Two security researchers stumbled onto something that should have required a warrant — or at least a login. Sam Curry and Maik Robert found a publicly accessible web address streaming live San Francisco police drone feeds. Color video. Thermal imaging. GPS coordinates. Pilot names and email addresses. All of it wide open, like leaving your Find My Friends on for the entire internet. They reported it to Skydio, the San Mateo-based drone maker whose X10 system powers SFPD’s fleet, and the link went offline. But the damage to public trust was already airborne. This incident joins a troubling pattern of covert digital monitoring failures — reminiscent of how a surveillance app was built to covertly target individuals with little public oversight.
The Gap Between Transparency and a Live Feed
SFPD publishes flight logs after the fact — this exposed active operations in real time.
SFPD already runs a transparency portal where you can review drone flight data retroactively. That’s a different category entirely from what this link provided: live operational surveillance. The exposed feed reportedly captured arrests, detentions, apartment windows, and alleyway sweeps — footage sweeping up bystanders far beyond any targeted investigation.
Here’s what was visible through that exposed URL:
- Live color and thermal video streams
- GPS coordinates, altitude, speed, and heading data
- Battery levels and flight telemetry
- Operator names and email addresses
SFPD called it an “internal restricted link” that was “improperly obtained and accessed by individuals without authorization.” The researchers say they bypassed no authentication whatsoever. That distinction matters enormously. This wasn’t a sophisticated breach. It was a door left unlocked — the difference between a polished product demo and a production environment nobody bothered to secure. If you’re reconsidering your own exposure after reading this, it may be worth reviewing what home security systems experts recommend for closing similar gaps at a personal level.
A Fleet That Grew 10x Before the Guardrails Caught Up
When one misconfigured URL can expose a citywide sensor network, scaling fast becomes a serious liability.
Since voters passed Proposition E in March 2024, SFPD’s drone fleet reportedly ballooned from 6 units to 63, logging more than 1,400 flights. These drones now operate alongside automated license plate readers and fixed cameras — a growing sensor network where one weak link can expose the entire mesh.
Privacy advocates have described police drone data as a “toxic asset,” according to public reporting, arguing that even routine flights capture vast amounts of incidental personal information. That risk compounds sharply if AI tools are eventually used to search or analyze archived footage at scale. This pattern echoes broader concerns about government platforms secretly tracking users without adequate disclosure or safeguards.
SFPD says it tightened sharing protocols after the exposure. Retention rules, access controls, and the prospect of AI-powered search across archived footage, however, remain unresolved. The department’s own policy requires deleting non-evidentiary footage within 30 days. Whether that standard is enforced — and by whom — remains an open question for municipal oversight bodies and residents alike.




























