
Ethics in Security Research

Security Research Info Day, FP7-SEC-2013-1 call, Brussels, 11 September 2012

Bruno Mastantuono, Legal Adviser, REA S3 - Security Research

NOT LEGALLY BINDING


Ethical aspects in Security research


Ethics is becoming an essential requirement and guideline in the development of new technology solutions in modern society. It is also a competitive factor in business.

Main areas of concern in EU public-funded research:

- Privacy and data protection
- Dual use
- Mission/Function creep

Compliance with ethical rules: a legal obligation


- FP7 Decision No 1982/2006/EC, Article 6(1): all research activities carried out under the Seventh Framework Programme shall be in compliance with fundamental ethical principles.
- Rules for submission of proposals, Part 4.3: the Commission may reject proposals on ethical grounds following an ethical review.
- Rules for Participation, Article 15.2: any proposal that contravenes fundamental ethical principles shall not be selected.

Some definitions
Data privacy: the right of any individual to expect that his/her personal information, whether directly or indirectly collected, is processed securely and is not disseminated without his/her written consent. Data privacy must not be subject to "mission creep" (i.e. information collected with permission for one purpose and then used without permission for other purposes).

Data protection: the framework of security measures designed to guarantee that data are handled in such a manner as to ensure that they are safe from unintended, unwanted or malevolent use. Data protection is the technical mechanism that ensures data privacy.

Some definitions
Mission/Function creep: used in the security context for a type of misuse concern, where an experiment, a technology or information/data is used beyond the approved initial plan and thereby could harm fundamental ethical values or civil rights (surveillance, people-tracking tools etc.).

Dual use: technologies relevant to both civilian and military applications (robotics, use of listed chemical/biological agents etc.). FP7 security research has an exclusive civilian application focus (Council Decision 2006/971/EC).

Misuse/Malevolent use: research involving or generating materials, methods or knowledge that could be misused for unethical purposes (toxic chemicals, radioactive material, manuals for the production of toxic materials, critical infrastructure vulnerabilities).
(ftp://ftp.cordis.europa.eu/pub/fp7/docs/guidelines-on-misconduct-misuse-ofresearch_en.pdf)

Issues to be elaborated in the proposal (I)


- The ethical standards and guidelines of FP7 must be rigorously applied, regardless of the country in which the research is carried out.
- Explain in the ethical section how you will comply with them (procedures, safeguards, monitoring and reporting exercises etc.).
- Adequate ethical expertise shall be ensured for the project.
- Ethical aspects shall be considered during the development phases of a system (e.g. during tests, field trials, experiments, demonstrations) to ensure privacy-enhancing technologies are built in. Don't wait for the system to become operational: the potential market outlet could be jeopardised if the system does not comply with national rules.

Issues to be elaborated in the proposal (II)


- The exploitation strategy and the dissemination and communication of the study results should be reviewed/checked by competent experts.
- Apply ethics/safety standards and rules also to your own staff involved in the trials (as for volunteers), and ensure that appropriate health and safety procedures conforming with national legislation are applied to staff involved in the project.
- Be aware, at proposal stage, that prior to the start of the relevant research, ethical and data protection approvals/notifications to the competent local/national ethics bodies and data protection administrations may be requested by REA/Commission. Compliance with these obligations may be reported as a project deliverable to comply with special clause 15 of the grant agreement (when applicable). Take measures to anticipate these steps (!)

Relevant expertise
- Ensure ethics/data protection experts in the consortium; an Ethics Advisory Board may be established, or an external independent ethics expert may be appointed to oversee the ethical concerns.
- When there are concerns on data protection and privacy, a data controller shall be appointed, in compliance with Directive 95/46/EC and Article 29 Working Party Opinion 8/2010.
- The Ethics Board may include relevant external, independent ethical expertise, in addition to the ethics experts who are members of the consortium, to monitor the ethical concerns.

Ethics screening/review
Following the scientific evaluation, the Ethics Screening is conducted at REA by an independent panel composed of ethics experts (REA manages this process; tentative date March/mid-April 2012). The screening is a preliminary check of the ethical issues. It may identify proposals requiring a more in-depth ethical analysis, e.g.:
- projects that raise sensitive ethical issues;
- projects where applicants fail to address ethical issues appropriately.

The flagged proposals will go through a second-stage process called Ethics Review (DG R&I manages this process). An Ethics Review report is produced that may contain:
- recommendations for negotiations (as in screening reports);
- a request for additional information to be provided to the Review Panel;
- a recommendation to reject the proposal on ethical grounds.

Ethics screening/review
The Ethics panels examine a wide range of issues:
- the type of data collected
- are children/adults/patients/animals/volunteers involved?
- the purpose of and the need for data collection
- the type of processing and storage proposed
- safeguards and any risk management measures
- acceptable justification of the time needed for data storage
- any potential data transfer outside the EU
- the method to be followed for its fabrication or deletion
- proportionality check (right balance between the techniques proposed and the societal benefits of the research?)
- are ex ante notifications to DPAs envisaged?
- any other ethical aspect (dual use, function creep etc.)

Common sources of personal data affected by DP rules:


1. Health-related information/records (hospital records on patients)
2. Judicial and criminal justice (e.g. criminal records)
3. Financial information
4. Genetic information (DNA)
5. Biometrics
6. Circulation/travel records (e.g. visas, PNR)
7. Data resulting from geographic/location records of persons or households (e.g. GPS, GMEs records)
8. Data resulting from tools for tracking of people / visual data records (human behaviour detection cameras etc.)
9. Data resulting from security scanners or intrusive systems
10. Public data/information/material/videos available on the web

Examples of sensitive research/applications :


- biometric passports/visas
- systems for real-time facial recognition in an unrestricted environment
- 3D facial recognition algorithms
- iris and facial recognition
- video surveillance systems (in railways, airports, urban areas, commercial/retail premises, banks, parking, traffic control etc.)
- smart systems / technologies
- mobile electronic tags
- automatic number plate recognition
- exposure of volunteers to electromagnetic field tests
- research tests that could endanger human safety or breach fundamental rights
- use of animals / animal testing

Privacy/Personal Data Protection


- Who does what and where on processing of data in the whole consortium?
- Who should be appointed Data Privacy Controller, responsible for the management of data operations (in EU and EEA countries and outside the EU)?
- Would the data operations be compliant with the EU Directive and national laws in the countries where data will be collected, processed and stored?
- How to ensure safeguards if processing means any intrusion into an individual's fundamental rights or privacy? Is this clear in the proposal? How proportionate is it?
- Define a data privacy management procedure to be followed.
- Commit to setting up an Ethics Advisory Board with an independent expert.
- Commit to a specific Ethics Report/Deliverable.

Dual Use And Mission/Function Creep


- Provide a detailed description of the security measures and the legal and operational safeguards that will be implemented to prevent any potential improper/malevolent use of the system and any potential mission creep scenarios.
- Consult experts if you don't have internal expertise in the consortium, set up a Security Advisory Board, and keep the REA/Commission informed of any development.

Recommendations
- Describe in the proposal awareness, competence and expertise.
- Elaborate in detail the action plan and the specific WPs and deliverables envisaged to comply with ethics and privacy/data protection issues.
- Address the costs adequately in the budget.
- State whether the approvals/notifications have already been sought before the competent authorities, or give the calendar and relevant WPs envisaged to fulfil those tasks.
- Pay attention also to the communication aspect of the project.
- On data protection issues, consult the Vademecum on national notification procedures and applicable law and other guidance publicly available, and anticipate the notification duties under national law:
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/others/2006-07-03-vademecum.doc
https://clientsites.linklaters.com/Clients/dataprotected/Overview/Pages/Index.aspx

Guidance documents
https://ec.europa.eu/research/participants/portal/page/fp7_documentation
https://ec.europa.eu/research/participants/portal/ShowDoc/Extensions+Repository/General+Documentation/Horizontal+issues/Ethics/Guidance+documents/informed-consent_en.pdf
https://ec.europa.eu/research/participants/portal/ShowDoc/Extensions+Repository/General+Documentation/Horizontal+issues/Ethics/Guidance+documents/privacy_en.pdf
https://ec.europa.eu/research/participants/portal/ShowDoc/Extensions+Repository/General+Documentation/Horizontal+issues/Ethics/Guidance+documents/article-29_en.pdf
https://ec.europa.eu/research/participants/portal/ShowDoc/Extensions+Repository/General+Documentation/Horizontal+issues/Ethics/Guidance+documents/social-sciences-humanities_en.pdf
https://ec.europa.eu/research/participants/portal/ShowDoc/Extensions+Repository/General+Documentation/Horizontal+issues/Ethics/Guidance+documents/international-cooperation_en.pdf
https://ec.europa.eu/research/participants/portal/ShowDoc/Extensions+Repository/General+Documentation/Horizontal+issues/Ethics/Useful+documents/ethics-for-researchers_en.pdf

More information and for assistance

Ethics Help Desk for all FP7 projects


http://cordis.europa.eu/fp7/getsupport_en.html#ethics

Surveille Ethics Advisory Service



For individual companies, research consortia, and projects. Objective, confidential, constructive and free advice on ethical issues arising from technology research and development. Delivered by experts in security and technology ethics. To be launched in Autumn 2012. To register an expression of interest please visit www.surveilleadvisoryservice.eu
