Public Affairs Networking
Why Data is King of the EU and US Borders

In conducting border checks, agencies need to balance public security against convenience and cost writes Sue Cameron. They either have to check huge numbers of travellers or cargo, resulting in long delays – or risk letting in travellers or cargo that are illegitimate or pose a threat. According to the International Air Transport Association (IATA), in 2014 borders and customs agencies will have to deal with 3.3 billion passengers and 50 million metric tonnes of cargo across almost 50,000 routes. Modern airport security check-points can process on average 149 passengers per hour per lane in immigration queues, less than half of the 350 passengers who could be processed pre 9/11.

Coupled with this, agencies operating in integrated regions like the EU face the need to deliver open borders whilst dealing with the increased risks this can bring. Under the Schengen Agreement, member states agree to the four freedoms of movement (people, goods, services and capital), putting pressure on nations with external borders to provide adequate border protection.

Data Holds the Key

So what kind of methods can agencies employ to address the above challenges? Traditional blanket approaches to border security typically result in long delays at border crossing points. Equally, they often fail to make the most effective possible use of data to hone in on the travellers or cargoes that pose a threat. So what’s the alternative? How can agencies make better use of the data they have at their disposal to protect borders and keep the public secure?

While pervasive data privacy regulations still threaten to restrict the volume and type of data agencies can access, risk scoring can enhance border checks and improve public security. Typically, the approach leverages a vast number of data sources including advanced passenger information (API) data, passenger number record (PNR) details and watch list information including black lists of criminals and terrorist suspects.

An Intractable Challenge?

All of these different pots of data are often in different formats and located in silos. Agencies need advanced data management capabilities to connect and merge disparate data sets, even if they contain unstructured data, and make them usable.

Such issues can generally be overcome with the right technology. Legal challenges are more intractable. In many countries, there are stringent rules around data privacy and data retention times. In some European countries, for example, you can only hold API data for one day.

With regard to PNR data, the situation is comparatively optimistic. There have been detailed discussions in the European Union about the possibility of mandating carriers to send relevant data for international flights to the border agencies – an approach that is already in place in US, Canada and Australia. Yet, at the time of writing, no directive has yet been approved in the EU.

An additional issue is that, merging different data sets together can sometimes result in an individual being identified and that is not permitted under data privacy laws. Anonymising data can be the answer here. The approach satisfies privacy laws (as individuals cannot be identified) while at the same time continuing to provide valuable intelligence both for analytics purposes and for establishing the patterns of normal and risky behaviour.

Risk Scoring

Once the right data has been collected and formatted, risk scoring comes into play. There are three key areas. Watch list management and matching, business rules-based profiling and analytics-based profiling.

Watch list management and matching refers to the approach taken to manage and match lists of known or suspected terrorists and other criminals held by the intelligence agencies or other governmental authorities. It involves administering not just the lists themselves but also the updates to them, while handling any conflicts over priority actions when a person of interest appears on more than one list.

Data quality has a key role to play here also, in tackling the threat posed by criminals trying to hide their true identities through slight misspellings of their names or alternative representations of other details. Often, a great deal of intelligence work has gone into finding the aliases and false names used by criminals – so it would be a serious error to then miss information critical to an investigation just because a name has been incorrectly spelt.

Business rules-based profiling consists of testing passengers against a range of known rules. Somebody buying a ticket on the same day of travel for a long-haul flight and paying in cash will receive a higher risk score in this category than somebody who bought a ticket two weeks earlier and paid by card.

Analytics-based profiling allows agencies to ‘move up a level’ and target ‘unknown unknowns’. This requires historical data, which is easier to obtain in some countries than others. Agencies can then
investigate such data and start building patterns of normal behaviour. This is typically achieved by creating clusters of travellers with similar characteristics, for example family travellers; business travellers etc., to identify normal behavioural patterns for comparable people within a particular cluster.

The behaviour of each passenger crossing the border can be checked against the behaviour of those clusters and if it matches, that individual can be given a lower risk score for this category.

The main benefit of analytics-based profiling is that it enables agencies to identify ‘unknown unknowns’.

Business rule-profiling works effectively in identifying known threats. The authorities are asking specific questions, which they know to ask.

The issue is that criminals and terrorists are becoming adept at identifying the key rules and adapting their behaviour accordingly. Agencies therefore need to adapt their approach, ask new questions and spot patterns that they didn’t know existed – and to do this they need analytical profiling.

While it can never be a replacement for the knowledge and understanding of experienced border guards, analytics-based profiling should be used as part of a coordinated approach to border management, complementing the expertise of these key agency staff and helping them make better, more informed decisions. Ideally, this should encompass data management, watch list matching, rules-based profiling and analytics profiling all within the one solution.

Individual risk scores can then be generated by the last three named approaches and combined to create an overall risk score and an alert will be generated if the score exceeds a certain threshold.

Benefits of Risk Scoring

The ability to score passengers crossing the border based on a combination of all three of these methods is a major differentiator for border agencies, enabling them to achieve a more informed and accurate perception of risk than if they were just employing one or two approaches in isolation.

It is also important to identify low-risk behaviour so passengers can be fast-tracked through the green lane and queues minimised. Improving traffic queues, especially during peak times is a key political driver to change the approach to border management.

Preserving public security should be the priority of any border management agency. Risk scoring helps achieve this while at the same time helping control costs, reduce queues and streamline the border crossings.

While acts of terrorism are rare, plots still need to be found and intercepted to prevent potential threats. It is therefore important to be able to identify these people. When you are looking for small pockets of terrorists, however, you are typically looking in a ‘massive haystack’. One of the best ways of doing this is to reduce the haystack in the first place – and risk profiling can help here by also identifying low risk individuals to pass through the green lane and giving agencies a smaller group of passengers to concentrate on.

There are clearly a raft of benefits to the approach. Yet while some border agencies have implemented risk-based scoring, many are behind the curve when it comes to adopting this kind of profiling.

Where agencies are using technology, it is often rules-based rather than analytics-based. So, why is this, given that risk-based systems are increasingly available and offer such a wide range of benefits?

One issue agencies face, relates to the stringent data privacy rules in place in many countries, especially across Europe. The effectiveness of analytics-based profiling is dependent on its ability to access a rich source of high-quality historical data, and, critically, to hold it for a prolonged period of time.

Under the current rules, agencies often do have access to multiple kinds of data but the prevailing legislation can make it difficult for them to hold onto this data for long enough to run effective analysis on it. With judicious use of anonymisation, agencies may be able to hold on to more historic data which can then be used to generate risk-based profiles.

Data privacy is a critically important principle and the prevailing legislation in this area must and should be respected and adhered to at all times. However, it is hoped that the relevant laws may be modified in the future to allow a greater range of data to be accessed by agencies and for that data to be retained for longer periods. Being able to ensure public safety needs to be a top priority of any border agency and risk-based profiling offers great potential as a means of enhancing security.

Ultimately though any approach to profiling depends on the quality of data collected and reviewed. The way this data is managed and analysed will be critical in determining the quality of the final results achieved.

The technology to optimise this process is available today and is now increasingly being applied to border management challenges around the world. To ensure the technology is being applied as effectively as possible, a balance needs to be struck between the need to preserve data privacy and the need to make the most of the security systems available at the border to tackle criminal and terrorist threats. It is an argument that is already happening across the EU and that we expect to see continuing for the foreseeable future.

Pointing the Way Forward

We are now starting to see more programmes around the world where people give their permission to use their data and in return are granted faster passage through the airport. It is an approach that is particularly popular in the United States. The U.S. Customs and Border Protection’s Trusted Traveler Programs scheme, for example, provides expedited travel for pre-approved low risk travellers through dedicated lanes and kiosks.

The technology is increasingly in place to support effective border management practices and procedures. While even more could be achieved in the future if data privacy rules were relaxed, risk scoring today already offers an increasingly practicable alternative to traditional security approaches.Ultimately, security is the most important issue here and to achieve an appropriate balance between cost, passenger convenience and security, that prioritises the latter, an approach based on risk scoring is the only viable option.

Sue Cameron is a SAS Public Security expert

Comments
No comments yet
Submit a comment

Policy and networking for the digital age
Policy Review TV Neil Stewart Associates
© Policy Review | Policy and networking for the digital age 2024 | Log-in | Proudly powered by WordPress
Policy Review EU is part of the NSA & Policy Review Publishing Network