EU PNR: Unproven, ineffective strategies are not security

By EDRi · July 14, 2015

“When people are scared, they need something done that will make them feel safe, even if it doesn’t truly make them safer. Politicians naturally want to do something in response to crisis, even if that something doesn’t make any sense.”

Bruce Schneier, Security expert

The proposal for an EU PNR Directive (Fight against terrorism and serious crime: use of passenger name record (PNR) data 2011/0023(COD)) will be put to a vote on Wednesday 15 July in the Civil Liberties Committee (LIBE) of the European Parliament. Timothy Kirkhope, the Rapporteur (the Member of the Parliament in charge of the proposal), has pushed in recent weeks to have this proposal voted on as soon as possible, despite the opposition from civil society groups, from experts including the European Data Protection Supervisor (EDPS) and the Fundamental Rights Agency, and the scepticism shown by many Parliamentarians and political groups in Brussels.

As we presented in our infographic, the (il)logical steps behind the EU PNR proposal are the same ones that are increasingly used in the “fight against terrorism”. After tragic terrorist attacks happen, politicians feel obliged to do “something” to show that “something” is being done – even if that something is useless, even if it generates new risks, even if it is counterproductive.

PNR is a profiling measure. It is intended to guess, using algorithms, who is likely to pose a terrorist threat according to the patterns created by mixing different types of passenger data (nationality, flight routes, payment method used…) obtained by the airlines when a person books a flight. As Emeritus Professor of International Law Douwe Korff has noted in his recent Report on PNR presented at the Council of Europe, profiling “poses a serious threat of a Kafkaesque world in which powerful agencies (like the DHS and the NSA – or in the near future European agencies?) take decisions that significantly affect individuals, without those decision-makers being able or willing to explain the underlying reasoning for those decisions, and in which those subjects are denied any effective individual or collective remedies. That is how serious the issue of profiling is: it poses a fundamental threat to the most basic principles of the Rule of Law and the relationship between the powerful and the people in a democratic society.” These issues were highlighted by the New York Times on 9 July in an article entitled “When algorithms discriminate”.

Creating lists of people with alleged similar characteristics seems in theory useful for law enforcement purposes, but in fact it usually produces mismatches which end up with serious consequences for those who are wrongly profiled. Korff provided examples of this, such as the case of Maher Arar: “The case of Mr Arar was in fact one of the most scandalous instances of an innocent person being classified as a terrorist on a US watchlist. Amnesty International summarises the case as follows: Maher Arar, a Canadian citizen, was travelling home to Canada from visiting relatives in Tunisia in 2002. While changing planes at New York City’s JFK airport, he was detained by U.S. authorities and then transferred secretly to Syria, where he was held for a year and tortured.” Other serious cases (although not as extreme as that of Mr Arar) have been raised in other parts of the world.

The EU PNR proposal adds nothing more than the insecurity of another set of unnecessary databases, the risk of an unaccountable algorithm exposing innocent people to suspicion, delays, denied boarding or arrest, and indiscriminate mass surveillance. If the European Parliament goes down the same road as it did with the Data Retention Directive, it is likely to find the same result – a failed, ineffective placebo for security fears. The European Parliament should be a strong institution that produces durable, evidence-based, coherent policies for the benefit of EU citizens, and not a reactionary body that over-reacts, adopting rules based on false assumptions.

Additional reading:

Bruce Schneier: Is aviation security mostly for show? – (29.12.2009)

Douwe Korff and Marie Georges: Passenger Name Records, data mining & data protection: the need for strong safeguards (15.06.2015)

Statewatch: Protests in the EU: “Troublemakers” and “travelling violent offenders [undefined]” to be recorded on database and targeted (16.04.2010)

Statewatch: Schengen Information System Article 99 report: 33,541 people registered in SIS for surveillance and checks

Council of the European Union, 8570/10: Draft Council Conclusions on the use of a standardised, multidimensional semi-structured instrument for collecting data and information on the processes of radicalisation in the EU (16.04.2010)