Schneier on Security
A blog covering security and security technology.
April 10, 2007
Ordinary People Being Labeled as Terrorists
By law, every business has to check their customers against a list of "specially designated nationals," and not do business with anyone on that list.
Of course, the list is riddled with bad names and many innocents get caught up in the net. And many businesses decide that it's easier to turn away potential customers whose name is on the list, creating -- well -- a shunned class:
Tom Kubbany is neither a terrorist nor a drug trafficker, has average credit and has owned homes in the past, so the Northern California mental-health worker was baffled when his mortgage broker said lenders were not interested in him. Reviewing his loan file, he discovered something shocking. At the top of his credit report was an OFAC alert provided by credit bureau TransUnion that showed that his middle name, Hassan, is an alias for Ali Saddam Hussein, purportedly a "son of Saddam Hussein."
The record is not clear on whether Ali Saddam Hussein was a Hussein offspring, but the OFAC list stated he was born in 1980 or 1983. Kubbany was born in Detroit in 1949.
Under OFAC guidance, the date discrepancy signals a false match. Still, Kubbany said, the broker decided not to proceed. "She just talked with a bunch of lenders over the phone and they said, 'No,' " he said. "So we said, 'The heck with it. We'll just go somewhere else.' "
Kubbany and his wife are applying for another loan, though he worries that the stigma lingers. "There's a dark cloud over us," he said. "We will never know if we had qualified for the mortgage last summer, then we might have been in a house now."
Saad Ali Muhammad is an African American who was born in Chicago and converted to Islam in 1980. When he tried to buy a used car from a Chevrolet dealership three years ago, a salesman ran his credit report and at the top saw a reference to "OFAC search," followed by the names of terrorists including Osama bin Laden. The only apparent connection was the name Muhammad. The credit report, also by TransUnion, did not explain what OFAC was or what the credit report user should do with the information. Muhammad wrote to TransUnion and filed a complaint with a state human rights agency, but the alert remains on his report, Sinnar said.
Colleen Tunney-Ryan, a TransUnion spokeswoman, said in an e-mail that clients using the firm's credit reports are solely responsible for any action required by federal law as a result of a potential match and that they must agree they will not take any adverse action against a consumer based solely on the report.
The lawyers' committee documented other cases, including that of a couple in Phoenix who were about to close on their first home, only to be told the sale could not proceed because the husband's first and last names -- common Hispanic names -- matched an entry on the OFAC list. The entry did not include a date or place of birth, which could have helped distinguish the individuals.
In another case, a Roseville, Calif., couple wanted to buy a treadmill from a home fitness store on a financing plan. A bank representative told the salesperson that because the husband's first name was Hussein, the couple would have to wait 72 hours while they were investigated. Though the couple eventually received the treadmill, they were so embarrassed by the incident they did not want their names in the report, Sinnar said.
This is the same problem as the no-fly list, only in a larger context. And it's no way to combat terrorism. Thankfully, many businesses don't know to check this list and people whose names are similar to suspected terrorists' can still lead mostly normal lives. But the trend here is not good.
Posted on April 10, 2007 at 6:23 AM
• 69 Comments
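The date-of-birth check the quoted article describes, as an added Python example (not part of the original post, and not OFAC's or any credit bureau's actual matching code). The record layout, function names and the "Alex Sample" entry are constructed; the Hussein and Kubbany values are the ones given in the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ListEntry:
    name: str
    aliases: tuple = ()
    birth_years: tuple = ()  # empty when the list gives no date of birth


@dataclass(frozen=True)
class Customer:
    name: str
    birth_year: int


def tokens(name):
    """Lower-cased name parts: 'Tom Hassan Kubbany' -> {'tom', 'hassan', 'kubbany'}."""
    return set(name.lower().replace("-", " ").split())


def fragment_hits(customer, entries):
    """The weak check: any shared name part with a listed name or alias is a hit."""
    mine = tokens(customer.name)
    hits = []
    for entry in entries:
        listed = tokens(entry.name).union(*(tokens(a) for a in entry.aliases))
        if mine & listed:
            hits.append(entry)
    return hits


def screen(customer, entries):
    """Resolve each name hit using date of birth instead of stopping at the name."""
    results = []
    for entry in fragment_hits(customer, entries):
        if not entry.birth_years:
            verdict = "needs_review"    # nothing on the list to compare against
        elif customer.birth_year in entry.birth_years:
            verdict = "possible_match"  # name and birth year both line up
        else:
            verdict = "false_match"     # date discrepancy rules the hit out
        results.append((entry.name, verdict))
    return results


# Constructed sample list. The first entry uses the alias and birth years
# quoted in the article; the second is a made-up entry with no birth date.
SAMPLE_LIST = (
    ListEntry("Ali Saddam Hussein", aliases=("Hassan",), birth_years=(1980, 1983)),
    ListEntry("Alex Sample"),
)

KUBBANY = Customer("Tom Hassan Kubbany", 1949)

if __name__ == "__main__":
    for person in (KUBBANY, Customer("Alex Sample", 1975)):
        print(person.name, "->", screen(person, SAMPLE_LIST))
```

An entry with no birth date, like the one in the Phoenix case, can only come back as `needs_review`, which is why missing identifiers on the list push the cost of disambiguation onto the customer.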
So with the help of our own government terrorism works to bring fear into the hearts of our own citizens.
Looks like it will come back to bite these companies...... I'd speculate that these 'lists' only get 'added to', and if they've started turning away people with common names, it can only get worse, right?
Matching first OR middle OR last names, with no regard for other data such as birth date, it will not take long before everyone is labelled a terrorist.
There are many unsolved murder cases. The murderers have never been caught, we don't know their names.
We can't do business, unless we know your name. Because, when we don't know your name..... you must be a murderer.
Can the retailers really avoid legal action using the "just following orders" defense?
Does anyone know if the Democrats propose to change any of this if they win the next Presidential election?
Or does no-one ever win an election by proposing sense over drama in security?
Yet another problem with consumer credit reporting.
One could hope that this would be a self-correcting problem though: if enough people are incorrectly listed then there will be negative incentives for anyone to attempt to purchase anything on credit, consumer confidence and spending will dwindle and *hopefully* provide positive incentives for govt, businesses and the list keepers to be as accurate as possible.
Never mind...that would never happen.
> Thankfully, many businesses don't know to check this list and people whose names are similar to suspected terrorists' can still lead mostly normal lives.
I'm not sure we should be thankful. When a policy is obviously silly, the incentive to change it is much greater, and it survives for less.
When few people are inconvenienced, and in a bearable way at it, the incentive for change may not be enough to actually cause a change.
I think the arguments for full disclosure run a similar course.
It would seem to me that a class action lawsuit is in order. Anyone who mistakenly identifies someone as on the list who is not actually on the list is negligent.
IMHO, there should be no requirement to check this list for any transaction that occurs entirely within the USA. Anyone in the USA should be presumed to not be on the list.
>...clients using the firm's credit reports are solely responsible
>for any action required by federal law as a result of a potential
>match and that they must agree they will not take any adverse
>action against a consumer based solely on the report.
Umm... isn't that a contradiction?
> Anyone in the USA should be presumed to not be on the list.
So, Americans are never terrorists (cf. Timothy McVeigh)?
If people are going to have lists like this one keeping groups off it is just as crazy as adding all members of any given group to it (such as Muslims for example).
Maybe he should hire a good lawyer ... like Walter F. Murphy.
David, you missed the point. The law mandates that if you do business with someone on the list, you can be criminally liable. That forces people to check the list before doing business with anyone. As a policy matter, there should be no requirement of liability for transactions occurring entirely in the USA. It should only apply to international transactions. If there are terrorists in the USA, that should be handled by other means, like lawful FBI surveillance, not by prohibiting all Americans from doing business with anyone named McVeigh.
Credit reporting is a joke. What percentage of the information is truly accurate? I dated a person and on my credit report listed "one" of my last names as being his. I couldn't believe it. Explain that while you are in the process of a security clearance. I have no idea how this could have happened. If they are going to use this information as a means to characterize who we are why don't they use one reporting agency and get the information right the first time.
"Anyone in the USA should be presumed to not be on the list."
You were joking, right? 100% of the 9/11 terrorists were in the USA at the time.
Alan, I obviously misconstrued the point you were making. It seems that you are in favor of having such a list and using it when undertaking international transactions but not when both parties (buyer and seller) are resident within the US. Is that right?
Now, surely if someone is "bad" enough to be on such a list (but, naturally, not actually "bad" enough to be arrested) then it doesn't actually matter where they happen to reside?
I guess my point is that either these kind of lists are a stupid idea in the first place (as I think Bruce and most people agree - Bruce, tell me if I'm wrong here) or it makes sense to apply them equally everywhere.
Someone is going to invoke Godwin's law, but seriously, how far is the USA from starting to treat Muslims the same way that a certain notorious regime treated Jews? It's already impossible to use air transport, and difficult to get a mortgage, if you have a name like "Hassam" or "Mohammed". Now, it would be simpler if all Muslims just had to wear a big red crescent stitched to their clothes so that they could be banned from airports, wouldn't it? No change in policy; just a simpler, quicker way of enforcing it. And then ....
It baffles me that in the US, after the civil rights movement, it is even slightly legal for the US government to publish a list of undesirables against which anyone having the name "Muhammed" or "Hussein" will match. Throw in "Ali", and I'd guess at least 10% of male Muslims worldwide will have at least one given name matching one of them. Imagine if Mexico started flagging anyone called "James" or "John", and then pretended there was no discrimination against English-speakers.
The segregationist states should have thought of this trick 50 years ago: "I'm sorry, Dr. King. Your middle name closely matches the known terrorist 'Lex Luthor', so I'm afraid we can't risk doing business with you. Have a nice life". Would have saved all that messing around trying to prosecute him for "organising an illegal boycott".
We need a terrorist named John Smith. Seriously, matching name fragments is a huge crapshoot. I mean, every third Muslim man must have parts of his name on that list.
d00d, why are you looking at me like that?! So what if my middle name is Laden! Who cares?
Hello David, we have lists of countries where US companies cannot do business, and it makes sense to me to have a list of persons residing overseas with whom US nationals are forbidden from doing business. There are people overseas who are criminals that we simply can't touch using USA laws. If however, the "bad" person is inside the USA, then we should use other lawful means to monitor them or go after them. As a policy matter, we should not subject all citizens to the burdens and side effects of the list for transactions that occur entirely in the USA.
The analogy with email RBLs is superb.
Amongst other things, the temptation to recommend suing someone for slander or libel is great.
Just wait until one of these laws about registering all online names passes and, before it's struck down, someone dumps a list of their users' online personas to a government database... or companies just start tracking and marketing this to the government.
Do you know how many different names you've used online in forums, chatrooms, comment boxes? What happens when you post as osama yo mama and one of your known aliases is listed as osama.
Wait until a terrorist the FBI is tracking posts on slashdot as anonymous coward, that gets recorded as an alias, and then everyone who ever posts as anonymous coward gets their name included too.
I'd like to get some data on the number of actual terrorists inconvenienced vs. the number of citizens who have their lives impacted. Then maybe an assessment of the cost of cleaning up the mistakes (if it is even possible) and the cost of the terrorist dodging the problem. Let's see:
ratio misses to hits: 100:1 (generous!)
cost of mistake repair: $500 (also generous)
cost of using cash or buying at a flea market: $5
Just hypothetically, we are causing innocent citizens to pay $50,000 in order to cost the terrorist an additional $5....
Terrorist changes name to john smith and sends video to islamic TV station calling for blowing up malls in the US
Something that people are missing here is this tidbit:
Corporations, and businesses have been turned into law enforcement agencies.
This started back during the money laundering days of the "war on drugs". It's just been extended and extended to everything, and now the "war on terror".
To answer an above question, the penalties aren't just on the company. A teller caught not notifying about money laundering is _PERSONALLY_ liable and can (and have) gone to jail. Essentially, every bank teller / rep has become a policeman without a badge.
The "just following orders" defense, also known as the Nuremberg Defense, is not considered viable in court.
This raises an interesting question: if you're criminally liable for transacting with a terrorist but you're criminally liable (on EO grounds) for segregating against Muslims -- Hussein, Ali and Mohammed, in their various transliterations, represent well more than 10% of the Muslim community -- you're sort of stuck as a businessperson. You're just trying to sell trucks, but now you have to do a formal background investigation on many of the people who want to buy. It seems like a very poorly thought-out law. A class-action suit would be very useful in bringing us towards the end game.
What's worse: Muslims, in an attempt to mix better with Westerners, are starting to name their kids as an American would call "normal." Immigrants seeking opportunity are highly savvy to things like changing their names. Over time, the list will start to contain more names like John and Paul. A few marriages and name changes down the road, our next batch of terrorists may have names like Tom Jones.
I remember getting my most recent mortgage and there was actually a fee on it (yes, like $2) for doing that research.
Doesn't this whole list thing go against the foundation of the country -- Innocent until proven guilty (most of the time by a group of your "peers").
Name matching is not proof, it's not even remotely close. Heck, with identity theft as rampant as it is, one could argue that it is no more than circumstantial.
@suomunona; I am a foreign national. I bet that if I follow your url I'll end up on another unpleasant list somewhere. :-)
Also, re: businesses turning into law enforcement. Sometimes they write and enforce at the same time. Last year the MPAA coerced Swedish police to make a number of completely illegal (according to Swedish law) search-and-seize operations against Swedish ISPs, to protect their own business interests. Curiously the Swedish police feel this is fine and completely rational.
Another No-Fly List Story:
This time a Professor emeritus from Princeton University, who is a distinguished scholar of public law and constitutional law, got on the list.
What was that again about person A only being 6 links away from person B on average? How many linksteps is the DHS checking? Seven?
Sort of relatedly, this was on digg yesterday. Obviously the accuracy is suspect, but if this is a real story, then things are getting no good.
anything you can think of as ....
www dot cuba dat com is listed.
John Smith isn't on the list, but John Hernandez is. That would actually be a not insignificant portion of the population.
If they just added IRA members to the list, we'd probably get 20% of the population making last name hits.
That came from Balkinization originally. It's not so terribly suspect. The web-site is run by eminent names in academic law, and the subject is a Princeton law professor. You don't get much more "credibility" than that on the internets!
"Doesn't this whole list thing go against the foundation of the country -- Innocent until proven guilty"
No, it is consistent. You're innocent, until your name is found in the file, which proves your guilt.
Buy... association. Or soundexation. Or something.
Meet the new McCarthyism.
Take the names you find and run it against the Census Department's list of the most common names in the US. You can then calculate the floor for the number of people with these names (floor because this method doesn't account for how the last name influences the distribution of first names).
For instance, the last names Diaz (250k in the US total), Gonzales (500k), or Hernandez (600k) are on the list. Then given the first names...
Maria and Jose Gonzales: at least 7,000 people.
Or take the name 'Hassan'. Based on the CD's data, there are 15,000 men with this first name.
Looking through that publicly downloadable list that suomunona mentioned, I see 671 people identified by passport number and 15 people identified by social security number. (Download the XML version; it's crystal clear which fields are what.) Talk about the potential for identity theft.
Mark: regarding the "potential for identity theft"-- I'm sure that's the least of your worries if you are "Secretary General of the Palestinian Islamic Jihad" or a leader of Hamas.
Besides, the fact that the identity is on the list of "people not to have any transactions with ever" would prevent a would-be identity thief from doing much with it to say the least!
>Does anyone know if the Democrats
>propose to change any of this if they
>win the next Presidential election?
>Or does no-one ever win an election by
>proposing sense over drama in security?
Oh you poor naive soul.
The "Domestic Wiretapping" scandal of the Bush Administration was enabled by the actions of a Democratic President and I'm pretty sure Democratic Congress, in a bill sponsored by Patrick Leahy, who spent billions of dollars (with, I'm sure a nice profit margin and indirectly decent political kickbacks built in) to put in place the technology on the nation's telecommunications infrastructure to allow such wiretapping of packet switched voice networks to occur.
The Democrats have no interest in privacy or national security beyond anything that a Political Science major can detect on a poll as part of a carefully crafted message. Unfortunately, nothing better can be said of the Republicans -- it's all just short-sighted, short-term and purely party politics to see who can wallow at the trough the most.
It would be nice if the courts would start recognizing these things as the punishments that they are, and declaring them illegal since they are delivered without due process.
Hassan is the name of a pretty sizeable town in southern India. Add to that the tendency in those parts to use the town name as your middle or last name and you will have hundreds of people with that name who aren't even Muslims.
As has been made clear by so many replies already, trying to identify terrorists solely based on names is the stupidest thing ever. Sounds more like dark-ages security to me.
Man, and I only thought things like this happened on South Park!
Michael: It would be even better if government agencies and officials were subject to the same laws as the rest of us. Like libel and slander.
These days EVERYONE is a Terrorist. Everyone is a suspect. You don't even have the right to be silent. Anything you say or do or don't do will be used as a sign of your guilt wherever and whenever it is convenient.
And there is nothing you can do about it or the Evildoers win.
Add one more nail to the coffin of "innocent until proven guilty by a jury of one's peers". Next up - free speech...oh, wait...
@markm "if government ... were subject to the same laws..."
Better yet, Governmental agents and agencies who have (or claim) "special powers" should be held to a "Higher Standard". With greater power comes greater responsibility. Penalties for violation should be severe and very public - and somewhat "contagious" going "uphill" on the bureaucratic food-chain. "Not Knowing" is rarely a good-enough excuse for a common citizen; it is especially insufficient for a specialist who makes and/or enforces the regulations.
Unfortunately, true responsibility is sadly lacking in modern public affairs.
In a previous life I worked for an international bank writing software to perform automatic checks for names on this list. Not sure if it's changed yet, but back then the requests, ie list, came from many different gov't agencies and of course in all different formats. CSV, Excel sheets, Word docs, you name it.
Made automating it quite the PITA.
Another delightful angle is that it isn't ~that~ hard to get someone put on that list. I know of one case in which a high school teacher didn't grade the way a parent wanted, the parent contacted the FBI, and the teacher's family vacations suddenly got a lot more difficult.
What is your problem people?
You gave up freedom in the name of security.
This is the price you pay for that.
Suck it up.
Good to know terrorists and other ne'er-do-wells always use their real names.
Every business? I run a business and hadn't heard about this. And I purchase goods all the time without even supplying my name.
Seems like an exaggeration.
DV: it is against the law to do business with anyone on the list. When someone doesn't bother to check the list, it's because they either don't know about the law, they think the risk is low, or they don't think they will be prosecuted. That is another danger: we have many overbroad laws that most people are not prosecuted for breaking, but anyone could be selectively prosecuted for if they raise the ire of the police or a district attorney. Is that a fair and just system?
"I run a business and hadn't heard about this."
Ignorance of the law is not - and never has been - a defense. You'd better start obeying this law, pronto.
After reading the list I wonder if Jennifer Lopez is being inconvenienced in any way. Many a Lopez can be found on the list of potential evildoers.
What do you expect - a government offering their list compressed as EXEs to download for the dumb Windows (and DOS) users, and a ZIP for Linux/Unix users. No user shall be able to download an executable!
Dumb department, in my eyes. They do not at all think about computer security.
Considering the number of laws on the books, the claim that ignorance is no excuse is a sick joke. Does anyone remember how long it took Clinton to find a **lawyer** who knew they were supposed to take out social security for a nanny?
Did you notice, that there's a 'Freedom Fighter' on the list too? ;)
That man has to be VERY good, he has tens of aliases.
I couldn't help but be reminded of the "Mark of the Beast" as I read this...
Que sera, sera,
Whatever will be, will be...
Speaking of unreasonable lists, here's an article about someone who supposedly was hindered in boarding a plane because he once publicly criticized the President:
The now 400,000 person long 'terror suspect' list contains certainly more persons than there are terrorists in the world by a good sized factor. I've been taking data points on it as the occasional update leaks out and it points backwards with perfect linearity to the 10,000 person political enemies list that Karl Rove was said to have compiled in 2000.
This goods & services blacklist, while still short, is just more incrementalism. Once everyone is aware of it and if there isn't enough outrage, American dissidents will begin gracing the list.
You know, like the no-fly list: http://rawstory.com/news/2007/...
So, does this mean we can no longer "consult" with the Bin Laden group when we build pipelines in Texas?
This is what happens when the general public overreacts to a threat less likely to kill them than eating a ham sandwich.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.