Skip to main content
Editorial image of an urban drone surveillance control screen with privacy-focused visual elements

SFPD drone leak exposes the privacy risk of real-time urban surveillance

Wired reports that live feeds from five SFPD drones were exposed online, highlighting why access control and retention matter in public-sector drone programs.

Published

14 Jul 2026

Reading Time

4 min read

Share this article:

Contents

What Happened

Wired reported on July 13, 2026 that real-time video feeds from five San Francisco Police Department drones were exposed through a public web address connected to Skydio's platform. According to the report, security researchers Sam Curry and Maik Robert found access to live color and thermal video, telemetry such as location data, and identifying information for drone pilots, then reported the exposure before the link was taken offline.

The report says the exposed material included police drone activity around arrests, searches, vehicle tracking, rooftops, streets, apartment buildings, and bystanders. SFPD told Wired the address was an internal restricted link for law-enforcement coordination and said it had added more restrictive sharing protocols after being made aware of the vulnerability. Wired also reported that Skydio did not respond to its request for comment.

Why It Matters

The story is not only about one exposed link. It shows how urban drone programs can turn access control, link expiration, logging, and retention settings into civil-liberties issues. A drone feed can contain far more than the target of a police operation: faces, license plates, rooftops, courtyards, apartment windows, thermal images, pilot metadata, and second-by-second location traces.

Skydio's own X10 materials describe high-resolution visual cameras, radiometric thermal imaging, autonomous tracking of people and vehicles, and the ability to read a license plate from 800 feet. Those capabilities can be useful for public safety, search and rescue, and officer coordination, but they also raise the cost of weak permissions when live feeds or archives are misconfigured.

The Policy Context

SFPD's published UAS policy says drones are authorized under Proposition E for active criminal investigations and for use along with, or instead of, vehicle pursuits. The same policy says operators should keep cameras focused on areas necessary to the mission, minimize inadvertent collection about uninvolved people or places, and take reasonable precautions to avoid recording or transmitting images from places where people have a reasonable expectation of privacy.

That framework makes the Wired report especially sensitive: the issue described was not simply whether drones were allowed to fly, but whether live access to what they captured was sufficiently controlled. For agencies adopting similar systems, the operational checklist should include short-lived authenticated links, least-privilege sharing, audit logs, retention enforcement, and regular checks for public indexing or accidental exposure.

A Rapidly Growing Program

The San Francisco Chronicle reported on July 4 that SFPD drone deployments in the first five months of 2026 had already exceeded the department's 2025 total, citing public flight logs. The Chronicle also reported that most 2026 deployments were logged as criminal investigations, with training and testing as the next-largest category. That growth makes transparency and technical controls more important, because mistakes scale with usage.

What To Watch Next

The immediate questions are whether SFPD's investigation finds any additional access to the feeds, whether Skydio or SFPD changes default sharing behavior, and whether the city updates public reporting around drone use. The broader lesson is straightforward: public-sector surveillance systems need security reviews that treat video, telemetry, and metadata as sensitive data from the first day they are deployed.

Tags:

#drones #surveillance #privacy #cybersecurity #public safety #Skydio

3

views

0

shares

0

likes

Related Articles