White Paper

Protecting Identity in the Age of Privacy

With great advances in video and access control technology – including mobile capabilities, cloud efficiencies, analytics and biometrics – security providers are aiming to create the most secure and seamless credentials, all during a time when privacy concerns seem to be dictating public opinion and impacting security. The increase in use of these technologies brings with it a growth in the volume of data.

This article looks at the following areas of focus in privacy considerations:

  1. Definitions of privacy.
  2. Legalities of privacy and compliance (in the U.S.).
  3. Education on privacy.
  4. Definitions and ethical use of facial recognition.
  5. The biometric debate.
  6. Can we have both security and convenience?

Definitions of privacy

The description for privacy in Merriam-Webster’s dictionary is – “freedom from unauthorized intrusion.”

From a legal point of view, privacy is defined as a person’s right to control access to his or her personal information.

In today’s data-driven world, privacy issues are raised in the context of government collection or distribution of personal information, as well as corporate use of personally identifiable information (PII).

PII is any data that could potentially be used to identify a particular person. Examples include a full name, social security number, driver’s license number, bank account number, passport number and email address. Photo or video data also comes into play, as well as biometric data.

Legalities of privacy

Milestone Systems is a global video management software company based out of Copenhagen, Denmark, that has had a focus since 2017 on the General Data Protection Regulations (GDPR) that went into force in Europe in May 2018. They define the individual’s critical privacy matters to be protected as ‘sensitive personal data’ such as your racial/ ethnic origin, genetic and biometric info, health and financial data, religious, political and sexual preferences.

GDPR has a focus on these key principles:

  1. Lawfulness.
  2. Fairness and transparency.
  3. Legitimate purpose’ limitations on the gathering, use, sharing and storage of sensitive personal data, and its minimization.

Milestone has investigated every facet of business from products to business practices, to ensure compliance and provide guidance to employees, partners and customers.

In the U.S., three states led the way in 2019 enacting biometric privacy laws – Illinois, Texas and Washington. The California Consumer Privacy Act (CCPA) took effect in January 2020. Then multiple states proposed similar legislation to protect consumers. Arizona, Florida, and Massachusetts introduced legislation addressing biometric privacy, on the heels of a decision for the Illinois Biometric Information Privacy Act.

The best way for security dealers, integrators and consultants to learn each state’s biometric laws and work within their parameters is to keep informed.

To stay abreast of the changing state-privacy landscape, the IAPP Westin Research Center compiled a list of proposed comprehensive privacy bills from across the country. The updated version of this tool, including a new state law tracker map, exists on the IAPP Resource Center, here.

It is advised to take a multi-path approach to stay informed from the many points of view:

  1. Join local chapters of SIA and ASIS to network with other professionals specific to your region.
  2. Partner with the manufacturers and developers of the technologies you are interested in; they will know how their solutions fit state and local legislation.
  3. Get involved with local law enforcement groups, attend relevant presentations on new local and state ordinances.
  4. Follow and support organizations like the IAPP which is the world’s largest and most comprehensive global information privacy community.

Be vigilant for compliance

Ensuring compliance with GDPR and similar data privacy laws requires high organizational maturity with careful planning and preparation of video surveillance and other security systems, including the policies and procedures regulating how the technology is used.

To help system integrators and end users design, implement and operate video surveillance systems that are compliant with such privacy regulations, Milestone provides a holistic set of tools, including privacy guides, best practices and training resources to build privacy awareness.

If you go to the Milestone website and search for GDPR, you’ll find 1,450 references. There’s a lot of useful information available.

Education on privacy and cybersecurity

The entire market needs to be educated on what’s being done with people’s sensitive information. Milestone carries out GDPR webinars that are mandatory for staff – as we have also done with cybersecurity training (both internally and externally for our partners) which is related when trying to preserve data privacy, access or sharing.

Regarding cybersecurity hackers and our partners’ work with IT systems, current knowledge and best practices help to keep people’s sensitive information safe.

  1. Double authentication is becoming standard for managing access to company systems and websites.
  2. Data encryption is also key to the lockdown of information and its history of creation, access, user logs etc.
  3. Regular software updates with the newest version releases are also best practice to ensure against cyber trouble.

At Milestone, we have a comprehensive system hardening guide online. It details the top five most effective cybersecurity strategies to focus on when combating cyberattacks:

  1. Isolate the device network from other networks.
  2. Educate employees about security threats.
  3. Use Active Directory for user and computer management.
  4. Enable encryption at every stage necessary.
  5. Separate the VMS server and client networks from the company’s business network.

Ethics of facial recognition

Advanced facial recognition technology has benefited Americans in countless under-publicized ways, helping to do many critical things, for example: find missing children, fight human trafficking, secure borders from drug trade, identify dangerous criminals, bring sexual predators to justice and thwart identity thieves.

There is a difference between facial detection vs. facial recognition. Facial detection is a broader term and means that a system is able to identify that there is a human face present in an image or video. Facial recognition can confirm identity and thereby be used to control access to sensitive areas.

Authentication/ verification helps verify a person is who they claim to be. The system checks a submitted photo against an existing template to verify that it is the same person – one-to-one (1:1) matching. This configuration is applicable to banking, electronic payment, personal electronic device unlocking, employee time and attendance, secure building or door access for employees and visitors, air traveler entry-exit and other border-crossing systems, passports, preventing identity theft and fraud, and more.

Identification/ discovery helps determine who a person is. In this case, the system compares a photo of an unknown person to a set of existing templates in a data set that can range from large databases to a small watchlist. This is called oneto-many (or 1:N) matching. Searches of the data set using an algorithm return a candidate photo or group of candidate photos based on the similarity score. The primary benefit of this is that it automates the initial step of sifting through large numbers of photos, where it is more efficient, objective and accurate than human analysts performing this same initial step manually prior to reviewing potential matches.

How facial recognition works

Facial recognition is a way of recognizing a human face through technology. A facial recognition system uses biometrics to map facial features from a photograph or video. It compares the information with a database of known faces to find a match.

Because facial recognition is not completely accurate, it creates a list of potential matches. A human operator must then look through these potential matches. Studies show that the operators pick the correct match out of the list only about half the time.

Best practices for responsible use of facial recognition data

At its crux, GDPR is all about increasing transparency and letting the person know how their data will be used. For instance, before a person completes a certain action when operating a system, a message could pop up telling users about the feature and asking if they would like to have it turned on. Consent as per GDPR is:

  1. A positive opt-in with no pre-ticked boxes. The user must freely agree or not agree to having their information collected.
  2. Information can be withdrawn by the user anytime.
  3. Name of all the third parties intended to share the information with.
  4. Specific information on what personal data will be collected and why.
  5. How long that data will be stored.
  6. A record of a person’s consent, which is updated as any changes are made to the relevant technologies or features.

A global role: Institute of Standards and Technology

Security manufacturers, dealers, integrators and consultants with privacy-related issues, questions and concerns should check out the National Institute of Standards and Technology which was founded in 1901 and is now part of the U.S. Dept. of Commerce. As one of the nation’s oldest physical science laboratories, NIST research and testing provide state-of-the-art technology benchmarks and guidance to industry and U.S. Government agencies.

NIST responds to requirements for biometric standards, including facial recognition technologies, working to improve the accuracy, quality, usability, interoperability, and consistency of identity management systems. For the past 20 years, NIST’s Face Recognition Vendor Test (FRVT) program has been a respected evaluator of facial recognition algorithms – examining technologies provided by developers for independent testing.

In December 2019, NIST published the most comprehensive report to date (1,500 pages) on the performance of facial recognition algorithms – across race, gender and other demographic groups. The most significant takeaway from the report – it confirms that facial recognition technology performs far more effectively across demographic groups than had been widely reported.

Overall, modern facial recognition technology is highly accurate today. NIST documented massive improvements in recent years, finding ‘close to perfect’ performance by high-performing algorithms, with miss rates averaging only 0.1 percent. On this measurement, the accuracy of facial recognition is reaching that of automated fingerprint comparison, which is generally viewed as the gold standard for identification.

Balancing security and convenience

Does technology win over public opinion? Does technology make it so easy that people won’t have a choice, or will they cling to privacy? Change is hard. Is it possible to have the best of both worlds – security and convenience?

There is a line to be straddled, for sure. People like to have their privacy but need safety and security. After 9/11, citizens were clamoring for more security technology to be put in place to safeguard their well-being. However, the privacy fears of security tools such as facial recognition stem from misconceptions due to lack of knowledge as to how the technology works, its regulations and policies.

In our personal lives we are getting to make decisions about whether we consent to our data being saved and shared, but in business use, tech companies have the responsibility to educate and to create guard rails to keep us on the right road.

As systems grow smarter, more ‘aware,’ machine learning and AI-type technologies can take over many of the mundane tasks that make our lives and work inconvenient, inefficient or even unsafe.

Incorporating security, convenience and privacy in security does not have to mean that these three points are mutually exclusive. You can certainly have a secure system that leverages the best practices of IT system design, and that system can be built and operated within regulation guidelines and local privacy ordinance.

With a video security system, there’s a huge range of possibilities – everything from simply configuring a camera so it cannot view sensitive areas or infringe upon the privacy of neighboring buildings, to setting PTZ motion limits or blanking zones within wide-view scenes, or setting up systems to ‘watch the watcher’ where managers have records of exactly what an operator viewed throughout the day, to assure privacy compliance for all involved.

Privacy safeguards

Regulations like GDPR as well as legislation actually help to advance our industry. These regulations help define expectations and set a framework for innovation to support. With clear regulations in place, the public feels better knowing that there are safeguards and expectations and real penalties for abuse and non-compliance – which can be identified and acted upon.

The Security Industry Association (SIA) has an Ethics Committee with representative members of the physical security industry, who are drafting guidelines and planning education efforts. SIA is also working with government committees, participating in hearings to present the facts that can help minimize public and media fears that are based on misinformation. These will help move the needle from some fearful knee-jerk reactions to deliberate considerations that hold the safety of people and assets as the priority.

Technology developers and manufacturers want the trust of public opinion. We aim to solve problems, not create more.


To top