A couple of weeks ago, I wrote about the Equifax and First American Financial Corp breaches. I noted that the situation was out of hand and that even the curmudgeons at Irreal were ready to put aside their distaste for government intrusion into our affairs and demand that they mandate severe and certain penalties for companies that collect our information and then fail to protect it.
It turns out, though, that the government isn’t any better at safeguarding the data they collect—often involuntarily—from us. Customs and Border Protection has been rushing to put its program to gather biometric data into place but apparently hasn’t devoted much thought to protecting that data. The CBP announced that on May 31, 2019 they learned that one of their subcontractors had suffered a breach and lost a database of photos of travelers and scans of license plates. The extent of the loss isn’t known but, of course, the CBP is “taking the incident very seriously.”
“Very seriously” is the same old refrain we always hear from people who couldn’t be bothered to protect the information they gather about us. I haven’t read anything about anyone being fired or about contractors being terminated[1]. No, “very seriously” means “We’ll pretend to do something but really won’t. Now move along and don’t bother us anymore. We’ve got data to collect.” And, indeed, CBP is pushing to expand their biometric data collection programs significantly.
Understand that this isn’t data collected from known suspects or troublemakers. It’s data from everyday citizens just like you and me who happened to be unlucky enough to use an airport that already had the program in place. It’s bad enough they’re collecting it but it’s intolerable that once they did they couldn’t be bothered to safeguard it. It’s fine to blame “a contractor” but we here at Irreal say, “You collect the data, you own the responsibility to protect it.”
Remember this story the next time the FBI or some other government agency says they need a private key to your data but don’t worry, they’re the government and can protect it. They can’t. If not even the ultra-secure NSA can do a credible job of protecting their data, you can be sure the other agencies won’t be able to.
Footnotes:
[1] Quite the contrary, the CBP tried to protect the identity of the offending contractor but couldn’t manage even that competently. See the linked Wired article for the details.