The Schengen Entry/Exit System: biometrics to facilitate smart borders

​​​Because of Europe's migratory pressures and terrorist attacks over the last few years, border management has become a priority for the European Commission.

​The Visa Information System (VIS) has been operational since 2015 in Member State consulates, and its consultation is now compulsory for visa-holders entering the Schengen area.

Besides, since February 2013, the concept of Smart Borders has been introduced. It's an ambitious package of legislative measures drawn up in consultation with the European Parliament.

The new EES System is to be operational at the end of 2023

Adopted and then signed on 30 November 2017 by the European Council, it will be used in conjunction with the European Passenger Name Record (PNR) Directive, which, from 25 May 2018, collects data on air passengers.

The EES is now scheduled to become functional in November 2023.

Based on the principle that the majority of visitors are "bona fide," the EES will radically change the Schengen Borders Code with the double objective of: 

• making borders smart by automating checks and controls on legitimate visitors while strengthening methods for combating irregular migration
• creating a central register of cross-border movements.

In other words, external border management is being modernised.

Because it improves the quality and efficiency of checks and controls in the Schengen area, the EES's common database should help reinforce homeland security and the fight against terrorism and serious crime.

Systematic identification of people 'overstaying' in the Schengen area is one of its significant challenges.

We will see why facial biometrics, in particular, is the technical winner of the EES initiative, as is currently the case, and no longer just in airports but also in all ports of entry.

In this web report, we will examine the following six topics:

• What the Entry-Exit System is
• How the 2006 Schengen Borders Code is impacted
• How its access is highly regulated
• Why facial biometrics becomes key for the EES
• How EES contributes to the fight against identity fraud
• Where Thales fits in the picture.

Let's dig in.

EES: a robust prevention and detection mechanism

Criminal activities such as human trafficking, migrant smuggling, and trafficking of goods are made possible by illegal border crossings.

They are primarily facilitated by the absence of any system for recording entry/exit movements in Europe.

Yes, you read that right.

And the route to identity fraud is a well-travelled one: "standard" checks on entering the Schengen area, followed by the destruction of identity documents to commit malevolent acts, knowing that authentication without an ID is impossible.

So the good news is that although the EES is aimed at "bona fide" visitors, in the long term, the system will be a powerful means of preventing and detecting terrorist activities or other serious criminal offences.

The data stored in the new register for five years – including for people turned back at borders – mainly consists of the following:

• names,
• passport numbers,
• Four fingerprints
• and photos.

It will be accessible to the border and visa-granting authorities and Europol.

The system will be available to investigating authorities to allow consultation of cross-border movements and access to travel history data.

All of this will be carried out with the strictest respect for the person's human dignity and integrity.

The mechanism is very clear  the competent authorities cannot discriminate against persons based on sex, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion.

Investigations must also not discriminate against membership of a national minority, property, birth, disability, age, or sexual orientation.

Reappraisal of the Schengen Borders Code

Given the expected growth in Third Country Nationals visiting the Schengen area (887M by 2025), the challenge is now to make border checks faster and simpler.

This is a particularly ambitious initiative. It will require a reappraisal of the famous Schengen Borders Code, which requires thorough checks made manually by Member State authorities at entry and exit points without possible automation.

Besides, the Schengen Borders Code has no provisions on the recording of cross-border movements. The current procedure requires only that passports be stamped with entry and exit dates.

This is the sole method available to border guards when calculating whether a right to stay has been exceeded.

Just think about it.

It's difficult when stamps are poorly printed and placed randomly throughout the passport book. Besides, a stamp can be counterfeited, and no electronic record exists in any database.

Another problem is that regular visitors and people living near borders must replace their passports every 2 to 3 months because they run out of space for new stamps!

Let's admit it.

The whole process is archaic, given the potential offered by information technologies.

The 2013 package consisted of three proposals:

• Creation of an automated Entry/Exit System (EES)
• A Registered Traveler Program (RTP) allows pre-vetted regular visitors to benefit from the facilitation of border checks.
• Amendment of the Schengen Borders Code

Withdrawal of the RTP initiative

Proving to be too complex to implement in the 28 Member States, the RTP initiative was eventually withdrawn and replaced by an ambitious Entry/Exit System (EES) for short-stay visitors (no more than 90 days in any period of 180 days).

The final outlay is well below that initially forecast by the Commission in 2013. Instead of the estimated billion euros, including an RTP component, the revised proposal of a single EES will cost "only" €480 million, as the EES regulation proposal singled out.

This ambitious initiative is being implemented after a technical study conducted in 2014, followed by a prototyping phase led by the eEU-LISAagency in 2015. This resulted in the withdrawal of the RTP project and a switch of focus to the EES program.

Centralised architecture managed by eu-LISA

The essential body of the EES is eu-LISA, the European agency for the operational management of large-scale IT systems, headquartered in Tallinn, with an active site in Strasbourg and a backup site in Sankt Johann Im Pongau (Austria).

The agency will be responsible for the following four tasks:

1. Development of the central system
2. Implementation of a National Uniform Interface (NUI) in each Member State
3. Secure communication between the EES and VIS central systems
4. Communication infrastructure between the terminal system and National Uniform Interfaces.

Each Member State will be responsible for the organisation, management, operation, and maintenance of its existing national border infrastructure and connection to the EES.

Optimised border management

All Third Country Nationals will be treated equally with the new mechanism, whether or visa-exempt.

Therefore, the Member States will identify any irregular migrant or visitor crossing borders illegally and facilitate their expulsion if applicable.

The process can be assisted or automated; for instance, visitors could authenticate themselves at a self-service terminal under the supervision of a border guard, which will display the following information:

• Date, time, and border crossing point, in replacement of manual stamps
• Notification of refusal of entry, if applicable
• Maximum authorised length of stay
• Notification of overstay, if applicable

For the authorities of Member States, this is a revolutionary step up from the current system's inadequacies.

There's more.

The possibility of compiling robust statistics is already being anticipated, as is better management of granting or refusal of visas based on cross-border movements, in particular through information such as:

• Overstays per country
• History of cross-border movements per country

The Visa Information System (VIS) has been operational since 2015

EES: highly regulated access

But one thing's for sure.

Access to the EES is highly regulated.

Each Member State must notify eu-LISA of the law enforcement agencies authorised to consult data to prevent, detect, or investigate terrorist offences and other serious crimes.

Europol, which plays a crucial role in crime prevention, will be included in the law enforcement agencies authorised to access the system within the framework of its tasks.

In contrast, EES data cannot be transferred or made available to any third country, international organisation, or private entity established in or outside the European Union.

Of course, in the case of investigations to identify a Third Country National and prevent or detect terrorist offences, exceptions may be made.

Proportionality and privacy

Against a legislative backdrop where privacy is held as a major priority, the volume of personal data recorded in the EES will be significantly reduced, i.e., 26 data items instead of the 36 initially planned in 2013.

The mechanism will be negotiated between the European Data Protection Supervisor (EDPS) and the national authorities responsible for applying the new regulation.

The data collected will be limited to minimum information such as last name, first name, travel document, visa references, a facial image, and four fingerprints.

The date, time, and border check location will be recorded for each visit. This data will be stored for five years and not the 181 days as proposed in 2013.

Why?

This will allow border guards and consular posts to analyse applicants' travel history when issuing new visas.

EES: privacy by design

The European Commission proposal has been drawn up based on "privacy by design" principles.

From a legal standpoint, the proposal concerns the right to protection of personal data; in other words, the data collected and stored and its prevention period are strictly limited to what is necessary for the system to function and meet its objectives.

The EES will be a centralised system through which the Member States cooperate, creating a common architecture and operating rules.

Given the need for uniform processes governing border checks and access to the system, only a regulation could be chosen as a legal instrument without the possibility of adaptation to national legislation.

Secure Internet access to a web service hosted by EU-LISA will allow Third Country Nationals to check their remaining authorised length of stay at any time.

Carriers such as airlines can also use this function to check whether their passengers are authorised to enter the EU.

Facial biometrics: key weapon of the EES system

The EES results in radical changes to the Schengen Borders Code as it will be used to register the biometric data of all Third Country Visitors. In contrast, only those requiring a visa are recorded in the VIS today.

Ten fingerprints were planned in terms of biometric identifiers under the old system. 

The new one combines four fingerprints and a portrait for facial recognition on entry, although neither is acceptable for an exit.

The face is now the key to opening border crossings. The technology has progressed significantly over the last few years and supports traditional fingerprinting methods.

Although the European Commission no longer uses the RTP principle, it is present in all but name.

But we're jumping ahead. Here's the process.

• Four fingerprints will still be taken at the first check to verify that the traveller is not already listed in the EES or VIS.

• Without a signal, the border authority will create a file, ensuring that the Machine Readable Travel Document photograph corresponds to the new visitor's live facial image.
   
• When they next cross a border, their face will determine whether or not they are let in.

Biometrics is the big winner.

Smile, you're in Europe! 

Passports' time-consuming (and falsifiable) stamps will be replaced by access to the EES.

Biometrics is, therefore, the big winner of the EES initiative. And no longer just in airports, as is currently the case.

Bustling sea terminals and land border posts will become the first clients of the famous automated passport control eGates currently reserved only for air travellers.

As the agency helping EU and Schengen-associated countries manage their external borders, Frontex helps harmonise border controls across the EU.

The mission of the European Border and Coast Guard Agency is to facilitate and render more effective the application of existing and future European Union measures relating to the management of external borders.

The agency provides technical support and expertise to facilitate cooperation between border authorities in each EU country.

They have already published "Guidelines for Processing of Third‑Country Nationals through Automated Border Control."

They will play a key role in analysing and defining the capability needs in border control and supporting the Member States in developing these capabilities.

EES and the fight against identity fraud

The EES mechanism is complex and ambitious as it will make border crossing faster and checks and controls more robust.

Procedures for welcoming Third Country Nationals to Europe will be much improved thanks to eGates and self-service kiosks.

Regarding migration policies and prevention of malevolent acts, it will now be possible to immediately identify people who fail to comply with entry conditions and access their travel history.

It should also be remembered that the EES will be a powerful tool in the fight against identity fraud, particularly within the Schengen area, as each visitor will have been recorded on their arrival at an external border.

Thales and identity: more than 20 years of experience

Where do we fit in?

With its recent acquisition of Gemalto, Thales is particularly interested in the EES initiative, which is hugely dependent on biometrics and checking travel documents.

Identification and authentication of people are two areas in which Gemalto has excelled for more than 20 years. The company contributes to over 200 government programs in 80 countries on these issues.

It has the expertise to meet the objectives of the EES initiative, in particular through:

• Exploiting the latest technologies to authenticate travel documents, identify travellers through biometric recording operations and checks, and assess risk with access to watch lists at all border checkpoints.
• We are reducing costs through process automation and optimisation while deploying new technologies to reinforce security and offer passengers greater convenience.
• Optimising border guards' tasks will supervise these devices, allowing them to focus on suspicious cases.
• We are reducing waiting times after registration in the EES database. This factor is not insignificant for people who live near borders and regular visitors who will devote more time to productive activities!

Self-service registration terminals and automatic or semi-automatic borders could be deployed in the next few years to speed up border checks and make access to the Schengen area more welcoming. 

These automatic and biometric terminals are already deployed in the Paris airports of Orly and Charles de Gaulle (New PARAFE smart gates).

Facial recognition was implemented in 2018.

New PARAFE biometric smart gates at Roissy – September 2017

Thales has recognised expertise in integrated border management and contributes to two major migration management systems.

• Thales biometric identification systems are central to the American data management system IDENT (formally US-VISIT). This biographic and biometric database contains information on more than 200 million people who have entered, attempted to enter, or exited the United States of America. The US biometric entry-exit tracking system has many similarities with the European EES.

• Since its inception, Thales has been a supplier of the biometric Eurodac (European Dactyloscopy) system. It's the most extensive multi-jurisdictional Automated Fingerprint Identification System (AFIS) globally, with 32 affiliated countries. The Eurodac system is a database containing the fingerprints of asylum seekers for each Member State and those apprehended when attempting to cross borders illegally.

• To thwart attempted document fraud, Thales has developed sophisticated equipment to check the authenticity of documents by comparing the models in circulation (Identity Verification). Their validity is also checked by connecting to the Interpol database of Stolen and Lost Travel Documents (SLTD) or national watch lists.
• For border control, in addition to its biometric smart gates, Thales offers its document reader ​portfolio coupled with document authentication software, fingerprint scanners, biometric authentication equipment, and software such as advanced face identification, thanks to its Gemalto Cogent portfolio, one of the pioneers in biometric technology.

Highest matching speed thanks to FPGA (Field-Programmable Gate Array)

Thales's biometrics technology and matching engine have led the industry in matching speed and accuracy for more than 20 years.

Our FGPA-based matching engine limits the environmental impacts of a data centre while offering unique advantages:

• Fast matching speed: FPGA provides low latency, massively parallel data processing with hardware acceleration
• System cost reduction: Off-loading the heavy CPUs calculations to FPGA acceleration cards lowers CPU requirements.
• Higher power efficiency: FPGA data processing consumes much less power than CPUs to achieve the same matching throughput
• Scalability: Horizontal scaling advantage by duplicating the server entities; vertical scalability advantage by increasing the number of acceleration cards in the system
• Flexibility: Reconfigurable circuits algorithms on FPGA can be improved by reprogramming without needing to buy new hardware
• Commercial off-the-shelf (COTS): No vendor lock-in, FPGA cards can be purchased from multiple vendo.rs

To find out more, please do not hesitate to contact us.