Is Information Security (INFOSEC) Important to Your UAS Program? (it should be)

June, 2018

Last week I gave a seminar on various aspects of UAS in Public Safety, and a component of that discussion was information security/infosec. During the presentation, one officer from a California beach community, shrugging his shoulders, explained their use of a popular brand of drone that shares information with and without the Department’s knowledge, and commented that as a law enforcement officer, “neither me nor my agency care”.

I explained why he and his agency should care, and it had me wondering how many other agencies have this same cavalier attitude towards infosec in the public sector.

Amongst other concerns, agencies of similar thought should be considering at least two critical issues.

– Chain of Custody. Imagine going into a courtroom with video evidence and learning that the same evidence is located on a server (likely overseas) where it can be edited, retimed, or otherwise manipulated without either the officer or the agency being aware of the compromise. If nothing else, a defense attorney would have no problem generating doubts regarding the veracity of the video file.

– Citizen privacy. The officer in the room seemed to not think it might matter to the hundreds of celebrities and thousands of citizens in a small, wealthy beach town on the California coast, if their residential information is suddenly public.

The Fourth Amendment plays a significant role; agencies are generally required to obtain a warrant prior to initiating surveillance. Citizens have a reasonable expectation of privacy in and around their homes (for example, inside fenced areas not visible from public areas).

This concern extends to processing SaaS as well. Any information collected for purposes of evidence is tightly controlled through applications such as Axon’s. Cloud-based analytics processing, non-CJIS compliant cloud storage, and similar all generate risks to chain of custody and overall data security. One such system offers outstanding command and control of UAS and evidence capture. Unfortunately, it not only requires the use of a single brand of UAS (allowing evidence to be shared outside the UAS ecosystem), it also lacks digital fingerprinting to track any individual or organization that may access the stored files.

Agencies should be looking at data analytics software that has the option to process locally as well as in the cloud. Tools such as Pix4D, for example, allow officers or investigators to upload to the cloud or limit the data to a localized computer for processing. Be wary of any post-flight processing software that does not have significant security in place, or cannot be operated on a local computing system.

Consulting and training organizations such as Sundance Media Group are able to assist agencies in navigating these pathways to ensure a compliant and controlled ecosystem for UAS operation and information security.
