Lawmakers say stolen police logins are exposing Flock surveillance cameras to hackers

Lawmakers Call FTC to Investigate Flock Safety Over Cybersecurity Concerns
Lawmakers are urging the Federal Trade Commission to investigate Flock Safety, a company that operates license plate-scanning cameras, over alleged failures in implementing cybersecurity protections. These concerns center on the risk that inadequate safeguards, such as the lack of enforced multi-factor authentication (MFA), could expose Flock’s large camera network to hackers and spies. The issue gained attention through a letter from Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL), urging the FTC chairman to review why Flock does not require MFA for its law enforcement users. Although MFA is available, the company reportedly confirmed to Congress that it does not make this security protection mandatory.
Risks, Evidence, and Company Response
Wyden and Krishnamoorthi highlighted significant privacy dangers stemming from these practices. If a hacker or foreign agent obtained a law enforcement customer’s password, they could access restricted areas of Flock’s website. This would allow them to search billions of photos of Americans’ license plates collected via taxpayer-funded cameras nationwide. Flock’s network is extensive, with cameras and license plate readers deployed by more than 5,000 police departments and various private businesses. These cameras track vehicles’ movements, creating a vast database of location information accessible to users with legitimate credentials.
The lawmakers referenced findings from Hudson Rock, a cybersecurity firm, indicating that some Flock law enforcement users’ credentials have already been stolen and circulated online by information-stealing malware. Furthermore, independent researcher Benn Jordan shared a screenshot with Congress, allegedly showing a Russian cybercrime forum selling access to Flock user logins.
When contacted for comment, Flock Safety stated through its chief legal officer, Dan Haley, that MFA has been set as the default for all new customers since November 2024. To date, the company claims that 97% of law enforcement customers have enabled MFA. However, this means about 3%—potentially dozens of agencies—have so far declined, each reportedly for their own reasons. Flock’s spokesperson did not provide an exact count of non-compliant agencies or clarify whether any federal agencies remain among them. Additionally, no explanation was shared regarding the company’s decision not to mandate MFA for all users.
Notably, previous reporting by 404 Media revealed a case where the U.S. Drug Enforcement Administration used a local police password to access Flock’s system during an immigration investigation, without the officer’s knowledge. Following this privacy breach, that police department enabled MFA. These incidents underscore persistent concerns about data security for vast camera networks and the risks of weak authentication for sensitive law enforcement systems.
Tags: cybersecurity, Flock Safety, license plate cameras, stolen passwords, multi-factor authentication, data privacy
