Entries Tagged "tracking"

Page 15 of 15

Security Risks of Frequent-Shopper Cards

This is from Richard M. Smith:

Tukwila, Washington firefighter, Philip Scott Lyons found out the hard way that supermarket loyalty cards come with a huge price. Lyons was arrested last August and charged with attempted arson. Police alleged at the time that Lyons tried to set fire to his own house while his wife and children were inside. According to the KOMO-TV and the Seattle Times, a major piece of evidence used against Lyons in his arrest was the record of his supermarket purchases that he made with his Safeway Club Card. Police investigators had discovered that his Club Card was used to buy fire starters of the same type used in the arson attempt.

For Lyons, the story did have a happy ending. All charges were dropped against him in January 2005 because another person stepped forward saying he set the fire and not Lyons. Lyons is now back at work after more than 5 months of being on administrative leave from his firefighter job.

The moral of this story is that even the most innocent database can be used against a person in a criminal investigation turning their lives completely upside down.

Safeway needs to be more up-front with customers about the potential downsides of shopper cards. They should also provide the details of their role in the arrest or Mr. Lyons and other criminal cases in which the company provided Club Card purchase information to police investigators.

Here is how Safeway currently describes their Club Card program in the Club Card application:

We respect your privacy. Safeway does not sell or lease personally identifying information (i.e., your name, address, telephone number, and bank and credit card account numbers) to non-affiliated companies or entities. We do record information regarding the purchases made with your Safeway Club Card to help us provide you with special offers and other information. Safeway also may use this information to provide you with personally tailored coupons, offers or other information that may be provided to Safeway by other companies. If you do not wish to receive personally tailored coupons, offers or other information, please check the box below. Must be at least 18 years of age.

Links:

Firefighter Arrested For Attempted Arson

Fireman attempted to set fire to house, charges say

Tukwila Firefighter Cleared Of Arson Charges

Posted on February 18, 2005 at 8:00 AMView Comments

Implanting Chips in People at a Distance

I have no idea if this is real or not. But even if it’s not real, it’s just a matter of time before it becomes real. How long before people can surreptitiously have RFID tags injected into them?

What is the ID SNIPER rifle?

It is used to implant a GPS-microchip in the body of a human being, using a high powered sniper rifle as the long distance injector. The microchip will enter the body and stay there, causing no internal damage, and only a very small amount of physical pain to the target. It will feel like a mosquito-bite lasting a fraction of a second. At the same time a digital camcorder with a zoom-lense fitted within the scope will take a high-resolution picture of the target. This picture will be stored on a memory card for later image-analysis.

Edited to add: This is a hoax.

Posted on February 4, 2005 at 8:00 AMView Comments

Fingerprinting Students

A nascent security trend in the U.S. is tracking schoolchildren when they get on and off school buses.

Hoping to prevent the loss of a child through kidnapping or more innocent circumstances, a few schools have begun monitoring student arrivals and departures using technology similar to that used to track livestock and pallets of retail shipments.

A school district in Spring, Texas, is using computerized ID badges to record this information, and wirelessly sending it to police headquarters. Another school district, in Phoenix, is doing the same thing with fingerprint readers. The system is supposed to help prevent the loss of a child, whether through kidnapping or accident.

What’s going on here? Have these people lost their minds? Tracking kids as they get on and off school buses is a ridiculous idea. It’s expensive, invasive, and doesn’t increase security very much.

Security is always a trade-off. In Beyond Fear, I delineated a five-step process to evaluate security countermeasures. The idea is to be able to determine, rationally, whether a countermeasure is worth it. In the book, I applied the five-step process to everything from home burglar alarms to military action against terrorism. Let’s apply it in this case.

Step 1: What assets are you trying to protect? Children.

Step 2: What are the risks to these assets? Loss of the child, either due to kidnapping or accident. Child kidnapping is a serious problem in the U.S.; the odds of a child being abducted by a family member are one in 340 and by a non-family member are 1 in 1200 (per year). (These statistics are for 1999, and are from NISMART-2, U.S. Department of Justice. My guess is that the current rates in Spring, Texas, are much lower.) Very few of these kidnappings involve school buses, so it’s unclear how serious the specific risks being addressed here are.

Step 3: How well does the security solution mitigate those risks? Not very well.

Let’s imagine how this system might provide security in the event of a kidnapping. If a kidnapper — assume it’s someone the child knows — goes onto the school bus and takes the child off at the wrong stop, the system would record that. Otherwise — if the kidnapping took place either before the child got on the bus or after the child got off — the system wouldn’t record anything suspicious. Yes, it would tell investigators if the kidnapping happened before morning attendance and either before or after the school bus ride, but is that one piece of information worth this entire tracking system? I doubt it.

You could imagine a movie-plot scenario where this kind of tracking system could help the hero recover the kidnapped child, but it hardly seems useful in the general case.

Step 4: What other risks does the security solution cause? The additional risk is the data collected through constant surveillance. Where is this information collected? Who has access to it? How long is it stored? These are important security questions that get no mention.

Step 5: What costs and trade-offs does the security solution impose? There are two. The first is obvious: money. I don’t have it figured, but it’s expensive to outfit every child with an ID card and every school bus with this system. The second cost is more intangible: a loss of privacy. We are raising children who think it normal that their daily movements are watched and recorded by the police. That feeling of privacy is not something we should give up lightly.

So, finally: is this system worth it? No. The security gained is not worth the money and privacy spent. If the goal is to make children safer, the money would be better spent elsewhere: guards at the schools, education programs for the children, etc.

If this system makes so little sense, why have at least two cities in the U.S. implemented it? The obvious answer is that the school districts didn’t think the problem through. Either they were seduced by the technology, or by the companies that built the system. But there’s another, more interesting, possibility.

In Beyond Fear, I talk about the notion of agenda. The five-step process is a subjective one, and should be evaluated from the point of view of the person making the trade-off decision. If you imagine that the school officials are making the trade-off, then the system suddenly makes sense.

If a kidnapping occurs on school property, the subsequent investigation could easily hurt school officials. They could even lose their jobs. If you view this security countermeasure as one protecting them just as much as it protects children, it suddenly makes more sense. The trade-off might not be worth it in general, but it’s worth it to them.

Kidnapping is a real problem, and countermeasures that help reduce the risk are a good thing. But remember that security is always a trade off, and a good security system is one where the security benefits are worth the money, convenience, and liberties that are being given up. Quite simply, this system isn’t worth it.

Posted on January 11, 2005 at 9:49 AMView Comments

RFID Passports

Since the terrorist attacks of 2001, the Bush administration–specifically, the Department of Homeland Security–has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their nonvisa status.

These future passports, currently being tested, will include an embedded computer chip. This chip will allow the passport to contain much more information than a simple machine-readable character font, and will allow passport officials to quickly and easily read that information. That is a reasonable requirement and a good idea for bringing passport technology into the 21st century.

But the Bush administration is advocating radio frequency identification (RFID) chips for both U.S. and foreign passports, and that’s a very bad thing.

These chips are like smart cards, but they can be read from a distance. A receiving device can “talk” to the chip remotely, without any need for physical contact, and get whatever information is on it. Passport officials envision being able to download the information on the chip simply by bringing it within a few centimeters of an electronic reader.

Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that travelers carrying around RFID passports are broadcasting their identity.

Think about what that means for a minute. It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder’s knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily–and surreptitiously–pick Americans or nationals of other participating countries out of a crowd.

It is a clear threat to both privacy and personal safety, and quite simply, that is why it is bad idea. Proponents of the system claim that the chips can be read only from within a distance of a few centimeters, so there is no potential for abuse. This is a spectacularly naïve claim. All wireless protocols can work at much longer ranges than specified. In tests, RFID chips have been read by receivers 20 meters away. Improvements in technology are inevitable.

Security is always a trade-off. If the benefits of RFID outweighed the risks, then maybe it would be worth it. Certainly, there isn’t a significant benefit when people present their passport to a customs official. If that customs official is going to take the passport and bring it near a reader, why can’t he go those extra few centimeters that a contact chip–one the reader must actually touch–would require?

The Bush administration is deliberately choosing a less secure technology without justification. If there were a good offsetting reason to choose that technology over a contact chip, then the choice might make sense.

Unfortunately, there is only one possible reason: The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can’t be done.

Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it.

This article originally appeared in the 4 October 2004 edition of the International Herald Tribune.

Posted on October 4, 2004 at 7:20 PMView Comments

License Plate "Guns" and Privacy

New Haven police have a new law enforcement tool: a license-plate scanner. Similar to a radar gun, it reads the license plates of moving or parked cars and links with remote police databases, immediately providing information about the car and owner. Right now the police check if there are any taxes owed on the car, if the car or license plate is stolen, and if the car is unregistered or uninsured. A car that comes up positive is towed.

On the face of it, this is nothing new. The police have always been able to run a license plate. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to run the plates of every car in a parking garage, or every car that passed through an intersection. What’s different isn’t the police tactic, but the efficiency of the process.

Technology is fundamentally changing the nature of surveillance. Years ago, surveillance meant trench-coated detectives following people down streets. It was laborious and expensive, and was only used when there was reasonable suspicion of a crime. Modern surveillance is the policeman with a license-plate scanner, or even a remote license-plate scanner mounted on a traffic light and a policeman sitting at a computer in the station. It’s the same, but it’s completely different. It’s wholesale surveillance.

And it disrupts the balance between the powers of the police and the rights of the people.

Wholesale surveillance is fast becoming the norm. New York’s E-Z Pass tracks cars at tunnels and bridges with tolls. We can all be tracked by our cell phones. Our purchases are tracked by banks and credit card companies, our telephone calls by phone companies, our Internet surfing habits by Web site operators. Security cameras are everywhere. If they wanted, the police could take the database of vehicles outfitted with the OnStar tracking system, and immediately locate all of those New Haven cars.

Like the license-plate scanners, the electronic footprints we leave everywhere can be automatically correlated with databases. The data can be stored forever, allowing police to conduct surveillance backwards in time.

The effects of wholesale surveillance on privacy and civil liberties is profound; but unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong. It’s obvious that we are all safer when the police can use all techniques at their disposal. What we need are corresponding mechanisms to prevent abuse, and that don’t place an unreasonable burden on the innocent.

Throughout our nation’s history, we have maintained a balance between the necessary interests of police and the civil rights of the people. The license plate itself is such a balance. Imagine the debate from the early 1900s: The police proposed affixing a plaque to every car with the car owner’s name, so they could better track cars used in crimes. Civil libertarians objected because that would reduce the privacy of every car owner. So a compromise was reached: a random string of letter and numbers that the police could use to determine the car owner. By deliberately designing a more cumbersome system, the needs of law enforcement and the public’s right to privacy were balanced.

The search warrant process, as prescribed in the Fourth Amendment, is another balancing method. So is the minimization requirement for telephone eavesdropping: the police must stop listening to a phone line if the suspect under investigation is not talking.

For license-plate scanners, one obvious protection is to require the police to erase data collected on innocent car owners immediately, and not save it. The police have no legitimate need to collect data on everyone’s driving habits. Another is to allow car owners access to the information about them used in these automated searches, and to allow them to challenge inaccuracies.

We need to go further. Criminal penalties are severe in order to create a deterrent, because it is hard to catch wrongdoers. As they become easier to catch, a realignment is necessary. When the police can automate the detection of a wrongdoing, perhaps there should no longer be any criminal penalty attached. For example, both red light cameras and speed-trap cameras all issue citations without any “points” assessed against the driver.

Wholesale surveillance is not simply a more efficient way for the police to do what they’ve always done. It’s a new police power, one made possible with today’s technology and one that will be made easier with tomorrow’s. And with any new police power, we as a society need to take an active role in establishing rules governing its use. To do otherwise is to cede ever more authority to the police.

This essay was originally published in the New Haven Register.

Posted on October 4, 2004 at 7:05 PMView Comments

License Plate "Guns" and Privacy

New Haven police have a new law enforcement tool: a license-plate scanner. Similar to a radar gun, it reads the license plates of moving or parked cars and links with remote police databases, immediately providing information about the car and owner. Right now the police check if there are any taxes owed on the car, if the car or license plate is stolen, and if the car is unregistered or uninsured. A car that comes up positive is towed.

On the face of it, this is nothing new. The police have always been able to run a license plate. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to run the plates of every car in a parking garage, or every car that passed through an intersection. What’s different isn’t the police tactic, but the efficiency of the process.

Technology is fundamentally changing the nature of surveillance. Years ago, surveillance meant trench-coated detectives following people down streets. It was laborious and expensive, and was only used when there was reasonable suspicion of a crime. Modern surveillance is the policeman with a license-plate scanner, or even a remote license-plate scanner mounted on a traffic light and a policeman sitting at a computer in the station. It’s the same, but it’s completely different. It’s wholesale surveillance.

And it disrupts the balance between the powers of the police and the rights of the people.

Wholesale surveillance is fast becoming the norm. New York’s E-Z Pass tracks cars at tunnels and bridges with tolls. We can all be tracked by our cell phones. Our purchases are tracked by banks and credit card companies, our telephone calls by phone companies, our Internet surfing habits by Web site operators. Security cameras are everywhere. If they wanted, the police could take the database of vehicles outfitted with the OnStar tracking system, and immediately locate all of those New Haven cars.

Like the license-plate scanners, the electronic footprints we leave everywhere can be automatically correlated with databases. The data can be stored forever, allowing police to conduct surveillance backwards in time.

The effects of wholesale surveillance on privacy and civil liberties is profound; but unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong. It’s obvious that we are all safer when the police can use all techniques at their disposal. What we need are corresponding mechanisms to prevent abuse, and that don’t place an unreasonable burden on the innocent.

Throughout our nation’s history, we have maintained a balance between the necessary interests of police and the civil rights of the people. The license plate itself is such a balance. Imagine the debate from the early 1900s: The police proposed affixing a plaque to every car with the car owner’s name, so they could better track cars used in crimes. Civil libertarians objected because that would reduce the privacy of every car owner. So a compromise was reached: a random string of letter and numbers that the police could use to determine the car owner. By deliberately designing a more cumbersome system, the needs of law enforcement and the public’s right to privacy were balanced.

The search warrant process, as prescribed in the Fourth Amendment, is another balancing method. So is the minimization requirement for telephone eavesdropping: the police must stop listening to a phone line if the suspect under investigation is not talking.

For license-plate scanners, one obvious protection is to require the police to erase data collected on innocent car owners immediately, and not save it. The police have no legitimate need to collect data on everyone’s driving habits. Another is to allow car owners access to the information about them used in these automated searches, and to allow them to challenge inaccuracies.

We need to go further. Criminal penalties are severe in order to create a deterrent, because it is hard to catch wrongdoers. As they become easier to catch, a realignment is necessary. When the police can automate the detection of a wrongdoing, perhaps there should no longer be any criminal penalty attached. For example, both red light cameras and speed-trap cameras all issue citations without any “points” assessed against the driver.

Wholesale surveillance is not simply a more efficient way for the police to do what they’ve always done. It’s a new police power, one made possible with today’s technology and one that will be made easier with tomorrow’s. And with any new police power, we as a society need to take an active role in establishing rules governing its use. To do otherwise is to cede ever more authority to the police.

This essay was originally published in the New Haven Register.

Posted on October 4, 2004 at 7:05 PMView Comments

1 13 14 15

Sidebar photo of Bruce Schneier by Joe MacInnis.