Leaked UK Government Document on National ID
Seems the UK government has plans to coerce its citizens into a national ID database. Actual pdf document is here, and hopefully mirrored elsewhere.
Entries Tagged "ID cards"
Page 4 of 10
TSA Misses the Point, Again
They’re checking IDs more carefully, looking for forgeries:
Black lights will help screeners inspect the ID cards by illuminating holograms, typically of government seals, that are found in licenses and passports. Screeners also are getting magnifying glasses that highlight tiny inscriptions found in borders of passports and other IDs. About 2,100 of each are going to the nation’s 800 airport checkpoints.
The closer scrutiny of passenger IDs is the latest Transportation Security Administration effort to check passengers more thoroughly than simply having them walk through metal detectors.
[…]
More than 40 passengers have been arrested since June in cases when TSA screeners spotted altered passports, fraudulent visas and resident ID cards, and forged driver’s licenses. Many of them were arrested on immigration charges.
ID checks have nothing to do with airport security. And even if they did, anyone can fly on a fake ID. And enforcing immigration laws is not what the TSA does.
In related news, look at this page from the TSA’s website:
We screen every passenger; we screen every bag so that your memories are from where you went, not how you got there. We’re here to help your travel plans be smooth and stress free. Please take a moment to become familiar with some of our security measures. Doing so now will help save you time once you arrive at the airport.
I know they don’t mean it that way, but doesn’t it sound like it’s saying “We know it doesn’t help, but it might make you feel better”?
And why is this even news?
So Jason—looking every bit the middle-aged man on an uneventful trip to anywhere—shows a boarding pass and an ID to a TSA document checker, and he is directed to a checkpoint where, unbeknown to the security officer on site, the real test begins.
He gets through, which in real life would mean a terrorist was headed toward a plane with a bomb.
To be clear, the TSA allowed CNN to see and record this test, and the agency is not concerned with CNN showing it. The TSA says techniques such as the one used in Tampa are known to terrorists and openly discussed on known terror Web sites.
Also relevant: “Confessions of a TSA Agent“:
The traveling public has no idea that the changes the TSA makes come as orders sent down directly from Washington D.C. Those orders may have reasons, but we little screeners at a screening checkpoint will never be told what the background might be. We get told to do something, and just as in the military, we are expected to make it happen—no ifs, ands or buts about it. Perhaps the changes are as a result of some event occurring in the nation or the world, perhaps it’s based on some newly received information or interrogation. What the traveling public needs to understand the necessity for flexibility. If a passenger asks us why we’re doing something, in all likelihood we couldn’t tell them even if we really did know the answer. This is a business of sensitive information that is used to make choices that can have life changing effects if the information is divulged to the wrong person(s). Just trust that we must know something that prompts us to be doing something.
I have no idea why Kip Hawley is surprised that the TSA is as unpopular with Americans as the IRS.
EDITED TO ADD (1/30): The TSA has a blog, and Kip Hawley wrote the first post. This could be interesting….
EDITED TO ADD (1/31): There is some speculation that the “Confessions of a TSA Agent” is a hoax. I don’t know.
UK's Privacy Chernobyl
I didn’t write about this story at first because we’ve seen it so many times before: a disk with lots of personal information is lost. Encryption is the simple and obvious solution, and that’s the end of it.
But the UK’s loss of 25 million child benefit records—including dates of birth, addresses, bank account information, and national insurance numbers—is turning into a privacy disaster, threatening to derail plans for a national ID card.
Why is it such a big deal? Certainly the scope: 40% of the British population. Also the data: bank account details; plus information about children. There’s already a larger debate on the issue of a database on kids that this feeds into. And it’s a demonstration of government incompetence (think Hurricane Katrina).
In any case, this issue isn’t going away anytime soon. Prime Minister Gordon Brown has apologized. The head of the Revenue and Customs office has resigned. More is certainly coming.
And this is an easy security problem to solve! Disk and file encryption software is cheap, easy to use, and effective.
Driver's License Printer Stolen and Recovered
A specialized printer used to print Missouri driver’s licenses was stolen and recovered.
It’s a funny story, actually. Turns out the thief couldn’t get access to the software needed to run the printer; a lockout on the control computer apparently thwarted him. When he called tech support, they tipped off the Secret Service.
On the one hand, this probably won’t deter a more sophisticated thief. On the other hand, you can make pretty good forgeries with off-the-shelf equipment.
Master Forger Sentenced in the UK
Magic fingers and an unerring eye gave “Hologram Tam,” one of the best forgers in Europe, the skills to produce counterfeit banknotes so authentic that when he was arrested nearly £700,000 worth were in circulation.
Thomas McAnea, 58, who was jailed for six years and four months yesterday, was the kingpin of a professional operation based in Glasgow that, according to police, had the capacity to produce £2 million worth of fake notes a day enough potentially tom destabilise the British economy. More may remain out there undetected.
[…]
“Some of Hologram Tam’s money is still out there. It’s that good that if I gave you one of his notes, you wouldn’t know it,” a police source said.
The detectives also found templates for other forgeries including passports, driving licences, ID cards, bank statements, utility bills, MoT certificates, postage and saving stamps and TV licences.
Photo ID Required to Buy Police Uniforms
In California, if you want to buy a police uniform, you’ll need to prove you’re a policeman:
Assembly Bill 1448 by Assemblyman Roger Niello, R-Fair Oaks, makes it a misdemeanor punishable by up to a $1,000 fine for vendors who do not verify the identification of those purchasing law enforcement uniforms. Previous law made it illegal to impersonate police but did not require an ID check at the point of purchase. The measure takes effect Jan. 1.
Niello said AB 1448 is necessary because many law enforcement agencies require officers to purchase uniforms through outside retailers rather than their own departments.
I’ve written a lot about the problem of authenticating uniforms. This isn’t going to solve that problem. But it’s probably a good idea all the same.
Cows Get Photo IDs in India
You can’t make this stuff up.
Authorities say crime syndicates find it easy to tamper with branding or tattooing of the cattle—hence the idea for photo identity cards which should be difficult to falsify.
Valid for two years, each laminated cattle ID card displays the picture of the animal and its owner. It also carries vital information about the animal, such as its colour, height, sex and length of horns.
It carries the owner’s name and address and sometimes other details about the animal—like one “horn missing” or “half tail lost”.
Does anyone really think this will improve security?
U.S. Government Threatens Retaliation Against States who Reject REAL ID
REAL ID is the U.S. government plan to impose uniform regulations on state driver’s licenses. It’s a national ID card, in all but cosmetic form. (Here is my essay on the security costs and benefits. These two sites are also good resources.)
Most states hate it: 17 have passed legislation rejecting REAL ID, and many others have such legislation somewhere in process. Now it looks like the federal government is upping the ante, and threatening retaliation against those states that don’t implement REAL ID:
The cards would be mandatory for all “federal purposes,” which include boarding an airplane or walking into a federal building, nuclear facility or national park, Homeland Security Secretary Michael Chertoff told the National Conference of State Legislatures last week. Citizens in states that don’t comply with the new rules will have to use passports for federal purposes.
This sounds tough, but it’s a lot of bluster. The states that have passed anti-REAL-ID legislation lean both Republican and Democrat. The federal government just can’t say that citizens of—for example—Georgia (which passed a bill in May authorizing the Governor to delay implementation of REAL ID) can’t walk into a federal courthouse without a passport. Or can’t board an airplane without a passport—imagine the lobbying by Delta Airlines here. They just can’t.
Conversation with Kip Hawley, TSA Administrator (Part 3)
This is Part 3 of a five-part series. Link to whole thing.
BS: Let’s talk about ID checks. I’ve called the no-fly list a list of people so dangerous they cannot be allowed to fly under any circumstance, yet so innocent we can’t arrest them even under the Patriot Act. Except that’s not even true; anyone, no matter how dangerous they are, can fly without an ID or by using someone else’s boarding pass. And the list itself is filled with people who shouldn’t be on it—dead people, people in jail, and so on—and primarily catches innocents with similar names. Why are you bothering?
KH: Because it works. We just completed a scrub of every name on the no-fly list and cut it in half—essentially cleaning out people who were no longer an active terror threat. We do not publicize how often the no-fly system stops people you would not want on your flight. Several times a week would low-ball it.
Your point about the no-ID and false boarding pass people is a great one. We are moving people who have tools and training to get at that problem. The bigger issue is that TSA is moving in the direction of security that picks up on behavior versus just keying on what we see in your bag. It really would be security theater if all we did was try to find possible weapons in that crunched fifteen seconds and fifteen feet after you anonymously walk through the magnetometer. We do a better job, with less aggravation of ordinary passengers, if we put people-based layers further ahead in the process—behavior observation based on involuntary, observable muscle behavior, canine teams, document verification, etc.
BS: We’ll talk about behavioral profiling later; no fair defending one security measure by pointing to another, completely separate, one. How can you claim ID cards work? Like the liquid ban, all it does is annoy innocent travelers without doing more than inconveniencing any future terrorists. Is it really good enough for you to defend me from terrorists too dumb to Google “print your own boarding pass”?
KH: We are getting at the fake boarding pass and ID issues with our proposal to Congress that would allow us to replace existing document checkers with more highly trained people with tools that would close those gaps. Without effective identity verification, watch lists don’t do much, so this is a top priority.
Having highly trained TSOs performing the document checking function closes a security gap, adds another security layer, and pushes TSA’s security program out in front of the checkpoint.
BS: Let’s move on. Air travelers think you’re capricious. Remember in April when the story went around about the Princeton professor being on a no-fly list because he spoke out against President Bush? His claims were easily debunked, but the real story is that so many people believed it. People believe political activity puts them on the list. People are afraid to complain about being mistreated at checkpoints because they’re afraid it puts them on a list. Is there anything you can do to make this process more transparent?
KH: We need some help on this one. This is the biggest public pain point, dwarfing shoes and baggies.
First off, TSA does not add people to the watch-lists, no matter how cranky you are at a checkpoint. Second, political views have nothing to do with no-flys or selectees. These myths have taken on urban legend status. There are very strict criteria and they are reviewed by lots of separate people in separate agencies: it is for live terror concerns only. The problem comes from random selectees (literally mathematically random) or people who have the same name and birth date as real no-flys. If you can get a boarding pass, you are not on the no-fly list. This problem will go away when Secure Flight starts in 2008, but we can’t seem to shake the false impression that ordinary Americans get put on a “list.” I am open for suggestions on how to make the public “get it.”
BS: It’s hard to believe that there could be hundreds of thousands of people meeting those very strict criteria, and that’s after the list was cut in half! I know the TSA does not control the no-fly and watch lists, but you’re the public face of those lists. You’re the aspect of homeland security that people come into direct contact with. Some people might find out they’re on the list by being arrested, or being shipped off to Syria for torture, but most people find out they’re on the list by being repeatedly searched and questioned for hours at airports.
The main problem with the list is that it’s secret. Who is on the list is secret. Why someone’s on is secret. How someone can get off is secret. There’s no accountability and there’s no transparency. Of course this kind of thing induces paranoia. It’s the sort of thing you read about in history books about East Germany and other police states.
The best thing you can do to improve the problem is redress. People need the ability to see the evidence against them, challenge their accuser, and have a hearing in a neutral court. If they’re guilty of something, arrest them. And if they’re innocent, stop harassing them. It’s basic liberty.
I don’t actually expect you to fix this; the problem is larger than the TSA. But can you tell us something about redress? It’s been promised to us for years now.
KH: Redress issues are divided into two categories: people on the no-fly list and people who have names similar to them.
In our experience, the first group is not a heavy user of the redress process. They typically don’t want anything to do with the U.S. government. Still, if someone is either wrongly put on or kept on, the Terrorist Screening Center (TSC) removes him or her immediately. In fact, TSA worked with the TSC to review every name, and that review cut the no-fly list in half. Having said that, once someone is really on the no-fly list, I totally agree with what you said about appeal rights. This is true across the board, not just with no-flys. DHS has recently consolidated redress for all DHS activities into one process called DHS TRIP. If you are mistaken for a real no-fly, you can let TSA know and we provide your information to the airlines, who right now are responsible for identifying no-flys trying to fly. Each airline uses its own system, so some can get you cleared to use kiosks, while others still require a visit to the ticket agent. When Secure Flight is operating, we’ll take that in-house at TSA and the problem should go away.
BS: I still don’t see how that will work, as long as the TSA doesn’t have control over who gets on or off the list.
DHS Data Privacy and Integrity Advisory Committee's Report on REAL ID
The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has issued an excellent report on REAL ID:
The REAL ID Act is one of the largest identity management undertakings in history. It would bring more than 200 million people from a large, diverse, and mobile country within a uniformly defined identity system, jointly operated by state governments. This has never been done before in the USA, and it raises numerous policy, privacy, and data security issues that have had only brief scrutiny, particularly given the scope and scale of the undertaking.
It is critical that specific issues be carefully considered before developing and deploying a uniform identity management system in the 21st century. These include, but are not limited to, the implementation costs, the privacy consequences, the security of stored identity documents and personal information, redress and fairness, “mission creep”, and, perhaps most importantly, provisions for national security protections.
The Department of Homeland Security’s Notice of Proposed Rulemaking touched on some of these issues, though it did not explore them in the depth necessary for a system of such magnitude and such consequence. Given that these issues have not received adequate consideration, the Committee feels it is important that the following comments do not constitute an endorsement of REAL ID or the regulations as workable or appropriate.
I’ve written about REAL ID here.
Sidebar photo of Bruce Schneier by Joe MacInnis.