{ "id": "IN11143", "type": "CRS Insight", "typeId": "INSIGHTS", "number": "IN11143", "active": true, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 601824, "date": "2019-07-10", "retrieved": "2019-07-10T22:12:04.944356", "title": "Exposed Data Highlights Law Enforcement Use of Selected Technologies ", "summary": "Official use of image capturing and facial recognition technology\u2014particularly by law enforcement\u2014has been the subject of recent congressional attention. Specifically, there is interest in facial recognition\u2019s accuracy, the databases against which faces are compared, which individual data are subject to collection and retention, how agencies ensure data security, and public notification regarding the use of facial recognition and other image capturing technology. Many of these issues were highlighted following a recently acknowledged breach of certain data held by a U.S. Customs and Border Protection (CBP) subcontractor. The breach was not of a CBP network. Notably, available information on developments related to the breach remains incomplete. Early speculation about the nature, origins, extent, and implications of the data breach may change, and some media reporting may conflict with official statements.\nOn June 10, 2019, CBP revealed that images of faces and license plates were compromised in a \u201cmalicious cyberattack\u201d on one of its subcontractors that provides automated license plate recognition (LPR) technology to the agency. CBP, in its December 2017 privacy impact assessment (PIA) of LPR technology, noted that data generated from the fixed and mobile LPRs can include the license plate number; digital images of the vehicle\u2019s make, model, and license plate; vehicle registration location; and time, date, and location information about the images captured. 
It notes that images may also capture the environment surrounding the license plates, including vehicle drivers and passengers, and that \u201cLPR technology is designed to collect information from all vehicles that pass the camera.\u201d\nData Exposure\nCBP suggested, but did not confirm, that Perceptics\u2014a firm providing LPR systems\u2014was the subcontractor involved in the breach. In late May, Perceptics verified that its network had been compromised, and its breached data were reportedly offered\u2014for free\u2014on the dark web. It is not clear whether the breach confirmed by Perceptics is the same one reported by CBP. \nA hacker using the name Boris Bullet-Dodger first alerted the media to the Perceptics hack and reportedly provided certain news sites with direct links to the breached data that had been posted on the dark web. Later, a transparency collective, Distributed Denial of Secrets, posted some of the documents to the surface web as well. Reporters who scoured through the data posted online indicated that in addition to images of faces and license plates, the cache of hacked data includes \u201cdetailed schematics, confidential agreements, equipment lists, budget spreadsheets, internal photos and hardware blueprints for security systems.\u201d However, no photos from passports or travel documents were reportedly compromised.\nFederal Law Enforcement\u2019s Response\nA number of issues arise when events such as this occur, including how the federal government will react and which agencies will respond. A 2016 Presidential Policy Directive (PPD-41) outlined how the government responds to significant cyber incidents, which includes (1) threat response, (2) asset response, and (3) intelligence support. 
The Department of Justice (DOJ), through the Federal Bureau of Investigation (FBI) and National Cyber Investigative Joint Task Force (NCIJTF), is the designated lead on threat response, which involves investigating and attributing specific cyber activities to particular individuals or entities as well as facilitating intelligence and information sharing. CBP noted that it is \u201cworking closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident\u201d involving the breach of its subcontractor\u2019s data. The FBI has not officially attributed the hack, and neither CBP nor the FBI has released official information on specific actions the federal government may take in response to the breach.\nFederal Law Enforcement Use of Face Data\nIn the course of carrying out their law enforcement duties, various federal law enforcement agencies make use of image capturing, including LPR, and facial recognition technologies. For instance, as part of its responsibility to develop and implement an automatic biometric entry and exit control system for noncitizen travelers into and out of the country, CBP is using a variety of technologies to assist with biometric matching. An article in the Washington Post stated that \u201cCBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facial-recognition program designed to track the identity of people entering and exiting the [United States].\u201d Notably, it is unclear whether any images exposed in the recent breach of CBP data may be used in CBP\u2019s facial recognition program. CBP is not the only federal agency capturing images containing faces; the FBI, Drug Enforcement Administration, and U.S. Immigration and Customs Enforcement, among others, rely on such information as well. 
\nThe breach of CBP image data held by a subcontractor highlights ongoing questions about the vulnerability of facial image data captured by the government. Specifically, there are concerns around the collection, use, and protection of these images. These concerns have manifested in actions such as city, state, and federal level efforts to prohibit or bound companies\u2019 and law enforcement\u2019s use of facial recognition technology.\nIn light of these issues, policymakers may continue oversight of federal law enforcement acquisition and use of technologies such as facial recognition and LPR systems as well as agencies\u2019 storage and protection of data. Moreover, they may consider benefits to law enforcement alongside risks to data privacy and security. Policymakers may also examine agencies\u2019 oversight of contractors involved in developing or maintaining these technologies. For instance, some have noted that \u201c[b]reaches of government contractors have been a persistent security issue.\u201d Indeed, while the breach discussed here involved CBP data, the data had purportedly been downloaded to a subcontractor\u2019s network\u2014reportedly in violation of CBP security and privacy rules\u2014where it was subsequently exposed in the breach. 
As such, lawmakers may question what measures federal agencies have in place to ensure the security of data used by or in the possession of their contractors.", "type": "CRS Insight", "typeId": "INSIGHTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "https://www.crs.gov/Reports/IN11143", "sha1": "48dd6a74c51568bd7e64778da24713ad6b00dea2", "filename": "files/20190710_IN11143_48dd6a74c51568bd7e64778da24713ad6b00dea2.html", "images": {} }, { "format": "PDF", "encoding": null, "url": "https://www.crs.gov/Reports/pdf/IN11143", "sha1": "17961e937c4c76853e467669afd624e1512cf42c", "filename": "files/20190710_IN11143_17961e937c4c76853e467669afd624e1512cf42c.pdf", "images": {} } ], "topics": [] } ], "topics": [ "CRS Insights" ] }