ABSTRACT
In the global interconnected economy, China-made information-collecting technologies such as closed-circuit television (CCTV) surveillance cameras have become popular products for routine video-based surveillance. Hikvision and Dahua are the two largest global suppliers of CCTV cameras, with both companies supplying their products to over 200 countries. Despite their popularity, national security concerns are commonly cited when adopting these cameras, citing manufacturer links with the Communist Party of China (CPC), cybersecurity vulnerabilities, and sales recorded in the Xinjiang region, that has records of human rights violations. This paper is structured in three parts: first, we explore the predominance of China-made information-gathering technologies in Australia; second, we summarise common national security concerns usually associated with China-based technology manufacturers; and third, we propose regulatory measures to regulating China-made CCTV cameras in Australia. The paper suggests that while state and Federal decision-makers are free to remove Chinese CCTV surveillance cameras, they should avoid overt politisation. Overall, a stronger focus should be placed on evaluating cybersecurity risks of Internet of Things (IoT) information-collecting technologies and considering their timely and effective regulation from the perspective of individual and national interests.
Introduction
In February 2023, Australia entered a public debate on whether Federal Government agencies should be using China-made CCTV surveillance cameras from Dahua and Hikvision. Such concerns mirrored debates in the United States (US), the United Kingdom (UK), and the European Union. The debate began when a media release by Australia’s Shadow Cybersecurity Minister’s audit concluded that over 900 Chinese-made surveillance cameras from Dahua and Hikvision were being used in Federal agencies. The media release cited the UK Government Biometrics and Surveillance Camera Commissioner calling China-made cameras ‘digital asbestos,’ and pointed to removal actions taken by Australia’s strategic allies—the United States and the United Kingdom (Paterson Citation2023). Shortly after, several Australian government agencies, Federal and state, committed to removing the cameras from government buildings (Vinall Citation2023). Apart from their China-made origin and the companies’ prior sales record to Xinjiang, the North-Western region of China where the United Nations recently reported serious human rights violations, the audit did not comment on any technical details of the cameras, such as device models, internet connectivity, facial recognition capabilities, or prior cybersecurity vulnerability concerns. Such omissions miss an opportunity to raise broader regulatory concerns about information-collectingFootnote1 technologies, as we argue in the third section of this paper.
IoT devices connect to wireless internet networks and have data collection, storage, and transfer capabilities. The CCTV cameras that are widely marketed on the websites of both Hikvision and Dahua can potentially be linked to the internet. For example, one of Hikvision’s surveillance cameras offer ‘flashing lights and audible warning’ and a focus on human and vehicle targets ‘based on deep learning’ (Hikvision Citationn.d.). Similarly, Dahua devices offer real-time facial recognition and descriptive statistics of the faces captured, including ‘age and gender distribution’ (Dahua Citationn.d.). While such IoT cameras provide more functions, they also have increased cybersecurity risks, commonly through use of default login details, manufacturer vulnerabilities, and hacking (Gavrovska and Samčović Citation2020). Simon (Citation2017) outlines four main types of cyber-attacks commonly linked to IoTs, increasing in impact severity: ‘hacktivism,’ cybercrime, cyber-espionage, and cyberwar. Internet-connected infrastructure has thus given rise to ‘promise vs. peril’ debates in government and academia relating to the interdependence of critical infrastructure and IoT devices (Simon Citation2017).
CCTV cameras are now commonly produced as IoT devices: among other functions, IoT CCTV cameras often have automated alerts, can be set to record video streams, and can stream video online allowing their users to monitor real-time footage. IoT CCTV cameras contain more functions, such as remote surveillance, facial recognition, and even demographic statistics, but they also create more technical vulnerabilities. Due to a lack of ‘strategic trust’ between Australia and China (Hartcher Citation2021), concerns about the potential to engineer vulnerabilities into the hardware or software of IoT CCTV cameras have been raised at the levels of Federal and state governments. Australia’s narrative of ‘strategic trust’ (or lack thereof) in China links to geo-economics—‘an interplay of international economics, geopolitics, and strategy’ (Hussain Citation2021).
National security is central to the issues discussed in this article. We adopt the following definition:
[National security is the] measurable state of the capability of a nation to overcome the multi-dimensional threats to the apparent well-being of its people and its survival as a nation-state at any given time, by balancing all instruments of state policy through governance … and is extendable to global security by variables external to it. (Paleri Citation2008, 54)
The national economy is often linked to national security conceptions—a key theoretical concept that ties the empirical contributions of this article. As James G. Rickards (Citation2009) observed, national security can be ‘captive’ to economic security, inescapably tying the two together, even though economic security is not explicitly recognised as national security by the Federal government (Australian Government Citationn.d.). China is Australia’s largest trading partner and one that is likely to react coercively to any politicised trade restrictions (Ferguson and Lim Citation2021). Indeed, following Australia’s CCTV inquiries, the Chinese Foreign Ministry spokesperson Mao Ning called for fair market competition for Chinese companies by saying that ‘the Chinese government always encourages Chinese companies to engage in international investment and cooperation in accordance with market principles, international rules and local laws’; She also called for business neutrality by expressing strong opposition to Australia ‘over-stretching the concept of national security and abusing state power to discriminate against and suppress Chinese companies’ (Ministry of Foreign Affairs of the PRC Citation2023).
Globalisation, national security and economy are increasingly tied together. Dupont and Reckmeyer (Citation2012, 34) recommend that the Australian government should develop a comprehensive approach to evaluating security challenges, and not treat them ‘as independent, compartmentalised issues.’ This article uses the analytical study of China-made CCTV surveillance cameras manufactured by Dahua and Hikvision to illustrate how a more comprehensive approach by the Australian government is needed to evaluate imported technologies and their data privacy and security risks. A ‘whack-a-mole’ approach to China-made technologies, as Bennett Moses (Citation2023) argues, politicises government narratives and does not provide appropriate national security protections for Australians. For example, the Australian market is not only supplied by Dahua and Hikvision CCTV cameras, but also cameras from other Chinese manufacturers with lower market shares, such as Concord or Eufy. IoTs produced by other countries also carry data collection and espionage risks (Bernot Citation2022). Additionally, the economic element to politicised national security risks may hurt Australia’s economy more than it would China’s because—China diversifies its imports a trade security element that vulnerable Australian industries are currently encouraged to strengthen (Ferguson and Lim Citation2021).
By 2018, Australians were estimated to have purchased 16 million IoT devices (Australian Research Council Citation2020), and the total IoT market was evaluated as worth almost A$19 bn that year, a large portion of which are produced in China, with an estimated annual market growth of 14% (PwC Citation2018). Responding to the growing numbers of IoT devices in Australia, the Government has placed an increasing focus on governing their production and use. For example, in 2020, the Australian Government introduced a ‘Voluntary Code of Practice: Securing the Internet of Things for Consumers’ based on consultations with the Department of Home Affairs and the Australian Signals Directorate (Chalmers Citation2022). Before Australia builds native IoT manufacturing industries, diversifies its trade routes, and drafts clear regulation to govern IoT manufacturing and supply, security concerns related to IoTs will remain.
This paper addresses those concerns in terms of the Chinese surveillance cameras used by the Australian Government and proposes a way to mitigate national security risks. To that end, we aim to explain the key concerns of Australians’ CCTV data access from China and review the legal and regulatory measures required to preserve the privacy and security of Australians’ data potentially linked to CCTV cameras. This article is an interdisciplinary contribution that draws on Chinese security studies and Australian regulation scholarship to analyse a contemporary issue in Australian politics. We have integrated sources from Dahua, Hikvision, and policy makers, where available, and supplemented those sources with scholarly and grey literature to support our critical scholarly interrogation.
The first aim formulates the data access concerns and contextualises them in the political–legal context of China, including the ‘authoritarian capitalist dynamic’ (Huang and Tsai Citation2022, 2) to which China-based companies are bound. The second aim maps Australia’s current regulatory capability to respond to those concerns. The article progresses in three parts: first, we discuss the application of China-made information-collecting technologies in Australia. Next, the article explains the political and legal context of private technology manufacturers from China, including their national security obligations to the Party–state (Australian Research Council Citation2020). The third part of the article draws from the first two parts to suggest the actions that the Australian Government should consider in regulating information-collecting technologies manufactured in China.
The key argument analyses the balance of national security and economic interests between Australia-China and Australia’s increasing governance focus on data security, to argue that clearer Federal regulation is key to managing the use of China-made IoT devices in Australia. It is not sufficient to point to the national origin of information-collecting technologies. Rather, a more nuanced and clear regulatory position needs to be taken by Australian Government actors in articulating the actual and potential threats of such technologies. Additionally, the Australian government should consider the broader regulatory expectations for technology companies that would legally bind the companies to responsible data management practices.
Context of information-collecting Chinese technologies in Australia
Concerns regarding information-collecting technologies fully or partially manufactured in China are here to stay as Australia is reliant on China for the supply of these technologies. Due to the lack of information technology regulations, they are also likely to re-emerge every time a new technology application reaches the Australian market. This section highlights the debates about several of such technologies—IoT CCTV cameras, TikTok, iPhones, and 5G, the use of which the Australian Government contested in August 2018 (Hartcher Citation2021). The concerns of data misuse are likely to be similar, only appearing in the form of different emergent technologies.
China is Australia’s most important trading partner, accounting for 39% of all goods exported in 2019–2020 and 27% of all commodities purchased (Australian Bureau of Statistics Citation2020). In August 2022, following trade disputes with China (Miller Citation2022), Australia’s imports from China paradoxically hit a record high of A$10.6 billion—larger than the United States, the United Kingdom, and Japan combined in that month (Mizen Citation2022). The imports coming in from China are not only low-value labour-intensive goods: in 2019–2020 the third of all imported products were telecommunication and sound equipment, office and automated data processing machinery, electrical machinery and appliances (Australian Bureau of Statistics Citation2020). In 2015, the Xi Jinping administration proposed a 10-year plan ‘Made in China 2025’ that aims to move China’s manufacturing to 10 higher-value industries, including new information technologies, high-end machines and robots, aerospace equipment, and electrical equipment (The State Council of the PRC Citation2015). Since 2015, China’s government has heavily invested in these target areas, including support for Internet of Things (IoT), cloud computing, and artificial intelligence companies (Gao Citation2019).
The trade relations between Australia and China are closely intertwined. From CCTV cameras to 5G infrastructure and the collection of genetic data, the Australian Government authorities are bound to continue running into the repeated issues of Chinese companies’ potential for collecting or allowing access to Australians’ data in China. In 2021, independent researchers surveyed Shodan—a global search engine of internet-connected devices—and found that Australia houses over 60,000 Hikvision and Dahua surveillance camera networks—over 41,000 from Hikvision and 18,000 from Dahua (Migliano and Woodhams Citation2021). The number is small in comparison. The two companies have over 700,000 camera networks in the United States and over 800,000 in Vietnam. The 900 cameras on Federal buildings identified in Australia’s February audit constitute only a small portion of the total number of cameras installed in Australia. In encouraging the removal of Hikvision and Dahua cameras, three core concerns were raised by Australian government representatives: the companies’ links with the Chinese Party–state, their sales records in Xinjiang region, and concerns about potential data access from China (Paterson Citation2023).
Other information-collecting technologies have had similar concerns raised in Australia. Since 2020, Australian Government actors have also been looking at data transfer and access concerns around the use of the social media app TikTok, which reported 7 million users in Australia in September 2022 and revenue of A$71.8 million (US$50 million) in 2021 (Mason Citation2022). In June 2022, Buzzfeed published a report based on 80 leaked internal TikTok meetings (Baker-White Citation2022). The report confirmed that while data in the US is not actively transferred to China, it can be accessed in China via access permissions to cloud-based data servers. At the time of writing, the Australian Federal Government is undergoing a review of cybersecurity implications of all social media use in the public service and government departments. In April 2023, Australia’s Attorney-General issued a statement banning TikTok from Federal government devices (Bonyhady and Knott Citation2023), and the app has been banned on government work phones in the United Kingdom (Geiger and Kleinman Citation2023), United States (Shepardson Citation2023), and the European Union (Xu, Brennan, and Frater Citation2023).
Several other examples of China-made technologies mirror the theme of data concerns. BGI (Shenzhen Huada Gene Technology Co. Ltd; 深圳华大基因科技有限公司), a genomics company that had data security concerns raised about genomic data derived from prenatal testing kits, Non-Invasive Fetal TrisomY (NIFTY), that capture genomic data from the pregnant person tested and the foetus (Needham and Baldwin Citation2021). In addition, in August 2018 Australia became one of over twenty countries to ban Huawei’s 5G infrastructure from entering public tenders because the company was deemed likely to ‘be subject to extrajudicial directions from a foreign government’ (BBC News Citation2018).
The below section articulates key concerns related to Australia’s ‘China challenge discourse’ (Laurenceson Citation2018) and contextualises them in China’s political–legal background.
Concerns linked to China-based technology manufacturing
National security interests are increasingly shaping economic policies and decision-making (Golley et al. Citation2020). The debates about economic globalisation tie national economics and security together by emphasising great-power competition, strategic rivalry, security concerns, and ideological conflict as its central factors (Roberts and Lamp Citation2021). In considering Chinese-made technologies, Australia lacks ‘strategic trust’ towards China (Hartcher Citation2021). At the forefront of national debates about information-collecting technologies made by China-based manufacturers, three areas of concern are considered—Chinese technology company links with the Party–state, legal data transfer obligation under the Chinese law, should such transfer be requested, and technical vulnerabilities—accidental or by design. These two concerns undergird further considerations, such as national and cyber security risks (Hartcher Citation2021) and potential impacts on critical infrastructure vulnerabilities such as communications networks linked via space (Schaefer Citation2018) or submarine cables (McGeachy Citation2022). The next three sections expand on the source of concerns around public-private partnerships and data transfer obligations and contextualise them within China’s political developments.
Chinese technology company links with China’s Party–state
The Chinese government is a large buyer of emergent technologies such as Artificial Intelligence, biotechnology, and cybersecurity products. Huang and Tsai (Citation2022, 2) argue that autocratic countries are forced to rely on foreign suppliers or allow local private businesses to enter the vital industrial sector to establish a powerful surveillance state and call this an ‘authoritarian capitalist dynamic.’ It is this dynamic that helps China’s Party–state to merge the social control interests of the Party–state and profit-seeking interests of private enterprise. Additionally, the Party has control over the administration of the state, the two being inseparable in China. It is therefore reasonable to expect that most large private companies are affiliated with the Chinese Party–state to some extent. This section explains those intertwined interests between the CPC, the state, and private actors.
Since the late 1970s when China’s market opened up to capitalist trade within China and internationally, profit-seeking behaviours have motivated not only China-based start-ups but also international companies. Following international collaborations and the eventual growth of domestic technology providers (Bernot Citation2022), China’s market system eventually evolving into ‘party–state capitalism’—a political economy undergirded by the aims to maintain continued ownership of political power by the CPC (Pearson, Rithmire, and Tsai Citation2022).
Targeting the Party–state as a buyer not only has direct sales benefits. It is not surprising that Chinese technology companies are keen to align themselves with the strategic goals of the Chinese Party–state, considering that the Chinese market offers sustained financial benefits, domestic and international competitiveness-building advantages, and occasionally even promotes Chinese technologies via political alliances (Bernot Citation2022). In a recent publication Trevaskes and Bernot (Citation2023, 3) showcased promotional materials from Hikvision and three smaller surveillance technology companies and argued that ‘ideological concepts … undergird the links between the Party–state and surveillance company products and services.’ The article highlights how these four companies use government documents to align their business goals with the national political and ideological strategies of the Party–state. In one particularly striking example, the authors cite a Hikvision spokesperson promoting an integrated video surveillance and facial recognition product ‘Sharp Eyes’ by describing the technology as ‘an important means to maintain national security and social stability, prevent and combat violent and terrorist crimes,’ directly parroting official state narratives (5). Additionally, Huang and Tsai (Citation2022, 4) noted that smaller technology companies might compete with large established technology giants by offering more intrusive and powerful information-collecting products and services. For some of the largest companies in China, aligning company goals with those of the Party–state is a long-standing business strategy, a foundation for ensuring Party–state support, such as subsidies or strategic business development (Bernot Citation2022).
The Party–state also takes an active approach to establishing presence in private enterprises, consolidating the motivations for private and semi-private companies to be tied to the state. Pearson and colleagues (Citation2022) argue that China’s Party–state capitalism differs from state capitalism in two main ways: first, the Party–state actively extends its presence to private enterprise via practices of corporate governance and financial instruments and second, it requires political loyalty from firms and the persons who are tied to them.
Writing to the first point, the authors highlight that by 2018, 1.88 million non-state enterprises (73%) had created Party cells (Pearson, Rithmire, and Tsai Citation2022, 152). Although scholarly literature considers the nuance of political influence between the Party cells and companies, such as the firms actually transmitting influence on the Party cells (Hawes Citation2022), the pragmatic business interests of private companies strategically link them with contested decisions taken by the Chinese Party–state. In relation to the present object of study, the Australian Strategic Policy Institute identified that both Dahua and Hikvision have close ties with the Chinese government and the Party and have supplied the surveillance infrastructure in Xinjiang: Dahua maintains active Party committees and branches, has received direct financial support from the Chinese government from national projects, an extensively supplies Xinjiang-based projects in areas of public security and ‘counter-terrorism’—a political double-speak keyword for ethnic minority repression (Australian Strategic Policy Institute Citationn.d.a); Hikvision similarly maintains active Party affiliations: some of its subsidiary companies have joint public-private ownership, the company was visited by Xi Jinping in 2015, and has contributed to surveillance infrastructure in Xinjiang, most controversially by supplying facial recognition and surveillance systems for extra-legal internment camps of ethnic minorities (Australian Strategic Policy Institute Citationn.d.b).
The second aspect of China’s Party–state capitalism is that of financialisation—investment of state-controlled capital beyond state-owned firms. State-backed financialisation often happens via state-owned capital investment companies that ascertain investment directions. Unlike privately owned investment companies, government-backed financialisation organisations can locate funds in support of private and semi-private enterprise according to both financial and political goals. This difference proved significant during the 2015 stock market crisis when state-backed investments prioritised economic stability rather than capital gains (Pearson, Rithmire, and Tsai Citation2022, 153).
The Party–state is proactively seeking to gauge increased political loyalty and provide financial security to companies in return. Additionally, state buying constitutes a large portion of many companies’ domestic sales, helping China’s government to both develop a strong market and fulfil state interests. For instance, according to the available data from 2020, domestic Chinese companies supplied more than half of the total US$11.93 billion IaaS cloud infrastructure market in China (IDC Citation2021). Private companies are often financially motivated to maintain a close relationship with the Party–state, thus proactively adding to the muddling of private-state relationships.
Legal data transfer obligations to China’s national security actors
Private company connections do not necessarily imply that companies share their data with the Chinese Party–state by default. It is China’s legal and regulatory background that binds all companies to disclose data upon request. Specifically, following Xi Jinping’s ascent to political power in 2012, a suite of new laws and regulations, exemplified below, around private company data and its sharing with state actors strengthened those obligations. The ‘umbrella concerns’ that seep through these laws and regulations are those of foreign interference and increased Party–state control over information-collecting technologies. This section traces the regulatory developments of state data access centralisation in China from 2013, spotlighting the regulations that could hypothetically allow China’s government access to internationally collected data that is stored in and/or accessed from mainland China.
The political context of the last decade is important to understand the scope of current laws and regulations guiding information collection work. In particular, all of the key laws and regulations discussed were published by the administration of Xi Jinping, who became the leader of the Party–state in 2012. At the very beginning of his leadership term, it became clear that Xi was taking a different role of political leadership as compared to the previous China’s leader Hu Jintao. Under the newly minted ideological concept of ‘comprehensive national security’ (总体国家安全), he expanded the scope of international risks (including cybersecurity) and called for a stricter model of governance to respond to those risks (Drinhausen and Legarda Citation2022).
As part of Xi’s stricter strategy to both growing big data and internet industries as well as regulating them, the Xi Administration has introduced a suite of laws and regulations over the last decade (2013–2023). Namely, we address the 2014 Counterespionage Law of the PRC (中华人民共和国反间谍法) and 2017 National Intelligence Law (国家情报法) because these two Laws particularly feature in international debates on the privacy and data security risks of Chinese technologies. While outside of the scope of this paper to discuss in full, it is important to note that these laws link to a broader ecosystem of other laws, such as the 2015 National Security Law that outlined a new ‘Xi-ism’—the concept of holistic national security (总体国家安全) to which national security threats are now linked (Drinhausen and Legarda Citation2022). These laws oblige companies established in China to closely collaborate with the government if requested.
The Counterespionage Law was adopted in November 2014 during the Twelfth National People’s Congress in November. The law stresses ‘mass line,’ hinting at a whole-of-society approach to counter-espionage, ‘active defence,’ and tasks state security agencies with counter-espionage efforts. The Law largely imported its content from the previous National Security Law, but its later iterations greatly expanded the scope of the Law, specifically the 2017 Detailed Implementation Rules for the Counterespionage Law (further, Implementation Rules) and Provisions on Efforts on Counterespionage Security Precautions (further, Provisions).
Jeremy Daum (Citation2017) remarked that the 2017 Implementation Rules allow to investigate acts of subversion that are not espionage when they are determined to be endangering national security. The Implementation Rules also increase punishment limits from refusing to disclose evidence and single out foreign citizens living in China as a group requiring heightened surveillance, among other examples of scope creep. The Provisions to the law are further published in 2021 and call on ‘people’s groups, enterprises, public institutions, and other social organisations to implement responsibility for counter-espionage,’ adopting an all-of-society responsibility model. Overall, the Counterespionage Law now calls on individuals, groups, companies, and government organisations to proactively partake in counter-espionage and introduces penalties for refusing if engaged by authorities. This ‘all-of-society’ approach to intelligence collection was further consolidated in the 2017 National Intelligence Law.
National Intelligence Law is the first law that was drafted specifically for China’s national intelligence agencies. Article 7 of the Law is the most contested part of the legal text, because it stipulates that:
All organisations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of. The State protects individuals and organisations that support, assist, and cooperate with national intelligence efforts (The Standing Committee of the PRC Citation2017).
Article 7 not only places responsibility on all organisations and individuals within China to cooperate with intelligence gathering. The law promotes a carrots-and-sticks approach by outlining provisions for rewards and also including stipulations in case of non-compliance. Major contributions to national intelligence efforts by individuals and organisations can receive commendations and awards from the state, while obstruction of national intelligence work can result in warnings from state and public security organs, up to 15 days in detention and even criminal responsibility. In a media conversation with People’s Daily, the Information Office of the Ministry of State Security stressed that ‘national security is everyone’s responsibility, and everyone must fulfil their responsibilities’ (Fu and Qin Citation2021).
The Office also outlined that behaviours perceived as endangering state security can be reported by individuals via a designated hotline or reported online. Such crowdsourced intelligence reporting practices date to the Mao Zedong era when citizens were strongly encouraged to report on each other. Xi Jinping’s leadership has revived numerous historical Maoist practices, including citizen-led mass reporting that is now deployed to call on ‘counter-terrorism’ and anti-Party–state sentiments on university campuses (Jiang Citation2021). Law and digital technologies play a significant role in supporting those resurrected practices.
China-based or -linked companies that operate internationally are often questioned based on the 2017 National Intelligence Law. For instance, Huawei (Citationn.d.) officially claims to have obtained an independent legal opinion stating that the 2017 National Intelligence Law does not force the company to engage in intelligence gathering activities. Similarly, TikTok (Citationn.d.) proposed Project Texas to store US customer data locally in the US after continued data access from China was reported in June 2022 (Baker-White Citation2022). However, private company compliance with national law within China’s jurisdiction bears potential criminal responsibility. This legal liability has been considered a risk by liberal democracies: In 2023, the National Cyber Security Centre (NCSC) of GCHQ, UK’s key national intelligence agency, recommended a risk-based approach despite their evaluation reportedly not having revealed specific threats (Boland Citation2023).
State-supported media now provides some examples of intelligence reporting. In a 2021 People Daily article titled ‘Acts that endanger national security may be around us’ reported ‘typical cases’, including one on an alleged overseas spy that recruited a person on WeChat to monitor a port area in Guangdong (Xiao, Fu, and Su Citation2021). Future news and government articles on awards and commendations given to individuals and organisations may reveal further extent and scope of the new intelligence reporting activities.
It is reasonable to expect that the National Intelligence Law will make it difficult for organisations and individuals to resist information collection by state and public security agencies, because they can be held criminally liable for obstruction of intelligence collection. Like in Australia, it is unlikely that the cases of data transfer to national intelligence actors would be kept secret and not be publicised in company reporting documents.
Technical vulnerabilities of IoT CCTV cameras
In Australia in 2021, more than 60,000 Hikvision and Dahua CCTV surveillance cameras were estimated to be operational. With the advancement of artificial intelligence, facial recognition functions can either be integrated into IoT CCTVs or applied to video footage separately (Amin, Ahman, and Ali Citation2016), thus introducing another layer of personal data threats. This section highlights previous vulnerabilities and addresses the political framing of those vulnerabilities in the political context of Australia and its allied countries.
Cybersecurity vulnerabilities of Hikvision and Dahua are not hypothetical. Various vulnerability databases list both Hikvision and Dahua, amid a long list of other companies (CCTV Calculator Citationn.d.). Although it is not uncommon for vulnerability databases to list private company products, the impact that Hikvision and Dahua have is larger than a bug that can be fixed with a company-wide announcement. Both companies are also Original Equipment Manufacturers (OEM) supplying their products to other brands, that may not be aware of newly found vulnerabilities. In 2021, Hikvision fixed a vulnerability that allowed hackers extensive access to the cameras and the network linked to the cameras both within and outside China. Despite the fix, 80,000 Hikvision camera users were found to be subject to those vulnerabilities due to not having installed a firmware update (Paganini Citation2022).
The lack of strategic trust between Australia and China deepens cybersecurity concerns. The cyber concerns raise questions if the vulnerabilities are accidental or created by design for purposes of espionage. A senior intelligence officer commented that ‘It’s the control of the design that gives you zero cost of entry [to collect intelligence]. It’s a lot harder to reverse-engineer to find the malign element’ (Hartcher Citation2021). Cyberespionage fears are strengthened by ongoing malicious cyberattacks originating from China. In 2021, in an official announcement, Australia’s then Home Affairs Minister, Karen Andrews, attributed China’s Ministry of State Security to malicious cyber activities related to Microsoft Exchange software vulnerabilities (Saunokonoko Citation2021). Large-scale cyberattacks in Australia in 2021 and 2022 targeted information about critical infrastructure (e.g. defence, health, government sectors), the origins of which were also attributed to China (Australian Cyber Security Centre Citation2022; CyberSecurity Connect Citation2021). From the perspective of the Australian government, attacks on critical infrastructure would be of concern in case of political conflict, as they would have the capacity for large-scale societal disruptions.
Combined with Chinese companies’ connections with the Party–state, cybersecurity concerns have been mirrored across other countries that Australia maintains strategic relationships with. Indeed, the Australian Home Affairs Deputy Secretary, Mark Ablong, recently quoted strategic security alignment with the United States and the United Kingdom, noting that ‘[f]or the same reasons that the US and the UK have looked at these technologies, we remain concerned about those companies and their relationship with the Chinese Government’ (Brookes Citation2022). In 2018, the US–China Economic and Security Review Commission concluded that Chinese IoT devices may reveal information that was not planned to be shared as data are aggregated and combined. Additionally, the Review Commission clearly articulated espionage concerns:
China’s central role in manufacturing global information technology, IoT devices, and network equipment may allow the Chinese government—which exerts strong influence over its firms—opportunities to force Chinese suppliers or manufacturers to modify products to perform below expectations or fail, facilitate state or corporate espionage, or otherwise compromise the confidentiality, integrity, or availability of IoT devices or 5G network equipment (US–China Economic and Security Review Commission Citation2018).
In November 2022, the United States’ Federal Communications Commission deemed that communications equipment manufactured by Hikvision and Dahua, among other China-headquartered companies, poses a threat to national security (Federal Communications Commission Citation2022). The ban referenced actions taken as part of the federal government’s broader effort to secure US communications networks and prohibit the use of equipment that could allow a foreign enemy to exploit those networks, without providing specific details of the threats posed by Hikvision and Dahua. The use of public funds was prohibited from purchasing equipment or services and the Government instated a reimbursement scheme to remove and replace insecure equipment that had already been installed in US networks.
The overall cybersecurity risk associated with Chinese-made CCTV surveillance cameras also more broadly applies to all IoT devices. Some of the information that is missing from conducting an actual cybersecurity evaluation concerns the types of CCTV cameras installed, the way they collect, store (e.g. on-device or online), and analyse data collected, the quality and security processes undertaken prior to the camera installation, and camera security characteristics.
Regulatory approaches to Chinese-made CCTV cameras in Australia
The potential security sensitivities associated with the use of Chinese-made CCTV cameras in Australia is the latest in an ongoing public debate in relation to both Chinese-made electronic products and digital services. Specifically, the February 2023 government audit of the number of Chinese CCTV cameras installed accelerated those debates. This development is taking place in the context of a trade dispute that escalated following the Australian Governments comments about the origins of the COVID-19 virus and the broader geopolitical dispute in the South China Sea.
The first aspect to be addressed is the international element. If, based on technical advice, CCTV cameras can store and transmit images or other data to the Chinese state, this is obviously a concern considering the Chinese National Intelligence Law 2017, and the fact that the countries are not politically aligned. The Australian Federal Government, as well as Australian corporations undertaking work that may be associated with national security implications (e.g. national intelligence and security organisations, and other Federal agencies), could simply determine not to use Chinese-made cameras in their workplaces. The decision is not one that needs to be publicly advertised or necessarily enacted in legislation and could be achieved in a politically sensitive manner avoiding, assuming non-Chinese-made options are available. For instance, the February 2023 audit focused on counting Hikvision and Dahua cameras based on their national origin and expressed dual concerns—moral concerns over the companies’ sales to Xinjiang region and data security. The measures of removing the cameras from Federal buildings do not address either of those concerns in full: first, small scale government bans are not likely to affect market opportunities that large Chinese technology companies are able to access due to technical sophistication of China-made products and a relative price advantage; second, they can address espionage risk to some extent but do not actually provide any substantive cybersecurity evaluation of cameras adopted.
In the present case and to the extent of information that the Government audit revealed, CCTV cameras only pose a risk if they are used in sensitive environments such as Federal government buildings, and a different approach may, therefore, be appropriate to mitigate the lesser risk they present. In both instances, it is unclear why this would need to be publicly discussed: presumably the government could use non-Chinese-made products and state that the decision was made based on commercially sensitive reasons that are not required to disclose—a practice commonly used by Australian Federal Government agencies. The fact that these issues are being highlighted by conservative opposition politicians, who also publicly canvass the prospect of war with China, may be an indication of political motives. More broadly, overt politisation of China-made technologies ignores the pressing issue of IoT under-regulation (Harkin, Mann, and Warren Citation2022) and the rising ease with which face recognition technology applications may be used (Mann and Smith Citation2017).
The decision of the National Security Committee of Cabinet in August 2018, to ban Huawei from providing infrastructure for Australia’s 5G network, is a precedent that should be noted as having potentially set a path dependency for Australia’s approach to regulating Chinese technologies (Hartcher Citation2021). At the time, the Government stated it would be prohibiting ‘vendors who are likely to be subject to extra judicial directions from a foreign government that conflict with Australian law’ (Hartcher Citation2021). On the advice of the Australian Signals Directorate, it was decided that allowing a Chinese company to provide such fundamental technology infrastructure would be too great a security risk related to large-scale disruptions of critical infrastructure.
The second aspect to be addressed are the considerations for domestic law, which does not present a comprehensive approach to preserving citizen data privacy and security. Over the last 10 years, the development of biometric facial recognition technology, and its capacity to be integrated with CCTV, has amplified the privacy and security considerations associated with the technology. Since 2015, the Australian Government has been exploring creating a face recognition database using facial photographs from driving licence and passport photos, a database that would effectively become a national facial recognition database. While this has not yet been developed, it remains a likely future prospect. Such a database would operate in association with data from CCTV systems and it highlights that it is possible to identify almost anyone captured in CCTV footage. If a bad actor or foreign state was able to hack a national database, or even a state drivers licence photograph database, data from CCTV footage would be more valuable, assuming it was of sufficient quality, because specific individuals can now be identified more readily (Mann and Smith Citation2017). The infamous example of the company Clearview AI shows how that might work. The company provides facial recognition software for law enforcement and government agencies and private companies around the world, drawing from billions of images scraped from the internet to identify suspects (Smith and Urbas Citation2021). Developments such as this demonstrate the growing significance of CCTV systems, as photographic and biometrivnc template datasets, as well as the algorithms used to interrogate them via biometric facial recognition technology, become more sophisticated. This means that there is a greater likelihood that the data captured by CCTV cameras can be used to identify and track individuals, and that this can be applied for a wider range of purposes.
Third, the use of facial recognition in CCTV systems operated by Australian retailers has been widely criticised for their integration of biometric capabilities without the consent—and minimal knowledge—of customers. In 2021, the Office of the Australian Privacy Commissioner found that 7-Eleven breached Australian Privacy Principle 3. It stated that the company’s ‘large-scale collection of sensitive biometric information through 7-Eleven’s customer feedback mechanism was not reasonably necessary for the purpose of understanding and improving customers’ in-store experience’ (Office of the Australian Information Commissioner Citation2021).
These examples highlight the expanded use of CCTV to integrate biometric facial recognition and artificial intelligence to multiply the significance of this technology from a regulatory standpoint. The Australian Government and business sector should contemplate that if Chinese cameras do potentially allow the state to access the data, using Chinese companies as intermediaries, this would be a significant national security risk, considering capability developments in facial recognition technology.
In summary, the use of Chinese-made CCTV cameras adds to broader concerns about a lack of regulation of information-collecting technologies, especially as biometric capabilities continue to advance. While it may be possible for governments and corporations to avoid using Chinese-made IoTs in security-sensitive settings, it is not realistic to ban Chinese CCTV cameras or technology in general. Timely and effective regulation of new technologies from the perspective of individual and national interests will be increasingly important.
Conclusion
This paper explained the prevalence of China-made CCTV cameras used in Australia (in particular, the Australian Federal and state governments), articulated the most common national security concerns linked with adopting information-collecting technologies made in China, and suggested regulatory pathways for Australian state and Federal Government decision-makers. We argue that Australia is likely to remain dependent on China-made information-collecting technologies in at least the medium term because approximately 70 per cent of the world’s electronics are made in China (Cheng et al. Citation2019). Therefore, small-scale government bans are not likely to protect Australians’ data as Chinese technology companies will be able to continue trade due to the technical sophistication of China-made products and a relative price advantage. National security concerns are, therefore, here to stay, along with those technologies, increasingly pronounced with the prevalence of IoT devices, not only those of Chinese origin.
Among some of the most common concerns are Chinese technology company links with the Chinese Party–state, legal data transfer obligations to China’s national and public security agencies, and technical vulnerabilities of IoT CCTV cameras. In the national context of China, the CPC is inseparable from the Government. Additionally, the Party–state offers financial and strategic incentives for private and semi-private actors, such as state subsidies for technology companies expanding overseas, tax breaks, and financial incentives for start-ups. Both Hikvision and Dahua therefore, are bound to the ‘authoritarian capitalist dynamic’ (Huang and Tsai Citation2022, 2) and have strong financial incentives to work with the Party–state, like most technology companies establishing themselves domestically in China. In turn, the association with China’s domestic market implies a mandate for companies to cooperate with China’s national and public security agencies if approached. Refusal to do so may result in warnings, detention, and even criminal responsibility. The market growth of IoT devices increases that risk because devices can transfer data via the internet, making it more vulnerable to hacking and/or backdoor access. As the Australian Government continues to review IoT cybersecurity governance, including critical infrastructure security and security principles for manufacturers (Chalmers Citation2022), CCTV camera security in the context of their China-based supply chain should also be evaluated.
Due to the lack of strategic trust between Australia and China—in particular, considering the continued large-scale cyberattacks against Australia originating from China—the aforementioned concerns are likely to be considered when evaluating national security risk. In high-risk areas, such as Federal Government buildings, Australian Government agencies are likely to adopt a risk-based approach to adoption of China-made information-collecting technologies. These issues do not require repeated politisation of the national origin of such technologies. Overt politisation of China-made technologies bypasses the urgent concern of IoT under-regulation (Harkin, Mann, and Warren Citation2022) and the increasing ease of facial recognition technology applications (Mann and Smith Citation2017). Rather, a targeted technology-specific evaluation of risks approach can be more productively adopted, in addition to known national security concerns.
In both liberal and authoritarian governments, surveillance data is increasingly being used for purposes beyond which it was originally collected. Privacy and identity theft are chief among the concerns raised by lax regulation in this area (Smith and Miller Citation2022). The issues outlined highlight the fact that a lack of regulation is not only a risk to Australian citizens’ privacy and security rights but may also constitute a national security risk for the country.
Australia is unlikely to reduce dependency from China-made CCTV surveillance cameras or other information-collecting digital technologies without a trade diversification plan. Even if it excludes Chinese-made IoT devices, Australia cannot avoid engaging with them because their dominance in the region ensures unavoidable interaction (Lee Citation2021). Additionally, similar risks may be presented by other imported technologies or technology parts. A long-term solution should be the broader regulatory regime of emergent information-collecting technologies that would place liability on technology manufacturers to ensure the data privacy and security of their products and services.
Disclosure statement
No potential conflict of interest was reported by the author(s).