Milestone "GDPR-ready" Certification Claim Critiqued

By Charles Rollet, Published Aug 12, 2019, 08:09am EDT

Milestone is touting that its latest XProtect VMS is "GDPR-ready" with a 'European Privacy Seal'.

IPVM Image

However, our investigation raises significant concerns over the applicability and suitability of this. In this post, we examine Milestone's "GDPR Ready" claim, including:

  • What Milestone is claiming
  • Why the certifier has 'not been accredited'
  • How Milestone and the certifier EuroPriSe has responded
  • What part of Milestone's software is being left out of the certification
  • What improvements Milestone said they made
  • What other certifications exist, such as Dahua and Uniview have used
  • What Genetec removed from their claim
  • What this tells us about GDPR certification schemes

Overall, this case shows clear limitations to GDPR certification - that is almost never mentioned in press releases- even well over a year after the law was implemented.

Milestone *****

** **** **,********* ****** * ***** release******* **** *** ****** XProtect *** *** *** "first ***** ***** ********** software *******" ** ****** GDPR-Ready *************, *******:

**** *** ****-***** ************* from *** *********** *** recognized ********* *********,end-users *** ** ********* **** **** **** *** ***** ********** ** ***** * **** ********* ***** ************ ************. [emphasis added]

*** ************* *** * "European ******* ****" ****** by ******* ****** ****************,***** ****** *"***** ****** ******"***** *** *******.

IPVM Image

*** ********** ****** *** carried *** ** *** "legal" *** *** "*********" expert *** *** ** the ******* ****** ************:

IPVM Image

Not **********, ******** *** ********

*** **** *********** ***** is **** ** "********* Note" ** *********'**** ******* *********** **** ******** **** "not **** ********" ***** EuroPrise ****** *** *** been ********** "** * certification ****":

IPVM Image

**** ** *** **** certification ******* *** ** approved, ******* *****'* **** ********** ******** *** ******** ******** on *** ********** *** be **********, ******* *** GDPR ********** ********** **** in******** *******.

********* ** *** ** the **** ********* *** transparent **** ********** (****** originally **** ****** ** the******** **********),*** **** ** ********** that ***** *** ** official **** **********, ******* IPVM:

******* **** ********, *** formal ********** ****** ** completed *** **** ***** that ** **** *****,no *** ** ** *** ******** ** ***** ** ******** **** ************* [emphasis added]

Milestone *** *** ******** *** ********* **************

***** ********* ****** ************ that *** ************* ** not ********* ********, ********* did *** ******* **** anywhere ** *** ***** release ** ******* *****. This ** ******** ** EuroPriSe's *** ****************:

Customers ** ********* *** ********** ** ******** **** ******* **** ****** *** ** ***** that have been granted [emphasis added]

Mistake - *********: "**** *** ** * *******"

** ******** ** ***** non-disclosure ** *** *************'* legal ******, ********* **** us **** *********:

*** ***** ** *** certification *** ***** ** EuroPriSe [***** **] *** we **** ********** ********** and *** ********/*********** **. This *** ** * mistake, *** ** **** investigate *** ******* *** mistakes.

**** **** ****** *** reporting ** ** **** Milestone ******** *** ********.

Milestone ****** "******** ****-***** *************"

*********'* ***** ******* ****** that "*** ************* ****** all **** ************ ** Milestone ******** *********", * point ******* ********** ** a *****:

IPVM Image

********* ** *** ********* report, *** ********* ******* of ******** **** *********:

IPVM Image

Long **** ** *********, ********* ****** ***

*******, *** ****** ****** showed **** ******** ******** functions **** *** ******** at ***:

  • ****** ******
  • ****** *** *** ******
  • ********** ** ***** *** metadata
  • ******** *********'* ***** *****
  • ********* *** ******
  • ********* ****** *********

*******, *** ******** ****** app ** * ***** omission - ** *** over ***,*** *********:

IPVM Image

Plugins/Biometrics ********

******* ***** ********, ***** unlike *** ****** *** not *********, *** *** 160+ ******* ********* *********** ***********.

*** **** *** **** reasons, **'* ************** **** Milestone *** *** ******* these *******, ******* ********* should **** **** **** clear, *********, **** ***** may ***** *** ******* are **** "**** *****", which ** ********* *** the ****.

**** ** ************ ********** since**** ********* ************ ****** ***********, * biometrics ******** ******** ********* by *******'* ******* *, *.*.:

IPVM Image

*** **** ***** ** using ********** *** *********** in*********'* ******** **** ******* guide** ****. (*** **** on ********** ***, *** our**** ******** *** ********** ********** ******.)

Milestone: **'** ******* ****** "*** ****** ********", **** *** ****** **********

***** ** ******* **** out ** *********, **** told ** **** **** GDPR ******* *** ****** service "*** ****** ********" of ********, ***** * notice ***** *** ***** plugins "**** ** ***** to *** **** ******* of *** ******* *****".

Auditor: ********* *** ****

**ö** **********, * ******** ******* used ** ********* ** certify *********, **** **** he *** *** ******** the ******* ***** ** be "**** **********":

**, *** ********, ***** not **** *** ********** that **** **** ******* from *** *** "**** components" ** *** ***** that **** *** *********** for * ****** ************ of ******** *********. ***** thesecomponents ***** ** ******** *** ******* ********* **** *** ***** ******** ******** that have to be enabled or actively selected during the installation process in order to be used. [emphasis added]

*** ******* *** ********* is **** ***** '********' components **** ****-*** *** core ** *** *******'* own ********* *********** *** marketing. *********'* ***** ******** on ***** ** **** platform *** ********* *** 3rd ******* ** *** within ********* ** ********* by ***** ******* ***** 'certified' *** **** *** disclosed.

**** *************, ******** ********** and*** ****** ** '****'** ********.

EuroPriSe: ****** ******* ** **********

********* **** **** **** "cherry ******* ** **********" when ** ***** ** their **** **************:

** ********* *** ****** shape ** *** ************* of *********’* *** ** the ********* ** *** certification ******* *** ******* that *** ****** ** evaluation ** **** ********** and ****-*********.

No ********* ******* *********

****** ********** ** * very ********* **** ** the ****, ***** ******** "******* ** ******" *** "***** ** *** ***" ********* *** ********* data ******** ** ** to ** ******* ***** or *% ** ****** revenue, ********* ** ******(******* **).

*******, ********* ****** *** not **** *********'* ********** strength. *******, ********* **** IPVM ****, ***** ** does ********* ** *** own ********, **** **** it "*****[**] *** *******" of ******* ****'* ****:

* *** **** *** been ********* ** ***** privacy / ** ******** experts ********.** ** **** *** task ** *** ********* Experts ** ***** *** results ** **** *** test *** ** ****** that *** **** ********* has ***** *********** ******** to **** **** ********** shortcomings (** ***).

** *** ********* ******, encryption ******** *** *** one ** *** **********'* four "************." ******, **** of *** ********* ********** relied ** ******* ** Milestone ********* - ******* its **** ******* ***** and ***** *************, *** underlined *****:

IPVM Image

Improvements ****

********* *** *** **** made * ****** ** improvements ****** **** ************* process, *********:

* *** *** ******, Smart ****** <.> ********* server **********, ***** ****** ********** ****** ********** (including *** ********* *** component: *** ******** ******), and *** ** *** Channels ******* ******** ***************. A ****** ** ***** improvements **** ******* **** as *** ****** ****** certificate ******** *** *** new ****** *************/******** ********** for *** ***** ****** of *******.

Other **************

********* ** *** **** the **** ***** ************ firm ** *** **** certification. ******* ******* ****** company *******Ü* *************** **** *******, *** unlike *********, ** **** not ******* *** ****** reports ***** *** ************* nor ****** ********* **** the *****.

*******, *Ü* ********* ****** vague **** '**************' ** Dahua *** *******, *** quickly *** ******* ******* that **** ***** ***** products **** ******* "**** compliant". (*** ****, ******** ******** *** *** GDPR *********, ** ******** Can **).

Genetec ********* ********* "*** ********** ****-*****"

******* *** **** ****** its ********* "****-*****" ****** for********** ******* *********:

IPVM Image

*******, ******* **** **** it *** ******* *********** this *** ** *********'* lack ** *************/*************. ***** we ******* *** **** the ************ ***************** *** ************* *** not ******* ****, *** following ********** *** *****:

IPVM Image

Highlights ***** **** **** ************* *******

*** ********* ******, ** our ********, ********** * number ** ****** **** GDPR ************* *******, ******:

  • *** ** *** *** to ********* ** ************* process *** **********, *** has *** ****** *** guidance ***** **** ******** should ** **** ** judge **** *********.
  • ******* ** ****, ***** is ** "********" **** certifier, ***** ******* ********** can **** ** ***** own ******** ** ***** whether * ****** ** "GDPR *****" ** ***. This ***** ***** *** omit *********** ******** ** a ****** ** **** see *** **** ***** evaluations.
  • ***** "**** *****" ******* a ***** **** * system *** ****** ********** i.e. ******** *** ****** of * **** ******, certifiers ** *** **** to ******* ***** *** PenTests.

*******, **** ** ***** clear *********** *** ********* when ********* **** ***** GDPR ************** ** ***** releases (*** *** ********* is *******'* ******* ******.)

**********

** *** **** ******* an ************ ********* ***** for ***** ************, **'* important ** **** ** mind *** ***** *********** of **** **************. ***** true ***** ** ********* to ****** ****** *** EU ****** ******** ************* schemes *** ******** **********.

Comments (13)

"*** **** **** ****** pick ** *** ******* manufacturers?"

-- ******** ** ***** integrators

***** *********** **** ********* GDPR *****? :)

** *** ***********, ** a ******* ****, * have **** **** ****** heavily **** ****** **** are ***** **** **** use | **** | make *** ****** ** other ******. ** ******* in ****** ********* ********** that **** ** ****** against **** **** *** | **** | ****.

*** ** *** ******* things ** ** ** that **** ******* ** data ***********, ********* *** sub-processors ** *** ************* of * ******* ** opposed ** * ******* delivered ****** **** *** have **** **** ** do **** ******* ** not *** **** ******** rights *** ******* ** practice.  ** ***** ** EU ********** * ***** refer ** *****://****.******.**/****-**********/****-**********/*********-*******/*****-*************** ***** ** *** *** comment.  ** *********** ** are ********** ******** ** the ******** ********.

**'* *** *** ******* link ** **** **** the ***** ************ ****, so **** ** *** link ** *** ****** guidance*****://****.******.**/*****/****/*****/************/****************************************.***

** *********, ****** *** the *******. ***** *** guidelines *** ****** *** best ******** *** ***** right *** *** **** video ************ **********. ** actually ******* **** **** they **** ******** **** in ****, ****** **** ********** *** Video ************ ********.*** ********** *** *********** (there ** * ****** comment ******) ***** ********* 6; ** **** ****** if *** ***** ******* are ****.

** ****** *******. *'* say **** *** ***** the ******** *** *****. You **** * ****** of ****** ** *** UK, *,*, **** *** BSI **** ** ** the ****** ******,*** **** *** ** surveillance ************, ** (***********) put * ****** ** these ******** ** **** document **** *** ****** it ** * ****** old ************ ***** ** and ***** ************ **** have ******* *****,*** ******* ******* ********** | ******** ******** ***********

*** ** * ********* above, ** (***********) *** currently ********** ******** (********* in *** ** *** EU) ** **** ** provide * ******** ** the ****. ** ****** wants ** ******* *********** the ****** *** ** accessed ****.*************** — ************/* ***

** *******, ** *** conducting ******** ** **** at *********** *** *** response *** * ******** if * ***** *** a **** **** ** try ** ****** *** input *** * ******** to *** ****. ****** that ************ *** ***-** for ********.

****, ** *****.

******, ****** ** ** a *** **********.**** ** *** ****.

**** *** ** ** IAPP **** *** *** Portuguese ********** **** **** effect. *** ********* *** included ** *** ***** for ***** ************ ***** the **********:

***** ************ ** ********** to *** **** ** protect ****** *** ******, which ** ** **** with *** ****’* ******** in ******** ** ***** surveillance. *** *** *********** the ******* ****** ****** public *****, ******** ** areas ******** ** *******, users ** *******, **** as *********, ******* ***** and ******** *****, *** can ** ***** ** ATMs ** **** * manner **** ** ******** the ********.

********* ** ******* ** some **** *** *** spreading ****.

*** ****** ******* *** some ***** ************ *** having ***** ** **** may ***** **** ********** Milestone ******* ***** *** immune **** **** ********** using *** *******. **** is ******* *** *** case, *** ********** ** his ****** ** ***, he *** *** ******* with **** **** *** lots ** **** **** if ** **** *** systems ** *** ***** way. ******* ** *** Milestone "******* *** *******" is ********** - *** damage *** **** ****, and *** ******** ****** its ******* (**** **** Milestone).

*** *** **** ** that **** ***** ************ systems ****** ****** *** you **** ** ** able ** ******** ***** people. ** *****'* ****** matter **** *** ******* things ** *** ********* have *** ********** **** as ****. *********, ***'** using * ****** ******** to ***** ******* ** people *** *** ** identified. **** *** ** that - ***** ****** have * ***** ** get ******* **** **** database. ** ***'** ********* for ** **** ** 100s ** *******, **** task *** ** * major **** ** *** ass. ** *** **** time, *** **** ** filter *** ******** ****!!! Certified ** ***.

*** ******* ***** ** in ****** (*** ****** to *********); * ********** put **** ** *** test *** ************ *** NOT ****** **** "** was * ****** ** export *****" ** * valid ****** *** *** providing * **** ** the *******.

*****://***.********.**/*******/************-*****-*****-*****-********-********-****-**-********-*****************-*******

*** ***** *** ****** VMS *****/********* ****** ****?

** * ****** ** here. **** **** ******* was ****** * **** a ******* (**) ****** request ** ********** ****/******* point ** *******. * did *** * ******* acknowledgement *** ** ******* response. * **** ****** it ** **** ***. Clock *** *** ****** 2 ******. ** *** all *** **** ******** what ******* ** *********** privacy, *** ** *** not ****.

***, ****** *** *******! I ********* **** ******* to ********* ****** **** to ****** *** *******.

Read this IPVM report for free.

This article is part of IPVM's 6,651 reports, 895 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports