825 points by pseudolus 2454 days ago | 198 comments on HN
Moderate positive (Editorial) · v3.7 · 2026-02-28 12:19:42
Summary: Privacy & Surveillance Advocates
BuzzFeed News investigative article reporting on a US Customs and Border Protection data breach exposing traveler photos and license plates to unauthorized access. The piece directly advocates for privacy rights and government accountability, featuring prominent criticism from ACLU and Congressional leaders calling for investigations and limits on surveillance expansion, demonstrating strong alignment with UDHR provisions on privacy, freedom of expression, and security of person.
> On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network
> CBP ... is closely monitoring all CBP work by the subcontractor
What. In the private sector, they'd have been fired and probably legal action levelled against them. The CBP's punishment for this is 'monitoring'? Please tell me I'm reading this wrong...
The sad truth is Congress is the biggest offender of poor network security practices. Every time they bring in Equifax, DHS, etc to explain why they didn't practice basic IT security due diligence or due care I am reminded of the time smart people were hired to implement basic network security for Congress. Once they realized Joe in IT (who was hired to keep hackers out) can see Congressman Bob has a foot fetish, fish fetish, whatever, Congress told IT to turn everything off.
If only someone could have seen this coming, you know, outside of the thousands of people that saw this coming. This is just one of many reasons why mass surveillance is terrible.
If CBP is not directly forthcoming with facts relating to the breach (specifically, whose information was unlawfully taken from the CBP production network) how does one seek redress for the harms created by the actions of the contractor?
This is yet another reminder that managing the security of your company's third party contractors is just as important as managing your own company's security. Security is a game of weakest links, and it wouldn't have mattered if CBP's internal security was the best in the world if they were allowing access to a third party that doesn't have good security.
It is naturally very difficult to enforce security mandates on a company that isn't your own, but I feel that this is one of the best ways we can improve security overall in our society: companies need to start requiring that everyone they do business with have a strong, independently certified security program, or else no contract will be signed. This is already done for things like data center contracting, but it should be much more widespread and encompass every type of b2b deal.
This is, of course, a serious breach and there will and should of course be consequences for the negligent parties, but I am struggling to see the threat model being faced here.
biometric data is just a username. I flash my face around all day, and am careless as to where I leave my thumbprint.
The loss of so many photos and names is unlikely to have national level consequences (compare this to, say, the Office of Personnel Management breach from some years back, which has horrible implications for US national security for decades) and the personal level consequences are ... hard to see.
What this does underline is that we are outrageously careless as an industry with our data (comparable to early industrial "pollution" as Schneier points out). And it is not going to get better without a) career and business ending consequences b) new ways to store / secure data c) a new way of thinking about who owns and what is personal data
Personally I think we need a new form of intellectual property (just as we are trying to work out what kind of company FAANG are (not telcos, not newspapers, what is a platform?), we need to ask what is personal data).
This comment is presumed under law to be my property, my copyright. I might license that property away (dunno never read HN T&Cs) but it is mine. But google and apple and others will track that I sat down at a certain time and place to write it, my ISP will see when I sent to which servers.
All of that data is also created by my conscious actions; should that data not also be my property? And if need be licensed, and compensated for its use?
And when (if) my data is held, then we should presume that it can be accessed by my agents for my benefit (from spending patterns to heart data). I would argue that sometimes surveillance can be good for us, but only in ways similar to doctors knowing more about me can be good for me; the entire industry of medicine has individual interests at its heart and took a long time to get there.
We are heading in that direction (perhaps) but till we get there, carelessness will be the cheapest option, surveillance always bent against us (by state or other actors). We should rail against this stupid dumb breach, but punishing the "bad guys" is not even the first step on the road.
If I can make a bad analogy: it's not one incident that people got sick from one chef badly cooking chicken; it's that we need to look at factory farming and meat consumption and healthy eating and marketing bias as a whole.
The only way to prevent hackers from getting access to databases that contain our names, picture, and license plate number - is to never create such a database.
The photos were transferred to a subcontractor’s network and later stolen through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an email.
Anyone think they approved the security of that subcontractor before giving sensitive information to them?
More importantly, why is that type of data leaving CBP in the first place?
Don't worry folks, I'm sure this won't hinder the CBP and other related agencies from continuing to roll out systems that capture ever more of our data.
I’ll just keep saying this, and getting dismissed by everyone I know - any data security discussion around a centralized data store that doesn’t begin with the recognition that that data store will be compromised, is a discussion that is just a joke.
Great job, thanks guys. Shouts to NSA and the whole security industrial complex for looking out for us. Glad to see all the research and 0day hoarding paid off. Really appreciate it.
“There should never have been the ability to download a database like this off of government servers.”
Sorry that I don't have a ton of links to support this claim, but "believe me" (as our Commander-in-chief would say) that the US Government would cease to function if it were not for subcontractors (read, private companies) performing tasks on behalf of the government. Personally, I don't agree with this way of our government doing business, but that is the way it is.
When I was in college, I worked for an archeology lab, and our lab was the subcontractor, of the subcontractor, of the contractor that had contracted to provide a service to the USACE (US Army Corps of Engineers). And every way along the way, money was skimmed off of the top. It's just "the American way" of doing business.
People lament regulation all the time. I have a feeling the executives of Ingersoll Rand love it every time a new regulation is put into place.
They've helped themselves to what seems to be limitless legal power as well as a functionally infinite budget... and still this type of incident doesn't surprise us in the least. Everyone just expects them to be one of the least competent actors in the space. And they don't disappoint. Hmmm.
> “CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” said an agency statement.
How long will it take the general public and elected officials to understand that the only authorization that matters for digital data is the actual implementation. Policies, legalese, mandates or any other agreements are meaningless.
If the data can be got at from, or transferred to, outside of a controlled environment, it will be.
Just another reminder that there is no accountability left in America, and you reap what you sow. If you want a society that is accountable, you need to start with a culture that values honor and takes shame seriously. You can’t impose a sense of honor from the outside without building it slowly from within, any more than you can impose respect without earning it.
If you ignore these principles, you make room for people who lack self-worth, and those are the most destructive forces in a society because they have nothing to lose.
Anyone? Why is a third party given the ability to store such a large database to conduct such business?
They should at most store the last 3 months border documents, nothing older than this.
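The two points raised above, that the only authorization that counts is what the implementation actually enforces, and that the store should hold nothing older than about three months, can be made concrete. What follows is an added example, not code from CBP, its subcontractor, or any commenter: a single-record data broker whose read path has no list or export method at all, caps each principal's lookups per sliding window, and enforces retention by deleting expired records (and by refusing to serve them even before the purge job runs). The 90-day retention period, the one-hour window, the 50-lookup cap, the record layout, the principal names and the sample data are all assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy parameters for the example (not figures from the article):
RETENTION = timedelta(days=90)        # "nothing older than 3 months"
RATE_WINDOW = timedelta(hours=1)
MAX_LOOKUPS_PER_WINDOW = 50           # plenty for an officer at a lane, useless for a dump
SAMPLE_NOW = datetime(2019, 6, 10, tzinfo=timezone.utc)   # constructed reference time


class AccessDenied(Exception):
    """Raised when a principal exceeds its lookup budget."""


@dataclass(frozen=True)
class CrossingRecord:
    record_id: str
    captured_at: datetime
    plate: str
    traveler_image_ref: str   # opaque blob reference; the broker never hands out pixels


@dataclass
class Broker:
    """Single-record read path. There is deliberately no list or export method:
    if the API cannot express 'give me everything', no policy has to forbid it."""
    _records: dict = field(default_factory=dict)
    _hits: dict = field(default_factory=dict)     # principal -> deque of lookup timestamps
    audit: list = field(default_factory=list)     # (event, principal, detail, when)

    def ingest(self, rec: CrossingRecord) -> None:
        self._records[rec.record_id] = rec

    def purge_expired(self, now: datetime) -> int:
        """Retention enforced by deletion; returns the number of records removed."""
        cutoff = now - RETENTION
        expired = [rid for rid, r in self._records.items() if r.captured_at < cutoff]
        for rid in expired:
            del self._records[rid]
        self.audit.append(("purge", "system", len(expired), now))
        return len(expired)

    def lookup(self, principal: str, record_id: str, now: datetime) -> CrossingRecord:
        # Sliding-window budget; misses count too, so ID enumeration burns budget.
        hits = self._hits.setdefault(principal, deque())
        while hits and now - hits[0] > RATE_WINDOW:
            hits.popleft()
        if len(hits) >= MAX_LOOKUPS_PER_WINDOW:
            self.audit.append(("deny-rate", principal, record_id, now))
            raise AccessDenied(f"{principal} exceeded {MAX_LOOKUPS_PER_WINDOW} lookups per window")
        hits.append(now)
        rec = self._records.get(record_id)
        # A record past retention is invisible even if the purge job has not run yet.
        if rec is None or now - rec.captured_at > RETENTION:
            self.audit.append(("miss", principal, record_id, now))
            raise KeyError(record_id)
        self.audit.append(("read", principal, record_id, now))
        return rec


def build_sample_broker(now: datetime, n_recent: int = 100, n_old: int = 20) -> Broker:
    """Constructed sample data: n_recent records inside retention, n_old outside it."""
    b = Broker()
    for i in range(n_recent):
        b.ingest(CrossingRecord(f"R{i:04d}", now - timedelta(days=i % 80),
                                f"ABC{i:04d}", f"blob://recent/{i}"))
    for i in range(n_old):
        b.ingest(CrossingRecord(f"O{i:04d}", now - timedelta(days=120 + i),
                                f"XYZ{i:04d}", f"blob://old/{i}"))
    return b


def attempt_bulk_pull(b: Broker, principal: str, ids, now: datetime) -> tuple:
    """A script walking record IDs one by one; returns (records obtained, blocked?)."""
    got = 0
    for rid in ids:
        try:
            b.lookup(principal, rid, now)
            got += 1
        except AccessDenied:
            return got, True
        except KeyError:
            continue
    return got, False


def demo() -> dict:
    """Run the scenario end to end and return the observable outcomes."""
    now = SAMPLE_NOW
    b = build_sample_broker(now)
    out = {"before_purge": len(b._records), "expired_invisible": False}
    try:
        b.lookup("officer", "O0000", now)          # old record, purge not yet run
    except KeyError:
        out["expired_invisible"] = True
    out["purged"] = b.purge_expired(now)
    out["after_purge"] = len(b._records)
    out["bulk"] = attempt_bulk_pull(b, "contractor-svc",
                                    [f"R{i:04d}" for i in range(100)], now)
    out["after_window"] = b.lookup("contractor-svc", "R0000", now + 2 * RATE_WINDOW).plate
    out["has_export"] = hasattr(Broker, "export_all")
    out["denials_logged"] = sum(1 for e in b.audit if e[0] == "deny-rate")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script shows the scripted pull stopping at 50 records with a logged denial, the 20 over-age records disappearing on purge (and being unreadable even before it), and the budget recovering once the window has passed. The point is not the specific numbers but that a copy of "the whole database" is something the read path cannot produce, so there is nothing for a policy clause to rely on.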
That would imply that security is irrelevant. Maybe you should re-work your rule to say that it will be attacked. Therefore you should always worry about security.
Sounds like pretty standard PR legalese to me. I guarantee that the same is going to happen to the subcontractor (after a lengthy investigation, to be sure), but it's bad practice to go throwing around public legal threats, especially for the government which likely has a multi-hundred page contract with these people, and especially at such an early point in any investigations going on.
“In the private sector” covers a lot of ground and I have extreme skepticism about your faith in the process unfolding that way: ask yourself how many breaches you’ve been part of and whether anything more than a press release happened along with waiting for the news to die down. How many customers did Experian lose?
(In the enterprise software world, I can tell you how epic failure to perform on an 8+ figure contract unfolds: the sales guy takes a VP out to the next game so they can discuss it over drinks in the corporate box and nothing will change)
They probably are doing some sort of critical service that can't be immediately stopped. That doesn't mean they will get contracts in the future or won't get legal action taken, but it takes time to review all that with the DOJ and decide how to proceed.
>I am struggling to see the threat model being faced here.
We don't really know the full details of the breach, but if the facial recognition database contained names in a column associated with pictures, that data can absolutely be leveraged and cross-referenced against other "fullz" for fraud that even passes a lot of online verification procedures.
Ha. In the private sector, we discovered a vendor was using an actual health database with real users in it for testing their app. It was all covered up, with no monitoring, because we had recently bought that vendor.
Why is it terrible? Sure, this has the potential to have negative consequences for the people whose data it was, but as far as the government cares it's working fine.
You and a whole bunch of other people making the same extremely basic observation. It would be good if you would suggest some alternative strategies, since 'don't bother keeping that data' isn't a realistic option in this context.
Compliance with NIST SP 800-53 is mandatory per statute and DHS policy. That system has an identified ISSO, ISSM, ISSPM, DAO, and AO who are responsible for authority to operate being given. If the paperwork is in place, a government employee signed off on that network's operation. If not, it doesn't have ATO and there's a government employee (the AO or CIO) responsible for allowing such a network to be connected to government systems and store government-controlled information.
> Anyone think they approved the security of that subcontractor before giving sensitive information to them?
They almost certainly did, actually. FIPS [1] and FISMA [2] are pretty strict requirements for every company contracting with a government agency. IMO it's one of the rare situations where, at least conceptually, the federal government has done something right in terms of security.
Now whether FIPS/FISMA, and the people enforcing it, actually have any teeth or effectiveness is a different topic entirely.
Isn't monetary liability a form of "outsourced responsibility"? I'm not understanding why damages from lawsuits are not sufficiently motivating the industry to take data breaches seriously. Maybe they just aren't awarding enough damages to change behavior?
Correct me if I'm being overly cynical, but this is an oft-repeated truism that is as useless as "the only winning move is not to play." It's technically the truth, but what are we supposed to do, revert all information systems to non-electronic media? What is the intended takeaway from this statement? If anything, it absolves data security efforts of responsibility by pointing out that there's always a chance of data breach as long as there is data.
That's trivially true, but the proper response to bad security is good security, not shutting down the whole system.
The goal isn't to prevent it in an absolute sense. The goal is to raise the cost to either above the value of the data contained therein or above that of other direct means, like in-person espionage or military actions.
Single points of failure via centralization, comparable to monoculture in farming
Editorial Channel (what the content says)
Article 12 (Privacy): +0.75 · High · Advocacy, Framing, Coverage · Editorial · SETL: ND · FW ratio: 60%
Article is primarily focused on privacy violations and strongly advocates for privacy protection against unauthorized government data collection and exposure
Observable Facts
ACLU statement in article: 'This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers...the need to put the brakes on these efforts'
Article emphasizes database transferred 'without the federal agency's authorization or knowledge'
Expert states: 'The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place'
Inferences
The article advocates for strong privacy protections by limiting government data collection practices
The breach exemplifies privacy violations and serves as evidence that current safeguards are inadequate
Article 19 (Freedom of Expression): +0.70 · High · Advocacy, Framing, Coverage, Practice · Editorial · SETL: +0.37 · FW ratio: 60%
Article is investigative journalism exemplifying freedom of opinion and expression through critical reporting on government surveillance practices and policy advocacy
Observable Facts
Article authored by named reporters Davey Alba and Hamed Aleaziz with publication date and timestamp
Article contains original investigation and analysis, directly critiquing CBP practices and surveillance expansion
Related investigations referenced show ongoing critical coverage of facial recognition and surveillance programs
Inferences
The article exemplifies freedom of expression by investigating and publicly critiquing government surveillance expansion
BuzzFeed News' editorial model enables freedom of expression through support for investigative journalism on surveillance and privacy
Article 3 (Life, Liberty, Security): +0.45 · High · Advocacy, Framing, Coverage · Editorial · SETL: ND · FW ratio: 50%
Article directly engages with security of person by reporting on data breach that undermines travelers' personal integrity and security
Observable Facts
Article reports 'subcontractor's network was then hacked' exposing photos of up to 100,000 travelers without consent
Expert quoted: 'There should never have been the ability to download a database like this off of government servers'
Inferences
The breach undermines individuals' security of person by exposing biometric and movement data without authorization
The article advocates for strengthened security practices protecting travelers' liberty and personal safety
Article 13 (Freedom of Movement): +0.40 · High · Advocacy, Framing, Coverage · Editorial · SETL: ND · FW ratio: 67%
Article critiques surveillance systems that restrict freedom of movement through biometric tracking and facial recognition of international travelers
Observable Facts
Article reports CBP biometric system aims for facial recognition on 100 percent of international passengers at top 20 US airports
License plate tracking system described as identifying and tracking citizens
Inferences
The article advocates for protecting freedom of movement by limiting comprehensive surveillance of travelers
Preamble: +0.35 · High · Advocacy, Framing · Editorial · SETL: ND · FW ratio: 50%
Article implicitly advocates for human dignity through critique of unauthorized data exposure and privacy violations, establishing case for rights protections
Observable Facts
Article reports CBP subcontractor 'transferred copies of license plate images and traveler images...to the subcontractor's company network' without authorization
ACLU statement quoted: 'This incident further underscores the need to put the brakes on these efforts and for Congress to investigate'
Inferences
The unauthorized transfer and breach illustrate the article's implicit argument that human dignity requires protection against arbitrary data exposure
The article frames privacy protection as foundational to maintaining human dignity and inalienable rights
Article 8 (Right to Remedy): +0.35 · High · Advocacy, Coverage · Editorial · SETL: ND · FW ratio: 67%
Article emphasizes need for effective remedies through Congressional investigation and oversight of the breach
Observable Facts
Congressional chairman quoted pledging to hold hearings on how DHS uses biometric information
Article reports Congressional members were notified and investigation underway
Inferences
The article advocates for institutional accountability mechanisms to provide remedies for privacy violations
Article 21 (Political Participation): +0.30 · High · Advocacy, Coverage · Editorial · SETL: ND · FW ratio: 67%
Article advocates for public participation in government through Congressional oversight and calls for investigation of CBP data practices
Observable Facts
Article quotes Congressional chairman pledging hearings on DHS biometric practices
ACLU statement emphasizes 'Congress to investigate the agency's data practices' is needed
Inferences
The article advocates for citizens' right to participate in government surveillance policy decisions through Congressional accountability
Article 30 (No Destruction of Rights): +0.30 · High · Advocacy, Framing, Coverage · Editorial · SETL: ND · FW ratio: 67%
Article opposes government actions and policies that undermine recognized human rights to privacy, security, and freedom of movement
Observable Facts
ACLU statement: 'This incident further underscores the need to put the brakes on these efforts' to expand surveillance
Article describes surveillance expansion occurring 'in the absence of proper vetting, regulatory safeguards, and what privacy advocates say is in defiance of the law'
Inferences
The article advocates against government actions that diminish or destroy recognized privacy rights
Article 1 (Freedom, Equality, Brotherhood): +0.25 · Medium · Advocacy, Coverage · Editorial · SETL: ND · FW ratio: 50%
Article addresses equal treatment of all travelers affected by breach, implicitly affirming equal dignity and rights regardless of citizenship or status
Observable Facts
Article states fewer than 100,000 people had information compromised, affecting diverse travelers crossing US borders
Inferences
The coverage of the breach affecting all travelers suggests commitment to equal human dignity principles
Article 6 (Legal Personhood): +0.25 · Medium · Advocacy, Coverage · Editorial · SETL: ND · FW ratio: 50%
Article addresses biometric data collection for legal identification, raising concerns about safeguards for recognition as person before law
Observable Facts
Article describes CBP's biometric entry-exit system using facial recognition to identify all international travelers
Inferences
The article implicitly advocates for legal controls over biometric data collection and use for identity determination
Article 10 (Fair Hearing): +0.25 · Medium · Advocacy, Coverage · Editorial · SETL: ND · FW ratio: 50%
Article reports Congressional calls for public hearings and investigation, supporting right to fair and public accountability
Observable Facts
Article states Congressional lawmakers notified and chairman pledged public hearings on government biometric practices
Inferences
The article supports public accountability mechanisms for government violations of privacy rights
Article 28 (Social & International Order): +0.25 · Medium · Advocacy, Coverage · Editorial · SETL: ND · FW ratio: 50%
Article advocates for social and international order that protects privacy rights and limits surveillance expansion
Observable Facts
Article references lack of 'proper vetting, regulatory safeguards' in CBP facial recognition programs
Inferences
The article advocates for establishing legal frameworks to protect privacy in cross-border surveillance
Article 29 (Duties to Community): +0.25 · Medium · Advocacy, Coverage · Editorial · SETL: ND · FW ratio: 50%
Article emphasizes government's duty to community to protect privacy and exercise surveillance responsibility
Observable Facts
Article notes CBP violated 'mandatory security and privacy protocols' and states CBP 'takes its privacy and cybersecurity responsibilities very seriously'
Inferences
The article frames privacy protection as a core community duty of government agencies
Article 7 (Equality Before Law): +0.20 · Medium · Advocacy, Coverage · Editorial · SETL: ND · FW ratio: 50%
Article implicitly addresses equal protection under law by criticizing unequal privacy safeguards in surveillance practices
Observable Facts
Expert quoted: data should be 'wholly governmental and not subject to contractors or subcontractors'
Inferences
The article suggests equal protection requires uniform privacy standards across government operations
Article 14 (Asylum): +0.20 · Medium · Advocacy, Coverage · Editorial · SETL: ND · FW ratio: 50%
Article indirectly addresses asylum rights by noting all travelers crossing borders include vulnerable populations affected by breach
Observable Facts
Article refers to all travelers crossing US borders, which includes asylum seekers and vulnerable populations
Inferences
The article recognizes that vulnerable travelers including asylum seekers are disproportionately affected by surveillance breaches
ND (not addressed by the article): Article 2 (Non-Discrimination), Article 4 (No Slavery), Article 5 (No Torture), Article 9 (No Arbitrary Detention), Article 11 (Presumption of Innocence), Article 15 (Nationality), Article 16 (Marriage & Family), Article 17 (Property), Article 18 (Freedom of Thought), Article 20 (Assembly & Association), Article 22 (Social Security), Article 23 (Work & Equal Pay), Article 24 (Rest & Leisure), Article 25 (Standard of Living), Article 26 (Education), Article 27 (Cultural Participation)
Structural Channel (what the site does)
Article 19 (Freedom of Expression): +0.50 · High · Advocacy, Framing, Coverage, Practice · Structural · Context Modifier: ND · SETL: +0.37
BuzzFeed News platform provides free public access enabling bylined journalists to publish critical investigations on government surveillance
All other articles (Preamble, Articles 1–18 and 20–30): ND, not applicable for single-article content
Supplementary Signals (how this content communicates, beyond directional lean)
Use of terms like 'malicious cyber-attack,' 'hacked,' 'stolen,' 'exposed' — though these are factually accurate technical descriptions of the security breach rather than distortions
build a784502+8ia6 · deployed 2026-02-28 14:33 UTC · evaluated 2026-02-28 14:28:40 UTC