TUYAD Survey Results from Members and the Industry

TUYAD TAKES ITS PLACE AT BROADCAST FAIR | OCTOBER 22–25

Free Cloud Camera Recording Services: Where Are Videos Stored, Who Can Access Them, and What Are the Risks?

Security cameras are no longer merely devices that capture images. They are digital systems that generate personal data, process that data, and often transfer it to cloud-based infrastructures. IP cameras used in homes, small businesses, retail stores, warehouses, residential compounds, and offices have become increasingly common with features such as mobile applications, remote monitoring, motion detection, AI-powered notifications, and cloud recording. For users, these services may appear as “free recording,” “cloud history,” “event recording,” or a “trial plan.” However, behind these seemingly simple offerings lies a critical question: where are camera recordings stored, for how long are they retained, and who can access them?

There is no single answer that applies to every brand or service provider. The country in which recordings are stored may vary depending on the camera brand, the application used, the subscription plan, the user’s location, the provider’s cloud infrastructure, and its backup policy. Some manufacturers clearly state that data may be processed or stored in data centers located in the United States, Ireland, Singapore, or in regions close to the user. Others use broader expressions such as “cloud service providers,” “third-party services,” or “international data transfers.” This lack of clarity is an important assessment point for both individual users and professionals responsible for corporate procurement.

Are Camera Images Considered Personal Data?

Camera recordings may qualify as personal data when the identity of an individual in the footage can be directly or indirectly identified. A person’s face, vehicle license plate, voice, movement time, location, entry-exit pattern, or device data associated with a user account may fall within the scope of personal data. Therefore, security camera recordings should not be treated merely as “video files”; they must also be assessed from the perspectives of privacy, data security, and legal compliance.

The data processed by cloud camera systems is often not limited to video recordings. User accounts, email addresses, phone numbers, IP addresses, device serial numbers, location information, Wi-Fi details, timestamps, motion detection logs, and application usage data may also form part of the system. When AI-powered features such as person, vehicle, pet, or facial recognition are used, the data processing activity becomes even more sensitive.

In Which Countries Are Free Recordings Stored?

The country where free or trial-based cloud camera recordings are stored depends on the service provider. In some systems, recordings are stored directly on a microSD card inside the device or on a local NVR/DVR system. In this model, footage is stored locally; however, features such as mobile applications, remote access, notifications, and user accounts may still cause certain data to be transferred to the provider’s servers.

In the cloud recording model, video recordings are stored in data centers operated by the manufacturer or by the service provider’s contracted infrastructure partners. These data centers do not necessarily have to be located in the same country as the user. Providers may store or back up data in different countries for performance, redundancy, disaster recovery, and service continuity purposes. Therefore, the fact that a camera is used in Türkiye does not mean that the recordings are necessarily stored in Türkiye.

The key point users should consider is how clearly the provider discloses data location in its privacy policy and terms of service. If a brand does not explicitly specify its data center countries, backup regions, subprocessors, and international transfer mechanisms, the data location remains uncertain from the user’s perspective.

How Long Are Recordings Stored?

In consumer-grade cloud camera services, retention periods are usually determined in hours or days rather than years. Free plans may offer a few hours of event history, short preview recordings, or limited cloud storage. Paid plans may offer options such as 7 days, 30 days, 60 days, or, for certain devices, 10 days of continuous recording.

However, it is not sufficient to consider only the video history visible to the user in the application. When a user deletes a recording, it should also be questioned how long it takes for that data to be removed from active systems, backups, logs, and support systems. Some providers may retain certain data for longer periods due to legal obligations, disputes, security investigations, or service operations.

For professional use, recording retention periods must be converted into a formal policy. Businesses should not only ask, “How many days do the cameras retain recordings?” but also assess who deletes these recordings, whether deletion is documented, when the data is removed from backups, and what the applicable legal retention period is.

Can the Service Provider Process the Footage?

Technically, yes. A cloud camera provider may process certain data to store, play, delete, back up, analyze motion, generate notifications, provide support, troubleshoot issues, or improve products. However, such processing must be based on a valid legal ground, a clear purpose, sufficient user notification, and appropriate security measures.

The most critical issue is the purpose for which the footage may be used by the provider. Technical processing necessary for the operation of the service is not the same as product development, AI training, human review, marketing analytics, or third-party sharing. Camera footage may reveal a user’s home, workplace, employees, customers, or private living areas. Therefore, the use of such data for secondary purposes carries a high level of sensitivity.

In the past, official enforcement actions have been taken against certain major camera service providers due to employee or contractor access, the use of customer videos for algorithm training, and deficiencies in account security. These examples demonstrate that the question “who can access recordings on the provider side?” is not theoretical; it is a real security and privacy concern.

Can Footage Be Sold to Third Parties?

If camera footage qualifies as personal data, selling it or transferring it to third parties for commercial purposes is not a freely permitted activity. Such a transfer requires a lawful basis for processing, clear disclosure, explicit consent where necessary, contractual safeguards, and compliance with data transfer rules.

It is important to distinguish between “sale” and “transfer required for the operation of the service.” Data may be transferred to subprocessors for cloud hosting, technical support, payment infrastructure, error logging, or security monitoring. However, users must be informed about who receives the data, for what purpose, in which country, and under which security measures. A camera provider’s statement that “we do not sell personal data” is not sufficient on its own; it is necessary to examine which data is shared, with which parties, and for what purpose.

How Can Users Find Out Where Their Recordings Are Stored?

Users and organizations should first review the privacy policy, terms of service, and cloud recording plan page of the camera they use. In these documents, particular attention should be paid to terms such as data center, international transfer, cloud storage, service providers, subprocessors, retention period, backup, deletion, and third parties.

For corporate use, the following questions should be submitted to the provider in writing:

In which countries are video recordings stored?
Are the primary storage location and backup location the same?
Who are the subprocessors and cloud infrastructure providers?
How many days are recordings retained under free and paid plans?
When a user requests deletion, how long does it take to delete the data from active systems and backups?
Can support personnel or third-party contractors access the footage?
Are access activities logged and audited?
Are recordings used for AI training, product development, or analytics?
If there is an international transfer, which legal mechanism is used?

Providers that cannot provide clear and written answers to these questions should be considered high-risk, particularly for corporate and sensitive-area use cases.

Key Security Threats

One of the most common threats in cloud camera recordings is account takeover. Weak passwords, reuse of the same password across different platforms, lack of multi-factor authentication, or credential stuffing attacks may allow malicious actors to access camera accounts.

A second major risk is unauthorized access on the provider side. If support personnel, contractors, or technical teams have excessive access rights, user footage may be misused. Access must be role-based, logged, and regularly audited.

A third risk is cloud misconfiguration. Improperly permissioned storage areas, exposed API endpoints, weak token management, or faulty integrations may lead to the exposure of recordings. Mobile application vulnerabilities, outdated camera firmware, default passwords, and weaknesses in local network security are also significant threats.

In addition, risks related to international data transfers, third-party integrations, unclear deletion processes, AI-based analysis, facial recognition, and motion metadata should also be taken into account. Even if the footage itself is not leaked, metadata such as motion time, location, home occupancy patterns, or business activity levels may constitute sensitive security information.

TUYAD closely monitors issues related to data security, user policies, and potential security breaches in cloud-based camera recording systems. TUYAD President Hayrettin Özaydın emphasized that, in security camera systems, not only image quality and price but also where recordings are stored, who can access them, how long they are retained, and under which policies they are processed are of critical importance. He stated that TUYAD continues its reporting and information activities to ensure that the sector has access to accurate information and that end users are properly informed. Highlighting that data security is a fundamental element of sectoral trust, TUYAD underlined the importance of more transparent data policies by service providers and greater user awareness on this issue.

Free cloud camera recording services offer ease of use and cost advantages, but they must be evaluated carefully from a data security perspective. In many cases, users do not know in which country their recordings are stored, how many days they are retained, who can access them, and for what purposes the footage may be processed.

The selection of a security camera should not be based solely on resolution, night vision, price, and mobile application experience. A camera is also a system that processes personal data. Therefore, data location, retention period, international transfers, subprocessors, access rights, encryption, deletion processes, and third-party sharing must be integral parts of the purchasing decision.

The most appropriate approach is to prefer providers that clearly document where recordings are stored, define retention periods transparently, offer users deletion and access rights, support multi-factor authentication, and explain third-party data processing practices in a transparent manner. In cloud camera systems, real security does not begin merely with recording images; it begins with knowing where, how, and under whose control those images are stored.

Child Safety in Digital Games: Age Limits, Hidden Risks, and the Real Limits of Family Control

Digital games are no longer just entertainment products; they are a large digital ecosystem where children socialize, spend money, build identities, and sometimes become open to manipulation. Mobile games, computer and console games, and multiplayer productions played over the internet have turned into a global industry reaching billions of users. According to Newzoo’s 2025 data, the global gaming market has reached a revenue of 188.8 billion dollars and approximately 3.6 billion players; about 55 percent of the revenue comes from mobile games. In the same report, the number of mobile players is estimated at approximately 3 billion, PC players at 936 million, and console players at 645 million.

The situation is also striking in terms of Turkey. According to TÜİK’s “Survey on the Use of Information Technologies by Children 2024,” the rate of children who state that they play digital games is 74 percent. This rate shows that the issue of gaming should be addressed not only as a “leisure habit,” but together with topics such as child safety, consumer rights, data privacy, and mental health.

When popular games are examined, productions where children and young people are intensely present include Fortnite, Minecraft, Roblox, Counter-Strike 2, League of Legends, Valorant, EA Sports FC, PUBG, Royal Match, Pokémon GO, Coin Master and similar games. In Newzoo’s 2026 ranking of monthly active PC users, Counter-Strike 2, Minecraft, Roblox, Fortnite and League of Legends are at the top, while on the mobile side games such as Pokémon GO, Royal Match, Coin Master and PUBG are in strong positions in different revenue categories.

How Valid Are Age Restrictions?

When it comes to age restrictions in games, the best-known systems are PEGI, based in Europe, ESRB, based in the USA, and the IARC system used in digital stores. PEGI indicates the suitability of content to age with labels such as 3, 7, 12, 16 and 18; it also uses warnings such as violence, fear, bad language, gambling, online interaction and in-game purchases. ESRB, in addition to classifications such as “Everyone,” “Teen,” “Mature 17+,” provides interaction warnings such as “in-game purchases,” “users interact,” and “shares location.” IARC is an automatic age rating infrastructure used globally for digital games and applications.

However, the critical problem here is this: age labeling and age verification are not the same thing. A game being PEGI 12 or ESRB Teen does not mean that a child cannot access that game. If the child uses an adult account, enters the date of birth incorrectly, has a family payment card registered, or platform settings are not configured correctly, the age label often remains only as an informative warning. For this reason, the real effect of age restrictions depends on the control mechanism established together by the game company, application store, device manufacturer and the family.

How Are Children Manipulated in Games?

One of the most common manipulation methods directed at children is that in-game economies obscure the feeling of real money. Virtual currencies, diamonds, tokens, chests, costumes and temporary campaigns abstract the money spent by the child. Messages such as “only today,” “last chance,” “special package,” “your friends bought it,” “don’t fall behind your team” trigger the feelings of scarcity, belonging and competition.

Another risk area is loot boxes, that is, random reward boxes and chance-based digital rewards. The child spends money without knowing what they will receive; this structure can create psychologically gambling-like expectation loops. In the European Parliament’s 2025 evaluations regarding children’s online safety, loot boxes, dark design patterns, addictive design and commercial manipulations directed at children are listed among special risk areas.

Dark design patterns are not seen only on purchase screens. Daily login rewards, pressure not to break streaks, limited-time events, “battle pass” systems, infinite scrolling logic, automatic matchmaking, continuous notifications and fear of social exclusion are also used to keep children in the game longer. A 2025 academic study has revealed that interface manipulations are widespread in popular free children’s applications and that on average more than one deceptive design pattern exists in applications.

Financial and Psychological Harms

The most visible examples of financial harms are unauthorized in-game purchases, accidental expenditures and the child’s inability to comprehend the difference between virtual money and real money. The U.S. Federal Trade Commission’s Epic Games/Fortnite file is striking in this regard: Epic Games accepted a settlement of 520 million dollars due to allegations related to children’s privacy and dark design patterns; 245 million dollars of this amount was allocated to consumer refunds due to misleading payment designs. The FTC announced in 2025 that the total of refund payments to Fortnite players approached approximately 200 million dollars.

Psychological harms are more complex. In the World Health Organization’s ICD-11 classification, “gaming disorder” is defined with symptoms such as loss of control over gaming, giving more priority to gaming than other activities, and continuing despite negative consequences; for diagnosis, significant functional loss and continuity are generally required. This does not mean that every child who plays a lot of games is addicted; however, if school success, sleep, family relationships, physical activity and social life are deteriorating, the risk should be taken seriously.

Social risks in online games are also large. Voice chat, written messaging, private room invitations, user-generated content and interaction with strangers increase the risks of cyberbullying, inappropriate language, fraud, harassment and grooming. In Ofcom’s 2025 report on children and parent media use, it is stated that a significant portion of children aged 8–17 have been exposed to offensive or harmful behaviors through online games.

Where Does the System Fail?

Some of the gaps originate from game companies. Many games, despite knowing the presence of child players, establish their revenue model on in-game purchases, random rewards, aggressive notifications, social pressure and continuous event cycles. Age control mostly relies on user declaration. Spending limits, chat safety, advertisement distinction, data collection and matching algorithms are not sufficiently transparent for most users.

The second gap is in game stores and device ecosystems. Although Apple, Google, Xbox and PlayStation offer parental control tools, these remain ineffective when not set correctly. Apple can link children’s purchase and download requests to parental approval with “Ask to Buy.” Google Play parental controls provide restrictions on content downloads and purchases; however, Google states that purchase approvals are only valid through the Google Play billing system. Xbox Family Settings offer time and content management on console and Windows, while there are cases where settings do not cover mobile games. PlayStation family management provides controls such as chat, user-generated content and monthly spending limits.

The third gap is fragmented control on the family side. The child may use different accounts on phone, tablet, console and computer. Even if the parent restricts only device time, in-game chat, spending, adding friends, watching live streams or communication on side platforms such as Discord may continue. For this reason, “screen time” alone is not a sufficient security criterion.

What Should Be Done?

From the sector perspective, the priority should be to make child accounts safe by default. Private messaging should be closed for children, spending limits should start from zero, loot box and random reward mechanics should be disabled in child accounts, advertisements should be separated by age, data collection should be minimized and algorithms should be opened to independent audit. The European Union’s Digital Services Act guidelines for 2025 also emphasize that privacy should be high by default, the impact of recommendation systems on children, blocking/muting tools and measures against harmful commercial practices should be taken.

From the family perspective, the basic approach should be to configure before banning. The child should not be given an adult account; a child account should be opened on every platform, age should be entered correctly, purchase approval should be activated, registered cards should be limited, voice chat and receiving messages from strangers should be turned off, in-game spending limits should be set, PEGI/ESRB warnings should be read and the game should be experienced together. Most importantly, children should be given digital awareness with questions such as “why does this game call you back every day?”, “why is this package limited?”, “do you really know what will come out of this box?”

As a result, digital games are not harmful on their own; in fact, when chosen correctly, they can be valuable in terms of problem solving, coordination, socialization and creativity. The problem is that children are placed into an economy of money, data and attention designed for adults without sufficient protection. A safe gaming ecosystem is the shared responsibility not only of families but also of game companies, platforms, device manufacturers, regulatory institutions and the education system.

In this context, TUYAD holds an important position as one of the sector representatives that closely follows developments in digital games, broadcasting technologies, mobile and online platforms and end-user safety. TUYAD President Hayrettin Özaydın follows current studies regarding risks that children may encounter in digital environments, age restriction applications, family control systems and technological security solutions; he continues his contacts with relevant stakeholders and awareness activities for the sector to develop in a more conscious, safe and sustainable manner. TUYAD – Association of Telecommunications, Satellite and Electronics Industrialists and Businesspeople – continues to contribute to studies that will shed light on the future of the sector by emphasizing that the opportunities provided by technology should be handled together with user rights, child safety and social responsibility principles.