PUBLIC - This article does not require an IPVM subscription. Feel free to share.
In a city already roiled by protests over Flock's surveillance cameras, with prior records showing Flock employees accessed live feeds and the company deploying crisis PR professionals to city meetings, Dunwoody's City Council asked a city official to conduct a security assessment of Flock before voting on a contract expansion, meant to reassure the public.
Internal emails obtained through open records requests show that the assessment was manipulated. The city's Technology Director asked Flock's salesperson to "help bring the score up." The scoring rubric was then rewritten before the public presentation: a new favorable tier was inserted, definitions were softened, and scores were improved. There is no indication these scores were ever independently verified. They were drawn from answers Flock provided about itself.
This report was based on FOIA documents shared with us by a Dunwoody resident, Jason Hunyar, who first reported on this story.
Why Dunwoody Matters to Flock
Dunwoody is a rare documented case. Most concerns about how surveillance vendors manage city relationships remain impossible to prove. Here, the records exist
Dunwoody sits less than 30 minutes from Flock's Atlanta HQ. The company more than 10x'd its federal lobbying spend in 2025, deployed senior executives to a sub-quarter-million-dollar contract meeting, and dispatched a crisis PR team to Dunwoody police headquarters while citizens were testifying before the council. That level of attention to a small municipal contract reflects how Flock perceives what a very public hometown loss would signal at a moment of broader national pressure.
Indeed, more than 60 cities have moved to terminate or pause Flock contracts. The company faces active class action lawsuits seeking billions in damages, congressional scrutiny, and organized opposition from the ACLU, EFF, and Institute for Justice.
Cities Must Do Better
Municipalities across the country routinely assess surveillance vendors by interviewing those vendors and their own police departments, then presenting the results to councils as independent analysis. That approach is inadequate for systems that affect the public safety of local communities.
Independent assessment requires independent criteria, independent evaluators, and a process in which the vendor being assessed has no role in shaping findings or improving scores. What happened in Dunwoody was the opposite of that. The council was told it received a comprehensive security assessment. The records show it received a vendor-crafted one.
Background
By early 2026, Flock's deployment in Dunwoody had already generated significant public controversy. Public records requests by local resident Jason Hunyar surfaced evidence of Flock sales employees accessing live camera feeds at community facilities, directly contradicting the company's own public statements. Separately, records showed Flock assembled a crisis communications team for a closed-door meeting at Dunwoody Police headquarters while citizens were simultaneously testifying before the city council about the company's security vulnerabilities.
The New Controversy
A recent report by Hunyar revealed a concerning development involving Flock and Dunwoody, centered on a security assessment of Flock conducted as part of the contract approval process.
During a March 2026 city council meeting, where Flock contract expansion was discussed at length, Ginger LePage, Dunwoody's Technology Director, presented her work to the City Council as a "comprehensive security assessment" of Flock, which the council asked her to do, with her conclusion being that "Flock OS 911 ... meets expectations, [there is] minimal risk, basically it's just like any other similar product." Over approximately one month, she said she had "completed interviews with the PD, completed interviews with Flock, and developed the matrix that we're about to talk about," producing a color-coded risk matrix across six categories. The assessment concluded risk was "acceptable" and recommended the council move forward with Flock's contract.
Attendees at the city council meeting were openly dismissive. Security researcher Benn Jordan called the assessment "a performative graphic to fool the public," stating he could contradict its findings "off the top of my head." Other attendees called it "a terrible sales pitch," challenged its core conclusions, including the claim that only law enforcement accessed the system, and flagged factual contradictions within the slides themselves.
However, the issues with the review go deeper as internal emails reveal a markedly different picture of how that matrix was actually prepared.
The Emails
Technical Director LePage's emails obtained through Georgia Open Records requests show that the risk matrix was built on answers provided by Flock itself:
Moreover, prior to the public presentation, LePage reached out to Flock account executive Steve Hampton and the Dunwoody Deputy PD Chief, asking them to "help bring the score up."
We do not have access to the attachments LePage sent to Flock's AE and Deputy PD Chief to confirm which aspects needed improvement. However, the original scoring matrix and the one presented at the meeting differed significantly, and the new version favored Flock. The original rubric had four tiers: Green, Amber, Red, and N/A, and the council-hearing-facing version inserted a new "Yellow" category between Green and Amber, while the definitions across all tiers were substantively softened.
For example, under the original Amber definition, a finding required partial evidence and demanded follow-up or contract language before it became enforceable. In the council version, Amber was redefined as "Meets with conditions / High Risk," while the new Yellow absorbed what the original Amber had covered, described in terms that suggested moderate rather than serious concern. Red was similarly weakened, dropping the specific "unacceptable risk/control gaps" framing in favor of softer language.
As a result of these changes, ~36% of all criteria were scored at the new level (Yellow). Under the original rubric, some of these would have been Amber or Red, producing a matrix with a higher percentage of serious risk findings rather than the moderate-concern picture presented to the council.
We believe this type of dynamic, with vendors shaping their own assessments and rubrics softened before public presentation, is not unique to Dunwoody. But it is extremely difficult to know, because finding out requires submitting public records requests, which are time-consuming and jurisdiction-specific. We have heard from sources that arrangements of this kind occur elsewhere, with various vendors, but we cannot determine the exact scale.
Existing Precedents
For Dunwoody specifically, we searched for historical precedents of similar vendor security assessments conducted by the municipality and for cases where scoring rubrics were altered between internal and public-facing versions, and found no comparable examples. It is therefore unclear to us whether this type of rubric modification is an isolated occurrence or a broader pattern. What we did find is a Dunwoody vendor security questionnaire from August 2024, which appears to be a prior version of the same type of evaluation process. That earlier questionnaire is significantly less detailed than the one used in the Flock assessment, suggesting the city's security review framework has evolved.
Why This Was Done Remains Unanswered
We do not know why Technical Director LePage reached out to Flock to ask them to raise their own scores in a city-commissioned review. We contacted LePage with several questions, including the rationale for involving a Flock representative in the assessment, whether this reflects Dunwoody's standard practice for similar vendor reviews, and how she would explain the changes to the scoring rubric between the two versions. As of publication, she / the city has not responded.
What is clear is the consequence. The council used this assessment as a material input in deciding whether to approve a contract expansion with Flock. If the assessment understated the system's true risk profile, whether through reliance on vendor self-reporting, score inflation, or rubric changes, the council may have made that decision on a materially inaccurate basis.
No Comment From Flock
We reached out to Flock, and the company's CCO, Josh Thomas, declined to provide a comment to us for this report.
Worse Than NCS4
The pattern here has a recent precedent. In 2022, IPVM documented how NCS4, a publicly funded academic center, allowed Evolv to design its own testing criteria, edit the final report through at least 14 drafts, delete findings showing its weapons-detection system failed to detect knives, and call the result's validation by a "fully independent third party". Evolv paid for the exercise, and neither party disclosed the financial relationship. Evaluators who recommended "full transparency to potential customers based on data collected" had their comments removed before publication.
The Dunwoody situation is structurally similar and, in an important respect, worse.
In the NCS4 case, Evolv was an outside sponsor buying access to a third-party process. The conflict of interest was serious, but it ran through an institution that at least nominally claimed independence, maintained its own staff, and preserved some procedural distance from the vendor. In Dunwoody, there was no intermediary. The city's own Technology Director, the person whose explicit mandate was to protect the city's interests in evaluating this vendor, asked the vendor to raise its own scores, and the criteria were changed in ways that made the findings appear less threatening before the council reviewed them.
NCS4 at least maintained the appearance of independence. Dunwoody's process did not reach that threshold. Both cases share the same core failure: an assessment presented to decision-makers as objective was shaped by the entity being assessed. NCS4 gave venues and schools a false picture of Evolv's weapons-detection capabilities. In Dunwoody, it gave the city council a false impression of whether a surveillance system that ingests residents' data was safe to expand.
Importantly, we obtained the NCS4 documents largely by chance (even after we paid nearly $1,000 to the government). NCS4 subsequently claimed the documents should not have been sent to us. Without a fortunate disclosure, this arrangement would have remained invisible to the public, as it was presumably designed to be, reinforcing that uncovering issues like the one in Dunwoody is complicated, because these reports rely on FOIAs. Related, see Flock's Achille's Heel, Argues 404 Media.
Outlook
There is one meaningful upside to the level of public controversy Flock has generated: citizens are now actively submitting records requests, and documents like these are surfacing as a result. That scrutiny is how this assessment came to light. The downside is that FOIA is slow, burdensome, and jurisdiction-by-jurisdiction — most cities will never face that level of citizen attention.