Over the last two decades, the States with the world’s most advanced border security systems have embraced the concept of the ‘virtual border’. This is characterized by the advanced use of actionable information – interoperable databases, risk analysis, the sharing of advanced passenger information for extensive pre-screening – to their great benefit. The concept has been a paradigm shift when compared to the historical viewpoint of the national border as a fixed, physical line.
Border management in a virtual environment has advanced significantly from geographical borderlines in both space and time. Border management is designed to operate far beyond national boundaries; the time component of border management has also been extended, encompassing the entire pre-emptive review processes of ‘assessing security risks against data’, ‘preventing potential threats prior to arrival’, demarcating lines long before a recognizable border is reached’.
API and PNR as a key element in effectively implementing a virtual border
In the virtual border environment, Advanced Passenger Information (API) and Passenger Name Records (PNR) systems are critical. When they were initially introduced at the end of the 1980s, both systems anticipated that the virtual border would facilitate the clearance of arriving passengers at major international airports.
From a border security perspective, the API system captures the travellers’ biographical information that is contained in the machine-readable zone of a passport during airline check-in. This enables an effective evidence-based traveller risk-assessment and screening system for immigration processing, security and customs purposes.
PNR is typically contained within an airline’s reservation system and is not considered to be ‘verified’ because it is collected and stored at the time of, and then subsequent to, the original booking. PNR data can be used to identify an individual, and it is typically used for risk-based assessments of individuals where other information may not be available. For these reasons, it is more valuable in the identification of suspicious trends, relationships and travel patterns.
If API and PNR data are not systematically checked for incoming and outgoing travellers against national and international watch lists, including the relevant INTERPOL databases that should be routinely utilized when screening passengers, their utility as tools for identifying criminals and terrorists is severely compromised. INTERPOL interdiction operations at border points around the world prove very often that fugitives, terrorists and other known criminals are traversing air, land, and sea borders without detection in countries that do not systematically screen their travellers against INTERPOL’s databases.
In this context, with Resolution 2178 (2014), the UN Security Council called “upon Member States to require that airlines operating in their territories provide advance passenger information to the appropriate national authorities in order to detect the departure from their territories, or attempted entry into or transit through their territories, by means of civil aircraft” and Resolution 2396 (2017) “that Member States shall develop the capability to collect, process and analyse […] PNR data and to ensure PNR data is used by and shared with all their competent national authorities, with full respect for human rights and fundamental freedoms for the purpose of preventing, detecting and investigating terrorist offences and related travel […]”.
Resolution 2178 also acknowledges INTERPOL’s capability to “address the threat posed by foreign terrorist fighters, including through global law enforcement information sharing enabled by the use of its secure communications network, databases, and system of advisory notices, procedures to track stolen, forged identity papers and travel documents, and INTERPOL’s counter-terrorism fora and foreign terrorist fighter programme”.
INTERPOL as an enable for API/PNR worldwide
INTERPOL, through the use of a range of operational tools, is fully committed to fighting travel and identity document misuse globally. This commitment has a long history: INTERPOL’s dedication to preventing travel and identify document misuse dates back nearly document falsification were recognized in a resolution of the first International Criminal Police Commission in 1923. By 1930, specialized units had been established to deal with criminal records, currency counterfeiting and passport forgery.
Central to these efforts is INTERPOL’s Stolen and Lost Travel documents (SLTD) database.
Launched in 2002 in the wake of the 11 September 2001 terror attacks in the United States, the SLTD database is the only global repository of travel and identity documents which have been reported as stolen, lost, revoked, invalidated or stolen blank. Police throughout the 194 Member States can submit documents and search the database, which as of 25 August 2019 contained more than 90 million records submitted by 179 countries, and had been queried two billion times since the start of the year.
By developing the SLTD, INTERPOL provides its partner agencies and Member States the ability to exchange data on fraudulent travel documents both globally and securely.
One of the values the SLTD brings to global security is the possibility that it can be fully and easily integrated in national police and border management systems, including national API/PNR platforms. It is critical that the implementation of a national API/PNR system be coupled with the implementation of integrated access to all of INTERPOL’s policing capabilities, This includes the SLTD and other systems such as the Travel Documents Associated with Notices (TDAWN) application, nominals database and system of colour-coded notices which alert police to wanted criminals, missing persons and more.
The operational value of this integration is evident, since the information related to passengers and travel documents used to check-in or board a flight can be double-checked against the nominal and SLTD databases as well as TDAWN application for timely identification of potential matches.
INTERPOL supports the ‘single-window’ concept which would ensure that API/PNR data transmission from aircraft operators is sent to a common national entry point, thereby reducing the risk of miscommunication, the cost of compliance and the potential impact on the airline industry. In addition, we strongly recommend that the INTERPOL National Central Bureaus (NCBs) in each country collaborate closely on policy and technical API/PNR matters with all concerned API/PNR stakeholders, in order to enhance secure communications between national units in charge of API/PNR such as Passenger Information Units (PIU) or National Targeting Centre (NTC) and their access to INTERPOL’s systems. Only by assigning the NCB with clear responsibilities in national API/PNR system management can the systematic and automatic screening of all passengers and documents against the nominal and SLTD databases as well as TDAWN application, be achieved.
This is especially important in countries which do not have strong relations between agencies, infrastructure in place, or secure government e-mail accounts. Inclusion of the NCB representatives in the interagency PIU or NTC would be a significant asset within those offices to ensure timely and accurate international communication, with the possibility of assistance by the INTERPOL General Secretariat.
INTERPOL strongly supports API standards (i.e. UN/EDIFACT PAXLIST) and recommends their use in the development of standardized and harmonized systems. For the past 15 years, INTERPOL has offered technical solutions to its Member States such as FIND (Fixed INTERPOL Network Device), which is based on ‘web-service’ technology that connects national and border management systems with INTERPOL’s databases to provide full interoperability for screening travellers at borders.
Integrated solutions like these allow immigration and border security officers to automatically search against national, regional and INTERPOL databases with a single query when scanning a passport, and receive a consolidated response from all systems. From the time a travel document is scanned, INTERPOL systems provide a response in an average of less than two seconds. To support this, the INTERPOL Secure Cloud infrastructure provides a robust and global architecture thanks to its multiple datacentres around the world offering high availability around the clock with strong Services Level Agreements for such mission-critical border security applications.
Using the same technology through the full integration of FIND within national API systems, INTERPOL is also encouraging the interactive API (i-API) mechanism, which enables two-way, real-time communication on a passenger-by-passenger transaction basis that is initiated during check-in. This allows governments to issue “Board” or “Do not Board” responses to airline companies in real-time. Of the approximately 100 countries that have extended access to the SLTD database to their borders, generating close to 20 million searches every day against INTERPOL databases from the frontlines, several countries have been conducting advanced checks through their national API/PNR systems for years.
Finally, the technological achievement of integrating access to INTERPOL’s nominal, SLTD and TDAWN databases into national API/PNR systems is just one step towards success. For real-time checks at borders, it is equally important for countries to use these technologies effectively by implementing corresponding National Standard Operating Procedures (NSOPs) to ensure an accurate API data processing flow and appropriate process management of positive matches, or ‘hits’. The use of detailed and effective NSOPs is vital to ensuring that the management of database hit responses is rapid, accurate and appropriate, and all stakeholder agencies within a member country have a clear understanding of their roles and responsibilities.
Maintaining INTERPOL database relevance
There is a recognized need for INTERPOL to maintain the highest credibility of its databases. In this respect the Organization, along with implementing and facilitating integrated solutions for systematic API checks against its databases, also continuously urging its member countries to update its databases in a systematic and timely manner. We offer several technological solutions which facilitate the process of adding records of lost or stolen travel documents to the databases, as well as information on wanted persons. Our member countries can use the INTERPOL Web Services for Data Management (WISDM) portal to manage their records of documents reported as lost, stolen or revoked, or the I-Link application which manages the exchange of police information and international cooperation requests.
Privacy and data protection
The establishment of API systems finds its legal roots within the Chicago Convention, which sets forth internationally recognized standards and obligations for ICAO member countries. National API systems are also subject to domestic legislation within individual countries.
When national authorities receiving API data process them through INTERPOL’s information system to query them against INTERPOL databases, such processing is governed by INTERPOL’s Rules on the Processing of Data (RPD).
The RPD establishes common data processing requirements for INTERPOL’s member countries, in line with international privacy and data protection standards. The Commission for the Control of INTERPOL’s Files (CCF), an independent, impartial body, is responsible for ensuring that the processing of personal data by the INTERPOL General Secretariat conforms to the applicable INTERPOL rules. The applicability of the RPD to API data checked against INTERPOL databases, including the SLTD, guarantees individuals that their personal data shared with airlines will be treated with due respect for their rights, including their rights to privacy and data protection.