
157 Pages of Evidence, 200 Jurisdictions, Zero Oversight

A 157-page murder investigation file with informant details leaked to 200 agencies via Flock's uncontrolled audit log system.

by H.C. van Pelt

A 157-page active murder investigation file, complete with information about anonymous informants, gang intelligence, and detailed information on people not under suspicion, has been floating around the internet for six months.

How it got there is a story of systemic failure and negligence.

According to the Flock audit logs processed on this website, an officer, John Alipour (technically, “J. Ali”), with the DuPage Forest Preserve PD shared the entire 157-page file with Flock by looking for a license plate and pasting the file into the “Reason” field.

Flock’s system, which the company claims is “CJIS certified”[1], saw no problem with a massive, sensitive file being provided as a simple “Reason” for a search. At the time of writing, the median length for search reasons is 7 characters, and 81% of Alipour’s agency’s reasons are a single word long.

But the real problem is that Flock’s customers allow Flock to create audit log entries — which are the customer’s files — without any oversight. Because the customer is a government, their files are public records.

On receipt of the 157-page search reason, Flock’s system proceeded to automatically enter it into 200 of its customers’ public records.

It is as if you made a Word document writable by Flock and told Flock, “okay, just write everything your customers say in this file,” without giving anyone any further instructions. Except instead of a Word document, it’s the Flock software’s “Insights” tab with audit logs.

This was not just one policeman’s error. It was a complete failure of infrastructure and oversight that began with allowing Flock to handle data and create government records.

Compounding the problem is that Flock’s platform, apparently, has no technical safeguards to prevent a 157-page investigative file from being uploaded into a single text field.[2]
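The kind of safeguard that paragraph finds missing can be sketched as a check that runs before a search reason is copied into any agency's audit log. This is an added example, not Flock's code or this website's filters; the limits, patterns and function names are assumptions chosen for illustration.

```python
import re
import unicodedata

# Assumed policy values; the page reports only the observed median (7 characters).
MAX_REASON_CHARS = 200
MAX_REASON_LINES = 1

# Simple pattern filters for identifiers that do not belong in a reason field.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


class ReasonRejected(ValueError):
    """Raised when a search reason must not be stored."""


def check_reason(raw):
    """Return text that is safe to store, or raise ReasonRejected."""
    text = unicodedata.normalize("NFKC", raw)
    # Drop control characters except newlines, which are counted below.
    text = "".join(c for c in text
                   if c == "\n" or not unicodedata.category(c).startswith("C"))
    text = text.strip()
    if not text:
        raise ReasonRejected("empty reason")
    if len(text) > MAX_REASON_CHARS:
        raise ReasonRejected(f"{len(text)} characters, limit {MAX_REASON_CHARS}")
    if text.count("\n") + 1 > MAX_REASON_LINES:
        raise ReasonRejected("multi-line text looks like a pasted document")
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{label.upper()}]", text)
    return text


def record_search(plate, raw_reason, agency_logs):
    """Validate first, so a rejected reason reaches no agency's audit log."""
    reason = check_reason(raw_reason)
    for log in agency_logs:
        log.append({"plate": plate, "reason": reason})
    return reason
```

Pattern redaction only catches what it has a pattern for; the length and line limits are what stop a pasted document, and the rejection happens before any agency's log is written.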

Yes, the officer’s act was a gross violation of security policies, and, likely, law[3][4][5][6] and prosecutorial ethics[7].

Yes, the releasing agency did not properly review and redact hundreds of thousands of log entries before releasing them.

But the bigger picture is that this is a symptom of government’s continuing failure to perform meaningful oversight of private-sector police and surveillance technology.

All of this was foreseeable.

But now, even if anyone had caught it sooner, the toothpaste is out of the tube.

The file exposed a murder investigation that let its evidence melt with the snow.


A redacted copy of the file is available for download here. As the original file was a single, unformatted blob (from being pasted into a single data field), the version provided has been re-formatted for readability (e.g., restoring line breaks and lists) to more closely match the original document’s structure.


Note

February 2, 2026 Update: After receiving non-responses from the DuPage Co. public defender and the DuPage Co. Clerk of Court, I sent a letter reporting the incident to the FBI, with copies to the US DoJ Office of the Inspector General, Senator Chuck Grassley (R-IA), and Illinois Attorney General Kwame Raoul. Today, two months later, I received a response to that letter.

@IL AG response to leaked investigative notes

Thank you for your recent letter regarding the above-named business [Flock].

We wish to express our appreciation for your cooperation in bringing this matter to our attention, and we have recorded the information that you have provided in our complaint files for possible future use in enforcing Illinois’ consumer protection laws. It is only through the assistance of concerned citizens that we can effectively do our job of enforcing Illinois’ consumer protection laws.

The person named in the file remains in the DuPage county jail, held on a $1M bond and awaiting trial for murder.


  1. “To demonstrate its commitment to security, [Flock] earned the CJIS ACE Compliance Seal by partnering with Diverse Computing, a third-party service provider.” Diverse Computing is a private corporation out of Tallahassee, Florida. ↩︎

  2. This 0-budget, 1-developer website, for example, has constraints on the amount of information shown, and it has simple but largely effective filters to redact SSNs, names, birthdates, etc., even though those elements shouldn’t be in the dataset to begin with. ↩︎

  3. 725 Ill. Comp. Stat. 120/4.5 (enumerating statutory rights for crime victims and witnesses, including the right to be free from harassment and intimidation) ↩︎

  4. 5 Ill. Comp. Stat. 140/7(1)(d) (exempting from public disclosure under the Freedom of Information Act any records that would “endanger the life or physical safety of any person”) ↩︎

  5. 5 Ill. Comp. Stat. 140/7(1)(c) (exempting FOIA records that would constitute a “clearly unwarranted invasion of personal privacy”) ↩︎

  6. 5 Ill. Comp. Stat. 140/2(c-5) (defining “private information” protected from disclosure to include personal addresses and telephone numbers). ↩︎

  7. Ill. R. Pro. Conduct 3.8(b) (requiring a prosecutor to “exercise reasonable care to prevent” police officers from making public statements that the prosecutor would be prohibited from making under Rule 3.6). ↩︎