Two Colorado cities abandon Flock oversight

Denver operates Flock cameras without a finalized contract. Boulder admits it won't audit search logs. Colorado's open records laws make oversight nearly impossible.

by H.C. van Pelt7 min read

While Boulder admits to not performing any oversight, Denver has taken corporate mass surveillance to the next level: the Mile High City allows Flock to operate its network without any contractual safeguards whatsoever. After the city’s contract expired in October 2025, media reports that the city’s mayor has signed a new contract. That turns out not to be the whole truth: there is no new contract.

A flow diagram titled "The Colorado Accountability Gap." On the left, green arrows labeled "Public Tax Dollars" and "Resident Privacy & Data" flow into a black box labeled "Private Corporate Operation (Flock Safety)." On the right, three red exit arrows show the breakdown: the top arrow to "Signed Gov. Contract" is shattered and labeled "VOID (Denver)"; the middle arrow to "Public Audit Logs" hits a brick wall labeled "CCJRA & Agency Discretion (Boulder)"; and the bottom arrow points to a leaking cloud icon labeled "Unregulated Data Sharing (Feds, Third Parties)." The footer reads: "Result: Taxpayer-Funded Infrastructure, Zero Taxpayer Control."

The transition from public oversight to private operation has created a “surveillance black box” where the legal safeguards promised by officials simply fail to materialize.

Denver goes Private

After a series of CORA requests, in which the Denver City Attorney bizarrely claimed not to be the custodian of his own records, Denver Public Safety provided a stack of non-responsive documents, Denver Technical Services claimed not to have a copy, and the Mayor outright ignored the request, the City Auditor’s office finally wrote: “The city and county of Denver does not release contracts that are being negotiated. If the contract does become final, it then can be released.”

The City Attorney’s Office, meanwhile, claimed it is “not the ‘custodian’” of the contract—despite the Denver City Charter requiring that office to prepare and approve all city contracts. The Department of Public Safety provided only the expired agreement, which terminated October 30, 2025, and declined to produce the extension the mayor announced three weeks earlier.

The various creative denials appear to agree on one thing: the contract is not final and effective, despite previous announcements from the mayor’s office heavily implying that it is.

This of course comes after the city subscribed to Flock’s drone service without telling its own surveillance task force.

Although substantial public funds were used to install more than a hundred cameras, Flock still owns them, and now appears to be operating them entirely outside of any active government contract.

This stands in stark contrast to the mayor’s statement, which claimed Flock would be subject to penalties if the company shared data with federal authorities, in violation of Colorado law.

Although there are restrictions on what and how Colorado state and local agencies can share information with the federal government, there appear to be no laws that prohibit Flock, a private corporation, from disseminating that same data. Without a contract, there is nothing to stop the company from selling the data to ICE or other interested third parties.

Denver residents are now in the worst of both positions: taxpayer funds paid for the infrastructure, but no taxpayer-enforceable agreement governs how it operates. The city has outsourced surveillance to a private company and then removed itself from the chain of accountability entirely.

If Flock shares data with federal agencies tomorrow, Denver has no contractual remedy. If the mayor’s promised penalties exist anywhere, they aren’t in a signed document the city is willing to produce.

Boulder Abandons Oversight

Meanwhile in Boulder, in response to a request for a month of network audit logs, BPD puts a couple of interesting statements together:

Given the scope of your request, we cannot, and will not, contact each individual agency listed to inquire as to the status of their investigation as that would cause “unnecessary interference with the regular discharge of the duties of the custodian or their office” (C.R.S. §24-72-304(1)). … We are providing the requested records, but the names of the law enforcement personnel, associated license plate numbers, case numbers, and reasons for the request are redacted as the release of this information would be contrary to public interest.

BPD admits here that it doesn’t know what’s in the search logs and it has no intention of auditing them.

None of this lines up with statements on its public website:

The Boulder Police Department uses Flock solely for legitimate law enforcement purposes, including criminal investigations, finding missing or endangered persons, Amber Alerts, and tracking stolen vehicles. Officers must have a clear justification for any search they run.

BPD does not know if this is how the cameras in Boulder are being used by other departments.

All requests to share access to our data must be approved by a supervisor, logged, and tracked through strict audit trails.

But BPD will never look at these audit trails.

Each user must have a unique login, and there is a complete audit trail of all searches conducted in the system.

Either BPD did not intend this statement to apply to users with access from outside BPD, or it shows why BPD should examine its “complete audit trail.” Account sharing is rampant.

Multiple safeguards protect against misuse: supervisory approval is required for external data sharing and all searches are logged.

This is not much of a safeguard when nobody looks at the logs.

Flock’s focus on legitimate law enforcement purposes, combined with their willingness to implement features like automatic blocking of immigration-related searches and enhanced audit controls, aligns with Boulder’s commitment to responsible policing and community values.

This “blocking” is a keyword-based warning notice that isn’t logged. A user can enter a different reason, or enter no meaningful reason at all, and try again. BPD will never use the “enhanced audit controls” (whatever those may be) to question whether “inv” is an immigration search.

There is no oversight.

Colorado’s Open Records Laws are Broken

As an Iowan, my experience with the Colorado Open Record Act (CORA) is limited. I find Iowa’s open records act frustrating, because it is widely ignored and not enforced by state agencies, but CORA turns out to be fundamentally broken.

In a bizarre twist, whether a public record should be released depends more on who holds the record than on what the record is or contains. In addition to Denver’s outlandish ideas on custodianship, which I doubt would survive a court hearing if challenged, there is a brokenness to CORA in that records held by police are not governed by CORA, but by the Colorado Criminal Justice Records Act (CCJRA).

The CCJRA sets no deadlines and allows a high level of discretion for agencies on whether to release records. As you can tell from Boulder’s response, which took nearly two months, we can’t trust police with that type of discretion.

The Colorado Freedom of Information Council is pushing for changes to the law.

Read Colorado FOIC’s Guide to the Criminal Justice Records Act

If you’re in Colorado, or even if you’re not, please consider making a donation to the Colorado FOIC or supporting their work to get this flawed piece of legislation fixed.

Without transparency, BPD and Flock have to perform their own audits.

They have already said they “cannot and will not.”