A contractor that was hacked, exposing biometric data collected on vehicles and individuals crossing into the United States, might face criminal charges in the incident, a Customs and Border Protection official told lawmakers Wednesday.
“I’m not opposed to biometric technology and recognize it can be valuable to homeland security and facilitation,” said House Homeland Security Committee Chairman Bennie Thompson (D-Miss.). “However, its proliferation across DHS raises serious questions about privacy, data security, transparency, and accuracy. The American people deserve answers to those questions before the federal government rushes to deploy biometrics further.”
“Not only does federal law authorize DHS to use biometrics to verify identities, it requires CBP to collect biometric entry and exit data for all foreign nationals,” said Ranking Member Mike Rogers (R-Ala.). “This requirement has been the long-standing bipartisan mandate. Recent technological advancements have finally made it possible.”
CBP Office of Field Operations Deputy Executive Assistant Commissioner John Wagner stressed to lawmakers that “CBP is only comparing the picture taken against photos previously provided by travelers to the U.S. government for the purposes of international travel” and “this is not a surveillance program.”
“As far as our partnerships with the industry stakeholders, CBP has developed standards of the business requirements that our partners have all agreed to if their camera is sending a photo to CBP: the business requirements clearly stipulate they cannot keep the photos,” he said.
Wagner added that “we are solving a very difficult challenge — biometric exit.”
“We’re solving it by focusing on improving the overall travel experience. We’re building a tokenless, efficient, secure international travel experience,” he said. “Airlines and cruise lines have reported reduced boarding times and increased passenger satisfaction using the system. The system allows us to build a world-class travel system in the U.S. This will be the envy of the world as we try to keep pace with a record-breaking growth in international travel.”
Thompson asked about last month’s revelation that images of travelers and vehicles collected by CBP at unspecified locations and illicitly transferred to subcontractor Perceptics’ network were stolen in a data breach, noting his “concern about how we control the data we collect.”
“What we were doing with that subcontractor is we were testing their camera on the U.S.-Mexico land border in a standalone pilot system,” Wagner said. “So it wasn’t integrated into the main CBP network and we were testing the taking of the photographs and the license plates and the ability to take a picture enough for a person in a vehicle and whether that would be matchable.”
“In this case, apparently, as far as I understand, the contractor physically removed those photographs from the camera itself and put it on to their own network which was then breached. The CBP network was not hacked,” he said, adding “that is why our relationship has been severed with them and we are conducting an investigation.”
Wagner said the contractor “potentially” may face criminal or civil action in the case.
“Depending on what the investigation — and our Office of Professional Responsibility is investigating this, the IG is investigating this. Depending on the circumstances, how the data was taken and the intentions of why and, you know, how it was used there potentially could be criminal actions,” he said.
When a data breach happens, contractors are “supposed to report it to us almost immediately” and it’s also reported to Congress “if it meets a certain threshold,” Wagner clarified.
“What protocols does CBP have in place to oversee contractor and subcontractor data security practices?” asked Rep. Xochitl Torres Small (D-N.M.).
“They go through background checks, they are vetted, they are cleared, they are trained on use of the systems that they are going to work on. As far as having the audit controls on, this was a standalone pilot so it was outside of our normal network and we apparently did not have the same level of controls and audit capabilities on that because it was a standalone, closed system,” Wagner said.
“Those are things being put into place now on all of those systems to make sure you can’t connect a portable media drive on that and extract information. You know, our main network has these protocols on them but we didn’t have them on this type of a system.”
Rep. Lou Correa (D-Calif.) asked Wagner whether “the way facial recognition is being used by your department is affecting, unduly burdening for travelers — race, gender, nationality.”
“No, in a review of our data we are not seeing any significant error rates that are attributable to a specific demographic and that is why we have also partnered with NIST to come in and review our data and help us look at it and make sure,” Wagner replied.
“We are reviewing internally our own data and we are not seeing noticeable discrepancies in that, but we have partnered with NIST and throughout the summer and fall we will be examining our data very closely to make sure that we are not unduly hurting people of a specific demographic.”
Charles Romine, Information Technology Laboratory director at the National Institute of Standards and Technology, told lawmakers that “it is unlikely that we will ever achieve a point where every single demographic is identical in performance across the board, whether that is age, race, or sex, but we want to know just exactly how much the difference is.”
Rep. Mike McCaul (R-Texas) highlighted the BITMAP program administered by ICE to collect the passport information and fingerprints of individuals from certain countries transiting through Central or South America on their way to the U.S. border. “Can you in this setting, I don’t know if that’s possible, give us some indication of the numbers of special interest aliens that have been stopped in this program and also known or suspected terrorists?” he asked.
“I would have to get back to you on that. I don’t have any today,” Wagner responded.
“How significant is it?” McCaul asked.
“It is significant,” Wagner said. “I mean, it is an absolute vulnerability that as we have seen terrorists can exploit and it’s a vulnerability we need to address.”