Monday, November 29, 2004

An Open Letter to the European Parliament on Biometric Registration of all EU Citizens and Residents from the European Digital Rights coalition of civil liberties groups.

To the Members of the European Parliament,

We the undersigned are calling on you to reject the 'Draft Council Regulation on standards for security features and biometrics in passports and travel documents issued by Member States'. This is an unnecessary and rushed policy that will have hazardous effects on Europeans' right to privacy. This policy process requires additional oversight, and the eventual systems established will require significant controls and a strong legal framework to ensure that this is a proportionate response to the war on terrorism. In particular, we call for the removal of the requirement for fingerprinting all EU citizens.

We are quite alarmed by the political dynamics at play in this policy decision.



* The Council of the European Union pressed the European Parliament into including the Coelho reports on biometric identifiers on the agenda for the mini-session on Wednesday, 1 December 2004.

* Behind closed doors on October 25 the Justice and Home Affairs Council decided to introduce mandatory fingerprinting for all EU citizens into the draft regulation.

* The Parliament's response to this significant shift in policy is even more alarming: a majority of the Presidents of the Political Groups acccepted the claim that the change was not sufficient grounds for the report to be sent back to the LIBE Committee for further consideration.

* If the Presidents had refused to accept, the Council would have called for an urgency procedure.

* If the Presidents had refused, the Council would have also delayed the introduction of the co-decision procedure for immigration and asylum issues to April 1 instead of January 1.

These dynamics are irresponsible and unhealthy for a functioning democratic system.

Securing our passports from fraudulent use is indeed a pressing need, particularly considering the substantial number of blank passports lost every year. The proposed policy that is being presented to you for review will however have significant implications. This policy is dependent on an unprepared and under-developed technological infrastructure. It will therefore lead to an increased risk of abuse.

We are calling on the European Parliament to reject this policy. The European Parliament needs to provide sunlight to this policy process through oversight and an open deliberative process.

We are calling on the European Parliament to reject this policy. The case still has not been made openly and clearly as to why biometric passports are required. There is a lack of adequate safeguards. We urge the Parliament to oppose the creation of an EU-wide database of personal data. We further urge the Parliament to oppose mandatory fingerprinting as an unnecessary and disproportionate act. Finally, we are calling on the Parliament to reserve the right to question the legal basis of the proposal.

The European Parliament needs to provide sunlight to this policy process through oversight and an open deliberative process.
A Dangerous Policy

The grounds for changing our passport standards are many and varied. Yet the proposed changes in this policy are without foundation. U.S. law does require biometric passports programmes to be in place by the Autumn of 2005 in order for countries to remain part of the Visa-Waiver Programme. U.S. law also required the standard for these programmes to be established by the International Civil Aviation Organization. However, neither the U.S. nor the ICAO requires biometric passports in the form proposed by the Council.

We would like to take this opportunity to remind you that

* The Council is calling for the use of two biometrics, when the U.S. and the ICAO only require one, and this only involves a digital photograph. The inclusion of a fingerprint biometric is unprecedented.

* The U.S. has no intentions of implementing fingerprints in their passports. [1]

* The ICAO has itself noted that some States are legally barred from storing biometrics. [2]

* The U.S. Department of Homeland Security and the Department of State note that privacy issues need to be resolved prior to the implementation of these systems.[3]

* The French Government reached a similar conclusion, requiring that any implementation of biometric techniques is systematically subject to prior agreement from its national privacy commission.[4]

* The legal basis offered by the Commission and Council is fundamentally flawed. A legal analysis by Professor Steve Peers (University of Essex) concludes that: "The proposed Regulation on EU passports, with or without mandatory fingerprinting requirements, exceeds the legal powers conferred upon the Community to adopt measures concerning checks at external borders. It furthermore exceeds any other powers conferred upon the Community. If the Regulation includes mandatory fingerprinting requirements, it would also breach the principle of proportionality that is a requirement for the legality of Community acts, and the general principles of Community law, which include the protection of the right to private life."[5]

We are thus alarmed by the omission of these facts from the current debates.
Problematic Technologies

Lurking behind this policy is the creation of an EU-wide database system that will store the personal information of over 450 million people. This database is neither required nor is it technologically desirable. The European Commission previously advocated a centralised database solution, but even then the Commission noted that further research is necessary to "examine the impact of the establishment of such a European Register on the fundamental rights of European citizens, and in particular their right to data protection."[6]

Centralised EU databases covering passports, visa and residence permits will be linked through SIS II. This risks becoming a mass surveillance infrastructure tracking the movements of all residents and citizens. Plans to give access to all law enforcement and internal security agencies risks the misuse of sensitive personal information. To date, there have been too few studies, if any, of these problems and challenges. Policy as important and far-reaching as this requires more care before being adopted.

We would like to further remind you that the risks to privacy are well known. In particular, European Privacy and Data Protection Commissioners have long warned of the dangers of biometric data collection.

* The Article 29 Working Party on Data Protection rightly notes that fingerprints are usually collected from criminals. The increased collection of highly personal information will de-sensitize us to the effect that this processing will have on our daily life.[7]

* This proposal may not make us any safer and may in fact create more risks, and even greater potential of reuse and abuse. Centralised databases are prone to abuse, and fingerprints can easily be collected without consent, and are thus ideal for additional surveillance.[7]

* Even face recognition technology reveals racial or ethnic origin, [7] which under EU law is of a highly sensitive nature and deserves even greater privacy protection.

Additionally, the International Conference on Data Protection and Privacy Commissioners in 2003 declared that

"In the fight against terrorism and organized crime, countries should determine their responses paying full regard to fundamental data protection principles, which are integral parts of the values being defended."

They recommend that in situations where there are required interventions into the right to privacy,

"they should take place within a framework taking data protection into account, e.g. on the basis of an international agreement stipulating adequate data protection requirements, including clear purpose limitation, adequate and non-excessive data collection, limited data retention time, information provision to data subjects, the assurance of data subject rights and independent supervision."

The current proposal does not sufficiently address these most basic requirements. It lacks a legal framework to protect privacy rights. This deficiency is inexcusable, particularly as the personal information of Europeans is collected and transferred abroad.
Greater Implications

When the U.S. implemented its mass fingerprinting and face-scanning programme for all visitors, the world responded with alarm. All visitors over the age of 13 will now have their fingerprints taken and stored for 75 to 100 years by the Department of Homeland Security, and will be shared with other government departments and agencies, and other governments.[8]

The Council's proposed policy goes well beyond this already problematic US-VISIT programme. The U.S. Government is not fingerprinting its own citizens. The EU policy intends to fingerprint all EU citizens, residents, and visitors. The secondary effect of this policy is that whenever EU citizens travel abroad (not necessarily to the United States), they will again be required to register their fingeprints and face-scans with foreign governments as their passports are verified. As a result, the EU is drastically enlarging the US-VISIT programme by turning it against its own citizens and then globalising this practice.

We would also like to point to the practical implications of this policy.

* Citizens will now have to present themselves at an 'enrolment centre' to be 'processed and have their fingerprints taken by their National passport authority every time they want a passport. Previously, passport renewal could be achieved remotely, even through the post. The increased administrative costs to the authorities and to individuals are likely to be significant.

* The complexities of the database systems involved in the registration, issuance, and verification processes are unprecedented.

* There is no legal framework in this policy to prescribe how this information may be collected, processed, and transferred.

* Error rates in fingerprinting are significant, and poorly understood. Two percent of the general population do not even have fingerprints, while certain ethnic, and demographic groups are more difficult to fingerprint than others.[9] According to a recent overview of the current technological systems, the error rates are far from being minor, with false match error rates across products tested averaged 18 percent.[10]

According to one expert, our understanding of fingerprints "is dangerously flawed and risks causing miscarriages of justice".[10] Amongst the many cases of mistaken identification through fingerprinting, we would like to remind the Parliament of the recent case of Brandon Mayfield. After the Madrid Bombings of March 11, 2004, Spanish National Police managed to lift a fingerprint from an unexploded bomb. Three highly skilled FBI fingerprint experts declared that Oregon lawyer Brandon Mayfield's fingerprint matched. U.S. officials called it "absolutely incontrovertible" and a "bingo match." As a former U.S. soldier, his fingerprint was on the national fingerprint system. Mayfield was imprisoned for two weeks. The fingerprint, however, was not his. According to one law professor,

"The Mayfield misidentification also reveals the danger that extraneous knowledge might influence experts' evaluations. If any of those FBI fingerprint examiners who confidently declared the match already knew that Mayfield was himself a convert to Islam who had once represented a convicted Taliban sympathizer in a child custody dispute, this knowledge may have subconsciously primed them to "see" the match. ... No matter how accurate fingerprint identification turns out to be, it cannot be as perfect as they claim." [11]

When all of his personal information was combined, however, the FBI was convinced. Yet according to a recent panel of experts, they were wrong.[12] As we increase the database collection of biometric information away from criminals and other select groups, errors are likely to increase. The technology in our midst, and our methods, are not perfect.

The Council and the Commission are busy implementing many other systems of surveillance that will involve increased personal data collection, data mining, and data sharing. These policies together ensure that instead of achieving certainty and security, we only create more risk, danger, misplaced suspicion and abuse.
Greater Oversight is Required

The fatal flaw in this entire policy process is the lack of adequate supervision, oversight, and deliberation. This must be rectified. We call on the European Parliament to play this key role in democratic process.

We call on the European Parliament to:

* Re-establish essential safeguards for the proposed systems, including those that were set out in the Parliament's report, and in particular the abandonment of an EU-wide database.

* Require and/or establish a legal framework for the collection and use of personal information in travel documents and border programmes. This framework must be consistent with the European Convention of Human Rights, and in particular Article 8. This would include requiring clearer statements of purpose and use, so that the data collected is not used for generalised surveillance or other purposes.

* Require that this legal framework also ensure that the systems supporting this policy are secure, with clear lines of accountability, and that the collection procedures are well understood. Only then can we begin to understand the complexity of the system involved, and in turn the potentially severe cost implications.

* Call for the establishment of mechanisms for the oversight of the planning, implementation, testing, and use of biometrics in travel documents.

* Remove the unnecessary requirement of mass fingerprinting of EU residents and citizens.

* Review the technological implications of this and related policies. In establishing what could be one of the largest database systems in existence, we are alarmed by the lack of publication, public discourse, and scrutiny of the costs and implications of this policy. We need valid research of the problem, which can then be relayed to the Parliament, focussing on cost implications, legal implications, technological implications, and potentials for abuse.

* Call on the research and policy community to propose alternative solutions that are privacy-friendly. Alternative systems and technologies exist, as we already see that the U.S. is not intending on generating a fingerprint registry. Innovative solutions must be brought to the forefront to preserve European values, rights, democratic standards, and laws.

* Question the legal basis of the proposal in the first place.

The EU is embarking on a policy that will make our most personal information the currency of travel, while creating one of the world's largest surveillance infrastructures. This is unprecedented and unnecessary.

These are serious times and we need serious policy based on effective deliberation. Rushing this policy through the European Parliament is not required, when careful scrutiny is necessary. The EU's respect for privacy is often considered the global gold-standard, and yet now the EU is revolutionising surveillance. When combined with data profiling and data sharing proposals also being developed by the Commission and the Council, Europe faces the real prospect of creating a surveillance behemoth.

We call on MEPs to oppose this proposed policy, and we look forward to working with you in the future on establishing effective policies for securing our societies whilst simultaneously securing our rights and liberties.

Signed,

Gus Hosein
Privacy International

Tony Bunyan
Statewatch


Statewatch

Andreas Dietl
European Digital Rights

Additional Endorsements

(Individuals or organisations who wish to endorse this letter are kindly asked to send an e-mail to brussels email)
References

[1] U.S. Department of State, Abstract of Concept of Operations for the Integration of Contactless Chip in the U.S. Passport. Washington, April 26, 2004.

[2] ICAO BIOMETRICS DEPLOYMENT OF MACHINE READABLE TRAVEL DOCUMENTS ICAO TAG MRTD/NTWG TECHNICAL REPORT: Development and Specification of Globally Interoperable Biometric Standards for Machine Assisted Identity Confirmation using Machine Readable Travel Documents. Montreal: ICAO, May 12, 2003. ver 1.9.

[3] Tom Ridge and Colin Powell, Dear Mr. Chairman, letter to the Chairman of the House Committee of the Judiciary. Washington, D.C.: 2004. Archived at http://www.house.gov/judiciary/ridge031704.pdf

[4] French Government, Implementation of Biometric Techniques on French Airports. Cairo, Egypt: Presented to the ICAO summit in Cairo. March 18, 2004, FAL/12-IP/24. Archived at http://www.icao.int/icao/en/atb/fal/fal12/documentation/fal12ip024_en....

[5] Steve Peers, Commission’s EU biometric passport proposal exceeds the EC’s powers. Statewatch, November 26 2004. Archived at http://www.statewatch.org/news/2004/nov/11biometric-legal-analysis-htm...

[6] Commission of the European Communities, Proposal for a Council Regulation on standards for security features and biometrics in EU citizens' passports. Brussels: The European Commission, February 18 2004, COM(2004)116final. Archived at http://register.consilium.eu.int/pdf/en/04/st06/st06406-re01.en04.pdf

[7] Article 29 Working Party, Working document on biometrics. Brussels: Article 29 Data Protection Working Party, August 1, 2003. Archived at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp8...

[8] Privacy International, The enhanced US border surveillance system: an assessment of the implications of US-VISIT. London, September 28, 2004. Archived at http://www.privacyinternational.org/issues/terrorism/rpt/dangers_of_vi...

[9] United States General Accounting Office, Technology Assessment: Using Biometrics for Border Security, November 2002.

[10] Fingerprint Verification Competition 2004, Open Category Results: Average results over all databases, Preliminary results.

[11] J.L. Mnookin, "The Achilles' Heel of Fingerprints". Washington Post, May 29, 2004.

[12] B. Harden. "FBI Faulted in Arrest of Ore. Lawyer." Washington Post, November 16, 2004.




No comments: