Skip to main content
European Commission logo print header

Privacy Awareness Through Security Branding

Final Report Summary - PATS (Privacy Awareness Through Security Branding)


Executive Summary:
In recent years, a discourse on the invasion of privacy that occurs every day and in a variety of forms has emerged. Invasive surveillance activities are carried out in the name of preventing terrorism and stopping fraud. Discussions of crime control have become synonymous with surveillance technologies, information technologies, and databases. Security markets are exploding worldwide, and companies happily tap into the demand for security measures by state and private actors. These actors carry responsibility with regard to privacy developments – but are they aware?

The PATS project directs its focus at the actors within the security industry – those who produce the technologies and services used to surveil and control. The project's central topic is privacy awareness among security actors and the possibilities of raising awareness through and increase in privacy-related communication. The project suggests a model for ethical communication by security companies around the issue of privacy and data protection that is called “privacy branding”.

In the project's first phase, all partners developed an understanding of their countries' security regimes and actors' rationales against the backdrop of their cultural and historical context and market situation. In particular, processes of securitization and expanding security regimes and markets were described. Different security notions as well as the convergence of foreign, internal, business, and infrastructure security (resulting in the notion of networked security) were analysed. One main conceptual result of this research phase is a security actor typology. The typology describes organisational types in the field and their specific characteristics. The cross-country typology includes Security Service Providers (small & traditional vs. Large & modern), Technology Producers (systems integrators vs. specialised manufacturers), Associations and Networks, Consultancies and Research institutions.

In the second, empirical research phase, in-depth interview series with security organisation representatives were carried out in all partner countries with a focus on privacy awareness. We found that privacy awareness was generally low and responsibility sometimes rejected, so we inquired further into the reasons for this situation. We concluded that actor constellations are not conducive to communication about privacy and that market mechanisms in the security sector do not include data protection as a feature. The conditions for self-regulation are hence less than perfect, to say the least. Another aspect studied with data collected in the field are the symbolic representations put forward by security companies – the imagery and text they use to represent who they are and what their notion of security and privacy is. Again, privacy and data protection did not figure in the organisational communication.

These analyses were undertaken with a specific self-regulation aim in mind: PATS' main conceptual advancement is – in the third, constructive project phase – the development of a branding (or communication) strategy that refers to the value of privacy. Branding is understood as a two-sided, ongoing communication process between the brand owners and their clients and stakeholders. The PATS concept for ethical (privacy) branding consists of an ideal model composed of a number of graded dimensions. Each dimension ideally builds on the preceding dimension so that a roadmap for long-term development can be formulated on their basis. Each dimension is a continuous rather than discrete concept, and for now these dimensions are left as qualitative concepts, though it is conceivable these could be converted into quantitative variables in the future. The concept is thus intended to be used as a blueprint by security companies who wish to work towards privacy aware practices and communicate about this. The dimensions are called reflexivity, information availability, communicability, action-ability, testability, and, as a cross-cutting dimension measuring progress, materialisation.

A concept of ethically focused branding needs to consider and rebuild the relationships and communication channels among the actors in the arena. PATS formulated policy recommendations for national and EU frameworks building on the above insights. Using more reflexive measures such as open expert interviews, dialogue work shops, expert evaluations, focus groups and two major conferences, PATS initiated not only an informed, but a constructive dialogue between stakeholders in order to enable a proactive rather than reactive basis for future policies.

Project Context and Objectives:

In recent years, a discourse on the invasion of privacy that occurs every day and in a variety of forms has emerged. Apparently invasive surveillance activities are carried out in the name of preventing terrorism and stopping fraud. Discussions of crime control have become synonymous with surveillance technologies, information technologies, and databases. And talk of public and private life has witnessed a blurring of boundaries, in which privacy at times and in particular places appears compromised in the name of protecting the public.

For example, CCTV systems have become a pervasive means for monitoring particular spaces (see for example Hempel and Töpfer, 2002). The continued development and deployment of CCTV systems has raised a variety of questions alongside the possibility that these systems involve ever increasing threats to privacy, including issues of cost (with many millions invested, for example, in CCTV in the UK alone) and the extent and justification for information collection (See, for example, Lyon, 1994; Norris and Armstrong, 1999; Williams and Johnstone, 2000).

In order to enhance security, these systems are often closed to those they seek to protect. As a result, those subject to surveillance frequently seem to have little access to the information held about them, little knowledge of how these systems operate and either few opportunities or little knowledge of the opportunities available for challenging these surveillance systems (Neyland, 2006). In the absence of opportunities to hold surveillance systems to account, the possibility for invasions of privacy to continue unchecked appears to remain. Especially with regard to data protection, a discourse on self-regulation has picked up over the past decade, suggesting that companies can and should become more active in the protection of privacy.

The PATS project hence directs its focus at the actors within the security industry – those who produce the technologies and services used to surveil and control. The initial question is: how do these actors perceive their role and responsibility in this development? How aware are they of the problems arising from privacy infringement and surveillance? Consequently, the project's second line of questioning is: how can the awareness of social conflicts and privacy concerns be raised among the private security actors who undermine privacy necessarily on a daily basis in their mission to provide security?

In order to advance these goals, the PATS project's first objective was to develop a socio-technical mapping of security regimes in the partner countries and understand actors' rationales against the backdrop of their cultural and historical context and market situation. One main conceptual result of this research phase is the security actor typology.

In a second, empirical research phase, in-depth interview series with security organisation representatives were carried out in all partner countries with a focus on privacy awareness. The data was also analysed with regard to the actor constellations and market mechanisms in the security sector, and the conditions for self-regulation that could be inferred from our findings. Another aspect studied were the symbolic representations put forward by security companies – the imagery and text they use to represent who they are and what their notion of security and privacy is.

These analyses were undertaken with a specific self-regulation aim in mind: PATS' main conceptual advancement is – in the third, constructive project phase – the development of a branding (or communication) strategy that refers to the value of privacy. Branding is understood as a two-sided, ongoing communication process between the brand producers and their clients and stakeholders. A concept of ethically focused branding needs to reconsider the relationships and communication channels among the actors in the arena. Using more reflexive measures such as open expert interviews, dialogue work shops, expert evaluations/focus groups and two major conferences, PATS sought to initiate not only an informed but a constructive debate between stakeholders in order to enable a proactive rather than reactive basis for future policies.

2) In recent years, a discourse on the invasion of privacy that occurs every day and in a variety of forms has emerged. Apparently invasive surveillance activities are carried out in the name of preventing terrorism and stopping fraud. Discussions of crime control have become synonymous with surveillance technologies, information technologies, and databases. And talk of public and private life has witnessed a blurring of boundaries, in which privacy at times and in particular places appears compromised in the name of protecting the public.

For example, CCTV systems have become a pervasive means for monitoring particular spaces (see for example Hempel and Töpfer, 2002). The continued development and deployment of CCTV systems has raised a variety of questions alongside the possibility that these systems involve ever increasing threats to privacy, including issues of cost (with many millions invested, for example, in CCTV in the UK alone) and the extent and justification for information collection (See, for example, Lyon, 1994; Norris and Armstrong, 1999; Williams and Johnstone, 2000).

In order to enhance security, these systems are often closed to those they seek to protect. As a result, those subject to surveillance frequently seem to have little access to the information held about them, little knowledge of how these systems operate and either few opportunities or little knowledge of the opportunities available for challenging these surveillance systems (Neyland, 2006). In the absence of opportunities to hold surveillance systems to account, the possibility for invasions of privacy to continue unchecked appears to remain. Especially with regard to data protection, a discourse on self-regulation has picked up over the past decade, suggesting that companies can and should become more active in the protection of privacy.

The PATS project hence directs its focus at the actors within the security industry – those who produce the technologies and services used to surveil and control. The initial question is: how do these actors perceive their role and responsibility in this development? How aware are they of the problems arising from privacy infringement and surveillance? Consequently, the project's second line of questioning is: how can the awareness of social conflicts and privacy concerns be raised among the private security actors who undermine privacy necessarily on a daily basis in their mission to provide security?

In order to advance these goals, the PATS project's first objective was to develop a socio-technical mapping of security regimes in the partner countries and understand actors' rationales against the backdrop of their cultural and historical context and market situation. One main conceptual result of this research phase is the security actor typology.

In a second, empirical research phase, in-depth interview series with security organisation representatives were carried out in all partner countries with a focus on privacy awareness. The data was also analysed with regard to the actor constellations and market mechanisms in the security sector, and the conditions for self-regulation that could be inferred from our findings. Another aspect studied were the symbolic representations put forward by security companies – the imagery and text they use to represent who they are and what their notion of security and privacy is.

These analyses were undertaken with a specific self-regulation aim in mind: PATS' main conceptual advancement is – in the third, constructive project phase – the development of a branding (or communication) strategy that refers to the value of privacy. Branding is understood as a two-sided, ongoing communication process between the brand producers and their clients and stakeholders. A concept of ethically focused branding needs to reconsider the relationships and communication channels among the actors in the arena. Using more reflexive measures such as open expert interviews, dialogue work shops, expert evaluations/focus groups and two major conferences, PATS sought to initiate not only an informed but a constructive debate between stakeholders in order to enable a proactive rather than reactive basis for future policies.

Project Results:

PHASE 1: security regimes and actors

The first work package was a research journey of all involved project partners into their respective national empirical fields: mapping the security regimes along the concepts of actors, technology and discourses. For this, we gathered on the one hand quantitative data about the security industry market and developed different qualitative types of security organisations; on the other hand we made a literature review of documents and articles about the development of the security field between 1989 and 2009. This section gives an account of the more general trends we have observed and which focus on the current debate surrounding the regulation of privacy in this sector.

Several discourses on security were identified during our research of current security regimes. A powerful, but creeping discourse concerns the broadening of security both as a term and as a political task. This development has been labelled “securitisation” in the academic discourse and has at the political realm enabled shifts in competences and power. Security is seen as a cross-cutting political issue that needs to be ensured in virtually every social sphere. The notion of a “right to security” propels the pursuit of security to a number one responsibility for the state5. Under the title of “security vs. freedom”, the shift of the political norm towards measures of securitisation has been discussed and the considerably weakened position of privacy values and other liberties observed. The most unquestioned discourse about “new threats” originated in the political realm and is tightly coupled to processes of globalisation and allegedly new forms of war after the end of the Cold War. This discourse has global scope and is taken up by both political and economic actors, especially after 9/11. It is a powerful narrative and justification for securitisation processes in the US, but in most other countries analysed as well.

Another manifestation of the extension of the security notion can be identified in what we called the“network paradigm”. Originally coined and used by social scientists in response to socio-technical developments, the “network” term has seen a career beyond compare. The discourse is used by many, if not all of the actors dealt with here. Yet, it proves most useful to those already most competent when it comes to networking: the companies we have identified as Systems Integrators in a security actors typology.

The network paradigm and the rhetoric of “new threats” are tightly coupled: The dissolution of borders, globalisation, new types of conflict or war have been bundled into one image by the 9/11 terrorist attacks in the USA. This focus event, singularly witnessed by millions through extensive media coverage, is probably present before everyone’s eyes when “new threats” are mentioned, also in Germany. The invention of the term “Homeland Security” by the US government in the aftermath of the attacks and the instalment of a powerful institution of the same name is the consequence of the “new threat” discourse as well as a medium for safety and security convergence. The Homeland Security department is not only responsible for “Counterterrorism”, “Preparedness, Response, Recovery”, but also for “Border Security” and “Immigration”.

It thus includes safety from natural disasters in its security mission and subsumes immigration under the security aspect.

A similar development can be shown for the EU long before the attacks took place. The understanding of security had undergone a process of broadening for some two decades. The roots of this shift lie in the military and security political discussion that has seen a merge in internal and foreign security. As an early focus event, the Schengen Agreement (1985) and Convention (1990) brought the borders into focus. First, the 1985 Agreement regulated a now “borderless” massive area - the suspension of internal borders was seen as an experiment, also in terms of criminal behaviour. Fear of an increase in organised crime and massive trans-border criminal movement arose. One of the conclusions drawn was that outer borders now needed to be even more secure.

While most telecommunications and internet service providers have unintentionally become part of the security regime, many private actors – companies – benefit from the extension of security in general. A first major trend concerns the rising use of risk management and security measures on the part of companies and industries. Traditional security service companies offered services of locking, guarding and patrolling.

With the continued increase in space occupied by industries, more protection has been engaged. Security services have also often been linked with building-related services such as cleaning and other forms of maintenance.

Concerning the notion of security, a qualitative shift has occurred with the introduction of IT in most industrial and service organisations: it has become a security issue and a sector of its own, extending the “security market” vastly. With growing networks and more complex supply chains through outsourcing and lean production, security of business, data, finance, etc. has come to be seen as one issue termed “business continuity”. The rescue comes as a comprehensive systems solution from one hand, e.g. the large security service company or the systems integrating company, including risk management, services, and technologies. This development finds its expression in the emergence of a market for security consulting asa stand-alone product. Consultancies take on an intermediary role in the unregulated, diverse and thus confusing security market.

A second development concerns the shift in public and private spaces. Many places have – often unnoticedby the public – become private spaces. Whole infrastructures such as public transport are private, shopping precincts, banks and even streets are in the responsibility of their owners, yet used as, and perceived as, public spaces. The employment of private security services can thus be seen as the “natural” responsibility that comes with property (of space), a kind of “self-help” on the part of those who create these spaces. To the people who frequent these spaces, and often to the security actors themselves, it is far from clear where the responsibilities lie. At the same time, since security is not the prime function of the organisations using private spaces, it is always in competition with commercial interests. Highly symbolic and visible security measures such as video surveillance thus meet with more approval from the companies than the more expensive security staff. This problem of accountability and legitimacy becomes crucial when privacy and data protection come into view – if security is of secondary importance, privacy is considered to be even less relevant.

The type of outsourcing of security functions commonly perceived as privatisation is the fulfilment of core security functions through private companies in Public Private Partnerships. Here, it is not private but public space that is handed over to be secured through private actors. The requirements set by the public agencies are not much higher than otherwise – a point criticised by some actors within the market, because professionalisation processes stay slow. Still, the security service market leaders are prepared for Public Private Partnerships as they themselves are setting higher standards and approaching police quality in terms of education and appearance.

With the blurring of safety and security concepts and functions, actors formerly concentrating on defence (and aviation) step into the civil security market more powerfully. Making intense use of the network paradigm and their experience in real-life missions, these companies now offer comprehensive solutions for the protection of critical infrastructures and crisis management and present themselves as the prime partner for the state when it comes to cooperation with private actors. In this regard, a capacity imbalance of public and private security providers is articulated. While public agencies now use private information infrastructures, they cannot keep pace with the original technological novelties. Large-scale sensitive projects such as the digital telecommunications network for security organisations are implemented by private companies.

To sum up, what is commonly termed “privatisation” is not a mere outsourcing of public functions, but a complex and multi-faceted development. An increase in private space (space privatisation) – industry and business representing an important share – also accounts for the involvement of private actors in security.

At the same time, the state encroaches on private assets when security agencies make use of companies’ infrastructures. Thirdly, an entirely new sector within security has emerged, adding to the capacity of private actors as compared to state capacities – the field of IT security, a major cross-cutting security issue.

Considering these developments, it makes sense to speak first of an extension of the security regime in general – including both public and private actors –, and second of the qualitative extension and quantitative growth of a security market undergoing structural changes. Indeed, the “security market”, as heterogeneous as it is, has attracted much attention from economically interested actors, especially in the field of technology.

The institutional vision of “networked security” which connects agencies and includes safety and security is complemented by the security technology oriented use of the term. Perceived changing threats are faced with converging solutions: “Many measures which were initially aimed against organised crime are by now used against international terrorism.” What is more, measures are now aimed at terrorists, burglars and fire at the same time. Security technologies have undergone a process of convergence through digitisation, making new functionalities possible in interconnected systems.

Great hopes are set in the security technology market – mostly from an economic perspective, but from a rhetoric viewpoint and closely coupled to the new understanding of security. The security technology market is booming – at least according to the market overviews available and the self-description of the participants. Still, the market remains completely obscure and mostly arbitrarily defined. All kinds of technologies can be subsumed under “security” if the application indicates it, which is best shown with classic dual-use technologies. Biometric sensors, for example, are quite common in industrial quality management, but have been re-appropriated as a security technology. Security technology development is also generally supported well in terms of funding.

In such a dynamic market, as could be expected, actors try to get their share of the cake. Large economicplayers play the game – they make the most of existing discourses such as the network paradigm or extended security programmes. Our analysis has shown that many corporate players utilise security extension rhetoric in order to expand their business15. Market potential studies and an uncritical use of “new threat” rhetoric become self-feeding mechanisms. Since all technology can be appropriated for security uses, there is a wide field especially through convergence of digital technologies such as IP video and biometrics. Systems integrators benefit from this development.

Against the backdrop of this general process of securitisation of political, legal and economic regimes and an expanding security market, notions of regulation shift when it comes to the problematic effects of security services and technologies on the people and the public under surveillance. Responsibility for the protection of privacy and data is being transferred to companies with clear for-profit goals and little intrinsic motivation to question the supremacy of security over privacy protection. The underlying assumption of most actors is that legal provisions are clear and sufficient to safeguard the data subjects' privacy and liberties.

There is clearly a contradiction between the goal of “networked” and “total” intelligence pursued and advertised by security companies – the general idea of feasibility and omnipotence – and the public and individual interest to preserve privacy and personal data protection, as well as just having “unobserved” spaces. Yet, when it comes to surveillance, attention focuses mostly on the state as the central actor and potential invader. Decentralised surveillance, delivered by private actors in private spaces such as public transport systems, is harder to discern and grasp in its entirety, or assess with regard to its effects. This is true both for the data subjects and regulating bodies, and the organisations themselves.

The transformation of the security field towards increasingly market-based relations leads to new questions about the governance of privacy and the efficacy of legal provisions. A closer look at the actual, day-to-day practices of security actors was hence deemed necessary. Discussions about new forms of more market-based regulation – “self-regulation” - cannot be led without a clear picture of the context and mechanisms – the market – that these organisations operate within.

While privacy is largely perceived as a ”problem”, and not an opportunity within the security industry, some developments suggest that there is room for privacy awareness raising within organisations: the targeted professionalisation of the security service market, a trend towards systems solutions including consulting and auditing (risk management), and the branding efforts of globally operating companies. Based on these potential opportunities attached to the hugely enhanced role of the private sector, the PATS project inquired into current levels of privacy awareness among security actors as part of the next research step.

PHASE 2: privacy awareness and symbolic representation

To gain a better understanding of the organisations operating in the regimes described above, and to assess the feasibility of self-regulatory approaches towards data protection, we proceeded to investigate the practices of security actors more closely. The specific goal of the WP3 empirical study was to assess current levels of privacy awareness among security actors and whether self-regulatory instruments are implemented.

The main question during this research phase was how privacy is perceived by security actors, and how, in contrast with abstract legal norms, privacy and data protection are actually practised in organisational routines and operations. In other words: how does privacy figure in security actors' daily business lives and decisions?

Conceptually, we developed three perspectives to build a qualitative interview guideline. The (1) performance perspective explores privacy standards and measures in organizational practice; the (2) technology perspective concerns the capabilities and current developments of security technology and whether privacy enhancing technologies are actively integrated; lastly questions about the (3) self-regulation efforts of security organizations were asked. Next to these three perspectives we asked about the (4) actors and relationships within the security field in order to map the driving mechanisms with regard to privacy regulation in the field.

Based on the actor typology developed in WP2, every project partner picked a number of some 10 representatives of security organizations operating in their country for semi-structured in-depth interviews to be analysed with qualitative research software. These organizations were technology producers, service providers, consultancies, research institutions and associations in the security industry. Public agencies were interviewed in some countries, but were not central to the goals of the following Work Packages focusing on self-regulation of industry actors.

The main results from the WP3 interview series were the following: In general, we found a very limited understanding of privacy in security organisations. Privacy is mainly understood as data security – a rather technical understanding of privacy that neglects the democratic value of privacy and the basic principles of data parsimony and sensitivity. Privacy is thus reduced to organisational-technical issues of data processing and storage and is not dealt with on the level of business processes or decisions in general.

Another important practice is the reference to the existence of ISO standards and legal frameworks with the objective of shifting responsibility to those entities. These standards and legal frameworks are used as black boxes when used as an argument for not giving more thought to the related issues: “Why, but there is a data protection law!” The practices and routines regarding privacy and data protection are opaque even to the members of the organisations we interviewed.

This becomes problematic when the unquestioning trust in the almost magical workings of legal provisions is accompanied by a reluctance to even discuss the topic – as privacy, so our interview partners argued, had surely been taken care of in some shape or form. Another dimension of opacity lies in the fact that the organisational structures – which should enhance privacy compliance – depend on the actual practices of each company. For example, it makes a big difference as to whether data protection officers are employed full time or not, how well trained they are in data protection issues and how independently and proactively they can act within their company. As stated in interviews, the qualification of employees is indeed an issue; some actors are still trying to achieve basic legal compliance, which renders active engagement for data protection impossible and sheds a very critical light on ideas of self-regulation.

In conversations, most of the representatives express their willingness to enhance privacy protection, but they feel that they face the described organisational problems and are limited in their sphere of action, because they have to act according to the needs, more specifically: the demand of the markets.
While there are indeed individuals who wish to enhance the privacy practices within their organisations and who are aware of privacy problems and problematic structures, there is nevertheless a general lack of communication with the public about privacy issues – even when there is a real interest in providing and enhancing privacy within the business model. We found examples of security actors with a strong willingness to improve the privacy situation in relation to services or technologies offered. These interviewees stressed that trust is more important in the long run than instant economic profit, and thatthey offer data protection education in addition to their security products and services.

Yet, according to a technology producer who offered specific Privacy Enhancing Technology (PET) options in combination with an IP camera product, there is little or no demand for these technologies and clients will not buy them as long as it is perceived as a costly “add on”. This lack of client interest, along with what one interviewee called a “cat-and-mouse-atmosphere” when talking about data protection issues, seems to lead to a situation where companies do not feel like communicating about privacy in the public domain. It seems like putting oneself in danger for no reason.

This difficult relationship between privacy practice and privacy communication becomes evident when we look at companies that went through privacy scandals. From our interviews, it emerged that data leakage or misuse scandals hit the clients of security (technology) providers, not necessarily the security companies themselves. When misuse becomes publicly known, these organisations mostly show two reactions: either they begin to talk publicly about their privacy efforts or they avoid any (further) publicity about data protection. For the former however – intense communication on privacy efforts – it was reported that organisations try to achieve formal law abidance to “safeguard the management board from claims”. This is illustrated by companies that set up entire compliance departments to purify their reputation, notwithstanding the efficacy of these measures. Reputation is an important asset especially in regard to investors' trust, but engagement spurred by this motivation does not surpass a pragmatic attitude towards data protection and privacy. The communication aims to present a good image regardless of the real effectiveness of data protection measures and related practices.

The second common reaction to scandals is the avoidance of further image damage through the avoidance of any communication about privacy related issues, which against the backdrop of the “accountability” discourse seems to be a questionable strategy. Companies that stay silent about their surveillance projects clearly impact their security technology providers' behaviour. Not only are suppliers less than encouraged to enhance their privacy performance, but they are also asked to keep a low profile. This is in stark contrast to ideas of self-regulation or even building a positive image by stressing one's outstanding privacy performance.

To revisit the findings so far: There are intransparent structures which lead to a certain degree of opacity.

Responsibility is shifted to institutions such as data protection law or data protection officers, quality standards or – as we will point out in the next section – even technology (e.g. PET). The market, which is invocated as a source for regulation by the “invisible hand”, reflects this opacity and is far from constituting a regulative framework. The current market structures do not relay market pressure or incentives towards more privacy protection to the companies in charge. On the contrary, it seems that the regulating power of the security market weakens privacy as a consequence of the actual relationships.

According to our outcomes we face (1) conflicting interests of different actors, (2) a tendency to hold citizens accountable notwithstanding their constrained possibilities to influence or participate security organisations and their clients' business behaviour, and, maybe most problematic, (3) a total lack of representation of citizens/ data subjects and of any information directed towards this group.

The low demand for privacy tools is rooted in the market setup: the clients are interested in (cheap) surveillance technologies, not in citizen rights. It is important to understand the supplier-client relationship here: if we think of clients as those paying for security products and deploying them in their facilities, they provide the demand for security technologies – and are legally held responsible as “data controllers”. The suppliers are security technology producers or security service providers offering their products to this market of clients, e.g. public transport companies, airports, other companies or institutions.

Which role does the citizen, public transport passenger, or employee take on in this constellation? The data subject is a client of the security organisations' clients – or even a dependant, e.g. in an employment relationship. The relationship is thus not always a voluntary one based on market forces. Even if we concede consumers some market power in respect of their choice of e.g. surveilled or non-surveilled supermarkets, their power is very low. Sheer selection forces do not go far here; for example, in order to avoid public transport due to the use of CCTV, one has to opt out of the system and use alternative transportation means. It becomes difficult to walk the streets without being captured by any camera, or even realise in whose space – public, private? – one is moving about and whose camera is watching – so in this case, how can consumers possibly exert market influence by pure selection? Accordingly, the actor we expect to demand privacy – the data subject – is utterly uninformed and cannot easily exert influence within the market of security technologies and services. In a sort of pre-emptive move, many interviewees from the security field hold citizens accountable for infringements of their privacy with reference to the fact that they use Google and Facebook – the great icons of voluntary data deluge – and take part in rebate marketing.

This attitude suggests that “the horse has already bolted” and is combined with an affirmation of consumers' choice. The assumption that ICT users themselves generally lack privacy awareness is both implicitly and explicitly mentioned, often alleging a generational difference and genuinely new culture of “digital natives” that knows no privacy concept. At the same time the public's and citizens' demand for security is taken for granted and articulated over and over e.g. when it comes to security on public transport where violent events receive a lot of media attention.

In the current communication of the European Commission, the problem of the citizen's burden of being held accountable is addressed with the claim of enhancing the transparency of e.g. privacy notices, replacing opt-outs with opt-ins, and strengthening the power of the users. However it is questionable as to how internal market regulations can be enhanced to strengthen privacy efficacy when we are facing an utter non-representation of the citizen within the markets. Our findings pertain to the specific case of the security market, but we hold it to be indicative of the general lack of information and transparency when it comes to the much heralded market-based regulation of privacy in other industries (Social Network Sites).

The next question in line, accordingly, was about the current form of communication and branding carried out by security actors. In WP4, the project partners collected and analysed empirical material such as brochures, websites, photographic evidence of public signage and of industry fairs and other instances of company self-presentation. The overall result of this analysis was that, again, privacy is hardly addressed, and if so begrudgingly and in widely divergent ways. The more dominant lines of symbolic representation we found were the following.

The technology-oriented convergence or network paradigm discourse we identified in WP2 is widespread in visual and textual communication about security by companies. In general, high-tech is advertised heavily and with sophisticated visuals and metaphors. Complexity, nature, and slick surfaces rule the technological imagery. The “technological fix” must be understood as part of the modernist dream to exercise control over all aspects of life in order to reduce uncertainty and maximize well-being - the dream of cybernetic control. This message must be seen critically since it further black boxes and naturalizes “security”. Social determinants and dynamics of security and its interrelation with other social processes are blocked out when technological fixes focus on fighting symptoms rather than understanding causes. The issues of security and privacy become de-politicized through a technology discourse.

Another aspect of security communication we found is its gendered nature. Promotional material from the industry often reinforces the view that women are a “weaker sex” in need of protection in their homes and routine activities by using phrases such as ‘securing your life’ and ‘enhance security’ alongside images of women (and children) in domestic contexts.

Another commonality to how the industry markets its products is representations of globalization and global mobility. Images of personal and informational mobility as represented by images of business travel or symbols of capitalism such as business centres. Other representations of mobility are less about information security and business management as they are about securing the physical infrastructures that enable large-scale mobility such as airports, seaports, rail transportation networks, and energy facilities, tying directly into the current “critical infrastructures” discourse around risk and vulnerability.

Overall, the picture that emerged from this study was that the industry makes heavy use of a securitization discourse and imagery rather than communicating about privacy, data protection, or other freedom infringements that security measures entail. This reinforces the WP3 results that security actors communicate with only a particular group of stakeholders rather than the general public.

The insights from the empirical research phase shed a critical light on the project's initial premise that self-regulation can be fostered through branding. One result of our research was clearly that privacy communication had yet to be initialised.

PHASE 3: a privacy communication concept

One way to initialise privacy communication is what the PATS project plan had coined “ethical branding” - the strategic communication between companies and their stakeholders. In our understanding, branding is a process, and hence evolving rather than static. A brand expressed through images, logos and value indicators is a cultural artefact that represents a snapshot of this evolution of constructed meaning. The meaning of a brand is co-constructed by a number of actors who take part in creating, perceiving and re-defining a brand.

The general term “ethical” branding which we use refers both to the quality of the branding process – communication – and the content of branding – privacy. The idea of an ethical privacy-aware brand is one in which structures and sub-processes are incorporated or changed so that awareness, commitment and discourse over privacy impacts can intervene in the branding model. More specifically, in the security sector this means that citizens get a chance to enter the branding discourse amongst security providers and clients.

The PATS concept for ethical (privacy) branding consists of an ideal model composed of a number of graded dimensions. Each dimension ideally builds on the preceding dimension so that a roadmap for long-term development can be formulated on their basis. Each dimension is a continuous rather than discrete concept, and for now these dimensions are left as qualitative concepts, though it is conceivable these could be converted into quantitative variables in the future. The concept is thus intended to be used as a blueprint by security companies who wish to work towards privacy aware practices and communicate about this.

The dimensions of an “ideal ethical brand” reflect the normative goals of enhancing transparency and accountability. The core of the model consists of developing measures and instruments of privacy awareness and privacy practice in the security organisation. This has then to be communicated and finally efficiency of privacy enhancing practices needs to be confirmed by audits. We have condensed these normative goals into a number of dimensions that define the shape of an ethical brand:

Dimensions of Privacy Branding:

1. Reflexivity

In the context of branding and communication in organisations, we understand reflexivity as the more or less developed capability of an actor to reflect upon their activities/behaviours and to alter them in relation to how they impact others. With regard to privacy accountability, reflexivity can be seen as the basic condition for even rendering an account. In the concept of ethical branding, reflexivity thus represents the most basic dimension: the higher the organisational reflexivity, the better the conditions for accountability.

2. Information Availability

This second dimension refers to an organisation's efforts to make statements about their privacy awareness and standards publicly available. This is closely related to the material that constitutes the dimension of reflexivity, such as internally-oriented documents, reports, etc. Availability, however, refers to material that is specifically oriented towards an external audience.

3. Communicability

In contrast to the mere existence of the material captured within the dimension of Information Availability, Communicability refers to the extent to which an actor enters a two-sided communication process about its privacy commitments with others.

4. Action-ability

Whereas communicability measures the quality of the communication loop between the security field (private and public actors) and citizens, action-ability is a dimension we use to focus the impact or outcome of these communicative acts. Impact is understood in terms of changing the behaviour – attitude or actions – of the security actor. In other words action-ability focuses on the outcome of communication acts, e.g. the integration of citizen feedback into technology development.

5. Testability

This dimension is the fulcrum point of the above dimensions. Testability refers to processes by which a security actor is open to the audit of the impact of their products/service/business on personal privacy by external actors. Internal reviews are a step in this direction but fully independent, third party reviews are more robust. Ideally, such processes will be proactive and pre-emptive.

→ Materialisation

To sum up, the dimensions build on each other to materialize a process of communication and action that takes place within a company and in relationship with its environment. Materialisation is vertical to the other dimensions and measures the results of Ethical Branding based on the indicators of the individual dimensions.

In a last step, we relayed the above privacy branding concept to security and privacy experts as well as policy experts in order to include feedback and formulate policy recommendations. The cross cutting issues with privacy branding are the following. The main barrier to privacy branding is the lack of incentives (legal or monetary). A clear policy recommendation that is recommended by all PATS partners is the need for stronger regulatory regime with more effective enforcement. This seems at odds with the initial self-regulatory approach, but in fact seems to be a precondition for the emergence of self-regulatory activity in this sector. A stronger regulatory regime that is in tune with current technologies and ethical norms will provide the needed value for privacy that is so lacking at present. If properly enforced, such regime may also provide strong incentives for innovators in the security industry to start practising privacy branding and influencing others to adopt such practices.

Privacy standard and certification schemes seem to be important for starting self-regulation procedures in the security industry, once the regulatory regime is crystalized. A national standard is needed to prevent a situation of multiple competing standards that may not be viewed by the public as important enough. A common certification scheme will distinguish organisations that have good privacy practices and comply with the national standard from the rest and foster privacy branding.

Another recommendation from PATS partners relates to public procurement of privacy-respecting technologies. The government is a very large player in the security industry, and a significant share of video surveillance (and biometrics) infrastructures are purchased by government. Once government will condition procurement on complying with privacy standards, the security industry will have to take notice and eventually also engage in privacy branding practices. PATS partners recommend using Privacy Impact Assessment (PIA) and Privacy by Design (PbD) procedures in situations where new video surveillance and biometrics infrastructures are planned to be deployed.

In order to increase the awareness of the public and the security industry, privacy campaigns and awards schemes are recommended in most countries. In such campaigns it is also recommended to involve opinion leaders and influencers in order to speed the adoption process of privacy branding.

At the EU level of regulation, now that the new approach to data protection in the EU is becoming clear, this may serve as a guideline for the security industry for co-regulation and privacy branding.

The newly proposed legislation even calls for further self-regulatory activities to be practised in relevant industries (e.g. codes of conduct and certification). The proposed General Data Protection Regulation (GDPR) lays out a number of measures that directly support and provide incentive for the PATS privacy branding model. Examples are the calls for Privacy by Design, for Transparency Enhancing Technologies, and for certification schemes. In the WP7 report, we have matched the GDPR articles with our communication concept in detail. As for industry guidelines, it is highly recommended to develop GDPR guidelines for the security industry, so that European security organizations will be able to implement the law to the best of their ability.

In conclusion, the PATS project has provided insights about the security sectors and actors in the partner countries Germany, UK, Poland, Finland, US, and Israel, as well as at EU level. The project has collected and analysed empirical data on privacy awareness and practices in security organisations as well as their symbolic self-representation and communication activities. In its conceptual phase, the project has produced a generic model for privacy branding, understood as a two-sided communication process that directly impacts organisational practice. The branding model can be used as a blueprint for organisational development by companies who wish to enter the discourse. Policy recommendations have been articulated in order to create a framework that is conducive to the implementation of our self-regulation concept.

Potential Impact:

Impact in the scientific and expert community:

The conversations we engaged in were patently sobering with regard to the current self-regulation cheer, and the PATS project's own premises for seeking further, market-based, self-regulation. These findings emerged in parallel with the publication of the Article 29 Working Party's Opinion 3/2010: “On the principle of accountability”. The accountability principle described seemed to uphold the idea of self-regulation while trying to take into account the problematic gap between a kind of idealised theory and far messier practice of data protection through self-regulation. While the idea of “regulated self-regulation” is not new, and the principle of accountability has also been discussed for some time, it seemed clear in the Article 29 Working Party Opinion that there was a need for change – and a need for a concept that could help bring this change about. We felt that bringing accountability to the fore held great promise, both analytically for thinking through new ideas of data and privacy protection, and for bringing the community together in renewed discussion. We decided to use our first PATS project conference targeted at the scientific and policy community around privacy and data protection to provide a space to discuss “Privacy and Accountability” (Berlin, April 4-6, 2011). The fact that Priscilla Regan, Charles Raab, Colin Bennett, and Paul de Hert did not hesitate to give keynote speeches when invited and consequently developed their ideas into contributions for an edited book showed that we were indeed on the right track. The edited volume is to be published at Palgrave Macmillan in fall 2012 and has been titled “Managing Privacy Through Accountability.” Edited by Guagnin, Daniel/ Hempel, Leon/ Ilten, Carla/ Kroener, Inga/ Neyland, Daniel/ Postigo, Hector, all members of the PATS project, it is an original PATS result.

The coordinator stayed in touch with participants of the first conference, in particular with Paul de Hert and Serge Gutwirth, who are prominent law professors in the field in Belgium. We collaborated over the course of the project and especially for the second PATS conference, which was renamed into “Communicating Privacy”. This reflects the initial understanding of branding as an instance of communication and the insight that a main barrier in the effective implementation of privacy enhancing measures is the lack of communication. Since the established “Computers, Privacy and Data Protection” conference took place near the intended date of our conference, we joined forces with the organisation committee and were given two panels for our own organisation and dissemination. The panels were divided into one focusing on “communicating privacy in organisations” and one on “communicating privacy into societies”. The presented results from the PATS project were met with wide interest from the participants and the prominent conference organisation committee. Besides brochures and posters we also produced a gadget for the conference which was distributed during the panels. The gadget consisted of so-called “black bar glasses” which had been branded with a sticker showing the PATS website address. The gadgets – an humorous take on the privacy discussion – attracted a lot of attention and induced conversation. The PATS project could thus practically show one of its tenets: the privacy discourse needs some relaxation so that more people can get involved.

Over the course of the project, partners managed to publish on their field studies regarding privacy awareness as well as on related analyses. Publications included peer reviewed journals, sector specific journals, and edited volumes. A series of newsletters has been published to communicate the progress of the project and announce important dates, next to an up-to-date website where reports can now be downloaded.

Impact in the security sector and policy field:

The PATS project has had a double agenda from the outset: not only is it a research project that has prepared original analysis about privacy awareness and practices in the security sector, but it also pursued the constructive goal to raise awareness and improve privacy practices through communication. The main conceptual contribution of PATS toward this aim is the privacy branding model developed in its third phase – a blueprint for organisational behaviour and development with regard to enhancing privacy awareness and communication. The model's eventual uptake by companies and hence impact is hard to assess at this early point, but communication between project partners and security actors and experts has been intensive as will now be shown.

From the very beginning of the project, PATS involved security actors, data protection authorities and experts through its interview series, workshops and conferences. Contacts from field work were kept up and project results were continuously communicated. Over the course of two and a half years, a diverse network could be built around the project across security service providers and clients, technology producers, consultancies, and associations. With regard to contacts in the security sector, each project partner developed their own network depending on local context, some with more ties to security providers, others with intense relations to clients.

One of the main impacts, of course, of conducting interview series concerning privacy and data protection awareness is that awareness is generated. A total of more than 100 actors were directly engaged in conversation with project partners on their companies' privacy practices or the sector as a whole. Some security company representatives showed interest in more active communication and branding. In the most progressive case, a workshop was held with a large security client in order to delineate a CCTV policy together with other experts, authorities, and activists. In some countries, relationships with data protection and privacy activists and consultancies were created and ties were created between these “privacy demand” actors and the security sector. So the PATS project directly tackled the missing links identified in the security market relationships in WP3. It contributed to the slow but sure emergence of a privacy and data protection consultancy market.

List of Websites:

http://pats-project.eu/

Leon Hempel
Fon: +49 (030) 314-25373
hempel(at)ztg.tu-berlin.de
Zentrum Technik und Gesellschaft
Sekr. HBS 1
Hardenbergstr. 16-18
D - 10623 Berlin
Tel.: +49 (030) 314-23665
Fax:+49(030) 314-26917