“The EU’s own top court has ruled on multiple occasions that the USA does not offer adequate privacy protections for non-citizens, yet the Commission and the member states are planning to open up their biometric databases to the [DHS].”
This post is based largely on the findings of a report that was released in late April by the British civil rights organization Statewatch. That was some time ago, but given the pertinence of the topic to citizens on both sides of the North Atlantic as well as the paucity of coverage in both the mainstream and alternative media, I thought it merited a belated post.
An Offer Most Governments Probably Won’t Refuse
First some background. As readers may recall, the Biden administration last year quietly made an offer to roughly 40 governments in Europe, the Anglosphere and beyond that they will probably be unable to refuse. That offer was to grant them access to vast reams of sensitive data on US citizens held by the Department of Homeland Security. From my July 26, 2022 post, Unbeknown to Most US Citizens, Washington is Preparing to Share Their Biometric Data With Dozens of Other National Governments:
[The data repositories] include the IDENT/HART database, which… Statewatch describes as “the largest U.S. Government biometric database and the second largest biometric database in the world, containing over 270 million identities from over 40 U.S. agencies.”
Biometric identifiers include fingerprints, facial features and other physiological characteristics that can be used for automated identification. In some cases, these identifiers have been harvested by the US government without the consent of the citizens in question.
Granted, biometric technologies are already being used in diverse settings from banks (a topic Yves recently broached in Banks Try to Make Security Customer-Friendly. Not a Good Mix) and other financial institutions to schools and workplaces. Passports around the world have included biometric features for many years, as have other forms of ID. Many people choose to sign in to their mobile phones and tablets using their biometric data.
Nonetheless, DHS’ data-sharing proposal is worrying for a host of reasons. For a start, the wholesale collection and sharing of biometric data is problematic because the data is irreplaceable. Once it is compromised, there is no way of undoing the damage. You cannot change or cancel your iris, fingerprint or DNA, like you can change a password or cancel a credit card. It is also prone to biases as well as failure, whether due to the fading of fingerprints or cataracts affecting iris scans.
It also poses “extreme privacy risks” due to the government’s ability to use it for surveillance, warns the Electronic Frontier Foundation. And that is exactly how the DHS wants to use it. Combining multimodal biometric databases with geolocation tracking technologies opens up the very real possibility of “constant surveillance.” What’s more, the systems upon which the data are stored are far from impregnable.
“The idea of a data breach is not a question of if, it’s a question of when,” says Professor Sandra Wachter, a data ethics expert at the Oxford Internet Institute. “Welcome to the Internet: everything is hackable.”
And so it has proven. In 2020, hackers supposedly working for the Russian government gained access to internal communications within DHS. As Jerri-Lynn Scofield reported for NC in 2017, the world’s largest biometric ID database, India’s Aadhaar system, has been repeatedly hacked. Documents published by Wikileaks suggest that the CIA used tech provider Cross Match Technologies to discreetly extract Aadhaar data. As Wikileaks noted on its website, the CIA already has a branch, known as the Office of Technical Services (OTS), that is devoted to collecting and sharing biometric data with liaison services around the world, “[b]ut this ‘voluntary sharing’ obviously does not work or is considered insufficient by the CIA.”
Now, the US wants to formalize its collection of biometric data beyond US borders. Its data-sharing arrangement is being offered to all 40 countries selected for the US government’s Visa Waiver Program (VWP). That means their citizens can travel to the U.S. for up to 90 days without a visa. They include most of the EU’s 27 Member States, three of the US’ four fellow members of the Five Eyes Alliance (United Kingdom, New Zealand and Australia), Japan, Israel and South Korea.
The first countries to be approached were reportedly the EU, the UK and Israel (though Israel is not actually a VWP member). Of course, the US government is not doing this out of selfless altruism. On the contrary, it expects the governments of the VWP member countries to make their own citizens’ biometric data available to the US Department of Homeland Security as part of what the US calls “Enhanced Border Security Partnerships (EBSPs).” Back to my last piece:
“…DHS may submit biometrics to IBIS partner countries to search against their biometric identity management systems in order for partner countries to provide DHS with sharable biographic, derogatory, and encounter information when a U.S. search matches their biometric records. This high-volume matching and data exchange is accomplished within minutes and is fully automated; match confirmation and supporting data is exchanged with no officer intervention.”
The emphasis in the last sentence was added by Statewatch, for good reason. In the fully digitised world that is fast taking shape around us, many of the decisions or actions taken by local, regional or national authorities that affect us will be fully automated; no human intervention will be needed. That means that trying to get those decisions or actions reversed or overturned is likely to be a Kafkaesque nightmare.
Participation in the EBSPs will be mandatory for VWP member states if they want their citizens to continue to benefit from visa-free travel to the US. Any country that refuses will probably find their eligibility for the Visa Waiver Program withdrawn. A Department of Homeland Security (DHS) document published by Statewatch last year showed that the EBSPs will require “direct connections between the biometric databases of participating states and the USA’s IDENT/HART system.”
“Continuous and Systematic” Transfers of Data
Statewatch recently came out with a second report detailing the latest developments in this quietly evolving story. It features excerpts from a Council of the EU document obtained by Statewatch. They include an admission from the Council that the EBSPs will involve “continuous and systematic” transfers of biometric data to the USA for the sake of immigration and asylum vetting. The Commission and the Biden administration set up a “dedicated Working Group” last September to hash out the EBSP requirements.
Ominously, the document notes that “the Commission has recently opted for a pragmatic approach, that is to disassociate information exchange from issues linked to visa policy,” when EU member states engage with the U.S. on “bilateral negotiations.”
In other words, the Commission will look the other way if EU member states decide to begin sharing their citizens’ biometric data with the DHS. It has even told member states that they can negotiate an EBSP bilaterally with the USA as long as those discussions cover “information exchange only, and not the EU’s common policy on visa.” At the same time, it notes that “considering the continuous and systematic transfers envisaged by the U.S.,” negotiations should be based on “an international agreement or administrative arrangement ensuring sufficient data protection safeguards.”
Of course, the Commission knows better than anyone that the US does not have sufficiently strong data protection safeguards in place. The Court of Justice of the European Union (CJEU) has twice ruled against the Commission’s proposed data sharing arrangements with the US for failing to comply with the EU’s General Data Protection Regulation (GDPR). Although GDPR may be flawed, it is, as Cory Doctorow commented on this site just over a year ago, “the most comprehensive (and, sadly, underenforced) data-protection law on Earth.” While the US may have made some concessions on data protection in recent years, it still has a long way to go.
Just last week, the European Parliament called on the European Commission to reject the latest proposed EU-US Data Privacy Framework in a non-binding resolution. The Commission believes that US law now offers an “adequate” level of protection for the personal data of EU users of US companies’ services but the Parliament’s Committee on Civil Liberties, Justice and Home Affairs begs to differ, arguing that the proposed data privacy framework doesn’t fully comply with GDPR, particularly in light of the US’s ongoing predilection for the large-scale, warrantless collection of user data for national security purposes.
Yet the EU’s executive branch appears to be willing to set aside those concerns in order to participate in the US’ proposed biometric data sharing system. In fact, according to the document published by Statewatch, the Commission is “already working on a Proof of Concept that would assess the added value of this sharing of information.” This comes after a meeting of EU and USA senior justice and home affairs officials in March at which they discussed the possibility of “hav[ing] a first set of data transferred” as part of the “proof of concept.”
In other words, the biometric data of US and EU citizens would be shared without any kind of official agreement or arrangement in place, and despite the opposition of the European Parliament to the Commission’s latest attempt to establish a lasting framework for EU-U.S. data transfers. As the parliamentary committee noted, “unlike all other third countries that have received an adequacy decision under the GDPR, the US still does not have a federal data protection law.”
“Galling” But Not Surprising
For Statewatch’s Director Chris Jones, the most enraging aspect of the whole business is the secrecy of the negotiations:
“The EU’s own top court has ruled on multiple occasions that the USA does not offer adequate privacy protections for non-citizens, yet the Commission and the member states are planning to open up their biometric databases to the Department of Homeland Security and, by extension, who knows how many other US agencies? The fact that discussions on the plan are taking place in secret makes it all the more galling, albeit entirely unsurprising.”
No less galling in my view is the blatant duplicity of EU policymakers. One of the arguments most frequently deployed by the EU (and governments of other ostensibly democratic nations) for setting up digital identity systems, which are likely to include a biometric component, is that they will grant citizens greater control over the use of their personal data on the Internet. It will be the citizens, they say, who will ultimately decide who has access to their data.
A case in point is the following statement from EU Commission President Ursula von der Leyen on the empowering potential of the EU’s Digital Identity Wallet:
Every time an App or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality. That is why the Commission will propose a secure European e-identity. One that we trust and that any citizen can use anywhere in Europe to do anything from paying your taxes to renting a bicycle. A technology where we can control ourselves what data is used and how.
That is, of course, unless the data in question is being shared, in a “pragmatic” way, with the US Department of Homeland Security, which in turn will share the data with a whole host of other US government agencies.
It is also worth recalling that the EU itself is in the process of building one of the largest facial recognition systems on planet Earth, ostensibly as part of wider plans to “modernize” policing across the 27-member bloc. It is also seeking to merge biometric data from different databases into a “Common Identity Repository,” which will be used by security forces to compare fingerprints and facial images at EU borders.
This has all been in the works for some time. As a 2020 exposé by The Intercept revealed, the national police forces of 10 EU member states, led by Austria, were calling for the introduction of EU legislation to introduce and interconnect all Member States’ biometric databases as early as November 2019. As the article noted, “If previous data-sharing arrangements are a guide, the new facial recognition network will likely be connected to similar databases in the U.S., creating what privacy researchers are calling a massive transatlantic consolidation of biometric data.”
Those transatlantic structures are now being put in place. This is happening at the same time that both the EU and the US are scrambling to set up their own respective digital ID and government systems. Those systems are a prerequisite for the establishment of central bank digital currencies, which are being broadly treated as a fait accompli in policy circles on both sides of the Atlantic. In 2021, the FT noted “it will be nigh on impossible to issue [retail CBDCs] outside of a comprehensive national digital ID management system.”
By next year all EU member states will have to make a Digital Identity Wallet available to every citizen who wants one, providing (in the words of the European Commission) “a powerful enabler of digital operations that require cross-border identity recognition”. On the other side of the Atlantic, unbeknown to most US citizens, the US Senate Homeland Security and Governmental Affairs Committee recently passed the Improving Digital Identity Act by 11 votes to one. The legislation now awaits debate at the full Senate. This is all happening, of course, in the almost complete absence of public consultation, awareness or debate.