CLASSIFICATION: SUPPLY-CHAIN MAP SCOPE: United States; expanding into Canada, UK, Australia, Mexico KNOWN VENDORS: Flock Safety, Motorola Solutions / Vigilant Solutions, Rekor Systems, DRN (Digital Recognition Network), MVTRAC ESTIMATED FLEET (2026): 60,000+ fixed ALPR cameras and 100,000+ mobile units across the US --- The pitch versus the reality ALPR ("automated license plate reader") cameras are sold to municipalities and HOAs as missing-vehicle and stolen-car finders. The pitch is narrow: a camera reads every plate that passes, compares it to a hot list of stolen cars and Amber Alerts, and pings police on a hit. The reality of what these systems collect is broader. Each scan typically captures: The plate text (OCR'd) A timestamp A GPS location of the camera A photograph of the vehicle In many systems, a "vehicle fingerprint" — make, model, colour, bumper-sticker text, roof-rack profile, dent and damage signatures Those scans are retained — often for years — whether or not the vehicle was on any hot list. The aggregated archive is the actual product. The four layers of the supply chain Each layer is operated by a different commercial entity, and each layer adds resale value to the underlying scan. Who's buying, and what they get Police and federal agencies (CBP, ICE, FBI, DEA). Subscription access to the national pooled index. 404 Media and others have documented federal queries against Flock data routed through cooperating local departments, including queries unrelated to the originating department's jurisdiction. Auto repossession firms. DRN and MVTRAC sell mobile ALPR cameras to tow-truck operators who scan parking lots all day; aggregated scans then surface delinquent vehicles for nationwide recovery. Auto insurers. Movement-pattern data is purchased to detect garaging-address fraud (you told the insurer the car lives in a low-rate zip code; the scans say otherwise), unreported commercial use, and undisclosed regular drivers. Sub-prime auto lenders. Scans are used to "skip-trace" borrowers behind on loans before initiating repossession. Private investigators. Many vendors offer a verified-business tier with no probable-cause requirement. Some HOAs and CRE landlords have direct dashboards to query their own gate cameras for resident-or-guest movement patterns. What's not constrained, by default Unless your state has passed a specific ALPR statute, the following are generally not legally restricted in the United States: Retention period (vendors set their own; common defaults are 30 days for police hot-list use but 1–5 years for the broker-resale archive) Cross-jurisdictional sharing (a scan from your local HOA gate can be queried by a sheriff three states over) Federal access via cooperative agreements Resale to insurers and lenders Aggregation with cellular movement data, smart-city sensor feeds, and toll records to build composite mobility profiles Roughly a dozen states have passed ALPR-specific laws (California's Civil Code §1798.90.5 is the most-cited template). They generally restrict government retention, not commercial broker resale. What's been documented in 2025–2026 Flock audit-log leaks. Multiple records requests have surfaced individual officers running plate searches for personal reasons (ex-partners, neighbours, journalists covering the department). Documented in 404 Media's ongoing series. Federal "lookups by proxy." Federal agents without direct Flock contracts have requested local PDs run searches on their behalf, then received the results — bypassing federal procurement scrutiny. Insurance pricing models that incorporate ALPR-derived "garaging-address truthfulness" scores have been disclosed in two state insurance-commissioner filings. DeFlock, an open-source crowdsourced map of fixed ALPR camera locations, crossed 10,000 verified camera entries and now serves as a de-facto public registry that the vendors themselves never published. What you can actually do Most defences are partial. There is no consumer "opt out" of a license-plate-reader scan the way there is for some data brokers. Know what your state law says. California, New Hampshire, Maine, Vermont, Utah and several others have meaningful retention or use restrictions you can cite in records requests and complaints. File state-level Driver's Privacy Protection Act (DPPA) complaints when DMV data has been re-disclosed without permitted-use justification. Submit CCPA / CPRA requests in California (and equivalents in CO, CT, OR, TX, VA, etc.) to data brokers including DRN/MVTRAC, requiring them to disclose ALPR-derived records about your registered vehicles and to delete them. Check DeFlock before relying on a "private" route. Knowing where the cameras are at least lets you make informed choices. Petition your municipality for an audit log requirement, retention cap, and prohibition on federal-agency queries through your local PD's Flock contract. Several cities (San Marino CA, Sedona AZ, others) have done exactly this in 2025–2026. Vehicle-level mitigations (plate covers, infrared LEDs, license-plate "frames") are illegal in nearly every US state and will not actually defeat modern OCR. We do not recommend them. The bottom line A license plate is a state-issued unique identifier, broadcast continuously and visibly by law to every camera that can see it. We have built a national infrastructure that treats that identifier as a continuous location ping — and a parallel commercial market that resells the resulting movement graph to anyone who can pay. You did not consent to that market existing. The market was built around you, on a regulatory premise from the 1980s that nobody updated. We will keep mapping the supply chain as it grows.