Discussion
Honeypot.net
kstrauser: I wrote this. I had/have absolutely no expectation that Flock would comply with my request, but figured I should try anyway For Science. Their reply rubbed me wrong, though. They seem to claim that there are no restrictions on their collection and processing of PII because other people pay them for it. They say:

> Flock Safety’s customers own the data and make all decisions around how such data is used and shared.

which seems to directly oppose the CCPA. It's my data, not their customers'.

Again, I didn't really expect this to work. And yet, I'm still disappointed with the path by which it didn't work.
carefree-bob: They were saying "don't write to us, talk to the people who own the cameras and ask them to delete the data". A company that manufactures video cameras is not the one to talk to when someone records you, talk to the person who recorded you.

But a reasonable person would say -- the data is stored on Flock servers, not with the camera owners. And Flock would say, just because we sell data storage functionality to camera owners doesn't mean we own the data, anymore than a storage service you rent a space from owns what you put in that space.

But then an even more reasonable person would say: the infrastructure is designed in such a way as to create inadvertent sharing, and the system has vulnerabilities that compromise the data, so Flock has responsibility for setting up the system in such a way that it's basically designed to violate privacy.

And that is the main criticism of Flock. You need to have a more nuanced criticism. It would be really interesting to see this litigated.
barelysapient: If that's a valid excuse then the CCPA isn't worth the paper it's written on.
dylan604: The rule of any documentation is that it is out of date as soon as the ink is dry. By the time a regulation is enacted, workarounds/loopholes have already been found (if not intentionally worked into it).
ldoughty: I think you're going to have a hard time with this...

Flock seems to leave the data in ownership of the government. They are just providing the service of being custodians for storing and accessing that data.

You probably would get a similar response by submitting your request to Amazon web services or Google cloud or whoever has Flock's data: "sorry, we're just holding the data on behalf of Flock"

In either my example case or your stated case, you would have a very hard time convincing the host business to destroy their customers' data without a court order or court case that shows their policy is invalid and they must comply.

Not a lawyer, just noting the parallel.

I do appreciate that Flock's response says that they cannot use the data they've collected for other purposes.. which further reinforces my cloud storage analogy -- the cloud vendor can't look at your data you upload to storage to e.g. build profiles on you/your business.
calmbonsai: Per my understanding of the law for these sorts of data collectors, at least in the U.S., you need to contact the local municipalities (Flock's customers) for this redaction and the jurisprudence is governed at the state and municipal level.

The best source of this information is https://deflock.org/ . FWIW, this is run by a neighbor in Boulder, CO which has been wrestling with the use of these cameras.
nainachirps_: I am not a lawyer myself but can't one argue that this company has duty to ensure that data it is processing for client is legally obtained.

If they are processing data after being told it was not obtained with consent do they not have any liability?
fudgy73: AFAIK Flock owns the cameras and leases them out [0].

[0] https://www.flocksafety.com/blog/flock-safety-does-my-neighb...
ranger_danger: To me this sounds like the equivalent of visiting a website that sells your data, and then asking AWS to delete your personal data when it actually belongs to a customer of theirs and only resides within their private storage.

Would you ask your local ISP to delete data they provided to Tinder like your IP address? That doesn't make sense to me.
monooso: As I understand it, the author wrote to Flock as they are the entity collecting the PII. Your analogy would only make sense if the author had written to Flock's customers (and even then it's a rather strained comparison).
everdrive: Nice work all the same. These systems need to be prodded and tested. Even unsuccessful results such as this tell us something about the situation we're in.
Glyptodon: I think you should write them back and ask that they provide you with a customer list and continually update you as they get new customers so that you may follow the advice they've given you.
kstrauser: Ooh. I like this.
kube-system: Why? The response is predictable. No company is going to give you a customer list.
creddit: Totally but it's even worse than that. Let's say you have a camera and take a photo in public and it included a car's license plate. It's as if the person who owned that car could write you a letter to force you to delete the image.
mminer237: If you go to Rent-A-Center and rent a DSLR, that doesn't make Rent-A-Center responsible for the pictures taken by their cameras.
yabutlivnWoods: Your example is apples and oranges. Flock maintains private infrastructure that stores data.

If the DSLR uploaded them to Rent-A-Center owned/leased servers it would in fact require Rent-A-Center to take the necessary steps.

As Rent-A-Center would be the only group with proper access to data storage they would have inserted themselves into the chain of custody, and thereby have such obligation to ensure others' data is wiped from systems they control.
ratdragon: maybe eff.org would be able to help you lawyer up or otherwise to push this forward. good luck!
halJordan: It easily goes both ways. But we do sue American gun makers for deaths caused by lunatics. We sue drug makers for drugs prescribed by a doctor. We sue cloud providers for not reporting illegal photos. Printers are forced to id every printed page to combat counterfeiting. Banks are forced to close accounts even though it's not their dirty money.
mindslight: Isn't this just the routine fascist playbook at this point? Start by declaring that the law doesn't even apply to them, on whatever flimsiest of bases.

Personally I would really like to see torts for attorneys who willfully promulgate blatantly incorrect legal interpretations - they're effectively providing incorrect legal advice. A non-attorney is likely to believe such advice coming from a member of the Bar, and the net goal is to discourage the target from seeking further legal advice.
SoftTalker: An attorney whom you have not engaged in counsel is not providing legal advice.
wcv: Flock has stonewalled with the "we are not the controllers" excuse here in MN too. We have similar rights to opt-out and delete under the MCDPA [0].

[0] https://ag.state.mn.us/Data-Privacy/Consumer/
snowwrestler: It’s not clear to me that it is actually your data. If I take a picture of you in a public place, I own the picture, not you.

But maybe I am unclear on how Flock works.
bjt: Setting aside Flock, the "ownership" situation is not as clear as you say above.

What you own is the image copyright. But the right to copy is only one of the rights at issue.

Under various state laws (California in particular), you might not be entitled to do all the things with that picture that you could do of one that doesn't have my likeness. Privacy laws like the CCPA are one possible carve-out. A "right of publicity" is another.

There's an old saying about property law that "property is a bundle of sticks". The bundle can be subdivided.

https://www.law.cornell.edu/wex/publicity
annoyingnoob: I've had the same kind of response from Email providers like Sendgrid, they claim it's not their data. There is no way to have Sendgrid block you in their entire network, you have to play whack-a-mole with their customers. Seems like a flaw in these privacy laws when you can't ask the actual record holder to remove the records.
ldoughty: But the data collected is property of the government and flock is not allowed to use that data for additional business gain (according to their statements)...

So they can't sell the fact that you're at Target at 8:00 p.m. on Thursday to anybody... Nor build profiles to sell to advertisers... And if that's the case that's very similar to cloud storage vendors.

If I access hacker news, and the record of my visit is stored in an AWS S3 bucket, I can't submit to AWS to delete my visitor record, even though the server, network cards, wires, and storage medium are AWS property, it was hacker news' website that generated that record and their responsibility to take my request to delete it.. AWS' stance would rightly be "talk to the website operator for CCPA requests"
thaumaturgy: Except that Flock very clearly benefits financially from having direct access to this data: owning (and in their own documentation, they very clearly do own it) a network of 80,000 surveillance devices across the country, and owning every single transit point for the data they collect, is what gets them to a $7.5 billion valuation from investors.

The fact of the matter is that Flock is playing two-step with the concept of "ownership" of data. They disclaim ownership as a way to leave local agencies holding the bag for liabilities, but they fight tenaciously to retain complete and unfettered access to that data.

(After organizing a community group that won Flock contract cancellations in multiple jurisdictions in Oregon, I went on to coauthor state legislation regulating ALPRs. I am very well familiar with all the dirty ball they play.)

Also, Flock's cameras collect more data than is provided to police agencies. Who owns that data, I wonder?
necovek: That makes them a data broker in my reading, and at least in California, Data Broker legislation should apply. CA Data Broker registry gives me access denied, but that could be because I am outside US.
tptacek: Wait, is it your data? If you drive your car in front of a Ring camera on my house (I don't have a Ring camera don't @ me), is it your claim that you own the data on that camera?
kstrauser: Did you put up a Ring camera on a stand in front of your house for the specific purpose of selling that I drove past at this specific timestamp? If so, yes. The CCPA[0] gives me explicit legal rights:

* The right to know about the personal information a business collects about them and how it is used and shared;
* The right to delete personal information collected from them (with some exceptions);
* The right to opt-out of the sale or sharing of their personal information including via the GPC;

This isn't someone incidentally taking pictures of license plates in an otherwise noncommercial setting. It's a company literally created to collect and sell PII. Laws are different for them than for us.

[0] https://oag.ca.gov/privacy/ccpa
snowwrestler: “Personal information” has a legal definition and photos of you in a public street might not satisfy it, regardless of the photographer’s intent.
kstrauser: I think it'd be challenging to rule that a license plate number is not personally identifiable information, when the same regulations often state that an IP address is.
uoaei: "Anyone could have been driving my car, you can't positively identify me in the driver's seat with the evidence you have submitted" is routinely used to toss out cases involving traffic violations. It's not necessarily common but it does happen. By this logic a license plate does not personally identify the person driving, only the person the car is registered to.
lcnPylGDnU4H9OF: Right, but in this context the license plate number is still personal information, just of a different person.
uoaei: Then the key aspect of our discussion is the "identifiable" part, which you've left out.
lcnPylGDnU4H9OF: Are you now saying that one cannot possibly "identify" the "person" who owns a vehicle, solely with the "information" on a license plate?
hmokiguess: https://www.flocksafety.com/legal/lpr-policy

> In accordance with its Terms and Conditions, Flock Safety may access, use, preserve and/or disclose the LPR data to law enforcement authorities, government officials, and/or third parties, if legally required to do so or if Flock has a good faith belief that such access, use, preservation or disclosure is reasonably necessary to comply with a legal process, enforce the agreement between Flock and the customer, or detect, prevent or otherwise address security, privacy, fraud or technical issues. Additionally, Flock uses a fraction of LPR images (less than one percent), which are stripped of all metadata and identifying information, solely for the purpose of improving Flock Services through machine learning.

In this document, to which they linked in their reply, it says clearly "address ... privacy ... issues."

Does your case not constitute a privacy issue? I would say so.

Continuing down below, their claim on "Trust Us" about how they employ machine learning would need some proper transparency into how can that be guaranteed.
FireBeyond: > Continuing down below, their claim on "Trust Us" about how they employ machine learning would need some proper transparency into how can that be guaranteed.

Wait til you see their "Transparency Portal" which, if my County and neighboring can be used as a sample size, doesn't even name at least 30% of agencies using Flock.
tptacek: AWS also maintains private infrastructure that stores data. Go write them asking to purge data pertaining to you from S3 and see how that goes.
danudey: If AWS maintained private infrastructure that stored and indexed data associated with people's license plates and vehicles and then charged customers to do searches against that data then yes, you could write them to ask them to purge data pertaining to you.

If Flock was just an opaque cloud storage service for law enforcement to back up their mass surveillance to then sure, your argument would have merit; it's not, it's a giant database of photos, locations, times, license plate information, and likely a lot more. They're not selling cloud storage, they're selling (leasing?) surveillance devices and tools.
_moof: They seem to be implying that because they are a "service provider," they aren't responsible for complying with CCPA rules even though they are the ones with the data.

Does this hold water? I'm reading the CCPA rules now but if anyone knows, it would save me some tedious research.
tomwheeler: The standard of proving someone's guilt in a crime or civil infraction is higher than the one for inferring that someone could plausibly be the person you want. This is the basis of parallel construction, wherein a government agency plays a game of "pin a crime on the suspect."
kube-system: I don't think they need your permission to use ALPR on your publicly displayed license plate.

> (2) (A) “Personal information” does not include publicly available information [...]

> (B) (i) For purposes of this paragraph, “publicly available” means any of the following:

> (I) Information that is lawfully made available from federal, state, or local government records.

> (II) Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer
_moof: The information being collected isn't your license plate, it's your location. (Still might not be personal information.)
necovek: Personal information usually does include photos of someone in public without their consent: exceptions usually hold for taking photos of people where it is in the public interest to be able to show them or impractical to get consent. This covers large gatherings and celebrities, but a portrait photo of a stranger might put you on the wrong side of the law.

Obviously, the idea is to not disallow having someone take a photo of you as a background, passing figure as they take a front-and-center photo of their family, but not allow you to be the main subject unknowingly and especially when you object explicitly.

On the other hand, a photographer still owns the copyright to a photo, so a subject (including in a portrait) cannot claim it or distribute it without permission even if they can potentially stop the photographer from distributing that photo.

IANAL, but you are not by default allowed to use anyone's "likeness" for your individual profit.
patrickmay: > Personal information usually does include photos of someone in public without their consent

This is not the case in the United States. There is no presumption of privacy in public. In fact, there is a whole genre known as "street photography" that involves taking pictures in public without explicit consent of the subjects.
ezfe: I guess if one likens it to AWS S3 holding your data on behalf of Apple it makes sense
ScoobleDoodle: I looked it up at https://cppa.ca.gov/data_broker_registry/ and didn't find Flock / Flock Safety in that list of the currently registered 566 data brokers.
tptacek: Because Flock isn't a data broker. Flock's customers own their data, not Flock, and they use Flock's platform voluntarily to share data with other customers.
cwillu: Equivocation. My stock broker doesn't own my stocks either, they merely hold my assets in a brokerage account.
unethical_ban: This is worth validating independently, but to be clear:

Are you saying Flock itself does not have access to any of the data, and that the data they store on behalf of local governments is not fed into any central datalake? That every organization's data is completely, unalterably separate from everyone else's?

If so, that makes the panopticon slightly less powerful.
close04: So… Flock uses their own platform and top to bottom tech stack to do everything technically? Your local PD doesn’t use random cameras (like Reolink), doesn’t run a custom software stack (like Frigate in a container on some random VM hosted with AWS), doesn’t store the data wherever (like Backblaze)? The customers just have to install the Flock cameras and “order” the subsequent data from Flock?

Sounds to me like it’s Flock’s data. If this was EU they’d be the processor and the customer would be the controller. I’m sure the US found a creative definition for this that would be completely unacceptable if the data was, say, drugs.
charcircuit: > It's my data, not their customers'.

Just because data is about you, that doesn't mean it is your data.
john_strinlai: under the california consumer privacy act (ccpa), personal data is:

"Personal information is information that identifies, relates to, or could reasonably be linked with you or your household."

just because data is about you, does mean you have the rights set forth in the ccpa (know, delete, correct, limit exposure, etc.).
carabiner: It's not much worse than all the tracking adtech used by FAANG industry. Smartest people in the world working on these systems.
kube-system: The CCPA explicitly says:

> “Personal information” does not include [...] Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer
tptacek: California has an entire statute regulating ALPR information, so we don't need to derive this axiomatically.
jnovek: I don’t care. I don’t care who owns the data. If I can’t easily get private information like my movements removed from a database like this, the legislation does not sufficiently protect me.

It should absolutely be Flock’s responsibility to remove my data and we should absolutely require it by law. Full stop.
danudey: The laws say that data about you is your data, information about you is your information. No one is saying that you "own the data", but by virtue of the data being personal information about you specifically you are allowed to exert control over that data, such as asking for it to be deleted.
kasey_junk: That view of data ownership is _highly_ jurisdiction dependent and is not the overwhelming norm in the US.
captaincrisp: While that's definitely true, in this particular case he's invoking his rights under CCPA.
tptacek: The law cares about lots of things we don't care about.
nekusar: The only opt-out the citizenry has is with any of the following: 2x4 rebar spraypaint spray foam battery powered metal cutter And bash those pieces of shit to chunks or completely ruin the lens and solar.

Republican community? They love corporate surveillance. Democrat community? They too love corporate surveillance.

There is no "Peoples' Party" that rejects this garbage.
MengerSponge: https://www.techspot.com/news/108045-lidar-great-cars-but-ca...It would be a pity if someone made dense point clouds of these devices.
maccam912: One could start doing tours of their city to show tourists where each and every camera is. They're kinda small though, it might be worth a strong laser pointer so you can direct their attention to the cameras easily...
kstrauser: I'd contend that it absolutely is. Adtech is creepy and invasive and weird. Flock is going a step further and actively tracking our movement through the cities where we live.

I don't like either of those activities, but I think one of them is much worse.
valeriozen: The AWS analogy breaks down because AWS doesn't encourage customers to pool their S3 buckets into a nationwide searchable index.

Flock operates a federated network. If you drive past an unmarked camera, you have absolutely no way of knowing which specific HOA or town leased it so how are you realistically supposed to know who the "data controller" is to send your ccpa or deletion request to?
giancarlostoro: Start standing in front of the cameras looking sketchy long enough till police are sent out to ya, then ask the cop who called.
kstrauser: I wouldn't be so sure. In this specific case, they told me to ask their customers to comply with my CCPA rights. Without that information, it's impossible for me to exercise those rights. IANAL, but that sounds like a pursuable path.
kube-system: I don't see any provision in CCPA that requires that. And outside of an explicit requirement to do so, nobody is required to help you.

Edit: from https://oag.ca.gov/privacy/ccpa

> If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.
bloppe: Perhaps the next step is writing to your state representative, or to Alastair Mactaggart, and complain about this hole in the legislation.
rbbydotdev: it would be nice if flock did not and could not exist
lazide: A reasonably nuanced defense could likely claim that to be able to do what you want, would have much worse side effects on privacy.

For example, would you want to be able to tell Public Storage (or some other storage unit place) to remove any naked photos of you stored anywhere in their storage units?

For them to actually be able to do that would require they have nigh omniscience on everything stored by/for everyone in every one of their storage units. Even inside closed boxes.

Now, it's not the same thing of course - but hopefully you understand what I'm referring to?
LadyCailin: Except that the analogy is that they already have, or can easily create, that list. If they couldn’t, their value proposition would be lame. “We know you’re looking for a specific license plate, here’s a million hours of footage from all over the city, have at looking through it all.”
lazide: Only for paying customers, which you aren't of course. If those customers paid public storage to inventory their stuff, then that inventory is their property. Surely it would be inappropriate to use their inventory data to find your naked photos. A violation of privacy even. (/s, kinda)

I was enumerating the likely defense, not that it's valid.
tptacek: They're invoking a right they do not in fact have under CCPA. Flock is a service provider under CCPA, and isn't required to respond to their request so long as they're operating under the terms of their contract with the municipality (which is, in turn, exempt from CCPA.)