Topic: Telecom, Internet & Information Policy

Uber and Lyft Leave Austin Over Fingerprint Requirement

The ridesharing companies Uber and Lyft have withdrawn from Austin, Texas after voters there failed to pass Proposition 1, which would have repealed regulations requiring Uber and Lyft to include fingerprints as part of their driver background checks. This is a disappointing result, especially given that fingerprinting is, despite its sexy portrayal in forensic TV shows, not a perfect background check process and needlessly burdens rideshare companies.

Austin’s ordinances require rideshare companies to implement fingerprints as part of their background check system by February 2017. Under the rules the fingerprints would be submitted to the Texas Department of Public Safety, which would then send the records to the Federal Bureau of Investigation (FBI). As I pointed out in my Cato paper on ridesharing safety, the FBI fingerprint data are hardly comprehensive: 

Some have faulted Uber and Lyft for not including fingerprint scans as part of their background checks. However, fingerprint databases do not contain a full case history of the individual being investigated, and in some instances an FBI fingerprint check may unfairly prevent a qualified taxicab driver applicant from being approved. The FBI fingerprint database relies on reporting from police departments, and other local sources, as well as other federal departments and is not a complete collection of fingerprints in the United States.

Critics of the FBI fingerprint database point to its incomplete or inaccurate information. In July 2013 the National Employment Law Project (NELP) released a study on the FBI’s employment background checks and found that “FBI records are routinely flawed.” Also, while law enforcement agencies are diligent when it comes to adding fingerprint data of arrested or detained persons to the federal data, they are “far less vigilant about submitting the follow-up information on the disposition or final outcome of the arrest.”

This lack of vigilance is significant because, as the NELP study goes on to point out, “About one-third of felony arrests never lead to a conviction. Furthermore, of those initially charged with a felony offense and later convicted, nearly 30 percent were convicted of a different offense than the one for which they were originally charged, often a lesser misdemeanor conviction. In addition to cases where individuals are initially overcharged and later convicted of lesser offenses, other cases are overturned on appeal, expunged, or otherwise resolved in favor of the worker without ever being reflected on the FBI rap sheet.”

Yes, Michael, REAL ID Is a Nationwide Data-Sharing Mandate

Baton Rouge IT consultant Michael Hale is right to be concerned about the unfunded mandates in the REAL ID Act. The U.S. national ID law requires states to issue driver’s licenses and share driver data according to federal standards. States complying with REAL ID will find that the U.S. Department of Homeland Security (DHS) dictates their driver licensing policies and the expenditure of state funds in this area forevermore. But he raises that concern at the tail end of a letter to the editor of The New Orleans Advocate that broadly endorses the national ID law based on incorrect information. Here’s some information that Mr. Hale and every American concerned with our liberty and security should know.

Mr. Hale believes that state driver data “will continue to be maintained by each individual state, and each state will decide who gets access to this information.” This is not the case. The REAL ID Act requires states to share driver data across a nationwide network of databases. The DHS and other national ID advocates downplay and deny this, but they are not persuasive because the requirement is right there in the statute:

To meet the requirements of this section, a State shall adopt the following practices in the issuance of drivers’ licenses and identification cards: …
(12) Provide electronic access to all other States to information contained in the motor vehicle database of the State.
(13) Maintain a State motor vehicle database that contains, at a minimum–
(A) all data fields printed on drivers’ licenses and identification cards issued by the State; and
(B) motor vehicle drivers’ histories, including motor vehicle violations, suspensions, and points on licenses.

Mr. Hale says, “The Real ID Act allows states to either adopt the Real ID or to come up with their own version of secure ID that Homeland Security can approve.” This is not true. The option of issuing a non-federal license or ID does not waive the obligation to share driver data nationwide.

Unlike the Department of Homeland Security and its pro-national ID allies, Mr. Hale gamely tries to argue the security merits of having a national ID. “The purpose of all this is to create a trustworthy form of ID that can be used to ensure air travel security,” he says. “The first step in securing a flight is to make sure everyone on board is who they claim to be.”

That argument is intuitive. In daily life, knowing who people are permits you to find them and punish any bad behavior. But U.S. federal public policy with national security implications and billions of taxpayer dollars at stake requires more articulate calculation.

The costs or impediments a national ID system would impose on dedicated terrorists, criminal organizations, and people lacking impulse control are minimal. For billions in taxpayer dollars expended, millions of hours standing in DMV lines, and placement of all law-abiding Americans into a national tracking system, REAL ID might mildly inconvenience the bad guys. They can, for example, bribe a DMV employee, spend a few thousand dollars to manufacture a false identity, or acquire the license of someone looking similar enough to themselves to fool lazy TSA agents. I analyzed all dimensions of identification and identity systems in my book, Identity Crisis: How Identification is Overused and Misunderstood.

There are other security measures where dollars and effort deliver more benefit. Or people might be left in control of their dollars and time to live as free Americans.

The Department of Homeland Security consistently downplays and obscures the true nature of the REAL ID Act’s national ID policy, and it never even tries to defend its security merits in any serious way. In the information technology community, the security demerits of having a national ID system backed by a web of databases as required by the law seem relatively clear. People familiar with information technology tend to be more concerned, not less, with the power and peril of a national ID system.

The quest continues to make active citizens like Mr. Hale more aware of all dimensions of this issue.

Feinstein-Burr, Encryption and the “Rule of Law”

There’s a lot to say about the substance of the misguided anti-encryption legislation sponsored by Sens. Dianne Feinstein and Richard Burr, which was recently released as a “discussion draft” after a nearly-identical version leaked earlier this month. I hope to do just that in subsequent posts. But it’s also worth spending a little time on the proposal’s lengthy preamble, which echoes the rhetorical tropes frequently deployed by advocates for mandating government access to secure communications and stored data.

The bill is somewhat misleadingly titled the “Compliance With Court Orders Act of 2016”—which you’d think would be a matter for the Judiciary Committee, not the Senate Select Committee on Intelligence—and begins with the high-minded declaration that “no person or entity is above the law.” Communication services and software developers, we are told, must “respect the rule of law and comply with all legal requirements and court orders.” In order to “uphold the rule of law,” then, those persons and entities must be able to provide law enforcement with the plaintext—the original, un-garbled contents—of any encrypted message or file when so ordered by a court.

The politest way I can think of to characterize this way of framing the issue is: Nonsense. Whatever your view on mandates of the sort proposed here, they have little to do with the principle of “the rule of law”: The idea that all citizens, including those who wield political power, must be governed by neutral, publicly known, and uniformly applicable rules—as opposed to, say, the whims and dictates of particular officials. This formal principle says nothing about the content of the legal obligations and restrictions to which citizens are subject—only that those restrictions and obligations, whatever they are, should be known and consistently applied. In effect, Feinstein and Burr are pretending that a sweeping and burdensome new regulatory requirement is nothing more than the application of a widely-revered formal principle central to free societies. We can debate the merits of their proposed regulation, but this talking point really ought to be laughed out of the room.

There are two wholly different kinds of scenarios in which technology companies have recently been charged with placing themselves “above the law” by declining to assist law enforcement. Both are specious, but it’s worth distinguishing them and analyzing them separately.

First, you have the kind of situation at issue in the recent conflict between Apple and the FBI, which has received so much media coverage. In this instance, it is clear that Apple was indeed capable of doing what the FBI wanted it to do: Write a custom piece of software that would disable certain security features on the work iPhone used by a deceased terrorist, enabling the FBI to crack the phone’s passcode and unlock the data within.  Sen. Feinstein condemned the company for fighting that order in court, declaring: “Apple is not above the laws of the United States, nor should anyone or any company be above the laws. To have a court warrant granted, and Apple say they are still not going to cooperate is really wrong.”  A similar view of the conflict was implicit in a slew of lazy news headlines that characterized Apple as “defying” a court’s order.

All of this, however, reflects a profound and rather disturbing misunderstanding of how our legal system operates. Subpoenas and court orders routinely issue initially in response to a request from the government, with no opposing arguments heard. But the recipients of those orders, as a matter of course, have an essential legal right to contest those orders in an adversarial hearing. Here, Apple raised a variety of different objections—among them, that the statute invoked by the government, the All-Writs Act, did not actually authorize orders of the sort that the FBI had sought; and that even if the statute could be generally interpreted to permit such orders, this one imposed an excessive and unreasonable burden on Apple.

Olympia Considers Putting Washingtonians into the National ID System

Tacoma, Washington’s News Tribune has editorialized about the REAL ID Act in a way that will be unfamiliar to followers of the national ID law and its implementation. The state has been “dawdling,” it says, by not moving forward on the national ID. The Department of Homeland Security (DHS) has been “patient to a fault” and “dispensed grace” to the 28 states (NT’s number) that have escaped federal punishment. Next we’ll be told that the federal government is efficient and responsive.

If you’re just tuning in, last fall DHS began a major, concerted effort to bring state governments in line with the provisions of the REAL ID Act, a federal law designed to create a national ID system. Washington State has resisted this federal power-grab over the last decade, but Senator Curtis King (R) recently introduced legislation that would bring Washington into compliance. This threatens Washingtonians’ privacy and liberty.

Passed in 2005, the REAL ID Act is a federal law designed to coerce states into adopting uniform standards for driver’s licenses and non-driver IDs. Compliance would also require the Washington State Department of Licensing to share drivers’ personal data and documents with departments of motor vehicles across the country through a nationwide data sharing system. If fully implemented, REAL ID would create a de facto national ID card administered by states for DHS. The back-end database system the law requires would expose data about drivers and copies of basic documents, such as birth certificates and Social Security cards, to hacking risks and access by corrupt DMV employees anywhere in the country.

Idaho May Implement REAL ID—by Mistake

Ten years ago, Idaho came out strongly against the REAL ID Act, a federal law that seeks to weave state driver licensing systems into a U.S. national ID. But Department of Homeland Security bureaucrats in Washington, D.C., have been working persistently to undermine state resistance. They may soon enjoy a small success. A bill the Idaho legislature sent to the governor Friday (HB 513) risks putting Idahoans all the way in to the national ID system.

Idaho would be better off if the legislature and Governor Butch Otter (R) continued to refuse the national ID law outright.

Idaho’s government was clear about the federal REAL ID Act in 2008. The legislature and governor wrote into state law that the national ID law was “inimical to the security and well-being of the people of Idaho.” They ordered the Idaho Transportation Department to do nothing to implement REAL ID.

Since then, the DHS has threatened several times to prevent people living in non-compliant states from going through TSA checkpoints at the nation’s airports. The DHS has always backed down from these threats—the feds would get all the blame if DHS followed through—but the threats have done their work. Compliance legislation is on the move in a number of states.

One of those states is Idaho, where that bill with Governor Otter would call for compliance with the REAL ID Act’s requirements “as such requirements existed on January 1, 2016.” That time limitation is meant to keep Idahoans out of the nation-wide database system that the REAL ID Act requires. But the bill might put Idahoans into the national ID system by mistake.

When the original “REAL ID Rebellion” happened with Idaho at the forefront, DHS was under pressure to show progress on the national ID. DHS came up with a “material compliance checklist,” which is a pared-back version of the REAL ID law. Using this checklist, DHS has been claiming that more and more states are in compliance with the national ID law. It is a clever, if dishonest, gambit.

Practical state legislators in many states have believed what the DHS is telling them, and they think that they should get on board with the national ID law or else their state’s residents will be punished. DHS is successfully dividing and conquering, drawing more power to Washington, D.C.

Introducing “American Big Brother: A Century of Political Surveillance and Repression”

The public relations and legal battle between the Federal Bureau of Investigation and Apple over the company’s use of encryption has put the focus on executive branch surveillance in a way not seen since Edward Snowden’s revelations almost three years ago. However, as the historical record demonstrates, the FBI’s domestic spying on the American public dates almost from the Bureau’s creation in July 1908. In the years that followed the FBI’s birth, other federal agencies–some civilian, some military–initiated their own warrantless domestic surveillance operations. Throughout this period, Congress was more frequently aiding and abetting this surveillance and repression, rather than preventing it or reining it in.

As the showdown between Apple and the FBI illustrates, what has changed is the technology used to accomplish the surveillance–technology that now gives federal law enforcement and intelligence agencies the ability to surreptitiously access the computers, smartphones, and even home appliances of tens of millions of Americans.

Today, the Cato Institute is launching a timeline that chronicles the history and implications of these developments: American Big Brother: A Century of Political Surveillance and Repression.

Too often, federal domestic surveillance of citizens was a prelude to government actions aimed at subverting civil society organizations opposed to American involvement in foreign wars, aiding conscientious objectors, advancing civil rights and political autonomy for people of color, the creation of labor unions, and even surveillance of candidates running for or holding office–including members of Congress and presidential contenders.  

As political scientist Robert Justin Goldstein noted in his 1978 book, Political Repression in Modern America: 1870-1976, “American social scientists have not seriously considered political repression as one important factor which helps explain the narrowness of the American political spectrum…” Put differently, through the use of surveillance, agents provocateurs, and outright violence, federal officials often decided what political views were or were not permissible to hold and practice in the American political system.

FBI Discovers It Can Access That iPhone After All

Update:  The FBI is now explicitly denying that the method described in this post is the one they’re planning to employ—so apparently my suspicion was mistaken and they may well be employing a truly novel technique.  The more general point, I think, is still valid: The relative speed with which an outside firm was able to demo a solution once the case hit the headlines should raise legitimate questions about how serious an independent effort FBI made before claiming “necessity” and turning to compulsion to access the phone.  Manifestly someone out there has the capability, meaning this protracted and costly lawsuit could have been avoided—and the phone cracked weeks or months ago—had they only approached the right parties for assistance.  Original post follows.

In a third-act twist worthy of M. Night Shyamalan, the FBI has announced that it has just discovered a method, provided by an unnamed “third party,” of breaking into deceased San Bernardino shooting suspect Syed Farook’s iPhone without help from Apple. As a result, the hearing at which Apple and DOJ lawyers were scheduled to square off today has been postponed for at least two weeks while the Bureau tests out this “new” approach, potentially rendering the legal battle with Cupertino moot.

The scare quotes in the previous sentence are there to signal my skepticism that there is a genuinely novel technique in play here — which matters because the FBI has been consistently representing to the courts that Apple’s assistance, and an order to compel that assistance, was “necessary” to access the data — which is to say, that the FBI had no viable alternative methods to decrypt the contents of the phone. Yet from the beginning of the public debate over this case, the technical experts I talked with consistently pointed to two distinct approaches the Bureau might employ that wouldn’t require Apple to write or authenticate a line of code.

First, there are potential methods of extracting the phone’s UID — a secret master encryption key, unique to each device, physically embedded in its processor chip. With that key, which is designed to be difficult to read and unknown even to Apple, the FBI could crack the encryption protecting the iPhone data in a matter of minutes. Though cumbersome, time-consuming, and expensive, these methods would almost certainly still be cheaper than a protracted legal battle with a deep-pocketed tech titan — though they would also inherently carry some risk of destroying the key information, rendering the iPhone data permanently inaccessible.

The second and more plausible method was described in some detail weeks ago by ACLU technology fellow Daniel Kahn Gillmor, and even referenced by Rep. Darrell Issa at a recent hearing with FBI director James Comey. Read Gillmor’s post for the details, but in essence it involves removing the phone’s “effaceable storage” to make a backup copy of the key material that is erased to render the phone’s data permanently inaccessible after too many incorrect passcode guesses. When FBI hits their guess limit, they “re-flash” the backed-up data to the phone and get another round of guesses. Security researcher Jonathan Zdziarski argues cogently that this is the most probable option.

If that’s the case, the Bureau ought to have some explaining to do, because this alternative surely should not have been unknown to FBI’s forensic experts. If we’re uncharitable, we might suspect the FBI of being less than forthcoming with the court about a range of feasible alternatives they should have been aware of. If we’re more charitable, then at least it seems as though they did not make a very serious effort to explore alternatives before pleading “necessity.” A high profile terrorist attack must have seemed like an ideal test case for the proposition that technology companies can be compelled, under existing law, to hack their own security on the government’s behalf — which might have sapped enthusiasm at Main Justice for abandoning it in favor of an attack that would give them this data, but be unlikely to work on newer model phones. Of course, that cost-benefit calculus might look different once it became clear that this would be a long legal slog, with Silicon Valley more generally lining up to back Apple — not a quick and easy PR win for the government. No doubt the FBI will plead reluctance to disclose too much about their “sources and methods” of accessing data on the phone, but they should at least be under some pressure to confirm, generally, whether they’re using some variant of an approach they ought to have known about well before this past weekend. If so, that ought to affect the credibility their representations of necessity are afforded by future courts in similar cases.

And, of course, there will be no shortage of similar such cases: There are a dozen underway already, and hundreds more locked iPhones in the hands of various law enforcement agencies. Since the method outlined above will (probably) not work on newer iPhones, the underlying legal questions raised by this case will still need to be resolved—though perhaps by courts that have learned to regard FBI’s technical affidavits with a bit more skepticism.