Ports in a Security Storm
 
What if cameras placed to catch terrorists catch employees behaving badly instead?

BY DR. LARRY PONEMON

Many security and privacy professionals in municipal agencies face the dual challenge of protecting individuals' privacy yet complying with new Homeland Security surveillance rules intended to protect our country from future terrorist attacks. In the following case, we discuss how surveillance technologies challenge an organization's privacy commitments and new wireless technologies create unexpected security risks.


In the Eye of the Storm
Mark was the newly appointed CIO of a state's department of ports and tunnels. During the first few weeks, Mark was engrossed in reviewing a recent audit of the security system for the ports that was conducted by an independent firm. Since 9/11, the department had been upgrading its data security to prevent hackers and terrorists from accessing sensitive information about the ports and tunnels.

Before he took the job, Mark was well aware of both the physical and technical security risks of the ports and tunnels to possible terrorism. His priority when he started was to have his assistant schedule meetings with the various IT staff to understand the adequacy of the department's physical and electronic controls over data. In addition, Mark met with Audrey, the department's privacy and public policy manager. She told Mark that while she understood the need for heightened security measures, she also wanted to make sure that the department continued to honor its privacy commitments.

"We recently took an inventory of the data collected, used, stored and shared about our employees, contractors and businesses," said Audrey. "Strict security safeguards were put in place to protect personal information from abuses as well as to keep the hackers out. We also approved a new privacy policy that clearly explains the limits we have placed on sharing personal information with other organizations."

Mark told Audrey that the FBI and local law enforcement officials had discussed with him the need to have access to databases containing personal information about employees and contractors. "They wanted to be able to match records to a suspected watch list of terrorists and people wanted for violent crimes," said Mark. "How can I protect personal information while sharing our databases with who knows how many people? Yet there are valid national security reasons why the government would be interested in our workers." Audrey advised him that as a high-profile municipal agency, a privacy breach could damage its reputation and pose risks of class-action lawsuits.

A Case of Overexposure
One beautiful summer day, Mark decided to leave his office and take a walk through the dock's cargo holding zone. He enjoyed seeing the containers being unloaded and marveled at the efficiency of the port. However, as he was watching some of the workers, he became uneasy. A number of individuals were using wireless devices such as cell phones (some with built-in digital cameras) and PDAs.

Mark heard about terrorists using wireless technology to collect digital photos, plant explosives and release remote bombing devices, but knew that his department had yet to address the security implications of wireless equipment that many employees and contractors now had routine access to. He made a mental note that when he returned to the office he would convene a meeting to discuss the development of policies and procedures for wireless technology.

In the meantime, the FBI had begun surveillance because they believed terrorists might have infiltrated the ports. Video cameras were installed in several discreet locations to record suspicious activity. Department officials were informed that the cameras would be on all the time. In the interest of national security, however, employees and contractors were not told about the increased surveillance.

A few months later, FBI agents were reviewing some of the tapes that had been flagged for their attention. "Wow, look at that," laughed one of the agents. "I thought things were pretty dull on the docks." The tape had captured two employees engaged in a compromising act during working hours. "I think we need to let the ports and tunnel department know about this tape and what some of their employees are doing during working hours," he added.

The Issue: Balancing Security with Privacy
Video camera surveillance used to protect against terrorism has created new data and privacy risks for Mark's agency. While not tipping his hand to terrorists and making them aware of the surveillance technologies in place, Mark needs to consider the privacy commitment of the agency to citizens, contractors and employees.

First, is the agency's current privacy policy realistic when the ports and tunnels are threatened? What privacy protections should the privacy policy commit to? Mark should involve the organization's leadership in responding to these issues.

Second, the agency should determine how it will protect information gathered through surveillance from overexposure and the violation of individuals' right to privacy. In this case, security surveillance had the unintended consequence of creating a potential employee disciplinary issue for the agency.

Many organizations use wireless connectivity as a complement to traditional, wired networks. From a security perspective, however, wireless raises many new challenges in addition to those associated with traditional networking. Employees are bringing new wireless devices into the workplace. These security issues become even more critical when an organization must not only deal with potential employee abuse and negligence but also with possible terrorist attacks.

A high priority for Mark should be the development of policies for the appropriate use of network wireless technologies. Many organizations are now prohibiting the use of these technologies in the workplace for business confidentiality and intellectual property reasons and also to prevent a security and privacy breach. The policies should define the "do's and don'ts" for everyone to follow. They should also identify clear accountability for enforcing the rules, as well as have training and assignment of roles, responsibilities and duties to the employees and contractors who deploy, operate, administer and maintain the organization's security on an ongoing basis.

Finding the appropriate balance between national security concerns and individuals' privacy is a challenge facing those in the public sector. In this case, the ports clearly are in the center of a privacy and security storm.


 
  • Michael Moore's Candid Camera
  • MythTV and a Security Camera
  • CCTV Visual Lens Comparison Chart
  • Lights, Camera, 9/11
  • Kids Safe: Teach Your Children Well
  • Considering CMOS for security and surveillance
  • Isolation, breakdowns and mysterious injections
  • Oh, grow up
  • Security alarm system
  • Geek house
  • Race case verdict blow to Yard
  • Compare Security Camera Products