Letter to 10 webcam manufacturers in Canada and the United States

The Office of the Privacy Commissioner of Canada (OPC) has sent a letter to 10 webcam manufacturers to highlight concerns related to Internet-connected cameras and urge them to ensure that appropriate security measures are in place to protect their customers’ privacy. Concerns about the use of Internet-connected cameras came to light when a website began livestreaming footage from unsecured cameras around the world. The letter to webcam manufacturers was sent in concert with the U.K. Commissioner’s Office, which has also written to webcam makers to highlight similar concerns. The OPC and several other data protection offices had previously written to the website operator to ask that the site be taken down. At this time, the site is inaccessible.

February 12, 2015

Dear Sir or Madam,

We are writing to you to highlight our concerns regarding the insecurity of devices accessible over the Internet such as IP Cameras, and to ask for your assistance in helping us to reduce risks to individuals.

The mandate of the Office of the Privacy Commissioner of Canada includes overseeing compliance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in addition to promoting public awareness of privacy rights generally. We are committed to improving public and industry awareness in relation to privacy concerns, particularly those associated with a high risk to individuals. One of our strategies in administering Canada’s privacy legislation is to promote compliance through prevention and education.

In recent months there has been widespread international media coverage of a website using the name “Insecam”. Until recently, this website was streaming live video footage from Internet connected cameras (IP cameras) in residential and commercial premises around the world, providing access to the private lives of numerous individuals. The cameras featured on this website were unsecure because owners had failed to change the manufacturer’s default password settings. These default settings are often freely available online, exposing unsecured cameras to online viewing without the owner’s knowledge.

At one point, Insecam was streaming over 73,000 camera feeds from numerous countries. Alongside the live video footage, the website included each camera’s manufacturer, model, and approximate geographical location. As you can appreciate, this represented a major risk to privacy and data protection rights and was extremely concerning for Privacy Enforcement Authorities around the world.

We worked closely with other Privacy Enforcement Authorities to prepare a joint letter (https://ico.org.uk/media/about-the-ico/documents/1042566/letter-to-the-operators-of-insecam.pdf) calling on Insecam to take immediate action to take down the website. At this time the website appears to be inactive; however, as long as cameras remain configured in this way, the privacy risk remains.

Camera users are often not aware of the risk associated with not changing the default settings of their devices. As a manufacturer of IP cameras, we are calling on you to take steps to ensure that your cameras can no longer be subject to unauthorized access in this way. This could include implementing a solution whereby your customers must secure access to the camera before it can be operated, for example: requiring customers to change passwords before using the camera for the first time, or using individual default passwords, if this is not already the case.

We would also encourage you to provide further guidance to customers about ensuring the security of their IP cameras. We hope that you will share our concerns and put such measures into place to protect the privacy and security of your customers.

Yours sincerely,

Original signed by

Brent Homan
Director General, PIPEDA Investigations
Office of the Privacy Commissioner of Canada

c.c: Stephen Eckersley
Head of Enforcement
Information Commissioner’s Office, United Kingdom
