Auditing access to "cloud-based" automated license plate readers is hard

When I stayed up too late writing "Can City of Alameda trust Flock Safety?", I didn't directly cite Alameda Police Department's annual audit memo in order to give the City time to fix it.

The published audit memo PDF had not been properly redacted. While the text appeared to be blacked out, it was still selectable. After performing select/copy/paste, the names of APD officers and the partial contents of their searches through Flock Safety became visible.

City staff fixed the document today and if you download exhibit 1 attached to the "Recommendation to Accept the Annual Automated License Plate Readers Data Report from the Alameda Police Department" staff report, you won't be able to view the officer names, incident/case numbers, the officer's legal citation, or search strings (some of which are license plate numbers and some of which are vehicle makes or colors).

Coincidentally, over the weekend I thought about chatting about this with an expert on data privacy. An expert who's managed insider-threat detection teams at a large consumer tech company. But he didn't end up bringing his kid to my kid's birthday party, so this blog post isn't based on expert insights. Instead you'll get my own take-aways.

APD's audit of its own staff's search of the platform is a good-faith effort but is ceremonial. You don't even have to view the redacted contents to reach this conclusion — all you have to do is count the number of lines:

  • When preparing the audit memo for the 2024 calendar year, APD staff audited 10 searches out of 1,637 total search queries.
  • When preparing this new audit memo for the 2025 calendar year, APD staff audited 10 searches out of 10,413 total search queries.

While the number of searches grew more than sixfold, APD's policy doesn't specify the number of searches to audit relative to the search volume:

The audit shall randomly select at least ten detection browsing inquiries conducted by Department employees during the preceding 12-month period and determine if each inquiry meets the requirements established in this policy.

So just like the previous year, APD audited exactly 10 searches in absolute terms, even as the sampled percentage dropped significantly.

If a large tech co. performed data-access audits in such small and fixed terms, then they wouldn't be able to catch needles in haystacks such as employees or subcontractors being paid by foreign intelligence services to surveil customers. (For a sense of the scenarios these consumer tech corp. insider-threat detection programs are trying to prevent, see the Wikipedia article titled "Saudi infiltration of Twitter.")
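To put numbers on the sampling problem, here is an added example (not part of the original post or of APD's audit process) that computes the chance a fixed random sample of 10 searches contains at least one improper search, and how large the sample would have to be to catch one with 95% confidence. The totals 1,637 and 10,413 and the sample size of 10 come from the audit memos; the count of 5 improper searches and the 95% target are assumptions made for illustration.

```python
# Added example. Search totals and the sample size of 10 come from the post;
# IMPROPER and CONFIDENCE are constructed assumptions, not audit findings.

def p_detect(total, improper, sample):
    """Chance that a uniform random sample (without replacement) of `sample`
    searches includes at least one of the `improper` ones (hypergeometric)."""
    if not 0 <= improper <= total or not 0 <= sample <= total:
        raise ValueError("improper and sample must lie between 0 and total")
    miss = 1.0  # probability that every sampled search is a proper one
    for i in range(sample):
        miss *= max(total - improper - i, 0) / (total - i)
    return 1.0 - miss


def sample_needed(total, improper, confidence):
    """Smallest sample size whose detection probability reaches `confidence`."""
    if not 0 < improper <= total:
        raise ValueError("improper must lie between 1 and total")
    miss = 1.0
    for n in range(1, total + 1):
        miss *= max(total - improper - (n - 1), 0) / (total - (n - 1))
        if 1.0 - miss >= confidence:
            return n
    return total


YEARS = {2024: 1637, 2025: 10413}  # total search queries per audit memo
AUDITED = 10                       # searches audited each year
IMPROPER = 5                       # assumed number of improper searches
CONFIDENCE = 0.95                  # assumed detection target

if __name__ == "__main__":
    for year, total in YEARS.items():
        p = p_detect(total, IMPROPER, AUDITED)
        n = sample_needed(total, IMPROPER, CONFIDENCE)
        print(f"{year}: {AUDITED}/{total} audited ({AUDITED / total:.2%}), "
              f"P(catch at least 1 of {IMPROPER}) = {p:.2%}, "
              f"sample for {CONFIDENCE:.0%} = {n}")
```

Under these assumptions, a sample of 10 has roughly a 3% chance of surfacing an improper search in the 2024 volume and under 0.5% in the 2025 volume, and reaching 95% would take a sample in the thousands.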

In fairness, APD's concerns are less about vetting their officers' usage of the platform (since the officers are presumably already well vetted) and more about ensuring they are documenting each search as related to an open investigation linked to a relevant statutory authority.

And yet, it's the chain of contractors including Flock Safety that often represents the most substantive risk to private data platforms.

If a Flock Safety staffer or one of their contractors made an honest mistake and publicly shared a sample of names of officers and their search queries for Alameda's ALPR data, how would Flock Safety address the problem? The city's publicly posted contract with Flock Safety makes no mention of situations like this. There isn't even, based on my read, a clause in the contract requiring Flock Safety to notify the City in case of data exposure. The City may have to fall back on a "compliance with all applicable laws" clause, which would likely incorporate state-level data breach notification statutes. That's likely better than nothing, but it's still not a specific contractual commitment from Flock Safety to report potential breaches in a set time period, with certain reporting requirements, and required cures.

APD's audit of its own usage of Flock Safety is — after fixing the redaction issue — a reasonable start. But it doesn't answer the questions that need to be answered to know what Flock Safety is potentially doing with Alameda's ALPR data.

🗑️
Before pressing publish on this blog post, I made sure to delete the copy of the improperly redacted audit memo from my downloads folder. Turns out it was also time to empty the trash, so I got to free up some disk space as well!