Entries Tagged "fraud"

Page 32 of 32

Illegal Aliens and Driver's Licenses

Has anyone heard of the Center for Advanced Studies in Science and Technology Policy? They released a statement saying that not issuing driver’s licenses to illegal aliens is bad for security. Their analysis is good, and worth reading:

As part of the legislative compromise to pass the intelligence reform bill signed into law by the President today, the administration and Congressional leaders have promised to attach to the first ‘must pass’ legislation of the new year a controversial provision that was rightly dropped from the intelligence reform bill — this provision would effectively prevent the states from issuing driver’s licenses to illegal aliens by requiring ‘legal presence’ status for holders of licenses to be used as ‘national ID.’

Although this provision is being touted by its supporters as a security measure, its implementation in practice will be to undermine national security because it ignores three widely-recognized principles of counter-terrorism security: the shrinking perimeter of defense; the need to allocate resources to more likely targets; and the economics of fraud.

First, the very fact that 13 million illegal aliens are already within our borders means that a perimeter-based defense is porous. The proposed policy would eliminate another opportunity to screen this large pool of people and to separate ‘otherwise law abiding’ illegal aliens from terrorists or criminals by confirming identity when licenses are issued or when such licenses are presented or used for identity screening at checkpoints.

Recognizing the porous nature of perimeter defense does not mean that border security should not be improved or that additional steps to prevent illegal immigration should not be taken, however, not recognizing its porous nature is unrealistic, counter to current trends in security practice, and undermines national security. Rather than excluding 13 million people already within our borders, we should encourage non-terrorist illegal aliens to participate in internal security screening systems.

This leads to the second point. Contrary to the argument made by its supporters that denying illegal aliens licenses would prevent terrorists from ‘melting’ into society, this legislation would guarantee a larger haystack in which terrorists can hide thus making it more difficult for law enforcement to identify them. Counter-terrorism strategy is based on reducing the suspect population so that security resources can be focused on more likely suspects. Denying identity legitimacy to 13 million illegal aliens — the vast majority of whom are not terrorists or otherwise threats to national security — just increases the size of the suspect pool for law enforcement to have to sort through. Since law enforcement resources are already unable to effectively cope with the large illegal alien population why further complicate their task?

Third, the proposed legislation would increase the incentives for fraud by greatly inflating the value of a driver’s license and by creating significant new demand for fraudulent licenses by making the driver’s license actual proof of citizenship or legal status. Arguments in support of the legislation are based in part on denying illegal aliens the de facto legitimacy that a driver’s license currently confers, yet the legislation would actually make such legitimacy a matter of law, thus increasing the demand for fraudulent licenses not only among those illegal aliens wishing to drive but among all 13 million who may now see it as a way to get jobs or otherwise prove their legitimate status.

If 13 million people living within our borders can’t drive, fly, travel on a train or bus, or otherwise participate in society without a driver’s license and they cannot get a legitimate one, then the market will supply them an illegal fraudulent one. State DMV bureaucracies, no matter how well- intentioned, do not have the resources, training, or skill to prevent fraud driven by this additional demand and no federal mandate will be able to prevent organized criminal elements from responding.

On the other hand, if illegal aliens are allowed to get legitimate licenses upon thorough vetting of their identity, then the only ones who will be trying to get fraudulent documents will be terrorists or criminals — who will face increased costs and more opportunities for mistakes if there is less overall demand — and law enforcement resources can be focused on these activities.

Fourteen states currently allow driver’s licenses to be obtained without showing ‘legal presence.’ These laws were enacted for public safety reasons — to ensure that drivers meet some standard to drive and to lower insurance premiums by decreasing the pool of unlicensed and uninsured drivers. In most cases, these laws were passed with the strong support of state law enforcement officials who recognized the advantages of being able to identify drivers and discourage unlicensed drivers from fleeing from minor traffic infractions or accidents because they were fearful of being caught without a license. The analogous arguments hold for national security — the more we can encourage otherwise law abiding people within our borders to participate in the system the easier it will be to identify those that pose a true threat.

There may be legitimate reasons for cracking down on illegal immigration, there may even be reasons to deny illegal aliens driver’s licenses, but counter-terrorism security is not one. This provision was appropriately dropped from the intelligence reform bill and it should not be resurrected in the 109th Congress.

Posted on January 4, 2005 at 8:00 AM

The Digital Person

Last week, I stayed at the St. Regis hotel in Washington, DC. It was my first visit, and the management gave me a questionnaire, asking me things like my birthday, my spouse’s name and birthday, my anniversary, and my favorite fruits, drinks, and sweets. The purpose was clear; the hotel wanted to be able to offer me a more personalized service the next time I visited. And it was a purpose I agreed with; I wanted more personalized service. But I was very uneasy about filling out the form.

It wasn’t that the information was particularly private. I make no secret of my birthday, or anniversary, or food preferences. Much of that information is even floating around the Web somewhere. Secrecy wasn’t the issue.

The issue was control. In the United States, information about a person is owned by the person who collects it, not by the person it is about. There are specific exceptions in the law, but they’re few and far between. There are no broad data protection laws, as you find in the European Union. There are no Privacy Commissioners, as you find in Canada. Privacy law in the United States is largely about secrecy: if the information is not secret, there’s little you can do to control its dissemination.

As a result, enormous databases exist that are filled with personal information. These databases are owned by marketing firms, credit bureaus, and the government. Amazon knows what books we buy. Our supermarket knows what foods we eat. Credit card companies know quite a lot about our purchasing habits. Credit bureaus know about our financial history, and what they don’t know is contained in bank records. Health insurance records contain details about our health and well-being. Government records contain our Social Security numbers, birthdates, addresses, mother’s maiden names, and a host of other things. Many driver’s license records contain digital pictures.

All of this data is being combined, indexed, and correlated. And it’s being used for all sorts of things. Targeted marketing campaigns are just the tip of the iceberg. This information is used by potential employers to judge our suitability as employees, by potential landlords to determine our suitability as renters, and by the government to determine our likelihood of being a terrorist.

Some stores are beginning to use our data to determine whether we are desirable customers or not. If customers take advantage of too many discount offers or make too many returns, they may be profiled as “bad” customers and be treated differently from the “good” customers.

And with alarming frequency, our data is being abused by identity thieves. The businesses that gather our data don’t care much about keeping it secure. So identity theft is a problem where those who suffer from it — the individuals — are not in a position to improve security, and those who are in a position to improve security don’t suffer from the problem.

The issue here is not about secrecy, it’s about control. The issue is that both government and commercial organizations are building “digital dossiers” about us, and that these dossiers are being used to judge and categorize us through some secret process.

A new book by George Washington University Law Professor Daniel Solove examines the problem of the growing accumulation of personal information in enormous databases. The book is called The Digital Person: Technology and Privacy in the Information Age, and it is a fascinating read.

Solove’s book explores this problem from a legal perspective, explaining what the problem is, how current U.S. law fails to deal with it, and what we should do to protect privacy today. It’s an unusually perceptive discussion of one of the most
vexing problems of the digital age — our loss of control over our personal information. It’s a fascinating journey into the almost surreal ways personal information is hoarded, used, and abused in the digital age.

Solove argues that our common conceptualization of the privacy problem as Big Brother — some faceless organization knowing our most intimate secrets — is only one facet of the issue. A better metaphor can be found in Franz Kafka’s The Trial. In the book, a vast faceless bureaucracy constructs a huge dossier about a person, who can’t find out what information exists about him in the dossier, why the information has been gathered, or what it will be used for. Privacy is not about intimate secrets; it’s about who has control of the millions of pieces of personal data that we leave like droppings as we go through our daily life. And until the U.S. legal system recognizes this fact, Americans will continue to live in an world where they have little control over their digital person.

In the end, I didn’t complete the questionnaire from the St. Regis Hotel. While I was fine with the St. Regis in Washington, DC, having that information to make my subsequent stays a little more personal, and was probably fine with that information being shared among other St. Regis hotels, I wasn’t comfortable with the St. Regis doing whatever they wanted with that information. I wasn’t comfortable with them selling the information to a marketing database. I wasn’t comfortable with anyone being able to buy that information. I wasn’t comfortable with that information ending up in a database of my habits, my preferences, my proclivities. It wasn’t the primary use of that information that bothered me, it was the secondary uses.

Solove has done much more thinking about this issue than I have. His book provides a clear account of the social problems involving information privacy, and haunting predictions of current U.S. legal policies. Even more importantly, the legal solutions he provides are compelling and worth serious consideration. I recommend his book highly.

The book’s website

Order the book on Amazon

Posted on December 9, 2004 at 9:18 AMView Comments

Two-Factor Authentication with Cell Phones

Here’s a good idea:

ASB and Bank Direct’s internet banking customers will need to have their cellphone close to hand if they want to use the net to transfer more than $2500 into another account from December.

ASB technology and operations group general manager Clayton Wakefield announced the banks would be the first in New Zealand to implement a “two factor authentication” system to shut out online fraudsters, unveiling details of the service on Friday.

After logging on to internet banking, customers who want to remit more than $2500 into a third party account will receive an eight-digit text message to their cellphone, which they will need to enter online within three minutes to complete the transaction.

It’s more secure than a simple username and password. It’s easy to implement, with no extra hardware required (assuming your customers already have cellphones). It’s easy for the customers to understand and to do. What’s not to like?

Posted on November 23, 2004 at 9:41 AMView Comments

Schneier: Microsoft still has work to do

Bruce Schneier is founder and chief technology officer of Mountain View, Calif.-based MSSP Counterpane Internet Security Inc. and author of Applied Cryptography, Secrets and Lies, and Beyond Fear. He also publishes Crypto-Gram, a free monthly newsletter, and writes op-ed pieces for various publications. Schneier spoke to SearchSecurity.com about the latest threats, Microsoft’s ongoing security struggles and other topics in a two-part interview that took place by e-mail and phone last month. In this installment, he talks about the “hype” of SP2 and explains why it’s “foolish” to use Internet Explorer.

What’s the biggest threat to information security at the moment?

Schneier: Crime. Criminals have discovered IT in a big way. We’re seeing a huge increase in identity theft and associated financial theft. We’re seeing a rise in credit card fraud. We’re seeing a rise in blackmail. Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there’s a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords. Right now we’re seeing a crime wave against Internet consumers that has the potential to radically change the way people use their computers. When enough average users complain about having money stolen, the government is going to step in and do something. The results are unlikely to be pretty.

Which threats are overly hyped?

Schneier: Cyberterrorism. It’s not much of a threat. These attacks are very difficult to execute. The software systems controlling our nation’s infrastructure are filled with vulnerabilities, but they’re generally not the kinds of vulnerabilities that cause catastrophic disruptions. The systems are designed to limit the damage that occurs from errors and accidents. They have manual overrides. These systems have been proven to work; they’ve experienced disruptions caused by accident and natural disaster. We’ve been through blackouts, telephone switch failures and disruptions of air traffic control computers. The results might be annoying, and engineers might spend days or weeks scrambling, but it doesn’t spread terror. The effect on the general population has been minimal.

Microsoft has made much of the added security muscle in SP2. Has it measured up to the hype?

Schneier: SP2 is much more hype than substance. It’s got some cool things, but I was unimpressed overall. It’s a pity, though. They had an opportunity to do more, and I think they could have done more. But even so, this stuff is hard. I think the fact that SP2 was largely superficial speaks to how the poor security choices Microsoft made years ago are deeply embedded inside the operating system.

Is Microsoft taking security more seriously?

Schneier: Microsoft is certainly taking it more seriously than three years ago, when they ignored it completely. But they’re still not taking security seriously enough for me. They’ve made some superficial changes in the way they approach security, but they still treat it more like a PR problem than a technical problem. To me, the problem is economic. Microsoft — or any other software company — is not a charity, and we should not expect them to do something that hurts their bottom line. As long as we all are willing to buy insecure software, software companies don’t have much incentive to make their products secure. For years I have been advocating software liability as a way of changing that balance. If software companies could get sued for defective products, just as automobile manufacturers are, then they would spend much more money making their products secure.

After the Download.ject attack in June, voices advocating alternatives to Internet Explorer grew louder. Which browser do you use?

Schneier: I think it’s foolish to use Internet Explorer. It’s filled with security holes, and it’s too hard to configure it to have decent security. Basically, it seems to be written in the best interests of Microsoft and not in the best interests of the customer. I have used the Opera browser for years, and I am very happy with it. It’s much better designed, and I never have to worry about Explorer-based attacks.

By Bill Brenner, News Writer
4 Oct 2004 | SearchSecurity.com

Posted on October 8, 2004 at 4:45 PMView Comments

1 30 31 32

Sidebar photo of Bruce Schneier by Joe MacInnis.