I would second this. I’ve definitely spent a lot of time with this question.

For my setting, I try to lean into realism. So the first thing we have to ask is what “hacking” means in these situations. Hacking shouldn’t be magic.

First, hacking typically looks like using a system in the way it was intended by someone who wasn’t intended to use it or in some other modified way. So to break into a CCTV system, ask how proper users would use it, and then how to bypass that.

Second, the more advanced technology gets, the more advanced security gets. Think about what it would take to hack into a CCTV system today. You’d likely need to steal a password to use the actual software or snoop the raw data signal of a camera and then decode it. In the future, this isn’t going to be less secure.

So if you wanted to hack into CCTV camera, players should not be able to roll and then see anything anywhere. They should need to find some physical connection and/or find some way to obtain credentials to a remote access system. This could be by forging biometrics of someone with access, tricking someone with access to logging in for them, or finding leaked access credentials online. And all of these should have limitations: how long they can be logged in; what they can do without triggering detection; how long it takes to call files; etc.

These same principles apply to a social media search. It wouldn’t really make sense for everyone’s data to be readily available to anyone with basic hacking proficiency in some kind of easy database. Assume online privacy moves forward at the same pace or greater than privacy invasion. You can’t just type “HACK!” and see someone’s real-world location. You could probably find a publicly listed address or maybe find a license plate reading with a time and place. But you’re going to have to still do a lot of the conventional investigation work to find someone: figure out where they work, hang out, shop, etc. and look for a point where they slipped up, either in biospace or online.