DHS Watchdog Says CBP's Drone Program Is An Insecure, Possibly Rights-Violating Mess
from the your-tax-dollars-thrown-wildly-into-the-air dept
The CBP has drones. How many, it's not really sure. It depends on when you ask. Or how you ask. The EFF's FOIA lawsuit against the agency caused it to suddenly "remember" it had deployed drones 200 more times than it had previously disclosed.
The CBP's drones are a lending library for US law enforcement agencies. An audit of the program found the CBP's drones were more often used by others than by the agency owning them, despite this agency being charged with patrolling thousands of miles of US border -- something that might be aided by some additional eyes in the skies.
But the eyes were worthless. The Inspector General concluded it was an airborne boondoggle. The CBP wasn't malicious, just inept. As the IG saw it, the half-billion slated for drone use would be better spent on more personnel and ground-based surveillance.
Nevertheless, the drones continue to fly. When not straying far from the border to aid inland law enforcement agencies, the agency's unmanned aircraft are still aloft, engaging in surveillance no one can really say for certain is 100% legal. The Inspector General's latest report [PDF] shows the CBP has done very little to ensure its drone deployments are secure or legally-compliant.
CBP has not ensured effective safeguards for surveillance information, such as images and video, collected on and transmitted from its UAS. CBP did not perform a PTA [Privacy Threshold Analysis] for ISR Systems [Intelligence, Surveillance, Reconnaissance] used in the UAS [Unmanned Aircraft Systems] program to collect data because CBP officials were unaware of the requirement to do so. Failure to include ISR Systems in CBP’s information technology inventory enabled system deployment without CBP Privacy Office oversight. Without a privacy assessment, CBP could not determine whether ISR Systems contained data requiring safeguards per privacy laws, regulations, and DHS policy.
This is what's going to have to pass as the "good news" in "good news and bad news." There only appears to be bad news. CBP didn't implement security controls to safeguard its surveillance systems, including a failure to control access to ground control stations housing collected surveillance footage/data. The long string of screw ups listed in this report are the result of serious structural failure.
These information security deficiencies occurred because CBP did not establish an effective program structure, including the leadership, expertise, staff, training, and guidance needed to manage ISR Systems effectively.
This leaves the CBP's drone program susceptible to threats both external and internal. Additionally, the lack of a privacy assessment means the CBP can't say its surveillance doesn't violate civil liberties or local laws. CBP officials seemed to be entirely unaware of the need to perform an impact assessment prior to deployment. But the officials did agree it was someone else's fault they didn't know how to do their job. The IG saw the buck being passed by everyone it spoke to. The final resting place for the oft-passed buck was the outside contractor who set up the ISR system. When in doubt, blame the civilians -- a strategy that makes no sense when you're discussing the lack of compliance with DHS policy and federal regulations.
As the IG sees it, the ISR program operates without authorization or approval. DHS requirements have yet to be met by the CBP, so every one of its hundreds of drone flights have been, at the very least, policy violations.
The CBP also could not provide the IG with a security assessment report for its ISR system, suggesting this has never been done in the program's half-decade-plus of existence. Then there are other system-critical odds and ends the CBP can't seem to get a grip on. Unauthorized media devices/USB drives are being plugged into system-critical hardware. Software patches are delivered irregularly and inconsistently. No one appears to be tasked with monitoring system events on ISR systems and a plethora of outdated software is still in use, which means some system-critical software hasn't been patched in months or years and possibly may never receive another update.
Also described as "inadequate:" personnel management, physical access controls, staffing levels, and systems training.
So far, so government. But this a government agency with access to plenty of funding and advanced tech. It has plenty of tools but uses them poorly. Despite being told its unmanned systems were mostly useless, the CBP continues to pour money on the problems it won't fix, rather than follow the IG's last list of recommendations. It has access to plenty of surveillance tech, but won't provide proper training, perform mandated assessments, or even put together a half-assed organizational chart for its drone operations.
The CBP has shown it can't be trusted with the stuff that's given to it to use in its border patrolling efforts. Sadly though, the response from Congress year after year has been to give it more money and stuff to use poorly, unwisely, and possibly illegally.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, cbp, civil liberties, dhs, drones, inspector general, surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
See also: local police departments and military equipment.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Trump, as always, has the perfect solution
[ link to this | view in chronology ]
'We should care... why again?'
The long string of screw ups listed in this report are the result of serious structural failure.
I'm not quite sure that 'screwing up' is the proper description of what's going on, so much as 'displaying indifference to'.
'Screwing up' implies that they tried but didn't do it right, however from what it sounds like they didn't even get that far, and instead just shrugged off any requirements as something they didn't care about and didn't need to bother with.
So long as they keep getting plenty of money despite their indifference, why would they spend more effort than they have to?
[ link to this | view in chronology ]
Re: serious structural failure
Yup -- serious structural failure in our entire Federal Government.
These CBP abuses are but minor symptoms of an entirely dysfunctional and scary government power structure. Another dozen Federal agencies are 10 times worse than CBP -- the NSA makes CBP look like choir boys.
If you can't see the fundamental problem here-- then you can't fix it or defend youself against it.
[ link to this | view in chronology ]
Re: Re: serious structural failure
Especially after this current administration and congress has been voted in the party and group that cry the most about the 'evil federal government' is the party that does everything it can to expand its power and remove any accountability.
[ link to this | view in chronology ]
Re: Re: Re: serious structural failure
[ link to this | view in chronology ]
Blame
Might as well blame the local drugstore for violating someone's privacy because they sold you the film. How does this make any sense at all? "The guy at Walgreens never said I couldn't sneak into people's houses at night and photograph all their stuff!"
[ link to this | view in chronology ]
Re: Blame
"Civilians" refers to people not currently in the military. This includes law enforcement.
Last I checked, the border patrol was not a branch of the armed services.
[ link to this | view in chronology ]
Re: Re: Blame
"ci·vil·ian
səˈvilyən/Submit
noun
plural noun: civilians
a person not in the armed services or the police force.
synonyms: noncombatant, nonmilitary person, ordinary citizen, private citizen; informalcivvy
"family members and other civilians were quickly evacuated from the post"
INFORMAL
a person who is not a member of a particular profession or group, as viewed by a member of that group.
"I talk to a lot of actresses and they say that civilians are scared of them""
[ link to this | view in chronology ]
Re: Re: Re: Blame
"Civilian refers to persons who are not members of the armed forces and is used chiefly in contrast to military"
Police are part of the civil service. They take a civil service test. They enforce civil law, not martial law.
Do we have a problem with militarization of the police? Maybe we should stop thinking they're the army. Confusing the two is pernicious. I think my new project is to research when law enforcement started getting shoehorned into the formal definition, instead of the informal definition.
[ link to this | view in chronology ]
Re: Re: Re: Re: Blame
According to Webster's DICTIONARY (the actual dictionary, not a book of synonyms), it means:
1 : a specialist in Roman or modern civil law
2a : one not on active duty in the armed services or not on a police or firefighting force
2b : outsider sense 1
And outsider 1 is:
1 : a person who does not belong to a particular group
So civilian meaning someone not in our group IS an acceptable usage according to the dictionary, and is not a recent change like 'literal'. It's been that way for as long as I've been alive.
[ link to this | view in chronology ]
Re: Re: Blame
[ link to this | view in chronology ]
and if this security being used is so good, why not use it to replace known security problems.
[ link to this | view in chronology ]
What a summary...
Six different initialisms 13 times in four sentences... People have been making fun of this nonsense since the New Deal. Why does it still happen?
[ link to this | view in chronology ]
Re: What a summary...
Expand all the initialisms.
Which paragraph do you prefer now? ; ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
CBP and abbreviations
Usually I knock sites because they'll list a title and then the abbreviation, and then not mention the agency at all any more in the article. In that case the abbreviation is unnecessary.
But here... It's necessary to understand who you're talking about.
[ link to this | view in chronology ]
Re: CBP and abbreviations
They've been in the news often enough and recently enough that I wouldn't think it really necessary to give the expansion of the initialism - unless you know of another entity whose name is abbreviated the same way, which might result in uncertainty about which is meant?
[ link to this | view in chronology ]
[ link to this | view in chronology ]