140 likes | 151 Views
Privacy and Cybersecurity Lessons at the Intersection of the Internet of Things and Police Body Worn Cameras. Peter Swire & Jesse Woo North Carolina Law Review Symposium November 3, 2017. This paper. Why Body Worn Cameras (BWCs) are part of the Internet of Things (IoT)
E N D
Privacy and Cybersecurity Lessons at the Intersection of the Internet of Things and Police Body Worn Cameras Peter Swire & Jesse Woo North Carolina Law Review Symposium November 3, 2017
This paper • Why Body Worn Cameras (BWCs) are part of the Internet of Things (IoT) • Lessons from the IoT for privacy and cybersecurity, for BWCs • Lessons from BWCs for privacy and cybersecurity, for the IoT
Background of the Authors • Peter Swire: • Now professor of Law and Ethics in Scheller College of Business • Jesse Woo: • Research faculty at GT • “Smart Cities Pose Privacy Risks and Other Problems, But That Doesn't Mean We Shouldn't Build Them,” 85 UMKC L. Rev. 953 (2017)
I. BWCs as IoT • Definition of IoT: • A sensor • Connected to the Internet • Data stored remotely, typically in the cloud • Our claim: for purposes of identifying and mitigating privacy and cybersecurity issues, BWCs are an example of the IoT • No previous literature on this (but, Adam Thierer)
BWCs as IoT • “Sensor”: a camera, yes • ”Data stored remotely, typically in cloud” • Storage of the video footage is remote, not on the camera itself • Storage may be in the cloud, or else database maintained separately by police department • If stored separately, then often greater security risks, unless police department is unusually skilled at cybersecurity • “Connected to the Internet” • Depends on configuration • If it is, then have the worry about remote attacks on the BWCs and their software • If not, then those specific risks do not apply, but the rest of the lifecycle of protecting data is the same
II. Lessons from IoT for BWCs • Large and growing literature on IoT cybersecurity and privacy • IoT is becoming enormous, $1 trillion/year in coming years • Numerous types of IoT have similarities to BWCs: smart cities, gunshot locators, fixed video surveillance, many more • Emergence of standards for good cybersecurity and privacy • How to use the IoT literature to help BWCs? • Cities and police departments face challenges in discovering good practices • If they discover good practices, in politically fraught settings, helpful to have neutral/authoritative set of practices • If practices are not yet good, then basis for critiquing and improving practices
Sources on IoT • Broadband Internet Technology Advisory Group, IoT Security and Privacy Recommendations (2016) • Microsoft Azure, Internet of Things Security Best Practices (2017) • Federal Trade Commission • Internet of Things: Privacy and Security in a Connected World (2015) • Other privacy and security reports and enforcement actions • Privacy by design/privacy-enhancing technologies
Some themes from the IoT literature • Well-known organizing principles for cybersecurity and privacy: • Life cycle of data – collection, storage, use, dissemination, destruction • Technical, physical, and administrative measures • CIA: Confidentiality, integrity, and availability • “Integrity” – preserve evidentiary integrity • Secondary use: • Primary use (collect as evidence in a particular case) • Secondary uses – when is it lawful/appropriate to use for other purposes • Biometrics example from this morning
Conclusions on Part II • IoT: have well developed approaches for hardware, software, and system protections for IoT • Rich literature and experience on numerous issues • BWC systems and policy debates can draw on these approaches
III. Possible lessons from BWCs for IoT • Always on • Transparency • Jesse Woo
“Always on” • Existing IoT standards usually assume the device is “always on” • For BWCs, that will not be true • Bathroom breaks • Sitting in car • Others • This could become a checklist item for IoT security and privacy • Technical issues – set default on/off; mechanism for switching between on/off • Administrative issues – how to develop on/off policy and create compliance • Privacy design principle of “minimization” can lead to “sometimes off”
Transparency • Transparency an enormous issue for BWC • Complex First Amendment, privacy, accountability, and other issues • IoT best practices have not addressed transparency at this level of detail • Great majority of IoT deployment done by the private sector, with minimal FOIA or First Amendment issues • Much discussion in the symposium on proper approach to transparency • When must the camera be on • Who should get access
Transparency • Conclusion for IoT: rich BWC discussion on transparency can inform the broad IoT literature • Suggestion for BWC community: • Study the decade-long conferences on “Privacy and Public Access to Court Records” from William & Mary’s Center for Legal and Court Technology • Huge tradition of public access to court records • Huge privacy issues when juvenile, financial, and other records available on the Internet
Conclusion • Link BWC discussions to the broader IoT literature • Can move the BWC community up the learning curve from the larger IoT discussions • Can inform the IoT community of under-appreciated issues such as “always on” and transparency