The ICO might be mostly powerless to take action against the operators of the Russian web site streaming unsecured web cams, but the non-domestic users of the web cams could be vulnerable to enforcement action
The Information Commissioner’s Office (ICO) warned yesterday of the dangers of failing to secure web cams which are connected to the internet. This was on the back of stories about a Russian-based web site which aggregates feeds from thousands of compromised cameras worldwide.
This site was drawn to my attention a few weeks ago, and, although I tweeted obliquely about it, I thought it best not to identify it because of the harm it could potentially cause. However, although most news outlets didn’t identify the site, the cat is now, as they say, out of the bag. No doubt this is why the ICO chose to issue sensible guidance on network security in its blog post.
I also noticed that the Information Commissioner himself, Christopher Graham, rightly pointed to the difficulties in shutting down the site, and the fact that it is users’ responsibility to secure their web cams:
It is not within my jurisdiction, it is not within the European Union, it is Russia.
I will do what I can but don’t wait for me to have sorted this out.
This is, of course, true, and domestic users of web cams would do well to note the advice. Moreover, this is just the latest of these aggregator sites to appear. But news reports suggested that some of the 500-odd (or was it 2000-odd?) feeds on the site from the UK were from cameras of businesses or other non-domestic users (I saw a screenshot, for instance, of a feed from a pizza takeaway). Those users, if their web cams are capturing images of identifiable individuals, are processing personal data in the role of a data controller. And they can’t claim the exemption in the Data Protection Act 1998 (DPA) that applies to processing for purely domestic purposes. They must, therefore comply with the seventh data protection principle, which requires them to take appropriate measures to safeguard against unauthorised and unlawful processing of personal data. Allowing one’s web can to be compromised and its feed streamed on a Russian website is a pretty good indication that one is not complying with the seventh principle. Serious contraventions of the obligation to comply with the data protection principles can, of course, lead to ICO enforcement action, such as monetary penalty notices, to a maximum of £500,000.
The ICO is not, therefore, completely powerless here. Arguably it should be (maybe it is?) looking at the feeds on the site to determine which are from non-domestic premises, and looking to take appropriate enforcement action against them. So to that extent, one is rather watching Mr Graham, to see if he can sort this out.
informationrightsandwrongs 
Your Seventh Principle point is well made. The part of Christopher Graham’s interview on BBC yesterday which puzzled me was his assertion that he could not alert the people affected since in doing so he would himself breach the Data Protection Act and the Computer Misuse Act. As regards the former I can think of at least three exemptions that might protect him (exercising a Regulatory Function conferred on him by Parliament being the most obvious) and likewise I struggle to see how the act of alerting the unwitting victim of a crime to the perpetration of a crime against them – hacking their CCTV – is in itself a criminal act exposing the informant to prosecution. That seems to run counter to the public interest in preventing or detecting crime. I wondered whether you had any thoughts on the matter?
I didn’t see the interview (I’ll try to find it on iplayer now) but if he said that, it’s palpable nonsense. By that token it would seem he feels he couldn’t investigate any complaint where the data subject was unaware of the infringing processing.