This Is Exactly What Privacy Experts Said Would Happen

This Is Exactly What Privacy Experts Said Would Happen
CBP’s trove of biometric data is catnip for bad actors.
Jun 11 2019

U.S. Customs and Border Protection announced yesterday afternoon that hackers had stolen an undisclosed number of license-plate images and travelers’ ID photos from a subcontractor. Privacy and security activists have long argued that as law enforcement vacuums up more data without legal limits, the damage of a possible breach scales up. The lack of restrictions on data collection is why, for many experts, this hack feels like an inevitability.

According to an emailed statement to journalists from CBP, an unnamed subcontractor transferred copies of license-plate images and travelers’ photos from federal servers to its own company network, without CBP’s authorization. Hackers then targeted and successfully breached the subcontractor’s network. CBP reports that its own servers were unharmed by any cyberattack.

CBP doesn’t name the subcontractor, but The Washington Post reports that when CBP officials emailed its public statement to reporters, the subject line read “CBP Perceptics Public Statement.” The Tennessee-based company Perceptics, which furnishes license-plate readers in 43 U.S. Border Patrol checkpoint lanes across Texas, New Mexico, and Arizona, confirmed a breach in late May. CBP hasn’t confirmed whether these incidents are the same attack, but both the U.K. outlet The Register and Vice reported finding scores of traveler data on the dark web in the hours after that breach, including financial information, photos, and location information.

CBP claims it has already conducted a search, but hasn’t found any of the stolen images on the dark web, where hackers sometimes post stolen information for sale. In its statement to The Atlantic, CBP said it’s working with law enforcement to continue the search and survey the full extent of the damage. It hasn’t yet commented on the scope of the breach or offered specifics on the data that were stolen. Perceptics did not immediately respond to a request for comment.

“I would be cautious about assuming this data breach contains only photo data,” said Chad Loder, the CEO of Habitu8, a cybersecurity firm that trains other companies on security awareness. The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. “If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data,” Loder told me.

It’s not just the breadth of data federal agencies collect that privacy experts find worrying; it’s also the number of people exposed. For example, CBP reported in April that it has used biometric data to catch 7,000 travelers who overstayed their visa so far. Now consider that the Department of Homeland Security estimates that only 1.47 percent of visa holders overstay their limits, and that only a small minority of travelers in the United States are visa holders. In order to come up with 7,000 needles in the haystack, CBP would need to have surveilled millions more—people who are under no suspicion of committing any crime.

By 2023, the Department of Homeland Security aims to use facial recognition on 97 percent of departing air passengers. There are, to this day, no laws preventing it from doing so.

The breach comes only two weeks after privacy scholars and activists testified for hours on the dangers of facial-recognition technology before the House Committee on Oversight and Reform. During the hearing, some panelists called for a nationwide ban on the technology, citing privacy concerns and the risk of a widespread data breach. While divided on whether to step up regulation or fully ban the technology, the experts agreed that the time for reform is now.


Comments closed.

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s