Full Report
There are over a dozen cases around the country where police officers are using the Flock surveillance camera system to obsessively and illegally stalk people. Alternate link.
Analysis Summary
# Incident Report: Unauthorized Use of Flock Surveillance System for Stalking
## Executive Summary
Law enforcement officers across multiple jurisdictions have been identified using the Flock Safety automated license plate reader (ALPR) system to illegally track and stalk individuals for personal reasons. These incidents represent a significant "insider threat" where authorized users bypassed the intended public safety purpose of the tool to commit privacy violations and harassment. The compromises highlight a systemic failure in internal auditing and the "political will" to enforce strict access controls on sensitive surveillance data.
## Incident Details
- **Discovery Date:** Multiple reports surfaced June 16, 2026 (largely via 404 Media)
- **Incident Date:** Ongoing; cases span several months prior to discovery
- **Affected Organization:** Over a dozen law enforcement agencies (LEAs)
- **Sector:** Public Sector / Law Enforcement
- **Geography:** United States (Nationwide)
## Timeline of Events
### Initial Access
- **Date/Time:** Variable (Repeated occurrences over several months)
- **Vector:** Authorized Administrative/User Access
- **Details:** Officers utilized valid credentials to access the Flock Safety database. Instead of searching for plates linked to active investigations, they entered plates belonging to personal acquaintances, ex-partners, or targets of obsession.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; however, the abuse involved moving from legitimate investigative workflows to unauthorized personal surveillance within the same application.
### Data Exfiltration/Impact
- **Details:** Real-time and historical location data of private citizens was exfiltrated (viewed and tracked) without a warrant or legal justification.
### Detection & Response
- **Detection:** Primarily discovered through external scrutiny, victim reports, or secondary criminal investigations rather than automated internal triggers.
- **Response:** Officers in several cases have been arrested or faced disciplinary action after the stalking behavior was identified by outside parties or through manual audits following complaints.
## Attack Methodology
- **Initial Access:** Valid User Credentials (Insider Threat).
- **Persistence:** Long-term access maintained through employment status.
- **Privilege Escalation:** Abuse of "implicit trust" where officers have the authority to search any plate without physical or digital "stop-gaps."
- **Defense Evasion:** Exploiting the lack of real-time auditing and the high volume of legitimate searches to hide illicit activity.
- **Discovery:** Use of Flock’s search and "hotlist" features to locate specific individuals.
- **Collection:** Gathering location history, timestamps, and movement patterns of vehicles.
- **Impact:** Psychological harm to victims, privacy erosion, and violation of the Fourth Amendment.
## Impact Assessment
- **Financial:** Potential for significant civil litigation costs and settlements against municipalities.
- **Data Breach:** Exposure of PII (Locational data tied to license plates) for an undisclosed number of victims.
- **Operational:** Diversion of police resources toward personal vendettas; potential loss of access to surveillance tools if legislative bans follow.
- **Reputational:** Severe erosion of public trust in law enforcement and private surveillance vendors like Flock.
## Indicators of Compromise
- **Behavioral Indicators:**
- High-frequency searches for specific license plates not associated with open case files.
- Off-duty or after-hours access to the surveillance portal.
- Creation of "Hotlist" alerts for personal acquaintances.
## Response Actions
- **Containment:** Suspension of access for suspected officers; deletion of unauthorized search histories.
- **Eradication:** Termination of employment for offending officers and criminal charges in specific jurisdictions.
- **Recovery:** Reviewing and tightening departmental policies regarding ALPR usage.
## Lessons Learned
- **The Insider Threat:** Even robust security systems are vulnerable if the authorized users are the threat actors.
- **Audit Lag:** Internal detection failed in most cases; the abuse was only halted after it had persisted for months.
- **Vendor Responsibility:** Surveillance vendors (Flock) provide powerful tools that require more than just "optional" auditing logs; they require proactive misuse detection.
## Recommendations
- **Strict Access Controls:** Require a valid case number and supervisor approval for all ALPR searches.
- **Proactive Auditing:** Implement automated AI-driven alerts to flag anomalous search patterns (e.g., searching for the same civilian plate daily).
- **Transparency:** Maintain public-facing logs of how often the system is used and for what general purposes (without compromising active cases).
- **Legislation:** Support "Warrant Required" policies for non-emergency historical location data access to ensure judicial oversight.