for freedom. Flickr/Ashiful Haque. Some rights reserved.It looks like an ironic twist in history: liberal democracies at the beginning of the twenty first century seem to emulate imploded communist dictatorships of the second half of the twentieth century in their surveillance and control practices.

The rapid development and wide availability of technologies, such as telecommunication data mining technologies, profiling and predictive analytics, biometric identification and pattern recognition, location tracking technologies, as well as surveillance in the form of unmanned aerial vehicles (UAVs) and  closed-circuit television (CCTV), has obviously increased the propensity of state agencies to make use of them. 

Security technologies enter into and transform the relationship between state bureaucracies and society in a way unforeseen by Thomas Hobbes in the sixteenth century, or by Michel Foucault in the second half of the twentieth century. This ambivalent co-evolution of the state-technology-society relationship has given rise to phenomena as different as the Arab Spring and massive data retention practices by several national governments across the globe. the economic and political stakes are thereby so high that such phenomena become of geo-political, superregional salience. 

Most political efforts to cope with insecurities end up resorting to increased control, while citizens’ waning trust in public authorities often gets left out of sight/ out of mind. Trust seems, however, to be a key factor in all security strategies.

The ill-defined concept of security

Gradually over the past decades, domestic and foreign dimensions of security have got merged, and increasingly, more aspects of social life, such as health or the environment, and their connection with political realities across the globe became securitized, often under the label of “human security”.Gradually over the past decades, domestic and foreign dimensions of security have got merged.

Thereafter, the attacks of September 2011 in the US provided the master narrative for the emergence of a novel kind of all-encompassing “homeland” security, or “security of the citizens” paradigm, as the more colloquial term in Europe has it. In this paradigm, distinctions between safety (referring to protection from accidents), and security (referring to protection from intentional attacks), are getting increasingly blurred, so that pre-emption appears to be the opportune strategy to cope with the sources of threat.

Already centuries ago, “security” probably had such fuzzy, ill-defined contours. But it is currently becoming evident to more people that security strongly resembles a “wicked problem”. Wicked problems are generally defined as the result of plural interests and value divergence among stakeholders; institutional complexity due to multi-level and inter-organisational governance; and, not least, scientific uncertainty regarding reliable cause-effect relationships.

First, the issue of uncertainty in reliably estimating cause and effect and taking adequate action has given rise to risk, vulnerability and resilience discourses. Second, there is the issue of the complexity of actors involved in decisions, who occupy different regional, national, international governance levels, and are embedded in different epistemic networks. And, third, an ambiguity in values occurs in the very attempt to define and so agree upon desirable and acceptable security policy objectives.

Those three dimensions turn “security” and practices of security provision into a  highly contentious field, where the problem never enjoys unequivocal definition, and the available solutions dictate the strategies to address the problem, instead of vice-versa. There have been several demonstrations of “clumsy” solutions given to current challenges to the protection of urban critical infrastructure, border control, “illicit” migratory movement and human trafficking, counter-terrorism and anti-radicalization policies, transnational organized crime, and cyber-security. The efforts by European and national agencies to cope with unprecedented immigration flows by monitoring borders via location and tracking technologies, certainly demonstrated poor grasp of background dynamics of the problem.

Politics: opportunism and reactive actionism

How do decision-makers cope with the wicked triangle of complexity, uncertainty, and ambiguity? Security policy is a high risk/high gain game for political decision makers. Security policy is a high risk/high gain game for political decision makers. As even one single accident or attack might prove fatal for their careers and for the longevity of governments - politicians and policy makers in agencies with a security-relevant mandate tend to think in worst-case scenarios. Having said that, one should recognise the existence of cleavages which run across political parties about issues of border control, data protection, or public surveillance, but also of occasional controversies among the executive, legislative, and judicative branches of government.

Not least, one should take note of the tensions between policy makers in the administration, often technocrats following bureaucratic routines, and politicians, frequently captive to party politics, prone to shifting agendas opportunistically. Academic political analysts often get this wrong, but policy makers care less about the consistency and coherence of their strategies and measures, and focus instead on two very different Cs: compatibility and political commitment. Compatibility, in the case of security policy, is sought with regard to policies in other fields, e.g. justice, or industrial and trade policies, which are also vital for perceived ‘national’ interests and have to be reconciled with security considerations. Commitment, on the other hand, is a result of advocacy coalitions which promote specific framings of an issue, advancing it until it becomes a security-relevant problem on the agenda. Both latter Cs reflect the workings of politics behind the policies, even if this makes policies appear to be incoherent and inconsistent, and also, at the end of the day, ineffective.

Security policies remain, due to at least some of the above reasons, almost always reactive in character, and, despite respective political declarations, they seldom live up to the claim to be proactive and anticipatory.

Massive data collection and retention by national authorities has often been justified by security authorities as a pre-emptive measure, yet their link to effective prevention is far from being unequivocally documented and legitimate. Events such as terrorist attacks, or leaking revelations like those reported in the media in the past couple of years, trigger (more) legislation, and (new) measures in an actionist manner, by which I mean that it is more important for politicians to be seen to be doing something than actually doing anything - preferably announcing the intensification of one or other measure, or the introduction of exceptional emergency provisions, in order to demonstrate in front of camera crews that the state is in control of the critical situation. This happens almost always after negative headlines appear in the media, and after citizens get out in the streets to protest.

Actionist and symbolic security measures dominate policy, and are usually passed through parliament with TINA (There-Is-No-Alternative) arguments. What is more, political decision-makers often drastically reduce the complexity of security challenges by pointing e.g. either to concrete “weak spots” in critical infrastructure grids, or to “suspect telecommunications” among potential agents of terrorist acts.

By pinning down the problem, policy makers furnish it with intelligible contours. This enables them to promote particular solutions, even if the problem analysis is based upon a simplistic diagnosis, and the solutions resemble  - at best - symptomatic therapies. Such solutions in security policy are premised most of the time on formulas of the type “the more X we do, the more secure we are”, whereby x often stands for “control”.  However, whenever security policy formulas of this type disregard second-order non-intended effects of purposeful action, or laws of diminishing returns, they turn themselves into security risks. 

Security technologies: the mantras of high-tech “Solutionism” and data “Collectionism”

The boom in recent years of ICT research, combined with spill-overs from technologies originally developed and applied for either defence or medical purposes, opened up the possibility of transferring those or hybrid forms of technologies into the civil security field. An example of that kind of “function creep” is heart-beat detectors, first used on the Iraq war battlefield in 2003, which have ever since found broad usage in border control for detecting living beings transported in containers, but also in crisis and emergency management, for locating survivors under debris.

Technologies such as RFID ( radio frequency identification), location and remote tracking technologies, terahertz radiation, or pattern recognition, have found wide “dual use” both for military and civilian purposes in unmanned aerial vehicles (UAVs), body scanners, or CCTV in public spaces. A similar ambivalence exists for deep packet inspection and information extraction technologies (DPI), which may be used in telecommunication interception at once for increasing the resilience and safety of a network, for commercial advertising, but also for warrantless intelligence and censorship purposes. 

The industrial supply of security-relevant technologies has gradually created and consolidated the market demand for them, not least due to the allocation of research funding for their development and their endorsement by public authorities.

The global security industry, although not always easily identifiable or distinguishable from its older and much better established defence ‘sister’, develops security relevant products with a turnout of an estimated € 200 B, a major part of which comes from European industry. The security technology sector, surveillance technologies in particular, has been a fast growing sector even despite the financial crisis, with the demand from public and private security providers rising year by year since 2010. A considerable number of European policy makers see in the deployment of high-tech solutions the major component for security measures. Moreover, this has proved to be beneficial not only for export and industrial competitiveness policies, but also for employment policies (an estimated 2.3 million people work in that industry). 

A related trap to that of technological solutionism has been the (revealed) trend to indiscriminately collect huge amounts of citizens’ transaction data. A related trap to that of technological solutionism has been the (revealed) trend to indiscriminately collect huge amounts of citizens’ transaction data. The current mantra of “big data” mirrors the optimistic expectation in public health, conflict management, and increasingly in public security, that collection of more data processed automatically by algorithmic provide security practitioners with reliable profiling of suspects and  predictions and threat patterns. 

Yet, so far, this high-tech-solutionist and data-collectionist paradigm in security policy seems to so far lack the plausible evidence base required to gain legitimacy. Evidence about success in prevention and mitigation of attacks, but also about failure and undesirable performance of security measures is rarely accessible, often for “security reasons”, but also because effectiveness in  performance is not systematically monitored. Is the application of all those technologies in their concrete societal contexts fit-for-purpose in terms of delivery? Or do security measures suffer from a “hammer-nail” bias, where the supposed security challenges are being tailored to match the respective solutions? Are the deployed technologies effective and proportionate, that is, do benefits outweigh costs? Last, and certainly not least, are those technologies ethically acceptable and in line with existing legal provisions?

Experience so far has shown that with regard to screening and profiling technologies too many type-I (false positives), and type-II errors (false negatives) occur, which curtail their effectiveness, credibility and acceptability in practice. It is also far from clear how security analysts navigate in the ‘soup’ of big data in order to pick up the needle in the haystack. The volume of rapidly accumulating data is overwhelming and it seems higly questionable that security authorities can make sense or appropriate use of them. Can it be that, more often than not, good old profiling methods, which definitely discriminate against social, ethnic and religious groups, come into play? Are those technologies also effective and proportionate, that is, do benefits outweigh costs?

The demand that security policies demonstrate when security tools deliver on their set objectives, and do not misfire, by being irrelevant or ineffective, causing opportunity costs, or even backfire, by having counterproductive boomerang effects, such as the violation of anti-discrimination provisions and civil liberties, is legitimate. Corrective measures promoted by technology developers and often readily accepted by policy makers promise to reconcile security objectives with privacy requirements. These  comprise, for example, privacy-by-design (PbD) or privacy enhancing technologies (PETs) as add-ons. Something stays, nevertheless, in the blind spot of such approaches: using technological fixes to amend problems caused by technologies themselves is caught in an infinite Red-Queen’s race. This paradoxical effect of having to speed up in order to keep pace with these developments was sarcastically described by Lewis Carroll in 1871 in the story of the red Chess Queen, who instructed Alice: “Now, here, you see, it takes all the running you can do, to keep in the same place.”

The citizens: do frogs in boiling water come to mind?

Can it be that, more often than not, good old profiling methods, which definitely discriminate against social, ethnic and religious groups, come into play?Do citizens run fast enough in order to save themselves from threats, but also in order to escape all the undesirable consequences induced in our societies by security technologies? The current picture is rather mixed across Europe. Unlike the organized civil society and activist pressure groups for digital rights and civil liberties, which are well informed and actively engaged in promoting their agendas, citizens in general do not seem particularly mobilized against the negative consequences of intrusive practices by state authorities. 

 A recent Eurobarometer survey on Data Protection conducted in March 2015, revealed that almost 50% on average of the respondents in the 28 EU member states had not heard about revelations concerning public authorities which collected citizens’ data for national security reasons (p. 23)

Half of those aware of the recent revelations stated that they had had a negative impact on their trust about the usage of their data, while 40% stated that there had been no impact on their trust (p. 25)

In the Eurobarometer survey regarding “Europeans’ attitudes towards security”  conducted again in March 2015, the impact of new internet, smart phone, etc. technologies upon the rights and freedoms of citizens, but also upon the security of citizens has been assessed by half of the respondents in both cases as positive (p. 49)

However, 55% of the respondents believe that fundamental rights and freedoms had been restricted in the fight against terrorism and organised crime, while roughly 40% thought that no serious restrictions had taken place (p. 45)

Responses to surveys fluctuate of course in time due to citizens’ reactions to events such as attacks or revelations of unsolicited state activity. Citizens who otherwise thought that the US government did not do enough to protect them, responded in July 2013 (after the revelations by E. Snowden) in a survey conducted by the Pew Research Center saying that the government had gone too far in restricting civil liberties. Citizens in general do not seem particularly mobilized against the negative consequences of intrusive practices by state authorities.

Citizens ought to be the ultimate beneficiaries of security measures, and, in any case, they are the ones who get primarily affected by them, although they have no voice at the decision table.

Most policy makers conveniently – and erroneously – equate   important “societal dimensions” of security with citizens’ acceptance of invasive security technologies. Something similar occurs whenever “ethical” concerns are narrowed down to compliance with data protection guidelines. In discussions about responsible security R&D, one should not conflate acceptance of e.g. surveillance technologies, which is always a snapshot of public opinion, with its acceptability, which provides a list of criteria for conditioning technology application in correspondance to cultural values, principles, and laws.

Citizens, furthermore, weigh and, explicitly or implicitly, make trade-offs in their preferences and priorities in terms of their wish to be secure, but also to be active in social media and networks, or or to conducti business. It might well be that many gradually get used to the fact that circulating and exposing personal data  increasingly and inadvertently becomes a normal part of the everyday life. This development brings to mind, at the same time, the brutal, but very instructive frog experiment. One frog is thrown into a pot with boiling water: it immediately springs out and saves itself. A second one is already in the pot from the beginning and gets gradually heated with the water. It stays there and does not attempt to jump out before the water starts to boil...

Security as a public good

It makes a difference how security is framed each time by different influential stakeholders from politics, industry, academia, to civil society. Is it about securing borders and critical infrastructure? Is it about securing national sovereignty and protecting citizens? Is it about freedom from fear? Awareness-raising and informed public debates about desirable and undesirable security policies, their benefits and costs to various stakeholder groups in society, cannot be meaningful if one side reacts with ‘moral panics’ while the other conceals mistakes and does not seek responsible and sustainable ways to address security threats, with society and not against it.

Security is mediated and valorized by trust. Even if citizens were to get used to the side effects of the increasing application of security technologies, trust in public authorities would still define the relationship between the state and the society at least as much as control. Trust defines the relationship between the state and the society at least as much as control. And from a governance perspective, the law of diminishing returns demonstrates an ominous security paradox. When more invasive security controls are conducted, a tipping point will be reached after which trust of citizens will be undermined instead of being raised, and citizens will feel less secure.

The blind spot in many political declarations about public security is that they neglect, deny, or distract people from non-intended and non-anticipated impacts of the security measures themselves. A medical metaphor from public health should elucidate this point. Effective therapies are premised upon good diagnoses of the disease, along with a clear understanding of the ultimate goals. Even the best medication can unfold its beneficial effects only if applied properly and in a proportionate manner within a narrow zone of cases. It can be ineffective, full of side-effects, or even lethal if used to cure all the other cases. Needless to say, the active cooperation of the patient is almost always crucial for the success of the cure.

Unlike in the field of public health, evidence-informed decision-making for checking the effectiveness and efficiency of measures is largely missing from public (and also international) security strategies, so that some obvious mistakes are being repeated again and again. ‘Evidence’ encompasses here a broader knowledge base than purely scientific facts, and includes values and principles, minority group concerns and sensitivities, and also cultural and institutional realities.

The more complex, uncertain, and ambiguous the policy challenge is, the earlier, and the broader the engagement of societal stakeholders should be. To be sure, this will not make issues such as counter-terrorism, border control, or surveillance and data retention less contentious, or their politics less adversarial. Security, privacy, ethics, fundamental rights will remain moving targets for national and particular international policies and regulations, and will resist once-and-for-all settlement. Yet, turning civil society from passive addressee of policies into active agent will help to ground security practices to the everyday realities of the citizens. To foster dialogue about insecurities and the appropriate ways to address them, all sides should overcome simplistic stories that impede open dialogue about what should be regulated and how. 

Engagement, when it comes too late, often takes the form of protest. Many wish that citizens could get mobilized earlier with a constructive view on the future, and reflect upon how their lives should be in 10 or 20 years from now. In equal access multi-stakeholder exchange, political decision-makers should consult about desirable and feasible goals of security measures, about valid diagnoses and rankings of security threats, as well as about legitimate, accountable, and effective security policies. Inclusive ways of exchange in democratic contexts should help to minimize populist ideological assertions, or particularistic accounts of private interests, and enable security policies to adhere as closely as possible to an identifiable public interest.

While increasing technologization tends to depoliticize and commodify security, this is the point in time where polities should start thinking of security as a public good, where all involved are potential winners or potential losers.

There is an acute and growing tension between the concern for safety and the protection of our freedoms. How do we handle this? Read more from the World Forum for Democracy partnership.