Flock Safety's AI Cameras Are Logging Your Plate — And Some Cities Want Out
Solar-powered cameras quietly scan licence plates on public streets across America. The data lives with local police — and federal agencies know how to ask for it.

Thousands of small, solar-powered cameras are recording the movements of American vehicles every day, and a growing number of communities are asking whether that is a bargain they want to keep.
What Flock Safety Actually Does
Flock Safety sells AI-powered licence-plate readers to city governments and police departments. Each camera captures a passing vehicle's plate, stamps it with a time and location, and checks it against law-enforcement watchlists in seconds. The company markets the product as a crime-fighting tool — useful for recovering stolen cars and locating missing persons. That pitch has worked: the cameras are now deployed in hundreds of municipalities across the United States.
The device itself is unremarkable. Bolted to a pole, pointed at a road, it runs on solar power and requires almost no maintenance. Easy to install, easy to ignore. That invisibility is part of the problem critics are raising.
The Data Trail and Who Can Follow It
Every scan creates a record. Scale that up across thousands of cameras and the aggregate becomes something qualitatively different from a single traffic stop. It becomes a searchable history of where vehicles — and by extension their owners — have been. That kind of longitudinal location data is exactly what civil-liberties organisations have warned about for years.
Flock Safety itself does not share data with federal agencies. The company has been explicit on that point. But the pathway critics describe does not require Flock to do anything. Local police departments hold the records. Federal agencies such as Immigration and Customs Enforcement can submit legal requests to those departments. The distinction between "Flock shares data" and "local police share data they got from Flock" is legally real but practically narrow.
"The infrastructure is there," is how activists have framed the concern at city-council meetings across the country. Build the network, and whoever controls local policing can move its contents upstream. That argument is resonating. Several communities have cancelled their Flock Safety contracts, and others have opened formal reviews after constituents raised objections about passive, mass surveillance of people who have committed no offence.
Flock Safety maintains that data-retention limits and access controls are built into its contracts and prevent misuse. Those controls do exist. Whether they are consistently enforced, and whether they would survive sustained political pressure from federal authorities, are questions no contract can answer in advance.
Why This Is a Security and Privacy Problem, Not Just a Policy Debate
From a security-awareness perspective, this story is not only about immigration enforcement. It illustrates a pattern that defenders of all kinds should recognise: data collected for one purpose rarely stays confined to that purpose. The technical term is "function creep," and it is one of the most consistent failure modes in information governance.
The Verizon 2024 Data Breach Investigations Report found that 68 percent of breaches involved a human element — decisions made by people, not failures of hardware. Flock's cameras do not represent a breach in the traditional sense, but they demonstrate the same underlying dynamic. A system is built, data accumulates, and the downstream uses of that data are governed by policies and relationships that can change without any technical modification to the system itself.
The control that failed here is not a firewall or an MFA prompt. It is data minimisation — the principle, codified in NIST SP 800-53 control family IP-2 and echoed in virtually every modern privacy framework, that organisations should collect only the data they need and retain it only as long as necessary. When every plate, on every street, at every moment is logged indefinitely, minimisation has not happened. That creates a reservoir of sensitive information that any actor with legal authority can tap.
What Defenders and Community Members Should Do
For security professionals advising local government clients, this incident is a reminder that procurement decisions are security decisions. Before a city signs a contract with any data-collection vendor, the following questions deserve written answers:
- What data is collected, and at what granularity?
- How long is it retained, and who controls the retention schedule?
- Under what legal standards can a third party — including a federal agency — request access?
- What notification, if any, does the vendor or department provide when such a request arrives?
For residents, civil-liberties lawyers recommend submitting public-records requests to find out whether your municipality uses Flock cameras, what the data-retention policy is, and whether any federal access requests have been received. That information is, in most states, legally obtainable.
For organisations thinking about their own internal data-governance posture, this is also a useful mirror. Companies frequently collect logs, telemetry, and behavioural data from employees and customers because storage is cheap and the data might be useful someday. "Might be useful someday" is not a retention policy. It is a liability.
Organisations that want their people to understand these dynamics — the gap between data collection, data use, and data misuse — can build that awareness through structured training. Helping employees and decision-makers recognise that every dataset has a potential second owner is one of the practical lessons a well-designed security-awareness programme puts in front of staff.
The Bigger Picture
Flock Safety is not uniquely sinister. The company is doing what it was built to do. The discomfort communities are expressing is about something upstream of the product: a collective reckoning with how much passive surveillance is acceptable on public streets, and who gets to answer that question.
Some cities are deciding the answer is: less than we currently have. Contract cancellations are a market signal. They will not by themselves resolve the underlying tension between public-safety technology and civil liberties, but they demonstrate that communities retain real power over which systems operate in their streets.
For privacy advocates, that is the takeaway worth amplifying. The law may permit mass licence-plate logging. Community contracts can limit it anyway. And residents who show up to council meetings with public-records requests in hand are exercising a form of oversight that no technical control can replicate.
If your organisation handles sensitive location data, or advises clients who do, review your data-minimisation posture now. The political climate around surveillance is shifting. Contracts signed when that climate was more permissive may not survive the next council meeting — or the next administration.
How better data-governance awareness could have changed this conversation
- Train decision-makers to ask 'who else can access this data?' before any surveillance or analytics system goes live — not after.
- Embed data-minimisation principles into procurement checklists so that collection scope and retention limits are negotiated at contract stage.
- Run scenario-based exercises that show staff how data collected for one purpose can be repurposed under legal pressure, building instincts for appropriate scepticism.
Train2Secure's security-awareness programmes include modules on data governance and privacy risk designed for both technical teams and non-technical decision-makers.
Start free — no card requiredSources & further reading
- https://www.flocksafety.com/privacy-policy
- https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- https://www.verizon.com/business/resources/T6c5/reports/2024-dbir-data-breach-investigations-report.pdf
- https://www.nbcnews.com/video/flock-s-a-i-enabled-street-cameras-see-backlash-across-the-country-266154053762
Frequently asked questions
Does Flock Safety share licence-plate data directly with federal immigration agencies?
No. Flock Safety says it does not hand data to federal agencies. However, local police departments that hold the data can receive legal requests from agencies such as ICE, making the distinction narrower in practice than it appears on paper.
Can residents find out whether their city uses Flock Safety cameras?
Yes. Submitting a public-records request to your local police department or city government is the standard route. In most U.S. states, procurement contracts and data-access policies are legally obtainable documents.
What is data minimisation and why does it matter here?
Data minimisation is the principle that organisations should collect only the data they genuinely need and keep it only as long as necessary. NIST SP 800-53 includes it as a core privacy control. Flock's system logs every plate on every street continuously, which is the opposite of minimisation — and that creates a large reservoir of sensitive information available to any party with legal standing to request it.
What should security professionals advise local government clients about surveillance procurement?
Treat procurement decisions as security decisions. Before signing a contract with any data-collection vendor, get written answers on: what data is collected, how long it is retained, who controls the retention schedule, and under what legal standards a third party can request access.



