I wrote to Flock's privacy contact to opt out of their domestic spying program

Posted by speckx 8 hours ago

I wrote to Flock's privacy contact to opt out of their domestic spying program(honeypot.net)

453 points | 186 commentspage 3

lacker 6 hours ago|

Isn't that how it should work?

If you write the police and ask them to delete all their data about you, that isn't a thing that they do. It shouldn't matter if the police store their data on AWS or their own servers.

Flock is a tool used by the police so it should work the same way.

nerevarthelame 6 hours ago|

You're right are exemptions for both GDPR [0] and the CCPA [1] where organizations aren't obligated to comply with erasure requests if it would limit their ability to prevent or investigate crimes, fraud, or similar matters.

But that's not what Flock is claiming. They're claiming that they don't even have to consider the request because they don't own the data.

[0] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...

[1] https://www.clarip.com/data-privacy/ccpa-erasure-exemptions/

mmmlinux 7 hours ago||

Lot of Flock Defenders in here.

pwython 5 hours ago|

Not Flock defenders, just people explaining how this is not a CCPA violation. I could set up 100 cameras around town (with property owners permission) and record cars driving by, birds, etc all day. Then I could sell access to that footage to whoever I want. If they want to scrape license plates that's up to the customer and their problem. Or if they want to track birds, cool, that could be in the frame too.

kstrauser 5 hours ago||

It gets a little weird when you explicitly market them for a purpose, though. Flock doesn't advertise a fleet of cameras suitable for birdwatching or other random activities. They market them specifically for the collection and processing of PII.

By analogy, Google Docs isn't marketed for healthcare use. If you wanted, you could put a bunch of PHI in a Google doc and it wouldn't be their responsibility. They certainly didn't tell you to do that. However, if they marketed Google Docs as a great place to store PHI, yeah, then suddenly they're on the hook for complying with the relevant laws like HIPAA.

(Although in this case Google will sign a HIPAA business associate agreement with you and voluntarily agree to comply. They still don't market it that way, or at least don't predominantly do so.)

rbbydotdev 5 hours ago||

it would be nice if flock did not and could not exist

carabiner 5 hours ago||

It's not much worse than all the tracking adtech used by FAANG industry. Smartest people in the world working on these systems.

kstrauser 5 hours ago|

I'd contend that it absolutely is. Adtech is creepy and invasive and weird. Flock is going a step further and actively tracking our movement through the cities where we live.

I don't like either of those activities, but I think one of them is much worse.

jakeydus 5 hours ago||

One is making implicit assumptions based on data available to it. The other is literally saying "hey they're right here at this time". At least adtech has _some_ level of obfuscation to it.

But I'm with you both suck.

annoyingnoob 7 hours ago||

I've had the same kind of response from Email providers like Sendgrid, they claim its not their data. There is no way to have Sendgrid block you in their entire network, you have to play whack-a-mole with their customers. Seems like a flaw in these privacy laws when you can't ask the actual record holder to remove the records.

nour833 6 hours ago||

[dead]

ranger_danger 8 hours ago|

To me this sounds like the equivalent of visiting a website that sells your data, and then asking AWS to delete your personal data when it actually belongs to a customer of theirs and only resides within their private storage.

Would you ask your local ISP to delete data they provided to Tinder like your IP address? That doesn't make sense to me.

monooso 7 hours ago||

As I understand it, the author wrote to Flock as they are the entity collecting the PII. Your analogy would only make sense if the author had written to Flock's customers (and even then it's a rather strained comparison).

ranger_danger 6 hours ago||

> they are the entity collecting the PII

I'm not convinced this is the case. It might be equipment made by them, but does that necessarily mean they were ever even in possession of the data in question?

Would you ask the manufacturer of your oven what you ate for dinner last week? No, you're just using an appliance that they made.

In the case of Flock I don't think we have any evidence of whether Flock themselves ever hold or store any data produced by their devices when operated by a customer.

terrabitz 8 hours ago|||

Yeah I was getting the same feeling. I wonder if an equivalent request to California police agencies that contract Flock technologies would work though.

OkayPhysicist 7 hours ago||

Probably not, as the law enforcement agencies get a bunch of exceptions to the CCPA.

alt227 7 hours ago||

Yes, I have asked multiple companies to destroy my data under GDPR. Its quite common in Europe.