Vumacam has hit back at claims made by US lawmakers in a resolution proposed by certain members of the country’s House of Representatives concerning its use of Hikvision cameras.
The resolution calls for President Joe Biden to thoroughly review the relationship between the United States and South Africa based on our close ties with the Chinese government.
The resolution calls for the president to oppose South Africa’s hosting of military exercises with China and Russia, but also makes wide-ranging assertions about South African entities working closely with the Chinese government and businesses.
Among these many claims, the lawmakers said that Vumacam was building a nationwide CCTV network in South Africa and had partnered with Hikvision for its camera hardware.
Hikvision is one of several Chinese tech firms being scrutinised by the US and other Western nations because its cameras are reportedly being used for widespread government surveillance and foreign information gathering.
In November 2022, the US Federal Communications Commission banned Hikvision, Huawei, and ZTE from selling new electronics in the country, claiming they posed a security risk.
“These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications,” it said.
Vumacam operates a network of nearly 2,000 cameras in the Johannesburg metropolitan area, supported by a vast fibre network.
As part of the SafeCity initiative, private security companies like Fidelity ADT use its technology to crack down on various crimes, including hijackings, burglaries, and infrastructure theft.
But Vumacam CEO Ricky Croock told MyBroadband the company could “emphatically ensure” its cameras could not be used for unlawful surveillance by any government.
“Not only would this go against our principles as an organisation, but our system is not designed for this purpose, nor is it capable of ongoing surveillance of individuals,” Croock said.
“Vumacam is a private entity, and our cameras and operations are used solely to prevent, investigate, and monitor criminal activity and malicious damage to infrastructure.”
The CEO explained that all data in Vumacam’s system was anonymised and no personal data was linked, ensuring no personal data was available to compromise privacy.
“Our cameras do not support facial recognition software, do not link to any personal data, and cannot be used to track and trace individuals,” Croock stated.
Croock also denied there was or ever had been any partnership between Vumacam and Hikvision.
“Vumacam uses hardware from multiple vendors. Hikvision is one provider of camera hardware that is used as a source of video data used by our clients,” Croock said.
MyBroadband wanted to learn more about the level of access that law enforcement in South Africa had to Vumacam’s network.
Croock said they did not have direct access to its feeds, but could make use of footage related to crimes, provided it was for preventing, investigating or prosecuting criminal activity.
He said these requests were conducted through an “extremely controlled, monitored, and audited” process.
“This would be carefully managed in line with our established processes and follow our rigorous controls as well as those required by law to ensure the right to privacy is balanced with the right to safety,” said Croock.
One example where the authorities might be granted access to view footage would be for investigating and preventing rampant damage to public infrastructure, Croock said.
“While the police or security companies may use anonymised data alongside other investigative strategies or techniques, this is in line with any investigative activities that bring criminals to book,” he stated.
“Our cameras are effectively reliable witnesses and can only record events as much as an individual might write it down or take a picture of it with a cell phone camera.”
On a technical level, Vumacams were wide-angled, deployed in specific locations and oriented in a particular direction, which limited what data they could capture.
One of the primary design functions of Vumacams is licence plate recognition (LPR), which enables them to read number plates and query the data against the national Vehicle of Interest (VOI) database.
However, only once a vehicle has been linked to a previous crime does Vumcam’s system generate alerts in security control rooms.
Croock explained that the security companies using Vumacam’s services must also be registered with the Private Security Industry Regulatory Authority and sign strict protocols and agreements regarding conditions of use.
In addition, Vumacam implements the following measures to prevent abuse and protect privacy:
- All Vumacam users undergo training on privacy restrictions and responsible use of the system.
- Each user is authenticated via multi-factor authentication protocols, and all activity on the platform is logged and audited.
- Users undergo a full vetting process, require certification on systems, and receive extensive training.
- Clients cannot download content themselves. Only Vumacam can do so once all prerequisites have been met.
- A Saps case number is required before any footage is provided as evidence.
MyBroadband also wanted to learn how Vumacam protected its feeds and data from malicious attacks.
In August 2022, security researchers at CYFIRMA identified a critical command injection flaw that had affected hundreds of thousands of Hikvision cameras.
While the company rolled out a patch for the vulnerability in 2021, an analysis found that tens of thousands of units had not been updated almost a year later, including at least 2,465 used in South Africa.
The team found Hikvision login credentials on Russian forums, which could allow hackers to remotely access Hikvision accounts and camera feeds.
Croock said that Vumacam used its own proprietary platform, which underwent rigorous and regular testing for protection against cyberattacks.
“Any hardware is susceptible to penetration risk if not properly managed, regardless of its brand or country of origin,” said Croock.
Crook said Vumacams were regularly patched against vulnerabilities and that the company reconfigured its cameras upon installation to meet high-security standards.
“Vumacam’s entire platform is designed with advanced security features, including encryption and multi-factor password protection, to ensure that the captured data is secure and protected against unauthorised access,” said Croock.
“The cameras are deployed on a private network that is not connected to the Internet, preventing external threats from accessing them and preventing data from the cameras being sent to external parties, authorised or otherwise.”
In addition, they boast firewall rules to prevent unauthorised access and malicious traffic from being sent to the cameras.
Vumacam also has policies and procedures in place to ensure the physical security of its cameras, which includes limiting access to authorised personnel only and monitoring access logs to detect any unauthorised access attempts.
Lastly, staff and partners were continuously trained on best practices for maintaining network security.
Hikvision’s human rights problems
MyBroadband also asked Vumacam whether it believed it was ethical to use Hikvision technology, given that the company had been accused of enabling human rights abuses.
Hikvision has reportedly supplied the Chinese government with cameras that helped its police repress the minority population of Muslim Uyghurs in detention camps in the country’s north-western Xinjiang region.
Croock said that Vumacam was closely following information and outcomes regarding the situation in China.
“Vumacam strongly supports human rights — be that the right to freedom and security of the person in South Africa or the protection of human rights globally,” he stated.
“With a firm focus on ethical supplier management, we are reviewing these concerns in line with our operating principles.”
Croock added that where Vumacam believed it could source from an alternate vendor without impacting its operations and South Africans’ right to safety, it would do so.
