This project has received funding from the European Union’s Seventh Framework Programme for research, technological development and demonstration under grant agreement no 285492.


SurPRISE finished

After three years of challenging and very interesting research, the SurPRISE project came to an end on January 31st 2015.
We are thankful for the support we received and confident that our results will be picked up by policy makers and researchers alike.

The public deliverables can be found under “Research Results”.
Our information material on surveillance-orientated security technologies can be downloaded from the section “Info Material”.
Last but not least, some of the other scientific output based on the work done in the project can be found in the section “Papers and Presentations”.

If you are interested in our work, would like to get more information or have specific questions, please do not hesitate to contact us, for example by sending a mail to

Joint conference of SurPRISE, PRISMS and PACT

“Citizens’ Perspectives on Surveillance, Security and Privacy: Controversies, Alternatives and Solutions”

13th-14th November 2014, Vienna

Privacy Breach

Europe’s citizens demand non-technical alternatives to current surveillance practices. This is one of the main results of three EU-projects exploring citizens’ opinions on security and surveillance. Experts from all over Europe gathered in Vienna to discuss results and define future discourses.

When we use a smart phone or write an email, we do more than just communicate. We are making ourselves vulnerable by giving up our data to sources often unknown. In times of mass surveillance and pre-emptive security measures, it is important for Europeans to ask questions, and to insist on having them answered.

Three EU-projects did just that: While SurPRISE, coordinated by Austria’s Institute of Technology Assessment, used citizen summits and meetings as an instrument to gather opinions and arguments on surveillance technologies, PRISMS, overseen by the German Fraunhofer ISI, and PACT, led by the Peace Research Institute Oslo (PRIO), focused on a numbers approach: Thousands of interviews conducted in 27 EU member states delivered a picture of acceptance and/or fear of current practices depending on circumstance.

In Vienna, 200 experts from all over Europe gathered at the Austrian Academy of Sciences on November 13 and 14 to discuss those results and identify topics for future research. The conference, titled “Citizens’ Perspectives on Surveillance, Security and Privacy: Controversies, Alternatives and Solutions”, represents a joint effort to make citizens’ voices heard: “The revelations of Edward Snowden about the NSA and the hesitation of policy-makers to guard people’s privacy are clear signs that public voices have to be heard in this debate”, stresses SurPRISE coordinator Johann Cas (ITA).

“We just celebrated the 25th anniversary of the fall of the Berlin Wall, but we are erecting new, virtual walls around us which we are not even aware of”, Cas adds. In his keynote, Julian Kinderlerer, President of the European Group on Ethics in Science and New Technology, made another strong argument for the need to strengthen the rights of citizens. Civil rights advocate Ben Hayes spoke out in favour of solidarity and not dividing societies in “the others” and “us”.

At a press conference in the wake of the conference, Michael Friedewald (Fraunhofer ISI) stressed the common ground of these three different efforts to pinpoint the privacy-security trade-off: “It has become clear in the course of our research that people do not reject security and surveillance measures as such. But they demand to be informed about the necessity and the consequences of such measures.” Johann Cas adds: “Surveillance technologies themselves are not something that we can simply deny. But they need strong regulations, there have to be rules in place that justify giving up our privacy in public areas, or having our internet traffic monitored. There is definitely a need for decision makers to keep existing standards in place and come up with new solutions”.

Findings of the large-scale citizen summits are now available

SurPRISE re-examines the relationship between security and privacy, commonly positioned as a “trade-off”. Where security measures and technologies involve the collection of information about citizens, questions arise as to whether and to what extent their privacy has been infringed. This infringement of individual privacy is sometimes seen as an acceptable cost of enhanced security. Similarly, it is assumed that citizens are willing to trade off their privacy for enhanced personal security in different settings. This common understanding of the security-privacy relationship, both at state and citizen level, has informed policymakers, legislative developments and best practice guidelines concerning security developments across the EU.

However, an emergent body of work questions the validity of the security-privacy “trade-off”. This work suggests that it has over-simplified how the impact of security measures on citizens is considered in current security policies and practices. Thus, the more complex issues underlying privacy concerns and public skepticism towards surveillance-oriented security technologies may not be apparent to legal and technological experts.

In response to these developments, the SurPRISE project consulted with citizens from nine[1] EU member and associated states on the question of the security-privacy “trade-off” as they evaluate different security technologies and measures.

The section “Research Results” contains eight[2] national reports (Austria, Germany, Hungary, Italy, Norway, Spain, Switzerland and the United Kingdom), which are based on the findings of the large-scale citizen summits.

[1] Austria, Denmark, Germany, Hungary, Italy, Norway, Spain, Switzerland and United Kingdom

[2] In total there will be nine reports, but the Danish report is not yet finished.

Prof Julian Kinderlerer, President of the European Group on Ethics at the Joint conference of SurPRISE, PRISMS and PACT

Prof Julian Kinderlerer, President of the European Group on Ethics (EGE) will present Opinion No. 28 on Ethics of Security and Surveillance Technologies at the Joint conference of SurPRISE, PRISMS and PACT.

In May 2014 the European Group on Ethics in Science and New Technologies (EGE) delivered Opinion No. 28 on Ethics of Security and Surveillance Technologies to the President of the European Commission, José Manuel Barroso. The joint conference will be opened by a keynote presentation of this Opinion by the President of EGE, Prof Kinderlerer.

More information on EGE’s findings and recommendations can be found here.

Opinion no. 28 of the European Group on Ethics in Security and Surveillance Technologies

On the 20th of May 2014, the European Group on Ethics in Science and New Technologies (EGE) delivered its Opinion no. 28 on the Ethics of Security and Surveillance Technologies to the president of the European Commission, José Manuel Barroso. 


The press release, which provides more information on the EGE’s findings and recommendations, can be found here.


What to do in a Network Attack

Although a network breach can be destructive at any level, an individual does not have the required resources to recover from such attacks.

The attacker has to have the resources to engage in a high-intensity cyber-attack in order to succeed.

This author made a number of mistakes in applying this framework for analyzing corporate attacks. The overall purpose of the blog was to create a framework that would allow users to simplify the analysis of a target network breach. While the specific techniques used in this framework can be used to generate a summary of the attack’s scope, for now, the analysis should continue with the rest of the key elements.

Post-Cyber-Attack Checklist

While I would not characterize the employee training as totally ineffective, there is no doubt that the mindset of many employees and managers has changed in the current environment. The assumption is that if they don’t have data breaches, they aren’t a part of the problem. They have forgotten how to do this in the past. Even if an employee or member of a network was compromised in a data breach in the past, the hacker may have altered the contents of data so that an employee doesn’t even realize he has been compromised, and that’s why using network protection services like Fortinet can be essential to prevent this from happening again in the future.

There are many lessons to be learned from the research we performed. On a personal level, I spent several hours on my computer investigating data breaches I would normally find at the supermarket. While there are many small data breaches that don’t include a lot of personal data, there is a lot of evidence showing that most big data breaches do. These types of breaches have significantly increased as a result of traditional investment in network security, at the same time as the emergence of wireless networks and various forms of cloud computing and application services.

Management practices can only go so far if the organization is not prepared to manage multiple data breaches in rapid succession. I would not assume that the organizations behind this blog don’t have any preparedness tools to help them realize this. We know that much of the current thinking around risk management focuses on detection and mitigation; it is time we started thinking about proactive security and protection.


Some corporate networks that I have access to are protected by firewalls that are unable to perform any of the above-mentioned scans. A firewall cannot be expected to protect against every kind of attack. However, if an organization is seeing more than one data breach, a firewall can be an important part of the security infrastructure.

Are you currently using a firewall?

The Data Retention Directive was proclaimed “invalid” by the Court of Justice

The Data Retention Directive was initiated to unify the Member States’ provisions regarding the storage of specific data generated by providers of publicly available electronic communications services or of public communications networks, with the intention of preventing and detecting crime, among other purposes. The aforementioned providers are therefore allowed to keep traffic and location data, as well as data needed to identify the user, but not the content of the communication or of the information consulted.

Concerned that the directive contradicts fundamental rights under the Charter of Fundamental Rights of the EU, especially the right to respect for private life and the fundamental right to the protection of personal data, the High Court (Ireland) and the Verfassungsgerichtshof (Constitutional Court, Austria) have asked the Court of Justice to examine the validity of the directive.

After examining the directive with regard to these objections, the Court states that, “by requiring the retention of those data and by allowing the competent authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.” (Court of Justice of the European Union, Press Release No 54/14, Luxembourg, 8.4.14, Judgment in Joined Cases C-293/12 and C-594/12)


SurPRISE Citizen Summits are successfully completed

With the last two SurPRISE citizen summits held on the 29th of March 2014 in Germany and in the Italian-speaking part of Switzerland, the series of twelve citizen summits – conducted in nine European countries – has been completed very successfully.

On average, 200 citizens per country used these summits to discuss the relation between surveillance, security and privacy in small groups of six to eight persons, to express their individual opinions anonymously via electronic voting and to develop their recommendations jointly. At these summits a huge amount of quantitative data and qualitative information was generated. It will provide a deep insight into the assessment of surveillance-based security technologies by European citizens and allow us to better understand whether security and privacy are actually being seen as a trade-off relation. The recommendations formulated by citizens will be passed on to policy makers and to scientific and public debates and thus contribute to security measures more in line with public opinion and with human rights.

Apart from general considerations on surveillance, privacy and security, three concrete surveillance technologies were in the focus of the events: smart closed-circuit television (Smart CCTV), deep packet inspection (DPI) and smartphone location tracking. In each country the participants of the citizen summits discussed two of these technologies.

The results of the SurPRISE citizen summits are going to be presented in nine country reports, analyzing the gathered national data, and a comprehensive report focusing on the European perspective. They will be conveyed to policy makers and the public through publications, presentations and discussions at workshops and conferences.

The knowledge gained at the citizen summits will also be used to develop a method for smaller scale participatory involvement of citizens in decision making on security measures. The developed approach should provide opportunities to incorporate the citizens’ views in a faster and easier way.

The country reports as well as the synthesis report will be uploaded on the SurPRISE website in the Download section.


Berlin, September 16–18, 2014

The development of security research results from the complex endeavor of ensuring the security and liberty of society.
The 9th Future Security Conference provides comprehensive insights into current security research projects and establishes an essential international exchange platform for researchers as well as experts from industry and public authorities.



SurPRISE Citizen Summits

The SurPRISE citizen summits, which are held in nine European countries, are currently in progress. The consultations have already taken place in Denmark, Norway, Hungary, Spain, Italy and Austria and will be concluded in Switzerland, the UK and Germany by the end of March 2014.

The program is a combination of films on selected security technologies, deliberation in small groups and individual voting, with the results displayed to the plenum. The citizen summit combines qualitative and quantitative methods and provides data in order to understand differences according to nationality, social class, age and gender. It will provide important insights into what European citizens think of the trade-off between privacy and security.

The exact dates of the national summits can be found here. The map also provides links to specific information about the individual partner summits.