San Francisco police found that their Flock Safety license plate reader network was queried 299 times for agencies that were not supposed to use it, according to a KTVU report citing an SFPD release. The searches were made over roughly a year by the Northern California Regional Intelligence Center, known as NCRIC, on behalf of federal and out-of-state agencies.
The number is small as a share of total activity. SFPD said the improper queries represented 0.005% of searches during the period, according to KTVU. The legal problem is not solved by the denominator. The whole point of California’s access limits is to keep federal and out-of-state agencies from using local plate-reader systems as a back door.
Automatic license plate reader systems, or ALPRs, photograph plates and log time and location data. Police can search those records later, or receive alerts when a plate matches a list. Flock has built its business around selling that infrastructure to police departments, homeowners associations and private camera owners, then turning the footage into a searchable network.
Flock says the software did not fail
Flock spokesperson Paris Lewbel told KTVU the San Francisco searches did not result from a software bug, a platform problem, unauthorized access, or a failure of Flock’s system. He also said no federal or out-of-state agency had direct access to SFPD’s Flock system or any California Flock system, according to KTVU.
That defense narrows the issue rather than ending it. If federal and out-of-state agencies could not log in directly, then the disputed searches appear to have been run through a permitted user with access to SFPD’s network. That is the boring, ugly version of surveillance abuse: no hacker hoodie, no zero-day, just an authorized user doing something the rules were meant to prevent.
Flock previously said in February that it had disabled its national lookup feature for all California agencies and believed its privacy protections complied with state law, local policy and community expectations, according to KTVU. The San Francisco audit does not prove that statement was false. It does show that disabling one feature does not stop a local user from running a query for somebody else.
Audit found the problem after the fact
SFPD identified the activity during a routine compliance audit in May, according to the department’s release cited by KTVU. Techdirt reported that SFPD cut off access after the audit findings.
The episode lands amid wider scrutiny of Flock’s police network. Techdirt has reported that federal lawmakers have asked the company and its law enforcement partners for answers, and that some cities have tried to remove or disable Flock cameras after public criticism or evidence of misuse.
The 0.005% figure also deserves a raised eyebrow. An audit designed to catch searches routed around access rules will not necessarily catch every questionable search by an authorized officer. Techdirt has reported separate allegations involving police use of ALPR systems to track former partners, protesters and abortion-related investigations. Plaintiffs suing California over ALPR use have alleged more than 1.6 million illegal searches statewide over the same period, according to Techdirt.
Flock’s position, as described by KTVU, is that its platform worked as designed. SFPD’s audit says improper searches still happened. For San Franciscans whose cars are logged by these cameras, the distinction may not be comforting. A surveillance system can follow the login rules and still be used to do the thing the law was written to stop.
This story draws on original reporting from Techdirt.