Tag: Security

Does the PASS ID Act Protect Privacy?

I’ve written about PASS ID here a couple of times before - first on whether or not it’s a national ID and, second, on the politics of this REAL ID revival bill. Now I’ll take a look at whether it fixes the privacy issues with REAL ID. Privacy is complicated. Buckle up.

The day the bill was introduced, the Center for Democracy and Technology issued a press release giving it a privacy stamp of approval.

“The PASS ID Act addresses most of the major privacy and security concerns with REAL ID,” said Ari Schwartz, Vice-President of CDT. The release cited four ways that PASS ID was an improvement over the bill it’s modeled on, REAL ID.

Interstate Data Sharing?

First, CDT said, PASS ID “[r]emoves the requirement that states ‘provide electronic access’ allowing every other state to search their motor vehicles records.” It’s technically true: The language from REAL ID directly requiring states to share information among themselves came out of PASS ID. But the requirements of the law will cause that information sharing to happen all the same.

Like REAL ID did, PASS ID would require states to confirm that “a person submitting an application for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued by another state.

How do you do that? You check the driver license databases of every other state. Maybe you do this by directly accessing other states’ databases; maybe you do this indirectly, through a “pointer system” or “hub.” But to confirm that you’re talking about the right person, you don’t just compare names. You compare names, addresses, pictures, and other biometrics.

Just like REAL ID, PASS ID would require states to share driver data on a very large scale. It just doesn’t say so. As with REAL ID, the security weaknesses of any one state’s operations would accrue to the harm of all others.

Mission Creep?

Second, CDT says that PASS ID “[l]imits the ‘official purposes’ for which federal agencies can demand a PASS ID driver’s license, thereby helping prevent ‘mission creep.’” Again, it’s technically true, but materially false.

REAL ID had an open-ended list of “official purposes” - things that the homeland security secretary could require a REAL ID for. PASS ID is not so open-ended, but that is a small impediment to only one form of mission creep.

PASS ID places no limits on how the DHS, other agencies, and states could use the national ID to regulate the population. It simply requires the DHS to use PASS ID for certain purposes. A simple law change or amendment to existing regulation would expand those uses to give the federal government control over access to employment, access to credit cards, voting - CDT’s own PolicyBeta blog called a plan to use REAL ID to control cold medicine a “terrifying” example of mission creep. And these are just the ideas that have already been floated.

When I testified before the Senate Judiciary Committee on REAL ID in May 2007, I spoke about what we had recently heard in a meeting of the DHS Privacy Committee:

Ann Collins, the Registrar of Motor Vehicles from the State of Massachusetts, … said, “If you build it, they will come.” What she meant by that is that if you compile deep data bases of information about every driver, uses for it will be found. The Department of Homeland Security will find uses for it. Every agency that wants to control, manipulate, and affect people’s lives will say, “There is our easiest place to go. That is our path of least resistance.”

PASS ID is the same medium for mission creep that REAL ID is. The problem is with having a national ID at all - not with what its enabling legislation says.

Privacy Protections?

Next, CDT says that PASS ID requires “privacy and security protections for PII stored in back-end motor vehicle databases.” (“PII” means “personally identifiable information.”)

A glaring oversight of REAL ID - and the competition for glaring oversights was fierce - was to omit any requirement for privacy and security of the databases states would maintain and share on behalf of the federal government. The DHS took pains in the REAL ID rulemaking to drain this swamp. It tried to require minimal information collection for identity verification and minimal information display on the card and in the machine readable zone. (It failed in important ways, as I will discuss below.) The REAL ID regulation required states to file security plans that would explain how the state would protect personally identifiable information. And it said it would produce a set of “Privacy and Security Best Practices.” None of this mollified REAL ID opponents, and the privacy bromides in the PASS ID Act won’t either.

One of the more interesting privacy “protections” in the PASS ID Act is a requirement that individuals may access, amend, and correct their own personally identifiable information. This is a new and different security/identity fraud challenge not found in REAL ID, and the states have no idea what they’re getting themselves into if they try to implement such a thing. A May 2000 report from a panel of experts convened by the Federal Trade Commission was bowled over by the complexity of trying to secure information while giving people access to it. Nowhere is that tension more acute than in giving the public access to basic identity information.

The privacy language in the PASS ID Act is a welcome change to REAL ID’s gross error on that score. At least there’s privacy language! But creating a national identity system that is privacy protective is like trying to make water that isn’t wet.

Limits on Use of Card Data?

CDT’s final defense of PASS ID is the presence of meager limits on how data collected from national ID cards will be used. Much like with mission creep, the statutory language is beside the point, but CDT points out that PASS ID “prohibits states from including the cardholder’s social security number in the MRZ and places limits on the storage, use, and re-disclosure of that information.”

“MRZ” stands for “machine-readable zone.” In the PASS Act and REAL ID Act, this is referred to as “machine-readable technology,” and in the REAL ID rulemaking, the DHS selected a 2D barcode standard for the back of REAL ID licenses and IDs. Think of government officials scanning your license the way grocery clerks scan your toilet paper and canned peaches.

It’s true that the PASS ID Act bars states from including the Social Security number in that easily scannable data, but it doesn’t prohibit anything else from being scanned - including race, which was included in DHS’ standard for REAL ID.

And don’t think that limits on the storage, use, and re-disclosure of card information would have any teeth. It would create a new crime: scanning licenses, reselling or trading information from them, or tracking holders of them “without lawful authority,” but it’s not clear what “without lawful authority” means. It would probably allow people to give implied permission for all this data-collection and -sharing by handing their cards to someone else. It would certainly allow governments to authorize themselves to collect and trade data from cards en masse.

Not that we should want this “protection.” The last thing we need is another obtusely defined federal crime. Nearly as bad as being required to carry a national ID is making it illegal for people to collect information from it when you want them to!

And in Some Ways PASS ID is Worse

But let’s talk some more about that machine-readable zone. When Congress passed REAL ID, suspicion was strong that the “MRZ” would be an RFID chip - a tiny computer chip that can be read remotely by radio.

Recognizing the insecurity of such devices - and the strong public opposition to them - DHS declined to adopt RFID for the REAL ID Act. It did, however, work with a few states and the U.S. State Department to develop an RFID-chipped license that it calls the “enhanced driver’s license.” This has a long read-range chip that will signal its presence to readers as much as fifteen or twenty feet away. The convenience gain DHS and State sought for themselves at the border would be a privacy loss, as scanning cards could become commonplace in doorways and other bottlenecks throughout the country - your whereabouts recorded regularly, as a matter of course, by public and private entities.

Why do we care about “enhanced drivers licenses”? Because the PASS ID Act would ratify them for use as national IDs. States could push their residents into using these chipped cards if they didn’t want to implement every last detail of PASS ID.

Needless to say, ID cards with long-distance (including surreptitious) tracking are a step backward for privacy. This is one sense in which PASS ID is worse than REAL ID.

Consider more carefully also what PASS ID and REAL ID are about in terms of biometrics. Both require states to “[s]ubject each person applying for a driver’s license or identification card to mandatory facial image capture.”

States across the country are using driver license photos to implement facial-recognition software that will ultimately be able to track people directly - never mind whether you have an RFID-chipped license or show your card to a government official. They are aiming at preventing identity fraud, of course, but with advancing technology, before too long you will be subject to biometric tracking simply because you posed for an unsmiling digital photo at the DMV. REAL ID and PASS ID are part and parcel of promoting that.

Does PASS ID address “most of the major privacy and security concerns with REAL ID”? Not even close. PASS ID is a national ID, with all the privacy consequences that go with that.

Changing the name of REAL ID to something else is not an alternative to scrapping it. Scrapping REAL ID is something Senator Akaka (D-HI) proposed in the last Congress. Fixing REAL ID is an impossibility, and PASS ID does not do that.

Those Who “Serve” Us Celebrate

Those who think that the college-educated, or soon to be so, should have more and more of their education funded by taxpayers – whether those taxpayers themselves attended college or not – are shooting off the fireworks a bit early this year, celebrating increasingly generous federal aid going into effect today.

Perhaps the most galling part of all the increasingly free-flowing aid is how much is being targeted at people who work in “public service.” Ignoring for the moment that the people who make our computers, run our grocery stores, play professional baseball, and on and on are all providing the public with things it wants and needs, to make policy on the assumption that people in predominantly government jobs are somehow selflessly sacrificing for the common good is to blatantly disregard reality.

Consider teachers, as I have done in-depth. According to 2007 Bureau of Labor Statistics data, adjusted to reflect actual time worked, teachers earn more on an hourly basis than accountants, registered nurses, and insurance underwriters. Elementary school teachers – the lowest paid among elementary, middle, and high school educators – made an average of $35.49 an hour, versus $32.91 for accountants and auditors, $32.54 for RNs, and $31.31 for insurance underwriters.

So much for the notion that teachers get paid in nothing but children’s smiles and whatever pittance a cruel public begrudgingly permits them.

How about government employees?

Chris Edwards has done yeoman’s work pointing out how well compensated federal bureaucrats are, noting that in 2007 the average annual wage of a federal civilian employee was $77,143, versus $48,035 for the average private sector worker. And when benefits were factored in, federal employee compensation was twice as large as private sector. But don’t just take Chris’s word and data to see that federal employment is far from self-sacrificial – take the Washington Post’s “Jobs” section!

And it’s not just federal employees or teachers who are making some pretty pennies serving John Q. Public. As a recent Forbes article revealed, it’s people at all levels of government, from firefighters to municipal clerks:

In public-sector America things just get better and better. The common presumption is that public servants forgo high wages in exchange for safe jobs and benefits. The reality is they get all three. State and local government workers get paid an average of $25.30 an hour, which is 33% higher than the private sector’s $19, according to Bureau of Labor Statistics data. Throw in pensions and other benefits and the gap widens to 42%.

Recently, my wife and I have been watching the HBO miniseries John Adams, and I couldn’t help but make the observation: In Adams’ time, many of those who served the public truly did so at great expense to themselves, often risking their very lives and asking little, if anything, from the public in return. Today, in contrast, many if not most of those who supposedly serve the public do so at no risk to themselves – indeed, unparalleled security is one of the great benefits of their employment – but are treated as if their jobs are extraordinary sacrifices. And so, as we head into Independence Day, it seems the World has once again been turned upside down: In modern America, the public works mightily to serve its servants, not the other way around.

Appointing Another Supreme Commander of NATO

The Obama administration has just carried out one of its standard rituals – choosing a new commander of NATO.  But why are we still in NATO?

Reports the New York Times:

When Adm. James G. Stavridis took over the military’s Southern Command in late 2006, his French was excellent but he spoke no Spanish. Not content to rely on interpreters, he put himself on a crash course to learn the language.

Over the next three years, his fluency was measured not only in the high-level meetings he conducted in the native tongue of his military hosts. He also read the novels of Gabriel García Márquez, the Nobel laureate from Colombia, in the original rich and lyrical Spanish.

Now Admiral Stavridis’s boss, Defense Secretary Robert M. Gates, has given him a new assignment, which starts Tuesday.

“Jim must also learn to speak NATO,” Mr. Gates said.

As the new American and NATO commander in Europe, Admiral Stavridis, 54, becomes the first naval officer appointed to a position previously held by famed ground-warfare generals.

It is two jobs in one, as he oversees all American forces under the United States European Command and — far more important today — serves as the supreme allied commander, Europe, NATO’s top military position. He takes the NATO command as the future viability of the alliance is tested by whether he can rally members to make good on their promises to the mission in Afghanistan.

Adm. Stavridis obviously is a talented officer.  Alas, his chance of winning more meaningful support from the Europeans for the mission in Afghanistan is nil.  The Europeans don’t want to fight, especially in a conflict which they don’t view as their own.

But the most important question these days should be:  why does NATO still exist – at least, a NATO dominated by America?  No one, not even Russia, threatens “Old Europe.” 

Moreover, Europe is well able to defend itself.  The continent has a collective GDP more than ten times that of Russia, and even larger than that of America.  Europe’s population, too, is bigger than those of both Russia and the U.S.  The Europeans needed America’s military aid during the Cold War.  But no longer.

What of the Eastern Europeans, who worry more about Moscow?  We should wish them well, but we have no cause to threaten war on their behalf.  Security guarantees should not be distributed like party favors, inexpensive gifts for friends and acquaintances alike.  Rather, security guarantees should be issued to defend America.  It is hard to make the argument that, say, Albania, is relevant to America’s security, let alone vital to it.  Two decades after the end of the Cold War, we should start reshaping our alliance commitments to reflect our vital interest.

Some Thinking on “Cyber”

Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and – blamo! – I’m a cybersecurity expert.

Not really – but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.

First, “cybersecurity” is a term so broad as to be meaningless. Yes, we are constructing a new “space” analogous to physical space using computers, networks, sensors, and data, but we can no more secure “cyberspace” in its entirety than we can secure planet Earth and the galaxy. Instead, we secure the discrete things that are important to us – houses, cars, buildings, power lines, roads, private information, money, and so on. And we secure these things in thousands of different ways. We should secure “cyberspace” the same way – thousands of different ways.

By “we,” of course, I don’t mean the collective. I mean that each owner or controller of a prized thing should look out for its security. It’s the responsibility of designers, builders, and owners of houses, for example, to ensure that they properly secure the goods kept inside. It’s the responsibility of individuals to secure the information they wish to keep private and the money they wish to keep. It is the responsibility of network operators to secure their networks, data holders to secure their data, and so on.

Second, “cyber” threats are being over-hyped by a variety of players in the public policy area. Invoking “cyberterrorism” or “cyberwar” is near-boilerplate in white papers addressing government cybersecurity policy, but there is very limited strategic logic to “cyberwarfare” (aside from attacking networks during actual war-time), and “cyberterrorism” is a near-impossibility. You’re not going to panic people – and that’s rather integral to terrorism – by knocking out the ATM network or some part of the power grid for a period of time.

(We weren’t short of careless discussions about defending against “cyber attack,” but L. Gordon Crovitz provided yet another example in yesterday’s Wall Street Journal. As Ben Friedman pointed out, Evgeny Morozov has the better of it in the most recent Boston Review.)

This is not to deny the importance of securing digital infrastructure; it’s to say that it’s serious, not scary. Precipitous government cybersecurity policies – especially to address threats that don’t even have a strategic logic – would waste our wealth, confound innovation, and threaten civil liberties and privacy.

In the cacophony over cybersecurity, an important policy seems to be getting lost: keeping true critical infrastructure offline. I noted Senator Jay Rockefeller’s (D-WV) awesomely silly comments about cybersecurity a few months ago. They were animated by the premise that all the good things in our society should be connected to the Internet or managed via the Internet. This is not true. Removing true critical infrastructure from the Internet takes care of the lion’s share of the cybersecurity problem.

Since 9/11, the country has suffered significant “critical-infrastructure inflation” as companies gravitate to the special treatments and emoluments government gives owners of “critical” stuff. If “criticality” is to be a dividing line for how assets are treated, it should be tightly construed: If the loss of an asset would immediately and proximately threaten life or health, that makes it critical. If danger would materialize over time, that’s not critical infrastructure – the owners need to get good at promptly repairing their stuff. And proximity is an important limitation, too: The loss of electric power could kill people in hospitals, for example, but ensuring backup power at hospitals can intervene and relieve us of treating the entire power grid as “critical infrastructure,” with all the expense and governmental bloat that would entail.

So how do we improve the state of cybersecurity? It’s widely believed that we are behind on it. Rather than figuring out how to do cybersecurity – which is impossible – I urged the committee to consider what policies or legal mechanisms might get these problems figured out.

I talked about a hierarchy of sorts. First, contract and contract liability. The government is a substantial purchaser of technology products and services – and highly knowledgeable thanks to entities like the National Institute of Standards and Technology. Yes, I would like it to be a smaller purchaser of just about everything, but while it is a large market actor, it can drive standards and practices (like secure settings by default) into the marketplace that redound to the benefit of the cybersecurity ecology. The government could also form contracts that rely on contract liability – when products or services fail to serve the purposes for which they’re intended, including security – sellers would lose money. That would focus them as well.

A prominent report by a working group at the Center for Strategic and International Studies – co-chaired by one of my fellow panelists before the Science Committee last week, Scott Charney of Microsoft – argued strenuously for cybersecurity regulation.

But that begs the question of what regulation would say. Regulation is poorly suited to the process of discovering how to solve new problems amid changing technology and business practices.

There is some market failure in the cybersecurity area. Insecure technology can harm networks and users of networks, and these costs don’t accrue to the people selling or buying technology products. To get them to internalize these costs, I suggested tort liability rather than regulation. While courts discover the legal doctrines that unpack the myriad complex problems with litigating about technology products and services, they will force technology sellers and buyers to figure out how to prevent cyber-harms.

Government has a role in preventing people from harming each other, of course, and the common law could develop to meet “cyber” harms if it is left to its own devices. Tort litigation has been abused, and the established corporate sector prefers regulation because it is a stable environment for them, it helps them exclude competition, and they can use it to avoid liability for causing harm, making it easier to lag on security. Litigation isn’t preferable, and we don’t want lots of it – we just want the incentive structure tort liability creates.

As the distended policy issue it is, “cybersecurity” is ripe for shenanigans. Aggressive government agencies are looking to get regulatory authority over the Internet, computers, and software. Some of them wouldn’t mind getting to watch our Internet traffic, of course. Meanwhile, the corporate sector would like to use government to avoid the hot press of market competition, while shielding itself from liability for harms it may cause.

The government must secure its own assets and resources – that’s a given. Beyond that, not much good can come from government cybersecurity policy, except the occasional good, long blog post.

Iraq’s Future Is Up to Iraqis

The U.S. is not yet out of Iraq, but American forces have pulled back from Iraqi cities.  Iraq’s future increasingly is in the hands of Iraqis.  And most Iraqis appear to be celebrating.

Reports the Washington Post:

This is no longer America’s war.

Iraqis danced in the streets and set off fireworks Monday in impromptu celebrations of a pivotal moment in their nation’s troubled history: Six years and three months after the March 2003 invasion, the United States on Tuesday is withdrawing its remaining combat troops from Iraq’s cities and turning over security to Iraqi police and soldiers.

While more than 130,000 U.S. troops remain in the country, patrols by heavily armed soldiers in hulking vehicles as of Wednesday will largely disappear from Baghdad, Mosul and Iraq’s other urban centers.

“The Army of the U.S. is out of my country,” said Ibrahim Algurabi, 34, a dual U.S.-Iraqi citizen now living in Arizona who attended a concert of celebration in Baghdad’s Zawra Park. “People are ready for this change. There are a lot of opportunities to rebuild our country, to forget the past and think about the future.”

On Monday, as the withdrawal deadline loomed, four U.S. troops were killed in the Iraqi capital, the military announced Tuesday. No details about the deaths were provided. Another soldier was killed Sunday in a separate attack.

The Bush administration never should have invaded Iraq.  The costs have been high: more than 4,000 dead American military personnel.  Tens of thousands more have been injured, many maimed for life.  Hundreds more military contractors and coalition soldiers have died.  And tens of thousands of Iraqis – certainly more than 100,000, though estimates above that diverge wildly. 

The U.S. has squandered hundreds of billions of dollars and the ultimate cost is likely to run $2 trillion or more, as the government cares for seriously injured veterans for the rest of their lives.  America’s fine fighting men and women have been stretched thin and America’s adversaries, most notably Iran, have been strengthened.  Yet another cause has been added to the recruiting pitch of hateful extremists seeking to do Americans and others harm.

Nevertheless, let us hope that Iraqis take advantage of the opportunity they now enjoy.  It will take enormous statesmanship and restraint to accommodate those of different faiths and ethnicities, forgive past crimes committed by Sunni and Shia forces, eschew violence for retaliation and revenge, resolve even bitter disagreements peacefully, and accept political defeat without resort to arms.

Other peoples who have suffered less have failed to surmount similar difficulties.  But it is in no one’s interest, and especially that of the Iraqis, to lapse back into sectarian conflict and political tyranny.  Let us hope – and dare I suggest, pray? – that they prove up to the challenge.

Finally, an Ally That Doesn’t Wait for America

Washington’s willingness to toss security guarantees about the globe like party favors has encouraged other nations to do little for their own defense.  From the European, Japanese, and South Korean standpoint, why spend more when the Americans will take care of you?

But it looks like Australia takes a different view, and is willing to do more to defend itself and its region.  Reports the Daily Telegraph:

The latest defence White Paper recommends buying 100 advanced F-35 jet fighters and 12 powerful submarines equipped with cruise missiles, a capability which no other country in the region is believed to possess.

The “potential instability” caused by the emergence of China and India as major world powers was cited as the most pressing reason for this military build-up. In particular, Australian defence planners are believed to be concerned about China’s growing naval strength and America’s possible retreat as a global power in the decades ahead.

Chinese officials say their country’s growing power threatens no-one. Behind the scenes, Beijing is thought to be unhappy about Australia’s White Paper, with one Chinese academic saying it was “typical of a Western Cold War mentality”.

But the Chinese navy has almost doubled the number of secret, long-distance patrols conducted by its submarines in the past year. The reach of its navy is extending into Australian waters. China is also acquiring new amphibious assault ships that can transport a battalion of troops.

So instead of calling Washington to deal with Beijing, the Australians are building up their own navy.  Novel approach!  Now, how can we implant a bit of the Aussie character in America’s other friends around the globe?

Schneier and Friends on Fixing Airport Security

Security guru Bruce Schneier comes down on the strictly pragmatic side in this essay called “Fixing Airport Security.” Because of terrorism fears, he says, TSA checkpoints are “here to stay.” The rules should be made more transparent. He also argues for an amendment to some constitutional doctrines:

The Constitution provides us, both Americans and visitors to America, with strong protections against invasive police searches. Two exceptions come into play at airport security checkpoints. The first is “implied consent,” which means that you cannot refuse to be searched; your consent is implied when you purchased your ticket. And the second is “plain view,” which means that if the TSA officer happens to see something unrelated to airport security while screening you, he is allowed to act on that. Both of these principles are well established and make sense, but it’s their combination that turns airport security checkpoints into police-state-like checkpoints.

The comments turn up an important recent Fourth Amendment decision circumscribing TSA searches. In a case called United States v. Fofana, the district court for the southern district of Ohio held that a search of passenger bags going beyond what was necessary to detect articles dangerous to air transportation violated the Fourth Amendment. “[T]he need for heightened security does not render every conceivable checkpoint search procedure constitutionally reasonable,” wrote the court.

Application of this rule throughout the country would not end the “police-state-like checkpoint,” but at least rummaging through our things for non-air-travel-security purposes would be restrained.

I prefer principle over pragmatism and would get rid of TSA.