This article includes my own security engineering informed analysis / opinion.
Flock Safety Sells Surveillance as a Service
This research started on a trip to Dearborn, MI. I was driving back to my hotel, and noticed a solar panel and a camera on a black pole. A closer look took me down a rabbit hole. So… let me introduce you to Flock Safety.
Flock Safety sells automated license plate reading, and various other surveillance capabilities to businesses, communities, but mostly law enforcement agencies. Flock’s key selling point is lightweight, managed infrastructure. Most of which is solar powered and cellular — no expensive wires.
Flock variously claims a presence in 3,000+ communities, business customers in 42 states, and 2,500+ law enforcement “relationships”. Following in the footsteps of the tech giants, it has attracted hundreds of millions of dollars in venture capital funding that allows it to slash costs for its customers to quickly gain market share.
There are plenty of other ALPR solutions on the market. What’s special about Flock is how affordable it is for law enforcement in particular. Outfitting a fleet of police vehicles with mobile ALPR cameras from Motorola, or installing fixed camera infrastructure across a city requires enormous up-front cost.
Flock Safety takes on the installation and infrastructure costs. This allows law enforcement agencies to spend the affordable subscription costs out of their existing budgets so they don’t need to ask the local government for a big capital spend on an ALPR network.
Detroit, MI PD highlights the problem in law enforcement. Detroit had Motorola mobile ALPR cameras, but they had to come to the city council to very conspicuously ask for $5 million to buy fixed ALPR cameras — the kind you’d find on the side of the road.
Following the Lack of Money
Rewind to Dearborn. Why are there ALPR cameras on a public street near my hotel? Signs that Flock Safety had worked with the City of Dearborn on a contract were scarce. No press releases, no news articles.
Luckily, a lot of good work researching law enforcement ALPR use is being done. This includes several FOIA responses that reference Flock Safety, like this request to Dearborn, MI PD. The response includes two separate purchase orders to Flock Safety in 2022, for $25,000 and $30,000.
A 2022 agreement between Evanston, IL PD and Flock Safety breaks down the costs. A ten camera deployment, zero dollars installation, $25,000 annual subscription.
A brief aside: If $25,000 a year is a big ask for an unproven technology, why not ask Flock Safety for a “90 day free trial”?
Ten cameras doesn’t sound like a lot, but that’s how Flock Safety acquires new customers for its larger platform. They suggest you to ring the perimeter of your city in cameras, leaning in to the outsider trouble narrative while minimizing initial cost.
This slide from one of their webinars shows this deployment strategy. It contains an actual installation map for their customer Piedmont, CA PD.
“Transparency”
Flock Safety plays both sides of the deal pretty well. As a vendor, they need to sell a law enforcement agency on a cheap city-wide solution, integrated into a rich “Real-Time Crime Center”. They also need to sell a community on safety, security, and most importantly, privacy.
Flock talks about its ALPR system as if it were privacy-preserving, but there seems little theoretical difference between an Amazon Blink camera and a Flock ALPR. As described, they both use Amazon Web Services with one or more layers of encryption. Images and vehicle metadata are uploaded to the cloud, and made available for searching via the Flock customer API with their paid subscription service. Flock says its differentiator is in-camera image processing.
There are two clear customer tiers, law enforcement, and everyone else. Flock’s website marketing for homeowner’s associations is quite distinct from the presentations given to law enforcement audiences. Both types of customers have real, practical barriers to installing cameras in a community, and Flock provides more than just marketing materials and feel-good copy for the public relations problem.
Admirable in design, Transparency Portals allow customers to optionally and selectively publish their ALPR use policies, statistics, and search audit logs. About 100 of these can be found by web search.
A section of the Transparency Portal is called “External organizations with access”, which likely refers to any Flock customer that has been granted explicit access to another customer’s data. The pages themselves do no define exactly what this means.
These customers are enumerated mostly by name, but that means many law enforcement agencies included in the Transparency Pages can be pinned on the map.
There are approximately 18,000 state and local police agencies in the US, which puts Flock’s reach into about 15% of them. Ranking the top ten camera counts for law enforcement agencies with Transparency Portals shows:
Customer Cameras
Flock - Admin 276
Shelby County TN SO 139
Vacaville CA PD 133
San Jose CA PD 128
Springfield IL PD 94
Vallejo CA PD 94
Tulsa OK PD 69
Baytown TX PD 58
Fairfield CA PD 56
Mooresville NC PD 52The Flock - Admin page is very odd because it has copy referring to “Colton Police Department” but it would be odd for a city like Colton, CA with a population of only 54,000 to have 276 cameras installed.
Stranger, that Transparency Portal has some very odd “External organizations with access”:
Flock — Admin, Flock LE Training — Old, Flock Safety — Customer, Flock Safety — Engineering, Flock Safety — Ops, Flock Safety — Sales, Flock Safety Campus Security Training, Flock Safety HOA — External Testing 2, Flock Safety LE Training, Flock Safety PD — External Testing, External RTCC Demo Org, Graham’s Walkthrough Demo, Indiana LE Demo, Northeast LE Training — Demo, SchoolSafety Demo Org, Western PA Demo Agency
So, it seems like this is actually some sort of catchall administrative/test account, but now we’re left to wonder which 276 cameras would be connected to this account. Do any belong to law enforcement customers? How does this reflect on Flock’s security and transparency promises?
Oversharing
The organizations above are almost entirely law enforcement entities of some type, with some interesting exceptions. Notably, Shelby County Sheriff’s Office, which was at the top of the list of installed cameras, shares data with two unusual private organizations:
FedEx Air Carrier PD, FedEx GSOC
TN - Loeb Properties Inc - Security
Organizations with shared access include airport police, park police, university and school district police, railroad police, and miscellaneous organizations such as the following:
Alabama Department of Revenue, Cal Fire, California Department of Insurance Fraud, Ector County Environmental Enforcement (TX), Fort Worth TX Code Compliance, Houston Arson Bureau TX, Houston Metro Transit Authority (TX), Illinois Gaming Board IL PD, Indiana Department of Corrections, Kansas Department of Labor KS, Michigan Department of Corrections (MDOC), Napa County (CA) Probation Department, Ohio Bureau of Workers’ Compensation (LE)
Some customers share their access with organizations clearly marked for testing, or non-production use.
Sharing to “Flock Safety PD Test Org” - Champaign IL PD, Fairfield CA PD, San Jose CA PD, Wichita KS PD, Yakima WA PD
Sharing to “Demo” - Lafayette CO PD, Costa Mesa CA PD
Sharing to “Z Do not use” - Maple Bluff WI PD
Customers also share data with the organization “FBI”, such as the following.
Lafayette CO PD, Costa Mesa CA PD, Hillsborough CA PD, Lafayette IN PD, Mansfield OH PD, Menifee CA PD, Michigan City IN PD, Oakley CA PD, Roselle IL PD , San Marino CA PD, Santa Clara CA PD, Shelby County TN SO, West Covina CA PD, Wichita KS PD, Woonsocket RI PD, Yakima WA PD
Some Transparency Portals offer a “search audit” log, with 30 days of customer search data. This data is limited, but shows key elements like how many searches are done against how many cameras, and “reason” — which is frequently just a case number.
Notable in this search audit log is some very large cameraCount numbers. Murrieta, CA PD only advertises that it has 34 cameras. Working backwards from the available data, Murrieta has only 418 cameras shared with it by other organizations that publish Transparency Pages.
However, Murrieta has audit records that assert 67,305 cameras were included in some searches. If this is accurate, then in some situations, some organizations can search what seems like every single camera Flock Safety has in the field.
Of the only 18 customers that publish search audit logs, four had searches in the last 30 days including more than 60,000 cameras.
Customer High Count
Murrieta CA PD 67305
Santa Clara CA PD 66479
Wichita KS PD 63341
Wentzville MO PD 63188
Fairfield CA PD 10056
Oakley CA PD 9847If the point of the Transparency Page is to bring confidence that this technology is not being regularly abused by customers, evidence of routine searches of the entire country for license plates by local law enforcement agencies undermines that point, and calls into question the narrative Flock Safety sells in its promises:
We build products and design systems with checks and balances to ensure the ethical use of our technology.
Upselling a Surveillance Ecosystem
Flock Safety isn’t just in this to sell ALPR cameras. Flock also entered the gunfire detection device market with a product called Raven. The cost of a Raven deployment is $35,000 a year per square mile, according to their marketing webinar.
Flock Safety also sells live video cameras, and hardware to add legacy and third party cameras which all integrate into FlockOS — the glue software for their hardware and subscription services. Flock also touts an integration with Axon mobile ALPR and body worn cameras.
Flock emphasizes the ability to detect a gunshot with Raven, capture video of the incident with Condor, then track fleeing vehicles with Falcon ALPR. This strategy supports the ideal “Real-Time Crime Center” to which law enforcement agencies seem to aspire.
Contrary Research describes one of Flock’s key business risks as an asset. Flock’s deterrent effect requires the growth of the network to remain useful, and will continue to push Flock into more and more communities.
Flock Safety has demonstrated success by reducing crime, but criminals could easily determine where cameras are located and, instead, commit crime away from where the devices are installed. This is a risk to Flock Safety in the sense that it may not fulfill its mission of solving crime if the product is just moving crime elsewhere instead of being deterred overall. However, it may also be an opportunity, as cities might feel that they are at more risk of criminal activity if neighboring cities have ALPR cameras and they don’t. The result of this could be a domino effect where cities that don’t have ALPR cameras now need them more, leading to more purchases for Flock Safety.
This push for more surveillance technology, more widely deployed, with better integration only heightens the need for Flock to deliver more security and more transparency at the same time, and perhaps focus less on improbable promises like this one:
In Summary
Flock Safety is contributing enormously to alarming growth of community surveillance that comes along with an apparent lack of public awareness the scale of this growth — driven by an inexpensive, maintenance-free subscription model.
One of the few real transparency mechanisms used to instill confidence in Flock is used only by a small percentage of law enforcement customers.
The web of data access expands well beyond what’s visible in the Transparency Portals, and so what’s shown in them is a fraction of the real nation-wide visibility Flock and its law enforcement customers have — 60,000+ cameras, each with 30 days of declared retention.
Management of production accounts looks sloppy — even by the standards of tech companies that don’t have a core privacy/security mission, and may represent a larger problem with cross-customer access controls, and the access Flock Safety employees themselves have.
Flock Safety may already be in your community. There’s a good chance you may not be aware unless you had your eyes peeled for its “discreet” technology. Hopefully now you’re a bit more prepared to ask questions and demand answers from your local leaders and law enforcement about Flock.
Flock Safety must be held accountable to its promises, and an unprecedented law enforcement surveillance boom should come with actual transparency, not what Flock Safety offers.
Follow for Part 2 looking at the technology Flock Safety uses.