Police agencies need CJIS-like security policy to protect sensitive video data

As thousands of police departments across the country prepare to deploy body-worn cameras, it is time to ask how the millions of hours of video to be collected by these cameras will be protected from misuse or unwarranted disclosure.

The reality is that some of this video footage will be highly sensitive in nature. It is not enough to simply say: “The public has a right to know.” We can all agree that citizens have the right to question the actions of law enforcement agencies as these agencies exist to serve and protect the public. The public’s “right to know” must be paramount in cases of misconduct. But this does not address the issue of protecting body-camera video.

The focus of the media and elected officials regarding a small number of disturbing law enforcement incidents should not mask the fact that the majority of police interactions with the public are not violent. Police are most often called in when someone needs help — crime or accident victims, people suffering from substance abuse or mental health issues, homeless people in need of shelter. These are the people that law enforcement officers work around the clock to assist.

Jeff Gould (Safegov.org)

When the majority of law enforcement officers wear body cameras — as will soon be the case in the U.S., the U.K. and Canada – these recordings will often display innocent victims in distress. We can agree that these videos should not be published indiscriminately on the Internet — at least not without careful redactions to conceal identities. While evidence of police misconduct must not be withheld, a reasonable policy must also admit that victims and citizens have a fundamental right to privacy.

For this reason, the rapid adoption of police body-worn cameras requires the parallel adoption of a clear policy framework for securing these videos and for deciding how they should be released.

Here’s a look at what can go wrong when sensitive law enforcement data is not adequately protected. Investigations by privacy advocates have recently revealed that many of the automated license plate readers used by police to track stolen vehicles have been made accessible online due to configuration errors. In the worst cases, anyone who knows the URL of these cameras can access their real-time video feeds, the actual license plate numbers and even data about the vehicles’ owner. A situation like this takes place because there are no standards governing license plate readers and how they handle data.

Body-worn camera video needs to be protected by the strongest data standards available. The FBI’s Criminal Justice Information Service (CJIS) Security Policy, developed over many years by the FBI with extensive input from state and local law enforcement agencies, is made for the task. The CJIS Security Policy is designed to ensure that the information that flows from the FBI’s vast national database to local law enforcement agencies is protected from outside hackers and inside leaks.

The FBI’s database includes mug shots, fingerprints, criminal history and other confidential data. The CJIS Security Policy covers not only the technical details of securing this data (e.g., encryption, authentication, hardware security), but also the business practices of the police agencies and IT suppliers who handle it. For example, strict audit trails must be maintained and all who have access to CJIS information must undergo rigorous background checks. Outside vendors handling such data must sign legally binding commitments to comply with the CJIS Security Policy.

The FBI does not own the body-worn video captured by local law enforcement agencies, and therefore cannot mandate how the data is protected. But for state and local agencies, the CJIS Security Policy is the best practice model to adopt for their rapidly expanding body-worn camera programs.

Body-worn cameras are still in the early stages of deployment. In a few short years, we will see hundreds of thousands of cameras in daily use. If we do not adopt strong and rigorous standards to protect the video they produce, it is only a matter of time before damaging leaks and hacks could occur. Anyone who doubts this need should recall the series of recent data breaches that affected federal agencies and Fortune 500 firms alike.

If body-camera video is breached, the trust of the public and elected officials in law enforcement’s ability to manage this powerful new tool will inevitably be shaken. Police chiefs, sheriffs, commissioners, mayors and city councils must ask themselves: What will we say when leaked videos of domestic violence victims or crime scenes are posted on the Internet alongside the name of our department?

If they do not want to face this situation, they must implement the right policy framework for protecting body-worn video and other sensitive law enforcement data, and that is where the CJIS Security Policy is the answer.

Jeff Gould serves as president of SafeGov Inc. He is also CEO and director of research at Peerstone Research, which he co-founded. He has 20 years of experience in technology publishing and IT market research. Reach him at Jeff.Gould@safegov.org.