Last updated:

🔍 Every Documented Misuse of ALPR and Flock Cameras

An accountability file. Officers stalking ex-partners, a nationwide search to find a woman after an abortion, innocent families held at gunpoint over a misread digit, executives watching a children's gym class, and a private market selling your movements for about $20 a search. Every case sourced. Including the counter-case.

Key findings

The Institute for Justice has documented at least 24 officers caught using licence plate readers to stalk partners, exes and colleagues — a figure IJ itself calls "almost certainly an undercount," because nearly every case surfaced through a victim or a journalist rather than an internal audit. IJ separately found at least 26 wrongful stops since 2018 where innocent people were detained at gunpoint over ALPR errors; in nearly two-thirds, officers only realised after drawing their weapons. Johnson County, Texas deputies searched 83,345 cameras nationwide to find a woman after a self-managed abortion. Police defeat Flock's audit requirement by typing "investigation" 111 times and "hehehe" 20 times in a single month — both accepted. Researchers logged 51 security findings and 22 CVEs against Flock hardware, and found ~60 cameras livestreaming to the open internet with no password. 82 contracts have been cancelled across 28 states, 39 of them in the first five months of 2026. And this is not only Flock: Motorola's DRN sells plate-location searches to repo firms, insurers and private investigators for around $20, while the DEA has quietly run a national plate-tracking programme since 2008.

This is a catalogue, not an argument. Every case below is drawn from court filings, published audit logs, public-records responses, government audit reports, CVE databases or reporting by outlets that did the work — 404 Media above all. Where something is an allegation rather than a finding, it says so. Where sources conflict, it says that too. A section near the end makes the strongest honest case for the technology, because a catalogue that only points one way isn't evidence, it's advocacy.

By · Last updated July 2026

The scale

Flock Safety operates somewhere between 80,000 and 100,000 devices across more than 5,000 law enforcement agencies, performing over 20 billion scans a month. Bureau of Justice Statistics data shows how normalised this became before anyone was watching: roughly 90% of sheriffs' offices with 500+ deputies use ALPR, and 100% of police departments serving over a million residents. EFF's analysis found that more than 99.9% of collected data is unconnected to any crime; a Palo Alto portal showed under 0.5% of captures were hotlist-related. A 2020 California State Auditor review found only 0.1% of LAPD's 320 million stored images matched a hotlist.

Hold that ratio in mind. Every case below happens inside a system where 999 out of every 1,000 records concern someone who did nothing. The misuse isn't a malfunction of a targeted tool — it's the predictable behaviour of an untargeted one.

1. Officers using ALPRs to stalk

The most-documented category, and the one that recurs across every vendor and jurisdiction. IJ attorney Michael Soyfer, who represents residents suing San Jose and Norfolk: "The fundamental problem with these systems is that they place private information about people's movements over time in the hands of every officer… that predictably allows officers to abuse their access to these systems for things like stalking romantic partners."

OfficerAgencyYearConductOutcome
Michael McSherryWestmoreland County, PA2021Tracked estranged wife and her familyPleaded guilty to stalking
Victor HeiarKechi, KS — Lieutenant2023Used Flock to track estranged wifePleaded guilty — computer crime, stalking
Lee NygaardSedgwick, KS — Police Chief2023Tracked ex-girlfriend and her new partner — 160–200+ reads over monthsResigned
Robert JosettCosta Mesa, CA2023Used Flock to track a mistress and her romantic interestsPleaded guilty, April 2026
Alexander VannyRiverside County, CA — Deputy2024While facing kidnapping charges over his ex-fiancée, used Flock to track her friendConvicted at jury trial, Dec 2025
Jarmarus BrownOrange City, FL2024Ran girlfriend's plate ~69×, her mother's 24×, father's 15× — 100+ over 7 monthsArrested/charged 2025
Thadius GordonShelby County, TN — Deputy2024Tracked ex-wife 100+ timesRelieved of duty
Jaila Cole-ClarkMatteson, IL2024Hundreds of Flock searches on a former partner and their new partnerResigned mid-investigation
Roberto CedenoLouisville, KY2025Tracked ex-partner and friends hundreds of times over two monthsCharged — multiple felonies
Josue AyalaMilwaukee, WI2025179 Flock searches over two months on a woman he was dating and her exResigned; pleaded guilty to one misdemeanour count
George OppedykJerome County, ID — Sheriff2025Searched for wife's vehicle hundreds of timesIdaho AG found no crime; retired April 2026
Frank McGrathKenosha County, WI — Deputy2025Tracked a coworker he was involved withResigned with severance
Cristian MoralesMenasha, WI2025Tracked ex-girlfriendCharged — misconduct in office
Michael SteffmanBraselton, GA — Police Chief2025Stalked/harassed several people including a former partnerResigned, then arrested
Kyle RectorBonner Springs, KS — Detective2025Tracked estranged wife and two suspected new partnersCharged, March 2026
Lamar RomanMonroe County, FL — Deputy2026Hotlisted a film extra's plate after she rebuffed him — see belowArrested; fired; pretrial intervention
Chris RozarCoffee County, GA — Deputy2026Used Flock to stalk a womanFired and charged
Coty HallNiceville, FL2026Tracked another officer and their spouseFired; pleaded no contest
Tyler BryanWinnebago County, IL — Deputy2026Monitored an ex and her new partnerCharged — stalking, official misconduct
William C. CoppPrairie Grove, IL / Holiday Hills Chief2026Hundreds of searches on former partners — one ex's plate ~140× (86 off-duty)Arrested June 2026; fired
Renee DownerGwinnett County, GA2026Used LE databases including ALPR to monitor an exArrested; relieved of duty
Michael PalitzPasadena, TX — Sergeant2026Allegedly used Flock to track a female officerResigned under investigation
Kareem LynchGreer, SC — Corporal2026Used Flock to monitor a subordinate he had a prior relationship withFired after internal audit
Sebastian EcheverryGreer, SC2026Personal Flock searches including an ex-girlfriendFired

A note on what this table is: allegations, charges and convictions are not the same thing, and the outcome column says which is which. Several officers resigned or retired with no prosecution at all — Jerome County's sheriff was cleared of any crime by Idaho's Attorney General. IJ found that six of the original fourteen never faced consequences.

The detection pattern is the finding. Read the outcomes again and ask how each case was discovered. Milwaukee's came from HaveIBeenFlocked.com — a member of the public checking their own plate. Orange City's was noticed by a colleague. Braselton's and Greer's came from audit review, which shows audits can work. Most came from victims. Almost none came from the vendor. That is why 24 is a floor, not a count.

2. The film-set case: Lamar Roman

Worth telling in full, because it shows how many systems one impulse can chain together. On 3 February 2026, Monroe County deputy Lamar Eliseo Roman, 28 and married, was working security on the set of Apple TV+'s Bad Monkey in the Florida Keys. A 27-year-old woman arrived as a background performer. He catcalled her — "Oh my god, why didn't nobody tell me we were bringing models to set?" — and told her, "I need your name and number just in case I pull you over some day." She said she had a boyfriend.

Step 1ID databaseUsed a law enforcement identity database to find her driver's licence number.
Step 2DAVIDQueried Florida's DAVID database for her plate, vehicle, photograph and signature.
Step 3HotlistAdded her plate to a hotlist on the Guardian ALPR system — so the network would alert him when she drove past a camera.
16 days laterThe alert fires19 February: a reader scans her plate. Roman drove 70+ mph, passed vehicles in no-passing zones, nearly caused a head-on collision, and pulled her over.

He told investigators: "It's a tough month and I saw a shiny thing," and admitted he knew it was illegal. He was arrested on 10 March 2026 on three third-degree felony counts of misusing a law enforcement database, and fired. The woman declined to press charges; the department charged him anyway. He entered a two-year pretrial intervention agreement — if he completes it, the charges are dismissed.

A correction to how this case travels. The Tampa Bay Times headline described the victim as an "actress," and that is how the story is usually retold. She was an extra. It matters because the version where a deputy stalks a celebrity is a story about fame; the version where he stalks a background performer who turned him down is a story about what the system does for anyone who catches an officer's eye. The second is the accurate one, and it's worse.

Not to be confused with: Akron, Ohio sergeant Eric Paull, who used the Ohio Law Enforcement Gateway to run searches on ex-girlfriend Alexis Dekany, her mother and men close to her. He pleaded guilty in 2015 to aggravated assault, menacing by stalking and unauthorised database use, and was sentenced to four years. Dekany was a criminal justice student, not an actress. Paull is the stronger conviction; Roman is the ALPR case.

3. The children's gym class: Dunwoody, Georgia

Public records obtained by Dunwoody resident Jason Hunyar showed Flock Safety employees accessing cameras in children's spaces at the Marcus Jewish Community Center — to demo the product to prospective police buyers. On 23 July 2025, Flock's Randy Gluck viewed cameras labelled "Gym Mendel – 1" and "Main Pool Right." On 30 September 2025, Vice President Bob Carter accessed the "Gymnastics" camera.

CEO Garrett Langley personally apologised for "poor judgement" and Flock agreed to stop using Dunwoody footage for demonstrations. Mayor Lynn Deutsch: "we will no longer be a demonstration location for Flock." The city renewed its contract anyway in April 2026.

Attribution matters — do not merge these. This is Flock. It is not the Verkada breach, which is the incident people usually mean when they mention exposed cameras in schools and gyms: in March 2021 hacktivists exposed roughly 150,000 Verkada cameras across hospitals, schools, clinics and prisons. Two companies, two separate failures. Blurring them hands both an easy rebuttal.

4. Johnson County, Texas: 83,345 cameras to find one woman

Reported by 404 Media in May 2025; records later obtained by EFF filled in what the first story couldn't. Deputies ran two searches under a single case number, logged against a "death investigation" of a "non-viable fetus":

SearchNetworksCamerasLookback
First (previously unreported)1,29517,684~1 week
Second (the one 404 Media exposed)6,80983,345~1 month

Sheriff Adam King told 404 Media the family "was worried that she was going to bleed to death." EFF's records complicate that account: deputies had already collected evidence, had asked the district attorney about charging her, and had been told they could not. The abortion had occurred more than two weeks earlier. The search reached states where abortion is legal — Washington and Illinois cameras appear in the logs (Yakima, Prosser, Mount Prospect). Illinois Secretary of State Alexi Giannoulias said it violated Illinois law.

The ending is rarely reported: the woman later came to the sheriff's office herself — to report that the partner who had reported her abortion had assaulted her at gunpoint. He was charged. Sheriff King was subsequently charged with an unrelated felony sex offence.

5. Innocent people at gunpoint

IJ documented at least 26 cases since 2018 — most since 2023 — of innocent motorists stopped, detained at gunpoint or jailed because of ALPR error. In nearly two-thirds, officers didn't realise until after they'd drawn their guns.

Brittney Gilliam — Aurora, COA mother and four children, one aged six, forced face-down on the pavement. A Colorado plate had been flagged as a stolen Montana motorcycle. $1.9M settlement.
Denise Green — San FranciscoHeld at gunpoint because a 3 was read as a 7. $495,000 settlement.
Brian Hofer — Contra Costa, CAA privacy advocate detained on Thanksgiving because police never removed a recovered car from the hotlist. $49,500.
Jaclynn Gonzales — Española, NMDetained at gunpoint, her 12-year-old sister put in a patrol car. A 2 read as a 7.
Isoke Robinson — DetroitHandcuffed, 2-year-old placed in a patrol car, car impounded three weeks — police had used ALPR to pull every Dodge Charger near a shooting.
Sherwood, AR — Feb 2026A couple detained at gunpoint while their six-week-old baby sat alone in the car. Flock misread.
San Diego — 2024Three people arrested on a Flock "vehicle signature" hit — not even a plate match. One passenger jailed nearly a month.
Joel Feder — Plymouth, MNA motoring journalist surrounded by four squad cars because Flock read a Range Rover manufacturer plate as "34 DTM," ignoring the middle digits. A California data-entry error created nationwide false-hit risk for those fleet plates.
Two distinct failure modes, and only one is a "computer error." Misread digits are an OCR problem — arguably fixable. But Hofer was stopped because a human never updated the hotlist, and Robinson was handcuffed because police deliberately queried every car of one model near a crime. The technology performed exactly as designed in both. That's the harder problem.

6. Immigration enforcement against sanctuary policy

  • The "side door" (404 Media, May 2025): 4,000+ Flock lookups run by local police on ICE's behalf — giving federal agents access with no contract and no paper trail of their own.
  • Washington: The UW Center for Human Rights found at least eight agencies enabled direct sharing with Border Patrol in 2025, and CBP had "back door" access to at least ten more that had never authorised it.
  • San Francisco (Javorsky v. Flock, filed Feb 2026): alleges out-of-state agencies searched SFPD's database 1.6 million times in six months, and agencies from 48 states searched Los Altos's database over a million times — in violation of California's SB 34. Seeks $2,500 per violation.
  • Dayton, Ohio: An audit found Flock cameras searched 7,100+ times for immigration purposes against city policy. The city suspended the data and physically covered the cameras with black bin bags, calling the searches "egregious violations."
  • Illinois: Giannoulias's August 2025 audit found CBP accessing Illinois data despite a 2024 law barring plate data for immigration or abortion enforcement.
  • The ICE hotlist: EFF found Flock lets agencies subscribe to ICE's NCIC "Immigration Violator" file — 700,000+ administrative warrants with no judicial review. Sparks PD (NV) had it enabled while listing immigration enforcement as a prohibited use.
  • Vigilant/LEARN: An ACLU investigation found 80+ departments had configured sharing with ICE, often in likely violation of local policy — years before Flock existed.

7. "hehehe": the audit logs

Flock requires a reason for each search. It is a free-text box. The ACLU of Massachusetts found that in September 2025 alone, one Oregon department entered "investigation" 111 times and "hehehe" 20 times. Both were accepted. The ACLU of Wisconsin found Milwaukee police typed "investigation" over 1,000 times in 2025.

California's State Auditor examined four agencies in 2020 — LAPD, Fresno PD, Sacramento County SO, Marin County SO — and found "little to no auditing," deficient policies, over-retention and indiscriminate sharing. Its warning, five years before Johnson County: agencies "could misuse ALPR images to stalk an individual or observe vehicles at… clinics and political rallies."

In fairness to Flock: the audit log is real, immutable, and it works when someone reads it. Braselton, Niceville and both Greer cases were caught precisely that way. The failure isn't the log — it's that a free-text field with no validation, on an account handed out liberally, is a formality rather than a control.

8. Security failures

51 findings, 22 CVEsJon "GainSec" Gaines' white paper against Falcon/Sparrow readers, Raven gunshot detection and Bravo/Picard compute boxes. Hardcoded WiFi credentials (CVE-2025-59409), hardcoded password in gunshot devices (CVE-2025-47821), Java keystore password in the Android app (CVE-2025-59407), cleartext Auth0 secret (CVE-2025-59406). A button sequence yields a root shell in under 30 seconds.
~60 cameras livestreaming, no password404 Media, Benn Jordan and GainSec found Condor PTZ cameras open to the internet — live feeds of playgrounds and bike paths, 30-day archive download, admin control. Flock: "a limited misconfiguration."
Credentials on Russian forums35+ stolen Flock law-enforcement logins appeared for sale, Nov 2025. Flock confirmed ~3% of LE customers had no MFA.
An exposed admin API keyA misconfigured Flock demo site leaked a live admin-level ArcGIS key — 50+ private data layers, ~$120,000 in credits.
CISA on Motorola Vigilant (2024)Seven vulnerabilities: default WiFi passwords, unencrypted data, unrestricted remote access.
CBP contractor breach (2019)100,000+ plate scans and 184,000 traveller images leaked from a federal contractor.
The pattern is the story. EFF found ALPR cameras openly accessible online in 2015. CISA flagged Motorola's in 2024. Flock's Condors were livestreaming in 2025. This is not a new problem being discovered — it is a decade-old problem recurring, in a market where the response to disclosure has repeatedly been to minimise it. Flock's position is that none of GainSec's findings affect public-safety objectives and that exploitation needs physical access and intimate device knowledge. Readers can weigh that against a root shell in 30 seconds.

9. What Flock told the customers

The ACLU's July 2026 report documented a pattern of misrepresentation:

  • Oshkosh, WI: Flock's CISO told the council the system did not "create a pattern or heat map." The council approved, discovered overnight that it was false, and revoked the contract in a single day. Flock's heat map shows a vehicle's captured locations for up to a month. The company called the lie "one small misconception."
  • Loveland, CO: Flock said federal agencies no longer had access and the CEO said there were no federal contracts — then admitted CBP/DHS pilots. CEO: "We clearly communicated poorly."
  • The ACLU partnership that never existed: Flock claimed it had "partnered with the ACLU of New Mexico" and "worked with groups like the ACLU." The ACLU says neither the national organisation nor any affiliate ever partnered with Flock.
  • Cambridge, MA: After the city voted to remove cameras, it found Flock had installed two new ones without consent. The City Manager called it a "breach of trust."

10. The part nobody talks about: the private market

Focusing on Flock understates this considerably. Motorola Solutions owns both Vigilant Solutions (the law-enforcement network) and Digital Recognition Network (DRN) — a private database built largely by repo drivers with cameras on their trucks. DRN sells access to insurers, lenders, repossession firms, car dealers and private investigators. Reporting has put the price of a search at roughly $20. Vigilant's database has held billions of scans, with reports of ~100 million added daily. That data reached ICE through a Thomson Reuters CLEAR contract — meaning a sanctuary city could feed its residents to federal enforcement without ever signing anything, as researchers found in Union City, California.

The First Amendment defence. When Utah banned private ALPR use, DRN and Vigilant sued to overturn it — arguing that photographing licence plates is protected speech, and that restricting it is a content-based restriction. Their filing: because of the ban, "DRN can no longer disseminate or sell license-plate data collected by ALPR systems in Utah." Whatever you make of the argument, it clarifies what the industry believes it is doing: publishing. Maine is currently the only state that bars private ALPR use outright.

And the federal layer predates all of it. The DEA has run a National License Plate Recognition Program since 2008. ACLU FOIA records showed 343 million records, queried through an interface called DEASIL, with cameras sited along what the DEA calls drug and money trafficking corridors — aggregating federal, state, local and tribal cameras. When the Washington Post reported in 2014 that DHS had cancelled its "national license-plate tracking plan," what had actually been cancelled was one ICE solicitation. The national programme already existed. It still does.

11. What the courts and legislatures did

ActionStatus
Schmidt v. City of Norfolk (IJ) — plaintiff's car logged 475–526 times in four monthsCourt initially denied dismissal citing Carpenter, then ruled the 176-camera network constitutional — it cannot track "the whole of a person's movements." IJ is appealing.
San Jose (IJ, plaintiff Tony Tan)Ongoing
Chatrie v. United States (SCOTUS, June 2026)Geofence location searches require warrants — expected to shape ALPR litigation
Lagleva v. Marin County Sheriff (EFF/ACLU) — SB 34 violationsSettled favourably
Schott v. Babb (IJ) — Border Patrol "whisper stop"Deputy admitted "nine times out of 10, this is what happens" — searches find nothing
Washington SB 6002 (signed 30 March 2026)First comprehensive state ALPR law: 21-day retention, bans immigration use, bars cameras near schools/worship/courts/food banks, private right of action. ACLU-WA calls it "a floor, not a ceiling."
California SB 34Bars out-of-state sharing. Auditor found flagrant violation; AG bulletins forced dozens into compliance
82 contracts cancelled, 28 states39 in the first five months of 2026 alone. LAPD let its contract expire July 2026 over civil-liberties and data-ownership concerns. Ring stopped doing business with Flock.

The counter-case, made properly

A catalogue that only points one way isn't evidence. Here is the strongest honest case for ALPRs, and it is not weak.

They work. ALPRs demonstrably recover stolen vehicles, resolve AMBER Alerts and generate homicide leads that would otherwise go cold — Flock cites a week in Colorado where two AMBER Alerts and a homicide were solved. Under-resourced departments get investigative reach they could not otherwise afford. The overwhelming majority of searches are routine and legitimate, and it would be dishonest to imply otherwise from a list of the exceptions. The audit logs do catch abuse — several cases above were found exactly that way, which is an argument for the system working as intended, not against it. And Flock has responded to pressure: ending federal partnerships, apologising in Dunwoody, agreeing to policy changes.

Where that argument runs out. "Mostly used well" is not the standard we apply to mass surveillance of people suspected of nothing — and 99.9% of the records concern exactly those people. The 24 stalking cases are not a failure of the technology; they are what happens when you place every resident's movement history in the hands of every officer with a login and check it with a free-text box. The 26 gunpoint stops are not bugs either — several were the system doing precisely what it was built to do. And the vendor statistics deserve the same scepticism as everything else: Flock's claims (700,000 crimes a year, 10% of US reported crime) come from its own Impact Census, not independent peer-reviewed study. DeFlock's Will Freeman notes the absence of independent confirmation.

Both things are true at once. The technology solves real crimes, and at this scale, with this oversight, abuse is not a risk but a certainty. A serious argument has to carry both — which is what 82 councils across 28 states appear to have concluded on the evidence.

Check it yourself

Frequently asked questions

How many officers have been caught using ALPRs to stalk people?

The Institute for Justice's Plate Privacy Project had documented at least 24 cases as of its July 2026 update, a tally that grew from 14 earlier in the year as more surfaced. IJ is explicit that this is 'almost certainly an undercount,' noting that not all misconduct gets detected. The detection pattern is the tell: most cases came to light because a victim noticed and reported it, or because a third-party tool like HaveIBeenFlocked.com let someone check their own plate — not because an internal audit caught it. Only a handful were found by the agencies themselves. That means the real number is unknowable, and the 24 represents the cases where someone happened to look.

Who is the officer who stalked an actress?

That is Lamar Eliseo Roman, a Monroe County, Florida deputy. On 3 February 2026 he was working security on the set of Apple TV+'s Bad Monkey in the Florida Keys, catcalled a 27-year-old background performer and told her he needed her number 'just in case I pull you over some day.' After she said she had a boyfriend, he used an ID database to find her licence number, Florida's DAVID database for her plate and photo, then added her plate to a hotlist on the Guardian ALPR system so it would alert him. On 19 February a reader scanned her plate; he drove over 70 mph, passed in no-passing zones, nearly caused a head-on collision, and pulled her over. He told investigators: 'It's a tough month and I saw a shiny thing,' and admitted he knew it was illegal. He was arrested on 10 March 2026 on three felony counts of misusing a law enforcement database and fired. Note the detail most coverage blurred: the woman was an extra, not a famous celebrity — the Tampa Bay Times headline calling her an 'actress' is where that framing comes from.

Did a Flock executive really watch a children's gym class?

Yes, and the attribution matters because it is frequently confused with a different company. Public records obtained by Dunwoody, Georgia resident Jason Hunyar showed Flock Safety employees accessing cameras in children's spaces at the Marcus Jewish Community Center for sales demonstrations to prospective police clients. On 23 July 2025, Flock's Randy Gluck viewed cameras labelled 'Gym Mendel – 1' and 'Main Pool Right'; on 30 September 2025, Vice President Bob Carter accessed the 'Gymnastics' camera. Flock CEO Garrett Langley apologised for 'poor judgement' and the company agreed to stop using Dunwoody footage in demos. This is a Flock incident. It is not the Verkada breach — in March 2021 hacktivists exposed roughly 150,000 Verkada cameras including hospitals, schools and clinics. Separate companies, separate scandals; conflating them is how good reporting gets dismissed.

What happened in Johnson County, Texas?

Deputies searched a nationwide Flock network to find a woman who had self-managed an abortion. First reported by 404 Media in May 2025, records later obtained by EFF showed two searches under one case number tied to a 'death investigation' of a 'non-viable fetus': an earlier, previously unreported search across 1,295 networks and 17,684 cameras, then the one that made headlines — 6,809 networks and 83,345 cameras, reaching a month back and into states where abortion is legal, including Washington and Illinois. Sheriff Adam King told 404 Media the family 'was worried that she was going to bleed to death.' EFF's records complicate that: deputies had already gathered evidence, had consulted the district attorney about charging her, and had been told they could not. The abortion had happened more than two weeks before the search. Illinois Secretary of State Alexi Giannoulias said the search violated Illinois law. The woman later came to the sheriff's office to report that the partner who reported her abortion had assaulted her at gunpoint; he was charged.

How often do license plate readers get innocent people stopped at gunpoint?

The Institute for Justice found at least 26 documented cases since 2018, most of them since 2023, in which innocent motorists were stopped, detained at gunpoint, or jailed because of ALPR errors. In nearly two-thirds, officers did not realise the error until after they had drawn their weapons. Brittney Gilliam and four children including a six-year-old were forced face-down on Aurora, Colorado pavement after a Colorado plate was flagged as a stolen Montana motorcycle; the city settled for $1.9 million. Denise Green was held at gunpoint in San Francisco because a 3 was read as a 7; $495,000. In Sherwood, Arkansas in February 2026 a couple were detained at gunpoint while their six-week-old baby sat alone in their car. The failure mode is not exotic: a misread digit, or a hotlist nobody bothered to update after the car was recovered.

Do the audit logs actually work?

They exist. They are not enforced. An ACLU of Massachusetts investigation found police routinely defeat Flock's search-reason requirement by typing anything at all: in September 2025 alone, one Oregon department entered 'investigation' 111 times and 'hehehe' 20 times — both accepted by the system. The ACLU of Wisconsin found Milwaukee police logged 'investigation' as a reason more than 1,000 times in 2025. Flock points to its immutable audit log recording user, reason and parameters, which is true and genuinely useful — the Braselton and Greer cases were caught by audit review. The gap is that a free-text field with no validation is a formality, not a control, and few limits exist on who gets an account. California's State Auditor found in 2020 that the four agencies it examined conducted 'little to no auditing' at all.

Is this only about Flock?

No, and focusing solely on Flock understates the problem. Motorola Solutions' Vigilant Solutions runs a comparable law-enforcement network, and its sister company Digital Recognition Network (DRN) operates a private database built by contractors — repo drivers and others — that sells access to insurers, lenders, repossession firms, car dealers and private investigators. Reporting has described searches priced around $20. That data reached ICE through a Thomson Reuters CLEAR contract. When Utah banned private ALPR use, DRN and Vigilant sued to overturn it, arguing that photographing plates is protected First Amendment speech. Separately, the DEA has run a National License Plate Recognition Program since 2008 — the ACLU obtained records via FOIA showing 343 million records, queried through an interface called DEASIL, with cameras positioned along what the DEA calls drug and money trafficking corridors. Flock is the most visible vendor. It is not the only one, and it is not the oldest.

Are the security problems real or theoretical?

Real, repeatedly, and with a decade-long pattern. Researcher Jon 'GainSec' Gaines published 51 findings against Flock's ecosystem — 22 assigned CVEs with more pending — including hardcoded WiFi credentials, a hardcoded password in gunshot-detection devices, a Java keystore password embedded in the Android app, and a button sequence that puts a camera into hotspot mode and yields a root shell in under 30 seconds. Separately, 404 Media and researchers found roughly 60 Condor PTZ cameras livestreaming to the open internet with no password, complete with 30-day archive access and admin control. Flock called it 'a limited misconfiguration.' The pattern is what matters: EFF found ALPR cameras openly accessible online in 2015, and CISA warned of seven vulnerabilities in Motorola's Vigilant systems in 2024 — default WiFi passwords, unencrypted data, unrestricted remote access. This is not a new problem being discovered. It is an old problem recurring.

Is any of this illegal to research?

No. Every source here is public: court filings, published audit logs, public-records responses, government audit reports, CVE records and journalism. Reading them is ordinary civic literacy — the same records a defence lawyer uses to challenge an extraction's reliability, and the same ones a city council needs before a contract vote. Physically interfering with a camera is a different matter and a serious offence; several people face felony charges for cutting cameras down. Documenting a surveillance system and sabotaging one are not the same act, and conflating them is a good way to get accountability work treated as vandalism.

What is the honest case for ALPRs?

That they work, often, for the thing they are sold for. ALPRs have recovered stolen vehicles, resolved AMBER Alerts, and generated homicide leads that would otherwise have gone cold — Flock cites cases in Colorado where two AMBER Alerts and a homicide were solved in a single week. The overwhelming majority of searches are routine and legitimate. Under-resourced departments get investigative leads at a scale they could not otherwise reach. And audit logs, where they are actually reviewed, do catch abuse — several cases in the catalogue above were found exactly that way. The honest critique is not that ALPRs never work. It is that at current scale, with warrantless access and weak enforcement, insider abuse and errors against innocents stop being risks and become statistical certainties — and the record now shows the systems being turned on abortion patients, immigrants, journalists, critics and ex-partners. Both things are true. A serious argument has to hold both.