Schneier on Security
A blog covering security and security technology.
« Tracking Bot Networks |
| The Failure of Two-Factor Authentication »
March 14, 2005
Ideas for Privacy Reform
EPIC just published a very good paper by Daniel Solove and Chris Hoofnagle that offers suggested proposals for privacy reform in the wake of all the recent privacy breaches (ChoicePoint, Lexis/Nexis, Bank of America, DWS, etc.).
Posted on March 14, 2005 at 12:49 PM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I hope that Solove & Hoofnagle's paper gets the attention of those who will be influencial in determining what regulations may be imposed on U.S. data brokers.
For instance, the idea of freezing credit reports sidesteps the heavy reliance on preventative infosec safeguards in current regulations such as Gramm-Leach-Bliley and HIPAA.
One might interpret the freezing of credit reports as more of a detection approach. I think there's a lot of merit in this concept.
For more detail on this, see Hoofnagle's paper entitled "Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors."
Simple. Just make the data brokers liable for consequential damages for inaccurate information.
I agree with Lightning. My only real problem with Solove and Hoofnagle is their seeming reliance on the FTC to police this mess. I know someone is going to have to but I fear their apparent approach would just add to an already obese bureaucracy. By levying HUGE fines against the violators and placing at least SOME of the responsibility for detection on other businesses I think the system could help police itself. [sarcasm]We all know that the vast majority of businesses are looking out for us little people right?[/sarcasm]
Now this was a particularly interesting bit from the paper:
In conjunction with the universal notice, the FTC shall develop a centralized mechanism for
people to exercise their rights with respect to their personal information. Such a mechanism
would mimic the Do Not Call website, which allows individuals to opt-out of telemarketing and
verify their enrollment by visiting a single website.
Many interesting security implications are raised by this. How do you identify the people in the opt-out registry? How do you authenticate requests to deny distribution of certain information? (A malicious person might try to cause difficulties for someone by forging a request to deny all credit data to potential lenders.) How do you determine who may or may not search the registry or read information in it? How do you keep this from acting as the "central key" to all the information on a person, effectively moving us closer to having one central database?
There's a huge can of worms here waiting to be opened.
Personally, my first instinct would be to avoid such a central registry and instead make it the responsibility of the data collectors to contact each individual with information about what they're collecting and how they're using it, and solicit permission to do so, as well as offer the ability to review the information. This avoids any centralized system, and also avoids certain types of error. For example, if I'm contact regarding a file that appears to have nothing to do with me, I can point that out, rather than have a company mistakenly believe that this file does correspond with my life. (Or I might just say it does, and use the information for identity theft. Who knows?)
Great paper, right up to the point where they suggest making it illegal to use SSN.
Isn't the main problem with SSN that companies have chosen to use it as a password, when it was never declared to be a personal secret (the nature of a password) in the first place? So, why not declare that it's now public, and make it illegal for companies to use it (alone) as a password? At best it's merely a disambiguator. Why keep trying to treat as secret a number which, for many people, has long ago ceased to be so?
Legislate that companies may no longer rely on knowledge of one's SSN as an indicator of identity.
Do you want the Good or Bad news first?
There may be a way to do this preserving privacy using public key cryptography and digital signatures.
Alice is an public individual or entity, Bob is a registered data holder, Curt is a privacy data register agent, and Darin is privacy data protection agent.
Alice registers her identity details ( name, SSID, current address ) along with her preferences and a public key, "Ap", with Darin.
Alice receives a public key from Darin, "Dp", to verify communications.
Darin verifies Alice's identity ( how? ), and then generates a unique key, "Ak".
Darin registers Alice's identity details along with Ak and Ap with Curt.
Curt has a copy of Alice's identity details associated with Darin's Ak and Ap.
Bob registers with Curt as a data holder, passing Curt a public key, "Bp", and receiving Curt's public key "Cp".
Bob passes Alice address, name etc, along with a unique ID "Bk" to Curt in a package encrypted with Cp.
Curt searches his data base and sends a tuple of Bk, Ak, Ap and Darrin address to Bob in an package encrypted with Bp.
When Bob performers an action where Alice should be notified or consulted, Bob creates a form ( including the public key Bp and reference Bk ) encrypted with Ap, in a package, "BA", address to Ak and sends it to Darin.
Darin receives BA from Bob and digitally signs it, and passes it on to Alice.
Alice receives BA from Darin, verifies it using Dp and can then choose to either:
1) Take note of the form or chose to ignore it;
2) Complete the form and send the result back to Bob, encrypted with Bp;
3) Complain to Bob directly;
4) Take action through the authorities or sue Bob using Darin's digital signature of BA as proof.
Neither Darin or Curt hold the unencrypted details of BA. The origin of BA could be obscured so Darin does not know who it comes from. Bob could cache Alice's privacy contact details for a limited period ( three months? ) to limit Curt's ability to perform traffic analysis. Alice is free to change from Darin to another privacy data protection agent, but would have to wait for Bob's timeout of Alice's privacy contact details before it is switched to the new provider. The latter is preferable to Curt's having to keep a record of each registered data holder that has Alice's details.
Any centralized register and tracking system could be used by the authorities or any good lawyer to further erode privacy. Each individual/entity would still have "more global" unique key: Ak . Although this would change when they change registered data holder agent, it would still greatly assist data matching. All it would take a subpoena demanding that the centralized register agent forward the list of registered data holders and subpoenas to the registered data holders demanding that they forward a copy of an individual or companies data. Given the current political climate, do you really trust this current administration to legislate limits to such access by the courts, not to mention certain government agencies?
While it's true that everyone and their brother are using SSN, that fact doesn't make it a safe thing to do. The ONLY organization that can legitimately use SSN as a personal identifier is the Social Security Administration and other Federal agencies. For years local municipalities used SSN as drivers license numbers but that has changed. Many people used to print the SSN on their checks to help ease the stress of check writing...that has changed.
We won't be able to do away with SSN usage outside the acceptable authorities overnight but we are making significant headway. To throw up our hands and declare it's a public number is defeatist and dangerous.
I had above noted Hoofnagle's "credit report freeze" as a different method to detect and stop identity theft.
Here are a few more thoughts about this . . .
Approaches that rely on liability and/or regulation to counter identity theft will ultimately fall short since:
-- Liability is an issue of "due care" not perfection (in other words, if an entity or person has exercised "due care," then said entity or person is not liable)
-- In today's legal environment, damages are fairly limited and in the case of identity theft the victim's damages are typically limited to emotional stress and time (I highly doubt that courts are going to grant monetary awards of much size for emotional stress and time)
-- Regulation will never impose monetary fines of sufficient size to put the hurt on entities like Choicepoint
Liability and regulation might very well help to reduce identity theft but without perfect information security--haven't we given up on that dream?--these types of problems will continue to be with us.
Approaches like California's SB 1386 disclosure law are useful (and I'd support a national version of this) but the damage is typically already done by the time an entity like Choicepoint finds out about the problem and subsequently discloses it. (In other words, it's typically an individual who's been impacted by identity theft who notifies a law enforcement agency and then law enforcement notifies the entity whom they believe was the root cause. That's how it happened in the recent Choicepoint debacle. By this time the deed has long been done.) As Solove & Hoofnagle's "Model Privacy Regime" paper notes:
"Many identity thefts would be stopped at their incipiency if only the victim has known about the access to the victim's credit records and could have blocked access."
Solve & Hoofnagle then go on to suggest their solution of freezing credit reports.
What I find so intriguing about this suggestion is that it doesn't try to solve the identity theft problem via liability, regulation, or disclosure. Rather freezing credit reports would stop the identity theft before it occurred. Or to put it in infosec lingo, frozen credit reports are a fail closed mechanism.
Solove & Hoofnagle's faith in the wisdom and benevolence of government would be funny if it weren't so threatening to civil liberties. I cherish my right to call Bruce a long-haired weirdo (while taking responsibility for any damages if I were to do so wrongly), and Solove & Hoofnagle's belief that they can protect that right with provisions about this being my "principle business" or that being "personal information" exposes a broad ignorance of the workings of reality.
The real problem is by using the more than outdated word "Privacy". Such concept should be obsolete to such a technological world.
Time to think of a new label... how about "cevinpl", a tad more fitting.
David, thanks for your analysis. Though I'd not worked out any myself, I agree that there are various cryptological schemes that could make some sort of central registry work, assuming that the central registry itself is not compromised. But as you also point out, we've not had much luck in preventing that sort of thing in the past, and such a registry could be an extremely valueable target in many ways, even if it held very limited information.
That leads into the SSN issue that pilgrim brings up, and I think he's missed the point. I do strongly, strongly advocate making it illegal to refuse service to someone who will not provide an SSN, unless it's a tax- or social-security-related issue. A bank or employer has good reason to need my SSN; they're giving me income, and that needs to be reported. Sprint has no reason whatsoever to need my SSN, yet when I lived in the United States they would not give me a phone without one.
The reason I so strongly support this measure is not to preserve the secrecy of the SSN, but to move us further away from, rather than closer to, having a common identifier shared by all entities. This a) helps to preserve privacy by limiting information sharing, and b) (perhaps paradoxically) makes confusing two identities harder. (Basically, if you look up information using a presumed-unique SSN, you're inclined to believe you got the right result back. If you look up information using idenitifiers known not to be unique, and you get back several results, you are forced to confront the fact that you may not have gotten what you thought you got.)
In Canada it's been the case for many years that you're not allowed to refuse service to someone not providing a Social Insurance Number, and yet the credit reporting and other systems there work just fine.
I guess you know that according to french law, since 1978, ChoicePoint CEO (hte man himself) would have faced a maximal 3 years (jail) condamnation and that this has been raised to 5 years since summer 2004.
Don't you think this could help improve some conmpanies security efforts?
Mayflower Compact Coalition (Wangstas Fo' Shizzle My Nizzle)...
RNC Chairman Ken Mehlman today attended the unveiling of the 21st Century Mayflower Compact at the Mayflower Hotel in Washington D.C.. The nine-point agenda includes support for school choice and private Social Security accounts. The Coalition is advised in part by former House Speaker Newt Gingrich�s consulting firm.
African Americans often reach different and surprising conclusions on social issues that the casual (Caucasian) observer just won�t understand. For example, Black folks still want to see Michael Jackson find happiness. His high-pitched voice and soulful delivery is the soundtrack of generations and has a permanent place in the Black community�s psyche, no matter the plastic surgery, skin bleaching and alleged child molestation charges. Possibly, it�s the �he�s still Black� phenomenon that African Americans well understand. They want Michael Jackson�s name cleared. In short, they want him to make good music and just leave the damn kids alone.
Likewise, Blacks see Old Age Survivors and Disability Insurance Program, popularly known as Social Security, as an entitlement forced into place during a period when �bigots� wanted to run things. And against the odds, a well respected Franklin Roosevelt was able to established needed protection for the public from the economic fears of old age, sickness, accident, and unemployment. As its original name suggest, African Americans believe the insurance program was created to do much more than provide an old age benefit.
Wangstas (whites and uh oh oreos) are extremely white people who attempt to be �gangsta� (cool with Black people) in order to �pimp out.� They dress, speak and act for all practical purposes as an African American aside from the fact that they are not. Normally they are hated by the fam for being fake.
The White House and its oreos who support overhauling Social Security have launched a highly targeted campaign to convince Black people that President Bush�s plan to create private investment accounts will have special benefits for them. The ghetto fab element about the GOP message to African Americans: �The shorter life expectancy of Black males means Social Security in its current form is not a favorable deal.�
Proponents of privatizing social security who claim no group has as much at stake in the debate over reform as African Americans, in fact, are right. Black families of workers who become disabled or die are much more likely than their Caucasian counterparts to be dependent on the grip available from disability and/or survivor benefits. Blacks make up 12 percent of the U.S. population, but 23 percent of African American children receive survivor benefits, and 18 percent of the community are disability beneficiaries.
Although the wangstas are making a special effort to appeal to the strizzeet with the 21st Century Mayflower Compact, the �lower life expectancies� illusion appears to reached every one except the African American senior. Their attempt to focus on a very narrow element of the system (current program based on longevity is unfair) is misplaced and doesn�t gain cool points. What the oreos fail to realize is their attempt to be �down� for da brothas... is just �gosh-darn� obnoxious (using their vernacular) and another clue identifying the new face of segregation.
Social Security is an insurance program that protects workers and their families against the income loss that occurs when a worker retires, becomes disabled, or dies. All workers will eventually either grow too old to compete in the labor market, become disabled, or die. President Roosevelt created the program to insure all workers and their families against these universal risks, while spreading the costs and benefits of that insurance protection among the entire workforce.
It is a �pay as you go� program, which means the Federal Insurance Contribution Act (FICA) payroll tax paid by today�s workers are not set aside to pay their own benefits down the road, but rather go to pay the benefits of current recipients. The tax is progressive. The low-wage workers receive a greater percentage of pre-retirement earnings from the program than higher-wage workers. And, in the 1980's, Congress passed reforms to raise extra tax revenues above and beyond the current need and set up a trust fund to hold a reserve.
As was the case when the program was established, higher-wage workers still oppose the social nature of the program. They argue low rates of return as a reason to switch from the current �pay-as-you-go� system to one in which individual workers claim their own contribution and decide where and how to invest it. In short, rather than sharing the risk across the entire workforce to ensure that all workers and their families are protected from old age, disability, and death, higher-wage workers want to enable opportunity to reap gains from private investment without having to help protect lower-wage workers from their disproportionate risks.
Allowing high-wage workers (who are more likely to live long enough to retire) opportunity to opt out of the general risk pool and devote all their money to retirement without having to cover the risk of those who may become disabled or die, is da fo� shizzle identifying the republican party�s desire to return to a segregated society.
Roosevelt�s benefit formula currently in place intentionally helps low income earners. Lifetime earnings directly factor into the formula. And, thirty-five percent of Black workers born between 1931 and 1940 had lifetime earnings that fell into the bottom fifth of earnings received by workers born in these years. African Americans� median earnings (working-age in jobs covered by Social Security in 2002) were about $21,200, compared to $28,400 for all working-age people.
HNIC, President Bush, does acknowledge the difficulty Blacks will have in accumulating enough savings in their individual accounts to provide for a secure retirement once the progressivity of the current system is eliminated. However, he has only suggested allowing lower-income workers to place higher portions of their income into the uncertainties of investment accounts (creating even more risk).
Yes! Private accounts would be passed on to children or other heirs. But, what the HNIC and his oreos doesn�t explain is lower-income workers would be forced to buy an annuity large enough (when combined with their traditional Social Security benefit) to ensure that they would at least have a poverty level income for retirement.
Yo� playa... da new private Social Security account fizzle sucks!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.