Page 15 of 15
Ross Anderson’s Security Engineering is a great book. And I’m not saying that because I wrote the foreword. Since it was published in 2001, I have regularly recommended it to engineers interested in security.
None of this is news. What is news is that you can download the book, free and legally.
The Science of Fingerprints: Classification and Uses, FBI, 1963. Introduction by J. Edgar Hoover.
You can buy a real copy here.
Here’s an absolutely fascinating interview with Robert Pape, a University of Chicago professor who has studied every suicide terrorist attack since 1980.
RP: This wealth of information creates a new picture about what is motivating suicide terrorism. Islamic fundamentalism is not as closely associated with suicide terrorism as many people think. The world leader in suicide terrorism is a group that you may not be familiar with: the Tamil Tigers in Sri Lanka.
….TAC: So if Islamic fundamentalism is not necessarily a key variable behind these groups, what is?
RP: The central fact is that overwhelmingly suicide-terrorist attacks are not driven by religion as much as they are by a clear strategic objective: to compel modern democracies to withdraw military forces from the territory that the terrorists view as their homeland. From Lebanon to Sri Lanka to Chechnya to Kashmir to the West Bank, every major suicide-terrorist campaign—over 95 percent of all the incidents—has had as its central objective to compel a democratic state to withdraw.
….TAC: If you were to break down causal factors, how much weight would you put on a cultural rejection of the West and how much weight on the presence of American troops on Muslim territory?
RP: The evidence shows that the presence of American troops is clearly the pivotal factor driving suicide terrorism.
If Islamic fundamentalism were the pivotal factor, then we should see some of the largest Islamic fundamentalist countries in the world, like Iran, which has 70 million people—three times the population of Iraq and three times the population of Saudi Arabia—with some of the most active groups in suicide terrorism against the United States. However, there has never been an al-Qaeda suicide terrorist from Iran, and we have no evidence that there are any suicide terrorists in Iraq from Iran.
….TAC: Osama bin Laden and other al-Qaeda leaders also talked about the “Crusaders-Zionist alliance,” and I wonder if that, even if we weren’t in Iraq, would not foster suicide terrorism. Even if the policy had helped bring about a Palestinian state, I don’t think that would appease the more hardcore opponents of Israel.
RP: I not only study the patterns of where suicide terrorism has occurred but also where it hasn’t occurred. Not every foreign occupation has produced suicide terrorism. Why do some and not others? Here is where religion matters, but not quite in the way most people think. In virtually every instance where an occupation has produced a suicide-terrorist campaign, there has been a religious difference between the occupier and the occupied community.
….TAC: Has the next generation of anti-American suicide terrorists already been created? Is it too late to wind this down, even assuming your analysis is correct and we could de-occupy Iraq?
RP: Many people worry that once a large number of suicide terrorists have acted that it is impossible to wind it down. The history of the last 20 years, however, shows the opposite. Once the occupying forces withdraw from the homeland territory of the terrorists, they often stop—and often on a dime.
Pope recently published a book, Dying to Win: The Strategic Logic of Suicide Terrorism. Here’s a review.
UPDATED TO ADD: Salon reviewed the book.
Even though it’s five years old, here’s a new review of my previous book: Secrets and Lies.
Here’s a new review of Beyond Fear.
This is an interview with me from ITConversations.
In both Secrets and Lies and Beyond Fear, I discuss a key difference between attackers and defenders: the ability to concentrate resources. The defender must defend against all possible attacks, while the attacker can concentrate his forces on one particular avenue of attack. This precept is fundamental to a lot of security, and can be seen very clearly in counterterrorism. A country is in the position of the interior; it must defend itself against all possible terrorist attacks: airplane terrorism, chemical bombs, threats at the ports, threats through the mails, lone lunatics with automatic weapons, assassinations, etc, etc, etc. The terrorist just needs to find one weak spot in the defenses, and exploit that. This concentration versus diffusion of resources is one reason why the defender’s job is so much harder than the attackers.
This same principle guides security questioning at the Ben Gurion Airport in Israel. In this example, the attacker is the security screener and the defender is the terrorist. (It’s important to remember that “attacker” and “defender” are not moral labels, but tactical ones. Sometimes the defenders are the good guys and the attackers are the bad guys. In this case, the bad guy is trying to defend his cover story against the good guy who is attacking it.)
Security is impressively tight at the airport, and includes a potentially lengthy interview by a trained security screener. The screener asks each passenger questions, trying to determine if he’s a security risk. But instead of asking different questions—where do you live, what do you do for a living, where were you born—the screener asks questions that follow a storyline: “Where are you going? Who do you know there? How did you meet him? What were you doing there?” And so on.
See the ability to concentrate resources? The defender—the terrorist trying to sneak aboard the airplane—needs a cover story sufficiently broad to be able to respond to any line of questioning. So he might memorize the answers to several hundred questions. The attacker—the security screener—could ask questions scattershot, but instead concentrates his questioning along one particular line. The theory is that eventually the defender will reach the end of his memorized story, and that the attacker will then notice the subtle changes in the defender as he starts to make up answers.
Last week, I stayed at the St. Regis hotel in Washington, DC. It was my first visit, and the management gave me a questionnaire, asking me things like my birthday, my spouse’s name and birthday, my anniversary, and my favorite fruits, drinks, and sweets. The purpose was clear; the hotel wanted to be able to offer me a more personalized service the next time I visited. And it was a purpose I agreed with; I wanted more personalized service. But I was very uneasy about filling out the form.
It wasn’t that the information was particularly private. I make no secret of my birthday, or anniversary, or food preferences. Much of that information is even floating around the Web somewhere. Secrecy wasn’t the issue.
The issue was control. In the United States, information about a person is owned by the person who collects it, not by the person it is about. There are specific exceptions in the law, but they’re few and far between. There are no broad data protection laws, as you find in the European Union. There are no Privacy Commissioners, as you find in Canada. Privacy law in the United States is largely about secrecy: if the information is not secret, there’s little you can do to control its dissemination.
As a result, enormous databases exist that are filled with personal information. These databases are owned by marketing firms, credit bureaus, and the government. Amazon knows what books we buy. Our supermarket knows what foods we eat. Credit card companies know quite a lot about our purchasing habits. Credit bureaus know about our financial history, and what they don’t know is contained in bank records. Health insurance records contain details about our health and well-being. Government records contain our Social Security numbers, birthdates, addresses, mother’s maiden names, and a host of other things. Many driver’s license records contain digital pictures.
All of this data is being combined, indexed, and correlated. And it’s being used for all sorts of things. Targeted marketing campaigns are just the tip of the iceberg. This information is used by potential employers to judge our suitability as employees, by potential landlords to determine our suitability as renters, and by the government to determine our likelihood of being a terrorist.
Some stores are beginning to use our data to determine whether we are desirable customers or not. If customers take advantage of too many discount offers or make too many returns, they may be profiled as “bad” customers and be treated differently from the “good” customers.
And with alarming frequency, our data is being abused by identity thieves. The businesses that gather our data don’t care much about keeping it secure. So identity theft is a problem where those who suffer from it—the individuals—are not in a position to improve security, and those who are in a position to improve security don’t suffer from the problem.
The issue here is not about secrecy, it’s about control. The issue is that both government and commercial organizations are building “digital dossiers” about us, and that these dossiers are being used to judge and categorize us through some secret process.
A new book by George Washington University Law Professor Daniel Solove examines the problem of the growing accumulation of personal information in enormous databases. The book is called The Digital Person: Technology and Privacy in the Information Age, and it is a fascinating read.
Solove’s book explores this problem from a legal perspective, explaining what the problem is, how current U.S. law fails to deal with it, and what we should do to protect privacy today. It’s an unusually perceptive discussion of one of the most
vexing problems of the digital age—our loss of control over our personal information. It’s a fascinating journey into the almost surreal ways personal information is hoarded, used, and abused in the digital age.
Solove argues that our common conceptualization of the privacy problem as Big Brother—some faceless organization knowing our most intimate secrets—is only one facet of the issue. A better metaphor can be found in Franz Kafka’s The Trial. In the book, a vast faceless bureaucracy constructs a huge dossier about a person, who can’t find out what information exists about him in the dossier, why the information has been gathered, or what it will be used for. Privacy is not about intimate secrets; it’s about who has control of the millions of pieces of personal data that we leave like droppings as we go through our daily life. And until the U.S. legal system recognizes this fact, Americans will continue to live in an world where they have little control over their digital person.
In the end, I didn’t complete the questionnaire from the St. Regis Hotel. While I was fine with the St. Regis in Washington, DC, having that information to make my subsequent stays a little more personal, and was probably fine with that information being shared among other St. Regis hotels, I wasn’t comfortable with the St. Regis doing whatever they wanted with that information. I wasn’t comfortable with them selling the information to a marketing database. I wasn’t comfortable with anyone being able to buy that information. I wasn’t comfortable with that information ending up in a database of my habits, my preferences, my proclivities. It wasn’t the primary use of that information that bothered me, it was the secondary uses.
Solove has done much more thinking about this issue than I have. His book provides a clear account of the social problems involving information privacy, and haunting predictions of current U.S. legal policies. Even more importantly, the legal solutions he provides are compelling and worth serious consideration. I recommend his book highly.
The book’s website
Order the book on Amazon
Sidebar photo of Bruce Schneier by Joe MacInnis.