Even if You Want Surveillance, Flock is a Bad Choice
The rapid expansion of Flock camera installations and contracts has been widely noted here and elsewhere as cause for concern. Even beyond the significant risks posed by Flock to privacy and civil liberties, there lies another question: is Flock good at what it does? I've worked in software and built cybersecurity systems for the federal government, and I believe that answer is a resounding "no." Even if (and this is a very big "if") you believe that the function served by Flock is necessary, Flock is uniquely unqualified and risky as a surveillance service provider.
I don't imagine that most Mass 50501 readers and members of the public need to dig very deep in order to find reasons to oppose the growing uses of Flock cameras. I and many others are less concerned with whether Flock is good at what it does, and much more concerned that what it does is bad. Dragnet facial recognition and person-tracking, the slippery slope from license plate recognition (LPR) to broader mass surveillance, dubious data sharing between municipal police forces and federal agencies like ICE (Flock continues to obfuscate their involvement with federal agencies), and the documented statements of Flock leadership all provide abundant opportunities for abuse and dystopian levels of surveillance.
Government decision makers, however, may never agree with those concerns. And while "elect better decision makers" is an essential long-term solution to that problem, in the short term we should also be able to make a case against Flock in terms that less sympathetic officials can understand. When we talk about "decision makers," we're not just referring to elected officials, but also police chiefs, bureaucrats like federal or state contracting officers, IT specialists at municipal departments, city or county council members or commissioners, corporations considering adopting Flock for parking lot surveillance, and so on.
Mass 50501 and many other activist groups include many people who, as part of their daily work and life, have contact with people in roles that might influence various agencies' and businesses' decisions to deploy or expand Flock's products. Let's break down how to lobby against Flock to an audience whose values don't align with ours. This isn't hard. Flock's data management track record and publicly documented cybersecurity posture raise numerous red flags that should seriously concern anyone who is considering adopting or expanding Flock usage.
Flock Takes Away Control
Flock has publicly stated that the configuration of their cameras and the data they capture are under the full control of Flock customers (agencies/police departments/corporations), and that customers can customize what data is captured and/or shared with other law enforcement organizations. In Flock’s own words: “With Flock, cities control their data and who they share it with. They always have.”
Recent history, however, tells a different story. In December of 2025, Flock mistakenly granted everyone on the internet access to a subset of Flock cameras in California, Georgia, and potentially other states. A misconfiguration resulted in those cameras’ data feeds and 30 days of previously-captured surveillance video being exposed on the web for anyone to watch.
Flock’s CEO described the discovery of this error as part of a “coordinated attack” on Flock’s systems, which is a laughable claim. The “attack” in question involved using a publicly available internet scanner to look for Flock cameras that were open to anyone, a process so easy that a middle schooler could perform it from any computer in a few minutes. No username, password, or specialized tools were required: just a URL that, once known, served the camera’s feed to any web browser that requested it. That’s not a “hack” or an “attack”; that’s the digital equivalent of driving down a suburban street and noticing that several houses are empty with their front doors wide open.
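What the scan in that episode amounts to is a single request carrying no credentials, and the same request is the check a camera owner should be running against their own inventory. The following is an added example written for this article, not Flock's code or anything from the incident: it stands up two simulated camera web pages on the local machine (constructed stand-ins, not real devices; one serves its view to anyone, the other demands HTTP Basic credentials) and probes both anonymously the way a scanner would. Pointing check_fleet() at your own device URLs flags anything that answers an anonymous request with a 200 and a page body.

```python
"""Check a camera fleet for unauthenticated exposure.

Added example; not Flock's code or the article's. The two handlers below
are constructed stand-ins for a misconfigured and a correctly configured
camera web UI. probe() does what an internet-wide scanner does: one GET
with no credentials, and a look at what comes back.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed HTML standing in for a camera's live-view page.
FAKE_LIVE_VIEW = b"<html><title>Camera 0042 - Live</title><video src='stream.m3u8'></video></html>"


class OpenCameraHandler(BaseHTTPRequestHandler):
    """Misconfigured device: serves the live view without checking credentials."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(FAKE_LIVE_VIEW)

    def log_message(self, *args):  # silence per-request logging
        pass


class ProtectedCameraHandler(OpenCameraHandler):
    """Correctly configured device: anonymous requests get a 401, not video."""

    def do_GET(self):
        if self.headers.get("Authorization"):
            return super().do_GET()
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="camera"')
        self.end_headers()


def serve(handler):
    """Start a handler on an ephemeral loopback port; return (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a bounce to a login page must not be mistaken for content."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(url, timeout=3):
    """One anonymous GET, classified.

    EXPOSED        -> 200 with a body, no credentials supplied (the misconfiguration
                      described in the article)
    AUTH_REQUIRED  -> 401 or 403
    REDIRECT       -> 3xx, usually to a login page; inspect by hand
    ERROR:<reason> -> unreachable or timed out
    """
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            body = resp.read(4096)
            return "EXPOSED" if resp.status == 200 and body else f"STATUS_{resp.status}"
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return "AUTH_REQUIRED"
        if 300 <= e.code < 400:
            return "REDIRECT"
        return f"STATUS_{e.code}"
    except (urllib.error.URLError, OSError) as e:
        return f"ERROR:{getattr(e, 'reason', e)}"


def check_fleet(urls):
    """Probe every URL in an inventory; return {url: classification}."""
    return {u: probe(u) for u in urls}


if __name__ == "__main__":
    open_srv, open_url = serve(OpenCameraHandler)
    prot_srv, prot_url = serve(ProtectedCameraHandler)
    for url, verdict in check_fleet([open_url, prot_url]).items():
        print(f"{verdict:14} {url}")
    open_srv.shutdown()
    prot_srv.shutdown()
```

Run it against the device inventory your vendor gives you, from a network that is not the vendor's: anything reported EXPOSED is reachable by the same scanners that found the cameras in the incident above, and a REDIRECT still deserves a manual look, since a login page that leaks thumbnails or device metadata is a smaller version of the same problem.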
Even when Flock isn’t “experimenting” on its customers and the public by leaving cameras exposed on the internet, Flock installers make serious mistakes, like installing multiple cameras in Cambridge in violation of a city order that demanded the deactivation and removal of all cameras in the city.
In light of this, the argument to make to decision makers considering implementation of Flock cameras is simple: contrary to their marketing material, Flock takes control of surveillance data, and will experiment with or share it (potentially with the general public!) without customers’ permission or knowledge. This isn’t just a possible problem; it has happened already. Flock has made installation and data-sharing mistakes, and, like any fast-growing software startup, they will continue to take a “move fast and break things” approach.
What’s more, Flock isn’t like a closed-circuit camera on an isolated network, where once it’s installed securely, it stays secure. Flock HQ holds and stores your data, and its systems change continually, so a deployment that was safe at installation can be exposed by a later configuration change, software update, or newly discovered vulnerability. Combined with the growing appeal of Flock as a target for attackers and the internet connectivity of its products, the risk of a Flock installation leaking citizen data (and public officials being hauled into hostile press conferences) will only increase.
Flock’s Security Certifications Don’t Tell the Whole Story
Flock is well aware of concerns about their security track record, and seeks to allay them by publishing a long list of security certifications and successful audits by third-party assessors to establish Flock’s reputation as a secure service provider. But what do those audits actually cover? The section below provides a basic understanding of what these certifications mean. If communicated to the right decision makers, this information may make the difference between a municipality choosing Flock and choosing to look elsewhere.
The first concern with many of the security audits Flock lists is what was audited. Flock has many different product offerings and internal systems; Flock Core, Condor, FlockOS, Flock911, and gunshot detection are just a few of them. However, it’s not always clear from public documentation which products a given audit covered, and the scope statement of an audit report is exactly what decides that: systems outside the stated scope were never examined. For example, “Flock Core” received the FedRAMP 20x authorization, but it’s unclear whether that “Flock Core” is the same product as Flock-for-commercial (the product deployed by parking enforcement app companies) or Flock-for-regional-police-departments. If those products are not covered by the same attestations, Flock salespeople don’t highlight that when pitching them. Claims like “Flock has ISO certification” sound reassuring, but conceal the important question: which Flock products, and which systems behind them, were in scope?
Now, it’s possible that this confusion is accidental and the listed audits cover all the different federal/state/commercial editions of Flock products that existed at the time of the audit. For the sake of everyone whose data is already captured by existing Flock systems, I hope so, but I doubt it. Many of Flock’s published security attestations were granted before many of Flock’s current products existed. For example, Flock’s SOC 2 report dates from 2023, and a SOC 2 report is an attestation about the controls in place during a stated audit period, not a standing certification; it says nothing about systems that did not exist during that period. Flock products like their Flock Alpha surveillance drone or Flock Nova AI-assisted data aggregation tool (which has raised concerns about privacy and legality) were not released until years after these audits were conducted and are not mentioned in any of Flock’s published security assessment records. As a result, there is no published independent audit attesting that the newer Flock products have been secured.
The issues with Flock’s security certifications don’t stop there. Many items on their security compliance index page are double counted to make the list longer (i.e., different documents from Flock’s ISO/IEC 27001 certification are listed as separate credentials), and others are irrelevant to cybersecurity. For example, Flock’s NDAA compliance certification only attests that Flock’s hardware isn’t sourced from the suppliers banned under Section 889 of the NDAA. That has no bearing on whether they securely store and process surveillance data after it’s captured; U.S.-made cameras can leak information just as easily as internationally made ones. Similarly, their VPAT (a Voluntary Product Accessibility Template, an accessibility conformance report) deals with the disability accessibility of Flock’s management software, not security. Yet all of these items are listed on a webpage titled “Flock Safety’s Security Center”.
And then there’s the FedRAMP authorization. FedRAMP is the federal program for assessing the security of cloud services used by government agencies. Historically, a cloud provider would seek FedRAMP authorization by partnering with a sponsoring federal agency (e.g. the Department of Justice or Veterans Affairs), undergoing a months-to-years-long assessment by an accredited third-party assessor against the full NIST control baseline for its impact level, remediating every finding, and finally receiving an authorization that the sponsoring agency stood behind and that remained subject to continuous monitoring. While FedRAMP wasn’t perfect, it was widely considered a respected benchmark for its thoroughness and rigor.
That’s how it used to work, but that’s not the FedRAMP authorization Flock received. Flock instead participated in an experimental pilot of the Trump administration’s “FedRAMP 20x” program, a new process designed to shorten the timeline by (among other things) waiving the requirement for a federal agency sponsor and replacing the full control baseline with a much shorter list of “Key Security Indicators,” for which providers submit largely self-generated, machine-readable evidence that a third-party assessor validates, rather than being held to the same controls a federal agency system has to meet. Under that pilot, Flock received a provisional, short-term authorization running through August of 2026, at the Low impact level, the lowest of FedRAMP’s tiers. In other words, they squeaked by the least-strict set of standards in a test run of a brand-new audit system explicitly designed for speed over rigor.
While there is a lot wrong with current federal cybersecurity certification processes, FedRAMP 20x is not the way to fix that system. Think of the old FedRAMP like the process of earning merit badges to become an Eagle Scout: you work with your scouting troop leaders (government agency sponsors and assessors) to prove your expertise at selected activities (cybersecurity), including a bunch of “baseline” activities (universal best practices) that every Eagle Scout must earn a badge for. Instead of that process, the FedRAMP 20x assessment that Flock went through was more akin to a scout working from a much shorter badge list, with no troop attached, and submitting their own paperwork to an assessor of their choosing for sign-off. It’s telling that all the reporting around Flock’s successful FedRAMP 20x authorization highlights how quickly the process was completed, not how well. The Trump administration’s new fast-track program is certainly more rapid than the previous process, but speed is not assurance.
Taken together, all of the above issues with Flock’s security “badges” should raise serious questions in the mind of anyone considering a Flock contract or expansion. If you find yourself in a room with someone like that, make sure they know to ask Flock representatives which attestations cover the specific Flock products they’re considering, what period each one covers, and whether a given accreditation actually does anything for security.
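To turn those questions into something a procurement reviewer can actually run, here is an added example (not Flock's code or the article's) that maps a vendor's listed attestations onto the products in a purchase and reports which products have no current, security-relevant attestation and which list entries add length without assurance. Every record in it is constructed: the product names are generic stand-ins for the categories the article discusses (a core camera/LPR platform, a drone, an AI analytics tool), and all scopes and dates are assumptions to be replaced with the scope statements and validity periods printed in the reports the vendor supplies.

```python
"""Map a vendor's published attestations onto the products you are buying.

Added example; not Flock's code or the article's. PRODUCTS and ATTESTATIONS
are constructed: generic product names, assumed scopes and dates. Replace
them with the scope statement and period from each real report.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Attestation:
    family: str            # "SOC 2", "ISO/IEC 27001", ...; used to collapse double counting
    document: str          # the specific item as the vendor lists it
    scope: frozenset       # products named in the report's scope statement
    issued: date
    expires: date          # SOC 2 periods, FedRAMP terms and ISO certificates all end
    security_relevant: bool
    level: str = ""        # e.g. FedRAMP impact level


def is_current(att: Attestation, today: date) -> bool:
    return att.issued <= today <= att.expires


def coverage(products, attestations, today):
    """{product: set of attestation families that are current and name it in scope}."""
    cov = {p: set() for p in products}
    for att in attestations:
        if not (att.security_relevant and is_current(att, today)):
            continue
        for p in att.scope & set(products):
            cov[p].add(att.family)
    return cov


def uncovered(products, attestations, today):
    """Products you would deploy with no current, security-relevant, independent attestation."""
    return sorted(p for p, fams in coverage(products, attestations, today).items() if not fams)


def padding(attestations):
    """Entries that lengthen the list without adding assurance: items that are not
    about security at all, and further documents from a family already counted."""
    seen, pad = set(), []
    for att in attestations:
        if not att.security_relevant:
            pad.append((att.document, "not a security attestation"))
        elif att.family in seen:
            pad.append((att.document, f"duplicate of {att.family}"))
        else:
            seen.add(att.family)
    return pad


# Constructed inventory (assumptions, not the vendor's actual records).
PRODUCTS = ["Core platform", "Drone", "AI analytics"]
ATTESTATIONS = [
    Attestation("SOC 2", "SOC 2 Type II report", frozenset({"Core platform"}),
                date(2023, 1, 1), date(2023, 12, 31), True),
    Attestation("ISO/IEC 27001", "ISO/IEC 27001 certificate", frozenset({"Core platform"}),
                date(2024, 6, 1), date(2027, 5, 31), True),
    Attestation("ISO/IEC 27001", "ISO/IEC 27001 Statement of Applicability", frozenset({"Core platform"}),
                date(2024, 6, 1), date(2027, 5, 31), True),
    Attestation("FedRAMP 20x", "FedRAMP 20x pilot authorization", frozenset({"Core platform"}),
                date(2025, 8, 1), date(2026, 8, 31), True, level="Low"),
    Attestation("NDAA", "NDAA Section 889 compliance letter", frozenset(PRODUCTS),
                date(2024, 1, 1), date(2030, 12, 31), False),
    Attestation("VPAT", "VPAT / accessibility conformance report", frozenset(PRODUCTS),
                date(2024, 1, 1), date(2030, 12, 31), False),
]


def report(today_iso: str):
    """What a reviewer would put in front of a decision maker for one review date."""
    today = date.fromisoformat(today_iso)
    return {
        "coverage": {p: sorted(f) for p, f in coverage(PRODUCTS, ATTESTATIONS, today).items()},
        "uncovered": uncovered(PRODUCTS, ATTESTATIONS, today),
        "padding": padding(ATTESTATIONS),
    }


if __name__ == "__main__":
    for day in ("2026-01-15", "2026-09-15"):
        r = report(day)
        print(day, "covered:", r["coverage"])
        print(day, "no current security attestation:", r["uncovered"])
    print("padding:", report("2026-01-15")["padding"])
```

With these assumed records, the drone and analytics products have no current security attestation at all, the core platform's SOC 2 period has lapsed, and once the pilot FedRAMP term ends the core platform is down to a single ISO certificate; the two non-security items and the duplicate ISO document are what make a six-item list out of three attestations. Rerunning it at the contract's planned go-live date, not today's, is the point.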
Flock is Not One Company
Many of the reasons Flock appeals to police departments, state governments, and businesses are the result of Flock operating like a modern, cloud-based software company. Many of the reasons that Flock is a cybersecurity nightmare waiting to happen are … the result of Flock operating like a modern, cloud-based software company.
Like most “software-as-a-service” (SaaS) companies, Flock’s product is something of a Frankenstein’s Monster: an amalgam of many vendors and internal services purchased from other businesses. To take brick-and-mortar businesses as a metaphor, Flock is less like, say, a shoe store, and more like an entire shopping mall. Flock-the-entity comprises all of the digital tenants, janitors, realtors, mall cops, plumbers, electricians, etc. that make that mall function. Specifically, Flock’s security documentation lists dozens of third-party companies (subprocessors, in privacy-contract terms) that store or process Flock’s surveillance data, including log-analytics services like Sumo Logic that hold logs collected from Flock devices and services, cloud providers like Amazon Web Services that store Flock recordings, and companies like Blue Eye that partner with Flock for AI analysis of captured surveillance data.
Some of the most damaging data breaches in recent history happened when attackers picked a target and then broke into one of its suppliers or service vendors, “pivoting” from the vendor’s access into the target’s systems. One of the largest breaches of payment card data in history, the 2013 Target breach, began with attackers stealing network credentials from an HVAC contractor that serviced Target stores and using that access to reach the point-of-sale systems. The 2015 theft of background-investigation records on roughly 22 million people from the Office of Personnel Management was carried out using credentials stolen from a contractor.
Flock’s chimeric nature, though industry-standard for SaaS companies, creates an elevated security risk because of the data Flock handles. Like a freshly-stocked bank vault, surveillance data is an attractive target for hackers. Even if Flock had the most rigorous security practices in the world (though its track record of accidentally exposing camera feeds on the internet makes that doubtful), its growing trove of surveillance data can be breached by a cyberattack on Flock directly or on any one of its dozens of internal service providers or partners.
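One way to make the “any one of dozens” point concrete for a decision maker is to draw the supplier graph and ask what each node’s compromise exposes. The following added example (not Flock's code or the article's) does that over a constructed set of parties, access relationships and data holdings that mirrors the description above: a platform vendor, cloud storage for recordings, a log-analytics service, an AI partner, a customer agency with portal logins, and the kind of facilities contractor that was the entry point at Target. All names, edges and holdings are assumptions, not Flock's actual subprocessor list; the value is in the two questions it answers, which are worth asking of any vendor's real list.

```python
"""What does one compromised supplier expose, and from how many doors?

Added example; not Flock's code or the article's. ACCESS and HOLDINGS are
constructed to mirror the article's description of a SaaS surveillance
vendor and its subprocessors. reachable() follows trust relationships the
way an intruder pivots; points_of_compromise() counts, per data class, how
many distinct organisations would each be a sufficient entry point.
"""
from collections import deque

# party -> parties whose environment it holds credentials or network access into (constructed)
ACCESS = {
    "facilities_contractor": {"vendor_corp_network"},   # remote access for building systems
    "vendor_corp_network": {"vendor_platform"},         # staff workstations reach production
    "vendor_platform": {"cloud_storage", "log_analytics", "ai_partner"},
    "ai_partner": {"cloud_storage"},                    # partner pulls footage directly from storage
    "cloud_storage": set(),
    "log_analytics": set(),
    "customer_agency": {"vendor_platform"},             # the customer's own portal logins
}

# party -> data classes resident there (constructed)
HOLDINGS = {
    "vendor_platform": {"plate_reads", "hotlist_alerts", "account_credentials"},
    "cloud_storage": {"video_recordings", "plate_reads"},
    "log_analytics": {"device_logs"},
    "ai_partner": {"video_clips"},
}


def reachable(start, access=ACCESS):
    """All parties an intruder who owns `start` can pivot into (BFS over access edges)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in access.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed_data(start, access=ACCESS, holdings=HOLDINGS):
    """Union of data classes held anywhere reachable from `start`."""
    out = set()
    for party in reachable(start, access):
        out |= holdings.get(party, set())
    return out


def points_of_compromise(access=ACCESS, holdings=HOLDINGS):
    """{data_class: sorted parties whose compromise alone exposes it}.

    The length of each list is the number of separate organisations, each with
    its own staff, patching and hygiene, whose failure is enough to leak that data.
    """
    parties = set(access) | set(holdings)
    result = {}
    for party in parties:
        for data_class in exposed_data(party, access, holdings):
            result.setdefault(data_class, set()).add(party)
    return {d: sorted(ps) for d, ps in sorted(result.items())}


if __name__ == "__main__":
    for start in ("facilities_contractor", "log_analytics", "customer_agency"):
        print(f"{start:22} -> {sorted(exposed_data(start))}")
    for data_class, parties in points_of_compromise().items():
        print(f"{data_class:20} exposed via {len(parties)} parties: {parties}")
```

In this constructed graph the HVAC-style contractor, which holds no surveillance data itself, nonetheless reaches every recording in storage, and the video recordings can be exposed from six different organisations. The same two functions run over a vendor's real subprocessor list (which the vendor must disclose under most data-processing agreements) give a decision maker a number to put next to the marketing claim that “cities control their data.”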
Conclusion
Flock is just the latest of many competing LPR/surveillance vendors that police departments and municipalities choose between. Given the above, potential Flock customers may choose to consider alternatives, including the alternative of a municipality- or police-department-owned and -operated camera network whose data is not stored and processed by a central provider. That option moves the security burden in-house rather than eliminating it, but it at least keeps the data, the configuration, and the accountability with the body the public can actually hold responsible.
At the end of the day, even if you (or, more likely, law enforcement or local government officials you hope to persuade) hold the mistaken belief that law enforcement surveillance networks are necessary, it’s still professional malpractice to choose Flock for surveillance. Their track record of data hygiene and security is questionable at best (they’ve installed equipment against customers’ wishes, and have run undisclosed “experiments” on their customers which exposed surveillance data to the entire internet); their published cybersecurity certifications range from dubious to actively deceptive; and their chimeric composition adds further unnecessary risk for prospective customers. The message we can give decision makers is clear: if you contract or expand Flock presence, when (not if) it results in a data breach, the public backlash for that breach will fall directly at your doorstep, and responding with “blame Flock; everyone is using them, so it’s not my fault” won’t be sufficient to deflect blame.