EU is Spending More Than a Billion Dollars Expanding Biometric Honeypots, Despite Risks to Privacy and Freedom

Posted on Sep 27, 2021 by Glyn Moody

Privacy News Online has just reported on a major privacy disaster in Afghanistan, where biometric and other highly personal data is now in the hands of the Taliban. That makes clear, in a dramatic fashion, the folly of creating huge databases of unique and unchangeable personal data. Of course, it could be argued that the situation in Afghanistan is unique – it’s not every day that key government databases fall into the hands of people who might use them for summary executions. But sadly, the idea of gathering as much information as possible about huge numbers of people, and holding them in a few large databases – as happened in Afghanistan – is still high on the list of many governments. For example, an article in Wired Italia details how the European Union plans to spend over a billion dollars doing just that (translation via DeepL):

In April 2020, Eu-Lisa awarded a EUR 302.55 million contract to develop the biometrics part of the Entry Exit System (EES), the automatic identity check programme for non-EU persons crossing EU borders, and the future Shared Biometric Matching System (SBMS). In other words, ‘one of the largest biometric systems in the world’, as it was triumphantly described in the note with which Idemia and Sopra Steria, French giants of digital identity and security infrastructures, announced that they had been awarded the contract.

The shared biometrics system SBMS will, according to the companies, integrate the data of “more than 400 million third-country nationals with their fingerprints and faces”. In addition to serving the EES system, the biometric archive will connect, according to EU-Lisa’s plans, SIS, the information system that links the authorities of the Schengen area [EU’s core] countries; Vis (for visas); Eurodac (which contains the fingerprints of asylum seekers) and the future Ecris-Tcn, for the exchange of information on suspects, wanted or convicted persons with non-EU countries. A boundless archive of personal and biometric data under the control of the Estonian agency, which started the first tests in July.

That’s just one contract: Wired Italia goes on to describe two more. In total, they add up to over 900 million euros – a billion dollars – being spent on the creation of huge databases holding comprehensive sets of personal data. The “Lisa” in EU-Lisa, the agency in charge of this project, stands for “Large-Scale IT Systems in the Area of Freedom, Security and Justice“. However, not everyone thinks that the new system will do much to promote any of those. A few weeks ago, 31 NGOs wrote an open letter to key members of the European Parliament to express their “fundamental rights concerns about the Eurodac reform“. Although Eurodac began as the main EU fingerprint database for identifying asylum seekers and those crossing the border irregularly, the latest plans will see it expanded greatly. The NGOs identified a number of areas of concern, including the application of facial recognition techniques for biometric identification, and the widened scope of the database.

It will hold new categories of data, as well as new categories of people, including “persons apprehended irregularly crossing the external border”, “irregular migrants”, persons disembarked from search and rescue operations, people eligible for resettlement inside the EU, and people in third countries eligible for admission on humanitarian grounds. Another issue is that data will be stored for five years, well beyond the current 18 months. The NGOs called the plan a “wholly unjustified mass surveillance of migrants”. Despite these issues, the lead politician for the project says he will seek its “swift adoption” by the European Parliament, so it seems likely that it will go ahead.

Beyond the specific points raised by the NGOs in their letter, there are some more general worries with the EU’s plans. Once such a huge biometric database system exists, there will be a natural tendency to “enhance” it by adding more people, or at least linking it to other databases. Obvious candidates for inclusion would be convicted criminals in the EU, then later on perhaps biometric data from all EU passports. This would be a gradual process, so that any protests were spread out over time, and thus easier to ignore. But the logic will doubtless be that adding more personal data would make the system more efficient, and help catch more terrorists and paedophiles – the usual excuses exployed to justify the loss of key rights.

A troubling new argument in favour of this kind of cross-linking and consolidation of biometric data is increasingly being used. Those in favor of giving the authorities greater access to such personal data point out that most people allow online platforms like Google and Facebook to gather huge quantities of information about them routinely. Moreover, fingerprints are becoming a common way of establishing identity to unlock smartphones, so people are already being trained to accept their use as perfectly unexceptional. However, rather than justifying the creation of new and larger government databases, this is rather an argument to stop Google and Facebook building up such detailed pictures of our digital lives, and limiting biometric logons.

A larger issue is that it is simply not a good idea to create these massive databases in the first place. Just recently, the details of 100 million visitors to Thailand were exposed online. That was probably simply human error, but as this blog noted last year, China in particular is actively breaking into large-scale databases, presumably to harvest the personal information held there. The bigger that databases like Eurodac become, the greater the incentive for countries like China or Russia to attempt to exfiltrate the data, preferably without being detected. Spending a billion dollars on creating what amount to inviting biometric honeypots, with all the risks to privacy and security their breach would imply, seems like a really foolish thing to do.

Featured image by ExplorerBob.