Topic: Telecom, Internet & Information Policy

Lipstick on a Pig

The Fair, Accurate, Secure and Timely Redress Act of 2007 is a recently introduced bill that would establish a dedicated agency within the Department of Homeland Security to coordinate and streamline the appeals of people who believe they have been wrongly watch-listed by DHS or the Department of Justice. This office would maintain a “Cleared List” of names that have been identified as not representing a risk.

This is not an answer. As I’ve written before, watch-listing is alien to our system of justice and law enforcement. And because of the potential for opening holes in the pseudo-security watch-listing provides, getting “cleared” by this office would be a bureaucratic nightmare.

This proposal is lipstick on a pig. The pig is watch-listing.

More Cost-Ineffective Security: Criminalizing Tourism

I’ve written in the past about the costliness of the Western Hemisphere Travel Initiative compared to its small security benefit.

Here’s more cost-ineffective security: Fingerprinting visitors to the U.S.

The Department of Homeland Security announced this week that it would begin collecting 10 fingerprints from foreign visitors to the United States, an extension of the US-VISIT program. This looks like another self-injurious overreaction to the threat of terrorism.

I don’t think collecting ten fingerprints in the US-VISIT program violates civil liberties. People have a diminished right against search and seizure at our international borders. But it is a serious privacy concern for visitors to the U.S.

Their biometrics are entered into a U.S. government database and they have no idea what may be done with that information in the future. DHS keeps that data for 75 years. Yes, lawful visitors to this country, who come to snap pictures of the Statue of Liberty and teach their kids about the United States, go into a U.S. government database for the rest of their lives. It’s just insulting to the millions of good people who want to visit us.

With that, let’s do a rough cost-benefit analysis of collecting 10 fingerprints from foreign visitors to the U.S. It appears to be another security program whose costs outweigh its benefits.

On the costs side of the ledger:

- First, it treats international visitors to the U.S. like criminals. This erodes the goodwill that the United States enjoys in the world, meaning we are less able to convince foreign governments to work with us on all kinds of very important issues. That cost is not easily quantified, but it is substantial. If we can’t get cooperation from Russia on Iran’s nuclear program, for example, that could cost us hundreds of billions or more in the next decade or two.

- More easily quantified is the reduction in lawful trade and travel: The findings of a House bill meant to encourage foreign tourism recite a 56,000,000, or 17 percent, drop in international visitors to the U.S. versus what was expected from 2001 to 2006. Let’s say 10% of this is caused by fingerprinting in the US-VISIT program – people don’t want to come here if we insult them on arrival. The Commerce Department estimates that these visitors would have spent $98,000,000,000 (valued in 2007 dollars) in the U.S. Ten percent of that is $9.8 billion in lost revenue – a significant loss to the economy caused by our harsh treatment of visitors.

- Then there are the costs of running the program – I don’t know what they are, but they’re probably in the tens of millions to $100 million+ per year in Americans’ tax dollars.

Is it worth it? Let’s look at the benefits:

The DHS release says that since 2004, collecting fingerprints in the US-VISIT program has been used “to prevent the use of fraudulent documents, protect visitors from identity theft, and stop thousands of criminals and immigration violators from entering the country.” It gives no hard numbers, but it would have said “tens of thousands” if it was in that range, so let’s say it’s 10,000 violators they’ve caught. ($9.8 billion/10,000=$980,000) Each violator would have had to do almost a million dollars in damage for this security measure to be cost-effective. The average document fraudster, ID fraudster, and immigration violator does nothing near that much harm.

But perhaps the program prevented a single terrorist, or a small group of them, from entering the country, people who would have done $10 billion in damage. This could only be true if we knew in advance exactly which terrorists were coming into the country. But terrorists are fungible. A terrorist organization can select people to send to the U.S. that have no prior participation in terrorism, people who can pass through US-VISIT. With two exceptions, this is what Al Qaeda did for the 9/11 attacks – sent people without any history of terrorism.

US-VISIT can’t prevent a terrorist organization from infiltrating the country – at best, it might delay their activities a couple of weeks while they select the right people to send. Delaying a terrorist attack that causes $10 billion in damage by a month is worth about $42 million. Obviously, spending $9.8 billion to avoid $42 million in damage is not cost-effective security.

My conclusion is that US-VISIT does more harm to the country than it prevents. I welcome suggested refinements to these numbers. Again, this is very back-of-envelope.

Now, should we pass the legislation to make people feel better about us? I’m not sure that’s the solution. The Senate version of legislation to improve our esteem in the world costs $1.80 per person in the United States - $5.64 per U.S. family.

Why spend this money to make people feel better about us when we could make people feel better about us by spending less! US-VISIT doesn’t significantly add to our protections. Given its costs, we should drop it.

Goose:Gander / Illegal Immigrants:Gun Owners

I’ve spent the last few months studying and writing about electronic employment eligibility verification. This is the idea of requiring every employer in the country to check the immigration status of employees against Department of Homeland Security and Social Security Administration databases. A nationwide EEV program, building on the current Basic Pilot/”E-Verify” program, was treated as a matter of near consensus at the beginning of this past summer’s immigration debate, and the Department of Homeland Security continues to promote it.

There are a lot of weaknesses in EEV. Foremost, such a system would be subject to a lot of document fraud, just like today’s Form I-9. Requiring employers to collect these forms and check the documentation of new employees doesn’t do much to control illegal immigration.

If this process were “strengthened” with a national EEV system, continuing document fraud would drive policymakers inexorably toward “strengthening” the identity cards used in the system. Indeed, the leading immigration bill this summer would have required every new hire in America to present a REAL ID-compliant national ID card. EEV requires a national ID.

This is fine by many people who are angered by illegal immigration. But the folks who want EEV and a national ID might want to be careful what they wish for.

A group called Mayors Against Illegal Guns recently sent a letter to all the major presidential candidates asking a detailed set of questions about their positions on gun control. Among them:

… Do you support a change in federal law to require that gun purchasers show Real ID-compliant identification by 2013?

I believe that REAL ID will not be implemented. In fact, the presence of REAL ID in the immigration bill is what killed it. But if EEV goes forward, it could bring REAL ID back from the dead.

With a national ID and a national infrastructure for regulating individual behavior in place, advocates will immediately seek to expand its uses - including to gun control. So it seems that those fervent opponents of illegal immigration who want a national EEV system have a choice: Will you give up your guns to get rid of illegal immigrants?

Which Secretary Chertoff Do You Believe?

In February, Department of Homeland Security Secretary Michael Chertoff said the following about the REAL ID Act: “If we don’t get it done now, someone is going to be sitting around in three or four years explaining to the next 9/11 Commission why we didn’t do it.”

Alice Lipowicz of Washington Technology reported on REAL ID yesterday:

[Chertoff] and other DHS officials have said that older drivers present a lower terrorism risk and, therefore, might be allowed more time to switch to Real ID licenses. According to the Washington Post, DHS might extend the deadline to 2018 for drivers older than 40 or 50. Moreover, states will have more time to implement the act, Chertoff said.

DHS had previously extended the statutory May 2008 deadline for beginning implementation to December 2009 and recently set 2013 as the deadline for full implementation.

2013 is more than 5 years from now - 2018 is more than eleven. For all Chertoff’s urgency at the beginning of the year, has the Department abandoned its mission to secure the country?

Of course not. But Chertoff and the DHS were clearly trying to buffalo the Congress and the American people on REAL ID earlier this year. They haven’t succeeded.

Happily, this national ID system doesn’t add to our country’s security as its proponents have imagined. We are not unsafe for lacking a national ID. I explored all these issues in my book Identity Crisis.

If REAL ID were a sound security tool, pushing back the deadline for compliance would be a security risk, of course, as would reducing the quality of the cardstock used to make REAL ID-compliant cards - another measure DHS is considering.

Forget security, though. DHS is straining to get the program implemented just so it can claim success and save some face.

“[T]hose who are singing a funeral dirge, I think they’re singing the wrong tune,” Chertoff said November 6th. Alas, as before, Secretary Chertoff is the one more likely to sing a different song.

The Big UK Data Breach

I’ve testified and written several times about how such things as REAL ID and “electronic employment eligibility verification” are threats to our identity system. Collecting identity information in one place is the creation of new security risks. Now the UK has proven it - so we don’t have to!

The sensitive personal details of 25 million Britons could have fallen into the hands of identity fraudsters after a government agency lost the entire child benefit database in the post.A major police investigation is being conducted after Alistair Darling, the Chancellor, admitted yesterday that names, addresses, birth dates, national insurance numbers and bank account details of every child benefit claimant in the country had gone missing.

Most likely, this data is just lost, but in the wrong hands it would provide criminals all they need to impersonate any of these 25 million people.

The persons responsible have been sacked. Specifically, Paul Gray, chairman of HM Revenue & Customs office.

Consumer Product Info - Regulation or Markets?

60 Minutes had an interesting and balanced piece last night on proposals to mandate that fast-food restaurants promote calorie information by placing it directly on their menus.

This fits in a category of regulation that is increasingly prominent: mandated disclosure and promotion of product information. There are plenty of examples: financial privacy notices, real estate purchasing notices, nutrition labeling, etc.

If consumers had unlimited attention, the surfeit of notices would be an unqualified good thing. But consumer attention is not unlimited. Consumers quickly learn to ignore notices that don’t interest them. Notices can easily confuse consumers. Mandated notices often provide information that consumers would already get in more accessible ways.

Nutrition labeling is the sacred cow of mandated disclosure, of course, and mandating calorie notices in restaurants is one of its calves. Everyone who talks about nutrition labeling uses nutrition labeling and so can’t believe that anyone doesn’t. But it certainly hasn’t done anything to change the trend in U.S. obesity since the 1990 law requiring nutrition labeling went into effect.

Note in the 60 Minutes piece how proponents of calorie labeling really are just social engineers. They can’t outlaw you buying that Big Mac, so they’re going to put discouragement in your face using the intermediary of Mickey D’s. They mean well, but I’d just as well have them mind their own business.

Information about products and services is subject to market demand just like every other feature of the things we buy. If you don’t believe me, try running a grocery store without putting price tags on or near the canned peaches.