Lawmakers ask FTC to probe Flock Safety’s cybersecurity practices
Congressional Democrats want the Federal Trade Commission (FTC) to investigate the police surveillance technology company Flock Safety for reportedly poor cybersecurity practices.
Flock Safety does not require law enforcement customers to use multi-factor authentication (MFA), and its voluntary authentication mechanism does not “natively support” phishing- resistant MFA, according to a letter Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL) sent on Monday to FTC Chairman Andrew Ferguson.
At least 35 Flock customer accounts have reportedly been stolen by hackers, according to the letter, which cited data from the cybersecurity company Hudson Rock. Phishing-resistant MFA can help shield accounts from breaches.
Flock’s automated license plate reader cameras are now used in more than 8,000 communities nationwide and have become controversial as reports have surfaced of their being used in investigations of abortion patients and undocumented immigrants.
Flock accounts can be used to track the locations of millions of Americans at any time, the letter notes.
“Flock has received vast sums of taxpayer money to build a national surveillance network,” the letter says. “But Flock’s cavalier attitude towards cybersecurity needlessly exposes Americans to the threat of hackers and foreign spies tapping this data.”
In at least four instances, the FTC has issued enforcement actions against companies for failing to use MFA, the letter says, citing agency settlements with Uber, Cheff, Drizly and Blackbaud.
Flock’s lack of mandatory MFA has allowed law enforcement to see other agencies’ Flock data through improper password sharing, the letter said. As a result, federal agents can access Flock’s systems using passwords belonging to other users without detection, raising “serious questions about the effectiveness of Flock’s cybersecurity defenses,” the letter says.
A spokesperson for the FTC did not respond to a request for comment. Flock Safety also did not respond to a request for comment.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.