Big Brother is watching, and it’s mostly a good thing
When newspapers, popular magazines, and cable news channels run stories on public safety security and video surveillance, their knee-jerk reaction is too often a clever reference to “Big Brother” and an implication that something dangerous and sinister is happening.
Our headline this month is intended to provide a counterpoint to mainstream journalists who feel a need to infer that security and surveillance are bad – because we think they are mostly beneficial. The security and surveillance industry is dedicated to protecting the public by giving the good guys advanced tools to help them prevent the bad guys from hurting innocent people. And there are people in our industry paid to worry about security and privacy surrounding security products and technologies, and that seems like a great idea for every company to adopt.
About a decade ago, a particular California school district purchased an RFID badge system to enhance campus safety, but didn’t fully inform parents before it was implemented. It didn’t take long for one mother to rally her neighborhood and the ACLU against this perceived invasion of privacy and the supposed danger of having vulnerable children tracked by school administrators. This unfortunate misunderstanding of the district’s good intentions led the manufacturer of that secure identity system to create an executive position empowered to study and monitor how their products impacted their customers – and advocate for personal privacy protections embedded in the design of every new product.
Kathleen Carroll still serves as director of government relations for that company, HID Global, a leader in secure identity solutions. She is also the chair of the Government Relations Committee of the Security Industry Association (SIA). One of her favorite aspects of her job at HID Global is collaborating with colleagues to keep the company at the forefront of privacy awareness and protection.
“Sensitivity around privacy is good for commerce,” Carroll suggested. ”Our industry takes a risk-based approach to implementing security systems. Consultants look at where the risks are and, based on those risks, they propose an appropriate solution. The strength of each system is geared to the associated risks and the likelihood that something might happen. This is the same approach that companies should take with regard to privacy, especially with new technologies for mobile, online, physical access control, CCTV cameras, and now biometrics.”
Step one, Carroll offered, is for every manufacturer to complete a privacy impact assessment around its customer base and products. This involves looking at the risks and the harm that could result if personal data is breached, then creating a program to mitigate as many of those risks as possible.
“The questions I ask our engineers when they’re inventing a new solution are things like, ‘If people can now use their secure ID card for mobile payments, and we know that financial data is sensitive, how are we ensuring that our card readers cannot be compromised? How do we prevent a man-in-the-middle attack, so that someone cannot grab data off a card just by passing by the reader? How are we protecting our customers from all of this?’ These are the kinds of questions every company has to consider, throughout the entire organization,” Carroll told me.
Carroll conducts regular meetings with system integrators, and makes presentations on how they should complete their privacy impact assessments.
“We also have conference calls with school districts that are considering implementing one of our solutions,” Carroll revealed. “I’m not a lawyer, and I tell them that upfront, but I try to say, ‘Here’s what you need to be thinking about from a privacy perspective, so that you avoid the misunderstandings that have happened in other schools.’ There are different kinds of RFID systems. If a district is going to implement one of these systems, whether physical or logical access control or a converged system, and they’re going to be transmitting and accessing personal data, I advise them to make sure they have encryption, mutual authentication, and all the available technological protections.”
What basic questions should be asked when any kind of security system is implemented?
“Start with these,” Carroll said – “‘How much personal data do I need to collect? Do I really need this information to make the system perform the way it needs to work?’ Collect only the data you absolutely need. And once you collect the data, decide how long you need to hold it. If you’re a CCTV manufacturer, or you’ve installed a CCTV camera and you’re collecting video feeds, how long do you need to hold onto that data? The longer you hold sensitive data, the more at risk it is, so you really want to limit the time frame.”
Companies need to restrict everyone’s access to private data, Carroll advised.
“That’s where security companies can do good work – we can help organizations control access to data, which is a very big deal. If you look at the data breaches that have happened, a lot of them are related to user names and passwords. That’s how Edward Snowden got access to sensitive material – he ‘social engineered’ user names and passwords from his co-workers.”
I asked Kathleen how she thinks the industry is doing, as a whole, on privacy protection.
“I don’t think we’re doing a bad job, but I think we can do better,” she answered. “There are many efforts underway to balance the need for privacy with the need for access to data. A lot of people say they want more privacy, but I think they would miss the benefits they would lose by not sharing their data with trusted entities. Fundamental privacy principles introduced years ago include data minimization, tight security of the data, and giving subjects the right to access and redress their own data.”
In her role as Chair of the Government Relations Committee of the Security Industry Association, Carroll helped develop a privacy framework freely available from the SIA. This is a set of best practices, including how to conduct a privacy impact assessment, with all of the questions that manufacturers and integrators should be asking themselves. The full document is available on the SIA website, and also at this link – http://bit.ly/1oyzhsF. If you have any trouble gaining access, please feel free to send an email request to my address shown below.
John Convy and Convy Associates provide strategic alliance, A&E consultant, technology ecosystem, and lead generation programs to monetize relationships and accelerate demand for leading security industry manufacturers. John is the Founder and Managing Director of the Open Standards Security Alliance and the IP Video Surveillance Academy, and is a speaker at many global industry events. Email: [email protected]