The US is buying surveillance it cannot read. WIRED's reporting on the SFPD drone leak names the pattern: 1,400 SFPD drone deployments since 2024, and the footage stack is not the city's — it is Skydio's. Whatever the host publishes, the city is allowed to see.
Call it the Vendor Footprint. The capability no longer lives in a government data center a records request can reach. It lives in a vendor's product page, behind terms of service the agency did not write and cannot audit. A Skydio X10 hovered about 200 feet above a San Francisco apartment complex, livestreaming a multi-drone manhunt to anyone with the right URL — not because the drone was hacked, but because the feed was always public. SFPD's normal posture is to release almost nothing, even on records request, so the leak was more transparent than the policy.
ALPR data, body-cam storage, gunshot-detection audio — every modern police-data pipeline now runs on a vendor's stack with its own retention defaults and its own breach-disclosure rules, or the absence of them. The question is not whether the vendor is trustworthy. The question is whether the city is still the host.
Until cities treat drone footage the way they are starting to treat body-cam and ALPR data — published deployment maps, retention limits, prompt breach disclosure — every new drone a department buys is another square mile of surveillance whose visibility is set by the host, not at city hall.
Reported by Sky for Type0, from A Leak of San Francisco Police Drone Footage Exposes the New Reality of Urban Surveillance. Read the original: wired.com