Milestone "GDPR-ready" Certification Claim Critiqued

By: Charles Rollet, Published on Aug 12, 2019

Milestone is touting that its latest XProtect VMS is "GDPR-ready" with a 'European Privacy Seal'.

However, our investigation raises significant concerns over the applicability and suitability of this certification. In this post, we examine Milestone's "GDPR Ready" claim, including:

  • What Milestone is claiming
  • Why the certifier has 'not been accredited'
  • How Milestone and the certifier EuroPriSe have responded
  • What part of Milestone's software is being left out of the certification
  • What improvements Milestone said they made
  • What other certifications exist, such as those Dahua and Uniview have used
  • What Genetec removed from their claim
  • What this tells us about GDPR certification schemes

Overall, this case shows clear limitations to GDPR certification, which are almost never mentioned in press releases, even well over a year after the law was implemented.

Milestone *****

** **** **,********* ****** * ***** release******* **** *** ****** XProtect *** *** *** "first ***** ***** ********** software *******" ** ****** GDPR-Ready *************, *******:

**** *** ****-***** ************* from *** *********** *** recognized ********* *********,end-users *** ** ********* **** **** **** *** ***** ********** ** ***** * **** ********* ***** ************ ************. [emphasis added]

*** ************* *** * "European ******* ****" ****** by ******* ****** ****************,***** ****** *"***** ****** ******"***** *** *******.

*** ********** ****** *** carried *** ** *** "legal" *** *** "*********" expert *** *** ** the ******* ****** ************:

Not **********, ******** *** ********

*** **** *********** ***** is **** ** "********* Note" ** *********'**** ******* *********** **** ******** **** "not **** ********" ***** EuroPrise ****** *** *** been ********** "** * certification ****":

**** ** *** **** certification ******* *** ** approved, ******* *****'* **** ********** ******** *** ******** ******** on *** ********** *** be **********, ******* *** GDPR ********** ********** **** in******** *******.

********* ** *** ** the **** ********* *** transparent **** ********** (****** originally **** ****** ** the******** **********),*** **** ** ********** that ***** *** ** official **** **********, ******* IPVM:

******* **** ********, *** formal ********** ****** ** completed *** **** ***** that ** **** *****,no *** ** ** *** ******** ** ***** ** ******** **** ************* [emphasis added]

Milestone *** *** ******** *** ********* **************

***** ********* ****** ************ that *** ************* ** not ********* ********, ********* did *** ******* **** anywhere ** *** ***** release ** ******* *****. This ** ******** ** EuroPriSe's *** ****************:

Customers ** ********* *** ********** ** ******** **** ******* **** ****** *** ** ***** that have been granted [emphasis added]

Mistake - *********: "**** *** ** * *******"

** ******** ** ***** non-disclosure ** *** *************'* legal ******, ********* **** us **** *********:

*** ***** ** *** certification *** ***** ** EuroPriSe [***** **] *** we **** ********** ********** and *** ********/*********** **. This *** ** * mistake, *** ** **** investigate *** ******* *** mistakes.

**** **** ****** *** reporting ** ** **** Milestone ******** *** ********.

Milestone ****** "******** ****-***** *************"

*********'* ***** ******* ****** that "*** ************* ****** all **** ************ ** Milestone ******** *********", * point ******* ********** ** a *****:

********* ** *** ********* report, *** ********* ******* of ******** **** *********:

Long **** ** *********, ********* ****** ***

*******, *** ****** ****** showed **** ******** ******** functions **** *** ******** at ***:

  • ****** ******
  • ****** *** *** ******
  • ********** ** ***** *** metadata
  • ******** *********'* ***** *****
  • ********* *** ******
  • ********* ****** *********

*******, *** ******** ****** app ** * ***** omission - ** *** over ***,*** *********:

Plugins/Biometrics ********

******* ***** ********, ***** unlike *** ****** *** not *********, *** *** 160+ ******* ********* *********** ***********.

*** **** *** **** reasons, **'* ************** **** Milestone *** *** ******* these *******, ******* ********* should **** **** **** clear, *********, **** ***** may ***** *** ******* are **** "**** *****", which ** ********* *** the ****.

**** ** ************ ********** since**** ********* ************ ****** ***********, * biometrics ******** ******** ********* by *******'* ******* *, *.*.:

*** **** ***** ** using ********** *** *********** in*********'* ******** **** ******* guide** ****. (*** **** on ********** ***, *** our**** ******** *** ********** ********** ******.)

Milestone: **'** ******* ****** "*** ****** ********", **** *** ****** **********

***** ** ******* **** out ** *********, **** told ** **** **** GDPR ******* *** ****** service "*** ****** ********" of ********, ***** * notice ***** *** ***** plugins "**** ** ***** to *** **** ******* of *** ******* *****".

Auditor: ********* *** ****

**ö** **********, * ******** ******* used ** ********* ** certify *********, **** **** he *** *** ******** the ******* ***** ** be "**** **********":

**, *** ********, ***** not **** *** ********** that **** **** ******* from *** *** "**** components" ** *** ***** that **** *** *********** for * ****** ************ of ******** *********. ***** thesecomponents ***** ** ******** *** ******* ********* **** *** ***** ******** ******** that have to be enabled or actively selected during the installation process in order to be used. [emphasis added]

*** ******* *** ********* is **** ***** '********' components **** ****-*** *** core ** *** *******'* own ********* *********** *** marketing. *********'* ***** ******** on ***** ** **** platform *** ********* *** 3rd ******* ** *** within ********* ** ********* by ***** ******* ***** 'certified' *** **** *** disclosed.

**** *************, ******** ********** and*** ****** ** '****'** ********.

EuroPriSe: ****** ******* ** **********

********* **** **** **** "cherry ******* ** **********" when ** ***** ** their **** **************:

** ********* *** ****** shape ** *** ************* of *********’* *** ** the ********* ** *** certification ******* *** ******* that *** ****** ** evaluation ** **** ********** and ****-*********.

No ********* ******* *********

****** ********** ** * very ********* **** ** the ****, ***** ******** "******* ** ******" *** "***** ** *** ***" ********* *** ********* data ******** ** ** to ** ******* ***** or *% ** ****** revenue, ********* ** ******(******* **).

*******, ********* ****** *** not **** *********'* ********** strength. *******, ********* **** IPVM ****, ***** ** does ********* ** *** own ********, **** **** it "*****[**] *** *******" of ******* ****'* ****:

* *** **** *** been ********* ** ***** privacy / ** ******** experts ********.** ** **** *** task ** *** ********* Experts ** ***** *** results ** **** *** test *** ** ****** that *** **** ********* has ***** *********** ******** to **** **** ********** shortcomings (** ***).

** *** ********* ******, encryption ******** *** *** one ** *** **********'* four "************." ******, **** of *** ********* ********** relied ** ******* ** Milestone ********* - ******* its **** ******* ***** and ***** *************, *** underlined *****:

Improvements ****

********* *** *** **** made * ****** ** improvements ****** **** ************* process, *********:

* *** *** ******, Smart ****** <.> ********* server **********, ***** ****** ********** ****** ********** (including *** ********* *** component: *** ******** ******), and *** ** *** Channels ******* ******** ***************. A ****** ** ***** improvements **** ******* **** as *** ****** ****** certificate ******** *** *** new ****** *************/******** ********** for *** ***** ****** of *******.

Other **************

********* ** *** **** the **** ***** ************ firm ** *** **** certification. ******* ******* ****** company *******Ü* *************** **** *******, *** unlike *********, ** **** not ******* *** ****** reports ***** *** ************* nor ****** ********* **** the *****.

*******, *Ü* ********* ****** vague **** '**************' ** Dahua *** *******, *** quickly *** ******* ******* that **** ***** ***** products **** ******* "**** compliant". (*** ****, ******** ******** *** *** GDPR *********, ** ******** Can **).

Genetec ********* ********* "*** ********** ****-*****"

******* *** **** ****** its ********* "****-*****" ****** for********** ******* *********:

*******, ******* **** **** it *** ******* *********** this *** ** *********'* lack ** *************/*************. ***** we ******* *** **** the ************ ***************** *** ************* *** not ******* ****, *** following ********** *** *****:

Highlights ***** **** **** ************* *******

*** ********* ******, ** our ********, ********** * number ** ****** **** GDPR ************* *******, ******:

  • *** ** *** *** to ********* ** ************* process *** **********, *** has *** ****** *** guidance ***** **** ******** should ** **** ** judge **** *********.
  • ******* ** ****, ***** is ** "********" **** certifier, ***** ******* ********** can **** ** ***** own ******** ** ***** whether * ****** ** "GDPR *****" ** ***. This ***** ***** *** omit *********** ******** ** a ****** ** **** see *** **** ***** evaluations.
  • ***** "**** *****" ******* a ***** **** * system *** ****** ********** i.e. ******** *** ****** of * **** ******, certifiers ** *** **** to ******* ***** *** PenTests.

*******, **** ** ***** clear *********** *** ********* when ********* **** ***** GDPR ************** ** ***** releases (*** *** ********* is *******'* ******* ******.)

**********

** *** **** ******* an ************ ********* ***** for ***** ************, **'* important ** **** ** mind *** ***** *********** of **** **************. ***** true ***** ** ********* to ****** ****** *** EU ****** ******** ************* schemes *** ******** **********.

Comments (13)

"*** **** **** ****** pick ** *** ******* manufacturers?"

-- ******** ** ***** integrators

***** *********** **** ********* GDPR *****? :)

** *** ***********, ** a ******* ****, * have **** **** ****** heavily **** ****** **** are ***** **** **** use | **** | make *** ****** ** other ******. ** ******* in ****** ********* ********** that **** ** ****** against **** **** *** | **** | ****.

*** ** *** ******* things ** ** ** that **** ******* ** data ***********, ********* *** sub-processors ** *** ************* of * ******* ** opposed ** * ******* delivered ****** **** *** have **** **** ** do **** ******* ** not *** **** ******** rights *** ******* ** practice.  ** ***** ** EU ********** * ***** refer ** *****://****.******.**/****-**********/****-**********/*********-*******/*****-*************** ***** ** *** *** comment.  ** *********** ** are ********** ******** ** the ******** ********.

**'* *** *** ******* link ** **** **** the ***** ************ ****, so **** ** *** link ** *** ****** guidance*****://****.******.**/*****/****/*****/************/****************************************.***

** *********, ****** *** the *******. ***** *** guidelines *** ****** *** best ******** *** ***** right *** *** **** video ************ **********. ** actually ******* **** **** they **** ******** **** in ****, ****** **** ********** *** Video ************ ********.*** ********** *** *********** (there ** * ****** comment ******) ***** ********* 6; ** **** ****** if *** ***** ******* are ****.

** ****** *******. *'* say **** *** ***** the ******** *** *****. You **** * ****** of ****** ** *** UK, *,*, **** *** BSI **** ** ** the ****** ******,*** **** *** ** surveillance ************, ** (***********) put * ****** ** these ******** ** **** document **** *** ****** it ** * ****** old ************ ***** ** and ***** ************ **** have ******* *****,*** ******* ******* ********** | ******** ******** ***********

*** ** * ********* above, ** (***********) *** currently ********** ******** (********* in *** ** *** EU) ** **** ** provide * ******** ** the ****. ** ****** wants ** ******* *********** the ****** *** ** accessed ****.*************** — ************/* ***

** *******, ** *** conducting ******** ** **** at *********** *** *** response *** * ******** if * ***** *** a **** **** ** try ** ****** *** input *** * ******** to *** ****. ****** that ************ *** ***-** for ********.

****, ** *****.

******, ****** ** ** a *** **********.**** ** *** ****.

**** *** ** ** IAPP **** *** *** Portuguese ********** **** **** effect. *** ********* *** included ** *** ***** for ***** ************ ***** the **********:

***** ************ ** ********** to *** **** ** protect ****** *** ******, which ** ** **** with *** ****’* ******** in ******** ** ***** surveillance. *** *** *********** the ******* ****** ****** public *****, ******** ** areas ******** ** *******, users ** *******, **** as *********, ******* ***** and ******** *****, *** can ** ***** ** ATMs ** **** * manner **** ** ******** the ********.

********* ** ******* ** some **** *** *** spreading ****.

*** ****** ******* *** some ***** ************ *** having ***** ** **** may ***** **** ********** Milestone ******* ***** *** immune **** **** ********** using *** *******. **** is ******* *** *** case, *** ********** ** his ****** ** ***, he *** *** ******* with **** **** *** lots ** **** **** if ** **** *** systems ** *** ***** way. ******* ** *** Milestone "******* *** *******" is ********** - *** damage *** **** ****, and *** ******** ****** its ******* (**** **** Milestone).

*** *** **** ** that **** ***** ************ systems ****** ****** *** you **** ** ** able ** ******** ***** people. ** *****'* ****** matter **** *** ******* things ** *** ********* have *** ********** **** as ****. *********, ***'** using * ****** ******** to ***** ******* ** people *** *** ** identified. **** *** ** that - ***** ****** have * ***** ** get ******* **** **** database. ** ***'** ********* for ** **** ** 100s ** *******, **** task *** ** * major **** ** *** ass. ** *** **** time, *** **** ** filter *** ******** ****!!! Certified ** ***.

*** ******* ***** ** in ****** (*** ****** to *********); * ********** put **** ** *** test *** ************ *** NOT ****** **** "** was * ****** ** export *****" ** * valid ****** *** *** providing * **** ** the *******.

*****://***.********.**/*******/************-*****-*****-*****-********-********-****-**-********-*****************-*******

*** ***** *** ****** VMS *****/********* ****** ****?

** * ****** ** here. **** **** ******* was ****** * **** a ******* (**) ****** request ** ********** ****/******* point ** *******. * did *** * ******* acknowledgement *** ** ******* response. * **** ****** it ** **** ***. Clock *** *** ****** 2 ******. ** *** all *** **** ******** what ******* ** *********** privacy, *** ** *** not ****.

***, ****** *** *******! I ********* **** ******* to ********* ****** **** to ****** *** *******.
