
Deliverable 12.2

SIAM Methodology Handbook

Technical University Berlin

Dr. Leon Hempel

Hans Lammerant

Lars Ostermeier

Tobias Schaaf

Christian Geminn

SIAM Security Impact Assessment

Measures

SIAM Methodology Handbook

Project number

261826

Call (part) identifier

FP7-Security-2010-1

Funding scheme

Collaborative Project


Contents

Introduction

The assessment process

The STEFi-approach

The SIAM assessment support tool

The focus of the SIAM-project: Security measures and technologies at public transport systems

Structuring the Assessment Process

A systematic approach towards threat assessment

1. Objectives

2. Guidelines for scenario workshops

3. Conclusion

A systematic approach towards assessments of the effectiveness of SMTs in terms of security

A systematic approach towards assessing freedom infringements

Dimensions of technological normativity

Typology of freedoms

Freedom infringement table

Workshops

A method for the legal evaluation of security measures in public transportation

1. Introduction

2. Basic Principles of KORA

3. KORA as an Instrument for the Evaluation and the Design of SMTs

Bibliography


Introduction

The SIAM project provides support to end-users in the assessment process of security

measures and technologies (SMT). Today security is managed by an increasing range of

diverse technological systems and measures. Given the variety of spaces, contexts and

actors in which these technologies are deployed an adequate assessment methodology

requires a whole range of questions and perspectives to be taken into account. Where, by

whom, for what purpose is a technology introduced in a certain field or area? Does

employment of the measure achieve the intended effects? What is the impact on security?

Will the investment be appropriate for handling the issue in the long run? What are the

unintended effects? Who are the people that will be affected? Are people treated fairly and

decently and are their rights respected? How will people cope with the security measures

and will they accept them? Security technologies are widely used, creating the need to raise

and include questions of ethical and social implications into the assessment. The overall

objective is to create an assessment support system that takes the complexity of

technologies, economic aspects, cultural differences and societal dimensions into account.

SIAM focuses on security measures and technologies in public transport systems, but the

methodologies can be used to assess SMTs in other contexts as well.

The purpose of this handbook is to describe the understanding of the assessment process

that has been developed in the SIAM project, and to provide users of the SIAM assessment

support tool (AST) with methodologies for assessments.

The handbook is therefore less an academic text than a handbook in the practical sense. It

aims to give stakeholders involved in assessment processes an understanding of the

conceptual thinking about assessments that both the AST and the methodologies are built

upon.

In this handbook we first look at how we understand the assessment process, while also

explaining the core concepts we are using. The following parts look at several methodologies

used in the SIAM project which can be used to provide a knowledge base for the assessment.

The assessment process

The SIAM project followed a process-based understanding of assessments. It did not develop

a one-size-fits-all procedure with a strictly defined outcome. It rather developed, based on

case studies, a systematic model for assessment processes and a set of tools and

methodologies which can be used to conduct an assessment.

The assumption that following a standardized assessment procedure would guarantee a

certain outcome like enhanced security or increased acceptance does not seem valid to us. The


SIAM tool and methodologies have a more limited ambition and are meant to assist in

broadening the scope of the assessment.

The innovation journeys conducted by the SIAM project give a good rationale for such

broadening of scope (see the deliverables in work package 2). A limited assessment, through

the fast closure of issues under discussion, a limited set of options under consideration or a

limited involvement of stakeholders, carries the risk of excluding relevant issues from

consideration too fast. In a later stage, when the major design or investment decisions are

already made, such issues can pop up again as having relevant implications on the use of the

technology and forcing changes which are in this later phase much more costly. An early

consideration of a broad scope of issues and allowing a broad set of stakeholders to raise

such issues maps out all decisions to be made and allows a more comprehensive balancing

of costs and consequences of the choices.

This approach to assessments rests on the observation that any assessment is an inherently

political exercise. While assessments carry with them the promise to increase the rationality

of decision making, they always include decisions about what needs to be known, what can

be ignored and what is important. We hope that the SIAM tool and the methodologies

contribute to increasing the rationality of these decisions, but again we emphasize that they

cannot rationalize the whole decision making process. On the other hand, considering

assessment as a political exercise does not reduce it to a negotiation between mere political

beliefs. Impact is not a value-free notion, but stands for the secondary side-effect on

relevant interests. Impact assessment is a tool to produce knowledge about the impact on a

set of interests considered relevant. This set of relevant interests can be assembled in

different ways. Legal recognition of such interests, e.g. in human rights law, is such a way.

Looking at the opinions of passengers and travellers or other stakeholders is another. The

impact on these interests can be methodologically assessed.

The STEFi-approach

The SIAM-project has tried to incorporate a wide range of such interests through the STEFi-approach.

Out of the wide range of assessment criteria collected through the empirical

research, four core assessment dimensions have been identified that help to structure the

field: Security, Trust, Efficiency and Freedom Infringement.

Security Dimension

Security in a narrow sense describes the functionality of a product in countering threats and

reducing risks. It covers the questions of whether the product fulfils promises and

expectations regarding its performance. Evaluation criteria, amongst others, are the

detection rate, the false alarm rate and the impact of intended interference or

environmental interference. In a broader sense, security is what the stakeholders perceive


and define as security. This societal dimension of security has also been included in the

assessment support tool by including questions that highlight the socially constructed and

changing character of security.

Trust Dimension

Trust encompasses the experience of the product provider as well as of the scrutinized in

using the product. Beside the experience, the subjective perception defines the way in which

a product achieves an appropriate acceptance level. Evaluation criteria for the Trust

dimension include, for example, the degree of discrimination regarding the use of the product

and the potential physiological and psychological invasiveness of the product, for instance

health risks such as DNA damage associated with the ionising radiation used in body

scanners or other effects such as claustrophobia and anxiety attacks.

Efficiency Dimension

Efficiency concerns the economic dimension of the product. Evaluation criteria for this

dimension are the product’s life cycle costs, such as purchasing costs, implementation costs,

operating costs and disposal costs. It also contains derivative criteria such as opportunity

costs and the impact on business processes, such as the throughput or false positive alarm

rates.

Freedom Infringement Dimension

The Freedom infringement dimension of security product evaluation depicts the impact of a

product on the freedoms and rights of persons. One of the main impacts of security products

and services is enhanced personal data collection, processing, sharing and retention. This

affects the rights to privacy and data protection. Additionally, security products have a

tendency to affect other rights such as the right of self-determination, right to the freedom

of movement, right of association; these must all be taken into account in the evaluation of

security products.

These dimensions may provide some systematisation of a socio-technical security regime,

but they are not separate boxes. On the contrary, they mutually overlap. Above all it is true

that they involve different, often contesting perspectives and activities. However, instead of

defining them in very abstract terms, the respective systematisation approach here is

different, not distinctive by definition but by resemblance. Its idea is not to wipe out, but

first to assemble the differences between related aspects or criteria, notions or concepts as

they occur in the field. E.g. numerous notions of security are in use, often depending on the

community an actor is associated or associates herself or himself with. An engineer

responsible for the computer infrastructure at the airport has a different understanding of

security than a police officer responsible for the airport premises or the airport management

focusing on passenger convenience. Thus, instead of claiming to cover all possible notions,

the dimensions rest on the resemblance of concepts. It is even more important from a


methodological point of view to ensure some conceptual flexibility as new notions might

become relevant while old ones lose their meaning. The use of the four dimensions is to

structure the field on a first level. However, at the same time their conceptual indeterminacy

shall allow the widest range of involvement possible to discuss assessment criteria and

attributes as well as their mutual relationships.

The SIAM assessment support tool

This use of the four dimensions, as well as its flexible sorting of assessment criteria and

openness to new criteria, is reflected in the SIAM assessment support tool (AST). It contains

a question set along these four dimensions, in order to provide for a wide scope of issues

brought under attention during the assessment. It is not a closed set, however, but allows

new questions to be added or posed during the assessment. The AST is also configured in a way

that allows changing the whole set of questions to adapt the AST towards other settings than

mass transportation systems. This openness of the AST makes it flexible in its use and its

functionality.

Following a process-based understanding of assessments, the AST does not provide for a

one-stop impact assessment as an outcome or a product. It is rather a tool to assist

assessment processes from the beginning. The tool has two core functionalities:

1. A consultative functionality. This means that it suggests the assessment dimensions that

should be integrated into the assessment process.

2. A knowledge management functionality. This means that ongoing assessment processes

can be managed and documented using the tool. It structures collected knowledge given by

various actors and perspectives along the assessment criteria and presents them accordingly

to the assessment participants.

The AST in its current state is focused on the assessment of one specific technology. As such

it is less useful for the assessment of a broad range of options to address a problem, but

more for the thorough assessment of a specific technology. This will mostly take place in a

later stage of the assessment process, although this does not exclude using the AST in an

early phase. The actual use of the AST is further described in the guidelines.

The focus of the SIAM-project: Security measures and technologies at

public transport systems

The STEFi-approach and some of the methodologies described in this handbook can be used

for a variety of security measures. The SIAM-project itself focused on security measures in

transport hubs like airports or railway systems. It developed a typology of these security


measures, which is used in the AST. Again, this typology can be further refined, which would

allow for more specific questions and assessment criteria linked to more refined and narrow

categories of technology. The typology and the use made of it in questions raised in the AST

present a balance between keeping a broad scope of technologies which can be assessed

and allowing concrete problems or issues to be addressed. The AST gives the possibility to raise

new questions, through which a more detailed assessment of the technology at hand is

possible.

The security measure technology (SMT) typology is described in more detail in D2.3 and

concerns those technologies which address malicious threats to people and their physical

infrastructures. The manifold technology options that can be implemented for achieving a

reduction or prevention of risk can be categorised into four major classes depicting their major

purposes. The AST then enables the subcategorisation into nine categories to narrow down

the technologies’ functionalities.

The typology can be summarised as follows:

Threat Detection

Threats are processes which are intended to damage infrastructures and inflict casualties. As

in any process they are composed of actors, activity and tools each of which can be

addressed by a type of SMT.

Object and Material Assessment SMTs (also: Screening SMTs) are used within security

measures to search people, luggage, cargo and airport deliveries to identify possibly

dangerous or illegal objects and substances, e.g. weapons, drugs, or explosive residue.

Event Assessment SMTs attempt to identify an unfolding incident or to reconstruct it by, for

example, using CCTV to detect suspicious behaviour or to spot abandoned luggage.

People Assessment SMTs are used in measures designed to identify potential malefactors.

This includes questioning strategies, profiling methodologies such as background checks of

passengers, or asymmetric screening based on demographics.


Access Control

A key component of security policy is to physically restrict access to those with a right to

access. Maintaining the integrity of a facility will require establishing identity and the right to

access, and ensuring those with no right of access are excluded.

Identification SMTs are used to identify people as part of security measures designed to

establish access rights.

Physical Access SMTs relate to the broad category of physical barrier and access

technologies such as turnstiles, perimeter fencing, and automated car park barriers.

Policing

In general terms, the SMT category Policing refers to those technologies used to maintain an

understanding of what is happening within a controlled area and to those technologies

which enforce compliance.

Situation Awareness SMTs include the use of CCTV to monitor an environment and liaise

with staff on the ground, and the use of asset management solutions such as radio

frequency identification (RFID) tags and readers to track baggage and passenger movements

or automated number plate recognition (ANPR) technology to identify vehicles.

Enforcement SMTs are technologies used in security measures that respond to some

process deviation or detected threat such as ensuring passenger hand luggage is screened or

dealing with a detected weapon.

Support

Some technologies are used to enable and support security processes yet do not represent

security technologies in their own right. This general category refers to technologies for

controlling and enabling the general function and performance of security measures, the

information and communication systems and processes that underpin any security system.

Process Control SMTs capture the range of technologies that configure the security process

including passenger flow, and the selection of security measures applied to individual

passengers.

Information and Communication SMTs capture the computing and communication

technologies used for a variety of different security measures within any security regime,

such as those which can be found in devices and algorithms for information processing, as

well as data transfer and storage.


Structuring the Assessment Process

A technology is not given, but rather the result of many process assessment activities of

different actors during the invention, implementation and adoption phase. The assessment

activities of actors decide which questions are being asked, what answers will be given and

what aspects of a technology or a measure will be emphasized and analysed. They also

decide which criteria will be used to assess SMT solutions. Over time the assessment

activities lead to emerging irreversibility, and it gets increasingly difficult to change or modify

the chosen assessment path.

As a consequence it is important to involve as many stakeholders as possible at a very early

stage, and they must agree upon a common list of criteria for assessing the SMT. However, the

SIAM research analysed multiple assessment processes in various contexts and business

cultures and was able to identify an ideal-typical procedure for the adoption of a new SMT.

1. Gathering information about SMT options

In SIAM two general ways to achieve a market overview in the security technology sector

were identified. One is that the type of technology is already given. This happened in the

case studies when a subjective factor came into play, such as the wish of certain actors to

make the site seemingly innovative. A best practice example, however, was one case in which

a neutral scientist was asked to give a short overview of potential technologies that have

reached marketability. This scientist had no affiliations with the site and no personal or

economic aim to achieve by favouring a certain SMT.


2. Definition and involvement of all stakeholders affected by the SMT option

The process of implementation of new SMTs affects various actors within but also outside

the organisation. Some actors are rather obvious to identify, for example organisational

units such as accounting and IT. But some are not so obvious such as representatives of

customers and employees.

To find such actors, SIAM reconstructed “innovation journeys” in the case studies. In practice

these journeys go backwards in the implementation process starting from the final

introduction of new SMTs. Protocols of meetings and tenders were analysed and interviews

conducted that led. Through these activities the identification of incoming and leaving actors

in the process and the discovery of conflicts was possible.

3. Discussion and decision on common assessment criteria

The assessment of SMTs requires a common understanding of a set of criteria. In practice this

step is closely connected to the involvement of all stakeholders. As difficult as it is to

acknowledge all relevant actors, it is even harder to incorporate their heterogeneous,

interest-driven assessment criteria. Often these criteria arise ad hoc and diverge in their

importance for the actors. A best practice that could be identified in SIAM was the

development of a criteria list that was circulated within the group of actors. All actors were

able to assess, add and weigh the criteria. The result was an agreed common list of criteria

that respected the different importance to each individual actor.

4. Testing and problem solving of the SMT option and evaluation of the

assessment criteria

In this step the SMT should be tested in a limited space and for a limited time. At this stage

all actors will be able to identify the effects this new SMT might have on their activities and

their interests. This phase should also be used to reassess the chosen criteria. Did new

criteria come up? Did the test show a different importance of criteria?

5. Evaluation and comparison of technology options

The assessment leader will receive all statements and assessments by all participating actors

and will have the basis for an evaluation and comparison of the technology options.


The SIAM AST

The AST structures the ideal-typical assessment process. It supports the identification of

stakeholders and of assessment criteria by asking questions that cannot be answered by

every participant. The participants have to think about involving further people to

enable themselves to answer such questions and overcome a lack of knowledge.

The AST in its current setup only allows the assessment of one option. Assessing several

options comes down to distinct assessment cases for each option. In other words, a separate

assessment is needed for each option, although these can run in parallel. The results of the distinct

assessment cases can inform the evaluation and comparison.


A systematic approach towards threat assessment

In this chapter we present the methodological guidelines for scenario workshops as

developed and implemented in WP6. In the section “Objectives” we attempt to clarify some

of the conceptual issues and discussions that have emerged in this WP. In the section

“guidelines” we provide an overview of the methodology. This methodology was further put

into practice by our case study partners.

1. Objectives

Decision makers need to be aware of possible emerging and developing ‘security threats’ as

this constitutes an important part of evaluating SMTs. ‘Security’ refers to a field of practices

that intend to provide prevention capabilities and protection against deliberate acts and/or

the intentional infliction of harm. Threats, as they are usually conceptualized in risk

assessments, refer to the likelihood that a specific type of attack will be initiated against a

specific target.

Ideally, we gather data that allows us to assess the likelihood that a terrorist attack, an

organized crime attack, a cyber crime attack, a deliberate act of fraud or corruption and a

deliberate breach of immigration laws will be initiated against or in a site in an airport or

mass transportation context and/or that these sites will be used for such purposes. But such

data is not always available. Traditional risk assessments to determine what will most likely

happen or what the most likely scenario will be cannot always be used. Possible targets

cannot be assessed in this manner. The security threats we face are adaptive and flexible

and their covert nature makes it hard to assess capabilities, intent and exact time of

occurrence.

Another option is to develop scenarios that give insights about possible targets for terrorism,

illegal migration, cyber crime, transnational organized crime, transnational white collar

crime, as well as the impacts those targets could suffer. Scenarios, however, are a rather

ambiguous notion. Scenarios are never predictions. They never depict what the future will

be like or how events will play out. Scenarios are most often used to create a common vision

and a shared understanding of a strategic issue. They are useful to uncover and question

decision makers’ (strategic) assumptions, to make them aware of issues or perspectives they

don’t consider and to show what the consequences might be if these issues are left

unattended. Scenarios thus invite decision makers to be reflexive about the strategic issues

at hand.

In its final report, the 9/11 Commission concluded that improving decision making in security

issues in terms of foresight and imagination is not about finding an expert who can imagine

what plans might be used for terrorist purposes. It is about improving the quality of decision


making. This requires decision makers to make informed decisions and to include information from

multiple perspectives, so that tunnel vision and rigidity in decision making can be avoided.

Such informed decision making on security challenges can be based on existing threat

assessments. These reports provide information about emerging and developing threats. As

these reports focus on transnational threat trends, they do not provide detailed information

about threats to the airports and mass transportation sites. What needs to be explored are

the implications of the documented threats to the specific site under consideration.

To develop a pragmatic, easy to use methodology allowing us to draft scenarios in a

structured and systematized manner, we turned to a qualitative risk assessment

methodology that was developed for public transportation purposes in the EU ‘Counteract’

project. Again, this methodology was not chosen to assess what will happen, or to quantify

what is actually most at risk and so forth. What this methodology allows us to do is

understand what local security experts and decision makers consider to be a threat, what

the effects of these threats are to their setting, and how they believe SMTs might help

mitigate or prevent these threats. Making the understanding, assumptions and evaluation of

threats of experts and decision makers explicit helps to improve the discussions during the

assessment process. In the following section we will elaborate on this methodology.

2. Guidelines for scenario workshops

2.1 Objectives and tasks

The scenario workshop shall have the following objectives:

1) To reveal the assumptions of decision makers and security experts about concrete

threats. For example, what do threats like terrorism, organized crime, cyber crime, or

white collar crime mean? What threats in these fields do they prepare for? What do

they expect? What threats are not considered, and why?

2) To reveal assumptions about assets, vulnerabilities and targets. What targets and

vulnerabilities do experts identify? What do they believe is most at risk and why? Why

are some assets not believed to be a target or at risk?

3) To reveal assumptions about the role that SMTs can and should play in preventing or

mitigating the identified threats.

4) To reveal assumptions about the impact and the consequences of the unfolded threat,

and the strategies that are believed to be useful to respond to these threats.

5) The methodology suggests that the process will point to two scenarios that need to be

developed. The first is a scenario whose occurrence the experts believe to be highly

unlikely, but whose impact would be disastrous if it did occur

and which therefore needs to be prevented even if unlikely to happen. The second is

a scenario whose occurrence the experts believe to be very likely and whose impact would be

disastrous. Both these scenarios will be further developed as narratives that describe

Page 14: SIAM - TU Berlin · SIAM focuses on security measures and technologies in public transport systems, but the methodologies can be used to assess SMTs in other contexts as well. The

14

the unfolding of these events. Again, the point of the exercise is not to forecast,

calculate or predict the future. We do not intend to assess or quantify what will actually

be very likely to happen or what is highly unlikely to happen. The point is that one has to

come to understand why decision makers feel that a scenario is very unlikely or very

likely as this will provide insights about how decision makers assess threats, what they

believe to ready for and why. It would be possible to understand how they reflect on the

consequences and impacts, and how they believe these threats can be mitigated or

prevented.

2.2 Methodology

In the following we present the methodology to be used to organize a scenario workshop

and conduct it.

1) Preparation of the workshop

- A mix of security experts specialized in relevant security fields/threats and security

implementors will be invited. Overall around ten participants should be expected.

- A list of actual threats and assets should be prepared to contribute to the workshop.

Discussions will be held around these points.

- An expert will be nominated to guide the workshop and to report on the

conclusions.

- Workshops could be complemented by interviews to gain more information.

2) STEP 1: What are the threats?

The first step involves a short brainstorm with the participants of the workshop about threats concerning the discussed topic, e.g. “If you think about terrorist threats at an airport, what would such a threat be exactly?” What needs to be identified are very specific actions. For instance, from the transnational threat assessments we know that one of the most important trends in terrorism is that attacks are carried out by an individual or a number of armed individuals conducting an assault or a raid against large crowds. The threat is then “armed assault/raid”. Other examples for terrorism are: shootings, improvised explosive devices (IED), dirty bomb, chemical weapon, biological weapon, etc. Some overlaps can be expected, e.g. cyber crime can also be considered as organized crime or terrorism, and corruption or fraud can be a threat when discussing illegal migration, and so forth. These overlaps in themselves will provide important insights on the process.

3) STEP 2: What are the assets, vulnerabilities or targets?

The second step is the identification of important assets, targets and vulnerabilities. The objective is to be as specific as possible: to identify assets based on the importance of their mission or function, to identify groups of people that are believed to be at risk, and to focus on the significance of structures. A useful concept which helps surface such locations is that of nodes: these are locations (virtual or physical) where flows of goods, people, energy (e.g. fuel, electric power units), capital and information come together. An airplane, a security control centre, the entrance hall of an airport, a train station at an airport and banks are all examples of nodes.

4) STEP 3: a matrix creation.

In the 3rd step, the previous steps are combined to create a matrix (see the example for terrorism in fig. 1).

Fig. 1 - Threat and Assets

| Assets \ Threats | Chemical weapon | Armed assault | IED |
|---|---|---|---|
| Entrance hall | | | |
| Security control centre | | | |
| Airplane | | | |
| Underground station with trains | | | |

5) STEP 4: assessment of the probability of occurrence

- For each threat-asset pair, participants need to reach a consensus about the probability of occurrence they attribute, ranging from very unlikely to very high.

- Probabilities are collected.

The 4th step requires the participants of the workshop to indicate what they perceive to be

the probability of occurrence, ranging from very unlikely to very likely. The point of this step

is not to surface actual probabilities. This is a qualitative assessment in which we attempt to

surface decision makers’ or experts’ assumptions about what they believe to be very

unlikely, low, possible, high, or very high probabilities of occurrence of a particular threat

(e.g. see fig. 2). As such, this exercise allows us to understand what threats they believe to

be possible. For each square in the matrix, the workshop leader needs to reach a consensus

among the participants about the assessment that is made.

Fig. 2 – Example for terrorism - Likelihood

| Assets \ Threats | Chemical weapon | Armed assault | IED |
|---|---|---|---|
| Entrance hall | Very high | high | possible |
| Security control centre | low | Very unlikely | Very unlikely |
| Airplane with passengers on air side | Very unlikely | Very unlikely | Very unlikely |
| Underground station with trains | possible | possible | possible |

6) STEP 5: assessment of impact and severity

The 5th step requires the participants of the workshop to indicate what they perceive to be

the impact and severity of each threat. As we are facing quite different security threats, their

impact and severity should be assessed in terms that fit the nature of the security threat.

The categories used to measure severities are: uncritical, marginal, significant, critical,

disastrous. We introduced the following societal dimensions that could be affected if a

threat is realized: People, Infrastructures, Environment, Economy, Political systems and

Values (see details in the following). Not every dimension is relevant in each case. For

organized crime for example we can focus on the profit that can be made, the political

system and Values. Once the societal dimensions are determined the impact on them can be

assessed and the severity estimated. The severity would then be an integrative evaluation of

the impacts assessed to get a severity level on the scale of 1-5. The aim of this step is to reveal decision makers’ or experts’ assumptions about what they believe to be the impact and severity of each threat within the limits defined in the previous paragraphs.

Fig. 3 Example for terrorism – Likelihood and severity

Each cell gives the likelihood followed by the severity.

| Assets \ Threats | Chemical weapon | Armed assault | IED |
|---|---|---|---|
| Entrance hall | Very high / disastrous | high / critical | possible / critical |
| Security control centre | Low / disastrous | Very unlikely / critical | Very unlikely / disastrous |
| Airplane with passengers on air side | Very unlikely / disastrous | Very unlikely / disastrous | Very unlikely / disastrous |
| Underground station with trains | Possible / disastrous | possible / critical | possible / disastrous |

7) STEP 6: creation of risk categories

The 6th step involves the creation of risk categories. These categories are created by

combining the probability of occurrence with the impact/severity assessment. The scores

that are given thus refer to the multiplication of the probability of occurrence with the

severity. This table is only intended as a tool to visualize and prioritize the different threats

(see fig. 4). This step is important for the selection of scenarios that need to be developed in

step 7, and in addition to the scenario development the table will provide valuable

information for the draft of the combined scenario threat report. In this stage we assess the

severity of the threat based on its impact on several societal dimensions as detailed in step

7. As seen in the table we actually use scales of 1-5 to assess the probability of occurrence

and the severity of the threat. See also step 7 section 3 for further explanation of the impact

assessment.

Fig. 4 Risk assessments for terrorism

| Probability of occurrence | Threat / asset (risk score) |
|---|---|
| Very high (5) | Chemical weapon / entrance hall (20) |
| High (4) | |
| Possible (3) | Armed assault on underground station with trains (9) |
| Low (2) | |
| Very unlikely (1) | Airplane / IED (4) |

Severity / Impact: Uncritical (1), Marginal (2), Significant (3), Critical (4), Disastrous (5)

8) STEP 7: writing scenario narratives

- For each category two scenarios are selected. The first scenario is a ‘very

high/disastrous’ scenario. The second scenario is a ‘very unlikely/disastrous’ scenario.

- The scenario narratives provide information about how the scenario unfolds as well as information about the reasons for that expert assessment.

The 7th step is the final step in which two scenarios are developed as a narrative. The information that can be derived from the entire process is detailed in the following section.
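The matrix procedure of steps 3 to 7, as an added example in Python that is not part of the handbook: it takes the consensus ratings of Fig. 3, multiplies the 1-5 likelihood and severity levels as step 6 describes, lists any square that still lacks a rating, and returns the cells that qualify for the two narratives of step 7. The function names and the dictionary layout are assumptions made for this illustration.

```python
from itertools import product

# Five-point scales of steps 4 and 5, using the handbook's labels.
LIKELIHOOD = {"very unlikely": 1, "low": 2, "possible": 3, "high": 4, "very high": 5}
SEVERITY = {"uncritical": 1, "marginal": 2, "significant": 3, "critical": 4, "disastrous": 5}

AIRPLANE = "Airplane with passengers on air side"
UNDERGROUND = "Underground station with trains"

# Consensus ratings transcribed from Fig. 3: (asset, threat) -> (likelihood, severity).
FIG3 = {
    ("Entrance hall", "Chemical weapon"): ("Very high", "disastrous"),
    ("Entrance hall", "Armed assault"): ("high", "critical"),
    ("Entrance hall", "IED"): ("possible", "critical"),
    ("Security control centre", "Chemical weapon"): ("Low", "disastrous"),
    ("Security control centre", "Armed assault"): ("Very unlikely", "critical"),
    ("Security control centre", "IED"): ("Very unlikely", "disastrous"),
    (AIRPLANE, "Chemical weapon"): ("Very unlikely", "disastrous"),
    (AIRPLANE, "Armed assault"): ("Very unlikely", "disastrous"),
    (AIRPLANE, "IED"): ("Very unlikely", "disastrous"),
    (UNDERGROUND, "Chemical weapon"): ("Possible", "disastrous"),
    (UNDERGROUND, "Armed assault"): ("possible", "critical"),
    (UNDERGROUND, "IED"): ("possible", "disastrous"),
}


def level(label, scale, kind):
    """Normalise a workshop label and look up its 1-5 value; reject unknown labels."""
    key = " ".join(label.lower().split())
    if key not in scale:
        raise ValueError(f"unknown {kind} label: {label!r}")
    return key, scale[key]


def score_matrix(ratings):
    """Step 6: risk score = probability of occurrence x severity, per cell."""
    scored = {}
    for cell, (likelihood, severity) in ratings.items():
        l_key, l_val = level(likelihood, LIKELIHOOD, "likelihood")
        s_key, s_val = level(severity, SEVERITY, "severity")
        scored[cell] = {"likelihood": l_key, "severity": s_key, "score": l_val * s_val}
    return scored


def unrated_cells(assets, threats, ratings):
    """Step 4 requires a consensus for every square; list the squares still open."""
    return [cell for cell in product(assets, threats) if cell not in ratings]


def prioritised(scored):
    """Order cells for discussion: highest score first, severity as tie-breaker."""
    return sorted(
        scored,
        key=lambda c: (-scored[c]["score"], -SEVERITY[scored[c]["severity"]], c),
    )


def scenario_candidates(scored):
    """Step 7: cells eligible for the two scenario narratives."""
    def pick(likelihood):
        return sorted(
            cell for cell, r in scored.items()
            if r["likelihood"] == likelihood and r["severity"] == "disastrous"
        )
    return {
        "very high/disastrous": pick("very high"),
        "very unlikely/disastrous": pick("very unlikely"),
    }


if __name__ == "__main__":
    scored = score_matrix(FIG3)
    for cell in prioritised(scored):
        r = scored[cell]
        print(f"{r['score']:>2}  {r['likelihood']}/{r['severity']}  {cell[1]} / {cell[0]}")
    for name, cells in scenario_candidates(scored).items():
        print(name, "->", cells)
```

As in the handbook, the scores only order the experts' assumptions for discussion; they are not estimates of actual probabilities.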

2.3 Scenario framework

Scenarios are built using the following building blocks:

1) Events unfold

The description of how the events unfold should contain the following elements:

- Threat actor(s): Who is involved in a threat?

- Threat activities: How is a threat being carried out exactly?

- Threat tools: what weapons or other tools are used?

- Threat technologies: the name of the general technologies associated with the activities or tools

- Assets, vulnerabilities and nodes: describe the setting; and explain why they are felt

to be assets, vulnerabilities or nodes

2) SMTs description

The description of SMTs should include the following elements:

- Existing security measures at the location

- Security actors: Who supervises or operates in this area? Who has which

responsibilities?

- Security activities: Which security procedures are in place?

- Security tools: What kinds of devices are used?

- Security technologies: Type or category of technologies

3) Impact of the threat that unfolds

The description of impact/severity refers to the consequences of the unfolded threat. In the

5th step we applied a broad definition of impact/severity which was directly related to the

security threat. The scenario narratives allow us to widen the scope of consequences. We

will not only focus on the immediate consequences of the threat (e.g. for organized crime we

suggested that we assess the impact in terms of the profit that was made). In addition to

these consequences, in this phase the scope can be widened and participants can reflect on the

following focal issues (societal dimensions) to surface that information (not all issues apply

for each security threat):

- People: what are the consequences of the threat to the people involved?

- Infrastructures: what are the consequences of the threat to the infrastructure?

- Economy: what are the economic consequences of the threat?

- Environment: what are the consequences of the threat for the environment?

- Political system: what are the political consequences of the threat?

- Values: what are the consequences for societal or ethical values?

The impact on the several societal dimensions helps assign the severity score. This is a

qualitative process to finally evaluate the severity level.

4) Proposals to mitigate or prevent the threat from unfolding again

The description of proposals to mitigate or prevent the threat from unfolding again

requires the participants of the workshop to reflect on how they would respond after the

threat has unfolded.

- Security actors: Are there additional employees required? Should additional

responsibilities be assigned to existing actors? Should we recommend certain actors

to cooperate with other actors?

- Security activities: Are there any changes to make in certain procedures? Do we need

new procedures to cover for the threat? If improved cooperation between certain

actors is suggested, what exactly does this mean in terms of activities?

- Security tools: Can the existing tools be configured to cover the threat? Do we need to

acquire new devices or tools for screening, identification, etc?

- Security technologies: The general name of the (new) technologies associated with

these activities or tools.

3. Conclusion

In this chapter we presented methods and guidelines for the process of conducting scenario

workshops with the objective of threat assessment in the sector of mass transportation. This methodology was developed and tested on the basis of literature surveys, recent experience and outcomes of EU security projects (e.g. FESTOS) and the implementation of SIAM case studies, and it can serve this sector and these kinds of evaluations for further needs.

A systematic approach towards assessments of the effectiveness of SMTs in terms of security

Work package seven has shown that crime maps are not simply tools representing an

objective image of crime but are tools incorporating both previously existing data about

crime and ideas how it should be dealt with.1 Crime maps include various strands of

criminological crime pattern theories and are being used as tools for the planning and

allocation of resources. The different rationales point towards two questions related to the

use of crime pattern analysis:

1. In the context of urban train transport security, it provides answers to the

question where resources should be allocated.

2. At airports, most policing resources are already available at the different security

areas, so the question here is not so much on where to use them, but on how or

against whom to use them.

Different rationales of selecting and using security technologies in the contexts of urban

train transport security and airport security can be distinguished and analyzed. One

characteristic is the different impact of crime pattern and threat pattern analysis. It serves

mainly for the identification of so-called 'hotspots', the types of crime that are recorded at

these locales and a more or less vague categorization of victims and offenders in urban train

transport security. In the context of airport security, threat pattern analysis typically leads to

a profiling of passengers. Another major difference is the emphasis being made on

passengers' perception in urban train transport security discourses, while economic

considerations are being emphasized in all areas of airport security.

Both questions imply different definitions of security and different dimensions of trust, efficiency and freedom infringements. This affects the way that the behavior of passengers becomes normalized and that groups of people are targeted and excluded. Perhaps the most obvious difference is the basis for interventions in both rationales. In order to better understand this basis, it is helpful to distinguish between the anticipative concepts of precaution, pre-emption and preparedness on the one hand and prevention on the other. The three anticipative concepts stand for a gradual decrease of the threshold for interventions, thus bearing the potential increase of freedom infringements compared to preventive security measures. The rationale that has been analyzed for urban train transport security can be characterized as preventive, whereas airport security increasingly becomes anticipative.

1 The same is true for “crime signatures” being used in automated video analytics. “Crime signatures” basically resemble the idea to make crimes machine-readable in the way that threat assessments have been made machine-readable in work package 6 in SIAM. The first problem of this approach is that threats can be defined informally while crimes are defined by law. Strictly speaking, the police do not record crime but suspicious behavior probably fulfilling the legal definitions of criminal actions. Whether or not these actions are “criminal” is being decided in courts. Crime signatures therefore always refer to “suspicious” behavior which requires a distinction between a suspicious and a non-suspicious situation.

Work package three has investigated how the effectiveness of security measures and

technologies can be and is being assessed in terms of increasing security. This research has

brought up the inherently political dimension of impact assessments and highlighted some

of the ambiguities at play when it comes to determining frequently occurring and dangerous

criminal actions as well as the evaluation of the impact of security technologies on security.

Frequently occurring criminal actions like theft do not necessarily spark the introduction of

new security technologies. The latter requires the construction of dangerousness of criminal

actions that involves changes in a certain context/space, where resources are being

contested and where public imaginations of dangerousness come into play, creating a

demand for an altered way of policing. Technology is often a quick answer in such a case. At

the same time, it is often unclear or forgotten what exactly the initial question was that has

led to the answer. Assessing the impact of security measures and technologies on security

often leads to the question: Technology is the answer, but what is the question?

Assessing the impact of security technologies on criminal actions raises questions about how

security is understood and how technologies are thought to relate to security. Three ways of

managing this area of ambiguity have been reconstructed in work package three. In the first

case, security remains a contested concept and the impact of a technology on security

remains vague. In the second case, security has been defined as an 'adequate' problem and

the impact of a technology can be clearly assessed. In the third case, a security problem is

being constructed in order to provide a use-case for a technological solution.

Generally speaking, it is important to distinguish the rationale of the security measure from

the beginning of the assessment on. For example, crime prevention does not necessarily

involve the detection of crime. This is crucial for the assessment of the effectiveness of

security measures because it appears that the detection of crime is the least likely use case

of security measure technologies. Rather, the most likely use case is the detection of

suspicious and possibly threatening actors, tools and activities. The likeliest effect in terms of prevention, the interruption and the so-called general preventive effect, is much more difficult to measure.

Summarizing his experience of the political dimensions of security technology assessments,

Brian Rappert has suggested that

“a fruitful line of analysis regarding the relation between technology and politics is to examine the way in which the ambiguities associated with technologies are managed, and the manner in which the distribution of ambiguity helps constitute technology.”2

A methodology to assess the impact of security measures and technologies should therefore

aim to understand how knowledge about the assessment is being produced and how this

shapes the overall result of the assessment. This involves both the consideration “of the adequacy of the approaches offered, and their ability to inform practical matters.”3

Work packages three and seven have provided important requirements for the development

of a methodology to assess the impact of security technologies on security. The

methodology requires the stakeholders to understand how a certain way of assessing the

impact of a technology is constituted and how it has become dominant. This means to

understand and critically reflect the overall security narrative that is inherent to the

impact assessment, including how crime is being imagined. The narratives to be

reconstructed should be analyzed in terms of how a certain way of assessing the impact of

a technology on security becomes dominant, including how security is being understood.

The following questionnaire can be used either for a number of interviews or for a workshop

with end users, security personnel and other stakeholders in order to produce the data

needed to reconstruct the narratives:

2 Brian Rappert (2001) “The Distribution and Resolution of the Ambiguities of Technology, or Why Bobby Can’t Spray”, Social Studies of Science 31 (4), p. 559.

3 Ibid, p. 562.

Security Impact Assessment Questionnaire

The following questionnaire can be used either for a number of interviews or for a workshop

in order to produce the data needed to reconstruct the narratives. The narratives to be

reconstructed should be analyzed in terms of how a certain way of assessing the impact of a

technology on security becomes dominant, including how security is being understood.

1. Mapping frequent and dangerous criminal actions

◦ What are the most frequent criminal actions?

◦ Why do they occur frequently?

◦ What are the most dangerous criminal actions?

◦ What makes these actions dangerous?

2. Available Security Measures and Technologies (SMTs)

◦ What kind of SMTs are being operated to deal with these criminal actions?

◦ Are there any major technological innovations that have been introduced?

◦ Is any technological innovation expected that will enhance the possibility to deal

with these criminal actions?

3. Impact of SMTs on criminal actions

◦ In which way have the SMTs contributed to security, and are there different

dimensions of security affected?

◦ What is the impact of SMTs on crime? How were the number and the nature of

crime affected since the SMTs are in place?

◦ How is the impact of the SMTs on threats and crimes assessed / measured?

◦ When is an SMT ineffective and does it not improve security as foreseen?

◦ How do notions of crime and security change in the course of the introduction of

SMTs? Has the way of measuring and assessing crime and security changed?

◦ Which unintended consequences have been observed after the implementation of

the specific SMT?

▪ Unintended Consequences on criminal actions?

▪ Unintended Consequences on freedoms?

▪ Unintended Consequences on organizational routines (function creep)?

◦ To what extent have the promises of SMTs been delivered?

A systematic approach towards assessing freedom infringements

In WP4 and WP8 a methodology was developed to map and assess how an SMT infringes

freedoms.

In order to describe the normative impact of technology the notion of technological

normativity was developed. It understands normativity to be not limited to the legal field.

The normative impact of technology is situated in the way that it induces or enforces certain

types of behavior and/or inhibits or rules out other types of behavior.4 Technological

normativity looks at how technology impacts on the behavior of people and as such has a

similar effect as legal norms.

Dimensions of technological normativity

To map this impact 4 dimensions of technological normativity are discerned: scope,

intrusiveness, coerciveness, distribution.

Scope has been defined as the normative impact of a security measure in terms of space and

time. At first glance, many measures seem to impact in a locally contained way. Physical

security measures often last only for a few minutes. But in some cases persons can be

physically or psychologically affected for much longer after the actual treatment with the

SMT. Also, data gathered locally can be used in other contexts and for other purposes as

well. The impact of data gathering might thus gain larger scope, both in terms of physical

spaces and in terms of context (work, leisure, home, health, religion), and in terms of

temporal spaces, notably a person’s individual biography.

Intrusiveness measures the magnitude of the impact of an SMT. This impact concerns both the impact on the person in physical and psychological terms and the impact on the data double of this person.

The first aspect concerns the direct physical intrusion at or into the body of an individual,

and can be scaled from intrusion of the body, being touched, undressed, being seen, … As

part of the impact we also have to consider the psychological effects: feelings of being hurt,

damaged, affected by the SMT. Such negative feelings can have longer lasting effects than

the actual physical impact.

4 Hildebrandt, M., “Legal and technological normativity: more (and less) than twin sisters”, Techné 12:3 Fall

2008; Hildebrandt, M., “A vision of Ambient Law” in: Roger Brownsword, Karen Yeung (eds), Regulating Technologies. Legal Futures, Regulatory Frames and Technological Fixes, 2008, Hart Publishing Ltd, Portland, US, 177

Another aspect is the impact on the data double, or more precisely the data double created by

the SMT. The more intimate or the more detailed the information gathered or used, the

more intrusive the SMT is. This aspect of intrusiveness does not in itself depend on whether

a person is aware of the specific impact.

Coerciveness describes the degree of compulsion associated with a particular

measure/technology, or in other words how much agency an individual may exert over being

monitored by a security measure/technology. It looks into the range of behavioral choices

the technology makes possible, allows and makes impossible.

Distribution points to the fact that, notwithstanding that a technology functions

independently of social factors, the impact of that technology can differ widely according to

social roles or to social groups. Different categories of people can be affected by SMTs in

different ways. Coerciveness, intrusiveness and scope of an SMT can be much larger for

specific groups compared to the ‘average’ person. This may cause refined discrimination in

the extent to which various freedoms, such as bodily integrity or privacy are infringed.

Typology of freedoms

Secondly, a typology of freedoms has been derived from human rights law, defining the

main freedoms with which the SMT can interfere. These freedoms reflect the areas of

human behavior considered as protected by human rights law.

These freedoms do not equal the human rights themselves. They are not legal norms or

notions, and do not cover the same areas as the human rights norms from which they are

derived. What is labeled as freedom is a simplified, proto-legal notion of what is protected

by the human rights. These freedoms are ‘common sense’ concepts, referring to these

human rights, but which are used without the specifications, qualifications and nuances of

human rights law.

Further, what gets labeled here as freedom infringements are not necessarily violations of

human rights but rather interferences with these protected rights or freedoms. An

interference does not necessarily qualify as a violation of a legal right. If, however, an interference is an infringement that violates one of the codified human rights, it is prohibited, unless it can be justified on the basis of the applicable limitations. Mapping the impact of the SMTs on the freedoms does not equal mapping of violations of human rights, but gives the necessary facts needed to assess the proportionality of an infringement by an SMT and whether a violation takes place or not.

For the assessment it is important to recognize when and how an SMT interferes with a freedom, even when such interference is not a violation in the legal sense. In the assessment it is checked whether such interference is necessary and how it can be minimized. The assessment is meant to make visible all options and to enable a proportionality check, not just to find out which options are legal but also to allow a choice between legally available options in order to minimize the nuisance.

Freedom infringement table

These 2 notions were further operationalized in a concept table of freedom infringements.

This table brings both notions in relation with each other and provides general questions

through which the impact of an SMT can be mapped.

Scope Intrusiveness Coerciveness Distribution

Bodily Integrity Infringement of

bodily integrity in

terms of time and

space. Where and

when does the body

get touched,

undressed, seen,

intruded by any

means, …?

This includes

psychological effects

of such impact on

the body.

It also includes data

concerning the

body. The storage of

such data, its further

use and sharing

enlarges the scope.

How does the SMT

affect bodily

integrity?

Intrusiveness can be

scaled from

intrusion of the

body, being

touched, undressed,

being seen, …

Part of the

intrusiveness are the

psychological

effects: feelings of

being hurt,

damaged, affected

by the SMT. These

feelings are also

influenced by the

perception of the

legitimacy of this

infringement on

bodily integrity. But

legitimacy is as such

no element of

intrusiveness.

Another aspect is

the impact on the

data double. The

more intimate or the

more detailed the

information

gathered or used,

the more intrusive

the SMT is.

The intrusiveness

Which choices does

the SMT leave to

modulate or avoid

the impact on bodily

integrity and which

consequences do

these choices have?

This can be no

choice (or opting out

means no flying), a

limited range of

choices which all

imply some but a

different impact on

bodily integrity.

Is the impact on

bodily integrity in

terms of scope,

intrusiveness and

coerciveness

different for certain

groups or categories

of people?

People with certain

physical attributes

can be impacted

more (e.g. people

with medical

conditions or

disabilities). Other

groups can feel more

impact as they are

targeted more

(depending on

ethnicity, religion, …)

or due to a larger

psychological impact

(different

appreciation

resulting from

religious or cultural

values).

Page 27: SIAM - TU Berlin · SIAM focuses on security measures and technologies in public transport systems, but the methodologies can be used to assess SMTs in other contexts as well. The

27

does not depend on

whether a person is

aware of the specific

impact.

Equal treatment & non-discrimination

Scope: Where and when do people get treated differently? This also includes treatment of their data and treatment according to their data.

Intrusiveness: On which grounds do people get treated differently and what are the differences in the treatment? How does the different or discriminatory treatment impact the person?

Coerciveness: Which choices does the SMT leave to modulate or avoid different or discriminatory treatment? How does the different or discriminatory treatment affect the behavioural choices or options available?

Distribution: Which groups get treated in a different or discriminatory way?

Freedom of movement

Scope: Impact on the freedom of movement in terms of time and space. This includes the impact due to the processing or sharing of data gathered through the SMT.

Intrusiveness: What is the specific impact of the SMT on the freedom of movement? How do these infringements of the freedom of movement impact the person?

Coerciveness: Which choices does the SMT leave to modulate or avoid its impact and how does this affect a person’s freedom of movement?

Distribution: Sorting of movements. Which groups are affected in their ability to travel?

Freedom from unlawful detention

Scope: Where and when does or can a person get detained?

Intrusiveness: When and how are people detained? How does such detention impact the person?

Coerciveness: Which choices does the SMT leave to modulate or avoid its impact and how does this affect the possibility and scope of a detention?

Distribution: Which groups are more likely to be detained or are more impacted by a detention?

Presumption of innocence

Scope: Where and when does a person get treated as suspicious or a possible danger, or feel treated as such? This includes such treatment due to the processing or sharing of data gathered through the SMT.

Intrusiveness: Based on which suspicion does the person get treated? What is the impact on the person of a treatment as being suspicious or a possible danger?

Coerciveness: Which choices does the SMT leave to modulate or avoid its impact and how does this affect the presumption of innocence? What choices are available as being less suspicious and which raise the perception of suspicion or danger?

Distribution: Which groups raise more suspicion through the SMT, are treated as more suspicious by the SMT or during the handling of the SMT?

Fair trial and due process

Scope: Are people able to contest freedom infringements through the SMT? Where and when is this (not) possible?

Intrusiveness: What can be contested and what not? What is the consequence of such contesting? What is the impact of the lack of this possibility?

Coerciveness: Which choices does the SMT leave to modulate or avoid its impact and how does this affect the possibilities of contesting? How do the possibilities of contesting affect the choices to modulate or avoid the impact of the SMT?

Distribution: Which groups are less able to contest freedom infringements? And which groups are more impacted by the lack of possibilities to contest the freedom infringements?

Privacy and data protection

Scope: Where and when does certain data get collected, stored (incl. retention) and where does this data end up after sharing?

Intrusiveness: Which shape of 'data double' gets created by the SMT? Which sort of data gets collected, stored and shared? How are the rights of the data subject affected (knowledge of collection, consent, access and correction)? What is the impact on the person of the infringements of privacy and data protection?

Coerciveness: Which choices does the SMT leave to modulate or avoid the impact on privacy and data protection and which consequences do these choices have? E.g. is the data collection based on consent and what is the consequence of refusing consent?

Distribution: Which groups get more impacted in their privacy and data protection rights? And which groups get more impacted by the infringements of privacy and data protection?

Workshops

The questions in this table are not differentiated for specific SMTs or categories of SMTs. In

several workshops the normative impact of SMTs on the freedoms was further investigated.

The aim was to relate the concepts in the freedom infringement table to practical use cases or

technologies using the knowledge and experience of users and experts.

In WP4 focus-groups with legal experts and civil society organizations made an inventory of

infringements and measures to reduce such infringements. In WP8 similar issues were

investigated through the development of scenarios.

These methodologies can also be used when users of the SIAM AST want to derive more

specific questions and issues related to a specific SMT, or to further explore which CIT can be

used to diminish the impact on the freedoms.

a) Expert focus group

The workshops in WP4 had the primary aim of developing a catalogue of infringements,

questions, and mitigation measures. The workshops are brainstorming activities, and as with

any such activity participants should be allowed to generate as many responses as possible.

The workshops can be conducted in essentially three steps in which participants will be

asked to enumerate 1) infringements, 2) questions, and 3) mitigation measures. The aim of

these steps is to generate a pool of issues, questions, and mitigation measures for each

category.

Step 1: The purpose of this step is to brainstorm the range of potential infringements

associated with each technology in the typology. These could be breaches of legal rules or

cultural norms and values. Partners should strive to enumerate as many issues as possible

and be as specific as possible. For example:

Example 1: Surveillance cameras may be used to focus disproportionately upon ethnic

minorities

Example 2: Body scanners reveal the body in a semi-nude state

Example 3: Pat-down searches may be offensive for women if conducted by a man

Step 2: The purpose of this step is to translate the infringement issues outlined above into

questions that should be asked during the acquisition and implementation phase of a

technology. This should be a straightforward process that will bridge Step 1 with Step 3.

Example 1: How can we reduce the potential for surveillance cameras to discriminate against

ethnic minorities?

Example 2: How can we reduce the privacy issues associated with body scanners?

Example 3: How can we avoid offending gender or religious sensibilities when conducting

security pat-downs?

Step 3: Using the concepts of scope, coerciveness, intrusiveness and distribution, generate a

list of technologies, rules, or procedures that could be implemented to mitigate the

infringements identified in Step 1. As the issues in Step 1 were converted into questions in

Step 2, Step 3 can be seen as efforts to answer those questions. It may make sense to focus

on one or two of the infringement dimensions, but partners should strive to generate

counter-infringement measures for all dimensions.

Example 1: Privacy-enhancing algorithms may be used to blur faces or invert the video’s

color spectrum, thereby reducing the intrusiveness of surveillance cameras. The scope of

cameras can be restricted by limitations on the duration for which images are stored.

Example 2: The privacy issues associated with body scanners can be reduced primarily by

focusing on scope and intrusiveness. Operators who conduct the scans should be limited to a

small number of professionally-trained staff, they should not be within visual sight of

individuals being scanned, and images from scans should not be recorded and/or retained

in any way. The coerciveness of body scanners can be minimized by offering an alternative

security procedure such as a pat-down search.

Example 3: The higher intrusiveness of pat-downs for specific groups may be minimized by

having them conducted by persons of the same gender and/or religious identity.

b) Scenario workshops

The workshops of WP8 approached these issues through the development of freedom

scenarios. These freedom scenarios are narratives that will depict the types of freedom

infringements that may be possible in relation to different kinds of SMTs, and they will

illustrate how these infringements could unfold along the four freedom infringement

dimensions and how they might be mitigated.

The workshop is conducted with 6-10 people, who bring a range of expertise into the

discussion, including on civil rights. Diversity of the participants is important; e.g. academia,

civil society, industry, SMT-expertise. The output of the workshop is to develop one ‘worst-case’

scenario and one ‘best-case’ scenario for each SMT or SMT type under consideration.

For every SMT selected there are two main focal issues:

- What are the most pressing infringement problems of the SMT? (worst-case scenarios)

- How can these infringement problems be mitigated/settled? (best-case scenarios)

1. Worst-case scenarios

For the purpose of the workshop, experts should discuss and agree on what the main issues

are concerning freedom infringements of each SMT. To structure the workshop discussion

the concept freedom infringement table can be used, as well as results from workshops as

described above.

In the workshop experts are asked whether:

(i) they agree with the findings from earlier workshops if conducted and whether additional

information can be provided. In addition participants are invited to discuss the normativity

dimensions of each SMT, using the freedom infringement table.

(ii) they can prioritize the infringements. What infringements are the most pressing ones?

We found that it might be helpful to ask experts to briefly summarize in laymen’s terms

what the key infringement problem is regarding a particular SMT/SMT type. For some SMTs

all 7 infringements might be felt to be a pressing problem, for others there are specific issues

that seem to be of more concern than others.

(iii) they can combine the infringement information into one coherent story that explains what the

infringement problem of the particular SMT is. This results in a 2-page narrative for the

worst-case scenario. The reader should be able to understand and grasp the infringement

problems that the particular SMTs pose.

2. Best-case scenarios

After discussing the freedom infringement issues there should be a discussion about how

these problems can be mitigated/settled. What are potential Counter Infringement

Technologies (CIT)? CITs are applications or architectures of SMTs that rule out, inhibit or

diminish freedom infringements. Such CITs are part of the broader set of Counter

Infringement Measures (CIM), which broadens the search for mitigating measures by looking

at the implementation and the context in which the SMT functions. CITs and CIMs can be

discussed in the workshop in terms of the following sensitizing concepts: regulation and

policy, planning, technology, awareness and transparency, accountability, redress, human

factor - security officers, infrastructure, …

The last step is to combine the CIT information into one coherent story that explains how the

infringements might be mitigated. This results in a 2-page narrative for the best-case

scenario. The reader should be able to understand what the various ways are to counter

infringements related to an SMT.

A method for the legal evaluation of security measures in public transportation

1. Introduction

This section of the handbook presents a method for the legal evaluation of security

measures in public transportation.5 The basis for this method is the KORA method, from

German ‘Konkretisierung rechtlicher Anforderungen’. Its creators are Roßnagel and the

research group ‘provet’ (Projektgruppe verfassungsverträgliche Technikgestaltung – Project

Group Constitutionally Compatible Technology Design). It was developed and used for the

first time in the constitutionally compatible design of ISDN communication systems, i.e. in

the field of information and communication technologies.6 Subsequently, it was applied to

multimedia documents,7 the purchasing of goods via internet,8 the handling of personal data

in the context of individualisation,9 process management systems in public administration,10

internet voting11 and many other fields.12

The following chapter will first present the KORA method. Afterwards, it will be

demonstrated how the method can be used for the evaluation of security measures in public

transportation.

2. Basic Principles of KORA

Development of new technologies usually takes place without taking into account legal

aspects of the use of the final product, and instead focuses on functional efficiency and

serviceability.13 Designing technologies is a process characterised by the selection of

individual design choices. Throughout the process of technology genesis and development,

decisions have to be made and their impacts, including legal impacts, have to be evaluated.

The KORA method, as a rule-based approach for the normatively guided design of

5 A more detailed description can be found in Geminn 2014 and D9.2 of the SIAM project from which this contribution has been derived.

6 Hammer/Pordesch/Roßnagel 1993, 43 ff.

7 Idecke-Lux 2000.

8 Scholz 2003.

9 Schwenke 2006.

10 Laue 2010.

11 Richter 2012.

12 Among others on digital signatures in form-oriented process management systems (Pordesch/Roßnagel, DuD 2/1994, 82 ff.), concepts of availability management (Hammer/Pordesch/Roßnagel/Schneider 1994) and the problem of presentation of digital documents in the submission of evidence (Pordesch 2003, 257 ff.). Furthermore, KORA is a consequent advancement of the principles of legal research of the consequences of the use of technology set forth in Roßnagel’s habilitation thesis. Roßnagel 1993, in particular 29 f.

13 Steidle 2005, 55.

technology,14 supports decision makers in these decisions by helping them choose those

design options that are best suited to fulfil legal requirements. KORA has been conceived to

come into play during the design phase of technology development, after a technology has

been defined beyond the early stages of conceptual development.15 This means that there

already has to be some idea about composition and capabilities of a technology, i.e. ideally

after an early prototype has been constructed. Its aim and effect is avoiding or at least

minimising the immanent risks of a technology. Risk in this context means any negative

effect that a technology might have. The second aim is achieving or strengthening chances,

meaning positive consequences.16

KORA is based upon the most permanent legal norms, which – through their fundamental

and technology neutral nature – provide a framework for future societal developments. In

the Federal Republic of Germany such norms can be found in the Constitution or “Basic Law”

(Grundgesetz). Subconstitutional law derived from it is not suitable as a starting point for the

KORA method, as it can only be technology neutral to a certain degree.17 This means that

due to the rapid progress of technology it antiquates quickly and thus cannot be used for the

compilation of long-lasting guidelines. In addition to this, it is only concerned with a small

part of the effects of technology usage.18 The life expectancy of such subconstitutional laws,

especially those concerned with the use of technology, is therefore limited. The constitution

however and especially its core, the fundamental rights and principles, is long-lasting and

offers a much more future-proof solution.19 In addition to this, it serves as a guideline for the

interpretation of subconstitutional law (rule of constitutionally compatible interpretation).20

This is true not only in Germany, but in any legal system based on a hierarchy of norms,21 as

the constitutional norms are the consented objectives of a society. It is easy to agree that

technology should be socially acceptable. The quarrel begins where it has to be decided

what it means to be socially acceptable. But if the definition is based on constitutional norms

that society has already agreed upon as its objectives, then this means that consented

14 In this context, design means any purposeful development and alteration of technical systems; cf. Roßnagel 1997, 267 f. The normative design approach that KORA is based on has to be differentiated from design based on empirical observations.

15 Hammer/Pordesch/Roßnagel/Schneider 1994, 4, 6 f.; Steidle 2005, 64.

16 Schnabel 2009, 32; Pordesch 2003, 257.

17 Roßnagel 2009, 336 f.; Idecke-Lux 2000, 213 ff.

18 Hammer/Pordesch/Roßnagel 1993, 46.

19 Roßnagel 1993, 196.

20 The rule of constitutionally compatible interpretation demands that from several possible interpretations out of which some would yield a constitutional, some an unconstitutional result, those interpretations must be favored that are constitutionally compatible; BVerfGE 32, 373, 383 f.; Lüdemann, JuS 1/2004, 27, 27 ff.

21 For the USA cf. the seventh rule of the so-called ‘Ashwander Rules’; Ashwander v. Tennessee Valley Authority, 297 U.S. 288 (1936), Crowell v. Benson, 285 U.S. 22 (1932): ‘When the validity of an act of the Congress is drawn in question, and even if a serious doubt of constitutionality is raised, it is a cardinal principle that the Court will first ascertain whether a construction of the statute is fairly possible by which the question may be avoided.’

objectives for a technology design that avoids conflicts are already predetermined.22 This

underlines the logic behind using the constitution as a basis.

However, the constitution does not contain statements that are directly applicable to

technical systems.23 This means that the fundamental rights cannot be the immediate basis

for the evaluation and the design of technology; they have to be concretised.24 This is where

the previously described rules of interpretation come into play. One has to keep in mind

though, that the aim is not to ascertain the legality of the technology, but its legal

compatibility. Ascertaining the legality of a technology means nothing more than saying that

the use of a technology would be legal or illegal. In that case, there would be only black and

white, which means that this approach is too narrow. In contrast, legal compatibility is a

broad approach which allows a grading: a technology can be more legally compatible or less

legally compatible.25 It is thus a qualitative approach that allows for a differentiation within

the concept of legality. This means that it is not identical with legality and not the opposite

of illegality.26 Constitutional compatibility, as legal compatibility in relation to the

constitution, means the compatibility of the social requirements and the impact of

technological changes with the objectives of the constitution.27 The term is thus mostly

synonymous with social compatibility, as social compatibility is defined as the compatibility

with the objectives and standards of a society,28 whereas the law – and particularly the

fundamental rights and principles – is the embodiment and formalisation of these

objectives.29

Fig. 1 – The qualitative approach of the KORA method

By using the means of concretisation of constitutional norms, KORA faces the challenge of

closing the description gap between broad and unspecific legal requirements – as found for

instance in general clauses – and concrete design proposals,30 because such proposals

22 Roßnagel 2001, 27.

23 Hammer/Pordesch/Roßnagel 1993, 47.

24 Hammer/Pordesch/Roßnagel 1993, 46; Roßnagel 2001, 29.

25 Roßnagel/Wedde/Hammer/Pordesch 1990, 7; for a detailed description of this concept see Roßnagel 1993, 192 ff.

26 Roßnagel 1993, 194.

27 Roßnagel 1997, 148; Steidle 2005, 60; Roßnagel 1993, 26.

28 Roßnagel 1993, 193.

29 Roßnagel 1993, 194.

30 Roßnagel 1993, 16, 28, 67 ff.; Schwenke 2006, 11; Pordesch 2003, 260; Roßnagel 2001, 30.

cannot be found in abstract general clauses.31 To this end, the general clause, or in this case

a basic right, is concretised over several steps. Thereby only the legally relevant part is

covered, not the entire functionality of the technology or measure. This requires an

interdisciplinary discourse between legal researchers and technicians: a dialogue of

disciplines. This cooperation can be seen as one of the core elements of KORA. It is the only

way to ensure that the expertise of both sides is channelled into the design process, because

technology and law each have an individual terminology of concepts and are thus separated

by a seemingly impenetrable language barrier.32 Overcoming this barrier between

professions is both an integral part of KORA and one of its goals.

KORA must not be misunderstood as an automatism for the generation of technological

solutions to legal problems.33 Rather, the outcome of its use can depend on the attitude of

the user. This is due to the fact that different interpretations of legal norms exist.34 This

effect can be minimised where the user follows the majority position when faced with a

controversial question, especially the rulings of the higher courts, specifically the

constitutional court (in Germany the Bundesverfassungsgericht as the guardian and supreme

interpreter of the German constitution). This approach is further advocated by the fact that

it strengthens the result of the examination. Still, the use of KORA will yield different but

congeneric results, varying from user to user. This is a desired effect, because KORA does not

strive to be an automatism, but a guideline that allows for different emphases. The

structured composition of the method guarantees traceability. Thus, the results of its use are

derived in a clear way and become a subject for discussion.

The use of KORA is composed of four steps. Its starting point is formed by the relevant

constitutional norms, which have to be identified and selected in a preliminary stage. What

follows is a step by step concretisation of the fundamental legal provisions identified in the

preliminary stage, at first into legal requirements, then in a second step into legal criteria, in

the third step into technical objectives and finally into technical design proposals. The

abstract legal requirements become more concrete with every step. Between the legal

criteria and the technical objectives, there is a shift from the terminology of the law to the

terminology of technology.

As an exception, subconstitutional law may under certain circumstances also be used as a

basis for KORA, where it contains constitutional goals in the form of abstract general

clauses.35 An example of this is § 3a of the German Data Protection Act

(Bundesdatenschutzgesetz) which demands data reduction and data economy. This is a

concretisation of the general right to the protection of personality via the right to

informational self-determination.

31 Examples of such abstract general clauses are § 163(1) and 161 of the German Code of Criminal Procedure (Strafprozessordnung; StPO).

32 Schnabel 2009, 31 f.; Idecke-Lux 2000, 211.

33 Bräunlich/Richter/Grimm/Roßnagel, DuD 2/2011, 129, 131.

34 Roßnagel 1993, 198 f.

35 Steidle 2005, 62.

The four-step structure of the KORA method:

Fig. 2 – Decision making using the KORA method

The individual steps and stages will be presented in the following chapter in more detail.

2.1 Legal Requirements

The legal requirements are the result of the first step of concretisation and are derived from

the fundamental legal provisions. They are the product of the legal interpretation of social

functions that are affected by the technology being evaluated. This makes it necessary to

establish a relation between the fundamental legal provisions and the social functions of the

technology.36 The basis for this is a description of the chances and risks, created by the

technology being evaluated, for the social functions behind the fundamental rights. Thus,

the possible chances and risks have to be identified and examined in a side-step.37 All in all,

the goal of the first step of the use of KORA is to create legal norms that have been specified

for the technological environment. The legal requirements are expressed in legal

terminology.

One example of the concretisation of a legal requirement from a fundamental legal

provision is the right to informational self-determination, derived from Art. 2(1) of the

German Basic Law in conjunction with Art. 1(1) in the so-called Census decision

(Volkszählungsurteil)38 as a concretisation of the protection of personality to the risks of

electronic data processing. Another possible fundamental provision is Art. 8(1) of the ECHR.

36 Pordesch 2003, 266 f.

37 This has been done in work packages 2 and 4 of the SIAM project.

38 BVerfGE 65, 1.

2.2 Legal Criteria

Legal criteria stem from the concretisation of legal requirements. They are closer to

technology than legal requirements, but still on the legal side and formulated in legal

terminology. They describe solutions for the problems within the legal requirements, but

without a limitation to a certain concrete technological, organisational or legal approach. All

technical and non-technical possibilities for solutions still remain possible at this stage.39

In this step, the right to informational self-determination could be concretised into the

principle of transparency of any data collection and data handling.

2.3 Technical Objectives

During the concretisation of legal criteria to technical objectives, the terminology used

changes from legal terminology to technical terminology by converting legal terms into

technical terms. Therefore, significant cooperation between legal researchers and

technicians is necessary. The technical objectives are derived by looking for the most basic

functions that the technology has to have in order to fulfil the demands set by the legal

criteria. The technical objectives are thus too abstract to be implemented directly. They are

nothing more than rough technical target specifications.

In this step, the principle of transparency could be further refined into the technical

objective to document any kind of data collection and handling.

2.4 Technical Design Proposals

The technical design proposals are derived from the technical objectives. They are a

collection of measures for direct implementation into the technology.40 They are usually

not without alternatives; they should be seen as proposals, as their name indicates. This

means that the catalogue of measures created in this last step can contain several

alternative solutions for an individual problem. This is due to the fact that the aim of KORA is

not to create a coherent system design. In fact this cannot be the case as KORA only looks at

those aspects of a technology that are legally relevant. However, the proposals developed

should be fit for direct implementation. This means that they have to be concrete enough

that they could become part of a technical specifications sheet.41 Their implementation may

not be strictly necessary from a legal point of view, but it should at least be desirable. This is

due to the fact that the results of the use of the KORA method have been designed to fulfil

fundamental legal provisions in the best way possible which means that they can be above

the legally required minimum standard.42

39 Pordesch 2003, 261.

40 Laue 2009, 65.

41 Pordesch 2003, 267 f. A definition of what is meant by a technical specifications sheet (Lastenheft) can be found in DIN 69905.

42 Bräunlich/Richter/Grimm/Roßnagel, DuD 2/2011, 129, 130.

During the creation of a technology, the technicians, engineers, etc. involved can work

towards the implementation of these measures. But it is also possible to utilise the results of

the application of KORA to compare them with products readily available in the free market.

This comparison will show any deficits the product might have; i.e. the degree of the

product’s compatibility with fundamental legal provisions.43

The example that illustrated the individual steps of the KORA method culminates here with

the proposal to implement the technical objective to document any kind of data collection

and handling by including a display that shows the history of any data collection or data

handling performed.

3. KORA as an Instrument for the Evaluation and the Design of SMTs

In 2008, the global market for security products and services exceeded for the first time the

mark of 100 billion Euros and has grown by about five to seven per cent every year since.44

30 per cent of this falls to the European market. This is an indicator of the high expenses in this

sector. An investment into a certain SMT is a long-term investment. No end user can afford

misinvestments due to high acquisition and follow-up costs. It is thus very important for any

decision maker to choose a security product that can be used in his own legal system

without coming into conflict with the law. Furthermore, the SMT must be socially accepted;

it must not deter potential passengers from travelling. Here legal evaluation and social

evaluation mesh with each other: as shown above, constitutional norms are expressions of

generally accepted social standards and norms. It is thus beneficial in more than one way to

adhere to these constitutional norms when performing an evaluation. The concept of legal

compatibility takes this up and tries to achieve a maximum of conformity with fundamental

legal provisions using a qualitative approach, instead of just adhering to minimum standards.

This leads to a broader social acceptance of a measure.

Finding such a product can be challenging because the market for security products is international, which can make it difficult to find a product that is compatible with the legal situation in the end user’s country. This is where KORA comes into play as a method for legal evaluation and legally compatible design. KORA should be of interest not just to end users, but also to manufacturers in the security sector that want to benefit from the continuous boom, as it enables them to develop security products that are legally compatible and can thus survive in the marketplace and prevail in the critical eyes of the public.

[43] Hammer/Pordesch/Roßnagel 1993, 46.

[44] Bundestag printed matter (Drucksache) 17/8500, 6.


Parameters like those that can be found in Part A of the Annex to Commission Regulation (EC) No 272/2009[45] in the form of a catalogue containing acceptable methods for the screening of passengers, luggage and freight in civil aviation do not offer much assistance when selecting a concrete product. Such parameters offer nothing more than a list of methods that are acceptable in principle, but they do not offer indications on how a method has to be shaped precisely, both in a technological and an organisational sense. Furthermore, the fact that a measure is accepted on a European level does not mean that it is compatible with the constitutional framework of one of the member states. Unconstitutional SMTs, however, cannot and must not be authorised and operated.

The following chapters will demonstrate how KORA can be used for the legal evaluation of SMTs, thus going beyond its original purpose, which was the legally compatible design of information technologies. To achieve this, KORA has been adapted to the characteristics of this goal. At this point, it has to be emphasised once again that the aim of the method is not to attach a seal of approval to a certain product that merely indicates conformity with legal minimum requirements, similar to what the CE logo[46] or the ECB-S certificate[47] stand for in the field of product-specific conformity. Instead the aim is a qualitative evaluation of the legal compatibility of a measure.

These guidelines will enable a fundamental legal evaluation of existing and future SMTs. In addition to this, KORA can and should be used for the legally compatible design of SMTs. The following paragraphs will give a detailed description of the individual steps a user has to follow to perform a legal evaluation of an SMT.

3.1 Pre-stage – Identifying the relevant fundamental legal provisions

First, in a pre-stage, the relevant fundamental legal provisions as the basis for the evaluation have to be identified. In Germany, the catalogue of fundamental rights found in the Basic Law is primarily relevant. At the European level, the Charter of Fundamental Rights of the European Union can form the basis. To be able to reduce such a catalogue of rights to those that are actually relevant for the evaluation, a preliminary evaluation is necessary.

3.1.1 Type and Functions of the SMT

The user of the method will at this point already have decided which type of SMT he or she wants to evaluate. This means that the start of the procedure is the decision in favour of a certain measure, for instance a system for biometric access control or video surveillance. To make this decision in a professional way, the user has to possess basic technological knowledge, as well as knowledge in the fields of security and counter-terrorism. Here the scenarios and the scenario building tool developed in work package 6 of the SIAM project can be helpful, as they give indications for the necessity and suitability of a measure. The second pillar of decision making in this context is formed by the technological and social features of an SMT. Here, the results of work packages 2, 4 and 5 of the SIAM project can lend some assistance to the user. At the end of this step, type and functions of the SMT that is to be evaluated will have been identified.

[45] Commission Regulation (EC) No 272/2009 of 2 April 2009 supplementing the common basic standards on civil aviation laid down in the Annex to Regulation (EC) No 300/2008 of the European Parliament and of the Council, L 91/7. Cf. deliverable 9.8 of the SIAM project.

[46] Regulation (EC) No. 765/2008 of the European Parliament and of the Council of July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No. 339/93, L 218/30.

[47] Issued by the European Security Systems Association.

3.1.2 Fundamental legal provisions

After the basic functions of a measure have been isolated and carved out, the fundamental legal provisions can be identified. For this, it is necessary for the user to possess legal knowledge. A fundamental right is relevant if its protected sphere is affected by the measure being evaluated. Furthermore, a fundamental right can become relevant where it is facilitated by the measure. To determine this, the chances and risks of the use of the SMT have to be examined. They are derived from the functions identified in the previous step. This is in line with the target to extract legal requirements from social principles that are the basis for legal norms. Depending on type and functions of an SMT, different fundamental rights will be affected.

It has to be kept in mind that the goals stated in fundamental rights do not just stand side by side, but that they often come into conflict with each other, meaning there are conflicts of goals.[48] Such conflicts can occur in every stage of the KORA method. If possible, they should not be resolved but carried forward as far as possible, in order not to lose alternative solutions that may result from these conflicts of goals.

The carved out functions and the fundamental legal provisions should be linked in a table in order to increase clarity and traceability of the process:

LP #1 LP #2 LP #3 …

F #1

F #2 - -

F #3 -

shows, that a function (F) affects the range of protection of a fundamental legal provision (LP)

Fig. 3 – Example of a diagram of the functions of an SMT and the affected fundamental rights

3.2 Stage 1 – Deduction of Legal Requirements

What follows is the first step of concretisation in which the fundamental legal provisions are condensed and channelled into legal requirements. Where such concretisations already exist, for example in the shape of a ruling of the constitutional court, they can be resorted to. In any other case, the conventional methods of legal interpretation should be used.

[48] Roßnagel 1993, 200.


It has to be noted that the principle of proportionality can serve neither as a fundamental legal provision nor as a requirement; rather it is an implicit part of the KORA method. This results from the fact that the question of proportionality of a measure – and thus of the material lawfulness – is an aspect of legal compatibility, which aims at a gradation of proportionality.[49] Proportionality is thus not located on the level of legal requirements; instead it is an overarching concept that pervades the evaluation as a whole and is ultimately absorbed by the concept of legal compatibility.

3.3 Stage 2 – Concretization into Legal Criteria

The legal requirements are now concretised into legal criteria by deriving from the legal requirements the basic requisites concerning the use of the SMT. In order to do this, rules have to be identified which determine how to fulfil the legal requirements with regard to the specific features, risks and conditions of the use of the SMT.[50] The criteria thus derived are connected both to the technology and to the social and legal aspects. They are the bridge between the law and technology and herald the change from the terminology of law to the terminology of technology.

3.4 Stage 3 – Concretization into Technical Objectives

In the third stage, technical objectives are derived from the legal criteria. Since they can also contain organisational objectives that do not pertain to the concrete design of a technology, but rather to the environment and manner of its use, they could also more accurately be called technical and organisational objectives. The technical objectives are abstractions of concrete technological features. The concretisation from legal criteria is based on considerations about how to transform these legal criteria into basic functions of an SMT. The objectives thus developed are descriptions of functions and requirements in general terms. In this stage, alternative proposals can be developed to have a broader base for the comparison following in the final stage. Such alternative proposals can also facilitate a comparison between several SMTs that try to give different solutions to legal requirements.

If KORA is used in the context of the genesis and design of technology, technical (and organisational) objectives which are not concerned with technology design but rather with the use of technology must not be omitted; they remain relevant, because as early as during the design process it has to be ensured that technology is designed in a way that does not hinder or preclude certain legally compatible organisational options. Quite the contrary, the producer should work towards promoting certain organisational options which benefit basic rights. To that end, it is imperative that producers concern themselves with organisational aspects and possibilities of the later use on the level of technical objectives and account for them in the development process. Basic rights would benefit even more if producers were to pass recommendations for the implementation of their products and their organisational environment on to the buyers and users. In order to realise this, it is again necessary for producers to concern themselves actively with these aspects.

[49] Cf. chapter 2.2.

[50] Hammer/Pordesch/Roßnagel 1993, 46.

If the methodology is used in the context of the acquisition of an SMT by a decision maker, the organisational aspects of the use of the SMT should still be kept in mind, but only those technical objectives that concern the technological features of the SMT are directly relevant for the decision on which SMT to buy. Still, it is important that organisational aspects, compiled together with technological aspects, are on hand as early as the acquisition phase for the comparison with SMTs, because they may for example indicate additional costs or spatial requirements and can thus be relevant for the decision. During the implementation and arrangement phase of the chosen SMT, the organisational aspects can finally have full effect.

3.5 Stage 4 - Comparison

Where the user evaluates a concrete product (or several), the use of the method is concluded with a comparison of this (or these) product(s) with the technical objectives developed in the previous stage. If the user evaluates more than one SMT, he or she is advised to draft a table containing an overview as shown in Fig. 6. Alternatively, the technical objectives can be used as a checklist for the selection of a suitable SMT. It has to be kept in mind that it is possible for an SMT to only partially comply with a technical objective. Also, when comparing several SMTs, it can occur that a number of candidates are equally compatible with technical objectives. In such a case the user should fall back on non-legal factors to decide between these candidates.

SM #1 SM #2 SM #3 …

TO #1

TO #2

TO #3

A security measure (SM) fulfils a technical objective (TO) completely (), partially () or not at all ().

Fig. 4 – Example of a diagram when comparing SMTs

In this last stage, the guidelines deviate from the original application of the KORA method. Concretising the technical objectives into technical design proposals, which would have to be adhered to during the development of a technology, is replaced by the above-mentioned comparison. This approach, however, is not new. Hammer/Pordesch/Roßnagel, for instance, have already described the possibility of making a comparison with available products.[51]

In summary, the structure is as follows:

[51] Hammer/Pordesch/Roßnagel 1993, 46.


Fig. 5 – KORA as a method for the legal evaluation of SMTs

Using a method such as the one proposed can entail significant benefits. It will increase social acceptability of a security measure and it will increase the durability of the decision made, since it is based on the most durable legal norms and principles. Furthermore, the decision becomes traceable. Also, the method facilitates rational decision-making, as it forces a decision-maker to place his or her decision on a solid foundation, namely fundamental rights and principles, and it makes it necessary that the decision-maker concerns him- or herself with the effects of the measure on the rights and principles. Overall, the attractiveness of the mode of transportation or the transportation site, where the method is used, is increased. Passengers will be less likely to opt for another mode of transportation or for example to choose a different airport for their travels, if they have confidence not only that a state of security is maintained, but also that security is maintained while keeping in mind the effects of security measures on passengers and minimising any negative effects.

Bibliography

Bräunlich, K./Richter, P./Grimm, R./Roßnagel, A., Verbindung von CC-Schutzprofilen mit der Methode rechtlicher IT-Gestaltung KORA, DuD (Datenschutz und Datensicherheit) 2/2011, 129-135.

Geminn, C., Rechtsverträglicher Einsatz von Sicherheitsmaßnahmen im öffentlichen Verkehr, Wiesbaden, 2014 (forthcoming).

Hammer, V./Pordesch, U./Roßnagel, A., Betriebliche Telefon- und ISDN-Anlagen rechtsgemäß gestalten, Berlin, 1993.

Hammer, V./Pordesch, U./Roßnagel, A./Schneider, M. J., Vorlaufende Gestaltung von Telekooperationstechnik – am Beispiel von Verzeichnisdiensten, Personal Digital Assistants und Erreichbarkeitsmanagement in der Dienstleistungsgesellschaft, GMD-Study Nr. 235, Sankt Augustin, 1994.

Idecke-Lux, S., Der Einsatz von multimedialen Dokumenten bei der Genehmigung von neuen Anlagen nach dem Bundesimmissionsschutzgesetz, Baden-Baden, 2000.

Laue, P., Vorgangsbearbeitungssysteme in der öffentlichen Verwaltung: Rechtliche Rahmenbedingungen und Gestaltungsanforderungen, Kassel, 2010.

Lüdemann, J., Die verfassungskonforme Auslegung von Gesetzen, JuS (Juristische Schulung) 1/2004, 27-30.

Pordesch, U., Die elektronische Form und das Präsentationsproblem, Baden-Baden, 2003.

Pordesch, U./Roßnagel, A., Elektronische Signaturen rechtsgemäß gestalten, DuD (Datenschutz und Datensicherheit) 2/1994, 82-91.

Richter, P., Wahlen im Internet rechtsgemäß gestalten, Baden-Baden, 2012.

Roßnagel, A., Rechtswissenschaftliche Technikfolgenforschung, Umrisse einer Forschungsdisziplin, Baden-Baden, 1993.

Roßnagel, A., Rechtswissenschaftliche Technikfolgenforschung am Beispiel der Informations- und Kommunikationstechniken, in: Schulte, M. (Ed.), Technische Innovationen und Recht, Antrieb oder Hemmnis?, Heidelberg, 1997, 139-162.

Roßnagel, A., Allianz von Medienrecht und Informationstechnik: Hoffnungen und Herausforderungen, in: id., Allianz von Medienrecht und Informationstechnik?, Schriftenreihe des Instituts für Europäisches Medienrecht, Vol. 24, Baden-Baden, 2001.

Roßnagel, A., „Technikneutrale“ Regulierung, Möglichkeiten und Grenzen, in: Eifert, M./Hoffmann-Riem, W. (Eds.), Innovation und Recht II, Innovationsfördernde Regulierung, Berlin, 2009, 323-327.

Roßnagel, A./Wedde, P./Hammer, V./Pordesch, U., Digitalisierung der Grundrechte?, Zur Verfassungsverträglichkeit der Informations- und Kommunikationstechnik, Opladen, 1990.

Schnabel, C., Datenschutz bei profilbasierten Location Based Services, Die datenschutzadäquate Gestaltung von Service-Plattformen für Mobilkommunikation, Kassel, 2009.

Scholz, P., Datenschutz beim Internet-Einkauf, Gefährdungen – Anforderungen – Gestaltungen, Baden-Baden, 2003.

Schwenke, M. C., Individualisierung und Datenschutz – Rechtskonformer Umgang mit personenbezogenen Daten im Kontext der Individualisierung, Kassel, 2006.

Steidle, R., Multimedia-Assistenten im Betrieb, Datenschutzrechtliche Anforderungen, rechtliche Regelungs- und technische Gestaltungsvorschläge für mobile Agentensysteme, Wiesbaden, 2005.