Milestone "GDPR-ready" Certification Claim Critiqued

By Charles Rollet, Published Aug 12, 2019, 08:09am EDT

Milestone is touting that its latest XProtect VMS is "GDPR-ready" with a 'European Privacy Seal'.

However, our investigation raises significant concerns over the applicability and suitability of this claim. In this post, we examine Milestone's "GDPR Ready" claim, including:

  • What Milestone is claiming
  • Why the certifier has 'not been accredited'
  • How Milestone and the certifier EuroPriSe have responded
  • What part of Milestone's software is being left out of the certification
  • What improvements Milestone said they made
  • What other certifications exist, such as those Dahua and Uniview have used
  • What Genetec removed from their claim
  • What this tells us about GDPR certification schemes

Overall, this case shows clear limitations to GDPR certification, limitations that are almost never mentioned in press releases, even well over a year after the law was implemented.

Milestone *****

** **** **,********* ****** * ***** ************** **** *** ****** ******** *** was *** "***** ***** ***** ********** software *******" ** ****** ****-***** *************, writing:

**** *** ****-***** ************* **** *** independent *** ********** ********* *********,end-users *** ** ********* **** **** **** *** ***** ********** ** ***** * **** ********* ***** ************ ************. [emphasis added]

*** ************* *** * "******** ******* Seal" ****** ** ******* ****** ****************,***** ****** *"***** ****** ******"***** *** *******.

*** ********** ****** *** ******* *** by *** "*****" *** *** "*********" expert *** *** ** *** ******* German ************:

Not **********, ******** *** ********

*** **** *********** ***** ** **** an "********* ****" ** *********'**** ******* *********** **** ******** **** "*** **** approved" ***** ********* ****** *** *** been ********** "** * ************* ****":

**** ** *** **** ************* ******* are ** ********, ******* *****'* **** ********** ******** *** ******** ******** ** *** certifiers *** ** **********, ******* *** GDPR ********** ********** **** ********** *******.

********* ** *** ** *** **** respected *** *********** **** ********** (****** originally **** ****** ** *********** **********),*** **** ** ********** **** ***** are ** ******** **** **********, ******* IPVM:

******* **** ********, *** ****** ********** cannot ** ********* *** **** ***** that ** **** *****,no *** ** ** *** ******** ** ***** ** ******** **** ************* [emphasis added]

Milestone *** *** ******** *** ********* **************

***** ********* ****** ************ **** *** certification ** *** ********* ********, ********* did *** ******* **** ******** ** its ***** ******* ** ******* *****. This ** ******** ** *********'* *** explicit********:

Customers ** ********* *** ********** ** ******** **** ******* **** ****** *** ** ***** that have been granted [emphasis added]

Mistake - *********: "**** *** ** * *******"

** ******** ** ***** ***-********** ** the *************'* ***** ******, ********* **** us **** *********:

*** ***** ** *** ************* *** given ** ********* [***** **] *** we **** ********** ********** *** *** repeated/interpreted **. **** *** ** * mistake, *** ** **** *********** *** correct *** ********.

**** **** ****** *** ********* ** or **** ********* ******** *** ********.

Milestone ****** "******** ****-***** *************"

*********'* ***** ******* ****** **** "*** certification ****** *** **** ************ ** Milestone ******** *********", * ***** ******* emphasized ** * *****:

********* ** *** ********* ******, *** following ******* ** ******** **** *********:

Long **** ** *********, ********* ****** ***

*******, *** ****** ****** ****** **** numerous ******** ********* **** *** ******** at ***:

  • ****** ******
  • ****** *** *** ******
  • ********** ** ***** *** ********
  • ******** *********'* ***** *****
  • ********* *** ******
  • ********* ****** *********

*******, *** ******** ****** *** ** a ***** ******** - ** *** over ***,*** *********:

Plugins/Biometrics ********

******* ***** ********, ***** ****** *** others *** *** *********, *** *** 160+ ******* ********* *********** ***********.

*** **** *** **** *******, **'* understandable **** ********* *** *** ******* these *******, ******* ********* ****** **** been **** *****, *********, **** ***** may ***** *** ******* *** **** "GDPR *****", ***** ** ********* *** the ****.

**** ** ************ ********** ********* ********* ************ ****** ***********, * ********** ******** strictly ********* ** *******'* ******* *, *.*.:

*** **** ***** ** ***** ********** are *********** ***********'* ******** **** ******* ******* ****. (*** **** ** ********** use, *** ******* ******** *** ********** ********** ******.)

Milestone: **'** ******* ****** "*** ****** ********", **** *** ****** **********

***** ** ******* **** *** ** Milestone, **** **** ** **** **** GDPR ******* *** ****** ******* "*** future ********" ** ********, ***** * notice ***** *** ***** ******* "**** be ***** ** *** **** ******* of *** ******* *****".

Auditor: ********* *** ****

**ö** **********, * ******** ******* **** ** EuroPriSe ** ******* *********, **** **** he *** *** ******** *** ******* parts ** ** "**** **********":

**, *** ********, ***** *** **** the ********** **** **** **** ******* from *** *** "**** **********" ** the ***** **** **** *** *********** for * ****** ************ ** ******** Corporate. ***** *****components ***** ** ******** *** ******* ********* **** *** ***** ******** ******** that have to be enabled or actively selected during the installation process in order to be used. [emphasis added]

*** ******* *** ********* ** **** these '********' ********** **** ****-*** *** core ** *** *******'* *** ********* positioning *** *********. *********'* ***** ******** on ***** ** **** ******** *** community *** *** ******* ** *** within ********* ** ********* ** ***** neither ***** '*********' *** **** *** disclosed.

**** *************, ******** ********** ****** ****** ** '****'** ********.

EuroPriSe: ****** ******* ** **********

********* **** **** **** "****** ******* is **********" **** ** ***** ** their **** **************:

** ********* *** ****** ***** ** the ************* ** *********’* *** ** the ********* ** *** ************* ******* and ******* **** *** ****** ** evaluation ** **** ********** *** ****-*********.

No ********* ******* *********

****** ********** ** * **** ********* part ** *** ****, ***** ******** "******* ** ******" *** "***** ** *** ***" ********* *** ********* **** ******** by ** ** ** ******* ***** or *% ** ****** *******, ********* is ******(******* **).

*******, ********* ****** *** *** **** Milestone's ********** ********. *******, ********* **** IPVM ****, ***** ** **** ********* do *** *** ********, **** **** it "*****[**] *** *******" ** ******* firm's ****:

* *** **** *** **** ********* by ***** ******* / ** ******** experts ********.** ** **** *** **** ** the ********* ******* ** ***** *** results ** **** *** **** *** to ****** **** *** **** ********* has ***** *********** ******** ** **** with ********** ************ (** ***).

** *** ********* ******, ********** ******** was *** *** ** *** **********'* four "************." ******, **** ** *** EuroPriSe ********** ****** ** ******* ** Milestone ********* - ******* *** **** Privacy ***** *** ***** *************, *** underlined *****:

Improvements ****

********* *** *** **** **** * number ** ************ ****** **** ************* process, *********:

* *** *** ******, ***** ****** <.> ********* ****** **********, ***** ****** ********** ****** ********** (********* *** important *** *********: *** ******** ******), and *** ** *** ******** ******* channels ***************. * ****** ** ***** improvements **** ******* **** ** *** Mobile ****** *********** ******** *** *** new ****** *************/******** ********** *** *** first ****** ** *******.

Other **************

********* ** *** **** *** **** video ************ **** ** *** **** certification. ******* ******* ****** ******* *******Ü* *************** **** *******, *** ****** *********, it **** *** ******* *** ****** reports ***** *** ************* *** ****** questions **** *** *****.

*******, *Ü* ********* ****** ***** **** 'certifications' ** ***** *** *******, *** quickly *** ******* ******* **** **** meant ***** ******** **** ******* "**** compliant". (*** ****, ******** ******** *** *** **** *********, No ******** *** **).

Genetec ********* ********* "*** ********** ****-*****"

******* *** **** ****** *** ********* "GDPR-Ready" ****** ************* ******* *********:

*******, ******* **** **** ** *** stopped *********** **** *** ** *********'* lack ** *************/*************. ***** ** ******* out **** *** ************ ***************** *** ************* *** *** ******* this, *** ********* ********** *** *****:

Highlights ***** **** **** ************* *******

*** ********* ******, ** *** ********, highlights * ****** ** ****** **** GDPR ************* *******, ******:

  • *** ** *** *** ** ********* an ************* ******* *** **********, *** has *** ****** *** ******** ***** what ******** ****** ** **** ** judge **** *********.
  • ******* ** ****, ***** ** ** "official" **** *********, ***** ******* ********** can **** ** ***** *** ******** to ***** ******* * ****** ** "GDPR *****" ** ***. **** ***** firms *** **** *********** ******** ** a ****** ** **** *** *** when ***** ***********.
  • ***** "**** *****" ******* * ***** that * ****** *** ****** ********** i.e. ******** *** ****** ** * data ******, ********** ** *** **** to ******* ***** *** ********.

*******, **** ** ***** ***** *********** are ********* **** ********* **** ***** GDPR ************** ** ***** ******** (*** one ********* ** *******'* ******* ******.)

**********

** *** **** ******* ** ************ important ***** *** ***** ************, **'* important ** **** ** **** *** clear *********** ** **** **************. ***** true ***** ** ********* ** ****** before *** ** ****** ******** ************* schemes *** ******** **********.

Comments (13)

"Why does IPVM always pick on the Chinese manufacturers?"

-- Plethora of Hikua integrators

Funny: 3

Hikua integrators read Milestone GDPR posts? :)

In all seriousness, as a general rule, I have seen that people heavily read topics that are about what they use | sell | make and rarely on other topics. It results in people regularly concluding that IPVM is biased against what they use | sell | make.

Agree: 3
Informative: 4

One of the curious things to me is that GDPR relates to data controllers, processors and sub-processors so the certification of a product as opposed to a service delivered really does not have very much to do with whether or not the data subjects' rights are honored in practice. In terms of EU guidelines I would refer to https://edps.europa.eu/data-protection/data-protection/reference-library/video-surveillance_en which is out for comment. At OpenConsent we are conducting research on the proposed guidance.

Agree: 1

It's not the easiest link to find from the basic surveillance page, so here is the link to the latest guidance https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201903_videosurveillance.pdf

Informative: 1

Hi Salvatore, thanks for the comment. Those new guidelines are indeed the best resource out there right now for GDPR video surveillance compliance. We actually covered this when they were released back in July, see New GDPR Guidelines for Video Surveillance Examined. The guidelines are provisional (there is a public comment period) until September 6; we will update if any major changes are made.


Of course Charles. I'd say they are among the guidance out there. You have a number of things in the UK, e.g. from the BSI this is in the public domain, and also the UK surveillance commissioner, we (OpenConsent) put a number of these together in this document with SIA though it is a little old particularly given CA and other requirements that have evolved since, SIA Privacy Profile References | Security Industry Association

And as I mentioned above, we (OpenConsent) are currently conducting research (primarily in the UK and EU) on this to provide a response to the EDPB. If anyone wants to provide information the survey can be accessed here. opnsurveillance — OpenConsent k/r Sal


Hi Charles, we are conducting research on this at OpenConsent for the response and I wondered if I could put a link here to try to expand the input for a response to the EDPB. Anyone that participates can opt-in for findings.


Sure, go ahead.


Thanks, posted it in a new discussion. This is the link.


Also saw in an IAPP feed the new Portuguese regulation went into effect. The following was included as the scope for video surveillance under the regulation:

Video surveillance is restricted to the need to protect people and assets, which is in line with the CNPD’s position in relation to video surveillance. The law establishes the cameras cannot target public roads, interior of areas reserved to clients, users or workers, such as bathrooms, waiting rooms and dressing rooms, nor can it point to ATMs in such a manner that it captures the keyboard.


Milestone is engaged in some good old FUD spreading here.

Joe Schmoe looking for some video surveillance and having heard of GDPR may think that installing Milestone somehow makes him immune from GDPR violations using the product. This is clearly not the case, and regardless of his choice of VMS, he may get saddled with high fees and lots of shit work if he uses the systems in the wrong way. Whether or not Milestone "correct the mistake" is irrelevant - the damage has been done, and the campaign served its purpose (well done Milestone).

IMO the crux is that most video surveillance systems record people and you want to be able to identify these people. It doesn't really matter that you encrypt things as you obviously have the decryption keys as well. Basically, you're using a system designed to amass footage of people who can be identified. When you do that - those people have a right to get deleted from your database. If you're recording for 30 days on 100s of cameras, this task can be a major pain in the ass. At the same time, you have to filter out everyone else!!! Certified or not.

The article below is in Danish (use Google to translate); a journalist put GDPR to the test and Datatilsynet did NOT accept that "it was a hassle to export video" as a valid excuse for not providing a copy of the footage.

https://www.version2.dk/artikel/datatilsynet-ringe-video-evner-ugyldigt-argument-ikke-at-udlevere-overvaagningsklip-1086872

Are there any honest VMS sales/marketing people left?

Disagree: 1
Informative: 1
Funny: 1

As a follow-up here. When this article was posted I made a subject (me) access request to Milestone's GDPR/privacy point of contact. I did get a receipt acknowledgement but no further response. I then resent it 10 days ago. Clock has now passed 2 months. So for all the GDPR stickers what matters is operational privacy, and so far not much.


Sal, thanks for sharing! I forwarded your comment to Milestone asking them to review and respond.
