By: Nat Puffer
I’m not sure if it’s serendipity or if SXSW was particularly rowdy this year, but I ran across several people on TWiT talking about Taser’s new offering to support their AXON system. If you’re interested in the original interview with Jason Droege, check it out here. This story piqued my interest since this particular offering is the convergence of so many emergent areas. It’s almost like Taser decided to take on every possible hot topic all at once, but a bit of background first.
For a while Taser has been looking for ways to take the windfall from non-lethal weaponry and branch out. One of their solutions almost seems too obvious. The AXON system is a combination of a head-mounted camera, buffering system, and tactical computer. The general idea is that the benefits of the dashcam for officers in the field have been proven, so why not have that capability for an officer away from their car? The added benefit is POV coverage. What better way to judge after the fact if a tasing was justified than if you can see and hear what the officer saw in full HD?
If you have questions about police privacy, or citizens’ privacy, I definitely think there’s healthy debate to be had. Just not here. I’m more interested in the technological and legal ramifications of where this video goes.
As mentioned on the AXON site, in order to use the system you need to be able to upload the video to Taser’s cloud, namely Evidence.com. Reports earlier this year indicate that this back-end offering will be made available through partnerships with Cisco and Equinix. The general flow of data will then be from the headset to the recorder, where buffering and hashing take place, to the docking station, to Evidence.com. From here two copies of the video will be placed in two datacenters, and things get interesting.
From Evidence.com, you can see what appears to me to be a licensed API of Google Maps with nodes for all the video uploaded that meets a set of criteria. Based on the online demo from the site, you can also see deployments and actions. Things like “Swat Deployed” with an address. You can also review clips, create subclips, and export them. All very cool considering this is remote HD video.
So what are the hot topics that Taser is taking on? First of all, they’ve built the cloud themselves. So all the issues with multi-tenancy, security, auditing, availability, redundancy, etc. are issues they need to solve.
Storage and latency issues? This isn’t your tweets they’re storing. This is full HD video that needs to be taken in and played back from remote systems. Now the playback seems to be Flash-based, but still, there has to be an expectation that this is going to be a fair amount of data that’s moved around. From the demo you’re looking at a 2x to 3x size requirement for each file, since you store it in two places then again for playback. Not to mention all the logging that needs to be done to satisfy chain of custody and integrity.
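The data flow and the chain-of-custody logging described above can be illustrated with a hash-chained custody log. This is an added example, not code from Taser or Evidence.com: the use of SHA-256, the hop labels, the log format and the sample bytes are all assumptions made for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first log entry
# Assumed labels for the hops in the flow: recorder -> dock -> cloud -> two copies
HOPS = ["recorder", "dock", "evidence.com", "datacenter_1", "datacenter_2"]

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_hash(body: dict) -> str:
    return digest(json.dumps(body, sort_keys=True).encode())

def append_entry(log: list, hop: str, video: bytes) -> None:
    """Append an entry committing to the video hash and to the previous entry."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {"hop": hop, "video_sha256": digest(video), "prev": prev}
    log.append({**body, "entry_hash": _entry_hash(body)})

def verify_log(log: list) -> list:
    """Return problems: broken chain links, or hops whose copy of the video
    no longer matches the hash taken at the recorder (the first entry)."""
    if not log:
        return ["empty log"]
    problems, prev = [], GENESIS
    reference = log[0]["video_sha256"]
    for i, e in enumerate(log):
        body = {k: e[k] for k in ("hop", "video_sha256", "prev")}
        if e["prev"] != prev or _entry_hash(body) != e["entry_hash"]:
            problems.append(f"entry {i} ({e['hop']}): chain link broken")
        if e["video_sha256"] != reference:
            problems.append(f"entry {i} ({e['hop']}): video differs from recorder hash")
        prev = e["entry_hash"]
    return problems

def demo():
    video = b"constructed sample bytes standing in for an HD clip"
    clean, corrupted = [], []
    for hop in HOPS:
        append_entry(clean, hop, video)
        # Constructed failure: the second datacenter copy is altered in transit
        append_entry(corrupted, hop, video + b"!" if hop == "datacenter_2" else video)
    # Constructed failure: a logged hash is edited afterwards without re-chaining
    edited = [dict(e) for e in clean]
    edited[1]["video_sha256"] = digest(b"substituted clip")
    return verify_log(clean), verify_log(corrupted), verify_log(edited)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A chain like this only detects edits if the latest entry hash is also recorded somewhere the storage operator cannot rewrite, since anyone who controls the whole log can recompute every link.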
Storing critical data? Check. This is video for trial that may make the difference between guilt and innocence in a jury’s eyes. In addition, the logistical data about current operations would seem very sensitive. Furthermore, the video is GPS tagged. Want to see the patrol routes of cops in your city? Let me compile that for you.
Legal issues? And then some. This is evidence after all. So you need to make sure that you’re not only abiding by Federal statutes, but all local requirements for each jurisdiction as well.
I hope they’re open with how things go, because I think they’re going to be the use case for many issues in the community going forward. How are they going to prove they are securing the data? SAS 70 Type II Reviews? How will they handle growth? Segment the service by paired data centers? What happens when someone terminates service? Do you get 50 Blu-ray discs of data? How will you handle misuse and attacks against the system?
I’d love to see Taser take this combination of risks they have and start looking at better ways to test themselves. Full scope, open-ended pentesting of the entire system would be a great start. Combined with a real-time Risk model they might be able to not only provide precedent for Cloud issues, but for emerging Risk issues as well.