© Springer Science+Business Media Dordrecht 2015. Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.), Reforming European Data Protection Law, Law, Governance and Technology Series 20, 10.1007/978-94-017-9385-8_11
11. Privacy and Security – On the Evolution of a European Conflict
University of Tuebingen, Tübingen, Germany
Privacy and security have long been framed as incommensurable concepts that had to be traded off against each other. While such a notion is rather under-complex, it has been quite persistent. In recent years, however, the relation has undergone a transformation and is now apparently conceived of as a technological issue that is set to be resolved through privacy by design. This paper retraces, through an analysis of EU security research funding, how this shift has come about, and critically assesses its potential to eventually resolve the conflict between privacy and security in a world of data-driven security measures.
Keywords: Security, Privacy, Research, Horizon 2020, European Union
Privacy and security have often been framed as conflicting concepts that must be conceived of as incommensurable and thus constitute a trade-off.1 And although such a notion has been largely criticized for using under-complex definitions of both privacy and security, as well as for neglecting empirical examples of positive sum games and questions of whose privacy and whose security are affected,2 the trade-off model appears quite persistent. Considering the contemporary nature of data-driven security measures, much digital ink has been spilled about the presumably weak standing of privacy in the face of a more or less overwhelming context of (inter-)national security.3 This paper analyzes how the relation between privacy and security has been framed and re-framed in the field of European security research, eventually ending up as a question of privacy by design. Privacy by design, so the argument goes, enables new security technologies to be both privacy-preserving as well as effective and efficient, and thus would ultimately serve as the silver bullet that resolves the conflict/trade-off. However, this paper puts forward the claim that the notion of privacy by design rather puts old wine into new bottles, as a closer look reveals that the core problem is not tackled, but only re-framed according to the general technical scope of security research. Thus, it appears that the new emphasis on privacy and the ensuing argumentative mitigation of the conflict merely intends to comply with the EU’s increased focus on normative security and at the same time renders research governance as a technological fix for the technological fix that security is conceptualized as in the first place.
The paper proceeds by providing a brief overview of the emergence of security research at the EU level over the last decade and sheds light on its underlying rationalities, en passant retracing how the presumed trade-off between privacy and security was framed and eventually evolved into a privacy by design approach alongside the emergence of a more normatively coined EU ‘security project’. The paper concludes with a critical assessment that questions the suitability of privacy by design as the panacea that it comes advertised as.
11.1 EU Security Research – On the Emergence of a Field and a Conflict
“Security research is the new guy in town.”4 As opposed to ‘traditional’ fields of research funded by the European Union, research that is explicitly dedicated to the security of the EU and its citizens has only been around for the relatively short term of about a decade,5 and has at times struggled to find its niche among related fields with a strong ‘security touch’, such as for instance Information and Communication Technologies (ICTs). However, fostered by ‘new’ and global threat scenarios, the quest for appropriate remedies has become an integral part of the realm of fundamental and applied research that is set to produce new tools and technologies, and thus to contribute to effectively establishing security in the European Union – or so the argument goes. Arguably, the need for reinforced security solutions has been catalyzed by the debate that was kindled by the events of 9/11 and their massive aftermath in terms of security policy adjustments.6 In the EU, security is now conceived of as a cross-cutting concept that has to tackle widespread areas such as terrorism, serious and organised crime, cybercrime, cross-border crime, violence itself, and natural and man-made disasters.7 Thus, security research has eventually been established as a key area within the European funding framework.
This very framework, however, is currently undergoing structural change. In 2014, EU research funding has hit an institutional threshold as the established Framework Programmes (FP) come to an end with FP7 and will be replaced by an overhauled, streamlined, and arguably simplified and more efficient program entitled Horizon 2020.8 Official documents promise that this new framework will, amongst others, set clearer scopes on societal issues, most notably privacy and data protection.9 Thus, this structural change appears an appropriate break to analyze how the still emerging field of security research is being (re-)shaped alongside economic rationalities and the emergence of a European ‘security project’ itself, and how the relationship between privacy and security keeps evolving. In order to set out an analytical framework, this paper argues that EU security research funding follows two general trajectories: it is mainly conceived of as (1) a means to foster the European economy, and (2) as a primarily technical framework that aims to produce specific solutions to clearly defined security problems. In recent years, however, a third notion has been added to this dichotomy, as ‘security’ itself is now increasingly presented as a normatively embedded concept that needs to comply with human rights and civil liberties. This appears to be a major reason for abandoning the trade-off model and the search for new and integrative approaches, eventually ending up with privacy by design.
‘Historically’ speaking, EU security research can be framed as a field that has been shaped through an inextricable entanglement with the industrial sector, as has been compellingly shown by Bigo, Jeandesboz, Hayes, and others.10 Multiple companies and personalities from the branch have been involved in the setting up of the field and the intensified cooperation between the Commission and the industry, taking off in 2003 with the establishment of the Group of Personalities in the Field of Security Research (GoP)11 and the initiation of the Preparatory Action on Security Research (PASR) in 2004. The GoP was eventually followed up by the European Security: High Level Study on Threats, Responses and Relevant Technologies (ESSTRT) in 200612 and the setting up of the European Security Research Advisory Board (ESRAB)13 in 2005 and the European Security Research Innovation Forum (ESRIF)14 in 2008, both of which further envisioned the future of security research at the EU level.
Throughout the published reports of the aforementioned fora, particularly privacy and data protection have been framed as disruptive elements for security technologies and thus for the overall goal of a secure European Union. For instance, as Bigo and Jeandesboz have pointed out, the ESSTRT final report frames the conflict such that “the underlying assumption is that intrusiveness is a requirement for efficiency, and that privacy undermines efficiency”,15 and the ESRAB report states that “research into ethics and privacy, and the trade-off between improved security and loss of privacy, will influence technology development and in parallel address aspects of how citizens perceptive security and insecurity.”16 Thus, privacy and security were generally conceived of as incommensurable concepts, and it was very clear where the preferences for effective security research had to be placed – the need for security apparently trumped the need for privacy. Either security measures would work, and this would be because they would be based on a sufficiently large database that allowed for glimpses of the future and the next event that needs to be canceled out – or they wouldn’t work because privacy claims and the restrictions of the data protection framework would thwart their effectiveness. More or less independent of any actual conceptualizations of privacy, be it as the classical “right to be left alone”17 that entails a “boundary control process”,18 as the “claim of an individual to determine what information about himself of herself should be known to others”19 which in turn involves “a constraint on the use of power”,20 or politically as the foundation of the democratic constitutional state21 – any position that values the (digital) personal sphere would be considered disruptive from an industry point of view.
Especially when taking into consideration Helen Nissenbaum’s concept of privacy in context,22 one might indeed be inclined to say that threat scenarios were used to create a contextual override for privacy arguments.
As mentioned earlier, such a trade-off model is certainly oversimplified, and arguably only represents a part of the full story. How come we find such a striking neglect of privacy arguments in official documents, then? The next section aims at unpacking the underlying notions of security and security research in the European Union. It will become clear that EU security research unfolds along a clear-cut economic agenda, and thus introduces a very specific and market-driven approach to the relationship between privacy and security.
11.2 Economics and Technologies
First trajectory. Both FP7 and Horizon 2020 documents acknowledge the economic goals identified by the Europe 2020 strategy,23 framing “research and innovation as central to achieving the objectives of smart, sustainable and inclusive growth.”24 The underlying rationale, as stated by the Staff Working Paper on Horizon 2020, is that “modern economic theory unanimously recognises that research and innovation are prerequisites for the creation of more and better jobs, for productivity growth and competitiveness, and for structural economic growth.”25 For that purpose, a study on behalf of DG Industry & Enterprise has analyzed the global security market and the position of the European security industry, coming to the conclusion that “it appears vital to stimulate and create a proper innovation framework in the security domain and establish fast track development procedures for new market technology requirements.”26 As a consequence of those findings, the European Commission in 2012 adopted an “Action Plan for an innovative and competitive Security Industry”27 in order to secure and extend market shares in a rapidly growing global security economy.
In the same year, the Commission published a document on EU security research entitled “Safeguarding Society, Boosting Growth.”28 Looking over its content, it quickly becomes clear that the emphasis lies on the latter part, as the document states that
our objective, notably through our Security Industrial Policy initiative, is to improve the global competitiveness of the EU security industry by stimulating its growth, invest in the research and development of future, world-leading security technologies and processes, and launch any effort necessary to overcome the current market fragmentation for security products in the EU and thus establish a true Internal Market.29
In fact, the conceptualization of EU research funding as a policy tool for economic growth has always been out in the open. Particularly, the purpose of security research can be identified by its institutional location. The housing within DG Enterprise and Industry instead of the maybe more natural fit DG Research & Innovation indeed provides a clear statement and has been criticized for its “significant consequences for the way we understand and do research on security as an ethically charged field of research.”30 This general economic scope will likely be reinforced with the start of Horizon 2020. As the joint communication on the new framework states, “since the launch of the Seventh Framework Programme (FP7), the economic context has changed dramatically”,31 and now urges the EU to provide even stronger incentives, since “research and innovation help deliver jobs, prosperity, quality of life and global public goods.”32
The ECORYS report on the competitiveness of the European security industry bolsters those general assumptions with factual numbers. The global security market is estimated to be worth €100 billion, with the size of the European market in the range of €26 to €36.5 billion.33 This translates into roughly 180,000 employees in the European security sector. Accordingly, security research receives a considerable amount of funding, with the security theme under the FP7 being worth an overall amount of €1.4 billion34 and the financial terms for the “Secure Societies” action under Horizon 2020 alone determined at €1.7 billion. However, despite those efforts, the ECORYS report points out a “low aggregate level of EU funding for security-related research, technology development and innovation.”35 In a comparative perspective, EU security research funding still remains “considerably below the efforts made in the USA”, leading to “potential weaknesses in the underlying competitiveness of the EU security sector.”36 This could in turn lead to a predicted loss of market shares to a low of 20 % in 2020,37 particularly with the Asian security industry massively catching up in the high-tech area, but also with considerable competition from Russia and Israel.38 The remedy for such a threatening scenario appears quite simple: reinforcement of market stimulation through enhanced security research funding and faster product cycles.39 Thus, one might indeed be inclined to agree with Bill Clinton’s famous statement that “it’s the economy, stupid”. Economic prosperity has been the driving force behind European integration from the beginning, and why should it change within security research, of all things?
The Action Plan for the security industry subsequently provides concrete steps of action in order to reinforce the competitiveness of the European security industry, suggesting the creation of a true Internal Market through favorable conditions, the enhancement of competition and lower production costs, as well as strengthened support for SMEs.40 Apart from those issues, however, one of the most pressing concerns still appears to be the potential of privacy and data protection to thwart the effectiveness of security technologies and thus their successful market impact in the first place. Subsequently, the Action Plan takes up that conflict and states that a major problem arising from the societal dimension of security research is the social acceptance of security technologies – or rather the lack thereof, which could result in a number of negative consequences for the security industry, i.e. wasted investments.41 Most strikingly, privacy requirements are regarded to hurt the security market on both supply and demand side. For the supply side (i.e. the European security industry), this would mean that its products might not reach their maximum ‘security potential’ due to constraints in data collection and analysis, and “for the demand side it means being forced to purchase a less controversial product which however does not entirely fulfill the security requirements.”42 Thus, from an industry angle, the situation appears quite clear: privacy hampers security. Or rather, it hampers security technologies, as EU security research is indeed primarily locked in on the emergence of new technologies.
Second trajectory. The rationale behind this scope becomes clearer when looking at how current security efforts within the EU are conceptualized as data-driven and risk-mitigating measures. As security policies increasingly emphasize the potential of databases, data-sharing and interoperability for the purpose of gathering knowledge and thus being able to prevent future risks,43 Information and Communication Technologies (ICTs) have spilled over into security contexts – and with them issues of privacy (and data protection). Security technologies heavily focus on communication, social networks, and other forms of individual interaction with a digitized everyday environment, such as sensors or biometrics. The massive amount of personal and behavioral data constantly produced then serves as the basis for fighting crime and terrorism through various forms of data exploitation such as algorithmic profiling and probabilistic risk calculations.44 Or, put more simply: security itself has indeed become dominated by the desire to accumulate data in order to predict the future and counter-act criminal and terrorist incidents. But when security is supposed to be enacted through mitigation of future risks, those risks first have to be identified.
ICTs have emerged as the very tools to do so, and such a notion has obviously evoked critical reactions. Thus, ICT research ethics have specifically been concerned with the implications of the use of personal information in distinct contexts.45 Arguably, the increasing spill-over of ICTs into the realm of security is also the reason why privacy and data protection are framed as predominant ethical concerns of current security research within official EU documents. Whether or not this limitation of ethical concerns to one clear-cut area is by any means adequate remains questionable. It should clearly be noted that multiple other pending ethical issues such as autonomy, social inclusion, human dignity, or dual use and function creep/mission creep between the civil and the military realm of security also do require attention.
However, when looking at the political and financial efforts put into security research over the last decade, one might indeed be under the impression that “our political masters, aided and abetted by the security industry, often appear willing to sacrifice some of the citizenry’s privacy in order to better secure society”,46 as van Lieshout et al. have provocatively formulated it. Thus, how come the stark contrast of a presumed trade-off was eventually transformed and is now conceived of as a resolvable privacy by design issue instead of the irreconcilable conflict that it was before?
11.3 A Normative Turn?
The answer arguably lies in the re-framing of the overall European ‘security project’. With the Treaty of Lisbon in 2009 and the ensuing legally binding status of the European Charter of Fundamental Rights,47 the EU has – at least on paper – made a clear commitment to human rights and civil liberties. For the (broader) field of security, this commitment is reflected in the European Internal Security Strategy48 of 2010 and the Stockholm program that provides the current concrete policy framework (2010–14).49 The Internal Security Strategy, for instance, explicitly states that “Europe must consolidate a security model, based on the principles and values of the Union: respect for human rights and fundamental freedoms, the rule of law, democracy, dialogue, tolerance, transparency and solidarity.”50 And the Stockholm Programme puts forward a Europe built on human rights, and goes as far as to claim that when it comes to security measures,
basic principles such as purpose limitation, proportionality, legitimacy of processing, limits on storage time, security and confidentiality as well as respect for the rights of the individual, control by national independent supervisory authorities, and access to effective judicial redress need to be ensured and a comprehensive protection scheme must be established.51
This strengthened emphasis on normative aspects of security can also be found in the FP7 security scheme, claiming that “the potential impact of the resulting technologies and activities on Fundamental Rights, ethical principles and societal values should be addressed as part of the proposed research.”52 Again, especially privacy and data protection have thus been officially tagged as norms that potentially become infringed by security technologies.53 Apart from such official statements, the predominantly technological security tools that have emerged from the FP frameworks in recent years have become the target of normative interventions due to their potential negative impact on society.54
Third trajectory. Alongside this new scope on the normative dimension of security, research funding, or rather the governance thereof, is also undergoing change. Security research now has to be ‘ethically compliant’ in order to take into account possible negative impacts on the societal level. Security research projects are thus to be accompanied by the explicit coverage of ethics boards in order to ensure that research is in line with normative principles. Subsequently, research ethics have come to enact a key role in the governance of security research, and are set to establish safeguards against detrimental societal impacts of security technologies at an early stage during research and development. In EU research funding, a dedicated ethical coverage of the research process has been introduced as “fundamental ethical principles”55 since FP5 (1998–2002). Particularly, fields such as medical and biological research have a long history of a need for ethical coverage, as has become apparent by the emerging possibilities of ‘engineering’ human life at the genetic or molecular level. Security research is joining those fields as one of the areas that has to be monitored and advised closely. As Burgess notes, “security comes with its own special ethical baggage”,56 since it carries the potential to inflict curtailments on fundamental societal and individual values. In fact, numerous scholars have in recent years engaged with the threatening and negative consequences of new and emerging security technologies.57
However, on the other hand, security itself represents an important value as it “embodies the social and cultural needs of a society, its hopes and fears, its past and its ambitions for the future.”58 Read through that lens, security represents its own ethics as an overarching prerequisite for any society. Much has been written on the problems that can arise from over-emphasized security and ensuing detrimental impacts on human rights and civil liberties.59 Adding to that list of potential negative consequences, security research
can include particular measures that have as a secondary effect an increase in insecurity – such as the development of scanning devices that cause unease, weapons systems that provoke fear or insecurity among innocent bystanders, or surveillance systems that are experienced as too invasive.60
Thus, security research appears a Janus-faced phenomenon that possesses the potential of both detrimental and beneficial outcomes that indeed come as “inseparably intertwined.”61 The delicate balance of the ‘goods’ and ‘bads’ of security for society subsequently underlies constant challenges through security research and the technological tools that emerge from it. A close look reveals, as mentioned earlier, that nearly all security-related research projects within FP7 do feature a technological scope, as “the Security theme supports R&D actions oriented towards new methodologies and technologies.”62 Due to the sketched potential detrimental impact of security technologies on societies, coupled with the financial volume of security research funding, the stakes for particular security research ethics appear exceptionally high.63 This constellation is indeed reflected in official documents – and once again it is predominantly framed in terms of privacy. The last call fiche for the security theme of FP7, for instance, states that “if ethical issues, including privacy are raised, they should be addressed in the core of the proposed activity”,64 and the EC document on ethical and regulatory issues in research policy dedicates a whole chapter to “New Security Technologies and Privacy.”65
This emphasis on privacy arguably comes from the aforementioned data-driven nature of contemporary security technologies that build on the collection and analysis of large amounts of data, as well as from the well-defined legal applicability of the data protection framework that gives privacy concerns a ‘procedural advantage’ over other normative concerns when it comes to security technologies. The interesting fact is now, that with this ‘new’ scope on morally right security, the original conflict between security and privacy becomes rather reinforced than mitigated. In other words: with the increased emphasis on the importance of privacy, the privacy side of the original equation has been upgraded and is now not so likely to be overridden by security anymore. And since there no longer seems to be an a priori