Hi neighbors,
Yesterday, we discussed the "one-to-one" problem—the risk that our local data, shared with a partner, could be exposed to federal agencies through a "backdoor" sharing agreement. We argued that trust is not enough and that without enforceable policy, the system is a gamble.
Recently, a shocking new article from 404 Media provides a chilling, real-world case study that once again confirms this problem. It proves that the "backdoor" is not a hypothetical concern; it's a known vulnerability that is being actively exploited.
The Case of Palos Heights, Illinois
Just this month, a report revealed that a federal Drug Enforcement Administration (DEA) agent in Illinois used a local police officer’s password to access the Flock license plate reader system. The DEA agent used the login to search for someone suspected of an “immigration violation.” The DEA agent did this without the knowledge of the local officer, who had shared his password with his task force team for what he believed were drug-related investigations.
The details are stunning:
The Violation: The search for an immigration violation is illegal under Illinois state law, which prohibits local police from participating in immigration enforcement.
The Loophole: The DEA, which does not have a contract with Flock, gained access to the system by simply using a local cop's password.
The Lack of Guardrails: This casual password sharing—a direct violation of Flock’s terms of service—shows that the company's rules are, as we feared, non-enforceable. When confronted, Flock's chief communications officer has previously stated the company's position: "It is not the responsibility of a private vendor to be policing the police." This incident is a perfect illustration of that policy in action.
The Palos Heights Police Department’s internal investigation confirmed the incident, and in a series of group chats, officers joked about the password sharing, with the DEA agent texting, "I hope you don’t get in trouble cause of my mistake... Trust is broken…Ps, can you Flock a plate for me."
Officers joking about password sharing after getting caught
This isn't about one rogue officer. It's about a system that lacks the basic safeguards to prevent misuse.
Why This Matters for Mountlake Terrace
This incident proves two critical points from our last newsletter:
1. The "One-to-One" Problem is Real: We showed that a data-sharing partner like Puyallup has direct sharing agreements with federal agencies. The Palos Heights case shows exactly how those agreements can be abused. Our data, if shared with a partner, could be accessed through a backdoor by federal agencies, bypassing any local policy or law.
2. Audits and MOUs are Not Enough: The only reason this was publicly uncovered was because an audit was launched in response to a public records request. This reinforces our concern that misuse will only be caught by chance, and that the "only remedy" is to cut off access after the fact.
How to Prevent This Here
The silver lining from this disturbing report is that it provides a roadmap for additional safeguards we should demand in Mountlake Terrace. Following the incident, the Palos Heights Police Department made several immediate changes:
Enabled Two-Factor Authentication: This simple measure makes it impossible for another person to use a shared password to log in without a second verification step.
Limited Access: The department cut off its national sharing and restricted access to only agencies within Illinois.
Initiated Regular Audits: They decided to start monthly reviews of their own Flock searches to ensure compliance.
These are some of the bare minimums of safeguards that should be in place before any camera goes live.
Every day we’re seeing a new vulnerability in Flock’s system, a new way it’s being abused, and yet another safeguard that is not implemented by default. So of course, the most straightforward way to prevent any risk of Flock data being shared with federal agencies for immigration purposes is for Mountlake Terrace to not move forward with the installation.
— Dustin
