By: Marie Innarelli
As a society we have collectively accepted being constantly surveilled. From street cameras, security cameras outside businesses, and surveillance cameras within almost any building you enter we have grown to find comfort in the presence of cameras everywhere we go. Even on social media, people have become increasingly comfortable revealing personal details of their life, where they live, where they work, and personal contact info with strangers on the internet. What we have forgotten, though, is that if this information that we’ve become so comfortable sharing were to fall into the wrong hands, our privacy could easily be violated. The breach of Verkada surveillance footage pops the bubble of the false sense of security we have established surrounding the protection that video security equipment provides. Some are claiming that this breach is a result of poor security standards, which could leave Verkada legally liable to those affected by the breach.
On Monday, March 8th, a group of digital hackers broke into the Verkada, Inc. data system, gaining access to 150,000 streams of live feed surveillance into private companies that use the cameras for safety purposes. Some of the affected organizations include hospitals, jails, and schools in addition to major tech companies like Tesla and Cloudflare. One video captured was from a Florida hospital showing violent behavior between hospital staffers and a patient, another was the inside of a women’s clinic, and another was from Sandy Hook Elementary School. Several cameras the hackers gained access to used facial recognition technology to identify the people in the footage. Tillie Kottmann, one of the hackers involved, claimed that the goal of the breach was to bring attention to how widely used surveillance cameras are and how easily they can be hijacked. He describes their motives as, “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
Verkada advertises their facial recognition capabilities on their website. It is this feature, unfortunately, that may be to blame for any liability they could face as a result of the breach. If your identity and private activities are exposed due to the features of specific equipment, it will likely be the maker of the equipment that is to blame for the invasion of your privacy. It would create a stronger argument for the individuals in the footage if they were in stereotypically private settings which is the case for those captured in jails and hospitals. Reena Bajowala, a partner at a firm focusing on data security and technology matters, stated that it is more likely that the companies who purchased the cameras and services from Verkada will be held liable to the individuals who had their privacy invaded by the hacked footage.
The biggest shock in the breach is the ease with which the hackers accomplished it. The group of hackers gained ‘Super-Admin’ status to Verkada’s system by using the login information they found publicly on the internet. The username and password protection were the only safeguard between the footage and potential hackers. Brad Ree, chief technology officer for the ioXT Alliance stated, “What has me concerned here for sure is this really doesn’t feel like a reasonable level of security for the risk.” In other words, it is likely that Verkada did not update their security standards in proportion to their growth as a company by neglecting to implement protections beyond a simple username and password.
Looking forward, a hack of such large scale will likely prompt conversations and, more importantly, legislation surrounding privacy and security standards relating to surveillance footage. Melissa Krasnow, a partner at VLP Law Group LLP, stated, “a high-profile breach like this could galvanize lawmakers to pass laws at the state and federal level.”
Verkada’s greatest business assets are the unique features it offers for surveillance. For instance, their cloud service allows customers to watch the surveillance from their phone. Additionally, their ‘People Analytics’ enables customers to search the footage for specific features, clothing, gender, and more. But, Tillie Kottman stated that it was these advanced services that made the system vulnerable. This begs the question: are these advanced surveillance technologies really in the best interest of our safety?
Student Bio: Marie Innarelli is a second-year law student at Suffolk University Law School and serves as a staff member on the Journal of High Technology Law. Marie holds a Bachelor of Arts in History from Hobart & William Smith Colleges.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.