Policy Brief · Georgia General Assembly · 2027 Session
Unregulated Surveillance in Georgia
Automated Surveillance Technology, Facial Recognition, and the Case for Accountability Legislation
90,000+
ALPR cameras across 49 states
20 Billion
vehicle scans per month by the leading vendor
51
MITRE-verified security vulnerabilities
30+
municipalities terminated ALPR contracts since 2025
Executive Summary
Georgia has no law governing the deployment, security, or use of automated surveillance technology by government agencies or private actors who share data with government. A sprawling ecosystem of automated license plate readers (ALPR), AI-enhanced tracking cameras, facial recognition systems, gunshot-detection networks, and private retail surveillance platforms is being deployed on Georgia’s public roads, in its commercial spaces, and in its residential communities.
The data these systems collect is aggregated, bought, sold, and shared with law enforcement — in some cases with federal agencies — without a warrant, without meaningful notice to the public, and without basic cybersecurity standards. Independent researchers have documented dozens of critical security vulnerabilities.[1][2] Facial recognition systems have produced wrongful arrests in multiple states.[3][4] Officers have used these systems to stalk domestic partners and track reproductive healthcare.[5][6][7]
The vendor infrastructure behind these systems is owned by private companies, not Georgia communities — and those companies’ financial interests run directly counter to protecting the privacy of ordinary Georgians. This brief makes the case for comprehensive automated surveillance accountability legislation and identifies the seven core elements any effective law must address.
Section 1: The Automated Surveillance Ecosystem
The following categories of technology are currently deployed in Georgia and across the country — often with no specific statutory authorization and no public accountability framework.
1A. Automated License Plate Readers (ALPR)
Solar-powered cameras mounted on public roads photograph every passing vehicle, recording the license plate, make, model, color, bumper stickers, dents, and GPS timestamp. Data is uploaded in real time to a centralized cloud database accessible by thousands of law enforcement agencies nationwide — with no warrant required. The leading vendor (Flock Safety, headquartered in Atlanta) processes over 20 billion scans per month[8] across an estimated 90,000+ cameras in 49 states.[9] A single query can simultaneously search across tens of thousands of cameras.[10] Communities do not own the cameras or the data — they lease access from a private company.[11]
1B. AI-Enhanced Tracking Cameras (Person-Following Technology)
The newest generation of surveillance cameras — including the Flock ‘Condor’ model — are pan-tilt-zoom (PTZ) cameras that use AI to automatically identify, zoom in on, and follow individual people as they move through a space. Unlike ALPR cameras, which are triggered by vehicles, these cameras track pedestrians and individuals continuously.[12] Researchers discovered 67 publicly accessible Condor camera feeds streaming live and archived video of every person who passed — including a trail in the Peachtree Creek Greenway in Brookhaven, Georgia, and a children’s playground near the Bay Area in California — with no password required.[13]
The AI on these cameras was observed automatically zooming in on a man watching rollerblading videos on his phone on a Georgia trail, a couple arguing at a street market in Atlanta, and a person having a mental health crisis.[14] Using commercially available facial recognition software, a researcher cross-referenced individuals identified from unsecured camera feeds against open-source information — within two minutes locating personal, financial, and health information about people who had no idea they were being recorded or identified.[14] Critically, residents and passersby have no notice these cameras exist, no knowledge they are being followed, and no recourse.
1C. Facial Recognition Technology (FRT)
Facial recognition technology analyzes faces captured by surveillance cameras and attempts to match them against databases of known individuals — driver’s license photos, mugshot databases, social media images, and commercial photo databases. Law enforcement agencies across the country use FRT to generate investigative leads, and its use is expanding rapidly with no specific statutory framework in most states, including Georgia. Vendors and some law enforcement agencies are pushing toward real-time facial recognition integrated with ALPR cameras and AI tracking cameras — a system capable of tracking named individuals continuously as they move through public spaces, without any individual ever being suspected of a crime. The documented real-world consequences of deploying this technology without accountability are addressed in Section 3.
1D. Integrated Private-Sector Surveillance Networks
Government agencies are not the only source of surveillance data. Major retailers — Walmart, Home Depot, Lowe’s, and others — have deployed ALPR cameras and AI surveillance systems at their locations and share that data with law enforcement through legally compelled disclosures and voluntary cooperation agreements. This creates a parallel surveillance infrastructure funded by private companies but functionally serving as an extension of government surveillance, without any of the legal constraints that apply to government-operated systems.
- Walmart’s Customer Privacy Notice documents collection of: name, phone, address, email, device identifiers (phone/smartwatch MAC addresses), age, gender, race, household income, family health information, credit card numbers, geolocation history, photographs, audio and video recordings, shopping behavior patterns, and inferences drawn from those patterns about intelligence and aptitudes.[15] This data is shared with law enforcement through legal process.
- Home Depot and Lowe’s use ALPR cameras at their locations and have been documented sharing camera data with law enforcement.[16] Law enforcement agreements give agencies with immigration enforcement authority — including federal immigration agencies — access to this same retail camera data.[17]
- Programs like Phoenix PD’s “Virtual Block Watch” and real-time integration platforms like Fusus allow police departments to incorporate feeds from private business cameras — stores, restaurants, gas stations — into unified monitoring grids, effectively extending surveillance coverage without directly purchasing the cameras.
1E. Data Fusion: When Everything Is Combined
The most significant and least-discussed risk is data fusion — the aggregation of multiple surveillance and data streams into a single profile on an individual. New AI-powered products, such as Flock Nova, were designed to combine ALPR data, computer-aided dispatch records, criminal history databases, and video surveillance — and, until journalists exposed the practice, incorporated data purchased from large-scale data breaches.[18] Flock markets Nova as enabling investigators to link individuals through relationships or associations with a single search.
Palantir, a major government data analytics contractor, aggregates surveillance data — and, for agencies that have purchased access, commercial data broker records — into comprehensive individual profiles for law enforcement clients.[19]When ALPR history is merged with retail purchase data, facial recognition matches, phone location history, and brokered data, the result approaches a comprehensive government surveillance profile: detailed records on any individual, retrievable in seconds. This is a product being actively marketed to Georgia’s law enforcement agencies today.
“These cameras are not just reading license plates. They are AI-enhanced, person-tracking, data-fusing surveillance systems — and the data they collect is being combined with your retail shopping history, your medical information, and stolen data from hacked databases.”
Section 2: The Three Threat Vectors
Every automated surveillance system — regardless of type — faces the same three threat vectors. Each is documented, each is distinct, and each requires its own legislative remedy.
Threat Vector A: Hackers and Foreign Adversaries
Independent cybersecurity researchers have documented a pattern of catastrophic security failures across the ALPR and surveillance camera industry. These findings were verified by MITRE (the DHS-affiliated cybersecurity threat management body) and cited in a formal Congressional letter to the FTC.[1] The documented vulnerabilities are not minor — they allow an attacker to take complete control of deployed government surveillance infrastructure.
- 51 MITRE-verified vulnerabilities in the leading ALPR vendor’s ecosystem; most rated High or Critical. Some remain unpatched.[2]
- Discontinued operating systems — cameras in the field run Android Things 8.1, discontinued in 2021, with hundreds of published, unpatched vulnerabilities and no security updates.[20]
- No password required on 67 camera feeds — researchers found live and archived footage from 67 cameras publicly accessible via Shodan, a specialized IoT search engine, requiring no technical skill to access. One Georgia walking trail was among the exposed feeds. A children’s playground near the Bay Area in California was broadcasting publicly.[13]
- 30-second physical exploit — pressing a button sequence on any deployed camera grants full root control: view, modify, or delete footage; install malware; harvest Wi-Fi credentials; or convert the camera into a botnet node. A $5 USB device achieves the same result.[21]
- Identical hard-coded credentials — the same Wi-Fi password is used across all deployed cameras in the country. Discover it once; access any camera anywhere.[22]
- Unencrypted data in transit — credentials and camera data were captured in plain text by researchers intercepting network traffic.[23]
- No multi-factor authentication required — some agencies access sensitive law enforcement surveillance databases with only a username and password — a lower standard than a Gmail account.[24]
- Competing vendor precedent — Hikvision (world’s largest camera company) had 80,000 cameras compromised in 2022; Russian military used Hikvision cameras in Ukraine to plan airstrikes. A working exploit remains publicly available today.[25]
- Chinese state-sponsored intrusion — a Chinese hacking group (Flax Typhoon) has compromised ArcGIS, the geospatial platform used by the leading ALPR vendor, potentially exposing officer names, phone numbers, patrol areas, and hot-list data.[26]
- Facial recognition databases — the large biometric databases used by FRT vendors represent high-value targets for foreign intelligence services; a breach would expose the faces and identities of millions of Americans enrolled without their knowledge.[27]
Threat Vector B: Rogue and Unsupervised Insiders
Insider misuse of surveillance systems is not theoretical — it is a consistent, documented pattern across every category of surveillance technology.
- At least three Wisconsin officers faced criminal charges for misusing surveillance systems to stalk romantic partners within a twelve-month period — part of at least 14 documented cases of ALPR misuse for personal surveillance nationally.[5]
- A Milwaukee officer ran two victims’ plates collectively 179 times over two months — discovered not by the department, but by one of the victims through a third-party website. Reason code entered: “investigation.”[6]
- A Johnson County, Texas sergeant searched across tens of thousands of ALPR cameras nationwide for a woman who obtained an abortion in another state where the procedure was legal. No warrant.[7]
- Court filings alleged a Norfolk, Virginia resident’s vehicle was captured more than 475 times over four months with no documented criminal suspicion.[28]
- Facial recognition misidentification arrests — wrongful arrests of Robert Williams (Detroit), Nijeer Parks (New Jersey), and others based solely on FRT matches, with no independent verification before arrest.[29]
- Reason code fraud — “investigation” is the single most common reason code entered for ALPR searches in audited Wisconsin agencies, providing no accountability. Officers routinely enter blank fields or random strings.[30]
- Political and reproductive surveillance — documented cases of surveillance systems being used to track abortion-seekers, immigration status, and individuals at political events. The same infrastructure is available for any purpose to anyone with a badge and a password.[17]
Every agency with a documented misuse case had internal policies in place. Internal policies alone have not worked. Mandatory audit logging with specific reason codes, automatic access suspension on unauthorized queries, and meaningful criminal penalties are the only effective deterrents at scale.
Threat Vector C: The Vendors — Private Companies With Your Public Data
The least intuitive but most structurally important risk is the vendor itself. Georgia’s communities do not own the surveillance infrastructure their tax dollars fund.
- Government agencies lease, not own — under standard contracts, the agency cannot repair, modify, or remove the cameras it pays for. The vendor retains all hardware and data infrastructure rights. One contract explicitly tells police to call 911 instead of relying on the vendor in an emergency.[11]
- ~$8.4 billion valuation as of April 2026, reportedly eyeing a potential public offering — the leading ALPR vendor’s financial incentive is maximum data collection and retention, not minimum. The more data it holds, the more valuable the company.[31]
- Hacked data incorporated into AI product — the vendor’s “Flock Nova” AI was found to incorporate data purchased from large-scale security breaches. The vendor abandoned the feature only after journalists published the finding.[18]
- Cameras reinstalled without authorization — Evanston, IL terminated its Flock contract and ordered camera removal after the Illinois Secretary of State revealed that CBP had accessed Illinois camera data without authorization, in violation of state law. The vendor reinstalled all of the cameras — without the city’s permission.[32]
- Vendor installed cameras without required permits — nearly 100 cameras were installed on Lake County, FL public roads without obtaining the required county permits.[33]
- No accountability for errors — the vendor’s liability clauses protect it against virtually all claims arising from errors, including false-positive identifications that lead to innocent people being held at gunpoint. Taxpayers pay settlements; vendors do not.[34]
- Facial recognition vendors face the same structural problem: the databases they maintain — containing the biometric data of millions — are privately owned assets held under commercial contract, not public records subject to oversight or audit.[35]
Section 3: Documented Real-World Harms
Facial recognition technology carries two systemic documented problems that frame all of the case studies below. First, the National Institute of Standards and Technology (NIST) has found that many facial recognition algorithms produce false positive rates 10 to 100 times higher for darker-skinned individuals, women, and elderly people compared to lighter-skinned men — concentrating wrongful-arrest risk on communities already subject to over-policing.[36] Second, in most jurisdictions, including Georgia, law enforcement officers can run a facial recognition search without a warrant, judicial oversight, or probable cause, even when the result of a positive match may be an arrest. Each of the following harms flows directly from deploying this technology without those guardrails — and each is documented in court records, news investigations, security research, or public official statements.
▸ Aurora, Colorado — family held at gunpoint
▸ Detroit, Michigan — wrongful arrest by facial recognition
▸ New Jersey — facial recognition error, 10 days in jail
▸ Georgia walking trail and Atlanta street market — footage exposed
▸ Dunwoody, Georgia — city council hearing, documented vulnerabilities in deployed cameras
▸ Johnson County, Texas — abortion surveillance
▸ Federal immigration access without local consent — nationwide pattern
▸ Colorado — wrongful identification, system with no exit
▸ Vendor efficacy claims not independently verified
Section 4: The Broader Case — Beyond Public Safety Statistics
The Chilling Effect on Civil Life
Surveillance research consistently documents a chilling effect: awareness of surveillance causes people to self-censor, avoid political meetings, decline to seek medical care, or refrain from other constitutionally protected activities.[42] Proponents argue surveillance deters crime. What they do not discuss is what else it deters: practicing an instrument in a park, attending a religious service or a political meeting, seeking medical care, exploring an identity.
As security researcher and YouTuber Benn Jordan described after watching unsecured footage of a man sitting alone on a playground swing, filmed without his knowledge on an exposed Condor camera:[14] “It made me realize exactly why I have such a visceral objection to mass surveillance. It imposes on our right to find our own identities without judgment.” Peer-reviewed research also finds that high surveillance environments decrease well-being, morale, and workplace productivity — with monitored employees reporting mental health harm at nearly twice the rate of unmonitored employees.[42]
The “Today’s Friend, Tomorrow’s Enemy” Problem
The surveillance infrastructure being built today does not serve only the current government. It is available to every future administration, every future police chief, and every future officer who receives a password. The same system that today tracks crime suspects was used to track a woman who obtained an abortion, to stalk domestic partners, and to target individuals at political events.
As security researcher Benn Jordan argued in his public presentation of these findings:[43] “There is no civilian anywhere who is always 100% aligned with their government throughout their entire life. If mass surveillance sounds good to you today, then it probably wouldn’t have sounded good to you five years ago. And I guarantee you that it won’t sound good to you at some point in the future. This isn’t a right versus left thing or a Republican versus Democrat thing or an empathy versus logic thing. It’s an authoritarian versus individual thing.”
The “Exempt Yourself” Problem
Flock Safety markets exemption lists — license plates excluded from logging or flagging — to HOA customers to exempt residents’ vehicles. Whether government agencies use this same feature to exempt politically connected individuals or public officials from the surveillance that applies to all other Georgians is a question that open records requests should urgently address.
The Constitutional Trajectory
Courts are moving toward constitutional limits on automated surveillance, though the Supreme Court has not yet ruled directly on dragnet ALPR or FRT use. Key precedents:
- Carpenter v. United States (2018):[44] Historical cell-site location data requires a warrant. Chief Justice Roberts: “As with GPS information, the time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’” Courts reviewing ALPR challenges have applied Carpenter’s reasoning to dragnet license plate surveillance — the Massachusetts Supreme Judicial Court held in Commonwealth v. McCarthy (2020) that sufficiently dense ALPR surveillance may constitute a search requiring a warrant.[45]
- United States v. Jones (2012):[46] Long-term GPS tracking of a vehicle (28 days) constitutes a Fourth Amendment search.
- Facial recognition and ALPR litigation: Multiple cities have settled wrongful-arrest cases based on FRT. The Institute for Justice is actively litigating the constitutional status of mass ALPR surveillance in multiple federal circuits, including the Fourth and Ninth.[47]
Section 5: Political Landscape — A Genuinely Bipartisan Issue
Cross-Partisan Support Base
- Libertarian conservatives — government surveillance, Fourth Amendment, limited government
- Progressive Democrats — disparate racial impact of facial recognition, immigration surveillance, tracking of reproductive healthcare
- Community Republicans — suburban residents who discover their tax dollars fund a private company tracking their movements without their knowledge
- Law-and-order conservatives — who want bad actors in law enforcement held accountable, and who recognize that vendor security failures could invalidate criminal prosecutions
- National security conservatives — alarmed that Chinese state-sponsored hackers have already compromised ALPR-adjacent infrastructure and that 90,000+ surveillance cameras run unsupported software exploitable by foreign adversaries
- Domestic violence advocates — documented cases of officers using ALPR to stalk former partners
- Civil rights organizations — facial recognition’s documented 10–100x higher error rates for people of color
- The Institute for Justice (conservative legal organization) — actively litigating ALPR constitutional challenges nationally
- U.S. Senators and Members of Congress, bipartisan — formally requested an FTC investigation based on documented security findings[1]
National and State Momentum
At least 30 municipalities have terminated or suspended ALPR contracts since early 2025, with more doing so as reporting on federal immigration access has grown.[48] At least a dozen states have enacted some form of facial recognition or biometric privacy law, including Illinois (BIPA),[49] Massachusetts (requiring a court order for police FRT searches),[50] and Montana and Utah. Oregon restricts FRT use in conjunction with police body cameras. Washington State enacted comprehensive ALPR privacy legislation in 2026, including a 21-day maximum data retention requirement and a warrant requirement before law enforcement can obtain data from private vendors.[51] New Hampshire requires ALPR data deletion within 3 minutes if no warrant hit — though that law is scheduled for repeal in 2027, illustrating how hard-won protections require maintenance.[52] More than a dozen states are considering bills in 2025–2026 legislative sessions. Georgia has an opportunity to lead the Southeast — or to wait until a wrongful arrest or security breach in Georgia makes legislation reactive rather than proactive.
Georgia-Specific Context
Georgia communities are already part of the national camera network. Smart streetlights with surveillance cameras are deployed in multiple Georgia municipalities. Georgia has no ALPR privacy law, no facial recognition restriction, and no automated surveillance accountability statute of any kind. The field is clear for Georgia to establish a leadership position on this issue.
Section 6: What Legislation Must Do — Seven Essential Elements
The following seven elements address the full spectrum of documented risks across all categories of automated surveillance technology. None of them ban cameras. None of them prevent law enforcement from using surveillance evidence in active criminal investigations. They establish the minimum accountability framework that responsible governance requires before deploying any automated surveillance system on public infrastructure.
Section 7: Key Drafting Principles
- Vendor-neutral, technology-neutral language. The bill must cover all Automated Surveillance Systems — ALPR, facial recognition, AI tracking cameras, integrated networks, and data fusion products — rather than any specific vendor or technology. This makes the bill durable as technology evolves, harder to attack as targeting a specific company, and applicable to successor technologies before they are widely deployed.
- This bill does not ban cameras. Every public statement and every provision should make clear: cameras are permitted, law enforcement retains access to surveillance evidence in active investigations, and the bill establishes security and accountability standards — not prohibition.
- Local governments may go further. A savings clause allowing stricter local standards preserves gains already made by communities that have acted, and avoids pre-empting more aggressive local measures that may be appropriate in dense urban environments with heavier surveillance infrastructure.
Section 8: Why Georgia — Why Now
Every year without legislation is a year in which more cameras are deployed, more biometric data is collected, more vendor contracts lock communities into proprietary systems they cannot audit, and more lobbying capital is deployed to prevent the accountability standards that would protect Georgians. The arguments for acting now are straightforward:
- The leading ALPR vendor is headquartered in Atlanta — Georgia has a direct and legitimate interest in regulating a company collecting data on Georgia residents and lobbying Georgia lawmakers with Georgia tax dollars.
- Georgia communities are already in the national surveillance network — this is not a hypothetical future problem.
- Dunwoody, GA has already had a public hearing with documented security testimony — there is an in-state political record and an identifiable constituency to build on.
- No Georgia statute addresses ALPR, facial recognition, or automated surveillance — Georgia is at a regulatory baseline of zero in an era when peer states have already acted.
- Courts are moving toward constitutional limits on this technology; Georgia legislation now establishes a protective framework rather than waiting for the Court to draw the line after a Georgia community has already been harmed.
- The national momentum of at least 30 contract terminations demonstrates that public opinion is ahead of legislative action — this is a leading issue, not a trailing one.
“You can’t open a hair salon without a license. You can’t keep a McDonald’s open without a health inspection. You can’t legally drive past a surveillance camera without a driver’s license and an inspected vehicle. But a company valued at over $8 billion can deploy nearly 90,000 surveillance cameras on public roads — running discontinued software, with no passwords, accessible to foreign hackers — and face no regulatory requirement whatsoever. That is what this legislation fixes.”
Notes & Citations
- ↑[1]Wyden & Krishnamoorthi, Letter to FTC Chair Andrew Ferguson (Nov. 3, 2025). https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_ftc_on_flockpdf.pdf
- ↑[2]GainSec white paper (v1.2, Nov. 2025): "Formalizing My Flock Safety Security Research." See also NVD and OpenCVE listings. https://gainsec.com/2025/11/05/formalizing-my-flock-safety-security-research/
- ↑[3]ACLU, Williams v. City of Detroit — Face Recognition False Arrest. Michigan Public / NPR (June 2024 settlement). https://www.aclu.org/cases/williams-v-city-of-detroit-face-recognition-false-arrest
- ↑[4]ACLU-NJ, "How Face Recognition Technology Landed One Innocent Man in New Jersey Jail for Ten Days." CNN coverage. https://www.aclu-nj.org/news/how-face-recognition-technology-landed-one-innocent-man-new-jersey-jail-ten-days/
- ↑[5]Wisconsin Examiner (Feb. 2026); Urban Milwaukee (Mar. 2026); ACLU Wisconsin. Institute for Justice — 14 documented national cases of ALPR misuse for personal surveillance. https://wisconsinexaminer.com/2026/02/26/milwaukee-officer-accused-of-misusing-flock-surveillance-cameras/
- ↑[6]Urban Milwaukee: "Milwaukee Cop Used Flock Cameras to Track Romantic Partner" (Feb. 2026). Wisconsin Examiner; TMJ4 News; FOX6 Milwaukee. https://urbanmilwaukee.com/2026/02/25/milwaukee-cop-used-flock-cameras-to-track-romantic-partner/
- ↑[7]404 Media: "A Texas Cop Searched License Plate Cameras Nationwide for a Woman Who Got an Abortion" (May 2025). EFF (original, May 2025, and follow-up with court records, Oct. 2025). https://www.404media.co/a-texas-cop-searched-license-plate-cameras-nationwide-for-a-woman-who-got-an-abortion/
- ↑[8]NBC News: "Flock police cameras scan billions per month, sparking protests" (2025). Confirmed by Flock Safety's own public statements. https://www.nbcnews.com/tech/tech-news/flock-police-cameras-scan-billions-month-sparking-protests-rcna230037
- ↑[9]ACLU of Massachusetts Data for Justice Project (July 2025): estimated nearly 90,000 cameras nationwide. NBC News coverage of same reporting. https://www.nbcnews.com/tech/tech-news/flock-police-cameras-scan-billions-month-sparking-protests-rcna230037
- ↑[10]EFF: "She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down" (May 2025). Camera count from court records in the Johnson County, TX case. https://www.eff.org/deeplinks/2025/05/she-got-abortion-so-texas-cop-used-83000-cameras-track-her-down
- ↑[11]Flock Safety Terms and Conditions. North Royalton, OH 2022 contract exhibit. ACLU: "Municipalities: Beware of Changes in Flock's Legal Terms." https://www.flocksafety.com/legal/terms-and-conditions
- ↑[12]Flock Safety product page (Condor PTZ camera). 404 Media: "Flock Exposed Its AI-Powered Cameras to the Internet" (Dec. 2025). Police1 product launch coverage. https://www.flocksafety.com/products/video-cameras
- ↑[13]GainSec: "Bird Hunting Season — Finding 67 Live Camera Feeds Accidentally Exposed by Flock Safety" (Jan. 2026). Also: 404 Media, "Flock Exposed Its AI-Powered Cameras to the Internet" (Dec. 2025). https://gainsec.com/2026/01/09/bird-hunting-season-finding-67-live-camera-feeds-and-debug-web-interfaces-accidentally-exposed-by-flock-safety/
- ↑[14]Benn Jordan (YouTube), "This Flock Camera Leak is like Netflix For Stalkers" (Dec. 2025). Primary source for the Condor camera observations, the Georgia trail location, the two-minute OSINT identification, and the Section 4 quote. https://www.youtube.com/watch?v=vU1-uiUlHTo
- ↑[15]Walmart Customer Privacy Notice (last updated March 31, 2026). https://corporate.walmart.com/privacy-security/walmart-privacy-notice
- ↑[16]404 Media: "Home Depot and Lowe's Share Data from Hundreds of AI Cameras with Cops" (Aug. 2025). https://www.404media.co/home-depot-and-lowes-share-data-from-hundreds-of-ai-cameras-with-cops/
- ↑[17]404 Media: "ICE Taps Into Nationwide AI-Enabled Camera Network." EFF (Texas abortion case). ACLU-IL (ICE/ALPR). Colorado Newsline (Denver, Aug. 2025). https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/
- ↑[18]404 Media: "License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows." 404 Media: "Flock Decides Not to Use Hacked Data in People Search Tool." GovTech coverage. https://www.404media.co/flock-decides-not-to-use-hacked-data-in-people-search-tool/
- ↑[19]The Intercept: "Palantir IRS Contract Data Mining" (Apr. 2026). ACLU: "Palantir and the Deportation Roundup." Campaign Zero: private companies building a police state. https://theintercept.com/2026/04/24/palantir-irs-contract-data/
- ↑[20]GainSec Falcon/Sparrow technical writeup (June 2025): "Grounded Flight — Root Shell on Flock Safety's Falcon/Sparrow ALPR." https://gainsec.com/2025/06/19/grounded-flight-device-2-root-shell-on-flock-safetys-falcon-sparrow-automated-license-plate-reader/
- ↑[21]GainSec: "Button Presses to Shell on Flock Safety License Plate Cameras Over Wi-Fi" (Sept. 2025). Also: 9News, "Researchers claim Flock cameras are easy to hack." https://gainsec.com/2025/09/27/button-presses-to-shell-on-flock-safety-license-plate-cameras-over-wi-fi/
- ↑[22]NVD CVE-2025-59407 (shared hard-coded Wi-Fi credentials). https://nvd.nist.gov/vuln/detail/CVE-2025-59407
- ↑[23]NVD CVE-2025-59409 (CWE-312 Cleartext Storage); GainSec "Trap Shooter" writeup (June 2025). https://nvd.nist.gov/vuln/detail/CVE-2025-59409
- ↑[24]Wyden & Krishnamoorthi, Letter to FTC Chair Andrew Ferguson (Nov. 3, 2025). https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_ftc_on_flockpdf.pdf
- ↑[25]BleepingComputer: "Over 80,000 Exploitable Hikvision Cameras Exposed Online." IPVM: Russian military use in Ukraine. https://www.bleepingcomputer.com/news/security/over-80-000-exploitable-hikvision-cameras-exposed-online/
- ↑[26]Infosecurity Magazine: "Chinese Hackers Use Trusted ArcGIS." Also: The Hacker News, BleepingComputer, CyberScoop, Dark Reading. https://www.infosecurity-magazine.com/news/chinese-hackers-use-trusted-arcgis/
- ↑[27]ACLU: "FBI Has Access to Over 640 Million Photos Through Face Recognition." ACLU: "More Than a Dozen Wrongful Arrests Due to Police Reliance on Facial Recognition." https://www.aclu.org/news/privacy-technology/fbi-has-access-over-640-million-photos-us-through
- ↑[28]NBC News: "Virginia Police Used Flock Cameras to Track Driver." IJ case page (discovery figure of 475). WHRO (2026 district court ruling). https://www.nbcnews.com/tech/security/virginia-police-used-flock-cameras-track-driver-safety-lawsuit-surveil-rcna230399
- ↑[29]ACLU (Williams v. City of Detroit); NPR; Michigan Public (2024 settlement). ACLU-NJ (Parks); CNN. https://www.aclu.org/cases/williams-v-city-of-detroit-face-recognition-false-arrest
- ↑[30]Wisconsin Examiner, data analysis (Aug. 2025); ACLU Wisconsin. https://wisconsinexaminer.com/2025/08/06/analysis-of-flock-use-by-wisconsin-cops-reveals-trends-raises-questions/
- ↑[31]Tech Startups (Apr. 2026, $8.4B valuation). TechCrunch (Mar. 2025, $7.5B). Axios (Apr. 2026, new fundraising discussions). https://techstartups.com/2026/04/17/flock-safety-hits-8-4b-valuation-as-ai-powered-police-tech-sparks-nationwide-protests/
- ↑[32]Evanston RoundTable: "Flock Safety Reinstalls Evanston Cameras" (Sept. 2025); "Flock Removes Final Two License Plate Cameras" (Mar. 2026). Daily Northwestern (cease-and-desist). https://evanstonroundtable.com/2025/09/24/flock-safety-reinstalls-evanston-cameras/
- ↑[33]WFTV News: "Surveillance Cameras Installed Along Lake County Roads Without Permission." https://www.wftv.com/news/local/lake-county/surveillance-cameras-installed-along-lake-county-roads-without-permission-be-removed/LYO3KBZUCFEOZESJ7UXBJ6CVI4/
- ↑[34]Flock Safety Terms and Conditions. NBC News / CNN: Aurora, Colorado $1.9M settlement (Feb. 2024). EFF: "The Human Toll of ALPR Errors" (Nov. 2024). https://www.nbcnews.com/news/us-news/black-family-was-removed-car-gunpoint-handcuffed-aurora-colorado-polic-rcna137444
- ↑[35]ACLU: "FBI Has Access to Over 640 Million Photos Through Face Recognition." Washington Post: "Police Conceal Use of Facial Recognition" (Oct. 2024). https://www.aclu.org/news/privacy-technology/fbi-has-access-over-640-million-photos-us-through
- ↑[36]NIST IR 8280, "Face Recognition Vendor Test (FRVT) Part 3: Demographic Effects" (Dec. 2019). https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8280.pdf
- ↑[37]NBC News: "Black family was removed from car at gunpoint, handcuffed in Aurora" (Feb. 2024). CNN (Feb. 5, 2024) confirmed $1.9M settlement. https://www.nbcnews.com/news/us-news/black-family-was-removed-car-gunpoint-handcuffed-aurora-colorado-polic-rcna137444
- ↑[38]Benn Jordan (YouTube), Dunwoody City Council testimony (early 2026). https://www.youtube.com/watch?v=I_y7OjsI1Zk
- ↑[39]9News (Denver): "9Wants to Know: Flock cameras, crime and the man who can't use his truck." Futurism coverage. https://www.9news.com/article/news/local/rime-flock-cam-pulled-over/73-e3f65018-32a5-4bb0-a4ac-26fb24dc9a15
- ↑[40]404 Media: "Researcher Who Oversaw Flock Surveillance Study Now Has Concerns About It." Techdirt: "Studies Show Flock's ALPRs Reduce Crime So Long As Flock Controls the Inputs and the Methodology" (Apr. 2024). https://www.404media.co/researcher-who-oversaw-flock-surveillance-study-now-has-concerns-about-it/
- ↑[41]Flock Safety blog post (Aug. 2024–Feb. 2025) for the 11% figure. Oaklandside: "Oakland Police End-of-Year Crime Report 2024" (Jan. 2025) for Oakland's own 2024 crime drop. https://oaklandside.org/2025/01/14/oakland-police-end-of-year-crime-report-2024/
- ↑[42]Glavin, Bierman & Schieman, "Private Eyes, They See Your Every Move: Workplace Surveillance and Worker Well-Being," Social Currents 11(4), 327–345 (2024). Büchi, Festic & Latzer, "The Chilling Effects of Digital Dataveillance," Big Data & Society (2022). https://pmc.ncbi.nlm.nih.gov/articles/PMC11300163/
- ↑[43]Benn Jordan (YouTube), "We Hacked Flock Safety Cameras in under 30 Seconds" (Nov. 2025). Primary source for the Today's Friend/Tomorrow's Enemy passage. https://www.youtube.com/watch?v=uB0gr7Fh6lY
- ↑[44]Carpenter v. United States, 585 U.S. ___ (2018), slip op. at 12. https://www.law.cornell.edu/supremecourt/text/16-402
- ↑[45]Commonwealth v. McCarthy, 484 Mass. 493 (2020). Harvard Law Review case note. https://harvardlawreview.org/print/vol-134/commonwealth-v-mccarthy/
- ↑[46]United States v. Jones, 565 U.S. 400 (2012). https://www.law.cornell.edu/supremecourt/text/10-1259
- ↑[47]IJ, Tan v. City of San Jose (N.D. Cal., filed Apr. 2026). IJ, Schmidt v. City of Norfolk (4th Cir. appeal pending). IJ Plate Privacy Project. https://ij.org/case/san-jose-license-plate-readers/
- ↑[48]NPR: "Why some cities are canceling Flock license plate reader contracts" (Feb. 2026). State of Surveillance: "The Flock Rebellion." Fortune: "Cities join Amazon in ending their partnership with Flock" (Mar. 2026). https://www.npr.org/2026/02/17/nx-s1-5612825/flock-contracts-canceled-immigration-survillance-concerns
- ↑[49]Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14. https://law.justia.com/codes/illinois/chapter-740/act-740-ilcs-14/
- ↑[50]Massachusetts G.L. c. 6, §220 (requiring a court order for police facial recognition searches). NPR coverage (May 2021). https://malegislature.gov/Laws/GeneralLaws/PartI/TitleII/Chapter6/Section220
- ↑[51]Washington SB 6002 (Driver Privacy Act), signed by Gov. Bob Ferguson (2026). ACLU-WA press release; Axios Seattle; SB 6002 bill text. https://www.aclu-wa.org/press-releases/gov-ferguson-signs-sb-6002-the-driver-privacy-act-into-law/
- ↑[52]New Hampshire RSA 261:75-b (3-minute ALPR deletion requirement, set to expire Jan. 1, 2027). NCSL ALPR State Statutes. https://law.justia.com/codes/new-hampshire/title-xxi/chapter-261/section-261-75-b/