Flock Exposed Its AI-Powered Cameras to the Internet. We Tracked Ourselves
Key topics
Also: https://www.youtube.com/watch?v=vU1-uiUlHTo – This Flock Camera Leak is like Netflix For Stalkers
A shocking exposé revealed that Flock's AI-powered cameras, used for license plate recognition, were left unsecured and exposed to the internet, prompting a journalist to track their own vehicle's movements through the publicly accessible feeds. Commenters were alarmed by the ease of access to sensitive data, with some pointing out that even if the cameras were misconfigured, the issue lies in the lack of safeguards and oversight. The discussion highlighted concerns about police misuse of such data, with some noting that the problem isn't just about "bad apples" but rather a systemic issue that affects any large group of people. As one commenter suggested, making such systems openly queryable might raise awareness about their privacy implications.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
N/A
Peak period
128
0-12h
Avg / period
22.9
Based on 160 loaded comments
Key moments
- 01Story posted
Dec 22, 2025 at 11:31 AM EST
18 days ago
Step 01 - 02First comment
Dec 22, 2025 at 11:31 AM EST
0s after posting
Step 02 - 03Peak activity
128 comments in 0-12h
Hottest window of the conversation
Step 03 - 04Latest activity
Dec 28, 2025 at 5:48 PM EST
12 days ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
https://www.youtube.com/watch?v=vU1-uiUlHTo
[1]: https://lookout.co/georgia-police-chief-arrested-for-using-f... [2]: https://www.404media.co/emails-reveal-the-casual-surveillanc...
I don't know where you are, but some of the highest paid public employees in my state are police. In fact, median salaries for cops are higher than those of software engineers.
Add the fact that they get generous pensions + benefits, and can retire at 45 and draw from that pension until they die, they have it better than most of the people they police.
It's one of the only professions where you can make north of $250k+ a year doing overtime by sitting in your car playing Candy Crush all night.
Come with a pension and active lifestyle with a club(FoP) and a union in some positions, its ostensibly public service and you get to much more than peek behind the curtain.
Personally, I feel both ways about cops writ large. I feel like we could do a lot better really easily(mandatory body cam recordings please? Our guys literally just take them off.), and on the other hand I get it, they’re doing important work often enough.
Those were people with much higher scrutiny and background checking than your average cop. Those were people that themselves were more closely monitored. And yet... we want to give that to an average cop? People who have a higher than average rate of domestic abuse?
And as a result, they got rid of the cameras. Funny how that works!
What's frightening is it's not rare, it actually happens constantly, and this is just within the systems which have a high level of internal logging/user-tracking.
So now with Flock and data brokers we have authorities having access to information that was originally held behind a judge's signature. Often with little oversight, and frequently for unofficial, abusive purposes.
This reality also ties back to the discussion about providing the "good guys" encryption backdoors. The reality is that there are no "good guys", everyone exists in shades of grey, and I dare say there are people in forces whom are attracted to the power the role provides, rather than any desire for public service.
In conclusion it's a fundamental design flaw to rely on the operator being a "good guy", and that's before we get into the problem of leaks, bugs, and flaws in the security model, or in this case: complete open access to the public web - laughable, farcical, and horrifying.
What are the chances that nobody at Flock has ever abused their access?
Cynical-me assumes that if you're the sort of person who'd take a job at a company like Flock, which I and evidently a lot of other people consider morally bankrupt, then you are at least as likely as a typical cop to think that stalking your exes or random attractive people you see - is just a perk of your job, not something that should come with jail time.
Same was found in Australia when they looked into police access of data [0] [1] [2]
[0] https://www.theguardian.com/australia-news/article/2024/jun/...
[1] https://www.abc.net.au/news/2022-12-15/victoria-police-leap-...
[2] https://www.ccc.qld.gov.au/sites/default/files/Docs/Public-H...
Would not be surprised if these types of abuse serve to obfuscate other abusive uses as well and are thus part of the system operating as it should. Flood the internal logging with all kinds of this "low-level" stuff, hiding the high-level warrantless tracking.
These aren't people who should hold any kind of intel. It's an actual danger to the population to give these people this much power.
>“That’s so extreme, they just shouldn’t have power, freedom is paramount, return to normal” etc.
Sorry, too late for this. I advocated for more gentle measures 10 years ago when they were possible/plausibly effective. Just like any other infection, if you wait too long to address the problem you are forced towards extreme action. Or death. No third option.
We have met the enemy and he is us -Pogo
Julia uttered a tiny sound, a sort of squeak of surprise. Even in the midst of his panic, Winston was too much taken aback to be able to hold his tongue.
‘You can turn it off!’ he said.
‘Yes,’ said O’Brien, ‘we can turn it off. We have that privilege.’
I propose that it become mandatory for all senior managment, board members, and investors in Flock - to have these Condor camears and their ALPR cameras installed out the front of their houses, along their routes to work, along the route to nearby entertainment precincts, outside their children's school and their spouses workplace (or places they regularly visit if they don't work) - all of which must be unsecured and publicly available at all times.
(Yes I know, I'm dreaming. I reckon every Meta employee's children should be required to have un-parental-controlled access to Facebook/WhatsApp/Messenger/et al...)
https://news.ycombinator.com/item?id=44182186 https://github.com/AlexxIT/go2rtc
Etc, etc... there's a huge list.
When you all let go of these abstract objects you fetishists prop up and accept the damage it's doing to the physical world we share, then I will take this forums complaints sincerely. "The state" is its people. It's not a concept, it's "the state" of it's people's agency.
This ridiculous effort to separate ground truth into semantic bubbles, ethno objects, etc, is just delusion. Hallucination. Those ethno objects and hallucinations only exist so long as they are observed in shared physical space. The physical context comes before the semantics. Philosophy does not give rise to physics, physics gives rise to philosophy.
I’ve known of him a long time simply because of his extremely progressive views towards releasing his own music. In other words, I would not care about Benn Jordan but for the fact that he was releasing his own torrented music on WCD 15 years ago
Or, at the very least, that we can go back and look later.
> I know in theory we all can continuously download and datamine these video feeds but can everyone really?
To which my response is "this is like OSS." What I mean by that is that, in theory, people audit and review code submitted to OSS software, in reality most people trust that there are other people who do it.
> Public feeds would enable someone to document and sell people's whereabouts in real time. The fact that I could do the same or go back and look later is no defense.
This is a different argument to me and one that I'm still torn about. I think that if the feeds exist and the government and private entities have access to them, the trade-offs may be better if everyone has access to them. In my mind this results in a few things:
1. Diffusion of power - You said public feeds would enable someone to document and sell people's whereabouts in real time." Well, private feeds allow this too. I'd rather have everyone know about some misdeed than Flock or the local PD blackmail someone with it.
2. Second guessing deployment - I think if the people making the decisions know that the data will be publicly available, they're more likely to second guess deploying it in the first place.
3. Awareness - if you can just open an app on your phone and look at the feed from a camera then you become aware of the amount of surveillance you are subject to. I think being aware of it is better than not.
There's trade-offs to this. The cameras become less effective if everyone knows where they are. It doesn't help with the location selection bias - if they're only installed in areas of town where decision makers don't live and don't go, the power is asymmetric again. Plenty of other reasons it is bad. None of them worse than the original sin of installing them in the first place.
I do buy your argument that open access could help check the worst abuses. But, if widespread, it'd be so catastrophic for national security that I can't see how it would ever fly.
If I were an enemy nation state, flock would definitely be a target.
Or how it has become increasingly trivial to identify by face or license plate such that combining tools reaches "movie Interpol" levels, without any warrant or security credentials?
If Big Brother surveillance is unavoidable I don't think "everyone has access" is the solution. The best defense is actually the glut of data and the fact nobody is actively watching you picking your nose in the elevator. If everyone can utilize any camera and its history for any reason then expect fractal chaos and internet shaming.
Sure. It also lets parents watch. Or others see when parents are repeatedly leaving their kids unattended. Or lets you see some person that keeps showing up unattended and watching the kids.
> Or how it has become increasingly trivial to identify by face or license plate such that combining tools reaches "movie Interpol" levels, without any warrant or security credentials?
That already exists and it is run by private companies and sold to government agencies. That’s a huge power grab.
> The best defense is actually the glut of data and the fact nobody is actively watching you picking your nose in the elevator. If everyone can utilize any camera and its history for any reason then expect fractal chaos and internet shaming.
This argument holds whether it is public or not. It is worse if Flock or the government can do this asymmetrically than if anyone can do it IMO, they already have enough coercive tools.
... which is the expected, default use-case for a playground ...
If you leave your kids unattended at a playground I don't see how the camera changes the risk factor in any meaningful way. Either a pedophile can expect there to be unattended children or not.
Most people don’t like the idea that strangers could easily stalk their child remotely.
It’s the easy of access to surveillance technology that is different. Has nothing to do with the park being safe or not.
Try to think like an evil person with no life and very specific and demonic aims if you’re still having trouble seeing why this would be an issue.
That person already has incredible power to stalk and ruin someone's life. Making Flock cameras public would change almost nothing for that person.
I am far more worried about the amount of power it gives to police, Flock, and (less so) local government.
Stalking someone from your desk vs. IRL is a whole different ball game. Not sure why this needs explanation… anyways, the main difference is how easy it do things from your desk. For example, no one see you when you’re stalking someone from your desk. Think of the success of 4chan investigations vs. those in authority to actually do so. It’s empowering.
We live in a world of strangers, and unfortunately a % of those are the type to kill/rape other strangers. Why enable them?
Not sure who else would be empowered by making all public camera accessible at the click of a button, but I’m interested in who you think that population is.
Certainly we can agree most normal folks will not spend their time looking camera feeds of strangers?
I’m fascinated by people who stick to their theoretical principles (‘all data should be public’, etc.) no matter the real world implications, but we all have our own interests :).
Turns out, 95% of the predators already know exactly where the victims are, usually because it's their kid. Probably we want to worry about that a lot more.
Doubly so since, y'know, this only works if the predator lives close enough to act on the information before it changes - so the tiny possibility of a predator, a tiny possibility that they didn't already know this, and a tiny possibility of being able to act on the information...
If it's inappropriate for any pedo to see when kids are in a park then certainly it should inappropriate when those pedos just happen to be police officers or Flock employees. The nice thing about the "everyone has access" case is that it forces the public to decide what they think is acceptable instead of making it some abstract thing that their brains aren't able to process correctly.
People will happily stand under mounted surveillance cameras all day long, but the moment they actually see someone point a camera at them they consider that a hostile action. The surveillance camera is an abstract concept they don't understand. The stranger pointing a camera in their direction is something they can understand it makes their true feelings very clear.
We might need a little bit of "everyone has access" to convince people of the truth that "no one should have access" instead.
Cities will remove Flock cameras at the first council meeting that sits after council-members learn their families can be stalked.
I imagined a "white list" though (or whatever the new term is—"permitted list"?) so that only certain license plates are posted/tracked.
But if your spouse/SO/sister/mother/girlfriend/whatever was assaulted while jogging in a park that had Flock cameras, and it allowed law enforcement to quickly identify, track, apprehend and charge the criminal, you'd absolutely be grateful for the technology. There's nothing worse than being told "we don't have any leads" when someone you care about is attacked.
We can make up situations all day where it can or can not be validated but the reality is that this is a defacto surveillance state. If every move you make can be monitored, you should assume that the state can and will abuse it to hurt innocent people in the name of politics or whatever.
Anyhow, if you read the flock database, they're overwhelmingly not using them for the purposes of public safety or random crime.
That would seem to be very relevant information.
No, I don't want these cameras. I don't care if they make law enforcement's job easier. They are an invasion of privacy and a part of the disgusting dragnet surveillance state.
They need to go.
A decade ago, I was attacked on a public sidewalk by three men, who roughed me up a bit and stole from me. The police were utterly unhelpful, and as far as I know, they never caught anyone. But ultimately, that didn't really matter. I was traumatized for a while, but eventually worked through it. Whether or not they were caught would not have changed any part of that process.
I get that, emotionally, we want some sort of justice when things like this happen, but I am not willing to put up with even more constant surveillance in order to feel a little bit better about a bad thing that happened to me. I would much rather criminals sometimes went free.
As though personal rights/liberties are trumped by a cop needing to do paperwork or leave his desk.
Plus, when you follow this to its natural/extreme conclusion, the absolute easiest thing for law enforcement would be to arrest you for no reason at all.
The rationalization for this policy of course could simply be that probable cause is "inconvenient."
> There's nothing worse than being told "we don't have any leads" when someone you care about is attacked.
I'd argue worse is "we know exactly who did it and we're not going to do anything about it (but we would do something if you try to do something about it yourself)".
There is freedom to and freedom from as they say in The Handmaid’s Tale.
“It is better, so the Fourth Amendment teaches us, that the guilty sometimes go free than the citizens be subject to easy arrest.” - Former Supreme Court Justice William O. Douglas
Appealing to emotions, tsk tsk, but going right for the jugular? Yikes.
Also, elephant in the room: if your sister was going to be raped or beaten, it would probably be by someone in her home, in her family. Like her cop husband.
https://www.bbc.com/news/world-europe-46822472
I notice they generally watch busy roads and intersections, off and on ramps to highways, retail malls…
Smaller roads through neighborhoods were mostly unmolested.
https://news.ycombinator.com/item?id=46356182 Benn Jordan – This Flock Camera Leak Is Like Netflix for Stalkers [video] (youtube.com)
(Edit: and put that video's link in the toptext above.)
From what I understand these systems are legal because there is no expectation of privacy in public. Therefore any time you go in public you cannot expect NOT to be tracked, photographed, and entered into a database (which may now outlive us).
I think the argument comes from the 1st amendment.
Weaponizing the Bill of Rights (BoR) for the government against the people does not seem to align with my understanding of why the Bill of Rights was cemented into our constitution in the first place.
I wonder what Adams or Madison would make of it. I wonder if Benjamin Franklin would be appalled.
I wonder if they'd consider every license plate reading a violation of the 4th amendment.
Not quite. There's been precedent set that seems to imply flock and other mass surveillance drag net operations such as this do violate the forth.
It is perfectly normal to wonder what the architect of a system thinks of the current system, and entirely separate from wondering what a pair of unrelated Frenchman think of that system. Even if they are just “some ancient dead old dudes”.
I suspect they'd make a distinction between private individuals engaging in first amendment protected activity like public photography and corporations or the state doing the same in order to violate people's 4th amendment rights. We certainly don't have to allow for both cases.
The authorities absolutely kept meticulous records of ships entry and exit from any harbour as well as what was on board, what was loaded and unloaded and frequently a list of all persons onboard.
Some flag states enforce uniqueness constraints on name and home port combinations. The US does not, but that really doesn’t matter much in the real world. There just aren’t that many conflicts.
More importantly, the founding fathers very much did not extend privacy rights to ships. Intentionally so. The very first congress passed a law in 1790 that exempted ships from the requirements of needing a warrant to be searched.
The ability to track and search ships without warrants has been an important capability of the federal government from day one.
Hell, the federal register of ships is published and always has been. I don’t know how they would have felt about private cars, but the founding fathers revealed preference is that shipping and ships are not private like your other “papers and effects” are.
What do cars, wagons and carts have to do with the current conversation that is specifically about how the founding fathers treated privacy on oceangoing vessels?
I will keep that in mind on this thread about ships.
Ships - ships big enough to do material damage would be very small in # - ships big enough to do material damage would have a (somewhat?) professional crew - whatever damage they could do would always be limited to tiny areas - only where water & land meet, only where substantial public or private investment had been made in docks/etc - operators have strong financial incentive to avoid damaging ship or 3rd party property (public or private)
Cars - in some countries the ratio of cars to people is approaching 1 - a vanishingly small portion of vehicles have professional drivers - car operators expect to be able to operate at velocities fatal to others on nearly 100% of land in cities, excepting only land that already has a building on it, and sometimes not even that. - car operators rarely held liable for damage to public property, injury, or death and there's strong political pressure to socialize damage and avoid realistic risk premiums
I don't love flock but IMO the only realistic way to get rid of license plates would be mandatory speed governors that keep vehicles from going more than like 15mph. I would be fine with that, but I suspect most would not. If we expect to operate cars at velocities fatal to people outside our vehicles, then there will always be pressure to have a way of identifying bad actors who put others at risk.
I don't understand this reasoning. License plates don't stop speeding from happening. Removing license plates wouldn't prevent enforcement of speed limits either. A cop can pull over and ticket someone without a license plate just as easily as they do now.
Often, the same people crying about Flock will decry private arms ownership through mental gymnastics.
These very same ships you speak of that could do "tons of damage" had actual cannonry - with no registration or restrictions on ownership or purchase, either.
Depends how fast we lost him to porn on the internet
I think maybe the worst part is that the more we buy into this belief the more self fulfilling it becomes (see third link). But I don't expect anyone to believe me so here's several links. And I'd encourage people to push back against this misnomer. In the most obvious of cases I hope we all expect to have privacy in a public restroom. But remember that this extends beyond that. And remember that privacy is not binary. It's not a thing you have complete privacy or none (public restrooms again being an obvious example). So that level of privacy that we expect is ultimately decided by us. By acting as if it is binary only enables those who wish to take those rights from us. They want you to be nihilistic
https://www.eff.org/deeplinks/2024/09/you-really-do-have-som...
https://en.wikipedia.org/wiki/Reasonable_expectation_of_priv...
https://legalclarity.org/is-there-an-expectation-of-privacy-...
This is a common line of phrasing parroted by Flock and their supporters to no end but it's a myth. The SC, as much of a joke as they are now, established that a person has a reasonable expectation to privacy in their long term movements in Carpenter v. United States (2018). To date there is NO precedent carved out in the constitution or ANY Supreme Court case stating that people have zero expectation to privacy in public.
https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf
You must have very little imagination to see the irony of your own comment.
Specifically:
If a flock (or similar) camera is deployed on public land/infra there should exist default permission for any alternate vendor to deploy a camera in the same location.
I wonder how that could be used and/or abused and, further, what the response from a company like flock would be ...
Multiple cases have revealed that it seemed like police and Shotspotter worked hand-in-glove to tweak Shotspotter data and demographics to help shore up a case and make things appear more reliable than they were.
And multiple cases where, sufficiently pushed, DAs have dropped cases or dropped Shotspotter as evidence rather than have the narrative challenged too closely.
What was notable to me is the following, and it’s why I think a career spent on either security researching, or going to law school and suing, these vendors into the ground over 20 years would be the ultimate act of civil service:
1. It’s not just Flock cams. It’s the data eng into these networks - 18 wheeler feed cams, flock cams, retail user nest cams, traffic cams, ISP data sales
2. All in one hub, all searchable by your local PD and also the local PD across state lines who doesn’t like your abortion/marijuana/gun/whatever laws, and relying on:
3. The PD to setup and maintain proper RBAC in a nationwide surveillance network that is 100%, for sure, no doubt about it (wait how did that Texas cop track the abortion into Indiana/Illinois…?), configured for least privilege.
4. Or if the PD doesn’t want flock in town, they reinstall cameras against the ruling (Illinois iirc?) or just say “we have the feeds for the DoT cameras in/out of town and the truckers through town so might as well have control over it, PD!”
Layer the above with the current trend in the US, and 2025 model Nissan uploading stop-by-stop geolocation and telematics to cloud (then, sold into flock? Does even knowing for sure if it does or doesn’t even matter?)
Very bad line of companies. Again all is from primary sources who helped implement it over the years. If you spend enough time at cybersecurity conferences you’ll meet people with these jobs.
I enjoy some of these shows myself but it is sometimes crazy how blatant they are about it.
So even the ones that try to buck the trend end up following it.
The name "Law & Order" is a blatant example of this, as it's a phrase used by Richard Nixon during his campaign in 1968, and was widely repeated when he created justifications for starting the War On Drugs in 1970. This same phrase was later used by Reagan and H.W. Bush when they planted their positions of wanting to wield state violence against countercultures that arose. The '90s was full of change as Gen-X started to become adults and formed their own powerful countercultures, and the title of the show was an emotional appeal to conservative older people who hated that change and wanted the state to shape society instead of the other way around.
It reminds me of this meme: https://www.reddit.com/r/Cyberpunk/comments/sa0eh3/dont_crea...
Mass vandalism is the answer to this problem.
Good thing nobody tried to pop a shell on the camera OS and move laterally through the network. That would be bad.
I'm sure it's all very secure though.
309 more comments available on Hacker News