“Network with errors”: Europe’s emerging web of DNA databases, by Eric Topfer
01 January 2011
The networking of European national police databases is progressing. However, the implementation of the “principle of availability” is full of pitfalls, as the practice of DNA data exchange illustrates.
EU Member States have until 26 August 2011 to implement the so-called Prüm Decisions [1] adopted by the Council of the European Union (EU) three years ago. [2] National databases storing DNA profiles, fingerprints and vehicle registration data will be made available for automated cross-border searches by the police and criminal justice agencies of each Member State. The ultimate goal is to overcome lengthy mutual legal assistance bureaucratic procedures by establishing a single national contact point as an electronic interface for automated information exchange. Traditional channels of legal assistance would only be activated when search data matches a stored entry. Such a “hit” would lead to a request for further information. [3]
The rocky path from Prüm
Becoming a member of the Prüm network is a complex political and technical process. Regulatory frameworks have to be adjusted, national contact points need to be established, central searchable databases have to exist and must be connected to the secure European administration intranet S-TESTA, least common denominator data protection requirements have to be fulfilled, search capacities defined, technical specifications implemented, questionnaires answered, pilot runs successfully completed and a final evaluation visit has to be hosted before the Council of Justice and Home Affairs Ministers (JHA) must decide unanimously that a Member State can start operational data exchange.
Given this elaborate procedure it comes as no surprise that it is already evident that the August deadline for complete implementation cannot be met. In October 2010, a survey by the Belgian EU Presidency found that only ten Member States were exchanging DNA profiles, seven were exchanging vehicle register data and only five had made their dactyloscopic databases available for cross-border searches. Despite this, the Belgian study optimistically claimed that “most countries are convinced that they will make the deadline for all three data categories“. However, it had to admit that at least six countries would be incapable of connecting both their DNA databases and their fingerprint databases, and that another five countries would miss the deadline for the connection of their vehicle registers. [4] Responding to these obvious problems in 20 November 2010, the JHA Council insisted that all “Member States concerned should intensify their efforts and that those Member States which are already operational should increase their efforts to provide technical assistance.” [5]
Holes in the web of DNA databases
In October 2010, the members of the Prüm network in the field of DNA data exchange were: Austria, Bulgaria, Finland, France, Germany, Luxemburg, the Netherlands, Romania, Slovenia, Spain and – then still in a test phase – Belgium. Slovakia joined the information network in November. [6] But even among these 12 states not all members have access to each other’s DNA database. Only Austria was connected to all of the databases and was thus the spider in the web. Germany, for instance, had a direct wire for DNA profile exchange to only five other countries, and a German-French “axis”, usually seen as the motor of European integration, did not exist in this context. [7] In August 2009, Joachim Hermann, the Bavarian Interior Minister, commented angrily that the French neighbour is hindering crime control in Europe “unnecessarily.” [8]
The causes of these problems are manifold: difficulties in mobilising causes of political majorities for adjusting national legal frameworks with the Prüm requirements, power struggles between agencies over the denomination of the national contact point, troubles caused by intra-organisational restructuring entailed by international cooperation, and scarcity in personal and financial resources. The major challenge is, however, posed by technical problems that were reported by at least ten countries: components of hardware or software were found to be incompatible, or the connection to the S-TESTA network did not work without friction. Sometimes existing systems had to be replaced completely. It is estimated that connecting to the Prüm network costs an average sum of two million Euros. [9] For countries that had no national DNA database in operation before 2008 - such as Italy, Greece, Malta or Ireland [10] - the costs are likely to be much higher.
Some financial support is offered by the European Commission via the “Prevention and Fight against Crime” (ISEC) funding stream. A “helpdesk” was established at Europol and German Federal Criminal Police Office (BKA) experts travel around Europe to advise and support swamped partners as a “mobile competence team”. The coming months will reveal the success of these measures. From March 2011 onwards a wave of final evaluations is expected which will likely reach a peak before the deadline in July and August. It is unlikely that the few experts in charge of these evaluations will be capable of shouldering the foreseeable workload. Moreover, it is not certain that their evaluations, a precondition for the Council of the EU to give a green light for the launch of automated data exchange, will be positive in each case.
Thus, the Belgian report warns:
The Prüm procedure is in itself a time-consuming process; should this procedure remain as it is, it appears highly unlikely that all M[ember] S[tates] will be up and running by August 26th 2011. Even if all other problems – be they technical, organisational or financial – are solved, this [the evaluation process] might still be one of the biggest problems in the implementation of ‘Prüm Decisions’. [11]
It seems that – after the significant problems in setting up the Europol Computer Systems and in the face of the ongoing crisis around the implementation of the second generation of the Schengen Information System – another ambitious plan for European police cooperation will be thwarted by the complexities of large international IT projects.
Six loci, one hit? The rising risk of false positives
However, it is probably only a matter of time before the teething troubles of the Prüm network are resolved. A more serious problem for future operations will be Chapter 1 of the annex to the Council Decision 2008/616/JHA, which regulates the technical details of the implementation of the Prüm Decision. It defines the rules for the exchange of DNA data as follows: Transferred and compared are pairs of numbers which represent so-called alleles, variants of genes at a specified location of a chromosome. Transferred DNA profiles must consist of number pairs representing alleles for at least six of the seven gene locations (so-called “loci”) which are defined as the “European Standard Set of Loci” (ESS). In addition, the profiles may include further loci – in total 24 loci are allowed – or empty fields. Although it is recommended that “all available alleles shall be stored in the indexed DNA profile database and be used for searching and comparison” in order “to raise the accuracy of matches”, a match of six loci is defined as “hit”. [12]
But the rising number of Prüm network members increases the risk of so-called “adventitious matches” (i.e. false positives). Shortly before the launch of the initial DNA database comparison between Germany and the Netherlands in summer 2008, a leading Dutch forensic expert estimated on the basis of a bio-statistical calculation that the comparison would produce 190 false matches. [13] The comparison resulted in around 1,600 “hits”. [14] However, no figures have been presented concerning the number of false hits, and the German government claims that this statistical data is not collected. [15] Anticipating the forthcoming problems, the Ad hoc Group on Information Exchange, a preparatory body of the EU JHA Council which was transformed into the Working Party for Information Exchange and Data Protection, recommended in 2009:
that the national DNA experts of the requesting Member State carry out an additional verification on such possible matches before sending the result to the police and judicial authorities. A balance should be found between providing law enforcement authorities with investigative indications, which was the aim of the Prüm data exchange, and avoiding unnecessary work and the follow-up of false matches. [16]
This risk has been known for years. In 2005 the European DNA Profiling Group’s (EDNAP) forensic experts [17] and the European Network of Forensic Science Institutes (ENSFI) Working Group [18] discussed options to expand the “European Standard Set” by additional loci. After a proposal to expand the ESS by five loci was drafted at an ENSFI meeting in 2008, [19] the JHA Council finally adopted a corresponding resolution in November 2009. However, a resolution is non-binding “soft law” which can only encourage “Member States to implement as soon as practically possible the new ESS and no later than 24 months after the date of adoption of this Resolution”. [20]
Through this Resolution the Council avoided an amendment to the Prüm Decisions which was probably seen as a political mission impossible because the Lisbon Treaty introduced the European Parliament as another potential legislative veto player in the field of justice and home affairs. Since the adoption of the resolution its scope has been contested. The Dutch delegation at the Working Party on Information Exchange and Data Protection noted in June 2010 that the Prüm Decisions explicitly call for the implementation of a new European Security Strategy.[21] The relevant text, however, reads: “Each Member State should implement as soon as practically possible any new ESS of loci adopted by the EU.” [22] Member States are supposed but not obliged to implement the ESS, and only when practically feasible. This is the catch, as the adjustment of national infrastructure will entail significant technical and financial expense for some Member States.
Therefore it is no surprise that the previously mentioned Belgian report states: “One M[ember] S[tate] is reluctant to share all of its profiles, since this may result in an excessive number of profiles being sent abroad due to false positives, creating a data protection concern.” [23] It is very likely that the reluctant state is the United Kingdom which stores six million entries in its National DNA Database. [24] In the wake of the economic crisis and suffering severe budget cuts it seems that the UK prefers to keep its impressive stock of DNA data separate from the continental European Prüm network instead of adapting its bio-surveillance-industrial complex for the inclusion of two more loci. Thus, at least for a transitionary period the construction of the European surveillance network has reached its technical and organisational limits. Perhaps it is time to take a pause in the hunt for borderless biometric control.
Footnotes
1. Namely, the two Council Decisions 2008/615/JHA (EU Official Journal 2008/L 210/1) and 2008/616/JHA (EU OJ 2008/L 210/12, 6.8.08.)
2. In addition to the 27 EU Member States also Norway and Iceland will join the Prüm information exchange network as soon as possible. See: Council Decision 2009/1023/JHA of 21 September 2009 published in the EU OJ 2009/L 353/1, 30.12.09.
3. For more information on the Prüm regime see: E. Töpfer: “Searching needles in an ever expanding haystack” In: Statewatch, Vol. 18, No. 3, pp. 14-16.
4. Council document 15567/10, 28.10.10
5. Council doc. 15848/10, 8.11.10
6. Council doc. 14606/10, 29.10.10 adopted at the JHA Council meeting on 8.11.10.
7. Council doc. 5904/5/10, 17.9.10
8. FOCUS, Issue 35/09, 24.8.09
9. Council doc. 14918/10, 19.10.10
10. B. Prainsack & V. Toom: The Prüm Regime. Situated Dis/Empowerment in Transnational DNA Profile Exchange. In: British Journal of Criminology, 50 (2010), pp. 1117-1135 (1121)
11. Council doc. 14918/10, 19.10.10
12. EU Official Journal 2008/L 210/20-21, 6.8.08
13. Kees van der Beek: Exchange of DNA-profiles by the Treaty of Prüm. http://www.dna-conference.eu/ppt/Van%20der%20Beek.pdf
14. German Federal Ministry of Interior. BMI: Deutschland und die Niederlande schließen Testphase beim Abgleich von DNA-Analysedateien erfolgreich ab. Press release 1.7.08; German and Dutch DNA data, press release 1.7.08.
15. German Parliament doc. BT-Drucksache 16/14150, 22.10.09
16. Council doc. 8505/09, 15.4.09
17. EDNAP was launched in 1988 by initiative of the London Metropolitan Police Forensic Science Laboratory as an informal network of forensic genetic scientists aiming to harmonise DNA analysis for the purpose of criminal investigation. Since 1991 EDNAP is a formal working group of the International Society for Forensic Genetics, based in the German city of Mainz, which is representing the interests of 1,100 members from 60 countries Though EDNAP is thus legally a private association it has – among others funded by the EU – a significant influence on the development of forensic DNA analysis. See: http://www.isfg.org/EDNAP.
18. ENFSI was founded in 1995 as network of public forensic institutes. The organisation has currently 58 institutional members in 33 countries. Meanwhile member organisations do not have necessarily to be public bodies. Instead it is sufficient if they have a “credible status” in their homeland and if the quality of their work is or will be certified according to ISO standards. Therefore also private companies can be ENSFI members as illustrated by the privatised British Forensic Science Service. Nonetheless the European Commission recognised ENSFI as “monopolist” and “sole voice of the forensic community in Europe”. The importance of ENSFI is underlined by formal agreements with Europol and Eurojust and close contacts to Interpol and other international organisations. See: http://www.enfsi.eu.
19. Peter Gill et al. The Evolution of DNA Databases – Recommendations for new European STR loci. In: Forensic Science, 156 (2006), pp. 242-244
20. EU Official Journal 2009/C 296/01, 5.12.09
21. Council doc. 11084/10, 16.6.10
22. Section 1.1 of chapter 1 of the annex to Council Decision 2008/616/JI (EU OJ 2008/L 210/20)
23. Council doc. 14918/10, 19.10.10
24. National DNA Database Statistics http://www.npia.police.uk/en/13338.htm