Beyond the security paradox: Ten criteria for a socially informed security policy:

TL;DR: The analysis identifies 10 criteria, generated by citizens themselves, for a socially informed security policy that reveal the conditions, purposes and operation rules that would make current European security policies and technologies more consistent with citizens’ priorities.

Abstract: This article investigates the normative and procedural criteria adopted by European citizens to assess the acceptability of surveillance-oriented security technologies. It draws on qualitative data...

Summary

Introduction

• Over the past twenty years, but especially since 9/11, security policies in western societies have increasingly adopted pre-emptive measures which are reliant on SurveillanceOriented Security Technologies .
• The present article tries to overcome these shortcomings by applying an adapted version of a specific type of public engagement method, the citizen summit (Bedsted et al. 2011).
• Furthermore, in spite of producing more evidence of a security paradox (Eurobarometer 2015) the qualitative methods deployed by the paper demonstrate that there is more to be understood in relation to citizen assessments of SOSTs.
• From the analysis of the qualitative data gathered across the twelve citizen summits, a set of common criteria emerged.

Normative criteria

• The acceptability of SOSTs was often linked to the normative context in which the technologies are operated.
• National and international regulations, transparency and private-public separation were fundamental criteria used by the large majority of participants to say how SOSTs should be managed.

International legal framework

• Regulation is still seen by citizens as a powerful mechanism to ensure that technological risks are contained and managed (Falkner 2012).
• International laws are considered necessary to limit the sovra-national ubiquitous, digital surveillance.
• Specific laws should also be introduced to reduce massive surveillance and limit the impact of SOSTs beyond national borders: “the authors need a new and international legal frameworks.. it is important.. and even more an oversight body that could intervene if someone broke the law when using deep packet inspection in an illegal way” [Norwegian National Report, p.17].
• Given the global nature of security threats and security strategies, the national fragmentation of regulations and data protection authorities was perceived as an obstacle to both security strategies and data protection 7: “Legal guarantees should safeguard citizens' rights in the entire EU region.
• A body at a EU-level must give out licenses to set up surveillance cameras, oversee accountability, and protection of personal data” [Recommendation, Hungarian Citizen Summit].

Transparency and accountability

• Many participants perceived that SOSTs are used in situations in which information, transparency and responsibility are poor or missing.
• They suggested that SOSTs should only be introduced after providing detailed and accessible information about operation modes, operators, rules, domains and purposes to the public: “the use of SOSTs is opaque, responsible authorities are not known to the public.
• Several groups made a concrete suggestion to create a “My page”, where one can see a list of everyone who have stored your personal data, and a log of when it is used.
• Such action would help ensure that clear responsibilities could be identified when things go wrong: “Transparency here is absolutely essential: people want to know what data are being collected, who is responsible for them and what purposes they are intended for” [Swiss National Report, p. 36].
• Furthermore, surveillance technologies should only be used when it is necessary: “evidence is needed before initiating surveillance and greater transparency from companies and authorities on what the surveillance is used for” [Recommendation, Danish Citizen Summit].

Public-private separation

• Transparency of operations and international regulations were deemed crucial but not sufficient requirements.
• The involvement of private actors in security operations and in the management and use of SOSTs generated particular anxiety (Zedner, 2006).
• They suggested the establishment of such bodies on an international or European level 8 [Norwegian National Report, p. 26].
• The outsourcing of the security function to private firms was considered especially problematic: “No security services should be outsourced to private companies!” [Postcard, UK Citizen Summit].
• In circumstances where the involvement of private actors is absolutely necessary, stricter requirements were considered necessary to ensure transparency and accountability.

Data protection criteria

• Characterised by high 8 Effectively, European and National security agencies have to comply with the new European Directive on Data Protection (2016).
• Level of secrecy, they considered necessary to inform the public about how security agencies operate and respect people’s rights.
• Information on how data protection rights, for instance, are safeguarded during police investigation can help diminish citizens’ concerns about the data privacy.
• The purpose and conditions under which people’s data were processed in security investigations represented a very relevant and controversial theme.
• Blanket surveillance was especially criticised not only for its impact on privacy and human rights, but also for its effectiveness.

Notice and consent

• A major source of concern for all participants was the fact of not being aware of being a subject of surveillance.
• When opt-in frameworks are not viable, notification about when, and for what purpose, surveillance is operated needs to be given to help people become aware of these practices.
• “Active information obligation for data collectors, public and private, means the citizen is not required to make a demand but rather that who collects data should be obliged to inform the concerned person; what is stored, how long and why at all!.
• When the retrieval of personal data is required for security reasons, citizens considered they should be notified and have the right to access, modify, or have their data removed after the investigation ends.

Purpose limitation

• SOSTs should not be used for operating mass government surveillance, but only for targeting clearly defined threats and within the scope of specific investigations.
• “Participants argued towards more control of surveillance activities and the demand for justified reasons for surveillance in order to target real suspects and criminals instead of the general public” [Austria National Report, p.33].
• Mass surveillance was considered detrimental as it undermines citizens’ perceived safety and their trust in security operators.
• “By vast dragnet surveillance activities of governmental institutions, the trust in the state would get undermined because citizens perceive themselves subjected to a blanket suspicion.
• Broad surveillance measures involving large parts of the population are seen as disproportionate function or mission creep” [German National Report, p.31].

Data collection limitation

• Concerns were expressed on the type of data gathered.
• Some types of data, such as those related to location or bodily appearance, were considered less sensitive than others, such as those related to personal communication.
• Whenever possible, it was argued, security actions should target the least sensitive data in the least sensitive spaces, as this comment reveals: “[a]t some tables participants expressed that they found location as a less sensitive type of data than for example the content of their communication, which can be accessed through deep packet inspection” [Norway National Report p. 28].
• Thus, the implementation of basic data management norms, such as EU data protection principles, was recognised by citizens as an important criterium determining the acceptability of SOSTs.
• “We need clear rules concerning the limits on use and collection of personal data by technological means.the authors.

Technology deployment criteria

• Concerns about the ways in which technologies are designed and deployed were also addressed by citizens.
• The cost of developing and implementing new surveillance devices was a highly relevant issue, which was discussed in conjunction with themes related to alternative security measures and solutions to complement or improve SOSTs, such as the adoption of privacy-by-design principles in the design phase.

Cost-effectiveness

• Since tax payers’ money is involved in the acquisition and deployment of SOSTs, it is not surprising that participants wanted to receive more information about the appropriateness, costs and impact of SOSTs: “I have no problems with smart CCTV but the use of it, the running costs, the legitimacy and the effectiveness of it needs to be carefully monitored.
• And the watchers made accountable” [Postcard, UK Citizen Summit].
• As most of these technologies are developed, implemented and operated by public institutions, the presentation of exhaustive cost-benefit analyses was considered absolutely necessary—.
• Very concerned about the future” (UK postcard).
• Others pointed out that SOSTs need to be supervised and operated by qualified staff—“maintaining the human factor, that is to say, not replacing humans for robots in processes and their uses” (Spanish recommendation).

Alternative security approaches

• In designing new security solutions, social, cultural and economic causes of crime and terrorism should never be forgotten (UN, 2007), and humans should be considered part of the solutions, not only part of the problem—in terms of, for example, criminals or suspects.
• Participants also suggested that SOSTs should be used to support, not to replace, the work of human operators.
• Right to access, modify and delete data … they allow monitored individuals to access, modify and remove their own data.
• Whilst their purposes may change, these changes need to be explicitly discussed and publicly approved.
• Non-technological alternatives and security measures not based on surveillance … they work and operate in combination with non-technological measures and social strategies addressing the social and economic causes of insecurity.

5. Conclusion

• Increasing reliance on security policies that use SOSTs has sparked lively debate about their acceptance.
• DREWER, D. Europol’s data protection framework as an asset in the fight against cybercrime.
• Engaging with science and technology in contemporary Europe, also known as Public deliberation and governance.
• The European Union and the securitization of migration.

Figures

Figure 1. Defining privacy

Table 2. SOSTs are more acceptable if…

Fig. 2. List of criteria

Full text

1
INDICATIVE VERSION: DO NOT CITE WITHOUT PERMISSION
FROM THE AUTHORS
Beyond the security paradox: ten criteria for a socially informed
security policy
Abstract
This paper investigates the normative and procedural criteria adopted by European
citizens to assess the acceptability of surveillance technologies. It draws on qualitative
data gathered at twelve citizen summits in nine European countries. The analysis
identifies ten criteria, generated by citizens themselves, for a socially informed security
policy. These criteria not only reveal the conditions, purposes and operation rules that
would make current European security policies and technologies more consistent with
citizens’ priorities. They also cast light on an interesting paradox: although people feel
safe in their daily lives, they believe security could, and should, be improved.
Keywords
Public engagement, surveillance technology, security, privacy preference

2
Introduction
Over the past twenty years, but especially since 9/11, security policies in western societies
have increasingly adopted pre-emptive measures which are reliant on Surveillance-
Oriented Security Technologies (SOSTs). This shift has had controversial consequences,
with scholars highlighting a variety of concerns they associate with pre-emptive security
and surveillance practices (Hoijtink, 2014, De Goede, 2014, De Goede and Randalls,
2009). As new SOSTs facilitate the collection, storage, processing and combination of
personal data by security agencies and commercial organizations, their impact on
established civil and political rights (Friedewald et al., 2010), social sorting (Strauß and
Nentwich, 2013, Lyon, 2007a), and on individual privacy (Lyon, 2002)
1
has been
criticized.
With so many concerns raised by technologies over which citizens have little
control, it would be reasonable to expect Public Engagement with Science (PES) studies
to have scrutinised how people assess these technologies and their implementation.
However, SOSTs have so far received relatively little attention (Martin and Donovan,
2014, Pavone and Degli Esposti, 2012). Inspired by an unquestioned acceptance of the
trade-off between privacy and security, early studies tend instead to consider the extent
to which citizens are willing to trade their privacy in exchange for greater security
(Bowyer, 2004, Jain et al., 2005, Strickland and Hunt, 2005). More recent studies have
focused on the decision-making process involved in the development and implementation
1
Many of these concerns have been recently confirmed by the scandals and abuses revealed by
whistleblowers like Assange, Snowden and Manning in LANDAU, S. 2013. Making sense from
Snowden: What's significant in the NSA surveillance revelations. IEEE Security & Privacy, 54-63,
LYON, D. 2014. Surveillance, snowden, and big data: capacities, consequences, critique. Big Data &
Society, 1, 2053951714541861, BAUMAN, Z., BIGO, D., ESTEVES, P., GUILD, E., JABRI, V.,
LYON, D. & WALKER, R. B. 2014. After Snowden: Rethinking the impact of surveillance.
International political sociology, 8, 121-144.

3
of SOSTs (Hempel et al., 2013, van Lieshout et al., 2013, Wright and Friedewald, 2013,
Wright et al., 2014, Michael Friedewald et al., 2017).
The present study hopes to contribute to this line of inquiry by focusing on an
interesting paradox: although people feel safe in their daily lives, they believe security
could, and should, be improved. Evidence of this paradox can be found in Eurobarometer
432—Europeans’ attitudes towards security (EC, 2015). The report indicates that,
although the large majority of respondents consider their countries secure places (89
percent; n = 28,082), and agree on saying that their immediate neighbourhood, city, town
or village are safe places to live in (82 percent), a large percentage of them think that
security agencies are not doing enough to fight crimes such as corruption (52 percent),
human trafficking (47 percent), money laundering (46 percent), drug trafficking (41
percent), or cybercrime (40 percent), and that citizens (79 percent) and citizens’
associations (64 percent) could also help and play a role in safeguarding public security.
Furthermore, the majority of European citizens (55 percent) consider that fundamental
rights and freedoms have been restricted as a result of current security policies. This
negative perception of the effect of security policies on individual freedoms seems to be
worse in 2015 than it was in 2011, when only 48 percent considered their liberties to have
been restricted for reasons related to the fight of crime and terrorism (EC, 2014). These
findings seem to suggest that current security policies and solutions are somehow
perceived as inadequate by citizens, whose demands, opinions and perceptions need to be
further explored and included in future security policies. In pursuing this objective, PES
studies can stimulate productive and insightful discussion about the politics and purposes
of science and technology (Stirling, 2008). They also have a role in producing new and
socially responsible knowledge that can underpin innovation (Owen et al., 2012),

4
governance (Macnaghten and Chilvers, 2014) and policy-making (Jasanoff, 2003,
Hagendijk and Irwin, 2006).
Through the adoption of an adapted version of the citizen summit methodology,
this paper analyses the multiple ways in which citizens interpret security and privacy and
assess and evaluate SOSTs. Drawing from qualitative data gathered at twelve citizen
summits in nine European countries, this article presents ten general criteria used by
citizens to assess the adequacy of SOSTs. On the one hand, the analysis confirms the
appropriateness of policy actions undertaken in the area of data protection; on the other
hand, it also suggests alternative normative and procedural principles, which could be
adopted in the design, deployment and management of security technologies and that can
increase the acceptability of future security solutions.
Exploring SOSTs from a public engagement perspective
Over the past twenty years, the concept of security has undergone multiple
reformulations. It has shifted from territorial integrity and national sovereignty to human
security and, after 9/11, to a new concept of homeland security. New security policies
have particularly encouraged pre-emptive security measures, enacted through the
development of data-intensive security technologies and public-private security
collaboration. These measures have been introduced within policy frameworks which
justify the restriction of individual privacy and freedom; a matter of political concern
(Beck and Lau, 2005, Richards, 2012, Cohen, 2014, Lyon, 2007b, Lyon, 2013,
Friedewald et al., 2010). Some scholars argue that new holistic security policies suffer
from a democratic deficit (Zwolski, 2012, Eriksen et al., 2003, Tonra, 2011); they aslo
tend to reduce democratic scrutiny in other policy domains by framing social problems

5
as security problems (Huysmans, 2006, Huysmans, 2000, Loader, 2002, Balzacq, 2010,
Balzacq, 2008). Several studies have shown how the security agenda increasingly
constructs migration, crime and social integration as existential threats, addressing them
in very narrow security terms and shifting attention away from the role played by social,
political and economic factors (Léonard, 2010, Karyotis, 2011, Boswell, 2007, Dover,
2008).
Security solutions which rely heavily on digital surveillance have been especially
criticized for different reasons. First, they privilege pre-emptive approaches based on
pattern discovery over forms of targeted and historically motivated tracking (Lyon, 2014).
Furthermore, their impact on crime reduction is contested (Welsh et al., 2015) and can
encourage crime displacement (Johnson et al., 2012). Finally, more recent studies of
privacy concerns demonstrate that most people feel resigned and powerless when
confronted with the current reality of mass dataveillance (Degli Esposti, 2014, Turow et
al., 2015).
Despite the relevancy of the topic and the need to investigate public perceptions of
security technologies, most studies in the area suffer the limitations of having replicated
policymaker discourses concerning the existence of a trade-off between privacy and
security (Strickland and Hunt, 2005). In framing security and privacy as interchangeable
goods, these studies have not explored, for instance, whether security technologies
actually address citizens’ security needs and priorities (Jain et al., 2005), how privacy is
conceptualized, or whether citizens actually frame the latter in opposition to security
(Strickland and Hunt, 2005). Furthermore, these studies have contributed to perpetuate
security policies that considerably reduce privacy without offering significant gains in
security (Mitchener-Nissen, 2014, Pavone et al., 2016). In fact, studies based on the

Frequently asked questions

Q1. What are the contributions in "Indicative version: do not cite without permission from the authors beyond the security paradox: ten criteria for a socially informed security policy" ?

This paper investigates the normative and procedural criteria adopted by European citizens to assess the acceptability of surveillance technologies. 

Q2. What are the future works in "Indicative version: do not cite without permission from the authors beyond the security paradox: ten criteria for a socially informed security policy" ?

The future of science governance: publics, policies, practices. Failure to collectively assess surveillance-oriented security technologies will inevitably lead to an absolute surveillance society. The potential of public participation to facilitate infrastructure decision-making: Lessons from the German and European legal planning system for electricity grid expansion. 

Q3. What were the main criteria used by the participants to say how SOSTs should be managed?

National and international regulations, transparency and private-public separation were fundamental criteria used by the large majority of participants to say how SOSTs should be managed. 

Q4. What are the main reasons why new security policies have been criticized?

New security policies have particularly encouraged pre-emptive security measures, enacted through the development of data-intensive security technologies and public-private security collaboration. 

Q5. What are the implications of SOSTs for democracy?

As a result of the increasing surveillance and of the progressive restriction of civil rights triggered by pre-emptive security polices based on SOSTs, several scholars have warned about the implications for democracy and for personal privacy. 

Q6. How many European citizens consider that security policies have been restricted?

the majority of European citizens (55 percent) consider that fundamental rights and freedoms have been restricted as a result of current security policies. 

Q7. What is the role of the public in the social appraisal of technology?

Utilities Policy, 42, 64-73.STIRLING, A. 2008. “Opening up” and “closing down” power, participation, and pluralism in the social appraisal of technology. 

Q8. What was the common view of privacy in the three countries?

Participants in Switzerland, Germany and Austria tended to frame privacy as a right to be left alone, as expressed by a note-taker in Germany: “citizens feel a chilling effect on their behaviour, deriving from the wish to be left alone. 

Q9. What was the idea of privacy-preserving SOSTs mentioned in the Nordics?

The idea of privacy-by-design (Cavoukian, 2011) was mentioned as a possible solution to design privacy-preserving SOSTs and, thus, protect citizens’ privacy: “the concept of “privacy by design” was mentioned, hoping that future technology developers would use their knowledge to increase privacy, instead of increasing surveillance” [Norway National Report, p. 23]. 

Q10. What is the purpose of the paper?

Through the adoption of an adapted version of the citizen summit methodology,this paper analyses the multiple ways in which citizens interpret security and privacy and assess and evaluate SOSTs. 

Q11. What is the impact of SOSTs on the civil and political rights of citizens?

As new SOSTs facilitate the collection, storage, processing and combination of personal data by security agencies and commercial organizations, their impact on established civil and political rights (Friedewald et al., 2010), social sorting (Strauß and Nentwich, 2013, Lyon, 2007a), and on individual privacy (Lyon, 2002) 1 has been criticized. 

Q12. What are the limitations of the study?

Despite these limitations, their study makes an important contribution to shed light on citizens’ perceptions of SOSTs and confirms the important role that participative exercises can play in increasing their understanding of how people frame complex policy issues.