Investigative FAQ

What Flock Safety Won't Tell You

Flock Safety representatives make a consistent set of public claims when pitching their ALPR cameras to city councils. Nearly every one is contradicted by independently verified reporting, government documents, and the company's own code.

About this document: Every claim below was verified against at least two independent sources — congressional letters, CVE database entries, EFF investigations, leaked internal documents, court filings, local news investigations, and Flock's own marketing materials. Where a claim could not be independently verified beyond a single source, it was excluded. Last updated February 2026.
01

Flock does not sell data

Misleading

Flock's Nova platform is a commercial subscription product that aggregates OSINT, public records, and license plate reader data and sells access to law enforcement agencies. Flock's own case study with Porterville PD explicitly markets "Flock Nova OSINT" as a paid product. The company's "Correcting the Record" blog post confirms Nova supplies "public records information, Open-Source Intelligence (OSINT), and License Plate Reader (LPR) data."

Flock's privacy page claims it "does not sell data," but this appears narrowly framed around customer-owned LPR data. Nova is unambiguously a paid data product aggregating intelligence from multiple sources for commercial sale. Industry analysts at Sacra estimate Flock hit $285 million in ARR at end of 2024, charging $2,400 annually per camera.

Key Sources
  • 404 Media — Joseph Cox, "License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows" (May 14, 2025). Based on leaked internal slides, Slack messages, and meeting audio.
  • Government Technology — "Flock's Newest Police Tool Sparks Data Controversy" (May 27, 2025). EFF Senior Policy Analyst called it "precisely the kind of dystopian panopticon we've warned about."
  • Flock Safety blog — "How Porterville PD Transformed Digital Investigations with Flock Nova OSINT" (November 18, 2025). Flock's own case study confirms Nova is a paid product.
02

Flock does not collect personally identifiable information

False

While Flock's ALPR cameras capture license plates rather than names, the Nova platform explicitly collects and surfaces extensive PII — names, home addresses, phone numbers, social media profiles, and per independent code analysis, SSNs and credit card numbers.

Leaked internal presentations showed an employee stating officers would "be able to access data and jump from LPR to person." Flock's own Q2 2025 product blog describes Nova "surfacing an address from a food delivery order" and "linking a VOIP number to a suspect's Cash App profile and photo."

Flock's privacy page states its ALPR system does not collect PII — but this is narrowly limited to the camera hardware and ignores Nova, which processes all of these data types by design.

Key Sources
  • 404 Media — Leaked Flock internal presentation and Slack messages (May 14, 2025). Employee quote: "jump from LPR to person."
  • Nexanet — Independent code analysis of Nova frontend (December 11, 2025). Found search fields for SSNs, credit cards, crypto wallets, Discord/Telegram handles, and a polished "Advanced Dark Data Search" UI.
  • Flock Safety blog — Q2 2025 product launch summary. Case studies describe surfacing home addresses and Cash App profiles.
  • EFF — "2025 in Review" (December 2025). Obtained datasets representing more than 12 million searches from 3,900+ agencies.
03

Flock has never been hacked

False

In December 2025, at least 67 Flock Condor PTZ cameras were discovered livestreaming to the open internet with zero authentication — no password, no login, no encryption. Anyone could watch live feeds, download 30 days of archived footage, and access admin panels. A 404 Media reporter drove to Bakersfield, California and verified by walking in front of two cameras while watching himself on the livestream from his phone.

Separately, Senator Ron Wyden and Rep. Krishnamoorthi wrote to the FTC citing Hudson Rock data showing passwords for at least 35 Flock customer accounts were compromised by infostealer malware and found on Russian cybercrime forums. They called Flock's practices "negligent" and confirmed approximately 3% of Flock law enforcement customers lacked multi-factor authentication.

Key Sources
  • 404 Media — Jason Koebler, "Flock Exposed Its AI-Powered Cameras to the Internet" (December 2025). Reporter physically verified by walking in front of exposed cameras.
  • GainSec — Jon Gaines, "Bird Hunting Season: Finding 67 Live Camera Feeds" (January 9, 2026). Technical writeup of the discovery via Shodan.
  • TechCrunch — Zack Whittaker, "Lawmakers say stolen police logins are exposing Flock surveillance cameras to hackers" (November 3, 2025).
  • Sen. Wyden & Rep. Krishnamoorthi — Letter to FTC (November 3, 2025). Full text at wyden.senate.gov.
  • 9NEWS Denver — "Douglas County's Flock camera compromised" (December 2025). Local confirmation of exposed cameras in Colorado.
04

These cameras are secure

False

Independent security researcher Jon Gaines (GainSec) published a peer-reviewed white paper documenting 51 distinct security findings across Flock's product line, resulting in 22 CVE assignments in the MITRE/NVD databases (with 8 more pending). Vulnerabilities include a hardcoded Java Keystore password rated CVSS 9.8 Critical, unauthenticated admin API endpoints enabling remote code execution, disabled Secure Boot, and cleartext API keys embedded in production firmware.

Physical compromise is trivial: pressing a button sequence on the camera's back creates a wireless access point, enabling full device control. A USB "rubber ducky" device plugged into the exposed USB-C port achieves complete compromise in approximately 5 seconds. In a demonstration, Gaines planted fabricated images on a live device.

Separately, a default ArcGIS API key was found embedded in 53 JavaScript bundles across Flock's frontend, granting access to their mapping environment with roughly 1 million API credits.

Key Sources
  • GainSec — Jon Gaines, "Examining the Security Posture of an Anti-Crime Ecosystem" white paper (November 2025). Published on GitHub with DOI.
  • MITRE/NVD — CVE-2025-59407 (CVSS 9.8), CVE-2025-59403, CVE-2025-59404, CVE-2025-59408, CVE-2025-59409, CVE-2025-47823. Searchable at OpenCVE.
  • 9NEWS Denver — "'30 seconds with a stick' | Researchers claim Flock cameras are easy to hack." Demonstrated physical compromise on camera.
  • Nexanet — "53 Times Flock Safety Hardcoded the Password for America's Surveillance Infrastructure" (2025).
05

Flock does not use dark web data

Contradicted by Code

In May 2025, 404 Media reported that Flock's internal discussions explicitly mentioned using hacked ParkMobile data from a 2021 breach. An employee Slack message stated: "I was pretty horrified to hear we use stolen data in our system." Flock publicly announced it would not include dark web data.

Seven months later, an independent code analysis of Nova's frontend found the feature was still built: a "DarkData" search type as a primary data source, an API endpoint called dark/getExtDarkData, a permission flag hasDarkDataAccess, and a polished UI with tabs for SSN, email, IP address, crypto wallet, credit card, and Discord/Telegram handles. API response metadata included fields for "crawl date," "leak name," and "download location" — columns typical of breach data repositories.

Caveat: The presence of frontend code does not definitively prove the feature is active in production — it could be disabled server-side. However, the specificity and polish strongly suggest this went beyond experimental code.

Key Sources
  • 404 Media — "Flock Decides Not to Use Hacked Data in People Search Tool" (May 30, 2025). Executive admitted on leaked audio exploring dark web data "because investigators told us they wanted to do it."
  • Nexanet — Code analysis of Nova's codebase (December 11, 2025). Full technical writeup of the "DarkData" pipeline and UI components.
  • Government Technology — Confirmed that during early access, "some data sourced from breaches were being used" (May 30, 2025).
  • Gizmodo — "License Plate Reading Firm Reportedly Building a Surveillance Tool for Cops Using Hacked Data" (May 2025).
06

Officers are trained and searches are audited

False

Flock's own audit systems failed to flag any of the following documented abuses — every case was discovered through public records requests or outside investigations, not internal auditing. EFF's analysis found the audit log system "only tracks inputs, not contextual legitimacy" and that keyword filters are "easily defeated by entering vague reasons."

Sedgwick, Kansas Police Chief Lee Nygaard tracked his ex-girlfriend's vehicle 164 times and her boyfriend's vehicle 64 times, using fabricated justifications ("missing child," "drug investigation"). Discovered only because he was already under investigation for unrelated misconduct. No criminal charges. The Wichita Eagle (August 2024); KAKE News; KWCH (October 2023)
Braselton, Georgia Police Chief Michael Steffman arrested November 19, 2025 by the Georgia Bureau of Investigation. Charged with Violation of Oath by Public Officer (felony), Stalking, Harassing Communications, and Misuse of ALPR Systems. He had become chief in April 2025 — arrested seven months later. GBI official press release (November 19, 2025); Atlanta Journal-Constitution; FOX 5 Atlanta
Glendale, Arizona In July 2024, an investigator used an anti-Romani ethnic slur in a Flock search. EFF's analysis of 12 million+ searches found 80+ agencies used similar slurs, plus 400+ searches targeting Traveller communities. None were flagged by Flock's system. EFF, "License Plate Surveillance Logs Reveal Racist Policing Against Romani People" (November 2025); Arizona Mirror (November 2025)
Johnson County, Texas A sheriff's official ran two Flock searches noted "had an abortion, search for female" — one across 6,809 networks / 83,345 cameras. Both Flock and the sheriff initially claimed it was a welfare check. EFF later obtained a sworn affidavit proving it was a death investigation of a non-viable fetus. EFF (May & October 2025); 404 Media (May 28, 2025); court records obtained via public records request
07

Data sharing is controlled and limited

False

Senator Wyden's October 2025 investigation revealed that ICE's investigative arm performed approximately 175 searches, CBP performed roughly 200 searches, and the Secret Service and NCIS also had access — all through a "pilot" program Flock never disclosed to its local customers. Wyden wrote: "I now believe that abuses of your product are not only likely but inevitable."

404 Media reported that CBP regularly searched 80,000+ Flock cameras nationwide. One police department said it "did not know or understand that it was sharing data with CBP." Requests were simply batch-approved like any other agency.

The scale is staggering: Bridgewater, Virginia — population 6,600 — has five Flock cameras. Over 12 months, outside agencies accessed its data 6.9 million times. Over 4,600 agencies queried the data. Roughly 9 in 10 searches came from out-of-state law enforcement.

Key Sources
  • Sen. Ron Wyden — Official letter to Flock CEO (October 16, 2025). Full text at wyden.senate.gov.
  • 404 Media — "CBP Had Access to More than 80,000 Flock AI Cameras Nationwide" (August 2025).
  • 404 Media — "ICE, Secret Service, Navy All Had Access to Flock's Nationwide Network of Cameras" (2025).
  • 9NEWS Denver — Reporting on CBP accessing data via Loveland, Colorado PD (August 2025).
  • Virginia Center for Investigative Journalism (WHRO) — Bridgewater data: 6.9 million hits, 4,600+ agencies (September 2025).
  • Atlanta Community Press Collective — 47+ searches citing "ICE" from five metro Atlanta agencies (June 2025).
  • Suncoast Searchlight / Tampa Bay Times — Florida Highway Patrol: 250+ immigration searches in two months (June 2025).
08

ALPR misreads are rare and inconsequential

False

ALPR misreads have produced documented, serious harm — including families held at gunpoint and multi-million-dollar settlements.

Aurora, Colorado (2020) An ALPR misidentified Brittney Gilliam's SUV as a stolen motorcycle — same plate number, wrong vehicle type and state. Gilliam (a Black woman) and four children ages 6–17 were pulled over at gunpoint, forced to lie face-down on hot pavement, and three were handcuffed. Settlement: $1.9 million. The Denver Post (February 2024); NBC News; CBS News Colorado. Note: This involved a generic ALPR, not specifically Flock.
Española, New Mexico (2023) A Flock Safety camera misread the last digit of a plate, reading a "2" as a "7." Jaclynn Gonzales, 21, and her 12-year-old sister were held at gunpoint, handcuffed, and placed in the back of a patrol car. One month later, a 17-year-old honors student was held at gunpoint after an officer entered the wrong number into the Flock system. CBS News, "When license plate readers get it wrong" (July 2025); EFF (November 2024); KOB 4 Albuquerque
09

Flock is the most transparent public safety tool

Contradicted

Flock requires all security testing be conducted under a Master Services Agreement and NDA, effectively preventing independent researchers from publicly disclosing vulnerabilities. Security researcher Jon Gaines explicitly stated he refuses to accept bounties because they are "more and more commonly tied to NDAs."

Flock threatened the creator of HaveIBeenFlocked.com — a site that simply collated public records about Flock searches — claiming it posed "an immediate threat to public safety."

Nine Denver City Council members wrote in October 2025: "We have serious concerns about Flock Group Inc.'s ethics, transparency, and credibility. The company's CEO has made multiple false statements both publicly and directly to council members."

Key Sources
  • Flock Safety blog — "Holding Ourselves to the Highest Standard" (February 10, 2026). Explicitly states NDA + MSA required for all testing.
  • GainSec — Jon Gaines (June 2025). "I refuse to accept bounties as they are more and more commonly tied to NDAs."
  • 404 Media — "Police Unmask Millions of Surveillance Targets Because of Flock Redaction Error" (2025). Flock threatened HaveIBeenFlocked.com.
  • Denverite — "Majority of City Council blasts Denver's contract with Flock" (October 29, 2025). Nine council members' joint letter.
10

You can trust what Flock tells your council

Documented Dishonesty

In Sedona, Arizona, Flock told the city council on August 13, 2025 that "there's no data sharing going on." Six days later, on August 19, Flock admitted data sharing had in fact been occurring. Vice Mayor Holli Ploog stated on the record: "A company that tells us on August 13 that 'There's no data sharing going on, I swear,' and on August 19 admits that 'it's been going on,' is not a company that we can do business with."

The council voted unanimously to terminate. Mayor Jablow reversed his prior position, stating he had "since learned more about the overwhelming behind-the-scenes data sharing that was not disclosed to the council."

Key Sources
  • KNAU Arizona Public Radio — "Sedona council permanently ends license plate camera program" (September 11, 2025). Direct quote from Vice Mayor Ploog.
  • Sedona Red Rock News — Christopher Fox Graham, "Sedona City Council tells staff to get Flock out of town" (September 10, 2025). Mayor Jablow's reversal.
  • AZCIR — Arizona Center for Investigative Reporting (August 28, 2025). Confirmed undisclosed data-sharing.
11

Other cities are happy with Flock

Growing Cancellation Wave

As of February 2026, NPR confirmed that at least 30 localities have deactivated cameras or cancelled Flock contracts. EFF counted 23 jurisdictions by December 2025. The pace is accelerating — many cancellations occurred in late 2025 and early 2026.

Primary reasons include: undisclosed federal agency access (especially ICE and CBP), privacy and mass surveillance concerns, Flock CEO Garrett Langley's rhetoric calling critics "terroristic," unauthorized camera installations, and state sanctuary law conflicts.

Verified cancellations include: Flagstaff AZ (unanimous), Sedona AZ (unanimous), South Tucson AZ (February 2026), Cambridge MA (citing Flock's "material breach of trust"), Austin TX, Hays County TX, San Marcos TX, Eugene OR, Bend OR, Mountain View CA, Santa Cruz CA, Oak Park IL, Evanston IL, Olympia WA, Redmond WA, Lynnwood WA, Staunton VA, Windsor CT, and others.

The pattern is clear: when citizens actually get a voice on this technology, they reject it.

Key Sources
  • NPR — Jude Joffe-Block, "Why some cities are ditching their Flock license plate readers" (February 17, 2026). Confirmed 30+ localities.
  • EFF — "Procurement Power — When Cities Realized They Can Just Say No" (December 2025). Counted 23 jurisdictions.
  • State of Surveillance — "23 Communities Told Surveillance Cameras to Get Out" (2025). Detailed profiles of each cancellation.
  • City of Cambridge, MA — Official statement on ALPR contract termination (December 2025).