Digital technologies post-September 11th: more security but less privacy for the European citizen?

Will new technologies protect privacy or hamper it in the post-September 11 world? Trends in information society technology will have a significant impact on the balance between citizens’ security and privacy, according to a report released today by the European Commission’s Joint Research Centre (JRC). The study on “Security and Privacy for the Citizen in the Post-September 11 Digital Age: A Prospective Overview”, commissioned by the European Parliament, analyses the security and privacy implications of three emerging technologies: identity management (on-line services based on the identification of the user), location-based services (focusing on local positioning and tracking of the user) and virtual residence in an ambient intelligence environment (with “smart” and mobile electronic devices connected to our home, office, car etc.). According to the report, there is a need to restore the balance in favour of privacy as the use of these technologies for some governmental or commercial actions stretch the ability of current legislation to provide adequate personal data protection.

“In response to the threat of terrorism after the tragedy of September 11, many governments enhanced their surveillance powers, but at the risk of affecting privacy”, said European Research Commissioner Philippe Busquin. “However, citizens are not prepared to let privacy be one of the casualties in the war on terrorism. This comprehensive report will raise the awareness of decision makers for the need to maintain a balance between protecting data and making services widely available online, and the need to fight terrorism and crime whilst respecting individual privacy.”

“Steps have already been taken at the EU level to address concerns raised by some governmental or commercial use of communications technologies”, said Enterprise and Information Society Commissioner Liikanen. “The new Directive on Privacy and Electronic Communications, applicable in all Member States at the end of this month, applies important principles of EU law to communications services, including new mobile and Internet-based services. For instance, it requires that location information generated by mobile phones can only be further used or passed on by network operators with prior user consent, unless it is an emergency call. Where exceptions have to be made, for example for national security, they must be necessary and proportionate and laid down in legislation”.

Is Big Brother watching you?

The effects of September 11 on privacy have yet to be fully assessed. In the immediate aftermath, the United Nations responded with Resolution 1368 calling for increased co-operation between countries to prevent and fight terrorism. The ability of law enforcement and national security agencies to intercept communications was increased, as were powers of search and seizure. The variety of data accessed has also grown. While no full appraisal of the effects of September 11 has been carried out, new technologies and communication infrastructures have strengthened enforcement of these powers, putting at risk the rights of individual citizens to privacy.

Biometrics (using statistical and mathematical methods to analyse biological data), for example, can be used to enhance the security levels in identification processes. Biometrics can help identify a person’s physical features using electronic parameters. However it can also provide additional and sensitive data such as ethnic or medical information. A way to counter-balance this side-effect could be to only use a sample of facial characteristics (the major pertinent points) in producing the template needed for the matching process instead of a full picture of the face.

Protecting an individual’s privacy

To address these issues the European Parliament Committee on Citizens’’ Freedoms and Rights, Justice and Home Affairs, asked the Commission’s JRC to develop a detailed and comprehensive report on information society trends to identify particular concerns. The Commission’s Joint Research Centre sees an emerging pattern and trend, characterised by a shift from ‘reactive’ to ‘pro-active’ security protection, using information and communications technology systems to support intelligence gathering.

These facilitate the control and tracking of personal data, while offering opportunities of access for third parties for commercial purposes. For example, Radio Frequency Identification (RFID) tags, tiny chips that will be increasingly embedded in all kinds of devices and goods, will enable such items to be tracked. However, they could also be used to identify the owner of the item. It is important that these RFID tags are regulated by legislation addressing identity-related issues.

I can see you, I can feel you, and I know where you are

The JRC report outlines technology trends and implications for privacy and security and new challenges. It summarises important issues relating to policy development for privacy and surveillance in several areas, including:

• Identity-management systems: Identity is a key concept for the future Information Society. Identity-management systems and identity-related technologies will become an essential part of communicating via the Internet, enhancing the user’s protection against potential privacy and security risks.
• Location-based services: Location computing technologies and permanent mobile broadband connections provide multifunctional global positioning. Commercial use of such services could enhance security but also expose users to the risk of unauthorized access to personal data.
• Ambient intelligence and Virtual Residence: Computing technologies in all kinds of objects will provide a large number of services. The new environment will blur the traditional boundaries between private and public domains and is uncharted territory in terms of privacy practice in the future smart home, in cyberspace and when mobile. New security and privacy measures will have to be devised.

Reducing risks to a minimum

Based on security measures identified, the JRC report recommends:

• Privacy-invasive measures resulting from September 11, developed as an immediate response to establish a safer environment, should be temporary and limited; and
• Policy should strike an appropriate longer-term balance between security and privacy when dealing with measures facilitating the development of the Information Society.

The role of technology

Technology can bring about change – but also solutions to the problems caused by change. The flexibility of new technologies must be acknowledged and considered before appropriate policy measures can be formulated. While technologies could be used to invade privacy, they can also help enhance protection of personal data and increase transparency in security processes.

According to the JRC report, technology could play a key role in protecting individual privacy against abuse if aligned with current legal measures in the EU. The JRC identified a number of areas where policy action may be needed, such as: identity theft; private-sector databases; private-public sphere indicators; and technology-specific regulation.

In the case of identity theft in Europe, the report stressed that due to strong existing European legislation, which defines clear privacy and data protection rights, this type of crime is less frequent than in other countries. In order to maintain this level of security for the citizen, new technologies will need to be integrated into the existing legal framework. The report recommends that a monitoring activity be established to track the rate of change in technology, its impact on the security/privacy balance and the potential need for regulatory action.