It’s nearly impossible not to be watched these days. It can start right at home with your neighbors and their Ring cameras—a company that sold fear to the American public and is now integrating AI to turn entire neighborhoods into networked, automated surveillance systems.
Head out a bit further and you’ll likely be confronted by Flock’s network of cameras that not only track license plates, but also track people’s movements with detailed precision. And as the Trump administration raids cities across the U.S. for undocumented immigrants, tech giants like Palantir are powering tools for ICE, including one called ELITE that helps the agency pick which neighborhoods to raid.
To better understand what exactly we’re looking at in this dystopian hellscape, 404 Media’s Jason Koebler and Joseph Cox joined r/technology for an AMA.
Understandably, people are worried about violations of their privacy by companies and the government. And many wonder, is there any way to go back once we’ve released all this AI-powered, surveillance tech?
Questions and answers have been edited for clarity.
Q: How do you think we can as a society deescalate tools designed to spy on citizens? I feel like once the police state bottle is open it’s near impossible to put it back in?
JASON: This is something I grapple with a lot. For whatever reason, my reporting has gravitated to state and local surveillance tools owned by police. This is not uniformly true, but what I've seen based on watching zillions of city council meetings and reading thousands of pages of emails and public records is that police, in general, love new toys and love new gadgets. The strategy is very often ‘get the surveillance tech first and ask questions later.’ A lot of city councils are not very sophisticated about the risks of surveillance technology and a lot of them feel a lot of pressure to keep their city safe or whatever, and so they defer to the police and give them money for whatever they ask for. There are also tons of grants and pilot programs in which police can obtain technology for cheap or free, and so the posture cities take is often ‘why not try it?’ Police love telling each other about the new capabilities and tools that they've acquired, so this tech can spread from city to city very quickly.
All of this can be pretty demoralizing but something that we've seen is that when you shine even a tiny bit of light on the ways these systems work, how they can and are often abused, people learn a lot about the intricacies of them very quickly. At this point, I am getting emails and messages multiple times a week from people in a new city or town that has either decided not to buy Flock or has decided to stop working with Flock, and usually our reporting is cited in some way. The issue is that it's not just Flock, there's all sorts of surveillance tools and new companies are popping up all the time. So it does feel like it's hard to put the genie back in the bottle, but I do think that, overall, the public discussion on surveillance and privacy is getting a lot more sophisticated, and that gives me optimism.
Q: Given the breadth of these surveillance technologies, is there any hope or possibility of opting out or avoiding being “seen”? Do we accept surveillance and aggregated data about ourselves and our behavior as an inevitability?
JOSEPH: I don't think privacy is dead. I don't think people need to give up and say fine, take my data. There are concrete things people can do. But they do introduce friction. The trade off with security is efficiency. The more efficient, the less secure you might be. The more secure, the less efficient. An extreme example would be not owning a mobile phone. Well, you're immune to producing any mobile phone telecom data because you don't own one. But that's gonna be a massive pain.
Concrete things people can do:
- Explore legislation that will let you demand a company deletes your data. Google a template of the language to send, it's pretty easy
- Maybe delete your AdID in your phone, or change it. Here's how on Android. This is the digital glue advertisers, and parties that buy that data, use to stick together your device and its usage.
- Use a different email for each service. This is too much work to make constant new addresses (unless you just use one junk one). I like Apple's iCloud Hide My Email feature which gives you (they say) an unlimited number of emails to generate. Then if a website is hacked or your data sold, it is not necessarily clear that the data belongs to you. Obviously it depends on the service but I use that every day.
Q: Are new phones being built with spyware technology and how will we know? Will Independent Media be able to continue reporting if all of our technology blocks the truth from ever reaching the masses?
JOSEPH: Supply chain attacks are what really scare me. You have a device you trust, or a piece of software you download from a legitimate source, and even then someone has snuck in some malware. The biggest one right now which was reported just recently is the Notepad++ case.
That said, we haven't seen much widespread reporting about it happening to new phones (beyond there being annoying sketchy apps, that does happen). I'd flag that the Bloomberg piece claiming the Apple supply chain was somehow compromised was widely debunked by the infosec community.
Q: What can you infer from the info you learned to explain why some ICE agents just pull cars on the street to arrest people instead of going after them from their home?
JOSEPH: I think there are a few things going on. Some parts of DHS want there to be targeted raids, against specific people, specific addresses. Others (Bovino) want a more blanket, indiscriminate approach. I'd point to this really good reporting in The Atlantic about that tension inside the agency.
But other than that, data can only go so far. Data by itself can't make these agents fulfill their arbitrary and extreme quotas of how many people to detain. At some point, the mass deportation effort becomes distinctly low tech. It's almostttt like the XKCD comic about password security and wrench attacks. It basically boils down to grabbing who they can or feel they can.
Q: Do you ever hear from workers at Palantir (or other similar companies) about what things are like there?
JOSEPH: I won't talk about sources specifically, but a couple of things: some people inside Palantir are clearly motivated enough by what the company is doing with ICE to then leak details of that work to journalists. That started with this piece, Leaked: Palantir’s Plan to Help ICE Deport People. That was a pretty unusual leak in that it contained both Slack messages and an internal Palantir wiki in which company leadership explained and justified its work with ICE.
Joseph Cox
Broadly, I think a lot of people inside tech companies (both social media giants and surveillance companies) are often conflicted about their work. Some leave. Some put it out of mind and stay. Some leak.
Q: Do we know what information was handed over to Palantir from DOGE? I don’t think the majority of Americans understand just how dangerous this company is right now.
JOSEPH: I think we are still learning the specifics of that. When we reported on the ELITE the Palantir-made tool ICE is using, the user guide said the tool included data from the Department of Health and Human Services. Now, I don't think the list in the user guide is exhaustive by any stretch. It says ELITE integrates new data sources.
What new data sources has ICE gotten recently? IRS. CMS. Medical insurance databases. I'm not saying that data is being fed into ELITE. I don't know that and can't report it. But I absolutely think it's possible and would make sense.
Q: Are public record requests Flock's Achilles heel?
JASON: I think you've hit on something here—the business model of not just Flock but of a lot of surveillance companies is to go city by city pitching and selling their tech to local police officers. Because of the hollowing out of local news over the last 20 years, there have been fewer journalists paying attention to city council meetings, and a lot of this tech is acquired directly by police through discretionary budgets. So for years, surveillance companies have been able to essentially go to a couple small police departments, demo their tech, get a contract. Then, through police listservs and conferences and email chains, the police start to talk about their new toys with other districts, and companies can quickly go from having just a few contracts to having dozens, hundreds, or thousands of contracts. That is more or less what's happened with Flock—a lot of officers within the police departments that were early adopters of the tech have actually been hired by the company to be lobbyists and salespeople. I've focused a lot of my reporting over the years on this dynamic and how this usually goes.
But what has happened, as you've noted, is that because these surveillance companies are working with so many police departments and cities, they are subject to public records from all of them. When a company sells only to the federal government, they may be able to be very careful about what they say, what they put in writing, how they pitch their product etc. But when a company is hyperfocused on growth at the local level, they have to explain how their tech works over and over again, and highlight different features and capabilities. They create a lot of public records doing this, and journalists and concerned citizens have noticed this and have been vigilant about requesting documents that their tax dollars are paying for. So yes, this is how we're learning a lot about Flock, and it's also how governments that may not have known about abuses or how pervasive this tech is are learning about Flock too.
So my very long answer to your question is not that public records requests are Flock's achilles heel—I think Flock's design, business model, and approach to surveillance are its achilles heel, but that the way it operates its company across tons of cities leaves it more vulnerable than it would have expected to the transparency we all deserve, and it cannot plausibly fight against the release of public documents in thousands and thousands of cities at once.
Jason Koebler
Q: Our local PD has stated that they have control over their Flock data. To me this implies that other Flock users can’t search the ALPR data from our city. Can you talk about what in particular Flock users can search for?
JOSEPH: Yeah, the ownership of Flock data is interesting. Flock says the police own it. Police say and believe that too. I think that is correct... mostly. Until our reporting (and maybe still now) many police forces seem to fundamentally misunderstand the Flock product, especially the nationwide network. When we contacted police departments when we were verifying that local cops were doing lookups for ICE, some of them had no idea what we were talking about. We had to explain how the system worked. Then many police departments realized what was happening and changed their access policies. So, police departments do own the footage (unless it's in Washington where a court has said actually it's a public record). But they might not realize who they are accidentally giving access to their cameras to.
Q: What is the state of the Fourth Amendment in the courts (and Supreme Court clarification) regarding Flock type surveillance currently?
JASON: There are a few lawsuits. One in San Jose. There was one in Norfolk, Virginia which just got decided in the city's favor (Flock's favor). It's being appealed.
The general argument is that you don't have an expectation of privacy in public and that you can take pictures of anything from public roads (basically). Another argument is that license plates are government data, roads are funded by taxpayers and are therefore public, so no problem here. What our law hasn't grappled with is the fact that all of these are networked together and automated, so it's a little different, in my opinion, from having one discrete camera that takes one discrete picture and then has to be accessed by a human. Instead you have thousands of networked cameras building a comprehensive database over time. I feel like that's functionally something different but our laws have not evolved to deal with this yet.
Q: Have we seen any of this technology spread (or attempt to spread) beyond the US, perhaps to other governments?
JOSEPH: Yep, absolutely. The UK has a robust facial recognition program, scanning people in public constantly, for example.
I would say it is often the other way around: technology is made or used overseas then it comes to the U.S. Cobwebs, which makes the Webloc location data tool ICE has bought access to, is from Israel (they're now part of an American company called Penlink). Paragon, the spyware that ICE bought, is also from Israel.
Q: Regarding the story posted on 404 Media about Apple’s Lockdown mode, is this the first time (publicly perhaps) the government has had issues accessing a phone with that mode enabled?
JOSEPH: I believe this is the first time we've seen the government admit it cannot access an iPhone running Lockdown Mode. Maybe it is in other court documents, but I don't think it's been reported.
Joseph Cox
I don't think Apple will make changes based on this. That's for a few reasons:
- Apple has continued to make changes that thwart mobile forensics tools, like the silent reboot we revealed
- Frankly I don't think this case is high profile enough to cause that kind of response. San Bernardino was a freak, horrible event. An actual terrorist attack. That is part of why the DOJ came down so hard
- It went against their long standing ideas of just making their product more secure
Now, Cook has obviously gotten more close to President Trump. It is embarrassing. Giving him a gold statue, or whatever. But that's different from undermining their users' security (pushing the product into China and making concessions there, that's another story).
Q: What surveillance tools do you anticipate seeing develop and integrate further into American society in the next three years without legislative oversight?
JASON: I hate that this is my answer but I think that there's going to be a lot, and I am pretty concerned at what I've seen. Here we go:
- Police departments are obsessed with Drone as First Responder programs (called DFR), which are basically little autonomous drones that fly out to the location of a 911 call as the call is happening. Some reporting has shown that this ends up with lots of people getting drones sent at them when they're mowing the lawn too loudly or something. This is being integrated with ALPR cameras and other AI tools. Not into it.
- I think real time facial recognition and AI cameras that are networked together is the next big thing. New Orleans is already doing this through a quasi public “charity,” which I'm writing about for next week. We've also written about a company called Fusus which is quite concerning.
- We've seen some early AI persona bots being used by police to infiltrate social media groups. I think these are very goofy but also cops seem generally obsessed with cramming AI and facial recognition into everything they can and I think we're about to see an explosion in this space.
Q: Outside of 404 Media, what books or resources do you recommend to folks looking to learn more about surveillance in America or globally?
JOSEPH: I definitely recommend Means of Control, Byron Tau's book. He was the first journalist to report that government agencies (including ICE and CBP) were buying smartphone location data from data brokers. It's a great book to give you a true idea of the scale of the interaction between private industry and the government. This is much more important than, say, any links between, for example, Facebook and the government. Here they just literally buy the data.
For families, I think Flock is a good one. Everyone understands what it is like to drive around and how they sometimes go places they might not want others to know for personal privacy reasons. Well, are you okay with authorities being able to query that without a warrant? And are you okay with law enforcement in, say, a town in Texas being able to then look up the movements of people across the country? I think it's a pretty good tangible example that doesn't require a lot of tech stuff.
JASON: I'll add to this briefly. This is not an exhaustive list, but off the top of my head:
Zack Whitaker's This Week in Security newsletter is really good.
Our old colleague and friend Lorenzo Franceschi-Bicchierai at TechCrunch does really great work. Groups like the EFF, ACLU, Electronic Privacy Information Center, and Center for Democracy and Technology all focus on different things but are often surfacing interesting surveillance-related cases and can be helpful in terms of understanding some of the legal issues around surveillance. Lucy Parsons Lab does amazing work. The Institute of Justice is a libertarian group that always finds very interesting privacy and surveillance cases.
Jason Koebler
Another one I feel people understand immediately is Ring cameras. So many people have them, and I think a lot of people like them. But I have found Ring cameras as a useful intro point just because they are so popular. Should we be filming our neighbors at all times? Putting it on Nextdoor and social media sites? Connecting it to local police? What about the entire neighborhood's cameras? Should it go to ICE, etc? I think that unfortunately a lot of people will say ‘I want to protect my house and my family,’ but I do find it's usually possible to have a nuanced talk about Ring cameras, at least in my personal life, and that often opens people's eyes to other, similar systems.
