Thursday, August 1, 2024

Data Privacy in Video Surveillance Code of Practice

Video surveillance has been used for security applications since the 1940s and has evolved from analog cameras to IP-based systems that can include analytics and machine-learning capabilities.

The rapid growth of networked surveillance, along with the evolution of Internet, cloud and mobile applications, as well as improvements in image quality, has vastly expanded video’s ability to deter and detect criminal activity and to provide evidence used to solve crimes and find missing persons. An estimated one billion surveillance cameras were in operation around the world in 2023.

However, we often lack understanding of the lawfulness of video surveillance, the measures that can be taken to protect our privacy, and whether our video footage is even considered personal data under the General Data Protection Regulation (GDPR).

Given the nature of video surveillance, concerns about potential misuse and invasions of privacy are understandable, and there have, unfortunately, been cases in which a lack of proper controls has led to privacy violations. The Security Industry Association (SIA) Data Privacy Advisory Board has produced this Code of Practice for Video Surveillance (“Code”) based on common privacy and security principles to provide manufacturers, integrators and end users with guidance that can be used to inform their development of sound policies and practices that mitigate privacy risks while leveraging the power of video technology.

Data protection and data privacy laws in India are at a nascent stage: the Digital Personal Data Protection Act, 2023 (“DPDPA”) was enacted only on 11 August 2023 and is to be notified for stage-wise implementation in India. It will take time to evolve, with many upcoming developments to take shape in personal data and its usage, storage and transfer. Additionally, other Indian legislation further influences the legal conundrum surrounding data protection law in India.

For manufacturers / OEMs, primary responsibilities relate to device and platform default configurations and upkeep, as well as building privacy into the design of hardware and software. Device and platform design and maintenance should include:

• Patching

• Vulnerability communication

• Forced changing of default login credentials

• Role-based access control, multi-factor authentication, encryption, and other data security best practices

• Device security risk considerations and notifications (e.g., trusted platform details)

• Cloud services security and management if apps are offered

o Associated security considerations and notifications

• Publicly available and current guidance to secure infrastructure

Responsibility for integrators (system integrators) begins with the design and layout of the system. Conducting a privacy impact assessment can identify areas of concern before installation begins. For example, camera viewing areas and the use of analytics software must be addressed in the planning stages. As integrators deal directly with customers and end users, they should educate them on handling data appropriately.

It is critical to establish an appropriate set of default privacy settings, in addition to “hardened” secure settings for cameras and the network, including purpose-specific analytics and viewing/exclusion zones.

Other important areas for integrators to consider include:

• Ongoing privacy and cybersecurity education and training for employees

• Proper authentication of employees on systems and devices

• Requirements, roles and responsibilities, including third-party security

• Nature of systems involved (cloud, on premises, hybrid) and designated privacy and security measures

• Applicable international, federal, state, and local laws and regulations, as well as industry standards, frameworks and best practices

• A service contract that identifies the integrator’s privacy and security obligations and risk.

End users are the surveillance system data controllers (in privacy terms). They establish the purpose and justification for the surveillance system as well as its operational scope. When hiring a third-party services provider, the end user should take reasonable steps to ensure that the provider follows all applicable data privacy laws, regulations and best practices and meets the same standards when handling data that the end user has in place for itself. The end user, as data controller, retains the ultimate responsibility to protect sensitive information and respect privacy and should not solely rely on third-party service providers for compliance.

Transparency is a priority, especially regarding the identification of the owner or processor of the data, as it enhances trust. End users must be aware of requirements in jurisdictions in which they operate, because, in many places, there are transparency and notice mandates concerning such information as who is conducting the surveillance, the level of surveillance being conducted, and the risk involved.

Privacy risk factors vary depending on the end user’s system and its interactions with individuals. A risk assessment is crucial to determine areas of concern. This assessment should look at the use of video surveillance across the organization and consider business, operational, legal, technical and social aspects. It should begin by addressing the most basic questions, such as identifying the purpose of the surveillance, who or what is being surveilled, and what the justification is.

Legal position concerning surveillance culture in India

Presently in India, communication surveillance is primarily governed by two legislations: the Telegraph Act, 1885, which deals with interception of telephonic conversations, and the Information Technology Act, 2000, which concerns the surveillance of electronic communication.

However, there are no specific laws or regulations to address the gaps existing between the aforesaid two legislations for avoiding overreach.

The Supreme Court of India (hereinafter referred to as the “Supreme Court”), while considering that data privacy is a part of the Right to Life enshrined in the Constitution of India and also a fundamental human right, observed the principles of informational privacy and data protection in the landmark judgment of K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1. This celebrated judgement of the Supreme Court resulted in the introduction of the Personal Data Protection Bill, 2019 (hereinafter referred to as the “PDP Bill”).

The PDP Bill lays forth the fundamentals of data protection and establishes mechanisms for dealing with any violations of its provisions. Further, it imposes sanctions on corporations and individuals that fail to comply with the provisions of the PDP Bill. Moreover, it establishes an adjudicatory procedure through which individuals can seek compensation for any ‘damage’ they have suffered as a result of a violation of the PDP Bill’s provisions.

However, though an umbrella legislation may be easier to draft and implement, it may overlook sector-specific details in order to achieve the declared State goal. For instance, data collection in the health sector amid the Covid-19 pandemic would be different from data collection and use for national security, which includes challenges such as terrorism and counterfeit money. It is pertinent to note that the surveillance needs in the two circumstances would be different.

The PDP Bill was referred to a Joint Parliamentary Committee (hereinafter referred to as the “Committee”) for further consideration, and thereafter the Committee published its Report and finalized the Data Protection Bill, 2021 (hereinafter referred to as the “Bill”). The Bill which is expected to be enacted anytime soon, shall govern all the aspects of data processing in the country and any surveillance mechanism shall be affected by the same.

The following is a non-exhaustive set of questions that operators in several sectors can use to begin to determine potential privacy risks. Security system operators are the systems administrators for the data controllers who authorized the surveillance.

Corporate security

• How is video being used?

• Can data subjects be identified?

• Are analytics being used?

• Is there notice of surveillance before it takes place?

• Is there an opt-in option? Or opt-out? Or right to be forgotten?

• What are the retention times? How do these compare to legal requirements, if there are any?

• Are security and privacy the same team?

Healthcare facilities

• Are there HIPAA compliance requirements?

• Are there protected health information (PHI) implications?

Education

• Are there Family Educational Rights and Privacy Act (FERPA) considerations?

• Is facial recognition being used for attendance?

• Have parental concerns been considered and addressed?

Marketing

• What levels of transparency and notice are in place?

• Are there PII concerns with how the video is collected, used and stored?

• Are data subjects being identified? If so, is this necessary/appropriate?

Public/Government/Law Enforcement

• Who/what area is being surveilled and why?

• Is artificial intelligence (AI) or another automated technology being used?

• Is appropriate notice/signage in place?

Code Principles

This Code of Practice is based on core privacy and security principles as they apply to the manufacture, deployment and use of video surveillance systems. As with any technology-based security system and the products developed for such systems, conducting a privacy impact assessment (PIA) can establish a baseline for appropriate privacy practices. This begins with the design phase and continues through to deployment and use.

A PIA analyzes how information is collected, used, shared, maintained and retained and identifies the operational requirements. (These requirements extend beyond compliance as they also drive governance and resulting policy.) Further, a PIA can identify areas in which privacy violations would occur if surveillance were used, with some obvious cases being surveillance in a restroom and inadvertent capture of identity and payment cards. One should also be aware of the integration of video surveillance with identity management and physical access control systems.

In addition to conducting a PIA, implementing the following principles can further improve the privacy practices of manufacturers, integrators and end users.

Privacy by Design

Privacy by design approaches privacy from a proactive rather than reactive perspective. In practice, this means anticipating and preventing breaches before they occur and recognizing privacy rights and enabling their exercise. For manufacturers, this means approaching product design from a privacy standpoint. For integrators, it means designing and installing video surveillance systems that incorporate privacy principles in their use and maintenance. Organizations adopting privacy by design will have to make privacy a priority in determining default settings and must keep all stakeholders informed of their privacy practices and any changes that are made to them.

Regular Review

Establishing consistent and regular review and audit processes will help to ensure compliance with legal and regulatory requirements and industry standards and best practices. These will need to be updated from time to time as circumstances or technological advancements dictate. The review should include all stakeholders, including individuals and third parties that may be affected.

Transparency and Notification

• Inform consumers and employees that cameras are in use

• Provide information regarding the data captured and how it will be used, and limit uses to those for which there is legal justification

• Share data retention information (e.g., how long information will be stored, how it will be deleted)

• Include a point of contact for complaints or further information

Data Access

Restrict access to data and retained images. Clearly define rules stating who has access and when and for what purpose access may be granted.

Purpose Limitation

Use video surveillance systems for a specified purpose that meets an identified and pressing legitimate need.

Data Minimization

Collect only that video that is necessary for the intended purpose.

Data Accuracy

Data controllers are responsible for the accuracy of the data. Make sure that the metadata concerning location, date, time and other factors are accurate. In some cases, the data accuracy needs to meet evidentiary requirements. If analyzing data and comparing it to a reference database, ensure that the database is accurate and kept current. For video surveillance purposes, manipulating video images requires notation and should be avoided unless absolutely necessary.

Data Storage Limits

Only store video footage for as long as is reasonably necessary or required by law or regulation.

Integrity, Confidentiality and Security

Implement appropriate processes, policies, and procedures to process and store data in a secure manner. This could include the use of digital signatures and watermarking to prevent modification as well as other cryptographic techniques, such as encryption during transmission and storage. Regularly review processes, policies and procedures to protect against unauthorized access or use.

Privacy and surveillance in India: judicial precedents

The Right to Privacy has not been explicitly mentioned in the Constitution of India. However, the Courts in India have created a framework for protection of privacy of the citizens by interpreting it within the meaning of Right to Life and Personal Liberty under Article 21 of the Constitution.

The Supreme Court developed the law on Right to Privacy via some landmark judgments involving surveillance. The first being the case of Kharak Singh v. State of U.P., (1964) 1 SCR 33, wherein the constitutional validity of Regulation 236 of the Uttar Pradesh Police Regulations, 1861 was challenged which permitted surveillance. The Supreme Court held that “surveillance by domiciliary visits and other acts under regulation 236 was ultra vires articles 19 (1)(d) and 21”.

In another case, People’s Union for Civil Liberties v. Union of India, 1995 (3) 365, the Supreme Court held that the “right to privacy included the right to hold a telephone conversation in the privacy of one’s home or office and that telephone tapping, a form of ‘technological eavesdropping’, infringed the right to privacy”.

However, in Govind v. State of Madhya Pradesh (1975) 2 SCC 148, a case of surveillance under the Madhya Pradesh Police Regulations, though the Supreme Court acknowledged a limited right to privacy, it upheld the impugned regulation which authorised domiciliary visits in its entirety.

Reference:

1. Article from securityindustry.org

2. https://www.infosecurity-magazine.com/opinions/privacy-video-surveillance-paris/

Monday, July 15, 2024

Encryption vs. Encoding

Encryption is a very important concept in cyber security. Enabling encryption by default for all services will help improve the confidentiality of those services and of sensitive data. There are a few different considerations when it comes to good encryption.

Encryption and encoding are the two distinct processes used for data or information transformation, and they serve different purposes. This article will explain these processes in detail and highlight their differences.

What is Encryption?

Encryption is the process of transforming data or information into a secret code that is unintelligible and unreadable to unauthorized individuals and can only be unlocked with a key. It involves using mathematical algorithms and a secret key to transform plaintext (the original, readable data) into ciphertext (the encrypted, unreadable data). It ensures the confidentiality and privacy of sensitive information, making it difficult for unauthorized parties to understand or access the data.

The purpose of encryption is to secure data at rest, data in transit, and communication.

• Data at Rest: Encryption protects data that is stored on a computer or other devices, such as a USB drive, hard drive, or cloud storage.

• Data in Transit: Encryption is used to secure data that is transmitted between two devices, such as a laptop and a printer.

• Secure Communication: Encryption is used to protect data that is shared over a network, like email, web browsing, and file transfers.

• Disk-level encryption: The information stored on a digital disk, such as network storage or a computer hard drive, is encrypted. SAN storage encryption and Windows BitLocker are examples in this category.

• Database encryption: The information stored in a database (e.g. SQL or Oracle) is encrypted using a certificate or a static key. This reduces the risk of database files being copied and opened by unauthorized people.

• File-based encryption: This is about encrypting files and their contents. Normally, it is done using rights management solutions. Encrypting Microsoft Office documents or Adobe PDFs are examples in this category.

• Backup encryption: When taking a backup, the backup files must be encrypted to prevent unauthorized access to the content that has been backed up.

• Public cloud resource encryption: Public cloud services, such as AWS, Azure and GCP services, need to be encrypted appropriately; normally that capability is provided by the service provider. Examples are AWS S3, RDS and Azure Blob Storage.

• Encryption in motion: Sensitive information must be encrypted while it is being transferred from one location to another. Some examples are user traffic to an application, data transferred from a database server to an application server, or data transferred between two applications for integration purposes. There are a few different areas to consider when it comes to encryption in motion:

o Encrypted web traffic: The web is pretty much everything these days, and it is critical to ensure that all web traffic, whether a standard web application interface, an API or any other type of web traffic, is encrypted properly using the HTTPS protocol.

o Email encryption: Email is the main type of communication for companies these days and, unfortunately, it is not encrypted by default. We need to make sure email traffic is encrypted in motion and at rest when dealing with sensitive information.

o Encrypted services: Pretty much all standard network services provide encryption capabilities these days, and it is important to switch to the encrypted version and avoid using clear-text protocols as much as possible. Examples of encrypted services are SFTP, SSH, SMTPS, POP3S, IMAPS, LDAPS, etc.

o Key-based encryption: Public/private key encryption is used in a lot of services and integrations, e.g. PGP, to ensure network connectivity and data transfer are done in a secure and encrypted way.

o Remote access: Remote access services such as VPNs must provide a secure, encrypted channel between end users and devices and the targets they connect to.

There are different types of encryption algorithms, such as symmetric and asymmetric encryption. In symmetric encryption, a single key is used to encrypt and decrypt the data. AES 256 or AES 512 are the most common in this category.

Symmetric Encryption Algorithm

·        Advanced Encryption Standard (AES): Widely adopted for security and efficiency.

·        Triple DES: Applies DES three times for enhanced security.

·        Blowfish: Known for its flexibility and speed.

Asymmetric Encryption Algorithm

·        Elliptic Curve Cryptography (ECC): Based on elliptic curves, offering strong security with shorter key lengths.

·        RSA (Rivest-Shamir-Adleman): Used for key exchange and digital signatures.

·        Diffie-Hellman Key Exchange: Secure key exchange protocol without prior communication.

In asymmetric encryption, two separate keys (public/private) are used to encrypt and decrypt the data. RSA 2048 or RSA 4096 are examples in this category.

What is Encoding?

Encoding is the process of converting data or information into a specific format or code that can be easily stored, transmitted, or processed by a computer or another entity. It involves the use of specific rules, algorithms, or standards to transform data into a format better suited for a particular purpose or medium.

There are many different types of encoding, each with its purpose. Some common types of encoding include:

• Character Encoding: Converts characters and symbols from a character set to unique codes. ASCII, UTF-8, and UTF-16 are popular character encodings.

• Image Encoding: Transforms images into a digital format. JPEG, GIF, and PNG are popular image encodings.

• Video Encoding: Converts video signals into a digital format. MPEG-4, H.264, and HEVC are popular video encodings.

• Audio Encoding: Converts sound waves into a digital format. MP3, WAV, WMA, and AAC are popular audio encodings.

Encoding Algorithms

• Base64: Converts binary data into a string of ASCII characters.

• URL Encoding (Percent-encoding): Encodes special characters in a URL so they can be transmitted safely.

• Binary: Represents data as a sequence of bits.

• HTML entity encoding: Represents special characters and reserved symbols in HTML documents.

• UTF-8: Encodes characters from the Unicode character set.

Difference Between Encryption and Encoding

Encryption and encoding are both ways of transforming data into a different format. However, they have different purposes and use different methods.

| Basis | Encryption | Encoding |
|---|---|---|
| Objective | It transforms data or information in such a way that it remains confidential and secure. | It converts data from one format or representation to another. |
| Used for | It is used to maintain data confidentiality by converting it into an unreadable form using cryptographic algorithms. | It is used for character representation, multimedia compression, or data format conversions to maintain compatibility, efficiency, or data integrity. |
| Security | Very secure; it can only be decoded with the correct key. | Not secure; it can be easily decoded. |
| Reversibility | It is reversible, but only with the correct decryption key. | It is reversible without any key. |
| Method | It uses an encryption algorithm and a key. | It uses a conversion algorithm. |
| Key usage | It requires the use of secret keys. | It does not involve the use of secret keys. |
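To make the table concrete, here is an added Go example (not from the original post): base64 encoding is reversed by anyone, with no secret involved, while AES-256-GCM encryption can only be reversed with the right key and also rejects a tampered ciphertext. The passphrase-to-key step (DeriveKey, a plain SHA-256 of the passphrase) is a simplification assumed for the example, not a recommended key derivation function.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Encode turns arbitrary bytes into printable ASCII (base64). No secret is
// involved, so anyone can reverse it: compatibility, not confidentiality.
func Encode(data []byte) string {
	return base64.StdEncoding.EncodeToString(data)
}

// Decode reverses Encode without any key.
func Decode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(s)
}

// DeriveKey is an assumed stand-in for a real KDF: SHA-256 of a passphrase
// gives the 32 bytes AES-256 needs. Production code needs a salted KDF.
func DeriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// Encrypt seals plaintext with AES-256-GCM. Output layout: nonce || ciphertext
// || tag. The tag is what lets Decrypt detect a wrong key or a modified byte.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per message
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a message produced by Encrypt. Unlike Decode it needs the key,
// and it returns an error (not garbage) on a wrong key or tampered ciphertext.
func Decrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short to contain a nonce")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	secret := []byte("camera=lobby-02;subject-id=4711") // constructed sample record
	enc := Encode(secret)                               // encoding: anyone can undo it
	back, _ := Decode(enc)
	fmt.Printf("base64 %q -> %q\n", enc, back)
	key := DeriveKey("example passphrase") // encryption: only this key undoes it
	ct, _ := Encrypt(key, secret)
	pt, err := Decrypt(key, ct)
	fmt.Printf("right key: %q err=%v\n", pt, err)
	_, err = Decrypt(DeriveKey("another passphrase"), ct)
	fmt.Println("wrong key:", err)
	ct[len(ct)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Decrypt(key, ct)
	fmt.Println("tampered:", err)
}
```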

Thanks to Mr. Rassoul Ghaznavi Zadeh for the main inputs and for teaching me.

Monday, July 1, 2024

System Integrators Start with IIoT Now

“Companies whose investment processes demand quantification of market sizes and financial returns before they can enter a market get paralyzed or make serious mistakes when faced with disruptive technologies” (Clayton M. Christensen, The Innovator’s Dilemma). The excerpt above sums up what I believe may be happening in the system integration space with regard to Industrial IoT (IIoT) implementation, and it is the subject I seek to address in this post.

An IoT system integrator is a qualified business that offers companies consulting services, training and solutions to set up and maintain all aspects of IoT (Internet of Things), from hardware to software. There are a lot of system integrators who are IIoT savvy, but most are filled with skepticism and still see it as hype. So they eagerly wait on the sidelines for the wave to pass, or plan to adopt the technology next year or the year after when the hype has died down. Another reason could be that they do not yet fully comprehend the opportunities afforded by IIoT. Whatever reason they may have for dragging their feet, the reality is that those who fail to act quickly will be forced to share the plant floor with new competition.

But here is the kicker: there is a new breed of integrators crossing over from the commercial sector, the ones that specialise in smart devices. They are willing and ready to move into manufacturing and industry in general. However, automation system integrators are well positioned to fill the gap now more than ever, because in most businesses the acquisition of IoT solutions has shifted from being handled by the IT department to operations. Due to the existing relationship between operations and system integrators, they happen to speak the same language, so it will be easy for system integrators to liaise with IIoT vendors and quickly step in to fill the void. Consequently, with investment in knowledge of embedded systems, wireless applications, and front-end and back-end solutions, they can provide the entire IIoT chain and in turn offer efficient systems to the user, creating a win-win situation.

Nowadays, almost all automation devices are being shipped IP and cloud ready. The challenge, though, as I have personally experienced, is that IIoT vendors are still emphasising locking in market share, making it difficult to aggregate all the information from different sensors and devices onto a single platform, as opposed to using separate cloud components for each device or sensor. But then again, this also presents itself as an opportunity for the IIoT-savvy system integrator to act as a differentiator by providing solutions that make it easy to move data between systems, unlocking all the value for their customers.

The idea is simple. The data that is already being used within automation systems for operation happens to contain a wealth of useful information for running the business more effectively in areas such as energy consumption, asset utilisation, supply chain management and predictive maintenance, to name a few. It’s not just connecting to the PLC and exchanging data; it’s something more. It’s about the system integrators getting involved as the needed experts on big data, connectivity, cloud computing and so on, because no one, not even the vendors, has as much knowledge as system integrators of the businesses these IIoT systems are being sold to.

A master systems integrator provides a single (core) user interface to monitor and manage every aspect of a facility. This gives owners a competitive edge in today's sophisticated market. Master systems integrators also install and manage the systems that make your building run.

In conclusion, it’s only a matter of time before non-automation companies come down into the manufacturing space, and I envisage it getting a little bit crowded. What action can be taken? System integrators need to start building their skills in applying these technologies and incorporating fresh ideas.

ASi-5 – high data bandwidth for demanding applications

Machine data, process data and diagnostic data: today, machines and systems generate huge amounts of data. But only a fraction of this data necessarily belongs in the higher-level PLC. In order to successfully implement Industry 4.0 projects, the majority of the data needs to be processed and analyzed in IT. Coordinated interaction is only possible when all devices in the cyber-physical system communicate with each other.

A powerful data shuttle such as ASi-5 is needed. The new ASi generation offers a high data bandwidth and short cycle times. This makes it easy to integrate the smart sensors, like IO-Link, that are so important for Industry 4.0.

Our modern ASi-5/ASi-3 gateways also play an important role. They have two independent interfaces, for OPC UA and a fieldbus, which allow the respective data to be transferred directly to IT or to the control. The gateways also act as a link between field devices and higher-level IT systems, collecting valuable diagnostic data that usefully supplements the device data from the field.

Since more connectivity increases cyber risks, we rely on encrypted communication and authentication. Thanks to field update capability, the ASi-5/ASi-3 gateways also meet future security requirements.