Lorem Ipsum Is the Most Honest Thing on Flock's Trust Center
Flock launched a half-finished Trust Center full of placeholder text and unvetted claims — an unintentional demonstration of the access control failures it was built to deny.
Flock has been repeatedly criticized — by myself and others — for not adhering to the basic principles of security, let alone the actual requirements set out by federal regulations and security frameworks like ISO27k1 and SOC2. There have been multiple incidents where production data has been used and leaked in development, or vice versa. Flock refuses to acknowledge or learn from past mistakes. To assuage our fears about control failures, it has now launched the development version of its new Trust Center to production.
Its newly-launched Trust Center answers such hard-hitting questions as “Is this mass surveillance?” with:
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Though, to be fair, that answer is better than the complete fabrication elsewhere on its page that says “Flock does not operate a centralized or open surveillance database. Each customer environment is independent.”
The meaning of “centralized database” is clearish — Flock likely tries to distinguish it from a decentralized database. In this case, that claim is similar to claiming your kitchen is not a centralized place for your pots and pans because you have multiple cupboards.
“Global database” is equally almost-apparent. What the new term “open database” (it also appears on another page) is supposed to mean is murky. Maybe it will clarify later, or maybe the murkiness is the point.
In any case, it will be interesting to see what elements survive contact with the legal team. One page makes claims about academic research partnerships and third-party audits — neither appears to exist in any meaningful way:

Another page claims that the GDPR is “The world’s strictest standard for data privacy.” Which is not only incorrect, but shows a complete lack of understanding of what GDPR actually is and how it works (it is a regulation that sets a floor, not a ceiling — member states can and do impose stricter requirements).
Anyway …
The fact that a half-finished set of pages found their way to production is embarrassing but not, in itself, a major issue. I can’t judge that too harshly because I pretty much develop in production all the time.
Where it becomes an issue is when you’re looking at organization-wide controls and data governance, as in SOC2 or ISO27k1, which Flock cites in support of its being deserving of trust.
These are essentially wireframed pages. Who deployed them to production? The answer to that question is almost certainly some web developer or marketing associate working on the page layout and design.
Did Legal or Compliance approve statements like “Lorem ipsum” for public consumption? My magic 8-ball says “absolutely not.” Did the product team review the system description for accuracy? “Try again.”
The release of these pages is a symptom of Flock’s broader problem: it fails to implement meaningful controls on access while claiming it has them in its marketing materials. This page is one example.
Another is this screenshot from a video showing a Flock customer service representative with full access to the admin interface for what appears to be every single Flock customer:

According to Flock’s lorem-ipsum-heavy Trust Center, we are looking at independent customer environments with proper access controls, and definitely not a centralized or open surveillance database where a low-level Flock employee can click a button to obtain access.
The secondary problem in that screenshot (there are more in the complete video, but more on that later) is that Flock apparently classified the Olympia Fields IL Park District as “Law Enforcement.”
Presumably that means that it has access to the database that stores information from Flock’s national network of 250,000+ cameras (more on that later too).
This is a problem because the Park District does not appear to be a law enforcement agency at all — it manages playgrounds, picnic shelters, and a disc golf course.[1]
But once again, nobody appears to have caught the error, despite all the safeguards, constraints, audits, and controls that Flock touts in its trust centers, old and new.
An agency has access to data it’s not supposed to have, which shows up in a video recorded by someone who can access data they’re not supposed to have access to. The Trust Center, which was also published by someone who should not have published it to an environment they should not have access to, says everything is fine.
Flock can’t be trusted. No amount of lorem ipsuming will change that.
[1] Park Districts in Illinois are independent municipal corporations that can employ police officers, but only a handful do so — Olympia Fields Park District does not appear to be one of those few.