Brentford Dock, General Data Protection Regulation (GDPR) and CCTV.

Brentford Dock, General Data Protection Regulation (GDPR) and CCTV.  According to the 549th Brentford Dock Ltd board meeting held on the 8th May 2014 the following was minuted:

“PROPOSAL: to enter into a contract with Trigion for the outright purchase of the CCTV equipment as specified in the documents circulated with the Board papers in the sum of £23,780+VAT plus a live monitoring system – at a cost of £1,200+VAT (which allows cameras to be controlled and viewed at Trigion’s security center) to support the guards on patrol on the Dock.

PROPOSAL: to enter into a contract with Trigion to purchase and install a column mounted camera opposite the gateway to Syon Park in the sum of £4,578 + VAT.

There was an informal show of hands which resulted in unanimous agreement to obtain the proposed new CCTV system with the addition of a camera at the Syon gate from Trigion”

The images of residents or their vehicles captured by these surveillance cameras are personal data.  Every arrival and departure to and from the estate by vehicle or foot is known to Trigion Security, the data processor, and consequently available to Brentford Dock Limited, the data controller.  This would have been made clear in Brentford Dock’s registration application to the Information Commissioner’s Office (“ICO”) under the Data Protection Act.  This contradicts the claim that very little residents’ data is held by Brentford Dock Limited.

ICO_Logo_Brentford-Dock-General-Data-Protection-RegulationAt the meeting the board was told that private areas of flats on Brentford Dock would be obscured with privacy masks. But the board do not appear to have been told that no privacy masks would obscure any of the neighbouring private property which includes residential houseboats on the Grand Union canal, the Lock Keeper’s house, and the MSO Marine boatyard.  These private areas have been seen by a resident who has been shown live images from the cameras.

In October 2014 the poles for these cameras were erected. This was done without planning permission. When this was brought to the attention of Hounslow Planning Department, Brentford Dock Limited was obliged to submit a planning application (No. 01383/2/P2)* six months after the poles had been erected.

Some residents had already raised objections with Brentford Dock Limited to these cameras on poles, some within a few meters of their windows, to no avail. At least one objection to the planning application was made but Hounslow Planning granted planning permission retrospectively.

It would be interesting to know how it is possible that Veronica Wray, Brentford Dock chair /Mike Edwards, Brentford Dock deputy chair; Adam Goldwater/Carol Cherriman/John Antrobus, Michael Richards & Co could spend this amount of money on such structures and not have given any thought about planning permission!  Maybe this was done to circumvent any residents’ objections.

In any case was this money well spent? A College of Policing summary (http://library.college.police.uk/docs/what-works/What-works-briefing-effects-of-CCTV-2013.pdf) found that on some public housing estates CCTV could result in a small reduction in crime on others crime increased or the effect was unclear. In any case they had no effect on levels of violent crime.

A letter was written to Veronica Wray, Brentford Dock Ltd, Adam Goldwater, Michael Richards & Co, and Philip Lockwood-Taylor of Trigion Security, in addition to the distress caused, it raised the issue of the cameras vulnerability to hacking. This had been highlighted in the press at the time of the residents’ concerns. The Daily Mirror (https://www.mirror.co.uk/news/technology-science/technology/hacked-footage-baby-monitors-webcams-4659182) and The Guardian (https://www.theguardian.com/technology/2014/nov/20/webcam-russians) published relevant articles on 20th November 2014.

The cameras on Brentford Dock include Redvision X series with Hikvision firmware. The multiple vulnerabilities of Hikvision cameras became publicly known in 2013 when a cyber security company SECUREAUTH issued a warning (https://www.secureauth.com/labs/advisories/hikvision-ip-cameras-multiple-vulnerabilities).  The CVE Details website (https://www.cvedetails.com/vulnerability-list/vendor_id-13150/Hikvision.html) records this and eight other vulnerabilities that have subsequently come to light in 2014, 2017 and 2018.

In May 2017 The US Department of Homeland Security issued a warning that Hikvision cameras are vulnerable to unauthorised access (https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01).  Following this US President Trump signed a law banning their use for US government and US government-funded contracts (https://ipvm.com/reports/ban-law).

This youtube clip (https://m.youtube.com/watch?v=bhY71LHRPK4#) shows how Hikvision cameras can be accessed without knowledge of the password. Presumably Redvision cameras with Hikvision firmware are just as vulnerable.

This map (https://ipvm.com/reports/hik-hack-map) shows a sample of thousands of Hikvision cameras that are vulnerable or have been hacked, demonstrating that unauthorised access is not just a theoretical possibility.

Some Hikvision cameras have a ‘phone home feature’ (https://ipvm.com/reports/hikvision-home).  Home is China where the cameras are manufactured. What exactly is being ‘phoned home’ is anybody’s guess. The website explains that this feature ‘could be used to setup a reverse shell or quasi-VPN [Virtual Private Network], letting outsiders tunnel in to the network’ i.e. the Brentford Dock surveillance cameras that are watching residents.

Are the board members who approved these cameras with ‘an informal show of hands’ aware of these vulnerabilities?

During this series of events the data controller, Brentford Dock Limited, again breached the Data Protection Act by producing/allowing an unlawfully late Subject Access Request (“SAR”) as deliberated by the Information Commissioner’s Office.  Brentford Dock Ltd and their data handlers Michael Richards and Company regularly breach the Data Protection Act.

Can residents be confident that personal data captured by the Brentford Dock Ltd CCTV cameras are relevant, secure and processed in a manner that complies with General Data Protection Regulation (GDPR)?  Can Brentford Dock and its managing agents Michael Richards & Co be trusted with Brentford Dock residents’ data?

Regards,

Concerned residents and shareholders

*Brentford Dock Planning Permission for CCTV Poles

Leave a comment