“The EU’s own top court has ruled on multiple occasions that the USA does not offer adequate privacy protections for non-citizens, yet the Commission and the member states are planning to open up their biometric databases to the [DHS].”
This post is based largely on the findings of a report that was released in late April by the British civil rights organization Statewatch. That was some time ago, but given the pertinence of the topic to citizens on both sides of the North Atlantic as well as the paucity of coverage in both the mainstream and alternative media, I thought it merited a belated post.
An Offer Most Governments Probably Won’t Refuse
First some background. As readers may recall, the Biden administration last year quietly made an offer to roughly 40 governments in Europe, the Anglosphere and beyond that they will probably be unable to refuse. That offer was to grant them access to vast reams of sensitive data on US citizens held by the Department of Homeland Security. From my July 26, 2022 post, Unbeknown to Most US Citizens, Washington is Preparing to Share Their Biometric Data With Dozens of Other National Governments:
[The data repositories] include the IDENT/HART database, which… Statewatch describes as “the largest U.S. Government biometric database and the second largest biometric database in the world, containing over 270 million identities from over 40 U.S. agencies.”
Biometric identifiers include fingerprints, facial features and other physiological characteristics that can be used for automated identification. In some cases, these identifiers have been harvested by the US government without the consent of the citizens in question.
Granted, biometric technologies are already being used in diverse settings, from banks (a topic Yves recently broached in Banks Try to Make Security Customer-Friendly. Not a Good Mix) and other financial institutions to schools and workplaces. Passports around the world have included biometric features for many years, as have other forms of ID. Many people choose to sign in to their mobile phones and tablets using their biometric data.
Nonetheless, DHS’ data-sharing proposal is worrying for a host of reasons. For a start, the wholesale collection and sharing of biometric data is problematic because the data is irreplaceable. Once it is compromised, there is no way of undoing the damage. You cannot change or cancel your iris, fingerprint or DNA, like you can change a password or cancel a credit card. It is also prone to biases as well as failure, whether due to the fading of fingerprints or cataracts affecting iris scans. What’s more, the systems upon which the data are stored are far from impregnable.
“The idea of a data breach is not a question of if, it’s a question of when,” says Professor Sandra Wachter, a data ethics expert at the Oxford Internet Institute. “Welcome to the Internet: everything is hackable.”
And so it has proven. In 2020, hackers supposedly working for the Russian government gained access to internal communications within DHS. As Jerri-Lynn Scofield reported for NC in 2017, the world’s largest biometric ID database, India’s Aadhaar system, has been repeatedly hacked. Documents published by Wikileaks suggest that the CIA used tech provider Cross Match Technologies to discreetly extract Aadhaar data. As Wikileaks noted on its website, the CIA already has a branch, known as the Office of Technical Services (OTS), that is devoted to collecting and sharing biometric data with liaison services around the world, “[b]ut this ‘voluntary sharing’ obviously does not work or is considered insufficient by the CIA.”
Now, the US wants to formalize its collection of biometric data beyond US borders. Its data-sharing arrangement is being offered to all 40 countries selected for the US government’s Visa Waiver Program (VWP). That means their citizens can travel to the U.S. for up to 90 days without a visa. They include most of the EU’s 27 Member States, three of the US’ four fellow members of the Five Eye Alliance (United Kingdom, New Zealand and Australia), Japan, Israel and South Korea.
The first countries to be approached were reportedly the EU, the UK and Israel (though Israel is not actually a VWP member). Of course, the US government is not doing this out of selfless altruism. On the contrary, it expects the governments of the VWP member countries to make their own citizens’ biometric data available to the US Department of Homeland Security as part of what the US calls “Enhanced Border Security Partnerships (EBSPs).” Back to my last piece:
“…DHS may submit biometrics to IBIS partner countries to search against their biometric identity management systems in order for partner countries to provide DHS with sharable biographic, derogatory, and encounter information when a U.S. search matches their biometric records. This high-volume matching and data exchange is accomplished within minutes and is fully automated; match confirmation and supporting data is exchanged with no officer intervention.”
The emphasis in the last sentence was added by Statewatch, for good reason. In the fully digitised world that is fast taking shape around us, many of the decisions or actions taken by local, regional or national authorities that affect us will be fully automated; no human intervention will be needed. That means that trying to get those decisions or actions reversed or overturned is likely to be a Kafkaesque nightmare.
Participation in the EBSPs will be mandatory for VWP member states if they want their citizens to continue to benefit from visa-free travel to the US. Any country that refuses will probably find their eligibility for the Visa Waiver Program withdrawn. A Department of Homeland Security (DHS) document published by Statewatch last year showed that the EBSPs will require “direct connections between the biometric databases of participating states and the USA’s IDENT/HART system.”
“Continuous and Systematic” Transfers of Data
Statewatch recently came out with a second report detailing the latest developments in this quietly evolving story. It features excerpts from a Council of the EU document obtained by Statewatch. They include an admission from the Council that the EBSPs will involve “continuous and systematic” transfers of biometric data to the USA for the sake of immigration and asylum vetting. The Commission and the Biden administration set up a “dedicated Working Group” last September to hash out the EBSP requirements.
Ominously, the document notes that “the Commission has recently opted for a pragmatic approach, that is to disassociate information exchange from issues linked to visa policy,” when EU member states engage with the U.S. on “bilateral negotiations.”
In other words, the Commission will look the other way if EU member states decide to begin sharing their citizens’ biometric data with the DHS. It has even told member states that they can negotiate an EBSP bilaterally with the USA as long as those discussions cover “information exchange only, and not the EU’s common policy on visa.” At the same time, it notes that “considering the continuous and systematic transfers envisaged by the U.S.,” negotiations should be based on “an international agreement or administrative arrangement ensuring sufficient data protection safeguards.”
Of course, the Commission knows better than anyone that the US does not have sufficiently strong data protection safeguards in place. The Court of Justice of the European Union (CJEU) has twice ruled against the Commission’s proposed data sharing arrangements with the US for failing to comply with the EU’s General Data Protection Regulation (GDPR). Although GDPR may be flawed, it is, as Cory Doctorow commented on this site just over a year ago, “the most comprehensive (and, sadly, underenforced) data-protection law on Earth.” While the US may have made some concessions on data protection in recent years, it still has a long way to go…
Read the full article on Naked Capitalism