
FBI's Next Generation Identification system exempt from Privacy Act

News roundup: The FBI Next Generation Identification biometrics database is exempt from the Privacy Act. Plus, Salesforce fired two top staffers after DEFCON, and more.

A new rule exempts the FBI's biometrics database from the Privacy Act.

The biometrics database, called the Next Generation Identification system, stores the fingerprints and names of government employees, people with a criminal record, people who have applied for citizenship, and people who have undergone background checks as part of applying for federal jobs or military service. The database combines biometric information gathered from state, local, federal and tribal law enforcement agencies.

The final rule, published by the U.S. Department of Justice in the federal register, said that the FBI's Next Generation Identification system will not be subject to the parts of the Privacy Act of 1974 that allow judicial redress and the ability to opt out of the database.

The Privacy Act of 1974 requires federal agencies to publish notice of their systems of records -- such as the FBI's Next Generation Identification system -- in the Federal Register. It also prevents agencies from disclosing an individual's records without that person's written consent, and gives individuals the ability to access and amend their records.

The new final rule will prevent an individual from knowing whether their fingerprints and associated information -- including names, criminal backgrounds and iris scans -- are stored in the FBI's Next Generation Identification system.

According to the document in the federal register, the exemptions are "necessary to avoid interference with the Department's law enforcement and national security functions and responsibilities of the FBI."

The Justice Department's move to exempt the FBI's Next Generation Identification system from the Privacy Act has drawn criticism from privacy advocates.

When a draft of the rule was published in May 2016, the American Civil Liberties Union responded with a blog post claiming that the Next Generation Identification system "has the capability to store information on tattoos and such things as voice and gait recognition data," adding that, "with the construction of such a powerful surveillance tool, and all the potential for abuse that it brings, comes the need for checks and balances of commensurate strength."

In other news

  • Salesforce fired two of its senior staff members after they gave a talk at the DEFCON conference last month. Josh Schwartz, director of offensive security based in San Francisco, and John Cramb, senior offensive security engineer in Sydney, Australia, both worked on Salesforce's red team, which uses offensive methods to test the company's security from within. They presented a modular malware framework called MEATPISTOL at DEFCON and were fired after concluding their presentation and walking off the stage, according to ZDNet, which broke the story. The name MEATPISTOL is an anagram of Metasploit, but the tool serves a different purpose: it is a post-exploitation framework that generates and manages implants, giving a red team persistent control of systems it has already gained access to, rather than a tool for finding or exploiting vulnerabilities.
  • An anonymous company will start an invitation-only bug bounty program that offers a possible $250,000 payout per vulnerability. The bug bounty is being run by Bugcrowd and is for an unreleased product. Only selected applicants will have the opportunity to work on the product, and the mystery company is looking for virtual machine (VM) breakout and isolation failures. According to the announcement of the "Super Secret" bug bounty program, testers should also focus on code execution beyond the confines of a guest VM, privilege escalation within the VM that is possible because of the underlying platform, any vulnerabilities that could leak data, and vulnerabilities involving the denial or downgrading of service to customers, excluding distributed denial of service.
  • Palo Alto Networks is the first company to sign a Data Exchange Agreement with INTERPOL, according to a blog post from Sean Duca, vice president and regional CSO for Asia Pacific. "Aimed to combat criminal trends in cyberspace, cyberthreats and cybercrime, this agreement marks a mutual commitment to openly share threat intelligence and equip law enforcement officers with powerful information needed to prevent cybercrime," Duca wrote. "In addition to our involvement in the Cyber Threat Alliance and our role earlier this year in the INTERPOL-led operation targeting cybercrime across the ASEAN region, this agreement underscores our commitment to threat intelligence sharing." Palo Alto Networks was one of seven companies to support INTERPOL's efforts against ASEAN-based cybercrime earlier this year, which led to the identification of thousands of malicious command and control servers. The blog post also noted that 44% of organizations in the ASEAN region have already started sharing threat intelligence with other companies in their industry, but this marks the first formal agreement.
