UK Home Office accused of data theft

Written By: Andrew Rosthorn
Published: May 31, 2018 Last modified: May 31, 2018

A document leaked in Brussels accuses Britain of stealing security information from the EU’s Schengen Information System.

The Home Office is said to be allowing privatised contractors to circulate dangerously outdated personal information on thousands of international travellers.

The document warns that inaccurate and outdated details of British and EU citizens could end up in the hands of American border guards.

The vast SIS II computer system, operated by 26 countries that signed the Schengen agreement, but not by the UK or Ireland, tracks undocumented migrants, missing people, stolen property and international criminals. According to SIS their highly sensitive information

enables competent authorities, such as police and border guards, to enter and consult alerts on certain categories of wanted or missing persons and objects. An SIS alert not only contains information about a particular person or object but also clear instructions on what to do when the person or object has been found.

In 1985 John Major’s Tory government refused to sign the Schengen Agreement that abolished passport checks between Belgium, France, West Germany, Luxembourg and the Netherlands. But the UK Home Office and British police forces were allowed restricted access to some SIS data in 2015.

Reporter Nikolai Nielsen writing in EU Observer this week states:

British mismanagement and manipulation of the Schengen system also meant that ‘persons sought for arrest for instance even for terrorism related activities by Schengen Associated Countries cannot be detected upon entry to the UK.’

The British authorities copied the data and handed it over to border police despite the fact that some of the information contained was not only incorrect but entirely out of date.

That meant that innocent people visiting or living in the UK run the risk of being flagged for violations they never committed from data that was unlawfully copied.

The document was drafted by Schengen security experts after conducting spot checks in UK government offices, police stations and airports at London Heathrow, Warrington, Southampton and in Kent during November 2017. The spot checks included unannounced visits to police stations.

The UK violations of the 2015 limited access agreement with the 26 Schengen states are said to ‘constitute serious and immediate risks to the integrity and security of SIS data as well as for the data subjects.’

The British are also accused of ignoring security alerts from the other member states so that ‘vehicles stolen on the territory of another member state and located in the UK are not seized.’

Some major deficiencies in the legal, operational, and technical implementation of SIS identified during the evaluation of 2015 were not effectively remedied and still persist.

The UK has made numerous full and partial copies of SIS, increasing the risk of data breach and of having it unlawfully shared with other authorities around the world.

The dodgy copies are now in the hands of privately-owned government contractors like IBM, based in New York, CGI, a US-Canadian company employing 75,000 people world-wide, and ATOS, a French-based company whose largest division is based in the USA.

CGI now manages a copy of the SIS data that included photographs, fingerprints and European Arrest Warrants. IBM manages a copy used by the UK’s national border targeting centre as a service for the UK Home Office and stored at a data centre owned by ATOS.

All these IT companies with US divisions can potentially be compelled by the US Patriot Act to hand over any information they hold in Europe, even if inaccurate, out of date or based on misguided suspicion. The SIS document states:

Entrusting the management of the SIS technical copies to private contractors poses increased risks in terms of physical and logical data security, especially since the private contractors in the UK are not only hosting the systems but also implement changes to the system.

The leaked report says one of the Home Office systems, operated by the Japanese firm Fujitsu and used by UK Border Force at six UK airports, ‘constitutes an unlawful copying of SIS data.’

Airport border force personnel use Fujitsus’s Warning Index to compare incoming passports with a list of known criminals and terrorists.

The home secretary who negotiated British access to the Schengen Information System in 2015 was Theresa May, now the British prime-minister charged with negotiating the exit of the UK from the EU.

At the 2018 Munich security conference Mrs May said

through the Schengen Information System II, the UK is contributing to the sharing of real-time data on wanted criminals, missing persons and suspected terrorists. About a fifth of all alerts are circulated by the UK, with over 13,000 hits on people and objects of interest to law enforcement across Europe in the last year alone.

The UK has also driven a pan-EU approach to processing passenger data, enabling the identification and tracking of criminals, victims of trafficking and those individuals vulnerable to radicalisation.

In all these areas, people across Europe are safer because of this co-operation and the unique arrangements we have developed between the UK and EU institutions in recent years.

So it is in all our interests to find ways to protect the capabilities which underpin this co-operation when the UK becomes a European country outside the EU but in a new partnership with it.