advertisement

The recent hack of a U.S. Customs and Border Protection subcontractor’s database confirmed fears that biometric data—such as photo IDs and fingerprints—are vulnerable to hacking.

Due to weak oversight, we don’t really know how tech companies are using facial recognition data

[Photo: Donna Burton/U.S. Customs and Border Protection]

BY DJ Pangburnlong read

For years, activists in the privacy and security communities have warned that biometric data, including photo IDs, fingerprints, and other information, could be hacked by bad actors. This past week, these fears were confirmed as the U.S. Customs and Border Protection agency announced that hackers had gained access to a database containing traveler photo IDs and license plate images that’s managed by subcontractor Perceptics. In recent years, CPB has asked foreign travelers for facial recognition data, fingerprints, and other biometric information, so it’s possible that such information may also be at risk of being obtained by hackers.

If facial recognition (FR) data is compromised, along with other personal information like names and social security numbers, a person’s identity can easily be stolen for financial fraud. Beyond this type of criminal activity, there is the specter of physical risks—such as revealing an individual’s location to a stalker, or handing over home security FR data to a burglar. And, of course, if a government maintains a database of face scans, it can be used to identify and control activists, which is how China is now surveilling its Muslim Uighur minority community.

Agencies are rushing to collect as much information as they can, and it’s outpacing their ability to protect the data, says Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation. The same holds true for biometric vendors marketing their systems to private sector companies.

“To be honest, they should’ve seen this coming, considering that India’s biometric system had been breached just a year before,” Maass says. “We’ve also seen law enforcement misplacing trust in vendors, for whom public safety and cybersecurity may not be their primary concerns.”

Maass expects breaches of surveillance systems like facial recognition tech to continue to grow. Several years ago, the Electronic Frontier Foundation found that automated license plate readers were exposed online, a problem that reporters recently confirmed is proliferating.

“If CBP’s systems were breached, then what threats lie ahead for all these surveillance systems run by local law enforcement around the country that don’t have the resources of the federal government?” says Maass. “Perceptics has been going around using its CBP contracts to establish credibility. We don’t yet know who else contracted with them based on that endorsement.”

Jay Stanley, a senior policy analyst at the American Civil Liberties Union (ACLU), is uncertain if biometric companies are using face data obtained in the private sector beyond simply identifying people. But, he says, this data could be sold to chains of retail stores, whose facial recognition systems could identify customers the moment they set foot in the building. The system could use video analytics to log other information, like how long they stay in the store and where they focused their attention.

PluggedIn Newsletter logo
Sign up for our weekly tech digest.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Privacy Policy

ABOUT THE AUTHOR

DJ Pangburn is a writer and editor with bylines at Vice, Motherboard, Creators, Dazed & Confused and The Quietus. He's also a pataphysician, psychogeographer and filmmaker. More


Explore Topics