A Leak of San Francisco Police Drone Footage Exposes the New Reality of Urban Surveillance | WIRED

Created 7/14/2026 at 11:27:36 PMEdited 7/14/2026 at 11:34:17 PM

highly sensitive video of the man’s physical takedown, wasn’t voluntarily released by the SFPD—which, like most US police departments, rarely releases drone videos even in response to public records requests. Instead, it was accidentally livestreamed onto the open internet via Skydio’s website. That’s where two security researchers, Sam Curry and Maik Robert, discovered that the SFPD was leaking all of the real-time footage from five of its surveillance drones, including both color and thermal imaging, accompanying location metadata, and the drone pilots’ names and email addresses, to anyone who merely found the public web address where the videos were hosted.

Skydio, based in nearby San Mateo, is one of the leading American drone companies selling to police departments, fire departments, government agencies, and the military. Its X10 drones are part of SFPD’s drone program, which began in 2024 and is authorized for vehicle pursuits and active criminal investigations. Since then, the program has grown quickly: SFPD’s fleet has expanded from six drones to 98, and officers logged more than 1,400 launches between May 2024 and March 2026, according to a 2025 SFPD annual report and reporting from the San Francisco Chronicle.

the drone videos were exposed not as a result of any error on the part of Skydio, but rather by what seems to be a misuse of Skydio’s software by the SFPD. Skydio allows users to generate shareable links to videos or access to drones’ data streams in real time, known as ReadyLinks, with the ability to limit access to users with an authentication code or an expiration date. Someone with access to the SFPD’s instance of Skydio’s software, however, appears to have created a link last December to five of its drones’ feeds with no authentication requirement and an expiration date of one full year.

That link was then somehow added to an open-source collection of archived web URLs known as AlienVault Open Threat Exchange, typically used by security researchers, where Curry and Robert found it. In other words, the link appeared to have already exposed the drone feeds for six months by that time, with no assurance that Curry and Robert were the only ones who had been watching.

The innocuous appearance of many of the videos raises questions about whether the surveillance was necessary. In one “auto boost/strip”-related call, the drone follows two young men in their car, at least one of whom is described in police records as having been identified as a “suspicious person in a vehicle.” Then the two men emerge onto a basketball court and start playing, and the drone departs.

A drone flight in response to what police records describe as a “person with a gun” investigation seems to fixate on a seemingly intoxicated man stooped on a sidewalk. Another drone, called in response to an alleged “prowler” incident, hovers over a young person wearing headphones and sitting on the roof of a building, zooms in on them, then flies away. “That one felt like an invasion of privacy, just so uncomfortable,” Curry says. “Like this person thinks they’re by themselves on this roof and has gotten away from everybody, and then there's a police drone watching them.”

Curry and Robert say they first became curious about Skydio last month after seeing an announcement from a Florida police department that it was adopting the company’s drone system, and then learning how widely the company’s drones have been deployed across the US. As web-focused security researchers, they decided to check out the company’s systems. In one routine step, they used the tool GetAllURLs, which pulls all archived web addresses for a given domain from sources including AlienVault Open Threat Exchange, requesting all Skydio links.

Public