
According to the report, CBP is passing the buck on this one.

They created policies that could be ignored. That’s on them. They shouldn’t be able to use their position to avoid accountability or to scapegoat their contractors (that they likely hired without due diligence).

Government agencies should never be seen as victims. They hold power and authority that nobody else can hope to enjoy. There is no higher power to hold them to account because the electorate had already been subverted to maintain their position. So they should not be protected from fucking up. In this context, God or the Lord is not a higher power, it is also a scapegoat.

With great power comes everybody else’s responsibility... said only by people in this century.

Edit: to follow this up, CBP is also the agency that sucks up all the data on your phone and laptop. They have treasure troves of license plates, passport photos, and titty and dick pics.

They cannot absolve themselves of liability when they are invading everybody’s privacy. If they say they don’t use the data, and they are acting out of ignorance, then that’s a solid case for not collecting it in the first place.

As it stands, the US needs a GDPR.

There’s a lot going on here, and I’m no fan of CBP but this is pretty much a low-grade by the book contractor failure here. They receive training on all of these things, and have gone through a lengthy award and due diligence process and then all it takes is one person thinking “hey I think I’ll take a sample dataset back to my Dev laptop to test things.” Could be a newbie or a senior - who knows, but it’s happened before.

Go after CBP for constitutionality of collection, for working outside of borders where they are legally not allowed to work, etc, but in this case I’d say let’s not blow things too out of proportion.

Remember when OMB lost hundreds of thousands of detailed compromising personal background check reports with all the identifying information including biometrics? This sounds like some port of entry data you could get with a camera in public.

Further: they are not absolving themselves. They are probably working their asses off right now to make sure this never happens again but somebody is going to pay for credit protection and insurance, and it should be the contractor that ignored their contract and all sensible security policy. So, there it is in the press release.

Lastly: I don’t think GDPR fixes this. Government (especially intel community and law enforcement) keeps the data as long as their record schedules allow.

Thankfully, laws about breaches required them to reveal this to us within a certain time. Privacy Officers have really hard jobs. To do them well is hard and thankless. Glad this one stuck to the law.

> There’s a lot going on here, and I’m no fan of CBP but this is pretty much a low-grade by the book contractor failure here.

Maybe government agencies shouldn't be allowed to contract out. And if they are, then they should be held ultimately responsible for their choice of contractors.

Non-military, executive branch headcount has remained relatively consistent in absolute numbers since the 1950s, believe it or not, at ~2 million, even though the budget has expanded enormously. Sources:

Historical table: https://www.opm.gov/policy-data-oversight/data-analysis-docu...

A concurrence in my assessment: https://www.nationalreview.com/2017/02/federal-government-gr... ("So, since 1960, federal spending, adjusted for inflation, has quintupled and federal undertakings have multiplied like dandelions, but the federal civilian workforce has expanded only negligibly, to approximately what it was when Dwight Eisenhower was elected in 1952." Note I'm not necessarily agreeing with the sentiments expressed elsewhere in that article.)

AFAIU for over half a century there's been something of a gentlemen's agreement in Congress among Democrats and Republicans that keeps the official headcount fixed while expanding government through contractors--the closest thing to a wide-spread "conspiracy" (tongue-in-cheek) I've ever seen. Of course, lobbyists and the contracting industry play a huge part in maintaining the system, but IMO that overlays the long-term political equilibrium reached in Congress.

One reason I finger Congress, and not lobbyists, as the principal supporters of the system is that Democrats would much rather have full-time federal employees, so they're clearly compromising. It's hard to say what Republicans want, but to many Republicans hiring contractors 1) squares limited government with electoral pressures to "do stuff" at the federal level, and 2) superficially provides better price signaling through competitive bidding (though if we're honest that's... complicated). Note how the numbers remain conspicuously stable across major domestic and international political shifts. It's fascinating.

State and local government workforces have ballooned, and a lot of federal expenditures are administered via state-based programs. But that doesn't conflict with the "conspiracy" noted above, it's arguably just a way for the Democrats and Republicans to jockey around it.

Indeed. CBP made the choice to subcontract w/o proper controls. It is still CBP's fault.

Given that the contractor violated the data handling rules in their contract, the only possible remedy is revocation of their facility security clearance, followed immediately by revocation of the personnel security clearances of everyone who claimed that these systems were operating in accordance with their SSPs.

I'd like to believe that this will happen, but I've seen plenty of cause for FSCs to be revoked and almost no FSC revocations.

And remunerations for all citizens that were affected in the form of cash payments.


Nah, Americans can be subject to their own laws, they were voted for. I'd go for remunerations for non-US citizens who had no choice in the matter (e.g. by being sent to the US for work.) Maybe see us as a bit more equal.

> made the choice to subcontract w/o proper controls

Seems to have worked out very well for the army, and their contractors.

So well in fact, that a senator is on a campaign to pass legislation to specifically address the military case (leaving cases like the CBP which should be as obvious as from the get go, to be dealt with individually too). The system is so broken in its lack of accountability that even well-intentioned people are driven to insanity as the norm.

> They cannot absolve themselves of liability when they are invading everybody’s privacy.

This is incorrect. They can absolve themselves of liability and act with impunity.

You and I might not like that, but it is fact.

I accept it as fact insofar as it actually happens, and calling it a fact makes it immutable.

I think that giving the benefit of objectiveness makes it easier for them to continue down this path.

I’m shocked that there aren’t a bunch of public resignations. I’m also shocked that there aren’t more details - for example - let us know the scope of all the data that company had access to, so we can get an idea of the maximum exposure the public faces.

> Government agencies should never be seen as victims.

That's a weird absolute, and that's before the side dish of theology and... Spiderman? You can be powerful or negligent or whatnot and still be a victim.

In this case, CBP is collecting this data without the direct consent of _the people_, so who in this case is accountable?

It's not _the people_ who made the decision to collect this data.

You can bear responsibility for something and still be a victim. It's really bizarre to suggest this is somehow not the case and to try to support that point with deities, comics and a call for GDPR legislation (for US federal agencies?). This kind of comment is the Markov chain with which threads are anchored to the bottom of the Abyss of Meaninglessness.
