Orwellian state of security - CCTV

The BBC reports that there are approximately 4.2 million CCTV cameras in operation in Britain
The BBC reports that there are approximately 4.2 million CCTV cameras in operation in Britain
CCTV should only be deployed in areas consdiered private if circumstances are exceptional
CCTV should only be deployed in areas consdiered private if circumstances are exceptional
Martin Tweedie, Mirasys UK
Martin Tweedie, Mirasys UK
Mike Lewis, Mobotix
Mike Lewis, Mobotix

You will be captured on camera several times a day. There will be CCTV cameras near your home, on the public transport you use, and likely at your place of work. If these systems were linked up, someone could monitor your every move. Is this reassuring, or is it an intrusion of privacy and downright scary?

There does not seem to be an exact figure on how many CCTV cameras are in operation in Britain. The BBC has reported that there are around 4.2 million, or one for every 14 inhabitants, whilst consultancy company IMS Research reckons that the figure is closer to 3.2 million.

In connection with the release of the report on the Surveillance Society by the Surveillance Studies Network in 2006, co-author Dr David Murakami-Wood told the BBC that the UK is the most surveilled of industrialised Western states: “We have more CCTV cameras and we have looser laws on privacy and data protection.”

So what are the rules and who enforces them?

The rules

The Information Commissioner’s Office (ICO) has issued a CCTV Code of Practice. The code offers advice for those operating CCTV and covers other information derived from images relating to individuals. Such information is covered by the Data Protection Act 1998 (DPA).

The use of CCTV by organisations or businesses is covered by the DPA. However, the use of cameras for ‘limited household purposes’ is exempt, even if an anti-burglar CCTV system overlooks a street or other areas near the home.

When operated by or on behalf of a public authority, human rights issues come into play: Article 8 of the European Convention on Human Rights, for example – the right to respect private and family life.

The ICO offers a list of questions to determine whether CCTV is appropriate. If so, there are a range of issues to take into consideration.

It is important to establish who has responsibility for the control of the images: What is going to be recorded? How should images be used, and to whom can they be disclosed? Whoever is appointed data controller is legally responsible for compliance with the Data Protection Act.

When it comes to positioning, the ICO says cameras should not be set to view areas that are not of interest and “are not intended to be the subject of surveillance, such as individuals’ private property”. If CCTV is used in areas where people are particularly concerned about privacy, such as in changing rooms or toilet areas, this should only be in exceptional circumstances, and people should be made aware.

Recordings should only be viewed in restricted access areas, and when recording in places where people expect privacy, images should only be viewed by authorised persons.

The ICO does not set out a time frame for how long images should be kept, but says that “retention should reflect the organisation’s own purposes for recording images.” In general, the ICO recommends that this period should be as short as possible unless needed by law enforcement agencies.

The ICO code concludes that operators are responsible for ensuring that:

  • CCTV systems continue to comply with the DPA
  • Staff using CCTV systems or images should be trained to comply with the code
  • All images must be protected sufficiently
  • There should be periodic reviews – at least annually – of the system’s effectiveness, to ensure that it is still doing what it was intended to do.

Home Office report questions efficacy

In 2005, the UK Home Office conducted a study, ‘Assessing the Impact of CCTV’, on the use and efficacy of CCTV. Thirteen CCTV projects were evaluated in various contexts, including town centres, city centres, car parks, hospitals and residential areas. The objective was to measure the impact of the projects on crime and fear of crime.

"It's down to the hierarchy of the management of whoever it is that's installed it [CCTV] to make sure that they stick to certain guidelines and methods of working."
Mike Lewis

All the systems had broad objectives on lowering crime, but only six showed a relatively substantial reduction in crime in the target area. Only two showed a statistically significant reduction. Crime increased in seven areas.

Despite this, the Home Office report found that “the level of support of CCTV remained high, at over 70% of the sample in all but one area.” Furthermore, “concerns regarding the implication for civil liberties decreased slightly following the implementation of CCTV.”

People worried less about becoming victims of crime after installation of CCTV, though the results were only statistically significant in three areas. Overall feelings of safety increased, but again not enough to be statistically significant.

Premeditated crime, such as car theft, was more likely to be reduced by CCTV than impulsive (e.g. alcohol related) crime. CCTV was more effective on sites with limited and controlled entrances and exits.

The Home Office noted that many of the projects did not have clear objectives, and that systems had often been installed without checking whether CCTV was the best solution. Project management was also a problem. Many owners did not have the technical expertise, and some systems failed to engage properly with end-users, such as the police. In six cases, control rooms were not staffed 24/7.

Nevertheless, the Home Office argues that CCTV is not necessarily without effect, referring to CCTV evidence used in individual cases. Furthermore, the report remarks that where CCTV fails, it is often down to human error. “Systems have to be monitored properly, and recordings made and stored properly.”

However, the Home Office concludes: “Assessed on the evidence presented in this report, CCTV cannot be deemed a success.”

The vendors’ view

Mike Lewis, country manager for the UK & Ireland at German camera vendor Mobotix, says that their cameras can send images directly to a storage drive without needing to go via software on a computer. The cameras support various security protocols, and data is protected by existing network protection.

“You need to be confident that no one can just come along and view images, download images, and especially change images”, Lewis says. He agrees that any CCTV system is only as good as those operating it: “you need to understand the limitations of the people actually using it”.

"When recording in places where people expect privacy, images should only be viewed by authorised persons."

Last year, the Association of Chief Police Officers (ACPO) called for more CCTV training, and improved use of CCTV systems to make the interface between CCTV operators and police officers more seamless.

Despite the security in place with Mobotix cameras, Lewis admits that CCTV images can still be abused. “I think it’s down to the hierarchy of the management of whoever it is that’s installed it [CCTV] to make sure that they stick to certain guidelines and methods of working. But there’s always the opportunity there for people to abuse the systems.”

For a CCTV system to be accepted, it must be registered with the Data Protection Act, but Lewis remarks that for every organisation that registers, there are probably another five or six that don’t. He does not think that a national register for CCTV systems would be a bad thing, but does not believe public opinion is strong enough for it to appear on anyone’s radar just yet.

Martin Tweedie, technical director at security camera software vendor Mirasys UK, says data security is high with Mirasys’ systems. Amongst other measures, the firm uses password protection, and all passwords are encrypted when stored.

Mirasys supports storage for over a year, but Tweedie says storage requirements are different for different customers. “We can set schedules to delete the data or not retain data after a certain period of time, and basically the data gets overwritten on that cyclical basis.”

Asked about the possibility of retrieving deleted data, Tweedie says the data is completely deleted in a process involving several delete levels.

In contrast to the Home Office report, Tweedie does not think that CCTV “would be used so prevalently if it didn’t have significant effect and benefit. There’s a reason that people continue to invest … a lot of money in CCTV systems.”

He agrees, though, that CCTV for the sake of CCTV is not of benefit to anyone: “there need to be reasons for it to be implemented.”

He does not believe that CCTV infringes on a person’s civil liberties if they have nothing to hide: “I think the concept of a constant Big Brother watching you is absolutely a misrepresentation of what a CCTV system does. CCTV is almost entirely recorded and very rarely watched. No one is going to be monitoring anyone not doing anything out of the ordinary or criminal.”

Nothing to fear?

Wendy M. Grossman, member of the Advisory Council at interest organisation Privacy International, disagrees with the vendors’ favourable view, and is against the growth of mechanisms of surveillance.

“Today’s government is benign, but we don’t know what tomorrow’s will be – the infrastructure will be used by whoever comes along.”

She says that CCTV is ‘sold’ under the guise of stopping or solving crime, and in some cases they are successful in this – particularly when the cameras (ie; speed cameras) – are visible.

However, Grossmann fears that increasingly sophisticated CCTV technology could be used to monitor people. The example she sites is that police forces could track who attends protests and demonstrations.

People believe authorities’ claims that CCTV is for their own good, she suggests, even when there is no supporting evidence. She refers to a study conducted in Glasgow (see boxout), in which people believed CCTV made them safer and would reduce crime, even though, as in the Home Office report, the study found CCTV cameras to have had no significant impact on crime rates.

How are CCTV images stored and protected?

Mobotix cameras both record and analyse images before sending them for storage. The camera incorporates a high-speed computer and, in some cases, digital memory (an SD card) for long-term recording. A PC is only used for viewing.

The cameras record to a central hard disc system, but because the images have already been de-warped and analysed, no software is needed to store the images.

The storage device can be located separately from the camera – for example, in a secure communications room. The stored images are protected by whatever IP network protections are in place, although the CCTV system can also be set up on a completely separate network, inaccessible to the outside world.

The Mirasys technology on the other hand, can support both analogue and digital systems. Like most IT systems, Mirasys’ systems are protected by password protection, firewalls, etc. In addition to operating system-based restrictions put in place by the IT department of the user’s organisation, Mirasys supplies it own levels of encrypted password protection and data protection.

Mirasys says it encrypts all stored passwords, and that the system can only be accessed through a username and password.

The data structures of the Mirasys storage systems are complex, and a Mirasys developer would be needed to decipher them. Without Mirasys’ custom-built applications, it is practically impossible to recreate useable data, Tweedie told InfoSecurity.

Data on Mirasys’ systems is overwritten on a cyclical basis, and can be stored for up to a year, depending on the requirements of the customer. According to Tweedie, several delete levels ensure that no traces of data are left after an overwrite-cycle.

Quoting security specialist Bruce Schneier, Grossmann says: “There’s a difference between feeling safer and being safer.” If CCTV is there to make people feel safer, she argues, then CCTV has perhaps achieved something, but she questions how safe CCTV cameras are once in place.

She compares the CCTV situation to that of boiling a frog – if you do it slowly and gradually, the frog does not notice the water getting warmer. “If you sat down people in 1990 and asked if two million cameras was a good idea, they would probably have said ‘no’.”

In the paper CCTV Policy in the UK: Reconsidering the Evidence Base, published in Vol 6, No 1, 2009, of Surveillance & Society, the journal of the Surveillance Studies Network, William Webster, senior lecturer in public management, Department of Management, University of Stirling also criticises the blind faith people put in CCTV.

“If CCTV cannot be justified in terms of its impact on crime, then we have to ask important questions about the reasons for its introduction and ongoing provision.”

The proliferation of CCTV in the UK could be ascribed to the central government funding programmes established in the mid-1990s for CCTV. Under the CCTV Challenge Competition 1994-1999, £38.5 million of funding was made available to 585 schemes across the UK. Between 1999 and 2003 another £170 million was made available to 680 CCTV schemes under the Home Office funded Crime Reduction Programme and the CCTV Initiative. Several crime prevention programmes have also supplied funding for CCTV.

In the beginning, Webster says, the focus was on crime prevention and detection, before shifting to reducing antisocial and undesirable behaviour. After 9/11 and 7/7, the focus has moved again to national security and deterring terrorism.

Number plate, movement and facial recognition are now built into cameras, and previously disparate systems are being integrated and networked.

Despite the increase in functions and activities of CCTV, it has not, he concludes, been met by public debate. This, says Webster, is because “low levels of awareness about the realities of technologically enhanced surveillance remain.”

What’s Hot on Infosecurity Magazine?