Smart cameras: prevention or cause of a threat to security?
This article was co-authored by Lachezar Anastasov, Trainee Solicitor.
Whilst many of us have been in lockdown, our reliance on technology has increased as a way of connecting us to the outside world. An estimated 75 billion smart devices, such as cameras and televisions, are predicted to be within our homes globally by the end of 2025. However, as smart devices become more and more integral to our personal day-to-day lives, the cyber-security risks to our data and privacy are also becoming more personal.
In early March 2020, the National Cyber Security Centre (NCSC) warned that smart cameras and baby monitors can be watched by criminals over the internet, exposing the existing cyber threats that smart devices face. On 29 May 2020, the UK government launched a program to promote the creation of design schemes that test the security of smart devices. Under the initiative, innovators are encouraged to bid for funding from a pot of £400,000 to create more assurance schemes, which ultimately aim to boost the security of consumer smart products.
In this article we consider how smart camera manufacturers can seek to protect their consumers from potential cyber-threats and avoid potential data protection and product liability claims.
Smart security cameras ensure the peace of mind of millions of customers who monitor their household through a smartphone application. Once connected to a WiFi network, consumers can check a livestream, or request that they are sent notifications when noise or motion is detected. Footage can be stored in the cloud or on a memory card and accessed when required. Further, such devices can connect to, and be communicated with through, other smart devices, such as smart speakers. They are a useful addition for any smart home, provided that they are used in a manner which ensures cyber threats are minimised.
Smart cameras, however, can expose consumers to cyber threats by placing user data and privacy at risk, particularly when the default settings are unchanged after the product is installed. Cyber criminals can access the smart camera through guessable default passwords, allowing them to remotely access the camera’s live stream. Further, smart cameras may be exposed to malware, even when consumers have appropriate defence measures in place.
In light of these risks, in March 2020, Matt Warman, the Digital Minister, announced plans to ensure that all consumer smart devices sold in the UK adhere to the following security requirements:
- All internet-connected device passwords must be unique and not resettable by any universal factory settings
- Manufacturers must provide a public point of contact so consumers can report a vulnerability, which is acted on in a timely manner
- Manufacturers must explicitly state the minimum length of time for which devices will receive security updates at the point of sale.
Secure by default
Until legislation is enacted, manufacturers can prioritise consumer safety by following the voluntary minimum security requirements launched by the UK Surveillance Camera Commissioner (SCC). The requirements ensure that default configuration settings of a product are the most secure possible. Consumers should look out for the Secure by Default logo, which can be displayed by manufacturers who self-certify by demonstrating compliance with the minimum requirements outlined by the SCC.
Smart camera manufacturers should be alert to the possibility of product recall in respect of smart cameras, and smart devices in general, where it is deemed that consumer safety is at risk. In February 2019, the European Commission issued a product recall in respect of a children’s smart watch. The smartphone application accompanying the watch was unencrypted, meaning that user data such as location history and phone numbers could be accessed by malicious users.
Data protection and product liability laws
When the Consumer Protection Act 1987 (CPA) was enacted, a market for smart devices was not contemplated. As such, the risk posed by such devices does not sit completely comfortably with the current legal regime. However, the European Product Liability Directive has been under review since 2017, to consider how it can specifically adapt to potential liability in respect of new technologies and related products.
Under the CPA, a consumer can claim compensation for personal injury and/or property damage valued at more than £275. Smart cameras are unlikely to pose any immediate physical risk to consumers but, as highlighted, instead pose risks to the consumer’s data and privacy. However, depending on the level of privacy intrusion, there are arguably risks of the consumer suffering from distress.
Currently under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and following the important decision of Vidal-Hall and others v Google Inc, a claim for distress caused by a privacy breach can be made where there was no financial loss. In recent cases involving the misuse of personal data, such as TLT v Secretary of State for the Home Department, compensation of between £2,500 and £12,500 was ordered.
The liability picture is further complicated by the numerous parties involved in manufacturing and enabling the use of smart cameras. This includes software engineers designing the related smartphone applications, component manufacturers responsible for the sensors detecting sound and movement and manufacturers who put together the final physical products. Third parties may also be involved, such as the manufacturers of the smartphone, the internet service provider, and those managing the cloud.
Generally, smart device manufacturers should ensure that they highlight any cyber risks to which consumers may be exposed, via clear and adequate product packaging warnings and instructions for safe use and installation of software updates. They should also keep an eye on any developments in data and privacy laws and product liability laws that may affect smart devices.
Manufacturers of smart cameras, and smart devices in general, should be alert to the potential cyber threats to their consumers. They should have appropriate measures in place to try to protect consumers from such risks and to avoid potentially complex and costly litigation in several spheres of potential liability.