Posted on 04-30-2020.
There is no shortage of news about hacks and cybersecurity flaws, which may not come as a surprise. Yet, there are curious ones that catch the eye. In this piece, we take a look at a recent story about a blatant vulnerability in a CCTV system exposing 8.6 million records and try to find an upside in today's messy situation with privacy.
“We take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. However, it is important to be very clear that, to the best of our knowledge, nobody came to any harm or suffered any detrimental effects as a result of this breach,” Sheffield officials told The Register.The flawed dashboard was reportedly shut down shortly after The Register notified local authorities. This case is concerning because of several reasons. First of all, it should have taken quite an astonishing amount of confidence to leave a municipal CCTV dashboard just laying in the open. It seems that everything is fine, but not knowing about bad things happening isn’t the same as knowing they didn’t happen. Aside from spying on people, the vulnerability may have allowed an adversary to change important parameters withing the system: rename cameras, edit their assigned location, etc. Moreover, the situation raises the question of how much more freely accessible information of this sort is still out there. On the other hand, there’s the problem of balance between keeping people’s privacy and making everybody observe the law.
“ANPR use must be proportionate to the problem it's trying to address – it's not supposed to be a tool of mass surveillance. Both the council and police have a responsibility to ensure their use is proportionate and subject to a data protection impact assessment,” Privacy International's Edin Omanovic told The Register, “They must both now explain how exactly they are using this system, how their use is consistent with data protection rules, how it came to be that this data was exposed, and what changes they've made to ensure it never happens again.”In this particular case, one of the surveillance system functions was to automatically detect vehicles entering the city center to charge a fee from the owners. The measure is meant to encourage people to reduce car traffic in the area and combat pollution. Sounds harmless, but ANPR is still a serious surveillance tool, which is easy to mishandle.