Topic: Telecom, Internet & Information Policy

Open Business Models and Privacy

I’ve written here before about how Web 2.0 business models, particularly Google’s, are in conflict with current Supreme Court privacy cases denying people a Fourth Amendment interest in information they have entrusted to third parties.

Now comes a very interesting Information Week report on last month’s Web 2.0 Summit:

None other than Google – which has profited enormously from the data users submit to its services and from the data its users generate through use of its services – is thinking seriously about how to give users more control over their data. Though stopping short of a complete data emancipation proclamation at the Web 2.0 Summit, CEO Eric Schmidt said, “The more we can let people move their data around … the better off we’ll be.”

And the better off users’ privacy will be.

Ideology and Critical Infrastructure Protection

I recently received a pair of reports on critical infrastructure protection in the mail, and have now had a chance to read them. Both are written by Kenneth Cukier, reporter for The Economist. They are well-written, thought-provoking, balanced, and blessedly brief. They summarize a roundtable and a working group convened by an organization I had not heard of before called The Rueschlikon Conference.

One is called Protecting Our Future: Shaping Public-Private Cooperation to Secure Critical Information Infrastructures. The other is Ensuring (and Insuring?) Critical Information Infrastructure Protection. They focus on an important question: How do we make sure that the facilities of our networked economy and society survive terrorists acts and natural disasters?

I want to come back to the ‘compliment’ I gave both papers: “balanced.” The first report finds, among other things, that we should “harness the power of the private sector” and “use market forces” to protect critical information infrastructures. It notes that Wal-Mart had 66% of its stores in the region of Hurricane Katrina back in operation 48 hours after the storm. It also notes how, with electrical lines downed by Katrina, BellSouth’s backup generators had kicked in. When fuel supplies ran low, government officials confiscated the fuel being trucked in to keep them running. Yet, for reasons I cannot discern, the report maintains that “public-private cooperation” is what’s needed rather than getting the public sector out of the way.

The second report finds that the marketplace is insufficient to protect critical infrastructure because it lacks proper incentives. It also finds that the insurance industry can create a market for security. It’s got to be one or the other. The “balance” of these reports becomes more and more just contradiction.

A telling line can be found in the second report: “[O]ne person expressed skepticism that relying on the market to solve [critical information infrastructure] security would work, since it seemed to fall too neatly into the modern ideological mantra that markets solve all problems.” In other words, a conclusion in favor of market solutions was avoided because it might further validate markets as a problem solving tool.

The uncomfortable search for “balance” in these otherwise good reports may reflect an ideological preference for government involvement – despite the harm that did in the case of Hurricane Katrina.

It is insufficient, of course, to identify ideological bias (or anti-ideological bias?) in the reports. I did find them useful and interesting, and they inspired a few thoughts that I think deserve more exploration:

  1. Anti-trust law thwarts communication among companies responsible for infrastructure protection. Rather than convening so many government work-groups, the root of the problem in anti-trust law should be addressed.
  2. Government secrecy is one of the things undoubtedly keeping the insurance industry from having the confidence to insure against terrorism risk. Thus, it does not promulgate better terror-security practices among its insureds, and a valuable tool in the struggle against terrorism lies on the shop floor. Rather than subsidies, the government should give the insurance industry information.
  3. People interested in these issues should attend or watch Cato’s upcoming forum on John Mueller’s book Overblown: How Politicians and the Terrorism Industry Inflate National Security Threats, and Why We Believe Them.

If Thanksgiving Travel Woes Get You Down …

… you might want to mark your calendar for December 13th.

The Cato Institute is having a book forum on Overblown: How Politicians and the Terrorism Industry Inflate National Security Threats, and Why We Believe Them (Free Press, 2006). In the book, Ohio State University national security expert John Mueller puts terrorism in the context of other national security threats our country has faced in the past, and challenges us to assess the threat of terrorism rationally.

Yesterday, security expert Bruce Schneier published a TSA Security Round-Up that might make you thankful just to get to and from your family home this holiday. Our country and government can do better.

Wisconsin’s “Sensenbrenner Tax”?

WisPolitics.com reports that the Wisconsin Department of Transporation is proposing to hike a number taxes and fees to pay for various transportation related projects.

Among them, “a $10 ‘federal security verification fee’ for state driver’s license and ID cards to cover the $20.7 million cost of implementation of the federal REAL ID Act.”  WisDOT also proposes doubling the fee for issuance or renewal of the state ID card from $9 to $18.

Wisconsin Representative James Sensenbrenner pushed the REAL ID Act through Congress.

A Turn of the Revolving Door

According to the Hill Climbers section of today’s Roll Call,

Brian Zimmer is saying goodbye to Capitol Hill to join the American Association of Motor Vehicle Administrators.  According to a statement, AAMVA is an association that “actively promotes traffic safety and uniformity among North American jurisdictions.” Zimmer starts today as the company’s new senior vice president of identity management.
Before making the jump, Zimmer worked for the past five years as senior policy adviser and investigator for the House Judiciary Committee. There he helped investigate and conduct the committee’s oversight on issues such as fraud prevention, border security and counterterrorism, among others. 

Specifically, Brian was the Judiciary Committee’s lead staffer on the REAL ID Act, our national ID law.  He is a committed and motivated proponent of that cause.

AAMVA is well recognized (by those who care to follow these issues) as a proponent of driver regulation, national IDs, and even internationally uniform ID systems.  Since at least the late 1930’s AAMVA has been pushing regulatory control of drivers and driving.  As I note in my book, Identity Crisis, “Before September 11, 2001, AAMVA promoted a national identification card as a solution to illegal immigration.  After September 11, 2001, it promoted a national identification card as a solution to terrorism.  If national identification cards are a hammer, AAMVA sees every public policy problem as a nail.”

AAMVA collects about $1 per driver per year (roughly $13 million) for its part in administering the Commercial Drivers License Information System.  AAMVA would make much more as the administrator of databases required by the REAL ID Act.

Brian is a nice guy and, as I say, dedicated to his cause.  His new employment provides a window into AAMVA’s role in the national ID debate.

No, really. Why?

From the homeland security boodoggle department comes PIVMAN - a sort of personal-identity-verification super-hero.

Federal government employees are beginning to carry uniform ID cards under a program created for no apparent reason other than a vague knee-jerk appeal to “security.”  Now along comes PIVMAN, a mobile ID card reader touted by its manufacturer as the reason for all the cards.  The whole story is finally made sense of in SecureID news:

“[PIVMAN] is the first complete out of the box end user application that answers ‘why’ … we built these infrastructures, spending all this time and money,” said Mr. Libin [president of PIVMAN seller Corestreet]. Consider the Department of Defense’s Common Access Card: “We started working with them five years ago and they’ve already issued millions of cards, but no one was really using them. People at DoD had spent all this money for a new card, but there were very few applications for it… . PIVMAN is the first actual end user visible application.”

Get it?  The reason for the ID cards is so that they can be checked

At $24,950 for two handhelds, charging cradles, and the management software, this is all entirely worthwhile.  After all, without these super-expensive card readers, the millions spent on IDs would be wasted!

No, really, there must be some use for this junk.  Let’s try again.

If there’s a disaster, or attack, there are several waves of first responders, explains Mr. Libin. “These people are typically concerned with halting the damage, but pretty quickly after that it becomes a more organized process and you get other types of first responders, such as fire fighters or maintenance workers. You need to control who gets into the disaster scene. You have people with the PIVMAN controlling the perimeter. Anyone getting in presents his or her card, a person scans or swipes the card into the PIVMAN and he quickly knows if it’s a valid card. It also displays what privileges are associated with that card. If you’re allowed to deal with hazardous material, you can be directed to the appropriate place for HAZMAT cleanup and the PIVMAN logs in that activity.”

There you have it.  This stuff makes disaster scenes orderly.  ‘Yes, I understand that the hazardous materials are over there, but the designated area for HAZMAT cleanup is actually behind you.  Thank you for submitting your ID to PIVMAN.  Now go wait where you’re told.’

Let’s try one more time.

“Securing access to our nation’s ports and maritime facilities is a key use-case for the PIVMAN System,” said Mr. Libin following the demonstration. “The mobility of the PIVMAN System speaks to the nature of the maritime industry. Now you will be able to check any individual’s FIPS 201 ID, including TWIC … whether that person is driving a truck or on a ship, the information will always be available, even when networks are not.”

This is close, but still not a sufficient for a digital ID reader.  If it’s about access control, all you need is an analog card and someone with eyeballs.

Matching means to ends is difficult in security.  Selling means to the government in hopes of finding some end for it to serve - not so difficult.