The standards built up over years to cover CCTV are being lost as the office of the Surveillance Camera Commissioner is going. It looks like all the work by the industry to set those standards will be for nothing. Now what? asked Mark Rowe, in the June print edition of Professional Security Magazine.
(An update since writing; in early August in a frosty letter to Home Secretary Suella Braverman, Prof Fraser Sampson announced his resignation, as of October. The Surveillance Camera Commissioner’s third-party certification scheme ended in July, as Prof Sampson told the inspection bodies NSI, SSAIB and IQ Verify in a letter on the SCC website. As Sampson says, the Data Protection and Digital Information (no. 2) Bill is likely to be passed by Parliament in spring 2024; will effectively abolish the Office of the Biometrics and Surveillance Camera Commissioner, ‘with no suggestion about what might replace the [SCC] code of practice, if anything’.)
Some causes such as VAWG (violence against women and girls) are inspired by a case, such as the murder of Sarah Everard; one crime among many, with a time and a place. The fading away of what was built up in the ten years or so of the Surveillance Camera Commissioner makes no sound, like an air bed with a hole in it; and no noise, and has no defining event. The industry appears to have taken it with a shrug; the CCTV User Group told its annual conference in April that it has written a letter of concern to the Home Secretary Suella Braverman. The Commissioner, Prof Fraser Sampson, is in post by agreement after his term has ended (as happened with the previous and more impactful Commissioner, Tony Porter). The Government is ending the SCC, which lately covered biometrics also; the Government has other plans.
Added analytics
That’s sensible, because as the SCC annual reports from Porter’s years onwards have show, surveillance products and data are proliferating. Police and others with body-worn video are in effect walking CCTV poles; add drones; and analytics, the tech that can do so much more with the images than in the ‘old days’ when an operator simply viewed footage on a screen (or not at all). The SCC, then, has so much more to cover. The very term CCTV is ‘so last century’ as Mike Gillespie says. He was cyber security adviser to the SCC, first Porter, then Sampson. As a sign of quite how in the air everything is, Mike says that ‘apparently’ he is still on the advisory board. “Not that we are doing very much, let’s be honest.”
Gone scheme
Given the uncertainty, the SCC office staff are naturally seeking other civil service jobs. With them goes the institutional knowledge. All that the SCC created is in limbo too: the certification of camera systems that comply with the SCC code of practice, the ‘secure by default’ scheme whereby manufacturers could self-certify their products. Mike describes the self-certification, launched by Tony Porter at IFSEC in summer 2019, as a ‘fantastic achievement’, for getting manufacturers around the table (literally, for this was pre-covid), to admit the cyber flaws in their products to one another (remarkable enough) and to agree standards, to address the most common cyber weaknesses in security products. For example, default passwords (and some products even shipped with hard-coded engineer re-set passwords, so that you cannot change the password). To be ‘secure by default’, a product had to require its default password to be changed at install, before the product could be connected to the internet. Perhaps all is well in the sector, video products are perfectly cyber-secure, and camera and drone and ANPR and other video systems are all running efficiently, and ethically? On cyber, Mike says that in his 30 years of experience, we (the good guys) have always been behind (the hackers and criminals), and ‘I have never seen us as far behind the bad guys as we are’.
No thanks
Mike describes it all as a shame. On a personal level, we may note that he and numerous others volunteered to help the SCC with their time and expertise, not for any money, but for the good of the industry. They have got no thanks from anyone in authority. The documents they worked on if unrefreshed will inevitably soon fall out of date and even become dangerous to use. It makes a sad and peculiar contrast with all the (paid) work Home Office and police are putting into the Protect Duty. Presumably all the ‘publicly accessible locations’ that will fall under the Duty could be more secure thanks to public space CCTV? But to what standards any more?
Warning letter
Will other regulators pick up the slack meanwhile? The data privacy watchdog, the ICO, for example? Before the SCC it gave guidance on CCTV, but always had other, more pressing business. Steven Wright, a principal policy adviser at the ICO, had little concrete to give in his update to the CCTV User Group conference. The ICO awaits a data protection law to replace the EU-era 2018 Act. The best case Wright could give of the ICO’s work around video was a ‘warning letter’ sent to a Scottish school, for its proposed use of facial recognition at the canteen. On domestic CCTV (and Ring doorbells, that police routinely appeal for footage from, when seeking missing people) he could only say lamely that it brings ‘regulatory challenges’. The melancholy moral of this story, that campaigners for Martyn’s Law will not want to see repeated in the Protect Duty, is that regulation no matter how much in the public interest can be painfully slow to arrive, and easy to seep away to nothing.
Photo by Mark Rowe: CCTV on the back foot? A dome camera and artwork of WG Grace batting on a building at Gloucestershire county cricket club ground, Bristol.
