Tag: technology

Does the PASS ID Act Protect Privacy?

I’ve written about PASS ID here a couple of times before - first on whether or not it’s a national ID and, second, on the politics of this REAL ID revival bill. Now I’ll take a look at whether it fixes the privacy issues with REAL ID. Privacy is complicated. Buckle up.

The day the bill was introduced, the Center for Democracy and Technology issued a press release giving it a privacy stamp of approval.

“The PASS ID Act addresses most of the major privacy and security concerns with REAL ID,” said Ari Schwartz, Vice-President of CDT. The release cited four ways that PASS ID was an improvement over the bill it’s modeled on, REAL ID.

Interstate Data Sharing?

First, CDT said, PASS ID “[r]emoves the requirement that states ‘provide electronic access’ allowing every other state to search their motor vehicles records.” It’s technically true: The language from REAL ID directly requiring states to share information among themselves came out of PASS ID. But the requirements of the law will cause that information sharing to happen all the same.

Like REAL ID did, PASS ID would require states to confirm that “a person submitting an application for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued by another state.

How do you do that? You check the driver license databases of every other state. Maybe you do this by directly accessing other states’ databases; maybe you do this indirectly, through a “pointer system” or “hub.” But to confirm that you’re talking about the right person, you don’t just compare names. You compare names, addresses, pictures, and other biometrics.

Just like REAL ID, PASS ID would require states to share driver data on a very large scale. It just doesn’t say so. As with REAL ID, the security weaknesses of any one state’s operations would accrue to the harm of all others.

Mission Creep?

Second, CDT says that PASS ID “[l]imits the ‘official purposes’ for which federal agencies can demand a PASS ID driver’s license, thereby helping prevent ‘mission creep.’” Again, it’s technically true, but materially false.

REAL ID had an open-ended list of “official purposes” - things that the homeland security secretary could require a REAL ID for. PASS ID is not so open-ended, but that is a small impediment to only one form of mission creep.

PASS ID places no limits on how the DHS, other agencies, and states could use the national ID to regulate the population. It simply requires the DHS to use PASS ID for certain purposes. A simple law change or amendment to existing regulation would expand those uses to give the federal government control over access to employment, access to credit cards, voting - CDT’s own PolicyBeta blog called a plan to use REAL ID to control cold medicine a “terrifying” example of mission creep. And these are just the ideas that have already been floated.

When I testified before the Senate Judiciary Committee on REAL ID in May 2007, I spoke about what we had recently heard in a meeting of the DHS Privacy Committee:

Ann Collins, the Registrar of Motor Vehicles from the State of Massachusetts, … said, “If you build it, they will come.” What she meant by that is that if you compile deep databases of information about every driver, uses for it will be found. The Department of Homeland Security will find uses for it. Every agency that wants to control, manipulate, and affect people’s lives will say, “There is our easiest place to go. That is our path of least resistance.”

PASS ID is the same medium for mission creep that REAL ID is. The problem is with having a national ID at all - not with what its enabling legislation says.

Privacy Protections?

Next, CDT says that PASS ID requires “privacy and security protections for PII stored in back-end motor vehicle databases.” (“PII” means “personally identifiable information.”)

A glaring oversight of REAL ID - and the competition for glaring oversights was fierce - was to omit any requirement for privacy and security of the databases states would maintain and share on behalf of the federal government. The DHS took pains in the REAL ID rulemaking to drain this swamp. It tried to require minimal information collection for identity verification and minimal information display on the card and in the machine readable zone. (It failed in important ways, as I will discuss below.) The REAL ID regulation required states to file security plans that would explain how the state would protect personally identifiable information. And it said it would produce a set of “Privacy and Security Best Practices.” None of this mollified REAL ID opponents, and the privacy bromides in the PASS ID Act won’t either.

One of the more interesting privacy “protections” in the PASS ID Act is a requirement that individuals may access, amend, and correct their own personally identifiable information. This is a new and different security/identity fraud challenge not found in REAL ID, and the states have no idea what they’re getting themselves into if they try to implement such a thing. A May 2000 report from a panel of experts convened by the Federal Trade Commission was bowled over by the complexity of trying to secure information while giving people access to it. Nowhere is that tension more acute than in giving the public access to basic identity information.

The privacy language in the PASS ID Act is a welcome change to REAL ID’s gross error on that score. At least there’s privacy language! But creating a national identity system that is privacy protective is like trying to make water that isn’t wet.

Limits on Use of Card Data?

CDT’s final defense of PASS ID is the presence of meager limits on how data collected from national ID cards will be used. Much like with mission creep, the statutory language is beside the point, but CDT points out that PASS ID “prohibits states from including the cardholder’s social security number in the MRZ and places limits on the storage, use, and re-disclosure of that information.”

“MRZ” stands for “machine-readable zone.” In the PASS Act and REAL ID Act, this is referred to as “machine-readable technology,” and in the REAL ID rulemaking, the DHS selected a 2D barcode standard for the back of REAL ID licenses and IDs. Think of government officials scanning your license the way grocery clerks scan your toilet paper and canned peaches.

It’s true that the PASS ID Act bars states from including the Social Security number in that easily scannable data, but it doesn’t prohibit anything else from being scanned - including race, which was included in DHS’ standard for REAL ID.

And don’t think that limits on the storage, use, and re-disclosure of card information would have any teeth. It would create a new crime: scanning licenses, reselling or trading information from them, or tracking holders of them “without lawful authority,” but it’s not clear what “without lawful authority” means. It would probably allow people to give implied permission for all this data-collection and -sharing by handing their cards to someone else. It would certainly allow governments to authorize themselves to collect and trade data from cards en masse.

Not that we should want this “protection.” The last thing we need is another obtusely defined federal crime. Nearly as bad as being required to carry a national ID is making it illegal for people to collect information from it when you want them to!

And in Some Ways PASS ID is Worse

But let’s talk some more about that machine-readable zone. When Congress passed REAL ID, suspicion was strong that the “MRZ” would be an RFID chip - a tiny computer chip that can be read remotely by radio.

Recognizing the insecurity of such devices - and the strong public opposition to it - DHS declined to adopt RFID for the REAL ID Act. It did, however, work with a few states and the U.S. State Department to develop an RFID-chipped license that it calls the “enhanced driver’s license.” This has a long read-range chip that will signal its presence to readers as much as fifteen or twenty feet away. The convenience gain DHS and State sought for themselves at the border would be a privacy loss, as scanning cards could become commonplace in doorways and other bottlenecks throughout the country - your whereabouts recorded regularly, as a matter of course, by public and private entities.

Why do we care about “enhanced driver’s licenses”? Because the PASS ID Act would ratify them for use as national IDs. States could push their residents into using these chipped cards if they didn’t want to implement every last detail of PASS ID.

Needless to say, ID cards with long-distance (including surreptitious) tracking are a step backward for privacy. This is one sense in which PASS ID is worse than REAL ID.

Consider more carefully also what PASS ID and REAL ID are about in terms of biometrics. Both require states to “[s]ubject each person applying for a driver’s license or identification card to mandatory facial image capture.”

States across the country are using driver license photos to implement facial-recognition software that will ultimately be able to track people directly - never mind whether you have an RFID-chipped license or show your card to a government official. They are aiming at preventing identity fraud, of course, but with advancing technology, before too long you will be subject to biometric tracking simply because you posed for an unsmiling digital photo at the DMV. REAL ID and PASS ID are part and parcel of promoting that.

Does PASS ID address “most of the major privacy and security concerns with REAL ID”? Not even close. PASS ID is a national ID, with all the privacy consequences that go with that.

Changing the name of REAL ID to something else is not an alternative to scrapping it. Scrapping REAL ID is something Senator Akaka (D-HI) proposed in the last Congress. Fixing REAL ID is an impossibility, and PASS ID does not do that.

Some Thinking on “Cyber”

Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and – blamo! – I’m a cybersecurity expert.

Not really – but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.

First, “cybersecurity” is a term so broad as to be meaningless. Yes, we are constructing a new “space” analogous to physical space using computers, networks, sensors, and data, but we can no more secure “cyberspace” in its entirety than we can secure planet Earth and the galaxy. Instead, we secure the discrete things that are important to us – houses, cars, buildings, power lines, roads, private information, money, and so on. And we secure these things in thousands of different ways. We should secure “cyberspace” the same way – thousands of different ways.

By “we,” of course, I don’t mean the collective. I mean that each owner or controller of a prized thing should look out for its security. It’s the responsibility of designers, builders, and owners of houses, for example, to ensure that they properly secure the goods kept inside. It’s the responsibility of individuals to secure the information they wish to keep private and the money they wish to keep. It is the responsibility of network operators to secure their networks, data holders to secure their data, and so on.

Second, “cyber” threats are being over-hyped by a variety of players in the public policy area. Invoking “cyberterrorism” or “cyberwar” is near-boilerplate in white papers addressing government cybersecurity policy, but there is very limited strategic logic to “cyberwarfare” (aside from attacking networks during actual war-time), and “cyberterrorism” is a near-impossibility. You’re not going to panic people – and that’s rather integral to terrorism – by knocking out the ATM network or some part of the power grid for a period of time.

(We weren’t short of careless discussions about defending against “cyber attack,” but L. Gordon Crovitz provided yet another example in yesterday’s Wall Street Journal. As Ben Friedman pointed out, Evgeny Morozov has the better of it in the most recent Boston Review.)

This is not to deny the importance of securing digital infrastructure; it’s to say that it’s serious, not scary. Precipitous government cybersecurity policies – especially to address threats that don’t even have a strategic logic – would waste our wealth, confound innovation, and threaten civil liberties and privacy.

In the cacophony over cybersecurity, an important policy seems to be getting lost: keeping true critical infrastructure offline. I noted Senator Jay Rockefeller’s (D-WV) awesomely silly comments about cybersecurity a few months ago. They were animated by the premise that all the good things in our society should be connected to the Internet or managed via the Internet. This is not true. Removing true critical infrastructure from the Internet takes care of the lion’s share of the cybersecurity problem.

Since 9/11, the country has suffered significant “critical-infrastructure inflation” as companies gravitate to the special treatments and emoluments government gives owners of “critical” stuff. If “criticality” is to be a dividing line for how assets are treated, it should be tightly construed: If the loss of an asset would immediately and proximately threaten life or health, that makes it critical. If danger would materialize over time, that’s not critical infrastructure – the owners need to get good at promptly repairing their stuff. And proximity is an important limitation, too: The loss of electric power could kill people in hospitals, for example, but ensuring backup power at hospitals can intervene and relieve us of treating the entire power grid as “critical infrastructure,” with all the expense and governmental bloat that would entail.

So how do we improve the state of cybersecurity? It’s widely believed that we are behind on it. Rather than figuring out how to do cybersecurity – which is impossible – I urged the committee to consider what policies or legal mechanisms might get these problems figured out.

I talked about a hierarchy of sorts. First, contract and contract liability. The government is a substantial purchaser of technology products and services – and highly knowledgeable thanks to entities like the National Institute of Standards and Technology. Yes, I would like it to be a smaller purchaser of just about everything, but while it is a large market actor, it can drive standards and practices (like secure settings by default) into the marketplace that redound to the benefit of the cybersecurity ecology. The government could also form contracts that rely on contract liability – when products or services fail to serve the purposes for which they’re intended, including security – sellers would lose money. That would focus them as well.

A prominent report by a working group at the Center for Strategic and International Studies – co-chaired by one of my fellow panelists before the Science Committee last week, Scott Charney of Microsoft – argued strenuously for cybersecurity regulation.

But that begs the question of what regulation would say. Regulation is poorly suited to the process of discovering how to solve new problems amid changing technology and business practices.

There is some market failure in the cybersecurity area. Insecure technology can harm networks and users of networks, and these costs don’t accrue to the people selling or buying technology products. To get them to internalize these costs, I suggested tort liability rather than regulation. While courts discover the legal doctrines that unpack the myriad complex problems with litigating about technology products and services, they will force technology sellers and buyers to figure out how to prevent cyber-harms.

Government has a role in preventing people from harming each other, of course, and the common law could develop to meet “cyber” harms if it is left to its own devices. Tort litigation has been abused, and the established corporate sector prefers regulation because it is a stable environment for them, it helps them exclude competition, and they can use it to avoid liability for causing harm, making it easier to lag on security. Litigation isn’t preferable, and we don’t want lots of it – we just want the incentive structure tort liability creates.

As the distended policy issue it is, “cybersecurity” is ripe for shenanigans. Aggressive government agencies are looking to get regulatory authority over the Internet, computers, and software. Some of them wouldn’t mind getting to watch our Internet traffic, of course. Meanwhile, the corporate sector would like to use government to avoid the hot press of market competition, while shielding itself from liability for harms it may cause.

The government must secure its own assets and resources – that’s a given. Beyond that, not much good can come from government cybersecurity policy, except the occasional good, long blog post.

New Technology Charts Old Repression

The fact that North Korea is a monstrous tyranny is well-known. Google Earth is helping map that tyranny in extraordinary detail, from the opulent palaces of the elite to the horrid labor camps for the victims.

Reports The Independent:

US researchers are using the internet to reveal what life is really like behind the closed borders of the world’s last Stalinist dictatorship

The most comprehensive picture of what goes on inside the secret state of North Korea has emerged from an innovative US project. The locations of extraordinary palaces, labour camps and the mass graves of famine victims have all been identified. The online operation that has penetrated the world’s last remaining iron curtain is called North Korea Uncovered. Founded by Curtis Melvin, a postgraduate student at George Mason University, Virginia, it uses Google Earth, photographs, academic and specialist reports and a global network of contributors who have visited or studied the country. Mr Melvin says the collaborative project is an example of “democratised intelligence”. He is the first to emphasise that the picture is far from complete, but it is, until the country opens up, the best we have.

Palaces

The palatial residences of the political elite are easy to identify as they are in sharp contrast to the majority of housing in the deeply impoverished state. Though details about many palaces’ names, occupants and uses are hard to verify, it is known that such buildings are the exclusive domain of Kim Jong-Il, his family and his top political aides. Kim Jong-Il is believed to have between 10 and 17 palaces, many of which have been spotted on Google Earth:

1) Mansion complex near Pyongyang

This may be Kim Jong-Il’s main residence. His father lived here surrounded by the huge, ornate gardens and carefully designed network of lakes. Tree-lined paths lead to a swimming pool with a huge water slide, and next to the complex there is a full-size racetrack with a viewing stand and arena. There is a cluster of other large houses around the mansion, forming an enclosed, elite community. It appears to be reached via an underground station on a private railway which branches off from the main line.

The new technology is creating a new variant to the old saying: you can run, but you can’t hide. Tyrants can run their countries but they can’t hide their abuses.

We still have yet to figure out how to toss thugs like Kim Jong-il into history’s trashcan. But better understanding their crimes is an important part of the process.

Patching up the Education Monopoly

The Eli and Edythe Broad and Bill and Melinda Gates foundations have sponsored a report, “Smart Options: Investing the Recovery Funds for Student Success,” on how to spend $100 billion of “stimulus money” on improving America’s schools, according to Jay Mathews in The Washington Post. Ideas include national standards, better teacher evaluations, special help for struggling students, and more.

But let’s try a thought experiment. Bill Gates made his money in software. Eli Broad made his money building houses. Imagine a slightly different universe, say one in which Henry Wallace and Al Gore had become president, and we had monopoly providers of both software and housing. How good do you think the software and the housing would be? And if the U.S. Department of Technology and the U.S. Department of Housing announced that they would be spending another $100 billion, what would happen?

It seems clear that the way to improve housing and software in that world would be to open the fields up to competition, or even to privatize them. A government monopoly provider of software would be lucky to have given us Minitel by now. And monopoly provision of housing was tried in much of the world during the 20th century, with poor results. So if we were afflicted with these albatrosses, surely we’d recognize that deregulation, competition, and privatization would produce better results by far.

So then why don’t we realize it when we’re afflicted with a virtual government monopoly on the provision of education? Why are zillions of smart people studying and debating how to improve the performance of a sluggish, stagnant, tax-funded government monopoly? Maybe we shouldn’t be so sure that we’d see the failure of the software or housing monopoly either. Whatever enterprise the government chooses to monopolize – and there’s really nothing inherent or inevitable about which enterprises that will be – will most likely become a massive bureaucratic undertaking, and we will find it difficult to imagine how the enterprise could be privately run.

But Bill and Melinda, Eli and Edythe, Jay, Barack – the evidence on monopoly vs. competitive provision of services is out there. To a great extent it’s the history of the 20th century. Check it out.

How Serious Is U.S. Ed. Productivity Collapse

A commenter at Joanne Jacobs’ edu-blog wonders “how serious this ‘collapse’ is.” I offered the following response:

How serious of a collapse is it? Total K-12 expenditures in this country were about $630 billion two years ago (see Table 25, Digest of Ed Statistics 2008). The efficiency of our education system is less than half what it was in 1971 (i.e., we spend more than twice as much to get the same results — see Table 181, same source).

So if we’d managed to ensure that education productivity just stagnated, we’d be saving over $300 billion EVERY YEAR. If we’d actually seen productivity improvements in education such as we’ve seen in other fields, we’d be saving at least that much money and enjoying higher student achievement at the same time.

My guess is that most people would consider saving $3 trillion per decade and more fully realizing children’s intellectual potential are both very important.

Another commenter observes that spending has of necessity increased due to the combination of rising salaries and a failure to deploy new technologies to lower costs. This is true to a point, but the total employee/student ratio in public schools has also grown dramatically over the same period. A few years ago I calculated that taxpayers would save more than $100 billion annually if the public schools just went back to the employee/student ratio of 1970. And the savings are still massive even if you account for a roughly 10% increase in teachers for expanded special education services.

Ultimately, though, you have to ask WHY public schools have failed to use technology to lower costs as virtually every other field has successfully done. The answer is that doing so is difficult and so won’t happen without the freedom and powerful systemic incentives to MAKE it happen. The only system of freedoms and incentives that makes productivity growth the norm is the free enterprise system.

Limiting the TSA’s Use of “Strip Search Machines”

I wrote here in February about the push and pull over “strip search machines,” also known as “whole-body imaging” and “millimeter wave scanning.”

The question is joined: How do you maintain privacy with a technology that’s fundamentally intrusive? Maybe by using it less. This week, Rep. Jason Chaffetz (R-UT) introduced a bill to limit the use of whole-body imaging.

H.R. 2027, the Aircraft Passenger Whole-Body Imaging Limitations Act of 2009, would place several limits:

  • Whole-body imaging could not be the sole or primary method of screening a passenger, and it could only be used as a follow-up to other methods like metal detection.
  • Passengers would have the right to opt for a pat-down search instead of whole-body imaging.
  • Passengers subject to whole-body imaging would have to be provided information about the technology and the images it generates, on privacy policies, and the right to have the pat-down search instead.
  • Images of passengers generated by whole-body imaging technology could not be stored, transferred, shared, or copied in any form after the passenger has passed through the security system.

Most of these protections are already TSA policy, but agency policies are relatively easy to change compared to federal law. Without limitations like this, these machines are on the natural, mission-creepy path to becoming mandatory.

Rules, of course, were made to be broken, and it’s only a matter of time — federal law or not — before TSA agents without proper supervision find a way to capture images contrary to policy. (Agent in secure area guides Hollywood starlet to strip search machine, sends SMS message to image reviewer, who takes camera-phone snap. TMZ devotes a week to the story, and the ensuing investigation reveals that this has been happening at airports throughout the country to hundreds of women travelers.)

So this bill is a step forward, but from a very backwards position. Ultimately, as I wrote before, the solution is to return responsibility for security to the airlines and airports, who are most interested in and capable of balancing all the factors that go into safe travel, including passengers’ privacy, comfort, and peace of mind.

Appointees Are Like Astronauts

Did you ever notice how astronauts are praised simply for being astronauts? They have heroism imputed to them simply for what they might do in the future.

So it is with political appointees, such as the chief technology officer President Obama named Saturday morning during his weekly radio and Internet address. Reports the Wall Street Journal:

Silicon Valley execs and tech bloggers sounded genuinely excited about Obama’s choice Saturday morning and tech industry lobbying groups TechNet and the Business Software Alliance quickly released statements of support, as did several tech heavyweights.

Would any group with business before the government, hoping for influence and goodies from the White House, not praise an appointee? We learn from these paeans precisely nothing.

To me, Aneesh Chopra is an empty vessel. He looks like a nice person and appears to have suitable experience for the job he’s been named to. My substantive comments about him will wait until there is something on which to comment. I look forward to his first space-walk.