Embed Size (px)
Citation preview
This article was downloaded by: [University of Windsor]On: 28 September 2013, At: 01:24Publisher: RoutledgeInforma Ltd Registered in England and Wales Registered Number: 1072954 Registeredoffice: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK
Journal of Cultural EconomyPublication details, including instructions for authors andsubscription information:http://www.tandfonline.com/loi/rjce20
SECURITY CLOUDSMonica den Boer & Jelle van BuurenPublished online: 02 Feb 2012.
To cite this article: Monica den Boer & Jelle van Buuren (2012) SECURITY CLOUDS, Journal ofCultural Economy, 5:1, 85-103, DOI: 10.1080/17530350.2012.640558
To link to this article: http://dx.doi.org/10.1080/17530350.2012.640558
PLEASE SCROLL DOWN FOR ARTICLE
Taylor & Francis makes every effort to ensure the accuracy of all the information (the“Content”) contained in the publications on our platform. However, Taylor & Francis,our agents, and our licensors make no representations or warranties whatsoever as tothe accuracy, completeness, or suitability for any purpose of the Content. Any opinionsand views expressed in this publication are the opinions and views of the authors,and are not the views of or endorsed by Taylor & Francis. The accuracy of the Contentshould not be relied upon and should be independently verified with primary sourcesof information. Taylor and Francis shall not be liable for any losses, actions, claims,proceedings, demands, costs, expenses, damages, and other liabilities whatsoeveror howsoever caused arising directly or indirectly in connection with, in relation to orarising out of the use of the Content.
This article may be used for research, teaching, and private study purposes. Anysubstantial or systematic reproduction, redistribution, reselling, loan, sub-licensing,systematic supply, or distribution in any form to anyone is expressly forbidden. Terms &Conditions of access and use can be found at http://www.tandfonline.com/page/terms-and-conditions
SECURITY CLOUDS
Towards an ethical governance of
surveillance in Europe
Monica den Boer and Jelle van Buuren
Within the European Union (EU), several instruments have been created at local, national and
international level to monitor the movements of persons, goods and systems. The political
justification of this vast expansion of surveillance instruments is based on the supposed need for
security actors to predict and prevent security voids. In this article, we argue that the emergence of
security clouds � the spray of data on individuals that floats between accumulated data-systems
and networked surveillance instruments � present a considerable challenge to the governance
of surveillance. The formally pronounced objects of combating crime and terror can be
conceptualized as emerging forms of governance through surveillance and therefore influence
societies deeper than merely in the field of security governance. Data which are fused in the
security clouds can be stored for different purposes by different actors, acquire new functionalities
and technical applications. The responsibility for surveillance technologies reaches beyond the
scope of traditional scrutiny mechanisms, including parliaments, judicial authorities and civilian
oversight bodies. The European, national, vertical and horizontal legal arrangements for
transparency, access and data protection lack coherence and consistency. This article advocates
a professional security ethic on top of a consolidated legal framework.
KEYWORDS: European Union; surveillance; security; intelligence; ethics
Introduction
Within the European Union (EU), several instruments have been created at local,
national and international level to facilitate the surveillance of the movements of persons,
goods and systems. Surveillance includes a range of measures, exercised by public and
private authorities, and is considered to enhance objective and subjective security. Hence,
in the EU, surveillance has become closely intertwined with security. Traditionally, national
and international law enforcement authorities and intelligence services rely heavily on
information, principally gathered and dispersed through large databases (Van Linde 2002).
However, as we will argue, the rise in surveillance is not just a modernized state-of-the art
practice of policing, customized for the needs of modern societies, but also entails new
forms of governance. Gill (2006, p. 28) writes � comparably but more extensively � that
global surveillance is argued to be an intrinsic part of the general economic restructuring of
capitalism, and that ‘security intelligence processes’ are ‘essentially a sub-set of the more
general surveillance that constitutes contemporary governance. Thus, since intelligence is
Journal of Cultural Economy, Vol. 5, No. 1, February 2012ISSN 1753-0350 print/1753-0369 online/12/010085-19
# 2012 Taylor & Francis http://dx.doi.org/10.1080/17530350.2012.640558
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
one of the two defining components of surveillance, and, in turn governance, then security
intelligence is one of the defining components of security governance’.
On the basis of this argumentation, an approach which advocates legal rules
concerning the collection, dissemination and use of information gathered by surveillance
practices needs to be complemented by an ethical governance of data-exchange in the
security arena. We argue that a coherent legal framework is important but insufficient in the
face of four developments. First, the ever expanding range of European databases which
have been designed with the objective to enhance the security of the Member States and
their citizens. These databases have gradually expanded to include new functionalities and
new technological facilities. Second, the EU accommodates a multiplicity of European,
national, vertical and horizontal legal arrangements for transparency, access and data
protection, culminating in a patchwork of rules and instruments. Third, surveillance
technologies are used by many different security actors, at international, national and local
level, as well as at public and private level. Increasingly, the responsibility for surveillance
technologies reaches beyond the scope of traditional scrutiny mechanisms, including
parliaments, judicial authorities and civilian oversight bodies. Fourthly, the function of
surveillance exceeds the formally pronounced objects of combating crime and terror and
can be conceptualized as emerging forms of governance through surveillance and therefore
influences societies more deeply than just in the field of security governance. We will
introduce the concept of ‘security clouds’ to grab the essence of these interlocking
developments. By this we mean clouds of data about individual citizens. These data can be
stored for different purposes by different actors but are now retransformed under the magic
umbrella of ‘security’ and can be used for different reasons by different security actors. So
what is needed is a more fundamental reappraisal of the rising surveillance complex.
In this article, we begin by providing a brief overview of existing European databases
which are operated in the EU Area of Freedom, Security and Justice. A trend that can be
discerned is the transformation from ‘old fashioned’ silos of information to the inter-
connection and interoperability between these systems, as well as a move towards global
data transfers and quantum surveillance. The change from vertical and compartmentalized
information systems to horizontal and inter-sectoral information exchange generates
several questions about governance through surveillance as well as the governance of
surveillance. We will discuss the governance implications and conclude the article by
presenting some reflections on an ethical governance of surveillance in Europe.
European Dataveillance: From Database to Security Clouds
Security databases have been created at different moments, have been embedded
in different institutional contexts, and have served a range of objectives. These automated
information systems have been built on the basis of different technological architectures,
and have been subjected to diverging rules for access and use. The incremental fashion of
their introduction has prevented a comprehensive political and social debate about the
necessity, proportionality, functionality and effectiveness of these systems. The gradual
erosion of the walls between information systems renders the guarantees and conditions
on their use and application rather obsolete, which necessitates a fundamental debate.
Examples of European cross-border security databases that are used by law
enforcement authorities (including customs and border control authorities) are VIS (Visa
Information System), SIS I and II (Schengen Information System), CIS (Customs Information
86 MONICA DEN BOER AND JELLE VAN BUUREN
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
System), Eurodac (a fingerprint system for asylum-seekers) and EIS (Europol Information
System). SIS1 was of the first European databases, created for the purpose of immigration
and crime control. The system emanated from a desire of the Member States to create an
area without internal border controls while facilitating the movement of persons across
their external frontiers. Operational since 1995, it seeks to maintain public security,
including national security, within the Schengen area and facilitate the movement of
persons using information communicated via this system. SIS is a centralized information
system comprising a national part in each participating state (NSIS) and a technical
support function in France. Member States may issue alerts for persons wanted for arrest for
extradition; third country nationals to be refused entry; missing persons; witnesses or those
under judicial summons; persons and vehicles subject to exceptional monitoring on account
of the threat they pose to public or national security; lost or stolen vehicles, documents and
firearms; and suspect bank notes. Data entered in SIS include names and aliases, physical
characteristics, place and date of birth, nationality and whether an individual is armed and
violent. Police, border control, customs and judicial authorities in criminal proceedings may
access these data in accordance with their respective legal powers. Europol and Eurojust
also have access to SIS data relating to third-country nationals on the entry ban list and
alerts on lost and stolen documents, persons wanted for arrest for extradition and those on
persons subject to exceptional monitoring on account of the threat they pose to public or
national security. In addition to the original data categories covered by the first-generation
system, SIS II will be able to handle fingerprints, photographs, copies of the European arrest
warrant, provisions to protect the interests of people whose identity is being misused and
links between different alerts (see also Brouwer 2008). SIS is Europe’s largest running
information system. The total of valid records in SIS reached 35.69 million by 2010; about
one million of those records are on individuals.2
Eurodac3 is a centralized automated fingerprint identification system containing the
fingerprint data of asylum-seekers and people who have been apprehended in connection
with the unlawful crossing of the external borders of the EU. In operation since January
2003, its purpose is to assist in determining which Member State should be responsible,
under the Dublin Regulation, for examining a particular asylum application. By comparing
the fingerprints of asylum-seekers and irregular migrants with Eurodac records, national
authorities seek to establish where that person might have submitted an asylum
application or first entered the EU. Authorities may also compare against Eurodac records
the fingerprints of third-country nationals found illegally on their territory. According to
the latest figures (European Commission 2010), 1,554,558 sets of fingerprints have been
stored in Eurodac. Of a total of 236,936 new asylum applications recorded in Eurodac in
2009, 23.3% were ‘multiple asylum applications’. However, as the Commission (2010)
admits, these figures are partly flawed, as some Member States retake and retransmit the
fingerprints of applicants upon arrival after transfer under the Dublin Regulation, which
results in ‘a distortion of the statistics on multiple applications’.
The purpose of the Visa Information System (VIS)4 is to help implement a common
visa policy by facilitating the examination of visa applications and external border checks
while contributing to the prevention of threats to Member States’ internal security. VIS is a
centralized information system comprising a national part in each participating state and a
technical support function. It includes data on visa applications, photographs, fingerprints,
related decisions of visa authorities and links between related applications. It uses a
biometric matching system to ensure reliable fingerprint comparisons and verify the
SECURITY CLOUDS 87
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
identity of visa-holders at external borders. Visa, asylum, immigration and border control
authorities have access to this database for the purpose of verifying the identity of visa-
holders and the authenticity of visas. National law enforcement agencies and Europol may
consult it for the purpose of preventing and combating terrorism and other forms of
serious crime. VIS is set to become the EU’s largest database, with currently 20 million visa
requests. In the near future, the EU will also launch a system by means of which it can
detect so-called over-stayers, or people whose legal residence has expired. This will be the
Entry/Exit System (ESS) (Besters and Brom 2010, p. 4).
The CIS Convention of 1995 deploys the Customs Information System (CIS)5 to assist
in preventing, investigating and prosecuting serious violations of national laws by
increasing, through the rapid dissemination of information, the effectiveness of coopera-
tion between Member States’ customs administrations. CIS, which became operational on
24 March 2003, is managed by the Commission and is a centralized information system
accessible via terminals in each Member State and at the Commission, Europol and
Eurojust. It comprises personal data with reference to commodities, means of transport,
businesses, persons and goods and cash retained, seized or confiscated. CIS also establishes
a Customs file identification database (FIDE) to assist in preventing, investigating and
prosecuting serious violations of national laws. FIDE enables national authorities
responsible for conducting customs investigations, when they open an investigation file,
to identify other authorities that may have investigated a given person or business
(Broeders 2007).6
Gradually, the functionalities of these data-systems have been or will be extended.
The main common characteristics in the relevant EU databases concern the increased use
of biometric identifiers, which allows them to be used for the purpose of criminal
investigation and intelligence-gathering, the growing number of authorized users who
have access to these systems, and the potential for searching large amounts of data with
the help of data-mining and data-profiling.
Meanwhile, the creation of new databases is underway, such as the (interlinking of)
national DNA-databases (resulting from the Prum Treaty which was signed in 2005) and
the creation of a European Border Surveillance System (Eurosur).7 These data-systems are
ordered according to the principle of verticality, i.e. data-input organized inside the
Member States and mediated by a central (law enforcement) authority. The reason for this
type of information architecture is the stronghold of national sovereignty: the prime locus
of control on law enforcement activity still resides with national authorities. A vertical,
central, hierarchical governance of data-gathering and exchange suggests that informa-
tion practices are correctly, intelligibly and transparently subjected to national and
international data protection systems.
Increasingly, however, there is an emphasis on data retention and data transfers,
which allows a horizontal information-exchange between agencies at different govern-
ance levels. One of those rather prominent instruments is the Passenger Name Records
(PNR) agreement.8 Since 2003, USA authorities have demanded on-line access to the PNR
which are kept by European flight carriers on flights to the USA. By screening the data, the
American and Canadian authorities9 seek to reduce the possibility that (would-be)
terrorists enter their territories from the EU. PNR comprise various data, such as name, date
of birth and telephone numbers, as well as credit card numbers, seat numbers and meals.
The USA authorities may also demand information from the Advanced Passenger
Information System, including gender, passport number and nationality of the passengers
88 MONICA DEN BOER AND JELLE VAN BUUREN
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
(Rathenau Instituut 2007). The screening method raises several questions however as to
how PNR helps to identify risks, what the substance of the precise procedure actually is,
and whether the data are run against existing criminal data (Kuipers 2008). Several bilateral
agreements have shaped the basis for the exchange of PNR data by airlines. These
comprise the 2004 EU�US PNR agreement, ruled in 2006 by the European Court of Justice
to be founded on the wrong legal basis (Balzacq 2008, p. 91); the 2005 EU�Canada
agreement on API (Advanced Passenger Information) and PNR data; the 2006 EU�US
interim PNR agreement (replaced by the 2007 definitive EU�US agreement on the
submission of PNR-data), and the PNR agreement between the EU and Australia from June
2008 (Kuipers 2008, p. 17). Foreign authorities can use these data of individuals travelling
from Europe for the purpose of data-matching, data-mining and profiling. In the
meantime, it has been ventured that these data have also been used to detect criminals
and to control land borders. Hence, vast numbers of data are put in stock by American,10
Canadian and Australian authorities which demonstrate the increasingly dense informa-
tion web and the way in which the EU has actively developed an external security link in its
counter-terrorism policy.
As the number of countries developing PNR systems will most likely increase in the
coming years, the European Commission is considering the development of a series of
general criteria for the negotiation of new PNR agreements with third countries. In the
long term, the EU is exploring the possibility of replacing bilateral agreements with a
multilateral agreement between all countries that use PNR data.11 Members of the
European Parliament, the European Data Protection Supervisor, privacy organizations,
airlines and data protection authorities are increasingly concerned about the transmission
of personal files without the approval of the relevant individual (Kuipers 2008, p. 3).
A major concern is that data are used for purposes other than counter-terrorism purposes,
and that the obligation to transfer data on passengers lacks reciprocity.12
The move to ‘horizontal data transfers’ is also visible in the monitoring and tracking
of financial data by means of the Terrorist Financial Tracking Programme (TFTP), the so-
called SWIFT-agreement (see also Wesseling, de Goede and Amoore, this issue). This
agreement allows US authorities access to European based financial data managed by
SWIFT13 in cases of anti-terrorism investigations. The draft agreement14 was rejected by
the European Parliament on 11 February 2010, the main reason being that the instrument
impacted negatively on the personal privacy of European citizens (Guild 2010, p. 2).
Despite certain improvements which were made in the interim agreement, the European
Data Protection Supervisor continued to express concerns about ‘bulk transfers’ of data.
He also recommended that data protection standards ought to be guaranteed, for
instance in view of the proportionality of the system itself, data retention periods,
enforceability of (European) data protection rights, judicial oversight and independent
supervision.15 In the meantime, the European Parliament agreed with an extension of the
agreement after Europol was given the formal mandate to screen and verify the transfer of
data.16 However, in Spring 2011,17 it was concluded by the Europol Joint Supervisory
Board that many data protection requirements were not being met by Europol, and that
USA requests for data were too general and too abstract.
Data-warehousing and the governance of data flows imply a historically unprece-
dented penetration of the state into society, which can be identified as a fundamental shift
in the bureaucratic power of the state and as a manifestation of political dominance of
the state vis-a-vis her citizens (Gilliom 2001, p. 129). Thus, in addition to the vertical
SECURITY CLOUDS 89
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
governance of large EU-databases, international data-exchange practices gradually evolve
into ‘horizontal’ strategies, whereby de-central, i.e. local, law enforcement authorities can
directly and automatically exchange information and intelligence with their foreign
counterparts in other EU Member States. The change in the information regime of the EU
Area of Freedom, Security and Justice can also be identified in recent EU discourses, such
as the Stockholm Programme18 and the EU Internal Security Strategy,19 which announce a
development towards synergy and interoperability in the face of multiple threats:
databases become increasingly interconnected and are made accessible to a broad range
of criminal investigation, intelligence and surveillance objectives. Gradually, we may
witness the emergence of a ‘security cloud’, which drifts along in virtual space, fused in the
catch-all notion of ‘security’. Personal and sensitive data, once collected and stored by
private and public actors for different purposes � be it for medical reasons, social security,
credit rating agencies, criminal investigations, intelligence operations, libraries, travel
agencies, on-line web-shops, air line companies, social media or telecom and internet
providers � are permanently exchanged, combined, upgraded, refined, analysed, resold
and stored in a range of national and international databases that can be accessed from a
distance by a plethora of actors. Through these practices, personal data clouds are being
transformed and deformed into security clouds, because all data are being seen in the
light of ‘security’. Public and private actors have the ability to tap into these security clouds
that are gathered over each individual citizen at any moment and from any location,
following their own logics, aims and rules. Increasingly, data are used to exercise
permanent surveillance on citizens. Torpey (1998) defined this as the capacity of the
modern state to ‘embrace’ society. Due to digitalization, data about citizens are subjected
to permanent surveillance and monitoring, which is justified on the basis of security
threats. Hence, filing cabinets have become liberated from their fixed physical positions
and can be operated from a distance (Broeders 2007, p. 76). In parallel with this
development, Ericson (2007, p. 1) observed an ‘intensification of security measures’
through an incremental series of legal transformations via ‘innovative surveillance
technologies and networks’.
Security Surveillance Technologies in Europe
In the EU, therefore, we may observe an accumulation as well as an intensification of
information gathering environments, both at the vertical governance level (the databases
we discussed above) and the sub-central and networked information systems, which
include a wide range of data-gathering facilities in the form of closed-circuit television
(CCTV), smart cards, face recognition, data matching, data-mining, private policing,
environmental designs, body scans, body-cams, automatic number plate registration
(ANPR), the storage and interception of telecommunication, the use of GPS for detection
purposes, Radio Frequency Identification (RFID) tags and electronic chips implanted
in goods and vehicles (Ericson 2007, p. 2; Rathenau Instituut 2007; House of Lords 2009,
p. 17; Van ‘t Hof 2007).20 These are the ‘tapping points’ where the (practices of the)
individual citizens are compared with the compositions that have been made of them in
security clouds, where new information is fed into the cloud and where authorities are
prompted into action whenever a ‘risk’ is indicated. CCTV-surveillance, for instance, is
spreading across Europe, although it is ‘impossible’ to provide an exact estimate of
the amount of CCTV in Europe and their levels of performance (European Council 2008).
90 MONICA DEN BOER AND JELLE VAN BUUREN
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
In six European capitals, CCTV was common in publicly accessible space such as shops,
banks, restaurants, bars, and transport termini (Hempel & Topfer 2009, pp. 27�34): 29% of
such publicly accessible institutions used some form of video surveillance although the
proliferation was uneven.
Further, a new generation of smart cameras has been introduced in several (semi-)
public spaces, such as shopping malls and railway stations, which can ‘comb through’
a concentration of people, register irregular behaviour (such as shouting or pushing),
allowing for a direct notification to security agents (European Council 2008).21 With face
recognition, CCTV will be given a new functionality. Interpol, the Europe-based interna-
tional law enforcement group, has proposed an automated face-recognition system for
international borders.22 Such a system could require travellers to undergo face scans, and
make the information available to numerous countries. An Interpol face-recognition
database would permit Interpol member nations to search records containing travellers’
personal biometric information, and could be used in conjunction with travel watch lists.
‘We need to get our data to the border entry points. There will be such a large role in the
future for fingerprints and facial recognition,’ said Mark Branchflower, head of Interpol’s
fingerprint unit (20 October 2008).23
Automated Number Plate Recognition (ANPR) is also a form of camera registration
and can integrate a surveillance device (the camera) with the police national computer
and all of its associated databases. ANPR was launched in 1996 in the UK, as part of the
city of London’s defences against the IRA terrorist threat. Since then, ANPR has been
widely applied throughout the EU. Like open street CCTV it targets all under its gaze but
greatly enhances its surveillance capacity as it creates a major investigative resource of a
vehicle’s movements and locations, regardless of the status of the driver. This opens the
possibility of exploiting profiles of non-offenders for the purpose of data-mining by police
(Watson & Walsh 2008, p. 8).
Crucial for the connection between the individual citizen and his or her security cloud
is the introduction of biometrics as a technique for the identification and authentication of
individuals (Lodge 2010, p. 7; Hier 2003, p. 402).24 Biometric information systems are
increasingly woven into existing practices and procedures of international police co-
operation (Lewis 2005, p. 97), particularly when it concerns documents that facilitate cross-
border travel, like e-Identity cards (Lodge 2010, p. 3). The Prum Treaty demands from its
signatories that they create a national DNA database.25 In addition, by adding biometric
data to the system of migration control, digital borders in Europe are transformed into
‘biometric borders’ (Besters & Brom 2010; reference to Amoore 2006). The EU plans to
introduce biometric identifiers by 2015 at various air, sea and land borders to monitor all
non-EU nationals who enter the Schengen zone (Lodge 2010, p. 9). Governments take
recourse to the technology of biometrics, because it relies on ‘permanent physical features’
of the (unique) human body (Besters & Brom 2010, p. 3). Moreover, the biometric data are
stored in a search engine, which is called the Biometric Matching System (BMS). The next
generation of VIS and SISII will also have the same technical infrastructure. However, when
we take the EU27 into account, we may observe a tapestry of different arrangements,
where DNA samples are taken and stored for different purposes, according to different
definitions of what constitutes a criminal offence, and stocked for different periods of
time (Lodge 2010, p. 19). The European Court of Human Rights is more reserved about the
biometrication of society. On 4 December 2008, it handed down a judgment against the
United Kingdom regarding a law enforcement database that includes various items of
SECURITY CLOUDS 91
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
biometric data on individuals (Guild 2010, p. 3), because ‘the blanket and indiscriminate
nature of the powers of retention of fingerprints, cellular samples and DNA profiles of
persons suspected but not convicted of offences failed to strike a fair balance between the
competing public and private interests, and that the UK had overstepped any acceptable
margin of appreciation in this regard’ (p. 3).
Governance Trends in Surveillance
The role of technology in surveillance is pre-eminent and poses formidable
regulatory problems. The Information Commissioner told us that individuals ‘leave
electronic footprints behind with the click of a mouse, making a phone call, paying
with a payment card, using ‘‘joined up’’ government services or just walking down a street
where CCTV is in operation. Our transactions are tracked, our interactions identified and
our preferences profiled � all with potential to build up an increasingly detailed and
intrusive picture of how each of us lives our life. This has increased the capability for
surveillance of the citizen through data collection’ (House of Lords 2009, p. 15).
Spurred on by security crises such as 9/11, the surveillance climate has altered
dramatically. Data-mining and data-profiling are also known as ‘ambient intelligence’.
New technology allows for ambient intelligence and ubiquitous computing, enabling a
total information awareness on the side of not only government and law enforcement
authorities, but also private (security) authorities, exercised by means of Real Time
Intelligence Rooms. A condition for this practice is the cultivation of multi-disciplinary
co-operation, primarily between security agents, but increasingly also between public and
private agents. It is contended that public authorities organize a co-production (or
‘conscription’) with private business to enable the construction of a surveillance society
(ACLU 2004; Hall & Mendel, this issue). Private vigilantism has become part of the
surveillance complex; customers and citizens cannot always distinguish the roles and
responsibilities of the surveillance agents.
An ever-expanding range of instruments, technologies and databases has become
available for the active monitoring of individuals and commodities. Ericson and Haggerty
(2006) have labeled this the ‘surveillant assemblage’ (see also Sheptycki 2007). Increasingly, a
vast volume of data is available to government in general and to law enforcement and
security agencies in particular, to the extent that the physical movement, the decisions, and
even the mental state of each individual is subject to continuous observation. Marx (1998)
said that new surveillance technologies ‘transcend the physical, liberty enhancing limitations
of the old means [that] are constantly appearing’, which ‘probe more deeply, widely and
softly than traditional methods, transcending barriers (whether walls, distance, darkness, skin
or time) that historically made personal information inaccessible’ (1998); ‘The power of
governmental and private organizations to compel disclosure (whether based on law or
circumstance) and to aggregate, analyze and distribute personal information is growing
rapidly’ (1998). Surveillance � particularly exercised through electronic i.e. technological
means � has become an inescapable reality, primarily because governments seek to reduce
risk by means of preventative control (Zureik & Salter 2005, p. 1), culminating in a ‘risk
aversive Panopticon’ (Whitaker 1999, p. 44).
How do these tools, technologies and trends in surveillance affect modes of
(security) governance? The rising surveillance cannot be understood as just a function of
increasing security concerns, where surveillance simply promises the EU citizen a better
92 MONICA DEN BOER AND JELLE VAN BUUREN
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
protection against criminality and terrorism. Surveillance also gives rise to new forms of
governance in late modernity. We will analyse some of the emerging trends and signal
some of the challenges for new forms of governance through surveillance.
Governing Through Data-Warehousing and Profiling
Data-warehousing consists of a process of gathering, analyzing, actualizing and
ordering data. These data are centrally stored in an automated database. Data can be
‘mined’ to discover correlations, patterns or trends by ‘sifting through’ large quantities of
data stored in repositories. A core element of the EU counter-terrorism strategy is the
storage of data with the objective to facilitate electronic surveillance (Akdeniz & Walker
2003), which has been formalized by a series of legal instruments. One of these is
the binding EU Directive on the Retention of Telecommunications, which was adopted on
15 March 2006.26 Data retention or data preservation generally refers to the (temporary)
storage of internet traffic, electronic message exchange and mobile telephony. This allows
governmental traffic analysis as well as mass surveillance. The Directive requires Member
States to ensure that communications providers must retain, for a period of between six
months and two years, necessary data as specified in the Directive. The data is required to
be available to competent national authorities in specific cases, ‘for the purpose of the
investigation, detection and prosecution of serious crime, as defined by each Member
State in its national law’. The Data Retention Directive was criticized for a number of
reasons, first of all because it demands the storage of telecommunications data from all
citizens and not just those who are suspected of a crime; it leaves ample discretion to the
individual Member States, e.g. with a view to storage periods, and the legal basis in the
Internal Market provisions was not clear (Hustinx 2010; Hijmans 2010).
Governing Through Interconnectivity
At the level of the EU, several instruments have been adopted and good practices
shared in law enforcement circles which enable the connection between public order
policing and overt as well as covert surveillance of audiences, to enable a prognosis of
the behaviour of political dissidents, football hooligans, mentally deranged people etc,
in order to prevent riots, or in the worst case, attacks. In the UK, this is called ‘forward
intelligence’. Moreover, as indicated above, there is an increasing development towards
authorized access to large national and international databases for police and law
enforcement authorities, which increases the possibilities for multi-disciplinary usage of
data and data-fusion.
The Stockholm Programme, which lays down new ambitions for the EU Area of
Freedom, Security and Justice, advances the thesis that Europe can be made more secure
through an enhanced ‘interoperability’ between data information systems. The sharing of
information across borders and between different agencies is seen as a remedy against the
fragmentation of information. In fact, this will mean that information walls will be further
eroded and that an amalgam may arise of different large data systems. When looking at
the EU Internal Security Strategy, cross-agency cooperation is advocated between police
agencies, civil emergency response and domestic services (Lodge 2010, p. 4). The aim
is furthermore to encourage the interaction between databases, providing effective
SECURITY CLOUDS 93
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
information exchange across the Union and maximizing the opportunities offered by
biometric and other technologies by arguing that it is to improve the security of citizens.
This has paved the path for the creation of a ‘security continuum’, linking different sets of
‘deviant’ behaviour (immigration, crime, terrorism, hooliganism, radicalization, political
protest) (Mitsilegas 2006).
Another dimension of interconnectivity is the close co-operation between public
and private agencies, particularly in the field of surveillance. Sensitive data storage is
‘outsourced’ to private partners in order to gain more efficiency; in the UK, in particular,
data-handling for tax and customs has already been delegated to commercial partners in
India (Lodge 2010, p. 21).
Governing Through Preventive Intervention
The EU also advocates the development from tagging real suspicions to possible
suspicions. An emergent ‘precautionary logic’ (Ericson 2007, p. 25; Zedner 2009) combined
with administrative anxiety about accountability has encouraged more pro-active data-
gathering and risk management. The evolving finality can also be demonstrated in the
new application potential of SIS, which will also be used for counter-terrorism purposes by
virtue of the Prum Treaty.
While other approaches to government seem to yield more uncertainty, governing
through crime sends a strong signal of certainty. When there is a persistent threat that is
said to affect the quality of life, or a catastrophic failure in a risk management system for
which the government is held responsible, criminalization through counter-law provides
an ending to the political narrative of uncertainty in the short term, and perpetuates the
myth of governability in the long term. (Ericson 2007, p. 207)
The digitalization of borders which will control the migration flow from and to
Europe allows for the detection of migration patterns and the identification of so-called
risk groups (Besters & Brom 2010, p. 4). Hence, the digitalization of borders facilitates a
form of proactive risk management. The focus on an identification ‘as early as possible’ of
signs of radicalization and of the preparation of terrorist activities can be traced in the
European discourse, e.g. the EU Strategy on Terrorism and Radicalization, the EU Security
Strategy, and the more recent EU Internal Security Strategy. Governments have expanded
their remit in the field of data-collection, first of all by means of new strategies of data-
gathering, namely by data-profiling, but secondly by access to large-scale databases of
people who have not committed criminal offences (Sietsma 2007, p. 13); this ‘future
perfect’ (Bigo 1994, quoted in Guild 2010) fundamentally alters the relationship between
governments and citizens, in that the presumption of innocence tends to whither as a core
principle of modern criminal justice systems. This heralds the transformation of a security
governance built on trust towards a security governance based on suspicion.
Governing Through Mental Disciplining
The effect of total surveillance or total information awareness is that individuals know
that they are continuously watched by state and private authorities, to the extent that they
discipline and regulate themselves mentally (Hier 2003, p. 401). In this regard, Ericson (2007,
p. 29) notes that ‘the police power is perfected when it results in self-policing among
94 MONICA DEN BOER AND JELLE VAN BUUREN
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
members of the population. The liberal social imaginary of the ‘house of certainty’ is a
house of discipline as self-policing. The individual who knows that she is seen through by
the surveillant assemblage, who recognizes her visibility, will internalize the gaze. That is,
she will not only assume responsibility for the constraints of power, but will have that
power inscribed in her to the point where she polices others as well as herself. The
Leviathan-like surveillance net is incrementally enlarged through new legislation (not
always passed by parliament but de-centrally widened by municipal authorities who then
‘export’ their new surveillance practice to other cities) to include ever new groups of the
population, who for reasons of safety, education, health, housing or social benefit are made
subject of more active monitoring. Technological surveillance becomes a vehicle for a
moral discourse in which individuals find themselves webbed in a vocabulary of fraud
allegations (Hier 2003). Social engineering has politically been reframed in terms of
individual responsibilization.
Towards an Ethical Governance of European Surveillance Practices
At the level of the EU, the accumulation of surveillance measures, the speed at
which measures have been adopted, and the expansion of functionalities of information
systems may lead to new paradox: how can the EU as an emerging security actor govern
security clouds? Given the intrusiveness of many surveillance technologies, the relative
absence of public discussion about this issue is surprising. The synergy between
information and communication technology, biotechnology, and nanotechnology pro-
mises a fundamental shift of every aspect of life. ‘Converging Technologies’ will form an
invisible technical infrastructure for human action. As the convergence draws in other
technologies and technology-enabling sciences, it would appear that nothing can escape
the reach of converging technologies and that the mind, social interactions, communica-
tion, and emotional states can all be engineered. Humans may end up surrendering their
freedom and responsibility to a mechanical world that acts for them.27
An ethics-based governance of surveillance28 in Europe can be consolidated by a
comprehensive legal framework, which has been tabled and proposed by the European
Commission. This may help to counter the current fragmented situation, as they deal with
instruments of the former ‘first pillar’, the data protection directive of 1995 and the data
retention directive of 2006; in the former ‘Third Pillar’, the Member States have to
implement the 2008 Framework Decision on data protection which stems from the former
third pillar; moreover, several legal instruments such as the Prum Convention contain
specific chapters on data protection (Buttarelli 2010, p. 32). The differentiation between
member states regarding the application of standards for the registration of persons has
to be countered, and this has been argued by the Joint Supervisory Authority of Schengen
2005 and 2007 (Besters & Brom 2010).29
Any new surveillance measure should be assessed and scrutinized prior to its
introduction. Hence, the EU and the member states can develop an impact assessment
tool (Buttarelli 2010). The European Data Protection Supervisor has the task to conduct
prior checking of legislation.30 Lodge (2010, p. 29) proposes that the European Data
Protection Supervisor should be involved at all stages in the Commission’s process of
drafting recommendations, communications and proposed legislation. In addition, the
European Parliament should demand a risk-impact assessment for all e-activities and R&D
includes high specification technical provisions to safeguard privacy (Lodge 2010, p. 30).
SECURITY CLOUDS 95
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
The EU Stockholm Programme proposes a so-called certification scheme for privacy-aware
technologies, products and services (Lodge 2010, p. 3).
European (security) surveillance instruments should comply with national and
international data protection standards, and they should be designed in such a way that
they do not infringe the personal lives of citizens (European Convention on Human Rights
(ECHR), art. 8). Moreover, art. 7 of the Fundamental Rights Charter of the Union reads
that everyone has the right to respect for his or her private and family life, home and
communications. Article 8 provides that everyone has the right to the protection of
personal data concerning him or her; that such data must be processed fairly for specified
purposes and on the basis of the consent of the person concerned or some other
legitimate basis laid down by law; that everyone has the right of access to data which has
been collected concerning him or her, and the right to have it rectified; and that
compliance with these rules shall be subject to control by an independent authority.
In this light, there have been questions about the independence of Europol to assess the
transfer of financial data to the USA.
Essential data protection principles are finality or purpose-limitation (data may only
be used for a stated purpose), proportionality (no data collection beyond as stated limit),
and subsidiarity (no data collection if the measure can be achieved by less privacy-intrusive
means). Lodge (2010, p. 8) argues that regardless of the safeguards of ECHR, art. 8, remote
and automated monitoring of all the activities of persons ‘facilitates and acclimatizes
the public to a pervasive, stealthy and unaccountable surveillance that ultimately
insecuritizes individuals and society: quantum surveillance’. Governmental restraint (based
on classic data protection principles of finality, proportionality and subsidiarity) should be
exercised in the mass collection of data.
Surveillance measures should only be used when (externally) evaluated as effective.
This proven effectiveness may help to avoid function creep (Besters & Brom 2010). To
achieve this, sunset-clauses should be introduced for each new surveillance measure,
allowing parliaments and civil oversight bodies (to propose) to withdraw the relevant
measure. Proven effectiveness, efficiency and proportionality. Sunset-clauses may help to
prevent mission-creep in the policy use of ICT-technology (see e.g. Lodge 2010, p. 11).
Data may not migrate between authorities, services and databases without approval
of the individual who is the owner of the data. Here, one could think of a prior consent
system, more or less in line with the German principle of informationelle Selbstbestimmung.
Moreover, there should be more emphasis on the integrity of personal data in networked
environments. Hence, the planned interconnection (‘interoperability’) between electronic
databases between the current EU databases in the fields of security, law enforcement,
border control, migration control and asylum control should not only be done on the basis
of proven effectiveness, but should rest on shielded data environments. Retention of data
should also be considered to be based on individual consent.31 Information rights are
pivotal.
Governments, whether local, national or international, know a lot more about
societies, individual citizens, their movements, relationships, interactions and their
transactions. Surveillance may induce more normalizing effects on conduct, self-percep-
tion, personality, and world-view, than ever before. Regulation of surveillance will be
delegated more from persons to technology and from public, governmental parties to
private organizations and citizens: this changes governance relationships. The govern-
ability of technologies will change due to growing uncertainty and complexity. The
96 MONICA DEN BOER AND JELLE VAN BUUREN
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
perception and the nature of privacy invasions may change as well. As noted before,
security governance nowadays embodies a focus from reaction, retribution and
rehabilitation, towards prevention and risk control. Freedom and personal responsibility
may affect the ways in which persons perceive their own and others’ identities; they need
not automatically undermine conceptions of morality and law that take personal
responsibility and free will as their starting points.
The inclusion of norms in technology involves increasing challenges to moral
outlooks in which the free choice to act morally or legally right is primordial, and new
challenges arise regarding the legitimacy of arrangements for regulation and enforcement
(Teeuw & Vedder 2008, pp. 23�24).
Despite the pivotal importance of legally enshrined data protection mechanisms, the
combination of ever expanding databases, rapidly emerging new surveillance technologies
and the accompanying forms of governance through surveillance make it necessary to look
beyond those legal rules and take into account the deeper societal transformations
encouraged by surveillance. Currently available standards may be insufficient when
measured against the vast potential of the emergent European surveillance society and
cannot provide the answer to the deeper questions of surveillance. With growing
technological means, state authorities have shifted the purposes of data-gathering and
exchange practices, but mainly gained power and knowledge about sizeable parts of the
population through performing searches on the basis of specific characteristics by means of
sophisticated data- and text-mining techniques. Irrespective of large-scale accumulation of
data governed in a horizontal or vertical manner, warning shots have been given that we
may be sleepwalking into a surveillance society. Data which have been gathered by
different public authorities can be concatenated in a powerful manner, such that new
knowledge or intelligence may arise from it.
A political-moral reflection is also required on the need for constructing (more)
security clouds and the interaction between security providers and individual citizens.
Bringing an ethical reflection into the arena of surveillance demands a multidimensional
approach, which takes international data protection standards as a point of departure but
which may reach beyond this framework in order to keep pace with the accelerated growth
of the surveillance complex. Lodge (2010, p. 1) is of the opinion that the transformational
impact of ICT on society and governance ‘proceeds without sufficient ethical, socio-legal or
political control, public consent or public accountability’. An ethics-based governance of
surveillance is characterized by a high level of adaptability to newly arising challenges;
moreover, it has to evoke moral reflection as well as having the ability to be incorporated in
the daily working practices of security professionals as well as supervisors.
Professionals who are endowed with surveillance powers should receive ethics and
data protection training at several stages throughout their career (see e.g. Neyroud &
Beckley 2001, p. 175f). Concerning, organizational transparency about surveillance
instruments and the processes employed for data-gathering and the decisions which are
based on data-collection and data-analysis,32 the EU should introduce an Information
Charter, imposing norms on public and private authorities in the EU Member States.
Accountability procedures for the surveilling authority and judicial redress for individuals
are essential in this regard (Marx 1998, p. 113). At the level of independent oversight, it
should be noted that on 9 March 2010, the EU Court of Justice ruled on criteria for the
independence of data protection authorities under EU law (Hijmans 2010).
SECURITY CLOUDS 97
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
Last but not least, checks and balances in the monitoring of the working of and
interface between European information systems is pivotal in an ethics-based governance
of surveillance. The control of European surveillance suffers from a democratic deficit
(Bohre 2010) as politicians are not obliged to account for surveillance issues if not based
on publicly accessible information and there has been limited attention from the media.
The introduction of biometric passports, like in the Netherlands, has significantly enhanced
the power of the state to the extent that individual citizens can be identified, profiled,
monitored and searched. This can have deep consequences for the exercise of classical
democratic rights. A cultural change is required from ‘collect before you select’ to ‘select
before you collect’ (Hustinx 2010). One of the most important conditions is to cultivate a
healthy ethical professionalism, in order to guarantee the integrity of data-handling.
In most democratically ruled societies, the governance of security surveillance resides
with a well-developed system for oversight at different levels, including parliaments
(parliamentary committees, parliamentary inquiries), data supervision authorities, civilian
oversight bodies (ombudsmen) and special complaints boards. In view of the emerging
security clouds, these oversight systems need to be encompassing, coherent, and
consistent.
Concluding Notes
The EU’s role as a security actor is strongly interrelated with the framing of
transnational security challenges: terrorism, organized crime, illegal migration. Building on
the narrative of a Europe that serves and protects its citizens, numerous databases have
been erected for a wide range of security-enhancing purposes. Increasingly, technological
innovation facilitates the introduction of networked surveillance technology, and this is
strongly encouraged by relevant EU actors (Den Boer 2011). The functionalities of these
new devices are increasingly subject to interconnection, convergence and synergy. At the
same time, these new security surveillance devices make it possible to invade deeper into
the private lives of European citizens. For instance, the introduction of biometric identifiers
in international data systems imply that individuals carry the border within themselves:
surveillance technologies make it possible to replace physical border controls with
omnipresent controls which allow for an intervention prior to the potential perpetration of
a crime.
In this article we have given an overview of the main surveillance trends and
instruments in the European Union, as well as highlighted some of the new trends such as
‘interoperability’ and pro-activity through intelligence-gathering. We have argued that
surveillance trends have a deep transformative effect on governance relationships, as it
profoundly affects the relationship between governmental authorities and citizens. We
have also given several examples of functional spillover of data use, e.g. from crime to
terrorism and radicalization, and from migration control into law enforcement. Moreover,
the close co-operation between the public sector and corporate security, the use of more
sophisticated methods of data-analysis, as well as the trans-nationalization of data-
exchange leads us into a diffused web of informational connections (‘Security Cloud’)
amidst differentiated accountability mechanisms33 for data exchange.34
Given the deep repercussions on governance relationships, we argue the need for a
multi-dimensional ethical framework that allows for a systematic pre-assessment of
surveillance instruments as well as information rights for European citizens of where their
98 MONICA DEN BOER AND JELLE VAN BUUREN
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
data are, for what purpose their data are used, and when their data are removed or
destroyed. For security professionals across the whole range, this implies the need for a
deeply engrained awareness of their power through surveillance, and the potential for
loss, damage, or misuse of privacy sensitive information. More than ever, ‘ethics of
surveillance’ is a crucial issue to address during the continuous training and education of
security professionals, at public and private level, as well as national and international
level.
ACKNOWLEDGEMENTS
The authors would like to thank the reviewers for their very useful comments. Any
omissions or errors are the responsibility of the authors.
NOTES
1. Legal basis of SIS II: Regulation (EC) No 1987/2006 of 20 December 2006 (OJ L 318/4,
28.12.2006) and Council Decision 2007/533/JHA of 12 June 2007 (OJ L 205/63, 7.8.2007)
on the establishment, operation and use of the second generation Schengen Information
System.
2. Council of the European Union (2011) ‘Provision of SIS and SIRENE statistics to the
Council’, 9928/11, Brussels, 10 May 2011.
3. Council Regulation (EC) No 2725/2000 of 11 December 2000 concerning the establish-
ment of ‘Eurodac’ for the comparison of fingerprints for the effective application of the
Dublin Convention.
4. VIS is based on the Visa Code (Regulation EC) No 810/2009 of the European Parliament
and of the Council of 13 July 2009 establishing a Community Code on Visas; relevant
legislation includes: Council Decision 2004/512/EC of 8 June 2004 establishing the Visa
Information System; Regulation (EC) No 767/2008 of the European Parliament and of the
Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of
data between the Member States on short-stay visas (VIS Regulation); Commission
Decision of 4 May 2010 on the Security Plan for the Operation of the Visa Information
System (2010/260/EU).
5. The establishment of the Customs Information System is provided in Title V of the
Council Regulation (EC) No 515/97 of 13 March 1997 on mutual assistance between the
administrative authorities of the Member States and cooperation between the latter and
the Commission to ensure the correct application of the law on customs and agricultural
matters.
6. For a complete oversight see European Commission (2010), ‘Overview of information
management in the area of freedom, security and justice’, COM(2010)385 final, Brussels
20.7.2010.
7. For a report of the European Parliament’s Policy Department C on Citizen’s Rights and
Constitutional Affairs on Eurosur, see PE 408.295 Briefing Paper ‘An analysis of the
Commission communications on future development of Frontex and the creation of a
European border surveillance system (Eurosur)’, June 2008. The briefing paper opines
that the evaluation of Frontex falls short of ‘critically assessing the consistence of Frontex
activities with the fundamental values upheld by the EU’.
SECURITY CLOUDS 99
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
8. Agreement between the European Union and the United States of America on the
processing and transfer of Passenger Name Record (PNR) data by air carriers to the
United States Department of Homeland Security (DHS) (2007 PNR Agreement); OJ L 204
of 4.8.2007, p. 18 (renewed agreement).
9. United States’ Customs and Border Protection (US�CBP) and the Canada Border Services
Agency (CBSA).
10. On 14 July 2008, the American Civil Liberties Union ACLU announced that the US
authorities had tagged the names of 400,000 individuals on the terrorist suspects list,
95% of whom are foreign or not a resident of the United States. 50,000 people were
tagged as potentially suspicious with regard to (terrorist attacks on) air transport, while
only 16 names were known to the authorities when the 9/11 attacks took place (ANP
Press, 14 July 2008).
11. European Commission (2010), ‘On the global approach to transfers of Passenger Name
Record (PNR) data to third countries’, COM(2010) 492 final, Brussels, 21.9.2010.
12. See also the Opinion of the European Union Agency for Fundamental Rights on the
Proposal for a Directive on the use of Passenger Name Record (PNR) data for the
prevention, detection, investigation and prosecution of terrorist offences and serious
crime (COM(2011) 32 final) (FRA Opinion 1/2011). Vienna, 14 June 2011; http://www.
fra.europa.eu/fraWebsite/attachments/FRA-PNR-Opinion-June2011.pdf (accessed 1 July
2011).
13. Society for Worldwide Interbank Financial Telecommunication, which is a company used
in roughly 80% of all international transactions.
14. Agreement between the European Union and the United States of America on the
processing and transfer of Financial Messaging data from the European Union to the
United States for the purposes of the Terrorist Finance Tracking Program, OJ L 8/11-16,
13.1.2010.
15. European Data Protection Supervisor, Press Release, 22 June 2010 Source: http://www.
edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/
Press/2010/EDPS-2010-10_TFTP_EN.pdf; accessed 13 September 2010; OJ C 355, vol. 53,
29/12/2010, pp. 10�16.
16. OJ L 8/11.
17. Report on the inspection of Europol’s implementation of the TFTP Agreement,
conducted in November 2010 by the Europol Joint Supervisory Body, Report No. JSB/
INS. 11-07, 1 March 2011 (JSB Europol Inspection Report 11-07); see also Commission
report on the joint review of the implementation of the Agreement between the
European Union and the United States of America on the processing and transfer of
Financial Messaging data from the European Union to the United States for the purposes
of the Terrorist Finance Tracking Program 17�18 February 2011, Brussels 16.3.2011.
18. European Council, ‘The Stockholm Programme � An open and secure Europe serving and
protecting citizens’, 4 May 2010 OJ C 115.
19. European Commission, Communication from the Commission to the European Parlia-
ment and the Council, ‘The EU internal security strategy in action: Five steps towards a
more secure Europe’, Brussels, 22.11.2010, COM (2010) 673 final.
20. ‘An RFID chip contains a small chip and an antenna to communicate on radio frequency
. . . The combination of a unique identity together with the place and time the identity is
displayed, can serve to track movements through an RFID system’. (Van ‘t Hof 2007, p. 15;
see also http://epic.org).
100 MONICA DEN BOER AND JELLE VAN BUUREN
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
21. For a discussion on CCTV, see European Parliament Report on the evolution of CCTV
video surveillance, PE 419.588, April 2009.
22. http://epic.org/privacy/facerecognition/ (accessed 23 June 2011).
23. Source: Electronic Privacy Information Centre, http://epic.org/privacy/facerecognition/.
24. For a discussion, see European Parliament Working Document on problem of profiling
(2008).
25. The European Court of Human Rights (S and Marper v United Kingdom, for a discussion on
this ruling, see also Guild 2010, p. 5) has specified its criteria of the lawfulness of the
storage of DNA-information in national databases, and this may have consequences for
the functioning of the Prum system (Hustinx 2010).
26. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on
the retention of data generated or processed in connection with the provisions of
publicly available electronic communications services or of public communications
networks (OJ 2006 L 105, p. 54).
27. Nordmann, A. (2004) Converging Technologies � Shaping the Future of European Societies,
Brussels: European Commission � Directorate-General for Research.
28. Inspired by e.g. The European Code of Police Ethics, Recommendation Rec (2001)10
adopted by the Committee of Ministers of the Council of Europe on 19 September 2001
and explanatory memorandum, Council of Europe Publishing, March 2002; art. 3 of the
Police Service of Northern Ireland Code of Ethics 2008 (http://www.nipolicingboard.org.
uk/final_code_of_ethics-2.pdf).
29. Ombudsman of The Netherlands, rapport Toegang Geweigerd (Access denied).
30. Lodge (2010, p. 23) is however of the opinion that currently, despite the fact that
Ombudsmen and Data Protection Registrars are essential, they are ‘insufficiently
influential’ at the stage before draft rules are finalized, certainly when it concerns
(semi-)public-private partnerships in the handling of data.
31. This is in line with the principle of informational self-determination, which exists in
Germany. In The Netherlands, citizens have been given the opportunity to opt out of the
Electronic Patient Dossier system.
32. See for instance background paper of the European Data Protection Supervisor, ‘Public
access to documents and data protection’ (2005); http://www.edps.europa.eu/EDPSWEB/
webdav/site/mySite/shared/Documents/EDPS/Publications/Papers/BackgroundP/05-07_
BP_accesstodocuments_EN.pdf.
33. Geneva Centre for the Democratic Control of Armed Forces, Parliamentary Oversight of
the Security Sector. Principles, mechanisms and practices, Geneva 2003.
34. Adviescommissie Informatiestromen Veiligheid 2007; Gill 2006, p. 33.
REFERENCES
ADVIESCOMMISSIE INFORMATIESTROMEN VEILEGHEID. (2007) Data voor daadkracht. Gegevensbestanden
voor veiligheid: observaties en analyse, Den Haag, Ministerie van Binnenlandse Zaken en
Koninkrijksrelaties.
AKDENIZ, Y. & WALKER, C. (2003) ‘Anti-terrorism laws and data retention: war is over?’, Northern
Ireland Legal Quarterly, vol. 54, no. 2, pp. 159�182.
AMERICAN CIVIL LIBERTIES UNION (ACLU). (2004) The Surveillance-Industrial Complex: How the American
Government is Conscripting Business and Individuals in the Construction of a Surveillance
SECURITY CLOUDS 101
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
Society, J. Stanley (author), New York, [Online] Available at: http://www.aclu.org/
FilesPDFs/surveillance_report.pdf (accessed 2 January 2012).
BALZACQ, T. (2008) ‘The policy tools of securitization: information exchange, EU foreign and
interior policies’, Journal of Common Market Studies, vol. 46, no. 1, pp. 75�100.
BESTERS, M. & BROM, F. W. A. (2010) ‘‘‘Greedy’’ information technology: the digitalization of the European
migration policy’, European Journal of Migration and Law, vol. 12, no. 4, pp. 455�470.
BIGO, D. (1994) ‘The European internal security field: stakes and rivalries in a newly developing
area of police intervention’, in Policing Across National Boundaries, eds M. Anderson &
M. den Boer, Pinter Publications, London, pp. 161�173.
BOHRE, V. (2010) Happy Landings? Het biometrisch paspoort als zwarte doos, Wetenschappelijke
Raad voor het Regeringsbeleid, Den Haag.
BROEDERS, D. (2007) ‘The new digital borders of Europe: EU databases and the surveillance of
irregular migrants’, International Sociology, vol. 22, no. 1, pp. 71�92.
BROUWER, E. R. (2008) Digital Borders and Real Rights. Effective Remedies for Third-Country Nationals
in the Schengen Information System, Martinus Nijhoff Publishers, Leiden.
BUTTARELLI, G. (2010) The Surveillance Policy in Europe, Today and Tomorrow, speech delivered at
the Conference for the 30th Anniversary of the CRID, Namur, 22 January.
DEN BOER, M. (2011) ‘Technology-led policing in the European Union: an assessment’, Cahiers
Politie Studies, vol. 20, pp. 39�56.
ERICSON, R. V. (2007) Crime in an Insecure World, Polity Press, Cambridge.
ERICSON, R. V. & HAGGERTY, K. D. (2006) The New Politics of Surveillance and Visibility, University of
Toronto Press, Toronto.
EUROPEAN COMMISSION. (2010) Annual Report to the European Parliament and the Council on the
Activities of the EURODAC Central Unit in 2009, COM(2010)415 final, Brussels 2-8-2010.
EUROPEAN COUNCIL. (2008) Close Circuit Television (CCTV) � Main Findings of Questionnaires, 11746/
1/08 REV 1 EXT 1 ENFOPOL 138, Brussels, 15 October.
EUROPEAN PARLIAMENT. (2008) ‘Working document on profiling, notably on the basis of ethnicity
and race, in counter-terrorism, law enforcement, immigration, customs and border
control’, Committee on Civil Liberties, Justice and Home Affairs, Sarah Ludford
(rapporteur) 30 September 2008, DT\745085EN.doc.
EUROPEAN PARLIAMENT. (2009) ‘A review of the increased use of CCTV and video-surveillance for
crime prevention purposes in Europe’, C. Norris (author), Note for the European
Parliament’s Committee on Civil Liberties, Justice and Home Affairs, PE 419.588.
GILL, P. (2006) ‘Not just joining the dots but crossing the borders and bridging the voids:
constructing security networks after 11 September 2001’, Policing & Society, vol. 16, no. 1,
pp. 27�49.
GILLIOM, J. (2001) Overseers of the Poor: Surveillance, Resistance, and the Limits of Privacy,
University of Chicago Press, Chicago, IL.
GUILD, E. (2010) Global Data Transfers: The Human Rights Implications, INEX Policy Brief, No. 9,
May, [Online] Available at: www.inexproject.eu (accessed 2 January 2012).
HEMPEL, L. & TOPFER, E. (2009) ‘The surveillance consensus: reviewing the politics of CCTV in three
European countries’, European Journal of Criminology, vol. 6, no. 2, pp. 157�177.
HIER, S. P. (2003) ‘Probing the surveillant assemblage: on the dialectics of surveillance practices as
processes of social control’, Surveillance & Society, vol. 1, no. 3, pp. 399�411, [Online]
Available at: http://www.surveillance-and-society.org (accessed 2 January 2012).
HIJMANS, H. (2010) ‘Recent developments in data protection at European level’, ERA-Forum, vol. 11,
no. 2, pp. 219�231.
102 MONICA DEN BOER AND JELLE VAN BUUREN
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
HOUSE OF LORDS. (2009) Surveillance: Citizens and the State, House of Lords Select Committee on
the Constitution, Volume I, HL Report 18-I.
HUSTINX, P. (2010) ‘Data protection for law enforcement after Lisbon’, Speech delivered at ERA-
conference Data-protection in the era of SWIFT, PNR, Prum and E-Justice, Trier, 31 May,
[Online] Available at: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/
Documents/EDPS/Publications/Speeches/2010/10-05-31_Speech_ERA_EN.pdf (accessed
2 January 2012).
KUIPERS, F. (2008) No Dream Ticket to Security. PNR Data & Terrorism, Clingendael Security Paper
No. 5, The Hague.
LEWIS, N. (2005) ‘Expanding surveillance: connecting biometric information systems to
international police cooperation’, in Global Surveillance and Policing: Borders, Security,
Identity, eds E. Zureik & M. B. Salter, Willan Publishing, Devon, pp. 97�112.
LODGE, J. (2010) Quantum Surveillance and ‘Shared Secrets’. A Biometric Step Too Far?, CEPS
Liberty and Security in Europe, Brussels, July.
MARX, G. T. (1998) ‘An ethics for the new surveillance’, The Information Society, vol. 14, no. 3,
[Online] Available at: http://web.mit.edu/gtmarx/www/ncolin5.html (accessed 2 January
2012).
MITSILEGAS, V. (2006) What are the Main Obstacles to Police Cooperation in the EU?, Briefing Paper
for the European Parliament, IP/C/LIBE/FWC/2005-24, Brussels, January 2006.
NEYROUD, P. & BECKLEY, A. (2001) Policing, Ethics and Human Rights, Willan Publishing, Uffculme.
RATHENAU INSTITUUT. (2007) Van privacyparadijs tot controlestaat? Misdaad- en terreurbestrijding in
Nederland aan het begin van de 21ste eeuw, Studie 49, February, The Hague.
SHEPTYCKI, J. (2007) ‘High policing in the security control society’, Policing, vol. 1, no. 1, pp. 70�79.
SIETSMA, R. (2007) Gegevensverwerking in het kader van de opsporing. Toepassing van datamining
ten behoeve van de opsporingstaak: afweging tussen het opsporingsbelang en het recht op
privacy, University of Leiden, Leiden, doctoral dissertation.
TEEUW, W. B. & VEDDER, A. H. (EDS) (2008) Security Applications for Converging Technologies. Impact
on the Constitutional State and the Legal Order, WODC, Den Haag.
TORPEY, J. (1998) ‘Coming and going: on the state monopolization of the legitimate means of
movement’, Sociological Theory, vol. 16, no. 3, pp. 239�259.
VAN LINDE, E. (2002) Quick Scan of Post 9/11 National Counter-terrorism Policymaking and
Implementation in Selected European Countries, RAND, Europe.
VAN ’T HOF, C. (2007) RFID & Identity Management in Everyday Life. Striking the Balance between
Convenience, Choice and Control, Rathenau Institute, The Hague.
WATSON, B. & WALKSH, K. (2008) ‘The road safety implications of automatic number plate
recognition technology (ANPR)’, The Centre for Accident Research and Road Safety,
Queensland, [Online] Available at: http://eprints.qut.edu.au/13222/1/13222.pdf (accessed
16 January 2012).
WHITAKER, R. (1999) The End of Privacy. How Total Surveillance is Becoming a Reality, The New
Press, New York.
ZEDNER, L. (2009) ‘Fixing the future? The pre-emptive turn in criminal justice’, in Regulating
Deviance: The Redirection of Criminalisation and the Futures of Criminal Law, eds S. Bronnit,
B. McSherry & A. Norrie, Hart Publishing, Oxford, pp. 35�58.
ZUREIK, E. & SALTER, M. B. (2005) ‘Global surveillance and policing: borders, security, identity:
Introduction’, in Global Surveillance and Policing: Borders, Security, Identity, eds E. Zureik &
M. B. Salter, Willan Publishing, Devon, pp. 1�10.
SECURITY CLOUDS 103
Dow
nloa
ded
by [
Uni
vers
ity o
f W
inds
or]
at 0
1:24
28
Sept
embe
r 20
13
