Tag: dhs

Federal employees stole data from Homeland Security

Three employees of the inspector general's office for the Department of Homeland Security (DHS) are accused of stealing a computer system that contained around 246,000 employees' personal data. That information included names, social security numbers and dates of birth, USA Today reports, and one of the suspects is also said to have had in their possession around 159,000 agency case files. The data breach was reported to DHS officials in May and acting DHS Secretary Elaine Duke decided in August to notify the employees whose information was included in the stolen data.

However, the personal information doesn't appear to be the three employees' main target. Instead, investigators say that the employees were working on a knockoff version of the agency's proprietary case management software, which they intended to market and sell to other federal offices. The stolen data was likely going to be used to help them develop and test the software. In a report sent to Congress, the office of the inspector general said it had, "seized all known servers and other devices potentially containing exfiltrated data in the possession of the subjects."

According to the New York Times, one of the suspects has left the inspector general's office while the other two have been suspended as the investigation continues. And USA Today reports that the employees affected by the data breach will be offered an 18-month credit monitoring subscription.

Other government agencies that have been impacted by data breaches in recent years include the Securities and Exchange Commission, the federal government's Office of Personnel Management, the Internal Revenue Service and the Office of the Comptroller of the Currency (OCC). Like this breach, the OCC's data was also taken by an employee.

The inspector general's office has been updating congressional committees about the breach since it was first discovered. The DHS and the US attorney's office for the District of Columbia are both investigating the breach.

Via: New York Times

Source: USA Today


Homeland Security wants to scan your face at the border

Maybe Apple has the right idea when it comes to the future of identification, with Face ID built into the new iPhone X. The Department of Homeland Security wants to scan the faces of people entering or leaving the country, without needing to have anyone get out of their cars. The DHS's Silicon Valley office is hosting an "industry day" on November 14th to find ways to do just that, even if folks are wearing sunglasses and hats or the driver is looking away from the cameras.

"To avoid having travelers in vehicles stop at border crossings, which could create significant traffic delays, U.S. Customs and Border Protection (CBP) is working to implement a face biometric entry-exit system in a way that poses the least impact on travel and trade," said the call for presentations. "This call is looking for innovative solutions to capture facial recognition quality photos from travelers in order to facilitate identity checks without requiring occupants to leave the vehicle."

In the call for proposals, DHS says that photos taken with such a system "will be used to validate the identities of the occupants and document their entry or exit from the United States." The paper also said that photos must be packaged and transmitted to "compare against DHS holdings to validate occupants' identities and document entry/exit." Which sounds a lot like a database of people leaving and entering the country — a requirement that privacy-minded individuals and advocacy groups will likely take issue with. As noted by Gizmodo, DHS has a clause in the request for proposals that asks for "innovative approaches that allow for anonymization of U.S. citizen traveler data who are not 'in-scope' for biometric exit and privacy controls that limit the collection of such information."

Via: Gizmodo

Source: FedBizOpps


Fear of the US government led me to censor myself on Twitter

The day I've been dreading for months is drawing near. On October 18th, the Department of Homeland Security's modified system of records is scheduled to go into effect. The updated policy would affect all US immigrants, whether they are new, existing or permanent residents or even naturalized citizens, and how they are identified by the government. More accurately, it would allow the DHS, Border Patrol and other immigration authorities to collect social media handles as part of an individual's official record. As someone who's working in the US on a visa, I was immediately worried about how it would affect my standing.

The reason the DHS gave for the update is that it is beginning to conduct "more immigration actions in an electronic environment" and that the U.S. Citizenship and Immigration Services (USCIS) is adjudicating "more immigration benefits and requests for action in its USCIS Electronic Immigration System." Basically, people are increasingly applying online, and the changes would reduce the existing reliance on paper records. What the DHS wants to do is be able to officially identify you by your online persona in addition to existing attributes like your name, birthday and address. The update would also add an individual's "country of nationality; country of residence; the USCIS Online Account Number; social media handles, aliases, associated identifiable information, and search results" to one's records.

A DHS spokesperson said in a statement, "This amendment does not represent a new policy." The notice published on September 18th was "an effort to be transparent (and) comply with existing regulations" and "due to updates in the electronic immigration system." Multiple requests for clarity on what would change for immigrants -- whether they would have to fill out new forms asking for their social media handles or what would happen for those with private profiles, were not answered.

I was raised in Singapore, where political criticism can get you sued (if interpreted as libel), arrested (if seen as inciting violence) or even jailed. At my first full-time job, as a marketing executive for a local oil and gas company, my boss told me not to speak in meetings -- playing dumb was always better than potentially making a mistake, he said. For most of my life, I learned to swallow my feelings. My mother's mantra was "Keep your opinions to yourself," and she sternly repeated it as we made our way to family gatherings and social functions.

USA-ELECTION/TWITTER

When I first came to live in the US, in 2008, I was surprised by how liberally people expressed themselves. I learned that individuals' thoughts have value but also, more important, that we are entitled to them. The notion of freedom of speech was new to me, but as I observed the thriving arts and culture in American society, I understood what liberty was worth. Just as people grow and improve by accepting and learning from different opinions, so a country flourishes by embracing and encouraging open discourse.

I got used to the freedom to air my thoughts on any topic in public forums like Twitter and Instagram. I still refrain from saying anything that would make me look insensitive or give away too much personal information, though. Part of me also continues to fear the wrath of the Singapore government; I worry about what could happen to me when I return to visit family should I unwittingly say something too critical. But for the most part I feel carefree. My posts tend to be a mix of my own articles, random musings, funny videos or frustrating stories about poor customer service and bad PR.

Something changed a few months ago, after I first heard of the DHS' plans to incorporate social media into its visa application process. I started to second-guess myself. I avoided weighing in on topics that would show my political leanings. I dutifully wished my followers a happy Fourth of July, shared the results of the Super Bowl and retweeted posts honoring the fallen victims of 9/11. I sent these tweets mostly out of goodwill, but a small part of me felt it was better to look like I participate in American activities.

I started posting what I imagined a immigration officer would like to see, rather than show an unfiltered version of my thoughts. Truth is, Chinese New Year matters more to me than Fourth of July does, and I didn't really care if the Patriots won. I love America, and I love many of its festivities and people, but I can't change the fact that I grew up elsewhere. And honestly, I shouldn't have to.

I continued to tweet, trying mostly to stay on neutral topics. Occasionally, I let myself express anger at institutions or people, but I only feel safe ranting about issues that people agree on regardless of political views.

I don't want to let my fear get in the way of me expressing myself, but it already has.

But it's what people don't see that I found the most telling. I agonized over whether to soften a jokingly violent tweet about New York's subway system. I didn't want someone to come across those thoughts, assume I was serious, and decide I'm a dangerous individual. Who knows what an immigration officer might think? Eventually, I toned down the language and added qualifiers like "I guess" to make it clear I was merely musing.

There are times I've avoided posting altogether. I kept quiet during the white nationalist rally in Virginia and generally don't comment on things Donald Trump does. But things came to a head when I found myself holding back from sharing negative tweets about American gun laws and political gridlock after the Las Vegas shootings. As my feed filled up with statistics showing how the US and its (lack of) gun control policies have led to massive loss of lives, I longed to retweet and share. But I didn't. Instead, I vented in private messages to trusted friends. I felt like I was back in Singapore.

I'm torn. I don't want to let my fear get in the way of me expressing myself, but it already has.

Maybe I'm being paranoid. A DHS spokesperson said the agency already does "and continues to monitor publicly-available social media to protect the homeland." They might already know everything they need to about me from years of unfiltered tweeting. But when your job, life and future depend on how strangers in some government agency perceive you, wouldn't you be careful too? Yes, my profile is public and anyone can already access it and judge me. But it's one thing to allow random people online to decide if they like you -- it's almost debilitating when your beliefs or personality are used to officially determine if you can visit a country.

The good news is, based on the thousands of comments on the proposal's forum, an overwhelming majority of people are against the upcoming update. Many of them argue that the move would be a violation of the First and Fourth Amendments. Some even claim this is a slippery slope toward a Big Brother–like future with the government monitoring the social media of citizens and immigrants alike. It's still unclear exactly how the changes would affect us, or how they are new, given the vague responses from the USCIS and the DHS. At this point though, my social media is no longer an accurate representation of the person I actually am. It's some facade I've created for the powers that be. Which really makes monitoring it useless anyway.


Americans are horrified by DHS plan to track immigrants on social media

Starting October 18 the Department of Homeland Security will collect and store "social media handles, aliases, associated identifiable information, and search results" in the permanent files of all immigrants. This will include new immigrants, in addition to permanent residents and naturalized citizens.

There are around 43 million foreign-born people living in the US right now. And even if you don't personally know someone who'll be made into a terrifying dossier for Trump's anti-immigrant footsoldiers, you'll most certainly show up in those millions of files somewhere as a "like" or other piece of tangential social metadata.

USA-IMMIGRATION/WALL

People who have commented on the Act are comparing it to round-up lists and interment camp dossier building. Considering the Trump administration's plans for using data to hunt immigrants at our borders, those commenters might not be too far off. And what they don't know is that non-immigrants are going to be collateral damage.

The "Modified Privacy Act System of Records" will also include: "publicly available information obtained from the internet, public records, public institutions, interviewees, commercial data providers, and information obtained and disclosed pursuant to information sharing agreements." Commercial data suppliers are companies like Equifax, and "people search" vendors like Intelius and Axicom.

That "people search" websites are involved in the data collection should make use worry for many reasons. With a quick search of your name on any given "people search" website like Intelius or WhitePages, you'll see your name, date of birth, names of family members, current and past addresses, your phone number -- and much more.

U.S. Citizenship and Immigration Services Office (USCIS)

People search sites get their data from public records and corporations selling your information to them (including third-party fine print agreements you agree to by using businesses such as eBay). The information they collect sometimes depends on the site's Terms of Use regarding sharing information with third parties, as well as your privacy selections on that site (e.g., your Facebook likes and interests, your friends, your tweets, the work information you provide to LinkedIn).

The new dossiers on immigrants will include all kinds of information gleaned both directly and indirectly from social media profiles. And worse yet, much of the information might not even be accurate. In a now-removed post from Intelius's blog, the company stated:

In a new age of modern permanent records, popular sites like Facebook and Twitter are the face of a hidden world of commercial data brokers. Moreover, not all information is accurate, and even if consumers are aware, they are unable to erase or correct their personal records.

Intelius conceded in a 2009 SEC filing that the information that it and similar companies sell is often inaccurate and out of date. For example, when I reviewed my people search files before deletion, my first-ever roommates were listed in multiple places as my nearest relatives.

Assistant professor at the University of Denver Sturm College of Law, César Cuauhtémoc García Hernández, told press, "The fact that information gleaned from Facebook or Instagram or other social media networks might not be reliable doesn't mean that it will preclude DHS from using it as a basis for excluding people from the United States."

If you're still wondering what might be in these dossiers, go check out an article on The Guardian in which a woman gets a copy of all 800 (!) pages of her Tinder history (an option only available to EU citizens). It's not what's in her Tinder history that applies here, rather it's what that history contains about a person's activity around that one account that will sober you up.

In addition to her Tinder activity, the company collected her Facebook "likes," her photos from Instagram (even after she deleted the associated account), and much more.

MATCH GROUP-RESULTS/

The Act itself avoids detailing both the method of collection, and security of storage for these expanded dossiers. Perhaps we can expect the DHS and US Citizenship and Immigration Services (USCIS) to protect these records, which will undoubtedly include plenty of US citizens, as thoroughly as it safeguards its other precious data stores.

The US government tried for a while to convince the public that the "metadata" in its Hoovering up of our records was no big deal. At RSA in 2015 Congressman Mike Rogers told the giant security conference's attendees more than once that metadata in bulk surveillance collection "is just the 'To: From:' like the front of an envelope." I suspect we can expect the same kind of run-around (or worse) if this administration is put on the spot.

It's going to be messy, and make no mistake: It will affect all of us. Chances are good that you have friend, co-worker, or family member born outside of the US. Attorney Adam Schwartz told BuzzFeed that this will also affect all US citizens who communicate with immigrants. A close read of the document shows that finding out what is in one's file will be incredibly difficult and correcting any bad info nigh impossible.

It's kind of like they're leveraging Facebook, and all the others, into policing our borders in a wholly different way than a blunt-force "Muslim ban." It's far, far more insidious.

The "Modified Privacy Act System of Records" is set to go into effect on October 18th, though it's in an open comment period until then. The comments so far are overwhelmingly opposed to the changes; the words "horrified," "shocked," and "appalled" are frequent.

Some commenters openly state fears about how this affects their children, others talk about where this is leading us as citizens at the mercy of a data-grabbing government. And there are more than a few mentions of 1930s Germany and Japanese internment.

This is happening. Americans and those who want to be Americans are scared. Those affected by the DHS plan to gather social media aren't stereotypes: they're people, and they're us. It's easy to feel disempowered by this disgusting system, and the overwhelming juggernaut of greedy data-dealers like Facebook -- at whose feet I believe we can squarely lay blame for way too many aspects of our current situation.

But I hope that we'll all look at this hideous and contorted future together, and fight it.

Images: BoJorge Duenes / Reuters (border wall), Getty Images (USCIS), Mike Blake / Reuters (Tinder icon)


US bans use of Kaspersky software in federal agencies

The US government has officially banned the use of Kaspersky security software in all of its federal agencies. Kaspersky has been under suspicion for cyberespionage for several months now, especially due to its ties to the Russian government and the fact that the company is required under Russian law to comply with Russian intelligence agency requests.

According to a statement provided by the Department of Homeland Security to the Washington Post: "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security."

Kaspersky Lab, on the other hand, firmly denies the accusations, stating that it "doesn't have any inappropriate ties with any government" and that there's "no credible evidence" to back up the "false allegations." It also complained that it's being treated unfairly, and that it's never helped any government in cyberespionage.

The US government has already removed Kaspersky from its approved vendors list back in July amid speculation that it's involved with Russian authorities. Now the government is going so far as to ban it altogether, giving federal agencies three months to remove the software. A draft version of the Senate's National Defense Authorization Act has banned the Department of Defense from using it as well, though The Washington Post notes that the Defense Department doesn't generally use it anyway.

Source: Washington Post


ICE insists it doesn’t use Stingrays to track undocumented immigrants

In a letter (PDF), the acting director of the Immigration and Customs Enforcement (ICE) said that the agency doesn't use its Stingray mobile call-intercepting devices while enforcing immigration laws. It does deploy them when pursuing criminal suspects, however, and individual agents might use them while acting in a joint task force with other federal officers.

"However, such use must be conducted in a manner that protects rights afforded by the United States Constitution, and in compliance with applicable statutory authorities, DHS policy and ICE policy," wrote acting ICE director Thomas Homan.

Homan penned the letter in response to an inquiry by Senator Ron Wyden (D-OR). He confirmed that ICE uses Stingrays in accordance with the DHS's October 2015 directive on cell-intercepting tech, which require a warrant before deploying the devices. Wyden similarly reached out to the US Attorney General's office to clarify about how Stingray use affects ordinary Americans, Ars Technica points out. That letter apparently hasn't received a public response.

Knowing these requirements, the Feds' recent use of Stingray devices to track down a restaurant worker from El Salvador sounds within legal bounds. He was undocumented, but also guilty of a previous hit-and-run, for which he was deported. That wasn't the only crime mentioned in the Stingray warrant, though: Another was unlawful re-entry after deportation (specifically, violating 8 USC 1326a), citing when he came back to the US illegally after getting booted out. It stands to reason that any illegal return to the US after deportation might be enough to justify use of Stingrays in future warrants.

Via: Ars Technica

Source: Thomas Homan to Sen. Ron Wyden (PDF)