DM168

MASS SURVEILLANCE: PART TWO

Vumacam’s ‘hundreds of thousands of cameras’ will be watching you

Illustrative image | Sources: Adobe Stock | Dean Hutton / Bloomberg via Getty Images
By Heidi Swart
25 Sep 2021 29

Apart from thousands of high-definition security cameras on SA’s city streets, security company Vumacam is gearing up to connect its surveillance network to cameras in private estates and shopping centres. Vumacam says it prioritises privacy. But it has lied repeatedly to the public – and the high court – about its surveillance system’s compliance with privacy regulations.

 

Heidi Swart is a journalist who reports on surveillance and data privacy. This report was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s Department of Journalism, Film and TV and Unisa’s Department of Communication Science.

First published in the Daily Maverick 168 weekly newspaper.

Imagine this: Cameras that record when you leave your house, when you arrive at work, and when you decide to secretly duck out to the mall on your cigarette break. They may see when you enter and exit a lingerie store, and perhaps even film what goes into your gift bag. When you call home to say you’re working late, they record the truth: you leaving the office early and arriving at an up-market security estate 30 minutes and 23 seconds later. All of these cameras are connected to the surveillance system of one private company. 

Vumacam CEO Ricky Croock says it is gearing its system to include “hundreds of thousands of cameras”. Vumacam currently has over 5,000 cameras that have sprung up throughout Joburg’s suburbs since 2019. Croock elaborated on his ambitions in an interview with TechCentral in June last year. Added to thousands of street cameras in major South African cities, the company plans to connect its surveillance system to privately owned cameras in shopping centres, security estates and “things like that”, said Croock. 

Vumacam markets its camera network as a crime-fighting tool, and private security companies pay Vumacam a monthly fee to view video feeds from cameras in their patrol areas. But privacy advocates have argued that the company is infringing on people’s fundamental human rights, including the right to privacy, freedom of association, and freedom of movement (also known as locational privacy – the right to move around in public without someone keeping a record of your movements. Privacy advocates further argue that such power to monitor citizens in the hands of a for-profit venture is particularly worrisome – much of their operations are kept secret, and they carry out the function of the police without the same oversight. Vumacam, however, says that privacy is a top priority, and that it complies with South Africa’s Protection of Personal Information Act (Popia). Organisations had until 1 July 2021 to be fully compliant with Popia. 

Privacy regulations like Popia have a clear purpose: To protect the individual from companies and governments that harvest, store and analyse massive amounts of personal information. That includes where you go, what you buy, who you see, your spending habits, where you work, your banking and medical records, fingerprints, identifying details, your email address and phone number, your values and beliefs, your sexual preferences, and so on. Roughly speaking, in terms of Popia, it’s basically any piece of information about you. (For a detailed definition, see here.) 

Legal protection of such personal information is necessary because it can be used against you, your community, or your country – particularly when it’s collected in bulk. Companies use it to target political audiences and sway votes (for instance, Cambridge Analytica). Governments use it to keep citizens in line (China, for example, uses facial recognition to name and shame jaywalkers. Criminals use it to send phishing emails, steal identities, blackmail, clean out bank accounts, and launch cyber attacks. Privacy laws like Popia define personal information, prohibit the unnecessary collection of it, limit how long it can be kept, and compel those collecting it to keep it secure. The less personal information floating about in the ether, the safer you are. 

Since Vumacam started operating before Popia came into effect, it has been policing itself and its paying clients (the security companies) where privacy and data security are concerned. It has always insisted that its practices are compliant with Popia, and while waiting for Popia to kick in, Vumacam said that it looked to “international best practice” for guidance to promote Popia compliance. In particular, the company said it looked to Europe’s General Data Protection Regulation (GDPR). Very similar to Popia, the EU’s GDPR comprises some of the stiffest privacy regulations in the world, and Popia was modelled on it. In a sworn affidavit to the Gauteng High Court in Joburg last year, Croock claimed that the software its surveillance system uses is “certified GDPR-compliant under the General Data Protection Regulation applicable under European Union law”. 

But Crook’s statement to the court simply isn’t true. 

Caveat 

The software Croock is referring to is the Milestone Video Management System (VMS). A VMS is necessary because you cannot view camera footage on your computer if you don’t have the proper software. For that, you need something like Milestone that lets you view the footage live, as well as rewind, replay and download it. But Milestone can do much more than that, thanks to video analytics – software that lets you analyse hours of video footage to locate individuals or their cars in seconds . For instance, Milestone allows for tracking people through facial recognition technology, and vehicle tracking through licence plate recognition. Milestone even offers the option of adding audio to camera feeds, meaning the person monitoring the camera feed can also hear sounds within range of the camera. Used to its full potential, the software can make it near-impossible for the average citizen to keep their movements from being recorded. 

In August 2019 Milestone announced that its Milestone XProtect software (which Vumacam says it uses) was “the first major video management software (VMS) to obtain the EuroPriSe (European Privacy Seal) GDPR-ready certification”. 

EurPriSe is an organisation that certifies privacy compliance of IT products in the EU. But Milestone’s message carries a caveat: EuroPriSe has to be accredited by the relevant authorities before it can issue such GDPR-ready certification for Milestone. That accreditation still hasn’t happened. 

Milestone’s website makes it clear that official GDPR-ready certification isn’t yet available. (Source: Milestone)

EurPriSe explains on its website that although criteria for IT product GDPR certification have been operational since 2017, official certification isn’t yet available. It also says its customers (like Milestone) need to make this clear. Their website states: “EuroPriSe’s criteria catalogue v201701 has not been approved pursuant to Article 42(5) GDPR and EuroPriSe GmbH has not been accredited as a certification body pursuant to Article 43 GDPR yet. Customers of EuroPriSe are instructed to indicate this clearly when making use of seals that have been granted on the basis of v201701 of the criteria catalogue (or any previous versions of this document). EuroPriSe is dedicated to receiving the approval of its certification criteria and the accreditation as a certification body in accordance with Art. 42 f. GDPR asap.” 

Daily Maverick contacted EuroPriSe and Milestone. Neither organisation commented formally, but both confirmed that the certification still isn’t available. 

Vumacam repeated Milestone’s claim of certification on its website, but omitted the disclaimer. 

Vumacam repeated Milestone’s claim of certification on its website, but omitted the disclaimer. (Source: Vumacam)

Croock’s claim that Milestone is certified “GDPR-compliant” is false for another reason: No amount of certification can guarantee compliance. Vumacam even goes as far as to say that the “Milestone VMS ensures responsible use of data by end users”. But Milestone makes it clear that this is not the case . To see why, one needs to take a closer look at Milestone’s capabilities and the limitations put on video camera surveillance by the GDPR. 

Hundreds of people in Silicon Valley 

Milestone has a special feature that makes it particularly powerful, and Vumacam highlights this in its sales pitch: Milestone calls itself an “open access platform”, meaning that you can use analytical software built by other companies with the Milestone VMS. (These are known as plug-ins). Vumacam’s website also highlights the use of analytics based on “deep learning” (artificial intelligence, the latest in video analytics software). Ultimately, the idea behind an open access platform is that individual security companies can customise their own monitoring system with the analytics of their choice. 

Vumacam highlights Milestone’s compatibility with third-party analytics on its website.
(Source: Vumacam)

Croock understands the importance of analytics in video surveillance; when Vumacam unveiled its network to the press at a launch in February 2019, he told reporters: “It’s one thing to deliver all this feed into their [the security company’s] control room, it’s another thing actually doing something with it.” Croock explained their system was “open source” so that security companies could take advantage of the “new analytics and new clever things” that “hundreds of people in Silicon Valley” were developing.  

Analytics, however, have implications for privacy. That’s partly because footage of you, your vehicle and your vehicle’s licence plate number are no longer lost in hours of video tape that must be manually reviewed by a pair of exhausted, blood-shot human eyes. Analytics can enable a system like Milestone to locate you instantly in a sea of footage and to track your movements. 

For Milestone to be truly compliant with the GDPR, the human beings using it need to specifically configure (adjust) the video management system’s settings to make it so. 

Milestone’s website states clearly that the customer using its video management system is responsible for ensuring GDPR compliance.

To boot, there are many analytics that won’t be covered by the EuroPriSe certification. These include Milestone’s licence plate recognition analytics, and all of the plug-ins that you can buy on Milestone Marketplace, Milestone’s dedicated sales page for plug-ins from other developers (aka third-party developers.) Another piece of software not covered by the EurPriSe certification is Proof360, which is used by Vumacam clients to handle data from its licence plate recognition camera network. 

Thus, although Vumacam said on its website that Milestone will “ensure” that personal data is handled responsibly, the opposite is in fact the case: it’s up to Vumacam and the security companies using Milestone to make sure they stick to the law. Vumacam, however, seems to have taken a hands-off approach when it comes to its clients and the analytics it uses. 

On its website, Vumacam states: “Vuma Secure does not have any input as to how their clients will monitor or how they will react to any information they may receive off the footage provided by our vumacams. This is dependent on the amount of control room monitors they have, the size of the control room and software they choose to apply.” 

When we asked Vumacam about this, they said that “this statement points out that we would not make a provider take on more, or less, software than what they feel meets their needs.” 

The company says it keeps strict control.  

“Vumacam defines which, and must approve any, software that plugs into our platform. All must meet compliance, regulatory and security standards. Our security partners may select the software they apply within the ambit of what is approved by Vumacam to ensure their needs are met. We place strict limits on the analytics our clients use which are provided only by our platform. From these, clients can configure the parameters of such analytics tools to suit their individual needs.”  

We asked Vumacam for comment on its false claims of Milestone’s certification by EuroPriSe. They responded: 

“As with most software, Milestone itself cannot be compliant but rather, is built to support compliant behaviour. In other words, the system supports the person using or engaging with it in a manner that is compliant. We believe that the manner in which we engage with the system is indeed compliant, however, as we are not governed by GDPR in South Africa, please note that this is a standard that we set for ourselves and is not a regulatory standard in South Africa. 

“The material quoted is prior to the implementation of Popia in South Africa and while we feel it is important to work to an international standard of data and privacy, we are governed by South African law and on this front, we believe that we not only meet but exceed regulatory standards. 

“All our systems, processes and technology are Popi compliant and further to this, we have made a request to the Information Regulator to engage on the standards we have in place.” 

We then asked Vumacam for comment on its false statement that the “Milestone VMS ensures responsible use of data by end users”. 

They responded: 

“Communication between Vumacam and Milestone indicated GDPR compliance as the system is configured, however, this does not ensure responsible usage in and itself. This is again requisite on use which is something we monitor and audit. 

“We do not operate in Europe, and as such do not require Proof360 to be GDPR certified nor have we claimed that it is. Again, use of the systems – in adherence with the requirements and restrictions – is what ensures compliance. 

“Our focus for responsible usage is via the processes we put in place and the audited measurement of use. While GDPR compliance is certainly a means through which to measure alignment with international privacy standards, it is not the only means of assurance and we place far more value in the auditable manner in which our systems are used and Popi compliance in managing data. 

“We also, as stated previously, do not have the means to access any personal data. Data cannot be linked by Vumacam to any individual, their name or their address. 

“We conduct regular safety and penetration testing, and our systems’ security is a top priority for us. We also conduct user education, training, vet and audit users to ensure Popi requirements are met to the utmost of our ability.” 

Even if Vumacam is telling the truth about its compliance to privacy regulation this time around, the company won’t hesitate to push the limits of its system if the law allows it. Take, for instance, its stance on facial recognition. To assuage privacy concerns, Croock told TechCentral in the 2020 interview: “…we don’t have facial recognition cameras…” But that doesn’t mean they’ll never fit their system with facial recognition capabilities. At the launch of their network in February 2019, when asked by a reporter about the future application of facial recognition, the then managing director of Vumacam, Ashleigh Parry, was quite clear: “That’s a horrible question…. We’ve got to be very careful around what we are and aren’t allowed to do; 100% we’ve got our eye on what is happening out there, and if we can go there, we will go there.” 

Daily Maverick contacted Milestone to confirm its communication with Vumacam regarding GDPR compliance. Milestone referred us to Vumacam for comment. As for Vumacam’s statement that they do not access any personal information – you can read all about that here and decide for yourself if you agree. Vumacam confirmed that it stands by the position voiced by Parry in 2019. You can see their full response to all of our questions here. DM/DM168 

Read  their full response to all of our questions here

Vumacam Responses

This story first appeared in our weekly Daily Maverick 168 newspaper which is available for R25 at Pick n Pay, Exclusive Books and airport bookstores. For your nearest stockist, please click here.

Gallery

Comments - share your knowledge and experience

Please note you must be a Maverick Insider to comment. Sign up here or sign in if you are already an Insider.

Everybody has an opinion but not everyone has the knowledge and the experience to contribute meaningfully to a discussion. That’s what we want from our members. Help us learn with your expertise and insights on articles that we publish. We encourage different, respectful viewpoints to further our understanding of the world. View our comments policy here.

All Comments 29

  • In regard to choices. At this point what is best? Move to Switzerland. Denmark or Sweden.
    We live in a broken world where human life has no value. The HRC (Human Rights Commission) gives more rights to a murder and criminals than to the innocent. A robber is let out on bail to commit the same if not a worse crime.
    Basically there is little protection for the innocent and our children.
    My personal opinion is I would rather have a camera watching my family than this failed state. Don’t get me wrong. Their are some good Cops out there. But do you want to risk your family? Over a camera that can be there when no one else is there.
    I say Bring it on. Our law enforcement is so paralysed by the broken state, anything is better than moving from one’s home to a country with a different language.

    • And yup, who do you think into whose hands your data is going to fall? The good guys? That’s a leap of faith I don’t have – all it requires is a single login from a criminal network to track, monitor and trace you for their shopping lists of vehicles, homes and what have you.

  • I honestly dont see the big whinge about this. It’s clearly the lesser evil in that it assists a totally broken security / policing industry be “slightly” better, and for that I’ll support it. The author of this piece uses someone buying lingerie for an affair as an example as to why it’s bad? And honestly, being tracked around my boring life, well, good luck to the guys watching that. If I do wrong, and get caught out, kudos to the system working.

    • This is basically a surveillance system available to anyone who is willing to pay for it. It has already been installed in Gauteng by a municipality that we know is incompetent and with the knowledge that in intrudes on our privacy. If you believe that the current police system are looking after your best interest then I must ask why? (Think about this the next time you are asked for a bribe.) If you believe that all small private security companies are honest and above board then you have a better view of society than I do. There is no-where in the world that 100% surveillance is not abused by those in power. The temptation is simply too great.

      • I hear you 100%. But again, to answer the comment below too, not naive at all. Hell, the cameras around my very own house use facial recognition (although super private and secure using Apple Homekit). But again, there’s not much I do in public that when being studied and watched is going to create a “we have you on video doing X” problem. And of course the corrupt cops / security / etc… probably the worst, but again, by not doing anything that can be used against me, I do not see the problem. And lastly, reference the study on police body cams: of course they were “erratic in recording” when the cops were called out on their behaviour, but for the everyday general public in dealing with the police, the abuse towards them dropped something like 99%. Which shows people behave differently around a lot of cameras. And if that means even a 10% drop in crime, I think that’s worth it. Even if my neighbour is being blackmailed about her affair. haha.

    • You are making the assumption that this system will only be used to track criminals, and that ‘good guys’ are good, and ‘bad guys’, bad. That’s a very naïve worldview, and you are bound to be shocked into reality sooner rather than later. The data this system gathers is the property of the gatherer, and there is absolutely no guarantee that it will be used for the common or individual good.

  • I have no problem with the system. I think both POPIA and PAIA are examples of legislators gone mad in many respects. We are a third world country with failing policing, justice and defence systems where criminals are afforded more protection than normal citizens. Behave out there and smile for the camera.

  • I don’t think there is any right to privacy when you are in public spaces. You can as much forbid somebody looking at you as filming you. On your own property, different story.

    • Hmm, sure. “Privacy” doesn’t just mean what you think it does. Let’s assume you have an extramarital affair and video evidence exists that could convict you in the eyes of your spouse – are you still keen on security companies keeping the footage on record for as long as they like? It’s also all very well to take said company at their word that they will only use the footage for security purposes, blah blah blah, but how about the corrupt mid-level employee who gets bribed into taking a copy of the footage home and selling it to private investigators? There are all sorts of chilling implications here.

      • Spot on. Who watches the watchers? And why, if I am a law abiding citizen, can I not opt out of being recorded? I have nothing to hide, I need not be recorded doing it.

  • If you can experience a criminal act in real time in your house, with criminals high in drugs pointing a firearm in your face, you will never talk bad about these cameras. People are being tortured in their houses by criminals who brag about killing and raping people in their houses. They compete with the number of people they killed and tortured in their houses, and now Daily Maverick complaints about the cameras that capture evidence. Of course if the cameras are used for any other purpose other than recording criminal activity, that would wrong. I would be glad if i can see a camera at each street i reside.

  • Who cares except the criminals. This type of surveillance is quite normal in UK and USA. It does help to catch criminals and collect evidence. I personally have no problem with being on camera anywhere out of my own home and nobody is going to be looking at footage of me unless something happens, e.g. I am the victim of some crime. I’m a bit tired of people bleating about human rights and conspiracy theories about being spied on.

    • “nobody is going to be looking at footage of me unless something happens” – Uhh, really? No-one? How sure are you of that? Have you *met* South Africa?

  • A storm in a tea cup. Get the opinions of those affected by crime who may have recovered their goods, or the perpetrators having been arrested.
    As has been seen in the Kinear murder, your cell phone can take away your privacy of movement.

    • And that’s exactly the point! It doesn’t make it right. Laws were broken in that specific case, and if you don’t stand up against these things you’re going to be next to be on the side where the laws were broken that were supposed to be protecting you. Didn’t do much for Kinnear did it?

  • Unfortunately, there are criminals in this world. Unfortunately in SA, we have savages that will kill you for a cellphone. It is like this in any big city in the world. If it will help to reduce the violent crime, I say bring it on. Bheki Cele and his bunch of clowns are more interested in political battles and many of the police officers are running these criminal syndicates. So no help coming from them.

  • I wonder what they actually do with all the footage that they get every day. Clearly not much judging by the increase in violent crimes in the suburbs.

    • We have a limited number of cameras up in our neighbourhood, two separate arrests have been made and a stolen vehicle recovered in the last month both as a result of the security cameras helping the police and security companies.
      I am concerned about personal privacy and believe that we have to keep monitoring these companies. Journalists like Heidi Swart are doing a fantastic job in shining a light on the actions of companies like Vumacam. I think we need the camera system to help fight crime as it can be incredibly effective, but we also need our journalists and interest groups to keep these companies in check.

      • I agree completely that they’re a big help in solving crimes but I’d like to see more being done to prevent crime. The area where I live is saturated with cameras yet violent crime, especially against old people, is escalating at an alarming rate and very often they are committed in full view of cameras.

  • There already is no personal privacy – every move is tracked through phones, apps, credit cards, IDs, passports, driving licences. We are forced to divulge our actions and movements whatever we do. Security cameras are just another extension of the Big Brother world. The wider fear is the possibility of manipulating the captured footage.

    • It depends on “who” we are I am afraid. There are already two sets of laws – and if you think these camera surveillance laws serve you I am sorry to inform you that they do not. Your information is being sold to the highest bidder and you’re not the one deriving benefit from it. If Vumacam offered me payment for recording me, I’d be interested in hearing what they have to say.

    • The problem with “high tech” companies is that – quite frankly – they generally have a completely cavalier attitude towards your rights. I find the same is true of (for eg) IT services at banks – you can never contest (for eg) when a call-centre claims “computer-error” as if that somehow excuses the bank from (say) an incorrect deduction from your account. SARS are another problem area in that respect. They send out (often idiotic) AI generated emails from a “no-reply” address. Such practise should be made illegal – you have a right of response to anything that SARS sends you. We need to have beefy “high-tech” laws to deal with “high-tech” cowboys! All the more so as AI technology becomes increasingly pervasive.

  • I have a criminal walking down my road every single week. If he doesn’t commit a crime in my road he does in one of the roads that come off my road. My camera system has helped identify and catch a criminal at least 1 out of 2 weeks. And that’s 1 camera working alone.
    This article is making a hoohaa about persons being identified, but the same is long being done on license plates and cars.

  • Please peer review 3 community comments before your comment can be posted