I wrote to Flock's privacy contact to opt out of their domestic spying program
A California resident attempted to leverage CCPA rights to opt out of Flock Safety's ubiquitous license plate tracking, only to be met with a legalistic denial claiming Flock merely acts as a "service provider" for its customers. This refusal has ignited a heated Hacker News debate on the efficacy of privacy laws against corporate surveillance, the definition of personal identifiable information (PII) in public spaces, and the true accountability of data processors.
The Lowdown
The author initiated a privacy request to Flock Safety, a company widely known for its network of automated license plate readers (ALPRs), seeking to have all data pertaining to them, their vehicle, and household members deleted under the California Consumer Privacy Act (CCPA). Flock's response, however, explicitly denied the request, asserting that they act solely as a "service provider" and "processor" for their customers, who are the ultimate "owners and controllers" of the collected data.
Key points from Flock Safety's response and the author's observations include:
- Flock claimed inability to fulfill the request directly, directing the author to contact the specific organizations (e.g., local police, HOAs) that engaged Flock's services.
- They emphasized that customer contracts govern their data processing, customers own the data, and Flock does not sell data for its own commercial purposes.
- Flock stated that ALPRs only capture publicly available vehicle characteristics, not sensitive personal information like names or addresses.
- The data is used by customers for security and crime-solving, with a default retention period of 30 days, though customers can adjust this.
- The author, a non-lawyer, believes Flock's interpretation of CCPA is inaccurate and is contemplating legal consultation, highlighting a perceived loophole in privacy legislation.
The Gossip
Service Provider Squabble
Commenters extensively debated Flock's defense of being a mere "service provider" and whether this legalistic interpretation absolves them of CCPA responsibilities. Many found this argument disingenuous, suggesting it's a loophole that undermines privacy laws. Comparisons were drawn to cloud providers like AWS, questioning if they too could simply punt privacy requests to their customers, while others argued the analogy holds, as Flock primarily provides infrastructure rather than owning the data's purpose.
Public PII Predicament
A significant thread revolved around whether publicly visible information, like license plates and vehicle images, constitutes "personally identifiable information" (PII) under CCPA. Some argued that once information is public, there's no expectation of privacy, citing CCPA clauses about publicly available data. Others countered that while individual public instances might not be PII, the systematic collection and aggregation of such data by Flock across time and location creates a comprehensive profile that certainly qualifies as PII, thereby invoking privacy rights.
The Gauntlet of Opt-Out
The practical challenges of exercising opt-out rights against a distributed surveillance network were a major concern. If individuals must contact every single municipality or entity that uses Flock's services, the process becomes prohibitively difficult. Commenters proposed various solutions, from Flock providing a customer list to automating requests to municipalities, and some expressed cynicism about the legal system's ability to enforce these rights, citing personal experiences of having similar requests go nowhere.
Flock's Fickle Footing
Discussion centered on Flock's true role and financial incentives beyond being a mere service provider. Critics argued that Flock's business model involves owning the cameras and infrastructure, extracting information via machine learning, and benefiting directly from the network's existence, making their data ownership claims dubious. They contended that Flock attempts to distance itself from liability while maintaining significant control and access to the collected data, acting more like a data broker than a simple custodian.