21 comments

  • 0xbadcafebee 2 hours ago
    I don't care that Flock was involved, I care that there's no consequence for it when any corporation does this. How can this not result in fines or jail time?
  • iancarroll 9 hours ago
    Although I don’t like Flock, I’m a bit skeptical of the claims in the article. Most screenshots appear to be client-side JavaScript snippets, not API responses from this key.

    In the bug bounty community, Google Maps API key leaks are a common false positive, because they are only used for billing purposes and don’t actually control access to any data. The article doesn’t really prove ArcGIS is any different.

    • bcrl 8 hours ago
      Security for maps is basically impossible. Maps tend to have to be widely shared within government and engineering, and if you know what you're looking for, it's remarkably straightforward to find ways to access layers you would normally have to pay for. It's a consequence of the need to share data widely for a variety of purposes -- everything from zoning debates within a local county to maps for broadband funding across an entire country create a public need to share mapping information. Keys don't get revoked once projects end as that would result in all the previously published links becoming stale, which makes life harder for everyone doing research and planning new projects.

      Moreover, university students in programs like architecture are given access to many map layers as part of the school's agreements with the organizations publishing the data. Without that access, students wouldn't be able to pick up the skills needed to do the work they will eventually be hired for. And if students can get data, then it's pretty much public.

      Privacy is becoming (or already is) nearly impossible in the 21st century.

      • chrneu 5 hours ago
        privacy isn't impossible

        privacy while engaging with the digital world is

        it isn't hard to be private. you just can't live in or go near cities/towns as much.

  • sanex 8 hours ago
    I think the issue with Flock isn't that they're a joke security-wise; the issue is that they exist. If you want to police somebody you don't have to police everyone. I'd argue watching my location at all times is unreasonable search.
    • rkagerer 5 hours ago
      If someone followed me around 24x7 with a notebook, transcribing all my movements and affixing carefully attached photos of me to every page, it would be called Stalking and I'm pretty sure I could win at least a restraining order against them in court.

      I don't get why we treat this any differently. The only difference is they're not as obvious.

      • chrneu 5 hours ago
        you just described a private investigator.

        stalking requires some kind of menacing or whatnot. i seriously doubt a judge would grant a restraining order just because you think someone is following you without any interaction.

        >Stalking is a crime of power and control. It is a course of action directed at an individual that causes the victim to fear for their safety, and generally involves repeated visual or physical proximity, nonconsensual communication, and verbal, written, or implied threats.

        • themafia 2 hours ago
          > you just described a private investigator.

          In most states that requires a license with actual professional standards being met to obtain and maintain one. It does not entitle you to harass someone.

          > stalking requires some kind of menacing or whatnot.

          Repetition, threats, and fear. The standard is "would most reasonable people perceive these actions in the same way?"

          The better question is, in the cities that have installed flock, is the crime rate actually down? And can we make FOIA requests to see how often and for what the police have queried the system to receive data? I may not be able to challenge the existence of the system with a TRO but I can constrain police use of it; hopefully, to the point it is no longer economically viable for them to operate it.

        • sanex 4 hours ago
          Ok but private investigators are acceptable and stalkers are manageable individually because neither scales. You can't cover every individual in the US with a PI simultaneously.
        • monkaiju 5 hours ago
          >causes the victim to fear for their safety

          If being pervasively spied on by an increasingly fascist government doesn't make you fear for your safety you might want to brush up on your history...

          • chrneu 5 hours ago
            >causes the victim to fear for their safety

            ...this is completely up to interpretation. again, just being followed isn't a crime nor does it violate privacy as long as it occurs in public space.

            i could say someone on the subway was stalking me because they have the same schedule as me and commute at the same time.

            • Jon_Lowtek 4 hours ago
              The citizens of the USA need to modernize their concept of privacy. Defining it over private/public spaces comes from a time when mass surveillance was technologically unfeasible. Technology has changed, and so must the definition of privacy.

              thought experiment: >> if they do not want their conversations in their living room recorded, parsed by automated language models running in our datacenters, and added to their permanent record, they shouldn't have a window to a public space that vibrates. All we are doing is being in a public space, spending billions of VC money to point laser microphones at all homes 24/7 collecting data that anyone in this public space could have collected. You can not outlaw that without outlawing 5 year old Timmy riding his tricycle down the sidewalk, because we are using his right to see the light from his lamp being reflected by the houses, to justify why our creepy business model isn't a violation of millions of people's privacy. You can't have a reasonable expectation of privacy that allows little Timmy to see, but forbids our corporation to spy on everyone, not in america. We also send electromagnetic waves out on one side of your house and collect them on the other, so we can see you move inside your house. It is basically like ham radio, anyone could do it, little Timmy sends electromagnetic waves through your house when he talks to his friend on a walkie talkie. You think Timmy shouldn't be allowed to have a walkie-talkie? We just send them through all the homes, all the time, everywhere. No we are not on your property all our devices are in public spaces <<

              The idea that, if a single piece of information could be collected by a human in a public space, then mass scale collection of that and similar information at all times and in all public spaces, for any purpose by a fully automated behemoth is fine, is insane.

              The USA needs to amend its constitution to define the right to privacy in a way that declares mass surveillance and systematic profiling using non-consensual data gathering at scale illegal for being the nefarious violation of basic human rights that it is, before they completely lose what little privacy they have left when they hole up in their homes.

    • tdb7893 6 hours ago
      I'm starting to think there should be a constitutional amendment specifying a right to privacy because the last few decades have shown they'll just keep pushing the boundaries otherwise.
      • Loughla 5 hours ago
        The chances of a constitutional amendment, let alone one dedicated to specifically limiting the powers of law enforcement, are, and I'll go on a limb and say I'm correct in this absolute statement, 0.

        There is zero chance of any amount of government in these United States cooperating in any fashion large enough to change the actual Constitution. Zero.

        • fc417fc802 2 hours ago
          I'm not so sure about that. A while back Virginia managed broad bipartisan support to curtail ALPR usage. Unfortunately the governor vetoed that IIRC.

          Being creeped out by corporate stalkers and an invasive government seems to be something that a lot of "regular people" of all political allegiances have in common.

          • arcticbull 2 hours ago
            An amendment requires 2/3 of the house and 2/3 of the senate -- or 34 of 50 states to call for a constitutional convention (which has never been done) -- just to float an amendment.

            Then 3/4 of the states have to ratify it.

            I don't think you could get half of states to agree the sky is blue let alone 3/4.

            [edit] The Equal Rights Amendment has been in progress since 1972 and while they somehow managed to get 3/4 of states to agree (Virginia agreed in 2020) the 7- and later 10-year deadline built into the bill had long elapsed. And 5 states later tried to rescind their ratifications which isn't really covered in the constitution in the first place.

            That one says simply:

            > Equality of rights under the law shall not be denied or abridged on account of sex.

            So I guess what I'm trying to say is godspeed.

        • sanex 4 hours ago
          It could be done if two thirds of the states call a convention which might actually be more likely than getting Congress to agree on anything, I'm just not confident the red states would go for it.
        • tdb7893 4 hours ago
          I still think these things can be worth pushing for, it's an issue that even the older conspiracy theorists I know naturally understand. There's a persuasive use to advocating for something simple and a constitutional amendment on privacy doesn't need much explanation (unlike some laws that people propose). If it gets some support we probably won't get an amendment still but we might get some concessions (even if it's just an amendment to a budget bill, which seems to be the only thing this Congress can actually pass).
        • monkaiju 5 hours ago
          Currently true, but doesn't mean there "shouldn't" be one right?
      • eru 2 hours ago
        It's pretty useless. A (US) constitutional amendment would only protect Americans from US institutions.

        Us foreigners still have to deal with Americans spying on us. (And other countries spying on us.) And Americans still have to deal with non-American organisations spying on them.

  • xnx 11 hours ago
    Public camera feeds should be public
    • ajcp 8 hours ago
      I agree with this, especially in the case of camera feeds that are run by organizations that are supposedly servicing the public.

      That being said I also don't wonder if there is a point where we're just crowdsourcing the police state?

      • notyourwork 7 hours ago
        I think that would lead to society questioning the justification to have them.
        • betaby 5 hours ago
          And either outcome is a win.
      • k12sosse 1 hour ago
        At least the police state would also be on record!
    • ocrow 8 hours ago
      To most effectively enable stalking applications
      • bigiain 7 hours ago
        I have proposed elsewhere that for companies like Flock doing surveillance of the public, it should be legally required for every company executive and board member to have their cameras, ALPR systems, audio surveillance, drone systems, etc - installed outside their homes and along their routes to work and along their routes to their children's schools and their spouses' workplaces - and all of that data be publicly accessible. And I'd suggest the same goes for senior management and decision makers at every town and police department and private company that signs a contract with them.

        "For their own safety", as they'd have us believe.

        Quis custodiet ipsos custodes?

        • oofbey 2 hours ago
          Wouldn’t matter. The execs of these companies are unlikely to be subject to excessive policing. Systemic bias being what it is.
      • EvanAnderson 2 hours ago
        If I was being stalked I'd rather have public surveillance data that I could compile (or pay somebody else to compile) versus relying on law enforcement, who has no duty to protect me.

        Making surveillance public levels the playing field for everybody.

      • chrneu 5 hours ago
        ...people can just follow you in public. there's nothing illegal about that.

        there is no reasonable expectation of privacy in a public setting, nor should there be. anyone arguing there should be is giving up basic rights because they're scared.

        the issue is when public feeds get recorded and are allowed to be viewed at a later date. the data retention is the issue, not the privacy.

        • Dylan16807 1 hour ago
          If nothing is recorded that helps but it's still a much bigger problem than someone following you because you can see someone that's following you and they also can't be in 50 places at once.
  • ComputerGuru 9 hours ago
    Has anyone had success getting their city to take down the Flock cameras? Ours just added them maybe a year and a half ago. They popped up in multiple nearby municipalities around the same time, I'm not sure if it was coordinated action or somehow pulled off at the county level.
    • thaumaturgy 4 hours ago
      I was one of the main organizers of a community group that successfully got Flock contracts canceled in Eugene and Springfield, Oregon. I have also presented several times to city officials in and around Portland, am currently helping groups in other cities around Oregon and elsewhere get started, and I'm working with a state legislative workgroup to begin getting some reasonable legislation in place.

      The extent to which Flock manipulates police departments is really incredible. Here's a fun little factoid: Lexipol is a company which sells various pre-written policies to police departments, including an ALPR policy; Lexipol is also a parent company of Police1, which helps police departments find public grant money to purchase Flock subscriptions, and Flock in turn is heavily featured on Police1.

      So, if you're a police department, you go to Police1 (Lexipol) for news and product info, they pitch you on Flock, you fill out a form, you sign a contract, and then later you need an actual ALPR policy for your department, and Lexipol sells you that, too. The policy of course is extremely friendly towards vendors like Flock.

      Flock exerts a lot of influence with the police departments that subscribe to their platform. We've repeatedly had to respond to the same talking points from PDs (and some city officials) that are very clearly getting all of their info from Flock, and in some cases coached by them.

      And YCombinator startup Flock Safety is extremely misleading in many of their product, service, and business statements.

      • zbrozek 3 hours ago
        It's coming up at the Los Altos Hills city council meeting next week. I would love to know what I should say to try and let our contract expire.
        • thaumaturgy 3 hours ago
          Email me at [email protected]. Things are a bit busy the next few days, but we can discuss what's worked for us. Getting a win in one meeting is a long shot, but you never know -- Bend, Oregon also got theirs canceled just the other day!

          I'm also spinning up a new team that will be able to more actively help people get efforts started (or keep them going). Their first meeting is coming up this week too.

    • duskwuff 9 hours ago
    • vmh1928 7 hours ago
    • jkestner 4 hours ago
      Maybe Flock sales was going door-to-door in your area.

      Sedona (with a handy timeline of how they accomplished it) https://livefreeaz.com

      Bend, OR https://www.opb.org/article/2026/01/08/bend-flock-cameras-ai...

      Hays County, TX https://www.kxan.com/news/hays-county-votes-to-terminate-flo...

      Lockhart, TX preemptively rejected them https://www.kxan.com/news/local/caldwell-county/lockhart-cit...

      Working on it in our city. Flock has been their own worst enemy—once people know the name of the company, they start seeing it in the news regularly. Start talking to people, show up at city meetings.

    • toofy 9 hours ago
      apparently a bunch of cities across oregon and washington are not renewing.

      https://www.opb.org/article/2026/01/08/bend-flock-cameras-ai...

      • ComputerGuru 9 hours ago
        I eagerly clicked the link but they're just looking for another vendor that does the same thing. It's like boycotting Marlboro only to buy from Camel.
        • nxobject 8 hours ago
          And what are the chances of a smaller vendor being any more secure?
          • ryan_n 7 hours ago
            Them being more secure would be good, but it's still mass surveillance of citizens without much justification.
            • notyourwork 7 hours ago
              Decentralized surveillance. Only mass if it’s all cohesively accessible by one entity.
          • fn-mote 8 hours ago
            With a bar this low? Pretty good.
        • mc32 7 hours ago
          I mean, the product makes their jobs easier and cheaper (for investigations). People may debate that, but these things come down to efficiency.

          So, whether it's vendor A or Vendor B municipalities don't care. What they want is the capability. The municipalities have the backing of the communities -with few odd exceptions because most people in most communities want LE to "catch the perps."

      • DivingForGold 7 hours ago
        Both Austin, Texas and San Marcos, Tx are non-renewing Flock . . .
    • godzillafarts 5 hours ago
    • halfmatthalfcat 8 hours ago
      Evanston, IL did
    • maximinus_thrax 7 hours ago
      Mountlake Terrace WA did https://www.heraldnet.com/news/mountlake-terrace-cancels-flo...

      My hope is that https://www.eff.org/deeplinks/2025/11/washington-court-rules... will make Flock get the fuck out of Washington state.

    • therobots927 9 hours ago
      First thing to understand, at least in my case, is that the “city” does not manage the contract. The local PD does. Good luck reasoning with them.
  • nxobject 11 hours ago
    Sheer incompetence. I hope (probably in vain) that police departments and local governments become more savvy technical evaluators of fancy tech solutions.

    There was a huge fracas re: ShotSpotter in my town, where both the municipality's CIO and auditor (+ their internal research capacity) were sidelined. It took a sad amount of handholding elected officials through ShotSpotter's technical claims for them to shelve a planned deployment.

    • oofbey 3 hours ago
      It’s not incompetence. This is simply not caring. If they had any interest in fixing this they would have. It just wasn’t at all important to them.
  • eddyg 11 hours ago
    • ncr100 11 hours ago
      This does link to an example real-world video showing children playing in a park, as recorded by FLOCK CAMERAS, of which the feed is publicly exposed to the Internet.
    • chaps 11 hours ago
      (this is not the same thing...)
      • eddyg 10 hours ago
        Didn't say it was the same thing; I was linking to a recent related discussion about these cameras
        • chaps 10 hours ago
          Ah, apologies. Happy friday.
  • vmh1928 7 hours ago
    Just a reminder here of this experiment using adversarial techniques to confuse the license plate readers. Just an experiment, may not be legal in all locations, check your local laws. https://youtu.be/Pp9MwZkHiMQ?si=nas4dOH4vKyAW_5h
  • deejaaymac 8 hours ago
    I have a controversial question; In the UK, they have blade runners who take down CCTV. I would have expected a more aggressive response in the USA, considering the culture. Is this not happening?
    • sixo 8 hours ago
      Our anti-police-state faction is toothless, while the "aggressive" faction is the one trying to install the police state.
      • rainonmoon 24 minutes ago
        The gutless liberals that dominate your country’s preconceptions of “the left” are not your anti-police state faction, but you do their work for them by conflating the two. The anti-police state faction are the ones habitually being physically brutalised if not outright murdered by the cops while the media wags their finger at them for their apparent lack of civility.
      • esafak 7 hours ago
    • rrix2 8 hours ago
      Many of the flock cameras in my city were disabled by bashing in the solar panels or damaging the camera lens. Unfortunately, flock's contract is such that the city pays for repairs/replacement
      • rationalist 8 hours ago
        Is there an inflection point at which the city would decide it's not worth renewing the contract?
        • mjevans 7 hours ago
          Given the utter lack of enforcement on actual nuisances (noise / burning violations, 'eyesore' / private property abuse via trash / abandoned things / unsanctioned business activities in residential zones, petty theft prevention / enforcement) and the aggressive enforcement on any revenue generation laws that target citizens who will responsibly pay?

          I anticipate the apathy to continue, and the bill to be passed along as some form of regressive tax.

      • loteck 5 hours ago
        What city is this?
        • chrneu 5 hours ago
          i live in oregon and a bunch of the flock cameras have been vandalized.

          a lot of the oregon towns/cities decided to cancel or not renew their contracts though, so I think they just let em get broken and then didn't pay to repair them.

    • AngryData 7 hours ago
      Somewhat, but the legal consequences for getting caught and brought to court if you don't have a few thousand to drop on a lawyer will screw up your life. So it happens less.

      Not to mention the risk of dealing with trigger happy and corrupt cops.

      • kobieps 6 hours ago
        Won't it screw up your life in the UK too?
    • Shadowmist 7 hours ago
      Go to their homepage and read about the drone capabilities.
    • monkaiju 5 hours ago
      I mean we're also increasingly being terrorized by our new gestapo, so far with limited resistance. We aren't really the "radical freedom defenders" we like to claim to be...
    • john-h-k 7 hours ago
      The noble blade runners who are valiantly fighting for… more air pollution
  • fuck_flock 16 hours ago
    Flock is fond of saying this:

    > "I'm writing to you directly because I want there to be zero confusion about what's happening. Flock has never been hacked. Ever."

    They are just lying at this point. If you get involved in advocacy related to flock you will likely hear their reps parrot this. Be ready to combat it with concrete examples like this!

    • Terr_ 10 hours ago
      I recall some extracted video where someone took one of Flock's adamant "it's all fixed now" PR denials and performed it into one of the still-insecure cameras.
    • conductr 5 hours ago
      Flock CEO: my home has never been broken into before. Ever.

      House guest: but sir, where are all of your belongings?

      Flock CEO: oh that, well I leave my front door open at all times. My home has never been broken into

    • shreddit 10 hours ago
      But is it really hacking if they just give you the key?

      Am i breaking into your home when you leave the door wide open? /s

      • doublerabbit 9 hours ago
        If you have a camera and you're only taking photos. You don't have any photos of the car keys and the car going missing do you? /s

        It's how urban exploration folk get away exploring abandoned buildings here in the UK. If you can prove you didn't create damage to gain access; a grey area.

        > Trespass (Civil Matter): In England and Wales, simple trespass is typically a civil matter between you and the landowner. You cannot be arrested for civil trespass alone, but the landowner can sue you for damages or an injunction, and police may get involved if you refuse to leave when asked.

  • Aeolun 3 hours ago
    In a sensible world, this would both destroy the company and get the owners jailed.
  • baggachipz 11 hours ago
    Who could have guessed that the greedy, opportunistic, evil corporation whose sole intent is to invade our privacy in the name of "security" would be run by incompetents in the security realm?
    • Spooky23 10 hours ago
      Their CEO comes off as a real self-righteous character.

      One has to wonder whether these passwords were that way purposefully to avoid accountability for privileged partners. Most of these systems are deployed with grant money that comes from the department of justice.

      • lcnPylGDnU4H9OF 7 hours ago
        > Their CEO comes off as a real self-righteous character.

        https://www.ci.staunton.va.us/home/showpublisheddocument/134... (PDF)

        My favorite part:

        > [Activists are] also trying to turn a public records process into a weapon against you and against us.

        As if people are not simply asking for something to which they are entitled through legislation.

        • Forgeties79 5 hours ago
          “I can’t believe these people are exercising their rights!”

          - someone who screams about the 1st amendment whenever they’re told they’re being an asshole

        • callc 6 hours ago
          Ah yes, the teenager point of view of “why is everyone trying to ruin my life!”

          Adults that didn’t grow up.

      • nxobject 8 hours ago
        “Wow, we totally didn’t know we had everything accessible on Shodan! We totally hope that no federal entities exploited this (fake tears), but I guess we can’t tell anyway! It’s not as if they found out about it from us :(”
      • therobots927 10 hours ago
        He’s clearly mimicking Alex Karp. And there’s no doubt in my mind that this is one of many backdoors built into Flock.
    • ummonk 5 hours ago
      I'm surprised they didn't name it after some Tolkien reference that they completely misinterpreted...
    • ncr100 11 hours ago
      Here's an elucidation, taking that question seriously, supplying a bunch of "Why's" --

      * https://medium.com/@ajay.monga73/why-developers-still-hardco...

      • robot-wrangler 6 hours ago
        A root-cause analysis here that's about intrinsic difficulty is misguided IMHO. Secrets and secrets-delivery are an environment service that individual developers shouldn't ever have to think about. If you cut platform/devops/secops teams to the bone because they aren't adding application features, or if you understaff or overwork seniors that are supposed to be reviewing work and mentoring, then you will leak eventually. Simple as. Cutting engineering budgets for marketing budgets and executive bonuses practically guarantees these kinds of problems. Engineering leadership should understand this and deep down, it usually does. So the most direct way to talk about this is usually acknowledging willful negligence and/or greed
        • catlifeonmars 5 hours ago
          Agreed. Proper secrets management is table stakes for any company entrusted with paying customers.
    • hopelite 10 hours ago
      FYI; Flock was/is a YC backed company

      https://www.ycombinator.com/companies/flock-safety

      • nxobject 8 hours ago
        > We are committed to protecting human privacy and mitigating bias in policing with the development of best-in-class technology rooted in ethical design, which unites civilians and public servants in pursuit of a safer, more equitable society.

        …and of course they do the exact opposite. All a bunch of bullshit from inception.

      • notyourwork 7 hours ago
        Which really makes me sad that no one from YCombinator is speaking up. It’s all about money.
        • ViscountPenguin 6 hours ago
          Y combinator has funded a significant portion of the most harmful tech companies of this century. They're profoundly amoral, just like you'd expect from a profitable venture capital firm.

          On the bright side, they also hire dang, so that's one against 100 million.

          • raw_anon_1111 6 hours ago
            And the few that have gone public have done awful

            https://medium.com/@Arakunrin/the-post-ipo-performance-of-y-...

            • jmalicki 4 hours ago
              Most of the bad ones IPOd in 2021, when there was a huge overvaluation of speculative tech companies... Marking performance since IPO is also a bit weird since it's kind of arbitrary date in the firm's history.
              • raw_anon_1111 2 hours ago
                They have collectively had a return of -49% when the S&P 500 have had a return of 58%. It shows that all of the value went to the VCs and the public markets were the “bigger fools”.
            • ViscountPenguin 5 hours ago
              It's surprising to me that investors have been so wrong about combinator IPOs. I wonder if this has been driven by retail, or by the expectation of a small probability of enormous success.
              • raw_anon_1111 4 hours ago
                Oklo seems to have recovered thanks to the AI boom and they made a deal with Meta to deliver power for their data centers. It looks like the best performing YC stock
            • catlifeonmars 5 hours ago
              Is going public the ultimate goal of every startup?
              • raw_anon_1111 5 hours ago
                The goal of the startup doesn’t matter once they take VC funding. The goal of the investors is the exit - either via acquisition or going public.

                The most likely outcome is failure, the second most likely outcome is an acquisition. Going public is a distant third

          • eru 3 hours ago
            To be honest, I have personally funded almost all of the most harmful companies that are around today, too.

            But that's because I funded pretty much all the companies via my investment in an index fund.

            YC pretty much takes something like an index fund approach to startups: they finance a lot of them. So naturally they would also have a significant portion of what you deem to be harmful ones.

        • kelnos 7 hours ago
          Given YC's leadership over the past decade or so, I don't think they have anything they'd want to speak up about. This is probably all fine with them.

          I used to hold YC in very high regard, but these days I don't think they're materially different from any other investing shop when it comes to values.

        • _yc_is_evil_ 4 hours ago
          Why would they speak up? Have you seen the other companies they support? Have you seen what their CEO says on X? They seem fully down with actions like this.
        • Madmallard 7 hours ago
          YC seeming like more and more of a joke since AI took off
          • deaux 5 hours ago
            YC had been funding Flock for six years before LLMs took off.
      • niij 8 hours ago
        This is extremely disappointing. Absolutely turned off applying for or working for any YC companies now.
        • windexh8er 5 hours ago
          It's also interesting Garry Tan (YC Partner) has a lot of comments for the masses when it's on a one sided platform like X. But, will never engage here. Oh the irony.

          He seems to enjoy spreading factually misguided "statistics" [0] about how Flock is "solving crime". OK buddy.

          I mean, just look at how he engages with those replies. If that's at the helm of YC? WTF.

          [0] https://x.com/garrytan/status/1963256544524640456

          • femiagbabiaka 4 hours ago
            He and the entire tech ecosystem are in a bubble where being as right wing as possible is currency. Literally middle of the road liberal pg is basically a communist compared to this ecosystem now. It’s extremely short sighted on their part as the dialectic is guaranteed to flip back the other way. Much better to hold your own genuine beliefs than to kowtow to whatever is popular at the time
  • kittikitti 3 hours ago
    With respect to a different public organization with a reach of millions of people, I reported a similar vulnerability where there was an exposed key that services sensitive data. Usually, I don't bother but this time it was bad. I now understand how these things are left exposed for several months to years despite notification. The level of burnout or ignorance that leads to these vulnerabilities elicits harsh backlash where admitting there was ever a problem is worse than exposing a vast amount of people's private data.
  • nurettin 4 hours ago
    I love it when the entire HN comment section devolves into a mere public shaming square with absolutely no substance.
    • Aeolun 3 hours ago
      I mean, there is a certain level of incompetence at which that becomes the only reasonable response?
  • cyanydeez 12 hours ago
    Do the MBAs now running tech just have a hardon for becoming the scifi dystopians they read as children?
    • zzrrt 11 hours ago
      Not always, sometimes they like to role-play as fallen angels from fantasy books (see Palantir.) (Edit: upon review, the metaphor is strained because Sauron didn’t create the palantíri… he did control them later, and there is deeper metaphor that they are unreliable.)
      • 01HNNWZ0MV43FF 11 hours ago
        If I had a billion dollars I would shrimply role-play as an actual angel
        • sekh60 10 hours ago
          That attitude is sadly probably a small factor in you not having a billion dollars.
          • Tostino 9 hours ago
            Right, you don't just "good person" yourself into billions of dollars. There will always be a trail of people screwed over, or taken advantage of along the way. Or you can go the more modern way and externalize all the negative impacts of your business (e.g. scooter rental companies).
            • jimnotgym 8 hours ago
              Sad isn't it. There don't be many honest ways to make real money
        • mattkevan 10 hours ago
          Glad to hear you’re not going to be as shellfish as other billionaires.
    • DauntingPear7 11 hours ago
      Yes, from what I have seen
    • thmsths 11 hours ago
      The dystopian tech does not seem that bad when you believe you will be the one controlling it.
    • stmw 6 hours ago
      CEO/founder of Flock has a BS in Electrical Engineering with highest honors from Georgia Tech, and does not appear to have an MBA.
  • cmxch 11 hours ago
    Then time for responsible disclosure or CFAA charges.
    • text0404 9 hours ago
      You could just read the article before knee-jerking to state repression.

      > November 13, 2025 — Initial disclosure sent to Flock Safety security team

      > November 14, 2025 — First follow-up requesting confirmation of receipt

      > November 19, 2025 — Second follow-up; Flock Safety finally acknowledges receipt

      > January 7, 2026 — Vulnerability remains unpatched (55+ days)

      > I am withholding specific technical details to prevent exploitation while the vulnerability remains unpatched. However, its existence more than 55 days after responsible disclosure with no remediation, demonstrates a systemic pattern of credential mismanagement.

  • fwip 11 hours ago
    Does anyone else feel like the LLM-tone of this article makes it difficult to understand what's actually important in it? It's not clear to me if the issue is ongoing (like it says) or that it's been resolved by rotating the API key (like it also says). And that's like, the most basic piece of information the article could have in it.
    • oasisbob 8 hours ago
      Obviously more than just tone. Based on the lack of structure and wording it's clearly substantially AI written.
    • fn-mote 8 hours ago
      The article mentions two vulnerabilities. One was remediated June 2025. The other has not been remediated.
    • chrneu 5 hours ago
      I hate that every article nowadays has to be judged on whether it's AI or not.

      So annoying.

  • bryant 10 hours ago
    In fairness to Flock, they just hired a CISO and are actively recruiting for a head of product security and privacy as well. So I'm not surprised they're dealing with some of this.

    Edit: I'm standing by it. The person they hired for it has a good track record elsewhere. And much as I don't like what Flock is building as a company, at least they're building security in now, even if it wasn't front of mind for them in the past.

    He's got his work cut out for him though.

    • zzrrt 10 hours ago
      That’s fairness to a new employee. Does the multibillion company of a widely-deployed sensitive product deserve a pass for having poor or nonexistent employees doing security previously? Not really IMO.
    • WarOnPrivacy 9 hours ago
      > And much as I don't like what Flock is building as a company, at least they're building security in now,

      This phrasing implies that the "building security in now" part improves (or decreases the awfulness of) what you don't like.

      If what you don't like = bulk, systemic surveillance (of people not suspected of a crime) - how does fixing broke security make that less awful?

    • tptacek 10 hours ago
      That's not how security fairness works! You have to be good from day one.
    • kelnos 7 hours ago
      I'm fine giving the new employees a pass on this, but not the company as a whole. Not building security into a product like this from day one should be a criminal offense.
    • SoftTalker 10 hours ago
      A bit late in the game, considering how widely their stuff is deployed?
    • chews 9 hours ago
      There should be no "Fairness to Flock"; they're building the panopticon. Freethinking Americans should do what they can to dismantle this overreach, lobby their city leaders with their poor track record on security and thereby safety.