Topic: Telecom, Internet & Information Policy

How Did You Like the Cybercrime Treaty Debate?

Perhaps you weren’t aware of the Senate’s debate over the cybercrime treaty. You would be like most people. The Senate quietly approved the cybercrime treaty yesterday.

The treaty is the product of years of diligent work among governments’ law enforcement departments to increase their collaboration. It lacks a dual criminality requirement, so Americans may be investigated in the United States for things that are not crimes here. And it applies not just to “cyber” crimes but to digital evidence of any crime, so foreign governments now may begin using U.S. law enforcement to help them gather evidence in all kinds of cases.

 But you already knew that if you were following the debate. You were following the debate, weren’t you?

ID-Based Security Is Broken - and Can’t Be Fixed

The Government Accountability Office testified to the Senate Finance Committee today that investigators were easily able to pass through borders using fake documents. Indeed, sometimes documents were not checked at all.

“This vulnerability potentially allows terrorists or others involved in criminal activity to pass freely into the United States from Canada or Mexico with little or no chance of being detected.”

That’s true, but shoring up that vulnerability would add little security while devastating trade and commerce at the border.

Identity-based security works by comparing the identity of someone to their background and determining how to treat them based on that. To start, you need accurate identity information. That’s not easy to come by from people who are trying to defeat your identity system.

Here’s a schematic of how identification cards work from my book Identity Crisis.

As you can see, proof of identity involves three steps: Info goes from the person to the card issuer; info goes from the issuer to the verifier via the card; and the verifier checks to make sure the person and the card match.

Each of these steps is a point of weakness. Let’s take them in reverse order:

Obviously, as the GAO found, if nobody looks at the ID card, the “verifier check” can’t be done and the system fails. If the verifier is careless, the system will also fail. This weakness can be fixed with machine-read biometrics, but that is time-consuming and it typically subjects everyone to monitoring, tracking, surveillance – whatever you prefer to call it.

If the card can be forged or altered, this compromises card security, the second point of weakness in the process. Weakness in card security (non-obvious forgery) is what GAO sought to expose when it stumbled across the fact that border agents weren’t checking IDs at all. Card security can also be fixed various ways, though the best, such as encryption, will also tend to increase monitoring, tracking, and surveillance of every card-holder.

The first step is the hardest by far to fix: getting accurate information about people onto cards. For anyone wanting to defeat the current U.S. identification system, there is a substantial trade in documents that are false but good enough to fool Department of Motor Vehicle employees into issuing drivers’ licenses and cards. Criminals also regularly use the option of corrupting DMV employees to procure false documents. Can this problem be curtailed? Yes. Solved? No.

For the sake of argument, let’s fix all these things with a cradle-to-grave, government-mandated, biometric tracking system. Enough to make even the irreligious think “mark of the beast.” Even then, we will not have effective security against serious criminals and terrorists. The greatest weakness of identification-based security remains.

Knowing who a person is does not reveal what they think or what they plan to do. Examples are legion in terrorism, and routine in crime, of people with no record of wrongdoing being the ones who act.

For example, Al Qaeda selected operatives for the 9/11 attacks who had no known records of involvement in terrorism. (See 9/11 Commission report, page 234.) It was operating in a mode to defeat watch-listing well before the spasm of watch-listing that underlies identification-checks like the ones GAO has found so flawed.

If we were to have a comprehensive, mandatory, biometric identification system, it would help find bad people after they are identified, but do little to secure against attackers who are not already known. Al Qaeda planners would have to continue factoring in a risk they have already accounted for.

And having such a system should be a big “if.” Subjecting all Americans to increased monitoring, surveillance, and tracking, then delaying their lawful trade and travel at the borders, would do a lot of damage to liberty and commerce. It would provide only a tiny margin of security – almost no margin against sophisticated threats.

Getting to Government Transparency

There’s technology policy, and there’s how technology affects policy.

That’s why I found my colleague Chris Edwards’ recent Tax & Budget Bulletin so interesting.  He discusses a number of federal databases that bring some transparency to federal spending, including the Federal Assistance Award Data System and the Federal Audit Clearinghouse.  Between them, they reveal quite a bit of information about federal spending and the staggering number and amount of subsidies and grants handed out by the federal government each year.

Edwards also hails a proposal by Senator Tom Coburn (R-OK) to create a comprehensive Internet database of federal contracts, grants, and other payments.  It would be a great leap forward in terms of transparency about spending, like the Thomas system was for the legislative process.

Advocates from across the political spectrum want a government that “works.”  Most believe that their perspective would “win” if the politics and government worked.  Whatever the case, transparency is widely agreed to be good — the more the better.

Thomas was an improvement.  Yet it hasn’t transformed the legislative process the way some might have hoped.  Lawmaking remains murky and confusing to the vast majority of the public.  Even if it was done well, a federal spending database probably wouldn’t transform the politics of government spending either.

Information technology will surely help, but transparency isn’t enough.  The twin problems that must be overcome are rational ignorance and rational inaction.  It’s hard to learn about government, and hard to affect it, so people make better uses of their time.  Operating a lemonade stand would be far more lucrative and enjoyable for most people than campaigning for a tax reduction.  (The piece linked here is a good discussion of rational ignorance.)

There are some efforts to defeat the twin plagues of ignorance and inaction.  GovTrack.us, for example, attacks ignorance with more information presented more accessibly than Thomas.  Wikipedia founder Jimmy Wales recently took after inaction with a wiki devoted to campaigns

My favorite — because I run it — is WashingtonWatch.com.  It displays pending legislation with its price-tag per person, per family, etc. and it gives visitors a chance to air their views.  A little run at ignorance, a little run at inaction.  Given time, it could blossom into transformed government.  In the meantime, the more transparency the better.

Boehner Cites, Promotes Americans’ Anxiety

National Journal’s Hotline has dutifully reprinted House Majority Leader John Boehner’s open letter of encouragement to fellow Republicans as they go into the summer recess. In it, Boehner cites Americans’ ongoing anxiety about a number of issues.

“International threats are also contributing to the anxiety American families feel,” he writes.  He continues:

[Terrorists are] bent on destablizing democracies throughout the world. And they are more determined than ever to penetrate our leaking borders and carry out their murderous ambitions against innocent citizens on American soil.

Naturally, Boehner derides Democrats for failing to do security like Republicans do security.

Last year, for example, 152 Democrats voted against the REAL ID Act, which implemented needed driver’s license reforms, making it more difficult for potential terrorists to obtain driver’s licenses or state ID cards, and ensuring that states improve their data security.

Nevermind that false ID was not part of the modus operandi of the 9/11 terrorists. Identification requirements are not very good for tracking or controlling criminals and essentially worthless for stopping suicidal terrorists, but they are very good for tracking and controlling law-abiding citizens.

In Blind Spot: The Secret History of American Counterterrorism, Timothy Naftali frames this kind of letter:

The politics of fear have … prevented a serious national conversation about the true dimensions of the threat. The public has no idea of the tradeoffs between security and freedom. Their elected representatives speak of doing everything necessary to protect them, while each political party argues that it is more likely than the opposition to keep the nation secure.

This perspective turns the Boehner letter into a caricature. Naftali adds, “The American public should be informed that the terrorists cannot win any war against the United States … .”

Ready to Pay More for Longer Lines at the DMV?

The Decatur (Alabama) Daily News reports that a server shut-down froze driver licensing operations on Friday.

Lines that tend to be long on the best days meandered double-file through hallways at the Morgan County Courthouse after a computer server in Montgomery shut down at about 12:45 p.m. The faulty server, which came back online at 3, is owned and maintained by Oregon-based Digimarc Co., a state contractor, according to [the Alabama Department of Public Safety].

Digimarc is one of several companies that are in the business of licensing and regulating driving. Another cited in the story is AAMVA, the American Association of Motor Vehicle Administrators, which operates a variety of driver surveillance programs under the AAMVAnet brand.

AAMVAnet is the conduit most states use to access various databases involved in driver license applications and renewals. Alabama uses the service for commercial driver license information, problem-driver point systems and Social Security number verification.

AAMVA is particularly interesting because it styles itself as a neutral interlocutor on motor vehicle administration, police traffic services and highway safety. But according to its non-profit disclosure form, its $30 million in 2003 revenue was comprised of $11 million in government grants and more than $14 million from “contracts/user fees” - most of it likely from operation of the Commercial Driver License Information System.

Anyone who understands the role of self-interest in guiding organizations - even ‘non-profits’ like AAMVA - must recognize that this is an advocate for increased driver regulation and surveillance, most recently through the REAL ID Act’s national identification card. If REAL ID is implemented, AAMVA stands to increase its revenue ten times over.

Department of Public Safety spokeswoman Martha Earnhardt told the Decatur Daily News, “As more and more states go through AAMVAnet, it hasn’t been able to handle the volume.” But AAMVA intends to move you into the national ID program - long lines or not - using your state and federal tax dollars.

More on AAMVA and the REAL ID Act can be found in my book Identity Crisis: How Identification is Overused and Misuderstood.

The New Social Engineering

Apparently I’m behind the times. I’ve always understood the term “social engineering” to mean what the American Heritage Dictionary calls “the practical application of sociological principles to particular social problems,” or what Mises called “treat[ing] human beings in the same way in which the engineer treats the stuff out of which he builds bridges, roads, and machines.”

But in Thursday’s Wall Street Journal I discover that “social engineering” now means “tactics that try to fool users into giving up sensitive financial data that criminals can use to steal their money and even their identities.” It includes “phishing” and other online scam tactics. If you Google “social engineering,” you can wade through pages and pages before you find any links to the older meaning.

I guess there is a connection between the two kinds of social engineering. One online tech dictionary says, “Social engineering is manipulating people into doing what you want, in much the same way that electrical engineering is manipulating electronics into doing what you want.”

That definition would probably embrace the kind of social engineering that libertarian scholar Wendy McElroy criticizes here, or the wide variety of schemes — from Mao to McNamara, from urban renewal to rural resettlement — that James C. Scott discussed in his book Seeing Like a State.

Perhaps the classic critique of social engineering, before the term was invented, comes from Adam Smith in The Theory of Moral Sentiments:

The man of system, on the contrary, is apt to be very wise in his own conceit; and is often so enamoured with the supposed beauty of his own ideal plan of government, that he cannot suffer the smallest deviation from any part of it. He goes on to establish it completely and in all its parts, without any regard either to the great interests, or to the strong prejudices which may oppose it. He seems to imagine that he can arrange the different members of a great society with as much ease as the hand arranges the different pieces upon a chess-board. He does not consider that the pieces upon the chess-board have no other principle of motion besides that which the hand impresses upon them; but that, in the great chess-board of human society, every single piece has a principle of motion of its own, altogether different from that which the legislature might chuse to impress upon it. If those two principles coincide and act in the same direction, the game of human society will go on easily and harmoniously, and is very likely to be happy and successful. If they are opposite or different, the game will go on miserably, and the society must be at all times in the highest degree of disorder.

U.S. Manufacturing Expands along with China’s Economy

Sen. Charles Schumer (D-N.Y.) renewed his threat this week to demand a vote in the Senate on legislation that would impose steep tariffs on imports from China if the Chinese government does not move promptly to strengthen its currency.

Like many other members of Congress, Schumer believes that China has “manipulated” the value of its currency in a way that makes Chinese goods artificially cheap in the U.S. market while discouraging U.S. exports to China. One result, according to Schumer, has been serious damage to America’s manufacturing base.

Three news items this week, though, should give Congress pause before it slaps tariffs on imports from China:

  • The latest reports from Beijing confirmed that China’s economy continues to grow rapidly. China’s economy reached an annualized growth rate of 11 percent in the second quarter and more than 10 percent for the first half of 2006. 
  • But China’s growth is not coming at the expense of the U.S. economy or U.S. manufacturing. The U.S. Federal Reserve Board of Governors reported this week that U.S. manufacturing output is up 5.7 percent so far in 2006 compared to a year ago. Indeed, according to a recent Cato study, U.S. manufacturing output is up 50 percent in the past 12 years along with our expanding trade with China.
  • The number of Internet users in China has reached 123 million. That gives China the second largest group of users in the world, behind the 200 million users in the United States.

Rapid economic growth in China is not coming at the expense of the U.S. manufacturing sector. But that growth is creating a growing middle class in China that is increasingly engaged not only in the global economy but in the global sharing of ideas.America’s economic relationship with China was the topic of a lively discussion at a Cato policy forum this week. You can view or listen to the event here.