These private moments have all been visible to anyone on the internet through a website that’s live streaming thousands of unsecured cameras around the world in real time.
When an employee at a downtown Toronto coffee shop learned that he and other staff were being watched, he said he was surprised because his manager is typically thorough when it comes to security.
CBC News is withholding the employee’s full last name because he says he feels uneasy after his privacy was already breached. Andy C. said a woman called the Second Cup to alert them that the video from one of their cameras at the back of the store was visible on the website and described what they were doing in real time.
“As soon as she revealed she wasn’t in the area, I was like, ‘OK, how do you know all this stuff?’ She was able to identify key traits of people who were working; me and another person,” he said. “Definitely uncomfortable.”
Andy said he disconnected the security camera immediately.
‘Privacy is all about control’
Websites that stream unsecured cameras aren’t illegal, but the Office of the Privacy Commissioner of Canada has been tracking the particular website for years. It says while the website stopped broadcasting for a time, it ramped back up, and a few weeks ago it started once again streaming private settings.
Cybersecurity experts say with home security cameras becoming more popular and people working from home during the pandemic, it’s vital the public is educated about how to keep their cameras secure.
CBC News is not naming the website to avoid contributing to the invasion of people’s privacy. The site is reported to be based in Russia and bills itself as the world’s biggest directory of online surveillance security cameras. On any given day, there are tens of thousands of cameras available to watch around the world, including more than 250 in Canada.
Most of them show outdoor spaces, where the expectation of privacy is low, but some clearly show inside homes and businesses without permission.
CBC News attempted to contact the owners of several cameras and was able to get in touch with a handful of businesses (the website lists the cameras’ general location, but some were inaccurate). Aside from the one coffee shop employee, business owners and staff didn’t want to be interviewed after being told video from their cameras was visible, but several feeds were taken down.
Ontario’s former privacy commissioner said it’s appalling that the site is broadcasting people’s personal moments and interactions without their knowledge or consent.
“You can imagine how much sensitive information could potentially be captured on a camera,” Ann Cavoukian said. “It’s nobody’s business. Privacy is all about control. It’s about personal control over the use and disclosure of your personal information. This throws it out the door.”
Cavoukian, who is now executive director of the Global Privacy and Security by Design Centre in Toronto, said without control over the images being broadcast online, one “can’t imagine what unethical uses could arise.”
“We have to find ways to stop this,” she said.
Site targets cameras without passwords
Cybersecurity experts say the main ways a website can access a security camera is if it’s not assigned a password, the factory password isn’t changed or a camera is misconfigured during setup.
“If you’re not changing [passwords] or you’re not using complex passwords, then you leave yourself vulnerable,” said Sumit Bhatia, director of innovation and policy at the Rogers Cybersecure Catalyst at Ryerson University.
The main page of the website that CBC is focusing on includes a statement that it only broadcasts cameras without passwords and that the cameras are not hacked, but Bhatia said cameras left vulnerable can lead to hackers breaking in.
It’s possible hackers can gain access to other devices on the same network, he said, such as computers, phones and tablets, which is even more of a concern during the pandemic.
“Everybody is working from home, and a lot of people haven’t necessarily placed new measures or implemented new ways to protect their home systems,” Bhatia said. “And that’s just a function of their own limited knowledge or resources, which means that work laptops and computers are now also accessible by hackers who have hacked into security cams.”
Bhatia said there are several sites that stream cameras without people’s knowledge, and he believes some work in tandem. While some of them may claim they are exposing vulnerabilities that exist in security camera systems, he said, outside hackers can take advantage of the compromised cameras.
“There’s clearly some concerns around there that we have to address as a community and as an industry, but I believe that their motives are not necessarily one for social good.”
Federal privacy commissioner sent letter to site in 2014
A spokesperson for Canada’s privacy commissioner says seven years ago, the office — along with the heads of other provincial and international data protection authorities — sent a letter to the website’s operator requesting the site be taken down.
Vito Pilieci said that shortly after, the site stopped streaming for a time, but it resumed by posting a smaller number of outdoor feeds. Then, a few weeks ago, he said, the site once again started streaming “some egregious cases” of private settings.
“This is clearly an extremely concerning privacy issue,” Pilieci said in an email. “We are currently considering options about how to best address the matter.”
He said that potentially includes discussions with international counterparts because the site isn’t based in Canada.
“We would urge anyone with a webcam in their home or business to ensure that they take steps to secure the camera. In particular, they should make sure they are not using the factory default password,” Pilieci said.
CBC News contacted the website’s administrator but didn’t get a response. The site claims it works to protect people’s privacy by only showing filtered cameras and says anything unethical will be removed upon an emailed complaint.
“If you do not want to contact us by email, you can still remove your camera from [the site]. The only thing you need to do is to set the password of your camera,” the website reads.
Not illegal to stream compromised cameras, lawyer says
Despite their intrusive nature, running websites that stream unsecured cameras isn’t illegal in Canada, said Elliott Goldstein, a lawyer in Newmarket, Ont., who consults the alarm and security industries on the use of surveillance cameras in homes and businesses.
“The problem is most of these websites are out of the country. There’s no law that really governs these types of websites,” he said, adding the onus is on the person who owns the camera to ensure it’s secure with a password.
“It’s like leaving your windows open and people looking in. If you want privacy, shut your drapes.”
Goldstein said compromised footage could be used in nefarious ways — from blackmail and harassment to the compromised feed being sold to other viewers for a profit.
Businesses with unsecured cameras could be held responsible for compromising the personal information of their customers, Goldstein said. That can be a particular issue in settings where sensitive personal information is collected, such as a doctor’s office, he added.
“It’s the responsibility of the organization that controls the information-gathering device to make sure it does it properly.”
There hasn’t been a significant push by provincial or federal governments to pass legislation addressing the specific issue, Goldstein said.
“Right now they have an awful lot of other problems to deal with. Compromised cameras are not really that high on the list of priorities.”
Tips to keep your camera secure
Ryerson University’s Bhatia said cybersecurity is a growing concern, and there’s a lack of education and awareness programs to help people protect themselves and their information.
Here are his main tips when it comes to protecting home or business cameras:
- Change your camera’s default password and assign it a new one.
- Avoid simple and short passwords.
- If you can’t remember complex passwords, get a password manager to help.
- Avoid connecting devices to the same network.
- Regularly update the camera’s firmware.
If your camera has been compromised:
- Immediately disconnect it from your network.
- Disconnect your router, reconfigure your network and change all of your passwords.
- If your camera is linked to a monitoring service, notify the service.
- Check your other home devices for anomalies, reconfigure them and change passwords.
- If you have serious concerns, notify police.