Schneier on Security
A blog covering security and security technology.
« Security in the Cloud |
| Real Fake ID Cards »
February 15, 2006
Gary Marx on Surveillance
Gary T. Marx is a sociology professor at MIT, and a frequent writer on privacy issues. I find him both clear and insightful, as well as interesting and entertaining.
This new paper is worth reading: "Soft Surveillance: The Growth of Mandatory Volunteerism in Collecting Personal Information -- 'Hey Buddy Can You Spare a DNA?'"
You can read a whole bunch of his other articles here.
Posted on February 15, 2006 at 12:21 PM
• 10 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
[In Truro, Mass. at the end of 2004 police politely asked all male residents to provide a DNA sample to match with DNA material found at the scene of an unsolved murder.]
Something similiar was used in Louisiana to find a serial killer. Police rounded up hundreds of white males, took DNA, and later found out the killer was black - oops. Now they refuse to destroy the samples.
Why bother testing the DNA. Just keep getting samples till you find the one guy who won't submit a sample. He's obviously the guilty party, so just convict him then.
Let the suspect prove he's innocent.
If he can't then he must be guilty.
As if prisons just weren't full enough.
One better: just imprison everyone around. That way you assure there's no criminal on the loose, and there won't be crime anymore.
But wait - where's the freedom ?
"There is a chilling and endless regress quality in our drift into a society where you have to provide ever more personal information in order to prove that you are the kind of person who does not merit even more intensive scrutiny. Here we confront the insatiable information appetite generated by scientific knowledge in a risk-adverse society. In such a society knowing more may only serve to increase doubt and the need for more information. ...
In one sense there are two problems with the new surveillance technologies. One is that they don’t work and the other is that they work too well. If the first, they fail to prevent disasters, bring miscarriages of justice, and waste resources. If the second they can further inequality and invidious social categorization and chill liberty. These twin threats are part of the enduring paradox of democratic government which must be strong enough to maintain reasonable order, but not so strong as to become undemocratic. ...
Greater responsibility must be placed on those with the search tools as is the case in Europe. There the emphasis is on the general principle of respect for the dignity of the person as means of privacy protection. (Whitman 2004). [The greater role of liberty as the most salient principle for protecting privacy in the United States (particularly from government) is also supportive of the citizen’s right to volunteer personal information. It ironically also serves to legitimate the liberty claimed by private agents of surveillance, gun owners and purveyors of hate speech. A key issue is how liberty plays out for various kinds of actors.]. This calls attention to the consequences of the actions of the search agent, rather than to the risks and rewards the subject is willing to accept. With respect to surveillance questions, market mechanisms involving choice, whatever their instrumental advantages, are less relied upon in much of Europe." etc.
This seems oddly backwards to me. Do you lack trust because you do not have information, or because you have a sense of authority that compells you to challenge others? This is not just about surveillance, but in the day-to-day profiling we all do. I mean that when some people are given a shotgun, everything starts to look like a pheasant -- can you really say that's a result of an "insatiable information appetite?"
"Why bother testing the DNA. Just keep getting samples till you find the one guy who won't submit a sample. He's obviously the guilty party, so just convict him then."
Interestingly enough, this is kinda, sorta, similar to what actually happened in the first ever genetic fingerprinting case, the rapes and murders of Lynda Mann in 1983 and Dawn Ashworth in 1986, both near Carlton Hayes psychiatric hospital. A suspect who had been seen in the vicinity of the second crime and displayed knowledge of it that could only have been known by someone present at the time was arrested and then confessed to that murder, but genetic fingerprinting, developed in 1985, actually exonerated him (it is now thought that this man, who presumably was insane, had observed the crime from a distance).
Police then asked local men to volunteer DNA samples; nearly 5,000 did so, and none matched the rapist. But later someone was overheard boasting that he had masqueraded as one Colin Pitchfork in order to provide a false sample, and after enquiries several other persons testified that Pitchfork had offered them money to provide a false sample. Pitchfork was confronted with this claim, confessed to both murders, and was convicted -- being detected not by DNA evidence but by his attempts to avoid it. If he had simply declined to volunteer a sample he probably would have gotten away with it.
Focus on criminal investigation scenarios rather misses the point of the Marx article on "soft" domestic intelligence and legal standing of private sector contractors to mediate personal info. Turn your attention to legislation concerning electronic data and the implication of your vote for mid-term relief.
Since 2001, Congress has enacted quite a bit of language (1) to specify digital rights, i.e. disenfranchise individual ownership of "data forms"; (2) promulgate inter-agency reproduction, derivatives, and distribution of "data forms" to other "entities"; (3) extend the reach and pertinence of "data" collected by regulatory bodies; and (4) eviscerate states' laws that broadly protect informed consent or contradict federal mandate.
A vehicle for significant action has been US Dept of HHS which Congress no doubt intended to facilitate HIPAA (1996) for all insureds. However, dismantling individual property rights (Privacy Act, 2004 emended) in favor of a nationalized or "rationalized" electronic data interchange (EDI) has had little or nothing to do with clinical performance or economic needs of patients. Having actually observed industry "knowledge management" pricing and practices across the OECD since '99, I dare say, even the NPV or "net value" ( to quote the National Health IT Coordinator) of "moving the market" is for doctors, clinics, and especially public hospitals, negative. But it does rather dramatically illustrate, in a vacuum of public lobby, unilateral determination of Congress and our Executive to build and sustain domestic surveillance infrastructure over the long, long term.
Most recently, the CDC opened its proposal 42 CFR parts 70 and 71 , re: the regulation of interstate and international travel. The emendments provide CDC new and ambiguous authority to enlist non-medical personnel in "data" collection and indefinite detention of individuals -- in any likelihood they carry a communicable disease. That is "illness" is undefined.
I read the 58pp proposal along with the total of 40 comments over the period Nov 2005 - the 6 Feb 2006. Univ. of Pittsburgh Medical Center provided the brightest summary of the proposal's feasibility and objective (UPMC.pdf).
Public consultation has been extended to 1 March 2006. Do what you ought to define your opinion or mobilize resources to forestall closure of public debate.
"Consent obtained through deception, unreasonable or exploitative seduction, or to avoid dire consequences is hardly consent."
I believe the other term for that kind of consent is "extortion."
Accurate. This is a moral observation of market failure. Where a business "vertical" applies, e.g. medical EMR -- AND -- CIO purchase preference, applies to EDI, capitalist assumptions of "good" or "bad" implicates software consumers. Alas, standardization of medical therapy to an individual is not demonstrable. Then, there's little interest in the systemic application of individual EDI security at this blog. Most players are interested in squid sex and other thought exericises. Great!
"Technologies can be designed to do a better job of protecting personal information and notifying individuals when their information is being collected or has been compromised."
-- G. Marx
That's not going to happen, if you as a software vendor or a consumer assume legislation formally protects First, Second, or Fourth Amendents. Privacy, Data Quality, and Patriot Acts (not to mention US fed agency regulations) have already elimnated individual property rights. In fact, these acts permit distribution of derivative personal information ("data forms") and provide no venue for litigation. Given private-sector EDI compliance, pro-forma owners of "data" necessarily must prohibit distibution of his/her own "data" disclosure to protect his/her privacy.
If a "market" for individual security exists, ISVs have yet to identify or leverage either "cloud" or "end-user" security demand. Where's the ISV "incentive"? Well, epic.org, at least, links to open source vendors offering filter but not HTTP scipting softwware.
"[The business opportunity ] to build the installed base will make the vendor more aggressive about pushing the software onto user's computers than the label would be."
-- "Lessons from the Sony CD DRM Episode"
Music is an interesting "vertical". However, 1999 - 2001, B2B revenue from system integrators ("Big 5" consulting firms) contributed at least 65% to total absolute "software-related" income across the OECD. That is, the total excluded ICT telco and hardware spend but obviously includes (custom and packaged) EDI in supply chain, end-use "security controls" and tag standardization, and HR admin -- think industry VPNs coupled to SAP and PeopleSoft proliferation. So ask yourself WHY such ISVs began versioning SMA product (2002) and WHY Big *4* rely quite heavily on fed EDI spend following collapse of the market in 2000. My observation is change in industry *license* terms, demanding ways and means (so-called "knowledge transfer") to properly internalized costs of system integration and software dev. This is historic marketing "intelligence" at work.
"Using DRM to enforce copyright law exactly as written is almost certainly not the record label's profit-maximizing strategy. ... CD DRM can make money for the record label because it puts software onto users' computers, and the lable can monetize this installed platform."
-- "Lessons from the Sony CD DRM Episode"
Bruce, tell us how MS DRM figures monitarily or morally in the standards( vs. diversiffication) war. MS DMR is $30 PER USER to implement in ANY VPN or internet distribution venture.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.