Privacy Commissioner issues statement about webcam and viewing

November 13, 2014 |

The Age in Fly on the wall: Security footage from Australia shows inside lounge rooms, bedrooms and shops  highlights and the Canberra Times in Canberrans’ privacy compromised in security camera hack both report on on line footage from security cameras being streamed on line for anyone to see.

This seems to have prompted the Privacy Commissioner to issue a statement Don’t leave your webcam open to view which provides:

If you have an internet connected webcam installed in your organisation or home, you should ensure that you have changed the manufacturer’s default username and password. Instructions on how to do this should be available in the user manual for your device model or online.

A website called Insecam is claiming to aggregate live footage from internet connected cameras that use default manufacturer usernames and passwords. The website features thousands of links to live video streams from around the world, including houses, businesses and other locations in Australia. Internet connected cameras are also commonly used as security cameras and baby monitors.

Default usernames and passwords for webcams made by most manufacturers are readily obtained online. Like any internet connected device, you should change its default username and password when you set it up. If you do not,  your device may be accessible to the general public.

Organisations with obligations under the Privacy Act 1988 should be aware of the requirements of APP 11 — Security of personal information. Organisations using internet connected cameras may be collecting personal information. The Privacy Act requires that reasonable steps be taken to protect personal information held from misuse, interference and loss, as well as unauthorised access, modification or disclosure….

The Age article provides:

Online footage of 1000 Australian sites streaming without their owners’ consent or knowledge puts insecurity into security devices.

I’ve never met Paul Petrovski or been to his dental clinic in Penrith, but when I call him I can say the painting on his wall has a black frame and the front desk is tidy.

Mr Petrovski’s security camera feed is one of nearly 1000 in Australia that are being streamed live on a website without the owner’s knowledge.

He’s a bit lost for words when he receives my call. “Yes that’s it,” he repeats as I outline what his clinic looks like. “Yes it does surprise me.”

The camera was installed about six years ago, he says, and it’s alarming that anybody who wants to can have a peek at what his receptionist is doing.

In another stream from Sydney, you can peer inside a lounge room. It’s clear the owners have a passion for purple, with seats, rugs and cushions all coloured in different shades.

In a different living room, there’s an extremely elaborate child’s playpen set-up, complete with plastic slide.

As I munch on a banana and switch to another stream, I watch two men as they make their selections at a sandwich store. As the page refreshes, I see them move along the line, deep in conversation.

The website Insecam claims to have collected the feeds of more than 73,000 internet protocol cameras from around the world  (you can watch some sort of scale in Iraq, and in Uzbekistan there’s an empty, tree-lined road for viewing), including 924 from Australia. Footage from IP cameras, like CCTV ones, are streamed online for owners to view.

Insecam claims that that they’ve been able to access the feeds because owners haven’t changed their passwords from the generic ones that come with the devices – like 1234, or admin.

“This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private, the only thing you need to do is to change your camera password,” Insecam says.

Of course, if you want to be a peeping tom, there are other ways to access this kind of thing online. There’s the shadowy search engine Shodan and Google Dorking (where you use special search syntax to find information) and other surveillance camera search software.

Professor James Der Derian, the Director of the Centre for International Security Studies at the University of Sydney, said the feeds were an invasion of privacy, but people should learn from it. He said this particular case was unique because of its scale. 

“The fact is right now we are the most transparent society that has ever existed, and people would still like to believe that they are exercising privacy with bad passwords or not having passwords at all,” Professor Der Derian said.

“Everybody should treat anything thats being taken  –  a picture, an image, a video – in the default that this is public access, not private access.”

The IP address of Insecam is from Moscow.

UNSW’s Cyberspace Law and Policy Centre at the University of New South Wales co-convenor David Vaile said the safest option was to think twice before using internet-enabled surveillance tools.

“This is a great illustration of the illusion of security coming from surveillance and, in fact, you’re getting the opposite, you’re getting increased risk of unwanted and possibly quite hostile misuse of your information,” Mr Vaile said.

 The Canberra Times has run a parrallel piece


Leave a Reply