What the Flock??
Police Respond to Flock Data Breaches in our Community (and some do not). Flock data is now being sold on the Dark Web. Do you have these cameras in your hometown? Read on.
One thing’s for sure: the Flock Safety company certainly chose a good name for pun-ing around with, and this surely gives endless delight to those who are not so thrilled with their work. But the joke’s on us as mass surveillance from Amazon Ring cams, Waymos and more tech Trojan horses begin to weave ever tighter webs around us. Who can stop this?
Our cities can.
After the publication of our last article, “Our Data is Not Safe. Is Yours?”, the online news outlet Santa Cruz Local came out with a similar article that analyzed the same data from our anonymous data security expert and, thanks to some serious numbers crunching by Local reporter Jesse Kathan (who gets a salary, OK?) revealed that over 190 Capitola data searches were made by outside agencies on behalf of ICE. And yes, the Get the Flock Out team provided that data to Kathan. We first shared it publicly at the last Santa Cruz Public Safety Committee meeting.
Sarah Ryan is the new police chief in Capitola, the first female chief for that city, the daughter of two mothers, and a real winner, according to a lot of folks who know her, and a recent Lookout profile on her.
In fact, she is so well regarded by people on either side of the political spectrum that when progressive councilmember Melinda Orbach was in a contentious dispute with both local political gadfly Kevin McGuire, and members of her own council, Ryan’s name kept popping up as someone who could help mediate between parties.
So, when I sent an email to Ryan to get her response to the data breach, I was not surprised to get the following reply. (Well, actually, I was slightly surprised. This is not language one typically hears from a chief of police, and generally not in the midst of controversy).
“I would welcome further conversations about Flock technology and would like the opportunity to hear you and also to be heard. What is your schedule like next week?”
I am happy to meet personally with Sarah, but I was about to travel when this email dropped in my inbox. Nonetheless, I wanted to see if she had an immediate reply to the Flock camera data breach at her department–a breach that was relatively shocking (but honestly, not surprising from the perspective of anyone who has done research on Flock).
This was her response:
“We are aware that violations of SB 34 and the California Values Act occurred. These violations were inadvertent and were not the result of any deliberate attempt by City staff to circumvent California law. The violations ceased on February 11, 2025.
“With respect to sharing data with any federal agency, the Capitola Police Department can confirm that no member of City staff has directly shared ALPR data in violation of state law, including SB 34 and the California Values Act.
“I will be reviewing the Flock and Automated License Plate Reader (ALPR) policy to ensure that CPD continues to fully comply with the California Values Act, which prohibits the use of local resources for immigration enforcement purposes. To strengthen oversight, I have implemented a directive to conduct a monthly network audit to ensure compliance with state law. Additionally, CPD will require the completion of a data-sharing request from all agencies seeking access to our network ensuring they are going to adhere to state law.
“In accordance with City policy, CPD does not assist Immigration and Customs Enforcement (ICE) officials in enforcing civil immigration law violations.”
The rest is somewhat boilerplate:
“The City remains committed to transparency, accountability, and maintaining the trust of our community. We value our relationship with our media partners and want to ensure that the information they provide is accurate. We remain sensitive to the use of emerging technology while continuing to explore solutions that support public safety, protect individual privacy, and build community trust.
“I am happy to discuss further.”
Ryan goes into more depth in a recent Lookout article, in which she encourages the public to “give Flock a chance.” As progressive as Ryan may be, all of this is what I would call a fairly typical police reply—that is, one without a deeper understanding of what the Flock mass surveillance network and all of its breaches mean for people in our communities. It is a reply, like many others across the nation, meant to protect the city and the department and allow PDs the use of fancy, new tools to fight crime. I get it. They want to prevent and solve crimes.
But Flock has been around for nearly a decade. It was founded in 2017, and violations of state and local laws have only proliferated since then. One might reasonably ask if Flock cams are actually increasing crime in this regard. The data expert quoted in our last article, and who filed public records requests for Capitola Flock data (and Santa Cruz and Watsonville data) has also been busy filing ethics violations complaints and letters to all three local cities with Flock cameras related to various California and city codes. In closed session at their Nov. 13 meeting, the Capitola council was addressing at least one such Flock liability issue, filed by “Syd J.”
The problem, which I state again here, and have repeated now dozens of times in various forums, is that Capitola does not really control its data. The whole point of the Flock network is that it is a network. That means many other departments and agencies can access our data, because we can access theirs.
The Capitola breach is not atypical–it’s actually very, very typical and has been repeated in dozens of cities–if not thousands–in and throughout the country.
The Capitola breach is not atypical–it’s actually very, very typical and has been repeated in dozens of cities–if not thousands–in and throughout the country. Which is why Senator Ron Wydon of Oregon keeps issuing big, official statements and warnings about Flock, and is now pushing for a federal investigation into the company.
In fact, we know that although the Santa Cruz police will not release their ALPR data (see update below*), they most likely have also been sharing outside of the state, because they searched outside of state. Our friendly, neighborhood data security expert found two searches by SCPD in other states, and writes, in an email:
“Three searches of ALPR data owned by the Mukilteo, WA PD were conducted by the SCPD in January and February of 2025. As data sharing between Flock Safety customers is reciprocal, there is a near certainty that out-of-state searches were also conducted on the SCPDs Flock ALPR network, violating SB 34.”
Even if Chief Ryan conducts monthly audits (after the fact of actual searches, I assume), it remains contingent on the goodwill and integrity of all other networked police departments to be very clear about their search reasons. But many search reasons in the Flock system are just entered as “investigation.” Our own department entered one as “history.” What does that mean?
Turning Off “National Lookup” Does Not Protect Our Data
Chief Sarah states that “national lookup” has been turned off for Capitola. And Flock itself has stated that they have turned off California national lookup for all agencies here as multiplying and damning news reports have piled up from national and local news outlets.
But the California-based El Cajon police department, for example, currently shares with multiple law enforcement agencies in Washington, Illinois, Colorado, Oregon, New Mexico, Florida, Texas and beyond, as listed on their Flock-hosted “transparency portal.”
This is one reason state Attorney General Rob Bonta is currently suing El Cajon for breaching multiple state ALPR laws, specifically, the ones we may all know by heart by now, SB34 and SB54, which restrict sharing of ALPR data out of state, with federal agencies, and with immigration enforcement as part of the California Values Act (SB54).
So, has Flock turned off California interstate sharing, or not? Inquiring minds want to know.
And then there’s the sheer amount of searches that ping our local data. Even if, let’s say, the Watsonville or Santa Cruz police departments turned off “national look up” and, additionally, decided to screen every single request that came into their department, how would any human actually be able to screen the millions of requests that zap into and out of our data in the space of even just months?
Capitola was subject to nearly 8 million searches from across the United States, according to the data expert, in the time frame between Jan. 1, 2024 and Oct. 9 of 2025, a period of roughly 21 months. That’s 380,000 searches, on average, per month, and 12,700 searches daily. If a police staff member were to monitor all these incoming searches, working an 8-hour day (and I imagine searches pour in at all hours), that would entail reviewing nearly 1,600 searches per hour.
If national data sharing is now indeed turned off in Capitola (who actually controls that switch?), we can reduce that number by 50 percent (roughly the percentage of national searches performed in the time frame above), that’s still 800 searches that would require proper vetting each hour.
Who could possibly keep up with even just looking at all of them, much less determining in a responsible way whether each search was based on a “need to know” basis, as Santa Cruz Chief Escalante often claims is the bar each search must clear for his own department?
Yet, Escalante also told me that once an outside law enforcement agency requests a search on our data, that agency then is granted unlimited access to our data without further screening. This seems like a free-for-all on our personal travel data and habits.
And this is why we have search warrants.
Remember those?
Those were the days.
All these questions nagged me, and police statements didn’t square with what I had read in the Santa Cruz police department’s ALPR policy manual.
After I wrote my last article on the Capitola data breach, I sent Santa Cruz police chief Bernie Escalante the following email and excerpt from that story, and requested an explanation.
From my email: “I was reading through the ALPR manual/code for the city and what is written below is my current understanding of SCPD protocol …
“It seems to me that if, as in Capitola, there are possibly millions of searches happening with our data, one person could not possibly attend to them all.
“So what you told me [in person] makes more sense than the actual manual policy. But the manual policy seems to indicate that a person needs to sign off on every search from an outside agency of any kind. See text and my questions below.
From the article: … although the city’s ALPR manual protocol is to release data to other law enforcement agencies, apparently, on a case-by-case basis (415.8 (b) of the Santa Cruz police ALPR policy manual), according to Escalante, this only happens upon the first request by an outside agency. Thereafter, searches are not gate-kept by the Santa Cruz police–in this case, Lieutenant Karina Cecena, the administrator in charge of the Flock data portal.
[To summarize:] After an outside police agency requests access to our local database for a specified reason, they then gain unrestricted access to all our data, without having to list a specific reason (although each agency is “supposed to” on their end), nor ask for permission again.
From my email: “My basic questions:
“Is what I am stating above actually correct?
“I am unclear about policy codes: 415.6 (d) and 415.8 (a) and (b), in which it seems to be required that every search by an outside agency must include the intended purpose of obtaining the information, and each request is reviewed by the Administration Deputy Chief or designee.
“415.6 (d) states that the Admin Deputy Chief must provide written approval for each search and each must be for a ‘valid crime.’ How does the department determine a ‘valid’ crime and how is the department handling these thousands or millions of searches by outside agencies on a case by case basis if they are?
“Thank you so much.”
So far, I have not received a reply from Escalante.
It Never Flocking Stops
And the fun never ends with Flock, as news reports, video exposés and court cases emerge on a near daily basis about Flock data misdeeds and abuses. Even the police themselves are subject to being tracked and doxxed by Flock. (See more below.)
Even the police themselves are subject to being tracked and doxxed by Flock.
404 Media reports on the recent judge’s ruling in Washington, which ordered all Flock data to be released to the public (including actual photographs). These photographs revealed that many faces were captured in Flock images. The city of Redmond, WA “turned off” their cameras after ICE raids occurred in close proximity to Flock cameras.
A recent study by the University of Washington Center for Human Rights documented numerous Washington state abuses and breaches by Flock. This study is relevant to California, because WA state laws are similar regarding data sharing with immigration enforcement. From the Centralia Chronicle about this report and its aftermath:
Police officials in Renton, Auburn, Mukilteo and Lakewood, Pierce County, changed their Flock settings after the UW report showed federal agencies had accessed their Flock data. The agencies never requested permission to access their cities’ data, and the respective police departments weren’t aware it happened until after UW researchers notified them or they saw the report, the officials said. [Emphasis added]
There are also increasing anecdotal reports of officers using the data to wrongly accuse people of crimes, coming to their homes, where they have tracked their cars to ... and following certain cars because they were irritated by someone. In one case, an officer intruded into a home without a warrant. Innocent people, even whole families, have been accosted and forced to the ground by police based on faulty Flock data.
East Palo Alto has just voted to pause their Flock contract. Many cities in Washington are now doing so, like Redmond, WA. Also voted down, paused or cancelled: Eureka, CA, Huntington Park, CA, Evanston, IL, Cambridge, Mass., Denver, CO, Eugene, OR, Austin, TX, Sedona, AZ, Oak Park, IL, Stanwood, WA and likely more every week or month.
Tech Experts and Hackers Show How Flock Can Be Hacked; Data is Sold on the Dark Web
The general illegality of Flock sharing and their “side door” access programs with Customs and Border Patrol mean our data is not safe, nor within our control, as long as we are connected to this company and its networks. This recent investigative video, produced by tech expert Benn Jordan, shows just how easy it is to hack directly into a Flock camera and access its data.
While the video is 45-minutes long and highly technical (Jordan says it’s his most complex and expensive to date), I watched all of it. Here is a summary of salient points made–all of which were backed up by Jordan and other tech experts and hackers who were able to replicate what any hacker could do with a Flock camera and its data.
Access to Flock data systems, which contain personal travel data, is being sold on the dark web, including, apparently, to people or groups from foreign nations.
Flock data can be altered by hackers and therefore, legally, is not admissible in a court of law as evidence. Alternatively, data could be manipulated to frame an individual. [I added this second conclusion as a natural outcome of the first.]
Flock data is easily hacked using commonly available hacking devices, and Jordan and his team easily hacked into the cameras and accessed personal travel data within the space of 30 seconds.
In an interesting twist, police officers themselves can be tracked and doxxed using Flock data. (Jordan was able to do this with his team.)
In contradiction to Flock policy statements, faces are indeed scanned by Flock cameras, data is not deleted within 7 days from cameras, and data was not encrypted at time of investigation.
There is no hard data that proves Flock cameras reduce crime rates nor increase “clearance” rates for solving crimes. In some cases, crime rates have gone up after cameras have been installed.
The CEO of Flock has taken to calling organized Flock detractors, like the founder of the open-source Flock location website www.DeFlock.me, “terrorists” and “like antifa.” Additionally, investigators like Jordan and the founder of DeFlock.me have been stalked at their homes, and now sued by Flock in seemingly frivolous suits.
How ‘Bout: Let’s Not Go Down This Road At All
The Flock company exposes all contracted cities to various lawsuits, and I believe most Santa Cruz county constituents, of many political persuasions—while supporting public safety—did not believe they were signing up for all of this when our city councils voted to contract with Flock.
In fact, residents and citizens of cities from all parts of the political spectrum have been stepping up to block Flock across the country.
Personally, I still believe this is a Fourth Amendment issue and that our rights to privacy and freedom to travel without undue surveillance should be defended and upheld by our local electeds, especially during this deeply disturbing time under a would-be and increasingly authoritarian administration.
All these criminal violations by Flock and by law enforcement agencies are a natural consequence of this kind of mass surveillance technology and I’d oppose them under any administration. The potential for abuse is overwhelming.
Who will draw the line when the federal government has given up protecting our Constitutional rights, to due process, to privacy, to freedom of expression? The answer is right here: people in our own communities.
Who will draw the line when the federal government has given up protecting our Constitutional rights, to due process, to privacy, to freedom of expression? The answer is right here: people in our own communities.
The next Santa Cruz City Council meeting will include a Santa Cruz Police report on Flock ALPRs this coming Tuesday, Nov. 18 (meeting begins in the morning.) Public comment, also known as “Oral Communications,” is estimated to start at 11:30 am.
Update! this meeting has passed and the Santa Cruz City Council will bring a resolution back to chambers for a vote on Dec. 9. Please contact all council members and especially those you may have a relationship with to urge them to CANCEL THE FLOCK CONTRACT AND TAKE CAMERAS DOWN. Shebreh Kalantari-Johnson and Susie O’Hara are taking the lead on writing the resolution. Tell them there is no possible way to get a “safe” contract with Flock.
See this Call to Action from Get the Flock Out for more info and a Zoom link to the meeting if you cannot be there in person.
Note: Capitola has shut down the entire list of agencies they share with on their “transparency portal.” According to Chief Ryan (and as written above), they will be requesting that all departments they share data with promise to not violate state and other laws.
*Update from data security expert (confirmed by Susie O’Hara at Nov. 18 council meeting)
From an email to me: “On November 3, 2025 Watsonville Police Department reopened my original [public records] request of October 7, 2025 as it lacked the Network Audit. On November 14, 2025, the City Clerk wrote:
”’I was awaiting a response from Police and have an update for you. We’ve been working with them to obtain the requested file, however, due to technical challenges, Police has not been able to retrieve the report. They are working with Flock and have a meeting next week to troubleshoot. I expect to provide you with an update by end of day on Wednesday, after their meeting. I apologize for the delay.’
”So I expect a response tomorrow. [This email is dated Nov. 18]
“Santa Cruz: On November 3, 2025, SCPD opened a new version of my first request (initially filed on October 7, 2025 and denied on October 17 based on the investigatory exemption) and on November 13, 2025 sent this message:
“The City has extended its time to respond to your request to Monday, December 1, 2025 pursuant to the California Public Records Act, Government section 7920.000 et seq. (the “CPRA”), for the following reason
Government Code § 7922.535(c)(2) • The need to search for, collect, and appropriately examine a voluminous amount of separate and distinct records that are demanded in a single request.”
Dear Friends: I did not put this article behind a paywall, as I believe the information is important to our community and want everyone to have access to it. I spent roughly a full day-and-a-half on this article, and your support for my work is appreciated!
Thanks Ami for this amazing story. BTW, I wrote emails to each of our city council members. I hope we have an impact! Maybe they don’t want to be surveilled either.