*36C3 preroll music*

Herald: Next is Bijan. Bijan. Bijan, I pronounce this. Pretty Persian. Yeah. He's an attorney, ein Rechtsanwalt it is called in Deutsch, and he works for the Gesellschaft für Freiheitsrechte in Berlin. If I'm right. Good. Give them a welcome. Applause, please. It's early in the morning. We're going to kick back here.

*applause*

Bijan: Early in the morning, only at the Congress you can call 12:30 early in the morning, but it is. And, um, well, if you've ever sat on a plane and wondered what the person three rows behind you is eating, whether they are flying alone, whether they have checked in their luggage or only hand luggage and what visa they were using when they were buying their plane ticket, then you're probably a police officer or should join the national police of any EU member state, because that is exactly what the national polices in Germany and Austria and other European member states, Europe, member states of the European Union, can do. Thanks to the PNR directive, which is the topic of today's talk. And we are going to talk and explain to you what the PNR directive and the laws transposing it into national law are all about, why this is problematic and what we can do and what we are actually doing against it in order to stop it. And Walter will start off with a few infos.

Walter: Yeah. Hello. So firstly, I would like to introduce into Epicenter Works, because we have already a history on bringing down data retention laws. So probably you know us from our fight against data retention in Europe when we still were called "AKA Vorrat Österreich". I am working for Epicenter Works on a voluntary basis. And I would like to mention my colleague Angelika Adensamer who did the main work on this for Epicenter Works. But she cannot be at Congress this year. So, flight data. It is said, I've heard that at any given point in time, one million people are on a plane in the skies flying around the globe. As you can see here.
And today, although in times of resource exhaustion, we should talk about that anyway. I am convinced today we are talking about the data protection issue about it. A big one. And we are talking about passenger name records. So what is a passenger name record, anyway? A passenger name record, as you can see here, is a data set compiled of 19 different data fields. So you can get about up to 60 different data points on one single passenger on one single flight. So, for instance, you have data in there like the first and second name, address, but also other things, metadata. More important things, like the means of payment you made, the point in time when you booked the flight and things like that. And as a specific problem about it is that there is also a free text field so airline employees can enter data there and which we cannot control. And altogether we have a quite big data set of each passenger on each flight. So this is common in the airline industry. But in 2016, the PNR directive came about.

So what is the PNR directive? It is a piece of European legislation, which was enacted in April 2016. And when we have European legislation, it's important to mention that it doesn't come out of the blue out of Brussels, but it is enacted together with from the commission, the European Parliament and the council. And the council are the governments of our member states. So we have to keep in mind that member states' governments have a big say when things like this are enacted. And it is a directive. And that means that every single member state has to transpose the content of the directive into its national law. And this had to be done until the 25th May of 2018. This was the tenth transposition deadline. And for instance, Austria and Germany made laws to transpose that into their national law. So what had they to enact?
They had to enact laws prescribing that all airlines have to transfer data of all passengers, all passenger name records of every flight, and they have to be pushed to a national police database. So unlike the telecom data retention I already mentioned, the data is not kept where it is created. But it has to be pushed from the private sector, from the airlines, to police database, databases. And the data retention directive prescribes that every flight leaving or entering the European Union must be covered by that. But in addition, every single member state also covered flights within the EU. So you have we have the full take now. Flights within the EU as well as flights leaving or entering the EU. And every single record of every single passenger of every single flight is in a police database and will be compared with existing databases, for instance, of known criminals or of stolen passports and the like. And they try to find matches there. And what they are also going to do is matching with predetermined criteria. So they will come up with flight patterns of known perpetrators, for instance, when they booked a flight and so on. They will algorithmically try to find patterns there, and then they will compare your flight passenger name records with that data. And if you have a similar behavior, than a previous perpetrator, previous criminal, for instance, then you're already under suspicion.

And this data in these databases are stored for five years and can be further used by different law enforcement agencies. So that data is not only compared and then deleted again. The storage time is five years and they do something called depersonalization about six months after the data was created. But this is not in any way an anonymisation, but they just remove some data and it can easily be identified again. So the person the data belongs to can easily be identified for the whole period of five years.
So you probably asked yourself already: First, is this effective? Well, this runs already since last year, so we have some data. First, I will present to you the data from Austria. In Austria, we found out that already until the 30th of September, 2019, almost 24 passenger name records were forwarded to the passenger name unit at the Bundeskriminalamt and 11 900 000 thousand different people were subject to that. And of these, almost 24 000 000 passenger name records, the algorithms that checking against databases already brought up 190 000 matches. So every single match, every single output the algorithm has, must be checked by a human employee. So we have sitting there people who have to check. Even this is not even the data of a year. And they have to check 190 000 matches and only 280 of them are actual hits. So if a person checks what the algorithm outputs there, then only in 0.15% of the cases the policewoman or policeman come to their conclusion: This is actually relevant for us. And if you do the math, this means that only 0.001% of all that 24 million passenger name data, your data which is checked, actually leads to a hit. And we don't even know how many actual false positives remain in these 220. This is only what the police will inspect afterwards. So we have no numbers or results if they had actual investigative results on that. But what we can say is that there are 21 employees, qualified employees, working in the passenger name, Passenger Information Unit, and this costs almost 2 million euros per year and only for checking that data in the small country of Austria. And Bijan now will present to you the data in Germany.

Bijan: The number, the data of the big neighbor, because you said small country Austria. In Germany the numbers are surprisingly similar.
We also had - have numbers up until mid of August 2019, and we have had almost 32 million passenger name records checked, which generated automatic results of matches of about 240 000, which then were checked by 40 police officers and there remained only 910 actual hits. So the fail rate was 99.6% and 0.003% of all PNRs checked led to actual hits. And even of that number, just as in Austria, we are not sure how many false positives remain. We know that there were considerably a considerable amount of false positives. We estimate them to be in the hundreds. But the law enforcement did not specify what actually, how many supposed positives remained, even among the 910. And one of the results we know is that it led to 57 arrests. We don't know for which crimes. We don't know whether these people actually committed a crime, whether they were suspected for crime, whether they were just on a watch list. But 57 arrests, assuming this is these were legitimate, this means that 0.0002% of all PNRs checked led to an arrest. And if you try to transpose this to other situations in life, you could go to a market, to some, uh, to some festival or what not, and just ask randomly people, and you would probably have with a similar probability, an arrest in the end at the end of the day. So if this holds that this whole PNR processing holds is this effectiveness is the standard that we are happy with, then you can easily take this to all other sorts of walks of life. And this is true, in our opinion, a big problem, because it will lead to a digital surveillance state, which is has come quite near with these new tools that the PNR directive provides.

What we've now just shown are the automatic is the checks against databases. That was the one thing that the PNR directive provides for. The other one is the checking against predetermined criteria.
And this is where the voodoo kind of starts, because the idea that you can merely from the data that is in the PNR, in your passenger name record, derive whether you are suspicious, or dangerous even is, at least in our opinion, pretty much voodoo, and it has serious consequences. And it might lead to automatic profiling affecting hundreds of millions of people, possibly, because everybody is checked when they and when they use a plane. Everybody's PNR record is checked against these automatic, against these predetermined criteria, and not just for crimes such as terrorism or organized crime, where you could maybe make a case that there exists such a thing as a pattern of movements where you can identify a terrorist suspect, but it is also used for crimes such as fraud or forgery or cyber crime where I would argue you cannot find the typical cyber criminal's flight pattern, flight patterns. It's just not possible.

And so but the PNR directive itself is only the one thing. We are fighting this for reasons that go way beyond the PNR processing so the processing of PNR flight data, because it may set a dangerous precedent for other mass surveillance. Already now PNR processing is being discussed for buses that cross borders, for ships and trains. And there are some countries such as Belgium that have already enacted the very much. And why stop there, might a police officer argue. Why not include rental cars that cross borders? Why not at some point include private cars that cross borders? Why not get away with that requirement of crossing borders? Why not have everybody checked all the time, maybe via their mobile phones? So when we give way to this sort of data processing with such a low threshold of effectiveness, we open the door for all sorts of, um, of activity that at least from our point of view, is illegal. And the question you were maybe asking yourself or maybe not. Is this legal? We are convinced it is not.
And luckily, we could rely on a legal opinion that the European Court of Justice ECJ has rendered two and a half years ago. There is one PNR agreement in place between the EU and the USA, which has not been challenged yet. And another agreement was supposed to be known or was negotiated between the EU Commission and Canada, and the EU Parliament then presented the question to the ECJ whether this agreement would be violating fundamental rights of the Charter of Fundamental Rights of the European Union. And the ECJ concluded that it would, in the form that it was proposed to it, breach Article 7 and 8 of that charter. Article 7 is the right to privacy and Article 8 is the right to have your data protected, your personal data protected. And we are, of course, relying heavily on that, on the arguments that the court developed and developing them even further, because, as you can imagine, the PNR, the agreement with Canada and the PNR directive are quite similar.

So what are these arguments that we are bringing up? And we've shown already that the effectiveness is highly doubtful. And this leads us to concluding that the PNR directive is disproportionate. So it violates human fundamental rights. For several reasons. One being a point that we've both raised already that PNR processing indiscriminately affects all passengers. And this is a very important point, because it makes it shows the difference between PNR processing under the PNR directive and what was formerly the data retention of telecommunications data. Because the latter would require a specific case, something must have had happened in order for the law enforcement to ask for the telecommunications data of the telecommunications provider. But our PNR data on flights is checked all the time, always, against databases, and even more importantly, the predetermined criteria, which we, of course, do not know anything about.
And this brings with it especially the last point, the predetermined criteria, are high risk of false accusations. We've already seen that 99.6% of database matching, automatic data is matching is wrongful. And imagine how much higher the number would be with checking against predetermined criteria. And that the reason why we expect many false accusations, false positives, is the so-called base rate fallacy, which basically says that when you're looking for a very small amount of people in a large dataset and you have a significant fail rate, you're very likely to produce more false positives, maybe many more false positives than true positives. So actual suspects, or not suspects, but actual terrorists. So, for instance, when you if you're checking 100 million flight passengers. And you're looking for 100 terrorists, and you have even a fail rate of 0.1%, not the 99.6 that we're talking about now, but even just 0.1%, this would render 100 000 flight passengers subject to being suspected terrorists. So you would have 100 000 false positives, 100 terrorists that let's assume all of them so that they had a positive success rate of 100 percent identifying positively as a terrorist suspect. Then you will have 100 000 false positives, 100 people that are correctly suspected. But everybody, of course, will be treated the same. And what I've listed here are just the obvious things, stigmatization at the airport by interrogation, searches of luggage of people and arrests, missing flights. And depending on the country you're in you may be in much more trouble after that.

The second point is that the data is being stored way too long. As Walter has already mentioned 5 years. Why do you need 5 years worth of data to check a database entry or against a predetermined criteria? Of course, you don't need it for that. Because you could do that immediately after a person has boarded.
You can perform the check and then you could get rid of the data, delete it after it's being used. The reason why they're storing it so long is that law enforcement and intelligence agencies have an interest that goes beyond that checking after boarding, they want to keep the data and check it in future, criminal investigations in future, looking into a person, what where they've traveled and so on and so forth. But that has nothing to do with the original purpose of PNR, the PNR directive. And what at least everybody here will know in all data storing, so data storing is in itself a problem. It's in itself a violation of fundamental rights when there is no legitimate reason to do so. But also all data storage puts the data stored at risk. And as we've mentioned already, there's the payment data, especially there's other sensitive data with whom you've traveled, whether you've traveled with light luggage or not, where you have gone to, via which place and so on and so forth.

Another point, which is a bit more complicated is that the directive does not sufficiently differentiate between crimes where automatic profiling could make sense and others. So as I have said, there may be a point in saying that the typical terrorists would fly from A to B via C without checking in luggage using this or that tourist office and so on and so forth. So maybe just assume that this is the case. This, no one can tell me that there is a typical flight pattern of a fraudster where you could ask someone define which way a fraudster typically flies and identify such a person. So what the directive would have needed to do if they wanted had wanted to check against predetermined criteria would have been to identify for which crimes - exactly, and only for these - you can use such a voodoo miracle weapon. And finally, these are not the only arguments, but the more most important ones. We expect that the false positives especially will lead to discrimination against minorities.
And one example that the German National Police, the Bundeskriminalamt has given us for a predetermined criteria are young men flying from airports from the south of Turkey to a major European city. So they're thinking about former IS fighters, IS terrorists. And as you can easily imagine what kind of people will be sitting in, on a plane that's coming from the south of Turkey to Germany or to any other European country. Of course, this will affect them disproportionately, affect minorities. And it is already now highly intransparent what how these predetermined criteria are developed. And imagine a near future where law enforcement will naturally try to involve artificial intelligence and finding patterns in the raw data of flight movements of PNR data, of the treasure they're now hoarding with a five year worth of data. And at the latest, at that point in time, it will be impossible for us to understand why a certain criterion was defined and how to challenge it when you're in the position to be arrested at the airport, for instance.

So what can we do? And that's where we come in. The two organizations that we are. We are no typical advocacy organizations, but we do strategic litigation. Because unfortunately no advocacy worked on the PNR directive. It came into force pretty much as the, um, as national law enforcement wanted it to be. And so there is one instance, one authority at the time that in Europe, in Germany, in Europe, the European Union, the courts, which can ideally, um, dismiss of the reasons of the motivations of law enforcement to have such a directive enforced and can try to objectively assess whether this is actually legal and should remain in force, stay in force or not.
And we did this through litigation both in Germany and in Austria, and both are having the same goal, which is to present to the European Court of Justice the question whether the PNR directive and any national law that is transposing the PNR directive is in violation of the Charter of Fundamental Rights. Why do we have to go? Why is the ECJ important? Because when you have a national law that directly transposes a European law, a directive, then only the ECJ can declare such a law void. There is no way for, for instance, in Germany, the federal constitutional court, the Bundesverfassungsgericht, to say that this law should not be applied any longer. This question must be presented to the ECJ. So how could we get to the ECJ? This actually was a process that took us quite a bit of time. It's been two years in the making. A year ago, we launched six different complaints of six different plaintiffs that are flying all over Europe, that we booked flights for them that led them to a European member states, a European Union member states and two states outside of the European Union. And we sent the complaints to three different courts. The one, two complaints were directed against the German national police and went to the administrative court in Wiesbaden, and four others were directed against the airplane airlines. So we tried to diversify as much as possible in order to find a judge that would agree with us that this is problematic and this needs checking. And we are optimistic that either the court in Wiesbaden or the court in Cologne will soon present these very questions to the court, whether the German transposition law and the PNR directive itself are violating fundamental rights after European of the Charter of the European Union.

Walter: So as Bijan already mentioned, our aim is to bring our case as quick as possible to the European Court of Justice. So we had different options. And in Austria, we went a third way.
We brought a case before the Austrian Data Protection Authority against the Fluggastdatenzentralstelle im Bundeskriminalamt, a passenger name unit. And we brought several different cases and we also found out that different, smaller things which we are on. But the main thing is that this case already went as planned to the Bundesverwaltungsgericht, so the federal administrative court in Austria. And from there, we hope that is also soon forwarded to the European Court of Justice. And theoretically, it would be enough if one case hits the European Court of Justice. But practically, it is, of course, very important to have different strategies because there are different speeds and so on. So that's why we also should mention another case, the Belgian case. So this Belgian human rights organization, they also brought the case before a Belgian court. In this case, it was directly the Belgian constitutional court. So they had a direct way to the constitutional court, unlike our cases in Austria, where this or in Germany where this was not possible. And therefore, the Belgian constitutional court already referred this case to the European Court of Justice. And we are hoping that our case will be soon or cases, or at least some of them will soon be joined with this case at the European Court of Justice, and then decided together.

So to sum up, we have actually a very infringing piece of legislation the PNR directive, PNR processing, as Bijan explained to us in more detail, is extremely intrusive in all flight passengers' fundamental rights. It violates fundamental rights, especially because it is already... is also ineffective and disproportionate. So we heard about these different things. The base rate fallacy that it is ineffective and disproportionate because it is not really possible to find specific suspects in such amount of data without having a lot, a real lot of false positives. So other arguments are that it is data retention in the first place.
So also already the retention of the data of people like you and me is a big problem and unlawful. And this general suspicion it leads to. So everybody becomes a suspect and can become practically a suspect, can get problems practically from that legislation without being a criminal. And yeah, we have strong arguments as we showed you already, the case of the Canada PNR directive, the PNR agreement with Canada is very similar in practice to the PNR directive. So the arguments already held before the European Court of Justice. So actually, it's a shame that this was not stopped earlier. And civil rights organizations as we are have to do that. And that's what we do. And that's also why we depend on donations. So that's also important to stress that our work people having people fully employed to do things like that cost some money. And that's where you can find us. So we have a campaign website, nopnr.eu in German and English. And you can find us, of course, on our website and both websites and find ways how to join us, how to support us. And also still today, you can meet us at our assembly in the CCL building the about freedom assembly, where both the Gesellschaft für Freiheitsrechte and Epicenter Works have their desk and you can ask all the questions. But first, ask all your questions now. Thank you.

*applause*

Herald: Thank you, Walter and Bijan, for these very clarifying statements. I suppose there are quite some questions here in the audience. Only I'm looking at someone who's grabbing a microphone now. I see the signal angel. Yes. The mic is not on. Can someone help him? Signal Angel needs a mic. Yes, it's almost there. Brains are working.

Signal Angel: Thank you. Is there a cheap method to spam for some trees, for example, by booking flight under a false name and then canceling the flight?

Bijan: Well, I think it's difficult to say. I didn't get the very first words. Sorry.
Signal Angel: Yes, the very first one was: is there a cheap method to spam, to spam for some trees?

Bijan: Yeah. Theoretically, I don't think that anything could speak against that. Yeah, but the problem is that you would need to cancel very late because, um, I think the first time they push the data, the airlines are pushing the data to the national police is 48 hours before boarding. So that might come to become a bit expensive.

*laughter*

Walter: I would want to make a general remark also on that. Of course, here, especially here, thoughts like that, how to hack the system are very important and can help. But our general approach is to take legal action to protect all people at the same way, and not only those who are able to protect themselves or hack the system or whatever. So that's the reason why we both go this general way to bring that down. Completely.

Herald: And other question here. Yes. Sorry, sir. Please.

Q: What do you expect as a result of your litigation if you are successful in court? Will ... do you expect the courts to strike down the directive entirely, or do you expect another legislative process to do the same thing again or to fix, quote unquote, the directive in very small ways just to drag out this battle and continue the practice. What do you think the effects will be?

Bijan: Well, we think that the European Court of Justice, if it follows our argument, our reasoning, it should it will strike down the PNR directive entirely, because the way it is set up is fundamentally not in accordance with what it earlier ruled so far. Unless it will change its entire history of ruling on data retention and so on and so forth. But of course, we will expect the member states to push for another legislation that may be similar, but not the exact same thing.
So I can imagine something of the sort of data retention of telecommunications, as it were, and with airlines retaining the data and keeping it for a shorter period of time and only giving it out when there is a specific request with, where there is a specific reason for law enforcement to ask for the data. I could imagine such a thing coming up again and then we would need to check whether this is illegal or not. And maybe go through the whole procedure as well. But it is it would be an immense success if the PNR directive as it stands would be void. Declared void.

Herald: Thank you. Someone else has a question. I see the person here. Microphone one, please.

Q: Hel-lo, yeah. Okay, so you had the agreement that, uh, there are a lot of false positives when they checked up PNR data. Um, do we have any information how long it takes for them to react on the PNR data if they get a positive hit? So maybe they won't react after the person has landed and already, uh, is in the country?

Bijan: They claim that they can act immediately, but we can't know that for sure. So the fact that they had 57 arrests at the airports signals that at least that in some respects this is true. But we cannot know for sure how much, how quickly they kind of react. And keep in mind, this is only the start. So, so far in Germany, right up until the point where this the data that I presented for Germany came about, there were only 9 airlines, I think, that were linked to the system. So expect there to be much more data coming in. And once they start with a predetermined criteria thing, this will multiply probably. Um, even so, I cannot imagine unless they ... have this new, um, thing with hundreds of people involved that they can act immediately in each and every case.

Herald: Thank you. There is a question again on the Internet. Yes.

Signal Angel: Yes. How come you haven't tried voiding the local at one provisions that this PNR there for intra EU flights? (???)
That seems most likely against Schengen provisions.

Bijan: We have addressed that as well. We have picked intra-EU flights also. We have not just picked flights that go extra EU, but, we've also made the point about the violation of Schengen criteria. But that is not so much that is not the focus of our argument because there are, in our opinion, much stronger ones. Because with Schengen you would need to argue that it's practically impossible to enter the country without being held up and you're not being held up in a physical form, at least not in general, generally. And so this argument is a bit more difficult than having an actual border checking of people. But we're making this point, of course. And but we rely on other points that we think are stronger.

Herald: Okay. Please. Microphone number one, please.

Q: Is there also data being collected on flights inside a country? So, for example, from Munich to Berlin.

Bijan: Not yet. Not under the directive. And theoretically, of course, that the German legislator or any other legislator could decide to include that as well, but not so far.

Herald: Number two, please. Microphone. Yeah.

Q: I was wondering how much, uh, false negatives are in there. You know, that, like, uh, these big databases. If I don't act like a normal terrorist or something than I am?

Bijan: We don't know, unfortunately, not yet. Um, I did. I think it would be very interesting, especially for the predetermined criteria, to see how many they miss. Um, but yeah. No, not nothing at.

Herald: Yeah, and there is no undo button, I think. No. No. No undo. That's always the thing that I'm worried about, you know. Then you have an announcement about France's data that go out and then you can't have an undo. So what do we do then? It's always new. Yeah, you can keep this for five years now. But who says it's there for five years and what kind of interpretation to get out of it for five years? After five years?
Bijan: You can't know in which database you will be transferred in the meantime, because law enforcement can access the data of that very data set and forth for that data and the PNR data set and put it in another data set because they have whatever reason to do so. And then these are again enlarged and enlarged. And then you will find another reason why they should remain in there for a longer time. So, yeah. That's why we're fighting this now and hoping to change the future.

Herald: How do you see your chances? Actually, uh, a long term or short term chances to get to that point is that?

Bijan: We are very convinced that we will be successful, because otherwise we wouldn't have started this. This is one of our principles. We only do things that we are convinced of being able to win and we think that we will win this. And what will come out of it? Referring to the I think the second and the second question earlier. And what will be happening in the future with other legislation? I can't know. But one argument the police is always making or in private, at least to me, are is that they're saying, well, people will get used to it and it won't be in five or 10 years. Nobody's gonna be wondering about things like this. And this is exactly what we are working against, that this never becomes normal, because if this becomes normal, as I've argued before,

*applause*

Herald: Needs an applause. Yes.

Bijan: If it becomes normal, as I've argued before, it is easy to extend it to all sorts of life and ways of life and walks of life. And this then would be in a surveillance state par excellence.

Herald: We were very close there. So we need to support them really hard. There is one last question I suggest. No. There is two questions. Number two. Yes.

Q: Does the PNR directive apply only for regular scheduled flights? So does it also apply for private flights? The general aviation business flights, etc.?

Bijan: Good question. I don't know. Actually, I look into that and.
Write me! Come, come here later and I'll check and I'll give you an answer.

Herald: Then there is one at number one.

Q: I just wanted to ask a question in response to the idea that this is becoming very normal, because one thing that I think has become very normal that hasn't been mentioned explicitly is the idea that people can be essentially put on a watch list as being a potential criminal in the absence of a crime. And we have these terrorist watch lists all over the world now. That is now the new normal. And I think that's very problematic. And can you just maybe talk about: Do we, do you see a future where we can actually get back to, you know, only arresting or investigating people because of probable cause, for example?

Bijan: Oh, I hope that this will be our future. But, uh, about that point, that very point, I'm not too optimistic, to be honest. I am optimistic about one other one. Another thing that is that these instruments that are now being created will prove to be highly ineffective, as we've so now see now already with checking against databases, that is already a lot of work and very tedious work. But with the idea that you can define criteria for people that are legitimately to be suspected of committing a crime in the future, I think it will prove, at least for the next few decades, to be quite impossible. And this is I don't know if this came across correctly sufficiently, but this is really the core issue that we have with the PNR directive. They are claiming that they can find suspects of crimes or future crimes. Imagine! Not not someone that has committed a crime or that will definitely commit a crime, but that can reasonably be suspected of committing a crime in the future, and then act upon that. And that is really a huge step into what I called voodoo, about the expectation that you can take data and prevent crime. Minority Report times. Yeah. To the power five. I don't know.

Herald: Sit back and relax.
Thank you Bijan and thank you, Walter, for this fantastic lecture. Please support them at noPNR dot EU, go to their booth as well. And thank you all.

*36C3 postroll music*

Subtitles created by c3subtitles.de in the year 2021. Join, and help us!