According to TechCrunch, Senators Ron Wyden (D-OR) and Raja Krishnamoorthi (D-IL) have called for an FTC investigation into Flock Safety over cybersecurity failures that expose its nationwide license plate scanning network to hackers. The lawmakers revealed that Flock does not require multi-factor authentication for law enforcement users, despite confirming to Congress in October that stolen police logins have already appeared on Russian cybercrime forums. Flock operates one of the largest camera networks in the U.S., serving over 5,000 police departments and scanning billions of license plate photos. While the company claims 97% of law enforcement customers now use MFA, approximately 3%—potentially dozens of agencies—have declined the security feature, leaving the system vulnerable to foreign spies who could access sensitive location data on American citizens. This security gap raises serious concerns about the integrity of our national surveillance infrastructure.
Sponsored content — provided for informational and promotional purposes.
The Systemic Nature of This Security Failure
What makes this situation particularly alarming is that we’re not dealing with isolated security lapses but rather a systemic design choice. Flock Safety built a massive surveillance infrastructure—essentially creating a national vehicle tracking system—without implementing fundamental security protocols as mandatory requirements. The company’s decision to make multi-factor authentication optional represents a fundamental misunderstanding of modern cybersecurity principles, especially for systems handling sensitive law enforcement data. When you’re dealing with location tracking at this scale, security cannot be an optional feature that customers can decline for “reasons specific to them,” as Flock’s chief legal officer described in the company’s response. This approach creates weak links that compromise the entire network’s integrity.
Diverse Stakeholder Impacts Beyond Law Enforcement
The ramifications extend far beyond the law enforcement agencies using the system. Every American driver whose license plate gets scanned becomes an unwitting participant in this security vulnerability. The previously reported incident where the DEA used a local officer’s credentials without their knowledge demonstrates how access can be exploited even within legitimate channels. For private businesses that host Flock cameras, this creates liability concerns about whether they’re adequately protecting community data. Municipal governments funding these systems face questions about due diligence in their procurement processes. The security gap essentially creates a backdoor that could be exploited by everyone from foreign intelligence services to domestic stalkers.
A Troubling Pattern in Surveillance Technology
This situation reflects a broader pattern in the surveillance technology industry where rapid expansion often outpaces security considerations. Companies like Flock frequently prioritize market penetration and user adoption over implementing robust security controls that might create friction for customers. The lawmakers’ letter to the FTC highlights how this creates a regulatory gap where companies can collect massive amounts of sensitive data without corresponding security obligations. What’s particularly concerning is that Flock only enabled MFA by default for new customers starting in November 2024—years after establishing their network and only after congressional scrutiny. This reactive approach to security is fundamentally inadequate for systems handling billions of location data points.
Broader Implications for Public Safety Infrastructure
The security vulnerabilities in Flock’s system have implications for how we approach public safety technology infrastructure nationwide. When surveillance systems become interconnected across jurisdictions, security weaknesses in one agency can compromise data across the entire network. The fact that stolen credentials have already appeared on Russian cybercrime forums suggests this isn’t a theoretical threat but an active security incident. For law enforcement agencies, this creates operational security concerns beyond data privacy—if adversaries can access the same tracking systems used for criminal investigations, they can potentially monitor police movements and compromise ongoing operations. The situation underscores the need for federal security standards for law enforcement technology vendors rather than leaving security decisions to individual company policies.
The Regulatory and Market Outlook
Looking forward, this case likely represents a turning point for surveillance technology regulation. The FTC investigation called for by lawmakers could establish precedent for holding surveillance companies accountable for cybersecurity failures. We may see increased scrutiny of vendor security practices during municipal procurement processes, and potentially new legislation requiring minimum security standards for systems handling sensitive law enforcement data. For Flock specifically, the company faces not just regulatory risk but also potential loss of customer trust if agencies reconsider their reliance on a system with documented security vulnerabilities. The ultimate test will be whether the company moves beyond reactive security measures to implement comprehensive, mandatory protections across its entire network.
