PUBLIC - This article does not require an IPVM subscription. Feel free to share.
ONVIF has 'trashed' the suspension statement for Dahua, Hikvision, Huawei, etc. but confirms to IPVM that those companies are all still suspended.
This creates a highly irregular situation where ONVIF is admitting their own website is deceptive but that they will not correct it.
ONVIF Confirms
ONVIF confirmed the suspensions on January 13, 2020, declaring that the 'companies remain in suspended status. No change', as shown below:
"Trashed" Statement
ONVIF's confirmation comes despite ONVIF having 'trashed' their original suspension statement sometime in late December, as the screencap of the redirected ONVIF URL below shows:
ONVIF refuses to explain why they 'trashed' their own statement despite confirming that the suspension remains.
Update Jan 19, 2020: ONVIF no longer is redirecting that link to 'trashed' and has issued a new statement, which we detail later in this report.
Motive?
The only reasonable hypothesis we have heard so far is that RFPs are being released that require an active ONVIF membership and that this has caused these mega-Chinese manufacturers to protest to ONVIF as they are losing out on projects. By removing the public statement, this could help these Chinese manufacturers (falsely) claim they are not suspended.
Further Confusion
ONVIF's deception is causing problems. For example, an industry professional emailed ONVIF's support / help email, to which ONVIF staff falsely said Huawei was an active member:
ONVIF confirmed to IPVM on January 13, 2020, that this was wrong:
The information that the help desk gave out was incorrect.
However, it is not the fault of the ONVIF help desk.
ONVIF's own website is knowingly factually wrong, as its own member list falsely says these companies are active members:
We asked ONVIF for clarification on why they would knowingly falsely report their membership status but they declined to comment on that.
Original ONVIF Email To Members
Earlier, in October 2018, ONVIF was clear to other members about these companies being suspended due to sanctions and the importance of not violating these sanctions:
Violations of the Export Administration Regulations, 15 C.F.R. Parts 730-774 (EAR) may be subject to both criminal and administrative penalties. Under the Export Control Reform Act of 2018 (50 U.S.C. §§ 4801-4852) (ECRA), criminal penalties can include up to 20 years of imprisonment and up to $1 million in fines per violation, or both. Administrative monetary penalties can reach up to $300,000 per violation or twice the value of the transaction, whichever is greater. In general, the administrative monetary penalty maximum is adjusted for inflation annually. [emphasis added]
ONVIF is increasing the risk of violating sanctions, even potentially inadvertently for its members, by its deceptive public position.
Better For ONVIF To Publicly Tell The Truth Directly
This puts IPVM in an unprecedented situation where an organization is being deceptive on their own website while acknowledging that, on the record, to us.
We would much prefer ONVIF accurately disclose the suspensions on its own website to avoid the inevitable confusion, finger-pointing, and complaints their approach causes.
UPDATE New Statement
UPDATE: On January 19th, IPVM interviewed, from right to left, in the image below, ONVIF's Chairman Per Björkdahl, ONVIF steering committee member Stuart Rawling and ONVIFs PR agency Eclipse Media's Andrea Gural.
ONVIF said it regretted the way it suddenly deleted its original statement suspending Dahua and Hikvision. ONVIF's chairman said:
In retrospect, we should have gone that route [of adjusting rather than deleting the statement], but also the fact is that we're not always one voice. We do agree with you that was probably a bit drastic.
In the interview and in a related new January 19, 2020 ONVIF statement, ONVIF has reworded the 'suspension' as 'restrictions', confirming that, in 2 months (March 19, 2020), those companies will no longer be able to conform products.
Notably, they have removed specific company names impacted (i.e., Dahua, Hikvision, Huawei, etc.) replacing it with a link, excerpted below:
This allows the Chinese manufacturers to save face as well as make it harder for a reader to immediately confirm who the companies that are restricted / suspended. ONVIF justified that in a statement to IPVM:
In reality the entity list can change at any time - companies can be added or removed - and it's the responsibility of the US government to maintain the list of companies, not ONVIF's
However, in actual reality, the entity list changes quite infrequently and it would be easy enough if or when it changes for ONVIF to update their own statement accordingly.
ONVIF told IPVM that the suspension remains for member-only information:
their status as member companies of ONVIF remains current but their access to member-only information is what is suspended.
The most direct issue is the impending suspension of these companies ability to conform their products:
Once a new version of the test tools is required by ONVIF for conformance, affected companies will no longer be able to submit products for conformance.
ONVIF told IPVM that allowing the companies access to the current test tool - which was released on December 19, 2019 - would be a violation. ONVIF has a 3 month grace period for using the old test tool, meaning that as of March 19, 2020, Dahua, Hikvision and Huawei will no longer be able to obtain ONVIF conformance for their products.
A core component of providing physical security involves ethics and responsibility. Security professionals often, through service contracts or other mechanisms, have the ability compromise the security of customer sites. Things like disabling access control systems, creating credentials, or altering video surveillance components can frequently be done with no knowledge by the customer.
Organizations like ONVIF, and many times SIA, that prioritize their membership dollars over their integrity and service to the industry do nothing but set everyone back.
Grow a spine, ONVIF. Update your website to reflect current and accurate information, even if this may upset certain organizations that provide your funding.
Latching onto the use of the (correct) word "trashed" and suggesting "removed" rather than addressing the actual question "Why are you reporting false membership status on your website?" seems to be a case of deflection. Come on OnVif you are better than this and we need you to be a trustworthy source of standards compliance information.
Latching onto the use of the (correct) word "trashed" and suggesting "removed"
For context on this, I don't think ONVIF's PR agency was initially aware that ONVIF set the URL to 'trashed'. I did clarify this and offer to title the post 'removed' rather than 'trashed' if ONVIF changed the link to 'removed' rather than 'trashed'.
Why ONVIF named it 'trashed'? Why ONVIF did not re-name it to anything but 'trashed'? Who knows.
Dahua marketing head Tim Shen has confirmed Dahua's current suspension and that he is no longer a committee chair for ONVIF, per the suspension, in the email below:
We inquired since his LinkedIn profile still lists him as ONVIF's communications chair.
ONVIF was founded by Axis (Swedish), Bosch (German) and Sony (Japanese). It was incorporated in Delaware (probably more to do with taxes than technology). which means that the laws of the US apply to them. They must follow the law. No question.
The different profiles, which are de-facto public (witness several OS implementation of the specs) - merely describes the format of the payload exchanged between two parties (the camera as a server and a computer acting like a client). The actual exchange mechanism is neither defined or controlled by ONVIF. That process lives further down the OSI layers. AFAIK (and I'm admittedly a little rusty), the media transfer is done via RTSP which - in contrast to ONVIF - is a genuine open standard. No-one is looking for a "RTSP certified" sticker. Open standards + free markets just work.
All this means that it possible, and somewhat trivial, to create ONVIF conformant devices. "Conformant" in the literal sense of the word - and not a deviation where "conformant" also means "validated by the organization known as ONVIF".
Naturally they cannot brand themselves "Certified ONVIF" because ONVIF is not legally able to do certify them, but the certification might not be a requirement. Certainly, from a technical perspective the certification is probably worthless. In a very large percentage of installations (fixed cameras) ONVIF is little more than a way to discover the RTSP url needed to get the live feed. For those installs you can always fall back to generic RTSP support - the problem is that those URLs sometimes can be hard to find. But once again, an ONVIF conformant (but not certified) will work just fine.
So, in this case, I find that from a purely technical perspective, the ONVIF suspension is of no concern. ONVIF is not a collection of brilliant scientists that come up with super advanced high tech that no-else can figure out and that clueless companies then get access to.
Strategically, for ONVIF, this whole thing is problematic. On one hand, some people seem to think that Verkada and closed systems are the instruments of Beelzebub, but on the other they want ONVIF be so tightly controlled so that it can exclude companies, and - i suppose - prevent or limit interoperability between products in the industry. Leading to less choice and less competition, which (if you are an end-user) is always a bad thing. Concentration camps are also bad, but that's a different topic.
What happens when (or if) China and the US gets back on good terms (perhaps a new administration will see things differently)? Now people are going to be confused as to whether it's safe to buy ONVIF labelled products because ONVIF can be required to suspend/exclude members from time to time.
Is it in ONVIFs charter to make it difficult (or impossible) for non-members to adhere to the "standard"? That would be a weird thing for a standard body to do - but helpful to some companies for sure.
ONVIF has brand recognition, but if the brand gets tainted because the ONVIF sticker doesn't guarantee interoperability (for whatever reason), then users and customers will look for something else to provide that.
But once again, an ONVIF conformant (but not certified) will work just fine.
Wait, are you not the same person who has complained about ONVIF implementation problems over the years? :)
I agree with you that "ONVIF is not a collection of brilliant scientists" but there's enough complexity involved that having direct, non-public input from ONVIF and the ONVIF test tool can help ensure the implementation works fully and reliably.
In a very large percentage of installations (fixed cameras) ONVIF is little more than a way to discover the RTSP url needed to get the live feed. For those installs you can always fall back to generic RTSP support - the problem is that those URLs sometimes can be hard to find.
That's a fair description for a 'very large percentage of installations' but there is a non trivial and growing number that use ONVIF for changing camera settings, video analytic alerts, retrieving stored video, etc. There's value in that and benefit of an actual ONVIF conformant product, not just one that claims to be.
ONVIF has brand recognition, but if the brand gets tainted because the ONVIF sticker doesn't guarantee interoperability (for whatever reason), then users and customers will look for something else to provide that.
I think this is a concern for ONVIF. ONVIF is in a Catch-22. It certainly does not want to endorse human rights abuses but it does want its standard to be used as broadly as possible.
As a practical matter, though, these companies need ONVIF more than ONVIF needs them. ONVIF is well established and it takes a lot to gain adoption of a completely different standard. Thoughts?
but there's enough complexity involved that having direct, non-public input from ONVIF and the ONVIF test tool can help ensure the implementation works fully and reliably.
I'm not sure I agree with that, and - if true - it is directly contradicting the principle of being open.
The complaints I have is a) use of SOAP and b) ambiguity in the spec.
a) Is just a technical annoyance - Axis could have made VAPIX open for 3rd parties to implement, but they didn't (and threatened companies that did) and VAPIX is still how 99.99% of all users interact with Axis' cameras. I believe ONVIF is not even enabled per default on the cameras made by a founder of the organization.
b) A spec can be "soft" on details when it shouldn't be. For example, it may say "to get a motion detected event, use /detection/[event id]". And leave it to the camera manufacturer to decide what "event id" is. This creates problems for most VMS vendors, as company 1 uses "motion event" for the id, and company 2 uses "xyyxtg". Both implementations are "to spec", but the VMS vendor needs to keep a table of the names used for the different camera models, firmware versions and so on.
Everyone is technically adhering to the spec, but when company 3 shows up - adhering to the spec - the VMS will not, and cannot, know what id they used. Thus, edge based motion detection doesn't work.
That's a bad spec, and the fabled test-tool will not help here (and who cares about that tool, they can just get a free XProtect and try - and that's ultimately what matters - does it work with the VMS). IDK if the VMS guys have been able to sit in the same room, because they could easily define an ONVIF+ spec that clarifies the grey areas. But now that most VMS's are owned by camera manufacturers, I doubt that will ever happen, and I've had that dream for 20 years, and all I got was this shitty spec called ONVIF.
I don't think ONVIF being open is an endorsement of anything. It's a recognition that open standards are just that - open. This means that Satan can use it. But it's worth the trade-off. If TCP was made by the ONVIF-people, we would not have a functioning Internet. The same could be said about encryption... it's not an endorsement of pedophilia (the argument du jour to "un-invent" encryption) - it's the recognition that math is math.
but if the brand gets tainted because the ONVIF sticker doesn't guarantee interoperability...
In my opinion ONVIF already doesn't guarantee interoperability. I generally avoid quoting any solution that relies on ONVIF unless it's been specifically tested by our technicians with the exact firmware version for the camera, and software version/device pack on the VMS side.
"I would not use ONVIF unless I had no other choice." - Gandalf (Paraphrased)
This allows the Chinese manufacturers to save face as well as make it harder for a reader to immediately confirm who the companies that are restricted / suspended. ONVIF justified that in a statement to IPVM:
In reality the entity list can change at any time - companies can be added or removed - and it's the responsibility of the US government to maintain the list of companies, not ONVIF's
ONVIF told IPVM that the suspension remains for member-only information:
their status as member companies of ONVIF remains current but their access to member-only information is what is suspended.
The most direct issue is the impending suspension of these companies ability to conform their products:
Once a new version of the test tools is required by ONVIF for conformance, affected companies will no longer be able to submit products for conformance.
We are checking with ONVIF when that date is for affected companies no longer being able to conform their products.
Also, Charles interviewed ONVIF at Intersec and we will be publishing on that in the next day.
Update: I have added Charles interview and most importantly confirmation on the date when Dahua, Hikvision, Huawei can no longer obtain ONVIF conformance for its products - March 19, 2020, 2 months from today.
This is based on the new test tool being released on December 19, 2020, and a 3 month grace period before the new test tool must be used.
This allows the Chinese manufacturers to save face as well as make it harder for a reader to immediately confirm who the companies that are restricted / suspended.
My extensive experience with Axis is that they do not like to publicly offend anyone, including human rights abusers. As such, I am not surprised at the lengthy and confusing process they took on this.
“Now people are going to be confused as to whether it's safe to buy ONVIF labelled products“
Onvif has nothing to do with safety or in reality, security...
I’ve no horse in this race but, you’re either open and inclusive or closed and restrictive.
I see an increased likelihood of ‘ONVIF Compatible’ products or approx 50% of the worlds cameras becoming ChinaVIF in fact if ONVIF remain closed, they should remove the O from their name... perhaps replacing it with a C (for closed)
That would make it CNVIF...
On a different point, if <entity list members> can’t contribute to standards it does not mean they cannot comply with them...
because of this shenanigans, several consultants have now removed the ONVIF Conformant requirement from new tenders because ‘it’s no longer assures the client of market-compatible solutions’
I read market-compatible to mean cost-efficient...
if can’t contribute to standards it does not mean they cannot comply with them...
Actually, it literally means they cannot comply with them. Companies cannot claim to comply or confirm with ONVIF unless they use validate using the ONVIF test tool.
because of this shenanigans, several consultants have now removed the ONVIF Conformant requirement from new tenders because ‘it’s no longer assures the client of market-compatible solutions’
I agree with your broader point that this creates confusion and increased complexity but given what these companies have done, it is a helpful measure to counterbalance their abuses.
Genuine question: who provided cameras and recorders for Guantanamo Bay?
Hik are going out of their way to distance themselves from the reported issues in CN. I don’t blame them TBH.
We will never know the whole truth... there’s a lot of mainstream media reporting that seems to have circular references to the same pieces of ‘evidence’. Security systems are in place to detect and deter terrorism and pedophiles... same as in the UK and USA.
I have a colleague from this region who is neither pro government or pro rebel who tells a long and interesting story of the atrocities on both sides going back centuries. Imprisoning someone because of their political beliefs is fundamentally wrong in my book(I’m not wishing to reopen this debate so please don’t flame!)
There is probably more surveillance into normal citizens in the UK by the time you count internet and email snooping, cellphone tracking, vehicle tracking, ANPR, facial recognition etc. The Police in just one county (size reference for US readers, your chesterfield county is about the size of the UK) of around 500k inhabitants, captures 1.3m vehicle registration plates!
back to the original topic...
when IBM had a monopoly on business pc’s, they locked a smart group of techies in a building to create an instruction set so that others could be ’IBM compatible’. OBM as a commercial entity had closed doors, yet other vendors/manufacturers suddenly became able to run the same software, perform the same functions etc. This situation is generally the same... I will be surprised if ONVIF compatible doesn’t occur. What could ONVIF do to stop them? Nothing!
The only time I can see this having any weight is when it’s specified that the ‘cameras shall be onvif conformant.’ Most specs still state ‘or equal and approved’ which for those of you who don’t work in the UK contracting industry means ‘or cheaper/better that fulfills the operational requirements’ thus that’s how we alter a proposal to suit our preferences/budget!
Genuine question: who provided cameras and recorders for Guantanamo Bay?
Genuine remark: Trying to minimize the mass brutality and oppression in Xinjiang with Guantanamo Bay is factually wrong and selfish, considering how many make money selling Dahua and Hikvision.
We will never know the whole truth... there’s a lot of mainstream media reporting that seems to have circular references to the same pieces of ‘evidence’.
Security systems are in place to detect and deter terrorism and pedophiles... same as in the UK and USA.
No, it is not. In the UK and the USA, individual rights and innocent individuals are largely protected and you can speak out in defense of them. In the PRC, individuals are mass incarcerated and any protests are promptly censored or imprisoned themselves.
You can watch the BBC clip to get a better feel of this issue:
As for:
There is probably more surveillance into normal citizens in the UK by the time you count internet and email snooping, cellphone tracking, vehicle tracking, ANPR, facial recognition etc.
John, I did not link Guantanamo and Xinjiang... I was interested in who provided them, then I’ll probably comment...
I never said it wasn’t bad in CN, clearly it is!
There maybe privacy laws in place, but they largely don’t apply to the secretive world of law enforcement. Speaking out against them is just as likely to get a marker on your record, thus you’ll get more data collected on you... less likely to get banged up I’ll agree.
Snowden exposed the mass data collection on US citizens (and the rest of us) that was against the constitution - what about the enormous data centre in Utah that allegedly stores all data?
let’s suppose in the unlikely event of it happening, Trump and Xi Jinpin make up and the PRC get removed from the entity list, are you going to be a proponent of Hikuawei? Or at least treat them the same as Axis et al?
are you going to be a proponent of Hikuawei? Or at least treat them the same as Axis et al?
We criticized Dahua and Hikvision for various ethical issues well before the entity list or the US government ban, so it is independent of Trump's position on the matter.
Btw, have you determined how many more years of human rights abuses that the PRC is allowed to have since, as you say, "CN activity whilst it is in progress"?
I'm trying to clear up a misunderstanding about interpreting the bible here. It's not directed towards anyone in particular.
I recommend reading the original source of the saying "Let he who is without sin".
It's about stopping the brutal execution of a woman, by stoning her to death. Something that still happens to this day. It is NOT about letting mass murderers go free because you once drove 40 in a 30 zone. It absolutely was a progressive statement, that was part of advancing a cruel and primitive society into what most of us take for granted today.
I understand that people in general are now using it as a whataboutism and "look who's talking", but that's a misinterpretation.
It's about stopping the brutal execution of a woman, by stoning her to death... It absolutely was a progressive statement, that was part of advancing a cruel and primitive society into what most of us take for granted today.
Agreed and I am not criticizing Jesus.
I understand that people in general are now using it as a whataboutism and "look who's talking", but that's a misinterpretation.
Yes, that's my concern here when it's used as a response to human rights abuses.
To my knowledge, and I'm just a regular civilian so I could be wrong, no Americans (regardless of religious alignment) have been rounded up, brainwashed, gang raped, tortured, and "re-educated" by our military to preach "We love President Trump!" while performing forced labor.
No Americans, to my knowledge, have been forced to replace their murals and shrines and pictures of their religious prophets with pictures of Trump.
I don't think "Let he who is without sin cast the first stone." is a good idea actually. We'll never make anyprogress that way. I think perhaps "one foot in front of the other" or step by step improvements and progress is a better, more effective, plan of action- eventually we'll get somewhere. Sure every nation has problems, but some are more unacceptable than others, and we can all hold each other accountable for a better future on the whole.
And to answer your question with my speculation, I wouldn't be surprised if Hikvision's cameras were in Guantanamo Bay. We lost our DEA account to Jack at Aventura because he lied to them and said his Hikvision was made in the USA. I wonder how many other agencies he sold to under that lie?
With the high level of uncertaintly of an ONVIF camera working as expected within an ONVIF VMS/NVR, being officially compliant isn't really worth much in my opinion. I'd far rather work with a company that is not technically ONVIF compliant, but has the functionality and is willing to work with their customers to solve issues with ONVIF integration.
I've seen too many companies that simply get their product to pass on the ONVIF test tool, and then are completely useless when it comes to actually making it work, as they just say "it passed the test".
I've seen too many companies that simply get their product to pass on the ONVIF test tool, and then are completely useless when it comes to actually making it work, as they just say "it passed the test".
Any specific names you can share? It would be interesting to see if we could replicate this and happy to report on that because it would be a good thing to call attention to.
We've had issues with UNV, TVT and Dahua not actually conforming to ONVIF 100% This is throughout varying product lines and different years though, so currently I'm not sure where we stand. One thing that I know would never stick was the damn time stamp. I haven't checked with my tech staff lately on this issue though, I'll ask them when things slow down a bit.
The Onvif.org website is like 35% of Internet websites using Wordpress. From looking inside the source page HTML, they are using a plugin called Yoast SEO, this has a function which will create an auto-redirect of a page when you change/modify the title. So the original page created for the link spotted by IPVM had the word trashed on it, the re-direct will remain and be automatically created after the title was removed/changed. You have to go and manually remove such automatically created re-directs. Note: This is a Yoast pro function, not the free version. And NO I don't work for Yoast! PS Onvif your WordPress site core is very much out of date by several minor versions. Best be getting that fixed!
The Onvif.org website is like 35% of Internet websites using Wordpress. From looking inside the source page HTML, they are using a plugin called Yoast SEO, this has a function which will create an auto-redirect of a page when you change/modify the title. So the original page created for the link spotted by IPVM had the word trashed on it, the re-direct will remain and be automatically created after the title was removed/changed. You have to go and manually remove such automatically created re-directs. Note: This is a Yoast pro function, not the free version. And NO I don't work for Yoast! PS Onvif your WordPress site core is very much out of date by several minor versions. Best be getting that fixed!
The Onvif.org website is like 35% of Internet websites using Wordpress. From looking inside the source page HTML, they are using a plugin called Yoast SEO, this has a function which will create an auto-redirect of a page when you change/modify the title. So the original page created for the link spotted by IPVM had the word trashed on it, the re-direct will remain and be automatically created after the title was removed/changed. You have to go and manually remove such automatically created re-directs. Note: This is a Yoast pro function, not the free version. And NO I don't work for Yoast! PS Onvif your WordPress site core is very much out of date by several minor versions. Best be getting that fixed!
The Onvif.org website is like 35% of Internet websites using Wordpress. From looking inside the source page HTML, they are using a plugin called Yoast SEO, this has a function which will create an auto-redirect of a page when you change/modify the title. So the original page created for the link spotted by IPVM had the word trashed on it, the re-direct will remain and be automatically created after the title was removed/changed. You have to go and manually remove such automatically created re-directs. Note: This is a Yoast pro function, not the free version. And NO I don't work for Yoast! PS Onvif your WordPress site core is very much out of date by several minor versions. Best be getting that fixed!
The Onvif.org website is like 35% of Internet websites using Wordpress. From looking inside the source page HTML, they are using a plugin called Yoast SEO, this has a function which will create an auto-redirect of a page when you change/modify the title. So the original page created for the link spotted by IPVM had the word trashed on it, the re-direct will remain and be automatically created after the title was removed/changed. You have to go and manually remove such automatically created re-directs. Note: This is a Yoast pro function, not the free version. And NO I don't work for Yoast! PS Onvif your WordPress site core is very much out of date by several minor versions. Best be getting that fixed!
The Onvif.org website is like 35% of Internet websites using Wordpress. From looking inside the source page HTML, they are using a plugin called Yoast SEO, this has a function which will create an auto-redirect of a page when you change/modify the title. So the original page created for the link spotted by IPVM had the word trashed on it, the re-direct will remain and be automatically created after the title was removed/changed. You have to go and manually remove such automatically created re-directs. Note: This is a Yoast pro function, not the free version. And NO I don't work for Yoast! PS Onvif your WordPress site core is very much out of date by several minor versions. Best be getting that fixed!
The Onvif.org website is like 35% of Internet websites using Wordpress. From looking inside the source page HTML, they are using a plugin called Yoast SEO, this has a function which will create an auto-redirect of a page when you change/modify the title. So the original page created for the link spotted by IPVM had the word trashed on it, the re-direct will remain and be automatically created after the title was removed/changed. You have to go and manually remove such automatically created re-directs. Note: This is a Yoast pro function, not the free version. And NO I don't work for Yoast! PS Onvif your WordPress site core is very much out of date by several minor versions. Best be getting that fixed!
The Onvif.org website is like 35% of Internet websites using Wordpress. From looking inside the source page HTML, they are using a plugin called Yoast SEO, this has a function which will create an auto-redirect of a page when you change/modify the title. So the original page created for the link spotted by IPVM had the word trashed on it, the re-direct will remain and be automatically created after the title was removed/changed. You have to go and manually remove such automatically created re-directs.
Note: This is a Yoast pro function, not the free version. And NO I don't work for Yoast!
PS Onvif your WordPress site core is very much out of date by several minor versions. Best be getting that fixed!
