Patrons of the two Boston Calling music festivals held in 2013 learned this week that they had been unwitting test subjects for a surveillance-software trial on which the city spent $650,000. The events themselves went off without a hitch, but the broad use of high-tech monitoring software raises surveillance questions that enterprise security and privacy managers should be asking as well.
Concerts aren't really a place to expect privacy, given the media photographers, band videographers and smartphone-wielding fans recording video and snapping photos, but being the subject of a government-funded experiment without knowing it is another matter.
Let's rewind. In March 2012, Boston received a Smart Cities Challenge grant from IBM to "help achieve Boston's climate- and traffic-improvement goals by unlocking, sharing and analyzing transportation data." In May 2013, the city conducted a trial run of what it calls "situational awareness software" at the spring Boston Calling event. At the September 2013 concert, a full-fledged test was conducted.
While the city claims the software was not used to track individuals based on race or other characteristics, DigBoston, the outlet that first reported the surveillance, found year-old documents detailing that the software is able to recognize and record a person's height, clothing and skin color, among other attributes.
According to Kade Crockford, the director of the Technology for Liberty Project at the American Civil Liberties Union of Massachusetts, the documents were only found because an IBM employee uploaded them to a public server. IBM has declined comment.
Boston Mayor Martin Walsh's press secretary Kate Norton said, "The purpose of the pilot was to evaluate software that could make it easier for the City to host large, public events, looking at challenges such as permitting, basic services, crowd and traffic management, public safety, and citizen engagement through social media and other channels. These were technology demonstrations utilizing pre-existing hardware (cameras) and data storage systems."
If meant for traffic analysis, why would categories such as "baldness" or "head color" be collected for data classification?
Can surveillance and privacy co-exist?
Privacy has struck a nerve with the public lately, beginning with last year's revelations from NSA whistleblower Edward Snowden and most recently with the iCloud hacks that exposed sensitive pictures and videos of celebrities. Some may give Boston leeway for pursuing situational awareness technology after the 2013 Boston Marathon bombing, when it took days to identify the suspects from grainy surveillance photos. Even so, it remains unclear whether the Boston Calling data was really used for "public safety" as the city claims, how much information Big Blue collected, and why.
Surveillance is often credited with improving security, but security and privacy pull against each other, and enterprise security teams increasingly have to confront that tension as closed-circuit video, badge-access records, Web proxy logs, GPS data and other monitoring feeds are collected and correlated into a minute-by-minute record of what employees do.
As the Electronic Frontier Foundation notes, "New technologies are radically advancing our freedoms but they are also enabling unparalleled invasions of privacy." The reality is that technology is advancing far faster than the law, so where the line falls in any given surveillance situation will remain up for debate until legislation settles it.
In the end, Boston did not buy the situational awareness software, though it remains interested in it despite outcry from privacy advocacy groups. The episode still carries a clear lesson: organizations must take a long, hard look at how they conduct, and permit, surveillance of their employees, customers and the public at large. Until the law catches up, the prudent course is to keep surveillance narrowly scoped and to disclose surveillance policies fully to the people affected by them.
In other news
- The Apache Software Foundation is urging users to upgrade to version 7.0.40 of its open source Tomcat servlet container to remediate a remote code-execution vulnerability. Mark Thomas, an Apache Tomcat committer, warned that versions 7.0.0 through 7.0.39 are affected. Although the severity is rated only "important," and Apache itself says the flaw is difficult to exploit in practice, an upgrade is recommended. Alternatively, users can mitigate the issue by running Tomcat on Oracle Java 1.7.0 or later.
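As an added example (not from the article or from the Apache Tomcat project), the following Python script shows how an administrator could triage hosts against the affected range above. It parses the version strings that Tomcat's own version.sh and java -version print, compares them numerically rather than as strings (so that 7.0.4 correctly sorts below 7.0.39), and reports whether a host is outside the affected range, mitigated by Java 1.7.0 or later, or still exposed. The two sample outputs are constructed for the example, not captured from a real host, and the function names are my own.

```python
import re

# Affected range and mitigation as stated in the item above:
# Tomcat 7.0.0 through 7.0.39 is affected, 7.0.40 fixes it, and running
# on Java 1.7.0 or later mitigates it on an unpatched Tomcat.
FIRST_AFFECTED = (7, 0, 0)
FIRST_FIXED = (7, 0, 40)
MITIGATING_JAVA = (1, 7, 0)

# Constructed sample output in the shape of "$CATALINA_HOME/bin/version.sh"
# and "java -version" on an unpatched host (not captured from a real system).
SAMPLE_TOMCAT_OUTPUT = """\
Server version: Apache Tomcat/7.0.39
Server built:   Mar 22 2013 12:37:24
Server number:  7.0.39.0
OS Name:        Linux
JVM Version:    1.6.0_45-b06
"""

SAMPLE_JAVA_OUTPUT = """\
java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
"""


def parse_version(text: str) -> tuple:
    """Extract the leading dotted numeric version from a string as a tuple of ints.

    Comparing int tuples avoids the classic mistake of comparing version
    strings lexicographically, where "7.0.4" would sort after "7.0.39".
    A trailing update suffix such as "_45" in "1.6.0_45" is ignored.
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def tomcat_version_from_output(output: str) -> tuple:
    """Pull the Tomcat version out of version.sh output ("Server version: Apache Tomcat/x.y.z")."""
    for line in output.splitlines():
        if line.startswith("Server version:"):
            return parse_version(line.split("/", 1)[1])
    raise ValueError("Server version line not found")


def java_version_from_output(output: str) -> tuple:
    """Pull the runtime version out of 'java -version' output (java version "x.y.z_nn")."""
    m = re.search(r'java version "([^"]+)"', output)
    if not m:
        raise ValueError("java version line not found")
    return parse_version(m.group(1))


def assess(tomcat: tuple, java: tuple) -> str:
    """Classify a host as 'not affected', 'mitigated' or 'vulnerable'."""
    if not (FIRST_AFFECTED <= tomcat < FIRST_FIXED):
        return "not affected"      # 7.0.40 or later, or outside the 7.0.x range
    if java >= MITIGATING_JAVA:
        return "mitigated"         # affected Tomcat, but Java 1.7.0+ blocks exploitation
    return "vulnerable"            # affected Tomcat on pre-1.7 Java: upgrade now


def assess_host(tomcat_output: str, java_output: str) -> str:
    """Run both parsers over captured command output and classify the host."""
    return assess(tomcat_version_from_output(tomcat_output),
                  java_version_from_output(java_output))


if __name__ == "__main__":
    # On a real host, replace the constants with the output of
    # "$CATALINA_HOME/bin/version.sh" and "java -version 2>&1".
    print(assess_host(SAMPLE_TOMCAT_OUTPUT, SAMPLE_JAVA_OUTPUT))
```

A host reported as "mitigated" is still running affected code; the Java requirement only removes the known exploitation path, so it should be scheduled for the 7.0.40 upgrade rather than closed out.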
- After coming under scrutiny for the Heartbleed flaw, the OpenSSL Project, the group behind the open source encryption toolkit, published a security policy for the first time this week. The policy describes how the group handles security issues internally and sets out its pre-notification policy: OpenSSL users will now be told the release date and time of a fix and the severity of the issues being fixed, and those notices will be posted on the project's homepage. The goal is transparency, so that organizations can ensure the right staff are available to apply the updates when they ship.
- A survey by AKJ Associates found that 76% of respondents are worried about how call centers safeguard their personal information. The result is not surprising given the recent slew of retail data breaches, but it highlights one more arena in which enterprises must be diligent about security. Although many call centers have strengthened their knowledge-based authentication practices, it is still common for an attacker to impersonate a victim over the phone and talk a representative into granting unauthorized access. Robert Walker, director at AKJ Associates, said, "Every day, we hear about major data breaches of large firms, impacting thousands of consumers -- and contact centers are a potential weak point in the armor. Without proper defenses, hackers could steal a treasure trove of sensitive information." A conference by PCI Portal, "Securing the Contact Centre," will be held next week in London.