404 Media

2026-01-27 14:26:59

Police Told to Be ‘as Vague as Permissible’ About Why They Use Flock

Police officers are being told to “be as vague as permissible” about why they are using the Flock surveillance system in order to not leak sensitive information via public records requests, according to records obtained using a public records request. The warning originated from a Houston-area police intelligence center that includes members of the FBI and ICE and suggests without evidence that people are using a website called HaveIBeenFlocked.com to “potentially retaliate against law enforcement.”

The warnings were shared with 404 Media by researchers from Southerners Against Surveillance Systems and Infrastructure and Lucy Parsons Lab after our article about police unwittingly leaking the details of millions of surveillance targets nationwide due to public records redaction errors made by several Flock automated license plate reader system customers. This data was aggregated into a searchable tool called HaveIBeenFlocked.

Rather than looking at this incident as a huge operational security failure associated with using a massive commercial surveillance system, police see this as something that puts their officers directly in harm’s way. The data released by police departments includes the agency doing a search, the officer’s name, time of search, the license plate searched, and a “reason” field, which is the justification for doing a specific search.

In an “Officer Safety Situational Awareness Bulletin,” the Houston Investigative Support Center, an intelligence apparatus consisting of members of Houston-area police departments, the FBI, the Drug Enforcement Administration, and Immigration and Customs Enforcement’s Homeland Security Investigations told members that HaveIBeenFlocked “poses a significant officer safety risk to law enforcement personnel because suspects can determine if they are the target of an investigation and potentially retaliate against law enforcement and/or those cooperating with law enforcement.”

It goes on to say in a “recommendations for Flock Users/Agency Administrators” section that “Flock Administrators should ensure that the reason for the query be as vague as permissible,” with a suggestion being that cops just write “investigation” as the reason for a search.

"A group of self-styled privacy advocates have filed a series of Freedom of Information Act (FOIA) requests with law enforcement agencies around the country to obtain agency Flock audit logs," the warning reads. "The Flock system itself has not been compromised. Currently, this information appears to be coming from Washington State, Colorado, California, Georgia, Illinois, and Virginia. Agencies in these states held data from other jurisdictions pertaining to inquiries that had been made against the national Flock platform. The data on the website is not 'real time' and, as of December 8, 2025, the most recently confirmed data appeared to be from late October 2025."

A member of the FBI also sent the warning from the Houston Investigative Support Center to Atlanta-area police, according to an email obtained via public records request and shared with 404 Media. In another email, the Georgia Bureau of Investigation-GISAC, which is an Atlanta-area fusion center, issued a similar warning and said that a fusion center in Illinois had done the same. Fusion centers are intelligence sharing centers in which state and local police partner with federal agencies. "This website, and others like it, poses obvious risks to officer safety, operational security, and investigative integrity. Do not use your department systems to check these sites, as their ability to pull data and leave behind code is suspect." This email also warns agencies they "should consider reviewing their current license plate reader permissions and seek guidance from their respective customer service representative for any software they have."

The Georgia fusion center warning was then further shared by a member of the United States Department of Justice, the emails show.

The flurry of warnings highlight just how bad of an operational security screwup Flock's information sharing design was, leaving the investigations of thousands of police departments vulnerable to a redaction error by any single one of its customers. It further highlights how law enforcement see themselves as being consistently and universally under threat from the people it is supposed to protect. This is a narrative we have seen tragically play out in Minneapolis as legal observers shot dead in the streets by ICE have been branded "domestic terrorists" who were threatening ICE agents by the Trump administration despite video evidence showing this was not the case.

ICE has also been obsessed with not revealing the identity of its officers, with its agents wearing masks during raids, refusing to give their names or ID numbers, and the agency refusing to reveal the names of agents during court proceedings. The warnings issued by fusion centers about Flock show that this obsession with secrecy and officer anonymity is filtering down to the state and local level, because Flock is most often used by local police.

The suggestion that officers should be as “vague as permissible” about why they are using Flock is also a problem. Police currently do not get a warrant to use Flock, and have revealed that they use it for legitimate investigations, but also for all sorts of other purposes. Flock search audit logs have been used to reveal officers who have used the system to allegedly illegally stalk people and have been used to reveal informal cooperation between local police and ICE, as well as the search for a woman who had an abortion. We revealed last year that some of these searches were illegal in some states where they were conducted. An analysis by the Electronic Frontier Foundation, meanwhile, showed that many police officers do not put any reason at all for their Flock search.

Flock Officer Safety-Situational Awareness Bulletin - Houston HIDTA - December 2025 Redacted | DocumentCloud

DocumentCloud

Police Said They Surveilled Woman Who Had an Abortion for Her 'Safety.' Court Records Show They Considered Charging Her With a Crime

Court records show that the narrative Flock and a Texas Sheriff's Office has told the public isn't the whole story, and that police were conducting a 'death investigation' into the abortion.

^{Jason Koebler (404 Media)}

404 Media

2026-01-14 15:29:17

Cop Used Flock to Wrongfully Accuse a Woman Then Refused to Look at Evidence That Exonerated Her, Body Camera Shows

A police officer in Colorado used evidence from Flock cameras to wrongfully accuse an innocent woman for package theft, then yelled at her on the phone when she told him she had evidence that exonerated her, according to body camera footage obtained by 404 Media.

The nightmare situation happened in September in Columbine Valley, Colorado and was first reported by The Colorado Sun, which obtained Ring camera footage from the woman, Chrisanna Elser, that showed an initial interaction with Sergeant Jamie Milliman at her home. 404 Media has obtained body camera footage of that interaction as well as footage from a phone call Milliman made to Elser after he gave her a court summons.

The incident highlights not only the extreme extent to which America’s cities and towns are surveilled, but also the fact that police believe this surveillance evidence, which in this case was used to wrongfully summons Elser to court, is infallible and bulletproof. It also shows that anyone can be caught in America’s surveillance dragnet; there is no safety in the idea that you have nothing to worry about if you have nothing to hide.

“You know we have cameras in that town. You can’t get a breath of fresh air in or out of that place without us knowing,” Milliman told Elser and her husband at her home, referring to Flock automated license plate reader cameras in the nearby town of Bow Mar. He then told her the town’s Flock cameras had recorded her vehicle entering and leaving the town 20 times in the last month, including on Tuesday, September 22 “from 11:52 until 12:09, exactly,” he said. “Like I said, nothing gets in or out of the town without us knowing about it … I have you on camera walking up, ringing the doorbell, taking the package, and literally running away. I have you on camera doing this … I get that this is a shock to you, but I am telling you, this is a lock, 100 percent no doubt she did this.”

But Elser didn’t do it. Elser was visiting her tailor’s home for a dress fitting, and didn’t steal the package. She had her Ring camera footage from her tailor’s house and footage from her Rivian vehicle to show that she didn’t steal the package, which she told Milliman on a phone call obtained by 404 Media.

“Why don’t you come on down and look at the video?” Elser said. Milliman refused to look at the video, and said “The next person you can tell is the judge or your lawyer. This is how this works. The judge or your lawyer.”

Elser asked to speak to his supervisor.

“I am the supervisor. That is it. There is no one else to talk to,” he said. “It is on camera many times. You’ve been served a summons … I will bring all of my evidence, the many, many, many, many videos, and you can bring yours. And if a judge says you didn’t do it then you didn’t do it.”

“What are going to be the repercussions when this is proven incorrectly and you’re wasting my fucking time?” Elser’s husband told Milliman on the call.
youtube.com/embed/oBDuW7gCczs?…
Elser and her husband also asked Milliman to show them the evidence he had, or to answer basic questions such as what the woman on the Flock cameras was wearing in the department’s video footage. “You’ll have to go to court for this information,” he said. “I can tell you. I am not going to tell you. I can tell you, but I am not going to tell you.”

“I’m going to go to the local police department,” Elser said.

“This is the local police department. I am the jurisdiction,” he responded.

“I want to talk to somebody today,” Elser said.

“Well, that is not going to happen. It’s not going to happen,” Milliman said.

“Yes, it can happen,” Elser said.

“I didn’t say it couldn’t happen. I said it’s not going to happen,” he said.

“No, no, it can happen,” Elser said.

“I agree it can, but it’s not going to,” he said. “You’re not talking to anybody else.”

Elser continues to explain that she has footage from her vehicle showing where she was, and that she was at her tailor’s house, not stealing a package.

“By the way, if your truck has GPS, I will simply request records from Rivian and do a court order to have those sent to me. I don’t care where your truck was. I care where you were. Your truck didn’t take the package, you did. Do you understand that? Your truck did not ring the doorbell. Your truck did not walk away with the package. You did. It doesn’t matter where the truck was. It matters where you were.”

“But you’re showing me a picture of my truck,” Elser said. “You didn’t show me a picture of me.”

Later in the conversation, Milliman says “I have been doing this for 27 years. I have probable cause because I saw you. You can laugh and giggle all you want, but I have video of you. This is going nowhere because you’re not being truthful with me. If you want to be truthful with me, you know how to get a hold of me. Other than that, you have a good rest of your day.” He then hangs up the phone.
youtube.com/embed/Yz16swILvzE?…
Milliman was disciplined with “extra training” after the incident, according to The Colorado Sun. A reprimand letter given to Milliman and obtained by The Colorado Sun noted that he exhibited “rude behavior,” and that his actions were “unprofessional and inconsistent with the standards expected of a sworn officer.” Milliman and the Columbine Valley police department did not respond to a request for comment.

Elser shared an additional voicemail with 404 Media that Milliman left her a day after the call in which he refused to look at her evidence. In this follow-up call, Milliman completely changed his tone and said he would be willing to look at her evidence: “Yesterday when we had talked, you had mentioned that you had some exonerating video and I mentioned you had my email. I would love to see it,” the voicemail says. “In the interest of justice and to make things right, I would love to go above and beyond and see anything that could possibly take away my probable cause for issuing the summons.”

Two weeks later, she sent an email to police chief Bret Cottrell containing evidence from her Rivian's cameras, her tailor's Ring camera, and a detailed timeline of events. Cottrell responded and said that they would be dropping the case: “After reviewing the evidence you have provided (nicely done btw), we have voided the summons that was issued," he wrote. "We have double checks with Jefferson County courts and the case was not yet entered into the system, therefore, there is no record on file. Thank you for getting back to us with the evidence you said you would be able to provide.”

In a phone interview, Elser told 404 Media that it feels like “they’ll talk to convicted murderers and rapists in a nicer way than they’ll talk to me about a $25 package and me saying ‘I have evidence I can show you and we can end this.’”

She said that she eventually saw video of the person taking the package.

“From a distance, I’m like, ‘kind of it was like my outfit I was wearing at the time,’ but my truck isn’t there at all, she had a shaved head, she’s much younger, had earrings on and all that,” she said. Elser said that before this experience, she was “very big on surveillance, and knowing we have cameras in our house because if something happens, I wanna know how it happens. Maybe not even a crime against me, but maybe my animals knocked something over and I wanted to know who.” She said that she has dash cams because she’d been involved in multiple hit-and-run car accidents.

“Honestly, I was one of those people that believed, ‘well, if you’re not doing anything wrong, what’s the big deal?’ But here’s a situation where I was doing absolutely nothing wrong, and I almost lost my entire career over this,” she said. “I’ve lost trust for law enforcement … I mean I love the Flock stories where they help out with saving a kid, and I look at them and go ‘yeah, you did that, but you’re not using the technology right.’”

“The overreach of this technology is the biggest concern. Just having it out there is scary, it’s too much,” she added. “It’s changed my mind immensely.”

Colorado officer who used AI cameras to falsely accuse woman of theft disciplined with extra training

Columbine Valley’s police chief said the sergeant’s demeanor was “inconsistent with the standards expected of a sworn officer"

^{Olivia Prentzel (The Colorado Sun)}

404 Media

2026-01-13 15:43:09

Police Unmask Millions of Surveillance Targets Because of Flock Redaction Error

A handful of police departments that use Flock have unwittingly leaked details of millions of surveillance targets and a large number of active police investigations around the country because they have failed to redact license plates information in public records releases. Flock responded to this revelation by threatening a site that exposed it and by limiting the information the public can get via public records requests.

Completely unredacted Flock audit logs have been released to the public by numerous police departments and in some cases include details on millions Flock license plate searches made by thousands of police departments from around the country. The data has been turned into a searchable tool on a website called HaveIBeenFlocked.com, which says it has data on more than 2.3 million license plates and tens of millions of Flock searches.

The situation highlights one of the problems with taking a commercial surveillance product and turning it into a searchable, connected database of people’s movements and of the police activity of thousands of departments nationwide. It also highlights the risks associated with relying on each and every law enforcement customer to properly and fully redact identifiable information any time someone requests public records; in this case, single mistakes by individual police departments have exposed potentially sensitive information about surveillance targets and police investigations by other departments around the country.

Flock is aware of the exposure enabled by its own product design and has tried to do damage control with its law enforcement customers by blaming “increased public records act/FOIA activity seeking by the public,” according to an email Flock sent to police obtained via public record request. Flock has threatened Cris van Pelt, the creator of HaveIBeenFlocked, by going after his web hosts and claiming that he has violated their intellectual property rights and is posting information that “poses an immediate threat to public safety and exposes law enforcement officers to danger.” In recent weeks Flock severely limited the amount of information available on its audit logs, which are designed to be a transparency tool, raising questions about how much information journalists, regulators, and government agencies will be able to get about police use of Flock cameras in the future.

“I set up HaveIBeenFlocked to show how pervasive and prevalent this monitoring is, and to show just how many searches are getting done. That information, by itself, is shocking,” van Pelt told 404 Media. “To me, as a private citizen, that’s shocking, and I think that’s kind of what Flock is trying to hide or bury.” van Pelt added that he is committed to keeping the website online.

As 404 Media has reported before, Flock’s automated license plate reader cameras are connected to local, state, and/or national “networks” of cameras. When a police officer runs a search seeking the locations of a specific license plate, they are usually not just searching cameras owned by their own jurisdiction, they are usually searching all Flock cameras in that state or in the country. Each individual search creates a record of that search on as many as 80,000 different cameras around the country.

As a compliance and transparency measure, these search records can be obtained through a “search audit,” which are essentially huge spreadsheets of specific Flock searches that contain not just the searches of local police but of all police who have ever searched that camera. Using this data, we have previously been able to report that local police are regularly giving Immigrations and Customs Enforcement side-door access to Flock cameras, and we also reported that Texas searched tens of thousands of cameras nationwide for a woman who self-administered an abortion. Flock search audits have also been used to catch police who have allegedly illegally stalked people or otherwise abused the system.
An example of what search audits look like. License plate redaction done by 404 Media
Because these search audits are important tools for police transparency and accountability, they have become a popular type of public record to request for journalists, concerned citizens, privacy experts, city councils, and government regulators. In the vast majority of cases, the police departments releasing the search audit files redact the surveillance target’s license plate number. But in recent months, at least four police departments have released full Flock search audits without redacting anything at all, revealing information about a mix of more than a million individual surveillance targets, suspects, and crime victims. This means that any individual Flock customer could accidentally leak the specific search targets for millions of Flock searches nationwide; any single failure point anywhere in the country could dox the police activity and surveillance targets of other police departments elsewhere.

With the license plate information, you can determine not just what police are using Flock for, but who they are using it against. An unredacted search log file obtained by 404 Media shows more than 700,000 individual searches from June 2025 alone, performed by hundreds of law enforcement agencies nationwide, including hundreds of searches performed by US Border Patrol agents. They show the specific date and time of a search, the name of the officer who did the search, sometimes show the specific case number of a search, the police-stated “reason” of a search, as well as the number of Flock cameras searched. Crucially, they also show the license plate, allowing someone to connect a specific license plate and therefore person to reasons like “drug trafficking,” “fugitive,” “narc,” immigration enforcement, “homicide,” “oil and gas theft,” etc. As the Electronic Frontier Foundation found, they also expose the victims of a host of biased policing tactics and dubious searches, including hundreds of searches of “No Kings” protesters, audit log reasons that included “possible gypsy,” and the search for a woman who had a self-administered abortion.

“EFF has had this [unredacted] information but we’ve chosen not to publish it or share it because of concerns about doxing people—our policy is not to release data of surveillance victims,” Cara Gagliano, a senior staff attorney at the EFF, told me.

404 Media has also had unredacted versions of some of these files for months but has not published any of them. At first, just one or two police departments failed to do redactions. In recent weeks, however, it has become clear that many police departments are not redacting license plates; this led van Pelt to create HaveIBeenFlocked.com, a website that collates many of these search audit logs and allows people to search individual license plates to determine if they have been run through the Flock system, and if so, where and when. The number of police departments who have now released fully unredacted logs has become so numerous that it can no longer be ignored, and the releases have caused Flock to drastically reduce the amount of information that can be obtained from a search audit.

Rather than simply making sure that search audits exported for public records requests do not include license plates or are redacted by default, Flock has totally overhauled how the search logs work; in a December email to police customers obtained by 404 Media, Flock said that “to protect officer safety and active investigations, Network Audit Logs will no longer include: officer names, specific plates searched, vehicle fingerprint information.”

To be clear, Flock is not turning on license plate redaction by default: It is fully withholding officer names and license plate information from the police departments themselves.

“Flock is doing their best to have it both ways where they have no responsibility and also no accountability to the communities where their cameras are placed,” Chris Gilliard, privacy expert and author of the forthcoming Luxury Surveillance, told 404 Media. “Shoddy data hygiene by law enforcement is not seen as a threat or danger but accountability and transparency are.”
The letter from Cyble
In recent weeks, Flock, via a third party company called Cyble, has threatened van Pelt by filing bogus intellectual property takedown requests with Cloudflare and Hetzner, two of his web hosts. Takedown requests filed by Cyble state the site “presents a significant security risk to our client and its users. The website poses an immediate threat to public safety and exposes law enforcement officers to danger, in clear violation of our client’s users’ rights and its intellectual property rights. The website publicly and deliberately discloses extensive, sensitive information obtained from Flock and its automated license plate reader systems with the apparent intent to undermine law enforcement operations. It hosts three searchable databases that expose critical operational intelligence. Such disclosure of sensitive data substantially heightens the risk to officers and the public and necessitates urgent remedial action.”

“Please be informed that our client is a renowned company in the US and directly works with government agencies,” it continues. “In view of the above, kindly suspend the services and stop the hosting of the website at the earliest convenience.”

The EFF’s Gagliano told 404 Media that, though the EFF hasn’t published license plate information, “these takedowns are bogus. They’re blatantly misrepresenting saying this data is obtained from Flock—no, it’s data obtained from public records. There are issues around deciding whether you should make it all widely available, but it was received from public government agencies and Flock really doesn’t have much standing to be taken down.”

Cloudflare refused to take action on HaveIBeenFlocked, saying that it “found insufficient evidence of a violation,” according to an appeal email van Pelt shared with 404 Media.

Flock told 404 Media in an email “That website that is doxxing cops during active investigations. Today, we're busy working with journalists to cover the fact that our technology was pivotal in cracking open the case that found the Brown university / MIT serial killer in New England. If you'd like to report the news that matters, we'd be happy to speak to you about bringing justice to victims instead of activists trying to let murderers go free.” Cyble did not respond to a request for comment.

In a December email to police customers titled “What you Need to Know About Recent Online Disclosures,” a Flock executive said “We are aware that agencies across the country, particularly in states with broad public-records laws, are seeing increased PRA/FOIA activity seeking, among other things, LPR search logs. Recently, a third-party website began aggregating search information that has been released through these public-records processes.

We recognize that seeing investigative search activity displayed publicly can raise understandable concerns about officer safety, investigative integrity, community perception, and compliance with state law.”

The email added “To be clear: Flock has not been breached or compromised. We are CJIS compliant. Regardless, we are continuing to make changes to our Product to better protect you and your officers.”

That much is true, because in this case the sensitive material released was taxpayer-funded public records willingly released by police departments around the country.

On the HaveIBeenFlocked website, van Pelt defends his decision to run the site: “This website aggregates and reformats already-public information. This information represents a fraction of what's being shared with Flock and its government, commercial, and private partners on a daily basis,” he wrote. “Policies exist to prevent the release of this information—they are not adhered to. Laws and regulations exist to enforce the policies—they go unenforced. Police, Flock, and politicians have been ignoring these problems for years while your private movements continue to be collected, catalogued, sold and traded.”

“This website exposes the problem because, as the old saying goes, sunlight is the best disinfectant. Law enforcement and legislation are needed to address the cause of the problem, and we highly encourage you to bring this site to the attention of your legislators,” he added. “We believe mass surveillance has no place in a free society, and this data should not be collected to begin with. If it is collected, warrants should be used, lookups should be rare, and police and private parties, like Flock and HaveIBeenFlocked.com, should not be permitted to act without functional restraints or oversight.”

A police accountability advocate who has seen the unredacted search audits but asked to remain anonymous because Flock has suggested such people are attacking the company and the police told 404 Media that the situation highlights broader problems with Flock.

"It could lead one to the conclusion that if that is an unacceptable outcome for customers, maybe they shouldn't be participating in a nationwide surveillance system," they said. "The platform is designed to collect as much data as possible. They want to make that as widely accessible and searchable as possible. They need the network effect so they can continue collecting data for their AI models. So, I struggle with the company’s framing of what’s happened. That framing is an attempt to dodge accountability for what their platform is doing which is collecting data without people's (and often informed elected officials') consent."

Flock going after HaveIBeenFlocked on dubious intellectual property grounds is similar to its strategy against DeFlock, a website that hosts an open source map of ALPR locations.

In a separate December email to Jim Williams, the police chief of Staunton, Virginia, Flock CEO Garrett Langley claimed that public records were being weaponized against the company. Langley claimed the company and police are under “coordinated attack” by activists “trying to turn a public records process into a weapon against you and against us.”

“Flock is building tools to help you fight the real crime affecting communities across the country. Many activists don't like that. Let's call this what it is: Flock, and the law enforcement agencies we partner with, are under coordinated attack. The attacks aren't new. You've been dealing with this for forever, and we've been dealing with this since our founding, from the same activist groups who want to defund the police, weaken public safety, and normalize lawlessness. Now, they're producing YouTube videos with misleading headlines,” Langley wrote. “They're also trying to turn a public records process into a weapon against you and against us. Make no mistake, we're fighting this fight for you, and, I hope, with you. I remain committed to building world-class technology to help you keep your communities safe. And doing so in a transparent, secure, and privacy centric way.”

Williams responded to Langley:

“As far as your assertion that we are currently under attack, I do not believe that this is so. I have dedicated the last 41 years of my life to serving the citizens of the City of Staunton as a police officer, the last 22 as the police chief,” he wrote. “What we are seeing here is a group of local citizens who are raising concerns that we could be potentially surveilling private citizens, residents and visitors and using the data for nefarious purposes. These citizens have been exercising their rights to receive answers from me, my staff, and city officials, to include our elected leaders. ln short, it is democracy in action.”

In a press release, the Staunton called Langley’s email “unsolicited” and said “The City of Staunton wants to make it clear that the Flock Safety CEO’s narrative does not reflect the city’s values.” Staunton canceled its Flock contract days later.

Flock Threatens Open Source Developer Mapping Its Surveillance Cameras

The surveillance camera company Flock sent DeFlock a cease-and-desist. DeFlock is fighting back.

^{Jason Koebler (404 Media)}

404 Media

2025-12-22 16:05:19

Flock Exposed Its AI-Powered Cameras to the Internet. We Tracked Ourselves

I am standing on the corner of Harris Road and Young Street outside of the Crossroads Business Park in Bakersfield, California, looking up at a Flock surveillance camera bolted high above a traffic signal. On my phone, I am watching myself in real time as the camera records and livestreams me—without any password or login—to the open internet. I wander into the intersection, stare at the camera and wave. On the livestream, I can see myself clearly. Hundreds of miles away, my colleagues are remotely watching me too through the exposed feed.

Flock left livestreams and administrator control panels for at least 60 of its AI-enabled Condor cameras around the country exposed to the open internet, where anyone could watch them, download 30 days worth of video archive, and change settings, see log files, and run diagnostics.

Unlike many of Flock’s cameras, which are designed to capture license plates as people drive by, Flock’s Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles. Condor cameras can be set to automatically zoom in on people’s faces as they walk through a parking lot, down a public street, or play on a playground, or they can be controlled manually, according to marketing material on Flock’s website. We watched Condor cameras zoom in on a woman walking her dog on a bike path in suburban Atlanta; a camera followed a man walking through a Macy’s parking lot in Bakersfield; surveil children swinging on a swingset at a playground; and film high-res video of people sitting at a stoplight in traffic. In one case, we were able to watch a man rollerblade down Brookhaven, Georgia’s Peachtree Creek Greenway bike path. The Flock camera zoomed in on him and tracked him as he rolled past. Minutes later, he showed up on another exposed camera livestream further down the bike path. The camera’s resolution was good enough that we were able to see that, when he stopped beneath one of the cameras, he was watching rollerblading videos on his phone.

0:00
/0:16
1×

The exposure was initially discovered by YouTuber and technologist Benn Jordan and was shared with security researcher Jon “GainSec” Gaines, who recently found numerous vulnerabilities in several other models of Flock’s automated license plate reader (ALPR) cameras. They shared the details of what they found with me, and I verified many of the details seen in the exposed portals by driving to Bakersfield to walk in front of two cameras there while I watched myself on the livestream. I also pulled Flock’s contracts with cities for Condor cameras, pulled details from company presentations about the technology, and geolocated a handful of the cameras to cities and towns across the United States. Jordan also filmed himself in front of several of the cameras on the Peachtree Creek Greenway bike path. Jordan said he and Gaines discovered many of the exposed cameras with Shodan, an internet of things search engine that researchers regularly use to identify improperly secured devices.
youtube.com/embed/vU1-uiUlHTo?…
After finding links to the feed, “immediately, we were just without any username, without any password, we were just seeing everything from playgrounds to parking lots with people, Christmas shopping and unloading their stuff into cars,” Jordan told me in an interview. “I think it was like the first time that I actually got like immediately scared … I think the one that affected me most was as playground. You could see unattended kids, and that’s something I want people to know about so they can understand how dangerous this is.” In a YouTube video about his research, Jordan said he was able to use footage pulled from the exposed feed to identify specific people using open source investigation tools in order to show how trivially an exposure like this could be abused.
Benn Jordan
Last year, Flock introduced AI features to Condor cameras that automatically zoom in on people as they walk by. In Flock’s announcement of this feature, it explained that this technology “zooms in on a suspect exiting one car, stealing an item from another, and returning to his vehicle. Every detail is captured, providing invaluable evidence for investigators.” On several of the exposed feeds, we saw Flock cameras repeatedly zooming in on and tracking random people as they walked by. The cameras can be controlled by AI or manually.

The exposure highlights the fact that Flock is not just surveilling cars—it is surveilling people, and in some cases it is doing so in an insecure way, and highlight the types of places that its Condor cameras are being deployed. Condor cameras are part of Flock’s ever-expanding quest to “prevent crime,” and are sometimes integrated with its license plate cameras, its gunshot detection microphones, and its automated camera drones.

Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, told me the behavior he saw in videos we shared with him “shows that Flock's ambitions go far beyond license-plate surveillance. They want to be a nation-wide panopticon, watching everyone all the time. Flock's goal isn't to catch stolen cars, their goal is to have total surveillance of everyone all the time."

0:00
/1:03
1×

The cameras were left not just livestreaming to the internet for anyone who could find the link, but in many cases their administrative portals were left open with no login credentials required whatsoever. On this portal, some camera settings could be changed, diagnostics could be run, and text logs of what the camera was doing were being streamed, too. Thirty days of the camera’s archive was left available for anyone to watch or download from any of the cameras that we found. We were not able to geolocate every camera that was left unprotected, but we found cameras at a New York City Department of Transportation parking lot, on a street corner in suburban New Orleans, in random cul-de-sacs, in a Lowes parking lot, in the parking lot of a skatepark, at a pool, outside a parking garage, at an apartment complex, outside a church, on a bike path, and at various street intersections around the country.

Quintin told me the situation reminds him of ALPR cameras from another company that were left unprotected a decade ago.

“This is not the first time we have seen ALPRs exposed on the public internet, and it won't be the last. Law enforcement agencies around the country have been all too eager to adopt mass surveillance technologies, but sometimes they have put little effort into ensuring the systems are secure and the sensitive data they collect on everyday people is protected,” Quintin said. “Law enforcement should not collect information they can’t protect. Surveillance technology without adequate security measures puts everyone’s safety at risk.”

It was not always clear which business or agency owned specific cameras that were left exposed, or what type of misconfiguration led to the exposure, though I was able to find a $348,000 Flock contract for Brookhaven, Georgia, which manages the Peachtree Creek Greenway, and includes 64 Condor cameras.

"This was a limited misconfiguration on a very small number of devices, and it has since been remedied," a Flock spokesperson told 404 Media. It did not answer questions about what caused the misconfiguration or how many devices ultimately were affected.

💡
Do you know anything else about surveillance? I would love to hear from you. Using a non-work device, you can message me securely on Signal at jason.404. Otherwise, send me an email at jason@404media.co.

In response to Jordan and Gaines’ earlier research on vulnerabilities in other Flock cameras, Flock CEO Garrett Langley said in a LinkedIn post that “The Flock system has not been hacked. We secure customer data to the highest standard of industry requirements, including strict industry standard encryption. Flock’s cloud storage has never been compromised.” The exposure of these video feeds is not a hack of Flock’s system, but demonstrates a major misconfiguration of at least some cameras. It also highlights a major misconfiguration in its security that persisted for at least days.

“When I was making my last video [about Flock ALPR vulnerabilities], it was almost like a catchphrase where I'd say like, ‘I don't see how it could get any worse.’ And then something would happen where you'd be like, wow, they pulled it off. They made it worse,” Jordan said. “And then this is like the ultimate one. Because this is completely unrelated [to my earlier research] and I don’t really know how it could be any worse to be honest.”

In a 2023 video webinar introducing the Condor platform to police, Flock executives said the cameras are meant to be paired with their ALPR cameras and are designed to feed video to FlockOS, a police panel that allows cops to hop from camera to camera in real time across a mapped-out view of their city. In Bakersfield, which has 382 Flock cameras according to a transparency report, one of the Condor cameras we saw was located next to a mall that had at least two Flock ALPR cameras stationed at the entrances to the mall parking lot.

Kevin Cox, a Flock consultant who used to work for the Grand Prairie, Texas Police Department, said in the webinar that he built an “intel center” with a high “density” of Flock cameras in that city. “I am passionate about this because I’ve lived it. The background behind video [Condor] with LPR is rich with arrests,” he said. “That rich experience of seeing what happened kind of brings it alive to [judges]. So video combined with the LPR evidence of placing a vehicle at the scene or nearby is an incredibly game changing experience into the prosecutorial chain of events.”

“You can look down a tremendous distance with our cameras, to the next intersection and the next intersection,” he said. “The camera will identify people, what they’re wearing, and cars up to a half a mile away. It’s that good.”

0:00
/0:08
1×

Condor cameras in a Flock demo showing off its AI tracking features

In the webinar Cox pulled up a multiview panel of a series of cameras and took control of them, dragging, panning, and zooming on cameras and hopping between multiple cameras in real time. Cox suggested that police officers could either use Flock’s cameras to pinpoint a person at a place and time and then use it to request “cell tower dumps” from wireless companies, or could use cell GPS data to then go into the Flock system to track a person as they moved throughout a city. “If you can place that person’s cell phone and then the Condor video and Falcon LPR evidence, it would be next to impossible to beat that in court,” he said, adding that some towns may just want to have always-on, always recording video of certain intersections or town squares. “There’s endless endless uses to what we can do with these things.”

On the webinar, Seth Cimino, who was a police officer at the Citrus Heights, California police department at the time but now works directly for Flock, told participants that officers in his city enjoyed using the cameras to zoom in on crimes.

“There is an eagerness amongst our staff that are logged in that have their own Flock accounts to be able to monitor our ALPR and pan tilt zoom Condor cameras throughout the community, to a point where sometimes our officers are beating dispatch with the information,” he said. “If there’s an incident that occurs at a specific intersection or a short distance away where our Condor cameras can zoom in on that area, it allows for real time overwatch […] as I sit here right now with you—how cool is this? We just had a Flock alert here in the city. I mean, it just popped up on my screen!”

Samantha Cole contributed reporting.

Introducing Condor Live and Recorded Video

Respond with Confidence with a cutting-edge video camera that empowers officers

^{www.flocksafety.com}

404 Media

2025-12-01 14:00:02

Flock Uses Overseas Gig Workers to Build its Surveillance AI

This article was produced with support from WIRED.

Flock, the automatic license plate reader (ALPR) and AI-powered camera company, uses overseas workers from Upwork to train its machine learning algorithms, with training material telling workers how to review and categorize footage including images people and vehicles in the U.S., according to material reviewed by 404 Media that was accidentally exposed by the company.

The findings bring up questions about who exactly has access to footage collected by Flock surveillance cameras and where people reviewing the footage may be based. Flock has become a pervasive technology in the U.S., with its cameras present in thousands of communities that cops use everyday to investigate things like car jackings. Local police have also performed numerous lookups for ICE in the system.

Companies that use AI or machine learning regularly turn to overseas workers to train their algorithms, often because the labor is cheaper than hiring domestically. But the nature of Flock’s business—creating a surveillance system that constantly monitors U.S. residents’ movements—means that footage might be more sensitive than other AI training jobs.

💡
Do you work at Flock or know more about the company? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

Flock’s cameras continuously scan the license plate, color, brand, and model of all vehicles that drive by. Law enforcement are then able to search cameras nationwide to see where else a vehicle has driven. Authorities typically dig through this data without a warrant, leading the American Civil Liberties Union (ACLU) and Electronic Frontier Foundation (EFF) to recently sue a city blanketed in nearly 500 Flock cameras.

Broadly, Flock uses AI or machine learning to automatically detect license plates, vehicles, and people, including what clothes they are wearing, from camera footage. A Flock patent also mentions cameras detecting “race.”

Screenshots from the exposed material. Redactions by 404 Media.

Multiple tipsters pointed 404 Media to an exposed online panel which showed various metrics associated with Flock’s AI training.

This post is for subscribers only

Become a member to get access to all content
Subscribe now

Flock Uses Overseas Gig Workers to Build its Surveillance AI

^{Joseph Cox (404 Media)}

404 Media

2025-11-21 00:00:09

Cops Used Flock to Monitor No Kings Protests Around the Country

Police departments and officials from Border Patrol used Flock’s automatic license plate reader (ALPR) cameras to monitor protests hundreds of times around the country during the last year, including No Kings protests in June and October, according to data obtained by the Electronic Frontier Foundation (EFF).

The data provides the clearest picture yet of how cops widely use Flock to monitor protesters. In June, 404 Media reported cops in California used Flock to track what it described as an “immigration protest.” The new data shows more than 50 federal, state, and local law enforcement ran hundreds of searches in connection with protest activity, according to the EFF.

This post is for subscribers only

Become a member to get access to all content
Subscribe now

Cops Used Flock to Monitor No Kings Protests Around the Country

^{Joseph Cox (404 Media)}

404 Media

2025-11-18 19:31:36

ACLU and EFF Sue a City Blanketed With Flock Surveillance Cameras

Lawyers from the American Civil Liberties Union (ACLU) and Electronic Frontier Foundation (EFF) sued the city of San Jose, California over its deployment of Flock’s license plate-reading surveillance cameras, claiming that the city’s nearly 500 cameras create a pervasive database of residents movements in a surveillance network that is essentially impossible to avoid.

The lawsuit was filed on behalf of the Services, Immigrant Rights & Education Network and Council on American-Islamic Relations, California, and claims that the surveillance is a violation of California’s constitution and its privacy laws. The lawsuit seeks to require police to get a warrant in order to search Flock’s license plate system. The lawsuit is one of the highest profile cases challenging Flock; a similar lawsuit in Norfolk, Virginia seeks to get Flock’s network shut down in that city altogether.

“San Jose’s ALPR [automatic license plate reader] program stands apart in its invasiveness,” ACLU of Northern California and EFF lawyers wrote in the lawsuit. “While many California agencies run ALPR systems, few retain the locations of drivers for an entire year like San Jose. Further, it is difficult for most residents of San Jose to get to work, pick up their kids, or obtain medical care without driving, and the City has blanketed its roads with nearly 500 ALPRs.”

The lawsuit argues that San Jose’s Flock cameras “are an invasive mass surveillance technology” that “collect[s] driver locations en masse.”

“Most drivers are unaware that San Jose’s Police Department is tracking their locations and do not know all that their saved location data can reveal about their private lives and activities,” it adds. The city of San Jose currently has at least 474 ALPR cameras, up from 149 at the end of 2023; according to data from the city, more than 2.6 million vehicles were tracked using Flock in the month of October alone. The lawsuit states that Flock ALPRs are stationed all over the city, including “around highly sensitive locations including clinics, immigration centers, and places of worship. For example, three ALPR cameras are positioned on the roads directly outside an immigration law firm.”

Andrew Crocker, surveillance litigation director for the EFF, told 404 Media in a phone call that “it’s fair to say that anyone driving in San Jose is likely to have their license plates captured many times a day. That pervasiveness is important.”
DeFlock's map of San Jose's ALPRsA zoomed in look at San Jose
A search of DeFlock, a crowdsourced map of ALPR deployments around the country, shows hundreds of cameras in San Jose spaced essentially every few blocks around the city. The map is not exhaustive.

The lawsuit argues that warrantless searches of these cameras are illegal under the California constitution’s search and seizure clause, which Crocker said “has been interpreted to be even stronger than the Fourth Amendment,” as well as other California privacy laws. The case is part of a broader backlash against Flock as it expands around the United States. 404 Media’s reporting has shown that the company collects millions of records from around the country, and that it has made its national database of car locations available to local cops who have in turn worked with ICE. Some of those searches have violated California and Illinois law, and have led to reforms from the company. Crocker said that many of these problems will be solved if police simply need to get a warrant to search the system.

“Our legal theory and the remedy we’re seeking is quite simple. We think they need a warrant to search these databases,” he said. “The warrant requirement is massive and should help in terms of preventing these searches because they will have to be approved by a judge.” The case in Norfolk is ongoing. San Jose Police Department and Flock did not immediately respond to a request for comment.

Flock Removes States From National Lookup Tool After ICE and Abortion Searches Revealed

Following 404 Media’s reporting and in light of new legislation, automatic license plate reader (ALPR) company Flock has stopped agencies reaching into cameras in California, Illinois, and Virginia.

^{Joseph Cox (404 Media)}

404 Media

2025-11-03 17:00:28

Flock Logins Exposed In Malware Infections, Senator Asks FTC to Investigate the Company

Lawmakers have called on the Federal Trade Commission (FTC) to investigate Flock for allegedly violating federal law by not enforcing multi-factor authentication (MFA), according to a letter shared with 404 Media. The demand comes as a security researcher found Flock accounts for sale on a Russian cybercrime forum, and 404 Media found multiple instances of Flock-related credentials for government users in infostealer infections, potentially providing hackers or other third parties with access to at least parts of Flock’s surveillance network.

This post is for subscribers only

Become a member to get access to all content
Subscribe now

Flock Logins Exposed In Malware Infections, Senator Asks FTC to Investigate the Company

^{Joseph Cox (404 Media)}

404 Media

2025-10-16 13:00:05

ICE, Secret Service, Navy All Had Access to Flock's Nationwide Network of Cameras

A division of ICE, the Secret Service, and the Navy’s criminal investigation division all had access to Flock’s nationwide network of tens of thousands of AI-enabled cameras that constantly track the movements of vehicles, and by extension people, according to a letter sent by Senator Ron Wyden and shared with 404 Media. Homeland Security Investigations (HSI), the section of ICE that had access and which has reassigned more than ten thousand employees to work on the agency’s mass deportation campaign, performed nearly two hundred searches in the system, the letter says.

In the letter Senator Wyden says he believes Flock is uninterested in fixing the room for abuse baked into its platform, and says local officials can best protect their constituents from such abuses by removing the cameras entirely.

The letter shows that many more federal agencies had access to the network than previously known. We previously found, following local media reports, that Customs and Border Protection (CBP) had access to 80,000 cameras around the country. It is now clear that Flock’s work with federal agencies, which the company described as a pilot, was much larger in scope.

This post is for subscribers only

Become a member to get access to all content
Subscribe now

ICE, Secret Service, Navy All Had Access to Flock's Nationwide Network of Cameras

^{Joseph Cox (404 Media)}