Security must be front of mind when modernising video surveillance technology
Local governments have long played a key role in the operation of physical security for community safety.
Public and community safety camera implementations differ by geography. In states such as NSW, Victoria and Western Australia, local councils tend to deploy cameras in collaboration with local police agencies, and other private camera operators can register their existence on a police-coordinated list. Police agencies do not get involved in operation or monitoring but — with agreement — may seek access to video footage as part of an investigation.
A number of studies over the years have examined the impact of camera technology on community safety and crime deterrence. The findings overall are that video surveillance has a role to play, and that access to footage helps police conclude more investigations (such as by making an arrest or laying charges) in a timely manner — all while ensuring the community returns to normal as quickly as is possible.
This has led to broader uses for camera technology in government, upgrading the technology to enable real-time, central oversight of public interactions in government service delivery centres.
The drive to modernise video surveillance deployments is a recognition of the improved efficacy of camera networks, as well as of advances in the capability of the technology. Such advances are delivering cameras with ultrahigh resolution and analytics, and increasingly connected systems that can share video and data across consenting parties. But while these new and emerging capabilities are incredibly effective in helping prepare for, respond to and investigate incidents, they bring with them growing concerns about privacy and cybersecurity.
Clarity, transparency and reassurance will be required to bring to bear some of these technological advances on current and future camera deployments.
Approaching upgraded system design
According to the United Nations, nearly 80% of the world’s 194 countries have put in place or drafted legislation to secure the protection of data and privacy. These regulations are aimed at restricting the collection of, processing of and access to personally identifiable information (PII), including both data and video, to help maintain privacy and mitigate the risks of criminal cyber activities. Regulations establish a minimum standard for how PII should be stored and managed, but police departments can do more than the minimum to protect privacy.
In Australia, it’s important for an organisation to realise that it should be closely aligned with the Essential Eight security guidelines created and promoted by the Australian Cyber Security Centre. The Essential Eight provides organisations with a clear framework that can improve their levels of IT security and better position them to withstand attacks.
The Essential Eight framework covers a variety of items that security teams need to consider. These include application control (or who can run what and where), regular data backups, software patching, the deployment of multifactor authentication capabilities and the restriction of admin privileges.
In addition, IRAP assessments involve a process documented in the Australian Government Information Security Manual (ISM). This is required before government agencies can adopt any security platforms and tools that external vendors provide.
An important point to make is that privacy and public safety are not mutually exclusive. Modern video management systems (VMS) contain, for example, privacy protection capabilities that pixelate images of people in videos to blur identity, and provide audit trails to ensure there is a record of who accessed data and when. Likewise, they offer multilayer cybersecurity features and advanced capabilities to track accountability.
It is worth examining how a modern VMS can support both privacy and cybersecurity enhancements in this space, starting with privacy.
There are several ways agencies can develop robust privacy standards while taking advantage of emerging technologies to improve public safety.
One is to be more selective about the data collected, minimising the amount of data that is stored. For example, modern automatic registration plate recognition systems typically store only the ‘read value’ of a licence plate — not the image of the plate itself — and may offer the option to store other information only if a plate matches with a hotlist.
Some agencies also limit access to PII using the ‘four eyes’ principle, which requires two people to provide credentials to access certain kinds of data. For example, faces on video recordings can be pixelated by default. If an operator sees an event happening, they can ask a supervisor to unlock the video. For very sensitive data, some agencies require two supervisors to agree to authorise a request to access data.
Protecting privacy also means hardening the devices and networks on which PII resides. Some of the most common attack strategies employed against agencies with video surveillance data holdings can be used to access data at rest or in transit.
Likewise, there are many things that can be done to build resilience in security technology infrastructure. The more layers that are implemented, the better protected the data will be.
The first layer is encryption: encoding information or scrambling readable text to hide and protect it from unauthorised users helps protect all the data sent between cameras, servers and workstations.
The next layer of protection is authentication: validating the identity of a user, server or client application before granting access to the data. Then there’s authorisation: defining specific user privileges to restrict when and what types of information can be shared internally or externally, and how long data is kept.
Finally, a single, global data protection and privacy strategy can be helpful in ensuring cybersecurity while protecting PII. Support by a technology platform from a trusted vendor can also help to lower cybersecurity risk and ensure privacy stays protected.
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...
State government agencies still struggling with securing user access
Audit reports have shown that Australian government agencies in four states experience challenges...