The UK is one of the most watched nations in the world. Our research suggests there are up to eight million CCTV cameras installed, while others suggesting that there is least one camera for every ten people. Together they collect many petabytes (a petabyte is equal to 1,000,000 gigabytes) of data every single hour, all of which is subject to the GDPR.
This would have been less significant for CCTV users if the GDPR had come into force a few years, ago, when we were still in the era of analogue CCTV cameras trained on the high street, commercial premises or blocks of flats and piping footage to a control room or a fixed recording device. However, the new regulations have coincided with significant changes in CCTV technology, bringing new possibilities but also significant new privacy and data protection risks.
Expensive legacy systems will not disappear overnight, but Internet Protocol (IP) based CCTV systems which send and receive data via computer networks and the Internet and back up output to local or cloud connected storage are fast replacing them. Some can live stream output for off-site monitoring, be configured to record or stream on varying environmental triggers (such as motion detection) and send targeted outputs to particular recipients or mobile devices. This mix of capabilities is already leading to exciting new applications for visual data.
This connectivity, of course, makes cameras more vulnerable to unauthorised access and use. Attacks may take several forms, including: unauthorised access to output; the ability to disable cameras remotely; the co-option of cameras into ‘botnets’, which are then used for distributed denial of service attacks; and the compromise, via the cameras, of computer systems into which they are connected. The first and last pose particular risks of data protection and privacy breaches and hence non-compliance with the GDPR.
An expectation of evergreening accountability
The GDPR requires organisations to be much more accountable for the security of the data they collect. Anyone using IP based CCTV, whether installing a new system or upgrading an old system, will be expected to have identified security risks, including those discussed above, and have clearly identified how they will be addressed. For example, using CCTV for large scale, systematic monitoring of public areas, schools or workplaces will require a PIA (Privacy Impact Assessment) which addresses the particular vulnerabilities of IP cameras. The risk assessment might even rule out their use altogether.
The assessment of risk is not a one-off activity. New vulnerabilities in CCTV cameras are being discovered all the time. Just this month Chinese surveillance camera maker Xiongmai was named and shamed by researchers for poor security, and independent research we commissioned found major vulnerabilities in a wide range of cameras. As a result, we can expect that the regulators’ default expectation will be for organisations to carry out an ongoing risk review – in other words, the ‘evergreening’ of accountability.
Security regulations for IP products, including cameras, are on the way. The UK government has just published a Code of Practice, which offers reassurance but is not enough to guarantee security. I would like to see some kind of government lab or initiative to test products, and the information produced should be put into the public domain to help purchasers make informed choices. We also need to ensure that the Code is internationally recognised, as many IoT products sold in the UK are manufactured elsewhere. In the interim, it is up to users to assess the products and systems they use.
If their CCTV system stores data in the cloud, users also need to consider where that data is being held and processed, as data processing outside the EU increases risk factors and legal complexity.
A detailed discussion of the requirements to ensure that CCTV is GDPR compliant by Andrew Charlesworth, Professor of Law, Innovation & Society at the University of Bristol, can be found in the paper Watching the Watchers.
IP cameras offer many new possibilities
The good news is that IoT based CCTV offers significant opportunities to users. Systems are available which offer compliance friendly technologies that reduce operational overheads. For example, they can provide selective and secured online access to certain types of CCTV output by particular employees for specified purposes (audited and granular access). As well as making footage instantly available to authorised personnel from any location, it can be accurately time stamped, making it much more useful for crime prevention and investigation. This also makes it easier to access recordings in order to comply with a subject access request, and hence to delete them if required.
Such systems are already being used by housing associations, saving both time and money by making it easier to review potential issues and manage maintenance. They are also helping care homes to monitor patients (with appropriate permissions), providing protection and reassurance to patients, their families and staff.
Some systems have the ability to blank out or redact sensitive areas that should not be recorded, such as a school which may be in the background of a camera covering another building. Other features include the ability to stop unwanted motion triggering a camera, such as traffic on a main road in front of a building – ensuring the camera only captures relevant material and avoiding continuous recording, another potential GDPR concern, as this could be deemed excessive.
Taking responsibility for IoT security to ensure GDPR compliance
At present, it is up to users to choose and use IoT based CCTV systems wisely to ensure cyber security and GDPR compliance. Some problems can be prevented by understanding how risks arise and taking simple security precautions, such as ensuring that usernames and passwords are of a sufficient strength to prevent immediate access. Users should comply with the recommendations of the Information Commissioner’s Office and the Surveillance Camera Commissioner by ensuring that all CCTV data is encrypted when in transit and when it is being stored.
In the medium term, organisations that use old IoT cameras or those not manufactured in the UK should review their CCTV security and consider whether to retrofit secure adapters or indeed to replace their existing CCTV with a more secure system. Without this, they run the risk of both data theft and a significant fine for non-compliance with GDPR. With the first GDPR fines due to be announced by the end of the year, CCTV users should take action now.
By James Wickes, Chief Executive, Cloudview
European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.