Defensive counter-surveillance framing · find-vs-make asymmetry vs AirTags · regional rules surveyed (not legal advice) · found-camera data handling and chain-of-evidence basics

13.1 About this volume

Every volume in this series carries a posture marker. Vol 1 established the baseline: “Posture: defensive counter-surveillance throughout. This topic is finding cameras hidden by someone else — Airbnb hosts, stalkers, voyeurs. The framing is squarely defensive.” Vols 3 and 6 each carry a consenting-environment gate for the two offensive-adjacent techniques documented in this series (deauth-confirm and analog FM-video demodulation of a found stream). Vol 12 restated the posture at its “About this volume” section and again in the data-handling constraints at its Resources section.

This volume gathers the posture spine in one dedicated place. Rather than a single callout buried at the end of a technical section, this is the comprehensive treatment: what the defensive framing means and why it matters (§2), where exactly the find-vs-make line sits and why this series is almost entirely on the find side (§3), what the regional legal landscape looks like at a high level for both the sweep and the content you may encounter (§4), and what to do once you have actually located a camera — the data-handling protocol that keeps you out of legal jeopardy and preserves the evidentiary value of your find (§5).

What this volume is not. It is not a legal guide and it is not a comprehensive treatment of surveillance law across every jurisdiction. Regional rules are presented as high-level orientation only — the shape of the law (what categories of statute apply, which well-established federal examples exist), not as specific legal advice for specific situations. The ../../_shared/legal_ethics.md document is the hub-wide gate for all technique decisions; this volume supplements it with the camera-detection-specific framing. For any real-world situation involving law enforcement, platform disputes, or legal risk, consult a lawyer in your jurisdiction.

What is established here vs what was established earlier. This volume takes the posture claims from earlier volumes as given and does not re-derive the technical material. The deauth-confirm gate is argued from first principles in Vol 3 §6.3; this volume quotes its conclusion. The analog-demod gate is argued in Vol 6 §2.7; this volume quotes its conclusion. This volume focuses on the posture framework — the organizing principles that explain why those gates exist and how to apply similar reasoning to any technique encountered in a sweep.

Provenance. All claims about regional law are high-level, orientation-grade, and not legal advice. Named statutes are cited as illustrative examples of law categories that exist, not as a complete or authoritative legal survey. Penalty ranges and enforcement specifics are not stated. Consult primary legal sources and qualified legal counsel for your jurisdiction.

13.2 The defensive framing

13.2.1 Counter-surveillance the governing posture

This entire series is written from the perspective of the person being surveilled — or more precisely, the person who suspects they are being surveilled and wants to find out. The sweep subject is not the public, not a third party, not a network you do not own. The sweep subject is the private space you occupy: the Airbnb apartment you rented for the weekend, the hotel room you checked into, the gym changing room you use, the temporary office you’re working from.

Counter-surveillance is the practice of detecting, identifying, and neutralizing surveillance being conducted against you without your knowledge or consent. It is the mirror image of surveillance: where surveillance installs or operates a monitoring device to observe a subject, counter-surveillance detects that the monitoring is happening. The defensive posture is baked into the definition of the practice.

Defensive framing — the governing posture of this series

Every technique documented in the CameraDetection deep dive (Vols 1–15) is oriented toward finding cameras that someone else installed in a space the finder legitimately occupies. The techniques are tools for answering the question: “Is there a hidden camera here that I did not place and did not consent to?” They are not tools for installing surveillance, monitoring third parties, or accessing content from cameras on networks the finder does not control. Where this distinction is maintained, the practice is counter-surveillance. Where it is abandoned, it becomes the offense being defended against.

This framing is not aspirational. It has concrete technical and legal consequences: it determines which techniques are within scope, which are gated to consenting-environment use, and which are out of scope entirely.

The distinction matters for legal analysis because most surveillance-related law is written from the standpoint of protecting privacy — the victim’s standpoint. Finding a camera that violates your privacy is the act the law was written to protect; installing such a camera is the act the law was written to prohibit. The counter-surveillance finder is generally on the protected side of that line.

“Generally” is doing real work in that sentence. Two caveats limit the categorical claim:

The found-signal problem. When you detect a camera’s radio signal (a Wi-Fi beacon, an analog FM-video carrier), the camera’s existence is on the right side of the law — your finding it is lawful. What you do with the signal content is potentially on the wrong side: demodulating and viewing the video from a camera that is recording you is the finder viewing footage whose interception may be regulated. The camera’s operator committed the offense; the finder is detecting that offense. These are legally distinct acts.
The technique problem. Some detection techniques (deauth-confirm, signal injection, packet replay) cross the line from passive detection into active interference with a device or network. Even when used defensively, they touch statutes that do not have a “defensive intent” exception. These are the gated techniques treated in §3.

13.2.2 The real-world threat landscape

Understanding the threat landscape matters for calibrating both the sweep procedure and the posture. Hidden cameras are not a theoretical threat. Documented cases in the public record establish the following patterns:

Airbnb and vacation rental cameras. Since roughly 2017, law enforcement and news reporting have documented hundreds of cases involving cameras found in Airbnb, VRBO, and other short-term rental properties. The cameras are predominantly consumer-grade Wi-Fi cameras (Wyze Cam, Reolink, Eufy, TP-Link Tapo, generic Amazon cameras) installed in smoke detectors, USB wall chargers, alarm clocks, picture frames, and decorative objects — the same high-risk objects identified in the Vol 12 sweep procedure. The installers range from single-property operators to multi-property hosts with systematic monitoring. Airbnb’s own policies prohibit undisclosed cameras in private spaces (bedrooms, bathrooms, changing areas); the breach of those policies is also typically a criminal offense in the jurisdiction where it occurs.

Hotel rooms. Cases involving hotel and motel room cameras are documented in law enforcement records across the US, UK, South Korea, and Southeast Asia. Hotel installations tend to be more deliberate and longer-term than vacation rental cases — suggesting either staff installation or devices placed by prior guests. The camera placement vectors (smoke detectors, clock radios, USB outlets) match the vacation rental pattern.

Changing rooms, restrooms, and gyms. These are the highest-expectation-of-privacy settings in public life. Cases involving cameras in gym changing rooms, retail fitting rooms, public restrooms, and workplace bathrooms are documented in law enforcement records in most English-speaking jurisdictions. The offenders in these cases are frequently prosecuted under video voyeurism statutes (see §4.3) and face felony charges in most US jurisdictions.

Domestic and stalking scenarios. A significant fraction of hidden-camera cases involve intimate-partner violence or stalking: a partner or ex-partner installing a camera in a shared or formerly-shared residence to monitor the subject. These cases intersect with harassment and stalking law as well as surveillance law.

The typical attacker profile. The overwhelming majority of documented real-world hidden-camera installations use off-the-shelf consumer cameras purchased from Amazon or local electronics retailers. They are not sophisticated TSCM-class installations. They use standard Wi-Fi protocols, announce themselves on the network with vendor OUI prefixes, and in many cases are set up on the property’s own Wi-Fi network — discoverable by a basic Fing scan. This aligns with the Vol 3 and Vol 12 finding that the most valuable single sweep tool for travelers is a network scan (Fing + mDNS + OUI) combined with a lens finder (SpyFinder Pro).

13.2.3 What the defensive posture permits and constrains

What the defensive posture permits:

Passive detection in your occupied space. Spectrum sweeping, Wi-Fi network scanning, optical retroreflection sweeping, thermal triage, physical search — applied to a space you legitimately occupy — are squarely within counter-surveillance scope.
Documenting and reporting a find. Photographing a discovered camera in situ and contacting law enforcement and the platform are both within scope and are the appropriate responses. See §5 for the protocol.
The gated techniques, in consenting environments. Deauth-confirm and analog FM-video demodulation are documented for consenting-environment use only — a device you own, or a space/network where you have explicit authorization.

What the defensive posture does not permit:

Installing cameras yourself. Installing a camera in a shared space without the occupants’ knowledge is surveillance, not counter-surveillance. Nothing in this series provides a basis for that.
Accessing content from cameras you did not install. Finding a camera and viewing its stored footage or RTSP stream is legally distinct from finding the camera. The data-handling protocol is in §5.
Sweeping someone else’s space. A space you do not occupy without the owner’s authorization is not your sweep target.
Active techniques on networks you don’t own. Deauth, probe injection, and ARP poisoning on a network you don’t control are unauthorized even when the intent is defensive.

13.3 The find vs make line

13.3.1 Find-side vs make-side the core distinction

Every counter-surveillance topic has two possible orientations:

Find-side: You are detecting and locating devices that others have placed. The subject of the techniques is a device you did not install and do not control.
Make-side: You are designing, building, placing, or operating devices of the type being discussed. The subject of the techniques is a device you are creating or deploying.

For some topics in the Hack Tools hub, both orientations are legitimate and documented. For the CameraDetection topic, the orientation is almost entirely find-side.

The definition of “find-side” for this series:

Vol 1–6: Detection physics, camera taxonomy, per-emission-class detection methods — applied to cameras you did not place, to locate and identify them.
Vols 7–8: Building a detector device — a device that finds cameras, not one that operates as a camera. The device under construction is a finder, not a hidden camera.
Vols 9–12: Commercial detectors, open-source projects, sweep methodology — all oriented toward finding.
Vols 13–15 (this volume and forward): Posture, comparison, and field cards — synthesizing the find-side approach.

The make-side of the hidden-camera problem — designing, building, and deploying hidden cameras — is out of scope for this series entirely. That is the offense being defended against, not a topic this series documents. If there is interest in the make-side for understanding attacker capabilities, that analysis belongs in a different context (threat modeling, adversarial research). The offensive side of the surveillance-device topic, in the Hack Tools hub, would be treated under a different deep dive if warranted — not under the CameraDetection find-side series.

13.3.2 Asymmetry vs AirTags

The CameraDetection and AirTags deep dives are the two counter-surveillance topics in the Hack Tools hub. They are close siblings — both cover the “find the hidden emitter” problem — but they differ in a structurally important way: asymmetry.

The AirTags deep dive is symmetric: it covers both making trackers (DIY Find My beacons using OpenHaystack or ESP32-based implementations, enrolling custom devices in the Apple Find My network) and finding unwanted trackers (AirGuard, native OS detection alerts, the Apple/Google DULT spec, BLE-scan RSSI-walk detection). A practitioner using the AirTags series legitimately may both build new Find My beacons and find/disable unwanted trackers placed by others. The make-side and find-side coexist in that topic because making a beacon is legitimate (asset tracking, personal tracking) and finding an unwanted beacon is also legitimate (anti-stalking).

The CameraDetection deep dive is asymmetric: it is almost entirely find-side. There is no legitimate personal-use case for deploying hidden cameras in spaces occupied by others without their consent. The “make” side of the hidden-camera topic is the offense. This asymmetry is not incidental — it is the defining feature of the topic’s posture and the reason the defensive framing is so central here.

Find-vs-make comparison table:

Table 1 — Find-vs-make comparison table:

Dimension	CameraDetection (this series)	AirTags (sibling series)
Find-side documented	Yes — the primary arc (Vols 1–12)	Yes — detecting unwanted trackers
Make-side documented	No — making hidden cams is the offense	Yes — making Find My beacons (OpenHaystack, ESP32)
Make-side legitimacy	None in a counter-surveillance context	High — personal asset tracking is a common use
Asymmetry	Strongly asymmetric (find-only)	Symmetric (both find and make)
“Build the finder” arc	Yes — Vols 7–8 build a camera finder	Partial — covered via existing tools (AirGuard, Flipper BLE)
Threat actor posture	Installer is the adversary; finder is the defender	Can be either (unwanted tracker = adversary; tracker on own asset = defender)
Closest sibling	AirTags (find-the-hidden-emitter sibling)	CameraDetection (find-the-hidden-emitter sibling)

The build-the-finder exception. Vols 7 and 8 document building a Wi-Fi-camera-finding device: an ESP32-S3 scanner with a vendor-OUI fingerprint database, RSSI-walk localization, traffic-rate confirmation, and optional RF-sweep and optical-lens-finder add-ons. This is a “make” activity — building a device — but the device made is a finder, not a camera. The make-side of Vols 7–8 is on the find-side of the camera problem. There is no contradiction.

13.3.3 The few offensive-adjacent techniques

Two techniques documented in this series are offensive-adjacent: they are documented here for their value in counter-surveillance, but they cross the line into active interference with a device or signal, and carry legal exposure outside the consenting-environment constraint.

Technique 1: Deauth-confirm (Vol 3 §6)

Deauthentication is a management-frame notification in 802.11 that terminates a station’s association with an AP. In WPA2 networks, management frames are unauthenticated — any device on the network can forge a deauth frame with any source MAC address. The deauth-confirm technique sends a forged deauth to a suspected camera’s MAC address and observes whether the device reconnects — confirming it is a live Wi-Fi client, not a stale ARP entry.

Why it is offensive-adjacent: Sending a deauth frame to a device on a network you do not own is active management-frame injection — a brief disruption of the target’s association. Statutes governing unauthorized interference with networks (CFAA in the US; CMA 1990 in the UK; equivalents elsewhere) generally do not include a “defensive intent” exception.

The gate: Deauth-confirm is documented in Vol 3 §6 for networks you own and control, or where you have explicit written authorization from the network owner. In the typical traveler scenario the network is the property’s; the passive detection tracks (OUI scan, mDNS/SSDP, traffic-rate correlation in monitor mode) are the authorized path. Deauth-confirm is not.

Technique 2: Analog FM-video demodulation to view content (Vol 6 §2.7)

When a spectrum sweep identifies an analog wireless camera carrier on 1.2, 2.4, or 5.8 GHz, demodulating that carrier with a HackRF or RTL-SDR lets you confirm the content is a camera feed and not a baby monitor or AV sender.

Why it is offensive-adjacent: Viewing content from a signal you did not install and did not consent to receive may be regulated under wiretap or interception statutes. “Receivable” is not the same as “legal to view.” Identifying that a carrier is present (the spectrum-sweep step) is generally lawful; demodulating and viewing the content is the step that may not be.

The gate: Documented in Vol 6 §2.7 for consenting-environment use: a camera you own, a test/lab setup, or a sweep where authorization explicitly covers content viewing.

Consenting-environment gate — the two gated techniques in this series

Both deauth-confirm (Vol 3 §6.3) and analog FM-video demodulation to view content (Vol 6 §2.7) are gated to consenting-environment use:

Consenting environment means: A device you own and control, OR a space and network where you have explicit authorization from the owner to perform active techniques including the specific step in question.

The traveler scenario (Airbnb, hotel, gym) does NOT satisfy this threshold for either technique. The network is the property’s; the signals may be the property’s. Passive techniques — spectrum identification, OUI scan, mDNS/SSDP listening, traffic-rate correlation in monitor mode, optical sweep, physical search — are authorized. Active injection and content demodulation are not.

When in doubt: Apply the passive technique. The passive alternatives (identifying a carrier is present without demodulating it; passive OUI + mDNS scan without deauth) accomplish the detection goal for the purposes of finding the camera. The gated techniques are confirmation escalations, not primary detection methods.

The ../../_shared/legal_ethics.md document is the hub-wide gate and the authoritative reference for all offensive-adjacent technique decisions.

13.3.4 Gated-technique table

The table below summarizes every technique in the series that carries a gate or posture constraint, the section where the gate is argued, and the constraint.

Table 2 — 3.4 Gated-technique table

Technique	Volume and section	Gate condition	Authorized context	Not authorized context
Deauth-confirm (send forged deauth to suspect camera MAC)	Vol 3 §6, §6.3	Network you own, or explicit written authorization from network owner	Your own lab network; engagement with written scope	Airbnb, hotel, gym, any property network you don’t own
Analog FM-video demodulation to view content (WFM demod of found carrier)	Vol 6 §2.7	Consenting-environment authorization covering content demodulation	Your own camera in test; authorized sweep with content-view permission	Traveler sweep of rented space; any found signal without content-view authorization
Spectrum carrier identification (identifying that a carrier is present, frequency/bandwidth only)	Vol 2, Vol 6 §2.3–2.5	No gate — passive identification of existing transmissions	All sweep contexts (Airbnb, hotel, your own space)	N/A — passive identification has no gate
Passive Wi-Fi scan / OUI lookup (monitor mode scan, no injection)	Vol 3 §2–4	No gate — passive capture and analysis	All sweep contexts	N/A — passive capture has no gate
RSSI-walk localization (walking toward stronger signal)	Vol 5 §5	No gate	All sweep contexts	N/A — passive localization has no gate
RTSP probe (probing port 554 on a camera you’ve already located on your network)	Vol 3 §4	Use only on network you own or have joined with authorization	Your network; a network you are authorized to use	Property network without authorization to probe devices
Physical search and borescope	Vol 12 §2.8	No gate for your own occupied space	Hotel room, Airbnb, changing room you occupy	Another person’s space you do not occupy or have authorization to search

13.4 Regional rules

13.4.1 Frameworks and the not-legal-advice notice

NOT LEGAL ADVICE. The content in this section is high-level orientation only. It describes the categories of law that exist in major English-speaking and EU jurisdictions as they relate to hidden cameras and counter-surveillance sweeps. It does not constitute legal advice. Named statutes are cited as illustrative examples of established law; they are not a complete survey of applicable law in any jurisdiction. Statutory penalties, enforcement practice, and case law are not presented. If you find a hidden camera, or if you believe your own conduct during a sweep may have legal implications, consult a lawyer in your jurisdiction before taking action. This series, and this volume in particular, cannot substitute for legal counsel. See also ../../_shared/legal_ethics.md.

With that notice stated clearly, the regional landscape can be oriented around three categories of law that apply to the hidden-camera problem:

Category A: Surveillance-device installation laws (what the camera installer did). Most jurisdictions have statutes that specifically prohibit installing a recording or observation device in a private space where people have a reasonable expectation of privacy — a bedroom, bathroom, changing room, or private sleeping area — without their consent. These are generally felony-level offenses. Understanding these laws matters to the finder because they establish that finding and reporting the camera is the right response (the law was violated; the violation should be reported).

Category B: Interception-of-communications laws (what happens to the signal). Statutes governing the interception of wire, electronic, or oral communications potentially apply to signals you detect during a sweep: a camera’s wireless transmission is an “electronic communication” in most legislative frameworks. These statutes generally prohibit unauthorized interception of communications — an act much narrower than passive detection of that a signal exists. The key question is whether demodulating and viewing content constitutes “interception.” In the US, the Electronic Communications Privacy Act (18 U.S.C. §2511 et seq.) provides the framework; viewing content from an intercepted communication without consent is generally prohibited regardless of intent.

Category C: Privacy and data protection laws (what happens to the content). In EU jurisdictions, GDPR and national privacy laws govern the processing of personal data — video footage is personal data, and collecting, storing, or distributing it without a lawful basis is prohibited. In most jurisdictions, you cannot lawfully possess, retain, or distribute footage captured by a camera installed without consent, even if the footage shows you. The content is evidence of a crime; handling it as such (photograph in place, hand to law enforcement) is the correct response.

13.4.2 Laws relevant to the sweep

The sweep itself — applying detection techniques to a space you occupy — is the starting point. The relevant legal question is whether the sweep methods are authorized.

Sweeping your own occupied space. Conducting a counter-surveillance sweep of a space you occupy and are authorized to inspect is generally lawful across English-speaking jurisdictions. A hotel guest sweeping their room is exercising a reasonable protective right. An Airbnb tenant sweeping their rented apartment is doing the same. The sweep itself — applying passive detection methods to your own occupied environment — does not require special authorization.

Active techniques in your occupied but not owned space. Where the law gets complicated is when a sweep technique reaches beyond passive detection into the infrastructure of the property. Specifically:

The Wi-Fi network. The property’s Wi-Fi network is infrastructure you have been given access to use (as a network client), not infrastructure you own. Passive scanning of the network (Fing, mDNS discovery, traffic capture in monitor mode) is generally within the bounds of authorized use of the network connection you were given. Active manipulation (deauth, probe injection, ARP poisoning) is not — it interferes with other devices on the network and potentially with the network itself.
The RF environment. Receiving and identifying RF signals in the space you occupy is passive and generally lawful. Transmitting to affect those signals (deauth is an RF transmission) requires authorization from whoever controls the spectrum use in that space.

No-jamming rule. This applies universally and is restated from _shared/legal_ethics.md: continuous-wave RF jamming of any frequency band is illegal under FCC Part 97/15 (US), Ofcom regulations (UK), and equivalent frameworks everywhere. A camera-jamming device (transmitting into the 2.4 GHz band to disrupt camera transmissions) is not a counter-surveillance tool; it is an illegal jammer. Nothing in this series documents or endorses jamming.

Deauth legality — the concrete implication. Deauth sends forged 802.11 management frames that impersonate a legitimate party. Under the US CFAA (18 U.S.C. §1030) and the UK Computer Misuse Act 1990 s.3 (and EU/AU equivalents), unauthorized transmission of commands to a computer on a network you don’t own may constitute an offense. As a guest on a property network, the authorization to send management frames to other devices on that network is not implied by your network access. It requires explicit owner consent.

13.4.3 Laws relevant to what cameras record

The cameras you may find during a sweep were recording people — possibly including you — without consent. The legal issues that arise from the content are distinct from the legal issues arising from the sweep.

Video voyeurism laws. In the US, federal law (Video Voyeurism Prevention Act of 2004, 18 U.S.C. §1801) makes it a federal crime to knowingly capture an image of a private area of an individual in a federal context without consent. All 50 US states have their own video voyeurism statutes, most enacted between 2000 and 2015; many carry felony-level penalties, particularly for repeat offenses, offenses involving minors, or offenses in protected spaces — classification varies by state. The key element in these statutes is the “reasonable expectation of privacy” standard: bedrooms, bathrooms, changing rooms, showers, and hotel rooms all qualify. The installation of a camera in any of these locations without consent is the offense; the camera’s operator committed that offense. The finder did not.

Two-party and all-party consent for audio. Many jurisdictions require all parties to consent to audio recording. US federal law (ECPA, 18 U.S.C. §2511) sets a one-party-consent baseline, but many states impose stricter requirements. Modern Wi-Fi cameras routinely capture audio — the camera’s operator committed any audio-consent violation; the finder did not. However, a finder who views or retains the captured audio content may face separate exposure.

GDPR and privacy law (EU/UK GDPR). The GDPR (EU 2016/679) treats video footage of identifiable individuals as personal data. A hidden camera installed without consent has no lawful basis (Article 6); its footage is unlawfully obtained personal data. The finder’s appropriate action is to treat the device as evidence and hand it to law enforcement — not to view, retain, or distribute the footage.

13.4.4 Regional overview table

The table below provides high-level orientation only. It is NOT legal advice and is NOT a complete survey of any jurisdiction’s law. Consult qualified legal counsel for your jurisdiction and situation.

Table 3 — 4.4 Regional overview table

Region	Primary law category	Hidden-camera installation prohibited where	Sweep of your own occupied space	Signal demodulation risk	Key references (orientation only)
United States (federal)	ECPA (18 U.S.C. §2511); Video Voyeurism (18 U.S.C. §1801); CFAA (18 U.S.C. §1030)	Federal spaces; all 50 states have additional statutes covering lodging, changing rooms, restrooms	Generally lawful	Demodulating and viewing intercepted content may violate ECPA §2511	US DOJ ECPA resource; state AG offices
United States (state level)	State voyeurism statutes; state wiretap statutes (some stricter than federal)	Bedrooms, bathrooms, changing rooms, hotel rooms — varies by state statute	Same as federal — generally lawful	Two-party/all-party consent for audio varies by state; video demodulation exposure varies	State-specific criminal code; consult local counsel
United Kingdom	Regulation of Investigatory Powers Act 2000 (RIPA); Computer Misuse Act 1990; Protection of Freedoms Act 2012; Human Rights Act 1998 Art. 8	Anywhere with reasonable expectation of privacy; RIPA Part II regulates directed surveillance	Generally lawful as private individual in your own occupied space	Viewing intercepted content may raise RIPA issues; deauth may raise CMA s.3 issues	Ofcom guidance; ICO guidance; RIPA code of practice
European Union	GDPR (EU 2016/679); member-state criminal codes for voyeurism and surveillance	Private spaces with expectation of privacy; all member states have national criminal law	Generally lawful; GDPR processing issues if footage retained	Interception and content processing implicate GDPR lawful basis and member-state wiretap equivalents	EDPB guidance on GDPR video surveillance; national supervisory authority guidance
Australia	State Surveillance Devices Acts (NSW, VIC, QLD, etc.); state criminal codes for voyeurism	Bedrooms, bathrooms, changing rooms, hotel rooms — varies by state	Generally lawful as occupant; state SDAs vary in their possession provisions	Recording private activities without consent violates state SDAs; demod may constitute interception	State-level Surveillance Devices Acts; OAIC guidance
Canada	Criminal Code s.162 (voyeurism); Criminal Code s.184 (interception of private communications); PIPEDA	Private places or circumstances giving rise to reasonable expectation of privacy (s.162)	Generally lawful	Intercepting private communications without consent violates s.184; content retention implicates PIPEDA	Department of Justice Canada summaries; OPC guidance

Note on table scope. This table covers the jurisdiction categories most relevant to likely readers of this deep dive. It omits or only mentions in passing many other jurisdictions with relevant law. It does not address the law of surveillance in commercial or government contexts, which is substantially more complex. This is NOT a legal survey; treat it as a reading list of the law categories to research, not as the research itself.

13.4.5 Key legal risk zones for the finder

Across all jurisdictions above, the legal risks for the finder — the person conducting the counter-surveillance sweep — cluster around four zones:

Risk zone 1: Active technique on an unauthorized network. Using deauth, probe injection, or other active management-frame techniques on a network you do not own or have written authorization to test. This is the clearest legal risk for the finder and the one most directly addressed by the consenting-environment gate in §3.3.

Risk zone 2: Demodulating and viewing content from a found signal. Moving from “I detected a carrier” to “I viewed the video that carrier was transmitting” crosses into content-interception territory under most wiretap and interception frameworks. The first step is detecting; the second step is intercepting. Only the second step is the risky one; passive carrier identification is not.

Risk zone 3: Retaining, distributing, or publishing found footage. If you access a found camera’s storage (microSD card, NVR stream), view the footage, and then retain or distribute it — even to show what the camera was recording — you may be processing unlawfully obtained personal data (EU/UK) or distributing intimate imagery (a separate offense in most US states and in UK law). The correct handling of found storage media is: do not access it; photograph the device in situ; hand it to law enforcement. See §5.

Risk zone 4: Physically disturbing a found device without authorization. Removing a found camera, disassembling it, or powering it down before law enforcement arrives may constitute tampering with evidence in jurisdictions where an investigation is underway. It may also compromise the evidence chain (see §5.5). If you need to leave the scene (you must check out, the space will be cleaned), photograph the device exhaustively and note its exact position and state, then contact law enforcement to advise them. If you can leave it in place for law enforcement, do so.

13.5 Data handling

13.5.1 Found a camera what now the decision tree

The following decision tree covers the immediate choices when a camera is confirmed — “confirmed” means a physical inspection has established that the object contains a camera module (the lens aperture is visible, or the camera housing is identifiable). Instrument hits alone (an OUI match, a glint, a thermal anomaly) are not a confirmed find; the decision tree starts at confirmed.

═══════════════════════════════════════════════════════════════════════
          FOUND A CAMERA — WHAT NOW
═══════════════════════════════════════════════════════════════════════

  ╔════════════════════════════════════════╗
  ║  CONFIRMED CAMERA FIND                 ║
  ║  Physical inspection confirms:         ║
  ║  lens aperture or camera housing       ║
  ╚═══════════════════╤════════════════════╝
                       │
                       ▼
  ╔════════════════════════════════════════╗
  ║  STEP 1: DOCUMENT IN PLACE             ║
  ║  Photograph before touching anything. ║
  ║  • Location (room, floor, address)    ║
  ║  • Object it is concealed in          ║
  ║  • What it is pointing at             ║
  ║  • Date, time                         ║
  ║  DO NOT: power it off / move it /     ║
  ║  open it / access storage             ║
  ╚═══════════════════╤════════════════════╝
                       │
                       ▼
  ╔════════════════════════════════════════╗
  ║  STEP 2: PERSONAL SAFETY FIRST        ║
  ║  Is leaving the space safe?           ║
  ║  If occupant safety is at risk        ║
  ║  (e.g., domestic violence context)    ║
  ║  — leave with documentation, do not   ║
  ║  alert the installer; call police.    ║
  ╚═══════════════════╤════════════════════╝
                       │
                       ▼
             ┌─────────┴──────────┐
             │ Rental property    │ Your own
             │ (hotel, Airbnb,   │ home / space
             │ VRBO, gym, etc.)  │
             └─────────┬──────────┘
                       │                        │
                       ▼                        ▼
  ╔══════════════════════════════╗  ╔═══════════════════════════════╗
  ║  STEP 3A: CONTACT POLICE     ║  ║  STEP 3B: CONTACT POLICE      ║
  ║  (rental property context)   ║  ║  (your own space context)     ║
  ║  Call local law enforcement. ║  ║  Call local law enforcement.  ║
  ║  Do this BEFORE contacting   ║  ║  Camera in your home may      ║
  ║  the platform or manager.    ║  ║  indicate ongoing stalking or ║
  ║  Police can preserve the     ║  ║  intimate-partner monitoring. ║
  ║  scene; the platform cannot. ║  ║  Safety context applies.      ║
  ╚══════════════════════════════╝  ╚═══════════════════════════════╝
                       │                        │
                       ▼                        │ (own space: skip to Step 5)
  ╔════════════════════════════════════════╗    │
  ║  STEP 4: CONTACT PLATFORM / MANAGEMENT║    │
  ║  Airbnb Trust & Safety;               ║    │
  ║  hotel general manager + chain HQ;    ║    │
  ║  gym management + corporate;          ║    │
  ║  Report IN WRITING (email creates     ║    │
  ║  a paper trail the platform must      ║    │
  ║  respond to).                         ║    │
  ╚═══════════════════╤════════════════════╝────┘
                       │
                       ▼
  ╔════════════════════════════════════════╗
  ║  STEP 5: PRESERVE YOUR DOCUMENTATION  ║
  ║  Keep copies: photos, timestamps,     ║
  ║  all communications with police and   ║
  ║  platform. Do not delete.             ║
  ║  Do not post publicly until           ║
  ║  authorized to do so (ask counsel     ║
  ║  or law enforcement).                 ║
  ╚════════════════════════════════════════╝

───────────────────────────────────────────────────────────────────────
What NOT to do at any step:
  ✗  Power off the camera or remove its battery before police arrive
  ✗  Open the device or remove its microSD card
  ✗  Access stored footage (view, copy, or distribute)
  ✗  Post footage or photos of the camera's *output* (what it recorded)
     on social media before police advise it is safe to do so
  ✗  Confront the suspected installer directly
───────────────────────────────────────────────────────────────────────

13.5.2 Document photograph in place

When you first confirm a camera find, the single most important immediate action is documentary photography before you touch anything. This serves two purposes: it preserves the evidentiary state of the device for law enforcement, and it gives you a record if the scene is disturbed before police arrive.

What to photograph:

Table 4 — What to photograph:

Photo	What it establishes
Wide shot of the room with camera location in context	Where the camera was placed and its field of view
Medium shot of the concealment object (smoke detector, USB charger, etc.) in place	The concealment method used
Close-up of the lens aperture or housing	Confirms this is a camera, not a legitimate fixture
Close-up of any visible markings or model numbers	Assists law enforcement in tracing the device purchase
Shot showing what the camera was pointed at	Establishes who was being surveilled
Note the MAC address if visible from your earlier network scan	Assists cloud-account and log warrants

What NOT to touch before photographing:

The camera itself (any adjustment may alter its orientation or disturb fingerprints)
The surface it rests on or is embedded in
Any cabling or power source visible

The powered-state question. Leave the camera powered if it is on — law enforcement can obtain the device’s state and any buffered network activity if it is still live. Powering it off may flush buffers, terminate cloud-recording sessions, and remove the “caught in the act” evidentiary value. Powering off is tampering; leave it alone.

[FIGURE SLOT — Vol 13, § 5.2] A person photographing a hidden camera found inside a smoke detector, with the smoke detector lid removed, using a smartphone. The camera lens is visible. Source: Photo Helper search “hidden camera found smoke detector documentary photography evidence” — or a counter-surveillance demonstration photo from a TSCM educational resource. Caption when filled: “Figure 13.1 — Documenting a confirmed camera find in situ. Photograph the device in place before touching anything: the location, the concealment object, the lens aperture, and any visible markings. Leave the device powered and in position for law enforcement. Photo: [credit]. [License].”

Personal safety overlay. In domestic-violence or stalking contexts, the existence of the camera means the installer may be monitoring real-time. If you suspect the camera feeds a live stream to the installer and the installer may be physically dangerous, your safety takes priority over preserving the device: leave the space with your documentation and call law enforcement from a safe location. In a rental context (Airbnb, hotel) this risk is lower because the installer is typically not physically monitoring in real time, but the possibility cannot be ruled out.

13.5.3 Report who to tell and in what order

The correct reporting order matters. The platform (Airbnb, hotel chain) and law enforcement have different capabilities, different incentives, and different legal authority. Contacting them in the right order maximizes both the investigative outcome and your own legal and financial position.

1. Law enforcement — always first. Call local police (non-emergency line or 911/999/112 if urgent). Give your location, what you found, and confirm you have photographed it in place. Law enforcement can initiate a criminal investigation, preserve the scene, and obtain warrants for the camera’s content and cloud records. The platform cannot do any of these things. Contacting the platform first — without police — gives the platform the opportunity to handle the incident through their own Trust & Safety process rather than criminal channels.

2. The rental platform or hotel — second, and in writing. Report in writing (email or in-app messaging) after contacting law enforcement. Include the date, location, and any police case number. Writing creates a paper trail the platform must respond to.

Platform reporting contacts (current as of authoring date; verify when using):

Table 5 — Platform reporting contacts (current as of authoring date; verify when using):

Platform	Report channel	Notes
Airbnb	airbnb.com/help/article/1386 or in-app Help > Safety	”Undisclosed camera” is a listed option; Trust & Safety team responds
VRBO / Vrbo	vrbo.com/info/help-center/policies/safety-report	Similar process; note case number from police
Booking.com	Through the platform’s “Report an issue” link or contacting Booking.com customer service	Less structured than Airbnb; escalate to Booking.com Trust & Safety
Hotel chains	Contact property general manager first; escalate to chain corporate	Many chains have a privacy or safety email; check the chain’s website
Gym / fitness	General manager of specific location; corporate member relations	Ask for incident report confirmation in writing

3. Consider legal counsel before publishing. If you intend to publish photographs of the camera (on social media, to news media, or elsewhere), consult a lawyer first. Issues include: potential defamation liability if the installer is identified incorrectly, privacy issues if the publication reveals the camera’s content (even incidentally), and whether publication might complicate an active police investigation. Many jurisdictions protect the right to report what happened to you, but the details matter.

13.5.4 What not to do tamper and broadcast

The most common mistake made by people who find hidden cameras is to do too much: open the device, view the footage, and share what they found. Each step in that sequence is harmful — to the investigation, to the finder’s legal position, and in some cases to third parties whose images may appear in the footage.

Do not open the device or remove its storage. The camera’s microSD card (if it has one), its internal flash memory, and its network logs are evidence. Opening the device — removing a screw, pulling out the card, cracking the housing — potentially destroys fingerprint evidence, disrupts the device’s internal state, and constitutes physical tampering with evidence in jurisdictions where an investigation has begun (or may begin). Even if you do not view the footage, physically disturbing the storage medium may compromise its evidentiary value in court.

Do not access or broadcast the footage. Even if the microSD card is accessible without disassembly, do not insert it into your phone or laptop, access the RTSP stream, or log into the cloud account. Accessing stored content may constitute unauthorized interception, processing of unlawfully obtained personal data (GDPR), or possession of intimate imagery — and viewing it does not help law enforcement. Posting footage from a found camera, even briefly, may violate non-consensual intimate-imagery laws (a criminal offense in the UK, Australia, Canada, all 50 US states, and most EU member states), complicate an active investigation, and create defamation liability if the installer is misidentified.

Do not confront the suspected installer. Contact law enforcement and let them handle the confrontation. They may destroy evidence or become dangerous.

13.5.5 Chain-of-evidence basics

“Chain of custody” (sometimes “chain of evidence”) is the documented, unbroken sequence of custody of a piece of evidence from the moment of discovery to its presentation in court. Breaking the chain — by handling the evidence in ways that cannot be accounted for, or that could have altered its state — can render it inadmissible and prevent prosecution of the installer. Law enforcement needs to establish: where the device was placed (your in-situ photography), that its state was not altered from discovery to lab analysis (the unbroken handoff chain), when it was placed (camera storage timestamps, DHCP logs, purchase records), and who placed it (fingerprints, purchase records, cloud-account links). All of those investigations require law enforcement authority — none are accessible to you without a warrant.

Your role in preserving chain of evidence:

Table 6 — Your role in preserving chain of evidence:

Your action	Effect on chain of evidence
Photograph in place, touch nothing	Establishes discovery state; chain intact
Call police, describe location	Police document scene officially; chain established
Leave device powered	Cloud session may still be active; logs obtainable
Disclose to police everything you touched during the sweep	Concealment is worse than disclosure
Access microSD card or RTSP stream	Breaks the evidence chain for that medium
Power off the device before police arrive	Flushes volatile state; potentially tampering
Open the device or remove hardware	Destroys fingerprints; breaks chain

The “if I have to leave” scenario. If you must vacate the space before police arrive — your flight is in two hours, the checkout time is now — photograph everything exhaustively (device, location, pointing direction, power state), communicate the exact location and state to the responding officer by phone, and leave the device in place if at all possible. If leaving it in place risks it being disturbed by cleaning staff or the next occupant, it may be necessary to remain at the property and coordinate directly with management to prevent access to the room until police arrive. Request a late checkout for this reason; document the request.

13.6 Resources

13.6.1 Within this series

Table 7 — Within this series

Volume and section	Relevance to Vol 13
Vol 1 §1 — About this volume	Establishes the “defensive counter-surveillance throughout” baseline
Vol 3 §6, §6.3 — Deauth-confirm	Technical detail + consenting-environment gate argued from first principles
Vol 6 §2.7 — Analog FM-video demodulation gate	Consenting-environment gate for content viewing
Vol 12 §1 — About this volume	Posture in sweep-methodology context; the three honest constraints
Vol 12 §6 — Resources	Jurisdiction note; legal_ethics.md cross-link
Vol 14 — Comparisons and decision guide	Coverage-vs-cost reasoning for sweep investment decisions
Vol 15 — Cheatsheet	Will include a condensed found-camera response card based on §5 of this volume

13.6.2 Legal and ethics cross-references

../../_shared/legal_ethics.md — The hub-wide gate for all offensive-adjacent techniques in the Hack Tools collection. Read before any sweep that involves active techniques (deauth, probe injection, anything that transmits into a network you don’t own). The rules stated there are the baseline; this volume’s posture treatment is the camera-detection-specific application of those rules.
AirTags deep dive (sibling project, ../AirTags/) — The symmetric counterpart to this series. The AirTags series covers both making trackers (OpenHaystack, ESP32 Find My beacons) and finding unwanted trackers. Its posture treatment covers the make-and-find duality that this series explicitly does not have. For contrast, reading the AirTags posture and legal sections alongside this volume clarifies why the find-vs-make asymmetry documented in §3.2 matters.

13.6.3 Platform abuse reporting

Table 8 — Platform abuse reporting

Platform	Reporting path	What to report
Airbnb	airbnb.com/help/article/1386 (Trust & Safety)	“Undisclosed security camera in private space”
VRBO	vrbo.com/info/help-center/policies/safety-report	Unauthorized recording device in private areas
Booking.com	booking.com/content/security.html; customer service	Unauthorized camera in accommodation
Expedia / Hotels.com	Customer service; escalate to Trust & Safety	Security camera concerns
Independent hotel	General manager + corporate HQ (chain-specific contact)	Written incident report

13.6.4 Law enforcement and external orientation

This series does not list specific police non-emergency numbers (these vary by city and country). Use the non-emergency line unless you are in immediate danger (in which case use 911/999/112). Non-emergency does not mean low-priority — a found surveillance camera in a hotel room is a crime in progress (the camera was there for past occupants too) and is treated seriously by law enforcement in most jurisdictions. International travelers should contact the local emergency services of the country they are in (listed on government travel advisory sites including US State Department, UK FCDO, and Australian DFAT).

External orientation (not legal advice): US DOJ ECPA resource at justice.gov (search “ECPA”); ICO (UK) video surveillance guidance at ico.org.uk; EDPB Guidelines 3/2019 on video surveillance at edpb.europa.eu; OAIC privacy guidance at oaic.gov.au; Airbnb’s stated camera policies at airbnb.com/trust.

This is Volume 13 of a fifteen-volume series. Volume 14 covers comparisons and the decision guide: buy-vs-build, which detector for which threat model, the owned-gear-vs-dedicated-device tradeoff, and the cost/coverage trade-off matrix. Volume 15 presents the laminate-ready cheatsheet, including a condensed found-camera response card based on §5 of this volume.

CameraDetection Volume 13 — Operational posture, legal & ethics