Final Report Summary - IRISS (Increasing Resilience in Surveillance Societies)
Executive Summary:
IRISS set out to analyse the effects of surveillance for European societies. In doing this, a dual analytical perspective was applied. On the one hand the state of the art in theory and research was synthesized to provide an assessment of the present state of surveillance in Europe. On the other hand IRISS put a focus on the view from the citizens, trying to understand how they perceive of and react to comprehensive surveillance in their daily lives. Taking both perspectives together produces a comprehensive account of the present state of surveillance in Europe and opens a number of options for resilience. The key findings of IRISS can be summarized as follows:
• The effect of increased surveillance in fighting crime and terrorism could not be established. While Law Enforcement agencies are collecting, storing and processing more and more person-related information a significant effect of such increased and intensified surveillance cannot be established. On the other hand, the increase in electronic data processing creates new opportunities for criminal behaviour, discussed under the heading of cyber-crime.
• When discussing the rise of the surveillance society the activities of the private sector and commercial actors have to be included. Under the regime of electronic consumerism citizens as consumers are exposed to a data collection regime often more intrusive than any surveillance by public authorities.
• Legal regimes governing the use of person-related and other types of information for surveillance are scattered and law lags behind technology. Concepts like privacy have to be re-defined in a technologically mediated surveillance society.
• Comparing different surveillance practices across Europe reveals a wide array of differences. Legal and administrative regimes to govern surveillance in individual countries should be harmonized, based on those cases providing the highest level of protection of citizens’ rights. Subject access rights are enforced unevenly across Europe.
• Citizens perceive and react to massive surveillance in very different ways. While being aware of surveillance practices they often do not openly resist or take counter measures. Trading in personal data for services as consumers is seen as a legitimate exchange by a majority of Europeans. A more critical view towards surveillance emerges when the potentially negative effects of surveillance measures are experienced immediately at a personal level.
• Resilience towards surveillance rarely takes on the form of active resistance against new and more encompassing surveillance measures. What can be observed is adaptation to the fact of being surveilled while at the same time citizens show a high level of awareness about the data collection they are exposed in their daily lives as consumers.
• An informed public debate about the fact that European societies are sleep-walking into the state of surveillance societies should be launched pointing to the multiple effects of the gradual transformation of citizens into techno-social hybrids, continuously linked to massive data-processing systems, shaping their range of action as consumers and citizens.
Project Context and Objectives:
The IRISS projected was located in the SSH programme and thus could adopt a broader perspective reaching beyond the focussed, mission-oriented approach pursued in the security research programme. Bringing together scholars from across Europe, covering a wide array of disciplines, from sociology and surveillance studies, legal and political science in the research consortium IRISS was following a multi-disciplinary and multi-dimensional approach in the analysis of surveillance and the challenges it poses for open and democratic societies.
While many debates about surveillance focus on the instrumental effects in the context of fight against crime and terrorism or take a critical stance, measuring the impact of surveillance on entrenched legally defined fundamental rights to privacy, IRISS chose an approach that was broader, taking into account also the perspective of lay citizens at ground level and wider societal effects of increasing surveillance. Understanding what it means for ordinary citizens to live in a surveillance society was one of the main objectives of IRISS. While a number of studies, based on large scale survey research have investigated the general attitudes of European citizens towards different surveillance measures (mostly by public authorities) very little is known about the ways citizens handle surveillance in their everyday lives. In doing this IRISS looked at the effects of surveillance performed by law enforcement and by private commercial actors alike.
While much of the critical debate about surveillance looks at data collection done by police and security agencies, as could be seen after the Snowdon revelations, relatively little attention is paid in critical security and surveillance studies to surveillance emerging as a side effect of what we termed “electronic consumerism”. The effects of this form of non-state surveillance have to be investigated with regard to citizens’ fundamental rights of informational self-determination in the same way as state-based forms of surveillance. The intrusiveness of so-called customer-relation-management programmes, applied in the realm of electronic consumerism by far outweighs standard data-collection practices by most Law Enforcement Agencies. Surveillance in the commercial realm fosters processes of social sorting without consumers being aware of the fact they are categorized based on information collected about their activities involving the Internet. Entering into a transaction with a retailer on the Internet customers have to accept “terms and conditions” of the company by ticking a box and only in very rare cases they read the long and complex documents, detailing the data processing practices they accept, when agreeing with ticking the box.
One of the main objectives of the IRISS project was to identify what could be called deep-structural changes of European societies, once they begin to transform themselves into surveillance societies. Being linked to a myriad of databases creates a new socio-ontological status of citizens as techno-social hybrids. The definition of what it means to be a citizen, a consumer, or a full member of society entails data processing and identification of person-related information in remote electronic files, involving information often not accessible by citizens. Humans have to become machine-readable to enjoy the status of citizens, customers and consumers in surveillance societies. The IRISS project set out to follow the social, legal, and cultural ramifications of these deep-structural changes.
To understand such processes requires a close look at societal processes and the daily actions of citizens and at the same time conceptual work, screening the binary concepts of privacy and public sphere rooted in political and philosophical thought of pre-electronic times to adapt them to the emerging new conditions of cyber-space.
Developing a comprehensive perspective towards the effects of massive surveillance requires a critical analysis of the debates in legal and political theory to determine how surveillance affects fundamental human and political rights. At the same time the costs of surveillance have to be investigated in different dimensions, last not least the monetary costs of acquiring, implementing and maintaining surveillance technologies in different domains. IRISS set out to conduct such an analysis, synthesizing theoretical debates and analysing the costs of surveillance.
When looking at the effects of massive surveillance on the political processes in democratic societies, a number of very fundamental questions have to be addressed in the analysis. Surveillance can create informational advantages for some actors in the political process while others may have no access to privileged knowledge. This produces the transparent, machine-readable voter, who can easily be manipulated. On the other hand easy access to knowledge and information through the spread of electronic means of communication puts citizens in a position to make them independently knowledgeable about contested political issues and to organize horizontal debates about relevant political issues.
Weighing the positive and negative effects of increased electronic communication is not an easy task and IRISS, putting an emphasis on surveillance was focussing more on the negative implications and effects of these new technologies creating surveillance effects. The question though is to what extent the obviously negative effects of surveillance can be curtailed or at least, if surveillance is deemed unavoidable, if they can be justified from a rational position of law enforcement reasoning. These kinds of questions were addressed in a cooperative endeavour with two other projects, investigating the effects of surveillance from a different analytical angle. Both of these projects, SURVEILLE and RESPECT were funded under the security research programme in FP7 and were addressing similar questions, looking at the effects of surveillance on society, though from different theoretical perspectives. All three projects started at the same time. During the negotiation phase before the beginning of the project it was agreed with the Project Officers to set up a joint platform to exchange ideas, results and papers and to create synergies among the consortia. Each coordinator joined the project meetings of the other consortia and all three projects organized a joint final event in Brussels at the end of the projects’ life cycle, bringing together the members of the three consortia with an audience of law enforcement experts, scholars and policy makers to present and discuss their findings. Looking at this cooperation between the three projects from the perspective of the IRISS consortium one of the main contested issues is the effectiveness of surveillance. Can the effects – positive and negative – of increased surveillance on modern societies be measured or assessed in a transparent, rational way, based on independent empirical evidence? While SURVEILLE and RSPECT both produced valuable ideas for such an assessment the question still remains, how a society as a whole can control its own path of development in the face of the eminent changes increased surveillance brings about.
From the perspective of the overall approach taken in the IRISS project this question cannot be left to the experts in law enforcement, intelligence services or industrial system providers. It has to be brought back in a reflexive political move to the public forum. While this may sound rather abstract it can be broken down into operational ideas of how the effects of surveillance can be deliberated and critically analysed by those who are affected by it, i.e. by the citizens. Such an approach aims at enlightenment in the classical sense, which as Immanuel Kant prominently put it can be defined as “man’s emergence from self-inflicted immaturity”. One of the main strategic objectives of IRISS was to address not only the many relevant expert communities of political scientists, privacy scholars, lawyers, data protection experts, etc., but at the same time to involve policy makers and a broader public into the process of research and communication.
Such a strategy cannot be limited to dissemination activities and the communication of findings produced in the research process. It affects the overall approach taken in the project. As mentioned above IRISS set out to cover the realm of academic discourse and the life world of European citizens alike. Giving citizens a voice in the debate about the effects of surveillance on democratic societies entails more than running large-scale surveys eliciting aggregated views on pre-given fixed choice questions. While this approach has its merits it rarely touches the level of mundane and everyday problems and perceptions where the multiple effects of surveillance technologies unfold to gradually change the everyday life of ordinary citizens. Addressing the “big” societal problems of data-protection, privacy, human rights and mass surveillance by intelligence services is a necessary part of the analysis, but leaves out the “little” problems encountered by citizens using a mobile phone, a loyalty or credit card, booking flights and buying goods using the Internet or moving in public space while under surveillance from a CCTV camera. Understanding and documenting the many minuscule effects of modern data producing technologies on routine activities in a surveillance society, populated by techno-social hybrids, requires a different methodological approach. Citizens rarely use concepts like informational self-determination or subject access rights to talk about their experience with new technologies. Often they do not reflect in greater detail about the impact these technologies have on their lives. When framing the problem in terms of privacy, surveillance and fight against crime an terrorism, i.e. using the vernacular of standard media discourse after Snowdon, the typical response is based on the standard reasoning captured in the popular phrase that s/he who has nothing to hide has nothing to fear. However at the level of everyday life citizens rarely weigh such questions of national security or fight against organized crime and terrorism. The interface of the everyday citizens with surveillance society can be studied at the workplace, in public space, in encounters with public bureaucracies, while shopping on the Internet or when signing a contract with a mobile phone provider. These kinds of hands-on situations at ground level have to be considered to fully understand the breadth and depth of the workings of pervasive surveillance in contemporary societies.
This overall approach of linking the big policy issues with the little mundane problems of living in surveillance society also has an impact on the understanding and conceptualization of resilience. Resilient reactions can be discussed at many different levels and the preparedness to take adequate measures to increase resilience can be assessed. At the level of structural and policy processes it is obvious that more democratic oversight and control are required before surveillance regimes are extended and new surveillance technologies are implemented. In particular a better regime of assessing the presumed effects of surveillance is required to determine whether surveillance works as intended. At the level of lay citizens such policy measures often do not resonate. This could nicely be demonstrated in the results of citizen polls following the Snowdon revelations (which happened while the IRISS project was running). While the results of these polls in Western societies show mixed results it turned out that a substantial number of citizens seemed to accept the encompassing surveillance regime established by national intelligence services in cross-border cooperation. A different picture emerges when the potential effects of surveillance that are closer to home, i.e. affecting everyday routine activities of citizens are introduced. Resilient reactions creating a change of daily routines are more likely to happen, when citizens experience effects of surveillance themselves. Such effects can include cases of cyber-mobbing at the level of horizontal surveillance or the refusal of credit by banks based on credit scoring. Generally speaking citizens are more willing to show resilient reactions when they experience the practical consequences of the manifold ways of social sorting, giving them differential access to goods and services. Resilience has to be investigated and strengthened at many different levels, from policy and legal regulations to raising citizens’ awareness about surveillance being a part of their daily lives. Raising public awareness is a precondition for changing public policy with regard to surveillance in democratic societies. IRISS attempted to demonstrate this full circle, analysing how public discourse and political activity are affected by surveillance measures and how this again in a reflexive way has an impact on the capacity of modern societies to remain their democratic structure and process through a robust, active and enlightened discourse among citizens, addressing the fundamental question: what kind of society do we want to live in?
Project Results:
Preface
The IRISS (Increasing resilience in surveillance societies) project was designed to address surveillance and resilience from two analytically different perspectives: the observer’s and the participants’ perspective on surveillance and democracy inform our research. The first perspective generating a comprehensive analytical framework on surveillance, democracy and resilience was in the focus of first half of the project. The work during the fist phase of IRISS is documented in the book “Surveillance Industry in Europe” edited by the IRISS co-ordinator Reinhard Kreissl and David Wright. The book was published by Routledge in 2014. In the second phase of IRISS, the research conducted procured a complex, multidimensional data set covering a wide variety of different types of societies. This was achieved by three different empirical research approaches. Overall IRISS was aiming at the following five research areas and has produced a large variety of scientific reports drawing upon a rich dataset of empirical evidence on surveillance in Europe. All reports can be downloaded from the project’s website: http://irissproject.eu .
Five main S & T results outlined by the IRISS project:
1) Analytical framework: Analysis of the surveillance industry in Europe.
2) Watching the watchers: a case studies approach on different surveillance practices from across the EU
3) Living in a surveillance society: Investigating citizens’ perceptions towards surveillance in different EU member states
4) A stress test on the right to subject access requests as a cornerstone of the European data protection law: Accessing personal data, documenting and analysing the outcomes in different member states of the EU.
5) Increasing resilience in surveillance societies.
1) Surveillance industry in Europe
Surveillance is (and has always been) a normal element of modern society. Registering and identifying citizens began in the 18th century and was an important prerequisite for a modern centralised government. The data was necessary for taxation, provision of public infrastructure and the modern welfare state. In the 19th and early 20th century, surveillance became an important element in industrialism’s division of labour. In the post-industrial age, information and surveillance have become a lubricant of the information society. Histories, culture, legislative legacies, administrative rules and procedures, and vested interests, all play a role in shaping the use of surveillance technologies.
Surveillance seems to make life more predictable and calculable. It synchronises behaviour and provides a platform for social interaction in a modern, anonymous world. These are useful things, but the belief that greater surveillance can overcome problems such as the incompleteness of information or the partiality of abstraction is a dangerous delusion. Most of the examples from the different historical periods show that each useful application of surveillance also bears the danger of totalitarianism. Information and its use create an even greater need for information for even more beneficial purposes. The naïve thinking that those “who have nothing to hide, have nothing to fear” and that people “would be happy to give up a little privacy in return for more convenience, security, etc.” leads to a situation where the abuse potential exceeds any real or perceived benefits. In the current scenario, it is an illusion to believe that one can erase personal information stored in a networked system.
There are numerous open questions about the usefulness and effectiveness of surveillance technologies and their possible rebound effects, specifically in relation to surveillance measures introduced to fight terrorism and organised crime without knowledge of their effectiveness and consideration of their negative side effects (such as false positive matches, the inversion of the presumption of innocence, and costs of intensified security checks). The question of what impact greater surveillance has on an open society is still under debate. While counter-surveillance movements show that citizens are not always willing to follow the rationale of government agencies and industry, the case of surveillance cameras illustrates that citizens are gradually becoming accustomed to these measures.
Based on our findings, and given the economically significant role played by the European surveillance industry, overall, we recommend a cautious approach in any actions or measures to regulate the surveillance industry to avoid undue competitive disadvantage. At the same time producing technologies that qualify as privacy enhancing while at the same time meeting functional requirements can be considered to be a competitive advantage.
Europe requires a multi-level strategy to address surveillance concerns and strengthen resilience. Hence we recommend that industry associations (which our research reveals are powerful entities) are taken on board in the discussion about societal security and included to enhance the effectiveness of resilience. Industry associations can regulate their members to a reasonably good degree and can develop surveillance-related guidelines and codes of ethics, foster greater corporate social responsibility practices, develop standards for privacy enhancing technologies and so on.
Strit legal trade regulation might be the most effective solution to help curb the sale of surveillance solutions to non-acceptable entities and third countries.
Greater transparency and accountability for the surveillance industry might come through the adoption of mandatory privacy impact assessments (PIAs) or surveillance impact assessments (SIAs) and through the development of standards and certification requirements for surveillance technologies.
There is a need to officially recognise the increasing privatisation of state surveillance, the emergence of a security-industrial complex, and its impact upon society. Civil society organisations and academia also have an important role to play here (e.g. in recognising detrimental effects, keeping a watch over the impact of new technologies and acting to maintain democratic oversight).
Finally, there is a need to establish multi-stakeholder platforms or forums and even a European surveillance industry observatory (either within existing platforms or as a new initiative) to continuously monitor the industry.
Our analysis of the impacts of surveillance on civil liberties and fundamental rights yielded several provisional themes and findings:
• Surveillance technologies and practices have an actual or potential impact (mainly negative, but sometimes positive) upon a wide range of individual and trans-individual rights, freedoms and values.
• The effects of surveillance go beyond those that concern individual privacy, dignity, autonomy, and the presumption of innocence, and can also be seen in terms of a number of dimensions of social and political life.
• There are gaps and deficiencies in the law and in jurisprudence as they struggle to keep pace with technological development and institutional practice, especially in an online environment and in a political climate asking for enhanced repressive measures from law enforcement and counter-terrorist policy.
Discussing the impact of surveillance on a host of rights and values, and the impact of rights and values on surveillance requires conceptual disaggregation and clarity, detailed and systematic analysis, and empirical evidence. The degree to which all these desiderata are currently available is uneven, but our analysis of the impacts of surveillance on civil liberties and fundamental rights has shown how they can be brought to bear on a subject that is sometimes ambiguous (e.g. the concepts of privacy and surveillance) and sometimes not easily amenable to reliable empirical research (e.g. social and psychological effects of surveillance), but with reasonable prospects of making subsequent judgements about the resilience of societies in the context of surveillance societies.
Data protection authorities (DPAs) as external overseers and regulators typically focus on privacy-related implications of surveillance and find it difficult to embrace a wider perspective of values in their regulatory exhortations and enforcement practice. The laws within which they operate do not normally give them a licence to roam across the range of values to invoke when they seek to limit surveillance.
Thus, there is at least some indication that, amongst regulators, a broader sense of values, rights and freedoms, and/or their close relationship with privacy and data protection in a stricter sense has been recognised as important in the oversight of surveillance. Surveillance has a demonstrable effect on individuals or on categories of persons, and not only on their privacy, but whether this toehold of recognition of a wide array of rights, freedoms and values in data protection and privacy oversight is broad enough in practice to counter the wide-ranging effects of surveillance is not certain.
In the following sub-chapters of this report we have summarised the findings of our empirical research conducted in the IRISS project from 2012 to 2015.
2) Watching the watchers – the IRISS Case Studies
A series of case studies was conducted examining three surveillance practices from the perspectives of the watcher and the watched in different European countries. Case studies were defined in terms of the surveillant relationship: whether it was between the state and citizens, the private sector and citizens or citizens and citizens. The central finding is that increasing resilience to surveillance in Europe begins with increased public – and institutional - awareness of its harms and its benefits. For the watchers - those organizations in whose favour surveillance was deployed - surveillance produced several benefits. These benefits included better risk management and traffic law enforcement which has almost made the watchers immune to recognising that any harm may arise. Nevertheless, activist groups and the media have been working hard to highlight the harms associated with specific instances of automated number plate recognition (UK, Slovakia, Belgium), and credit scoring (UK, Norway) but changes in governance are also needed to limit the effect of those harms. The following chapter will review the results from the three case studies conducted in IRISS on ANPR, Credit Scoring and Neighbourhood Watch. Looking at different countries revealed a wide array of best (and worst) practices in the regulation of surveillance measures.
2.1) The cases: Automatic Number Plate Recognition
Automatic Number Plate Recognition, or ANPR, is a surveillance practice in which digital CCTV cameras capture images of vehicle registration plates. These images are then matched to government vehicle licensing and other databases which contain information pertaining to the ownership of the vehicle, whether it is insured or whether it has been marked as suspicious in any police investigation. ANPR is also used to administer car parking and road toll charges. Users of ANPR are thus not only public bodies such as the police, city and regional municipalities and national bodies.
ANPR resulted in some harms against which policies to promote resilience need to be formulated. The case studies found evidence that use of ANPR had in some cases circumvented and breached the rule of law, compromised rights and had raised serious privacy issues. However In Slovakia the situation caused economic and environmental harms. In an effort to avoid the economic losses imposed by road tolls, Slovakian truck drivers had taken to driving on smaller roads and affecting the quality of life for the villages which along those roads. In the ANPR case, with the exception of Germany, where a constitutional court ruling limited the use of ANPR data, very little engagement of the public was evident. This was because there is a lack of consistent regulation and signage, low levels of general media coverage and low engagement of data protection regulators with the practice. In respect of its very significant harms we observed different levels of governance which lagged behind technological capabilities.
2.2) The cases: Credit Scoring
Credit Scoring is a surveillance practice whereby financial services companies who are lending money calculate the creditworthiness of their customers. A customer’s credit score helps to determine whether a loan should be made and the interest rate that is offered. Different financial institutions operate different credit scoring models. Factors such as the amount of credit already accumulated; late payment history; percentage of total credit in use; mortgage account; age of the applicant; employment history; length of time at an address – all this information is determine risk levels and assess the viability of the application. Nevertheless, lenders are keen to stress that lending decisions are not made solely on credit scores, factors such as the type of loan sought, the reason for the loan and the likely profitability of the loan are all influential. If the customer has had prior business relations with the lender, the type and history of that customer relationship is assessed. Lifestyle information, as represented in Experian demographic profiles, may also be used.
The harms associated with credit scoring stem from its role as an administrative tool for financial services organizations. This highlights how this form of surveillance is explicitly part of a management process with little legal regulation and also is subject to administrative errors. However evidence was also uncovered of bank and legal staff abusing their position in relation to this sensitive financial data (in Austria and Hungary). Similarly its location in the commercial sector meant that some unscrupulous organizations exploited credit scores, to facilitate the lending of money to customers who could not afford it and were financially illiterate (UK). Overall this points to a problem with transparency and with the operation of the rule of law in relation to credit scoring (particularly in Italy, Hungary, and Austria).
The distributive justice aspects of credit scoring and its ability to delimit economic prosperity were noted in the UK and Norwegian cases particularly. With the exception of Norway and the UK, there was minimal public engagement and low public awareness of the practice. The first issue to solve is the public’s awareness of and access to their own credit scoring data. While this is widely available in the UK and Norway, this is not the case in Austria, Italy and Hungary. Increasing transparency and accountability of financial institutions in relation to credit scoring data again could be instantiated at European level. Other countries could learn from the best practice Norwegian model, which places DPA at the heart of credit scoring and invests genuine powers in the courts to hear citizens’ complaints about credit scoring practices. Following the credit crunch, demand for credit is now increasing across Europe and institutions should take this opportunity to inform consumers of their rights. Controversies associated with credit scoring appear in all countries involved in the case study, but in some cases the media have been slow to react, resulting in ill informed consumers and unaccountable, intransparent banking policies.
2.3) The cases: Neighbourhood watch
Neighbourhood Watch (hereafter NW) is conceptualised in this project as a ‘horizontal surveillance practice’ where citizens watch each other. In the Anglo-American tradition, Neighbourhood Watch comprises informally organized local neighbourhood groups looking out for all kinds of wrongdoing, in the spirit of community safety to assist the police. However, these kinds of social practice take on a completely different kind of significance in European countries which have had fascist or authoritarian pasts. In this case study we explored the operation of ‘neighbourhood watch-style’ schemes in Austria, Germany, Spain and the United Kingdom.
Core stakeholders in Neighbourhood Watch are all citizens who may be the subject of surveillance by neighbourhood watch ‘schemes’. This includes suspicious persons and citizens who are critical of neighbourhood watch. Similarly citizens’ property is a key target in the schemes. As discussed in the previous section, watchers are very diverse in character. They include neighbourhood watch volunteers who operate within official schemes, as well as police sponsored schemes, formal and informal community groups.
Typically peripheral stakeholders are found at a variety of institutional levels and include those who promote particular local developments and community safety strategies (including National and European institutions), community safety and crime prevention charities, political organizations, mass media who report on neighbourhood and social media which facilitate the sharing of information in schemes, residents associations and trading standards associations concerned with catching ‘rogue’ tradespeople.
A number of harms emerged, some more significant than others. Privacy was a relatively minor issue associated with the schemes’ use of online and social media. The cultural and social significance of surveillance was far more powerful and generated strong sentiment towards NWP as a community safety idea (in Austria, Germany, and Spain). In these cases such horizontal surveillance processes became controversial because as well as creating unpleasant links with the nation’s past, it was feared that such schemes would present opportunities for extremists of all political colours. The presence of NW-like organizations fostered a stigmatisation of particular spaces and tended to victimise those who were perceived as the ‘Other’ in the community. It also challenged policing authorities who, at a community level, tread a fine line between too-little or too-much intervention, leading to a rise in feelings of insecurity if crime appears to be increasing. Neighbourhood Watch is a special case in that, with the exception of the UK, it has developed outside the remit of law enforcement institutions. However the experience of NW in the case study countries is simultaneously an example of community resilience and community breakdown. In an attempt to create community safety its harms stem from frustration with ‘the other’ and insecurities in relation to community policing. The British example, with minimal regulation and a caring focus, shows how NW can succeed without the deep levels of mistrust and unpleasant associations which stem from authoritarian pasts in many continental European societies. The community reaction to Neighbourhood Watch in Austria, Germany and Spain demonstrates how those societies have become resilient to the surveillance they suffered at the hands of authoritarian and fascist governments. Improved relations within communities as well as between communities and police would further strengthen this resilience. Frustrations with a low police presence as a result of funding cuts (among other things) point to how this surveillance practice is intertwined with public resourcing issues. Whilst it is inevitably difficult to prioritise resource deployment in the current public financial climate, it is always important for police to be connected with the communities they serve.
2.4) Summary of Findings of the IRISS case studies
IRISS examined democratic intersections with the different surveillance practices using three concepts: governance, participation and engagement.
Governance: refers to the manner in which the surveillance practice is regulated and the extent to which different parties comply with regulation.
Participation refers to the extent to which the surveillance practice and its outcomes are co-determined by watcher and watched and wider stakeholders.
Engagement refers to the depth of personal interaction with the surveillance practice and the centrality of that interaction to the strategies of organizations and governments.
Within the ANPR case IRISS found variable forms of governance, ranging from top down constitutional governance within Germany to minimal governance in the United Kingdom. Stakeholder participation was very limited apart from Germany where a constitutional court ruling limited the processing of data collected by ANPR cameras. There is also low public engagement with ANPR, partly because regulation has not yet caught up with practice and ANPR cameras do not have to be specially signed. It is difficult to know whether one is subject to ANPR or not. There has been some activist and campaign engagement, however, which has resulted in media coverage in all of the case settings.
Credit scoring had strong centralised governance in all cases, given that the financial services industry is regulated at a European as well as at National level. There was variable involvement of Data Protection Authorities (DPAs), however. In Norway the entire credit scoring system was premised on data protection regulations. In the UK credit scoring data are easily available without reference to the DPA. In other countries there was next to no involvement of DPAs. Stakeholder participation is low, although financial services authorities and credit bureaux readily share information to enhance their risk assessment of customers. In Italy financial information is also shared with government for tax purposes. Finally, in Norway and the UK there is high public engagement with credit scoring but in Austria, Hungary, and Italy there is minimal engagement, with the exception of a few court cases.
Neighbourhood watch itself is in principle a democratic idea, premised, as it is in the Anglo American model at least, on active citizenship around local crime and community safety. However it is also premised on local neighbourhood surveillance and in post-authoritarian and post-fascist contexts touches upon historical taboos. Hence, there is low governance, participation and engagement in the three post-authoritarian contexts – Austria, Germany and Spain – we examined.
Credit Scoring, by contrast, is a commercial practice and many of its internal parameters are the subject of commercial confidentiality. Financial services organizations have their own strategies in terms of the customers targeted and risks are managed in relation to those customers. Revealing those to external stakeholders would be regarded as commercially unwise. Credit bureaux, which trade on the analysis of consumer financial data would have similar views. However, given the harms we have uncovered surrounding malpractice and the abuses of power surrounding credit scoring, financial services organizations would need to be given an opportunity to respond as well as this sector would clearer regulatory guidelines associated with credit scoring practices. Greater regulatory powers to control financial institutions in the case of malpractice could improve the situation. Customers should be pro-actively informed about their rights in this domain. Finally, participation in neighbourhood watch is very low apart from in the UK because of the taboos associations NW encounter in post-authoritarian or post-fascist countries.
The main issue with Credit scoring is public awareness of and access to their own credit scoring data. UK and Norway can be seen as good practice cases here. Increasing transparency and accountability of financial institutions in relation to credit scoring data should be instantiated at European level.
When looking at the reaction to Neighbourhood Watch in Austria, Germany and Spain it shoud be emphasized that cultural resistance to this approach can be interpreted as a resilient to surveillance these societies suffered at the hands of authoritarian and fascist governments.
2.5) Conclusions and Recommendations based on the IRISS case studies
The IRISS case studies have highlighted four dimensions of resilience in relation to surveillance. These four dimensions were derived from the position that surveillance is deployed to counteract harm, threat and risk, but that it simultaneously has harmful, risky or threatening consequences.
Surveillance as a strategy to counter risk produces two types of resilience:
Resilience to and reduction of harm through increased safety and security: When surveillance counters risk or threat in an effective way, increased safety, security and economic prosperity are experienced. The means of surveillance renders society more resilient to threats to security, safety and economic threats.
Resilience to surveillance by understanding its benefits: If surveillance is commonly understood as an effective means of counteracting threat, then it becomes normalised and accepted more readily. Its harms are perhaps more readily accepted and are seen as being outweighed by its benefits.
Surveillance as producing risks, threats and harms:
Resilience and the chilling effect: When surveillance produces harm, chilling effects have also been observed as rights are denied and civic engagement declines. The chilling effect represents a homogenisation and/or stagnation of social, economic and democratic processes, as society puts its ‘head in the sand’, preferring to ignore what is going on. It is a very unproductive type of reaction to surveillance.
Resilience through increased awareness of surveillance and privacy and the development of critique: If different sections of society engage with the harms produced by surveillance, resilience to its harms emerges in critical discourse against such surveillance practices and increased resistance to them. This also includes the discourse on consumer protection, data protection and constitutional law.
These four dimensions of resilience were constructed on the assumption that core stakeholders – watcher and watched (in particular) – would have prior knowledge that they were engaged in a surveillant relationship and knew the terms of that engagement. When the cases were assessed, however, this position was not a consistent one. Given low levels of engagement, it is difficult to suggest that effective democratic mechanisms are in place, at European and at country level, which could mitigate the harmful effects of surveillance in a resilient way. The central finding of this work package is therefore that in order to increase resilience to the harms of surveillance across each case study, increased engagement with the nature and impact of those harms is needed on the part of both watchers and watched. Engagement may be achieved through enhanced media coverage, strengthened freedom of information and subject access procedures, better public (ANPR) and customer (Credit scoring) information and subsequently regulatory powers and scrutiny of the institutions concerned should be increased.
Overall the intersection between surveillance and democracy across the three case studies we have examined is varied. Patterns have emerged which are associated with historical, legal, political, social and institutional factors. At the dawn of the age of Big Data and as social life becomes constituted and reconstituted by layer upon layer of information infrastructures, the local and everyday contexts of our lives become readable and transparent to power. Citizens are transformed into machine-readable techno-social hybrids. To a greater degree than ever before, surveillance processes intersect with and constitute the way in which we get things done. As consumption, communication, security and even democracy is done in this way – we need to question how transparency and accountability re-organize themselves as the traditional and institutional ways in which democratic power becomes enacted become less relevant. Perhaps political activity outside the conventional venues of power – one which focuses on the everyday life of what has been termed “sub-politics” by the late Ulrich Beck, on active local citizenship reflecting the mundane aspects of life would provide fertile ground for alternatives to emerge.
3) Living in a surveillance society
The empirical research in IRISS was designed to investigate the surveillance society as a mundane phenomenon, moulding the everyday life of European citizens. IRISS highlighted how lay citizens perceive surveillance and react to the fact of being more or less constantly exposed to different types of surveillance measures. Surveillance and resilience – two of the key concepts of the IRISS project - cannot be considered household words for the layperson. There exists an elaborate academic discourse about these two concepts, but they are not common coinage in everyday language. Although the revelations of Edward Snowden have received ample response in public media discourse, the complex technical, legal, and political ramifications of programs like PRISM are far beyond the grasp of non-experts. Thus for IRISS it was important to understand the effects of modern technologies and the surveillance capabilities they entail on ground level in everyday life.
Everyday life exposure to surveillance has been investigated through a qualitative in-depth approach which has, as its core, stories or events as primary units of analysis. The underlying assumption of IRISS was that surveillance is an endemic feature of contemporary societies and technology increasingly mediates and shapes everyday life activities. Privacy is not a “default state” but instead it has to be actively created by individuals. In IRISS, stories about citizens’ understanding of surveillance were collected with a specific focus on how surveillance is embedded in social processes and how people comply and/or negotiate with it.
1,000 stories were collected about everyday encounters with technology in five European countries (Austria, Germany, Italy, Slovakia and the UK) through 300 interviews. Additionally, 10 focus groups were carried out in order to deepen the understanding on socio-cultural differences towards surveillance.
The myriad ways in which citizens shop, feel more or less secure, share information on social networks, are “watched” in the workplace and actively engage in security practices are telling on how they “do” privacy in surveillance societies. The core of the analysis is in the fact that the variety of situations that citizens deal with, comply to, negotiate with and/or resist to, demonstrate the pervasiveness of technology and control.
As mentioned above, concepts like “surveillance”, “privacy”, or “resilience” are not common coinage for most of the European citizens most of the time. Except for situations where problems of surveillance score high on the political and media agenda, such as in recent times, triggered by the revelations of Edward Snowden on the practices of the NSA and CIA, surveillance, privacy, security, and resilience are not topical in managing everyday life for the average lay person. Of course attitudes of citizens towards surveillance and resilience can be investigated, when confronting them with explicit questions, e.g. when conducting a survey on privacy and security. But obtaining a response upon reflection of a question and considering problems of surveillance and resilience on a daily basis and spontaneously are two different things.
What IRISS has shown is, that individuals integrate surveillance related technologies (from mobile phones to swipe cards documenting their office hours) in many different and often creative ways into their everyday lives. Daily routines are built around the uses of these technologies, they are perceived as means to facilitate daily business, open new opportunities, create new ways to communicate and socialize. The majority of the respondents had a positive attitude towards technologies, ignoring their potential for intrusion of privacy and surveillance. Respondents showed an awareness of the changes in their lives caused by new technologies, but typically perceived of these changes as positive. Only a small fraction declared themselves as critical or reluctant technology users from the very beginning or reported about precautionary measures (like e.g. changing the default privacy settings in social media or using encryption).
The narratives on surveillance have been structured in four main dilemmas or trade-offs which provide the analytical framework of the analysis:
3.1) Privacy and Convenience: Citizens as consumers
3.2) Privacy and Security: Citizens and their views on security in Europe
3.3.) Privacy and Sociality: Citizens and the use of social media
3.4) Privacy and Trust-Fairness: Citizens at their workplace
3.1) Privacy and Convenience: Citizens as consumers
While almost all forms of shopping and consumption could have been performed anonymously in pre-Internet times, this is no longer possible. One reason lies in the changing methods of payment and the problem of establishing trust in commercial relationships without cash transactions. Paying cash over the counter allows for highly anonymous transactions. By paying with cheques, credit cards or advanced forms of electronic payment like PayPal consumers have to identify themselves and hence leave data traces; by shopping via Internet they provide additional relevant marketing information about what they buy, when and where they shop and what they look at before and after buying. This may yield various data concerning, for instance geo locational information, personal preferences, medical conditions, personal relations and so forth. Using these data, profiles could be constructed in order to derive e.g. credit ratings from shopping patterns or postcode information.
What can be observed here is a paradox of anonymity. Being involved in a commercial transaction with your local shopkeeper may create a social relation, in which anonymity ceases to be an issue, and relations will be re-configured and once anonymous customers will be rendered loyal customers, of whom the shop owner is well informed regarding preferences and so forth. This is represented in the iconic figure of the grocer at the corner-shop acting as a communication hub for the neighbourhood. In this setting an individual as a customer is known to his/her local community, but anonymous outside this environment. The same person shopping in an inner-city department store would enter into another setting, one in which anonymity prevails. Businesses in such a setting do not know their customers personally. They neither know their names, nor preferences. Anonymity is the default setting, and at the same time, a problem for the business striving to extend their base of loyal customers in terms of advertising, offers and service.
Throughout the citizens statements on privacy, data, the uses of data in everyday life, the personal encounters with data collection and the respective assessments were often embedded in a narrative of „managing“ data and privacy (thus hinting at a concept of „doing privacy“) in everyday life. This narrative of what could be termed „privacy management“ or “privacy labour” occurs in various contexts and to various degrees throughout many interviews, as do statements referring to data protection and privacy issues. As data and privacy issues become relevant in more mundane, everyday activities, the “Digital” appears to be an inseparable part of everyday life. Accordingly, managing privacy and personal data implies the existence of routines and socio-cultural „scripts“ that are followed to cope with the many requirements and demands of a digital information society in everyday life. The pervasiveness of the Internet in all its forms is apparent and has long become a part of everyday life and practices - socially, culturally and economically. To frame this under the term surveillance may thus be misleading as many of those measures and strategies are not driven by a desire to control the citizen in the sense of an authoritarian state, but to make money – hence knowing and managing the customer is paramount here. But as much of these strategies appear in the everyday contexts of Europeans, the perceptions of these strategies and the attitudes towards the data collection behind them may be framed differently than in terms of surveillance and control.
3.2) Privacy and Security: Citizens and their views on security in Europe
Security at the level of citizens is primarily discussed as perceived security. Over the last decades the concept of perceived security or subjective security has attracted attention in academic and policy discourse. There are a number of reasons for this replacement of security with perceived security. First of all the figures of registered crime, crime being the dominant source of insecurity for a long time, are not representative of the development of criminal behaviour. They primarily reflect activities of law enforcement agencies, i.e. more police creates more (registered) crime, more reports of incidents by citizens to the police lead to higher crime figures. Secondly, as criminological research on victimization and fear of crime has demonstrated, levels of perceived insecurity do not mirror objective victimisation risk: persons with statistically low probability of victimization often display high levels of fear or insecurity and vice versa. As fear of crime studies have repeatedly demonstrated, levels of fear of crime reflect other, broader existential insecurities. Law enforcement agencies thus have begun to focus on feelings of insecurity as public sentiment, while at the time acknowledging the limitations of combatting or reducing crime in the literal sense.
IRISS explored the dilemma between privacy and security by focusing on technology. In particular, we drew attention both to a specific surveillance tool (CCTV) and to views on security and crime prevention. In general fear of crime plays an important role in this context. We investigated several dimensions, one of them being the difference between the watchers and the watched and how the latter perceive control through technology. As we showed, several ambiguities seem to arise pertaining to citizens’ attitudes towards surveillance technologies. More often than not, citizens do not have clear-cut views, however, there are a few recurring themes which are worth considering.
The dilemma between security and privacy is presented as irrelevant if the respondents have a good reason to believe that security tools “work”. Moreover, the general belief is that more surveillance is more likely to increase security. Despite the differences between reality and perceptions, it is worth noting that the latter affects feelings of security and can therefore also play a role in changing the attitudes of citizens who perceive themselves as “insecure” or “at risk”. However, what seemed to emerge are doubts about the effectiveness of technology along with questions on the overall approach to security. For instance, the delegation of security to technology was emphasized by many respondents as well as the false sense of security provided by surveillance tools. The effectiveness of technology is connected rather more with fighting crime, then with crime prevention. Our interviewees highlighted the importance of personal and/or social responsibilities in order to feel safe and to live in a safe environment.
Privacy is at stake when citizens report personal feelings of being “stalked” or “watched”. Surveillance is not always taken for granted, especially in the urban context. Although the “surveillant gaze” is not always accepted, the inevitability of surveillance permeates everyday life. Nonetheless, there are options for resilience, namely avoiding places where there are a certain number of cameras, for instance, or trying to be “less visible”, that is behaving normally when “spied upon”. However, the notion of resilience appears complex and multi-faceted. Like surveillance, resilience has two faces: one draws attention to options to avoid control, the other is the opposite as resilience can also be surveillance. In other words, resilience as surveillance emerges when the feeling of insecurity is prevalent.
Another important insight is the high level of awareness of surveillance technologies. Citizens we interviewed are familiar with the surveillance society they live in and daily encounters with technology do not go unnoticed. Yet, it is difficult to determine whether awareness relates only to the visibility of security tools or also pertains to a deeper understanding of the consequences of surveillance. Nevertheless, especially when considering new high-tech surveillance mechanisms such as drones or biometrics, “the nothing to fear, nothing to hide” approach is not prevalent and respondents implicitly recognize the need for regulation.
To conclude, citizens only rarely use the language of rights violations when it comes to thinking about surveillance in the context of security. Even though the “gaze” can be uncomfortable and – as we showed – might affect behaviour, acceptance towards surveillance in the general public is quite high
3.3.) Privacy and Sociality: Citizens and the use of social media
Much of the power of social media can be understood through the changing elements of the Internet. Being ‘on’ and having instant and 24/7 access to news, blogs and ‘feeds’ has irredeemably altered the communication landscape. To the forefront has been the use of smart phones or devices, where access to the Internet is available remotely and widely throughout most European countries. Indeed, the use of mobile Internet use has seen a substantial jump in the level of usage, 36% of Europeans in 2012 accessed the Internet daily via a mobile device (smart phone, tablet or PDA (personal digital assistant), whereas in 2011 14% of Europeans did.
There is clearly not the use of social media, but rather many different usages, usage patterns, shapes, and forms. It was ostentatious, that distinctions in social media practice were not only mentioned as side notes, but most often explicitly captured, focused on and even scrutinized. Highly specialized and customized forms of usages of the social web determined the greater picture given in the interviews. Social media (notably Facebook as the manifest and dominant example) do serve as a platform and a tool for sheer endless variations of self-expression – and sometimes self-degradation – information gathering, information spreading, up keeping as well as creation of relations and relationships, networking, and also controversy all the way to hate speech – and, as a matter of fact, surveillance.
Indeed, a negative reading of ‘The Web’ in a rather dystopian way – either to a certain extent recalling Horkheimer’s and Adorno’s criticism of the mass media and/or suspecting irrevocable separations of the individual based on disintegrative technologies – was given by some respondents. The perception of a web-mediated world of allegedly highly individualised users taking selfies and spreading pictures of their daily meals all over the web is surely one side of the coin. Although excessive self-expression is undoubtedly a very real part of the social web and was sometimes met with incomprehension by interviewees (especially those, that were not ‘heavy users’ or ‘digital natives’ but rather interested ‘digital immigrants’), it wasn’t, after all, an assertive topic in the quotes. The dominant discourse was clearly a positive attitude toward the social web and all its possibilities.
The nature of social media is primarily a social tool in which friendship can be expanded and information and communications exchanged. This as we have mentioned can appeal to certain personality traits. Nevertheless, things can go wrong with social media and most pressing here is when defamatory or embarrassing material is circulated and the adverse outcomes of the exposure re felt by users. The control of this information is given some safeguard due to privacy labour, but even here controls are easily circumvented and indeed are easily lost – particularly if an ‘accepted’ friend has open privacy. Working to maintain privacy and working to avoid the consequence of information that has been posted is important. Again, drawing on the European Court ruling, the erasure of information is being taken seriously and the tentative reassurances provided by privacy settings are being superseded by stronger regulations. Needless to say as with privacy settings, getting around these controls is not difficult, for instance removing a court conviction from a search engine will not remove it from court records or even from newspaper records. However, it does stress that privacy labour in terms of online material may prove in the future to be more robust. Social media is a popular tool with undoubted social qualities, however at times it also needs to be treated carefully, particularly when used in carelessly.
3.4) Privacy and Trust-Fairness: Citizens at their workplace
While the relation between employer and employee is first and foremost of an economic nature, to be analysed in terms of wages and profits, capital and labour force, each workplace situation also entails an element of social interaction. The social relations in a workplace setting reproduce the economic relations of domination and submission, even if in many present-day work environments concepts like creativity, motivation, and personal satisfaction are invoked to describe the situation of the work force. In modern Western societies the model of the shop floor and the assembly line of industrial mass-production no longer provide the paradigmatic workplace scenario. The rise of the service economy, the integration of modern ICT in production processes, an increase in symbolic production and design work, the international division of labour and the flexibility, volatility and fluidity of work, blurring the boundaries between private- and work life are just a few key words to account for the dramatic changes in the everyday situation of the working population. What used to be a tangible and collective experience of exploitation in industrial capitalism has been transformed for a substantial segment of the work force into an abstract, often remotely controlled and intangible regime of self-motivated performance in a flexible work environment. Surveillance at the workplace can take on different forms depending on the kind of setting. From the perspective of the actors involved there are different ways of integrating new technologies with high surveillance potential into their everyday work life. One option is to develop a moral perspective, justifying surveillance practices as an adequate means to identify wrongdoers, to develop an adequate system of rewards and to improve health and safety of the workforce. Understandably this narrative is used mostly in stories told from the perspective of the “watchers”, i.e. management. A moralistic approach to surveillance can go either way, supporting and justifying the use of technology or criticising and condemning it. A key concept in either case is trust. If trust prevails, there is no need for surveillance; if surveillance is introduced this erodes trust.
Having to work in an environment under surveillance produces a number of practical and discursive strategies of normalization. Employees are aware of the fact of being surveilled in sometimes rather complex ways, but they learn to find ways to either work around the surveillance regime or to adapt their routine practices. What can be clearly seen is how the introduction of new ICT in work processes changes the situation of employees dramatically and how new rules and regulations, formal and informal have to be negotiated and implemented. Those who grew up with new social media have acquired the skills to adapt their behaviour when using e.g. Facebook. They are aware of the pitfalls of documenting their private life online.
What could be shown in the stories about workplace surveillance is the wide array of technologies and strategies deployed here. From crude and simple CCTV cameras installed on the premises to highly sophisticated multi-channel and multi-sensor systems tracking every move across multiple sites and assessing performance using several indicators.
The changing structure of the workplace and working environment in recent times has been accompanied by greater flexibility in how, when and from where employees conduct their employers’ business. Greater flexibility has been encouraged by employers through facilitating flexible workspaces, home working, provision of laptop computers, smartphones and other technologies to allow businesses to respond to the 24/7 demands of the modern working world. However, accompanying this more flexible approach by employers, and apparent weakening of previous monitoring controls, which they might have used to ensure that employees were performing to required standards, there has been an increase in the availability of surveillance technologies, which can and are being used in the workplace. Many examples of the different types of workplace surveillance technologies being used are provided in the stories, including the most direct: body-worn CCTV. Some evidence of the resilience of employees is provided, through resistance to the practices of management, or indulging in deviant behaviours. Coupled with the increase in flexible working has been a massive rise in the use of communications technologies, including the Internet and social media, all of which are being used in both professional and private settings. This has resulted in what has been described as a ‘blurring’ of the boundaries between the private and the professional, which then invites an ethical debate around these issues. Many governments have produced legislation covering data protection and data processing, and most have appointed regulators to manage the inevitable interpretations and sometimes conflicts which arise, although in reality the legislation can never be expected to keep up with the speed of technological change. In the workplace, many responsible employers have produced codes of conduct for employees around use of the Internet and use of employer’s hardware and software when not on working time, and provided definitions of what is acceptable and unacceptable use. Above all, a fair degree of common sense is required from any employee engaging in what might be regarded as ‘personal’ activities while on ‘work time.’
Call centres are popular with governments and development agencies due to the labour intensive nature of their staffing requirements, and impact which they can have on unemployment levels, however as can be seen from the interviews and the literature, they also create environments which are target driven and feature what some might regard as ubiquitous and oppressive forms of surveillance monitoring. Due to the ubiquity and non-discriminating nature of the surveillance technology within call centres, this is claimed to have mediated the behaviour and attitudes of some employees (and supervisors) in harbouring resentment against some team members who perhaps do not meet the required standards, and in effect some managers may look at the statistics and not the underlying (and personal) reasons which might lie behind the output or performance.
Turning to ‘Google-veillance’ and the use of social media in a recruitment setting, there are many examples provided from the interviews of employers monitoring the activities of employees, and as an aid to informing their recruitment decisions for prospective employees. There emerges a feeling of inevitability about the continuing growth in use of social media in this context, and to that extent, it could be regarded as having almost become ‘normalised’. Personal prejudices are also evident when using this medium. Reputational management is a key driver for many employers in justifying the use of social media or checking work E-mails to view what their employees have been saying. It is important therefore for employees not to be irresponsible and to write (publically accessible) disparaging remarks about their employer, their team leader or colleagues.
Regarding national trends in workplace surveillance within the countries where the interviews took place, i.e. Austria, Germany, Italy, Slovakia and the UK, it is difficult to draw firm comparisons, however it is clear that they all have a regulatory system at the national level for data protection and processing; they all respect the rights of personal privacy, and there is a role for some form of representation of employees through trade unions or works councils etc. when discussing surveillance technologies in the workplace.
Regarding trust, it is the single-most important building block upon which future relationships, reciprocity, and mutual respect can be developed and strengthened. Time and again from the interviews, we were provided with examples of the breakdown of trust caused by management, most often simply because they used the data or images which the surveillance technology provided them with, which of course was too tempting (in their eyes) to turn down.
Often, the data and images were used for purposes other than those originally agreed upon, resulting in the breakdown in relationships, and sometimes increased resilience and resistance by employees to their employer.
In the final analysis it seems that there are no serious options for an active strategy of resistance against the rise of surveillance in the workplace. The only option is either to quit the job (only to probably find a new position where a similar regime of surveillance prevails) or to develop informal counter strategies to neutralize the surveillance practice to some extent. Since ICT is on the rise in most workplaces settings, be they industrial or service, it can be assumed that surveillance of work environments will become more intense across all areas and workers will continue to develop – wherever feasible, morally justifiable and practically possible – their counter strategies to work these systems in their favour
4) A stress test on the right to access data
Third, the research in IRISS found that the spirit of the European Data Protection Directive has frequently been undermined as it has been transposed into national legal frameworks, and then further undermined by the evolving national case law. Therefore IRISS has conducted subject access requests in several European countries to examine how citizens in their role as data subjects, encounter a wide range of legitimate but not always convincing and straightforward restrictions in their attempts to exercise their rights. These legal restrictions were further undermined by illegitimate actions enacted through a series of discourses of denial practiced by data controllers or their representatives.
In the context of surveillance and democracy, the principles of consent, subject access and accountability are at the heart of the relationship between the citizen and the information gatherers. The individual data subjects have the right to at least know, what kind of data is collected about them and by whom, how it is being processed and to whom it is disclosed. Furthermore, they have rights to inspect the data, to ensure that it is accurate and to complain if they so wish to an independent supervisory authority who can intervene on their behalf.
The second of these three principles, one’s right of access to personal data, is a central feature of European Data Protection Regulatory Framework and in particular of the European Data Protection Directive 95/46/EC. It is, arguably, the most important of the so called ARCO data protection rights (access, rectification, cancellation, opposition) because, if one cannot discover what is held about oneself, it is not possible to exercise the remainder of these rights.
Our research found, however, that the spirit of the European Data Protection Directive has frequently been undermined as it has been transposed into national legal frameworks, and then further undermined by the evolving national case law. Citizens, in their role of data subjects, encounter a wide range of legitimate but not always convincing and straightforward restrictions in their attempts to exercise their rights. These legal restrictions are further undermined by illegitimate actions enacted through a series of discourses of denial practiced by data controllers or their representatives.
The research was conducted in three parts. The first part involved a comparative analysis of European and national legal frameworks in the areas of data protection and, specifically, subject access rights. The second part saw researchers undertake empirical work in attempts to locate data controllers, their contact information and key content regarding data protection and subject access rights. The third part continued this empirical work and tasked researchers with submitting subject access requests, in relation to their own personal data, to a range of data controllers to assess this process as well as the responses received from these organisations.
4.1) Findings of IRISS on subject access rights
Data subjects are inherently disadvantaged before they can even begin the process of submitting a subject access request. This is in part because the implementation of the EU Data Protection Directive 95/46/EC has been uneven across EU Member States and, together with the development of case law, many European countries have interpreted key provisions of the European law in a narrow way.
As a consequence, European citizens living in different countries are subject to very different regimes in relation to:
legally defined response time obligations on data controllers;
requirements upon data controllers to appoint Data Protection Officers;
the costs of making a subject access request;
the complaints and redress mechanisms available to data subjects with their national Data Protection Authorities.
This means that, not only are there considerable differences at the European level, but that an access request emanating from one country, but submitted to another, may be subject to completely different procedures. This inconsistency is particularly true of provisions in relation to the concept of ‘motivated requests’ in the area of CCTV, (Belgium and Luxembourg) which demand that data subjects legitimise their requests with a justified reason accompanying the submission of the request itself. In such cases, it seems that exercising one’s right as set out in the European Data Directive, is not a justified reason in and for itself, and often leaves the data subject at the mercy of the data controller's discretion to determine what constitutes a legitimate reason.
4.2) Who is the data controller
The right of access is exercised by submitting an access request to a given data controller but, before this can begin, one must locate the data controller. This phase of the empirical work was conducted as follows:
The research was conducted across 10 European countries (Austria, Belgium, Germany, Hungary, Italy, Luxemburg, Norway, Slovakia, Spain and the UK) and examined 327 individual sites in which one’s personal data was routinely collected and stored.
The research sites were chosen based on a consideration of the socio-economic domains in which citizens encounter surveillance on a systematic basis. These domains were health, transport, employment, education, finance, leisure, communication, consumerism, civic engagement, security and criminal justice.
Researchers attempted to locate data controllers and their contact details in a variety of ways including by telephoning them, by attending sites in person and by accessing organisations’ online content.
The research sought to determine the ease and/or difficulty of locating data controllers, given the centrality of this process as the natural pre-condition of citizens being able to exercise informational self-determination.
The research found that, in a significant minority (20%) of cases, it was simply not possible to locate a data controller. This immediately restricts citizens’ ability to exercise their right of access because insufficient information is given regarding to whom one should send access requests. Where data controllers could be located, the quality of information concerning the process of making an access request varies enormously from country to country and in different sectors, both public and private. In the best cases, information was thorough and followed legislative guidelines closely, providing citizens with an unambiguous pathway to exercise their right of access. In the worst cases information was very basic, often failing to explain how to make an access request or indeed what an access request actually is. Information was often confusing and incomplete, consequently obliging the citizen to pro-actively seek out clarification before being in a position to submit a request.
The most reliable, efficient and frequently used way of locating data controllers turned out to be on-line. In nearly two thirds (63%) of all cases on-line searching provided the relevant contact details, and this was achieved in less than five minutes over half (61%) of the time.
Attempts to locate data controllers using alternative methods generally did not fare well. In the majority of cases, when contacting organisations by telephone, members of staff lacked knowledge and expertise concerning subject access requests. As a result, answers were often incorrect, confusing and contradictory to their own organisations’ stated policies.
When it was possible to locate the data controller via telephone, this took over 6 minutes, sometimes on premium rate lines, in over half (54%) of all cases. And even then, the quality of information provided via telephone was rated as ‘good’ in only 34% of cases.
In the case of CCTV, where we attended the sites in person:
nearly 1 in 5 sites (18%) did not display any CCTV signage;
where signage was present, in over four out of ten cases (43%) it was rated as being ‘poor’ in terms of its visibility and content;
only one third (32.5%) of CCTV signage identified the CCTV system operator or the data controller.
By failing to display appropriate signage at CCTV sites, one fifth of organisations effectively employed ‘illegal’ practices. The expertise of members of staff when approached in person was often lacking and they frequently reacted to queries with suspicion and scepticism, questioning why one would wish to access their personal data. Thus, even where researchers were merely trying to find the contact details of the data controller, they were forced to justify why they sought to exercise their democratic rights, and even then they were frequently denied.
4.3) Submitting access request
When it is possible to locate the data controller, the process of then submitting an access request can be problematic with data controllers employing a range of discourses of denial which restrict or completely deny data subjects the right to exercise their informational rights.
Subject access requests were sent from 10 European countries to 184 individual organisations sampled from the first part of the empirical phase of the research.
This sample set included both public and private sector organisations as well as a number of key multinational organisations which routinely collect large amounts of data.
The requests were made for a range of data including information held on paper and digital records as well as CCTV footage.
Requests made three key demands of data controllers: disclosure of personal data; disclosure of third parties with whom data had been shared and disclosure of whether (and if so how) data had been subject to automated decision making processes.
The research found that obtaining a satisfactory response concerning all aspects of the requests was relatively rare.
Four out of ten requests (43%) did not result in personal data being disclosed or data subjects receiving a legitimate reason for the failure to disclose their personal data.
In over half of all cases (56%), no adequate or legally compliant response was received concerning third party data sharing.
In over two-thirds of cases (71%) automated decision making processes were either not addressed or not addressed in a legally compliant manner.
Even taking account of those cases in which successful outcomes were achieved, the process of submitting an access request was often fraught, confusing and time-consuming.
Holding/acknowledgement letters were received in only a third (34%) of cases, which meant that data subjects had no idea as to whether the requests were being dealt with or simply ignored.
Even where data subjects received their personal data, in some instances the disclosure of this data was incomplete and additional data was still outstanding. This occurred in one third of cases (31%) and required researchers to pursue data controllers for more information, as the first disclosure was incomplete.
There were noted variations in how different types of organisations responded to requests. In general, public sector organisations performed less badly than those in the private sector, with only 43% engaging in restrictive practices compared with 62% in the private sector. Requests for CCTV footage were particularly problematic, with seven out of ten requests for CCTV footage being met by restrictive practices from data controllers or their representatives. While loyalty card scheme operators were generally facilitative in disclosing personal data (86% of cases), they did not perform as strongly in providing information about automated decision making processes (only 50% of cases). Meanwhile, requests made to banks did not yield much information about third party data sharing (only 30% of responses disclosed this).
In assessing both the process of submitting access requests as well as the content of the responses received from data controllers, the research found a range of restrictive practices employed.
Data controllers frequently render themselves ‘invisible’ to data subjects using a variety of practices, ranging from the absence of CCTV signage identifying who is operating the cameras to flatly refusing to respond to access requests at all. In 12 cases, requests were met with complete silence. In a further 17 cases, although preliminary communications were entered into, any subsequent correspondence elicited no response. In total, therefore, in the end, one in six (15%) of all cases were met with silence.
Many organisations did not have clear and formal administrative procedures in place to receive and respond to subject access requests. These bureaucratic failures led to considerable delays and confusion for data subjects in the way that their requests were processed. This included the inability (or unwillingness) of data controllers to respond to requests in any language other than English despite receiving requests in other languages.
Data controllers often responded to requests only after long and excessive delays. This at times had a direct impact on the availability of the data requested (e.g.: the deletion of CCTV footage). It also meant that data controllers were in breach of their legal obligations to respond to requests within nationally specified time frames.
Some data controllers, particularly multinational corporations, offered only fixed and pre-determined mechanisms for data subjects to submit requests. These mechanisms did not allow for specific queries to be addressed and took an extremely narrow and, in the context of European law, invalid interpretation of what type of data citizens are entitled to request.
In many cases, data controllers refused to fulfil requests by invoking legal provisions incorrectly. This belied a lack of knowledge and expertise on behalf of data controllers and their representatives because data subjects were erroneously advised that they had no legal entitlement to exercise their rights.
Achieving a successful outcome when submitting an access request is possible and we came across a significant minority of cases, for instance in Germany and the UK, where requests were dealt with courtesy, diligence and efficiency. However, the burden of achieving a successful outcome lies heavily with the data subject and many organisations in this research did little to lift this burden away from the citizen: members of staff repeatedly reacted with surprise and puzzlement to our requests, explaining that they had never before received such queries. A vicious circle therefore emerges, where organisations fail to inform citizens of their rights or how to exercise them. As a result, for those citizens who have little or no prior knowledge about privacy and data protection issues, the right of access is either unknown, denied or inaccessible. Then due to the lack of subject access related queries received from the public, organisations fail to inform/train their staff in matters of privacy and data protection, and have little motivation to do so.
The empirical results of the research demonstrated significant disparities in the ways requests were processed from one country to another. The research shows that this is partly due to the willingness of Data Protection Authorities in some countries to support citizens when they exercise their informational rights. This, coupled with the absence of the need for data subjects to provide a justified motivation for their requests, meant that submitting such requests was generally a smooth process in these countries. In contrast, in Italy and Spain, the researchers encountered a plethora of restrictive practices ranging from the identification of data controllers, the ways in which their requests were processed and the difficulty of submitting complaints to DPAs when disputes arose.
The myriad of restrictive practices evidenced in this research means that data subjects have to work extremely hard to exercise their rights. They must show persistence, confidence and resilience in the face of a series of discourses of denial during which their access requests may be regarded as illegitimate, severely delayed or simply ignored altogether. And even then, they are only likely to have successfully exercised their rights fifty-percent of the time.
4.4) Policy Implications & Recommendations
The research revealed an endemic lack of awareness of informational rights and specifically access rights amongst both data subjects and data controllers. This vacuum in expertise suggests that Data Protection Authorities may have a crucial role to play in providing additional promotion of informational rights. Moreover, Data Protection Authorities play a central role as the natural recourse in cases of poor practices on behalf of data controllers. However, the research findings showed that in some cases, DPAs’ resources (or lack thereof) are such that they are unable to process complaints in a satisfactory manner and this can therefore become a lengthy process. As a result, we propose the following:
DPAs should prioritise the promotion of informational rights to citizens and give some consideration to how training/awareness-raising could be delivered.
DPAs should provide standard model templates for data subjects to use in order to submit an access request.
DPAs should, in conjunction relevant stake holders such as consumer rights and labour orgnisations, promote the development and acceptance of standard templates in specific sectorial contexts.
DPAs should provide detailed guidance to data controllers in how to respond to access requests including examples of best practice and give some consideration to how specific training could be delivered.
DPAs should also provide detailed guidance to data subject on how to exercise their rights.
DPAs should ensure that a clear, unambiguous and affordable complaints procedure is always available to data subjects in case of data breaches.
DPAs should have the power of audit and inspection as this would go some way to redress the asymmetry of power experienced between data subjects and data controllers.
DPAs should proactively audit public and private sector orgnaisations web sites and other channels of communication to see whether all relevant information is available to citizens to make a sucessful access request.
4.5) Policy recommendations in light of the European data protection reform
The policy implications and recommendations resulting from our research findings are made on the basis of the existing European and national legislation. The EU is currently in the process of reforming Directive 95/46/C and some comments can be made here in light of our research findings which address the substance of the proposed reforms.
First, our research has found considerable variation in how subject access rights are enacted in different Member States. The use of regulation rather than a directive would lead to greater consistency between different countries.
Second, the research demonstrated that the presence of DPOs facilitated the access request procedure for the data subject. Any proposal which seeks to diminish organisations’ responsibilities to appoint DPOs will need to consider the detrimental effect that this may have on citizens’ abilities to exercise their rights.
Third, our research illustrated that privacy policies often lacked the requisite depth of detail to enable data subjects to manage their data in a meaningful way. If citizens are to be empowered to exercise their rights, organisations must clearly describe their subject access procedures and policies and provide explicit protocols to submit an access request.
Fourth, the research found that data controllers were generally reluctant to disclose any information about their data sharing protocols and even when pushed, only revealed generic lists of those they shared personal data with. While this is in accordance with the current legislation, it is quite clearly inadequate as data subjects are completely unable to know with whom data is actually shared and how it is then used and continues to be processed.
Fifth, our research showed the almost complete inability of data controllers to address when and how automated decision making processes were used. As such, proposals demanding data controllers properly address issues of automated decision making and profiling should help to alleviate this problem.
Sixth, our research showed that the obligation to justify and motivate requests acted as an unwarranted restriction on data subjects’ ability to exercise their rights. This should be explicitly addressed in the proposed reforms.
Finally, as our research has clearly illustrated, in the case of transnational corporations, there is a lack of clarity as to which national legislation they are subject to and whether they are subject to European legislation at all. This would appear to be an area that legislators need to urgently address.
5) Final conclusion: Increasing resilience in surveillance societies.
The IRISS project has defined resilience as the ability of people (individuals and groups) and organisations to adapt to and/or resist surveillance, while recognising that some forms of surveillance may be acceptable or tolerable, and others pose a serious challenge to our fundamental rights. Examination of resilience in different domains has shown that the term resilience is often widely used and defined in different ways, and that its conceptualisations often share similarities despite significant conceptual differences. Some of these conceptualisations have proved usefulin the context of this project. The domains analysis revealed a number of insights about resilience. Resilience is multifaceted; sometimes it has an opportunistic aspect. It has a temporal as well as a spatial aspect. It involves communications between stakeholders. It calls for solidarity. Its core elements include: anticipation of vulnerabilities, threats, attacks, crises; preparedness; prevention, detection and response; mitigation; recovery and the sharing of responsibility and co-operation among stakeholders. Resilience also suggests a coherent set of objectives and measures aimed at achieving them in the face of typical human and natural threats to national security and community disruption. The key learning from the domains analysis was that the framing of resilience measures often benefits from lessons learned from prior events with the aim of mitigating future adverse events. However, resilience measures do not always anticipate very well their own sometimes negative and counterproductive consequences.
Resilience in the context of surveillance is different from resilience in the instance of the capacity of an infrastructure or of a community disrupted by an earthquake, tsunami or a financial calamity. Although it may come as a shock or a revelation to some people when they realise how extensive and pervasive surveillance has become, much of the surveillance today can be regarded as an on-going stress on society, rather than a shock. Hence, resilience in a surveillance society has more to do with coping than with recovering or bouncing back. Further, in a surveillance society, there is clearly a difference between resisting surveillance and adapting to it. It is possible to resist surveillance, but resistance may not prevent surveillance. One might also see resilience as on a continuum somewhere between surrender and civil disobedience.
The empirical research and the theoretical analysis in the IRISS project has outlined various measures to increase resilience in surveillance societies amongst which are political and regulatory measures (such as accountability and oversight, explicit consent, privacy principles, creating boundaries and limiting surveillance, awareness and communication), individual measures (such as whistle-blowing, resistance and using privacy-enhancing technologies), and societal measures (such as public opinion polls and an activist press). The list is not exhaustive. As surveillance continues to grow and expand, such measures need to be reinforced and strengthened at all levels. Individuals and societies need to take active and sustained measures to curtail surveillance and its dangerous and deleterious effects.
Potential Impact:
The overall approach of the IRISS project was to contribute to an informed public debate about the manifold problems related to the emergence of a surveillance society. IRISS was not designed to produce a technological tool or system to be applied in a practical context. Rather the overall objective was to unfold a set of critical arguments, supported by empirical research. The findings of IRISS should target different expert communities and a general interested public alike. The overall impact of such an endeavour is to help rising thresholds for the quality of debate about the topic under discussion. All partners in the consortium shared this understanding and contributed to local, national and European debates about surveillance as a problem for contemporary societies using findings produced by IRISS. As can be seen from the documentation of dissemination activities, the consortium members addressed public media, policy makers and the academic community alike. In doing this we targeted a wide array of audiences from local radio stations across Europe and beyond to the LIBE Committee of the European Parliament (IRISS has contributed to the NSA & Mass Surveillance hearing of the European Parliament on the 24th of September 2013).
What can be considered as a specific feature of IRISS and hence, hopefully, as a relevant contribution regarding the impact of our findings is the holistic approach taken in our research. Surveillance, as a topic of debate and controversy, surfaces in many different expert discourses, from computer science to legal theory, from anthropology to criminology. Under the heading of “surveillance studies” there is even a distinct academic community addressing surveillance as a topic for research. Within IRISS we attempted to contribute to all of these discourses, emphasizing the ambivalences, problems and unintended side effects of surveillance as a powerful development impacting European societies. Informing legal scholars about the technological side of the problem or criminologists about the privacy-intrusive nature of crime fight strategies can help to open the debate within the respective academic disciplines.
With regard to public controversies surveillance tends to be a topic with a high and controversial political loading. While surveillance is considered to be a useful strategy to counter the rise of societal threats from organized crime to terrorism and child pornography and the problems associated with increased surveillance are deemed acceptable when measured against the presumed positive effects, there is also massive critique brought forward, questioning the intended impact of increased surveillance and highlighting the negative consequences on privacy, freedom of speech and the deliberative democratic public sphere. Both sides operate with clear cases to make their point and substantiate their claims. Against this rhetoric of black and white IRISS highlighted the many shades of grey in the overall picture. Our findings suggest that aspirations of pro-surveillance adherents often are overstating the positive effects, while opponents sometimes tend to entertain an attitude of preventive paranoia and exaggerated fears of a panoptic Big Brother. To give some more depth and increase the complexity on both sides of the political and argumentative divide IRISS introduced a more nuanced perspective. Positive effects of surveillance have to be acknowledged but only within limits. This can be perfectly demonstrated using the highly politicized case of CCTV. The evaluation of CCTV measures shows mixed results and while some technological arrangements can have a positive effect on crime rates under some specific circumstances, it can be shown that CCTV is not the magic bullet in securing public space. At the same time the fears of critics that this technology is about to develop into the panoptic-automated super-surveillance tool can be countered by looking at the tremendous problems still unsolved in research on automatic pattern recognition technology.
What this demonstrates with regard to the impact envisioned by the IRISS project is the need to overcome the stalemate of political controversy by increasing complexity of pro- and con arguments on both sides. This is not intended to create an average value of conflicting positions or finding a compromise based on a position in the middle of extremes. Rather we opt for an increase of complexity by taking into account conflicting empirical evidence, proximate and distant causes, considering paradoxical effects or what Gary T. Marx once termed the “ironies of social control”.
Within IRISS we were emphasizing the experience of lay citizens, exposed to massive surveillance from many different organisations and institutions on a continuous basis, as citizens, consumers, voters or members of the work force. The massive impact of surveillance on citizens’ everyday lives could be demonstrated but at the same time it became clear that laypersons often do not understand the ramifications of surveillance as an element of their daily lives. This sheds light on another dimension of impact we envisage for the results of the IRISS project. Surveillance emerges as a side effect of living in a society of electronic consumerism. Scholars form surveillance studies have coined the terms data double and leaking data container to describe this situation. While surveillance often is understood in the narrow sense of a targeted strategy by public authorities to watch or track individuals or groups, it should be emphasized how surveillance emerges as by-product of a myriad of daily activities as soon as these are electronically mediated. Using mobile phones, making payments using online banking or credit cards, posting pictures for friends on social media platforms produces data traces in cyber space and creates opportunities for massive surveillance by different actors. Harvesting these data pools is on the one hand a commercially highly viable business opportunity and on the other hand provides public authorities with data to be used in the context of different policing activities. While it has to be acknowledged that for modern societies the trajectory towards this kind of surveillance cannot be changed – there is no way back into the age of a pre-electronic culture – it seems of utmost importance to raise awareness of citizens to what extent they are dependent on a techno-social infrastructure transforming them into machine-readable techno-social hybrids. In terms of envisaged impacts of the IRISS project we hope to contribute to what could be termed an up-date of reflexive societal self-observation. The conceptual tool kit used to deliberate about modern societies is rooted in political theory of the 18th century, reaching back to the classical heritage of ancient Hellenic democracies. The findings of the IRISS project might help to augment this tool kit creating an opportunity for European societies to develop a more realistic understanding of where they are going and what they should envisage to keep on a developmental path connecting to the entrenched values of European enlightenment. This might entail a redefinition of some of the key concepts for an age where humans increasingly merge with the technology they produce.
List of Websites:
http://irissproject.eu
IRISS set out to analyse the effects of surveillance for European societies. In doing this, a dual analytical perspective was applied. On the one hand the state of the art in theory and research was synthesized to provide an assessment of the present state of surveillance in Europe. On the other hand IRISS put a focus on the view from the citizens, trying to understand how they perceive of and react to comprehensive surveillance in their daily lives. Taking both perspectives together produces a comprehensive account of the present state of surveillance in Europe and opens a number of options for resilience. The key findings of IRISS can be summarized as follows:
• The effect of increased surveillance in fighting crime and terrorism could not be established. While Law Enforcement agencies are collecting, storing and processing more and more person-related information a significant effect of such increased and intensified surveillance cannot be established. On the other hand, the increase in electronic data processing creates new opportunities for criminal behaviour, discussed under the heading of cyber-crime.
• When discussing the rise of the surveillance society the activities of the private sector and commercial actors have to be included. Under the regime of electronic consumerism citizens as consumers are exposed to a data collection regime often more intrusive than any surveillance by public authorities.
• Legal regimes governing the use of person-related and other types of information for surveillance are scattered and law lags behind technology. Concepts like privacy have to be re-defined in a technologically mediated surveillance society.
• Comparing different surveillance practices across Europe reveals a wide array of differences. Legal and administrative regimes to govern surveillance in individual countries should be harmonized, based on those cases providing the highest level of protection of citizens’ rights. Subject access rights are enforced unevenly across Europe.
• Citizens perceive and react to massive surveillance in very different ways. While being aware of surveillance practices they often do not openly resist or take counter measures. Trading in personal data for services as consumers is seen as a legitimate exchange by a majority of Europeans. A more critical view towards surveillance emerges when the potentially negative effects of surveillance measures are experienced immediately at a personal level.
• Resilience towards surveillance rarely takes on the form of active resistance against new and more encompassing surveillance measures. What can be observed is adaptation to the fact of being surveilled while at the same time citizens show a high level of awareness about the data collection they are exposed in their daily lives as consumers.
• An informed public debate about the fact that European societies are sleep-walking into the state of surveillance societies should be launched pointing to the multiple effects of the gradual transformation of citizens into techno-social hybrids, continuously linked to massive data-processing systems, shaping their range of action as consumers and citizens.
Project Context and Objectives:
The IRISS projected was located in the SSH programme and thus could adopt a broader perspective reaching beyond the focussed, mission-oriented approach pursued in the security research programme. Bringing together scholars from across Europe, covering a wide array of disciplines, from sociology and surveillance studies, legal and political science in the research consortium IRISS was following a multi-disciplinary and multi-dimensional approach in the analysis of surveillance and the challenges it poses for open and democratic societies.
While many debates about surveillance focus on the instrumental effects in the context of fight against crime and terrorism or take a critical stance, measuring the impact of surveillance on entrenched legally defined fundamental rights to privacy, IRISS chose an approach that was broader, taking into account also the perspective of lay citizens at ground level and wider societal effects of increasing surveillance. Understanding what it means for ordinary citizens to live in a surveillance society was one of the main objectives of IRISS. While a number of studies, based on large scale survey research have investigated the general attitudes of European citizens towards different surveillance measures (mostly by public authorities) very little is known about the ways citizens handle surveillance in their everyday lives. In doing this IRISS looked at the effects of surveillance performed by law enforcement and by private commercial actors alike.
While much of the critical debate about surveillance looks at data collection done by police and security agencies, as could be seen after the Snowdon revelations, relatively little attention is paid in critical security and surveillance studies to surveillance emerging as a side effect of what we termed “electronic consumerism”. The effects of this form of non-state surveillance have to be investigated with regard to citizens’ fundamental rights of informational self-determination in the same way as state-based forms of surveillance. The intrusiveness of so-called customer-relation-management programmes, applied in the realm of electronic consumerism by far outweighs standard data-collection practices by most Law Enforcement Agencies. Surveillance in the commercial realm fosters processes of social sorting without consumers being aware of the fact they are categorized based on information collected about their activities involving the Internet. Entering into a transaction with a retailer on the Internet customers have to accept “terms and conditions” of the company by ticking a box and only in very rare cases they read the long and complex documents, detailing the data processing practices they accept, when agreeing with ticking the box.
One of the main objectives of the IRISS project was to identify what could be called deep-structural changes of European societies, once they begin to transform themselves into surveillance societies. Being linked to a myriad of databases creates a new socio-ontological status of citizens as techno-social hybrids. The definition of what it means to be a citizen, a consumer, or a full member of society entails data processing and identification of person-related information in remote electronic files, involving information often not accessible by citizens. Humans have to become machine-readable to enjoy the status of citizens, customers and consumers in surveillance societies. The IRISS project set out to follow the social, legal, and cultural ramifications of these deep-structural changes.
To understand such processes requires a close look at societal processes and the daily actions of citizens and at the same time conceptual work, screening the binary concepts of privacy and public sphere rooted in political and philosophical thought of pre-electronic times to adapt them to the emerging new conditions of cyber-space.
Developing a comprehensive perspective towards the effects of massive surveillance requires a critical analysis of the debates in legal and political theory to determine how surveillance affects fundamental human and political rights. At the same time the costs of surveillance have to be investigated in different dimensions, last not least the monetary costs of acquiring, implementing and maintaining surveillance technologies in different domains. IRISS set out to conduct such an analysis, synthesizing theoretical debates and analysing the costs of surveillance.
When looking at the effects of massive surveillance on the political processes in democratic societies, a number of very fundamental questions have to be addressed in the analysis. Surveillance can create informational advantages for some actors in the political process while others may have no access to privileged knowledge. This produces the transparent, machine-readable voter, who can easily be manipulated. On the other hand easy access to knowledge and information through the spread of electronic means of communication puts citizens in a position to make them independently knowledgeable about contested political issues and to organize horizontal debates about relevant political issues.
Weighing the positive and negative effects of increased electronic communication is not an easy task and IRISS, putting an emphasis on surveillance was focussing more on the negative implications and effects of these new technologies creating surveillance effects. The question though is to what extent the obviously negative effects of surveillance can be curtailed or at least, if surveillance is deemed unavoidable, if they can be justified from a rational position of law enforcement reasoning. These kinds of questions were addressed in a cooperative endeavour with two other projects, investigating the effects of surveillance from a different analytical angle. Both of these projects, SURVEILLE and RESPECT were funded under the security research programme in FP7 and were addressing similar questions, looking at the effects of surveillance on society, though from different theoretical perspectives. All three projects started at the same time. During the negotiation phase before the beginning of the project it was agreed with the Project Officers to set up a joint platform to exchange ideas, results and papers and to create synergies among the consortia. Each coordinator joined the project meetings of the other consortia and all three projects organized a joint final event in Brussels at the end of the projects’ life cycle, bringing together the members of the three consortia with an audience of law enforcement experts, scholars and policy makers to present and discuss their findings. Looking at this cooperation between the three projects from the perspective of the IRISS consortium one of the main contested issues is the effectiveness of surveillance. Can the effects – positive and negative – of increased surveillance on modern societies be measured or assessed in a transparent, rational way, based on independent empirical evidence? While SURVEILLE and RSPECT both produced valuable ideas for such an assessment the question still remains, how a society as a whole can control its own path of development in the face of the eminent changes increased surveillance brings about.
From the perspective of the overall approach taken in the IRISS project this question cannot be left to the experts in law enforcement, intelligence services or industrial system providers. It has to be brought back in a reflexive political move to the public forum. While this may sound rather abstract it can be broken down into operational ideas of how the effects of surveillance can be deliberated and critically analysed by those who are affected by it, i.e. by the citizens. Such an approach aims at enlightenment in the classical sense, which as Immanuel Kant prominently put it can be defined as “man’s emergence from self-inflicted immaturity”. One of the main strategic objectives of IRISS was to address not only the many relevant expert communities of political scientists, privacy scholars, lawyers, data protection experts, etc., but at the same time to involve policy makers and a broader public into the process of research and communication.
Such a strategy cannot be limited to dissemination activities and the communication of findings produced in the research process. It affects the overall approach taken in the project. As mentioned above IRISS set out to cover the realm of academic discourse and the life world of European citizens alike. Giving citizens a voice in the debate about the effects of surveillance on democratic societies entails more than running large-scale surveys eliciting aggregated views on pre-given fixed choice questions. While this approach has its merits it rarely touches the level of mundane and everyday problems and perceptions where the multiple effects of surveillance technologies unfold to gradually change the everyday life of ordinary citizens. Addressing the “big” societal problems of data-protection, privacy, human rights and mass surveillance by intelligence services is a necessary part of the analysis, but leaves out the “little” problems encountered by citizens using a mobile phone, a loyalty or credit card, booking flights and buying goods using the Internet or moving in public space while under surveillance from a CCTV camera. Understanding and documenting the many minuscule effects of modern data producing technologies on routine activities in a surveillance society, populated by techno-social hybrids, requires a different methodological approach. Citizens rarely use concepts like informational self-determination or subject access rights to talk about their experience with new technologies. Often they do not reflect in greater detail about the impact these technologies have on their lives. When framing the problem in terms of privacy, surveillance and fight against crime an terrorism, i.e. using the vernacular of standard media discourse after Snowdon, the typical response is based on the standard reasoning captured in the popular phrase that s/he who has nothing to hide has nothing to fear. However at the level of everyday life citizens rarely weigh such questions of national security or fight against organized crime and terrorism. The interface of the everyday citizens with surveillance society can be studied at the workplace, in public space, in encounters with public bureaucracies, while shopping on the Internet or when signing a contract with a mobile phone provider. These kinds of hands-on situations at ground level have to be considered to fully understand the breadth and depth of the workings of pervasive surveillance in contemporary societies.
This overall approach of linking the big policy issues with the little mundane problems of living in surveillance society also has an impact on the understanding and conceptualization of resilience. Resilient reactions can be discussed at many different levels and the preparedness to take adequate measures to increase resilience can be assessed. At the level of structural and policy processes it is obvious that more democratic oversight and control are required before surveillance regimes are extended and new surveillance technologies are implemented. In particular a better regime of assessing the presumed effects of surveillance is required to determine whether surveillance works as intended. At the level of lay citizens such policy measures often do not resonate. This could nicely be demonstrated in the results of citizen polls following the Snowdon revelations (which happened while the IRISS project was running). While the results of these polls in Western societies show mixed results it turned out that a substantial number of citizens seemed to accept the encompassing surveillance regime established by national intelligence services in cross-border cooperation. A different picture emerges when the potential effects of surveillance that are closer to home, i.e. affecting everyday routine activities of citizens are introduced. Resilient reactions creating a change of daily routines are more likely to happen, when citizens experience effects of surveillance themselves. Such effects can include cases of cyber-mobbing at the level of horizontal surveillance or the refusal of credit by banks based on credit scoring. Generally speaking citizens are more willing to show resilient reactions when they experience the practical consequences of the manifold ways of social sorting, giving them differential access to goods and services. Resilience has to be investigated and strengthened at many different levels, from policy and legal regulations to raising citizens’ awareness about surveillance being a part of their daily lives. Raising public awareness is a precondition for changing public policy with regard to surveillance in democratic societies. IRISS attempted to demonstrate this full circle, analysing how public discourse and political activity are affected by surveillance measures and how this again in a reflexive way has an impact on the capacity of modern societies to remain their democratic structure and process through a robust, active and enlightened discourse among citizens, addressing the fundamental question: what kind of society do we want to live in?
Project Results:
Preface
The IRISS (Increasing resilience in surveillance societies) project was designed to address surveillance and resilience from two analytically different perspectives: the observer’s and the participants’ perspective on surveillance and democracy inform our research. The first perspective generating a comprehensive analytical framework on surveillance, democracy and resilience was in the focus of first half of the project. The work during the fist phase of IRISS is documented in the book “Surveillance Industry in Europe” edited by the IRISS co-ordinator Reinhard Kreissl and David Wright. The book was published by Routledge in 2014. In the second phase of IRISS, the research conducted procured a complex, multidimensional data set covering a wide variety of different types of societies. This was achieved by three different empirical research approaches. Overall IRISS was aiming at the following five research areas and has produced a large variety of scientific reports drawing upon a rich dataset of empirical evidence on surveillance in Europe. All reports can be downloaded from the project’s website: http://irissproject.eu .
Five main S & T results outlined by the IRISS project:
1) Analytical framework: Analysis of the surveillance industry in Europe.
2) Watching the watchers: a case studies approach on different surveillance practices from across the EU
3) Living in a surveillance society: Investigating citizens’ perceptions towards surveillance in different EU member states
4) A stress test on the right to subject access requests as a cornerstone of the European data protection law: Accessing personal data, documenting and analysing the outcomes in different member states of the EU.
5) Increasing resilience in surveillance societies.
1) Surveillance industry in Europe
Surveillance is (and has always been) a normal element of modern society. Registering and identifying citizens began in the 18th century and was an important prerequisite for a modern centralised government. The data was necessary for taxation, provision of public infrastructure and the modern welfare state. In the 19th and early 20th century, surveillance became an important element in industrialism’s division of labour. In the post-industrial age, information and surveillance have become a lubricant of the information society. Histories, culture, legislative legacies, administrative rules and procedures, and vested interests, all play a role in shaping the use of surveillance technologies.
Surveillance seems to make life more predictable and calculable. It synchronises behaviour and provides a platform for social interaction in a modern, anonymous world. These are useful things, but the belief that greater surveillance can overcome problems such as the incompleteness of information or the partiality of abstraction is a dangerous delusion. Most of the examples from the different historical periods show that each useful application of surveillance also bears the danger of totalitarianism. Information and its use create an even greater need for information for even more beneficial purposes. The naïve thinking that those “who have nothing to hide, have nothing to fear” and that people “would be happy to give up a little privacy in return for more convenience, security, etc.” leads to a situation where the abuse potential exceeds any real or perceived benefits. In the current scenario, it is an illusion to believe that one can erase personal information stored in a networked system.
There are numerous open questions about the usefulness and effectiveness of surveillance technologies and their possible rebound effects, specifically in relation to surveillance measures introduced to fight terrorism and organised crime without knowledge of their effectiveness and consideration of their negative side effects (such as false positive matches, the inversion of the presumption of innocence, and costs of intensified security checks). The question of what impact greater surveillance has on an open society is still under debate. While counter-surveillance movements show that citizens are not always willing to follow the rationale of government agencies and industry, the case of surveillance cameras illustrates that citizens are gradually becoming accustomed to these measures.
Based on our findings, and given the economically significant role played by the European surveillance industry, overall, we recommend a cautious approach in any actions or measures to regulate the surveillance industry to avoid undue competitive disadvantage. At the same time producing technologies that qualify as privacy enhancing while at the same time meeting functional requirements can be considered to be a competitive advantage.
Europe requires a multi-level strategy to address surveillance concerns and strengthen resilience. Hence we recommend that industry associations (which our research reveals are powerful entities) are taken on board in the discussion about societal security and included to enhance the effectiveness of resilience. Industry associations can regulate their members to a reasonably good degree and can develop surveillance-related guidelines and codes of ethics, foster greater corporate social responsibility practices, develop standards for privacy enhancing technologies and so on.
Strit legal trade regulation might be the most effective solution to help curb the sale of surveillance solutions to non-acceptable entities and third countries.
Greater transparency and accountability for the surveillance industry might come through the adoption of mandatory privacy impact assessments (PIAs) or surveillance impact assessments (SIAs) and through the development of standards and certification requirements for surveillance technologies.
There is a need to officially recognise the increasing privatisation of state surveillance, the emergence of a security-industrial complex, and its impact upon society. Civil society organisations and academia also have an important role to play here (e.g. in recognising detrimental effects, keeping a watch over the impact of new technologies and acting to maintain democratic oversight).
Finally, there is a need to establish multi-stakeholder platforms or forums and even a European surveillance industry observatory (either within existing platforms or as a new initiative) to continuously monitor the industry.
Our analysis of the impacts of surveillance on civil liberties and fundamental rights yielded several provisional themes and findings:
• Surveillance technologies and practices have an actual or potential impact (mainly negative, but sometimes positive) upon a wide range of individual and trans-individual rights, freedoms and values.
• The effects of surveillance go beyond those that concern individual privacy, dignity, autonomy, and the presumption of innocence, and can also be seen in terms of a number of dimensions of social and political life.
• There are gaps and deficiencies in the law and in jurisprudence as they struggle to keep pace with technological development and institutional practice, especially in an online environment and in a political climate asking for enhanced repressive measures from law enforcement and counter-terrorist policy.
Discussing the impact of surveillance on a host of rights and values, and the impact of rights and values on surveillance requires conceptual disaggregation and clarity, detailed and systematic analysis, and empirical evidence. The degree to which all these desiderata are currently available is uneven, but our analysis of the impacts of surveillance on civil liberties and fundamental rights has shown how they can be brought to bear on a subject that is sometimes ambiguous (e.g. the concepts of privacy and surveillance) and sometimes not easily amenable to reliable empirical research (e.g. social and psychological effects of surveillance), but with reasonable prospects of making subsequent judgements about the resilience of societies in the context of surveillance societies.
Data protection authorities (DPAs) as external overseers and regulators typically focus on privacy-related implications of surveillance and find it difficult to embrace a wider perspective of values in their regulatory exhortations and enforcement practice. The laws within which they operate do not normally give them a licence to roam across the range of values to invoke when they seek to limit surveillance.
Thus, there is at least some indication that, amongst regulators, a broader sense of values, rights and freedoms, and/or their close relationship with privacy and data protection in a stricter sense has been recognised as important in the oversight of surveillance. Surveillance has a demonstrable effect on individuals or on categories of persons, and not only on their privacy, but whether this toehold of recognition of a wide array of rights, freedoms and values in data protection and privacy oversight is broad enough in practice to counter the wide-ranging effects of surveillance is not certain.
In the following sub-chapters of this report we have summarised the findings of our empirical research conducted in the IRISS project from 2012 to 2015.
2) Watching the watchers – the IRISS Case Studies
A series of case studies was conducted examining three surveillance practices from the perspectives of the watcher and the watched in different European countries. Case studies were defined in terms of the surveillant relationship: whether it was between the state and citizens, the private sector and citizens or citizens and citizens. The central finding is that increasing resilience to surveillance in Europe begins with increased public – and institutional - awareness of its harms and its benefits. For the watchers - those organizations in whose favour surveillance was deployed - surveillance produced several benefits. These benefits included better risk management and traffic law enforcement which has almost made the watchers immune to recognising that any harm may arise. Nevertheless, activist groups and the media have been working hard to highlight the harms associated with specific instances of automated number plate recognition (UK, Slovakia, Belgium), and credit scoring (UK, Norway) but changes in governance are also needed to limit the effect of those harms. The following chapter will review the results from the three case studies conducted in IRISS on ANPR, Credit Scoring and Neighbourhood Watch. Looking at different countries revealed a wide array of best (and worst) practices in the regulation of surveillance measures.
2.1) The cases: Automatic Number Plate Recognition
Automatic Number Plate Recognition, or ANPR, is a surveillance practice in which digital CCTV cameras capture images of vehicle registration plates. These images are then matched to government vehicle licensing and other databases which contain information pertaining to the ownership of the vehicle, whether it is insured or whether it has been marked as suspicious in any police investigation. ANPR is also used to administer car parking and road toll charges. Users of ANPR are thus not only public bodies such as the police, city and regional municipalities and national bodies.
ANPR resulted in some harms against which policies to promote resilience need to be formulated. The case studies found evidence that use of ANPR had in some cases circumvented and breached the rule of law, compromised rights and had raised serious privacy issues. However In Slovakia the situation caused economic and environmental harms. In an effort to avoid the economic losses imposed by road tolls, Slovakian truck drivers had taken to driving on smaller roads and affecting the quality of life for the villages which along those roads. In the ANPR case, with the exception of Germany, where a constitutional court ruling limited the use of ANPR data, very little engagement of the public was evident. This was because there is a lack of consistent regulation and signage, low levels of general media coverage and low engagement of data protection regulators with the practice. In respect of its very significant harms we observed different levels of governance which lagged behind technological capabilities.
2.2) The cases: Credit Scoring
Credit Scoring is a surveillance practice whereby financial services companies who are lending money calculate the creditworthiness of their customers. A customer’s credit score helps to determine whether a loan should be made and the interest rate that is offered. Different financial institutions operate different credit scoring models. Factors such as the amount of credit already accumulated; late payment history; percentage of total credit in use; mortgage account; age of the applicant; employment history; length of time at an address – all this information is determine risk levels and assess the viability of the application. Nevertheless, lenders are keen to stress that lending decisions are not made solely on credit scores, factors such as the type of loan sought, the reason for the loan and the likely profitability of the loan are all influential. If the customer has had prior business relations with the lender, the type and history of that customer relationship is assessed. Lifestyle information, as represented in Experian demographic profiles, may also be used.
The harms associated with credit scoring stem from its role as an administrative tool for financial services organizations. This highlights how this form of surveillance is explicitly part of a management process with little legal regulation and also is subject to administrative errors. However evidence was also uncovered of bank and legal staff abusing their position in relation to this sensitive financial data (in Austria and Hungary). Similarly its location in the commercial sector meant that some unscrupulous organizations exploited credit scores, to facilitate the lending of money to customers who could not afford it and were financially illiterate (UK). Overall this points to a problem with transparency and with the operation of the rule of law in relation to credit scoring (particularly in Italy, Hungary, and Austria).
The distributive justice aspects of credit scoring and its ability to delimit economic prosperity were noted in the UK and Norwegian cases particularly. With the exception of Norway and the UK, there was minimal public engagement and low public awareness of the practice. The first issue to solve is the public’s awareness of and access to their own credit scoring data. While this is widely available in the UK and Norway, this is not the case in Austria, Italy and Hungary. Increasing transparency and accountability of financial institutions in relation to credit scoring data again could be instantiated at European level. Other countries could learn from the best practice Norwegian model, which places DPA at the heart of credit scoring and invests genuine powers in the courts to hear citizens’ complaints about credit scoring practices. Following the credit crunch, demand for credit is now increasing across Europe and institutions should take this opportunity to inform consumers of their rights. Controversies associated with credit scoring appear in all countries involved in the case study, but in some cases the media have been slow to react, resulting in ill informed consumers and unaccountable, intransparent banking policies.
2.3) The cases: Neighbourhood watch
Neighbourhood Watch (hereafter NW) is conceptualised in this project as a ‘horizontal surveillance practice’ where citizens watch each other. In the Anglo-American tradition, Neighbourhood Watch comprises informally organized local neighbourhood groups looking out for all kinds of wrongdoing, in the spirit of community safety to assist the police. However, these kinds of social practice take on a completely different kind of significance in European countries which have had fascist or authoritarian pasts. In this case study we explored the operation of ‘neighbourhood watch-style’ schemes in Austria, Germany, Spain and the United Kingdom.
Core stakeholders in Neighbourhood Watch are all citizens who may be the subject of surveillance by neighbourhood watch ‘schemes’. This includes suspicious persons and citizens who are critical of neighbourhood watch. Similarly citizens’ property is a key target in the schemes. As discussed in the previous section, watchers are very diverse in character. They include neighbourhood watch volunteers who operate within official schemes, as well as police sponsored schemes, formal and informal community groups.
Typically peripheral stakeholders are found at a variety of institutional levels and include those who promote particular local developments and community safety strategies (including National and European institutions), community safety and crime prevention charities, political organizations, mass media who report on neighbourhood and social media which facilitate the sharing of information in schemes, residents associations and trading standards associations concerned with catching ‘rogue’ tradespeople.
A number of harms emerged, some more significant than others. Privacy was a relatively minor issue associated with the schemes’ use of online and social media. The cultural and social significance of surveillance was far more powerful and generated strong sentiment towards NWP as a community safety idea (in Austria, Germany, and Spain). In these cases such horizontal surveillance processes became controversial because as well as creating unpleasant links with the nation’s past, it was feared that such schemes would present opportunities for extremists of all political colours. The presence of NW-like organizations fostered a stigmatisation of particular spaces and tended to victimise those who were perceived as the ‘Other’ in the community. It also challenged policing authorities who, at a community level, tread a fine line between too-little or too-much intervention, leading to a rise in feelings of insecurity if crime appears to be increasing. Neighbourhood Watch is a special case in that, with the exception of the UK, it has developed outside the remit of law enforcement institutions. However the experience of NW in the case study countries is simultaneously an example of community resilience and community breakdown. In an attempt to create community safety its harms stem from frustration with ‘the other’ and insecurities in relation to community policing. The British example, with minimal regulation and a caring focus, shows how NW can succeed without the deep levels of mistrust and unpleasant associations which stem from authoritarian pasts in many continental European societies. The community reaction to Neighbourhood Watch in Austria, Germany and Spain demonstrates how those societies have become resilient to the surveillance they suffered at the hands of authoritarian and fascist governments. Improved relations within communities as well as between communities and police would further strengthen this resilience. Frustrations with a low police presence as a result of funding cuts (among other things) point to how this surveillance practice is intertwined with public resourcing issues. Whilst it is inevitably difficult to prioritise resource deployment in the current public financial climate, it is always important for police to be connected with the communities they serve.
2.4) Summary of Findings of the IRISS case studies
IRISS examined democratic intersections with the different surveillance practices using three concepts: governance, participation and engagement.
Governance: refers to the manner in which the surveillance practice is regulated and the extent to which different parties comply with regulation.
Participation refers to the extent to which the surveillance practice and its outcomes are co-determined by watcher and watched and wider stakeholders.
Engagement refers to the depth of personal interaction with the surveillance practice and the centrality of that interaction to the strategies of organizations and governments.
Within the ANPR case IRISS found variable forms of governance, ranging from top down constitutional governance within Germany to minimal governance in the United Kingdom. Stakeholder participation was very limited apart from Germany where a constitutional court ruling limited the processing of data collected by ANPR cameras. There is also low public engagement with ANPR, partly because regulation has not yet caught up with practice and ANPR cameras do not have to be specially signed. It is difficult to know whether one is subject to ANPR or not. There has been some activist and campaign engagement, however, which has resulted in media coverage in all of the case settings.
Credit scoring had strong centralised governance in all cases, given that the financial services industry is regulated at a European as well as at National level. There was variable involvement of Data Protection Authorities (DPAs), however. In Norway the entire credit scoring system was premised on data protection regulations. In the UK credit scoring data are easily available without reference to the DPA. In other countries there was next to no involvement of DPAs. Stakeholder participation is low, although financial services authorities and credit bureaux readily share information to enhance their risk assessment of customers. In Italy financial information is also shared with government for tax purposes. Finally, in Norway and the UK there is high public engagement with credit scoring but in Austria, Hungary, and Italy there is minimal engagement, with the exception of a few court cases.
Neighbourhood watch itself is in principle a democratic idea, premised, as it is in the Anglo American model at least, on active citizenship around local crime and community safety. However it is also premised on local neighbourhood surveillance and in post-authoritarian and post-fascist contexts touches upon historical taboos. Hence, there is low governance, participation and engagement in the three post-authoritarian contexts – Austria, Germany and Spain – we examined.
Credit Scoring, by contrast, is a commercial practice and many of its internal parameters are the subject of commercial confidentiality. Financial services organizations have their own strategies in terms of the customers targeted and risks are managed in relation to those customers. Revealing those to external stakeholders would be regarded as commercially unwise. Credit bureaux, which trade on the analysis of consumer financial data would have similar views. However, given the harms we have uncovered surrounding malpractice and the abuses of power surrounding credit scoring, financial services organizations would need to be given an opportunity to respond as well as this sector would clearer regulatory guidelines associated with credit scoring practices. Greater regulatory powers to control financial institutions in the case of malpractice could improve the situation. Customers should be pro-actively informed about their rights in this domain. Finally, participation in neighbourhood watch is very low apart from in the UK because of the taboos associations NW encounter in post-authoritarian or post-fascist countries.
The main issue with Credit scoring is public awareness of and access to their own credit scoring data. UK and Norway can be seen as good practice cases here. Increasing transparency and accountability of financial institutions in relation to credit scoring data should be instantiated at European level.
When looking at the reaction to Neighbourhood Watch in Austria, Germany and Spain it shoud be emphasized that cultural resistance to this approach can be interpreted as a resilient to surveillance these societies suffered at the hands of authoritarian and fascist governments.
2.5) Conclusions and Recommendations based on the IRISS case studies
The IRISS case studies have highlighted four dimensions of resilience in relation to surveillance. These four dimensions were derived from the position that surveillance is deployed to counteract harm, threat and risk, but that it simultaneously has harmful, risky or threatening consequences.
Surveillance as a strategy to counter risk produces two types of resilience:
Resilience to and reduction of harm through increased safety and security: When surveillance counters risk or threat in an effective way, increased safety, security and economic prosperity are experienced. The means of surveillance renders society more resilient to threats to security, safety and economic threats.
Resilience to surveillance by understanding its benefits: If surveillance is commonly understood as an effective means of counteracting threat, then it becomes normalised and accepted more readily. Its harms are perhaps more readily accepted and are seen as being outweighed by its benefits.
Surveillance as producing risks, threats and harms:
Resilience and the chilling effect: When surveillance produces harm, chilling effects have also been observed as rights are denied and civic engagement declines. The chilling effect represents a homogenisation and/or stagnation of social, economic and democratic processes, as society puts its ‘head in the sand’, preferring to ignore what is going on. It is a very unproductive type of reaction to surveillance.
Resilience through increased awareness of surveillance and privacy and the development of critique: If different sections of society engage with the harms produced by surveillance, resilience to its harms emerges in critical discourse against such surveillance practices and increased resistance to them. This also includes the discourse on consumer protection, data protection and constitutional law.
These four dimensions of resilience were constructed on the assumption that core stakeholders – watcher and watched (in particular) – would have prior knowledge that they were engaged in a surveillant relationship and knew the terms of that engagement. When the cases were assessed, however, this position was not a consistent one. Given low levels of engagement, it is difficult to suggest that effective democratic mechanisms are in place, at European and at country level, which could mitigate the harmful effects of surveillance in a resilient way. The central finding of this work package is therefore that in order to increase resilience to the harms of surveillance across each case study, increased engagement with the nature and impact of those harms is needed on the part of both watchers and watched. Engagement may be achieved through enhanced media coverage, strengthened freedom of information and subject access procedures, better public (ANPR) and customer (Credit scoring) information and subsequently regulatory powers and scrutiny of the institutions concerned should be increased.
Overall the intersection between surveillance and democracy across the three case studies we have examined is varied. Patterns have emerged which are associated with historical, legal, political, social and institutional factors. At the dawn of the age of Big Data and as social life becomes constituted and reconstituted by layer upon layer of information infrastructures, the local and everyday contexts of our lives become readable and transparent to power. Citizens are transformed into machine-readable techno-social hybrids. To a greater degree than ever before, surveillance processes intersect with and constitute the way in which we get things done. As consumption, communication, security and even democracy is done in this way – we need to question how transparency and accountability re-organize themselves as the traditional and institutional ways in which democratic power becomes enacted become less relevant. Perhaps political activity outside the conventional venues of power – one which focuses on the everyday life of what has been termed “sub-politics” by the late Ulrich Beck, on active local citizenship reflecting the mundane aspects of life would provide fertile ground for alternatives to emerge.
3) Living in a surveillance society
The empirical research in IRISS was designed to investigate the surveillance society as a mundane phenomenon, moulding the everyday life of European citizens. IRISS highlighted how lay citizens perceive surveillance and react to the fact of being more or less constantly exposed to different types of surveillance measures. Surveillance and resilience – two of the key concepts of the IRISS project - cannot be considered household words for the layperson. There exists an elaborate academic discourse about these two concepts, but they are not common coinage in everyday language. Although the revelations of Edward Snowden have received ample response in public media discourse, the complex technical, legal, and political ramifications of programs like PRISM are far beyond the grasp of non-experts. Thus for IRISS it was important to understand the effects of modern technologies and the surveillance capabilities they entail on ground level in everyday life.
Everyday life exposure to surveillance has been investigated through a qualitative in-depth approach which has, as its core, stories or events as primary units of analysis. The underlying assumption of IRISS was that surveillance is an endemic feature of contemporary societies and technology increasingly mediates and shapes everyday life activities. Privacy is not a “default state” but instead it has to be actively created by individuals. In IRISS, stories about citizens’ understanding of surveillance were collected with a specific focus on how surveillance is embedded in social processes and how people comply and/or negotiate with it.
1,000 stories were collected about everyday encounters with technology in five European countries (Austria, Germany, Italy, Slovakia and the UK) through 300 interviews. Additionally, 10 focus groups were carried out in order to deepen the understanding on socio-cultural differences towards surveillance.
The myriad ways in which citizens shop, feel more or less secure, share information on social networks, are “watched” in the workplace and actively engage in security practices are telling on how they “do” privacy in surveillance societies. The core of the analysis is in the fact that the variety of situations that citizens deal with, comply to, negotiate with and/or resist to, demonstrate the pervasiveness of technology and control.
As mentioned above, concepts like “surveillance”, “privacy”, or “resilience” are not common coinage for most of the European citizens most of the time. Except for situations where problems of surveillance score high on the political and media agenda, such as in recent times, triggered by the revelations of Edward Snowden on the practices of the NSA and CIA, surveillance, privacy, security, and resilience are not topical in managing everyday life for the average lay person. Of course attitudes of citizens towards surveillance and resilience can be investigated, when confronting them with explicit questions, e.g. when conducting a survey on privacy and security. But obtaining a response upon reflection of a question and considering problems of surveillance and resilience on a daily basis and spontaneously are two different things.
What IRISS has shown is, that individuals integrate surveillance related technologies (from mobile phones to swipe cards documenting their office hours) in many different and often creative ways into their everyday lives. Daily routines are built around the uses of these technologies, they are perceived as means to facilitate daily business, open new opportunities, create new ways to communicate and socialize. The majority of the respondents had a positive attitude towards technologies, ignoring their potential for intrusion of privacy and surveillance. Respondents showed an awareness of the changes in their lives caused by new technologies, but typically perceived of these changes as positive. Only a small fraction declared themselves as critical or reluctant technology users from the very beginning or reported about precautionary measures (like e.g. changing the default privacy settings in social media or using encryption).
The narratives on surveillance have been structured in four main dilemmas or trade-offs which provide the analytical framework of the analysis:
3.1) Privacy and Convenience: Citizens as consumers
3.2) Privacy and Security: Citizens and their views on security in Europe
3.3.) Privacy and Sociality: Citizens and the use of social media
3.4) Privacy and Trust-Fairness: Citizens at their workplace
3.1) Privacy and Convenience: Citizens as consumers
While almost all forms of shopping and consumption could have been performed anonymously in pre-Internet times, this is no longer possible. One reason lies in the changing methods of payment and the problem of establishing trust in commercial relationships without cash transactions. Paying cash over the counter allows for highly anonymous transactions. By paying with cheques, credit cards or advanced forms of electronic payment like PayPal consumers have to identify themselves and hence leave data traces; by shopping via Internet they provide additional relevant marketing information about what they buy, when and where they shop and what they look at before and after buying. This may yield various data concerning, for instance geo locational information, personal preferences, medical conditions, personal relations and so forth. Using these data, profiles could be constructed in order to derive e.g. credit ratings from shopping patterns or postcode information.
What can be observed here is a paradox of anonymity. Being involved in a commercial transaction with your local shopkeeper may create a social relation, in which anonymity ceases to be an issue, and relations will be re-configured and once anonymous customers will be rendered loyal customers, of whom the shop owner is well informed regarding preferences and so forth. This is represented in the iconic figure of the grocer at the corner-shop acting as a communication hub for the neighbourhood. In this setting an individual as a customer is known to his/her local community, but anonymous outside this environment. The same person shopping in an inner-city department store would enter into another setting, one in which anonymity prevails. Businesses in such a setting do not know their customers personally. They neither know their names, nor preferences. Anonymity is the default setting, and at the same time, a problem for the business striving to extend their base of loyal customers in terms of advertising, offers and service.
Throughout the citizens statements on privacy, data, the uses of data in everyday life, the personal encounters with data collection and the respective assessments were often embedded in a narrative of „managing“ data and privacy (thus hinting at a concept of „doing privacy“) in everyday life. This narrative of what could be termed „privacy management“ or “privacy labour” occurs in various contexts and to various degrees throughout many interviews, as do statements referring to data protection and privacy issues. As data and privacy issues become relevant in more mundane, everyday activities, the “Digital” appears to be an inseparable part of everyday life. Accordingly, managing privacy and personal data implies the existence of routines and socio-cultural „scripts“ that are followed to cope with the many requirements and demands of a digital information society in everyday life. The pervasiveness of the Internet in all its forms is apparent and has long become a part of everyday life and practices - socially, culturally and economically. To frame this under the term surveillance may thus be misleading as many of those measures and strategies are not driven by a desire to control the citizen in the sense of an authoritarian state, but to make money – hence knowing and managing the customer is paramount here. But as much of these strategies appear in the everyday contexts of Europeans, the perceptions of these strategies and the attitudes towards the data collection behind them may be framed differently than in terms of surveillance and control.
3.2) Privacy and Security: Citizens and their views on security in Europe
Security at the level of citizens is primarily discussed as perceived security. Over the last decades the concept of perceived security or subjective security has attracted attention in academic and policy discourse. There are a number of reasons for this replacement of security with perceived security. First of all the figures of registered crime, crime being the dominant source of insecurity for a long time, are not representative of the development of criminal behaviour. They primarily reflect activities of law enforcement agencies, i.e. more police creates more (registered) crime, more reports of incidents by citizens to the police lead to higher crime figures. Secondly, as criminological research on victimization and fear of crime has demonstrated, levels of perceived insecurity do not mirror objective victimisation risk: persons with statistically low probability of victimization often display high levels of fear or insecurity and vice versa. As fear of crime studies have repeatedly demonstrated, levels of fear of crime reflect other, broader existential insecurities. Law enforcement agencies thus have begun to focus on feelings of insecurity as public sentiment, while at the time acknowledging the limitations of combatting or reducing crime in the literal sense.
IRISS explored the dilemma between privacy and security by focusing on technology. In particular, we drew attention both to a specific surveillance tool (CCTV) and to views on security and crime prevention. In general fear of crime plays an important role in this context. We investigated several dimensions, one of them being the difference between the watchers and the watched and how the latter perceive control through technology. As we showed, several ambiguities seem to arise pertaining to citizens’ attitudes towards surveillance technologies. More often than not, citizens do not have clear-cut views, however, there are a few recurring themes which are worth considering.
The dilemma between security and privacy is presented as irrelevant if the respondents have a good reason to believe that security tools “work”. Moreover, the general belief is that more surveillance is more likely to increase security. Despite the differences between reality and perceptions, it is worth noting that the latter affects feelings of security and can therefore also play a role in changing the attitudes of citizens who perceive themselves as “insecure” or “at risk”. However, what seemed to emerge are doubts about the effectiveness of technology along with questions on the overall approach to security. For instance, the delegation of security to technology was emphasized by many respondents as well as the false sense of security provided by surveillance tools. The effectiveness of technology is connected rather more with fighting crime, then with crime prevention. Our interviewees highlighted the importance of personal and/or social responsibilities in order to feel safe and to live in a safe environment.
Privacy is at stake when citizens report personal feelings of being “stalked” or “watched”. Surveillance is not always taken for granted, especially in the urban context. Although the “surveillant gaze” is not always accepted, the inevitability of surveillance permeates everyday life. Nonetheless, there are options for resilience, namely avoiding places where there are a certain number of cameras, for instance, or trying to be “less visible”, that is behaving normally when “spied upon”. However, the notion of resilience appears complex and multi-faceted. Like surveillance, resilience has two faces: one draws attention to options to avoid control, the other is the opposite as resilience can also be surveillance. In other words, resilience as surveillance emerges when the feeling of insecurity is prevalent.
Another important insight is the high level of awareness of surveillance technologies. Citizens we interviewed are familiar with the surveillance society they live in and daily encounters with technology do not go unnoticed. Yet, it is difficult to determine whether awareness relates only to the visibility of security tools or also pertains to a deeper understanding of the consequences of surveillance. Nevertheless, especially when considering new high-tech surveillance mechanisms such as drones or biometrics, “the nothing to fear, nothing to hide” approach is not prevalent and respondents implicitly recognize the need for regulation.
To conclude, citizens only rarely use the language of rights violations when it comes to thinking about surveillance in the context of security. Even though the “gaze” can be uncomfortable and – as we showed – might affect behaviour, acceptance towards surveillance in the general public is quite high
3.3.) Privacy and Sociality: Citizens and the use of social media
Much of the power of social media can be understood through the changing elements of the Internet. Being ‘on’ and having instant and 24/7 access to news, blogs and ‘feeds’ has irredeemably altered the communication landscape. To the forefront has been the use of smart phones or devices, where access to the Internet is available remotely and widely throughout most European countries. Indeed, the use of mobile Internet use has seen a substantial jump in the level of usage, 36% of Europeans in 2012 accessed the Internet daily via a mobile device (smart phone, tablet or PDA (personal digital assistant), whereas in 2011 14% of Europeans did.
There is clearly not the use of social media, but rather many different usages, usage patterns, shapes, and forms. It was ostentatious, that distinctions in social media practice were not only mentioned as side notes, but most often explicitly captured, focused on and even scrutinized. Highly specialized and customized forms of usages of the social web determined the greater picture given in the interviews. Social media (notably Facebook as the manifest and dominant example) do serve as a platform and a tool for sheer endless variations of self-expression – and sometimes self-degradation – information gathering, information spreading, up keeping as well as creation of relations and relationships, networking, and also controversy all the way to hate speech – and, as a matter of fact, surveillance.
Indeed, a negative reading of ‘The Web’ in a rather dystopian way – either to a certain extent recalling Horkheimer’s and Adorno’s criticism of the mass media and/or suspecting irrevocable separations of the individual based on disintegrative technologies – was given by some respondents. The perception of a web-mediated world of allegedly highly individualised users taking selfies and spreading pictures of their daily meals all over the web is surely one side of the coin. Although excessive self-expression is undoubtedly a very real part of the social web and was sometimes met with incomprehension by interviewees (especially those, that were not ‘heavy users’ or ‘digital natives’ but rather interested ‘digital immigrants’), it wasn’t, after all, an assertive topic in the quotes. The dominant discourse was clearly a positive attitude toward the social web and all its possibilities.
The nature of social media is primarily a social tool in which friendship can be expanded and information and communications exchanged. This as we have mentioned can appeal to certain personality traits. Nevertheless, things can go wrong with social media and most pressing here is when defamatory or embarrassing material is circulated and the adverse outcomes of the exposure re felt by users. The control of this information is given some safeguard due to privacy labour, but even here controls are easily circumvented and indeed are easily lost – particularly if an ‘accepted’ friend has open privacy. Working to maintain privacy and working to avoid the consequence of information that has been posted is important. Again, drawing on the European Court ruling, the erasure of information is being taken seriously and the tentative reassurances provided by privacy settings are being superseded by stronger regulations. Needless to say as with privacy settings, getting around these controls is not difficult, for instance removing a court conviction from a search engine will not remove it from court records or even from newspaper records. However, it does stress that privacy labour in terms of online material may prove in the future to be more robust. Social media is a popular tool with undoubted social qualities, however at times it also needs to be treated carefully, particularly when used in carelessly.
3.4) Privacy and Trust-Fairness: Citizens at their workplace
While the relation between employer and employee is first and foremost of an economic nature, to be analysed in terms of wages and profits, capital and labour force, each workplace situation also entails an element of social interaction. The social relations in a workplace setting reproduce the economic relations of domination and submission, even if in many present-day work environments concepts like creativity, motivation, and personal satisfaction are invoked to describe the situation of the work force. In modern Western societies the model of the shop floor and the assembly line of industrial mass-production no longer provide the paradigmatic workplace scenario. The rise of the service economy, the integration of modern ICT in production processes, an increase in symbolic production and design work, the international division of labour and the flexibility, volatility and fluidity of work, blurring the boundaries between private- and work life are just a few key words to account for the dramatic changes in the everyday situation of the working population. What used to be a tangible and collective experience of exploitation in industrial capitalism has been transformed for a substantial segment of the work force into an abstract, often remotely controlled and intangible regime of self-motivated performance in a flexible work environment. Surveillance at the workplace can take on different forms depending on the kind of setting. From the perspective of the actors involved there are different ways of integrating new technologies with high surveillance potential into their everyday work life. One option is to develop a moral perspective, justifying surveillance practices as an adequate means to identify wrongdoers, to develop an adequate system of rewards and to improve health and safety of the workforce. Understandably this narrative is used mostly in stories told from the perspective of the “watchers”, i.e. management. A moralistic approach to surveillance can go either way, supporting and justifying the use of technology or criticising and condemning it. A key concept in either case is trust. If trust prevails, there is no need for surveillance; if surveillance is introduced this erodes trust.
Having to work in an environment under surveillance produces a number of practical and discursive strategies of normalization. Employees are aware of the fact of being surveilled in sometimes rather complex ways, but they learn to find ways to either work around the surveillance regime or to adapt their routine practices. What can be clearly seen is how the introduction of new ICT in work processes changes the situation of employees dramatically and how new rules and regulations, formal and informal have to be negotiated and implemented. Those who grew up with new social media have acquired the skills to adapt their behaviour when using e.g. Facebook. They are aware of the pitfalls of documenting their private life online.
What could be shown in the stories about workplace surveillance is the wide array of technologies and strategies deployed here. From crude and simple CCTV cameras installed on the premises to highly sophisticated multi-channel and multi-sensor systems tracking every move across multiple sites and assessing performance using several indicators.
The changing structure of the workplace and working environment in recent times has been accompanied by greater flexibility in how, when and from where employees conduct their employers’ business. Greater flexibility has been encouraged by employers through facilitating flexible workspaces, home working, provision of laptop computers, smartphones and other technologies to allow businesses to respond to the 24/7 demands of the modern working world. However, accompanying this more flexible approach by employers, and apparent weakening of previous monitoring controls, which they might have used to ensure that employees were performing to required standards, there has been an increase in the availability of surveillance technologies, which can and are being used in the workplace. Many examples of the different types of workplace surveillance technologies being used are provided in the stories, including the most direct: body-worn CCTV. Some evidence of the resilience of employees is provided, through resistance to the practices of management, or indulging in deviant behaviours. Coupled with the increase in flexible working has been a massive rise in the use of communications technologies, including the Internet and social media, all of which are being used in both professional and private settings. This has resulted in what has been described as a ‘blurring’ of the boundaries between the private and the professional, which then invites an ethical debate around these issues. Many governments have produced legislation covering data protection and data processing, and most have appointed regulators to manage the inevitable interpretations and sometimes conflicts which arise, although in reality the legislation can never be expected to keep up with the speed of technological change. In the workplace, many responsible employers have produced codes of conduct for employees around use of the Internet and use of employer’s hardware and software when not on working time, and provided definitions of what is acceptable and unacceptable use. Above all, a fair degree of common sense is required from any employee engaging in what might be regarded as ‘personal’ activities while on ‘work time.’
Call centres are popular with governments and development agencies due to the labour intensive nature of their staffing requirements, and impact which they can have on unemployment levels, however as can be seen from the interviews and the literature, they also create environments which are target driven and feature what some might regard as ubiquitous and oppressive forms of surveillance monitoring. Due to the ubiquity and non-discriminating nature of the surveillance technology within call centres, this is claimed to have mediated the behaviour and attitudes of some employees (and supervisors) in harbouring resentment against some team members who perhaps do not meet the required standards, and in effect some managers may look at the statistics and not the underlying (and personal) reasons which might lie behind the output or performance.
Turning to ‘Google-veillance’ and the use of social media in a recruitment setting, there are many examples provided from the interviews of employers monitoring the activities of employees, and as an aid to informing their recruitment decisions for prospective employees. There emerges a feeling of inevitability about the continuing growth in use of social media in this context, and to that extent, it could be regarded as having almost become ‘normalised’. Personal prejudices are also evident when using this medium. Reputational management is a key driver for many employers in justifying the use of social media or checking work E-mails to view what their employees have been saying. It is important therefore for employees not to be irresponsible and to write (publically accessible) disparaging remarks about their employer, their team leader or colleagues.
Regarding national trends in workplace surveillance within the countries where the interviews took place, i.e. Austria, Germany, Italy, Slovakia and the UK, it is difficult to draw firm comparisons, however it is clear that they all have a regulatory system at the national level for data protection and processing; they all respect the rights of personal privacy, and there is a role for some form of representation of employees through trade unions or works councils etc. when discussing surveillance technologies in the workplace.
Regarding trust, it is the single-most important building block upon which future relationships, reciprocity, and mutual respect can be developed and strengthened. Time and again from the interviews, we were provided with examples of the breakdown of trust caused by management, most often simply because they used the data or images which the surveillance technology provided them with, which of course was too tempting (in their eyes) to turn down.
Often, the data and images were used for purposes other than those originally agreed upon, resulting in the breakdown in relationships, and sometimes increased resilience and resistance by employees to their employer.
In the final analysis it seems that there are no serious options for an active strategy of resistance against the rise of surveillance in the workplace. The only option is either to quit the job (only to probably find a new position where a similar regime of surveillance prevails) or to develop informal counter strategies to neutralize the surveillance practice to some extent. Since ICT is on the rise in most workplaces settings, be they industrial or service, it can be assumed that surveillance of work environments will become more intense across all areas and workers will continue to develop – wherever feasible, morally justifiable and practically possible – their counter strategies to work these systems in their favour
4) A stress test on the right to access data
Third, the research in IRISS found that the spirit of the European Data Protection Directive has frequently been undermined as it has been transposed into national legal frameworks, and then further undermined by the evolving national case law. Therefore IRISS has conducted subject access requests in several European countries to examine how citizens in their role as data subjects, encounter a wide range of legitimate but not always convincing and straightforward restrictions in their attempts to exercise their rights. These legal restrictions were further undermined by illegitimate actions enacted through a series of discourses of denial practiced by data controllers or their representatives.
In the context of surveillance and democracy, the principles of consent, subject access and accountability are at the heart of the relationship between the citizen and the information gatherers. The individual data subjects have the right to at least know, what kind of data is collected about them and by whom, how it is being processed and to whom it is disclosed. Furthermore, they have rights to inspect the data, to ensure that it is accurate and to complain if they so wish to an independent supervisory authority who can intervene on their behalf.
The second of these three principles, one’s right of access to personal data, is a central feature of European Data Protection Regulatory Framework and in particular of the European Data Protection Directive 95/46/EC. It is, arguably, the most important of the so called ARCO data protection rights (access, rectification, cancellation, opposition) because, if one cannot discover what is held about oneself, it is not possible to exercise the remainder of these rights.
Our research found, however, that the spirit of the European Data Protection Directive has frequently been undermined as it has been transposed into national legal frameworks, and then further undermined by the evolving national case law. Citizens, in their role of data subjects, encounter a wide range of legitimate but not always convincing and straightforward restrictions in their attempts to exercise their rights. These legal restrictions are further undermined by illegitimate actions enacted through a series of discourses of denial practiced by data controllers or their representatives.
The research was conducted in three parts. The first part involved a comparative analysis of European and national legal frameworks in the areas of data protection and, specifically, subject access rights. The second part saw researchers undertake empirical work in attempts to locate data controllers, their contact information and key content regarding data protection and subject access rights. The third part continued this empirical work and tasked researchers with submitting subject access requests, in relation to their own personal data, to a range of data controllers to assess this process as well as the responses received from these organisations.
4.1) Findings of IRISS on subject access rights
Data subjects are inherently disadvantaged before they can even begin the process of submitting a subject access request. This is in part because the implementation of the EU Data Protection Directive 95/46/EC has been uneven across EU Member States and, together with the development of case law, many European countries have interpreted key provisions of the European law in a narrow way.
As a consequence, European citizens living in different countries are subject to very different regimes in relation to:
legally defined response time obligations on data controllers;
requirements upon data controllers to appoint Data Protection Officers;
the costs of making a subject access request;
the complaints and redress mechanisms available to data subjects with their national Data Protection Authorities.
This means that, not only are there considerable differences at the European level, but that an access request emanating from one country, but submitted to another, may be subject to completely different procedures. This inconsistency is particularly true of provisions in relation to the concept of ‘motivated requests’ in the area of CCTV, (Belgium and Luxembourg) which demand that data subjects legitimise their requests with a justified reason accompanying the submission of the request itself. In such cases, it seems that exercising one’s right as set out in the European Data Directive, is not a justified reason in and for itself, and often leaves the data subject at the mercy of the data controller's discretion to determine what constitutes a legitimate reason.
4.2) Who is the data controller
The right of access is exercised by submitting an access request to a given data controller but, before this can begin, one must locate the data controller. This phase of the empirical work was conducted as follows:
The research was conducted across 10 European countries (Austria, Belgium, Germany, Hungary, Italy, Luxemburg, Norway, Slovakia, Spain and the UK) and examined 327 individual sites in which one’s personal data was routinely collected and stored.
The research sites were chosen based on a consideration of the socio-economic domains in which citizens encounter surveillance on a systematic basis. These domains were health, transport, employment, education, finance, leisure, communication, consumerism, civic engagement, security and criminal justice.
Researchers attempted to locate data controllers and their contact details in a variety of ways including by telephoning them, by attending sites in person and by accessing organisations’ online content.
The research sought to determine the ease and/or difficulty of locating data controllers, given the centrality of this process as the natural pre-condition of citizens being able to exercise informational self-determination.
The research found that, in a significant minority (20%) of cases, it was simply not possible to locate a data controller. This immediately restricts citizens’ ability to exercise their right of access because insufficient information is given regarding to whom one should send access requests. Where data controllers could be located, the quality of information concerning the process of making an access request varies enormously from country to country and in different sectors, both public and private. In the best cases, information was thorough and followed legislative guidelines closely, providing citizens with an unambiguous pathway to exercise their right of access. In the worst cases information was very basic, often failing to explain how to make an access request or indeed what an access request actually is. Information was often confusing and incomplete, consequently obliging the citizen to pro-actively seek out clarification before being in a position to submit a request.
The most reliable, efficient and frequently used way of locating data controllers turned out to be on-line. In nearly two thirds (63%) of all cases on-line searching provided the relevant contact details, and this was achieved in less than five minutes over half (61%) of the time.
Attempts to locate data controllers using alternative methods generally did not fare well. In the majority of cases, when contacting organisations by telephone, members of staff lacked knowledge and expertise concerning subject access requests. As a result, answers were often incorrect, confusing and contradictory to their own organisations’ stated policies.
When it was possible to locate the data controller via telephone, this took over 6 minutes, sometimes on premium rate lines, in over half (54%) of all cases. And even then, the quality of information provided via telephone was rated as ‘good’ in only 34% of cases.
In the case of CCTV, where we attended the sites in person:
nearly 1 in 5 sites (18%) did not display any CCTV signage;
where signage was present, in over four out of ten cases (43%) it was rated as being ‘poor’ in terms of its visibility and content;
only one third (32.5%) of CCTV signage identified the CCTV system operator or the data controller.
By failing to display appropriate signage at CCTV sites, one fifth of organisations effectively employed ‘illegal’ practices. The expertise of members of staff when approached in person was often lacking and they frequently reacted to queries with suspicion and scepticism, questioning why one would wish to access their personal data. Thus, even where researchers were merely trying to find the contact details of the data controller, they were forced to justify why they sought to exercise their democratic rights, and even then they were frequently denied.
4.3) Submitting access request
When it is possible to locate the data controller, the process of then submitting an access request can be problematic with data controllers employing a range of discourses of denial which restrict or completely deny data subjects the right to exercise their informational rights.
Subject access requests were sent from 10 European countries to 184 individual organisations sampled from the first part of the empirical phase of the research.
This sample set included both public and private sector organisations as well as a number of key multinational organisations which routinely collect large amounts of data.
The requests were made for a range of data including information held on paper and digital records as well as CCTV footage.
Requests made three key demands of data controllers: disclosure of personal data; disclosure of third parties with whom data had been shared and disclosure of whether (and if so how) data had been subject to automated decision making processes.
The research found that obtaining a satisfactory response concerning all aspects of the requests was relatively rare.
Four out of ten requests (43%) did not result in personal data being disclosed or data subjects receiving a legitimate reason for the failure to disclose their personal data.
In over half of all cases (56%), no adequate or legally compliant response was received concerning third party data sharing.
In over two-thirds of cases (71%) automated decision making processes were either not addressed or not addressed in a legally compliant manner.
Even taking account of those cases in which successful outcomes were achieved, the process of submitting an access request was often fraught, confusing and time-consuming.
Holding/acknowledgement letters were received in only a third (34%) of cases, which meant that data subjects had no idea as to whether the requests were being dealt with or simply ignored.
Even where data subjects received their personal data, in some instances the disclosure of this data was incomplete and additional data was still outstanding. This occurred in one third of cases (31%) and required researchers to pursue data controllers for more information, as the first disclosure was incomplete.
There were noted variations in how different types of organisations responded to requests. In general, public sector organisations performed less badly than those in the private sector, with only 43% engaging in restrictive practices compared with 62% in the private sector. Requests for CCTV footage were particularly problematic, with seven out of ten requests for CCTV footage being met by restrictive practices from data controllers or their representatives. While loyalty card scheme operators were generally facilitative in disclosing personal data (86% of cases), they did not perform as strongly in providing information about automated decision making processes (only 50% of cases). Meanwhile, requests made to banks did not yield much information about third party data sharing (only 30% of responses disclosed this).
In assessing both the process of submitting access requests as well as the content of the responses received from data controllers, the research found a range of restrictive practices employed.
Data controllers frequently render themselves ‘invisible’ to data subjects using a variety of practices, ranging from the absence of CCTV signage identifying who is operating the cameras to flatly refusing to respond to access requests at all. In 12 cases, requests were met with complete silence. In a further 17 cases, although preliminary communications were entered into, any subsequent correspondence elicited no response. In total, therefore, in the end, one in six (15%) of all cases were met with silence.
Many organisations did not have clear and formal administrative procedures in place to receive and respond to subject access requests. These bureaucratic failures led to considerable delays and confusion for data subjects in the way that their requests were processed. This included the inability (or unwillingness) of data controllers to respond to requests in any language other than English despite receiving requests in other languages.
Data controllers often responded to requests only after long and excessive delays. This at times had a direct impact on the availability of the data requested (e.g.: the deletion of CCTV footage). It also meant that data controllers were in breach of their legal obligations to respond to requests within nationally specified time frames.
Some data controllers, particularly multinational corporations, offered only fixed and pre-determined mechanisms for data subjects to submit requests. These mechanisms did not allow for specific queries to be addressed and took an extremely narrow and, in the context of European law, invalid interpretation of what type of data citizens are entitled to request.
In many cases, data controllers refused to fulfil requests by invoking legal provisions incorrectly. This belied a lack of knowledge and expertise on behalf of data controllers and their representatives because data subjects were erroneously advised that they had no legal entitlement to exercise their rights.
Achieving a successful outcome when submitting an access request is possible and we came across a significant minority of cases, for instance in Germany and the UK, where requests were dealt with courtesy, diligence and efficiency. However, the burden of achieving a successful outcome lies heavily with the data subject and many organisations in this research did little to lift this burden away from the citizen: members of staff repeatedly reacted with surprise and puzzlement to our requests, explaining that they had never before received such queries. A vicious circle therefore emerges, where organisations fail to inform citizens of their rights or how to exercise them. As a result, for those citizens who have little or no prior knowledge about privacy and data protection issues, the right of access is either unknown, denied or inaccessible. Then due to the lack of subject access related queries received from the public, organisations fail to inform/train their staff in matters of privacy and data protection, and have little motivation to do so.
The empirical results of the research demonstrated significant disparities in the ways requests were processed from one country to another. The research shows that this is partly due to the willingness of Data Protection Authorities in some countries to support citizens when they exercise their informational rights. This, coupled with the absence of the need for data subjects to provide a justified motivation for their requests, meant that submitting such requests was generally a smooth process in these countries. In contrast, in Italy and Spain, the researchers encountered a plethora of restrictive practices ranging from the identification of data controllers, the ways in which their requests were processed and the difficulty of submitting complaints to DPAs when disputes arose.
The myriad of restrictive practices evidenced in this research means that data subjects have to work extremely hard to exercise their rights. They must show persistence, confidence and resilience in the face of a series of discourses of denial during which their access requests may be regarded as illegitimate, severely delayed or simply ignored altogether. And even then, they are only likely to have successfully exercised their rights fifty-percent of the time.
4.4) Policy Implications & Recommendations
The research revealed an endemic lack of awareness of informational rights and specifically access rights amongst both data subjects and data controllers. This vacuum in expertise suggests that Data Protection Authorities may have a crucial role to play in providing additional promotion of informational rights. Moreover, Data Protection Authorities play a central role as the natural recourse in cases of poor practices on behalf of data controllers. However, the research findings showed that in some cases, DPAs’ resources (or lack thereof) are such that they are unable to process complaints in a satisfactory manner and this can therefore become a lengthy process. As a result, we propose the following:
DPAs should prioritise the promotion of informational rights to citizens and give some consideration to how training/awareness-raising could be delivered.
DPAs should provide standard model templates for data subjects to use in order to submit an access request.
DPAs should, in conjunction relevant stake holders such as consumer rights and labour orgnisations, promote the development and acceptance of standard templates in specific sectorial contexts.
DPAs should provide detailed guidance to data controllers in how to respond to access requests including examples of best practice and give some consideration to how specific training could be delivered.
DPAs should also provide detailed guidance to data subject on how to exercise their rights.
DPAs should ensure that a clear, unambiguous and affordable complaints procedure is always available to data subjects in case of data breaches.
DPAs should have the power of audit and inspection as this would go some way to redress the asymmetry of power experienced between data subjects and data controllers.
DPAs should proactively audit public and private sector orgnaisations web sites and other channels of communication to see whether all relevant information is available to citizens to make a sucessful access request.
4.5) Policy recommendations in light of the European data protection reform
The policy implications and recommendations resulting from our research findings are made on the basis of the existing European and national legislation. The EU is currently in the process of reforming Directive 95/46/C and some comments can be made here in light of our research findings which address the substance of the proposed reforms.
First, our research has found considerable variation in how subject access rights are enacted in different Member States. The use of regulation rather than a directive would lead to greater consistency between different countries.
Second, the research demonstrated that the presence of DPOs facilitated the access request procedure for the data subject. Any proposal which seeks to diminish organisations’ responsibilities to appoint DPOs will need to consider the detrimental effect that this may have on citizens’ abilities to exercise their rights.
Third, our research illustrated that privacy policies often lacked the requisite depth of detail to enable data subjects to manage their data in a meaningful way. If citizens are to be empowered to exercise their rights, organisations must clearly describe their subject access procedures and policies and provide explicit protocols to submit an access request.
Fourth, the research found that data controllers were generally reluctant to disclose any information about their data sharing protocols and even when pushed, only revealed generic lists of those they shared personal data with. While this is in accordance with the current legislation, it is quite clearly inadequate as data subjects are completely unable to know with whom data is actually shared and how it is then used and continues to be processed.
Fifth, our research showed the almost complete inability of data controllers to address when and how automated decision making processes were used. As such, proposals demanding data controllers properly address issues of automated decision making and profiling should help to alleviate this problem.
Sixth, our research showed that the obligation to justify and motivate requests acted as an unwarranted restriction on data subjects’ ability to exercise their rights. This should be explicitly addressed in the proposed reforms.
Finally, as our research has clearly illustrated, in the case of transnational corporations, there is a lack of clarity as to which national legislation they are subject to and whether they are subject to European legislation at all. This would appear to be an area that legislators need to urgently address.
5) Final conclusion: Increasing resilience in surveillance societies.
The IRISS project has defined resilience as the ability of people (individuals and groups) and organisations to adapt to and/or resist surveillance, while recognising that some forms of surveillance may be acceptable or tolerable, and others pose a serious challenge to our fundamental rights. Examination of resilience in different domains has shown that the term resilience is often widely used and defined in different ways, and that its conceptualisations often share similarities despite significant conceptual differences. Some of these conceptualisations have proved usefulin the context of this project. The domains analysis revealed a number of insights about resilience. Resilience is multifaceted; sometimes it has an opportunistic aspect. It has a temporal as well as a spatial aspect. It involves communications between stakeholders. It calls for solidarity. Its core elements include: anticipation of vulnerabilities, threats, attacks, crises; preparedness; prevention, detection and response; mitigation; recovery and the sharing of responsibility and co-operation among stakeholders. Resilience also suggests a coherent set of objectives and measures aimed at achieving them in the face of typical human and natural threats to national security and community disruption. The key learning from the domains analysis was that the framing of resilience measures often benefits from lessons learned from prior events with the aim of mitigating future adverse events. However, resilience measures do not always anticipate very well their own sometimes negative and counterproductive consequences.
Resilience in the context of surveillance is different from resilience in the instance of the capacity of an infrastructure or of a community disrupted by an earthquake, tsunami or a financial calamity. Although it may come as a shock or a revelation to some people when they realise how extensive and pervasive surveillance has become, much of the surveillance today can be regarded as an on-going stress on society, rather than a shock. Hence, resilience in a surveillance society has more to do with coping than with recovering or bouncing back. Further, in a surveillance society, there is clearly a difference between resisting surveillance and adapting to it. It is possible to resist surveillance, but resistance may not prevent surveillance. One might also see resilience as on a continuum somewhere between surrender and civil disobedience.
The empirical research and the theoretical analysis in the IRISS project has outlined various measures to increase resilience in surveillance societies amongst which are political and regulatory measures (such as accountability and oversight, explicit consent, privacy principles, creating boundaries and limiting surveillance, awareness and communication), individual measures (such as whistle-blowing, resistance and using privacy-enhancing technologies), and societal measures (such as public opinion polls and an activist press). The list is not exhaustive. As surveillance continues to grow and expand, such measures need to be reinforced and strengthened at all levels. Individuals and societies need to take active and sustained measures to curtail surveillance and its dangerous and deleterious effects.
Potential Impact:
The overall approach of the IRISS project was to contribute to an informed public debate about the manifold problems related to the emergence of a surveillance society. IRISS was not designed to produce a technological tool or system to be applied in a practical context. Rather the overall objective was to unfold a set of critical arguments, supported by empirical research. The findings of IRISS should target different expert communities and a general interested public alike. The overall impact of such an endeavour is to help rising thresholds for the quality of debate about the topic under discussion. All partners in the consortium shared this understanding and contributed to local, national and European debates about surveillance as a problem for contemporary societies using findings produced by IRISS. As can be seen from the documentation of dissemination activities, the consortium members addressed public media, policy makers and the academic community alike. In doing this we targeted a wide array of audiences from local radio stations across Europe and beyond to the LIBE Committee of the European Parliament (IRISS has contributed to the NSA & Mass Surveillance hearing of the European Parliament on the 24th of September 2013).
What can be considered as a specific feature of IRISS and hence, hopefully, as a relevant contribution regarding the impact of our findings is the holistic approach taken in our research. Surveillance, as a topic of debate and controversy, surfaces in many different expert discourses, from computer science to legal theory, from anthropology to criminology. Under the heading of “surveillance studies” there is even a distinct academic community addressing surveillance as a topic for research. Within IRISS we attempted to contribute to all of these discourses, emphasizing the ambivalences, problems and unintended side effects of surveillance as a powerful development impacting European societies. Informing legal scholars about the technological side of the problem or criminologists about the privacy-intrusive nature of crime fight strategies can help to open the debate within the respective academic disciplines.
With regard to public controversies surveillance tends to be a topic with a high and controversial political loading. While surveillance is considered to be a useful strategy to counter the rise of societal threats from organized crime to terrorism and child pornography and the problems associated with increased surveillance are deemed acceptable when measured against the presumed positive effects, there is also massive critique brought forward, questioning the intended impact of increased surveillance and highlighting the negative consequences on privacy, freedom of speech and the deliberative democratic public sphere. Both sides operate with clear cases to make their point and substantiate their claims. Against this rhetoric of black and white IRISS highlighted the many shades of grey in the overall picture. Our findings suggest that aspirations of pro-surveillance adherents often are overstating the positive effects, while opponents sometimes tend to entertain an attitude of preventive paranoia and exaggerated fears of a panoptic Big Brother. To give some more depth and increase the complexity on both sides of the political and argumentative divide IRISS introduced a more nuanced perspective. Positive effects of surveillance have to be acknowledged but only within limits. This can be perfectly demonstrated using the highly politicized case of CCTV. The evaluation of CCTV measures shows mixed results and while some technological arrangements can have a positive effect on crime rates under some specific circumstances, it can be shown that CCTV is not the magic bullet in securing public space. At the same time the fears of critics that this technology is about to develop into the panoptic-automated super-surveillance tool can be countered by looking at the tremendous problems still unsolved in research on automatic pattern recognition technology.
What this demonstrates with regard to the impact envisioned by the IRISS project is the need to overcome the stalemate of political controversy by increasing complexity of pro- and con arguments on both sides. This is not intended to create an average value of conflicting positions or finding a compromise based on a position in the middle of extremes. Rather we opt for an increase of complexity by taking into account conflicting empirical evidence, proximate and distant causes, considering paradoxical effects or what Gary T. Marx once termed the “ironies of social control”.
Within IRISS we were emphasizing the experience of lay citizens, exposed to massive surveillance from many different organisations and institutions on a continuous basis, as citizens, consumers, voters or members of the work force. The massive impact of surveillance on citizens’ everyday lives could be demonstrated but at the same time it became clear that laypersons often do not understand the ramifications of surveillance as an element of their daily lives. This sheds light on another dimension of impact we envisage for the results of the IRISS project. Surveillance emerges as a side effect of living in a society of electronic consumerism. Scholars form surveillance studies have coined the terms data double and leaking data container to describe this situation. While surveillance often is understood in the narrow sense of a targeted strategy by public authorities to watch or track individuals or groups, it should be emphasized how surveillance emerges as by-product of a myriad of daily activities as soon as these are electronically mediated. Using mobile phones, making payments using online banking or credit cards, posting pictures for friends on social media platforms produces data traces in cyber space and creates opportunities for massive surveillance by different actors. Harvesting these data pools is on the one hand a commercially highly viable business opportunity and on the other hand provides public authorities with data to be used in the context of different policing activities. While it has to be acknowledged that for modern societies the trajectory towards this kind of surveillance cannot be changed – there is no way back into the age of a pre-electronic culture – it seems of utmost importance to raise awareness of citizens to what extent they are dependent on a techno-social infrastructure transforming them into machine-readable techno-social hybrids. In terms of envisaged impacts of the IRISS project we hope to contribute to what could be termed an up-date of reflexive societal self-observation. The conceptual tool kit used to deliberate about modern societies is rooted in political theory of the 18th century, reaching back to the classical heritage of ancient Hellenic democracies. The findings of the IRISS project might help to augment this tool kit creating an opportunity for European societies to develop a more realistic understanding of where they are going and what they should envisage to keep on a developmental path connecting to the entrenched values of European enlightenment. This might entail a redefinition of some of the key concepts for an age where humans increasingly merge with the technology they produce.
List of Websites:
http://irissproject.eu