Someone at the San Francisco Police Department wanted to share a link to some of its drone feeds. So they generated one, set it to expire in a year, and skipped the part where you put a password on footage of people’s living rooms. That link found its way into a public archive of web addresses used by security researchers, which is where two of them found it and started watching along with whoever else already had.
Sam Curry and Maik Robert pulled down roughly 48 hours of SFPD drone operations from mid-June before the feed went dark. The researchers reported the exposed public link to Skydio, the company whose software the department runs, around two days after discovering it, and it was then quickly taken offline. By then, according to WIRED, “the link appeared to have already exposed the drone feeds for six months,” with “no assurance that Curry and Robert were the only ones who had been watching.”
Sixty videos from twenty separate flights, every mission recorded three ways, a color camera, a thermal view that turns people into heat blooms, and a feed from the drone’s rooftop dock. Second-by-second telemetry came with it, more than 5,000 GPS coordinates tracing over 44 miles of flight and logging each drone’s altitude, speed, heading, and battery level from takeoff to landing. Six pilots had their names and work email addresses spill out too.
What the cameras recorded is the part that should worry anyone who lives beneath them. The footage looked into dozens of apartments, caught hundreds of people and vehicles, and captured the clear faces of dozens of residents who were doing nothing more suspicious than existing outdoors.
WIRED observed that “the innocuous appearance of many of the videos raises questions about whether the surveillance was necessary.” Take the call logged as an “auto boost/strip,” police shorthand for stealing a car to strip it for parts. A drone tailed two young men in a vehicle, one of them flagged as a “suspicious person in a vehicle,” until the pair parked, walked onto a basketball court, and started playing. The drone left.
Another flight answered an alleged “prowler.” The drone found a young person sitting on a rooftop in headphones, hovered, zoomed in, and flew off. Curry called it “an invasion of privacy” and “uncomfortable.” As he described it, “This person thinks they’re by themselves on this roof and has gotten away from everybody, and then there’s a police drone watching them.”
The department has rules for exactly this. SFPD’s drone policy tells operators to keep cameras trained on what a mission requires, to hold down the inadvertent collection of data about uninvolved people and places, and to turn the lens away from spots where people expect privacy.
The leaked videos ran entire missions from takeoff to landing and captured streets, rooftops, courtyards, parked cars, and apartment windows belonging to people who were not the subject of any operation.
Skydio makes the drones and the software, and it has built a business on being the American answer to Chinese-made DJI after agencies dropped those over security worries.
More than 400 public safety agencies now fly its hardware, and the sales pitch rests on domestic gear keeping the data safer. The company recently closed a $110 million funding round at a $4.4 billion valuation and is angling toward an eventual IPO, a figure that leans on the belief its systems are harder to breach than the alternatives.
SFPD says it is investigating how the link got loose, and the drones are still up. The feed that leaked showed active operations in real time, which hands defense attorneys a fresh question about how secure any of the department’s drone data ever was.




