Quis custodiet ipsos custodes: the new PNR Directive and the risks of mass surveillance

(By Andrea Puligheddu)

The traffic data for Italian airports provided by Assaeroporti for the first quarter of 2016 are extremely interesting. In just three months, the total number of passengers passing through was about 31.8 million (6.6% more than in the same period of 2015), and the total number of movements (aircraft arriving and departing) stood at around 306,400. These figures give pause, and they are in line with those elsewhere in Europe, in proportion to size and relevance: at least 18 million passengers pass through London Heathrow each quarter, against roughly 15 million at Paris Roissy and 14.5 million at Frankfurt.

Dizzying figures, which suggest that a complex infrastructure system sits behind airport security every day, managing both technical risks and those connected to the human factor. The primary tool with which these infrastructures carry out preventive risk management and emergency response is data collection. There are thousands of sensors, video surveillance systems and checkpoints at which passengers' personal data must be handed over and accessed, as well as seemingly harmless channels (such as shared Wi-Fi hotspots or dedicated telematic alerts) that can potentially become real tools for the systematic interception of information exchanged by connected users.

It is therefore fair to say that a passenger, however harmless, is constantly monitored at each stage of the journey, from booking the ticket until arrival in the destination country. This has become such an ordinary part of our lives that it is almost no longer an object of criticism: if what is collected about us serves our security, what problem can there actually be?

Fortunately, European lawmakers have considered that the issue cannot be settled in a few simple steps, and on April 14 released the so-called "PNR Directive" (Passenger Name Record), which, within two years of its enactment, each Member State must transpose as soon as possible into national law.

First of all, note that this act was released in the same context as the European personal data protection package, which includes, besides the PNR Directive, the Directive on trade secrets and, above all, a historic introduction for the sector's legislation: the new European Regulation on the protection of personal data. The message conveyed is clearly a desire to pursue shared regulation of cyberspace and all related phenomena, so that institutions are not forced to react to technology, rather than the other way round.

For its part, the PNR Directive has been, and remains, a controversial affair, the outlines of which are still to be examined and further defined. From its guidelines it can clearly be deduced that it was born as a response to terrorism, establishing a register containing data of every type (from the name to the meal preferences expressed on board the aircraft) relating to passengers passing through each European airport. PNR data must be kept for 5 years by airlines, must be released on request from a European judicial authority, and must be communicated to such authorities for passengers passing through non-European territory and, optionally, for flights within Union territory. Beyond the criticisms concerning passenger privacy, a factor that every Member State will have to take into account when implementing the Directive internally, the logic is to use PNR data as material for analyzing the potentially suspicious behavior of individuals not covered by any identification system already in force (for example, persons already on file with the judicial authorities), and to prevent terrorist activities or national security risks through the use of biometric and predictive algorithms.

In other words, to avoid terrorist events such as that of 21 March 2016 at Zaventem, one of the airports in the Brussels area, which left more than 30 dead and hundreds wounded, and terrified citizens across Europe.

Although it may seem like science fiction, we must stress that this is simple reality. A similar program, ThinThread, has long been active in the United States on the initiative of the NSA, and in China monitoring is carried out for internal security, to prevent risks to security and public order in Tibet, through large-scale behavioral analysis of its inhabitants, including through specific video surveillance technologies and the use of big data.

However, there is also the other, more controversial side of the matter, which in this case corresponds to a system that is by now well known and in the limelight: mass surveillance.

When we talk about mass surveillance, we are talking about a phenomenon whose contours are not always precise and which vary with the technological progress of a territory and its social and economic variables. Conventionally, the term refers to subjecting an entire population, or a significant group within it, to indiscriminate and systematic control, carried out using overt and/or hidden instruments. At its base, this always implies constant interference with citizens' right to privacy. Any system that collects and stores individuals' personal data, categorizes them by well-defined classes (such as race, gender, etc.), and associates them with additional elements (such as routes taken, behaviors, conversations and opinions expressed) over a precise time interval represents, even if only potentially, a form of mass surveillance. The link between these dynamics and the subject of the PNR Directive therefore does not go unnoticed, even if, to verify the effects, it will be necessary to wait for the European courts to complete their interpretative function and, before that, to see by what criteria and approach the Member States introduce it into their respective legal systems.

The most immediate, or perhaps obvious, premise is that mass surveillance as described carries social problems that undermine any further reflections on the subject, which turn out to be sometimes worthwhile and sometimes misleading. To realize this, it is enough to observe the media prominence acquired over time by the protagonist of the mass surveillance scandal par excellence: Edward Snowden.

To anyone interested in international affairs, this name will not be new at all. Snowden, a former CIA analyst, achieved his present celebrity through a complex and intricate story about a form of mass surveillance allegedly carried out by American security agencies, first and foremost the NSA, which has taken the evocative name of Datagate.

In a nutshell, during 2013, through periodic releases of targeted information (so-called whistleblowing) by Snowden and his collaborators and the disclosure of classified US security documents, various actual and potential data traffic analysis and interception projects were revealed, carried out for years by the NSA and related bodies, such as its suppliers or agencies, to the detriment of citizens and government bodies in various countries including France, Germany, Italy and Spain.

From that moment on, the very concept of mass surveillance irremediably became just an icon, a bleak aspect of the long arm of power and, undoubtedly, for the vast majority of public opinion, an explicit attack on human rights. All connection with the purpose for which it was intended was lost; every result presented (the NSA produced a copy of a report documenting the dismantling of at least 50 terrorist attack plans against the citizens of more than twenty countries in the world) was torn to shreds by the media vortex into which the American defense institutions were sucked, to the cry of a power that observes and, like a sword of Damocles, is ready to deal its fatal blow to democracy.

The question is not simple. An in-depth examination would be necessary, from both a technical and an ethical point of view; not for nothing is it today the subject of intense debate among experts of every background from all over the world, and it is destined to remain open regardless of forthcoming legislative interventions. The PNR Directive is now in the spotlight, demonstrating that a positive response to the risk of Machiavellian excess exists, and that it is the mission of the institutions to protect the community. On the other hand, the potential for abuses and for attacks on the individual's free self-determination is no small matter either, and can hardly be sacrificed superficially on the altar of national security.

Perhaps the question that each of us should ask, even before turning to regulatory instruments and complex games of power and strategy, is this: in the face of today's terrorist-style events, of war between people, and of unconventional weapons such as the use of data and the cracking of defensive systems and infrastructures, and granted the faults and the firm condemnation of those who use the tools they possess not for the sake of the people they are called to defend but to gain gradual control, are we certain that a static and individual conception of confidentiality can be set a priori against the interest of the community? Are we sure that we are not, in turn, being instrumentalized into seeing only an inherent negativity in certain defensive instruments, and not also their concrete usefulness for the well-being of an advanced society?

The question, in the face of events that have happened and will happen, remains open and, as mentioned, not easily resolved.

(Photo: Defense Online / web)