Argues the move from queryable archive to live feed is not an incremental upgrade but a fundamental change in what the system is. A real-time tap functionally creates a national vehicle tracking system operated by a private company on behalf of any federal agency that requests it.
Points out that Flock cameras are sold to towns as local community safety tools, but the backend stitches them into a national lookup system with permissive default sharing. The result is surveillance infrastructure that nobody voted to build, assembled one city council meeting at a time.
Cites a pattern of recent incidents — officers running Flock queries for ICE without warrants, Texas officers searching plates of a woman who had an abortion, and a Kansas deputy stalking an ex — all of which were retrospective. Granting real-time access removes the friction that currently limits these abuses to after-the-fact lookups.
By submitting the Wired piece to Hacker News and driving it to 140 points, signal-boosted the framing that the FBI request is a privacy escalation worth public scrutiny rather than a routine law-enforcement tool upgrade.
Wired's security roundup this week surfaced a quietly significant request: the FBI wants near real-time access to the United States' sprawling network of automated license plate readers (ALPRs). The dominant player here is Flock Safety, whose stationary cameras now blanket more than 5,000 communities and capture an estimated billion-plus vehicle observations per month. Today, federal agents can query that data — but with lag, paperwork, and through local police departments who own the cameras. The new ask collapses that into a live tap.
The shift from "queryable archive" to "live feed" is not a marginal upgrade — it is a categorical change in what the system is. A historical database answers "where was this car last Tuesday?" A real-time feed answers "where is this car right now, and alert me when it moves." That second capability is, functionally, a national vehicle tracking system operated by a private company on behalf of any federal agency that asks nicely.
The request lands in a year already thick with ALPR scandals. 404 Media has documented police officers running Flock searches on behalf of ICE without warrants. Texas officers were caught running plate searches for a woman who'd had an abortion. A sheriff's deputy in Kansas reportedly used the system to stalk an ex. Each of these incidents involved retrospective queries. The FBI's request is for the upgrade that makes preemptive surveillance trivial.
The technical architecture here is worth pausing on, because it explains why the privacy debate keeps losing. Flock cameras are sold to municipalities as community safety infrastructure — solve car thefts, find Amber Alerts, recover stolen tags. Each town owns its cameras. But Flock's backend stitches them into a national lookup system by default, with sharing toggles that lean permissive. The result is a federated surveillance network that nobody voted to build, assembled one city council meeting at a time.
Flock's own transparency report admits the system performed 4.9 billion vehicle searches in 2024 across roughly 5,000 agencies — meaning the average plate captured by their cameras is queried at least once a year, often by agencies thousands of miles from where it was recorded. That number alone should reframe how engineers think about ALPR data: it is not exhaust, it is a queryable graph of where every car in America has been.
The FBI's pitch leans on the usual cases — fugitive recovery, child abduction, counterterrorism. These are real. But the consistent pattern with bulk surveillance tools is mission creep through API access. Once the pipe exists, agencies plug into it for purposes the original consent never covered. The Section 702 FISA program was justified by counterterrorism and ended up being queried for tens of thousands of US persons annually for routine criminal investigations. There is no architectural reason to expect ALPR data to follow a different trajectory.
For practitioners, the comparison to adtech location data is instructive. The bulk SDK location market spent a decade selling "anonymized" movement data to anyone with a credit card, including federal agencies routing around warrant requirements (see the 2020 Venntel/CBP revelations). ALPR is structurally worse in one specific way: it does not require the target to carry a phone, install an app, or accept terms of service. A car is a sufficient consent token. The privacy story of the 2010s was "don't carry a phone to the protest." The privacy story of the late 2020s is "don't drive to it."
The community reaction on Hacker News (140 points, ~400 comments at time of writing) split along predictable lines, but one practitioner thread is worth surfacing: several commenters who work on or near law enforcement integrations pointed out that the technical work to enable real-time access is trivial — Flock already pushes alerts via webhooks for hot-listed plates. The FBI is essentially asking to be added as a tenant on a system whose live-streaming primitives already exist. The barrier was policy, not engineering.
If you ship anything that touches vehicle data, location data, or movement inference, three things change.
First, assume the federal threat model is now "live feed," not "subpoena." If your product ingests, derives, or correlates with vehicle movement — fleet telematics, insurance UBI, parking apps, EV charging analytics, traffic ML training data — your retention policy is your customers' privacy policy. "We delete after 90 days" reads differently when there's a public-sector parallel system keeping the same data forever and selling live access. Shorten windows. Add purge-on-request. Document what you don't keep.
Second, vehicle plate strings are now PII in everything but name. Treat them with the same hygiene as email addresses or phone numbers: hash at ingest if you can, never log them in plaintext, and audit who on your team can query by plate. Several state AGs (notably California and Massachusetts) are circling regulations that would make this explicit. The cheapest compliance win for the next 18 months is a one-line policy: plates are PII, treat them as such, and the audit log proves it.
Third, if you're building community safety, civic tech, or public-sector dashboards, recognize that the Flock model — sell hard to municipalities, federate the backend, expose to federal partners — is now the playbook. Customers will start asking pointed questions about data residency, sharing toggles, and federal access. The vendors who win this segment over the next three years will be the ones who can answer "what would it take for the FBI to read this?" with something other than "depends on the warrant."
The FBI request will almost certainly be granted in some form, because the alternative — agencies waiting hours for data that already exists in a queryable database — is politically untenable the next time a child is abducted. The real fight is over the logging, audit, and minimization layers: who gets to see the queries, what happens to non-target data, how long the join keys persist. Those are engineering questions, not constitutional ones, and they will be decided by the defaults that Flock and its competitors ship. Watch the SDK changelogs more carefully than the press releases.
We really should build an open source ALPR system of cameras that gives real time information on the position of every law enforcement vehicle. Including the cars driven by the officers to and from work. That would have been helpful in finding license violations in California by ICE officers.EDIT: W
There’s a lot of local US candidates running this year on pushing back on the federal government. Realistically there’s not a ton that can be done at the level of a mayor or even state senator. However removing local passive surveillance is something that can make a genuine impact. I’d love to see p
This article is literally blogspam of an article that got significant front-page coverage:https://news.ycombinator.com/item?id=48184350
Is this as a backup for the system that reads the rfid in our tires?/ I assumed this had long been the case
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
SCOTUS has already ruled that tracking people's movement over time without a warrant is a Fourth Amendment violation.https://en.wikipedia.org/wiki/Carpenter_v._United_States