According to TechCrunch, Senators Ron Wyden (D-OR) and Raja Krishnamoorthi (D-IL) have formally asked the Federal Trade Commission to investigate Flock Safety for cybersecurity failures that expose its nationwide license plate surveillance network to hackers. The lawmakers revealed that Flock confirmed to Congress in October that it doesn’t require multi-factor authentication (MFA), despite evidence that stolen police logins are already circulating online, including on Russian cybercrime forums. Flock’s chief legal officer Dan Haley responded that the company only made MFA default for new customers starting November 2024, with 97% of law enforcement customers now using it—leaving approximately 3% of agencies, potentially dozens, without this basic protection. This security gap comes as Flock operates one of the largest camera networks in the U.S., serving over 5,000 police departments and scanning billions of license plate photos that track vehicle movements across the country. The situation raises critical questions about mass surveillance security.
The Systemic Nature of This Security Failure
What makes this situation particularly alarming is that it represents a textbook case of security theater in critical infrastructure. Flock Safety has built a surveillance system capable of tracking vehicle movements across the United States, yet treats the authentication protecting this sensitive data as optional. The company’s approach reflects a fundamental misunderstanding of modern cybersecurity principles—in systems handling sensitive law enforcement and location data, multi-factor authentication shouldn’t be a feature to enable but a foundational requirement. The fact that stolen credentials are already appearing on Russian forums indicates this isn’t a theoretical threat but an active vulnerability being exploited. When you combine massive data collection with weak access controls, you create exactly the type of systemic risk that should concern both privacy advocates and national security officials.
Broader Surveillance Industry Implications
This incident exposes a critical weakness in the rapidly expanding surveillance-as-a-service industry. Companies like Flock operate in a regulatory gray area where they collect massive amounts of sensitive data but face minimal security requirements. The 404 Media report about the DEA using a local officer’s password without their knowledge reveals another dimension—even legitimate access can become problematic when authentication controls are weak. This creates a domino effect where one compromised account can provide access to multiple agencies, blurring jurisdictional boundaries and bypassing traditional oversight mechanisms. The industry’s growth-first mentality often prioritizes customer convenience over security, creating vulnerabilities that extend far beyond individual police departments to affect national security interests.
Who Bears the Risk in This Security Gap?
The stakeholders affected by this security failure extend far beyond the law enforcement agencies using Flock’s system. First, the police departments themselves face operational security risks—if hackers can access their surveillance data, they can monitor police movements, compromise investigations, or plant false evidence. Second, federal agencies relying on this data for national security purposes now face contamination of their intelligence streams. Most concerning is the impact on ordinary citizens, whose location data spanning months or years could be exposed to malicious actors. The lawmakers’ letter correctly identifies the taxpayer funding angle—citizens are effectively paying for systems that inadequately protect their own data. This creates a perverse situation where public funds enable surveillance that then becomes vulnerable to foreign adversaries.
A Regulatory Crossroads for Surveillance Technology
This situation represents a critical test case for how regulators will handle the security of mass surveillance systems. The FTC’s response—or lack thereof—will set precedent for whether companies collecting sensitive location data face meaningful security requirements. Historically, surveillance technology has outpaced regulation, with companies operating under minimal oversight while accumulating unprecedented amounts of personal data. The voluntary approach Flock has taken, where security features are optional rather than mandatory, demonstrates why market forces alone cannot ensure adequate protection of sensitive information. As these systems become more integrated into law enforcement operations, the security standards must evolve from recommendations to requirements, with independent verification and meaningful consequences for failures.
The Path Forward for Surveillance Security
Moving forward, companies operating mass surveillance systems must adopt security-by-design principles rather than treating protection as an afterthought. This means mandatory MFA, regular security audits, breach notification protocols, and limits on data retention. The 3% of agencies still without MFA represent an unacceptable risk in systems handling sensitive location data. Furthermore, the incident reveals the need for better authentication methods beyond simple username/password combinations, potentially including device certificates, hardware tokens, or biometric verification for law enforcement access. As surveillance technology becomes more pervasive, the security standards must be proportional to the sensitivity of the data being collected and the potential harm from its exposure.
