Russia’s backdoor? Moscow tied to EU’s biometric border system – FT
Nation6 February 2025, 04:32 PM
According to documents reviewed by the newspaper, the French
IT group Atos used employees in Russia to procure software in 2021 for a
top-secret project designed to collect and store biometric data on all non-EU
visitors.
The revelation of Russia’s involvement has raised security
concerns about the EU’s massive border infrastructure overhaul. The system’s
launch remains uncertain after the EU canceled several scheduled dates due to
technical issues.
According to the report, leaked documents suggest that Atos’
Moscow branch operated under a license granting Russia’s FSB security service
access to its work in the country.
Four sources interviewed by the newspaper said that
employees of the Moscow office were directly involved in procuring software for
the border system—a task that typically requires approval from the EU’s
security services.
European Public Prosecutor’s Office (EPPO) is investigating
the involvement of Atos’ Russian unit in the project, the sources said.
EPPO stated that it does not comment on cases or publicly
confirm ongoing investigations.
The EU’s anti-fraud watchdog, Olaf, investigated allegations
of Atos Russia’s involvement last year. A person familiar with the probe said
the agency determined that measures taken by EU-Lisa, the EU agency responsible
for large-scale IT systems, to address “security concerns” were insufficient.
The source said there was not enough evidence to launch a
formal investigation, but EU-Lisa was given recommendations on “eliminating
vulnerabilities.”
“We know that EU-Lisa is working closely with Olaf… the
agency can take any necessary legal action if required,” a European Commission
spokesperson said.
EU-Lisa stated that it was “aware of allegations related to
Atos Russia’s involvement” in the project and that it “never had any
contractual relations with Atos Russia.”
The agency said “no security breaches have been identified”
and that it has “continued systematic security assessments and taken all
necessary measures since learning about the issue.”
However, according to FT, software licenses were purchased
through Atos’ Moscow offices in 2021. There is no evidence that the Moscow
branch of Atos was involved in work on the Entry/Exit System (EES) after Russia
launched its full-scale invasion of Ukraine in 2022.
Since 2016, the Atos branch had operated under a license
issued by the FSB, which covered the development, production, and distribution
of encryption tools, information systems, and telecommunications systems.
Andrei Soldatov, an author and expert on Russian
intelligence services, said such a license gives the FSB a “backdoor” into Atos’
operations in Russia.
“They can see everything this company is working on,”
Soldatov said.
Atos stated that it sold its Russian business in September
2022 following the invasion of Ukraine.
According to leaked documents, Atos used its Russian office
to procure software for part of the EES system that would allow airlines to
check travelers’ information, visa status, and details of four individuals
involved in the software sales at Atos, EU-Lisa, and its suppliers.
The report noted that an employee at Atos’ Moscow office,
Yulia Plavunova, was the “primary” contact person for purchasing cryptographic
certificates from the US company AppViewX, which help verify users of this part
of the EES system. The Moscow address of Atos was also listed in documents
related to software licenses sold by the Swiss group Magnolia for middleware,
which connects different parts of a computer system.
Both AppViewX and Magnolia confirmed that Atos used its
Moscow office for procurement, although their contracts were signed with Atos
France and Atos Belgium. A former Atos employee who worked on the project said
Plavunova was “part of the procurement department” and was “routinely involved
in purchases involving third-party contractors.” The employee said they were
unaware that she worked in Russia and found it “strange” since only “EU-vetted
employees” were supposed to be involved in the project.
According to the main EES contract reviewed by FT, all IT
contractor employees working on the project “must have a valid EU security
clearance issued by the national security authority [in an EU member state]
before being allowed to provide services.”
EU-Lisa stated that “no security breaches have been
identified” because the Atos Russia employee “did not have access to IT
systems, confidential information, or EU-Lisa premises.”
EU-Lisa also said that the software purchased from AppViewX
was never used and that Magnolia software was used until 2022.
Plavunova stated that she left Atos in 2021 and could not
disclose any information belonging to her former employer. She added that her
role as a software buyer “was not related to Atos’ business in Russia” and that
Atos “provided employees with equal opportunities to work in different regions.”
“Being Russian does not mean working for the FSB,” she said.