«

»

European hotels edge toward universal reporting of guests to police

Screen shot 2011-03-14 at 11.32.20 AMBy Simon Davies

The next time you check into a hotel in any European country – or indeed in many countries outside the EU – chances are you’ll be required to fill out a guest registration form. At the very least this form will demand information such as passport number, nationality, home address, telephone number, gender and date of birth.

Most travellers are blissfully unaware that this information is an internationally available police and security resource required by law. Guests are rarely informed of the fact, despite the ubiquity of data protection laws in those countries.

Indeed in Europe, registration data is increasingly being made available in near real time to security and police authorities.

Indeed in Europe, registration data is increasingly being made available in near real time to security and police authorities. In 2009 the Netherlands commenced a pilot project to enable hotels to directly transmit guest information direct to authorities, while hotels in Italy and Spain are required by law to report their guests directly to police within 24 hours.

When you fill out your guest registration form your information may be searched by national policing authorities who could then match interesting files with data in national and global policing systems. In Belgium, for example, Article 44/1 of the Law on police duties contains an exhaustive list of all the authorities to whom police may disclose personal data, e.g. foreign police services, Belgian intelligence services, Interpol, or EUROPOL.

Security law generally facilitates such widespread sharing with minimal oversight. In the Netherlands, for example, as soon as police come into the possession of hotel registration information they become answerable to the Ministry of Justice, not the Data Protection Authority. The Intelligence and Security Services Act 2002 authorises the intelligence and security services to then request the data, and police are permitted to share guest information with law enforcement in other EU Member States.

A tide of new security legislation, international “mutual assistance” treaties and the gutting of limitations on extradition enables comprehensive sharing of information between agencies, imposing ever greater requirements on commercial organisations to gather and transmit raw data. Only in Germany does there appear to be a slight reversal of this trend, mainly due to constitutional protections and aggressive data protection authorities. A new German federal law on registration has been adopted and will enter in to force in 2015.  However, contrary to initial plans by the federal government, it no longer provides for a central register and there will be no routine matching of information across agencies.

A tide of new security legislation, international “mutual assistance” treaties and the gutting of limitations on extradition enables comprehensive sharing of information between agencies, imposing ever greater requirements on commercial organisations to gather and transmit raw data.

Generally though, the hotel registration system creates an EU-wide police reporting regime on a vast scale. There was no outcry over this imposition – no public scandal over mass surveillance. It just silently happened as part of the Schengen Information System designed to eliminate internal EU border checks (specifically, Article 45 of the Schengen Implementing Convention). Sensitive personal data on hundreds of millions of innocent people is being systematically collected to become low-hanging fruit for the authorities. These requirements affect all travelers to and within Europe, regardless of nationality.

Hotel surveillance is just one of dozens of opaque law enforcement systems being established worldwide. A large proportion of the budgets for EU framework research projects are directed at more efficient security systems, many of which would qualify as mass surveillance initiatives. The European Information Exchange Programme (EIXM), for example, aims to build a surveillance canopy across Europe that will ensure unprecedented sharing of data for police and security purposes. There’s a hierarchy of such systems which build from a broad base of police operational systems, through to criminal intelligence systems, all feeding up to security agencies.

While much has been written about the global surveillance web engineered by the US and UK spy agencies the intersection with law enforcement agencies remains under the radar. Just how Europe’s new information sharing schemes will connect with the NSA network is entirely unclear.

The availability of more data on more people is a two-edged sword for authorities. On the one hand it creates new opportunities for cooperation and enforcement. On the other, it creates new threats in the form of information overload and pressure on finite resources.

The limited data published by international policing agencies highlights this tension and may provide a key to understanding why nations are so committed to global communications spying. Most relevant, perhaps, are the stats supplied by INTERPOL, the International Criminal Police Organisation.

INTERPOL is the only International Government Organisation that rivals the United Nations in terms of active national membership. It also happens to be the least-understood of all global policing bodies.

The organisation, which turned 90 this year, is the key international body responsible for police administrative cooperation. It has a membership of 190 states (compared with 193 in the UN). INTERPOL’s exuberant growth reflects the globalisation of policing.

The operational relationship between security agencies and operations such as INTERPOL are shrouded. What is known is the breathtaking growth of their data systems. INTERPOL operates a notification system which establishes the equivalent of an international arrest warrant. The notice system is powered by a series of data systems to which police and security agencies in all 190 countries have access.

While much has been written about the global surveillance web engineered by the US and UK spy agencies the intersection with law enforcement agencies remains under the radar.

The globalisation of police systems is evidenced (pdf doc) by accesses to INTERPOL’s “wanted persons” criminal information system (known as NOMINAL). In 2012 the system was interrogated 232 million times – a 230-fold increase from 2007. “Red notices” and “diffusion” notices requesting police cooperation and arrest more than doubled in that period.

However the INTERPOL system appears to be severely stretched, which may in part explain such widespread support for NSA-style cooperation.

In 2011 the agency published 26,500 notices and diffusions for wanted people, resulting in a total of nearly 90,000 active notices and diffusions in circulation. However that same year only 7,958 people were arrested as a consequence of being on the system – less than one target in eleven.

The indication of overload can be seen in the following year’s statistics. Interpol published 32,750 notices and diffusions in 2012 – a twenty-five percent increase on the previous year. The number of active notices in circulation thus rose from 90,000 to 113,000 in the space of a year. There is an increasing lag between new notices and arrests. If the trend continues INTERPOL’s effectiveness will decrease, requiring significant new information resources just to keep up with increased demand. Enter the NSA alliance.

The extent to which INTERPOL seeks the direct support of its national security colleagues to counter this lag is unknown, though the NSA has made occasional reference to the “critical” importance of INTERPOL collaboration.

In these circumstances it would perhaps be prudent to shift some of our focus of attention to law enforcement organisations that feed data to the NSA network, instead of merely trying to crack how the NSA uses this data. The most important elements of the global surveillance system may yet be unexpectedly close to home.