Pervasive Video Surveillance
MAKING SENSE OF 'SUBJECT ACCESS REQUESTS'
This paper focusses on the requirements for servicing Subject Access Requests for CCTV footage.
CCTV VIDEO PRIVACY
CCTV systems have long been used to provide live monitoring and evidentiary data for private and public premises. They are usually put in place to help keep buildings, their contents and the people within them safe. They have been an accepted part of life but with the exponential growth in the volume of cameras being deployed and increased sophistication of image recognition technology the data captured by these systems is raising new questions of data governance, privacy and management.
Historically CCTV footage has been the sole domain of the Security team but it’s demands have been spreading to other internal functions who want to extract valuable business data (footfall, demographics, people flows and the general behaviour of staff, customers or visitors) and the billions of individuals who are now captured on a daily basis.
Along with more traditional CCTV systems video is now being captured by a growing number of new devices; smart doorbells, cars, buses, drones, street lights and body-worn cameras. Video based IOT systems are providing live monitoring of industrial environments (manufacturing, warehousing and logistics) where these systems also capture footage of employees and site visitors. Automated number plate recognition systems (ANPR systems) have become more widespread in public and private locations and come with associated video streams of people and their movements. We’re also starting to see the roll out of video based biometric based access systems for banking, social and door-entry.
Security based video is becoming more pervasive across our lives.
GDPR along with other data protection legislation sets out the framework for how video data needs to be stored and managed but there are still lots of grey areas when it comes to the usage of that data by specific parties.
- Individuals: Through a ‘subject access request’ individuals can request all the video footage a business has on them ‘can you send me the footage you have of me in the bar from Friday night?’
- Police: For incidents Police access CCTV video footage to help with their investigations; data that can then be reviewed by legal teams under legal privilege and potentially supplied into court as evidence.
- Business functions: More demands are being made on security video as a source of valuable business data for anonymised analytics in retail and other environments.
There is currently no thicket of case law or legal precedent in any of these areas to help guide specific actions; businesses are making sense of their obligations and approach to video data privacy as specific issues and questions arise.
SUBJECT ACCESS REQUESTS (SAR)
It all starts when the first subject access request is received.
The first SAR for CCTV footage raises many questions:
“‘Really… we have to supply video from our CCTV system?’
‘How much video are we talking about, how many cameras did they appear on?’
‘We need to check the individual in question was actually here and that they are who they say they are - i.e. that they’re not trying to access data on someone else’
‘We need to be able to identify them in the footage - they may need to send in a description of their movements and images of themselves’
‘Any video we send cannot contain any personal data for anyone bar the subject’
‘How do we get the video redacted so only the Subject is visible?, How do we check it?’
‘We need to do this within a month?’
‘Who pays for the time and effort to do this?’”
There are a lot of questions and very limited information to guide a way forwards without seeking expert legal advice. GDPR states that ‘reasonable efforts’ have to be met in protecting personal data but what about situations that may also involve wider safety or security concerns for the company, employees or pubic individuals?
It all comes down to the detailed requirements of the individual case for the company and individual/s.
Once a business works its way through its obligations and starts to investigate solutions for supplying the requested data then a more detailed understanding of requirements is needed to proceed efficiently.
THE COMPLICATIONS OF VIDEO
Video is a very dense and objectively descriptive medium, in crowded environments it can be packed full of sensitive personal data from multitudes of people. Video files are typically large in size, take time to extract and are cumbersome to move around (hours for upload/download); they present unique challenges of scale and security for managing access, processing, review and supply vs other text based behavioural data.
1x CCTV camera can capture 70k individual frames per hour which could equate to 2 million individual faces captured in a busy environment (circa 1GB of data, 30min upload to cloud).
A small private venue may have 3x cameras in one location capturing a specific individual for 3 hours; this would equate to a total of 650k individual frames (roughly 20 million faces, 9GB data, 4.5hrs cloud upload) that would need to be redacted, reviewed and supplied for an SAR video.
Even at this relatively small scale of request (3hrs x 3 cameras) the redaction and review task is unmanageable without the right technical systems and tools. Manually adding boxes for each face in each frame (ie. 20 million boxes) would take a lifetime - even with automated people tracking.
The review time can be shortened greatly by reversing the process and only adding boxes for the subject in question and then redacting all other content but even here the process for the above example would still take a week to work through without the right tools.
Advances in machine learning (a subset of AI) allow for the automatic detection of faces/bodies and the development of semi-automated tools to speed up the review and editing process. The challenge for CCTV footage is that most data is low quality with subjects at varying angles and distances from the camera. In busy environments the level of occlusion is extremely high and the small size of faces can make them difficult to detect and even harder to identify. These challenges are made more difficult for moving cameras (those on bodies and vehicles) due to a range of blur and noise artefacts that are introduced from dynamically changing scenes and camera viewpoints.
On the surface it appears that redacting personal data from video data looks simple but depending on the level of requirements can be a complex technical challenge.
As individuals move around scenes they create temporal information that can be used to identify them across video footage. When viewed in isolation it may be that an individual is impossible to identify from one frame (ie. when they are far away from the camera) but when paired with an earlier frame with a close-up shot the viewer can track the subjects subsequent movement and pick up additional information on their clothing/appearance to identify them at different points in the footage. What constitutes identifiable personal data in video can be much broader than the usual face based biometric data, this creates the need in some situations to detect and remove full bodies of individuals rather than just faces (this also ensures other distinguishing marks like arm tattoos and birth marks are not identifiable).
With Pimloc’s world-class expertise in deep learning system development it has been able to re-develop its face detectors and classifiers to perform well on security specific footage (as used in the Secure Redact product) but it’s still impossible to ‘guarantee’ that 100% of all the faces/bodies would be picked up in every frame from automated detections alone.
- A 1% error rate (ER) in the example above would mean 200k missed faces in the combined 9 hours of footage.
- A 0.1% ER would still equate to 20k missed faces
- Even a 0.01% ER would have missed 2k individual faces (ie. @ 99.99% accuracy)
What is an acceptable rate?
If a system is used that meets the current benchmark for face/body recognition accuracy then a business may argue that meets GDPR’s guidelines for ‘reasonable efforts’. But if the company needs to guarantee that specific individuals are not identifiable in any frames within a piece of video then additional review and editing steps are required. Also of note is that the general benchmarks for face detection accuracy are not measured specifically against CCTV data sets and likely over-estimate the accuracy levels in this domain (as is also the case in other specialist domains).
Depending on the length of video to be reviewed, position of camera, number of people in the footage and how dynamic the environment is (ie. how much everyone moves around) it may be as simple as watching the processed videos at 0.5x – 2x speed to pick-up and edit missing detections. But if there’s many hours of footage and a high number of people moving around in the scene this becomes very difficult and extremely time consuming. This is further compounded as human error rates for these tasks are extremely high and require multiple people to review the same footage to reach desired quality of results. It can take up to 20x real-time to review and edit detections using simple video editing tools - ie. a minimum of 180 hours to review/edit 9 hours of footage for one pass of the video.
This is where Pimloc’s purpose built ‘Secure Redact’ reviewing and editing tools speed up the process through semi-automated workflows for picking up additional detections and applying intelligent tracking. For projects with high accuracy thresholds a manual review step cannot be avoided but it can be greatly sped-up (>15x increase in review/edit speed) through a mix of specialist machine learning and computer vision driven application features. These tools can be used directly by the company via the Secure Redact SaaS product or indirectly as part of a managed service.
Over time automated detection accuracy rates will continue to increase but a manual review step will always be required for cases with very low error thresholds.
If you don’t meet the criteria for exemptions on SAR supply (ie. if an SAR is found to be ‘manifestly unfounded’ or ‘excessive’) then alternatives to selective redaction for more complex video requests may be to destroy the footage and not supply anything to the end user or as proposed earlier to redact all footage bar the subject in question. Both are likely not the ideal solution for the business or individual but could be the only practical way of protecting the privacy of all involved.
If you are looking at SAR solutions for video then you’ll need to be consider the following:
1. How many hours of footage do you need to process / redact?
2. What level of personal data redaction do you require (faces vs bodies, background scene, number plates)?
3. What level of accuracy is required?
4. Whether you want to review and edit the video yourself or pay for a managed service?
5. How you will check the final redacted videos before supplying?
If you are interested in trying out the SaaS version of Secure Redact or want to discuss a managed service please contact: simon@pimloc.com.