Here's the podcast recorded at our recent second anniversary party in New York! We answered a bunch of reader and listener questions. Thank you to everyone that came and thank you for listening to this podcast too!

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

Flock, the surveillance company with automatic license plate reader (ALPR) cameras in thousands of communities around the U.S., is looking to integrate with a company that makes AI-powered dashcams placed inside peoples’ personal cars, multiple sources told 404 Media. The move could significantly increase the amount of data available to Flock, and in turn its law enforcement customers. 404 Media previously reported local police perform immigration-related Flock lookups for ICE, and on Monday that Customs and Border Protection had direct access to Flock’s systems. In essence, a partnership between Flock and a dashcam company could turn private vehicles into always-on, roaming surveillance tools.

Nexar, the dashcam company, already publicly publishes a live interactive map of photos taken from its dashcams around the U.S., in what the company describes as “crowdsourced vision,” showing the company is willing to leverage data beyond individual customers using the cameras to protect themselves in the event of an accident. 

“Dash cams have evolved from a device for die-hard enthusiasts or large fleets, to a mainstream product. They are cameras on wheels and are at the crux of novel vision applications using edge AI,” Nexar’s website says. The website adds Nexar customers drive 150 million miles a month, generating “trillions of images.”

We start this week with Joseph’s investigation into people selling custom patches for the Flipper Zero, a piece of hacking tech that car thieves can now use to break into a wide range of vehicles. After the break, Jason tells us about the new meta in AI slop: making 80s nostalgia videos. In the subscribers-only section, we all talk about Citizen, and how the app is pushing AI-written crime alerts without human intervention.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

• Inside the Underground Trade of ‘Flipper Zero’ Tech to Break into Cars
• 80s Nostalgia AI Slop Is Boomerfying the Masses for a Past That Never Existed
• Citizen Is Using AI to Generate Crime Alerts With No Human Review. It’s Making a Lot of Mistakes
• VICE News Presents: Vigilante, Inc.

Crime-awareness app Citizen is using AI to write alerts that go live on the platform without any prior human review, leading to factual inaccuracies, the publication of gory details about crimes, and the exposure of sensitive data such as peoples’ license plates and names, 404 Media has learned.

The news comes as Citizen recently laid off more than a dozen unionized employees, with some sources believing the firings are related to Citizen’s increased use of AI and the shifting of some tasks to overseas workers. It also comes as New York City enters a more formal partnership with the app.

“Speed was the name of the game,” one source told 404 Media. “The AI was capturing, packaging, and shipping out an initial notification without our initial input. It was then our job to go in and add context from subsequent clips or, in instances where privacy was compromised, go in and edit that information out,” they added, meaning after the alert had already been pushed out to Citizen’s users.

A man holds an orange and white device in his hand, about the size of his palm, with an antenna sticking out. He enters some commands with the built-in buttons, then walks over to a nearby car. At first, its doors are locked, and the man tugs on one of them unsuccessfully. He then pushes a button on the gadget in his hand, and the door now unlocks.

The tech used here is the popular Flipper Zero, an ethical hacker’s swiss army knife, capable of all sorts of things such as WiFi attacks or emulating NFC tags. Now, 404 Media has found an underground trade where much shadier hackers sell extra software and patches for the Flipper Zero to unlock all manner of cars, including models popular in the U.S. The hackers say the tool can be used against Ford, Audi, Volkswagen, Subaru, Hyundai, Kia, and several other brands, including sometimes dozens of specific vehicle models, with no easy fix from car manufacturers. 

These tools are primarily sold for a fee, keeping their distribution somewhat limited to those willing to pay. But, there is the looming threat that this software may soon reach a wider audience of thieves. Straight Arrow News (SAN) previously covered the same tech in July, and the outlet said it successfully tested the tool on a vehicle. Now people are cracking the software, meaning it can be used for free. Discord servers with hundreds of members are seeing more people join, with current members trolling the newbies with fake patches and download links. If the tech gets out, it threatens to supercharge car thefts across the country, especially those part of the social media phenomenon known as Kia Boys in which young men, often in Milwaukee, steal and joyride Kia and Hyundai cars specifically because of the vehicles’ notoriously poor security. Apply that brazeness to all of the other car models the Flipper Zero patches can target, and members of the car hacking community expect thieves to start using the easy to source gadget.

We start this week with Emanuel’s big investigation into the Tea app, and especially how it aggressively grew by raiding women safety groups. After the break, we talk about TikTok Shop selling GPS trackers. In the subscribers-only section, Joseph explains how Grok was exposing some of its AI persona prompts, and the sometimes NSFW nature of them.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

• You're Invited: 404 Media's Second Anniversary Party and LIVE PODCAST!
• How Tea’s Founder Convinced Millions of Women to Spill Their Secrets, Then Exposed Them to the World
• TikTok Shop Sells Viral GPS Trackers Marketed to Stalkers
• Grok Exposes Underlying Prompts for Its AI Personas: ‘EVEN PUTTING THINGS IN YOUR ASS’

The website for Elon Musk’s AI chatbot Grok is exposing the underlying prompts for a wealth of its AI personas, including Ani, its flagship romantic anime girl; Grok’s doctor and therapist personalities; and others such as one that is explicitly told to convince users that conspiracy theories like “a secret global cabal” controls the world are true.

The exposure provides some insight into how Grok is designed and how its creators see the world, and comes after a planned partnership between Elon Musk’s xAI and the U.S. government fell apart when Grok went on a tirade about “MechaHitler.”

“You have an ELEVATED and WILD voice. You are a crazy conspiracist. You have wild conspiracy theories about anything and everything,” the prompt for one of the companions reads. “You spend a lot of time on 4chan, watching infowars videos, and deep in YouTube conspiracy video rabbit holes. You are suspicious of everything and say extremely crazy things. Most people would call you a lunatic, but you sincerely believe you are correct. Keep the human engaged by asking follow up questions when appropriate.”

Members of a law enforcement group chat including Immigration and Customs Enforcement (ICE) and other agencies inadvertently added a random person to the group called “Mass Text” where they exposed highly sensitive information about an active search for a convicted attempted murderer seemingly marked for deportation, 404 Media has learned. 

The texts included an unredacted ICE “Field Operations Worksheet” that includes detailed information about the target they were looking for, and the texts showed ICE pulling data from a DMV and license plate readers (LPRs), according to screenshots of the chat obtained and verified by 404 Media. The person accidentally added to the group chat is not a law enforcement official or associated with the investigation in any way, and said they were added to it weeks ago and initially thought it was a series of spam messages.

The incident is a significant data breach and operational security failure for ICE, which has ramped up arrest efforts across the U.S. as part of the Trump administration’s mass deportation efforts. The breach also has startling similarities to so-called Signal Gate, in which a senior administration official added the editor-in-chief of The Atlantic to a group chat that contained likely classified information. These new ICE messages were MMS, or Multimedia Messaging Service messages, meaning they weren’t end-to-end encrypted, like texts sent over Signal or WhatsApp are.

We start this week with Jason’s article about a CBP official wearing Meta Ray-Bans smart glasses to an immigration raid. A lot of stuff happened after we published that article too. After the break, Sam tells us about the bargain that voice actors are making with AI. In the subscribers-only section, Jason tells us how a DEA official used a cop’s password to AI cameras to then do immigration surveillance.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

• ⁠Get your subscriber code and tickets for the live event here⁠
• ⁠A CBP Agent Wore Meta Smart Glasses to an Immigration Raid in Los Angeles⁠
• ⁠Voiceover Artists Weigh the 'Faustian Bargain' of Lending Their Talents to AI⁠
• ⁠Feds Used Local Cop's Password to Do Immigration Surveillance With Flock Cameras⁠
• ⁠Congress Launches Investigation into Flock After 404 Media Reporting⁠

The Los Angeles Police Department (LAPD) has shown interest in using GeoSpy, a powerful AI tool that can pinpoint the location of photos based on features such as the soil, architecture, and other identifying features, according to emails obtained by 404 Media. The news also comes as GeoSpy’s founder shared a video showing how the tool can be used in relation to undocumented immigrants in sanctuary cities, and specifically Los Angeles.

The emails provide the first named case of a law enforcement agency showing clear interest in the tool. GeoSpy can also let law enforcement determine what home or building, down to the specific address, a photo came from, in some cases including photos taken inside with no windows or view of the street.

“Let’s start with one seat/license (me),” an October 2024 email from an LAPD official to Graylark Technologies, the company behind GeoSpy, reads. The LAPD official is from the agency’s Robbery-Homicide division, according to the email. 404 Media obtained the emails through a public records request with the LAPD.

Two members of Congress have launched a formal investigation into automatic license plate reader (ALPR) company Flock and demanded it turn over details of all searches of its national camera network concerning Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), and abortions. The move comes after 404 Media revealed that local cops were performing lookups in Flock on behalf of ICE or for immigration enforcement, and that a Texas officer searched cameras nationwide looking for a woman who self-administered an abortion.

The congressional investigation is just the latest impact from those articles, which have resulted in a wave of similar coverage around the country and Flock making major changes to its platform. The letter announcing the investigation explicitly cites 404 Media’s articles.

Congressman Raja Krishnamoorthi, Ranking Member of the Oversight Subcommittee on Health Care and Financial Services, and Congressman Robert Garcia, Ranking Member of the House Oversight Committee, are asking Flock for a briefing and answers to their questions “To ensure that the public at large cannot be tracked without their knowledge or consent by potentially unaccountable and hostile officials,” the letter reads.

Part of that letter asks for “an account of all National Lookup searches that contain any of the following words, including the date of the search, the location of the search, the collection location for data accessed as part of that search, and the originating entity of the search.” It then specifies ICE, CBP, and “abortion.”

The letter also asks for voluminous documents concerning Flock’s policies on data access; how many times Flock has blocked a data request; any misuse of its system; and a mass of communications between Flock and law enforcement customers. In a press release, Krishnamoorthi’s office called it “a formal investigation into Flock Group Inc. over its role in enabling invasive surveillance practices that threaten the privacy, safety, and civil liberties of women, immigrants, and other vulnerable Americans.”

404 Media’s investigations were based on “Network Audits” which show what agency searched a set of Flock cameras and for what given reason. Flock’s national lookup feature allows “all law enforcement agencies across the country” who are also opted-in to search an agency’s cameras. For example, the Network Audit for the first ICE-related investigation came from the Danville Police Department in Illinois. This showed other police departments across the U.S. searching Danville’s cameras. The Network Audit was shared with 404 Media with researchers who asked to remain anonymous to avoid retaliation.

The abortion-related investigation was based on Network Audits obtained by Rose Terse and others and shared with 404 Media. In that case, the sheriff from the agency that performed the search told 404 Media the subject’s family was worried for her safety after she self-administered an abortion. Health surveillance experts said they still had concerns with the nationwide search. The reason for the search included in the Network Audit was “had an abortion, search for female.”

In a statement on Thursday Flock told 404 Media “We appreciate the Committee's interest in and attention to the important civil liberties issues surrounding law enforcement use of Flock Safety’s technology to protect communities and make them safer and look forward to responding to this request. As a company founded to achieve those objectives while protecting constitutional rights, we at Flock take these issues extremely seriously and appreciate the opportunity to work with you.”

After 404 Media’s investigations Flock removed a number of states from its national lookup tool. In July, Senator Ron Wyden of Oregon announced an agreement by Flock to block any out-of-state police searches related to abortion or immigration.

This article was produced with support from WIRED.

A couple of years ago, a curious, then-16-year-old hacker named Reynaldo Vasquez-Garcia was on his laptop at his Portland-area high school, seeing what computer systems he could connect to via the Wifi—“using the school network as a lab,” as he puts it—when he spotted a handful of mysterious devices with the identifier “IPVideo Corporation.”

After a closer look and some googling, Garcia figured out that a company by that name was a subsidiary of Motorola, and the devices he’d found in his school seemed to be something called the Halo 3C, a “smart” smoke and vape detection gadget. “They look just like smoke detectors, but they have a whole bunch of features like sensors and stuff,” Garcia says. 

As he read more, he was intrigued to learn that the Halo 3C goes beyond detecting smoke and vaping—including a distinct feature for discerning THC vaping in particular. It also has a microphone for listening out for “aggression,” gunshots, and keywords such as someone calling for help, a feature that to Vasquez-Garcia immediately raised concerns of more intrusive surveillance.

A researcher has found that more than 130,000 conversations with AI chatbots including Claude, Grok, ChatGPT, and others are discoverable on the Internet Archive, highlighting how peoples’ interactions with LLMs may be publicly archived if users are not careful with the sharing settings they may enable.

The news follows earlier findings that Google was indexing ChatGPT conversations that users had set to share, despite potentially not understanding that these chats were now viewable by anyone, and not just those they intended to share the chats with. OpenAI had also not taken steps to ensure these conversations could be indexed by Google.

Immigration and Customs Enforcement (ICE) is looking to buy iris scanning technology that its manufacturer says can identify known persons “in seconds from virtually anywhere,” according to newly published procurement documents.

Originally designed to be used by sheriff departments to identify inmates or other known persons, ICE is now likely buying the technology specifically for its Enforcement and Removal Operations (ERO) section, which focuses on deportations.

“This one-of-a-kind system allows sheriffs and other law enforcement agencies to quickly authenticate the identity of the person in their custody and provides record information from other jurisdictions across the country once the offender is registered in the system,” a brochure for one of the technology products, called the Mobile Offender Recognition & Identification System, or MORIS, reads. The procurement documents say ICE is also seeking to buy access to the Inmate Recognition & Identification System, or I.R.I.S., and marketing material available online says the two work in tandem with one another. I.R.I.S. claims to be the “only national, web-based iris biometric network” in that material.

Both products are made by BI2 Technologies, a company based in Massachusetts.

On Wednesday ICE posted an announcement saying it intended to award a sole source purchase order to BI2 for licenses to both I.R.I.S and MORIS. According to BI2 marketing material, MORIS is available on Apple and Android devices. That material says it can identify an offender already enrolled in a national database.

“The Inmate Identification and Recognition System (I.R.I.S.™) positively identifies offenders using the most anatomically unique biometric—the iris,” a page on BI2’s website reads. It says that Sheriff’s Offices have been using I.R.I.S for making arrests, inmate intaking and booking, releasing inmates, and authenticating an individual. “At the root of iris recognition’s accuracy is the data-richness of the iris itself. The I.R.I.S.™ system captures over 265 points of unique characteristics in formulating its algorithmic template,” the website adds.

BI2’s system connects to multiple databases according to previous media reports, including the Sex Offender Registry and Identification System, Child Project, Senior Safety Net (a registry used to identify enrolled seniors who may be lost due to dementia) and I.R.I.S. itself. 

In a 2017 press release, Sean G. Mullin, president of BI2 Technologies, said the company’s technology “will provide each Sheriff with immediate access to national, state and local criminal justice and law enforcement databases. This will enable Sheriff’s staff to positively identify previously enrolled individuals in seconds, regardless of the often fraudulent identity presented.”

Initially, this appeared to be BI2’s first contract with ICE, according to federal procurement databases. An ICE source also said they had never heard of ICE working with BI2. 404 Media granted the source anonymity because they weren’t permitted to speak to the press. DHS then said ICE has worked with the company before.

“U.S. Immigration and Customs Enforcement (ICE) utilizes technologies like MORIS and IRIS. ICE has previously contracted with BI2 Technologies,” DHS Assistant Secretary Tricia McLaughlin said in a statement.

404 Media previously reported on Mobile Fortify, a new ICE facial recognition app that officials can install on their work issued phones which queries a wealth of state and federal databases at once to reveal someone’s identity and whether they had been marked for deportation. That included images collected by Customs and Border Protection (CBP) when people enter or exit the United States.

Update: This piece has been updated to include a statement from DHS.

We start this week with Joseph’s story about nearly 100,000 ChatGPT conversations being indexed by Google. There’s some sensitive stuff in there. After the break, Emanuel tells us about Wikipedia’s new way of dealing with AI slop. In the subscribers-only section, Sam explains how we got to where we are with Steam and Itch.io; that history goes way back.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

• Nearly 100,000 ChatGPT Conversations Were Searchable on Google
• Wikipedia Editors Adopt ‘Speedy Deletion’ Policy for AI Slop Articles
• The Anti-Porn Crusade That Censored Steam and Itch.io Started 30 Years Ago

Immigration and Customs Enforcement (ICE) is urgently looking for a company to help it “dominate” digital media channels with advertisements in an attempt to recruit 14,050 more personnel, according to U.S. government contracting records reviewed by 404 Media. The move, which ICE wants to touch everything from social media ads to those played on popular streaming services like Hulu and HBO Max, is especially targeted towards Gen Z, according to the documents.

The push for recruitment advertising is the latest sign that ICE is trying to aggressively expand after receiving a new budget allocation of tens of billions of dollars, and comes alongside the agency building a nationwide network of migrant tent camps. If the recruitment drive is successful, it would nearly double ICE’s number of personnel.

“ICE has an immediate need to begin recruitment efforts and requires specialized commercial advertising experience, established infrastructure, and qualified personnel to activate without delay,” the request for information (RFI) posted online reads. An RFI is often the first step in the government purchasing technology or services, in which it asks relevant companies to submit details on what they can offer the agency and for how much. The RFI adds “This effort ties to a broader national launch and awareness saturation initiative aimed at dominating both digital and traditional media channels with urgent, compelling recruitment messages.”

A researcher has scraped nearly 100,000 conversations from ChatGPT that users had set to share publicly and Google then indexed, creating a snapshot of all the sorts of things people are using OpenAI’s chatbot for, and inadvertently exposing. 404 Media’s testing has found the dataset includes everything from the sensitive to the benign: alleged texts of non-disclosure agreements, discussions of confidential contracts, people trying to use ChatGPT to understand their relationship issues, and lots of people asking ChatGPT to write LinkedIn posts.

We start this week with Emanuel’s and Joseph’s coverage of Tea, a women’s dating safety app that was breached multiple times. After the break, Sam and Emanuel talk about how a new UK law about age verification is impacting peoples’ ability to see footage about current events. In the subscribers-only section, Jason explains that LeBron James is not in fact pregnant.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

• Women Dating Safety App 'Tea' Breached, Users' IDs Posted to 4chan
• A Second Tea Breach Reveals Users’ DMs About Abortions and Cheating
• UK Users Need to Post Selfie or Photo ID to View Reddit's r/IsraelCrimes, r/UkraineWarFootage
• LeBron James' Lawyers Send Cease-and-Desist to AI Company Making Pregnant Videos of Him

A user of women’s dating safety app Tea has filed a class action lawsuit after the app repeatedly exposed users’ sensitive data, including selfies, photographs of IDs, and more than a million direct messages sent by users. Both data breaches were first revealed by 404 Media.

The plaintiff, California resident Griselda Reyes, “seeks to hold the Defendant responsible for the harms it caused and will continue to cause” her and “thousands of other similarity situated persons in the massive and preventable cyberattack,” the lawsuit reads.

Tea, the viral women’s dating safety app, has turned off direct messages after 404 Media revealed that a vulnerability allowed unauthorized parties to gain access to users’ direct messages, including many in which women discussed their abortions, cheating partners, and phone numbers they sent to one another.

Kasra Rahjerdi, the independent security researcher who first flagged the issue to 404 Media, shared a cache of more than a million Tea direct messages that 404 Media then verified. He said the security issue lasted until late last week. Tea announced late Monday it was turning off direct messages altogether.