Europol operated ‘shadow’ IT systems without data safeguards: Report

Europol has operated secret data analysis platforms containing large amounts of personal information, such as identity documents, without the security and data protection safeguards required by EU law, according to a new investigation.
Running in parallel with official databases, the system operated as a “shadow IT environment” for large-scale crime analysis and was used by Europol’s cybercrime unit EC3. Despite containing sensitive data, including that of individuals not suspected of crimes, the system did not track who was accessing or modifying the data.
Among these systems is Europol’s Computer Forensic Network (CFN), which was originally established to store digital material linked to investigations. The system, however, evolved into a source for unregulated data analysis, including a large number of photos from passports and ID documents.
The data came from law enforcement authorities in EU member states, with some also provided by the U.S. Federal Bureau of Investigation (FBI).
“Having a parallel processing environment where guardrails cease to exist is cheaper, faster, and more effective,” says a former senior Europol official. “But without these, anyone is at the mercy of the guy in front of the screen.”
The findings were published by a group of investigative outlets, including the UK’s Computer Weekly, German Correctiv and Greek Solomon. The reporting is based on accounts from several former high-ranking officials, internal Europol documents and leaked emails.
The discovery comes as Europe’s police agency is poised to gain additional law-enforcement powers across the continent.
Last year, European lawmakers backed a proposal to give Europol a central role in coordinating the fight against smuggling networks and human trafficking, including processing biometrics. The agency is set to receive an additional 50 million euros (US$57.8 million) in funding and 50 new staff members.
Europol has acknowledged certain data protection issues in the past. In 2019, the agency clashed with the European Data Protection Supervisor (EDPS) over the processing of large and complex datasets, including personal data of people with no clear link to crime. The issue became known as the “Big Data Challenge.”
The policing agency, however, seems to have concealed other data issues from the European data watchdog. Among them is an intelligence tool known internally as Pressure Cooker, which allowed Europol staff to store and analyze operational data without the constraints of EU data laws or the EDPS’s knowledge, the investigation shows.
Europol has pushed back on the claims made by the report. The agency says that Pressure Cooker is the Internet-Facing Operational Environment (IFOE), which operates in accordance with EU law and in consultation with the EDPS.
Europol also says that the claim it was maintaining a parallel processing environment without guardrails is a “misrepresentation of the facts.” The damage, however, is already beginning to show.
“These revelations are shocking, after so many years of oversight and supposed compliance efforts to ensure respect for personal data and fundamental rights,” European Parliament member Saskia Bricmont (Greens/EFA) said in a statement.