Tony Porter launches Secure by Default requirements for video surveillance systems

Surveillance Camera Commissioner Tony Porter launched Secure by Default minimum requirements for video surveillance technology at IFSEC 2019, as well as the inaugural National Surveillance Camera Day.

On the third and final day of the integrated security event, Porter told the Keynote Arena that when he took on the role of Surveillance Camera Commissioner he felt he understood the security industry, but understanding his remit was a bigger challenge.

Video surveillance systems were nearly all analogue and, as such, cybersecurity was a non-issue. CCTV cameras were ubiquitous but many observers doubted their effectiveness as a deterrent, while concerns about a surveillance state abounded.

But a new world order was on the horizon. Body-worn cameras hadn’t yet appeared and “drones – well, frankly, they were for the birds.”

Now in addition to drones – both as a commercial tool and a threat to counter – and body cameras used widely by law enforcement and other sectors, we finally have effective facial recognition plus gait analysis, among other tech that not long ago seemed so futuristic.

GDPR, meanwhile, has added to the weight of responsibility on anyone tasked with managing, storing and securing video data.

Back in 2014, when Porter became Surveillance Camera Commissioner, everyone knew what CCTV was: cameras fed images back to a control room monitored by security staff. Footage could be retrieved to examine incidents but it was time-consuming and had a patchy record as a source of courtroom evidence.

Porter believes the Home Office and industry must ensure that only technologies compliant with relevant standards should be installed in public and private spaces

Five years later the public don’t truly understand the phenomenal capabilities of modern systems, said Porter. Into that vacuum has rushed understandable misgivings about AI, facial recognition and the risk to privacy and potential for abuse such capabilities create. With this in mind Porter believes the Home Office and industry must focus on ensuring only hardware and software compliant with relevant standards is installed in public and private spaces alike.

But Porter is no Luddite when it comes to technology with profound benefits for public safety, if used correctly. “I still believe that advancing technology is essential for this country to move forward,” he said. “We should be a leader in new security technology, but we need to listen to people with concerns about civil liberties and also be a leader in protecting them.”

Secure by default is still a “toddler”, said Porter, but it’s moving forwards and people in the industry appreciate the chance to reassure the public and security professionals alike. He has worked with the police, NCIS and local authorities to undertake some ‘horizon scanning’. His office also released a survey to every police force in England and Wales to find out about their surveillance strategies.

Citizen engagement is important, he said, because we do not have the right to surveil people – morally or legally. Despite being a champion of proportionate, appropriate use of video surveillance, Porter said he was a big fan of listening to people who hate surveillance, to find where the “pressure points are” and mitigate against them. If the argument against is not open it’s harder to argues a positive case for video surveillance.

What was the point of National Surveillance Camera Day? To show that surveillance is there to support, not to spy on, communities

So what was the point of National Surveillance Camera Day? To show that surveillance is there to support, not to spy on, communities, said Porter. So far it is having a strong impact, he added.

With the cyber threat growing, the secure by default requirements involved collaboration between stakeholders to draw up baseline standards for manufacturers of video surveillance systems. Written by manufacturers for manufacturers, it’s a global first, claimed Porter.

A harmonised approach to security means the end user will know what they’re getting: a very high level of cybersecurity.

The fine-grain details of cybersecurity were beyond Porter’s understanding, confessed the former senior police officer, but he had sought the advice of numerous experts who did understand the issue.

Self-certification

Together they have devised a simple self-certification system: where manufacturers use the minimum standards as a benchmark. This is then submitted to his office and evaluated against the guidance by industry professionals. They are then awarded a certification mark, which they can then include on the product’s box and in its marketing.

Porter expects that manufacturers will start to see that if they want to make money from their product, they need to have this mark on the box, because that’s what the end user wants.

As it’s self-certification, is there a risk of companies lying? The simple answer is yes, but the risk of embarrassment and scandal for a company that did so would be a major deterrent. Nevertheless, Porter’s office is working on a more robust system for the future.

“One audience member raised the spectre of the UK becoming “a dumping ground for substandard products because we don’t have legislation”

Offered the chance to ask questions of the commissioner, one audience member raised the spectre of the UK becoming “a dumping ground for substandard products because we don’t have legislation”. Currently the UK has only a code of conduct for video surveillance systems. While there is talk of legislation, some other countries have used the UK code of conduct as a basis for legislation.

“This echoes a conversation with senior Home Office officials,” replied Porter. “It would be fair to say we have a government that lacks confidence and is very heavily engaged with issues around Europe. You will be reassured to know there is connectivity around key stakeholders and there is buzz around it, but I cannot guarantee that the legislation will be there to prevent your concerns entirely. I am optimistic that it won’t be the case, but I can’t guarantee it.”

Another audience member asked about control rooms opening their doors to the public for National Surveillance Camera Day. And how will Porter measure the initiative’s success?

“We’re tracking social media use and we’re looking at the impact,” replied Porter. “It’s an interesting point: how do we measure success. After 20-30 years of the analogue surveillance industry we still don’t have a measure of success for the higher tech systems in place now. Most likely it will start with something very raw, very basic and we’ll tweak it as we go along.”

We interviewed Tony Porter in the build-up to IFSEC 2019 about the Secure by Default standard and the inaugural National Surveillance Camera Day.