Travellers’ Surveillance: Why the UN Should Stop Supporting the Surveillance of Travellers in the Name of Countering Terrorism

[Tomaso Falchetta is the Global Advocacy Coordinator at Privacy International]

The last two decades have witnessed a sustained, widespread increase of securitisation and surveillance of international borders with every new major geopolitical development. Among many examples are 9/11, the Syrian conflict and the emergence of the foreign fighters’ phenomenon, COVID-19 Pandemic, etc. These in turn further strengthened the hand of those advocating for the expansion of the surveillance of travellers at borders. Security agencies have started to require access to travellers’ information before they leave their homes, compulsory identification of travellers now includes the collection of fingerprints and facial images, and secret watchlists, dossiers and profiles are being developed.

In this heavily surveilled context, the collection of air travellers’ data (in the form of API and PNR) may seem relatively unintrusive and inconsequential. That is not the case. Processing travellers’ data is seen by many governments and industries as necessary to respond to perceived threats of terrorism, investigate serious crimes, and more broadly, secure borders against illegal entries. Governments rely on the collection and analysis of vast amount of travellers’ data not only to identify known suspects (e.g. individuals listed in government and international organisations watchlists), but also to profile travellers, identify potential threats and act upon probabilistic predictions, ultimately making decisions that affect peoples’ lives, from denying them entry to depriving people of their liberty.

As a result, a growing number of governments require travellers’ data in the form of Advance Passenger Information (API) and Passenger Name Records (PNR) from airlines. API refers to a passenger’s identity and includes full name, date of birth, gender, citizenship and travel document data, while PNR data may contain a wider range of personal data, including passenger contact information, information relating to the means of payment or billing, information concerning baggage and general remarks regarding the passengers, such as meal preferences.

Not surprisingly some states and many private companies are offering products that promise to enable state security agencies (such as border forces) to analyse such travellers’ data (often combining it with other data sources.)

Less obviously, over the last five years the UN has started providing such surveillance capacity to states and its program is growing in reach and scope. Within the UN counter-terrorism architecture, the UN Countering Terrorist Travel Programme (UN CT Travel programme) offers UN Member States a range of support including a purpose-made software, goTravel, that enables government authorities to process travellers’ data.

In 2023, the UN Special Rapporteur on countering terrorism and human rights raised significant concerns about the UN CT Travel programme. Last year, Privacy International, the organisation I work for, published a briefing based on publicly available information on the program raising further concerns.

Some of these concerns are not uncommon to other tech solutions introduced in the name of combating terrorism. Notably, the UN CT Travel programme suffers, like other counter-terrorism policies, of mission creep, as a result of the UN Security Council broadening the purpose of the collection and analysis of API and PNR data from terrorist offences to organised crimes. As what constitutes terrorist offences is not defined by international law and is mostly left at the discretion of states, it risks allowing governments to dictate the range of conducts which justify surveillance measures on travellers. As consistently noted by the UN Special Rapporteur on counter-terrorism and human rights, broad, vaguely defined terrorist offences have led to the criminalisation and prosecution of legitimate exercise of human rights. 

Failing to Adhere to the UN Human Rights Due Diligence Policy

The goTravel software solution, provided for free by the UN CT Travel programme, raises specific concerns, as it is almost unique in the vast array of support that the UN counter-terrorism programmes offer to UN Member States. Specifically, the software provides the technical capabilities to enable security forces to analyse travellers’ data. It is true that other software solutions are on offer and that governments are free to choose from a range of products provided by private companies as well as other states. However, the UN has specific responsibilities when supporting state security forces, spelled out in the UN Human Rights Due Diligence Policy, which applies to UN support to “non-United Nations security forces”, including “border-control and similar security forces”. The policy was complemented by a guidance note in 2015.

Among the key requirements spelled out in the UN Human Rights Due Diligence Policy are prior human rights risk assessment, an implementation framework, and the capacity to intervene when faced with human rights abuses. On all three areas, the UN CT Travel programme is falling short, at least based on the scant publicly available information.

Prior Human Rights Risk Assessment 

With regards to human rights risk assessment, the 2015 guidance note states that the “risk assessment is the exercise by which a UN entity will evaluate whether “there are substantial grounds for believing that there is a real risk of the intended recipient [of support] committing grave violations of international humanitarian, human rights, or refugee law”. Such “grave violations” do not need to be committed as a result of the support provided”.  The Counter-Terrorism Committee Executive Directorate (CTED) (with ICAO and ODC) are expected to conduct “assessment and first ‘deep-dive’ missions.” While the scope of these assessments is not publicly known, the list of UN Member States receiving support from the UN CT Travel programme include a number of States with an “extremely concerning records of systematic human rights abuses”, including Sudan, subject to UN Security Council sanctions, as well as Azerbaijan, the DRC, Ethiopia, Guatemala, Kazakhstan, Mali, Nigeria, Sri Lanka, Tajikistan and Vietnam, as noted in the UN Special Rapporteur’s position paper. As such it looks the UN CT Travel programme is falling short of the requirements of the UN Human Rights Due Diligence Policy.

Specifically, in the context of border security, the consequences of the travellers’ data surveillance supported by the UN CT Travel programme can be serious and wide-ranging, affecting the right to privacy and a range of other human rights, such as freedom of movement and the right to seek asylum, freedom from arbitrary arrest, and freedom of expression. 

The Implementation Process Outlined in the UN Human Rights Due Diligence Policy

The policy puts significant emphasis on the monitoring of “recipient entity’s compliance with international humanitarian, human rights and refugee law” (paragraph 2.c.i), including by setting up “mechanisms for the effective monitoring of the recipient’s behaviour to detect grave violations of international humanitarian, human rights and refugee law and the recipient institution’s responses to any violations” (paragraph 21.c.)

Looking at the UN implementing entities involved in the UN CT travel programme, there seems to be a lack of such monitoring capacity. The Office of Counter-Terrorism and the Office of Drugs and Crimes do not monitor the implementation at a national level. As for the CTED, they do not have the mandate to query the implementation of the agreements (such as the memorandum of understanding) underpinning the relationship between the UN CT travel programme and the beneficiary Member State. It is also notable that the Office of the UN High Commissioner for Human Rights is not an implementing entity of the programme. 

Additionally, there is no publicly available information to suggest that the programme is collecting information from non-UN sources, “including local protection of civilian networks” as demanded by the Due Diligence Policy (paragraph 21.d). In fact, the lack of participation of independent civil society organisations has been one of the concerns noted in a 2023 the UN CT travel programme evaluation report.

The Capacity to Intervene 

As for the capacity to intervene to put an end to human rights abuses, publicly available information points at structural flaws in the UN CT Travel programme that are unlikely to be easily addressed. For example, the sharing of the travellers’ data across government authorities (and potentially to agencies of other states), the compilation of watchlists with names and other personal data of individuals as well as parameters of ‘risk indicators’ to be used for profiling travellers are entirely at the discretion of national state authorities.

With such discretion afforded to UN Member States, it is most concerning that once the goTravel software solution is released to a government, there is no effective mechanism to recall the software should credible allegations of human rights abuses emerge. This lack of capacity to suspend or withdraw the availability of the software seems to be at odd with the requirement in the UN Human Rights Due Diligence Policy, which demands the establishment of “well-defined procedures to guide decisions by responsible United Nations officials on whether or not violations committed by the recipient entity require intervention with the recipient entity or its command elements or, as a final resort, require the suspension or withdrawal of support under this policy” (paragraph 21.e). 

Conclusions

As governments seek to step up their capacities to surveil travellers and companies expand their offers of surveillance data analytics technologies, the UN is not the only player. However, the UN CT Travel programme has grown significantly since its inception five years ago: it now boasts more than 70 states “on board”, with the goTravel software operational in five countries. Some have argued that the UN should not be in the business of supporting states’ surveillance, particularly when it may lead to indiscriminate and untargeted surveillance of all travellers, contributing to human rights violations. What is clear is the current programme fails to mitigate risks of grave human rights abuses and to comply with the UN own human rights due diligence policy. At the very least the programme should be suspended until demonstrably effective measures to address these shortcomings are put in place.