The 4th Amendment Loophole

The promise

In 2005, federal agents attached a GPS tracker to Antoine Jones’s Jeep without a valid warrant and left it there for 28 days, logging every trip he took. Seven years later, in United States v. Jones, the Supreme Court unanimously ruled that the tracking was an unconstitutional search. Five justices went further, arguing that even collecting public movements over a long enough period amounts to a search under the 4th Amendment.

Carpenter v. United States, decided six years later, made that argument the law. The government had obtained 127 days of cell-site location data from Timothy Carpenter’s wireless carrier on the strength of a court order alone, under a lower legal standard than a warrant. The Supreme Court said that wasn’t good enough. Chief Justice Roberts, writing for the majority, recognized that aggregated location tracking reveals what the Court called the “privacies of life.” Where you go, over time, tells a story. And the 4th Amendment protects that story from warrantless government access.

Two cases, same principle. The government can’t build a map of where you’ve been without a judge signing off. And for a few years, that looked like settled law.

The workaround

Carpenter drew a clear line, but it drew it in a specific place. The ruling applies when the government compels a company to hand over data.

So what happens when nobody gets compelled? What if a private company voluntarily builds the surveillance infrastructure, collects the data on its own, and then sells access?

That’s exactly how Flock Safety’s license plate reader network works. A city buys cameras. Those cameras scan every plate that drives by on public roads. The scan data enters Flock’s cloud platform, a shared national network. Any participating agency can search any other agency’s data, and anyone who buys a subscription can query the system.

The constitutional protection from Carpenter doesn’t apply because the government never ordered the surveillance. A private company built it. The government just bought a login.

There’s a legal concept called the “third-party doctrine” that courts have used for decades to justify this kind of arrangement. If you voluntarily share information with a third party (your bank, your phone company), you’ve given up your expectation of privacy in that information. Carpenter was supposed to be chipping away at that doctrine.

But the private-company-as-middleman model sidesteps Carpenter entirely. Call it surveillance laundering. The government just goes shopping.

The doors open

In October 2025, the University of Washington Center for Human Rights published a report called “Leaving the Door Wide Open.” They’d spent months investigating how federal agencies access local police ALPR data, and they found 3 distinct mechanisms. They gave them names.

Front door. A local agency explicitly authorizes data sharing with a federal agency. In Washington state, 8 agencies opened this kind of direct access. At least they knew what they were agreeing to.

Back door. Federal agencies access data from local departments that never authorized sharing. In Washington, 10+ agencies were compromised this way, without their knowledge. Flock’s own network architecture made it possible. The system was designed so that data sharing could happen at the platform level, regardless of what any individual department thought it had agreed to.

Side door. A local officer runs a search on behalf of a federal agent. No federal account needed. No contract. No formal access request. Over 4,000 of these lookups were documented nationally by 404 Media.

The side door is the one that’s nearly impossible to prevent. A willing local officer is the entire access requirement. No technical access, no special permissions. And there’s no audit trail that distinguishes a search done for local purposes from one done on behalf of someone else.

Then there’s Colorado. In May 2025, a pilot program quietly enrolled 25 police departments in a data-sharing arrangement with federal agencies through the Flock network. None of those departments were told what they’d actually agreed to. When reporters started asking questions, Flock’s CEO denied having any federal contracts on camera. Three weeks later, the company issued a written admission that they had, in fact, signed contracts to give federal agencies access.

The specific agency matters less than the architecture that lets any agency in. The system has no guardrails. If one agency can access local surveillance data through the back door or the side door, then ANY agency can. The same architecture that lets one federal agency run warrantless searches lets every federal agency run warrantless searches.

More than 20 cities have reached the same conclusion. Denver, Cambridge, Evanston, and others have terminated or suspended their Flock contracts specifically because of this uncontrolled federal access to local data.

ALPR causes harm at the local level, too. Right here in Greenville, SC, two sisters driving a rental car were held at gunpoint after a Flock camera misidentified their plate. Both were handcuffed and put in the back of a squad car, now the basis of a lawsuit against the Greenville PD. A paperwork mistake had flagged the car as stolen. A plate scan was all it took, and nobody had to approve any of it.

The scale

The individual cases are bad enough. The aggregate picture is worse.

In San Jose, California, the EFF documented 261,000+ warrantless ALPR queries in just 14 months. In Virginia, investigators found roughly 3,000 searches on the Flock network tied to federal agency activity over a single year.

In South Carolina, the numbers are staggering. SLED (the State Law Enforcement Division) operates a centralized ALPR database that’s been collecting plate scans since at least 2019. Between 2019 and 2022, SLED logged 422 million license plate reads. Over 100 million scans per year, retained for 3 years, accessible to 2,000+ users across 99+ agencies. Fort Jackson and Parris Island are listed as contributors, military installations feeding data into a system with no statutory authorization.

This is EXACTLY the pattern the Supreme Court flagged in Carpenter. Individual plate scans might seem harmless. One camera catches you driving down Main Street. So what? But aggregated over weeks and months, those scans reveal which church you attend, which doctor you visit, whether you showed up at a political rally, a gun show, a protest, a support group, a custody hearing, etc. The Court called this the “mosaic theory.” The idea is that individually trivial data points can become a constitutional search when enough of them are assembled. The whole is more revealing than the parts, and the whole is what the 4th Amendment protects.

The Court recognized this pattern as constitutionally protected eight years ago, and the scans have been accumulating ever since.

All of it, every scan, every query, every year of retention, exists without a single South Carolina statute authorizing it. No retention limits written into law. No access controls. No warrant requirement. No penalties if someone misuses the data. SLED is operating on the honor system.

Fighting back

There are two paths to closing this gap. One runs through the courts, the other through the legislature.

The Institute for Justice is pursuing Schmidt v. City of Norfolk, the first major federal lawsuit challenging ALPR data collection under the 4th Amendment. Norfolk residents Lee Schmidt and Crystal Arrington argue that the city’s 176 Flock cameras amount to a warrantless search. In January 2026, a federal district judge disagreed, ruling the network wasn’t dense enough to reconstruct detailed movements. Even so, the judge warned that the analysis “could conceivably tip the other way” as networks grow. IJ is appealing to the Fourth Circuit, and a ruling there would be binding law in South Carolina.

But litigation takes years. Discovery, motions, appeals. The data keeps accumulating while the case works its way through the system.

The legislative path could move faster. In South Carolina, H.4675 was written to close exactly the gaps this post describes. It reads like a point-by-point response to the problems with the current system:

Bans third-party cloud storage of ALPR data, which is the infrastructure that makes the back door possible. If the data can’t live on Flock’s national network, federal agencies can’t query it through that network. That’s the provision that closes the back door. No national network, no federal query.
Requires a warrant for law enforcement to access historical plate data. This is the Carpenter principle that courts haven’t enforced for ALPR yet, written directly into state law.
21-day retention limit, compared to SLED’s current practice of holding data for 3 years with no legal basis.
Bans AI-based vehicle tracking beyond license plates, closing the door on Flock’s “Vehicle Fingerprint” feature that identifies cars by make, model, color, and accessories.
Quarterly independent audits by the SC Inspector General, with annual transparency reports.
Civil remedies for individuals whose data is misused: injunctive relief, damages, and attorney’s fees.
Illegally obtained data is inadmissible in any proceeding.
Existing contracts that violate the law are void on passage.

The bill is sponsored by 4 Freedom Caucus Republicans. Rep. Todd Rutherford, a Democrat, has been pushing separate ALPR regulation since 2020. You don’t usually see Freedom Caucus Republicans and Democratic civil liberties advocates writing parallel bills. That happens when the constitutional issue is unambiguous.

Carpenter drew the line, and H.4675 is someone finally willing to enforce it. Right now, it’s sitting in the House Judiciary Committee waiting on a vote.

Take Action

Find your city council, county council, and state legislators.