A Workshop on Ethical, Legal, Social Issues in Networked Information Exchange for PPDR
The Workshop will be followed by the PSCE Conference which will take place 18-19th May.
The Invitation for the ELSI Workshop is available here.
9:30 – 10:00 Registration - Coffee/Tea 10:00 – 10:30
Welcome, Introduction, Plan for the Day
10:30 – 10:45
Novelties of the General Data Protection Regulation
Irina Vasiliu, DG JUST, European Commission
10:45 – 11:00
Towards a new digital ethics, the EDPS and the Ethics Advisory Group
Delphine Harou, EDPS
11:00 – 11:15
Legal certainty and public safety by design
Mireille Hildebrandt, Professor Vrije Universiteit, Brussels, Belgium
11:15 – 11:40 Discussion 11:40 – 12:00 eVACUATE Project, Hanneke Vreugdenhil, HVK Consultants 12:00 – 13:00 Lunch 13:00 – 13:20 ECOSSIAN Project, Jessica Schroers, legal researcher at KU Leuven, CiTiP 13:20 – 13:40
Providing Information Privacy with Attack Modelling
Blaž Ivanc, Jožef Stefan Institute, Slovenia
13:40 – 14:00
Multi-stakeholder collaboration for European Commission's standardisation request on data protection by design in security technologies
Matthias Pocs, ANEC, Germany
14:00 – 14:20
14:20 – 14:30
14:30 - 14:50
Draft Whitepaper: ELSI Guidelines for IT in Risk Governance
14:50 - 15:30
Whitepaper Discussion and Exploration of Opportunities for H2020 Calls and Future Programmes in Groups
Please see here for more detail
15:30 – 16:00 Coffee break 16:00 – 17:00 Plenary Discussion 17:00 - 17:30 Next steps
Who should participate?
This workshop brings together participants from emergency response agencies, academia, legal practice, humanitarian response, volunteer & technical communities, technology development, and policy and standardisation bodies.
The aim of this workshop is to develop resources that support the PSCE community in defining proactive responses to ethical, legal and social issues (ELSI) arising in networked, collaborative PPDR, focusing on socio-technical innovation around information and communication technologies. One such resource are ‘ELSI Guidelines’. Please see the short paper ‘ELSI Guidelines for Networked Collaboration and Information Exchange in PPDR and Risk Governance’ to be presented at ISCRAM 2016 for further information.
This workshop raises awareness by sharing experiences of ELSI, interpretations of opportunities and challenges, and innovative responses in technology design, organisational, regulatory and policy innovation in the field of PPDR. Topics include, but are not limited to:
- ELSI in future communication networks (e.g. ownership of infrastructure)
- ELSI for PPDR professionals and organisations (e.g. new forms of psychological pressure, accountability and liability, challenges of translating awareness of ELSI into practice, such as enacting respect for the vulnerable in the use body worn video)
- ELSI in data (e.g. data quality and meaning, social sorting, how to understand how one is ‘being read’)
- Methodologies of addressing ELSI proactively (e.g. Privacy Impact Assessment, Ethical Impact Assessment, collaborative design, value sensitive design, digital ethics)
- Designing and implementing ELSI-aware innovation (e.g. support for accountable datamining, informational self-determination, trust)
- ELSI in new partnerships (e.g. who to include, who to exclude, how to negotiate different interests and perspectives)
The aim of this workshop is to explore how it might be possible to address ethical, legal, and social challenges and opportunities through creative design of IT for networked PPDR. Exploring these issues in practice, from a multidisciplinary perspective, can open up how addressing these issues might lead to new possibilities for productive collaborations and ways of approaching interoperability through European values of equality, liberty and solidarity. The workshop seeks to develop resources for the PSCE community, such as guidelines and/or a whitepaper.
Submissions of Abstracts & Important Dates
The workshop will include a series of presentations and facilitated discussions. We invite presentations on the above topics from practitioners, researchers from different disciplines (e.g. social science, law, policy, organizational theory, computing), technology developers, policy-makers and regulators, non-governmental organisations, members of affected publics and others interested in these matters.
- Submission of Abstracts 14th April 2016
- Notification of Acceptance 16th April 2016
Registered participants include Blaž Ivanc http://www.redirnet.eu
Please join our mailing list ELSI-CRISISIT
Accommodation is available directly at Hotel BLOOM!. Interested participants are advised to book their rooms on this link before 17 April 2016. After this date, rooms will not be guaranteed. The address of the hotel is: Rue Royale 250, 1210 Brussels, Belgium. Practical information is available here.
The fields of public protection and disaster relief (PPDR) are increasingly supported and coordinated by ICT systems. Capabilities of ICT systems used for information management depend on their specifications, varying from ad-hoc and high speed wireless communication networks, to networked mobile collaboration technologies and social networks of public and public-private partnerships. Some ICT systems support formal and informal social networks on local, national or part of Pan-European levels. Many innovations in technology, organisational practice, regulatory frameworks and policy instruments aim to support these networks and enhance interoperability of available technologies.
Ethical, legal and social context
It is increasingly recognised that ICT systems used for PPDR, apart from technical challenges, face ethical, legal and social issues (ELSI). The latter include not only opportunities for new, more inclusive partnerships, including private and civil society actors and more coordinated disaster risk governance between different types of first responder organisations, but also challenges to privacy, liability, accountability, social practices of sharing and controlling information, trusting people, organisations and technologies, dealing with issues around the relevance and quality of information, information overload, the immediacy of transfer (e.g. of distressing images), digital divides and more.
Challenges and Opportunities
These issues are - paradoxically - often either regarded as constraints for innovation or as subject to exceptions. For example, the need to ensure trustworthy information can be seen both as limiting how far technical potential can be exploited for networked PPDR and as not applicable to PPDR, because time-critical needs for information can override a need for accuracy and reliability. Similarly, data protection issues are often seen as either a limiting constraint for innovation in PPDR or as subject to exceptions. Awareness that ELSI are an inescapable, integral aspect of all technology design and use is growing, but there is a lack of approaches that translate this awareness into proactive, creative, and uncompromisingly ELSI-sensitive social, technical and socio-technical innovation. This limits the value and usefulness of novel technologies, ways of working, regulatory reforms and policies. In practice, ELSI present multi-faceted challenges and opportunities that are difficult but also highly important and rewarding to address.
Abstracts and Speaker Biographies
Novelties of the General Data Protection Regulation - Irina Vasiliu, DG JUST, European Commission
Abstract: Ms Vasiliu will present the General Data Protection Regulation and speak about its relevance to public safety and security, as well as the peculiarities that need to be taken into account when collecting data from individuals during emergencies.
Bio: Ms Irina Vasiliu works at the European Commission's Directorate-General for Justice and Consumers (DG JUST) on the data protection reform. She closely follows the work of the European institutions on the areas of fight against terrorism, data protection and police cooperation. Ms Vasiliu is a member of the Transatlantic Legislators Dialogue (TLD) and has been involved in several European Commission Delegations to the United States of America and discussions on the PNR agreement and the General Data Protection Regulation. Ms Vasiliu has studied European and Romanian law and public administration with a focus on human rights, European criminal law and international relations.
Towards a new digital ethics, the EDPS and the Ethics Advisory Group - Delphine Harou, EDPS
Abstract: Our societies are rapidly evolving into spaces and communities dependent on massive collection and use of personal information. New technologies have an impact on individuals which is impossible to predict, even in the short - or the medium term.The EDPS has set up the Ethics Advisory Group to investigate how intensive use of personal information is likely to affect individuals and shape society in the years to come and how we can respond to safeguard human dignity as the foundation of the EU's framework of values and rights. The discussion will be an occasion to learn about the intentions of the EDPS in the domain of digital ethics.
Bio: Delphine Harou heads the secretariat of the Ethics Advisory Group. She is Head of Prior checking at the European Data Protection Supervisor (EDPS) and works in close cooperation with the Data Protection Officers of the EU institutions. She is currently acting Head of the Supervision and Enforcement Unit of the EDPS.
Legal certainty and public safety by design - Mireille Hildebrandt, Vrije Universiteit, Belgium
Abstract: Our environments are increasingly data-driven, and so is PPDR. Legal protection and public safety 'by design’ refer to new practices that aim to make sure that information and communication technologies do not disrupt agreed legal goods such as privacy or safety, notably when enabling data flows to enable disaster prevention, mitigation and relief. To respond to the ELSI challenges of mobile, networked, collaborative PPDR, it is important to explicitly confront one of the core dimensions of legal protection, that is, legal certainty. Any effort to formulate ‘ELSI guidelines' must acknowledge that legal and ethical operations in the field of PPDR raise questions about the balance between stability and flexibility that such Guidelines must accommodate to generate both trust and trustworthiness. In this talk I will address the issues of necessity and proportionality of data processing as an example of stable but flexible legal requirements in the domain of fundamental rights, calling for legal precepts that operate on the cusp of legal certainty, digital security and public safety.
Bio: Mireille Hildebrandt is a research professor at Vrije Universiteit Brussel, with a focus on 'Interfacing Law and Technology', at the Faculty of Law and Criminology. She is also a professor at the institute of Computing and Information Sciences at Radboud University Nijmegen, holding the Chair of Smart Environments, Data Protection and the Rule of Law. Her research focus is on law, technology and philosophy, with an emphasis on artificial agency.
Short Work in Progress Presentations - ECOSSIAN Project - Jessica Schroers, legal researcher at KU Leuven, CiTiP
Abstract: The protection of Critical Infrastructure (CI) increasingly demands solutions which support incident detection and management at the levels of individual CI, across CIs which are depending on each other, and across borders. An approach is required which really integrates functionalities across all these levels. Cooperation of privately operated CIs and public bodies (governments and EU) is difficult but mandatory. ECOSSIAN is a European attempt to develop this holistic system.
One goal is a prototype which facilitates preventive functions like threat monitoring, early indicator and real threat detection, alerting, support of threat mitigation and disaster management. The factors of societal perception and appreciation, the existing and required legal framework, questions of information security and implications on privacy will be analyzed, assessed and regarded in the concept. The mission of ECOSSIAN is to improve the detection and management of highly sophisticated cyber security incidents of and attacks against critical infrastructures by implementing a pan-European early warning and situational awareness framework with command and control facilities.
Beside the need to reduce financial risks and to use budgets in a cost-efficient way, decisions on security measures in general and on CIP measures in particular are often strongly driven by political, societal, ethical, legal, administrative etc. factors and restrictions. They are mostly not expressible in monetary or physical units. These factors may range from political appropriateness, social perception, privacy violations and acceptancy by people or fears on environmental impacts.
Supposing that the ECOSSIAN framework will develop into an operational system, it needs to be evaluated against how it will influence and how it may be influenced by such socio-political factors.
We will present an approach for assessing in a systematic way how the utility of security measures in Critical Infrastructures is influenced by intangible factors as opposed to tangible or quantitative factors like money, loss of supplies, number of fatalities or similar. Such intangible factors are also called here qualitative criteria. Typical qualitative criteria are fear, freedom of movement, loss of time, but factors like subjectively perceived security, data privacy or compliance with existing rules of law etc. as well.
For ECOSSIAN a methodology and comprehensive catalogue of qualitative criteria is derived from a former EU project and other resources, and modified for the purposes of ECOSSIAN. The methodology QCA is demonstrated with a selection of basic parameter variations like application scenarios or type and objective of stakeholders. Recommendations are given for a full-scale evaluation with the tool to accompany and support the implementation of the ECOSSIAN system in Europe in the future.
 ValuSec Project (FP7), D6.2_Tools_and_Data_Setup and 6.3_Experiment_results_conclusions_recommendations, http://www.valuesec.eu.
 Qualitative Criteria Assessment
Short Work in Progress Presentations - eVACUATE Project - Hanneke Vreugdenhil, HVK Consultants
Abstract: In the FP7 eVACUATE project the intelligent fusion of sensors, geospatial and contextual information, with advanced multi-scale crowd behaviour detection and recognition is being developed, in order to assist crisis managers in evacuation decision making. One of the technologies to be developed and demonstrated in the eVACUATE project is chipless Radio Frequency Identification System (RFID) to detect humans for crowd monitoring. In the eVACUATE project team recently a discussion has been held to agree in more depth on the data protection requirements and principles that the project partners in eVACUATE have to follow in the course of their research activities when they work with personal data. In this abstract we focus on the chipless RFID technology. The role of these tags will be to update and maintain the Active Evacuation Route (AER) by counting the number and type of individuals who pass through a specific place, where an appropriate RFID reader is installed, e.g. at the entrance of a metro station. There are some practical issues that could result in the decrease of the accuracy of the technology. The most important one is that the technology does not show the direction of movement of the individuals, i.e. it can only locate the proximity of a certain tag next to an RFID reader, without knowing whether actually someone has exited the space and should not be counted as part of the crowd any more.
A Privacy Impact Assessment (PIA) needs to be carried out for the use of RFID tags in the eVACUATE pilot demonstrations. The purpose of the PIA is to identify the privacy and data protection risks associated with the RFID application, as well as to define the mitigation measures that need to be taken in respect of these risks. This is to help the operators of RFID technologies be privacy compliant and monitor more systematically their privacy compliance throughout the period of operation of their RFID technology.
Some privacy and data protection risks have been defined already, for which mitigation measures should be taken into account:
- Information security (e.g. skimming, eavesdropping)
- Information accuracy (info on ticket and of number of people), e.g. when ticket bent or carried by people
- Lack of transparency
- Lack of voluntariness
- Re-use of data (e.g. information that someone is disabled) for incompatible purposes (e.g. marketing, tracking not related to evacuation and crowd management purposes)
- Data storage and tracking
The discussion reveals that while the eVACUATE chipless RFID technology does not as such seek to identify individuals, it still poses certain risks to their privacy and data protection rights. Thus, in the further development of the technology and its potential future exploitation in operational situations, the risks discussed should be addressed in order to prevent the negative impact on individuals.
Bio: Hanneke Vreugdenhil is senior consultant crisis management for HKV consultants in the Netherlands. She is involved in several projects, related with flooding en safety. In the FP7-project eVACUATE she is responsible for end user involvement and the organisation and evaluation of four pilot demonstrations in Greece, Spain and France. The eVACUATE system is a tool for situation awareness and decision support for sustaining active evacuation routes. Crowd modelling is incorporated in the tool, based on data collection and analysis. During the ELSI workshop she will discuss some ethical and privacy issues related to chipless Radio Frequency Identification System (RFID), which will be used in the pilot demonstrations to count evacuated people and to indicated people who might need help.
Providing Information Privacy with Attack Modelling - Blaž Ivanc, Jožef Stefan Institute, Slovenia
Abstract: The issue of privacy has never been as prominent as it is today. With the development of information technology, increasing spread of information systems and connection of databases, information privacy has become a rather elusive term. Attack model is a fundamental tool for setting up the attack scenario, which shows the process of the attack and the techniques used.
Attack modelling is one of the most important methods for detecting weak points of information systems. It raises security awareness and helps us to prepare for possible scenarios which we would like to avoid in practice. If we prepare ourselves for potential security incidents, we can adequately protect corporate environment and make sure the incidents do not occur. In an effort to improve attack modelling and remedy certain weaknesses of the existing models, we developed a model called the Enhanced Structural Model (ESM). The model eliminates certain limitations that are present in the attack modelling.
The current problems in privacy protection could be successfully remedied if we did not wait until the invasion of privacy occurs and eliminate the consequences after the violation. The solution lies in the focus on incident prevention and on the systematic integration of privacy protection mechanisms. In planning and verifying system privacy protection, regular use of the attack modelling method would be recommended.
Bio: Blaž Ivanc, Jožef Stefan Institute, works in the field of information security, especially in critical infrastructure and have a strong background in threat intelligence, security requirements engineering and "red team" security validation. As a researcher at Jozef Stefan Institute, he works on security guidance and evaluation of public safety communications and emergency management information systems. He is also a regular lecturer at various conferences and conduct trainings/consultations in the area of operations security for the key staff in corporations and law enforcement agencies. In addition, he was the professional head of the 1st international conference in the field of intelligence and security informatics that took place in Slovenia.
Multi-stakeholder collaboration for European Commission's standardisation request on data protection by design in security technologies - Matthias Pocs, ANEC, Germany
Abstract: The European Commission requested a European standard on security industry and privacy by design to be developed by the European standardisation organisations until 2019 (C(2015) 102 final, M/530). This standard will be a co-regulatory resource developed for communities such as the PSCE's on citizen privacy and data protection in ICT-based civil-security products and services. It will also support upcoming EU legislation to come into force in 2018 on data protection by design  .
To this end, the European Committee for Standardization (CEN) and European Committee for Electrotechnical Standardization (CENELEC) have set up the Joint Working Group 8 "Privacy management in products and services" (JWG 8), in which Matthias Pocs represents the consumers as a delegate of ANEC - The European consumer voice in standardisation. ANEC contributed to drafting of the Commission's request the requirement for CEN-CENELEC to take into account "fundamental ethical and legal values, follow the legal principles of privacy and data protection and [innovative] privacy goals such as decentralised processing and anonymity."
This contributions aims to explore why currently there is a lack of commitment in the development of the European standard requested by the Commission, and how to engage stakeholders participating in this workshop. Currently, stakeholders are not represented in a balanced way. Groups represented in the JWG 8 tend to be specialised in privacy and IT security but not in PPDR and other domains of civil security. As a result, questions remain unanswered: Should the work focus on security industry as requested by the European Commission or apply to all existing sectors in the market? Should it focus on generic privacy management processes or real technological privacy safeguards? ANEC argues that the involvement of relevant stakeholders as well as concretisation ("translation") of general ethical and legal principles into sector-specific rules (such as the civil security sector) are needed to resolve legal uncertainty and implement privacy by design in such a way that response teams and other stakeholders can focus on their primary tasks in their daily work.
Stakeholders could benefit from particpating in the development of the standard which will apply to their work, because it offers a competitive advantage and higher reputation, respectively. However, they would need to go to the their country's standardisation body (EU, EFTA, FYROM, Turkey) to apply for membership and ask for authorisation to attend the meetings of the JWG 8 on behalf of the national body . Since every decision in the standards body needs at least 5 countries, relevant networks such as the PSCE community, industry associations, user groups and consortia can play an important role in coordinating contributions to the standards body. In parallel they can apply for direct liaison with the JWG 8 but they need their members as representatives of emergency response agencies, academia, legal practice, humanitarian response, volunteer and technical communities, manufacturers, service providers and policy makers in order to fulfil the five-countries rule. In support, approaches can developed by carrying out collaborative European projects on ELSI in PPDR information exchange.
1. Article 23 ("data protection by design and by default") of the General Data Protection Regulation (GDPR): Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [first reading] - Political agreement, ST 5455 2016 INIT, 28 January 2016.
2. Article 19 ("data protection by design and by default") of the Police Data Protection Directive: Council of the European Union, Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data [first reading] - Political agreement, ST 5463 2016 INIT, 28 January 2016.
3. A list of national standards bodies https://standards.cen.eu/dyn/www/f?p=CENWEB:5, http://www.cencenelec.eu/research/ResearchHelpdesk/Pages/default.aspx
Bio: Matthias Pocs is a data protection expert and founder of “Stelar Security Technology Law Research”, a start-up based in Hamburg (Germany). He works on ethics, privacy, and security issues for European Commision funded projects, including OPERANDO and eWALL. He has also is a Consumer representative and data protection expert in the European consumer organisation ANEC - The European consumer voice in standardisation, in particular, participating in the execution of the European Commission’s standardisation request on Privacy by Design in security technologies.
Whitepaper: ELSI Guidelines for IT in Risk Governance - Monika Büscher and Katrina Petersen (Editors), Centre for Mobilities Research, SecInCoRe
Abstract: Networked collaboration and information exchange technologies have transformative potential for PPDR and risk governance. However, it is difficult to shape these transformations in a way that supports real world practices of collaboration and sense-making, and it is even more difficult to do so in ways that are ethically, legally and socially sensitive and proactive. This white paper is a collaborative effort, led by a transdisciplinary team of editors and theme editors. It is based on several years of analysing ethical, legal and social issues (ELSI) arising in PPDR and risk governance through wide ranging research collaborations between academics and domain experts. The paper takes stock of key insights in four different areas: ELSI arising in networked risk governance, policy and organisational innovation, applicable regulatory and legal frameworks, technological innovation. This paper presents ongoing efforts to construct ELSI guidelines for IT in risk governance. The guidelines are designed to become a living community resource to support the design and use of IT for risk governance. A draft of the paper will be circulated to all participants before the workshop, with an invitation to become involved in shaping its structure and content as well as that of the ELSI guidelines themselves.
During the workshop, participants will have the opportunity to discuss their experience and needs in relation to the ELSI Whitepaper and ELSI guidelines ideas in small discussion groups.
Bio: Monika Büscher is Professor of Sociology at Lancaster University, Director of the Centre for Mobilities Research and Associate Director at the Institute for Social Futures. Her research explores the digital dimension of contemporary ‘mobile lives’. She leads research on ethical, legal and social aspects of the informationalization of PPDR and risk governance, exploring opportunities and challenges around sustainability, security, and public engagement in a range of different national and international projects (Catalyst, BRIDGE, SecInCoRe).
Professor of Sociology at the Centre for Mobilities Research at Lancaster University. She researches the digital dimensions of contemporary ‘mobile lives’, with a focus on IT-ethics and crises. She leads research on ethical, legal and social issues in the BRIDGE and SecInCoRe projects. She edits the book series Changing Mobilities with Peter Adey.
Dr Catherine Easton
Senior Lecturer in the School of Law, Lancaster University. Her research focuses upon access to technology and human/computer interaction. She is the co-chair of the United Nations’ Internet Governance Forum’s Internet Rights and Principles Dynamic Coalition. Through this she is involved in the development of the Charter of Human Rights and Principles for the Internet with a focus on disability access. Catherine is Chair of the BILETA Law and Technology Research network and in this role organises one of the largest law and technology conferences in the EU.
A legal researcher, KU Leuven University, Belgium. She joined CiTiP in June 2014. Currently, she works on the FP7 projects titled “Establish Pan-European Information Space to Enhance seCurity of Citizens in disaster situations” (EPISECC) and "A holistic, scenario-independent, situation-awareness and guidance system for sustaining the Active Evacuation Route for large crowds" (eVACUATE). Her research interests include human rights, regulation of new technologies and the protection of children's as well as minorities' personal data.
Dr Katrina Petersen
Research Associate at Lancaster University working on the SecInCoRe project focusing on the design of a culturally and ethically conscious disaster information sharing system for the EU. Her main research is on visualizing risk, disaster maps, and how to communicate between diverse groups.
Secretary General of PSCE (Public Safety Communications Europe) since 2009. Specialised in European law and European affairs, she has been working in various EU projects, being responsible for dissemination and communication activities. She has been also working for the medical profession and the police administration at EU level during the last 15 years.