DHS Watchdog Says CBP's Drone Program Is An Insecure, Possibly Rights-Violating Mess

from the your-tax-dollars-thrown-wildly-into-the-air dept

The CBP has drones. How many, it's not really sure. It depends on when you ask. Or how you ask. The EFF's FOIA lawsuit against the agency caused it to suddenly "remember" it had deployed drones 200 more times than it had previously disclosed.

The CBP's drones are a lending library for US law enforcement agencies. An audit of the program found the CBP's drones were more often used by others than by the agency owning them, despite this agency being charged with patrolling thousands of miles of US border -- something that might be aided by some additional eyes in the skies.

But the eyes were worthless. The Inspector General concluded it was an airborne boondoggle. The CBP wasn't malicious, just inept. As the IG saw it, the half-billion slated for drone use would be better spent on more personnel and ground-based surveillance.

Nevertheless, the drones continue to fly. When not straying far from the border to aid inland law enforcement agencies, the agency's unmanned aircraft are still aloft, engaging in surveillance no one can really say for certain is 100% legal. The Inspector General's latest report [PDF] shows the CBP has done very little to ensure its drone deployments are secure or legally-compliant.

CBP has not ensured effective safeguards for surveillance information, such as images and video, collected on and transmitted from its UAS. CBP did not perform a PTA [Privacy Threshold Analysis] for ISR Systems [Intelligence, Surveillance, Reconnaissance] used in the UAS [Unmanned Aircraft Systems] program to collect data because CBP officials were unaware of the requirement to do so. Failure to include ISR Systems in CBP’s information technology inventory enabled system deployment without CBP Privacy Office oversight. Without a privacy assessment, CBP could not determine whether ISR Systems contained data requiring safeguards per privacy laws, regulations, and DHS policy.

This is what's going to have to pass as the "good news" in "good news and bad news." There only appears to be bad news. CBP didn't implement security controls to safeguard its surveillance systems, including a failure to control access to ground control stations housing collected surveillance footage/data. The long string of screw ups listed in this report are the result of serious structural failure.

These information security deficiencies occurred because CBP did not establish an effective program structure, including the leadership, expertise, staff, training, and guidance needed to manage ISR Systems effectively.

This leaves the CBP's drone program susceptible to threats both external and internal. Additionally, the lack of a privacy assessment means the CBP can't say its surveillance doesn't violate civil liberties or local laws. CBP officials seemed to be entirely unaware of the need to perform an impact assessment prior to deployment. But the officials did agree it was someone else's fault they didn't know how to do their job. The IG saw the buck being passed by everyone it spoke to. The final resting place for the oft-passed buck was the outside contractor who set up the ISR system. When in doubt, blame the civilians -- a strategy that makes no sense when you're discussing the lack of compliance with DHS policy and federal regulations.

As the IG sees it, the ISR program operates without authorization or approval. DHS requirements have yet to be met by the CBP, so every one of its hundreds of drone flights have been, at the very least, policy violations.

The CBP also could not provide the IG with a security assessment report for its ISR system, suggesting this has never been done in the program's half-decade-plus of existence. Then there are other system-critical odds and ends the CBP can't seem to get a grip on. Unauthorized media devices/USB drives are being plugged into system-critical hardware. Software patches are delivered irregularly and inconsistently. No one appears to be tasked with monitoring system events on ISR systems and a plethora of outdated software is still in use, which means some system-critical software hasn't been patched in months or years and possibly may never receive another update.

Also described as "inadequate:" personnel management, physical access controls, staffing levels, and systems training.

So far, so government. But this a government agency with access to plenty of funding and advanced tech. It has plenty of tools but uses them poorly. Despite being told its unmanned systems were mostly useless, the CBP continues to pour money on the problems it won't fix, rather than follow the IG's last list of recommendations. It has access to plenty of surveillance tech, but won't provide proper training, perform mandated assessments, or even put together a half-assed organizational chart for its drone operations.

The CBP has shown it can't be trusted with the stuff that's given to it to use in its border patrolling efforts. Sadly though, the response from Congress year after year has been to give it more money and stuff to use poorly, unwisely, and possibly illegally.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th amendment, cbp, civil liberties, dhs, drones, inspector general, surveillance