Topic: Telecom, Internet & Information Policy

The Big UK Data Breach

I’ve testified and written several times about how such things as REAL ID and “electronic employment eligibility verification” are threats to our identity system. Collecting identity information in one place is the creation of new security risks. Now the UK has proven it - so we don’t have to!

The sensitive personal details of 25 million Britons could have fallen into the hands of identity fraudsters after a government agency lost the entire child benefit database in the post.A major police investigation is being conducted after Alistair Darling, the Chancellor, admitted yesterday that names, addresses, birth dates, national insurance numbers and bank account details of every child benefit claimant in the country had gone missing.

Most likely, this data is just lost, but in the wrong hands it would provide criminals all they need to impersonate any of these 25 million people.

The persons responsible have been sacked. Specifically, Paul Gray, chairman of HM Revenue & Customs office.

Consumer Product Info - Regulation or Markets?

60 Minutes had an interesting and balanced piece last night on proposals to mandate that fast-food restaurants promote calorie information by placing it directly on their menus.

This fits in a category of regulation that is increasingly prominent: mandated disclosure and promotion of product information. There are plenty of examples: financial privacy notices, real estate purchasing notices, nutrition labeling, etc.

If consumers had unlimited attention, the surfeit of notices would be an unqualified good thing. But consumer attention is not unlimited. Consumers quickly learn to ignore notices that don’t interest them. Notices can easily confuse consumers. Mandated notices often provide information that consumers would already get in more accessible ways.

Nutrition labeling is the sacred cow of mandated disclosure, of course, and mandating calorie notices in restaurants is one of its calves. Everyone who talks about nutrition labeling uses nutrition labeling and so can’t believe that anyone doesn’t. But it certainly hasn’t done anything to change the trend in U.S. obesity since the 1990 law requiring nutrition labeling went into effect.

Note in the 60 Minutes piece how proponents of calorie labeling really are just social engineers. They can’t outlaw you buying that Big Mac, so they’re going to put discouragement in your face using the intermediary of Mickey D’s. They mean well, but I’d just as well have them mind their own business.

Information about products and services is subject to market demand just like every other feature of the things we buy. If you don’t believe me, try running a grocery store without putting price tags on or near the canned peaches.

WHTI Should Go

Rep. Bart Stupak (D-MI) has had the good sense to introduce a bill to repeal the Western Hemisphere Travel Initiative.

WHTI is a classic self-injurious overreaction to the threat of terrorism. The reductions in lawful trade and travel produced by WHTI and the direct costs of the program are greater than the damage to the country that would be averted by this readily defeated “security” measure.

Spitzer Gives Up, Will Start Over Later

The New York Times reports today that New York Governor Eliot Spitzer (D) has dropped his plan to issue licenses without regard to immigration status.

His original, correct decision to break the tie between driver licensing and immigration status met with hails of derision from anti-immigrant groups and his political opponents. He attempted to quell the outrage by agreeing to sign New York up for the federal government’s “REAL ID” national ID system, but this did not please anyone. So now he’s back at square one.

He said the state would put on hold the plan to adopt the Real ID, which has been championed by the Bush administration. The governor said he wanted to wait until federal regulations for Real ID licenses were issued next year before deciding how to proceed.

Now that he’s - ahem - studied the issues, one hopes he’ll recognize that REAL ID is costly, privacy-invasive, and ineffective, and he’ll decline to involve his state in the national ID program.

The Antitrust Religion in Action

This summer, David Boaz noted how sad it was that Google’s top executives have apparently diverted their attention away from developing the next hot new technology toward building their Washington presence. Declan McCullagh notes that Google’s generosity, which has flowed primarily to Democrats, may be coming back to bite them, as disgruntled Republicans have suddenly gotten religion when it comes to antitrust and are demanding that Google’s acquisition of Doubleclick receive close scrutiny. Strangely, those same Republicans weren’t so worried about a spate of mergers that involved large telecom firms like SBC and Verizon. I’m sure the disparity has nothing to do with the telecom industry’s generous contributions to their campaigns.

As I point out at Techdirt, these sorts of shenanigans shouldn’t surprise us. Modern antitrust law gives government bureaucrats seemingly unlimited discretion to second-guess corporate mergers based on the flimsiest of pretexts, or to attach arbitrary conditions to merger approvals. Last winter, for example, as a condition of the BellSouth merger, two FCC commissioners coerced AT&T into accepting “network neutrality” rules that Congress had earlier failed to adopt, rules that apply to no one else in their industry. And don’t forget the XM/Sirius debate, in which terrestrial broadcasters—their principal competitors—trotted out the ludicrous argument that the merged company would have no competition. XM and Sirius’s fundamental sin seems to be that they hadn’t invested as much money on Washington lobbyists as the NAB had.

The rule of law demands that government decision-making proceed according to objective, clearly-defined, and predictable rules. Antitrust law as it’s currently enforced doesn’t qualify, and as a result it’s ripe for abuse. And if you believe Edwin Rockefeller, this isn’t new. He argues that antitrust law has always been primarily a weapon for politically-connected companies to use against their rivals.

Identity Systems Aren’t Good Security, and Other Lessons From the Chicago Airport Fake ID Story

AFP is reporting that more than a hundred people with false identification documents were given employee security passes to Chicago’s O’Hare airport.

This is a good opportunity to compare conventional wisdom to actual security wisdom.

CW: This was a breach of the airport’s security system.
W: This was definitely a breach of the airport’s identity system, but identity systems provide very little security. The airport’s security, already weak if it relied on workers’ identities, was little changed.

CW: “ ‘If we are to ensure public safety, we must know who has access to the secure areas of airports,’ said Patrick Fitzgerald, US attorney for the northern district of Illinois.”
W: Public safety can’t be ensured by knowing who has access to the secure areas of airports. Knowing who has access may protect against ordinary threats like theft, but not against the threats to aviation that we care about.

CW: “A fundamental component of airport safety is preventing the use of false identification badges and punishing those who commit or enable such violations.”
W: Preventing the use of false identification is a trivial component of airport safety. It’s a fundamental component of airport safety programs, which are mostly for show. Security expert Bruce Schneier calls them “security theater.”

CW: “Unauthorized workers employed at sensitive facilities such as airports, nuclear power plants, chemical plants, military bases, defense facilities and seaports pose a vulnerability which compromises the integrity of those key assets,’ US Immigration and Customs Enforcement said in a statement.”
W: Authorized workers employed at sensitive facilities pose a vulnerability which compromises the integrity of those very same assets. If you want to prevent some kind of harm, you must make that harm difficult to cause, regardless of who may try.

Security is not easy.

What You Need to Know About Driver Licensing and Illegal Aliens

After 700 words of Sturm und Drang about lawsuits and partisan machinations over whether illegal aliens should be able to get drivers’ licenses, CNSNews.com reporter Fred Lucas quoted me briefly:

“Identification systems aren’t a good security tool,” Harper told Cybercast News Service. “Driver licensing isn’t a good tool for immigration control. It will just result in illegal immigrants driving without a license.”

That sums it up nicely. Just thought I’d share it.

(The story says that unlicensed driving dropped by a third when New Mexico de-linked driver licensing and immigration status. Actually, unlicensed driving dropped by two thirds, from 33% to 11%, lower than the national average.)