Who Really Controls San Diego’s License Plate Data?

Ubicquia, Flock Safety, Car Theft, and the Vote City Council Is Rushing

Bill Paul

I. Why this matters right now

San Diego is about to decide whether to keep expanding a citywide network of smart streetlights and automated license plate readers (ALPR) operated by two private vendors:

  • Ubicquia, which supplies the “smart streetlight” hardware and cloud management platform.
  • Flock Safety, whose ALPR network now spans thousands of agencies nationwide and runs on Amazon Web Services (AWS).[1][2][3]

In 2023, the City entered into a five-year agreement worth roughly $12 million with Ubicquia for 500 smart streetlight cameras paired with Flock ALPR technology.[1][3][4]

On paper, the City “owns” the data. The official press release says the City will control “Smart Streetlight and ALPR data,” and the contract sets short retention windows: 30 days for ALPR images and 13 days for streetlight video.[1][5]

In practice:

  • Data from San Diego’s poles flows into vendor-controlled cloud platforms (Ubicquia’s and Flock’s), not a City-owned data center.
  • Flock’s system is part of a national ALPR network that has already been misused for immigration and abortion-related investigations in other states.
  • San Diego’s own Police Practices & Accountability Board (PAB) has publicly said SDPD and Flock are not in compliance with the City’s TRUST surveillance ordinance.[6][7][8]

December 9th’s vote is not just about catching car thieves. It’s about whether San Diego wants to lock itself deeper into an infrastructure it does not fully control.

II. “It helps us catch car thieves”: what Chief Wahl is selling vs. what the numbers say

In recent TV appearances, Police Chief Scott Wahl has framed ALPR as a car-theft solution: the system helps catch car thieves and drives auto theft down.

City communications echo that. A November 2025 City blog post describes ALPR as “highly effective” and claims that since the system rolled out citywide:[2][5]

  • ALPR has supported roughly 600 investigations.
  • It has recovered over $5.8 million in stolen property.
  • It has recovered more than 440 stolen vehicles.
  • Motor vehicle theft has dropped about 20% in San Diego.

On TV, that becomes a simple story:

These cameras catch car thieves and brought theft down by 20%.

Let’s assume—generously—that this is mostly true, and then ask whether the trade is worth it.

A. How much value is actually at stake?

The California Highway Patrol’s 2023 Vehicle Theft Fact Sheet puts the average loss per stolen vehicle at about $8,872.[9]

If ALPR helped recover about 440 stolen vehicles, that’s roughly:

440 × $8,872 ≈ $3.9 million in avoided loss on vehicles alone

The City’s claim of $5.8 million in recovered property likely includes higher-value vehicles and non-vehicle stolen property recovered during ALPR-initiated stops.[2][5]

So the order of magnitude is: ALPR is being credited with several million dollars in recovered property over roughly the first couple of years.

B. What are we paying?

The combined smart streetlight + ALPR system is not cheap:

  • City Council approved a multi-year, approximately $12 million network of 500 smart streetlight / ALPR nodes.[1][3][4]
  • City documents and news coverage show an initial multi-million-dollar outlay (roughly $3.5–4 million) to get the first wave installed and online.[3][4]

Very rough napkin math:

  • First ~1–2 years: $3.5–4 million spent → ~440 vehicles recovered
    • That’s $8,000–$9,000 in contract cost per “ALPR-assisted” recovered vehicle so far.
  • If you smear the full $12 million across the same 440 vehicles (ignoring future recoveries, just to show scale), you get ~$27,000 per recovered vehicle over the life of the deal.

Those are crude numbers, but they make one thing clear: we are paying millions in public money to recover millions in property—roughly the same order of magnitude.

C. Many stolen cars are already recovered without ALPR

Nationally, a large share of stolen vehicles are recovered even without systems like Flock:

  • The National Insurance Crime Bureau and related sources peg recovery rates somewhere between 50–60% nationally, and some datasets show over 80% recovered when you include all conditions and jurisdictions.[10][11][12]

In other words:

  • Even in places with minimal ALPR deployment, a majority of stolen vehicles eventually come back through traditional policing, manufacturer tracking (OnStar, app-based systems), LoJack-style hardware, and basic public tips.

ALPR can still add value—it can help recover some vehicles faster or recover cars that might otherwise vanish—but its incremental impact is necessarily smaller than the raw “440 recovered vehicles” number implies.

D. Auto theft was already dropping before you credit ALPR

City messaging highlights a ~20% drop in motor vehicle theft and strongly links it to ALPR.[2][5][13]

But during the same period:

  • Nationally, vehicle thefts fell by about 16–17% from 2023 to 2024, the largest drop in 40 years, according to NICB.[11]
  • That decline is widely attributed to Hyundai/Kia anti-theft software updates, focused enforcement, and other national-scale factors.[11][14]
  • California as a whole also saw double-digit improvements in vehicle-theft metrics as CHP and local task forces intensified their work.[9][12]

So San Diego’s ~20% drop is real, but it sits on top of a broader national and statewide downturn in auto theft that would have reduced crime whether ALPR existed or not.

If those broader trends would have produced, say, a 12–17% drop on their own, ALPR’s incremental contribution is likely the small difference between that baseline and 20%—a few percentage points, not the entire 20%.

E. The real trade: marginal theft reduction vs. permanent surveillance

Even if you give ALPR half the credit for San Diego’s drop in vehicle theft (which is generous), the trade still looks like this:

  • San Diego spends tens of millions over time (contracts, operations, legal exposure).
  • In return, it gets a modest additional reduction in car theft and some faster closure on serious cases.

In exchange, the City also:

  • Builds a citywide, always-on vehicle tracking grid,
  • Hooks itself into a national Flock platform that has already been used in immigration and abortion-related investigations, and
  • Grants private vendors perpetual rights over aggregated movement patterns and platform telemetry.

The question is not “Does ALPR ever help catch car thieves?”—it clearly does.

The question is:

Is that incremental benefit worth the financial cost and the long-term data-control and civil-liberties costs of this system?

III. How the system actually works: from streetlight to AWS

To answer that, you need to see the plumbing.

A. Hardware on the pole

San Diego’s deployment combines:

  • Ubicquia UbiHub smart streetlight devices
    Mounted on existing poles, these units:
    • Provide power and LTE backhaul;
    • Include an integrated “situational awareness” video camera;
    • Offer ports for powering and networking additional devices, including ALPR cameras.[1][3][4]
  • Flock Safety ALPR cameras
    Typically Flock’s Falcon-series law-enforcement units, mounted under or near the streetlight head, capturing license plates, timestamps, and GPS coordinates.[2][5]

B. Data flow in plain language

  1. On the street
    • A car passes under a smart streetlight.
    • Ubicquia’s camera records general video of the scene.
    • Flock’s ALPR camera records still images + plate + time + location.
  2. At the pole
    • Ubicquia’s hardware provides power and LTE connectivity.
    • Flock’s camera stores images briefly on the device.
  3. To the cloud
    • Data travels over Ubicquia’s carrier partners to:
      • Ubicquia’s UbiVu platform (device management, health, some video routing), and
      • Flock’s cloud on Amazon Web Services (AWS), including AWS GovCloud for criminal-justice-sensitive data.[2][3][5]
  4. Storage & retention
    • ALPR images: City policy says they’re available for 30 days and then must be automatically deleted.
    • Situational awareness video: 13-day retention, then deletion.
    • The contract states that “deleted” footage and images must not be stored or retained in any manner.[5]
  5. Access & sharing
    • SDPD accesses the system through web portals integrated with City single sign-on, searching plates, reviewing footage, and exporting clips for cases.[2][5]
    • Flock’s platform provides cross-jurisdiction search features (sometimes called “National Lookup”), allowing other agencies to query San Diego cameras if configuration and state law permit it.[9][15][16]

The physical cameras sit on City poles. The brains and data sit in Ubicquia and Flock’s cloud infrastructure.

IV. What the contracts say – and what they quietly give away

The City’s official talking points emphasize a few strong-sounding protections:

  • The City “owns” City Data (ALPR images, video, etc.).
  • Vendors are not allowed to “sell” City Data.
  • ALPR and video data must be auto-deleted after short retention windows.[1][5][7]

Those points are true—but incomplete.

A. City Data vs. Aggregated Data vs. platform telemetry

The Ubicquia contract defines separate buckets of data, including:[5][7][19]

  • City Data – footage and records directly associated with San Diego.
  • Aggregated Data – data derived from City Data and other customers’ data, stripped of direct identifiers and combined.
  • Product Platform Data / Support and Maintenance Data – telemetry like device health, usage statistics, GPS of poles, software versions, etc.

The key clause:

  • The City grants Ubicquia a “non-exclusive, perpetual, irrevocable, worldwide, royalty-free, fully paid license” to use City Data as part of Aggregated Data for purposes including:
    • Improving Ubicquia’s services,
    • Developing new products, and
    • Crime-prevention efforts.

That means:

Even after San Diego’s raw footage and plate images are deleted, Ubicquia (and by extension Flock as a subcontractor) can continue using the patterns they extracted from that data indefinitely.

The TRUST SD “People’s Surveillance Impact Report” flags this as a serious concern: residents’ movement patterns can be embedded in vendor models and datasets “forever,” even after individual records are gone.[7][19]

B. Retention rules are only as strong as configuration and security

On paper:

  • ALPR images older than 30 days, and video older than 13 days, “shall not be stored or retained in any manner.”
  • Devices are supposed to overwrite local storage at those intervals.[5]

In reality, those promises depend on:

  1. Proper vendor configuration and honest reporting; and
  2. No unauthorized copies or leaks.

If:

  • A device is misconfigured,
  • A cloud backup is mis-scoped, or
  • A camera is compromised in the field,

then data can exist outside the official retention path.

Nothing in the contract magically deletes copies that leave the official pipeline.

V. What vendors keep, even after deletion

Even if Ubicquia and Flock follow the letter of the contract perfectly, they retain:

  1. Aggregated movement data
    • Patterns of when and where vehicles travel, not tied to specific license plates but still extremely valuable for analytics and product development.
  2. Platform telemetry
    • Uptime by neighborhood, frequency of searches, types of queries SDPD runs, and more.
  3. Network-level insight
    • Because Flock operates in thousands of communities, it can see cross-jurisdictional patterns (e.g., routes of frequently stolen models, common dump locations) that no single city—including San Diego—can fully audit.[2][15][16]

The City, by contrast, is limited to:

  • A 30-day rolling slice of plate-level data,
  • A 13-day slice of video, and
  • Whatever the vendors choose to expose via dashboards and reports.

VI. Misuse elsewhere: immigration, abortion, and “leaving the door wide open”

To understand the risk, it’s not enough to say “this could be abused.” We have real examples where Flock data already has been.

A. Illinois: CBP access and an abortion investigation

In August 2025, Illinois Secretary of State Alexi Giannoulias released the results of an audit into ALPR misuse:[9][17][18]

  • The state discovered that U.S. Customs and Border Protection (CBP) had gained access to Illinois ALPR data despite a 2023 law that prohibits sharing license-plate data with out-of-state or federal agencies for immigration or abortion-related investigations without a court order.
  • The audit found that Flock Safety “failed to implement sufficient safeguards” to prevent such access.
  • Giannoulias ordered Flock to shut off CBP’s access to Illinois data.

Earlier that summer, AP reporting revealed:[18]

  • A Texas sheriff used a Flock-enabled national ALPR search to look for a woman who had self-managed an abortion, triggering outrage in Illinois and prompting the broader audit.

In response:

  • Flock announced it had paused cooperation with federal agencies on certain pilot programs and added keyword filters (e.g., “abortion,” “immigration,” “ICE”) to block some sensitive searches.[8][18]

But those safeguards were added after misuse was exposed. They did not prevent the abuses in the first place.

B. Washington: “Leaving the Door Wide Open”

In October 2025, the University of Washington Center for Human Rights published a report titled “Leaving the Door Wide Open: Flock Surveillance Systems Expose Washington Data to Immigration Enforcement.”[11][16]

The report found:

  • At least eight Washington law-enforcement agencies were effectively giving federal immigration authorities direct access to their Flock data.
  • Some local agencies claimed they did not understand how Flock’s “National” search tools were configured and did not fully grasp who could query their data.

Flock responded with a public statement, acknowledging the concerns raised by the report and outlining changes to its configuration and governance model.[6]

Again, the pattern is the same:

The default system is open and interconnected. Restrictions tighten only when outside investigators or regulators force the issue.

San Diego is currently part of that same network.

VII. Security concerns: when “delete after 30 days” isn’t enough

Policy and configuration are one side of the risk. Technical security is the other.

Independent researchers and security-focused creators have published demonstrations—like the widely shared “We Hacked Flock Safety Cameras in Under 30 Seconds” video—showing how Flock devices in the field can potentially be compromised with relatively little time and access.

/

In public statements responding to various reports, Flock has:[6]

  • Acknowledged that independent research identified security issues in its systems.
  • Said that firmware patches and mitigations were deployed to address those vulnerabilities.

You don’t need to adjudicate the entire technical debate to see the problem for San Diego:

  • If a camera or local node can be compromised at the edge, then regulatory promises about “we delete after 30 days” only cover official storage.
  • A bad actor—whether a rogue insider, a contractor, or an external attacker—can in principle siphon off video and plate data before it ever reaches the official retention and deletion pipeline.

So even in a world where Ubicquia and Flock are honest and diligent, field-level risk remains.

VIII. San Diego’s own track record and oversight gap

Even if you ignore Illinois and Washington, San Diego itself has already had serious problems with this vendor ecosystem.

A. The previous smart streetlight fiasco

San Diego’s first smart streetlight program was marketed as a way to study traffic and air quality. Residents later learned that police were using those cameras for investigations without robust public debate.[4]

When the City tried to shut the program down:

  • It found that turning the system off was not a simple City decision.
  • Coverage at the time described how the vendor effectively held the “off switch,” and disabling access required negotiation and technical changes controlled by the vendor, not the City.[4]

We are now back with Ubicquia and Flock, promising a better-governed version of a similar system.

The structure—vendor-owned platform, city as tenant—has not fundamentally changed.

B. PAB and TRUST SD: we’re not in compliance already

San Diego adopted the TRUST Ordinance to regulate surveillance technology and require public reporting and Council approval.[7][19]

In 2025, the Police Practices & Accountability Board looked at SDPD’s ALPR Annual Surveillance Report and concluded that SDPD and Flock were not in compliance with the ordinance’s transparency and reporting requirements.[6][7]

The TRUST SD coalition’s ALPR “People’s Surveillance Impact Report” likewise highlights:[7][19]

  • Gaps in the City’s reporting and oversight,
  • The inability of residents to meaningfully opt out, and
  • The risk of normalizing pervasive vehicle tracking across the city.

In plain English:

We’re being told to expand a system that our own oversight bodies say we aren’t governing correctly now.

IX. So is this worth it?

Putting it all together:

  1. What we’re buying
    • A $12 million, five-year contract for 500 Ubicquia/Flock nodes with ALPR and cameras.[1][3][4]
    • A pipeline from San Diego’s streets into vendor-controlled cloud platforms and a national ALPR network.
  2. What we get
    • A 30-day rolling window of searchable plate data and 13 days of video.
    • Real investigative wins: hundreds of vehicles recovered and some serious cases advanced or solved.[2][5]
  3. What vendors keep
    • Perpetual rights to Aggregated Data derived from San Diegans’ movements.
    • A richer network dataset that increases the value of their product to thousands of other agencies.
  4. What’s already gone wrong elsewhere
    • Flock data used by CBP and out-of-state sheriffs in ways that undermined state laws protecting against immigration and abortion-related surveillance.
    • Flock having to halt pilot programs with federal agencies and bolt on new safeguards after the fact.[8][9][16][18]
  5. What’s not working here
    • Local oversight boards (PAB, TRUST SD) say SDPD + Flock are not in compliance with our own surveillance ordinance right now.[6][7][19]
    • We already learned once that we didn’t really control when a smart streetlight system was on or off.[4]
  6. The car theft piece, in context
    • ALPR is likely one of many reasons auto theft is down in San Diego.
    • But nationwide and statewide trends—including anti-theft fixes and dedicated task forces—would have driven theft down even without this system.[9][11][12][14]
    • The incremental benefit from ALPR is real but much smaller than the full 20% headline suggests.

The actual question in front of Council

The decision is not:

“Do you support catching car thieves?”

The real question is whether the marginal improvement in car-theft outcomes and case clearances from this specific Ubicquia + Flock system is worth:

  • Continuing a $12 million long-term contract,
  • Entrusting vendors with perpetual rights over aggregated movement data,
  • Keeping San Diego plugged into a national ALPR network that has already been misused for immigration and abortion enforcement, and
  • Expanding a system that our own oversight bodies say we aren’t currently in compliance with.

A reasonable answer, based on the evidence, is no.

San Diego can:

  • Pursue car-theft reduction through targeted operations, manufacturer partnerships, and narrowly scoped technology;
  • Mandate independent security and governance audits instead of relying solely on vendor assurances;
  • Renegotiate any future data-sharing systems to eliminate perpetual “Aggregated Data” rights and tightly restrict cross-jurisdictional access;
  • And insist that any system we deploy comes with a City-controlled off switch, both technically and contractually.

Until those conditions are met, expanding the Ubicquia + Flock system is less a public-safety plan and more a long-term bet on a surveillance infrastructure the City does not truly govern.

References

1. CHP – “2023 California Vehicle Theft Facts” (fact sheet, 2023).
PDF: https://www.chp.ca.gov/contentassets/b654520539d84b198842cea7293f2935/2023-vehicle-theft-fact-sheet.pdf California Highway Patrol

    2. City of San Diego – “San Diego Police Get Final Approval to Deploy Smart Streetlight, Automated License Plate Recognition Technologies” (press release, Nov. 14, 2023).
    PDF: https://www.sandiego.gov/sites/default/files/2023-11/20231114%20San%20Diego%20Police%20Get%20Final%20Approval%20to%20Deploy%20Smart%20Streetlight%2C%20Automated%20License%20Plate%20Recognition%20Technologies.pdf San Diego Official Website

    3. City of San Diego – “City Council to Hold Annual Review of Highly Effective License Plate Reader Technology” (Inside San Diego blog, Nov. 5, 2025).
    https://www.insidesandiego.org/city-council-hold-annual-review-highly-effective-license-plate-reader-technology Inside San Diego

    4. GovTech – “San Diego OKs $12M Police Surveillance Network” (Nov. 2023).
    https://www.govtech.com/public-safety/san-diego-oks-12m-police-surveillance-network NBC Chicago

    5. City of San Diego – “Smart Streetlight, License Plate Reader Technology Helping Solve Crimes” (Mayor’s site, Oct. 14, 2024).
    https://www.sandiego.gov/mayor/smart-streetlight-license-plate-reader-helping-solve-crimes San Diego Official Website

    6. SDPD – Amended ALPR Annual Report (Aug. 1, 2025).
    PDF: https://www.sandiego.gov/sites/default/files/2025-08/amended-alpr-annual-report.pdf San Diego Official Website

    7. Police Practices & Accountability Board – “Final PAB Recommendation re: 2025 ALPR Annual Report” (Nov. 5, 2025).
    PDF: https://www.sandiego.gov/sites/default/files/2025-11/pab-recommendation-amended-2025-alpr-annual-surveillance-report.pdf San Diego Official Website

    8. TRUST SD / San Diego TRUST Ordinance background and ALPR critiques – “TRUST People’s Surveillance Impact Report for ALPR” (Mar. 11, 2025).
    PDF: https://sandiegotrust.org/TRUST-Peoples-Surveillance-Impact-Report-ALPR.pdf TRUST SD Coalition

    9. AP News – “License plate camera company halts cooperation with federal agencies among investigation concerns” (Aug. 26, 2025).
    https://apnews.com/article/cc5f29df94a29ee2c6c2feb2151c8f5e AP News

    10. Illinois Secretary of State – “Giannoulias’ Audit Finds License Plate Reader Company in Violation of State Law” (Aug. 25, 2025).
    https://www.ilsos.gov/news/2025/august-25-2025-giannoulias-audit-finds-license-plate-reader-company-in-violation-of-state-law.html Illinois Secretary of State

    11. NICB – “NICB West Region Task Forces – Vehicle Recovery Work” (blog).
    https://www.nicb.org/news/blog/nicb-west-region-task-forces-vehicle-recovery-work National Insurance Crime Bureau

    12. Insurance Information Institute – “Facts + Statistics: Auto theft” (2024 NICB-based data).
    https://www.iii.org/fact-statistic/facts-statistics-auto-theft III

    13. CHP – “Auto Theft” portal and related vehicle-theft data resources.
    https://www.chp.ca.gov/notify-chp/Auto-Theft/ California Highway Patrol

    14. Times of San Diego – “Committee Approves Continued Use of Surveillance Tech in San Diego” (Nov. 13, 2025).
    https://timesofsandiego.com/crime/2025/11/13/committee-approves-continued-use-of-surveillance-tech-in-san-diego/ Times of San Diego

    15. NICB – “Vehicle Thefts in United States Fell 17% in 2024” (news release, Mar. 18, 2025).
    https://www.nicb.org/news/news-releases/vehicle-thefts-united-states-fell-17-2024 National Insurance Crime Bureau

    16. News From The States – “Hundreds of police departments use camera company accused of breaking state law” (Aug. 27, 2025).
    https://www.newsfromthestates.com/article/hundreds-police-departments-use-camera-company-accused-breaking-state-law News From The States

    17. UW Center for Human Rights – “Leaving the Door Wide Open: Flock Surveillance Systems Expose Washington Data to Immigration Enforcement” (Oct. 21, 2025).
    https://jsis.washington.edu/humanrights/2025/10/21/leaving-the-door-wide-open/ JSIS

    18. NBC Chicago – “Company violated Illinois law by sharing license plate data with Customs and Border Protection: Giannoulias” (Aug. 25, 2025).
    https://www.nbcchicago.com/news/local/company-violated-illinois-law-by-sharing-license-plate-data-with-customs-and-border-protection-giannoulias/3814914/ NBC Chicago

    19. GovTech – “Flock Pledges Changes After Illinois Data-Sharing Accusation” (Aug. 26, 2025).
    https://www.govtech.com/biz/flock-pledges-changes-after-illinois-data-sharing-accusation GovTech

    20. TRUST SD – additional ALPR community reporting and ordinance context, as cited within the TRUST ALPR report.
    (Same PDF as [7], plus related materials on sandiegotrust.org.) TRUST SD Coalition