Secondary Screening

March 2005 Archives

March 31, 2005 | Name That Secret Function

A recent government report on Homeland Security's ongoing drive to revamp the nation's airline passenger screening system revealed that there has always been more to the story than the government let on.

The report laid out that the original proposal -- known as CAPPS II -- would background check potential passengers using commercial data from companies similar to ChoicePoint, government watch lists and lists of people with outstanding criminal warrants.

The government also planned to use government intelligence databases and computer algorithms to determine whether a passenger might be a hijacker, despite their name not being on a list.

This was widely known and reported.

But in a footnote, the report also said that there was one other function that the Transportation Security Administration never told the public about, since the agency classified it as "Sensitive Security Information."

That's a designation the TSA uses to hide information from would-be terrorists -- including the secret that airlines are required to ask passengers for identification.

What could the TSA have possibly wanted to do with CAPPS II that it could not share with the American citizenry?

I'd call and ask what the eighth one was, but they certainly won't tell me. So since we can't know, the only thing we can do is suppose, guess and assume.

So the contest now is: Name that secret function.

Prizes will be awarded in various categories, including a handmade tinfoil cap for the best conspiracy theory and an authentic, fully redacted FOIA response page from the TSA for the most ludicrous suggestion.

Here's a list of the seven functions of CAPPS II the government mostly told the country about.

Table 2: System Capabilities Planned for CAPPS II (capability: description)
  1. Watch list matching: Comparison of data contained in the passenger's reservation, or PNR (ed. note: Passenger Name Record is the technical term for your reservation record), with information contained in government watch lists (selectee and no-fly lists) to identify potential threats to aviation security and other individuals of interest to the counterterrorism community
  2. CAPPS I rules application: Matching information in the PNR to CAPPS I rules to identify individuals who should be subject to additional security screening (ed. note: these are rules that flag people for paying with cash or buying one-way tickets, etc.)
  3. Identity authentication: Checking PNR data against commercial databases to assist in confirming the passenger's identity
  4. Criminal checks: Matching PNR data against lists of international fugitives and government "wanted lists" to identify known criminals
  5. Intelligence-based search for unknown terrorists: Using algorithms developed through intelligence modeling to identify previously unknown terrorists by searching for patterns in an individual's travel or transaction history that are indicative of terrorist activities
  6. Use of opt-in lists: Maintaining a list of individuals who have been previously cleared under credentialing programs, such as registering passengers in advance of making reservations, to minimize the volume of passengers that must be prescreened
  7. Use of alert lists: Providing the capability to create a temporary watch list based on information extracted from current intelligence reports, such as blocks of stolen passports
Source: TSA.

The relevant footnote about the extra capability is on page 9 and reads:

TSA planned to incorporate eight capabilities into the CAPPS II program. We have only listed seven of these capabilities, because one is Sensitive Security Information.


For those wanting to see the full report it is in .pdf format here.

Posted by Ryan Singel at 10:58 AM | TrackBack

March 31, 2005 | Other People's Posts
  • Edward Hasbrouck, a travel expert most learned in the ways of airline data/privacy and round-the-world trips on the cheap, is back blogging and has much worth reading on some recent government reports.
  • The sage journal known as The Onion has a fine infographic on identity theft, giving us some choice answers to the burning question, "Why do hackers turn to crime?" Answers include "Teens so hungry for knowledge, they are willing to steal it."
  • And finally, from a couple of days ago, Adam Shostack of Emergent Chaos lets a little passion show.

Posted by Ryan Singel at 10:48 AM | TrackBack

March 31, 2005 | RFID Passports Again

The State Department is continuing on with plans to embed remotely readable chips in American passports. The government is requiring all 27 countries whose citizens don't need visas to enter the United States to start issuing such passports by October.

But the move is being opposed by those who think there are better and less risky technologies.

Business travel groups, security experts and privacy advocates are looking to derail a government plan to insert remotely readable chips in American passports, calling the chips homing devices for high-tech muggers, identity thieves and even terrorists.

But the U.S. State Department, which plans to start issuing the new passports to citizens later this year, says its critics are overstating the risks. Officials say that the chips will cut down on passport forgery, improve security and speed up border crossings.

The State Department is also adding technical features to prevent the radio-frequency identification devices, or RFID chips, in new passports from being "skimmed" by unauthorized readers, according to Frank Moss, the deputy assistant secretary for passport services at the State Department.

"We will not issue passports to the American public without mitigating the risk of skimming," Moss said, calling the issue both a technical and a political problem.

The 64-KB chips will include the information from the photo page of the passport, including name, date of birth and a digitized form of the passport picture. The chips include enough space so that fingerprints or iris prints can be added later.

Border agents, using special readers, will be able to call up all the passport information included on the chips on a computer screen. They will also use facial-identification software and a digital camera to verify that the person presenting the passport is the person who was issued the passport.

But Bill Scannell, a publicist and freelance civil liberties provocateur, thinks the risk is far greater than the State Department is admitting. On Monday, Scannell launched an internet campaign called RFID Kills to stop the government's plans.

The site accuses the State Department of putting Americans abroad at risk, saying the chips "turn tourists into targets, and American business travelers will transmit their identities to kidnappers wherever they go."

Scannell and some security experts suggest that the government should use other technology to make passports more secure, such as bar codes or chips that require physical contact to read and cannot be scanned from afar.

Full Wired News story here.

Honestly, I'm getting tired of having to do the he-said, she-said treatment on how far away these chips can be read. I'm working to set up a live test that can show one way or the other how skimmable these passports really are.

Posted by Ryan Singel at 10:41 AM | TrackBack

March 29, 2005 | This Time its Personal

The University of California, Berkeley has exposed even more students' personal data -- this time by storing the Social Security numbers and other personal information, including birth dates and addresses, of nearly 100,000 alumni, grad students and applicants on a laptop that was stolen on March 11.

The data was unencrypted.

Six months ago, a hacker broke into a research study database, getting access to 600,000 personal records.

Police and UC Berkeley officials hope the thief is interested in the laptop, not the data in it.

I hope so too, since my girlfriend is currently a Berkeley grad student, and according to the criteria in Michael Liedtke's AP story, her data just got stolen.

Word on the campus is that UC Berkeley isn't offering anyone any help with battening down their credit hatches, and is simply advising students to check their credit reports.

Go Bears.

Posted by Ryan Singel at 10:11 AM | TrackBack

March 28, 2005 | Another Day, Another Report

The Government Accountability Office today released its second report on whether the TSA's efforts to replace the current airline passenger screening system are effective and respect the public's privacy.

Since Congress has mandated that the GAO certify the program (now known as Secure Flight) before it can be rolled out, this report calls into question whether the system can be put in place at two airlines (reportedly Delta and JetBlue) in mid-August, as recently announced by Homeland Security's new chief, Michael Chertoff.

Here's what the report had to say:

TSA is making progress in addressing each of the key areas of congressional interest related to the development and implementation of Secure Flight, including developing and testing the system. However, TSA has not yet completed these efforts or fully addressed these areas, due largely to the current stage of the system’s development. For example, while TSA has drafted a concept of operations and system requirements, it has not finalized these key documents or completed test activities that will need to be accomplished before Secure Flight becomes operational. Until requirements are defined, operating policies are finalized, and testing is completed—scheduled for later in the system’s development—we cannot determine whether Secure Flight will fully address these areas of interest.

TSA also initiated a number of actions designed to improve the ability of Secure Flight to identify passengers who should undergo additional security scrutiny, in place of the prescreening currently conducted by air carriers. Specifically, TSA officials stated that recently completed initial testing identified improvements over the current prescreening system, and TSA plans to use intelligence analysts to increase the accuracy of data matches. However, the effectiveness of Secure Flight in identifying passengers who should undergo additional security scrutiny has not been fully determined. For example, TSA has not resolved how passenger data will be transmitted from air carriers to TSA to support Secure Flight operations. Further, the ability of Secure Flight to make accurate matches between passenger data and data contained in the terrorist screening database is dependent on the quality of the data used, which has not been determined.

TSA has also strengthened the oversight and management of Secure Flight, and has established relationships with key program stakeholders. However, air carriers expressed concerns regarding the uncertainty of system requirements, and the impact these requirements may have on the airline industry in terms of system modifications and costs. Additionally, TSA has taken steps to minimize potential impacts on passengers and to protect passenger rights during Secure Flight testing. However, TSA has not yet clearly defined the privacy impacts of the operational system or all of the actions TSA plans to take to mitigate potential impacts.

Full report here (.pdf), highlights here (.pdf).

Posted by Ryan Singel at 09:32 AM | TrackBack

March 27, 2005 | The L Word

Bruce Schneier read the Inspector General report and in response, breaks out the L word -- lie.

UPDATE: Aero-News calls the report a cover-up. Part two and three.

I'm not willing to go so far, though when I heard about the data transfers last year after American Airlines admitted its involvement (also, not surprisingly, on Good Friday), I felt lied to.

I wrote then:

"American Airlines' announcement Friday that it shared more than a million passenger itineraries with four government contractors reveals that Transportation Security Administration officials have repeatedly issued false statements about the development of the passenger-profiling system known as CAPPS II.

American Airlines joins a growing list of carriers that have come forth in recent months to say that they have shared massive amounts of information about their passengers with the TSA. For the past eight months, TSA officials have repeatedly said they were not collecting this data. But American's disclosure raises questions about why the department has given false information about its data collection.

The TSA also may have withheld information improperly from investigators looking into the agency's practices."

The L word is tough -- to really use it, you need to know intent and know that the person knows the truth.

For instance, I don't know that the IG tried to bury this report by releasing it on Good Friday, though it'd been in production for many months. I do know that almost exactly one year ago -- again on Good Friday -- American Airlines revealed its data transfers by dropping the info on an AP reporter late Friday afternoon.

Can I say unequivocally that either attempted to bury their reports?

Nope.

But both sure picked a time that makes it tempting for someone to think so.

My earlier take on the report is here.

Posted by Ryan Singel at 07:20 PM | TrackBack

March 26, 2005 | For the Record: Data Transfers, Misleadings and the Inspector General

The Department of Homeland Security's acting Inspector General released its report on the TSA's role in data transfers between airlines, the agency and its contractors.

Homeland Security officials failed to keep millions of airline passenger records secure and repeatedly made false denials of their involvement in data transfers to the media and Congress, but they did not violate federal law, according to a report released Friday.

The report (.pdf) by acting Department of Homeland Security Inspector General Richard Skinner found that the Transportation Security Administration was involved in 14 different data transfers totaling more than 20 million records in 2002 and 2003.

The report describes an array of data dumps from airlines to TSA contractors and paints a picture of an agency unable to keep track of its own operations, leading to false denials of data transfers to the media and inaccurate sworn testimony to the Senate.

However, the department did not violate the Privacy Act, which prohibits secret databases on Americans, since the agency used the records in bulk and did not look up individuals by name, according to the report.

Delta Air Lines, JetBlue Airways and American, Frontier, Continental and America West airlines, along with three airline record-processing firms, all secretly turned over data directly to the TSA and government contractors.

The data included names, addresses, dates of birth, itineraries and credit card numbers.

The data dumps first came to light after Wired News reported in September 2003 that JetBlue had violated its privacy policy by turning over 5 million records to an Army subcontractor.

Those records were augmented with personal records from Acxiom, one of the country's largest data-aggregation companies.

That information included incomes, occupations, vehicle ownership information and Social Security numbers.

Friday's report shows that JetBlue and Acxiom's participation did not stop there.

Acxiom provided, in violation of JetBlue's privacy policy, 2.75 million JetBlue records directly to HNC Software, a company hired by the TSA to build a prototype of an airline passenger-screening system.

Acxiom also separately provided HNC with sensitive personal information from its databases on more than 1 million American Airlines passengers.

The goal of almost all the data transfers was to test a system called CAPPS II, which intended to use computer algorithms to detect terrorist threats to airplanes by comparing itineraries to government watch lists and commercial data.

My full Wired News story here.

There's a lot more to this story than I have time for here but three things:

1) The report is oddly redacted so that all names are removed, including the names of high level government officials, such as Admiral James Loy, who is the one who provided at least two false answers under oath to Congress. He corrected one of them.

2) The Inspector General's office is now being led by Richard Skinner, a lawyer who worked under former Inspector General Clark Kent Ervin before Ervin was ousted by the White House and Maine Republican Senator Susan Collins. Skinner has now reportedly made it department policy that the media not be informed about when reports are released. That's extremely odd -- part of the power of the inspector general's office is that its reports are widely reported on, which increases pressure on the Department to implement any recommendations.

3) The self-serving item. The report talks about misleading the media. Specifically, they are talking about stories I wrote after exposing the JetBlue transfers.

Prior to that event, I had been trying to run down rumors and hunches that the TSA contractors had gotten passenger data secretly. Two separate TSA spokesmen told me untruthfully that those transfers had never happened. In fact, they both acted extremely annoyed that I had the gumption to ask such a question. Later events would prove my hunches to be right.

Those stories here and here and here.

The report had this to say: "The responses that the TSA spokesmen provided to Wired News were not accurate. CAPPS II prototypes and components were tested using authentic passenger data on eleven occasions. Moreover, eight of the cases involved the CAPPS II program's [Risk Assessment Engine] prototype vendors."

Those were the companies I asked about: Lockheed Martin, HNC Software (now Fair Isaac), Ascent Technology, and Infoglide Software.

(Oddly enough, Infoglide's president and CEO Michael Shultz lied to me in an interview prior to the stories about the data transfers, when he told me that one could tattoo the Ben Franklin motto "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety" on his forehead and that his company would never try to work on the Total Information Awareness project. I guess he never thought that anyone would dig up his company's rejection letter from Admiral John Poindexter. But EPIC did (872 KB.pdf).)

And finally, for the record, when I broke the story about the JetBlue data transfer to a defense contractor called Torch Concepts, TSA spokesman Brian Turmail threatened to cut off my access if I wrote that the transfer had anything to do with the TSA or CAPPS II. In fact, according to the IG report,

The former CAPPS II program manager said that, following the initial meeting with Torch Concepts, the CAPPS II’s executive sponsor instructed him to assist Torch Concepts. In our interview with the former CAPPS II executive sponsor, he could not recall having given such an instruction, but said that it was possible that he did so. We could find no documentary evidence that would settle the matter.

Posted by Ryan Singel at 04:09 PM | TrackBack

March 23, 2005 | Secondary Snowstorm

I've been silent the last few days since I've been trying to get in some spring skiing in the Sierras.

What I got instead was a blizzard -- about eight feet over the last five days -- a total white out.

My post putting the lid on the blog on Friday got eaten, but if I can get out of here today (the road is still closed), I'll be back in blog service on Thursday.

In the meantime, don't miss Adam Shostack's due diligence and Kim Zetter's great Wired News story on Choicepoint's background checking service.

Posted by Ryan Singel at 11:53 AM | TrackBack

March 18, 2005 | Popcorn, Popcorn

As cable news discovered on Wednesday with its wall-to-wall coverage of the oh-so-important steroids-in-baseball controversy, Congressional hearings can make for pretty dramatic television.

On Tuesday, there were two other good episodes, both focused on data brokers, information security and identity theft.

I wrote a little bit about the House hearing, but didn't have time to check out the Senate Banking committee hearing (a continuation of the hearing from last week) until yesterday.

ChoicePoint's vice president Don McGuffey didn't have to suffer quite like ChoicePoint CEO Derek Smith did in the House, but he did face Senator Richard Shelby who meted out his questions like an old-time Southern prosecutor politely building his case.

There was also a great moment between Sens. Shelby and Sarbanes publicly reminiscing about a data privacy hearing from years ago that featured Ralph Nader and Phyllis Schlafly actually agreeing on something.

The video is here. (Real Media player needed)

Also worth noting is that McGuffey revealed that he told ChoicePoint's president Douglas Curling about the theft in late November.

Smith claims not to have learned about the breach of his company's lax security until late December or early January, just before a board meeting.

But if, as McGuffey testified, Curling learned about the police investigation in November, that means Curling knew of the potential damage to the company even as he and Smith began selling 458,600 shares between November 9 and February 15, the day the ChoicePoint story broke. The trades happened bi-weekly, as the men exercised long-held options and continued on past the announcement of the breach.

Together the men made $16.6 million in profits during that time.

If I were Curling that testimony would scare me, given the Securities and Exchange Commission is already looking into the stock sales.

And Curling likely isn't the only one worried by recent events.

If these hearings are any indication of the level of ire in Congress, the data industry might be well advised to rethink their historical opposition to regulation and instead find a way to keep whatever legislation is coming from killing off their business.

Posted by Ryan Singel at 11:42 AM | TrackBack

March 18, 2005 | Friday Bicycle Blogging

I missed out on St. Paddy's day blogging, but I noticed Hit & Run's Jesse Walker pointing to Allen Barra's tribute in Salon to the great Irish writer Flann O'Brien.

I've been an O'Brien fan for years, but not enough of one to be part O'Brien.

Here's an excerpt from his brilliant dark comic whodunnit The Third Policeman (affiliate link).

'There is one puzzle,' I remarked, 'that is hurting the back of my head and causing me a lot of curiosity. It is about the bicycle. I have never heard of detective-work as good as that being done before. Not only did you find the lost bicycle but you found all the clues as well. I find it is a great strain for me to believe what I see, and I am becoming afraid occasionally to look at some things in case they would have to be believed. What is the secret of your constabulary virtuosity?'

He laughed at my earnest inquiries and shook his head with great indulgence at my simplicity.

'It was an easy thing,' he said.

'How easy?'

'Even without the clues I could have succeeded in ultimately finding the bicycle.'

'It seems a very difficult sort of easiness,' I answered. ' Did you know where the bicycle was?'

'I did.'

'How?'

'Because I put it there.'

[...]

'Did you ever discover or hear tell of the Atomic Theory?' he inquired.

'No', I answered.

[...]

'Michael Gilhaney,' said the Sergeant, 'is an example of a man that is nearly banjaxed from the principle of the Atomic Theory. Would it astonish you to hear that he is nearly half a bicycle?'

'It would surprise me unconditionally,' I said.

'Michael Gilhaney,' said the Sergeant, 'is nearly sixty years of age by plain computation and if he is itself, he has spent no less than thirty-five years riding his bicycle over the rocky rocksteads and up and down the hills and into the deep ditches when the road goes astray in the strain of winter. He is always going to a particular destination or other on his bicycle at every hour of the day or coming back from there at every other hour. If it wasn't that his bicycle was stolen every Monday he would sure to be more than half-way now.'

'Half way to where?'

'Halfway to being a bicycle himself,' said the Sergeant.

Posted by Ryan Singel at 10:24 AM | TrackBack

March 18, 2005 | Paradox Still a Paradox

Dennis Bailey responded to my criticism of his seeming opposition to a nationwide law requiring companies to inform citizens when their personal information has been sold to identity thieves or stolen by ne'er-do-wells who figured out how to get access to a sensitive database.

I asked why someone dedicated to transparency and openness would oppose such a law, based on the flimsy rationale that some thefts might not be known to a company because they were inside jobs.

Instead of answering that question, Bailey takes me to task for supposedly being shocked that anyone could disagree that the Fair Credit Reporting Act should be applied to data brokers.

Bailey must have neglected to finish reading my post, which ends "That's not to say that I think the [FCRA extension] legislation is the right cure, just that if you want to debate its merits, you ought to do so with legitimate arguments."

In fact, Jim Harper of Privacilla and the Cato Institute makes a compelling argument that legislation is not the right approach.

He argues that information technology changes faster than legislation and suggests that if courts held data brokers liable for their mistakes that would provide a strong incentive for them to comply with fair information practices.

What I was doing is pointing out that Bailey argues for the necessity of increased surveillance and tracking of individuals, but says that should only happen if there is a concomitant openness on the part of government and big business - a David Brin-inspired notion of two-way surveillance.

But when it comes to big data brokers that compile dossiers on Americans and list marketing firms that enhance their lists with data bought from data brokers, Bailey thinks they should be immune from the return gaze, because it might cost companies money to comply.

Nevermind that the data can cost people a possible job, a place to live, or, in the case of Amy Boyer or a woman fleeing an abuser, her life.

I just don't get it, unless Bailey is not really serious about accountability.

I'll admit here that Bailey has a point that the proposed law could apply to more than just the biggest data brokers, depending on how the Federal Trade Commission writes the rules (the proposed legislation transfers much of the rule making authority to the FTC).

But I'd be highly surprised if the number came anywhere near a thousand, let alone the thousands he says will be affected.

He also tries to attack me by arguing that it is likely that civil liberties groups use direct mailing lists.

In fact, it wasn't too hard to find a company that claims the ACLU has used one of their lists, but I fail to see how that's relevant to the argument at hand, especially since the issue isn't about the existence of direct marketing lists and I don't work for the ACLU.

I don't have a position on what the appropriate remedy is for the power imbalance that has grown up between citizens, data brokers and their government/corporate clients -- in fact, I think it's such a thorny problem that any single remedy will not solve the problem and will have unintended consequences.

But it is pretty clear to almost everyone except Bailey that there's a problem.

Still, Bailey goes on to take another few off-the-topic whacks.

One, he accuses Wired News of being part of a bad acronym (MSM), implying it's one of those old, stodgy media giants that loathes the blogosphere. This made me laugh. It should make you laugh too, if you have ever read Wired News.

Now, I don't exactly know what the Mainstream Media is, but if I'm a part of it, no one has ever sent me a membership card.

Personally, I'm pretty sure the term has no meaning and no definition since it tends to mostly get rolled out whenever a self-important blogger needs an easy target (reminds me a bit of the now-dated term "politically correct").

Two, Bailey accuses Wired News of deciding whom to publish based on recommendations from privacy and civil liberties groups.

I won't speak for Wired News -- since I'm a freelancer, not an employee - but I'm pretty sure that's not how they make hiring or publishing decisions.

What Bailey really seems to be implying is that some Wired News writers are highly skeptical of power and listen to and publish the criticisms of civil liberties group.

Since I cover privacy, anti-terrorism and technology, and these groups follow the same issues closely, I'd be a fool not to talk with them and quote them when their criticisms seem valid.

He seems to be implying - though doesn't quite come out and say it -- that I simply rewrite their press releases and ignore or exclude other sides of an issue.

Now, if Bailey thinks that, I'd love to see him use his blog to take apart one of my pieces.

He's never done that, though he did criticize an article by Wired News staffer Kim Zetter (whose name, in violation of the first rule of journalism, he misspelled) for an article she wrote on RFID badges for school children.

What I think Bailey is trying to criticize is Wired News writers' tendency of not simply swallowing and regurgitating the feel-good assurances of corporations and the government, of being skeptical of claims that there are terrorists lurking under every bed and pedophiliac child molesters drooling at the door of every school, and of questioning the wisdom of a background check society, where a person can't get a job manning a register at a box store because as a 19 year old they got busted trying to finagle their way to cheap cocktails and meaningless sex in a college bar using a fake I.D.

Indeed, I think what Bailey might actually be accusing Wired News of is the sin of journalism.

To that, I happily attempt to plead guilty.

I'll leave the role of sycophant, apologist and scaremonger to him for when he steps up to his microphone in the blogosphere to stick it to the man in the MSM by toadying up to power.

Posted by Ryan Singel at 12:38 AM | TrackBack

March 16, 2005 | Putting the Paradox in Open Society

I'm generally a fan of Dennis Bailey's Open Society Paradox, but there's much to be intellectually desired in his recent posts defending ChoicePoint.

I don't have much time tonight to argue (my rock n' roll buddy Kelley Stoltz and his band are playing one last gig before they head to the U.K. for a tour -- yeah, that Kelley Stoltz, the one who made it into the UK's MOJO, the best big music magazine in the world, and fought his way into the number 24 spot of MOJO's best 40 albums of 2004. What you haven't heard him on your local radio station, reviewed in Spin or Rolling Stone or even your alt-weekly? Oh, someday you will.)

But I do have time to contend with the following statement from this entry opposing the extension of credit-reporting rules (the Fair Credit Reporting Act, known as FCRA) to data marketers -- actually, he seems to oppose any rules at all.

Notifying individuals that their data has been compromised is a nice idea but how many cases happen without a company's awareness? All it takes is a disgruntled employee to carry off some information and the company may not find out about it for years if ever.

That's just absurd.

Bailey seems to be implying that companies should not be forced to reveal when they have sold your SSN to an identity thief with a fake business license, a bottle of white-out and four bucks to rent the local Kinko's fax machine, because the threat could come from inside a data marketing company as well? That's a ludicrous statement from someone who says he's dedicated to greater accountability and transparency for all, including those in power.

Wouldn't the embarrassment of having to announce an insider theft or the penalty for not disclosing such a theft make companies take greater precautions -- such as encrypting data, severely restricting who has access to sensitive data and stringent auditing to detect misbehavior before a person could sell or misuse stolen data?

Also the notification legislation is a wholly separate bill from the one that would impose some of the regulations of FCRA to data aggregators.

Though Bailey talks a good game, I'm getting the feeling that Bailey's Open Society is actually mostly a one-way mirror -- with those in power on the dark side of the glass watching everyone else on the other side, and demanding they flash their biometrically-equipped homeland Identification cards on command or whenever they leave their house to get a coffee at the local café.

And one more thing -- just for the sake of the record, the proposed legislation that would extend some of FCRA to data aggregators would not affect "thousands of companies with large databases of personal information," ... "leading to significant economic costs."

It doesn't affect Amazon or eBay, which have millions of records about what citizens have bought and sold, because those companies aren't data brokers under the proposal.

Honestly, there just aren't that many data brokers, and if Bailey had bothered to read the legislation, he'd know that only a handful of companies would be affected. That's not to say that I think the legislation is the right cure, just that if you want to debate its merits, you ought to do so with legitimate arguments.

Posted by Ryan Singel at 09:58 PM | Comments (1) | TrackBack

March 16, 2005 | Former Vs. Former

Former Department of Homeland Security chief Tom Ridge called former DHS Inspector General Clark Kent Ervin into his office twice in 2004 to scold Ervin for the tone of his reports on the failings of the department and to ask him to try to coordinate the message of his findings with the department, according to Pete Yost of the AP.

During a June 9 meeting, "Ridge said a couple of times, 'Look, are you my IG?' and I said, 'No, I'm not your IG,'" Ervin recalled.

Ervin said that when he told Ridge that the inspector general served the public, the former Pennsylvania governor replied, "I had an IG in Pennsylvania and he didn't release things to the Legislature or to the press."

Ervin said he answered: "But I do here. I have a reporting obligation" to Congress.

Ervin said the meeting "was two hours of 'Why are you doing this? Why are you being negative to the department? Why are you releasing reports?' It was a long come-to-Jesus meeting, angry and confrontational. I just spent the whole time trying to educate him about the role of the inspector general."

Ridge had just endured an uncomfortable morning on Capitol Hill. Senators had used one of Ervin's reports to question Ridge about problems, including lost and stolen passports, in a program that allows citizens from certain foreign countries to enter the United States without a visa.

In a subsequent meeting five weeks before the Nov. 2 election, Ervin said, Ridge talked about presenting the inspector general's reports in a way that would make them seem less critical of the department.

According to Ervin, Ridge asked, "What can we do to coordinate our messages on these reports so that you and we are saying the same thing about it?"

Ervin recalled: "I said, 'I'm not in the spin business. We don't coordinate our messages with the department. You can characterize it and spin it however you want, but that's your business, not ours, and we're not going to coordinate anything with you.'"

Full story here.

Ridge denied he played politics while at the helm of the DHS, particularly when he was accused of timing trips to announce homeland security grants to help President Bush's re-election campaign.

He also says Ervin is not telling the truth about their meetings.

In a statement, Ridge said: "I did not always agree with the tactics, interpretations, conclusions or recommendations of the inspector general. At no time, however, did I ever ask him to suppress or withhold a specific report."

Ervin's statements are "untrue and deserve no further comment," said Ridge, who left as secretary last month.

Now that's a classic non-denial denial.

W. David Stephenson never bought the original line -- see his post here detailing Ridge's meeting with Republican pollster Frank Luntz (another story broken by the AP's Pete Yost).

Also note that Ridge's denial doesn't deal with the real meat of the story.

By all accounts, Ervin is a damn smart and principled guy who had the power to peer into the nooks and crannies of a sprawling Department cobbled together from 22 other agencies just about 2 years ago. You'd think that a head of such a department would want to talk to this guy pretty often, to get a sense of what Ervin thought the department could do better.

Instead, Ervin seems to have been treated with as much acceptance as cops give the head of an Internal Affairs division.

And since this is Sunshine Week, make a note that this blog entry owes its existence to Pete Yost filing Freedom of Information Act requests.

Posted by Ryan Singel at 08:11 AM | TrackBack

March 15, 2005 | ChoicePoint's Mr. Smith Goes To Washington

ChoicePoint CEO Derek Smith and LexisNexis's president Kurt P. Sanford testified before Congress today, and though Smith apologized for his company's data leak, that didn't spare him a public berating by Massachusetts Congressman Edward Markey.

Markey repeatedly tried to get Smith to agree to extend credit monitoring services for longer than a year to folks affected by ChoicePoint's lax security procedures. Smith refused to budge, finally arguing a year was long enough.

One suspected the onslaught was coming given Markey's previous statements on the issue, his co-sponsorship of legislation to curb data marketers and his opening statement (.doc).

It reads, in part:

How would consumers feel if they discovered that while they take extra precautions to guard their personal information, their names, social security numbers, tax records, credit histories and employment documents were piled high into wheelbarrows and baskets and sold to the highest bidder in a bustling market place that is as frenetic and unregulated as the streets of Bombay?
“RIGHT HERE, GET YOUR SOCIAL SECURITY NUMBERS!!!!”
“MEEEEEEEEDICAL RECORDS, EMPLOYMENT HISTORY-CHEAPER BY THE DOZEN.”

"This is an industry still in denial, that still doesn't recognize how highly Americans value their privacy, and hopes to ride out this scandal without Congress making the necessary changes," Markey said. "All I know is Mr. Smith and his company are the largest single contributors to a lobbying effort to block truly effective privacy laws being passed in Congress. That's all I need to know."

Both News.com's Declan McCullagh and Reuters' Andy Sullivan covered the hearing in a responsible manner.

Sullivan here, McCullagh here.

But really, you should listen yourself.

Here's a ten minute MP3 from the hearing.

Posted by Ryan Singel at 12:25 PM | Comments (2) | TrackBack

March 15, 2005 | John Gilmore: A User's Manual

Cryptome.org has posted an email from Brad Barnhill describing how to avoid having to show identification at the airport.

As many of you know, John Gilmore is currently suing the government to reveal whether the identification requirement exists and to actually make the law public. (See here and here).

Barnhill's method basically involves getting your boarding pass printed ahead of time using the Internet, bypassing the airline altogether by not checking any bags and then pressing TSA employees to show you the rule. They will likely harass you for acting differently and then just send you to (yup, you guessed it) secondary screening, where they will swab all your stuff for explosives, pat down your chest and make you undo your pants.

Barnhill claims to have all the FAA rules regarding identification. I think he is mistaken in thinking he has all of them. There likely exists a security directive, which is classified, that sets the policy for airlines and TSA employees regarding identification. It's just that they won't show it to you.

Of course, this won't work if your name matches or approximates a name on the selectee or no fly list, since you wouldn't be able to print your boarding pass ahead of time.

If you are on the selectee list (meaning you can fly but you have your boarding pass marked SSSS to tell TSA personnel to screen you closer), you'd need to try the method Slate publicized a few months ago (though others talked about the vulnerability before then and the TSA knew about it, according to Adam Shostack) to get past the gates without triggering secondary screening.

If you are on the no fly list, you'd have to have someone else buy your ticket and then use the Slate method.

So far as I can tell, the Barnhill method isn't a security risk. Anyone using it is going to have their person and their possessions scrutinized.

Oh, and though many, many others pointed to the story already -- go read the Gilmore profile by Pittsburgh Post-Gazette's Dennis Roddy. It's a small masterpiece.

And while you are at it, check out this column he wrote on Saturday, which asks questions about the kind of world we live in, where companies named after birds of prey are hired by schools to make sure no visitor is a sex offender.

Oh, hell, make it a Roddy fest. This one is worth thinking deeply about, too.

Posted by Ryan Singel at 09:44 AM | TrackBack

March 14, 2005 | Freedom of Information Actions

It's spring out here in San Francisco, and that makes it a good time for Sunshine Week, an effort by the American Society of Newspaper Editors to bring attention to Freedom of Information laws and problems.

SSN pal Noah Shachtman of Defense Tech fame has a good round-up post to introduce you to the project.

There's also a good AP story by Martha Mendoza about Seth Rosenfeld, an outstanding investigative reporter for the San Francisco Chronicle (yes, they have a few good reporters, including the ever-entertaining Steve Rubenstein). Rosenfeld's claim to fame, besides his great recent work on the involvement of Hoover's FBI in trying to crush the Free Speech Movement at the University of California, Berkeley (see this post), is that he is the author of the longest pending Freedom of Information Act request.

He's still waiting for the FBI to turn over documents he first requested in 1981.

Five judges have already ordered the documents released (he's gotten a lot of them, but not all of them).

I know a little of Rosenfeld's pain. I love the Freedom of Information Act in theory, and though I have no institutional support (read no lawyer), I often try to get information from the government using FOIAs. Mostly, I've had little luck, though many FOIA officers do try their best.

On July 8, 2003, I filed a FOIA request with DARPA -- the research arm of the Pentagon known for creating both ARPANET (one of the precursors to the Internet) and the Total Information Awareness system.

I had found that the Total Information Awareness program was looking to hire a company to provide TIA with a fake world of information -- a world of records of persons buying things, calling each other, emailing, going to the doctor and joining organizations. The idea was to create a testbed world that would test whether TIA could actually pick out the hints of a terrorist plot within a whirlwind world of data.

I actually thought the idea was pretty cool and was interested in how big the world was and what activities were included. I later found references to this testbed in interviews with Admiral John Poindexter, who originally headed up the program until he was ousted under pressure in August 2003.

Poindexter referred to the testbed as "Vanilla World."

I asked for contracts, for all documents related to the testing of TIA components and for assessments of the efficacy of TIA, among other things.

I got nothing and nothing and nothing.

Finally, I began bugging the fine people in the DoD's FOIA office, who began pressuring DARPA to search for records.

DARPA's response was to impugn my journalism and stonewall.

Finally, 18 months after I first requested documents, DARPA provided me with three documents.

One was a copy of DARPA's report to Congress in 2003 on the Total Information Awareness program. That public document came out on May 20, 2003, and my story on it for Wired News is here.

That report used to be on DARPA's website, but DARPA has since removed the page. Find it here (.pdf) at GlobalSecurity.org.

The second document was a three-page boilerplate explanation of the Information Science and Technology Study Group (ISAT), a group established in 1987 to provide DARPA with an "independent assessment of the state of advanced information science and technology as it relates to DoD issues."

That group produced the third document I got: Security with Privacy: ISAT 2002 Study. The group concluded that the key technologies for introducing a base level of privacy into a data-mining system are selective revelation (e.g. your data mining program might tell you it found some potential bad guys, but you need your supervisor's or a judge's permission to see the person's name), strong auditing procedures and some privacy rules.

Oh yeah, and this document (.pdf) was originally turned over to the Electronic Privacy Information Center on December 17, 2002, in response to their FOIA and lawsuit. (Find all their TIA FOIA documents here.)

This is what DARPA claims to be the extent of their records on the testing of Total Information Awareness, despite a statement in the report to Congress that it had tested part of TIA on information gleaned from Guantanamo Bay interrogations.

I guess that means that DARPA researchers never wrote a report about testing, never emailed one another about their tests, and never held a meeting that involved anyone taking notes or sending out an email to schedule the meeting.

Which would mean that Total Information Awareness had no information awareness about its own system.

Of course, that's an absurd notion.

DARPA is simply acting in bad faith and abusing the Freedom of Information Act. So now I have to sue them to get them to act in accordance with law.

But there's no real penalty for their actions. If I sue and win, my attorneys-to-be-named-later would get legal fees. If I sue them myself and win, I get no fees for my troubles. No one there gets a reprimand, no one goes down a pay rank -- instead, it's far more likely that the person responsible gets a pat on the back for defending their agency from the press and the public.

Unfortunately, this is all too common.

Lee Tien of the Electronic Frontier Foundation has tried to disabuse me of the notion that FOIAs have any force. Instead, Lee has told me over and over, you have to treat FOIAs simply as notice of intent to sue.

Honestly, I hate that notion. I'm a proceduralist and a believer in fairness. I truly do hope and believe that government employees strive to follow the law and act in the public interest. Yeah, I know that's very "Mr. Smith Goes to Washington," but I like to try to keep my cynicism at a minimum.

Thankfully, there's some new legislation (S. 394, known as the OPEN Government Act (.pdf)) introduced by Senators John Cornyn (R-Texas) and Patrick Leahy (D-Vermont) that would speed up the processing of FOIAs and even penalize agencies for not moving fast enough. The bill's other merits include allowing bloggers and writers for smaller Internet publications to get fee waivers and creating an Office of Government Information Services that would audit agencies' compliance with FOIA procedures.

Even better, that office would offer an arbitration service requesters could use, instead of getting a lawyer and going to court, to force agencies to release documents or to contest overly broad use of exemptions.

That would be a nice alternative to finding a lawyer to sue the cynical, self-interested folks (and she knows who she is) at DARPA who pretend to follow the law, but do not.

(All that kvetching aside, I also just got this very morning some cool DVDs via an unrelated FOIA request from the Department of the Interior. If there's anything cool in there, I'll post it here.)

Posted by Ryan Singel at 10:52 AM | TrackBack

March 11, 2005 | While You Wait

While you are taking your shoes off and throwing away any butane lighters you might have on you as you wait in a TSA line, take a moment to check out the following:


  • Adam Shostack of Emergent Chaos has been all over the ChoicePoint story. Check his aggregated post out now and after you land.
  • DrunkenBlog has a detailed rundown on the CherryOS controversy. For those who don't know what that even means, check out my story about the alleged wholesale theft of open-source code in yesterday's Wired News.
  • Kim Zetter over at Wired News has a great story about the price of a background check society for those unfortunate enough to have an inaccurate ChoicePoint file.
  • Jonathon Krim of the Washington Post takes another look at the make-up of the Department of Homeland Security's privacy board. It's far better than my Wired News story from a week or so ago.

    I like his piece for a number of reasons, but best of all for bringing up why many in the privacy community stayed away: the Non-Disclosure Agreement and the background check. Few people know how to sign an NDA and then remain an active part of the public debate without violating that NDA.

    Folks at the Center for Democracy and Technology know how, but somehow no one from this group ended up on the board; its executive director, Jerry Berman, who is eminently qualified for the job, applied but was not appointed.

    The raft of other stories and the fury on the blogs (Declan for News.com and Leslie Miller in the Associated Press and the kids over at Slashdot) criticizing the panel's make-up almost certainly means the group is on notice that their reports, especially the first one, will be looked on with a cynical eye. It behooves the panel to prove their critics wrong.

UPDATED: I forgot to finish a sentence in the middle of this entry. I also added that Jerry Berman applied for the job.

Posted by Ryan Singel at 02:54 PM | TrackBack

March 11, 2005 | Libertarians and Lists

Libertarianism is an intellectually attractive mode of political thinking that combines a belief in free markets, an unflagging belief in individual and corporate liberty, and a full dose of skepticism of government power and regulation.

For the best in this train of thought, check out Reason magazine and its Hit & Run blog.

But libertarianism's biggest weakness, from where I write, is its failure to deal very well with issues of power imbalances.

Generally speaking, libertarians consider individuals and corporations as equal players in society (what libertarians call "the market").

So if I don't like being subject to a background screen prior to employment (something I'm sure none of Reason's writers would agree to), I should not apply for a job at Target or Walmart.

That's easy to say in principle, but it is unrealistic for many people in reality.

All that is a long intro to a pointer to an analysis of the role of the Federal Trade Commission by Electronic Privacy Information Center rockstar Chris Hoofnagle.

Privacy Self Regulation: A Decade of Disappointment is a great read -- detailing the unfulfilled promises of the FTC's policy of letting companies self-regulate their information practices. And unlike most policy analyses, this one comes complete with a super clever cover.

Oh, and in his blog, Hoofnagle points to a marketing list advertised in Direct Marketing News: 6.1 million people who have been determined to be the kind who like to live beyond their means using credit.

Once again, that's a marketing list.

Yet one more reason why every Congressman and Senator who voted to line the pockets of credit card companies and turn Americans into indentured slaves should be voted out of office.

Posted by Ryan Singel at 12:11 PM | TrackBack

March 11, 2005 | Move Over FBI, There's a New Abbreviation in Town

As we learned yesterday, the Internet is changing everything.

Can the Federal Trade Commission keep up, even if the Senate gives them the legal equivalent of admin privileges, a T1 connection, a multi-threading processor, a wireless mouse, some IP tracing software, an anti-glare monitor screen and a whole closet full of O'Reilly books?

Today, Andy Sullivan (the Reuters journalist and rock n' roll legend, not the guy famous for his premature "I'm retiring from the blog world" ejaculations and on-air butt scratching) has the goods on yesterday's Senate Banking hearing on ChoicePoint and identity theft. It was the first of several hearings, but unfortunately was frequently interrupted by adjournments for votes.

In fact, ChoicePoint's Vice President Don McGuffey, who was scheduled to testify, never did.

Senator Charles Schumer (D-NY) grilled the head of the FTC, Deborah Platt Majoras, about whether the FTC needed more authority to regulate ChoicePoint, since as a data marketer much of its work isn't regulated by the rules governing credit reports.

Platt Majoras was in a bad way, since the FTC is investigating ChoicePoint.

Now, my guess is, Platt Majoras would love to have more authority, but she can't say in front of the Senate that the FTC currently has no authority over data brokers, without totally undermining the legitimacy of whatever investigation is currently going on.

Schumer and Sen. Bill Nelson (D-Fla.), along with others, want to pass a bill giving the FTC more authority. Nelson's version (.txt) is here.

Schumer took Platt Majoras's inability to give a yes or no answer as a clear yes: the FTC needs more authority, which his bill would give it.

There was another piece of news yesterday that can only make one think, 'So what?'

The FTC announced it had reached an agreement with a company called CartManager, which runs checkout and sales services for thousands of small internet-based businesses. Seems the FTC busted the company for renting out customer names and lists, often in violation of the privacy policy of the small businesses.

From the press release:

But CartManager collected and rented the personal information of nearly one million consumers who shopped at merchant sites. The FTC alleges that CartManager did not adequately inform consumers or merchants that it would collect and rent this information and that it acted knowing that renting the information was contrary to many merchants’ privacy policies. The agency charged that CartManager was unfair and violated federal law.

The FTC used its muscle to stop this company from screwing its direct customers (the online stores) and its indirect customers (the Internet's average Jane and Jim Doe).

What did they get?

The settlement bars disclosure of previously collected personal information and bars misrepresentations about the collection, use, or disclosure of personally identifiable information. It requires that CartManager and merchants’ privacy practices be consistent, or, if not, that CartManager post a clear and conspicuous disclosure to consumers on each of its pages stating that consumers are on a CartManager site and that personal information collected on the site will be used, sold, rented, or disclosed to third parties.

Ouch. I can feel the pain from here.

Surely they got fined, too, right?

The settlement also requires that CartManager give up $9,101.63 it made by selling the information.

Maybe Nelson, Schumer, Corzine and Markey should go re-read the Parable of the Talents before the next hearing.

Posted by Ryan Singel at 10:26 AM | TrackBack

March 10, 2005 | An Imperfect Storm

I've been kept off the blog for a week or so now, having been felled by a frayed power cord, a persistent virus (carbon, not silicon), MT plug-in errors (don't you hate it when a string is passed back when a number is expected?) and some nagging existential questions.

Those are all mostly resolved or at the least, put in a bug tracker somewhere.

So I'm back and to prove it, I'm sharing with you a song by the Reuters-writing rockstar Andy Sullivan (not to be confused with the totally non-rock n' roll Andrew Sullivan).

Andy plays guitar and sings. He also covers tech policy. So if there were anyone in the country with the cred to write a song called "The Internet Is Changing Everything," it'd be Andy.

"I saw Alan Greenspan in the bathroom at the MPAA/He used the urinal on the right/He said I bought Amazon at 12 and sold it at 400/Now I drink Dom Perignon every night/The Internet is changing everything/ We've got no secrets anymore/Our every move is logged by the bloggers down the block and the webcams behind every door/"

Find more free DRM-free Sullivan goodness to fill your hard drive or MP3 player here.

Posted by Ryan Singel at 01:16 PM | TrackBack

Powered by
Movable Type 3.2