The government is collecting Americans' faces, but it doesn't know how to protect them. An announcement from Customs and Border Protection that a hacker had accessed photographs of travelers in a "malicious cyber attack" shows how important it is that the government better safeguard its citizens' most sensitive data. But it also raises the question of whether authorities should be stockpiling that data at all.
The customs agency told reporters it could not release the name of the subcontractor it blamed for leaving vulnerable pictures of the license plates and faces of people in vehicles who recently entered and exited the country - and then included the subcontractor's name in the document title of its public statement. Those license plates and faces themselves, it seems, were handled with similar carelessness. And though CBP says the data has not appeared on the "dark Web," a cache of breached files from the implicated firm was being offered online last month as a free download.
Customs and Border Protection has a lot to answer for, including why, if its subcontractor violated its security strictures, it did not catch the shortcomings. Government vendors are alluring targets for bad actors, but a convoluted procurement process can render technologies outdated by the time they actually are used. Agencies will either have to step up their systems for auditing partners' security, or they will have to stop allowing third parties to handle sensitive information. Agencies must also improve their own security practices, especially as data gathered by one agency travels through interconnected databases across government.
There's another option, too: limit the creation of such tantalizing troves of citizens' information. CBP says the hack disclosed this week compromised fewer than 100,000 people. That's small comfort because the Department of Homeland Security's ambitions for data collection are much larger. CBP had gathered the later-stolen images at a land port, but the agency is working on a "biometric entry-exit system" for air travelers - in layman's terms, systematic face scans. The aim is to run the technology on almost all international passengers, or more than 100 million travelers per year. Faces are not the only information gathered at scale: Last week, the State Department announced that the United States would collect the social media usernames of 15 million visa applicants every year.
The line from officials is that the security benefits of these efforts outweigh the privacy concerns, but security is exactly what's at risk when the government cannot take care of the information it hoovers up - and, oftentimes, retains for years or even decades. No system can ever be entirely invulnerable, which is one reason among many that agencies must offer a more compelling rationale than they're in the habit of providing for amassing Americans' data. But before we even get that far, they must show they can do a better job at keeping that data safe.