Page 140 of 145
Last month I blogged about a very good paper by Daniel Solove and Chris Hoofnagle that gave specific legislative proposals for privacy reform. They’ve published a revised version, based in part on comments from people who read this blog.
From TheNewspaper.com:
The fictional police spy helicopter from the movie Blue Thunder is taking a big step toward becoming a reality. Police in the UK have successfully tested a 160 MPH helicopter that can read license plates from as much as 2,000 feet in the air. The Eurocopter EC135 is equipped with a camera capable of scanning 5 cars every second. Essex Police Inspector Paul Moor told the Daily Star newspaper: “This is all about denying criminals the use of the road. Using a number plate recognition camera from the air means crooks will have nowhere to hide.”
The use of Automated Plate Number Recognition (ANPR) is growing. ANPR devices photograph vehicles and then use optical character recognition to extract license plate numbers and match them with any selected databases. The devices use infrared sensors to avoid the need for a flash and to operate in all weather conditions.
This is an example of wholesale surveillance, and something I’ve written about before.
Of course, once the system is in place it will be used for privacy violations that we can’t even conceive of.
One of the companies that sells the camera scanning equipment touts it’s potential for marketing applications. “Once the number plate has been successfully ‘captured’ applications for it’s use are limited only by imagination and almost anything is possible,” Westminister International says on its website. UK police also envision a national database that holds time and location data on every vehicle scanned. “This data warehouse would also hold ANPR reads and hits as a further source of vehicle intelligence, providing great benefits to major crime and terrorism enquiries,” a Home Office proposal explains.
The only way to maintain security is not to field this sort of system in the first place.
Identity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person’s name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions—credit card companies in particular—the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.
Unfortunately, the solutions being proposed in Congress won’t help. To see why, we need to start with the basics. The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. Someone’s identity is the one thing about a person that cannot be stolen.
The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. He impersonates a victim to the Post Office and gets the victim’s address changed. He impersonates a victim in order to fool the police into arresting the wrong man. No one’s identity is stolen; identity information is being misused to commit fraud.
The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what’s been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don’t want made public. The posting of Paris Hilton’s phone book on the Internet is a celebrity example of this.
The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn’t take much personal information to apply for a credit card in someone else’s name. It doesn’t take much to submit fraudulent bank transactions in someone else’s name. It’s surprisingly easy to get an identification card in someone else’s name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.
Proposed fixes tend to concentrate on the first issue—making personal data harder to steal—whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.
Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial intuitions. That means that any solution can’t involve the account holders. That leaves only one reasonable answer: financial intuitions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.
They can’t claim that the user must keep his password secure or his machine virus free. They can’t require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren’t reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.
If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They’ve pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.
That’s an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it’s two-factor authentication, ID cards, biometrics, or whatever, there’s a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn’t the way to proceed.
Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone, or Internet, where no one verifies the signature or even that you have possession of the card. Even worse, no credit card company mandates secure storage requirements for credit cards. They don’t demand that cardholders secure their wallets in any particular way. Credit card companies simply don’t worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction.
This same sort of thinking needs to be applied to other areas where criminals use impersonation to commit fraud. I don’t know what the final solutions will look like, but I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions. Maybe there’ll be a daily withdrawal limit, like there is on ATMs. Maybe large transactions will be delayed for a period of time, or will require a call-back from the bank or brokerage company. Maybe people will no longer be able to open a credit card account by simply filling out a bunch of information on a form. Likely the solution will be a combination of solutions that reduces fraudulent transactions to a manageable level, but we’ll never know until the financial institutions have the financial incentive to put them in place.
Right now, the economic incentives result in financial institutions that are so eager to allow transactions—new credit cards, cash transfers, whatever—that they’re not paying enough attention to fraudulent transactions. They’ve pushed the costs for fraud onto the merchants. But if they’re liable for losses and damages to legitimate users, they’ll pay more attention. And they’ll mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.
By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.
Doing anything less simply won’t work.
We’ve all known that you can intercept Bluetooth communications from up to a mile away. What’s new is the step-by-step instructions necessary to build an interceptor for yourself for less than $400. Be the first on your block to build one.
Is there anyone who can make a reasonable argument that RFID won’t be similarly interceptable?
These comments on the security of electronic passports are an excellent primer on the dangers of the technology. Definitely read Attachment 1: “Security and Privacy Issues in E-Passports,” a more technical paper by Ari Juels, David Molnar, and David Wagner.
I’ve been worried about the government getting comprehensive data on airline passengers in order to check their names against a terrorist “watch list.” Turns out that the government has another reason for wanting passenger data.
Although privacy experts worry about the government gathering personal information on airline travelers, Delta Airlines is handing over electronic lists of passengers from some flights to help stop the spread of deadly infectious diseases.
The lists will allow health officials to notify more quickly those travelers who might have been exposed to illnesses such as dengue fever, flu, plague, SARS and biological agents, the Centers for Disease Control and Prevention told a congressional panel on Wednesday.
It’s the same story: a massive privacy violation of everybody just in case something happens to a few.
As an example of the CDC’s notification efforts, Schuchat cited the case of a New Jersey resident who returned from a trip to Sierra Leone in September with Lassa fever. The patient flew to Newark via London and took a train home. Only after he died a few days later did the CDC confirm the disease.
CDC worked with the state, the airline, the railroad, the hospital and others to identify 188 people who had been near the patient. Nineteen were deemed at-risk and 16 were contacted; none of those contacted came down with the disease. It took more than five days to notify some passengers, Schuchat said.
It’s unclear how this program would reduce that “five days” problem. I think it’s a better trade-off for the airlines to be ready to send the CDC the data in the event of a problem, rather than them sending the CDC all the data—just in case—before there is any problem.
I have very mixed feelings about this report:
Anticipating attacks from terrorists, and hardening potential targets against them, is a wearying and expensive business that could be made simpler through a broader view of the opponents’ origins, fears, and ultimate objectives, according to studies by the Advanced Concepts Group (ACG) of Sandia National Laboratories.
“Right now, there are way too many targets considered and way too many ways to attack them,” says ACG’s Curtis Johnson. “Any thinking person can spin up enemies, threats, and locations it takes billions [of dollars] to fix.”
That makes a lot of sense, and this way of thinking is sorely needed. As is this kind of thing:
“The game really starts when the bad guys are getting together to plan something, not when they show up at your door,” says Johnson. “Can you ping them to get them to reveal their hand, or get them to turn against themselves?”
Better yet is to bring the battle to the countries from which terrorists spring, and beat insurgencies before they have a foothold.
“We need to help win over the as-yet-undecided populace to the view it is their government that is legitimate and not the insurgents,” says the ACG’s David Kitterman. Data from Middle East polls suggest, perhaps surprisingly, that most respondents are favorable to Western values. Turbulent times, however, put that liking under stress.
A nation’s people and media can be won over, says Yonas, through global initiatives that deal with local problems such as the need for clean water and affordable energy.
Says Johnson, “U.S. security already is integrated with global security. We’re always helping victims of disaster like tsunami victims, or victims of oppressive governments. Perhaps our ideas on national security should be redefined to reflect the needs of these people.”
Remember right after 9/11, when that kind of thinking would get you vilified?
But the article also talks about security mechanisms that won’t work, cost too much in freedoms and liberties, and have dangerous side effects.
People in airports voluntarily might carry smart cards if the cards could be sweetened to perform additional tasks like helping the bearer get through security, or to the right gate at the right time.
Mall shoppers might be handed a sensing card that also would help locate a particular store, a special sale, or find the closest parking space through cheap distributed-sensor networks.
“Suppose every PDA had a sensor on it,” suggests ACG researcher Laura McNamara. “We would achieve decentralized surveillance.” These sensors could report by radio frequency to a central computer any signal from contraband biological, chemical, or nuclear material.
Universal surveillance to improve our security? Seems unlikely.
But the most chilling quote of all:
“The goal here is to abolish anonymity, the terrorist’s friend,” says Sandia researcher Peter Chew. “We’re not talking about abolishing privacy—that’s another issue. We’re only considering the effect of setting up an electronic situation where all the people in a mall, subway, or airport ‘know’ each other—via, say, Bluetooth—as they would have, personally, in a small town. This would help malls and communities become bad targets.”
Anonymity is now the terrorist’s friend? I like to think of it as democracy’s friend.
Security against terrorism is important, but it’s equally important to remember that terrorism isn’t the only threat. Criminals, police, and governments are also threats, and security needs to be viewed as a trade-off with respect to all the threats. When you analyze terrorism in isolation, you end up with all sorts of weird answers.
AP says:
An executive of embattled data broker ChoicePoint Inc. says the company is developing a system that would allow people
to review their personal information that is sold to law enforcement agencies, employers, landlords and businesses. ChoicePoint’s announcement comes a month after it disclosed
that thieves used previously stolen identities to create what appeared to be legitimate businesses seeking personal
records.
Sidebar photo of Bruce Schneier by Joe MacInnis.