Security Digest

Balancing Privacy with Physical Security

Image of people in a grocery store with faces blurred to protect their privacy

Privacy laws continue to change.

On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. Like the European General Data Protection Regulation (GDPR), the CCPA aims to give people a measure of control over their personal data. Although California may be leading the charge in the US, 11 other states have also introduced similar bills*. The corporate penalties for violating privacy laws can be severe: GDPR non-compliance can draw fines of up to four percent of annual global revenue or €20 million, whichever is greater. With privacy rights gaining legal protection worldwide, if you’re responsible for your company’s security, it’s essential you understand the impact of privacy laws.

It’s not obvious how privacy protection and physical security can work together; in fact, the two often have conflicting goals. Protecting a building requires identifying individuals through video feeds, access badges, and/or biometrics. Deterrent measures such as perimeter security cameras must observe wide areas to catch violations, capturing images of many people who have no harmful intent. Together, these data points form a detailed history of actions, times, and places for everyone under the system’s scrutiny, potentially violating several aspects of personal privacy. Turning physical security measures off is clearly not practical. What can be done?

Basic components of a privacy-safe security policy

Many security companies, even those in North America, seem to focus almost exclusively on GDPR when discussing privacy concerns. While important to consider, GDPR was neither written for the security market nor for non-European interests. Even though the regulations in other jurisdictions are currently in a state of flux, there are some basic elements to consider when looking at creating your own privacy-safe security policy:

Intention. The intent of your policy should be clearly stated up front: the jurisdictions it covers, and the privacy rights expected by each type of person it touches, such as employees, visitors, or suppliers. This lets you quickly double-check that you are still fulfilling the overall intent when you audit or change the policy. For instance, do we need to change anything if we expand our operation across state lines? Should we be keeping video footage of people who pose no security threat? Knowing the intention of your privacy policy makes these questions easier to answer and points out when changes are necessary.

Access. Carefully consider the appropriate access level for every role in your organization and grant only the minimum required privileges to prevent potential abuse. Knowing that private information and personal images can be surreptitiously captured by a disgruntled employee with a smartphone in seconds, security centers need to be extremely careful to reveal only the data necessary for the task at hand. This includes camera control: you don’t want operators misusing security cameras to follow someone down the street or peer into private residences, and you don’t want a security guard posting footage of a car accident or celebrity sighting to social media. Privileges alone don’t catch misuse by someone who legitimately holds them, so camera movements and footage exports should also be logged and reviewed.

Encryption and retention. Data needs to be encrypted and kept long enough for your company’s own security audits, such as camera footage surrounding alarm events, and for legal oversight such as responding to a subpoena, but it must be destroyed after a defined point. This is where physical security systems can bolster cybersecurity efforts: private data cannot be stolen if it no longer exists. Data retention must be carefully coordinated with system backups, because backups, whether offline or in the cloud, compound the problem of keeping only data that is still time-relevant. To be successful, any data retention policy must be consistently applied, which requires automatic handling rather than manually executed procedures. One way to handle backups is to encrypt each retention period’s data under its own key and delete that key once the period’s lifespan expires. This doesn’t physically delete the expired data, but it makes every copy effectively unreadable regardless of how many there are or where they are stored. The approach only holds if the keys themselves are not backed up alongside the data and are genuinely destroyed from the key store and any key backups, and because key deletion is irreversible, the schedule needs a way to suspend expiry for periods under legal hold.
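The following Python models that key-deletion approach. It is an added example written for this digest, not code from any product or from the original article: one data-encryption key per recording day, footage sealed under that day’s key, a scheduled expiry step that destroys keys outside the retention window, and a check that an identical backup copy becomes unreadable the moment the key is gone. The cipher is a stand-in built from HMAC-SHA256 so the example runs on the standard library alone; a real deployment would use an AEAD such as AES-GCM from a vetted library and hold keys in a KMS or HSM. The class and function names, the 30-day window and the sample clip are all constructed for the example.

```python
"""Crypto-shredding: enforce video retention by destroying per-period keys.

Added example, not from the original article. The cipher is a stand-in built from
HMAC-SHA256 (counter-mode keystream plus encrypt-then-MAC tag) so this runs on the
standard library alone; use an AEAD such as AES-GCM in production.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(dek: bytes, label: bytes) -> bytes:
    # Derive domain-separated encryption and MAC keys from one data-encryption key.
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(enc_key, nonce || i), truncated to length.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # fail closed on wrong key or tampering
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RetentionKeyStore:
    """One DEK per recording day; a hypothetical stand-in for a KMS/HSM.

    Footage recorded on day D becomes unreadable everywhere once today - D >= retention_days,
    because the only key that opens it no longer exists. Never back up the DEKs themselves.
    """

    def __init__(self, retention_days: int) -> None:
        self.retention_days = retention_days
        self._deks: dict[date, bytes] = {}

    def seal(self, recorded_on: date, footage: bytes) -> bytes:
        dek = self._deks.setdefault(recorded_on, secrets.token_bytes(32))
        return encrypt(dek, footage)

    def open(self, recorded_on: date, blob: bytes) -> bytes:
        dek = self._deks.get(recorded_on)
        if dek is None:
            raise KeyError(f"no key for {recorded_on}: footage is past retention")
        return decrypt(dek, blob)

    def expire(self, today: date) -> list[date]:
        """Scheduled, not manual: delete every DEK whose day is outside the window."""
        cutoff = today - timedelta(days=self.retention_days)
        expired = sorted(d for d in self._deks if d <= cutoff)
        for d in expired:
            del self._deks[d]
        return expired


def demo(retention_days: int = 30) -> dict:
    """Walk one clip through recording, backup, a tamper check and expiry."""
    store = RetentionKeyStore(retention_days)
    recorded = date(2020, 1, 1)
    clip = b"cam-07 2020-01-01T03:12Z alarm zone-B motion clip (constructed sample)"
    primary = store.seal(recorded, clip)
    backup = bytes(primary)  # offline or cloud backup: an identical ciphertext copy
    results = {"readable_before": store.open(recorded, backup) == clip}

    tampered = bytearray(primary)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    try:
        store.open(recorded, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    results["expired_day_29"] = store.expire(recorded + timedelta(days=29))  # []
    results["expired_day_30"] = store.expire(recorded + timedelta(days=30))  # [recorded]
    try:
        store.open(recorded, backup)
        results["backup_unreadable"] = False
    except KeyError:
        results["backup_unreadable"] = True  # every copy is now ciphertext without a key
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real system. First, `expire` runs on a schedule rather than on an operator’s initiative, which is what makes the retention policy consistently applied. Second, the store raises rather than returning garbage when the key is missing or the footage fails authentication, so an investigator sees "past retention" or "tampered" instead of a corrupt clip; a legal-hold mechanism would simply exclude the held days from the `expire` sweep.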

Technology. Technology plays a big part in adhering to privacy standards. Ensure your system includes devices with privacy features and controls. Just as critical is deploying those devices intelligently: it makes little sense to buy privacy-enhancing cameras if those features are never enabled or are bypassed by existing procedures.

Privacy-enhancing security

What sorts of technologies are we talking about? Since the privacy-enhancing features of modern security cameras seem to be little known or widely misunderstood, let’s look at several of them.

Static masking. This allows a camera or video management software (VMS) to pixelate or blank out defined areas within the camera’s view, letting you mask areas outside your property, such as a public sidewalk or a private residence. While most commonly applied to fixed-position cameras, it can also be a feature on pan, tilt, and zoom (PTZ) cameras that track the mask in a fixed coordinate system as the camera moves. Masking in the camera means the unmasked pixels never leave the device; if static masking is instead performed in the VMS, the unmasked original still exists and must be protected with access-level privileges and encryption.

Dynamic masking. Unlike static masking, which covers fixed locations, dynamic masking pixelates moving objects as they enter and leave the scene. It is primarily used to detect and obscure faces, but it can also be applied to other identifying characteristics such as license plates. Where the product keeps an unmasked stream for investigations, that stream carries the same protection requirements as VMS-side static masking.

Significant events. Some systems default to a privacy-protected state and only record video when a significant event is detected. This removes the need for operators to monitor cameras continuously and removes any reliance on the correctness of operator judgements, though it shifts that reliance onto the detector, so its miss rate should be tested before deployment. What qualifies as a significant event? That depends on the product. It can be something recognized in the video feed by a trained machine-learning model, such as a person’s unexpected movements within the frame. It can also be an event tied to another sensor trigger, such as detecting someone scaling a perimeter fence.

Face recognition. Facial recognition software can be used to flag enrolled faces (for building entry access) or unenrolled faces (for security breaches). In either case, recognizing the individual is similar to dynamic masking in that any associated personal information must be guarded by system access rights. Keep in mind that the face templates themselves are biometric data, which GDPR treats as a special category of personal data, so their storage and retention fall under the same policy as the footage.

Security without privacy protection is no longer an option

Having a solution that prioritizes the physical security of individuals at the expense of their privacy is no longer an option. If doing both is not yet mandated in your jurisdiction, it soon will be. Getting ahead of legislation while you still have ample time to investigate options is the best position to be in.

Start with a detailed privacy-safe security plan, followed by a company-wide policy. You will likely need to incorporate some advanced technology into your solution; technology that is flexible and adaptable to changing requirements is ideal.

*To stem a country-wide patchwork of privacy obligations in the US, federal-level privacy bills are being introduced such as the American Data Dissemination Act and the Social Media Privacy Protection and Consumer Rights Act of 2019.

This page is being provided for informational purposes only and should not be misconstrued as legal advice.