(CAVEATS: Might be of note to those that are take an interest in or are concerned with personal privacy and security. I do not have detailed facts to hand, and strongly suggest some personal research by BlackVue dashcam owners themselves to ensure that these features are disabled (if indeed they have them)).

 

Hi all,

 

At the risk of merging work / social (forum) life, and being a boring serious post, my work involves 'IT Security' (information security) and data protection stuff day in, day out - which includes mindless commuting and listening to a few podcasts - one of which I highly recommend, which is the Smashing Security podcast.

 

The most recent episode (#97) brought up a recent privacy issue with BlackVue dashcams ('cloud-connected' / Internet based) ones. 

 

Without going into too much unnecessary detail - which this video and GIF can speak volumes for me - BlackVue dashcams with cloud connectivity ARE NOT developed with 'Privacy By Design' in mind, and therefore have a lot of this connectivity functionality enabled by default. 

 

A key part of this is that the device can broadcast your location in real-time, as well as live video feed(s) online - PUBLICLY (i.e. accessible by all without login credentials required) - by default.

 

You don't need to be a risk-averse, worrying-Wally, nerd like me to feel like 'that's probably not right...!'

 

Anyway - some honestly well-meaning advice (to those that may have not done so, or who are not aware) - Please check your settings in the console / portal that you manage your device from, and ensure that these 'connectivity' features are disabled - of course, at your own discretion.

 

Sadly not all companies take user privacy seriously enough, still.

 

Laters. A

 

 

Some would call that a feature... not a bug

Stalkers and burglar types would love feature.

 

car says it’s 100 miles away. Check video, yes they are on the motorway passing a sign that confirms it.

 

cool, at least 2 hours to break in and steal everything.

Wow! an onboard Speed Camera too - Mr Plod must love this, just sit in the station looking at broadcast videos mph readings and sending out the tickets.

3 hours ago, cheezemonkhai said:

Stalkers and burglar types would love feature.

With the proper tools and focus, the level of pre-event reconnaissance you can reach with this is pretty high - to the ends of whatever that 'event' might be.

 

I'll try and keep tabs on any guidance that comes out from this (as BlackVue may release a patch / guidance which rectifies their mistake, if there's any escalated reputational damage - e.g media attention)  - however, if someone else notices some good info., do post it on here

yes its the first thing i disabled when i installed mine. I couldnt believe its on by default. GPS location and all! there is no real benefit, the benefit is if a burglar steals your car you can track, see and hear them in real time. The only problem in london is the peelers will be too busy arresting people for saying hurty things on the tinterweb to come and help you.

There was a guy around my way who made the local papers as he had £12K worth of bikes stolen from his garage.  He's convinced the perpetrators used the Strava app to track him/the bikes down.

 

Obviously it's possible if you've got your security settings wrong but this post just highlights the flaws of modern tech that's meant to be helpful..... well it is helpful but probably for the wrong people!

Logged onto my friends Blackview account (with her permission), and yep... was able to watch "MK** DKE" travelling down the M6 at 93mph whilst chatting to his passenger.

 

A quick play around on the map, and I'm listening to a cab driver in New York talking rubbish.

 

The comedy aspect of this aside, it opens people up to inherent risk, especially when their Blackview handle is 'Merc AMG' or 'Tesla S'.

Nothing but a sitting target if monitored for long enough.

 

Your ruined if your affair is hosted in the cloud for all to enjoy at their leisure.  I've since disabled my friends cloud upload facility from public to private (it turns your little emoji to orange from green and nothing can be seen)... but her last known location was still my house, through which you could see out of her rear camera and the contents of my driveway.  A sobering thought.

Edited 28 September, 20187 yr by Mr_James_88

Turn it on, go to a park somewhere, turn it off.

 

looks like the black view is out until this is fixed. I know you can fix it, but that’s a massive oversight.

21 hours ago, Ads230 said:

A key part of this is that the device can broadcast your location in real-time, as well as live video feed(s) online - PUBLICLY (i.e. accessible by all without login credentials required) - by default.

Is this GDPR compliant?

 

It's certainly not in keeping with the spirit/intent of GDPR where you have to specifically give consent for you data to be stored/shared.

17 hours ago, PetrolDave said:

Is this GDPR compliant?

Not especially, but more in the spirit of data protection rather than actual non-compliance. BlackVue are a Korean company so they take a dim view of EU rules and regs anyway. Plus, 'Privacy / Security by Design' is still such a new concept to most tech and design companies that culture is REALLY slow to catch on and do it.

 

Without going into too much detail, BlackVue legal would probably claim your 'consent' is within use of product (e.g. T&Cs), and it's up to the user whether you enter information such as license plate etc into the device, or pay attention and switch those things off upon first use. The ICO wouldn't bat an eye anyway, so it wouldn't change unless BlackVue get a lot of bad press from EU customers, then they'll change it by default via updates (maybe). 

 

 

As an EU citizen, all companies (no matter where they are from) are obligated to protect the data of EU citizens in like with GDPR.

 

That includes where the data is processed as well as privacy laws.

 

I would be pretty certain this is potentially a significant GDPR breach. Especially as I would be quite certain people have not explicitly signed up to this level of public data sharing. (Assuming the initial statement from the OP is accurate, which I have no reason to believe it isn’t).

 

Hiding it in the T&c is no longer compliant since GDPR, as it is not considered an explicit opt in.

 

Any affected citizen could report it to their country of citizenship’s data privacy regulator, who would investigate this.

 

The fact that they may (or may not) take a dim view of the laws would be pretty irrelevant.

 

 

Edited 1 October, 20187 yr by cheezemonkhai

2 hours ago, cheezemonkhai said:

Any affected citizen could report it to their country of citizenship’s data privacy regulator, who would investigate this.

All good points @cheezemonkhai - my reply above is based on the cynical view I've carefully constructed over the years working in info-sec  / DP  

Most of us in already lost confidence in the ICO a long time ago, well before GDPR (including their lax enforcement of Freedom of Information (FOI)), and the fact that half their flock fled before Dec 2017 - a sure sign that the organisation was not yet fit to support GDPR. But I digress...

 

The (O)OP (CyberWire's Dave Bittner) will likely push a media stance on this first, as it would be more likely to get a faster response than an ICO investigation would. It is 100% a company's responsibility to ensure that the devices and technologies they push out are secure and support privacy by design - however, I (and many others outside the industry) know that this is still so rarely the case...

 

Either way, I would stress the importance of individuals schooling-up / investigating the Security & Privacy settings on all devices that are likely to process, store, and transmit personal data, and edit the settings accordingly. Where this isn't possible, consider getting in touch with the company to request improvements, or indeed getting rid of the device / tech altogether. If the latter action, you have the Right to Erasure  ('Right To Be Forgotten') which you can request from the company themselves.

 

Knowledge is Power. (And power is measured in BHP & ft-lbs. )

Call me cynical, but any product that has the word "cloud" on it makes me shiver.

 

"Cloud" is someone elses computer.

 

Yes it can be good for backup (eg. iCloud photos) or collaborating across teams / devices (eg. Google docs), but be aware that ultimately it's on someone elses machine where it can be compromised both internally or externally.

https://youtu.be/XaoI2Fltoxs

Covered well in this video

On 28/09/2018 at 12:39, Ads230 said:

'll try and keep tabs on any guidance that comes out from this

From the comments on this video raised, BlackVue have been made aware (both privately before the info was released, and now publicly on YouTube / media) - so hopefully this will be appropriately updated at some point.

All this talk of "take the camera back and buy something that respects your privacy" is a load of rubbish.
These cameras are very good value for money, for what they provide... and are absolutely NO different to your mobile phone or most other internet-connected devices available today.

If you do not read (or understand) the terms and conditions of use, then do not click the agree button - and therefore do not use that particular device or application.

Most smart devices out there - TVs, internet-connected whitegoods, mobile phone, etc, etc, have the privacy settings turned off by default (or certainly limited) - to make the device user-friendly and functional, to the majority of people, straight out of the box.

If you are too stupid to then go through and personalise the settings for your individual requirements, then you only have yourself to blame.

There is nothing sinister or hidden about this particular function on this range of cloud-connected cameras... the setting is right there in full view (as this thread/video shows) for you to turn off the function in question.

Get a grip people
- buy devices, sure

- read the Ts&Cs & ignore the details and just click Accept like 99% of the population does, sure

- go into the setting and personalise your device/app to suit your own preferences, definitely.

 

Nothing difficult about this at all.....

Edited 6 October, 20187 yr by spinifex

On 06/10/2018 at 01:54, spinifex said:

[...]

Nothing difficult about this at all.....

@spinifex - I agree with you on the above to some extent, but in my world it's one thing 'verbally slapping' people for their own ignorance (which is definitely fun), but it's another thing to try and give objective and helpful guidance to allow people to learn.

 

Giving the 'What & Why' (positive reinforcement) is usually more productive than the 'Can't believe you didn't ____, you utter mug!' (negative reinforcement).

 

T&Cs are usually a tenuous method for data protection compliance, and not always fully informative to the end user. Quite often (as in the case with BlackVue, actually) they don't include international compliance requirements... so people wouldn't know the ins and outs of data protection anyway. (As an aside - DO use this website to decipher T&Cs more easily - Terms of Service; Didn't Read)

 

I find that awareness is the biggest deficiency these days (whether spacial, situational, geopolitical etc.) - and data protection / information security has always been one where people need to stay informed. My OP was purely for informing those with dashcams (or other connected devices) to take a look & set it themselves .

 

Totally agree it's not hard or especially technical; but it is important.

on a more positive note the image quality is amazing. watching  in 4K and stereo is nice. Unfortunately if i shared any of my 'incidents' i'd probably end up in court, so dont ask!

Thanks for raising this. Checking out the video, it looks like Blackvue responded and "allegedly" fixed the issue.

 

Hello Tim, thank you for raising this issue and apologies for the trouble caused. The app was updated over the weekend so that every public sharing setting is disabled by default when registering a dashcam. In addition, we set all public sharing settings for all current users to private as well on the server side, so users do not have to take action. Users who wish to re-enable public sharing of their dashcam's location, name, video and audio can do so manually. Thank you.

 

19 hours ago, ChaybobbTidbit said:

Thanks for raising this. Checking out the video, it looks like Blackvue responded and "allegedly" fixed the issue.

No worries, and yes that's start from BlackVue - thanks for updating, CT.

 

Likely they only did it due to the negative publicity brought on from exposing their silly mistake / greedy data-slurping, but it's user awareness that will hopefully mitigate, or at least curb, privacy violations (i.e. reigning in on the Tin-hat 'switch it all off, the Interwebs scare me! Umbrella Corp. is out there!" moment) 

How do these blackvue's gain internet access all of the time?  Surely the owners would notice massive uses of their mobile data?

On 28/09/2018 at 08:42, cheezemonkhai said:

Stalkers and burglar types would love feature.

 

car says it’s 100 miles away. Check video, yes they are on the motorway passing a sign that confirms it.

 

cool, at least 2 hours to break in and steal everything.

 

Assuming of course there's nobody else at home... and the thief knows what car the camera is in...  and who's driving...  and what the address is...  100 miles from where? and the house alarm isn't working...   etc. 

 

Honestly, when phrases such as 'data protection' are mentioned, folk (aided by doom and gloom media headlines) can't see the forest for the trees. Hows this going to help a thief?  Theives don't tend to go to this amount of trouble.

 

Personally I like that advert where a burgler walks up to the front door and the houseowner speaks to him via a speaker. The company then try to flog you a device where you can see people at your front door via a phone app whilst you're on holiday thus your house is safe.   If I were a thief and someone spoke to me via a speaker rather than answer the door...  HAPPY DAYS !!!

 

  

4 minutes ago, Scot5 said:

 

Assuming of course there's nobody else at home... and the thief knows what car the camera is in...  and who's driving...  and what the address is...  100 miles from where? and the house alarm isn't working...   etc. 

 

Honestly, when phrases such as 'data protection' are mentioned, folk (aided by doom and gloom media headlines) can't see the forest for the trees. Hows this going to help a thief?  Theives don't tend to go to this amount of trouble.

 

Personally I like that advert where a burgler walks up to the front door and the houseowner speaks to him via a speaker. The company then try to flog you a device where you can see people at your front door via a phone app whilst you're on holiday thus your house is safe.   If I were a thief and someone spoke to me via a speaker rather than answer the door...  HAPPY DAYS !!!

 

  

 

Working in the field, you would be surprised how often thieves break in because someone posted they’re on holiday on Facebook etc.

 

Addresses are easy to come by or buy. 

 

So you can knock it, but it happens a lot, because with a little bit of knowledge theft can be de-risked.

 

House alarms are rare these days, rarely monitored and the some of the wireless ones quite easy to subvert.

 

It isn’t your have a chance, seen a shiny thing thief no. But then many thefts happen on new build estates, because a bump key opens all the locks in the area.

 

You might want to accept that thieves have a little more intelligence than you assume they have.

 

 

15 minutes ago, Scot5 said:

Theives don't tend to go to this amount of trouble.

 

You would be surprised. Any thief looks for vulnerabilities and all things aside, knowing where a vehicle is, whether they are looking to break into the house, or the car, is extremely valuable. 

 

As @cheezemonkhai has said, other information is freely available and these days, especially, we're all too willing to share it out willy nilly.