Learn More

1
2
3

Table of Contents

Click any of the items below to jump to that section

  1. Cybersecurity Concerns
  2. Is Flock Effective?
  3. Transparency - Flock
  4. Useful Links

1. Cybersecurity Concerns

Thanks to independent researchers who took it upon themselves to ethically hack offline Flock devices, we have some insight into the security measures (or lack-therof) that Flock has gone to to protect the vast amount of personal data they collect on Americans. Below are some highlights from the published research report[1] and a video by another researcher, Benn Jordan[2] covering it, as well as Flock's official response.

The first half of the video shows a detailed account of some of the most basic security vulnerabilities found in the Flock systems, as well as demonstrates that their claims about image deletion and encryption are blatantly false. These are not small issues that can be fixed with guardrails or use-policies. In fact, Flock's security is so lacking that Oregon Senator Ron Wyden is urging the FTC to investigate Flock for "needlessly exposing Americans' personal data to theft by hackers, foreign spies, and criminals."[3]

Here are some highlights from the report:

This level of security is a joke and is a testament to a fundamental lack of organizational respect for the security and privacy of customer and public data.

Flock acknowledged and responded on their blog in May 2025[4] to the initial public disclosure from the researchers and in Nov 2025[5] to the published report. They made no attempt to discredit the research, thus legitimizing it and showing us that we can trust the information. The posts were mostly typical corporate speak but a few things stood out. The below quote, which appears in bold text on their blog, really speaks to their priorities:

"Overall, none of the vulnerabilities detailed in the report have an impact on our customers' ability to carry out their public safety objectives."[4]

Members of the general public, the ones who stand to lose the most in the event of a security breach at Flock, are not customers of Flock. So long as the customers (government agencies and private businesses) don't lose access to their tracking tools, everything else is an afterthought. But even then, one of the vulnerabilities was possible remote control by a bad actor, so their statement isn't even true. They blatantly lied to their customers.

Flock also tried to downplay the vulnerabilities in their blog posts, but they offered some weak examples:

"Exploitation of these vulnerabilities would... require physical access to a device...[4] typically placed on a pole several feet above normal height."[5]

LPR cameras are left unattended on the side of the road. It's reasonable to expect that anyone can get physical access to these devices, no Mission Impossible stunts required. Unless you consider ladders to require specialized skill and access.

Update 12/23/25: 404 Media and Benn Jordan covered another vulnerability: Flock camera live feeds streaming online for anyone to view.[15] Benn appropriately called this "Netflix For Stalkers." In the 11-minute video, he shows footage of a family loading their Lowe's purchase into their truck, a man roller blading and then watching a roller blading video on his phone, a woman running on a trail alone, and children playing in a park unsupervised. Maybe the woman feels safe running that trail alone knowing that it has cameras, but I bet she would think twice if she knew who was really watching.

2. Is Flock Effective?

coming soon. you may need to clear your browser cache, and restart your phone to see the updated page when checking back for updates

3. Transparency - Flock

Flock says that they believe in transparency, but do they meaningfully practice it?

the wayback machine flock url error: sorry, this url has been excluded from the wayback machine

The first red flag is that Flock's website is blocked on the Wayback Machine. The Wayback Machine is an internet archive that takes snapshots of webpages at different times, allowing people to see old versions of webpages in case anything changes. When eyesoffgsp.org quotes Flock's blog to demonstrate their attitude towards something, Flock could later edit the blog and there won't be a good way to prove what they originally said. In contrast, the eyesoffgsp.org code is stored on GitHub, meaning anyone can see every change that was ever made to the website.

Speaking of Flock's blog, they posted a three part series on transparency. Here's how they introduce the series:

"We're presenting this new blog series, Policy Pulse, because the burden of compliance - navigating this messy lattice of rules and oversight - should not stand in the way of public safety."[6]

If they're trying to say that they want to make transparency easier so that officers can spend more time fighting crime and less time on FOIA requests, this is the worst way to say it. The connotations imply a loathing of transparency and a hint of disregard for the rule of law and constitutional protections. But there's still two more posts, so let's see if they double down or redeem themselves:

"In the past, law enforcement agencies had little choice in how public search audits were exported from the Transparency Portal. The field of Search Reason was always included, without the option to remove it. And oftentimes, an officer may include sensitive information in this field regarding a current, active investigation."[7]

If they're trying to say that there used to not be an easy way to redact confidential info, this is the worst way to say it. It feels like coded language for an intent to make it easier for agencies to disclose as little information as possible in FOIA requests, when considering the context of how the search reason field has been used in the past, with thousands of examples of "investigation," "suspect," "donut," "asdf," and similarly vague or meaningless terms being revealed through FOIA requests.[8][9]

In order to address those concerns, Flock went on to introduce a new feature: mandatory Offense Type drop-down selection. Now, if an officer is stalking his ex-girlfriend, instead of typing "inves" as the search reason, he will just have to pick a random crime from the drop-down to pretend to be investigating. This does little to help leadership monitor use of the system, but let's look at a solution that could.

An independent analyst used sample data to build a search anomaly dashboard (below).[10] It graphs a user's historical search queries by hour and performs statistical analysis to flag suspicious search frequencies or other anomalies.

dashboard with search anomaly index score, summary, z-score, hourly activity graph, and search volume

Building on this example dashboard, the system could then have automated alerts, or weekly user analytics reports sent to supervisors for review. It's not a very big ask for a multi-billion dollar company to think of or to implement something that an independent analyst can put together in their free time. Flock could have developed analytics and reporting features years ago, but instead they've been developing new products (something that actually generates revenue). It's also worth noting that law enforcement and council leaderships have not been demanding such accountability measures as customers.

It's easy to talk about transparency, but true values are imbued into all actions big and small, from decision-making to simple word choices. Flock has demonstrated that they are unable or unwilling to put transparency first.

Update 12/17/25: Flock tried to shut down the website of the independent analyst mentioned here, by falsely accusing them of phishing and trademark infringement.[11]

Update 12/19/25: 404 Media reported back in May 2025 that Flock's upcoming product Nova uses breached data obtained from the dark web based on leaked information.[12] This would mean that officers could perform a person search in Nova and receive information about them that was leaked in a data breach. Flock tried to gaslight everyone by explaining that the dark web data discussions only surfaced because some of the agencies in the beta program asked for the option but ultimately they decided not to pursue it.[13] However, an independent researcher uncovered evidence that says otherwise.[14] By inspecting the html code of the Nova front-end website, the researcher showcases data sources explicitly named "Dark Data" with fields for social security number, credit card number, IP addresses, and other sensitive types of personal information.

4. Useful Links

deflock.me
alpr.watch
haveibeenflocked.com
eyesonflock.com
alpranalysis.com
gettheflockoutofhere.com
stopflock.com
plateprivacy.com
alprwatch.org
banishbigbrother.com

Sites like eyesoffgsp in other cities:
livefreeaz.com (Sedona, AZ)
eyesoffeugene.org (Eugene and Springfield, OR)
eyesoffcr.org (Cedar Rapids, IA)
noalprs.org (Austin, TX)
deflocklynnwood.com (Lynnwood, WA)
friendlycitydrivesfree.org (Scottsville, KY)

General surveillance related:
banfacialrecognition.com
sassisouth.org
lucyparsonslabs.com

References

  1. Gaines, Jon; Cohen, Joseph (11-05-2025). "Examining the Security Posture of an Anti-Crime Ecosystem." zenodo.
  2. Jordan, Benn (11-15-2025). "We Hacked Flock Safety Cameras in under 30 Seconds." YouTube.
  3. (11-03-2025). "Wyden, Krishnamoorthi Urge FTC to Investigate Surveillance Tech Company on Negligently Handling Americans' Personal Data." senate.gov
  4. (11-06-2025). "Response to Compiled Security Research on Flock Safety Devices." Flock Safety.
  5. (05-05-2025). "Gunshot Detection and License Plate Reader Security Alert." Flock Safety.
  6. Thomas, Josh (09-12-2025). "Policy Pulse: Compliance Doesn't Have to Be So Hard." Flock Safety.
  7. Thomas, Josh (10-30-2025). "Policy Pulse: Transparency, Control, and the Path Forward." Flock Safety.
  8. Begley, Ghisolfi, and deGrood (06-10-2025). "Houston police use a powerful surveillance tool to track vehicles. But they're not explaining why." Houston Chronicle.
  9. "Reason Search - Search the reasons given for Flock database searches." Have I Been Flocked?
  10. H.C. van Pelt (12-03-2025). "Feature: Search Anomalies and Account Sharing." Have I Been Flocked?
  11. H.C. van Pelt (12-16-2025). "Flock and Cyble Inc. Weaponize "Cybercrime" Takedowns to Silence Critics." Have I Been Flocked?
  12. Cox, Joseph (05-14-2025). "License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows." 404 media.
  13. (05-30-2025). "Correcting the Record: Flock Nova Will Not Supply Dark Web Data." Flock Safety.
  14. Joshua (12-11-2025). "License Plate Reader Company Flock Said It Does Not Use Dark Web Data. My Analysis of Their Code Tells a Different Story." Nexanet
  15. Jordan, Benn (12-22-2025). "This Flock Camera Leak is like Netflix For Stalkers." YouTube.