In November last year, I published “Federal Insecurity: How Flock Lies to the Feds.” Now, Flock got caught in that lie. But it promises to do better. Sort of.
Several California agencies have reported discovering that data was shared in violation of SB 34—although I have not yet been able to verify the exact number, I’ve heard as many as 63 California agencies have been confirmed affected. This certainly seems plausible with separate reports coming out of Mountain View, Santa Cruz, Santa Clara County, and Ventura County.
In earlier reporting by Los Gatan, Santa Cruz said that Flock had notified them of an issue. In response to a CPRA request, Santa Cruz denies the existence of that email.[1] However, Santa Cruz Chief of Police Bernie Escalante did deliver the following statement at a November 18, 2025, Santa Cruz city council meeting:
We were recently made aware that Flock Safety identified violations of SB 34 and SB 54 within their system architecture that inadvertently affected agencies across California, including the City of Santa Cruz.
The issue arose when a national search tool within the Flock Safety system was activated which inadvertently permitted law enforcement agencies outside the state of California to search all agencies across the country including agencies within the state of California.
These violations were not known to Santa Cruz Police Department and were not the result of any deliberate attempt by city staff to circumvent the California law.[2] We have been notified by Flock that these violations ceased on February 11, 2025.
Additionally, since this date, Flock has added multiple layers and filters of security to ensure this does not occur again in the future. Since February 11, 2025, Flock has made several changes to their system to ensure this does not occur again and to ensure that the Santa Cruz police department is not in violation of state law—both SB 34 and SB 54.
So far, Flock has deactivated the national search tool for agencies within the state of California, revoked all permissions for any California agency to create a 1:1 relationship with any agency outside the State of California and added filter protections against any searches that include anything related to ICE, broder patrol, immigration, or any other word or phrase like this type of search.
Flock continues to look for additional ways to improve or modify their system to ensure the security of their data is within the laws of the state of California.
— SCPD Statement, Santa Cruz City Council Meeting, November 18, 2025
A lot of this statement is demonstrably false.
As we know, 1:1 sharing is alive and well in California.
Yet this is the statement SCPD made in November last year, about an action Flock had taken some time before February 2025—a little over a year before today’s blog post, where it announces, for the most part, the same problem and the same changes.
Either Flock kept all of this under wraps for over a year,[3] or it happened again, because Flock is once again engaging damage control mode on its blog, announcing many of the same “new” features the SCPD announced were introduced in February 2025.
Of course, it’s Flock, so “damage control” means “hand me a shovel so I can keep digging.”
Flock Knows, You Don’t.
some CA law enforcement agencies, including Ventura County, in 2025 had their camera networks inadvertently accessible[4] to out-of-state law enforcement agencies for a period of time.
Flock immediately downplays and obfuscates what happened. Agencies “had their cameras accessible.” That doesn’t mean anything. “For a period of time.” Equally meaningless. How much data was shared in violation of state law? For how long?
Flock knows what happened, and, according to SCPD, even notified agencies back in 2025, but it has decided you don’t get to know.
[Flock] made every effort possible to determine the cause of each reported instance of inadvertent sharing. Unfortunately, due to earlier limitations in technical logging, in some cases it is impossible to determine a specific cause.
Let’s assume for a second that this is true. Let’s say Flock is careless and does not log who makes changes to a critical toggle.
If a cause can’t be determined, it can only mean one thing: there are multiple options.
It means Flock customers are not the only ones in control. It means that the pitch that “you own 100% of your data, and you are in control”, as well as “it’s a local decision” is completely, utterly, false. There is no other explanation.
Flock, in this same blog post, nonetheless continues to assert that “cities and counties retain 100% control over their LPR data and determine who it is shared with.”
Clearly not.
The Logging Requirement
Flock not having logging would in itself be yet another admission that it does not follow the CJIS security policy, like it implies when it flaunts its “CJIS ACE Certificate” from its commercial partner in Florida.
The CJIS Security Policy v6.0 has several relevant requirements:
- AU-2 (Event Logging) and CM-3 (Configuration Management) require exactly the type of logging Flock claims not to have.
- 4.2.5.1 (Justification) and AU-3 (Content of Audit Records) require the purpose of a query. Flock’s NIBRS-based justification requirement is not an enhancement — it is the minimum that should have been in place from the outset.
- CA-3(d) (Secondary Dissemination) — secondary dissemination must be logged; those logs must include the requester’s authorization.
In Flock’s half-baked defense, it does fall on the agencies to verify that Flock abides by the terms of the contract it signed, and to make sure their vendor isn’t simply having its rank-and-file employees sign a form that exposes them, not the company to liability when violations inevitably happen.
Flock Promises More Violations
For those who have been following along for a while, the gradual narrowing is interesting to watch. In a span of weeks, Flock’s messaging shifted from “Flock does not sell data,” to “Flock does not sell data to the federal government” to “Flock does not sell data to DHS agencies.”
When even the postal service does civil immigration enforcement it becomes hard to track.
“Flock has always provided agencies with tools to comply with state law and relied on each agency and its legal counsel to determine how those tools should be configured,” said Dan Haley, Chief Legal Officer at Flock Safety.
Dan clearly did not read the 345 words in the blog post preceding that statement, announcing that Flock, in fact, did not always provide those tools but is now adding them.
Flock Safety and California law enforcement agencies remain committed to ensuring that investigative technologies are used responsibly, lawfully, and with appropriate oversight. The system in place today includes standardized compliance protections designed to prevent unauthorized federal access through lookup networks and to provide clear audit trails for every search conducted.
This statement deserves highlighting. Flock once again promises to prevent only unauthorized federal access, and only if that unauthorized access happens through lookup networks.
This is a highly relevant distinction; at the time of writing, even a cursory inspection of Transparency Portals shows Flock still permits sharing data with non-California agencies. And, no, I’m not talking about El Cajon’s open defiance of the AG, I’m talking about Lake County, Piedmont, San Francisco, and so on.
California Attorney General Bonta clarified in his October 2023 bulletin that SB34 prohibits sharing with any entity that is not a public agency. He included the definition:
“Public agency” is defined as “the state, any city, county, or city and county, or any agency or political subdivision of the state or a city, county, or city and county, including, but not limited to, a law enforcement agency.”
Because this definition excludes non-California agencies, it forms the basis for SB 34 being understood to prohibit sharing outside of California.
What this definition also does not include are tribal nations and private university police — neither are subdivisions of the State of California. Yet both appear on Flock’s California agency lists: Blue Lake Rancheria Tribal PD, the Iipay Nation of Santa Ysabel, Stanford University PD, and the University of the Pacific. All are permitted to access California ALPR data under Flock’s “guardrails.”
These agencies also fit neatly into Flock’s promise, because arguably, although they have access to the lookup network, they could be said not to be “federal agencies.” Of course, they also aren’t “public agencies,” and all of this still violates the law.
Flock’s guardrails are carefully designed — not to prevent unlawful sharing, but to redefine what counts as sharing. Each iteration narrows the promise while leaving the violation intact: not “we don’t share data,” but “we don’t share data with DHS agencies through lookup networks in ways we can’t characterize as something else.”
The question for California agencies isn’t whether Flock “remains committed” to lawful use. It’s how many times they’re willing to take that commitment at face value before they check the audit logs — assuming, of course, that Flock has started writing them.
(Perhaps this is why Flock is now facing a class action in California.)
Of course, in keeping with the government’s long-standing tradition of disdain for transparency, Santa Cruz sent its CPRA response at 5:02 PM. I will update this article with an explanation of the contradiction, should the city provide one. ↩︎
Remember kids, it’s okay to break the law, as long you don’t do it on purpose. ↩︎
Which says nothing good about the California agencies that didn’t notice this in their logs for a year—as I pointed out last November. ↩︎
It could be a coincidence both Flock and SCPD both use the phrase “inadvertently accessible.” It could also not be. ↩︎