This Is Exactly What Privacy Experts Said Would Happen

CBP’s trove of biometric data is catnip for bad actors.

A traveler scans their fingerprints at an airport checkpoint.
Shannon Stapleton / Reuters

U.S. Customs and Border Protection announced yesterday afternoon that hackers had stolen an undisclosed number of license-plate images and travelers’ ID photos from a subcontractor. Privacy and security activists have long argued that as law enforcement vacuums up more data without legal limits, the damage of a possible breach scales up. The lack of restrictions on data collection is why, for many experts, this hack feels like an inevitability.

According to an emailed statement to journalists from CBP, an unnamed subcontractor transferred copies of license-plate images and travelers’ photos from federal servers to its own company network, without CBP’s authorization. Hackers then targeted and successfully breached the subcontractor’s network. CBP reports that its own servers were unharmed by any cyberattack.

CBP doesn’t name the subcontractor, but The Washington Post reports that when CBP officials emailed its public statement to reporters, the subject line read “CBP Perceptics Public Statement.” The Tennessee-based company Perceptics, which furnishes license-plate readers in 43 U.S. Border Patrol checkpoint lanes across Texas, New Mexico, and Arizona, confirmed a breach in late May. CBP hasn’t confirmed whether these incidents are the same attack, but both the U.K. outlet The Register and Vice reported finding scores of traveler data on the dark web in the hours after that breach, including financial information, photos, and location information.

CBP claims it has already conducted a search, but hasn’t found any of the stolen images on the dark web, where hackers sometimes post stolen information for sale. In its statement to The Atlantic, CBP said it’s working with law enforcement to continue the search and survey the full extent of the damage. It hasn’t yet commented on the scope of the breach or offered specifics on the data that were stolen. Perceptics did not immediately respond to a request for comment.

“I would be cautious about assuming this data breach contains only photo data,” said Chad Loder, the CEO of Habitu8, a cybersecurity firm that trains other companies on security awareness. The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. “If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data,” Loder told me.

It’s not just the breadth of data federal agencies collect that privacy experts find worrying; it’s also the number of people exposed. For example, CBP reported in April that it has used biometric data to catch 7,000 travelers who overstayed their visa so far. Now consider that the Department of Homeland Security estimates that only 1.47 percent of visa holders overstay their limits, and that only a small minority of travelers in the United States are visa holders. In order to come up with 7,000 needles in the haystack, CBP would need to have surveilled millions more—people who are under no suspicion of committing any crime.

By 2023, the Department of Homeland Security aims to use facial recognition on 97 percent of departing air passengers. There are, to this day, no laws preventing it from doing so.

The breach comes only two weeks after privacy scholars and activists testified for hours on the dangers of facial-recognition technology before the House Committee on Oversight and Reform. During the hearing, some panelists called for a nationwide ban on the technology, citing privacy concerns and the risk of a widespread data breach. While divided on whether to step up regulation or fully ban the technology, the experts agreed that the time for reform is now.

The more information the government collects, the more attractive that information is to bad actors, and the more people have to be involved in storing and securing it—all of whom have their own associated risk vectors. At the scale that DHS hopes to achieve, that means any vulnerability could prove disastrous. Andrew Ferguson, a law professor at the University of the District of Columbia who testified at the May hearing, told me that accuracy issues compromise the reliability of facial recognition, and current legislation is far too weak to prevent misuse. “The technology is not ready for prime time,” he said. “And as was just demonstrated with the hack, the security systems are not ready for prime time either.”

Sidney Fussell is a former staff writer at The Atlantic, where he covered technology.