New Zealand and its Five Eyes partners have for the past 15 years built a burgeoning network to share ever more information about the people who cross each country’s border. Photo / Brett Phibbs
The independent research that informs this reporting was funded through a Fulbright scholarship undertaken at Georgetown University in Washington DC. The views and information do not represent the Fulbright Programme, the US government or the New Zealand Government.
What started as a scheme to check the identities of a few thousand asylum seekers has spiralled into a vast network of data about everyone who comes and goes from the Five Eyes nations.
On the third floor of a central Auckland office building, people are silently queueing. The atmosphere is tense. It’s always tense.
Day after day, people lined up at the United States Consulate anxiously wait, clutching the myriad documents they need to work or study in America. They’ve sent in their applications, given up their personal details, their social media handles, their photos, and evidence of their reason for visiting. They press their fingerprints on to a machine to be digitally recorded. Then, a brief (and sometimes harsh) interview with an official at a counter window in full view of an uneasy queue.
Travellers do all of this in exchange for the privilege of visiting someone else’s country — and on the assumption that what they share about themselves won’t go any further. After all, you can’t refuse to give it, and you can’t ask for it back.
But in 2024, that personal information can crisscross the planet in seconds. There’s no way of knowing how it is used, or which countries it ends up in.
New Zealand, the US, Australia, Canada, and the United Kingdom — commonly known as the Five Eyes partners — have for the past 15 years built a burgeoning network to share ever more information about the people who cross each country’s border.
At first, the agreement was to check mainly asylum seekers’ fingerprints with one another — up to 3000 fingerprints each annually. When there was a match, more information would be shared.
But the hunger for more data has had that jump to 30,000 and then 400,000 — per country, per partner, per year — a total of 8 million checks. And it’s now not only asylum seekers, but any traveller, visitor or migrant. Those “maximums” can also be increased by mutual consent. The UK now says it may reach the point where it checks everyone it can with its Migration 5 partners.
This has all happened largely without public discussion and seemingly little oversight.
But a months-long RNZ investigation has drawn out key details. Using background interviews with officials and experts, documents obtained from countries under official information laws, US Congressional reports and archive records, this is the story of how Migration 5 was formed, what is being shared and why it has all been such a closely guarded secret.
The birth of the Migration 5
Migration 5′s goal has developed into a slogan: “Known to One, Known to All.” The five countries want to share everything they know about everyone who enters their respective countries.
It was preceded by a defence pact reached after World War II for intelligence sharing. New Zealand, Australia, Canada, the US and the UK built on those arrangements over time.
After the September 11, 2001 terror attacks on the US, a “no-fly list” was shared among states. But it had errors caused by its reliance on names. Photos were more readily available than fingerprints through immigration records, but matching them is much more fraught, controversial and inaccurate.
Biometrics was quickly recognised as a better way to track the “bad guys”.
The case for biometrics
The alliance — formerly called the Five Country Conference (FCC) — initially conducted its matches and information-sharing by sending fingerprints through a system hosted by Australia.
Manual checks on biometrics and other information were time-consuming and turnaround times were days rather than hours at the beginning.
Instead of keeping fingerprints of only criminals and terrorists on a centralised database and comparing travellers’ prints against them, Migration 5 took the opposite approach. Its countries would keep biometrics of any traveller, and allow its partners to access them if they found a match. They did not need to have a reason to look at the records.
This was facilitated via the High Value Data Sharing Protocol, agreed by the FCC in the late 2000s.
New Zealand began sharing data with the FCC countries in 2011.
In the same year, the Migration 5 group (M5) was working on the next iteration of technology to speed up the process of biometric checks, enable automation and increased numbers: the Secure Real-Time Platform (SRTP).
M5 documents stress it was not building a global database because countries could not “go fishing” for data. Instead, a request with anonymised fingerprints would be sent and checked bilaterally, and destroyed unless a match was found.
The main limitation to fingerprints for Migrant 5 was that only people who needed visas generally had to provide them — usually via privately owned visa application centres overseas — and it did not capture fingerprints or other information from visa-waiver countries. There were 80 joint centres by 2017.
Electronic travel authorisations (ESTAs, or ETAs) began in the US in 2009. Eventually, all its partners — New Zealand months before the pandemic — made the same move.
However, gaps remained for countries wanting knowledge of first-time travellers, including those arriving on ETAs or through the land borders with Canada and Mexico.
In the 2010s, the FCC looked again at sharing more readily available biographic data — such as names, and dates of birth — in an expanded and more nuanced version of the No-Fly List. Passenger name records taken from airlines and travel agents could now also be stored, compared and shared.
Deals done on the down-low
The data-matching — to weed out false identities, criminals and terrorists — increased more than hundredfold over its first decade.
At the same time, a patchwork of memorandums of agreement, arrangement and implementation were signed here and elsewhere in the M5 countries. None of them were published here. New Zealand’s agreement with the UK could not even be released under the Official Information Act. Only one was signed by a minister, the rest by officials.
The memorandums and their many annexes are not legally binding. The UK exchanged notes via its embassy with the US to signal that both countries had expanded the data checks to include their countries’ citizens. There was no discussion on the move in its parliament.
In 2013, the US and UK signed a deal for automated data-sharing in Queenstown.
It didn’t reference the migration alliance between the UK, New Zealand, Australia, Canada and the US, nor did it suggest that each of the countries was agreeing to do the same. It went largely unnoticed.
“The audacity of the agreement is astonishing,” says UK immigration professor and lawyer Elspeth Guild.
Despite its advanced operations and data reach, little has been publicly shared about Migration 5′s existence, the protocol the five signed to use one another’s data on migrants and refugees, or how policies and ideas are discussed.
The agreements that underpin it are obscure and can be changed without approval from a watchdog, minister or parliament. Privacy impact assessments are the only public notification in New Zealand of their existence. In contrast, data-sharing agreements between domestic government agencies are published in full on official websites, as are regular reviews.
Among the bilateral agreements and other joint documents signed by New Zealand, all but one were signed by officials. The exception was the agreement with the US signed by then-Immigration Minister Michael Woodhouse in May 2017.
He told RNZ via email: “The FCC framework (as it was known then) and data sharing protocols were in place well before I became minister and was largely administered by INZ. Apart from attending an FCC forum in Queenstown during my time, I don’t have a strong recollection of it being on my radar.”
An implementing arrangement signed a few months later by an unidentified MBIE official, a fortnight after the Labour-NZ First coalition agreement was signed in November 2017, has more information on the deal, including details of whose data was being shared.
The 35 items of information that can be shared among M5 members include an applicant’s family members, medical history and travel records. The New Zealand agreement with Canada allows it to share details of New Zealand residents, a group of more than 1.1 million people.
By 2020, with barely a word spoken in public about the group’s existence, officials from all five countries were meeting each month, and plans were drawn up with a vision of the touchless border of the future. It now shares tourists, migrants and refugee claimants’ personal data among its partners on an unprecedented scale.
‘Nothing to hide’
Sebastian was 6 weeks old when he was identified by an airport check-in assistant as being on the terrorist no-fly list.
“She took us aside and in a hushed voice, she told us, ‘it’s because he’s getting flagged’,” says his Canadian dad Zamir Khan, of the moment a year later when it happened again, and they found out their toddler was being mistaken for someone with the same name.
He spearheaded an advocacy group of other families with babies on watchlists for six years before the Canadian government fixed the system. It’s made him wary of immigration regimes that have no oversight, and despite his above-average knowledge of border systems as a result of his work, he has never heard of Migration 5.
He’s worried that an understandable focus on terrorism has led to border policies that are less evidence-based and fair. “What I’m against is implementing systems and having no accountability or transparency or reporting to show that they’re doing more good than harm.
“People who aren’t bad actors may get a bad mark on their record. And I can only imagine if it happened in that system how difficult, if not impossible, it would be to scrub that kind of information or to ever redeem yourself.”
In the Migration 5′s original data-sharing plans, the member nations could keep data for a maximum of 10 years. Now, it’s up to the country that receives the information, and the time limits it has in domestic law. For the US, that is 75 years.
New Zealand, which retains biometric data it collects from migrants for 50 years, has agreements for up to 400,000 requests each year — 1.6 million if that is taken up by each of the four partners. These maximums can be increased by “mutual consent”. It also shares the biographic data with the Cook Islands and both biometric and biographic information with Japan.
Jamie Duncan, of Toronto University, who is researching Migration 5 data-sharing, says the next step is centralising information into a single repository that all countries can access at the same time. “In a similar way to the FBI no-fly list, there is no clear framework for accountability and no mechanisms for redress,” he says.
In New Zealand, a Biometric Capability Upgrade (BCU), costing $35 million, will go live in October after tests are finished and pending governance approval.
Immigration Risk and Border general manager Michael Alp says early detection prevents people caught up in fraud and potential trafficking from coming into the country. “When completed, the BCU will also provide additional capability in matching images and improve efficiency. This means that applications will be able to progress through the identity stage of processing faster.
“Being part of M5 allows us to deliver our immigration functions more effectively, and therefore improve the overall integrity of the immigration system. The SRTP is not based in one country. Each country in the M5 hosts their own version of the system, and the systems communicate with one another to enable data sharing. Members do not share their own citizens’ data.”
The extent and secrecy of the network concerns Chris Jones, director of UK civil liberties organisation Statewatch. Jones says people may feel their unblemished travel and police records leave them unaffected, but that’s not the case.
“Biometric data is counted as a sensitive category of personal data, it merits high levels of protection. There needs to be great justification as to when organisations can collect it, and when they can share it,” Jones says.
“We’re not just going to be talking about terrorists and criminals here, there’s all sorts of people will be caught up in that — people who need protection, people who want to see their families, people who just want to visit the country and for some reason they are deemed suspicious.
“They are systems that won’t do what’s intended and don’t really comply with the rule of law as we understand it, because they turn everyone into a suspect.”
People may never find out their visa rejection was based on a data error by a country they once visited, he says. Mistakes, overreach of states and breaches through tech failures or hacking are all worrying possibilities and loss of privacy a very real consequence.
“It doesn’t matter if you have never done anything wrong, and you supposedly have nothing to fear. The only thing I ever say to that argument is: ‘Why do you have curtains on your house’?
“It’s a question of what should your own government be allowed to know about you? And then, what should a foreign government be allowed to know about you? And even if those things are justified, why is all this not publicly clear and known and out in the open and vetted by your elected representatives?”
New Zealand’s Privacy Commissioner Michael Webster has drafted biometrics rules, addressing how and what should be disclosed about their collection, and how agencies should demonstrate benefits outweigh risks. Webster says his office’s involvement in Migration 5 data-sharing has been limited to privacy impact assessments, although he could review the agreements if there was a complaint.
New Zealand privacy legislation covers the collection, safeguarding and deletion of data, but the 2009 Immigration Act allows it as an exemption, including to share information overseas.
“In this area — because of the carve-out — Immigration New Zealand need to have regard for my feedback, but that’s as far as it goes,” says Webster. “So they will take on board what I’m saying and I think we try and give it our best shot in terms of our concerns. And then it’s their accountability from that point on, in terms of how that information is then managed and dealt with.”
The 2009 act was contentious at the time for other reasons, and biometrics do not loom large in the Hansard debates. A submission by the Human Rights Commission, one of few submitters that touched on it, suggests it was not known that data-sharing agreements were already being drawn up. “The commission is not convinced that there are compelling reasons for requiring biometric data to be collected from everyone who wishes to come to New Zealand. It is concerned that this could set a precedent for the compulsory collection of biometric information in other areas or lead to data being exchanged with other countries.”
What happens when the system is wrong
Human rights advocates and lawyers say the more use border agencies make of bulk data — containing information on large numbers of people who are not a security concern — the more important independent oversight becomes.
They fear that with no public knowledge of figures such as how many errors have occurred, how many visas have been rejected as a result, and whether people have been refused boarding, there can be no confidence in whether officials have been justified in looking at a traveller’s record, or whether the scale of data-sharing is proportionate to the risks it is addressing.
How valuable are the nuggets of information that are gleaned, compared with the loss of privacy? Does one country pass its visa decisions on an individual to another, and if it does, how much does that influence another’s?
Simon Laurent is an Auckland immigration lawyer who fears that process has affected one of his clients. “A scenario that we’ve observed is where somebody has been identified by one of the other Migration 5 countries as having used a second identity in order to try and get visas for that country. And the only basis for making that finding was because of a photo-matching exercise.
“In the case I’m talking about, the evidential basis for making that conclusive finding is pretty thin. If they [Immigration New Zealand] were to conduct their own verification, and use more markers of shared identity for example, they might come up with a different result. Which calls into question the integrity of a system that allows one country to blindly adopt the findings of another without doing due diligence.”
Biometric and biographic data are sensitive and marketable information, he adds, that could be held in many locations at risk from hackers.
He raises — as do other lawyers — the fear of what could happen to asylum seekers and refugees if their information falls into the wrong hands, is sent by a partner to a third country, or misinformation is provided by a partner country.
For refugee and protection claims, there are exceptions to confidentiality that allow the sharing of relevant information when it’s safe to do so, says INZ’s Michael Alp.
“There are rules on how the information is handled. Refugee Protection Officers use a discretionary power, under the act, that requires claimants to provide biometric information to determine refugee and protection status. While nearly all adult claimants provide their biometric information, in rare cases where there may be concerns about sharing information with M5 partners for any reason, officers can elect not to require this or to only match with some partner states. A person may also decline to provide biometric information if they have a concern and provide an explanation for their refusal.”
But even the act of looking for information on an asylum seeker’s claim has not always ended well, as the “agent of persecution” can find them. In other cases, such as former theology professor Ahmed Zaoui, who was forced to flee to New Zealand and fight accusations that he was a terrorist, asylum seekers’ home countries pass on false information about them through other governments.
And data breaches do happen, sometimes with grave consequences.
Migrants and travellers who have their data shared could face an unwarranted visa rejection that could also have profound impacts on their lives. For refugees and their families, it could be fatal.
The single window
The concerns raised in 2009 by the Human Rights Commission about biometric data being exchanged between nations were prescient.
The Migrant 5 group is now well beyond basic sharing among states. The limits have been repeatedly raised and the next step is, potentially, to eliminate any ceiling completely.
A “single window” through which partner countries can view one another’s immigration and customs data sets is the goal. Then, “the possibility of eventual integration”.
New Zealand’s role is not only as one of the five member states. It has been hosting, and paying for, the administrative centre of the project.