The Facts

What Birmingham residents need to know about the surveillance network watching our streets—the scale, the risks, and the questions our city won't answer.

What Are Flock Safety Cameras?

Flock Safety cameras are Automated License Plate Readers (ALPRs) that capture and store data about every vehicle that passes by. They record license plate numbers, vehicle make, model, color, and timestamps with GPS coordinates. This data is stored in a nationwide network accessible to thousands of law enforcement agencies across the country.

Unlike red light or speed cameras that are triggered by violations, Flock cameras record every vehicle, every time—whether you're committing a crime or just driving to work.

Birmingham's Flock Camera Deployment: A Timeline of Expansion

Birmingham's surveillance network has grown dramatically with little public input:

2018: Initial pilot program began October 2, 2018, with a five-year term.

2020: City Council approved adding 10 Flock Safety cameras in September 2020 at an estimated monthly cost of $2,291.67 through Alabama Power.

July 2025: City Council approved a massive $9.7 million contract to add more than 100 new surveillance cameras and license plate readers citywide. Mayor Randall Woodfin stated the cameras would be "spread out citywide" with Alabama Power and Birmingham Police working together on deployment locations.

December 2025: City Council approved installation of four new cameras (two pan-tilt-zoom and two license plate readers) in the Rockford neighborhood near 653 Rockhurst Drive, 700 Rockford Circle, and 825 Rockford.

Current Status: Nearly 1500 Flock cameras now operate in the Birmingham Metro area, including Jefferson and Shelby counties. The exact number of cameras in Birmingham proper remains unclear to the public.

The Scale of Surveillance: Regional Deployment

The Birmingham area has become one of the most heavily surveilled regions in Alabama:

• Birmingham Metro: Nearly 1500 Flock cameras across the region
• Shelby County Sheriff's Office: 169 Flock cameras as of April 2024
• Jefferson County: Number of cameras unknown—no public information available
• Birmingham Police Department: Exact camera count undisclosed

For context, Norfolk, Virginia—population 238,000—has 176 cameras and is facing a federal lawsuit over Fourth Amendment violations. Birmingham's metro population is approximately 1.1 million, suggesting the surveillance network here may be even more extensive per capita.

Privacy & Constitutional Concerns: A Looming Fourth Amendment Crisis

Legal experts and federal courts have raised serious concerns that mass ALPR surveillance may violate the Fourth Amendment's protection against unreasonable searches.

"The government's unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse."

Key Legal Precedents

United States v. Jones (2012, U.S. Supreme Court): Justice Sotomayor noted in her concurring opinion that GPS monitoring creates "a precise, comprehensive record of a person's public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations." She warned that the government's "unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse" and may "alter the relationship between citizen and government in a way that is inimical to democratic society."

Carpenter v. United States (2018, U.S. Supreme Court): The Court ruled that cell site location information requires a warrant because tracking someone's movements over time violates Fourth Amendment protections. The Court recognized that while individuals may not have privacy in a single instance of being in public, they do have privacy in "the whole of their physical movements."

Commonwealth v. McCarthy (2020, Massachusetts Supreme Court): "With enough cameras in enough locations, the historic location data from an ALPR system in Massachusetts would invade a reasonable expectation of privacy and would constitute a search for constitutional purposes." The court found that 31 days of location tracking was sufficient to constitute a Fourth Amendment search.

The Norfolk Lawsuit: A Test Case for ALPR Networks

In February 2025, a federal judge ruled that a lawsuit challenging Norfolk, Virginia's 176 Flock cameras could proceed. Chief Judge Mark Davis wrote that "a reasonable person could believe that society's expectations, as laid out by the Court in Carpenter, are being violated by the Norfolk Flock system."

The lawsuit revealed shocking surveillance statistics:

Judge Davis noted that the complaint alleged facts "notably similar to those in Carpenter that the Supreme Court found to clearly violate society's expectation of privacy: law enforcement secretly monitoring and cataloguing the whole of tens of thousands of individual's movements over an extended period."

The federal government has since filed a statement defending Norfolk's surveillance system, and the case is ongoing with a trial date in 2026.

What Courts Are Saying

Multiple judges have expressed concern about mass ALPR surveillance:

• Norfolk Circuit Court Judge Jamilah LeCruise (2024): "The citizens of Norfolk may be concerned to learn the extent to which the Norfolk Police Department is tracking and maintaining a database of their every movement for 30 days."
• U.S. District Judge Mark Davis (2025): Even if not unconstitutional now, the need for warrants "could change as more cameras are added."

At least 8 cities have canceled Flock contracts due to privacy concerns, including Austin, Texas; Denver, Colorado; and Sedona, Arizona.

Federal Data Sharing: The ICE Connection

One of the most alarming aspects of Flock's surveillance network is the documented sharing of local data with federal immigration enforcement—often without local agencies' knowledge or consent.

What We Know About Federal Access

August 2025: After months of denials, Flock Safety admitted to running "pilot programs" with U.S. Customs and Border Protection (CBP) and Homeland Security Investigations (HSI). The company claimed to pause these programs amid mounting privacy concerns.

The National Lookup Tool: 75% of Flock's 7,000+ law enforcement customers have enrolled in the "National Lookup Tool," which allows out-of-state agencies to access local data. Birmingham's participation status in this network remains unclear.

Default Contract Terms: Flock's standard agreement grants the company a "worldwide, perpetual, royalty-free" license to share customer data for "investigative purposes"—even if local departments think they've restricted access.

Overseas Data Processing: December 2025 reports revealed that Flock uses workers in the Philippines to annotate surveillance data, raising serious concerns about data privacy and security.

Documented Federal Access Incidents

Washington State (2025): University of Washington research found that at least 8 local law enforcement agencies had enabled direct sharing with Border Patrol. Additionally, 10 agencies had "back door" Border Patrol access to their data even though they hadn't explicitly authorized it.

San Francisco (2025): Out-of-state police ran more than 1.6 million illegal searches of San Francisco's Flock database, including at least 19 searches marked as related to ICE—in direct violation of California sanctuary laws.

Illinois (2025): Despite Illinois' sanctuary state status, Flock shared data with federal agencies. Illinois Secretary of State Alexi Giannoulias accused Flock of breaking state law.

Colorado (2025): After assuring the Loveland Police Department that federal agencies had no access, Flock admitted in November 2025 that Border Patrol had been given accounts with the ability to request access from local agencies. At least 25 Colorado departments agreed to share data.

Critical Finding: Flock did not inform any of its thousands of law enforcement customers about the CBP pilot program until it was discovered by journalists.

What This Means for Birmingham

We don't know:

• Whether Birmingham has enrolled in Flock's National Lookup Tool
• Which federal agencies can access Birmingham residents' location data
• Whether Birmingham's contract allows the city to prevent Flock from sharing data with federal agencies
• If ICE, CBP, or other federal agencies have already accessed Birmingham's surveillance data

What we do know:

• Flock's standard contract language gives the company broad rights to share data
• Multiple cities discovered federal access only after investigative reporting
• Even when agencies believe they've restricted access, "back door" access has occurred

Documented Abuses of ALPR Systems

The power to track anyone, anytime, without oversight has led to widespread abuses across the country:

"When officers have unfettered access to location tracking with no oversight, abuse follows."

Police Stalking and Harassment

Kansas City, Missouri: Police Chief Stacey Graves used Flock cameras to track his ex-girlfriend 228 times. He was later fired.

Georgia: A police chief was arrested for using ALPR systems to stalk and harass individuals.

Pattern: These are not isolated incidents. When officers have unfettered access to location tracking with no oversight, abuse follows.

Targeting Reproductive Healthcare

Texas (2024-2025): A Texas sheriff searched the nationwide Flock database for a woman who had obtained an abortion. Court documents and Flock's own data contradicted claims that this was a "missing person" search—search terms explicitly referenced abortion and reproductive healthcare. The sheriff later considered bringing criminal charges.

This incident demonstrates how ALPR networks can be weaponized against individuals exercising constitutionally protected rights.

False Positives and Wrongful Stops

California: A family was held at gunpoint on hot pavement after an ALPR mistakenly identified their burgundy Lexus as a stolen gray GMC truck—the system misread a "7" as a "3." Officers failed to verify the alert. The incident resulted in a $1.9 million settlement.

Multiple Jurisdictions: A 12-year-old child was handcuffed after an ALPR misread a license plate, leading to a wrongful stop.

Immigration Enforcement in Sanctuary Cities

Westchester County, New York: Federal immigration officials accessed ALPR data despite the county's sanctuary status.

Multiple Jurisdictions: Local police have conducted searches on behalf of ICE agents, sometimes using vague search terms like "law enforcement" or "ICE ASSIST" to obscure the true purpose.

Critical Cybersecurity Vulnerabilities

In November 2025, independent security researcher Jon Gaines (GainSec) published a comprehensive whitepaper documenting 51 vulnerabilities in Flock Safety's camera systems. The research, which has been submitted to MITRE for CVE assignment, reveals serious security weaknesses that raise concerns about data integrity, unauthorized access, and the reliability of evidence.

Device-Level Security Failures (Require Physical Access)

Physical Access Vulnerabilities: Security researchers demonstrated that someone with physical access to a Flock camera can gain root-level control of the device. While cameras are mounted on utility poles in public locations, this access requires:

• Physically reaching the camera
• Knowledge of specific button sequences or use of USB devices
• Time to perform the exploit (30 seconds to several minutes depending on model)

Important Context: Flock Safety responded that "exploitation of these vulnerabilities would not only require physical access to a device, but also require intimate knowledge of internal device hardware." However, the research demonstrates these exploits are achievable by individuals with moderate technical knowledge.

Local Data Storage Issues: Images captured by cameras are stored unencrypted on the local devices themselves. While Flock states that data transmitted to and stored in their cloud infrastructure is encrypted, the local storage vulnerability means:

• Anyone gaining physical access can extract unencrypted images
• Local device integrity cannot be assured
• Chain of custody for evidence may be compromised

Exposed USB Ports: Camera models have accessible USB-C ports that can be exploited with inexpensive tools to gain device control.

Software and Infrastructure Vulnerabilities

Outdated Operating System: Cameras run Android 8.1.0—an operating system discontinued in 2021 with no further security updates. This version has 64 documented critical vulnerabilities (CVEs) that will never be patched.

Hardcoded Credentials (CVE-2025-47823): Security analysis revealed hardcoded passwords in the camera firmware, including:

• Java Keystore file (flock_rye.bks) bundled in application
• Keystore password (flockhibiki17) hardcoded in plaintext in the code
• Hardcoded WiFi network names the cameras will automatically connect to

These cannot be changed by customers and represent permanent security weaknesses.

Network Security Concerns: During diagnostic and setup modes, researchers documented credentials transmitted in cleartext, creating opportunities for man-in-the-middle attacks under certain network conditions.

Authentication and Access Control Weaknesses

Multi-Factor Authentication Not Mandatory: Until November 2024, Flock did not enable multi-factor authentication (MFA) by default. As of November 2025:

• MFA is now default for new customers
• 97% of existing law enforcement customers have enabled MFA
• 3% of agencies (potentially dozens of departments) still rely solely on username and password

Stolen Credentials in Circulation:

• Police login credentials have been found for sale on Russian dark web forums
• Hudson Rock (cybersecurity firm) identified stolen Flock credentials in malware databases
• At least one documented case: DEA used a stolen police officer's password to access Flock cameras without the officer's knowledge

Evidence Integrity Concerns

With root access to local devices (via physical compromise), an attacker could potentially:

• Modify locally stored images before they're uploaded
• Delete specific captures from local storage
• Install malware that alters future captures

Critical Question: Can courts and investigators trust that ALPR evidence hasn't been tampered with, given these device-level vulnerabilities?

Federal and Expert Response

Congressional Action: In November 2025, Senator Ron Wyden (D-OR) and Representative Raja Krishnamoorthi (D-IL) sent a formal letter to the Federal Trade Commission requesting an investigation into Flock Safety's cybersecurity practices. The lawmakers stated that the company's failure to require multi-factor authentication, combined with stolen credentials on the dark web, exposes the surveillance network to "hackers and spies."

Flock's Response: The company stated that the documented vulnerabilities "have no impact on our customers' ability to carry out their public safety objectives" and emphasized that physical access is required for device-level exploits. Flock continues to remediate findings through hardware and software updates.

Independent Security Assessment: The research has been formally documented and submitted to MITRE's CVE database, with disclosure windows extending through February 2026 as additional vulnerabilities are processed.

What This Means for Birmingham

Questions Birmingham Must Answer:

• Have Birmingham's Flock cameras been independently tested for these known vulnerabilities?
• What protections exist to detect if cameras have been physically compromised?
• How is evidence integrity verified before use in court proceedings?
• What security updates has Flock deployed to Birmingham's cameras?
• Does Birmingham require multi-factor authentication for all users accessing the Flock system?

Alabama Law: Unanswered Questions About Compliance

Alabama has specific laws governing ALPR use—laws that appear to be widely ignored.

What Alabama Law Requires

Alabama Administrative Code 265-X-6-.08 - Capturing Agency Policy:

Every law enforcement agency using ALPRs must:

1. Adopt and publicize a written policy governing ALPR use before capturing any data
2. The policy must address:
   • Database usage and comparisons
   • Data retention periods
   • Data sharing with other agencies
   • Training requirements for operators

Alabama Administrative Code 265-X-6-.07 - Audit Requirements:

The Alabama Law Enforcement Agency (ALEA) CJIS Division must audit all capturing agencies at least once every three years to ensure compliance.

Alabama Administrative Code 265-X-6-.04 - Usage and Sharing:

• ALPR data can only be used for "criminal justice or public safety purposes"
• Data cannot be shared for non-criminal justice purposes
• Data cannot be sold to any entity for any reason
• Agencies must maintain access logs and dissemination logs

Alabama Administrative Code 265-X-6-.06 - Retention:

ALPR data must be retained for no more than five years, after which it must be destroyed or erased.

The Transparency Problem

Despite these clear legal requirements, Birmingham and surrounding agencies have failed to provide basic transparency:

No Published Policies Found For:

• Birmingham Police Department
• Jefferson County Sheriff's Office
• Shelby County Sheriff's Office

Alabama Cities With Published Flock Transparency Portals:

• Margaret, AL
• Moundville, AL
• Huntsville-Madison County Airport

The contrast is striking: Some smaller Alabama municipalities have embraced transparency and published detailed policies, while Birmingham—the state's largest city—operates in near-total secrecy.

Questions Birmingham Must Answer

1. Where is Birmingham's published ALPR policy? Alabama law requires it to be adopted and publicized before using ALPRs.

2. When was Birmingham's last ALEA audit? The law requires audits every three years. Has Birmingham been audited? What were the findings?

3. How long is Birmingham's data retention period? Is it Flock's 30-day default, or the five-year maximum allowed by Alabama law?

4. Who audits the system for compliance? What accountability measures exist to prevent misuse?

The Cost of Surveillance

Birmingham has committed massive public resources to this surveillance infrastructure:

What else could $9.7 million fund?

• School counselors and resources
• Mental health crisis response teams
• Community violence intervention programs
• Traditional policing with accountability measures

Instead, Birmingham chose mass surveillance with no public debate about costs, effectiveness, or civil liberties implications.

What Needs to Happen Now

Birmingham residents deserve transparency and accountability. Here's what must change:

Immediate Actions Required

1. Publish ALPR Policies: Birmingham Police, Jefferson County SO, and Shelby County SO must immediately publish comprehensive ALPR policies as required by Alabama law.

2. Disclosure of Data Sharing Settings: The public must know whether Birmingham's data is accessible through Flock's National Lookup Tool and which agencies—including federal agencies—have access.

3. Independent Security Audit: Given the documented vulnerabilities, Birmingham must conduct an independent security assessment of its Flock cameras.

4. ALEA Audit Results: Publish results from ALEA's required three-year audits, or explain why audits haven't been conducted.

5. Cost Transparency: Provide complete accounting of all costs, including per-camera expenses, maintenance fees, and total contract amounts.

Long-Term Reforms Needed

1. Public Oversight Board: Create an independent civilian review board with authority to audit ALPR use and investigate complaints.

2. Strict Use Policies: Limit ALPR searches to serious crimes with documented probable cause.

3. Data Retention Limits: Reduce retention period to 30 days maximum for non-investigative data.

4. Ban on Federal Sharing: Prohibit sharing of ALPR data with federal immigration enforcement agencies.

5. Regular Transparency Reports: Publish quarterly reports on system usage, access patterns, and any misuse incidents.

6. Community Input: Hold public hearings before any expansion of the surveillance network.

Sources and Additional Reading

• Alabama Administrative Code Chapter 265-X-6: https://admincode.legislature.state.al.us/api/chapter/265-X-6
• Institute for Justice Norfolk Lawsuit: https://ij.org/case/norfolk-alpr/
• University of Washington ALPR Research: https://jsis.washington.edu/humanrights/2025/10/21/leaving-the-door-wide-open/
• Flock Security Vulnerabilities Research: https://www.privacyguides.org/news/2025/11/17/ben-jordan-exposes-severe-security-vulnerabilities-in-flock-surveillance-cameras/
• DeFlock - Community Mapping Project: https://deflock.me/
• Atlas of Surveillance: https://www.atlasofsurveillance.org/

This is not a partisan issue. This is a constitutional issue. This is a Birmingham issue.