Breached CBP contractor may have been training biometric facial recognition algorithm
Facial images of travelers and license plate data have been stolen from a U.S. Customs and Border Protection (CBP) subcontractor, which appears to have been trying to train a facial biometric algorithm with CBP data it was not supposed to have, drawing immediate criticism from privacy advocates and concerned lawmakers. It is unclear at this time if the breach, first reported by The Washington Post, includes facial images captured for biometric matching as part of CBP’s Biometric Exit program.
An official, speaking anonymously, told The Post that the subcontractor was attempting to use the images to train its algorithms to match license plates with the faces of car occupants, which was outside of the approved use of the data. The images came from the Canadian border, according to the source, and a state actor is not suspected inside the agency.
Images of fewer than 100,000 people have been breached as part of an attack on the federal contractor, a statement from CBP said. While the agency did not identify the subcontractor to the Post, it did provide a statement titled “CBP Perceptics Public Statement.” Perceptics is a company based in Tennessee that provides license plate readers, and has claimed to be CBP’s sole provider of automatic license plate readers for U.S. land borders. Perceptics was hacked in May, and The Register reported thousands of files, including images the publication presumed were of license plates, were available on the dark web.
CBP says in its statement that none of the image data stolen has been identified on the dark web, so it may be a separate incident. The agency also says its own network was unaffected. No passport or other travel document data was stolen, CBP says, and “no images of airline passengers from the air entry/exit process were involved.”
The statement also says that the contractor violated CBP’s policies and mandatory security and privacy protocols in its contract by transferring images to its company network.
Senator Ron Wyden, who has called for the use of facial biometrics by CBP and law enforcement to be scrutinized by the Government Accountability Office (GAO), said the government now has a burden to explain how it will prevent a repeat.
“This incident should be a lesson to those who have supported expanding government surveillance powers – these vast troves of Americans’ personal information are a ripe target for attackers,” said Wyden in a statement reported by TechCrunch.
“The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” says ACLU Seior Legislative Counsel Neema Singh Guliani.
The Hill reports that the House Homeland Security Committee, meanwhile, is preparing to hold hearings into the use of biometrics by the Department of Homeland Services (DHS), of which CBP is a part. Committee Chairman Bennie Thompson (D-Miss.) announced the hearing, and criticized DHS for the breach.
“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly,” Thompson said. “Unfortunately, this is the second major privacy breach at DHS this year. We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public.”
The House Committee on Oversight and Reform has held its first two hearings into the use of facial recognition, and expressed bi-partisan support for the rapid enactment of regulation on the technology.