Topic: Telecom, Internet & Information Policy

There’s No Fixing the FBI’s Computers

While Congress and the Department of Justice consider mandating that ISPs retain data about all of our communications, the FBI, it seems, can’t keep its own IT systems up to date. Putting aside the irony to focus on practical matters, what will bring the FBI up to snuff? I told the reporter in the article linked just above that nothing will.

The problem is institutional; when an organization’s membership doesn’t enjoy feast or famine based on the success of the organization, very little can bring it into focus and create success. … Congressional and public oversight is a weak, weak substitute for competitive pressure.

But the FBI’s computer systems have to be fixed, don’t they? They do. And to get there, you might have to shrink the FBI and law enforcement generally — especially federal law enforcement.

Because of the nature of bureaucracies, I don’t think there is an effective management solution to the FBI’s problems with IT. The better answer occurs at a higher level of abstraction:

Too many risks and threats are being treated as public problems to be dealt with through law enforcement when they should be treated as private problems to be dealt with through security.

To illustrate: Imagine that the nation’s garages had been designed without garage doors. People finding that their lawn mowers and garden tools were being stolen could call the cops (public/law enforcement) or design and install garage doors (private/security). Much going on in Internet security and online anti-fraud these days equates to people without garage doors calling the cops. There should be more personal and corporate responsibility, less government and law enforcement.

Another example: Starting more than 30 years ago, the U.S. government started taking responsibility for airline security (public/law enforcement) rather than leaving it with airlines (private/security). In fact, President Nixon announced expansion of the air marshals program on September 11, 1970, 31 years to the day before 9/11.

Mixed responsibility allowed both the public and private sectors to avoid ownership of the risk that a flight would be commandeered and used as a weapon. After 9/11, the government took further control over airline security and absolved airlines of the liability that might have accrued to them in the courts. (I don’t think they should have been liable for the full consequences of 9/11 or would have been found liable in well-functioning courts, except perhaps for the lives of their passengers.)

The lesson that private owners of critical infrastructure across the country learned is: Failure to secure themselves will bring them protection from liability, subsidies, and government-provided security services. In other words, they have been shown that leaving their garage doors open and calling the cops is better for them than taking responsibility. (In insurance economics, this is called “moral hazard.”)

“How do you fix the FBI’s computers?” You don’t. And you won’t. That’s the best answer I know.

Does it come off as too ideological to argue that the FBI should be smaller? Consider that the management problems at the FBI are merely part of a different ideological choice: having a large federal law enforcement apparatus. It doesn’t have to be this way, and the management problems are a product of the fact that it is.

Does it come off “soft on crime” to argue that federal law enforcement should be reduced? The opposite tack — “tough on crime” — means accepting incompetent law enforcement, which is the best friend crime ever had.

Fraudulent Identity Fraud Statistics

Slate has a great piece up on the use and misuse of statistics by reporters.

The magic number for journalists covering the identity theft beat has been $48 billion—the estimated annual losses suffered by identity theft victims—which carries the Federal Trade Commission’s imprimatur. … Fred H. Cate, a law professor and director of Indiana University’s Center for Applied Cybersecurity Research, notes that if the estimate were accurate, it would wipe out up to half of the banking industry’s $103 billion profits in 2005. “If those numbers were true, we’d have a banking crisis on our hands,” he says.

When I worked on the Hill, I came to recognize a similar dynamic at play: There were things everyone believed and no one questioned. I called them “political facts” because the source of the fact was consensus rather than any measurement or observation. Repetition of political facts in Members’ speeches and floor statements just made them all the more true.

A political fact relating to identity fraud is that it is a stranger crime, often a product of data breaches, that is conducted mainly over the Internet. It sometimes is, but in my book, Identity Crisis, I point out the results of an actual study showing that:

[M]ore than a third of individuals who had been impersonated in a true identity fraud knew … who the perpetrator was. And in more than half of those cases, the perpetrator was a family member or other relative. Other prominent perpetrators of identity frauds are people in companies or financial institutions with access to personal information, as well as friends, neighbors, or in-home employees of impersonation victims. So much for the Internet being the cause of identity fraud, though it certainly plays a role in some cases.

Alas, … my source was a Federal Trade Commission study.

Fake IDs Save Lives in Iraq

A fascinating AP report says that Iraqis are using fake IDs in light of the recent growth in sectarian killings.  The major groups in Iraq are not distinguishable by physical traits, but they are by name.  To avoid being killed, people are getting false identification cards:

Surnames refer to tribe and clan, while first names are often chosen to honor historical figures revered by one sect but sometimes despised by the other. 

For about $35, someone with a common Sunni name like Omar could become Abdul-Mahdi, a Shiite name that might provide safe passage through dangerous areas.

This illustrates very well how genuinely complex security can be.  At any time, the relevant authorities in Iraq could have decreed that all people get (as near as possible) forgery-proof biometric ID cards and carry them at all times - a great way to batten down a country, right? 

Doing so would have fed directly into the strategy being used by the enemies of peace and security in Iraq today: setting up fake checkpoints and killing people who arrive there members of the wrong sect. Identity cards had a role in the Rwandan genocide just over 10 years ago, as well.

Those who believe that identity cards are a simple route to good security, well, they suffer what is so rightly known as the fatal conceit. Central planning that deprives people of control over their lives can be deadly–literally–in surprising and unpredictable ways.

Thank goodness for the fake ID outlets in Iraq today, and thank goodness the promoters of ”secure ID“ in the United States didn’t take their message to Iraq.

The tradeoffs involved in identification are discussed in my book, Identity Crisis.

UK National ID in Collapse - U.S. National ID to Follow?

The Sunday Times (U.K.) reports that “Tony Blair’s flagship identity cards scheme is set to fail and may not be introduced for a generation.” The Times cites leaked e-mails reflecting senior officials’ belief that the plan to subject the U.K. population to the regimentation of a national ID system is falling apart. Even a backup, scaled-down national ID card isn’t “remotely feasible,” according to the e-mails cited by the report. Ministers who are pressing ahead with the plan are “ignoring reality.”

Similar e-mails may well be floating around the U.S. Department of Homeland Security, which will be issuing regulations to flesh out the REAL ID Act this summer this fall after November 7th. (No bureaucrat with an ounce of political acumen would drop a $9-billion-dollar unfunded surveillance-mandate before the mid-term election.)

This is not bad news. A national ID system is useful for controlling a law-abiding population, but not useful for securing against law-breakers, particularly committed threats like terrorists - unless it is part of a total surveillance system.

The failure to implement a national ID system in the U.S. would represent little loss to the nation in terms of security, and a substantial gain in terms of preserved freedom and autonomy. All this is discussed in my new book, Identity Crisis: How Identification is Overused and Misunderstood.

Unlike the U.K., where a national ID is apparently a project identified with Tony Blair, the Bush Administration does not have to look for a face-saving alternative. The U.S. national ID was not a Bush Administration project, but something it accepted in a political bargain. The Administration can now (rightly) declare it impossible to implement and inconsistent with American values, then work with Congress to repeal the REAL ID Act.

Technology Beats Law for Fixing ‘Technology’ Problems

In late 2004, when Congress passed the Video Voyeurism Prevention Act [.pdf], America breathed a sigh of relief knowing that taking naughty photos was now illegal “in the special maritime and territorial jurisdiction of the United States.” That’s just about nowhere as far as thwarting video voyeurism goes, but the symbolism was just too good for Congress to pass up.

Cameras are shrinking in size while improving in quality, and human nature remains unchanged, so video voyeurism is a growing problem. It’s a “technology” problem in the sense that the technology enables carrying a natural human interest to unnatural extremes. Let’s talk about solutions.

Both law and morals are weak tools. You can make it illegal and you can shame the people you catch, but it’s not going to stop. After all, the behavior is carried on in secret already. Legal or illegal, and shameful as it is, video voyeurism is likely to increase.

That’s why I was so happy to read an article this week about a technology to thwart furtive picture-taking. A researcher at Georgia Tech is developing a system that can find and neutralize digital cameras. You see, most digital cameras emit unique visible or invisible beams of light that can be sensed to reveal their whereabouts. Once the sensor identifies a digital camera, it can shine an infrared laser at the camera, overexposing it and rendering it inoperable.

Many people are concerned with RFID and other radio devices. The cure is not to prescriptively regulate, but to empower people with awareness and control over the radio waves around them. I would like to see software radios — and perhaps someone is working on one somewhere — that monitor traffic across the spectrum and observe on our behalf what devices and communications are in our midst. These radios could then give special warnings when RFID readers, unknown cell phones, and other unusual spectrum users are present.

Empowering, pro-technology, non-regulatory.

The First Amendment’s prescription for curing bad speech is to encourage more speech as a counter. A similar principle should be used when technology creates problems: Use more technology to counter them.

Federal Ban on Internet Gambling Marches On

Yesterday, I spoke with an aide to a Republican congressman who, as far as congressmen go, is somewhat libertarian. The aide told me that much to his chagrin, said congressman will be backing the ban on Internet gambling. What’s more, the aide said the congressman actually understands the economics of prohibitions, he just thinks that this will be the one time they don’t apply.

“For some reason, he thinks this is one instance where government can actually pull it off,” the aide said.

Unbelievable.

Internet gambling is already illegal, of course. That’s why gaming sites set up and operate offshore (several are actually traded on the London Stock Exchange). Yet, it’s still a $12 billion industry in the U.S. That means government already is trying, and failing, to prohibit it.

I guess the thinking is — as it is with the drug war — that if we try just a bit harder, spend just a bit more, harass private citizens just a bit more, and give government a bit more power, we’ll be able to buck history and finally make a vice prohibition stick.

Or perhaps lawmakers know it won’t work, and don’t care. The symbolism of trying to take a moral stand against gambling is more important than the policy actually working.

According to the New York Times, the gambling ban moves to the House floor for a vote next week, where it’s almost certain to pass. Here’s the kicker:

The majority leader, Representative John A. Boehner, Republican of Ohio, announced a few days ago that the measure would be voted on this summer as part of what the Republicans call their American Values Agenda.

So because the Republicans have garnered public scorn for the unethical, corrupt, morally bankrupt way they’ve governed over the last decade, they’ve decided to make a last-ditch attempt to hold on to power by passing judgment on the morals of their constituents (most of whom, polls show, oppose the bill).

Super.

The Times piece also looks at the free trade implications of Internet gambling prohibition, often overlooked in the debate. The Goodlatte-Leach bill will certainly exacerbate existing trade tensions between the U.S. and the 80 or so countries that allow online gambling. But many of those tensions have been bubbling over for years.

This bill brings up some new problems.

Because the bill effectively deputizes banks to sniff out and eradicate gambling among their customers (the creepy privacy implications of that alone ought to kill this bill), it amounts to a piece of blatantly protectionist legislation. Its practical effect will be to shield a domestic company (PayPal, which is owned by eBay) from foreign competitors like FirePay and Netteller.

I’ve explained a bit more about how this will work here.

Thus far, when countries like Antigua have challenged the U.S. gambling ban on free trade grounds, the Bush administration has fought tooth and nail to preserve its right to police the private behavior of American citizens. That means the administration has used millions of taxpayer dollars to prevent more liberty-minded countries from making too much freedom available to U.S. taxpayers over the Internet.

Of course, kicking Antigua around is one thing. When Britain mounts a challenge, as it likely will, this will all get much more interesting.

Gotta love the party of limited government.