Articles by Jim Harper

Jim is the Director of Information Policy Studies at The Cato Institute, the Editor of Web-based privacy think-tank Privacilla.org, and the Webmaster of WashingtonWatch.com. Prior to becoming a policy analyst, Jim served as counsel to committees in both the House and Senate.


I’m often asked what one can do to avoid becoming the victim of “identity theft” – actually identity fraud, the use of one’s personal information to impersonate, typically in the financial services world.

My advice is usually “not very much,” and I specifically recommend against any of the credit or ID theft monitoring services. My rough cost-benefit analysis of these services is that it isn’t worth $8 or $10 per month to avoid the relatively low risk of being a victim of any kind of serious identity fraud. Credit card fraud is the most common form of ‘identity theft.’ It threatens no liability and only a little bit of inconvenience to most consumers in the United States – consumers that are prudent, anyway. And I’ve never understood what these services would or could do to prevent or mitigate a true impersonation fraud.

The one thing they might do is place “fraud alerts” on your identity with credit bureaus, but that’s burning the village to save it. Anticipatorily sullying your own credit file may reduce your likelihood of being a subject of identity fraud, yes, but it destroys the benefit of having good credit in the first place – that’s what you’re trying to protect.

Now comes news that LifeLock, one of the most prominent purveyors of “proactive identity theft protection,” is being sued in several states. The allegations cluster around . . . oh, I’ll put it this way: B.S.ing people into paying them money. I don’t know whether the specific allegations are merited, or whether selling people assurance about something they needn’t fear is actionable, but my gut is that LifeLock is closer to a scam than a real service. It’s certainly not worth $100+ a year.

Check your bank and credit card statements when they come. You might get a copy of your credit file from each of the major credit bureaus if you’ve got a big financial transaction like a home purchase or refinancing. Other than that, my advice is to relax and have a good time. You’re not going to avoid being a subject of identity fraud using these services, and only in the rare, exotic case will being a victim of identity fraud cause you a great deal of harm.

Inspired by the promotional brochure I recently came across, I’ve taken a look at L-1 Identity Solutions in a Cato TechKnowledge paper. Though it has better options, L-1 and its new acquisition, Digimarc ID Systems, seem likely to continue lobbying for the REAL ID Act. My concluding line may be a little obvious: “A corporate lobbying operation can do as much harm to liberty as any government agency or official.”

Yesterday – Sunday, May 11, 2008 – was the statutory deadline for state compliance with the REAL ID Act. Not a single state has begun issuing nationally standardized IDs as called for by the law. Nor are they putting driver information into nationally accessible databases.

Matthew Blake of the Washington Independent has a solid recap of the situation.

Can a company have a Freudian slip? If it’s possible, L-1 Identity Solutions has committed one.

In a promotional brochure for REAL ID Act “solutions,” it implicitly touts the ability to track people by race and by political party. This is not required by the REAL ID Act, but it’s not barred by it either.

In my testimony to Congress and in a post here, I pointed out the concern that REAL ID could be used for racial tracking. Political party is a new one, but who knows what would happen should the system be implemented.

Excerpt of L1 REAL ID promotion

D.C.-based TLFers, if you haven’t seen it yet, The Singing Revolution has been held over for another week at the E Street Cinema. Find showtimes here.

Non-D.C.-based TLFers, check out The Singing Revolution Web site for upcoming showings in your town.

Here’s my earlier post on the movie.

Last week, Minnesota Governor Tim Pawlenty (R) vetoed a transportation bill that included a provision objecting to the federal REAL ID Act. The bill would have required the federal government to pay 95 percent of the cost of issuing national IDs before Minnesota would participate. Claiming political machinations were afoot, Pawlenty said that he preferred “something more reasonable like 50 or 60 percent.” One wonders what principle of federalism, liberty, or privacy could possibly support his willingness to accept a 50% unfunded surveillance mandate.

A much clearer vision will be on display next week when Governor Mark Sanford (R-SC) joins Senator Jon Tester (D-MT) here at the Cato Institute to discuss the REAL ID Act. South Carolina has barred itself from participating in the national ID system created by the Act, and Governor Sanford defiantly refused to ask the Department of Homeland Security for an extension of the compliance deadline earlier this year.

Senator Tester represents a state that has been similarly defiant. He is an original cosponsor of legislation that would repeal the REAL ID Act and restore the identification security provisions of the Intelligence Reform and Terrorism Protection Act, which REAL ID repealed.

The event is called The REAL ID Rebellion: Whither the National ID Law?, next Wednesday, May 7th, at noon, and it will be Webcast.

What a delightful chapter title in Adam Shostack’s and Andrew Stewart’s new book, The New School of Information Security. Adam is a guy I’ve known for a lot of years now – somehow. He always seems to pop up in the places I go – both physically (at conferences and such) – and intellectually. He blogs at Emergent Chaos and maintains a list of his interesting papers and presentations on his personal homepage.

Adam and his co-author have produced a readable, compact tour of the information security field as it stands today – or perhaps as it lies in its crib. What we know intuitively the authors bring forward thoughtfully in their analysis of the information security industry: it is struggling to keep up with the defects in online communication, data storage, and business processes.

Shostack and Stewart helpfully review the stable of plagues on computing, communication, and remote commerce: spam, phishing, viruses, identity theft, and such. Likewise, they introduce the cast of characters in the security field, all of whom seem to be feeling along in the dark together.

Why are the lights off? Lack of data, they argue. Most information security decisions are taken in the absence of good information. The authors perceptively describe the substitutes for information, like following trends, clinging to established brands, or chasing after studies produced by or for security vendors.

The authors revel in the breach data that has been made available to them thanks to disclosure laws like California’s SB 1386. A libertarian purist must quibble with mandated disclosure when common law can drive consumer protection more elegantly. But good data is good data, and the happenstance of its availability in the breach area is welcome.

In the most delightful chapter in the book (I’ve used it as the title of this post), Shostack and Stewart go through some of the most interesting problems in information security. Technical problems are what they are. Economics, sociology, psychology, and the like are the disciplines that will actually frame the solutions for information security problems.

In subsequent chapters, Shostack and Stewart examine security spending and advocate for the “New School” approach to security. I would summarize theirs as a call for rigor, which is lacking today. It’s ironic that the world of information lacks for data about its own workings, and thus lacks sound decision-making methods, but there you go.

The book is a little heavy on “New School” talk. If the name doesn’t stick, Shostack and Stewart risk looking like they failed to start a trend. But it’s a trend that must take hold if information security is going to be a sound discipline and industry. I’m better aware for reading The New School of Information Security that info sec is very much in its infancy. The nurturing Shostack and Stewart recommend will help it grow.

The National Conference of State Legislatures wants the REAL ID Act gone. It supports S. 717, the Identification Security Enhancement Act of 2007, which would repeal the REAL ID Act and reinstitute a negotiated rulemaking process on identity security that was established in the 9/11-Commission-inspired Intelligence Reform and Terrorism Prevention Act.

It’s not a foregone conclusion that an organization like this would reject a behemoth of a project like building a national ID and surveillance system. The NCSL isn’t a small-government organization, and it could just as well have lobbied for billions of dollars in funding.

Says WCCO.com:

Pawlenty has threatened to veto a major transportation bill because it includes language that would hamper Minnesota’s ability to comply with the [REAL ID Act].

A “sensor” is a device that measures a physical quantity and converts it into a signal that can be read by an observer or instrument. Sensors that convert analog information into digital form are the most interesting. The information they collect is easy to store, transmit, and reuse.

Digital sensors are all around – the keyboard on your computer, your cell phone, the surveillance cameras in your office building, and so on.

Lots of good things come from having these sensors around, and the systems they attach to – that’s for sure. But they don’t always serve our interests. Let’s take a look at an example of digital sensing gone wrong.

A colleague of mine recently returned from a business trip to Las Vegas, where he engaged in important and sober work. He arrived home late from his trip, and his patient and loving wife, already in bed, engaged him in some conversation. Fairly quickly, she asked him whether he had enjoyed himself at the strip bar (!). My hard-working and serious colleague was concerned. Why, on returning to the warm glow of his happy home-life, should he be asked this question?
