Back to news

The Data-Sharing Shell Game: Flock, RISS, and the Federal Surveillance Backdoor

Despite Illinois' TRUST Act ban on immigration data sharing, ICE maintains backdoor access to Flock's database through RISS and local agencies.

by H.C. van Pelt 4 min read
immigrationfederal

In 2024, Illinois passed the Illinois TRUST Act (5 ILCS 805), which prohibits Illinois police from sharing data for civil immigration purposes. Earlier this year, media reported that ICE had direct and indirect access to Flock’s database — a database widely used in Illinois. Flock’s leadership team responded first by blaming police, then by blaming its employees, and, when the media storm had passed, by quietly resuming sharing with immigration agencies through the backdoor.

Flock’s issues with data sharing are broad. While the company claims that its customers own the data, its customers vacillate between claims that they own and control access to the data,[1] have no effective ownership, and claims that they are “raw, non-governmental data held by a third-party vendor.”

Flock also frequently claims that users must be a “sworn law enforcement officer for purposes of accessing our law enforcement network.” Flock maintains this stance, despite it being easily disproven by examining the list of its customers on this site.

In June, Flock responded to allegations of improper sharing with a statement, which summarized its point as: “it is a local decision. Not my [Flock CEO Garrett Langley’s] decision, and not Flock’s decision.”

In August, after Illinois Attorney General Giannoulias recognized violations of the IL TRUST Act, the company reversed course. It “paused a pilot program” after the AG’s audit uncovered that “[Flock] company leadership was unaware of a pilot program with the US Customs and Border Patrol Protection Agency.”

This is the same leadership that claims its customers control the data.

But, despite being flagged as “Inactive,” Border Patrol can be seen running searches. ICE also continues to have broad indirect access to Flock’s database through third parties, and through its 287(g) program, which pays state and local agencies for access to their officers and investigative tools and capacity.

Over 1,000 Searches conducted on behalf of ICE's HSI division

The separate pathways to unoverseeable data sharing converge and culminate in Flock’s agreements with the Regional Information Sharing Systems (RISS) Program — a federally funded program to “provid[e] adaptive solutions and services that facilitate information sharing” with over 10,000 member agencies “in all 50 states, the District of Columbia, U.S. territories, England, New Zealand, and parts of Canada.”

Five out of six[2] regional RISS centers have direct access to the Flock database:

  • MAGLOCLEN: Middle Atlantic-Great Lakes Organized Crime Law Enforcement Network®
  • RMIN: Rocky Mountain Information Network®
  • MOCIC: Mid-States Organized Crime Information Center®
  • NESPIN: New England State Police Information Network®
  • ROCIC: Regional Organized Crime Information Center®

Tools like RISSIntel™ (“Criminal Intelligence Database Solving Cases Through Information Sharing”) “permit federated searching across many systems without requiring the RISSNET user to have a separate user account for each partner system.”

This is, of course, completely antithetical to the idea that Flock customers maintain control of data.

Exacerbating matters, RISS centers are private non-profit corporations, not government agencies. Its users are not “sworn law enforcement officer[s] for purposes of accessing our [Flock’s] law enforcement network.”

NESPIN business registration MOCIC business registration ROCIC business registration RMIN business registration MAGLOCLEN business registration

The federated RISS centers exist for a single purpose: to “facilitate information sharing.”

Because the data are ostensibly owned by government agencies, they are public records. That means RISS centers are not in any way restricted by copyright law[3], and don’t require a licensing agreement with Flock. Because the corporations are private, there is no effective oversight.

These partnerships obliterate Flock’s defense that information sharing is a local decision.

Flock’s contradictory public statements are a smokescreen for the simple truth: by integrating with a federally-funded, private network of information-sharing centers (RISS), local control remains an illusion — data flows through Flock’s corporate partners to thousands of agencies at the local, state, federal, and even international level.

As long as Flock does not actively prevent this type of information-laundering, the company’s statements about data ownership, sharing control, and compliance with state law are entirely meaningless.

This isn’t a local decision, a bug, or a rogue pilot program. It is a fundamental design feature — one that Flock actively creates and supports.

  1. “The ALPR data may be shared only [after] [t]he request is reviewed by the Investigations Division Commander or the authorized designee and approved before the request is fulfilled” ↩︎

  2. The sixth is WSIN (Western States Information Network®). It’s worth noting Flock does not maintain consistent naming conventions. Let me know if you find WISN. ↩︎

  3. Arguably, if ALPR data is factual information, copyright laws would not apply regardless. ↩︎