On Monday, officials with Customs and Border Protection revealed that cyber-attackers had stolen photos of tens of thousands of travelers crossing the United States border. According to the Washington Post, the photos—which included pictures of people traveling in vehicles as well as license plates—came from a database built by a government subcontractor.
The Post discovered strong indications that this contractor was working to develop advanced algorithms that could connect images of people to their license plates through facial recognition techniques. The breach immediately renewed privacy concerns long raised by civil liberties advocates.
“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” Neema Singh Guliani, senior legislative council for the American Civil Liberties Union, said in a statement emailed to Pacific Standard. “This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”
In February, when congressional Democrats and President Donald Trump clashed in the government shutdown battle over border wall funding, Guliani co-wrote a post on the ACLU’s website exhorting Congress not to support a “smart wall” approach to border security. In the post, she expressed concern about the government’s ability to utilize new technologies—like facial recognition—while also implementing the proper privacy safeguards.
The government’s collection of biometric data on the border has gone far beyond just facial recognition: In May, I wrote about a pilot program the Department of Homeland Security introduced to DNA test asylum seekers arriving on the southern border. Though the DHS said the rapid DNA tests would only be administered with prior consent and that the results wouldn’t be stored in a database, privacy advocates still raised the alarm. As Vera Eidelman, staff attorney with the ACLU’s Speech, Privacy, and Technology Project, told me in May: “The fact that [the government] is even building out this surveillance infrastructure—using the pretext of the border—should trouble us all.” Eidelman added that it’s “not hard to imagine” various government agencies creating a centralized government database.”
Among the concerns about border authorities expanding surveillance infrastructure is the question of how that technology could be used on American citizens far from the actual border. Though many people might think of the U.S. border as simply lines that divide the U.S. from Mexico and Canada, CBP’s jurisdiction expands far beyond that. According to federal law, the “border zone” extends 100 miles inland from every border and every coast, meaning cities like San Francisco and Philadelphia are within CBP’s mandate. As I reported in April:
This gives CBP enormous power and leeway. More than two-thirds of Americans—about 200 million people—live in the border zone. Every inch of Michigan, Florida, Hawaii, and Maine lies within it. This means CBP agents can run operations, pursue people of interest, and put up checkpoints in neighborhoods where the majority of Americans live.
In her post in February, Guliani noted that CBP has operated surveillance drones and collected aerial data far from the physical coast or border.