Examination of Witnesses (Questions 108
- 119)
WEDNESDAY 18 JUNE 2008
Professor Juliet Lodge and Professor Didier Bigo
Q108 Chairman:
Two professors; we are honoured, welcome. It is very good of you
to come. As you know, this Committee, which is a Sub-Committee
of the main European Union Committee of the House of Lords, is
doing an investigation currently on Europol. You may realise that
you are on the record. You have sent us written evidence, for
which we are grateful. If, at a later stage, you want to supplement
anything, we shall be delighted to receive any extra evidence
or thoughts in writing; that would be very helpful. I do not know
if either of you wants to make an opening statement. We are a
little bit against the clock, but, if you would wish to, either
of you, you would be welcome. No? Well, let us start. You have
both highlighted in your evidence that Europol's potential role
is compromised by mistrust, different administrative practices,
and variable and inadequately secure information communication
technology. I wonder if you could give us an overview of the kind
of work that you believe is necessary for effective supranational
action in the EU law enforcement and justice domains. I realise
that is a broad question, but it would be most helpful if you
would start with that one.
Professor Lodge: Thank you, my Lord Chairman,
for the opportunity to comment and make an input. I will try and
be brief. I think one of the biggest issues that this raises is
the question of having an effective information management system
or regime at all levels, not just the supranational, but at all
those levels below that because the supranational, particularly
where Europol is concerned, depends on Member State input from
regional levels, so the supranational level to set standards for
technology and policy direction and strategic issues is very important.
Very briefly on the technology, I think there is a whole range
of issues that needs to be addressed on handling, data-mining,
data re-use, in particular, and data degradation, issues surrounding
the information management of exchange of information, training
and vetting of personnel and again setting standards, privacy
and data protection, information acquisition, and the exchange
and co-operation within the EU and with third States, particularly
where public-private partnerships are concerned, and I think that
is an area that seems to be very vague and eludes proper accountability.
There are also issues about the outsourcing of information by
people who may be providing information, handling it or storing
it on behalf of supranational agencies or the participants within
them, and trying to establish that there should be an approach
towards this regarding justice and home affairs communication
technology use based on the first principle of "baking in"
security and not then saying, "Well, we're a little bit unsure
about how effectively security is going to be guaranteed for data
subjects and data-handling", and then adding the idea that
there should be privacy-enhancement technologies almost as an
afterthought. I think at the political strategy level there is
a need to recognise that law enforcement encroaches on domestic
policy and that there are linkages of databases, and one has only
to think of motor-licensing in the UK and the way in which that
is accessible, not just to insurance agencies, but also to the
police, and various other law enforcement issues. There is a huge
issue of policy trust and trust in personnel, including issues
of accountability at the European level and the national parliamentary
level, which has to be addressed supranationally, I think, if
we are going to have compliance on behalf of all the Member States.
We must also deal with another issue which seems to have dropped
from the radar which is how one is going to deal with the next
generation of information exchange technologies, not just the
ambient intelligence and the nano-technological applications,
but the way in which mobile phones are going to be used and whether
or not information taken from them is going to be admissible,
and how automated information exchange, which is not mediated
by personnel, is going to be dealt with. That is something again
which has to be addressed at the supranational level so that one
does not just accept off-the-shelf solutions that the producers
already have and which are going to be obsolete, but so that one
does not compromise the need for accountability by having rather
vague arrangements, given that there is open recognition now of
the level of corruption, distrust and compromised security, so
I think one needs a very firm steer politically and a very firm
steer vis-a"-vis the technological applications that are
adopted.
Q109 Chairman:
Professor Bigo?
Professor Bigo: Thank you, my Lord Chairman.
I share a lot of what Professor Lodge has said, but maybe I would
insist more on the notion of mistrust and why do we have such
a mistrust between the different administrations. I think, firstly,
it is the difference between the criminal justice approaches and
intelligence approaches which is central. The more Europol is
trained to bridge or plug the intelligence approach into its criminal
justice approach in search of better information and efficiency,
the more it will create trouble as the notion of information has
not the same meaning in the two different logics, so that is the
first point. We need to ask more about the notion of information
when policemen discuss between different traditions, different
cultures and different professions together because they use the
same terminology, but they do not put the same facts into this
terminology, and that is central. The second element is certainly
the lack of a clear European approach as to what is relevant information,
who has collected the information, for what purpose and with what
level of accuracy. Evidence from the judge is different from grounds
of suspicion about a specific individual from the police and is
clearly far from suspicion towards a risk category created by
analysis and applied to an unknown individual which may fit the
criteria of a preventative approach and inquiry. The third element
is: who is entering this information into the system and for what
purpose, especially when you have analysts on one side and European
police officers on the other side. It is as crucial as the information
itself. The apparent paradox is that the segmentation of information
may be a better solution if it creates less uncertainty and less
numbers and focuses on a smaller, but more accurate, target. I
know that I am challenging a lot of discourse here because all
the main discourse is about sharing more and more data in order
to have more relevant intelligence. From the interviews we have
done, it is not what is said by a large majority of the people
who are involved in intelligence, so the idea that the bigger
is better is perhaps a mistake and we need to have a better evaluation
of the quality of the information which is processed before going
on. I think that mistrust is emerging from the idea that people
who have different professions do not exactly share the way they
receive the information and what is relevant. They receive data,
but they do not receive information
Q110 Lord Mawson:
Your map shows a highly complex landscape of EU security agencies,
and your written evidence speaks of competition, control issues,
rivalries and fierce struggles in Europol's relationships with
other EU agencies in the field of justice and home affairs. Are
such power struggles inevitable in the current institutional landscape?
Professor Bigo: I would say that, yes,
the struggles are inevitable, but they are also a sign of a lively
democracy with divergence of opinion and analysis even with the
same evidence or grounds of suspicion at the beginning. However,
if it exists in any case at the national level, it is nevertheless
aggravated at the transnational levelso I am not saying
that it is bad to have struggles, because it can give to the professional
and to the politician a different view on the same subject by
different organisations, and we have to remember that. When you
have only unique information coming from all the police and intelligence
services, it may be misleading. So the idea that we have diversity
and struggle is not bad in itself, but of course it is aggravated
at the transnational EU level as the national interests of the
States, the cultural and bureaucratic culture of the different
services and the way they pride their relationship on law and
law enforcement is slightly different, the UK from the Continent,
for example, and different also inside the Continent between federal
Germany and unitary France. Only the non-democratic regimes have,
at least at the surface, a unanimous point of view often organised
around what they want more than around the possible rationale
of action and behaviour of the target of their research. Nevertheless,
we have to try to reduce it, and I suppose it was the sense of
your question, by a better articulation of task between the agencies.
We have seen that it was possible after discussion to find agreements,
for example, on counterfeiting the euro, an agreement was found
between OLAF and Europol which had both good claims. Both agencies
may pretend to deal with counterfeiting of the euro, but, nevertheless,
they succeeded to define clearly who would be in charge. What
we have seen from the US is that the notion of lead agency is
not a real solution. We have done some research in the US and
we have seen that the notion of lead agency has created more competition
in fact than it has reduced the level of competition, and maybe
we need to be aware of not going too easily with this solution
and saying, "We will have a pool of agencies with one lead
agency". It is perhaps better to have a clear mark of one
agency only and not to have a pooling of competence without a
clear definition of who is in charge, and then maybe can reduce
the level of struggle. It will not disappear, but at least it
will be more clear.
Q111 Lord Mawson:
If you have been involved in running a business, you will know
that it is not just about the structure that you create, but it
is about the people and relationships, and senior people in government
seem to think that, if they get the structure right, something
will magically happen, but my experience is that it does not.
When we listened to Europol, we were told that about 10 per cent
of their budget investment was in training and how you actually
enabled staff to operate in complex environments. Do you think
there is enough investment going in actually in enabling staff
in organisations to operate in this complex world that they have
to operate in? Do you think that they are understanding what the
complex partnership is actually about or what the relationship
is or is there not enough investment in that?
Professor Bigo: It is difficult to answer
with accuracy because we do not have enough elements about the
different allocations of budget and value for money of the different
agencies inside the agency itself. For example, in Europol, what
is the part of the allocation of the budget for analysts and what
is the part of the allocation of the budget for the liaison officers?
Maybe you have here the elements, but we did not get these elements.
We were surprised that a lot of work seems to be done by the police
liaison officers both at the headquarters and in the different
national Member States; they are in charge of a high level of
current information, on the contrary you have a lot of analysts
with not so many work files, but, as we did not have of course
access to these work files, maybe they are huge, maybe they are
very important, very interesting, but it is quite difficult to
know, so I would say that it is very important to look at this
allocation of resources inside the agencies. The second element
is that we need to be aware, and I think it will be part of other
questions, of the relation between putting a lot of money into
software and providing results. It is said that because of the
large amount of information, you need to have expert software,
but sometimes maybe the human mind could be just as efficient
as some expert software. Replacing human beings by so-called "advanced
technology", which may cost a lot of money, will not always
create more efficiency, so we have to be very aware that of course
it is a case-by-case study and we cannot answer in general.
Q112 Chairman:
Professor, I looked at your map and you have various out-of-Europe
organisations, particularly in the United States, on it. I could
not find where you had Interpol in all of this. Did I miss it
or where does it fit in, if it is not in?
Professor Bigo: Next year, we will develop
the map and you will have Interpol in it and you will have also
the Police Chief Task Force, but we tried first to map the European
Union internal security agencies: Europol, Eurojust, Frontex and
to have not only their formal agreement, but interviews with the
people inside both agencies at their headquarters and at some
Member State levels. For the moment, we have investigated their
relations with third parties in the US, Norway, and Switzerland,
but not their relations with other institutions such as Interpol,
United Nations agencies, and NATO. That is why this mapping is
still a preliminary mapping, but the idea was just to show that,
if you look at one agency, you loose the point of what is a European
information system.
Q113 Baroness Garden of Frognal:
Professor Lodge, you welcome the proposal to modernise Europol
in your evidence, but you are concerned about the impact on good
governance of dissolving administrative boundaries. I wondered
what procedures introduced by the Decision may, in your view,
impact on, or alter, practices within Member States' agencies?
Professor Lodge: I think there are some
critical issues surrounding the work files and the management
of the work files and the information that goes into the work
files, and part of this would come out of what Didier has just
said. The information exchange processes and the ability to co-opt
parties to input intelligence, I think, will have a significant
impact at all different levels on how this is managed and the
accountability for it. I think there are also results that will
occur as a consequence of implementing the principle of data availability
and that requires both legal minds and personal trust. There are
also arrangements which permit the continuation of the bilateral
accords instead of having commonality within the Decision, and
bilateral accords are often a very effective way for police forces
to liaise and take steps forward, but, if one is going to respect
the principle of equality of treatment of citizens or suspects
and the equality of personnel in the individual forces, then that
is eroded by the lack of commonality, and I think different States
with different resources are going to be more adept or more influential
as a result and this will have implications for the process management
in individual Member States. I think overall there is the danger
of a weakening of political accountability which will aggravate
distrust. There is also a lack of legal certainty as to what definition
of a biometric is going to be used for identity management and
for verification and authentication. Now we accept it as a measurement
of a particular feature, an iris or a fingerprint or whatever,
but other States, and certainly the United States, associate it
with behaviour and with profiling. When one is exchanging information
and creating a work file or recreating a work file, which definition
is being applied and how can we rely on it? If it is a hunch and
the definition is of vague, loose intelligence and we are not
sure of the agency who has provided it, what are the implications
of that as opposed to information and its classification and,
crucially, its indexation? Furthermore, the role of the Europol
Director and Chair in defining strategy and the supposition of
the claim that this will not necessarily have much implication
for operational activities, I think, is likely to be challenged
because of the intelligence-led policing model that is embedded
within this Decision, so that is a further problem. I think also
that the issue over a lack of common terms, which we have already
touched on, will be problematic in creating the indices, regarding
where you put the information, how you exchange it, whether it
is legitimate or cannot be exchanged and in the development of
a European criminal records information system. Again, we have
got a multiplicity of different systems, a multiplicity of codes
and rules for accessing those systems and I think that is bound
to have myriad consequences for personnel, for work practices,
for audit trails and for everything associated with proper information
management within the agencies.
Q114 Baroness Garden of Frognal:
Do you see a way forward for getting a common understanding of
these things and a common interpretation of the definitions?
Professor Lodge: With common definitions
and common terms, I think one has almost got to insist on a single
language, and this runs counter to everything, but, without that
precision, the term is not going to appear in the index and, if
it does not appear in the index, then the investigating officer
who is trying to find out about the existence of a certain section
of a file when he has access to a certain portion of it is not
going to be able to find it is there, even though it is, because
it has not been indexed and classified, and we have all the political,
administrative and cultural problems that we have already alluded
to which, I think, will make these even more difficult. Whilst
I would not normally want to be an advocate of one language, I
think here there is a very strong case for arguing for possibly
making that a universal language.
Q115 Lord Dear:
Could I pose a short question to each of you, and perhaps to Professor
Lodge first of all, but the question is the same. When Europol
was set up, there was envisaged, I think, a fairly rigid structure
of the traffic of information and who did what and it was all
envisaged to be fairly well-compartmentalised and on well-trodden
routes. There has been a decision, as I understand it, recently
to encourage a policy of ad hoc bilateral exchanges on a needs-must
basis, I suppose, between some of the EU law enforcement agencies
based on judicial investigation. I can see that there is a way
forward to speed things up on that, but it does throw into disarray
what the original model envisaged. I wonder if you would both
like to address that point and tell us what you think the longer-term
effects of that might be.
Professor Lodge: I think, firstly, that
the ad hoc-ism can be very valuable, but, as you are pointing
out, it is based on mutual trust and, the more that Europol, Eurojust
and all the associated agencies move towards automated information
exchange, the more they are relying on the technology rather than
analysis by the individual. If you cannot trust technology, and
we cannot trust technology, then this issue of trust has further
ramifications for the political accountability and legitimacy
of the whole system which then impacts on the citizen. I think
too rigid rules within the Decision will make certain States opt
for bilateralism and ad hoc-ism because it is the soft route,
the easy route to circumvent some delays which may be inherent
in the system and some delays which may be a consequence of not
being able to understand the language, not being able to access
the work file and so on because it is done more on an automated
basis. I think it implies in the longer term that there must be
much closer co-operation between Europol and Eurojust, and they
are establishing automated information exchange systems between
the two of them to ensure that there is greater operational effectiveness.
Now, that has implications for this concept of Europol basically
being a forum where there is high-quality analytical material,
and what we are saying really is that you cannot separate, in
the longer term, the analytical function from the repercussions
it may have on operational strategies and operational steps that
are taken along with the financing that has to be associated with
making this efficient.
Q116 Lord Dear:
Do I understand what you are saying correctly, which is, in a
nutshell, that you appreciate that there will always be people
seeking to take a quick route to a solution, they know somebody
or they know a system at the other end of the telephone and they
would use that ad hoc basis, that informal basis, and that is
all right, in your view, is it, so long as the information that
is exchanged eventually gets fed through to the databank? Is that
what you are saying?
Professor Lodge: I think what I am saying
is possibly slightly subtler in that operationally people often
need information very fast, and it may be that they can obtain
sufficient general information by their bilateral exchanges face-to-face
through humanly trusted relationships to enable them to be very
effective in the prosecution of serious organised crime and, on
that basis, one can see there is a role for that. It is where
you then say, "This does not matter" and one can do
it because it eludes accountability, that is not adequate.
Q117 Lord Dear:
Professor Bigo?
Professor Bigo: I agree with what Professor
Lodge has just said, but just one caveat is that of course it
works to have an ad hoc information system if you have already
a network of trusted people, therefore, it is an advantage for
the oldest Member States in comparison to the other ones. So,
maybe it is also a strategy by the oldest EU member states to
go on an ad hoc information system in a way to restrict the others
member states access to some level of intelligence or information
that they prefer not to spread too much. So maybe the preference
for an ad hoc system is not just a functional question of what
it is more efficient and has a better speed, but it is a question
of politics.
Q118 Lord Hodgson of Astley Abbotts:
Could I just come back to mutual trust, you use the phrase "high-quality
analytical material", and the interplay. In your memoranda,
which are most interesting, I read about the importance of proper
input, proper control and proper safeguards, but what are we going
to do about making sure that information, when put in, is accurate?
I am much involved with the Rendition Programme and certain people
have been picked up on the basis that the information is wrong.
The approach was fine, the analysis was fine, but the fundamental
information database was inaccurate. How are we going to ensure,
as the database gets bigger and bigger and bilateral exchanges
and Europol operate to a greater extent, that the information
that goes in is accurate and remains accurate through the passage
of time?
Professor Lodge: I suppose at one level,
assuming that the information that is provided to the data-inputter
is accurate, there is a big issue, I think, on the vetting and
training of the data-inputters who may be outsourced to countries
anywhere, who may not have had the kind of training that one would
hope they have had and who may have different objectives in having
sometimes jobs which are very poorly paid. There are issues, I
know from talking to people about this, about who is sitting there
doing the typing or managing the system and the upkeep of the
system, so, in that sense, I think there is a real issue at that
level, but it is also one that comes back to these problems of
definition, terminology, what is information, how we classify
it, what is intelligence and the reliability of that source and
maybe whether or not there has been a group discussing it, and
I am not really sure how one gets round that.
Q119 Lord Marlesford:
Can I just follow up because there seems to be a theme which has
come through from your answers to all the questions and I just
want to check whether I am right in identifying the theme. It
is that, whilst you have no problem with the sort of database
approach to the identity of people, there is a serious question
as to forming very big databases on very limited information,
almost like having, as it were, too many suspects with insufficient
discipline as to who is on the list. For example, last week we
had the Serious Organised Crime Agency come to see us and they
have a database which has been formed from the suspicious activity
reports which are filed, many of which have been shown in the
press to be totally trivial, and we assumed that these had been
ignored, but we were told no, they have now got over a million
on that database alone. Are you saying really it would be much
better to have a better discipline on who is on a database, a
suspect of any sort rather than where none of us minds being on
the database as to who we are?
Professor Bigo: Yes it is my view , and
this point is a central one. Perhaps to come back to the previous
question, each time we have information, it is important to know
who has given the information. And, if I may, in this period of
Euro football, I have proposed as a policy recommendation about
four years ago to give a kind of yellow card or red card to those
providing incorrect information. If you want to improve the quality
of information, you can perhaps have a review of who has given
inaccurate information at the level of the individual and at the
level of the services in order to diminish their ranking of valuable
information and then, not immediately, but in the future, they
will think twice about sending dubious information. If we do not
have that, we will continue to have trouble, but, if we have that,
we can change the behaviour of the organisation so that they will
send less information, but more accurate information, and maybe
that is not a perfect solution, but it will resolve perhaps part
of the problem.
|