18 Jun 2024

NZ at the centre of cross-govt group sharing millions of personal traveller records between countries

From In Depth Special Projects, 5:00 am on 18 June 2024

Before anyone had even imagined the controversial AUKUS pact, New Zealand had quietly accumulated membership of some 36 ‘Anglosphere’ networks.

So far, debate about the idea of New Zealand joining the so-called ‘AUKUS pillar two’ has ensnared a former prime minister, the current foreign minister and a former Australian foreign minister. And not in any sort of small way

There are currently no official details about what the ‘alliance’ proposed by AUKUS pillar two would mean for New Zealand. 

Perhaps sharing ideas and information about cyber security? Or infrastructure? Or customs information and migrant data? Perhaps New Zealand might even host this sort of work? 

If that’s what we thought we were debating with AUKUS pillar two, we’re at least a decade too late. 

As a member of the so-called ‘Five Eyes’ nations, New Zealand’s connection into networks across the United States, Canada, Australia and the United Kingdom have developed in a range of areas and with ever-greater depth for several years. 

New Zealand hosts and pays for the administration of 'Migration 5’, a scheme which has driven the matching of up to eight million people's biometrics a year. 

It’s part of an estimated 36 ‘Anglosphere’ networks, covering 140 departments, agencies or regulatory authorities and around 1500 Anglosphere policy officials. 

“I don't think anyone would comprehend that we have the closeness of relationship that we do with the Five Eyes partners,” says Caitlin MacDonald, a New Zealand privacy consultant in the public and private sector, and member of the Privacy Foundation’s Surveillance Working Group.

US Secretary of State Antony Blinken meets with New Zealand Foreign Minister Winston Peters in the Treaty Room of the State Department in Washington, DC, April 11, 2024. (Photo by ROBERTO SCHMIDT / AFP)

Foreign Minister Winston Peters, meeting with US Secretary of State Antony Blinken in April. Photo: AFP

Close, and getting closer 

The domes that for decades marked the site of the Waihopai Valley Spy Base, in Marlborough, always had something of a sci-fi quality about them.

Erected in 1989, they were the most prominent symbol of New Zealand’s involvement in the so-called ‘Five Eyes’ network. They might even have distracted the news media, the wider public and even elected MPs from the networks between the countries that were developed in other areas. 

Australian academic Tim Legrand says there are three dozen of these different networks that have accumulated over two or three decades. 

“These networks across many portfolios establish shared policy narratives, pool institutional functions, synchronise policy, transfer best practices and undertake real-time sharing of information and intelligence,” he says. 

“Video conferencing, shared secure databases, annual conferences, secondments and embedding of senior officials all add to the deep bonds the five [countries] have forged.” 

Much of what’s shared has nothing to do with spying or international intrigue but domestic policy, starting with social welfare in the 1980s. 

The extent of the collaborations is vast and has gone unmapped for decades.

A months-long RNZ investigation has drawn out key details about one of the networks – Migration 5. It exists in the shadows, without a website (a bare-bones page was taken down in 2016), any published meeting agendas or minutes and most of its agreements hidden from the public.

It’s the same or similar for a legion of other 5s – the Border 5 (customs), the Usual 5 (cyber security), the Critical 5 (infrastructure), among them.

The British embassy in Washington, with the New Zealand embassy behind it.

 The British embassy in Washington, with the New Zealand embassy behind it. Photo: Gill Bonnett/RNZ

Migration 5 

New Zealand joined the migration alliance - then called the Four Country Conference (FCC) - in 2009. Two years earlier, the FCC agreed a migrant data-sharing protocol called the Hunter Valley Declaration. 

When the Five Country Conference transformed those arrangements from 3000 checks on migrants and refugees to cover all travellers – a total of up to eight million each year – there was no formal announcement.  

Officials from all five countries now have video calls each month, and meet twice a year, with networks within each forum having much more frequent messaging, calls and meetings. 

The FCC later became Migration 5. Little about them is published, although an annual communique from ministers gives high-level statements about policy trends and aims. Although data-sharing may be the most important part of the alliance, its other work includes sharing immigration trends, tradecraft and policies. Its work also helps to fight online child sexual abuse.

A New Zealand ministerial briefing notes Migration 5 was a consultative forum that later became an ‘action-oriented body focused on collaboration on joint initiatives and information exchange’. 

Its six working groups include a returns network, which helps authorities send people eligible for deportation to their home country.

New Zealand hosts the alliance’s permanent administration staff. The “permanent secretariat” in New Zealand does “reporting and coordination” work and provides “neutral governance advice,” according to Immigration NZ. That work equates to approximately one full-time equivalent staffing position – the cost is covered by Immigration NZ.

In March this year, the government’s Digital, Data and Insights group hosted M5 partners in Wellington for face-to-face meeting of the Data Sharing Working Group and the new Criminal Database Checking sub-group. These meetings were organised by New Zealand at relatively short notice, after the United States was unable to host as planned due to budget constraints, according to a briefing to immigration minister Erica Stanford. 

New Zealand will take its turn as chair of a full Migration 5 (M5) meeting next year. 

A 2011 document appeared to suggest New Zealand was also expected to host the server for Secure Real-Time Platform (SRTP), which powers the rapid exchange of traveller and migrant data. 

Chart showing bilateral security between NZ, UK, US, CAN, and AUS

A duplicate image of a 2011 document which seemed to place New Zealand at the centre of a planned data sharing platform. Photo: RNZ

Requests for agenda and minutes of FCM and M5 have been refused. 

Costs, benefits 

The opaqueness of Migration 5 means lines of accountability are blurred and future plans secretive.

Data-sharing has also been included in previous New Zealand technology upgrades without cost breakdowns.

Canada’s current multi-million dollar updates are believed to include interoperability components, and the other four countries are at various stages of completing their technology upgrades. 

Elspeth Guild, an immigration lawyer and professor, is among those curious about how the Five Eyes countries decided to go about migrant data-sharing.

“It always seemed to me that this was super US-driven, that nobody else was quite so concerned, or at least not so convinced that the expenditure on this is value for money in their counterterrorism operations,” Guild says.

Those costs are many millions of dollars in making technology interoperable, as well as staff costs, travel and accommodation. The existence of a Five Eyes Technology Collaboration Strategy has been noted, but not published. 

Collage of traveller, plane and visa application

Photo: RNZ

A ‘shadowy world of regulators’ 

None of the ‘5’s are household names and – as public-servant level networks – neither are they meant to be. 

Critics such as Professor Anne-Marie Slaughter see them as part of a “shadowy world of regulators bent on ‘de-politicising’ global issues” and raising “the spectre of agencies on the loose, unrestrained by democratic accountability”.

Cooperating on issues such as migration policy can be a controversial area for governments, as borders are viewed as central to sovereignty. Collaboration, though, can be critical for national security.

Legrand found out from his interviewees that the precursor to the 5’s - the Belmont Conference - was born “in the corridors and nice restaurants around the OECD”. 

In an attempt to find out what that may look like more recently, RNZ examined US congressional returns. They show several visits by Migration 5 and Border 5 delegations over many years, including a $2800 lunch bill for the US Department of Homeland Security hosting a 28-person Border 5 session in Washington DC in 2018, and a $3400 shared bar tab for 31 people later the same day. 

It also gives a glimpse into ministerial life - dinner at DC’s Michelin-recognised Blue Duck Tavern in Georgetown for five ministers in 2022, and 24 staff dined at The Smith brasserie. 

Enter, the ministers 

While officials appear to drive much of the work of the 5’s, ministers have not been unaware of its activities and have helped to set its agenda.

Immigration ministers started attending the gathering of ministers from the five countries (FCM) eight years ago. Its ministers met in Wellington last year, with issues such as people-smuggling and cyber-security on the agenda.

FCM’s priorities in recent years have also included fighting cybercrime, child sex exploitation and human trafficking. The Quintet of Attorney-Generals meets at the same time as FCM to look at complex cross-border issues.

At its 2018 meeting, the Border of the Future Strategic Vision 2030 was on the table. New Zealand, Australia, Canada, the UK and the US would work together to build the ‘touchless’ border at ports of entry for legitimate travellers and trade. They would benefit from each other’s work on emerging technologies, digitalisation and artificial intelligence, to improve real-time intelligence and information sharing. It would protect privacy and ‘investigate legislative or policy barriers’ to what it hoped to achieve.

The ministers said at the time the group “has matured to become the pre-eminent forum for collaboration among the five countries on domestic security issues.”

A year later, they declared the five countries had “a history of driving new technologies” to enhance border security and achieve faster movement of lawful travellers and goods. The ministers agreed to “leverage our investments in emerging technologies, including digitalisation and artificial intelligence” while protecting privacy.

Stylised illustration of biometric data and facial recognition technology

Photo: RNZ

The oversight question

New Zealand officials have recognised the potential for public concern about privacy, the use of information by foreign agencies or companies, and automated or algorithmic immigration decision making. But in the same breath, they have noted few concerns about the same issues overseas.

A lack of transparency worries academics, including the executive director at the Center on Privacy & Technology at Georgetown Law in Washington DC, Emily Tucker.

“Oversight, transparency and accountability are important to prevent abuse in individual cases, but also just to make it possible for political communities to step back and say: ‘Wait a minute, is this actually how we want to arrange power in our individual society or in our global society?’”

Data-sharing technology poses risks, Tucker says.

“I have so many levels of concern. It's totally possible to concede the necessity of being able to verify someone's identity for legitimate immigration processing, and not have that be the trump card that just creates unquestioned permission for anything that is necessary to have maximal efficiency in undertaking those bureaucratic tasks.

“The more sophisticated the networks become, and the more sophisticated technologies that are overlaid upon those networks, the bigger the risk of abuses.”

Caitlin MacDonald, a New Zealand privacy consultant, says a watchdog is needed to ensure information gathered for one purpose is not used for targeting, enforcement and profiling later.

Retention of data also needs oversight, she says.

“With the introduction of not only intelligence sharing, you've got artificial intelligence and sorting algorithms and profiling that can happen, making sure there's a way to be able to call out whether that’s fair or not [is important]. And the Privacy Commissioner is a really good start but I don’t think they’re well-resourced enough to do it.”

In her work, she’s been surprised by the lack of checks and balances on border agencies, compared to the intelligence community, and at how much personal data is shared with other countries.

“We have an obligation under the Privacy Act to tell people what we're doing with their data. But that's still quite high level and you can keep it basically as high level as you want, which I think is one of the failings of the Privacy Act and of government departments generally.

“It’s difficult to know what you’re going to want to do with data when you get it, and you don't necessarily want to declare or claim what you're going to do with it. It's in the interest of the agency to make it a little bit fuzzy.”

Stylised illustration of a family of four leaving a plane

Photo: RNZ

Less time in airport queues, but at what cost? 

Although the scale of transnational data-sharing may have raised privacy concerns, the next stage of Five Eyes developments may take those to another level.

A technology roadmap sets out how the five nations will grow increasingly closer, with a border of the future featuring digital travel credentials on smartphones, faster visa processing, and smoother airport visits. Yet other parts are contentious.

Not much is known about the next places the data may end up.

The European Union has been unhappy with data protection in the US and Australia for some time. But it, too, has started making immigration databases interoperable between countries.

The difference there is that the move has been subject to intense debate and parliamentary scrutiny. Challenges have been brought in British and EU courts.

Courts there have suggested a sliding scale – that the justification for fundamental rights’ interference needs to be a serious validated threat to national security, including terrorism and serious crime.

In the US, IDENT (which is being replaced by HART) is “the largest US Government biometric database and the second largest biometric database in the world, containing over 270 million identities from over 40 US agencies,” according to an official document.

Controversially, the US has made membership of its visa-waiver programme – countries whose citizens do not need visas – contingent on their governments joining in data-sharing.

The UK NGO Statewatch reported last year that the EU and USA are discussing a proposed Enhanced Border Security Partnership which would involve “continuous and systematic” transfers of biometric data in both directions. It would include most of the 27 members of the European Union, Israel, Japan, South Korea – together with the US, Britain, New Zealand and Australia.

National security justifications of course may persuade citizens and politicians to put aside concerns they may have, while others pause for thought.

South China Morning Post columnist Alex Lo is one to have put the situation into stark relief

“The West will soon be sharing their citizens’ biometric data,” Lo wrote.

“If you already think China’s state surveillance is intrusive and dystopian, you have not yet seen the brave new world that is just over the horizon.”

The independent research that informs this reporting was funded through a Fulbright scholarship, undertaken at Georgetown University in Washington DC. The views and information do not represent the Fulbright Program, the US government or the New Zealand government.