7.5.24 – SSI –Simon Randall
A growing body of legislation means more organizations need a tech strategy that defaults to anonymization and privacy.
In the digital age, society has come to a general understanding of what personal data needs protecting. This includes health records, for example, as well as financial records, browser histories, and students’ grades.
Governments have taken a variety of steps to legislate data privacy. In the U.S., decades ago, lawmakers even decided a person’s videotape rental habits were protected. Now courts are deciding whether that covers online streaming.
Generally, we’ve known how such data was generated, who had it, and roughly where it resided and needed protection. But data evolves. Beyond records held in databases and digital documents, data now includes the millions of terabytes of video created every day.
Video from CCTV security and IP cameras, drones, body-worn cameras, smartphones, you name it. And if a person or person’s property (like a car or home) is identifiable in that video, it can be deemed personal data that increasingly must be protected.
We see aspects of this already today: local authorities want to share security video to help identify a suspect, for instance, but they don’t want to share the identities of all the bystanders to protect their privacy.
Or a TV news station plans to broadcast smartphone footage of a protest but must be mindful of showing onlookers. Or even video that may fall under existing privacy laws, like the Health Insurance Portability and Accountability Act (HIPAA).
If a doctor’s office maintains cameras for its own security, video of its patients coming and going may need to be protected from unauthorized viewing, sharing, or identification.
Inside the Transformation
So, how do we do it? How do we as security professionals help our customers protect video data privacy in a time when video comes from myriad sources; is stored on devices, servers, and in the cloud; and is governed by a patchwork of privacy regulations that’s constantly evolving? Especially at a time when umbrella privacy regulations are becoming the norm.
The best course is what I’ll call default security. In other words, today’s myriad video systems should default to privacy protection through technology that anonymizes all video data as necessary — and as privacy frameworks evolve — yet still allows organizations to use that video information for the various reasons they require it — physical security, monitoring, and operations improvement, to name a few.
Not only does default video security ensure compliance, it goes a long way toward building trust among consumers, employees, and institutions.
Privacy Legislation and Video Data
In the U.S. the biggest privacy framework on every integrator and organization’s radar is the American Privacy Rights Act (APRA). Currently under consideration by Congress, APRA would establish national consumer data privacy rights and set standards for data security, effectively unifying the patchwork of state and federal data protection measures already in effect.
In many ways, APRA is like the European Union’s General Data Protection Regulation (GDPR), published in 2016, in that it seeks to safeguard personal information and empower individuals with greater control over their data, including video data. But even if APRA changes dramatically — or never passes into law — the patchwork remains and evolves, ensuring video data privacy is an ever-present consideration as our digital lives advance.
With video cameras permeating everyday life, and courts essentially agreeing that if an organization discloses its use of video, it can record in publicly accessible locations, individuals have largely come to accept they’re often on camera. But that doesn’t change the fact that in most cases, that footage may be considered personally identifiable data that needs protecting — especially now, as generative artificial intelligence (AI) can allow nefarious actors to manipulate unprotected video, audio, and imagery. It’s one thing to criminalize publication of so-called “deepfake” videos; it’s another to protect video data before it can be altered. And with so much video being stored and handled in the cloud, security is paramount.
So if we accept that different organizations use video for varied, productive reasons — video security in retail stores and schools, police body cameras, municipal traffic cameras, surveillance in transportation hubs, offices, elevators, etc. — and we support standards and legislation to protect individuals’ video data as we would their digital records and information, then we’re faced with a challenge.
How do we guide our customers to create the infrastructure to not just manage but also protect video data across their enterprise in compliance with current and future laws?
Anonymization as Privacy Layer
The best way to think about the challenge is to consider real-world situations. For example, think about a Freedom of Information Act (FOIA) request for video footage of some event or occurrence. To fulfill such a request while protecting the privacy of bystanders in the video, faces may need to be digitally “blurred out” — a potentially painstaking process.
Or, as legislation like GDPR and eventually APRA give consumers more control over their privacy, they would be within their rights to seek all video footage of themselves in relevant locations, like malls, hospitals, office buildings, or schools. But they don’t have rights to others’ identities in the same footage.
The solution is to introduce a privacy layer to video management platforms that effectively defaults to complete security and gives organizations the power to anonymize personally identifiable information in their video streams.
Whether it’s live or recorded video, this privacy layer uses AI and machine learning to digitally detect and redact the video data that needs protecting, like faces, addresses, license plate numbers, and more. What’s more, it should be powerful enough to track and anonymize individuals in every frame of the video for maximum compliance.
By giving organizations a privacy layer that defaults to complete security — in other words, anonymizing all the video it handles — the organization is in a better position to comply with whatever data protection and handling regulations come its way. Not to mention, this privacy layer dramatically accelerates and streamlines the handling and sharing of video in compliance with data requests or other situations.
Ultimately, a privacy layer for video management acts as future-proofing not only against new regulations, but also in support of innovative applications. Imagine real-time video footage of busy transit hubs.
By anonymizing the video through a privacy layer, operators can publicly share the footage, so people know when traffic is heavy or light, while remaining in compliance with prevailing privacy laws.
The fact is data privacy legislation like APRA represents a tipping point in the handling of video data. Suddenly, any organization — public or private — that collects video should be prepared to protect it as personal data.
That could prove a tall task, unless the video management system it uses defaults to privacy.
Simon Randall is the chief executive officer of Pimloc.