Poor governance has left five Victorian councils with no way to tell whether footage from their nearly 1200 surveillance cameras has been accessed and by whom, according to a damning state auditor-general’s report into CCTV policies.

The report also identified deficient maintenance practices that have left camera systems years out of date.

Tabled this month, the Victorian Auditor-General’s Office (VAGO) enquiry – entitled Security and Privacy of Surveillance Technologies in Public Places – reviewed policies for management of public-safety cameras and corporate CCTV cameras across the City of Melbourne, Whitehorse City Council, Hume City Council, East Gippsland Shire Council, and Horsham Rural City Council.

Together, the five councils have 193 public-safety CCTV cameras – which are typically installed in high-crime and high-traffic areas such as malls and laneways – and 998 corporate CCTV cameras, which are installed in public facilities such as libraries, swimming pools, tourist attractions, child-care centres, and visitor centres.

Public-safety CCTV cameras are generally connected to monitoring hardware installed in local police stations, where police use them but council staff aren’t able to.

Corporately-managed cameras are managed entirely by councils – and the VAGO review found that despite some efforts to formalise policy around the use of private data, most councils were still well behind the Information Privacy Principles (IPPs) mandated in the state’s Privacy and Data Protection Act (PDPA) 2014.

Poor security

Councils have generally established procedures governing police access and public requests for recorded footage, which are generally handled under general freedom-of-information processes.

However, outside access to the systems was poorly policed and the reviewed councils “could not demonstrate that they are consistently meeting their commitments to the community to ensure the protection of private information collected through CCTV systems,” the report found.

The fact that the councils advised they had never found an incident of “inappropriate use” of surveillance systems was no guarantee that such incidents had not occurred, VAGO noted, “given the weaknesses that we identified in security and access controls”.

None of the examined councils, for example, enforced strong passwords even though such policies were part of the council’s corporate policies.

All were using shared or generic logins for the CCTV systems, which meant that there was no way to trace inappropriate usage of the system to a specific employee.

None had data backup policies covering either their corporate or public-safety CCTV systems, which typically contain up to 31 days’ live footage; an equipment failure “may result in a reputational risk for the councils”, the VAGO report noted.

Lack of auditing capabilities also meant that councils were failing to conduct periodic targeted reviews of user access – which would be critical to identifying unusual activity.

All five councils were also found to have fallen dramatically behind in patching their CCTV systems, with East Gippsland Shire Council running the same versions of its software and camera firmware since 2013 and other councils nearly as outdated.

“The failure to upgrade this software increases the risk that any known security vulnerabilities in this software may expose the system to unauthorised access.”

Surveillance state

With growing numbers of cameras installed – and new options such as drones and body-worn cameras becoming more popular – the findings raise concerns in the context of a growing climate of cyber crime.

Insecure cameras have been targeted in incidents such as the 2016 Mirai malware attack, which identified and took over hundreds of thousands of connected cameras that were repurposed to launch crippling distributed denial of service (DDoS) attacks.

Mirai has spawned a new generation of malware that scans networks and takes over poorly secured cameras, routers, and other devices.

These risks have been compounded by concerns about the growing use of face recognition – which some see as a step towards a Chinese-style surveillance state – and the Australian government’s push towards greater surveillance powers even as it purportedly risks security by using potentially insecure overseas cameras.

Unauthorised access to council surveillance cameras could easily allow malicious actors to identify and track persons of interest, for example, or to monitor regular activity patterns that could help plan other crimes.

Insecure cameras have regularly been targeted for unauthorised use, including a high-profile 2013 case that saw the US Federal Trade Commission crack down on camera maker Trendnet after vulnerabilities in its software allowed cameras to be freely viewed online.