Essays in the Category "Laws and Regulations"

Strong Laws, Smart Tech Can Stop Abusive 'Data Reuse'

  • Bruce Schneier
  • Wired
  • June 28, 2007

We learned the news in March: Contrary to decades of denials, the U.S. Census Bureau used individual records to round up Japanese-Americans during World War II.

The Census Bureau normally is prohibited by law from revealing data that could be linked to specific individuals; the law exists to encourage people to answer census questions accurately and without fear. And while the Second War Powers Act of 1942 temporarily suspended that protection in order to locate Japanese-Americans, the Census Bureau had maintained that it only provided general information about neighborhoods…

Testimony before the Senate Judiciary Committee

  • Bruce Schneier
  • May 8, 2007

Testimony of Bruce Schneier
Security technologist, author, founder and CTO of BT Counterpane

“Will REAL ID Actually Make Us Safer?
An Examination of Privacy and Civil Liberties Concerns”

Senate Judiciary Committee
Room 226, Dirksen Senate Office Building
Tuesday, May 8, 2007

STATEMENT

I appreciate the opportunity to appear before the Committee today to discuss privacy issues. My name is Bruce Schneier. I am a security technologist, author, and CTO of BT Counterpane. The expertise I bring to this committee is less in the privacy and civil liberties realms, and more in the security realm. As such, I will focus my comments on the insecurities of the REAL ID system, the ineffectiveness of identity-based security systems, and the need to find smart and effective solutions to new security challenges. I’d like to emphasize at the start that this is an enormously interesting, important, and subtle topic, and I appreciate the decision of the Committee to hold these hearings…

On Police Security Cameras

Wholesale Surveillance

  • Bruce Schneier
  • San Francisco Chronicle
  • January 16, 2007

San Francisco police have a new law enforcement tool: a car-mounted license-plate scanner. Similar to a radar gun, it reads the license plates of moving or parked cars—250 or more per hour—and links with remote police databases, immediately providing information about the car and its owner. Right now, the police check for unpaid parking tickets. A car that comes up positive on the database is booted.

On the face of it, this is nothing new. The police have always been able to run a license plate check. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to run the plates of every car in a parking garage, or every car that passed through an intersection. What is different isn’t the police tactic, but the efficiency of the process…

Information Security and Externalities

  • Bruce Schneier
  • ENISA (European Network and Information Security Agency) Quarterly
  • January 2007

This essay is an update of Information security: How liable should vendors be?, Computerworld, October 28, 2004.

Information insecurity is costing us billions. There are many different ways in which we pay for information insecurity. We pay for it in theft, such as information theft, financial theft and theft of service. We pay for it in productivity loss, both when networks stop functioning and in the dozens of minor security inconveniences we all have to endure on a daily basis. We pay for it when we have to buy security products and services to reduce those other two losses. We pay for the lack of security, year after year…

Do Federal Security Regulations Help?

  • Bruce Schneier
  • Information Security
  • November 2006

This essay appeared as part of a point-counterpoint with Marcus Ranum.

Regulation is all about economics. Here’s the theory. In a capitalist system, companies make decisions based on their own self-interest. This isn’t a bad thing; it’s actually a very good thing. We don’t want companies to act as public charities; we want them to act as for-profit entities. But there are often effects of company decisions that are not borne by the companies; these are known as “externalities” to the decision. Companies aren’t going to take externalities into account, because, well, because they’re someone else’s problem. If we as a society want externalities to factor into company decisions, then we have to make those externalities internal. Once we do that, the natural engine of capitalism will take over…

Make Vendors Liable for Bugs

  • Bruce Schneier
  • Wired
  • June 1, 2006

Have you ever been to a retail store and seen this sign on the register: “Your purchase free if you don’t get a receipt”? You almost certainly didn’t see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant. Or maybe a liquor store. That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: It works best when you align interests with capability.

If you’re a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft. Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner—who was presumably elsewhere in the store—that an employee was handling money…

The Anti-ID-Theft Bill That Isn't

  • Bruce Schneier
  • Wired
  • April 20, 2006

California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen. Since then, many states have followed suit. Now Congress is debating federal legislation that would do the same thing nationwide.

Except that it won’t do the same thing: The federal bill has become so watered down that it won’t be very effective. I would still be in favor of it—a poor federal law is better than none—if it didn’t also pre-empt more-effective state laws, which makes it a net loss.

Identity theft is the fastest-growing area of crime. It’s badly named—your identity is the one thing that cannot be stolen—and is better thought of as fraud by impersonation. A criminal collects enough personal information about you to be able to impersonate you to banks, credit card companies, brokerage houses, etc. Posing as you, he steals your money, or takes a destructive joyride on your good credit…

Your Vanishing Privacy

  • Bruce Schneier
  • Minneapolis Star Tribune
  • March 5, 2006

Over the past 20 years, there’s been a sea change in the battle for personal privacy.

The pervasiveness of computers has resulted in the almost constant surveillance of everyone, with profound implications for our society and our freedoms. Corporations and the police are both using this new trove of surveillance data. We as a society need to understand the technological trends and discuss their implications. If we ignore the problem and leave it to the “market,” we’ll all find that we have almost no privacy left.

Most people think of surveillance in terms of police procedure: Follow that car, watch that person, listen in on his phone conversations. This kind of surveillance still occurs. But today’s surveillance is more like the NSA’s model, recently turned against Americans: Eavesdrop on every phone call, listening for certain keywords. It’s still surveillance, but it’s wholesale surveillance…

Uncle Sam is Listening

Bush may have bypassed federal wiretap law to deploy more high-tech methods of surveillance.

  • Bruce Schneier
  • Salon
  • December 20, 2005

When President Bush directed the National Security Agency to secretly eavesdrop on American citizens, he transferred an authority previously under the purview of the Justice Department to the Defense Department and bypassed the very laws put in place to protect Americans against widespread government eavesdropping. The reason may have been to tap the NSA’s capability for data mining and widespread surveillance.

Illegal wiretapping of Americans is nothing new. In the 1950s and ’60s, in a program called “Project Shamrock,” the NSA intercepted every single telegram coming in or going out of the United States. It conducted eavesdropping without a warrant on behalf of the CIA and other agencies. Much of this became public during the 1975 Church Committee hearings and resulted in the now famous Foreign Intelligence Surveillance Act …

Fatal Flaw Weakens RFID Passports

  • Bruce Schneier
  • Wired
  • November 3, 2005

In 2004, when the U.S. State Department first started talking about embedding RFID chips in passports, the outcry from privacy advocates was huge. When the State Department issued its draft regulation in February, it got 2,335 comments, 98.5 percent negative. In response, the final State Department regulations, issued last week, contain two features that attempt to address security and privacy concerns. But one serious problem remains.

Before I describe the problem, some context on the surrounding controversy may be helpful. RFID chips are passive, and broadcast information to any reader that queries the chip. So critics, myself …