Data Security of Customs Equipment at the Dutch and EU Borders
Nuctech’s customs control equipment leaks to Beijing and Moscow
The available EU funds should be used to procure European alternatives
European Union Customs authorities should – and if they want to make use of EU funds, are legally required to – refrain from the further procurement of scanning equipment and services from the Chinese company Nuctech. On 9 October 2023, at ‘Nieuwspoort’ of the Dutch Parliament in The Hague, The Netherlands, this was confirmed by top sinologist Didi Kirsten Tatlow. She convincingly demonstrated that Nuctech is fully under the control of the Chinese Communist Party. In its own writings Nuctech says it supports the goals of President Xi Jinping of changing the World Order – together with Russian President Vladimir Putin. On the Financial Times front page of 6 October 2023 Belgian Justice Minister Vincent Van Quickenborne states that initial contracts with Chinese companies are “of a former century” and that these “times of naiveté have changed”.
In this report an abundance of reliable and open-source information is presented that must make all political and other decision makers think twice before prioritizing Chinese low-priced and leaking customs scanning equipment over European and national security and – equally important – over all of our citizens’ privacy.
Infeasible to stop leaks
The market for scanning equipment and services used by Customs authorities in the EU is dominated by mainly Chinese and some US and UK manufacturers – even among some EU security services. Taking into account that it is technically infeasible to guarantee that scanning equipment will not leak data, as described by Simeon Hvarchilkov, Manager at X3 Tech Ltd., it is also from a legal perspective unacceptable that China’s Nuctech remains among the preferred suppliers in almost all EU countries. “China has employed a range of tactics to drive down prices and push out foreign firms,” said Liza Tobin, senior director of research and analysis for economy at the Special Competitive Studies Project (SCSP). Indeed, so far, the European Commission and EU Member States have selected Nuctech to be the provider of choice because of low prices. But for instance Serbia receives Nuctech scanning equipment for free. Why would that be?
Mr. Hvarchilkov explained that “We can’t stop leaks. We can’t expect leaks to not happen. Furthermore, we should expect leaks to be more and more dangerous with the development of information technology. And we have to address the risks of such leaks and what it might mean.” The information security expert reviewed how risks increase in interconnected systems: “The unified file format which is currently being developed and implemented […] contains a lot of metadata, some of which is as sensitive as personal documents or declarations”. This refers to the huge problem of OSINT (Open Source Intelligence) that, combined with all other intel sources, can subject individual persons to whatever use the collector of the data wishes. Mr. Hvarchilkov added that this serious mass intelligence risk can only be mitigated by limiting who would have access to the leaked information.
Nuctech falls under SASAC and cooperates with Russia
According to Didi Kirsten Tatlow, formerly with the German Council on Foreign Relations and now a Senior Reporter at Newsweek, China’s Nuctech falls under the State-owned Assets Supervision and Administration Commission of the State Council (SASAC) and is thus protected against any foreign involvement. It is engaged in public security systems within China, which are deeply implicated in the oppression of large groups of people, including the Uyghur population. Moreover, since 2017, Nuctech has a formal cooperative relationship with Russia regarding cybersecurity as part of China’s Belt and Road Initiative. “This is, of course, Xi Jinping’s vision of an alternative world order, which he has himself said he is building together with Russia.” Liza Tobin added that Nuctech is banned in the US and other countries as it is obligated under Chinese law to support the Government and security services: “In the EU Nuctech will apply Chinese and not European laws”. The particular concern of the US regards the smuggling of nuclear materials and devices. Furthermore, “dependence on China for digital technologies threatens Western critical infrastructure like 5G network hardware, drones, border security screening technology,” she said.
Promise not to spy?!
Member of the Dutch Parliament Nilüfer Gündoğan is one of the MPs that required the Dutch Government to respond to questions regarding Nuctech’s ownership, its capacity to leak data obtained at Dutch and EU outer borders, and perhaps most importantly, its confirmed strategic cooperation with Russia. Even after an overwhelming majority of Dutch MPs demanded a response from the Government, these questions remained largely unaddressed. Dutch State Secretary Aukje de Vries indicated that Nuctech’s international contacts were not relevant for her. “A lot, and I mean truly a lot of naivety is required to believe that Nuctech does not report anything it becomes acquainted with through its scanning equipment and services to Chinese spying services”, Ms Gündoğan said. “Does The Netherlands Government, including our Minister of Justice and Security, really support the judgment of the commercial company PricewaterhouseCoopers that Nuctech has not been seen to spy and anyway signed a promise with the Dutch Government not to spy? Are they aware that leaking of data cannot or can hardly be detected? And that the essence of spying is not to be caught?” Indeed, among the leaders of PwC’s China operations may be members of the Chinese Communist Party. MP Gündoğan therefore advised that using EU funding to procure new Nuctech equipment “has to stop, and it must stop now”.
A fund of 1 billion Euro in the period 2021-2027 has been made available for EU Member States by the European Commission under the Customs Control Equipment Instrument (CCEI). A Legal Opinion by the renowned law firm Arnold & Porter explains that the Commission has the authority to deny CCEI funds if the chosen equipment’s usage might jeopardize public security. Karen Meesen of the PA International Foundation, who gave an overview of the Legal Opinion, added that even when Member States procure customs control equipment outside the CCEI framework, other EU legislation (Directive 2009/81 on public procurement procedures in the field of defence and security) “authorizes Member States to invoke public security grounds” to exclude certain parties of relevant tenders, as was done successfully by Belgium in the case of Nuctech.
If not Nuctech’s, which equipment then should EU customs authorities be procuring? Cor Datema, CEO of the Dutch firm Dynaxion, pleaded for the use of the CCEI fund to buy safe European products and services, possibly developed through Public Private Partnerships. In his view, the EU has the capabilities to create highly advanced scanning equipment and services that are extremely secure. In the words of conference chair Ad Melkert, a former Dutch Cabinet Member and former UN Under-Secretary General, it is essential to support entrepreneurs in this area, who see big chances, but who will need to find the space and the resources to really develop their business, which, in the end, is also key to Europe’s security interests.
Mr Melkert concluded that time is of the essence, “the issue is there today”. “What struck me when first being involved with this file,” he said, is that moving away from highly vulnerable Nuctech equipment and services “should be a no-brainer; and yet the way that EU Member States, including my own Government in The Netherlands, are dealing with it, causes unnecessary headache. So we need to cure that.” He implied that legal cases could be considered eventually, potentially involving the European Court of Justice or national courts.
- Report of the conference
- Transcript of introduction by Ad Melkert and presentation by Didi Kirsten Tatlow and slides
- Transcript of presentation by Nilüfer Gündoğan
- Transcript of presentation by Liza Tobin and slide
- Transcript of presentation on Legal Opinion and slides
- Transcript of presentation by Cor Datema and slides
- Transcript of presentation by Simeon Hvarchilkov and slides
- Q&A and concluding remarks
- Conference program
Some other relevant documents and websites
- Explosive Detection Systems for Hold Baggage Screening and Explosive Detection Systems for Cabin Baggage as approved by ECAC (European Civil Aviation Conference)
- Belgian Justice Minister Vincent Van Quickenborne on Liege Airport’s negotiations with Alibaba, Financial Times, 5 October 2023
- Arnold & Porter Legal Opinion on security aspects – Public procurement of customs control equipment in the European Union, 28 March 2023
- Regulation 2021/1077 (Customs Control Equipment Instrument Regulation)
- Directive 2009/81 on public procurement procedures in the field of defense and security
- Directive 2022/2555 (‘NIS2 Directive) on measures for a high common level of cyber security across the Union
- Nuctech about itself on public security