U.S. lawmakers are questioning why Costco and ADI Global continue to sell banned Hikvision and Dahua equipment in the U.S., calling the decision “puzzling” when most competitors have already pulled the items.
U.S. Rep. Chris Smtih (R-N.J.) and Senator Jeff Merkley (D-OR), who chair the Congressional-Executive Commission on China (CECC), sent the letters to the chief executives Costco and ADI.
The PRC-based brands’ products are banned for use by the U.S. government and “implicated in assisting with genocide and other horrific human rights abuses in the Xinjiang Uyghur Autonomous Region (XUAR),” the lawmakers said.
Costco’s sale of Lorex security equipment allows Dahua to profit from the U.S. market in spite of the FCC ban, they said.
“Your competitors, Best Buy, Home Depot, and Lowe’s, discontinued the sale of Lorex products, citing human rights and ethical sourcing concerns — making Costco’s continued sale of the equipment all the more puzzling,” the letter notes.
They also said the sales seem to conflict with Costco’s stated commitment to the United Nations Guiding Principles on Business and Human Rights and the International Bill of Human Rights.”
Merkley and Smith said the recent sale of Lorex to Taiwanese company Skywatch “does not allay our concerns or immediately change the security risks posed to U.S. companies and consumers moving forward,” as Dahua still supplies all the component parts for the Lorex cameras and other surveillance equipment.
As for ADI, lawmakers asked by the company’s website still markets Hikvision and Dahua security equipment as “NDAA compliant,” despite Congress banning their use and sale on U.S. military bases in the National Defense Authorization Act of 2019.
Lawmakers said they were concerned about the sale of Hikvision and Dahua technology by ADI to American schools, hospitals and other public and private entities in the U.S.
Smith and Merkley alleged the telecommunication and surveillance equipment manufactured by Hikvision and Dahua are a “recognized threat” to American users as the equipment is made “according to standards that could be leveraged by intelligence agencies” in China, “where private sensitive information of Americans is likely stored.”
ADI competitor Wesco/Anixter announced plans to drop cameras from Dahua and Hikvision because of “applicable U.S. laws and regulations,” the lawmakers noted, but said ADI hadn’t made a similar announcement -- even after news broke that U.S. Department of Defense documents describe Hikvision as a partner of “Chinese intelligence entities” and “using relationships with resellers to disguise its products for sale to government suppliers.”
As recently as this year, experts found vulnerabilities in Dahua products, including unauthorized viewing of video and audio feeds and archives, as well as unauthorized network access and remote tampering with settings, the letter to ADI said.
“U.S. consumers, schools and private businesses should not have to worry about how their data is stored and whether it will be accessed by foreign governments,” the lawmakers wrote. “The cybersecurity of your U.S. customers, which includes large and small companies, schools, and remote working professionals, should be of paramount concern.”
ADI spokesperson Adrienne Zimoulis said the company received the letter in question on Oct. 31. "We are in the process of reviewing it and intend to work cooperatively with the Commission to address their questions," said ADI spokeperson Adrienne Zimoulis. "Our company takes compliance with all laws (including the National Defense Authorization Act and FCC rules referenced in the letter) very seriously, and we look forward to working with the Commission.”
Costco has not responded to requests for comment since the letters were released Wednesday. SecurityInfoWatch questioned Costco specifically about whether the continued Lorex sales violates Costco’s code of conduct. On Costco’s investor relations website, the company describes its global supplier “code of conduct” that prohibits human rights abuses in its supply chain.
The company specifically names practices such as human trafficking, physical abuse, restricting freedom of movement, confiscation of passports and other documentation, unsafe work environments, failure to pay adequate wages, excessive or forced overtime, illegal child labor and “many other aspects of worker welfare are addressed by the Code.”
Costco says that to evaluate compliance, the company arranges for the audit of certain facilities of selected suppliers -- with an emphasis on “suppliers of private-label merchandise and suppliers whose product or country of origin poses an increased risk.”
The audits are performed by independent third-party auditors who specialize in social responsibility audits, Costco’s post reads.
“While we retain the right to conduct unannounced audits, as a practical matter, some minimum notice is given to comply with security concerns and to allow the supplier to collect records that are reviewed during the audit. Sub-suppliers generally are outside the scope of the audit,” the post said.
If a violation is found, Costco’s post states the company responds, “in a manner commensurate with the nature and extent of the violation” and there may be remedial action, such as terminating the business relationship or giving the supplier “reasonable time to develop and implement a plan for remediation. In those instances we conduct follow-up audits to monitor progress.”
If a supplier fails to make satisfactory progress toward improvement, “we will cease our business relationship with that supplier,” Costco said.
Costco said it encourages those aware of code violations to notify management, the company’s Code of Conduct Compliance team, or utilize Costco's whistleblower site: costco.ethicspoint.com.
John Dobberstein is managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines.
