This paper explores the intersection of IoT with police body cameras, discussing lessons in privacy and cybersecurity. It outlines the challenges faced by cities and police departments in discovering good practices and emphasizes the need for neutral authoritative standards. Drawing on IoT literature, it provides insights into hardware, software, and system protection approaches. The analysis suggests key lessons from body cameras for IoT devices, focusing on the concepts of "always on" and transparency. The discussion around when cameras should be active and who should have access can inform broader IoT deployments. The paper concludes by highlighting the importance of studying existing practices and drawing parallels from other fields for effective implementation.
Privacy and Cybersecurity Lessons at the Intersection of the Internet of Things and Police Body Worn Cameras
Peter Swire & Jesse Woo
North Carolina Law Review Symposium
November 3, 2017
This paper
• Why Body Worn Cameras (BWCs) are part of the Internet of Things (IoT)
• Lessons from the IoT for privacy and cybersecurity, for BWCs
• Lessons from BWCs for privacy and cybersecurity, for the IoT
Background of the Authors
• Peter Swire:
  • Now professor of Law and Ethics in Scheller College of Business
• Jesse Woo:
  • Research faculty at GT
  • “Smart Cities Pose Privacy Risks and Other Problems, But That Doesn't Mean We Shouldn't Build Them,” 85 UMKC L. Rev. 953 (2017)
I. BWCs as IoT
• Definition of IoT:
  • A sensor
  • Connected to the Internet
  • Data stored remotely, typically in the cloud
• Our claim: for purposes of identifying and mitigating privacy and cybersecurity issues, BWCs are an example of the IoT
• No previous literature on this (but, Adam Thierer)
BWCs as IoT
• “Sensor”: a camera, yes
• “Data stored remotely, typically in cloud”
  • Storage of the video footage is remote, not on the camera itself
  • Storage may be in the cloud, or else database maintained separately by police department
  • If stored separately, then often greater security risks, unless police department is unusually skilled at cybersecurity
• “Connected to the Internet”
  • Depends on configuration
  • If it is, then have the worry about remote attacks on the BWCs and their software
  • If not, then those specific risks do not apply, but the rest of the lifecycle of protecting data is the same
II. Lessons from IoT for BWCs
• Large and growing literature on IoT cybersecurity and privacy
• IoT is becoming enormous, $1 trillion/year in coming years
• Numerous types of IoT have similarities to BWCs: smart cities, gunshot locators, fixed video surveillance, many more
• Emergence of standards for good cybersecurity and privacy
• How to use the IoT literature to help BWCs?
  • Cities and police departments face challenges in discovering good practices
  • If they discover good practices, in politically fraught settings, helpful to have neutral/authoritative set of practices
  • If practices are not yet good, then basis for critiquing and improving practices
Sources on IoT
• Broadband Internet Technology Advisory Group, IoT Security and Privacy Recommendations (2016)
• Microsoft Azure, Internet of Things Security Best Practices (2017)
• Federal Trade Commission
  • Internet of Things: Privacy and Security in a Connected World (2015)
  • Other privacy and security reports and enforcement actions
• Privacy by design/privacy-enhancing technologies
Some themes from the IoT literature
• Well-known organizing principles for cybersecurity and privacy:
  • Life cycle of data – collection, storage, use, dissemination, destruction
  • Technical, physical, and administrative measures
  • CIA: Confidentiality, integrity, and availability
  • “Integrity” – preserve evidentiary integrity
• Secondary use:
  • Primary use (collect as evidence in a particular case)
  • Secondary uses – when is it lawful/appropriate to use for other purposes
  • Biometrics example from this morning
Conclusions on Part II
• IoT: have well developed approaches for hardware, software, and system protections for IoT
• Rich literature and experience on numerous issues
• BWC systems and policy debates can draw on these approaches
III. Possible lessons from BWCs for IoT
• Always on
• Transparency
• Jesse Woo
“Always on”
• Existing IoT standards usually assume the device is “always on”
• For BWCs, that will not be true
  • Bathroom breaks
  • Sitting in car
  • Others
• This could become a checklist item for IoT security and privacy
  • Technical issues – set default on/off; mechanism for switching between on/off
  • Administrative issues – how to develop on/off policy and create compliance
• Privacy design principle of “minimization” can lead to “sometimes off”
Transparency
• Transparency an enormous issue for BWC
  • Complex First Amendment, privacy, accountability, and other issues
• IoT best practices have not addressed transparency at this level of detail
  • Great majority of IoT deployment done by the private sector, with minimal FOIA or First Amendment issues
• Much discussion in the symposium on proper approach to transparency
  • When must the camera be on
  • Who should get access
Transparency
• Conclusion for IoT: rich BWC discussion on transparency can inform the broad IoT literature
• Suggestion for BWC community:
  • Study the decade-long conferences on “Privacy and Public Access to Court Records” from William & Mary’s Center for Legal and Court Technology
  • Huge tradition of public access to court records
  • Huge privacy issues when juvenile, financial, and other records available on the Internet
Conclusion
• Link BWC discussions to the broader IoT literature
• Can move the BWC community up the learning curve from the larger IoT discussions
• Can inform the IoT community of under-appreciated issues such as “always on” and transparency