If absolute power can corrupt absolutely, will absolute sovereignty over surveillance data corrupt governments’ duty to be absolutely trusted?

In the Philippines, it was recently reported that the country’s national police (PNP) will be using closed-circuit monitors with AI capabilities to track down criminals and terrorists during events such as rallies.

This was after an event which the media has named “Blood Sunday”: the PNP’s recent crackdown on activists had resulted in the deaths of nine people.

As demonstrated by a breach that recently occurred in San Francisco, digital closed-circuit monitors can be hacked. Footage from some 150,000 security cameras mounted in jails, banks, schools and the car company Tesla had been accessed by a hacker collective. In a statement issued on a social media platform, the hackers indicated their motive for their act: “What if we just absolutely ended surveillance capitalism in two days?”   

Security vs privacy

The concern over how security cameras could impinge on an individual’s liberty is not unlike how people worry that contact tracing apps can be used to track someone’s movements.

On the one hand, such tracking devices can be said to be useful for safeguarding the community’s health, well-being and even integrity.

On the other hand, should those devices fall into the wrong hands, the average citizen is at the mercy of wrongdoers. For example, the enforced use of contact-tracing apps, initially enacted with the purpose of containing the pandemic, can be utilized by some governments and their police for other purposes.  

In 2019, in an attempt to solve traffic optimization challenges, an Australian city deployed more than 900 smart LED lights, a network of 138 new CCTV cameras, 24 environmental sensors and parking sensors, among many other connected devices. Using the devices to monitor traffic conditions, optimize routes and manage fleet availability for emergency services was laudable, but it also inadvertently raised cyber risks.

The numerous devices that are connected via the Internet of Things were vulnerable to hacking because their factory-default access passwords had been left unchanged. In the event of a breach, hackers can mine the huge amount of data.

Can you imagine your daily route to work being accessible to a hacker?

Responsible surveillance

Sometimes, preventing security devices from being hacked could come down to a simple matter of changing passwords or patching vulnerabilities promptly. As Andrew Shikiar, Executive Director of authentication association FIDO Alliance, stated: “With great connectivity comes great responsibility.”

When utilizing surveillance and security devices, some points that must be considered, Shikiar pointed out: “The continued lack of IoT security standards and typical processes such as shipping with default password credentials leave devices open to exploitation. Many IoT devices fall easily when it comes to device authentication, as passwords remain unchanged from their default values.”

Most IoT devices are unprotected or poorly connected due to obsolete protocols, and this makes them vulnerable to hackers looking to gain access to data.”

Over and above these points of necessary diligence, governments should practice transparency when using security devices: stick with their true purpose and enforce vigilance against legislating any further expedient use cases.

In the Philippines, for instance, the PNP should remember that those AI-capable cameras are intended to primarily protect the citizenry from infections, and not to immediately eradicate all suspected criminals and terrorists in the land.