
French whistleblowers have gone public with explosive claims that could trigger a wholesale review of how American law enforcement agencies collaborate with other agencies around the world, at least as far as software procurement is concerned. The two whistleblowers allege that their former employer knowingly sold the Federal Bureau of Investigation a fingerprint analysis software package that it knew contained code developed by Papillon Systems, a Russian firm with close ties to the Kremlin. They also claim that this fact was deliberately withheld from the FBI.

Buzzfeed claims that this same software package was deployed to more than 18,000 other law enforcement agencies across the country (presumably this refers to local and state police, though the TSA is also mentioned). Buzzfeed notes that Papillon's own public statements boast of close ties to Russia, including work done for the Federal Security Service (FSB) and close collaboration with the Ministry of the Interior, Ministry of Defense and Ministry of Justice of the Russian Federation. The Internal Affairs Ministry is listed as providing "methodic help" to Papillon.

Merely having bought code built by a Russian firm isn't proof that the code is compromised. It's impossible to judge the severity of a potential security breach before you know what the code is and how it works, and we don't have data yet on either point. But at a time when the government has locked down the purchase of Kaspersky products and Russia has been credibly accused of multiple high-profile hacks, including the DNC, US energy infrastructure, and the unclassified computers used by the Joint Chiefs of Staff, it's clear there has been a high-level effort to broadly compromise US infrastructure and vulnerable systems. How this compares to the efforts the US undoubtedly makes against Russian systems and targets is, of course, a matter of conjecture: the US is scarcely going to reveal such projects, and Russia has every reason to keep quiet about any penetration it's aware of.

Papillon's software in action. Image by Buzzfeed

This potential security risk dates back about a decade. A French software company, MorphoTrak, signed an agreement with Papillon to license the latter's fingerprint software, with the hope of using it to land a lucrative FBI contract. An NDA required both companies to remain silent on where the software came from, and Papillon agreed to provide five years of bug fixes and other services. All parties agreed that the provenance of the fingerprint analysis software had to remain private, lest it jeopardize US contracts.

The FBI has not issued much in the way of comment, beyond saying that the software it licensed passed internal review procedures. To reiterate, there is no proof, at present, of any backdoor. But it's an unsettling reminder of the ways commercial business and national security may not always dovetail, and of the risks engendered when one procurement model is blithely assumed to be sufficient for very different types of products or services.