Visa-free travelers to the EU will undergo “risk” checks from 2023. Who counts as risky remains unclear

For Twitter’s Anti-Brexiteers, the upcoming end to visa-free travel to the EU, which will introduce “health and safety” background checks on UK travelers, amongst others, is a hot topic. “I guess Barry from Carlisle who punched his mate out at the pub in 1988 is staying home,” one account gloated. Another exclaimed the checks are going to be “keeping the EU safe from scumbags,” and a third eye-rolled, “bracing myself for the outraged sob stories in the Mail.” 

Countries like the United States and Australia already have systems like ESTA and ETA to cross-reference travel applications from visa free countries against (potentially inaccurate) government datasets. Unlike them, ETIAS, or the European Travel Information and Authorization System, will also include an algorithm that, lawmakers claim, can flag people who pose a vaguely-defined “risk” to “public health, security or irregular migration.” From November 2023 onwards, Frontex, the EU Border and Coast Guard Agency expects around 5 percent of future travelers to be flagged and thus potentially denied entry.

Risk assessments: the future of eu-LISA

Academic and non-governmental organizations such as Access Now want to ban automated risk-assessments like ETIAS. They argue that even if such assessments are done on legally “non-sensitive data”, like nationality, it can still lead to illegal indirect discrimination. And they are especially annoyed that the drafted AI Act right now excludes ETIAS and other EU migration databases from its scope, which offers strict protections to EU citizens who might be impacted by the same technologies. 

But to hear border security tell it, the ETIAS regulation is only the beginning. Eu-LISA is The EU’s tech equivalent to Frontex, which runs a growing set of soon-to-be-linked databases with info on non-EU citizens for migration control and security purposes. 

At the agency’s October conference in Tallinn, where it has its headquarters, Frontex deputy executive director Uku Särekanno said that AI “risk assessments and profiling” can play a big part in the future of EU border control. If Europe wants to compete with American companies like Google, Särekanno said, “eu-LISA is very well placed to develop such technologies,” because “[it] is probably the only agency in Europe with such a vast amount of data that could be used for scientific purposes.” Reactions from the audience, which included people who introduced themselves as “IT system managers”, ranged from excitement (“we could fill the gap for AI in Europe!”) to skepticism (“it’s just a panel”). 

Aside from ETIAS, there are also plans to start using an algorithm to flag “risky” visa applications. Then the next step is to develop tools that categorize “risks”. A 2020 eu-LISA report confirms that the agency is doing research on how to use Artificial Intelligence for its IT systems. The report proposes that eu-LISA could – in line with EU aims to pioneer AI “grounded in the common European values” – manage the storage of training data and resultant development of tools for law enforcement purposes. 

“Political exercise”

Eu-LISA was set up 10 years ago to manage Eurodac (a database that collects asylum seekers’ fingerprints) and the Schengen Information System (to monitor non-EU citizens suspected or convicted of criminal offenses or subject to entry bans). Since then, it keeps growing: new databases were built, for people with visas, people from non-visa countries, as well as a system to monitor the entry and exit of all non-EU citizens. “The European Commission feels like there are gaps, say oh we don’t cover this system of third country nationals, so we need to make another system,” says Niovi Vavoula, a senior lecturer on migration and security at Queen Mary University in London.

According to Vavoula, the motivation for eu-LISA’s growth is political, not practical. “It’s one hundred percent a political exercise,” she says. The sharp turn to the right in the EU’s immigration policy that occured around 2015, as well as pressure to “keep up” with similar initiatives happening in the USA and Australia, contributed to the expansion of eu-LISA’s mandate and to an increase in spending on private sector contractors. 

Where state meets industry

At October’s eu-LISA conference in Tallinn, meanwhile, a risk assessment software-pitching company showed a clip of a carefree young couple strolling through an empty airport before getting their faces scanned. One eu-LISA delegate said he wouldn’t want his face scanned and personal data used this way, and that’s why he hasn’t signed up to certain dating apps in recent years. But at eu-LISA, he said, he helps keep borders open for EU citizens. He couldn’t say why ETIAS exists, though, as “the [ETIAS] regulation was already there when I joined.” 

When asked why ETIAS exists, one engineer – whose Athens-based IT company is one of several private contractors hired by eu-LISA – said he was “jealous” that someone would be interested: “for most people here, ETIAS is just about money.” He expects the contracts to keep coming: “Right now, ETIAS is a solution, just like 10 years ago, eu-LISA was a solution. In 10 years, ETIAS will be a problem and there will be new solutions - that's how security works.” 

Frontex’s 5% 

In Warsaw, a Frontex-run “ETIAS Central Unit” is currently hiring people to work in shifts around the clock to check any ETIAS applications that are flagged as potentially “risky”. Frontex is also helping eu-LISA by developing the flagging algorithm. The agency expects that one in twenty applicants, or 5%, will be automatically selected for manual review. 

Jorge Silva Rodrigues, a Frontex project officer who is setting up the Central Unit, gives a hypothetical example of how the algorithm would work: “If we had ETIAS running during the Covid-19 situation, we’d ask specific questions relating to Covid in the application.” A person coming from a country with a high Covid incidence, he said, would be flagged. 

“I am amazed,” Vavoula, the lecturer on migration, says, when told of Silva Rodrigues’ example. The soon-to-be very powerful Frontex employees at the Central Unit ought to know that they will not be allowed to train the algorithm with pandemic data, because the ETIAS regulation only talks about “epidemic risks,” as opposed to pandemic, which implies a global spread. 

To decide what characteristics should be considered “risky”, Frontex will rely on data from EU member states – specifically, from their border guards, to find out what “indicators” border guards have used in the past, when deciding that someone from a visa-free country posed a “threat” to “public policy, internal security, public health or the international relations of any of the Schengen States.” 

The current practices of border guards in various EU member states are very controversial: police have been accused of violent crimes against people coming from visa-free countries like Albania and Serbia. In spring, officials in Poland and Ukraine were accused of stopping and intimidating people of African, Middle Eastern and South Asian descent trying to flee the war in Ukraine.  

Some member states may not even keep statistics for why people with passports from visa-free countries are turned away. “In my view, it is possible that this statistical data could be replaced by testimonies by border guards on an anecdotal basis, in order to create some idea of what's happening on the ground,” Vavoula says.