Hacker News

409

I wrote to Flock's privacy contact to opt out of their domestic spying program

by speckx1776188820172 comments
I wrote this. I had/have absolutely no expectation that Flock would comply with my request, but figured I should try anyway For Science. Their reply rubbed me wrong, though. They seem to claim that there are no restrictions on their collection and processing of PII because other people pay them for it. They say:

> Flock Safety’s customers own the data and make all decisions around how such data is used and shared.

which seems to directly oppose the CCPA. It's my data, not their customers'.

Again, I didn't really expect this to work. And yet, I'm still disappointed with the path by which it didn't work.

by kstrauser1776189637
I noticed that the company is glossed as "Flock" and not "Flock Safety (YC S17)" in posts like this and last week's "US cities are axing Flock Safety surveillance technology", https://news.ycombinator.com/item?id=47689237.

Did YC house style change a while back to drop the "(YC xxx)" annotation since so many popular firms particpate / or because it's well known?

by empathy_m1776192204
Remember that the difference between "Flock can do whatever the hell it wants" and "Flock is required to delete your data at your request" is a law. Citizens vote for legislators. If you want this to be a higher priority for your legislators, buy them off.

Or vote for/against them, that might work too.

by dsr_1776195665
Flock has stonewalled with the "we are not the controllers" excuse here in MN too. We have similar rights to opt-out and delete under the MCDPA [0].

[0] https://ag.state.mn.us/Data-Privacy/Consumer/

by wcv1776192732
I think you're going to have a hard time with this...

Flock seems to leave the data in ownership of the government. They are just providing the service of being custodians for storing and accessing that data.

You probably would get a similar response by submitting your request to Amazon web services or Google cloud or whoever has Flocks data: "sorry, we're just holding the data on behalf of Flock"

In either my example case or your stated case, you would have a very hard time convincing the host business to destroy their customers data without a court order or court case that shows their policy is invalid and they must comply.

Not a lawyer, just noting the parallel.

I do appreciate that Flock's response says that they cannot use the data they've collected for other purposes.. which further reinforces my cloud storage analogy -- the cloud vendor can't look at your data you upload to storage to e.g. build profiles on you/your business.

by ldoughty1776189989
https://www.flocksafety.com/legal/lpr-policy

> In accordance with its Terms and Conditions, Flock Safety may access, use, preserve and/or disclose the LPR data to law enforcement authorities, government officials, and/or third parties, if legally required to do so or if Flock has a good faith belief that such access, use, preservation or disclosure is reasonably necessary to comply with a legal process, enforce the agreement between Flock and the customer, or detect, prevent or otherwise address security, privacy, fraud or technical issues. Additionally, Flock uses a fraction of LPR images (less than one percent), which are stripped of all metadata and identifying information, solely for the purpose of improving Flock Services through machine learning.

In this document, to which they linked in their reply, it says clearly "address ... privacy ... issues."

Does your case not constitute a privacy issue? I would say so.

Continuing down below, their claim on "Trust Us" about how they employ machine learning would need some proper transparency into how can that be guaranteed.

by hmokiguess1776194370
Per my understanding of the law for these sorts of data collectors, at least in the U.S., you need to contact the local municipalities (Flock's customers) for this redaction and the jurisprudence is governed at the state and municipal level.

The best source of this information is https://deflock.org/ . FWIW, this is run by a neighbor in Boulder, CO which has been wrestling with the use of these cameras.

by calmbonsai1776190786
If Flock collects and processes PII data, then all their customers are "subprocessors". Flock should really have a Data Processing Agreement with their subprocessors, to legally ensure they follow the same PII handling controls as Flock does.

For example, if Flock receives a legitimate request to delete some data, then Flock must forward that request to all their Data Processors (e.g. including AWS/GCP/Cloudflare) and they must delete it as well.

by deepsun1776193029
If that's a valid excuse than the CCPA isn't worth the paper its written on.
by barelysapient1776189646
It’s fascinating how America could completely get rid of Flock cameras by sending criminals to prison and leaving them there, but we won’t do that so we have these endless arguments about these cameras.
by gguncth1776200198
Sent to Benn Jordan:

https://i.ibb.co/WWWYznHX/flock-future.png

See also a poster from IBM’s German subsidiary, circa 1934. The approximate translation: “See everything with Hollerith punch cards.”

https://www.clevelandjewishnews.com/opinion/op-eds/new-detai...

by thangalin1776203052
This reminds me of the Andrew Yang's "Data Dividend" project that ideally would have paid end users for their data rather than knowingly giving it aware for free. IMO, it was a great idea but flawed execution against all the lobbying.
by pext1776200414
Feels like a classic “we’re just the processor” answer But in reality you have no way to find or contact whoever actually controls the data, so it doesn’t really help. Kind of shows the gap between how the law works on paper vs how these systems work in practice.
by cold_tom1776198598
Flock's customers own the data the same way Uber drivers are independent contractors, i.e. it's designed for weaseling out of obligations.
by rdiddly1776195482
The concept of what constitutes a sale under CCPA is pretty expansive. An exchange of value can be a sale that occurs outside of a processing relationship. I’d say their note is inaccurate.
by sklargh1776198611
Back in 2018, CloudFormation data leaked through a public gist (misconfigured gist plugin, I thought the gist was private but it wasn't... I had change the default config) and showed up on an obscure website being served via CloudFlare. When I contacted CF, they claimed they couldn’t remove the cached content because their system “doesn’t work like that". I pushed back and then they said that they're not responsible for the content and that I should send another email to abuse@cf... to get data about the hosting provider and deal with the content provider (e.g. VPS, ISP, whatever). After a few back and forth msgs, I made it clear that if the data wasn’t taken down within a week or so, I would escalate the issue to the local and German GDPR authority (see https://www.ombudsman.europa.eu/en/european-network-of-ombud...).

And what do you know? I got not reply, but the content disappeared in ~48hrs.

by atmosx1776200173
They seem to be implying that because they are a "service provider," they aren't responsible for complying with CCPA rules even though they are the ones with the data.

Does this hold water? I'm reading the CCPA rules now but if anyone knows, it would save me some tedious research.

by _moof1776194532
An interesting quandary here is that they'd need to constantly scan for you and your vehicle, etc. so that they could know it was you then delete you. So to ensure they don't observe you, they need to observe you.
by pugworthy1776194913
Isn't that how it should work?

If you write the police and ask them to delete all their data about you, that isn't a thing that they do. It shouldn't matter if the police store their data on AWS or their own servers.

Flock is a tool used by the police so it should work the same way.

by lacker1776195653
I don't think they need your permission to use ALPR on your publicly displayed license plate.

> (2) (A) “Personal information” does not include publicly available information [...]

> (B) (i) For purposes of this paragraph, “publicly available” means any of the following:

> (I) Information that is lawfully made available from federal, state, or local government records.

> (II) Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer

by kube-system1776192653
The only opt-out the citizenry has is with any of the following:

    2x4
    rebar
    spraypaint
    spray foam
    battery powered metal cutter
And bash those pieces of shit to chunks or completely ruin the lens and solar.

Republican community? They love corporate surveillance. Democrat community? They too love corporate surveillance.

There is no "Peoples' Party" that rejects this garbage.

by nekusar1776191037
Lot of Flock Defenders in here.
by mmmlinux1776193315
it would be nice if flock did not and could not exist
by rbbydotdev1776199856
by 1776192095
It's not much worse than all the tracking adtech used by FAANG industry. Smartest people in the world working on these systems.
by carabiner1776198921
I've had the same kind of response from Email providers like Sendgrid, they claim its not their data. There is no way to have Sendgrid block you in their entire network, you have to play whack-a-mole with their customers. Seems like a flaw in these privacy laws when you can't ask the actual record holder to remove the records.
by annoyingnoob1776193760
[dead]
by nour8331776195960
To me this sounds like the equivalent of visiting a website that sells your data, and then asking AWS to delete your personal data when it actually belongs to a customer of theirs and only resides within their private storage.

Would you ask your local ISP to delete data they provided to Tinder like your IP address? That doesn't make sense to me.

by ranger_danger1776189817