EU-wide counter-terror rules are paving the way to allow authorities to crack down on people before any crime has been committed.

Also known as predictive policing, the move is raising serious fundamental rights issues, as people innocent of any wrongdoing may end up falsely accused or arbitrarily detained.

Such tactics are already being employed by Israeli security services on Palestinians, sometimes with devastating consequences for victims and their families.

But with the recent spate of terrorist attacks across Europe, the prospects for predictive policing are becoming more enticing for security services, amid broader EU moves that also appear to restrict online freedom.

In March, member states adopted a directive on combating terrorism - an EU-wide law on blocking access to websites that aim to provoke the public to commit a terrorist offence.

A vague definition of terrorism, including its "glorification", is being used to detain people.

Spain issued 27 convictions last year alone - up from 19 in 2015 - on the basis of terrorist glorification.

Among them is Cesar Montana Lehman, a rapper also known as Cesar Strawberry. A Spanish court jailed him earlier this year following a series of tweets from 2013.

The tweets, which Lehman described as humorous, included a comment that he wanted to send the Spanish king a "cake-bomb" for his birthday.

Lehman says there was no intention to commit actual acts of terrorism. But the Supreme Court ruled that intention was "irrelevant."

Similar stories have emerged elsewhere, with France now normalising its state of emergency and giving police extra powers to detain people without search warrants.

Last year, a 22-year-old was given a six-month jail sentence for consulting the website on terrorism by a US academic who works for a Washington-based think tank.

Dozens of European intelligence agencies at the Dutch-led Counter-Terrorism Group (CTG) have also since launched an "interactive operative real-time information system" to track people suspected of being "jihadist troublemakers".

The new EU directive on combating terrorism follows a voluntary code of conduct drawn up by the European Commission and signed by major IT companies Microsoft, YouTube and Twitter in 2015.

The code obliges companies to review content flagged up as hate speech and incitement to violence within 24 hours and to take action.

Multiple tools and approaches

A so-called EU Internet Referral Unit (EU IRU) was set up in mid-2015 within the EU's Hague-based police agency, Europol, to help inform the internet firms of illegal content.

A year after its launch, internet platforms had removed over 91 percent of the unit's 11,000 referred messages. The year after, 82 percent of its 20,548 referrals were removed.

But the figures don't reveal how many of the referrals to member states led to the opening of an investigation. When pressed, the EU IRU is unable to respond.

The EU commission doesn't know either. Instead, the Brussels executive, as of last month, is telling firms to automate the removal and detection of the offending content without proper oversight.

Jan Ellermann, a senior specialist in the Europol Data Protection Office, explains in an article "Terror won't kill the privacy star" in the magazine ERA Forum published by the Academy of European Law, that the EU IRU is able to conduct further investigations.

"The EU IRU is not restricted to the referrals as such but has the possibility to conduct further analysis within the scope of Europol's mandate, i.e. to prevent and combat serious crime and terrorism," he writes.

As for the toolkit used, Ellermann notes that Europol is looking into multiple tools and approaches in order to crawl and harvest online content.

This includes conducting real time data correlation as well as real-time trends monitoring and custom application programming interface (API) data harvesting scripts, he said.

"For the purpose of more in-depth analysis of information obtained from publicly available sources including social media, Europol is also looking into tools for 'fingerprinting' voices, face recognition technology as well as audio to text converters with the ability to subsequently translate e.g. Arabic texts into English," he said.

When asked if such automated decision-making practices are in line with the legal framework for Europol, Ellermann replies that this is the case.

The Danish case

In Denmark, lawmakers have amended and pushed through laws that allow police to cast wide data nets.

Last year, Denmark's national police, Rigspolitiet, purchased the POL-INTEL platform from the American software company Palantir Technologies, as reported by Danish daily Information.

Palantir Technologies was behind XKeyscore, one of the more intrusive tools used by the US National Security Agency.

POL-INTEL combines and analyses information from different sources such as police databases, social media, CCTV cameras in public areas and automated number plate recognition operated by traffic patrols, paving the way to predict a crime before any offence has been committed.

After its purchase, Danish lawmakers amended national laws on personal data. They also adopted a new law on blocking homepages. Both allowed police to make full use of the platform.

If, or when, so-called 'Facebook arrests' are carried out in EU member countries this will be regulated on a national level.

In Denmark, the legal situation is anything but transparent for citizens, notes professor Henrik Udsen at Copenhagen University, in a memo published by thinktank Justitia.

Furthermore, the surveillance of Danish citizens on the net makes use of data retention rules based on an EU directive from 2006, which has been deemed in breach of fundamental rights by the EU court in Luxembourg.

The Court annulled the directive in 2014 for all member countries. This has created a legal vacuum, which has not yet been filled.

Predictive policing is not entirely new to member states. Chris Jones, a researcher for the London-based civil group Statewatch, has mapped out its use by British police forces.

These programs aim to predict where crimes in geographical zones are likely to take place. They do not single out possible suspects.

But social media changes this picture.

Now software programmes combine updates and comments on platforms like Facebook, public data sources, crime statistics, and CCTV monitoring.

Predictive policing can then be targeted on an individual level, as is extensively done by Israel in the occupied area of the West Bank.

The Israelis – 'before they know themselves'

Suad Zariquat, a 29-year-old Palestinian from a village outside Hebron, was arrested and handed a screenshot of a Facebook post featuring a picture of her husband, killed in a car crash, with the text, "May God unite us in heaven."

"I told the investigator we use the word 'shahda' (from "shahid", Arabic for "martyr") regularly. The fact that I wrote it on Facebook doesn't mean I'll do anything, even when someone dies in a car accident we call him shahid," she said.

Following the interrogation, Zariqat was issued with a four-month administrative detention order – detention without trial that is used as pre-emptive detention by Israel, mostly against Palestinians in the West Bank.

Israel's Intelligence Affairs Minister Yisrael Katz – who also serves as a member of the security cabinet – confirmed at his office in Tel Aviv that there is a possibility some Palestinians, arrested after having been marked out by the predictive system, were not actively and fully planning to carry out an attack - and perhaps did not decide to carry out an attack at the time of their arrest. Katz says this may happen in "borderline cases."

"Because of the unique system that was developed and put into operation here, hundreds of cases of attacks of this sort have been prevented. In the dilemma of whether or not to act – it could be that you also include borderline cases here," Katz added.

After a peak of 80 attempted attacks in October 2015, the number of attacks has since steadily declined. Since April 2016, the number of attempts has dropped to less than 20 a month, according to Israeli foreign ministry data.

"Arrests were made, terror attacks went down, that means these are the folks, no way around it. Statistically, these are the right people. If we missed this way or that way in a few cases? The cause is deserving (the means) – preventing terror attacks. It is not as if someone invented a way to haunt someone on Facebook," according to Katz.

A European connection

These Israeli experiences from the West Bank have not passed unnoticed by EU authorities.

In meetings with Israeli officials in 2016, the EU's counterterrorism coordinator, Gilles de Kerchove, expressed interest in adopting Israeli technologies, similar to the software platforms provided by US-based Palantir.

De Kerchove discussed at length the EU's plan to battle online incitement and its difficulty in finding enough speakers of Middle Eastern languages to manually monitor content.

In practice, European police forces have gained the same tactics and similar rights to use them as the Israeli forces have in the occupied areas of Palestine.

Such use in the EU either falls outside the scope of European fundamental rights, or is in breach of these rights, as is the case with data retention.

A new EU general data regulation, to be applied from 25 May 2018, carries a clear exemption for foreign and security matters – article 2.2 (a) and (b).

In foreign and security matters the EU has no legislative competence.