This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement n° 720417

D1.3 - Privacy, ethical and legal constraints
WP number and title: WP1 – Project Management
Lead Beneficiary: CERTH
Contributor(s): ENG, ADM
Deliverable type: Report
Planned delivery date: 30/06/2017
Last Update: 24/07/2017
Dissemination level: PU
SURVANT Project, H2020-FTI-Pilot-2015-1 – Fast Track to Innovation
Grant Agreement n°: 720417
Start date of project: 1 January 2017
Duration: 24 months
This document contains material which is the copyright of certain SURVANT contractors, and may not be reproduced or copied without permission. All SURVANT consortium partners have agreed to the full publication of this document. The commercial use of any information contained in this document may require a license from the proprietor of that information.
Analysis and monitoring of Privacy, Ethical and Legal (LEP) constraints in SURVANT will be conducted within Task 1.3. The task’s primary objective consists of two complementary parts: first, ensuring that R&D activities within the project will be compliant with the respective laws and ethical practices; second, supporting system development so that the SURVANT system does not generate ethically unwanted effects, is respectful of human rights, and complies with the applicable legislation. It must be noted that, since SURVANT is the follow-up of the research project ADVISE², the intention of the analyses within T1.3 is to build upon the ethical/legal work done within ADVISE.
The scope of the analyses within T1.3 is the SURVANT project and system and its context. For example, regarding data collection, since the SURVANT system is envisioned not as a video (data) collection tool but as a video analysis toolset, all ethical/legal obligations related to the data capturing phase of the data lifetime lie primarily with the initial owner/creator of the data.
The initial stage of the analysis was the preparation of an overview of ethical issues related to video surveillance as well as the applicable legal frameworks (international and European). At the heart of the ethical analysis lie the concepts of privacy and data protection, which are analysed. Similarly, international and European legal frameworks for the protection of privacy and personal data are presented and analysed. A significant aspect of the SURVANT project is that it will be running in parallel with the fundamental change of the EU regulatory and legal framework which is currently taking place. The new Regulation (EU) 2016/679 shall apply from 25 May 2018, while the new Directive (EU) 2016/680 has to be transposed into the national law of the EU Member States by 6 May 2018 (M17 out of 24 of the project). As a consequence, the SURVANT project will partly run with the previous EU privacy/data protection framework in force (up to M17) and partly with the new EU privacy/data protection framework in force (after M17).
A significant part of the present document and of the effort within T1.3 is devoted to identifying and describing the key differences between SURVANT and ADVISE that are considered to affect LEP aspects. The differences are presented in this document separated into differences in what the system will be required to do and differences in how the system will do what is required.
Finally, besides providing an overview of the LEP principles that are relevant in the context of SURVANT and supporting the development of an ethically and legally compliant system, the T1.3 team is also tasked with monitoring R&D activities with regard to LEP compliance. Therefore, we want to make sure that data processing conducted within SURVANT will be respectful of any personal data that might be included in the project datasets. To this end, a detailed discussion regarding the project datasets is presented in this document.
The task’s primary objective consists of two complementary parts. First, ensuring that research and development activities within the project (mainly management¹ of datasets) will be compliant with the respective National and European laws, and with best ethical practices and rules/standards. Second, supporting the project consortium in developing a technical prototype, i.e. the SURVANT system, that does not generate ethically unwanted personal or social effects, is respectful of human rights (particularly the right to privacy and data protection), and complies with the applicable National and European legislation.
The analyses will, on the one hand, monitor research and development activities within the project with regard to the respective laws and best ethical practices, and on the other hand, identify any legal requirements applicable to the technical system and architecture itself and monitor their implementation.
In Section 2 of this deliverable we provide an overview of privacy, legal and ethical rules and principles that are relevant in the context of the SURVANT project. We define the scope of our analysis, and present international as well as European frameworks and best practices. Section 3 provides a high-level capture of the key differences between SURVANT and ADVISE that are considered to affect LEP aspects. Section 4 deals with ethical, legal and privacy monitoring of research and development activities, focusing on the management of the datasets that are planned to be used in the project. Finally, the document concludes with Section 5.
¹ The term ‘management’ is used here in a sense that covers the whole dataset lifetime, from inception to creation/discovery and to long-term storage or proper destruction.
² Advanced Video Surveillance archives search Engine for security applications (ADVISE, GA 285024), co-financed by the EU in the FP7 Work programme in the SEC-2011 call. For more details please refer to: http://cordis.europa.eu/project/rcn/102502_en.html.
SURVANT aims to deliver an innovative system that will collect relevant (i.e. surveillance) videos from heterogeneous repositories, extract video analytics, enrich the analytics using reasoning and inference technologies, and offer a unified search interface to the user. The SURVANT system functionality will be primarily adjusted for Law Enforcement Agencies (LEAs), critical infrastructure operators and private security organizations, but the project will also try to adjust the system to other users that share common needs.
Current procedures for performing investigations in video archives are cumbersome and time consuming. The investigator has either to collect all the relevant video footage in one place or to identify the videos one by one and access them in a dedicated interface. In multi-camera environments, the investigator is usually forced to identify the exact camera location and viewing angle utilizing separate resources, limiting the overall situational awareness.
Existing video surveillance management systems focus on real-time operations, disregarding the challenges of video archive search. Their provision to assist investigators during search is limited to thumbnail extraction to speed up the detection of relevant segments, visualization of the location of the viewed camera, and creation of custom playlists to assist investigation.
SURVANT aims to provide a unified interface for advanced, content-based search capabilities, evidence mining and smart investigation assistance functionalities within collections of multiple video archives. The SURVANT system is envisioned not as a video (data) collection tool but as a video analysis toolset, especially efficient for very large volumes of video data coming from heterogeneous sources (i.e. cameras or surveillance systems of different specifications and technologies).
Therefore, all ethical/legal obligations related to the data capturing phase of the data lifetime lie primarily with the initial owner/creator of the data (e.g. lawful surveillance, notification of bypassers etc.). Of course, the SURVANT system will subsequently be processing³ these enormous amounts of videos and must therefore comply with all legal and ethical rules that have to do with the processing of such data (which might also include personal⁴ or even sensitive⁵ data).
2.1.2 Data Analysis
2.1.2.1 Automated Analyses
The SURVANT system will perform video (and image) analysis employing Deep Learning (DL) techniques such as Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN), used to analyse static and motion content respectively. Inter-camera tracking and re-identification (of detected content) will be at the core of attention. An optimal balance between speed and accuracy will be pursued. DL systems have already been successfully deployed in applications such as object classification, object detection and tracking, activity recognition and modelling etc. They are already deployed in commercial applications, enabling new functionalities due to impressive performance. Especially regarding indexing of the content (video and images), SURVANT will use advanced multimedia indexing tools (e.g. such as those developed by the EU-FP7 LASIE project⁶) that will be leveraged and validated for larger scale deployments.
The SURVANT system will also apply event enrichment and reasoning. It will deliver an inference framework able to combine low-level information and semantic annotations to enable automated reasoning mechanisms to discover high-level events and/or investigative hypotheses. Specifically, SURVANT will evolve the OWL tableau reasoning framework developed in ADVISE, based on a SWRL (Semantic Web Rule Language) approach, applying the event calculus formalism in order to allow the event reconstruction in a narrative way, taking into account spatial-temporal coordinates useful to track the crime and predict its evolution in time and space. OWL reasoning parallelization using concurrent computation of inherently independent proof steps will be utilized to optimize performance and ensure the scalability of the system.
³ According to the [General Data Protection Regulation]: “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
⁴ According to the [General Data Protection Regulation]: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
⁵ In general, EU legislation identifies special categories of personal data that are subject to additional protections, i.e. ‘sensitive (personal) data’. According to [Directive 95/46/EC]: “‘sensitive (personal) data’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.” According to the [General Data Protection Regulation]: “‘sensitive (personal) data’ are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).”
⁶ Large Scale Information Exploitation of Forensic Data (LASIE), EU FP7 IP, http://www.lasie-project.eu/.
2.1.2.2 Non-automated Analyses
Finally, in contrast to the above automated analyses, the SURVANT system will also leverage human intervention (human-in-the-loop) capabilities – such as a GIS-based GUI allowing the user to execute targeted queries, advanced relevance feedback tools, etc. – and augment them with a more user-friendly multimodal interface and more advanced reasoning capabilities. Topology-driven reasoning will have a key role in learning from the trajectory of temporal events (the geographic positions of the retrieved events) and providing recommendations to the user.
2.1.3 Validation
The SURVANT system will be validated through live prototype demonstrations (pilot tests) in an LEA operational environment.
A concise but complete list of key ethical issues related to video surveillance has been provided in Deliverable 2.2 ‘Report of relevant legal and normative standards and their evolution’ of the ADVISE project [ADVISE D2.2]:
• Privacy and the person. The primary ethical issue invoked by surveillance activities in general is that of privacy. Privacy in ethical terms invokes the notion that there is a sacrosanct “person” at the core of any and every object of human surveillance. This person is different from the information about the person gathered through surveillance and cannot be reduced to the surveillance data.
• Sub-categories of privacy (e.g. privacy of the body, of personal behaviour, of communication, of personal data etc.) are the subject of ethical debate and no definitive categorisation exists.
• Data protection – from an ethics point of view – concerns the means available to safeguard privacy and invokes several issues such as: the actual data that is collected and stored, storage conditions, duration of storage, metadata, informed consent (or, in other words, authorisation by the subject whose data is being processed for the processing of the data), risk assessment (of the possibilities and consequences of data theft, disclosure etc.), (DPA) notification requirements as per national or European law, dual use (i.e. unintended secondary use) of the data, and proportionality as the governing principle indicating that only data necessary to the end envisaged should be collected and not more.
It is worth noting that guarantees of privacy are central tenets of the European Charter for Fundamental Rights [CFR]⁷ and emerge from a deontological⁸ approach to ethics that places the interests and rights of the individual at the forefront. The European Commission has taken steps to safeguard and attempt to guarantee personal privacy. This is evidenced by the new General Data Protection Regulation (GDPR)
⁷ E.g. the Charter of Fundamental Rights of the European Union enshrines certain political, social, and economic rights for European Union (EU) citizens and residents into EU law.
⁸ Deontology (also referred to as Kantian ethics) is based on moral beliefs and values and the obligations of the individual towards others. It is often used in contrast to Teleology, i.e. results-oriented ethics that determines an action to be ethically sound if its results produce benefits and happiness for others.
Hence, privacy and data protection are not equivalents. There is a substantive difference between the two. On the one hand, privacy is broader than data protection; the latter is just a tool to protect the former. On the other hand, while both fundamental rights – to privacy and to data protection – participate in the protection of the political private sphere, this is done in separate ways; privacy sets prohibitive limits that shield the individual against public authorities and other powers (warranting a certain level of opacity of the citizen), whilst data protection channels legitimate use of power (imposing a certain level of transparency and accountability). [PRESCIENT D1]
At the international level, the right to privacy is protected by Art 12 of the Universal Declaration of Human Rights (1948) [UDHR], which is however non-binding. Art 17 of the International Covenant on Civil and Political Rights (1966) [ICCPR], i.e. a binding international human rights instrument, offers protection of privacy. In 1980, the Organisation for Economic Cooperation and Development (OECD) issued (and revised in 2013) the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (non-binding) [OECD Privacy].
• The first one, i.e. the Council of Europe (CoE), is based on Art 8 of the European Convention on Human Rights (ECHR) [ECHR]. The ECHR establishes the European Court of Human Rights (ECtHR) in Strasbourg. While the ECHR itself is silent about protection of personal data, the Court has developed it from the right to privacy.
• The second one, i.e. the European Union, is based on Art 7 CFR. However, the scope of the CFR is limited to “the institutions, bodies, offices and agencies of the Union with due regard for the principle of subsidiarity and to the Member States only when they are implementing Union law” (Art 52(1) CFR).
• For the first system, i.e. the Council of Europe (CoE), there is the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (No 108) with an additional protocol regarding supervisory authorities and transborder data flows (No 181).
• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (known simply as the 1995 Data Protection Directive or Directive 95/46/EC).
• Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
• Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
• Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (i.e. laying down data protection rules applicable only to the EU institutions and bodies).
2.3.2.1 EU data protection framework
The core instrument for data protection in the European Union is the well-known 1995 Data Protection Directive. Directive 95/46/EC sets up a three-level system for the protection of personal data. The first level is the general one that applies to any processing of personal data. The second level, which needs to be applied on top of the first level, is applicable when sensitive data are being processed. The third level is applicable when personal data are being transferred to third countries, i.e. outside the European Union/European Economic Area.
This Directive does not apply to the processing of personal data in the course of an activity which falls outside the scope of (former) Community law, or by a natural person in the course of a purely personal or household activity.
As a directive is an EU legal instrument that is not directly applicable in the Member States, each of them needed to implement it in their legal systems. Therefore, we have at least 27 national laws governing data protection in the EU.
In January 2012, the European Commission put forward an EU Data Protection Reform aiming “to make Europe fit for the digital age”.
On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament's Civil Liberties committee and the Permanent Representatives Committee (Coreper) of the Council then approved the agreements with very large majorities. The agreements were also welcomed by the European Council of 17-18 December as a major step forward in the implementation of the Digital Single Market Strategy.
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). – http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG
• Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. – http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0089.01.ENG
Figure 1: EU data protection reform timeline.
While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The enforcement date of the GDPR is 25 May 2018, at which time those organizations in non-compliance will face heavy fines.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies. Key changes related to the SURVANT project can be found below:
• Increased Territorial Scope (extra-territorial applicability). Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
• Penalties. Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
• Right to Access. Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
• Right to be Forgotten. Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
• Privacy by Design. Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition. The ADVISE and SURVANT projects had Privacy by Design at their core from the very beginning.
• Data Protection Officers. Currently, controllers are required to notify their data processing activities to local DPAs, which, for multinationals, can be a bureaucratic nightmare, with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications/registrations of data processing activities to each local DPA, nor will it be a requirement to notify/obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record keeping requirements, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences. Importantly, the DPO:
  o Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
  o May be a staff member or an external service provider
  o Contact details must be provided to the relevant DPA
  o Must be provided with appropriate resources to carry out their tasks and maintain their
Several tools and methodologies exist that can be used either for ensuring privacy/personal data protection or for monitoring the impact of a system with regard to legal, ethical and privacy principles.
2.4.1 Privacy by design
Privacy by design (PbD) is a concept developed and subsequently promoted by Dr Ann Cavoukian, the Information and Privacy Commissioner of Ontario, in the 1990s, to address the ever-growing and systemic effects of information and communication technologies (ICT), and of large-scale networked data systems. Davies observed that the emergence of privacy by design presents a substantial opportunity to raise the bar on privacy protection and to reduce the extent of surveillance of people’s data and transactions. Privacy by design advances the view that the future of privacy cannot be assured solely by compliance with regulatory
Privacy Enhancing Technologies (PETs) are technologies that are designed to support privacy and data protection. The objective of PETs is to protect personal data and to assure the users of technology that their information is confidential and that management of data protection is a priority for the organizations who hold responsibility for any personally identifiable information (PII). PETs address, among others, the principles of data minimisation, anonymisation and pseudonymisation. Examples of PETs are communication anonymizers, encryption tools, cookie-cutters, etc.
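As an added illustration of two of the PET principles named above, data minimisation and pseudonymisation, the following Python example (not SURVANT project code) strips a constructed video-analytics metadata record down to the fields needed for the purpose and replaces direct identifiers by keyed pseudonyms. The field names, the sample record and the choice of HMAC-SHA256 are assumptions made for this example; the point it demonstrates is that a keyed pseudonym stays linkable within one dataset while the key, held separately, is what would be needed to reverse or to brute-force the mapping.

```python
"""Added example: data minimisation + keyed pseudonymisation of a metadata
record.  Not SURVANT code; field names and the sample record are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


def new_pseudonymisation_key() -> bytes:
    # The key is the "additional information" that pseudonymisation keeps apart
    # from the data set: without it the pseudonym cannot be mapped back.
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 96 bits).

    Equal identifiers give equal tokens, so records can still be linked inside
    one dataset.  Unlike a plain unkeyed hash, an attacker who guesses
    plausible identifiers (plates, track ids) cannot confirm a guess without
    the key.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).digest()
    return digest[:12].hex()


def minimise_record(record: Dict[str, object], key: bytes,
                    keep: Iterable[str],
                    pseudonymise_fields: Iterable[str]) -> Dict[str, object]:
    """Keep only the fields listed in `keep`, replace the fields listed in
    `pseudonymise_fields` by pseudonyms, and drop everything else (free-text
    notes included) so that no unlisted field can leak personal data."""
    out: Dict[str, object] = {}
    for name in keep:
        if name in record:
            out[name] = record[name]
    for name in pseudonymise_fields:
        if name in record:
            out[name + "_pseudonym"] = pseudonymise(str(record[name]), key)
    return out


# Constructed sample record (assumed field names, not a real data format)
SAMPLE_RECORD: Dict[str, object] = {
    "camera_id": "cam-07",
    "timestamp": "2017-06-30T10:15:00Z",
    "event": "loitering",
    "licence_plate": "AB-123-CD",
    "face_track_id": "track-4481",
    "operator_note": "free text that may name a person",
}

KEEP = ("camera_id", "timestamp", "event")
PSEUDONYMISE = ("licence_plate", "face_track_id")


def demo(key: Optional[bytes] = None) -> Dict[str, object]:
    """Run the minimisation over the sample record with the given (or a fresh) key."""
    key = key if key is not None else new_pseudonymisation_key()
    return minimise_record(SAMPLE_RECORD, key, KEEP, PSEUDONYMISE)


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

The output record carries no plate, no track id and no operator note; a second run with a different key yields different pseudonyms, which is why the key must be stored and access-controlled separately from the minimised dataset.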
3 Key differences between SURVANT and ADVISE affecting LEP aspects
This chapter provides a high-level capture of the key differences between SURVANT and ADVISE that are considered to affect LEP aspects. The differences are separated into differences in requirements (user, system etc.), or in other words differences in what the system will be required to do, and purely technical differences (e.g. architectural differences or differences in specific modules), or in other words differences in how the system will do what is required.
3.1 Differences in requirements
3.1.1 Use Cases
Commercially focused use cases have been de-prioritized in SURVANT. ADVISE tackled three use cases of criminal activity on commercial premises – vandalism of company property (graffiti, fuel theft and car vandalism in car parks). In SURVANT we recognise that criminal incidents on commercial premises are just particular scenarios of use cases observed in the community. The same use cases are valid for street surveillance, but here the circumstances are generally more challenging, with a larger diversity of cameras and busier scenes. Tackling the more challenging scenarios that occur in uncontrolled environments promises to deliver a more robust platform that offers increased reusability across street and commercial surveillance.
We have learned that investigators routinely request surveillance footage that encompasses bigger spatial and temporal areas than the actual time and place of the reported incident. Investigators are not only interested in the actual scene of the crime but also in activities in the surrounding area in the times immediately preceding and following the incident. The reasons for this include:
• Construction of an incident timeline which captures the geographical and temporal path of the victim and/or suspect(s)
ADVISE works under the principle that an investigator identifies a time and area and then it analyses this entire area and time period for evidence of a particular event. Not only does this result in needless analysis of footage for event detection (e.g. looking for evidence of pickpocketing in block B when we know it occurred in block A), but it also increases the amount of information clutter presented to the end user.
In SURVANT we recognise the investigator’s dual intent of firstly analysing a specific incident area where the crime occurred and secondly, analysing a surrounding time and area for the presence of particular
ADVISE worked under the principle that each camera is attached to a single repository. Multiple cameras may be attached to the same repository. When investigators include a camera in an investigation they specify a time period and ADVISE would then query the associated camera repository for that subset of footage. In discussions with the end user we discovered that repositories are actually assembled per investigation. The base repository to which street surveillance cameras are connected is strictly controlled by an official video controller within the LEA organisation. Access to subsets of footage within this repository is only given to investigators upon presentation of official authorization by a high-ranking LEA officer. In effect, investigators are given smaller bespoke repositories which are extracted from the main repository. A similar principle applies to commercial surveillance footage – subsets of footage are extracted by commercial organisations and handed over to investigators upon official request. We observed, therefore, that the data available to SURVANT is dispersed across a large and dynamic collection of small independent repositories rather than concentrated in a small number of large integrated repositories.
We can see the same pattern with mobile phones and other portable video devices, where captured footage does not all exist in a single repository but is instead downloaded and managed in small individual repositories.
A new model of repository management is proposed for SURVANT in which bespoke repositories are identified and attached to an investigation. This model has the benefit of preventing data leakage between investigations, as access is limited to the data explicitly attached to a given investigation.
ADVISE was based on the premise that there was an explicit criminal incident, but there are cases where surveillance footage needs to be analysed based on a particular physical location (to observe who visits a certain building, for example) or the last sighting of a particular person (an elderly person with Alzheimer’s, for example).
3.1.5 Anonymization as optional
In ADVISE, anonymization of surveillance footage was an integral part of the processing pipeline. Discussions with investigators revealed that this is unnecessary (and often unwelcome). SURVANT will make the anonymization step optional – a configuration setting that can be enabled or disabled by the SURVANT platform administrator.
3.2 Technicaldifferences
3.2.1 DifferencesinArchitecture
SURVANT’smainpurposeistodevelopasystemthatwillbereadyforthemarketusingasastartingpointthesystemdeveloped in theEUFP7projectADVISE. Itsarchitecture isbasedontheADVISEarchitecturebut it integrates some essential changes that will render the system ready for use in a real-world
The main difference between the two projects is about the software design. While ADVISE follows amonolithicdesign,SURVANTisbeingdevelopedasamicro-servicemulti-containerapplication.Amonolithisasoftwareshippedasasinglebigblockanditspartsshowahighdegreeofcoupling,whichmeansthatthey havemany dependencies among themselveswith the disadvantage that if the developerswant toapply any modification to the platform they have to build and redeploy the whole software. On thecontrary,micro-servicesarelowincouplingandhighincohesion:theyareself-containedcomponentswithzero or very low dependencies among them, devised to meet per-business requirements. The mainadvantagesofthisarchitecturearesummarizedhere:
l Self-containedmodulesarepronetoreusability.
l Thewholesystemismorerobustbecausethelackofdependenciesbetweenmodulesimpliesthatthefailureofoneofthemdoesn’taffecttheintegrityoftheothers.
l Micro-servicescanbescaledeasily(theyareactuallymadeforbeingscaledout),scalingamonolithicapplicationcanbeapainfulchallenge.
l Oncetheinterfaceamongmicro-serviceshasbeendecided,micro-servicescanbeimplementedusingdifferenttechnologiesinsteadofadoptingauniqueframeworkforthewholeapplicationlikehappensinmonolithicapplications.
Analysingthediagramsfromthetop,thefirstdifferencecanbefound inthe implementationoftheuserinterface logical blocks. While ADVISE has a “legacy” user interface design, SURVANT inherits thecharacteristics of the Backend-For-Frontend (BFF) architectural paradigm that helps to tailor a backendsystemforend-user interfaces,enhancingtheuserexperience(theGateway)onmultipledevicessuchasmobileandwebclients.This choicehasbeenmade toallow frontenddevelopers to focuson their taskswithouthavingtotakeintoaccountotherself-containedpartsofthesystem.Moreover,thetechnologicalsolutionsemployeddon’taffectothercorrespondingBFFs(ifpresent).
Moving to the service layer, eachworking service such as theGIS and theVideoAnalysis is going to bedecoupled, improved and containerized according to the micro-service specification, earning all theadvantages described above. SURVANT will use Docker containers to host each micro-service to takeadvantage of their flexibility, expandability and the easy management they offer. This choice allows toeasilydeploy theSURVANTsystem inclient infrastructurewithouthaving toworryabout systemspecificproblemsanddependencies.Moreover,itallowsthedeploymentofmultipleinstancesofthesameservicestoimprovesystemperformanceinthesameorevenremoteinfrastructure,assuringsystemexpandability.
Another significant evolution consists in the fragmentation of the responsibilities of the Content accessnegotiator across all themicro-services. Thismeans that the systemdoesn’t have a centralized requestsnegotiator anymore, but each module implements independently the access to its own entities, inaccordancetothekindofuser,therole,thepermissionsandtheaccesslevel.Lastbutnotleast,theoverallsecurityinSURVANTisfinelytunedbecauseitimplementsthefollowingadditionalcomponents:
• User Authentication Authority Server: manages the authentication and authorization of the users on the portal.
• Micro-services Access Control List: manages the authorization of the gateway with respect to each registered micro-service.
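The two-layer scheme described above (a gateway-side list of registered micro-services, plus each micro-service deciding access to its own entities from the user's role and access level) can be illustrated with a small model. The following is an added example, not SURVANT project code; the service names "gis" and "video-analysis", the gateway ids "web-bff" and "mobile-bff", the roles, the access levels and the entities are all hypothetical and constructed inline. The point it demonstrates is that, once the central negotiator is gone, both layers must deny by default: a gateway may only reach services it has been granted, and a service refuses an entity whenever the role is not allowed, the access level is too low, or the entity does not exist.

```python
"""Added example (not SURVANT code): decentralised access control with a
gateway ACL and per-micro-service entity checks. All names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    role: str           # hypothetical roles: "investigator", "analyst"
    access_level: int   # higher level = more sensitive entities visible


@dataclass(frozen=True)
class Entity:
    entity_id: str
    allowed_roles: FrozenSet[str]
    min_access_level: int
    payload: str


class GatewayACL:
    """Gateway-side list: which micro-services are registered and which
    gateway (BFF) may call each one. Unregistered services are never callable."""

    def __init__(self) -> None:
        self._registered: Set[str] = set()
        self._grants: Dict[str, Set[str]] = {}

    def register_service(self, service: str) -> None:
        self._registered.add(service)

    def grant(self, gateway: str, service: str) -> None:
        if service not in self._registered:
            raise KeyError(f"{service} is not a registered micro-service")
        self._grants.setdefault(gateway, set()).add(service)

    def may_call(self, gateway: str, service: str) -> bool:
        return service in self._registered and service in self._grants.get(gateway, set())


class MicroService:
    """Each service enforces access to its own entities (no central negotiator).
    Deny by default: unknown entity, disallowed role or insufficient level all refuse."""

    def __init__(self, name: str, entities: Dict[str, Entity]) -> None:
        self.name = name
        self._entities = entities

    def access(self, user: User, entity_id: str) -> Tuple[Optional[Entity], str]:
        entity = self._entities.get(entity_id)
        if entity is None:
            return None, "not-found"
        if user.role not in entity.allowed_roles:
            return None, "role-denied"
        if user.access_level < entity.min_access_level:
            return None, "level-denied"
        return entity, "ok"


def route(acl: GatewayACL, services: Dict[str, MicroService], gateway: str,
          service: str, user: User, entity_id: str) -> Tuple[Optional[Entity], str]:
    """Gateway layer first (also covers services not registered at all),
    then the micro-service's own decision on the entity."""
    if not acl.may_call(gateway, service):
        return None, "gateway-denied"
    return services[service].access(user, entity_id)


def build_demo() -> Tuple[GatewayACL, Dict[str, MicroService]]:
    """Constructed sample deployment: two services, two gateways."""
    both = frozenset({"investigator", "analyst"})
    gis = MicroService("gis", {
        "cam-7": Entity("cam-7", both, 1, "camera location (public)"),
        "cam-9": Entity("cam-9", frozenset({"investigator"}), 1, "camera location (restricted)"),
    })
    video = MicroService("video-analysis", {
        "track-1": Entity("track-1", both, 2, "object track with un-anonymised frames"),
    })
    acl = GatewayACL()
    acl.register_service("gis")
    acl.register_service("video-analysis")
    acl.grant("web-bff", "gis")
    acl.grant("web-bff", "video-analysis")
    acl.grant("mobile-bff", "gis")      # mobile clients never reach video analysis
    return acl, {"gis": gis, "video-analysis": video}


if __name__ == "__main__":
    acl, services = build_demo()
    alice = User("alice", "investigator", 2)
    bob = User("bob", "analyst", 1)
    for gw, svc, user, eid in [("web-bff", "video-analysis", alice, "track-1"),
                               ("mobile-bff", "video-analysis", alice, "track-1"),
                               ("web-bff", "video-analysis", bob, "track-1"),
                               ("web-bff", "gis", bob, "cam-9"),
                               ("web-bff", "unknown-service", alice, "x")]:
        _, reason = route(acl, services, gw, svc, user, eid)
        print(f"{gw:10s} {svc:15s} {user.name:6s} {eid:8s} -> {reason}")
```

The order of the checks matters: the gateway ACL is consulted before the service dictionary is touched, so a request for a service that was never registered is refused as "gateway-denied" rather than raising an error, and a gateway that is allowed to reach a service still cannot bypass that service's own role and level checks.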
3.2.2 Differences in Modules
The SURVANT system reuses the modules that were identified and developed in ADVISE. However, most of them are re-designed to cover the requirements of the end-users. New technologies are employed to improve their efficiency and performance, in some cases extending their functionality. The following table lists the differences of each module between the two projects.
Module | Functional module | Type of change | Details
Video Processing | Object detection & tracking | Redesign | Performance: employ Deep Learning techniques to improve object detection and tracking. Speed: reduce processing time to below real time.
Video Processing | Event detection | Redesign | Performance: employ Deep Learning techniques to improve event detection and detect more events. Speed: reduce processing time to below real time.
Indexing | Visual Description | Redesign | Performance: employ Deep Learning techniques to extract more distinctive descriptors for the objects detected.
(not stated) | Anonymization | (not stated) | Performance: improve the anonymization process to hide unnecessary personal data during the investigation. Speed: provide on-the-fly anonymized video results.
Knowledge modelling | Ontology | Redesign | Performance: improve the expressiveness and flexibility of the ADVISE ontology to better model the knowledge extracted from the videos examined.
To this end, we want to make sure that the data processing conducted by the SURVANT consortium during the project respects any personal data that might be included in the project datasets. The SURVANT project plans to use two datasets, the ADVISE dataset (section 4.1) and the SURVANT dataset (section 4.2), which share the following properties:
• Both datasets were/will be created within the controlled environment of a European research project (ADVISE in the first case, SURVANT in the second) and within a controlled physical space (areas within or right next to the premises of the Madrid Municipal Police, or areas controlled by the Madrid Municipal Police).
• Proper agreements have been signed between the initial owner of the ADVISE dataset (the partner that captured it) and the rest of the ADVISE project consortium regarding the use of the dataset. The same procedure is envisioned for the SURVANT dataset, and it is the responsibility of Task 1.3 to monitor that this procedure is conducted appropriately and completed in a timely manner (i.e. before the technical partners of the consortium start processing the dataset).
4.1 ADVISE Dataset
In the municipality of Madrid, CCTV cameras are controlled by the municipal police and are accessible locally at each of the locations where they are installed. All signals received from the locations where CCTV cameras are installed are centralized in the Integrated Centre for Video Signal (CISEVI). For the purpose of the ADVISE project, the Madrid Municipal Police performed video recordings using the infrastructure of cameras already deployed in the city. The only way to ensure that the recordings would match the identified use cases was to record them on purpose, that is, with actors acting out the use cases again and again. The Theatre Group of the Madrid Municipal Police performed the identified use cases for the benefit of the project. A total of 27 actors took part, with different clothing, cars, motorcycles and luggage.
During the recordings, other people and vehicles were prohibited from entering the area. The recordings were taken under different lighting conditions, with different people, numbers of people, etc., to be as realistic as possible. The police officers working at CISEVI were responsible for the recordings. The scenarios and use cases were "Pickpocketing", "Luggage theft" and "Beat and Run Away". The videos in the existing infrastructure are securely stored in a proprietary format in CISEVI; for this reason, the extracted videos were converted to AVI so that the technical partners could work with them. Furthermore, the recorded videos were examined by the Madrid Municipal Police to exclude segments in which residents might accidentally appear in a scene. In total, 103 videos were produced in AVI format, containing multiple instantiations of the identified use case scenarios as well as "no event" videos for training purposes. Ethical and legal aspects, as shaped by partner ADM, were taken into consideration from the very beginning. The person in Madrid City Council responsible for the video surveillance cameras deployed in the streets was adequately informed of the recordings that were to take place for the project. Moreover:
• All actors performing on the street had previously signed an appropriate Consent Form based on the template shown in Annex I.
• No people other than the actors are shown in the recordings.
• A Memorandum of Understanding was signed between partner ENG, on behalf of the whole Consortium, and partner ADM, for the usage of the recordings.
Figure 3: Videos contained in the ADVISE dataset.
4.2 SURVANT Dataset
The Madrid Municipal Police will perform new recordings for the SURVANT project, based on the use case scenarios identified in D2.1 "Requirements and use cases". The identified scenarios are the following:
Storyline 1: Aggression on a street in Madrid. In an unprovoked attack, the aggressor beat a tourist several times in the face and body, because the victim would not let go of the backpack the aggressor was trying to steal from him, and then ran away.
Storyline 2: Theft of a wallet containing credit cards, documentation and 625 euros on a city street in Madrid. The victim was a Japanese citizen travelling alone. A thief opened his backpack and removed his wallet from it, while an accomplice distracted him by offering cheap sunglasses.
Storyline 3: Due to the confrontation between official city taxi drivers and the new rental-car-with-driver services (UBER, CABIFY), the latter are suffering attacks on their vehicles by taxi drivers, who throw stones and damage their cars. A taxi driver spots an unattended Uber car, gets out of his own cab and sprays graffiti on the Uber car, spoiling the paint and leaving an offensive message at the same time. The taxi driver quickly drives away.
Storyline 4: Two youngsters armed with spray cans, in a not very busy street and in just a few minutes, paint graffiti on the wall of a public building, defacing its façade. They leave the area at a fast pace.
Based on the above scenarios, the Madrid Municipal Police will perform new recordings in which officers instantiate the scenarios under various conditions. It will exploit its previous experience of the data acquisition and sharing process during the ADVISE project to deliver a dataset that complies with the relevant legal and ethical regulations. After negotiations with the relevant authorities, the Madrid Municipal Police has been authorized to perform the recordings in crowded areas, to replicate the actual operational environment. In all cases, the events described in the scenarios will be staged by police officers only; no real cases will be recorded.
Please note that the recordings had not taken place at the time this deliverable was written; therefore no further details are available on the dataset to be acquired.
5 Conclusions
In this report, we presented the analyses and activities taking place within Task 1.3 "Analysis and monitoring of privacy, ethical and legal constraints" of the SURVANT project.
The analysis of LEP principles indicates that a major issue is the EU data protection reform currently under way (the transition from the 1995 Data Protection Directive to the GDPR, applicable from 25 May 2018), which will oblige SURVANT to run partly under two different data protection frameworks. The early adoption by the SURVANT consortium members of notions such as Privacy by Design and Privacy by Default, going back to the beginning of the ADVISE project, is a powerful tool that the project holds in order to cope with the coming changes. Another important aspect highlighted by the LEP analysis is that, since the SURVANT system is envisioned not as a video (data) collection tool but as a video analysis toolset, all ethical/legal obligations related to the data capturing phase of the data lifetime lie primarily with the initial owner/creator of the data.
The analysis of the key differences between SURVANT and ADVISE that affect LEP aspects indicated a shift from LEA-focused use cases to scenarios that offer good reuse across sectors and for which the consortium can leverage decent-quality training footage staged with actors in challenging real-life environments. This change does not pose additional problems on the legal/ethical side, since the envisioned system was initially designed with such cases in mind.
Finally, our LEP monitoring activities focused on identifying and describing the project datasets, in order to be ready to ensure legal/ethical compliance in their management and, of course, in the management of any personal data they might contain. Both datasets are created within a controlled environment and are staged (meaning that only volunteer "actors" participate); all "actors" in both datasets sign appropriate consent forms, and proper agreements are signed between the initial owner of each dataset (the partner that captured it) and the rest of the partners.
This is to state that I agree to participate in a program of research being conducted by the ADVISE Project (Project Coordinator name: Francesco Saverio Nucci, Organization: ENGINEERING INGEGNERIA INFORMATICA SPA, Coordinator's Email: [email protected], Coordinator's Fax: +39 06-83074200).
A. PURPOSE
I have been informed that the purpose of the research is as follows: {Please state the purpose of the research clearly and concisely, in no more than one or two sentences}.
If at any time you have questions about the proposed research, please contact the project's Coordinator (Project Coordinator name: Francesco Saverio Nucci, Organization: ENGINEERING INGEGNERIA INFORMATICA SPA, Coordinator's Email: [email protected], Coordinator's Fax: +39 06-83074200).
If at any time you have questions about your rights as a research participant, please contact the project's Ethics Advisory Board {Indicate in this section the name and contact information of the Data Protection Controller}.