Flock Security Accessed Kids' Gymnastics Cameras Without Permission—And the City Renewed Their Contract Anyway

What Happened

Flock Security, one of the largest providers of automatic license plate reader (ALPR) technology and networked camera systems to law enforcement and municipalities, accessed live camera feeds from a children's gymnastics facility without permission or knowledge from the facility owner. The footage was used as a sales demonstration to show potential clients what their surveillance system could do. No consent was obtained before accessing the cameras. No notification was given to parents, coaches, or staff that their children and the facility's interior spaces were being used in a corporate pitch.

The breach was eventually discovered by the city, which had contracted with Flock for these camera systems. Despite learning about this privacy violation involving minors, the city renewed Flock's contract anyway. This decision raises urgent questions about government oversight, corporate accountability, and who actually protects data when it involves children.

Why This Matters

This incident exposes three critical failures in how surveillance technology is deployed and governed in America.

First: Inadequate Contractual Safeguards

Flock's contract apparently contained no explicit restrictions on accessing live feeds or using footage for internal purposes like sales demos. This is shocking given the sensitive nature of surveillance infrastructure. If a major government contractor can access restricted camera feeds for marketing purposes without triggering immediate consequences, the contracts themselves are broken. Municipalities are essentially handing over surveillance infrastructure with minimal guardrails on corporate behavior.

Second: Children's Privacy Was Treated as Acceptable Risk

The gymnastics facility is a space where minors change clothes, practice in minimal athletic wear, and are in vulnerable positions. Using live feeds from such spaces for a corporate sales pitch is not a gray area—it's a fundamental privacy violation with potential legal implications under child protection laws. That the city did not immediately terminate the contract suggests a troubling calculus: the convenience of the surveillance system outweighed the violation of children's privacy.

Third: The Oversight Gap Is Systemic

This wasn't a lone employee acting rogue. Sales demos are planned events. Multiple people at Flock knew about this. The city's procurement and legal teams apparently did not discover this until after the breach was already happening. This suggests that no one is systematically auditing what government surveillance contractors actually do with the access they're given. The city discovered the problem only after it escalated—not through proactive oversight.

The Broader Business Context

Flock Security has built its business on positioning itself as a trusted partner to law enforcement and municipal governments. ALPR technology and integrated camera networks are now standard in hundreds of cities nationwide. Flock's value proposition depends on being seen as a reliable, trustworthy vendor that law enforcement can depend on.

This breach damages that brand promise. If Flock can access any camera feed in their network at any time without restriction or logging, then every municipality using their system has just realized they've handed surveillance infrastructure to a company with unclear internal controls. The incident raises the question: what else has Flock accessed? For what purposes? And how would anyone know?

For surveillance startups and civic tech founders, this is a cautionary tale. The regulatory environment is tightening. City councils, privacy advocates, and legal watchdogs are now hyperaware of surveillance contractor behavior. A single breach involving children's privacy can trigger state investigations, federal scrutiny, and loss of major contracts.

What Needs to Change

For Municipalities

Cities must demand explicit contractual language prohibiting unauthorized access to camera feeds. Contracts should require logging of every access to live or recorded footage, with regular audits. Penalties for violations should be severe enough to matter—automatic contract termination, not renewal. Cities should also conduct independent security audits of surveillance vendors before renewing agreements.

For Regulators

State attorneys general and federal agencies should establish minimum standards for surveillance contractor behavior. If a contractor accesses feeds without authorization, that should trigger investigations. Laws specifically protecting children's privacy in surveillance footage need to be clarified and enforced. Procurement rules should require documented security certifications before a city can contract with surveillance vendors.

For Surveillance Companies

Flock and competitors need bulletproof internal controls. Access to camera feeds should require multi-level approval, even for employees. Every access should be logged and auditable. Sales demos should never use real, live footage from active deployments. The compliance risk of accessing restricted feeds without permission is existential—one major violation can tank a company's reputation with its entire customer base.

The Bottom Line

Flock Security's unauthorized access to gymnastics facility cameras is not a minor oversight. It's evidence that the surveillance technology industry lacks the internal discipline to handle sensitive data responsibly. A city that renews a contract after discovering such a breach is signaling that it doesn't take privacy seriously. And founders building in this space should understand: regulatory reckoning is coming. The companies that survive will be those with genuinely locked-down compliance cultures, not just promises of security.

Now you know more than 99% of people. — Sara Plaintext