The Video Surveillance Privacy Dilemma
Any modern method of monitoring safety & security compliance relies heavily on video surveillance. There is simply no other way organizations can ensure compliance across thousands of workers and hundreds of activities and generate data to analyze and improve current practices.
A standard and basic form of video surveillance would be security cameras generating a live feed to be supervised via a central control room. But this is getting increasingly replaced by a “smarter” form of surveillance. Computer/Machine Vision is an AI technology capable of deriving higher levels of insights from videos and images in near real-time.
However, to do that, a Computer Vision algorithm must process, analyze, store, and distribute the information recorded by the camera, shaping the two major dilemmas of privacy and security.
The first is valid for any form of video surveillance. Recorded footage contains images of people that can be used to identify them directly or indirectly. This qualifies the recorded information as “personal data”.
The second is more specific to Computer Vision AI. Here, the recorded information is passing through comparatively more nodes (for analysis, storage, processing, distribution, etc.), raising additional concerns about personal information getting intercepted across the points.
This dilemma forms the groundwork for our discussion today. But before we look at the solution, let’s take a quick peek at how the law interprets these apprehensions.
What does the law say?
The GDPR (General Data Protection Regulation) of the European Union, the PIPEDA (Personal Information Protection and Electronic Documents Act) of Canada, and the CCPA (California Consumer Privacy Act) of the United States are some generally recommended prominent laws in this field. The purpose of these acts is to protect individuals and the “data that describes them” and to ensure the responsibility of its usage.
The GDPR mandates that organizations indulging in the collection of descriptive data (such as surveillance footage) must protect it against “unauthorized or unlawful processing, accidental loss, destruction or damage.”
The first is valid for any form of video surveillance. Recorded footage contains images of people that can be used to identify them directly or indirectly. This qualifies the recorded information as “personal data”.
The second is more specific to Computer Vision AI. Here, the recorded information is passing through comparatively more nodes (for analysis, storage, processing, distribution, etc.), raising additional concerns about personal information getting intercepted across the points.
This dilemma forms the groundwork for our discussion today. But before we look at the solution, let’s take a quick peek at how the law interprets these apprehensions.
Similarly, the CCPA aims to regulate the collection, consumption, and dissemination of personal information by providing citizens with the rights to knowledge, deletion, and withdrawal. The PIPEDA, although constituting more guiding principles than actual regulations, directs organizations to obtain consent for collecting, using, or disclosing personal information.
In simpler words …
Private companies do have the right to monitor their employees with the camera, especially when employee safety is at stake. However, employers are required to notify employees in the range of the cameras of the property being under video surveillance. However, such surveillance must not include audio and may not be used in locations where it is reasonable to expect privacy.
Since many of these laws come with big punitive consequences, ensuring privacy is no longer an add-on feature. To be able to properly leverage video surveillance for HSE compliance management, it becomes imperative to balance it with individual privacy.
Security vs Privacy
Data security and privacy are interconnected, but they are not the same.
“Security has more to do with the safeguarding of data, whereas privacy is about safeguarding the identity of workers”
Privacy in our case means a worker’s immunity from footage-based identification, and security refers to protection from the footage getting into the wrong hands, through a breach, leak, or cyber-attack.
Even the safest systems around are at perpetual risk of data breaches. Since notifications and acknowledgments do not cover data breaches, any compromise on data security is an inevitable compromise on user privacy as well.
It is therefore important to ensure that in case data does get leaked, it is encrypted, encoded, or structured to preserve the privacy of stakeholders. This concept is known as “privacy by design”. We at Detect have endorsed it at the very core of our design, ensuring our systems are built around privacy rather than as an extension.
The Concept of privacy by Design
Privacy must be approached from a “design-thinking” perspective. It must be incorporated into systems and technologies, by default, making it integral to organizational priorities, project objectives, design processes, and planning operations.
Choosing a solution that is built around the “Privacy by Design” concept is a step toward stronger legislative compliance without a backstep from ensuring safety compliance. A purpose-built, privacy-centric solution allows industries to evolve their safety operations to simultaneously add layers of privacy and data protection.
Ensuring Privacy
For video surveillance specifically, privacy redaction or blurring solutions solve a considerable proportion of the problem. The most important, efficient, and practical approach is that of privacy masking. A privacy mask either hides or anonymizes a part of the video (mostly identifiable information like region, face, or body), to help prevent unwarranted exposure.
Traditionally (and commonly) privacy masking has been static in nature, where the mask blocks defined areas in the live video feed. Since the mask is burned into all camera video streams, this type of masking is permanent.
However, the major limitation here is that it can only be used to anonymize known areas of sensitivity and hence won’t be of much help in a bustling industrial workplace where the information spread is highly dense and dynamic. The cameras need to gather as much information as possible to feed it to the processing algorithms.
Dynamic masking, on the other hand, blurs or anonymizes identifiable features of the workers. Everything else in the video frame or image can be seen and monitored as usual. It ensures identities are protected, while still allowing operators to see what’s happening in the video footage. Since it completely removes people’s identities from the masked video stream, the identity is secured not only during authorized processing but also in the event of a breach.
The unmasked video may be retrieved by authorized personnel by switching to a second, original video stream, for forensic investigation or root cause analysis. The second stream is only made available, over a secure network, for instances requiring detailed investigation.
Ensuring Security
Masking identifiable information from surveillance footage is just one part of the story, securing it is also equally important. More than 22 billion records were exposed because of data breaches in 2021, costing the industry more than 4.35 million dollars in direct costs. We at Detect Technologies endorse the importance of networks, tools, and software architected around privacy for information protection.
While designing the Detect Cloud, extensive attention was paid to ensuring the robustness of network security, access control, and encryption while a rigorous procedure was adopted to deal with data breaches.
The first characteristic of a secure system is a restriction of data subjects, something we achieve by processing only metadata. Simply put, only non-descriptive data subjects are collected and then processed to deliver the functional requirements. Secondly, the raw data, if stored, rests behind layers of firewalls, protected by powerful AES-256 encryptions from both client and server sides.
Regardless of whether the information is compromised at the user or server end, it can only be accessed following double decryption, from both client and server sides. In simple terms, your information is secured behind a lock that opens only after both keys (yours as well as ours) have been inserted and turned.
A strong internal control process, involving regular risk assessments and information security practices is equally important to maintain and upgrade policies as required. This framework of policies and procedures that includes all legal, physical, and technical controls is collectively known as the ISMS (information security management system).
Standard certifications like ISO 27001 are universally accepted assessments denoting the quality of an organization’s ISMS. In addition to being a hallmark of best information security practices adorning our closet, it is a guarantee that you can trust Detect Technologies with your data.
Before you leave
If you contribute in any manner to the heavy industry, we may have something worth checking out. Detect Technology offers a wide range of products that aim to revolutionize the industry by challenging the notion of progress at the cost of health, safety, and the environment.
We solve some of the most exasperating problems faced by people, assets, and processes with artificial intelligence, computer vision, and data analytics, to make sure your organization stays competitive and compliant in an evolving world with shifting priorities.
Better experienced than said? Sign up for a demo of the tool that serves your purpose best and watch it unleash futuristic levels of safety and productivity without compromising on privacy. Because with Detect, it is less about privacy and more about trust.