Unfortunate Jest: Endorsement by the Department of Defense? 

 Privacy Plus+    

Privacy, Technology and Perspective   

This week, we’re pointing out a serious privacy and security problem affecting the U.S. Department of Defense’s procurement process and, therefore, the commercial world. Namely, we’ve been seeing companies selling access to privacy-sensitive technologies, like facial recognition platforms, by advertising their contract-wins with the DOD as if those wins are endorsements of the technologies.

Yet even with minimum diligence, we’ve found that some of those technologies aren’t supported by formal information security and privacy programs and that some companies’ privacy notices are inaccurate on their face.  Thus, in effect, companies are using the DOD’s imprimatur to mislead customers about the technologies that they are selling. While we won’t name names, we can say, unreservedly, that this is dangerous.  

At this moment, the DOD continues to press forward with its procurement of facial recognition and other biometric technologies. You can review the DOD’s “contract opportunities” by clicking on the following link and searching for “facial recognition” or “biometric”:  

https://sam.gov/search  

Some of the “contract opportunities” seem a bit wacky to us. For example, the Bureau of Indian Affairs is soliciting “facial recognition software” under a perpetual license. We find this unlikely. For reference, most facial recognition software is offered not under licenses but as software-as-a-service (“SAAS”), which integrates AI to store and process the data. And this is why data security and privacy are so important in this context. The government entrusts commercial operators to process and safeguard personal data in connection with the services. Hence, security, confidentiality, use restrictions, and data retention, among other things, are critical. For a quick reference on the difference between licensed software and SAAS services, and a checklist for some key contract provisions, you can review our post entitled: “SAAS Services vs. Licensed Software,” which is available at the following link:

https://www.hoschmorris.com/privacy-plus-news/saas-services-vs-licensed-software   

Further, in a cursory review, we’ve noticed that at least a couple of “contract opportunities” listed on the DOD’s website barely include terms addressing privacy or security—one only refers to the DFARS 52.239-1 safeguards, but those “safeguards” date back to 1996. We’d like to see the DOD do better, especially where service providers are marketing their facial recognition platforms by touting their DOD contracts.  

--  

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.  
