Jul 09 2010

Australian government expanding air travel surveillance

Closely following the bad example (controversial both in the US and Australia) of the USA, the government of Australia is moving toward increasing detailed and integrated ID-based surveillance and control of air travelers.

As of the first of this month, under the so-called Enhanced Passenger Assessment and Clearance (EPAC) systems, Australian authorities have real-time access to all passenger name record (PNR) data for all passengers on all international flights to Australia.  And an additional A$24.9 million is being spent by the government over the next two years, in addition to uncounted amounts that airlines and other travel companies will have to spend, to expand the amounts of data collected by airlines and passed on to government agencies as well as the automated profiling (“risk assessment”) conducted on the basis of this data.

The changes and the heightened surveillance and control of travelers to Australia come at the same time that the European Union is simultaneously renegotiating agreements with Australia and the USA for government access to PNR data related to flights to and from the EU.

The Sydney Morning Herald quotes  the president of the Australian Council for Civil Liberties, Terry O’Gorman, as saying that the scheme “increases the risk of a person wrongly being put on a no-fly list.”

Jul 09 2010

Social networks, identity services, and national ID

Most of the reporting on last month’s conference on Computers, Freedom and Privacy (where we joined a panel on current hot topics in privacy) has focused on the issuance of a Social Network User’s Bill of Rights. That’s testimony to the importance of Facebook, but the implications extend even to those who aren’t currently users of Facebook or similar services.

As Brad Templeton has described it, “Facebook [is] mak[ing] a play to be the main provider of what is sometimes called ‘identity’ services on the internet,” with greater domination (monopolization?) of that niche than any previous provider of “single sign-on” services — even Microsoft.  If a third party wants to offer an online service that depends on a unique identifier, and doesn’t want to put the speed bump of needing to remember a separate user name and password or other identifier in front of customers, the default today has become to offer that service as a Facebook app, on the assumption that most potential users are already signed in to Facebook.  You can opt out of Facebook, but that option is a cop-out, not least because then you can’t use any of the other services that, as Facebook apps, rely on Facebook for their user ID and authentication.

Inherent in using Facebook for authentication is that Facebook itself, as the ID services provider, is aware of each ID-verification or authentication event involving any Facebook app, just as a credit bureau has a record of each time a third party has verified your ID or credit using their service. Facebook has a duty to its shareholders to monetize this information, if it can figure out a way to do so, and a legal duty to hand it over to the government in response to a court order.

Worse — and the deeper reason for this blog post — government agencies are increasingly turning to commercial ID services, if not yet to Facebook, as outsourced ID verification services for the provision of government services and the exercise of citizens’ legal rights.

Already the TSA is using an (illegal, but still in operation after more than two full years) ID verification scheme under which would-be airline passengers who decline to display acceptable government-issued credentials are required to “verify” their identity by asking them questions about the information contained in the records about them maintained by Choicepoint or Acxiom.  And the latest issue of Privacy Journal reports that the Social Security Administration is considering a similar system using questions and answers based on the records of commercial data aggregators as a way to “authenticate” individuals for online management of their Social Security accounts.

In such a world, your “identity” is what these companies say it is. Where do these private companies think you lived, and with whom, in a certain year, for example? An identity thief who has gotten your files may be more likely than you are to to know the “correct” answer.  And each time such a commercial service is used to verify your ID for government purposes, the service provider has a record of the transaction to add to its dossier about you, and use for whatever purposes it chooses.

At present, our use of one set of credentials or identifiers to pass through TSA checkpoints (if we choose to provide them), our checking our record of Social Security contributions, and many other dealings with government agencies are tracked separately, using (at least sometimes) separate identifiers. But as we discussed with representatives of the NO2ID, drawing on the UK example, and others at CFP, the more dangerous part of a national ID scheme isn’t necessarily the single national ID card (if any) but the reliance on a single identifier for multiple purposes, and the resulting ease of compilation of a database of transactions and events which are all linked to that ID even when they are carried out by different government agencies or third parties.  That’s just as much of a danger whether the monopolistic ID services provider is a government Ministry of Identity or if it’s Facebook, Acxiom, or Choicepoint.