Anthony Luzzatto Gardner1
(1)
London, UK
Anthony Luzzatto Gardner
Twenty minutes prior to my scheduled 8:40 a.m. departure on a high-speed train from Brussels to Paris on March 22, 2016, one of my bodyguards from Belgian State Security informed me that there had just been an explosion at the Brussels airport. As the cause of the explosion and the damage were still unknown, I decided to board the train and continue with my scheduled speech and meetings with the French government on the transatlantic trade and investment partnership agreement that the US and the EU were negotiating.
After only one hour, however, the scale of the calamity was already clear: At just before 8 a.m., terrorists had detonated two bombs near the check-in counters of Delta and American Airlines, killing and wounding many. Among the dead, as I was to discover later, were the spouse of an employee at our Embassy to NATO and Ambassador André Adam, former Belgian ambassador to the United States, whom I had first met in the Oval Office during the presentation of his credentials to President Bill Clinton in 1994. The two bombs were so powerful that they blew the roof off the main terminal. As a result, much of the airport was shut down for many months, diverting many flights to other Belgian airports and requiring the use of makeshift tents for security screening and check-in. A third bomb had been detonated just after 9 a.m. in the tunnel between the Maalbeek and Arts-Loi metro stops in Brussels, a key artery of the metro system and one used by many employees of the US Mission to the EU and the US Embassy to Belgium.
Finding myself in Paris during the afternoon of March 22 with all air and rail links to Brussels severed, I hitched a ride with a friend to the Belgian border, where the Embassy driver and my bodyguards picked me up. That evening in Brussels, my colleagues, Denise Bauer, US Ambassador to Belgium, and Doug Lute, US Ambassador to NATO, and I received a briefing that made clear the gravity of the situation: Three suicide bombers from the Islamic State of Iraq and the Levant (ISIL) had detonated homemade nail bombs, killing thirty-two people and wounding more than 320 in the deadliest act of terrorism in Belgium’s history. The country was in a state of emergency and the three US embassies were in lock-down. Although all embassy personnel had been accounted for during the successful operation of our emergency procedures, there was obviously significant concern among our staff and their families. The compound containing the US embassies to Belgium and the EU already looked like a heavily protected bunker but plans to erect large gates before one of the entrances were nonetheless accelerated.
Unfortunately, these attacks were not the first of their kind in Belgium or in Europe. Terrorist attacks in Madrid in 2004 and in London in 2005 had killed 192 and 52 people, respectively, with thousands more injured. Between 2010 and 2016, over 300 people were killed by terrorists in the EU. Just under three months after my arrival in Brussels in 2014, a terrorist attack affected me personally and convinced me to make US–EU law enforcement cooperation a key priority of my diplomatic mission. On May 24, a French national of Algerian origin who had returned to Europe after fighting with radical Islamists in Syria walked into the Jewish Museum and randomly opened fire with a Kalashnikov rifle, killing four people. The museum, which I had visited several times, is a stone’s throw from the Sablon district where I had lived for three years in the mid-1990s and is a few minutes walking distance from the US Mission to the EU.
During January 5–7, 2015, French nationals of Algerian descent, members of the Al-Qaeda terrorist group, carried out three attacks on the satirical magazine Charlie Hebdo (that had carried polemical cartoons, including about Islam), as well as on police officers and a kosher supermarket. In mid-February 2015, a Danish national of Palestinian descent murdered two people at a café and a synagogue in Copenhagen. On July 14, 2016, in a terrorist attack for which ISIL claimed responsibility, a Tunisian resident of France deliberately plowed a 19-ton cargo truck into a crowd of thousands along the Promenade des Anglais in Nice as they were celebrating Bastille Day, killing 86 people and injuring 458 others. In August of that year, a heavily armed Moroccan aboard a high-speed train from Amsterdam to Paris attempted a terrorist attack but was thwarted by six passengers including three Americans (two of whom were off-duty members of the Armed Forces). But the worst was yet to come.
On November 13, 2015, three groups of nine men, mostly French and Belgian nationals of Arab descent, conducted six separate suicide bombings and mass shootings in central Paris, including at the Stade de France stadium and the Bataclan concert hall, that killed 130 victims and wounded 413. At least six of the killers had apparently fought with ISIL in Syria and two had apparently re-entered Europe through Greece in early October along with vast refugee flows from Turkey. Following these attacks, the worst acts of violence in France since World War II, France declared a state of emergency and three-day period of mourning, temporarily shut its borders and called in 1500 soldiers to maintain order in Paris. France invoked the Lisbon Treaty’s mutual assistance clause that requires EU member states to offer aid with “all the means in their power” to another member state that is the victim of armed aggression on its territory. The scenes of empty Paris streets, patrolled by heavily armed troops, were out of a bad sci-fi movie about the end of the world. The following January, it was moving to see at least 3.7 million people take to the streets in France, including 1.6 million in Paris, to show solidarity with the victims and France.
I was watching the events from Brussels with extreme concern. Brussels was already on a state of high alert since the shooting at the Jewish Museum. Salah Abdeslam, an accomplice and a brother of a suicide bomber in the Paris attacks, was on the run and thought to be back in Brussels. On the evening of November 13, Belgian police were carrying out multiple late-night raids to find him as the Prime Minister, Charles Michel, warned of imminent Paris-style attacks. The metro, schools, shops, and offices, including those of the European Union and the US embassies, were shut. An advertisement on the front cover of a Belgian weekly rather unhelpfully encouraged its readers to “think about your will.” Even the staff at the US Mission to the EU who had previously been posted to tough places like Baghdad and Kabul were beginning to show the strain. Many would avoid all public places, including restaurants and theaters for many months, and would consult a US government psychiatrist stationed in Brussels.
I was well protected by bodyguards and a heavily armored vehicle that was supposed to withstand a roadside bomb, a rocket-propelled grenade and machine-gun fire. But I was troubled that the vehicle was easily identifiable as one of four similar SUVs in Brussels used by two of the three US ambassadors (Doug Lute, the Ambassador to NATO, had successfully swapped his suburban for a more low-key model) and by the Israeli ambassadors to the EU and Belgium. I was not comforted by the fact that the residence featured an underground panic room with three-inch-thick steel doors that the previous owner, a Russian oligarch, had installed. I hoped that it would never come in handy.
Like others at the embassy, I was beginning to suffer from the stress. In one unnerving incident, I was pulled out of the front row of a very public event by my security detail and brought back to the residence because of an apparent threat to my safety. My wife and I did leave the residence alone, albeit rarely and mostly on weekends, in order to maintain some privacy. As we were driving on one of these occasions through the Soignes forest next to our residence, I had a momentary panic attack as a car sped up behind us from nowhere, overtook us in an abrupt manoeuver and then slowed down. I realized just how quickly we were being engulfed in a collective psychosis when my wife’s five-year-old nephew, on a visit from Madrid in late March 2016, started running through the forest shouting in Spanish “Run, the Jihadis are after us!”
The terrorist attacks kept coming throughout 2016, including in Germany, a country that had been left almost unscathed. On July 18, an ax-wielding teenager from Afghanistan wounded five people aboard a train in Würzburg. Six days later, a Syrian refugee blew himself up outside a wine bar in Anspach, injuring 15 people in Germany’s first suicide bombing. And on December 19, a Tunisian failed asylum seeker deliberately drove a truck into a crowded Christmas market next to the Kaiser Wilhelm Memorial Church in Berlin, leaving 12 people dead and 56 others injured.
Common Themes Emerge
In the course of multiple discussions about the attacks with my staff from the Department of Homeland Security and Department of Justice, several common themes emerged.
One obvious point is that they all featured at least one international element. For example, Mehdi Nemmouche, the perpetrator of the Jewish Museum attack in Brussels was a French national who had previously traveled to Syria and back to France through several countries, using a method known as “broken travel” to avoid detection. The attacker on the high-speed train from Amsterdam had lived in Paris, Vienna, Cologne, and Brussels; he had traveled from France to Belgium to obtain firearms and to board the train. The terrorist at the Kosher supermarket in Paris had met his accomplices in Spain, traveled to Turkey, sent his wife to Syria, and bought weapons in Belgium that had been manufactured in Slovakia and exported by a Slovenian company. Given these international characteristics of terrorism, it became abundantly clear that deeper cooperation among EU member states and even globally, especially between the EU and the US, is essential.
Another common theme is that most of the terrorists were second or even third generation EU citizens of immigrant Arab families who had been born and/or had grown up in Europe where they had been radicalized. As EU citizens, these terrorists had EU passports and therefore were able to travel freely within the Schengen area without being subject to any passport or identity checks. Whereas non-EU nationals arriving in Europe by legal means were normally subject to rigorous checks, EU nationals re-entering Europe were subject to minimal checks to establish identity and to verify travel documents. Some of the terrorists had also exploited the chaos at various European frontiers caused by the massive influx of refugees.
Furthermore, most of the terrorists were already known to at least one of the EU security services. According to press reports, Nemmouche was known to French authorities as a serious criminal and Foreign Fighter in Syria. Ayoub El Khazzani, the perpetrator of the attack on the high-speed train to Paris, was known to Spanish authorities as being connected to Islamic radicals. All of the terrorists involved in the terrorist attacks in Paris in November 2015 were known to the French authorities as having fought for ISIL and were being monitored. Anis Amri, the perpetrator of the attack on the Berlin Christmas market, had been officially classified by the German authorities as a potential terrorist. According to press reports, Amri’s intercepted communications showed that he had volunteered to be a suicide bomber and that he had links to a radical preacher who had recruited people to fight with ISIL in Iraq and Syria. Amri had been under near-constant police surveillance, and even placed in a detention center for eventual deportation, before being released and then going underground. In these and other cases, there was not enough information to prosecute the suspects of a crime.
Although information about the terrorists was often known, it was not always shared effectively among security services. Eight months before the suicide bombings at the Brussels airport, for example, Turkish police had arrested Ibrahim El Bakraoui, one of the terrorists, near the Syrian border for his Jihadi connections. He was also on the FBI’s watch list. After learning that El Bakraoui was a Belgian citizen, the Turks had contacted the police liaison officer in Belgium’s Istanbul consulate to inform him that El Bakraoui would be deported in several weeks. The liaison officer passed the information to Belgium’s federal police, but the latter failed to insert his name into the Schengen Information System (SIS), a European border control and law enforcement database. That was a major failure, especially as Belgium had been warned by foreign intelligence services that ISIS was planning to bomb the Brussels airport and metro system.1
As a result of the failure, El Bakraoui was able to board a flight to Amsterdam, where he promptly disappeared because the Dutch authorities were unaware that he was a dangerous suspect. The Belgian authorities had no way of knowing when he returned home because there are no border checks within the Schengen area of free movement. The Brussels bombings might have been averted had the Belgian police inserted Abdeslam’s name as a foreign terrorist fighter rather than as an ordinary criminal in the SIS. Had that occurred, the French gendarme who checked Abdeslam at the Franco-Belgian border the day after the Paris attacks would have alerted the authorities about a possible terrorist suspect and not released him.
The terrorist attacks shared other features. They shone an uncomfortable spotlight on the fact that existing information tools were not being used to their maximum effect. Of the estimated 6000 EU citizens who had traveled to Syria and Iraq to join ISIL and other extremist groups, EU member states passed less than one-third of those names to Europol, the EU’s agency for law enforcement cooperation, for inclusion in its Focal Point Traveller anti-terror database. Most of the information about foreign fighters came from a handful of member states, indicating that many others were free riders; many member states were rarely consulting the database. The habits of national security services to work bilaterally on a “need to know” basis with trusted partners, rather than on an EU-wide “need to share” basis, were deeply ingrained and hard to change.
Moreover, most of the attacks were low-tech and required little advance planning or financial resources. The Brussels airport bombings were carried out with suitcases full of an unstable white explosive powder known as triacetone triperoxide that can be made with household chemicals (apparently including drain cleaner and nail varnish remover). Some of the attacks used the destructive force of trucks plowing into crowds; some of them used handguns, rifles, knives, and explosive vests. The terrorists had either acted alone, even if they had collaborated with others, or had acted in small groups.
Many of the terrorists had been previously suspected, and even convicted, for serious crimes. For example, Nemmouche has a long criminal history, including arrests for armed robbery, theft and vandalism, and had spent five years in prison prior to his attack on the Jewish Museum. One of the perpetrators of the Charlie Hebdo attack had been convicted of terrorism and sentenced to three years in prison. Amri had served four years in Italian jails for crimes, including arson, prior to his attack on the Berlin Christmas market. It was clear that the likelihood of a terrorist suspect carrying out an attack was much higher if he had a prior record of serious crime. Security and intelligence services, therefore, had to have the full picture of an individual’s prior record and needed access to all relevant databases. Unfortunately, the EU had multiple databases, each built up for a separate purpose, that had to be consulted separately (when the EU’s rigorous data privacy laws allowed).
Most uncomfortably, especially for those of us living in Brussels, was the fact that Belgium appeared to play a supporting role in nearly every one of the attacks. Some of the attacks had been carried out there; some of the perpetrators were Belgians; and even when they were not Belgians, they benefited from planning, accomplices and weapons purchases in Belgium.
Some of the officers in the US embassies started calling Brussels “Jihadi Central,” capital of Belgistan, a “failed state.” (President Trump later called Brussels a “hellhole.”) These descriptions were insulting and inaccurate. Belgium is a peaceful, wealthy and vibrant democracy that is a pleasure to live in. It is also an important partner of the United States on law enforcement matters. Nonetheless, it is undeniable that many features of the country have made it uniquely attractive to terrorists. At least one-quarter of Brussels’ inhabitants are Muslim, making the city the most Muslim capital in Europe. Nearly every attack with a Belgian connection had a link to Molenbeek, a majority Muslim district in Brussels. Molenbeek features many characteristics that have made it an ideal recruiting ground for Islamic extremists: widespread poverty, high unemployment, especially among the substantial youth population, high crime rates, and a transient population. In the words of a former US counterterrorism official, “What Islamic State offers them, in a nutshell, is a fast track from zero to hero.”2 Efforts at integrating Muslims in Belgium, many of whom are second or third generation immigrants, have met with mixed success. Some other European cities and countries had similar difficulties. But it was certainly striking that Belgium supplied more Foreign Fighters to Syria than any other European country on a per capita basis.
Some public reports estimated in 2016 that roughly 335 Belgians had gone to fight in Syria and Iraq. While some were killed or stayed, about 117 were estimated to have returned. These were just a subset of the roughly 670 terrorist suspects on the Belgian Federal Police’s consolidated list. There was no way that the roughly 600 members of the Belgian State Security could keep track of all of them because it requires between 10 and 20 agents to provide round-the-clock surveillance of each suspect. The Belgian State Security was already overstretched in its main job of providing protection for top members of the Belgian government and the EU institutions, visiting dignitaries and some resident diplomats (like the US and Israeli ambassadors).
What made this challenging situation even worse was the extremely complex patchwork of governing bodies in the country: three regions and three linguistic communities, six separate parliaments and 589 communes with significant decision-making powers (usually attributed to larger political entities in other countries). Brussels, with just 1.2 million inhabitants, is composed of 19 communes, each with its own mayor, and is policed by no less than six different forces. By contrast, New York City, a metropolis of 8.5 million, has one mayor and one police force. No wonder that Abdeslam decided to return to Molenbeek, where he was able to reside with family and friends for roughly four months before being apprehended. He was even seen at the barber getting his hair cut and at a shop buying clothes without anyone thinking it necessary to notify the police. According to press reports, he was apprehended about 500 meters from the house where authorities believed he had helped plan the Paris attacks.
EU Efforts to Improve Security
The pan-European, indeed global, nature of the terrorist attacks in 2014–2016 highlighted in stark terms the importance of the EU accelerating and deepening efforts to improve European security, alongside the member states. These efforts had begun well before the attacks. Europol, originally founded in 1994 as the EU’s agency to combat drugs, was refashioned into the EU’s agency to counter serious crime in 1999. Another agency, called Eurojust, was founded in The Hague in 2002 to facilitate coordination among judicial and prosecutorial authorities in cases involving cross-border crime.
The attacks in the US on September 11, 2001, provided the impetus for several important EU measures. For example, the EU introduced a common definition of terrorism (lacking entirely in some member states) and harmonized national criminal laws related to terrorism. Thanks to such legislative harmonization, terrorists and their accomplices are no longer able to avoid apprehension merely by fleeing from one EU member state to another with different laws. The EU also established a common list of terrorist groups. (The US and EU lists feature minor differences, for example, with the former designating the entirety of Hezbollah, and the latter designating just its military wing, as a foreign terrorist group).
Furthermore, the EU facilitated the cross-border apprehension of suspects following arrest. Following the entry into force of a European Arrest Warrant in 2004, law enforcement authorities from a member state where a crime has occurred are able to apprehend suspects located in another member state without delay rather than wait many months, if not years, to do so. It was thanks to this tool that the UK and Belgian authorities were able quickly to bring back from Italy and France the perpetrators of the bombings in London in 2005 and the attack on the Jewish Museum in 2014. The terrorist attacks in Madrid in 2004 led the EU to establish a Counterterrorism Coordinator to act as a bridge between the competent EU institutions and member states’ agencies in the field of counterterrorism. In 2011, the EU also formed a Radicalisation Awareness Network to connect practitioners from around Europe to explore strategies to counter radicalization and violent extremism.
The attacks of 2014–2016 prompted the European Commission to propose a series of measures to enhance security in the EU. Legislation on combating terrorism, adopted in 2017, established new terrorism offenses and stiff penalties for traveling within, outside or to the EU for terrorist purposes (to join the activities of a terrorist group or with the purpose of committing a terrorist attack); organizing and facilitating such travel, including through logistical and material support; training or being trained for terrorist purposes (such as in the making or use of explosives or firearms); inciting, promoting or glorifying terrorism, whether offline or online; and providing or collecting funds with the intention or the knowledge that they are to be used to commit terrorist offenses.
A related package of measures passed in 2017–2018 aims to further limit the ability of terrorists to operate. These measures include tighter controls on and penalties for the acquisition and trafficking of high-capacity weapons, the access to chemical substances often used to make homemade explosives, document fraud and money laundering. The new rules provided authorities greater power to freeze and confiscate assets belonging to terrorists, as well as gain speedy access to and use financial information in criminal investigations. In 2018, the European Commission proposed legislation on “E-evidence” that will make it easier and faster for a judicial authority in one member state to obtain electronic evidence (including e-mails, text, or messages in apps) directly from a service provider—such as an electronic communications service provider, hosting service provider, social network, or online marketplace—in another member state. At the time of writing, the proposal had not yet been approved.
During the past decade, the EU has also taken important steps to enhance the identity checks on people crossing the EU’s external frontiers by air, land, and sea. These checks are important because it is hard to maintain security within the EU if the external frontiers are porous. One of the most important reforms of the past decade has been to ensure that EU citizens are thoroughly checked against all EU databases when they cross an external frontier, just like third country nationals. This is especially significant in light of the number of European-borne terrorists.
One of the critical debates in the European Parliament during my diplomatic assignment related to the passage of an EU-wide Passenger Name Record (PNR) system. PNR data, supplied by passengers at the time of booking and checking in and then stored in airlines’ reservation systems, consists of information such as passenger name, travel dates and itineraries, seat number, baggage, contact details (phone number and e-mail address) and means of payment. When supplied to national authorities, the data can be very useful in detecting suspicious air travel patterns and other indicators that may identify potential terrorists. The reason is that terrorists depend on travel to receive training and indoctrination, to case their targets and to carry out their attacks. Every time terrorists board a plane or cross a border, they give law enforcement authorities a chance to detect and capture them. The problem, of course, is that about 70 million travelers fly between the United States and the EU every year. Terrorists represent a needle in a haystack. To find the needle, one needs to gather and analyze a lot of data.
PNR data is one important tool. Border protection authorities can use PNR data to check travelers’ names against watchlists of known or suspected terrorists. Since terrorists often use false identities or otherwise try to conceal themselves, PNR can reveal hidden connections (such as a common e-mail address) between known terrorists and their unknown associates. Had investigators used this simple technique, they could have uncovered the ties among all 19 of the 9/11 hijackers. PNR data can also be used to spot potential terrorists based on their travel patterns, especially if they use convoluted routings to avoid detection. International cooperation between countries that collect and share PNR data is essential to uncover this technique. Finally, PNR data can be used to identify perpetrators and their accomplices after an attack takes place.3
The United States has been using PNR data since 1992. US privacy laws provide robust safeguards against the misuse of personal information, contrary to the preconceived notions of many Europeans. For example, those laws limit when and with whom that information can be shared, the circumstances in which individuals may request access to their records, and the purposes for which that data may be used. Despite the utility of PNR data, legislation to establish an EU system languished for many years, principally due to concerns in the European Parliament about its compatibility with EU data privacy rules. In the meantime, some EU member states had their own PNR systems, but they were not harmonized or interconnected.
During my frequent trips to Strasbourg for the European Parliament’s plenary sessions, I tried to convince as many parliamentarians as possible that an EU PNR system was an important anti-terrorism tool. Some of the parliamentarians were data privacy ayatollahs, reserving their righteous indignation for the quantity of PNR data that the authorities could collect and for the period they could retain it, rather than for the slaughter of civilians at the hands of terrorists.
Some parliamentarians favored a requirement that PNR data should be deleted once a traveler’s visit ends; others were prepared to accept that such data be retained, but only for several months.4 That would have prevented law enforcement from protecting the public or prosecuting the perpetrators of terrorist attacks. Take the case of Ra’ed al-Banna, a Jordanian citizen, who arrived at Chicago’s O’Hare airport from Amsterdam on July 14, 2003. Although he had a valid passport and US visa, customs officials decided to fingerprint him and put him back on a plane to Jordan because his PNR data and his answers seemed suspicious. Nearly two years later, he drove a car into a crowd in an Iraqi town, detonated a powerful bomb and killed 132 people. Had PNR data on al-Banna not been collected and scrutinized in the United States, the atrocity might well have been committed on US soil. There are many similar cases to this one.
As I followed the tribulations of the EU PNR legislation caused by data privacy concerns, I couldn’t help feeling that Europe was fighting a battle with one hand tied behind its back. Authorities from the EU and the member states had the tools to provide the security that citizens so desperately wanted but were often unable to use them. I often heard the objection that an EU PNR system would not have prevented any of the recent terror attacks of 2014–2015. That was purely speculative; while no one expected it to be a silver bullet, all serious counterterrorism experts expected it to be helpful. The attacks in Paris and Brussels were instrumental in raising public pressure on the European Parliament to stop dragging its feet. French Interior Minister Bernard Cazeneuve was clear in his statement to fellow ministers at the end of November 2015: “[PNR] is absolutely indispensable to combat terrorism. Not a single French citizen or EU citizen will understand why the European Parliament will continue blocking this essential tool.”5 In April 2016, the European Parliament finally approved a system that requires airlines to supply national authorities with PNR data for international flights entering or departing the EU. All EU member states have availed themselves of the additional possibility of requiring airlines to provide this data for intra-EU flights as well.
The Refugee Crisis
The porousness of the EU’s external frontiers was highlighted during the refugee crisis of 2015, in which roughly 1.2 million refugees poured into Europe in the space of several months. The sudden wave was due in large part to the facts that many Syrian refugees had depleted their savings and had lost hope of returning to their homes because of a civil war in Syria that continued unabated. At the same time as the United Nations food aid programs were being cut, the refugees noticed that parts of Europe were open to their arrival. In particular, Chancellor Angela Merkel had put out a welcome mat and refused to impose any cap on asylum seekers. That decision, taken without prior coordination with other EU member states, would foreseeably place enormous strains on EU solidarity.
Europe had already been facing significant humanitarian crises in the preceding few years, mostly due to flows of economic migrants from Northern Africa. In the fall of 2014, Pope Francis had called on Europe to prevent the Mediterranean from becoming a “vast migrant cemetery.” But the 2015 crisis was different because of its scale and because it principally involved refugees rather than economic migrants. For several months, it seemed as if the EU was at long-term risk of losing control on who was entering and on the identity of hundreds of thousands of people circulating freely within the EU.
Two horrific events highlighted the fact that the refugee crisis was above all a humanitarian tragedy. In August 2015, Austrian border police found an abandoned truck contained the decomposing corpses of 59 men, eight women and four children (including a baby girl less than one-year-old). The victims were migrants who had fallen into the hands of migrant smugglers in their desperation to flee horrific conditions in Syria, Iraq, and Afghanistan. The victims had apparently suffocated and had been dead for two days when the discovery was made. The truck had attracted the suspicion of the border police because of decomposing body fluids dripping from the vehicle. As shocking as this was, the discovery was simply a drop in the ocean of human trafficking, often conducted by organized criminal groups.
In September 2015, the front pages of many newspapers in Europe carried the image of a three-year-old Kurdish boy face down on a beach. He had drowned attempting to reach the Greek island of Kos and had washed ashore near the internationally renowned resort of Bodrum. Any parent, indeed any human being, could not help but feel a sense of revulsion, shame, and anger at the smugglers who were treating humans like animals and risking their lives by putting them in unsafe vessels.
One week later in Strasbourg, I watched European Commission President Juncker deliver his annual State of the Union address to a packed hemicycle of parliamentarians. In the address, he made a moving reference to the humanitarian disaster caused by the refugee crisis. It practically reduced me to tears as I recalled that my grandparents had once been refugees:
We can build walls, we can build fences. But imagine for a second it were you, your child in your arms, the world you knew torn apart around you. There is no price you would not pay, there is no wall you would not climb, no sea you would not sail, no border you would not cross if it is war or the barbarism of the so-called Islamic State that you are fleeing.6
The refugee crisis was far more destabilizing for Europe than the preceding financial crisis because it was so much more tangible and emotional. Thousands of people saw first hand the endless lines of desperate people entering their villages. Even those not directly affected worried about whether the human tide would ebb and what consequences it would have on Europe’s culture. Images of refugees being loaded onto German train wagons or handing over their valuables to border guards in Denmark brought back uncomfortable reminders of the past.
The refugee crisis triggered concerns that serious criminals and even terrorists would hide among the refugees to enter the EU and undermine its security. Unfortunately, those concerns tended to overwhelm other, more positive, humanitarian and economic considerations. The vast majority of those fleeing the Syrian civil war, for example, were simply fleeing ghastly conditions in search of a better life. These refugees also represented a major opportunity for Europe, if handled properly, to address its demographic challenge and to revitalize economic growth. In parts of Europe, populations are aging so fast and the birth rate is so low that the age pyramid is inverting rapidly, such that fewer people of working age at the bottom of the pyramid are supporting many more pensioners at the top. Without an influx of young people, for example, Germany’s population was projected to decline to 65 million from 82 million by 2060 and its pensioners were projected to rise from one-fifth of the population to one-third.
Even though a relatively small percentage of the refugees were highly skilled, they represented a potential source of talent. In my public comments on the refugees during my diplomatic mission, I frequently reminded my audiences that of the 98 high-tech firms in the Fortune 500, 45 were founded by immigrants or their children; examples include Sergei Brin of Google, Steve Jobs of Apple and Hamdi Ulukaya, the founder of the billion-dollar Chobani yogurt company, who arrived in the United States as a penniless Kurdish immigrant.
Policing the EU’s External Frontiers
At the same time, however, it was impossible to deny that the porousness of the EU’s external frontiers did pose a security risk to Europe and even to the United States. The fact that several of the perpetrators of the Paris attacks of November 2015 had entered Europe with falsified Syrian passports with the refugee streams only heightened this concern. The mixed record of some European countries, including Germany, in finding employment for immigrants also raised the question of whether there would be hundreds of thousands of young, marginalized and frustrated males ripe for terrorist recruitment.
The difficulty of policing the EU’s external frontiers had already been in evidence for several years. Italy had been pleading for more help from its fellow EU member states to deal with massive refugee flows from Northern Africa. It bore the brunt of a costly naval rescue operation on its own for one year until an EU operation managed by Frontex, the EU’s border security agency, took over in November 2014. But the limitations of Frontex were manifest: It was underfunded, with a budget of only about €100 million (at the time); it relied on voluntary contributions from EU member states; it had few staff and little equipment; and it had a limited right to carry out border management and search and rescue operations. The Economist exaggerated only slightly when it wrote that Frontex “cannot do much more than fingerprint and count migrants as they pass through a country.”7
Italy continued to be on the front lines and justifiably complained of insufficient EU solidarity. EU heads of state would routinely make declarations of support during their summits but wouldn’t loosen their purse strings. Many EU member states simply didn’t feel directly affected by the crisis and were only too happy to let Italy (and Greece) deal with it. Frontex received only a modest budget increase to €114 million in 2015, but the agency was spread even more thinly when it deployed officers and vessels to several Greek islands to help the Greek authorities cope with the massive refugee flows from Turkey. Borders along the Balkan Route from Greece into Croatia, Slovenia, Hungary, and Austria were also being overrun.
The legislative centerpiece of the EU’s asylum system, the Dublin Regulation, was clearly exacerbating the situation because it required applications for asylum to be processed in the first country of entry. The huge problem with the system is that it undermined pan-European solidarity by contradicting the principle of burden-sharing. It allowed other countries that did not want immigrants to return them to the countries where they originally arrived. That may have been sustainable in an age of limited flows of asylum seekers arriving by air, but it was unfair and unsustainable in an age of vast migration flows arriving by sea or land.
As they faced the burden of the refugee crisis largely alone, Italy and Greece, the two principal frontline states, preferred to ensure that the refugees moved along as quickly as possible to their final destinations (usually Germany and Sweden) rather than to process their asylum applications as required under the Dublin Regulation. At first the countries on the Balkan Route tried to stem the flow of refugees with fences, before encouraging them to move northwards. For a while, it seemed that frontiers would reappear among many EU member states and that the Schengen area of free movement was in trouble. The destruction of Schengen, European Commission President Jean-Claude Juncker warned, would not only be body blow to the EU’s self-esteem, but would also presage the demise of the euro and the single market. If the “temporary” re-introduction of border controls within the EU turned out to be permanent, warned the Bertelsmann Foundation, the EU would suffer €470 billion euros in lost economic output over a ten-year period.8
The US government and the US Congress were watching the situation with alarm, not only because of the human cost, but also because of the dangers of serious splits among EU member states and a potential unraveling of the EU itself. Moreover, they were concerned that many of the terrorists, radicalized in Syria and Iraq, had EU passports and could therefore benefit from visa-free entry into the United States under the Visa Waiver Program (VWP). After all, Zacarias Moussaoui, one of the September 11 hijackers, was a French citizen and Richard Reid, who had tried to blow up a plane by detonating his shoe in flight, was a British citizen. Both had traveled to the United States under the VWP.
Five of the 28 EU member states (Bulgaria, Croatia, Cyprus, Poland, and Romania) do not benefit from the VWP because they have fallen short of the statutory requirements. Those five have repeatedly urged the European Commission to withdraw visa-free travel for US citizens until they are included in the program. During the negotiations on a transatlantic Trade and Investment Partnership agreement, Romania had threatened to block eventual ratification if the US did not give its citizens visa-free travel; it successfully pressured Canada to lift its visa restrictions as a condition to ratifying the Canada–EU Free Trade Agreement in 2016.
The US government repeatedly explained that the requirements of the VWP were established by statute; only Congress could amend them (something it was clearly not willing to do) and the executive branch could not simply waive them. As I reminded my interlocutors, several of the five member states were close to meeting the requirements and would probably do so soon. Eliminating US visa-free travel to Europe would simply lead Congress to eliminate all European visa-free travel to the United States, a step that would have a serious impact on transatlantic tourism and business flows. Moreover, I explained that the refugee crisis and the porousness of Europe’s borders did pose legitimate concerns for the United States.
I argued that the EU should therefore acquiesce in the inevitable tightening of VWP conditions in order to save the VWP. That tightening occurred in early 2016 when the US Congress overwhelmingly approved amendments to withhold visa waivers from any person (with certain exemptions) who had traveled to Syria, Iraq, Iran, Sudan, Libya, Somalia, or Yemen on or after March 1, 2011; EU dual nationals of most of these countries were also denied visa waivers, meaning that they had to apply for a visitor visa at a US consulate. The amendments also required all countries participating in the VWP to issue electronic passports and machines capable of reading them at all ports of entry. It threatened to terminate participation of any EU country that failed to share counterterrorism information or to screen travelers against relevant EU and Interpol databases on criminals and terrorists.
In December 2015, the European Commission proposed a proper European Border and Coast Guard (EBCG) to take over from, and improve upon, Frontex. The EBCG was approved in record time and became operational in October 2016. The plans for the agency have called for a budget of over €300 million (significantly exceeding the Frontex budget) and a permanent staff of 1000 by 2020. Member states have agreed to commit a total of at least 1500 field agents to a reserve pool of guards prepared to protect external frontiers within days of a request to do so. According to these plans, the agency would have access to a pool of equipment, including vessels, helicopters and patrol vehicles, owned by EU member states or by itself. The goals of the agency include monitoring and managing borders, collecting personal data and transferring it to Europol, coordinating relief efforts, and conducting search and rescue operations, either at the request of a member state or, in certain urgent situations, even when a member state is unwilling or unable to act.
These plans became even more ambitious by the end of 2018, when President Juncker announced in his annual State of the Union address a proposal to expand the EU border guard force to 10,000 and to grant it powers to bear arms and use force to police frontiers, as well as to return refugees to their home countries when their asylum applications fail. If the plan is approved, the force would even be able to deploy in non-EU third countries with their permission. This would represent a dramatic extension of EU powers in one of the most sensitive areas of member state sovereignty and, therefore, one of the boldest steps in the history of European integration. Some Brexiteers found this to be an outrageous usurpation of powers by the EU. On the contrary, it is a step that member states have urged the EU to take for the simple reason that pan-European challenges like refugee flows and the protection of external frontiers demand a pan-European response.
In order to ensure control over its external borders, it has been necessary to regulate the flow of refugees and migrants at their source. The EU has deployed a naval force to neutralize established refugee smuggling routes in the Mediterranean. A report issued by the House of Lords in 2017 concluded that irregular migration into Europe on the central Mediterranean route had increased and that the operation had led to greater migrant deaths at sea. However, a deal Italy struck with Libya in February 2017 to train, equip, and fund the Libyan coastguard in return for Libya preventing departures of migrants to Europe appears to be successful. Another deal the EU struck with Turkey in 2016 to provide financial assistance and to ease visa restrictions in return for Turkey stemming the westward flow of migrants to Europe has also prevented a repetition of the 2015 migration crisis. Critics of the deal allege that the EU and its member states have arguably had to compromise their principles when striking deals with countries with poor human rights records.
In order to re-establish control over the EU’s external frontiers, the European Commission has also rightly focused on the functionality of the EU’s many databases and information sharing systems. Each has been established with distinct objectives in mind, such as law enforcement and immigration control. The SIS, the most widely used information system for border management and security in Europe, contains information on suspected criminals, forged identity documents, and stolen firearms, vehicles, and property. The Visa Information System contains information on visa applications by third country nationals who require a visa to enter the Schengen area. The Eurodac system contains fingerprints of asylum applicants and third country nationals who are found to have crossed the external borders of the Schengen area unlawfully.
The terror attacks in Europe revealed that these (and other) systems did not always capture the type of information that could prove useful in investigations and sometimes were difficult to search. The member states were not consistently populating the systems with the required information or even consulting them methodically. The identities of Schengen area citizens were subject to minimal checks (such as to verify the authenticity of passports) at external borders, unless they were known to be a risk; some member states were not even carrying out proper checks on third country nationals. The systems could only be queried for the specific purpose with which they were designed and not for general criminal investigatory purposes. Moreover, the conditions for access were overly strict and all (or even several of them) could not be searched at one time (a feature of obvious utility under time pressure).
The failure of some member states to register and fingerprint refugees, as well as to share fingerprints among other member states, were also causing blind spots for law enforcement. Although countries on the EU’s external borders were legally obliged to save and share all fingerprint data of refugees upon arrival, some were not doing so consistently. In late 2015 Greece was even refusing to take possession of 300 Eurodac fingerprinting machines on some of their islands closest to Turkey, citing problems with Internet connections and staff training, and was refusing the deployment of Frontex staff to reinforce its borders. Although it seemed odd at first, it was perfectly logical that Greece preferred the refugees to move onwards to their final destinations than to “own” the problem by installing the machines. Greece’s refusal also seemed to be an attempt to gain leverage in its tense negotiations with the EU about its financial bailout: give us a better deal, Athens seemed to be saying to Brussels, or we can flood the EU with refugees. The situation became so serious that the European Commission sued Greece for its failure to respect its Eurodac obligations and even threatened to suspend Greece from Schengen, a step that would have trapped refugees in Greece and would have turned the country, in the memorable phrase of the Greek deputy minister for migration, into a “cemetery of souls.”9
Transit states were subject to different obligations than those of frontier states. Whereas Austria could take fingerprints of the hundreds of thousands of refugees entering the country to check for a criminal record, it was not legally allowed to save and share that data in the overwhelming majority of cases where the migrants wanted to move elsewhere to claim asylum.10 Even where fingerprints were inputted into the Eurodac fingerprint database, law enforcement officials often had difficulty meeting the strict conditions for access. Worse still, the Eurodac database was not connected to comprehensive pan-European databases on criminals. The combination of the failures of frontier states and the flawed legal regime meant that the EU had no trace of hundreds of thousands of refugees once they had crossed the EU’s external frontiers. The head of Germany’s federal office for migration admitted that there were up to 400,000 people in the country whose identities were unknown to the authorities. 130,000 asylum seekers had simply “disappeared.”11
Over the past few years, the EU has been developing large-scale centralized IT tools to improve the functionality of existing border management and law enforcement information systems. Under new EU rules, these systems are interconnected, interoperable, and searchable simultaneously through a central portal. The rules facilitate the ability of border guards to establish whether an individual’s name or fingerprint appears in one of the many EU databases. Member states are now making greater use of centralized border management and law enforcement systems—not only those established and operated by the EU such as Europol, but also those established and operated by Interpol and the decentralized systems implemented by the member states.
Finally, a new Entry-Exit-System, operational by 2020, will compile biometric data and travel history records relating to third country nationals entering the Schengen area for short-stay visits. The data will be stored in a central database that can be consulted by border and visa authorities, Europol and national law enforcement authorities. The system will enable those authorities to identify persons overstaying their visas and suspects in terror-related investigations. By 2021, a new European Travel Information and Authorization System (ETIAS), similar to the US ESTA, will apply to all visitors from countries who do not need a visa to enter the Schengen Zone. The ETIAS database will enable Frontex to conduct electronic checks of such visitors against a list of wanted persons before they travel to Europe and to detect potentially dangerous visitors according to certain criteria.
US–EU Cooperation
All of these measures will enhance Europe’s security. But the European Union, and its member states, recognize that they cannot ensure strong borders or combat serious crime and terrorism on their own. Many EU member states have long enjoyed strong bilateral police and judicial cooperation with the United States; some, like the UK, are rather protective of their special relationship and occasionally prickly about US–EU collaboration. Nonetheless, EU institutions, including the European Commission and Europol, have also been strengthening international law enforcement cooperation with Washington since the early 2000s. The United States has recognized that the security of the EU has a direct impact on its own security and that US–EU cooperation enhances bilateral law enforcement relationships with EU member states. While the United States has the good fortune of having large oceans to its east and west and is bordered by friendly countries, it cannot remain in splendid isolation from increasingly transnational threats, such as cybercrimes, drug trafficking, child sexual exploitation, terrorism, and migrant smuggling.
The terrorist attacks of September 11, 2001 prompted the US and EU to deepen pre-existing dialogues at cabinet and working level on police and judicial cooperation. These dialogues have covered a host of issues, including counterterrorism and countering violent extremism, terrorist financing, tracing of firearms and explosives, migration and border controls, cybercrime, and cargo security.
The US and the EU also have entered into several international agreements relating to security. In 2001 and 2002, the US and Europol signed several agreements to facilitate the exchange of information, to promote cooperation on combating serious crime and to authorize the exchange of liaison officers. In 2004, another agreement enabled US customs officers in several EU foreign ports to pre-screen maritime cargo containers bound for the United States. A subsequent agreement on the mutual recognition of each side’s “trusted trader” programs facilitates customs procedures for certain shippers.
Two US–EU agreements from 2003 harmonized and made more effective the bilateral accords that already existed between the US and individual EU member states on extradition and mutual legal assistance. Both contain important provisions that enhance information sharing and prosecutorial cooperation. For example, the extradition agreement clarifies the kinds of offenses that justify extradition, facilitates the exchange of information and transmission of documents, and sets rules for determining priority in case of competing requests for extradition. The US–EU Mutual Legal Assistance Treaty (MLAT) allows, among other things, the prompt identification of financial account information in criminal investigations; the acquisition of evidence, including testimony by means of video conferencing; and authorizes the participation of US criminal investigators and prosecutors in joint investigative teams in the EU. The US–EU MLAT also served to establish for the first time mutual legal assistance between the US and some member states that had recently joined the EU.
US–EU agreements on the supply of EU PNR data to the US, the protection of data privacy regarding the transatlantic exchange of law enforcement information, and US access to interbank financial messaging data of European companies have made important contributions to transatlantic security.
The US–EU PNR agreement, reached in 2004 and repeatedly revised to address data privacy concerns in Europe before finally being ratified in 2012, also stemmed from the joint desire to investigate and thwart terrorist attacks through the sharing of information. It requires European airlines to supply PNR data to the US Department of Homeland Security’s Bureau of Customs and Border Protection within 15 minutes of a plane taking off. The agreement seeks to heighten transatlantic security while enabling the continued flow of visitors and respecting data privacy. The US–EU PNR agreement contains data privacy protections that go beyond those required by US law, including the use of encryption and strict administrative controls to limit access to PNR data, and the notification of travelers when their PNR data is disclosed or accessed improperly. The EU has welcomed the fact that the United States has proactively shared analytical information obtained from PNR data with EU member states and Europol.
The second agreement, the Data Privacy and Protection Agreement (DPPA), described in Chapter 5, was ratified in 2016. The agreement covers all transatlantic personal data exchanges for law enforcement purposes. It is known as an “Umbrella” agreement because it complements existing agreements between the US and EU member state law enforcement authorities, creates harmonized data protection rules, and sets a high level of privacy protection for future agreements in the field.
The third and most significant agreement, the US–EU TFTP Agreement, provides the legal framework under which the US Treasury may access and subsequently process financial messaging data held in the EU by a Brussels-based consortium of international banks, called the Society for Worldwide Interbank Financial Telecommunication, for the purpose of investigating, detecting or prosecuting terrorism. Simply put, the SWIFT network is the communication backbone of the formal financial system; it handles most of the millions of daily international interbank messages exchanged among 11,000 financial institutions in more than 200 countries. The messages contain information about banks involved in transactions, account holders, contact information, amounts transferred, and times of payments.
The agreement was first concluded in 2007 after revelations during the prior year that the US Treasury had been secretly issuing subpoenas to access SWIFT data since 2001 under its classified Terrorist Finance Tracking Program (TFTP).12 Under the TFTP Agreement, Europol assesses whether Treasury’s data requests are necessary for the fight against terrorism and its financing. Europol also verifies that each request is tailored as narrowly as possible to minimize the amount of data provided in order to comply with EU data privacy laws. The agreement was amended to satisfy certain EU data privacy concerns but was voted down in the European Parliament in early 2010, before being further revised and approved in mid-2010 (thanks in large part to the effective advocacy of my predecessor Ambassador Bill Kennard and the personal appeals of Vice President Joe Biden).
The TFTP Agreement has proven to be a valuable tool in terrorism-related investigations because it enhances the ability to map terrorist networks by tracking terrorist money flows. US authorities have made extensive use of their ability under the agreement to provide TFTP information to EU and member state authorities. To the rather considerable irritation of certain member states, this is information that they cannot obtain directly from SWIFT themselves. Although there have been repeated proposals to create an EU TFTP equivalent, they have been shot down by data privacy hawks concerned about giving governments another avenue of obtaining personal information. Furthermore, some member states have worried that an EU TFTP would be the first step toward granting the EU more powers in intelligence gathering, a jealously guarded national domain. It is rather ironic that the United States helps the EU enhance European security by obtaining information the EU can’t obtain itself, even though the information is held in Europe by a European company.
Another striking feature about the TFTP Agreement is that its scope excludes intra-EU payments. The reason for the exclusion has been that information about such payments is more likely to concern European citizens and therefore more likely to affect European data privacy rights than international payments information. The problem is that many European terrorists, like those behind the recent attacks in Europe, live, work and travel in Europe, and only conduct financial transactions in Europe. While the TFTP information that the United States provides to Europe contains important leads gleaned from international financial transactions, the terrorists’ financial dealings in Europe remain a black hole.
As of November 30, 2018 the US has shared more than 50,000 TFTP-derived leads with European authorities and EU member state governments. These leads have prevented some terrorist attacks and have assisted the investigation of many others. The US Treasury Department has made a few examples public. They include the August 2017 terror attack in Turku, Finland; the August 2017 on La Rambla, Barcelona; and the April 2017 attack in Stockholm; at the time of his capture he was actively plotting further attacks in Thailand. Moreover, US provided roughly 800 leads based on SWIFT information to Europol and European counterterrorism authorities in response to the attacks in Paris and Brussels. Some of them were provided in real time as the attacks were still under way. SWIFT information has also helped to prevent other attacks, as well as uncover EU-based recruitment of terrorist fighters in Syria and international financial support of terrorist organizations. Despite repeated allegations, especially in the immediate aftermath of the Snowden allegations, that the US Treasury has abused its powers under the agreement, regular US–EU joint reviews have concluded that the agreement is operating as intended.
The Contribution of Europol
The day after the terrorist attacks in Brussels, I traveled to Europol in The Hague to speak at a meeting of law enforcement officials from the EU member states and the United States on the importance of deepening transatlantic counterterrorism cooperation. During my speech, the photos of recent victims of terrorism on both sides of the Atlantic were flashed on the screen behind me. Later that day, I stood next to Rob Wainwright, the director of Europol, as he addressed the entire staff of the agency in the atrium and asked for a minute of silence out of respect for the victims. The mood was somber but resolute. As I looked out on the crowded atrium, with representatives of law enforcement authorities from 42 countries, I thought to myself that Europol represents international cooperation at its finest. The whole will always be greater than the sum of its parts when countries band together to provide mutual assistance and share information to save lives and prosecute criminals.
Europol is perhaps not as well-known as Interpol, an international body founded in 1923 with the aim of promoting police cooperation among its 192 members, but it has been steadily growing in significance. Its international profile certainly benefited from the fact that the film Ocean’s Twelve, released in 2004, featured a Europol investigator (played by Catherine Zeta-Jones) who is on the trail of main character, Danny Ocean (played by George Clooney). Its growing size and responsibilities over the past decade are due in part to the terrorist attacks mentioned earlier; but it is primarily due to the vision and drive of Rob Wainwright, who led the organization between 2009 and 2018.
With a budget of about €125 million and a staff of 1200, Europol focuses on organized crime, terrorism, and other forms of serious crime that affect two or more member states and that require a “common approach by the member states owing to the scale, significance and consequences of the offences.”13 Even two decades after its founding, Europol falls short of German Chancellor Helmut Kohl’s vision of a European FBI with sweeping powers. It relies on member states for information and cooperation, and it does not have enforcement powers, such as the power to arrest suspects. Ocean’s Twelve depiction of Europol was erroneous because it does not engage in operational police work.
Europol has had to deal with the view of the larger EU member states, especially the UK and France, that the EU does not have the legal authority to provide the intelligence work that traditional secret services do (even though there is a small EU unit that does intelligence analysis of issues based on information provided by member state intelligence services). Since 2002 all the intelligence agencies of the EU 28, as well as those from Norway and Switzerland, have met informally outside the EU legal framework as the Counter-Terrorism Group to improve intelligence cooperation. Nonetheless, the EU has demonstrated that Europol and many EU databases usefully supplement the work of member states’ intelligence services.
Europol’s contributions are significant: It serves as an information hub that gathers criminal intelligence from member states, third countries, and other sources and subsequently disseminates that information through a secured communications network. It is also a center of law enforcement expertise that generates strategic reports (such as threat assessments), and a support center for law enforcement operations in the member states (especially complex cross-border operations against high-value targets).
Europol’s strong relationship with US law enforcement authorities took time to establish. When Wainwright, a former intelligence analyst at MI5, Britain’s domestic intelligence service, first met Robert Mueller (then director of the FBI) soon after his appointment to Europol in 2009, Mueller seemed skeptical of the value that Europol could deliver. Mueller made it clear that the FBI wasn’t interested in multilateral cooperation; the only thing that mattered, according to him, was bilateral cooperation. At that time, Europol had only been in existence for a decade and had few credentials and limited means. Moreover, Europol had yet to prove that it could safely collect and store intelligence without data breaches (something that it has succeeded in doing). Mueller probably was unimpressed with Europol because of its lack of enforcement powers and its reliance on the willingness of member state law enforcement authorities to share information. As the member states have increasingly used Europol as a provider of analysis and a clearinghouse of information, the desire of the FBI and other US law enforcement authorities to cooperate with Europol has grown.
Today Europol’s reputation is well-established on both sides of the Atlantic because of its work in many areas such as cybercrime, drug trafficking, child sexual exploitation, terrorism, and migrant smuggling. Europol houses liaison officers from the law enforcement agencies of all EU member states, more than a dozen non-EU countries (including the United States), and EU ones such as Eurojust and non-EU organizations such as Interpol. On each of my visits to Europol I sat down with some of the 40 liaison officers from eleven US law enforcement agencies posted there.14 Despite some turf battles between these agencies, they have played a very constructive role in Europol’s work and also benefit from Europol’s expertise. Every year Europol supports approximately 500 cases involving US authorities, of which 50 are classified as being “high impact.” Europol also has two senior liaison officers working in Washington to ensure a reliable point of contact for US law enforcement authorities.
Cybercrime continues to grow as an area of US–EU law enforcement cooperation. Europol’s European Cybercrime Centre (EC3), established in 2013, has quickly established itself as a major player in forensics, strategy, and operational support to combat transnational cybercrime. Its Joint Cybercrime Action Task Force focuses on high-tech crimes (such as malware and identity theft), transnational payment fraud, crime on the Dark Net, and online child sexual exploitation. By hosting police officers temporarily seconded by EU member state law enforcement authorities and non-EU authorities (including the FBI and the US Secret Service), the task force pools national intelligence related to a specific cybercrime case.
The Dark Net is an anonymous network within the part of the World Wide Web that is not discoverable by means of standard search engines. It is difficult to police because it anonymizes a user’s real Internet Protocol (IP) address by routing traffic through many servers. It can only be accessed using specific software such as TOR (an acronym for The Onion Router). TOR alone is used worldwide by over 750,000 people on a daily basis, with over 2 million directly connected users (half of whom are in Europe) and hosting over 45,000 domains.
The Dark Net was developed to protect freedom and privacy but is being misused by criminals to trade anonymously in a wide range of goods and services such as drugs, firearms, fraudulent documents, counterfeit goods and currency, human trafficking, stolen personal data, and malware. As a significant part of its activity relates to hosting platforms engaging in illicit activity, the Dark Net has become one of the main engines of organized crime in the EU.
The widespread use of lightly regulated virtual currencies as a means of payment between vendors and clients complicates the task of tracing transactions and seizing assets. The most widely used virtual currency, bitcoin, enables pseudonymous (but not anonymous) transactions. The cryptographic addresses of the sender and the recipient of transactions are recorded on a publicly accessible ledger (called a “blockchain”). Although these addresses are not linked to real-life identities, it is possible to unmask the true identity of senders and recipients of bitcoin transactions with sufficient investigative resources.
Unfortunately, new virtual currencies offer a high degree of anonymity by using decentralized systems (without a central server or central supervisory body), combining multiple transactions, hiding the amount of each transaction, and obscuring the origin and recipient of funds. Although there have been few known instances of virtual currencies being used to finance terrorism, that may soon change because terrorists like the anonymity that the new currencies provide. By avoiding the use of traditional financial messaging, these virtual currencies will undermine the ability of the US and the EU to extract useful information from SWIFT through the TFTP Agreement.
In November 2014, EC3 coordinated an operation involving the FBI, the Immigration and Customs Enforcement (ICE) bureau of the Department of Homeland Security, and 21 countries in taking down the “Silk Road 2.0” Dark Net marketplace that was being used by thousands of dealers in drugs, firearms, and dangerous contraband. The operation led to multiple arrests of vendors and the administrators of the marketplace, as well as the seizure of bitcoins, cash, drugs, and gold. The operation also led to the shuttering of hundreds of other online marketplaces. While the takedown of a Dark Net marketplace was not new (the FBI had already acted against the predecessor Silk Road website in 2013), the operation was noteworthy because of its multinational character and speed. What would have taken years to organize without Europol was accomplished in several months.
In June 2017, EC3 was at the center of another multinational operation involving the FBI, the US Drug Enforcement Agency, and the Dutch national police. The operation shut down two of the three largest Dark Net marketplaces that dwarfed the size of Silk Road and facilitated a major underground criminal economy affecting the lives of thousands of people around the world. The AlphaBay and Hansa marketplaces enabled the trading of over 350,000 illicit goods (especially drugs and firearms) among 200,000 members and 40,000 vendors. The value of transactions conducted through them since their creation in 2014 was conservatively estimated at $1 billion.
With the technical and forensic support of EC3, Dutch national law enforcement took covert control of the Dutch servers of Hansa, the third largest Dark Net site, and then monitored the activity of its users without their knowledge. At the same time, the authorities shut down AlphaBay, the largest darknet site, and waited until its users flocked to Hansa to continue trading. After gathering valuable information about the names of buyers and transactions, the operation shut Hansa down as well, and led to arrests and seizures of servers, cryptocurrencies, and intelligence that will lead to further investigations. Once again, Europol had proven its worth as a hub of transatlantic law enforcement information exchange, analysis, and cooperation.
Drugs are increasingly traded online on various platforms, including on the Dark Net. The drug market remains the largest criminal market in the EU. The retail drug market has been conservatively estimated to be worth about €24 billion per year and to account for up to 0.6% of the GDP of many EU member states. The reality is that the market is much, much larger. More than one-third of the organized criminal groups in the EU are involved in the production, trafficking, or distribution of drugs and derive billions of euros of profits from such activities. More than two-thirds of such groups involved in the drug trade are simultaneously involved in other criminal activities. The harm caused by the drug market extends well beyond drug use; it includes the financing of other criminal activities (including terrorism) and corruption.
On one of my visits to Europol, the head of the drugs unit emphasized the growing health risk from synthetic opioids, such as fentanyl derivatives. As I was about to pour a packet of sugar into my morning coffee, he made me sit up by pointing out that fentanyl is 30 times more potent than heroine and that a packet of that size contains thousands of doses, each of which can quickly poison and even kill an individual. Because of their psychoactive effects, such as causing euphoria, these opioids are frequently used as replacements for heroin, cocaine, and other illicit drugs. They are not controlled by international drug conventions and can therefore be manufactured and traded relatively freely in many countries. Organized crime groups therefore consider the opioid market to be a relatively low-risk and high-profit opportunity.
Hundreds of new synthetic compounds have been detected in the past few years alone. These synthetic opioids are typically manufactured by Chinese pharmaceutical and chemical companies, shipped to Europe either in bulk by air or sea cargo or in smaller quantities by express mail services, and subsequently sold through physical shops or online. There is an increasing risk that some of this traffic will flow onwards to the United States where opioid addiction is an alarming health problem. About 47,600 Americans died from overdosing on opioids such as fentanyl in 2017, up from 5000 in 2014. Europol will be a key partner of US law enforcement authorities in tackling this threat.
Another important area of work for the Joint Cybercrime Action Taskforce is transatlantic cooperation to combat online child sexual exploitation. In February 2015, the liaison officer representing the Department of Homeland Security at the US Mission to the EU informed me that law enforcement agencies on both sides of the Atlantic, including Europol, had assisted Romanian police in arresting a Romanian woman who had been sexually abusing her two-year-old daughter, filming the abuse and posting the content online. The woman’s two children, who were found in the house search, were handed over to child custody services. I felt so revolted that I requested a full briefing.
The case arose when the National Center for Missing and Exploited Children (NCMEC) received a report of suspected child sexual abuse on their CyberTipline, a reporting tool for the public and Internet service providers (ISPs) to report child pornography. NCMEC is a private, non-profit entity based in the United States that serves as a national clearinghouse and resource center for victims, families, law enforcement and the public on issues relating to missing and sexually exploited children. ISPs are required by federal law to report child pornography that comes to their attention. Many also take proactive steps to detect and disrupt its redistribution by using technology like Microsoft’s PhotoDNA. That technology creates a unique digital “signature” for a digital photograph, like a fingerprint, that calculates the essential characteristics which can then be compared against other photos to find copies, even when they have been resized or otherwise altered. Microsoft has provided PhotoDNA for free to NCMEC, law enforcement authorities, and many other organizations, including technology companies, to combat child exploitation.
NCMEC examined the report and immediately forwarded the information to the ICE Homeland Security Investigations liaison officer at Europol. Although the case was just one of tens of thousands of referrals made by ICE through Europol to EU member states every year, it was especially urgent because of the age of the victim. EC3 immediately launched an investigation, analyzed and cross-checked the data, and forwarded an intelligence package to Romanian authorities. The suspect was arrested within four days of Europol receiving notice of the case, a remarkably short period. I found the case particularly intriguing when I was told about the sophisticated tools employed to narrow the geographic search for the culprit; it was the presence of just a few objects in the background to the photographs that enabled law enforcement to focus on Romania and eventually the city of Sibiu in Transylvania. The success in that case helped launch a broader initiative called “Trace an Object” in which Europol posts images of objects on its Web site and solicits the public to help identify their origin.
In February 2017, US and European law enforcement authorities, including Europol, concluded a two-year investigation into Playpen, the world’s largest pedophile ring on the Dark Net with over 150,000 users. The Playpen site enabled users to browse for a wide range of videos and photos of boys and girls, including toddlers, under different categories, such as incest and various fetishes. The investigation was one of the largest and most complex ever undertaken in its field. The FBI used malware to hack into Playpen’s Web site and server and then track and identify its users. As a result of the investigation, the FBI convicted Playpen’s founder to 30 years in prison and law enforcement authorities around the world arrested nearly 900 of its members, including 368 in Europe.
Under its “Angel Watch” program, furthermore, the ICE bureau of Homeland Security Investigations provides annually hundreds of alerts to Europol and EU member states about US child sex offenders traveling from the United States so that appropriate actions can be taken under national laws. A small but increasing number of EU member states provide ICE with similar alerts regarding European child sex offenders traveling from Europe to the United States.
Europol’s reputation as an effective law enforcement agency is also due to its actions in the field of counterterrorism. A European Counter-Terrorism Centre (ECTC) serves as a platform for EU member states to pool and share information, as well as coordinate operations, relating to foreign terrorist fighters, firearms trafficking, and the financing of terrorism. The ECTC is also developing a strong working relationship with the US National Counterterrorism Center as it becomes abundantly clear that the defeat of transnational terrorism requires a regional or global approach rather than one focused on bilateral cooperation.
Alarmed by the trend of European Islamist jihadists who were traveling to Syria and Iraq (and sometimes back to Europe) to engage in acts of terrorism, in 2014 the ECTC launched a dedicated database, now part of the broader European Information System (EIS), to enable EU member states collect, analyze, and share information on their recruitment and movements. The response from most member states was initially lukewarm: Europol received information (largely from just five member states) on roughly 2000 suspects, one-third of the 6000 EU nationals that member state security services suspected of being so-called foreign fighters. As of 2018, Europol estimated that one-third of the fighters died in fighting, one-third may have returned to their home countries, and one-third was still unaccounted for.15
At the time of the Brussels attacks in March 2016, Europol had about 4000 intelligence entries relating to terrorism; two years later the figure had more than doubled to 8600. The EIS is now consulted millions of times per year. Importantly, the database is also linked to Europol’s organized crime database, enabling cross-matching of information and the establishment of links between investigations. As many of the terrorists who have attacked Europe had prior criminal records, this is an important contribution. Several US law enforcement agencies have signed agreements to participate in the ECTC’s efforts to combat the “foreign fighter” phenomenon.
The ECTC has also provided operational support to EU member states during investigations launched in the wake of terrorist attacks. Within an hour of the attacks in Paris in November 2015, for example, the ECTC set up a taskforce staffed with 60 Europol officers (joined by US law enforcement) to assist the French and Belgian investigations. Combining its own data with information provided by the member states, information from the US TFTP, and other sources, Europol provided thousands of leads to those investigations and contributed to the disruption of future attacks. The role of the ECTC has continued to grow after the Paris attacks. In 2017, it helped in 439 counterterrorist operations in Europe, up from 127 the year before.
The terrorist attacks of early 2015 underlined once again the malignant role of online terrorist propaganda. Jihadist groups have implemented a sophisticated Internet and social media campaign to recruit followers and glorify terrorism. Although not all terrorist attacks have been entirely due to online content, there is no doubt that some of the attackers were influenced by what they saw online. Some were persuaded by online content to join Islamist fighters in Syria and Iraq and some returned to commit atrocities in Europe. Others did not need to travel and were radicalized and instructed on weapon-making in the comfort of their own homes. Responding to the call of EU member states to address this phenomenon, the ECTC launched an Internet Referral Unit (IRU) in mid-2015 to provide operational support and analysis to the EU member states on online terrorist propaganda, as well as to identify and refer such content to ISPs and social media platforms for subsequent removal.
A related initiative called the EU Internet Forum brings together representatives of EU member state interior ministries, EU agencies, the Internet industry and other stakeholders to reduce accessibility to terrorist content online. The major platforms participating in the Forum, including Google, Facebook, Microsoft, and Twitter, have created a shared database containing tens of thousands of known items of terrorist content and are increasingly developing automated tools for their speedy detection and removal (even when re-uploaded onto different sites). Moreover, the platforms agreed with the European Commission on a “Code of Conduct on Countering Illegal Hate Speech Online” to tackle the spread of such content, including terrorist propaganda and xenophobic or racist hate speech. The code has been a success. As of 2019, all companies that signed the code (including all the large Internet firms) were assessing 89% of flagged content within 24 hours and removing about 70% of it.16
Europol has also coordinated multiple multinational operations by law enforcement authorities, including from the United States, to disable key media outlets affiliated with the terror group ISIS. One such operation in April 2018 took down the Amaq News Agency website, the primary mouthpiece of and multi-lingual propaganda source about the group’s activities worldwide. The operation resulted in the seizure of digital evidence and servers that later helped to identify both the administrators of ISIS Web sites and potentially radicalized individuals.
While the EU Internet Forum led to significant improvements in the removal of terrorist content online, the European Commission and EU member states felt much more could be done and faster. In March 2018, the European Commission proposed a set of voluntary recommendations to Internet companies about actions they should take to curb terrorist content online. According to the recommendations, the companies should remove terrorist content within one hour of notification and should implement proactive measures, including automated detection tools, to remove the content and prevent its reappearance. By the end of 2018, however, the European Commission abandoned the self-regulatory approach and proposed binding legislation, passed in 2019, on the removal of terrorist content within one hour of notification. This was partly driven by the fear that in the absence of EU-wide action many member states would pass their own national legislation.
Europol has also emerged as an important forum for US–EU cooperation on the combat against migrant smuggling. Europol established the European Migrant Smuggling Centre (EMSC) in early 2016 in response to the unprecedented wave of migrants that overwhelmed Europe during the prior year. Migrant smuggling is a fast-growing and highly profitable multi-billion-euro criminal activity, deriving revenues from charging illegal migrants extortionate fees to facilitate their travel into Europe. The goal of the center has been to assist EU member states, through information exchange and operational support, to target and disrupt the financing and conduct of sophisticated criminal networks involved in migrant smuggling. The deployment of EMSC staff to southern Italian ports and Greek islands near Turkey has made an important contribution, especially in the detection of fraudulent documentation and in conducting checks against criminal databases in the event that Frontex and national authorities have concerns during their initial screening.
The United States has a keen interest in disrupting migrant smuggling, not only because of the horrific conditions suffered by migrants at the hands of unscrupulous criminal groups, but also because of the danger that migrants may be able to benefit from visa-free travel from Europe to the United States. Although there is no clear evidence that terrorists have systematically used migrant flows to enter Europe, it is indisputable that some have done so. Reflecting these concerns, ICE and US Customs and Border Protection have joined a special joint operations team established by EMSC to combat illegal migration organized by criminal groups across the Mediterranean.
Prospects for Further Collaboration
I draw several conclusions from my engagement with law enforcement issues during my diplomatic mission in Brussels. First, the EU institutions have made an important contribution to European security, both at the EU’s external borders and within its territory. Member states retain a key role in this regard, of course, but they can’t achieve their goals without an increasingly unified approach. Second, US–EU law enforcement cooperation is also essential, not only to European security but to the security of the US homeland as well. Serious crime and terrorism are increasingly transnational in terms of the organization, recruitment, and financing that make them possible. Bilateral law enforcement cooperation between the United States and individual EU member states will remain a critical tool in combating serious crime, and terrorism, but US–EU cooperation will continue to gain in importance.
Despite the many areas of US–EU relations that have suffered a setback during the Trump administration, law enforcement fortunately continues to be an area of fruitful cooperation. For example, the US and the EU have recently collaborated to reduce the risk that terrorists could exploit portable electronic devices (such as tablets, laptops, and phones), chemicals, and powders to disrupt air travel, while minimizing undue burdens on the industry and passengers. There are several areas where we could go even further. One important opportunity would be to conclude a US–EU agreement to facilitate law enforcement authorities’ access to electronic evidence held in each other’s jurisdiction. The aim should be to conclude such an agreement far faster than the US–EU PNR Agreement or the Umbrella Data Privacy and Protection Agreement that took eight and six years, respectively.
A US–EU Agreement on access to “e-evidence” is necessary because personal devices, digitalization, the Internet, and high-speed communications are transforming crime and law enforcement. Transnational crime (much of it facilitated by the Internet) is on the rise and much of the related evidence is in electronic form, stored in places unrelated to the location of the crime. The Department of Justice and the European Commission have both noted a significant recent increase in cross-border requests for electronic evidence.
The existing method of requesting assistance through an MLAT is not fit for purpose. Most of the mutual legal assistance treaties entered into between the US and the EU member states are so dated that they do not contemplate electronic evidence and do not provide strong procedural protections (such as judicial oversight) or data privacy rights. The average period required to fulfill MLAT requests is ten months because they must be transmitted from one central authority to another and then to foreign prosecutors and, in some instances, to courts. Often the requests must be translated and interpreted by the foreign government. And if the central government’s law enforcement authority transfers the request to a local authority for action, the latter may well place a higher priority on its own investigations.
This delay is increasingly unacceptable in a world in which electronic evidence can be moved, manipulated, or deleted at lightning speed. As a result, governments around the world are increasingly requiring electronic service providers to store evidence locally. And they are seeking alternative means of acquiring evidence, such as asserting extraterritorial jurisdiction or making “voluntary requests” to foreign cloud providers and telecommunications companies, resulting in an increased likelihood that such firms will face a conflict of laws.
The MLAT system sometimes doesn’t make sense because it requires foreign governments to meet US legal requirements rather than satisfy their own (often satisfactory) due process requirements, even when the case is national. Why compel a Belgian investigative magistrate to show “probable cause” to access an e-mail sent by a Belgian suspected jihadist to another Belgian suspected jihadist to plan an attack in Belgium simply because the e-mail is stored in a US server?
The passage of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in the United States in 2018 was an important step toward modernizing US laws requiring acquisition of electronic evidence and toward enabling cross-border cooperation with foreign governments. The act allows federal law enforcement to compel US-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the servers are in the US or abroad. That rendered moot a long-running legal battle between Microsoft and the US government in which Microsoft resisted requests by the FBI, in the course of a drug trafficking investigation, to hand over e-mails of a US citizen that were stored on one of Microsoft’s servers in Ireland.
The CLOUD Act is also significant because it authorizes the executive branch to enter into international agreements with foreign governments whose countries guarantee certain basic standards of due process and data privacy rights that are equivalent to those found in US law. These agreements enable national law enforcement authorities to request electronic service providers to deliver electronic evidence located in the other party’s territory, a far quicker and simpler route than afforded under the MLATs.
The first such signed agreement between the United States and the UK will enable British law enforcement authorities to obtain electronic data such as e-mails, texts, and direct messages from US service providers—such as Google, Facebook, Twitter, and Microsoft—in criminal and national security investigations involving UK citizens. The UK must respect its own laws in doing so and it may not obtain records of any US citizen that might surface in an investigation. US law enforcement authorities have reciprocal rights under the agreement to obtain information from UK companies. The UK has apparently received assurances that information provided to the US under the agreement will not be used in cases involving the death penalty.
The US government faces the key question of whether to replicate the template of the US–UK executive agreement purely on a bilateral basis. For example, it may decide to pursue similar agreements with the other members of the “Five Eyes” intelligence-sharing alliance (Australia, New Zealand, and Canada). With regard to Europe, the US government must choose whether to negotiate with certain “trusted” member states or with the EU as a whole. Although the EU 27 have given the European Commission a mandate to negotiate on behalf of all of them, the US Department of Justice has harbored some reservations about this approach, principally because of concerns about the degree of due process protections in certain member states, such as Hungary and Poland.
Those concerns are overstated because of the robust protections under EU law, especially the EU Charter of Fundamental Rights and the General Data Protection Regulation, as reinforced by the recent regulation on electronic evidence. There are strong reasons justifying a US–EU agreement. Most important, it would provide an opportunity to begin establishing an international norm for cross-border access to evidence stored in the cloud that would be consistent with law enforcement needs and a high level of fundamental rights protection. An agreement could always provide additional safeguards of fundamental rights, beyond those found in EU and US law. And if there is credible evidence that a state does not provide sufficient protection of these rights, the agreement could be curtailed or suspended pending review.
The need for such an agreement is particularly important in light of the EU’s own proposed “E-evidence” legislation that enables member states to compel telecommunications service providers to deliver information held in other EU member states or outside the EU when the information relates to serious crimes committed under their own laws. Before agreeing to sign an “umbrella” agreement with the EU and then detailed executive agreements with individual member states, the Department of Justice would have to conclude that EU law requires member states to satisfy minimum standards relating to data privacy, human rights, and due process. That would be a rather ironic mirror image to the situation the United States faced during the Privacy Shield negotiations described in chapters.
The US and the EU also need to deepen their coordination in the fight against money laundering and the financing of terrorism. The challenge is massive and far from being addressed adequately. According to Wainwright, professional money launderers are running billions of euros of illegal drug and other criminal profits through the banking system with a 99% success rate. Despite banks spending tens of billions of euros on compliance, law enforcement authorities are seizing only a tiny fraction of criminal assets.17 One of the issues holding back progress is the absence of an EU-wide body to coordinate the work of the national Financial Intelligence Units, the agencies that receive and analyze information relating to these crimes. Another issue is that there is no central database to store information: A decentralized computer network provides an information exchange between the agencies. Europol has frequently convened cryptocurrency exchanges, payment processors, and digital wallet providers as well as authorities from EU member states to assess ways to crack down on the use of digital assets for money laundering.
One important way for the US and the EU to deepen their campaign against money laundering and terrorist financing is to build on the Europol Financial Intelligence Public–Private Partnership, a public–private partnership launched in December 2017. The partnership brings together experts from large international banks (including from the United States) and officials from law enforcement and the Financial Intelligence Units of EU and non-EU states. Its purpose is to build a common intelligence picture and understanding of the threats and risks, as well as to facilitate the exchange of intelligence related to on-going investigations.
While there are many uncertainties about the future of US–EU relations, one thing is certain: More and smarter cooperation on law enforcement will be increasingly necessary to confront well-financed and well-organized threats to our common security. Advancing transatlantic coordination will require identifying and working to eliminate obstacles whenever possible. For example, the exclusion of intra-European payment information from the TFTP Agreement should be terminated as this gives European terrorists significant scope to evade detection.
The departure of the UK from the EU presents a risk to the effectiveness of Europol because the UK has been a major contributor to (and beneficiary of) its work. It will be important for the UK to be as tightly involved in Europol’s work as possible, including access to Europol databases. If the UK is treated like a “third country” such as Russia, or even the United States, the operational effectiveness of Europol and US–EU law enforcement cooperation could suffer.
Footnotes
1
“No Poirots: Belgium’s Security Problem,” The Economist, April 2, 2016. https://www.economist.com/europe/2016/04/02/no-poirots.
2
Matthew Levitt, “My Journey to Brussels’ Terrorist Safe Haven,” Politico, March 27, 2016.
3
Speech by Ambassador Nathan Sales, Coordinator for Counterterrorism, “Counterterrorism, Data Privacy, and the Transatlantic Alliance,” German Marshall Fund, July 19, 2018.
4
In the United States, PNR data are held in an active database for up to five years, before being “depersonalized” (made anonymous) and transferred to a dormant database, where they can be held for a further ten years.
5
Zoya Sheftalovich and David Meyer, “Deal Close on EU Passenger Name Records,” Politico, November 30, 2015. https://www.politico.eu/article/deal-close-on-eu-passenger-name-records/.
6
State of the Union 2015: “Time for Honesty, Unity and Solidarity,” Strasbourg, September 9, 2015. http://europa.eu/rapid/press-release_SPEECH-15-5614_en.htm.
7
“A Real Border Guard at Last,” The Economist, December 16, 2015.
8
Dr. Michael Böhmer, Jan Limbers, Ante Pivac, and Heidrun Weinelt “Departure from the Schengen Agreement: Macroeconomic Impacts on Germany and the Countries of the European Union.” https://www.bertelsmann-stiftung.de/fileadmin/files/BSt/Publikationen/GrauePublikationen/NW_Departure_from_Schengen.pdf.
9
Andrew Byrne, “Athens Hits Back at EU Plan to Isolate Greece Over Migrants,” Financial Times, January 25, 2016.
10
“EU Rules Prevent Sharing of Refugee Fingerprints,” Euractiv, February 23, 2016. https://www.euractiv.com/section/global-europe/news/eu-rules-prevent-sharing-of-refugee-fingerprints/.
11
“Germany Reports Disappearance of 130,000 Asylum Seekers,” BBC, February 26, 2016. https://www.bbc.co.uk/news/world-europe-35667858.
12
Eric Lichtblau and James Risen, “Bank Data Is Sifted by US in Secret to Block Terror,” The New York Times, June 23, 2006.
13
COUNCIL DECISION of 6 April 2009 establishing the European Police Office (Europol). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009D0371&from=en.
14
The law enforcement agencies are: Immigration and Customs Enforcement, Customs and Border Protection, the Federal Bureau of Investigation, the Drug Enforcement Agency, the Food and Drug Administration, the Secret Service, the State Department’s bureau of diplomatic security, the Internal Revenue Service, the Bureau of Alcohol, Tobacco and Firearms, the Transportation Safety Administration and the New York Police Department.
15
Giulia Paravicini, “Europe Is Losing the Fight Against Dirty Money,” Politico, April 4, 2018. https://www.politico.eu/article/europe-money-laundering-is-losing-the-fight-against-dirty-money-europol-crime-rob-wainwright/.
16
European Commission Factsheet, February 2019. https://ec.europa.eu/info/sites/info/files/hatespeech_infographic3_web.pdf.
17
Giulia Paravicini, “Europe Is Losing the Fight Against Dirty Money,” Politico, April 4, 2018. https://www.politico.eu/article/europe-money-laundering-is-losing-the-fight-against-dirty-money-europol-crime-rob-wainwright/.