Suppose a terrorist, a Dutch national, arrives at Amsterdam’s Schiphol Airport and buys a one-way ticket on the daily KLM flight to New York. Like the September 11 2001 hijackers, he travels under his real name. US authorities have uncovered his identity and placed him on the terrorist watch list. The question is: will he be caught and, if so, when?
Currently, even if the US authorities had provided this terrorist’s name to Dutch or European authorities, there is no watch-listing system in either jurisdiction that would have identified him as he purchased his international ticket or transited through Dutch immigration control. Moreover, be-cause he is a Dutch national he would not have been required to apply for a visa to enter the US. So he would pass out of Europe undetected.
In all likelihood, however, he would be identified once his flight had left European soil. Under a May 2004 agreement between the US and the European Commission, European airlines were allowed to transmit their passenger manifests to US authorities 15 minutes after take-off. Two days ago, the European Court of Justice annulled this agreement.
The ECJ based its decision on technical legal grounds. It said that the Commission officials with whom the US had been negotiating lacked the legal authority to conclude the agreement. This is a significant, though perhaps temporary, setback for the European Union officials who have been trying to impose some coherence and rigour on Europe’s various post-9/11 counter-terrorism and law-enforcement activities. It is also, in Washington, an unpleasant reminder of Henry Kissinger’s famous line from three decades ago: “You say Europe, but can you tell me which number I should call?”
But the court avoided the real issue raised by the accord – the proper balance between the individual’s right to privacy and the collective’s interest in security in the era of infiltrative, transnational terrorist threats and unbounded computer power.
Huge private-sector databases, such as the airlines’ passenger records, can be extremely useful to a government’s effort to locate and eliminate terrorist threats. National governments have a responsibility to protect their people and therefore must take seriously new counterterrorism techniques presented by the advance of technology.
Yet a government’s access to these private-sector databases raises troubling issues of personal privacy. Privacy advocates, pundits and politicians have raised alarm about a wide variety of such activities initiated in the aftermath of 9/11 – and not without reason. Potentially valuable counterterrorist initiatives such as the US-EU passenger data accord are at risk of foundering for loss of public trust and political support. In the US, the long-standing plan of the Transportation Security Ad-ministration to check the passenger manifests of domestic flights against the terrorist watch list is essentially dead in the water for this reason.
Both the US and Europe need to update their laws governing official access to private-sector databases for security purposes. The European privacy directive dates from 1995 and the US Privacy Act from 1974, so the legal framework on both sides of the Atlantic lags at least a decade behind the technological art of the possible.
But, more important than legal reform, government security services need to update their practices to incorporate that art of the possible. It is no longer necessary for government agencies to acquire and retain an entire private-sector database in order to accomplish a legitimate public purpose. It is now possible for a government to check a watch list anonymously – that is, to check one list of names in a private-sector database against another list of names in a government database in a manner that reveals to the government only those names that match. This is but one of several important new privacy-enhancing technologies that could, if adopted by governments, improve security as well as liberty.
US and European officials are trying to figure out what to do now that the ECJ has scuttled their passenger-data agreement. The first thing they should do is study the ways in which new technologies and procedures can be used to achieve their basic security aims while minimising the impact on personal privacy. In so doing, they may earn back some of the public trust they have lost and become more effective in the long run.