Modern Surveillance Landscape
Before choosing countermeasures, you must map who collects data, what sensors they use, how that data is fused across systems, and where retention and sharing occur. This page builds the threat model that underpins every other module in this section.
Threat Model Dimensions
Every surveillance system can be decomposed into four layers. Understanding each layer reveals specific defensive opportunities.
1. Collectors
Government agencies, transport operators, private venues, retail analytics, insurers, data brokers, and employer monitoring programs.
- Law enforcement: FBI FACE Services, local fusion centers
- Transport: TSA, ALPR networks (Vigilant, Flock Safety)
- Private: Clearview AI, data brokers (Acxiom, LexisNexis)
2. Sensors
CCTV (fixed, PTZ, fisheye), thermal/FLIR, ALPR, BLE beacons, Wi-Fi access points, ultrasonic proximity, directional microphones, and cellular IMSI catchers.
- Visual: 4K+ IP cameras with on-board ML inference
- RF: BLE sniffers, Wi-Fi probe collectors, cell-site simulators
- Audio: smart speakers, ambient microphone arrays
3. Fusion Layer
Identity graphing that joins face embeddings, device IDs, MAC addresses, location history, payment metadata, social media accounts, and behavioral fingerprints into unified profiles.
- Cross-modal: face → device → payment → social
- Temporal: building movement timelines from fragmented signals
- Probabilistic: confidence scoring and graph expansion
4. Action Layer
Watchlist alerts, real-time geofence triggers, movement anomaly scoring, retrospective forensic search, and analyst triage workflows that decide follow-up actions.
- Real-time: instant match → alert → dispatch
- Retrospective: bulk historical search across retention window
- Predictive: behavioral pattern anomaly detection
Modern Surveillance Stack (2026)
The current generation of surveillance operates as a layered data pipeline. Each layer creates defensive opportunities.
| Layer | Technologies | Data Collected | Defensive Opportunity |
|---|---|---|---|
| Collection | CCTV, doorbell networks, ALPR, retail analytics, BLE beacons | Raw video, plate images, device signals, Wi-Fi probes | Reduce signal quality and limit emissions |
| Identity | Face embeddings, gait signatures, voiceprints, device fingerprints | Biometric vectors, device hashes, behavioral patterns | Reduce embedding stability and consistency |
| Enrichment | Data brokers, social media scraping, public record joins, CDRs | Linked identities, social graphs, location histories | Minimize data broker exposure and compartmentalize |
| Decision | Alert thresholds, watchlists, risk scoring, triage dashboards | Match confidence, movement correlations, anomaly scores | Force low-confidence matches below alert thresholds |
Primary Defensive Principle
Surveillance Data-Flow Pipeline
Data Retention Landscape
Understanding retention windows is critical for threat modeling. Data that exists can be searched retrospectively.
CCTV Footage
Typically 7 to 90 days for standard systems; cloud-backed systems may retain indefinitely. Government systems often have longer mandatory retention.
ALPR Records
Varies wildly: some agencies retain 48 hours, commercial networks (Vigilant/DRN) retain 5+ years of historical plate scans.
Cell Tower Logs
Carriers retain CDRs and cell-site location info (CSLI) for 1 to 7 years depending on carrier and jurisdiction.
Data Broker Profiles
Indefinite retention with continuous enrichment. Removal requests may not propagate to downstream buyers.
Social Media Archives
Cached/scraped copies persist in third-party databases even after account deletion. Internet Archive and scraper caches add persistence.
Biometric Databases
Face embeddings in law enforcement databases (NGI, FACE Services) may be retained for decades. Commercial databases vary by service terms.
Global Surveillance Landscape
Surveillance capability varies dramatically by region. Understanding the local landscape is essential for accurate threat modeling.
| Region | Key Systems | Legal Framework | Scale |
|---|---|---|---|
| United States | Fusion centers, ALPR networks, Ring/Neighbors, Clearview AI | Fragmented (state-level BIPA, CCPA; no federal biometric law) | ~85M CCTV cameras |
| United Kingdom | ANPR national network, CCTV (1 per 11 people), GCHQ Tempora | Investigatory Powers Act 2016 ("Snooper's Charter"), UK GDPR | ~6M CCTV cameras |
| EU | S.I.S. II, Prüm Convention biometric sharing, Europol databases | GDPR, EU AI Act (2024), member-state DPAs | Varies by member state |
| China | Skynet/Sharp Eyes, social credit, Megvii/SenseTime FR | Personal Information Protection Law (PIPL), minimal enforcement | ~600M+ cameras (est.) |
| Five Eyes | UKUSA Agreement, XKEYSCORE, intelligence sharing | Inter-government agreements; limited public oversight | US, UK, CA, AU, NZ |
Operational Baseline Principles
1. Separate identities from movement: where legal and practical, decouple personal identity from travel patterns using device hygiene and payment compartmentalization.
2. Minimize telemetry emissions: Bluetooth, Wi-Fi probes, background location services, and advertising IDs create persistent tracking surfaces.
3. Assume retention and secondary sharing: unless policy explicitly states otherwise with verification, assume all captured data is retained and shared with third parties.
4. Layer mitigations: combine appearance controls, behavioral variations, device hygiene, and legal/policy controls; never rely on a single technique.
5. Measure outcomes: validate that your controls actually reduce match confidence, correlation continuity, and cross-system linkage rather than just assuming they work.
Surveillance Network Discovery
Use these techniques to discover and map surveillance infrastructure in your environment. Always ensure you have authorization before scanning.
Open-Source Discovery (Shodan / Censys)
# Prerequisites: pip install shodan censys
# Requires: Shodan API key (SHODAN_API_KEY) and Censys API credentials
#
# Discover exposed video management systems (defensive recon only)
# Shodan CLI (requires API key)
shodan search "Server: DVR" --fields ip_str,port,org,country_code --limit 50
shodan search "RTSP/1.0 200 OK" --fields ip_str,port,org --limit 50
# Censys search for exposed ONVIF endpoints
censys search 'services.http.response.body:"onvif"' --max-records 25
# Google dork for publicly indexed camera pages
# inurl:/view.shtml inurl:"ViewerFrame?Mode="
Local Network Camera Discovery
Scan your own network segment to identify camera systems, DVRs, and NVRs. This establishes your baseline exposure.
#!/usr/bin/env python3
# Prerequisites: pip install python-nmap
# Requires: nmap installed (apt install nmap / brew install nmap)
"""Active network survey: identify surveillance-related services on a local segment.

nmap -sV sends service probes to every responding host, so this is not a passive
capture; run it only on a segment you own or are authorized to scan.
"""
import nmap

scanner = nmap.PortScanner()
# Common surveillance ports: RTSP, ONVIF, DVR HTTP, Hikvision, Dahua
# NOTE: adjust the target subnet to match your network (e.g., 10.0.0.0/24)
scanner.scan(hosts='192.168.1.0/24',
             # -T3 = "Normal" timing: balances speed and stealth
             # (T1 = slowest/stealthiest, T5 = fastest/noisiest)
             arguments='-sV -p 554,8554,80,8080,443,37777,34567,8000 --open -T3')

# Print one line per open port: host:port, service name, product and version banner
for host in scanner.all_hosts():
    for proto in scanner[host].all_protocols():
        ports = scanner[host][proto].keys()
        for port in sorted(ports):
            svc = scanner[host][proto][port]
            print(f"{host}:{port} {svc['name']} {svc['product']} {svc['version']}")
Wi-Fi Probe Analysis
Understand what your devices broadcast by capturing probe requests in a controlled environment.
# Prerequisites: apt install aircrack-ng wireshark-common (provides tshark)
#
# Capture Wi-Fi probe requests to understand tracking surface
# Requires monitor-mode capable adapter
sudo airmon-ng start wlan0
sudo tcpdump -i wlan0mon -e -s 256 type mgt subtype probe-req \
  | awk '{print $10, $12}' | sort | uniq -c | sort -rn | head -30
# Alternative: tshark for structured output
# (older tshark releases named the SSID field wlan_mgt.ssid; current releases use wlan.ssid)
sudo tshark -i wlan0mon -f "subtype probe-req" \
  -T fields -e wlan.sa -e wlan.ssid -e radiotap.dbm_antsignal
# NOTE: restore normal Wi-Fi after capture:
# sudo airmon-ng stop wlan0mon && sudo systemctl restart NetworkManager
# --- Expected Output ---
# 12 aa:bb:cc:11:22:33 HomeNetwork-5G
# 9 de:ad:be:ef:00:01 Starbucks_WiFi
# 7 aa:bb:cc:11:22:33 OfficeWPA3
# 5 44:55:66:77:88:99 (Broadcast)
# 3 de:ad:be:ef:00:01 AirportFreeWiFi
# 2 10:ab:cd:ef:34:56 Galaxy_S24_AP
#
# wlan.sa wlan.ssid radiotap.dbm_antsignal
# aa:bb:cc:11:22:33 HomeNetwork-5G -42
# de:ad:be:ef:00:01 Starbucks_WiFi -58
# 44:55:66:77:88:99 -71
# 10:ab:cd:ef:34:56 Galaxy_S24_AP -65
# de:ad:be:ef:00:01 AirportFreeWiFi -73
Authorization Required
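The capture above tells you what a collector sees, but the defensive question is which of your devices are re-identifiable from it. The script below is an added example, not code from the original page: it parses the tab-separated output of the tshark command (fields `wlan.sa`, `wlan.ssid`, `radiotap.dbm_antsignal`), classifies each source MAC as burned-in or locally administered (the IEEE bit that randomized MACs set), and lists the network names each device leaks through directed probes. The capture lines are constructed sample data, not a real capture, and the function names are this example's own.

```python
"""Summarize a tshark probe-request capture: stable MACs and leaked SSIDs.

Added example, not part of the original page. Input format is the
tab-separated output of:
  tshark -T fields -e wlan.sa -e wlan.ssid -e radiotap.dbm_antsignal
"""
from collections import defaultdict

# Constructed sample capture (not real traffic): MAC <TAB> SSID <TAB> RSSI.
# An empty SSID field is a wildcard (broadcast) probe that names no network.
SAMPLE_CAPTURE = """\
00:1a:2b:11:22:33\tHomeNetwork-5G\t-42
f6:9e:10:aa:bb:cc\tStarbucks_WiFi\t-58
3c:22:fb:00:00:01\t\t-71
00:1a:2b:11:22:33\tOfficeWPA3\t-44
da:1b:2c:3d:4e:5f\t\t-60
da:1b:2c:3d:4e:5f\t\t-61
"""


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set (IEEE 'locally administered').
    Phones that randomize their MAC set this bit; a clear bit means a globally
    unique, burned-in address that persists across sessions and locations."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_capture(text: str) -> dict:
    """Group probe lines by source MAC: {mac: {"ssids": set, "probes": int, "rssi": list}}."""
    devices = defaultdict(lambda: {"ssids": set(), "probes": 0, "rssi": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        # tshark emits an empty field (not a missing one) when an element is absent
        fields = line.split("\t")
        mac = fields[0].strip().lower()
        ssid = fields[1].strip() if len(fields) > 1 else ""
        rssi = fields[2].strip() if len(fields) > 2 else ""
        entry = devices[mac]
        entry["probes"] += 1
        if ssid:
            entry["ssids"].add(ssid)
        if rssi:
            entry["rssi"].append(int(rssi))
    return dict(devices)


def exposure_report(devices: dict) -> dict:
    """Flag the two properties a tracker can exploit: a stable hardware MAC, and
    directed probes that reveal the names of previously joined networks."""
    report = {}
    for mac, entry in devices.items():
        stable = not is_locally_administered(mac)
        report[mac] = {
            "stable_mac": stable,
            "leaked_ssids": sorted(entry["ssids"]),
            "probes": entry["probes"],
            # Both together make the device trivially re-identifiable across sites.
            "high_exposure": stable and bool(entry["ssids"]),
        }
    return report


if __name__ == "__main__":
    for mac, row in exposure_report(parse_capture(SAMPLE_CAPTURE)).items():
        flag = "HIGH" if row["high_exposure"] else "ok"
        print(f"{mac}  stable_mac={str(row['stable_mac']):5}  "
              f"ssids={row['leaked_ssids']}  [{flag}]")
```

A randomized MAC that still sends directed probes (the `f6:9e:...` device in the sample) is only half-mitigated: the SSID list itself is a fingerprint, which is why the baseline principle of minimizing telemetry emissions covers saved-network lists as well as MAC randomization.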
Counter-Surveillance Assessment Workflow
Follow this structured process to evaluate and improve your surveillance exposure posture.
Step 1: Define Scenario
Daily commute, sensitive meeting, protest attendance, source protection, or high-sensitivity travel. Each has different adversary capabilities and risk tolerances.
Step 2: Map Sensors
Identify likely cameras, RF collectors, and identity joins along your route or at your destination. Use OSINT and physical observation.
Step 3: Legal Controls First
Privacy settings, data minimization, consent boundaries, opt-out requests, and deletion rights. These are the cheapest and most sustainable defenses.
Step 4: Physical + Behavioral
Add appearance, route, timing, and device controls in layers. No single control is sufficient; combine multiple techniques.
Step 5: Measure Outcomes
Test with controlled experiments: reduced face match confidence, reduced device tracking continuity, reduced cross-channel linkage.
Step 6: Iterate
Surveillance systems evolve continuously. Re-assess quarterly, after infrastructure changes, and when your threat model shifts.
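Step 5 asks for a measurable outcome, and the Fusion and Decision layers described earlier define what to measure: can the fuser still join sightings into one track once a control is applied? The script below is an added example, not code from the original page or from any real fusion product. It models a minimal fusion rule (link two sightings when the device MAC matches or the face-embedding cosine similarity clears an alert threshold), groups sightings into tracks with union-find, and reports tracking continuity as the share of sightings attached to the largest track. The threshold value, the three-dimensional "embeddings", the MAC addresses and the camera names are all constructed for the example.

```python
"""Toy fusion model and a tracking-continuity metric for measuring outcomes.

Added example, not part of the original page. Embeddings are short constructed
vectors, not real face-recognition output; MATCH_THRESHOLD is an assumed value.
"""
import math
from itertools import combinations

MATCH_THRESHOLD = 0.90  # assumed alert threshold on face similarity

STABLE_MAC = "00:1a:2b:11:22:33"  # constructed burned-in address, reused everywhere
RANDOM_MACS = ["da:1b:2c:3d:4e:5f", "f6:9e:10:aa:bb:cc",
               "e2:00:11:22:33:44", "c6:55:66:77:88:99"]  # one per location
CAMERAS = ["cam-home", "cam-transit", "cam-office", "cam-retail"]
# Constructed embeddings: CLEAN vectors are near-identical (stable appearance);
# DEGRADED vectors drift enough that pairwise similarity stays under threshold.
CLEAN_FACES = [[1.0, 0.0, 0.0], [1.0, 0.1, 0.0], [1.0, 0.0, 0.1], [0.99, 0.05, 0.05]]
DEGRADED_FACES = [[1.0, 0.0, 0.0], [0.7, 0.7, 0.0], [0.0, 1.0, 0.0], [0.0, 0.6, 0.8]]


def cosine(a, b):
    """Cosine similarity between two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def make_sightings(faces, macs):
    """One sighting per camera: {camera, face embedding, device MAC seen nearby}."""
    return [{"camera": c, "face": f, "mac": m} for c, f, m in zip(CAMERAS, faces, macs)]


def linked(s1, s2, threshold=MATCH_THRESHOLD):
    """Fusion rule: same device MAC, or face similarity at or above the alert threshold."""
    if s1["mac"] == s2["mac"]:
        return True
    return cosine(s1["face"], s2["face"]) >= threshold


def fuse(sightings, threshold=MATCH_THRESHOLD):
    """Union-find over all sighting pairs; returns tracks (lists of sighting indices),
    largest first. Any linked pair ends up in the same track (graph expansion)."""
    parent = list(range(len(sightings)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(sightings)), 2):
        if linked(sightings[i], sightings[j], threshold):
            parent[find(i)] = find(j)
    tracks = {}
    for i in range(len(sightings)):
        tracks.setdefault(find(i), []).append(i)
    return sorted(tracks.values(), key=len, reverse=True)


def continuity(sightings, threshold=MATCH_THRESHOLD):
    """Largest track size / total sightings: 1.0 = fully tracked, 1/n = unlinkable."""
    return len(fuse(sightings, threshold)[0]) / len(sightings)


def scenario_results(threshold=MATCH_THRESHOLD):
    """Continuity under each control combination, using the constructed data above."""
    n = len(CAMERAS)
    return {
        "baseline": continuity(make_sightings(CLEAN_FACES, [STABLE_MAC] * n), threshold),
        "mac_randomization_only": continuity(make_sightings(CLEAN_FACES, RANDOM_MACS), threshold),
        "face_controls_only": continuity(make_sightings(DEGRADED_FACES, [STABLE_MAC] * n), threshold),
        "layered": continuity(make_sightings(DEGRADED_FACES, RANDOM_MACS), threshold),
    }


if __name__ == "__main__":
    for name, value in scenario_results().items():
        print(f"{name:25s} continuity={value:.2f}")
```

The point the numbers make is the one Step 4 states in prose: with the constructed data, randomizing the MAC alone or degrading the face match alone leaves continuity at 1.0, because the other channel still joins every sighting; only the layered case drops to 0.25, one track per sighting. Re-running `scenario_results` with a different threshold shows how much headroom a control has before the Decision layer would still fire.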
Common Failure Pattern
Notable Surveillance Programs & Vendors
Understanding the landscape of deployed systems helps calibrate your threat model to realistic capabilities.
| System / Vendor | Type | Capabilities | Documented Scale |
|---|---|---|---|
| Clearview AI | Facial recognition | Scraped 30B+ images, one-to-many face search | Used by 3,100+ agencies globally |
| Flock Safety / Vigilant | ALPR network | Real-time plate tracking, historical search, geofencing | 4,000+ cities, billions of plate scans |
| Palantir Gotham | Data fusion platform | Multi-source identity resolution, link analysis, prediction | IC, DoD, major metro police departments |
| NSO Group (Pegasus) | Mobile spyware | Zero-click exploit, full device access, location/audio/camera | 45+ countries documented |
| Ring / Neighbors | Doorbell camera network | Video sharing with law enforcement, facial recognition capable | 10M+ devices in the US |
| Fog Data Science | Location intelligence | Purchases app location data, retrospective geofence queries | Used by local/state law enforcement |
Defense Strategy Summary
- Reduce collection quality: limit photo uploads, strip metadata, minimize public biometric samples
- Break fusion links: compartmentalize identities, rotate device identifiers, separate payment channels
- Exploit enrichment gaps: submit data deletion requests, minimize social media exposure, use pseudonyms where legal
- Push below action thresholds: reduce match confidence through layered physical and behavioral controls
- Exercise legal rights: FOIA requests, BIPA/GDPR claims, data subject access requests
Surveillance Landscape Labs
Hands-on exercises to build your threat modeling and surveillance discovery skills.