WWW.404MEDIA.CO
Flock Exposed Its AI-Powered Cameras to the Internet. We Tracked Ourselves.
I am standing on the corner of Harris Road and Young Street outside of the Crossroads Business Park in Bakersfield, California, looking up at a Flock surveillance camera bolted high above a traffic signal. On my phone, I am watching myself in real time as the camera records and livestreams me, without any password or login, to the open internet. I wander into the intersection, stare at the camera and wave. On the livestream, I can see myself clearly. Hundreds of miles away, my colleagues are remotely watching me too through the exposed feed.

Flock left livestreams and administrator control panels for at least 60 of its AI-enabled Condor cameras around the country exposed to the open internet, where anyone could watch them, download 30 days' worth of video archive, and change settings, see log files, and run diagnostics.

Unlike many of Flock's cameras, which are designed to capture license plates as people drive by, Flock's Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles. Condor cameras can be set to automatically zoom in on people's faces as they walk through a parking lot, down a public street, or play on a playground, or they can be controlled manually, according to marketing material on Flock's website. We watched Condor cameras zoom in on a woman walking her dog on a bike path in suburban Atlanta; a camera followed a man walking through a Macy's parking lot in Bakersfield; surveil children swinging on a swingset at a playground; and film high-res video of people sitting at a stoplight in traffic. In one case, we were able to watch a man rollerblade down Brookhaven, Georgia's Peachtree Creek Greenway bike path. The Flock camera zoomed in on him and tracked him as he rolled past. Minutes later, he showed up on another exposed camera livestream further down the bike path.
The camera's resolution was good enough that we were able to see that, when he stopped beneath one of the cameras, he was watching rollerblading videos on his phone.

The exposure was initially discovered by YouTuber and technologist Benn Jordan and was shared with security researcher Jon "GainSec" Gaines, who recently found numerous vulnerabilities in several other models of Flock's automated license plate reader (ALPR) cameras. They shared the details of what they found with me, and I verified many of the details seen in the exposed portals by driving to Bakersfield to walk in front of two cameras there while I watched myself on the livestream. I also pulled Flock's contracts with cities for Condor cameras, pulled details from company presentations about the technology, and geolocated a handful of the cameras to cities and towns across the United States. Jordan also filmed himself in front of several of the cameras on the Peachtree Creek Greenway bike path.

Jordan said he and Gaines discovered many of the exposed cameras with Shodan, an internet of things search engine that researchers regularly use to identify improperly secured devices.

"After finding links to the feed, immediately, we were just without any username, without any password, we were just seeing everything from playgrounds to parking lots with people, Christmas shopping and unloading their stuff into cars," Jordan told me in an interview. "I think it was like the first time that I actually got like immediately scared I think the one that affected me most was a playground. You could see unattended kids, and that's something I want people to know about so they can understand how dangerous this is."
In a YouTube video about his research, Jordan said he was able to use footage pulled from the exposed feed to identify specific people using open source investigation tools in order to show how trivially an exposure like this could be abused.

Last year, Flock introduced AI features to Condor cameras that automatically zoom in on people as they walk by. In Flock's announcement of this feature, it explained that this technology "zooms in on a suspect exiting one car, stealing an item from another, and returning to his vehicle. Every detail is captured, providing invaluable evidence for investigators." On several of the exposed feeds, we saw Flock cameras repeatedly zooming in on and tracking random people as they walked by. The cameras can be controlled by AI or manually.

The exposure highlights the fact that Flock is not just surveilling cars; it is surveilling people, and in some cases it is doing so in an insecure way. It also highlights the types of places where its Condor cameras are being deployed. Condor cameras are part of Flock's ever-expanding quest to prevent crime, and are sometimes integrated with its license plate cameras, its gunshot detection microphones, and its automated camera drones.

Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, told me the behavior he saw in videos we shared with him "shows that Flock's ambitions go far beyond license-plate surveillance. They want to be a nation-wide panopticon, watching everyone all the time. Flock's goal isn't to catch stolen cars, their goal is to have total surveillance of everyone all the time."

The cameras were left not just livestreaming to the internet for anyone who could find the link, but in many cases their administrative portals were left open with no login credentials required whatsoever. On this portal, some camera settings could be changed, diagnostics could be run, and text logs of what the camera was doing were being streamed, too.
Thirty days of the cameras' archive was left available for anyone to watch or download from any of the cameras that we found. We were not able to geolocate every camera that was left unprotected, but we found cameras at a New York City Department of Transportation parking lot, on a street corner in suburban New Orleans, in random cul-de-sacs, in a Lowe's parking lot, in the parking lot of a skatepark, at a pool, outside a parking garage, at an apartment complex, outside a church, on a bike path, and at various street intersections around the country.

Quintin told me the situation reminds him of ALPR cameras from another company that were left unprotected a decade ago.

"This is not the first time we have seen ALPRs exposed on the public internet, and it won't be the last. Law enforcement agencies around the country have been all too eager to adopt mass surveillance technologies, but sometimes they have put little effort into ensuring the systems are secure and the sensitive data they collect on everyday people is protected," Quintin said. "Law enforcement should not collect information they can't protect. Surveillance technology without adequate security measures puts everyone's safety at risk."

It was not always clear which business or agency owned specific cameras that were left exposed, or what type of misconfiguration led to the exposure, though I was able to find a $348,000 Flock contract for Brookhaven, Georgia, which manages the Peachtree Creek Greenway, and includes 64 Condor cameras.

"This was a limited misconfiguration on a very small number of devices, and it has since been remedied," a Flock spokesperson told 404 Media. It did not answer questions about what caused the misconfiguration or how many devices ultimately were affected.

Do you know anything else about surveillance? I would love to hear from you. Using a non-work device, you can message me securely on Signal at jason.404.
Otherwise, send me an email at jason@404media.co.

In response to Jordan and Gaines' earlier research on vulnerabilities in other Flock cameras, Flock CEO Garrett Langley said in a LinkedIn post that "The Flock system has not been hacked. We secure customer data to the highest standard of industry requirements, including strict industry standard encryption. Flock's cloud storage has never been compromised." The exposure of these video feeds is not a hack of Flock's system, but demonstrates a major misconfiguration of at least some cameras. It also highlights a major misconfiguration in its security that persisted for at least days.

"When I was making my last video [about Flock ALPR vulnerabilities], it was almost like a catchphrase where I'd say like, I don't see how it could get any worse. And then something would happen where you'd be like, wow, they pulled it off. They made it worse," Jordan said. "And then this is like the ultimate one. Because this is completely unrelated [to my earlier research] and I don't really know how it could be any worse to be honest."

In a 2023 video webinar introducing the Condor platform to police, Flock executives said the cameras are meant to be paired with their ALPR cameras and are designed to feed video to FlockOS, a police panel that allows cops to hop from camera to camera in real time across a mapped-out view of their city. In Bakersfield, which has 382 Flock cameras according to a transparency report, one of the Condor cameras we saw was located next to a mall that had at least two Flock ALPR cameras stationed at the entrances to the mall parking lot.

Kevin Cox, a Flock consultant who used to work for the Grand Prairie, Texas Police Department, said in the webinar that he built an intel center with a high density of Flock cameras in that city. "I am passionate about this because I've lived it. The background behind video [Condor] with LPR is rich with arrests," he said.
"That rich experience of seeing what happened kind of brings it alive to [judges]. So video combined with the LPR evidence of placing a vehicle at the scene or nearby is an incredibly game changing experience into the prosecutorial chain of events."

"You can look down a tremendous distance with our cameras, to the next intersection and the next intersection," he said. "The camera will identify people, what they're wearing, and cars up to a half a mile away. It's that good."

[Video: Condor cameras in a Flock demo showing off its AI tracking features]

In the webinar Cox pulled up a multiview panel of a series of cameras and took control of them, dragging, panning, and zooming on cameras and hopping between multiple cameras in real time. Cox suggested that police officers could either use Flock's cameras to pinpoint a person at a place and time and then use it to request cell tower dumps from wireless companies, or could use cell GPS data to then go into the Flock system to track a person as they moved throughout a city. "If you can place that person's cell phone and then the Condor video and Falcon LPR evidence, it would be next to impossible to beat that in court," he said, adding that some towns may just want to have always-on, always recording video of certain intersections or town squares. "There's endless endless uses to what we can do with these things."

On the webinar, Seth Cimino, who was a police officer at the Citrus Heights, California police department at the time but now works directly for Flock, told participants that officers in his city enjoyed using the cameras to zoom in on crimes.

"There is an eagerness amongst our staff that are logged in that have their own Flock accounts to be able to monitor our ALPR and pan tilt zoom Condor cameras throughout the community, to a point where sometimes our officers are beating dispatch with the information," he said.
"If there's an incident that occurs at a specific intersection or a short distance away where our Condor cameras can zoom in on that area, it allows for real time overwatch [...] as I sit here right now with you, how cool is this? We just had a Flock alert here in the city. I mean, it just popped up on my screen!"

Samantha Cole contributed reporting.