Twenty-Eight

Flock says 28 employees can access federally protected criminal justice information. Their own paperwork says otherwise.

by H.C. van Pelt

As of December 2025, these were the 28 people with access to Flock’s data, according to Flock and Story County, Iowa. The last names have been shortened, in case the signatures weren’t strictly voluntary, but they are a matter of public record.

You can request the full, current list from any agency using Flock; federal policy requires them to have it available. The company’s concern about speculative “officer safety” scenarios apparently does not extend to its own employees, whose names and signatures are being filed into public records as a matter of course — hopefully with their knowledge and consent.

  • Aaron P.
  • Adam S.
  • (illegible)
  • Adrian W.
  • Aishwarya P.
  • Alana J.
  • Aleyandra L.
  • Alex M.
  • Alexandra B.
  • Amanda B.
  • Amy P.
  • Anthony E.
  • (illegible)
  • Arash S.
  • Baasit A.
  • Benjamin K.
  • (illegible)
  • Blake M.
  • (illegible)
  • Brandon E.
  • Brett H.
  • (illegible)
  • (illegible)
  • Carrie V.
  • (illegible)
  • Chandler E.
  • Christopher S.
  • Clinton M.

Flock employee signature

To be clear, the “illegible” signatures are completely illegible—but apparently still sufficient for Flock, Story County, Iowa, the Iowa Department of Public Safety, and the FBI.

These 28 Flock employees signed the following statement:

I hereby certify that I am familiar with the contents of (1) the Security Addendum, including its legal authority and purpose; (2) the NCIC Operating Manual; (3) the CJIS Security Policy; and (4) Title 28, Code of Federal Regulations, Part 20, and agree to be bound by their provisions.

I recognize that criminal history record information and related data, by its very nature, is sensitive and has potential for great harm if misused.

I acknowledge that access to criminal history record information and related data is therefore limited to the purpose(s) for which a government agency has entered into the contract incorporating this Security Addendum.

I understand that misuse of the system by, among other things: accessing it without authorization; accessing it by exceeding authorization; accessing it for an improper purpose; using, disseminating or re-disseminating information received as a result of this contract for a purpose other than that envisioned by the contract, may subject me to administrative and criminal penalties.

I understand that accessing the system for an appropriate purpose and then using, disseminating or re-disseminating the information received for another purpose other than execution of the contract also constitutes misuse.

I further understand that the occurrence of misuse does not depend upon whether or not I receive additional compensation for such authorized activity. Such exposure for misuse includes, but is not limited to, suspension or loss of employment and prosecution for state and federal crimes.

This certification, along with a fingerprint-based background check, is a requirement under the CJIS Security Policy:

This section’s security terms and requirements apply to all personnel who have unescorted access to unencrypted CJI. Regardless of the implementation model – physical data center, virtual cloud solution, or a hybrid model – unescorted access to unencrypted CJI must be determined by the agency taking into consideration if those individuals have unescorted logical or physical access to any information system resulting in the ability, right, or privilege to view, modify, or make use of unencrypted CJI.

CJIS Security Policy, v5.9.5, § 5.12, p. 212.

Note that the policy is explicit about “logical or physical access.”

Iowa DPS puts it in even clearer terms in a guidance document:

All private contractors who perform criminal justice functions shall acknowledge, via signing of the Security Addendum Certification page, and abide by all aspects of the CJIS Security Addendum

Iowa DPS, "Requirements Document FBI CJIS Security Policy Version 5.3",[1] p. 9

There only being 28 employees who would need to certify is … at best, implausible.

Yet, after months of back and forth between Story County and the Iowa Department of Public Safety, this is the list Flock and the county attorney produced.

Who is Missing

Any Flock employees with access and a first name that starts with D–Z. Unless there aren’t any, but that seems improbable.

We know that Flock “LPR” cameras contain unencrypted photos and videos. The CJIS Security Policy is clear that anyone with physical access to CJI should be on the list; that would include all (subcontractor) installers. The alternative, that the footage stored on the devices is not CJI, renders it non-confidential and, in most states, a public record.

For the reported issue where Flock cameras were publicly exposed on the Internet, Flock’s Chief Legal Officer Dan Haley has downplayed the severity of the “not a hack” by claiming it was a “configuration error” perpetrated by Verizon.

If Verizon’s employees can configure the system to expose the information, they have access sufficient to trigger the certification requirement. Flock does not consider this to be a security incident, implying Verizon personnel have authorized access, yet they do not appear to be on the list.

The list should also include all of Flock’s Upwork contractors, whoever has access to its Danish screen-recorder, and, assuming these are Flock’s own accounts, anyone using Flock City PD - Law Enforcement Sales, Flock City PD - Law Enforcement Sales Demo, Flock RTCC, Flock Safety Admins, Flock Safety Customer, Flock Safety Engineering, Flock Safety Sales, Flock Safety Campus Security Training, Flock Safety LE Training, Flock Safety Sales, and Florida LE Flock Training, which all run on production data (i.e. real people’s movements are regularly being searched for Flock’s sales and training purposes).

Notably, Robert Otten, Flock’s “Head of Security, Risk and Compliance” (or similar titles), attested to each of the 28 signatures but did not certify his own adherence to the CJIS Security Policy. A suspicious absence, if the list were complete.

What is Missing

Around 6,000 contracts, based on Flock’s reported number of government customers. These certifications are tied to specific CJIS addenda, which are tied to specific contracts, via “the contract incorporating this Security Addendum.” Each person on the list needs to read each of Flock’s contracts and sign the certification that says they understand the “purpose” valid for each individual contract.

This is clearly unworkable; it is a recognized and “solved” problem. Some states centralize their processing for these certifications. In those states, vendor employees can certify with the state CSA (typically state police or department of public safety), which retains their background check and information on file to share with other agencies using the same vendor.

In those states, vendor employees file a single certification with the CSA, and simply claim that they will not use it for a purpose not allowed by any of their employer’s contracts, past, present, or future, without ever seeing the contract. It’s questionable, but the FBI does not appear to have a problem with it so far.

But not all states have such a system in place. For those states, each employee needs to sign this piece of paper for each contract.

The issue is further complicated by Flock’s position that its contractual terms, which it recently altered, are negotiable and each customer can have a bespoke contract. If employees need to adhere to the terms of the contract they must, necessarily, read those contracts.

Of course, if Flock were to take the other position — that its terms are not negotiable — its contracts may qualify as contracts of adhesion, which raises its own set of problems.

Who is Not Missing

Some easy-to-find job titles for the folks on the list:

  • UI/UX Designer & Brand Visionary
  • User Experience and Service Designer
  • Policy Manager (former federal prosecutor, hired from the U.S. Attorney’s Office)
  • Principal Product Manager
  • Manager, Solutions Engineering

There is no reason a UI/UX designer and/or brand visionary should have access to production data. Keeping such roles out of production data is not only a common-sense security practice, but a requirement for both SOC 2 and ISO 27001 certification—both of which Flock claims to possess.

And that’s for ordinary production data; those rules apply to companies that sell caps for your ballpoint pen or that do made-to-measure T-shirts for your dog. Here, we’re talking about federally protected criminal justice information.

In any case, apparently it’s more important for a brand visionary to have access to CJI than for the Head of Security, Risk, and Compliance.[2]

What it Means

There are only two explanations for what this list represents:

  1. Flock has narrowed CJI access to 28 people — in which case several of those people have no business being on the list, Otten’s absence is inexplicable, and the company’s field technicians, Upwork contractors, and demo account users are all operating in violation of federal law; or—
  2. Flock certifies everyone and handed over only a subset to make the records request go away.

Both explanations end in the same place.

Every day, Flock cameras record the movements of millions of people who never consented to surveillance and have no way to verify how their data is handled, needing to rely on Flock’s vague assurances that it is “CJIS certified.”

The CJIS Security Policy exists because criminal justice information and criminal history record information are dangerous when mismanaged. Flock’s own paperwork — the paperwork they produced to prove compliance — is the evidence that they aren’t complying.

And the certification itself? It’s a document that exposes individual signers to federal criminal prosecution for misuse of CJI.

When Flock runs sales demos on production data — real people, real movements, real criminal justice information — it’s not Flock’s name on the line. It’s the employee’s. The company that built the system, sold the system, and decided to use live data for training walks away clean. The designer who was told to sign something during onboarding risks federal charges.

Twenty-eight names. Some illegible, one conspicuously absent, and no reason to believe the list is even remotely complete. But every one of them signed on the dotted line — and not one of them is Flock.


I am not an attorney. This analysis reflects my interpretation of CJISSECPOL, contract language, and law, and is subject to change. Contracting agencies should consult qualified attorneys regarding their specific agreements.


  1. CJIS Security Policy 5.3 is no longer in use, but DPS does appear to publish a newer revision of its requirements document. The substance of the policy is the same between v5.3 and v5.9.

  2. To be clear: neither role has any business accessing this data, but if you had to pick one …