Privacy of biometric data in DHS hands in doubt, inspector general says
CBP failed to protect 184,000 facial images of cross-border travelers before massive data breach last year, according to report
An inspector general’s report is casting doubt on the Department of Homeland Security’s ability to protect its massive repository of personal data from hackers amid a push by the Trump administration to vastly expand its collection of biometrics through the use of facial recognition and other tools.
The report, released by the DHS inspector general’s office on Sept. 23, found that U.S. Customs and Border Protection failed to protect a collection of 184,000 facial images of cross-border travelers prior to a massive data breach last year. At least 19 of the images, which were collected through a pilot program at the Anzalduas Port of Entry in Texas, were later posted on the dark web.
The report found that Perceptics, a subcontractor hired to help CBP collect biometric data on border crossers, violated DHS privacy policies when an employee used an unencrypted USB drive to transfer a set of facial scans to its own networks without the agency’s authorization or knowledge. The data set was later obtained by hackers during a ransomware attack on Perceptics’ servers.
“This incident may damage the public’s trust in the government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry,” the inspector general’s report said.
If that’s the case, the report has arrived at a tricky moment for DHS, which earlier this month proposed new regulations that would require both U.S. citizens and foreign nationals to submit biometric data in order to apply for a variety of immigration services, such as visas for themselves or family members. The proposal would allow for the collection of facial, iris and voice scans, along with DNA samples.
DHS already maintains the largest database of personal biometric data in the entire federal government, according to the inspector general’s report. It contains information on more than 250 million people, which is shared with the Pentagon and the Justice Department. Still, DHS says the further collection of biometric data, rather than biographic data, will help crack down on immigration fraud.
“Biographic data possess inherent inconsistencies that could result in immigration benefits being granted to ineligible applicants or imposters,” DHS said in its proposal. “Using biometrics for identity verification and management in the immigration lifecycle will help ensure that an individual’s immigration records pertain only to that individual.”
But privacy advocates have expressed concerns.
“Collecting a massive database of genetic blueprints won’t make us safer,” Andrea Flores, the American Civil Liberties Union’s deputy director for immigration policy, said in a statement. “It will simply make it easier for the government to surveil and target our communities and to bring us closer to a dystopian nightmare.”
Of particular concern is the length of time that the regulations would allow DHS to retain personal biometric data, Saira Hussain, a civil liberties attorney with the Electronic Frontier Foundation, told CQ Roll Call. For instance, DHS could require biometric data from an initial visa applicant until that individual becomes a naturalized U.S. citizen, a process that often takes years.
The retention period raises the possibility for misuse, Hussain said.
“When the government collects very sensitive and unique data, like in the case [of the 2019 data breach] or in the case of the proposed regulations for biometric collection, there’s great risk of future misuse by the government or a future breach by potentially malicious actors,” Hussain said.
After last year’s breach, the ACLU was among a group of organizations that called on Congress to investigate how DHS collects and maintains personal biometric data. Sen. Ron Wyden, D-Ore., said the government should explain how it plans to prevent future breaches of biometric information.
“If the government collects sensitive information about Americans, it is responsible for protecting it — and that’s just as true if it contracts with a private company,” Wyden told The Washington Post last year. “These vast troves of Americans’ personal information are a ripe target for attackers.”
CBP officials concurred with a set of three recommendations in the inspector general’s report for increased data protections but disagreed with the report’s central finding.
“CBP recognizes the sensitive nature of the data needed to fulfill its mission obligations and takes seriously requirements related to ... protected data,” the agency said in response to the report. “In short, the main issue of the incident was a subcontractor who disregarded the terms of their contract and normal ethical business principles.”
The agency requires employees of contractors and subcontractors to protect personal data and undergo annual data privacy training, the agency said. Perceptics no longer contracts with CBP, the report said.
Nevertheless, DHS has acknowledged the risk of future data breaches as it seeks to expand its collection of biometric data.
“DHS recognizes that some individuals who submit biometrics [or] DNA could possibly be apprehensive about doing so and [may have] concerns germane to privacy, intrusiveness, and security,” DHS said of its latest plan. “In terms of this proposed rule, data security is an intangible cost, and we do not rule out the possibility that there are costs that cannot be monetized.”