Ministerie van Justitie

Toespraak van Programmadirecteur informatievoorziening drs. W.Ph.G. Voogt

AL SIET MEN DE LUI, MEN KENT ZE NIET (Don't judge a book by its cover)

Ladies and gentlemen, Mr Chairman, 

That well-known phenomenon, the after-lunch ‘dip’, is upon us, and I have the honour of trying to keep you awake and alert. Perhaps we can draw inspiration from our border security officers, who have to remain alert to possible threats 24 hours a day, seven days a week.  

My name is Willem Voogt. For most of my career, I have been involved with the subject of today's meeting: ports, security and technology. In my time as a Royal Netherlands Naval officer, I was of course concerned with national security and our ports. But I was also responsible for streamlining and integrating ICT facilities within the Dutch armed forces as a whole: the navy, army and air force. Cost savings were part of the objective, but mainly we were looking to improve the armed forces' operational efficiency and effectiveness.
I am not here in my capacity as a former naval officer, however – I retired on the first of November, although hopefully you can't tell. I’m here today as Director of the Information Systems Section at the office of the National Coordinator for Counterterrorism, or NCTb, a position I have held for the last two years.

The NCTb was established following the terrorist rail attacks in Madridin March 2004. Its main task is to coordinate the activities of government and private organisations which are involved in combating terrorism.

My office within the NCTb is responsible for promoting, initiating and coordinating ICT where it relates to counterterrorism, law enforcement and crisis management. We operate at the cutting edge of security, technology and process management, working closely with the Netherlands’ investigative and intelligence services.  Technology has a major part to play in security, but if I have learned one thing in my career: it is that you cannot ignore the human factor, however good your technology might be. Let me give you a couple of examples. In the last century, when cars were first fitted with anti-lock brake systems, or ABS, the designers and manufacturers were surprised to learn that they did not result in fewer accidents. On the contrary, cars with ABS were involved in more accidents than those without it. Why? Because drivers relied too heavily on the system, believing it would enable them to concentrate less and take greater risks on the road.

You can see the same effect when it comes to security cameras. There’s a well known example of a department store where thefts increased after cameras were installed. Again, the new technology did not have the desired result, and again the reason was that people had unrealistic expectations. Professionals trained to observe and monitor customer behaviour suddenly believed that the cameras were there to do their job for them. They became less alert, less attentive. Security staff viewing the monitors focused only on people who were acting in a clearly suspicious manner. At the same time, the most average looking customers, who previously would have been monitored closely on the shop floor, were suddenly left to their own devices. This phenomenon is known as 'the illusion of control’. We trust in the belief that more cameras and new technologies remove the need for us to stay alert. But this is untrue. Technology on its own does not offer greater security.

The lesson we should take from these stories is clear. The more sophisticated our technology, the higher the standards required of the people who work with it every day. With this in mind, when we speak of future developments in the security field, we should make sure that we do not think only in terms of technology. People’s behaviour, knowledge and capabilities are just as important in providing effective security. 

The same is true of our use of surveillance cameras. If we use them passively – if we are just staring at an image on a screen – we are throwing money down the drain. Cameras can serve many purposes including prevention, pattern recognition and enforcement. But it is essential that people have the right skills and training to understand and interpret what they see. Equally, if not more, important is that security does not come at the cost of civil liberties. My vision of national security is one in which society can function without restrictions, while at the same time, the safety and well-being of individuals and organisations is given the highest possible priority. This means organising security in such a way that it does not limit our ability to go about our daily business. I assume that everyone here agrees with that principle. Our Portof Rotterdam, for example, could not maintain its prominent position in world trade if security measures made it impossible to function effectively. 

We need to keep this principle in mind for the future too. No one can say for sure what the future will bring. We have plenty of scenario studies and projections for the future, but ultimately, we have to expect the unexpected. There will always be people and events that come out of nowhere to change the course of history. In the 1970s and 1980s, there was a spate of books which looked forward to the magic year 2000. If you look at them now, you won't find the fall of the Berlin Wall within their pages. Nor the rise of new world powers like Indiaand China, nor fundamentalism, email or the internet. 

So while projections and scenario studies might be useful tools, they do not remove the need for us, as security professionals, to think carefully about the future. After all, the only certainty about the future is that those who do not think about it will be unprepared for whatever comes. What we can expect is a rise in passenger and goods transport in the next ten to fifteen years. Each year, around fifty million people pass through the Netherlands’ largest airport, Schiphol. By the year 2020, that number is expected to have more than doubled. And we can expect to see the same thing here in Rotterdam and elsewhere. 

This enormous growth presents us with a major challenge. We will be dealing with much more passengers and goods than is now the case. We will need to be able to prevent the entry or exit of people who pose a security risk, either here or elsewhere. And at the same time we will need to ensure that bona fide passengers and legal goods can move as freely, and therefore as quickly, across our borders as possible. Given this degree of growth, I believe that retaining our current border control methods will ultimately be counterproductive. It will also lead to longer queues and delays at the borders and all the consequences this entails, not least for our economies. We have inherited current border control methods from the past. Where passenger transport is concerned, the guiding principle has always been nationality. Has the passenger come from his own country, or from a country for which a visa is, or is not, required? Later, faced with terrorism, organised crime and the threat of fast-spreading epidemics, border control acquired a new dimension. Another part of the legacy was the notion that security begins and ends at one’s own border. That our actions in the Netherlands affected the Netherlands and no one else. We didn't need help from other countries and they didn't need us. 

In the past, the number of different public and private organisations involved in border control was easy to keep track of. Now, in the age of globalisation and the associated increase in the international movement of people and goods, we are seeing a huge range of organisations, from many different countries, represented at our air and seaports. Continuing to work as we have always done, basically means more of the same: more people, more technology, more costs. And this will take up more space, which, in a densely populated country like ours, is truly scarce. Space that could be used for other purposes. If we continue with the same approach in the future, eventually we will hit a dead end. The task awaiting us in the next ten to fifteen years requires a new way of thinking. We need to find new solutions for border control. We need a new paradigm. 

I believe we can summarise that new paradigm in three simple words: smarter, faster, better

• Smarter for the controls
• Faster for the: processing of passengers and goods
• Better the organisation, use of information, ICT, cooperation and shared experience

Smarter
Current border control methods have much in common with primitive mining techniques. Enormous quantities of soil are sifted in the hope of finding a diamond or a lump of gold. In border control, we are looking for the proverbial needle in a haystack. I believe we must be smarter in how we do this, and that we should focus on places where we know we have the best chance of ‘striking gold’. There’s a term for this approach: positive profiling.

At this moment, virtually every passenger is checked and this is unsatisfactory for everyone concerned. Passengers need to be at the airport hours before their flights leave and they have to wait in line to be checked. This costs the airlines money and they are forced to adapt their business processes to accommodate security delays. The result is a negative effect on our economy. Positive profiling makes the security process faster and more efficient. The technique assumes that the vast majority of passengers are bona fide travellers and pose no security risk. For them, the current system of border controls is inconvenient and time-consuming. In fact, a single, brief inspection should be sufficient for this kind of person.

We would do better to focus our efforts on the small number of passengers who may not be bona fide. After all, they are the ones who pose a security risk. And the question you are no doubt all asking is how we can distinguish bona fide travellers from people who pose a threat. We do it with profiling, a form of analysis that observes and evaluates characteristics, whether of people, goods or situations. Which characteristics are observed and how they are evaluated depends on the level of risk which can be detected. A potential terrorist has different characteristics from a traveller who may be unwittingly carrying a highly infectious disease. 

Positive profiling is a robust analytical technique. It is used by the insurance industry, which evaluates clients based on estimated future risks. It is used in law enforcement as a means of selecting suspect companies or locations for investigation. And it is used by the Dutch Tax and Customs Administration. Here in Rotterdam, too, Dutch Customs has introduced positive profiling. It would be impossible for them to inspect every one of the millions of containers that enter and leave the port. A sample has to be selected, and the authorities use this technique to determine which containers will be inspected. The key to positive profiling is selection. In fact, selection is often the key to successful strategies. In a national security context, it means concentrating on the things that may pose a risk. In police strategies, it means focusing on potential victims, offenders, locations and timings.  

Positive profiling can also be used in a border control context. It means targeting attention on offenders or goods which pose a threat to the legal order. Positive profiling could bring real benefits for passengers, carriers and the organisations tasked with border control. Profiling actually requires only two steps:

1. evaluating the security risk posed by the passenger (risk assessment)
2. establishing the passenger’s identity as accurately as possible

Let’s consider the risk assessment first.

Risk assessment
It is essential that the authorities can establish in advance whether or not a passenger should be considered bona fide. In order to do so, certain details need to be available before the traveller reaches the border. We don’t need a full life history. We don’t even need detailed background information. In principle, the only details required are those already known to the carrier prior to departure – details such as passport number, travel destination and flight number. The general term is API or advanced passenger information. The carrier may also have additional information, such as credit card details, travel history and so forth. This information is broader than the API details and is known as PNR, or passenger name record.

Having temporary access to API details, supplemented with PNR information where possible, makes it possible to compare this data with information stored in a number of other databases. So before travellers even reach a border, they can be divided into two groups: one bona fide and the other potentially not. In principle, the group of bona fide passengers can cross the border as swiftly as possible, provided procedures at the border are well organised and that it is possible to establish the identity of the bona fide passenger quickly. 

Faster
To establishing identity, we need something that can tell us whether the person trying to cross the border is who he or she claims to be. With today’s available technology, we can use an RFID, or radio frequency ID chip, to do just that. It may sound far-fetched, but right here, in Rotterdam’s Baja Beach Club disco, regulars can have a chip implanted into their arm. They can use it to pay, or as a kind of bonus card, with special privileges such as free entrance for you and a guest. And the disco isn’t the only place we can find these chips. They are used throughout the consumer world, to identify PCs, printers, audio equipment and vehicles. This is comparable to identification techniques which use biometrics, such as iris scanning and fingerprinting. From a security point of view, biometric identification is ideal, for there is a direct relationship between the method of identification and the person being identified. This means that identification and authentication can take place simultaneously and thus faster, the second of our key words.

The United Kingdom plans to implement this type of system shortly. It is part of their Strategic Action Plan for the National Identity Scheme. One of the reasons for the scheme is the fact that Londonwill be hosting the Olympic Games in 2012. For the authorities, this will mean dealing with huge numbers of foreign visitors. The application of biometrics here could be very useful indeed. I believe that we should definitely not rule out the large scale introduction of biometrics in the future. We should think about it very seriously. It would be beneficial for everyone. Firstly for travellers, for whom biometrics would mean less inconvenience, shorter waiting times and, once they have seen the results, a feeling of greater security. It would benefit the carriers, by speeding up the security and boarding process. Finally, the system would speed up border controls, making them more efficient and more cost-effective.

Here and elsewhere, however, the use of such technology is still unimaginable for most people. In fact, it’s practically taboo. Concerns are raised whenever such technologies are discussed in the context of the relationship between citizens and government, and they are mainly emotional concerns. People view it as a step in the direction of Orwell’s totalitarian state, where Big Brother sees and controls everything. People tend to miss the point that Orwell’s book was actually a warning against such a state, not a handbook for it. But whatever its merits, introducing biometrics on a large scale now would meet with too much opposition. Having said that, I am still optimistic about the future.

A recent pilot project at Schiphol airport gives further cause for optimism. This was a security scan pilot, where a body scan is made using radio waves that reflect off the skin. The scan is made inside a closed chamber and reveals more than existing methods. As well as metal objects, the scan can also detect plastics and ceramics. And it takes no longer than a couple of seconds to perform. 

Before it started, there was some resistance to the pilot, partly because of the use of this technology. But the pilot was ultimately a success – people found the process worked well, was customer-friendly and saved them time. So in the longer term, I feel positive about the application of biometrics. In the short term, we can try to promote the acceptance and use of this technology. I believe the key word here is trust. People’s concerns about the use of personal data are not entirely unfounded. The government sometimes seems like a bottomless pit of information. People already have to submit personal details to countless organisations in countless locations. And they often feel that it is not their interests that are being served. Despite all the information the government requires us to provide, people don’t have the impression that government services are improving as a result. Instead of getting simpler, it seems increasingly difficult to find one’s way through the bureaucratic maze. 

The association in the public mind between an inefficient, unresponsive government and what it perceives as an interfering government is perhaps at the root of this resistance to information capture, biometrics and so forth. So I consider it an important challenge for the future that we try to remove this resistance and above all this lack of trust. We can do this firstly by making our intentions as clear as possible. After all, we are not talking about a government that wants to pry into all its citizens’ affairs. We are talking about safeguarding national security in the way I have already outlined: promoting the safety and well-being of society – individuals and organisations – while ensuring that it is not inconvenienced or disrupted by security procedures. We simply cannot emphasise this message strongly enough. 

Second, we should try to encourage public acceptance of biometrics by generating enthusiasm for what it can offer. This technology need not be viewed as just the latest curb on our civil liberties. We can also show people the advantages. Less inconvenience and quicker security checks at the border or the airport. And we can promote acceptance by offering incentives. What about preferential seat allocation on aircraft? Anyone on a transatlantic flight, and taller than 1.80 metres, will surely find that an attractive option! 

Better
The third keyword in this new paradigm is better. Here I am thinking of the organisation of border controls and the management of risk. And as we consider this aspect, I’m afraid we will need to ask ourselves some searching questions.  

The organisation of information and security is not one of the government’s strong points. Last spring, the Advisory Committee on Security and Intelligence published a worrying report. It did not grade the bodies responsible for information and security, but if it had done, the grade would not have been very high. The report spoke of poor cooperation between government organisations, too little sharing of information, fragmented legislation and problems in the relations between public and private organisations. Many of the problems the advisory committee identified are not new. In fact they have surfaced in previous reports. But the recommendations that emerged soon became bogged down in the bureaucratic trenches. I believe it is high time that we learn from these experiences. It’s time to start implementing these recommendations at a practical level. Taking concrete steps to improve would be an improvement in itself. And we will have to improve if we want to work faster.

Both the government and the authorities tasked with border control ask various things of passengers and private companies. We expect passengers to cooperate as we establish their identities, and I’ve already indicated my preference for using biometrics to do this. We ask private companies to provide information on passengers in a timely fashion. It is only logical, then, that the border authorities should have their own affairs in order. By the time the bona fide traveller reaches the border, the authorities should already have done what they need to do to ensure that the traveller can proceed quickly and easily. If the government wants to achieve this goal, it will first need to do two things:

• collection of information: reduce complexity
• analysis: remove the sources of errors

We must reduce the complexity of collecting information. There are currently a great many people and organisations asking for and providing all kinds of data. Most exchanges are bilateral, and every organisation has its own rules on how it handles the information it receives. This is already a highly complex structure, but it is one which unfortunately is also characterised by high and low-trust relationships. Add to this the difficulty, due to privacy laws, of supervising how information is used, and a complex set-up gets even harder to untangle. But this complex matrix of givers and receivers of information can be made simpler, and it must be done by promoting a higher trust environment. As far as I’m concerned, the one-stop shop principle is the most obvious solution. In my view, the onus is on the government to take the initiative and work closely, as a reliable partner, with the various private parties involved. 

Whenever someone arrives at a border, we need to know with the greatest possible certainty whether he or she is bona fide or not. The quality of our information analysis deserves the highest priority, in the interests of every bona fide passenger. The first step, as I see it, is to eliminate, as far as possible, the sources of errors. One unfortunate, but all too familiar problem is the lack of information sharing. The facts are all available, but accurate conclusions cannot be drawn because the information is spread across numerous organisations. This problem haunts every dedicated politician or civil servant. 

One way to address this could be to manage risk analysis in a more collaborative way. Both here and elsewhere, the experience of so-called fusion centres in producing common analyses has been incredibly encouraging. Within a fusion centre, organisations maintain their own autonomy but analyse data as a parts of a wider team. A team that is greater than the sum of its parts.  

Ladies and gentlemen, 

I began by expressing my hope that this lecture would keep you awake through the after lunch ‘dip’. I hope I have succeeded, and that that my message has been loud and clear. 

In the next ten to twenty years, we will face the challenge of dealing effectively with the expected increase in travellers and goods moving across land, air and sea. If we continue to approach, and organise, border control activities in the same way, we will create problems for everyone. Ourselves, the public, and the business community. We need a new approach. We need a new paradigm. 

• Smarter
• Faster
• Better

Thank you.