Schneier on Security: Tagged laws

Entries Tagged "laws"

Page 31 of 32

Banning Matches and Lighters on Airplanes

When Congress voted last year to prohibit passengers from bringing lighters and matches aboard commercial airplanes, it sounded like a reasonable idea for improving airline security.

But as airports and government leaders began discussing how to create flame-free airport terminals, the task became more complicated. Would newsstands and other small airport stores located beyond the security checkpoint have to stop selling lighters? Would airports have to ban smoking and close smoking lounges? How would security screeners detect matches in passengers’ pockets or carry-on bags when they don’t contain metal to set off the magnetometers? And what about arriving international travelers, who might have matches and lighters with them as they walk through the terminal?

It’s the silly security season out there. Given all of the things to spend money on to improve security, how this got to the top of anyone’s list is beyond me.

Posted on March 4, 2005 at 3:00 PM • View Comments

Regulation, Liability, and Computer Security

For a couple of years I have been arguing that liability is a way to solve the economic problems underlying our computer security problems. At the RSA conference this year, I was on a panel on that very topic.

This essay argues that regulation, not liability, is the correct way to solve the underlying economic problems, using the analogy of high-pressure steam engines in the 1800s.

Definitely worth thinking about some more.

Posted on February 25, 2005 at 8:00 AM • View Comments

ChoicePoint

The ChoicePoint fiasco has been news for over a week now, and there are only a few things I can add. For those who haven’t been following along, ChoicePoint mistakenly sold personal credit reports for about 145,000 Americans to criminals.

This story would have never been made public if it were not for SB 1386, a California law requiring companies to notify California residents if any of a specific set of personal information is leaked.

ChoicePoint’s behavior is a textbook example of how to be a bad corporate citizen. The information leakage occurred in October, and it didn’t tell any victims until February. First, ChoicePoint notified 30,000 Californians and said that it would not notify anyone who lived outside California (since the law didn’t require it). Finally, after public outcry, it announced that it would notify everyone affected.

The clear moral here is that first, SB 1386 needs to be a national law, since without it ChoicePoint would have covered up their mistakes forever. And second, the national law needs to force companies to disclose these sorts of privacy breaches immediately, and not allow them to hide for four months behind the “ongoing FBI investigation” shield.

More is required. Compare the difference in ChoicePoint’s public marketing slogans with its private reality.

From “Identity Theft Puts Pressure on Data Sellers,” by Evan Perez, in the 18 Feb 2005 Wall Street Journal:

The current investigation involving ChoicePoint began in October when the company found the 50 accounts it said were fraudulent. According to the company and police, criminals opened the accounts, posing as businesses seeking information on potential employees and customers. They paid fees of $100 to $200, and provided fake documentation, gaining access to a trove of
personal data including addresses, phone numbers, and social security numbers.

From ChoicePoint Chairman and CEO Derek V. Smith:

ChoicePoint’s core competency is verifying and authenticating individuals
and their credentials.

The reason there is a difference is purely economic. Identity theft is the fastest-growing crime in the U.S., and an enormous problem elsewhere in the world. It’s expensive—both in money and time—to the victims. And there’s not much people can do to stop it, as much of their personal identifying information is not under their control: it’s in the computers of companies like ChoicePoint.

ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint’s databases are not ChoicePoint’s customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company “NoChoicePoint.”

The upshot of this is that ChoicePoint doesn’t bear the costs of identity theft, so ChoicePoint doesn’t take those costs into account when figuring out how much money to spend on data security. In economic terms, it’s an “externality.”

The point of regulation is to make externalities internal. SB 1386 did that to some extent, since ChoicePoint now must figure the cost of public humiliation when they decide how much money to spend on security. But the actual cost of ChoicePoint’s security failure is much, much greater.

Until ChoicePoint feels those costs—whether through regulation or liability—it has no economic incentive to reduce them. Capitalism works, not through corporate charity, but through the free market. I see no other way of solving the problem.

Posted on February 23, 2005 at 3:19 PM • View Comments

T-Mobile Hack

For at least seven months last year, a hacker had access to T-Mobile’s customer network. He’s known to have accessed information belonging to 400 customers—names, Social Security numbers, voicemail messages, SMS messages, photos—and probably had the ability to access data belonging to any of T-Mobile’s 16.3 million U.S. customers. But in its fervor to report on the security of cell phones, and T-Mobile in particular, the media missed the most important point of the story: The security of much of our data is not under our control.

This is new. A dozen years ago, if someone wanted to look through your mail, they would have to break into your house. Now they can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your house; now it’s on a computer owned by a telephone company. Your financial data is on Websites protected only by passwords. The list of books you browse, and the books you buy, is stored in the computers of some online bookseller. Your affinity card allows your supermarket to know what food you like. Data that used to be under your direct control is now controlled by others.

We have no choice but to trust these companies with our privacy, even though the companies have little incentive to protect that privacy. T-Mobile suffered some bad press for its lousy security, nothing more. It’ll spend some money improving its security, but it’ll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers.

This loss of control over our data has other effects, too. Our protections against police abuse have been severely watered down. The courts have ruled that the police can search your data without a warrant, as long as that data is held by others. The police need a warrant to read the e-mail on your computer; but they don’t need one to read it off the backup tapes at your ISP. According to the Supreme Court, that’s not a search as defined by the 4th Amendment.

This isn’t a technology problem, it’s a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don’t have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data, and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant—even though it occurred at the phone company switching office—the Supreme Court must recognize that reading e-mail at an ISP is no different.

This essay appeared in eWeek.

Posted on February 14, 2005 at 4:26 PM • View Comments

Fertilizer as a Weapon

In an attempt to protect us from terrorism, there are new restrictions on fertilizer sales in the Kansas (and elsewhere):

Under the rules, retailers would have to obtain the name, address and telephone and driver’s license number of purchasers of ammonium nitrate fertilizer and maintain records, including the date of the sale and the amount purchased, for at least two years.

The administrative guidelines would authorize retailers to refuse to sell ammonium nitrate when it was being purchased out of season, in unusual quantities or in other suspicious circumstances.

The proposal, similar to rules in place in South Carolina and Nevada, is designed to make ammonium nitrate more secure and keep it out of the hands of terrorists….

Posted on February 8, 2005 at 7:58 AM • View Comments

Illegal Aliens and Driver's Licenses

Has anyone heard of the Center for Advanced Studies in Science and Technology Policy? They released a statement saying that not issuing driver’s licenses to illegal aliens is bad for security. Their analysis is good, and worth reading:

As part of the legislative compromise to pass the intelligence reform bill signed into law by the President today, the administration and Congressional leaders have promised to attach to the first ‘must pass’ legislation of the new year a controversial provision that was rightly dropped from the intelligence reform bill—this provision would effectively prevent the states from issuing driver’s licenses to illegal aliens by requiring ‘legal presence’ status for holders of licenses to be used as ‘national ID.’

Although this provision is being touted by its supporters as a security measure, its implementation in practice will be to undermine national security because it ignores three widely-recognized principles of counter-terrorism security: the shrinking perimeter of defense; the need to allocate resources to more likely targets; and the economics of fraud.

First, the very fact that 13 million illegal aliens are already within our borders means that a perimeter-based defense is porous. The proposed policy would eliminate another opportunity to screen this large pool of people and to separate ‘otherwise law abiding’ illegal aliens from terrorists or criminals by confirming identity when licenses are issued or when such licenses are presented or used for identity screening at checkpoints.

Recognizing the porous nature of perimeter defense does not mean that border security should not be improved or that additional steps to prevent illegal immigration should not be taken, however, not recognizing its porous nature is unrealistic, counter to current trends in security practice, and undermines national security. Rather than excluding 13 million people already within our borders, we should encourage non-terrorist illegal aliens to participate in internal security screening systems.

This leads to the second point. Contrary to the argument made by its supporters that denying illegal aliens licenses would prevent terrorists from ‘melting’ into society, this legislation would guarantee a larger haystack in which terrorists can hide thus making it more difficult for law enforcement to identify them. Counter-terrorism strategy is based on reducing the suspect population so that security resources can be focused on more likely suspects. Denying identity legitimacy to 13 million illegal aliens—the vast majority of whom are not terrorists or otherwise threats to national security—just increases the size of the suspect pool for law enforcement to have to sort through. Since law enforcement resources are already unable to effectively cope with the large illegal alien population why further complicate their task?

Third, the proposed legislation would increase the incentives for fraud by greatly inflating the value of a driver’s license and by creating significant new demand for fraudulent licenses by making the driver’s license actual proof of citizenship or legal status. Arguments in support of the legislation are based in part on denying illegal aliens the de facto legitimacy that a driver’s license currently confers, yet the legislation would actually make such legitimacy a matter of law, thus increasing the demand for fraudulent licenses not only among those illegal aliens wishing to drive but among all 13 million who may now see it as a way to get jobs or otherwise prove their legitimate status.

If 13 million people living within our borders can’t drive, fly, travel on a train or bus, or otherwise participate in society without a driver’s license and they cannot get a legitimate one, then the market will supply them an illegal fraudulent one. State DMV bureaucracies, no matter how well- intentioned, do not have the resources, training, or skill to prevent fraud driven by this additional demand and no federal mandate will be able to prevent organized criminal elements from responding.

On the other hand, if illegal aliens are allowed to get legitimate licenses upon thorough vetting of their identity, then the only ones who will be trying to get fraudulent documents will be terrorists or criminals—who will face increased costs and more opportunities for mistakes if there is less overall demand—and law enforcement resources can be focused on these activities.

Fourteen states currently allow driver’s licenses to be obtained without showing ‘legal presence.’ These laws were enacted for public safety reasons—to ensure that drivers meet some standard to drive and to lower insurance premiums by decreasing the pool of unlicensed and uninsured drivers. In most cases, these laws were passed with the strong support of state law enforcement officials who recognized the advantages of being able to identify drivers and discourage unlicensed drivers from fleeing from minor traffic infractions or accidents because they were fearful of being caught without a license. The analogous arguments hold for national security—the more we can encourage otherwise law abiding people within our borders to participate in the system the easier it will be to identify those that pose a true threat.

There may be legitimate reasons for cracking down on illegal immigration, there may even be reasons to deny illegal aliens driver’s licenses, but counter-terrorism security is not one. This provision was appropriately dropped from the intelligence reform bill and it should not be resurrected in the 109th Congress.

Posted on January 4, 2005 at 8:00 AM •

The Electronic Privacy Information Center (EPIC)

For many Americans, the end of the year is charitable contribution time. (The reasons are tax-related.) While there is no shortage of worthy causes around the world, I would like to suggest contributing at least something to EPIC.

Since its founding ten years ago, EPIC has worked to protect privacy, freedom of expression, and democratic values, and to promote the Public Voice in decisions concerning the future of the Internet. They maintain one of the most extensive websites on privacy and free speech issues on the Internet. They litigate Freedom of Information Act, First Amendment, and privacy cases. They publish books on open government and privacy. They train law school students about the Internet and the public interest. They testify frequently before Congress about emerging civil liberties issues. They provide an extensive listing of privacy resources as well as a guide to practical privacy tools.

Remember when it became public that JetBlue (and other airlines) provided passenger information to the U.S. government in violation of their own privacy policies? Or when it was revealed that the CAPPS-II airline passenger profiling system would be used for other, non-terrorism, purposes? EPIC’s FOIA work uncovered those stories.

December 15th is the 213th anniversary of the signing of the Bill of Rights. Read through it again today, and notice how the different laws protect the security of Americans. I’m proud to be a member of EPIC’s Advisory Board. They do good work, and we’re all a lot more secure because of it.

EPIC’s website

U.S. Bill of Rights

Posted on December 15, 2004 at 9:10 AM • View Comments

The Electronic Privacy Information Center (EPIC)

EPIC’s website

U.S. Bill of Rights

Posted on December 15, 2004 at 9:10 AM • View Comments

The Digital Person

Last week, I stayed at the St. Regis hotel in Washington, DC. It was my first visit, and the management gave me a questionnaire, asking me things like my birthday, my spouse’s name and birthday, my anniversary, and my favorite fruits, drinks, and sweets. The purpose was clear; the hotel wanted to be able to offer me a more personalized service the next time I visited. And it was a purpose I agreed with; I wanted more personalized service. But I was very uneasy about filling out the form.

It wasn’t that the information was particularly private. I make no secret of my birthday, or anniversary, or food preferences. Much of that information is even floating around the Web somewhere. Secrecy wasn’t the issue.

The issue was control. In the United States, information about a person is owned by the person who collects it, not by the person it is about. There are specific exceptions in the law, but they’re few and far between. There are no broad data protection laws, as you find in the European Union. There are no Privacy Commissioners, as you find in Canada. Privacy law in the United States is largely about secrecy: if the information is not secret, there’s little you can do to control its dissemination.

As a result, enormous databases exist that are filled with personal information. These databases are owned by marketing firms, credit bureaus, and the government. Amazon knows what books we buy. Our supermarket knows what foods we eat. Credit card companies know quite a lot about our purchasing habits. Credit bureaus know about our financial history, and what they don’t know is contained in bank records. Health insurance records contain details about our health and well-being. Government records contain our Social Security numbers, birthdates, addresses, mother’s maiden names, and a host of other things. Many driver’s license records contain digital pictures.

All of this data is being combined, indexed, and correlated. And it’s being used for all sorts of things. Targeted marketing campaigns are just the tip of the iceberg. This information is used by potential employers to judge our suitability as employees, by potential landlords to determine our suitability as renters, and by the government to determine our likelihood of being a terrorist.

Some stores are beginning to use our data to determine whether we are desirable customers or not. If customers take advantage of too many discount offers or make too many returns, they may be profiled as “bad” customers and be treated differently from the “good” customers.

And with alarming frequency, our data is being abused by identity thieves. The businesses that gather our data don’t care much about keeping it secure. So identity theft is a problem where those who suffer from it—the individuals—are not in a position to improve security, and those who are in a position to improve security don’t suffer from the problem.

The issue here is not about secrecy, it’s about control. The issue is that both government and commercial organizations are building “digital dossiers” about us, and that these dossiers are being used to judge and categorize us through some secret process.

A new book by George Washington University Law Professor Daniel Solove examines the problem of the growing accumulation of personal information in enormous databases. The book is called The Digital Person: Technology and Privacy in the Information Age, and it is a fascinating read.

Solove’s book explores this problem from a legal perspective, explaining what the problem is, how current U.S. law fails to deal with it, and what we should do to protect privacy today. It’s an unusually perceptive discussion of one of the most
vexing problems of the digital age—our loss of control over our personal information. It’s a fascinating journey into the almost surreal ways personal information is hoarded, used, and abused in the digital age.

Solove argues that our common conceptualization of the privacy problem as Big Brother—some faceless organization knowing our most intimate secrets—is only one facet of the issue. A better metaphor can be found in Franz Kafka’s The Trial. In the book, a vast faceless bureaucracy constructs a huge dossier about a person, who can’t find out what information exists about him in the dossier, why the information has been gathered, or what it will be used for. Privacy is not about intimate secrets; it’s about who has control of the millions of pieces of personal data that we leave like droppings as we go through our daily life. And until the U.S. legal system recognizes this fact, Americans will continue to live in an world where they have little control over their digital person.

In the end, I didn’t complete the questionnaire from the St. Regis Hotel. While I was fine with the St. Regis in Washington, DC, having that information to make my subsequent stays a little more personal, and was probably fine with that information being shared among other St. Regis hotels, I wasn’t comfortable with the St. Regis doing whatever they wanted with that information. I wasn’t comfortable with them selling the information to a marketing database. I wasn’t comfortable with anyone being able to buy that information. I wasn’t comfortable with that information ending up in a database of my habits, my preferences, my proclivities. It wasn’t the primary use of that information that bothered me, it was the secondary uses.

Solove has done much more thinking about this issue than I have. His book provides a clear account of the social problems involving information privacy, and haunting predictions of current U.S. legal policies. Even more importantly, the legal solutions he provides are compelling and worth serious consideration. I recommend his book highly.

The book’s website

Order the book on Amazon

Posted on December 9, 2004 at 9:18 AM • View Comments

The Security of Checks and Balances

Much of the political rhetoric surrounding the US presidential election centers around the relative security posturings of President George W. Bush and Senator John Kerry, with each side loudly proclaiming that his opponent will do irrevocable harm to national security.

Terrorism is a serious issue facing our nation in the early 21st century, and the contrasting views of these candidates is important. But this debate obscures another security risk, one much more central to the US: the increasing centralisation of American political power in the hands of the executive branch of the government.

Over 200 years ago, the framers of the US Constitution established an ingenious security device against tyrannical government: they divided government power among three different bodies. A carefully thought-out system of checks and balances in the executive branch, the legislative branch, and the judicial branch, ensured that no single branch became too powerful. After watching tyrannies rise and fall throughout Europe, this seemed like a prudent way to form a government.

Since 9/11, the United States has seen an enormous power grab by the executive branch. From denying suspects the right to a trial—and sometimes to an attorney—to the law-free zone established at Guantanamo, from deciding which ratified treaties to ignore to flouting laws designed to foster open government, the Bush administration has consistently moved to increase its power at the expense of the rest of the government. The so-called “Torture Memos,” prepared at the request of the president, assert that the president can claim unlimited power as long as it is somehow connected with counterterrorism.

Presidential power as a security issue will not play a role in the upcoming US election. Bush has shown through his actions during his first term that he favours increasing the powers of the executive branch over the legislative and the judicial branches. Kerry’s words show that he is in agreement with the president on this issue. And largely, the legislative and judicial branches are allowing themselves to be trampled over.

In times of crisis, the natural human reaction is to look for safety in a single strong leader. This is why Bush’s rhetoric of strength has been so well-received by the American people, and why Kerry is also campaigning on a platform of strength. Unfortunately, consolidating power in one person is dangerous. History shows again and again that power is a corrupting influence, and that more power is more corrupting. The loss of the American system of checks and balances is more of a security danger than any terrorist risk.

The ancient Roman Senate had a similar way of dealing with major crises. When there was a serious military threat against the safety and security of the Republic, the long debates and compromise legislation that accompanied the democratic process seemed a needless luxury. The Senate would appoint a single person, called a “dictator” (Latin for “one who orders”) to have absolute power over Rome in order to more efficiently deal with the crisis. He was appointed for a period of six months or for the duration of the emergency, whichever period was shorter. Sometimes the process worked, but often the injustices that resulted from having a dictator were worse than the original crisis.

Today, the principles of democracy enshrined in the US constitution are more important than ever. In order to prevail over global terrorism while preserving the values that have made America great, the constitutional system of checks and balances is critical.

This is not a partisan issue; I don’t believe that John Kerry, if elected, would willingly lessen his own power any more than second-term President Bush would. What the US needs is a strong Congress and a strong court system to balance the presidency, not weak ones ceding ever more power to the presidency.

Originally published in the Sydney Morning Herald.

Posted on October 29, 2004 at 10:21 AM • View Comments

←Previous 1 … 29 30 31 32 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.