At the border, asylum seekers are "guilty until proven innocent"

There are few places in the world where an individual is as vulnerable as at the border of a foreign country.

As migration continues to be high on the social and political agenda, Western countries are increasingly adopting an approach that criminalises people at the border. Asylum seekers are often targeted with intrusive surveillance technologies and afforded only limited rights (including in relation to data protection), often having the effect of being treated as “guilty until proven innocent”.

This seems to be the case in Germany, one of the European countries that has been most involved in the so-called migration crisis that exploded in 2015. According to UNHCR, the country currently hosts 1.1 million refugees, the fifth highest refugee-hosting country in the world.

But in the past few years, Germany has also been heavily experimenting with an intrusive technology in the asylum process: the central German migration authority (the Bundesamt für Migration und Flüchtlinge, or BAMF) uses mobile phone extraction technology in the asylum application procedure.

This is not an isolated case, as European countries are increasingly using smartphone surveillance to investigate asylum seekers, either to assess asylum claims or to enforce the EU Dublin III Regulation (according to which asylum claims have to be processed in the first EU country the person entered).

In a recent study “Invading Refugees’ Phones: Digital Forms of Migration Control”, German NGO GFF (Gesellschaft für Freiheitsrechte / Society for Civil Rights) shed light on how this happens in Germany, “regardless of any concrete suspicion that the asylum-seekers made untruthful statements regarding their identity or country of origin”.

In theory, GFF explains, this should be a last resort measure, only to be used if there are no other methods with which the desired objective can be achieved. In practice, since many origin countries do not issue passports and many types of documents are not recognized by Germany, this applies to a large number of people: according to official numbers, 54.2% of all first-time applicants in 2018 and 49.1% in 2019 were unable to produce a valid passport, passport replacement or identification document.

Weaponising your phone against you: the German way

In the past few years, governments have adopted the dubious move of using migrants’ electronic devices as verification tools. This practice is facilitated by the use of mobile extraction tools, which allow an individual to download key data from a smartphone, including contacts, call data, text messages, stored files, location information, and more.

The assumption that obtaining data from digital devices leads to reliable evidence is flawed, even more in the case of asylum seekers: in the course of a long and dangerous trip, they may have swapped phones, they may have accessed certain sites or liked certain social media activity for a whole variety of reasons, and they may have been in touch with people whose name spelling appears on watchlists for a whole variety of reasons. And just because a person fleeing persecution from government forces does not want an agent flicking through their photos and messages, it also doesn’t mean that they are automatically lying.

In 2017 the German Federal Parliament, further developed legislation surrounding the evaluation of data carriers, approving the “Gesetz zur besseren Durchset-zung der Ausreisepflicht” (Law on Better Enforcement of the Obligation to Leave the Country), which came into force in July 2017. The GGF report explains that “among other things, this law broadened the provisions on detention pending deportation and custody of persons leaving the country, as well as the powers of the BAMF to pass on data to other authorities. In addition, the legal option of reading out refugees’ data carriers was added”.

Data-sharing, including with other government departments is one of the many concerns with the use of mobile phone extraction technology. The aforementioned 2017 law, provides the legal basis for data carrier evaluation, but also extended the possibility of transmitting data from the BAMF to other bodies, such as security authorities or the intelligence services. According to documents obtained by GFF, data transfers from the BAMF to other government agencies have increased substantially, from little more than 500 in 2015 to more than 10,000 in 2017 (even though the total number of asylum applications fell significantly during that period).

Since then, BAMF has routinely been extracting and analyzing electronic devices (the term “data carrier” allows the evaluation of a large number of other devices, such as simpler feature phones, USB sticks, hard disks, laptops or even fitness wristbands) belonging to more than 28,000 people seeking asylum in Germany in order to determine their owner’s origin and identity.

As the GFF report sets out, according to the aforementioned law, refugees are currently legally obliged to comply with the request to hand over their phone, and may even have to change settings for the authorities to extract data. This also applies to mobile devices of children, especially if no one else in their family is in possession of another device. “The extraction of mobile devices has no age limit“, BAMF internal instruction states.

However, GFF argues that the current law violates the German constitutional law, which protects the right of the individual to self-determination when it comes to personal data:

“Data carrier evaluations circumvent the basic right to informational self-determination, which has been laid down by the German Federal Constitutional Court. Refugees are subject to second-class data protection. At the same time, they are especially vulnerable and lack meaningful access to legal remedies.”

This is why the organisation says it is currently challenging the mobile phone data analysis in three different German administrative courts together with three plaintiffs and their lawyers. The plaintiffs come from Syria, Afghanistan and Cameroon. The long-term goal of the strategic litigations is to have the constitutionality of the legal basis reviewed by the Federal Constitutional Court, which is the only court that can “quash” a legal basis, i.e. declare it null and void.

An intrusive and unnecessary measure that violates people’s rights

As our work in the UK has demonstrated, even where certain statutes are relied upon to carry out mobile phone extraction, they are often inadequate and do not deal with the specific and unique intrusions posed by use of these technologies - raising numerous questions as to the legality of their use.

Mobile phone extraction also raises significant issues. BAMF claims asylum seekers are providing consent, because they are required to sign a form confirming that the device was handed over to the authorities. According to the GFF report, which relies on the descriptions given by both the persons concerned and their lawyers, not only is no information provided regarding the purposes for which the device may be used (as well as what data may be gathered, how it will be used, and with who it may be shared) but the power imbalance between the BAMF and asylum seekers further highlights how this cannot constitute a valid legal basis for this data intensive procedure.

Mobile phone extraction: how does it work?

Mobile phone extraction tools are devices that allow the authorities that have them, for example the police (or the immigration authorities in Germany as set out above) to download data from mobile phones, including: contacts, call metadata, text messages, stored files (including photos, videos, audio files, documents, etc.), app data, location information, and Wi-fi network connections (which can reveal the locations of any place where we’ve connected to wi-fi, such as our workplace and properties we’ve visited.)

Mobile phone extraction allows authorities, such as law enforcement, to access and download all of the data stored on a mobile phone. For most people, this will include the most private information they store anywhere, including their contacts, messages, web browsing history and banking information. Some tools can also download data stored in the cloud, which may include app-based data, including for popular platforms like Facebook, Google, Twitter, Instagram and more.

The information accessed by the authorities, such as police, will not only relate to one individual, but will contain personal data, such as messages or photos, related to others such as their family, friends and colleagues. The lack of strong and effective legal frameworks and a lack of implementation of others, such as data protection, mean that authorities may store all of this data indefinitely and combine it with other information they hold to build up an even more comprehensive, and therefore intrusive, picture of our lives.

According to the GFF study, the German authorities can read:

• Country codes of contacts in the address book
• Incoming and outgoing calls by duration and country code
• Incoming and outgoing SMS and messages by country code
• Language used in incoming and outgoing SMS and messages
• Browsing history according to country endings of visited web sites
• Login names and email addresses used in apps
• Location data from photos, possibly also from apps

Unsurprisingly, mobile phone extraction is also a lucrative business: Cellebrite, one of the companies tested by the BAMF, is a surveillance firm marketing itself as the “global leader in digital intelligence”, and has been offering its digital extraction devices to authorities interrogating people seeking asylum. By analysing the phone, Cellebrite claims its technology can audit a “person’s journey to identify suspicious activity prior to arrival”, track their route, run a keyword and image search through their device to identify “traces of illicit activity”, and review their online browsing and social media activity.

Is this happening in other countries?

Mobile phone extraction or similar systems are employed or about to be deployed by migration authorities in several European countries.

In Denmark, the police began reading and storing data from smartphones, SIM cards and other data carriers in 2015, as part of asylum procedures and without suspicion of crimes (503 in 2017), as reported by Danish daily newspaper Dagbladet Information.

In Norway Data extraction takes place during the registration process, similarly to German practice. Social media information is also systematically analyzed in connection with asylum applications. In October 2017, the Norwegian daily Aftenposten reported on plans for new Arrival Centers in which the Immigration Directorate and the Police Immigration Service would be permitted to use GPS paths, pictures, apps, internet activities, messages and contacts to examine asylum seekers’ applications.

In Belgium, the use of mobile phone extraction is legally allowed, though there are no reports of the law being implemented. The Belgian Data Protection Commissioner criticized the legislative initiative and stated that digital information should only be requested when needed, rather than systematically. A complaint against the law was lodged with the Belgian Constitutional Court in 2018 by CIRé (Coordination et Initiatives pour Réfugiés et Étrangers) and is currently pending.

In Austria, since September 2018, public security authorities have been permitted to remove and evaluate data carriers from refugees. The GFF report explains that “The security authorities are allowed to forward the result of the evaluation and the backup copyto the Federal Office of Foreign Affairs and Asylum. According to a reply to an inquiry by the Austrian Ministry of the Interior in July 2019, it is partly due to data protection reasons that themeasures have not yet been applied.”"

The Austrian digital rights NGO epicenter.works has criticized the fact that the police can make complete backup copies of data carriers.

Photo by Flo Karr on Unsplash