4. 'Travel intelligence’: profiling and risk assessment

In 2013, Frontex noted that developments in technology were making it possible to undertake checks of travellers “partly or in full before their arrival to the physical border.”[1] That is, the EU’s borders – and the controls on entry that go with them – could be extended far beyond their physical boundaries.

This was hardly a new phenomenon. Individuals that need a visa to travel to the Schengen area (as well as many of the world’s rich states) have long been subject to forms of remote border control, through the need to apply for a visa in person (at a consulate or embassy) combined with carrier sanctions, through which travel companies can be fined for transporting a person who does not have the correct documentation. This of course encompasses the vast majority of the world’s asylum seekers.[2]

These forms of remote control are now both extending, through their application to a far wider group of people; and intensifying, through the increased use of personal data and new technologies to undertake the automated screening and profiling of travellers. In the case of the EU, the need for government “permission to travel”[3] is being extended to citizens from visa-exempt countries, who will soon need a “travel authorisation” to enter the Schengen area. Meanwhile, those subject to visa and travel authorisation requirements will have their applications automatically assessed against “screening rules” and “risk indicators”. It should be noted that the EU’s proposed Artificial Intelligence Act seeks to exempt the EU’s large-scale databases from the safeguards that would otherwise govern AI systems categorised as high-risk. This would allow the use of these technologies without sufficient guarantees for individual rights and liberties.[4]

4.1. Profiling HQ: the ETIAS Central Unit

In order to implement these new forms of control, Frontex will host the ETIAS Central Unit, the primary objective of which is to process travel authorisations and to define the “specific risk indicators” that will be used for the profiling of travel authorisation and visa applicants.[5] When a traveller submits an application for a visa or travel authorisation, the application will be sent to the Central Unit and automatically cross-checked against a variety of databases, run through a profiling tool and checked against a ‘watchlist’ of persons of interest. Any “hits” must be manually reviewed by a member state ETIAS National Unit for approval or refusal; Europol may also be involved in the assessment process, depending on the type of hit.

4.2. Automated checks of EU and international databases

Automated checks will rely on the “identity data” provided by the applicant: names, nationality, date of birth, travel document information, fingerprints and facial image. Through the European Search Portal, one of the components of the interoperability architecture,[6] applications will be compared to  the records, files and/or alerts registered in an array of other EU and international databases:

  • Schengen Information System (SIS);
  • Entry/Exit System (EES);
  • Eurodac;
  • European Travel Information and Authorisation System (to check for previous applications);
  • European Criminal Records Information System for Third-Country Nationals (ECRIS-TCN);
  • Visa Information System (to check for previous applications);
  • Data held by Europol, the EU’s policing agency;
  • Interpol databases:
    • Stolen and Lost Travel Documents (SLTD); and
    • Travel Documents Associated With Notices (TDAWN).

This process opens up new possibilities for error and abuse in immigration procedures: firstly, because the EU’s databases are known to be strewn with errors and omissions;[7] secondly, because both Interpol’s databases and the EU’s own systems are potential targets for abuse by repressive states wishing to pursue dissidents and opponents abroad.[8]

With regard to Interpol, the misuse of the SLTD database, in particular by the Turkish authorities, has been well-documented: officials report an individual’s Turkish passport as lost or stolen, and when that individual attempts to travel using the document, they are prevented from doing so.[9] Interpol’s ‘red notice’ system has also been abused by a variety of states across the globe.[10] The red notice system is not part of the EU’s interoperability architecture, although it may be checked by states at border crossings.

Similar kinds of abuse may also take place via Europol and the SIS, due to new rules that came into force in June. Europol can now propose that member states create “information alerts on third-country nationals in the interests of the Union” in the SIS. These are to be based on data shared with Europol by third states, and should relate to individuals suspected of involvement in terrorism or serious crime.[11] This raises the possibility that third states could request the insertion of data on political opponents and dissidents, turning them into persons of interest for the EU authorities.[12] Rules under discussion to upgrade the Prüm network of national police databases raise a similar problem.[13] As Frontex’s deployments grow in scale and scope, it is increasingly likely that it will be a Frontex officer refusing an individual entry to the EU on the basis of such alerts.

4.3. Automated profiling

Automated profiling of all visa and travel authorisation applications will take place via algorithms: the ETIAS screening rules[14] and the VIS screening rules.[15] Those rules will be drawn up based on a variety of statistics. For the ETIAS, these will be drawn from the EES and the ETIAS itself; and for the VIS, from the EES and the VIS. Both systems will also make use of “information substantiated by factual and evidence-based elements provided by Member States,” and information on epidemic diseases provided by the European Centre for Disease Prevention and Control and the World Health Organization. The Commission is obliged to adopt delegated and implementing acts to define and specify the risks in question, although it has not yet done so.[16]

The ETIAS Central Unit will then draw up the “specific risk indicators”, after having consulted the ETIAS Screening Board and the VIS Screening Board. These will be based on “a combination of data including one or several” of the factors set out in the table below.

Basis for the specific risk indicators

ETIAS

VIS

age range, sex, nationality

age range, sex, nationality

country and city of residence

country and city of residence

current occupation (job group)

current occupation (job group)

 

the Member States of destination

 

the Member State of first entry

 

purpose of travel

level of education (primary, secondary, higher or none)

 

The two Screening Boards will be made up of representatives from Frontex, Europol and every ETIAS National Unit (in the case of the ETIAS) and every member state (in the case of the VIS). They are to be consulted by the Central Unit on “the definition, establishment, assessment ex ante, implementation, evaluation ex post, revision and deletion of the specific risk indicators,” and will meet twice a year.[17] In doing so, they should also “take into consideration” the non-binding recommendations issued by the ETIAS Fundamental Rights Guidance Board and the VIS Fundamental Rights Guidance Board.[18]

Screening Boards

ETIAS

VIS

Frontex representative

Frontex representative

Europol representative

Europol representative

Representative of every ETIAS National Unit

Representative of every member state

The Fundamental Rights Guidance Boards have an “advisory and appraisal function” and will be made up of Frontex’s Fundamental Rights Officer, a member of the Frontex Consultative Forum on Fundamental Rights, and representatives from the European Data Protection Supervisor, the European Data Protection Board and the Fundamental Rights Agency. A representative of each Fundamental Rights Guidance Board will be invited to attend meetings of the respective Screening Board “in an advisory capacity,” and shall have access to the files of the respective Screening Board.[19]

Fundamental Rights Guidance Boards

ETIAS

VIS

Frontex Fundamental Rights Officer

Representative of the Frontex Consultative Forum on Fundamental Rights

Representative of the European Data Protection Supervisor

Representative of the European Data Protection Board

Representative of the EU Fundamental Rights Agency

The legislation on both the VIS and the ETIAS includes the following obligation:

“The specific risk indicators shall be targeted and proportionate. They shall, in no circumstances, be based solely on a person’s sex or age or on information revealing a person’s colour, race, ethnic or social origin, genetic features, language, political or any other opinion, religion or philosophical belief, trade union membership, membership of a national minority, property, birth, disability or sexual orientation.”

It will be up to the Central Unit, the Screening Boards and the Fundamental Rights Guidance Boards to determine whether the authorities uphold this obligation. However, as noted, the Fundamental Rights Guidance Boards have no binding powers.

4.4. The ETIAS watchlist

Despite the EU already operating an extensive digital infrastructure for keeping tabs on suspected criminals, terrorists and other persons of interest – in particular via the Schengen Information System and Europol’s databases – the ETIAS legislation also establishes a new “watchlist”, in keeping with an international trend for such practices.[20] All visa and travel authorisation applications will be checked against the watchlist, which aims at:

“…identifying connections between data in an application file and information related to persons who are suspected of having committed or having taken part in a terrorist offence or other serious criminal offence or regarding whom there are factual indications or reasonable grounds, based on an overall assessment of a person, to believe that they will commit a terrorist offence or other serious criminal offences.”[21]

Europol and the member states will be responsible for adding names to the watchlist,[22] which will be based on “information related to terrorist offences or other serious criminal offences.” The legislation does not specify any particular sources of information, but it is noteworthy that the EU is making substantial efforts to make it simpler to receive information from non-EU states and insert it into EU-wide databases. In this context, the information that used to make an “overall assessment of a person” may not be entirely reliable.

Before an individual’s data is added to the watchlist, the authorities must check whether it corresponds to an alert in the SIS – and if so, they should not enter the data into the list. Here, the legislation indicates the reason for the list – as a way to keep tabs on individuals for whom there is insufficient justification to enter their data in the SIS: “Where the conditions for using the data to enter an alert in SIS are fulfilled, priority shall be given to entering an alert in SIS.” If those conditions are not fulfilled, their name goes in the watchlist.[23]

Europol and the member states must review entries at least once per year and remove them if they are “obsolete or not up to date”.[24] While this looks efficient on paper, it has been noted that the necessity and efficacy of watchlisting “has not been reliably established and, in practice, [watchlisting] is extraordinarily difficult to challenge.”[25]

4.5. Towards an EU travel intelligence architecture

The new systems of surveillance control being established through the ETIAS and the changes to the VIS are part of a larger picture – the development of an EU “travel intelligence” architecture. While Frontex certainly has a role in this architecture, it appears that it is largely being propelled by Europol. The policing agency describes travel intelligence as relating to “PNR [Passenger Name Record], EES, ETIAS, VIS and other relevant information management initiatives on the movements of persons and goods.”[26]

Its current work programme notes that Europol will “work with the relevant EU agencies, the European Commission and the Member States to implement its roadmaps related to travel intelligence and to EU systems interoperability,”[27] which is intended to lead to “a fully-fledged European Travel Intelligence Centre (ETIC).”[28] The ETIC will provide “concrete operational and strategic products and services on the basis of travel information and intelligence to support the Member States,” interconnect national Passenger Information Units (PIUs, responsible for processing PNR data), and step up cooperation with “private partners relevant for the collection of travel intelligence,” including by using the new powers contained in the revamped Europol Regulation.[29],[30]

More information on the travel intelligence plans can be found in the final report of the Europol-Frontex Future Group on Travel Intelligence, which was made public by Statewatch in May 2022. This outlined the possibility of a “European System for Traveller Screening” that would incorporate data from as many sources as possible to generate information on an individual across the “EU Border and Travel Continuum” – from an individual planning to travel to the EU, crossing the border, staying within the EU, and then departing. The Future Group report notes that this would require legal changes, and may see the further incorporation of artificial intelligence technologies into the EU’s border regime.[31]

 Notes

[1] Frontex, ‘Border Control in the Information Age’, 26 March 2013, https://frontex.europa.eu/media-centre/news/focus/border-control-in-the-information-age-udh57L

[2] The absurdity of such a system was laid bare when the UK’s Home Secretary, Suella Braverman, was questioned by fellow Conservative MP Tim Loughton in a parliamentary committee in November 2022. A video of the exchange is available in a tweet by Andrew Connolly, 23 November 2022, https://twitter.com/connellyandrew/status/1595376648261623810

[3] ‘Government permission to travel: “Authority to Transport”’, Papers, Please!, 8 February 2019, https://papersplease.org/wp/2019/02/08/government-permission-to-travel-authority-to-carry/

[4] ‘Joint statement: The EU Artifical Intelligence Act must protect people on the move’, Statewatch, 6 December 2022, https://www.statewatch.org/news/2022/december/joint-statement-the-eu-artifical-intelligence-act-must-protect-people-on-the-move/

[5] Article 7, Regulation (EU) 2018/1240

[6] See ‘European Search Portal’ in the interactive map ‘EU agencies and interoperable databases’, https://www.statewatch.org/eu-agencies-and-interoperable-databases/

[7] Fundamental Rights Agency, ‘Under watchful eyes’, 2018, pp.81-98, https://fra.europa.eu/sites/default/files/fra_uploads/fra-2018-biometrics-fundamental-rights-eu_en.pdf

[8] Ewelien Brouwer, ‘Schengen Entry Bans for Political Reasons? The Case of Lyudmyla Kozlovska’, Verfassungsblog, 30 August 2018, https://verfassungsblog.de/schengen-entry-bans-for-political-reasons-the-case-of-lyudmyla-kozlovska/; Edward Lemon, ‘Weaponizing Interpol’, Journal of Democracy, 30(2), April 2019, pp. 15-29; Romain Lanneau, ‘How a Dutch Pacifist Activist Ended up on the Europol and Interpol Terrorism Lists’, Politics Today, 6 December  2021, https://politicstoday.org/how-a-dutch-pacifist-activist-ended-up-on-the-europol-and-interpol-terrorism-lists/

[9] ‘Turkey’s Abuse of INTERPOL: How Erdoğan Weaponized the International Criminal Police Organization for Transnational Repression’, Stockholm Center for Freedom, 24 August 2021, https://stockholmcf.org/turkeys-abuse-of-interpol-how-erdogan-weaponized-the-international-criminal-police-organization-for-transnational-repression/

[10] Fair Trials, ‘INTERPOL’, https://www.fairtrials.org/campaigns/interpol/

[11] ‘CHAPTER IXa: Information alerts on third-country nationals in the interest of the Union’, Regulation (EU) 2018/1862 (consolidated version), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02018R1862-20220801#tocId50

[12] ‘Empowering the police, removing protections: the new Europol Regulation’, Statewatch, November 2022, p.30, https://www.statewatch.org/media/3615/empowering-the-police-removing-protections-new-europol-regulation.pdf

[13] ‘Empowering the police, removing protections’, p.32

[14] ‘CHAPTER V: THE ETIAS SCREENING RULES AND THE ETIAS WATCHLIST’, Regulation (EU) 2018/1240, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32018R1240#d1e3365-1-1;

[15] Preamble para. 24, Regulation (EU) 2021/1134, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021R1134 

[16] All the delegated acts adopted in relation to the ETIAS Regulation are available here: https://eur-lex.europa.eu/search.html?SUBDOM_INIT=ALL_ALL&DTS_SUBDOM=ALL_ALL&DTS_DOM=ALL&DB_DELEGATED=32018R1240&lang=en&type=advanced&qid=1673343289301. The related implementing acts are available here: https://eur-lex.europa.eu/search.html?SUBDOM_INIT=ALL_ALL&DTS_SUBDOM=ALL_ALL&DTS_DOM=ALL&lang=en&type=advanced&DB_IMPLEMENTING=32018R1240&qid=1673343118890

[17] Article 9, Regulation (EU) 2018/1240; Article 9k, Regulation (EU) 2021/1134

[18] Ibid.

[19] Article 10, Regulation (EU) 2018/1240; Article 9l, Regulation (EU) 2021/1134

[20] Ramzi Kassem, Rebecca Mignot-Mahdavi and Gavin Sullivan, ‘Watchlisting the World: Digital Security Infrastructures, Informal Law, and the “Global War on Terror”’, Just Security, 28 October 2021, https://www.justsecurity.org/78779/watchlisting-the-world-digital-security-infrastructures-informal-law-and-the-global-war-on-terror/

[21] Article 34(1), Regulation (EU) 2018/1240

[22] Article 20(4), Regulation (EU) 2018/1240, Article 9a(3)(c), Regulation (EU) 2021/1134

[23] Article 35(3), Regulation (EU) 2018/1240

[24] Article 45(4), Regulation (EU) 2018/1240

[25] Ramzi Kassem, Rebecca Mignot-Mahdavi and Gavin Sullivan, ‘Watchlisting the World: Digital Security Infrastructures, Informal Law, and the “Global War on Terror”’, Just Security, 28 October 2021, https://www.justsecurity.org/78779/watchlisting-the-world-digital-security-infrastructures-informal-law-and-the-global-war-on-terror/

[26] ‘Europol Programming Document 2023-25, p.41, https://www.europol.europa.eu/publications-events/publications/europol-programming-document

[27] Ibid., p.22

[28] Ibid., p.43

[29] Ibid., p.44

[30] ‘Empowering the police, removing protections: the new Europol Regulation’, Statewatch, 10 November 2022, https://www.statewatch.org/publications/reports-and-books/empowering-the-police-removing-protections-the-new-europol-regulation/

[31] ‘EU: Police plans for the “future of travel” are for “a future with even more surveillance”’, Statewatch, 30 August 2022, https://www.statewatch.org/news/2022/august/eu-police-plans-for-the-future-of-travel-are-for-a-future-with-even-more-surveillance/

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error