Category: Surveillance Oversight

Public education and local accountability resources on police technology, surveillance systems, data retention, vendor access, AI tools, automated license plate readers, and safeguards for transparency, privacy, and democratic oversight in Bend, Oregon.

  • Bend Verkada Explainer

    Bend’s Verkada Security-Camera System

    What the public record shows — and what it doesn’t

    City of Bend, Oregon · Public-Records Review · Updated 2026

    Where things standThe City of Bend has standardized on Verkada’s cloud-based security-camera platform since 2020 and continued purchasing Verkada-related installation services and hardware in 2023 and 2024. The documents reviewed so far do not prove that Bend PD has direct access to the system. They do show that key governance details — camera locations, retention settings, analytics settings, police-access rules, public-sharing rules, vendor-access limits, signage practices, and post-breach risk review — are not in the public record.

    This explainer is for Bend residents who want to understand what the City has built, what’s confirmed in writing, and what questions remain unanswered. It draws from the City’s own Council issue summaries, contracts, meeting minutes, and Verkada’s own incident report. Sources are linked at the end. Use this to inform yourself, ask better questions, or write to Council.

    01What the City Has Built

    The Bend system is not a single project but a layered platform that has been expanded through several contracts. Here’s what the public record confirms.

    A cloud-based “video-surveillance-as-a-service” platform.

    In 2020, the City adopted Verkada’s platform through a competitive bid. Unlike traditional on-site security cameras, Verkada’s system streams and stores footage in the cloud (Amazon Web Services), managed through Verkada’s “Command” platform.

    Two more authorizations in 2023 and 2024.

    In June 2023, Council authorized up to $165,000 for installation services with LTT Partners LLC, a licensed Verkada reseller and installer. In June 2024, Council authorized up to $150,000 to purchase additional Verkada-compatible cameras and hardware. Both were approved on the consent agenda.

    Integration into new City buildings.

    Verkada cameras and integrated access control are being designed into the new Public Works Campus, including the headquarters, fleet, and warm-vehicle-storage buildings.

    Cameras around the Lighthouse Navigation Center.

    The City’s January 2026 Council Goals Status Report notes that security cameras are being installed around the Lighthouse Navigation Center as part of a public-safety effort. The report does not specify whether those cameras are part of the Verkada system.

    Employee privacy protections (only).

    The City’s collective bargaining agreement with COBEA (the employees’ union) includes rules: cameras may not be placed where employees have a reasonable expectation of personal privacy, the City may not randomly review footage for discipline, and no employee can be disciplined solely on video evidence absent misconduct. These protections cover employees — not the general public.

    Worth stating plainly Security cameras at City facilities — loading docks, cash-handling areas, building entries — are a normal and reasonable thing for a city to operate. The question this explainer raises is not whether cameras should exist, but whether a cloud-based, expandable, analytics-capable surveillance platform should be operated without published rules governing how it’s used.

    02What the Public Record Doesn’t Show

    These are the governance questions the documents don’t answer. Each is something a resident might reasonably expect to be on file for a system of this kind.

    Gap 01

    Where the cameras are, and how many there are.

    The installation contract says cameras are installed “at multiple City of Bend sites on an on-call basis,” with each installation initiated by a purchase order. There is no public inventory of camera locations, counts, types, or fields of view. Because each installation is administrative — not a Council vote — individual deployments don’t return for public review.

    What this meansThe public cannot know whether a given sidewalk, alley, park, or street near a City facility is under camera coverage.

    Gap 02

    A public-facing surveillance use policy.

    Employee privacy is partially protected by union contract. There is no parallel public policy governing who within the City may view live footage, whether viewer access is audit-logged, standards for reviewing footage of community members, prohibited uses (e.g., monitoring of First Amendment activity), discipline for misuse, or annual reporting to Council.

    What this meansThe rules that govern how this system is used in practice are not visible to the public it surveils.

    Gap 03

    How long footage is kept.

    The contracts and issue summaries do not specify a retention period. Verkada cameras can be configured to retain footage anywhere from roughly 30 days up to a year, depending on model and settings. The retention setting is the single biggest factor determining how much historical movement data the system holds.

    What this meansA 30-day setting limits exposure. A 365-day setting creates a year-long behavioral record of everyone who walks past a camera.

    Gap 04

    Whether and how police access the system.

    The installation contract requires LTT Partners’ installers to be CJIS-certified (Criminal Justice Information Services) within six weeks of award. CJIS certification of installers is a meaningful clue that some work touches public-safety-sensitive environments, but it does not by itself prove Bend PD has direct, standing access to the Verkada platform, or that Verkada footage is treated as CJIS data. None of this is spelled out publicly.

    What this means“Security cameras to protect public property” and “a feed integrated into police operations” are very different programs. The record doesn’t say which one Bend has.

    Gap 05

    Which Verkada features are enabled.

    Verkada’s documentation confirms its platform supports — when enabled by a customer — People Analytics, face search across cameras, license plate recognition and plate-of-interest alerts, vehicle search by attribute, audio recording and audio analytics, and integration with access control to correlate badge swipes with video. Which of these features the City of Bend has turned on or off is not documented in the public record.

    What this meansA camera that records video is one thing. A camera plus a searchable face database across City facilities is a substantially different capability.

    Gap 06

    Community engagement before approval.

    Both the 2023 and 2024 issue summaries list “Community Outreach Process and Potential Impacts: N/A.” Both authorizations went through the consent agenda — the 2024 purchase appears grouped with routine items like fuel purchases and meter-box upgrades. No public hearing, impact analysis, or community engagement process appears in the record.

    What this meansThe expansion of a surveillance-capable platform was treated as routine procurement, not as a matter the public might want to weigh in on.

    Gap 07

    Whether the vendor was re-evaluated after a major 2021 breach.

    In March 2021, attackers compromised Verkada’s platform by exploiting a misconfigured customer-support server. They accessed live and archived video for 97 customer organizations, across approximately 4,500 cameras. Eight customers also had access-control product data accessed, including badge credentials. The breach was vendor-side, meaning customer security depended heavily on Verkada’s internal controls. The City standardized on Verkada in 2020 — before the breach — and re-authorized two more Verkada-tied contracts in 2023 and 2024, after the breach. No document in the public record shows the City re-evaluated Verkada’s security posture before those re-authorizations. In August 2024, the FTC announced a settlement requiring Verkada to implement a comprehensive information-security program with biennial third-party assessments; a separate $2.95 million civil penalty was imposed for CAN-SPAM email-marketing violations (FTC Matter 2123068; stipulated order entered Sept. 4, 2024, N.D. Cal.).

    What this meansVendor risk doesn’t disappear after a breach. A buyer that doesn’t document re-evaluation is making an implicit bet that isn’t in the record.

    Gap 08

    Public notice and signage.

    Oregon does not have a general statute requiring video-surveillance signage in public areas, though federal law restricts audio recording without notice in most contexts. Whether camera locations carry visible signage — and what those signs say about the purpose, retention period, records-request process, and complaint process — is not addressed in the project record.

    What this meansNotice is the floor of meaningful consent. It deters the conduct the City says it’s trying to deter, and it signals accountability to the people walking past.

    03Questions Worth Asking

    Whether you’re writing to Council, filing a public-records request, or just trying to understand your city better, these are reasonable, specific questions that the existing public record does not answer:

    • Where are City surveillance cameras located, and how many are there?
    • How long is footage retained on each camera?
    • Which Verkada features are enabled — face search, license plate recognition, audio, People Analytics?
    • Who can view live and recorded footage, and is that access audit-logged?
    • What policy governs sharing footage with law enforcement, outside agencies, or the public?
    • What review did the City conduct of Verkada’s security posture after the 2021 breach and 2024 FTC action?
    • What signage notifies the public that an area is under City surveillance?
    • What process exists for residents to file complaints or request specific footage?

    04Context: How Other Cities Handle This

    Several cities — including Seattle, San Francisco, Oakland, Cambridge MA, Berkeley, and the Bay Area Rapid Transit (BART) system — have adopted surveillance-technology review processes that require public documentation, hearings, or annual reporting before a surveillance technology is acquired or expanded. These ordinances typically require a written impact report covering the technology’s capabilities, retention rules, access policies, and civil-liberties risks; a public hearing before procurement; and annual use audits.

    Bend’s 2023 and 2024 Verkada-related authorizations went through the consent agenda with no documented community outreach.

    05Sources

    City of Bend documents

    · Council Issue Summary, 2023 installation contract authorization (5G): 5G_LTT_Partners_IS.pdf
    · Installation contract with LTT Partners LLC: 5G_LTT_Installation_Contract.pdf
    · Council Issue Summary, 2024 hardware purchase (5D): 5D_Issue_Summary.pdf · 5D_Issue_Summary-1.pdf
    · Hardware purchase contract: 5D_Contract.pdf
    · Council meeting minutes: Minutes-2-4.pdf
    · Public Works Campus GMP-3 amendment (Verkada integration): 8_Public_Works_Campus_KNCC_Proposed_Amendment_No._6_GMP_3.pdf
    · Council Goals Status Report, January 2026: Council_Goals_Status_Report.pdf
    · COBEA Collective Bargaining Agreement 2022–2025: 9_COBEA_2022-2025_Collective_Bargaining_Agreement.pdf
    · Update on Downtown Safety Projects: Update_on_Downtown_Safety_Projects.pdf

    Verkada and federal sources

    · Verkada Security Incident Report (March 2021 breach): Security_Incident_Report_Version1.2.pdf
    · FTC press release: “FTC Takes Action Against Security Camera Firm Verkada” (Aug. 30, 2024): ftc.gov
    · FTC case file: United States v. Verkada Inc., FTC Matter 2123068, Civil Action 3:24-cv-06153 (N.D. Cal., stipulated order entered Sept. 4, 2024): ftc.gov/legal-library

    Bend Privacy Alliance

    Protecting privacy, transparency, and civil rights in Bend.

    Share freely · No copyright claimed · Verify before you act

  • Bend Retail Surveillance Explainer

    Bend Privacy Alliance  /  Public-interest research

    Bend, Oregon  |  May 24, 2026

    Investigation · Retail surveillance · Public-private camera networks

    When store cameras
    become police infrastructure.

    Six retailers operate in Bend, Oregon. Their privacy policies describe facial recognition, license plate readers, and behavioral analytics. The city has quietly built the bridge that connects them to law enforcement. Here is what is public, what is alleged, and what is still unknown.

    Bend Privacy Alliance

    Working paper · v2.0

    Reading time · 18–22 minutes

    Companion documents: Evidence Matrix · Action Toolkit

    At a glance

    The question

    Is your trip to a Bend grocery store or hardware store also a data point in a law-enforcement system?

    What’s verified

    Across the six retailers, public policies disclose combinations of video surveillance, biometrics, license-plate capture, location and device tracking, behavioral or session analytics, and consumer profiling — though not every retailer discloses every capability at the same level of detail. Three retailers have dedicated ALPR policies; Albertsons has a California-specific ALPR policy; Fred Meyer/Kroger’s general policy discloses license-plate capture by some cameras. Three retailers disclose facial recognition explicitly.

    The Bend bridge

    Bend Police has funded FususCore bundles for up to 10 local retailers, linking private cameras to the Bend Connect system.

    What you can do

    Under the Oregon Consumer Privacy Act, you can require each retailer to tell you who they have shared your data with. Templates are in the Action Toolkit.

    Inside this issue

    1. The bridge nobody asked you to vote on
    2. What the policies actually say
    3. A short history of how Bend got here
    4. Where the data can go once it leaves the store
    5. A risk map for residents
    6. Oregon law is more powerful than most people realize
    7. What a real surveillance accountability ordinance would do
    8. What you can do this week
    9. Sources and how to verify everything in this piece

    §01

    The bridge nobody asked you to vote on

    The bridge nobody asked you to vote on

    In February 2025, the Bend Police Department launched Connect Bend — a community camera registry powered by Fusus, the public-private surveillance platform Axon acquired in 2024. By March 2026, 618 cameras were registered across the city. 174 of those had been upgraded with FususCORE devices, giving the Bend Police Department conditional access to live and recorded feeds. The platform costs the department approximately $75,000 per year and is the same Axon/Fusus infrastructure used for body cameras and digital evidence storage. (Source: The Bulletin, May 15, 2025 and March 4, 2026.)

    In November 2025, the Bend Police Department and the Deschutes County District Attorney’s Office added a grant program on top of the registry. Up to ten Bend retailers could receive a FususCORE Device Bundle — the hardware that converts a private camera into an integrated feed — through the Oregon Criminal Justice Commission’s Organized Retail Theft Grant Program. Applications were due August 3, 2025; after the one-year grant term, businesses pay $150/year to remain integrated. The headline framed it as a fight against shoplifting. (Source: The Source Weekly; Central Oregon Daily.)

    What the announcements have not emphasized is the architecture itself. Connect Bend is not a city program in the conventional sense. The website is bendconnect.org. The footer says “Powered by Axon” and “©2026 Axon Enterprise, Inc.” The contact email for unsubscribing or deleting your registry data is connect@fusus.com — a Fusus address, not a Bend city address. Data flows through FūsusCORE devices to AWS GovCloud, where it is stored in FūsusONE, a CJIS-compliant cloud environment. (Source: bendconnect.org Privacy FAQ.)

    The contract that governs each retailer’s participation is published at bendconnect.org/terms-conditions/ as a Data Share and License Agreement between the camera owner and the City of Bend. Section 5 makes a contractual promise to camera owners: “City will not share access to Owner’s camera views with members of the public, or outside of City, without the prior written consent of Owner.” Section 6 requires the camera owner to provide Bend “camera make, model, IP address, and camera and/or associated DVR/NVR login information.” Section 7 confirms that Bend, not Axon, is the physical custodian of the FūsusCORE hardware on each property.

    The contract is between the camera owner and the City. It does not bind Axon. Axon operates the platform that processes, stores, and routes the data. Axon’s contractual relationships with other agencies, its retention policies, its use of the data to train artificial intelligence models, and its own audit logs are not addressed by the agreement that the retailer signed. Customers in the parking lot are not party to the agreement at all.

    This is the bridge. Retail surveillance and police surveillance are not separate categories when the cameras are wired into the same platform. Whether the store calls it “asset protection” or the city calls it “Organized Retail Theft Grant,” the practical effect is the same: a private camera operating in a place of public accommodation becomes part of a public surveillance network, and the platform that operates it is a multi-billion-dollar publicly traded surveillance vendor headquartered in Scottsdale, Arizona.

    Bend residents have not voted on this. They are unlikely to have been notified by any retailer that has joined. The list of participating retailers, the policy governing access escalation, the retention period for the footage, the conditions under which it can be shared with federal agencies — none of that is yet in the public record. The Bend Privacy Alliance toolkit and templates published alongside this piece are designed, in part, to surface it.

    Two specific findings worth knowing

    First: the bendconnect.org footer links to a Privacy Policy at https://bendconnect.org/privacy-policy/. The page returns the “Axon Fusus Community Connect and Axon Fusus Registry Website Privacy Notice,” last updated February 21, 2025. The notice is Axon’s own corporate privacy notice for its Community Connect and Registry products — not a Bend-specific notice drafted for Bend residents or approved by the City. It describes how Axon collects, uses, discloses, transfers, and stores the personal data of users of the platform. Whether a national vendor’s standard privacy notice meets the disclosure requirements of ORS 646A.578 for a program branded as a City-of-Bend public safety program is a question the City has not addressed publicly.

    Second: the Connect Bend Privacy FAQ states that “Fūsus does not employ facial recognition technology” — but in the next answer it discloses that “Fūsus utilizes artificial intelligence to rapidly search video. All AI use cases exclude facial recognition, but may be utilized to automatically recognize weapons, vehicles of interest, etc.” “Vehicles of interest” describes automatic license plate recognition functionality and vehicle attribute identification by AI — activities that the Oregon Consumer Privacy Act treats as processing of personal data, and that the January 2026 geolocation amendments (HB 2008) treat as sensitive data when they identify a person to a radius of 1,750 feet or less.

    Why this matters now

    In January 2026, Bend’s City Council voted to suspend its Flock Safety automated license plate reader cameras after public outcry over Flock’s national track record of immigration sharing and personal misuse by police. That decision was real and the public made it happen. The retail-camera integration program is a parallel pathway that has not received the same scrutiny. It deserves the same scrutiny.

    §02

    What the policies actually say

    What the policies actually say

    This section sticks to one type of evidence: language pulled from each company’s own current, public privacy policy. These are statements the companies have committed to in writing, dated, and posted on their corporate websites between April 2025 and February 2026. They are not allegations.

    A privacy policy describes what a company reserves the right to do. It does not prove that any particular store is doing it. That is a separate question, addressed in section 5.

    The six retailers, in their own words

    CapabilityWhat the policies actually say
    Video cameras in stores and parking lotsAll six Every one of the six companies discloses CCTV and parking-lot camera operation as standard practice. This is the floor, not the ceiling.
    Facial recognition / biometric captureHome Depot Explicit: “Biometric Information — Facial recognition” is listed as a collected category in the Home Depot Privacy and Security Statement. Home Depot’s FY2023 Annual Report (SEC Form 10-K, filed March 2024) discloses that its “Computer Vision” technology has been deployed across all U.S. stores. Third-party reporting indicates the technology was expanded to self-checkout areas for loss prevention by May 2024; that specific application has not been independently confirmed from primary corporate sources.

    Walmart The Walmart Customer Privacy Notice lists collection of “voice prints, imagery of the iris or retina, face geometry, and palm prints or fingerprints.” Three-year biometric retention from last interaction.

    Fred Meyer / Kroger The Fred Meyer Privacy Policy states biometric collection including facial recognition data may occur in “select locations” with point-of-entry notice.

    Safeway / Albertsons The Albertsons Privacy Policy states: “In some states, our cameras may capture biometrics (e.g., facial recognition technology).” Entry signage required where deployed.

    Lowe’s The current Lowe’s U.S. Privacy Statement (April 2025) uses “image matching and analysis technology” on images from recorded footage in some states, applied after incidents by Asset Protection. Lowe’s does not label this as facial recognition in the current policy.
    Automated License Plate Recognition (ALPR)Lowe’s Dedicated ALPR section in the U.S. Privacy Statement. 90-day retention.
    Home Depot Dedicated ALPR section in the Privacy and Security Statement. No fixed retention period stated.
    Walmart Dedicated ALPR Privacy Notice, updated February 2026. Led by VP, Chief Safety Officer. 60-day retention.
    Safeway / Albertsons California ALPR Policy. 60-day default; 12-month retention at “high-crime” stores. Director of Corporate Asset Protection as custodian.
    Fred Meyer / Kroger Kroger has an ALPR policy applying to “select retail locations in California” (Ralphs confirmed). Fred Meyer / Oregon deployment unverified.
    In-store Wi-Fi and Bluetooth trackingAll six disclose some form of in-store device or signal tracking. Albertsons is the most explicit: for loyalty members, the policy says they collect MAC address, IP address, device identifier, and real-time device location through in-store Wi-Fi. Bluetooth tracking and motion sensors are disclosed for in-store navigation. Beacons in baskets and carts measure dwell time in front of advertising displays.
    Behavioral analytics (keystroke, cursor, scroll tracking)Lowe’s “keystroke activity and rhythms, mouse movements, scrolling and clicks.”
    Home Depot “Session replay software may be used to record and replay your interaction.”
    Fred Meyer / Kroger “keystrokes, cursor movements, scrolling activity, and click-related activity.”
    Walmart, Albertsons, Safeway Not disclosed at this granularity in their current policies.
    Inferences and profilingAll six disclose inferences-from-personal-data as a category. Albertsons goes furthest: their policy lists inferences about your “purchase preferences, interests, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
    AI / ML model training on shopper dataAlbertsons / Safeway only one of the six explicitly states data is used to “train our artificial intelligence or machine learning algorithms or models (or those provided by our service providers).” The others may do so but do not disclose it in this language.
    Smart shopping carts with cameras and sensorsAlbertsons / Safeway In some locations: “You may also see smart carts in our stores, which use cameras and sensors to tally items as you grab them off the shelf and place them in your cart. As an added bonus, you can pay through the cart and skip the checkout lines.” Bend deployment of smart carts is unverified.
    Estimated per-shopper data valueAlbertsons / Safeway The December 2025 privacy policy states: “We estimate the value of consumers’ data to be, on average, approximately $4.13 per consumer in 2024.” That figure was $1.33 in the 2022 policy version — a tripling in two years.
    Inter-retailer sharingAlbertsons / Safeway California ALPR Policy: “We may also work with other retailers to keep track of organized retail crime groups… we typically share public data such as vehicle details (make, model, and color) and license plate information.” This is unusually transparent about retailer-to-retailer surveillance coordination. The other five companies do not discuss this explicitly.

    How to read this table

    The clearest pattern: facial recognition, ALPR, in-store device tracking, and inferences are now standard disclosures in major-retailer privacy policies. The companies are not hiding it. They are simply describing it in the place fewest people read.

    What the policies do not tell you is which specific Bend, Oregon stores have any of these systems deployed today. That is the next chapter of work, and it is what Oregon’s privacy law was designed to support.

    The companies are not hiding it. They are describing it in the place fewest people read.

    §03

    A short history of how Bend got here

    A short history of how Bend got here

    Three threads converge in 2025–2026: a city-government experiment with automated license plate readers, a retail-theft grant pipeline, and a national pattern of surveillance vendors quietly accumulating local footholds. The Bend story is the local edition of a story playing out in many small American cities.

    May 2025

    Bend signs a $19,900 contract with Flock Safety

    Four Flock Falcon cameras are deployed at two intersections on Highway 97. The contract is amended in July 2025 to swap them for Falcon Long Range units, adding $4,100. Total spend: $24,000, non-refundable. (See The Source, December 9, 2025.)

    November 2025

    Bend Police and Deschutes County DA open the FususCore retail grant

    Up to ten Bend retailers are invited to apply for a FususCore Device Bundle — up to four cameras, onboard storage, one-year subscription, warranty — that connects existing store security cameras to the Bend Connect platform. Funded by the Oregon Criminal Justice Commission Organized Retail Theft Grant Program. (See Central Oregon Daily, November 12, 2025; The Source Weekly, July 10, 2025.)

    January 7, 2026

    Bend City Council votes to suspend the Flock cameras

    The decision follows public concern about Flock’s national use by federal immigration agents and reports of police misuse to track romantic partners and abortion seekers in other states. Senator Wyden publicly criticizes Flock. Other Oregon cities (Woodburn, Talent) have already pulled their Flock contracts. (See OPB, January 8, 2026; The Source, January 8, 2026.)

    March 2026

    Connect Bend reaches 618 registered cameras, 174 integrated

    A year after the program’s February 2025 launch, 618 cameras are mapped in the Connect Bend registry, with 174 fully integrated via FūsusCORE devices. Over the prior year, BPD has sent 14 community-request emails through the system. The police spokesperson confirms she is “not aware of any suspect video footage related to those requests.” (See The Bulletin, March 4, 2026.)

    May 6, 2026

    Federal immigration queries on Bend’s Flock data become public

    The Source reports that federal immigration authorities made 279 queries into Bend’s Flock Safety data during the first three weeks of June 2025, due to a BPD configuration error that left the “National Lookup” reciprocal-sharing feature on by default. The audit was prompted by an Oregon Law Center FOIA request. The data sharing happened without Oregon sanctuary-law authorization. (See The Source, May 6, 2026.)

    May 20, 2026

    Bend pivots to Axon stationary ALPR

    Rather than re-up with Flock, Bend Police propose adding stationary ALPR cameras as an amendment to the existing Axon contract (in place since 2022 for body cameras, tasers, and in-vehicle ALPR). Public comment at the May 20 City Council meeting questions why a $19,000 grant would justify a quarter-million-dollar surveillance expansion without a council vote. The Council commits to a vote and public input before the add-on is finalized. (See The Source, May 20, 2026; The Source, May 21, 2026.)

    The pattern that emerges: Bend has been responsive when residents engage on a specific surveillance vendor or contract. The Flock suspension is the proof. But the retail-camera integration pathway has not been the subject of the same public scrutiny because it operates through a different door — a grant program framed as anti-theft assistance, not surveillance procurement.

    §04

    Where the data can go once it leaves the store

    Where the data can go
    once it leaves the store

    Imagine you push a cart through a Bend Albertsons or Fred Meyer or Lowe’s. By the time you reach the parking lot, a series of systems may have captured signals about you. Each of those signals can travel through more than one downstream pipeline.

    Here is what corporate policies disclose as possible destinations for the data each retailer collects.

    First-party use

    The retailer itself

    Asset protection, loss prevention, marketing, inferences about your preferences, AI/ML model training (Albertsons explicitly).

    First-party transfer

    Affiliates and subsidiaries

    Kroger’s 84.51° subsidiary aggregates and analyzes shopper data across all Kroger banners, including Fred Meyer. Albertsons Media Collective monetizes shopper data across 2,200+ stores in 35 states.

    Third party

    Advertising and data partners

    All six retailers disclose sharing inferences, online activity, location data, and commercial information with advertising and marketing partners. Most categorize this as a “sale” or “sharing” under California and Oregon law.

    Third party

    Other retailers

    Albertsons’ California ALPR Policy explicitly discloses inter-retailer ALPR sharing for “organized retail crime groups.” Auror and similar industry platforms enable the same kind of sharing.

    Government

    Local police

    All six retailers disclose discretionary sharing with law enforcement. Where a Bend retailer has joined the FususCore / Bend Connect program, that sharing happens through an integration, not a one-off request.

    Government

    Federal agencies

    Most retailers reserve the right to share when “we believe disclosure is appropriate or necessary.” The Flock controversy demonstrated that ALPR data already feeds into systems used by ICE and other federal agencies. A FususCore / Bend Connect retailer integration could create the same pathway from inside private store networks.

    An Oregon shopper’s data has a long route

    To make the data flow concrete, here is a plausible (not hypothetical) sequence based on what each step’s company says in writing:

    1. You park outside a Bend Lowe’s. The parking-lot ALPR camera records your license plate, the make, model, and color of your vehicle, and a timestamp. Retention per Lowe’s policy: 90 days, longer if necessary.
    2. You walk in. A ceiling camera captures your image. Lowe’s U.S. Privacy Statement says that in some states, recorded footage may be analyzed using “image matching and analysis technology” by Asset Protection following an incident.
    3. You connect to the free in-store Wi-Fi to look up a product price. Lowe’s collects your device usage information.
    4. You use the mobile app. Lowe’s app collects your “keystroke activity and rhythms, mouse movements, scrolling and clicks.”
    5. You buy something with a stored credit card linked to your Lowe’s account. Inferences about your project, your home, and your buying patterns join your account profile. Lowe’s reserves the right to enrich this with public-records data including property size, year built, and number of rooms.
    6. That profile is shared, for marketing purposes, with advertising partners. Under Oregon and California law, this is generally a “sale” or “sharing.”
    7. Separately, the ALPR record may be shared with law enforcement “upon appropriate request and solely in connection with criminal investigations” — per Lowe’s own ALPR Privacy Policy. If your Bend Lowe’s is one of the retailers connected to Bend Connect through a FususCore bundle, the camera footage itself becomes accessible to Bend Police through the city’s platform.

    Every one of those steps is described, in writing, in a corporate policy. None of them require malicious intent on the part of the retailer. They are the standard architecture of modern retail surveillance.

    §05

    A risk map for residents

    A risk map for residents

    Not every form of in-store data collection is equally consequential. Privacy advocacy that treats them as equivalent loses credibility quickly. Here is a rough ordering, from least to most consequential for individual rights, based on what current corporate policies disclose and what current civil-liberties literature documents about each practice.

    Lower concern

    Aggregate camera analytics

    Counting foot traffic, measuring wait times in checkout lines, detecting spills on the floor. If actually de-identified and aggregated, this is the form of in-store analytics with the smallest civil-liberties footprint.

    Lower concern

    Loyalty program purchase history

    The trade is explicit: you give up purchase data, the retailer gives you discounts. The consent is real. The risk is concentration: 84.51° and Albertsons Media Collective aggregate this across millions of households.

    Higher concern

    Mobile app precise geolocation

    Tracks where you are with the app open, sometimes also in the background. Builds a location history. Salable to data brokers in most current privacy frameworks.

    Higher concern

    Inferences and profiling

    The data is processed to predict your interests, household composition, life-event status, and propensity to buy specific categories. Used for ad targeting, but also for differential pricing.

    Higher concern

    Automated License Plate Recognition

    Builds a record of every vehicle visit to the lot, when, and how often. When shared with police, becomes a movement-tracking system for everyone, not just suspects.

    Highest concern

    Facial recognition

    Identifies you against a watchlist or database. Once your face data is captured, you cannot change it. False-positive rates are documented to be higher for Black and Asian faces. Misidentification has already led to wrongful arrests in other jurisdictions.

    Highest concern

    Retail-to-police camera integration

    Combines all of the above into a system that operates under private-actor rules (the retailer can deploy whatever it wants) but with public-actor reach (police can pull footage through the integration). Constitutional protections that constrain government cameras do not constrain private cameras that police access.

    Why the integration is the linchpin

    Each individual surveillance practice has known harms. The harms are not new, and most of them have been the subject of state-level legislative attention. What makes the Bend Connect / FususCore arrangement different is structural: it lowers the legal and procedural friction between two systems that used to be separate.

    A private retailer’s camera is bound by the retailer’s own policy. A police camera is bound by Fourth Amendment doctrine and (where applicable) state surveillance laws. When the two are merged, the retailer’s permissive rules govern the front end and the police’s broad access governs the back end. The privacy gap appears in the middle, where neither rulebook fully applies.

    The privacy gap appears in the middle, where neither rulebook fully applies.The structural problem the Bend Privacy Alliance is describing

    §06

    Oregon law is more powerful than most people realize

    Oregon law is more powerful
    than most people realize

    The Oregon Consumer Privacy Act took effect on July 1, 2024. It is enforceable only by the Oregon Attorney General — consumers cannot file private lawsuits under it — but the rights it grants Oregon residents are unusually strong, and most residents have not exercised them.

    The Oregon-distinctive right

    Oregon law gives you a right that no other US state currently gives. Under ORS 646A.574(1)(a)(B), you can require a company that processes your data to tell you, at the company’s option, either (i) the specific third parties to which it has disclosed your personal data, or (ii) the specific third parties to which it has disclosed any personal data. The company has the option of which list to provide. The right itself is not optional.

    What this means in practice: if you file an OCPA Right to Know request with a Bend Home Depot, Lowe’s, Walmart, Fred Meyer, Safeway, or Albertsons, the company must tell you who it has shared customer data with. Not just the categories. The specific names. This is the lever that turns “advertising partners” from a vague policy phrase into a concrete list you can examine.

    The four core OCPA rights

    Right to know and access Confirmation that the company processes your data, the categories it processes, and a copy of the data in a portable format. ORS 646A.574(1)(a). Right to specific third parties The Oregon-distinctive right described above. At the controller’s option, but not optional in principle. ORS 646A.574(1)(a)(B). Right to correct and delete Correction of inaccuracies, and deletion of personal data (including derived data and data obtained from other sources). ORS 646A.574(1)(b) and (c). Right to opt out Opt out of the sale of personal data, targeted advertising processing, and profiling that produces legal or similarly significant effects. ORS 646A.574(1)(d). The company must honor Global Privacy Control browser signals.

    The 45-day clock

    Under ORS 646A.576, the company has 45 days to respond. They can take a 45-day extension if they tell you why within the first 45 days. If they go silent, you can file with the Oregon AG, which has exclusive enforcement authority under ORS 646A.583.

    What sensitive data covers

    OCPA’s definition of sensitive personal data is broader than most other state laws. It includes, in addition to the usual categories (race, ethnicity, religious beliefs, health condition, sex life, citizenship, immigration status, genetic data, biometric data, precise geolocation, child data), status as transgender or non-binary and status as a crime victim. Sensitive data has heightened protections, including opt-in consent requirements.

    What it means for retail: the inference category in Albertsons’ policy — “psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” — could, if it includes data that touches sensitive categories, trigger heightened OCPA protections. Whether it does is a question worth pressing through a Right to Know request.

    A note on what the OCPA does not do

    OCPA does not give you the right to sue the company directly. You cannot collect damages under the statute. Enforcement is by the Oregon Attorney General. This is one reason individual right-to-know responses matter so much: they create a documentary record that, if the AG eventually takes interest, can support an investigation.

    The Portland comparison

    The City of Portland prohibits private entities from using face recognition technology in places of public accommodation within city limits (Portland City Code Chapter 34.10). Bend has no equivalent. A Surveillance Technology Accountability Ordinance for Bend would be the local mechanism for closing this gap — not relying on OCPA alone, which provides individual rights but does not ban any specific technology.

    §07

    What a real surveillance accountability ordinance would do

    What a real surveillance
    accountability ordinance
    would do

    The structural argument of the Bend Privacy Alliance is that retail surveillance and public surveillance become a single accountability problem the moment they are integrated. The Surveillance Technology Accountability Ordinance and Procurement Framework already in front of the Bend City Council and Procurement Committee is one model for what such a rule could look like. The principles below are not the ordinance text; they are the policy logic the ordinance applies to all surveillance technology operated by, contracted by, or funded by the City of Bend — including FususCore integrations and retail-camera partnerships.

    Ten principles for retail-to-police camera integration

    1. Public notice before deployment. No new private camera integration into a city-managed platform without a published notice and a comment period.
    2. Council approval. City access to private camera networks requires a Council vote on the record, not an administrative grant decision.
    3. Public inventory. The City maintains and updates a public list of every retailer, business, or facility integrated into Bend Connect, FususCore, or any successor system.
    4. Retention limits. Maximum retention for any data ingested from private cameras must be defined in writing and enforced by audit.
    5. Audit logs. Every law-enforcement query against the integrated camera network is logged with a queryer ID, timestamp, and investigative justification.
    6. Named custodian. A named senior city officer is accountable for the operation of the integration, with that role published.
    7. Access controls. Training, role-based access, and removal procedures are documented and audited annually.
    8. Prohibition on face recognition. Face recognition is not deployed against integrated camera feeds without separate Council authorization following a formal procurement review.
    9. ALPR sharing limits. ALPR data is not shared with federal agencies, out-of-state agencies, or non-investigative third parties absent specific legal process.
    10. Annual transparency report. The City publishes an annual report on usage, queries, sharing events, and audit findings.

    These are the same principles that govern responsible municipal surveillance procurement in cities that have already adopted Surveillance Technology Ordinances — Oakland, Seattle, Cambridge, Nashville, San Francisco, and others. Bend has the opportunity to be the first Oregon city outside Portland to apply them comprehensively. The work in front of the Bend City Council and Procurement Committee is the vehicle.

    §08

    What you can do this week

    What you can do this week

    Most of what this piece describes can be tested by any Bend resident with a thirty-minute time investment and a willingness to wait 45 days. Here are four things that are within reach.

    Action 01

    File an OCPA Right to Know request

    Use the templates in the companion Action Toolkit to ask each of the six retailers what data they hold on you and who they have shared it with. The 45-day clock starts when they receive it. Send through their privacy portal and screenshot the confirmation.

    Action 02

    Photograph store entry signage

    Visit a Bend Home Depot, Lowe’s, Walmart, Fred Meyer, Safeway, or Albertsons. Photograph any signage at the door describing biometric capture, video surveillance, or ALPR. Note camera positions and self-checkout indicator boxes. Time and date the photos. Absence of required signage is itself a disclosure violation. Send photos to westmoreland.jonathan@gmail.com.

    Action 03

    File a Bend Police records request

    The template in the Action Toolkit asks the City of Bend for all FususCore / Bend Connect contracts, ORT grant records, retailer applications, training materials, audit logs, and communications with the six named retailers. Submit through the City’s public records portal. Request a fee waiver under ORS 192.324(5).

    Action 04

    Show up at City Council

    The next public-input opportunity on Bend’s surveillance contracts will arrive when the Axon ALPR add-on comes back for a vote. Council meetings are at City Hall, 710 NW Wall Street, typically 6 p.m. Public comment is two minutes. Written submissions in the council packet are also read.

    The toolkit and the Evidence Matrix that accompany this piece contain the legal citations, contact channels, escalation procedures, and confidence ratings for every claim made above. Use them. Verify them. Improve them. Send corrections to westmoreland.jonathan@gmail.com.

    §09

    Sources and how to verify everything in this piece

    Sources, and how to verify

    Every factual claim in this piece is traceable to a primary source: a corporate privacy policy current as of May 24, 2026, an Oregon statute or DOJ guidance page, a court docket, or local Bend reporting from named outlets. The full source ledger, with version dates, archive recommendations, and confidence ratings, is in section 9 of the companion Action Toolkit document.

    Headline citations for the claims in this piece:

    If you find an error, send a correction to the Bend Privacy Alliance at westmoreland.jonathan@gmail.com. This piece will be revised. The companion Evidence Matrix and Action Toolkit will be revised alongside it. The goal is a record that can be verified by anyone with the same documents, not an argument that depends on trust.

    6

    Retailers studied

    10

    FususCore bundles offered to Bend retailers

    45

    Days for an OCPA response

    $4.13

    Albertsons’ estimate of one consumer’s annual data value (2024)

    0

    Bend retailers publicly named as FususCore participants, to date

    The goal is a record that can be verified by anyone with the same documents, not an argument that depends on trust.

    Bend Privacy Alliance

    Civic policy and advocacy work on surveillance technology governance, consumer privacy, and civil rights in Bend, Oregon. The Alliance publishes working research, action toolkits, and investigative pieces designed to be verified by readers and improved through corrections.

    This piece is one of three companion documents on retail surveillance in Bend. The Evidence Matrix is the internal research file with confidence ratings on every claim. The Action Toolkit contains the OCPA right-to-know templates, the Bend Police public records request template, escalation language, and a full source ledger.

    Compiled May 24, 2026 · Version 1.0 · Bend, Oregon

    Verify before citing · Save sources at time of access

  • Why Bend Needs Rules for Surveillance Technology Before It Buys More

    Most people don’t think much about how the City buys technology. But some of the tools cities now use — cameras, license plate readers, drones, data dashboards — can quietly record where you go, who you’re with, and what you do, long before anyone suspects you of anything. Once a city owns a system like that, what it can do tends to grow over time through software updates and new features, often without anyone outside the vendor noticing.

    I’ve submitted two documents to the Bend City Council that are meant to put residents back in control of that process: a Surveillance Technology Accountability, Privacy, and Civil Rights Ordinance and a companion Surveillance Procurement and Contracting Framework. Here’s what they would actually do for the people who live here.

    You get a say before the City buys surveillance tools

    Under the proposed ordinance, no City department could acquire, borrow, pilot, subscribe to, or deploy surveillance technology without prior City Council approval at a public hearing — with the required reports released at least 30 days in advance so residents can read them and weigh in. That approval has to be specific: approving one tool doesn’t automatically approve another, approving hardware doesn’t approve hidden software features, and any ambiguity is resolved in favor of requiring public approval. The decision about whether Bend adopts a surveillance tool belongs to the community and its elected representatives — not to a vendor’s sales pitch or a quiet administrative purchase.

    Surveillance can’t quietly expand after it’s approved

    One of the biggest real-world risks is “mission creep” — a system bought for one narrow purpose gradually gaining new powers through updates, add-on analytics, or AI modules. The ordinance treats any meaningful expansion as a “material change” that requires fresh public approval, and it specifically says automatic, vendor-pushed, or bundled updates can’t switch on capabilities the public never approved. A camera approved as a camera doesn’t silently become a facial-recognition system.

    Protected and private activities are shielded

    The ordinance bars using surveillance to monitor or map constitutionally protected activity — protest, worship, journalism, labor organizing, political activity, legal advocacy — absent a warrant. It also protects “sensitive locations”: medical and reproductive care facilities, addiction-treatment centers, domestic-violence shelters, immigration legal-aid offices, libraries, newsrooms, polling places, and places unhoused residents rely on for shelter and survival. The City couldn’t build registries, heat maps, or profiles tracking unhoused people or anyone’s visits to these places.

    Your data can’t be sold or fed to corporate AI

    The rules prohibit the City — and its vendors — from selling, renting, or commercially exploiting surveillance data, and from using residents’ data to train or improve a vendor’s products or algorithms. They also bar using City surveillance for civil immigration enforcement except where the law specifically requires it. Data collected about Bend residents stays in service of Bend residents.

    The City — not a private company — holds the keys

    A system being “encrypted” doesn’t mean it’s secure if the vendor can still read the data. The ordinance requires that sensitive stored police data use “Exclusive Agency Key Control,” meaning no vendor, cloud host, or subcontractor can unilaterally decrypt it. License plate data that isn’t a hit gets automatically deleted within 72 hours, hot-list entries expire quickly, and bulk databases can’t be kept around for speculative future use.

    Real accountability you can check

    Every access to sensitive surveillance data has to be logged. High-risk programs get independent annual audits, and the City must publish an annual public report covering how often tools were used, how many searches were run, any misuse or breaches, and any expansions proposed or discovered. There’s a public complaint process, automatic suspension when something goes seriously wrong, and a hard rule that no existing contract is grandfathered in forever — legacy systems have to be brought into compliance or discontinued.

    The companion framework makes the promises stick

    Strong policy can still be undermined by weak contract language buried in vendor agreements. The Procurement and Contracting Framework translates these principles into the actual contracts: baseline terms requiring City ownership of data, no secondary vendor use, no silent feature activation, audit rights, deletion certification, and renewal conditioned on compliance — with even stronger terms for high-risk technologies. It also gives the City practical tools to review the contracts it already has, so the protections aren’t just aspirational.

    The bottom line

    None of this stops Bend from using technology that genuinely serves public safety. What it does is make sure that when surveillance tools are used, the public knew about it, approved it, can see how it’s working, and can shut it down if it’s misused. It puts residents — not vendors, and not default settings — in charge of decisions that affect everyone’s privacy and civil liberties.

    Read the full proposals

  • Questions Bend Residents Can Ask Council

    Questions Bend Residents Can Ask Council

    Part 10 of the Bend Surveillance Oversight series.

    You do not need to be a surveillance expert to ask reasonable questions about public technology.

    If a city uses tools that collect, store, search, analyze, or share public data, residents have a right to understand how those tools are governed.

    That applies to body cameras, fleet cameras, automated license plate readers, drones, traffic enforcement cameras, digital evidence systems, AI tools, real-time information platforms, and any other technology that affects public privacy, public records, or public accountability.

    The goal is not to attack City staff or police.

    The goal is simple:

    Public safety technology should answer to public rules.


    1. What systems exist?

    • What surveillance technologies does Bend Police currently use?
    • What systems are being considered for future use?
    • Which systems are active now?
    • Which systems are approved but not yet active?
    • Which systems are optional add-ons or future capabilities?
    • Which vendors are involved?
    • Are there third-party vendors, subcontractors, cloud providers, or software modules the public should know about?
    • Is there a plain-language public inventory residents can read?

    2. What data is collected?

    • Does the system collect video?
    • Does it collect audio?
    • Does it collect license plate data?
    • Does it collect location data?
    • Does it collect metadata?
    • Does it collect biometric data?
    • Does it analyze faces, vehicles, objects, movement, behavior, or patterns?
    • Is any data analyzed by AI or automated tools?
    • Are any features disabled but technically available?

    3. Where does the data go?

    • Where is the data stored?
    • Is it stored on City systems or vendor-controlled cloud systems?
    • Does the City own and control the data?
    • Can vendors access the data?
    • Can vendors process, export, or analyze the data?
    • Are cloud providers or subprocessors involved?
    • Can data be stored outside Oregon?
    • Can data be stored outside the United States?
    • What happens to the data when the contract ends?

    4. How long is the data kept?

    • What is the default retention period for each system?
    • Is non-evidence data automatically deleted?
    • Is non-hit ALPR data deleted quickly?
    • Who can extend retention?
    • What justification is required to extend retention?
    • Are retention changes logged?
    • Are retention settings audited?
    • Does the City publish retention rules publicly?

    5. Who can search the data?

    • Who has access to each system?
    • Are users limited by role?
    • Can every officer search the system?
    • Can supervisors search it?
    • Can dispatch search it?
    • Can prosecutors access it directly?
    • Can vendors access it?
    • Can outside agencies access it?
    • Are searches required to include a case number or incident number?
    • Are searches required to include a purpose?
    • Are all searches logged?
    • Are search logs audited?
    • What happens if someone searches improperly?

    6. Can outside agencies access it?

    • Can federal agencies access Bend surveillance data?
    • Can out-of-state agencies access it?
    • Can regional law enforcement systems access it?
    • Can fusion centers access it?
    • Can private companies access it?
    • Can vendors respond directly to outside requests?
    • Does the City require case-specific legal process before sharing?
    • Does the City require written authorization before sharing?
    • Does the City publish annual data-sharing statistics?
    • Can the City deny outside requests?
    • Can the City audit outside access?

    7. Can vendors activate new features?

    • Can vendors activate new AI features?
    • Can vendors activate analytics features?
    • Can vendors activate biometric tools?
    • Can vendors activate ALPR features?
    • Can vendors activate real-time monitoring?
    • Can vendors change retention settings?
    • Can vendors change data-sharing settings?
    • Does Council approval happen before new capabilities are enabled?
    • Does the public receive notice before major feature changes?
    • Are disabled features independently verified?

    8. What about facial recognition and biometrics?

    • Does Bend use facial recognition?
    • Does Bend plan to use facial recognition?
    • Do any current systems have facial recognition capability?
    • Are biometric features disabled?
    • Who verifies that they are disabled?
    • Would Council approval be required before biometric features are activated?
    • Would the public receive notice?
    • Would there be legal review and technical review first?

    A simple local rule would be:

    No facial recognition or biometric identification without explicit public approval.


    9. What about AI police reports?

    • Does Bend use AI-assisted police reports?
    • Does Bend plan to use AI-assisted police reports?
    • If AI is used, are original AI drafts preserved?
    • Are officer edits logged?
    • Does the final report disclose AI assistance?
    • Are prosecutors notified when AI was used?
    • Can defense attorneys obtain AI drafting records through normal discovery?
    • Can the vendor use Bend data to train AI models?
    • Has the system been independently audited?
    • Are serious incidents excluded or subject to extra safeguards?

    A simple local rule would be:

    No AI-generated police report without an audit trail.


    10. What oversight exists?

    • Has the City conducted an independent technical audit?
    • Does each system have a public use policy?
    • Does each system have a public retention policy?
    • Does each system have a public sharing policy?
    • Are complaints tracked?
    • Are violations reported publicly in aggregate?
    • Does Council review surveillance systems before renewal?
    • Does the City publish annual transparency reports?
    • Are total annual costs publicly reported?
    • Are future renewals and expansions clearly identified?

    11. What safeguards will Bend adopt?

    • Will Bend adopt a surveillance technology ordinance?
    • Will Bend require Council approval before acquisition or expansion?
    • Will Bend publish a public inventory of all surveillance technologies?
    • Will Bend require public use policies before deployment?
    • Will Bend set short retention limits?
    • Will Bend require logged searches with case numbers?
    • Will Bend restrict federal and third-party sharing?
    • Will Bend prohibit facial recognition without explicit public approval?
    • Will Bend require independent technical audits?
    • Will Bend require annual public transparency reports?
    • Will Bend prohibit vendors from activating new capabilities without City approval?
    • Will Bend require public review before contract renewal?

    A short version residents can send

    Residents who want to keep it simple can ask Council this:

    Before Bend expands police surveillance technology, will the City publish a plain-language inventory of all systems, identify what data each system collects, explain where the data is stored, disclose retention periods, require logged searches with case numbers, restrict federal and third-party sharing, prohibit facial recognition without explicit public approval, and require annual public transparency reports?

    These are not anti-police questions.

    They are public governance questions.

    If a technology is powerful enough to collect, search, store, analyze, or share public data, it is powerful enough to deserve public rules.

    Bend residents deserve clear answers before police surveillance systems expand.


    Further reading


    Series links

  • What Reasonable Safeguards Would Look Like in Bend

    What Reasonable Safeguards Would Look Like in Bend

    Part 9 of the Bend Surveillance Oversight series.

    This does not have to be a yes-or-no fight over police technology.

    Bend can support legitimate public safety tools while still requiring strong public oversight.

    The real question is not whether technology should ever be used.

    The real question is whether powerful systems are governed by clear public rules before they expand.

    Body cameras, fleet cameras, ALPRs, drones, traffic enforcement cameras, digital evidence systems, AI tools, and real-time information platforms all raise different questions.

    But they also share a common issue:

    They collect, store, search, analyze, or share public data.

    That means Bend should have a citywide surveillance technology policy.

    Not a vague promise.

    Not vendor assurances.

    Not scattered contract language.

    Not internal rules that residents cannot easily find.

    A clear public framework.


    1. Public inventory of surveillance technologies

    Bend should publish a plain-language inventory of all police surveillance technologies.

    That inventory should identify:

    • the technology name,
    • the vendor,
    • the department using it,
    • the purpose of the system,
    • what data it collects,
    • where the data is stored,
    • how long the data is retained,
    • who can access it,
    • whether outside agencies can access it,
    • whether vendors or subcontractors can access it, and
    • whether any AI, biometric, analytics, or automated decision features are enabled or available.

    Residents should not need to search scattered agendas, contracts, staff reports, and vendor documents to understand what systems exist.


    2. Council approval before acquisition or expansion

    Bend should require Council approval before any department acquires, renews, expands, or materially changes surveillance technology.

    That should include new tools, new vendors, major software modules, AI features, biometric capabilities, data-sharing expansions, and contract amendments that materially change what a system can do.

    Public approval should happen before deployment, not after the system is already operating.


    3. Public use policy before deployment

    Every surveillance technology should have a public use policy before it is deployed.

    That policy should explain:

    • the approved purpose,
    • allowed uses,
    • prohibited uses,
    • data collection rules,
    • retention rules,
    • access rules,
    • sharing rules,
    • audit procedures,
    • disciplinary consequences for misuse, and
    • how residents can find annual reports.

    The public should be able to read the rules before the technology is used.


    4. Short retention for non-evidence data

    Data retention should be limited.

    For non-evidence data, the default should be deletion after a short period unless the data is tied to a specific, documented case.

    For ALPR data, I would support a default rule like this:

    Non-hit ALPR data should automatically delete within 72 hours unless it is tied to a documented case, warrant, stolen vehicle, active investigation, or legally valid evidentiary need.

    Short retention allows legitimate use while reducing the risk that ordinary residents’ movements become long-term searchable records.


    5. Logged searches with case numbers

    If a system can be searched, every search should be logged.

    The log should identify:

    • who searched,
    • when they searched,
    • what they searched,
    • why they searched,
    • the case number or incident number,
    • whether the search produced a result, and
    • whether the result was shared.

    Search logs protect the public from misuse.

    They also protect officers who use the system properly.


    6. Limits on federal, out-of-state, private, and vendor access

    Local surveillance data should not become outside-agency data by default.

    Bend should limit access by federal agencies, out-of-state agencies, private companies, vendors, subcontractors, fusion centers, and other third parties.

    Access should require a documented purpose, legal authority, written authorization, and an auditable record.

    Broad sharing, informal access, and bulk access should be prohibited unless explicitly approved through a public process and consistent with law.


    7. No facial recognition or biometric identification without explicit approval

    Bend should prohibit facial recognition, biometric identification, biometric analytics, or similar identity-matching tools unless Council explicitly approves them after public notice, public debate, legal review, and technical assessment.

    If a system is technically capable of biometric analysis but the City says the feature is disabled, that should be independently verified.

    Disabled features should not become active through a quiet software update or vendor configuration change.


    8. AI report-writing rules

    If Bend ever uses AI to help draft police reports, the City should require strict auditability.

    The basic rule is simple:

    No AI-generated police report without an audit trail.

    That means preserving original AI drafts, officer edits, source transcripts, timestamps, final reports, supervisor edits, and disclosure that AI was used.

    Prosecutors and defense attorneys should be able to obtain relevant records through normal legal processes.


    9. Independent technical audits

    Bend should not rely only on vendor assurances.

    The City should require independent technical audits of surveillance systems.

    Audits should verify:

    • enabled features,
    • disabled features,
    • retention settings,
    • sharing settings,
    • access controls,
    • security controls,
    • vendor access,
    • subprocessor access, and
    • compliance with City policy.

    Trust is strongest when systems can be independently checked.


    10. Annual public transparency reports

    Bend should publish annual surveillance transparency reports.

    Those reports should include:

    • what systems were used,
    • what new systems were acquired,
    • how many searches occurred,
    • how many outside requests were received,
    • how many requests were approved or denied,
    • how many audits were performed,
    • whether misuse was found,
    • whether any new features were activated,
    • whether policies changed, and
    • what the total annual costs were.

    Transparency reports do not need to reveal sensitive case details.

    They should provide enough aggregate information for residents and elected officials to know whether the rules are working.


    11. Contract terms that match public policy

    Contracts should not undermine policy.

    If Bend adopts public rules, vendor contracts should match those rules.

    Contracts should prohibit vendors from changing settings, enabling features, expanding sharing, using data for product development, or using local public safety data for AI training unless the City explicitly approves it through the required public process.

    Good policy should be backed by enforceable contract language.


    12. Public review before renewal

    Surveillance technology should not renew automatically without public review.

    Before renewal, the City should publish a report explaining how the system was used, whether it met its stated purpose, what it cost, whether misuse occurred, whether audits were completed, and whether stronger safeguards are needed.

    Renewal should be a public decision, not an automatic default.


    The basic framework

    A reasonable Bend surveillance policy could be summarized like this:

    • Tell the public what systems exist.
    • Require approval before expansion.
    • Limit retention.
    • Log searches.
    • Restrict sharing.
    • Control vendor access.
    • Ban biometric use without explicit approval.
    • Audit AI tools.
    • Verify systems independently.
    • Report to the public every year.

    That is not anti-police.

    That is responsible governance.

    Powerful public safety tools should answer to public rules.


    Further reading


    Series links

  • Other Cities Are Already Asking Better Questions

    Other Cities Are Already Asking Better Questions

    Part 8 of the Bend Surveillance Oversight series.

    Bend does not need to invent police surveillance oversight from scratch.

    Other cities are already asking the same basic questions:

    • Who approves surveillance technology before it is used?
    • What data is collected?
    • How long is it kept?
    • Who can search it?
    • Can outside agencies access it?
    • Can vendors change settings or activate new features?
    • Does the public receive annual reports?
    • Can elected officials review the system before it expands?

    That is the important lesson.

    The issue is not whether every city has reached the same conclusion.

    They have not.

    The issue is that communities across the country are realizing that police technology should not expand faster than public oversight.


    Austin: surveillance technology should require public rules

    Austin offers one useful model.

    In February 2026, the Austin City Council passed a resolution called the Transparent and Responsible Use of Surveillance Technology Act, or TRUST Act.

    The resolution directed the City Manager to return with an ordinance regulating the adoption, acquisition, deployment, use, and review of surveillance technology by city departments.

    That matters because it shifts the question from one contract at a time to a broader public framework.

    Bend could take the same approach.

    The public question should not only be whether a single contract sounds reasonable.

    The broader question should be what rules apply before surveillance technology is acquired, expanded, renewed, or materially changed.


    Mountain View: vendor assurances were not enough

    Mountain View, California offers another useful lesson.

    In January 2026, the City publicly stated that it had discovered unauthorized queries and potential access to Mountain View ALPR data.

    The City said Police Department staff had met with Flock Safety leadership about “the security and control of our data,” and said it was “upset and disappointed with how our data was accessed.”

    That example matters because it shows why vendor assurances are not enough.

    The lesson for Bend is simple:

    Do not wait for a data-sharing problem before creating data-sharing rules.


    Pima County: cost and AI concerns can cross political lines

    Pima County, Arizona offers another example.

    Reporting in early 2026 described the Pima County Board of Supervisors rejecting a proposed $45 million contract expansion involving Axon technology and AI tools.

    Reported concerns included cost, AI expansion, and whether the investment made sense for the Sheriff’s Department.

    That example matters because surveillance oversight is not only a privacy issue.

    It is also a budget issue.

    Public safety dollars are limited.

    Every dollar spent on bundled technology, AI tools, cloud subscriptions, hardware refreshes, and add-on features is a dollar not spent somewhere else.

    That does not mean technology is never worth funding.

    It means elected officials should ask hard questions before long-term commitments become automatic.


    Ferndale: public pressure can lead to stronger oversight

    Ferndale, Michigan offers another useful example based on reporting about local ALPR oversight discussions.

    Reporting described residents raising concerns about license plate reader expansion and city officials discussing stronger policies.

    That is important because public oversight often improves when residents ask specific, grounded questions.

    Community engagement does not have to stop technology.

    It can improve the rules that govern technology.


    The pattern is bigger than one vendor

    This is not only about Axon.

    It is not only about Flock.

    It is not only about ALPRs.

    It is not only about body cameras.

    It is not only about AI.

    The larger issue is how cities govern powerful surveillance systems once cameras, cloud storage, software subscriptions, data-sharing, analytics, and vendor platforms become part of public safety operations.

    A city can support public safety and still insist on public oversight.

    Those goals are not opposites.


    What Bend can learn

    Bend can learn at least five things from other cities.

    1. Oversight should happen before deployment or expansion, not after controversy.
    2. Citywide rules are better than one-off contract debates.
    3. Data-sharing limits should be explicit and enforceable.
    4. Vendors should not be the only source of truth about how systems work.
    5. Annual public reporting builds trust without exposing sensitive case details.

    These examples do not prove that Bend has the same problems.

    They show why Bend should adopt safeguards before problems occur.


    Bend can ask better questions now

    Police technology can be useful.

    But useful tools still need rules.

    If other cities are asking stronger questions about surveillance technology, Bend can too.

    The question is not whether Bend should copy another city word for word.

    The question is whether Bend should create its own public framework before future expansions become harder to unwind.

    Better questions today can prevent harder problems tomorrow.


    Further reading


    Series links

  • Why Federal and Third-Party Sharing Matters

    Why Federal and Third-Party Sharing Matters

    Part 7 of the Bend Surveillance Oversight series.

    In the last post, I wrote about why ALPR scans are location records.

    A license plate reader does not just capture a plate number.

    It creates a record that a specific vehicle was seen at a specific place at a specific time.

    But there is a second question that matters just as much:

    Once a city collects surveillance data, does that data stay local?

    That question applies to ALPRs, body cameras, fleet cameras, drone video, real-time information platforms, traffic cameras, evidence systems, and other police technology.

    The concern is not only what Bend collects.

    The concern is who else can access it.


    Local data can become outside-agency data

    A resident may feel differently about local police using a tool for a specific local purpose than they do about that same data becoming available to state agencies, federal agencies, out-of-state agencies, fusion centers, private vendors, or other third parties.

    Public consent for one local use should not be treated as consent for every future use.

    That is why data-sharing rules should be explicit before technology expands.

    Local data should not become outside-agency data by default.


    The policy should be explicit

    Data-sharing rules should not be vague.

    A policy that says information may be shared “for law enforcement purposes” may sound reasonable, but it can be extremely broad.

    A stronger policy should say exactly:

    • who may access the data,
    • for what purpose,
    • under what legal authority,
    • with whose approval,
    • with what documentation,
    • for how long,
    • whether access is logged,
    • whether the public will receive aggregate reporting, and
    • whether the request can be denied.

    If the policy does not clearly prohibit broad sharing, residents cannot know where local surveillance data may eventually go.

    That uncertainty is the problem.


    Federal access requires special caution

    Federal access deserves special attention because federal priorities can change quickly.

    Local residents may support local public safety uses while objecting to unrelated federal uses, especially if those uses involve immigration enforcement, political activity, protests, reproductive health travel, religious activity, or other sensitive areas.

    A strong policy would say:

    Bend surveillance data may not be shared with federal agencies unless there is case-specific legal process, written City authorization, a documented local purpose, and an auditable record.

    That rule would not prevent lawful cooperation in a serious case.

    It would prevent broad, informal, or routine access.


    Vendor access is also third-party access

    Third-party sharing is not only about government agencies.

    Vendors are third parties too.

    If a private company hosts police data, maintains the software, provides analytics, troubleshoots systems, stores video, processes license plate reads, or manages user access, that company may have some level of technical access to the system.

    That access should be limited, logged, and auditable.

    Vendor access should never be a black box.

    Contracts should clearly define when a vendor can access data, what the vendor can do with it, whether subcontractors are involved, whether data can be used for product development or AI training, and how the City verifies compliance.


    Outside sharing can create long-term consequences

    Once data leaves a local system, it may be harder to control.

    It may be copied, retained, searched again, combined with other databases, or used for purposes residents never debated locally.

    That is why sharing limits need to be set before sharing occurs.

    The point is not to block legitimate, case-specific cooperation.

    The point is to prevent broad access, informal access, bulk sharing, or secondary uses that bypass local democratic oversight.


    What a stronger local rule could require

    A stronger Bend policy would require:

    • case-specific legal process for outside-agency access,
    • written City authorization before sharing,
    • a documented purpose for every request,
    • a case number or incident number when applicable,
    • logs showing what was shared and with whom,
    • limits on vendor access and subcontractor access,
    • prohibitions on bulk or informal sharing,
    • clear retention limits after data is shared, and
    • annual public reporting in aggregate form.

    These safeguards would not prevent legitimate public safety work.

    They would make sure powerful data-sharing systems answer to public rules.


    The basic principle

    Local surveillance data should not become outside-agency data by default.

    If Bend collects police technology data, the City should clearly define who can access it, when it can be shared, how sharing is approved, how access is logged, and how the public can verify that the rules are being followed.

    The solution is not complicated:

    No broad sharing. No informal access. No vendor black boxes. No federal access without case-specific process. Public reporting every year.

    That is how local control becomes real.


    Further reading


    Series links

  • ALPRs: License Plate Scans Are Location Records

    ALPRs: License Plate Scans Are Location Records

    Part 6 of the Bend Surveillance Oversight series.

    An automated license plate reader does not just capture a plate number.

    It creates a time-and-place record.

    And when many scans are collected over time, those records can reveal patterns about where a vehicle has been, when it was there, and how often it appeared in certain places.

    That is why ALPR data should be treated as location data.

    It is not “just a plate.”

    It is a record of movement.


    What an ALPR scan actually records

    An ALPR system typically captures:

    • the license plate number,
    • the date and time of the scan,
    • the location of the camera,
    • an image of the plate or vehicle, and sometimes
    • additional metadata about the scan.

    One scan by itself may not say much.

    But multiple scans over time can create a much richer picture.

    If a vehicle is scanned near a home, workplace, school, clinic, place of worship, political event, protest, or support meeting, the scans may reveal sensitive patterns about a person’s life.

    That is why ALPR data deserves careful limits.


    Patterns matter more than single scans

    The privacy issue is not only the plate number.

    The privacy issue is the pattern.

    A series of scans can show where a vehicle travels, how often it visits certain places, what route it takes, when it leaves, when it returns, and whether those movements change over time.

    That is a form of location tracking.

    Even if each individual scan appears routine, the system as a whole can become highly revealing.

    That is why retention periods, search rules, and sharing rules matter so much.


    This post does not claim Bend currently uses fixed ALPR technology

    This post does not claim that Bend currently uses fixed automated license plate reader technology.

    The point is broader: if Bend adopts fixed ALPRs in the future, or if related systems create similar location records, the City should have clear rules in place before deployment.

    Oversight should come first, not later.


    Short retention should be the default

    If ALPR data is retained for long periods, it becomes easier to reconstruct a person’s travel history.

    The longer the data is kept, the more it can be searched, shared, or misused later.

    A reasonable rule would be:

    Delete ALPR scans quickly unless they are tied to a legitimate, documented case.

    I would support a default retention period as short as 72 hours unless the scan is associated with a specific investigative need such as a stolen vehicle, warrant hit, active case, or clearly documented law enforcement purpose.

    That kind of rule allows legitimate use while reducing unnecessary long-term accumulation.


    Every search should be logged

    If ALPR data can be searched, every search should leave a record.

    That record should show:

    • who conducted the search,
    • when it was conducted,
    • what plate or data was searched,
    • the case number or incident number,
    • the reason for the search, and
    • whether the results were shared.

    Without logs, the public has to trust that the system is being used properly.

    With logs, the City can verify that the rules are being followed.


    Sharing should be limited and documented

    ALPR data should not flow freely to outside agencies, vendors, private companies, or federal systems without clear public rules.

    A strong policy would require:

    • a specific legal basis for sharing,
    • a documented case-related purpose,
    • written authorization,
    • an auditable record of what was shared and with whom, and
    • clear limits on bulk or informal access.

    The issue is not whether legitimate case-specific sharing can occur.

    The issue is whether local location data becomes broadly accessible by default.


    Public reports build trust

    If Bend ever uses ALPRs, the City should publish annual public reports showing:

    • how many cameras or systems were used,
    • how many scans were collected,
    • how long data was retained,
    • how many searches were conducted,
    • how many shares occurred,
    • how many outside-agency requests were received,
    • how many requests were granted or denied, and
    • whether any misuse or policy violations were found.

    These reports do not need to expose sensitive investigative details.

    They should provide enough information for residents and elected officials to understand how the system is working.


    The basic principle

    An ALPR scan is not just a plate number.

    It is a location record.

    And location records deserve strong safeguards.

    Short retention. Logged searches. Clear sharing limits. Public oversight.

    Those are not extreme demands.

    They are basic rules for a powerful system.


    Further reading


    Series links

  • AI Police Reports and the Audit Problem

    AI Police Reports and the Audit Problem

    Part 5 of the Bend Surveillance Oversight series.

    Police reports are not ordinary paperwork.

    They can shape criminal charges, court proceedings, plea negotiations, public records, insurance claims, disciplinary reviews, and a person’s ability to defend themselves.

    That is why AI-generated police reports deserve careful public oversight.

    The issue is not whether officers should use better tools.

    The issue is whether official police records remain accurate, reviewable, and auditable when artificial intelligence is involved.


    What AI police report tools do

    AI police report tools can use body-camera audio, transcripts, officer input, or other records to generate a draft narrative.

    That may sound helpful.

    Police officers spend a lot of time writing reports, and many departments are looking for tools that reduce paperwork.

    But a police report is not just a summary.

    It is an official law enforcement record.

    If AI helps write that record, the public should know:

    • what information the AI used,
    • what the AI produced,
    • what the officer changed,
    • whether the officer verified every factual statement,
    • whether the original AI draft was preserved,
    • whether errors can be reconstructed later, and
    • whether defense attorneys, prosecutors, judges, or oversight bodies can review the process.

    Without those safeguards, AI report-writing creates a serious audit problem.


    Why the original AI draft matters

    Imagine an AI tool creates a draft police report from body-camera audio.

    The officer reads it, edits it, and copies the final text into the official report system.

    Then the original AI draft disappears.

    Later, a defendant, attorney, judge, journalist, auditor, or oversight board wants to know whether a questionable sentence came from the officer, the transcript, or the AI system.

    If the original AI draft was not preserved, there may be no way to answer that question.

    That is the core problem.

    The concern is not only that AI can make mistakes.

    The concern is that AI mistakes may become embedded in official records without leaving a trace.


    What a basic audit trail should include

    A reasonable AI police report policy should require preservation of:

    • the original AI-generated draft,
    • the body-camera audio or transcript used to generate it,
    • the prompt or settings used,
    • timestamps,
    • the officer’s edits,
    • the final submitted report,
    • supervisor edits if any, and
    • a clear label showing that AI assisted in the drafting process.

    This should not be controversial.

    If AI saves time and improves accuracy, the audit trail should show that.

    If AI introduces errors, the audit trail should make those errors detectable.

    Either way, preserving the record protects the public, defendants, officers, prosecutors, and the City.


    Bend should set rules before using AI reports

    This post does not claim that Bend currently uses AI-assisted police report-writing.

    The point is that AI report-writing is already being marketed to law enforcement agencies, and cities should set rules before these tools become routine.

    Bend should not wait until after AI-generated police reports become common to decide how they should be governed.

    A strong local policy would say:

    1. No AI-generated police report may be submitted without officer review and certification.
    2. The original AI-generated draft must be preserved.
    3. All officer edits must be logged.
    4. The report must disclose that AI assisted in drafting.
    5. Prosecutors must be notified when AI was used.
    6. Defense attorneys must be able to obtain relevant AI drafting records through normal discovery.
    7. AI report tools may not be used for serious incidents unless additional safeguards are in place.
    8. The City must publish annual statistics on AI report use, error findings, officer adoption, and measured time savings.
    9. The vendor may not use Bend data to train AI models without explicit public approval.
    10. The City must independently audit the system before and after deployment.

    These rules would not ban AI.

    They would make AI accountable.


    No AI-generated police report without an audit trail

    Police reports are too important to become black boxes.

    If AI helps write an official record, the original AI output should not vanish.

    Bend residents should expect a simple rule:

    No AI-generated police report without an audit trail.


    Further reading


    Series links

  • What Happens to the Data?

    What Happens to the Data?

    Part 4 of the Bend Surveillance Oversight series.

    When people talk about police cameras, the conversation often focuses on the camera itself.

    But the camera is only the beginning.

    The more important question is what happens after data is collected.

    • Where does the video go?
    • Who stores it?
    • How long is it kept?
    • Who can search it?
    • Can it be shared?
    • Can vendors access it?
    • Can outside agencies access it?
    • Are searches logged?
    • Can the data be used later for a different purpose?

    These are the questions that turn a camera discussion into a public oversight discussion.


    Collection is only step one

    A body camera, vehicle camera, drone, traffic camera, or license plate reader may collect video, audio, images, license plate data, metadata, location information, timestamps, or other records.

    But collection is only the first step.

    After that, data may be uploaded to cloud storage, attached to case files, searched by officers, shared with prosecutors, retained for years, reviewed by supervisors, exported for court, or combined with other systems.

    A technology policy that says “we use cameras” is not enough.

    The real policy should explain what data is collected, where it is stored, how long it is retained, who can access it, when it can be searched, whether searches require a case number, whether searches are audited, whether vendors can access it, whether outside agencies can access it, whether data can be used for AI training or analytics, and whether new uses require public approval.


    Cloud storage changes the oversight question

    Many modern police technology systems rely on cloud storage and vendor-managed software.

    That can be useful.

    Cloud systems can make evidence easier to organize, share, redact, and preserve.

    But cloud storage also changes the oversight question.

    If public safety data is stored in a vendor-controlled system, residents should know what contractual rules apply.

    They should know whether the City owns the data, whether the vendor can access it, whether subcontractors are involved, whether data is encrypted, and whether the City can independently verify how the system is configured.

    This is why public policy should not rely only on verbal assurances.

    The City should publish the actual rules.


    Retention matters

    Retention is one of the most important privacy questions.

    A camera that records something and deletes it quickly is very different from a system that keeps searchable records for months or years.

    The longer data is kept, the more it can be searched later, shared later, misused later, breached later, or repurposed later.

    For Bend, a reasonable policy would be:

    Delete non-evidence data by default after a short period unless it is flagged for a specific, documented case.

    For ALPR data, I would support a default deletion period as short as 72 hours unless the scan is tied to a legitimate case, hit, warrant, stolen vehicle, or documented investigation.


    Search logs should be mandatory

    If a police technology system can be searched, the search should leave a record.

    That record should show who searched, when they searched, what they searched, why they searched, the case number or incident number, whether the search produced a result, and whether the result was shared.

    Without search logs, the public has to trust that the system is only being used properly.

    With search logs, the City can verify whether the system is being used properly.

    This protects the public.

    It also protects officers who are using the system appropriately.


    Sharing rules should be explicit

    Data-sharing rules should not be vague.

    A policy that says data may be shared “for law enforcement purposes” may sound reasonable, but it can be very broad.

    A stronger policy would say that surveillance data may not be shared with federal agencies, out-of-state agencies, private companies, or other third parties unless there is a specific legal basis, a documented case number, written authorization, and an auditable record.

    The point is not to prevent legitimate case-specific cooperation.

    The point is to prevent broad, informal, or automatic access to local surveillance data without clear public rules.


    Vendor access should not be a black box

    Vendor access is also a form of third-party access.

    If a private company hosts police data, manages software, provides analytics, troubleshoots systems, stores video, or controls user permissions, the public should know what limits apply.

    Vendor access should be limited, logged, and auditable.

    Contracts should make clear that vendors cannot use local public safety data for unrelated purposes, product development, AI training, or secondary analysis without explicit public approval.


    Public reports build trust

    The City should publish annual transparency reports for police surveillance systems.

    Those reports should include:

    • what systems were used,
    • how many searches were conducted,
    • how many times data was shared,
    • how many outside-agency requests were received,
    • how many requests were approved or denied,
    • how many audits were conducted,
    • whether any misuse was found,
    • whether any new features were activated, and
    • whether any policies changed.

    These reports do not need to expose sensitive case details.

    They should provide enough aggregate information for residents and elected officials to understand whether the rules are working.


    The basic principle

    The goal is not to prevent every use of technology.

    The goal is to make sure powerful tools answer to public rules.

    A camera policy should not stop at collection.

    It should follow the data.

    Where it goes, how long it stays, who can search it, who can share it, and how the public can verify the rules are being followed.


    Further reading


    Series links