Head of a video surveillance company: “Security requires controllable systems”

Mobile video masts have become a familiar sight on construction sites, at large projects, and in public institutions. Providers of video surveillance systems promise increased security with them.

Carsten Simons, managing director of LivEye and NSTR.security, is increasingly focusing on relocating key technologies back to Germany within his company. In an interview, he explains why he speaks of technological sovereignty even with internationally sourced components – and why he attaches particular importance to European solutions in security-relevant environments.

When I walk through Bielefeld, I feel like I see your video masts everywhere. Have you become a monopolist?

Carsten Simons: (laughs) I take that as a compliment. No, we are not a monopolist. We are the third-largest provider in Germany and probably in Europe as well. The market leader is BauWatch, followed by Kooi Security.

Nevertheless, many people wonder when they walk by: Am I being watched right now?

Public areas are generally excluded. Anyone operating video surveillance needs data protection as a core competency. We operate within the framework of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the respective state data protection laws.

As a rule, we rely on Article 6, Paragraph 1 Letter f of the GDPR – the so-called “legitimate interest.” This means that we weigh the operator's need for protection, for example against theft, against the rights of the data subjects and document this assessment. We define clear storage periods and implement technical and organizational measures – TOMs for short. These are legally required protective measures such as encryption, access restriction, or logging.

Where exactly is LivEye used? You mentioned construction sites – but where else?

Our classic area of application is construction sites. In the past, the focus was primarily on theft and vandalism. Today, we also see the issue of sabotage. Construction sites are often the first place where infrastructure can be spied on or manipulated. We are also very active in the municipal sector. This includes, for example, public institutions or municipal areas where vandalism or illegal waste disposal occurs regularly.

Another area is critical infrastructure. When we talk about substations or other sensitive facilities, it's about protection against unauthorized access or sabotage. There, we provide a verified situational picture for the emergency services. There are also many interventions at schools. If documented incidents exist, video surveillance can be a component of the security concept.

Critics fear a creeping surveillance state with more and more cameras and AI analysis. You yourself have said that video surveillance should be used more extensively. What do you say to these concerns?

I am happy that we are allowed to live in Germany – a country with very good data protection laws. Video surveillance here takes place within a clean legal framework. It's not about spying but about protection. If documented risks exist and criminal offenses demonstrably decrease once active video surveillance is installed, then I consider that legitimate. But of course, this must always happen within the scope of applicable laws and under the supervision of data protection authorities.

How often do you receive mail from data protection authorities?

Between 20 and 30 inquiries per year. Mostly concerning storage duration or camera angles. For more complex projects, we conduct a Data Protection Impact Assessment, which is a structured risk analysis when data processing could be particularly intrusive.

Why do you operate your control center?

Our control center is the core of our service. It's where decisions are made on whether to approach a perpetrator or inform the police. Our employees see what's happening beforehand – unlike with a classic alarm system. We provide a verified situational picture. Interventions range from trespassing at night to serious incidents like attempted sabotage of critical infrastructure.

You have changed your hardware strategy. Why?

We are consciously focusing on reshoring – that is, relocating key technologies and production processes from abroad back to Germany or Europe – in order to better control supply chains, security, and quality. For us, resilience means resistance to supply failures, geopolitical risks, or cyber threats. The AI chip in our new system comes from Israel. However, development, system design, software development, and integration are carried out in Germany.

Why an Israeli chip?

Because they are good and consume little energy. For our systems, we need a Neural Processing Unit (NPU). Our devices must evaluate video images in real time. The system decides on the spot whether a movement was triggered by a person or just by a shadow or an animal. This decision phase is called inference. This means an already trained AI model is applied to new data. The training – i.e., learning from thousands of example images – takes place beforehand. The device only runs the application of what has been learned.

Don't you have any concerns about possible manipulation or hidden functions?

That is a valid question. Firstly, the entire environment of the chip was created by ourselves. The circuit board on which the chip sits comes from our own company. The AI edge device we built was developed entirely by us. We essentially only take the bare chip and run our own or common AI models on it. This allows us to rule out many things.

Secondly, our devices are in a completely private environment. The mobile communication system we have set up is a purely private network. We do not share the infrastructure with other customers but work with private Access Point Names (APNs) – specially configured, isolated access points in the mobile network – that connect directly to our servers. This secures the system. I sometimes say jokingly, If you're afraid of hidden functions, you don't have control over your network.

What kind of AI models do you use?

We use so-called Convolutional Neural Networks, or CNNs for short. These are special neural networks that are particularly well-suited for image analysis. They can recognize, for example, people, vehicles, or, in an extended capacity, movement patterns.

The models are quantized, meaning the computational values are simplified, for example, in a so-called INT8 format. This reduces energy consumption and speeds up computation without significantly affecting recognition quality.

Inference runs entirely locally on the device. This is called edge AI – artificial intelligence that is executed directly on the device and not in a remote data center. No permanent video streams are transmitted. Only when a relevant event is detected is a segment sent to the control center.

How is the system technically secured?

We clearly separate system control from AI computation. An adapted embedded OS – a specially adapted operating system for our devices – in combination with our application software, manages local resources, connectivity, and encryption.

The AI chip is connected as a co-processor, meaning an additional specialized processor alongside the main processor. We use this exclusively locally. Secure Boot ensures that only digitally signed and verified software is loaded during startup. Additionally, we use a so-called Trusted Platform Module (TPM). This is a hardware-based security component that ensures the system has not been tampered with.

How are the devices connected?

Each device has two SIM cards, each with access to all networks available in Europe, in case one mobile provider fails. Data transmission occurs via private APNs. Our systems are therefore completely separated from the customer's network and additionally secured by further mechanisms. We adhere to ISO/IEC 27001 – an international standard for information security management systems.

What role do legal requirements play in your business?

For critical infrastructure, the German IT Security Act, regulations from the Federal Office for Information Security (BSI), and the European NIS 2 Directive also apply. In addition to the IT Security Act and BSI regulations, the KRITIS umbrella act will also play an important role in the future. It obliges operators of critical infrastructure to conduct risk analyses and implement both digital and physical protective measures.

What does that mean specifically for video surveillance?

The KRITIS umbrella act significantly broadens the perspective. It's no longer just about IT security in the narrow sense but about resilience against sabotage, natural events, or targeted attacks. Physical protective measures are explicitly addressed. And this is precisely where video surveillance is an important component.

For example, if I operate a substation, a water treatment plant, or a traffic hub, I will have to systematically examine in the future, where are my vulnerabilities? How do I detect intrusion attempts early? How do I document incidents? In our opinion, video analysis can and should be part of a security concept here.

Is this more of a market opportunity or an additional burden?

Both. For operators, it means additional effort because risk analyses must be documented and protective measures proven. For providers like us, it means that systems must be traceable, auditable, and regulatorily sound. And in my view, this in turn strengthens the demand for transparent, controllable European solutions.

If an operator of critical infrastructure falls under the KRITIS umbrella act, the IT Security Act, and also the NIS 2 Directive, the responsibility increases enormously. It must be clear who the manufacturer is, who is liable, who delivers updates, and under which legal jurisdiction the system operates. This is precisely where I see the importance of proprietary or at least European-controlled technologies.

Why is technological sovereignty so crucial in your view?

If security-relevant systems are based on components whose firmware – the device software – update infrastructure or backend systems are outside our legal jurisdiction, we lose control and thus direct influence. This affects security updates, support cycles, spare parts availability, and legal enforceability.

There are hundreds of thousands of cameras that are openly accessible on the internet. This is often because default passwords have not been changed or no password protection was set up at all. In my opinion, companies should outsource CCTV – i.e., video surveillance – to specialized service providers. Which IT officer in the company really takes care of installing security updates on cameras? Many say: “We have more important things to deal with.” But if image data is openly available on the internet, that is a very important issue.

And this is not a theoretical scenario. It was recently reported that in Iran, surveillance cameras were apparently used to evaluate so-called “life patterns” – i.e., regular movement and behavior profiles. The aim was to analyze drivers, accompanying people, and movement routes based on camera images and draw conclusions about high-ranking decision-makers. Regardless of how one politically evaluates these reports, they show one thing very clearly: Aggregated image data can gain strategic importance.

A single camera seems harmless. But many cameras over longer periods allow for pattern recognition. Who arrives when? Which vehicles regularly move where? Which processes repeat themselves? In a geopolitically tense environment – and we are currently experiencing a phase of increased global tensions – such information becomes valuable. If cameras are poorly secured or openly accessible on the internet, they enable precisely these kinds of analyses – and not just in authoritarian states, but everywhere. If this affects industrial plants, energy infrastructure, or traffic hubs, a real security risk arises.

Especially in a time when hybrid threats, sabotage, and cyberattacks are being discussed, video surveillance should not be a secondary issue. It is intended to create security – but if operated improperly, it can itself become a vulnerability. Therefore, we need a stronger lobby for German and European video surveillance technology. There are great solutions from Germany – we need to make them more visible, develop them further technologically, and establish them in a regulatorily sound manner.

(mack)