Feeds

House of Lords steps into US-EU data spat

UK ATS pilot still not catching terrorists

Combat fraud and increase customer satisfaction

The House of Lords has called for some fair play in the homeland front of the "war on terror" after examining the massive data gathering exercises the US is using to build risk profiles of people travelling through its borders.

In weighing the balance between public security and private rights, the House of Lords EU Committee considered evidence used by America to justify its collection of Passenger Name Records (PNR) data and their use in the Automated Targeting System, its dragnet border surveillance programme.

The US has doubled the evidence it presents to allied nations who ask questions about its data gathering: it now has eight case studies that describe how 11 baddies were plucked out of the 400 million people who travel yearly through US border ports.

Lord Wright of Richmond, chair of the EU sub-committee on Home Affairs, said even those eight were of limited use: "We've only been given one piece of evidence that the collection of PNR has avoided any terrorist outrage," he said. And even then that suspected terrorist wasn't caught: he was turned away at the US border - his partial fingerprints were later found on the steering wheel of a car bomb that killed 132 people in Iraq.

The other examples noted how the system had been used to nab three suspected drug smugglers, five suspected terrorists, a drug user, and a corrupt ticket agent. The suspected terrorists were turned away, so it cannot be known if the intelligence was correct.

The Lords report gives its own example of how intelligence can be wrong: the case of Mahar Arar, a 34-year-old Canadian ICT consultant who just happened to live in Syria until the age of 17. In 2002, Arar was arrested at JFK airport in New York on route to Montreal. He was "chained, shackled, flown to Syria...held in a tiny 'grave-like' cell for ten months...beaten, tortured and forced to make a false confession". A Canadian judge "categorically" cleared him of all terrorism allegations last year.

The report is aimed at the UK government, which is running its own ATS clone, and EU negotiators who are trying to limit US demands for more data in a PNR agreement they hope to agree before an interim arrangement runs out in July.

Home Office minister Joan Ryan told the committee that 23 people had been nabbed at British borders in 2007 by Project Semaphore, the UK's pilot criminal PNR profiling system. The report said Semaphore had "resulted in some 900 arrests for crimes including murder, rape, drug and tobacco smuggling and passport offences" since it was established in 2004.

However, it noted: "Any increased detection of crimes or immigration offences is welcome, but we have yet to hear that the collection of this data has led to successes in combating terrorism or serious cross-border crime."

In seeking to find a balance between "public security and private rights", said Lord Wright, the committee has found the median rests on the point of purpose - that is, the reasons why the US collects PNR and other data to create risk profiles of the people who pass through its borders. The original purpose given for these systems was to catch terrorists, but there has been some project creep.

"You will have seen [from the report] that there is quite a lot of inconsistency between the various statements about what this is for," said Lord Wright.

"As the agreements have developed over the years it's become clear that the US authorities want it to cover much more. The problem is it departs from its original purpose of collecting PNR.

"The [PNR] agreement should have a clear definition about what all this is for. We are calling for much greater clarity - whether we will get it, I don't know."

The point of equilibrium the Lords have found is flexible, however, Lord Wright said. Should the authorities decide they want to build data profiles of people to determine how likely they are to be involved in serious crime, then "that's fine", but the US and EU would have to agree on a definition of serious crime.

Existing and evolving data protection laws should put a spanner into the US plans as well. And, the Lords committee is the second in two days to recommend the European Commission and German Presidency of the EU, which are conducting the PNR negotiations with the US, listen to the European Data Protection Supervisor.

EU law prevents data being sent to countries like the US that don't have equivalent data protection. The US's contempt for the interim PNR agreement, for which the Lords committee said there was "no justification at all", might be taken as an indication of what happens when people's personal data is shared with countries with an old-fashioned sense of fundamental rights. ®

SANS - Survey on application security programs

More from The Register

next story
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.