Among Centaurs and Titans

And why Greece's tech-powered border controls should concern us all

and

May 14, 2024

Migration has been a priority for Europe since 2016. However, the ongoing crisis and geopolitical tensions require more than just traditional tactics.

Recently, the EU Parliament voted to expand Eurodac, turning it from a fingerprints database into a wide biometric database, and introduced a new Migration Pact to strengthen border security. MEP Jorge Villalba, who worked on it, deems the regulation necessary and unfairly vilified, while the NGO AccessNow is afraid Eurodac may entail dangerous mass surveillance for migrants and asylum seekers.

In the meantime, with the AI Act being finalised, European Digital Rights (EDRi) warns that it may fall short of setting acceptable standards for human rights protection, notably for migrants.

You've heard this before, but it's worth repeating: technology always comes with values attached, and that can have a big impact on society. Today's story is just one more piece of evidence for this.

Greece is the setting. Homo Digitalis, a Greek NGO founded in 2018 to protect human rights in the digital space, is the main character.

In the summer of 2021, while researching on the Greece’s White Book on Digital Transformation, the state’s strategy for the period 2020-2025, Homo Digitalis’ team stumbled upon some…peculiar and sizeable investments (20 millions overall) to strengthen migration and border management in the Aegean Islands, hosting the largest migration hotspots in Greece.

They found two systems, graced with fancy mythological names, Kentavros and Hyperion, which raised concerns:

According to EDRi, KENTAUROS is a surveillance system deployed in reception and accommodation facilities for asylum seekers. It uses cameras, drones, and AI behavioural algorithms to manage digital and physical security. Reportedly, the video feedback to the algorithms is instantaneous, meaning that the biometric processing falls under the category of real-time surveillance, which is prohibited under the AI Act without special licences and impact assessments.
HYPERION is an asylum seeker management system that controls the access to the facilities through biometric identification of fingerprints, tracks services used by the asylum seeker, and provides a mobile app for asylum requests.

Right away, Homo Digitalis and EDRi initiated research on these systems. The outcome? More questions than answers.

As a consequence, Homo Digitalis addressed a letter asking for information to the Greek Ministry of Migration and Asylum (MMA) on October 2021. They wanted to know more about personal data impact assessments of the two systems and the legal basis, goals and use parameters on the KENTAUROS system.

This open letter was never answered. Following that, Homo Digitalis worked tirelessly on a European and national level, alongside other NGOs and Agencies to promote the matter further. With the support of the LIBE Committee and the UNCHR Representative in Greece, they filed an official complaint to the Greek Data Protection Authority asking to scrutinise the systems and request the justification of these investments as well as their legal basis.

The Greek DPA acted swiftly. In February of 2022, they officially launched the investigation. Two years later, in April 2024, they imposed a fine of €175,000 on the MMA and ordered the MMA to fulfil its obligations as a data controller under GDPR within a 3-month timeframe.

We interviewed Ms Niovi Vavoula, an associate law professor at Luxembourg University specialising in the intersection of Migration and Technology. She described the decision as “excellent, we couldn’t be happier about it”, but she also remarked that the process “took 2 years to go through and this is a lot for a single case.”

This can be a wave or an eye. *Either way, it’s generated with DALL-E*

Ok, you may be asking: “why should I care about Greece?”. Despite migration being a key policy issue, many would rather not hear about the infringements of asylum seekers rights, let alone privacy and data rights (which, by the way, are often considered as bourgeois rights). However as dr. Vavoula clarified: “Data rights and the legal system behind them have teeth. They’re a checklist of easily verifiable obligations and that makes them way more actionable to protect than other fundamental rights, like privacy in general or the right to an effective remedy.”

Have we piqued your interest? Well, then keep reading. Relying on an impressive and thorough research conducted by Stavrina Houssou, MPP in Public Policy and New Technology at Sciences Po and AI Policy Analyst, this Artifacts will dig deeper into this story and, eventually, persuade you why a Greek surveillance system is something we should all be concerned about.

The Story

Given the amount of information we gathered, this Artifacts will be (1) slightly longer and (2) divided into sub-paragraphs to ensure clarity. Let’s start!

Expensive tech investments lacking strategic thought and legal basis

What purpose do those sizeable investments serve? “Unfortunately, I don’t think they serve a purpose”, says Eleftherios Cheilioudakis, lawyer and co-founder of Homo Digitalis. He adds that Greece’s deep economic crisis deterred the state from big digital investments. “It wouldn’t be acceptable to have public employees unpaid, while millions are spent on drones at the borders. But this has changed: the narrative of economic rejuvenation and digitalisation in Greece has opened up the state to increasing digital investments, not necessarily critically made”, he argues.

This context leads to a fruitful environment for high economic intensity experimental investments. He clarifies that: “The adoption of such technologies testifies the rise of a business landscape interlinked with border management and state security which receives substantial EU funding, mostly by the EU Commission. Private actors develop technologies that are neither necessary nor constructive in satisfying the end goal of protecting asylum seekers, examining their applications effectively or granting asylum status. Yet, these firms are well endowed in Brussels, co-affecting the security agenda.”

More troubling is the system’s lack of transparency. Dr Vavoula says: “The securitisation approach of the Greek government often expands to the broader EU approach to migration. These systems were deployed at least partly with EU funds and we've seen that trend booming with more than 50 EU-funded tech and AI projects for migration in recent years, often involving emotion recognition tools”. The lack of scientific evidence for the efficiency and validity of AI tools for emotion recognition is affirmed in the current version of the AI Act.

This raises the question: if security is the reason for using intrusive technology, why is it being deployed in secret and without following legal procedures?

A tech testing ground on the vulnerable

For years, migrants and other vulnerable groups have been subjected to practices deviating from acceptable legal and social norms. Yet, once a line is crossed it is easier to be crossed again. Once rules for the stateless become wiggly, they can soon become so for citizens. “If technologies are developed and bought, and the legal frameworks to use them exist, it’s easy to expand their use gradually. If an intrusive tool fulfils a narrative of security today, tomorrow it can be used in airports for Schengen flights” says Mr. Cheilioudakis. (Something similar has just happened in Italy, btw).

Dr. Vavoula claims that we see similar surveillance tools being used by states first on their Nationals and then on EU Nationals, including biometric systems introduced during COVID. “Therefore, thinking that this case does not concern EU citizens more broadly, is a bit naive. It’s likely that the more these technologies are tested in the future, the more they become a given and, eventually, the more individuals get accustomed to their imposition”, she adds.

A disregard for the rule of law

Is there a reason why this happened in Greece and not somewhere else? Yes, and it is highly tied to the migration problem, which is marked by the limited capacity of reception centres and geographically challenging borders.

Technological support to mitigate such problems could be very relevant if done lawfully. This would mean following predetermined requirements such as explaining the legal basis for employing such systems and conducting impact assessments beforehand. However, the Greek MMA did not follow any of the above.

“There is a techno-solutionist approach and it is however not accompanied by a clear understanding of the potential effects on fundamental rights. Everything goes towards efficiency and modernisation”, dr. Vavoula remarks.

But this case implies a larger political and institutional context. When we asked dr. Vavoula about her assessment on the future of the DPA’s decision, she told us: “It's unclear if the Ministry intends to comply meaningfully. The resistance to this investigation and the efforts to justify their choices is distressing. Saying that the impact assessment would be done ex-post, and not ex-ante, just makes no sense. At the very least, you'd expect a legal basis for deploying these systems. In this case, the systems are deployed without a DPO, which is astonishing given the processing of personal data involved. All these show a clear lack of data protection culture.”

Mr. Cheilioudakis deems such lack of knowledge endemic in Greek political circles: “New Democracy (right-wing) implemented two systems for migration management, while SYRIZA (left-wing) commissioned the smart police initiative which uses devices to transmit biometric data of stopped individuals to the Greek police database (HELLAS). There is a European push for such initiatives. Additionally, as politicians in Greece do not seem savvy enough in tech matters, our efforts in addressing issues through Parliament have mostly fallen on deaf ears.”

Sadly, this is reflected not only in the lack of accountability for the Ministry’s violations but in the government actions to support the mechanisms responsible for data protection. Here Data Protection Authorities (DPA), the responsible national authorities for data protection and the enforcement of the GDPR in EU member states, are key. Incidentally, DPAs are also likely to become the EU AI Act’s enforcement authorities on the national level.

However, the GDPR enforcement has not been particularly optimistic, with several pitfalls, including uneven enforcement from the national DPAs due to diverse capacities and support from governments. The Greek DPA is a case in point: it has a 50-person personnel, despite organic positions for 75, and a reduced budget of 2.200 million.

All in all, intrusive and all-encompassing technologies are a recipe for fundamental rights infringement when not accompanied by protections, constraints and clear allocation of responsibilities – no matter their use case and scope.

Advanced tech will not produce dystopias overnight. But perhaps subtle, covert, unlawful uses of such technologies will render such results overtime if given enough space and not enough scrutiny.

Many thanks to mr. Cheilioudakis and dr. Vavoula for their insightful contributions