Topic: Telecom, Internet & Information Policy

“New Hampshire Joins Montana in Real ID Victory”

So reports Wired’s “Threat Level” blog as the Department of Homeland Security capitulates in the face of New Hampshire’s rejection of REAL ID. The same thing happened with Montana.

The key? The renegade states send a nice letter that is not a request for an extension of a looming deadline but touts the security of their driver’s licenses, which the Department of Homeland Security accepts as an official extension request. That lets DHS save face, even as it backs down from repeated threats to punish the citizens of rogue states.

New Hampshire wins.

Passport Snooping Is Just the Beginning

Following up on the story earlier this week that the passport files of all three major presidential candidates had been snooped on, Brian Bennett writes in the April 7 issue of Time about plans to distribute passport information very widely indeed, such as to the Department of Homeland Security, IRS, employers, and foreign governments.

Meanwhile, the State Department has a video interview up on its website about passport privacy. Addressing the issue in a long format on a widely accessible medium is a good thing, so congratulations are due State for addressing the issue.

However, the lead question asked of Under Secretary for Management Patrick Kennedy is a big waste of time: “Does every State Department employee have access to personal data that’s given us for passports or other reasons?” That pitch is so slow it doesn’t even reach the plate. But there is some interesting information about the State Department’s data security practices later in the video.

Unaddressed is Brian Bennett’s reporting on the proposal for wholesale sharing of passport information.

Stewart Baker Should Start at the Beginning

Department of Homeland Security Assistant Secretary for Policy Stewart Baker has posted the second in a series on the REAL ID Act at the DHS Leaderhip blog. I assessed his first try here.

This one raises the privacy issues with REAL ID, and it claims that privacy advocates “can’t and won’t tell you precisely how REAL ID threatens privacy.” Knowing his smarts and savvy, I’m confident that Stewart is feigning unawareness of my book Identity Crisis and the hearings in Congress that have exposed the many threats to privacy from REAL ID specifically, and national ID systems generally. He has also had the opportunity to read the DHS Privacy Committee’s report, which cited and discussed “serious risks” to privacy from the REAL ID program.

It’s true that privacy is a complex subject, and the complexity is preserved by the fact that a number of different interests are often lumped together under the “privacy” heading. But Stewart has certainly had the opportunity to read the Privacy Committee’s “framework document,” which articulates each of these interests. For a more thorough study of privacy in its strongest sense (control over personal information), he could re-read (or perhaps just read) my 2004 study “Understanding Privacy—and the Real Threats to It.”

The claim that privacy advocates won’t articulate the privacy problems with REAL ID is a shift from earlier public comments where Baker reportedly expressed puzzlement about privacy concerns with REAL ID, or his failure to understand them. One can’t be puzzled by the privacy concerns with REAL ID at one point in time and later claim that privacy concerns haven’t been articulated. There’s something else afoot.

I suspect it’s the fact that Baker gives higher priority to implementing REAL ID than to protecting Americans’ privacy. He just can’t bring himself to say so because it wouldn’t be popular or politic. (To be clear: He makes claims that REAL ID will protect privacy, but they do not pass muster.)

Baker should address the privacy consequences of REAL ID in a way that is not feigned ignorance or dismissiveness, but he should do something else first: Tell us what REAL ID is good for. The burden of proof in the debate over REAL ID is not on privacy advocates to say why not, but on proponents of the national ID law to say why.

No proponent of REAL ID, including Stewart Baker, has ever articulated how the program will cost-effectively secure the country against any threat. In fact, the Department of Homeland Security declined to articulate how REAL ID works to benefit the country in its analysis of the REAL ID regulations it issued. This is something I discussed, along with the privacy concerns, in my May 2007 testimony to the Senate Judiciary Committee:

The Department of Homeland Security has had two years to articulate how REAL ID would work. But the cost-benefit analysis provided in the proposed rules issued in March … helps show that implementing REAL ID would impose more costs on our society than it would provide security or other benefits. REAL ID would do more harm than good.

This is true if you assign no value to privacy at all. Americans do value their privacy and civil liberties, but the conversation should start at the beginning–with an articulation from Stewart Baker of how REAL ID provides cost-effective security.

Newseum Opens April 11th - Will it Keep Up?

The new Newseum opens April 11th, and its an impressive project in many respects.

It’s a striking but tasteful modern building, with the text of the First Amendment inscribed on its front. The location on Pennsylvania Avenue close to the Capitol has a defiant quality that I admire.

As I walked past yesterday, I observed its display along the sidewalk of current front pages from newspapers around the country and world. It’s a tribute to the importance and vibrancy of the newsgathering enterprise and free speech. Tourists were gathered along the front of the building taking in the headlines.

But I don’t read newspapers. I get my news from a wide array of sources almost entirely online. Sooner or later, I thought as I walked, some state is going to punch a hole in the Newseum’s display, as the state will no longer have a newspaper. Soon enough, most people will get their news in new formats - as I do - from sources and in media of all kinds: blogs, email, traditional news outlets’ online editions, and so on.

Will the decline of the newspaper mislead people into thinking that our vibrant tradition of newsgathering and reporting is on the wane? It’s something to think about.

The “founding partners” of the Newseum are some of the oldest of the old-school establishment media figures. (Good for them, by the way, for supporting this worthy venture.) They and the Newseum’s leadership may think that things are changing for the worse when they’re changing for the better - when news is all around us, in dozens of different formats, provided by tens of thousands of subject-matter experts and on-scene reporters with true local knowledge.

The Newseum’s planned exhibits include room for new media, but by and large they lean toward exalting the newsgathering industry. That industry has had an important role, no question, but I think it is a role that will diminish over time. I hope the Newseum will actively pursue reporting on all the news, not just the news that’s fit to print.

“Montana Wins REAL ID Standoff”

So reports the Missoulian on the Department of Homeland Security’s capitulation in the face of Governor Schweitzer’s resolute rejection of REAL ID.

On Friday, Montana Attorney General Mike McGrath notified the Department of Homeland Security that the state will not comply with REAL ID but will pursue the identity security policies it deems appropriate. McGrath urged DHS not to penalize the state for rejecting REAL ID.

DHS Assistant Secretary for Policy Stewart Baker chose to interpret McGrath’s letter as a request for an extension of the REAL ID compliance deadline and granted it.

In other words, DHS has abandoned any pretense that it can tell states what to do. A showdown with recalcitrant states around the May 11 compliance deadline would require the Transportation Security Administration to disrupt the passenger air travel system, something DHS evidently recognizes to be a losing proposition.

Montana wins.

More reporting at the Threat Level blog.

Seth Stodder’s Weak Defense of ATS-P

Seth M.M. Stodder with the Center for Strategic and International Studies, a former director of policy and planning for U.S. Customs and Border Protection, has a piece in the Federalist Society’s Engage magazine defending the Automated Targeting System — specifically ATS-P, which is a system for screening border crossers.

The piece starts with the gripping example of a man named Ra’ed Mansour al-Banna who was turned away from the U.S. border and later blew himself up in Iraq. DHS Assistant Secretary for Policy Stewart Baker (who undoubtedly now lives in fear of my relentless blogging!) told the story at a CSIS event in December 2006:

[In 2003,] he showed up at O’Hare International Airport in Chicago with a valid passport from Jordan, a valid visa to come to the United States to conduct business and he asked to be admitted. There’s no bar to his being admitted other than the fact that he had been selected for a second look by our Automated Targeting System. He was flagged as somebody who just ought to be looked at more closely.

And so one of the CBP officers did exactly that: interviewed him, asked him a bunch of questions about what he intended to do in the United States, and concluded, at the end of the day, he just didn’t like the answers. He wasn’t confident that this guy was going to live up to the obligations that we imposed under the visa and he said, I’m sorry, you’ve got a valid visa, you’ve got a valid passport, you’re not going to come into the United States, and he sent him back to Jordan. Eighteen months later, of course, he was in Hillah, Iraq driving the vehicle-borne IED.

Baker is a smart man and he chooses his words carefully. If al-Banna had been identified by ATS-P as a likely terrorist, Baker would have said so. But he didn’t. He talked about visa obligations.

Maybe the system identified him as a potential visa over-stayer — he had lived in California for two years — and when al-Banna couldn’t convince his interviewer otherwise, CBP excluded him. Maybe, as some news reports have it, CBP sent al-Banna back to Jordan because he falsified details on his visa application (after which he “became withdrawn, holing up in a makeshift studio apartment, sleeping late, and displaying a new interest in religion”). Others say that “Homeland Security officials had no reason to suspect that Albanna had become a terrorist.” Until the full story has been examined, this is anecdotal luck at best, not proof of a successful system.

In his paper, Stoddard claims to take on criticisms I have leveled at the program — and some I haven’t. Here’s the relevant part of Stoddard’s article:

Some have disagreed with the 9/11 Commission’s assessment of ATS-P’s effectiveness in assisting CBP, and have asserted that ATS-P is simply ineffective. Jeff Jonas and Jim Harper of the Cato Institute have asserted that, in general, “[t]hough data mining has many valuable uses, it is not well suited to the terrorist discovery problem,” because of the purported absence of “terrorism patterns” which [sic] to draw strategic intelligence. During a panel at the Center for Strategic and International Studies (CSIS), Jim Harper applied this analysis to ATS-P as well. But Jonas and Harper do not appear to understand all of ATS-P’s functions—including its link analysis function, operationalizing specific tactical intelligence by drawing linkages between known facts (e.g., a credit card number used by a known terrorist) and travelers seeking admission to the United States (e.g., if the PNR on a traveler indicates that traveler used that same credit card number to purchase his ticket). To the extent this conclusion also is pointed at ATS-P, Jonas and Harper may be uninformed. Indeed, the ultimate testimony to ATS-P’s effectiveness is not al-Banna, but its continued use by CBP and CBP’s ongoing efforts to improve it.

(link added)

Now let’s review what I said at the CSIS event:

The story of the suicide bomber in Iraq was gripping and thrilling, frankly, but I think it was an invitation to us to indulge in what’s known as the post hoc ergo propter hoc fallacy. That’s Latin for “because it followed in time, there must be correlation.” Because ATS existed, he was stopped at the border. It may be true, but [it’s] not necessarily true. Had he gotten into the country, he would have done in this country what he was able to do in Iraq. Maybe true, but probably not true. The infrastructure isn’t here and the support isn’t here to be able to pull off that kind of thing. So it’s, again, a gripping story, but not necessarily a good basis for policymaking.

In addressing what ATS is, it’s a check against the no-fly list. I think most people are aware of that. Link analysis, it makes pretty good sense in many cases. [Baker d]idn’t address the question of the risk score, which is the most concerning, I think, to most people, for a variety of reasons. And exactly how that risk score is created isn’t known, and I imagine that Secretary Baker and others would refuse to tell us how that risk score is created because that would create a security breach in the system. But it’s precisely there that the capacity for rank unfairness in the system is created. And it’s a system that doesn’t just apply, as I understand it, to foreigners coming to the country, but to everyone traversing the border, and that’s – I’m sorry to be so parochial, but I’m most interested in the rights of American citizens who are traveling internationally and returning to the country.

(emphases added)

Now, it’s true that I am less informed about ATS-P than Stodder and Baker. Homeland Security folks hold inside information and they try to use secrecy as a trump card. My oral recitation of ATS-P’s details lacks polish, but I know enough to have specifically approved of link analysis while disapproving predictive data mining. In our paper, Jeff Jonas and I excluded link analysis (referred to as “subject-based analysis”) from our criticisms. Stodder refutes an objection I did not make, suggesting that I’m uninformed.

And he does not address the objection I did make, based on the paper Jeff Jonas and I published: predictive data mining won’t catch terrorists.

His evidence that ATS-P works?: “[I]ts continued use by CBP and CBP’s ongoing efforts to improve it.” It takes several logical leaps and generous inferences to make that good evidence.

The only other successes with finding immigrating terrorists he cites beyond al-Banna (if indeed he was a terrorist at the time) are “Millennium Bomber” Ahmed Ressam and Mohammed al-Qahtani. Those two, though, were picked up by alert CBP officers unaided by ATS-P (so far as we know — and one expects we would know).

Two terrorists that perhaps should have been picked up by ATS-P but weren’t are Nawaf al-Hazmi and Khalid al-Midhar, 9-11 attackers who entered the country and lived openly in the United States even though they were known to be linked to the bombing of the U.S.S. Cole. Before U.S. authorities failed to look for them, ATS-P failed to pick them out for additional questioning at the border. That’s typical of data mining for terrorism: high false positives and high false negatives.

Let’s Talk Passport Privacy!

With the revelation that the passport files of all three major presidential candidates were wrongly accessed, Sen. John McCain’s office issued the following statement:

The U.S. government has a responsibility to respect the privacy of all Americans. It appears that privacy was breached and I expect a thorough review and a change in procedures as necessary to ensure the privacy of all passport files.

Yes, the government does have a responsibility to respect our privacy, retaining as confidential the data it collects as a condition of our exercising the right to travel.

And all the presidential candidates might want to take a look at a recent State Department notice in the Federal Register. It would open passport files to:

  • the Department of Homeland Security,
  • the Department of Justice, including the FBI, the BATFE, the U.S. Marshals Service, and other components,
  • the Internal Revenue Service,
  • INTERPOL and other international organizations,
  • the National Counterterrorism Center,
  • the Social Security Administration,
  • public and private employers,
  • Members of Congress,
  • contractors, and
  • foreign governments.

So, yes, let’s talk about passport privacy!