Who Owns your Security System?

Alarm systems, like most security technology, contain a number of codes by which the system can authenticate the user. Most alarm users are familiar with their own PIN or code used to arm/disarm the system. Additionally there are ‘Master Codes’ which have enhanced access and usually allow the addition or deletion of other people’s codes.

There is an additional code that fewer people are aware of. The ‘Installer Code’ (also known as ‘Tech Code’ in some systems) allows access to every setting inside the alarm system. Which zones are monitored and how, which monitoring centres are called (or not) as well as in most cases adding, changing or deleting user codes. Powerful stuff.

The programming options of most alarm systems are not straightforward to the untrained user. Curious DIYers or those with a keen sense of discovery can very quickly write-off an alarm system with a single erroneous keystroke. Nor are the programming interfaces especially user friendly. Sometimes it’s hard to even exit programming mode should one realise they’re in over their head. For example whilst typing the installer code on the keypad of some Bosch alarm systems will get you into programming mode easily enough, one has to enter ‘960 Away’ to get out. There is no obvious “exit” key. Pressing more keys will only make the situation worse and many amateurs have well and truly stuffed their system up.

The problem has been exacerbated by online Internet forums for DIYers where people with the tiniest amount of knowledge start playing around with their system. Ironically many of these people wouldn’t dream of attempting to replace their own brakepads, a relatively simple task, but feel comfortable playing around with a system that in many cases is also responsible for life-safety. Of course on the Internet everyone is an expert…

To prevent this, in most cases the Installer code is not given to system owners at the time of installation. This is ostensibly to protect them from themselves and a responsible approach. But what happens when the alarm system changes owners, or a customer decides to change security provider?

Some security companies will be happy to hand over the Installer code. In some cases they may ask for a written confirmation from an authorised party such as the owner, which indemnifies them from any liability for whatever is done with the installer code thereafter. That is, if the user goes and stuffs something up, they must accept the risk and cannot consequently hold the installer responsible for any failure.

Where a system has been leased and title has not transferred to the user, or the user is subject to a contract that has not expired, the installer may also withhold the installer code as their way of maintaining their contractual rights. Both of these scenarios are usually quite reasonable. However there are many cases where installers flat-out refuse to hand over the installation code to an obviously departing customer for entirely specious reasons. Here are a few of the excuses served up.

1) “We can’t give you that code because if we do, you’ll have the installer code to every other system we’ve ever installed”.

Imagine for a second a locksmith who put the same master-key system on every house to which they’d ever supplied a lock. Quite incompetent. If the alarm installer was stupid enough to reuse the same code on every site they’d ever commissioned, how is that your problem?

2) “The programming of the system is our intellectual property”. This is one of the more pathetic claims. A tiny handful of ultra high-end systems may contain clever programming, usually bundled with home automation and significant bolt-on system interfaces. The absolute majority of security systems however contain ‘intellectual property’ about as sensitive as “how many seconds the keypad should beep before the siren sounds” or “What time the panel should auto-arm”. Not exactly valuable trade secrets.

The only substantial intellectual property in most alarm panels was designed by the panel manufacturer, not a grubby alarm installer.

Security industry trade association ASIAL has drafted guidelines for ‘Security System Programming Data Ownership And Transferability‘. Needless to say these guidelines are routinely ignored by non-members of ASIAL and being mere ‘guidelines’ have no real weight behind them. The document, currently under review, also suggests installer codes remain the confidential information of the installation company who can release it (or not) at their discretion. As such it does not resolve the issue despite stating explicitly that: “ASIAL members are encouraged to provide other ASIAL members with alarm security system access, providing the Customer owns the equipment and
providing any valid agreement has expired and all conditions met.“

The sad reality is that too many installation companies refuse to hand over their installer code as a final parting-shot to a departing customer and as a kick in the guts to a competing business who they hope will stuff up the system during reprogramming from scratch.

Such attitudes damage the security industry. Instead of encouraging dialogue and communication between businesses. Contrast this with how a doctor of a new patient might speak to their previous treating doctor and obtain their records. Many installers do not even bother ringing the incumbent, knowing the answer they are likely to receive, and simply default the panel, sometimes with unforeseen consequences e.g. access control failures..

A number of installers deliberately employ ‘lockout’ options in some alarm panels which make it significantly harder, if not virtually impossible, to reset the panel. There are a number of tricks which can get around this, for example swapping chips around, discharging capacitors or in the case of C&K Alarm panels, by submerging the alarm panel in a pool of salt-water and burying it at a crossroads at midnight.

In many cases, after ‘defaulting’ you still need to reprogram from scratch. In my experience, the companies who employ these methods are also the first to come up with tired excuses why they can’t hand over the installation code. They are solely interested in salting the earth and screwing the next guy.

Mobotix CCTV cameras can only have their password reset by physically shipping the camera to Mobotix (in Germany). If the installation company doesn’t want to play nice and the camera owner does not know the password, they can have a very major problem indeed. Even the installation company could find themselves in trouble if a disgruntled employee of theirs changed all the passwords before leaving.

Disconnecting and shipping the cameras is not only an expensive exercise it also means the sites will be without a camera for days or weeks. They’re expensive gear and sites which have invested tens or hundreds of thousands of dollars could easily be held to ransom by a petulant installer with a bruised ego and a sense of entitlement.

Or could they? There is a criminal offence known as “Trespass to chattels”, broadly defined as direct interference with goods (chattels) in another’s possession that deprives them of the use of those goods. Companies who act in an unconscionable manner can probably take comfort from the fact that a simple solicitor’s letter will likely cost more than a replacement alarm panel, so it may be cheaper to simply cop it, rip out a perfectly good panel and replace it with the same type, unlocked.

However enterprise customers, chain-stores and large sites who part-ways with an installer may have a big stick with which to recover useful access to their system. Ideally, these matters should be considered up-front. We see a number of tenders for multi-site alarm services, notably local councils, where they do not know the installer code and will leave it up to the incoming tenderer to work it all out. This is often costly and as far as the incumbent supplier goes, it doesn’t change the reality of a new supplier coming in.

Sensible contracts should be negotiated which include ‘swap-out’ provisions (perhaps for a reasonable fee) to avoid arguments later. As with all such matters, this needs to be established at the start of the engagement or it may not happen.

Security companies themselves need to have policies and procedures in place for existing customers who leave. This includes seeking authority and relevant paperwork as well as disclosing the installer code, or reprogramming another one (ideally without having to attend site). It is also not unreasonable to expect the incoming installer to provide some notice of their intentions rather than the far too common scenario of them ringing you from site demanding you drop what you’re doing to help them secure new business. Even though you may not even know who they are and need to know you’re not handing sensitive information to an unauthorised party.

Interestingly, while lots of smaller alarm installers like to routinely criticise ‘the majors’, in most cases the large companies are quite sporting about passing on installer codes, provided it’s done with authority and nobody owes anything. Whereas it is often the small companies who complain about ‘uneven playing fields’ that are in fact the ones operating in an anti-competitive manner. Not the big boys.

It is a shame that ASIAL or even government regulators are required to intervene in these matters. Many security companies and their owners just need to grow up. It’s a fact of business that contracts come and go. If you act with integrity and honour you may get another go one day. But foolish companies who decide to be stubborn don’t realise that they are virtually guaranteeing that their former customer or a would-be customer in the case of a new owner, will never, ever consider them in future.

Originally Published in 2013 in Security Solutions Magazine, Issue 85.