You can’t hand residents’ data to a company that won’t let you hold it.
A government can promise to protect your data only as far as it actually controls that data. In both the Bend proposal and the Deschutes County contract, it does not: the vendor holds the encryption keys, is the named data controller for operational metadata, can amend the terms unilaterally on notice, and is a US company reachable by federal process.
Short version
In both the Bend proposal and the Deschutes County contract, citizen data lives in Axon’s cloud, under Axon’s keys, governed by terms Axon can change on notice — sold by one of the largest federal public-safety contractors in the country. The government that collects the data does not control the data. That is the core defect, and it is identical for the city and the county.
Oregon’s CISO testified in writing (Feb 14 2026) that law-enforcement subscribers "do not retain encryption keys to their own data."
Axon’s own CJIS guide: "Axon securely maintains PKI encryption keys for Axon Cloud Services" — there is no customer-managed-key option in the standard offering.
Contract Exhibit B designates Axon (not the agency) as Data Controller for operational metadata.
Axon may amend the data-processing agreement and sub-processor list unilaterally, on notice; the sub-processor list includes Azure, AWS, and — notably — Flock Safety.
Axon will notify the customer of a government data request only "if permitted" — a carve-out a gag order removes.
As a US key-holder, Axon is reachable by US legal process (subpoena, Stored Communications Act order, National Security Letter, CLOUD Act) regardless of where the data physically sits.
279 federal-immigration-related queries hit Bend’s Flock data in ~3 weeks (June 2025) via a default-on sharing setting the department didn’t know was open.
Rural Organizing Project v. Oregon State Police (filed May 5 2026): ~1.4M federal immigration queries of OSP/LEDS/NLETS data in a year; ICE alone ran 176,576 — despite a no-immigration-sharing clause OSP re-signed.
Axon’s AI Ethics Board resigned en masse in June 2022 after the company overrode the board’s 8–4 vote on a Taser-equipped drone.
That same board warned Axon in 2019 that license-plate readers are "severely under-regulated" and should never be deployed without strict retention limits and a published policy first.
Decommissioned Axon body cameras were resold on eBay (2020) still holding unencrypted footage.
Dallas PD lost thousands of videos to Axon retention/auto-deletion settings (2022–23).
Axon’s "Draft One" AI report-writer deletes its own original draft "by design," defeating the audit trail.
Federal spending records show ~$147M in obligated DHS prime-contract dollars to Axon since FY2008 — ~$40M from ICE, ~$85M from CBP — with ICE obligations reaching $13.1M in FY2025.
Axon’s certifications are real: AES-256 at rest, FedRAMP High for its federal boundary, annual SOC 2 Type 2. The track record is where citizen data has actually leaked.
What officials should answer
No local government should store residents’ data in a system where the vendor holds the encryption keys and can change the data-handling terms on notice. Before any camera contract is approved or expanded, require in writing:
- 01Who holds the encryption keys.
- 02Who is the data controller for every category of data and metadata.
- 03A bar on unilateral changes to the sub-processor list without the agency’s express consent.
- 04A written commitment that the agency will be notified of any government data request, with the "if permitted" carve-out removed to the fullest extent the law allows.
The other two
The contract passed — but ALPR isn’t activated. There’s still time to be heard.
The Bend ALPR expansion is still only proposed, and the County hasn’t switched plate-reading on. A short, sourced email to the Bend Council and the County Commissioners is the single highest-leverage action you can take this week.