Professor decries Joburg’s private surveillance networks
A leading academic has criticised the massive rollout of private camera networks in the City of Johannesburg (COJ), saying there were no consultations and residents should have a say in what happens to their data.
SA has recently seen unprecedented high levels of surveillance, with many questions arising as to what happens to the data collected, and who is responsible for its collection, storage, analysis, protection and disposal.
The COJ alone is expected to have over 15 000 Vumacam cameras in the next 12 months, in addition to thousands more that are privately controlled.
The cameras watch every person and car that moves near them. If their algorithms pick up something strange, such as a licence plate known to be linked to crimes, the security companies that rent the data can react.
Vumacam’s system uses Hikvision’s IP cameras; each camera has a unique IP address that identifies it on the Internet and the surveillance services can be rented by residents’ associations for R730 a month per camera.
Professor Jane Duncan, an intellectual and activist at the Journalism Department at the University of Johannesburg, says ethical and legal standards are necessary and the Protection of Personal Information Act (POPIA) should apply to both cases.
“Aside from the legal issues, before embarking on privacy-invasive projects, the City of Johannesburg really should have developed a policy and consulted the public on it, so that residents could have an opportunity to shape what happens to their data,” she says.
“They [the COJ] should have also undertaken privacy impact assessments for each project and released them publicly, together with statements on how they planned to mitigate any risks. The Vumacam project, for instance, should have been preceded by such a process.”
Vumacam concedes the city should have provided some guidelines.
“We agree the COJ should have developed a CCTV surveillance policy, especially considering they and many other companies (including other private companies) have hundreds, if not thousands, of cameras up around Johannesburg,” Vumacam CEO Ricky Croock tells ITWeb.
“We have been engaging with the COJ since October 2017. We want and encourage a policy, and look forward to one being implemented as soon as possible. We identified a gap, and a need which was not being fulfilled, and similar to private security companies, we want to contribute to and be part of the solution for a safer society.
“Overall, we think we’re getting it right,” notes Croock.
“We are also a tech company. That means we are alert to the advantages and downsides of intelligent systems. We constantly assess and introduce measures to manage these. We believe we have a world-class product and have designed a world-class system – with bells and whistles and safeguards. Intelligent security is not just about safety – it is also a baseline for economic opportunity.
“We are committed to delivering with integrity – of the system and the people. And believe we do a good job at this. We believe in engagement and evolution as the landscape changes for a smarter city.”
Duncan, however, says: “A private mass surveillance network with inadequate public oversight or rule-making (which is what Vumacam is) is a recipe for disaster. Imagine what could happen if personal information about your daily movements in and out of your house got into the wrong hands.
“There is something fundamentally wrong-headed about allowing an initiative where such incredibly sensitive information – that rightfully should require a warrant to access – can be accessed purely for money, which makes this project a surveillance network for hire.”
She says many may argue that criminals aren’t going to wait around for such consultations.
“But, without a proper framework, such surveillance can give rise to unintended new threats and vulnerabilities for residents. Your movements can be tracked in public spaces for reasons other than crime.”
Setting the legal standard
In SA, the Regulation of Interception of Communications and Provision of Communications Related Information Act (2002) is the main communications surveillance law.
Its stated aim includes setting up a system for law enforcement to apply for judicial authorisation for the interception of communications.
The second relevant legislation is the Protection of Personal Information Act (POPIA), which was enacted to govern the collection and sharing of information in the digital age and is yet to come into force.
Croock says preceding the establishment of Vumacam, the company undertook to garner multiple legal opinions on the solution, and specifically its adherence to POPIA in advance of and in preparation for POPIA.
He explains: “We are acutely aware of the risk and implication any deviation in abiding to POPIA regulations would pose. Our clients enter into a contracted agreement with us to regulate the processing and acceptable use of the feed (to prevent, detect and prosecute offences). This contract includes a clause that stipulates they will be subject to periodic auditing by an independent third-party to ensure their continued adherence.
“Our clients are also considered ‘responsible parties’, according to POPIA, and hence have a legal obligation to abide by the POPIA regulations in their own regard. We have attempted to engage, and continue in these attempts, with the COJ.”
Duncan, however, holds a different view on this.
“Smart cities are controversial around the world for allowing people’s personal data to be exploited by public and private bodies. In response, people should be able to practise smart citizenship, where within reasonable limits they take control over the data the city generates and how it is used, including through open data approaches,” she explains.
“People must be in a position to give meaningful consent for the processing of their personal data, and they should not be forced into accepting the most privacy-insensitive alternatives. People should also have the right to opt-in or opt-out of data-insensitive initiatives.
“I can’t accept that you can’t have a reasonable expectation of privacy in public spaces, because devices to track our personal data, including our movements, are becoming increasingly smart, which means they have unprecedented abilities to profile our movements, interests, habits and relationships.”
The COJ and Information Regulator hadn’t responded to requests for comment by the time of publication.