In March 2020, during his return to the Netherlands from abroad, Frank van der Linde, a Dutch citizen and human rights advocate, encountered unexpected scrutiny upon entering the immigration line for European Union citizens at Amsterdam’s Schiphol Airport. While Linde believed the questioning from the immigration officer was routine, his responses were actually recorded and subsequently shared with a public prosecutor as part of an investigation into his international movements.
Linde’s situation underscores the intense data exchange occurring between airlines and government entities whenever travelers fly internationally. This exchange includes sharing detailed personal information, which remains on record for years. This trove of data is increasingly leveraged by technology companies experimenting with algorithmic processes to assess who can cross borders, raising significant concerns about privacy and the potential for misuse.
Linde, known for his advocacy on issues like homelessness, anti-racism, and pacifism, had previously been flagged by Dutch authorities in 2017 as a person of interest under a counter-terrorism initiative. His concerns regarding surveillance became apparent in July 2018 when he sensed potential monitoring of his activities. This prompted him to use freedom of information laws, undertaking numerous legal actions against the government to understand the extent of the observations. Although he was removed from the watchlist in 2019 and received an apology from Amsterdam’s mayor, the scrutiny persisted, especially after he discovered his name on an international travel alert while questioning whether his travel data was being used to monitor him.
In October 2022, Linde formally requested his flight records, known as Passenger Name Records (PNR). These records, maintained by airlines, contain sensitive personal details such as addresses, phone numbers, flight itineraries, and payment information, transmitted to destination countries shortly before departure. While these records may appear benign, they represent a substantial digital footprint that government and private entities can analyze.
In December 2022, the Dutch Passenger Information Unit provided Linde with seventeen travel records, claiming no data had been shared with third parties. Skeptical, Linde appealed this disclosure, which led to a significant revelation in March 2023: the Dutch government had actually shared his PNR information three times with border police, including prior to his March 2020 flight. This incident exemplifies potential vulnerabilities in data handling practices and highlights the risks of data sharing between governmental and law enforcement bodies.
Upon reviewing his PNR records, Linde was taken aback to find inaccuracies; some flights were unaccounted for, and in several instances, records reflected flights he had never undertaken. One notable error indicated a journey to Belfast that Linde had only partially initiated. This situation raises questions regarding the integrity of the data being analyzed, pointing to the concern that misinformed conclusions may arise from erroneous information.
This incident exemplifies tactics that could align with various levels of the MITRE ATT&CK framework, particularly in the context of initial access and information reconnaissance. The systematic data collection and subsequent sharing practices illustrate how adversary strategies may exploit personal data to maintain surveillance and control over individuals of interest. As businesses and individuals increasingly operate within this interconnected landscape, the incidents surrounding Linde serve as a reminder of the pervasive threats in data security, highlighting the need for robust safeguards around personal data.
