The Schengen Entry/Exit System: biometrics to facilitate smart borders

​​​Because of migratory pressures and terrorist attacks suffered by Europe over the last few years, border management has become a priority for the European Commission.

​The Visa Information System (VIS) has indeed been operational since 2015 in Member State consulates, and its consultation is now compulsory for visa-holders entering the Schengen area.

Besides, since February 2013, the concept of Smart Borders has been introduced.  It's an ambitious package of legislative measures drawn up in consultation with the European Parliament.

The new EES System to be operational in 2020

Adopted and then signed on 30 November 2017 by the European Council, it will be used in conjunction with the European Passenger Name Record (PNR) Directive which, from 25 May 2018, will collect data on air passengers.

Based on the principle that the majority of visitors are "bona fide", the EES will radically change the Schengen Borders Code with the double objective of: 

• making borders smart by automating checks and controls on legitimate visitors while strengthening methods for combating irregular migration
• creating a central register of cross-border movements.

In other words, external border management is being modernized.

Because it improves the quality and efficiency of checks and controls in the Schengen area, the common database of the EES should help to reinforce homeland security and the fight against terrorism and serious crime.

Systematic identification of people 'overstaying' in the Schengen area is one of its major challenges.

We will see why facial biometrics, in particular, is the technical winner of the EES initiative. And no longer just in airports, as is currently the case but also in all ports of entry.

In this web report, we will examine the following six topics:

• What the Entry-Exit System is
• How the 2006 Schengen Borders Code is impacted
• How its access is highly regulated
• Why facial biometrics becomes key for the EES
• How EES contributes to the fight against identity fraud
• Where Thales fits in the picture.

Let's dig in.

EES: a powerful prevention and detection mechanism

Criminal activities such as human trafficking, migrant smuggling, and trafficking of goods are made possible by illegal border crossings.

They are primarily facilitated by the absence of any system for recording entry/exit movements in Europe.

Yes, you read that right.

And the route to identity fraud is, unfortunately, a well-travelled one: "standard" checks on entering the Schengen area, followed by the destruction of identity documents to commit malevolent acts, knowing that authentication without an ID is impossible.

So the good news is that although the EES is aimed at "bona fide" visitors, in the long term, the system will act as a powerful means of preventing and detecting terrorist activities or other serious criminal offences.

The data stored in the new register for five years – including for people turned back at borders – mainly consists of:

• names,
• passport numbers,
• Four fingerprints
• and photos.

It will be accessible to border and visa granting authorities as well as Europol.

The system will be made available to investigating authorities as it will allow consultation of cross-border movements and access to travel history data.

All of this will be carried out with the strictest respect for the human dignity and integrity of the person.

The mechanism is very clear on this point: the competent authorities cannot discriminate against persons on the grounds of sex, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion.

Investigations must also not discriminate against membership of a national minority, property, birth, disability, age or sexual orientation.

Reappraisal of the Schengen Borders Code

Given the expected growth in the number of Third Country Nationals visiting the Schengen area (887M by 2025), the challenge is now to make border checks faster and simpler.

This is a particularly ambitious initiative as it will require a reappraisal of the famous Schengen Borders Code which requires thorough checks, made manually by Member State authorities at entry and exit points, without the possibility of automation.

Besides, the Schengen Borders Code has no provisions on the recording of cross-border movements. The current procedure requires only that passports be stamped with dates of entry and exit.

This is the sole method available to border guards when calculating whether a right to stay has been exceeded.

Just think about it.

It's not easy when stamps are poorly printed and placed randomly throughout the passport book. Besides, a stamp can be counterfeited, and there is not an electronic record in any database.

Another problem is that regular visitors and people living near borders have to replace their passports every 2 to 3 months because they run out of space for new stamps!

Let's admit it.

The whole process is archaic, given the potential offered by information technologies.

The 2013 package consisted of three proposals:

• Creation of an automated Entry/Exit System (EES)
• A Registered Traveler Program (RTP) to allow pre-vetted regular visitors to benefit from facilitation of border checks.
• Amendment of the Schengen Borders Code

Withdrawal of the RTP initiative

Proving to be too complex to implement in the 28 Member States, the RTP initiative was eventually withdrawn and replaced by an ambitious Entry/Exit System (EES) for short-stay visitors (no more than 90 days in any period of 180 days).

The final outlay is well below that initially forecast by the Commission in 2013. Instead of the estimated billion euros which also included an RTP component, the revised proposal of a single EES will cost "only" €480 million as singled out by the EES regulation proposal.

This ambitious initiative is being implemented after a technical study conducted in 2014, followed by a prototyping phase led by the eu-LISA agency in 2015, which resulted in the withdrawal of the RTP project and a switch of focus to the EES program.

Centralized architecture managed by eu-LISA

The key body of the EES is eu-LISA, the European agency for the operational management of large-scale IT systems, which is headquartered in Tallinn, with an operational site in Strasbourg and a back-up site in Sankt Johann Im Pongau (Austria).

The agency will be responsible for the following four tasks:

1. Development of the central system
2. Implementation of a National Uniform Interface (NUI) in each Member State
3. Secure communication between the EES and VIS central systems
4. Communication infrastructure between the central system and National Uniform Interfaces.

Each Member State will be responsible for the organization, management, operation and maintenance of its existing national border infrastructure and its connection to the EES.

Optimized border management

With the new mechanism, all Third Country Nationals will be treated equally, whether or not they are visa-exempt.

The Member States will, therefore, be able to identify any irregular migrant or visitor who has crossed borders illegally and to facilitate their expulsion if applicable.

The process can be assisted or automated, for instance, visitors could authenticate themselves at a self-service terminal under supervision of a border guard, which will display the following information:

• Date, time and border crossing point, in replacement of manual stamps
• Notification of refusal of entry if applicable
• Maximum authorized length of stay
• Notification of overstay if applicable

For the authorities of Member States, this is a revolutionary step up from the inadequacies of the current system.

There's more.

The possibility of compiling powerful statistics are already being anticipated, as is better management of granting or refusal of visas based on cross-border movements, in particular through information such as:

• Overstays per country
• History of cross-border movements per country

The Visa Information System (VIS) has been operational since 2015

EES: highly regulated access

But one thing's for sure.

Access to the EES is highly regulated.

Each Member State must notify eu-LISA of the law enforcement agencies authorized to consult data to prevent, detect or investigating terrorist offences and other serious crimes.

Europol, which plays a crucial role in crime prevention, will be included in the law enforcement agencies authorized to access the system within the framework of its tasks.

In contrast, EES data cannot be transferred or made available to any third country, international organization or any private entity established in or outside the European Union.

Of course, in the case of investigations to identify a Third Country National, and prevention or detection of terrorist offences, exceptions may be made.

Proportionality and privacy

Against a legislative backdrop where privacy is held as a major priority, the volume of personal data recorded in the EES will be significantly reduced, i.e. 26 data items instead of the 36 initially planned in 2013.

The mechanism will be negotiated between the European Data Protection Supervisor (EDPS) and the national authorities responsible for applying the new regulation.

The data collected will be limited to minimum information such as last name, first name, travel document, and visa references, a facial image, and four fingerprints.

The date, time and border check location will be recorded for each visit. This data will be stored for five years, and not the 181 days as proposed in 2013.

Why?

This will allow border guards and consular posts to analyze the travel history of applicants when issuing new visas.

EES: privacy by design

The European Commission proposal has been drawn up based on "privacy by design" principles.

From a legal standpoint, the proposal is measured concerning the right to protection of personal data; in other words, the data collected and stored, and its period of retention, are strictly limited to what is necessary for the system to function and meet its objectives.

The EES will be a centralized system through which the Member States cooperate, hence the need for a common architecture and operating rules.

Given the need for uniform processes governing border checks and access to the system, only a regulation could be chosen as a legal instrument, without the possibility of adaptation to national legislation.

Secure Internet access to a web service hosted by EU-LISA will allow Third Country Nationals to check their remaining authorized length of stay at any time.

Carriers such as airlines will also be able to use this function to check whether their passengers are authorized to enter the EU.

Facial biometrics: key weapon of the EES system

The EES results in radical changes to the Schengen Borders Code as it will be used to register the biometric data of all Third Country Visitors. In contrast, only those requiring a visa are recorded in the VIS today.

In terms of biometric identifiers, under the old system, ten fingerprints were planned. 

The new one combines four fingerprints and a portrait for facial recognition on entry, although either of these is acceptable for an exit.

The face is now the key to opening border crossings. The technology involved has progressed significantly over the last few years and supports traditional fingerprinting methods.

Although the European Commission is no longer using the RTP principle, it is present in all but name.

But we're jumping ahead. Here's the process.

• Four fingerprints will still be taken at the first check to verify that the traveller is not already listed in the EES or VIS.

• In the absence of a signal, the border authority will create a file, making sure that the photograph in the Machine Readable Travel Document corresponds to the live facial image taken of the new visitor.
   
• When they next cross a border, it is their face that will determine whether or not they are let in.

Biometrics is the big winner.

Smile, you're in Europe! 

The time-consuming (and falsifiable) stamps on passports will be replaced by access to the EES.

Biometrics is, therefore, the big winner of the EES initiative. And no longer just in airports, as is currently the case.

Particularly busy sea terminals and land border posts will become the first clients of the famous automated passport control eGates currently reserved only for air travellers.

Frontex, as the agency helping EU countries and Schengen associated countries manage their external borders, is helping harmonize border controls across the EU.

The mission of the European Border and Coast Guard Agency is to facilitate and render more effective the application of existing and future European Union measures relating to the management of external borders.

As such, the agency is providing technical support and expertise to facilitate cooperation between border authorities in each EU country. T

They have already published "Guidelines for Processing of Third‑Country Nationals through Automated Border Control".

They will play a key role in analyzing and defining the capability needs in border control and in supporting the Member States in the development of these capabilities.

EES and the fight against identity fraud

The EES mechanism is complex and ambitious as it will make border crossing faster while also making checks and controls more robust.

Procedures for welcoming Third Country Nationals to Europe will be much-improved thanks to eGates and self-service kiosks.

In terms of migration policies and prevention of malevolent acts, it will now be possible to immediately identify people who fail to comply with entry conditions and to access their travel history.

It should also be remembered that the EES will be a powerful tool in the fight against identity fraud, particularly within the Schengen area, as each visitor will have been recorded on their arrival at an external border.

Thales and identity: more than 20 years' experience

Where do we fit in?

Thales, with its recent acquisition of Gemalto, is particularly interested in the EES initiative which is hugely dependent on biometrics and checking of travel documents.

Identification and authentication of people are two areas in which Gemalto has excelled for more than 20 years. The company contributes to more than 200 government programs in 80 countries on these issues.

It has the expertise to meet the objectives of the EES initiative, in particular through:

• Exploiting the latest technologies to authenticate travel documents, identify travellers through biometric recording operations and checks, and assess risk with access to watch lists at all border checkpoints.
• Reducing costs through process automation and optimization while deploying new technologies to reinforce security and offer passengers greater convenience.
• Optimizing the tasks of border guards who will supervise these devices, allowing them to focus their attention on suspicious cases.
• Reducing waiting times after registration in the EES database. This factor is not insignificant for people who live near borders and regular visitors who will be able to devote more time to productive activities!

Self-service registration terminals and automatic or semi-automatic borders could be deployed in the next few years, to speed up border checks and make access to the Schengen area more welcoming. 

These automatic and biometric terminals are already being deployed in the Paris airports of Orly and Charles de Gaulle (New PARAFE smart gates).

Facial recognition was implemented in 2018.

New PARAFE biometric smart gates at Roissy – September 2017

Thales has recognized expertise in integrated border management and contributes in particular to two major migration management systems.

• Thales biometric identification systems are a central component of the American data management system IDENT (formally US-VISIT). This biographic and biometric database contains information on more than 200 million people who have entered, attempted to enter or exited the United States of America. The US biometric the entry-exit tracking system​​ has many similarities with the European EES.

• Thales has been a supplier to the biometric Eurodac (European Dactyloscopy) system since its inception. It's the largest multi-jurisdictional Automated Fingerprint Identification System (AFIS) in the world, with 32 affiliated countries. The Eurodac system is a database containing the fingerprints of asylum seekers for each Member State and of people apprehended when attempting to cross borders illegally.

• To thwart attempted document fraud, Thales has developed sophisticated equipment to check the authenticity of documents through comparison with the models in circulation (Identity Verification). Their validity is also checked by connecting to the Interpol database of Stolen and Lost Travel Documents (SLTD) or national watch lists.
• For border control, in addition to its biometric smart gates, Thales offers its document reader ​portfolio coupled with document authentication software, fingerprint scanners, biometric authentication equipment and software such as advanced face identification​, thanks to its Gemalto Cogent portfolio, one of the pioneers in biometric technology.

Highest matching speed thanks to FPGA (Field-Programmable Gate Array)

Thales's biometrics technology and matching engine have been leading the industry in terms of matching speed and accuracy for more than 20 years.

Our FGPA based matching engine limits the environmental impacts of a data centre while offering unique advantages:

• Fast matching speed: FPGA offers low latency, massively parallel data processing with hardware acceleration
• System cost reduction: Off-loading the heavy CPUs calculations to FPGA acceleration cards results in lower CPU requirements.
• Higher power efficiency: FPGA data processing consumes much less power than CPUs to achieve same matching throughput
• Scalability: Horizontal scaling advantage by duplicating the server entities; vertical scalability advantage by increasing the number of acceleration cards in the system
• Flexibility: Reconfigurable circuits, algorithms on FPGA can be improved by reprogramming without needing to buy new hardware
• Commercial off-the-shelf (COTS): No vendor lock-in, FPGA cards can be purchased from multiple vendors

To find out more, please do not hesitate to contact us.