Privacy Enforcement in Surveillance Systems

Conference paper


Hauke Vagts
Thomas Emter
Alexander Bauer
Jürgen Beyerer


Peter Elsner (ed.), Future Security: 4th Security Research Conference, Fraunhofer Verlag, 2009.




Future Security: 4th Security Research Conference, Karlsruhe, September 29 - October 1, 2009

Surveillance Systems have become increasingly powerful. Conventional camera based Systems are extended with all kind of sensors (RFID, GPS, etc.), the number of data sources increases, hardware and algorithms improve, and data can potentially be shared between interlinked networks. The technological progress does not threaten solely the protection of privacy; it also provides an opportunity to achieve data and privacy protection on a new level.

In this work we propose privacy and security mechanisms to achieve data protection in surveillance systems while providing the best possible functionality. The suggested methods are included in an Object-Oriented World Model (OOWM) that serves as central information hub. It has been developed as a part of the semi-autonomous surveillance system NEST.

All member states of the European Union must obey the directive on the protection on personal data. Hence the suggested approach enforces mechanisms to be compliant with the directive that cannot be bypassed. To allow flexible handling of data, the privacy concept for personal data is task-oriented and granular access controls are enforced according to the principle of least privilege. To ensure personal rights, an observed individual can request and access data collected about him. All data related to him can then be corrected or deleted on request with minimal influence to the surveillance tasks. To achieve non-repudiation all changes in the world model are logged. This also helps to ensure data freshness.

The approach also aims at data minimization. A minimal amount of information is collected and irrelevant data are deleted as quickly as possible. Processed data are also minimized; i.e. only relevant objects, attributes, and prior knowledge are processed. Concluding, only relevant data is stored outside the world model. The persistent information is linked to the world model and appropriate access controls are enforced to realize multiple access levels.