As Director of the University of Leeds’ contribution to the ‘Challenge’ research programme on balancing security and liberty (funded by the EU’s Sixth Framework programme and involving over 20 universities across Europe), I am responsible for leading work on biometrics, ICTs for cross-border information exchange in the EU and the issues of transparency and accountability that they occasion. I gave oral evidence on inter-operability and the principle of availability to the European Parliament’s Civil Liberties Committee at the Public Hearing on the Future of Europol in April 2007.
Five observations arising from our research are:
there is little point in adopting a territorial approach to problems arising from technologies that do not recognise such borders. In digi-space, there are no effective territorial controls or accountability mechanisms commensurate with the challenge of ensuring that ICT uses for automated information exchanges within states and among states are (a) subject to appropriate, sufficient or robust accountability and transparency requirements; (b) amenable to sufficient levels of scrutiny and control by either the national parliaments or the European Parliament.
the Reform Treaty would improve the situation of accountability and transparency in the area of pillar III (freedom, security and justice) but the application of ICTs for information exchange across borders cuts across all three pillars, including foreign affairs.
at present the accountability and transparency checks afforded by parliaments need to be boosted. National parliaments should work with the European Parliament to enhance the latter’s capacity to effect sufficient open accountability in order to ensure that liberty is maintained as ICTs designed to enhance the capabilities of law enforcement and related agencies are deployed with the aim of bolstering security.
It is accepted that transparency and complete openness are unrealistic and operationally not feasible. However, our research confirms many of the observations and cautions issued by the European Data Supervisor’s Office.
Questions of automated data transfer raise serious issues about the technology itself, data management, and the impact of ICTs on the way we are governed.
There is a need for a joined up approach to the use of automated information exchange at all levels, whether local, regional, national or European-wide.
There is an astonishing naivete and complacency evident in disingenuous claims-making by the purveyors and developers of the technological applications (commonly dubbed eGovernment) and the politicians trying to commend them to the public.
The greatest threat to liberty and security in applying these ICTs comes not from executives lacking information or having malevolent, Big Brother intentions. Rather it is inherent in the weakness of the ICTs themselves. They are not secure from malevolent insider or outsider incursion; nor are the claims made regarding their robustness against fraud plausible. The ICTs are unacceptably vulnerable to hostile incursions.
This means that before any system is deployed, whether to exchange health service data, tax, insurance, motor vehicle license information, DNA information, school records, bank details, council tax data, passports or ID card information in either the private or public sectors, the ICT systems must start from the premise of BAKING IN SECURITY as the primary goal. Inter-operability parameters should follow the development of virtually impenetrable security architectures. At present, this is not the case.
The proliferation of fuzzy public-private cooperation and arrangements also means that audit trails and management codes on data handling, access, verification, authentication, storage and transmission open the door to greater insecurity as well as inadequate controls to ensure the accountability at a public political level for what happens to data that citizens provide.
Out-sourcing of data to third parties (for example to private companies – whose ownership and seat may be outside the UK or outside the EU) means that the principle of purpose limitation, data minimisation and controls over the subsequent use made of data is hard to police, and far harder still to control and make accountable. The Passenger Name Record row (where the European Court of Justice ruled, at least in part, in favour of the European Parliament) illustrates this.
Data supplied for one purpose by citizens can be used or viewed in such a way as to generate new data (or data files). Who owns the new data? Who accesses it and for what purpose?
In the EU, for example, the inclusion of biometric data has a specific purpose: to use the biometric (e.g. an iris scan or fingerprint(s)) as a measure to corroborate the identity that someone presenting a specific document claims: it is a means of verifying and authenticating an individual. In the USA, by contrast, biometrics means something more and are part of profiling. The implications for data exchanges, whether mediated by humans or automated, are legion and require serious and urgent appraisal.
Data mining and data linkage pose threats to individual citizens who are not in a position to know that this occurs, when it does, why and for what purpose. Codes that allow citizens to correct false data entries are desirable but inaccessible to many, and exceptionally discriminatory for the socially excluded and handicapped, for example. Electronic document rights management remains problematic.
The individual data-subject is not in control of the release of his data. Biometric reverse encryption may help but at present obsolete technologies are being deployed with little appreciation of the implications for accountable, transparent government and the liberties we take for granted.
Partial outsourcing of data, and variable laws and entitlements as to which agencies can access which data under whose jurisdiction on an automated or case-by-case basis, highlight the extent of muddle. In the EU, the proliferation of arrangements (Prum Treaty, Schengen II, VIS, Eurodac, SIRENE, Frontex etc.) means that the much vaunted goals of the Single European Market (a level playing field with equal citizens) are susceptible to being undermined.
UK ‘opt-ins’ do not disguise the fact of differential access rights, different exchange agreements (as on DNA data exchange, as profiled during the Austrian and German Presidencies) and the fact that defining liability, responsibility and trust in those accountable for cross-border data exchange remain in their infancy. It is no wonder that Prumification of pillar III is highly likely. It is equally likely that as the common consular space evolves, different offices will adopt different practices [1]. Where is leadership? Where is accountability?
Is Rome burning?
While it may be relatively easy to convince publics (at least for the time being) that ease-of-use and the convenience of accessing services any time anywhere outweighs the possibility of data and identity theft, this cannot be taken for granted. MPs and MEPs must be the custodians and guardians of liberty, accountability, responsibility, trust and security. They are the ultimate interlocutors between the executive and governments but rarely seen in the spaces of eGovernment and automated information exchange for purposes associated with the implementation of policies and access to public services.
National parliaments are not in a good position to exchange information among themselves or with the European Parliament even in respect of critical issues like inter-operability and the application of the Hague programme principle of availability.
It is not surprising that many appear therefore not to be concerned about the issues of political accountability, transparent governance and responsibility in digi-space. Such a parlous situation must be urgently addressed, and not simply by Data Protection agencies whose powers must be increased.
Exaggerated and false expectations?
There is little doubt that political controls are inadequate, obsolete and in need of urgent overhaul. It is also clear that there are exaggerated claims that inter-operable systems now mean that Big Brother is here now in a pan-opticon surveillance society. Tracking subjects using ambient intelligence, RFID chipping and payment by biometric verification and authentication for domestic commercial transactions and retail grows without an overall legislative framework to regulate data mining, aggregation, storage etc.
The reality is one of EU states having incompatible systems, obsolete technologies, inadequate financial and human resources and differing codes designed to implement existing national laws and EU legislation.
The inter-operability of central databases remains questionable: it is not as extensive as claimed. However, it would be foolhardy to assume that distributed information repositories cannot be linked and function in ways akin to a central database from a technical perspective.
The politico-legal problems raised by this mean that if information stays where it is, data base content remains the political responsibility of member states (even if out-sourced possibly) but the technical responsibility of the ICT provider.
‘Sharing information’ may be politically required but technically hampered by obsolete systems, flawed by differential architectures, easily breached by one system but not by another. Defining access rights and granting access also creates misunderstandings arising from a lack of comparability in terminology (what is a document?) as well as in roles. This is more than a matter of intellectual property.
In short, the technology cannot yet deliver sufficiently the kind of inter-operability that would be useful to law enforcement services. Their imprecision over what constitutes ‘information’ as opposed to ‘intelligence’ also raises the spectre of function creep and practices incompatible with data privacy and human rights.
Parliaments must ensure that automated information exchange and sharing is amenable to parliamentary accountability, sufficient controls and fit for the purpose of sustaining security and liberty. The Reform Treaty offers an opportunity to insert parliaments more effectively not just into territorial EU policymaking but also into the digi-spaces opened by the roll-out of ICTs for information sharing.
Juliet Lodge
Professor of EU politics and integration
Director CHALLENGE programme
Jean Monnet European Centre of Excellence
Institute of Communication Studies
University of Leeds
Leeds LS2 9JT
j.e.lodge@leeds.ac.uk
July 2007
[1] Leeds University is currently working on this in conjunction with consular offices under a f6p called r4eGovernment.