Biometrics watchdog calls for public space surveillance review


The government must conduct a review of public space surveillance in the UK, according to biometrics and surveillance camera watchdog, after police and local authorities were unable to answer questions about the number of Chinese-owned camera systems deployed.

In his first annual report covering his dual function – which was delivered to home secretary Suella Braverman in November 2022 and laid before Parliament on 9 February 2023 – Fraser Sampson, the biometrics and surveillance camera commissioner of England and Wales, highlighted the purchase of facial-recognition technology from Chinese firms such as Hikvision and Dahua by UK police and local authorities as a national security risk, given the number of sensitive sites the equipment was being installed in.

In that report, Sampson noted the role of those companies in surveilling Uyghur Muslims in China’s Northern Xin Jiang province, and has separately expressed concern about the country’s National Intelligence Law, which allows the government to force any firm headquartered there to hand over its data.

Given these concerns, Sampson conducted a survey of police and local authorities towards the end of 2022 to gain a better understanding of how many cameras they had purchased and deployed from Chinese surveillance firms.

Speaking with Computer Weekly, Sampson said most of the public bodies he recently surveyed were completely unaware of how many cameras they have deployed from firms such as Hikvision and Dahua, despite the “ethical and data security” risks.

He added that the issue was not confined to police and local authorities, and that he is aware of similar systems being deployed in universities, hospitals and airports.

“There are a number of very experienced and thoughtful individuals and bodies that have said we need a national review of public space surveillance, so we can at least understand the size and extent of the problem,” he said.

“I did my survey…to see how far policing and local authorities at least have an answer to that question. I’ve now realised that they know less than I gave them credit for, in which case I’m now saying we need a review of public space surveillance.”

However, Sampson’s office has no powers of intervention, meaning he is unable to order an official review into the extent of the technology’s deployment himself.

Following a meeting with policing minister Chris Philp – in which Sampson said, “I found some support” – Sampson has now written to Jeremy Quin, paymaster general and minister for the Cabinet Office, to formally call for a review.

Sampson wrote: “I…am of the view that a review is needed, if only to answer the question being asked of us on a daily basis: ‘Just how many of these cameras are pointed at us?’ 

“Having had the benefit of a meeting to discuss these issues in the context of their impact on critical national infrastructure and national security with the security minister last year, I now believe the need for a review is supported by the evidenced risks, and the policing minister agreed that I would seek an early meeting with you to discuss how such a review might be taken forward.”

Computer Weekly contacted both the Cabinet Office and the Home Office about Sampson’s call for a review, and asked the latter about his meeting with Philp, but received no response by time of publication.

Sampson said that, of all those he’s spoken to throughout government and the public sector, nobody has been able to explain how Hikvision and Dahua cameras got in to public spaces and sensitive sites.

“I find it extraordinary, really, that in some areas it’s been seen simply as a facilities management issue, like who’s got the contract to clean the windows,” he said.

“In fact, you’re probably more careful about who cleaned the windows because they might look in and read what’s on your screen. But the ability of the cameras that you’ve put in as part of your facilities management contract would suggest that you ought to have taken at least the same degree of care over who might be looking over your shoulder.

“Just securing the site itself and the on-site cameras isn’t really closing off all the risk if somebody else is able to watch everyone coming and going.”

Not a country of origin issue

However, Sampson stressed that his position on the matter is not a country of origin issue: “It is not because they’re Chinese…this is not about it being headquartered in Hong Kong, Shanghai or anywhere else, because the same issues ought to apply, and the same demands for assurance ought to apply, irrespective of the of the brand and the country of origin.

“If people genuinely think that only the Chinese have got the ability to demand big datasets where it’s in the interest of their government to do so, then they haven’t really understood this area at all…I can’t think of a single functioning nation that wouldn’t have given itself the ability to go through a large corporate organisation for information that it felt was relevant to his national interests.”

Speaking about the proliferation of US cloud providers throughout the UK’s criminal justice system, which are subject to similar surveillance laws that would force them to hand over data to the American government, Sampson added the same standards should be applied across the board to public sector technology procurements: “Do you really think the Americans can’t go and demand this data if they want it for national security? Do you think we can’t? Of course we can.”

However, he noted that presentation-wise, “I can see why it’d be much harder to persuade people that these are real questions [around US companies] because we’re all friends and we use each other’s branded products every second, and therefore why would we?”

He further added: “I would imagine the Chinese are raising this all the time internally and saying that, ‘This is just because it’s us’. I’m really keen to make sure it isn’t seen as from my perspective as just that because it isn’t, I’ve never badged it as being a country of origin issue, it’s a principles issue.”

In June 2023, it was reported that the Cabinet Office will tell central government departments to remove all surveillance equipment made by Chinese companies from sensitive sites in an attempt to limit potential intelligence-gathering by Beijing.

This follows on from the Cabinet Office telling departments to stop installing surveillance cameras made by companies subject to China’s National Intelligence Law in November 2022.

“The Chinese government has always encouraged Chinese companies to conduct international investment and cooperation in accordance with market principles, international rules and local laws,” said a spokesperson for the Chinese embassy in Britain at the time.

“We urge the UK side to stop political manipulation and provide a fair, just and non-discriminatory environment for the normal operation of Chinese companies in the UK.”

Hikvision itself added: “We believe that the possible action by the UK government is a further step up of the mounting geopolitical tensions being expressed through technology bans, which by no means relates to the security of Hikvision’s products.”

In response to a BBC Panorama investigation aired on 6 June 2023, which claimed its cameras could be easily hacked to provide remote access, Hikvision said the vulnerability exploited was identified and patched in 2017, one week after it was discovered.

“The BBC repeatedly refused to clarify the following: which camera model and serial number would be used, what version of firmware was installed, whether the camera included was UK firmware, whether the camera would be tested on a closed circuit or connected to a network, how any network would be secured, if the hack would include port forwarding, if the camera was still being sold in the UK, and how the camera was obtained,” it said.

Hikvision has also previously claimed that it “cannot transmit data from end users to third parties, we do not manage end user databases, nor do we sell cloud storage in the UK.”

Computer Weekly asked the Cabinet Office and the Home Office whether they would support a review of technology procured from companies subject to similar surveillance laws in other countries, such as the US, but received no response by time of publication.



Source link