Merged security prompts privacy fears

Unified physical and IT security systems raise privacy issues

In George Orwell’s classic novel, 1984, surveillance devices constantly monitor the citizens of Oceana, and Big Brother controls their movements. Orwell may have missed his target by about 20 years, but parts of his ominous vision are imminently more possible now that physical and IT security systems are merging. 

Consider the network-connected door lock, which grants employees entry based on their identity or behavior according to policies that reside in a rules engine. That same door lock in theory could keep a person locked inside — say, until the end of his or her shift. Or consider biometric sensors and surveillance cameras, which can track your every move inside a building and develop a composite picture of your behavior, including your online activity.

Extreme? Maybe, but many questions remain as to how converged systems and the data they generate will be used. Few companies are willing to speak publicly about deployments of converged physical and IT security systems, says Eric Maurice, director of eTrust security management at Computer Associates. “They’re concerned about the perception the system will create with their own employees — the fear that this kind of tool will be used to monitor everybody in real time.”

Mark Cherry, global product development manager of Honeywell’s Enterprise Building Integrator product, says privacy issues are a moving target linked to public sentiment and legislation. “You’re always dealing with the civil liberties aspects of this,” he says, noting that companies in some Scandinavian countries must by law expunge data on employees’ access activities within 30 days.

In the United States, privacy advocates backed off some of their demands in the wake of Sept. 11. “But as time passes, the more relaxed people will become [about security measures]. We’re already seeing it,” Cherry adds. He notes that some businesses, such as pharmaceutical and health care companies, are required by regulators to collect information about employee activities. But at many companies, monitoring is not viewed as crucial. “If you’re in a warehouse pushing out paper, you probably don’t need to track everywhere John has been,” he says.

Other approaches to protecting employee privacy include keeping biometric data on a smart card as a private key rather than in a central database and carefully limiting access to certain data.

At Delaware State University, for example, in addition to having strong, publicly posted privacy policies, the IT department does not have access to data about students’ physical movements around campus, explains Dr. Charles D. Fletcher Jr., the university’s CIO. “We try to keep that separate,” he explains. “That makes good auditing policy.”