Privacy, Security & Government Surveillance

Jim Harper persists in posting his best stuff over at that other blog instead of here. Yesterday, he noted that one of the big losers in New Hampshire’s state legislative races was the REAL ID Act:

Jeb Bradley was one of “several Washington officials . . . urging state senators to support Real ID” when the state legislature was considering a bill to reject it. He was defeated by Carol Shea-Porter, a surprise victor who enjoyed little help from national Democrats. Here’s Shea-Porter speaking at an anti-REAL-ID rally. Representing the Second District, Charlie Bass was an original co-sponsor of the REAL ID Act, and he touted that fact on his Web site. His replacement is Paul Hodes. Hodes is not a full-throated critic of REAL ID, but he did tell AP, “I do not favor creating a new central federal database using the permanent images of these documents. . . . A piece of paper is not the solution to securing our borders from terrorism. We need to better coordinate our existing law enforcement databases and watch lists.” The Republican leadership of the state senate gutted and killed New Hampshire’s bill to reject REAL ID earlier this year. In a debate Monday, Republican Senate President Ted Gatsas said “There’s no question REAL ID makes sense.” Ted Gatsas will no longer be Senate President. Democrats took control of the New Hampshire State Senate for only the second time since 1911. Gatsas’ re-election bid was too close to call overnight, but it now appears he narrowly beat back his Democratic opponent. As to REAL ID opponents, Governor John Lynch was re-elected. Voters gave control of the New Hampshire Executive Council (an additional legislative body that would have to approve the acceptance of federal funds for implementing REAL ID) to Democrats for good measure.

I don’t really understand why opposition to REAL ID would be considered a Democratic issue. Aren’t the Republicans supposed to be the party of federalism?

The State Department has a notice of proposed rulemaking out on the “card format passport.” It lays the groundwork for a card-style passport Americans would use when they travel to Canada, Mexico, and the Caribbean.

What’s special about it? “Vicinity read technology would allow the passport card data to be read at a distance of up to 20 feet from the reader.” That’s right: a promiscuous RFID chip would make your serial number available to anyone with a reader who wants to know your whereabouts. (The card would carry no personal data beyond this identifier.) That limitation is less reassuring than it sounds. A fixed serial number that can be read silently at a distance is a tracking handle in its own right: every reader that sees it can link its sightings together, and once any one of them has tied the number to a person, every other sighting is tied to that person too.
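To make the tracking concern concrete, here is an added example of my own; it is not code from the State Department’s notice or from any proposed card. It simulates three covert readers logging whatever identifier a card emits. A card that answers every read with a fixed serial number hands the eavesdropper a complete movement profile. A card that answers with a fresh keyed token each time (a random nonce plus an HMAC over the nonce and the serial, resolvable only by a verifier holding the card’s key) does not, even though the legitimate verifier still identifies it. The reader locations, times, serial number and key are all constructed, and the randomized-token scheme is my illustration of what a non-promiscuous design would have to do, not a feature of any deployed card; it goes beyond the notice, which describes only the fixed-identifier design.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed example: three covert readers at fixed locations log every
# identifier they can pull out of the air at the times below.
SCHEDULE = [("08:05", "bus stop"), ("08:40", "pharmacy"), ("09:10", "clinic")]


class StaticIdCard:
    """Card that answers every read with the same fixed serial number."""

    def __init__(self, serial):
        self.serial = serial

    def respond(self):
        return self.serial


class RandomizedIdCard:
    """Card that answers each read with nonce || HMAC(key, nonce || serial).

    Two tokens from the same card cannot be linked without the key, so a
    covert reader sees a different identifier on every read.
    """

    def __init__(self, serial, key):
        self.serial = serial
        self.key = key

    def respond(self):
        nonce = secrets.token_bytes(8)
        tag = hmac.new(self.key, nonce + self.serial.encode(), hashlib.sha256).digest()[:8]
        return nonce.hex() + ":" + tag.hex()


def resolve_token(token, enrolled):
    """Legitimate verifier: try each enrolled (serial, key) pair against the token."""
    nonce_hex, tag_hex = token.split(":")
    nonce = bytes.fromhex(nonce_hex)
    for serial, key in enrolled.items():
        expected = hmac.new(key, nonce + serial.encode(), hashlib.sha256).digest()[:8]
        if hmac.compare_digest(expected.hex(), tag_hex):
            return serial
    return None


def covert_readers_log(card, schedule):
    """Simulate the card being read once at each (time, location) in the schedule."""
    return [(t, loc, card.respond()) for t, loc in schedule]


def build_profiles(log):
    """What the eavesdropper learns: each identifier mapped to where and when it was seen."""
    profiles = defaultdict(list)
    for t, loc, ident in log:
        profiles[ident].append((t, loc))
    return dict(profiles)


def longest_track(log):
    """Largest number of sightings the eavesdropper can chain to one identifier."""
    return max(len(sightings) for sightings in build_profiles(log).values())


def demo():
    key = bytes.fromhex("00" * 32)  # placeholder; a real card would hold a per-card secret
    static_log = covert_readers_log(StaticIdCard("C1234567"), SCHEDULE)
    random_log = covert_readers_log(RandomizedIdCard("C1234567", key), SCHEDULE)
    enrolled = {"C1234567": key}
    resolved = [resolve_token(token, enrolled) for _, _, token in random_log]
    return longest_track(static_log), longest_track(random_log), resolved


if __name__ == "__main__":
    static_chain, random_chain, resolved = demo()
    print("static card: eavesdropper chains", static_chain, "sightings to one serial")
    print("randomized card: eavesdropper chains at most", random_chain, "sighting per token;",
          "verifier with the key still resolves", resolved)
```

The point of the contrast is that “no personal data on the card” is not the same as “no tracking”: with the static card, the eavesdropper gets the full three-stop itinerary from the serial number alone, while with the randomized card it gets three unrelated tokens and only the party holding the key can tell they came from the same document.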

If you have concerns about it, the comment period lasts until December 18, 2006. You can e-mail— wait, there’s no e-mail address.

Instead, it says, “Comments by Internet are to be sent to http://www.regulations.gov/index.cfm.” So you must go there and search for the Federal Register notice and submit your comment— wait, they are not accepting comments online either.

This Agency does NOT accept electronic comments for this Federal Register document. You must print out this comment and submit it to the agency by any method identified in the Federal Register document for the rule you are commenting on. The agency’s contact information will also appear on the printed comment form. Your comment will not be considered until this agency receives it. For further information, follow directions in the specific Federal Register document or contact the specific agency directly.

Over on Cato@Liberty, I’ve written a couple of times about how government access to data threatens many new and forthcoming business models.

TechDirt, a favorite tech-business blog, writes today about some ISPs’ perceived lack of cooperation with law enforcement. That ‘lack of cooperation’ is asking for a warrant before revealing customer data. “But requiring a warrant is a check against abuse; without them it’s hard for ISPs to judge the legitimacy and seriousness of a request. By valuing privacy, they better serve their customers, and ensure that law enforcement is only pursuing cases within the scope of the law.”

Very nice to see a business-oriented blog showing how privacy protection aligns with commercial interests and good government.

In recent posts, I’ve been documenting the troubling reports of government agencies losing laptops and compromising private information. And as I mentioned in another post, Rep. Tom Davis (R-VA), the Chairman of the committee, has introduced H.R. 6163, the “Federal Agency Data Breach Protection Act,” to try to get this problem under control, although the legislation would really do nothing of the sort.

Sadly, there’s more news to report on this front.


Oops

November 2, 2006

Mike Masnick has some depressing news:

Within the security community, there’s been a lot of talk about “security theater” when it comes to the airline business. In the last few years, plenty of new security measures have been put in place–but just because we can see or deal with new security measures (dump your liquids, everyone!), does it actually make us any safer? While there’s been a ton of attention paid in the last week to a security researcher who showed just how easy it was for anyone to create their own boarding pass to get past the security checkpoint, a much scarier story is sent in by Damon, who points out that for all of the security changes, new technologies and new processes, it doesn’t do a damn bit of good if the TSA screeners let people with weapons through the checkpoint. That’s exactly what happened at Newark airport, where a “secret shopper” (or should that be “secret bomber”?) test found that 20 out of 22 weapons got through the security clearing process. Now aren’t you glad that you have to remove your shoes and can’t bring a bottle of water on board any more? If we’re serious about air travel security, then it’s about time that we actually focused on security–not play-acting to make people think that something’s been done.

Let me repeat that: 20 out of 22 weapons got through. That’s more than 90 percent failure.

The fundamental problem here is that the TSA has no particular incentive to make air travel safer. They have to act like they’re responding to terrorist threats, but as long as they appear to be “doing something,” it doesn’t matter if any of their “security measures” actually accomplish anything. And, not surprisingly, it appears that to a first approximation, they don’t.

We’ve spent a lot of time here on the TLF discussing our reservations about age verification and data retention mandates. We object on many grounds, but privacy and data security concerns are typically at the top of our list.

Government officials or others supporting mandatory data collection / retention always assure us that our personal information will be secure and that it will not fall into the wrong hands. And then something like this happens in Utah and reminds us why we were right to be concerned:

In a jaw-dropping embarrassment, the state of Utah has mistakenly divulged e-mail addresses of kids on its so-called child-protection do-not-e-mail list–a registry proponents claim is foolproof. The gaffe stems from four citations the state issued recently against companies it alleges sent e-mail to children’s addresses on its do-not-e-mail registry promoting alcohol, gambling and pornography. According to court papers, when Justin Weiss, director of legislative affairs for the E-mail Sender and Provider Coalition, requested copies of the citations from Utah, the state complied but failed to redact the e-mail addresses of the children in the complaints. “I have no personal knowledge of how many other unredacted copies may have been sent out to other individuals that made information requests like mine,” said Weiss in an affidavit. State officials are reportedly mortified over the incident. “A fair amount of trust has been placed with us and this is not a good thing,” Utah’s Department of Commerce Director Francis Giani reportedly told the Salt Lake Tribune. “I’m sick about it.”

As you should be. But I also hope others heed the lesson here: Despite government assurances to the contrary, government-collected personal information is never perfectly secure. That’s why we must always be vigilant about limiting how much personal information our government can get its hands on. Read Jim Harper’s fine new book, Identity Crisis: How Identification is Overused and Misunderstood, to learn more about these dangers.

I have examined the CAPPS program and the fake boarding pass generator in a longish post over on Cato@Liberty.

At the tail end, I say “The fake boarding pass generator does not create a new security weakness. It reveals an existing one. Though some people may want to, it’s important not to kill the messenger . . . .”

Michael Hampton of the entertaining and insightful HomelandStupidity.us quickly pointed me to the views of Congressman Ed Markey (D-MA), which are reflected in Ryan Singel’s post on 27B Stroke 6: Congressman Ed Markey Wants Security Researcher Arrested.

Update: Do check the post on this topic at HomelandStupidity. Scroll down for a YouTube video send-up of identity-based security.

With the holidays approaching, a new program providing greater access to airport concourses is underway. At select airports throughout the country, non-travelers can now enter and meet arriving loved ones, as was routine just a few years ago.

Everyone entering the concourse will still be subject to physical security checks, but the program permits travelers to pass through security and board planes without showing ID to transportation authorities, or while using a false or pseudonymous ID.

Has the Transportation Security Administration seen fit to restore convenience, privacy, and freedom to air travelers? Seen the light on identification-based security and relented on ID/boarding card checks? Well, no.

A PhD student in the Security Informatics program at Indiana University has created a generator that anyone can use to mock up their own boarding pass. He notes a number of different uses for it – among them, meeting your elderly grandparents at the gate, or evading the TSA’s no-fly list. So far, it’s only good for Northwest Airlines, but others would be equally easy to design.

Checking the ID and boarding pass is intended to communicate to personnel at the concourse checkpoint that the person has been run past the watch list and “no-fly” list. The pass serves as a sort of second credential, linked by name to the ID of the person who has been reviewed. But the pass is self-printed and carries nothing the checkpoint can verify, so the only check is that two pieces of paper agree with each other, and that is a link this spoof easily breaks. Fake a pass matching any ID you have, and you are in the concourse.

I wouldn’t recommend using this system without a careful check of the law – if you are allowed to see it. It’s probably illegal to access an airport concourse this way and the TSA would bring the full weight of its enforcement powers down on you if you were caught. Needless to say, making it illegal to evade security is what keeps the terrorists in line.

Hmm. Or maybe security procedures actually need to work.

And that’s the researcher’s point: Comparing a boarding pass to an identification document at the airport does little to prevent a watch-listed or no-fly-listed person from passing (except perhaps to inconvenience him a little more than everyone else). Indeed, identification-based security is Swiss-cheesed with flaws.

The first problem is that you have to know who the bad guys are. If you don’t know who is bad, your ID-based security system can’t catch them. If you do know who is bad, you have to make sure that they aren’t using an alias. The cost of doing so may vary, but defrauding or corrupting identity systems is an option that will never be closed to wrongdoers. Making an identity system costly for bad guys to defeat also makes it costly for good people to use. Witness the REAL ID Act.

The linear response to the exposure of this flaw could be to “tighten up” the system – perhaps by discontinuing the use of self-printed boarding passes. The right response is to abandon the folly of identity-based security and use security methods that address tools and methods of attack directly.
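Here is an added example, written by me for this page, that plays out both responses in code; it is not the researcher’s generator and not a description of the TSA’s actual process. A self-printed pass carries nothing the checkpoint can verify, so a name-only check accepts any pass whose name happens to match the ID presented. The “tighten up” response binds the pass fields with a MAC under a key the airline and checkpoint share (my assumption, not a feature of any airline’s passes), which rejects forged and edited passes. The last scenario is the first problem described above: a listed person holding a fraudulent ID in an unlisted alias checks in under that alias, receives a genuinely signed pass, and clears the tightened check. The watch-list entry, passenger names, flight number and key are all constructed.

```python
import hashlib
import hmac
import json

# Constructed data: the only watch-listed name is fictional.
WATCH_LIST = {"DOE/JANE"}


def canonical(fields):
    """Stable byte encoding of the pass fields so airline and checkpoint MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def airline_checkin(name, flight, date, seat, key):
    """Check-in is the one place the name is actually compared to the watch list.

    Returns a pass whose fields are bound together with an HMAC under a key the
    checkpoint also holds (assumed here), or None if check-in is refused.
    """
    if name.upper() in WATCH_LIST:
        return None
    fields = {"name": name.upper(), "flight": flight, "date": date, "seat": seat}
    mac = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


def forge_pass(name, flight, date, seat):
    """What a pass generator produces: the same fields, bound to no check-in at all."""
    return {"name": name.upper(), "flight": flight, "date": date, "seat": seat, "mac": ""}


def checkpoint_name_only(boarding_pass, id_name):
    """The check as described: do the two pieces of paper agree with each other?"""
    return boarding_pass["name"] == id_name.upper()


def checkpoint_verified(boarding_pass, id_name, key):
    """The tightened check: the pass must carry a valid MAC and the name must match the ID."""
    fields = {k: v for k, v in boarding_pass.items() if k != "mac"}
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, boarding_pass["mac"]) and fields["name"] == id_name.upper()


def scenarios(key):
    """Three passengers at one checkpoint; returns which checks each one passes."""
    # 1. Listed person is refused at check-in and prints a pass under the real name.
    refused = airline_checkin("Doe/Jane", "NW123", "2006-11-02", "14C", key)
    forged = forge_pass("Doe/Jane", "NW123", "2006-11-02", "14C")
    # 2. Same person, now holding a fraudulent ID in an alias that is not listed.
    alias_pass = airline_checkin("Smith/John", "NW123", "2006-11-02", "14C", key)
    # 3. Honest non-traveler who only wants to meet family at the gate.
    visitor = forge_pass("Roe/Richard", "NW123", "2006-11-02", "01A")
    return {
        "checkin_refused_listed_name": refused is None,
        "forged_pass_name_only": checkpoint_name_only(forged, "Doe/Jane"),
        "forged_pass_verified": checkpoint_verified(forged, "Doe/Jane", key),
        "alias_pass_verified": checkpoint_verified(alias_pass, "Smith/John", key),
        "tampered_seat_verified": checkpoint_verified({**alias_pass, "seat": "01A"}, "Smith/John", key),
        "gate_visitor_name_only": checkpoint_name_only(visitor, "Roe/Richard"),
    }


if __name__ == "__main__":
    for outcome, passed in scenarios(b"k" * 32).items():
        print(f"{outcome}: {passed}")
```

The MAC closes exactly one gap, the forgeable pass, and the alias scenario shows why that is not the same as closing the identity gap: the checkpoint can now prove the pass came from check-in, but check-in can only screen the name it was given.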

There’s plenty on identity and identity-based security in my book Identity Crisis.

Interesting question – and perhaps simpler than many people think.

Back in June, the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (on which I serve) published a draft report on the use of RFID for human tracking.  The report poured cold water on using RFID in government-mandated identity cards and documents.  This met with some consternation among the DHS bureaus that plan to use RFID this way, and among the businesses eager to sell the technology to the government.

Despite diligent work to put the report in final form, the Committee took a pass on it at its most recent meeting in September – nominally because new members of the Committee had not had time to consider it.  The Committee is expected to finish this work and finalize the report in December.

But skeptics of the report continue to come out of the woodwork.  Most recently, the Center for Democracy and Technology wrote a letter to the Privacy Committee encouraging more study of the issue, implicitly discouraging the Committee from finding against RFID-embedded government documents.  CDT invited “a deeper factual inquiry and analysis [that] would foster more thoughtful and constructive public dialog.”

If the correct answer is “no,” do you have to say “yes” to be constructive? RFID offers no anti-forgery or anti-tampering benefit over other digital technologies that can be used in identification cards; indeed, it has greater security weaknesses than the alternatives, since it adds a radio interface that can be read without the bearer’s knowledge. And RFID has only negligible benefits in terms of speed and convenience, because it does not assist with the comparison between the identifiers on a card and the bearer of the card, which is what takes up all the time in the process of identifying someone. (If that’s too much jargon, you need to read my book Identity Crisis: How Identification is Overused and Misunderstood.)

I shared my impression of CDT’s comments in an e-mail back to Jim Dempsey.  Jim and CDT do valuable work, but I think they are late to this discussion and are unwittingly undermining the Privacy Committee’s work to protect Americans’ privacy and civil liberties. My missive helps illustrate the thinking and the urgency of this problem, so after the jump, the contents of that e-mail:


Child predators. Before we go down the road of locking them up and throwing away the key, we should read about this botched raid by police who had used the wrong IP address to determine who the suspects were. Weirdly, Shaquille O’Neal was part of the goon squad.

(ht: Balko)