Note: This page contains a SPECIAL EXPANDED VERSION of this article. It includes content that was not able to be fit into the space available in the printed magazine. The new material is marked with yellow highlighting, as this paragraph has been marked.
No single technology issue is more important, or is more frequently or widely discussed today, than the issue of privacy. Our powerful information and security technologies step across the boundaries of what was once considered sacred and inalienable.
|
There are two important reasons for having a good understanding of privacy issues as they relate to security systems. First, as American citizens, we must know what our individual rights are or be at significant risk of losing them both at the smaller level of daily transactions, and at the larger level of state and national legislation. Second, as providers of security systems and services (including system owners, managers, administrators and operators), even partial ignorance of individual privacy rights means that we risk substantially violating the rights of others - the very people whose property and persons we have committed to protect.
Privacy is a topic that is more easily discussed in general terms. Getting specific tends to lead into social, ethical and legal issues. It is easy enough to avoid the subject for just that reason. But the fact remains that as providers and end users of security systems, we must educate ourselves on the subject, at least to the extent that we can handle our systems in ways that respect the privacy rights of those in our charge.
Fortunately, this is not as hard as it may sound. Suitable guidelines and principles for information privacy have already been established; our main task is to understand and follow those that are applicable to our systems.
It is ironic that security systems, intended and designed to protect individuals, have become a potent means for violating their privacy. How has this happened, and what can we do about it?
Evolution of Security Systems
In the previous two decades, the growth in scope and capabilities of security systems has outpaced all prior development. This growth has been fueled by developments in computer and information technology.
The electronic security industry began during the end of the Industrial Age with dial-up alarm systems that had no information storage but printed out alarm records at the alarm company central station. The advent of the Space Age and improved electronics brought greater on-site capabilities for security systems, which could store a small amount of basic information in electronic memory chips and could locally print out system information and activity.
Then computers ushered in the Information Age, and on-site computer based systems became capable of storing tens of thousands of personal information records, and keeping years of user access information on computer disks.
Finally, in very recent years, several advances came together to create a very real and widespread threat to individual privacy. Affordable high-speed global computer networking (private networks as well as the Internet), and international standards for messaging and data exchange, made it practical for individuals and businesses to share information and conduct transactions electronically. This also made it possible for criminally minded persons to anonymously steal personal information from clear across the globe. Periodically such stories surface in the daily news.
Today's high-capacity data storage systems make it possible to collect and keep trillions of data records, and to search and access them in a matter of seconds.
For less than the cost of a new mid-sized automobile, you could install a computer-based data storage system in the smallest closet in your home that would be capable of storing 100,000 copies of the Encyclopedia Britannica (2,619 pages per copy) and could retrieve any page or photograph for display in just a few seconds. That's equivalent to five copies of every book in the Library of Congress. It's also about one page of information for every man, woman and child residing in the United States.
In the past few years the combined growth of four aspects of computer-based systems has brought us to the point where there is considerable basis for concerns about information privacy:
- The proliferation of independent computer systems that store personal data
- Widespread high-speed internetworking connectivity
- Standard protocols for information sharing
- Increases in storage and retrieval capabilities (compared to 15 years ago) of a million-fold for personal computers and a billion-fold for digital data repositories
What kind of capabilities do these advances provide? Using 10 high-speed data connections, all 20 million books of the Library of Congress could be transferred to a single computer system in less than 2 hours. This technology is available to any business or individual (non-criminals and criminals alike); such a computer system would cost less than a high-end Sport Utility Vehicle.
Note added on July 14, 2007 - As of Today: WalMart and PC Club are selling 500 gigabyte hard drives for under $140 - two drives make 1 terabyte of storage for less than $280. USB Flash Drives now exist that have a 64 gigabyte capacity. Cavalry Storage, Inc. has a 4 terabyte "personal disk array" that resellers offer for $3,775. That means $18,875 can buy enough computer disk storage to hold all of the text in the Library of Congress. As storage capacities continue to rise, the cost per gigabyte continues to drop.
Prior to these advances, there was no risk in giving out various small pieces of personal information here and there, because they couldn't be assembled to create a bigger picture. We could provide one person or company with information "A" only, and another person or company information "B" only, even though we wouldn't want any one person or company to know both "A" and "B". Thus the information remained essentially private. It would be lost to human memory, or buried under mounds of paper. Now, such pieces of information are most likely to go into a computer. They can easily be stored, shared and assembled to create a much more significant collection of private information. Data mining systems provide this capability, and can perform the work automatically.
Access control systems that record the whereabouts of persons and vehicles, and video monitoring systems that record their images, are becoming commonplace in business and retail establishments. Access control systems are being integrated with central databases to facilitate management of personnel information, which allows security smartcards to be used for other purposes, such as cafeteria purchases and checkout of library books. CCTV surveillance systems are now also used for operational purposes, such as monitoring snow removal or parking enforcement. The more widely used such systems become, the more their capabilities increase, the more important it is for providers and purchasers of the systems to understand the privacy rights of those subject to system control and surveillance, and to safeguard the privacy of recorded information.
The Privacy Issue
Privacy is not a new issue. In 1890 Samuel D. Warren and Louis D. Brandeis wrote the influential paper "The Right to Privacy", motivated largely by the advent of modern photography and the printing press [1]. The article stated, "the latest advances in photographic art have rendered it possible to take pictures surreptitiously." Previously photo taking required the conscious participation of the subject, who had to "hold still" in front of the camera long enough for the picture to be taken.
Modern video equipment can record images of persons and events in lighting conditions under which ordinary photography is not possible. Furthermore, recorded images can be transferred around the globe almost instantaneously, as we commonly see almost daily in live news broadcasts.
Each general advance in technology sounds a new warning against potential abuses of technology, especially with regard to violations of individual rights. Citizen uproars occurred in the 1960s when governments began to use mainframe computing to catalog information about its citizens. Remembering the Nazi exploitation of detailed public records in World War II (allowing them to easily find the Jewish population of any city they raided), many European nations passed various "data-protection" laws in order to prevent any misuse of such centrally stored information. In the 1980s the increased use of credit cards and electronic transactions opened the door to new abuses, including electronic theft. In the 1990s the dawn of the World Wide Web made privacy protection an even more important issue, one that is still an active concern.
Today we are in the midst of responding to domestic attacks by terrorists, and we look to electronic security technology to help protect us. Technologies that offer great potential for terrorist detection (such as the inter-linking of security databases, video surveillance and facial recognition) also offer great potential for violation of the privacy rights of ordinary citizens.
That makes it even more important for us to get our thinking straight about the use of such systems. The potential for violations of individual rights does not lie in the technologies themselves, but in the way that people use the systems. Thus it would be irresponsible for system providers and system purchasers to simply ignore privacy issues, and wait for citizen protest and government regulation to step into the picture. From a practical perspective, why cause all that trouble when simply understanding the issues and making appropriate use of the systems would prevent it?
Understanding Privacy Rights
To properly address privacy rights we must first have a good general understanding of what they are. What is happening now has happened before: over the course of time the primary focus of privacy shifts according to technological developments [2]. Thus, for example, the State of California's Constitution includes privacy as one of the "inalienable rights" of "all people." [3]
Privacy issues can be traced as far back as 1361, when the Justices of the Peace Act in England provided for the arrest of peeping toms and eavesdroppers, establishing the first notion of behavioral or media privacy [4]. In the 18th century, English parliamentarian William Pitt wrote, "The poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storms may enter; the rain may enter - but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement". This form of privacy is often referred to as territorial privacy [5]. With the increased use of the telephone system in the 1930s, communication privacy received much attention with the case of Olmstead vs. United States in 1928, which questioned the legality of wiretapping by the United States government. The privacy of the person, often called bodily privacy, was seriously violated only a few years later, when Nazi leadership decided to conduct compulsory sterilization, as well as gruesome medical experiments, on parts of the non-Aryan population. The increased use of governmental electronic data processing in the 1960s and 1970s finally created the issue of information privacy.
While the first four aspects of privacy have by now been very well established in most legal frameworks around the world, often directly defined as constitutional rights, it is information privacy that creates most of the troubles today, and is the reason for this article.
Even though laws covering information privacy have been around for more than 30 years, the rapid progress in technology, most recently the commercial success of the World Wide Web, continuously challenges legislation that was initially devised in a time of room-sized mainframes and punch cards.
One of the most influential pieces of early privacy legislation was the US Privacy Act of 1974, which created the notion of fair information practices, a significant policy development that influenced privacy policies worldwide.
Fair Information Practices [6]
- Openness and transparency: There should be no secret record keeping. This includes both the publication of the existence of such collections, as well as their contents.
- Individual participation: The subject of a record should be able to see and correct the record.
- Collection limitation: Data collection should be proportional and not excessive compared to the purpose of the collection.
- Data quality: Data should be relevant to the purposes for which they are collected and should be kept up to date.
- Use limitation: Data should only be used for their specific purpose by authorized personnel.
- Reasonable security: Adequate security safeguards should be put in place, according to the sensitivity of the data collected.
- Accountability: Record keepers must be accountable for compliance with the other principles.
The Department of Justice has posted on its website a detailed overview of the Privacy Act, prepared by the Office of Information and Privacy [7]. In its Policy Objectives page, the overview states: "the purpose of the Privacy Act is to balance the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies' collection, maintenance, use, and disclosure of personal information about them. The historical context of the Act is important to an understanding of its remedial purposes: In 1974, Congress was concerned with curbing the illegal surveillance and investigation of individuals by federal agencies that had been exposed during the Watergate scandal; it was also concerned with potential abuses presented by the government's increasing use of computers to store and retrieve personal data by means of a universal identifier, such as an individual's social security number." Now, more than twenty-five years later, the capabilities of security and information technologies have grown far beyond the factors that led to the Privacy Act. At the same time, current national security issues have begun to soften the general public's resistance to biometric technologies, CCTV surveillance, and to inter-agency security information sharing.
History Favors Privacy Rights
There are many appealing arguments both for and against privacy. However, history shows that in general people favor privacy protection and want to control what personal data is collected and released, and to whom it is released. Legislation continues to be enacted to support such control and restriction. Thus security system users can anticipate the need for documenting and auditing privacy policies and procedures, and manufacturers can anticipate the need for the development of privacy-aware product features.
This means there are two paths that lie ahead of us. One is the broad deployment of advanced security technologies and widespread information recording and sharing without any regard for privacy. History tells us that this would sooner or later be met with public outcry, to be followed by a further expansion of the Privacy Act, with new regulations that would have to be retrofitted onto products and systems that were not designed for them. The other path is to incorporate support for fair information practices into our systems, and to develop and adopt security industry standards for their use. This is the more prudent path, and the one most in accordance with the general goal of security, which is the protection of those in our charge.
Considering security systems in light of these principles makes it clear that it is not the technology itself that is the problem; it is how we use the technology. Security technology is applied within the context of security objectives, plans and procedures, including training. Thus we have the means of resolving privacy issues and implementing privacy practices through those very same objectives, plans, procedures and training.
Manufacturers can make things easier for their customers by learning more about the privacy-compliant use of security systems and designing privacy support features into their systems.
Ignorance Will Be No Excuse
Many engineers involved in security systems and product development have never given thought to privacy issues. Others hold the idea that privacy issues can be addressed solely by end-user measures, which lie outside the scope of product development. This idea places an unfair burden upon the end-users, who are on their own to determine how best to apply information privacy to a system that they did not design and of which they have limited understanding.
The seven principles of fair information practices listed above must become integrated into the "thinking caps" of product developers. This is a new step for many in the security industry. However, ignorance does not convey the right to compromise the privacy of the personal information in system design or system deployment. Thus an educational step concerning privacy issues is essential.
In 1996 Brian Foran, Special Advisor to the Privacy Commissioner of Canada, spoke about government systems development and the privacy issue. "Privacy should not be seen as restricting good systems development, it should be considered as an essential systems component which helps ensure public confidence in the government's computer based systems. It should be recognized that the principles of data protection are actually principles of good information management, and when they're integrated, they are understood and adhered to rather than perceived as interference or human rights 'babble' impediments. So, privacy should not be seen as a competing interest to technological progress and efficiency. Privacy should be an integral and positive part of any systems development plan. It must be designed into the system from the outset, not left to become an awkward afterthought. Building in privacy principles at the outset is just good, common-sense business practice."
Given the power and scope of today's information and security technologies, taking into account privacy issues will be essential to benefiting from the power of those technologies while still maintaining the public's trust in both private and government use of security technologies.
Securing Privacy Rights Through Our Systems
Here are some of the ways that we can ensure privacy-compliance in our security systems, in accordance with the practices listed above. Facilities open to the general public will require different types of compliance notice than corporate facilities.
Openness and Transparency
Many retail establishments already have a head start on this by posting signs that announce the use of video surveillance cameras. What should also be disclosed is whether or not the video camera signals are recorded, and how long the recordings are kept. For access control systems that record the movements of persons entering, leaving, and moving about the facility, the time period for which this information is kept should be disclosed. Remember to take into account any centralized or off-site backup data locations, where information may be retained even after it is deleted from the primary system or primary storage location.
If cameras that are used for crime prevention and detection are also used for employee surveillance, the full nature of the surveillance should be disclosed. For example, if there are periodic reviews of video recordings to rate employees on training or quality of service issues, employees should be so informed, especially where promotions or pay advances are affected by the outcome of such reviews.
Individual Participation
Personal identification information in access control systems is usually provided directly by the subject being given access privileges, who thus does have full participation. Sometimes the information comes from Human Resources personnel system records, again usually provided directly by the subject. Dual monitor systems at ID badge stations can provide a convenient means to allow people to review and approve the personal information that is being typed in. This convenience can be supported by an "approval window" feature in the software, designed for dual monitor systems, to help ensure that other system data is not available for viewing by non-operators.
Collection Limitation
Data collection in electronic security systems is fixed; it is limited to what the systems themselves can record. For access control systems, it is the successful or unsuccessful access attempt that is recorded. This of course does strictly fit the purpose of the system. Video images (and sometimes audio tracks) are recorded for CCTV systems. Where security personnel have the ability to adjust audio recording levels, or to control pan-tilt-zoom cameras, clearly written policies should exist and be enforced to prevent the misuse of the operator's control capabilities. Periodically the camera field of view settings and audio recording settings should be verified and be corrected if they have changed.
It would be helpful for video system software to facilitate such verification by providing a setup "snapshot" feature that records a still picture of the camera video image, default pan-tilt-zoom settings, and initial audio recording levels. A means of comparing the current camera image and settings with the original settings, along with a "restore original settings" button, would help support review and correction of the system setup.
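The setup "snapshot" feature described above, as an added example that is not code from the article or from any product it discusses. The CameraSetup and Snapshot data model, the drift tolerances, and the 8x8 greyscale frames are constructed for illustration; a real product would read the settings and the reference still from the camera controller.

```python
# Added example, not code from the article: a camera "setup snapshot" with
# verify and restore. CameraSetup/Snapshot, the tolerances and the 8x8
# greyscale frames are constructed for illustration; a real product would
# read them from the camera controller.
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean

@dataclass(frozen=True)
class CameraSetup:
    camera_id: str
    pan: float            # degrees
    tilt: float           # degrees
    zoom: float           # 1.0 = widest field of view
    audio_gain_db: float  # audio recording level
    audio_enabled: bool

@dataclass(frozen=True)
class Snapshot:
    setup: CameraSetup
    scene: tuple          # quadrant brightness means of the reference still
    taken_at: str

WIDTH = HEIGHT = 8        # constructed frame size, one byte per greyscale pixel

def quadrant_means(frame, width=WIDTH, height=HEIGHT):
    """Coarse scene signature: mean brightness of each quadrant (top-left,
    top-right, bottom-left, bottom-right). Enough to notice that a camera
    now looks somewhere else without demanding bit-identical frames."""
    if len(frame) != width * height:
        raise ValueError("frame size does not match configured dimensions")
    half_w, half_h = width // 2, height // 2
    signature = []
    for top in (0, half_h):
        for left in (0, half_w):
            pixels = [frame[y * width + x]
                      for y in range(top, top + half_h)
                      for x in range(left, left + half_w)]
            signature.append(mean(pixels))
    return tuple(signature)

def take_snapshot(setup, frame, taken_at=None):
    """Record the approved setup together with a scene signature of the
    reference still image."""
    when = (taken_at or datetime.now(timezone.utc)).isoformat()
    return Snapshot(setup=setup, scene=quadrant_means(frame), taken_at=when)

def verify(snapshot, current, frame, angle_tol=1.0, zoom_tol=0.05,
           gain_tol=1.0, scene_tol=20.0):
    """Compare the live setup and image against the snapshot. Returns a list
    of human-readable findings; an empty list means nothing drifted."""
    base = snapshot.setup
    findings = []
    if abs(base.pan - current.pan) > angle_tol or abs(base.tilt - current.tilt) > angle_tol:
        findings.append(f"{base.camera_id}: pan/tilt moved from ({base.pan}, {base.tilt}) "
                        f"to ({current.pan}, {current.tilt})")
    if abs(base.zoom - current.zoom) > zoom_tol:
        findings.append(f"{base.camera_id}: zoom changed from {base.zoom} to {current.zoom}")
    if base.audio_enabled != current.audio_enabled:
        state = "on" if current.audio_enabled else "off"
        findings.append(f"{base.camera_id}: audio recording switched {state}")
    elif abs(base.audio_gain_db - current.audio_gain_db) > gain_tol:
        findings.append(f"{base.camera_id}: audio gain changed from {base.audio_gain_db} dB "
                        f"to {current.audio_gain_db} dB")
    for i, (ref, live) in enumerate(zip(snapshot.scene, quadrant_means(frame))):
        if abs(ref - live) > scene_tol:
            findings.append(f"{base.camera_id}: quadrant {i} brightness {ref:.0f} -> {live:.0f}")
    return findings

def restore(snapshot):
    """The "restore original settings" button: hand the approved setup back
    to the controller. Pushing it to the hardware is outside this example."""
    return snapshot.setup

if __name__ == "__main__":
    approved = CameraSetup("cam-07", pan=10.0, tilt=-5.0, zoom=1.0,
                           audio_gain_db=-20.0, audio_enabled=True)
    reference = bytes([200] * 32 + [50] * 32)      # bright top half, dark bottom
    snap = take_snapshot(approved, reference)
    zoomed_in = CameraSetup("cam-07", 10.0, -5.0, 3.0, -20.0, True)
    for line in verify(snap, zoomed_in, bytes([50] * 32 + [200] * 32)):
        print(line)
    print("restored:", restore(snap) == approved)
```

The scene check deliberately compares a coarse signature rather than the raw image, so that ordinary changes in lighting or passing people do not trigger findings while a re-aimed camera does; the tolerances are the knobs a site would tune during the periodic verification the text calls for.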
Data Quality
Where emergency contact and medical information is maintained, it is in the interests of all parties to keep the contact information up to date. It is a good practice to re-verify emergency information on a periodic basis. Where the extent of access privileges granted is based upon information obtained outside the security system such as personnel warnings, corporate parking violations, or breach of rules citations, it is important that system procedures include verification that such information is correct. Where system information requires verification, a verification log feature could record the date and time of verification, along with the name and ID of the operator performing the verification.
Use Limitation
Security policies should ensure that security system data and surveillance recordings are only used for their specific purpose and only by specifically authorized personnel. Policies should also be developed to establish to whom and under what conditions system data will be released. Who will approve or disapprove the release of data for any purpose other than its primary security use? How will compliance with court orders be handled? For example, marked copies of sensitive data could be released to a court under a protective order requiring that the material not be duplicated, and that it be returned at the end of the court proceedings. The facility should retain its own copy of such material to verify the accurate and complete return of information. The higher the degree of security involved, the more important it is to establish secure data handling procedures. It is not out of order to require that police or government investigative agencies obtain a subpoena or make a written request to obtain copies of recorded information. Such a request for information should state what restrictions will be applied to the handling and distribution of the data, what purpose it will be used for, and how the return or destruction of the information will be accomplished.
Most video system software includes the ability to restrict the viewing or copying of recorded video. It would also be helpful to keep an audit trail of who viewed what portions of the recorded video. For extremely high security of video review, video systems could include automatic activation of cameras that would record the view of persons sitting or standing in front of the review monitor, and those recordings should be easily accessible from the audit trail records. When recorded video is exported to tape or CD ROM disc, the export process could include marking the video stream or the tape or disk with the date and time of export, and information identifying the operator performing the export.
How long video recordings should be maintained depends upon the nature of the surveillance and the area being surveilled. A theft at an airport checkpoint may not be discovered and reported until after the traveler returns home. That could be as long as 10 or 15 days from the time the theft took place. So it's not unreasonable to keep checkpoint video recordings for 30 days, or much longer for the portion of a video recording that captured a crime or offense. A time-based limitation is easy to implement with VHS tape recordings by limiting the number of tapes in the system, thereby automatically forcing the recycling of tapes.
Digital video recording systems should support automatic time-based deletion of video, and should record the deletions in a system audit trail log. For systems that provide backup to external media or remote locations, it would be convenient to provide an email or other notification function, to remind the system administrator when specific backups must be deleted. High-security systems should require that the administrator make a log entry attesting that the deletion was performed.
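The retention behaviour described in the two paragraphs above (time-based deletion recorded in an audit trail, a longer hold for footage that captured an offense, reminders about backup copies, and an administrator's attestation that a backup was destroyed), as an added example that is not code from the article or from any recorder it discusses. The Recording, BackupCopy and AuditEntry model, the "retention-service" actor name, and the sample recordings and dates are constructed for illustration; the 30-day period is the checkpoint example from the text.

```python
# Added example, not code from the article: time-based deletion of recordings
# with an audit trail. The Recording/BackupCopy/AuditEntry model, the
# "retention-service" actor name and the sample data are all constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Recording:
    recording_id: str
    camera_id: str
    recorded_at: datetime
    on_hold: bool = False               # operator flagged it as capturing an offense
    deleted_at: Optional[datetime] = None

@dataclass
class BackupCopy:
    recording_id: str
    location: str                       # constructed label for an off-site store
    serial: str                         # media serial number, as recommended in the text
    purged: bool = False

@dataclass
class AuditEntry:
    at: datetime
    actor: str                          # service name or operator id
    action: str
    target: str
    detail: str = ""

class RetentionEnforcer:
    def __init__(self, retention_days: int, audit_log: list):
        self.retention = timedelta(days=retention_days)
        self.audit = audit_log

    def _log(self, at, actor, action, target, detail=""):
        self.audit.append(AuditEntry(at, actor, action, target, detail))

    def sweep(self, recordings, now):
        """Delete recordings older than the retention period, log every
        deletion, and leave held recordings alone (logging that too).
        Returns the ids deleted in this pass."""
        deleted = []
        for rec in recordings:
            if rec.deleted_at is not None or now - rec.recorded_at <= self.retention:
                continue
            if rec.on_hold:
                self._log(now, "retention-service", "deletion-skipped-hold", rec.recording_id)
                continue
            rec.deleted_at = now
            deleted.append(rec.recording_id)
            self._log(now, "retention-service", "auto-deleted", rec.recording_id,
                      f"camera={rec.camera_id} age_days={(now - rec.recorded_at).days}")
        return deleted

    def backups_due(self, recordings, backups):
        """Off-site copies whose primary recording is gone: the reminder list
        for the administrator."""
        gone = {r.recording_id for r in recordings if r.deleted_at is not None}
        return [b for b in backups if b.recording_id in gone and not b.purged]

    def attest_backup_purged(self, backup, admin_id, now):
        """High-security variant: the administrator attests in the audit
        trail that the off-site copy was destroyed."""
        backup.purged = True
        self._log(now, admin_id, "backup-purged-attested", backup.recording_id,
                  f"location={backup.location} serial={backup.serial}")

def run_demo():
    """Constructed scenario: 30-day retention, three recordings, two backups."""
    now = datetime(2007, 7, 14, tzinfo=timezone.utc)
    recs = [
        Recording("rec-1", "cam-07", now - timedelta(days=45)),
        Recording("rec-2", "cam-07", now - timedelta(days=45), on_hold=True),
        Recording("rec-3", "cam-07", now - timedelta(days=5)),
    ]
    backups = [BackupCopy("rec-1", "offsite-vault", "T-0001"),
               BackupCopy("rec-3", "offsite-vault", "T-0002")]
    log = []
    enforcer = RetentionEnforcer(30, log)
    deleted = enforcer.sweep(recs, now)
    due = enforcer.backups_due(recs, backups)
    enforcer.attest_backup_purged(due[0], "admin-jane", now)
    return {
        "deleted": deleted,
        "actions": [e.action for e in log],
        "due_serials": [b.serial for b in due],
        "still_due": [b.serial for b in enforcer.backups_due(recs, backups)],
        "second_sweep": enforcer.sweep(recs, now),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points the text makes are visible in the behaviour: the held recording is never deleted automatically but the skip is still logged, so an auditor can see that the exception was deliberate, and the backup copy outlives the primary until a named administrator attests to its destruction.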
Reasonable security
Considerable thought should be given to establishing adequate data security safeguards, according to the sensitivity of the data being recorded. If cleaning personnel are able to enter storage areas unsupervised, all sensitive material should be secured in locked cabinets. High security facilities can employ tamper-style switches on cabinets that require the cabinets to be closed and locked before the access control system will grant access to cleaning personnel. Backup tapes and discs should be given serial numbers, which are recorded on release and transportation logs when the materials are taken to secure offsite storage locations. Receipts should be used to verify data transfer. Those responsible for data security should always be able to know where copies of the data exist and who has charge of them.
Accountability
Keepers of physical and electronic records must be accountable for compliance with established data security policies and procedures.
Product Development
Developers of security system products should include support for secure data handling by appropriate use of audit trail logs and other data privacy protection features, and should include documentation and tutorials for low, medium and high security applications. These features should be extremely easy to use to avoid being burdensome on system administrators.
The Future
In the future electronic data exchange will be established among security systems, and between security and non-security systems, for security purposes and also to afford conveniences to the system users. Thus system owners and managers, and manufacturers of security systems, should support the development of secure and accountable data exchange protocols, including data traceability.
When enrolling in a security system that participates in data exchange, an individual should be able to specify that the data be confined to the immediate system, or shared, however the individual sees fit.
The right for an individual to determine what personal information is released may in the future include the right to electronically query systems that contain personal information. The response to this query should detail the entire chain of information distribution and use, including who the responsible data keepers are and what each system's data security policies are. The development of data security standards will simplify the disclosure of this information.
If trade and industry associations step forward to develop such protocols, and system manufacturers enable their use in security products, we may be spared excessive government regulation and legislation.