Topic: Telecom, Internet & Information Policy

Baltimore Sun: Deep-Six REAL ID

The Baltimore Sun opinion page recognizes that the REAL ID Act’s national ID system “will neither weed out terrorists nor make a dent in the flow of illegal immigration - the two problems it was devised to address.”  In light of the exorbitant cost and impossibility to implement, its advice is to junk the REAL ID Act.

Feariness about Data Loss

In the spirit of Stephen Colbert’s “truthiness,” here’s another useful term for the pop lexicon:

fear i ness (fir’ e-nes) n. The quality of being feared, even though logic and/or evidence indicates there is little to fear.

A prime example of feariness right now is data loss — the loss of control over confidential information that could lead to violation of a person’s privacy, identity theft, and fraud. This feariness has been fanned by the recent thefts of government and corporate computer hardware containing important data files.

Though privacy violations and fraud are worrisome, an article in today’s New York Times explains that much of the alarm over data loss is just feariness:

The veterans’ laptop episode underscores the crucial distinction between data loss and malicious data theft — a distinction that has often been glossed over or ignored in the recent wave of alarming disclosures of data breaches at government agencies, universities, companies and hospitals. In most cases, the consequences — financial and otherwise — of the data losses have been slight.

But while high-profile data breaches are common, there is no evidence of a surge in identity theft or financial fraud as a result. In fact, there is scant evidence that identity theft and financial fraud have increased at all. Even when computer networks are cracked into, and troves of personal information intentionally stolen, fraudsters can typically exploit only a tiny fraction of it.

Readers of Cato’s Regulation Magazine already know this story. In last spring’s issue, Tom Lenard and Paul Rubin describe how the incidence of data theft–inducing fraud is fairly stable, how most of that fraud is the product of the theft of old-fashioned paper statements instead of electronic information, and how the response to data loss (including government-mandated response) is far more costly in aggregate than any resulting fraud.

Harpers Denounce Border Plan, ID Systems

A prominent Harper spoke out this week against the plan to require passports or passport-‘lite’ ID cards for crossing the U.S.-Canada border. That’s Canadian Prime Minister Stephen Harper. 

He is no relation to the Cato Institute’s director of information policy studies, Jim Harper, who spoke out about the Western Hemisphere Travel Initiative’s PASS card system two weeks ago

The Western Hemisphere Travel Initiative (WHTI) sounds like a wonderful thing. It’s hard to be against travel. But WHTI is actually about shrinking commerce and travel among the friendly countries in our region.

In the Intelligence Reform and Terrorism Prevention Act of 2004, Congress pushed the Department of Homeland Security to create an “automated biometric entry and exit data system” for people crossing the borders. A prominent proposal is the PASS card, which stands for People Access Security Service. It is envisioned as a card containing an RFID chip that is to be given to passport holders. The chip would alert the DHS when a person arrives at a border crossing. 

“Pre-positioning” data by sending an electronic signal from 30 or more feet sounds like it would make border crossings go faster. But moving identification data is not what takes time at border crossings — it’s checking to see if the person and the identity information match up. 

An RFID-chipped PASS card would mean that lots more information about American citizens’ movements would be collected. It’s a system not just verifying that travelers are citizens or legal aliens — it’s a system for collecting information about our comings and goings, yet another dimension of our lives revealed to the government to do with as it will.

Congress seems held in thrall by national ID systems. Last week, the House passed a bill to require showing identification cards for voting. And, of course, we already have the REAL ID Act, which by May 2008 will have states issuing drivers’ licenses and ID cards to national standards (sharing driver information nationwide, too) — if states comply. Harper of the Cato Institute testified to a New Mexico legislative committee about that issue last week. The National Conference of State Legislatures reports that compliance with the REAL ID Act will cost $11 billion dollars nationwide.

Identification seems to offer an easy technological quick-fix for ailments like illegal immigration and terrorism. But what most of these schemes would do is further regiment and control law-abiding people while merely inconveninencing criminals, terrorists, and any other threat with a modicum of sophistication and motivation.

My book Identity Crisis has more on this and all other facets of identification.

Privacy Debacle Top Ten

Wired News reporter Annalee Newitz has compiled a “top ten” list of privacy debacles

It’s easy to quibble with the results, but I was delighted to see “The Creation of the Social Security Number” at #1.  Our national identifier has used its government backing to push aside all others and enable government and corporate surveillance on a scale that would never have occurred under natural conditions.

In Identity Crisis: How Identification is Overused and Misunderstood, I discuss how the uniform identification system we’ve built around the Social Security Number is insecure for individuals, making information about them too readily available to governments, corporations, and crooks. 

The fix is nothing so ham-handed as banning uses of Social Security Numbers.  Rather, it will be necessary to remake our identification systems so that they are diverse and competitive, and thus solicitous of individuals’ interests.

Watching the “Lack of Competition” Meme

Ars Technica — a wonderful publication with brief, informative, and interesting pieces on technology — is showing a little sloppliness in covering the broadband competition issue. The question whether there is sufficient competition in the provision of broadband Internet service underlies the debate about “net neutrality” — whether there should be public utility regulation of broadband.

Discussing FTC chair Deborah Majoras’ speech at the PFF Aspen Summit, an Ars reporter casually observes, “[M]arket forces really do not exist when it comes to broadband.” That’s at least overstatement. A little more caution would be good given the centrality of the issue.

To show the existence of a duopoly (which is not inherently a competition-free situation), the report links to an earlier Ars piece interpreting a study as showing “not much” competition between DSL and cable. But that conclusion goes only to price competition. And it’s a little overstated, too.

The actual study, from a group called Kagan Research, seems to show that DSL is the low-cost option (and getting lower), while cable is the high-bandwidth option (getting higher in bandwidth while dropping in cost more slowly). That diminishes head-to-head price(-only) competition because each is focused on a different niche. But they’re still in competition.

The Kagan Research analyst concludes: “Eventually, cable will probably have make [sic] some reductions to cater to the lower end of the consumer market simply to get more customers.” So the study author believes more direct price competition is coming.

That’s some distance from “market forces really do not exist when it comes to broadband.” There is some price and quality competition among the major broadband platforms. Substitutes (such as getting broadband at work and getting information and entertainment offline) play a role in the competition question. And several competitors wait in the wings, to become viable through improvements in technology, new investment, or bad behavior by the current platforms.

I hasten to add that I am not satisfied with the current level of competition. I would like it to be more intense along all fronts and in all regions.

Data Mining or the Fourth Amendment?

Boalt Hall Law Professor and Visiting AEI Scholar John Yoo writes in a short piece on the AEI website that we should consider using data mining to pursue terrorists. He makes at least two errors: one historical and one statistical.

Discussing the recent vogue for making U.S. law more like Britain’s, Yoo writes:

[I]ncreasing detention time or making warrants easier to come by merely extends an old-fashioned approach to catching terrorists. These tools require individualized suspicion and “probable cause”; police must have evidence of criminal activity in hand. Such methods did not prevent 9/11, and stopping terrorists, who may have no criminal record, requires something more.

It’s hard to put aside that the vogue for making U.S. law more like Britain’s would undo part of what the Revolutionary War was fought for. And Yoo’s placement of the phrase “probable cause” in quotes — I hope that’s not to suggest that the language of the Fourth Amendment is quaint.

But putting all that aside, Yoo’s first error has to do with more-recent history. He argues that traditional investigative methods “did not prevent 9/11.” But traditional investigative methods weren’t applied to the problem. 

Operatives like Khalid al Midhar — an individual with jihadist connections known to the United States — entered the country, left in June 2000, and returned July 4, 2001 on a visa the United States gave him. As the 9/11 Commission pithily noted, “No one was looking for him.” Traditional investigative methods can’t be said to have failed when they weren’t being used.

Yoo’s second error is to believe that data mining can help locate terrorists. Data mining cannot be made useful in counterterrorism: The absence of terrorism patterns means that it is impossible to develop useful algorithms. The corresponding statistical likelihood of false positives would cause the results of a data mining operation to waste the time and energy of investigators while threatening civil liberties. 

Data mining does give a “lift” to marketers’ attempts to find people with certain propensities and interests. But the ”failure rate” (if the goal is to find new, willing customers) is typically above 95%. This is with hundreds of thousands, or even millions, of patterns to work with. Data mining also helps ferret out credit card fraud — again, using the thousands of instances of this crime that happen each year to develop useful algorithms.

Probability theory teaches that the percentage of false positives a test produces will rise dramatically as the incidence of the sought-after condition drops. If you’re searching American society for left-handed people (8–15% of the population) a data mining operation might work pretty well.  If you’re searching for the 10, 12, or two terrorists in the United States, an imperfect test will be useless, time-wasting, and thus harmful to the national security mission.

No, the Fourth Amendment is good policy as well as a part of the not-old-fashioned Constitution. It is better to focus investigations, not broaden them. The best way to find wrongdoing is to look where there is probable cause to believe something is afoot.