SFPD Drone Surveillance Leaked Online: A Major Privacy Breach Exposes Real-Time Operations
A critical security lapse by drone manufacturer **Skydio** led to the accidental livestreaming of real-time surveillance footage from **San Francisco Police Department (SFPD)** drones onto the open internet. This breach exposed sensitive police operations, including arrests, individual tracking, and thermal imaging, raising significant privacy concerns for both citizens and IT security professionals.
Just last month, a **Skydio X10 quadcopter** hovered 200 feet above a San Francisco apartment complex, silently observing a police pursuit. The drone, one of several deployed, tracked a suspect's SUV across the city, zooming in on its license plate and maintaining a lock on the vehicle. This aerial surveillance culminated in the man's apprehension, with multiple drones providing comprehensive coverage from various angles.
This incident, described by the **SFPD** as an alleged βauto boost/stripβ (theft of car parts), offers a stark glimpse into the increasing sophistication of drone-enabled police surveillance.

### Accidental Livestream Exposes Sensitive Data
Crucially, this detailed footage of police operations, including the physical takedown of the suspect, was not voluntarily released by the **SFPD**. Instead, it was inadvertently streamed onto the open internet via **Skydio's** website. Security researchers **Sam Curry** and **Maik Robert** discovered this critical vulnerability, finding that five **SFPD** surveillance drones were broadcasting all real-time footageβincluding color and thermal imaging, accompanying location metadata, and even the drone pilotsβ names and email addressesβto anyone who found the public web address.
Curry and Robert reported their findings to **Skydio** approximately two days after discovery, and the leak was promptly taken offline. However, during that period, the researchers witnessed multiple arrests, searches, and tracking operations from the sky, all publicly accessible.
"Thereβs a certain trust given to the police to use these things correctly," stated Curry. "When you're watching a drone feed live, you can look into dozens of different apartments, you can see police zooming in on people, you can see arrests. The fact that all of this was exposed feels like a really big issue from a privacy perspective."
### A Detailed Record of Surveillance Operations
The archived data captured by Curry and Robert provides a comprehensive record of **SFPD** drone activities over approximately 48 hours in mid-June. This includes 60 videos from 20 separate flights, with each mission recorded from three distinct feeds: a color camera, a thermal camera (rendering individuals as heat signatures), and a third view from the droneβs rooftop dock.
Analysis of the 20 color videos, using object detection software, revealed hundreds of people and vehicles filmed across these flights. In one instance, a drone hovering over a downtown intersection captured 34 individuals. Dozens of clear faces were visible across the collected footage.

In total, the archive contains over three hours of aerial color footage and a similar amount of thermal footage. It also includes second-by-second telemetry logs for every flight, encompassing more than 5,000 GPS points, tracing over 44 miles. These logs detail each droneβs latitude, longitude, altitude, speed, heading, and battery level from takeoff to landing. The names and email addresses of six **SFPD** pilots were also present within these logs.
This incident underscores the critical importance of robust security protocols for any technology deployed in public spaces, especially those involving surveillance. For IT security professionals, it serves as a stark reminder of the potential for even well-intentioned technologies to become vectors for privacy breaches if not secured meticulously.