BlackVue tells Australians that its dash cams comply with the country’s new cyber-security law. The company’s own compliance page tells a more complicated story, and the law it leans on says nothing about who can see your footage. As a governance specialist, I read the fine print.
THE STORY SO FAR
BlackVue makes popular dash cams, the cameras that film the road from your windscreen. Its cloud models also stream live video and your GPS location to the company’s servers, so you can watch your car from your phone.
In 2024, Australia passed its first standalone cyber-security law. One part of it, which became mandatory on 4 March 2026, sets three minimum requirements for any internet-connected consumer device: no shared “universal default password,” a publicly available channel to report security bugs, and honesty about how long the device receives security updates.
BlackVue began telling Australian customers it complies with that law. A news team suspected the claim concealed a flaw and set out to expose it. Read against BlackVue’s own published compliance page, the claim doesn’t hold together. Most starkly, the page lists several of the company’s own models as exceptions to the no-default-password rule, and one model (the ELITE+GOLD) appears both as an exception and as certified compliant. This feature reads that page line by line and explains why a cyber-security tick says nothing about the privacy question that actually worries dash-cam owners.
There is a particular kind of sentence that makes people in my line of work go quiet and reach for the source document. It is usually short, usually reassuring, and usually wrapped around the name of a regulation most readers have never opened. “We operate within the guidelines set by the Australian Cyber Security Act 2024.” A claim like that is built to end a conversation. My job, governance, risk and compliance, is to start one.
The sentence belongs to BlackVue, one of the most recognisable dash-cam brands on Australian windscreens. Its premium cameras film the road continuously, and its cloud-connected models do something more intimate: they can stream live video and your GPS position to the company’s servers, so you can watch your own car from your phone while you sit at your desk. It is a genuinely useful feature. It is also a continuous, location-stamped record of where a person goes and when, sitting on infrastructure they do not control. When a company selling that proposition reaches for a cyber-security law as a comfort blanket, the responsible thing is not to feel comforted. It is to read the page.
So I did. BlackVue Australia publishes a document it calls its Cyber Security Commitment, last updated in late February, days before the new rules took effect. It is a short page. It is also, on close reading, a page that argues with itself.
What the law actually asks for
First, the law itself, because the claim only means something against it. The Cyber Security Act 2024 was Australia’s first standalone cyber law, passed at the end of 2024. Most of it has nothing to do with dash cams; it covers ransomware-payment reporting, a new incident review board, protections for companies that share information with government after a breach. Only one slice touches a consumer device, and on 4 March 2026, that slice became mandatory through a set of rules governing smart devices.
The rules are deliberately narrow and modelled on the British product-security regime, so they are not vague aspirations. A connected device must do three things. It must not ship with a universal default password, the kind shared identically across every unit, because those are the first thing an attacker tries. It must offer a publicly available way to report security vulnerabilities, with clear timelines for acknowledging a report and updating the person who sent it. And it must be transparent about how long the device will receive security updates, so a buyer knows whether they are purchasing a product or a future paperweight. Passwords, a working complaints channel, an honest support window. That is the whole test. It says nothing, incidentally, about what happens to your footage or your location, a point I will come back to, because it matters more than the law does. Hold those three requirements up to BlackVue’s own page, and the trouble starts on the first one.
The list that undoes the claim
Under the heading for passwords, BlackVue Australia states that the products it supplies are not set to a universal default password. Reassuring, until you reach the exception. The same sentence carves out a specific list of the company’s own models: the DR750G-M1, DR750G-PRO-M1, DR750X-M1, DR750X PLUS-M1, DR970X-M1, DR970X PLUS-M1, DR770X-M1, the DR800, and the ELITE+GOLD. A footnote explains that these have factory-default passwords that the user can change.
Read that as a regulator will. The standard exists to eliminate shared defaults. The escape route the law allows, letting the user set their own password, only works if the device does not quietly ship every unit with the same credential that persists until somebody bothers to change it. A default that a user may alter, but is not required to, is not a near-miss on the standard. It is the precise behaviour the standard was written to abolish. By listing these models as exceptions to its own assurance, BlackVue has, on the face of it, published a register of its own products that appear not to meet the law’s headline control. Whether they truly fail it turns on a question only the company can answer, and I will put it to them plainly: does every unit of those models ship with the same password, and is changing it mandatory before use, or merely possible?
Then there is the contradiction that needs no clarification at all. The ELITE+GOLD sits on that list of password exceptions. It also appears, a few centimetres further down the same page, in BlackVue’s published Statements of Compliance, the formal declarations that a product meets the standard. One model, on one page, simultaneously declared not to meet the password assurance and certified as compliant. Those two statements cannot both be true. (A similar question hangs over the DR800, which is excepted, while a “DR800 GOLD” carries a compliance statement; a reporter should confirm whether they are the same unit. The ELITE+GOLD overlap needs no such caveat.)
A mailbox is not a policy
The second requirement fares only a little better. BlackVue offers an email address for reporting security problems and promises to acknowledge reports and provide updates as its investigation proceeds. That is more than nothing, and more than some manufacturers manage. But the standard asks for a published disclosure policy with defined timelines, and no timelines appear. The distinction is not pedantry. It lands against a documented history: when independent researchers warned, in years past, that cloud cameras could expose location and live feeds, the company’s overseas arm reportedly waved it away as a feature rather than a flaw. A standard that demands a real intake-and-response process is, in effect, a standard against that exact reflex. A reporting address with no commitments behind it does not yet clear the bar.
The third requirement, the support window, dissolves as you read it. BlackVue says the security-update period aligns with the manufacturer’s factory warranty, then states, in the next breath, that its warranty does not define or imply any security-update commitment. The support period is the warranty, except the warranty promises no support. As a transparency control it is close to circular, and a buyer trying to learn how long their camera will be patched comes away knowing less, not more.
Who is actually answerable
It is worth being precise about who owns all this, because there is a temptation, with an imported product, to point upstream to a factory in Korea and shrug. The page forecloses that. It is published by Auto Blackbox Pty Ltd, trading as BlackVue Australia, and the company states it is the importer and supplier subject to the Act. Under the rules, when the overseas manufacturer has no Australian place of business, the local importer is treated as the manufacturer and carries the obligations itself. BlackVue Australia has not only accepted that; it has accepted, by publishing statements of compliance at all, that these dash cams fall within the law’s scope. The convenient defence, that the rules might not even apply to a dash cam, has been closed by the company’s own hand.
Why a marketing line becomes a legal one
This is the point where my discipline hands off to another. A compliance claim that a company’s own evidence undercuts is not just an engineering quibble; it is consumer-protection territory. Australian consumer law prohibits conduct likely to mislead, and crucially, an honest mistake is no defence; the bar is low, requiring only a real rather than remote chance of misleading. A separate provision bans false or misleading representations about whether a product meets a standard, and that one carries civil penalties. The competition regulator enforces it, and has spent recent years pursuing exactly this species of claim in the environmental space, where it has a name: greenwashing. Telling the public you comply with the Cyber Security Act while your own page lists models excepted from its central requirement is the same move in a different coat. Cyberwashing, if we need a word, and we probably will.
To be fair, and fairness is the whole of this work rather than a footnote to it, BlackVue has not been found to have breached anything. Citing a law you fall short of is not automatically unlawful, and the company is entitled to its account. Its Australian operation states that footage is private by default and that public sharing is opt-in; it has historically argued that anyone visible on its public map chose to be there. My concern is narrower and more old-fashioned than an accusation. It is whether the impression the claim creates is accurate and substantiated. On the evidence the company itself has published, it is not yet.
The thing the law never touched
And here is the part worth saying the loudest, because it is the part the law cannot reach. Even a flawless pass on passwords, reporting and patching would tell you nothing about the worry that actually sells, or should unsell, a cloud dash cam: where your footage goes, who can see it, and whether your movements are being mapped. That is privacy, and in Australia, it lives under a different statute and a different regulator entirely. BlackVue’s manual notes that GPS location recording, which sends your route to the cloud, is enabled by default. A cyber-security badge does not, and was never designed to, address that. A consumer who reads “we comply with the Cyber Security Act” and hears “my data is safe” has been led, gently, to the wrong conclusion. The law is about the lock on the door. It says nothing about who you have handed the keys to, or where they keep them.
That, in the end, is what the page reveals, and why it is worth more than a shrug. Compliance has become a thing you can assert before you have achieved it, in language that sounds like a verdict and functions as a slogan. The remedy is dull and entirely within reach: say which models, made from which date, actually meet the standard; publish the real reporting policy and the real support window; and tell people, separately and plainly, what happens to their footage. Specific, dated, substantiated. Until then, the reassuring sentence is doing what default settings always do. It is making a choice on your behalf, quietly, and hoping you never change it.
The questions BlackVue Australia has not yet answered:
For the excepted models, does each unit ship with the same factory default, and is changing it required before use or merely optional?
How can the ELITE+GOLD be both exempt from the password assurance and listed as compliant?
Where is the published vulnerability-disclosure policy with defined timelines?
What is the per-model security update support period, independent of the warranty?
And are the excepted models still being supplied after 4 March 2026, and under what statement of compliance?







