**FLOCK SAFETY EXPOSES AMERICA'S SURVEILLANCE INFRASTRUCTURE: DEFAULT ARCGIS KEY EMBEDDED IN PUBLIC-FACING JAVASCRIPT BUNDLES**

In a shocking revelation, I discovered that Flock Safety, a leading provider of surveillance infrastructure to law enforcement agencies across the United States, had hardcoded a default ArcGIS API key in their public-facing JavaScript bundles. This single credential granted access to the company's ArcGIS mapping environment and 50 private layers, consolidating sensitive data from approximately 12,000 deployments nationwide.

The exposed API key was embedded across 53 separate Flock Safety front-end bundles and environments, each instance independently granting access to their ArcGIS mapping platform. This meant that anyone with access to these publicly accessible endpoints could have exploited the vulnerability to gain unauthorized access to sensitive data.

**WHAT THIS MEANS FOR NATIONAL SECURITY**

The implications of this exposure are far-reaching and disturbing. With access to Flock Safety's ArcGIS environment, foreign intelligence services would not need to intercept communications content to gather valuable intelligence on individuals and organizations. Historical location data revealing the presence, routines, and associations of politicians, federal agents, intelligence personnel, military leadership, or special operations units constitutes intelligence in its own right.

Consider a scenario where members of SEAL Team 6 or Delta Force disappear from roadways for several days. Their absence would be a signal, and if correlated with the disappearance of other individuals, such as a primary French translator, it could indicate the initiation of a special operations mission inferred solely from movement data collected by Flock Safety's nationwide license plate reader network.

**PERSISTENT MOVEMENT TRACKING: A DOUBLE-EDGED SWORD**

Persistent and indiscriminate movement tracking enables coercion, blackmail, and influence operations that do not require access to communications content. Members of Congress, senior military leaders, diplomats, corporate executives, and their spouses and children are all placed at heightened risk.

**DOCUMENTED CASES OF FLOCK CAMERA MISUSE**

The documented history of law enforcement misuse of license plate reader systems, including Flock's own platforms, demonstrates that access to movement data is routinely weaponized for personal purposes by those entrusted with it. Recent cases include:

* **Braselton, Georgia (November 2025):** Police Chief Michael Steffman was arrested and charged with stalking, harassment, and multiple counts of misusing automated license plate recognition systems after a months-long Georgia Bureau of Investigation probe revealed he used Flock cameras to track and harass multiple individuals. * **Sedgwick, Kansas (2023-2024):** Police Chief Lee Nygaard used Flock Safety license plate readers to track his ex-girlfriend's vehicle 164 times and her new boyfriend's vehicle 64 times over a four-month period. * **Orange City, Florida (2024-2025):** Officer Jarmarus Brown was arrested and charged with stalking and unauthorized computer access after using Flock license plate readers to track his ex-girlfriend's whereabouts for approximately seven months.

**WHY THIS MATTERS: A CALL TO ACTION**

As a cybersecurity professional who has conducted dozens of compliance assessments, I can attest that the statements made by Flock Safety are familiar. Compliance frameworks are often mistaken for guarantees of security, when in reality they are scoped evaluations of specific controls, not comprehensive examinations of an organization's risk posture.

I urge policymakers to support an investigation into Flock Safety and mandate independent security audits for any vendor handling law enforcement location data. If a single cybersecurity researcher in his early twenties could gain direct technical access to an exposure of this magnitude, a well-resourced foreign adversary operating with intent could observe far more.

**WHAT YOU CAN DO**

As a resident, journalist, or policymaker, you have the power to demand change:

* **File a public records request for your city's Flock Safety contract and any internal audit logs.** * **Attend the next city council meeting where surveillance procurement is discussed.** * **Request Flock Safety's penetration test results. Demand to know where your agency's data lives and who else can access it.**