While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
When the international police organization Interpol began sharing fingerprint records with the border control system two years ago, U.S. officials immediately got a match on a Bulgarian national wanted for embezzling 9 million Euros. Interpol had been searching 10 years for the man, who had fled to Costa Rica and become a citizen of that country. The United States Visitor and Immigrant Status Indicator Technology system identified him when he applied for a U.S. visa, and authorities arrested him shortly afterward in Costa Rica.
As a result of that success, Interpol sent US-VISIT another set of prints, and U.S. authorities got a match with a commercial truck driver who drove regularly from Canada to Lewiston, N.Y. The man was a citizen from the Republic of Georgia who was wanted for murder in Germany. He too was arrested.
The US-VISIT partnership with Interpol, which continues to yield significant arrests, has government officials from many nations contemplating more ambitious plans for data sharing. Robert A. Mocny, acting director of US-VISIT, proposed in November that the United States and other foreign nations share more information as part of a “global security envelope” to counter international terrorists and criminals. Mocny emphasized the importance of protecting privacy, but said public officials also have an obligation to share information that can save lives and property.
“How ethical is it to withhold data on someone known to be dangerous from those officials who have a need to know?” Mocny asked in a recent speech to the International Conference on Biometrics and Ethics.
Recognizing the potential value of collaboration, the United States and other nations are already laying the groundwork for improved information sharing, Mocny says. Throughout the globe, nations are building border control systems similar to US-VISIT, which uses biometric fingerprints to screen and track foreign visitors as they enter and exit the country. Many officials involved in these different projects are now sharing lessons learned and taking steps to ensure technical interoperability of their systems if government leaders decide to move in that direction.
“Technically speaking, Bob [Mocny] and I have been working for many years on creating standards so we have the potential for information sharing between our systems if the legislators on both sides of the Atlantic decide that this is what is needed,” says Frank Paul, head of the Large-Scale IT Systems Unit for the European Commission’s Directorate General of Justice, Freedom and Security.
But Paul, Mocny and others recognize that these political issues represent huge obstacles. Many nations will not share information with nations that do not meet their standards for data protection and privacy. Still, the idea of robust information sharing remains a compelling vision.
“With biometrics and the foundation of international cooperation, we are already in a great position to build the global security envelope that will transform the way the world travels and the way we protect our nations from those who would do us harm. We have the tools to make it happen,” Mocny says.
The United States is not alone in using biometrics for border control, Mocny says. The United Kingdom is developing a biometric visa program, while Japan is building a biometric system similar to US-VISIT. New Zealand Customs is testing facial recognition software at one of its airports, and Australia’s immigration minister has announced that Sydney’s airport would test a biometric border-security system. The European Union’s Schengen Information System (SIS) also has embarked on a major upgrade that will incorporate biometrics into the new SIS II system.
As officials from these countries “saw that we were trying to do similar things, we realized that it might be a good idea to partner as we develop our systems, mindful that we might want to share more information with each other,” Mocny says. For example, a US-VISIT employee is working with the U.K.’s new system and the Schengen project to ensure, where possible, common standards for interoperability.
Officials are paying attention to several projects. US-VISIT is currently running an exit program with biometric checkout kiosks at 12 airport locations, while the European Union is examining the feasibility of building an exit system for its foreign visitors.
“Europe is watching very closely what the United States is doing to draw some insight for a possible European exit system should we decide to build one,” says Paul, who is directing efforts to build both SIS II and an upgraded Visa Information System (VIS) for Schengen countries.
European nations are also testing registered traveler systems that use biometrics to speed people through airport security lines. Amsterdam has a registered traveler system with 40,000 frequent fliers that uses iris-scan technology. But the system works only at that airport, thus limiting its effectiveness. To realize their full potential, frequent traveler systems at multiple airports need the capability to share data.
“Interoperability won’t happen overnight, but these are things we need to discuss so we can develop common standards and technologies so the systems can be interoperable,” Paul says.
The United States can also learn from the Europeans’ experience. From the beginning, US-VISIT officials made privacy a top priority, says Jim Williams, former director of US-VISIT and now commissioner of the General Services Administration’s Federal Acquisition Service. Knowing that many foreign travelers would be wary about sharing biometric and biographical information with the U.S. government, “we were very careful about how we stored the information and how it was used,” Williams adds. “We tried to be transparent about who we gave it to and for what purpose.”
Although US-VISIT officials didn’t borrow anything specific from SIS in this regard, they recognized that Schengen’s reputation for protecting privacy and data helped garner trust, he says. “We knew that Schengen paid a lot of attention to privacy. We saw Schengen as a success and something to be emulated.”
Schengen’s federated database also provides a useful model for information sharing among independent organizations, says Jim Ganthier, leader for worldwide defense, intelligence and public security solutions for Hewlett-Packard. HP is part of a consortium that is developing the SIS II and VIS systems.
Under the SIS federated model, participating nations provide their information to Schengen’s central database, which each nation can access. “This allows member states to share data while still keeping some level of control over their own data and its security,” Ganthier says. “This helps eliminate some of the cultural objections to information sharing that arise within organizations.”
Although careful planning can help smooth the way for exchanging data about terrorists and criminals, overcoming the political challenges may prove more difficult. Schengen nations, for example, will not share information with other nations that do not have comparable data and privacy protections. Each member state has an independent Data Protection Authority that promotes access to public information, protects personal information and acts as an advocate for individuals or organizations to keep their information accurate and private.
“Individuals have the right to be informed about information stored on them in SIS, within limits, and can appeal to the Data Protection Authority in their country to rectify information,” the European Commission’s Paul says.
Although the Homeland Security Department has a privacy officer, this official is not independent of DHS, and therefore does not currently satisfy Schengen requirements that US-VISIT have an independent data protection authority, Paul notes.
The United States and Schengen also have differing policies about how long to store information. US-VISIT’s Arrival and Departure System holds biographical information for 100 years, while DHS’ Automated Biometric Identification System holds information for 75 years. In contrast, Schengen countries are debating whether to hold information for just three to five years.
“The European Union’s data protection laws were designed around a different era and for different reasons,” Mocny says. “We know that some of the 9/11 hijackers were here for up to five years. So if you throw away that data, then you’ve lost valuable information.”
Mocny acknowledges that he doesn’t have all the answers about which standards to adopt or how best to establish information-sharing protocols. That’s why he wants to continue the international dialogue and alleviate all nations’ concerns about privacy. “We have to strike a delicate balance to make sure we share the right amount of information but don’t share too much.”