The US is planning to give up its citizens’ most precious data in exchange for the biometric data harvested by its “partner” governments in Europe and beyond.
The Biden Adminstration is currently making an offer to dozens of governments in Europe and beyond that they probably will not be able to refuse. On offer is access to vast reams of sensitive data on US citizens held by the Department of Homeland Security. It includes the IDENT/HART database, which the British civil rights organization Statewatch describes as “the largest U.S. Government biometric database and the second largest biometric database in the world, containing over 270 million identities from over 40 U.S. agencies.”
Biometric identifiers include fingerprints, facial features and other physiological characteristics that can be used for automated identification. In some cases, these identifiers have been harvested by the US government without the consent of the citizens in question (more on that later).
The data-sharing arrangement is being offered to all 40 countries selected for the US government’s Visa Waiver Program (VWP). That means their citizens can travel to the U.S. for up to 90 days without a visa. They include most of the EU’s 27 Member States, three of the US’ four fellow members of the Five Eye Alliance (United Kingdom, New Zealand and Australia), Japan and South Korea.
A Kafkaesque Nightmare
Of course, the US government is not offering to share the biometric data of 270 million of its citizens out of pure selfless altruism. It wants something in return — namely the biometric data of the citizens of its partner states:
“In turn, DHS may submit biometrics to IBIS partner countries to search against their biometric identity management systems in order for partner countries to provide DHS with sharable biographic, derogatory, and encounter information when a U.S. search matches their biometric records. This high-volume matching and data exchange is accomplished within minutes and is fully automated; match confirmation and supporting data is exchanged with no officer intervention.”
The emphasis in the last sentence was added by Statewatch, for good reason. In the fully digitised world that is fast taking shape around us, many of the decisions or actions taken by local, regional or national authorities that affect us will be fully automated; no human intervention will be needed. That means that trying to get those decisions or actions reversed or overturned is likely to be a Kafkaesque nightmare.
Statewatch has obtained an internal US government document titled “DHS International Biometric Information Sharing (IBIS) Program” and with the sub-heading “Enhanced Biometric Security Partnership (EBSP),” which, as Statewatch notes, is essentially a sales pitch to potential “foreign partners”:
The IBIS Program, it states, provides “a scalable, reliable, and rapid bilateral biometric and biographic information sharing capability to support border security and immigration vetting,” which:
“…creates value for the United States and its partners by detecting fraud, identifying transnational criminals, sex offenders who have been removed from the United States, smugglers of humans and narcotics, gang members, terrorists and terrorist-related information, and the travel patterns of criminals.”
The US government will also gain access to the biometric data of untold millions of law-abiding civilians of VWP countries who, like untold millions of law-abiding citizens in the US, have been caught up in their respective government’s biometric data dragnet. At least 600 law-enforcement agencies in the U.S., including ICE, have used the services of US company Clearview, which sells facial recognition tools to governments and companies after scraping the photos of hundreds of millions of people from social media platforms without their consent.
Clearview has already faced fines and bans in Britain, Canada, France, Australia and Italy, and the company faces multiple law suits in the US. Yet if the IBIS Program goes ahead, the governments of those countries will be given access to huge troves of biometric data of US citizens that US government agencies acquired from that company.
A Privacy Nightmare
Privacy campaigners on both sides of the Atlantic are rightly concerned about the potential implications of the IBIS Program, especially given the US’ much laxer approach to data protection. After a meeting of European Parliament civil liberties committee members with the DHS, Pirate Party MEP Patrick Breyer described the new U.S. policy as “blackmail” and urged the European Commission to reject the demand:
“Millions of innocent Europeans are listed in police databases and could be exposed to completely disproportionate reactions in the USA. The US lacks adequate data and fundamental rights protection. Providing personal data to the US exposes our citizens, i.e. to the risk of arbitrary detention and false suspicion, with possible dire consequences, in the course of the US “war on terror”. We must protect our citizens from these practices.”
As I noted in my April article, “Biometric Surveillance Systems Are Being Hastily Rolled Out Across the West, With Next to No Public Debate,” the problem is not just about privacy; it is about the inherent flaws within biometric systems, including facial recognition:
The systems are notoriously inaccurate on women and those with darker skin, and may also be inaccurate on children whose facial features change rapidly.
There are also concerns about who the data will end up being shared with or managed by and just how safe it will be in their hands. In December 2021, the civil liberties group Statewatch reported that the Council of the EU, where the senior ministers of the 27 Member States sit, not only intends to extend the purposes for which biometric systems can be used under the EU’s proposed Artificial Intelligence Act but is also seeking to allow private actors to operate mass biometric surveillance systems on behalf of police forces.
In February Statewatch published another report titled “Building the Biometric State: Police Powers and Discrimination.” In it the group warned that the EU’s rapid expansion of biometric profiling at borders and identity checks within the 27-member bloc risk is likely to lead to increased racial profiling of ethnic minority citizens and non-citizens.
UK and Israel Already on Board
News about the Enhanced Border Security Partnership (EBSP) surfaced last month after it was revealed that the DHS was approaching EU member state governments directly, effectively cutting out the European Commission. Like so many of these kinds of schemes, participation is initially on a voluntary basis, but from 2027 it will become mandatory under the U.S. Visa Waiver Program (VWP). In other words, if countries want their citizens to continue enjoying visa-free travel to the US, they will have to provide US authorities with access to their citizens’ biometric data.
Unsurprisingly, the UK is already participating in the new program, although no officials in the UK or the US have disclosed what kind of information is being shared. So too is Israel. In early July, The Register reported that the UK, along with three other unnamed countries, has signed up to the EBSP, which prompted the following statement from the UK Home Office:
“The UK has a long-standing and close partnership with the USA which includes sharing data for specific purposes. We are in regular discussion with them on new proposals or initiatives to improve public safety and enable legitimate travel.”
The news comes after the UK’s currently rudderless government introduced a new bill to the UK parliament that proposes significant changes to data protection, law enforcement, biometrics, digital identity and identity verification, and even modifications to the civil registry for births and deaths.
EU on a Similar Path
As I reported in April, the EU is also on the verge of building one of the largest facial recognition systems on planet Earth, ostensibly as part of wider plans to “modernize” policing across the 27-member bloc. The EU is also seeking to merge biometric data from different databases into a “Common Identity Repository,” which will be used by security forces to compare fingerprints and facial images at EU borders.
If the European Entry/Exit System (EES) goes into operation as planned in two months’ time, all travellers arriving to the EU, including those subject to a visa requirement as well as those exempted from it and admitted for a short stay of up to 90 days in a 180-day period, will have to provide fingerprints and facial images on crossing an EU external border. All Schengen states must procure the necessary technology, including fingerprint readers, face scanners and the necessary server infrastructure, to connect to the EES by September. However, some reports suggest that the ongoing supply chain crisis, in particular the acute shortage of semiconductors, is complicating matters.
This is all happening despite opposition from the EU’s own data watchdogs. Wojtek Wiewiorowski, who leads the EU’s in-house data protection agency, EPDS, which is supposed to ensure the EU is complying with its own strict privacy rules, told Politico in November that European society is not ready for facial recognition technology: the use of the technology, he said, would “turn society, turn our citizens, turn the places we live, into places where we are permanently recognizable … I’m not sure if we are really as a society ready for that.”
Flags raised by data protection officials at the EU’s European Border and Coast Guard Agency, also known as Frontex, are also being systematically ignored. Evidence gathered by the Balkan Investigative Reporting Network suggests that Frontex’s senior leadership, backed by the European Commission, is sidelining EU data protection watchdogs in order to push through the Commission’s plan to vastly expand “intrusive” data collection from migrants and refugees, regardless of warnings of institutional overreach, threats to privacy and the criminalisation of migrants:
Nayra Perez, Frontex’s own Data Protection Officer, DPO, warned repeatedly that the PeDRA expansion “cannot be achieved by breaching compliance with EU legislation” and that the programme posed “a serious risk of function creep in relation to the Agency’s mandate.” But her input was largely ignored, documents reveal.
The DPO warned of the possibility of Frontex data being transmitted in bulk, “carte blanche”, to Europol, a body which this year was ordered to delete much of a vast store of personal data that it was found to have amassed unlawfully by the EU’s top data protection watchdog, the European Data Protection Supervisor, EDPS.
Backed by the Commission, Frontex ignored a DPO recommendation that it consult the EDPS, currently led by Polish Wojciech Wiewiórowski, over the new PeDRA rules. In a response for this story, the EDPS warned of the possibility of “unlawful” processing of data by Frontex.
Enabling Digital Identity
This is all happening at the same time that the European Commission is using aid money to push countries in its outer orbit that provide large flows of migrants into the EU, mainly in Africa, to set up “large-scale, high-risk” biometric databases to manage migration flows to the EU and facilitate deportation, as Privacy International reported in 2020. They include countries with egregious human rights records.
In 2014, the governments of France, Norway, the UK and Australia, together with the Bill and Melinda Gates Foundation and the Omidyar Network, provided the seed funding for the World Bank’s Identification for Development (ID4D) program whose goal is to help countries in Africa, Asia and Latin America “realize the transformational potential of digital identification systems. The program’s implications for human rights has drawn attention from many quarters, including the NYU School of Law, which recently warned that it risks setting countries down a “digital road to hell.”
Much the same is happening in the so-called “liberal” democracies of the West. After the “success” of its vaccine passport program, the EU has already launched a pilot for a digital identity wallet. Secured by biometric identifiers, it will allow EU citizens to verify their ID, access public and private services across the bloc, and store digital documents. As I’ve noted in previous articles, a mandatory digital identity is a necessary precondition for the launch of central bank digital currencies (CBDCs), which more than 100 central banks are in the process of developing.
The official launch of the EU’s digital ID wallet is scheduled to take place as early as September 2022. To begin with, it will be offered on a voluntary basis but we all know how the so-called “Green Pass” turned out. The UK, Australia and Canada are also developing similar digital identity programs, while in the US a new digital identity bill is steadily making its way through Congress, unbeknown to most of its citizens. The complete lack of public debate or consultation is a feature, not a bug, of the digital surveillance and control systems rapidly being constructed around us.