DATA SECURITY SCANDAL: SENSITIVE SIS-FILES FOUND AT RAILWAY STATION

FECL 52 (December 1997)

Two Belgian officials with access to the Schengen countries' common police and security data base, SIS, are being detained on suspicion of having leaked thousands of highly sensitive personal records from the Schengen Information System (SIS) to circles involved in organised crime. A print copy of SIS-data was found on a railway station in Gent, Belgium in November. The incident has further fuelled longstanding concern about data security and data protection in the SIS. Both the Schengen Secretariat and the Belgian authorities are trying to conceal the scandal from the public.

According to Josef Colbin, assistant prosecutor at the public prosecutor's office in Brussels, the data files found at a place accessible to the public at the Gent railway station concerned one single person registered in the SIS for criminal search. But, the Belgian police seized additional secret files - originating from the SIS - at a house search in the home of a civil servant working at the the Ministry of Justice.

The man was arrested on 3 December and is being detained pending further investigation together with two other suspects - a staff member of the Belgian SIS-SIRENE office and a private acquaintance.

According to preliminary investigation, the main suspect was paid by organised crime circles for providing them with information stored in the SIS. Quoting a spokesman of the Belgian Schengen Secretariat, the news agency Reuters reported that several thousands of secret personal files had been sold to criminal gangs.

In the meantime, officials in Belgium and on the Schengen level are trying hard to play down the significance of the incident as regards data protection and security in the SIS. "The matter is about bribery with international ramifications rather than lacking electronic data security", prosecutor Colbin told the Danish newspaper, Politiken. A spokesman for the Schengen Secretariat referred journalists asking for information on the case to the Belgian authorities, claiming the leak had nothing to do with Schengen and the SIS, but was a "purely Belgian problem". In his turn, director van Rie of Belgium's General Police Support Service is refusing to comment on the case, referring to a Court decision prohibiting any further disclosure of facts relating to the leak.

The leak in the SIS has provoked widespread dismay and consternation. The Danish Minister of Justice, Frank Jensen says the leak is "unacceptable" and has requested a report from his Belgian colleague at the Schengen Executive Committee's meeting of 15 December. Alex Turc, the French president of Schengen's data protection board, the Joint Supervisory Authority (JSA), called an extraordinary meeting for 12 December. Mr Turc said he was "very concerned" about the incident but also pointed out that the mandate of the JSA is limited to the supervision of the central support unit of the SIS (C-SIS) in Strasbourg. The JSA has neither the means nor the competence to check the correct application of data protection and security regulations on the level of the national SIS units (N-SIS). A leading legal expert in the field of electronic data processing and professor at the university of Copenhagen, Peter Blume calls the leak a "scandal" and a "gross breach of security in the SIS". He says the incident shows that "one is obviously unable to control the use of one of the most sensitive data registers existing".

Sources: Klassekampen, 29.11.97; Information, 3.12.97, 4.12.97; Politiken, 4.12.97; Reuters, 15.12.97.

Comment

That sensitive personal files from the SIS, Europe's largest and most advanced electronic data base in the field of criminal search, public order and security, can be found lying around in a railway station, the most public space one can imagine, is a scandal indeed. But for those who have followed the setting up and steady extension of the SIS, the leak does not come as a surprise.

Already in 1995, direct access to the SIS was possible from more than 30,000 computer terminals. In 1996, more than 60 different authorities (in the then 7 countries implementing the Schengen Convention) had direct full or partial access to the SIS. The setting up of the SIRENE network for the exchange of "supplementary information" (relating to search requests in the SIS) is likely to have further widened the circulation of sensitive information.

As late as March 1997, the Schengen countries own data protection body, the JSA, in its first annual report, warned against the barely controllable extent of data storing, processing and exchange enabled by the SIS and the "complementary" SIRENE network (see FECL No.51: "Schengen data protection authority: no phone number, no secretariat, no powers") . Among other things, the JSA expressly criticised the fact that too many people have so-called "super user" access to the SIS, enabling them not only to obtain access to any data base of the system, but also to change their content in such a way that the operation cannot be traced.

After the embarrassing discovery at the Gent railway station, the Schengen officials and ministers in charge will obviously try to appease public concern by announcing a plethora of technical and legal measures preventing leaks in the future. However, some scepticism as to the effect of such measures is called for. As a matter of fact, the real scandal is not the individual leak that occurred in Belgium. The real scandal is the very concept of the SIS as a literally boundless trans-national register not only for criminal search but also for pro-active purposes of maintenance of public order and state security. As long as such a register exists, leaks will continue to occur.

Another disquieting aspect of the story is the question of the responsible authorities attempting to hush up the incident. The leak was first revealed by Portuguese television and not by Belgian mass media. This suggests that the Belgian authorities intended to conceal the scandal.

We may draw the conclusion from the above that it is easier for organised criminal circles to obtain information from the Schengen Information System, than for the public to obtain information on the state of Schengen cooperation.

But this is, of course, a purely Belgian problem...

N.B.