
Purpose Limitation and Secondary Use Prevention in Large-Scale Video Surveillance Systems

  • Shizra Sultan

Research output: Book/Report, Ph.D. thesis

127 Downloads (Orbit)

Abstract

Large-scale video surveillance systems (VSS) are increasingly seen as the answer to problems concerning public safety, law enforcement, and situational awareness in public places, as VSS has evolved from simple video acquisition and display systems into intelligent automated systems capable of performing complex video analysis tasks. Video cameras are excellent multi-sensors, i.e., many different types of information can be extracted from the same video data, and when this is analyzed together with external data sources such as public information systems it can generate a lot of useful information, some of which may be interpreted as personal. VSS observers are legally, socially, and morally obliged to use any piece of personal information for authorized purposes only; otherwise, it may lead to privacy violations. In order to preserve individuals' privacy in VSS data, various data protection legislation has issued specific guidelines about the installation and operation of VSS whenever it collects or processes any personal data. For instance, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require VSS owners to have a valid legal basis for its deployment. They also require owners to state an explicit purpose for their data usage and to confirm that video data will not be subject to secondary use, i.e., it will only be used for the consented primary purposes.

Most data-protection legislation allows informed individual consent as a legal basis for recording personal data, which reduces legal uncertainty. However, due to the continuous presence of VSS, it is generally not possible to obtain consent from every individual every time a public camera records them. Therefore, VSS deployment often uses 'public interest' as a legal basis for collecting and processing all the recorded data (including personal information), as different public administrative services and authorities use the data (broadly) for multiple purposes like public safety, traffic management, etc. Individuals do not have a right to erasure or data portability under this legal basis, but they do retain a right to object in some cases. Hence, VSS data collected under 'public interest' supports different sorts of purposes that are beneficial for citizens, but individuals also have fewer rights and are often expected to trust observers with their data. However, observers often intentionally or unintentionally reuse personal information (secondary use), either by misunderstanding or exploiting the ambiguous purpose statements or by going beyond their authority to access personal information under 'public interest', causing a high number of privacy invasion incidents of voyeurism, blackmail, profiling, etc. Because of the multitude of personal information that can be obtained from VSS data collected under the legal basis of 'public interest', observers are exposed to a lot of personal information that is irrelevant to their authorized purposes. Moreover, individuals are expected to trust VSS owners to use their data only for the purposes authorized under the supporting legal basis, which, as past incidents show, has often been abused by observers. Therefore, in order to limit secondary use in VSS and preserve privacy, the system needs to enforce a dynamic need-to-know view for observers according to their requirements, reducing their exposure to irrelevant personal information.

This thesis develops an access control model (ACM), and an associated prototype implementation of an access control mechanism, that enforces purpose limitation in a large-scale VSS (or other Big Data information systems and Data Lakes). Our proposed ACM is an RBAC-ABAC hybrid solution designed according to large-scale infrastructure requirements and is called the Attributes Enhanced Role-Based Access Control (AERBAC) model. AERBAC uses RBAC for its dynamic role-assigning simplicity in categorizing different observers and assigning them minimum default permissions per their role, and then utilizes ABAC for evaluating different resource and system properties, thus implementing fine-grained access. We have proposed an extended AERBAC model that ensures purpose limitation in large-scale systems by verifying the resource's 'collection purpose' against the observer's 'access purpose' to control the exposure of personal information. The implemented solution enforces the need-to-know principle in large-scale video surveillance systems by allowing observers access to essential personal information based on their authorized requirements and limiting avoidable exposure to irrelevant personal information.
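The abstract describes a three-stage decision: RBAC assigns minimum default permissions per role, a purpose check verifies the observer's 'access purpose' against the resource's 'collection purpose', and ABAC evaluates resource and observer attributes. The following is an added illustration of that decision order in Python; it is not the thesis's AERBAC prototype, and the roles, purposes, purpose hierarchy, attribute rules and camera data are all constructed for the example.

```python
"""Toy purpose-limitation check in the spirit of an RBAC/ABAC hybrid.

Added example, not the thesis's code. Everything below (roles, purpose
names, attribute rules, sample cameras and observers) is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass
class Resource:
    resource_id: str
    collection_purposes: FrozenSet[str]   # purposes the footage was lawfully collected for
    attributes: Dict[str, object]         # ABAC inputs, e.g. zone, sensitivity


@dataclass
class Observer:
    user_id: str
    role: str
    access_purpose: str                   # purpose declared for this request
    attributes: Dict[str, object]         # ABAC inputs, e.g. assigned zones, case id


# RBAC part: minimum default permissions per role (constructed).
ROLE_PERMISSIONS = {
    "traffic_operator": {"view_live", "view_counts"},
    "police_investigator": {"view_live", "view_recorded", "export_clip"},
    "auditor": {"view_access_log"},
}

# Purpose hierarchy (constructed): a narrower access purpose is covered by
# the broader collection purpose it refines.
PURPOSE_PARENTS = {
    "traffic_flow_monitoring": "traffic_management",
    "incident_investigation": "public_safety",
}


def purpose_compatible(access_purpose: str, collection_purposes: FrozenSet[str]) -> bool:
    """Walk up the purpose hierarchy until a collection purpose is hit."""
    purpose = access_purpose
    while purpose is not None:
        if purpose in collection_purposes:
            return True
        purpose = PURPOSE_PARENTS.get(purpose)
    return False


def attributes_allow(observer: Observer, resource: Resource, permission: str) -> Tuple[bool, str]:
    """ABAC part: fine-grained rules over observer and resource attributes (constructed)."""
    if permission == "export_clip" and not observer.attributes.get("case_id"):
        return False, "export requires an open case id"
    if resource.attributes.get("sensitivity") == "high" and observer.attributes.get("clearance", 0) < 2:
        return False, "insufficient clearance for high-sensitivity footage"
    if permission in ("view_recorded", "export_clip") and \
            resource.attributes.get("zone") not in observer.attributes.get("zones", ()):
        return False, "resource lies outside the observer's assigned zones"
    return True, "attribute checks passed"


def decide(observer: Observer, resource: Resource, permission: str) -> Tuple[bool, str]:
    """Deny unless role default, purpose compatibility and attribute rules all pass."""
    if permission not in ROLE_PERMISSIONS.get(observer.role, set()):
        return False, f"role {observer.role!r} has no default permission {permission!r}"
    if not purpose_compatible(observer.access_purpose, resource.collection_purposes):
        return False, (f"access purpose {observer.access_purpose!r} not covered by "
                       f"collection purposes {sorted(resource.collection_purposes)}")
    return attributes_allow(observer, resource, permission)


# Constructed sample data.
RING_ROAD_CAM = Resource("cam-17", frozenset({"traffic_management", "public_safety"}),
                         {"zone": "ring-road", "sensitivity": "normal"})
STATION_CAM = Resource("cam-42", frozenset({"public_safety"}),
                       {"zone": "station", "sensitivity": "high"})

TRAFFIC_OP = Observer("u1", "traffic_operator", "traffic_flow_monitoring",
                      {"zones": ("ring-road",)})
INVESTIGATOR = Observer("u2", "police_investigator", "incident_investigation",
                        {"zones": ("station",), "case_id": "CASE-0001", "clearance": 2})


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the constructed requests through the decision function."""
    return {
        "traffic_op_live_ring_road": decide(TRAFFIC_OP, RING_ROAD_CAM, "view_live"),
        "traffic_op_live_station": decide(TRAFFIC_OP, STATION_CAM, "view_live"),       # purpose mismatch
        "traffic_op_export": decide(TRAFFIC_OP, RING_ROAD_CAM, "export_clip"),          # no role default
        "investigator_export_station": decide(INVESTIGATOR, STATION_CAM, "export_clip"),
        "investigator_export_ring_road": decide(INVESTIGATOR, RING_ROAD_CAM, "export_clip"),  # wrong zone
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The order matters for the need-to-know view the abstract calls for: the purpose check runs before any attribute evaluation, so a traffic operator's live view of a camera collected only for public safety is refused on purpose grounds even though the role itself holds the `view_live` permission.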
Original language: English
Publisher: Technical University of Denmark
Number of pages: 155
Publication status: Published - 2022

Project: Context-Aware Access Control (PhD)

Sultan, S. (PhD Student), Lam, K. Y. (Examiner), Dragoni, N. (Examiner), Jensen, C. D. (Main Supervisor), Meng, W. (Supervisor) & Schürmann, C. (Examiner)

Technical University of Denmark

01/02/2018 to 03/08/2022
