Slashdot Mirror


FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say (buzzfeed.com)

schwit1 shares an exclusive report via BuzzFeed: The fingerprint-analysis software used by the FBI and more than 18,000 other U.S. law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems. The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm -- then a subsidiary of the massive Paris-based conglomerate Safran -- deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said. The Russian company whose code ended up in the FBI's fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service -- the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of U.S. targets.

Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself. But "the fact that there were connections to the FSB would make me nervous to use this software," said Tim Evans, who worked as director of operational policy for the National Security Agency's elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin. The FBI's overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau's use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.

4 of 174 comments

  1. Re:This is getting ridiculous by CajunArson · Score: 0, Interesting

    If only the Russians weren't white, this type of criticism would sound like KKK propaganda (which it basically is but it's OK because Russians are the new equivalent of blacks in the Jim Crow south).

    --
    AntiFA: An abbreviation for Anti First Amendment.
  2. Re:This is getting ridiculous by ShanghaiBill · Score: 3, Interesting

    Even better would be to just go open source, without regard for the country of origin. As long as we can read the code, we can see for ourselves if it is compromised. Why should "fingerprint analysis" need to be proprietary?

  3. Re:Analyze the code... by AHuxley · Score: 3, Interesting

    Re "Who wrote it doesn't matter, so long as it does the job it's supposed to."
    US code only worked with modern quality digital images and file formats.
    The French used Russian code that could accept fingerprints from old paper files.
    The FBI did tests and accepted the French innovations that allow for the accurate importing of old US paper records. The French outsmarted their US competitors by knowing what the FBI wanted.

    --
    Domestic spying is now "Benign Information Gathering"
  4. Re:This is getting ridiculous by superwiz · Score: 2, Interesting

    So any private company in that state writing software must be spies? I mean they could be... But shouldn't that be suggested by some evidence other than their location? I mean, I get it that the awful summary says Safran bought the code, but doesn't actually say if they bought a license to redistribute or bought the source code. Presumably, they can audit the code if they bought the source code. And I find it difficult to believe that Safran would have bought a license to distribute without some fairly severe security sandboxing.

    By the way, the French have a history of (state-sanctioned) industrial espionage, so why isn't it a problem in itself that it is the French company that produced the product?

    --
    Any guest worker system is indistinguishable from indentured servitude.