privacy impact assessment – Techdirt

CBP Updates Privacy Impact Assessment On License Plate Readers; Says Opting Out Involves Not Driving

from the just-five-years-of-surveillance-at-CBP-fingertips dept

The last time the CBP delivered a Privacy Impact Assessment of its automated license plate readers, it informed Americans as far as 100 miles inland that there’s really no privacy being impacted by the deployment of tech capable of capturing millions of plate images every year. If you don’t want to be on the CBP ALPR radar (which is shared with the DEA and other law enforcement agencies), don’t drive around in a properly licensed vehicle.

This impact assessment was not updated when the CBP’s ALPR vendor was hacked and thousands of plate photos — some of which contained photos of drivers and passengers — were taken from the vendor’s servers. The vendor was never supposed to be storing these locally, but it decided to do so and the end result was a lot of leakage the CBP assured everyone contained “no personal information” about the thousands of people and vehicles contained in the photos.

The CBP’s latest Privacy Impact Assessment [PDF] has been turned in and it’s more of the same thing. Want to dodge the feds’ plate readers? Stay off the road. (via Zack Whittaker/TechCrunch)

Privacy Risk: There is a risk that individuals who are not under suspicion or subjects of investigation may be unaware of or able to consent to CBP access to their license plate information through a commercial database.

Mitigation: This risk cannot be fully mitigated. CBP cannot provide timely notice of license plate reads obtained from various sources outside of its control. Many areas of both public and private property have signage that alerts individuals that the area is under surveillance; however, this signage does not consistently include a description of how and with whom such data may be shared. Moreover, the only way to opt out of such surveillance is to avoid the impacted area, which may pose significant hardships and be generally unrealistic.

Keep in mind that “impacted areas” aren’t just the places you expect Customs and Border Protection to be. You know… like at the border. It’s also up to 100 miles inland from every border. And “border” is also defined as any entry point, which includes international airports. So, that’s a lot of “impacted area.” There’s really no realistic way to dodge everywhere the CBP operates. And one would think actively dodging CBP-patrolled areas would be treated as suspicious behavior by CBP officers, which could result in far more than license plate records being abused.

The CBP says it will keep privacy violations to a minimum, though. It will only access its database if it has “circumstantial evidence.” So… feel good about that, I guess.

The CBP also says that it probably isn’t actually allowed to perform this collection but it will try its very best not to abuse its ALPR privileges.

There is a risk that CBP does not have the appropriate authority to collect commercially available LPR information from vehicles operating away from the border and outside of CBP’s area of responsibility.

No big deal, says the CBP. It will only retain information about vehicles crossing the border. Or connected to a “person of law enforcement interest.” Or connected to potentially illicit activity. Or for “identifying individuals of concern.” Just those things. And the data not connected to anything in particular will be held onto for a limited time.

Here’s the definition of “limited:”

CBP may access LPR data over an extended period of time in order to establish patterns related to criminal activity; however, CBP has limited its access to LPR data to a five-year period in an effort to minimize this risk.

Really the only thing limited about this is that it isn’t forever. The CBP’s vendor can hold onto this data forever, but CBP agents will only be able to search the last five years of records. Cached searches will be retained for up to 30 days if they’re of interest to the CBP or other law enforcement agencies with access to the database. Uninteresting searches will be dumped within 24 hours.

Five years is a lot of data. That’s not really a mitigation of privacy concerns. The CBP’s Impact Assessment pretty much says the agency plans to use this to reconstruct people’s lives. Its definition of “limited” — the one that means five years of searchable records — is its response to the privacy risk posed by the aggregate collection of travel records over a long period of time. Apparently, the CBP feels five years is long enough for it to do its job. But not long enough that the general public should be worried about it.

Filed Under: alpr, cbp, driving, license plate reader, lpr, privacy impact assessment

DEA Deploying Powerful Spyware Without Required Privacy Impact Assessments

from the disturbing-pattern-of-noncompliance dept

It’s not just the FBI that can’t seem to turn in its privacy-related paperwork on time. The FBI has pushed forward with its biometric database rollout — despite the database being inaccurate, heavily-populated with non-criminals, and without the statutorily-required Privacy Impact Assessment that’s supposed to accompany it. As of 2014, it hadn’t produced this PIA, one it had promised in 2012. And one that applied to a system that had been in the works since 2008.

Unsurprisingly, another federal law enforcement agency hasn’t felt too compelled to produce PIAs for privacy-impacting programs. As Joseph Cox reports for Motherboard, the DEA’s privacy paperwork is lagging far behind its intrusive efforts.

[T]he Drug Enforcement Administration did not carry out a Privacy Impact Assessment—a process which is typically designed to understand and minimize the privacy risks with a particular system or technology—when it bought and ultimately used malware from Italian surveillance company Hacking Team.

Hacking Team sells powerful malware and exploits, which very definitely screw with people’s privacy expectations — both the privacy they correctly (or incorrectly) believe they’re entitled to as well as their expectations of the government, which is supposed to keep citizens’ privacy expectations at the front of its mind. At least, everyone would like to believe the government is equally concerned about citizens’ privacy. That’s what these assessments are supposed to show: that the government has done what it can to minimize unwarranted intrusions.

But these are simply not to be found, to the surprise of no one.

Privacy experts say the news is consistent with the DEA’s repeated failure to complete such assessments around the agency’s surveillance operations.

One such privacy hound — EPIC — points out the DEA still hasn’t handed in a Privacy Impact Assessment on its Hemisphere program. This program put the DEA on the NSA’s level: embedded telco employees providing real-time access to millions of phone records. No warrants needed. No privacy assessment needed either, apparently, despite the program being in operation for more than 25 years at the point the DEA inadvertently disclosed it.

Jeramie D. Scott from the Electronic Privacy Information Center (EPIC) pointed to an April letter the organization sent to Congress urging a committee to scrutinize the DEA’s compliance with PIAs. In that letter, EPIC highlights that the DEA did not conduct a PIA for its use of the controversial Hemisphere program, in which agents can access AT&T call records without a warrant. EPIC also found through a Freedom of Information Act lawsuit that the DEA had not completed a PIA for the agency’s license plate reader database.

But the DEA has an excuse for not completing a PIA on purchased software exploits.

According to the DEA spokesperson, the agency did not carry out a PIA for RCS [Hacking Team’s Remote Control Software] because the agency does not produce them for commercial software products.

Ha! Define “commercial.” Just because the DEA can buy exploits and malware from a private company like Hacking Team hardly makes this spyware a “commercial software product.” While any number of nations with piss-poor civil rights records can avail themselves of Hacking Team’s offerings, your average consumer isn’t able to pick up a copy of RCS. Generally speaking, commercial software can be purchased by nearly anyone and a great many people are familiar with the software’s functions and capabilities. Remote-control spyware, purchased and deployed in secret, isn’t “commercial software.”

Nevertheless, the missing DEA PIAs will continue to go missing. There’s seemingly no one in the DOJ interested in holding these agencies accountable, and there are very few people above the DOJ interested in holding it accountable either. So, the lack of oversight trickles downhill and agencies become more powerful — and more of a threat to privacy — but give nothing back to the community (so to speak).

Filed Under: dea, privacy, privacy impact assessment, spyware

FBI Rolls Out Biometric Database On Schedule, Accompanying Privacy Impact Assessment Still Nowhere To Be Found

from the move-along,-nothing-to-see-but-millions-of-faces dept

The FBI has just announced that all systems are go for its biometric database.

The Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division announced today the achievement of full operational capability of the Next Generation Identification (NGI) System. The FBI’s NGI System was developed to expand the Bureau’s biometric identification capabilities, ultimately replacing the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) in addition to adding new services and capabilities.

This puts the agency pretty much right on schedule for its stated goal of “full operational capacity in fiscal year 2014.” As was to be expected from its earlier foot-dragging, the press release makes no note of the Privacy Impact Assessment that was supposed to precede the roll out.

The system itself has been in the works since 2008. Coincidentally, this is also the last time anyone at the FBI delivered a Privacy Impact Assessment. Since then, the database’s sweep and power has increased immensely. The PIA promised in 2012 still hasn’t been delivered and there’s no indication at the FBI’s website that one is right around the corner.

The release notes two other tools that will be folded into NGI.

As part of NGI’s full operational capability, the NGI team is introducing two new services: Rap Back and the Interstate Photo System (IPS). Rap Back is a functionality that enables authorized entities the ability to receive ongoing status notifications of any criminal history reported on individuals holding positions of trust, such as school teachers. Law enforcement agencies, probation and parole offices, and other criminal justice entities will also greatly improve their effectiveness by being advised of subsequent criminal activity of persons under investigation or supervision.

Rap Back sounds useful but its tracking of people in “trusted positions” does not include some very specific “trusted positions.” This 2012 presentation on Rap Back [pdf] clearly delineates between “trusted” civilians and those exempt from ongoing criminal background monitoring.

Here’s the relevant info in case you can’t read or see the pic: Rap Back’s ongoing monitoring and notification service only targets these individuals.

Non-criminal justice applicants, employees, volunteers, and licensees;

Individuals under the supervision or investigation of criminal justice agencies.

Note that “supervision” doesn’t mean employees of criminal justice agencies, but rather parolees and those on probation. Presumably, the criminal justice system will police itself, relying only on pre-employment screenings (if that). The problem is that employees with criminal history have been known to jump from agency to agency without their new employers knowing (or caring) about the incidents that forced the job change. Apparently, this is an acceptable situation despite the fact that the DOJ tends to ignore much of the misconduct that occurs in agencies under its command.

The Interstate Photo System sounds like license plates but is actually the FBI’s facial recognition database. A high error rate and a flood of too-lo-res-to-be-useful photos hasn’t stopped the FBI from pushing this system — basically a searchable mug shot repository that includes millions of non-criminals just for the hell of it. To reach its lofty goals (52 million pics by 2015), the FBI is including generic federal employee records. The potential for the system to return non-criminals in searches for “candidates” remains high, but the FBI has reassuringly stated that it bears no legal responsibility if any of the 18,000 law enforcement agencies that have access arrest the wrong person.

An unvetted system that can be accessed by thousands is a huge problem. The FBI will join the NSA in hoarding massive amounts of irrelevant data with very little oversight. The hoarding mentality has taken over and everyone involved is hesitant to implement stringent minimization and disposal policies because of the irrational fear that something discarded might be needed later.

If and when the privacy assessment arises, I expect it will be filled with paragraphs that underplay the potential civil liberties violations, lots of explanations as to why there’s no expectation of privacy in anything the government collects and some mumbling around the edges about minimization and access control.

While I realize that it’s inevitable that the march of technology would lead to this sort of thing — and while it does have several legitimate uses — my biggest problem with these advances is that the FBI and others continually stress that it’s the only way to keep up with evolving criminal behavior. The justifications deployed point to a constantly-rising criminal threat that has no basis in reality. I cannot buy into the narrative that the best way to combat crime (or terrorism, for that matter) is vast, untargeted databases.

The FBI focuses most of its assets on two opponents: drugs and terrorism. The first is exacerbated by years of bad legislation and policies, and for all the time and money spent, the war doesn’t seem to be on the way to being won. The latter has devolved into the FBI’s proprietary con game, wherein it sets up a mark or two and takes them down. Now, it’s inviting the nation’s law enforcement agencies to run searches on a database populated with non-hit data and leave them holding the bag when the inevitable occurs.

An updated privacy assessment isn’t going to make this a better idea, especially when the FBI (and the law enforcement agencies that feed info to it) are blithely unconcerned that current background check databases are filled with people who were never criminally charged. An internal change is needed — one that makes these agencies more accountable to the public for screwing up their lives. But no one up top is interested in fixing what’s already broken. They just want to roll out new databases that grab more info. If the FBI insists this is the only way to fight crime effectively, then it needs to exercise the sort of vigilance and internal accountability it’s never shown in the past. That starts with a detailed privacy assessment, delivered in a timely fashion. And it’s already failed this small step.

Filed Under: biometric database, doj, fbi, fingerprints, privacy, privacy impact assessment

FBI Refuses To Let Public Know How Its Drone Usage Affects Their Privacy

from the I've-got-plenty-of-nothing-and-nothing's-plenty-for-[REDACTED] dept

The FBI’s production of privacy impact assessments (PIAs) lags far behind its deployment of privacy-impacting technology. From facial recognition software to Stingray devices to its drone usage, the FBI has always violated privacy first and assessed the damage later. In some cases, it hasn’t bothered to assess the impact at all, despite repeated assurances to questioning lawmakers that the required report (and it is required) is (forever) nearing completion.

Its biometric database, which pulls in photos from all over the place for its facial recognition software to peruse, rolled out without the required PIA in 2012. Two years later, the FBI is still promising Eric Holder that the PIA will be completed literally any month now, even as it hopes to have the system fully operational by the end of the 2014 fiscal year.

It has supposedly cranked out a PIA for its drone use — again lagging far behind its first reported deployments in “late 2006.” But the public apparently isn’t allowed to know how the agency’s drone use impacts its privacy. Instead of placing the assessment on its website for public viewing (the default method), the FBI has stashed it behind every shady government entity’s favorite FOIA exception: b(5).

Here’s the entirety of the “responsive documents” returned to MuckRock.

As Shawn Musgrave reports, the FBI withheld EVERYTHING.

Federal law requires the FBI to assess surveillance technologies for potential privacy and/or civil liberties issues. These technology assessments are typically prepared for public posting and review. When it comes to drones, however, the FBI has redacted these privacy reviews in full…

Even the cover sheets have been withheld. The reviews are recognizable only from their titles as provided on the disc of responsive documents sent in May: “1218644-0 – Drone PIA – Drone PIA.PDF” and “1218644-0 – Drone PIA – Drone PIA-Drone PIA Section 2.PDF.”

While the DOJ does allow for redactions and the withholding of documents for certain reasons (“classified, sensitive otherwise protected information”), it also requires responding agencies to file a document stating their reasons for withholding PIAs. The FBI also withheld this document — assuming it even exists.

If I was a betting man, I’d say it’s going to take a lawsuit to get this assessment released. The government’s track record on transparency is horrific, even without the specter of “terrorism” or “drugs” being cited in the FOIA refusal. Since the FBI deals with both, it’s a given that it will fight to withhold information that concerns its surveillance programs’ impact on the public from the same public whose privacy it’s invading. A Privacy Impact Assessment should never be private. While some information will probably need to be redacted, the complete refusal to release this document should be taken as an insult by the public, and as a further indicator of the government’s inherent untrustworthiness.

Filed Under: doj, drones, fbi, pia, privacy, privacy impact assessment