What is the CCTV User Group position on the use of video surveillance cameras manufactured by five Chinese companies which have been accused of racial profiling and are also the subject of national security concerns because of their close links to the Chinese government? This is a question we have been asked by Members and the media alike, but rather than rush to comment , we wanted to put together a considered response on the issue.
First, it is useful to define scope. The conversation includes the use of CCTV cameras in all forms including body worn, in-vehicle, deployable and fixed site camera systems, traffic monitoring and enforcement cameras, ANPR, ‘fever’ detection, personal attribute identification and drones. Also included are OEMs and re-labellers of the included equipment and the use of components such as sensor chips (OEM stands for original equipment manufacturer and is often used to refer to companies which purchase products or components from one company and rebrand them as their own).
The five companies in question are:
Hangzhou Hikvision Digital Technology (Hikvision)
Use of equipment that originates from certain Chinese companies has now been banned in the US under the National Defense Authorization Act (NDAA). This act, signed in August 2018, prohibits the use of Dahua and Hikvision products and their OEMs by the US government, government-funded contracts and possibly even critical national infrastructure. Huawei was added later.
The US Federal Communications Commission (FCC) is also currently engaged in a process that could result in further restrictions against the use of equipment from these five companies.
There are two key concerns around these companies.
Ethics – racial profiling
There is substantial evidence that these companies have built racial profiling technology for the Chinese government based on algorithms that detect facial characteristics associated with the Uyghurs, an ethnic, mostly Muslim group who live in the Xinjiang region of China and have been the subject of suppression by the Chinese government.
This use of facial recognition technology has been widely reported. It was uncovered by reporters at IPVM but has been widely shared in mainstream media (including Reuters, the BBC, Daily Telegraph etc) around the world. https://ipvm.com/reports/hikvision-uyghur. While racial profiling technology is not used in the UK, in our view, use of systems from manufacturers who implement such technology which is capable of repressing selected groups carries with it ethical supply chain risks as well as reputational risks.
National security – cyberwarfare
The five companies are based in China and a number are part owned or controlled by the Chinese government. As China-based companies, they have a legal duty to share data with the Chinese state on demand. While there may not be any evidence of this occurring, it is a risk worth considering as if it occurs, it may place the end user in breach of UK/EU GDPR and Data Protection regulations.
In addition, concerns have been raised, because of the companies’ connection to the Chinese government, that there is potential for networked cameras to be used for gathering intelligence, providing cyber backdoors into networks or conducting cybercrime/cyberwarfare. The Chinese government is known to have an active cyber ops capability and they have been implicated in many breaches. https://en.wikipedia.org/wiki/Chinese_cyberwarfare
Networked CCTV cameras can be used not only against those who have installed them for an inward-facing attack, but can also be used as a platform for externally facing attacks such as distributed denial of service (DDoS) which could be traced back to the organisation hosting the devices, leading to reputational damage.
There have been warnings voiced by the UK’s National Cyber Security Centre (NCSC) — a branch of signals intelligence agency GCHQ — and MI5 which have both raised concerns about the risks presented by this technology.
It should be noted that the NDAA regulations also ban the use of Huawei Hisilicon chips in cameras (something the FCC is also considering) as these chips are also regarded as a security risk. There are a number of mainline CCTV manufacturers who use these chips in their camera designs.
Regulators around the world are taking an interest in Hikvision and other China-based manufacturers of surveillance and communications systems. In the US, the Federal Communications Commission (FCC) recently took the first step in banning the sale of CCTV cameras from five Chinese manufacturers. https://www.bloomberg.com/news/articles/2021-06-17/chinese-surveillance-cameras-targeted-by-fcc-on-security-worries
The decision, taken by unanimous vote of the the FCC on 16 June, is subject to review before a final vote, but in a further step, the FCC also indicated that it was considering revoking its previous authorisation for the companies’ equipment which would force US customers to replace existing CCTV systems. This follows a Congressional vote in 2018 which stopped federal agencies from using the Chinese-made equipment under the National Defense Authorization Act (NDAA).
Indeed in the US, the FCC is moving towards a total national ban on the supply, distribution and use of equipment from these five companies for all users. Consideration is currently underway to make the ban retrospective which if enacted, will require all existing installations to be removed. This has already taken place at the Federal level with the John McCain National Defense Authorization Act (NDAA) regulations requiring all existing systems to be removed from US Government financed organisations.
Similar conversations have taken place in the UK Parliament, although current legislation does not allow for such a directive.
The EU is taking a more active interest in the subject now, recently removing Hikvision cameras from the EU Parliament. https://ipvm.com/reports/hik-eu
Implications for purchasers in the UK
In the UK, we believe there is no current legally enforceable legislation that specifically bans the supply and use of equipment/systems manufactured by the five companies.
However, given moves by the US (and other countries) plus questions being asked by UK government and media, there is a risk that cameras and systems originating from certain Chinese companies will either be banned or become a reputational risk to organisations which use them.
So in our view, there are a number of risks associated with using equipment from the five Chinese companies subject to the FCC ban which can be summarised as:
Technical risk – the cameras could be used to compromise an organisation’s CCTV system or even, if there is a connection between them, the council’s main IT network. This can generally be managed through the use of Firewalls and even air gaps to prevent hostile command & control activity from external sources, but it remains a risk if the air gap is inadvertently compromised in the future. We have also heard from various sources that some UK Government Departments are actively stripping existing systems from their premises based on the cybersecurity risk.
Ethical risk – some of the companies are implicated in the suppression of ethnic groups in China. It is well documented that they have undertaken such activity, and the repression of the Uyghurs is a topic of global concern. This may present a challenge to an organisations’ ethics and supply chain policies.
Reputational/political risk – As we have seen in numerous media reports, there is growing awareness and concern over the use of Chinese surveillance products. There have been a small number of protests by residents outside of town halls regarding the use of equipment from manufacturers that are alleged to facilitate oppression of ethnic minorities.
Financial risk – Based on the current trajectory, it is possible that the use of these cameras and associated equipment may be banned at some point in the future, either by the UK government or an organisation’s governing body (eg, councillors in the case of local authorities or a PCC). This would necessitate removal of the equipment ahead of its normal life expectancy.
When considering the installation and use of these camera systems, it is also important to remember there are companies reselling the same cameras under different brand names (ie, OEM and white label).
Overall, it is our view that the risk in using these products should be considered alongside financial and technical advantages of this equipment.
We have always recommended that CCTV User Group Members conduct a full risk assessment before using equipment from any manufacturer. This should include consultation with your own procurement section, legal advisers, the organisation’s cybersecurity lead, the organisation’s communication/public affairs lead and the data processing officer (DPO). It is also advisable to seek agreement from the political leader’s office within a local authority or even the local police and crime commissioner (PCC), should the funding originate from their office, to ensure that any political risks have been considered and approval to proceed has been obtained.
Special reference should include consideration of the organisation’s ethical policy, supply chain policy, cybersecurity policies and compliance with relevant legislation including the Modern Slavery Act.
We are in close contact with the Biometrics and Surveillance Camera Commissioner (BSCC) and Information Commissioner’s Office (ICO) for a statement on this. When we obtain a response, we will happily pass this on to our Members.
This is a developing situation, and we will issue updates when they are available.
* Thanks to John Kinloch at North Northamptonshire Council and others for their questions regarding this issue.