The EU Wants to Build One of the World’s Largest Biometric Databases. What Could Possibly Go Wrong?

May 1, 2019, 6:30 AM UTC

China and India have built the world’s largest biometric databases, but the European Union is about to join the club.

The Common Identity Repository (CIR) will consolidate biometric data on almost all visitors and migrants to the bloc, as well as some EU citizens—connecting existing criminal, asylum, and migration databases and integrating new ones. It has the potential to affect hundreds of millions of people.

The plan for the database, first proposed in 2016 and approved by the EU Parliament on April 16, was sold as a way to better track and monitor terrorists, criminals, and unauthorized immigrants.

The system will target the fingerprints and identity data for visitors and immigrants initially, and represents the first step towards building a truly EU-wide citizen database. At the same time, though, critics argue its mere existence will increase the potential for hacks, leaks, and law enforcement abuse of the information.

In the EU, where privacy is enshrined in the union’s Charter of Fundamental Rights, watchdogs have called the creation of the CIR a “point of no return.”

What’s being consolidated?

The CIR will be a repository of the identity records, fingerprints and photographs of visiting or resident non-EU citizens and some EU citizens; it’ll be searchable by immigration, border, and law enforcement authorities across the continent, and is expected to cost at least €1.1 billion ($1.2 billion) through 2027.

Considering that Europe had 718 million international visitors in 2018, the CIR will likely contain information on hundreds of millions of non-Europeans once it’s fully in effect.

The new CIR system will wrap together three existing EU databases of asylum seekers, foreign visitors, criminals and missing people with three new databases of criminals and of visitors entering and exiting the EU. The flow of non-residents and non-visa holders in the bloc will be tracked by a system similar to the U.S.’s Electronic System for Travel Authorization. It will require visitors, including those from the U.S., to submit to a check prior to departure for Europe starting in 2021, although the specific details of how it will work are still being determined.

However, unlike in India and China, the EU system won’t automatically cover every run-of-the-mill EU citizen who has not been charged with a crime, and it’s not clear how many of the roughly half-billion Europeans would ultimately come under the system. By contrast, the Indian biometric system covers about 1.24 billion people, while the Chinese government operates a vast biometrics system that is particularly invasive in western China, where it closely tracks millions of minority Muslims.

Security vs. Privacy

Homeland security is the biggest argument for the EU database harmonization. The plan for the system emerged in 2016, when Europe was still in the midst of absorbing refugees from the Syrian civil war, and Brussels had just endured a terrorist attack that killed 34, months after the devastating Paris attack. Advocates for the database say that the responsible terror cell might have been found more quickly had law enforcement agencies been able to easily exchange information across borders. At the time, German interior minister Thomas de Maizière put it bluntly: “Privacy is nice, but in times of crisis like these, security comes first.”

India’s Aadhaar biometric database serves as a blueprint for the risks of such far-reaching initiatives.
Narinder Nanu—AFP/Getty Images

But building such a complex system aimed at homeland security raises urgent questions about data security.

“It demands constant vigilance because you’ve got all these databases, produced at different points of time,” says Maya Ganesh, a tech researcher at Leuphana University in Germany. “And in making it interoperable, there are constant threats of leaks and hacks and gaps.”

The European Parliament and the European Council have promised to address those concerns through “proper safeguards” to protect personal privacy and to regulate officers’ access to data. In 2016, they passed a law regarding law enforcement’s access to personal data, alongside the General Data Protection Regulation (GDPR).

But total security is a tall order. Germany is currently dealing with multiple instances of police officers allegedly leaking personal information to far-right groups. Meanwhile, a Swedish hacker went to prison for hacking into Denmark’s public records system in 2012 and dumping online the personal data of hundreds of thousands of citizens and migrants.

What could go wrong?

There’s little precedent for such a massive database, but India’s Aadhaar, the universal identification system launched nearly a decade ago, provides one roadmap for the risks. About 1.24 billion people now have Aadhaar numbers, according to the Unique Identification Authority of India, equivalent to about 95% of the country’s population. (Unlike in India, the EU system won’t include unique numbers, and is less comparable to a national identity number.)

The Indian system was promoted as a way to create financial opportunity by banking the unbanked and ease access to public services for poor Indians, while preventing fraud and money laundering. To get a 12-digit Aadhaar number—available to Indian citizens and residents—applicants had to provide all 10 fingerprints, a photo, and scans of both irises.

It’s an impressive accomplishment, but “the Indian database is ridiculously insecure,” Ganesh says.

Last year, a hacker figured out a way to generate unauthorized Aadhaar numbers without biometric information. Access to the entire database was being sold via WhatsApp message for less than $10. Researchers found anyone could become a database admin and add other admins. And there are ongoing reports of the utility company Indane and telecom Reliance Jio accidentally leaving their customer databases—including Aadhaar numbers—open to snoopers. Critics questioning the security of the Aadhaar system say they’ve experienced harassment and surveillance from the government.

What’s next?

The CIR’s backers see it as a way to ease the work of border guards and law enforcement. But because it targets people moving in and out of the EU’s borders, researchers argue it could also disproportionately target and track immigrants and refugees coming to the bloc, subjecting them to discrimination or harassment.

Leaks and hacks, meanwhile, are an inherent risk of any database, warns Ganesh. How would she recommend Europe proceed if it wants to ensure the security of all this personal data?

“Don’t do big databases,” she said. In other words, the bigger the database, the bigger the risk.