

The future:

Cameras will be ubiquitous. Storage will be effectively infinite. CPU processing power will be effectively infinite. Cameras will detect a broad range of the electromagnetic spectrum. The combination of cameras everywhere and infinite storage will inevitably result in all persons being under surveillance all the time. When combined with infinite processor power and recognition software, it will be impossible for persons to move about society without being observed by their government.

All governments eventually are corrupted and, when corrupted, will misuse the surveillance data. There is no particular reason to think that this is political party or left/right specific. Although it currently is fashionable to think that the right is evil and the left is good, there is no reason to think this will be the case in the future. The only certainty is that the party in power will misuse the data to attempt to control their ‘enemies’, whomever they might perceive them to be at the time.

Surveillance advocates claim that cameras are simply an extension of law enforcement's eyes and therefore are not a significant new impingement on personal freedom.

I disagree.

Here’s how I’d build a surveillance system that allows the use of technology to maximize law enforcement effectiveness, yet provide reasonable controls on the use of the surveillance against the population as a whole.

  • The cameras are directly connected to a control room of some sort. The control room is monitored by sworn, trained law enforcement officers. The officers watch the monitors.
So far this is ordinary surveillance. Here’s how I’d protect individual privacy:
  • The locations of the cameras are well known.
  • All cameras record to volatile memory only. The capacity of the volatile memory is small, on the order of one hour or so. Unless specific action is taken, all recorded data more than one hour old is automatically and irretrievably lost. A ring buffer of some sort.
  • If a sworn officer sees a crime, the sworn officer may switch specific cameras to non-volatile storage. The action to switch a camera from volatile to non-volatile storage is deliberate and only taken when an officer sees specific events that constitute probable cause that a crime is being committed, or when a crime has been reported to law enforcement. Each instance of the use of non-volatile storage is recorded, documented and discoverable by the general public using some well defined process.
  • Once a camera is switched to non-volatile storage, it automatically reverts to volatile storage after a fixed time period (one hour, for example), unless the sworn officer repeatedly toggles the non-volatile switch on the camera.
  • The non-volatile storage automatically expires after a fixed amount of time (24 hours, for example). If law enforcement believes that a crime has occurred and that the video will be evidence in the crime, law enforcement obtains a court order to retain the video evidence and move it to permanent storage. The court order must be for a specific crime and must name specific cameras and times.
  • When a court so orders, the video is moved from non-volatile storage to whatever method law enforcement uses for retaining and managing evidence. If the court order is not obtained within the non-volatile expiration period, the video is irretrievably deleted. If the court order is obtained, the video becomes subject to whatever rules govern evidence in the legal jurisdiction of the cameras.

In the case of a 9/11 or 7/7 type of event, the officer would simply toggle all cameras to non-volatile mode and would continue to re-enable non-volatile mode every hour for as long as necessary (days, if necessary). The action of toggling the cameras would again be recorded, documented and discoverable.

To prevent the system from being subverted by corrupt law enforcement (think J. Edgar Hoover and massive illegal surveillance), the systems would be physically sealed, and the software and storage for the non-volatile and volatile storage would be unavailable to law enforcement.

There would be some form of crypto/hash/signing that enables tracking each recording back to a specific camera and assures that the recordings have not been altered by law enforcement.

The key concepts are:

  1. the system defaults to automatically destroying all recordings.
  2. a sworn officer of the law must observe an event before triggering non-volatile storage.
  3. specific actions are required to store the recordings.
  4. those actions are logged, documented and discoverable.
  5. a court action of some sort is required for storage of any recording beyond a short period of time.
  6. the system would be tamper-proof. The act of law enforcement tampering with the systems to defeat the privacy controls would be a felony.
  7. the system would maintain the integrity of the recordings for as long as the video exists.

And most importantly, the software would be open source.
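The retention rules above (volatile ring buffer, officer toggle, 24-hour expiry, court-ordered evidence, and the integrity tag from the crypto/hash/signing point) as a single state machine per camera. This is an added illustration, not code from the post; the HMAC key, the decision to preserve the ring's current hour on a toggle, and the officer and order identifiers are assumptions, and a real build would use an asymmetric signature held in sealed camera hardware so that anyone can verify without the key.

```python
import hashlib
import hmac
from collections import deque

RING_SECONDS = 3600           # volatile ring buffer holds about one hour (post's example)
NONVOLATILE_SECONDS = 3600    # one toggle keeps a camera in non-volatile mode for one hour
EXPIRY_SECONDS = 24 * 3600    # non-volatile storage expires after 24 hours without a court order
CAMERA_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: lives in sealed hardware

class Camera:
    def __init__(self, cam_id):
        self.cam_id = cam_id
        self.ring = deque()           # (ts, frame, tag): volatile, oldest entries dropped
        self.nonvolatile = {}         # ts -> (frame, tag, stored_at)
        self.nonvolatile_until = -1   # frames are copied to non-volatile storage until this time
        self.evidence = {}            # ts -> (frame, tag, stored_at) retained under a court order
        self.audit = []               # discoverable log of every deliberate action

    def _tag(self, ts, frame):
        # Binds the frame bytes to this camera and timestamp; any later alteration changes the tag.
        msg = f"{self.cam_id}|{ts}|".encode() + frame
        return hmac.new(CAMERA_KEY, msg, hashlib.sha256).hexdigest()

    def record(self, ts, frame):
        tag = self._tag(ts, frame)
        self.ring.append((ts, frame, tag))
        while self.ring and self.ring[0][0] <= ts - RING_SECONDS:
            self.ring.popleft()       # more than an hour old: irretrievably lost
        if ts < self.nonvolatile_until:
            self.nonvolatile[ts] = (frame, tag, ts)
        expired = [t for t, (_, _, stored) in self.nonvolatile.items() if stored <= ts - EXPIRY_SECONDS]
        for t in expired:
            del self.nonvolatile[t]   # expired without a court order: deleted

    def toggle_nonvolatile(self, ts, officer, reason):
        # Deliberate, logged action; repeated toggles extend the window an hour at a time.
        self.audit.append((ts, "toggle", officer, reason))
        for t, frame, tag in self.ring:   # assumption: the hour already in the ring is kept too
            self.nonvolatile.setdefault(t, (frame, tag, ts))
        self.nonvolatile_until = ts + NONVOLATILE_SECONDS

    def court_order(self, ts, order_id, start, end):
        # The order must name this camera and a time range; matching frames move to evidence.
        self.audit.append((ts, "court_order", order_id, (start, end)))
        moved = {t: v for t, v in self.nonvolatile.items() if start <= t <= end}
        self.evidence.update(moved)
        return len(moved)

    def verify_evidence(self, ts):
        # Re-derive the tag from the stored bytes; a mismatch means the recording was altered.
        frame, tag, _ = self.evidence[ts]
        return hmac.compare_digest(tag, self._tag(ts, frame))
```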

EPIC Video Surveillance and Wikipedia contain quite a few other thoughts on surveillance.


  1. Obviously a lot of thought; has the beginnings of a really good idea - but in its present form, has some obvious glitches:
    - How are the oaths enforced? We today have (all over the world) people in public office, for whom the oaths they took are zero obstacle to illegal/unethical/corrupt behavior. Why should the 'sworn officers' in your case be any better?

    - Fixed duration for automatic loss of data? Take a case of a child climbing into a car in front of one of the cameras. Two hours later, the child is overdue at home; frantic parents call the police - but the fixed ring-buffer has by now dumped data of the actual crime being committed. To detect that a crime was in progress at that moment, a 'sworn officer' would need facial recognition data for the child, and his *daily schedule*; would need to run the car plates for owner info/"stolen" status; check child's genealogy db to find if the car's owner is a relative; check other info to see if neighbor/friend/someone legally deputed to pick up the child... and only THEN toggle the switch for long-duration-storage (besides sending a police car to intercept). Even with infinite CPU power and automated checks... isn't the data required for these checks enough of an invasion of privacy?

    - Who foots the bills? High-security manufacturing/delivery/deployment/maintenance, dedicated network?

    - Who watches the watchdogs? Someone has to keep the camera and other system hardware safe, verify physical seals periodically, monitor the data networks for signs of illegal taps/cracking... how are these people guaranteed to be free from corruption or pressure/threats from malicious groups?

    - What about the factories where the hardware is manufactured/assembled? How, even if the hardware design and software is FOSS, is an individual citizen assured that no tampering has been done with the hardware, no hypervisor been installed to siphon off data? Why, China is building its own Loongson processors because they don't trust North American processors in their computer systems. I'm not saying they are justified, but why should any member of the public assume that the hardware for this system is built with total integrity and honesty?

    - Given the fact that even software used in billion-dollar space/planetary exploration projects still has bugs, I really don't see how you can assert that "the system would be tamper-proof". It's an old axiom that nothing is ever 100% secure or foolproof. That ought to hold true both for hardware and software, right?

    - How does John Q Public on the streets *know* his privacy is safe, without himself being a hardware/software expert, and physically inspecting/verifying the hardware and software to see it hasn't been tampered with? Aside from the obvious burden of domain knowledge, John Q isn't going to be let anywhere near that setup - bad physical security! So ultimately it still boils down to trust in other human beings, at multiple points in the system. As we have seen more than enough times, often the trust is misplaced. This system is apparently still prone to subversion via the human factor.

    Sorry for the pessimism... I call it realism :)

  2. Anon -

    Interesting comments. I share your pessimism.

    I'll admit incompleteness. I sat on the post for a year - ever since the Republican National Convention came to town and brought 2500 cameras and a secret command center with them.

    Enforcement - at best, you'd have enforcement similar to what you have today, where media, public watchdogs, or 'Internal Affairs' handles it. In the US, there are always disinterested agencies that are happy to investigate other agencies, with the obvious exception of the agencies that we aren't allowed to know about or talk about. But they are already unsupervised, so this isn't going to make it worse. In my neighborhood, the county is happy to investigate local police, the state is happy to investigate the county, and if all else fails, the FBI investigates any/all of them.

    - Fixed duration: make it 4 hours. (the length of the buffer isn't the point, the ring-nature of it is.). But - you are correct, there is a privacy issue on the checks necessary to determine if a crime has/has not been committed.

    - Bills: Who foots them today?

    - Watchdogs: Good question. I keep thinking that 'openness' is about all we'd have. Anything else can be subverted.

    - Tampering: Is it possible to permit third party checks of firmware and chip sets? (I.e. - 1/10 of all systems are taken off line each year and checked by a disinterested third party.) In many ways, this is similar to the voting machine problem.

    The best I can come up with is: Some system of checks is better than none. Today we have none.



