Archive for the ‘Telecom, Internet & Information Policy’ Category
Should Government Identity Documents Use RFID?
Interesting question – and perhaps simpler than many people think.
Back in June, the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (on which I serve) published a draft report on the use of RFID for human tracking. (“RFID” stands for radio frequency identification, a suite of technologies that identify items – and, if put in cards, track people – by radio.) The report poured cold water on using RFID in government-mandated identity cards and documents. This met with some consternation among the DHS bureaus that plan to use RFID this way, and among the businesses eager to sell the technology to the government.
Despite diligent work to put the report in final form, the Committee took a pass on it at its most recent meeting in September – nominally because new members of the Committee had not had time to consider it. The Committee is expected to finish this work and finalize the report in December.
But skeptics of the report continue to come out of the woodwork. Most recently, the Center for Democracy and Technology wrote a letter to the Privacy Committee encouraging more study of the issue, implicitly discouraging the Committee from finding against RFID-embedded government documents. CDT invited ”a deeper factual inquiry and analysis [that] would foster more thoughtful and constructive public dialog.”
If the correct answer is ”no,” do you have to say “yes” to be constructive? RFID offers no anti-forgery or anti-tampering benefit over other digital technologies that can be used in identification cards - indeed it has greater security weaknesses than alternatives. And RFID has only negligible benefits in terms of speed and convenience because it does not assist with the comparison between the identifiers on a card and the bearer of the card. This is what takes up all the time in the process of identifying someone. (If that’s too much jargon, you need to read my book Identity Crisis: How Identification is Overused and Misunderstood.)
I shared my impression of CDT’s comments in an e-mail back to Jim Dempsey. Jim and CDT do valuable work, but I think they are late to this discussion and are unwittingly undermining the Privacy Committee’s work to protect Americans’ privacy and civil liberties. My missive helps illustrate the thinking and the urgency of this problem, so after the jump, the contents of that e-mail:
Google Office vs. Government “Request”
TechCrunch is a terrific blog covering new Internet products and companies. Edited by Michael Arrington, it’s a clearinghouse of information on ”Web 2.0″ – the agglomeration of innovations that could take online life and business through their next leaps forward.
In this recent post, TechCrunch briefly assessed some concerns with Google’s office strategy. Google has online offerings in the works that could substitute for the word processing and spreadsheet software on your computer – just like Gmail did with e-mail.
And just like Gmail, documents and information would remain on Google’s servers so they can be accessed anywhere. This is a great convenience, but brings with it several problems, namely:
The fact that unauthorized document access is a simple password guess or government “request” away already works against them. But the steady stream of minor security incidents we’ve seen (many very recently) can also hurt Google in the long run.
Arrington’s post goes on to highlight a series of small but significant security lapses at Google. If Google wants companies and individuals to store sensitive data on their servers, they have to be pretty near perfect - or better than perfect.
Then there is government “request.” Arrington makes appropriate use of quotation marks to indicate irony. Governments rarely “request” data in the true sense of that term. Rather, they require its disclosure various ways – by warrant or subpoena, for example, by issuing “national security letters,” or by making a technical “request” that is backed by the implicit threat of more direct action or regulatory sanctions.
On resisting government demands for data, Google has been better than most - an awfully low hurdle. It opposed a subpoena for data about users’ searches earlier this year. But Google has a long way to go if it wants people to believe that leaving data in their hands does not provide easy (and secret) access to the government. Indeed, thanks to the recently passed cybercrime treaty, doing so may well provide access to foreign governments, opening the door to corporate espionage and any number of other threats.
At a meeting of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee in San Francisco last July, I asked Google Associate General Counsel Nicole Wong what the company is doing about its ability to protect information from government “request,” given the sorry state of Fourth Amendment law with respect to personal information held by third parties. Her answer, which I must summarize because the transcript is not yet online, amounted to “not much.” (Eventually, the transcript should be linked from here.)
Google has issued a “me too” about an effort to invite regulation of itself. That project is going nowhere, but if it did get off the ground, it would do nothing about government access to the information that Google holds for its customers.
Government access to data is a big flaw in Google’s nascent effort to move into online productivity services.
Net Regulation Proponent Concedes: Markets Work
Other than the religious devotees of regulation, most observers of the drive for “network neutrality” regulation have recognized that the essential question is whether there is sufficient competition among broadband providers. If there is enough competition, broadband providers can’t use their market power to do bad things to consumers and public utility regulation of broadband is not needed.
Columbia law professor and champion of net neutrality regulation Tim Wu is quoted in the October 14 Economist admitting consumers’ power to influence broadband providers:
“The public reaction has already been as powerful and effective as any law,” says Timothy Wu, a professor at Columbia Law School who is credited with coining the term “net neutrality”. The debate has put the telecoms companies on notice that they are being watched closely, he says, and has forced them to make public pledges not to block or degrade access. “Shame can have more power than litigation,” says Mr Wu. “The market and consumers can control bad practices, but consumers actually have to be aware of what is going on for that to happen.”
It’s an interesting strategic and ethical question whether brandishing the regulation cudgel is appropriate, but as long as it’s agreed that consumers have influence in the broadband marketplace, that question can wait for another day.
Getting Data Breach in Perspective
Indiana University law professor and cybersecurity/informatics expert Fred Cate wrote sensibly in this weekend’s Washington Post about data security and identity fraud. “The fact is that few if any [data] breaches lead to identity theft or other consumer injuries.”
When a Department of Veterans Affairs laptop with data on 26.5 million veterans was stolen earlier this year, VA notified all of them and asked Congress for $160.5 million to cover the cost of one year of credit monitoring. Even if the laptop had not been returned (the data untouched), this reaction would have been overkill.
Washington has a hard time responding to problems dispassionately and proportionately. If only this failing could be the crisis du jour – even just for a day.
How, Again, Is This a Good Use of My Tax Dollars?
This week, Robert Cresanti, the under secretary of commerce for technology, presented the first-ever “Recognition of Excellence in Innovation” award to ODIN Technologies of Dulles, Virginia.
Why on earth a federal bureaucrat should run around giving awards to local firms is beyond me. Perhaps Technology Under Secretary Cresanti could have taken the day off. Or maybe just retired, if no actual work is pressing for his time.
Let’s make the “Recognition of Excellence in Innovation” award a really special honor by discontinuing it. (Tell ODIN that nobody could ever reach the standard they’ve set.)
I mean, really. Mad as hell and not gonna take it any more. Happy Friday.
Voter Fraud and Other Political Facts
The House bill to require photo ID for voting rests on the premise that voter fraud is a significant problem. It turns out that premise is a little shaky. A report prepared for the U.S. Election Assistance Commission has found little evidence of polling-place fraud, according to USA Today.
The Commission on Federal Election Reform (Carter-Baker Commission) found “no evidence of extensive fraud in U.S. elections or of multiple voting,” though it does occur and could affect a close election. To inspire confidence in the system, the Commission recommended using the national ID card created by the REAL ID Act as a voter registration card. Proof of citizenship would be required to get a driver’s license, tightening government control of the citizenry just a little more.
I’ve written here before about “political facts,” things made true by consensus rather than any measurement or observation. The soaring costs of identity fraud and its relationship to data breaches are political facts that have a lot of currency in Washington today.
Another political fact getting a lot of attention and lather is the notion that child pornography has become a $20 billion dollar industry. “Exponential” growth of this problem is being used to justify legally mandated retention of data about our online travels by Internet service providers. Exploitation of children is loathsome, but it turns out the $20 billion figure is bunk.
One wonders how many other problems Congress addresses itself to might be exaggerated or even fictional.
WSJ Weighs in Against ‘REAL Bad ID’
This morning’s Wall Street Journal opinion page blasts Republicans for passing the REAL ID Act. [subscription required]
Keyed to a recent report showing the costs of compliance at $11 billion, the piece notes that all Americans will have to reapply for their drivers’ licenses and ID cards if states go along with this unfunded federal surveillance mandate. It also addresses whether a national ID protects against terrorism or provides effective immigration control and finds REAL ID wanting on both counts. My book Identity Crisis shows why.
Sooner rather than later, Congress will recognize its error in passing the REAL ID Act. Most likely it will try to kick the can down the road. Look for a quiet attempt to change the deadline for getting a national ID in everyone’s hands.
But that is not the solution. If Congress wants a national ID, it should have hearings, markup and pass legislation, then fund and implement a national ID itself.
Congress didn’t have a single hearing or up-or-down vote on the REAL ID Act. This much exposure would kill a national ID plan, of course.
Bureaucracy and Lost Privacy
In my book Identity Crisis: How Identification is Overused and Misunderstood, I argue that identification is required of us too often by both corporations and government as we go about our business. I also do my best to articulate the reasons why this is bad, and how we can escape it.
With my senses tuned to the overuse of identification, I’m keenly aware of the osmotic process by which institutions soak up information about us, pass it around, and use it in ways we may not prefer.
Here’s an example from real life: I have recently spoken at several conferences dealing with identification, identity, financial risk management, and the like. When the time came to get reimbursement for my travel, one of the conference organizers asked me to give my Social Security Number if I was going to rely on faxed receipts for reimbursement.
The e-mail thread below shows how complex IRS regulations require financial administrators in the corporate world to over-comply, collecting (and possibly filing with the government) information that neither entity needs.
This is bureaucracy in action (both public and private), and it’s the constant drip, drip, drip of privacy going away.
[Names have been changed to protect the guilty.]
Sending Up Security
People are highly tuned risk managers. Daily, we make decision about risky things like crossing streets. To do so, we analyze the speed and density of traffic, light conditions, our own physical skills, and myriad other factors to determine whether to cross in the middle of a block or at a controlled intersection.
Five years since 9/11, people are getting better at assessing the risks of terrorist acts. And people are growing increasingly skeptical of the risk choices being made for them by the Department of Homeland Security. The evidence? Their willingness to see security lampooned.
The writers at The Onion are undoubtedly finding a good reception for this send-up of the Transportation Security Administration’s liquids rules.
And people are diverting themselves from their exasperation with airport security using this fun game.
A basic indictment of government-provided security is in daily newspapers’ comic sections this morning. Syndicated cartoon Bizarro by Dan Piraro is titled “Orientation Seminar at Homeland Security.” It depicts a teacher at a chalkboard that says “Inconvenience = Security.” (Available online here early next month).
The funny bone is a highly tuned instrument, and it’s showing the dissonance in air security today.
Baltimore Sun: Deep-Six REAL ID
The Baltimore Sun opinion page recognizes that the REAL ID Act’s national ID system “will neither weed out terrorists nor make a dent in the flow of illegal immigration – the two problems it was devised to address.” In light of the exorbitant cost and impossibility to implement, its advice is to junk the REAL ID Act.
Feariness about Data Loss
In the spirit of Stephen Colbert’s “truthiness,” here’s another useful term for the pop lexicon:
fear i ness (fir’ e-nes) n. The quality of being feared, even though logic and/or evidence indicates there is little to fear.
A prime example of feariness right now is data loss — the loss of control over confidential information that could lead to violation of a person’s privacy, identity theft, and fraud. This feariness has been fanned by the recent thefts of government and corporate computer hardware containing important data files.
Though privacy violations and fraud are worrisome, an article in today’s New York Times explains that much of the alarm over data loss is just feariness:
The veterans’ laptop episode underscores the crucial distinction between data loss and malicious data theft — a distinction that has often been glossed over or ignored in the recent wave of alarming disclosures of data breaches at government agencies, universities, companies and hospitals. In most cases, the consequences — financial and otherwise — of the data losses have been slight.
Harpers Denounce Border Plan, ID Systems
A prominent Harper spoke out this week against the plan to require passports or passport-’lite’ ID cards for crossing the U.S.-Canada border. That’s Canadian Prime Minister Stephen Harper.
He is no relation to the Cato Institute’s director of information policy studies, Jim Harper, who spoke out about the Western Hemisphere Travel Initiative’s PASS card system two weeks ago.
The Western Hemisphere Travel Initiative (WHTI) sounds like a wonderful thing. It’s hard to be against travel. But WHTI is actually about shrinking commerce and travel among the friendly countries in our region.
In the Intelligence Reform and Terrorism Prevention Act of 2004, Congress pushed the Department of Homeland Security to create an “automated biometric entry and exit data system” for people crossing the borders. A prominent proposal is the PASS card, which stands for People Access Security Service. It is envisioned as a card containing an RFID chip that is to be given to passport holders. The chip would alert the DHS when a person arrives at a border crossing.
“Pre-positioning” data by sending an electronic signal from 30 or more feet sounds like it would make border crossings go faster. But moving identification data is not what takes time at border crossings — it’s checking to see if the person and the identity information match up.
Cato on Facebook
Cato on Twitter
Cato on Google+
Cato on YouTube
