The Washington PostDemocracy Dies in Darkness

Hacked documents reveal sensitive details of expanding border surveillance

Far more information was taken in the hack of a Customs and Border Protection contractor than U.S. officials have acknowledged

Cars wait in line at the San Ysidro border crossing in Tijuana, Mexico, earlier this month. Details of U.S. Customs and Border Protection surveillance technologies used here were exposed after a cyberattack. (Cesar Rodriguez/Bloomberg News)

The recent cyberattack on a U.S. Customs and Border Protection subcontractor didn’t expose just the faces and license plates of thousands of U.S. travelers. It also revealed the inner workings of a complex surveillance network that border authorities have long sought to keep secret.

CBP officials have downplayed the significance of the material taken in the hack, saying only that fewer than 100,000 photos of travelers had been compromised and that none of those had been posted to the “dark Web,” the corner of the Internet where stolen documents are often traded and displayed.

That assessment, however, woefully understates the number of sensitive documents that are now freely available on the Web — so much material, totaling hundreds of gigabytes, that The Washington Post required several days of computer time to capture it all.

The documents offer an unusually intimate glimpse of the machinery that U.S. officials depend on for the constant monitoring of legal immigration through the border. They also illuminate the government’s plans for expanding its use of license plate readers and facial-recognition cameras, including such details as how many cameras are focused on which traffic lanes at some of the busiest border crossings in the world.

ICE raids targeting migrant families slated to start Sunday in major U.S. cities

The hoard of hacked documents includes detailed schematics, confidential agreements, equipment lists, budget spreadsheets, internal photos and hardware blueprints for security systems.

The Washington Post traveled to the Mexico-Guatemala border to see how Mexican authorities are trying to stem the flow of migrants. (Video: The Washington Post)

Among potentially sensitive government material are internal Department of Homeland Security handbooks, border surveillance diagrams and dozens of signed nondisclosure agreements between the subcontractor and government authorities, as well as companies such as Microsoft and the defense-contracting giant Northrop Grumman. Microsoft and Northrop Grumman did not respond to requests for comment.

The files also offer extensive detail on — and, in some cases, a literal road map to — equipment that has been installed at U.S. military bases and the United States’ most highly trafficked border gateways.

“This is red meat for their competitors . . . [and] a whole set of domestic and foreign terrorists and criminals who might want to use that information,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, a Washington think tank.

“This is a pretty stark view into one of the cogs of the U.S. surveillance state,” he said, adding that federal authorities “may have to change some of that operational stuff pretty quickly before people take advantage.”

U.S. Customs and Border Protection says photos of travelers were taken in a data breach

Taken as a whole, the documents provide a rare look into the U.S. government’s dependence on a cluster of little-known private contractors to marshal its efforts to monitor who enters and leaves the United States.

The firm whose computer systems appear to have been breached, Perceptics, is an obscure presence in the world of federal contracting: a 40-year-old company based in a strip mall in Farragut, Tenn., a Knoxville suburb, that many privacy advocates say they had never heard of until recently. But its technology, the documents show, helps form the core of a security engine that has photographed virtually every car and truck crossing the border over the past decade in a process for which there is little public oversight.

Hackers posted the cache of documents onto the dark Web, where files are hidden from search engines and accessible only through special software, such as the Tor browser, that allow for enhanced encryption and user anonymity.

The Post obtained a link to the dark Web directory that hackers first sent to the Register, a British tech news site. Some of the documents have since been posted to the broader Internet by the group Distributed Denial of Secrets, making them more easily accessible for a mainstream audience.

The Post provided a detailed outline of the contents of this story to CBP and Perceptics officials before publication, but neither entity provided a comment. None of the documents The Post reviewed was marked classified.

In Eagle Pass, Tex. residents and local authorities say they need more resources to help law enforcement deal with the rising number of migrants crossing over. (Video: Zoeann Murphy/The Washington Post)

The documents include detailed records about multiyear CBP contracts worth hundreds of millions of dollars covering technology upgrades at all ports of entry. The records include the exact names, costs and quantities of hardware components for a number of ports, including San Ysidro, the largest port of entry between the United States and Mexico and one of the busiest border crossings in the world.

One PowerPoint presentation, dated in April, appears to outline a recent visit from CBP officials, who were offered a facility tour and hands-on experience with the license plate scanners. The presentation outlined systems that Perceptics was testing for “face capture for biometrics,” including examples of drivers’ faces being photographed and analyzed. “We overcome blocked faces,” the presentation said, a reference to faces obscured by sunglasses or car visors.

Trump renews pledge to deport millions, but ICE reality is far more limited

The records also include an exhaustive array of photos captured by fixed, handheld and mobile license plate readers made by Perceptics, which has said its scanners capture more than 200 million license plates a year. Many of the reports include photos taken from multiple angles of a single car, truck or motorcycle, showing the license plate, the vehicle and the driver’s unobscured face.

Contract documents from the past decade show that the role of Perceptics in federal security efforts goes beyond license plate readers to providing other equipment, such as bomb-detecting “under-vehicle surveillance systems,” to U.S. border crossings, Drug Enforcement Administration checkpoints, military bases and air stations. Funding documents suggest the company has also worked with officials in the United Arab Emirates as well as with a special-forces unit in Saudi Arabia.

Also available are internal company documents including financial statements, project budgets, internal passwords, sales and marketing material, and information about employees’ performance reviews, insurance coverage and pay.

Few specifics are known about the hack itself. The CBP acknowledged the intrusion in a statement June 10, saying it learned of the cyberattack on May 31. That statement said that no CBP networks or databases were breached and that it had “not yet verified” that the stolen data was from CBP holdings. It blamed an unnamed contractor for leaving confidential material vulnerable to attack, saying it had violated agency rules by moving copies of license plate and travel images onto its private network.

But that account leaves many questions unanswered, including how CBP first learned of the breach. Journalists with the Register published a report on the breach on May 23, eight days before CBP says it became aware of the attack. The Register report detailed the cache of documents and said it appeared to include many license plate images.

CBP officials have declined to comment further, citing an ongoing forensic investigation that “will determine the original sources of the data, and provide the details needed to ensure the appropriate response actions are taken.”

Perceptics officials also decline to comment. While CBP hasn’t confirmed that Perceptics was the company involved in the breach, the company’s name appears on many of the files, and the CBP statement sent to The Post last week included “Perceptics” in the title of the document.

ICE is tapping into a huge license-plate database, ACLU says, raising new privacy concerns about surveillance

A number of other questions remain. CBP said it has “removed from service all equipment related to the breach” but has offered no details, and the agency has declined to say how the hackers broke into the subcontractors’ systems, how long they had access to confidential material and whether other companies had been targeted.

In a letter last week to Department of Homeland Security leaders, Sen. Rick Scott (R-Fla.) asked what CBP had done to prevent future breaches and whether affected travelers had been notified, adding, “Anything other than full transparency is unacceptable.” In a separate letter, Sen. Edward J. Markey (D-Mass.) asked whether the FBI was responding and whether travelers’ other personal information could be at risk. The agency has yet to officially respond to either letter, the senators’ representatives said. The FBI referred comment to CBP.

The breach also raises questions about how aggressively federal authorities monitor the private subcontractors they depend on to fulfill their mandate. The Trump administration has directed intense attention toward the U.S.-Mexico border, with mass arrests and border-security measures such as the “extreme vetting” initiative touted as key to enhancing national security.

But those tactics have also drawn scorn from some lawmakers, who have said the push from federal officials to gather an ever-increasing amount of data in the name of greater security is tantamount to an eternal dragnet that can put people in harm’s way.

“It is outrageous that DHS allowed individuals’ sensitive data to be compromised, but this case also highlights the risks of collecting this information in the first place,” Markey said in a statement this week. “This personal, sensitive [data] becomes a gold mine for bad actors, and the effects could be devastating for the victims of a breach.”

Perspective: Don’t smile for surveillance: Why airport face scans are a privacy trap

More than a million people cross through points of entry on the American border every day, according to CBP, including roughly 300,000 by car, truck and other passenger vehicles. To surveil them, the government relies on companies such as Perceptics, which in 2015 said it was the sole provider of license plate scanners for passenger vehicle inspections “at all land border ports of entry in the United States, Canada and at the most critical lanes in Mexico.”

DHS officials say license plate readers are an important tool for “identifying, apprehending and removing” people crossing the border illegally. But information on all vehicles crossing the border is recorded into a database made accessible to more than a dozen federal agencies, including for drivers not accused of a crime.

Vehicle information, location and time of crossing can be stored on DHS servers for up to two years, or longer if “linked to an active law enforcement investigation,” DHS officials said in 2017. License plate readers are also hidden near “known smuggling routes” and installed on CBP vehicles, allowing them to record the license plates of every vehicle that passes by.

Dave Maass, a senior investigative researcher at the digital rights group Electronic Frontier Foundation who has studied police surveillance, said Perceptics is “virtually unknown” and often overshadowed by Vigilant Solutions, whose license plate reader technology is used by U.S. Immigration and Customs Enforcement and local police agencies.

Both companies, he said, have benefited from an increasingly close relationship between surveillance technology vendors and the government.

Oregon became a testing ground for Amazon’s facial-recognition policing. But what if Rekognition gets it wrong?

“There’s this imbalance of power in making decisions, where the discussions are between law enforcement and salespeople, and policymakers and the public aren’t involved,” Maass said. “The reasons for surveillance end up being driven by profit, as opposed to the needs for public safety," he added. “These agencies shouldn’t be collecting more data than they absolutely need . . . or can absolutely protect.”

It remains unclear who spearheaded the attack. A hacker using the pseudonym “Boris Bullet-Dodger” first contacted journalists last month and offered a list of the stolen files, and a site on the dark Web attributes the attack to Team Snatch, a cybercrime group that has also taken credit for other corporate hacks and ransom attempts.

A site on the dark Web listing Perceptics files also includes large troves of data purportedly taken from other companies, including a New York corporate consulting agency, a German computer system company and a Texas accounting firm.

The Perceptics breach, some experts said, could serve as a milestone for the potential hazards of expanded government monitoring. Rachel Levinson-Waldman, senior counsel at the think tank Brennan Center for Justice, pointed to new State Department rules that require everyone who applies for a U.S. visa to provide details of the social media accounts they used over the past five years.

“This kind of breach highlights the dangers of mass collection of sensitive data. And it should not come as a surprise,” Levinson-Waldman said. “Large-scale collection of personal information is not costless. Congress must exercise vigorous oversight and demand that agencies limit the sensitive information they collect and safeguard the data in their possession.”