We're Watching

Why we must design privacy protections into our systems

Designing for Privacy
With regard to security monitoring systems, privacy designs need to be incorporated at several levels:

  • Design of technology and systems (manufacturers)
  • Strategy and design for technology and systems deployment (designers and integrators)
  • Administration and system operations (system owners and operators)

Jerry Cordasco is the Vice President and General Manager of Compass Technologies, Inc., a Wheelock Company that designs, manufactures and supports forward-thinking Access Control and Security Management systems. "Privacy is important at many levels. For example, our access control systems (and those from several other companies) contain a feature whereby the location of a person inside a facility can be tracked. Our customers have told us that their executives and senior management do not want to have their locations tracked and viewed by security monitoring personnel, so our software provides the capability to exclude specific individuals from tracking."

Cordasco is active in the National Fire Protection Association (NFPA), has an extensive background in fire and life safety systems, and has a strong interest in integrating access control information with fire systems for life safety purposes. "There is tremendous potential in the utilization of access control system information for use by emergency first responders, especially with regard to building evacuation," explains Cordasco. "What if the occupants of a particular floor are congregated in a large conference room? The typical fire evacuation instructions to 'proceed to the nearest exit' may not be appropriate if the single nearest exit cannot accommodate the entire crowd. Several exits may be needed for safe and timely evacuation. However, tracking the whereabouts of every individual has privacy implications. Among other things, it means that you must restrict who can access the information and under what circumstances. These are the kinds of issues that all security system manufacturers should be considering."

Information system audit trails are commonplace in the IT world, but access control manufacturers typically include minimal or no audit trail capabilities in their products, despite the fact that doing so is technically simple. A security system without an advanced audit trail capability is not fully secure. If one of the security personnel temporarily changed the access privilege for a friend to allow prohibited access, and then changed it back again, how would you know what happened? You would if the audit trail included what data values were changed (i.e. the "before" and "after" values). This would also provide support for the data quality, security and accountability principles of fair information practices.
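The paragraph above makes a concrete design point: an audit trail is only useful for catching a grant-and-revert if it stores the "before" and "after" values of every privilege change. The following is an added example (not code from the article, from Compass Technologies or from any other vendor) showing a privilege store that writes such records and a review routine that flags a change the same operator reverses within a time window. All operator names, card numbers, access levels and timestamps are constructed sample data.

```python
"""Access-control audit trail with before/after values, plus a review check.

Added example, not from the article or any vendor product. Operators, cardholders,
access levels and timestamps below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    operator: str      # security staff member who made the change
    cardholder: str    # whose privilege was modified
    field: str         # which attribute changed, e.g. "access_level"
    before: str        # value prior to the change
    after: str         # value after the change


class AccessPrivilegeStore:
    """Holds cardholder privileges; every mutation appends a full before/after record."""

    def __init__(self) -> None:
        self._privileges: Dict[str, Dict[str, str]] = {}
        self.audit_log: List[AuditRecord] = []

    def set_privilege(self, operator: str, cardholder: str, field: str,
                      new_value: str, when: datetime) -> None:
        current = self._privileges.setdefault(cardholder, {})
        before = current.get(field, "<unset>")
        current[field] = new_value
        # The record keeps both values, so a later review can see exactly what changed.
        self.audit_log.append(AuditRecord(when, operator, cardholder, field, before, new_value))

    def get_privilege(self, cardholder: str, field: str) -> Optional[str]:
        return self._privileges.get(cardholder, {}).get(field)


def find_reverted_changes(log: List[AuditRecord],
                          window: timedelta = timedelta(hours=4)
                          ) -> List[Tuple[AuditRecord, AuditRecord]]:
    """Return (change, revert) pairs where one operator altered a field and then
    restored its previous value within `window`. A log that only said "record
    modified" could not support this check; the stored before/after values can."""
    findings: List[Tuple[AuditRecord, AuditRecord]] = []
    pending: Dict[Tuple[str, str, str], AuditRecord] = {}
    for rec in sorted(log, key=lambda r: r.timestamp):
        key = (rec.operator, rec.cardholder, rec.field)
        earlier = pending.get(key)
        if (earlier is not None and rec.after == earlier.before
                and rec.timestamp - earlier.timestamp <= window):
            findings.append((earlier, rec))
            pending.pop(key)
            continue
        pending[key] = rec   # most recent change by this operator on this field
    return findings


def demo() -> List[Tuple[AuditRecord, AuditRecord]]:
    """Constructed scenario: one legitimate change and one grant that is quietly undone."""
    store = AccessPrivilegeStore()
    t0 = datetime(2024, 1, 15, 22, 0)   # constructed timestamp
    # Legitimate: a level change that is never reverted.
    store.set_privilege("op_alice", "card_1001", "access_level", "staff", t0)
    # Suspicious: server-room access granted to card_2002 and removed 40 minutes later.
    store.set_privilege("op_bob", "card_2002", "access_level", "staff",
                        t0 + timedelta(minutes=5))
    store.set_privilege("op_bob", "card_2002", "access_level", "staff+server_room",
                        t0 + timedelta(minutes=10))
    store.set_privilege("op_bob", "card_2002", "access_level", "staff",
                        t0 + timedelta(minutes=50))
    return find_reverted_changes(store.audit_log)


if __name__ == "__main__":
    for change, revert in demo():
        print(f"{change.operator} set {change.cardholder}.{change.field} "
              f"{change.before!r} -> {change.after!r} at {change.timestamp}, "
              f"reverted at {revert.timestamp}")
```

The review routine keys on operator, cardholder and field, so an HR-driven change that a different operator later adjusts is not flagged; the window keeps routine corrections from drowning the report. In a real deployment the audit log itself would be append-only and written to storage the operators cannot modify, which is the accountability principle the paragraph refers to.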

Encryption of system information is important, especially for data that is transmitted over an Ethernet local or wide area network. There are still some access control manufacturers with systems whose IP-based access commands and transaction records, as well as report data, are not encrypted when sent over an Ethernet network. Not only can the transmission of human-readable data violate privacy considerations, the lack of encryption is also a security vulnerability. Thus, end users would be wise to verify the use of encryption on any systems deployed over an Ethernet network.
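The verification the paragraph recommends can be done on a capture of the system's own traffic between panel and server. Below is an added example (not from the article or any manufacturer) of a simple heuristic for that check: readable transaction data has a high proportion of printable bytes and low byte entropy, whereas properly encrypted payloads look uniformly random. The plaintext sample is a constructed transaction record in an invented format, and the "ciphertext" is SHA-256 output standing in for encrypted bytes; neither imitates any real vendor protocol.

```python
"""Heuristic check for cleartext access-control traffic in a packet capture.

Added example, not from the article or any vendor. Both sample payloads are
constructed: an invented readable transaction record, and SHA-256 output used
only as a stand-in for what an encrypted payload looks like on the wire."""
import hashlib
import math
from collections import Counter
from typing import List, Tuple

# Constructed sample of a human-readable transaction record (invented format).
PLAINTEXT_SAMPLE = (b"TXN|2024-01-15T22:10:05|CARD=2002|DOOR=SERVER-ROOM|"
                    b"RESULT=GRANTED|OPERATOR=op_bob\n")

# Stand-in for ciphertext: random-looking bytes derived from SHA-256 (not encryption).
CIPHERTEXT_STANDIN = (hashlib.sha256(b"constructed-sample-1").digest()
                      + hashlib.sha256(b"constructed-sample-2").digest())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, ASCII text is usually 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline/CR."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def looks_like_plaintext(data: bytes, max_entropy: float = 6.0,
                         min_printable: float = 0.9) -> bool:
    """True when a payload is mostly printable and low-entropy, i.e. likely unencrypted.
    Thresholds are assumptions chosen for this example, not measured constants."""
    return printable_ratio(data) >= min_printable and shannon_entropy(data) < max_entropy


def review_capture(payloads: List[Tuple[str, bytes]]) -> List[str]:
    """Given (label, payload) pairs from a capture, return labels that appear to be cleartext."""
    return [label for label, payload in payloads if looks_like_plaintext(payload)]


if __name__ == "__main__":
    capture = [("panel->server #1", PLAINTEXT_SAMPLE),
               ("panel->server #2", CIPHERTEXT_STANDIN)]
    for label in review_capture(capture):
        print(f"{label}: payload appears to be sent in the clear")
```

A heuristic like this is a first pass only: compressed data can also score as high entropy, so a payload that passes the check is not proof that encryption is in use. Confirming that the system actually negotiates TLS (or an equivalent authenticated cipher) with the vendor's documentation and a protocol decoder is the definitive check; flagging readable card numbers, door names and results is what this routine contributes.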

Designers and Integrators
There are four current trends that have privacy implications for security system designers and integrators:

  • use of biometrics in security systems
  • integration of physical access control systems with HR personnel systems and IT identity management systems
  • use of a common card for physical, IT and financial transactions
  • use of security technology for operations purposes (such as remote video monitoring of warehouse operations)