Secondary Screening

February 2005 Archives

February 21, 2005 | New Not Always Improved

Dennis Bailey over at Open Society Paradox points to an Economist article critical of RFID-enabled passports, which will include all data from the data pages of a passport -- including a digital version of the passport picture -- on an unencrypted 64K RFID chip.

He then defends going forward with the plan, despite the objections:

While it makes sense to try and employ encryption technology to scramble the passport's information, we need to keep in mind that even though any technology can be hacked that shouldn't stop us from going forward to implement new solutions. This new passport would be much harder to forge than the older paper-based version and for that reason, it is an improvement.

This is both right and wrong.

The U.S. government has no plans to use encryption, which means that no other country's passports will use it.

Bailey is right that the new passport will be harder to forge with the inclusion of RFID chips, especially since the chip would be digitally signed to prevent changes to the data in the chip. That's a solid security measure.

But the chips create a new hazard, since older passports, which have a ten-year expiration, will remain valid until they expire.

An unencrypted RFID-enabled passport can be skimmed by a hidden reader, most easily when the bearer is showing it at a money-changer, giving it to a hotel for safekeeping, or checking into a hostel.

The data -- including the digital photo -- can then be used to create a phony version of the *old* passport, using the name, passport number, and possibly even the picture of a real passport holder.

The person whose ID has been swiped would have no idea their passport has been copied, unlike someone whose passport has been lost and reported.

This is a genuine security risk.

There are other considerations (which I don't have time to get into here), but this scenario by itself is, as they say, a non-trivial problem.

Moreover, the most significant opposition I've heard and reported on regarding RFID-enabled passports isn't from neo-luddites.

It's from folks in the high-tech security business and even from the government's own contractors, who seem to think the proposal actually is not an improvement over current passports.

Posted by Ryan Singel at 06:24 PM

February 21, 2005 | Hunter S. Thompson's Dead

My friend Chris wrote to tell me this last night. My spam filter decided that either I wasn't interested in the news or that Thompson was too risque to put in a subject line. It filed the email in the possible spam folder. Wish it were one more fake email.

As a college kid, I loved the first three pages of "Fear and Loathing in Las Vegas":

We were somewhere around Barstow on the edge of the desert when the drugs began to take hold. I remember saying something like "I feel a bit lightheaded; maybe you should drive...." And suddenly there was a terrible roar all around us and the sky was full of what looked like huge bats, all swooping and screeching and diving around the car, which was going about a hundred miles an hour with the top down to Las Vegas. [...] No point mentioning the bats, I thought. The poor bastard will see them soon enough.

When I got older, I realized that "Fear and Loathing on the Campaign Trail '72" was his real masterpiece. Vegas, drugs and the 1970's were too easy a target for Thompson's .44 magnum.

Nixon, the media and American retail politics were harder and more important prey.

I'll miss Hunter S. Thompson, however unimpressive his later books were.

He always could see the fucking bats before the rest of us could.

Posted by Ryan Singel at 03:06 PM

February 17, 2005 | More on Choicepoint

Choicepoint is now mailing notices to more than 100,000 Americans whose personal data might have been improperly sold to scammers who persuaded the nation's premier identity verification and background check company that they were legitimate businesses.

The notices are now going even to those who fall outside of a California law that requires such disclosure.

Robert O'Harrow, Jr. of the Washington Post has a great round-up and advances the story in his piece.

One of the nation's biggest information services has begun warning more than 100,000 people across the country they may be targets of fraud, following disclosures the company inadvertently sold personal and financial records to fraud artists apparently involved in a massive identity theft scheme.

ChoicePoint Inc. electronically delivered thousands of reports containing names, addresses, Social Security numbers, financial information and other details to people in the Los Angeles area posing as officials in legitimate debt collection, insurance and check-cashing businesses.

At least 700 victims have had their mailing addresses changed, apparently by people connected to the scheme, authorities said. Identity thieves often change the addresses of victims in order to gain control of credit card offers and other mail. No one knows the extent of the fraud or the financial impact, authorities said. Only one suspect has been arrested. [...]

Company officials said they were sending out more letters to 110,000 addresses throughout the country that may be connected to the reports delivered to the fraudsters.

"We have reason to believe your personal information may have been obtained by unauthorized third parties, and we deeply regret any inconvenience this event may cause you," the letters say.

Authorities said the number of records involved may go higher as the investigation continues. "This is way far more reaching," said Los Angeles Sheriff's Department Lt. Robert Costa, commander of an identity theft unit. "I believe that when we're done it will be more than a half million nationally. It's huge."

Alpharetta, Ga.-based ChoicePoint maintains databases with billions of records about nearly every adult in America, including credit reports and criminal records. Over the past seven years, it has acquired more than 50 other information companies. Like others in the industry, the company routinely sells dossiers to police, lawyers, reporters and intelligence and homeland security officials across the Internet.

[...]

The ChoicePoint case began unfolding last fall. Initially, company employees assumed the requests for information were legitimate, because the applicants appeared to work at registered companies in the Hollywood area. But company investigators noticed that applications for access to the company's massive databases were coming from Kinko's stores, sometimes via fax machines.

A ChoicePoint official said dossiers, possibly including thousands of credit reports, were delivered to personal computers over the World Wide Web or mailed to suspects who had opened close to 50 accounts with the company. The reports, including credit reports, typically cost between $5 and $17, company officials said.

[...]

Investigators still do not know the extent to which the information was used or resold. They have been receiving assistance from postal inspectors. But the case has not gone as smoothly as investigators would have liked. Police said that's in part because ChoicePoint did not appear willing to quickly share information about the case, an allegation the company denies.

"We've been following up on leads while waiting for ChoicePoint," said Costa, the sheriff's department investigator who leads the Southern California High Tech Task Force's identity theft detail.

ChoicePoint spokesman James Lee said the company learned for the first time yesterday the case involved people in states outside California. He said the company has done everything it can to bolster security immediately and help with the investigation. The company also is considering "fundamental changes" in security procedures and customer authentication.

"We're not to blame, but we're taking responsibility," Lee said. "The people committing the fraud were smarter and quicker than we were.

"It's a wake-up call," he said. "Everybody needs to be ever vigilant and diligent."

A wake-up call, indeed.

Vigilance and diligence in this case would mean opting out of Choicepoint's database, but that's not possible.

You can't opt out.

So how is one supposed to be vigilant then?

Posted by Ryan Singel at 12:56 PM

February 15, 2005 | Lighter Security

According to a CNN story by Mike M. Ahlers, the Transportation Security Administration is delaying implementation of a new ban on butane lighters that was included in last year's intelligence reform bill at the behest of Senators Byron Dorgan and Ron Wyden.

Passengers still can carry butane lighters aboard commercial aircraft this week despite a law banning them that was scheduled to take effect Tuesday.

The Intelligence Reform Act, passed by Congress and signed by President Bush in December, orders the Transportation Security Administration to ban butane lighters within 60 days of the legislation's enactment, which would have been February 15.

But the TSA on Monday said that the ban "is currently under review," declining all other comment.

Lawmakers voting to ban butane lighters cited the case of Richard Reid, a Briton who tried unsuccessfully to ignite a shoe bomb while on a flight from Paris, France, to Miami, Florida, in December 2001. The flight, with nearly 200 people aboard, was diverted to Boston, Massachusetts. Reid was sentenced to life in prison.

Members of Congress said that Reid's attempts to ignite the bomb may have been undetected if he had used an odorless lighter instead of a match.

Some ridiculed TSA rules that allow passengers to carry on two butane lighters and four books of matches. Torch-style lighters are prohibited.

The bill only explicitly bans butane lighters (BIC-style lighters), though the article states that the TSA is also thinking about banning matches.

Currently you can take a Zippo or a Bic or matches on board. And there's very little reason to try to stop that practice.

My earlier post on this inanity is here.

But what I love even more about this CNN article is that it quotes David Stempler of the Airline Passengers Association, talking about how his members feel about the possible ban.

"Most of our members thought that they [lighters] probably weren't allowed to begin with," said David Stempler of the Air Travelers Association.

"Basically we support the banning of lighters and matches. The hesitation has to do with the ability to detect [the items]. There may be a lot of inadvertent carriage of these items. How's the enforcement going to be managed?"

He added, "We'd like it to go into effect sooner rather than later. The government has its processes. We just don't want them to drag their feet too long."

Stempler gets quoted a lot. But I've never heard of anyone who has joined his organization. Mostly it seems his organization is about selling membership in a traveler discount program run by Cendant, one of the four big airline reservation companies. In fact, when privacy activist Bill Scannell posted the website registration information about Stempler's association, it turns out that Cendant owned and maintained his website.

Stempler has since changed the registration information, but I've seen no evidence that Stempler actually represents the flying public (and 20 minutes on the FlyerTalk forums would make any sane person question how any one organization could actually try to do that).

Yet journalists continue to quote Stempler as if he represented the public, and the TSA still includes him as a representative of the public on their air safety advisory board.

Posted by Ryan Singel at 10:42 AM

February 15, 2005 | Really Choice

As many of you may have read elsewhere, one of the nation's largest data aggregators, Choicepoint, allowed criminals posing as legitimate businesses to look through data on American citizens, according to Bob Sullivan's MSNBC article.

The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint aggregates and sells such personal information to government agencies and private companies.

Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties," according to ChoicePoint spokesman James Lee.

California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.

Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.

"The only incident that has been confirmed is in California," he said.

ChoicePoint maintains a dossier on virtually every American consumer, according to Daniel J. Solove, George Washington University professor and author of "The Digital Person."

The Atlanta-based company says it has 10 billion records on individuals and businesses, and sells data to 40 percent of the nation's top 1,000 companies. It also has contracts with 35 government agencies, including several law enforcement agencies.

The incident was discovered in October, when ChoicePoint was contacted by a law enforcement agency investigating an identity theft crime. In that incident, suspects had posed as a ChoicePoint client to gain access to the firm's rich consumer databases.

Subsequent research by ChoicePoint revealed that about 50 fake companies had been set up and then registered with ChoicePoint to access consumer data.

California consumers who received warning letters from the firm last week were "in some way connected to searches" conducted by those fake accounts, Lee said.

The firm was only given clearance by law enforcement officials to disclose the incident two weeks ago, Lee said.

While the criminals had access to ChoicePoint data, it's not clear what, if any, information was stolen, said Chuck Jones, another ChoicePoint spokesman. The letters were sent as a precaution, he said.

There's much to note in here, such as the effectiveness of the new California database-intrusion disclosure law, but let's stop for a moment and smell the irony.

Choicepoint is a data-aggregator, but unlike Acxiom, it doesn't specialize in selling marketing lists to Ron Popeil or selling your unlisted phone number to timeshare salesmen.

Choicepoint bills itself as the "leading provider of identification and credential verification services for business and government."

So the nation's best firm at credential verification allowed 50 fake companies to get at its database and did not figure it out until the cops told them.

So that leaves two options. Either Choicepoint doesn't screen its customers closely because it wants more business, which makes them both greedy and incompetent, or their credential verification service does not work so well, which makes them incompetent and useless.

Wonder which one it is?

Posted by Ryan Singel at 10:17 AM

February 10, 2005 | A B C R F I D

Kim Zetter at Wired News has a story out today on a California elementary school that decided to track its students using RFID badges.

Problem is the school forgot to tell the parents what it was doing ahead of time.

Parents of elementary and middle school students in a small California town are protesting a tracking program their school recently launched, which requires students to wear identification badges embedded with radio frequency, or RFID, chips.

School superintendents struck a deal with a local maker of the technology last year to test the system to track attendance and weed out trespassers.

But students and parents, who weren't told about the RFID chips until they complained, are upset over what they say are surreptitious tactics the school used to implement the program. They also question the ethics of a monetary deal the school made with the company to test and promote its product, using students as guinea pigs.

"This is not right for our kids," said Michele Tatro, whose daughter received a badge. "I'm not willing for anybody to track me and I don't think my children should be tracked, either."

As you might notice in the story, the school claims the badges are for students' safety, but can't provide a good example of how the system actually protects students. They do have a good surveillance purpose, however, something even the principal admits when talking about the need to get as much money from the state as possible given the state's per-student-per-day funding basis.

What's even better is reading the parents' complaint to the school. These are not Marin hippies who have read one too many Counterpunch or Alternet articles without indulging in a grain or two of organic sea salt.

RFID is not new technology and is rapidly becoming the preferred method of inventory control in the retail sales and manufacturing industry. This technology allows for immediate inventory control and has even been reported to allow retailers to track consumers' buying preferences and spending habits. Even in this application many concerns have been raised by privacy protection groups about the complete invasion of privacy this technology allows. Yet, I can find no references of RFID being used to track elementary or junior high students in a California public school. Our children are not 'inventory'.

Education is about teaching respect and tolerance for each other. It is not 'big brother' monitoring every move, or children being made to feel they have fewer rights than criminals convicted of serious crimes.

'And he shall make all, both little and great, rich and poor, freemen and bondmen, to have a character in their right hand or on their foreheads: And that no man might buy or sell, but he that hath the character or the name of the beast, or the number of his name' (Revelation Chapter 13: 16-17). Have we reached the point where parents don't have any rights and schools will decide what is best for their children? Are not our moral convictions and religious beliefs protected? Do our children not have a right to a good education free from fear of retaliation?

The whole letter, including the parents' story of how they learned about the RFID chip in the badge (they protested the mandatory badge before they even knew the chip was in it), can be found here (.pdf).

One other thing, I'm guessing you'll be hearing from these parents for some time, even if the school capitulates.

Don't be surprised to see them on Capitol Hill testifying some day soon.

Think they won't have any cred?

Well, I hear tell that the three most vocal parents opposing the badges also all work in law enforcement.

Posted by Ryan Singel at 04:13 PM

February 10, 2005 | Aggregate Responses

Today's Wired News story on those who abuse affiliate marketing programs inspired quite a few in the affiliate marketing community to write in.

Some thought I painted with too broad a brush and did not understand how legitimate companies operated.

A couple people who either run or used to run affiliate programs thought the story was dead on.

I also got an interesting email from Mark O'Connor, the CEO of Hearsay.com, which runs a collection of blogs that collect selected news articles on a range of subjects (click a topic on the left menu to see an example or two).

His company isn't thrilled with affiliate marketing.

O'Connor wrote (excerpt quoted with his permission):

We've been experimenting with affiliate programs at Hearsay for about 3-4 months, and it's not yielding much for us at this point. So if our experience is an indicator, it's more likely you'll see sites drop the affiliate marketers, rather than the other way around. From an advertiser's perspective, it's the holy grail. They get to have their ads served up to a targeted audience for free, in my case intellectual property attorneys. We get nothing unless one of our visitors chooses to visit their site (through our link to it), and purchases something. We get nothing for future revenue generated from that client, or for clients that use our site to identify products or services to purchase - but contact the company directly.

Instead of the advertiser "trusting" the publisher in terms of demographics, the publisher now needs to trust the advertiser. The advertiser or its aggregator reports the statistics. And Google is no different. They don't even share the details of their relationship with the advertisers that are served up on our sites. All I get to see is roll-up statistics. So the bottom line appears to be that it's good times for advertisers and advertising aggregators, and bad times for "little-guy" publishers. What we need is a publishers' cooperative for advertising so we can yield the market power of Google or Yahoo. You'll always have the scammers beating the systems that you describe in your piece. My fear is that the biggest scammers today are the biggest names in the business.

Posted by Ryan Singel at 03:32 PM

February 10, 2005 | Affiliate Marketing is the Bane of the Interwebs

Check today's Wired News for my story on the ongoing abuse of affiliate marketing schemes and some enforcement actions against companies that let people spam on their behalf.

Though I didn't have the space to get into it, affiliate spam also clutters search results and is responsible for almost all of the comment and trackback spam sent to blogs.

The biggest annoyance on the internet is not the guy trying to sell you a knockoff watch or prescription painkillers, it's the marketing scheme that rewards spammers who drive customers to his site.

Affiliate marketing, a system in which a business pays a commission to those who drive paying purchasers to its website, is responsible for much of the spam that clogs inboxes, search results contaminated with useless pages selling ring tones, and a never-ending barrage of pings and fake TrackBacks that have driven many bloggers to shut down comments on their sites.

The system allows individuals and other businesses to become freelance marketers for a company and generate income from individuals following links on websites or in e-mails sent to them.

Though the system has become much abused, some affiliate marketing is legitimate.

Found this comment on the article from a group blog called Threadwatch that focuses on Marketing and Related Technologies.

Wired are giving affiliates a bit of a rough ride today...

The CAN-SPAM stuff is not new news of course but it's always interesting to see how the more mainstream media views both affiliates and seo's.

The question is, in the media's eyes, who are the worst scum, affiliates or SEO's?

I won't answer the last question, but I love that I'm now a part of the mainstream media.

Posted by Ryan Singel at 08:54 AM

February 09, 2005 | Now even Truste Knows the Equation: FreeIpods.com=FreeSpam.com?

It's a long and sordid tale of affiliate marketing spam, consumer fetishism, onliners obsessed with getting a free lunch by inviting five of their friends to come to the restaurant and pay so they can then invite five of their friends to come pay for their free lunch tomorrow, and a plodding -- but relentless -- compliance analyst.

Yes, it's hard to believe but TrustE finally pulled its green seal of good privacy housekeeping from the sites of Gratis Internet, the fine folks who unleashed onto the Internet an army of affiliate-link-dropping scavengers all seeking the holy grail of modern hip capitalism: the free (and DRM-laden) iPod.

The AP has the story on TrustE's Wednesday announcement that it was breaking up with FreeIpods.com, FreeHandbags.com and FreeHDTV.com (among others).

I've little desire to recap my run-in with the ethical forces that run GratisInternet and TrustE, but my experiences with both can be found in this series of postings about their never-ending "permission-based" marketing (1, 2), TrustE's joke of an investigation, and my analysis of Gratis Internet's pyramid-scheme business model (which is legal, mind you).

But suffice it to say that I signed up, got spam, could not stop it, finally got TrustE employee Alexander Yap to investigate, and then "learned" that Gratis Internet hadn't violated their privacy policy, but that TrustE would force Gratis Internet to modify their policy and change some business practices.

That all happened in September, October and November.

Now the AP reports in February that:

TRUSTe said Gratis violated promises involving the protection of children's information and changed how it managed the private information of its customers without adequately notifying them. But TRUSTe said that, due to a confidentiality agreement, it could not disclose exactly how Gratis had violated any agreements.

In a statement, TRUSTe said Gratis had agreed to some changes in its business policies as requested but ''did not complete the entire process.''

Now what the hell that means will remain super-double secret between TrustE and Gratis Internet.

But giving in late at night to that old reporting itch, I'm going to do what's known in the trade as "advancing the story."

When TrustE investigated my complaint, they could not find any violation. I ridiculed that assertion and even publicly gave Detective Yap a clue about how to track down who had been given my email address.

Funny thing is I never heard back from Yap.

When the phone rang in November or December, it was a PR flack from Gratis Internet, calling me to say that I was not a crank.

In fact, as I learned over a couple of cordial but mostly off-the-record conversations, I was right.

Gratis Internet had violated its promise never to share email addresses.

They admitted as much.

Though I could never quite get an answer as to how it happened, Gratis Internet said they had found that one of its marketing partners had violated the terms of service and they had terminated their relationship.

Their PR guy swore up and down that Gratis wasn't interested in spamming, that he was not just pimping his company and that they were really, really good guys.

I even got email from one of the principals, Rob Jewell, attesting to their good intentions.

Now, the explanation sounded a little shady, because they never explained how a third party got a hold of my email address when their privacy policy said the company sent emails on behalf of other companies. They also were unable to produce their privacy policy from the time when I originally signed up and they did not tell me which company was the one at fault.

It was also sketchy that they blamed one company, when my emails came from a number of companies.

But since the world is much more interesting than this shady group, I never followed up to find out the real details. I never even blogged the conversations, though the spam did immediately stop.

I have the emails and my notes from the conversation.

I'll post them here for posterity and search crawlers tomorrow.

But I assume that's unnecessary, since I'm so sure the news that a cautious and mostly ineffective third-party privacy group has actually decertified one of its paying customers will convince the free-lunchers of the world -- who used their pulpits and message boards to promote Gratis Internet -- that it's time to cease and desist and recant.

But who can take anything on faith or reason anymore?

So I'll be checking the serial Gratis proselytizer Gary Leff's View from the Wing blog to see whether the news is enough to unconvert the willfully blind proselytizers who heralded the ethics of getting the goods of the empire for kind of free at the expense of others and their inboxes.

(Thanks to SSN pal Adam Shostack for pointing me to the AP story.)

Posted by Ryan Singel at 11:07 PM

February 04, 2005 | For Your Weekend Screening Pleasure

A few things I meant to blog this week but was unable to get to:

Department of Homeland Security's Chief Privacy Officer Nuala O'Connor Kelly released the first annual privacy report to Congress. It's an accounting both of the year in privacy for homeland security, as well as an explanation of her role and actions.

There's some good stuff in here for those who love such things, including a speech she gave to some non-American privacy officials describing America's patchwork of privacy laws. There's also a promise of a couple reports on the horizon, including one on the Matrix information system and one about data transfers from corporations to TSA and its contractors.

The body of the report is here (.pdf) and the appendix can be found here (.pdf).

Dibya Sarkar of Federal Computer Week covered the report here.

The office also released its newsletter called Privacy Matters (.pdf). It's a cute little number and I like the pictures and the history of folks I have only talked to over the phone.

But the best part is the biography of Lisa Dean, the Transportation Security Administration's privacy officer. Dean used to work on privacy for the conservative Free Congress Foundation and then worked for a time for the liberal/libertarian Electronic Frontier Foundation. It was a pretty surprising pick (my story about it here).

Just weeks ago, Dean organized a coalition of privacy groups to ask Congress to hold hearings on the TSA's proposed passenger-screening system, known as CAPPS II. The system would search travelers' backgrounds before boarding by sifting through government and commercial databases.

The letter, which Dean signed, said the "TSA's most recent public explanation of CAPPS II ... showed that there has been a significant expansion in the scope of the program and confirmed our fear that CAPPS II would be used for purposes other than aviation security."

Now, Dean's job will be to make sure the program's privacy protections are strong enough that Congress would not step in.

Here's how Privacy Matters described her background:

Ms. Dean joined the federal government following employment in the private sector where she gained experience in privacy protection and access issues, and she organized a coalition to advocate for stronger federal and state privacy protections for personal information.

Sounds like the short bios that people give when they go on talk shows and aren't allowed to say they work for Ben and Jerry's so instead have to say "I work for an independent, socially conscious ice cream company based in Vermont."

The major dailies had a couple good things this week too.

Start with this behind-the-scenes look at bureaucratic bickering, written by Washington Post reporter John Mintz.

For an insider's take on why Chertoff should not be nominated, see this Los Angeles Times editorial by FBI whistleblower Jesselyn Radack.

In Wednesday's hearings, Chertoff was asked by Sen. Daniel K. Akaka (D-Hawaii) about the retaliation against me. Chertoff responded, "Senator, first, I had no part in any way, shape or form in any retaliation against this individual for any reason, let alone giving advice."

I don't believe him now, just as I didn't in 2003 when he told Congress that my office and I had not been "asked for advice" about Lindh's interrogation. When Chertoff was later confronted with e-mails that contradicted him, he acknowledged our involvement but said he didn't consider my advice "official."

Chertoff and the Justice Department mishandled Lindh's interrogation, then tried to cover it up and went after me for doing my job. Chertoff should not be confirmed as director of Homeland Security.

Michael Janofsky of The New York Times covered the Senate hearing about the FBI's technology boondoggle -- a failed $170 million virtual case file system.

Mr. Mueller's concession came on the same day the inspector general of the Justice Department issued a 95-page report chronicling the failure of the Federal Bureau of Investigation to complete the third phase of technological upgrades, a $581 million project known as Trilogy that began in late 2000. The project took on urgency after the September 2001 terrorist attacks, when it became clear that agents who still relied heavily on pens and paper could not easily send and share vital information.

And finally for a little bit of dark humor, there's this Washington Post story by David Snyder about political infighting in Maryland over seven armored vehicles bought with more than a million dollars in homeland security grants.

In an event billed as a triumph for homeland security and government cooperation in Maryland, a phalanx of armored police vehicles paraded around the State House yesterday, taking several local leaders for a spin.

But something was missing from the brief martial display-cum-news conference. In fact, two things were missing: Baltimore Mayor Martin O'Malley (D) and Howard County Executive James N. Robey (D).

The two boycotted the gathering, saying Gov. Robert L. Ehrlich Jr. (R) was attempting to claim credit where none was due.

They all should have boycotted the waste of a million dollars to buy the equivalent of Bradley Fighting Vehicles for Maryland. Unless Homeland Security has some intel they aren't sharing with anyone, I don't think I have heard of a single threat scenario that would justify buying 7 armored vehicles for the state of Maryland. Don't these guys have a national guard, in case Al Qaida actually invades?

Posted by Ryan Singel at 06:17 PM | TrackBack

February 04, 2005 | A Search By Any Other Name

Slate has been running excerpts from a book called Safe: The Race to Protect Ourselves in a Newly Dangerous World (affiliate url here, normal url here).

I plan to get to it soon, but want to talk first about today's excerpt, which concerns data mining, Total Information Awareness and a technique called one-way hashing. I'll include a snippet from today's Slate story, but if you want to really follow the argument here, first go read the whole piece.

This excerpt is about technology created by Jeff Jonas, a computer scientist who founded a company called SRD, which gained venture capital from the CIA and was recently bought by IBM. His software was originally used to look for casino cheaters, by looking for hidden links between individuals.

But the death of TIA was not the end of data mining's application for security questions. In fact many of the most controversial TIA projects simply switched funding sources to classified ones. Finding a way to scan and exchange data remains an active interest of intelligence agencies. One question, then, is whether there are technical ways to mine networked data and preserve both secrecy and privacy at the same time. Jonas thinks he has an answer, which [Jeff Jonas] says came to him after he heard that the government had trouble keeping its watch-list data under wraps. He also knew -- from the TIA controversy and the firestorm of criticism over airlines such as JetBlue giving passenger data to the government -- that Americans are becoming increasingly skeptical of corporations handing over their personal data to the government. What Jonas came up with is a means to anonymize information but still allow it to be searched for links. He named it ANNA, and he says it's the answer to "how to know everything about everyone without knowing anything about anyone."

ANNA works like this: The software takes a set of data and applies a mathematical encryption formula that converts each piece of data -- a name, an address, a phone number -- into an indecipherable string of characters. The name al-Midhar, for example, could be transformed into cbd034409c22929518fa494f99dc9964. It's called a one-way hash, and in the case of ANNA, the hash function serves to create an anonymous version of the information stored in the database. Each string of numbers is unique, so if two pieces of data differ by even a letter or a comma, the resulting hash will be completely different. ANNA also takes the common data errors found by NORA -- misspellings of names, transposed birth dates -- and hashes them as well. Then it does the same for the names and other information on the watch list (which might include birth dates, addresses, or Social Security numbers). Once all the data is hashed, NORA or another system could search for matches between the unique numbers without ever revealing the underlying data.

Let's say the government is looking for a particular suspect, John Doe, and wants to find out if certain companies have any data about him. It runs a hash on "John Doe," his birth date, Social Security number, and any other information it has on him. The result is a string of letters and numbers. It then hands that string over to the companies, which have run the same hash function on all of their data. Then the company simply looks for matching strings in its database. If it finds one, it alerts the government, which then could obtain a court order to un-anonymize the data.

First, Jeff Jonas is a really smart guy. I've met him before and interviewed him for at least one story.

Jonas used to be a severe critic of Total Information Awareness-style data mining, which looks for patterns of behavior to find possible suspects. He contrasted that with his system, which starts with a suspicion about an individual and then looks to see who that individual is connected to. I assume, though I don't know, that he is still of this opinion.

Now, Jonas's system would anonymize data, but despite the attempt to look for misspellings, transposed digits and variations on names, there is huge room for error in such a matching system. For instance, every David Nelson would share the same hash number. Databases also differ significantly in their ability to differentiate between individuals. A National Rifle Association email list may only contain a name and an email address, while a bank would have much more. Unless every individual has a unique identifier attached to their every transaction, there is a huge problem with incorrect identification.
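The matching scheme and its failure modes, as an added example that is not from the Slate excerpt or SRD's software: SHA-256 stands in for ANNA's unspecified hash, and the normalization rules, field names and sample records are constructed assumptions.

```python
import hashlib
import unicodedata

def normalize(value: str) -> str:
    """Lowercase, strip accents and punctuation, collapse whitespace before hashing."""
    text = unicodedata.normalize("NFKD", value)
    text = "".join(c for c in text if not unicodedata.combining(c))
    kept = "".join(c if c.isalnum() else " " for c in text.lower())
    return " ".join(kept.split())

def one_way_hash(*fields: str) -> str:
    """Digest of one record's normalized fields; equal digests imply equal inputs."""
    joined = "\x1f".join(normalize(f) for f in fields)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def hashed_index(records, keys):
    """Map digest -> record ids, hashing only the fields this database holds."""
    index = {}
    for rec in records:
        digest = one_way_hash(*(rec[k] for k in keys))
        index.setdefault(digest, []).append(rec["id"])
    return index

def match(watch_entry, index, keys):
    """Ids of records whose digest equals the watch-list entry's digest."""
    return index.get(one_way_hash(*(watch_entry[k] for k in keys)), [])

# Constructed sample data (fictional records, not from the article).
BANK = [
    {"id": "bank-1", "name": "David Nelson", "dob": "1961-03-04"},
    {"id": "bank-2", "name": "David Nelson", "dob": "1979-11-20"},  # a different person
    {"id": "bank-3", "name": "Dave Nelson", "dob": "1961-03-04"},   # nickname variant
]
MAILING_LIST = [  # name-only database, like the email list in the text
    {"id": "list-1", "name": "David  NELSON"},
    {"id": "list-2", "name": "David Nelson,"},
    {"id": "list-3", "name": "David Nelsen"},   # misspelling
]
WATCH = {"name": "David Nelson", "dob": "1961-03-04"}

def demo():
    rich = match(WATCH, hashed_index(BANK, ("name", "dob")), ("name", "dob"))
    poor = match(WATCH, hashed_index(MAILING_LIST, ("name",)), ("name",))
    name_only = match(WATCH, hashed_index(BANK, ("name",)), ("name",))
    return rich, poor, name_only

if __name__ == "__main__":
    print(demo())
```

With name and birth date the bank yields one hit, but matching on name alone returns both David Nelsons, and the nickname and misspelled records are missed unless every variant is hashed in advance.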

Moreover, what kinds of databases does Jonas envision his system having immediate access to? As part of the Markle Task Force report on the need for a centralized national security IT structure, he wrote (.pdf) this:

Counterterrorism officers should be able to identify known associates of the terrorist suspect within 30 seconds, using shared addresses, records of phone calls to and from the suspect’s phone, emails to and from the suspect’s accounts, financial transactions, travel history and reservations, and common memberships in organizations, including (with appropriate safeguards) religious and expressive organizations.

Now, Jonas is here talking about a system that would have access to your emails, online behavior, your purchase records, lists of what numbers you called, where you have traveled and what political and religious groups you belong to.

Maybe that's something the country would agree to, but do not think it is not a massive change.

Two other points. Anonymization was much talked about with Total Information Awareness.

Just because government agencies or algorithms don't know your name, that does not mean you are not being surveilled.

Imagine if a little spider robot sneaked into your house every day, poking around for drugs and plugging into your computers' USB port to search for child pornography or unauthorized MP3s.

It doesn't know your name, but if it finds something suspicious, it alerts an officer, who gets authorization from his superior or a judge to reveal your identity and further search your house.

Now, to be fair, that's a real world analogy to an anonymized Total Information Awareness model that has suffered from mission creep.

In the original TIA conception, the little partly-blind spider would only look in your computer and the ones of every company and hospital for indicators that you were part of a terrorist conspiracy, though it might come by a couple times a day.

In Jonas's ANNA model, the blinkered spider would only visit your house, your work and your church if you were a terrorism suspect or if you had a connection to a terrorist suspect, such as living in the same apartment building or visiting the same chat room.

And finally, there is nothing that prohibits the government from using information about other possible crimes when conducting a legitimate search and there's no technical barrier to using a system like ANNA to track down mobsters, file traders or recreational drug users.

Those are political questions. I don't mean to disparage the idea of anonymization using one-way hashes -- it could be a very useful tool for protecting privacy and civil liberties.

However, I'm skeptical of its misuse in political arguments, and I'm distrustful of Wired Magazine-style techno-evangelism.

That said, I'm still planning on buying Safe later today.

(And just a note about the history of Total Information Awareness -- it was not The New York Times that first revealed the program's existence in November 2002 as today's Slate excerpt would have it. Wired News freelancer Elliot Borin beat the newspaper of record by almost three months.)

Posted by Ryan Singel at 08:45 AM | Comments (1) | TrackBack

February 02, 2005 | We Take Visas and Your Phone Records

Well-known French DJ Laurent Garnier has canceled his planned tour of the States as he refuses to comply with a privacy-invasive process of getting a working visa for the States. (via Boing Boing)

He writes on his website:

In order to obtain this new visa, the rules have once again changed since November 2004 and I would now have to not only fill in an exceedingly probing application form, but also be interviewed by a member of the Embassy staff, and provide proof of ownership of my house, details of my bank account, my mobile phone records, personal information on all my family members and more. I consider these demands to be a complete violation of my privacy and my civil liberties and I refuse to comply.

I am horrified by these new regulations and feel really sad that this is what some call freedom and democracy.

It has now become almost impossible for an artist to come and perform in the United States. And until this new legislation changes I will unfortunately refuse to comply with this nonsense.

Thank you for your understanding.

Laurent Garnier

Now Garnier lives in one of 27 waiver countries, which means he does not need a visa to visit the United States.

But for him to legally come tour the country and make money, Garnier has to get a work visa. I've gone through a process of getting a visa for other countries, who mainly want to make sure that visitors are not planning to become long-term residents.

But asking for phone records?

Like Garnier, I'd tell the State Department to keep their visa. (Though Cory called this Homeland Security, visas are handled by the State Department.)

As a journalist, there is no way I would ever show any government agent a list of what numbers I called.

If I were a businessman, I'd also not turn over these records.

I'm intrigued as to whether these questions are requirements or simply something that the State Department is now allowed to ask for if it wants to. A State Department secondary screening, if you'll let me.

For those of you who don't care, because you are American and this is ostensibly in place to protect your country, know that border security measures tend to become reciprocal.

Posted by Ryan Singel at 09:38 AM | Comments (1) | TrackBack

February 02, 2005 | Dodgy Degrees

Today's Wired News has the lowdown on a new government effort to fight the proliferation of diploma mills on the Internet by providing a searchable database of all accredited schools.

How bad is it? Hard to say in terms of money, but note that the schools even use the phrase "diploma mill" to drive traffic to their sites (note the ads in this Google search).

The agency created the database in response to calls for action from Congress in 2004 following revelations about high-level government officials holding questionable degrees and concerns that diploma mills are using the internet to deceive would-be students.

"Obviously diplomas become a growing concern as the internet has made it easier for these schools to proliferate," said Education Department spokeswoman Jane Glickman. "The department has no direct way to shut them down, but we want people to know what's a legitimate school and what's not."

The white-list database could be a useful tool for would-be students and prospective employers who do not know how to distinguish between Hamilton University, a diploma mill in Wyoming, and Hamilton College, a small, distinguished and legitimately accredited liberal arts school in New York.

Such a tool could be invaluable for those tempted to judge a school by its website.

For instance, Kansas State University's digital learning program's website looks to have been designed in 1998, while Almeda University's public face features roll-over drop-down menus and an online chat feature.

But Kansas State offers legitimate classes, while Almeda University, which is not accredited by a recognized agency, grants degrees based on life experience.

Full story here.

For a different take on degrees based on life experience, look at this post on a blog about life experience degrees.

UPDATE: A Wired News reader wrote in to tell me that Google is placing ads for diploma mills underneath the story on the wired.com site. Ahh, the interweb does have a sick sense of humor sometimes.

Posted by Ryan Singel at 09:19 AM | TrackBack
