Aug 07 2010

Public says “No” to national cyberspace ID proposal

In June, the Department of Homeland Security and the President’s Cybersecurity Coordinator published a proposal and request for comments on a for a “National Strategy for Trusted Identities in Cyberspace” (NSTIC).

It’s hard to belive that such a system implemented from the top down at the behest of DHS and the White House would remain, as its proponents claim it would be, truly “voluntary”.

In practice, it will be required for online interactions with government agencies as well as private compnaies, rendering it “voluntary” the way it’s “voluntary” to show ID to travel: you don’t have have government ID credentials as long as you are prepared to walk (or walk on water or paddle a sea kayak if you want to get between, say, Hawaii and the U.S. mainland).

Although the official public comment period lasted only 30 days, many others have pointed out key problems with the NSIC concept. The NSTIC proposal places no value on anonymity; indeed, it evinces an apparent lack of understanding of what anonymity really means. It takes for granted the need for authentication (if we pay in cash, why does a merchant, much less a common carrier or government agency, need to know anything about us other than that our money isn’t counterfeit?) and confuses a policy that purportedly restricts disclosure  of our identity with actual non-knowledge of our identity.  The former protects us from those who comply with their own policies, while the latter protects us from bad actors as well.  But in reality, many of the threats to our freedom come from those who can’t be counted on not to cross the boundaries of privacy “policy”, including those within governments. Actual anonymity, non-linkability of transactions and identities, and the ability of the system (and our anonymity) to survive capture of the “identity provider” and/or the government by malign interests should be key design criteria, but weren’t even considered.

The question now is what the White House and DHS will do with the response to their request for public comment on the NSTIC draft. In the online forum where the public could submit and vote on feedback and ideas for NSTIC, the single most popular suggestion was an anonymous one (no, we didn’t submit it, and we don’t know who did), “Decentralize further, don’t centralize”:

A single centralized identity is inherently less secure than a dozen identities because it creates a single point of failure. Once that identity has been compromised – which will certainly happen no matter what technological measures are taken to protect it because there will always be a user in the chain – an individual’s entire life will be open for hijacking…. This effort will be counterproductive at best and has the potential to cause problems that are orders of magnitude worse than current identity theft issues. And this is before even considering aspects that potentially compromise privacy, anonymous speech, free access to the devices that an individual has purchased, etc.

Instead of attempting to centralize identity, simply ensuring that current best practices are followed would vastly improve online security. Making authentication services responsible for all outcomes of a data theft would be a good first step, as well as outlawing EULA language that forfeits a user’s ability to hold such services responsible for technology failure that result in theft, downtime, and data loss. Providing incentives such as these, combined with increased enforcement, will force corporations large and small to work toward increasing security. There should also be an enforced decoupling of identity data; if one of a user’s accounts is compromised, it should not contain personal identity information like SSNs which would allow another of the user’s accounts to be compromised. Web-based authentication has no need to have access to such information and it should be kept in separate, firewall-divided databases as a matter of law, not just habit.

There was more in this vein from other commenters, such as this on “Multiple roles, multiple identities”:

I play many roles in life. Some associated with my work, some associated with a sports league, others associated with my hobbies. If I can easily get several identities, I can use a different one for each role that I play and the issue of a national identity becomes less of a problem. I don’t have to worry about my employer having a problem with views I have shared as an individual person.

There were also numerous calls for a lengthier public comment period and more explanation of the details of any plan before it is adopted.

We urge the White House and DHS to heed the public comments on the NSTIC draft and scrap this scheme for a single, centralized scheme for de facto mandatory online credentialing and identification.

Aug 02 2010

TSA says all their Standard Operating Procedures are secret

The TSA is still stonewalling our FOIA requests for their Standard Operating Procedures (SOPs), which we presume are among those that have been (illegally) sidetracked and delayed for review by DHS and other administration political commissars.

But after the Associated Press pried loose internal DHS e-mail messages confirming the delays in processing “politically sensitive” FOIA requests and the DHS Inpector General started asking questions, the TSA has responded to a request from Phil Mocek (some months older than ours) for the TSA Screening Management SOP.

Not, of course, that the TSA has actually disclosed any more information about its standard operating procedures. The TSA’s response to Mr. Mocek’s request consists of a blanket claim that the entirety of the Screening Management SOP is exempt from disclosure because it would “benefit those attempting to violate the law” (by exercising their rights?) and “be detrimental to the security of transportation” if disclosed.  Despite having released excerpts from an earlier version of the same document in response to one of our previous FOIA requests, and despite an unredacted copy of the entire document having been posted on a public Federal government website, the TSA now claims that no portion of the current version can be released.

Mr. Mocek’s request had been pending for more than a year before he received even this categorical denisal. In response to his periodic requests for information concerning the status of his request, he was told by the same TSA FOIA office staff who are handling our requests that  “processing” of his request was completed in January 2010, but that the response (i.e. informing Mr. Mocek that his request had been denied in its entirety) was delayed until July for “management review”. According to one e-mail message from the TSA to Mr. Mocek in February, “Your FOIA has been processed and is currently being reviewed by TSA management before a response can be sent to you.” This seems to indicate that Mr. Moceks’s request — and, we presume, our still-pending request for the same document — was subjected to the process of political review and illegal delay described in the documents released to the AP.

[We eventually received a response identical to that sent to Mr. Mocek, denying our request in its entirety.  We have appealed that denial.  To confirm whether our requests were among those improperly delayed or subjected to political scrutiny, we’ve filed new FOIA requests for the documents released to the AP and for all records of the processing of our previous FOIA requests and appeals.]

Jul 30 2010

Washington Post: “Secure Flight may be making your privacy less secure”

We’re quoted today in the Washington Post in a story by Christopher Elliott about how airlines are able to use personal information — collected under government duress for the TSA’s Secure Flight passenger surveillance and control scheme — for the airlines’ own marketing and other purposes.

“Could it be that the information we give airlines doesn’t belong to anyone or, worse, isn’t regulated by anyone?” Elliott asks.

A good question — and “privacy” may be the least of the problems with Secure Flight, as discussed in our testimony (quoted from, in part, in the Post story) at the TSA’s only public hearing on Secure Flight, our more detailed written comments submitted to the TSA, and our FAQ about Secure Flight.

Jul 30 2010

DHS plays politics with FOIA requests

The Associated Press reports that the Department of Homeland Security has been delaying responses to Freedom of Information Act (FOIA) requests — possibly including ours — while they are “reviewed’ by top political advisors:

[T]he Homeland Security Department detoured hundreds of requests for federal records to senior political advisers for highly unusual scrutiny, probing for information about the requesters and delaying disclosures deemed too politically sensitive….

The special reviews at times delayed the release of information to Congress, watchdog groups and the news media for weeks beyond the usual wait….

Political staffers reviewed information requests submitted by reporters and other citizens as a way to anticipate troublesome scrutiny. Days after the nearly catastrophic Christmas Day bombing attempt aboard a Detroit-bound airliner, they asked whether news media or other organizations had filed records requests about the attack.

[To confirm whether our requests were among those improperly delayed or subjected to political scrutiny, we’ve filed new FOIA requests for the documents released to the AP and for all records of the processing of our previous FOIA requests and appeals.]

Jul 27 2010

US but not UK gives travel “permission” for Iroquois lacrosse team

The good news: In one of the first tests of US rules purporting to forbid US citizens from crossing US borders without first obtaining US passports (issued at the government’s apparently standardless discretion), the US Department of State issued “one-time waivers” authorizing the “Iroquois Nationals” lacrosse team to leave the US (and presumably to return, although that’s not entirely clear from news reports) without carrying US passports.

The dispute arose because some Iroquois, like other Native Americans, have for many years used passports issued by their own tribes or nations.  Whether those passports were “passports” within the meaning of US law was largely irrelevant as long as passports were merely a convenience, not a requirement, for international travel.  Lacrosse was an Iroquois invention (for an introduction to the sport, see John McPhee’s essay last year in the New Yorker, “Spin Right and Shoot Left”, included in his latest anthology, “Silk Parachute”), and travel on Iroquois passports was and is especially significant for the Iroquois Nationals team, who compete on behalf of their own nation in international lacrosse tournaments.

While it was framed as a dispute over the sovereignty of the iroquois Confederations and/or the validity of Iroquois-issued passports, the US appears to have seen it purely as a question of whether native Americans who are also US citizens may leave or return to the US without US passports.

At first, the US had threatened to prevent the team from boarding flights to the UK for the international lacrosse championships. But without admitting either the “validity” of Iroquois passports (i.e. not whether they are genuine but whether they satisfy US requirement for exit or entry permits), or the invalidity of the passport requirements for US citizens, the US effectively backed down by granting the team “waivers” and, more importantly, saying that they would not interfere with their departure from the US.

This continues the pattern we have sen to date: We have yet to hear of a case in which the US government has actually prevented a US citizen from leaving or returning to the country on the basis of their not having, or declining to carry or display, a US passport. In every incident that has been brought to our attention, the US government has eventually indicated its willingness to stand aside from interference with departure from or return to the country without passports — although travel has sometimes been frustrated in other ways, such as refusal to give airlines permission to transport them. Presumably, the US government realizes that preventing its own citizens form leaving or returning to the country would be such a flagrant violation of international human rights law as to lead to diplomatic complications, even if it would be difficult to challenge on those grounds in US courts.

The bad news: After finally obtaining “permission” to leave the US without US passports, the Iroquois Nationals lacrosse team was denied visas by the UK — not on the grounds that their passports were invalid, or weren’t issued by a sovereign entity, but on the grounds that their passports don’t contain ICAO-standard “security” features required by the UK for visitors from the US.  It is, again, unclear from news reports what absent “features” were at issue, but they might have included machine-readability (OCR or RFID) or other aspects of formatting or data content.

Jul 23 2010

“The government shouldn’t decide who can fly”

In one of the first statements in the mainstream media to (a) recognize that the essential feature of the TSA’s Secure Flight program is the requirement for domestic US air travelers to receive government permisison to fly and (b) oppose that requirement, The Chicago Tribune has published an op-ed column by Steve Chapman (also appearing in Reason) arguing that, “The government shouldn’t decide who can fly”:

Get rid of the no-fly list entirely. For that matter, get rid of the requirement that passengers provide government-approved identification just to go from one place to another.

Americans have a constitutionally protected right, recognized by the U.S. Supreme Court, to travel freely. They also have the right not to be subject to unreasonable searches and other government intrusions. But in the blind pursuit of safety, we have swallowed restrictions on travel and infringements on privacy we would never tolerate elsewhere….

If the federal government began requiring every citizen to provide identification for each trip in a car or ride on a bus, there would be a mass uprising. Somehow, though, Americans have come to see commercial air travel as a privilege to be dispensed by the government.

Jul 09 2010

Australian government expanding air travel surveillance

Closely following the bad example (controversial both in the US and Australia) of the USA, the government of Australia is moving toward increasing detailed and integrated ID-based surveillance and control of air travelers.

As of the first of this month, under the so-called Enhanced Passenger Assessment and Clearance (EPAC) systems, Australian authorities have real-time access to all passenger name record (PNR) data for all passengers on all international flights to Australia.  And an additional A$24.9 million is being spent by the government over the next two years, in addition to uncounted amounts that airlines and other travel companies will have to spend, to expand the amounts of data collected by airlines and passed on to government agencies as well as the automated profiling (“risk assessment”) conducted on the basis of this data.

The changes and the heightened surveillance and control of travelers to Australia come at the same time that the European Union is simultaneously renegotiating agreements with Australia and the USA for government access to PNR data related to flights to and from the EU.

The Sydney Morning Herald quotes  the president of the Australian Council for Civil Liberties, Terry O’Gorman, as saying that the scheme “increases the risk of a person wrongly being put on a no-fly list.”

Jul 09 2010

Social networks, identity services, and national ID

Most of the reporting on last month’s conference on Computers, Freedom and Privacy (where we joined a panel on current hot topics in privacy) has focused on the issuance of a Social Network User’s Bill of Rights. That’s testimony to the importance of Facebook, but the implications extend even to those who aren’t currently users of Facebook or similar services.

As Brad Templeton has described it, “Facebook [is] mak[ing] a play to be the main provider of what is sometimes called ‘identity’ services on the internet,” with greater domination (monopolization?) of that niche than any previous provider of “single sign-on” services — even Microsoft.  If a third party wants to offer an online service that depends on a unique identifier, and doesn’t want to put the speed bump of needing to remember a separate user name and password or other identifier in front of customers, the default today has become to offer that service as a Facebook app, on the assumption that most potential users are already signed in to Facebook.  You can opt out of Facebook, but that option is a cop-out, not least because then you can’t use any of the other services that, as Facebook apps, rely on Facebook for their user ID and authentication.

Inherent in using Facebook for authentication is that Facebook itself, as the ID services provider, is aware of each ID-verification or authentication event involving any Facebook app, just as a credit bureau has a record of each time a third party has verified your ID or credit using their service. Facebook has a duty to its shareholders to monetize this information, if it can figure out a way to do so, and a legal duty to hand it over to the government in response to a court order.

Worse — and the deeper reason for this blog post — government agencies are increasingly turning to commercial ID services, if not yet to Facebook, as outsourced ID verification services for the provision of government services and the exercise of citizens’ legal rights.

Already the TSA is using an (illegal, but still in operation after more than two full years) ID verification scheme under which would-be airline passengers who decline to display acceptable government-issued credentials are required to “verify” their identity by asking them questions about the information contained in the records about them maintained by Choicepoint or Acxiom.  And the latest issue of Privacy Journal reports that the Social Security Administration is considering a similar system using questions and answers based on the records of commercial data aggregators as a way to “authenticate” individuals for online management of their Social Security accounts.

In such a world, your “identity” is what these companies say it is. Where do these private companies think you lived, and with whom, in a certain year, for example? An identity thief who has gotten your files may be more likely than you are to to know the “correct” answer.  And each time such a commercial service is used to verify your ID for government purposes, the service provider has a record of the transaction to add to its dossier about you, and use for whatever purposes it chooses.

At present, our use of one set of credentials or identifiers to pass through TSA checkpoints (if we choose to provide them), our checking our record of Social Security contributions, and many other dealings with government agencies are tracked separately, using (at least sometimes) separate identifiers. But as we discussed with representatives of the NO2ID, drawing on the UK example, and others at CFP, the more dangerous part of a national ID scheme isn’t necessarily the single national ID card (if any) but the reliance on a single identifier for multiple purposes, and the resulting ease of compilation of a database of transactions and events which are all linked to that ID even when they are carried out by different government agencies or third parties.  That’s just as much of a danger whether the monopolistic ID services provider is a government Ministry of Identity or if it’s Facebook, Acxiom, or Choicepoint.

Jul 06 2010

Lawsuit seeks suspension of TSA virtual strip-searches

Last year the Identity Project was one of more than 30 organizations that filed a joint petition with the DHS requesting a formal rulemaking on use of virtual strip-search machines or “body scanners”, then being referred to by DHS and TSA as “whole body imaging” machines and since re-euphemized as “advanced imaging technology”, as though the name itself could make them inherently more “advanced”.

In May of this year, after the DHS ignored our petition and moved forward with deployment of virtual strip-search machines without a formal rulemaking, we joined most of the same groups in filing a renewed petition for a formal rulemaking (including an opportunity for public comment) and for rescinsion of the rules requring submission to a virtual strip-search as a condition of passage through TSA checkpoints and travel by air common carrier.  We also filed a series of FOIA requests and appeals, which the TSA has to date ignored, for the TSA Standard Operating Procedures, screening-related directives to airlines, and other documents embodying the secret rules that include the virtual strip-search requirements.  We’ve also speculated about what legal recourse travelers denied passage on the basis of refusal to submit to a virtual strip-search might have, particularly in jurisdictions abroad where it would be easier than it is in the USA to raise issues of international human rights law.

This past Friday, July 2nd, the Electronic Privacy Information Center (EPIC) filed a federal lawsuit seeking to have the Court of Appeals for the District of Columbia review the TSA and DHS failure to conduct a formal rulemaking before deploying virtual strip-search machines and issue an emergency stay of the TSA/DHS decision to deploy and require them as a condition of passage through checkpoints and air travel.

The Identity Project was a party to the original petitions for rulemaking, and while we aren’t a party to the EPIC lawsuit, we fully support it.

As EPIC notes in its latest filings, even after September 11th Federal courts have upheld “administrative (warrantless, suspicionless) searches in airports only to the extent that they are limited to what is “necessary” — meaning that they are actually effective and are the least restrictive available means — to detect weapons and explosives. Even beyond the specific issue of virtual strip-searches, this lawsuit is likely to be significant in helping define the bounds of TSA authority to conduct ever more intrusive searches as a condition of common-carrier travel.

The petition filed in May by EPIC, the Identity project, and others stated that, “The undersigned file this petition pursuant to 5 U.S.C. § 553(e), which requires that ‘[e]ach agency shall give an interested person the right to petition for the issuance, amendment, or repeal of a rule.'”  Notwithstanding this explicit statement, the DHS and TSA responded with the bizarre claim that, for unspecified reasons, it did not constitute such a petition.  Unfortunately, that’s characteristic of the behavior of the DHS and TSA, which have repeatedly refused to acknowledge or docket our formal complaints and then falsely claimed, including to the US public and to foreign governments  that they have received no such complaints.

Jul 01 2010

Should the identities of petition signers be public?

We note with interest the recent decision in Doe v. Reed (No. 09-599), which marks the first time in a few years that the Supreme Court has directly (albeit somewhat uncertainly) addressed whether the government can permissibly require individuals to be publicly identified.  Leaving aside what the legal implications of the ruling may be, we think the case carries an important lesson about technology and identity policy.

The case concerned whether individual registered voters can sign petitions to place an initiative or referendum on the ballot without having their identities as signatories made public.

Since the right to vote without having it be made public for whom you have voted is considered fundamental to democracy, it might seem natural that you would be able to sign a petition to put Initiative I or Referendum R on the ballot without having it be a public record which such measure(s) you have endorsed.  But traditionally, the list of signatories for each individual ballot proposition has been considered a public record.

Why? The answer, we suspect, lies in the technological history.

Paper-based technologies have long made it possible to verify that each ballot is cast by a registered voter, and that only one ballot is cast by each voter, while making it impossible to identify, after the fact, which voter has cast any given ballot.  This isn’t rocket science. Even when you submit an absentee ballot by mail in a signed (outer) envelope, for purposes of verification of your entitlement to cast that ballot, the ballot itself is enclosed in a second, inner (anonymous) envelope.  Paper technology —  the envelopes — makes it easy to separate verification of eligibility to vote from identifiability of the individual ballots or votes with specific voters.

On paper, it’s harder to separate the validation of signatures and elimination of duplicates from the counting of signatures.  It could be done, through essentially the same techniques as are used for paper absentee ballots, but that would require a different system than the traditional petition with multiple signatures on each sheet.  There’s really no policy reason behind the public identification of signatories that we have come to take for granted as “natural”. Rather, the lack of any possibility for anonymous endorsement of petitions is a corollary of the technique and format in which signed endorsements for a petition are collected.

There’s a lesson here of wide applicability. Providing for anonymity requires effort.  It requires that the systems be designed to provide for the possibility of anonymity, and that authorization (Is this the signature of a unique registered voter?) be separated from identification (Which voters signed this particular petition?).  If that isn’t a design criterion from the start, it’s likely to be simpler to munge those functions together in ways that preclude anonymity.