Four years ago, we asked whether the government should build a surveillance dragnet before answering basic questions about privacy, accountability, and oversight. Four years later, independent security researchers are asking a simpler question: Did anyone ever inspect the cameras at all?
You cannot leave your neighborhood without passing a Flock camera and having your activities logged in a database. No one ever consented to it, had an opportunity to vote for it, or had the ability to opt out of it. One day, they just appeared under the guise of being a public safety necessity.
Nobody Wanted the Answers
In March of 2022, we published an article titled He Sees You When You’re Sleeping. At the time, Lafayette and communities across Louisiana were rapidly embracing, and even bragging about “real-time crime centers,” camera-sharing programs, automated license plate readers (LPRs), and other forms of public surveillance.
The technology was marketed as modern, efficient, and indispensable. Critics were often dismissed as paranoid, anti-police, or resistant to innovation. Our concern was simpler. Who was watching the watchers? Independent security researcher Benn Jordan recently summarized our concern better than we ever could:
“But do you want to know what I find absolutely outrageous? That over 80,000 surveillance cameras were installed all over the country, and I’m not aware of a single public audit of the devices, the services, or the technology.”
— Security researcher Benn Jordan
We asked whether government agencies should be building vast surveillance networks before establishing meaningful safeguards, transparency requirements, and independent oversight. We questioned whether citizens understood how much information was being collected, who had access to it, how long it was retained, and how it might be used in the future.
Few People Seemed Interested in Those Questions
A year later, we revisited the subject in Watching Everyone: Louisiana’s Dragnet Is a Fourth Amendment Crisis. By then, the discussion had moved beyond philosophy and into constitutional law. Courts around the country were beginning to wrestle with whether the aggregation of location data could reveal “the whole of a person’s movements” in ways the Fourth Amendment was never intended to permit without individualized suspicion.
Again, the response was largely the same. The technology was already being deployed. The sales pitch was compelling. Crime-fighting claims were accepted largely at face value.
Then Came Another Concern
In Louisiana Tax Dollars Funding Chinese Espionage, we highlighted questions about foreign technology, supply chain risks, and the wisdom of entrusting sensitive public data to systems connected to geopolitical adversaries. The question was no longer simply whether the government should collect the information. It was whether the vendors collecting, storing, and processing that information deserved the public’s trust in the first place.
At the time, we reported several local governing authorities to the state for “foreign adversary” violations involving the use of Chinese-made LPR (License Plate Reader) cameras. As a result of our transparency work, several municipalities were compelled to put their Chinese cameras out of service.
Today, independent security researchers are raising an even more troubling possibility. What if nobody adequately vetted the technology at all?
Nobody Checked Under the Hood
Then, someone finally did. In a recently published investigation involving Flock Safety—one of the nation’s largest automated license plate reader (LPR) vendors—independent security researchers physically acquired several devices and attempted to verify the company’s security claims. According to the researchers, it did not take sophisticated nation-state resources, expensive laboratory equipment, or months of reverse engineering. What they found was not subtle, obscure, or particularly difficult to discover.
In one demonstration shown on video, researchers obtained root access to a Flock camera in roughly thirty seconds. They also demonstrated multiple paths to obtaining administrative control, each reportedly producing similar results. Some were as simple as pressing a button in a particular but guessed sequence. Another was a Rubber Ducky Attack, in which a thumb drive presents itself as a keyboard and then rapidly “types” a series of pre-arranged commands to take control of the system.
The video even demonstrated how the Flock camera was vulnerable to a TEMPEST Attack. In technical terms, it’s an ancient technique (first documented by the NSA in the 1960s) for intercepting the electromagnetic emissions that devices naturally leak. Effectively, our researchers once again demonstrated that the camera’s video feed could be intercepted from a distance without even requiring physical access to the device.
The researchers ultimately alleged a much longer list of vulnerabilities involving authentication controls, exposed credentials, insecure communications, data retention practices, and hardware security. Some of those claims remain under review. Others have reportedly been disclosed through established responsible-disclosure channels and are being cataloged as part of the cybersecurity reporting process. At the time of publication, we were unable to locate any public statement from Flock indicating when, or whether, all of the alleged vulnerabilities exist or would be addressed.
But There’s A Larger Lesson
The technical details and security vulnerabilities are quite shocking, but the larger lesson matters more. For years, public officials have assured citizens that these systems are secure, vendors have assured government agencies that their products are safe, and taxpayers have been told that surveillance networks are carefully managed, professionally maintained, and subject to appropriate safeguards.
Yet one question remains remarkably difficult to answer: Who independently verified any of those claims?
- Not the vendor selling the product.
- Not the agency purchasing it.
- Not the consultants paid to implement it.
Who, exactly, inspected these license plate cameras for vulnerabilities? Apparently, not any independent agency. Given the vulnerabilities demonstrated by researchers, one naturally wonders whether these devices were ever subjected to independent penetration testing at all. What’s worse, the government’s Wild West approach seems to suggest that no one cares.
Who’s Watching?
The same principle we apply to food safety inspections, financial audits, engineering certifications, and countless other areas where public trust is at stake. If a company wants access to sensitive public information, if its products will be used in criminal investigations, and if taxpayers are expected to finance the system, independent auditing should not be controversial. It should be the minimum standard.
There is nothing inherently wrong with a private company making money. But profit and public safety are not the same incentive structure. This is not an argument against technology but for accountability. It is not an argument against law enforcement. In fact, rank-and-file officers frequently express many of the same concerns. Cameras cannot interview witnesses, notice subtle suspicious behavior, de-escalate a volatile encounter, or provide the visible police presence that officers repeatedly tell us prevents crime in the first place. Law enforcement deserves tools that have been thoroughly tested and independently verified—not expensive substitutes for policing itself.
And it is certainly not an argument that every allegation made against every surveillance vendor is automatically true. It is an argument that the government should know whether those allegations are true before spending public money to collect your private information.
What’s The Solution?
Four years ago, we asked whether the government should build a surveillance dragnet without meaningful oversight. Four years later, we are still asking. The difference is that the questions no longer come only from privacy advocates and constitutional scholars. Now they are coming from cybersecurity experts, federal lawmakers, and independent investigators.
“You can’t open a hair salon without a license. You can’t keep a McDonald’s open without a health inspection.”
“If a company wants to offer services to the government that are related to national security, public surveillance, or processing data that will be used within the public justice system… this is not too much to ask.”
— Security researcher Benn Jordan
Four years ago, our concern was largely constitutional. Today, there are also questions of cybersecurity, procurement, foreign influence, and evidentiary integrity. Yet the underlying question remains exactly the same: Who is watching the watchers? Four years later, we are still waiting for an answer.
###
Public Impact. Private Support.
Last year, supporters of New Louisiana Foundation helped launch StateLens, a first-of-its-kind legislative transparency platform now operating in multiple states. Along the way, we’ve been humbled by support from citizens, monthly members, foundations, and several anonymous donor-advised fund (DAF) grants from supporters who prefer to remain out of the spotlight.
Some supporters choose to stand publicly with us. Others prefer to work quietly behind the scenes. Both make this work possible. If you already have a donor-advised fund, recommending a grant is a simple and tax-efficient way to support our mission. If not, becoming a monthly member remains one of the most powerful ways to sustain our work throughout the year.
Together, we’re helping citizens follow legislation, informing lawmakers, and expanding transparency tools into new states.
Whether your contribution is public or private, large or small, it helps build a more informed and engaged Louisiana.
Become a Monthly MemberContribute $10 NowMake a Tax Deductible Gift
Already have a donor-advised fund? Ask your DAF administrator about recommending a grant to New Louisiana Foundation.
