The 28 countries of the European Union each have their own biometrics databases of citizen IDs, residents, immigration, etc. The Common Identity Repository (CIR) project wants to centralize all that, with one enormous JOIN command.
I know what you’re thinking: “What a great idea! When CIR is up and running, law enforcement will be able to do a much better job of keeping EU citizens safe from all those bad people. I mean, I’m not a bad person, so CIR is a great thing, right?”
But what of the unintended consequences? And what about false positives? And how do we know the data won’t be misused—or hacked? In this week’s Security Blogwatch, we go off grid.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: More Data.
Brexit starts to sound sane?
What’s the craic? Catalin Cimpanu reports—EU votes to create gigantic biometrics database:
The European Parliament voted last week to interconnect a series of border-control, migration, and law enforcement systems into a gigantic, biometrics-tracking, searchable database of … over 350 million … EU and non-EU citizens. … CIR will aggregate both identity records (names, dates of birth, passport numbers, and other identification details) and biometrics (fingerprints and facial scans), and make its data available to all border and law enforcement authorities.
…
Ever since plans to create this shared biometrics database were made public last year, privacy advocates have criticized the EU, calling CIR's creation the "point of no return" in creating "a Big Brother centralised EU state database." [It] will become one of the biggest people-tracking databases in the world, right behind the systems used by the Chinese government and India's Aadhaar system.
You wanna do whatnow? Catie Keck mouses around—Say Cheese!:
[The] enormous information database … will include biometric data and facial images—an issue that has raised significant alarm among privacy advocates. … The idea is that it will also make obtaining information a faster and more effective process, which is either great or nightmarish depending on your trust in government data collection and storage.
…
The CIR was approved through two separate votes. … If this sounds like the handiwork of some serious lobbying, you might be correct. … A European Commission official [said] they didn’t “think anyone understands what they’re voting for.”
So that’s reassuring.
Still, democracy is the least-worst system we have, amirite? Cory Doctorow sounds unconvinced:
The vote passed just weeks before an EU election that is expected to deliver new powers to authoritarian, xenophobic ultra-nationalist parties, who have also been surging at the national level, and whose officials will be able to use the database to track and target migrants, people accused of crimes, etc.
How much will all this cost? Billions. Caitlin L. Chandler and Chris Jones sound slightly sarcastic, with The European Union is about to become a lot safer:
[It] comes with a hefty price tag: Brussels has set aside [$475 million] between 2019 and 2027 for interoperability, with countries expected to pay some of their own costs. Germany estimates it will need to spend up to [$105 million]. The creation of the new border crossing and travel authorization systems … will cost the EU another [$775 million].
…
Some security experts question [the] logic. Giovanni Buttarelli, the European data protection supervisor, has warned of a potential “panopticon in which all our behavior is considered useful for investigative purposes and must be made accessible because fighting crime is given priority.”
…
The EU's Fundamental Rights Agency has warned that these new powers introduce "a severe risk of discriminatory profiling" against minority groups. … Dutch MEP Sophie in 't Veld of the Democrats 66 party [said] “This interoperability proposal is premature and has lots of in-built weaknesses. … If you build in more power for authorities, you need more safeguards for citizens as well. That is not happening here.”
…
The EU’s privacy laws — including … GDPR — state that personal data must be “collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” And yet, data collected in the CIR database will be used for “purposes distinct from those of the original collection,” according to … an advisory group made up of representatives from the national data protection authorities of individual EU countries.
Fair point? XXongo agrees:
Yow. On the one hand, EU enforces tyrannical privacy laws. On the other hand, they set up a massive violation of privacy.
Pick one, EU.
But Someone1234 engages in some light whataboutism:
If you're a US Citizen you also need to submit in order to get re-admitted into your country of birth, or just to gain a US Passport.
…
I'm not defending the EU, but the US is already doing exactly this.
OTOH, coastwalker doesn’t really care:
Given the fact that people are free to cross borders unmonitored within [Schengen] then it is hardly surprising that countries have harmonized their databases. Don't you want the local hospital to be able to identify you? The local police to know who they just arrested for fighting at the soccer game?
After all, Facebook doesn't just know your identity anywhere on the planet, it knows how much money you have and what kink you [prefer]. So what "privacy" issue are you worried about exactly?
The one where the State hemmed in by laws and open access legislation can find out who you are to provide services? Or a shadowy private company who want to use big data to turn you into a profit center subject to no laws or monitoring?
…
"They" really do have you under their thumb, only it is not actually "a government" who will be running the rest of your life is it. Is it?
And Quentin Hardy—@qhardy—senses the wider debate about sensors: [You’re fired—Ed.]
Surveillance Capitalism, meet Surveillance Democratic Socialism. China = Surveillance Authoritarianism. Many do Personal Surveillance, via insurers and Fitbits.
Point is, there are exponentially more sensors in the world. All organized systems will use them. Question is, How.
So? So Drew Crosby draws this conclusion:
This definitely won’t get hacked or leak out tens of millions of people’s personal information. And it surely won’t be used for nefarious purposes ever. No way.
Meanwhile, Ron Miller had exactly the same thought as your humble blogwatcher:
“The EU has voted to interconnect border control, migration, and law enforcement systems into a searchable biometrics database of 350M+ EU and non-EU citizens”
…
What could possibly go wrong?
The moral of the story?
When collecting and storing private data, be clear why. And guard against mission creep, lest you lose your users’ trust.
And finally
Hat tip: Mark Hosler and Cory Doctorow: “When did online life become a non-stop Turing test? And when did humans become the ones who are failing it?”
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Diversity in Faces (cc:by-sa)
Keep learning
Understand the newest privacy laws with this Webcast: California’s own GDPR? It’s not alone.
Take a deep dive into the new privacy laws with TechBeacon's Guide to GDPR and CCPA.
Get up to speed on cloud security and privacy and selecting the right encryption and key management with TechBeacon's Guide.