Published on July 15th, 2019 📆 | 8424 Views ⚑
0Perceptics Lobbied Congress to Downplay Security Issues
Few people had ever heard of Perceptics, a Tennessee-based subcontractor that sells license plate readers to U.S. Customs and Border Protection, before last month, when news emerged that the company had been hacked and that sensitive data â including images of license plates and drivers â had been released on the dark web.
The hack is just the sort of privacy breach that civil liberties advocates have long warned could come from massive government data collection, especially when it is contracted out to private firms. And it comes at a time when the CBP is under scrutiny for monitoring activists and journalists at the U.S.-Mexico border and airports.
Yet while photos of faces and license plates of some 100,000 U.S. drivers are now freely available online, the CEO of Perceptics, John Dalton, claimed in an email a few years ago that âCBP has none of the privacy concerns at the border that all agencies have inland.â
Writing to one of his companyâs lobbyists in 2013, Dalton suggested that the border agency offered Perceptics an opportunity to make greater use of license plate images, stating, âData mining and looking at traffic patterns/abnormalities are strong analytics for CBP, and could be for others.â Dalton appeared to be referring to the CBPâs relatively unfettered powers of search and seizure within 100 miles of the border. In contrast, for agencies other than CBP, âthere is much concern with ACLU state level lawsuits and elsewhere around privacy issues, so this is a live challenge,â he wrote.
The CEO of Perceptics claimed in an email a few years ago that âCBP has none of the privacy concerns at the border that all agencies have inland.â
Daltonâs email and other internal documents laying out Percepticsâ strategy to politically defend its products are among the data taken from the company by an anonymous hacker and analyzed by The Intercept.
âObviously, we donât agree with the blanket assertion that there are no privacy concerns at the border,â said Nate Freed Wessler, of the American Civil Liberties Unionâs Speech, Privacy, and Technology Project. âThe government position is that they have latitude to do whatever they want there, and we vigorously disagree with that.â
Wherever they are used, said Wessler, license plate readers, or LPRs, are concerning when the data they collect is retained and analyzed, providing a gold mine of location information as people go about their daily lives in their cars.
âEspecially for people who live in border communities, who live binational lives, it can really be sensitive information,â he said. And as the Perceptics hack shows, data that is retained is also vulnerable to unintended release or use, whether by hackers or unscrupulous government employees or contractors.
Daltonâs emails distinguish between analyzing data and merely capturing it but suggest that Perceptics could be in the business of both. In response to the suggestion by an industry colleague that they âneed to really hit back hard on separating technology with policy (data collection vs. data use)â in order to ward off privacy concerns, Dalton wrote, âPerceptics can do anything any of these extremes want and everything in between. That is just the kind of customer friendly company we are.â
He continued, âFor CBP, we do not host any data at all, as we are a complex sensor; for the Pentagon, the vehicle data is hosted/stored on our provided hardware/software solution, database and user interface. In any system, the data can be dumped just about under any set of timing or other conditions.â
In early July, CBP suspended Perceptics from receiving any further contracts with the federal government, citing âevidence of conduct indicating a lack of business honesty or integrity.â The suspension apparently came because the company âhad transferred copies of license-plate and traveler images onto its private network in violation of agency rules,â according to the Washington Post. A CBP official told the paper that Perceptics was trying to ârefine its algorithms to match license plates with the faces of a carâs occupants, which the official said was outside of CBPâs sanctioned use.â
Neither CBP nor Perceptics responded to questions from The Intercept. Reached for comment, Cristina Antelo, a lobbyist who has worked with Perceptics for over a decade as part of the Podesta Group and at her own shop, said that the companyâs position on privacy has always been about the distinction between the technology, which Perceptics provides, and its use, which is determined by the customer.
When she spoke with members of Congress, she said, âThe question was always what happens to that data: Who has access to it, where is it stored? Does ICE get access to it? How long would you keep it? Our response at that time is that those are all valid policy concerns, and that is a policy issue for Congress to determine.â
Preempting Privacy Concerns
Perceptics nonetheless showed a strong interest in shaping Congressâs determinations around license plate policy. The company engaged in years of lobbying to preempt criticism of its products from privacy advocates, insisting that what happened to the data that its license plate readers captured was none of its business â even as the company worked on controversial trials pairing its camera systems with other companiesâ facial recognition products.
Perceptics staff and lobbyists tracked the reaction to stories about ICE gaining access to license plate databases and the DEA building them out, the emails show. In monthly reports spanning several years, the Podesta Group detailed its work on appropriations bills and other spending vehicles. In 2014, for instance, Podesta Group representatives mentioned monitoring legislation regulating location data collection, saying that their staff would âpreemptively meet if necessary to ensure LPRs do not get drawn further into the privacy conversation.â In 2015, Podesta Group representatives spoke about building a âpossible coalition against LPR bans,â according to one of the reports.
After Donald Trump took office, Antelo and other Podesta staff provided updates on government negotiations over border spending, which sometimes raised the concern that Trumpâs hard-line immigration demands would end up scuttling spending on technology and hurt her clientsâ bottom line.
âA Trump presidency doesnât guarantee a bonanza for Perceptics.â
âA Trump presidency doesnât guarantee a bonanza for Perceptics,â Antelo wrote in a January 2017 email to a Perceptics executive, noting the administrationâs pledge to cut budgets. âWe might want to do some pre-emptive defense of Percepticsâ programs early on, in addition to affirmatively pushing for more funding,â she continued. In an October 2017 update, Podesta staffer Lucia Alonzo wrote that the administration was holding âto the idea of a southern border wall â there is little mention of other types of technology and infrastructure.â Their job, she said, âcontinues to be ensuring our LPR language is in any future compromise package.â
In a February 2018 email, Antelo described meetings with staffers for Democrats Peter Aguilar, a California congressman, and Michael Bennet, a Colorado senator and presidential candidate: âBoth staffer brought up privacy and data mgmt concerns generally and seemed content with the response that we have no input as to how the data is managed and that it is a valid policy discussion for CBP.â Antelo wrote that when Bennetâs staff asked âabout privacy and security of LPR data Perceptics camera captures, we gave them the standard response.â
Staffers for Democratic Sen. Bob Menendez, of New Jersey, on the other hand, âassured us their office has no objection to LPRs. In the larger discussion of DACA/border security, they said they donât really have a problem with border tech, but rather dramatic stuff like the wall.â
âMichaelâs staff raised flags about the privacy risks associated with license plate reader technology and the recent data breach appears to bear out their concerns,â according to Courtney Gidner, a spokesperson for Bennet. âThis event has underscored the risks of collecting such information in the first place and how it is stored and protected.â (The offices of Aguilar and Menendez did not respond to requests for comment.)
About-Face
Antelo insisted that Perceptics âmakes cameras, really good cameras, and we sell cameras. We do not do facial recognition, we never have and are not developing it.â
But recent emails make clear that Perceptics was at the very least involved in trials to work with other companies that do do facial recognition. The company worked on a pilot for CBPâs âVehicle Face System,â which, as reported by The Verge last year, was aimed at scanning driversâ faces through the windshields of their cars, in order to match drivers with the photos on file in government databases. Emails and other Perceptics documents reference work with Unisys, another contractor, on the project.
One email discussing Percepticsâ success in identifying people in cars for policing HOV lanes references âa CBP projectâ that was âtouting high match rates using facial recognition.â In June 2018, an email chain about naming ânew products for our borders marketâ referenced efforts they called âFace Findâ and âFace at Speed.â The suggested names from one employee? â1. Big Brother 2. Voyeur 3. Mug shot 4. Head shot 5. paparazzo.â
In Brownsville, Texas, in December 2018, a Perceptics employee was instructed to âhold off on the face cam for the moment. We didnât have permission to install that in Brownsville, and with privacy concerns we need to do some thinking before we install any face capture utilities within the CBP facilities.â
âTechnology that is used at the border doesnât stay at the border.â
âWeâve never had full insight into what CBP is collecting and what they are storing, and what piece of the puzzle each subcontractor has,â said Neema Singh Guliani, a senior legislative counsel with the ACLU. But, she said, although CBP has rolled out face recognition technology in airports and at pedestrian crossings, for her, there are âbig questions about whether CBP has explicit authority to use face recognition.â
âTechnology that is used at the border doesnât stay at the border,â said Mana Azarmi, policy counsel with the Center for Democracy and Technology. âAutomatic license plate readers are fairly ubiquitous, and if they manage to attach the software to these cameras and get readable images, then it spreads, we have the ability for law enforcement to do real-time facial recognition of drivers which is something weâve always warned of.â
Gloss