Posts filed under ‘USA’

The REAL problem: identity inflation

One of the problems with a compulsory national ID system, including a de facto one like REAL ID, is “identity inflation”, sometimes also referred to as “identity creep.”

Since everyone has a gold standard ID, government and businesses find it easier and easier to require one. Soon, situations that previously required only lower quality proof of identity or no identity at all, now require an ID card. Government and businesses find that they have an increasing number of problems that the ID card can “solve.”

There are certainly examples of this happening before. The British ID card went from 3 functions during World War II to 39 by the time it was abolished.

There are certainly examples of this happening now. In the final regulations, the Department of Homeland Security limited the required use of REAL ID to just three situations: boarding commercial airplanes, entering federal buildings, and entering nuclear power plants. However, only five days later, a senior official from that agency floated the idea of making customers show a REAL ID-compliant driver’s license to purchase over-the-counter cold medicine containing pseudoephedrine to combat illegal drug production.

The senior official went on to say, “The last thing I want to talk about, and very briefly, is the civil liberties objections to REAL ID, because I don’t understand them.” What a gem. He probably doesn’t realise just how accurate his words were! In any case, irony is hardly a strong suit for most government types.

Interestingly, in a generally pro-REAL ID article in Time, this was the one issue over which some concern was expressed, “The great leap forward from a longer arm for the law to “1984” will have to be made by the private sector. How well a watchful federal government will actually be able to track its citizens will depend on how many places demand to see your driver’s license. Airports already do. So do some supermarkets, if you’re buying beer. But what about malls? Movie theaters? Sports stadiums?”

A final perspective on identity inflation comes from, where else, the UK. Identity inflation is also about having more and more information held about people. Currently, the law specifies 50 categories of information that the National Identity Register can hold on each citizen. Why not, gradually, increase that? After all, what’s a few more pieces of information? All for the greater good, the public interest, and all the right stuff. Government’s got a problem to solve? Let’s store that one piece more of information that will “solve” the problem.

As I’ve said before, my opinion is that the REAL problem is more Franz Kafka than George Orwell.

February 6, 2008 at 9:46 pm 3 comments

NZ: Privacy reality check

I spend a lot of my working day thinking about identity-related online services. Protection of privacy in these services is axiomatic. Not only does it make good sense to me, it’s also mandated as one of the policy principles by Cabinet.

The 2007 Privacy & Human Rights Report issued by Privacy International provides a reality check. Across the 47 countries surveyed, the Report says that, “The 2007 rankings indicate an overall worsening of privacy protection across the world, reflecting an increase in surveillance and a declining performance of privacy safeguards.”

New Zealand gets a red colour indicating “Systemic failure to uphold safeguards”, as does Australia. Canada gets a yellow for “Some safeguards but weakened protections” while the USA and UK get a black for being “Endemic surveillance societies.” Top of the heap is Greece but even it gets only a 3.1 rating out of 5.

The Report lists nine key aspects for New Zealand’s ranking. This seems to have prompted a leading blogger in The New Zealand Herald to call it ‘Systematic failure’ to protect our privacy. The blogger goes on to say, “From biometric passports to greater sharing of information among Government departments to greater use of surveillance technology, we would certainly seem to be following the lead of countries in the black category. But privacy is a touchy issue for Kiwis and rightly so. Just listen to talkback radio whenever talk of a national ID card emerges in the media.”

According to the Report, of particular concern for NZ is:

– “Court of appeal has had some problematic decisions regarding privacy complaints” and

– “DNA database based on order from high court judge, violent crimes, and convicted burglars; though voluntary samples can be included and increasingly this is being pushed by the police, resulting in more than 80% of samples on database being given ‘voluntarily’.”

I think what’s missing from the Report is people’s perception of the state of privacy in the country being reviewed. Perceptions can be as important as (if not more important than) the reality.

On that front, in my opinion NZ is doing fine but, as the Report shows, things could be better.

February 4, 2008 at 11:04 pm 2 comments

Biometrics in the Sky

From the outside, it seems that one of the central beliefs in the US government is that if they can collect every person’s biometrics on Earth and put that into a database, then they can substantially solve all their security problems. Federal authorities have pursued this approach almost single-mindedly over the past few years.

Sometimes these efforts have been overt. A good example is the US-VISIT Program where visitors to the US have to endure lengthy delays as everyone’s fingerprints (currently both index fingers but soon all ten) and photograph are taken.

For me personally, after a 12-13 hour flight, the thought of another two hours standing in a line to get my fingers squashed by a “friendly” official so that the fingerprint reader gets an acceptable reading within a couple of attempts means that I try to avoid travelling to or via the US altogether.

In classic government doublespeak, the benefits of US-VISIT are touted as “Protects the privacy of our visitors” and “demonstrate that we remain a welcoming nation.” Yeah, right!

Sometimes the US efforts to collect the biometrics of every single human being have been more subtle. I think the current “Server in the Sky” concept falls into this category. Police from the International Information Consortium (US, UK, Canada, Australia, and NZ) will be able to exchange biometrics and personal information about criminals and suspects. New Zealand is “considering joining the consortium.”

These five countries already share intelligence amongst themselves and co-operate in running Echelon, the global eavesdropping service that can listen in to telephone, radio, and email communication.

What’s subtle about this is that anything submitted for matching also gets added to the US biometrics database. And that’s another step forward in the grand plan to collect the world’s biometrics.

What’s wrong with this? Why shouldn’t we all do our bit in the fight against global terror and criminals? If you haven’t done anything wrong, surely you have nothing to fear from having your biometrics in a US database?

You do… because the central belief that collecting the world’s biometrics will substantially solve all the US’s security problems is wrong. Because the US federal authorities have not proven themselves worthy of such trust. Because the US has a long history of subsequent misuse to achieve more pressing national security concerns. Because “acceptable collateral damage” from data inaccuracies means a lot of grief for some innocent people.

January 16, 2008 at 9:02 pm Leave a comment

ID theft from security breaches

How much identity fraud or theft actually comes from breaches involving the disclosure of personal identity information?

This is an important question because of increased publicity around high profile breaches. The fiasco in the UK involving 25 million records is an obvious one but also, according to Privacy Rights Clearinghouse, over the past three years there were about 217 million known records containing sensitive personal information involved in security breaches in the US.

The question is also important given the moves to introduce guidelines or laws for data breach notifications, in both New Zealand and Australia.

There isn’t a lot of hard data to go by. That makes the recent study by US firm ID Analytics interesting.

The study looked at over a dozen data breaches involving more than ten million consumer identities. ID Analytics found five separate cases where breached identity data was misused by fraudsters, with two of those cases resulting from employee theft of data.

Very few identities were misused following a data breach.

Smaller breaches had a higher misuse rate than larger breaches. Misuse of personal data ranged from 1 in 200 identities for breaches of fewer than 5,000 individuals to a misuse rate of less than 1 in 10,000 identities for breaches of more than 100,000 individuals. So, data breaches that get major press coverage, generally falling in the latter category, have a misuse rate of under 0.01%.

Therefore, there is some evidence that identity fraud or theft that actually comes from breaches involving the disclosure of personal identity information is quite low. A greater danger comes from internal breaches than external ones.

Hopefully, this will inform a rational debate on the nature of public disclosure for data breaches.

December 10, 2007 at 9:52 pm 2 comments

The feds & your Amazon records

When should US law enforcement authorities (the feds) get access to your details and records at Amazon? Not exactly a rhetorical question given that Amazon is asked several times a year to hand over customer records.

If your answer is “Never, it is none of their business” then that’s probably not correct, especially in a post-9/11 world. In any case, it is widely acknowledged that the right to privacy is not absolute, e.g. in preventing crime or terrorism.

Note that the question was “when”, not “if”. In the US, the feds have access to personal information for their investigations if there is:

(a) a compelling need and close nexus, or

(b) the records may be relevant to the investigation.

While (a) is the norm, clearly (b) presents a very low threshold for the feds to access your records. That explains why they tend to try to find ways to argue that (b) should apply or that some laws, such as the USA Patriot Act, specifically allow for (b).

What happens when the feds get your records under (b)? In most cases, the records turn out to be not relevant but, hey, once they’ve got them, why not just add them to their huge databases so that they can mine them again and again without going through the bother again?

A recent case when Amazon took on the feds is interesting and relevant although it does not carry the same weight as judgements by more senior courts. As The Register reports, “Amazon refused to reveal individual names [but did give email addresses], citing the buyers’ First Amendment right to privacy. The grand jury thought this was silly, and as it continued to push for at least some of the names, the uber-dot.com asked US Magistrate Judge Stephen Crocker for protection.”

Recently unsealed court documents (PDF) show that the Judge agreed and the feds, now finding that they no longer needed the information, withdrew.

According to the court documents, the judge used some colourful language. My favourite is, “The subpoena is troubling because it permits the government to peek into the reading habits of specific individuals without their prior knowledge or permission… it is an unsettling and un-American scenario to envision federal agents nosing through the reading lists of law-abiding citizens while hunting for evidence against somebody else.”

“If word were to spread over the Net – and it would – that the FBI and the IRS had demanded and received Amazon’s list of customers and their personal purchases,” he continued, “the chilling effect on expressive e-commerce would frost keyboards across America.”

What about outside America? The impact would be as much, if not more, as the First Amendment would not apply.

For many non-US users of online services, be they ecommerce sites, SaaS providers, or search engines, this aspect of US law is often overlooked. Think about the online services you use and consider which ones store your data in the US.

In all those cases, US law applies and the feds can get your details and records without your knowledge. The only question is whether it will be via (a) or (b).

Data location does indeed matter.

December 4, 2007 at 9:36 pm 6 comments

Privacy breadcrumbs

Loved Bob Blakley’s post The 2007 CECI Award. Bob, add me to the list of people waiting for the next CECI award.

Bob points to an article in My Way where a senior intelligence official says it is time for people in the US to change their definition of privacy, the current one being a bit inconvenient for the US government.

In a related speech the official, Donald Kerr, says “Protecting anonymity isn’t a fight that can be won.” His argument that young people giving up privacy voluntarily in social networking sites such as MySpace and Facebook is reason enough for a more intrusive approach to privacy by government is astounding.

That’s right up there with the guy who decided to re-label invading armies as peacekeeping forces.

Bob also points to a second article, this one in CQ Politics, FBI Hoped to Follow Falafel Trail to Iranian Terrorists Here. Hilarious story of the FBI trying to track down Iranian terrorists based on customer data collected by San Francisco-area grocery stores. No wonder this hare-brained idea was totally unsuccessful.

What next? Require sellers of falafel to demand ID and then hand over all the records to the FBI?

November 12, 2007 at 8:58 pm Leave a comment

NZ’s biggest identity fraudster

123 false identities and “…a full time occupation of serious dishonesty.”

That’s what it took New Zealand’s biggest identity fraudster, Wayne Thomas Patterson, to con the Ministry of Social Development out of $3.4 million in benefits over two and a half years. He had so much cash and gold in his house that the story and video of finding them make it sound like a fun treasure hunt for police.

His preferred point of attack seems to be superannuation where age (65+) is the major determinant of eligibility. Stolen birth certificates and disguises did the rest.

Wayne’s false identities seem to represent the classic cascading of identity documents. Start with forged birth certificates and then move on progressively to genuine driver licences, IRD (tax) numbers, bank accounts, passports, and benefits.

Which also means that multiple government departments, namely the Ministry of Social Development (social welfare benefits), Land Transport New Zealand (driver licences), Inland Revenue Department (tax numbers), and Department of Internal Affairs (passports), would have reviewed their identity verification processes to prevent this from happening again. Still, it is worth asking how this chain of trust can be broken effectively.

As the Chief Executive of the Ministry of Social Development said, one must keep this in perspective. That Ministry pays out $17 billion a year to a million people. And, it comes out with a net gain of $467,000 thanks to some astute investments that Wayne made with his millions.

This is the third country that Wayne has been jailed in for identity fraud after earlier spending jail time in the USA and Australia. Ironically, once he’s out of jail, it will be the Ministry of Social Development that he can look to for help. Only, this time it will have to be with his true identity.

October 12, 2007 at 9:48 pm 1 comment
