Entries Tagged "essays"

Page 43 of 44

Getting Out the Vote: Why is it so hard to run an honest election?

Four years after the Florida debacle of 2000 and two years after Congress passed the Help America Vote Act, voting problems are again in the news: confusing ballots, malfunctioning voting machines, problems over who’s registered and who isn’t. All this brings up a basic question: Why is it so hard to run an election?

A fundamental requirement for a democratic election is a secret ballot, and that’s the first reason. Computers regularly handle multimillion-dollar financial transactions, but much of their security comes from the ability to audit the transactions after the fact and correct problems that arise. Much of what they do can be done the next day if the system is down. Neither of these solutions works for elections.

American elections are particularly difficult because they’re so complicated. One ballot might have 50 different things to vote on, all but one different in each state and many different in each district. It’s much easier to hold national elections in India, where everyone casts a single vote, than in the United States. Additionally, American election systems need to be able to handle 100 million voters in a single day — an immense undertaking in the best of circumstances.

Speed is another factor. Americans demand election results before they go to sleep; we won’t stand for waiting more than two weeks before knowing who won, as happened in India and Afghanistan this year.

To make matters worse, voting systems are used infrequently, at most a few times a year. Systems that are used every day improve because people familiarize themselves with them, discover mistakes and figure out improvements. It seems as if we all have to relearn how to vote every time we do it.

It should be no surprise that there are problems with voting. What’s surprising is that there aren’t more problems. So how to make the system work better?

— Simplicity: This is the key to making voting better. Registration should be as simple as possible. The voting process should be as simple as possible. Ballot designs should be simple, and they should be tested. The computer industry understands the science of user-interface — that knowledge should be applied to ballot design.

— Uniformity: Simplicity leads to uniformity. The United States doesn’t have one set of voting rules or one voting system. It has 51 different sets of voting rules — one for every state and the District of Columbia — and even more systems. The more systems are standardized around the country, the more we can learn from each other’s mistakes.

— Verifiability: Computerized voting machines might have a simple user interface, but complexity hides behind the screen and keyboard. To avoid even more problems, these machines should have a voter-verifiable paper ballot. This isn’t a receipt; it’s not something you take home with you. It’s a paper “ballot” with your votes — one that you verify for accuracy and then put in a ballot box. The machine provides quick tallies, but the paper is the basis for any recounts.

— Transparency: All computer code used in voting machines should be public. This allows interested parties to examine the code and point out errors, resulting in continually improving security. Any voting-machine company that claims its code must remain secret for security reasons is lying. Security in computer systems comes from transparency — open systems that pass public scrutiny — and not secrecy.

But those are all solutions for the future. If you’re a voter this year, your options are fewer. My advice is to vote carefully. Read the instructions carefully, and ask questions if you are confused. Follow the instructions carefully, checking every step as you go. Remember that it might be impossible to correct a problem once you’ve finished voting. In many states — including California — you can request a paper ballot if you have any worries about the voting machine.

And be sure to vote. This year, thousands of people are watching and waiting at the polls to help voters make sure their vote counts.

This essay originally appeared in the San Francisco Chronicle.

Also read Avi Rubin’s op-ed on the subject.

Posted on October 31, 2004 at 9:13 AMView Comments

The Security of Checks and Balances

Much of the political rhetoric surrounding the US presidential election centers around the relative security posturings of President George W. Bush and Senator John Kerry, with each side loudly proclaiming that his opponent will do irrevocable harm to national security.

Terrorism is a serious issue facing our nation in the early 21st century, and the contrasting views of these candidates is important. But this debate obscures another security risk, one much more central to the US: the increasing centralisation of American political power in the hands of the executive branch of the government.

Over 200 years ago, the framers of the US Constitution established an ingenious security device against tyrannical government: they divided government power among three different bodies. A carefully thought-out system of checks and balances in the executive branch, the legislative branch, and the judicial branch, ensured that no single branch became too powerful. After watching tyrannies rise and fall throughout Europe, this seemed like a prudent way to form a government.

Since 9/11, the United States has seen an enormous power grab by the executive branch. From denying suspects the right to a trial — and sometimes to an attorney — to the law-free zone established at Guantanamo, from deciding which ratified treaties to ignore to flouting laws designed to foster open government, the Bush administration has consistently moved to increase its power at the expense of the rest of the government. The so-called “Torture Memos,” prepared at the request of the president, assert that the president can claim unlimited power as long as it is somehow connected with counterterrorism.

Presidential power as a security issue will not play a role in the upcoming US election. Bush has shown through his actions during his first term that he favours increasing the powers of the executive branch over the legislative and the judicial branches. Kerry’s words show that he is in agreement with the president on this issue. And largely, the legislative and judicial branches are allowing themselves to be trampled over.

In times of crisis, the natural human reaction is to look for safety in a single strong leader. This is why Bush’s rhetoric of strength has been so well-received by the American people, and why Kerry is also campaigning on a platform of strength. Unfortunately, consolidating power in one person is dangerous. History shows again and again that power is a corrupting influence, and that more power is more corrupting. The loss of the American system of checks and balances is more of a security danger than any terrorist risk.

The ancient Roman Senate had a similar way of dealing with major crises. When there was a serious military threat against the safety and security of the Republic, the long debates and compromise legislation that accompanied the democratic process seemed a needless luxury. The Senate would appoint a single person, called a “dictator” (Latin for “one who orders”) to have absolute power over Rome in order to more efficiently deal with the crisis. He was appointed for a period of six months or for the duration of the emergency, whichever period was shorter. Sometimes the process worked, but often the injustices that resulted from having a dictator were worse than the original crisis.

Today, the principles of democracy enshrined in the US constitution are more important than ever. In order to prevail over global terrorism while preserving the values that have made America great, the constitutional system of checks and balances is critical.

This is not a partisan issue; I don’t believe that John Kerry, if elected, would willingly lessen his own power any more than second-term President Bush would. What the US needs is a strong Congress and a strong court system to balance the presidency, not weak ones ceding ever more power to the presidency.

Originally published in the Sydney Morning Herald.

Posted on October 29, 2004 at 10:21 AMView Comments

World Series Security

The World Series is no stranger to security. Fans try to sneak into the ballpark without tickets, or with counterfeit tickets. Often foods and alcohol are prohibited from being brought into the ballpark, to enforce the monopoly of the high-priced concessions. Violence is always a risk: both small fights and larger-scale riots that result from fans from both teams being in such close proximity — like the one that almost happened during the sixth game of the AL series.

Today, the new risk is terrorism. Security at the Olympics cost $1.5 billion. $50 million each was spent at the Democratic and Republican conventions. There has been no public statement about the security bill for the World Series, but it’s reasonable to assume it will be impressive.

In our fervor to defend ourselves, it’s important that we spend our money wisely. Much of what people think of as security against terrorism doesn’t actually make us safer. Even in a world of high-tech security, the most important solution is the guy watching to keep beer bottles from being thrown onto the field.

Generally, security measures that defend specific targets are wasteful, because they can be avoided simply by switching targets. If we completely defend the World Series from attack, and the terrorists bomb a crowded shopping mall instead, little has been gained.

Even so, some high-profile locations, like national monuments and symbolic buildings, and some high-profile events, like political conventions and championship sporting events, warrant additional security. What additional measures make sense?

ID checks don’t make sense. Everyone has an ID. Even the 9/11 terrorists had IDs. What we want is to somehow check intention; is the person going to do something bad? But we can’t do that, so we check IDs instead. It’s a complete waste of time and money, and does absolutely nothing to make us safer.

Automatic face recognition systems don’t work. Computers that automatically pick terrorists out of crowds are a great movie plot device, but doesn’t work in the real world. We don’t have a comprehensive photographic database of known terrorists. Even worse, the face recognition technology is so faulty that it often can’t make the matches even when we do have decent photographs. We tried it at the 2001 Super Bowl; it was a failure.

Airport-like attendee screening doesn’t work. The terrorists who took over the Russian school sneaked their weapons in long before their attack. And screening fans is only a small part of the solution. There are simply too many people, vehicles, and supplies moving in and out of a ballpark regularly. This kind of security failed at the Olympics, as reporters proved again and again that they could sneak all sorts of things into the stadiums undetected.

What does work is people: smart security officials watching the crowds. It’s called “behavior recognition,�? and it requires trained personnel looking for suspicious behavior. Does someone look out of place? Is he nervous, and not watching the game? Is he not cheering, hissing, booing, and waving like a sports fan would?

This is what good policemen do all the time. It’s what Israeli airport security does. It works because instead of relying on checkpoints that can be bypassed, it relies on the human ability to notice something that just doesn’t feel right. It’s intuition, and it’s far more effective than computerized security solutions.

Will this result in perfect security? Of course not. No security measures are guaranteed; all we can do is reduce the odds. And the best way to do that is to pay attention. A few hundred plainclothes policemen, walking around the stadium and watching for anything suspicious, will provide more security against terrorism than almost anything else we can reasonably do.

And the best thing about policemen is that they’re adaptable. They can deal with terrorist threats, and they can deal with more common security issues, too.

Most of the threats at the World Series have nothing to do with terrorism; unruly or violent fans are a much more common problem. And more likely than a complex 9/11-like plot is a lone terrorist with a gun, a bomb, or something that will cause panic. But luckily, the security measures ballparks have already put in place to protect against the former also help protect against the latter.

Originally published by UPI.

Posted on October 25, 2004 at 6:31 PMView Comments

Security Information Management Systems (SIMS)

The computer security industry is guilty of overhyping and underdelivering. Again and again, it tells customers that they must buy a certain product to be secure. Again and again, they buy the products — and are still insecure.

Firewalls didn’t keep out network attackers — in fact, the notion of “perimeter” is severely flawed. Intrusion detection systems (IDSs) didn’t keep networks safe, and worms and viruses do considerably damage despite the prevalence of antivirus products. It’s in this context that I want to evaluate Security Information Management Systems, or SIMS, which promise to solve a serious network problem: log analysis.

Computer logs are a goldmine of security information, containing not just IDS alerts, but messages from firewalls, servers, applications, and other network devices. Your network produces megabytes of these logs every day, and hidden in them are attack footprints. The trick is finding and reacting to them fast enough.

Analyzing log messages can determine how the attacker broke in, what he accessed, whether any backdoors were added, and so on. The idea behind log analysis is that if you can read the log messages in real time, you can figure out what the attacker is doing. And if you can respond fast enough, you can kick him out before he does damage. It’s security detection and response. Log analysis works, whether or not you use SIMS.

Even better, it works against a wide variety of risks. Unlike point solutions, security monitoring is general. Log analysis can detect attackers regardless of their tactics.

But SIMS don’t live up to the hype, because they’re missing the essential ingredient that so many other computer security products lack: human intelligence. Firewalls often fail because they’re configured and maintained improperly. IDSs are often useless because there’s no one to respond to their alerts — or to separate the real attacks from the false alarms. SIMS have the same problem: unless there’s a human expert monitoring them, they’re not defending anything. The tools are only as effective as the people using them.

SIMS require vigilance: attacks can happen at any time of the day and any day of the year. Consequently, staffing requires five fulltime employees; more, if you include supervisors and backup personnel with more specialized skills. Even if an organization could find the budget for all of these people, it would be very difficult to hire them in today’s job market. And attacks against a single organization don’t happen often enough to keep a team of this caliber engaged and interested.

Back in 1999, I founded Counterpane Internet Security; we sell an outsourced service called Managed Security Monitory, in which trained security analysts monitor IDS alerts and log messages. Because of the information our analysts received from the network — in real time — as well as their training and expertise, the analysts could detect attacks in progress and provide customers with a level of security they were incapable of achieving otherwise.

When building the Counterpane monitoring service in 1999, we examined log-monitoring appliances from companies like Intellitactics and e-Security. Back then, they weren’t anywhere near good enough for us to use, so we developed our own proprietary system. Today, because of the caliber of the human analysts who use the Counterpane system, it’s much better than any commercial SIMS. We were able to design it with our expert detection-and-response analysts in mind, and not the general sysadmin market.

The key to network security is people, not products. Piling more security products, such as SIMS, only our network won’t help. This is why I believe that network security will eventually be outsourced. There’s no other cost-effective way to reliably get the experts you need, and therefore no other cost-effective way to reliably get security.

This originally appeared in the September/October 2004 issue of IEEE Security and Privacy Magazine.

Posted on October 20, 2004 at 6:03 PMView Comments

Technology and Counterterrorism

Technology makes us safer.

Communications technologies ensure that emergency response personnel can communicate with each other in an emergency–whether police, fire or medical. Bomb-sniffing machines now routinely scan airplane baggage. Other technologies may someday detect contaminants in our water supply or our atmosphere.

Throughout law enforcement and intelligence investigation, different technologies are being harnessed for the good of defense. However, technologies designed to secure specific targets have a limited value.

By its very nature, defense against terrorism means we must be prepared for anything. This makes it expensive–if not nearly impossible–to deploy threat-specific technological advances at all the places where they’re likely needed. So while it’s good to have bomb-detection devices in airports and bioweapon detectors in crowded subways, defensive technology cannot be applied at every conceivable target for every conceivable threat. If we spent billions of dollars securing airports and the terrorists shifted their attacks to shopping malls, we wouldn’t gain any security as a society.

It’s far more effective to try and mitigate the general threat. For example, technologies that improve intelligence gathering and analysis could help federal agents quickly chase down information about suspected terrorists. The technologies could help agents more rapidly uncover terrorist plots of any type and aimed at any target, from nuclear plants to the food supply. In addition, technologies that foster communication, coordination and emergency response could reduce the effects of a terrorist attack, regardless of what form the attack takes. We get the most value for our security dollar when we can leverage technology to extend the capabilities of humans.

Just as terrorists can use technology more or less wisely, we as defenders can do the same. It is only by keeping in mind the strengths and limitations of technology that we can increase our security without wasting money, freedoms or civil liberties, and without making ourselves more vulnerable to other threats. Security is a trade-off, and it is important that we use technologies that enable us to make better trade-offs and not worse ones.

Originally published on CNet

Posted on October 20, 2004 at 4:35 PMView Comments

The Legacy of DES

The Data Encryption Standard, or DES, was a mid-’70s brainchild of the National Bureau of Standards: the first modern, public, freely available encryption algorithm. For over two decades, DES was the workhorse of commercial cryptography.

Over the decades, DES has been used to protect everything from databases in mainframe computers, to the communications links between ATMs and banks, to data transmissions between police cars and police stations. Whoever you are, I can guarantee that many times in your life, the security of your data was protected by DES.

Just last month, the former National Bureau of Standards–the agency is now called the National Institute of Standards and Technology, or NIST–proposed withdrawing DES as an encryption standard, signifying the end of the federal government’s most important technology standard, one more important than ASCII, I would argue.

Today, cryptography is one of the most basic tools of computer security, but 30 years ago it barely existed as an academic discipline. In the days when the Internet was little more than a curiosity, cryptography wasn’t even a recognized branch of mathematics. Secret codes were always fascinating, but they were pencil-and-paper codes based on alphabets. In the secret government labs during World War II, cryptography entered the computer era and became mathematics. But with no professors teaching it, and no conferences discussing it, all the cryptographic research in the United States was conducted at the National Security Agency.

And then came DES.

Back in the early 1970s, it was a radical idea. The National Bureau of Standards decided that there should be a free encryption standard. Because the agency wanted it to be non-military, they solicited encryption algorithms from the public. They got only one serious response–the Data Encryption Standard–from the labs of IBM. In 1976, DES became the government’s standard encryption algorithm for “sensitive but unclassified” traffic. This included things like personal, financial and logistical information. And simply because there was nothing else, companies began using DES whenever they needed an encryption algorithm. Of course, not everyone believed DES was secure.

When IBM submitted DES as a standard, no one outside the National Security Agency had any expertise to analyze it. The NSA made two changes to DES: It tweaked the algorithm, and it cut the key size by more than half.

The strength of an algorithm is based on two things: how good the mathematics is, and how long the key is. A sure way of breaking an algorithm is to try every possible key. Modern algorithms have a key so long that this is impossible; even if you built a computer out of all the silicon atoms on the planet and ran it for millions of years, you couldn’t do it. So cryptographers look for shortcuts. If the mathematics are weak, maybe there’s a way to find the key faster: “breaking” the algorithm.

The NSA’s changes caused outcry among the few who paid attention, both regarding the “invisible hand” of the NSA–the tweaks were not made public, and no rationale was given for the final design–and the short key length.

But with the outcry came research. It’s not an exaggeration to say that the publication of DES created the modern academic discipline of cryptography. The first academic cryptographers began their careers by trying to break DES, or at least trying to understand the NSA’s tweak. And almost all of the encryption algorithms–public-key cryptography, in particular–can trace their roots back to DES. Papers analyzing different aspects of DES are still being published today.

By the mid-1990s, it became widely believed that the NSA was able to break DES by trying every possible key. This ability was demonstrated in 1998, when a $220,000 machine was built that could brute-force a DES key in a few days. In 1985, the academic community proposed a DES variant with the same mathematics but a longer key, called triple-DES. This variant had been used in more secure applications in place of DES for years, but it was time for a new standard. In 1997, NIST solicited an algorithm to replace DES.

The process illustrates the complete transformation of cryptography from a secretive NSA technology to a worldwide public technology. NIST once again solicited algorithms from the public, but this time the agency got 15 submissions from 10 countries. My own algorithm, Twofish, was one of them. And after two years of analysis and debate, NIST chose a Belgian algorithm, Rijndael, to become the Advanced Encryption Standard.

It’s a different world in cryptography now than it was 30 years ago. We know more about cryptography, and have more algorithms to choose among. AES won’t become a ubiquitous standard in the same way that DES did. But it is finding its way into banking security products, Internet security protocols, even computerized voting machines. A NIST standard is an imprimatur of quality and security, and vendors recognize that.

So, how good is the NSA at cryptography? They’re certainly better than the academic world. They have more mathematicians working on the problems, they’ve been working on them longer, and they have access to everything published in the academic world, while they don’t have to make their own results public. But are they a year ahead of the state of the art? Five years? A decade? No one knows.

It took the academic community two decades to figure out that the NSA “tweaks” actually improved the security of DES. This means that back in the ’70s, the National Security Agency was two decades ahead of the state of the art.

Today, the NSA is still smarter, but the rest of us are catching up quickly. In 1999, the academic community discovered a weakness in another NSA algorithm, SHA, that the NSA claimed to have discovered only four years previously. And just last week there was a published analysis of the NSA’s SHA-1 that demonstrated weaknesses that we believe the NSA didn’t know about at all.

Maybe now we’re just a couple of years behind.

This essay was originally published on CNet.com

Posted on October 6, 2004 at 6:05 PMView Comments

RFID Passports

Since the terrorist attacks of 2001, the Bush administration–specifically, the Department of Homeland Security–has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their nonvisa status.

These future passports, currently being tested, will include an embedded computer chip. This chip will allow the passport to contain much more information than a simple machine-readable character font, and will allow passport officials to quickly and easily read that information. That is a reasonable requirement and a good idea for bringing passport technology into the 21st century.

But the Bush administration is advocating radio frequency identification (RFID) chips for both U.S. and foreign passports, and that’s a very bad thing.

These chips are like smart cards, but they can be read from a distance. A receiving device can “talk” to the chip remotely, without any need for physical contact, and get whatever information is on it. Passport officials envision being able to download the information on the chip simply by bringing it within a few centimeters of an electronic reader.

Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that travelers carrying around RFID passports are broadcasting their identity.

Think about what that means for a minute. It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder’s knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily–and surreptitiously–pick Americans or nationals of other participating countries out of a crowd.

It is a clear threat to both privacy and personal safety, and quite simply, that is why it is bad idea. Proponents of the system claim that the chips can be read only from within a distance of a few centimeters, so there is no potential for abuse. This is a spectacularly naïve claim. All wireless protocols can work at much longer ranges than specified. In tests, RFID chips have been read by receivers 20 meters away. Improvements in technology are inevitable.

Security is always a trade-off. If the benefits of RFID outweighed the risks, then maybe it would be worth it. Certainly, there isn’t a significant benefit when people present their passport to a customs official. If that customs official is going to take the passport and bring it near a reader, why can’t he go those extra few centimeters that a contact chip–one the reader must actually touch–would require?

The Bush administration is deliberately choosing a less secure technology without justification. If there were a good offsetting reason to choose that technology over a contact chip, then the choice might make sense.

Unfortunately, there is only one possible reason: The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can’t be done.

Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it.

This article originally appeared in the 4 October 2004 edition of the International Herald Tribune.

Posted on October 4, 2004 at 7:20 PMView Comments

Aerial Surveillance to Detect Building Code Violations

The Baltimore housing department has a new tool to find homeowners who have been building rooftop decks without a permit: aerial mapping. Baltimore bought aerial photographs of the entire city and used software to correlate the images with databases of address information and permit records. Inspectors have just begun knocking on doors of residents who built decks without permission.

On the face of it, this is nothing new. Police always have been able to inspect buildings for permit violations. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to automatically document every building code violation in any city. What’s different isn’t the police tactic but the efficiency of the process.

Technology is fundamentally changing the nature of surveillance. Years ago, surveillance involved trench-coated detectives following people down streets. It was laborious and expensive, and was only used when there was reasonable suspicion of a crime. Modern surveillance is the police officer sitting at a computer with a satellite image of an entire neighborhood. It’s the same, but it’s completely different. It’s wholesale surveillance.

And it disrupts the balance between the powers of the police and the rights of the people.

Wholesale surveillance is fast becoming the norm. Security cameras are everywhere, even in places satellites can’t see. Automatic toll road devices track cars at tunnels and bridges. We can all be tracked by our cell phones. Our purchases are tracked by banks and credit card companies, our telephone calls by phone companies, our Internet surfing habits by Web site operators.

Like the satellite images, the electronic footprints we leave everywhere can be automatically correlated with databases. The data can be stored forever, allowing police to conduct surveillance backward in time.

The effects of wholesale surveillance on privacy and civil liberties is profound, but unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong. It’s obvious that we are all safer when the police can use all possible crimefighting techniques. The Fourth Amendment already allows police to perform even the most intrusive searches of your home and person.

What we need are mechanisms to prevent abuse and hold the police accountable and assurances that the new techniques don’t place an unreasonable burden on the innocent. In many cases, the Fourth Amendment already provides for this in its requirement of a warrant.

The warrant process requires that a “neutral and detached magistrate” review the basis for the search and take responsibility for the outcome. The key is independent judicial oversight; the warrant process is itself a security measure that protects us from abuse and makes us more secure.

This works for some searches, but not for most wholesale surveillance. The courts already have ruled that the police cannot use thermal imaging to see through the walls of your home without a warrant, but that it’s OK for them to fly overhead and peer over your fences without a warrant. They need a warrant before opening your paper mail or listening in on your phone calls.

Wholesale surveillance calls for something else: lessening of criminal penalties. The reason criminal punishments are severe is to create a deterrent because it is hard to catch wrongdoers. As they become easier to catch, a realignment is necessary. When the police can automate the detection of a wrongdoing, perhaps there should no longer be any criminal penalty attached. For example, red-light cameras and speed-trap cameras issue citations without any “points” assessed against drivers.

Another obvious protection is notice. Baltimore should send mail to every homeowner announcing the use of aerial photography to document building code violations, urging individuals to come into compliance.

Wholesale surveillance is not simply a more efficient way for the police to do what they’ve always done. It’s a new police power, one made possible with today’s technology and one that will be made easier with tomorrow’s. And with any new police power, we as a society need to take an active role in establishing rules governing its use. To do otherwise is to cede ever more authority to the police.

This article was originally published in the 4 October 2004 edition of the Baltimore Sun.

Posted on October 4, 2004 at 7:18 PMView Comments

Aerial Surveillance to Detect Building Code Violations

The Baltimore housing department has a new tool to find homeowners who have been building rooftop decks without a permit: aerial mapping. Baltimore bought aerial photographs of the entire city and used software to correlate the images with databases of address information and permit records. Inspectors have just begun knocking on doors of residents who built decks without permission.

On the face of it, this is nothing new. Police always have been able to inspect buildings for permit violations. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to automatically document every building code violation in any city. What’s different isn’t the police tactic but the efficiency of the process.

Technology is fundamentally changing the nature of surveillance. Years ago, surveillance involved trench-coated detectives following people down streets. It was laborious and expensive, and was only used when there was reasonable suspicion of a crime. Modern surveillance is the police officer sitting at a computer with a satellite image of an entire neighborhood. It’s the same, but it’s completely different. It’s wholesale surveillance.

And it disrupts the balance between the powers of the police and the rights of the people.

Wholesale surveillance is fast becoming the norm. Security cameras are everywhere, even in places satellites can’t see. Automatic toll road devices track cars at tunnels and bridges. We can all be tracked by our cell phones. Our purchases are tracked by banks and credit card companies, our telephone calls by phone companies, our Internet surfing habits by Web site operators.

Like the satellite images, the electronic footprints we leave everywhere can be automatically correlated with databases. The data can be stored forever, allowing police to conduct surveillance backward in time.

The effects of wholesale surveillance on privacy and civil liberties is profound, but unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong. It’s obvious that we are all safer when the police can use all possible crimefighting techniques. The Fourth Amendment already allows police to perform even the most intrusive searches of your home and person.

What we need are mechanisms to prevent abuse and hold the police accountable and assurances that the new techniques don’t place an unreasonable burden on the innocent. In many cases, the Fourth Amendment already provides for this in its requirement of a warrant.

The warrant process requires that a “neutral and detached magistrate” review the basis for the search and take responsibility for the outcome. The key is independent judicial oversight; the warrant process is itself a security measure that protects us from abuse and makes us more secure.

This works for some searches, but not for most wholesale surveillance. The courts already have ruled that the police cannot use thermal imaging to see through the walls of your home without a warrant, but that it’s OK for them to fly overhead and peer over your fences without a warrant. They need a warrant before opening your paper mail or listening in on your phone calls.

Wholesale surveillance calls for something else: lessening of criminal penalties. The reason criminal punishments are severe is to create a deterrent because it is hard to catch wrongdoers. As they become easier to catch, a realignment is necessary. When the police can automate the detection of a wrongdoing, perhaps there should no longer be any criminal penalty attached. For example, red-light cameras and speed-trap cameras issue citations without any “points” assessed against drivers.

Another obvious protection is notice. Baltimore should send mail to every homeowner announcing the use of aerial photography to document building code violations, urging individuals to come into compliance.

Wholesale surveillance is not simply a more efficient way for the police to do what they’ve always done. It’s a new police power, one made possible with today’s technology and one that will be made easier with tomorrow’s. And with any new police power, we as a society need to take an active role in establishing rules governing its use. To do otherwise is to cede ever more authority to the police.

This article was originally published in the 4 October 2004 edition of the Baltimore Sun.

Posted on October 4, 2004 at 7:18 PMView Comments

Do Terror Alerts Work?

As I read the litany of terror threat warnings that the government has issued in the past three years, the thing that jumps out at me is how vague they are. The careful wording implies everything without actually saying anything. We hear “terrorists might try to bomb buses and rail lines in major U.S. cities this summer,” and there’s “increasing concern about the possibility of a major terrorist attack.” “At least one of these attacks could be executed by the end of the summer 2003.” Warnings are based on “uncorroborated intelligence,” and issued even though “there is no credible, specific information about targets or method of attack.” And, of course, “weapons of mass destruction, including those containing chemical, biological, or radiological agents or materials, cannot be discounted.”

Terrorists might carry out their attacks using cropdusters, helicopters, scuba divers, even prescription drugs from Canada. They might be carrying almanacs. They might strike during the Christmas season, disrupt the “democratic process,” or target financial buildings in New York and Washington.

It’s been more than two years since the government instituted a color-coded terror alert system, and the Department of Homeland Security has issued about a dozen terror alerts in that time. How effective have they been in preventing terrorism? Have they made us any safer, or are they causing harm? Are they, as critics claim, just a political ploy?

When Attorney General John Ashcroft came to Minnesota recently, he said the fact that there had been no terrorist attacks in America in the three years since September 11th was proof that the Bush administration’s anti-terrorist policies were working. I thought: There were no terrorist attacks in America in the three years before September 11th, and we didn’t have any terror alerts. What does that prove?

In theory, the warnings are supposed to cultivate an atmosphere of preparedness. If Americans are vigilant against the terrorist threat, then maybe the terrorists will be caught and their plots foiled. And repeated warnings brace Americans for the aftermath of another attack.

The problem is that the warnings don’t do any of this. Because they are so vague and so frequent, and because they don’t recommend any useful actions that people can take, terror threat warnings don’t prevent terrorist attacks. They might force a terrorist to delay his plan temporarily, or change his target. But in general, professional security experts like me are not particularly impressed by systems that merely force the bad guys to make minor modifications in their tactics.

And the alerts don’t result in a more vigilant America. It’s one thing to issue a hurricane warning, and advise people to board up their windows and remain in the basement. Hurricanes are short-term events, and it’s obvious when the danger is imminent and when it’s over. People can do useful things in response to a hurricane warning; then there is a discrete period when their lives are markedly different, and they feel there was utility in the higher alert mode, even if nothing came of it.

It’s quite another thing to tell people to be on alert, but not to alter their plans–as Americans were instructed last Christmas. A terrorist alert that instills a vague feeling of dread or panic, without giving people anything to do in response, is ineffective. Indeed, it inspires terror itself. Compare people’s reactions to hurricane threats with their reactions to earthquake threats. According to scientists, California is expecting a huge earthquake sometime in the next two hundred years. Even though the magnitude of the disaster will be enormous, people just can’t stay alert for two centuries. The news seems to have generated the same levels of short-term fear and long-term apathy in Californians that the terrorist warnings do. It’s human nature; people simply can’t be vigilant indefinitely.

It’s true too that people want to make their own decisions. Regardless of what the government suggests, people are going to independently assess the situation. They’re going to decide for themselves whether or not changing their behavior seems like a good idea. If there’s no rational information to base their independent assessment on, they’re going to come to conclusions based on fear, prejudice, or ignorance.

We’re already seeing this in the U.S. We see it when Muslim men are assaulted on the street. We see it when a woman on an airplane panics because a Syrian pop group is flying with her. We see it again and again, as people react to rumors about terrorist threats from Al Qaeda and its allies endlessly repeated by the news media.

This all implies that if the government is going to issue a threat warning at all, it should provide as many details as possible. But this is a catch-22: Unfortunately, there’s an absolute limit to how much information the government can reveal. The classified nature of the intelligence that goes into these threat alerts precludes the government from giving the public all the information it would need to be meaningfully prepared. And maddeningly, the current administration occasionally compromises the intelligence assets it does have, in the interest of politics. It recently released the name of a Pakistani agent working undercover in Al Qaeda, blowing ongoing counterterrorist operations both in Pakistan and the U.K.

Still, ironically, most of the time the administration projects a “just trust me” attitude. And there are those in the U.S. who trust it, and there are those who do not. Unfortunately, there are good reasons not to trust it. There are two reasons government likes terror alerts. Both are self-serving, and neither has anything to do with security.

The first is such a common impulse of bureaucratic self-protection that it has achieved a popular acronym in government circles: CYA. If the worst happens and another attack occurs, the American public isn’t going to be as sympathetic to the current administration as it was last time. After the September 11th attacks, the public reaction was primarily shock and disbelief. In response, the government vowed to fight the terrorists. They passed the draconian USA PATRIOT Act, invaded two countries, and spent hundreds of billions of dollars. Next time, the public reaction will quickly turn into anger, and those in charge will need to explain why they failed. The public is going to demand to know what the government knew and why it didn’t warn people, and they’re not going to look kindly on someone who says: “We didn’t think the threat was serious enough to warn people.” Issuing threat warnings is a way to cover themselves. “What did you expect?” they’ll say. “We told you it was Code Orange.”

The second purpose is even more self-serving: Terror threat warnings are a publicity tool. They’re a method of keeping terrorism in people’s minds. Terrorist attacks on American soil are rare, and unless the topic stays in the news, people will move on to other concerns. There is, of course, a hierarchy to these things. Threats against U.S. soil are most important, threats against Americans abroad are next, and terrorist threats–even actual terrorist attacks–against foreigners in foreign countries are largely ignored.

Since the September 11th attacks, Republicans have made “tough on terror” the centerpiece of their reelection strategies. Study after study has shown that Americans who are worried about terrorism are more likely to vote Republican. In 2002, Karl Rove specifically told Republican legislators to run on that platform, and strength in the face of the terrorist threat is the basis of Bush’s reelection campaign. For that strategy to work, people need to be reminded constantly about the terrorist threat and how the current government is keeping them safe.

It has to be the right terrorist threat, though. Last month someone exploded a pipe bomb in a stem-cell research center near Boston, but the administration didn’t denounce this as a terrorist attack. In April 2003, the FBI disrupted a major terrorist plot in the U.S., arresting William Krar and seizing automatic weapons, pipe bombs, bombs disguised as briefcases, and at least one cyanide bomb–an actual chemical weapon. But because Krar was a member of a white supremacist group and not Muslim, Ashcroft didn’t hold a press conference, Tom Ridge didn’t announce how secure the homeland was, and Bush never mentioned it.

Threat warnings can be a potent tool in the fight against terrorism–when there is a specific threat at a specific moment. There are times when people need to act, and act quickly, in order to increase security. But this is a tool that can easily be abused, and when it’s abused it loses its effectiveness.

It’s instructive to look at the European countries that have been dealing with terrorism for decades, like the United Kingdom, Ireland, France, Italy, and Spain. None of these has a color-coded terror-alert system. None calls a press conference on the strength of “chatter.” Even Israel, which has seen more terrorism than any other nation in the world, issues terror alerts only when there is a specific imminent attack and they need people to be vigilant. And these alerts include specific times and places, with details people can use immediately. They’re not dissimilar from hurricane warnings.

A terror alert that instills a vague feeling of dread or panic echoes the very tactics of the terrorists. There are essentially two ways to terrorize people. The first is to do something spectacularly horrible, like flying airplanes into skyscrapers and killing thousands of people. The second is to keep people living in fear with the threat of doing something horrible. Decades ago, that was one of the IRA’s major aims. Inadvertently, the DHS is achieving the same thing.

There’s another downside to incessant threat warnings, one that happens when everyone realizes that they have been abused for political purposes. Call it the “Boy Who Cried Wolf” problem. After too many false alarms, the public will become inured to them. Already this has happened. Many Americans ignore terrorist threat warnings; many even ridicule them. The Bush administration lost considerable respect when it was revealed that August’s New York/Washington warning was based on three-year-old information. And the more recent warning that terrorists might target cheap prescription drugs from Canada was assumed universally to be politics-as-usual.

Repeated warnings do more harm than good, by needlessly creating fear and confusion among those who still trust the government, and anesthetizing everyone else to any future alerts that might be important. And every false alarm makes the next terror alert less effective.

Fighting global terrorism is difficult, and it’s not something that should be played for political gain. Countries that have been dealing with terrorism for decades have realized that much of the real work happens outside of public view, and that often the most important victories are the most secret. The elected officials of these countries take the time to explain this to their citizens, who in return have a realistic view of what the government can and can’t do to keep them safe.

By making terrorism the centerpiece of his reelection campaign, President Bush and the Republicans play a very dangerous game. They’re making many people needlessly fearful. They’re attracting the ridicule of others, both domestically and abroad. And they’re distracting themselves from the serious business of actually keeping Americans safe.

This article was originally published in the October 2004 edition of The Rake

Posted on October 4, 2004 at 7:08 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.