Abstract
This article examines AI-based video surveillance systems in public spaces. We investigate a case of AI-based camera technology designed to detect falls into the water and prevent drowning accidents at the harbor front of a large Scandinavian city. This case confronts a common state-citizen tension between safety enhancement and privacy intrusion, and illustrates how involved actors strived to balance this through technological design choices such as thermal imaging. Building on these empirical insights and approaches that seek to deal with the complex safety-privacy tension, we draw out the notion of narrow surveillance as a general approach to safety monitoring in public spaces, aiming to minimize privacy intrusion through three criteria: (i) non-identification, (ii) purpose limitation, and (iii) alignment of interests. By implication, our study contributes new insights to interdisciplinary debates in surveillance studies by providing a framework for evaluating current AI-based surveillance systems and guiding future implementations of such systems.
Introduction
Debates on surveillance in public spaces frequently invoke tensions between privacy and safety (Akinsanmi and Salami, 2021; Bates et al., 2025; Sætra, 2022; Véliz, 2024; Westin, 1967). In policy, media, and academic discussions alike, surveillance is often approached through a heuristic in which safety-oriented interventions (associated with crime prevention, counter-terrorism, or public order) are assumed to entail some degree of privacy intrusion. While this framing has been productive in drawing attention to the risks of surveillance, it has also tended to stabilize privacy and safety as opposing values, leaving limited conceptual space for examining how surveillance systems might be designed to address both simultaneously.
Recent developments in artificial intelligence (AI) further complicate this landscape. A large-scale analysis of computer vision research suggests that much contemporary innovation enhances surveillance capabilities, particularly in relation to identification and facial recognition (Kalluri et al., 2025). As AI-based video analysis becomes increasingly embedded in safety-oriented applications, the question is less whether surveillance introduces new risks than how those risks are distributed, justified, and governed. Importantly, these developments also foreground system design as a key site of intervention: choices about sensors, data flows, and operational boundaries shape not only what surveillance can do, but also what kinds of privacy can be preserved in public spaces.
Building on critical accounts that emphasize the ambivalent character of surveillance (or of the more neutrally-sounding synonym “monitoring”), simultaneously enabling and constraining, this article moves beyond a simple trade-off model. Rather than treating privacy loss as the inevitable cost of safety, we argue that AI-based safety-monitoring systems can be deliberately configured to internalize surveillance critiques, including concerns about identification, purpose expansion, and misalignment of interests. In doing so, we shift the analytical focus from whether surveillance should be accepted or rejected to how specific forms of surveillance can be rendered normatively acceptable.
We develop our argument through an examination of governmental safety monitoring in public space. Specifically, we draw from a case study of an AI-based video surveillance system at the harbor front in Aalborg, Denmark, where camera systems were deployed to detect accidental falls into the water and prevent drowning. The case confronts a concrete safety problem while raising concerns about surveillance in terms of identification, purpose expansion, and dynamic effects. We approach the harbor safety initiative as a generative case that reveals the practical conditions under which privacy-preserving safety monitoring can—and cannot—be realized.
Based on insights from this case and approaches to privacy in public spaces, we suggest the notion of narrow surveillance as a criteria-based framework for privacy-preserving monitoring. Narrow surveillance refers to monitoring systems that are deliberately constrained in scope and capability, such that they (i) avoid identification, (ii) operate with a strictly limited and technically embedded purpose, and (iii) rest on a justifiably assumed alignment of interests between the surveillant and those under surveillance. While stemming from engagement with the harbor safety case, narrow surveillance is intended as a transferable analytical notion that can inform the broader development and evaluation of AI-based safety-monitoring systems in public spaces. By implication, our study contributes new insights to the cross-disciplinary field of surveillance studies by offering narrow surveillance as a reference point for the design and assessment of safety-monitoring systems that seek to enhance safety while preserving privacy in public spaces.
The article proceeds as follows. Section 2 reviews central surveillance concerns and selected technological approaches to privacy preservation, while Section 3 develops a context-sensitive definition of privacy in public space. Section 4 presents the harbor safety case and examines its technical design, operational challenges, and public reception. Drawing on insights from the case, Section 5 articulates the notion of narrow surveillance that provides a framework for evaluating current AI-based surveillance systems and guides future implementations of such systems. Section 6 discusses the contribution of narrow surveillance, along with limitations and directions for future research.
Surveillance concerns
As surveillance technologies advance, the ethical and political challenges they raise have increased in depth and scope (Galič et al., 2017). Using Saheb's (2023) categorization of surveillance debates, this paper falls within the domain of video surveillance systems and facial recognition. Early critiques emphasized how public surveillance can reshape urban life, transforming cities into “enormous Panopticons” (Koskela, 2003: 293), ushering an expansive biopolitical gaze (Smith, 2020), and enabling not only the identification of individuals but also the inference of intentions through techniques like micro-expression detection (Gray, 2002). With facial recognition technologies, concerns include the absence of meaningful individual consent (Taslitz 2002) and growing unease over the legitimacy of biometric technologies in policing and crime prevention (Eneman et al., 2022). Additional scholarship on location tracking (Koops et al., 2019) and spatial power dynamics (Andrejevic and Volcic, 2021) underscores how surveillance in public spaces structures who is visible and subject to control.
The EU AI Act Article 5 prohibits “real-time remote biometric identification,” except in specifically defined circumstances such as criminal investigations or terrorist threats. While such applications may initially be justified by serious security concerns, the expanded enforcement possibilities they introduce create room for purpose drift (also called function creep): the gradual and often imperceptible repurposing of data for uses beyond its original intent (Aaen, Nielsen and Carugati, 2022; Koops 2021). This can include scenarios in which surveillance systems initially installed to combat terrorism are subsequently used to police relatively minor offenses or manage public nuisances (den Boer and van Buuren, 2010: 221; Moore, 2015). Relatedly, Article 5(c) of the EU's General Data Protection Regulation (GDPR) emphasizes the principle of data minimization, requiring that only data strictly necessary for the intended purpose be collected (see also Małagocka, 2024). This is tied to the principle of purpose limitation, which mandates that the purpose of data collection must be clearly defined and specific. According to the European Data Protection Board guidelines (§15), vague justifications like “safety” or “for your safety” are not considered sufficiently specific (Krivokapić et al., 2021: 9f). Similarly, surveillance systems must feature minimal data retention, avoiding large-scale data collection and storage to preserve privacy (Vermeulen and Bellanova, 2013). Moreover, following the European Data Protection Board's broader guidance in Article 5, that “[v]ideo surveillance is not by default a necessity when there are other means to achieve the underlying purpose,” (2020) we may extend this proviso to systems where surveillance is implemented: any surveillance system should be strictly limited in scope to serve its explicitly defined purpose.
On this basis, we identify two overarching concerns in video surveillance: (i) avoiding individual identification, which is most commonly associated with facial recognition but also encompasses biometric tracking, bias and discrimination minimization, and profiling; and (ii) avoiding wide purpose flexibility, which can be addressed technically through measures such as data minimization, limited retention, and restricted data collection. We refer to these concerns as non-identification and purpose limitation, respectively. In the following section, we provide insights into selected techniques concerning non-identification and purpose limitation.
Technical privacy-preserving approaches
One part of computer vision research focuses on developing privacy-preserving methods. Thematic structuring of these methods varies greatly depending on the purpose of the study (Padilla-López et al., 2015; Ravi et al., 2024; Tariq et al., 2025), and our selection provides an overview of four principal technical approaches to privacy-preserving surveillance. The categorization is a pragmatic structuring choice intended to convey the diversity of potential methods rather than to reflect a definitive taxonomy in the literature. The aim is to outline significant technical approaches in support of privacy-enhancing outcome-focused discussion. These approaches are summarized schematically in Table 1, but they do not operate in isolation and may be combined to provide mutually reinforcing privacy measures.
Four technical privacy approaches for non-identification and purpose limitation.
First, on-device/edge processing (“detect and forget”) performs all analysis locally on the camera or edge device and shares only minimal event information; it sustains non-identification strongly by not exposing high-fidelity data externally, and sustains purpose limitation strongly by producing only task-relevant outputs (Myneni et al., 2022; Nayak et al., 2024). Second, privacy-preserving feature extraction outputs only abstracted representations, such as pose keypoints or statistics protected via differential privacy, understood here as a formal guarantee that the inclusion or exclusion of any single individual's data does not significantly affect the output of the computation. This supports strong non-identification by eliminating or mathematically obfuscating direct identity markers, while only moderately sustaining purpose limitation, since derived data may still allow inference of behavioral patterns (Ardabili et al., 2023; Bambauer et al., 2014; Dwork, 2006). Third, anonymization through resolution reduction captures scenes at reduced detail or via alternative modalities (e.g., low-resolution or thermal imaging), sustaining non-identification moderately because some identifying traits may still be reconstructed via auxiliary information, and sustaining purpose limitation moderately as contextual or environmental data remains usable for other purposes (Kumawat and Nagahara, 2022; Rashvand et al., 2025; Ryoo et al., 2016). Fourth, de-identification techniques, such as blurring, masking, or reversible masking, alter already captured imagery to obscure identities; these sustain non-identification moderately, because original identifiers can exist and might be reconstructed, and sustain purpose limitation weakly, since the altered imagery may still support unintended secondary analyses (Fitwi et al., 2020; Meden et al., 2023).
We have identified two major privacy concerns (identification and purpose flexibility) that may be remedied through different technical methods. Next, we introduce a context-sensitive definition of privacy applicable to the harbor safety case, providing the basis for analysis and the subsequent conceptualization of narrow surveillance.
Preserving privacy in public spaces
We take as our starting point the view that privacy is context-dependent (Nissenbaum, 2010), meaning that privacy takes on different meanings and serves different functions across domains. Our notion of privacy applies exclusively to surveillance in public spaces and not to private homes (sometimes referred to as “local privacy”; see Rössler, 2005: Ch. 6). Accordingly, our account is designed to address concerns specific to public spatial environments, distancing it from paradigmatic privacy intrusions related to the household, personal correspondence, or the public disclosure of private facts (Prosser, 1960).
This domain-specific focus aligns with what Koops et al. (2017: 568) identify as “behavioral privacy,” one of seven ideal types of privacy they outline. Behavioral privacy concerns contexts in which individuals are already publicly visible yet retain legitimate expectations against systematic data capture, aggregation, or profiling. In this sense, public visibility does not imply the forfeiture of privacy claims, but rather a transformation of what privacy consists of. We define privacy in public spaces as being preserved when surveillance systems (i) do not reveal the identities of those under observation, (ii) operate with an explicitly stated and non-multifunctional purpose, and (iii) maintain a justifiably assumed alignment of interests between the surveilled subjects and the surveillant entity.
Our first criterion (non-identification) builds on Daniel Solove's critique of privacy frameworks that reduce privacy to secrecy alone. Solove (2006, 2008) has shown that many privacy harms arise not only from the disclosure of sensitive information as such, but also from practices of aggregation of information in the public domain that render individuals legible. In this light, maintaining privacy in public space entails shielding individuals from being rendered identifiable, even when no sensitive attributes are disclosed. This understanding parallels a recent definition of surveillance as “an entity gathering, extracting, or attending to data connectable to other persons” (Kalluri et al., 2025, p. 73, our italics). Narrow surveillance seeks to interrupt such connectability at the level of system design.
To articulate this interruption, we frame monitoring as approximating an ideal bystander: a system that possesses no prior knowledge of identities and, in some cases, even less information than what is directly observable by human observers, as in our case below, where qualitative thermographic sensors are used. This criterion resonates with Jane Jacobs’ notion of “eyes on the street” (Jacobs, 1992: 35), where safety emerges from mutual visibility without personal identification. Observers notice events and anomalies, not identities or records. Surveillance technologies, we argue, should aim to replicate this model: enhancing safety without enabling identification that exceeds ordinary public observation.
The second criterion (purpose limitation) addresses a further dimension of privacy harm emphasized in Solove's work, namely the risks associated with secondary use and repurposing of data. Even non-identifying surveillance can become privacy-invasive if it is gradually enrolled into new objectives. Accordingly, individuals under surveillance should be able to know not only that monitoring is taking place, but why. This requires a clear public articulation of purpose and technical safeguards against purpose drift. As noted above, the European Data Protection Board emphasizes that “[v]ideo surveillance is not by default a necessity when there are other means to achieve the underlying purpose.” Purpose limitation therefore, goes beyond avoiding identifiability: it requires that the necessity and scope of surveillance be publicly justified and technically embedded. In this sense, the term operate in our definition denotes both normative transparency and material constraint.
This raises the question of whether cameras can be designed to function as “strategic eyes”: narrowly focused on specific safety purposes while, in effect, seeing less rather than more of the individual. While Stahl (2020) argues that “strategic surveillance,” understood as interest-driven monitoring aimed at prediction, control, or sanctioning, should generally be disallowed in public spaces, we draw here on David Lyon's (2001) account of surveillance as Janus-faced: simultaneously oriented toward care and control. From this perspective, the issue is not surveillance per se, but which side of this duality is stabilized through design and governance. Narrow surveillance seeks to anchor surveillance on the side of care by constraining its scope, purpose, and informational yield so that it does not slide into generalized social control.
The third criterion (interest alignment) extends this contextual account of privacy beyond legal compliance alone. Following Nissenbaum's (2010) notion of contextual integrity, we argue that privacy is upheld not only when systems avoid identification and operate with explicit purposes, but also when the surveillant entity can justify its assumption that surveillance serves the interests of those under surveillance. Here, Lyon's emphasis on the political and ethical ambivalence of surveillance is again instructive: even care-oriented systems require justification, as the interests of institutions and publics cannot be presumed to coincide. Given that public space is characterized by norms of both commonality and anonymity, the alignment of interests must be publicly articulated and remain open to contestation. In our framework, justifiably assumed interest functions as a form of implied consent, not as passive acquiescence, but as an ongoing, revisable relationship between surveillant and surveilled (more on this shortly).
Overall, the three criteria of privacy respond directly to concerns identified in Bates et al.'s (2025) review of public acceptance of surveillance technologies in public spaces. Their analysis shows that public support often depends on how individuals assess their exposure to harm in a given setting, with those who perceive themselves as facing higher immediate risks (for example, of crime or accident) tending to be more accepting of surveillance than those who do not. Privacy-preserving surveillance systems must address this variability not by presuming a fixed trade-off between safety and privacy, but by constraining surveillance through non-identification and purpose limitation while requiring explicit justification for assumed interest alignment. Bates et al. further emphasize transparency as a key factor in acceptance, which underscores the importance of clearly articulated and publicly communicated purposes, as captured by our second criterion. While the review highlights consent as particularly salient for mobile surveillance technologies, such as drones, our contribution reframes consent in static public-space surveillance as a matter of justifiably assumed and contestable interest alignment, rather than explicit individual authorization (see Section 5).
Before turning to our case, we offer one final remark. We maintain that privacy in public space can still be preserved even under two commonly cited conditions of concern: (i) when individuals lack control over what counts as personal information, and (ii) when the surveillant agent already possesses extensive prior knowledge about surveilled individuals. While such conditions are often treated as sufficient for a loss of privacy in other accounts (for discussion, see Blaauw, 2013; Matheson, 2007), we argue that individuals in public space cannot control what others might interpret as personal information about their appearance and that this does not constitute a breach of privacy because, insofar as privacy is maintained under public visibility, traits that may be interpreted as personal information are already publicly visible. Second, when the surveillance system is operated by the government (as in our case below), the government already possesses sensitive information about its citizens. If this information is not coupled with or embedded in the surveillance infrastructure, its mere existence does not, by itself, imply that governmental monitoring systems constitute a breach of privacy in public spaces. The crucial point is that, in public space, individuals retain the possibility of avoiding linkage to identity-revealing information stored elsewhere. In this sense, in trying to capture how privacy is preserved in public space, we must move beyond both the Control Account, where privacy amounts to control over one's own personal data, and the Access Account, where privacy entails others’ inaccessibility to one's own personal data (Mainz and Uhrenfeldt, 2021; Sax, 2018).
Case study: Addressing drowning accidents at a harbor front
Our case highlights the practical tensions and design choices involved in balancing the prevention of drowning accidents with the preservation of privacy in public spaces. The context is the harbor front in Aalborg, Denmark's fourth-largest city. 1 The area was earlier an industrial harbor, now transformed into a vibrant recreational urban space featuring a museum, a restaurant, and the city's university campus. It is within walking distance of the city center, in particular a lively nightlife street, which attracts large numbers of visitors. Some of these visitors use this part of the harbor front at night to urinate in the sea, which puts them at risk, as their level of intoxication increases the likelihood of falling into the water. Moreover, their impaired state and the absence of nightly nearby assistance significantly reduce their chances of being rescued from drowning.
The municipality began, in 2016, a collaboration with university researchers and a European surveillance technology firm. 2 Together, they pursued a technical solution to this problem, and the core idea was that drowning accidents could be prevented if an AI-based computer vision system could automatically detect accidental falls into the water through camera feeds and alert rescue authorities in real time. 3 Thus, in 2016, two thermal cameras and one PTZ camera (a movable camera used to track individuals in the water while rescue teams are en route) were installed. Due to challenges faced during the initial phases of the project, the municipality certified the harbor as a ‘Safe Harbor’ in 2020, which required equipping the harbor front with 44 illuminated ladders, rescue ladders, rescue hooks, and handheld fire extinguishers. However, the temperature shock (especially in colder months), combined with intoxication, leaves individuals with little time to orient themselves, often preventing them from using these ladders effectively. In addition, lifebuoys remain inactive in the largely empty public space at night. Therefore, the AI-based video surveillance system continued to be regarded by the municipality as necessary.
Developing the system proved challenging, as training the AI model required substantial amounts of data depicting rare ‘abnormal’ events, such as accidental falls into the water (Noesgaard et al., 2025). While the infrequency of such incidents is desirable from a safety perspective, it complicates model development and validation. During a pilot test in 2017, the AI-based system generated more than 30 false drowning alarms per day at the Aalborg rescue team, overwhelming operational capacity and leading to the system's temporary deactivation (Figure 1).

Images from surveillance cameras at the harbor front. The two upper too images stem from the RGB sensors, while the rest are thermal images (Bonderup et al., 2016).
From January to August 2021, 8 months of thermal imaging data from the harbor front were collected and annotated. This extensive dataset made it easier for researchers to work efficiently on an AI-based model capable of detecting accidents using the camera feeds. In 2022, following a drowning accident that occurred outside the monitored harbor front, the coverage area was expanded from 200 to 700 m, and nine new thermal cameras and two PTZ cameras were installed. An IT employee from the response team noted: “The images from the new cameras are exceptional, not only maintaining the impressive quality of the previous ones but enhancing it substantially.” Later, by the end of 2024, the team manager of the rescue team explained: “We have been given the freedom to expand the coverage area, though it can never reach 100% due to privately owned harbor sections that cannot be included. Currently, we estimate that around 80% of the area is covered, with a goal of reaching 90–95%.” The AI-based algorithms are slated for launch in 2026. 4
Technically, the cameras installed at the harbor front were equipped with both RGB sensors (capturing visible light) and thermal sensors (capturing thermal radiation). However, given the research team's goal of developing a surveillance system compliant with the GDPR, and now also with the EU AI Act, real-time surveillance with high-resolution detail was not used. The team aimed to embed privacy protections by shutting off some of the hardware, as the RGB sensor was not utilized, and the system relied solely on the thermal sensor as the input for the surveillance system. The team worked with qualitative (also known as relative) thermal cameras, as opposed to quantitative (or absolute) thermal cameras. The distinction lies in how temperature data is processed: quantitative cameras measure the precise heat value in each pixel, while qualitative cameras generate a thermograph that displays temperature variation relative to the warmest and coldest signals in the frame. Qualitative thermal cameras are significantly more affordable and therefore more commonly used. Their key advantage lies in the high contrast of the resulting image, a feature of their relative calibration. This makes them well-suited to scenarios where precise temperature measurements are unnecessary, such as here, where the goal is simply to detect the presence of a human body. One of the key advantages of thermal cameras is their insensitivity to visual disturbances such as city lights or heavy fog that typically impair the performance of standard color cameras. Thermal imaging captures wavelengths in the infrared spectrum, where visually distorting effects have no impact. As a result, thermal cameras can detect human presence with equal clarity during both day and night.
However, this advantage comes at a cost: One of the limitations of thermal imaging in computer vision and machine learning is its lack of rich visual information (such as color and texture) that is typically available in conventional RGB sensors. These elements are often essential for algorithms to classify and distinguish between objects. As a result, thermal imaging makes it difficult not only to differentiate between individuals but also to distinguish around 37°C objects similar in size to humans, for example the warm housing of a recently-run outboard motor at the harbor, which could resemble a person's torso and be mistakenly detected as a crouched figure working on the boat or even falling into the water. While thermal cameras are effective at detecting the presence of warm objects (with the advantage that lighting conditions and time of day have little effect on appearance, whether in complete darkness or bright light, aside from minor heat reflections), identifying what those objects are, particularly when their shapes are ambiguous, is a significantly more challenging computer vision task. For example, the AI model had a hard time not triggering an alarm when detecting a dog or a duck. However, this limitation also serves as a privacy advantage: the reduced visual detail makes it harder to identify individuals based on fine-grained characteristics, thereby inherently enhancing privacy.
Cameras of all types generally lack the processing power to run computationally intensive algorithms. Some modern models include lightweight AI functions for basic image enhancement or processing, but the cameras installed at Aalborg Harbor do not. Instead, the video feed is streamed to a parallel computing system, where more advanced AI algorithms are executed. Currently, the parallel system at Aalborg Harbor runs a virtual tripwire algorithm that detects motion in the water. Moreover, the data was stored locally to address public privacy concerns, as the security of cameras has previously been called into question. The municipality sought to ensure that all data remained within its fully owned, closed-circuit system, rejecting multiple offers of private data storage (more on this shortly). Organizationally, the alarm system is directly linked to emergency services, ensuring that the rescue team receives and responds to the alarms.
The harbor front initiative has received considerable public attention in the Danish press, sometimes negatively due to its failure to function properly or meet expectations. One headline stated, “After eight years, the cameras that were supposed to improve safety in Aalborg Harbor have not been fully developed,” (Rasmussen and Smorawski, 2024), reflecting widespread dissatisfaction.
Overall, this case illustrates how, in safety monitoring, surveillant agents may attempt to address both the inherent challenges of surveillance systems and the concerns of those being surveilled. The harbor safety case attempts to do at least two things to meet privacy-preserving safety monitoring. First, it seeks to curb the identification of individuals under observation. The thermographic images do not reveal identities, nor are they linked to other databases held by the surveillant authority. In this sense, the surveillance system does not exceed what bystanders in a public space could observe. Second, the AI is designed to detect a very specific event: human bodies non-purposely falling into the water. The research team has trained the system to trigger an alarm only in the event of such an accident. The use of a tripwire and (a), (b), and (c) zoning (see Figure 2) to sectionalize the system's frames and to turn on certain features (such as motion detection) whenever activity is observed, is a possible way of constructing a phase model in which surveillance features are narrowed to the specific safety task. This purpose has been publicly communicated (e.g., in newspapers), informing citizens that the system is exclusively intended to detect and prevent drowning. From the approach of the harbor case initiative to install privacy-preserving safety-monitoring, there are at least two additional issues that should be considered for the further development of this specific case and for the general development of safety-monitoring of this kind, if it should move towards a greater degree of privacy-preservation. These are trying to approach and mitigate privacy-relevant dynamic effects and the technical lack of precision of the system, which, if not precise enough, tend towards either not being functional or being privacy-infringing.

The average magnitude of optical flow (i.e., the average amount of motion detected in the image) is estimated in area (a). The tripwire is set within area (b). Area (c) is marked as a dangerous zone, as it is close to the edge (Bonderup et al., 2016).
Dynamic effects
The harbor case revealed two significant and unforeseen social effects. First, rumors circulated that the cameras were Chinese-made and could therefore be misused by foreign actors. A national newspaper reported that the manufacturer of the cameras used at the harbor was “partly owned by the Chinese state and the manufacturer's products are involved in large-scale surveillance of Chinese citizens and the ethnic minority Uyghurs” (Seidelin and Broberg, 2020). In response, the municipal department head publicly refuted the claim: “The stories began circulating. But we quickly ended them, as all the cameras operate on our municipal platform in a closed circuit. We checked all the installed cameras and ensured data could not leak.” Even if such rumors dissipate, a second issue emerged: some bystanders at the harbor deliberately damaged the cameras by throwing stones at them, presumably because they objected to being surveilled, not by the Chinese but by any government. The municipality had not provided signage or otherwise communicated at the location how the cameras were used and functioned. Moreover, given that the PTZ camera, as well as the RGB sensors in the thermal imaging hardware are still possible to utilize, misuse in the case's system is still present, prompting questions as to the placement of the cameras (for example, why is such a large portion of the harbor front monitored rather than only areas immediately adjacent to the water?). To address some of these concerns, one possible solution could be to install clear signage along the harbor front. Such signage could explain the configuration of the safety monitoring system, for example, by explicitly stating that facial recognition is not used, that the system cannot link processed data to personal identities, and that it is technically restricted to the purpose for which it was programmed, namely, finding bodies based on thermographic heatmaps. This form of transparency would help distinguish the cameras from other surveillance systems, thereby possibly mitigating concerns and reassuring the public that the technology is limited in scope and privacy-preserving in this specific way.
Lack of precision
One serious challenge, though potentially solvable with further research, is the surveillance system's lack of precision (accuracy). In this case, the difficulty lay in accurately detecting when people fell into the water. Although there has been a significant improvement since the system was first pilot-tested in 2017, a key technical challenge remains: developing an AI-based system capable of reliably distinguishing between accidental falls and intentional bathing while preserving individuals’ privacy. By 2025, the system's technical accuracy rate for just recognizing humans stood at approximately 55%. This figure does not correspond to the accuracy in detecting falls into the water, which remains a separate challenge. Another challenge is that the thermal cameras are calibrated at fixed intervals, making the models highly sensitive to changes in the overall image. Seasonal variations in harbor front activity further skew the dataset, overrepresenting common scenarios (e.g., many people on warm days, which reduces the relative temperature difference between human and environment, making it more difficult to distinguish between objects) and underrepresenting critical ones (e.g., a lone individual on a December night), thereby reducing the model's ability to reliably detect the latter. Faced with relatively low accuracy rates, one tempting solution is to increase the system's sensitivity. However, doing so increases the risk of false positives, leading emergency services to receive excessive false alarms and devote too much time to system administration. For the surveillance system to be operationally viable, it must achieve a sufficiently high level of accuracy to avoid frequent misidentifications of falls.
Narrow surveillance
Building on empirical insights from the harbor safety case and related approaches that seek to nuance the safety–privacy relation (Lyon 2001; Nissenbaum 2010; Solove 2006, 2008), we derive three criteria for what we term narrow surveillance in public spaces. These criteria articulate conditions under which AI-based video surveillance may contribute to public safety while remaining normatively and legally constrained. We argue that a surveillance system can be considered privacy-preserving only insofar as it satisfies the following requirements: non-identification, purpose limitation, and interest alignment. Taken together, these criteria specify how surveillance can be technologically, organizationally, and politically narrowed to a defined safety task, rather than expanded into generalized monitoring (see Table 2).
Broad and narrow surveillance.
Non-identification
In surveillance without privacy-preserving methods, the potential for identifying specific individuals is high. In narrow surveillance systems, the goal is only to detect the presence of someone in the space of an emergency, regardless of who that person is. By definition, narrow surveillance is ‘unconcerned’ with identities, focusing instead on the situation unfolding within that space. The technological design of the system should center on this principle, eliminating any possibility of identification (Gray, 2002; Koops et al., 2019; Taslitz, 2002).
The harbor case approximates non-identification through its deliberate reliance on thermal imaging and the deactivation of RGB sensors, which reduces the system's capacity to recognize or re-identify individuals. By limiting detection to heat signatures and bodily presence, the system is designed to register that someone has fallen into the water, rather than who that person is. However, the case also falls short of full non-identification insofar as the installed hardware retains latent identificatory capacities, most notably through unused RGB sensors and PTZ functionality, which remain technically available and could be reactivated, leaving open the possibility of future identification beyond the system's stated intent.
Purpose limitation
Surveillance systems often expand their scope, using collected data for purposes beyond their original intent (Aaen, Nielsen and Carugati, 2022; Koops 2021). Narrow surveillance systems, by contrast, operate with a clearly defined and limited purpose, such as detecting and responding to emergencies, which should be communicated explicitly to those under observation. This may be achieved, for example, through signage displayed in the public space or via a government-supported digital interface cataloging the purpose of surveillance systems. This clarity helps ensure that monitoring remains tied to its stated aim. It also helps ensure the technological aspect of the system by requiring that the stated purpose be technically implementable and constrained by programable boundaries. This establishes a direct link between the deployer's intended purpose and what is technologically feasible, moving beyond the vague “for your safety” claim (Krivokapić et al., 2021: 9f).
The harbor case's surveillance system aligns with purpose limitation by being explicitly designed and publicly justified as a safety intervention aimed solely at detecting accidental falls into the water and enabling rapid rescue. This narrow purpose is reflected in the system's event-specific detection logic, such as tripwires and zoning mechanisms that activate monitoring only under predefined conditions. However, the case also illustrates how purpose limitation can be undermined by organizational and institutional dynamics rather than by technical design alone. Because the surveillance infrastructure is capable of monitoring public space more broadly, it could, in principle, be repurposed by other authorities, such as the police, for fundamentally different objectives, including monitoring gatherings in public streets, demonstrations, or other forms of collective assembly. Such a shift would represent a clear case of purpose drift, in which a system introduced to prevent drowning is gradually enrolled into practices of public order policing or crowd surveillance. The harbor case thus shows that narrow surveillance depends not only on technical constraints but also on organizational boundaries that prevent actors from being “drawn into” alternative uses that exceed the system's original and publicly stated purpose.
Interest alignment
From the citizen's perspective, surveillance can raise concerns due to its pervasive nature and the potential for governmental misuse without democratic oversight, fostering oppositional relationships between the state and the individual (Lyon 2001; Nissenbaum 2010; Solove 2006, 2008). In contrast, narrow surveillance systems seek to align the interests of the surveillant and the surveilled. This alignment, however, cannot be taken for granted; the assumption of aligned interest must be explicitly justified from the standpoint of those under surveillance (cf. Bates et al., 2025). We propose that such justification take two concrete forms. First, the surveillance operator or owner should issue a written, non-technical, and publicly accessible statement explaining why the consent of those under surveillance can reasonably be assumed, while recognizing that such justification remains open to rejection or dispute by affected publics. In line with the European Data Protection Board guidelines mentioned above, this must go beyond vague claims such as ‘safety’ or ‘for your safety,’ and it must go beyond stating the purpose (second criterion). The statement may also describe how surveillance is conducted or processed, if relevant for the justification. It should enable citizens to exercise their right to contest under GDPR Article 22(3), which in turn requires establishing channels for contestability (for one such framework, see Alfrink et al., 2023). Such contestability would function not only as a regulatory foundation for developers but also as an actionable means through which individuals may exercise their rights and maintain an ongoing relationship with the surveillance infrastructure of public spaces, thereby sustaining political and ideally deliberative channels between those who surveil and those who are surveilled.
A way to address the fact that the interests of those subject to surveillance may diverge with situational risk is to treat alignment not as a static property of a system but as something that can vary across concrete circumstances, while remaining anchored to the perspective of those most adversely affected. Appeals to the interests of “all citizens” are too coarse-grained to capture how narrow surveillance practices can impose unequal burdens, for example, on unhoused individuals who are more frequently present in monitored public spaces and whose interests cannot be presumed to track those of more advantaged users of the same space. At the same time, the relevance of surveillance to those interests plausibly shifts with risk: when risk is low, the primary interest of those present, including the least advantaged, is to avoid unnecessary data capture; when risk escalates, their interest may instead lie in timely detection and intervention. This can be operationalized by allowing a single narrow surveillance system to modulate its intensity across situational phases. Consider a harbor-monitoring system that could ordinarily operate in a baseline, highly privacy-preserving mode that provides only ambient awareness and stores no data. If contextual cues indicate heightened risk, such as a lone individual near the water late at night, the system may temporarily increase sensor sensitivity and hold minimal, short-term data to preserve context, while maintaining strict limits on retention and use. Only when an actual incident is detected does the system enter a responsive phase, briefly capturing and transmitting just enough information to enable rescue before returning to baseline and deleting residual data. In this example, the system's safeguards are not abandoned but selectively loosened and promptly restored, reflecting the idea that the interests of those surveilled can justifiably support different levels of surveillance intensity as situational risk rises and falls.
The harbor case partially exemplifies interest alignment insofar as the surveillance system is designed to intervene in situations where the immediate interests of those under surveillance plausibly converge with those of the municipality: namely, preventing fatal drowning accidents. In moments of acute risk, such as an intoxicated individual falling into cold water at night, rapid detection and rescue can reasonably be understood as serving the interests of the surveilled subject, even in the absence of explicit consent. At the same time, the case reveals limitations in how such alignment is articulated and sustained from the perspective of affected publics. The municipality did not provide a publicly accessible, non-technical justification explaining why interest alignment could be presumed, nor did it establish visible channels through which citizens could contest the system's operation or scope. As a result, alignment remained implicit and administratively assumed rather than publicly justified, arguably contributing to distrust, rumor formation, and acts of resistance such as camera vandalism. The case thus illustrates that interest alignment cannot be secured through benevolent intent or safety-oriented design alone; it requires ongoing institutional practices of responsiveness that admit that alignment is provisional and open to challenge by those subjected to surveillance.
Taken together, these three criteria of narrow surveillance (non-identification, purpose limitation, and interest alignment) reinforce one another. Narrow surveillance can be understood as a continuum, with systems becoming progressively narrower, and thus more privacy-preserving, as each additional criterion is met. Conversely, surveillance systems become progressively broader and less privacy-preserving whenever their functioning runs counter to the narrow surveillance framework. This is summarized in Table 2.
Discussion
Through an examination of AI-based video surveillance systems in public space, we have challenged the view that privacy must come at the expense of safety and introduced the notion of narrow surveillance. In the following, we outline our research contribution and address limitations and future research directions.
Research contribution
Narrow surveillance responds to the widely invoked tension between privacy and safety in public-space monitoring by departing from trade-off models that treat privacy as a residual cost of safety. Instead of balancing competing values, we articulate three criteria (non-identification, purpose limitation, and interest alignment) that specify conditions under which surveillance systems can be deliberately constrained to preserve privacy while enabling safety monitoring. Drawing on empirical insights from the harbor safety case, we conceptualize narrow surveillance as particularly suited to contexts of unavoidable visibility, where the central question is not whether observation occurs, but how public privacy can be maintained under conditions of monitoring.
In developing this framework, we draw on Nissenbaum's (2010) contextual account of privacy and Solove's (2006: 510ff) critique of identifiability-centered surveillance, both of which articulate the normative stakes of privacy but leave their operationalization largely open; narrow surveillance extends this work by specifying concrete design and governance criteria for privacy-preserving surveillance in public spaces. Narrow surveillance approximates the role of an ideal bystander: one who can register the occurrence of an emergency without identifying individuals (non-identification), whose operation is bound to a clearly specified and technically constrained purpose (purpose limitation), and whose deployment rests on a publicly articulated and contestable justification for assuming alignment between the interests of the surveillant and the surveilled (interest alignment).
Applied as an analytical framework, narrow surveillance reveals both strengths and shortcomings in the harbor safety case. While certain design choices, such as the use of thermal imaging, approximate non-identification, the framework also makes visible how unclear public communication, organizational flexibility, and technical imprecision may undermine purpose limitation and interest alignment in practice. Viewed through this lens, the case illustrates that narrow surveillance is not a binary attribute but a matter of degree, shaped by technical design and organizational governance.
Importantly, narrow surveillance is outcome-oriented rather than technology-specific. Building on Nissenbaum's emphasis on evaluating information practices in terms of normative appropriateness to context, and on Lyon's conception of surveillance as a socio-technical arrangement rather than a fixed technology, the framework does not prescribe particular sensors or algorithms. Instead, it defines constraints that surveillance systems must satisfy to remain privacy-preserving. As illustrated by the harbor case, different technical components may support these constraints more effectively in combination than in isolation, and future innovations may further refine how they are realized.
By integrating non-identification, purpose limitation, and interest alignment, narrow surveillance responds directly to challenges identified in research on public acceptance of surveillance technologies, including perceived safety–privacy tensions, risks of discriminatory monitoring, and the problem of consent in public spaces (Bates et al., 2025). In this sense, the framework functions not only as an evaluative lens but also as a developmental standard, enabling practitioners and policymakers to diagnose shortcomings and iteratively improve safety-monitoring systems toward more privacy-preserving implementations.
Limitations and future research
Narrow surveillance focuses analytically on systems that operate at the level of individual events rather than on aggregate data collection infrastructures, such as smart city technologies that monitor generalized movement patterns. Nevertheless, such aggregate systems can give rise to what is commonly described as the Mosaic Theory (Bellovin et al., 2014), whereby fragmented and individually non-identifying data points are combined across time and systems to produce a coherent and relatable identity. This logic closely parallels what Haggerty and Ericson (2000) theorize as the surveillance assemblage, in which disparate data flows are reassembled to render individuals legible and governable. While narrow surveillance does not directly address these cross-system aggregations, the harbor case suggests that constraining direct identification within individual systems may limit the raw material available for mosaic-style inferences, thereby mitigating, though not eliminating, the broader risks of indirect identification that emerge through data aggregation.
A further limitation concerns data requirements for system development. Although narrow surveillance aims to minimize data retention during operation, the training of AI-based systems currently necessitates the collection and annotation of data, as illustrated by the harbor case. This creates a residual privacy risk: accumulated training data may itself become a record that enables profiling, even if it remains formally disconnected from other databases. Future work should therefore explore approaches that further separate training from deployment, including openly available annotated datasets and synthetic data generation, to reduce the need for prolonged or repeated data harvesting in public spaces.
The harbor case also highlights that technical safeguards alone cannot eliminate the risk of misuse. Camera-based systems necessarily produce data that could, under certain organizational or political conditions, be repurposed. While it is arguably unrealistic to design hardware that is entirely immune to any misuse, risks can be meaningfully reduced through measures such as encryption, restricted access, locked model architectures, and local processing. Narrow surveillance should thus be understood not as a guarantee against abuse, but as a framework for making misuse more difficult.
Finally, we have developed narrow surveillance primarily in relation to safety-oriented use cases, where risks are relatively well-defined and intervention plausibly aligns with the interests of those under surveillance. As AI capabilities advance, similar design principles may be proposed for crime-related contexts. Such extensions raise substantially more difficult questions, particularly regarding interest alignment and identification: for example, whether it is possible to intervene in the interest of victims without expanding surveillance toward generalized suspicion or selective unmasking. Investigating whether and how narrow surveillance can be meaningfully adapted beyond safety monitoring constitutes an important avenue for future research.
Conclusion
This article has introduced narrow surveillance as a privacy-preserving approach to AI-based safety monitoring in public spaces. We define narrow surveillance through three interrelated criteria: non-identification, purpose limitation, and interest alignment. Together, these criteria specify how surveillance systems can be deliberately constrained so that they intervene only in clearly defined emergency situations, operate without identifying individuals, and remain oriented toward the interests of those under surveillance. Rather than treating privacy as a single technical property, narrow surveillance conceptualizes privacy preservation as the outcome of coordinated technical, organizational, and normative design choices.
A central contribution of the notion is its emphasis on interest alignment as a condition that must be publicly justified and institutionally sustained, rather than assumed. This includes recognizing that the interests of those under surveillance may vary with situational risk and that surveillance intensity may therefore be modulated in bounded ways, provided that safeguards are restored as soon as elevated risk subsides. In this sense, narrow surveillance offers a structured alternative to both continuous monitoring and blanket rejection of surveillance in public space.
Too often, the legitimate ethical and political concerns surrounding surveillance systems, such as its potential for identification or purpose drift, are generalized and transferred to all forms of surveillance. Our notion of narrow surveillance challenges this spillover effect. We argue that narrow surveillance presents a distinct ethical and political opportunity: it can be designed in a way that serves specific safety goals without the invasive consequences typically associated with broad surveillance. As such, narrow surveillance should be evaluated on its own terms, rather than inheriting the criticisms directed at broader surveillance systems.
The empirical harbor case illustrates both the promise and the limits of this approach. While the use of thermal cameras and AI-based detection operationalized non-identification and a narrowly defined safety purpose, the case also revealed how organizational choices, public communication, and technical imprecision can undermine purpose limitation and interest alignment in practice. These shortcomings do not weaken the notion of narrow surveillance; rather, they underscore its value as a diagnostic and developmental framework for identifying where privacy-preserving safety systems succeed and where they require further refinement.
Finally, narrow surveillance is not tied to any specific technology. It is intentionally outcome-focused and technically indifferent, allowing it to accommodate future innovations while maintaining normative constraints. By articulating clear criteria for privacy-preserving safety monitoring, this notion provides a shared reference point for interdisciplinary work among computer scientists, designers, policymakers, ethicists, and political theorists. In contexts where public safety interventions are perceived as necessary, narrow surveillance offers a principled way to leverage AI while resisting both techno-solutionism and the normalization of expansive surveillance practices.
Footnotes
Acknowledgments
Thanks to Rolf Hvidtfeldt, Anders Skaarup Johansen, Nazia Aslam, Thomas Ploug, and not least the anonymous reviewers for commenting on earlier versions of this article, and thanks to Stine Nørgaard Christensen and Mette Strange Noesgaard for help with data acquisition for the harbor case.
Funding
The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: Research for this publication is principally conducted as part of the Grundfos Foundation project grant no. 83648813 for the project Responsible AI for Value Creation (REPAI). Additionally, funding is provided from the project Contestable Artificial Intelligence – defining, evaluating and communicating AI contestability in healthcare, law, and finance, by Independent Research Fund Denmark grant no. 10.46540/2027-00140B, and from the Villum Foundation for the project “XAI for Safety and Security: A Bottom-Up Approach” [grant No.57384].
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
