D001 Thesis - Arkansas Surveillance Wiki

# D001 — Thesis: The 1,384-Org Topology Is a Policy Failure ## Claim The Conway Police Department had — and has — every governance lever required to prevent the 1,384-relationship sharing topology that the [[SharedNetworks 2025-12-17 Snapshot|2025-12-17 SharedNetworks export]] documents. The governing local rule, [[CPD Policy 800-32 — License Plate Reader Vehicle Operations|CPD Policy 800-32]] R3 (1/18/2023, signed by Chief [[William Tapley]]), states the rule for outbound LPR data sharing in a sentence whose plain reading reaches every act of sharing the agency authorizes, including the upstream configuration decisions that license thousands of downstream queries. The agency chose not to apply that rule. The result is a governance failure attributable to Conway PD — to the chief who carries final authority over agency policy and to the Flock administrator who configured the relationships — and not to the vendor, whose product offers the menu of options the agency was responsible for narrowing. The remedy is **configuration discipline and policy enforcement**, not product redesign. To frame this as a product-design problem is to relocate accountability away from the regulated party who actually had it. ## Argument CPD 800-32 §D.4 is the governing local rule for the question, and its text is general enough — and forceful enough — to attach to the moment of platform-level configuration, not only to the moment of an individual sharing transaction. The provision reads: "LPR Data captured by the department's LPRs **may be shared** with other law enforcement agencies **if evidence of an offense is indicated**" (verbatim, Tier-1; see Evidence below). The verb is permissive ("may"), the condition is restrictive ("if evidence of an offense is indicated"), and the unit of analysis is each act of sharing. Nothing in §D.4 narrows the standard to per-event releases. The platform-level act of configuring a standing sharing relationship with a foreign sheriff's office is itself an act of authorizing LPR data to flow to that agency — every subsequent query against that relationship is an exercise of the configuration permission the administrator created. The policy's evidentiary condition therefore attaches to the configuration moment with the same force it attaches to a one-off release. The administrator could have asked, of each of the 1,384 candidate relationships, whether evidence of an offense was indicated by the counterparty's hot list or operational profile that justified the standing pipe. The administrator did not. The 1,384 relationships exist because the agency's own governing standard was never applied to the configuration moment that produced them. The configuration was a **human decision**, performed in a platform admin interface, by an identifiable Conway PD administrator. The corpus's headers scan identifies [[Lt. Andrew Burningham]] as the agency's Flock administrator and as the addressee on the bulk of platform correspondence — 330 of 389 messages in `PD-2026-354` ([[Conway Police Department]]). The platform did not configure itself. Each of the 1,384 relationships exists because a human with administrative credentials in Conway's Flock tenant — most likely Burningham, working under the chain of command that runs through Chief [[Chris Harris]] and that traces back through the policy regime [[William Tapley]] signed — either affirmatively toggled the relationship on, or left a default state in place that the same person was equally empowered to change. Either way, the configuration is the agency's. To say "the product was set that way out of the box" would be to confuse the inheritance of a default with the assumption of responsibility for it — and as a matter of policy doctrine, the moment an administrator with credentials acquires the capacity to change a setting, the setting becomes that administrator's act regardless of how it got there. The vendor's own framing concedes the point. The Flock-supplied August 2025 explainer to Burningham states explicitly that **"you are responsible for knowing your agency's laws and policies"** ([[T001 - Default-On Sharing Policy or Product Design]] §Statement A, citing the Flock SVP correspondence). Even the regulated counterparty disclaims the proposition that the vendor sets the governance posture — the agency does. CPD 800-32 §D.4 is the governance posture for Conway. The vendor offered Conway a menu; Conway was responsible for selecting from it in conformity with §D.4. Conway selected, by action or by acquiescence, an extraordinarily wide configuration. That selection is what the wiki should hold accountable, because that selection is what the agency had the authority to control. The asymmetric structure of the 1,384 relationships — 471 inbound-only and 427 outbound-only, per the [[SharedNetworks 2025-12-17 Snapshot]] — does not rescue the product-design reading; it indicts the configuration-discipline reading further. Asymmetric configurations are exactly what a per-relationship review would have surfaced and resolved, in either direction: either the asymmetry was deliberate (in which case Conway intended it and is accountable for the intent) or the asymmetry was inherited from defaults the administrator never reviewed (in which case Conway is accountable for the non-review). Both paths land in the same place: agency administrators with the authority to apply §D.4 to each relationship did not do so, and the resulting topology is the residue of that non-application. The presence in the network of counterparties like a federal Air Force base relationship with **no recorded activity** in the corpus window ([[SharedNetworks 2025-12-17 Snapshot]]) is decisive — a relationship that has never been used cannot satisfy §D.4's "evidence of an offense is indicated" standard on any reading. The relationship exists because nobody asked the §D.4 question of it. The remedy follows from the diagnosis. If the failure is in configuration discipline, the fix is the agency tightening its own administration of the policy it already has. Conway PD has the policy authority. Conway PD has the policy text. Conway PD has the chain of command — chief signs the policy, lieutenant configures the platform, both report up to a mayor who appoints the chief. None of that machinery requires vendor cooperation. Internal guidance applying §D.4 to platform configuration could be issued tomorrow as a directive from Chief Harris; a written approval workflow for adding sharing relationships could be implemented inside the agency without touching the product; the LPR supervisor's semi-annual report ([[CPD Policy 800-32 — License Plate Reader Vehicle Operations]] §D.2) could be amended to enumerate active sharing relationships and the offense-indication basis for each. None of these reforms requires Flock to redesign anything. All of them are within Conway's unilateral authority and consistent with the policy structure the agency has already adopted. The reason the topology is what it is is that the agency has not chosen to deploy these levers, not that the vendor's product makes their deployment impossible. To frame the question as one of **product design** is to advance an account in which the agency is essentially passive — a recipient of the vendor's defaults, an inheritor of the platform's affordances, a body whose only governance move would be to bargain for product changes. That account misrepresents the structure of agency authority. The agency is the regulated party under its own policy. The agency's chief signed the policy. The agency's lieutenant configured the platform. The agency holds the personnel records and the internal-directive authority and the chain-of-command supervision and the policy-revision authority and the operational reporting requirements. The vendor holds none of those things. To displace responsibility from the entity that holds every accountability lever onto the entity that holds none of them is an analytic move that does the agency's work for it. The thesis here is the opposite move: the entity with the authority is the entity with the responsibility, and Conway PD has had both. ## Evidence The load-bearing Tier-1 anchor is the verbatim text of CPD Policy 800-32 §D.4, attached to the 2025-01-23 Welcome-to-Flock onboarding email Burningham sent to Flock's Melissa Lee. The policy attachment is reproduced in full inside the raw extracted email file: > "LPR Data captured by the department's LPRs may be shared with other law enforcement agencies if evidence of an offense is indicated." > > — CPD Policy 800-32 R3 (1/18/2023), §D ("LPR Data"), paragraph 4. Source: `D:\arkansas-surveillance\extracted\conway-pd\PD-2026-354\AR - Conway PD - Welcome to Flock!.txt`, lines 257–259 (extracted text), page 3 of 4 of the embedded policy PDF. Concept anchor: [[CPD Policy 800-32 — License Plate Reader Vehicle Operations]] §Key operational rules → Section D. The standard's plain reading does not narrow the term "sharing" to per-event releases; it attaches to any act by which "LPR Data captured by the department's LPRs" comes to be available to other law enforcement agencies. Configuration of a standing sharing relationship is the act that makes the data so available; the standard reaches it. Two additional Tier-1 anchors from the same policy attachment reinforce the configuration-discipline reading: > "LPR data maintained on the LPR servers will be accessed for criminal justice reasons only, by those members authorized by the Chief of Police, or his designee, and who have been issued a username and password for access. (41.3.9b)" > > — CPD Policy 800-32 R3, §D.3. Source: same raw file, lines 252–256. This is the **access-control regime**, and it locates control of who may touch LPR data at the chief's authorization level. The same chain-of-command authority that authorizes Conway personnel to query the data is the chain-of-command authority that authorizes 1,384 counterparty agencies to query it. The policy text does not put one inside the chief's purview and the other outside it. > "APPROVED / William Tapley / Chief of Police / CPD 800-32 / R3, 1/18/2023 / Page 4 of 4" > > — Policy signature page. Source: same raw file, lines 264–270. Concept anchor: [[William Tapley]]; the policy's standing is the chief's signature, and the policy regime it establishes is the agency's binding rule until and unless a successor chief revises it. The chief's signature on §D.4 is the doctrinal fact the thesis turns on: the agency chose, through its chief's express act, to commit itself to the "evidence of an offense" standard for outbound sharing. That commitment binds the agency's administrators, including the Flock administrator whose configuration choices populated the 1,384-org topology. The identifying anchor for the configuring administrator is the headers-scan finding that [[Lt. Andrew Burningham]] is on `From:`/`To:`/`Cc:`/`Bcc:` in 330 of 389 production emails, including the full Flock administration and onboarding correspondence chains, with administrator-pole platform privileges ([[Lt. Andrew Burningham]] §Appearances in the corpus). The two-hop evidence chain (chief signs §D.4 → administrator configures the platform inside that policy regime) is anchored Tier-1 throughout. ## Anticipated counterarguments The thesis acknowledges, without engaging, several obvious counters. The first is the **literal-reading objection**: that §D.4 contemplates a per-event sharing decision (an officer deciding whether to release a specific record to a specific counterparty agency in response to a specific request), and that to extend that standard to platform-level configuration is to read into the policy a requirement its drafters did not have in view. Conway's policy in 2013 was written for a pre-cloud architecture (the policy text references "the department's computer servers"), and reading "share" as reaching standing inter-agency network relationships imports a meaning the drafters could not have anticipated. The thesis acknowledges this is an argument; it does not refute it here. The second is the **product-imposed default objection**: that the Flock product's default state when an administrator does not narrow it is some form of sharing, that "Don't share at all" is one option among five in the vendor's own configuration menu, and that the path of least resistance through the admin interface produces wide sharing even when the configuring administrator does not affirmatively select it. On this view, a policy that operates at the per-event level cannot reach back through a product whose unit of action is the standing toggle, and the gap is structural rather than disciplinary. The thesis acknowledges this is an argument; it does not refute it here. The third is the **scale-and-cognition objection**: that no human administrator can apply a per-relationship offense-indication test 1,384 times with the diligence required to make the test meaningful, that the volume of sharing relationships exceeds the cognitive scale at which a per-event policy can govern, and that this scale mismatch is itself a property of the product rather than of the administrator. The thesis acknowledges this is an argument; it does not refute it here. The antithesis will engage these counters directly. The synthesis will need to reconcile them with the policy-failure account this thesis advances.