Policy Brief · Georgia General Assembly · 2027 Session

Unregulated Surveillance in Georgia

Automated Surveillance Technology, Facial Recognition, and the Case for Accountability Legislation

90,000+

ALPR cameras across 49 states

20 Billion

vehicle scans per month by the leading vendor

51

MITRE-verified security vulnerabilities

30+

municipalities terminated ALPR contracts since 2025

Executive Summary

Georgia has no law governing the deployment, security, or use of automated surveillance technology by government agencies or private actors who share data with government. A sprawling ecosystem of automated license plate readers (ALPR), AI-enhanced tracking cameras, facial recognition systems, gunshot-detection networks, and private retail surveillance platforms is being deployed on Georgia’s public roads, in its commercial spaces, and in its residential communities.

The data these systems collect is aggregated, bought, sold, and shared with law enforcement — in some cases with federal agencies — without a warrant, without meaningful notice to the public, and without basic cybersecurity standards. Independent researchers have documented dozens of critical security vulnerabilities.[1][2] Facial recognition systems have produced wrongful arrests in multiple states.[3][4] Officers have used these systems to stalk domestic partners and track reproductive healthcare.[5][6][7]

The vendor infrastructure behind these systems is owned by private companies, not Georgia communities — and those companies’ financial interests run directly counter to protecting the privacy of ordinary Georgians. This brief makes the case for comprehensive automated surveillance accountability legislation and identifies the seven core elements any effective law must address.

Section 1: The Automated Surveillance Ecosystem

The following categories of technology are currently deployed in Georgia and across the country — often with no specific statutory authorization and no public accountability framework.

1A. Automated License Plate Readers (ALPR)

Solar-powered cameras mounted on public roads photograph every passing vehicle, recording the license plate, make, model, color, bumper stickers, dents, and GPS timestamp. Data is uploaded in real time to a centralized cloud database accessible by thousands of law enforcement agencies nationwide — with no warrant required. The leading vendor (Flock Safety, headquartered in Atlanta) processes over 20 billion scans per month[8] across an estimated 90,000+ cameras in 49 states.[9] A single query can simultaneously search across tens of thousands of cameras.[10] Communities do not own the cameras or the data — they lease access from a private company.[11]

1B. AI-Enhanced Tracking Cameras (Person-Following Technology)

The newest generation of surveillance cameras — including the Flock ‘Condor’ model — are pan-tilt-zoom (PTZ) cameras that use AI to automatically identify, zoom in on, and follow individual people as they move through a space. Unlike ALPR cameras, which are triggered by vehicles, these cameras track pedestrians and individuals continuously.[12] Researchers discovered 67 publicly accessible Condor camera feeds streaming live and archived video of every person who passed — including a trail in the Peachtree Creek Greenway in Brookhaven, Georgia, and a children’s playground near the Bay Area in California — with no password required.[13]

The AI on these cameras was observed automatically zooming in on a man watching rollerblading videos on his phone on a Georgia trail, a couple arguing at a street market in Atlanta, and a person having a mental health crisis.[14] Using commercially available facial recognition software, a researcher cross-referenced individuals identified from unsecured camera feeds against open-source information — within two minutes locating personal, financial, and health information about people who had no idea they were being recorded or identified.[14] Critically, residents and passersby have no notice these cameras exist, no knowledge they are being followed, and no recourse.

1C. Facial Recognition Technology (FRT)

Facial recognition technology analyzes faces captured by surveillance cameras and attempts to match them against databases of known individuals — driver’s license photos, mugshot databases, social media images, and commercial photo databases. Law enforcement agencies across the country use FRT to generate investigative leads, and its use is expanding rapidly with no specific statutory framework in most states, including Georgia. Vendors and some law enforcement agencies are pushing toward real-time facial recognition integrated with ALPR cameras and AI tracking cameras — a system capable of tracking named individuals continuously as they move through public spaces, without any individual ever being suspected of a crime. The documented real-world consequences of deploying this technology without accountability are addressed in Section 3.

1D. Integrated Private-Sector Surveillance Networks

Government agencies are not the only source of surveillance data. Major retailers — Walmart, Home Depot, Lowe’s, and others — have deployed ALPR cameras and AI surveillance systems at their locations and share that data with law enforcement through legally compelled disclosures and voluntary cooperation agreements. This creates a parallel surveillance infrastructure funded by private companies but functionally serving as an extension of government surveillance, without any of the legal constraints that apply to government-operated systems.

  • Walmart’s Customer Privacy Notice documents collection of: name, phone, address, email, device identifiers (phone/smartwatch MAC addresses), age, gender, race, household income, family health information, credit card numbers, geolocation history, photographs, audio and video recordings, shopping behavior patterns, and inferences drawn from those patterns about intelligence and aptitudes.[15] This data is shared with law enforcement through legal process.
  • Home Depot and Lowe’s use ALPR cameras at their locations and have been documented sharing camera data with law enforcement.[16] Law enforcement agreements give agencies with immigration enforcement authority — including federal immigration agencies — access to this same retail camera data.[17]
  • Programs like Phoenix PD’s “Virtual Block Watch” and real-time integration platforms like Fusus allow police departments to incorporate feeds from private business cameras — stores, restaurants, gas stations — into unified monitoring grids, effectively extending surveillance coverage without directly purchasing the cameras.

1E. Data Fusion: When Everything Is Combined

The most significant and least-discussed risk is data fusion — the aggregation of multiple surveillance and data streams into a single profile on an individual. New AI-powered products, such as Flock Nova, were designed to combine ALPR data, computer-aided dispatch records, criminal history databases, and video surveillance — and, until journalists exposed the practice, incorporated data purchased from large-scale data breaches.[18] Flock markets Nova as enabling investigators to link individuals through relationships or associations with a single search.

Palantir, a major government data analytics contractor, aggregates surveillance data — and, for agencies that have purchased access, commercial data broker records — into comprehensive individual profiles for law enforcement clients.[19]When ALPR history is merged with retail purchase data, facial recognition matches, phone location history, and brokered data, the result approaches a comprehensive government surveillance profile: detailed records on any individual, retrievable in seconds. This is a product being actively marketed to Georgia’s law enforcement agencies today.

“These cameras are not just reading license plates. They are AI-enhanced, person-tracking, data-fusing surveillance systems — and the data they collect is being combined with your retail shopping history, your medical information, and stolen data from hacked databases.”

Security researcher Benn Jordan, Dunwoody, GA City Council testimony, 2025

Section 2: The Three Threat Vectors

Every automated surveillance system — regardless of type — faces the same three threat vectors. Each is documented, each is distinct, and each requires its own legislative remedy.

Threat Vector A: Hackers and Foreign Adversaries

Independent cybersecurity researchers have documented a pattern of catastrophic security failures across the ALPR and surveillance camera industry. These findings were verified by MITRE (the DHS-affiliated cybersecurity threat management body) and cited in a formal Congressional letter to the FTC.[1] The documented vulnerabilities are not minor — they allow an attacker to take complete control of deployed government surveillance infrastructure.

  • 51 MITRE-verified vulnerabilities in the leading ALPR vendor’s ecosystem; most rated High or Critical. Some remain unpatched.[2]
  • Discontinued operating systems — cameras in the field run Android Things 8.1, discontinued in 2021, with hundreds of published, unpatched vulnerabilities and no security updates.[20]
  • No password required on 67 camera feeds — researchers found live and archived footage from 67 cameras publicly accessible via Shodan, a specialized IoT search engine, requiring no technical skill to access. One Georgia walking trail was among the exposed feeds. A children’s playground near the Bay Area in California was broadcasting publicly.[13]
  • 30-second physical exploit — pressing a button sequence on any deployed camera grants full root control: view, modify, or delete footage; install malware; harvest Wi-Fi credentials; or convert the camera into a botnet node. A $5 USB device achieves the same result.[21]
  • Identical hard-coded credentials — the same Wi-Fi password is used across all deployed cameras in the country. Discover it once; access any camera anywhere.[22]
  • Unencrypted data in transit — credentials and camera data were captured in plain text by researchers intercepting network traffic.[23]
  • No multi-factor authentication required — some agencies access sensitive law enforcement surveillance databases with only a username and password — a lower standard than a Gmail account.[24]
  • Competing vendor precedent — Hikvision (world’s largest camera company) had 80,000 cameras compromised in 2022; Russian military used Hikvision cameras in Ukraine to plan airstrikes. A working exploit remains publicly available today.[25]
  • Chinese state-sponsored intrusion — a Chinese hacking group (Flax Typhoon) has compromised ArcGIS, the geospatial platform used by the leading ALPR vendor, potentially exposing officer names, phone numbers, patrol areas, and hot-list data.[26]
  • Facial recognition databases — the large biometric databases used by FRT vendors represent high-value targets for foreign intelligence services; a breach would expose the faces and identities of millions of Americans enrolled without their knowledge.[27]

Threat Vector B: Rogue and Unsupervised Insiders

Insider misuse of surveillance systems is not theoretical — it is a consistent, documented pattern across every category of surveillance technology.

  • At least three Wisconsin officers faced criminal charges for misusing surveillance systems to stalk romantic partners within a twelve-month period — part of at least 14 documented cases of ALPR misuse for personal surveillance nationally.[5]
  • A Milwaukee officer ran two victims’ plates collectively 179 times over two months — discovered not by the department, but by one of the victims through a third-party website. Reason code entered: “investigation.”[6]
  • A Johnson County, Texas sergeant searched across tens of thousands of ALPR cameras nationwide for a woman who obtained an abortion in another state where the procedure was legal. No warrant.[7]
  • Court filings alleged a Norfolk, Virginia resident’s vehicle was captured more than 475 times over four months with no documented criminal suspicion.[28]
  • Facial recognition misidentification arrests — wrongful arrests of Robert Williams (Detroit), Nijeer Parks (New Jersey), and others based solely on FRT matches, with no independent verification before arrest.[29]
  • Reason code fraud — “investigation” is the single most common reason code entered for ALPR searches in audited Wisconsin agencies, providing no accountability. Officers routinely enter blank fields or random strings.[30]
  • Political and reproductive surveillance — documented cases of surveillance systems being used to track abortion-seekers, immigration status, and individuals at political events. The same infrastructure is available for any purpose to anyone with a badge and a password.[17]

Every agency with a documented misuse case had internal policies in place. Internal policies alone have not worked. Mandatory audit logging with specific reason codes, automatic access suspension on unauthorized queries, and meaningful criminal penalties are the only effective deterrents at scale.

Threat Vector C: The Vendors — Private Companies With Your Public Data

The least intuitive but most structurally important risk is the vendor itself. Georgia’s communities do not own the surveillance infrastructure their tax dollars fund.

  • Government agencies lease, not own — under standard contracts, the agency cannot repair, modify, or remove the cameras it pays for. The vendor retains all hardware and data infrastructure rights. One contract explicitly tells police to call 911 instead of relying on the vendor in an emergency.[11]
  • ~$8.4 billion valuation as of April 2026, reportedly eyeing a potential public offering — the leading ALPR vendor’s financial incentive is maximum data collection and retention, not minimum. The more data it holds, the more valuable the company.[31]
  • Hacked data incorporated into AI product — the vendor’s “Flock Nova” AI was found to incorporate data purchased from large-scale security breaches. The vendor abandoned the feature only after journalists published the finding.[18]
  • Cameras reinstalled without authorization — Evanston, IL terminated its Flock contract and ordered camera removal after the Illinois Secretary of State revealed that CBP had accessed Illinois camera data without authorization, in violation of state law. The vendor reinstalled all of the cameras — without the city’s permission.[32]
  • Vendor installed cameras without required permits — nearly 100 cameras were installed on Lake County, FL public roads without obtaining the required county permits.[33]
  • No accountability for errors — the vendor’s liability clauses protect it against virtually all claims arising from errors, including false-positive identifications that lead to innocent people being held at gunpoint. Taxpayers pay settlements; vendors do not.[34]
  • Facial recognition vendors face the same structural problem: the databases they maintain — containing the biometric data of millions — are privately owned assets held under commercial contract, not public records subject to oversight or audit.[35]

Section 3: Documented Real-World Harms

Facial recognition technology carries two systemic documented problems that frame all of the case studies below. First, the National Institute of Standards and Technology (NIST) has found that many facial recognition algorithms produce false positive rates 10 to 100 times higher for darker-skinned individuals, women, and elderly people compared to lighter-skinned men — concentrating wrongful-arrest risk on communities already subject to over-policing.[36] Second, in most jurisdictions, including Georgia, law enforcement officers can run a facial recognition search without a warrant, judicial oversight, or probable cause, even when the result of a positive match may be an arrest. Each of the following harms flows directly from deploying this technology without those guardrails — and each is documented in court records, news investigations, security research, or public official statements.

Aurora, Colorado — family held at gunpoint

Brittney Gilliam and her family, including children, were pulled from their vehicle at gunpoint in a thrift store parking lot because an ALPR camera misread a motorcycle license plate from another state. Children were handcuffed and laid on the ground. The city settled the case in February 2024 for $1.9 million, funded by taxpayers. The vendor’s contract protected it from any liability.[34][37]

Detroit, Michigan — wrongful arrest by facial recognition

Robert Williams was arrested in front of his family based solely on a facial recognition match. The match was wrong. He was held for thirty hours. No officer had independently verified the identification.[3] Detroit settled the case in 2024, agreeing to require independent corroborating evidence before any facial-recognition-based arrest — the first such settlement in the country.

New Jersey — facial recognition error, 10 days in jail

Nijeer Parks spent 10 days in jail and paid $5,000 in legal costs to clear himself after a facial recognition false match. He had been accused of shoplifting and assault. The technology had identified the wrong person.[4]

Georgia walking trail and Atlanta street market — footage exposed

The Peachtree Creek Greenway walking trail in Brookhaven, Georgia was among 67 locations where unsecured Flock Condor cameras broadcast live and archived footage publicly on the internet with no password.[13][14] A researcher viewed the footage and, using commercially available facial recognition software, identified individuals at an Atlanta street market — cross-referencing open-source records to locate personal, health, and financial information about people who had no idea they were being recorded or identified, within two minutes.[14]

Dunwoody, Georgia — city council hearing, documented vulnerabilities in deployed cameras

A security researcher presented 51 documented vulnerabilities (22 CVEs verified by MITRE) to the Dunwoody City Council when it was considering a surveillance contract renewal. He demonstrated the ability to access camera footage without a password from cameras already deployed in the city and offered to conduct a live demonstration. No independent security audit had been performed before the contract was approved.[2][38]

Johnson County, Texas — abortion surveillance

A Johnson County, Texas sergeant ran a search across tens of thousands of ALPR cameras nationwide for a woman who had obtained an abortion in another state where the procedure is legal. No warrant was obtained. Court records show officers considered charging her in a death investigation.[7]

Federal immigration access without local consent — nationwide pattern

Evanston (IL), Denver (CO), Mountain View (CA), Richmond (VA), and Syracuse (NY) all discovered federal immigration agencies had accessed their local ALPR data without authorization — in several cases in violation of state law. Denver police and the mayor’s office assured city council members that no federal immigration agencies had access; more than 1,400 immigration-related queries were later found in the system logs for that period.[17][32]

Colorado — wrongful identification, system with no exit

Kyle Dausman was repeatedly stopped by police — including twice by the same officer — because the ALPR system had incorrectly associated his plate with an outstanding warrant due to a letter/number confusion. After weeks of calls to multiple agencies, no one could remove him from the system: “I’m in the system now and there’s really no easy way to get out once you’re in it.”[39]

Vendor efficacy claims not independently verified

The vendor’s claim to solve 10% of all U.S. crime cites a study written by its own employees.[40] In Oakland, CA, a claimed 11% clearance improvement omitted that Oakland’s own violent crime fell 19% in the same period — meaning the cameras may have had little independent effect.[41] Flock’s efficacy studies are company-sponsored and subject to serious methodological questions documented by independent journalists.

Section 4: The Broader Case — Beyond Public Safety Statistics

The Chilling Effect on Civil Life

Surveillance research consistently documents a chilling effect: awareness of surveillance causes people to self-censor, avoid political meetings, decline to seek medical care, or refrain from other constitutionally protected activities.[42] Proponents argue surveillance deters crime. What they do not discuss is what else it deters: practicing an instrument in a park, attending a religious service or a political meeting, seeking medical care, exploring an identity.

As security researcher and YouTuber Benn Jordan described after watching unsecured footage of a man sitting alone on a playground swing, filmed without his knowledge on an exposed Condor camera:[14] “It made me realize exactly why I have such a visceral objection to mass surveillance. It imposes on our right to find our own identities without judgment.” Peer-reviewed research also finds that high surveillance environments decrease well-being, morale, and workplace productivity — with monitored employees reporting mental health harm at nearly twice the rate of unmonitored employees.[42]

The “Today’s Friend, Tomorrow’s Enemy” Problem

The surveillance infrastructure being built today does not serve only the current government. It is available to every future administration, every future police chief, and every future officer who receives a password. The same system that today tracks crime suspects was used to track a woman who obtained an abortion, to stalk domestic partners, and to target individuals at political events.

As security researcher Benn Jordan argued in his public presentation of these findings:[43] “There is no civilian anywhere who is always 100% aligned with their government throughout their entire life. If mass surveillance sounds good to you today, then it probably wouldn’t have sounded good to you five years ago. And I guarantee you that it won’t sound good to you at some point in the future. This isn’t a right versus left thing or a Republican versus Democrat thing or an empathy versus logic thing. It’s an authoritarian versus individual thing.”

The “Exempt Yourself” Problem

Flock Safety markets exemption lists — license plates excluded from logging or flagging — to HOA customers to exempt residents’ vehicles. Whether government agencies use this same feature to exempt politically connected individuals or public officials from the surveillance that applies to all other Georgians is a question that open records requests should urgently address.

The Constitutional Trajectory

Courts are moving toward constitutional limits on automated surveillance, though the Supreme Court has not yet ruled directly on dragnet ALPR or FRT use. Key precedents:

  • Carpenter v. United States (2018):[44] Historical cell-site location data requires a warrant. Chief Justice Roberts: “As with GPS information, the time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’” Courts reviewing ALPR challenges have applied Carpenter’s reasoning to dragnet license plate surveillance — the Massachusetts Supreme Judicial Court held in Commonwealth v. McCarthy (2020) that sufficiently dense ALPR surveillance may constitute a search requiring a warrant.[45]
  • United States v. Jones (2012):[46] Long-term GPS tracking of a vehicle (28 days) constitutes a Fourth Amendment search.
  • Facial recognition and ALPR litigation: Multiple cities have settled wrongful-arrest cases based on FRT. The Institute for Justice is actively litigating the constitutional status of mass ALPR surveillance in multiple federal circuits, including the Fourth and Ninth.[47]

Section 5: Political Landscape — A Genuinely Bipartisan Issue

Cross-Partisan Support Base

  • Libertarian conservatives — government surveillance, Fourth Amendment, limited government
  • Progressive Democrats — disparate racial impact of facial recognition, immigration surveillance, tracking of reproductive healthcare
  • Community Republicans — suburban residents who discover their tax dollars fund a private company tracking their movements without their knowledge
  • Law-and-order conservatives — who want bad actors in law enforcement held accountable, and who recognize that vendor security failures could invalidate criminal prosecutions
  • National security conservatives — alarmed that Chinese state-sponsored hackers have already compromised ALPR-adjacent infrastructure and that 90,000+ surveillance cameras run unsupported software exploitable by foreign adversaries
  • Domestic violence advocates — documented cases of officers using ALPR to stalk former partners
  • Civil rights organizations — facial recognition’s documented 10–100x higher error rates for people of color
  • The Institute for Justice (conservative legal organization) — actively litigating ALPR constitutional challenges nationally
  • U.S. Senators and Members of Congress, bipartisan — formally requested an FTC investigation based on documented security findings[1]

National and State Momentum

At least 30 municipalities have terminated or suspended ALPR contracts since early 2025, with more doing so as reporting on federal immigration access has grown.[48] At least a dozen states have enacted some form of facial recognition or biometric privacy law, including Illinois (BIPA),[49] Massachusetts (requiring a court order for police FRT searches),[50] and Montana and Utah. Oregon restricts FRT use in conjunction with police body cameras. Washington State enacted comprehensive ALPR privacy legislation in 2026, including a 21-day maximum data retention requirement and a warrant requirement before law enforcement can obtain data from private vendors.[51] New Hampshire requires ALPR data deletion within 3 minutes if no warrant hit — though that law is scheduled for repeal in 2027, illustrating how hard-won protections require maintenance.[52] More than a dozen states are considering bills in 2025–2026 legislative sessions. Georgia has an opportunity to lead the Southeast — or to wait until a wrongful arrest or security breach in Georgia makes legislation reactive rather than proactive.

Georgia-Specific Context

Georgia communities are already part of the national camera network. Smart streetlights with surveillance cameras are deployed in multiple Georgia municipalities. Georgia has no ALPR privacy law, no facial recognition restriction, and no automated surveillance accountability statute of any kind. The field is clear for Georgia to establish a leadership position on this issue.

Section 6: What Legislation Must Do — Seven Essential Elements

The following seven elements address the full spectrum of documented risks across all categories of automated surveillance technology. None of them ban cameras. None of them prevent law enforcement from using surveillance evidence in active criminal investigations. They establish the minimum accountability framework that responsible governance requires before deploying any automated surveillance system on public infrastructure.

1. Vendor-Neutral Cybersecurity Certification. All automated surveillance vendors — ALPR, facial recognition, AI tracking cameras, integrated networks — must obtain and annually renew a state security certificate before selling to any Georgia governmental entity. Certification requires: (a) hardware running only supported operating systems with current security patches; (b) full encryption of all data at rest and in transit; (c) no hard-coded credentials shared across devices; (d) secured physical access ports; (e) multi-factor authentication required for all agency access to surveillance databases; and (f) no exposure of administrative interfaces or video feeds to the public internet without authentication. Any agency contracting with an uncertified vendor violates this Act.
2. Mandatory Independent Penetration Testing — Annual. Before any government contract and annually thereafter, every vendor must commission an independent cybersecurity firm — unaffiliated with the vendor — to conduct comprehensive penetration testing of all hardware, software, cloud infrastructure, biometric databases, and API interfaces. The full report must be submitted to the state and the contracting agency. Critical vulnerabilities must be remediated within 60 days with independent verification. Vendors may not use non-disclosure agreements to suppress public disclosure of unpatched vulnerabilities after 90 days.
3. In-the-Field Device Audits. Vendor certification tests systems in controlled conditions. Cameras in the field can be physically tampered with, software can become outdated after deployment, and network configurations can drift. Every government agency must annually inspect a random sample (at least 10%) of deployed devices to verify that security standards are being maintained in practice. Results must be reported publicly. Facial recognition systems must include accuracy audits across demographic groups — documented accuracy disparities must be disclosed to the public and to the legislature.
4. Mandatory Data Minimization and Deletion. All automated surveillance data must be permanently deleted within 30 days of collection — from all databases, backups, and vendor-held copies. Exceptions apply only for documented, active criminal investigations with written supervisory approval and a defined expiration date. Facial recognition biometric data must be deleted immediately after a negative match result. Vendors may not retain Georgia data on their own systems beyond the applicable period regardless of where those systems are located. Vendors must submit to random audits to ensure compliance.
5. Strict Access Controls, Audit Logging, and Meaningful Reason Codes. Every query of any government surveillance database must be logged with the officer’s unique identifier, a specific reason code drawn from a standardized list (vague catch-alls like “investigation” are prohibited), and a case or incident number. Facial recognition searches require supervisory pre-authorization. Audit logs must be tamper-evident, preserved for three years, and treated as public records. Pattern-of-life tracking requires a warrant. Warrantless use of surveillance data for immigration enforcement, political surveillance, or reproductive healthcare tracking is expressly prohibited.
6. Comprehensive Public Transparency Requirements. Before deploying any automated surveillance system: public hearing with 14-day notice; full contract posted publicly. Annually: public report covering total devices deployed, total queries by reason code, data sharing with other agencies, any federal access, any security incidents, field audit results, and accuracy statistics for any facial recognition system. All vendor contracts are public records; no confidentiality clause may shield security practices, breach history, or data-sharing arrangements from disclosure.
7. Meaningful Penalties — Civil, Criminal, and Administrative. The penalty structure must make compliance cheaper than violation: substantial civil fines per day for unpatched critical vulnerabilities; criminal penalties against anyone who misuses surveillance systems for stalking, harassment, or warrantless political or reproductive surveillance; vendor certification revocation for repeated violations. A private right of action for affected individuals — with mandatory attorney’s fees — so enforcement does not depend solely on government agencies auditing themselves; and enhanced penalties for vendors who contractually limit their own liability while simultaneously lobbying against the accountability standards that would protect the public from their negligence.

Section 7: Key Drafting Principles

  • Vendor-neutral, technology-neutral language. The bill must cover all Automated Surveillance Systems — ALPR, facial recognition, AI tracking cameras, integrated networks, and data fusion products — rather than any specific vendor or technology. This makes the bill durable as technology evolves, harder to attack as targeting a specific company, and applicable to successor technologies before they are widely deployed.
  • This bill does not ban cameras. Every public statement and every provision should make clear: cameras are permitted, law enforcement retains access to surveillance evidence in active investigations, and the bill establishes security and accountability standards — not prohibition.
  • Local governments may go further. A savings clause allowing stricter local standards preserves gains already made by communities that have acted, and avoids pre-empting more aggressive local measures that may be appropriate in dense urban environments with heavier surveillance infrastructure.

Section 8: Why Georgia — Why Now

Every year without legislation is a year in which more cameras are deployed, more biometric data is collected, more vendor contracts lock communities into proprietary systems they cannot audit, and more lobbying capital is deployed to prevent the accountability standards that would protect Georgians. The arguments for acting now are straightforward:

  • The leading ALPR vendor is headquartered in Atlanta — Georgia has a direct and legitimate interest in regulating a company collecting data on Georgia residents and lobbying Georgia lawmakers with Georgia tax dollars.
  • Georgia communities are already in the national surveillance network — this is not a hypothetical future problem.
  • Dunwoody, GA has already had a public hearing with documented security testimony — there is an in-state political record and an identifiable constituency to build on.
  • No Georgia statute addresses ALPR, facial recognition, or automated surveillance — Georgia is at a regulatory baseline of zero in an era when peer states have already acted.
  • Courts are moving toward constitutional limits on this technology; Georgia legislation now establishes a protective framework rather than waiting for the Court to draw the line after a Georgia community has already been harmed.
  • The national momentum of at least 30 contract terminations demonstrates that public opinion is ahead of legislative action — this is a leading issue, not a trailing one.

“You can’t open a hair salon without a license. You can’t keep a McDonald’s open without a health inspection. You can’t legally drive past a surveillance camera without a driver’s license and an inspected vehicle. But a company valued at over $8 billion can deploy nearly 90,000 surveillance cameras on public roads — running discontinued software, with no passwords, accessible to foreign hackers — and face no regulatory requirement whatsoever. That is what this legislation fixes.”

Synthesized from security researcher Benn Jordan's Congressional-cited research and Dunwoody, GA city council testimony, 2025

Notes & Citations

  1. ↑[1]Wyden & Krishnamoorthi, Letter to FTC Chair Andrew Ferguson (Nov. 3, 2025). https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_ftc_on_flockpdf.pdf
  2. ↑[2]GainSec white paper (v1.2, Nov. 2025): "Formalizing My Flock Safety Security Research." See also NVD and OpenCVE listings. https://gainsec.com/2025/11/05/formalizing-my-flock-safety-security-research/
  3. ↑[3]ACLU, Williams v. City of Detroit — Face Recognition False Arrest. Michigan Public / NPR (June 2024 settlement). https://www.aclu.org/cases/williams-v-city-of-detroit-face-recognition-false-arrest
  4. ↑[4]ACLU-NJ, "How Face Recognition Technology Landed One Innocent Man in New Jersey Jail for Ten Days." CNN coverage. https://www.aclu-nj.org/news/how-face-recognition-technology-landed-one-innocent-man-new-jersey-jail-ten-days/
  5. ↑[5]Wisconsin Examiner (Feb. 2026); Urban Milwaukee (Mar. 2026); ACLU Wisconsin. Institute for Justice — 14 documented national cases of ALPR misuse for personal surveillance. https://wisconsinexaminer.com/2026/02/26/milwaukee-officer-accused-of-misusing-flock-surveillance-cameras/
  6. ↑[6]Urban Milwaukee: "Milwaukee Cop Used Flock Cameras to Track Romantic Partner" (Feb. 2026). Wisconsin Examiner; TMJ4 News; FOX6 Milwaukee. https://urbanmilwaukee.com/2026/02/25/milwaukee-cop-used-flock-cameras-to-track-romantic-partner/
  7. ↑[7]404 Media: "A Texas Cop Searched License Plate Cameras Nationwide for a Woman Who Got an Abortion" (May 2025). EFF (original, May 2025, and follow-up with court records, Oct. 2025). https://www.404media.co/a-texas-cop-searched-license-plate-cameras-nationwide-for-a-woman-who-got-an-abortion/
  8. ↑[8]NBC News: "Flock police cameras scan billions per month, sparking protests" (2025). Confirmed by Flock Safety's own public statements. https://www.nbcnews.com/tech/tech-news/flock-police-cameras-scan-billions-month-sparking-protests-rcna230037
  9. ↑[9]ACLU of Massachusetts Data for Justice Project (July 2025): estimated nearly 90,000 cameras nationwide. NBC News coverage of same reporting. https://www.nbcnews.com/tech/tech-news/flock-police-cameras-scan-billions-month-sparking-protests-rcna230037
  10. ↑[10]EFF: "She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down" (May 2025). Camera count from court records in the Johnson County, TX case. https://www.eff.org/deeplinks/2025/05/she-got-abortion-so-texas-cop-used-83000-cameras-track-her-down
  11. ↑[11]Flock Safety Terms and Conditions. North Royalton, OH 2022 contract exhibit. ACLU: "Municipalities: Beware of Changes in Flock's Legal Terms." https://www.flocksafety.com/legal/terms-and-conditions
  12. ↑[12]Flock Safety product page (Condor PTZ camera). 404 Media: "Flock Exposed Its AI-Powered Cameras to the Internet" (Dec. 2025). Police1 product launch coverage. https://www.flocksafety.com/products/video-cameras
  13. ↑[13]GainSec: "Bird Hunting Season — Finding 67 Live Camera Feeds Accidentally Exposed by Flock Safety" (Jan. 2026). Also: 404 Media, "Flock Exposed Its AI-Powered Cameras to the Internet" (Dec. 2025). https://gainsec.com/2026/01/09/bird-hunting-season-finding-67-live-camera-feeds-and-debug-web-interfaces-accidentally-exposed-by-flock-safety/
  14. ↑[14]Benn Jordan (YouTube), "This Flock Camera Leak is like Netflix For Stalkers" (Dec. 2025). Primary source for the Condor camera observations, the Georgia trail location, the two-minute OSINT identification, and the Section 4 quote. https://www.youtube.com/watch?v=vU1-uiUlHTo
  15. ↑[15]Walmart Customer Privacy Notice (last updated March 31, 2026). https://corporate.walmart.com/privacy-security/walmart-privacy-notice
  16. ↑[16]404 Media: "Home Depot and Lowe's Share Data from Hundreds of AI Cameras with Cops" (Aug. 2025). https://www.404media.co/home-depot-and-lowes-share-data-from-hundreds-of-ai-cameras-with-cops/
  17. ↑[17]404 Media: "ICE Taps Into Nationwide AI-Enabled Camera Network." EFF (Texas abortion case). ACLU-IL (ICE/ALPR). Colorado Newsline (Denver, Aug. 2025). https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/
  18. ↑[18]404 Media: "License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows." 404 Media: "Flock Decides Not to Use Hacked Data in People Search Tool." GovTech coverage. https://www.404media.co/flock-decides-not-to-use-hacked-data-in-people-search-tool/
  19. ↑[19]The Intercept: "Palantir IRS Contract Data Mining" (Apr. 2026). ACLU: "Palantir and the Deportation Roundup." Campaign Zero: private companies building a police state. https://theintercept.com/2026/04/24/palantir-irs-contract-data/
  20. ↑[20]GainSec Falcon/Sparrow technical writeup (June 2025): "Grounded Flight — Root Shell on Flock Safety's Falcon/Sparrow ALPR." https://gainsec.com/2025/06/19/grounded-flight-device-2-root-shell-on-flock-safetys-falcon-sparrow-automated-license-plate-reader/
  21. ↑[21]GainSec: "Button Presses to Shell on Flock Safety License Plate Cameras Over Wi-Fi" (Sept. 2025). Also: 9News, "Researchers claim Flock cameras are easy to hack." https://gainsec.com/2025/09/27/button-presses-to-shell-on-flock-safety-license-plate-cameras-over-wi-fi/
  22. ↑[22]NVD CVE-2025-59407 (shared hard-coded Wi-Fi credentials). https://nvd.nist.gov/vuln/detail/CVE-2025-59407
  23. ↑[23]NVD CVE-2025-59409 (CWE-312 Cleartext Storage); GainSec "Trap Shooter" writeup (June 2025). https://nvd.nist.gov/vuln/detail/CVE-2025-59409
  24. ↑[24]Wyden & Krishnamoorthi, Letter to FTC Chair Andrew Ferguson (Nov. 3, 2025). https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_ftc_on_flockpdf.pdf
  25. ↑[25]BleepingComputer: "Over 80,000 Exploitable Hikvision Cameras Exposed Online." IPVM: Russian military use in Ukraine. https://www.bleepingcomputer.com/news/security/over-80-000-exploitable-hikvision-cameras-exposed-online/
  26. ↑[26]Infosecurity Magazine: "Chinese Hackers Use Trusted ArcGIS." Also: The Hacker News, BleepingComputer, CyberScoop, Dark Reading. https://www.infosecurity-magazine.com/news/chinese-hackers-use-trusted-arcgis/
  27. ↑[27]ACLU: "FBI Has Access to Over 640 Million Photos Through Face Recognition." ACLU: "More Than a Dozen Wrongful Arrests Due to Police Reliance on Facial Recognition." https://www.aclu.org/news/privacy-technology/fbi-has-access-over-640-million-photos-us-through
  28. ↑[28]NBC News: "Virginia Police Used Flock Cameras to Track Driver." IJ case page (discovery figure of 475). WHRO (2026 district court ruling). https://www.nbcnews.com/tech/security/virginia-police-used-flock-cameras-track-driver-safety-lawsuit-surveil-rcna230399
  29. ↑[29]ACLU (Williams v. City of Detroit); NPR; Michigan Public (2024 settlement). ACLU-NJ (Parks); CNN. https://www.aclu.org/cases/williams-v-city-of-detroit-face-recognition-false-arrest
  30. ↑[30]Wisconsin Examiner, data analysis (Aug. 2025); ACLU Wisconsin. https://wisconsinexaminer.com/2025/08/06/analysis-of-flock-use-by-wisconsin-cops-reveals-trends-raises-questions/
  31. ↑[31]Tech Startups (Apr. 2026, $8.4B valuation). TechCrunch (Mar. 2025, $7.5B). Axios (Apr. 2026, new fundraising discussions). https://techstartups.com/2026/04/17/flock-safety-hits-8-4b-valuation-as-ai-powered-police-tech-sparks-nationwide-protests/
  32. ↑[32]Evanston RoundTable: "Flock Safety Reinstalls Evanston Cameras" (Sept. 2025); "Flock Removes Final Two License Plate Cameras" (Mar. 2026). Daily Northwestern (cease-and-desist). https://evanstonroundtable.com/2025/09/24/flock-safety-reinstalls-evanston-cameras/
  33. ↑[33]WFTV News: "Surveillance Cameras Installed Along Lake County Roads Without Permission." https://www.wftv.com/news/local/lake-county/surveillance-cameras-installed-along-lake-county-roads-without-permission-be-removed/LYO3KBZUCFEOZESJ7UXBJ6CVI4/
  34. ↑[34]Flock Safety Terms and Conditions. NBC News / CNN: Aurora, Colorado $1.9M settlement (Feb. 2024). EFF: "The Human Toll of ALPR Errors" (Nov. 2024). https://www.nbcnews.com/news/us-news/black-family-was-removed-car-gunpoint-handcuffed-aurora-colorado-polic-rcna137444
  35. ↑[35]ACLU: "FBI Has Access to Over 640 Million Photos Through Face Recognition." Washington Post: "Police Conceal Use of Facial Recognition" (Oct. 2024). https://www.aclu.org/news/privacy-technology/fbi-has-access-over-640-million-photos-us-through
  36. ↑[36]NIST IR 8280, "Face Recognition Vendor Test (FRVT) Part 3: Demographic Effects" (Dec. 2019). https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8280.pdf
  37. ↑[37]NBC News: "Black family was removed from car at gunpoint, handcuffed in Aurora" (Feb. 2024). CNN (Feb. 5, 2024) confirmed $1.9M settlement. https://www.nbcnews.com/news/us-news/black-family-was-removed-car-gunpoint-handcuffed-aurora-colorado-polic-rcna137444
  38. ↑[38]Benn Jordan (YouTube), Dunwoody City Council testimony (early 2026). https://www.youtube.com/watch?v=I_y7OjsI1Zk
  39. ↑[39]9News (Denver): "9Wants to Know: Flock cameras, crime and the man who can't use his truck." Futurism coverage. https://www.9news.com/article/news/local/rime-flock-cam-pulled-over/73-e3f65018-32a5-4bb0-a4ac-26fb24dc9a15
  40. ↑[40]404 Media: "Researcher Who Oversaw Flock Surveillance Study Now Has Concerns About It." Techdirt: "Studies Show Flock's ALPRs Reduce Crime So Long As Flock Controls the Inputs and the Methodology" (Apr. 2024). https://www.404media.co/researcher-who-oversaw-flock-surveillance-study-now-has-concerns-about-it/
  41. ↑[41]Flock Safety blog post (Aug. 2024–Feb. 2025) for the 11% figure. Oaklandside: "Oakland Police End-of-Year Crime Report 2024" (Jan. 2025) for Oakland's own 2024 crime drop. https://oaklandside.org/2025/01/14/oakland-police-end-of-year-crime-report-2024/
  42. ↑[42]Glavin, Bierman & Schieman, "Private Eyes, They See Your Every Move: Workplace Surveillance and Worker Well-Being," Social Currents 11(4), 327–345 (2024). Büchi, Festic & Latzer, "The Chilling Effects of Digital Dataveillance," Big Data & Society (2022). https://pmc.ncbi.nlm.nih.gov/articles/PMC11300163/
  43. ↑[43]Benn Jordan (YouTube), "We Hacked Flock Safety Cameras in under 30 Seconds" (Nov. 2025). Primary source for the Today's Friend/Tomorrow's Enemy passage. https://www.youtube.com/watch?v=uB0gr7Fh6lY
  44. ↑[44]Carpenter v. United States, 585 U.S. ___ (2018), slip op. at 12. https://www.law.cornell.edu/supremecourt/text/16-402
  45. ↑[45]Commonwealth v. McCarthy, 484 Mass. 493 (2020). Harvard Law Review case note. https://harvardlawreview.org/print/vol-134/commonwealth-v-mccarthy/
  46. ↑[46]United States v. Jones, 565 U.S. 400 (2012). https://www.law.cornell.edu/supremecourt/text/10-1259
  47. ↑[47]IJ, Tan v. City of San Jose (N.D. Cal., filed Apr. 2026). IJ, Schmidt v. City of Norfolk (4th Cir. appeal pending). IJ Plate Privacy Project. https://ij.org/case/san-jose-license-plate-readers/
  48. ↑[48]NPR: "Why some cities are canceling Flock license plate reader contracts" (Feb. 2026). State of Surveillance: "The Flock Rebellion." Fortune: "Cities join Amazon in ending their partnership with Flock" (Mar. 2026). https://www.npr.org/2026/02/17/nx-s1-5612825/flock-contracts-canceled-immigration-survillance-concerns
  49. ↑[49]Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14. https://law.justia.com/codes/illinois/chapter-740/act-740-ilcs-14/
  50. ↑[50]Massachusetts G.L. c. 6, §220 (requiring a court order for police facial recognition searches). NPR coverage (May 2021). https://malegislature.gov/Laws/GeneralLaws/PartI/TitleII/Chapter6/Section220
  51. ↑[51]Washington SB 6002 (Driver Privacy Act), signed by Gov. Bob Ferguson (2026). ACLU-WA press release; Axios Seattle; SB 6002 bill text. https://www.aclu-wa.org/press-releases/gov-ferguson-signs-sb-6002-the-driver-privacy-act-into-law/
  52. ↑[52]New Hampshire RSA 261:75-b (3-minute ALPR deletion requirement, set to expire Jan. 1, 2027). NCSL ALPR State Statutes. https://law.justia.com/codes/new-hampshire/title-xxi/chapter-261/section-261-75-b/