One of life’s sweet pleasures is to travel. Thanks to the increasing number of low-cost flights, traveling abroad is no longer a luxury reserved for the privileged few. At the same time, however, there is an alarming increase in the demand for personal data from tourists and no clear transatlantic legal framework on personal data exchange. Though third parties such as airlines and airport operators have the right to read this data, we don’t know what happens with it afterwards.
Under legislation introduced after the September 11th attacks, the United States has tightened security measures for foreign tourists entering the country. The latest measure requires that by 2012, every traveler entering the United States who is part of the visa-waiver program must have a biometric passport or be forced to apply for a visa.
The biometric passport – which contains an embedded chip with personal data, facial images and fingerprints – is on its way to becoming a global travel prerequisite. Current passports will remain valid for travel to most countries until then. Germany, France and the Netherlands have already started issuing the new documents. EU parliamentarians approved the US’ demand and passed a ruling at the end of 2005 saying that its goal is to combat illegal immigration, terrorism and organized crime. But the excuse that the new passports will help prevent international terrorism is questionable since security agents will need to know whose face or fingerprints they are looking for in the first place.
Initially, Washington gave a 2006 deadline for the 27 countries in the EU and other visa-waiver countries such as Norway, Iceland and Switzerland, but then pushed the date back to June of this year to give these countries more time to prepare the technology needed to issue the biometric passports. The US State Department started introducing e-passports in 2006 and every passport holder in the US is projected to have one by 2017.
In the meantime, there is little enthusiasm for these new requirements. Data watchdogs and human rights activists argue that this regulation treats everyone as a potential criminal, thus violating the protection of citizens’ personal data and imposing a state of constant surveillance.
Peter Hustinx, the European Data Protection Supervisor, said in a press conference on the implementation of biometric passports in 2007 that security measures aimed at preventing terrorism are often stepped up at the expense of privacy. Hustinx is in charge of giving governments and EU bodies advice on data security standards and acts independently of EU institutions. He warned that the EU was “rushing in a new era” of using biometric identifiers for security checks while standards for data protection were still not clear.
“It is very important that the biometric data is only saved in the passport and not in external databanks. Until now there are no international regulations which guarantee this,” said Peter Schaar, German Federal Commissioner for Data Protection, at a conference on data protection held in March of this year in Berlin.
In 2005 when this ruling was issued, no intense political debate occurred in Germany but there were some voices of dissent. The left-wing daily newspaper Die Tageszeitung published a column saying that since 9/11 domestic security had gained more importance than the protection of fundamental citizen rights. In addition, security experts have warned of the danger and ease with which hackers and state agencies could abuse the data registers and the sensitive personal information they track.
In fact, the e-pass, which is supposed to protect states against terrorist attacks, is not so safe after all. In 2006 at the Black Hat security conference held in Las Vegas, Lukas Grunwald, a German computer security consultant, proved that the data in the chips is easy to copy. He demonstrated that a terrorist could carry a passport with his/her real name and photo printed on the pages, but with a chip that contains different information cloned from someone else’s passport. However, this could be easily avoided if the security official examines the passport to make sure the name and the picture printed on it match the data read from the chip.
Further troubling to activists and watchdogs, the European Union is about to enter talks with the US on giving it access to banking data. The plan could go beyond an existing deal with the EU that allows trans-Atlantic airlines to transfer credit card, email address, passport, travel itinerary and other data belonging to European passengers to US officials. The US has already been examining transactions handled by the Society for Worldwide Interbank Financial Transactions (SWIFT) since 9/11. SWIFT, which is headquartered in Belgium, is planning to move its servers and database from the US to Europe. With data privacy laws far stricter in Europe, the US would then need permission from the EU before it could gain access to this sensitive information.
The protection of a citizen’s privacy and personal data is vital for any democratic society, and should be respected as much as freedom of expression or movement. Some officials in the US and the EU would do well to re-read Article 8 of the European Union’s Charter of Fundamental Rights which states the following:
“Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. […] Compliance with these rules shall be subject to control by an independent authority.”
In the paranoid quest for more security, freedom and privacy are often sacrificed. We are all being watched by “Big Brother,” but who is watching “Big Brother” for us?