North Carolina Law Review Symposium Privacy and Cybersecurity Lessons at the Intersection of the Internet of Things and Police Body Worn Cameras Peter Swire & Jesse Woo North Carolina Law Review Symposium November 3, 2017

This paper Why Body Worn Cameras (BWCs) are part of the Internet of Things (IoT) Lessons from the IoT for privacy and cybersecurity, for BWCs Lessons from BWCs for privacy and cybersecurity, for the IoT

Background of the Authors Peter Swire: Now professor of Law and Ethics in Scheller College of Business Jesse Woo: Research faculty at GT “Smart Cities Pose Privacy Risks and Other Problems, But That Doesn't Mean We Shouldn't Build Them,” 85 UMKC L. Rev. 953 (2017)

I. BWCs as IoT Definition of IoT: A sensor Connected to the Internet Data stored remotely, typically in the cloud Our claim: for purposes of identifying and mitigating privacy and cybersecurity issues, BWCs are an example of the IoT No previous literature on this (but, Adam Thierer)

BWCs as IoT “Sensor”: a camera, yes ”Data stored remotely, typically in cloud” Storage of the video footage is remote, not on the camera itself Storage may be in the cloud, or else database maintained separately by police department If stored separately, then often greater security risks, unless police department is unusually skilled at cybersecurity “Connected to the Internet” Depends on configuration If it is, then have the worry about remote attacks on the BWCs and their software If not, then those specific risks do not apply, but the rest of the lifecycle of protecting data is the same

II. Lessons from IoT for BWCs Large and growing literature on IoT cybersecurity and privacy IoT is becoming enormous, $1 trillion/year in coming years Numerous types of IoT have similarities to BWCs: smart cities, gunshot locators, fixed video surveillance, many more Emergence of standards for good cybersecurity and privacy How to use the IoT literature to help BWCs? Cities and police departments face challenges in discovering good practices If they discover good practices, in politically fraught settings, helpful to have neutral/authoritative set of practices If practices are not yet good, then basis for critiquing and improving practices

Sources on IoT Broadband Internet Technology Advisory Group, IoT Security and Privacy Recommendations (2016) Microsoft Azure, Internet of Things Security Best Practices (2017) Federal Trade Commission Internet of Things: Privacy and Security in a Connected World (2015) Other privacy and security reports and enforcement actions Privacy by design/privacy-enhancing technologies

Some themes from the IoT literature Well-known organizing principles for cybersecurity and privacy: Life cycle of data – collection, storage, use, dissemination, destruction Technical, physical, and administrative measures CIA: Confidentiality, integrity, and availability “Integrity” – preserve evidentiary integrity Secondary use: Primary use (collect as evidence in a particular case) Secondary uses – when is it lawful/appropriate to use for other purposes Biometrics example from this morning

Conclusions on Part II IoT: have well developed approaches for hardware, software, and system protections for IoT Rich literature and experience on numerous issues BWC systems and policy debates can draw on these approaches

III. Possible lessons from BWCs for IoT Always on Transparency Jesse Woo

“Always on” Existing IoT standards usually assume the device is “always on” For BWCs, that will not be true Bathroom breaks Sitting in car Others This could become a checklist item for IoT security and privacy Technical issues – set default on/off; mechanism for switching between on/off Administrative issues – how to develop on/off policy and create compliance Privacy design principle of “minimization” can lead to “sometimes off”

Transparency Transparency an enormous issue for BWC Complex First Amendment, privacy, accountability, and other issues IoT best practices have not addressed transparency at this level of detail Great majority of IoT deployment done by the private sector, with minimal FOIA or First Amendment issues Much discussion in the symposium on proper approach to transparency When must the camera be on Who should get access

Transparency Conclusion for IoT: rich BWC discussion on transparency can inform the broad IoT literature Suggestion for BWC community: Study the decade-long conferences on “Privacy and Public Access to Court Records” from William & Mary’s Center for Legal and Court Technology Huge tradition of public access to court records Huge privacy issues when juvenile, financial, and other records available on the Internet

Conclusion Link BWC discussions to the broader IoT literature Can move the BWC community up the learning curve from the larger IoT discussions Can inform the IoT community of under-appreciated issues such as “always on” and transparency