Trending Topics

How police can protect privacy when modernizing surveillance technologies

There are several ways agencies can develop robust privacy standards while taking advantage of emerging technologies to improve public safety

surveillance security facial recognition camera

AP Photo/Mark Lennihan, File

By Phil Malencsik

Advances in physical security technology are delivering cameras with higher resolution, AI-enabled analytics and increasingly connected systems. These capabilities are incredibly effective in helping agencies prepare for, respond to and investigate incidents. With the expansion of public-private partnerships and community connect programs, this also introduces new concerns around privacy and cybersecurity. Police departments face hard questions when they seek to modernize their physical security infrastructure.

This article will guide law enforcement agencies on how to protect privacy while modernizing public safety technology and provide meaningful reassurance to stakeholders.

Privacy and public safety aren’t mutually exclusive

According to the United Nations, nearly 80% of the world’s 194 countries have put in place or drafted legislation to secure the protection of data and privacy. These regulations are aimed at restricting the collection, processing and access to personally identifiable information (PII), including both data and video. The goal is to maintain privacy and mitigate the risks of criminal cyber activities. Regulations establish a minimum standard for how PII should be stored and managed. However, police departments can do more than the minimum to protect privacy.

Modern video management platforms (VMS) include tools to enhance privacy and cybersecurity. Look for systems that include privacy protection capabilities by design and dynamically pixelate images of people to blur identities. Likewise, solutions can provide audit trails of who accessed data and when and offer multi-layer cybersecurity features.

There are several ways agencies can develop robust privacy standards while taking advantage of emerging technologies to improve public safety:

  • Be selective about the data you collect and who can access it. Modern automatic license plate recognition (ALPR) systems can gather and store tremendous amounts of data. It’s up to the agency to implement best practices to protect the information from unauthorized use. One option is to associate a case number in the application when an officer or investigator runs a license plate against a database. This helps build trust that the data is only used for an investigation or an open case.
  • Ensure PII is seen by authorized persons only. Some agencies ascribe to the “four eyes” principle, which requires two people to provide credentials to access certain kinds of data. For example, images of people on video recordings can be pixelated by default. If an operator sees an event happening, they can ask a supervisor to unlock the video. For very sensitive data, some agencies require two supervisors to agree to authorize a request to access data.
  • Communicate your privacy policy. Create, maintain, and share your policy with city officials and other stakeholders. The policy should outline what data is collected, how it’s stored, how long it’s stored (retention), who can access this data, and under what circumstances.
  • Look for vendors who develop tools that include privacy protection by design. These solutions give agencies complete control over their data so that they can adjust protection methods and processes to meet evolving regulations. The manufacturer or integrator can also help the agency configure the system to define who has access to sensitive data and footage without slowing down response times or investigations.

Cybersecurity: The other side of privacy protection

Protecting privacy means hardening the devices and networks on which PPI resides. With worldwide reports of cyber breaches rising continually, law enforcement agencies need to recognize and close all potential gaps.

Some of the most common attack strategies take the form of spyware, ransomware, brute-force attacks, denial of service attacks, phishing, and others. Older, proprietary security technologies weren’t designed to defend against these threats.

Here are some questions to help assess whether your legacy equipment or policy is leaving your agency open to cyberattacks:

  1. Are you aware of how much time your agency spends every month updating different software and firmware and managing cybersecurity practices across your various systems?
  2. Do your legacy systems allow you to adopt the latest encryption methods or cybersecurity features to stay ahead of evolving threats?
  3. If your agency receives a request from an investigator or other stakeholder to see stored video footage, will you be able to securely share those recordings while protecting the identities of other individuals in the frame?
  4. Do you have the ability to build and maintain strong password policies and effectively restrict access to your data?
  5. Can you offer single sign-on capabilities with multiple layers of authentication?

There are many things that you can do to build resilience in your security technology infrastructure. The more layers you implement, the better protected your data will be:

  • The first layer is encryption. Encoding information or scrambling readable text to hide and protect it from unauthorized users helps protect all the data sent between your surveillance cameras, body-worn and in-car cameras, access control readers, and other IoT sensors, and your servers and workstations. When encrypting video specifically, use strong methods for data both in transit and at rest.
  • The next layer of protection is authentication. Validate the identity of a user, server, or client application before granting access to your protected resources. Client authentication can include usernames, passwords, and security tokens, while confirmation of trusted third parties on the server side is provided through digital certificates. Deploy multiple forms of authentication for additional safeguards.
  • The third layer is authorization. Define specific user privileges to restrict who can access your applications and what they can see or do within each. Authorization within security systems can also include when and what types of information can be shared internally or externally, and how long data is kept. Note that you can automate the provisioning of these granular privileges through a Microsoft Active Directory integration with your security systems. Not only does this help to simplify the authentication setup, but it also ensures that when an employee leaves the department, their system privileges also get revoked.
Covering everything from drones to thermal imaging cameras.

Unify physical security systems to ensure cybersecurity while you protect PII

To deter cybercriminals and protect PII, many agencies implement a single, global data protection and privacy strategy. Unifying physical security technologies on a single, open platform simplifies that process by enabling cybersecurity measures to be standardized across all your physical security systems.

This approach eliminates the need to check different solutions to ensure cyber hygiene or track system health as all systems’ data is controlled through a single interface. Unified solutions often include built-in defenses and unified tools and services that alert you to potential vulnerabilities. They help streamline updates, restrict system access and user privileges, and provide security scores to enhance system resilience. With a unified platform, users require one single login and password. This minimizes the chance of multiple passwords being stolen or hacked and the likelihood of a potential breach.

One of the best ways to lower your cybersecurity risk and ensure privacy protection is to work with trusted technology vendors. Ask questions. Make sure they incorporate privacy by design and have a comprehensive strategy in place to close security gaps in their systems. They should be forthcoming about known vulnerabilities and deliver quick remediation. Confirm their adherence to standards such as ISO 27001, and their certifications from regulatory bodies and law enforcement associations. When solid cybersecurity measures are in place, it’s a team effort to ensure public safety with strong privacy protection.

About the author

Phil Malencsik is Account Executive, Public Sector at Genetec.