Live feeds from five San Francisco Police Department drones were accessible through a public web address without a password, exposing police operations, thermal and color video, flight locations and identifying information about the officers piloting them.
The exposure was discovered by security researchers Sam Curry and Maik Robert, according to a July 13 investigation by WIRED. They found a sharing link associated with SFPD’s Skydio drone system that reportedly required no authentication and had been configured to remain active for a year.
No sophisticated intrusion was necessary. Anyone who possessed the address could reach the feeds.
The researchers said they notified Skydio approximately two days after finding it. Access was then removed. But during roughly 48 hours in June, they preserved a limited record of what had been visible: 60 videos from 20 flights.
Each mission produced three views—a conventional color camera, a thermal camera that rendered people as heat signatures, and a view from the drone’s rooftop docking station. The exposed material also included location metadata and the names and email addresses of drone pilots.
The footage showed police tracking vehicles and individuals, conducting searches and making arrests. It also captured everything around those operations: streets, apartment buildings, rooftops, courtyards, cars and bystanders who did not appear to be suspected of anything.
That distinction is the story. The leak did not merely reveal police evidence. It revealed the surveillance surrounding the evidence.
SFPD calls it unauthorized access
SFPD told WIRED that the address was an internal restricted link used to coordinate law-enforcement and public-safety operations. The department said it had been improperly obtained and accessed without authorization.
That may describe who was supposed to use the link. It does not explain why the link itself reportedly demanded no authentication.
It also sits uneasily beside SFPD’s published surveillance-policy document. The document classifies drone video and thermal imagery as Level 3 data; limits access to approved personnel for investigative purposes; requires protection against unauthorized disclosure and unwarranted access; and says proper administrative, technical and physical safeguards must exist before data is shared. It separately says drone data associated with a criminal investigation will not be accessible to the public.
The document’s cover still lists review by the Committee on Information Technology and Board of Supervisors as “to be determined,” while SFPD’s public drone page says the department has a “robust policy” protecting constitutional rights. Oversight should establish which provisions were formally operative when the link was created. Either way, those provisions define the standard SFPD publicly represented: how did a system supposedly governed by restricted access produce a year-long sharing link that, according to the researchers, admitted anyone who possessed its address? Calling the URL “restricted” describes an intention. Authentication, expiration controls and access logs determine whether it was restricted in practice.
Skydio’s ReadyLinks feature allows users to generate shareable access to stored video or live drone data. Those links can be protected by an authentication code and limited by an expiration date. According to the researchers, the SFPD link had neither meaningful protection: no code and an expiration set one year into the future.
Curry and Robert attributed the exposure to the way SFPD configured or used Skydio’s system, rather than a breach of Skydio. But a product serving police agencies also raises a design question: should a live law-enforcement surveillance feed ever be capable of being shared through a long-lived, unauthenticated link?
Security that depends entirely on nobody discovering a URL is not much security.
Six drones became 98
San Francisco voters authorized expanded police-drone use through Proposition E in March 2024. The program launched with six aircraft and initially focused on pursuits, searches, robberies, critical incidents and planned operations.
It expanded rapidly.
SFPD’s official equipment report says the department possessed 98 drones in 2025, up from 63 owned and seven leased the year before. The department reported approximately 1,122 deployments during 2025. Public flight logs show thousands more deployments during the first half of 2026.
Police say drones help officers locate suspects, monitor dangerous situations and reduce the need for risky vehicle pursuits. A drone can reach a scene before an officer, provide information from a distance and sometimes determine that no intervention is required.
Those are real benefits. They do not resolve what happens to everything the drone records along the way.
SFPD policy addresses authorized uses, retention and public reporting. Flight logs are public. Video is generally treated differently: the existence of a flight may be disclosed while the public receives little sense of the aircraft’s complete field of view.
The exposed feeds supplied that missing perspective. A drone dispatched for one person can record many others. It can see over fences, across rooftops and into the geography surrounding a call. Thermal imaging adds a layer invisible to ordinary street-level observation.
The system does not collect only the target. It collects the route to the target, the scene around the target and people who happen to be nearby.
The review cannot stop at SFPD
Police are not San Francisco’s only public drone users. The city has published department-specific drone policies for the Fire Department, Recreation and Parks, the Port and the Public Utilities Commission. Their approved or contemplated uses include fire reconnaissance, search and rescue, disaster response, environmental monitoring, surveying, infrastructure inspection and promotional footage.
Those missions are not equivalent to police surveillance, and there is no evidence in the reported SFPD incident that another department exposed its feeds. But the underlying risk travels with the technology: public employees and contractors can record people, homes, vehicles, precise locations and sensitive infrastructure, then store or share that material through vendor platforms.
San Francisco’s June 2026 draft citywide drone policy expressly seeks to prevent “operational fragmentation and inconsistent practices” across departments. It would require a central registry of city drones, department program managers, designated data stewards and privacy officers, secure storage, documented sharing, automated deletion and quarterly retention audits. It also reaches contractors and vendor-provided cloud services.
That framework is still a draft; its approval field is blank, and existing programs would receive 180 days after adoption to comply. The SFPD exposure is reason not to wait. The city’s chief information security officer or another independent auditor should inventory every city-owned, city-operated and contracted drone system now, then test actual configurations against written rules. The review should include user privileges, dormant accounts, public-link settings, authentication, expiration defaults, access logs, cloud storage, retention, deletion, incident response and vendor contracts. Its findings can be published without disclosing credentials, vulnerabilities or sensitive flight details.
Other cities already flying—and where to ask questions
San Francisco is part of a much larger municipal expansion. The following is a verified sample, not a national census. “DFR” means Drone as First Responder: aircraft are positioned to launch toward selected calls for service, often before officers arrive. A conventional UAS program generally deploys drones from responding units for particular incidents.
Residents do not need to begin by demanding flight video. They can ask each agency for its current policy; drone and vendor inventory; sharing-link settings; authorized-user list; access and configuration audits; retention schedule; breach-notification procedure; contracts; and aggregate flight data. The question is not whether every program has failed. It is whether each agency has tested the controls whose failure San Francisco just demonstrated.
The transparency paradox
The public learned more about the practical reach of SFPD’s drone program through a security failure than through its formal transparency process.
That is not an argument for publishing the leaked footage. Doing so would repeat the privacy violation, expose sensitive police operations and potentially identify people who were never charged with anything. The researchers were right to report the link and have it closed.
It is an argument for asking why accidental exposure provided a clearer picture than deliberate oversight.
A credible drone program needs more than rules governing when police may launch. It needs secure-by-default sharing, short expirations, mandatory authentication, access logs, automatic revocation and independent audits. It also needs reporting that tells residents not only how many flights occurred, but what categories of people and places were incidentally recorded, how long that material survived and who could retrieve it.
Police departments increasingly describe drones as first responders. That description should carry the same expectations applied to every other responder: authorization, chain of custody, privacy controls, supervision and an account of what went wrong.
In San Francisco, five flying cameras were watching the city. For months, the door to watching along appears to have been a link.
WCID: If you may have been recorded or exposed
- Ask SFPD to determine whether your footage was affected. Give the date, approximate time, location and incident number, if known; ask whether the flight was available through the exposed ReadyLink, whether access logs show third-party viewing, how the footage was classified and retained, and whether the department concluded that notice to affected people was required. Send the inquiry to
SFPDChief@sfgov.org, the address designated in the drone policy for privacy concerns, and keep the response. - File a policy-based complaint. San Francisco’s independent Department of Police Accountability accepts complaints alleging that an SFPD member failed to perform a duty properly. Identify the policy provisions at issue—restricted access, protection against unauthorized disclosure and safeguards before sharing—instead of alleging a crime or naming an officer without evidence. Ask DPA to determine who created or approved the link, what training applied and whether supervisors audited its settings.
- Request the compliance record, not another copy of the footage. Through SFPD’s public-records portal, seek the link’s approval record, configuration history, authorized-recipient list, access audit, incident review, corrective-action plan and communications with Skydio. The department may redact security-sensitive or investigative material, but a narrowly framed request creates a reviewable record without extending the privacy violation.
- Demand the oversight the policy already promises. The policy requires SFPD’s annual drone report to disclose internal-audit results, policy violations and corrective actions, followed by a public meeting. Ask the Police Commission to place this incident on an agenda and require an independent, public accounting of those points—not merely an assurance that the link was disabled.
- Make the review citywide. Send the same request to the Committee on Information Technology at
coit.staff@sfgov.org: publish the complete departmental and contractor drone registry contemplated by the 2026 draft; independently audit every platform’s sharing and retention configuration; identify which departmental policies are current; and publish remediation deadlines. An SFPD-only review would leave the same class of risk untested elsewhere. - If the exposure caused a concrete injury or loss, get legal advice promptly. Possible claims depend on what was recorded, who accessed it and the harm that followed. San Francisco’s claims instructions warn that some claims involving personal injury or property damage must be presented within six months. Filing an oversight complaint does not necessarily preserve a civil claim or extend a deadline.
Sources and reporting note
The exposure was originally reported by WIRED in “A Leak of San Francisco Police Drone Footage Exposes the New Reality of Urban Surveillance,” published July 13, 2026. Program figures and policy context come from SFPD’s 2025 AB 481 annual report, the city’s SFPD drone policy, the department’s official drone-program page, departmental policies and the June 2026 draft citywide UAS policy, and public flight-log reporting.
The BL:UF did not access, retain or republish the exposed footage, URL, operational coordinates or personal contact information. Details of the exposure are attributed to WIRED and the researchers it interviewed.
Visual package
Hero: sfpd-drone-leak-hero.png. Use a 16:9 crop. Credit: “Original illustration for The BL:UF.” The conceptual feed panels are not leaked footage and should not be captioned as documentary images.
Supporting visual: A simple diagram showing police drone → shareable cloud link → open web, with authentication shown as the missing control. This communicates the failure without reproducing sensitive material.
Do not use: The leaked arrest footage, thermal images of identifiable people, precise flight coordinates, pilot contact details or screenshots revealing the exposed address.



