
Remember to Forget Me: Ensuring Security without Compromising on Privacy

The ever-increasing use of security technology is raising some inevitable questions about how information is collected, stored and accessed

Blurring faces in video or anonymizing data should be as much a part of an organization’s overall security plan as encrypting data.

Businesses must be proactive and not simply rely on governments to determine which vendors are trustworthy.

The old “check the box” compliance model no longer holds up in our electronically-driven business world.

By Firas Jadalla, Regional Director for the Middle East, Turkey and Africa (META)

There’s an old adage that says you can’t have privacy without security, but you can have security without privacy.  

People’s privacy should be paramount: they have the right to be made aware, up front and purposefully, and not at the end of an arcane privacy agreement, that they’re sharing their personal information. Cameras used to identify unsafe situations and de-escalate potential threats should automatically anonymize individuals’ identities. Information should be archived only as long as necessary and, where it is collected publicly, should be made available to the general public in a secure, sustainable manner. But whose job is it to ensure that individuals’ privacy is respected?


The role of legislation

The right to privacy is one of the basic tenets of liberal democracies, and democratic governments around the world have been drafting policies such as the GDPR (General Data Protection Regulation) in Europe, and California’s Consumer Privacy Act in North America. India’s Supreme Court even states that “a right to privacy is part of the fundamental rights to life” and an inherent part of the fundamental freedoms enshrined in the constitution. Similar legislation also exists in Malaysia and Brazil.

These recently enacted policies provide guidelines that strongly encourage organizations to take privacy protection seriously. But, just as importantly, they also set minimum requirements on cybersecurity, including principles for data security, proper data handling and processing, as well as breach-reporting. Privacy protection and cybersecurity go hand-in-hand, and protecting individual privacy, by blurring faces in video or anonymizing data, should be as much a part of an organization’s overall security plan as encrypting data or protecting edge devices. It’s critical to have a cybersecurity strategy to ensure privacy. No single approach is enough. There need to be multiple layers of defense such as encryption, multi-factor authentication, and authorization.

Organizations must be proactive in protecting their networks

In addition to laying the legal and regulatory foundation necessary to protect privacy and create safer networks, governments play another important role by restricting the use of technology from vendors or manufacturers that present security concerns, as was recently done in the US with the ban on Dahua, Huawei and Hikvision for US government-funded contracts and critical infrastructure and national security usage.  

Moving forward, if these companies don’t want to be left behind, they’re going to have to change their business practices, become more transparent, and improve the security of their offerings.

As much as governments are doing to safeguard privacy, they can’t keep our personal data secure all on their own. Organizations must also do their part. When it comes to adding technology to a network, businesses must be proactive and not simply rely on governments to determine which vendors are trustworthy. Individual businesses must step up to the plate and do some serious vetting of their own.


Privacy and transparency can co-exist 

The dilemma of properly securing public spaces via video surveillance while also protecting people’s privacy can be, and is being, resolved, thanks to advances in technology that allow for both. Technology is capable of ensuring a high level of security is in place while at the same time preventing abuse and invasions of privacy for everyday people. Privacy protection technology such as the KiwiVision Privacy Protector module from Genetec automatically blurs all persons in surveillance videos in real-time. All actions remain recognizable but unnecessary intrusion into personal privacy is prevented without compromising security. If a real incident requiring response takes place, the video is, in fact, accessible if needed. That is the time when actual governance can be put in place and the head of security or a privacy officer, for example, can give the clearance to review said video. It is also key that the system creates an audit trail, securely storing who has accessed what and when, to ensure proper governance and accountability. At that point you will have the checks and balances in place so you can review the actual footage – without blurred faces – and act on it to potentially solve an incident that occurred.

This capability is core to the products and solutions delivered by Genetec and we are firm believers that legislation such as the GDPR is a good thing for society as a whole.

Making cybersecurity and privacy protection features more accessible

It’s critically important that vendors provide clear guidance to end-users and make implementing layers of protection easier. This means making cybersecurity and privacy protection features more accessible and, in general, activated by default. In these instances, end-users wouldn’t need to figure out how to protect their data.  

It also comes down to developing good business practices that offer solid guidelines and processes. Manufacturers need to be transparent and open when communicating around new functionalities, as well as any vulnerabilities that may be discovered in systems or software. At Genetec, we’ve developed our own set of best practices and recommendations, including a Security Score tool, a dynamic hardening tool that checks the security of your physical security system in real-time. It lays out guidelines and then monitors whether the different elements of your system comply. Based on your compliance with the criteria, the widget gives you a score so that you know how secure your whole system is at all times. We have also developed lists of privacy and cyber security-oriented questions to ask any potential manufacturer or integrator of physical security technology. A commitment to educating the market, providing clear guidance for roll-out of our products and transparency in dealing with privacy or cybersecurity issues is key to establishing a network of trust that keeps people and their data safe.


Privacy by design

Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices. Building a software solution from the ground up with privacy in mind means that organizations don’t have to choose between protecting the privacy of individuals and their physical security. The old “check the box” compliance model no longer holds up in our electronically-driven business world. A risk-based approach is warranted to identify digital vulnerabilities and close privacy gaps.

As Dr. Ann Cavoukian, Executive Director of the Privacy and Big Data Institute at Ryerson University, has noted, “Protecting privacy while meeting the regulatory requirements for data protection around the world is becoming an increasingly challenging task. Taking a comprehensive, properly implemented risk-based approach—where globally defined risks are anticipated and countermeasures are built into systems and operations, by design—can be far more effective, and more likely to respond to the broad range of requirements in multiple jurisdictions.”

Tips on how to better protect what you’re protecting

Priority One – Control who sees what! Put in place a comprehensive privilege management program to restrict the scope of who can access your system. By implementing precise controls over which resources, data or applications your users and user groups can access and modify, you’ll have complete control over who sees what in your system.

Automate anonymization of video. Privacy protection features such as the built-in KiwiVision™ Privacy Protector™ module of Genetec Security Center can help protect the identity of individuals caught within a camera’s field of view. The award-winning module automatically anonymizes individuals without obscuring actions and movements. This ensures the privacy of individuals while safeguarding potentially important video evidence. Only with appropriate pre-determined measures such as a second confirmation by a legal department (four-eyes principle) can video be unlocked for complete viewing.

Securely collect, manage and share evidence. Organizations mandate strict guidelines for how evidence is controlled, as the mishandling of sensitive data can lead to fines and even to cases being dismissed in court. Still, many continue to rely on USBs to store and distribute digital evidence, despite the risk of the data being lost or stored insecurely.

To ensure alignment with the highest security standards, all data transferred to a digital evidence management system such as Genetec Clearance should be encrypted, and files cannot be modified in any way so they can be used as evidence in court. This way, organizations can configure their access control policies to ensure cases are only accessible by authorized individuals. Additionally, all user actions should be preserved in the system’s audit trails to maintain chain of evidence and should be easily reviewed by administrators when required.
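The four-eyes unlock and the audit trail described in the tips above can be combined in one small mechanism. The following is an added example, not code from Genetec or from the original article; the role names, class names, clip identifier and timestamps are assumptions constructed for illustration.

```python
import hashlib
import json

APPROVER_ROLES = {"legal", "privacy_officer"}  # assumed role names
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only log: each entry commits to the hash of the one before it."""
    def __init__(self):
        self.entries = []
    def record(self, actor, action, footage_id, ts):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"actor": actor, "action": action, "footage": footage_id, "ts": ts, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False  # an entry was edited, removed or reordered
            prev = entry["hash"]
        return True

class UnmaskGate:
    """Unblurred footage is released only after a second person confirms."""
    def __init__(self, trail):
        self.trail, self.pending = trail, {}
    def request(self, footage_id, requester, ts):
        self.pending[footage_id] = requester
        self.trail.record(requester, "unmask_requested", footage_id, ts)
    def approve(self, footage_id, approver, role, ts):
        requester = self.pending.get(footage_id)
        # Four-eyes: a request must exist, and the approver must be someone else
        ok = requester not in (None, approver) and role in APPROVER_ROLES
        self.trail.record(approver, "unmask_approved" if ok else "unmask_denied", footage_id, ts)
        if ok:
            del self.pending[footage_id]
        return ok

def demo():  # constructed sample identities, clip id and timestamps
    gate = UnmaskGate(AuditTrail())
    gate.request("clip-0042", "investigator_a", "2024-01-01T10:00:00Z")
    self_ok = gate.approve("clip-0042", "investigator_a", "legal", "2024-01-01T10:01:00Z")
    second_ok = gate.approve("clip-0042", "counsel_b", "legal", "2024-01-01T10:05:00Z")
    intact = gate.trail.verify()
    gate.trail.entries[1]["actor"] = "nobody"  # simulate after-the-fact tampering
    return self_ok, second_ok, intact, gate.trail.verify()
```

A hash chain like this only exposes edits made by someone who cannot rewrite the whole log, so the latest hash should be signed or copied to a separate system that the log's administrators do not control.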

In conclusion

Protecting people and assets sometimes requires you to collect personal data, as well as footage about individuals using public spaces in or around your facilities. But to meet regulations and public expectations, access to this data or footage often needs to be restricted. We at Genetec make sure you don’t have to choose between protecting the privacy of individuals and their physical security. Our solutions help you to define who has access to sensitive data and footage, without slowing down investigations and incident response. It’s important to ensure that you have complete control over your data so that you can adjust your protection methods and processes to meet regulations, and, more importantly, build trust with your customers.