Deflock Tucson

Flock Tells Customers to Disable Nationwide Lookup After Public Records Expose Search Activity

Attribution: https://haveibeenflocked.com/news/colwell-files

Author: H.C. van Pelt

Flock’s VP of Engineering advises police customers to disable nationwide sharing after public records requests expose search activity. The company’s solution: “redaction capabilities” coming in 2026.

Three weeks ago, Flock’s Vice President of Solution Engineering, Chris Colwell, sent out an email blast suggesting Flock users temporarily disable their product’s core feature, national sharing. Why? Because we’ve been showing you how those customers are using the network. Not to worry though, Flock’s chief engineer assures his police customers, “we are actively developing product and policy improvements, focusing on redaction capabilities.”

We are aware that agencies across the country, particularly in states with broad public-records laws, are seeing increased PRA/FOIA activity seeking, among other things, LPR search logs.[1]

Recently, a third-party website began aggregating search information that appears to have been released through these public-records processes. We recognize that seeing investigative search activity displayed publicly can raise understandable concerns about officer safety, investigative integrity, community perception, and compliance with state law.

Read the full email

Yes, Chris. Those concerns have been the point all along.

He promises new tools for 2026, and continues:

Until these new [redaction] tools are available, we recommend: Reviewing your sharing settings and considering a temporary shift from Nationwide Lookup to Statewide Lookup, if that better aligns with your agency’s legal guidance and operational risk posture.

This recommendation—and this plan to bury the bodies—is an outright admission that the Flock system is so critically flawed, and so widely abused, that it cannot survive public scrutiny.

Of course, activists everywhere commend the recommendation to leave the nationwide network. Flock has spent years claiming this network is essential for public safety. Will we have anarchy in the streets, or will it turn out to have been optional all along?

Anyway. Let’s talk about hiding the evidence.

Officer safety and investigative integrity

First, let’s define what we’re talking about with these terms.

Many states have statutes similar to this one from Texas:

“Criminal history record information” means information about individuals collected by criminal justice agencies consisting of identifiable descriptions and notations of arrests; detentions; the filing of complaints, indictments, or informations and dispositions arising from complaints, indictments, or informations; sentences; correctional status; and release. It includes identification information, such as fingerprint records or photographs

A person commits an offense if the person knowingly or intentionally obtains criminal history record information … uses the information for an unauthorized purpose, or discloses the information to a person who is not entitled to the information.

This would appear to cover most of the information in this search log entry:

Houston disclosing CHRI

The only item that was redacted by Flock and Houston PD was the license plate. This person’s name, date of birth, phone number, and criminal history (“AGG ASSAULT DEADLY WEAPON”) were all entered into an insecure system and then fired off to 3,000+ agencies.[2]

Not Houston. Houston hides who it shares data with.

In the statute’s terms: the information was knowingly or intentionally disclosed to 3,000+ persons not entitled to the information. Not by the officer entering the information, but by Flock—an unauthorized person that first knowingly or intentionally obtained the information, and then re-disclosed it.

This continues to happen, even after a 157-page multi-jurisdictional report on an active gang-related murder investigation got leaked, and, just yesterday, a LINX report on a fatal hit-and-run surfaced after it was pasted into a case number field.

CHRI, CJI, intelligence data … various terms and statutes apply depending on the exact information, context, and state. But the general pattern holds: statutes criminalize indiscriminately sharing this type of information.

So … might I be so bold as to suggest not indiscriminately sharing such information? Not with Flock, and not with the nationwide network.

I’m not a cop, but I think not criming could also help with the whole “reducing crime” thing.

Just a thought.

Compliance with state law

While I somewhat enjoy the idea that snarky blog posts and reposting audit logs proximately cause police to violate the law, I’m sure that’s not what Chris means.

The only possible “concern” he could be referring to is the concern that this website would be publishing evidence that agencies are not compliant with state law. This is a valid concern. See above.

The solution is the same as before: stop breaking the law.

A pattern emerges.

Community Perception

And finally, the only concern worth taking seriously: “community perception.”

This is valid.

The community will not perceive it as a positive that the system they were promised would be used to find missing children, is actually being used for reasons like “Operation Homeless Intel- Make your own case!”, to perform blatantly unconstitutional searches, or to investigate “gypsy crap”.

The community may also take a dim view of Flock users obtaining a 30-day history of someone’s whereabouts simply because they were “‘suspicious’ per a karen.”

Flock and police promised the community these things would not happen.

They promised “the system requires a detailed search reason” and that these “detailed reasons” would be stored in a “permanent log file.” Police chiefs stood before city councils, assuring them logs would be audited regularly. Many even adopted policies to that effect.

Yet, this website shows nationwide searches for “inv” and “sus” have consistently made it past the scrutiny of every single police chief who promised the community that “we own the data and we have full control over who gets access.”

There have been hundreds, if not thousands, of these promises. ALPR policies that require audits are everywhere. Every day, these policies collectively promise, police officers across the country will audit hundreds of thousands of searches.

Every single “sleepy Virginia town” that commits to reviewing nationwide search logs is committing to reviewing around 150,000 searches every single week. In each of these audits, every single instance of “sus” or “inv” should—ironically—be considered suspicious and be investigated.

Even assuming only a fraction of Flock’s customers commit to audits, on average there should be approximately two million phone calls or emails between police departments demanding answers about “inv” and “sus” every single day.

I have not heard of one.

Hundreds of thousands of entries containing only "inv", "sus", or "test". Or, you can “Make your own case!” in "Operation Homeless Intel".

“Agencies own and control the data” (but “for clarity,” that’s not in the TOS).

And now, the “permanent, immutable audit logs” are on the 2026 roadmap to redact.

Community perception is a valid concern when such a massive breach of trust is put on full display.

Redaction: Why not?

I want to touch on redaction. It’s not complicated. It’s not expensive. This website’s entire redaction library, which is relatively complex because it aims to balance privacy with transparency, comes in at less than 1,000 lines of code. It takes seconds to process millions of records on a small laptop.

It takes even less code to truncate a field so you can’t paste entire reports in there.

For any non-programmers who might be reading this, this is literally, without exaggeration, the single change needed, and the one Flock has failed to implement for years now:

<input type="text" />                  <!-- ❌ active murder investigations are compromised -->
<input type="text" maxlength="420" />  <!-- ✅ professional-grade solution engineering -->

That’s it. maxlength="420".

420 characters is more than enough to accommodate the typical “reason” length of 7 characters. Even if a cop decided to go a little cray-cray and write an actual justification, 400 characters would accommodate it. They can use the remaining 20 for their badge number.

You’re welcome, seven-billion-dollar tech company.

You can pull my address from Flock Nova and mail me a check.

But instead of making this simple change, Flock hangs on to its unrestricted fields. There is not even a “hey maybe don’t enter this,” like there is for searches that might more overtly violate law.

Now, when these problems are finally coming to light, Flock’s solution is to go into the archives and ham-fistedly replace entire categories of data—which its customers need to be able to access to comply with state, local, and federal law (not to mention the ALPR policy promising audits)—in its “immutable” and “permanent” logs and replace them with the word “REDACTED.”[^redacted]

Right now, this change appears to affect existing records. Altering public records is a criminal act in many, if not most, states. If Flock is actually making the information available to police and police are ticking (or leaving ticked) the “hide information” boxes, they may run afoul of open records laws. Either way, it looks like someone is about to take on some extra liability (hint: Flock added a new paragraph to its ToS on December 19—guess what it’s about?).[3]

Flock is handing police a shovel to bury the records while quietly changing the contract to say the legal fallout is not on Flock.

The solution Flock is implementing is overly complex and costly. Scroll up. Does that need to be delivered in “Early 2026,” after the lawyers have had time to review and deploy the TOS change, or could it have been implemented before Colwell’s email was even done sending?

Who needs redaction when you have AI?

The reason why Flock will not redact anything is its business model. It is causing the company’s constructs to collapse.

Flock does not, as it likes to pretend, exist only in the abstract. Its cameras aren’t only found along country roads, magically snapping pictures of “only license plates” in its stated effort to eliminate crime.

Flock doesn’t exist to eliminate crime. It exists to make money. It has a fiduciary duty to its shareholders to prioritize profit. To make a profit, it requires unregulated data, free and clear, unencumbered by public records law or restrictions on criminal justice information.

It requires data it can feed into LLMs. Data it can mine. Data it can convert into “actionable insights” and then sell. It doesn’t matter how the data gets there, what the quality of that data is, how secure it is or what it’s being used for.

Amassing vast amounts of data is a substitute for expensive manual training that often requires sending your data abroad. And what better way to gather that data than convincing the government to pay you to pepper public places with cameras and microphones? What better way to be exempt from permits and licensure?

These days, everyone has AI. It’s the data that differentiates. It’s the data Flock has seized for its own use. Colwell knowingly misleads his customers when he says “all Flock data is owned and controlled by the agency that collected it.”

Flock’s customers don’t collect data when they use Falcon/LPR. Flock does. This isn’t pedantry: it’s language in a mass email from a high-level Flock executive about legal compliance.

Flock’s terms of service state, “for clarity”:

Customer Data does not include the underlying raw Footage captured by the Flock Hardware […] “Footage” means still images, video, audio, and other raw data captured by the Flock Hardware or Customer Hardware via the Flock Services.

So instead of addressing any of the actual problems, which would mean collecting less data or deleting some of the data, Flock’s solution is to hide the data from its customers.

The Sunlight Phase

When I launched this project, I included a statement on the front page titled “Should you be publishing this information?” It argued that sunlight is the best disinfectant.

Flock’s recommendation to shut down the nationwide network proves it.

This website aggregates and reformats already-public information. This information represents a fraction of what’s being shared with Flock and its government, commercial, and private partners on a daily basis.

Policies exist to prevent the release of this information—they are not adhered to. Laws and regulations exist to enforce the policies—they go unenforced. Police, Flock, and politicians have been ignoring these problems for years while your private movements continue to be collected, catalogued, sold and traded.

This website exposes the problem because, as the old saying goes, sunlight is the best disinfectant. Law enforcement and legislation are needed to address the cause of the problem, and we highly encourage you to bring this site to the attention of your legislators.

We believe mass surveillance has no place in a free society, and this data should not be collected to begin with. If it is collected, warrants should be used, lookups should be rare, and police and private parties, like Flock and HaveIBeenFlocked.com, should not be permitted to act without functional restraints or oversight.

We have entered the sunlight phase.

In his email, Colwell writes that the new “enhancements” are planned for early 2026. That gives them about 48 hours to find a new way to hide the truth.

We’ll be here. Filing open records requests.

  1. If you contributed to this, thank you! If you haven’t done so yet, check out the page on audit logs, visit Muckrock, and find state-specific information from your local freedom of information council, ACLU, or other public interest or journalism organization. ↩︎
  2. The number in this particular log entry is suspicious. 3,160 devices in 3,160 networks. Could be a parsing error, could be the logs not telling the truth. ↩︎
  3. 9.4 Customer Indemnity. To the extent permitted by law, Customer shall indemnify and hold harmless Flock against any damages, losses, liabilities, settlements, and expenses in connection with any claim or action that arises from an alleged violation of Customer Obligations, Customer’s Installation Obligations, Customer’s sharing of any Customer Data, including any claim that such actions violate any applicable law or third party right. ↩︎

Leave a Reply

Your email address will not be published. Required fields are marked *