Location data can be collected from dedicated positioning devices (e.g. GPS receivers) that are part of VSN nodes. The timestamp is tied to the data so that any manipulation of the timestamp is detected.
PRIVACY
Privacy Protection Requirements and Techniques
Imageless data distribution provides the best privacy protection, but at the same time makes monitoring by system operators impossible. A single frame of a sequence where sensitive regions are falsely detected can break the privacy protection for the entire sequence. A privacy protection system can also support multiple levels of privacy at the same time, where a video stream contains several substreams with different types of information.
A multi-level approach allows designing a privacy protection system that presents different types of information to observers depending on their security clearance. In more recent work, Dufaux and Ebrahimi [2010] present a framework for evaluating privacy protection mechanisms. 2000] on the effects of filtered video on awareness and privacy shows that pixelation provides better privacy protection than blurring.
The research results indicate that pixelation provides the best performance when it comes to the balance between privacy protection and understandability of the video content.
Related Work on Privacy
Regardless of the chosen protection technique, two key questions remain the same: (1) is privacy adequately protected by the chosen technique and (2) what is the impact on the utility of the VSN? 2012a] developed an evaluation framework to systematically investigate the trade-off between privacy protection and system services. Privacy protection is achieved by transmitting only event information or by replacing detected objects with abstracted versions.
Qureshi [2009] proposes a framework for privacy protection in video surveillance based on decomposing raw video into object-video streams. Access to sensitive video objects is granted conditionally depending on the rights of the observer and the individual policies of the monitored users. If the incoming data is qualified as private by one of the privacy filters, the data is not output from the privacy buffer.
As summarized in Table II, most approaches to privacy protection rely on the identification of sensitive regions.
USER-CENTRIC SECURITY
User-Centric Security Requirements
Several approaches offer multiple privacy levels, where the delivered data stream contains differently protected variants of the original sensitive data. By handing out dedicated devices or RFID tags to known and trusted users, a stronger form of awareness about video surveillance is realized [Brassil 2005; Wickramasuriya et al. Users equipped with such devices are not only made aware of the installed cameras, but even gain a certain degree of control over their privacy.
By using public-key cryptography to protect personal data, users gain full control over their privacy-sensitive data by actively participating in the decryption of that data. The locations of already installed cameras and planned cameras were mapped by volunteers on Google Maps [OWNI 2011]. To establish this trust and provide feedback on the internal functionality of the system, Senior et al.
The software of a smart camera may have been changed by the operator without recertifying the system.
Related Work on User-Centric Security
Feedback and control. In today's systems, users must trust operators to protect their privacy. This report should include information about what personal data is captured, processed, stored and provided to observers. Control goes beyond pure feedback and means users are actively involved when their personal data is disclosed to third parties.
An approach that does not need user-carried electronics is presented by Schiff et al. Our user-based visual authentication technique is built upon the capabilities of TPM and its platform status reporting. Wireless communication cannot be used as it is very difficult to assess whether the response is actually coming from the target camera or some other potentially malicious device in the vicinity.
Visual communication using 2D barcodes allows users to intuitively select the intended camera and eavesdropping attempts on the communication channel can be easily detected.
NODE-CENTRIC SECURITY
Node-Centric Security Requirements
Basic tampering can be prevented when the circuit board is designed so that communication lines are not routed in the top or bottom layers of the circuit board. Side-channel attacks exploit circuit characteristics such as timing, power consumption [Örs et al. Code Security. A trend in VSNs and embedded systems in general is for significant parts of the system to be implemented in software rather than specialized hardware.
The SoC provides functionality as part of its boot procedure that allows the authenticity and integrity of the executed software (e.g. the bootloader) to be checked based on digital signatures and hash sums. For authenticity and integrity checks, a certificate containing the expected hash sum of the verified component must be available. However, in the case of a software MTM, support of the underlying platform such as ARM TrustZone [ARM Limited 2009] or TI M-Shield [Azema and Fayad 2008] is advantageous.
The registered device status can be safely reported to a third-party verifier who can decide whether the device status is trustworthy or not.
Related Work on Node-Centric Security
In this scenario, the software status of the embedded device is confirmed using the TPM before sensitive information is sent. All reconfiguration of the FPGA must be performed via the functionality provided in this static section. The advantage of this approach is that the TPM itself becomes part of the chain of trust; therefore, TPM functionality can be easily updated, extended and improved.
The measurement of the software stack of the system is performed with a coarse granularity where separate measurements are performed of the bootloader stages, the OS kernel and the root file system image. To provide detailed information about the launched applications, the camera middleware takes measurements of the individual computer vision applications being launched. In addition, the device status is made available to the user to enable assessment of the security and privacy protection features of the camera.
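The measured-boot and attestation flow described above (coarse measurements of bootloader stages, kernel and root file system, finer per-application measurements by the middleware, and a verifier that checks the reported status against certified hash sums) as an added illustration; this is not code from the surveyed systems. It simulates TPM-style extend registers with SHA-256, and all component images and the certificate allow-list are constructed sample data.

```python
import hashlib

# Constructed sample images of a smart-camera software stack (not real firmware).
STACK = [("bootloader-stage1", b"stage1 image (constructed)"),
         ("bootloader-stage2", b"stage2 image (constructed)"),
         ("os-kernel", b"kernel image (constructed)"),
         ("rootfs", b"root file system image (constructed)")]
APPS = [("motion-detector", b"motion app (constructed)"),
        ("privacy-filter", b"blur app (constructed)")]
ZERO = b"\x00" * 32

def measure(image: bytes) -> bytes:
    """Hash sum of one component; this is the value recorded in the measurement log."""
    return hashlib.sha256(image).digest()

def extend(register: bytes, m: bytes) -> bytes:
    """TPM-style extend: register = H(register || m). Order-dependent and one-way."""
    return hashlib.sha256(register + m).digest()

def measured_boot(stack, apps):
    """Coarse-grained stack measurements go into one register, the middleware's
    per-application measurements into another. Returns (reg_stack, reg_apps, log)."""
    reg_stack, reg_apps, log = ZERO, ZERO, []
    for name, image in stack:
        m = measure(image)
        reg_stack = extend(reg_stack, m)
        log.append(("stack", name, m))
    for name, image in apps:
        m = measure(image)
        reg_apps = extend(reg_apps, m)
        log.append(("app", name, m))
    return reg_stack, reg_apps, log

def verify(reg_stack, reg_apps, log, certified):
    """Verifier side: every logged hash sum must be one a certificate expects, and
    replaying the log must reproduce the reported registers (log not edited)."""
    replay = {"stack": ZERO, "app": ZERO}
    for kind, name, m in log:
        if m not in certified.get(name, ()):
            return False, f"uncertified {kind} component: {name}"
        replay[kind] = extend(replay[kind], m)
    if (replay["stack"], replay["app"]) != (reg_stack, reg_apps):
        return False, "log does not match reported registers"
    return True, "trustworthy"

# Certificates: expected hash sum of each certified component (built from the good images).
CERTIFIED = {name: {measure(img)} for name, img in STACK + APPS}
```

A root file system changed by the operator without recertification, as in the scenario above, yields a hash sum absent from CERTIFIED and is rejected; a truncated log fails the register replay.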
Physical security is usually considered in limited forms where, for example, tamper resistance is realized for a small part of the system, such as a cryptographic key store.
NETWORK-CENTRIC SECURITY
Network-Centric Security Requirements
Although many of the security requirements of VSNs overlap with those of WSNs, there are also important differences. Channel security. Channel security requires authentication of the communication partners, as well as integrity protection, freshness and confidentiality of transmitted data. The main difference is that in the context of the network, these requirements apply only to the secure communication channel established between two VSN nodes.
This additional computing power of VSN devices can be used for asymmetric encryption, which in turn greatly simplifies and strengthens many security techniques originally designed for WSNs. For example, the correlation of events detected by multiple nodes requires a common time base between VSN participants. Since VSN node clocks operate independently, node time readings will vary.
Decentralized mechanisms are therefore needed to enable discovery and querying of services provided by network members.
Related Work on Network-Centric Security
An ISA-100.11.a [ISA100 Wireless Compliance Institute 2011] network consists of non-routing sensor and actuator devices, as well as routing devices that are responsible for forwarding data, but can also include I/O interfaces. Data is sent to backbone routers that route data to other segments of the network or through gateways to higher instances on the network. The ISA-100.11.a stack includes several established technologies, including IEEE 802.15.4 as the physical layer and data link layer, 6LoWPAN as the network layer, or UDP as the transport layer.
Confidentiality in ISA-100.11.a is ensured through AES-128 encryption at the data link layer (hop to hop) and at the transport layer (end to end). The protocol also includes protection against replay and delay attacks based on timestamps and nonces. Joining an ISA-100.11.a network includes asymmetric cryptography, while the rest of the security functions are based on symmetric cryptography (AES-128).
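The timestamp-and-nonce freshness check that the paragraph attributes to ISA-100.11.a, written out as an added example rather than the standard's own frame format: the sender binds a per-sender nonce and a millisecond timestamp to the payload under a shared link key, and the receiver rejects forged, delayed and replayed frames. The key, header layout and delay tolerance are constructed assumptions, and HMAC-SHA256 from the standard library stands in for the AES-128 based integrity protection the protocol uses.

```python
import hmac
import hashlib
import struct

LINK_KEY = bytes(range(16))   # constructed 128-bit key shared by the two communicating nodes
HDR = struct.Struct(">IQ")    # 32-bit nonce (per-sender counter), timestamp in milliseconds
TAG_LEN = 16

def build_frame(key: bytes, nonce: int, ts: float, payload: bytes) -> bytes:
    """Sender: bind nonce and timestamp to the payload under the shared key.
    Truncated HMAC-SHA256 stands in for the AES-128 MAC of the real protocol."""
    header = HDR.pack(nonce, int(ts * 1000))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Receiving node: rejects forged, delayed and replayed frames."""
    def __init__(self, key: bytes, max_delay: float):
        self.key = key
        self.max_delay = max_delay      # tolerance for transit time plus clock drift
        self.seen = {}                  # nonce -> timestamp of accepted frames

    def accept(self, frame: bytes, now: float):
        """Return (True, payload) or (False, reason); 'now' is the receiver's clock."""
        if len(frame) < HDR.size + TAG_LEN:
            return False, "malformed"
        header, payload, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"          # forged or corrupted; nothing below is trusted
        nonce, ts_ms = HDR.unpack(header)
        ts = ts_ms / 1000
        if abs(now - ts) > self.max_delay:
            return False, "stale"            # held back in transit or clocks too far apart
        if nonce in self.seen:
            return False, "replay"           # an already accepted frame delivered again
        # Nonces older than the window can be forgotten: a replay of them fails the
        # timestamp check anyway, so the replay cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_delay}
        self.seen[nonce] = ts
        return True, payload
```

The MAC is checked before the timestamp and nonce so that an attacker cannot poison the replay cache with unauthenticated frames.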
In the ZigBee protocol [ZigBee Alliance 2012], coordinating devices take on the role of a trust center that allows other devices to join the network.
VSN SECURITY AND PRIVACY: OBSERVATIONS AND OPEN QUESTIONS
Key Observations and Limitations
Researchers such as Fleck and Straßer [2010] argue that privacy protection is no longer necessary in reactive systems because they do not continuously transmit data to a monitoring facility as proactive systems do. However, the reduction in the amount of data delivered does not mean that security and privacy protection are obsolete – especially the security aspects focused on nodes and users. The best protection of privacy is achieved when the VSN does not provide raw images, processed images or derived data that could reveal the identity of individuals.
For the design of secure, privacy-preserving VSNs, it is crucial to explore solutions that achieve a reasonable balance between privacy protection and system utility. A critical aspect is who is responsible for incorporating security and privacy protection, and when and at what level they are addressed. We advocate that security and privacy must be transformed into off-the-shelf solutions that can be implemented as simply as integrating a second image sensor.
VSNs and video surveillance are controversial topics; therefore, it is not only important to integrate adequate security and privacy protection, but also to be transparent and open.
Open Research Questions
These include secure topology control based on the fields of view of VSN devices or secure data exchange between nodes for joint image processing. Although cooperating cameras cannot access encoded information shared by other cameras, they can still perform signal processing on the input data. Second, privacy protection at the sensor level means that in-camera image processing and analysis applications must be adapted to deal with pre-processed and pre-filtered data.
We have already outlined the need to raise awareness about the presence of VSNs and provide feedback on the properties, capabilities, and implemented security features of VSNs. Modern mobile devices such as smartphones open the possibilities for much more sophisticated approaches where users are proactively notified of VSNs. Based on user identification, personal data can be encrypted with user-specific keys, which requires users to be actively involved in decrypting the data.
Wouldn't the inherent requirement to identify the user be even worse for user privacy than simply taking pictures?
Concluding Remarks