The New York Times reports today that "Privacy Fears Grow as Cities Increase Surveillance." The main theme is that municipal police and law enforcement agencies around the country are deploying new and more sophisticated data gathering and analysis technology, some of it bought with counter-terrorism funds, stoking privacy concerns among residents and watchdog groups.

As with much of the early reporting of National Security Agency surveillance programs disclosed by Edward Snowden, the Times piece is heavy on what the systems collect and how they store and combine information. Only near the end of the piece, however, does it address accompanying rules and guidelines being developed to regulate such issues as who can access this information, for what purposes, under what supervision, and with what checks. Rapid technological development and lower price-tags for it are inevitable, and the most important question is whether regulation for how surveillance technology and data may be used can keep up.

It is no surprise that local governments are deploying technologies like video surveillance systems, license plate readers, drones, networks of sensors, and systems for aggregating and analyzing the information streams they produce. The New York Police Department has been out in front of other cities in this regard, on account of its size, resources, threats, security needs, and politics. These technologies are spreading fast as they get cheaper and cheaper, though. The opportunities for fighting, deterring, or preventing crime and other threats are clear. The dangers to privacy are also clear, however, and debates are playing out across the nation as state, county, and local levels.

The key to balancing these interests is not to hold back the wave of technological progress (as well as its commercialization), but developing and improving rules for handling the information they produce and establishing oversight systems to monitor their use and effectiveness. The very decentralized system of American policing means that much of this work will be bottom-up, learned and promulgated at the state and local level, with—if done properly—best practices developing over time as lessons are observed and shared among localities.

This process will necessarily take time and produce uneven results. In the counter-terrorism context, states and major cities with intelligence “fusion centers” have been institutionalizing mechanisms for comparing practices as they improve policies and guidelines, though the effectiveness of these centers to date has been strongly criticized. The recent controversy over facial recognition technology in Ohio, where the state attorney general’s office sloppily mismanaged the development of privacy protocols and oversight for these systems, shows what can go wrong when state and local governments fail to study adequately the practices of others.

To say that local experimentation and learning are important, and to emphasize that legal and policy variation with respect to surveillance is not only inevitable but sometimes very valuable, is not to deny that there are already some minimum standards and practices that government should adopt at all levels. As state and local governments build and integrate sophisticated surveillance systems, for example, baseline data security protocols for their vast information troves are especially important to both security and privacy; strict rules for protecting information systems and limiting access help prevent abuse from within and help prevent infiltration by others.