Photo by teguhjatipras, CC0, via Wikimedia Commons
Hey there folks. For the next week or two, I'm going to be trying something different. Rather than sending out all the surveillance news once a week, I'm going to send out the best surveillance news once a day. I think this will deliver more utility to you, the reader, as well as be more conducive to my schedule. Let me know what you think by replying to this email in your inbox or leaving a comment. If you haven't subscribed yet, do it now so you can get the best surveillance news directly to your inbox each morning.
Here is today’s surveil-link, a piece of surveillance news I thought was pretty important. You can easily, and slightly more privately, navigate to the link typing in to “surveil.link/105” into your browser’s address bar.
Surveil-link #105: Is your hospital, employer, or even your favorite bar using facial recognition? A group of hackers found evidence they just might be.
Yesterday, Bloomberg reported on a group of hackers that breached a startup in San Mateo, California known as Verkada. Verkada makes security cameras and the hackers were able to obtain the highest privileges available on the cameras and watch Verkada's customers in real time. Videos seen by Bloomberg reporters include footage inside several hospitals, a Tesla partner facility in Shanghai, and "330 security cameras inside the Madison County Jail in Huntsville, Alabama."
What is particularly interesting about these cameras is that, at least two different models, offer a feature which Verkada markets as "People Analytics." Verkada claims that the feature allows users to "filter based on many different attributes, including gender traits, clothing color, and even a person’s face." Recently, Verkada touted this feature as a possibility to return to work safely after the pandemic claiming the cameras could help "identify foot traffic data to build startegic cleaning schedules," send "proactive text alerts that notify administrators of crowds," implement "customer door schedules that limit permission to meeting rooms," enable "quick, effective contact tracing with video analytics," and "visualize motion across floor plans and see real-time activity."
Bloomberg was able to see proof of these features in the images provided by the hackers saying, "that the cameras inside the jail, some of which are hidden inside vents, thermostats and defibrillators, track inmates and correctional staff using the facial-recognition technology." This story perfectly illustrates how such invasive and biased technology is becoming more easily obtainable. Not to mention, how the global pandemic is quickly driving the normalization of it.
According to Motherboard, who obtained the customer list from the hackers after the Bloomberg story was published, Verkada cameras are in use at over 24,000 customer sites:
"The staggering list includes K-12 schools, seemingly private residences marked as 'condos,' shopping malls, credit unions, multiple universities across America and Canada, pharmaceutical companies, marketing agencies, pubs and bars, breweries, a Salvation Army center, churches, the Professional Golfers Association, museums, a newspaper's office, airports, and more."
One such school, Bloomberg reports, is Sandy Hook Elementary in Connecticut, which suffered a horrific mass shooting in 2012.
Verkada's customer list, feature set, and lack of security show how quickly surveillance technology is growing and how far behind the regulations of which are lagging behind, an issue highlighted by the Economist just yesterday. The fight against facial recognition specifically is largely happening on a local basis with over a dozen cities having implemented bans of the technology, most recently and as reported in surveil-link #31, Minneapolis, Minnesota. Vermont is the only state to have implemented a state-wide ban on the technology's use specifically by law enforcement. Activists and law makers pushing for these bans often cite the racial biases found in the algorithms.
Of all the bans thus far, only that of Portland, Oregon prohibits the use of the tech by private organizations in public places, like some of Verkada's customers have done. The rest simply ban its use by law enforcement or other government agencies. Last June, members of the U.S. Senate and the House of Representatives introduced the Facial Recognition and Biometric Technology Moratorium Act of 2020 which would place a temporary ban on the technology by U.S. federal agencies.
Beyond the regulation of facial recognition by public and private entities alike, the Verkada breach also calls into question whether or not companies actively developing and selling the technology should comply with certain security standards. The hackers told Bloomberg, "they found a user name and password for an administrator account publicly exposed on the internet," a mistake that may have been subject to a fine under other regulation standards such as HIPAA or the EU's General Data Protection Regulation. If not the credential leak, then surely the exposure of customer data it lead to.