Congressional Inquiry Targets Surveillance Tech Over Alleged Security Vulnerabilities

Leading congressional figures have initiated a formal request for the Federal Trade Commission (FTC) to launch an investigation into Flock Safety, a prominent provider of license plate scanning technology. The lawmakers contend that Flock Safety has failed to implement adequate cybersecurity measures, potentially leaving its extensive network of surveillance cameras and the sensitive data they collect susceptible to exploitation by hackers and foreign intelligence agencies.

The Heart of the Allegation: Unpacking MFA and Its Importance

The core of the lawmakers’ concern, articulated in a letter addressed to FTC Chairman Andrew Ferguson, revolves around the company’s approach to multi-factor authentication (MFA). Sent by Senator Ron Wyden (D-OR) and Representative Raja Krishnamoorthi (D-IL, 8th), the communication urges the regulatory body to examine why Flock Safety does not mandate MFA for its law enforcement clientele. Multi-factor authentication is a critical security protocol designed to fortify access to digital accounts by requiring users to provide two or more verification factors to gain entry. This typically involves something the user knows (like a password) combined with something the user has (such as a code from a mobile app or a physical token) or something the user is (like a fingerprint or facial scan).

In an era rife with sophisticated cyber threats, MFA stands as a fundamental bulwark against unauthorized access, even if a user’s primary password is compromised through phishing attacks, malware, or data breaches. The congressional letter asserts that while Flock Safety does offer its law enforcement partners the capability to enable MFA, the company does not enforce its use. This omission, confirmed by Flock Safety to Congress in October, creates a significant vulnerability. Should cybercriminals or hostile state actors acquire the login credentials of a law enforcement user, they could potentially infiltrate the restricted areas of Flock’s digital platform, gaining the ability to search and track the billions of vehicle records amassed from cameras deployed across the nation.

Flock Safety’s Pervasive Network: Scale and Functionality

Flock Safety has rapidly ascended to become one of the United States’ largest operators of automated license plate recognition (ALPR) systems. Its technology is integrated into the operations of over 5,000 police departments and numerous private businesses nationwide. These ALPR cameras are strategically positioned to continuously scan the license plates of vehicles passing by. Each scan captures an image, records the vehicle’s license plate number, and timestamps its location. This vast repository of data allows law enforcement and federal agencies with authorized access to the Flock platform to conduct searches, effectively creating a detailed historical record of vehicle movements across various geographic areas.

The proliferation of ALPR technology, spearheaded by companies like Flock Safety, has been a defining trend in modern policing over the last decade. Initially lauded for its potential to aid in solving serious crimes, locating stolen vehicles, and issuing Amber Alerts, the technology offers a powerful investigative tool. However, its widespread adoption also raises significant questions about privacy and the scope of government surveillance. The "billions of photos of Americans’ license plates" mentioned by the lawmakers represent an enormous dataset capable of mapping the daily lives and routines of countless individuals, often without their explicit knowledge or consent, and funded, in part, by taxpayer dollars.

A Digital Trail of Vulnerabilities: Evidence of Compromise

The lawmakers’ concerns are not purely hypothetical. Their letter cites concrete evidence suggesting that login credentials belonging to some of Flock Safety’s law enforcement clients have already been compromised and circulated online. This evidence includes data provided by Hudson Rock, a cybersecurity firm specializing in identifying usernames and passwords stolen by sophisticated information-stealing malware. Such malware, often spread through malicious emails or infected websites, is designed to covertly exfiltrate sensitive data from compromised computers.

Further reinforcing these allegations, independent security researcher Benn Jordan reportedly furnished the lawmakers with a screenshot from a Russian cybercrime forum. This image purportedly showed active solicitations for the sale of access to Flock Safety logins, indicating a tangible market for these compromised credentials among malicious actors. These findings underscore the critical nature of robust security protocols like MFA, which could serve as a crucial barrier even if initial login details are stolen.

Adding to the documented instances of security lapses, a previous report by 404 Media revealed a concerning incident involving the U.S. Drug Enforcement Administration (DEA). The report detailed how the DEA allegedly utilized a local police officer’s password, without the officer’s knowledge, to access Flock Safety’s camera network. This unauthorized access was reportedly used to track an individual suspected of an "immigration violation." Following the revelation of this incident, the Palos Heights Police Department, whose officer’s credentials were used, swiftly implemented multi-factor authentication for its Flock Safety account, highlighting a reactive move to bolster security after a breach. This incident serves as a stark illustration of the potential for misuse and the consequences of lax security enforcement.

Industry Standards and Corporate Response: Flock’s Stance

In response to the escalating scrutiny, Flock Safety provided a statement through its chief legal officer, Dan Haley. In a letter, Haley confirmed that the company has taken steps to enhance its security posture. Specifically, he stated that multi-factor authentication was set as the default setting for all new customers beginning in November 2024. Furthermore, Haley reported that an impressive 97% of Flock Safety’s existing law enforcement clients have, to date, proactively enabled MFA on their accounts.

While these statistics might appear reassuring, they also reveal a significant remaining vulnerability. The 3% of law enforcement agencies that have yet to activate MFA represent potentially dozens of police departments, sheriff’s offices, or other public safety entities. Haley’s letter acknowledged these holdouts, attributing their decision not to enable MFA to "reasons specific to them," without elaborating on what those reasons might entail. A spokesperson for Flock Safety, Holly Beilin, did not immediately provide specific figures on the exact number of law enforcement customers still operating without MFA, nor did she confirm if any federal agencies were among this group, or clarify the company’s rationale for not making this crucial security feature universally mandatory. This leaves a critical gap in understanding why some agencies would decline a fundamental layer of digital protection, especially when handling sensitive public data.

Broader Implications: Privacy, Trust, and Oversight

The allegations against Flock Safety and the broader implications of security vulnerabilities within vast surveillance networks extend far beyond technical concerns; they touch upon fundamental aspects of privacy, public trust, and governmental oversight. The accumulation of billions of license plate scans creates an unprecedented ability to track the movements of individuals, potentially mapping out daily routines, associations, and even political activities. This level of pervasive surveillance, even when intended for law enforcement purposes, raises significant civil liberties questions, particularly concerning the Fourth Amendment’s protection against unreasonable searches and seizures. Critics argue that such extensive data collection could foster a "chilling effect," where individuals alter their behavior out of fear of being constantly monitored.

The revelation of security shortcomings within such a vital public safety system also risks eroding public trust in both law enforcement agencies and the technology providers they partner with. If the systems designed to enhance public safety are themselves vulnerable to unauthorized access by criminals or foreign adversaries, it undermines the very foundation of security they promise. This can lead to public skepticism regarding the effectiveness and ethical deployment of advanced surveillance technologies.

From a market perspective, Flock Safety’s dominant position in the ALPR sector means that any systemic vulnerability has a disproportionately large impact across the nation. This raises questions about market concentration and whether a lack of robust competition might diminish incentives for leading companies to implement the highest possible security standards without external pressure. The congressional call for an FTC investigation highlights the crucial role of regulatory bodies in overseeing technology that intersects with public safety and personal privacy. The FTC, primarily responsible for consumer protection, is being asked to extend its purview to a business-to-government (B2G) service that handles vast amounts of data pertaining to the public. This reflects a growing recognition of the need for robust federal oversight to ensure accountability and safeguard fundamental rights in an increasingly digital and surveilled society.

The Path Forward: Calls for Accountability and Enhanced Security

The demand for an FTC investigation signals a significant moment for the intersection of surveillance technology, cybersecurity, and civil liberties. Such an inquiry could lead to a range of outcomes, including potential fines, mandated security improvements, or stricter data retention and sharing policies for companies operating in this sensitive domain. The core message from lawmakers is clear: universal enforcement of strong cybersecurity measures, particularly MFA, should not be optional for systems handling sensitive data and impacting public safety.

The ongoing tension between leveraging technological advancements for public safety and safeguarding individual privacy and security remains a complex challenge. As surveillance technologies become more sophisticated and ubiquitous, the need for transparency, robust accountability mechanisms, and non-negotiable security protocols becomes paramount. The incident involving Flock Safety serves as a powerful reminder that the infrastructure of digital policing must be as resilient and secure as the data it collects, ensuring that the tools designed to protect society do not inadvertently become avenues for its compromise. The resolution of this inquiry will likely shape future standards for how public safety technology is developed, deployed, and secured in the United States.
