<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Footnote4a — Policy &amp; Legal</title>
        <link>https://footnote4a.org/category/policy-legal</link>
        <description>Footnote4a reporting filed under Policy &amp; Legal</description>
        <lastBuildDate>Tue, 30 Jun 2026 04:15:00 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <copyright>© 2026 Footnote4a — Policy &amp; Legal</copyright>
        <atom:link href="https://footnote4a.org/feed/policy-legal.xml" rel="self" type="application/rss+xml"/>
        <item>
            <title><![CDATA[The Chatrie Decision and ALPR]]></title>
            <link>https://footnote4a.org/news/chatrie-knotts</link>
            <guid isPermaLink="false">https://footnote4a.org/news/chatrie-knotts</guid>
            <pubDate>Tue, 30 Jun 2026 04:15:00 GMT</pubDate>
            <description><![CDATA[Yesterday's Supreme Court decision "will send seismic waves through our Fourth Amendment doctrine," according to Justice Alito's dissent. It could.]]></description>
            <content:encoded><![CDATA[<p>Yesterday, we discussed the <a href="schmidt-amici">amicus brief in Schmidt v. Norfolk</a> and referenced the
Supreme Court’s decision in <em>Chatrie</em>, which dropped at the same time. This article will take a
deeper look at <em>Chatrie</em>, and tell you why Flock’s next blog post will be wrong about what the
decision says.</p>
<p>Flock, and other pro-mass surveillance parties, will present <em>Chatrie</em> as reaffirming the one cited
line from <em>Knotts</em>. I don’t doubt that they have a blog post in the making highlighting this
paragraph from <em>Chatrie</em>:</p>
<blockquote>
<p>… another feature of Knotts makes it inapt here: that the surveillance there was confined to
public roads. That fact was crucial to the Court’s decision: “A person traveling in an automobile
on public thoroughfares has no reasonable expectation of privacy,” Knotts explained, because the
car is always “in plain view.” 460 U. S., at 281. By contrast, the movements that Location History
reveals are not limited to public streets. Recall what Carpenter observed: A “cell phone
faithfully follows its owner beyond public thoroughfares and into private residences, doctor’s
offices, [and] political headquarters.”</p>
</blockquote>
<p>This line of reasoning is somewhat similar to the District Court’s finding in <em>Schmidt v. Norfolk</em>,
based on <em>Carpenter</em>, and it’s pretty much what informed Flock’s oft-repeated “we don’t track
people” line.</p>
<p>The argument by itself is persuasive enough, but it can only work if you disregard the rest of the
<em>Chatrie</em> opinion as well as <em>Beautiful Struggle</em>.</p>
<p>As yesterday’s post also conceded, <em>Knotts</em> is not wrong, per se. Nobody is making the argument that
a single observation of a vehicle on a public road does not pass constitutional muster. But that’s
not what the search in <em>Chatrie</em> is about — in <em>Chatrie</em>, nobody argues that the observation and
collection of the location history data (by Google) was unconstitutional. The Supreme Court never
asks, let alone answers, that question. Both <em>Chatrie</em> and <em>Carpenter</em> found a search occurred when
the government <strong>accessed</strong> a pre-compiled, retrospective database containing location history data.</p>
<p>Both Google and Flock are private companies. A private company collecting a user’s location or
taking a picture of a vehicle on a public street is not by definition unconstitutional, nor is
aggregating that information in a national database. To be clear: I believe Flock deployments
generally aren’t legal, but my objections to the cameras themselves are largely statutory, not
constitutional.</p>
<p>In <em>Carpenter</em>, the court examined the government’s access to a historical database: the phone
company may have collected years worth of data, but the government’s act of looking at 7 days of
CSLI records triggered the Fourth Amendment. In <em>Chatrie</em>, the court works through the reasons why
location history is private and not voluntarily disclosed (in any real sense), before writing: “we
hold that police officers invade a cell-phone user’s reasonable expectation of privacy <strong>when they
access his Location History</strong>.” (emphasis added)</p>
<p>It then restates the same holding: “When the government ‘accesses historical cell phone’ location
information—Location History as much as CSLI—it ‘conducts a search under the Fourth Amendment.’”</p>
<p>Access, not collection. Even if the collection — the observation and recording of a vehicle
traveling on a public street — would be legal under <em>Knotts</em>, it’s the government’s access of the
retrospective database that creates the search under both <em>Carpenter</em> and <em>Chatrie</em>.</p>
<p>That distinction holds even if we were to assume that Flock’s retrospective database contains only
observations permissible under <em>Knotts</em> — which is something we know not to be true, because
deployments on private property exist, but is a fact that plaintiffs in <em>Schmidt</em> may have conceded.</p>
<p>But, for the sake of argument, let’s say when the Supreme Court wrote about “access” they really
meant to include something about the location where the data was collected.</p>
<p><em>Beautiful Struggle</em><sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> held that the compilation of retrospective data itself “is enough to yield
‘a wealth of detail,’ greater than the sum of the individual trips”, and “because people’s movements
are so unique and habitual, it is almost always possible to identify people by observing even just a
few points of their location history.” The court in <em>Beautiful Struggle</em> agreed you can infer a lot
of information from a historical database; those inferences fall outside of what is exposed to the
public and would be observable under <em>Knotts</em>.</p>
<p>The Fourth Circuit did not treat that conclusion as its own intuition; it drew the principle from
the Supreme Court itself, quoting Justice Sotomayor’s observation in <em>Jones</em> that people do
not expect “that their movements will be recorded and aggregated in a manner that enables the
government to ascertain” the details of their private lives.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>It’s also an argument plaintiffs made in <em>Schmidt</em>, and the one Flock attempted to rebut on a
<a href="flock-infer">redacted page</a> with (only) the heading “The Flock Camera Data Does Not Enable an
Individual to ‘Infer’”. But the District Court found that the data <em>does</em> allow inference of certain
aspects of life. The District Court also found that the inference was not enough to trigger a
search, but <em>Chatrie</em> now rejects that quantitative test:</p>
<blockquote>
<p>… this Court has never understood Fourth Amendment protections as kicking in only once an
intrusion “goes too far,” Where the Fourth Amendment applies, it applies regardless of “the
quality or quantity of information” the government obtains. That approach makes all the more sense
when, as with Location History, law enforcement officials can select the time-limited set of
materials they want from an all-encompassing database.</p>
</blockquote>
<p>The record in <em>Schmidt</em> shows that capacity to infer exists: plaintiffs’ expert found Flock captured
78.7% of modeled routes, most of them reconstructable because they pass two or more cameras —
exactly the ability to rebuild a person’s movements that, under <em>Beautiful Struggle</em>, makes those
inferences possible.</p>
<p>Flock’s headline takeaway will be that the 1983 <em>Knotts</em> case about tracking a beeper in a car still
stands. The Fourth Circuit should conclude, as they did in 2021 in <em>Beautiful Struggle</em>, and as
the Supreme Court did yesterday in <em>Chatrie</em>, that the correct answer to that is: “so what?”</p>
<p>Flock’s best argument has always been that all it does is photograph the back of a car. But under
<em>Chatrie</em>, data collection is not the search. The search happens when the government delves into the
database built from the photographs — and into everything it lets them deduce.</p>
<p>Forty years ago, <em>Knotts</em> was about watching a car’s location on a road; now, <em>Chatrie</em> and
<em>Beautiful Struggle</em> are about accessing location histories. The fight is moving into the 21<sup>st</sup>
century: from cars and cameras to databases and computer analysis. That’s the seismic wave Alito
fears. Flock should too.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p><em>Leaders of a Beautiful Struggle v. Baltimore Police Dep’t</em>, 2 F.4th 330 (4th Cir. 2021) <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p><em>United States v. Jones</em>, 565 U.S. 400, 415 (2012) (Sotomayor, J., concurring). <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[Sixteen States and DC File Fourth Circuit Brief in Support of Norfolk's Surveillance]]></title>
            <link>https://footnote4a.org/news/schmidt-amici</link>
            <guid isPermaLink="false">https://footnote4a.org/news/schmidt-amici</guid>
            <pubDate>Mon, 29 Jun 2026 16:00:00 GMT</pubDate>
            <description><![CDATA[Sixteen states argue that if one license-plate scan is legal, a city-wide surveillance network must be too.]]></description>
            <content:encoded><![CDATA[<p>In <em>Schmidt v. Norfolk</em>, the District Court for Virginia’s Eastern District found that the City of
Norfolk’s use of Flock LPR cameras to track plaintiffs within the city of Norfolk did not violate
the US Constitution. The Institute for Justice appealed. Sixteen states<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> and the District of
Columbia have now filed an <em>amicus curiae</em> brief conceding a number of critical anti-surveillance
points.</p>
<p>@<a href="https://footnote4a.org/blog/schmidt-amici/gov.uscourts.ca4.181755.44.0.pdf">Brief for Amicus Curiae</a></p>
<p>For the most part, the brief follows Flock’s primary argumentative strategy: if a single observation
in public is legal, then all observations in public must be legal. It is a simplistic argument that
falls apart under any scrutiny — after all, crimes like stalking and harassment exist. It’s legal to
follow a car on the highway, but that doesn’t automatically mean it’s legal to follow your ex’s car
to the office, soccer practice, and their therapy appointments.</p>
<p>There’s misdirected effort here, too. The brief’s first argument — pages 6 through 11 — labors to
prove that a driver has no privacy interest in a license plate sitting in plain view. No one said
otherwise. The plaintiffs concede the point, and the brief quotes the concession on page 12: they
“don’t challenge the isolated use of ALPRs for capturing license plate numbers,” only Norfolk’s
aggregated, city-wide use.</p>
<p>The fact that Flock has created a nationwide database is barely discussed. That is not so much an
omission in the brief, but a result of the plaintiff barely raising it in the petition. The
Institute for Justice’s <a href="https://www.nbcnews.com/tech/tech-news/san-jose-drivers-sue-city-police-flock-cameras-rcna331750">case in San Jose, CA</a>, takes a similar approach. The Supreme Court
places weight on the scope of the tracking; it’s a test that might be easier to satisfy <em>with</em> the
nationwide network, but the IJ rightly argues even a city-wide network exceeds the Constitution’s
limits.</p>
<p>Regardless, the amici states raise the nationwide network. The article cited in the brief’s third
footnote is even headlined <em>“<a href="https://www.islandpacket.com/news/local/article314233815.html">For the Most Part, We Can Track You All Over the Country</a>.”</em> That
piece is generally critical of LPR deployments in South Carolina, and, beyond its headline,
contains lines like “[Flock] does not explain how the data is deleted.” and “Merely by driving a car
with a license plate, people are often unwittingly entered into massive databases that are then
shared, Bowers said.”</p>
<p>But the nationwide network is not the only point the “one scan is legal” argument glosses over.
Another point the brief references in a citation but skips is the one made in <em>Beautiful Struggle</em>:
that of data retention. The brief concedes 21-days of data retention, the maximum under Virginia
law<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup>. To understand why this is so relevant, we have to look at the states’ and Flock’s
talking point, lifted from <em>Carpenter</em>, about “the whole of an individual’s movements.”</p>
<p>In <em>Carpenter</em>, which was about cell phone (“CSLI”) records, the Supreme Court looked at how much
information could be obtained from cell phone records and found that it was the whole of a person’s
movements. The District Court in <em>Schmidt</em> found that tracking by ALPR didn’t go quite as far as
cell phone or ankle monitor tracking would have, and therefore it did not meet that definition.</p>
<p>But that ignores <em>Leaders of a Beautiful Struggle v. Baltimore Police Department</em>, a case the states
do cite in their brief, where the court held that <em>because</em> of the 45 day retention, BPD created a
“detailed, encyclopedic” record of movements (emphasis added):</p>
<blockquote>
<p>Carpenter applies squarely to this case. More like the CSLI in Carpenter and GPS-data in Jones
than the radio-beeper in Knotts, the AIR program “tracks every movement” of every person outside
in Baltimore. <strong>Because the data is retained for 45 days—at least—it is a “detailed,
encyclopedic,” record of where everyone came and went within the city during daylight hours over
the prior month-and-a-half.</strong> … AIR data is more like “attach[ing] an ankle monitor” to every
person in the city. “Whoever the suspect turns out to be,” they have “effectively been tailed” for
the prior six weeks. (“[P]olice need not even know in advance whether they want to follow a
particular individual, or when.”). Thus, the “retrospective quality of the data” enables police to
“retrace a person’s whereabouts,” granting access to otherwise “unknowable” information.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></p>
<p>We do not suggest that the AIR program allows perfect tracking of all individuals it captures
across all the time it covers. … Still, the program enables photographic, retrospective location
tracking in multi-hour blocks, often over consecutive days, with a month and a half of daytimes
for analysts to work with. <strong>That is enough to yield “a wealth of detail,” greater than the sum of
the individual trips.</strong> It enables deductions about “what a person does repeatedly, what he does
not do, and what he does ensemble,” which “reveal[s] more about a person than does any individual
trip viewed in isolation.” Carpenter held those deductions go to the privacies of life, the
epitome of information expected to be beyond the warrantless reach of the government. And here, as
there, the government can deduce such information only because it recorded everyone’s movements.</p>
<p>— <em>Leaders of a Beautiful Struggle v. Baltimore Police Dep’t</em>, 2 F.4th 330, 341–42 (4th Cir. 2021)</p>
</blockquote>
<p>The <em>Carpenter</em> Court found seven days sufficient history to bring it into the territory of a
constitutional search: “It is sufficient for our purposes today to hold that accessing seven days of
CSLI constitutes a Fourth Amendment search …”. <em>Beautiful Struggle</em> said 45 days, even without
perfect tracking of individuals, was sufficient, and that the picture was “greater than the sum of
the individual trips”. Norfolk’s tracking of individual trips over multiple weeks and the 21 day
retention period falls neatly in between <em>Carpenter</em> and <em>Beautiful Struggle</em>.<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup> The District
Court’s finding that this would not be a search is plainly the outlier in the series.</p>
<p>The brief also contains an interesting technical wrinkle: its citation of <em>United States v.
Chatrie</em>, 107 F.4th 319 (4th Cir. 2024). That’s a citation to the panel opinion, which was vacated
in November of 2024, when the 4th Circuit (where this brief was filed) granted an <em>en banc</em>
rehearing. The proposition they cited the case for (that geofence searches are not “searches” under
the Fourth Amendment) does not exist in the April 2025 <em>en banc</em> opinion at all.</p>
<p>Even worse for the states and their brief, that <em>en banc</em> opinion in <a href="https://www.scotusblog.com/cases/chatrie-v-united-states/"><em>Chatrie</em> was vacated by the
Supreme Court today</a> (June 29, 2026). <em>Chatrie</em> is a cell-phone case, so it does not decide
the ALPR question directly but the reasoning leaves the states no room. The Court held:</p>
<blockquote>
<p>Police officers conducted a Fourth Amendment search when they acquired Chatrie’s location data
from Google because an individual has a reasonable expectation of privacy in his cell-phone
location information.</p>
</blockquote>
<p>And, in the line that lands hardest on this brief’s “it’s only a few data points” arithmetic:</p>
<blockquote>
<p>… this Court has never understood Fourth Amendment protections as kicking in only once an
intrusion “goes too far” … Where the Fourth Amendment applies, it applies regardless of “the
quality or quantity of information” the government obtains. That approach makes all the more sense
when, as with Location History, law enforcement officials can select the time-limited set of
materials they want from an all-encompassing database.</p>
</blockquote>
<p>The brief also cites <em>Knotts</em><sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup> throughout — this is a 1983 case which directly undercuts the
brief’s main argument. The quote given is “A person travelling in an automobile on public thoroughfares
has no reasonable expectation of privacy in his movements from one place to another.” The more relevant
quote from the next paragraph is omitted:</p>
<blockquote>
<p>Respondent does not actually quarrel with this analysis, though he expresses the generalized view
that the result of the holding sought by the government would be that “twenty-four hour
surveillance of any citizen of this country will be possible, without judicial knowledge or
supervision.” But the fact is that the “reality hardly suggests abuse,” <em>Zurcher v. Stanford
Daily</em>; if such dragnet type law enforcement practices as respondent envisions should eventually
occur, there will be time enough then to determine whether different constitutional principles may
be applicable. Insofar as respondent’s complaint appears to be simply that scientific devices such
as the beeper enabled the police to be more effective in detecting crime, it simply has no
constitutional foundation. We have never equated police efficiency with unconstitutionality, and
we decline to do so now. — <em>United States v. Knotts</em>, 460 U.S. 276, 283–84, 103 S. Ct. 1081, 1086,
75 L. Ed. 2d 55 (1983)</p>
</blockquote>
<p>The Court found that the <em>existence</em> of tracking technology did not violate the Constitution — and
it expressly reserved the question of whether deploying that technology as a “dragnet” would.</p>
<p>The efficiency line is interesting, because the states argue it backwards here. In <em>Knotts</em>, it was
the defendant who argued that efficient, technology-driven surveillance was unconstitutional. The
Court turned that down flat: it has “never equated police efficiency with unconstitutionality.”
Efficiency isn’t the test. The states now run the mirror image — uphold our surveillance <em>because</em>
it works — and <em>Knotts</em> disposes of that just as fast. Effectiveness doesn’t decide the question in
either direction.</p>
<p>The states’ strongest appellate authority has its own fit problem. They lean on <em>United States v.
Gregory</em>, an Eleventh Circuit case, for the idea that automatic, nonstop cameras raise no Fourth
Amendment concern. But <em>Gregory</em> is a pole-camera case: fixed cameras pointed at the outside of one
house during a drug investigation. Trying to apply it to the 176-camera grid wired into a nationwide
database asks a case about a single stationary camera to answer the dragnet question <em>Knotts</em> left
open.</p>
<p>The <em>Gregory</em> panel wasn’t even fully sold — a concurring judge cautioned against assuming the
public-view doctrine “immunizes pole cameras regardless of the length of time they record,” and
noted that the Eleventh Circuit’s parallel reasoning about cell-site data was exactly what the
Supreme Court threw out in <em>Carpenter</em>.</p>
<p>The Justices rejected that efficiency rationale head-on, in another case the states cite:</p>
<blockquote>
<p>We cannot deny that our decision today will have an impact on the ability of law enforcement to
combat crime. Cell phones have become important tools in facilitating coordination and
communication among members of criminal enterprises, and can provide valuable incriminating
information about dangerous criminals. Privacy comes at a cost. … Our cases have historically
recognized that the warrant requirement is “an important working part of our machinery of
government,” not merely “an inconvenience to be somehow ‘weighed’ against the claims of police
efficiency.” Coolidge v. New Hampshire, 403 U.S. 443, 481, 91 S.Ct. 2022, 29 L.Ed.2d 564 (1971). —
Riley v. California, 573 U.S. 373, 401, 134 S. Ct. 2473, 2493, 189 L. Ed. 2d 430 (2014)</p>
</blockquote>
<p>In all, the states’ two arguments are: (1) a single capture is legal, therefore all captures are
legal; and (2) Flock’s LPR network makes police more “efficient.”</p>
<p>Neither argument actively engages with the facts of the case, which are about a city-wide mass
surveillance dragnet with long-term historic data collection and warrantless searches of that data.
If these are the best arguments the Attorneys General for sixteen states and DC can muster, and with
the <em>Chatrie</em> decision in the bank, <em>Schmidt</em> may continue to be an interesting case.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>Alabama, Alaska, Arkansas, Delaware, Georgia, Illinois, Indiana, Kansas, Louisiana,
Missouri, Nebraska, Pennsylvania, South Carolina, South Dakota, Tennessee, Utah. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Va. Code § 2.2-5517 <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>The “unknowable” framing descends from <em>Kyllo v. United States</em>, 533 U.S. 27 (2001),
which held that using a thermal imager to detect heat inside a home was a search because it
exposed details “that would previously have been unknowable without physical intrusion.”
<em>Carpenter</em> carried that principle into location data, and <em>Beautiful Struggle</em> applies both
here. Cf. Arizona v. Hicks, 480 U.S. 321, 324–25 (1987) (officer’s moving a turntable a few
inches to read its serial number was a “search,” even though the equipment was already in plain
view during a lawful entry; the incremental intrusion, not the object’s visibility, controlled). <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>Technically, there is a difference between retention and access, but we know <a href="https://haveibeenflocked.com/pd/3162-norfolk-va-pd/audit?sort=date_desc">Norfolk’s
searches often exceed 21 days</a>. <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p><em>United States v. Knotts</em>, 460 U.S. 276, 281, 103 S. Ct. 1081, 1085, 75 L. Ed. 2d 55 (1983) <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[Flock Calls ALPR Information "Wholly Irrelevant" to Lawsuit About Policy on ALPR Information]]></title>
            <link>https://footnote4a.org/news/ca-suits</link>
            <guid isPermaLink="false">https://footnote4a.org/news/ca-suits</guid>
            <pubDate>Wed, 03 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Flock's system captures over 130 data fields. In court, Flock calls them "wholly irrelevant" to a lawsuit about whether it ever disclosed collecting them.]]></description>
            <content:encoded><![CDATA[<p>The three California class actions over Flock’s automated license plate readers are now consolidated
as <em>In re Flock Group Inc. Automated License Plate Reader Litigation</em>, No. 3:26-cv-02375-VC (N.D.
Cal.), before Judge Vince Chhabria.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> In the fight over how much of its data Flock has to hold
onto, the company has landed on a strange argument: its cameras capture “over 130 data fields,” but
those fields are, Flock says, “wholly irrelevant” to a lawsuit about the data its cameras capture.</p>
<p>@<a href="https://footnote4a.org/blog/ca-suits/39.pdf" class="collapsible">Eldridge plaintiffs’ response (consolidation, leadership, and the preservation record)</a></p>
<p>The line comes from an April letter by Flock’s lawyers, written to fend off the suggestion that Flock
had let evidence slip away. To justify keeping a smaller slice of data going forward, Flock told the
plaintiffs that most of what it collects doesn’t matter:</p>
<blockquote>
<p>… Flock’s ALPR system captures over 130 data fields, the overwhelming majority of which—fields
relating to bumper stickers, roof racks, window stickers, vehicle pose, and the like—are wholly
irrelevant to a lawsuit that concerns whether Flock posted an adequate usage and privacy policy
and whether federal or out-of-state law enforcement agencies had unauthorized access to the ALPR
data of California public entities.</p>
</blockquote>
<p>@<a href="https://footnote4a.org/blog/ca-suits/39-1.pdf" class="collapsible">Flock’s April 8, 2026, letter</a></p>
<p>California doesn’t carve out a “doesn’t matter” exception. Its ALPR law defines the regulated
information about as broadly as language allows:</p>
<blockquote>
<p>(b) “Automated license plate recognition information,” or “ALPR information” means information or
data collected through the use of an ALPR system. — Cal. Civ. Code § 1798.90.5</p>
</blockquote>
<p>If Flock’s system collects it, it’s ALPR information — plates, colors, the contents of bumper
stickers, and whatever the other hundred-odd fields hold. And California requires every ALPR
operator to publish a usage-and-privacy policy spelling out what it collects, why, how it keeps that
data accurate, and how it secures it. (Cal. Civ. Code § 1798.90.51.)</p>
<p>In February, a California appeals court held in <em>Bartholomew v. Parking Concepts</em> that running ALPRs
without a compliant policy is <em>itself</em> the harm — no need to prove your data was ever misused or
shared. Flock’s exposure doesn’t hinge on catching it red-handed but on whether its
published policy completely and accurately describes what the system does.</p>
<p>It doesn’t. Flock’s published <a href="https://archive.is/PpMlh">License Plate Reader Policy</a> (last updated November 2025) lists
eight kinds of data: a plate image, a vehicle image, vehicle characteristics like color and make,
the plate number and state, and the date, time, and camera location. In court, Flock admits to more
than 130 — and in its settlement proposal it agreed it “would not deny that it collects other
information, such as bumper stickers and roof racks.” Flock admits collecting this ALPR information
that appears nowhere in its policy.</p>
<p>@<a href="https://footnote4a.org/blog/ca-suits/39-9.pdf" class="collapsible">Flock’s April 14, 2026, email</a></p>
<p>That gap is enough to establish the violation, but it still can’t measure it. The plaintiffs also
bring privacy claims, including the tort of intrusion upon seclusion, and those turn on how
<em>offensive</em> the surveillance is. Offensiveness is judged by the manner, scope, and aggregation of
what’s collected, not by whether any single detail was visible from the street.</p>
<p>Which is exactly why “wholly irrelevant” is posturing. Flock wants the court to agree these fields
don’t belong in the case, so it only has to keep and hand over a narrow set. One group of
plaintiffs’ lawyers, trying to save <em>some</em> data, has been willing to take that deal. If the deal
goes through, Flock gets to produce tidy “samples” that will almost certainly leave out the
“offensive” parts.</p>
<p>We know Flock users have run searches for things like “<a href="https://haveibeenflocked.com/search?q=%22star+of+david%22">star of david</a>” and “<a href="https://haveibeenflocked.com/moderation-logs?q=red+corvette+with+cross+sticker+on+rear+window&amp;sort=date_desc">red corvette
with cross sticker on rear window</a>”. If I were a court considering “offensiveness”, I’d want
to hear about a database of religious expressions being built by snapping pictures of people
headed to the grocery store and subsequently sold to the government.</p>
<p>Flock says preserving what it collects on Californians would mean “petabytes of data that no one
could use.” Petabytes is the scale of a system that photographs ordinary people running errands and
records a hundred-some attributes of each car, over and over, across the state. Flock wields the
amount of data it collects as a defense. But the bigger the amount of data collected, the more
offensive the surveillance, and the more it’s worth, in real judgment dollars.</p>
<p>But that offensive defense is a misdirect. Flock won’t produce even a plain account of what the
fields are and how the search tools work. It brushes off requests for “data dictionaries and data
maps” as pointless. Most of the decade of data Flock collected is already rotated out on a
thirty-day-to-one-year clock; transient petabytes continue to cycle through Flock’s system, but
that doesn’t preclude the question of how much and what types of data have already been collected,
sold, and deleted.</p>
<p>Looking at the policy itself, it is conspicuously selective about accuracy — another element
required by California law. The policy promises that low-confidence <em>plate</em> reads aren’t passed
along, and concedes plate translation “may be incomplete or inaccurate” but says nothing about the
accuracy of the other fields — including color, which it collects and sells.</p>
<p>In October 2025, a Volusia County, Florida woman <a href="https://www.wesh.com/article/woman-wrongfully-arrested-in-deadly-i-4-crash-speaks-out-after-charges-dropped/71393304">spent more than two weeks in jail</a> after
Flock got the color of her car wrong. (For what it’s worth, Flock <a href="hotlist-mess#flock-wont-say-how-often-its-wrong">boasts that its system can tell a
motorcycle from a semitruck about 92.3% of the time</a>.)</p>
<p>The plaintiffs, for their part, are still trying to figure out who runs the case; the competing
motions go before the court on June 25. The split is basically the one above: triage down to the
data that identifies class members and move fast, or fight for the broader fields that show how far
the system actually reaches.</p>
<p>The firm pushing hardest to let the broader fields go is, as it happens, the same one whose
signature courtroom win helped establish that personal data has real value <em>as data</em>. Reasonable
people can disagree about what to save when the clock (and the legal bill) is running. But trading
away the most revealing evidence to lock in a quicker, smaller win may not be the best play.</p>
<p>The <a href="home-depot-suit">disclosure failure</a> has always done double duty for Flock: hide what the system
collects, and dodge enforcement when no one knows to ask. Now Flock wants it to pull a third shift —
wall the undisclosed fields off from the one proceeding built to drag them into the light.</p>
<p>It’s genuinely a bold strategy, Cotton. Let’s see if it pays off for them.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>The consolidated actions are <a href="https://www.courtlistener.com/docket/72512957/eldridge-v-flock-group-inc/"><em>Eldridge v. Flock</em></a>, <a href="https://www.courtlistener.com/docket/72513400/javorsky-v-flock-group-inc/"><em>Javorsky v. Flock</em></a>, and
<a href="https://www.courtlistener.com/docket/72526502/lance-dutcher-v-flock-group-inc/"><em>Dutcher v. Flock</em></a>, proceeding as <em>In re Flock Group Inc. Automated License Plate Reader
Litigation</em>, No. 3:26-cv-02375-VC. Interim lead-counsel motions are set for hearing June 25, 2026. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[Under Construction: California Class Action Lawsuits]]></title>
            <link>https://footnote4a.org/news/home-depot-suit</link>
            <guid isPermaLink="false">https://footnote4a.org/news/home-depot-suit</guid>
            <pubDate>Sat, 02 May 2026 15:30:00 GMT</pubDate>
            <description><![CDATA[While the existing Flock suits move toward consolidation, a new one drops; this time against The Home Depot and its "gravely dangerous" use of ALPRs.]]></description>
            <content:encoded><![CDATA[<h2>The Home Depot Suit</h2>
<p>On May 1, 2026, law firms Emery | Reddy and Milberg filed <a href="https://www.courtlistener.com/docket/73287899/schmierer-v-home-depot-usa-inc/">a class action suit in the Northern District
of California against The Home Depot</a>, alleging violations of California’s ALPR privacy act and
invasion of privacy. It’s the second class action against Home Depot in two months — Bursor &amp; Fisher
beat them to it with <a href="https://www.courtlistener.com/docket/73177820/mcginity-v-the-home-depot-inc/"><em>McGinity</em></a> back in March. The two suits divide the timeline: <em>McGinity</em>
covers shoppers caught before Home Depot quietly updated its ALPR policy in late December;
<em>Schmierer</em> covers everyone since. And it lands the same week three separate Flock suits
(<a href="https://www.courtlistener.com/docket/72512957/eldridge-v-flock-group-inc/"><em>Eldridge</em></a>, <a href="https://www.courtlistener.com/docket/72526502/lance-dutcher-v-flock-group-inc/"><em>Dutcher</em></a>, and <a href="https://www.courtlistener.com/docket/72513400/javorsky-v-flock-group-inc/"><em>Javorsky</em></a>) move to consolidate in the same court.</p>
<p>The new lawsuit challenges the common assumption that private corporations can surveil their
customers and others without limitation. As it should, because that assumption is plainly incorrect.
States can and do regulate the use of video and audio recording devices on private property, and
California’s ALPR law doesn’t distinguish between private and public operators.</p>
<p>The other component — invasion of privacy — is an interesting tack. The suit alleges two slightly
different violations: a violation of the right to privacy under the California Constitution, and the
tort of “intrusion upon seclusion.” The complaint writes:</p>
<blockquote>
<p>A reasonable person visiting a hardware store does not expect that their license plate data will
be automatically captured, timestamped, stored in a national database, and made accessible to
hundreds of law enforcement agencies, including federal immigration enforcement, all while the
operator maintains a policy that omits mandatory disclosure elements and provides no meaningful
restriction on who can access the data.</p>
</blockquote>
<p>It also anticipates the obvious argument from Home Depot / Flock:</p>
<blockquote>
<p>The California Supreme Court has recognized that the relevant question in an intrusion claim is
not whether any single piece of information was publicly observable, but whether the manner, scope,
and aggregation of the intrusion would be offensive to a reasonable person.</p>
</blockquote>
<p>The complaint then lays out why a private corporation collecting data at its 233 locations in the
state, storing that data with its private vendor, and sharing it in real-time with hundreds of
police agencies, without Home Depot telling anyone about it, is offensive to Californians believing
they’re just shopping for a new toilet seat.</p>
<p>The complaint has a point, and I’m excited to see where it goes. The statutory violations alone give
a sense that Home Depot will end up out of pocket on this one, especially after <em>Bartholomew v.
Parking Concepts</em> — the February California Court of Appeal decision that held operating ALPRs
without a compliant policy is itself the harm.</p>
<p>Other private companies should take note. Flock can hammer its claims about “no reasonable
expectation of privacy” and “30+ courts have consistently affirmed that ALPR devices perform lawful
actions” all it wants; courts don’t typically look to marketing materials to find what the law is,
and neither should anyone else.</p>
<h2>The Flock Suits</h2>
<p>Home Depot will be defending itself in the same district where Flock is already in court. And the
Flock side is getting interesting. Plaintiffs’ lawyers in three existing California class action
suits are getting into a consolidation scrap. The firms handling <em>Eldridge</em> and <em>Dutcher</em> don’t like
the <em>Javorsky</em> team’s preservation strategy. The motion to consolidate puts it like this:</p>
<blockquote>
<p>[Javorsky’s] difference [in approach] has already resulted in a prolonged disagreement with Flock
regarding its retention protocols, which has likely resulted in the loss of hundreds of thousands
of data points pertaining to putative class members.</p>
</blockquote>
<p>But the more interesting bit is technical:</p>
<blockquote>
<p>Flock has represented that capturing the broader set (including the ancillary “Identifier” tags)
slows its preservation rate by roughly ten times.</p>
</blockquote>
<p>The filing does not specify what these “‘identifier’ tags” are, but dollars to donuts that we’re
talking about the searchable vectors that power FreeForm, Flock’s natural-language vehicle and
person search tool. I have discussed these before in both the <a href="dunwoody-demo#the-lede-thomas-buried">FreeForm
context</a>, where searches for “Star of David” were performed,
and the <a href="reid">ReId context</a>, where persons can be tracked across devices through soft biometric
data. The math mostly holds there; simple tags stored with the data would be fairly small, plausibly
~200 bytes, so if a vector is ~2kB, that would be about 10x larger and therefore 10x “slower.”</p>
<p>The part that doesn’t make sense in the filing is the preservation rate. It implies that
preservation can’t happen in real-time on the backend. Why not? What prevents Flock from setting up
an additional replica node? Does it not routinely keep replica copies of its data? If it doesn’t,
how does it guarantee data integrity (and thereby both completeness and accuracy)?</p>
<p>I’ve raised these questions before <a href="immutable-redux">in the context of changing log files</a>:</p>
<blockquote>
<p>A distributed explanation is not any better than deleting and adding records in a centralized
database. In fact, it would be a very fundamental, very fatal, flaw for records that are supposed
to be immutable \— like audit records \— to have multiple copies in multiple places without a
single authoritative copy.</p>
<p>Apparently log entries can go missing without Flock’s system throwing an error. If you can’t be
sure that your log is complete, you can’t rely on it to show whatever it is you’re auditing for \—
it may have been deleted.</p>
</blockquote>
<p>If a similar distributed pattern holds for the “identifiers” or vectors — which Flock’s
protestations in this new court filing seem to suggest — it would extend the integrity problem
from the audit logs to the ALPR data itself.</p>
<p>The motion takes Flock’s “10x slower” claim at face value and uses it to triage: preserve the
narrow set that identifies the class, drop the fight over ancillary fields. As a practical call
under time pressure, it makes sense. But Flock’s underlying claim is the part that should not have gone
unchallenged.</p>
<p>In particular, it’s worth considering that “ALPR information” under California law means
“information or data collected through the use of an ALPR system” — not “license plate characters.”
Whatever Flock’s cameras capture and feed into its searchable database is ALPR information, with all
the operator duties that attach. Flock stating that the broader field set slows preservation by 10x
is, in effect, telling the court those fields exist and are part of what the system collects.
They’re covered. The plates are just one column in the table.</p>
<p>The more data collected, the more there is for <em>Bartholomew</em>’s harm analysis to work on, and the more
there is for the privacy torts’ offensiveness analysis to grade as offensive. <em>In re Facebook</em> —
Edelson’s signature win — established that biometric data has value as data. None of that argues for
letting Flock walk away from the broader fields just because its architecture allegedly can’t keep
up.</p>
<p>Even a narrow set — license plates and locations, a few bytes — is apparently more than Flock can
copy or preserve at scale without slowing things down. It implies the live system runs on single
copies without the kind of redundancy that would let it verify its own data — and its distributed
database likely uses computers sitting unattended on the side of the road, intermittently accessible
through spotty mobile connections, storing unencrypted video and images, for the express purpose of
directing traffic stops, conducting searches, and providing evidence.</p>
<p>The disclosure failure has always done double duty for Flock: hide what the system collects, then
escape enforcement when nobody asks. Now Flock wants it to do triple duty: wall off the undisclosed
fields from the lawsuit, too.</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[No Permit, No Problem: California Governor Hopeful Chad Bianco's 500+ Unauthorized Surveillance Cameras]]></title>
            <link>https://footnote4a.org/news/riverside-permits</link>
            <guid isPermaLink="false">https://footnote4a.org/news/riverside-permits</guid>
            <pubDate>Mon, 30 Mar 2026 14:00:00 GMT</pubDate>
            <description><![CDATA[Riverside County issued three encroachment permits for 500+ Flock surveillance cameras to the wrong permittee and based on incomplete applications. Then it let them lapse for over a year. Bianco and Flock continued to operate them.]]></description>
            <content:encoded><![CDATA[<p>Riverside County’s encroachment permit record for its Flock Safety camera deployment is a case study
in what happens when a county rubber-stamps a surveillance system and forgets to do the paperwork.
Or the oversight. Or the legal prerequisites. Or, for 13 months, the permits.</p>
<p>In 2021, the Riverside County Transportation Department issued the first of three encroachment
permits to the Riverside County Sheriff’s Department for the installation of Flock Safety cameras on
county roads. By October 2023, the Board of Supervisors had <a href="https://abc7.com/post/riverside-county-license-plate-reading-cameras-lpr-camera/14004952/">unanimously approved</a> a $6.9
million contract to expand the program to 538 cameras.</p>
<p>Four and a half years later, the <a href="https://archive.vn/uuiy3">Riverside County Sheriff’s Department’s Flock Transparency
Portal</a> shows the sheriff uses 1,718 “<abbr class="md-tooltip" data-tooltip="License Plate Reader">LPR</abbr> <a href="speed-cameras">and other cameras</a>.”</p>
<p>A <abbr class="md-tooltip" data-tooltip="California Public Records Act">CPRA</abbr> request to the Transportation Department produced three permits, a handful of emails, and a
sworn declaration that may be more interesting than the permits themselves.</p>
<h2>The Permits</h2>
<p>Riverside County Ordinance 499 governs encroachments within county highway right-of-way. Any
structure placed in the road right-of-way — including 13-foot surveillance poles with cameras and
solar panels — requires a written permit from the Director of Transportation.</p>
<p>@<a href="https://footnote4a.org/blog/riverside-permits/ordinance-499.pdf" class="collapsible">Riverside County Ordinance 499 (as amended through 499.16)</a></p>
<p>Three such permits were issued:</p>
<h3>ENC21120546 (December 10, 2021 – September 1, 2023)</h3>
<p>Originally authorized two cameras. Expanded through riders to cover 33 named locations and a blanket
permission to add more via individual location notifications (RD Form 136).</p>
<p>@<a href="https://footnote4a.org/blog/riverside-permits/enc21120546-permit.pdf" class="collapsible">ENC21120546 — Original Permit</a></p>
<p>@<a href="https://footnote4a.org/blog/riverside-permits/enc21120546-rider1.pdf" class="collapsible">ENC21120546 — Rider 1</a></p>
<p>@<a href="https://footnote4a.org/blog/riverside-permits/enc21120546-rider2.pdf" class="collapsible">ENC21120546 — Rider 2</a></p>
<h3>ENC23110539 (November 14, 2023 – November 14, 2024)</h3>
<p>An annual blanket permit covering “various county road rights of way.” This permit was explicitly
styled as an extension of the first.</p>
<p>@<a href="https://footnote4a.org/blog/riverside-permits/enc23110539-permit.pdf" class="collapsible">ENC23110539 — Second Blanket Permit</a></p>
<h3>ENC25061408 (December 5, 2025 – December 5, 2026)</h3>
<p>Another annual blanket permit, the current one. It was issued with a single RD Form 136
notification on file — one camera, in Anza — and four total documents in the folder.</p>
<p>@<a href="https://footnote4a.org/blog/riverside-permits/enc25061408-permit.pdf" class="collapsible">ENC25061408 — Current Blanket Permit</a></p>
<h2>No Permit, No Problem</h2>
<p>The second permit expired on November 14, 2024. The third was not issued until December 5, 2025.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></p>
<p>During those 13 months, the cameras did not come down. The $6.9 million contract continued and
Flock’s operations apparently continued without interruption under Riverside County Sheriff and
Republican gubernatorial candidate Chad Bianco’s watch.</p>
<p>Ordinance 499 Section 6 prohibits anyone from “constructing, installing, operating, or maintaining”
any structure in the county right-of-way without a permit. That’s not limited to construction — it
covers the cameras just sitting there running.</p>
<p>The permits themselves reinforce this. The authorized work is not just installation — each permit
grants permission to “install, operate and maintain” the cameras. Each is “to be strictly construed
and no work other than that specifically mentioned above authorized hereby.”</p>
<p>When the permit expires, so does the authorization to operate and maintain. The first permit’s void
date was extended twice via riders — acts that only make sense if the date is an operative
constraint. And in December 2025, the county issued a replacement permit with identical scope and
authorization language. If the prior permit was still valid, the replacement was redundant.</p>
<p>The second permit’s own conditions made the obligation explicit. Condition M12 on ENC23110539
states: “Upon expiration of this permit, the permittee shall remove the temporary poles and
cable.”<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> The current permit repeats this language and adds: “It is the Permittees
responsibility to maintain a valid permit.” The permittee did neither.</p>
<p>Nothing was removed. No extension was obtained. No replacement was issued for thirteen months.</p>
<p>The <abbr class="md-tooltip" data-tooltip="California Public Records Act">CPRA</abbr> request covered all encroachment permits issued between January 2020 and March
2026. The county produced exactly three. The county certified under oath that no other
encroachment permit, extension, or authorization exists.</p>
<h2>No Application, No Problem</h2>
<p>The county requires each permit application to be “in the name of the person, agency, entity, or
authorized agent owning the encroachment and controlling the construction of the work.” It adds that
the county “would require documentation of the Utility Owner’s authorization of a third party
seeking a Permit on behalf of the Utility Owner.”</p>
<p>The applications list “Flock Safety” as applicant and owner — correctly, since Flock owns and
installs the cameras. Three different Flock employees signed applications over the life of the
program: Danny Campos, Will Warren, and Derek Porcella.</p>
<p>But the permits were not issued to Flock. They were issued to “Riverside County Sheriff Department
C/O FLOCK SAFETY.” The Sheriff’s Department is the permittee on all three permits — holding
the obligations, the liability, the strict construction clause — despite never having applied for
them. There is no application from the Sheriff’s Department on file. No one at the Sheriff’s
Department signed anything.</p>
<p>Flock applied. The Sheriff’s Department got the permits. And no authorization exists connecting the
two. The county certified under oath that there are no letters of agency, powers of attorney, or
similar documents from Flock authorizing the Sheriff’s Department — or anyone — to hold
encroachment permits on Flock’s behalf. Nor are there any documents from the Sheriff’s Department
authorizing Flock to apply on its behalf.</p>
<p>The county seemingly decided on its own that a permit applied for by “Applicant/Owner: Flock Safety”
should be issued to the Sheriff’s Department. And Flock apparently decided that it could treat that
permit as its own and forge ahead with installation.</p>
<p>And this didn’t happen once. The third permit application was byte-for-byte identical to the second
one. The exact same PDF was filed under both permit numbers. Same date (November 7, 2023), same agent
(Derek Porcella), same Flock Safety mailing address in Atlanta, same description of work, same
signature.</p>
<p>And the same outcome: the new permit was also issued to the Sheriff’s Department, not the applicant.</p>
<p>@<a href="https://footnote4a.org/blog/riverside-permits/enc23110539-application.pdf" class="collapsible">Permit Application — ENC23110539 / ENC25061408 (dated 11/7/2023)</a></p>
<h2>No Authority, No Problem</h2>
<p>This is the part that likely matters most, legally.</p>
<p>Riverside County Ordinance 499 Section 6 states that permits “will be issued for only Utility
purposes” on county highways. The ordinance defines “Utility” as water, sewer, irrigation, gas,
petroleum, cable TV, electric, and communications facilities. Surveillance cameras are none of these.</p>
<p>For non-utility encroachments, the Director of Transportation may issue a permit if satisfied of
three things: (1) the use is in the public interest, (2) there will be no substantial injury to the
county highway or impairment of its use, and (3) the use is reasonably necessary for the functions
of the applicant.</p>
<p>Flock’s cameras are commercial surveillance products owned and operated by a private company. The
Sheriff’s Department has a software service contract to access Flock’s data — both inside and outside
Riverside County.</p>
<p>The Director’s finding that these cameras satisfy the three-prong test in Section 6 would be the
legal prerequisite for every permit in the chain. Without it, the Director had no authority to issue
any of them.</p>
<p>No such finding accompanied any permit application.</p>
<p>Whether such a finding could survive scrutiny is a separate question. Is a private company’s
occupation of public right-of-way to operate a for-profit surveillance network “in the public
interest”? Is it “reasonably necessary” for Flock’s functions that its cameras sit on county roads
rather than, say, private property with the owner’s consent?</p>
<h2>No Locations, No Problem</h2>
<p>Riverside County has contracted for over 500 Flock cameras. Not all of those are on county roads.
Some are on city streets, some on Caltrans state highway right-of-way, some on private property. The
permit documents include handwritten annotations identifying specific cameras as “NON COUNTY/city,”
“CALTRANS,” and “City St/Grand Terrace.”</p>
<p>Someone at the Transportation Department reviewed the camera deployment list, saw cameras on roads
the county doesn’t control, and marked them accordingly. But no formal record of that analysis was
ever created.</p>
<p>I asked for any records reflecting which of the 500+ cameras are within county highway right-of-way,
or any determination that specific cameras did not require a permit. Again, the county certifies
that no such records exist.</p>
<p>When the county’s records custodian was asked about the gap between 500+ contracted cameras and the
roughly 80 installations documented in the permits, the only response was informal and vague: “some
locations may not have been permitted as they could be private or non county maintained roads.”</p>
<p>That’s it. No spreadsheet, no memo, no analysis. The county issued blanket permits for “various
county roads” — possibly subject to the typical Flock “deployment plan” — but never really
determined which roads it was talking about.</p>
<h2>No Traffic Plans, No Problem</h2>
<p>Every encroachment permit in the production requires a traffic control plan under Condition C05 — a
safety document showing how workers and traffic will be protected when someone is installing
equipment in a roadway. The current permit, ENC25061408, goes further and requires the <abbr class="md-tooltip" data-tooltip="Traffic Control Plan">TCP</abbr> to be
signed by a Professional Engineer.</p>
<p>The county produced one set of traffic control plans: for the Spencer’s Crossing project, eight
cameras, prepared in February 2023 under the first permit.</p>
<p>No other traffic control plans exist.</p>
<p>That’s a 98% noncompliance rate.</p>
<h2>No Fees, No Problem</h2>
<p>Section 15 of the ordinance requires that permit fees be paid “at or after the time application is
filed, but in any event before the Permit is issued.” The fee fields on every application in the
entire production — all three permits, every application, every rider — are blank.</p>
<p>Section 16 exempts public agencies from permit processing fees if they have “lawful authority” to
use the right-of-way for the permitted purpose.</p>
<p>Flock applied in its own name. But the permits were issued to the Sheriff’s Department — a
public agency — triggering the fee exemption. A private surveillance company applied, a public
agency was listed as permittee, no fees were charged, and no one documented why.</p>
<h2>No Records, No Problem</h2>
<p>None of the above rests on inference or supposition. Each point traces back to a single document: a
Declaration of Custodian of Records executed March 23, 2026, signed under penalty of perjury by the
county’s records custodian.</p>
<p>The Declaration addresses each follow-up item individually and certifies that the county has no
responsive records. This is not a case where documents might exist but were missed. This is the
county’s official position, under oath, that these records do not exist.</p>
<p>This is not some isolated paperwork hiccup in Riverside County from a well-meaning county official
unable to find records that really exist. <a href="dot-permits">Across the country</a>, Flock cameras go up on
public roads under permits that <a href="dot-permits-pt2">no one reviews</a>, with safety standards no one
enforces, issued to applicants that no one verifies. Flock routinely operates cameras with expired
permits or <a href="colorado-oversight">without an active contract</a>. Riverside County is one of many.</p>
<p>@<a href="https://footnote4a.org/blog/riverside-permits/declaration-of-custodian-2026-03-23.pdf">Declaration of Custodian of Records — March 23, 2026</a></p>
<h2>The Law in “Law &amp; Order”</h2>
<p>Riverside County’s surveillance camera program operated for over four years under three encroachment
permits issued to an agency that never applied for them, based on applications from a company that
never received them, without the legally required public interest determination, without traffic
control plans for the vast majority of installations, without fees, and — for 13 months — without
a permit at all.</p>
<p>Each of these permits was issued to the Riverside County Sheriff’s Department. Flock — the
owner/operator listed on the permit applications — never received a permit but still installed and
continues to operate hundreds of surveillance cameras without a valid permit.</p>
<p>The $6.9 million contract belongs to Sheriff Chad Bianco’s office. The entire Flock deployment —
from the <a href="https://myvalleynews.com/blog/2021/03/04/riverside-county-sheriff-department-introduces-automated-license-plate-reader-program/">first two cameras in 2021</a> to the 1,718 “LPRs and other cameras” now
in Flock’s system under the sheriff’s name — occurred during his tenure.</p>
<p>Ordinance 499 Section 18 provides that any person who operates without a required permit, or who
violates permit conditions in a way that jeopardizes person or property, is guilty of a misdemeanor
punishable by fine, imprisonment, or both.</p>
<p>The wrong permittee is not a technicality. A 13-month gap is not a technicality. Not paying the fees
is not a technicality. These are all separate material flaws resulting in unpermitted occupation of
public right-of-way by a corporation, based on a permit issued to a sheriff tasked with enforcing
the county ordinance that makes it a crime.</p>
<h2>The Order in “Law &amp; Order”</h2>
<p>The county does not know, from its own records, which cameras needed permits. It has no mechanism to
determine which cameras are on county roads, which are on state highways, and which are on someone
else’s property.</p>
<p>The Director of Transportation issued permits to the Sheriff, who had never applied for any, without
the required public interest finding, and without traffic control plans for all but one
installation. When the second permit expired, no one acted. When a replacement was finally applied
for thirteen months later it was with the same application — literally the same file — Flock had
used for the prior permit. The new permit was also issued to the Sheriff.</p>
<p>That permit process was handled by a Permitting Manager at Flock with over a decade of experience in
right-of-way permitting. None of these issues were discovered when processing the permits or through
any audit or investigation in three years. Neither Flock’s permit expert, the Sheriff’s Department,
nor the Transportation Department raised a flag.</p>
<p>That process — namedrop Chad Bianco, skip the fees, ignore the regulations — is the law and order he
now offers California.</p>
<div class="text-sm mt-8 border-t p-2 text-secondary">
Update Mar 30, 2026: Riverside County was asked to comment, but did not provide a response.<br>
Update Mar 31, 2026: Updated title to reflect Bianco's position.<br>
</div>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>There was also a smaller, ~2.5 month, gap between the first and second permits. That
could arguably still fall under the category of “minor administrative hiccup.” <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>M12 refers to “temporary poles and cable.” Whether that applies to Flock’s permanent
camera poles or only to construction-related temporary equipment is arguable. The first permit
(ENC21120546) used different language — removal “upon the request of the <abbr class="md-tooltip" data-tooltip="Riverside County Transportation Department">RCTD</abbr>” — which is
discretionary. But ENC23110539 changed the trigger to “upon expiration,” making it automatic.
Even if M12 does not apply to Flock’s poles, both the permits’ own scope of work (“install,
operate and maintain”) and Section 6 of Ordinance 499 independently prohibit operating or
maintaining any structure in the right-of-way without a valid permit. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[File, Dismiss, Sue, Repeat: The Case for Dismantling Iowa's Public Information Board]]></title>
            <link>https://footnote4a.org/news/file-dismiss-sue-repeat</link>
            <guid isPermaLink="false">https://footnote4a.org/news/file-dismiss-sue-repeat</guid>
            <pubDate>Wed, 18 Mar 2026 14:00:00 GMT</pubDate>
            <description><![CDATA[The Iowa Public Information Board was created to resolve disputes and enforce transparency. In nearly 14 years, it hasn't.]]></description>
            <content:encoded><![CDATA[<p>In thirteen years of operation, the Iowa Public Information Board has built a legacy comprising a
single $1,000 fine and one declaratory order. It has not prosecuted a complaint since 2017. In 2025,
it dismissed more than 90% of complaints without a meaningful investigation.</p>
<p>The Iowa Legislature created IPIB in 2012 to give Iowans “an efficient, informal, and cost-effective
process for resolving disputes” about open records and open meetings laws — without resorting to
litigation. Nine governor-appointed members were meant to mediate and, where necessary, adjudicate
complaints about governments withholding public records or holding secret meetings. For this
purpose, the board was authorized to act as a prosecutor on the public’s behalf.</p>
<p>That is not what the board does, or what it has ever done. IPIB keeps complaints away from courts —
not to adjudicate them, but as a black hole that attracts complaints and prevents them ever escaping
to meaningful review. The board should be dismantled and Chapter 23 repealed.</p>
<h2>The Legislature’s Double-Tap</h2>
<div class="chart-placeholder" data-chart="ipib-complaints"></div>
<p>It is immediately evident from the chart above<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> that since 2018 the number of cases IPIB has
received has remained more or less stable, but if you have attended any of the board’s meetings, you
probably heard complaints about increasing workloads.</p>
<p>The workload statement is true to an extent, but the increased workload does not stem from
complaints. In part, it stems from a law enacted in July, 2025
(<a href="https://www.legis.iowa.gov/legislation/BillBook?ga=91&amp;ba=hf706">HF 706</a>), which
“<a href="https://ipib.iowa.gov/trainings/25ao0008-training-requirements-newly-elected-and-appointed-officials">created a requirement that all newly elected and appointed officials of a government body attend training on Iowa’s Sunshine laws</a>”.</p>
<p>Iowa has 99 counties and close to 1,000 incorporated cities, in addition to myriad state and other
agencies. That’s a lot of “elected and appointed officials” who will require training.</p>
<p>IPIB is not required to actually deliver the trainings to officials, but it is required to ensure
that one approved course is available at no cost. Unfortunately for everyone involved, IPIB pays its
staff attorneys in Des Moines the same rate Iowa DOT pays its Highway Technicians (a position that
requires a GED and a CDL permit rather than a JD) in rural Washington County.</p>
<p>When any third party would need to charge more, IPIB staff providing the trainings is the only
fiscally responsible choice.</p>
<p><img src="https://footnote4a.org/blog/file-dismiss-sue-repeat-the-case/ipib-timeline.webp" alt="IPIB salary comparison"></p>
<p><em>IPIB’s (hourly) Administrative Assistant 2 retired in 2024, taking home $68,494.34 that year.</em></p>
<p>In a
<a href="https://www.legis.iowa.gov/docs/publications/SD/1522113.pdf">February 2025 budget presentation</a>,
then-director Eckley listed “Turnover” as a “challenge,” noting that “Only 1 out of 3 staff has
tenure over 1 year.”</p>
<p>That presentation was published in between the board getting
<a href="https://iowacapitaldispatch.com/2024/07/18/iowa-public-information-board-sued-over-alleged-open-meetings-violation/">sued for violating open meetings law when Eckley gave herself a 6% raise</a>,
and before Eckley resigned and
<a href="https://web.archive.org/web/20250702074043/https://www.thegazette.com/state-government/iowa-public-information-board-maps-out-open-record-training-votes-on-executive-director/">the board offered her replacement, Charlotte Miller, the pre-raise salary</a>.</p>
<p>In this context, it would be hard to fault IPIB’s attorney for considering
“<a href="https://ipib.iowa.gov/events/ipib-lunch-and-learn-training-newly-elected-and-appointed-officials-march-18-2026">Lunch and Learn</a>”
sessions as more of a networking opportunity than a job responsibility.</p>
<p>By passing HF 706 the legislature ensured IPIB remains ineffective, even if it ever decided to
change course. It redirected citizen complaint resolution time to government official training. The
board teaches a law it has no time to enforce.</p>
<p><a href="https://www.legis.iowa.gov/publications/fiscal/resources?bid=BU-85-1-963">IPIB’s budget has not meaningfully changed between 2018 and 2025</a>,
but for FY2026 it estimates
<a href="https://drive.usercontent.google.com/download?id=11_B-QvwP3fZGbdMz-h8SAOne8FIoF2WW&amp;authuser=0&amp;acrobatPromotionSource=gdrive_chrome-list">a sudden $91,259 (24%) increase</a>,
with most of that increase allocated “for hiring of contractor to implement mandatory training per
approp language and/or to help with backlog”, confirming that training and complaint-handling time
are competing for the same funds.</p>
<p>According to the <a href="https://ipib.iowa.gov/media/235/download?inline">figures presented</a> at the
February board meeting, that backlog is growing fast: between November 2025 and January 2026, 95
cases were opened while only 55 cases were closed. The figures only reflect those two states:
“opened” and “closed.” The director omitting case disposition in the presentation to the board
suggests her focus is purely quantitative, not qualitative.</p>
<p>At that same meeting, <a href="https://www.youtube.com/watch?v=p_NM1YVSWLs#t=1h11m10s">staff said</a>, “we’re
no longer drowning as much … we’re treading water” and suggested potential efficiency improvements
by pointing out “we’re doing all our own copy editing.” Institutional pressure to reduce backlogs
may explain why quality of the work-product isn’t a priority, but professional responsibility still
attaches to the individual licensed attorneys drafting deficient orders.</p>
<p>With IPIB’s entire budget swallowed by its personnel costs only to leave them treading water, there
is neither time nor money for IPIB to actually do its job of prosecuting violations.</p>
<p>If the board gives its staff nothing to do but take the government on Lunch &amp; Learn dates, can we
really expect fair outcomes? The answer is in the chart above: the number of complaints that are
actually investigated and handled is low. Very low.</p>
<h2>Complaints and Procedural Smokescreens</h2>
<p>The process IPIB must follow is outlined in Iowa Code Chapter 23. It is relatively straightforward
and probably what you would expect from a process like this.</p>
<p><img src="https://footnote4a.org/blog/file-dismiss-sue-repeat-the-case/ipib-complaint-form.webp" alt="IPIB complaint process"></p>
<p>The screening stage is intended to act as a filter for obviously deficient complaints. IPIB’s inbox
may be filled with complaints from people
<a href="https://www.youtube.com/watch?v=Ng_-HgRfGBY">caring loudly</a> about issues well outside its purview.
Initial screening is a necessary escape-hatch to allow staff to recommend directly discarding such
complaints.</p>
<p>After that initial review, “informal assistance” should be IPIB’s bread and butter. The board’s
<em>raison d’être</em> is to be an informal alternative to slow, costly litigation. Informal resolution is
step one after the initial review.<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup></p>
<p>After informal assistance,
<a href="https://www.legis.iowa.gov/docs/iac/rule/02-05-2025.497.2.2.pdf">if the complaint is not resolved</a>,
staff investigate the complaint to determine if there is probable cause to believe a violation has
occurred. During this process, IPIB can issue and enforce subpoenas to obtain necessary evidence; it
can also hear witnesses.</p>
<p>This isn’t a <em>full</em> investigation, but an investigation of probable cause. If a complainant says a
document was not produced, this would be the step in the process where IPIB might obtain a copy of
an email from the city showing that the record <em>was</em> produced.</p>
<p>Finally, if probable cause is found, the case proceeds to a contested case, and IPIB is to engage in
fact-finding and analysis of law. A contested case requires gathering evidence, hearing witnesses,
and analyzing legal frameworks.</p>
<p>All of that is what the law requires. The diagram below illustrates what actually happens.</p>
<p><img src="https://footnote4a.org/blog/file-dismiss-sue-repeat-the-case/ipib-dismissal.webp" alt="Actual IPIB complaint handling"></p>
<p>IPIB changed its primary process in November 2024. The new process is described in
<a href="https://ipib.iowa.gov/media/168/download?inline">its 2024 annual report</a> as a “new process [that]
better aligns with the requirements outlined in Iowa Code chapter 23.” In other words, the process
it used before was “less aligned”, or, in regular English: non-compliant.</p>
<p>That non-compliance was the basis for two separate district courts reversing IPIB complaints a day
apart — November 29, 2024, was a remand in <em>van Pelt v. IPIB</em>, and <em>Swarm v. IPIB</em> remanded on
November 30, 2024. In both cases, the district court agreed the dismissal was improper, reversed
IPIB’s dismissal, and remanded the complaint to IPIB for processing.</p>
<p>In <em>Swarm</em>, IPIB accepted the complaint and almost immediately dismissed it again — this time, “as
an exercise of administrative discretion.” Swarm petitioned for review of the new dismissal order
and the case is currently pending in Henry County. For <em>van Pelt</em>, IPIB appealed and lost at the
Iowa Court of Appeals. It has not yet accepted the complaint.</p>
<div class="chart-placeholder" data-chart="ipib-complaints-pct"></div>
<p>In 2023, before IPIB’s “more aligned” process, it dismissed 69% of complaints at initial screening.
In 2025, after the “alignment,” that number became 47%, but 42% were dismissed for lack of probable
cause immediately after screening, but still before investigation, and 2% were dismissed for
administrative discretion.</p>
<p>Even without additional context the numbers would be a red flag—the board is telling the public that
90% of their complaints are unfounded or not even worth looking at.</p>
<p>Reviewing a small sampling of
<a href="https://ipib.iowa.gov/rulings/formal-complaints?title=dismissal&amp;year=All&amp;instance_overrides_key=Q8AswticdpAWZXzgKEv4UeJauYsSb5SW4CqQhU8jQBM&amp;page=4">“insufficient” complaints</a>
confirms that they were not being reviewed for sufficiency at all.</p>
<p>Take, for example,
<a href="https://ipib.iowa.gov/23fc0026-sydney-crnkovichcarroll-county-sheriffs-office-dismissal-order">23FC:0026</a>.
Here, the complainant “alleged that she requested a copy of a 911 call concerning the report of a
deceased body. She alleged that the CCSO denied the request.” This alone already constitutes a valid
complaint: a record was requested, it was withheld. Was it lawfully withheld? Maybe, maybe not. That
requires an investigation.</p>
<p>However, rather than investigate, IPIB immediately dismisses the complaint for lack of sufficiency
because “it is difficult to see a public interest that is met by releasing the 911 phone call under
what would be a traumatic situation for all individuals involved.”</p>
<p>Following its determination of trauma, IPIB then decides that the “value of confidentiality” is
greater than the public interest. IPIB does not specify what that value is, or what public interests
it outweighs. It applied a balancing test to a factual record consisting of a single sentence about
the incident: “the 911 call involves an incident in which the caller found a dead body”.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></p>
<p>IPIB never looked at whether the complaint was legally sufficient <em>on its face</em>. It instead applied
the Iowa Supreme Court’s <em>Hawk Eye</em> balancing test,<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup> which weighs confidentiality interests
against public interest in disclosure. Like most balancing tests, it can only be applied when a
developed factual record is available. IPIB applied it at screening, to a single, unverified
sentence.</p>
<p>In late 2024 and throughout 2025, after the introduction of the “more aligned” process, these types
of dismissals are partly supplanted by “dismissed, no probable cause.” This sounds like an
improvement, but on closer inspection it becomes clear that it is a procedural smokescreen and a
mislabeling of what actually occurs.</p>
<p>Take, for example, complaint
<a href="https://ipib.iowa.gov/25fc0046-linda-reardongladbrook-reinbeck-community-school-district-investigative-report-and-probable">25FC:0046</a>.
This complaint survived initial screening and was accepted by the board. The next step is informal
assistance, but no informal assistance was given, and no informal resolution was ever proposed or
rejected.</p>
<p>IPIB proceeded anyway. Rather than examine “books, papers, records, electronic records and other
real evidence”, or talk to any witnesses, IPIB simply summarized the original complaint and the
school district’s response and slapped an “investigative report” label on it. It closed its eyes and
saw no probable cause.</p>
<p>The new “more aligned” process fails to see that the most significant alignment issue was never
procedural labeling, but a complete lack of informal assistance — the reason for IPIB’s existence.
Neither the old “dismiss for insufficiency” process, nor the new “dismiss for lack of probable
cause” process includes that critical step.</p>
<p>Finally,
<a href="https://ipib.iowa.gov/25fc0042-jeffrey-halteriowa-central-community-college-investigative-report-and-probable-cause-order">25FC:0042</a>
illustrates what happens when a board takes discretion beyond what the law provides. It is a
clearcut case where a college (ICCC) admits that “its Board agendas were posted online without a
physical posting”. That violates Iowa’s open meetings law. However, because “ICCC has unilaterally
taken measures to ensure all future agendas are physically posted”, IPIB still dismissed the
complaint “as an exercise in administrative discretion”.<sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup></p>
<p>Iowa Code Chapter 23 does not provide for administrative discretion. It authorizes IPIB to dismiss a
complaint for lack of jurisdiction, find no probable cause after investigation, or proceed to a
contested case upon finding probable cause. Dismissing an already-admitted violation appears nowhere
in the statute. IPIB relies on its Rule 497-2.2(4)©, which it was never authorized to write.<sup class="footnote-ref"><a href="#footnote6">[6]</a><a class="footnote-anchor" id="footnote-ref6"></a></sup></p>
<p>What Chapter 23 does provide for is informal assistance, which would have consisted of IPIB
discussing the proposed—and already implemented—resolution with the complainant. It might have tried
to convince the complainant that there wasn’t much more that could be gained from the complaint.
Instead, IPIB decided it was done and dismissed the case.</p>
<p>Rather than provide informal assistance, which is the reason the board exists, an increasing
majority of IPIB’s decisions fall within those three categories of dismissal.</p>
<h2>IPIB at the Court of Appeals</h2>
<p>In its appellate brief in <em>van Pelt v. IPIB</em>, the board rejected its job out loud:</p>
<blockquote>
<p>Van Pelt wistfully opines that IPIB’s failure to conduct a formal investigation of his complaint
rendered unavailable discovery methods that would have otherwise been accessible to him had he
directly filed an enforcement petition in the district court against WDM under Iowa Code section
22.10. Yet, “Iowa Code section 23.5 offers a choice to persons seeking to enforce the open records
law.”Van Pelt voluntarily chose to file a complaint with IPIB against WDM in lieu of directly
pursuing judicial enforcement of his records request in the district <a href="http://court.By">court.By</a> electing this
particular remedy, van Pelt subjected himself and his complaint to the framework IPIB implemented
through its administrative rules to review and adjudicate public records complaints.</p>
</blockquote>
<p>IPIB shamelessly used the word “wistfully” to describe a valid legal argument about its flawed
case-handling resulting in a loss of statutory rights. That word choice tells you everything about
how the board views the people it was created to serve: not as parties with enforceable rights, but
as nuisances who should have known better.</p>
<p>That same contempt surfaced when IPIB asked the District Court to stay its order:</p>
<blockquote>
<p>. . . any perceived delay in processing van Pelt’s complaint would not constitute a violation of
any applicable statutory or administrative requirement as neither Iowa Code chapter 23 nor IPIB’s
administrative rules place any deadlines upon the Board’s complaint intake and investigative
functions.</p>
</blockquote>
<p>In so many words: “even if you make us look at the complaint, we’ll take as long as we want, and
there’s nothing you can do about it.” Never mind that IPIB’s own rules require it to “promptly work
with the parties” toward an “expeditious resolution.” Following the rules it wrote does not appear
to be IPIB’s strong point.</p>
<p>The <em>van Pelt v. IPIB</em> case began life as
<a href="https://ipib.iowa.gov/23fc0104-henrik-van-peltcity-west-des-moines-dismissal-order">IPIB complaint 23FC:0104</a>.
The short version<sup class="footnote-ref"><a href="#footnote7">[7]</a><a class="footnote-anchor" id="footnote-ref7"></a></sup> is that the complainant — me — had requested a “deployment plan” for a
company’s surveillance cameras from the City of West Des Moines. That plan was incorporated by
reference into its contract with its vendor. West Des Moines responded “we didn’t download it from
the vendor website” and IPIB dismissed the complaint without further investigation.</p>
<p>I filed a case for judicial review, originally as a direct challenge to IPIB’s procedural misstep.
The trial attorney chose to go in a different, needlessly complex direction.<sup class="footnote-ref"><a href="#footnote8">[8]</a><a class="footnote-anchor" id="footnote-ref8"></a></sup> Nevertheless, the
District Court found that IPIB had not done its job and sent the complaint back to IPIB for
processing.</p>
<p>IPIB chose to appeal and lost on the grounds that the complaint was legally sufficient. But even
with an appellate opinion on the books, the board refuses to entertain even the possibility that its
process or its interpretation of law may be flawed.</p>
<p>The
<a href="https://www.iowacourts.gov/iowa-courts/court-of-appeals/court-of-appeals-court-opinions/case/24-2039">Iowa Court of Appeals opinion</a>
explained that when a government body’s contract expressly incorporates a document, that document
“belongs to” the government body under Iowa Code § 22.1(3)(a) — even if the body never retained a
physical copy.</p>
<p>The Court also held that the City, as a party to the contract “always has a right to” the entire
contract — including what is incorporated into that contract — and that under binding precedent,<sup class="footnote-ref"><a href="#footnote9">[9]</a><a class="footnote-anchor" id="footnote-ref9"></a></sup>
the City had a duty to produce it from readily available sources.</p>
<p>The opinion then closed two common defenses: first, a claim that a vendor “owns” the document.<sup class="footnote-ref"><a href="#footnote10">[10]</a><a class="footnote-anchor" id="footnote-ref10"></a></sup>
This defense fails where the government body has contractual approval rights and ongoing
obligations. Second, the claim of “I don’t have it.”<sup class="footnote-ref"><a href="#footnote11">[11]</a><a class="footnote-anchor" id="footnote-ref11"></a></sup> This defense does not work when an ongoing
contractual relationship gives the body ready access.</p>
<p>But perhaps most significantly for future IPIB complaints: the court defined the review standard for
IPIB’s initial screening. It describes it as equivalent to a motion-to-dismiss standard where all
facts are taken as true and the only question is whether the complaint is <em>legally plausible</em> on its
face — meaning “does this complaint allege anything that <em>could be</em> a violation?”</p>
<p>As long as the complaint alleges that a government body withheld a record or did not provide notice
for a meeting, the answer is almost always “yes.” IPIB cannot resolve legal or factual disputes at
the threshold stage and must investigate complaints that clear that bar.</p>
<p>At least that’s what the court says.</p>
<h2>Business as Usual</h2>
<p>In a meeting on March 12, 2026,<sup class="footnote-ref"><a href="#footnote12">[12]</a><a class="footnote-anchor" id="footnote-ref12"></a></sup> deciding on whether to seek further review by the Iowa Supreme
Court, IPIB’s AG-supplied attorney and its board members brushed the decision off as though it
contained nothing of substance, commenting
“<a href="https://www.youtube.com/watch?v=OVdHwjjwz-0#t=9m53s">this is not like we’re going to set precedent — it’s [not] going to change the way we do business.</a>”</p>
<p>To find out what “the way we do business” is, you only have to look at the February 2026 meeting
agenda. Nine cases were dismissed via the consent agenda. Some appear appropriate, like dismissals
for abandonment or lack of jurisdiction, but others, like
<a href="https://ipib.iowa.gov/25fc0184-charles-nocera-v-iowa-department-administrative-services-dismissal-order">25FC:0184</a>,
make determinations of fact and law at initial review (“Because there are no records responsive to
the complainant’s request, the Department did not violate Chapter 22 when it closed the request.”)</p>
<p>Most insidiously,
<a href="https://ipib.iowa.gov/26fc0044-rachelle-santora-v-des-moines-county-sheriffs-office-dismissal-order">one complaint</a>
was dismissed via the consent agenda through an order drafted by executive director Miller because
“complainant does not argue” a specific enough violation of Chapter 22. The complaint itself wasn’t
deficient, but the complainant didn’t do IPIB’s job making its legal argument for it.<sup class="footnote-ref"><a href="#footnote13">[13]</a><a class="footnote-anchor" id="footnote-ref13"></a></sup></p>
<p>At that same February meeting, board member Luke Martz commented to a complainant:</p>
<blockquote>
<p><em>you’re not the first person who’s come to this board frustrated with what we expect our public
officials to keep as records that they don’t… you’re not alone.</em></p>
</blockquote>
<p>He then voted to dismiss
<a href="https://ipib.iowa.gov/25fc0205-john-johnson-v-hancock-county-investigative-report-and-probable-cause-order">the complaint</a>
for lack of probable cause. IPIB had not held an evidentiary hearing, or engaged in any real
fact-finding. It did not subpoena the records to definitively answer whether they exist. The lack of
probable cause was wholly based on a passively-voiced “[no] evidence was presented to IPIB that
indicated the county was not honest about the existence of the records.”</p>
<p>The remanded <em>van Pelt</em> complaint may be on the agenda for the board’s March 19 meeting; as of March
17, IPIB has not yet confirmed the meeting date or posted the agenda on its website.</p>
<hr>
<h2>The Board’s Legacy</h2>
<p>Of all the complaints IPIB has received since its founding in 2012, it lists only four as
<a href="https://ipib.iowa.gov/rulings/contested-cases">contested cases on its website</a>. One resulted in a
$1,000 fine, one was settled, one was dismissed, and one was appealed all the way to the Iowa
Supreme Court. None of them resulted from complaints dated 2018 or later.</p>
<p>The contested case that reached the Iowa Supreme Court ultimately returned to IPIB’s complaint sink,
never to be seen again. In <em>Ripperger v. IPIB</em>,<sup class="footnote-ref"><a href="#footnote14">[14]</a><a class="footnote-anchor" id="footnote-ref14"></a></sup> the board found that the Polk County Assessor
violated chapter 22. The Supreme Court reversed in part and remanded for IPIB to resolve whether the
property owners who requested removal qualified as “persons outside of government” — a factual
question the board was specifically instructed to answer. No published order on remand appears to
exist. The case entered IPIB’s complaint process and, like the rest, simply stopped.</p>
<p>In addition to handling complaints, IPIB is also authorized to issue “declaratory orders with the
force of law determining the applicability of chapter 21 or 22 to specified fact situations”. This
allows IPIB to, for example, declare that posting a meeting notice only on a city’s TikTok-account
is not sufficient notice, even if nobody has complained about that yet.</p>
<p>IPIB has issued a declaratory order <a href="https://ipib.iowa.gov/rulings/declaratory-orders">only once</a>,
back in 2013. It has, however, produced a number of informal advisory opinions, which are similar to
declaratory orders in many ways, but are non-binding informal advice.</p>
<p>In thirteen years, IPIB’s entire record is a single $1,000 fine and one formal opinion. Even worse,
IPIB completely neglects the most powerful tool the legislature gave it: the subpoena.<sup class="footnote-ref"><a href="#footnote15">[15]</a><a class="footnote-anchor" id="footnote-ref15"></a></sup></p>
<p>That’s not a result of underfunding, staff training, or resource limitations. That’s an institution
that isn’t even trying. Even when IPIB itself determines there is probable cause that a violation
occurred, it does not act. Even when a court tells it to handle a complaint, it would rather appeal
and spend years in litigation than do its job.</p>
<p>IPIB in its entirety is perfunctory. Its board members and staff would rather “align” procedures in
ways that present the appearance of efficiency rather than address the substance of its work—or the
lack thereof.</p>
<p>The agency serves only one purpose, and it’s for the state, not the people: to serve as a
complaint-sink for Iowans who believe that access to government is a right, not a privilege to be
granted at the government’s discretion.</p>
<h2>Connecticut Makes it Work</h2>
<p>Connecticut — which has 3.7M residents compared to Iowa’s 3.2M — has had a very similar board since
1975: the Freedom of Information Commission (FOIC). The FOIC has been able to use the same tools
IPIB has to mediate two-thirds of its complaints, hold evidentiary hearings, and produce numerous
declaratory orders and contested cases each year.</p>
<p>In 2024, the FOIC
<a href="https://ctnewsjunkie.com/2025/02/19/connecticut-marks-50-years-of-foi-amid-debates-on-transparency-and-privacy/">handled 855 complaints</a>,
compared to IPIB’s 134.<sup class="footnote-ref"><a href="#footnote16">[16]</a><a class="footnote-anchor" id="footnote-ref16"></a></sup> Those numbers predate IPIB’s 2025 training mandate. That’s important,
because Connecticut abolished county governments and currently has only 169 municipal governments —
a fraction of Iowa’s.</p>
<p>With similar populations, you might expect more complaints in Iowa. More government bodies could
violate the law, and smaller cities and counties might not have dedicated legal staff, or even
full-time staff. The exact opposite is true.</p>
<p>Either Connecticut’s agencies are a lot worse at open records compliance than Iowa’s, Iowans have
less interest in local government, or — most likely — Nutmeggers have more faith in FOIC than Iowans
have in IPIB. For good reason.</p>
<p>FOIC has <a href="https://portal.ct.gov/foi/common-elements/top-menu/about-us">eight staff attorneys</a> versus
IPIB’s two. Each FOIC attorney handled 107 cases, compared to IPIB’s 67, assuming IPIB’s director
does not handle complaints. (45 if she does).
<a href="https://portal.ct.gov/foi/decisions/final-decisions-2024/final-decisions-2024">FOIC’s 2024 orders</a>
aren’t a list of procedural and discretionary dismissals either; in fact, contested case hearings
are so common in Connecticut that they’re published via
<a href="https://portal.ct.gov/foi/agenda-and-minutes/casehearings2026/contested-case-hearing-2026">weekly agendas</a>.
Iowa has not seen one since 2017.</p>
<p>Colleen Murphy joined FOIC in 1990. She became its executive director in 2005. She retired in
February of 2026. Connecticut retains staff and builds deep institutional knowledge while IPIB
greases the gears of its revolving door.</p>
<h2>IPIB’s Future</h2>
<p>IPIB could have been Connecticut. The concept was sound. The incentive structure that has been in
place for years has undone the concept and replaced it with an executive bureaucracy wholly divorced
from the institution’s original purpose.</p>
<p>For years, IPIB’s budget was flat. The recent bump was accompanied by more work. Its staff turns
over faster than it can develop institutional knowledge. Its board members are appointees with no
particular accountability to the public it supposedly serves. And the legislature, which created
IPIB as a cheap alternative to litigation, has just handed it a training mandate to fully crowd out
the complaint work it already wasn’t doing.</p>
<p>IPIB can’t stop and think about what it’s doing while it’s treading water. The legislature has shown
the opposite of an appetite for reform. The solution is to dismantle the board entirely and repeal
chapter 23.</p>
<p>We could replace it with a new agency, but there is no reason to think it would fare any better. The
statute gave IPIB everything it needed. IPIB chose not to use it.</p>
<p>Instead, training functions can be assigned to the Attorney General’s office, where they belong. The
AG knows — or should know — open records law well enough to be able to either put together a
curriculum, or to approve one to be delivered by a vendor or one of Iowa’s 15 community colleges (at
least seven of which have existing legal programs).</p>
<p>Advisory Opinions should not be handled by the AG because of its conflict of interest when defending
state agencies. If they are needed, the Office of Ombudsman, which reports to the legislature, could
take up the task
<a href="https://www.prisonlegalnews.org/media/publications/iowa_ombudsman_presentation_before_government_oversight_committee_public_records_2010.pdf">as it did before IPIB</a>.
Alternatively, advisory opinions could be assigned from a lawyer pool, similar to criminal defense
appointments.</p>
<p>Adjudication can still happen through the courts. For Iowa Open Records Act (chapter 22) cases,
discovery is often unnecessary due to the reversed burden of proof. The Iowa Supreme Court has
rule-making authority to create an expedited procedural track for Chapter 21/22 enforcement without
new legislation. The small claims process shows that courts have ample leeway in setting
expectations for plaintiffs.</p>
<p>IPIB’s declaratory orders — of which only one exists — are covered under the courts’ general
declaratory powers.</p>
<p>An informal complaints process is mostly unnecessary. Informal resolution is baked into the general
concept of settlement negotiations when a case is reviewed by a court. Governments only settle when
it hurts less than the alternative. Taxpayer-funded attorney fees keep that threshold high
regardless of forum. Fee-shifting and court-enforced fines for individuals — recently raised to
$12,500 for open meetings violations<sup class="footnote-ref"><a href="#footnote17">[17]</a><a class="footnote-anchor" id="footnote-ref17"></a></sup> — can provide pressure where IPIB won’t.</p>
<p>But resources spent on mediation would likely be better redirected to free or low-cost legal aid for
citizens, and potentially, if it can be kept sufficiently conflict-free, a general “open government
helpline” at the Attorney General’s office for both citizens and governments.</p>
<p>Dismantling the board would remove citizens’ temptation to fall into the § 23.5 false
election-of-remedies trap. Complainants already need to go to court to get IPIB to investigate.
Staying there is the more efficient option.</p>
<p><em>Swarm v. IPIB</em> illustrates the trap: Swarm’s case stems from an open meetings violation he alleges
happened in January 2022. After IPIB dismissed his complaint, Swarm sued the city for the violation,
but amended to put IPIB’s name on the suit. When he did, the city joined IPIB. Sixteen months after
Swarm filed the case, the district court heard it. It then sat on it for another ten to decide what
to do.</p>
<p>It took a full twenty-six months and going toe-to-toe with both the city and IPIB — who filed a
combined five attacks on the case before even filing an answer<sup class="footnote-ref"><a href="#footnote18">[18]</a><a class="footnote-anchor" id="footnote-ref18"></a></sup> — as a self-represented
litigant, but Swarm ultimately prevailed.<sup class="footnote-ref"><a href="#footnote19">[19]</a><a class="footnote-anchor" id="footnote-ref19"></a></sup> The complaint was then sent back to IPIB’s
“efficient, informal, and cost-effective process for resolving disputes” to finally be looked at.
IPIB instead made a near-immediate determination: “probable cause exists to believe a violation has
occurred, but, as an exercise of administrative discretion, [we] dismiss the matter.”</p>
<p>Today, more than four years since the alleged violation happened, Swarm is back in court fighting
IPIB.<sup class="footnote-ref"><a href="#footnote20">[20]</a><a class="footnote-anchor" id="footnote-ref20"></a></sup> He has made no progress whatsoever on the original complaint — Mount Pleasant and IPIB
have been spending scarce judicial resources and taxpayer money for years so that one can avoid
slapping the other’s wrist.</p>
<p>In January of 2026, Eulando Hayes also filed a lawsuit against IPIB, seemingly because of further
improper “probable cause” dismissals in
<a href="https://ipib.iowa.gov/25fc0141-eulando-hayes-v-black-hawk-county-attorney-investigative-report-and-probable-cause-order">25FC:0141</a><sup class="footnote-ref"><a href="#footnote21">[21]</a><a class="footnote-anchor" id="footnote-ref21"></a></sup>
and
<a href="https://ipib.iowa.gov/25fc0142-eulando-hayes-v-black-hawk-county-attorney-investigative-report-and-probable-cause-order">25FC:0142</a>.<sup class="footnote-ref"><a href="#footnote22">[22]</a><a class="footnote-anchor" id="footnote-ref22"></a></sup></p>
<p>When the board is dismantled, Chapter 23 should be repealed in its entirety and any pending
complaints should be dismissed without prejudice or triggering the election-of-remedies statute, to
be refiled in court.</p>
<p>It’s been more than thirteen years. The board has issued only non-binding advisory opinions, one
fine, and one declaratory order. At least two separate litigants have spent years in court in their
efforts to get IPIB to look at their complaints — so far unsuccessfully. A third just started.</p>
<p>Even if IPIB survives, the “election of remedies” in § 23.5 must go. Iowans should be able to trust
a government agency to do what it says on the tin. But when that fails — when appointees decide
doing their job is discretionary — citizens should not be left wistful, longing for a state that
believes in the laws it creates.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>The charts were created by analyzing the published orders on IPIB’s website. Because the orders
do not use a standardized format, a combination of heuristics and AI-analysis was used to detect
dispositions.
<a href="https://ipib.iowa.gov/media/168/download?inline">IPIB only began tracking outcomes in 2024</a>. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>“After accepting a complaint, the board shall promptly work with the parties, through employees
of the board, to reach an informal, expeditious resolution of the complaint.” Iowa Code § 23.9
(2026). <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Its § 22.7(18) analysis is independently questionable. That exemption explicitly excepts from
confidentiality information indicating “the date, time, specific location, and immediate facts
and circumstances surrounding the occurrence of a crime or other illegal act.” Iowa Code §
22.7(18)©. IPIB simultaneously claimed the 911 call was exempt under § 22.7(5) as part of a
peace officer’s criminal investigation — which would make the death precisely the kind of event
§ 22.7(18)© covers. IPIB never reconciled the tension between those two positions. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p><em>Hawk Eye v. Jackson</em>, 521 N.W.2d 750, 753 (Iowa 1994) <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>Yes, the order actually says “in”, not “of”. <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote6" class="footnote-item"><p>An agency shall have only that discretion delegated to it by law and shall not expand or enlarge
its discretion beyond what is delegated. Iowa Code § 17A.23 (2026). <a href="#footnote-ref6" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote7" class="footnote-item"><p>There is more to it, but that short version will do for the purpose of this article. <a href="#footnote-ref7" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote8" class="footnote-item"><p>IPIB’s dismissal rested exclusively on § 22.1 (“we don’t have the record”); the district court
examined § 22.2 (“the vendor performs a government function”). The Court of Appeals opinion
turned on § 22.1. <a href="#footnote-ref8" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote9" class="footnote-item"><p><em>Diercks v. Malin</em>, 894 N.W.2d 12 (Iowa Ct. App. 2016) <a href="#footnote-ref9" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote10" class="footnote-item"><p><em>KMEG Television, Inc. v. Iowa State Board of Regents</em>, 440 N.W.2d 382 (Iowa 1989) <a href="#footnote-ref10" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote11" class="footnote-item"><p><em>Clark v. Banks</em>, 515 N.W.2d 5 (Iowa 1994) (per curiam) <a href="#footnote-ref11" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote12" class="footnote-item"><p>The meeting was originally scheduled for March 9. IPIB rescheduled to March 12 without updating
the date on its website. A timely physical notice posted in Des Moines would satisfy the notice
requirement in an obviously unhelpful way IPIB could choose to address. <a href="#footnote-ref12" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote13" class="footnote-item"><p>It is readily apparent that the complaint is sufficient, even if the complainant cited the legal
basis incorrectly: she requested bodycam footage from the sheriff’s office, the sheriff is
subject to chapter 22, bodycam footage is a public record, bodycam footage is not categorically
confidential, and the sheriff did not provide the record. That meets and exceeds the legal
sufficiency standard. <a href="#footnote-ref13" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote14" class="footnote-item"><p><em>Ripperger v. Iowa Pub. Info. Bd.</em>, 967 N.W.2d 540 (Iowa 2021) <a href="#footnote-ref14" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote15" class="footnote-item"><p>IPIB confirmed in response to an open records request that it issued no subpoenas between July
2023 and February 2025. Its annual reports and public records reflect no subpoenas in any prior
period. <a href="#footnote-ref15" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote16" class="footnote-item"><p>IPIB’s annual report shows 134 complaints received (opened cases) in 2024. The chart above,
which is based on the number of published orders (closed cases) on the IPIB website, shows 118
complaints in 2024. <a href="#footnote-ref16" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote17" class="footnote-item"><p>HF 706, which provided the training mandate, raised the maximum fine for willfully violating
open meetings law (chapter 21) from $2,500 to $12,500 but left chapter 22 (open records)
violations at $2,500. <a href="#footnote-ref17" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote18" class="footnote-item"><p>Two separate motions to dismiss from the City (D0006, D0013), one from IPIB (D0022), a motion to
strike from the City (D0010), and a joinder (D0024). <a href="#footnote-ref18" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote19" class="footnote-item"><p><em>Swarm v. City Council of Mt. Pleasant</em>, No. CVEQ006708 (Iowa Dist. Ct. Henry Cnty. Nov. 30,
2024). <a href="#footnote-ref19" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote20" class="footnote-item"><p><em>Swarm v. Iowa Pub. Info. Bd.</em>, No. CVEQ007043 (Iowa Dist. Ct. Henry Cnty.) <a href="#footnote-ref20" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote21" class="footnote-item"><p>Here, IPIB wrote, “Because the Respondent’s access to . . . records does not amount to ownership
of the records, the request and any subsequent complaint should be directed to the proper lawful
custodian” — this appears to be facially incorrect if only because Chapter 22 does not
contemplate “ownership” per se. Its definition of a public record is “records of or belonging
to” the government, which has been read more broadly than mere ownership. <a href="#footnote-ref21" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote22" class="footnote-item"><p>“Because the records generated under these policies are akin to confidential job performance
evaluations, they fall within the categorical confidential exception under Chapter 22.7(11)(a)
and withholding the records at issue does not constitute a violation of Chapter 22” — even
though Chapter 22 permits non-disclosure of confidential public records, it does not permit
withholding records <em>akin to</em> confidential public records. IPIB did not review the records to
establish similarity but simply decided that “the respondent likely generates documents in
relation to [its] policies” and that those imaginary records could not possibly fall outside the
definition in § 22.7(11)(a). <a href="#footnote-ref22" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[The Bill That Hides the Evidence]]></title>
            <link>https://footnote4a.org/news/the-bill-that-hides-the-evidence</link>
            <guid isPermaLink="false">https://footnote4a.org/news/the-bill-that-hides-the-evidence</guid>
            <pubDate>Sun, 08 Mar 2026 15:00:00 GMT</pubDate>
            <description><![CDATA[Iowa's proposed ALPR bill was copied from Virginia's. Virginia just proved it doesn't work.]]></description>
            <content:encoded><![CDATA[<p>One of Iowa’s proposed bills on automated license plate reader surveillance cameras (“ALPRs”),
<a href="https://www.legis.iowa.gov/legislation/BillBook?ga=91&amp;ba=hf2701">House File 2701</a>, scooched past the committee on the judiciary with the backing of the
ACLU, IJ, and AfP; the bill is modeled on Virginia’s, and would use identical mechanisms to
completely prevent oversight of police use of the technology.</p>
<p>Don’t confuse it with the <em>other</em> proposed ALPR bill, <a href="https://www.legis.iowa.gov/legislation/BillBook?ga=91&amp;ba=hf2161">House File 2161</a>, a bill that was
<a href="https://www.legis.iowa.gov/legislation/BillBook?ga=91&amp;ba=H-8006">amended</a> to <a href="hf2161-march">give the insurance industry access to surveillance data</a>.</p>
<p>H.F. 2701 doesn’t do that. At least not out loud. Its central accomplishment is eliminating
oversight.</p>
<h2>Virginia, but less transparent</h2>
<p>H.F. 2701 closely tracks Virginia’s <a href="https://lis.virginia.gov/bill-details/20251/HB2724">HB2724</a> law, which came into effect in July, 2025. Much of
the language in Iowa’s bill was lifted verbatim from Virginia’s.</p>
<p>The Richmond Times Dispatch published an article today, titled to tell Iowans in no uncertain turns
what the proposed bill really holds: “<a href="https://richmond.com/news/state-regional/government-politics/article_f35502c2-2fa4-4906-9cf7-6e915eac9ccb.html">State won’t say which law enforcement agencies are breaking
surveillance camera laws</a>.”</p>
<blockquote>
<p>Under the new laws, agencies can’t share their databases with other states or federal agencies. But
at least nine self-reported that they were still allowing federal agencies continuous access to
their databases, and another 20 were still allowing out-of-state agencies that same access, the
crime commission said in it’s*[sic]* January report.</p>
<p>The commission won’t, however, identify which agencies are violating state law – and it is not
required to release records to the public due to a longstanding exemption from public records law.</p>
</blockquote>
<p>Iowa’s proposed bill does not restrict sharing with out of state agencies, but Virginia’s outcome for
finding violations is better than the one Iowa can expect; the Iowa bill is significantly worse for
transparency.</p>
<p>Like Virginia, it would remove ALPR system audit trails, which provide information on what the system
is being used for, from oversight. Virginia requires that agencies record data about when the system
is being used for stops, and demographic data on who is being stopped. Iowa does not. Iowa requires
annual reporting too, but only of self-reported aggregates nobody can verify.</p>
<p>Where some might find it shocking that Virginia’s commission won’t answer the question “who abused
the system?”, Iowa took that same bill and surgically removed any possibility of that question being
asked.</p>
<p>The only report goes to the Department of Public Safety. This is problematic, given DPS’ history of
inaction on surveillance, and its readily-apparent conflict of interest when it comes to oversight of
local police.</p>
<p>Any reports would contain aggregates of data that isn’t required to be collected according to any
standard, or at all — like the number of stops. But even if the numbers were there, nobody could
verify them: the underlying log files are completely inaccessible to anyone except the agency
reporting, including DPS.</p>
<p>Make no mistake: Iowa police don’t want you to know about ALPRs. The <a href="https://www.aclu-ia.org/publications/automatic-license-plate-reader-report-raises-concerns-about-expansion-of-government-surveillance-in-iowa/">ACLU of Iowa/University of
Iowa’s report</a> showed widespread violations of existing open records law;<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> <a href="https://iowacapitaldispatch.com/2026/02/25/public-information-board-shouldnt-have-dismissed-complaint-court-rules/">the Iowa Public
Information Board unlawfully refused to look into non-disclosure of ALPR contracts</a>; and the
<a href="https://www.documentcloud.org/documents/26510475-wapello-county-alpr-policy/">Wapello County Sheriff</a> and <a href="https://www.documentcloud.org/documents/26506756-flock-safety-training-guide-altoonapd/#document/p7">Altoona Police Department</a> adopted policies on
concealing ALPR use.</p>
<p>This bill allows them to hide everything. And they will.</p>
<h2>The Warrant Red Herring</h2>
<p>The Iowa bill also does away with Virginia’s “reasonable suspicion” standard, in favor of a warrant
requirement. That warrant requirement, however, is a red herring for two main reasons.</p>
<p>First, it only applies to data older than 24 hours. The first 24 hours are a free-for-all, requiring
only self-certification (in a secret log) of a vague approved purpose. During this period, data can
be accessed and copied without a warrant. If the data is copied to a location outside the ALPR
system, the bill’s protections evaporate. Agencies across the country already use this mechanism to
bypass existing retention requirements.</p>
<p>Second, the bill sets no bounds on who can issue a warrant. Any magistrate can. The magistrate does
not have to be in the same county, nor does he need to have jurisdiction over the alleged offense.
Magistrates appointed before 2009 are not even required to be lawyers—there’s no incentive to push
back on a warrant 200 miles away when you’ve been doing the same part time job for 17+ years. The
setup enables the worst kinds of forum shopping.</p>
<p>The electronic warrants system compounds the problem—it creates a system where search warrants are,
or at least can be, handled similarly to your Amazon Shopping customer service complaints.</p>
<p>The judiciary’s oversight of magistrates is voluntary. That means that unless the chief judge in the
county where the warrant was granted — which can differ from the county where it was requested — is
actively monitoring the search warrants granted in the county there is no oversight.</p>
<p>Who can complain when the use of ALPR remains hidden? Who can even find warrants when it takes
visiting all 99 county courthouses?<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> And, critically, who could ever find out if the system was
queried without a warrant?</p>
<h2>Police don’t Police Police</h2>
<p>As the outcome in more-transparent Virginia shows, these aren’t hypothetical concerns. We can’t
trust police to “do the right thing” when it comes to oversight.</p>
<p>This bill does not aim to solve any problems, it aims to hide them. Virtually all abuses of ALPR
systems that have been uncovered have been found by journalists and members of the public;
<a href="https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/">immigration searches in Illinois</a> uncovered by a community group, <a href="https://www.kctv5.com/2026/01/12/joplin-officer-no-longer-employed-after-alleged-misuse-license-plate-tracking-system/">stalking in Joplin,
MO</a>, discovered by DeFlock Joplin, a Kansas police chief was <a href="https://www.kansas.com/news/politics-government/article291059560.html">only found to be stalking
after admitting it</a>, KCUR in Lenexa found <a href="https://www.kcur.org/politics-elections-and-government/2026-02-02/lenexa-police-investigated-column-writer-critical-failure-warn-ice-raid-councilwoman-investigation">police investigating a column author</a>, and
just <a href="https://www.wisn.com/article/website-that-started-investigation-into-officer-josue-ayala-flock-cameras/70523858">two weeks ago in Milwaukee</a>, a stalking victim found out by looking up their plate
on <a href="https://haveibeenflocked.com">haveibeenflocked.com</a>.</p>
<p>Because nobody actively monitors how these systems are being used, these abuses are not discovered in
real-time. It takes drawn-out open records processes, complex analyses, and lengthy investigations.
The bill requires logs to be destroyed within two years — or sooner, at the agency’s discretion.</p>
<p>Of course, whether the existence of evidence in a locked filing cabinet in the basement of the police
station actually matters is another question.</p>
<p>Iowa’s bill would sweep this type of evidence of abuse under the rug. It undermines Iowa’s public
records law and tacitly blesses the current complete non-enforcement of Iowa’s existing laws on
surveillance.</p>
<p>The <a href="https://www.aclu-ia.org/publications/automatic-license-plate-reader-report-raises-concerns-about-expansion-of-government-surveillance-in-iowa/">ACLU/UI report</a> revealed that over a third of Iowa agencies grant access to non-sworn
support staff, like administrative staff and clerks. The bill doesn’t address this, nor does it set
minimum security standards in statute — it delegates them to the same agency policies nobody audits.</p>
<p>The bill is silent on how Iowa enforces its restrictions on out-of-state agencies that access the
data — or on what happens when out-of-state agencies don’t comply with, for example, the requirement
to send annual audit reports to DPS.</p>
<p>If this bill passes, some will claim it as a victory. Neither the ACLU, nor the legislature, nor DPS
will have any way to verify if it was.</p>
<p>The ACLU of Iowa, Institute for Justice, and Americans for Prosperity should withdraw their support
for H.F. 2701. Virginia has proven that it places incident screens where guardrails are needed. Let’s
learn from their mistake.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>The proof is in the proposed bill: it creates new exemptions where none exist today. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Iowa has an electronic document system but the public can’t access filings except by visiting
the courthouse where it was filed. There, you can log on to the same electronic document system
available online, with enhanced access permissions, and access filings for the county you’re in. <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[Consumer Data Protection: California Plus, Compliance Minus]]></title>
            <link>https://footnote4a.org/news/california-plus</link>
            <guid isPermaLink="false">https://footnote4a.org/news/california-plus</guid>
            <pubDate>Sun, 08 Mar 2026 01:00:00 GMT</pubDate>
            <description><![CDATA[Flock's boilerplate denial doesn't survive the statute it claims to follow.]]></description>
            <content:encoded><![CDATA[<p>As of 2025, Consumer Data Protection Acts (CDPAs) have been enacted in twenty states.<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> Some
share language, others don’t, but all leave the obvious tension between “consumer data protection”
and “privatized mass surveillance” unresolved.</p>
<p>I recently received a copy of Flock’s response to a CDPA request. The response was predictable:
obfuscate, misdirect, and deny.</p>
<p>In this article, we’ll pick Flock’s response apart, because the Attorney General hasn’t. Yet.</p>
<h2>CDPA 101: It’s GDPR Lite</h2>
<p>The CDPAs adopted by the various states broadly follow a pattern inspired by Europe’s General Data
Protection Regulation (GDPR). What they protect varies a little from state to state, but the general
idea is “information that is linked, or linkable, to persons.”</p>
<p>In equally broad terms, whenever a “person” (government, business, natural person, etc.) collects or
maintains protected data, they are a “controller” and someone merely handling the data is a
“processor.”</p>
<p>In states with a CDPA, you typically can do things like request your data from the controller, opt
out of certain data collection, find out how it’s being shared, and correct incorrect information.</p>
<p>Corporations in general, but mass surveillance corporations in particular, enjoy existing in liminal
spaces. Even though various state laws require the separation to be clearly defined in contracts,
the terms are often purposely left out, or, if included, left ambiguous.</p>
<p>That problem is compounded for government-funded corporate surveillance because the surveillance
devices (cameras, microphones, what have you) and software are often said to be private, while the
funding and operational infrastructure (permits, land use, and so on) is provided by the government.</p>
<p>A fun fact — and we’ll get to why it’s “fun” in a minute — is that the government itself is exempt
from the CDPA.</p>
<h2>A Response, Annotated</h2>
<blockquote>
<p>With respect to any systems over which Flock is a controller, we did not locate any data in such
systems that matched the information provided in your request</p>
</blockquote>
<p>It is unclear what systems Flock refers to, but clearly it admits it is a controller of some
systems.</p>
<p>But let’s gloss over that really, really quickly.</p>
<blockquote>
<p>With respect to any data which may temporarily be stored on Flock Safety devices, such data is
consistently written over on a rolling basis due to limited memory space on the devices and is not
stored or maintained on such devices in a manner that allows Flock Safety to directly identify,
link, or associate the data with an identifiable person. This can only be done via the Flock
Safety software systems, where, as described further below, all data is owned and managed by Flock
Safety’s customers.</p>
</blockquote>
<p>This sounds sort of meaningful, but isn’t. At least not in the way Flock would like you to believe.
Ownership and management are not factors, nor is whether Flock “identifies, links, or associates”
the data with an identifiable person. Whether the data is stored “temporarily” or whether it’s
overwritten on a rolling basis are all technical implementation detail that neither the CDPA, nor
the requester cares about.</p>
<p>What they do care about is the admission in the middle of the technobabble: Flock stores or
maintains “such data.”</p>
<blockquote>
<p>With respect to any systems where Flock Safety processes data on behalf of our customers, please
note that Flock Safety’s customers are owners and controllers of the data Flock Safety processes
on their behalf. Flock Safety is a service provider and processor for our customers and as a
result, we are unable to directly fulfill your request. We recommend contacting the organization
that engaged Flock Safety’s services to submit your request, as they are responsible for assessing
and responding to it.</p>
</blockquote>
<p>This paragraph is Flock’s key assertion. It is boilerplate crafted to dismiss requests under many
states’ CDPAs, which share the “processor” language. But it’s lazy boilerplate, because it also uses
“service provider” from California’s CCPA/CPRA.</p>
<p>If it’s too much work to craft a form letter specific to California — the most populous state in the
nation — it’s probably a safe assumption that it’s too much work to actually look for the data
requested.</p>
<blockquote>
<p>Here are a few additional points about Flock Safety’s data collection and privacy practices:</p>
</blockquote>
<p>Okay, let’s hear 'em.</p>
<blockquote>
<p>Customer Contracts: Flock Safety’s processing activity as a service provider and processor is
governed by the contract we have with our customers, which captures their instructions and the
limitations on how Flock Safety may process their data. Flock Safety’s customers own the data and
make all decisions around how such data is used and shared.</p>
</blockquote>
<p>The same boilerplate “California-plus” language: “service provider and processor.”</p>
<p>The paragraph itself — its activity is governed by the contract it has with its customers — is
meaningful. Hang on to that tidbit, we’ll come back to it.</p>
<blockquote>
<p>No Sale of Data: Because Flock Safety’s customers own the data, Flock Safety may only process the
data in accordance with our customer’s instructions, as outlined in our contracts with customers.
Flock Safety is not permitted to sell, publish, or exchange such data for our own commercial
purposes.</p>
</blockquote>
<p>Again, the causal link Flock suggests here does not exist. The CDPA places restrictions on the sale
of data, but it does not consider “ownership.” That’s deliberate, because it’s not how data sales
work in practice: people rarely sell data, they license it.</p>
<p>And while “for our own commercial purposes” is technically correct, it is misleading. As a
processor, Flock would not be permitted to “sell, publish, or exchange such data” for any reason. It
can follow the express instructions of the controller. That’s it.</p>
<p>Instead, its business model requires it to schlep around buckets full of data between customers, and
between its own systems to offer a Surveillance-as-a-Service product.</p>
<blockquote>
<p>Information Collected: Where Flock Safety’s customers leverage License Plate Reader (LPR)
technology, the LPRs do not process sensitive information like names or addresses. Instead, LPRs
only capture images taken in the public view of publicly available and visible vehicle
characteristics</p>
</blockquote>
<p>Flock’s response focuses on “LPR” cameras. Which is the most well-known of its products, but still
only a subset. Its other products, like Condor PTZ cameras, Raven microphones, and even Nova (which
“combin[es] CAD, RMS, video footage, LPR data, and even open-source intelligence [which includes
things like consumer credit reports, and, <a href="https://nexanet.ai/blog/license-plate-reader-company-flock-said-it-does-not-use-dark-web-data-my-analysis-of-their-code-tells-a-different-story">according to independent security research</a>, SSNs and other
dark web data] in one unified experience”) go unmentioned.</p>
<p>That its roadside cameras don’t process “sensitive information” is false. That term is defined by
the CDPA; in Delaware, it includes “precise geolocation data”, in Minnesota it includes “specific
geolocation data.” Both are statutorily defined terms describing a type of data captured by Flock’s
roadside cameras.</p>
<p>To make the claim true, Flock attempts to substitute its own definition of “sensitive data” for the
one provided by the statute.</p>
<p>But what matters more for the response is not whether a specific Flock product handles a specific
type of information, but whether Flock, as a company, has protected data.</p>
<p>The answer to that is “yes.”</p>
<blockquote>
<p>Purpose: Flock Safety customers use data for security purposes, including managing public safety
or responding to safety concerns and reports. Additionally, such data may be used to help solve
crimes and provide objective evidence.</p>
</blockquote>
<p>Close, but not quite. Flock’s standard contract says: “‘Permitted Purpose’ means a legitimate public
safety and/or business purpose, including the awareness, prevention, and prosecution of crime;
investigations; and prevention of commercial harm, to the extent permitted by law.”</p>
<p>The purpose itself is mostly irrelevant. The point is that the “Permitted purpose” is defined by
Flock, in its standard terms and conditions, which it can unilaterally modify. Determining the
purpose makes Flock the controller.</p>
<blockquote>
<p>Retention: By default, Flock Safety’s systems only retain data for 30 days, which means that any
data collected on behalf of customers is permanently hard deleted on a rolling 30-day basis. Flock
Safety customers may shorten or lengthen this retention period based on their local laws or
policies.</p>
</blockquote>
<p>This is an equally relevant admission: Flock sets the default retention period, and it determines
that it “permanently hard deletes” the data. Its customers can influence those terms later, but it
is, again, Flock making controller decisions.</p>
<h2>Processors vs. Controllers</h2>
<p>From Flock’s lazy boilerplate, it’s already sufficiently clear that the company (a) has the data
requested, and (b) is the controller of that data. Its response does not survive. But let’s
double-tap.</p>
<h3>All the States, None of the Work</h3>
<p>The response above was from Minnesota, but we’ll use the CDPA from Flock’s state of incorporation —
the Delaware’s Personal Data Privacy Act (DPDPA) — to walk through it. DPDPA is not only the most
fun to say, it is also functionally identical to Minnesota’s MCDPA in every way that matters here.</p>
<p>If Flock gets to write a California-plus denial, I get to write a Minnesota-plus indictment of it.</p>
<p>Flock’s California-plus language is telling in its laziness. If Flock were a processor, it would
have an obligation, under the MCDPA or DPDPA, or some other CDPA, to assist the controller with the
request. If it were a service provider, it would have that same obligation, but to the business.</p>
<p>What Flock does instead is punt, without even identifying who it claims the controller is or are —
presumably all of its Minnesota clients.</p>
<p>Minnesota gives consumers the right to a list of every third party who received their data. Flock’s
response does not even mention it. As a processor, Flock has the duty to assist the controller to
locate the list and provide it as a response.</p>
<p>That Flock’s response is lazy is unsurprising when the contact information listed on its CDPA form
is “Generitech Privacy 123 Main Street Capital City, ST, USA 10001 +1-800-000-0000
<a href="mailto:emailprivacy@generitech.com">emailprivacy@generitech.com</a>”</p>
<p>The laziness shows that it does not even attempt the bare minimum to fulfill the role it claims for
itself. The only thing it does is send out form letters as generic as 123 Main Street.</p>
<h3>The Missing Contract</h3>
<p>Remember the relevant contract claim. Flock claims there is one, which is good. But the DPDPA and
MCDPA (and others) not only require that there be a contract between a controller and a processor,
they require it to have specific content.</p>
<p>Flock’s contracts, as we have reviewed them, do not contemplate this. Here is an example of such a
missing requirement — you can look for it in the terms Flock publishes on its website:</p>
<blockquote>
<p>A contract between a controller and a processor must govern the processor’s data processing
procedures with respect to processing performed on behalf of the controller. . . . The contract
must also require that the processor to do all of the following: . . . Allow, and cooperate with,
reasonable assessments by the controller or the controller’s designated assessor, or the processor
may arrange for a qualified and independent assessor to conduct an assessment</p>
</blockquote>
<p>Flock’s contracts do not contemplate this at all. Not even close.</p>
<p>The DPDPA requires that the division of labor between a controller and processor is laid out in the
contract to avoid exactly the type of shell game Flock attempts to play.</p>
<p>That requirement is not without teeth — the law spells out the consequence of omission:</p>
<blockquote>
<p>Determining whether a person is acting as a controller or processor with respect to a specific
processing of data is a fact-based determination that depends upon the context in which personal
data is to be processed. A person who is not limited in such person’s processing of personal data
pursuant to a controller’s instructions, or who fails to adhere to such instructions, is a
controller and not a processor with respect to a specific processing of data.</p>
</blockquote>
<p>Flock’s prize for failing to have an adequate contract in place is that it becomes the controller.</p>
<h3>The Government as Controller</h3>
<p>Even if Flock’s contracts were perfect, its position would still fail. As stated earlier, the CDPA
does not apply to the government. That doesn’t mean that it is optional for the government, it means
that the statute, as a whole, does not apply to the government.</p>
<blockquote>
<p>This chapter does not apply to any of the following entities: Any regulatory, administrative,
advisory, executive, appointive, legislative, or judicial body of the State or a political
subdivision of the State, including any board, bureau, commission, agency of the State or a
political subdivision of the State, but excluding any institution of higher education.</p>
</blockquote>
<p>Even if a police department were to want to assume the role of the controller, which it doesn’t, it
could not. That’s why the language is not in the contract.</p>
<p>“A person who is not limited in such person’s processing of personal data pursuant to a controller’s
instructions . . . is a controller and not a processor”.</p>
<p>Someone who is not the controller can’t provide “a controller’s instructions.” Without those
instructions, Flock is not “limited” by them.</p>
<p>And because Flock is not limited, it is the controller, as a matter of fact as well as law.</p>
<hr>
<p>Minnesota’s cure period expired January 31, 2026.</p>
<p><a href="https://privacyportal.onetrust.com/webform/abd283d9-9d03-4d74-aa5b-3529f7216767/9669345b-843e-48d3-aa6b-5edf2d1e9c9b">File your requests</a>. Collect your California-plus denial. Encourage your AG to act.</p>
<hr>
<p class="text-xs text-muted mt-4 mx-4 text-center">Cross-posted from <a href="https://footnote4a.substack.com/p/consumer-data-protection-california">Footnote 4A</a>, where I cover Flock, privacy, and public-private
surveillance infrastructure more broadly. Flock-specific posts live on
<a href="http://haveibeenflocked.com">haveibeenflocked.com</a>.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>California (2018), Virginia (2021), Colorado (2021), Connecticut (2022), Utah (2022), Delaware
(2023), Indiana (2023), Iowa (2023), Montana (2023), Oregon (2023), Tennessee (2023), Texas
(2023), Kentucky (2024), Maryland (2024), Minnesota (2024), Nebraska (2024), New Hampshire
(2024), New Jersey (2024), and Rhode Island (2024). <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[All the Attorney General's Men: As Transparent as a One-Way Mirror]]></title>
            <link>https://footnote4a.org/news/coralville-ag</link>
            <guid isPermaLink="false">https://footnote4a.org/news/coralville-ag</guid>
            <pubDate>Tue, 24 Feb 2026 21:00:00 GMT</pubDate>
            <description><![CDATA[How a complaint to Iowa's AG about Coralville's unenforceable ALPR policy forced a choice—and revealed the AG's selective relationship with transparency.]]></description>
            <content:encoded><![CDATA[<p>One of the very first posts on this blog was “<a href="https://footnote4a.org/news/coralville-contract">All the Chief’s Men: How Coralville’s Flock Contract
Bypassed Oversight</a>”. It described how the Coralville Chief of Police
signed a Flock contract without lawful authorization. When the Coralville public found out about the
contract, they rallied in force and briefed the Coralville city council on Flock, including its
supposed “<a href="https://www.404media.co/cbp-had-access-to-more-than-80-000-flock-ai-cameras-nationwide/">federal pilot programs</a>.” All of it fell on deaf ears. When the AG finally
stepped in and threatened to cut off state funding, the City finally listened.</p>
<h2>The Policy</h2>
<p><a href="https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:edbfe9d4-4aac-4f14-ab93-c356702c9fbc">Coralville’s ALPR policy</a>,<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup> is a typical <a href="https://www.lexipol.com/platform/policies-and-updates/">Lexipol</a>-generated exercise in legal
copy-pastery, virtually identical to <a href="https://northlibertyiowa.org/wp-content/uploads/2024/11/Automated_License_Plate_Readers__ALPRs_.pdf">neighboring North Liberty’s policy</a>,<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup>
but with the following, largely inoffensive, section:</p>
<p><img src="https://footnote4a.org/blog/coralville-ag/policy.png" alt="Coralville Policy 427.4.1" width="500"></p>
<p>That section was copy-pasted from <a href="https://public.powerdms.com/CRPDIA/tree/documents/139229">Cedar Rapids’ policy</a>, but it adds the non-sensical
“protected characteristic” of infringing on the First Amendment, and a prohibition on use “[s]olely
for immigration purposes”.</p>
<p>That “immigration purposes” clause was added in response to pressure from the public against the
backdrop of increasingly aggressive ICE raids in <a href="https://www.themarshallproject.org/2025/12/18/ice-chicago-immigration-blitz-data"><em>Operation Midway Blitz</em></a> in Chicago.</p>
<p>Coralville’s policy was always performative. Its prohibitions were unenforceable, and various
aspects made no sense or made specific reference to the laws they facially clashed with. The
Chief’s proposed policy only provided for secret oversight done exclusively within the police
department with no mandatory reporting or penalties for violations—a fact specifically called out at
the council meeting where the policy was adopted.</p>
<p>To dispel any notion that this was bad policy made in good faith: once the policy was adopted, the
city almost immediately violated its own directive not to automatically share data with agencies
outside Johnson County.</p>
<p>Residents noticed on the Coralville Flock transparency portal that Coralville PD had given Cedar
Rapids (in neighboring Linn County) access. When asked about this by the public and the media—who
all interpreted 427.7 as a ban on granting this type of unfettered, indefinite automated access to
agencies outside Johnson County—the PD justified its actions by stating that Flock’s automatic
sharing was fine because the <em>request</em> for automatic sharing had been made manually.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></p>
<p>The Coralville Police Chief clearly has no qualms about sharing data. The Chief had already signed a
two-year deal for mass surveillance after only talking to the City Administrator and without
involving the city council, the city attorney, or finance; if he had been approached by state or
federal agencies for access to Flock, there is no doubt in my mind that he would have granted it.</p>
<p>More so if the AG would follow the state playbook of mildly threatening sanctions, up to withholding
all of a city’s state funding, for violating <a href="https://www.legis.iowa.gov/docs/code/27A.pdf">Iowa Code Chapter § 27A.4(1)</a>:</p>
<blockquote>
<p>A local entity shall not adopt or enforce a policy or take any other action under which
the local entity prohibits or discourages the enforcement of immigration laws.</p>
</blockquote>
<p>Granting access for immigration purposes would be the path of least resistance for Coralville PD and
its city administrator: the policy prevents oversight, and as long as the feds have access they
won’t complain.</p>
<p>AG Bird has so far declined to enforce Iowa’s laws prohibiting surveillance data, or its laws on
data security, consumer protection, or privacy, but she <em>has</em> threatened to use Chapter 27A to
<a href="https://www.governing.com/management-and-administration/iowa-ag-moves-to-strip-county-of-all-funding-over-immigration-post">revoke funding for an entire county</a> because its Sheriff dared distinguish between
administrative and judicial warrants on Facebook.</p>
<h2>The Gambit</h2>
<p>For us folks who like their privacy, the gambit was clear then: file a complaint with the Iowa
Attorney General about Coralville’s unlawful policy on the theory that if the AG acted, Coralville
would have a choice:</p>
<ol>
<li>Amend the policy. They’d need another public meeting, where the City Council, its Chief of
Police, and its City Administrator, would have to face an increasingly disgruntled public’s &quot;I
told you so&quot;s. They would have to tell the public they would be stripping the core protection
they had emphatically promised only a few months earlier, after ICE had ratcheted up
<a href="https://www.publicrightsproject.org/minnesota-v-noem-operation-metro-surge-fact-sheet/"><em>Operation Metro Surge</em></a> in Minneapolis.</li>
<li>Defy the Attorney General and risk being in an indefensible position in a legal battle that would
put state funding on the line for a city of 22,000 that’s already <a href="https://www.coralville.org/648/City-Debt">$340M in debt</a>, due to
questionable financial decisions involving funding a private hotel and a video game arena.</li>
<li>Cancel the contract.</li>
</ol>
<p>The violation in Coralville was much more direct than the Facebook post in rural Winneshiek County.</p>
<p>The Republican-led Capitol also has a long history of conflict with dark-blue Johnson County and its
cities—including Coralville.</p>
<p>@<a href="https://footnote4a.org/blog/coralville-ag/ag-complaint.pdf" class="collapsible">October 2, 2025, AG Complaint Re: Coralville</a></p>
<p>I submitted the complaint by email as a PDF attachment. When I followed up a month later, I received
a response:</p>
<blockquote>
<p>Thank you for contacting the Iowa Attorney General’s Office. We have reviewed your concerns. The
attachments referenced were not included with your email. Please forward those to our office so we
can have them reviewed.</p>
</blockquote>
<p>How the AG managed to review the complaint without receiving the attachments remains a mystery.</p>
<p>By January, after repeated attempts to deliver the complaint,<sup class="footnote-ref"><a href="#footnote4">[4]</a><a class="footnote-anchor" id="footnote-ref4"></a></sup> I was ready to chalk it up to
more inaction rather than lack of transparency, when I unexpectedly got word Coralville had been in
contact with the Attorney General.</p>
<p>The AG had directed Coralville to “remov[e] Section 427.4.1(d) from Policy 427 [to] resolve the
pending complaint in full.”<sup class="footnote-ref"><a href="#footnote5">[5]</a><a class="footnote-anchor" id="footnote-ref5"></a></sup></p>
<p>@<a href="https://footnote4a.org/blog/coralville-ag/ag-letter1.pdf" class="collapsible">December 16, 2025 letter from Attorney General to Coralville</a></p>
<p>Coralville city staff immediately acted to make changes to the city’s website and recommended that
the offending language be removed from the PD’s policy. The AG considered this an acceptable
solution.</p>
<p>@<a href="https://footnote4a.org/blog/coralville-ag/ag-letter2.pdf" class="collapsible">January 20, 2026 letter from Attorney General to Coralville</a></p>
<h2>The Fallout: A Cancelled Contract and Transparency</h2>
<p>Amending city policy requires council action. The Coralville City Council scheduled a work session
following its next regular council meeting to discuss the AG’s letter. The Coralville community once
again <a href="https://www.youtube.com/watch?v=_mIWPNSfCZk#t=9m57s">showed up and spoke out</a>. It was effective: the council placed “Cancel the contract”
on the agenda for its next meeting.</p>
<p>The $36,000 surveillance system that Chief Nicholson smuggled past his own city council, that the
council spent months defending with contradictory and increasingly desperate arguments, that Flock’s
own representative admitted was ungovernable by local policy — will be coming down.</p>
<p>But AG Bird did something else deserving mention: she placed my name in the opening sentence of the
letter to Coralville. It is a choice to so readily disclose the identity of a complainant against a
police department on a topic as politically charged as immigration enforcement.</p>
<p>It’s an especially unexpected level of transparency for an AG currently appealing a district court’s
order that the Iowa Public Information Board (IPIB) must do its job and handle (not validate,
<em>handle</em>) an open records complaint concerning Flock camera locations.<sup class="footnote-ref"><a href="#footnote6">[6]</a><a class="footnote-anchor" id="footnote-ref6"></a></sup></p>
<p>The Court of Appeals has been weighing that case since early last summer, which could mean the AG is
not going to get a one-page order with an easy procedural win against a <em>pro se</em> appellee. That
would be embarrassing (<em>Update 2/25</em>: Not 12 hours after posting this, the Court of Appeals affirmed
the trial court decision—i.e., I prevailed).</p>
<p>The kicker is that, in the Coralville case, the original complaint is almost certainly a
confidential public record under <a href="https://www.legis.iowa.gov/docs/code/22.pdf">Iowa Code § 22.7(18)</a>. This is the “whistleblower protection”
clause cities have used to hide community camera registries they have integrated with Axon’s Fusus
(a “fusion center” software product similar to Flock’s “FlockOS”).</p>
<blockquote>
<p>Communications not required by law … to the extent that the government body … could reasonably
believe that those persons would be discouraged from making them to that government body if they
were available for general public examination.</p>
</blockquote>
<p>But, as I’ve noted while arguing with various state and local officials: the Iowa Open Records Act
does not <em>require</em> agencies to withhold confidential public records, it merely <em>permits</em> it. The
complaint was likely protected; the AG chose to disclose it anyway—while simultaneously litigating
to <em>prevent</em> disclosure of public records in the IPIB case.</p>
<p>She exercises discretionary transparency when it serves <em>her</em>, rather than the public. She fights it
when the roles are reversed.</p>
<h2>The Cancellation</h2>
<p>The gambit worked: on February 24, Coralville <a href="https://www.youtube.com/watch?v=ZVWbSlqblIo">voted to end its contract with Flock</a>.
Within a span of weeks, both Iowa City and Coralville have instructed Flock to remove its AI
surveillance cameras from public roadways. Although Iowa City is its own island within the state,
this is a major victory in a state whose legislature is staunchly uncritical of police.</p>
<p>AG Bird got the outcome she wanted: the immigration clause is gone. But the community got the
outcome it wanted: the cameras are coming down.</p>
<p>The AG’s selective transparency—naming a complainant against a police department while fighting to
keep surveillance records secret—tells you everything you need to know about which side of the
one-way mirror she prefers to stand on.</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>In case Coralville takes down that copy, <a href="https://footnote4a.org/blog/coralville-ag/alpr-policy.pdf">use this one</a> <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>In case North Liberty takes down that copy, <a href="https://footnote4a.org/blog/coralville-ag/alpr-policy-2.pdf">use this one</a> <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>Rather than revoking access and invoking plausible deniability, Coralville PD took a
position only defensible under an extremely strict interpretation of the policy—a legally
desperate position further solidifying the idea that CPD was misleading the public. It’s a
move that screams “Flock.” <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote4" class="footnote-item"><p>I resubmitted everything, and provided the files as a download link on November 5. I never heard back
<em>at all</em> from the AG, despite following up six times between that date and the end of the year only
to confirm receipt of the “missing” PDF. <a href="#footnote-ref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote5" class="footnote-item"><p>The AG also referenced a “challenged statement relating to ‘Strict Access’” on the City website.
It’s not entirely clear to me what they mean by this, but it may refer to the transparency portal. <a href="#footnote-ref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote6" class="footnote-item"><p>To be clear: IPIB was only ordered to accept and investigate the complaint—the court did
not address whether the complaint had merit. <a href="#footnote-ref6" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[Two Tales of Real-World Flock Abuse]]></title>
            <link>https://footnote4a.org/news/ga-misuse</link>
            <guid isPermaLink="false">https://footnote4a.org/news/ga-misuse</guid>
            <pubDate>Thu, 08 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Two Georgia police officers face stalking charges after audit tools flagged repeated searches of the same plates. Flock's response: remove names from audit logs.]]></description>
            <content:encoded><![CDATA[<p>The Flock ecosystem relies on a specific promise: that local ‘internal affairs’
and audit logs are sufficient to prevent abuse. Recent criminal charges against
two Georgia law enforcement officers—a <a href="https://www.yahoo.com/news/articles/braselton-police-chief-resigns-announces-083652183.html">Police Chief</a> and <a href="https://www.wsbtv.com/news/local/former-georgia-sheriffs-office-employee-accused-stalking-people-using-department-flock-account/PDEZNDNDTBH5NNPGPZ7D7KPZKQ/">a
Sheriff’s Deputy</a>—suggest that this promise is hollow. Now, Flock is
moving to ensure those cases will be harder to detect.</p>
<p>First, to temper expectations: an after-the-fact justification is much easier
than identifying and validating findings regarding ongoing misconduct. These
incidents demonstrate that the tools here could be useful in some way, not that
they are fool-proof. Second, to my knowledge, neither Braselton’s Chief nor the
Echols County Deputy have been convicted of any crime. So far, wrongdoing has
been alleged, not proven.</p>
<p>With that out of the way, let’s examine the stories and the <a href="https://footnote4a.org/news/operator-insights">recently-added
operator insights pages</a>.</p>
<h2>Braselton’s Chief of Police</h2>
<blockquote>
<p>On Wednesday evening, Braselton Police Chief Michael Steffman announced he was
retiring and resigned from the department for personal reasons. He was booked
and charged, accused of using police cameras to stalk and harass people.</p>
<p>…</p>
<p>[Flock’s Josh] Thomas says Flock handed over a log that is built into the
system that allows them to see how, when and why the tech was used.</p>
</blockquote>
<p>As a sidenote: this is an interesting play from Flock—inserting themselves into
the narrative rather than relying on the “local oversight” they typically claim
is effective.</p>
<p>Opening <a href="hibf:/pd/3501-braselton-ga-pd/operators">Braselton’s operator list</a>, it is not immediately evident
that the arrested person was Michael Steffman. Another officer’s behavior raises
more red flags in the system. You will have to draw your own conclusions based
on the information available.</p>
<p>Anyway, <a href="hibf:/pd/3501-braselton-ga-pd/operator/O612Zm9F">Steffman’s Insights Page</a> shows multiple red flags on the first
page:</p>
<ul>
<li>Days Active: 101</li>
<li>Total Searches: 2,707</li>
<li>Unique Plates: 42</li>
<li>Unique Reasons: 4</li>
<li>Account Sharing Candidate (Temporal entropy 2.710)<sup class="footnote-ref"><a href="#footnote1">[1]</a><a class="footnote-anchor" id="footnote-ref1"></a></sup></li>
</ul>
<p>This already looks like someone looking up the same plates over and over at all
hours of the day without providing a valid reason.</p>
<p>But, who knows, maybe Braselton was conducting long-term surveillance for
operation “005”<sup class="footnote-ref"><a href="#footnote2">[2]</a><a class="footnote-anchor" id="footnote-ref2"></a></sup> and the Chief personally saw to it that any movement was
logged, 24/7.</p>
<p><img src="https://footnote4a.org/blog/ga-misuse/targets.png" alt="Surveillance Targets"></p>
<p>As a reminder: the “Target” column uses identifiers which represent license
plates.</p>
<p>We don’t have to get into the complexity of SAI: looking up the same license
plate 411 times should be a red flag.<sup class="footnote-ref"><a href="#footnote3">[3]</a><a class="footnote-anchor" id="footnote-ref3"></a></sup></p>
<p><img src="https://footnote4a.org/blog/ga-misuse/411.png" alt="411 Searches of 1 Plate"></p>
<p>Zooming in, we can see that we have records of searches for this plate, by
Steffman, spanning October 2024 – August 2025; those dates more likely indicate
the end of the records period on <a href="http://haveibeenflocked.com">haveibeenflocked.com</a> than the end of the
searches.</p>
<p>20% of those searches were flagged as made outside of what the system flagged as
typical hours for Steffman (12pm – 12am).</p>
<p><img src="https://footnote4a.org/blog/ga-misuse/sessions.png" alt="Isolated Sessions"></p>
<p>Looking at the isolated sessions, Steffman did further lookups in between
extended periods of non-use; suggesting he was not on-shift at the time.</p>
<p>What makes this case exceptionally unusual, besides how rare arrests for these
cases are, is that Steffman’s employee record, which is also listed on the page,
indicates that he spent the last twenty years in Braselton.</p>
<p>In the world of policing, a twenty-year veteran and Chief is usually afforded
every benefit of the doubt. Not in this case, in Flock’s home state.</p>
<p>For a department to bypass internal discipline and move straight to handcuffs
and a media circus suggests toxic politics, at best. Especially when considering
the red flags for <a href="hibf:/pd/3501-braselton-ga-pd/operator/N9wXdLJZ">other users in the
department</a>.</p>
<h2>Echols County Deputy</h2>
<p>This one is more straightforward. Echols County’s page shows “A. Ant” and “A.”
without overlapping time periods, suggesting that some time in June or July,
Anna Altobello shortened her name in the system. This appears to be a departmental
policy that tracks Flock’s <a href="https://footnote4a.org/about/name-resolution">desire to obfuscate</a>.</p>
<blockquote>
<p>The Georgia Bureau of Investigation said Anna Altobello, 33, misused Flock
Safety accounts belonging to the Echols County Sheriff’s Office to search for
tag information on people she knew personally, outside of law enforcement
purposes.</p>
<p>The GBI said it happened multiple times and Echols County Sheriff Randy
Courson asked the state agency to investigate in December.</p>
</blockquote>
<p>Looking at <a href="hibf:/pd/4870-echols-county-ga-so/operator/0004L8?sort=date_desc">“A.”'s Operator Insights page</a> reveals a similar pattern as
Steffman’s:</p>
<ul>
<li>Days Active: 91</li>
<li>Total Searches: 691</li>
<li>Unique Plates: 36</li>
<li>Unique Reasons: 3</li>
<li>Account Sharing Candidate (Temporal entropy: 2.794)</li>
</ul>
<p>Her favorite reason to use is “Case”.</p>
<p><img src="https://footnote4a.org/blog/ga-misuse/a-target.png" alt="A.'s Surveillance Target list" width="500"></p>
<p>The Surveillance Target List looks eerily similar too, with the location history
for one plate being pulled 205 times over 124 days.</p>
<p>The data on the insights page, even at a glance, is suggestive of improper use.</p>
<h2>The Null Hypothesis: A System Feature?</h2>
<p>When analyzing this much data, one must consider the Null Hypothesis: that these
patterns are not evidence of stalking, but “noise” or software artifacts.</p>
<p>Perhaps “Temporal Entropy” indicates a disorganized shift schedule, or maybe
“411 searches of one plate” is how a specific investigative workflow functions.</p>
<p>However, the nature of the data makes that difficult to accept.</p>
<p>Hundreds of searches for vague reasons is by its nature suspicious. While it’s
conceivable that a few officers would be tracking someone 24/7 for legitimate
investigative purposes, logic dictates that police work in shifts more than the
data suggests.</p>
<p>Is 400 searches for a single plate for the reason “sus” hard evidence of
anything? No. Should it be investigated? Yes.</p>
<h2>Flock’s Fix</h2>
<p>In addition to analytical tools and blog posts, this website also exists to give
stalking victims a way to discover they’re being targeted: if you enter your
license plate <a href="/">on the main page</a> and your ex’s name comes up 411 times for
“inv”, odds are you are a victim of criminal stalking.</p>
<p>So what does Flock do in response?</p>
<p>It has <a href="https://footnote4a.org/news/colwell-files">removed names and license plates from network audit
logs</a>.</p>
<p>By redacting this information, Flock is making it impossible for external
auditors, including other police departments and stalking victims, to flag
suspicious behavior.</p>
<p>That, the company argues, would jeopardize “officer safety.”</p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="footnote1" class="footnote-item"><p>The number (between 0 and 3.18) indicates “around the clock” activity. The higher the number,
the more usage is spread out over the day rather than concentrated in certain hours (e.g. daytime)
<a href="hibf:/sharing-candidates">Read more here</a>. <a href="#footnote-ref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote2" class="footnote-item"><p>Maybe 005 was his badge number? We can only guess. The reason was “005.” <a href="#footnote-ref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="footnote3" class="footnote-item"><p>The numbers, however, may be somewhat skewed <a href="https://footnote4a.org/news/secret-searches">because of redactions</a>. <a href="#footnote-ref3" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[Two Colorado cities abandon Flock oversight]]></title>
            <link>https://footnote4a.org/news/colorado-oversight</link>
            <guid isPermaLink="false">https://footnote4a.org/news/colorado-oversight</guid>
            <pubDate>Wed, 07 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Denver operates Flock cameras without a finalized contract. Boulder admits it won't audit search logs. Colorado's open records laws make oversight nearly impossible.]]></description>
            <content:encoded><![CDATA[<p>While Boulder admits to not performing any oversight, Denver has taken corporate mass surveillance
to the next level: the Mile High City allows Flock to operate its network without any contractual
safeguards whatsoever. After the city’s contract expired in October 2025, media reports that
<a href="https://www.9news.com/article/news/local/denver-new-flock-contract/73-e6f78040-f4f1-4148-95ed-63ad4138c6f4">the city’s mayor has signed a new contract</a>. That turns out not to be the whole truth:
there is no new contract.</p>
<p>The transition from public oversight to private operation has created a “surveillance black box”
where the legal safeguards promised by officials simply fail to materialize.</p>
<h2>Denver goes Private</h2>
<p>After a series of <abbr class="md-tooltip" data-tooltip="Colorado Open Records Act">CORA</abbr> requests, in which the Denver City Attorney bizarrely claimed not to be the
custodian of his own records, Denver Public Safety provided a stack of non-responsive documents,
Denver Technical Services claimed not to have a copy, and the Mayor outright ignored the request,
the City Auditor’s office finally wrote: “The city and county of Denver does not release contracts
that are being negotiated. If the contract does become final, it then can be released.”</p>
<p>The City Attorney’s Office, meanwhile, claimed it is “not the ‘custodian’” of the contract—despite
the Denver City Charter requiring that office to prepare and approve all city contracts. The
Department of Public Safety provided only the expired agreement, which terminated October 30, 2025,
and declined to produce the extension the mayor announced three weeks earlier.</p>
<p>The various creative denials appear to agree on one thing: the contract is not final and effective,
despite <a href="https://www.9news.com/article/news/local/denver-contract-extension-flock/73-7e60c226-ca74-4d4e-8ae0-2eb2b386fb90">previous announcements from the mayor’s office</a> heavily implying that it is.</p>
<p>This of course comes after the city <a href="https://www.9news.com/article/news/local/local-politics/denver-contract-flock-ai-drones-police-calls/73-0bcdc6c4-e98a-41bc-bd7d-7186260a2735">subscribed to Flock’s drone service without telling its
own surveillance task force</a>.</p>
<p>Although substantial public funds were used to install more than a hundred cameras, Flock still owns
them, and now appears to be operating them entirely outside of any active government contract.</p>
<p>This stands in stark contrast to the mayor’s statement, which claimed Flock would be <a href="https://www.denver7.com/news/front-range/denver/denver-bans-sharing-of-license-plate-reader-data-with-the-feds-as-part-of-five-month-flock-contract-extension">subject to
penalties</a> if the company shared data with federal authorities, in violation of Colorado law.</p>
<p>Although there are restrictions on what and how Colorado state and local agencies can share
information with the federal government, there appear to be no laws that prohibit Flock, a private
corporation, from disseminating that same data. Without a contract, there is nothing to stop the
company from selling the data to ICE or other interested third parties.</p>
<p>Denver residents are now in the worst of both positions: taxpayer funds paid for the infrastructure,
but no taxpayer-enforceable agreement governs how it operates. The city has outsourced surveillance
to a private company and then removed itself from the chain of accountability entirely.</p>
<p>If Flock shares data with federal agencies tomorrow, Denver has no contractual remedy. If the
mayor’s promised penalties exist anywhere, they aren’t in a signed document the city is willing to
produce.</p>
<h2>Boulder Abandons Oversight</h2>
<p>Meanwhile in Boulder, in response to a request for a month of network audit logs, BPD puts a couple
of interesting statements together:</p>
<blockquote>
<p>Given the scope of your request, we cannot, and will not, contact each individual agency listed to
inquire as to the status of their investigation as that would cause “unnecessary interference with
the regular discharge of the duties of the custodian or their office” (C.R.S. §24-72-304(1)). …
We are providing the requested records, but the names of the law enforcement personnel, associated
license plate numbers, case numbers, and reasons for the request are redacted as the release of
this information would be contrary to public interest.</p>
</blockquote>
<p>BPD admits here that it doesn’t know what’s in the search logs and it has no intention of auditing them.</p>
<p>None of this lines up with <a href="https://bouldercolorado.gov/services/flock-safety-cameras-and-boulder-police-department">statements on its public website</a>:</p>
<blockquote>
<p>The Boulder Police Department uses Flock solely for legitimate law enforcement purposes, including
criminal investigations, finding missing or endangered persons, Amber Alerts, and tracking stolen
vehicles. Officers must have a clear justification for any search they run.</p>
</blockquote>
<p>BPD does not know if this is how the cameras in Boulder are being used by other departments.</p>
<blockquote>
<p>All requests to share access to our data must be approved by a supervisor, logged, and tracked
through strict audit trails.</p>
</blockquote>
<p>But BPD will never look at these audit trails.</p>
<blockquote>
<p>Each user must have a unique login, and there is a complete audit trail of all searches conducted
in the system.</p>
</blockquote>
<p>Either BPD did not intend this statement to apply to users with access from outside BPD, or it
shows why BPD should examine its “complete audit trail.” Account sharing is rampant.</p>
<blockquote>
<p>Multiple safeguards protect against misuse: supervisory approval is required for external data
sharing and all searches are logged.</p>
</blockquote>
<p>This is not much of a safeguard when nobody looks at the logs.</p>
<blockquote>
<p>Flock’s focus on legitimate law enforcement purposes, combined with their willingness to implement
features like automatic blocking of immigration-related searches and enhanced audit controls,
aligns with Boulder’s commitment to responsible policing and community values.</p>
</blockquote>
<p>This “blocking” is a keyword-based warning notice that isn’t logged. A user can enter a different
reason, or enter no meaningful reason at all, and try again. BPD will never use the “enhanced audit
controls” (whatever those may be) to question whether “inv” is an immigration search.</p>
<p>There is no oversight.</p>
<h2>Colorado’s Open Records Laws are Broken</h2>
<p>As an Iowan, my experience with the Colorado Open Record Act (<abbr class="md-tooltip" data-tooltip="Colorado Open Records Act">CORA</abbr>) is limited. I find Iowa’s open
records act frustrating, because it is widely ignored and not enforced by state agencies, but <abbr class="md-tooltip" data-tooltip="Colorado Open Records Act">CORA</abbr>
turns out to be fundamentally broken.</p>
<p>In a bizarre twist, whether a public record should be released depends more on who holds the record
than on what the record is or contains. In addition to Denver’s outlandish ideas on custodianship,
which I doubt would survive a court hearing if challenged, there is a brokenness to <abbr class="md-tooltip" data-tooltip="Colorado Open Records Act">CORA</abbr> in that
records held by police are not governed by <abbr class="md-tooltip" data-tooltip="Colorado Open Records Act">CORA</abbr>, but by the Colorado Criminal Justice Records Act (<abbr class="md-tooltip" data-tooltip="Colorado Criminal Justice Records Act">CCJRA</abbr>).</p>
<p>The <abbr class="md-tooltip" data-tooltip="Colorado Criminal Justice Records Act">CCJRA</abbr> sets no deadlines and allows a high level of discretion for agencies on whether to release
records. As you can tell from Boulder’s response, which took nearly two months, we can’t trust
police with that type of discretion.</p>
<p>The <a href="https://coloradofoic.org/">Colorado Freedom of Information Council</a> is pushing for changes to the law.</p>
<p><strong><a href="https://coloradofoic.org/open-government-guide/#Colorado_Criminal_Justice_Records_Act">Read Colorado FOIC’s Guide to the Criminal Justice Records Act</a></strong></p>
<p>If you’re in Colorado, or even if you’re not, please consider making a donation to the Colorado FOIC
or supporting their work to get this flawed piece of legislation fixed.</p>
<p>Without transparency, BPD and Flock have to perform their own audits.</p>
<p>They have already said they “cannot and will not.”</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA["Official Police Business Only" Now Covers City Planning]]></title>
            <link>https://footnote4a.org/news/official-use-only</link>
            <guid isPermaLink="false">https://footnote4a.org/news/official-use-only</guid>
            <pubDate>Mon, 22 Dec 2025 22:00:00 GMT</pubDate>
            <description><![CDATA[The dropdown says more than the contract does.]]></description>
            <content:encoded><![CDATA[<p>With another massive security incident published, Flock announces another feature to hamper
transparency and prevent oversight. Apparently, all we need to do to fulfill the company’s stated
mission to eliminate crime is hide the evidence.</p>
<blockquote>
<p>Flock has never been hacked. Ever. … It’s tough every day waking up to stories online that are
misleading and only represent one side of the story, —
<a href="https://footnote4a.org/news/staunton-attack">Emails to Staunton, VA</a>, Garrett Langley, Flock CEO, December 8–10, 2025.</p>
</blockquote>
<p><a href="https://www.404media.co/flock-exposed-its-ai-powered-cameras-to-the-internet-we-tracked-ourselves/">Flock cameras are open for live viewing and footage downloading to anyone on the Internet</a>. No
hacking required, just type in the address; it’s one way to protect your “never been hacked” track
record. Benn Jordan brings the receipts in his video titled &quot;<a href="https://www.youtube.com/watch?v=vU1-uiUlHTo">This Flock Camera Leak is like Netflix
For Stalkers&quot;</a>.</p>
<p>But, this post is about a smaller, but still significant, post on Flock’s own blog. It’s a
screenshot included in Josh Thomas’ December 10, 2025, post titled “Offense Type Dropdown: A
Simpler, More Accurate Audit.”</p>
<p class="float-right mx-4"><img src="https://footnote4a.org/blog/official-use-only/reasons.png" alt="Dropdown showing 'City Planning/Traffic Analysis'" width="200"></p>
<p>In the blog post, Flock announces “a new, required step in every ALPR Search: Offense Type
Dropdowns,” noting “The existing Search Reason field will still be available as an optional place to
add extra detail.”</p>
<p>With this modification, Flock has materially altered its service. Cities and the public were told
“we require users to enter a reason for every search.” Even where contracts which were signed
following a democratic process, <a href="https://footnote4a.org/news/coralville-contract">which excludes quite a few contracts</a>,
Flock has thrown that democratic authorization in the dumpster and substituted its own judgment.</p>
<p>Of course, the “reason” field <a href="hibf:/reason-cloud">was always compliance theater</a>, and there is no
evidence to suggest that agencies regularly audit any search logs. Flock implemented warning popups
to suggest users select another reason when they enter terms like “immigration,” but it’s safer to
simply not to even offer the option.</p>
<p>The screenshot, however, shows a more direct violation of Flock’s prior terms of service. Although
the terms vary based on the contract (<a href="https://footnote4a.org/news/trojan-contracts">at least, for now</a>), the older
contracts prohibit use of the system other than for a “permitted purpose”:</p>
<blockquote>
<p>The purpose for usage of the equipment, the Services and support, and the Flock IP is solely to
facilitate gathering evidence that could be used in a criminal investigation by the appropriate
government agency and not for tracking activities that the system is not designed to capture
(“Permitted Purpose”) — July 2023.</p>
</blockquote>
<p>This language also appears to be what Flock CEO Garrett Langley references in <a href="https://www.politico.com/newsletters/digital-future-daily/2025/12/22/the-ceo-of-flock-downloads-on-his-surveillance-cameras-00703165">a December 22
interview with Politico</a>, when responding to the question “Do you worry about flock being
used for dragnet surveillance? For example, police identifying all the cars in the vicinity of a
protest?”</p>
<p>Langley falsely claims:</p>
<blockquote>
<p>Our contracts mandate that our products can only be used for criminal investigations. What you’re
describing, would be based on an issue that you might not trust your local police department.
[…] The police chief reports to a city council, a mayor, a city manager. My expectation is that
if a police department was violating the Constitution or local legislation, that those individuals
would be held accountable.</p>
</blockquote>
<p>Aside from misplaced optimism about accountability without transparency, the language he references
no longer appears in newer contracts. Flock has cut the “investigative purpose” language entirely:</p>
<blockquote>
<p>“Permitted Purpose” means for legitimate public safety and/or business purpose, including but not
limited to the awareness, prevention, and prosecution of crime; investigations; and prevention of
commercial harm, to the extent permitted by law. — May 2025.</p>
</blockquote>
<p>“<a href="hibf:/reason-cloud">Investigations</a>” by itself, without further context, is now a permitted purpose.</p>
<p>It’s a loophole so big you could park a truck in it, but even then, it’s difficult to reconcile
“City Planning/Traffic Analysis,” with public safety, business, or investigation.</p>
<p>Yet, it is an option in Flock’s “investigative purpose” dropdown.</p>
<p>Flock is quick to claim “local decisions” whenever misuse is documented, or to offload its own
responsibility onto public oversight that its own products actively prevents.</p>
<p>This latest feature is yet more evidence that the company is not passive: it actively facilitates
improper use of its systems, for purposes no city council approved.</p>
<p>This is the same company now asking cities to
<a href="https://footnote4a.org/news/trojan-contracts">sign contracts it can rewrite at will</a>.</p>
<p>The dropdown is the tell: Flock decides what the system is for. Your city council just pays for it.</p>
<p>5</p>
]]></content:encoded>
            <author>hcvp@haveibeenflocked.com (H.C. van Pelt)</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
        <item>
            <title><![CDATA[The Flock Camera Data Does Not Enable an Individual to "Infer"]]></title>
            <link>https://footnote4a.org/news/flock-infer</link>
            <guid isPermaLink="false">https://footnote4a.org/news/flock-infer</guid>
            <pubDate>Sun, 02 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Courtesy of Flock's lawyers in Schmidt v. Norfolk.]]></description>
            <content:encoded><![CDATA[<p><img src="https://footnote4a.org/blog/flock-infer.png" alt="Redacted page"></p>
]]></content:encoded>
            <author>Have I Been Flocked Team</author>
            <category>editorial</category>
            <category>policy-legal</category>
        </item>
    </channel>
</rss>