CRW

Home Wiki

Flock Safety Nova uses dark web data for surveillance

View on consumerrights.wiki ↗

Contents7
  1. Background
  2. Dark web data controversy
  3. Code analysis
  4. Flock Safety's response
  5. Consumer response
  6. Congressional and legal response
  7. References

In May 2025, leaked internal communications revealed that Flock Safety, a $7.5 billion surveillance technology company, planned to incorporate data from known data breaches into its Nova law enforcement platform, allowing police to link license plate scans to personal information obtained from hacked databases.[1] After the leak, Flock told employees at an all-hands meeting that it would not use dark web data, and published a blog post titled "Correcting the Record."[2] A December 2025 analysis of Nova's front-end code found that the platform still defined a "Dark Data" source with fields for Social Security numbers, credit card numbers, and cryptocurrency wallets.[3]

Background

Flock Safety is an automated license plate recognition (ALPR) company founded in 2017 in Atlanta, Georgia.[4] The company manufactures solar-powered cameras that photograph passing vehicles and read their license plates using computer vision, operating in over 5,000 communities across 49 U.S. states as of 2025.[1] In March 2025, Flock raised $275 million at a $7.5 billion valuation led by Andreessen Horowitz.[4]

On February 13, 2025, Flock announced Nova, a data integration platform designed to combine ALPR data with records from computer-aided dispatch (CAD) systems, records management systems (RMS), and open-source intelligence (OSINT) into a single searchable interface for law enforcement.[5] A Flock employee described the tool's capability: "You're going to be able to access data and jump from LPR to person and understand what that context is, link to other people that are related to that person [...] marriage or through gang affiliation, et cetera."[1] Internal communications indicated that Nova supported 20 different data sources that agencies could toggle on or off.[1] Flock said the tool was already being used by some law enforcement agencies in an early access program.[1]

Dark web data controversy

On May 14, 2025, 404 Media published an investigation based on leaked meeting audio, Slack messages, and internal presentations from Flock Safety.[1] The report revealed that Flock employees had raised concerns about Nova incorporating data sourced from known data breaches.

One employee wrote in a Slack message: "I was pretty horrified to hear we use stolen data in our system. In addition to being attained illegally, it seems like that could create really perverse incentives."[2] In meeting audio obtained by 404 Media, an employee described three categories of data that would supplement Flock's ALPR records: data from breaches, commercially available data from credit bureaus, and public records.[1]

The employee specifically cited the Parkmobile data breach as one source Nova would ingest. In March 2021, ParkMobile, a mobile parking payment app, suffered a breach that exposed the personal data of 21 million customers, including email addresses, phone numbers, license plate numbers, dates of birth, and mailing addresses.[6] That breach data appeared on a public hacking forum the following month.[6] ParkMobile later agreed to a $32.8 million class action settlement.[7] The employee explained that Nova would ingest this data so that "we're now able to make that cognitive leap from LPR to person."[1]

The employee also named credit bureaus Equifax and TransUnion as sources of commercially available data, noting that some companies repackage customer information and sell it to law enforcement or data brokers.[1] The third category, public records, included marriage licenses, property records, and campaign finance records. Nova would also pull from law enforcement RMS and CAD systems.[1]

Code analysis

In December 2025, an independent analysis of Nova's front-end code found that the platform still contained an active "Dark Data" data source, contradicting Flock's public statements.[3] The search configuration registered Dark Data with an API endpoint at dark/getExtDarkData, storing results in a darkDocs bucket gated by a hasDarkDataAccess permission flag.[3]

The code exposed a search interface with input fields for Social Security numbers, credit card numbers, cryptocurrency wallet addresses, IP addresses, Discord and Telegram handles, and email addresses.[3] API response columns included "Crawl Date," "Leak Name," "Leak Host," and "Download Location," terminology consistent with data breach aggregation rather than public records databases.[3] Standard phone searches automatically called the Dark Data endpoint when permissions were enabled.[3]

Flock Safety's response

On May 30, 2025, Flock held an all-hands meeting where it told employees that Nova would not include dark web data.[2] An executive stated: "We took this concept of using dark web data in Nova and explored it... Then we ran it through our policy review process."[2] That same day, the company published a blog post titled "Correcting the Record: Flock Nova Will Not Supply Dark Web Data."[8]

Holly Beilin, Flock's Director of Communications, told GovTech: "We explored sourcing dark web data, but decided not to do so." She added that the leaked information "was reported prematurely, during the period when the team was still determining exactly what sources Nova would utilize."[9]

In its blog post, Flock stated that Nova would supply only public records, open-source intelligence, and license plate reader data.[8] Agencies could also connect their own RMS, CAD, and jail system data, as well as data from other agencies that agreed to share.[8] The company described a Policy Evaluation process led by its internal policy team of attorneys and product leaders, covering "legal, ethical, privacy, public opinion, and feasibility considerations."[8] Flock also stated that all actions within Nova are permanently recorded in an audit trail.[8]

Consumer response

Multiple civil liberties organizations criticized the Nova platform after the 404 Media investigation.

Beryl Lipton, Senior Investigative Researcher at the Electric Frontier Foundation (EFF), told 404 Media: "Flock has hundreds of customers, both law enforcement and private residents. This development will certainly help to bring expanded surveillance powers to police departments of all sizes that never needed this much information on any random person who happens to drive by."[1]

Jay Stanley, Senior Policy Analyst at the ACLU's Speech, Privacy, and Technology Project, stated: "[At] this moment in history, of all times, you especially don't want to be building authoritarian spying structures for law enforcement." He added: "People are being literally put behind bars for writing an op-ed," referring to Tufts University doctoral student Rumeysa Ozturk, who was detained by ICE on March 25, 2025, and held for approximately six weeks before a federal judge ordered her release on May 9, 2025, finding that her arrest appeared retaliatory for an op-ed she co-authored in a campus newspaper.[1][10]

Michael Soyfer, an attorney at the Institute for Justice, said: "Backed by billions of dollars in capital, it's working with police departments across the country to build out a massive database of people's movements and locations. All an officer or another government employee needs to do to access that database is type in a search, provide some generic reason, and hit enter." He added: "Flock's constant announcements of new and more invasive features just reinforces the need for a warrant requirement."[1]

Chad Marlow, senior policy counsel at the ACLU, told 404 Media: "It is quite troubling that Flock ALPRs are designed to produce a massive overload of surveillance data by gathering and sharing ALPR data nationwide, and now they are marketing a product to help the police deal with the data overload they created."[1]

The Nova controversy coincided with growing congressional and legal scrutiny of Flock Safety. In November 2025, Senator Ron Wyden and Representative Raja Krishnamoorthi sent a letter to FTC Chair Andrew Ferguson urging an investigation into Flock's cybersecurity practices, citing the company's failure to require multi-factor authentication and the theft of at least 35 Flock customer accounts through infostealer malware.[11] Earlier, in August 2025, Representatives Krishnamoorthi and Robert Garcia had launched a congressional investigation into Flock after reports that its ALPR data was being used for immigration enforcement and to track women crossing state lines for reproductive healthcare.[12]

The EFF and ACLU of Northern California filed a lawsuit challenging the San Jose Police Department's use of Flock cameras, documenting 3,965,519 warrantless searches of the Flock database between June 2024 and June 2025.[12][13] In February 2026, Gibbs Mura filed a class action lawsuit in San Francisco Superior Court alleging that Flock illegally shared California license plate data with federal and out-of-state agencies more than 1.6 million times, violating California's ALPR Privacy Act.[14]

In October 2025, Amazon's Ring announced a partnership with Flock Safety that would allow Ring doorbell camera owners to share footage with law enforcement agencies using Flock's platforms through Ring's Community Requests program. The partnership was cancelled in February 2026 after public backlash.[15]

References

  1. 1.00 1.01 1.02 1.03 1.04 1.05 1.06 1.07 1.08 1.09 1.10 1.11 1.12 1.13 Joseph Cox (2025-05-14). "License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows". 404 Media. Archived from the original on 2025-05-14. Retrieved 2026-03-26.
  2. 2.0 2.1 2.2 2.3 Joseph Cox; Jason Koebler (2025-05-30). "Flock Decides Not to Use Hacked Data in People Search Tool". 404 Media. Retrieved 2026-03-26.
  3. 3.0 3.1 3.2 3.3 3.4 3.5 Joshua (2025-12-11). "License Plate Reader Company Flock Said It Does Not Use Dark Web Data. My Analysis of Their Code Tells a Different Story". NexaNet. Retrieved 2026-03-26.
  4. 4.0 4.1 "Accelerating Innovation: Flock Secures $275 Million to Advance Crime-Solving Technology". Flock Safety. 2025-03-13. Archived from the original on 18 April 2026. Retrieved 2026-03-26.
  5. "Flock Safety Reveals the Most Expansive AI and Data Analysis Toolset for Law Enforcement, Including Flock Nova". GlobeNewsWire. 2025-02-13. Retrieved 2026-03-26.
  6. 6.0 6.1 Brian Krebs (2021-04-12). "ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users". Krebs on Security. Retrieved 2026-03-26.
  7. "ParkMobile pays... $1 each for 2021 data breach that hit 22 million". BleepingComputer. 2025-10-05. Retrieved 2026-03-26.
  8. 8.0 8.1 8.2 8.3 8.4 "Correcting the Record: Flock Nova Will Not Supply Dark Web Data". Flock Safety. 2025-05-30. Archived from the original on 2026-03-18. Retrieved 2026-03-26.
  9. Thad Rueter (2025-05-30). "Flock Safety Pushes Back on Data Breach Product Criticism". GovTech. Archived from the original on 2026-02-27. Retrieved 2026-03-26.
  10. "Tufts graduate student Rumeysa Ozturk released from immigration detention". NPR. 2025-05-09. Retrieved 2026-03-26.
  11. "Congressman Krishnamoorthi, Senator Wyden Urge FTC to Investigate Surveillance Tech Companies". Office of U.S. Representative Raja Krishnamoorthi. 2025-11-03. Retrieved 2026-03-26.
  12. 12.0 12.1 "EFF's Investigations Expose Flock Safety's Surveillance Abuses: 2025 in Review". Electronic Frontier Foundation. 2025-12-31. Retrieved 2026-03-26.
  13. "Lawsuit Challenges San Jose's Warrantless ALPR Mass Surveillance". Electronic Frontier Foundation. 2025-11-18. Retrieved 2026-03-26.
  14. "Flock Safety License Plate Reader Cameras Lawsuit". Gibbs Mura, A Law Group. Retrieved 2026-03-26.
  15. "Amazon's Ring cancels Flock partnership amid Super Bowl ad backlash". CNBC. 2026-02-12. Retrieved 2026-03-26.
Filed under