Topic: Telecom, Internet & Information Policy

Which Secretary Chertoff Do You Believe?

In February, Department of Homeland Security Secretary Michael Chertoff said the following about the REAL ID Act: “If we don’t get it done now, someone is going to be sitting around in three or four years explaining to the next 9/11 Commission why we didn’t do it.”

Alice Lipowicz of Washington Technology reported on REAL ID yesterday:

[Chertoff] and other DHS officials have said that older drivers present a lower terrorism risk and, therefore, might be allowed more time to switch to Real ID licenses. According to the Washington Post, DHS might extend the deadline to 2018 for drivers older than 40 or 50. Moreover, states will have more time to implement the act, Chertoff said.

DHS had previously extended the statutory May 2008 deadline for beginning implementation to December 2009 and recently set 2013 as the deadline for full implementation.

2013 is more than 5 years from now - 2018 is more than eleven. For all Chertoff’s urgency at the beginning of the year, has the Department abandoned its mission to secure the country?

Of course not. But Chertoff and the DHS were clearly trying to buffalo the Congress and the American people on REAL ID earlier this year. They haven’t succeeded.

Happily, this national ID system doesn’t add to our country’s security as its proponents have imagined. We are not unsafe for lacking a national ID. I explored all these issues in my book Identity Crisis.

If REAL ID were a sound security tool, pushing back the deadline for compliance would be a security risk, of course, as would reducing the quality of the cardstock used to make REAL ID-compliant cards - another measure DHS is considering.

Forget security, though. DHS is straining to get the program implemented just so it can claim success and save some face.

“[T]hose who are singing a funeral dirge, I think they’re singing the wrong tune,” Chertoff said November 6th. Alas, as before, Secretary Chertoff is the one more likely to sing a different song.

The Big UK Data Breach

I’ve testified and written several times about how such things as REAL ID and “electronic employment eligibility verification” are threats to our identity system. Collecting identity information in one place is the creation of new security risks. Now the UK has proven it - so we don’t have to!

The sensitive personal details of 25 million Britons could have fallen into the hands of identity fraudsters after a government agency lost the entire child benefit database in the post. A major police investigation is being conducted after Alistair Darling, the Chancellor, admitted yesterday that names, addresses, birth dates, national insurance numbers and bank account details of every child benefit claimant in the country had gone missing.

Most likely, this data is just lost, but in the wrong hands it would provide criminals all they need to impersonate any of these 25 million people.

The persons responsible have been sacked. Specifically, Paul Gray, chairman of HM Revenue & Customs office.

Consumer Product Info - Regulation or Markets?

60 Minutes had an interesting and balanced piece last night on proposals to mandate that fast-food restaurants promote calorie information by placing it directly on their menus.

This fits in a category of regulation that is increasingly prominent: mandated disclosure and promotion of product information. There are plenty of examples: financial privacy notices, real estate purchasing notices, nutrition labeling, etc.

If consumers had unlimited attention, the surfeit of notices would be an unqualified good thing. But consumer attention is not unlimited. Consumers quickly learn to ignore notices that don’t interest them. Notices can easily confuse consumers. Mandated notices often provide information that consumers would already get in more accessible ways.

Nutrition labeling is the sacred cow of mandated disclosure, of course, and mandating calorie notices in restaurants is one of its calves. Everyone who talks about nutrition labeling uses nutrition labeling and so can’t believe that anyone doesn’t. But it certainly hasn’t done anything to change the trend in U.S. obesity since the 1990 law requiring nutrition labeling went into effect.

Note in the 60 Minutes piece how proponents of calorie labeling really are just social engineers. They can’t outlaw you buying that Big Mac, so they’re going to put discouragement in your face using the intermediary of Mickey D’s. They mean well, but I’d just as well have them mind their own business.

Information about products and services is subject to market demand just like every other feature of the things we buy. If you don’t believe me, try running a grocery store without putting price tags on or near the canned peaches.

WHTI Should Go

Rep. Bart Stupak (D-MI) has had the good sense to introduce a bill to repeal the Western Hemisphere Travel Initiative.

WHTI is a classic self-injurious overreaction to the threat of terrorism. The reductions in lawful trade and travel produced by WHTI and the direct costs of the program are greater than the damage to the country that would be averted by this readily defeated “security” measure.

Spitzer Gives Up, Will Start Over Later

The New York Times reports today that New York Governor Eliot Spitzer (D) has dropped his plan to issue licenses without regard to immigration status.

His original, correct decision to break the tie between driver licensing and immigration status met with hails of derision from anti-immigrant groups and his political opponents. He attempted to quell the outrage by agreeing to sign New York up for the federal government’s “REAL ID” national ID system, but this did not please anyone. So now he’s back at square one.

He said the state would put on hold the plan to adopt the Real ID, which has been championed by the Bush administration. The governor said he wanted to wait until federal regulations for Real ID licenses were issued next year before deciding how to proceed.

Now that he’s - ahem - studied the issues, one hopes he’ll recognize that REAL ID is costly, privacy-invasive, and ineffective, and he’ll decline to involve his state in the national ID program.

The Antitrust Religion in Action

This summer, David Boaz noted how sad it was that Google’s top executives have apparently diverted their attention away from developing the next hot new technology toward building their Washington presence. Declan McCullagh notes that Google’s generosity, which has flowed primarily to Democrats, may be coming back to bite them, as disgruntled Republicans have suddenly gotten religion when it comes to antitrust and are demanding that Google’s acquisition of Doubleclick receive close scrutiny. Strangely, those same Republicans weren’t so worried about a spate of mergers that involved large telecom firms like SBC and Verizon. I’m sure the disparity has nothing to do with the telecom industry’s generous contributions to their campaigns.

As I point out at Techdirt, these sorts of shenanigans shouldn’t surprise us. Modern antitrust law gives government bureaucrats seemingly unlimited discretion to second-guess corporate mergers based on the flimsiest of pretexts, or to attach arbitrary conditions to merger approvals. Last winter, for example, as a condition of the BellSouth merger, two FCC commissioners coerced AT&T into accepting “network neutrality” rules that Congress had earlier failed to adopt, rules that apply to no one else in their industry. And don’t forget the XM/Sirius debate, in which terrestrial broadcasters—their principal competitors—trotted out the ludicrous argument that the merged company would have no competition. XM and Sirius’s fundamental sin seems to be that they hadn’t invested as much money on Washington lobbyists as the NAB had.

The rule of law demands that government decision-making proceed according to objective, clearly-defined, and predictable rules. Antitrust law as it’s currently enforced doesn’t qualify, and as a result it’s ripe for abuse. And if you believe Edwin Rockefeller, this isn’t new. He argues that antitrust law has always been primarily a weapon for politically-connected companies to use against their rivals.

Identity Systems Aren’t Good Security, and Other Lessons From the Chicago Airport Fake ID Story

AFP is reporting that more than a hundred people with false identification documents were given employee security passes to Chicago’s O’Hare airport.

This is a good opportunity to compare conventional wisdom to actual security wisdom.

CW: This was a breach of the airport’s security system.
W: This was definitely a breach of the airport’s identity system, but identity systems provide very little security. The airport’s security, already weak if it relied on workers’ identities, was little changed.

CW: “ ‘If we are to ensure public safety, we must know who has access to the secure areas of airports,’ said Patrick Fitzgerald, US attorney for the northern district of Illinois.”
W: Public safety can’t be ensured by knowing who has access to the secure areas of airports. Knowing who has access may protect against ordinary threats like theft, but not against the threats to aviation that we care about.

CW: “A fundamental component of airport safety is preventing the use of false identification badges and punishing those who commit or enable such violations.”
W: Preventing the use of false identification is a trivial component of airport safety. It’s a fundamental component of airport safety programs, which are mostly for show. Security expert Bruce Schneier calls them “security theater.”

CW: “ ‘Unauthorized workers employed at sensitive facilities such as airports, nuclear power plants, chemical plants, military bases, defense facilities and seaports pose a vulnerability which compromises the integrity of those key assets,’ US Immigration and Customs Enforcement said in a statement.”
W: Authorized workers employed at sensitive facilities pose a vulnerability which compromises the integrity of those very same assets. If you want to prevent some kind of harm, you must make that harm difficult to cause, regardless of who may try.

Security is not easy.