gregh  2007-07-30 04:06  homeland_security  security  tsa   

Bruce Schneier interview with Kip Hawley, Part I:

Kip Hawley: Screening ideas are indeed thought up by the Office for Annoying Air Travelers and vetted through the Directorate for Confusion and Complexity, and then we review them to insure that there are sufficient unintended irritating consequences so that the blogosphere is constantly fueled.

Aha! We've had our hunches.

Imagine for a moment that TSA people are somewhat bright, and motivated to protect the public with the least intrusion into their lives, not to mention travel themselves. How might you engineer backwards from that premise to get to three ounces and a baggie?

The Vice President has investments in a company that manufacturers sample-size bottles.

gregh  2007-03-01 14:39  homeland_security  real_id   

Well, DHS has released Real ID draft regs.

In addition, states have been given another 19 months:

The Bush administration will allow states to postpone the planned May 2008 launch of a program to toughen security requirements for driver's licenses by up to 19 months, in response to complaints about the projected $11 billion cost and potential disruptions, congressional and Department of Homeland Security officials said yesterday."

Time to go read the draft regs...

gregh  2007-02-21 09:07  homeland_security  real_id   

The National Conference of State Legislators has put up a "Countdown to REAL ID" page. There a lot of great resources there, as well as a database inventorying various state legislation concerning driver's licenses and identification cards.

Countdown to REAL ID:

As the May 11, 2008 implementation deadline of the Real ID Act approaches, states are facing an uncertain future. The U.S. Department of Homeland Security (DHS) has failed to release regulations and Congress has appropriated only $40 million to assist states with the implementation. Without adequate assistance from the federal government and regulations to guide state efforts to implement the Real ID Act, state driver’s license security is at a stand still. 

As I write this, the countdown says:
444 days, 10 hours, 44 minutes, 01 seconds

Wouldn't be bad to see some regulations come out of DHS at some point, eh?

gregh  2007-01-21 01:09  homeland_security  information_privacy  Law  real_id   

Following up on my recent post about the DHS recommending a commercial data aggregator to create a new database for the data access requirements of the Real ID Act, it appears that it may not be as dire as original reported by Unreal ID. Specifically, Unreal ID claimed that the DHS recommendation was to:

[h]ave a private data aggregator act as the central database. This is the plan advocated by DHS. The plan calls for the outsourcing of all drivers license and ID card checks to a private corporation, who would then charge the states for each check performed. DHS head Michael Chertoff personally ordered this option to be chosen, according to a senior administration source.

A Wired story takes some issue with this, and provides text of the recommendations Unreal ID was operating from. This is pretty useful. While this entire component of Real ID is awful, it's not quite as bad as I surmised and wrote about previously. Let's look at the suggestions as they exist in this text (whether this is the actual text of the recommendations or not):

First, the States could simply be left to make whatever arrangements they choose among themselves. This approach would maximize State flexibility but could prove burdensome and chaotic in implementation.

There is no doubt that this would prove "burdensome and chaotic." Of course, that's one of the pluses. Imagine the states opening up their databases in ways that made using that access completely unworkable. They'd give up on this unnecessary requirement and it would go away. It's no surprise that DHS would dislike this one; it should be clear that the intention was never really to allow states full access to the databases of other states, but rather to make access easier for federal agencies by standardizing access. Why would Jim Sensenbrenner care about giving all the states access, when it's something they've never pursued?

The language is a bit confusing for this second item, and that's somewhat disturbing. It's disturbing because it's not clear just how it works in conjunction with the third recommendation. I'll explain more below:

Second, the States could create a "federated" or "decentralized" system, in which each State continues to maintain its own records but the interface among databases is standardized. This might be implemented as a "pointer" index that allows States to determine where to find relevant records about applicants. This system would be similar to DOT's Commercial Driver's License Information System (CDLIS).

The third possibility, listed below, does have distinguishing characteristics, but some of the language of this possibility is unclear. It appears to blend federated data and decentralized data. There's no reason states couldn't standardize interfaces to their data without providing some central federation service that provides pointers to the data. That sounds like it comes suspiciously close to the clearinghouse discussed below. Instead, the data could simply be decentralized with standardized access methods used across the states.

Both possibilities sound horrid. The pointer database suggests a database of identifying information -- quick, tell me what other than SSN could be sensibly used as the pointer -- that provides ready access to go gather anything a wily user wants to get out of the system. The "chaotic and burdensome" approach sounds much better. This sounds like a data protection nightmare. After all, this pointer index would, as a matter of course, contain enough information to identify a person. Getting that data would expose a hundreds of millions of identities.

Of course, it would also make it easier for the TIA replacement to find the data.

Finally, there's the third possibility, the "clearinghouse" solution. Here's how it appears in the Wired document:

Third, the States could utilize an intermediary, or clearinghouse, to assemble necessary information about a particular applicant. This approach would require only one entry of information by a State DMV, and one transmission of all verifiable information to the clearinghouse. The clearinghouse would not store data about applicants; instead, it would determine which databases and systems to search and then would provide the relevant information once the data is assembled about that applicant. For example, the clearinghouse would communicate with SSA to verify the applicant's Social Security number (submitting the applicant's full legal name, date of birth and Social Security number provided by the applicant), submit applicant data through EVVE, submit applicant data to USCIS' SAVE program as applicable, and check whether the applicant is licensed in another state through queries to individual States. Once all these lines of data were verified, the clearinghouse would return the full, verified response back to the State DMV. In none of these approaches would a large permanent multistate collection of individual records be created. The "federated" and clearinghouse alternatives are focused on the infrastructure among systems, and would not act as a substitute for the databases that hold the actual information (i.e., the databases would not "dump" into the clearinghouse).

Note that the description is very clear that there would not be "a large permanent multistate collection of individual records" here. Of course, that's patently untrue, because the pointer index of the federation would, in fact, have a gigantic collection of individual records. It would have to, if the goal is to find all records, for example, that pertain to my license and potential licenses I might have had elsewhere, which is really the sole reason to create this monstrosity in the first place (excepting the ulterior motives I suspect are at this requirement's heart.)

It's easy to see why this solution looks like such a good sell. A rogue user from some random state is going to have a much more difficult time acting independently to harvest huge numbers of records from the other states; that risk is greatest when only the individual states will be tracking access, such as in the federated or "burdensome and chaotic" solutions. What's more, this one might be seen as attractive because it doesn't have to store anything, outside of the time that it's assembling these nice little records packages for the state DMVs. However, there's something far more sinister here.

From a data leakage perspective, it's going to be far more difficult to track American citizens if the records of movement are stored in requests between states. First, states would have to give it up. Second, the feds would have to be able to make use of the morass of various audit records. Oh, but that beautiful clearinghouse. It's going to know exactly where I am, when I requested a license or otherwise had business with the DMV. It will quickly put the federal government on a path to track movements of Americans (further on the path than it already is.) The data may come and go, but those logs will be rife with rich information to be mined, intruding into the private comings and goings of Americans.

No, this third option doesn't create a new database. Instead, it creates a new tracking system without the encumbrances of a new database.

The concluding paragraph of the text provided by Wired is someone comical:

In developing such a system, DHS expects that the all appropriate privacy and security mechanisms will be included to reduce the risk of unauthorized access, misuse, fraud, and identity theft. Although DHS considers the third option to have the highest probability of timely and effective implementation, DHS will not require States to adopt one of these approaches as part of these regulations. DHS will consult actively with States and other stakeholders with a view to assisting the States in choosing the alternative that is most likely to reduce the costs of meeting the verification requirement. DHS will be examining ways in which DHS may assist States in most effectively meeting the requirements of the REAL ID Act. This may involve assistance through federal procurements or grants. Any such assistance will likely be provided separately from this NPRM, but DHS welcomes comments on the alternatives and on methods by which it may assist the States in reducing the burden of complying with the requirements of the REAL ID Act.

(emphasis added.) Of course, it's rich enough to read about DHS expecting "all appropriate privacy and security mechanisms" to be included, given their repeated failing ratings for computer security and data protection, when they're even capable of filing their reports. However, the suggestion that they won't be requiring one of these to be selected is something of a joke. After all, does anyone believe that DHS will fund any option a state may choose?

Over at Homeland Stupidity, Michael Hampton has followed up his previous post to put these recommendations in context, concluding:

Don’t be too surprised in a few months when it’s announced that AAMVA got the contract after a lengthy wait, required for the sake of appearances and bureaucracy. After all, they’re already maintaining a similar, but much smaller, database for the states, which holds data on every commercial driver license holder in the country. This is the blueprint on which the national identity database will be built.

It does, oddly, sound a whole lot like the third possibility.

gregh  2007-01-11 13:48  homeland_security  information_privacy  Law  personal_information  Politics  privacy  real_id   

Update: See my follow-up, covering the actual text leading to these suggestions. It's not quite as bad as suggested. It still ain't great.

If the following is actually correct, the Department of Homeland Security is even more worthless than I could have imagined.

UnRealID.com:

The Department of Homeland Security has finished their proposed regulations for implementing the Real ID Act and has sent them to the Office of Management and Budget for approval.  The publication of DHS's REAL ID regulations will follow shortly.  The compliance guidelines are almost one year overdue.

According to a still-secret several hundred-page dossier sent last week by DHS to the Office of Management and Budget, DHS considered three ways to implement the REAL ID Act:

Plan A: Order the individual states to find a way of communicating data to one another.  This idea was given short shrift by DHS, who dismissed it out of hand.
Plan B: Have DHS build a centralized database for the states to query before issuing REAL ID-compliant drivers licenses.  This idea was also rejected.
Plan C: Have a private data aggregator act as the central database.  This is the plan advocated by DHS.  The plan calls for the outsourcing of all drivers license and ID card checks to a private corporation, who would then charge the states for each check performed.  DHS head Michael Chertoff personally ordered this option to be chosen, according to a senior administration source.

One would hope that this would be the final nail in the Real ID coffin, and this would surely bring about swift introduction of the Akaka-Sununu Identification Security Enhancement Act of 2006.

Given the poor data protection histories of the commercial data aggregators, not to mention their incredibly poor histories of data matching, the very idea of them being called upon to manage aggregation of all of the drivers databases sounds more like a cruel joke. There may be more interesting issues.

To begin with, the Real ID Act doesn't call for a large database of driver's license data. In order to issue Real ID-compliant driver's licenses, states must:

(12) Provide electronic access to all other States to
information contained in the motor vehicle database of the
State.
(13) Maintain a State motor vehicle database that contains,
at a minimum--
(A) all data fields printed on drivers' licenses and
identification cards issued by the State; and
(B) motor vehicle drivers' histories, including
motor vehicle violations, suspensions, and points on
licenses.

Driver's license database information is commercial information owned by the states. This is clear from Reno v. Condon:

The motor vehicle information which the States have historically sold is used by insurers, manufacturers, direct marketers, and others engaged in interstate commerce to contact drivers with customized solicitations. The information is also used in the stream of interstate commerce by various public and private entities for matters related to interstate motoring. Because drivers’ information is, in this context, an article of commerce, its sale or release into the interstate stream of business is sufficient to support congressional regulation.

There were already some questions hanging around (most dismissed by commentators) about the Constitutionality of allowing the federal government to require states to grant other states access to their own commercial items without compensation in order to comply with the Real ID Act. Permitting commercial data aggregators to take possession or ownership of that state property without compensation is somewhat more egregious. As things now, those aggregators would be forced to purchase that information from the states; at least in that instance, the coffers of the states are gaining something to help cover the maintenance of that data. Under this plan, it would seem plausible (especially if the aggregators "accidentally" released the information into the public domain) that the states would simply be forced to give it away. This may raise greater Constitutional questions about those portions of the Real ID Act.

It makes the security aspect even worse.

It likely removes the (feckless) Privacy Act and the Computer Matching and Privacy Protection Act from the mix.

In short, I'm currently even a bit skeptical that even the inept Department of Homeland Security could proffer a suggestion as ludicrous as this one; I can't wait to see the actual proposed regulations to find out if it's true.

gregh  2006-12-14 15:00  homeland_security  Law  personal_information  privacy  real_id   

Homeland Security chief defends Real ID plan:

"I think this is an example (of) when security and privacy go hand in hand," the Homeland Security chief said in a half-hour speech at George Washington University here. "It is a win-win for both."

The importance of such documents was magnified by an announcement Wednesday, Chertoff said. Federal authorities reported that they had made more than 1,200 arrests related to immigration violations and unmasked criminal organizations stealing and trafficking in genuine birth certificates and Social Security cards belonging to U.S. citizens.

"Do you think your privacy is better protected if someone can walk around with phony docs with your name and your Social Security number, or is your privacy better protected if you have the confidence that the identification relied upon is in fact reliable and uniquely tied to a single individual?" Chertoff asked rhetorically.

First for the cheap shot: "a win-win for both?" Doesn't the term have two "wins" in it to signify that it's already about both? What would be a win-win for security or privacy alone?

Chertoff ignores the greater privacy implications of Real ID. One is that the states will have to collect a much greater array of information from individuals than they currently do. Another is that they're required to maintain it both electronically (that should make your skin crawl) and in hardcopy. Yet another is that they'll be forced to communicate with a number of other databases (leaking personal information) every time you need to interact with a card-issuing agency. It requires that I carry around a large chunk of machine-readable information on my identification card, and what's worse, makes no limitation on who can read that information and how it can be used. And finally, the Act requires that the states open up their databases to all of the other states. Enrolling in the Real ID system saps a big chunk of my privacy away from me.

Unfortunately, it adds no privacy protections (it even took some away.) The guy who can walk around with papers with my personal information isn't prevented from doing so with Real ID in place. There are no added limitations on the use of social security numbers, or of sensitive transactions, or the release of my records. There's no protection of state records release laws under Real ID, and it seems probable that any state in the Union could decide to start selling the records of any other state.

Is there added security? There's no suggestion of it in the Real ID Act. Much of the act worries about ensuring that cards can't be tampered with or counterfeited (and we all know this is a joke; if someone can make it, someone else can copy it.) There's little effort given to the notion of authenticating a card. Instead, security is supposed to come from looking at a card and making an assumption that if it looks like a Real ID-compliant card, it must be a Real ID-compliant card. That will work well the first time someone knocks over a delivery truck shipping Real ID-compliant cards to the DMV, or a former employee of the company making card materials for an agency absconds with the materials and sells them.

The tough part for me is figuring out who actually is receiving the wins from the win-win. I suppose mostly it's a flailing agency that needs any "positive" progress it can make and an industry anxious to start selling newer, more expensive identification card raw materials.

gregh  2006-12-13 01:01  elections  homeland_security  information_privacy  Law  personal_information  privacy  real_id   

This is good news. Getting through finals kept me from seeing this right away. The text is not currently on Thomas yet, so I'm not sure what the details are. Homeland Security Watch says it rolls back to § 7212 of the Intelligence Reform and Terrorism Prevention Act, but the text from the ACLU press release below makes it sound like it goes even further.

In particular, increased protection of driver's license data from third parties (esp. if beyond what the DPPA provides), encryption of collected data, and the protection of state privacy laws (which weren't impacted by § 7212, anyway) all sound good.

Hopefully, with the new Congress, this thing will stand a chance.

American Civil Liberties Union : ACLU Lauds Akaka-Sununu Real ID Fix Bill, Says Additional Privacy and Civil Liberties Safeguards Still Needed:

WASHINGTON - The American Civil Liberties Union today welcomed the introduction of bipartisan legislation authored by Senators Daniel Akaka (D-HI) and John Sununu (R-NH) that would add privacy and civil liberties safeguards to the Real ID Act. The 'Identification Security Enhancement Act of 2006' would address several of the shortcomings of the controversial legislation adopted last year, including the establishment of a National ID.

. . .

The Real ID Act was adopted last year as part of a must-pass military appropriations bill. The act rolls back civil liberties protections, attacks privacy rights and sets the stage for a national ID. Many diverse groups including the ACLU, the National Association of Evangelicals, the Ancient Order of Hibernians, the National Conference of State Legislatures, the National Governors Association and the American Association of Motor Vehicle Administrators opposed the Real ID Act. Conservative estimates place the minimum cost of the program at $12 billion.

The Akaka-Sununu bill would eliminate most of the requirements that laid the foundation for a National ID card, such as the obligation that all data and systems be standardized. The bill also changes the approach to drivers’ licenses by calling for more flexible 'standards' instead of the current uniform mandates. In perhaps its most significant privacy fix, the legislation prohibits the use of license data by third parties, requires encryption of the data itself and preserves any state privacy laws that may provide greater protections.

(Via Homeland Security Watch.)

gregh  2006-10-31 10:03  homeland_security  information_privacy  Law  personal_information  privacy  real_id   

Of course Total Information Awareness never died.

It helps connect the dots, as I've previously suggested:

Certainly, there's probably good reason to believe that TIA never died. There's also very good reason to believe that one of the great benefits of forcing the electronic opening of all state driver databases is that it would benefit a TIA-like system.

Why else would the federal government force the states to electronically open their databases to all other states, when the states hadn't even been asking for that? Well, of course. It makes it easier for the federal government to collect the information to stuff their databases. Unfortunately, it also leaves everyone else's information more prone to theft. Government agencies haven't exactly shown themselves to be adept at protecting personal information.

NATIONAL JOURNAL: Terrorist Profiling, Version 2.0 (10/20/2006):

The government's top intelligence agency is building a computerized system to search very large stores of information for patterns of activity that look like terrorist planning. The system, which is run by the Office of the Director of National Intelligence, is in the early research phases and is being tested, in part, with government intelligence that may contain information on U.S. citizens and other people inside the country.
 
It encompasses existing profiling and detection systems, including those that create 'suspicion scores' for suspected terrorists by analyzing very large databases of government intelligence, as well as records of individuals' private communications, financial transactions, and other everyday activities.

(Via Schneier on Security.)

gregh  2006-09-05 07:02  homeland_security  security  tsa   

I went to Boston over Labor Day weekend.

As the last things I packed at 5 AM, I didn't give much thought to my toiletries as I threw my deodorant and toothpaste into an outside compartment of my bag and took off. I got to Oakland International, and the security line snaked through baggage claim, past 3 or 4 carousels, and up the back wall. Things didn't look promising. Thankfully, it was 6:00 AM and my flight didn't leave until 7:40.

The line moved very quickly, as it happened. Time wasn't going to be a problem.

But maybe security was? As we were getting ready to land, it struck me that I had inadvertently brought two prohibited items onto the plane: my gel deodorant and my tube of Crest toothpaste. Now, I had nothing evil planned, and the containers did actually hold deodorant and toothpaste. Nonetheless, if these things are so evil, how could they have been allowed to slip by? Surely a toothpaste tube shows up on an x-ray machine? What about a deodorant container?

Now, I don't really feel the current bans are all that meaningful or likely to prevent an attack, but I'd at least like to think items that are obviously not supposed to make it on a plane will be snagged. Especially if they're much more likely to cause a security situation.