By Dr Ausma Bernot, Postgraduate Research Fellow in the Charles Sturt Australian Graduate School of Policing and Security, and Associate Professor Marcus Smith in the Charles Sturt Centre for Law and Justice. This article was originally published on Australian Outlook, the online journal of the Australian Institute of International Affairs.

Recent debate on the use of China-made closed-circuit television (CCTV) cameras has resulted in the removal of the cameras from federal and state buildings. Further regulatory measures are needed that prioritise cybersecurity risks and national interests while also resisting politicisation.

China-made information-gathering technologies, particularly CCTV surveillance cameras, have gained significant popularity for routine video-based surveillance.

Manufacturers from China, such as Hikvision and Dahua, are leading global suppliers of CCTV cameras, with distribution in over 200 countries.

In 2021, independent researchers identified over 60,000 surveillance camera networks in Australia from the two corporations – over 41,000 from Hikvision and 18,000 from Dahua.

This widespread adoption has prompted concerns about national security due to potential links to the Chinese Communist Party (CCP), cybersecurity vulnerabilities, and sales in regions with human rights violations, most notably Xinjiang.

In February 2023, Australians entered a public debate on whether federal government agencies should use CCTV surveillance cameras made in China. Concerns like these were earlier expressed in the United States (US), the United Kingdom (UK), and the European Union.

The discussion began when Australia’s shadow cybersecurity minister issued a media release revealing that over 900 Chinese-made surveillance cameras from Dahua and Hikvision were employed in federal agencies.

The media statement referenced the UK Government Biometrics and Surveillance Camera Commissioner as calling China-made cameras ‘digital asbestos’, and pointed to removal efforts taken by Australia’s partners, the US and the UK.

But what are the actual national security concerns and to what extent are they blown out by the stubborn ‘China threat’ narrative?

Fundamental to Australia’s discussion is the balance between national security and economic interests.

In our recently published article on the topic, we evaluated the suite of technical, ethical, and data security and privacy concerns as they relate to China-based information-collecting technology manufacturers.

We found that Australia has three key regulatory pathways in which to counter these concerns.

Concerns linked to China-based technology manufacturing

Australian policymakers have expressed three key concerns related to the use of Chinese tech, not solely directed at CCTV cameras: (1) technical vulnerabilities of Internet of Things (IoT) CCTV cameras, (2) Chinese tech company links with the CCP, and (3) legal data transfer obligations to China’s national security actors.

IoT devices, including IoT CCTV cameras, often present enhanced capabilities such as remote surveillance and facial recognition.

However, these functionalities also bring heightened cybersecurity risks, often stemming from default login credentials, manufacturer vulnerabilities, and potential hacking incidents.

Despite concerns raised by Australia’s allies, the February audit did not delve into technical details such as device models, data protection protocols or cybersecurity vulnerabilities.

This missed opportunity underscores the need for comprehensive regulatory frameworks in Australia that can address technical concerns related to information-collecting technologies.

For a second challenge, Chinese technology companies have developed strong links with China’s Party-state, driven under the framework of ‘authoritarian capitalist dynamic’. This ‘party-state capitalism’ is characterised by maintaining CCP political power over companies, influencing the broader merger between state strategies and corporate goals.

The CCP’s emphasis on political loyalty to China’s Party-state offers financial security to private and semi-private companies in return (e.g. state subsidies), fostering a complex interplay between private and state interests.

Companies like Hikvision and Dahua actively align their products with state narratives, leveraging government materials to promote offerings. This is how China-based companies often get entangled with sales records in regions with human rights violations, most notably Xinjiang.

Legal data transfer obligations to China’s national security actors

Chinese companies’ potential of transferring data to public security or intelligence agencies has been a hot topic.

Most recently, during the hearings of Foreign Interference through Social Media in July 2023, TikTok Australia was questioned over the potential and frequency of China-based employees accessing Australians’ data, and China-based employees ability to tweak TikTok’s algorithm. What basis do these concerns have?

China’s legal and regulatory landscape enforces data disclosure obligations on all companies, irrespective of their private connections, with a focus on the broader goals of foreign interference prevention and Party-state control over information technologies.

A suite of laws introduced since 2013 under Xi Jinping’s leadership, highlights this regulatory shift, and include the 2014 Counterespionage Law, 2016 Cybersecurity Law, and the 2017 National Intelligence Law, which obligate companies and individuals in China to collaborate with the government if requested.

The all-encompassing nature of the regulations is also underscored by provisions that demand support for intelligence efforts and cooperation from individuals, groups, and organisations. Non-compliance carries penalties, fostering an ‘all-of-society’ approach to intelligence collection.

The law emphasises rewards for cooperation and potential consequences for obstruction, making resistance to state data collection difficult due to potential criminal liability.

Regulatory approaches to Chinese-made CCTV cameras in Australia

While categorical bans on Chinese-made technologies might not be feasible due to potentially high economic costs, a calculated regulatory stance is crucial. There are three possible pathways for such regulation.

The first is addressing data security risks. Data security concerns surrounding Chinese-made CCTV cameras in Australia are warranted, driven by potential data transmission to the Chinese Party-state and large-scale cyberattacks against Australia originating from China.

The Australian government and corporations could opt not to use Chinese cameras for sensitive activities. However, this approach might not fully address data security or espionage risks.

A second is enhancing data privacy regulations. Currently, domestic law and its adequate provisions for data privacy in Australia are lacking, particularly in the context of biometric facial recognition and the technology’s increasing integration with CCTV.

The potential for identifying individuals through facial recognition technology is alarming, especially when considering the collection of sensitive biometric information without informed consent.

The need for a comprehensive regulatory approach that accounts for the sophisticated nature of information-collecting technologies is emphasised.

Finally, there is a need to prevent unauthorised integration of surveillance capabilities. Some recent examples show that the potential for unauthorised biometric use is not hypothetical.

In 2021, the Office of the Australian Privacy Commissioner determined that 7-Eleven violated Australian Privacy Principle 3 via their integration of biometric capabilities, namely facial images and faceprints, without the consent ─ and minimal knowledge ─ of customers.

The excessive gathering of sensitive biometric data was deemed unnecessary for enhancing the in-store customer experience.

As these suggestions illustrate, the timely and effective regulations aligned with individual and national interests would begin to resolve these concerns along with those for China-made information-collecting technologies.

This approach would also help avoid politicisation and focus on clear guidelines for privacy-protecting regulation.

Overall, a stronger focus should be placed on evaluating cybersecurity risks of Internet of Things information-collecting technologies and considering their timely and effective regulation from the perspective of individual and national interests.