Digital Fortress Europe #2: Trapped in a digital surveillance system

At the Greek Consulate in Istanbul, one morning in 2016, Erkan, a Turkish citizen of Kurdish origin, crosses the threshold of the building to address the Greek authorities. He was seeking a visa to enter Greece in order to flee Turkey at a time when the Erdogan regime was stepping up persecution, particularly against the leadership and members of the opposition HDP party and its Kurdish supporters. The Greek consular authority, however, rejected the visa request and Erkan was forced to remain in Turkey.

Orestiada Evros, 4 years later. Erkan was arrested at the Greek-Turkish border as he attempted to enter Greek territory and was taken to court. The court sentenced him to 4 years in prison without suspension and a 10,000 euro fine on charges of re-entering the country. But Erkan had not re-entered Greece.

What had happened? In front of Greek judges, Erkan sought asylum from Greece for persecution by the Erdogan regime, but was told that his name was on the National List of Unwanted Aliens (EKANA) and the Schengen Information System (SIS II, the largest information exchange system between Schengen countries), with a note that he had been banned from entering the country for 7 years. Because of his inclusion on these lists, he was taken first to Komotini prison and then to Corfu prison.

“We were trying to find out what had really happened” recounts Erkan’s lawyer and Human Rights 360 attorney, Eugenia Kouniaki. “My client had never entered Greece before and was suddenly convicted of re-entering the country. Initially, I contacted the police authorities, the Director of the Asylum Service in Athens, where he replied that my client had been included in the EKANA and SIS II because his visa had been rejected by the Consulate in Istanbul.”

The truth was quite simply to be found in the operation of the Single European Visa Information System (VISA-VIS) and SIS II. The Greek consulate that processed Erkan’s application entered the visa refusal in the VIS system and in SIS II at the same time. From then on, this record was enough to get him on his way to prison, even if he sought international protection.

“Even when I asked for his removal from the undesirable list and SIS II, as Erkan was an asylum seeker, the Greek police refused,” Kouniaki describes. “Apart from the fact that my client did not know that he was on the list, when we tried to find out why his visa was refused in 2016, we received the vague answer ‘for falsifying some documents’. When we attempted to find out what documents were claimed to have been falsified, we could not check what they were. Fortunately, in the appeal that we filed for a delay in implementing the sentence, the judges accepted our arguments, and after a year he was released from prison.”

However, after all this unfair treatment and imprisonment, he preferred to leave the country “because he believed that he would never find justice,” Kouniaki concludes.

Burning fingers to avoid identification in EURODAC

Erkan’s story may sound outrageous, but unfortunately it is not the only one linked to the consequences of surveillance technologies and biometric data systems for migrants. In the report “Technological Testing Grounds: migration management experiments and reflections from the ground up” (EDRi, Refugee Law Lab, November 2020), author Petra Molnar, a lawyer and member of EDRi (European Digital Rights), has collected a multitude of interviews with asylum seekers in Brussels who came into contact with mobility control systems during their journey to safety in Europe.

Caleb, a married man in his 30s, describes his experience of the asylum process by saying he felt “like a piece of meat with no life, just fingerprints and iris scans”. Another migrant, Esche, describes her encounter with drones in the Mediterranean and the English Channel with a devastating quote the moment she saw them in the sky: “now we have flying computers instead of more asylum”.

The most unpleasant story is told by Negassi, a 20-year-old from Ethiopia: ‘I am tired and I want to go to England’ he says after being stranded in Brussels for nearly two years, undocumented, and earlier the same in Nuremberg for 5 years. But this is not his first time in Belgium, as he was deported to Germany before when he was arrested in a park in Brussels, where he was sleeping rough. When his biometric data was taken by the Belgian police, his fingerprints showed a hit on the EURODAC system, which stores and identifies the fingerprints of asylum seekers, identifying him as a first-time asylum seeker in Germany. So they sent him back because of Dublin II, which stipulates that the first host country has to process the claim.

Negassi acknowledges that the process of collecting biometric data is invasive to the body, but asks: “How can I refuse when the police handcuff me, take me to the station and force me to give my fingerprints?” he tells Molnar. He has friends who have gone so far as to burn their fingers to alter their fingerprints and avoid identification. “However, that doesn’t solve the problem” for Negassi, as no identification usually means a longer detention period.

“There is a very important aspect that is not discussed enough in the public debate,” Petra Molnar tells us, “and it concerns the fact that these surveillance technologies cause trauma to people who are not even familiar with the technology. The migrants I spoke to all had a strong belief within them that they were experiencing racist and discriminatory treatment through their contact with these systems.”

This is why it is even more important, he continues, “in terms of the rampant use of these technologies, that there is accountability, oversight and governance. We need to focus on what kind of governance structures need to be developed to ensure that these technologies, which are a human-rights risk, do not cause trauma to people.”

The accountability part, however, does not seem to be enhanced by the way these systems are developed. The involvement of private companies in the security and defence industries further complicates matters. “There is a very problematic relationship of private companies and state institutions working together under the guise that states themselves cannot develop these technologies in-house”, points out Molnar. “So huge public resources are directed to big companies to develop them. But also from a legal point of view, it creates the problem of what some call ‘responsibility laundering’ when something goes wrong. In these cases, as we have seen, the state says ‘it is not our problem because we did not develop this technology’. And the private company for its part retorts that ‘the state management of the tools is to blame’.”

But public budgets for the industrial complex of migration management and border control are substantial, Molnar points out. “Of all that money in such a problematic technology that inflicts trauma, imagine if it went to education, legal services, housing. Why don’t states, instead of pouring so much money into surveillance technologies, think about how to use it for social inclusion?”

The European Border Surveillance system (Eurosur) and the money for drones

Perhaps the most interesting system for migration issues is Eurosur, which produces maps of both territorial/land and maritime borders. It is operated by Frontex and allows for the exchange of maps between states regarding border controls at sea. “The development of Eurosur was launched in 2007, but it reaches the European Parliament for the first time at the end of 2012, after hundreds of millions have been spent and its design has been completed, effectively presenting the institution with a fait accompli. Due to the lack of transparency, the research in the relevant directorates of the European Commission is largely captured by the priorities of the security-industry complex”, journalist Apostolis Fotiadis reported in his book “Border Merchants”.

When it was first developed it was promoted as a “humanitarian technology”, a system that would allow the authorities of each member state to conduct search and rescue operations. The idea was that “we use maps, we get information from satellites and also from drones, to perceive migratory flows, for example from Africa to Europe, so that we can rescue people at sea”. The problem is that Eurosur creates so-called pre-frontier pictures. These are maps that focus on the area before the border, before a ship arrives at the maritime border, for example Greece. “Mainly they do it to organise pull-back operations, because for example the Italian authorities can share data with the Libyan authorities so that the Libyan authorities can take back the migrants. They know that push-backs are not allowed, so the solution is pull-backs. That’s why Libya is funded,” explains Georgios Glouftios, a lecturer at the University of Trento, to MIIR.

For the creation of the pre-frontier maps, Frontex also cooperates with the European Union Satellite Centre (EU SatCen), which provides it with satellite imagery, aerial photographs and other related services. The Eurosur database also records incidents occurring at the EU maritime borders, although member states have not been obliged until now to upload data from incidents at border checkpoints in a systematic and organised manner (this changed with an implementing regulation in April 2021). Which means that there is no complete and methodical recording of incidents, blurring the overall picture of incidents at the external borders. A fact that is also admitted by the European Commission in the Eurosur evaluation report (September 2018).

Frontex’s second report in 2018 on the operation of Eurosur recorded over 184,000 incidents in the period from December 2013 to the beginning of 2018, with the vast majority (147,827) relating to migratory flows.

In February 2022, the French government announced that it would install additional cameras along the Channel coast to help monitor migrants hoping to cross the stretch of water to the UK. The cameras are being paid for by the British government. In December 2021, the Italian navy delivered a new shipment of containers with surveillance equipment to Libya to monitor migration in the Mediterranean (source: Altreconomia research magazine, February 2021 issue). Additional “trap cameras” for cars and people have also been placed at or near the border between Italy and Slovenia along the so-called Balkan route.

Eyes in the sky

Frontex confirms that it uses “a set of services falling under Eurosur, the information exchange framework designed to improve the management of Europe’s external borders” (source: infomigrants.net, “Digital borders: EU increases use of technology to monitor migration” , 18.2.2022). It states that most of this monitoring is carried out “by aerial surveillance by manned and unmanned aircraft, with satellite imagery devices and collection of vessel positions through positioning systems”.

According to a recent in-depth survey (“Funds for Fortress Europe: spending by Frontex and EU-LISA” , January 2022) by the non-profit organisation Statewatch, Frontex spends most of its annual budget on maritime and aerial surveillance, alongside deportations (chartered and scheduled flights for the return of migrants). According to data analysis carried out by Statewatch, between 2014-2020 Frontex together with the European agency EU-LISA (which oversees large-scale mobility-control information systems) spent a combined €1.9 billion on contracts with private IT companies and the security and defence industry. Of this money about half a billion (€434 million) was managed by Frontex with more than €100 million going to contracts with private companies related to air surveillance. This included a €50 million contract with the Airbus consortium – one of the leading trans-European companies in the aerospace and defence industry – and the Israeli company Elbit, which supplies 85% of the Israeli army’s drones.

In the same period, Frontex seems to have had a profitable relationship with three other air surveillance service providers: the Canadian CAE Aviation, the British Diamond-Executive Aviation (DEA) and the Dutch EASP Air. As a consortium they won contracts worth a total of €57 million (not counting the contracts they have signed alone for other security and control services to Frontex).

The same trend continued in 2021 with €84 million – i.e. one sixth of Frontex’s annual budget – going to air surveillance services.

In the deportation process, Frontex has worked with the Polish eTravel SA on €50 million in contracts to provide travel services (booking and ticketing services) for the scheduled return flights. It has also worked with the British multinational Air Charter Service Limited and the Norwegian AS Aircontact in flight chartering for the same purpose.

London-based Privacy International in July 2021 published its findings on how an increasing number of companies are “developing satellites capable of tracking and selling their data to border agencies”. The organisation concluded that while “such surveillance can save lives, it can also facilitate pullbacks or be used to persecute asylum seekers”.

The use of all these surveillance technologies also has a deeper consequence, underscores Antonella Napolitano, network coordinator of Privacy International. “On the one hand, it contributes to the criminalization of the migrant’s person, and at the same time it turns him into a data hub, from the beginning of the journey from the country of origin to the evaluation of biometric data in the EU. The aim is to fully record his movement and track him until the next steps within the European area. Indeed, if he is found trapped because of a wrong recording or decision within these systems where his data is stored, this error follows him for the rest of his life.”

This notion is not unconnected to the risk of extending surveillance to the whole range of travel, whether for tourism or work. Moreover, Napolitano points out, “the very interoperability of the systems is a good example of how a system developed to monitor migratory movements can then be extended to everyone, as these systems are progressively extended to all travellers entering the European area, but also to EU citizens moving within the EU”.  

“Being potentially considered a ‘criminal by default’, a concept reflected in the management of surveillance technologies, cannot leave anyone indifferent,” Napolitano concludes.  

Passenger Name Record: the monitoring of intra-EU movements

The Passenger Name Record (PNR) concerns the recording of all data of passengers moving within European territory, regardless of whether they come from a third country. What does this system collect?  Name, nationality, when we travelled, where from, where to, our email, our address. Apart from that, one can find out our travelling companions, possibly some data related to our stay such as hotel reservations, whether we travelled for business or personal reasons. It can probably even find out in an extreme case our religion, as the system even records the meal we ate during our flight. This meal may contain ‘interesting’ facts about us, e.g. if we eat kosher we are Jewish, if we don’t eat pork it means we are Muslim. It may also reveal if someone has allergies.

The PNR is accessible to the police authorities of each country. “And this is where the problems start. There is a European directive on how personal data can be processed through the PNR system. This European legislation must be transposed into national law in each country. The problem is that we have some failures in the transposition of this directive in different countries, such as Greece,” says lawyer Kostas Kakavoulis, a member of Homo Digitalis, to MIIR. As he explains, “the European directive says that each member state shall establish or designate an authority which is responsible for the prevention, detection, investigation and prosecution of serious terrorist offences. So we are talking about an authority that is either established from the outset or exists and is given this competence. In Greece, the legislature has given this competence to a department within the Directorate of Information Management and Analysis of the Greek Police. So we are not talking about an authority but a directorate of the Greek police. It is absurd for the body which holds the data, the police, to ask for access to this data from a department within the police. If it is subject to hierarchical control or if there are pressures in general, it is rather doubtful that a department of the Greek police will refuse to provide other departments of the Greek police with data that they need, even if it were necessary to do so. In France this is not the case, as a special independent authority has been set up for PNR data. In Greece any police force can have uncontrolled access to PNR data anywhere, anytime. There is no record anywhere of who requested which data, when and for what purpose. And there is no classified access policy. You only need to be a member of the police force to access this data.”

In Greece, the organisation Homo Digitalis (member of EDRi), in an open letter to the parliament, underlines that “the data in question can reveal the pattern of a person’s movements, such as the time of travel, the place of departure and arrival, his/her email and address, as well as a person’s travelling companions, but possibly even related hotel reservation data, etc., thus revealing information on business or personal travel and even the person’s social circle, such as friends or companions”.

The organisation notes that in the draft law submitted in 2018 in Greece there was:

● lack of a system for recording access to PNR data

● lack of prior judicial control over the provision of PNR data to pre-trial and other authorities

● the retention period of PNR data is not limited to the strictly necessary period

Four years later, the same shortcomings remain.

The organisation stressed that PNR data of minors transferred should be described clearly and accurately, and that any data transferred should not reveal either religious beliefs or information about the passenger’s health.

In part three of MIIR’s research: the features of artificial intelligence and algorithmic systems in the new mobility-screening regime, and the private contractors building and marketing them in the EU.