Everyone’s been through it: the wait after a long flight, the shuffle forward, and the brief delay while the border guard runs your passport through a scanner. Hopefully, you simply go on your way to your destination. But you leave behind a trail of data that began when you booked your ticket and created what’s known as a Passenger Name Record (PNR), continued when you checked in, passed security, and boarded the plane, and culminates on arrival at the border.
What happens to PNR data has been widely discussed publicly in the wake of the EU’s controversial decision to share that data with US authorities. What is much less well known is what happens to border data and how it is protected. The national border agencies – as well as Warsaw-based Frontex, the EU-wide border agency set up in 2005 – tend not to discuss it, though no data breaches stemming from border agencies have come to light.
“Most countries regard this kind of information around border security, watch lists, visas, etc., as some of the more sensitive data that we deal with”, says Alex Bazin, head of biometrics for Fujitsu, which works for the UK Border Agency, among others. Both he and Peter Graham, an associate partner and border security expert for IBM, could not go into detail on any specific contract; their comments should not be taken as applying to any particular country.
Protecting National Security
Border data is sensitive both because people correctly view their travel data as exceptionally personal and because nations perceive this information as vital in protecting national security – not just for controlling immigration, but also for counter-terrorism and the fight against organized crime, and preventing money laundering, smuggling, and tax evasion.
A data breach, says Graham, might jeopardize all of that. “A lot of the work in this field, as in many law enforcement fields, is making the right links between people and things. Anybody who can access the system and disrupt those links can make that harder.” A lot of IBM’s focus in recent years is on predictive analytics: “Asking what questions we should be asking instead of always assuming we know the right questions to ask”, Graham reveals.
The UK stands out from the rest of the EU in several ways. For one thing, it hasn’t joined the Schengen agreement, which turns 25 European countries into a single travel area. For another, like other Anglo-Saxon countries, the UK’s border agency is separate from the police; in most Schengen countries the border is managed and staffed by police officers.
| "A lot of the work in this field, as in many law enforcement fields, is making the right links between people and things" |
| Peter Graham, IBM |
In common with other countries, however, the UK takes escalating amounts of information from four categories of arriving passengers: UK citizens, EU citizens, non-visa foreign nationals and visa foreign nationals.
“If you’re a national, very little information is captured”, says Graham. This includes whatever is scanned in from the machine-readable zone in your passport, plus the date, time, and port of arrival. Captured data from foreign nationals might also include their conditions of entry. “It varies from country to country what is stored and how much use is made of it”, he continues. The most comprehensive information is kept on visa foreign nationals, who are fingerprinted to verify that the arriving passenger is the same person who was granted the visa.
An additional factor, says Fujitsu’s Bazin, is a push toward giving mobile devices to officers working in overseas airports – as well as in-country enforcement officers – for access to the collected information. Before now, access has been limited to specific locations and roles. Mobile systems will require particular care, Bazin advises: “The actual amount of information you could get from the back-end system would be very limited due to the nature of the environment you’re operating in”, he says. A device that might be stolen or compromised will have more restricted access than one in a secure, private location, for example.
Legislation
The UK Border Agency, which expects its new Records Management System to go live in 2012 to strengthen the physical control of its paper records, says that its obligations are specified by a number of pieces of legislation, including the Data Protection Act, the Public Records Act, the Freedom of Information Act, and the Human Rights Act. Over the next five to ten years, it expects to gradually eliminate its paper-based systems. The agency says it also complies with the cross-government information assurance guidelines issued by the Cabinet Office after the HMRC disks incident.
A similar situation holds in other countries to provide the general framework under which the data is kept and shared. Data security standards, however, Graham says, vary from country to country depending on each nation’s laws and policies.
| "Most countries regard this kind of information around border security, watch lists, visas, etc, as some of the more sensitive data that we deal with" |
| Alex Bazin, Fujitsu |
“Some are partly linked to the level of the security classification of the data they already hold that it’s being matched against”, he says. “In other countries, one of the things we see is different people being allowed to see different parts of the data using role-based access.” A customs officer, for example, might only be able to see customs-related data, while a counter-terrorism officer would be allowed wider access.
Peter Forrest, the chief executive of DPM Systems (Barbados), which supplies systems such as passport information capture and validation to small countries, says the systems he’s familiar with are tied down with several levels of authentication. He says access is secured by location as well as role, and there is a full audit trail.
“The level of ensuring that the database is not being used incorrectly is very high”, he notes. “I can’t ever say it hasn’t been done, but the audit logs show us we’re managing very well.”
Joining Forces
Over time, the trend is increasingly to share data across border agencies (see sidebar) and also with law enforcement. Interpol maintains a database of lost and stolen passports accessible via fixed (FIND) or mobile (MIND) networks; any government can use the service to check the validity of passports proffered at the border.
“There’s no way they can access the data”, explains Forrest. “They just send the request and it comes back yes or no.”
Graham says IBM’s systems first air-gap the data from the internet. In some cases the data is encrypted; in others, it’s pseudonymized by storing the data in such a way that someone leaking a copy of it wouldn’t be able to make use of it without the code, stored separately. “We try to build security into everything we’re doing in this particular area”, he says. “It tends not to be an extra package but part and parcel of what we’re doing when we build the system.”
| "The place in the world where you have the least amount of powers is the border of another country. You have more rights in prison" |
| Gus Hosein, Privacy International |
Increasingly, the goal will be, as Bazin puts it, to “export the border. The first decision point shouldn’t be the guy walking up in Dulles. It should be before he gets on the plane, or before he’s even able to book the ticket.” The information being gathered, he says, “allows people to make decisions at a much more appropriate time and avoid all the additional cost and hassle of dealing with someone you don’t want in your country once he’s arrived at the border.” Instead, he argues, identify them at an early stage and then share that data with trusted partners.
It’s this scenario that concerns Gus Hosein, a visiting fellow at the London School of Economics and policy director for Privacy International. “These decisions are being made away from public scrutiny”, he says, warning that as every country puts these systems in place, “you will inevitably be caught [somewhere] as a third-country national. There is no accountability for this. The place in the world where you have the least amount of powers is the border of another country. You have more rights in prison.”
Bazin, however, is more optimistic. “When we speak to immigration departments and border departments, we try to make sure we do design some flexibility and intelligence into these systems. As they become more joined up and immigration officers get access to more and more historical information, in some ways their jobs become more about intelligent decision-making.”
As Fujitsu’s Alex Bazin explains, data sharing between EU nations is growing in three areas. However, he notes that countries typically impose quite strict controls: they’re more likely to do their own searches and grant access to only the information relating to a match than to allow fishing expeditions. The first is EURODAC, a central repository of the fingerprints of all EU asylum seekers, intended to reduce multiple applications and to ensure that unsuccessful claimants are identified if they return for a second attempt. The second, VIS, the Visa Information System, was established in 2004 and began rolling out at the end of 2009. The system is intended to reach all Schengen countries within three years. It aims to ensure that visa applications that have been denied by one Schengen country are known to another when the same applicant presents at the border. “It will allow countries to be able to properly manage a common visa system across member states”, Bazin explains. The third is the registered traveler and border automation schemes which, like US-VISIT, Privium in the Netherlands, and IRIS in the UK, have typically been designed for a single nation. These all speed registered travelers on their way by passing them through automated border controls. These are beginning to join up so that members of the Dutch system can use the German system and vice-versa. “It makes sense in terms of adding value to a scheme that people pay for”, says Bazin, though he is unsure whether this type of sharing will go beyond a few specific arrangements. |