Cameras in the new privacy era
By Will Mazgay
As the surveillance industry is increasingly powered by artificial intelligence, lightning-fast processing and ever more powerful cameras, concerns for personal privacy are sometimes overshadowed.
With that in mind, according to advocates, privacy should be top of mind for every business that collects or views surveillance data. Leaving personal information vulnerable to attack from malicious actors, as well as taking part in unnecessarily intrusive surveillance practices, can have reputational and financial consequences.
Transparency and consent
The Office of the Privacy Commissioner of Canada, Canada’s federal privacy regulator, says in its guidance — as it pertains to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law — that businesses “are required to inform individuals about what personal information they will collect, how they plan to use or disclose that information, and for what purposes, to enable individuals to decide whether or not to provide consent.” Consent can be express or implied.
David Fraser, privacy lawyer with the law firm McInnes Cooper, says for the purposes of surveillance operations, implied consent is acceptable, which can be achieved through signage that lets individuals know not only that they are being surveilled, but the purposes of the surveillance. “Just putting up a sign saying that video surveillance is taking place, which is the common practice, is not sufficient,” Fraser says. “If you enter premises where you understand that collection is taking place and you understand the purposes, by going into those premises you’re implicitly consenting to the collection, use and disclosure as described in the signage.”
Lack of transparency in surveillance is a major problem, according to David Shipley, CEO of Fredericton, N.B.-based cybersecurity firm Beauceron Security and a digital privacy advocate. He says, “There’s far too many systems deployed that are not properly documented, articulated or consented to.”
Caitlin Lemiski is the director of policy at the Office of the Information and Privacy Commissioner for B.C., which has a private sector privacy law that supersedes PIPEDA in many cases. She agrees with Shipley. “People often don’t understand that they’re being subject to audio or video surveillance, or the purposes for what that’s being used. You need to tell people that up front.”
Management and retention
Beyond maintaining transparency in surveillance operations, those collecting this kind of data need to be conscious of regularly deleting old footage.
PIPEDA and other privacy laws dictate that unused video footage should be deleted when it is no longer needed; this is up to the discretion of individual organizations.
Roger Miller, president of Northeastern Protection Service, a Halifax, N.S.-based integrator and security services firm, says, “Our advice is usually try to target 30 days. If there’s an incident that you need to go back and retrieve that video, for the most part, you’ll know within 30 days.”
David Weinkauf is the senior policy and technology advisor at the Office of the Information and Privacy Commissioner of Ontario (IPC), which is responsible for the province’s public sector. He says, “For us, the retention schedule is driven by the amount of time reasonably required to discover or report an incident that occurred in the space under surveillance.” He continues, “Look at past incidents — problem X occurred X number of times and each time it took however long before someone reported it or you discovered it; you would use that as probably your baseline.”
In most jurisdictions, individuals have a right to ask for access to personal information that is being held by an organization. Fraser says that often these requests will come if someone is looking for evidence for a lawsuit, for a slip and fall for example.
So how does one square up regularly erasing unused data with the potential for information requests? On that matter, Fraser says, “They only have to provide access to information they actually have. There is no obligation to retain information just because someone may ask for it in the future. But if someone does ask for it, it has to be preserved until it’s either provided to them or they have an opportunity to complain to the Privacy Commissioner if it is refused.” He continues, “The shorter you keep information, including recordings, the less information you have around and the less likely that you’ll have to go looking through it to respond to an individual’s request for their own personal information.”
Weinkauf also says firms shouldn’t hold on to data for very long. “There’s additional risks that arise, cyber attacks being one. Also, there could be some internal risks, risks of misuse, or snooping, on the part of employees or who knows.”
Another important consideration when trying to avoid privacy overreach is practicing data minimization — collecting only information that is necessary for what PIPEDA describes as a “legitimate identified purpose.”
Weinkauf says clear objectives are key to avoiding overreach. “If you’re setting up a video surveillance program, you should have a problem you’re trying to address, and you should have evidence of that problem; it should be continuous and a real problem. And there should be boundaries around that problem or space in which that problem is occurring.” He continues, “The idea is you should only be collecting personal information that is relevant and necessary to achieving that purpose.”
Fraser says collection should also be limited to a firm’s property, “If they have a store on a busy street and they have a camera that’s pointing out onto the sidewalk they’re not getting consent from anybody on the sidewalk.”
He also notes that audio surveillance that could intercept a private conversation should be avoided, as it is a crime in Canada to do so unless you are a party to the conversation.
As important as data minimization is to maintaining privacy, manufacturers are taking this concept a step further by baking it into the equipment they sell.
Montreal-based Genetec, through a partnership with KiwiSecurity, provides a technology called Privacy Protector that automatically pixelates people in live and recorded video.
Francis Lachance, director of video and appliances for Genetec, explains that the technology captures two streams of video, one where personal information is blurred, and a stream where footage is unobscured. He says, “It can be consumed by a curator who still has the ability to do their job… If there’s something happening, they can still monitor and do their work. But then a second stream will be non-blurred, so the clear video will be stored directly and encrypted on the server for potential use of that video.”
The clear footage is only required if there’s an incident that needs to be examined more carefully or shown to law enforcement.
Lachance says that this technology gives property owners the freedom to surveil their assets without fear of compromising privacy or getting into trouble with regulators. He says that right now Privacy Protector is an additional functionality available in its software packages, but Genetec’s goal is to make the technology a standard offer.
Deleting unused data and reducing the amount of data captured can reduce the risk of breaches, but other steps need to be taken to protect personal information — another responsibility under PIPEDA and most other privacy laws.
Northeastern Protection Service’s Miller says the consequences of leaving surveillance footage and cameras vulnerable to malicious actors are severe: “There was an incident in Nova Scotia about a year and a half ago, where a school video camera had been hacked by one of these video hacking websites and there was live video being streamed on a website of the school.”
Genetec’s Lachance says a robust video management system will have multiple layers of protection: strong authentication so only authorized people can access the system; controls to determine once users are in the system which cameras or video feeds they have access to; and lastly, strong encryption, both for data that is stored and in transit, which ensures that if data falls into the wrong hands, it is unreadable.
Miller says something as simple as setting difficult passwords can go a long way to preventing breaches. He adds, “And not giving people access to the surveillance system who don’t need it. We’ve seen a fair bit of that… We encourage our clients who have an IT department or an IT agency that they work with to let them manage the access to the surveillance system.”
B.C Privacy’s Lemiski says those purchasing surveillance equipment also need to be very careful who they buy from. “It would be in their best interest to ask a lot of questions from the vendor, not only about the hardware but about the backend.”
Beauceron’s Shipley expands on this, advising that firms opt for manufacturers that are clear about the expected lifespan of technology. He also says to pay careful attention to available software updates and be prepared to replace technology when updates or support are no longer available. Lastly, “Many of these devices don’t automatically update by default — prefer devices that do.”
Regulation and non-compliance
Fraser says if firms aren’t in compliance with PIPEDA, this can result in a complaint to the Privacy Commissioner. The Commissioner can then issue what’s called a “report of findings,” which can direct remedies to fix non-compliance, but it can also be used by a complainant in a lawsuit.
He explains, “There’s a range of damages that the Ontario Court of Appeal has set related to recognizing people being upset by having their privacy invaded. That ranges from nominal damages to $20,000.” But, he continues, “It is usually not worthwhile for an individual to pursue that claim, other than perhaps in small claims court.”
PIPEDA can, as of Nov. 1, 2018, expose firms to fines of up to $100,000, but Fraser says these circumstances are very limited.
Fraser says for his clients, one of the biggest concerns is reputational damage. “They pride themselves on being diligent in how they manage their affairs and the last they want is the publicity to be associated with the Privacy Commissioner finding they’re offside.”
“It’s only under the criminal code stuff that one can expect to get into any kind of significant financial harm,” the lawyer notes, referencing audio eavesdropping and video voyeurism.
While there may not be significant financial consequences for non-compliance of Canada’s privacy laws right now, that could change, and quickly.
Fraser says, “For the last couple of years, privacy advocates in Canada have been calling for changes to our law to align more closely with the state of the law in Europe.”
Under the EU’s General Data Protection Regulation (GDPR), companies that manage data of Europeans can potentially face fines of up to 20 million Euro or up to four per cent of annual global revenue, whichever is higher.
Fraser continues, “Just before the election, the federal government tabled something called the Digital Charter, calling for a move toward the GDPR, and likely the most important thing, to give our Privacy Commissioner greater enforcement power. That was before the election, they used it as part of their election campaign… So I would not be surprised if, over the horizon, we were to see amendments to our privacy laws that gave the Privacy Commissioner the ability to levy fines and penalties.”
Shipley adds to this, “Eventually when we do get caught up to Europe’s laws, those fines will not be inconsequential.”