According to TechCrunch, Senators Ron Wyden (D-OR) and Raja Krishnamoorthi (D-IL) have called for an FTC investigation into Flock Safety over cybersecurity failures that expose its nationwide license plate scanning network to hackers. The lawmakers revealed that Flock doesn’t require multi-factor authentication for its law enforcement customers, despite evidence that stolen police logins have appeared on Russian cybercrime forums. Flock operates one of America’s largest camera networks with access to over 5,000 police departments and billions of license plate photos. While the company claims 97% of law enforcement customers now use MFA after enabling it by default in November 2024, that leaves approximately 3%—potentially dozens of agencies—without this basic security protection. This security gap raises fundamental questions about the future of mass surveillance infrastructure.
The Systemic Nature of This Security Failure
What makes this security lapse particularly concerning is how it reflects a broader pattern in surveillance technology deployment. Companies like Flock often prioritize rapid market expansion over robust security protocols, creating what security experts call “technical debt” in critical infrastructure. The fact that federal agencies have already abused access demonstrates how porous these systems become without proper authentication controls. This isn’t just about individual account security—it’s about protecting an entire surveillance ecosystem that tracks millions of Americans’ movements daily.
Implications for Surveillance Regulation
The lawmakers’ FTC referral signals a potential regulatory shift in how surveillance technology will be governed. We’re likely to see increased scrutiny of not just Flock but the entire surveillance-as-a-service industry. The FTC’s authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, could become a powerful tool for regulating cybersecurity standards in this sector. This case may establish precedent requiring mandatory security controls for any company handling sensitive location data at scale.
Broader Industry Impact and Market Response
This incident will force the entire surveillance technology sector to reevaluate their security postures. Competitors like Motorola Solutions, Genetec, and other ALPR (Automatic License Plate Recognition) providers will face pressure to implement stricter authentication requirements. More importantly, we’ll likely see insurance providers and enterprise customers demanding higher security standards as part of their procurement processes. The market advantage may shift toward companies that can demonstrate robust security architectures rather than just extensive camera networks.
The 12-24 Month Outlook
Looking ahead, I predict mandatory cybersecurity frameworks specifically for surveillance technology will emerge within the next two years. We’ll see state and local governments imposing stricter contracting requirements, potentially including third-party security audits and liability provisions for data breaches. The remaining 3% of Flock customers without MFA will likely face pressure from their own oversight bodies to enable these protections. More fundamentally, this incident may accelerate calls for comprehensive federal privacy legislation that addresses not just data collection but the security infrastructure protecting that data.
Long-term Infrastructure Security Concerns
The most significant implication extends beyond Flock to the entire concept of networked surveillance infrastructure. As these systems become more interconnected—sharing data across jurisdictions and even with private entities—the security of the weakest link determines the security of the entire network. A single compromised police department login could potentially expose search capabilities across multiple states. This creates a national security concern that transcends individual company policies and points toward the need for standardized, mandatory security protocols across the surveillance technology ecosystem.
