My testimony at Dunwoody, GA city council hearing regarding a Flock Safety contract.

Benn Jordan

2m 44s · 471 words · ~3 min read
Auto-Generated

[0:00] About a year ago, I started formally researching the security posture of the police surveillance industry. Myself, John Gains and Joshua Michael found close to 60 security vulnerabilities within or closely related to Flock Safety's ecosystem. We were able to connect to and completely take control of the ALPR cameras. Uh, we could view or modify the footage. We could install malware on them. We could view the hard-coded credentials that led to other places, and there is even one that allowed us to track the real-time GPS location of police vehicles. I published a selfie video literally pulled from one of the newly deployed Flock cameras right down the road at Peachtree Creek Greenway, and showcased how easily I was able to access zoomed-in footage of every single person who walked on that trail over the last 30 days without using a password. Some of these findings were reported to Flock directly, and some of them are now published and flagged by MITRE, which is part of Homeland Security to manage cybersecurity threats. Some of these are still rated today as high or critical vulnerabilities. Members of the U.S. Congress have cited my research in a published letter to the FTC calling for a formal investigation into Flock's negligence as a risk to national security. So how did Flock respond to all this? Fake news. The CEO himself claimed that Flock had never been hacked, and he spent his time sending unsolicited emails to law enforcement agencies around the country telling them that their agency was under coordinated attack by activist groups who want to defund the police, weaken public safety, and normalize lawlessness. This was Flock's response to a formal report about security vulnerabilities. I watched Flock representatives stand up at City Hall meetings just like this one, look people dead in the eyes, and despite evidence verified by MITRE, claim that Flock has never been hacked. Yeah, there are not documented breaches online.
There's documented, uh, attempts to intrude on a single camera online. And that is like saying if someone hacks into your iPhone, Apple has been breached. It's simply a different concept. I'm sitting over here fidgeting while your surveillance vendor keeps changing the definitions of "data" and "security breach". So now we're all here. And we could go to the nearest Falcon camera right now, and I will lend you a laptop and walk you through the quick process of seeing if just one of these vulnerabilities have been fixed. I want someone to help me understand, given the evidence that we produced, how anyone would think that signing more contracts with any third-party surveillance vendor would be a good idea without setting up an independent security and ethics audit first. I can't open a barber shop or a Chick-fil-A without a safety inspection.
