DHS’s Customs and Border Protection drone surveillance privacy and security failures

Would it surprise you that a government agency collecting data via drones, data such as images and videos, failed to consider privacy implications of that data? You probably are not shocked that privacy was overlooked regarding this type of surveillance, but apparently U.S. Customs and Border Protection (CBP) officials were shocked to know it was required. According to an audit by the Office of Inspector General, CBP officials didn’t bother to do a privacy threshold analysis because they “were unaware of the requirement to do so.”

fail stampTheDigitalArtist (CC0)

But hey, why stop at a single, albeit huge, privacy fail when you can fail at security too? That’s right, when it comes to CBP’s drone surveillance program, the OIG detected failures in IT security controls as well as failures which put CBP’s unmanned aircraft systems and operations at risk. In fact, the audit (pdf) by the Department of Homeland Security’s Office of Inspector General resulted in 10 recommendations to improve CBP’s unmanned aircraft systems program.

Not only did it not occur to CBP to perform a privacy assessment for the Intelligence, Surveillance, and Reconnaissance (ISR) Systems used in the unmanned aircraft systems (UAS) program, but the agency also failed to include ISR systems in CBP’s IT inventory; that meant the system was deployed without any CBP Privacy Office oversight. Without accessing the privacy of the surveillance systems, then CBP was unable to determine if the images and video collected and transmitted from the drones needed safeguards as are required by privacy laws, regulations and even DHS policy.

“Various CBP officials” claimed they lacked awareness of privacy requirements before deploying drone surveillance systems. At one point, the OIG was told there was no need for a privacy analysis as the surveillance system did not collect and store personally identifiable information (PII). The next person in charge claimed that no one told him a privacy assessment was required. The OIG noted that a contractor was in charge “given difficulties hiring a government employee.”