How a Misconfigured Demo Exposed Flock Safety’s 83,000-Camera Nationwide Tracking System
Imagine a surveillance network of 83,000 cameras sweeping every road you drive. Behind Flock Safety’s $7.5 billion valuation lies a massive AI-driven platform that streams license-plate reads and sensor data not just to police departments but to HOAs and private businesses. Last week, we found their development Storybook demo indexed by Google 5,000 lines of unprotected code, map keys, and UI components laying bare how deeply this system tracks your movements and how casually it guards your privacy.
Quick facts
- Public domain:
https://dev-search-component-demo.flocksafety.com/ - Key demo routes:
/api?story=fs-vehicle-fingerprint-drawer--demo-component,/api?story=fs-map-and-devices-drawer--real-time,/api?story=fs-map-legend--legend-demo - Hard-coded secrets: ArcGIS key
AAPKa8ee2a57f5f5471abafab205116ec554_FXd_MZBm…(~995k credits) - Open FeatureServer:
https://services8.arcgis.com/…/develop_flock_safety_cameras/FeatureServer - Source Code Leak:
Over 5000 lines of code were exposed including their vehicle tracking algorithm
Vehicle-matching algorithm in full
These cameras create a "vehicle fingerprint" for every car they see and use a confidence based scoring, using these 10 identifiers.
| Vehicle trait | Default threshold |
|---|---|
| License plate | Full-string match |
| Make | 0.75 |
| Color | 0.75 |
| Body type | 0.75 |
| Roof rack | 0.55 |
| Back rack | 0.50 |
| Bumper stickers | 0.55 |
| Window stickers | 0.55 |
| Tool box | 0.55 |
| Times seen | “Number of times seen” in detection details |
ArcGIS key: unlimited scope, no origin lock
The ArcGIS token isn’t limited to simple map tiles: it enables advanced spatial services. Geocoding translates addresses to coordinates, routing computes optimal paths, network analysis solves service-area coverage, and GeoEnrichment overlays demographic data. In a surveillance context, this power lets operators pinpoint cameras near sensitive locations, model patrol routes, and instantly retrieve population stats around a given coordinate.
- Premium-service scope: geocoding, routing, network analysis, GeoEnrichment,
- No referrer/IP restriction: works via
curloutside the domain - Cost impact: ~\$100K at Esri’s rate
- Live GeoEnrichment: returns demographic data (TOTPOP, AVGHHSZ, etc.)
Beyond plates: people, drones, audio
While license-plate recognition is the core feature, Storybook demos reveal a much broader surveillance capability. Several components toggle searchType: SearchType.People, showing that the same search stack might track individual people or persons over time, not just cars. The map legend includes icons for audio-detection pods and drones alongside live-stream and LPR cameras, confirming Flock Safety’s platform ingests diverse sensor data. Following its 2024 acquisition of Aerodome, Flock appears to be integrating persistent aerial feeds into the same interface, effectively combining road-based, airborne, and acoustic monitoring into a unified search tool.
The core problem
If a company whose entire business model is built on collecting and securing sensitive data can't even secure its own source code, search interface, or critical admin-level API keys, how can we possibly trust them with a nationwide database of our movements? Many privacy advocates have argued that continuous, 24/7 location tracing should require a warrant to uphold Fourth Amendment protections and prevent unchecked mass surveillance.