For six months, anyone with the right web link could watch San Francisco police drones in real time — no password, no hacking required.
Story Snapshot
- Live feeds from five San Francisco Police Department drones streamed openly on the internet for about six months with no password protection.
- The feeds showed color video, thermal imaging, live locations, and the names and email addresses of six drone pilots.
- Researchers watched footage of arrests, apartment visits, homeless encampment searches, and people tracked who had done nothing wrong.
- No hacking was involved — a misconfigured sharing link with no authentication code left the feeds wide open to anyone.
Anyone Could Watch — No Password Needed
Security researchers Sam Curry and Maik Robert discovered that live feeds from five San Francisco Police Department (SFPD) drones were streaming openly on the internet. The feeds required no login, no password, and no technical skill to access. The researchers simply had the web link. They reported the problem to drone maker Skydio two days after finding it, and the feed was taken offline shortly after.
The exposed stream carried both color video and thermal imaging. It also showed live location data and the names and email addresses of six SFPD drone pilots — all visible to anyone with the link. The SFPD called the link “improperly obtained and accessed by individuals without authorization.” But researchers pointed out there was nothing to bypass. The link was public, and it had no password.
What the Footage Actually Showed
Before the feed went dark, the researchers archived more than three hours of footage covering 44 miles of drone flight. They watched multiple arrests, visits to apartment buildings, searches of homeless encampments, and police tracking cars and individuals who were never connected to any crime. The faces of dozens of people — none of whom knew they were being filmed — were clearly visible.
One example stood out. The Wired investigation documented a drone deployment triggered by a “suspicious person” call that turned up nothing. A critic noted the people flagged were simply “on their way to go play some basketball.” The SFPD says its drones are only authorized for active criminal investigations, vehicle pursuits, and training. The footage suggests the reality on the ground does not always match that policy.
A Pattern Bigger Than San Francisco
This is not a one-time mistake. In 2021, 1.8 terabytes of Dallas Police Department helicopter surveillance footage leaked from an unsecured cloud server, exposing thermal imaging of private homes and backyards. A separate breach exposed a database from drone software company DroneSense that included flight paths, pilot names, and drone details for more than 200 law enforcement customers. Poor cloud security settings — not sophisticated hacking — caused all of these exposures.
A Leak of San Francisco Police Drone Footage Exposes the New Reality of Urban Surveillance | Andy Greenberg & Dhruv Mehrotra, WIRED
Just after noon on a Saturday last month, a Skydio X10 quadcopter hovered about 200 feet over a San Francisco apartment complex, watching police… pic.twitter.com/KxIZ3yKjmi
— Owen Gregorian (@OwenGregorian) July 14, 2026
There is no national framework governing how police departments store or share drone data. San Francisco voters approved expanded drone use in March 2024, and the SFPD credits drones with helping cut auto thefts by 56% and making more than 1,000 arrests since April 2024. Those results matter. But a department flying more than 600 drone missions a month while leaving live feeds unsecured for half a year raises a hard question: who is watching the watchers? The SFPD says it has tightened its sharing settings and found no evidence anyone beyond the two researchers accessed the feeds. It has not released access logs to prove it.
Sources:
reclaimthenet.org, dronexl.co, facebook.com, vexdynamics.com, live.skydio.com, sanfranciscopolice.org, eff.org, dronedj.com










