Customs & Border Protection Fails Baseline Privacy Requirements for Surveillance Technology

U.S. Customs and Border Protection (CBP) has failed to address six out of six main privacy protections for three of its border surveillance programs—surveillance towers, aerostats, and unattended ground sensors—according to a new assessment by the Government Accountability Office (GAO).

In the report, GAO compared the policies for these technologies against six of the key Fair Information Practice Principles that agencies are supposed to use when evaluating systems and processes that may impact privacy, as dictated by both Office of Management and Budget guidance and the Department of Homeland Security’s own rules.

A chart of the various technologies and how they comply with FIPS

These include:

  • Data collection. “DHS should collect only PII [Personally Identifiable Information] that is directly relevant and necessary to accomplish the specified purpose(s).”
  • Purpose specification. “DHS should specifically articulate the purpose(s) for which the PII is intended to be used.”
  • Information sharing. “Sharing PII outside the department should be for a purpose compatible with the purpose for which the information was collected.”
  • Data security. “DHS should protect PII through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.”
  • Data retention. “DHS should only retain PII for as long as is necessary to fulfill the specified purpose(s).”
  • Accountability. “DHS should be accountable for complying with these principles, including by auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.”

These baseline privacy elements for the three border surveillance technologies were not addressed in any “technology policies, standard operating procedures, directives, or other documents that direct a user in how they are to use a Technology,” according to GAO’s review.

CBP operates hundreds of surveillance towers along both the northern and southern borders, some of which are capable of capturing video more than seven miles away. The agency has six large aerostats (essentially tethered blimps) that use radar along the southern border, with others stationed in the Florida Keys and Puerto Rico. The agency also operates a series of smaller aerostats that stream video in the Rio Grande Valley of Texas, with the newest one installed this fall in southeastern New Mexico. And the report notes deficiencies with CBP’s linear ground detection system, a network of seismic sensors and cameras that are triggered by movement or footsteps.

The GAO report underlines EFF’s concerns that the privacy of people who live and work in the borderlands is violated when federal agencies deploy militarized, high-tech programs to confront unauthorized border crossings. The rights of border communities are too often treated as acceptable collateral damage in pursuit of border security.

CBP defended its practices by saying that it does, to some extent, address FIPS in its Privacy Impact Assessments, documents written for public consumption. GAO rejected this claim, saying that these assessments are not adequate in instructing agency staff on how to protect privacy when deploying the technologies and using the data that has been collected.

In its recommendations, the GAO calls on the CBP Commissioner to “require each detection, observation, and monitoring technology policy to address the privacy protections in the Fair Information Practice Principles.” But EFF calls on Congress to hold CBP to account and stop approving massive spending on border security technologies that the agency continues to operate irresponsibly.

LikedLiked