop the vehicle — the
registered owner may not be driving, and status attached to a person does not transfer to the
car. <em>Kansas v. Glover</em>, 589 U.S. 376 (2020) created a narrow reasonable suspicion exception
where an officer <em>reasonably infers</em> the owner is driving, but that inference is rebuttable and
fact-specific — not a blanket authorization to stop every plate that returns a suspended
license. Why we’re putting them up on a screen is anyone’s guess. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Iowa's ALPR Bill Would Make Des Moines the License Plate Data Capital of America]]></title>
            <link>https://footnote4a.org/news/hf2161-march</link>
            <guid isPermaLink="false">https://footnote4a.org/news/hf2161-march</guid>
            <pubDate>Tue, 03 Mar 2026 22:15:00 GMT</pubDate>
            <description><![CDATA[An amendment strips warrant requirements and hands insurance companies access to a national surveillance database — with Iowa as the legal gateway.]]></description>
            <content:encoded><![CDATA[<p><a href="https://www.legis.iowa.gov/docs/publications/LGI/91/HF2161.pdf">Iowa House File 2161</a> started life as a bill purporting to regulate Automatic License Plate
Readers (ALPRs). It began as a well-intentioned, if likely toothless, attempt to put guardrails
around police use of surveillance technology. <a href="https://www.legis.iowa.gov/docs/publications/AMDI/91/H8006.pdf">An amendment</a> has turned it into something
else: statutory authorization for commercial entities to access a privately-operated surveillance
network built on public property, public permits, and public contracts — all under the guise of
fraud prevention<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> and claims adjudication.</p>
<p>Civil rights organizations appear not to have caught on. At the time of writing, they are still
voicing support for a bill that threatens to severely undermine the privacy rights of everyone in
the country.</p>
<h2>A Private Network on Public Infrastructure</h2>
<p>The legal theory under which camera-operators and police operate is that they are photographing
vehicles on public roadways, and that the images therefore don’t implicate privacy interests.</p>
<p>Flock’s cameras sit on public utility poles, installed under public permits, paid for under public
contracts — infrastructure a purely private company could never obtain on its own. The data flows
into a corporate-owned database that participating agencies can query nationwide. Flock is not a
government agency; it’s a vendor that has successfully made itself look like public infrastructure.</p>
<p>The data is public enough to collect from every street corner without a warrant; when requested
under open records laws, those same images and records tend to magically transform into sensitive
intelligence not fit for public consumption.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> When a Washington state court found that
version of Schrödinger’s photographs — public enough to gather on every corner, too sensitive to
disclose to the public whose streets paid for them — to be legally incoherent, police across the
state cancelled their ALPR contracts, ostensibly to protect Washingtonian privacy.</p>
<p>Vendors and police have so far resisted both horns of this dilemma. There is no warrant requirement
for collection, no meaningful FOIA access, and agencies can look up anyone’s long-term, nationwide
location history without judicial oversight. The data is pooled nationally. A camera in Des Moines
contributes plate reads to the same database as a camera in Houston.</p>
<p>This is not an Iowa database. It is a national one.</p>
<h2>How Iowa Becomes a National Gateway</h2>
<p>Readers outside the Hawkeye State may not be aware that Des Moines is a — perhaps <em>the</em> — major
<a href="https://data.iowa.gov/Regulation/Iowa-Domiciled-Insurance-Companies/wd57-wrqf/explore/query/SELECT%0A%20%20%60company_name%60%2C%0A%20%20%60company_type%60%2C%0A%20%20%60naic_number%60%2C%0A%20%20%60iowa_license_number%60%2C%0A%20%20%60iowa_domiciled%60%2C%0A%20%20%60address1%60%2C%0A%20%20%60address2%60%2C%0A%20%20%60company_city%60%2C%0A%20%20%60company_state%60%2C%0A%20%20%60company_zip%60%2C%0A%20%20%60telephone%60%2C%0A%20%20%60alternate_address1%60%2C%0A%20%20%60alternate_city%60%2C%0A%20%20%60alternate_state%60%2C%0A%20%20%60alternate_zip%60%2C%0A%20%20%60alternate_telephone%60%2C%0A%20%20%60business_license_type%60%2C%0A%20%20%60ownership_type%60%2C%0A%20%20%60location%60%2C%0A%20%20%60alternate_location%60/page/filter">insurance hub</a> in the United States, home to Principal Life, Transamerica, Wellmark,
EMC, United Fire, and dozens of others. Iowa-domiciled insurers account for roughly 2–4% of total US
premiums, heavily concentrated in life, annuity, and commercial lines.</p>
<p>The amendment doesn’t restrict ALPR data access to Iowa insurers, Iowa plates, or Iowa accidents. It
opens the tap to any “insurance carrier, or an insurance support organization” — nationally, without
geographic limitation.</p>
<p>Flock and similar vendors maintain a pooled database of plate reads contributed by agencies across
the country. An Iowa city enters into an agreement with Flock. Under the amended bill, that city may
now lawfully share the data — location history, timestamps, images — with insurers for “adjudicating
insurance claims,” even if the data was originally collected nowhere near Iowa. Iowa’s authorization
is the fig leaf that legitimizes access to a database populated by agencies in California, Texas,
and New York.</p>
<p>That’s data laundering: a permissive jurisdiction provides the legal cover that turns a
publicly-subsidized national surveillance network into a commercial data product. Iowa’s
overrepresentation in the insurance industry means the companies most likely to exploit this are
disproportionately headquartered in the same state that just handed them the keys.</p>
<p>The phrase “insurance support organization” makes this worse. In insurance law, that covers data
aggregators, claims analytics firms, and infrastructure providers like <a href="https://www.verisk.com/solutions/underwriting-rating/general-liability/">Verisk/ISO</a> —
entities whose business is pooling and reselling data across the industry. Data that enters that
pipeline does not stay in the lane it entered through.</p>
<p>The amendment doesn’t just give insurers access to ALPR data; it gives the entire insurance data
ecosystem access to ALPR data.</p>
<p>Next time you’re involved in a car accident, the insurer may pore through your location history to
find reasons not to pay. Stopped at a bar the night before, even for a diet soda? That may become an
argument. If your employer’s insurer is watching while you recover from an injury, think twice
before leaving the house to pick up your prescription.</p>
<h2>What the Amendment Actually Removed</h2>
<p>The original bill named a legal threshold: no one could access ALPR data more than 24 hours after
capture without a magistrate-issued search warrant or a county attorney’s subpoena for a specific
plate. In practice, the subpoena option gutted the warrant requirement before the ink dried — a
county attorney can issue one without judicial oversight, meaning the same prosecutorial office that
wants the data could authorize its own access. But even that weak threshold is gone.</p>
<p>In its place: a requirement to log a “call for service number or case number” before searching.
That’s an administrative record-keeping requirement, not a legal threshold. No independent review,
no probable cause, no judicial oversight.</p>
<p>The original bill also flatly prohibited sharing data with any nongovernmental third party. The
amendment replaced that prohibition with an explicit whitelist that includes insurers, or anyone who
promises to use the data “for the sole purpose of protecting public safety, conducting criminal
investigations, or ensuring compliance with federal, state, or local law.” What was a ban became an
authorization.</p>
<p>The penalty regime was similarly softened. Violations now require proof of “willful and intentional”
conduct, and the aggravated misdemeanor threshold requires the violation also be committed “for
personal gain or while violating any other provision of law.” Routine unauthorized sharing — the
kind driven by bureaucratic carelessness or vendor pressure — is unlikely to be prosecuted at all.</p>
<h2>The Lobbying Picture</h2>
<p>The <a href="https://www.legis.iowa.gov/lobbyist/reports/declarations?ga=91&amp;ba=HF2161">lobbying declarations</a> for this bill tell a more complicated story than the civil
liberties coalition supporting it would suggest.</p>
<p>The Iowa Association for Justice, Institute for Justice, the American Civil Liberties Union of Iowa
(ACLU-IA), and Americans For Prosperity are all registered For the bill. AFP’s registration predates
the amendment by two weeks; ACLU-IA’s and IJ’s were filed the same day the amendment dropped in
committee. Whether their support reflects the amended text or the original is a question worth
asking them directly.</p>
<p>Flock itself is registered as Undecided. So is RELX Inc. — the parent company of LexisNexis Risk
Solutions, one of the largest data brokers in the country. LexisNexis Risk Solutions sells
comprehensive consumer risk profiles to insurers, compiled from court records, motor vehicle
databases, property records, and commercial data sources. It has no reason to be watching this
legislation unless the amendment’s “insurance support organization” carve-out is relevant to its
business — which it plainly is. That it hasn’t registered in support suggests either that the bill
doesn’t go far enough, or that it’s waiting to see which way it moves. The National Insurance Crime
Bureau — explicitly named in the amendment’s carve-out — is also Undecided.</p>
<p>The Iowa State Sheriffs’ &amp; Deputies’ Association, the Iowa State Police Association, and the Iowa
Peace Officers Association are all registered Against. So are Axon Enterprise and the Security
Industry Association — Flock’s commercial competitors, whose objections are about market share, not
civil liberties.</p>
<p>No group is opposing the bill on civil liberties grounds.</p>
<h2>What This Bill Actually Does</h2>
<p>It authorizes local Iowa governments to deploy a privately-operated surveillance network on public
infrastructure — then share the resulting data with the commercial insurance industry, nationally,
with no warrant requirement, no meaningful penalty for abuse, and no restriction on which insurers,
in which states, beyond the three enumerated purposes.</p>
<p>Iowa is not regulating mass surveillance. Iowa is commercializing it.</p>
<hr>
<p class="text-xs text-muted mt-4 mx-4 text-center">Cross-posted from <a href="https://footnote4a.substack.com/p/how-the-iowa-alpr-bill-enables-mass">Footnote 4A</a>, where I cover Flock, privacy, and public-private
surveillance infrastructure more broadly. Flock-specific posts live on
<a href="http://haveibeenflocked.com">haveibeenflocked.com</a>.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Iowa DOT’s long-running <a href="https://footnote4a.substack.com/p/dot-frt">facial recognition program</a> also began life as a tool to combat
fraud. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Despite the database being owned and operated by a private corporation — one whose cameras were
installed using public permits, public contracts, and in many cases public funds. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock promises to implement logging feature it claimed existed]]></title>
            <link>https://footnote4a.org/news/california-cjis</link>
            <guid isPermaLink="false">https://footnote4a.org/news/california-cjis</guid>
            <pubDate>Mon, 02 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Flock Safety's blog post about 'enhanced guardrails' is a confession dressed as a product announcement. The company admits it wasn't logging sharing configuration changes — a CJIS Security Policy violation — while its guardrails still leave tribal nations and private universities outside SB 34's reach.]]></description>
            <content:encoded><![CDATA[<p>In November last year, I published “<a href="federal-insecurity">Federal Insecurity: How Flock Lies to the Feds</a>.”
Now, Flock got caught in that lie. But it promises to do better. Sort of.</p>
<p>Several California agencies have reported discovering that data was shared in violation of SB
34—although I have not yet been able to verify the exact number, I’ve heard as many as 63 California
agencies have been confirmed affected. This certainly seems plausible with separate reports coming
out of <a href="https://www.ktvu.com/news/flock-cameras-saratoga-mountain-view-immigration">Mountain View</a>, <a href="https://santacruzlocal.org/2026/01/13/santa-cruz-leaders-vote-to-terminate-contract-with-flock/">Santa Cruz</a>, <a href="https://abc7news.com/post/santa-clara-county-stop-using-flock-safety-cameras-several-cities-privacy-concerns/18646060/">Santa Clara County</a>, and <a href="https://www.cbsnews.com/losangeles/news/flock-license-plate-readers-shared-data-with-out-of-state-federal-agencies/">Ventura County</a>.</p>
<p>In <a href="https://losgatan.com/santa-cruz-terminates-its-contract-with-flock-safety/">earlier reporting by Los Gatan</a>, Santa Cruz said that Flock had notified them of an issue.
In response to a CPRA request, Santa Cruz denies the existence of that email.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> However, Santa
Cruz Chief of Police Bernie Escalante <em>did</em> deliver the following statement at a November 18, 2025,
Santa Cruz city council meeting:</p>
<blockquote>
<p>We were recently made aware that Flock Safety identified violations of SB 34 and SB 54 within
their system architecture that inadvertently affected agencies across California, including the
City of Santa Cruz.</p>
<p>The issue arose when a national search tool within the Flock Safety system was activated which
inadvertently permitted law enforcement agencies outside the state of California to search all
agencies across the country including agencies within the state of California.</p>
<p>These violations were not known to Santa Cruz Police Department and were not the result of any
deliberate attempt by city staff to circumvent the California law.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> We have been notified by
Flock that these violations ceased on February 11, 2025.</p>
<p>Additionally, since this date, Flock has added multiple layers and filters of security to ensure
this does not occur again in the future. Since February 11, 2025, Flock has made several changes
to their system to ensure this does not occur again and to ensure that the Santa Cruz police
department is not in violation of state law—both SB 34 and SB 54.</p>
<p>So far, Flock has deactivated the national search tool for agencies within the state of
California, revoked all permissions for any California agency to create a 1:1 relationship with
any agency outside the State of California and added filter protections against any searches that
include anything related to ICE, border patrol, immigration, or any other word or phrase like this
type of search.</p>
<p>Flock continues to look for additional ways to improve or modify their system to ensure the
security of their data is within the laws of the state of California.</p>
<p>— <a href="https://www.youtube.com/watch?v=ia-Qm-huAJM">SCPD Statement</a>, Santa Cruz City Council Meeting, November 18, 2025</p>
</blockquote>
<p>A lot of this statement is demonstrably false.</p>
<p>As we know, <a href="el-cajon-ca-feb2026">1:1 sharing is alive and well in California</a>.</p>
<p>Yet this is the statement SCPD made in November last year, about an action Flock had taken some time
before February 2025—a little over a year before today’s blog post, where it announces, for the most
part, the same problem and the same changes.</p>
<p>Either Flock kept all of this under wraps for over a year,<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup> or it happened again, because Flock is
once again engaging <a href="https://archive.is/aD5ly">damage control mode on its blog</a>, announcing many of the same “new”
features the SCPD announced were introduced in February 2025.</p>
<p>Of course, it’s Flock, so “damage control” means “hand me a shovel so I can keep digging.”</p>
<h2>Flock Knows, You Don’t.</h2>
<blockquote>
<p>some CA law enforcement agencies, including Ventura County, in 2025 had their camera networks
inadvertently accessible<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup> to out-of-state law enforcement agencies for a period of time.</p>
</blockquote>
<p>Flock immediately downplays and obfuscates what happened. Agencies “had their cameras accessible.”
That doesn’t mean anything. “For a period of time.” Equally meaningless. How much data was shared in
violation of state law? For how long?</p>
<p>Flock knows what happened, and, according to SCPD, even notified agencies back in 2025, but it has
decided you don’t get to know.</p>
<blockquote>
<p>[Flock] made every effort possible to determine the cause of each reported instance of inadvertent
sharing. Unfortunately, due to earlier limitations in technical logging, in some cases it is
impossible to determine a specific cause.</p>
</blockquote>
<p>Let’s assume for a second that this is true. Let’s say Flock is careless and does not log who makes
changes to a critical toggle.</p>
<p>If a cause can’t be determined, it can only mean one thing: there are multiple options.</p>
<p>It means Flock customers are <strong>not</strong> the only ones in control. It means that the pitch that “you own
100% of your data, and you are in control”, as well as “it’s a local decision” is completely,
utterly, false. There is no other explanation.</p>
<p>Flock, in this same blog post, nonetheless continues to assert that “cities and counties retain
100% control over their LPR data and determine who it is shared with.”</p>
<p>Clearly not.</p>
<h2>The Logging Requirement</h2>
<p>Flock not having logging would in itself be yet another admission that it does not follow the CJIS
Security Policy, as it implies it does when it flaunts its “CJIS ACE Certificate” from its commercial
partner in Florida.</p>
<p>The <a href="https://le.fbi.gov/file-repository/cjis_security_policy_v6-0_20241227.pdf">CJIS Security Policy v6.0</a> has several relevant requirements:</p>
<ul>
<li>AU-2 (Event Logging) and CM-3 (Configuration Management) require exactly the type of logging Flock
claims not to have.</li>
<li>4.2.5.1 (Justification) and AU-3 (Content of Audit Records) require the purpose of a query. Flock’s
<a href="https://footnote4a.org/dropdown-reasons">NIBRS-based</a> justification requirement is not an enhancement — it is the minimum
that should have been in place from the outset.</li>
<li>CA-3(d) (Secondary Dissemination) — secondary dissemination must be logged; those logs must
include the requester’s authorization.</li>
</ul>
<p>In Flock’s half-baked defense, it does fall on the agencies to verify that Flock abides by the terms
of the contract it signed, and to make sure their vendor isn’t simply having its rank-and-file
employees sign <a href="flock-access">a form that exposes them, not the company</a> to liability when
violations inevitably happen.</p>
<h2>Flock Promises More Violations</h2>
<p>For those who have been following along for a while, the gradual narrowing is interesting to watch.
In a span of weeks, Flock’s messaging shifted from “Flock does not sell data,” to “Flock does not
sell data to the federal government” to “Flock does not sell data to DHS agencies.”</p>
<p>When even the <a href="https://footnote4a.org/pd/8258-federal-us-postal-inspection-service/audit?q=immigration&amp;sort=date_desc">postal service does civil immigration enforcement</a> it becomes hard to track.</p>
<blockquote>
<p>“Flock has always provided agencies with tools to comply with state law and relied on each agency
and its legal counsel to determine how those tools should be configured,” said Dan Haley, Chief
Legal Officer at Flock Safety.</p>
</blockquote>
<p>Dan clearly did not read the 345 words in the blog post preceding that statement, announcing that
Flock, in fact, did not always provide those tools but is now adding them.</p>
<blockquote>
<p>Flock Safety and California law enforcement agencies remain committed to ensuring that
investigative technologies are used responsibly, lawfully, and with appropriate oversight. The
system in place today includes standardized compliance protections designed to prevent
unauthorized federal access through lookup networks and to provide clear audit trails for every
search conducted.</p>
</blockquote>
<p>This statement deserves highlighting. Flock once again promises to prevent only unauthorized
<em>federal</em> access, and only if that unauthorized access happens <em>through lookup networks</em>.</p>
<p>This is a highly relevant distinction; at the time of writing, even a cursory inspection of
Transparency Portals shows Flock still permits sharing data with non-California agencies. And, no,
I’m not talking about <a href="el-cajon-ca-feb2026">El Cajon</a>’s open defiance of the AG, I’m talking about
Lake County, Piedmont, San Francisco, and so on.</p>
<p>California Attorney General Bonta clarified in his <a href="https://oag.ca.gov/system/files/media/2023-dle-06.pdf">October 2023 bulletin</a> that SB34 prohibits
sharing with any entity that is not a public agency. He included the definition:</p>
<blockquote>
<p>“Public agency” is defined as “the state, any city, county, or city and county, or any agency or
political subdivision of the state or a city, county, or city and county, including, but not
limited to, a law enforcement agency.”</p>
</blockquote>
<p>Because this definition excludes non-California agencies, it forms the basis for SB 34 being
understood to prohibit sharing outside of California.</p>
<p>What this definition also does not include are tribal nations and private university police —
neither are subdivisions of the State of California. Yet both appear on Flock’s California agency
lists: Blue Lake Rancheria Tribal PD, the Iipay Nation of Santa Ysabel, Stanford University PD, and
the University of the Pacific. All are permitted to access California ALPR data under Flock’s
“guardrails.”</p>
<p>These agencies also fit neatly into Flock’s promise, because arguably, although they have access to
the lookup network, they could be said not to be “federal agencies.” Of course, they also aren’t
“public agencies,” and all of this still violates the law.</p>
<p>Flock’s guardrails are carefully designed — not to prevent unlawful sharing, but to redefine what
counts as sharing. Each iteration narrows the promise while leaving the violation intact: not “we
don’t share data,” but “we don’t share data with DHS agencies through lookup networks in ways we
can’t characterize as something else.”</p>
<p>The question for California agencies isn’t whether Flock “remains committed” to lawful use. It’s how
many times they’re willing to take that commitment at face value before they check the audit logs —
assuming, of course, that Flock has started writing them.</p>
<p>(Perhaps this is why Flock is now <a href="https://www.classlawgroup.com/flock-safety-license-plate-reader-cameras-lawsuit">facing a class action in California</a>.)</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Of course, in keeping with the government’s long-standing tradition of disdain for
transparency, Santa Cruz sent its CPRA response at 5:02 <span style="font-variant:
all-small-caps">PM</span>. I will update this article with an explanation of the contradiction,
should the city provide one. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Remember kids, it’s okay to break the law, as long as you don’t do it on purpose. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Which says nothing good about the California agencies that didn’t notice this in their
logs for a year—as I pointed out last <a href="august-2025-drop">November</a>. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>It could be a coincidence that Flock and SCPD both use the phrase “inadvertently
accessible.” It could also not be. <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock's Best Argument: Cops Can't Stop Being Racist Without Us]]></title>
            <link>https://footnote4a.org/news/racist-cops</link>
            <guid isPermaLink="false">https://footnote4a.org/news/racist-cops</guid>
            <pubDate>Fri, 27 Feb 2026 21:00:00 GMT</pubDate>
            <description><![CDATA[A surveillance company and a surveillance-industry lobbyist walk onto a livestream.]]></description>
            <content:encoded><![CDATA[<p>This is a verbatim quote from <a href="https://archive.is/eeP96">Flock’s latest blog post</a>:</p>
<blockquote>
<p>For decades, policing often relied heavily on eyewitness descriptions.</p>
<p>An officer might hear:</p>
<p>“We’re looking for a white Ford.”</p>
<p>“The suspect was driving a blue Jeep.”</p>
<p>What happened next?</p>
<p>Officers would stop every vehicle matching that general description in the area. That meant
multiple drivers, often entirely innocent, were pulled over and had unwelcome interactions with
law enforcement simply because their car looked similar. Those stops could lead to frustration,
fear, and unnecessary escalation. And historically, those broad stop practices have
disproportionately affected communities of color.</p>
<p>This is exactly the kind of dynamic that creates distrust.</p>
<p>Flock changes that.</p>
<p>Instead of stopping every white Ford or blue Jeep in a radius, officers receive alerts only when a
specific license plate associated with a reported crime is detected. Not every vehicle of a
certain color. Not every driver in a neighborhood. Just the one vehicle that matches the reported
plate. That’s precision policing. It reduces unnecessary stops. It reduces guesswork. It reduces
broad, discretionary sweeps. And that reduction in discretion helps reduce bias.</p>
</blockquote>
<p>The passage directly echoes a comment made last week by Skylor Hearn on a privacy-focused
livestream hosted by VPN company <a href="http://vp.net">vp.net</a>. Hearn appeared alongside Dan Haley, Flock’s Chief Legal
Officer. Hearn told the audience:</p>
<blockquote>
<p>In the old days… it was the citizen, one of you, reporting what you saw in a flash, in a
horrific moment in your life, and you described generally a light-colored car. And so we’re
stopping every light-colored car that’s going down the road in that area. And 99% of those people
in those cars had nothing to do with that crime, but we’re pulling you over sometimes at gunpoint,
taking you out… The technology gives us the ability to be more select and discretionary in those
same kind of encounters. So we’re not indiscriminately just stopping everyone that resembled the
citizen’s call. This gives us another tool to help us be more sniper than shotgun.</p>
</blockquote>
<p>Same argument, same structure, same anecdote. Cops used to pull over every white car at gunpoint;
now Flock saves them from themselves.</p>
<p>Hearn was introduced on the stream as “Chief Deputy, Chambers County Sheriff’s Office.” That’s true
— he holds that title.</p>
<p>What the hosts neglected to mention is that Hearn is also the Executive Director of the <a href="https://www.sheriffstx.com/">Sheriffs’
Association of Texas</a>, a <a href="https://pulitzercenter.org/stories/texas-ai-powered-surveillance-arsenal-has-ballooned-proposed-laws-provide-few-guardrails">registered lobbyist for Clearview AI</a> in 2020–2021, and a
former <a href="https://www.klgates.com/kl-gates-adds-longtime-public-safety-professional-as-austin-government-affairs-advisor-6-15-2020">government affairs adviser at K&amp;L Gates</a>, where Clearview AI was his client.</p>
<p>He joined Clearview in-house in 2022 as its Director of Government Affairs, spending his time
testifying in state legislatures against banning or restricting police use of facial recognition
technology.</p>
<p><img src="https://footnote4a.org/blog/racist-cops/hearn.png" alt="Hearn on the vp.net livestream, February 21, 2026"></p>
<div class="text-sm text-center mb-2 italic">
Lobbyist Hearn on the vp.net livestream, February 21, 2026. Or Texas cop "I Spy".
</div>
<p>When a viewer asked Hearn directly about his Clearview AI and K&amp;L Gates history, he disclosed it —
framing it all as “public policy work” and talking about “misconceptions about technology.” He did
not use the word “lobbyist.”</p>
<p>So a man who is simultaneously a Flock subscriber and the Sheriffs’ Association’s legislative
director sat down with Flock’s Chief Legal Officer on a livestream, and a week later their shared
talking point appeared on Flock’s corporate blog.</p>
<p>The best argument this team could muster asks us to accept the premise they’re selling: that police
officers are simply incapable of conducting constitutional traffic stops without an AI to chaperone
them.</p>
<p>Their proposed solution to police violating one group’s rights? Let Flock violate everyone’s.</p>
<p>The Fourth Amendment does not have a carve-out for good intentions, and mass surveillance is not a
civil rights program.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Eighteen Years of Nightly Lineups]]></title>
            <link>https://footnote4a.org/news/dot-frt</link>
            <guid isPermaLink="false">https://footnote4a.org/news/dot-frt</guid>
            <pubDate>Mon, 23 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Iowa's DOT has run nightly facial recognition scans on millions of driver's license photos for eighteen years. In the past four, the scans have led to 14 criminal charges and zero recorded convictions.]]></description>
            <content:encoded><![CDATA[<p>Every night for the past eighteen years, the Iowa Department of Transportation has
scanned the face of every new driver’s license applicant against its entire photo
database. When its algorithm decides two faces look alike, an investigator pulls
credit histories, utility bills, social media posts, and criminal records into a
file. No warrant. No probable cause. No indication of fraud. Just a machine’s
say-so.</p>
<p>In response to an open records request, the DOT initially said it didn’t know
how many of these investigations led to convictions — or even to license
denials. It could confirm only that between January 2022 and November 2025,
there were 192 such cases.</p>
<p>The DOT promised to compile outcome data by early January and delivered—albeit a
bit late. The <a href="https://footnote4a.org/blog/dot-frt/dot-frt.xlsx">spreadsheet</a> tells a remarkable
story: of the 192 investigations, 28 led to no action of any kind, and only 14
resulted in criminal charges. The spreadsheet does not record whether any of
those charges led to convictions.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>This has been happening since at least 2008. And, of course, the FBI has been
tapping into Iowa’s database since <a href="https://footnote4a.org/blog/dot-frt/MOU-2014.pdf">at least 2014</a>.</p>
<p>Iowa is not unique, but its story illustrates, in granular detail, how the
federal government and state DMVs have quietly built one of the largest
surveillance infrastructures in American history — and how the agencies
operating it have no idea whether it works.</p>
<h2>How It Started</h2>
<p>In 2005, Congress passed the REAL ID Act. A year later, <a href="https://www.secureidnews.com/news-item/iowa-selects-digimarc-facial-recognition-solution-to-enforce-one-driver-one-license/">the Iowa DOT awarded a
$1.4 million contract to Digimarc</a> for facial recognition technology.
The system was sold to the public as a fraud-prevention tool, but the contract
embedded capabilities well beyond that purpose:</p>
<blockquote>
<p>Iowa DOT will implement both “one-to-one” and “one-to-many” facial recognition
as part of its driver license enrollment process.</p>
</blockquote>
<p>“One-to-one” matching — comparing a renewal photo to the applicant’s prior
photo — is the anti-fraud use case the DOT advertised. “One-to-many” matching is
something else entirely: it scans each new portrait against the full database of
driver’s license images. As the press release noted:</p>
<blockquote>
<p>Each night, the Biometric Identification system checks each newly captured
portrait against the full database of driver license images as another means
to catch attempts by a single individual to get a driver license under
multiple names.</p>
</blockquote>
<p>The DOT pitched this to the public as a civil anti-fraud measure. But it also
built out infrastructure with latent capabilities for criminal investigation—
and, as it turns out, civil immigration enforcement—capabilities it would
formalize with law enforcement partners in the years to come.</p>
<p>By 2007, the nightly scans were <a href="https://who13.com/news/facial-recognition-dot-helps-catch-40-year-fugitive/">operational</a>. Digimarc, the original
vendor, was subsequently acquired through a chain of corporate mergers: first by
Safran’s Morpho division (later MorphoTrust USA), then by <a href="https://en.wikipedia.org/wiki/IDEMIA">IDEMIA</a>, which
<a href="https://www.prnewswire.com/news-releases/idemia-partners-with-iowa-department-of-transportation-to-launch-next-generation-mobile-id-technology-301973008.html">continues to partner with the Iowa DOT</a> as of 2024.</p>
<p>The algorithm has changed hands repeatedly, but neither the DOT nor any external
body has ever tested its accuracy for the purpose Iowa uses it — flagging
potential fraud from a pool of millions.</p>
<h2>The FBI Moves In</h2>
<p>In 2014, the Iowa Department of Public Safety signed an agreement with the DOT
to pay for an upgrade to its facial recognition system in exchange for access to
it.</p>
<p>According to <a href="https://www.perpetuallineup.org/jurisdiction/iowa">Georgetown Law’s <em>The Perpetual Lineup</em></a>, this gave DPS
authorized personnel the ability to run face recognition searches against Iowa’s
driver’s license photos.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>That same year, the DOT signed its <a href="https://footnote4a.org/blog/dot-frt/MOU-2014.pdf">first Memorandum of
Understanding</a> with the FBI, granting the Bureau
access to those same photos through its Facial Analysis, Comparison, and
Evaluation (FACE) Services unit. A <a href="https://www.gao.gov/products/gao-16-267">2016 GAO report</a> confirmed
that the FBI could request searches of Iowa’s driver’s license database.</p>
<p>The Iowa MoU was <a href="https://footnote4a.org/blog/dot-frt/FBI-DOT.pdf">updated in 2018</a>, superseding the
original agreement. Under its terms, the FBI submits a probe photo to the DOT,
the DOT searches its facial recognition database, and returns a set of candidate
photos and identities. The DOT agreed to process up to 15 photo requests per
day, but the number it actually processes is not known.</p>
<p>Iowa is hardly alone. In response to a FOIA request about Iowa’s program, the
FBI provided a stack of MoUs from other states instead of the Iowa-specific
records that would have been responsive.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup> Those documents show that at
least fifteen states have signed similar agreements with the FBI.</p>
<p>By May 2019, 21 states had partnered with FBI FACE Services, giving the Bureau
access to <a href="https://www.gao.gov/products/gao-19-579t">over 641 million photos</a> across all searchable
repositories.</p>
<p><a href="https://footnote4a.org/blog/dot-frt/FBI-DOT.pdf" class="collapsible">MoUs provided by the FBI</a></p>
<h2>The Nightly Dragnet, to Start With</h2>
<p>The nightly scan is called the Automated Biometric Identification System (ABIS).
It has been running every night for eighteen years, telling the DOT’s Bureau of
Investigation &amp; Identity Protection (BIIP) who to investigate next — not because
there is any indication of fraud, but purely on the output of a commercial facial
recognition algorithm.</p>
<p>These investigations are warrantless and deeply invasive. DOT procedure
specifies:</p>
<blockquote>
<p>When a driver’s license case is first assigned for investigation, the
Investigator shall gather all pertinent documents and information related to
the investigation.</p>
<p>This includes the complete driving and vehicle ARTS records, specific driving
violation records, Accurint check from DPS, or a CLEAR report from a Bureau
investigator and criminal history to start with.</p>
<p>— Iowa DOT, <em>Procedures Related to Driver License Investigations</em>, p. 176</p>
</blockquote>
<p>@<a href="https://footnote4a.org/blog/dot-frt/manual.pdf" class="collapsible">Procedures Related to Driver License Investigations, p. 176</a></p>
<p>A commercial algorithm — for which we have no data regarding accuracy or
bias — says your photo looks like one of millions of others. On that basis alone,
a DOT investigator pulls your credit history, utility bills, social media posts,
criminal history, and every other detail they can find about you into a file. “To
start with.”</p>
<p>Although we still have no data on the accuracy of the DOT’s system, we at least
have part of the story now: DOT records show that of 192 investigations opened
between January 2022 and November 2025 (excluding 19 still-open cases and one
duplicate):<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup></p>
<ul>
<li>
<p>28 investigations (16%) resulted in no action whatsoever. No administrative
sanction, no criminal referral. The algorithm flagged these people, an
investigator pulled their credit histories and criminal records, and then
closed the file. Whether the subjects were ever told they’d been investigated
is unknown.</p>
</li>
<li>
<p>130 investigations (76%) resulted in administrative action only — mostly
license cancellations, but also 20 cases where the sole action was “Merge
Records,” which appears to be database housekeeping.</p>
</li>
<li>
<p>14 investigations (8%) resulted in criminal charges. That is 3.5 per year.
The charges are overwhelmingly misdemeanors: “Fraudulent Application for
DL/ID,” “False Application for DL/ID,” perjury. A handful involved more
serious offenses — identity theft, forgery, fraudulent practice. One case
resulted in no Iowa charges at all; the subject was extradited to Nebraska on
an existing warrant.</p>
</li>
<li>
<p>Zero convictions are recorded. The DOT’s spreadsheet tracks charges filed, not
final outcomes. After eighteen years and 192 documented investigations, the
agency still cannot say whether a single criminal referral from its facial
recognition program has ever resulted in a conviction.</p>
</li>
</ul>
<p>One additional detail stands out: in April 2025, an administrative action reads
“Notified Homeland Security and <abbr class="md-tooltip" data-tooltip="Iowa Department of Revenue">IA DOR</abbr>.”</p>
<p>The nightly scan, sold to the public as a fraud-prevention tool, appears to have
been used for federal immigration enforcement, as those agencies <a href="https://arstechnica.com/tech-policy/2025/11/us-gives-local-police-a-face-scanning-app-similar-to-one-used-by-ice-agents/">continue to
push a facial recognition mobile app on local police</a>.</p>
<h2>Blind Faith in a Blind System</h2>
<p>Facial recognition algorithms are notoriously biased, performing worse on people
with brown or black skin than on those with white skin. This is a technical
reality, not an advocacy position.</p>
<p>In 2016, the Government Accountability Office examined the FBI’s facial
recognition program and <a href="https://www.gao.gov/products/gao-16-267">made six recommendations</a>. The GAO found
that the FBI had tested its system’s detection rate only for candidate lists of
50, and had no data on accuracy for smaller list sizes that users regularly
requested. The GAO also recommended the FBI determine whether the external state
systems it relies on — systems like Iowa’s — were sufficiently accurate.</p>
<p>The FBI disagreed. It told the GAO that its testing satisfied requirements for
providing investigative leads and that the Bureau lacked authority to set accuracy
requirements for external systems.</p>
<p>Three of the six GAO recommendations dealt with accuracy—a massive red flag for
a system that flags and investigates people based on algorithmic photo matches
selected from millions of candidates.</p>
<p>Two more dealt with transparency: the FBI had failed to publish required Privacy
Impact Assessments<sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup> and a System of Records Notice<sup class="footnote-ref"><a href="#footnote6">[6]</a><a class="footnote-anchor" id="footnote-ref6"></a></sup> — legally
mandated disclosures for a program handling tens of millions of Americans’
photos. DOJ eventually published the missing documents, though years late.</p>
<p>By 2019, <a href="https://www.gao.gov/products/gao-19-579t">only one of the six recommendations had been fully
implemented</a>. The FBI had begun conducting user audits but still
had not tested accuracy for smaller candidate lists, had not assessed external
partner systems, and had not conducted the recommended annual operational
reviews. The GAO maintained all five remaining recommendations were valid.</p>
<p>Iowa, for its part, did no better. In response to public records requests:</p>
<ul>
<li>The Iowa DOT and DPS each confirmed that the FBI never shared results of any
accuracy tests.</li>
<li>The Iowa DOT, despite having a “facial recognition analyst” on staff, never
performed its own accuracy testing.</li>
<li>Neither the DOT nor DPS ever solicited or received reports about the system’s
accuracy from the vendor. Their only information comes from general materials
provided, or published online, by the vendor.</li>
<li>DPS “[had] not yet adopted a final policy” governing its use of facial
recognition, on the grounds that it was waiting to determine “what uses may be
accurate or inaccurate, reliable or unreliable, appropriate or
inappropriate.”<sup class="footnote-ref"><a href="#footnote7">[7]</a><a class="footnote-anchor" id="footnote-ref7"></a></sup> That was in 2016. A decade later, it still hasn’t
looked at system accuracy—knowledge it claims is a prerequisite to regulation.</li>
</ul>
<p>The FBI did not respond to a FOIA request (other than with the stack of MoUs
from other states that were not part of the request).</p>
<p>As the ACLU of Minnesota <a href="https://www.aclu-mn.org/news/biased-technology-automated-discrimination-facial-recognition/">summarizes</a>: “Facial recognition automates
discrimination.” The agencies either believe their algorithm is infallible, or
they don’t care whether it’s accurate as long as it gets them an occasional
result. Substantial academic and technical literature on algorithmic bias goes
ignored, as does the federal government’s own accountability office.</p>
<h2>The Bigger Picture: National Mass Surveillance</h2>
<p>Iowa’s nightly scan is one node in a much larger system — one that has been
expanding steadily and is now accelerating.</p>
<p>The infrastructure began with REAL ID and the MoUs that gave the FBI access to
state driver’s license databases. In December 2025, Iowa was <a href="https://www.ktiv.com/2025/12/02/iowa-among-states-that-will-help-homeland-security-obtain-drivers-license-records/">one of four
states</a> that agreed to help the Trump administration gain access to
state driver’s license data through NLETS.<sup class="footnote-ref"><a href="#footnote8">[8]</a><a class="footnote-anchor" id="footnote-ref8"></a></sup></p>
<p>The deal was <a href="https://sos.iowa.gov/news-resources/iowa-secretary-state-statement-federal-lawsuit-settlement">part of a settlement</a> that allowed Iowa to upload its
voter rolls to the federal government for citizenship verification through
SAVE,<sup class="footnote-ref"><a href="#footnote9">[9]</a><a class="footnote-anchor" id="footnote-ref9"></a></sup> after the Secretary of State had flagged over two thousand
potential non-citizen voters by cross-referencing voter rolls with DOT records —
driver’s license application data that was, in many cases, years out of date.</p>
<p>Subsequent federal verification through SAVE confirmed only 277, roughly 12% of
those flagged based on the DOT’s REAL ID records.</p>
<p>Meanwhile, DHS has also declared that REAL ID—the system for which it spent
twenty years building these invasive, networked fraud-prevention and
citizenship-verification systems—<a href="https://storage.courtlistener.com/recap/gov.uscourts.alsd.76579/gov.uscourts.alsd.76579.44.1.pdf">is not fit for purpose</a>.</p>
<p>In a December 2025 court filing, a DHS official stated that “REAL ID can be
unreliable to confirm U.S. citizenship” in response to a lawsuit by an
American citizen who was <a href="https://reason.com/2025/12/31/dhs-says-real-id-which-dhs-certifies-is-too-unreliable-to-confirm-u-s-citizenship/">detained twice during immigration raids</a>
despite presenting his valid REAL ID.</p>
<p>What immigration enforcement now demands is being filled by facial recognition.
ICE agents carry <a href="https://www.404media.co/you-cant-refuse-to-be-scanned-by-ices-facial-recognition-app-dhs-document-says/">Mobile Fortify</a>, a smartphone app that reportedly
scans faces against over 200 million images across DHS, FBI, and State
Department databases.</p>
<p>DHS does not let subjects decline to be scanned, and photos — including those of
U.S. citizens — are stored for fifteen years. CBP has gone further, releasing
<a href="https://www.404media.co/cbp-quietly-launches-face-scanning-app-for-local-cops-to-do-immigration-enforcement/">Mobile Identify</a>, a separate facial recognition app available to
state and local police agencies deputized for immigration enforcement through
287(g) agreements.</p>
<p>The federal government and state DMVs spent twenty years laying the groundwork
for all of this while Presidents, Governors, and members of Congress rotated in
and out of service. The MoUs. The nightly scans. The databases quietly compiled
from photos taken to get permission to drive — or, for non-operator ID holders,
simply to prove who they are.</p>
<p>Iowa’s program is not an outlier. It is the foundation. It is twenty years of
federally funded research, data collection, and algorithmic lineups that, by
the government’s own accounting, is unreliable and serves no significant public
purpose.</p>
<hr>
<p>Iowa’s DOT does not limit itself to <a href="https://footnote4a.org/news/dot-permits">approving questionable
permits</a> for police surveillance cameras and <a href="https://footnote4a.org/news/dot-permits-pt2">waiving
roadside safety standards</a> to accommodate them. Through
its Motor Vehicle Division, it also operates one of the most invasive automated
surveillance programs in the state.</p>
<p>For 3.5 criminal charges per year — overwhelmingly misdemeanors, with no
recorded convictions — and 28 investigations that led nowhere at all, every new
driver’s license photo in Iowa enters the nightly automated lineup, and, along
with it, the database that federal, state, and local police across the country
can access on demand.</p>
<p>Whether you’re an immigrant or have never left Ottumwa, if IDEMIA’s computer
says you’re a suspect, the government will find out everything there is to know
about you—to start with.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>The DOT delivered outcome data on February 10, 2026, over a month past
its self-imposed early January deadline. The data covered January 2022 through
November 2025. The full spreadsheet is linked above. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Georgetown’s <em>The Perpetual Lineup</em> reported 13 million driver’s license photos
in the system as of 2016. A 2013 <em>Gazette</em> <a href="https://www.thegazette.com/2013/07/03/iowa-dot-using-facial-recognition-technology/">report</a>
put the figure at 12 million photos representing approximately 2.1 million
individuals — the discrepancy with Iowa’s population of roughly 3.2 million
reflects the accumulation of historical photos, including expired licenses and
prior images retained in the database. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>The FOIA request specifically sought Iowa-related records. The FBI’s
production of MoUs from other states — while non-responsive to the request —
inadvertently confirmed the breadth of the program. The responsive
Iowa-specific records were not produced. The FBI did not provide additional
context for these records. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>Case C27411 bears a 2025 date but its case number suggests it originated in 2022. <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>Privacy Impact Assessment, a systematic assessment of a project that identifies
potential privacy impacts and recommends ways to manage, minimize, or eliminate them. <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote6" class="footnote-item"><p>System of Records Notice, a document required by the Privacy Act of 1974 that informs
the public about federal agency systems of records containing personally identifiable
information. <a href="#footnote-ref6" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote7" class="footnote-item"><p>Georgetown Law Center on Privacy &amp; Technology, <em>The Perpetual Lineup</em> (2016). <a href="#footnote-ref7" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote8" class="footnote-item"><p>The National Law Enforcement Telecommunications System; a nationwide
computer network that allows law enforcement agencies to search records
across state lines. <a href="#footnote-ref8" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote9" class="footnote-item"><p>Systematic Alien Verification for Entitlements. A federal immigration
status database created in 1986. <a href="#footnote-ref9" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[The Many Faces of Flock Permits (Part II)]]></title>
            <link>https://footnote4a.org/news/dot-permits-pt2</link>
            <guid isPermaLink="false">https://footnote4a.org/news/dot-permits-pt2</guid>
            <pubDate>Fri, 06 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Iowa has highway safety standards. Kind of.]]></description>
            <content:encoded><![CDATA[<p>The Iowa DOT has a utility accommodation program. It has regulations governing
that program. It has forms with safety standards printed right on them. It even
has a process for verifying that permitted installations comply with those
standards. What it does not have is any apparent interest in using any of it.</p>
<p>Back in November, I wrote about <a href="https://footnote4a.org/news/dot-permits">the Iowa DOT’s lack of a consistent permitting
process</a>. Further research shows that the DOT also lacks a
verification process and an inspection process. The permits it does issue are
approved based on plans that violate the safety standards printed on the
application itself.</p>
<p>In the article <em><a href="https://www.jsheld.com/insights/articles/what-is-the-clear-zone-and-why-is-it-critical-to-roadway-safety">What Is the Clear Zone and Why Is It Critical to Roadway
Safety?</a></em>, John Carlton, a licensed Professional Engineer, discusses
“why the clear zone is important to the safety of roadway users and provide
examples of commonly experienced violations that have resulted in personal
injury litigation.”</p>
<p><img src="https://footnote4a.org/blog/dot-permits-pt2/table.png" alt="Table with clear zone distances included in DOT permit applications" class="collapsible"></p>
<p>This table is included on DOT’s standard utility accommodation form and shows the
clear zone distances (ADT = Average Daily Traffic). The numbers matter: they are
the minimum distance between a roadside obstacle and the travel lane that gives
a driver a reasonable chance of recovery in a run-off-road event.</p>
<h2>The Missing Permits</h2>
<p>As noted in the <a href="https://footnote4a.org/news/dot-permits">previous article</a>, the information in the
permit applications for roadside cameras is sketchy at best. In some cases,
they’re sketched-up screenshots of Google Maps by a Sheriff’s Deputy, and signed
off on by the Sheriff, with little to no helpful descriptive information.</p>
<p><img src="https://footnote4a.org/blog/dot-permits-pt2/plans.png" alt="Site plans approved by the DOT"></p>
<p>The plans above were submitted to, and approved by, the Iowa DOT.</p>
<p>The middle image shows the clearest violation: the minimum “acceptable clear
zone” area, listed on the very form the permit was submitted on, is 12 feet.
The plan shows “10–12 feet.” The DOT approved it anyway.</p>
<h2>The Missing Failsafes</h2>
<p>But at least there are failsafes. On paper. After construction, the DOT’s
regulations require an “as-built” plan to be submitted with a certified
engineer’s stamp. If a plan is not submitted, the DOT is authorized to perform
an inspection at the permittee’s expense. This would uncover any shoddy work by
unqualified site planners and straighten out any problems with approvals.</p>
<p><img src="https://footnote4a.org/blog/dot-permits-pt2/as-built.png" alt="An installed roadside camera"></p>
<p>It turns out that the DOT does not follow its own regulations. Instead, it has
replaced regulation with policy. In the words of my formal complaint:</p>
<blockquote>
<p>For equipment installed under the utility accommodation program, Iowa Admin.
Code 761—115.7(8) (2025) requires the utility owner “to submit to the
department an as-built plan in an electronic format in accordance with
department specifications.”</p>
<p>Iowa DOT writes that it maintains a policy that “[w]hen not submitted we
accept the permitted plans as the asbuilt plan if the permittee did not
contact us with a change.”</p>
<p>Iowa DOT confirms that for this installation “no as-builts were submitted,”
and explains that “we identify the permitted plans as the as-builts.”</p>
</blockquote>
<p>In other words: Iowa DOT does nothing, even when the camera is obviously
installed in a way that appears unsafe. If it <em>is</em> somehow compliant, there is
no information in any of the DOT’s records that would demonstrate that
compliance.</p>
<p>It approves permits proposing non-compliant installations for “utilities” that
are owned by private corporations and deliver no service to the public, based on
the say-so of police officers and sheriff’s deputies.</p>
<p>To make matters worse, Flock—the contractor listed on many of these permits—is
not even a licensed contractor in the State of Iowa.</p>
<h2>The DOT’s Response</h2>
<p>I brought these issues to the attention of Iowa DOT director Scott
Marler.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p class="collapsible">@<a href="https://footnote4a.org/blog/dot-permits-pt2/dot-letter.pdf">January 12, 2026, letter to the Iowa DOT</a>
@<a href="https://footnote4a.org/blog/dot-permits-pt2/A-22A-2024-016.pdf" class="collapsible">Exhibit A — 22A-2024-016</a>
@<a href="https://footnote4a.org/blog/dot-permits-pt2/B-33A-2024-014_33A-2024-014.pdf" class="collapsible">Exhibit B — 33A-2024-014</a>
@<a href="https://footnote4a.org/blog/dot-permits-pt2/C-Installation.pdf" class="collapsible">Exhibit C — Installation</a>
@<a href="https://footnote4a.org/blog/dot-permits-pt2/D-CarlislePD.pdf" class="collapsible">Exhibit D — Carlisle PD</a>
@<a href="https://footnote4a.org/blog/dot-permits-pt2/E-Checklist.pdf" class="collapsible">Exhibit E — Checklist</a>
@<a href="/blog/dot-permits-pt2/F-Altoona%20PD%20TCD%20Application%20Signed_08302022.pdf" class="collapsible">Exhibit F — Altoona PD TCD Application</a>
@<a href="https://footnote4a.org/blog/dot-permits-pt2/G-Flock.pdf" class="collapsible">Exhibit G — Flock</a>
@<a href="/blog/dot-permits-pt2/H-DOT%20Emails.pdf">Exhibit H — DOT Emails</a></p>
<p>His responses met expectations:</p>
<blockquote>
<p>The Iowa Department of Transportation acknowledges receipt of your request, sent
to Director Marler on January 12, 2026.</p>
<p>We understand the importance of establishing a formal policy for license plate
readers and have been actively working on this matter since last fall. At that
time, we prohibited any additional installations of LPR’s on DOT ROW until the
policy is put in place.</p>
<p>We aim to finalize our ALPR policy by the end of February. We appreciate your
expertise and insights on this subject and will ensure that our policy team
has access to review your contributions.</p>
</blockquote>
<p>To which I replied:</p>
<blockquote>
<p>Thank you for the response. While I appreciate that the Department is drafting
a specific ALPR policy, the core of my concern is not a lack of policy, but a
systemic failure to enforce existing Iowa Code and Administrative Rules.</p>
<p>The DOT recently finalized its EO10 review, affirming that the existing
regulations—including those governing the Utility Accommodation Program and
contractor licensing—are necessary and effective. A new policy cannot
retroactively excuse the Department’s decision to ignore those regulations and
standards.</p>
<p>Regarding the “prohibition” on new installations, there appears to be a
disconnect. Since the date you claim a prohibition was enacted, Flock has
expanded its network along the I-380 corridor in Cedar Rapids, including in
the I-380 ROW on state-owned land, and in other municipalities.</p>
<p>If the DOT has been working on this issue since last fall, it raises the
question of why the Department continues to allow unlicensed contractors to
perform work and why these specific permits were not stayed or denied.</p>
<p>By declining to act in a meaningful way while unsafe installations (like the
non-compliant “breakaway pole” on Hwy 52) put drivers at risk, the DOT is
tacitly approving these hazards. In doing so, the Department assumes
significant legal and financial liability for the State should a collision
involving this equipment occur and foreseeably result in injury or death.</p>
</blockquote>
<p>Note the DOT’s claim that it “prohibited any additional installations” since
last fall. Since that date, Flock has expanded its camera network along the
I-380 corridor in Cedar Rapids—including on state-owned land in the I-380
right-of-way—and in other municipalities. The moratorium appears to exist only
in the DOT’s correspondence.</p>
<p>The DOT’s final response:</p>
<blockquote>
<p>We greatly appreciate the time and effort you have invested in bringing these
matters to our attention. Please be assured that we are investigating your
allegations.</p>
</blockquote>
<p>I will be sending in an open records request for the DOT’s new policy at the end
of the month for Part III in this series, unless someone beats me to it.</p>
<p>If you’re in Iowa and you crash your car into a roadside camera, be sure to tell
your lawyer about this post.</p>
<h2>Permit Documents</h2>
<p>The table below lists every LPR permit I have obtained from the Iowa DOT. This
may be a complete set; it is emphatically not a complete accounting of cameras
installed in DOT right-of-way. Many appear to lack permits entirely.</p>
<table>
<thead>
<tr>
<th>Date</th>
<th>Permit / Municipality</th>
<th>Route</th>
</tr>
</thead>
<tbody>
<tr>
<td>2022-04-08</td>
<td>IA-136 LPR</td>
<td>IA-136</td>
</tr>
<tr>
<td>2022-04-08</td>
<td>US-30 LPR</td>
<td>US-30</td>
</tr>
<tr>
<td>2022-08-30</td>
<td>Altoona PD — TCD Application CCP</td>
<td>—</td>
</tr>
<tr>
<td>2022-08-30</td>
<td>Altoona PD — TCD Application</td>
<td>—</td>
</tr>
<tr>
<td>2023-01</td>
<td>Council Bluffs US-275 — LPR TCD</td>
<td>US-275</td>
</tr>
<tr>
<td>2023-01-17</td>
<td>Council Bluffs — Admin</td>
<td>—</td>
</tr>
<tr>
<td>2023-01-24</td>
<td>Council Bluffs US-275 — LPR TCD Approved</td>
<td>US-275</td>
</tr>
<tr>
<td>2023-05-08</td>
<td>Permit</td>
<td>—</td>
</tr>
<tr>
<td>2023-05-30</td>
<td>South Sioux City PD — Woodbury County</td>
<td>—</td>
</tr>
<tr>
<td>2023-10-06</td>
<td>Ankeny PD — LPR Application</td>
<td>—</td>
</tr>
<tr>
<td>2023-10-06</td>
<td>TCD Application</td>
<td>—</td>
</tr>
<tr>
<td>2023-12-22</td>
<td>85A-2023-034 — Story County</td>
<td>US-30</td>
</tr>
<tr>
<td>2023-12-22</td>
<td>Story County Flock TCD</td>
<td>—</td>
</tr>
<tr>
<td>2024-01</td>
<td>Pleasant Hill PD</td>
<td>—</td>
</tr>
<tr>
<td>2024-01</td>
<td>Pleasant Hill</td>
<td>US-65</td>
</tr>
<tr>
<td>2024-01-23</td>
<td>Pleasant Hill</td>
<td>IA-163</td>
</tr>
<tr>
<td>2024</td>
<td>Indianola — LPR Application</td>
<td>—</td>
</tr>
<tr>
<td>2024-05-10</td>
<td>483754 — Marshalltown PD</td>
<td>IA-14</td>
</tr>
<tr>
<td>2024-05-10</td>
<td>502480 — Newton PD</td>
<td>—</td>
</tr>
<tr>
<td>2024-06</td>
<td>Altoona</td>
<td>—</td>
</tr>
<tr>
<td>2024-06-25</td>
<td>Polk City PD</td>
<td>—</td>
</tr>
<tr>
<td>2024-10-25</td>
<td>96A-2024-011 — Winneshiek County, Decorah</td>
<td>IA-9</td>
</tr>
<tr>
<td>2024-10-25</td>
<td>Fayette County, West Plum St</td>
<td>IA-150</td>
</tr>
<tr>
<td>2024-10-25</td>
<td>Fayette County, E Bradford St</td>
<td>US-18</td>
</tr>
<tr>
<td>2024-11-04</td>
<td>33A-2024-014 — Fayette County, Major Rd</td>
<td>IA-150</td>
</tr>
<tr>
<td>2024-11-04</td>
<td>Fayette County, W Ave</td>
<td>IA-3</td>
</tr>
<tr>
<td>2024-11-15</td>
<td>Fayette County, S Avenue</td>
<td>IA-3</td>
</tr>
<tr>
<td>2024</td>
<td>19A-2024-008 — Fayette County</td>
<td>US-63</td>
</tr>
<tr>
<td>2024</td>
<td>19U-2024-009 — Fayette County NHSX</td>
<td>US-63</td>
</tr>
<tr>
<td>2024</td>
<td>19U-2024-009 — Fayette County</td>
<td>US-63</td>
</tr>
<tr>
<td>2024</td>
<td>22A-2024-016 — Fayette County</td>
<td>US-52</td>
</tr>
<tr>
<td>2024</td>
<td>33A-2024-009 — Fayette County</td>
<td>US-18</td>
</tr>
<tr>
<td>2024</td>
<td>33A-2024-010 — Fayette County</td>
<td>IA-150</td>
</tr>
<tr>
<td>2024</td>
<td>33A-2024-013 — Fayette County</td>
<td>IA-3</td>
</tr>
<tr>
<td>2024</td>
<td>33A-2024-014 — Fayette County</td>
<td>IA-150</td>
</tr>
<tr>
<td>2024</td>
<td>33A-2024-015 — Fayette County</td>
<td>IA-3</td>
</tr>
<tr>
<td>2024</td>
<td>3A-2024-008 — Fayette County</td>
<td>US-18</td>
</tr>
<tr>
<td>2024</td>
<td>45U-2024-004 — Fayette County</td>
<td>US-63</td>
</tr>
<tr>
<td>2024</td>
<td>96A-2024-011 — Fayette County</td>
<td>IA-9</td>
</tr>
<tr>
<td>2024-12-16</td>
<td>Sioux City PD</td>
<td>IA-12</td>
</tr>
<tr>
<td>2024-12-16</td>
<td>Storm Lake PD — PTZ and LPR</td>
<td>—</td>
</tr>
<tr>
<td>2024-12-16</td>
<td>Woodbury County SO</td>
<td>—</td>
</tr>
<tr>
<td>2025-02-11</td>
<td>Wapello County SO</td>
<td>—</td>
</tr>
<tr>
<td>2025-02-20</td>
<td>91A-2025-006 — Warren County SO</td>
<td>—</td>
</tr>
<tr>
<td>2025-02-20</td>
<td>Carlisle PD</td>
<td>—</td>
</tr>
<tr>
<td>2025-05-11</td>
<td>29A-2025-001 — Burlington</td>
<td>US-34</td>
</tr>
<tr>
<td>2025</td>
<td>33A-2025-002 — Fayette County</td>
<td>IA-150</td>
</tr>
<tr>
<td>2025</td>
<td>36A-2025-004 — Fremont County</td>
<td>—</td>
</tr>
</tbody>
</table>
<p class="collapsible">@<a href="/dot-permits/2022.04.08%20-%20IA-136%20LPR.pdf" class="collapsible">April 8, 2022 — IA-136 LPR</a>
@<a href="/dot-permits/2022.04.08%20-%20US-30%20LPR.pdf" class="collapsible">April 8, 2022 — US-30 LPR</a>
@<a href="/dot-permits/2022.08.30%20-%20Altoona%20PD%20-%20TCD%20Application%20CCP.pdf" class="collapsible">August 30, 2022 — Altoona PD — TCD Application CCP</a>
@<a href="/dot-permits/2022.08.30%20-%20Altoona%20PD%20-%20TCD%20Application.pdf" class="collapsible">August 30, 2022 — Altoona PD — TCD Application</a>
@<a href="/dot-permits/2023.01%20-%20Council%20Bluffs%20US-275%20-%20LPR%20TCD.pdf" class="collapsible">January 2023 — Council Bluffs US-275 — LPR TCD</a>
@<a href="/dot-permits/2023.01.17%20-%20Council%20Bluffs%20-%20Admin.pdf" class="collapsible">January 17, 2023 — Council Bluffs — Admin</a>
@<a href="/dot-permits/2023.01.24%20-%20Council%20Bluffs%20US-275%20-%20LPR%20TCD%20Approved.pdf" class="collapsible">January 24, 2023 — Council Bluffs US-275 — LPR TCD Approved</a>
@<a href="/dot-permits/2023.05.08%20-%20Permit.pdf" class="collapsible">May 8, 2023 — Permit</a>
@<a href="/dot-permits/2023.05.30%20-%20South%20Sioux%20City%20PD%20-%20Woodbury%20County.pdf" class="collapsible">May 30, 2023 — South Sioux City PD — Woodbury County</a>
@<a href="/dot-permits/2023.10.06%20-%20Ankeny%20PD%20-%20LPR%20Application.pdf" class="collapsible">October 6, 2023 — Ankeny PD — LPR Application</a>
@<a href="/dot-permits/2023.10.06%20-%20TCD%20Application.pdf" class="collapsible">October 6, 2023 — TCD Application</a>
@<a href="/dot-permits/2023.12.22%20-%2085A-2023-034%20-%20Story%20County%20US-30.pdf" class="collapsible">December 22, 2023 — 85A-2023-034 — Story County US-30</a>
@<a href="/dot-permits/2023.12.22%20-%20Story%20County%20Flock%20TCD.pdf" class="collapsible">December 22, 2023 — Story County Flock TCD</a>
@<a href="/dot-permits/2024.01%20-%20Pleasant%20Hill%20PD.pdf" class="collapsible">January 2024 — Pleasant Hill PD</a>
@<a href="/dot-permits/2024.01%20-%20Pleasant%20Hill%20US-65.pdf" class="collapsible">January 2024 — Pleasant Hill US-65</a>
@<a href="/dot-permits/2024.01.23%20-%20Pleasant%20Hill%20IA-163.pdf" class="collapsible">January 23, 2024 — Pleasant Hill IA-163</a>
@<a href="/dot-permits/2024%20-%20Indianola%20-%20LPR%20Application.pdf" class="collapsible">2024 — Indianola — LPR Application</a>
@<a href="/dot-permits/2024.05.10%20-%20483754%20-%20Marshalltown%20PD%20IA-14.pdf" class="collapsible">May 10, 2024 — 483754 — Marshalltown PD IA-14</a>
@<a href="/dot-permits/2024.05.10%20-%20502480%20-%20Newton%20PD.pdf" class="collapsible">May 10, 2024 — 502480 — Newton PD</a>
@<a href="/dot-permits/2024.06%20-%20Altoona.pdf" class="collapsible">June 2024 — Altoona</a>
@<a href="/dot-permits/2024.06.25%20-%20Polk%20City%20PD.pdf" class="collapsible">June 25, 2024 — Polk City PD</a>
@<a href="/dot-permits/2024.10.25%20-%2096A-2024-011%20-%20Winneshiek%20County%20IA-9%20Decorah.pdf" class="collapsible">October 25, 2024 — 96A-2024-011 — Winneshiek County IA-9 Decorah</a>
@<a href="/dot-permits/2024.10.25%20-%20Fayette%20County%20IA-150%20West%20Plum%20St.pdf" class="collapsible">October 25, 2024 — Fayette County IA-150 West Plum St</a>
@<a href="/dot-permits/2024.10.25%20-%20Fayette%20County%20US-18%20E%20Bradford%20St.pdf" class="collapsible">October 25, 2024 — Fayette County US-18 E Bradford St</a>
@<a href="/dot-permits/2024.11.04%20-%2033A-2024-014%20-%20Fayette%20County%20IA-150%20Major%20Rd.pdf" class="collapsible">November 4, 2024 — 33A-2024-014 — Fayette County IA-150 Major Rd</a>
@<a href="/dot-permits/2024.11.04%20-%20Fayette%20County%20IA-3%20W%20Ave.pdf" class="collapsible">November 4, 2024 — Fayette County IA-3 W Ave</a>
@<a href="/dot-permits/2024.11.15%20-%20Fayette%20County%20IA-3%20S%20Avenue.pdf" class="collapsible">November 15, 2024 — Fayette County IA-3 S Avenue</a>
@<a href="/dot-permits/2024%20-%2019A-2024-008%20-%20Fayette%20County%20US-63.pdf" class="collapsible">2024 — 19A-2024-008 — Fayette County US-63</a>
@<a href="/dot-permits/2024%20-%2019U-2024-009%20-%20Fayette%20County%20US-63%20NHSX.pdf" class="collapsible">2024 — 19U-2024-009 — Fayette County US-63 NHSX</a>
@<a href="/dot-permits/2024%20-%2019U-2024-009%20-%20Fayette%20County%20US-63.pdf" class="collapsible">2024 — 19U-2024-009 — Fayette County US-63</a>
@<a href="/dot-permits/2024%20-%2022A-2024-016%20-%20Fayette%20County%20US-52.pdf" class="collapsible">2024 — 22A-2024-016 — Fayette County US-52</a>
@<a href="/dot-permits/2024%20-%2033A-2024-009%20-%20Fayette%20County%20US-18.pdf" class="collapsible">2024 — 33A-2024-009 — Fayette County US-18</a>
@<a href="/dot-permits/2024%20-%2033A-2024-010%20-%20Fayette%20County%20IA-150.pdf" class="collapsible">2024 — 33A-2024-010 — Fayette County IA-150</a>
@<a href="/dot-permits/2024%20-%2033A-2024-013%20-%20Fayette%20County%20IA-3.pdf" class="collapsible">2024 — 33A-2024-013 — Fayette County IA-3</a>
@<a href="/dot-permits/2024%20-%2033A-2024-014%20-%20Fayette%20County%20IA-150.pdf" class="collapsible">2024 — 33A-2024-014 — Fayette County IA-150</a>
@<a href="/dot-permits/2024%20-%2033A-2024-015%20-%20Fayette%20County%20IA-3.pdf" class="collapsible">2024 — 33A-2024-015 — Fayette County IA-3</a>
@<a href="/dot-permits/2024%20-%203A-2024-008%20-%20Fayette%20County%20US-18.pdf" class="collapsible">2024 — 3A-2024-008 — Fayette County US-18</a>
@<a href="/dot-permits/2024%20-%2045U-2024-004%20-%20Fayette%20County%20US-63.pdf" class="collapsible">2024 — 45U-2024-004 — Fayette County US-63</a>
@<a href="/dot-permits/2024%20-%2096A-2024-011%20-%20Fayette%20County%20IA-9.pdf" class="collapsible">2024 — 96A-2024-011 — Fayette County IA-9</a>
@<a href="/dot-permits/2024.12.16%20-%20Sioux%20City%20PD%20IA-12.pdf" class="collapsible">December 16, 2024 — Sioux City PD IA-12</a>
@<a href="/dot-permits/2024.12.16%20-%20Storm%20Lake%20PD%20-%20PTZ%20and%20LPR.pdf" class="collapsible">December 16, 2024 — Storm Lake PD — PTZ and LPR</a>
@<a href="/dot-permits/2024.12.16%20-%20Woodbury%20County%20SO.pdf" class="collapsible">December 16, 2024 — Woodbury County SO</a>
@<a href="/dot-permits/2025.02.11%20-%20Wapello%20County%20SO.pdf" class="collapsible">February 11, 2025 — Wapello County SO</a>
@<a href="/dot-permits/2025.02.20%20-%2091A-2025-006%20-%20Warren%20County%20SO.pdf" class="collapsible">February 20, 2025 — 91A-2025-006 — Warren County SO</a>
@<a href="/dot-permits/2025.02.20%20-%20Carlisle%20PD.pdf" class="collapsible">February 20, 2025 — Carlisle PD</a>
@<a href="/dot-permits/2025.05.11%20-%2029A-2025-001%20-%20Burlington%20US-34.pdf" class="collapsible">May 11, 2025 — 29A-2025-001 — Burlington US-34</a>
@<a href="/dot-permits/2025%20-%2033A-2025-002%20-%20Fayette%20County%20IA-150.pdf" class="collapsible">2025 — 33A-2025-002 — Fayette County IA-150</a>
@<a href="/dot-permits/2025%20-%2036A-2025-004%20-%20Fremont%20County.pdf">2025 — 36A-2025-004 — Fremont County</a></p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>I have previously brought several matters to the attention of
Director Marler. In 2020, I petitioned him to amend rules governing the
DOT’s flawed immigration database. He declined, which contributed to the
widely-reported <a href="https://sos.iowa.gov/news-resources/statement-secretary-state-paul-pate-noncitizen-voting">discovery of 2,207 non-citizen voters</a> in 2024—a
number that turned out to be <a href="https://sos.iowa.gov/news-resources/iowa-secretary-states-audit-voter-registration-lists-finds-277-confirmed-noncitizens">just 277</a> because of the very flaw I
had identified. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock's New Pitch: Surveillance or Serial Killers]]></title>
            <link>https://footnote4a.org/news/surveillance-or-serial-killers</link>
            <guid isPermaLink="false">https://footnote4a.org/news/surveillance-or-serial-killers</guid>
            <pubDate>Fri, 09 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[A TV ad, a recycled op-ed, and the quiet admission that guardrails don't actually work.]]></description>
            <content:encoded><![CDATA[<p>We’ve seen some unhinged messaging from Flock in the past few weeks, including
the email to Staunton, VA in which Flock’s CEO, Garrett Langley, told police
that they’re under attack from “<a href="https://footnote4a.org/news/staunton-attack">activist groups who want to defund the police, weaken
public safety, and normalize lawlessness</a>.” Flock seems to have
taken the brakes off its paranoid insanity with TV ads and reposted op-eds.</p>
<p>Let’s start with the TV ad. A <a href="https://deflock.me">DeFlock</a> Discord user posted the following
screenshots, saying an ad had appeared on his Smart TV to tell him “We’re all lucky other cities in
Massachusetts haven’t followed Cambridge’s lead in removing these lifesaving devices, else a serial
killer would get you!”</p>
<div class="grid grid-cols-2">
    <img alt="TV showing 'We're all pretty lucky, though, that other cities in'" src="https://footnote4a.org/blog/surveillance-or-serial-killers/tv-ad-2.jpg">
    <img alt="TV showing 'haven't followed Cambridge's lead, or else a serial killer'" src="https://footnote4a.org/blog/surveillance-or-serial-killers/tv-ad-3.png">
</div>
<p>The TV ad appears to actually exist. It quotes an op-ed published in the Boston Globe and
<a href="https://archive.is/NTOTl">republished on Flock’s website</a>:</p>
<blockquote>
<p>[L]eft-leaning jurisdictions have turned against Flock cameras lately, concerned that the data they
generate could be used by immigration authorities to find immigrants living in the country without
authorization. We’re all pretty lucky, though, that other cities in Massachusetts haven’t followed
Cambridge’s lead, or else a serial killer might still be on the loose.</p>
</blockquote>
<p>This is a multi-billion-dollar organization that has historically steered (more or less) clear of
politics—at least publicly. Until now.</p>
<h2>The Op-Ed</h2>
<p>I want to briefly touch on the content of Alan Wirzbicki’s reposted op-ed itself. The rhetorical
strategy is typical cherry-picking: select a success story—in this case, a murderer being
apprehended—and use it to justify the entire system, as though it were the only thing that could
possibly have led to this outcome. It’s a tired and dishonest argument.</p>
<blockquote>
<p>left-leaning jurisdictions have turned against Flock cameras lately, concerned that the data they
generate could be used by immigration authorities to find immigrants living in the country
without authorization.</p>
</blockquote>
<p>It’s true that left-leaning jurisdictions have this concern. It’s a concern that is founded in
multiple high-profile incidents where <a href="https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/">Flock transferred information to the federal government</a>
without permission and in violation of law. The guardrails failed. Flock failed.</p>
<p>But “the left” is not the only group disturbed by mass surveillance. In other cases, police have
used electronic and mass surveillance to target right-wing groups.</p>
<p>These cameras don’t discriminate. They’ll track Antifa. They’ll also track the Proud Boys.</p>
<p>They will track law-abiding citizens on their way to Planned Parenthood or the gun store.</p>
<p>Left, right, we’re all suspects.</p>
<p>The author of the op-ed seems to have a brief moment of clarity when he notes that, despite Flock’s
assurances, the guardrails on this technology are fundamentally worthless:</p>
<blockquote>
<p>[G]uardrails or no, it’s hard for me to believe that municipalities could actually prevent
immigration authorities from accessing their Flock data if the feds really wanted it badly enough.</p>
</blockquote>
<p>But then he goes on:</p>
<blockquote>
<p>But at least to me, license plate readers are a much less threatening form of government
surveillance than, say, facial recognition software and cameras that scan crowds of people.</p>
</blockquote>
<p>He fails to connect his own dots. Regardless of what Flock offers as a service today, the capability
to record conversations and apply facial recognition across 250,000+ cameras and microphones is
there for the taking “if the feds really wanted it badly enough.”</p>
<p>Whether you’re in a “left-leaning” or a “right-leaning” city, once the cameras are up and the data
is being harvested, one thing is certain: there’s no take-backsies when the next guy takes office.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock's Censorship Gambit Fails at Cloudflare (Part V)]]></title>
            <link>https://footnote4a.org/news/cyble-part5</link>
            <guid isPermaLink="false">https://footnote4a.org/news/cyble-part5</guid>
            <pubDate>Thu, 08 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[After three weeks of review, Cloudflare rejects Cyble's baseless takedown complaint—citing Flock's own admission that the data came from public records.]]></description>
            <content:encoded><![CDATA[<p>After more than three weeks of investigation, Cloudflare has dismissed the baseless complaint filed
by Cyble, on Flock’s behalf, in an attempt to remove this website from the Internet. If you missed
parts one through four, here are the links:</p>
<div class="markdown-alert markdown-alert-note">
<p class="markdown-alert-title">Note</p>
<p><strong>February 5, 2025</strong>: The last email to Hetzner was on December 30. There has been no response and
it is unclear if they are still investigating. Hetzner never forwarded the document showing the
supposed relationship between Flock and Cyble.</p>
</div>
<ul>
<li>Part I: <a href="https://footnote4a.org/news/cyble-downtime">Flock and Cyble Inc. Weaponize “Cybercrime” Takedowns to Silence Critics</a> (Dec. 16)</li>
<li>Part II: <a href="https://footnote4a.org/news/cyble-part2">Flock and Cyble Inc. Continue to File False Notices</a> (Dec. 17)</li>
<li>Part III: <a href="https://footnote4a.org/news/cyble-part3">Flock and Cyble Inc. Pile on the Allegations with no Evidence in Sight</a> (Dec. 29)</li>
<li>Part IV: <a href="https://footnote4a.org/news/cyble-part4">Flock and Cyble: Aligned Values</a> (Dec. 31)</li>
</ul>
<p>The <em>tl;dr</em> is that Flock hired<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> Cyble to file takedown notices. This site’s original host, Cloudflare,
put a “phishing” interstitial on the site on December 16. The site moved to Hetzner while the takedown
was appealed. Cyble filed a complaint with Hetzner a day later.</p>
<p>Hetzner is still conducting its review (while the site remains online).</p>
<p>Cloudflare’s review is now complete:</p>
<blockquote>
<p>Upon further investigation, we have granted your appeal and we can confirm the restricted access to
the reported URL was removed on 01/08/2026.</p>
<p>Separately, we had contacted you regarding a potential violation of our Developer Platform Terms of
Service, which prohibit “content that discloses sensitive personal information.” This was in response
to a report claiming that “the website publicly and deliberately releases extensive sensitive information
obtained from Flock.”</p>
<p>Thank you for providing additional information, including a Flock Safety customer communication stating
that, “Based on what we have seen, websites like the one circulating online are using agency-released
public-records data.”</p>
<p>Based on our review, including the additional information provided, we found insufficient evidence of
a violation.</p>
<p>Thank you for your understanding and patience while we worked through this process.</p>
</blockquote>
<p>The “Flock Safety customer communication” Cloudflare cites is included below; it was obtained via an
Illinois FOIA request by <a href="https://www.lucyparsonslabs.com/">Lucy Parsons Labs</a> and <a href="https://www.muckrock.com/foi/mount-prospect-8189/flocksafety-emails-12-2025-mount-prospect-police-department-200393/">published on Muckrock</a>.</p>
<p>@<a href="https://footnote4a.org/blog/colwell-files/email.pdf">Flock customer email</a></p>
<p>Cloudflare got this one right. So did Flock’s own customer communications team, apparently.</p>
<p>Hetzner’s review continues while the site remains online.</p>
<p>To everyone who has continued to <a href="https://footnote4a.org/about/audit-logs">demand transparency</a> and accountability while Flock
invokes “officer safety” as a silencing mechanism: this is what winning looks like. It’s not a final
victory—just one less vector for censorship.</p>
<p>The public records remain public.</p>
<p>We’re just getting started.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Though whether Flock actually “hired” Cyble is technically unclear. See <a href="https://footnote4a.org/news/cyble-part4">Part IV</a>. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Has Flock Been Hacked? What Their Security Blog Post Doesn't Say]]></title>
            <link>https://footnote4a.org/news/never-hacked-facts</link>
            <guid isPermaLink="false">https://footnote4a.org/news/never-hacked-facts</guid>
            <pubDate>Tue, 06 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Flock claims it has "never been hacked." A fact-check of their January 2026 blog post reveals semantic games, undisclosed offshore contractors, and CJIS compliance failures.]]></description>
            <content:encoded><![CDATA[<p>“<a href="https://archive.is/oXy79">Has Flock Been Hacked?</a>” is the question the Flock Safety Blog asked itself today. The
article is a transparent<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> attempt to get ahead of the <abbr class="md-tooltip" data-tooltip="Search Engine Optimization">SEO</abbr> game. It repeats the same
tired points, and so will this fact-check, but such is the nature of fighting misinformation and
disinformation on the Internet.</p>
<p>The executive summary:</p>
<table>
<thead>
<tr>
<th>Flock Claim</th>
<th>Reality</th>
<th>Source</th>
</tr>
</thead>
<tbody>
<tr>
<td>“Cloud platform has never been compromised”</td>
<td>Scoped to exclude hardware vulnerabilities, network exposures, contractor access, and access control abuse</td>
<td><a href="https://archive.is/oXy79">Flock blog</a></td>
</tr>
<tr>
<td>“No customer data accessed or exfiltrated”</td>
<td>“Customer data” contractually excludes raw footage—the same footage <a href="https://www.kcrg.com/2025/12/24/cedar-rapids-police-cameras-among-dozens-exposed-unrestricted-access/">publicly streamed from Cedar Rapids</a></td>
<td><a href="https://footnote4a.org/news/iowa-logs">Contract language</a></td>
</tr>
<tr>
<td>“Customers own and control their data”</td>
<td>Contract grants Flock “non-exclusive, royalty-free, irrevocable, worldwide license” to use customer data</td>
<td><a href="https://archive.is/hh9uE">Standard contract</a></td>
</tr>
<tr>
<td>“No centralized database”</td>
<td>Shared SaaS infrastructure; network-wide hot lists enable cross-jurisdictional queries</td>
<td><a href="https://footnote4a.org/news/network-size">Network analysis</a></td>
</tr>
<tr>
<td>“Registered vulnerabilities with MITRE”</td>
<td>Only 4 CVEs registered; 50+ findings in Gaines report unaddressed</td>
<td><a href="https://github.com/GainSec/anti-crime-ecosystem-research">Gaines report</a></td>
</tr>
<tr>
<td>“Worked with researcher throughout study”</td>
<td>Researcher confirms Flock has not confirmed remediation of any reported issues</td>
<td><a href="https://github.com/GainSec/anti-crime-ecosystem-research">Gaines report</a></td>
</tr>
<tr>
<td>Offshore contractors</td>
<td>Not mentioned</td>
<td><a href="https://www.wired.com/story/flock-uses-overseas-gig-workers-to-build-its-surveillance-ai/">Wired</a>, <a href="https://www.upwork.com/ent/portal/flocksafety/">Upwork portal</a></td>
</tr>
<tr>
<td>CJIS compliance</td>
<td>Not mentioned; devices lack required encryption</td>
<td><a href="https://github.com/GainSec/anti-crime-ecosystem-research">Gaines report</a></td>
</tr>
</tbody>
</table>
<ul>
<li>Flock’s “never been hacked” claim is scoped to exclude hardware, contractors, and access abuse</li>
<li>Security vulnerabilities reported in February 2025 remain unpatched as of November 2025</li>
<li>Offshore Upwork contractors review surveillance footage without disclosed vetting</li>
<li>CJIS-required encryption is absent from Flock devices</li>
<li>No evidence of a Flock data breach notification to Iowa agencies despite documented
vulnerabilities and foreign contractor access</li>
</ul>
<h2>Flock Security Vulnerabilities: Still Unpatched a Year Later</h2>
<p>Flock writes that “the theoretical vulnerabilities described were highly technical and would have
required physical access.” It does not write that these “theoretical vulnerabilities” no longer exist.</p>
<p>The issues were reported to Flock in February 2025. In November 2025, they were confirmed to still exist.</p>
<p>Flock writes in the past tense, but gives no indication that use of this tense is warranted.</p>
<p>A typical “trust us, we’re fine” security blog post follows a predictable pattern, to the point
where I’m certain there is a <abbr class="md-tooltip" data-tooltip="Chief Information Security Officer">CISO</abbr>-central where you can download form letters:</p>
<ul>
<li>We were made aware of a vulnerability on [date].</li>
<li>We worked with researcher A to develop a fix that we rolled out [shortly after].</li>
<li>We carefully examined our logs and determined no data was compromised. (Alt: We determined that a
limited set of data may have been accessed. Affected customers were notified in a separate email).</li>
<li>No action is required. (Alt: We recommend that you take X action immediately. We have disabled Y
until you do).</li>
</ul>
<p>Instead, nine months after Jon Gaines “worked with Flock throughout the study” (according to Flock’s
blog post), <a href="https://github.com/GainSec/anti-crime-ecosystem-research">his report states</a>, “the vendor has not confirmed whether any of the reported
issues have been remediated or are planned for remediation.”</p>
<p>The only action Flock has taken is to downplay the severity and exaggerate the complexity for the
better part of a year.</p>
<h2>Flock’s CJIS Compliance Failures</h2>
<p>There are several (well… many) issues with Flock’s compliance, but the most straightforward
one is that <a href="https://github.com/GainSec/anti-crime-ecosystem-research">the vulnerabilities Flock discusses in this post</a> show that Flock devices are
not encrypted.</p>
<p>Encryption is a <a href="https://footnote4a.org/news/federal-insecurity">hard requirement for <abbr class="md-tooltip" data-tooltip="Criminal Justice Information Services (CJIS) Security Policy">CJISSECPOL</abbr></a>.</p>
<h2>Who Can Access Flock Safety License Plate Data?</h2>
<p>While its overseas workers may access the data for other reasons, Flock states in its blog post that
“Flock employees do not access customer data except in tightly controlled, audited circumstances for
support or maintenance.”</p>
<p>Critically, the company does not define what those “tightly controlled, audited circumstances”
look like, who validates those controls, or who performs the audits. We can only assume it’s Flock
doing all of this in secret.</p>
<p>However, in its <a href="https://archive.is/hh9uE">contract</a>, Flock defines circumstances other than “support or maintenance” where
its employees may access and disseminate information, including when Flock has a “good faith belief”
that doing so is necessary for <a href="https://footnote4a.org/news/trojan-contracts">basically any reason</a>.</p>
<h2>Flock Offshore Contractors, Background Checks, and Foreign Data Access</h2>
<p><a href="https://footnote4a.org/news/overseas-data">We know Flock images and audio are reviewed by foreign Upwork contractors</a>.
Flock has not publicly acknowledged or commented on that fact. Flock <a href="https://www.wired.com/story/flock-uses-overseas-gig-workers-to-build-its-surveillance-ai/">hid the evidence after Wired
and 404Media reached out for comment</a>.</p>
<p>As of January 6, 2026, Flock’s <a href="https://www.upwork.com/ent/portal/flocksafety/">Upwork Enterprise Portal</a> is still online.</p>
<p>After national media reported on these contractors who are reviewing images and audio files, Flock did
not respond at all.</p>
<p>It did not put out a statement that its foreign contractors undergo rigorous vetting or that the
data collected by <a href="https://footnote4a.org/news/network-size">250,000+ devices</a> is not available to foreign actors.</p>
<p>It is also unclear if Flock considers Upwork contractors on the other side of the globe to be
operating under “tightly controlled, audited circumstances.”</p>
<h2>Flock Data Retention and Deletion Questions</h2>
<p>Based on my experience, the “what happens after the retention period?” question is an actual “Frequently
Asked Question.” To my knowledge, Flock has not answered it beyond “data is automatically deleted”
(generally passively voiced).</p>
<p>The process for deletions, and, equally importantly, the process for validating whether deletions
are complete and irreversible, remains a mystery to this day.</p>
<p>This is a critical question because the storage solution the company uses, <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjects.html">AWS S3, offers
versioning and “soft deletes,”</a> a feature where a “deletion marker” is stored
alongside the actual file (possibly in low-cost archival storage).</p>
<p>This makes the file <em>appear</em> deleted to everyone, including the software, except S3 administrators,
for whom restoring the file is a matter of either removing the marker or copying the file while
ignoring the marker.</p>
<p>Of course, this is in addition to the contract granting Flock the “non-exclusive, royalty-free, irrevocable,
worldwide license to use the Customer Data,” for which Flock has not even begun answering the question.</p>
<h2>Flock Breach Notification: Iowa Case Study</h2>
<p>A public records request to the Iowa Department of Public Safety, which is responsible for
overseeing <abbr class="md-tooltip" data-tooltip="Criminal Justice Information Services (CJIS) Security Policy">CJISSECPOL</abbr>, indicates that neither Flock, nor any of its Iowa customers, made the
mandatory disclosures following <a href="https://github.com/GainSec/anti-crime-ecosystem-research">the February 2025 vulnerability findings</a>, or the findings
that <a href="https://footnote4a.org/news/overseas-data">overseas workers have access</a>.</p>
<p>It is likely no different in other jurisdictions.</p>
<h2>“Has Flock Been Hacked?” — What They’re Actually Saying</h2>
<p><a href="https://archive.is/oXy79">This article</a> was a trip. It comes on the heels of <a href="https://footnote4a.org/news/colwell-files">a December 8, 2025 mass
email</a> in which Flock’s Head Solutioneer, Chris Colwell, defensively states
that Flock has never been hacked and that the information published on “a third-party website [that]
began aggregating search information” was instead obtained via public record requests.</p>
<p>Maybe Colwell got the “Has Flock Been Hacked?” question via e-mail. Maybe he didn’t. Either
way, it’s oddly defensive posturing for a company whose CEO sends out mass emails saying it “adheres
to the highest security standards, including: NDAA, SOC2 (Type II), SOC3, ISO 27001, HECVAT, [and]
FERPA.”</p>
<p>Some of those aren’t even security standards, as I discussed in <a href="https://footnote4a.org/news/staunton-attack">a previous post</a>.</p>
<h3>How Flock Defines “Hacked” and “Breach”</h3>
<blockquote>
<p>Flock’s cloud infrastructure has never been compromised. There has never been an incident in which
customer data was accessed or exfiltrated by an attacker. This is not a matter of semantics or
technical spin; it reflects Flock’s actual security record since its inception.</p>
</blockquote>
<p>Immediately, Flock’s statements are limited to the “cloud platform.” This excludes:</p>
<ul>
<li><a href="https://github.com/GainSec/anti-crime-ecosystem-research">Hardware vulnerabilities</a></li>
<li><a href="https://www.404media.co/flock-exposed-its-ai-powered-cameras-to-the-internet-we-tracked-ourselves/">Network compromises</a></li>
<li><a href="https://www.9news.com/article/news/politics/atf-searches-ice-access-loveland-license-plate-tracking-cameras/73-f319ab3b-201d-42af-8dae-35870a63b94a">Data accessed through legitimate but abused access controls</a></li>
<li>Third-party <a href="https://footnote4a.org/news/dps-denmark">integrations</a> or <a href="https://footnote4a.org/news/overseas-data">contractors</a></li>
</ul>
<p>Industry standards consider a “breach” or a “compromise” to be any incident in which an unauthorized
party has access, data is disclosed without authorization, or <a href="https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/">data control is lost</a>.
Flock’s definition is limited to “customer data was accessed or exfiltrated.”</p>
<p>This narrow definition of “hacking” excludes:</p>
<ul>
<li>Authorized access later deemed improper (rogue employee, abusive search).</li>
<li>Data shared under coerced or misunderstood “consent.”</li>
<li>Access by contractors they failed to disclose.</li>
<li>Exploitation of legitimate credentials.</li>
</ul>
<h3>Flock’s “Customer Data” Definition Excludes Footage</h3>
<p>“Customer data” appears to be an attempt at contractual finagling. If you’ve watched <a href="https://www.youtube.com/watch?v=vU1-uiUlHTo">Benn Jordan’s
video</a> you know that Benn was able to view a live feed of actual cameras being used to support
real-life operations.</p>
<p>This is the current definition of “customer data”:</p>
<blockquote>
<p>“Customer Data” means the images, audio and/or video segments made available to Customer through
the Web Interface in connection with the Flock Services, together with the metadata … For
clarity, Customer Data does not include the underlying raw Footage captured by the Flock Hardware</p>
</blockquote>
<p>By that definition, unauthorized persons downloading footage is not a “breach” or “access to customer
data” because “customer data” does not include footage.</p>
<p>There was still a <a href="https://www.kcrg.com/2025/12/24/cedar-rapids-police-cameras-among-dozens-exposed-unrestricted-access/">public Internet livestream of a man being hauled off in an ambulance</a>.</p>
<p>Shortly before Flock aired that livestream, Cedar Rapids indicated to <a href="https://footnote4a.org/news/iowa-logs">the ACLU of Iowa and
University of Iowa researchers</a> that its Flock contract has different language:</p>
<blockquote>
<p>“Customer Data” means the data, media, and content provided by Customer through the Services. For
the avoidance of doubt, the Customer Data will include the Footage.</p>
</blockquote>
<p>Under Flock’s definition, the public exposure of a man being loaded into an ambulance was not a
“breach” because raw footage isn’t “customer data.” Under Cedar Rapids’s contract, it was. Flock
gets to claim a clean security record by choosing which definition applies after the fact.</p>
<p>Flock further muddies the waters in its blog post when it writes “Every Flock customer, whether a
city, county, law enforcement agency, neighborhood, school, or business, retains full ownership and
control of the data collected on their behalf.”</p>
<p>These statements can’t all be true at the same time. It doesn’t matter to Flock because Google’s AI
won’t pick up on it. Poisoning the <abbr class="md-tooltip" data-tooltip="Search Engine Optimization">SEO</abbr>-well with corporate disinformation is a business decision.</p>
<h3>Flock Data Types: Strategic Obfuscation</h3>
<blockquote>
<p>Flock does not maintain a centralized database of license plate reader data across customers. We
do not sell or monetize vehicle data, and we do not share customer data without the customer’s
explicit authorization.</p>
</blockquote>
<p>In two sentences, no fewer than three types of data are introduced:</p>
<ul>
<li>License plate reader data</li>
<li>Vehicle data</li>
<li>Customer data</li>
</ul>
<p>To know whether the statement could potentially be true requires knowing the definitions of these
terms.</p>
<p>“We do not sell or monetize vehicle data” or “Flock does not maintain a centralized database of
license plate reader data across customers” <a href="https://footnote4a.org/news/network-size">certainly do not sound true</a>, but
there is undoubtedly a reason why the company chose to distinguish between “license plate reader
data,” “vehicle data,” and “customer data” all in one paragraph. And it’s not “for clarity.”</p>
<p>Perhaps the most baffling statement in the whole post is this one:</p>
<blockquote>
<p>LPRs do not capture point-in-time images of vehicles on public roadways</p>
</blockquote>
<p>I’m sure this too depends on some obscure, unspecified definition of “point-in-time image.” Maybe it
means that you can’t tell the Flock system “find me a picture of a car with plate 739APD at 10:45am
last Saturday” because you can only tell it “give me a 30-day location history for plate 739APD.”</p>
<p>Who knows. Even ardent Flock-fans can see that this statement is, at best, grossly misleading.</p>
<p>The important thing is that Flock asked itself “Has Flock Been Hacked?” and then proceeded to dodge
the question as though it were participating in a Senate confirmation hearing rather than writing
corporate fluff on its own blog.</p>
<h2>What Flock Safety Should Disclose</h2>
<p>First, <abbr class="md-tooltip" data-tooltip="Criminal Justice Information Services (CJIS) Security Policy">CJISSECPOL</abbr> requires compliance documentation to be submitted to the state’s <abbr class="md-tooltip" data-tooltip="CJIS Systems Agency">CSA</abbr> and the FBI.
For security vulnerabilities, this includes mitigation plans and/or compensatory controls. This
mandatory compliance documentation is public record. Disclose it.</p>
<p>Second, some security vulnerabilities require additional disclosure. The complete lack of encryption,
for example, is fundamentally incompatible with <abbr class="md-tooltip" data-tooltip="Criminal Justice Information Services (CJIS) Security Policy">CJISSECPOL</abbr>, which requires using a NIST-validated
encryption module. Name the modules.</p>
<p>Prove, or better yet, have an independent third party audit the AWS S3 configurations to confirm,
that buckets are unversioned and that there are no “soft deletes.”</p>
<p>Release the CVE numbers. Flock claims it “registered relevant vulnerabilities with the National
Vulnerability CVE database via MITRE.” If true, those identifiers are public. Name them. If this set
is limited to the four issues previously registered, then Flock’s position is that the remaining 50+
findings in Jon Gaines’ report are not “relevant.” This is a concerning attitude when it comes to security.</p>
<p>Disclosing public compliance records and confirming which vulnerabilities have been patched, by
tracking them in a public vulnerability database or otherwise, does a lot more than writing an
<abbr class="md-tooltip" data-tooltip="Search Engine Optimization">SEO</abbr>-optimized blog post that relies purely on semantics and technical spin to say nothing of value.</p>
<p>Relying on security through obscurity <a href="https://cwe.mitre.org/data/definitions/656.html">is its own documented security vulnerability</a>.</p>
<p>Relying on security through denial is even worse.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>It is a rare occurrence where I accuse Flock of transparency. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[The 250,000+ Camera "City-Wide" Network]]></title>
            <link>https://footnote4a.org/news/network-size</link>
            <guid isPermaLink="false">https://footnote4a.org/news/network-size</guid>
            <pubDate>Sun, 04 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[A bug in Flock's system swept 257,806 cameras into an "ICE detainer" search. Flock claims no data was accessed—but California, Illinois, and Virginia prohibit such searches regardless.]]></description>
            <content:encoded><![CDATA[<p>As Flock <a href="https://footnote4a.org/news/burden-of-compliance">continues to battle transparency</a> and
<a href="https://footnote4a.org/news/secret-searches-part2">expunge the public record</a>, the logs—reduced as they may be—continue
to yield insights into the privately-owned and -operated Surveillance-as-a-Service network. The
latest: a drug task force out of Brookfield, Missouri (pop. ~4,000)
<a href="https://footnote4a.org/search?q=%22ice+detainer%22">retrieved a vehicle’s location history</a> and accidentally exposed the
scale of the Flock network—and, potentially, violated the laws of several states in the process.</p>
<div class="float-right ml-4 mt-4 inline-flex align-middle flex-col">
<div class="grid grid-cols-2 space-x-4 items-center">
  <img class="mb-1 w-70" src="https://footnote4a.org/blog/network-size/5000.png" alt="Flock homepage claims 5,000+ agencies">
  <img class="border rounded-lg mb-1 w-70" src="https://footnote4a.org/blog/network-size/networks.png" alt="Flock homepage claims 5,000+ agencies">
  </div>
  <p class="text-center text-muted text-xs mt-1">
  flocksafety.com homepage touting 5,000+ and "networks searched" showing 6,385
  </p>
</div>
<p>On its website’s main landing page, Flock claims it is “Trusted by 5,000+ law enforcement agencies.”
That number roughly lines up with the 5,730 agencies seen in search logs, and the ~6,400 “networks
searched” we see in network audit logs.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>Brookfield’s “ICE detainer” search, however, reveals a much bigger number: 25,263.</p>
<p>This search was logged twice, once at 04:10:13, and once at 04:10:31:<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<ul>
<li><strong>Name:</strong> “REDACTED”</li>
<li><strong>Organization:</strong> “North MO DTF Brookfield MO PD”</li>
<li><strong>Networks Searched:</strong> 25,263</li>
<li><strong>Devices Searched:</strong> “257,806”</li>
<li><strong>Time Frame:</strong> 10/30/2025, 10:06:10 PM UTC to 10/31/2025, 04:06:10 AM UTC</li>
<li><strong>License Plate:</strong> “REDACTED”</li>
<li><strong>Reason:</strong> “ICE detainer”</li>
<li><strong>Case #:</strong> “643”</li>
<li><strong>Filters:</strong> “REDACTED”</li>
<li><strong>Search Time:</strong> 10/31/2025, 04:10:13 AM UTC</li>
<li><strong>Type:</strong> “lookup”</li>
<li><strong>Text Prompt:</strong> <em>None</em></li>
<li><strong>Moderation:</strong> An issue was identified that caused the system to initiate unprocessed search
activity on a larger set of cameras than intended by the user. No footage or data from these
devices was accessed or viewed. The underlying bug has been fixed, and additional safeguards have
been implemented to prevent recurrence.</li>
</ul>
<p>The <em>moderation</em> field, which generally contains only the word <code>allow</code>, and is assumed to be the
outcome of Flock’s AI moderator checking for problematic searches, appears to contain a manually
entered case note instead.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></p>
<p>The critical phrase is: <strong>“No footage or data from these devices was accessed or viewed.”</strong></p>
<p>This implies that the 257,806 devices across 25,263 networks weren’t supposed to be <em>searched</em>, but
they actually do <em>exist</em> and have search and view capabilities.</p>
<p>This is both interesting and problematic. It is interesting because the size of Flock’s network is
the subject of some speculation. We can draw inferences from “total devices/networks searched,” but
we don’t know what individual agencies searched, or can access.</p>
<p>There are agencies that contractually have no restrictions on which Flock networks or cameras they
access, but these agencies don’t appear to conduct searches of significantly more networks or
devices than others. It’s possible that, in those cases, Flock only grants access to a subset of its
cameras, despite the terms.</p>
<p><a href="https://footnote4a.org/blog/network-size/joco.pdf" class="collapsible">Johnson County, IA MoU (unrestricted access)</a></p>
<div class="text-sm text-muted mb-4">
(<a href="https://footnote4a.org/pd/6730-johnson-county-ia-so/audit">Johnson County IA SO</a> & <a href="https://footnote4a.org/pd/8129-johnson-county-ia-so-inactive">Johnson County IA (inactive)</a> logs)
</div>
<p>Of course, the company treats audit logs—marketed as building community trust through transparency—
in much the same way as the CIA treats its “South America” Rolodex.</p>
<p>Still, knowing the background, we can continue <a href="https://footnote4a.org/news/flock-infer">inferring</a> based on these new log
entries showing 257,806 devices and 25,263 networks. The (plausible) facts:</p>
<ol>
<li>More than a quarter million Flock “devices” exist on Flock’s network.</li>
<li>Because this was a search for a plate, and the note mentions “footage” and “viewing,” all 257,806
“devices” are likely cameras (Falcon, Condor, Wing, etc.).</li>
<li>There are fewer than 25,263 agencies in the country;<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup> the figure of ~5,000–6,000 Flock-using
agencies is well-supported.</li>
<li>Even if the majority of the ~6,000 agencies had multiple networks, the total would not come close to
the 25,263 number.</li>
</ol>
<p>The only reasonable conclusion, based on the available information, is that <strong>the 25,263 number
includes Flock’s retail customers</strong>, like Lowe’s, Academy Sports, and FedEx.</p>
<p>But there’s another implication: California, Illinois, and Virginia have enacted laws restricting
immigration-related searches of their ALPR data. If Flock’s bug exposed cameras in those states to
an “ICE detainer” search—even if, as the company claims, “no footage or data was accessed or
viewed”—that’s a potential violation of state law that Flock has disclosed to no one except through
a log entry nobody was meant to read.</p>
<p>The fact that these 257,806 devices are collecting <a href="https://www.nbcnews.com/tech/tech-news/flock-police-cameras-scan-billions-month-sparking-protests-rcna230037">over twenty billion plate scans every
month</a> is interesting and terrifying in itself, but not a complete shock.</p>
<p>What is more shocking is that once again, Flock’s poor security practices are revealed.</p>
<p>Even assuming the implausible note is true, and these (presumed) retail devices were not searched,
the capability is clearly there.</p>
<p>That means Flock’s access control is done through various vendor-managed flags and roles, rather
than through secure measures like encryption.</p>
<p>When a retailer or government believes it is sharing “<a href="https://footnote4a.org/news/trojan-contracts">its data</a>” with local
police, rather than having Flock register a secure password or encryption key for the local agency,
it’s a permission checkbox: “go ahead and disclose it, Flock.”</p>
<p>That is not control, and it’s not security.<sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup> It’s trusting a vendor that has shown it can’t be
trusted. It leaves the door wide open to unauthorized access, uncontrolled dissemination, and
software bugs.</p>
<p>In all likelihood, Flock did not proactively disclose this incident or the details of its
investigation and remediation steps.<sup class="footnote-ref"><a href="#footnote6">[6]</a><a class="footnote-anchor" id="footnote-ref6"></a></sup> Instead, it chose to edit the “immutable” logs and
updated the “moderation” field. The logs don’t indicate the (supposedly) intended search scope, nor
is there any way to verify if any other edits were made.</p>
<p>Flock’s customers—whether private retailers or California cops—simply have no way of knowing if this
search touched or disclosed data from “their” networks.</p>
<p>All we have is a statement hidden in a log file that nobody reads, in a field not intended for it,
where the company assures us, without providing evidence, that multiple states’ prohibitions on
immigration-related searches were not violated through this search.</p>
<p>What’s more, Flock, a single private corporation, now operates a camera for every 1,000 American
adults.</p>
<p>The company wants there to be many more, all built on the same fundamentally flawed security
framework: “trust Flock.”</p>
<p>This search demonstrates—again—why we can’t allow that.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Some customers appear to have multiple networks, separated by product type (e.g. one network for
“Falcon” and one network for “Raven” <a href="https://footnote4a.org/news/overseas-data">voice detectors</a>). <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>These times differ fairly significantly from the search window time of 04:06:26. This could
indicate the user was slow to complete the search form, or may indicate system issues. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Again demonstrating the mutability of audit logs. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>17,541 in 2018, according to the
<a href="https://bjs.ojp.gov/library/publications/census-state-and-local-law-enforcement-agencies-2018-statistical-tables">Bureau of Labor Statistics</a> <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>It’s also expressly prohibited by CJISSECPOL. <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote6" class="footnote-item"><p>If it did, the disclosure should be available via open records request from any Flock-using
agency. If you have information that Flock took proactive steps,
<a href="mailto:hcvp@haveibeenflocked.com">reach out</a>. <a href="#footnote-ref6" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock and Cyble: Aligned Values (Part IV)]]></title>
            <link>https://footnote4a.org/news/cyble-part4</link>
            <guid isPermaLink="false">https://footnote4a.org/news/cyble-part4</guid>
            <pubDate>Wed, 31 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Y Combinator funds both surveillance infrastructure and the machinery to silence its critics.]]></description>
            <content:encoded><![CDATA[<div class="markdown-alert markdown-alert-note">
<p class="markdown-alert-title">Note</p>
<p>This article was updated on January 17, 2026 to include the <abbr class="md-tooltip" data-tooltip="Regional Organized Crime Information Center (&quot;Serving Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia and West Virginia, as well as Puerto Rico and the U.S. Virgin Islands.&quot;)">ROCIC</abbr>/FBI emails in the timeline.
See <a href="https://footnote4a.org/news/fbi-investigation">this article</a> for more detail.</p>
</div>
<p>Yesterday, I received a Flock customer email blast where
<a href="https://footnote4a.org/news/colwell-files">the company recommends leaving the nationwide network</a> to evade transparency.
It was sent out by Chris Colwell, Flock’s Vice-President of “Solutions Engineering”<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup>. Colwell
assures his police customers that “Flock has not been breached or compromised” and that the data
published on this site is “agency-released public-records data.”</p>
<p>That’s the version for Flock’s customers.</p>
<p>Behind the scenes, Flock and Cyble—companies birthed from the same Atlanta-area Y Combinator
network—are weaponizing opposing claims to silence a critic.</p>
<p>I wasn’t going to spend more time on Flock’s internal contradictions, but the sheer coordination of
this effort deserves a spotlight. It’s important that people know the type of company that local
elected officials are choosing to do business with, and that police are choosing to trust.</p>
<p>Flock knows they are on thin ice. If they filed meritless abuse notices themselves, they would be
wide open to a claim of tortious interference with a contract. A court case would open them up to
discovery—an expensive process where Flock’s internal communications would become public.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>So they use fellow Y Combinator company Cyble to do their dirty work. Send notices to take down a
critical website. Censorship-laundering. Of course, that can only really work if you keep your
plausible deniability plausible.</p>
<p>Flock being Flock … well, let’s go through it.</p>
<h2>The Timeline</h2>
<ul>
<li><strong>December 8</strong>: Flock sends out a mass email: “Flock has not been breached or compromised.” and
“websites like the one circulating online are using agency-released public-records data.”</li>
<li><strong>December 8</strong>: I receive a “Forgotten email notification” for the Cloudflare account.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></li>
<li><strong>Before December 10, 2025</strong>: Houston <abbr class="md-tooltip" data-tooltip="High Intensity Drug Trafficking Area">HIDTA</abbr> sends out a “Situational Awareness Bulletin” about
<a href="http://haveibeenflocked.com">haveibeenflocked.com</a>.</li>
<li><strong>December 10, 2025</strong>: <abbr class="md-tooltip" data-tooltip="Regional Organized Crime Information Center (&quot;Serving Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia and West Virginia, as well as Puerto Rico and the U.S. Virgin Islands.&quot;)">ROCIC</abbr><sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup> forwards the Houston bulletin to its coordinators.</li>
<li><strong>December 11</strong>: The FBI sends out an email to agencies stating “Flock has committed to removing
officer usernames from future audits.”</li>
<li><strong>December 12</strong>: I receive an email: “Cloudflare has received information that the following URL
violates Cloudflare’s Developer Platform Terms of Service, which prohibit content that discloses
sensitive personal information”</li>
<li><strong>December 16</strong>: Cloudflare slaps a “phishing interstitial” on the site and forwards a report
submitted by Thomas Siah, of Cyble:</li>
</ul>
<blockquote>
<p>Logs or other evidence of abuse: The mentioned website is wrongfully using our client’s registered
trademark in the fake web page. The use of the Client’s registered trademark descriptively in the
reported URL in order to disguise or phish the general public has not been authorized by our
client.</p>
</blockquote>
<ul>
<li>
<p><strong>December 19</strong>: Siah sends a report to Hetzner claiming: “The website publicly and deliberately
releases extensive, sensitive information obtained from Flock” and “Additionally, the website may
be used to phish the general public on the name of Flock Safety which is a serious concern to
notify you.”<sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup></p>
</li>
<li>
<p><strong>December 29</strong>: Siah “supplements” the complaint by claiming “the website publicly and
deliberately discloses extensive, sensitive information obtained from Flock and its automated
license plate reader (ALPR) systems with the apparent intent to undermine law enforcement
operations.”</p>
</li>
</ul>
<h2>Thomas Siah: The Real Agentic?</h2>
<div class="grid grid-cols-2 w-full gap-6">
    <img src="https://footnote4a.org/blog/cyble-part4/intel.png" alt="Cyble Vision" class="block">
    <img src="https://footnote4a.org/blog/cyble-part4/blaze-it.png" alt="Blaze AI" class="block">
</div>
<p>Cyble’s core offering and flagship product revolve around autonomous <s>brand rep</s>cybersecurity
threat enforcement by using agentic AI to send takedown notices.</p>
<p>This works for Cyble, because, in 2022, the company “<a href="https://www.prnewswire.com/news-releases/cyble-enters-into-a-threat-intelligence-contributor-partnership-with-virustotal-301586526.html">Enter[ed] into a Threat Intelligence
Contributor Partnership with VirusTotal</a>” — meaning Google-owned VirusTotal will consider
reports from Cyble’s platform credible.</p>
<p>The fact that no automated notices appear to have been submitted and VirusTotal comes back clean for
<a href="http://haveibeenflocked.com">haveibeenflocked.com</a> means that “Cyble Vision” or “Blaze AI” or whatever other label they slapped on
ChatGPT did not flag the website and did not send an automated report.</p>
<p>But Flock didn’t go to the Cyble website and hit “checkout” to be assigned an AI bot and (probably)
an agent in Bengaluru being paid starvation wages.<sup class="footnote-ref"><a href="#footnote6">[6]</a><a class="footnote-anchor" id="footnote-ref6"></a></sup> The person who filed the complaints
with Cloudflare and Hetzner, <a href="https://theorg.com/org/cyble/org-chart/thomas-siah">Thomas Siah</a>, was recently promoted(?) from being Cyble’s “Head
of Business Development, APAC,” to being its “Vice-President of Partner Success.”</p>
<p>If Cyble’s AI is as “agentic” as their marketing claims, why did a Vice President have to manually
file a report? Either the AI knows I’m not a threat, or the AI is a façade for manual censorship.</p>
<p>Whichever of these may be true, Cyble’s Singapore-based VP of Partner Success—and former Head of
Business Development for the Asia-Pacific region—Thomas Siah, has no business handling low-level
complaints for Flock.</p>
<p>Cyble is not a small company. It has offices and employees on multiple continents, and, according to
a quick search, has raised north of $40M in funding. And it’s no secret that “AI” companies often
use cheap offshore labor (<a href="https://footnote4a.org/news/overseas-data">Flock uses contractors for its AI detection</a>).
Cyble, very likely, is not the exception to this faux-rule.</p>
<p>But Siah is not cheap offshore labor. He is a high-level executive with a company that likely
carries a nine-figure valuation. It makes no sense for someone at the senior executive level in
Singapore to involve himself in managing a complaint against a website with a $10 hosting bill.</p>
<p>Unless that high-level executive coincidentally(?) graduated from the same Business Systems program
at Monash University in Melbourne, Australia, as Eric Tan, Flock’s former CIO.<sup class="footnote-ref"><a href="#footnote7">[7]</a><a class="footnote-anchor" id="footnote-ref7"></a></sup></p>
<p>Or unless the high-level executive works for another Y Combinator-backed company. And that company,
despite its main office being in Cupertino and its incorporation in Delaware, has its formal
headquarters in Alpharetta, next door to Flock. At an address registered to Cyble’s co-founder and
current COO Manish Chachada, who lists 25 years of “Full-time Senior Finance Executive” experience
in the Atlanta area on his public LinkedIn page.</p>
<p>It probably also helps for the executive filing the complaint to be in Singapore, outside the reach
of American courts.<sup class="footnote-ref"><a href="#footnote8">[8]</a><a class="footnote-anchor" id="footnote-ref8"></a></sup></p>
<h3>Y Combinator, Reddit, and Speaking Out</h3>
<p>This network of Y Combinator alumni—the tight-knit network both Flock and Cyble are part of—talks
about “aligned values” while it funds the surveillance infrastructure and the machinery to silence
its critics.</p>
<p><a href="https://x.com/garrytan/status/1856932483864170606">Flock’s first investors</a> were Y Combinator’s President and CEO Garry Tan, and Reddit
co-founder Alexis Ohanian. This led to Flock CEO Garrett Langley <a href="https://archive.is/Oh6TM">interviewing Ohanian for Flock’s
blog</a>.<sup class="footnote-ref"><a href="#footnote9">[9]</a><a class="footnote-anchor" id="footnote-ref9"></a></sup></p>
<p>In the interview, Langley starts a question with “One thing that Y Combinator pushes is the
relationship between co-founders.” YC partner Ohanian responds to that sentiment by doubling down:
“Where we align is where I really push founders to make sure they are aligned—on their values.”</p>
<p>Flock’s and Cyble’s values are aligned.</p>
<p>Stickied to the top of Alexis Ohanian’s <a href="https://www.reddit.com/user/kn0thing/">Reddit profile</a> is “<a href="https://www.reddit.com/r/blog/comments/5r43td/an_open_letter_to_the_reddit_community/">An Open Letter to
the Reddit Community</a>,” which railed against <a href="https://www.federalregister.gov/documents/2017/02/01/2017-02281/protecting-the-nation-from-foreign-terrorist-entry-into-the-united-states">Donald Trump’s January 2017 executive
order</a> directing DHS, the FBI, and intelligence agencies to implement:</p>
<blockquote>
<p>a process to evaluate the [visa] applicant’s likelihood of becoming a positively contributing
member of society and the applicant’s ability to make contributions to the national interest; and
a mechanism to assess whether or not the applicant has the intent to commit criminal or terrorist
acts. — <a href="https://www.federalregister.gov/documents/2017/02/01/2017-02281/protecting-the-nation-from-foreign-terrorist-entry-into-the-united-states">EO 13769</a>, “Protecting the Nation From Foreign Terrorist Entry Into the United
States”, January 27, 2017</p>
</blockquote>
<p>Ohanian strongly—and rightly—condemned the order, calling it “deeply un-American.”</p>
<p>Six months later, either not connecting dots or ignoring them, he first invested in Flock.</p>
<div class="grid grid-cols-2 gap-x-6 items-center">
    <img src="https://footnote4a.org/blog/cyble-part4/ohanian.png" alt="Photo of Langley and Ohanian at Flock">
    <img src="https://footnote4a.org/blog/cyble-part4/reddit.png" alt="Reddit post about Flock being used by ICE">
    <p class="text-xs block col-span-2 text-center mx-15">
        "Where we align is where I really push founders to make sure they are aligned—on their values.
        Specifically, complementary values and how founders work together."
        <br>
        <span class="text-xs block col-span-2 text-right">
            &mdash; Alexis Ohanian, Reddit Co-Founder and Flock investor, July 2, 2019
        </span>
    </p>
</div>
<p>Two years later, he told Garrett Langley “I have a Flock camera outside my home … I had the search
on vehicle color and it was able to pull up every white car that had passed by my camera.” Shortly
after that interview, his company contributed to another Flock funding round, alongside defense
investors Bedrock and Peter Thiel’s Founders Fund.</p>
<p>He then founded <a href="https://sevensevensix.com/">Seven Seven Six</a> and invested in Flock again—this time,
joined by Andreessen Horowitz.</p>
<p>His 2017 pro-immigrant, anti-authoritarian post is still stickied to his Reddit profile:</p>
<blockquote>
<p>Right now, Lady Liberty’s lamp is dimming, which is why it’s more important than ever that we
speak out and show up to support all those for whom it shines—past, present, and future. I ask you
to do this however you see fit, whether it’s calling your representative (this works, it’s how we
defeated SOPA + PIPA), marching in protest, donating to the ACLU, or voting, of course, and not
just for Presidential elections. — <a href="https://www.reddit.com/r/blog/comments/5r43td/an_open_letter_to_the_reddit_community/">/u/kn0thing</a>, An Open Letter to the Reddit
Community, January 30, 2017</p>
</blockquote>
<p>I am an immigrant speaking out against surveillance technology and the company deploying it.</p>
<p>A company that directly implements the 2017 executive order by using “<a href="https://www.aclu-wy.org/news/surveillance-company-flock-now-using-ai-report-us-police-if-it-thinks-our-movement-patterns-are/">predictive
intelligence</a>” to find “<a href="https://abc7news.com/post/border-patrol-is-monitoring-us-drivers-detaining-suspicious-travel-patterns/18180071/">suspicious travel patterns</a>” and determine whether anyone — not just
immigrants — “has the intent to commit criminal or terrorist acts.”</p>
<p>A deeply un-American company, whose only “aligned value” is profit.</p>
<p>We donated to the ACLU because we knew they would call this what it is: “<a href="https://www.aclu.org/news/privacy-technology/flock-roundup">authoritarian tracking
infrastructure</a>.”</p>
<p>We protested SOPA and PIPA because we knew large corporations send bullshit notices about trademarks
and phishing to shut down their critics.</p>
<p>Meanwhile, Flock has been using its investment money to <a href="https://therecord.media/flock-surveillance-technology-gunshot-voice-detection">detect human voices</a>, <a href="https://techcrunch.com/2025/01/08/flock-safety-quietly-hired-a-sitting-california-mayor-now-hes-suing-flock/">hire sitting
mayors</a>, <a href="https://footnote4a.org/news/reid">develop person-tracking</a>, and
<a href="https://footnote4a.org/news/cyble-downtime">pay Thomas Siah to shut down websites</a> … <a href="https://www.theguardian.com/us-news/2025/oct/04/ice-chicago-extreme-force-protesters-journalists">for officer safety</a>.</p>
<p>Lady Liberty’s lamp isn’t dimming—it’s being used to read your plates.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>A title that sounds impressive but obfuscates his actual role. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Their lawyers are also probably busy drafting a motion to intervene in <a href="https://www.courthousenews.com/san-francisco-man-sues-city-police-department-over-flock-camera-surveillance/">Michael Moore v.
SFPD</a>, the class action lawsuit filed in the N.D. of San Francisco last Sunday. The
Plaintiff’s attorney is Ramzi Abadou, who, according to his <a href="https://www.law.berkeley.edu/our-faculty/faculty-profiles/ramzi-abadou/">profile at Berkeley Law</a>, “has
been responsible for securing securities class action fraud recoveries exceeding $1.5 billion.”
These are about to be interesting times for Flock. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Related to Flock? Who knows. The notification arriving shortly after an email blast sent out to
a bunch of cops raises questions in my mind. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p><abbr class="md-tooltip" data-tooltip="Regional Organized Crime Information Center (&quot;Serving Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia and West Virginia, as well as Puerto Rico and the U.S. Virgin Islands.&quot;)">ROCIC</abbr> is one of the <abbr class="md-tooltip" data-tooltip="Regional Information Sharing">RISS</abbr>—the <a href="https://footnote4a.org/news/riss-shell-game">federally funded, private corporations police use to
backdoor surveillance and sidestep oversight</a>. <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>This is the one where Siah used <a href="https://footnote4a.org/news/cyble-part3">pirated software</a> from a German “brand
reputation” company GlobalEyez to submit
<a href="https://footnote4a.org/blog/cyble-part3/globaleyez.jpg">a screenshot proving … input validation(?)</a> <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote6" class="footnote-item"><p>I have yet to see confirmation that Flock is a Cyble customer. Given the nature of both
companies, I would expect one of them to do a press release announcing a “strategic
partnership.” The attachment Siah hinted at in <a href="https://footnote4a.org/news/cyble-part3">Part III</a> sounds like it
might show that Flock <em>is</em> a customer—I will update if Hetzner forwards it. <a href="#footnote-ref6" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote7" class="footnote-item"><p>Tan left the company in September 2025. <a href="#footnote-ref7" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote8" class="footnote-item"><p>That said, I question the wisdom of putting the words “govt agencies” and “kindly suspend the
services” so close together. It’s a good thing I’m not a contract lawyer and don’t know Latin. <a href="#footnote-ref8" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote9" class="footnote-item"><p>Initialized would contribute to Flock’s $47M Series C funding round a few months later. <a href="#footnote-ref9" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock and Cyble Inc. Pile on the Allegations with no Evidence in Sight (Part III)]]></title>
            <link>https://footnote4a.org/news/cyble-part3</link>
            <guid isPermaLink="false">https://footnote4a.org/news/cyble-part3</guid>
            <pubDate>Mon, 29 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[The third installment in this series on when a government contractor pays a company for "Takedown Services" to prevent transparency in government]]></description>
            <content:encoded><![CDATA[<p>If you missed <a href="https://footnote4a.org/news/cyble-downtime">Part I</a> involving Cloudflare (who, to date, have not
responded), or <a href="https://footnote4a.org/news/cyble-part2">Part II</a>, in which Cyble and Flock accuse me of phishing and
trademark infringement, you may want to read those parts first.</p>
<p>This morning, Cyble sent a follow-up notice to Hetzner, the German cloud provider currently hosting
this website. In it, they claim that this “website poses an immediate threat to public safety and
exposes law enforcement officers to danger, in clear violation of our client’s users’ rights and its
intellectual property rights.”</p>
<p>Cyble does not offer any evidence, nor any details regarding Flock’s apparently exclusive
intellectual property right on posing a threat to public safety.</p>
<h2>Part 2.5: Oops, I missed a part</h2>
<p><em>(Edit: December 29, 3:45 pm, Cornfield Standard Time)</em>: Apparently, I missed an attachment that was
sent along with <a href="https://footnote4a.org/news/cyble-part2">the first statement to Hetzner</a>. In the interest of fair
reporting, I decided to edit this post and include it here rather than burying it in an old post. I
want to be sure I provide an accurate view of the weight of the evidence presented by Flock, via
Cyble:</p>
<p><img src="https://footnote4a.org/blog/cyble-part3/globaleyez.jpg" alt="GlobalEyez Screenseal"></p>
<p>Don’t attempt to adjust your screen — they did, in fact, send it as a JPEG. The QR code contains the
text <code>https://haveibeenflocked.com/</code>.</p>
<p>The screenshot appears to show most of this website’s IP address in the front-page input box, with a
message saying it’s not a valid license plate.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> I have no idea why.</p>
<p>The text in the screenshot is a little hard to read because of the watermarking, but if you zoom in,
you’ll see the following notice:</p>
<p><img src="https://footnote4a.org/blog/cyble-part3/commercial.png" alt="&quot;Not for commercial use&quot;"></p>
<p><a href="https://www.globaleyez.net/en/">GlobalEyez</a> appears to be a Cologne-based “brand protection”
company that charges $20 for the “Screenseal” tool used here.</p>
<p>It’s a tool that certifies the integrity and authenticity of screenshots. You know, to be able to
prove in court that images are genuine; a higher standard than Flock applies to its own ALPR images.</p>
<p>It looks like that $20 was simply too much for Cyble (<a href="https://www.crunchbase.com/organization/cyble">$44.8M raised</a>) or a16z-backed
Flock (<a href="https://www.crunchbase.com/organization/flock-safety">$655.6M raised</a>) to bear. They pirated software to file a complaint about
intellectual property infringement.</p>
<h2>Part III: Cyble’s Second Attempt</h2>
<p>What follows is Cyble’s full second statement, as well as my response.</p>
<p>Hetzner’s email:</p>
<blockquote>
<p>Dear Mr van Pelt,</p>
<p>We have received an abuse report for your IP address 5.78.142.181.</p>
<p>This is the complainant’s answer:</p>
<hr>
<p>We are writing to update you on our complaint regarding this website, which presents a significant
security risk to our client and its users. The website poses an immediate threat to public safety
and exposes law enforcement officers to danger, in clear violation of our client’s users’ rights
and its intellectual property rights.</p>
<p>The website publicly and deliberately discloses extensive, sensitive information obtained from
Flock and its automated license plate reader (ALPR) systems with the apparent intent to undermine
law enforcement operations. It hosts three searchable databases that expose critical operational
intelligence. Such disclosure of sensitive data substantially heightens the risk to officers and
the public and necessitates urgent remedial action.</p>
<p>Please be informed that our client is a renowned company in US and directly works with govt
agencies.</p>
<p>Attached is the letter from our Client in support of the complaint for your reference.</p>
<p>In view of the above, kindly suspend the services and stop the hosting of the website at the
earliest convenience.</p>
<hr>
<p>We will need a reply from you within the next <em>24 hours</em>.</p>
</blockquote>
<h2>Response</h2>
<blockquote>
<p>Dear Hetzner,</p>
<p>The complainant’s latest response significantly shifts his allegations, effectively abandoning the
original claims of “phishing” and “trademark infringement.” He has now pivoted to vague,
unsubstantiated accusations regarding “public safety” and “intellectual property.”</p>
<p>The complainant refers to a “letter from our Client in support of the complaint for your
reference.” This letter was not included in the notice sent to me. I cannot respond to claims I
have not seen, and I request that Hetzner forward this document immediately if it is being used to
evaluate this complaint.</p>
<p>The complainant mischaracterizes the data on my website. These are not “sensitive information
obtained from Flock”; they are public records released by government agencies under state public
records laws. These records document the use of surveillance technology by public tax-funded
entities. The publication of such records is a protected journalistic activity.</p>
<p>As Mr. Siah points out, his alleged client “directly works with govt agencies.” Had any of these
agencies believed they were endangered by my speech, or that I am engaged in any criminal act such
as interfering with law enforcement operations, they would surely have knocked on my door.</p>
<p>Instead, Mr. Siah—who is not, to my knowledge, an attorney—asks you to accept an informal
complaint on behalf of his employer (Cyble), on behalf of their client (Flock), on behalf of an
unnamed agency allegedly “in danger” from information he has not identified, on a website he has
not meaningfully described. This is a transparent attempt to use a hosting provider’s phishing
complaint process to bypass the legal standards required for a court-ordered takedown—standards
Mr. Siah knows he could not possibly meet.</p>
<p>While the complainant also newly mentions “intellectual property rights,” he has failed to
identify any specific copyrighted material or patented technology being infringed. Mr. Siah
appears simply to be trawling through legal theories and accusations, hoping one will stick—an
ironic strategy for a complaint filed under “phishing.”</p>
<p>In summary, this complaint should be dismissed as frivolous. The complainant has failed to
identify any violation of Hetzner’s Terms of Service, any applicable law, or any actual abuse. If
the complainant or his alleged client, or <em>their</em> alleged government clients, wish to challenge my
exercise of free speech or my lawful publication of public records, avenues exist outside
Hetzner’s phishing complaint process.</p>
</blockquote>
<p>I will update this post when Hetzner responds. In the meantime, the site remains online, the public
records remain searchable, and the audit logs continue to tell stories the company would rather you
not read—like yesterday’s article on
<a href="https://footnote4a.org/news/amber-reasons">how 3,466 Flock searches failed to find a missing teen, while a woman at a Nebraska truck stop succeeded</a>,
or the newly-published logs showing a Texas officer justified a 30-day nationwide location history
lookup with the reason “<a href="https://footnote4a.org/profiling-records?q=gypsy&amp;sort=date_desc">gypsy crap</a>.”</p>
<h2 id="flock">Part III + ½: Support from Flock</h2>
<p>It turns out
<a href="https://footnote4a.org/blog/colwell-files/email.pdf">Flock already sent a statement in support of haveibeenflocked.com</a>
to its customers.</p>
<p>I forwarded it to Hetzner:</p>
<blockquote>
<p>Dear Hetzner,</p>
<p>Please find attached a customer communication from Flock Safety discussing my website—the same
website Cyble alleges “discloses extensive, sensitive information obtained from Flock.”</p>
<p>In this email, dated December 8, 2025, Chris Colwell, Flock’s Vice President of Solution
Engineering, writes to “provide factual context about what is happening”:</p>
<blockquote>
<p>Recently, a third-party website began aggregating search information that appears to have been
released through these public-records processes.</p>
</blockquote>
<p>And, under “What’s happening”:</p>
<blockquote>
<p>Based on what we have seen, websites like the one circulating online are using agency-released
public-records data.</p>
</blockquote>
<p>The email lists customer “concerns.” Causing “concerns” about government surveillance is a side
effect of legitimate, transparent reporting. It is neither “phishing,” nor a violation of
Hetzner’s Terms of Service.</p>
<p>Flock’s own communications confirm what I have stated from the outset: my website publishes
government records released through public records processes. This is protected journalism, not
“phishing.”</p>
<p>Nevertheless, nine days after Flock’s email, Cyble filed a phishing complaint with Hetzner.
Instead of presenting any evidence of any violation, Cyble made various unsupported allegations
about copyright and trademarks.</p>
<p>Flock knew the nature of my website before it sent Cyble to file the complaint. It was a
deliberate fabrication to shut down reporting on the company’s activities.</p>
<p>I ask again that this baseless complaint be dismissed. No evidence of any violation has been
presented, and the complainant’s own client has contradicted the allegations in writing.</p>
<p>I also respectfully suggest that Hetzner consider whether Cyble should remain a trusted source for
abuse reports, given their demonstrated willingness to misuse this process against legitimate
customers.</p>
<p>Finally, in the interest of transparency and potential further actions, I request that Hetzner
forward the attachment referenced—but not included—in the previous notification.</p>
</blockquote>
<p>Good looking out, Flock.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Because, unlike Flock’s “reason” field,
<a href="https://footnote4a.org/news/dupage-county-2">my inputs don’t accept arbitrary values</a>. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[The "Public Roads" Myth: Why Mass Surveillance Violates the Fourth Amendment]]></title>
            <link>https://footnote4a.org/news/public-roads</link>
            <guid isPermaLink="false">https://footnote4a.org/news/public-roads</guid>
            <pubDate>Thu, 18 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[The Fourth Amendment protects people, not places.]]></description>
            <content:encoded><![CDATA[<p>One of the most persistent arguments for mass surveillance is that “there is no reasonable
expectation of privacy on public roads.” Proponents argue that when the government hires companies
like Flock to track citizens, no rights are violated because the tracking happens in public.</p>
<p>This reasoning is an annoying legal anachronism. It relies on a version of the law that died
in 1967.</p>
<p>The government’s focus on the “public” nature of the road is exactly the “misleading” formulation
the Supreme Court warned about in <em>Katz v. United States</em>, a case often erroneously cited in support
of the “public roads” argument.</p>
<p>In that case, the government argued that a phone booth was a public area and therefore not
“constitutionally protected.” The Court rejected that geography-based argument as a distraction:</p>
<blockquote>
<p>For the Fourth Amendment protects <strong>people, not places</strong>. […] This effort to decide whether or
not a given ‘area,’ viewed in the abstract, is ‘constitutionally protected’ deflects attention
from the problem presented by this case. — <em>389 U.S. 347, 351 (1967)</em>.</p>
</blockquote>
<p>While the majority established the “people, not places” rule, Justice Harlan’s concurrence in <em>Katz</em>
created the two-pronged test courts use today to determine if a search occurred:</p>
<ol>
<li>Subjective: Did the person exhibit an actual expectation of privacy?</li>
<li>Objective: Is that expectation one that society recognizes as “reasonable”?</li>
</ol>
<p>Crucially, Harlan noted that even in areas accessible to the public (like a telephone booth), an
individual can still hold a constitutionally protected interest in their privacy.</p>
<p>In 2018, the Court addressed this again in <em>Carpenter v. United States</em> — another case that often
comes up in the Flock debate.</p>
<p>The government argued that location records weren’t protected because they were held by a third
party (Sprint) and tracked movement in the public sphere.</p>
<p>The Court flatly disagreed, echoing the logic of the <em>Katz</em> Court when addressing both elements of
that claim:</p>
<blockquote>
<p>A person does not surrender all Fourth Amendment protection by venturing into the public sphere. —
<em>585 U.S. 296, 310 (2018)</em>.</p>
</blockquote>
<p>And,</p>
<blockquote>
<p>[The “third-party business records”] distinction does not negate Carpenter’s anticipation of
privacy in his physical location. — <em>585 U.S. 296, 311 (2018)</em>.</p>
</blockquote>
<p>The Court made it clear: just because your privacy interests are “diminished” in public does not
mean the Fourth Amendment “falls out of the picture entirely.”</p>
<p>That message in <em>Carpenter</em> echoed <em>Katz</em>: People, not places.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>Whether the data is collected by a third-party contractor, obtained through commercial channels, or
recorded on a public street, the legal line is consistent: The protection follows the person.</p>
<p>The argument that “there is no privacy on a public road” is a relic of pre-1967 thinking.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>What the <em>Carpenter</em> Court did <em>not</em> say is what Norfolk (in <em>Schmidt v. Norfolk</em>) claims: that
the Fourth Amendment <em>only</em> applies to “the whole of a person’s movements.” <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock and Cyble Inc. Continue to File False Notices]]></title>
            <link>https://footnote4a.org/news/cyble-part2</link>
            <guid isPermaLink="false">https://footnote4a.org/news/cyble-part2</guid>
            <pubDate>Wed, 17 Dec 2025 14:00:00 GMT</pubDate>
            <description><![CDATA[When a government contractor pays a company for "Takedown Services" to prevent transparency in government (Part II)]]></description>
            <content:encoded><![CDATA[<p>If you missed yesterday’s <a href="https://footnote4a.org/news/cyble-downtime">Part I</a>, go read that first. As of right now,
December 17, 2pm Cornfield Standard Time, Cloudflare is still reviewing the notice from Part I. The
same Cyble, Inc. employee has now filed a similar notice with Hetzner, <a href="http://haveibeenflocked.com">haveibeenflocked.com</a>’s
current hosting provider.</p>
<p>The full text of the abuse notice is below, as well as the complete response.</p>
<p>Stay tuned.</p>
<h2>Notice (Part 2)</h2>
<pre>
Form Data
===============================================
Name: Thomas Siah
E-Mail: response@cyble.com
Language: en
Forward report: ALLOWED
===============================================
Abuse data
===============================================
Source: haveibeenflocked.com
Category: phishing
Description:
------------------------------------
</pre>
<blockquote>
<p>Cyble Inc. represents Flock Group Inc. (hereinafter ‘our Client’),in the monitoring and worldwide
enforcement of its brand presence.</p>
<p>Our Client is the registered owner of the trademark “Flock Safety” including USA under
registration number 6842958. Please see the official website <a href="https://www.flocksafety.com/">https://www.flocksafety.com/</a>.</p>
<p>We recently became aware of the URL of which you are the named administrative contact. The website
publicly and deliberately releases extensive, sensitive information obtained from Flock .</p>
<p>Additionally, the website may be used to phish the general public on the name of Flock Safety
which is a serious concern to notify you.</p>
</blockquote>
<pre>
Infringing URLs : &lt;https://haveibeenflocked.com/&gt;
5.78.142.181
</pre>
<h2>The Response</h2>
<p>Dear Hetzner Abuse Team,</p>
<p>This complaint should be dismissed. It is the second frivolous takedown attempt by the same
complainant within days, and—like the first—it fails to identify any specific violation of Hetzner’s
Terms of Service, any applicable law, or any actual abuse.</p>
<p>The complaint is labeled “phishing” but describes no phishing. The complainant:</p>
<ul>
<li>Identifies no deceptive content</li>
<li>Identifies no attempt to harvest credentials or sensitive data</li>
<li>Identifies no impersonation of Flock Safety</li>
<li>Provides no evidence supporting his speculation that the site “may be used to phish”</li>
</ul>
<p>The site’s only input fields accept license plate numbers (which are hashed client-side before
transmission and cannot be harvested) and general search queries. There is no login, no credential
collection, no payment processing.</p>
<p>The complainant mentions Flock’s trademark registration but alleges no trademark infringement. Any
references to Flock Group, Inc. constitute nominative fair use—the same principle that permits
Consumer Reports to name the products it reviews.</p>
<p>The website is a transparency and accountability tool. It indexes government records released
through public records requests (FOIA equivalents), makes them searchable, and provides interpretive
analysis.</p>
<p>These records—typically audit logs showing how law enforcement agencies use Flock’s surveillance
network—are released by government entities, not obtained through any unauthorized means.</p>
<p>This is journalism, and it serves the public interest. Flock’s practices are subjects of legitimate
public concern, as documented by:</p>
<ul>
<li>ACLU: <a href="https://www.aclu.org/news/privacy-technology/flock-roundup">https://www.aclu.org/news/privacy-technology/flock-roundup</a></li>
<li>EFF:
<a href="https://www.eff.org/deeplinks/2025/11/how-cops-are-using-flock-safetys-alpr-network-surveil-protesters-and-activists">https://www.eff.org/deeplinks/2025/11/how-cops-are-using-flock-safetys-alpr-network-surveil-protesters-and-activists</a></li>
<li>404 Media:
<a href="https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/">https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/</a></li>
<li>Wired: <a href="https://www.wired.com/story/flock-uses-overseas-gig-workers-to-build-its-surveillance-ai/">https://www.wired.com/story/flock-uses-overseas-gig-workers-to-build-its-surveillance-ai/</a></li>
<li>US News:
<a href="https://www.usnews.com/news/us/articles/2025-11-20/georgia-police-chief-charged-with-using-license-plate-readers-to-stalk-and-harass-people">https://www.usnews.com/news/us/articles/2025-11-20/georgia-police-chief-charged-with-using-license-plate-readers-to-stalk-and-harass-people</a></li>
</ul>
<p>Examples of the government-released records indexed on the site:</p>
<ul>
<li><a href="https://www.muckrock.com/foi/mount-prospect-8189/flock-safety-alpr-audits-2025-mount-prospect-police-department-186694/files/">https://www.muckrock.com/foi/mount-prospect-8189/flock-safety-alpr-audits-2025-mount-prospect-police-department-186694/files/</a></li>
<li><a href="https://www.muckrock.com/foi/prosser-8485/flock-safety-search-audits-network-sharing-and-general-order-prosser-police-department-186565/">https://www.muckrock.com/foi/prosser-8485/flock-safety-search-audits-network-sharing-and-general-order-prosser-police-department-186565/</a></li>
</ul>
<p>Flock itself publicly extols such transparency, describing audit logs on its own website as “the
living record that shows every search, every audit, every moment where technology intersects with
justice.”
(<a href="https://www.flocksafety.com/blog/policy-pulse-transparency-control-and-the-path-forward">https://www.flocksafety.com/blog/policy-pulse-transparency-control-and-the-path-forward</a>)</p>
<p>The complainant, Thomas Siah of Cyble Inc., has now submitted two successive takedown requests in
short order. Neither complaint:</p>
<ul>
<li>Demonstrates any relationship between Cyble Inc. and Flock Group, Inc.</li>
<li>Establishes authority to act as Flock’s agent</li>
<li>Identifies any specific unlawful content</li>
<li>Provides evidence of any actual abuse</li>
</ul>
<p>This is a transparent attempt to use Hetzner’s abuse process to suppress speech critical of a
surveillance company—the kind of abuse that hosting provider policies are not designed to
facilitate.</p>
<p>I respectfully request that Hetzner dismiss this complaint and note the pattern of frivolous
submissions from this complainant.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock Records Cops, Sends Recordings to Denmark]]></title>
            <link>https://footnote4a.org/news/dps-denmark</link>
            <guid isPermaLink="false">https://footnote4a.org/news/dps-denmark</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Evidence reveals Flock records police sessions and transmits raw data to foreign vendors, bypassing security controls. A complaint to Iowa DPS details active security incidents, the use of unvetted foreign contractors, and a software feature allowing users to unilaterally and silently suppress NCIC alerts organization-wide.]]></description>
            <content:encoded><![CDATA[<p>“<em>Everything you do is being watched and recorded.</em>”</p>
<p>The warning that Flock sends America equally applies to its own customers. Flock doesn’t limit
itself to
<a href="https://footnote4a.org/news/overseas-data">gig-workers in the Philippines classifying screams heard on American streets</a>;
it records its users’ screens and sends those recordings to commercial vendors in Denmark and the
United States.</p>
<p>If you have recently attended a city council meeting discussing surveillance, you’ll have noticed
that Flock, police, and their council members often dismiss warnings of harm and abuse as
speculative. The overarching theme is that police encourage elected officials to react to
violations, not to expend effort trying to prevent them.</p>
<p>But the Internet is not a big truck. You can’t put the toothpaste back in its tubes. That’s why we
have rules, regulations, and safeguards: to <em>prevent</em> harm from occurring. Here in Iowa, we have
Chapter 692. Federally, we have the FBI’s NCIC (CJIS) framework. These frameworks require contracts,
audits, and, perhaps most importantly, continuous careful monitoring and oversight.</p>
<p>The letter below, sent today to the Iowa Department of Public Safety, details how Flock’s security
failures not only undermine the integrity of the federal NCIC system but also allow individual users
to “silence” felony warrants organization-wide without approval.</p>
<p>Maybe Flock’s CEO’s “it is a local decision. Not my decision, and not Flock’s decision” extends to
federal warrants and mitigating critical P1 vulnerabilities.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> For obvious reasons, federal law
would disagree.</p>
<h2>The Complaint</h2>
<p>I normally don’t post direct copies of my communications with Iowa agencies. What you see posted
here tends to be summaries and excerpts. Not because I think they should be secret, but because
there are quite a few. Responses are few and <a href="https://footnote4a.org/news/iowa-logs">tend to be highly inconsistent</a>.</p>
<p>The letter below is an episode in a long, continuing series that began well before the
<a href="https://footnote4a.org/news/federal-insecurity">Iowa Department of Public Safety determined Flock operates a federally regulated system</a>.</p>
<p>Iowa DPS has been ignoring most of my letters and complaints for a few years now.</p>
<p>This one documents some fairly egregious violations.</p>
<p>Are you a defense attorney looking to prove a police officer went on an unconstitutional fishing
expedition, or entered a bunch of bullshit into the hotlist system? Congrats, you can subpoena the
screen recordings directly from Flock’s vendors.</p>
<p>The harm itself has been done. It can’t be undone. It can only be mitigated.</p>
<p>But it won’t be.</p>
<hr>
<p class="text-right">December 17, 2025</p>
<p>To the Iowa Department of Public Safety:</p>
<p>I am writing to formally notify the Department, in its capacity as the CJIS Systems Agency (CSA), of
active security incidents involving the unauthorized transmission of Criminal Justice Information
(CJI) and the existence of multiple software mechanisms undermining the integrity of the NCIC
system.</p>
<p>These violations involving Flock Group, Inc. (dba “Flock Safety”) are distinct from the federal
grant and CJIS Security Policy (CJISSECPOL) compliance issues I reported in separate communications
in October, November, and December. Although the Department found in September 2025 that this vendor
operates a regulated criminal justice information system, these unauthorized disseminations of CJI
are occurring regardless of the system’s formal classification.</p>
<p>The Department must address these critical data spills under both its contractual obligations and
authority as the CSA in the FBI’s CJIS program, and its distinct statutory authority under Iowa Code
Chapter 692 to oversee statutory restrictions on the dissemination of intelligence data and criminal
history information.</p>
<h3>UNAUTHORIZED TRANSMISSION TO FOREIGN AND COMMERCIAL ENTITIES</h3>
<p>The Flock platform integrates third-party surveillance code that bypasses privacy controls and
transmits CJI to unauthorized vendors. Several of Flock’s applications load executable code directly
from servers operated by “Fullview,” a Danish corporation. Fullview is designed to “see the user[']s
screen to be contextually aware,” granting unvetted foreign nationals access to active CJIS
sessions. In addition to Fullview, Flock enables the behavioral analytics vendor “Fullstory” to
separately record user sessions. While Fullstory includes limited “masking” functionality, Flock’s
“hotlist” application contains custom code (see Appendix A) that is explicitly programmed to capture
raw HTML code—including the CJI it may contain—and transmit it to third-party servers before masking
can occur.</p>
<p>On December 1, 2025, national media—including <em>Wired</em> and <em>404Media</em>—confirmed Flock as using
“Upwork” contractors in the Philippines, to manually annotate images and audio. This practice
creates a pathway through which images and audio recordings are made accessible to unvetted foreign
nationals for manual review. Dissemination of CJI in this way is a direct violation of CJISSECPOL’s
controls on foreign national access.</p>
<p>The system transmits user identities (names, emails, agency affiliations) to Twilio Segment along
with behavioral metadata (see Appendix B). This mechanism becomes critical considering the May 2025
“Altoona/Texas” incident I reported on November 29, wherein an officer entered full names, dates of
birth, and criminal history details regarding an active Texas investigation into a non-validated
Flock “reason” field. Because Segment links specific user identities to these metadata fields, the
automated fanning out of this data via commercial connectors creates an uncontrolled dissemination
vector. This subjects sensitive investigative data to commercial data mining and persists it on
systems not authorized to process CJI.</p>
<h3>SYSTEMIC FAILURE TO MONITOR</h3>
<p>In addition to the publicly disclosed “foreign worker” vulnerability, “P1” (as defined by
CJISSECPOL) vulnerabilities came to light in May and November of 2025. Flock published these via
NIST’s National Vulnerability Database and through direct customer advisories.</p>
<p>The Department appears to have taken no documented action in response to these disclosures by its
vendor. On December 8, 2025, the Department responded to my open records request, stating it
possessed “no responsive documents” regarding Flock vulnerabilities or incidents between February 1
and November 26, 2025.</p>
<p>The absence of any records or correspondence regarding confirmed breaches constitutes an admission
of systemic failure. It demonstrates a total collapse of the “continuous monitoring” required by
CJISSECPOL. Each of the 50+ Iowa Contracting Government Agencies (CGAs) should have disclosed these
incidents to the CSA. Any audit DPS conducted after February 2025 should have revealed these issues.
The Department neither asserts implausible ignorance, nor does it act.</p>
<h3>UNILATERAL, UNMONITORED SUPPRESSION OF NCIC ALERTS</h3>
<p>The software includes an alert suppression feature permitting individual users to permanently
silence NCIC alerts organization-wide (see Appendix C). This allows a single user to unilaterally
blind an entire agency to active warrants for violent felonies or stolen vehicles, creating
operational risks to officer safety and liability for the Department.</p>
<p>The suppression mechanism lacks a mandatory multi-step approval workflow, and there is no evidence
that it generates CJIS-compliant audit logs accessible to the Local Agency Security Officer (LASO).
Without LASO-accessible logs, the CGA or Department cannot verify how many valid NCIC hits have been
hidden from Iowa officers.</p>
<h3>ACTIONS REQUIRED</h3>
<p>The Department cannot claim this system is compliant for grant purposes while continuing to ignore
active data breaches. The Department also remains statutorily obligated to enforce compliance with
Iowa Code Chapter 692, under which the same set of facts gives rise to distinct violations.</p>
<p>In addition to the actions previously requested of the Department and the Bureau, I request the
Department immediately take the following actions:</p>
<ul>
<li>Order the immediate cessation of data connections to third-party session recording tools,
including Denmark-based “Fullview,” until these entities have demonstrated they meet the
requirements for handling Iowa CJI.</li>
<li>Order the immediate cessation of the use of offshore annotation for Iowa data until the vendor
demonstrates that no unvetted foreign nationals have access to Iowa intelligence data or media.</li>
<li>Direct the vendor to disable the “NCIC Suppression” feature statewide until it is proven that
compliant audit logging is active and accessible to LASOs, and that no valid warrants have been
permanently silenced to date.</li>
<li>Treat the transmission of unmasked hotlist data to Fullstory/Fullview and the offshore access as a
confirmed “Information Spillage” event and initiate the mandatory incident response capability to
assess the scope of the data loss.</li>
<li>Order the preservation of all vendor logs related to “suppressed hits” and transmitted metadata to
prevent the spoliation of evidence regarding silenced NCIC alerts and Information Spillage.</li>
</ul>
<p>I request a substantive response within fifteen calendar days.</p>
<p class="text-right"><em>CC</em>: Rusty Ringler, Bureau Chief &amp; CSO<br> Catherine Lucas, General Counsel<br> FBI Information
Security Officer<br> FBI CJIS Audit Team</p>
<hr>
<h3>APPENDIX A: FULLSTORY CODE IN “HOTLIST” APPLICATION</h3>
<pre><code class="language-javascript">// Attaches click listener to all events, calling ‘restart’
static handleClicks() {
  document.addEventListener(&quot;click&quot;, this.restart.bind(this), { capture: !0 });
}
// ‘restart’ calls sendClickedElement
static restart(e) {
  this.timerRef &amp;&amp; (window.clearTimeout(this.timerRef), this.timerRef = null),
    this.startTimer(), !this.isRecording &amp;&amp; (FS.restart(),
    this.sendClickedElement(e), this.isRecording = !0)
}
// Sends t.outerHTML (before masking) to Fullstory
static sendClickedElement(e) {
  let t = e.target, a = t &amp;&amp; t.outerHTML ? t.outerHTML : &quot;&lt;html not found&gt;&quot;,
    i = a.length &gt; this.CLICKED_ELEMENT_HTML_LIMIT ?
    &quot;&quot;.concat(a.slice(0, this.CLICKED_ELEMENT_HTML_LIMIT), &quot;...(too many characters)&quot;) : a;

  FS.event(this.restartEventName, {
    clickedElementOuterHTML_str: i
  })
}

</code></pre>
<hr>
<h3>APPENDIX B: TWILIO SEGMENT INTEGRATION</h3>
<pre><code class="language-javascript">// Initialize Segment
t0 = a(52295).b.load({ writeKey: e6.segmentKey });

// Identify the user by name, email, organization
MY = () =&gt; {
  let e = (0, ej.v9)(tq.selectors.selectAccount);

  (0, eC.useEffect)(() =&gt; {
    e &amp;&amp; (t0.identify(e.id, {
      name: e.name,
      email: e.email,
      organizationId: e.organizationId,
      organizationName: e.orgName,
      organizationType: e.orgType
    }), t0.group(e.organizationId, {
      organizationName: e.orgName,
      organizationType: e.orgType
    }))
  }, [e])
}

// Create a Raven export tracking event associated with the user
t0.track(&quot;Raven PDF Export Selected&quot;)

// Track a user-associated event for the hotlist application
ad = () =&gt; ({
  track: (0, eC.useCallback)((e, t) =&gt; {
    t0.track(e, { ...t, hostName: &quot;hotlistBeta&quot; })
  }, []),
  trackDebounced: (0, eC.useMemo)(() =&gt; (0, as.debounce)((e, t) =&gt; {
    t0.track(e, { ...t, hostName: &quot;hotlistBeta&quot; })
  }, 2e3), [])
})

</code></pre>
<p><em>Note</em>: This code demonstrates the mechanism by which user identities and behavioral events are
transmitted to Segment. The “Altoona/Texas” incident referenced above demonstrates that users enter
CJI into the metadata fields that this system captures and transmits.</p>
<hr>
<h3>APPENDIX C: NCIC SUPPRESSION</h3>
<pre><code class="language-javascript">// Suppression API endpoint
async function oY(e) { // CREATE suppressed hit
  let t = await aI(&quot;POST&quot;, e),
  a = await fetch(&quot;&quot;.concat(e6.apiUrl,
  &quot;/api/v1/organization/suppressedHits&quot;), t);
}

// UI text confirming organization-wide scope
children: &quot;Suppressed hits will not send alerts to any user in your organization.&quot;;

// NCIC as suppressible source type
sourceName: &quot;NCIC&quot;,
reason: &quot;Sex Offender&quot;,

// Suppressed hits silently filtered from notification stream
if (&quot;suppressionId&quot; in t &amp;&amp; t.suppressionId) break;

// Logging goes to Segment analytics, not CJIS-compliant audit system
n(&quot;Suppressed Hit Saved&quot;, {
suppressedHitSettings: { expiration: e.expiry || &quot;none&quot; }
});

</code></pre>
<p><em>Note</em>: This code demonstrates that (1) any user with the canManageSuppressedHits permission can
suppress alerts organization-wide without an approval workflow; (2) NCIC is a suppressible source type;
(3) suppressed alerts are silently dropped from the notification stream; and (4) logging goes to
commercial analytics (Twilio Segment), not CJIS-compliant audit infrastructure.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Note for <a href="http://haveibeenflocked.com">haveibeenflocked.com</a> readers: <a href="https://le.fbi.gov/file-repository/cjis_security_policy_v6-0_20241227.pdf">CJISSECPOL</a> classifies the most severe types of
compliance issues as “P1.” These include many of the issues <a href="https://gainsec.com/2025/11/05/formalizing-my-flock-safety-security-research/">Jon Gaines discovered in February
2025</a> (discussed in Benn Jordan’s <a href="https://www.youtube.com/watch?v=uB0gr7Fh6lY">“We Hacked Flock Safety Cameras in Under 30
Seconds.”</a>). P1 issues require certain actions, including remediation within 15 days and
submitting notification to the CSA (Iowa DPS) and the FBI within 15 days. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock and Cyble Inc. Weaponize "Cybercrime" Takedowns to Silence Critics]]></title>
            <link>https://footnote4a.org/news/cyble-downtime</link>
            <guid isPermaLink="false">https://footnote4a.org/news/cyble-downtime</guid>
            <pubDate>Tue, 16 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[When a government contractor pays a company for "Takedown Services" to prevent transparency in government]]></description>
            <content:encoded><![CDATA[<p><strong>Cyble Inc.</strong>, a firm marketing itself as a service to
<a href="https://cyble.com/solutions/takedown-services/">“Disrupt Cybercrime,”</a> recently attempted to
disrupt something else entirely: government accountability.</p>
<p>Cyble, claiming to act on behalf of Flock, filed a series of demonstrably false abuse reports with
our hosting provider, Cloudflare, to scrub this site from the internet. Their strategy? Accuse us of
“phishing” and “trademark infringement” to hide the information we publish.</p>
<h2>The Evidence</h2>
<p>Here is the text of the actual report Cyble filed against us:</p>
<blockquote>
<p><strong>Report ID</strong>: 440e11…<br> <strong>Logs or other evidence of abuse</strong>: The mentioned website is
wrongfully using our client’s registered trademark in the fake web page. The use of the Client’s
registered trademark descriptively in the reported URL in order to disguise or phish the general
public has not been authorized by our client. The website publicly and deliberately releases
extensive, sensitive information obtained from Flock.<br> <strong>Reported URLs</strong>:
hxxps://haveibeenflocked[.]com/<br> <em>Below are the report submitter’s details</em>:<br> <strong>Submitter’s
Name</strong>: Thomas Siah<br> <strong>Submitter’s Email Address</strong>: <a href="mailto:response@cyble.com">response@cyble.com</a></p>
</blockquote>
<h2>Throwing Mud at the Wall</h2>
<p>Looking at the report, it is difficult to tell what the actual complaint is.</p>
<p>Are we infringing on a trademark?</p>
<p>Are we running a “fake website”?</p>
<p>Are we “disguising or phishing the general public”?</p>
<p>Or is the real issue that we are publishing public records—which they falsely claim were “obtained
from Flock”—that expose the rampant abuse of Flock’s mass surveillance platform?</p>
<p>Cyble’s representative, Thomas, is simply making every allegation possible in the hope one will
stick, regardless of the evidence. Apparently, filing false reports against critics is a winning
strategy for them.</p>
<h2>Update: Cloudflare Responds</h2>
<blockquote>
<p>Hedwig (Cloudflare)</p>
<p>Dec 18, 2025, 9:16 AM PST</p>
<p>To Whom It May Concern:</p>
<p>If you can show this information is publicly available and/or shared with the consent of the
person, please provide us with a link to the original public sources or documentation verifying
this consent.</p>
<p>Regards, Cloudflare Trust &amp; Safety</p>
</blockquote>
<p>What “this information” refers to, or how showing the sources (which <a href="https://footnote4a.org/sources">are available here</a>)
would help establish this is not a phishing website is anyone’s guess.</p>
<h2>We Aren’t Going Anywhere</h2>
<p>Ultimately, this is a minor inconvenience. It took me about an hour—after I finished playing my
video game<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup>—to change the code and migrate the site off Cloudflare’s infrastructure.</p>
<p>The suspension has been appealed, but we aren’t waiting for permission to exist.</p>
<p><em>Update</em>: The site has been fully moved over. If we <a href="https://footnote4a.org/news/cyble-part2">are blocked again</a> it should
be straightforward to move anywhere.</p>
<p><a href="https://discord.com/invite/aV7v4R3sKT">Come hang out on Discord</a> with other people who
believe in oversight, accountability, and the rule of law.</p>
<p>We will continue to expose Flock for what it is: a company so contemptuous of civil liberties that
its CEO will paint active citizenship as
<a href="https://www.youtube.com/watch?v=fVCVQcd9PLc#t=11m50s">terrorism</a>, and now, apparently,
cybercrime.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>With the new Divinity game in the works, I decided to do a run as Gale in BG3. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Vector State: License Plates for Pedestrians]]></title>
            <link>https://footnote4a.org/news/reid</link>
            <guid isPermaLink="false">https://footnote4a.org/news/reid</guid>
            <pubDate>Mon, 01 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Flock's cameras have face detection triggers and use ReID technology to track people by appearance—treating humans like license plates.]]></description>
            <content:encoded><![CDATA[<p>An oft-repeated claim is that Flock cameras don’t detect people, and when they do it’s only basic
movement detection, and totally not facial detection. At this point, would we be surprised if pretty
much all of that turned out to be a lie?</p>
<h2>Ghost in the Machine: The “Face Detection” Switch</h2>
<div class="markdown-alert markdown-alert-note">
<p class="markdown-alert-title">Note</p>
<p>First, a small disclaimer: so far, we have no evidence that Flock is using facial
recognition in production. This section discusses confirmed <em>capabilities</em>, not actual use.</p>
</div>
<p>With that out of the way, this is the list of triggers defined for Flock devices, as found in one of
their web applications:</p>
<ul>
<li>Manual</li>
<li>Common alarm</li>
<li>Motion detection</li>
<li>Input switch alarm</li>
<li>Video loss</li>
<li>Audio detection</li>
<li>Pos info</li>
<li>Scheduled recording</li>
<li>Face detection</li>
<li>Cross line detection</li>
<li>Intrusion detection</li>
</ul>
<p>Some of these are marketed features, like alerts when video signals are lost or when persons cross
a boundary defined on Flock’s PTZ cameras. This list is not device-specific<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup>, so “Audio
detection” is presumably for the Raven <a href="overseas-data">scream detector</a>.</p>
<p>As far as this author is aware, “Face detection” is not an advertised feature of any Flock product.</p>
<p>But it’s on the trigger list.</p>
<p>Is it in operational use? If so, by what device(s)?</p>
<p>Contracting government agencies signed away their right to know. And Flock certainly wouldn’t tell
us if they did have the feature in active use.</p>
<h2>Faceless Identity in 2kB or less</h2>
<p>Maybe it doesn’t matter — we know that Flock’s <a href="overseas-data">outsourced data labeling platform</a>
classifies photos and screams, but that same analysis also revealed that it lets our foreign friends
train another feature: <a href="https://iq.opengenus.org/person-reidentification/">ReID</a>, a machine learning algorithm that tracks persons as they move between
cameras.</p>
<p>While details on Flock’s actual implementation are sparse, examining an <a href="https://github.com/KaiyangZhou/deep-person-reid">open source project like
torch-reid</a> as a model implementation reveals the broader implications.</p>
<p>ReID works by creating a vector, a small (~2kB) file representation of a person. Because of their
small size, a virtually unlimited number of these vectors can be stored at extremely minimal cost.
The latest 1TB iPhone can hold the vector for every American, Mexican, and Canadian alive, and would
still have room for Facebook.</p>
<p>These vectors are not “photos.” They’re very likely also not contractually “Footage.” Whatever
rights your PD thinks it has, it probably does not include vectors.</p>
<p>This is combined with soft biometrics, which include things like clothing (color, type), apparent
gender, accessories, and body mechanics (height, body shape, etc.).</p>
<p>That process is much cruder than facial recognition.</p>
<p>The type of data lines up perfectly with the search we’ve seen in
<a href="https://footnote4a.org/moderation-logs">moderation logs</a>, where we have someone searching for a “red shirt”:</p>
<p><img src="https://footnote4a.org/blog/reid/redshirt.png" alt="Moderation log showing &quot;red shirt&quot; search"></p>
<p>And with Flock’s advertised person search features:</p>
<p><img src="https://footnote4a.org/blog/reid/camo-hat.png" alt="Missing person in hi-vis vest carrying leafblower" width="400"></p>
<p>Where ReID becomes highly accurate (and concerning) is through temporal correlation. Once you know a
specific person is at a specific location—maybe because they were seen exiting or, possibly, even
driving a vehicle with a license plate tied to a person—you can track them.</p>
<p>No face required.</p>
<p>The quasi-good news is that under laws like Illinois’ Biometric Information Privacy Act, this is
likely considered biometric data and its collection is therefore heavily regulated.</p>
<p>Cities with strong protections include Portland, OR, San Francisco, CA, Boston, MA, and New York
City. States include Illinois, Texas, and Washington.</p>
<p>The bad news, as always, is that the government does nothing to enforce its own laws.</p>
<h2>The End of Public Anonymity</h2>
<p>With this, Flock has placed itself into an even more precarious legal situation. Already in trouble
after <a href="federal-insecurity">classifying itself as a CJIS compliant entity</a>, now, it’s not only
collecting biometrics, it’s tracking people walking.</p>
<p>There is no “driving is a privilege” defense. Existing in public is a fundamental right.</p>
<p>For now, until the government acts, all we can do is wear specific adversarial clothing to defeat
ReID and don ski masks to defeat facial recognition.</p>
<p>This is the future your money is buying from Flock.</p>
<p><img src="https://footnote4a.org/blog/reid/hoodie.jpg" alt="Adversarial patch hoodie" width="500"></p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>More specifically, research so far has not turned up a related device. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@pm.me (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Federal Insecurity: How Flock Lies to the Feds]]></title>
            <link>https://footnote4a.org/news/federal-insecurity</link>
            <guid isPermaLink="false">https://footnote4a.org/news/federal-insecurity</guid>
            <pubDate>Fri, 28 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Flock's security chief certified FBI compliance despite knowing their devices fail basic security requirements. Either they handle sensitive data illegally, or they lied.]]></description>
            <content:encoded><![CDATA[<p>Flock and its customers have played a regulatory <a href="riss-shell-game">shell game</a> for years: they claim to take
pictures of license plates that are visible on public roads, and, therefore, there are no privacy or
Fourth Amendment concerns. Robert Otten, Flock’s Senior Director Cybersecurity and Risk Management,
just certified to the federal government his company has been lying all along.</p>
<p>The FBI sets rigid standards for handling “criminal justice information” (CJI). CJI includes things
like criminal histories, fingerprint databases, investigative files, and so on.</p>
<p>These standards are mainly codified in the <a href="https://le.fbi.gov/file-repository/cjis_security_policy_v6-0_20241227.pdf/view">CJI Systems Security Policy (CSP)</a>: 461 pages of
technical and operational security standards.</p>
<p>Otten signed a federal addendum certifying CJIS compliance for Story County, Iowa, invalidating the
company’s years of “we don’t handle sensitive information” claims. Worse, he signed it despite
knowing that Flock’s devices fail the FBI policy’s most basic security requirements.</p>
<p>Either Flock handles criminal justice information and is dangerously non-compliant, or it doesn’t
and its security chief just lied to the federal government.</p>
<p>There is no third option.</p>
<h2>Certified, Sealed, and Delivered</h2>
<p>Despite their insistence on “public plates on public roads,” Flock and its customers have asserted
confidentiality for ALPR data, audit logs, training materials, compliance, and so on, even going so
far as to devise a theory of Schrödinger’s Public Record, where a record’s confidentiality hinges on
whether the government has observed the record.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>But, the most formal step it had taken up until now was contracting with Diverse Computing, Inc.,
out of Tallahassee, Florida, to be awarded that company’s “<a href="https://www.diversecomputing.com/cjis-ace-for-vendors">CJIS ACE Compliance Seal</a>.”</p>
<p>That certification is not approved or monitored by the federal government, and it is not a
requirement to handle CJI. It’s a purely commercial service the company ostensibly provides as
reassurance for the participant and, perhaps more importantly, their downstream customers.</p>
<p>Regardless of how meaningful earning a “CJIS ACE Compliance Seal” from a for-profit Florida-based
institution is, there is no formal oversight of the certification program and the seal carries no
legal weight. While the education and the vetting could have value, the “seal” itself is a purely
performative marketing gimmick.</p>
<p>Now, however, Flock has gone beyond placing a seal on its website, and it has formally admitted to
handling CJI. More importantly, it has committed to following the CSP’s security requirements:</p>
<p><img src="https://footnote4a.org/blog/federal-insecurity/maintain-program.png" alt="The Contractor will follow CJIS Security Policy"></p>
<p>This was not a document signed between well-meaning but uninformed county staff and a junior member
of the Flock sales team.</p>
<p>Flock and the county signed this document after the Iowa Department of Public Safety investigated a
complaint about Story County applying funding awarded for a criminal justice information system to a
Flock contract, without having the (CSP) records to show for it.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>Flock’s Senior Director Cybersecurity and Risk Management, Robert Otten, sat across the table:</p>
<p><img src="https://footnote4a.org/blog/federal-insecurity/flock-signature.png" alt="Flock Signature" width="350"></p>
<h2>The 10-foot Pole Defense</h2>
<p>Flock and the county signed this document in September, 2025, in the middle of an ongoing disclosure
period during which Flock has not fixed numerous critical vulnerabilities in its systems. As Flock’s
head of security, and designated “Security Officer” for the FBI, Otten was aware of these
vulnerabilities and Flock’s non-compliance when he certified the opposite.</p>
<p>Those of us who, like Otten, have been in the tech game for a little while, will remember 2018: the
year of <a href="https://meltdownattack.com/">Meltdown and Spectre</a>. This set of vulnerabilities, formally
<a href="https://nvd.nist.gov/vuln/detail/cve-2017-5754">CVE-2017-5754</a>, wreaked havoc on security teams globally: these were highly
<a href="https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#Meltdown_exploit">sophisticated</a> bugs in common hardware (mainly Intel processors) allowing an attacker to
read the plaintext in memory.</p>
<p>These hardware vulnerabilities led to teams forgoing weeks of sleep and family time to roll out
patches and secure the systems in their server environments. It was a Big Deal.</p>
<p>But while Meltdown required Ph.D.-level knowledge and near nation-state resources to effectively
exploit at scale, Flock’s vulnerabilities require YouTube and a ladder.</p>
<p>In a post titled “Gunshot Detection and License Plate Reader Security Alert,” dated May of
2025—months before certifying compliance to the county and the federal government—Flock actively
attempted to downplay the severity of some of these vulnerabilities.</p>
<p>Flock doubled down in November 2025, with its “Response to Compiled Security Research on Flock
Safety Devices.” This blog post makes the bold claim that “[t]he researcher has been in contact with
Flock Safety … and notified Flock of findings earlier in 2025,” but that as of November its
response was that, “<strong>Overall, none of the vulnerabilities detailed in the report have an impact on
our customers’ ability to carry out their public safety objectives</strong>”<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup> (emphasis in
original).</p>
<p>Flock acknowledged the vulnerabilities in its hardware platforms. Unlike Meltdown, these don’t
require advanced knowledge of how CPUs work. <a href="https://www.youtube.com/watch?v=uB0gr7Fh6lY">The attack that allows you to read the sensitive
information requires either (1) a USB cable, or (2) a laptop with WiFi and knowledge about how many
times to push a button</a><sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup>. And unlike the entire cybersecurity community back in
2018, Flock did nothing.</p>
<p>Flock’s defense is that it requires “knowledge of device debugging,” the bare minimum standard for
any software developer. There are <a href="https://developer.android.com/studio/debug">easy-to-follow step-by-step instructions</a> in the
official developer documentation, and basic <a href="https://www.youtube.com/watch?v=GERlhgCcoBc">five-minute tutorial videos are available on
YouTube</a>.</p>
<p>We may as well leave the keys on the dashboard and claim car thefts aren’t a problem, because
opening the door and starting the car requires “knowledge of motor vehicles.”</p>
<p>What’s more, although the devices are left unattended on the side of the road, Flock defends their
security by arguing that they are placed “several feet above normal height.” The context is too
telling to exclude:</p>
<blockquote>
<p>As responsible stewards of customer data, upon notification we analyzed the impact of these
vulnerabilities and subsequently have made the following submissions to Mitre for inclusion in the
National Vulnerability Database.</p>
<ul>
<li>Debug interface enabled (CWE-1191)</li>
<li>Hardcoded credentials (CWE-798, CWE-259)</li>
<li>Hardcoded connection details (CWE-798, CWE-259)</li>
<li>Clear Text Storage of Code (CWE-312)</li>
</ul>
<p>These are not material vulnerabilities, and both severity and likelihood to be exploited are low.
The exploitation of these vulnerabilities require physical access to a device and knowledge of
device debugging. If a person was able to gain physical access to the device (which is typically
placed on a pole several feet above normal height), they would still not be able to gain access to
footage, as the data is only stored for a very limited time duration on the device following its
transmission to the cloud.</p>
</blockquote>
<p>We don’t have to debate the definition of “limited time” when an attacker can install software with
full camera and network access, nor do we have to contemplate the efficacy of height when malicious
actors presumably have access to basic ladder or truckbed technology.</p>
<p>Whether they can be exploited, whether they require device access, whether they come on a stick or
are deep-fried, those issues don’t concern the CSP, which, in federal government fashion, lays out
extensive pass/fail compliance requirements. Notably, the US Department of Justice didn’t create a
5-second-rule for confidential data.</p>
<p>To name but a few of the areas of the CSP where Flock has been out of compliance, and was out of
compliance at the time of certification:</p>
<ul>
<li>“Protect the confidentiality and integrity of the following information at rest: CJI when outside
physically secure locations using cryptographic modules which are [federally] certified.”</li>
<li>“Prevent non-privileged users from executing privileged functions.”</li>
<li>“Enable user authentication and encryption mechanisms for the management interface of the
[wireless access point].”</li>
<li>“Place [wireless access points] in secured areas to prevent unauthorized physical access and user
manipulation”</li>
</ul>
<p>These aren’t speculative, debatable, or matters of questionable degree or urgency. These are
formally FBI-classified, highest priority, violations of federal laws and regulations.<sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup></p>
<p>Not something to cover under your finest blog bullshit.<sup class="footnote-ref"><a href="#footnote6">[6]</a><a class="footnote-anchor" id="footnote-ref6"></a></sup></p>
<h2>Denial, Deflection, and Dumb Sensors</h2>
<p>Given Flock’s stance thus far, I do not expect the company to take ownership now (or ever)—they will
either argue that its head security honcho, Otten, had no idea what he was doing when he signed the
contract with Story County, or, more likely, it will argue that the devices sprinkled roadside are
not covered by the CSP. Neither argument is plausible.</p>
<h2>Plausible Deniability, Implausible Competence</h2>
<p>Otten, as head of security, was aware of the highly-publicized vulnerabilities. No company puts out
press releases on issues this serious without a C-suite signoff. Especially not a company whose
business relies on a government clientele that tends to value the appearance of legal and regulatory
compliance.</p>
<p>Flock’s own blog post admits that GainSec has been in direct contact with Flock about these
vulnerabilities “since earlier this year” (which Gaines notes as February, 2025). Many of the issues
Gaines reported were not confirmed as fixed, and some were outright confirmed as “not fixed” as of
November 2025. In the middle of that period, Otten certified compliance anyway.</p>
<p>The alternative hypothetical “Otten is incompetent” defense centers on his failure to understand
what Criminal Justice Information is, or his inability to read the terms of a two-page contract
addendum.</p>
<p>These defenses might carry some weight if he had been a junior sales exec. They fall flat when the
person signing the contract has been the company’s top security director for years, after gaining
extensive experience in companies like CLEAR and KPMG.</p>
<h2>Public Records, Private Denials</h2>
<p>Asserting that photos, videos, and audio recordings taken in public places are not CJI is a
potentially persuasive position. For it to become a credible one, it requires answering a few simple
questions—among them: why did Flock agree to be bound to CSP? And why did the Iowa Department of
Public Safety require Flock to do so?</p>
<p>Even if we ignore reality, and assume that Flock’s position has all along been that it is not
operating a criminal justice information system, handling CJI, or otherwise subject to the
requirements of the CSP<sup class="footnote-ref"><a href="#footnote7">[7]</a><a class="footnote-anchor" id="footnote-ref7"></a></sup>, its Head of Security provided a certification of its compliance with
federal CJI regulations, knowing either that the system did not comply, or that it did not handle
CJI in the first place—a falsehood either way.</p>
<p>That action alone invites scrutiny under federal false statements statutes, and it should be seen as
an indicator of the level of trust that city councils should be placing in this company.</p>
<p>If they’ll lie to the feds, they’ll lie to you.</p>
<h3>Head in the Cloud</h3>
<p>This will, undoubtedly, be Flock and its customers’ primary defense. They will argue until they are
blue in the face that the “ALPR Cameras”<sup class="footnote-ref"><a href="#footnote8">[8]</a><a class="footnote-anchor" id="footnote-ref8"></a></sup> are dumb devices that don’t process or store
CJI data (except temporarily, as Flock claims on its blog) (and unencrypted as GainSec’s research
found).</p>
<p>Let’s get that out of the way.</p>
<p>GainSec’s research also confirmed others’ earlier findings: the devices are powered by an
unsupported development kit version of Android. Android comes standard with all the tools needed for
things like wireless networking and accessing remote servers and services.</p>
<p>If you want to visualize what’s happening here: as a fully-functional computer system, from a
security (and CSP) perspective, a “camera” running Android is not the functional equivalent of a
“dumb” webcam, but the functional equivalent of a MacBook Pro<sup class="footnote-ref"><a href="#footnote9">[9]</a><a class="footnote-anchor" id="footnote-ref9"></a></sup>.</p>
<p>Now, imagine these MacBooks are up on poles, scattered throughout cities and along rural roads, with
their WiFi networks accessible to any passer-by. Imagine they are directly connected, and
provisioned with credentials (not stored with encryption, and transmitted in the clear) to access a
database that contains all the (claimed) CJI that Flock collects nationwide—billions upon billions
of datapoints on everyone’s day-to-day movements.</p>
<p>And now imagine that the company’s primary response for more than six months, and counting, has
been, “well, sure, that <em>looks</em> bad, but what you’re not realizing is that these MacBooks are on
<em>poles</em>. Not just any old poles, but above-normal-height poles. Also, the system still works, soooo
… why is this a problem?”</p>
<p>Even if you wanted to argue that the data collected by Flock is not CJI, the CSP governs entire
systems, not individual servers. Access terminals must follow the system’s security policy.</p>
<p>Putting them up on a stick and leaving them out in the country is not conducive to system security.</p>
<h3>Silver Lining, Lead Security</h3>
<p>“CSP permits cloud services,” will be the other retort. It does. It also sets clear rules for cloud
services and provides helpful, illustrative scenario-based examples.</p>
<p>Here’s one such example:</p>
<blockquote>
<p>The cloud provider, however, does not have unescorted logical or physical access to any
information system resulting in the ability, right, or privilege to view, modify, or make use of
unencrypted CJI as the SaaS provider maintains the encryption keys. In this scenario, the agency
would be required to comply with Section 5.12 for employees of the SaaS provider with access to
CJI but would not need to do so for employees of the cloud provider used by the SaaS provider.</p>
</blockquote>
<p>In other words, given that Flock employees <em>do</em> have access to unencrypted data, both in the Falcon
devices, and likely also in the cloud services, this would plainly require its employees to comply
with Section 5.12 (or, as it’s known in version 6: Policy Area PS (Personnel Security), Control
PS-3).</p>
<p>That specific control requires state and federal-level fingerprint-based background checks,
disqualifies felons, requires formal sign-off for misdemeanors, and so on.</p>
<p>Agencies must also have signed acknowledgements of the CSP on file for all contractor employees,
they must have “Information Exchange Agreements” with other agencies in place (there is no exception
for a “Nationwide sharing” checkbox), and all security vulnerabilities must be fixed within 90 days
(or 15 days for P1 violations, like those reported in February 2025).</p>
<h2>Federal Offense, Federal Oversight</h2>
<p>Your local PD is nominally in charge of oversight. But they’re not the only ones watching.</p>
<p>Under the CSP, the state’s CSA and the FBI may conduct scheduled and unscheduled audits of Flock’s
systems and facilities, and the government is no longer constrained and limited to <a href="https://www.wyden.senate.gov/news/press-releases/wyden-slams-surveillance-tech-company-for-ineffective_protections-for-oregonians-against-abuses-by-federal-agencies-and-out-of-state-law-enforcement">angry
letters</a>, <a href="https://www.koin.com/news/oregon/surveillance-company-to-protect-oregonians-data-from-immigration-abortion-inquiries-wyden/">separate agreements</a>, or <a href="https://capitolnewsillinois.com/news/hundreds-of-police-departments-use-camera-company-accused-of-breaking-state-law/">investigations hidden behind the veil
of corporate secrecy</a>. And it doesn’t stop in Iowa.</p>
<p>Because Flock is organizationally, architecturally, and operationally monolithic, CSAs in other
states are authorized to act. They have a few options:</p>
<ol>
<li>They can audit or investigate Flock customers and the Flock system for facilitating an
unauthorized connection to a criminal information (SA-9, “External System Services”).</li>
<li>Regardless of contractual ownership provisions, CJI is statutorily owned by the FBI or state; a
CSA is authorized to inspect how it’s processed.</li>
<li>As the “friendliest” option, one specifically designed with vendors like Flock in mind, the CSP
provides a reciprocity framework for audits. A CSA may request another CSA audit the system, and
CSAs may rely upon each other’s audits. (SA-9(c)(4))</li>
</ol>
<p>If you are in a state where Flock is used, your state’s CSA can act, should it choose (or be forced)
to do so.</p>
<h2>The End of the (Root) Shell Game</h2>
<p>Flock has played its regulatory shell game to the point of absurdity: telling cities it’s just a
camera, telling police it’s a crime-fighting supercomputer, and telling the public that their own
private information is a commodity to be bundled and made available in a Spotify-like subscription
package (because we promised we won’t sell it!). By signing this federal addendum, the music stops.</p>
<p>They have admitted their devices are terminals for a federal criminal justice network. They have
admitted their staff requires the same vetting as a detective or an analyst. And thanks to their own
sloppy engineering, they have demonstrated they cannot meet the standards they just swore to uphold.</p>
<p>The question now isn’t whether Flock is compliant; it’s which state Attorney General will be the
first to prosecute, and will they prosecute Flock, or will it be the cities and police departments
under whose watch this all occurred?</p>
<p>To encourage your Attorney General in their efforts, start requesting and forwarding evidence of
local agency CJIS (non-)compliance: security addenda, management control agreements, certifications
from Flock employees, audit results, review schedules, <em>et cetera</em>.</p>
<p>Local agencies can either produce the security addendum, in which case Flock’s failure to address
the glaring security holes stands as irrefutable evidence of non-compliance and failures of
oversight, or they can’t produce the documents, in which case they are running a non-compliant
connection to a system Flock swore was secure.</p>
<p>Flock must pick its poison.</p>
<h2>The Receipts</h2>
<ul>
<li><a href="https://footnote4a.org/blog/federal-insecurity/addendum.pdf">Criminal Justice Information Services Security Amendment between Story County and Flock
(9/15/2025)</a></li>
<li><a href="https://footnote4a.org/blog/federal-insecurity/csp-v6.pdf">Criminal Justice Information Services (CJIS) Security Policy v6.0 (12/27/2024)</a></li>
</ul>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>The Washington court hearing the argument <a href="https://www.eff.org/deeplinks/2025/11/washington-court-rules-data-captured-flock-safety-cameras-are-public-records">would have none of it</a>. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>This author, who also discussed CJIS matters with the county attorney before the addendum was
signed. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Which, of course, directly contradicts its customers’ position when responding to public records
requests; the information must be withheld because its disclosure would jeopardize ongoing
criminal investigations. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>For more in-depth technical information, see Jon “GainSec” Gains’ whitepaper, <a href="https://gainsec.com/2025/11/05/formalizing-my-flock-safety-security-research/"><em>Examining the
Security Posture of an Anti-Crime Ecosystem</em></a>. <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>CSP References: SC-28, SI-7, AC-6(10), 5.20.1.1. <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote6" class="footnote-item"><p>Though it should be noted “finest” is relative; I can appreciate a good bullshit, but Flock
consistently fails to deliver even on that promise. <a href="#footnote-ref6" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote7" class="footnote-item"><p>And, therefore, the information is also not exempt from public records (FOIA) laws. <a href="#footnote-ref7" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote8" class="footnote-item"><p>Scare quotes because there is nothing particularly “ALPR” about cameras that take pictures and
use ML or other AI to process them. <a href="#footnote-ref8" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote9" class="footnote-item"><p>For the technically pedantic reader: yes, it is both technically and functionally equivalent to
a Linux server, but those don’t make good visualization aids. <a href="#footnote-ref9" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@pm.me (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Flock Ships American Surveillance Footage to Offshore Contractors]]></title>
            <link>https://footnote4a.org/news/overseas-data</link>
            <guid isPermaLink="false">https://footnote4a.org/news/overseas-data</guid>
            <pubDate>Sun, 23 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Contractors in the Philippines are labeling faces and tracking vehicles through 80,000+ Flock cameras. Local police installed them; Flock ships the data overseas.]]></description>
            <content:encoded><![CDATA[<p>Right now, contractors in the Philippines are watching American streets through more than 80,000
surveillance cameras. They’re labeling faces, tracking vehicles, and categorizing the sounds of
children screaming. All through Flock Safety’s annotation platform. Local police departments
installed these devices. Flock ships the data overseas.</p>
<p>Ever wonder how Flock’s AI cameras distinguish between different types of vehicles? How they
differentiate between children screaming and adults screaming? It’s not magic — it’s a process
called “data annotation” which uses an army of offshore gig workers to manually pore over images,
videos, and sound files.</p>
<p>This post will be heavy on images and other data pulled directly from Flock’s annotation app.</p>
<p>They largely speak for themselves.</p>
<h2>The “Springbank” Annotation Tool<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></h2>
<p><img src="https://footnote4a.org/blog/annotation/tool.png" alt="Annotation tool" width="500" class="center my-4"></p>
<p>Flock created this tool so <a href="https://www.upwork.com/ent/portal/flocksafety/">its Upwork team</a>, mostly
foreign gig workers, can review images and audio files taken by the 80,000+ cameras and microphones
liberally sprinkled throughout American cities.</p>
<p>To put it in Flock’s own words:</p>
<blockquote>
<p>Work is assigned to annotators with varying priority. For annotators that work on multiple
different projects, this priority can change frequently. It is best to follow the outlined
workflow to ensure the highest priority work is getting completed first, in addition to checking
UpWork.</p>
</blockquote>
<p>The company tracks metrics on its Upwork contractors who work to assign labels to ALPR images and
sound files:</p>
<p><img src="https://footnote4a.org/blog/annotation/graphs.png" alt="Metrics" width="700" class="center"></p>
<p>Flock’s performance dashboard shows its top annotators include workers we’ve confirmed are based in
the Philippines, along with contractors whose names suggest Eastern European origins.</p>
<p>Do the math: 80,000 cameras generating thousands of images daily, processed by contractors bidding
the lowest hourly rates. That’s potentially millions of American surveillance moments flowing
through laptops in Manila and god-knows-where-else. No security clearances. No background checks. No
oversight.</p>
<p><img src="https://footnote4a.org/blog/annotation/people-label.png" alt="People should be labeled" width="600" class="center">
<img src="https://footnote4a.org/blog/annotation/detections.png" alt="Detections" width="600" class="center"></p>
<p>Flock CEO Garrett Langley tells city councils his cameras ‘don’t identify or track people.’ But
Flock’s own training materials instruct offshore contractors to do exactly that — label every
person.</p>
<p>The company built an entire workflow around human identification while swearing to American
communities they’d never do it.</p>
<p><img src="https://footnote4a.org/blog/annotation/campaigns.png" alt="Campaigns" width="700" class="center"></p>
<p>The campaigns also include audio annotation campaigns. While Flock publicly markets Raven for
gunshot detection, the annotation categories reveal far broader audio surveillance.</p>
<p><img src="https://footnote4a.org/blog/annotation/audio-tool.png" alt="Audio annotation" width="600" class="center"></p>
<p>Flock’s microphones aren’t limited to gunshot detection; they record conversations near ATMs,
discussions outside abortion clinics, prayers at mosque entrances.</p>
<p>This annotation goes far beyond gunshot detection. Training documentation has detailed instructions
and audio samples for annotators to label and categorize:</p>
<div class="grid grid-cols-1 md:grid-cols-2 border-b border-t py-2 my-4 border-text-disabled">
<ul>
<li>Glass shattering</li>
<li>Tire screeching</li>
<li>Engine revving</li>
<li>Gunshot/firework/explosion</li>
<li>Car wreck</li>
<li>Industrial banging</li>
<li>Metal grinding</li>
</ul>
<ul>
<li>Thunder</li>
<li>Alarm</li>
<li>Screaming adult</li>
<li>Sawing</li>
<li>Sawing vs. Leaf blower</li>
<li>Background noise</li>
</ul>
</div>
<p>Flock even remarks to its team of annotators that:</p>
<blockquote>
<p>Given how hard it can be to distinguish between children and adult screaming, please make use of
the <em>certainty</em> dropdown shown on the right.</p>
</blockquote>
<p>Somewhere in Asia or Eastern Europe, someone is listening to American children in distress,
cataloguing their terror for a few dollars an hour.</p>
<h2>The (National) Security Issues</h2>
<p>This is the surveillance equivalent of letting Huawei run our 5G networks. Foreign nationals now
possess detailed movement patterns of FBI agents driving to work, military personnel visiting
family, and intelligence officers meeting sources. In any other context, we’d call this intelligence
collection. Here, we call it ‘data annotation.’</p>
<p>There is no oversight on these apps, or on these workers. Flock’s contract permits this use of the
data, and Flock’s customers assign irrevocable, worldwide licenses to Flock specifically for this
purpose.</p>
<p>The apps do not have to conform to any security standards, and, while there may be contractual
terms, it is unlikely that Flock effectively oversees data security for data in the hands of its
contractors.</p>
<p>Even if it wanted to, Flock would have very limited ability to enforce its employment agreements in
many of these countries.</p>
<p>While Senator Wyden writes stern letters about police departments forgetting to enable two-factor
authentication, Flock’s contract explicitly authorizes this overseas data hemorrhage. Every city
council that approved these cameras blessed this arrangement. They traded your privacy for crime
statistics, then acted shocked when the bill came due.</p>
<p>Flock Safety turned American streets into a foreign intelligence goldmine. Your mayor signed the
contract. Your police chief installed the cameras. And tonight, someone eight time zones away will
watch your neighbors come home, label their faces, and move on to the next task.</p>
<p>Request your city’s <a href="https://www.flocksafety.com/legal/terms-and-conditions">Flock contract</a>. Search for Section 4.1, and the ‘worldwide license’
clause:</p>
<blockquote>
<p>Customer hereby grants to Flock a limited, non-exclusive, royalty-free, irrevocable, worldwide
license to use the Customer Data and perform all acts as may be necessary for Flock to provide the
Flock Services to Customer.</p>
</blockquote>
<p>And look for Section 4.3, which promises that “These images [for machine learning] are never sold or
shared with third parties.” Apparently, foreign contractors reviewing your family’s daily movements
don’t count as ‘third parties’ in Flock’s dictionary.</p>
<p>Then ask your mayor why Bulgarian freelancers need to analyze your daughter’s walk to school.</p>
<blockquote>
<p>Note: The information in this post was sourced exclusively from documents posted publicly online
by Flock. None of the contractors leaked information, and no unauthorized systems access was
involved.</p>
</blockquote>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Flock’s internal systems are all named after various alcoholic beverages. From “Springbank”
handling audio annotation to “Minderaser” handling incident reports and even the flagship
FlockOS “Strawberry Soju.” <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[The Data-Sharing Shell Game: Flock, RISS, and the Federal Surveillance Backdoor]]></title>
            <link>https://footnote4a.org/news/riss-shell-game</link>
            <guid isPermaLink="false">https://footnote4a.org/news/riss-shell-game</guid>
            <pubDate>Tue, 11 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Despite Illinois' TRUST Act ban on immigration data sharing, ICE maintains backdoor access to Flock's database through RISS and local agencies.]]></description>
            <content:encoded><![CDATA[<p>In 2024, Illinois passed the <a href="https://law.justia.com/codes/illinois/chapter-5/act-5-ilcs-805/">Illinois TRUST Act</a> (5 ILCS 805), which prohibits Illinois
police from sharing data for civil immigration purposes. Earlier this year, media reported that ICE
had <a href="https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/">direct</a> and <a href="https://www.9news.com/article/news/local/next/loveland-police-colorado-ice-search/73-ec0ec084-e8c6-4c2e-a99b-68bceeedcaa1">indirect</a> access to Flock’s database — a database widely used in
Illinois. Flock’s leadership team responded first by blaming police, then by blaming its employees,
and, when the media storm had passed, by quietly resuming sharing with immigration agencies through
the backdoor.</p>
<p>Flock’s issues with data sharing are broad. While the company claims that its customers own the
data, its customers vacillate between claims that <a href="https://footnote4a.org/blog/fed-sharing/alpr-policy.pdf">they own and control access to the
data</a>,<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> that they have no effective ownership, and that the data are “<a href="https://footnote4a.org/blog/Stanwood-10-8-2025.pdf">raw,
non-governmental data held by a third-party vendor</a>.”</p>
<p>Flock also frequently claims that users must be a “<a href="https://www.youtube.com/watch?v=XBPW2TFmZAU&amp;t=6371s">sworn law enforcement officer for purposes of
accessing our law enforcement network</a>.” Flock maintains this stance, despite it
being easily disproven by examining the <a href="https://footnote4a.org/pd/">list of its customers</a> on this site.</p>
<p>In June, Flock responded to allegations of improper sharing with a statement, which summarized its
point as: <em>“it is a local decision. Not my [Flock CEO Garrett Langley’s] decision, and not Flock’s
decision.”</em></p>
<p>In August, after Illinois Attorney General Giannoulias recognized violations of the IL TRUST Act,
the company reversed course. It “paused a pilot program” after the AG’s audit uncovered that
<em>“[Flock] company leadership was unaware of a pilot program with the US Customs and Border Patrol
Protection Agency.”</em></p>
<p>This is the same leadership that claims its customers control the data.</p>
<p>But, despite being flagged as “Inactive,” <a href="https://footnote4a.org/pd/8268-federal-us-border-patrol-inactive/audit">Border Patrol can be seen running
searches</a>. ICE also continues to have broad indirect access to Flock’s database
through third parties, and through its <a href="https://www.dhs.gov/news/2025/09/17/dhs-287g-reaches-more-1000-partnerships-state-and-local-enforcement-help-remove">287(g) program</a>, which pays state and local agencies
for access to their officers and investigative tools and capacity.</p>
<p><img src="https://footnote4a.org/blog/fed-sharing/hsi-search.png" alt="Over 1,000 Searches conducted on behalf of ICE's HSI division" class="collapsible"></p>
<p>The separate pathways to unoverseeable data sharing converge and culminate in Flock’s agreements
with the <a href="https://www.riss.net/about-us/">Regional Information Sharing Systems (RISS) Program</a> — a federally funded
program to <em>“provid[e] adaptive solutions and services that facilitate information sharing”</em> with
over 10,000 member agencies <em>“in all 50 states, the District of Columbia, U.S. territories, England,
New Zealand, and parts of Canada.”</em></p>
<p>Five out of six<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> regional RISS centers have direct access to the Flock database:</p>
<ul>
<li><a href="https://footnote4a.org/pd/6571-magloclen-riss/audit">MAGLOCLEN</a>: Middle Atlantic-Great Lakes Organized Crime Law Enforcement Network®</li>
<li><a href="https://footnote4a.org/pd/7499-rocky-mountain-information-network-rmin-riss-az/audit">RMIN</a>: Rocky Mountain Information Network®</li>
<li><a href="https://footnote4a.org/pd/3817-mocic/audit">MOCIC</a>: Mid-States Organized Crime Information Center®</li>
<li><a href="https://footnote4a.org/pd/3685-nespin-new-england-state-police-information-network/audit">NESPIN</a>: New England State Police Information Network®</li>
<li><a href="https://footnote4a.org/pd/6635-tn-rocic/audit">ROCIC</a>: Regional Organized Crime Information Center®</li>
</ul>
<p>Tools like <a href="https://www.riss.net/rissintel/">RISSIntel™</a> (“Criminal Intelligence Database Solving Cases Through
Information Sharing”) <em>“permit federated searching across many systems without requiring the RISSNET
user to have a separate user account for each partner system.”</em></p>
<p>This is, of course, completely antithetical to the idea that Flock customers maintain control of
data.</p>
<p>Exacerbating matters, RISS centers are private non-profit corporations, not government agencies. Their
users are not <em>“sworn law enforcement officer[s] for purposes of accessing our [Flock’s] law
enforcement network.”</em></p>
<p><img src="https://footnote4a.org/blog/fed-sharing/nespin-corporation.png" alt="NESPIN business registration" width="700" class="collapsible">
<img src="https://footnote4a.org/blog/fed-sharing/mocic-corporation.png" alt="MOCIC business registration" width="700" class="collapsible">
<img src="https://footnote4a.org/blog/fed-sharing/rocic-corporation.png" alt="ROCIC business registration" width="700" class="collapsible">
<img src="https://footnote4a.org/blog/fed-sharing/rmin-corporation.png" alt="RMIN business registration" width="700" class="collapsible">
<img src="https://footnote4a.org/blog/fed-sharing/magloclen-corporation.png" alt="MAGLOCLEN business registration" width="400" class="collapsible"></p>
<p>The federated RISS centers exist for a single purpose: to “facilitate information sharing.”</p>
<p>Because the data are ostensibly owned by government agencies, they are public records. That means
RISS centers are not in any way restricted by copyright law<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup>, and don’t require a
licensing agreement with Flock. Because the corporations are private, there is no effective
oversight.</p>
<p>These partnerships obliterate Flock’s defense that information sharing is a local decision.</p>
<p>Flock’s contradictory public statements are a smokescreen for the simple truth: by integrating with
a federally-funded, private network of information-sharing centers (RISS), local control remains an
illusion — data flows through Flock’s corporate partners to thousands of agencies at the local,
state, federal, and even international level.</p>
<p>As long as Flock does not actively prevent this type of information-laundering, the company’s
statements about data ownership, sharing control, and compliance with state law are entirely
meaningless.</p>
<p>This isn’t a local decision, a bug, or a rogue pilot program. It is a fundamental design feature —
one that Flock actively creates and supports.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>“The ALPR data may be shared only [after] [t]he request is reviewed by the Investigations
Division Commander or the authorized designee and approved before the request is fulfilled” <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>The sixth is WSIN (Western States Information Network®). It’s worth noting Flock does not
maintain consistent naming conventions. Let me know if you find WISN. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Arguably, if ALPR data is factual information, copyright laws would not apply regardless. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[Too Much, Too Late: A Digital Dragnet for a Homicide]]></title>
            <link>https://footnote4a.org/news/dupage-county</link>
            <guid isPermaLink="false">https://footnote4a.org/news/dupage-county</guid>
            <pubDate>Sat, 08 Nov 2025 21:01:00 GMT</pubDate>
            <description><![CDATA[How police used Flock's digital dragnet to investigate a homicide months after critical evidence was lost due to negligence.]]></description>
            <content:encoded><![CDATA[<p>On January 29, 2022, Wayne PD received a call from a resident reporting gunshots near his home on
Munger Road. Wayne police responded and found blood droplets in the snow, but nothing else. It
wasn’t until more than a month later that a horse-rider discovered Frank’s body — he had been shot
11 times.</p>
<p><img src="https://footnote4a.org/blog/dupage/droplets.png" alt="Droplets in the snow" width="420" class="float-right ml-3"></p>
<p>On February 8, 2022, Metra Police was still investigating the case as a missing person. They saved
screenshots of the man when he appeared in footage captured at the Round Lake Metra Station on the
morning of January 29. They do not secure the footage.</p>
<p>When his body was finally discovered—not by police who were called to the location but by a random
passer-by—police pulled out all the stops to try to get evidence.</p>
<h2>The Events: As told by Cell Phones</h2>
<p>Although the ground had thawed, the case had frozen over. Much of the evidence that existed in
January was lost by March. The snow melted and took the blood that Wayne PD had ignored with it. The
video file Metra PD never bothered to save had long been overwritten. But Frank’s OnePlus cellphone
is still on him. Police obtain a search warrant at the same time they notify the family.</p>
<p>The family, who had already been looking for Frank, hand police a cloned phone, his Google password,
the name of a suspect—let’s call him Marco—and information about text messages that were suspicious
at best.</p>
<p><img src="https://footnote4a.org/blog/dupage/text-message1.png" alt="Text messages (1/2)" width="450">
<img src="https://footnote4a.org/blog/dupage/text-messages2.png" alt="Text messages (2/2)" width="450"></p>
<p>Frank’s mother had also received a Facebook message from another person, telling her that the people
Frank lived with know what happened. Police got a warrant for the sender’s Facebook account.</p>
<p><img src="https://footnote4a.org/blog/dupage/fb-messenger.png" alt="Facebook messenger" width="420" class="float-right ml-3"></p>
<p>Police then use the password and information provided by the family and determine that Frank was
part of a group that consisted of Frank, Marco, and brothers Sam and Albert.</p>
<p>Location records obtained through cell phone warrants show that on the morning of the 29<sup>th</sup>, Frank
took the train to Grayslake, spent some time there, and then took a bus to Marco’s house in Round
Lake Beach.</p>
<p>That same morning, phone records show, Rob and Sam traveled to Hammond, IN, on the eastern edge
Chicagoland, together.</p>
<p>Around lunchtime, Marco, Rob, and Sam meet up.</p>
<p>They spend some time in the Villa Park area. Sam then travels to Hammond and back while Marco and
Rob stay in Villa Park. A few hours later, around 3pm, Sam leaves Villa Park again and returns to
his home in Round Lake Beach.</p>
<p>That evening, around 7:30pm, Rob and Marco leave Villa Park to go to Marco’s home in Round Lake
Beach. On their way out, they stop at a gas station and meet with a man, Eric. Shortly after they
get to Round Lake Beach, Frank, who lives a few blocks away, joins them at Marco’s.</p>
<p>Marco and Rob then drive to Sam’s home, briefly meet up with him, and return to Marco’s home. Frank
had stayed there the whole time.</p>
<p>All three then head to the Grand Victoria Casino in Elgin together, around 10pm on January 29<sup>th</sup>.
About an hour later, Wayne PD receives the phone call about multiple gunshots, roughly eight miles
from the casino.</p>
<p>Frank had been murdered.</p>
<h2>Evidence, Informants, and Raids</h2>
<p>When Wayne PD investigates, they decide not to pursue multiple gunshots and fresh blood trails.
Thirty-three days later, when Frank’s body is finally found, the casino and the city had already
recycled their virtual surveillance video tapes.</p>
<p>Over the next few days, police receive records from the search warrants, and the ATF submits six
casings (five .380 caliber and one .40 caliber) to its national database, suggesting that at least
two firearms were used.</p>
<p><img src="https://footnote4a.org/blog/dupage/nibn.png" alt="Casings found"></p>
<p>Two days after the body is discovered, Rob changes his Facebook profile picture to Santa Muerte, Our
Lady of Death, wearing a red sash, and superimposed on a backdrop of AK-47s. The government has, at
times, argued Santa Muerte is “<a href="https://ks.fd.org/blog/2014/07/8407-defense-santa-muerte">a tool of the drug trade</a>,” but that seems an
oversimplification.</p>
<p>Praying to Santa Muerte for protection—including from legal trouble—is practiced in some Mexican
traditions, and there is some evidence that some gang members in the United States have picked up
this custom—or at least the Santa Muerte imagery.</p>
<p>Rob, Frank, and the others belonged to the Mexican Playboy Sureños (PBS/Sur 13) street gang.</p>
<p><img src="https://footnote4a.org/blog/dupage/santa-muerte.png" alt="Santa Muerte" width="400" class="float-right ml-3"></p>
<p>Meanwhile, police continue trawling for evidence beyond the name of the suspect that the family
provided. ALPR turns up nothing. With the exception of a Walgreens video showing Rob’s truck driving
by, and video from another business showing some unidentifiable vehicles on the road where
Frank’s body was found, they find little.</p>
<p>By mid-March, police apply for a search warrant for all location data from every Android phone in a
two-kilometer (1.25 miles) radius around the location where Frank’s body was found.</p>
<p>ASA Louis Nuckolls approved the warrant and Judge Mackay signed off on it. Google, however, resisted
it and called it overbroad. The company convinced police to narrow it to a much more reasonable 200
meters (~650 feet).</p>
<p>Google provided two phones with “obfuscated device IDs” within that narrowed 200m radius. Police
deemed them irrelevant because they were too far from the scene of the crime. They did not
investigate these devices further.</p>
<p><img src="https://footnote4a.org/blog/dupage/geofence-warrant.png" alt="Geofence warrant" width="700"></p>
<p>Sam was a top contact for both Marco and Rob and had talked to Frank 17 times in the month of
January. He was saved in Frank’s phone as “Ced.”</p>
<p>At this time, an anonymous informant tells police that Frank had been “beefing” with his fellow gang
members, and that PBS was responsible for Frank’s death. The informant said that a man known as
“Cedric” had ordered Frank killed. Another man, “Hammer,” had also been involved. He gave police a
street for “Hammer” — the same as Marco’s.</p>
<p><img src="https://footnote4a.org/blog/dupage/informant.png" alt="Informant interview" class="collapsible"></p>
<p>By March 31<sup>st</sup>, police serve pen register orders on the cell phone provider, and they start
live-tracking Rob and Marco’s phone locations.</p>
<p>On April 7, SWAT raids three addresses. At the first, they arrest Marco and seize Albert’s phone. At
the second, they arrest Rob and seize his truck.</p>
<p>At the third address, where Frank used to rent a room from Marco’s brother and his partner (who
shares a last name with Sam), they arrived at 5am, surrounded the home, and ordered the residents
outside. Inside, they find Sam’s elderly father, in a “urine-soaked bed.” The report does not note
whether the man’s non-verbal state and immobility were a result of the armed raid.</p>
<p><img src="https://footnote4a.org/blog/dupage/swat.png" alt="SWAT raid family home" width="600" class="float-right"></p>
<p>They interview Marco’s brother (who has a “conejo,” bunny tattoo to signify PBS/Sur 13 membership).
They also seize 11 electronic devices and 29 memory cards.</p>
<p>Since then, Marco has been in the DuPage County jail, pending trial.</p>
<p>In 2024, Rob was sentenced to nine years on unrelated drug charges. He does not appear to have been
charged or publicly identified in relation to this murder.</p>
<p>There are no reports that Albert or Sal have been arrested or charged.</p>
<p>Marco has a court date set for November 13, 2025.</p>
<hr>
<h2>A Trail Gone Cold, A Dragnet Too Late</h2>
<p>The story of this investigation is one of critical, early failures. On January 29, 2022, after a
resident reported gunshots, Wayne PD responded, found blood in the snow, and, per media reporting,
did nothing more. They did not return. They did not find Frank’s body, which lay just 20–30 feet
from the road.</p>
<p>This inaction continued when Frank’s family reported him missing. The family, not the police,
provided detectives with a cloned copy of Frank’s cellphone, his Google password, and the name of a
suspect, “Marco.” The family even pointed out the suspicious text messages they had found and
received.</p>
<p>Despite these critical leads, the file shows a pattern of neglect. On February 8, Metra PD found
footage of Frank at the Round Lake station. They saved only screenshots of Frank and allowed the
full video file to be overwritten and lost forever.</p>
<p>It wasn’t until a month later, when a random passer-by stumbled upon Frank’s body, that police began
an investigation in earnest.</p>
<p>By then, the case was cold. The blood trail was gone, melted with the snow. The virtual surveillance
tapes from the Grand Victoria Casino and nearby businesses — which digital forensics would later
prove were key locations — had been recycled.</p>
<p>Instead of “good old-fashioned police work”—like searching 30 feet from a blood trail—the state
relied on massive, retroactive digital dragnets. They served a geofence warrant for a two-kilometer
radius around the crime scene, covering nearly five square miles. It was an act so “overbroad” that
Google pushed back and convinced police to narrow the search to 200 meters. Even then, the warrant
yielded two “obfuscated device IDs” which police did not deem relevant.</p>
<p>This “too much, too late” approach defined the outcome. The digital information seems to evidence
Rob and Sam’s extensive involvement: they were with Frank all day, at the casino just before the
murder, and Rob’s phone traveled with Marco’s to the Munger Road area just after Frank’s phone went
silent. Despite this data, only Marco was charged.</p>
<p>According to media reporting, the prosecutor alleged at Marco’s arraignment that Marco called
“another gang member” immediately after the murder, around 11pm. The file indicates Marco made a
31-second phone call to his roommate Albert at 12:15am, from the Round Lake Beach area, shortly
before he arrived home.</p>
<p>However, the file, but not the reporting on the prosecutor’s statements, shows that <em>Rob</em> received a
six-second call from a number with a northern Illinois area code at 11:03pm, while Rob and Marco
were still in the area where Frank’s body was found. The number is identified in the investigative
file, but there is no mention of its owner, or of attempts to find its owner.</p>
<p><img src="https://footnote4a.org/blog/dupage/rob-phonecall.png" alt="Rob phone call" width="700"></p>
<p>The file also shows that there was extensive contact between a number police identify as possibly
belonging to Eric, the man from the gas station, in the hour leading up to the murder.</p>
<p>But not any time before or after.</p>
<p><img src="https://footnote4a.org/blog/dupage/cell-contact.png" alt="Contacts between Rob and possibly Sam" width="450" class="float-right ml-3"></p>
<p>Eric is unable to pick Marco, Rob, or Frank out of a photo line-up. He is treated as a witness and is
not investigated further.</p>
<p>This investigative file doesn’t tell the story of an under-resourced police department; it tells the
story of a well-equipped multi-jurisdictional team of investigators that didn’t bother with a
missing persons investigation and let the evidence grow cold.</p>
<p>When they finally acted, their high-tech dragnet was an imperfect substitute, apparently leaving
them with a case against one man while the others implicated by the same data faced no charges, or
even, by all appearances, any thorough investigation.</p>
<p>Now, to be clear: the harms of mass surveillance notwithstanding, police have a moral duty to use
the technology available to them. They should not be faulted merely for <em>using</em> surveillance—in
fact, they should have used that capability to find Frank when he was first reported missing, when
it mattered most.</p>
<p>But what they <em>also</em> had a duty to do was look for Frank. First, when he was missing. Then, when
they found blood while Frank’s lifeless body was a mere twenty feet from the road.</p>
<p>The broad, long-term phone warrants, and especially the ~5 sq. mile search warrant, show that mass
surveillance can’t be left unchecked in the hands of police. These warrants need meaningful
oversight, not rubber-stamping prosecutors and judges or the best moral judgment of multinational
corporations.</p>
<p>Mass surveillance is not a substitute for work. Frank’s family was left in the dark for thirty-three
days while police and others had video of him. While police found his blood. While they were within
mere feet of his dead body.</p>
<p>Marco now sits in jail while others go uninvestigated. “We got him.”</p>
<p>At the end of the day, surveillance technology may be a “force multiplier,” but this case shows that
force multiplying zero will always stay zero.</p>
<p><a href="dupage-county-2">How this story became public reveals an even deeper failure →</a></p>
<hr>
<p class="text-sm">A redacted copy of the file <a href="https://footnote4a.org/blog/dupage/DuPage-Redacted.pdf">is available for download here</a>. As
the original file was a single, unformatted blob (from being pasted into a single data field), the
version provided has been re-formatted for readability (e.g., restoring line breaks and lists) to
more closely match the original document’s structure.</p>
<p class="text-xs">Although this case has previously been reported on, and despite the original source file being
public, I chose to redact the file and use aliases in the article. Despite the obvious limitations
of this approach, it is an effort to mitigate any potential additional harm, while still
illuminating this ongoing problem with Flock and other unregulated surveillance technology.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p class="text-xs">I first reached out to the DuPage County public defenders’ office, which is defending “Marco,” on
October 14, 2025. My call was returned on October 23, with a vague “I’ll look into it.” There is no
additional information as of November 8, and the source file remains online.</p>
<p class="text-xs">I reached out to “Rob”’s attorney around the same time in October. He did not return my call.</p>
<p class="text-xs">After receiving the file, the DuPage County Clerk of Court responded: “Case filings may be obtained
or viewed in the Clerk’s Office in person or online via <a href="http://dupagecircuitclerk.gov">dupagecircuitclerk.gov</a> using the i2File or
Attorney Access links” (Filings for this case are unavailable online).</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>More data breach posts are in the works — they’ll be posted here or elsewhere soon. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[157 Pages of Evidence, 200 Jurisdictions, Zero Oversight]]></title>
            <link>https://footnote4a.org/news/dupage-county-2</link>
            <guid isPermaLink="false">https://footnote4a.org/news/dupage-county-2</guid>
            <pubDate>Sat, 08 Nov 2025 21:00:00 GMT</pubDate>
            <description><![CDATA[A 157-page murder investigation file with informant details leaked to 200 agencies via Flock's uncontrolled audit log system.]]></description>
            <content:encoded><![CDATA[<p>A 157-page active murder investigation file, complete with information about anonymous informants,
gang intelligence, and detailed information on people not under suspicion, has been floating around
the internet for six months.</p>
<p>How it got there is a story of systemic failure and negligence.</p>
<p>According to the Flock audit logs processed on this website, an officer, John Alipour (technically,
“J. Ali”), with the DuPage Forest Preserve PD shared the entire 157-page file with Flock by looking
for a license plate and pasting the file into the “Reason” field.</p>
<p>Flock’s system, which the company claims is “CJIS certified”<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup>, saw no problem with a massive,
sensitive file being provided as a simple “Reason” for a search. At the time of writing, the median
length for search reasons is <a href="https://footnote4a.org/statistics">7 characters</a>, and 81% of Alipour’s agency’s reasons
<a href="https://footnote4a.org/pd/6192-dupage-county-forest-preserve-il-pd/stats">are a single word long</a>.</p>
<p>But the real problem is that Flock’s customers allow Flock to create audit log entries — which are
the customer’s files — without any oversight. Because the customer is a government, their files are
public records.</p>
<p>On receipt of the 157-page search reason, Flock’s system proceeded to automatically enter it into
200 of its customers’ public records.</p>
<p>It would be like if you made a Word document writeable for Flock and told Flock “okay, just write
everything your customers say in this file,” without giving anyone any further instructions. Except
instead of a Word document, it’s the Flock software’s “Insights” tab with audit logs.</p>
<p>This was not just one policeman’s error. It was a complete failure of infrastructure and oversight
that began with allowing Flock to handle data and create government records.</p>
<p>Compounding the problem is that Flock’s platform, apparently, has no technical safeguards to prevent
a 157-page investigative file from being uploaded into a single text field.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>Yes, the officer’s act was a gross violation of security policies, and, likely, law<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup><sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup><sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup><sup class="footnote-ref"><a href="#footnote6">[6]</a><a class="footnote-anchor" id="footnote-ref6"></a></sup>
and prosecutorial ethics<sup class="footnote-ref"><a href="#footnote7">[7]</a><a class="footnote-anchor" id="footnote-ref7"></a></sup>.</p>
<p>Yes, the releasing agency did not properly review and redact hundreds of thousands of log entries
before releasing them.</p>
<p>But the bigger picture is that this is a symptom of government’s continuing failure to perform
meaningful oversight of private-sector police and surveillance technology.</p>
<p>All of this was foreseeable.</p>
<p>But now, even if anyone had caught it sooner, the toothpaste is out of the tube.</p>
<p><a href="dupage-county">The file exposed a murder investigation that let its evidence melt with the snow →</a></p>
<hr>
<p class="text-xs">A redacted copy of the file <a href="https://footnote4a.org/blog/dupage/DuPage-Redacted.pdf">is available for download here</a>. As
the original file was a single, unformatted blob (from being pasted into a single data field), the
version provided has been re-formatted for readability (e.g., restoring line breaks and lists) to
more closely match the original document’s structure.</p>
<hr>
<div class="markdown-alert markdown-alert-note">
<p class="markdown-alert-title">Note</p>
<p><strong>February 2, 2026 Update:</strong> After receiving non-responses from the DuPage Co. public defender and
the DuPage Co. Clerk of Court, I sent a letter reporting the incident to the FBI, with copies to
the US DoJ Office of the Inspector General, Senator Chuck Grassley (R-IA), and Illinois Attorney
General Kwame Raoul. Today, two months later, I received a response to that letter.</p>
</div>
<p><a href="https://footnote4a.org/blog/dupage-county-2/il-ag-response.pdf" class="collapsible">IL AG response to leaked investigative notes</a></p>
<blockquote>
<p>Thank you for your recent letter regarding the above-named business [Flock].</p>
<p>We wish to express our appreciation for your cooperation in bringing this matter to our attention,
and we have recorded the information that you have provided in our complaint files for possible
future use in enforcing Illinois’ consumer protection laws. It is only through the assistance of
concerned citizens that we can effectively do our job of enforcing Illinois’ consumer protection
laws.</p>
</blockquote>
<p>The person named in the file remains in the DuPage County jail, held on a $1M bond and awaiting
trial for murder.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p><em>“To demonstrate its commitment to security, [Flock] earned the CJIS ACE Compliance Seal by
partnering with Diverse Computing, a third-party service provider.”</em> Diverse Computing is a
private corporation out of Tallahassee, Florida. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>This 0-budget, 1-developer website, for example, has constraints on the amount of information
shown, and it has simple but largely effective filters to
<a href="https://footnote4a.org/about/privacy">redact SSNs, names, birthdates, etc.</a>. Even though those elements shouldn’t be
in the dataset to begin with. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>725 Ill. Comp. Stat. 120/4.5 (enumerating statutory rights for crime victims and witnesses,
including the right to be free from harassment and intimidation) <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>5 Ill. Comp. Stat. 140/7(1)(d) (exempting from public disclosure under the Freedom of
Information Act any records that would “endanger the life or physical safety of any person”) <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>5 Ill. Comp. Stat. 140/7(1)(c) (exempting FOIA records that would constitute a “clearly
unwarranted invasion of personal privacy”). <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote6" class="footnote-item"><p>5 Ill. Comp. Stat. 140/2(c-5) (defining “private information” protected from disclosure to
include personal addresses and telephone numbers). <a href="#footnote-ref6" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote7" class="footnote-item"><p>Ill. R. Pro. Conduct 3.8(b) (requiring a prosecutor to “exercise reasonable care to prevent”
police officers from making public statements that the prosecutor would be prohibited from
making under Rule 3.6). <a href="#footnote-ref7" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
        <item>
            <title><![CDATA[The Many Faces of Flock Permits]]></title>
            <link>https://footnote4a.org/news/dot-permits</link>
            <guid isPermaLink="false">https://footnote4a.org/news/dot-permits</guid>
            <pubDate>Tue, 04 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Iowa DOT has a permitting process for roadside equipment. Kind of.]]></description>
            <content:encoded><![CDATA[<p>The State of Iowa owns 8,896 miles of roadways. These miles are managed by the Iowa Department of
Transportation. As is typical, the DOT sets rules for what can and can’t be constructed on the side
of the road, and it has a permitting process in place to ensure that whatever is built there
conforms to rigorous safety standards.</p>
<p>For most of us anyway.</p>
<h2>Rules for the Rest of Us</h2>
<p>The Iowa DOT publishes a <a href="https://iowadot.gov/media/215/download?inline">Design Manual</a> that covers
construction in the state right-of-way.</p>
<p>In it, you’ll find such statements as:</p>
<blockquote>
The Right of Way Design Section’s basic purpose is to produce and maintain a set of right
of way plans for a project that are accurate, legible, clear and concise so as to be
understood by landowners and Department personnel alike.
</blockquote>
<p>The DOT also operates a
<a href="https://iowadot.gov/consultants-contractors/right-way/utility-accommodation-coordination">utility accommodation program</a>,
which the DOT helpfully describes as “the process that occurs when utilities are placed within the
highway rights-of-way.”</p>
<p>The DOT operates an <a href="https://eps.iowadot.gov/">online utility permitting system</a> and publishes a
handbook that contains statements like:</p>
<blockquote>
115.15(7) Engineering. The utility owner is to retain the services of a licensed, professional
engineer familiar with the requirements for utility work to be accomplished in Iowa.
</blockquote>
<p>Then there are 511 forms for lane closures, requirements about insurance, traffic restrictions,
MUTCD compliance, MASH ratings, engineering standards, and various other things that are far beyond
this simple poster’s paygrade.</p>
<h2>Aren’t we all engineers when you think about it?</h2>
<p>With that in mind, I present the site plan submitted to, and approved by, the Iowa DOT for
<a href="https://footnote4a.org/blog/dot-permits/IA%20150%20Major%20Rd%20Fayette%20County.pdf">Project Number FN-150-6(3)–21-33</a>.</p>
<p><img src="https://footnote4a.org/blog/dot-permits/Fayette-Co-Plan.png" alt="Highway 150 site plan"></p>
<p>Deputy Sergeant Schveiger, who I assume is a licensed, professional engineer, assures us in the
permit that the “wooden 18 ft breakaway pole” will be “put into the ground” behind the guardrail and
that the Flock device will be “place on top of [the] pole approximately 11–12 ft in the air with
two metal bands.”</p>
<p>Further, from Engineer/Sergeant Schveiger’s drawing, it is plainly visible that the pole is to be
placed <em>directly</em> behind the guard rail and inside the guardrail’s deflection zone, where the
“ground” is made of concrete.</p>
<p>A wooden breakaway pole is uncommon for equipment. Typically, those are smaller posts, used for
signs. Equipment, including ALPRs, is typically placed on MASH-rated aluminum or composite poles,
which Flock can helpfully provide — for a fee.</p>
<p>Due to its height, the proposed 18-foot wooden pole cannot be both a breakaway pole and support any
sort of equipment. Now, without giving the DOT a pass for approving the permit, I’ll give
Engineer/Sergeant Schveiger the benefit of the doubt and assume that “18 foot” is a typo. The main
question — whether the pole is MASH-rated — remains unanswered.</p>
<p>However, that question does not matter. Even if it were a breakaway pole, by placing it directly
behind a guardrail, that guardrail is turned from a shock-absorbing, protective barrier, engineered
to deflect several feet and absorb the energy of a crashing vehicle, into a rigid wall.</p>
<p>The application was approved by the county. Not the county engineer or anyone whose position would
give them insight on traffic engineering. Nor anyone with at least an appearance of neutrality.
Instead, it was approved by Fayette County Sheriff Marty Fisher.</p>
<p>Then
<a href="https://iowadot.gov/contacts/nicholas-sorenson-engineering-operations-technician-new-hampton">Nick Sorenson</a>,
the DOT’s “Engineering Operations Technician,” approved this death trap, based on the permit
submitted — Microsoft Paint and all.</p>
<p>And it only gets worse from here.</p>
<h2>All Roads Are Basically the Same, Right?</h2>
<p>Different cities and different DOT districts take different approaches. Some submit one-liners on
handwritten forms, others forward the more extensive Flock-produced plans that don’t follow DOT
standards. The only thing they have in common is that the DOT approves them all.</p>
<p>Council Bluffs keeps it short and sweet in
<a href="https://footnote4a.org/blog/dot-permits/PW_ADMIN_4070N@councilbluffs-ia.gov_20230117_151641.pdf">its permit application</a>:</p>
<blockquote>
Installation of a Flock Safety license plate reader camera system with pole
</blockquote>
<p>That’s it.</p>
<p><img src="https://footnote4a.org/blog/dot-permits/Council-Bluffs-Permit.png" alt="Council Bluffs Permit Application" class="collapsible"></p>
<p><a href="https://footnote4a.org/blog/dot-permits/CarlislePD.pdf">Carlisle’s permit</a> goes into slightly more detail than Council
Bluffs’, and, to Carlisle’s credit, it even mentions they will be using a (MASH-rated, breakaway)
Redi Torque assembly.</p>
<blockquote>
Installation of 2 ALPR cameras in DOT ROW installed (2) or X2 Redi Torque - Soil Plate and solar
powered on behalf or Carlisle PD
...
Falcon 2.2 - 16 mm - Verizon CAT 4 (7611) 65W Solar Panel cameras installed on behalf of Carlisle PD
</blockquote>
<p>Unfortunately, despite the technobabble, just like in Council Bluffs, the permit does not identify
<em>where</em> the devices are to be installed.</p>
<p>Gary Kretlow Jr., Iowa DOT’s Engineering Technician Senior, approved it anyway.</p>
<p>After all, all roads are basically the same, right?</p>
<h2>White Lies and Permit Applications</h2>
<p>In an entirely unnecessary move, Storm Lake, home of Tyson Foods and its many immigrant laborers,
takes it a step further and decides to lie on its permit application. Why not?</p>
<blockquote>
Cameras will be managed according to the restrictions of the devices. All replacement or maintenance
of the devices and their supporting structures will be the responsibility of the Storm Lake Police
Department.
</blockquote>
<p>Storm Lake is, in fact, the only party
<a href="https://www.flocksafety.com/legal/terms-and-conditions">contractually prohibited</a> from replacing or
maintaining “the devices and their supporting structures”:</p>
<blockquote>
Customer is not permitted to remove, reposition, re-install, tamper with, alter, adjust or otherwise
take possession or control of Flock Hardware. Customer agrees and understands that in the event
Customer is found to engage in any of the foregoing restricted actions, all warranties herein shall
be null and void, and this Agreement shall be subject to immediate termination for material breach
by Customer.
</blockquote>
<p>“But,” I hear you say, “they can still be responsible without doing the work themselves!”</p>
<p>That would typically be true. Except the contractual prohibition on, basically, touching the device
is exacerbated by the fact that Flock is under no obligation to maintain or fix it.</p>
<blockquote>
Flock shall use reasonable efforts consistent with prevailing industry standards to maintain the
Services in a manner which minimizes errors and interruptions in the Services
...
In the event that Flock Hardware is lost, stolen, or damaged, Customer may request a replacement of
Flock Hardware at a fee according to the
<a href="https://www.flocksafety.com/reinstall-fee-schedule">reinstall fee schedule</a>.
<p>In the event that Customer chooses not to replace lost, damaged, or stolen Flock Hardware, Customer
understands and agrees that Flock is not liable for any resulting impact to Flock Service, nor shall
Customer receive a refund for the lost, damaged, or stolen Flock Hardware.</p>
</blockquote>
<h2>A Process for Some, a Rubber Stamp for Others</h2>
<p>The Iowa DOT’s robust permitting process, with its reams of engineering standards, safety manuals,
and requirements for licensed professionals, is a façade.</p>
<p>The evidence shows a two-tiered system. For the public and legitimate utilities, there are rules.
For police agencies, there are approvals.</p>
<p>If you are a utility, you must hire an engineer. If you’re with the sheriff’s office, you can use MS
Paint on a Google Maps screenshot and call it a site plan. The DOT will approve it.</p>
<p>The department will approve dangerously incomplete applications that fail to state where the
equipment will even be installed. It will approve applications containing obvious, verifiable
falsehoods about maintenance and liability. And it will sign off on plans that turn engineered
safety barriers into rigid, vehicle-impaling deathtraps.</p>
<p>Just as police are not keeping us safe with mass surveillance, the DOT is not ensuring safety with
mass approvals of equipment in the right-of-way. It abandons its most basic public duty in favor of
providing a fast lane for surveillance, one dangerously stupid permit at a time.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>investigations</category>
        </item>
    </channel>
</rss>