The EU Court of Justice is to decide how extensively the Commission must inform about a research project sensitive to fundamental rights. The decision is of great significance, because the successor to iBorderCtrl, which has long been terminated, is also problematic.
Last week, the European Court of Justice (ECJ) in Luxembourg heard a case on the disclosure of the EU security research projec iBorderCtrl. It was supposed to develop a system for quick and easy border control. Travellers are thereby screened for suspicious behaviour with a risk analysis. It is not known how the platform will implement this in concrete terms. That is why MEP Patrick Breyer, who sits in the Brussels Parliament for the Pirate Party, has sued the EU Commission for more transparency.
From 2023, the EU will put into operation a “Travel Information and Authorisation System” (ETIAS) in which entries must be declared before crossing the border. This affects all third-country nationals, even if they do not require a visa. iBorderCtrl is one of the projects that should develop or improve individual components of the ETIAS. This includes the fusion and analysis of as much traveller data as possible.
Querying travellers’ Twitter accounts
Part of the system is an avatar of a border police officer who conducts a virtual interview. A software then examines the facial expressions of the person in front of him or her and looks for conspicuous features. If, for example, the facial expression does not match the answer or the avatar notices nervousness, the person is marked for “manual” control by border personnel. Breyer and other civil rights activists therefore criticise iBorderCtrl as a “lie detector”. The EU border agency Frontex was also involved in such research on “deception detection” about ten years ago.
As is usual in the field of EU security research, the Commission gives some details about iBorderCtrl on its website. According to this, it covered the entire costs of 4.5 million Euros, and the project ended in August 2019. Further information can be found on the project website. However, all evaluations, including those on ethical and legal issues, are not public. This was the aim of Breyer’s lawsuit; the MEP hopes “for a landmark ruling” that would allow public scrutiny of European research funding.
The “lie detector” is not the only procedure in iBorderCtrl worthy of criticism. The project, which has been funded under the Horizon 2020 research framework programme, has also investigated the processing of facial images. There is still no legal basis for this at EU level, as the researchers themselves point out. The same applies to a search on the internet, for example by obtaining additional data on travellers via their Twitter account. The information is also screened against relevant EU databases, including the Schengen Information System, the Visa Database or the Fingerprint Database for Asylum Seekers.
New project against entry of “economic migrants”
Under the name “robusT Risk basEd Screening and alert System for PASSengers and luggage” (TRESSPASS), the EU Commission is funding a follow-up project to iBorderCtrl, which also follows a “risk-based” approach for border control and customs authorities. Through targeted profiling of all travellers or passengers, the EU wants to use it to detect and prosecute “smuggling, irregular immigration, cross-border crime and terrorism”.
In contrast to iBorderCtrl, the EU has almost doubled its funding for TRESSPASS to around eight million Euros. The project is dominated by authorities and companies from Greece, the Netherlands and Poland, the project’s prototypes are being tested in these countries.
TRESSPASS is developing three different platforms for control at land, air and sea borders. These are basically similar, but target different “threats” at the border crossings. While at the air and sea ports, for example, the focus is more on entry with false papers, the illegal smuggling of cigarettes or of “economic migrants” is assumed at the land border. In this scenario, persons are hidden in a large commercial vehicle.
Video surveillance for “real-time behavioural analysis”
Like iBorderCtrl, TRESSPASS first compiles the information on planned entry already supplied via ETIAS. In addition to matching with EU databases, a query is then made of open sources on the internet, described in the project description as “social media etc.”. Information from the “dark web” can also be processed. This is to determine in advance whether a traveller “poses a threat to the internal security of the EU”.
If the persons then arrive at the border crossing, they are observed by a “real-time behavioural analysis” in the airport. Other cameras are used to read travel documents, while suitcases are tracked by RFID chips in the terminal. Both travellers and their luggage can be screened with RFID scanners, and this information also flows into TRESSPASS.
“Frequent travellers” can identify themselves as trustworthy in TRESSPASS with an app by depositing a set of personal data in advance. Such a “Registered Traveller Programme” was originally planned by the EU before it adopted the “Entry/Exit System” (EES), which, like ETIAS, is also scheduled to go into operation in 2023. In principle, all travellers from third countries are to submit their facial images and four fingerprints in it. These will be stored in a new database in which all biometric data from other information systems will be merged.
Pilot project for a maritime PNR System
In terms of the databases used for risk analysis of travellers, TRESSPASS thus goes well beyond iBorderCtrl. In addition to all biometrics-based data collections, the EU Passenger Name Record (PNR) system will also be queried. According to the EU directive on the use of PNR data, travel service providers and travel agencies must transmit all passenger data collected during the booking process first to the border authorities of the destination country at the time of booking and a second time at boarding. There they are analysed for possible “threats” and then stored for five years.
Up to now, the passenger data system has only existed for air travel; in TRESSPASS, the expansion to a “maritime PNR” is now anticipated. A first run is to take place in the summer at the ferry port of Piraeus in Greece. The land component of the project will be tested beforehand at the Polish-Ukrainian border crossing at Dorohusk. Tests of the airport pilot project were scheduled for late last year in Amsterdam.
On the project website, TRESSPASS raises the question of whether “lie detectors” are also being researched. In principle, yes, is the answer, according to which “when a distrusted traveler is interrogated, technology may be useful to help specifically trained border guards to more quickly and accurately assess the sincerity of the traveler and his statements.”. The researchers are aware of the risks of this fundamental rights-sensitive penetration of personal data. However, they are convinced that they can still benefit “from this technology”.
TRESSPASS ends on 30 November 2021, and presumably not all findings and reports of this EU project will be publicly available. But perhaps they will be, if the pirate Patrick Breyer is successful with his lawsuit before the ECJ. The judges will decide on this by this summer.