
Securing video analytics data: the law and best practice


Before you think about data analytics as a business tool, you need to understand the current and future rules about data handling. John Enser, a partner in the commercial practice at Olswang, an international law firm specialising in technology, media and telecoms, says that one main principle video service providers need to observe is – at a European level at least – “a double lock” on data usage.

Operators need (a) to have good reason for keeping and using any data that could potentially identify a specific individual (often referred to as ‘PII’ data, or ‘Personally Identifiable Information’), and (b) they need to have their customers’ informed consent.

“Broadly speaking, the basic principles are that customers need to know what you’re doing, with a few exceptions,” explains Enser. One of these is that, “if you’re doing something which is necessary in order to fulfil a contract you’ve got with a consumer, you don’t need a separate consent.”

Another broad principle of European law is that it requires video service providers to meet what Enser describes as good data management principles. “Companies handling data have a duty to keep the information up-to-date, and not keep it for longer than is appropriate.”

European law also requires “that you should apply the proper operational and technological means to safeguard the data,” he says. In other words, video service providers are also required to take the necessary security measures to counter possible data theft.

Regulators are updating rules on data handling and privacy all the time. A good example of this trend can be seen in Europe, where a major challenge confronting operators is the adoption of the new GDPR in mid-2018. Olswang observes that “it is important to read GDPR through the lenses of the huge fines (up to 4% of global annual turnover) and other sanctions that it introduces.”

While non-compliance with the existing European Directive rarely led to serious fines or claims, “non-compliance with GDPR could be terminal for your business,” says Olswang.

Significant changes include:

  • New security requirements
  • New data breach requirements, with an extremely low notification threshold to the regulator, who needs to be informed ‘without undue delay’
  • Greater accountability, governance and resourcing
  • A wider definition of personal data
  • The requirement for an operator to appoint a Data Protection Officer (subject to company size)
  • The need to document data processing with care
  • More tightly defined justifications for data-processing
  • A more exacting standard for ‘consent’
  • Enhanced data subject rights (e.g. the ‘Right to Erasure’).

Olswang comments wryly that “GDPR was supposed to be about reducing red tape for businesses – instead, it has added to it.”

Thomas Helbo, the recently appointed CTO of Swedish triple-play cable operator Com Hem, agrees that GDPR “will be a problem to many companies, I think, because it will require some big changes in the way you react, and how you should behave with customer data. […] You definitely need to be much more aware of the way you handle your customer data.”

For his part, Ricardo Tavares, CEO of Techpolis – which advises leading players in the mobile technologies sector – believes that the GDPR “will be a reference for consumer groups and for consumer politicians around the globe to try to come to that same standard – so the pressures in the U.S. are likely to build in the next few years to reach a similar framework.”

Indeed, Tavares argues that contentious new privacy rules the FCC is currently proposing to apply to broadband ISPs contain a number of provisions for data collection and processing that “are part of the GDPR” – for instance, the requirement for ISPs to obtain explicit consent from customers for using or sharing their data in certain circumstances.

Accordingly, Tavares foresees that the GDPR will “set the bar” for the data analytics sector worldwide, implying that “anybody in the data analytics business will have to look at [the GDPR] framework.”

Operators need to keep tabs on how regulators’ interpretations of the law are changing, of course. Tavares accepts that facing up to all the regulatory compliance issues associated with becoming a data-centric business is hard to do, but maintains that “we do hard things if we want to succeed.” Compliance is “perfectly possible to manage,” even if, as he concedes, “it might be more costly to manage, because you really need to set up a data protection bureaucracy.”

Thus, says Tavares, operators should not bury their heads in the sand: “If you are scared about the regulations, you’re not going to do anything about data analytics. I think you then have to be aware that you could be out of business.”

Compliance and data security will go hand in hand. Peter Docherty is Co-founder and CTO of recommendation engine specialists ThinkAnalytics, which recently launched its own video analytics solution dubbed ‘ThinkBigData’. He declares: “If you’re collecting data of what people are watching, then the security of that and privacy of it are vital. It’s a factor in every deployment that you make sure that the systems, procedures and processes are in place to protect that data.”

Here, security practice commonly falls into two parts. First, any PII data retained in line with the appropriate consents is kept behind a secure ‘wall’, in encrypted form and accessible only to those who have a need to use the data, and are licensed to do so in line with external regulations and internal data handling procedures. Second, outside that wall, that data is de-personalised and anonymised before any other user has access to it.
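As an added illustration (not code from the report or from any vendor quoted here), the step from inside the wall to outside it could look like the sketch below. The field names, `PSEUDONYM_KEY` and the `K_MIN` threshold are assumptions made for the example.

```python
import hashlib
import hmac

# Assumption: the key is held only inside the secure wall, so analysts
# outside it cannot recompute or reverse a pseudonym.
PSEUDONYM_KEY = b"constructed-demo-key"
DIRECT_IDENTIFIERS = {"subscriber_id", "name", "email", "ip"}
K_MIN = 3  # do not report a group with fewer distinct viewers than this


def pseudonym(subscriber_id: str) -> str:
    """Stable keyed token: same subscriber, same token; no key, no lookup."""
    mac = hmac.new(PSEUDONYM_KEY, subscriber_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def depersonalise(event: dict) -> dict:
    """Strip direct identifiers and coarsen the timestamp to the hour."""
    out = {k: v for k, v in event.items() if k not in DIRECT_IDENTIFIERS}
    out["viewer"] = pseudonym(event["subscriber_id"])
    out["ts"] = event["ts"] - event["ts"] % 3600
    return out


def audience(events: list) -> dict:
    """Distinct viewers per programme, with small groups suppressed."""
    viewers = {}
    for e in events:
        viewers.setdefault(e["programme"], set()).add(e["viewer"])
    return {p: len(v) for p, v in viewers.items() if len(v) >= K_MIN}


# Constructed sample: four subscribers, two programmes.
RAW = [
    {"subscriber_id": "A1", "name": "Ann", "ip": "192.0.2.1", "ts": 1700003700, "programme": "news"},
    {"subscriber_id": "B2", "name": "Bob", "ip": "192.0.2.2", "ts": 1700003800, "programme": "news"},
    {"subscriber_id": "C3", "name": "Cy", "ip": "192.0.2.3", "ts": 1700003900, "programme": "news"},
    {"subscriber_id": "A1", "name": "Ann", "ip": "192.0.2.1", "ts": 1700007500, "programme": "film"},
    {"subscriber_id": "D4", "name": "Dee", "ip": "192.0.2.4", "ts": 1700007600, "programme": "film"},
]
CLEAN = [depersonalise(e) for e in RAW]
```

A keyed token is still linkable by whoever holds the key, so the per-viewer rows remain pseudonymised data; only the suppressed aggregate from `audience` is suitable for wider access.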

The integrity of source data collected by an operator can be compromised in a number of different ways. It can include fraudulent data (i.e. emanating from a cloned or un-authenticated device), it can be corrupted or misappropriated on its way back to an operator’s data warehouse, or – once stored at a central point – that storage facility can be hacked.

Paradoxically, when it comes to securing ‘Big Data’, less is more. According to Tom Weiss, CEO of data analytics company Genius Digital, operators adopting a video analytics data approach tend to collect as much data as they possibly can, but this causes a real security problem because, “if you’re collecting all this data, you don’t quite know what you’re going to want to do with it, and you need to work out where you’re going to keep it, how you’re going to control access to it, and it’s problematic.”

Olswang’s Enser observes: “As people are becoming increasingly aware of cyber security risk and the risk of hacking, they understand that one of the ways to minimize the impact of data loss is actually not to keep too much.”

Paul Collins, Director of Communications, Media & Entertainment at data analysis specialists Information Management Group Ltd (IMGROUP), says it would be good practice to run checks on data before it gets anywhere near any operational or analytical system, or is stored. “You can make sure the data is expected, is it coming from a certified location and it is in the approved format,” he notes.
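The pre-ingest checks described here can be sketched as follows; this is an added example, not code from IMGROUP or the report. The device registry, message fields and per-device HMAC scheme are assumptions chosen to show “expected”, “certified location” and “approved format” as concrete tests, including rejection of a replayed or unauthenticated device.

```python
import hashlib
import hmac
import json

# Constructed registry of provisioned devices: device_id -> per-device secret.
DEVICE_KEYS = {"stb-0001": b"constructed-key-0001",
               "stb-0002": b"constructed-key-0002"}
# Approved format: exact field set and the type each field must have.
SCHEMA = {"device_id": str, "seq": int, "ts": int, "event": str, "channel": str}
ALLOWED_EVENTS = {"tune", "play", "pause", "stop"}
MAX_CLOCK_SKEW = 300  # seconds
LAST_SEQ = {}         # highest sequence number accepted per device


def sign(body: bytes, key: bytes) -> str:
    """Tag a device would attach to a report (HMAC-SHA256, hex)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def validate(body: bytes, tag: str, now: int):
    """Return (True, record) if the report may be ingested, else (False, reason)."""
    try:
        rec = json.loads(body)
    except ValueError:
        return False, "not JSON"
    if not isinstance(rec, dict) or set(rec) != set(SCHEMA):
        return False, "unexpected fields"
    for field, typ in SCHEMA.items():
        if type(rec[field]) is not typ:  # exact match, so True is not an int
            return False, f"bad type for {field}"
    key = DEVICE_KEYS.get(rec["device_id"])
    if key is None:
        return False, "unknown device"
    if not hmac.compare_digest(sign(body, key).encode(), tag.encode()):
        return False, "bad signature"
    if rec["event"] not in ALLOWED_EVENTS:
        return False, "unexpected event"
    if abs(now - rec["ts"]) > MAX_CLOCK_SKEW:
        return False, "stale timestamp"
    if rec["seq"] <= LAST_SEQ.get(rec["device_id"], -1):
        return False, "replayed sequence"
    LAST_SEQ[rec["device_id"]] = rec["seq"]
    return True, rec
```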

However, the source data also needs to be protected in transit. Sebastian Braun, Director of Product Management at Verimatrix, a content security specialist that also provides the Verimatrix Verspective Operator Analytics solution, recommends that “what you have to do in order to cope with, or minimize your risks, is first encrypt the communications channel from the device back to the headend.”

Then, if the technology of the device allows it, “you should also encrypt the data itself that is transmitted across this encrypted channel. Even if the channel gets broken into, the data that the potential hacker would see is garbage, essentially.”

Braun also believes that the most effective storage approach is a unified headend where the various different data sources are fused and enriched in a high-security environment, still in encrypted form.

This is, in fact, exactly how the Verimatrix Verspective Operator Analytics solution would typically be deployed in a hybrid environment, using the well-established VCAS security solution from Verimatrix both to protect the data flow upstream from the subscriber’s device and to secure downstream video delivery.

Brett Sappington, Senior Director of Research at Parks Associates, says compliance and security considerations are forcing operators to decide whether or not data security should be part of their core business. “Do I have an internal group of security experts, or do I turn to experts outside of my organization? Many of them look at it and say, my core business is video, I’m not sure I want to be in the security business. Some do decide that they want it in-house, but for many they’re looking outside of their organizations for that security expertise.”


More reading

This story is based on excerpts from the new Videonet report called ‘Securing Video Analytics Data to Enhance Pay-TV Profitability’. The report outlines the challenges and solutions in three main sections: Evolving Data-Handling and Privacy Rules; Data Analytics Integrity – Securing Data Collection; and Breaking Down Silos While Acknowledging ‘Rules and Roles’. We have talked to a wide cross section of the media industry and contributors include Unitymedia, Deutsche Telekom, KPN, Telefónica, Verimatrix, IMGROUP, Rovi, GroupM, Techpolis, Parks Associates, ThinkAnalytics, Genius Digital, IBM and Olswang. You can download the 7,500 word report free, here.
