How do Flock Safety’s sharing settings and audit controls technically work, and what policy fixes have been proposed to prevent side‑door access?
Executive summary
Flock Safety’s platform enforces sharing and oversight through per‑agency “network” controls, search reasons and case‑number fields, and comprehensive audit logs that record every search; the company says data encryption and AWS GovCloud segregate sensitive law‑enforcement information [1] [2] [3]. Critics and some municipalities reported unexpected cross‑jurisdictional access and raised abuse concerns. In response, Flock added technical and policy mitigations: a distinct “Federal” user category, an option for agencies to make case numbers mandatory, tighter audit export controls, and proactive alerts. There have also been calls for stronger lifecycle and CJIS‑aligned controls, including enforced MFA. Public reporting, however, does not fully disclose the low‑level implementation details of those controls or how the alleged “nationwide” toggle was enabled [4] [5] [6] [7] [8].
1. How sharing settings present to agencies and what’s logged
Flock’s interface provides a dropdown of search reasons plus a free‑text case‑number field that agencies can require their users to fill in. Every search in the system is saved in an audit report, which Flock and agencies say is viewable in the organization and network audits under the Insights tab [1] [9] [2]. Per Flock, customers “own 100% of their data” and control sharing choices. The networks an agency shares, and searches of those networks, appear in the network audit with fields such as name, org, devices searched, reason, case number, plate and timestamp [2] [9] [10].
2. The “side‑door” problem as reported by cities and journalists
Multiple jurisdictions raised alarms that out‑of‑state or federal actors accessed local LPR data after audits surfaced broader lookups; Mountain View alleged an internal audit found a nationwide search setting had been turned on without the local agency’s consent, and Illinois audits found federal accesses that triggered state legal questions about sharing restrictions [8] [6]. Advocacy groups and local records requests via MuckRock show agencies and watchdogs routinely request organization and network audit logs to verify who searched what — an indicator that the core worry is not lack of logs but the accuracy and enforcement of sharing controls [11] [9] [12].
3. Technical protections Flock describes (encryption, segregation, audit export controls)
Flock states that it stores CJIS‑class data in AWS GovCloud with KMS‑based encryption and limits access to encryption keys. It also claims that private customers cannot access government CJIS data and that audit trails are permanent for searches involving an agency’s cameras [3] [2] [10]. The company added tools giving agencies greater control over audit exports (so fields like Search Reason can be excluded from exports) and, where configured, requires offense documentation for searches, which Flock frames as reducing accidental or illicit queries [5].
4. Operational fixes and policy proposals to block “side doors”
Flock and local officials point to several fixes: designating federal accounts as a distinct “Federal” user category and removing them from automatic statewide/nationwide lookup; allowing agencies to require case numbers for all searches; pausing federal pilots while reviewing protocols; adding proactive audit alerts to flag anomalous activity; and offering tighter audit export controls to make oversight easier [4] [6] [5] [13]. Security commentators and policy analysts push complementary measures — enforceable MFA, elimination of hard‑coded credentials, periodic access reviews, anomaly detection and CJIS v6.0 lifecycle alignment — because audit logs alone don’t prevent compromised credentials or misconfigured sharing [7].
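The audit fields listed in section 1 and the review measures named in section 4 (required case numbers, federal account labeling, anomaly flags) can be combined into a periodic log review. The following is an added example, not Flock's code or export format: the CSV layout, the `user_category` column, the numeric `devices_searched` value, the approved‑org list and the threshold are assumptions, and every row is constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names follow the audit fields the article
# lists; the CSV layout and the "user_category" column are assumptions.
SAMPLE_AUDIT_CSV = """name,org,user_category,devices_searched,reason,case_number,plate,timestamp
A. Rivera,Example City PD,Local,12,Stolen vehicle,24-001187,ABC1234,2025-03-02T14:05:00
J. Chen,Neighbor County SO,Local,12,Investigation,,XYZ9876,2025-03-02T23:41:00
M. Ortiz,Out-of-State PD,Local,4100,Investigation,OS-5521,XYZ9876,2025-03-03T02:13:00
Agent 17,Example Federal Office,Federal,4100,Investigation,,LMN4567,2025-03-03T02:20:00
A. Rivera,Example City PD,Local,12,Missing person,24-001190,QRS2222,2025-03-03T09:30:00
"""

# Hypothetical local policy: orgs the agency has agreed to share with.
APPROVED_ORGS = {"Example City PD", "Neighbor County SO"}
# Hypothetical review threshold for a statewide/nationwide-scale lookup.
WIDE_SEARCH_DEVICES = 1000


def review_row(row, approved_orgs=APPROVED_ORGS):
    """Return the list of policy findings for one audit row."""
    findings = []
    if not row["case_number"].strip():
        findings.append("missing_case_number")
    if row["org"] not in approved_orgs:
        findings.append("org_not_approved")
    if row["user_category"].strip().lower() == "federal":
        findings.append("federal_account")
    if int(row["devices_searched"]) > WIDE_SEARCH_DEVICES:
        findings.append("wide_search")
    return findings


def review_audit(csv_text, approved_orgs=APPROVED_ORGS):
    """Return (flagged_rows, counts) for a network-audit export."""
    flagged, counts = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = review_row(row, approved_orgs)
        if findings:
            flagged.append((row["timestamp"], row["org"], row["name"], findings))
            counts.update(findings)
    return flagged, counts


if __name__ == "__main__":
    flagged, counts = review_audit(SAMPLE_AUDIT_CSV)
    for ts, org, name, findings in flagged:
        print(ts, org, name, ", ".join(findings))
```

A review like this only surfaces rows for a human to check against the agency's sharing agreements; it does not show how a sharing setting came to be enabled.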
5. Where the reporting is thin and what remains unresolved
Public statements and audits confirm the existence of dropdown reasons, audit trails, federal tagging, and new export/alert features. However, available reporting and Flock’s public posts do not disclose the precise authorization logic, the default state of cross‑jurisdictional toggles, the rollback/change history that produced the Mountain View allegation, or low‑level telemetry about how and when federal users were attached to networks. These gaps mean some technical “how it happened” claims cannot be independently verified from the sources provided [1] [4] [8].
6. Bottom line: auditability vs. enforceability
Flock has built a system with visible audit logging, configurable sharing, and new controls for case numbers and export limits, and it says sensitive CJIS data is segregated and encrypted. Real prevention of side‑door access, however, requires both those in‑platform controls and external policy enforcement: mandatory MFA, elimination of hard‑coded credentials, regular independent audits, legally binding sharing restrictions, clear labeling of federal accounts, and automated anomaly alerts. Otherwise, audit trails reveal misuse after the fact but do not by themselves stop it [3] [7] [5] [6].