Biometric data belonging to millions of Americans may or may not be at risk—it is frankly unclear—based on a BuzzFeed report published Tuesday. At least two experts are concerned anyway, according to the site.
The full story, well-sourced and exhaustively reported, details how code developed by a Russian company found its way into fingerprint-recognition software reportedly used by the Federal Bureau of Investigation (FBI), the TSA PreCheck program, as well as some 18,000 other American law enforcement agencies including the New York City Police Department.
According to BuzzFeed, a French company called Sagem Sécurité, later renamed Morpho, supplied the software but “deliberately concealed” that a portion of the code was purchased from a Russian firm called Papillon AO. Sagem Sécurité reportedly paid the equivalent of about $6 million upfront to use the code in its own fingerprint-analysis program, in addition to some recurring annual fees.
Per BuzzFeed, Papillon has boasted in marketing materials about collaborating on product development with various Kremlin agencies, including the Ministry of Defense and the Federal Security Service, Russia’s chief security agency, also known as the FSB. BuzzFeed states that the association raises “concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems.”
While a former policy director for the National Security Agency told BuzzFeed that knowledge of the company’s secret Russian-made code would have made him “nervous,” and a former Morpho employee said it would have left him “a little bit” concerned, none of the sources appear to claim the actual code itself contains a backdoor. BuzzFeed suggests that none of the cybersecurity experts it consulted had examined the code—had they, we’d likely know whether any proof of this speculative backdoor actually exists—and neither of the two sources named as whistleblowers were personally involved in implementing the code or the sale of it to the FBI, the report says.
No other details regarding a potential backdoor appear in the article; Papillon denies that a backdoor exists; and the FBI notes, generally speaking, that the security behind any software it purchases is scrutinized prior to being rolled out. Moreover, the contract reviewed by BuzzFeed is also said to contain a statement that, to the best of Papillon’s knowledge, the code it licensed to Morpho does not contain any backdoor or trojan-like capabilities.
The report is contextualized with references to the cyberattacks that targeted top Democrats during the 2016 election—which US intelligence has attributed with high confidence to the Russian government—as well as a more recent controversy involving Moscow-based Kaspersky Labs, software from which federal agencies are no longer allowed to use, per a Department of Homeland Security mandate and, later, legislation signed by President Donald Trump. (Kaspersky is suing the Trump administration over the ban.)
The code BuzzFeed’s article centers around was sold roughly a decade ago, according to an unsigned copy of a licensing agreement between Morpho and Papillon obtained by BuzzFeed. And with regard to Kaspersky, the fact that the company shuttled data back and forth was a known function of its antivirus software, not a backdoor, and the company isn’t being credibly accused of having compromising “Kremlin-ties” as much as it is getting hacked.
A key clause in the contract stipulates that the companies agreed “not to disclose [the contract] by any means,” BuzzFeed reports. Whether foreign companies are disclosing the origins of their source code when selling software to the US government is, by itself, probably a big deal.
One of the whistleblowers cited by the website is party to an antitrust lawsuit against Morpho’s former parent company, Sofran—Morpho is now owned by a US firm and has been renamed Idemia, just to keep things confusing—which alleges that Sofran and Papillon had secretly agreed not to compete for contracts in certain countries including, apparently, the United States. A federal judge dismissed the case this year on technicalities, and it is currently on appeal.
The FBI declined to respond to BuzzFeed’s specific inquiries about the biometric software—which is not surprising—but otherwise noted: “As is typical for all commercial software that we operate, appropriate security reviews were completed prior to operational deployment.”
You can read the entire story in all of its complexity at BuzzFeed.