Blue Line

Brought to you by Genetec
How to protect privacy when modernizing your surveillance technologies

August 1, 2024 in Features
By Phil Malencsik

Advances in physical security technology are delivering cameras with higher resolution, AI-enabled analytics, and increasingly connected systems. These capabilities are effective in helping agencies prepare for, respond to, and investigate incidents. Combined with the expansion of public-private partnerships and community connect programs, they also introduce new concerns around privacy and cybersecurity.

This article will guide law enforcement agencies on how to protect privacy while modernizing public safety technology and provide meaningful reassurance to stakeholders.

According to the United Nations, nearly 80 per cent of the world’s 194 countries have put in place or drafted legislation to secure the protection of data and privacy. These regulations are aimed at restricting the collection, processing, and access to personally identifiable information (PII), including both data and video. The goal is to maintain privacy and mitigate the risks of criminal cyber activities. Regulations establish a minimum standard for how PII should be stored and managed.

Privacy and public safety aren’t mutually exclusive

Modern video management platforms (VMS) include tools to enhance privacy and cybersecurity. Look for systems that include privacy protection capabilities by design and dynamically pixelate images of people to blur identities. Likewise, solutions can provide audit trails of who accessed data and when, and offer multi-layer cybersecurity features.

There are several ways agencies can develop robust privacy standards while taking advantage of emerging technologies:

  • Be selective about the data you collect and who can access it. Modern automatic license plate recognition (ALPR) systems can gather and store tremendous amounts of data. It’s up to the agency to implement best practices to protect the information from unauthorized use. One option is to associate a case number in the application when an officer or investigator runs a license plate against a database.
  • Ensure PII is seen by authorized persons only. Some agencies subscribe to the “four eyes” principle, which requires two people to provide credentials to access certain kinds of data. For example, images of people on video recordings can be pixelated by default. If an operator sees an event happening, they can ask a supervisor to unlock the video.
  • Communicate your privacy policy. Create, maintain, and share your policy with city officials and other stakeholders. The policy should outline what data is collected, how it’s stored, how long it’s stored (retention), who can access this data, and under what circumstances.
  • Look for vendors who develop tools that include privacy protection by design. These solutions give agencies complete control over their data so that they can adjust protection methods and processes to meet evolving regulations. The manufacturer or integrator can also help the agency configure the system to define who has access to sensitive data and footage.
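The first two practices above, expressed as access-control logic. This is an added example, not code from the article or from any vendor's product; the role names, function names, and the in-memory audit list are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # hypothetical role names: "operator", "supervisor"

AUDIT_LOG = []  # in-memory stand-in for an append-only audit trail

def _audit(action, actor, reason, **detail):
    """Record every attempt, granted or denied, then enforce the decision."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action, "actor": actor.name,
        "outcome": "denied" if reason else "granted",
        "reason": reason, **detail,
    })
    if reason:
        raise AccessDenied(reason)

def alpr_lookup(officer, plate, case_number):
    """A plate query is allowed only when it is tied to a case number."""
    reason = None
    if "operator" not in officer.roles:
        reason = "not authorized for ALPR queries"
    elif not (case_number or "").strip():
        reason = "case number required"
    _audit("alpr_lookup", officer, reason, plate=plate, case=case_number)
    return {"plate": plate, "case": case_number}

def unlock_video(requester, approver, clip_id):
    """Four-eyes check: footage stays pixelated unless a second person approves."""
    reason = None
    if "operator" not in requester.roles:
        reason = "requester not authorized"
    elif approver is None or "supervisor" not in approver.roles:
        reason = "supervisor approval required"
    elif approver.name == requester.name:
        reason = "approver must be a different person"
    _audit("unlock_video", requester, reason, clip=clip_id,
           approver=approver.name if approver else None)
    return "unmasked"
```

Denied attempts are written to the audit trail before the exception is raised, so a refused lookup leaves the same evidence as a granted one.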

Cybersecurity: the other side of privacy protection

Protecting privacy means hardening the devices and networks on which PII resides. Some of the most common attack strategies take the form of spyware, ransomware, brute-force attacks, denial of service attacks, phishing, and others. Older, proprietary security technologies weren’t designed to defend against these threats.

Here are some questions to help assess whether your legacy equipment or policy is leaving your agency open to cyberattacks:

  1. How much time does your agency spend updating different software and firmware and managing cybersecurity practices?
  2. Do your legacy systems allow you to adopt the latest encryption methods or cybersecurity features?
  3. If your agency receives a request from an investigator or other stakeholder to see stored video footage, will you be able to securely share those recordings while protecting the identities of other individuals in the frame?
  4. Do you have the ability to build and maintain strong password policies and effectively restrict access to your data?
  5. Can you offer single sign-on capabilities with multiple layers of authentication?

There are many things that you can do to build resilience in your security technology infrastructure. The first layer is encryption. Encoding information, or scrambling readable text so that unauthorized users cannot read it, helps protect all the data sent between your surveillance cameras, body-worn and in-car cameras, access control readers, and other sensors, and your servers and workstations.

The next layer of protection is authentication. Validate the identity of a user, server, or client application before granting access to your protected resources. Deploy multiple forms of authentication for additional safeguards.

The third layer is authorization. Define specific user privileges to restrict who can access your applications and what they can see or do within each. Authorization within security systems can also include when and what types of information can be shared internally or externally, and how long data is kept.

Unify physical security systems to ensure cybersecurity while you protect PII

To deter cybercriminals and protect PII, many agencies implement a single, global data protection and privacy strategy. Unifying physical security technologies on a single, open platform simplifies that process by enabling cybersecurity measures to be standardized across all your physical security systems.

This approach eliminates the need to check different solutions to ensure cyber hygiene or track system health as all systems’ data is controlled through a single interface. Unified solutions often include built-in defenses and unified tools and services that alert you to potential vulnerabilities. They help streamline updates, restrict system access and user privileges, and provide security scores to enhance system resilience. With a unified platform, users require one single login and password. This minimizes the chance of multiple passwords being stolen and the likelihood of a potential breach.

One of the best ways to lower your cybersecurity risk and ensure privacy protection is to work with trusted technology vendors. Make sure they incorporate privacy by design and have a comprehensive strategy in place to close security gaps in their systems. They should be forthcoming about known vulnerabilities and deliver quick remediation. Confirm their adherence to standards such as ISO 27001, and their certifications from regulatory bodies and law enforcement associations. When solid cybersecurity measures are in place, it’s a team effort to ensure public safety with strong privacy protection.

Phil Malencsik is Account Executive, Public Sector at Genetec.

Learn more here: https://www.genetec.com

