Council of the
European Union
Brussels, 3 June 2019
(OR. en)
9069/19
EXT 1
CT 47
COSI 99
CATS 70
ENFOPOL 217
TELECOM 207
CYBER 146
COMPET 381
RECH 247
CFSP/PESC 365
CSDP/PSDC 235
HYBRID 14
RELEX 481
ESPACE 47
IND 167
NOTE
From:
EU Counter-Terrorism Coordinator
To:
Delegations
Subject:
Disruptive technologies and internal security and justice
Introduction
Convinced of the need to rapidly put the internal security sector in a position to benefit from
digitisation while minimising the risks associated with it, at the beginning of April 2019, with the
support of the General Secretariat of the Council (GSC), the European Commission and a number
of European Union (EU) agencies, the EU Counter-Terrorism Coordinator organised an informal
seminar at ‘thecamp’, a campus in France dedicated to innovation.
9069/19 EXT 1
GdK/km
1
GSC.CTC
EN
The seminar, held over two days, afforded the opportunity to some 40 senior officials of the GSC,
the Commission, the Parliament, the main EU agencies and the European Data Protection
Supervisor (EDPS) to exchange views with around 15 experts in disruptive technologies, which are
innovations that transform parts of the economy. The main lessons set out below can be drawn from
the seminar.
This paper is meant as a contribution to the debate about mobilizing new and disruptive
technologies for security and justice, as well as fully assessing their risks. While developing
European leadership in this field will be a medium-term process, a number of immediate next steps
could be taken.
1. Acceleration of the use of new technologies in the area of internal security
New technologies represent as-yet underexploited potential in the area of internal security, as
regards detection (weak signals indicating cyber attacks, border reconnaissance or terrorist
financing flows, etc), prediction and analysis (use of big data, for example to prevent radicalisation)
and exploration or operational response (offensive capabilities in cybersecurity). The Commission
adopted an ambitious package for cybersecurity in 2017. The work DG HOME has launched on the
use of artificial intelligence (AI) for security is a step in the right direction.
1.1. A European vision of medium-term priorities for new technologies in the area of security
is urgently needed. Technological revolutions are often driven by large non-European digital
groups. The EU is capable of accomplishing major joint projects (Galileo).
It is vital that the EU
decides on the security technologies in which it wishes to play a leading role over the next five
to ten years and then takes steps to implement this vision1.
The EU needs to invest in the next
waves of technology and innovation, in which it can lead rather than merely playing catch-up.
1
China for example is strengthening its industry to become a global leader in new
technologies; the ‘Made in China 2025’ plan is interesting to consider in this context.
9069/19 EXT 1
GdK/km
2
GSC.CTC
EN
1.2. The EU also needs
sovereignty over its data: too many European companies, particularly
those involved in the area of facial recognition, train their algorithms in China because of the ease
of access to data; developing synthetic data or promoting European datasets, the auditability of
algorithms or AI that is less dependent on personal data are all avenues to explore.
It would be important for the EU to define its own
standards for access to the market for facial
recognition or post-quantum solutions.
Civilian/military cooperation at European level would be key for the development and
exploitation of new technologies, in particular with regard to specific large-scale projects such as
Galileo.
The EU would also need to
develop a real foreign policy for data: in addition to promoting our
own datasets, a
major partnership as an alternative to the increasing Chinese facial recognition
offerings would be a considerable asset for the EU.
2. Systematic assessment of the risks and threats arising from new technologies
By its nature, digitisation brings with it systemic risks.
The vulnerability of citizens, economies and
governments increases proportionately to their connectivity and interdependence, and could rocket
due to the arrival of 5G technologies and connected devices. There is now greater awareness of the
scale of cyber threats. In addition,
it is important for the EU to fully understand and anticipate
the threats posed by technological innovations: these may in fact be old technologies whose
development has speeded up as a result of new capabilities.
9069/19 EXT 1
GdK/km
3
GSC.CTC
EN
2.1. For instance,
compromised data (deep fake, fake evidence, hacking, social or political
manipulation, etc.) today represent one of the greatest risks to an AI economy, and soon, quantum
computers will be able to break any encryption, synthetic biology will enable viruses to be recreated
with ease outside of the laboratory and the human body or connected devices could be weaponized.
Social, economic and political changes have the potential to completely disrupt the existing
frameworks for ensuring security: possible scenarios like absolute transparency would allow
every citizen to constantly monitor police activity, blanket data protection would render security
services blind, there could be a shift towards privatised security or a new form of terrorism could
emerge in response to technological developments.
2.2. The digital world functions as an ecosystem in which
the private sector - particularly the
large, foreign technology groups but also globalised communities of individuals -
drives
innovation fuelled by a concentration of talent, infrastructure and capital.
Besides, many of
today’s technological revolutions are silent because they take place away from the public gaze.
The huge growth in synthetic biology, driven by the reduced cost of genome sequencing, the very
high value of human capital and an abundance of funding give rise to technology which is less
complex to handle and more accessible on open source. This
democratisation of technology is not
without risk. Globalised communities of innovators share a belief in the benefits of opening up
technology and in their capacity to regulate themselves. Thereby potentially leaving the door open
to malicious usage, as demonstrated by the widespread use of cryptocurrencies by criminal groups.
2.3. Moreover,
numerous projects using decentralised technologies aim at circumventing or
weakening States, in order to reappropriate market power for the benefit of individuals, including
in the area of functions that have until now been reserved for the State. For instance, in the area of
proving identity, States are now in direct competition with large online companies (which aim at
delivering ‘silent identification’ via their interfaces) or banking consortia. This may soon be the
case in the areas of health, education and even security.
9069/19 EXT 1
GdK/km
4
GSC.CTC
EN
2.4. Finally, the
internet’s multi-stakeholder governance model raises a number of security-
related questions. The difficulty which the private non-profit institution ICANN (Internet
Corporation for Assigned Names and Numbers) has in allowing satisfactory access to the WHOIS
registers by law enforcement and police authorities and the lack of priority regarding lawful
interceptions within international working groups on internet governance or 5G standards
demonstrate the need to address security issues in a more proactive manner in these types of fora.
3. Further developing the European governance framework for technology
Various recent Commission's initiatives in the fields of digital single market, digitizing European
industry, cybersecurity, defence, space to support development of new technologies are welcome
and important. There are growing numbers of civilian and military agencies in the field of
technological innovations in the Member States.
3.1. The EU may need to
further develop and adapt its governance in the technology fields to
be suited to the pace of innovation. It is important to be able to identify the next waves of security
technologies, quickly release sufficient capital with the freedom to fail, encourage tests and
prototyping, and decide quickly whether to accelerate or give up, aiming for industrialisation from
the outset. This methodology would be akin to that adopted by the US defence agency DARPA
(Defense Advanced Research Projects Agency), whose work has resulted in major industrial and
technological achievements in both the civilian and military spheres. In that respect, the proposal
put forward by the President of the French Republic in September 2017 for a
European research
and development agency for disruptive technologies, along the lines of DARPA, merits
consideration and implementation.
In parallel, considerations of urgency require that
a considerable proportion of the principal
technological and investment programmes (e.g. Horizon Europe, Digital Europe and InvestEU,
etc.) within the next Multiannual Financial Framework
be earmarked for security (Challenge 7,
relating to security and freedom, accounts for just under 2.5 % of the Horizon 2020 programme).
9069/19 EXT 1
GdK/km
5
GSC.CTC
EN
3.2. It may be necessary for the EU to
work in a more integrated manner, with the support of the
Member States. This updated form of governance would allow for cluster working, bringing
together entrepreneurs, researchers, funders, the public sector, civil society and the private sector. It
may also ensure
better synchronisation of security investments with military investment,
including in the space sector, which is one of the key factors in the success of the United States and
China in becoming leaders in the information economy.
3.3. Finally, this updated governance may require a new way of creating and applying
data
protection rules to new technologies, taking security interests fully into account. Data
protection regulations are indispensable for building the Security Union and giving back to
Europeans sovereignty over their data, but they should not become obstacles in principle. It is
important that a
modern European framework for personal data encourages the emergence of
new technologies, including for security. The mandates of the agencies may need to be modernized
in this context.
4. Building a joint innovation lab for the European agencies
The European Justice and Home Affairs (JHA), cybersecurity and defence agencies are technology
platforms that are already available for use by the Member States. They have advanced technical
skills and possess a substantial pool of data. The
creation of a joint innovation laboratory for
JHA agencies (the ‘lab’), under the leadership of Europol and with the strong support of other
relevant agencies such as Frontex, Cepol or Eurojust, would provide a real catalyst for innovation in
internal security. It would bring together the relevant European and national elements of the public
sector (institutions, agencies, the EDPS), academia, the private sector (startups, from small
enterprises to large corporations), and the civilian and military sectors across the entire value chain
(research, investment, production), with a view to developing products for the market. This
laboratory would have the following tasks:
9069/19 EXT 1
GdK/km
6
GSC.CTC
EN
4.1. Constantly
evaluating the risks and opportunities presented by new technologies, with the
help of the Member States and other relevant stakeholders. The laboratory would raise awareness of
the risks among the different communities of innovators and would engage in long-term forecasting
work. The lab would identify business needs of the law enforcement and judicial communities in
relation to new technologies (e.g. admissibility of e-evidence, predictive police…).
4.2. Creating a
shared data lake for the agencies in which the data would be reliable, monitored
and used to train AI tools. This would go beyond interoperability of the existing databases. A
trusted European data infrastructure (cloud), coupled with an ability to structure upstream data,
would bring real added value to the simple development of software tools. The laboratory could
work on
standardising data for the agencies. It could conduct
simulations of the misuse of
technologies, along the lines of cyber labs.
4.3. Securing access to and the use of data
in legal terms with the help of the Commission and
the EDPS. Since security, privacy, safety (industry) and transparency of algorithms (ethics) may be
conflicting concepts,
the lab could offer a deconfliction mechanism for dealing with operational
cases. In parallel, the lab could start work on principles and technological tools with the EDPS,
researchers and internet companies, with the aim in particular of exploring pseudonymisation
technologies for data transfers, anonymization technologies for data retention, and the potential of
differential privacy, or of producing specific guidelines for the internal security sector. Specific
ethical rules should also be made available by the laboratory, including in training, by harnessing
the work carried out at European level. The Joint innovation lab would also facilitate the collection
via Eurojust of information on the legal challenges encountered in particular in the field of
admissibility of evidence (i.e. reliability of evidence put in question by new technologies, role of
chain of custody and cross-examination).
9069/19 EXT 1
GdK/km
7
GSC.CTC
EN
4.4. Planning the necessary transformations within the agencies to attract
talent and create new
jobs, for example in data analysis, algorithm creation and control, data infrastructure management
or data labelling. This would also involve developing new methods of cooperation between
academic talent or the private sector and the security professions, which are themselves expected to
evolve. Attracting such talent will involve offering opportunities which combine issues of public
interest with access to exclusive data or technologies. The transformations of the public sector
would need to include a discussion on
future recruitment requirements and a definition of
innovative
training and
management arrangements for security practitioners.
4.5. Initiating
pilot projects, in accordance with the ‘DARPA’ method described above, with the
necessary flexibility. The use of blockchain technology could be trialled, for example to assist the
Europol/Eurojust joint investigation teams, or to create an alternative to informal hawala-style
messaging for the transfer of migrants’ funds or to ensure the traceability of antiquities in order to
prevent them being trafficked for the benefit of terrorist organisations, on the basis of existing
blockchain solutions and in partnership with regional or global players (e.g. the World Bank).
9069/19 EXT 1
GdK/km
8
GSC.CTC
EN