MASS SURVEILLANCE: PART TWO
Vumacam’s ‘hundreds of thousands of cameras’ will be watching you
Apart from thousands of high-definition security cameras on SA’s city streets, security company Vumacam is gearing up to connect its surveillance network to cameras in private estates and shopping centres. Vumacam says it prioritises privacy. But it has lied repeatedly to the public – and the high court – about its surveillance system’s compliance with privacy regulations.
Heidi Swart is a journalist who reports on surveillance and data privacy. This report was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s Department of Journalism, Film and TV and Unisa’s Department of Communication Science.
First published in the Daily Maverick 168 weekly newspaper.
Imagine this: Cameras that record when you leave your house, when you arrive at work, and when you decide to secretly duck out to the mall on your cigarette break. They may see when you enter and exit a lingerie store, and perhaps even film what goes into your gift bag. When you call home to say you’re working late, they record the truth: you leaving the office early and arriving at an up-market security estate 30 minutes and 23 seconds later. All of these cameras are connected to the surveillance system of one private company.
Vumacam CEO Ricky Croock says it is gearing its system to include “hundreds of thousands of cameras”. Vumacam currently has over 5,000 cameras that have sprung up throughout Joburg’s suburbs since 2019. Croock elaborated on his ambitions in an interview with TechCentral in June last year. Added to thousands of street cameras in major South African cities, the company plans to connect its surveillance system to privately owned cameras in shopping centres, security estates and “things like that”, said Croock.
Vumacam markets its camera network as a crime-fighting tool, and private security companies pay Vumacam a monthly fee to view video feeds from cameras in their patrol areas. But privacy advocates have argued that the company is infringing on people’s fundamental human rights, including the right to privacy, freedom of association, and freedom of movement (also known as locational privacy – the right to move around in public without someone keeping a record of your movements. Privacy advocates further argue that such power to monitor citizens in the hands of a for-profit venture is particularly worrisome – much of their operations are kept secret, and they carry out the function of the police without the same oversight. Vumacam, however, says that privacy is a top priority, and that it complies with South Africa’s Protection of Personal Information Act (Popia). Organisations had until 1 July 2021 to be fully compliant with Popia.
Privacy regulations like Popia have a clear purpose: To protect the individual from companies and governments that harvest, store and analyse massive amounts of personal information. That includes where you go, what you buy, who you see, your spending habits, where you work, your banking and medical records, fingerprints, identifying details, your email address and phone number, your values and beliefs, your sexual preferences, and so on. Roughly speaking, in terms of Popia, it’s basically any piece of information about you. (For a detailed definition, see here.)
Legal protection of such personal information is necessary because it can be used against you, your community, or your country – particularly when it’s collected in bulk. Companies use it to target political audiences and sway votes (for instance, Cambridge Analytica). Governments use it to keep citizens in line (China, for example, uses facial recognition to name and shame jaywalkers. Criminals use it to send phishing emails, steal identities, blackmail, clean out bank accounts, and launch cyber attacks. Privacy laws like Popia define personal information, prohibit the unnecessary collection of it, limit how long it can be kept, and compel those collecting it to keep it secure. The less personal information floating about in the ether, the safer you are.
Since Vumacam started operating before Popia came into effect, it has been policing itself and its paying clients (the security companies) where privacy and data security are concerned. It has always insisted that its practices are compliant with Popia, and while waiting for Popia to kick in, Vumacam said that it looked to “international best practice” for guidance to promote Popia compliance. In particular, the company said it looked to Europe’s General Data Protection Regulation (GDPR). Very similar to Popia, the EU’s GDPR comprises some of the stiffest privacy regulations in the world, and Popia was modelled on it. In a sworn affidavit to the Gauteng High Court in Joburg last year, Croock claimed that the software its surveillance system uses is “certified GDPR-compliant under the General Data Protection Regulation applicable under European Union law”.
But Crook’s statement to the court simply isn’t true.
The software Croock is referring to is the Milestone Video Management System (VMS). A VMS is necessary because you cannot view camera footage on your computer if you don’t have the proper software. For that, you need something like Milestone that lets you view the footage live, as well as rewind, replay and download it. But Milestone can do much more than that, thanks to video analytics – software that lets you analyse hours of video footage to locate individuals or their cars in seconds . For instance, Milestone allows for tracking people through facial recognition technology, and vehicle tracking through licence plate recognition. Milestone even offers the option of adding audio to camera feeds, meaning the person monitoring the camera feed can also hear sounds within range of the camera. Used to its full potential, the software can make it near-impossible for the average citizen to keep their movements from being recorded.
In August 2019 Milestone announced that its Milestone XProtect software (which Vumacam says it uses) was “the first major video management software (VMS) to obtain the EuroPriSe (European Privacy Seal) GDPR-ready certification”.
EurPriSe is an organisation that certifies privacy compliance of IT products in the EU. But Milestone’s message carries a caveat: EuroPriSe has to be accredited by the relevant authorities before it can issue such GDPR-ready certification for Milestone. That accreditation still hasn’t happened.
EurPriSe explains on its website that although criteria for IT product GDPR certification have been operational since 2017, official certification isn’t yet available. It also says its customers (like Milestone) need to make this clear. Their website states: “EuroPriSe’s criteria catalogue v201701 has not been approved pursuant to Article 42(5) GDPR and EuroPriSe GmbH has not been accredited as a certification body pursuant to Article 43 GDPR yet. Customers of EuroPriSe are instructed to indicate this clearly when making use of seals that have been granted on the basis of v201701 of the criteria catalogue (or any previous versions of this document). EuroPriSe is dedicated to receiving the approval of its certification criteria and the accreditation as a certification body in accordance with Art. 42 f. GDPR asap.”
Daily Maverick contacted EuroPriSe and Milestone. Neither organisation commented formally, but both confirmed that the certification still isn’t available.
Vumacam repeated Milestone’s claim of certification on its website, but omitted the disclaimer.
Croock’s claim that Milestone is certified “GDPR-compliant” is false for another reason: No amount of certification can guarantee compliance. Vumacam even goes as far as to say that the “Milestone VMS ensures responsible use of data by end users”. But Milestone makes it clear that this is not the case . To see why, one needs to take a closer look at Milestone’s capabilities and the limitations put on video camera surveillance by the GDPR.
Hundreds of people in Silicon Valley
Milestone has a special feature that makes it particularly powerful, and Vumacam highlights this in its sales pitch: Milestone calls itself an “open access platform”, meaning that you can use analytical software built by other companies with the Milestone VMS. (These are known as plug-ins). Vumacam’s website also highlights the use of analytics based on “deep learning” (artificial intelligence, the latest in video analytics software). Ultimately, the idea behind an open access platform is that individual security companies can customise their own monitoring system with the analytics of their choice.
Croock understands the importance of analytics in video surveillance; when Vumacam unveiled its network to the press at a launch in February 2019, he told reporters: “It’s one thing to deliver all this feed into their [the security company’s] control room, it’s another thing actually doing something with it.” Croock explained their system was “open source” so that security companies could take advantage of the “new analytics and new clever things” that “hundreds of people in Silicon Valley” were developing.
Analytics, however, have implications for privacy. That’s partly because footage of you, your vehicle and your vehicle’s licence plate number are no longer lost in hours of video tape that must be manually reviewed by a pair of exhausted, blood-shot human eyes. Analytics can enable a system like Milestone to locate you instantly in a sea of footage and to track your movements.
To boot, there are many analytics that won’t be covered by the EuroPriSe certification. These include Milestone’s licence plate recognition analytics, and all of the plug-ins that you can buy on Milestone Marketplace, Milestone’s dedicated sales page for plug-ins from other developers (aka third-party developers.) Another piece of software not covered by the EurPriSe certification is Proof360, which is used by Vumacam clients to handle data from its licence plate recognition camera network.
Thus, although Vumacam said on its website that Milestone will “ensure” that personal data is handled responsibly, the opposite is in fact the case: it’s up to Vumacam and the security companies using Milestone to make sure they stick to the law. Vumacam, however, seems to have taken a hands-off approach when it comes to its clients and the analytics it uses.
On its website, Vumacam states: “Vuma Secure does not have any input as to how their clients will monitor or how they will react to any information they may receive off the footage provided by our vumacams. This is dependent on the amount of control room monitors they have, the size of the control room and software they choose to apply.”
When we asked Vumacam about this, they said that “this statement points out that we would not make a provider take on more, or less, software than what they feel meets their needs.”
The company says it keeps strict control.
“Vumacam defines which, and must approve any, software that plugs into our platform. All must meet compliance, regulatory and security standards. Our security partners may select the software they apply within the ambit of what is approved by Vumacam to ensure their needs are met. We place strict limits on the analytics our clients use which are provided only by our platform. From these, clients can configure the parameters of such analytics tools to suit their individual needs.”
We asked Vumacam for comment on its false claims of Milestone’s certification by EuroPriSe. They responded:
“As with most software, Milestone itself cannot be compliant but rather, is built to support compliant behaviour. In other words, the system supports the person using or engaging with it in a manner that is compliant. We believe that the manner in which we engage with the system is indeed compliant, however, as we are not governed by GDPR in South Africa, please note that this is a standard that we set for ourselves and is not a regulatory standard in South Africa.
“The material quoted is prior to the implementation of Popia in South Africa and while we feel it is important to work to an international standard of data and privacy, we are governed by South African law and on this front, we believe that we not only meet but exceed regulatory standards.
“All our systems, processes and technology are Popi compliant and further to this, we have made a request to the Information Regulator to engage on the standards we have in place.”
We then asked Vumacam for comment on its false statement that the “Milestone VMS ensures responsible use of data by end users”.
“Communication between Vumacam and Milestone indicated GDPR compliance as the system is configured, however, this does not ensure responsible usage in and itself. This is again requisite on use which is something we monitor and audit.
“We do not operate in Europe, and as such do not require Proof360 to be GDPR certified nor have we claimed that it is. Again, use of the systems – in adherence with the requirements and restrictions – is what ensures compliance.
“Our focus for responsible usage is via the processes we put in place and the audited measurement of use. While GDPR compliance is certainly a means through which to measure alignment with international privacy standards, it is not the only means of assurance and we place far more value in the auditable manner in which our systems are used and Popi compliance in managing data.
“We also, as stated previously, do not have the means to access any personal data. Data cannot be linked by Vumacam to any individual, their name or their address.
“We conduct regular safety and penetration testing, and our systems’ security is a top priority for us. We also conduct user education, training, vet and audit users to ensure Popi requirements are met to the utmost of our ability.”
Even if Vumacam is telling the truth about its compliance to privacy regulation this time around, the company won’t hesitate to push the limits of its system if the law allows it. Take, for instance, its stance on facial recognition. To assuage privacy concerns, Croock told TechCentral in the 2020 interview: “…we don’t have facial recognition cameras…” But that doesn’t mean they’ll never fit their system with facial recognition capabilities. At the launch of their network in February 2019, when asked by a reporter about the future application of facial recognition, the then managing director of Vumacam, Ashleigh Parry, was quite clear: “That’s a horrible question…. We’ve got to be very careful around what we are and aren’t allowed to do; 100% we’ve got our eye on what is happening out there, and if we can go there, we will go there.”
Daily Maverick contacted Milestone to confirm its communication with Vumacam regarding GDPR compliance. Milestone referred us to Vumacam for comment. As for Vumacam’s statement that they do not access any personal information – you can read all about that here and decide for yourself if you agree. Vumacam confirmed that it stands by the position voiced by Parry in 2019. You can see their full response to all of our questions here. DM/DM168
Read their full response to all of our questions here
This story first appeared in our weekly Daily Maverick 168 newspaper which is available for R25 at Pick n Pay, Exclusive Books and airport bookstores. For your nearest stockist, please click here.
Daily Maverick © All rights reserved