The Schengen Entry/Exit System: biometrics to facilitate smart borders

​​​Because of Europe's migratory pressures and terrorist attacks over the last few years, border management has become a priority for the European Commission.

​The Visa Information System (VIS) has been operational since 2015 in Member State consulates, and its consultation is now compulsory for visa-holders entering the Schengen area.

Besides, since February 2013, the concept of Smart Borders has been introduced. It's an ambitious package of legislative measures drawn up in consultation with the European Parliament.

The new EES System to be operational in 2022

Adopted and then signed on 30 November 2017 by the European Council, it will be used in conjunction with the European Passenger Name Record (PNR) Directive, which, from 25 May 2018, collects data on air passengers.

Based on the principle that the majority of visitors are "bona fide," the EES will radically change the Schengen Borders Code with the double objective of: 

• making borders smart by automating checks and controls on legitimate visitors while strengthening methods for combating irregular migration
• creating a central register of cross-border movements.

In other words, external border management is being modernised.

Because it improves the quality and efficiency of checks and controls in the Schengen area, the EES's common database should help reinforce homeland security and the fight against terrorism and serious crime.

Systematic identification of people 'overstaying' in the Schengen area is one of its significant challenges.

We will see why facial biometrics, in particular, is the technical winner of the EES initiative, as is currently the case, and no longer just in airports but also in all ports of entry.

In this web report, we will examine the following six topics:

• What the Entry-Exit System is
• How the 2006 Schengen Borders Code is impacted
• How its access is highly regulated
• Why facial biometrics becomes key for the EES
• How EES contributes to the fight against identity fraud
• Where Thales fits in the picture.

Let's dig in.

EES: a robust prevention and detection mechanism

Criminal activities such as human trafficking, migrant smuggling, and trafficking of goods are made possible by illegal border crossings.

They are primarily facilitated by the absence of any system for recording entry/exit movements in Europe.

Yes, you read that right.

And the route to identity fraud is a well-travelled one: "standard" checks on entering the Schengen area, followed by the destruction of identity documents to commit malevolent acts, knowing that authentication without an ID is impossible.

So the good news is that although the EES is aimed at "bona fide" visitors, in the long term, the system will act as a powerful means of preventing and detecting terrorist activities or other serious criminal offences.

The data stored in the new register for five years – including for people turned back at borders – mainly consists of:

• names,
• passport numbers,
• Four fingerprints
• and photos.

It will be accessible to border and visa granting authorities and Europol.

The system will be made available to investigating authorities to allow consultation of cross-border movements and access to travel history data.

All of this will be carried out with the strictest respect for the person's human dignity and integrity.

The mechanism is very clear on this point: the competent authorities cannot discriminate against persons based on sex, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion.

Investigations must also not discriminate against membership of a national minority, property, birth, disability, age, or sexual orientation.

Reappraisal of the Schengen Borders Code

Given the expected growth in the number of Third Country Nationals visiting the Schengen area (887M by 2025), the challenge is now to make border checks faster and simpler.

This is a particularly ambitious initiative. It will require a reappraisal of the famous Schengen Borders Code, which requires thorough checks made manually by Member State authorities at entry and exit points, without the possibility of automation.

Besides, the Schengen Borders Code has no provisions on the recording of cross-border movements. The current procedure requires only that passports be stamped with entry and exit dates.

This is the sole method available to border guards when calculating whether a right to stay has been exceeded.

Just think about it.

It's not easy when stamps are poorly printed and placed randomly throughout the passport book. Besides, a stamp can be counterfeited, and there is no electronic record in any database.

Another problem is that regular visitors and people living near borders have to replace their passports every 2 to 3 months because they run out of space for new stamps!

Let's admit it.

The whole process is archaic, given the potential offered by information technologies.

The 2013 package consisted of three proposals:

• Creation of an automated Entry/Exit System (EES)
• A Registered Traveler Program (RTP) to allow pre-vetted regular visitors to benefit from the facilitation of border checks.
• Amendment of the Schengen Borders Code

Withdrawal of the RTP initiative

Proving to be too complex to implement in the 28 Member States, the RTP initiative was eventually withdrawn and replaced by an ambitious Entry/Exit System (EES) for short-stay visitors (no more than 90 days in any period of 180 days).

The final outlay is well below that initially forecast by the Commission in 2013. Instead of the estimated billion euros, which also included an RTP component, the revised proposal of a single EES will cost "only" €480 million as the EES regulation proposal singled out.

This ambitious initiative is being implemented after a technical study conducted in 2014, followed by a prototyping phase led by the eu-LISA agency in 2015, which resulted in the withdrawal of the RTP project and a switch of focus to the EES program.

Centralised architecture managed by eu-LISA

The essential body of the EES is eu-LISA, the European agency for the operational management of large-scale IT systems, headquartered in Tallinn, with an active site in Strasbourg and a backup site in Sankt Johann Im Pongau (Austria).

The agency will be responsible for the following four tasks:

1. Development of the central system
2. Implementation of a National Uniform Interface (NUI) in each Member State
3. Secure communication between the EES and VIS central systems
4. Communication infrastructure between the central system and National Uniform Interfaces.

Each Member State will be responsible for the organisation, management, operation and maintenance of its existing national border infrastructure and its connection to the EES.

Optimised border management

All Third Country Nationals will be treated equally with the new mechanism, whether they are visa-exempt.

Therefore, the Member States will identify any irregular migrant or visitor who has crossed borders illegally and facilitate their expulsion if applicable.

The process can be assisted or automated; for instance, visitors could authenticate themselves at a self-service terminal under the supervision of a border guard, which will display the following information:

• Date, time, and border crossing point, in replacement of manual stamps
• Notification of refusal of entry if applicable
• Maximum authorised length of stay
• Notification of overstay if applicable

For the authorities of Member States, this is a revolutionary step up from the current system's inadequacies.

There's more.

The possibility of compiling robust statistics are already being anticipated, as is better management of granting or refusal of visas based on cross-border movements, in particular through information such as:

• Overstays per country
• History of cross-border movements per country

The Visa Information System (VIS) has been operational since 2015

EES: highly regulated access

But one thing's for sure.

Access to the EES is highly regulated.

Each Member State must notify eu-LISA of the law enforcement agencies authorised to consult data to prevent, detect, or investigate terrorist offences and other serious crimes.

Europol, which plays a crucial role in crime prevention, will be included in the law enforcement agencies authorised to access the system within the framework of its tasks.

In contrast, EES data cannot be transferred or made available to any third country, international organisation, or private entity established in or outside the European Union.

Of course, in the case of investigations to identify a Third Country National and prevent or detect terrorist offences, exceptions may be made.

Proportionality and privacy

Against a legislative backdrop where privacy is held as a major priority, the volume of personal data recorded in the EES will be significantly reduced, i.e., 26 data items instead of the 36 initially planned in 2013.

The mechanism will be negotiated between the European Data Protection Supervisor (EDPS) and the national authorities responsible for applying the new regulation.

The data collected will be limited to minimum information such as last name, first name, travel document, visa references, a facial image, and four fingerprints.

The date, time, and border check location will be recorded for each visit. This data will be stored for five years and not the 181 days as proposed in 2013.

Why?

This will allow border guards and consular posts to analyse applicants' travel history when issuing new visas.

EES: privacy by design

The European Commission proposal has been drawn up based on "privacy by design" principles.

From a legal standpoint, the proposal is measured concerning the right to protection of personal data; in other words, the data collected and stored and its period of retention are strictly limited to what is necessary for the system to function and meet its objectives.

The EES will be a centralised system through which the Member States cooperate, creating a common architecture and operating rules.

Given the need for uniform processes governing border checks and access to the system, only a regulation could be chosen as a legal instrument without the possibility of adaptation to national legislation.

Secure Internet access to a web service hosted by EU-LISA will allow Third Country Nationals to check their remaining authorised length of stay at any time.

Carriers such as airlines will also be able to use this function to check whether their passengers are authorised to enter the EU.

Facial biometrics: key weapon of the EES system

The EES results in radical changes to the Schengen Borders Code as it will be used to register the biometric data of all Third Country Visitors. In contrast, only those requiring a visa are recorded in the VIS today.

In terms of biometric identifiers, under the old system, ten fingerprints were planned. 

The new one combines four fingerprints and a portrait for facial recognition on entry, although either of these is acceptable for an exit.

The face is now the key to opening border crossings. The technology involved has progressed significantly over the last few years and supports traditional fingerprinting methods.

Although the European Commission no longer uses the RTP principle, it is present in all but name.

But we're jumping ahead. Here's the process.

• Four fingerprints will still be taken at the first check to verify that the traveller is not already listed in the EES or VIS.

• In the absence of a signal, the border authority will create a file, ensuring that the photograph in the Machine Readable Travel Document corresponds to the new visitor's live facial image.
   
• When they next cross a border, their face will determine whether or not they are let in.

Biometrics is the big winner.

Smile, you're in Europe! 

The time-consuming (and falsifiable) stamps on passports will be replaced by access to the EES.

Biometrics is, therefore, the big winner of the EES initiative. And no longer just in airports, as is currently the case.

Bustling sea terminals and land border posts will become the first clients of the famous automated passport control eGates currently reserved only for air travellers.

As the agency helping EU countries and Schengen associated countries manage their external borders, Frontex helps harmonise border controls across the EU.

The mission of the European Border and Coast Guard Agency is to facilitate and render more effective the application of existing and future European Union measures relating to the management of external borders.

The agency provides technical support and expertise to facilitate cooperation between border authorities in each EU country.

They have already published "Guidelines for Processing of Third‑Country Nationals through Automated Border Control."

They will play a key role in analysing and defining the capability needs in border control and supporting the Member States in developing these capabilities.

EES and the fight against identity fraud

The EES mechanism is complex and ambitious as it will make border crossing faster while also making checks and controls more robust.

Procedures for welcoming Third Country Nationals to Europe will be much-improved thanks to eGates and self-service kiosks.

In terms of migration policies and prevention of malevolent acts, it will now be possible to immediately identify people who fail to comply with entry conditions and to access their travel history.

It should also be remembered that the EES will be a powerful tool in the fight against identity fraud, particularly within the Schengen area, as each visitor will have been recorded on their arrival at an external border.

Thales and identity: more than 20 years' experience

Where do we fit in?

With its recent acquisition of Gemalto, Thales is particularly interested in the EES initiative, which is hugely dependent on biometrics and checking of travel documents.

Identification and authentication of people are two areas in which Gemalto has excelled for more than 20 years. The company contributes to more than 200 government programs in 80 countries on these issues.

It has the expertise to meet the objectives of the EES initiative, in particular through:

• Exploiting the latest technologies to authenticate travel documents, identify travellers through biometric recording operations and checks, and assess risk with access to watch lists at all border checkpoints.
• Reducing costs through process automation and optimisation while deploying new technologies to reinforce security and offer passengers greater convenience.
• Optimising border guards' tasks will supervise these devices, allowing them to focus their attention on suspicious cases.
• Reducing waiting times after registration in the EES database. This factor is not insignificant for people who live near borders and regular visitors who will devote more time to productive activities!

Self-service registration terminals and automatic or semi-automatic borders could be deployed in the next few years to speed up border checks and make access to the Schengen area more welcoming. 

These automatic and biometric terminals are already deployed in the Paris airports of Orly and Charles de Gaulle (New PARAFE smart gates).

Facial recognition was implemented in 2018.

New PARAFE biometric smart gates at Roissy – September 2017

Thales has recognised expertise in integrated border management and contributes to two major migration management systems.

• Thales biometric identification systems are a central component of the American data management system IDENT (formally US-VISIT). This biographic and biometric database contains information on more than 200 million people who have entered, attempted to enter, or exited the United States of America. The US biometric entry-exit tracking system has many similarities with the European EES.

• Since its inception, Thales has been a supplier to the biometric Eurodac (European Dactyloscopy) system. It's the most extensive multi-jurisdictional Automated Fingerprint Identification System (AFIS) globally, with 32 affiliated countries. The Eurodac system is a database containing the fingerprints of asylum seekers for each Member State and of people apprehended when attempting to cross borders illegally.

• To thwart attempted document fraud, Thales has developed sophisticated equipment to check the authenticity of documents by comparing the models in circulation (Identity Verification). Their validity is also checked by connecting to the Interpol database of Stolen and Lost Travel Documents (SLTD) or national watch lists.
• For border control, in addition to its biometric smart gates, Thales offers its document reader ​portfolio coupled with document authentication software, fingerprint scanners, biometric authentication equipment, and software such as advanced face identification, thanks to its Gemalto Cogent portfolio, one of the pioneers in biometric technology.

Highest matching speed thanks to FPGA (Field-Programmable Gate Array)

Thales's biometrics technology and matching engine have led the industry in terms of matching speed and accuracy for more than 20 years.

Our FGPA based matching engine limits the environmental impacts of a data centre while offering unique advantages:

• Fast matching speed: FPGA provides low latency, massively parallel data processing with hardware acceleration
• System cost reduction: Off-loading the heavy CPUs calculations to FPGA acceleration cards lowers CPU requirements.
• Higher power efficiency: FPGA data processing consumes much less power than CPUs to achieve the same matching throughput
• Scalability: Horizontal scaling advantage by duplicating the server entities; vertical scalability advantage by increasing the number of acceleration cards in the system
• Flexibility: Reconfigurable circuits algorithms on FPGA can be improved by reprogramming without needing to buy new hardware
• Commercial off-the-shelf (COTS): No vendor lock-in, FPGA cards can be purchased from multiple vendors

To find out more, please do not hesitate to contact us.