Data privacy and security is more important than ever before. Despite existing policies, the number of data breaches is on the rise and unencrypted personal information is getting into the wrong hands.
In 2016, the EU adopted the General Data Protection Regulation (GDPR) to combat the problem of data security. Since then, other data protection laws have gone into effect and businesses all over the world have adopted stricter standards for collecting and storing data. It seems logical to assume the US government would be equally concerned with data privacy, but a recent problem with its drone surveillance program says otherwise.
Drone Surveillance Requires Privacy Compliance
The US government has been using drones for surveillance for quite some time.Pogo.com reported on a research study that found at least 910 state and local public safety agencies have purchased drones – 599 being law enforcement agencies.
Knowing the privacy implications of drone surveillance, you would think government agencies would be on top of data privacy and security regulations, but that’s not the case. In 2018, we learned that the US Customs and Border Protection (CBP) officials were using drones to collect data (images and videos) without considering privacy implications.
An audit conducted by the Office of Inspector General revealed that CBP officials failed to perform a privacy threshold analysis for the Intelligence, Surveillance, and Reconnaissance Systems used to collect data because they were “unaware of the requirement.” A privacy assessment would have determined whether the systems contained data requiring safeguards under privacy laws, regulations and Department of Homeland Security policy.
The drone surveillance program also failed at managing IT security controls that put the actual drones at risk.
Lack of Awareness is Problematic
The stories coming from officials are in conflict. One official claims nobody told him a privacy assessment was required. Another official told the team a privacy analysis was unnecessary since the drone surveillance system didn’t store personally identifiable information.
While it might be true that officials were unaware of the privacy requirements for collecting data, the inadequate oversight is inexcusable.
Somebody should have initiated a communication from the top down, informing the entire team of the privacy safeguard requirements. Unfortunately, the entire project lacked responsibility and accountability. There was no management in place. Nobody was deemed responsible for funding and maintenance.
The main problem, pointed out by CSO Online, is that the drone surveillance systems were never added to CBP’s IT inventory, which created the privacy oversight. Program officials admitted:
“These information security deficiencies occurred because CBP did not establish an effective program structure, including the leadership, expertise, staff, training, and guidance needed to manage ISR Systems effectively. As a result, ISR Systems and mission operations were at increased risk of compromise by trusted insiders and external sources.”
If the government can’t be counted on to protect the privacy of data collected without our consent, that’s not going to sit well with the public.
Dropping the ball on data privacy is out of character for the CBP. The CBP is normally on top of its game and does not let anything slip through the cracks. It sets up extremely detailed processes for everything it manages. For example, CBP takes extreme precautions when letting travelers in and out of the US.
Official-esta.com describes the complex ESTA approval process, noting that: “when you apply for an ESTA online, the system instantaneously crosschecks the biographic information supplied by applicants against multiple databases, including the TSDB (Terrorist Screening Database), records of lost and stolen passports, the SLTD (INTERPOL’S Stolen and Lost Travel Documents database), any previous Visa Waiver Program refusals, visa revocations, expedited removals, as well as records from Public Health departments, including the CDCP (Centers for Disease Control and Preventions) to check for individuals suffering from a communicable disease which constitutes a threat to public health.”
It seems strange that the same attention to detail was not applied to the drone surveillance program.
Government Officials Need Education
It’s possible that the CBP officials involved in the drone surveillance program were just misinformed or not informed at all. This situation highlights the importance of strict oversight wherever data privacy is concerned. Hopefully, the lesson has been learned and new protocols are in place to ensure the oversight shortcomings don’t happen again.