Entries Tagged "background checks"

Page 1 of 2

CRB Check Backlash

Against stupid CRB checks:

Last January, Annabel Hayter, chairwoman of Gloucester Cathedral Flower Guild, received an email saying that she and her 60 fellow flower arrangers would have to undergo a CRB check. CRB stands for Criminal Records Bureau, and a CRB check is a time-consuming, sometimes expensive, pretty much always pointless vetting procedure that you must go through if you work with children or “vulnerable adults.” Everybody else had been checked: the “welcomers” at the cathedral door; the cathedral guides; the whole of the cathedral office (though they rarely left their room). The flower guild was all that remained.

The cathedral authorities expected no resistance. Though the increasing demand for ever tighter safety regulation has become one of the biggest blights on Britain today, we are all strangely supine: frightened not to comply. Not so Annabel Hayter. “I am not going to do it,” she said. And her act of rebellion sparked a mini-revolution among the other cathedral flower ladies. In total she received 30 letters from guild members who judged vetting to be either an invasion of privacy (which it certainly is) insecure (the CRB has a frightening tendency to return the wrong results) or unnecessary (they are the least likely paedophiles in the country). Several threatened to resign if forced to undergo it. Thus began the battle of Gloucester Cathedral, between the dean and the flower guild, a battle which is just reaching its final stage as The Spectator goes to press. First the guild asked why the checks were necessary. The answer turned out to be that the flower arrangers shared a toilet with the choirboys, and without checks there would be “paedophiles infiltrating the flower guild.”

I wrote about CRB checks in 2008.

Posted on December 13, 2010 at 6:42 AMView Comments

Faking Background Checks for Security Clearances

What do you do if you have too many background checks to do, and not enough time to do them? You fake them, of course:

Eight current and former security clearance investigators say they have been pressured to work faster and take on crushing workloads in recent years, as the government tried to eliminate a backlog that once topped 531,000 cases.

Investigators have eliminated that backlog, but they now are trying to meet congressionally mandated deadlines to speed up the security clearance process. The 2004 Intelligence Reform and Terrorism Prevention Act requires agencies to issue at least 80 percent of initial security clearances within 120 days after receiving a completed application. This December, agencies must issue at least 90 percent of their initial security clearances within 60 days.

“This job is a shredder, and agents are grist for the mill,” said K.C. Smith, an OPM investigator in Austin, Texas, with 23 years of experience. “There are people who are getting sick, under a lot of stress, their family life is suffering. They are just beat down.”

Investigators say it is common practice to spend nights, weekends and holidays writing up reports, and some don’t report the overtime they work for fear it will be held against them in their performance evaluations.

Some say their superiors have made it clear that the priority is to close cases, and they say they have felt pressure to turn in even incomplete cases that lack crucial interviews or records if it will help them keep their numbers up. A recent Government Accountability Office report found that the Defense Department’s security clearance process is plagued by such incomplete cases: 87 percent of the 3,500 initial top-secret security clearance cases Defense approved last year were missing at least one interview or important record.

It’s all a matter of incentives. The investigators were rewarded for completing investigations, not for doing them well.

Posted on May 28, 2009 at 2:40 PMView Comments

NASA Employees Sue over Background Checks

This is a big deal:

Jet Propulsion Laboratory scientists and engineers sued NASA and the California Institute of Technology on Thursday, challenging extensive new background checks that the space exploration center and other federal agencies began requiring in the wake of the Sept. 11 terror attacks.

[…]

But according to the lawsuit, the Commerce Department and NASA instituted requirements that employees and contractors permit sweeping background checks to qualify for credentials and refusal would mean the loss of their jobs.

NASA calls on employees to permit investigators to delve into medical, financial and past employment records, and to question friends and acquaintances about everything from their finances to sex lives, according to the suit. The requirements apply to everyone from janitors to visiting professors.

The suit claims violations of the U.S. Constitution’s 4th Amendment protection against unreasonable search and seizure, 14th Amendment protection against invasion of the right to privacy, the Administrative Procedure Act, the Privacy Act, and rights under the California Constitution.

Those in more sensitive positions are asked to disclose financial records, list foreign trips and give the government permission to view their medical history.

Workers also must sign a waiver giving investigators access to virtually all personal information.

[…]

“Many of the plaintiffs only agreed to work for NASA with the understanding that they would not have to work on classified materials or to undergo any type of security clearance,” the suit said.

More details here (check out the “Forum” if you’re really interested) and in this article.

Posted on September 4, 2007 at 12:56 PMView Comments

"Clear" Registered Traveller Program

CLEAR, a private service that prescreens travelers for a $100 annual fee, has come to Kennedy International Airport. To benefit from the Clear Registered Traveler program, which is run by Verified Identity Pass, a person must fill out an application, let the service capture his fingerprints and iris pattern and present two forms of identification. If the traveler passes a federal background check, he will be given a card that allows him to pass quickly through airport security.

Sounds great, but it’s actually two ideas rolled into one: one clever and one very stupid.

The clever idea is allowing people to pay for better service. Clear has been in operation at the Orlando International Airport since July 2005, and members have passed through security checkpoints faster simply because they are segregated from less experienced fliers who don’t know the drill.

Now, at Kennedy and other airports, Clear is purchasing and installing federally approved technology that will further speed up the screening process: scanners that will eliminate the need for cardholders to remove their shoes, and explosives detection machines that will eliminate the need for them to remove their coats and jackets. There are also Clear employees at the checkpoints who, although they can’t screen cardholders, can guide members through the security process. Clear has not yet paid airports for an extra security lane or the Transportation Security Administration for extra screening personnel, but both of those enhancements are on the table if enough people sign up.

I fly more than 200,000 miles per year and would gladly pay $100 a year to get through airport security faster.

But the stupid idea is the background check. When first conceived, traveler programs focused on prescreening. Pre-approved travelers would pass through security checkpoints with less screening, and resources would be focused on everyone else. Sounds reasonable, but it would leave us all less safe.

Background checks are based on the dangerous myth that we can somehow pick terrorists out of a crowd if we could identify everyone. Unfortunately, there isn’t any terrorist profile that prescreening can uncover. Timothy McVeigh could probably have gotten one of these cards. So could have Eric Rudolph, the pipe bomber at the 1996 Olympic Games in Atlanta. There isn’t even a good list of known terrorists to check people against; the government list used by the airlines has been the butt of jokes for years.

And have we forgotten how prevalent identity theft is these days? If you think having a criminal impersonating you to your bank is bad, wait until they start impersonating you to the Transportation Security Administration.

The truth is that whenever you create two paths through security — a high-security path and a low-security path — you have to assume that the bad guys will find a way to exploit the low-security path. It may be counterintuitive, but we are all safer if the people chosen for more thorough screening are truly random and not based on an error-filled database or a cursory background check.

I think of Clear as a $100 service that tells terrorists if the F.B.I. is on to them or not. Why in the world would we provide terrorists with this ability?

We don’t have to. Clear cardholders are not scrutinized less when they go through checkpoints, they’re scrutinized more efficiently. So why not get rid of the background checks altogether? We should all be able to walk into the airport, pay $10, and use the Clear lanes when it’s worth it to us.

This essay originally appeared in The New York Times.

I’ve already written about trusted traveller programs, and have also written about Verified Identity Card, Inc., the company that runs Clear. Note that these two essays were from 2004. This is the Clear website, and this is the website for Verified Identity Pass, Inc.

Posted on January 22, 2007 at 7:11 AMView Comments

Airline Passenger Profiling for Profit

I have previously written and spoken about the privacy threats that come from the confluence of government and corporate interests. It’s not the deliberate police-state privacy invasions from governments that worry me, but the normal-business privacy invasions by corporations — and how corporate privacy invasions pave the way for government privacy invasions and vice versa.

The U.S. government’s airline passenger profiling system was called Secure Flight, and I’ve written about it extensively. At one point, the system was going to perform automatic background checks on all passengers based on both government and commercial databases — credit card databases, phone records, whatever — and assign everyone a “risk score” based on the data. Those with a higher risk score would be searched more thoroughly than those with a lower risk score. It’s a complete waste of time, and a huge invasion of privacy, and the last time I paid attention it had been scrapped.

But the very same system that is useless at picking terrorists out of passenger lists is probably very good at identifying consumers. So what the government rightly decided not to do, the start-up corporation Jetera is doing instead:

Jetera would start with an airline’s information on individual passengers on board a given flight, drawing the name, address, credit card number and loyalty club status from reservations data. Through a process, for which it seeks a patent, the company would match the passenger’s identification data with the mountains of information about him or her available at one of the mammoth credit bureaus, which maintain separately managed marketing as well as credit information. Jetera would tap into the marketing side, showing consumer demographics, purchases, interests, attitudes and the like.

Jetera’s data manipulation would shape the entertainment made available to each passenger during a flight. The passenger who subscribes to a do-it-yourself magazine might be offered a video on woodworking. Catalog purchase records would boost some offerings and downplay others. Sports fans, known through their subscriptions, credit card ticket-buying or booster club memberships, would get “The Natural” instead of “Pretty Woman.”

The article is dated August 21, 2006 and is subscriber-only. Most of it talks about the revenue potential of the model, the funding the company received, and the talks it has had with anonymous airlines. No airline has signed up for the service yet, which would not only include in-flight personalization but pre- and post-flight mailings and other personalized services. Privacy is dealt with at the end of the article:

Jetera sees two legal issues regarding privacy and resolves both in its favor. Nothing Jetera intends to do would violate federal law or airline privacy policies as expressed on their websites. In terms of customer perceptions, Jetera doesn’t intend to abuse anyone’s privacy and will have an “opt-out” opportunity at the point where passengers make inflight entertainment choices.

If an airline wants an opt-out feature at some other point in the process, Jetera will work to provide one, McChesney says. Privacy and customer service will be an issue for each airline, and Jetera will adapt specifically to each.

The U.S. government already collects data from the phone company, from hotels and rental-car companies, and from airlines. How long before it piggy backs onto this system?

The other side to this is in the news, too: commercial databases using government data:

Records once held only in paper form by law enforcement agencies, courts and corrections departments are now routinely digitized and sold in bulk to the private sector. Some commercial databases now contain more than 100 million criminal records. They are updated only fitfully, and expunged records now often turn up in criminal background checks ordered by employers and landlords.

Posted on October 24, 2006 at 11:00 AMView Comments

Orlando Airport's CLEAR Program

Orlando Airport is piloting a new pre-screening program called CLEAR. The idea is that you pay $80 a year and subject yourself to a background check, and then you can use a faster security line at airports.

I’ve already written about this idea, back when Steven Brill first started talking about it:

My primary security concerns surrounding this system stem from what it’s trying to do. In his writings and speaking, Brill is very careful to explain that these are not “trusted traveler cards.” He calls them “verified identity cards.” But the only purpose of his card is to divide people into two lines — a fast line and a slow line, a “search less” line and a “search more” line, or whatever….

The reality is that the existence of the card creates a third, and very dangerous, category: bad guys with the card. Timothy McVeigh would have been able to get one of these cards. The DC sniper and the Unabomber would have been able to get this card. Any terrorist mole who hasn’t done anything yet and is being saved for something big would be able to get this card. Some of the 9/11 terrorists would have been able to get this card. These are people who are deemed trustworthy by the system even though they are not.

And even worse, the system lets terrorists test the system beforehand. Imagine you’re in a terrorist cell. Twelve of you apply for the card, but only four of you get it. Those four not only have a card that lets them go through the easy line at security checkpoints; they also know that they’re not on any terrorist watch lists. Which four do you think will be going on the mission? By “pre-approving” trust, you’re building a system that is easier to exploit.

Nothing in this program is different from what I wrote about last year. According to their website:

Your Membership will be continuously reviewed by TSA’s ongoing Security Threat Assessment Process. If your security status changes, your Membership will be immediately deactivated and you will receive a notification email of your status change as well as a refund of the unused portion of your annual enrollment fee.

Think about it. For $80 a year, any potential terrorist can be automatically notified if the Department of Homeland Security is on to him. Such a deal.

Posted on August 8, 2005 at 8:03 AMView Comments

Accuracy of Commercial Data Brokers

PrivacyActivism has released a study of ChoicePoint and Acxiom, two of the U.S.’s largest data brokers. The study looks at accuracy of information and responsiveness to requests for reports.

It doesn’t look good.

From the press release:

100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom — and the ones who did had to wait an average of three months from the time they requested their information until they
received it.

I spoke with Deborah Pierce, the Executive Director of PrivacyActivism. She made a couple of interesting points.

First, it was very difficult for them to find a legal way to do this study. There are no mechanisms for any kind of oversight of the industry. They had to find companies who were doing background checks on employees anyway, and who felt that participating in this study with PrivacyActivism was important. Then those companies asked their employees if they wanted to anonymously participate in the study.

Second, they were surprised at just how bad the data is. The most shocking error was that two people out of eleven were listed as corporate directors of companies that they had never heard of. This can’t possibly be statistically meaningful, but it is certainly scary.

Posted on June 7, 2005 at 7:45 AMView Comments

ChoicePoint Feeling the Heat

AP says:

An executive of embattled data broker ChoicePoint Inc. says the company is developing a system that would allow people
to review their personal information that is sold to law enforcement agencies, employers, landlords and businesses. ChoicePoint’s announcement comes a month after it disclosed
that thieves used previously stolen identities to create what appeared to be legitimate businesses seeking personal
records.

Posted on April 2, 2005 at 9:09 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.