Analysis of GAO report “Personal Information Data Breaches are Frequent”

gao-cover.jpg
(Excerpts from a letter to Mr. David Wood of the GAO. The complete letter is here.)
I am writing to you today to comment on your recent report, “Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown.” I found GAO’s report and its implied recommendations to be disappointing, and not representative of the usual high quality of GAO reports. This is, as you note, a difficult and challenging field in which to do research. As such, I am hesitant to criticize, and do so because of the esteem in which GAO reports are generally held. For ease of writing, I shall refer to GAO as “you.”

My concerns can be summarized as your analysis of the data fails to pursue important and possibly revelatory data to which the public does not yet have access, your selection of data sources lacks justification, you failed to consider (or discuss) alternate methodologies which may have resulted in different results, you make unjustified assumptions that companies can provide data, and you fail to identify systemic sources of bias in comments on which you rely. I will explain each of these concerns in order.

Failure to pursue important questions

You were charged with “identifying what is known about the incidence and circumstances of breaches of sensitive personal information” (page 3). In a set of paragraphs from page 12 through 17, you list incidence and circumstance, and fail to analyze commonalities between your data sources. You even fail to bring them together to draw attention to how disparate they are:

Source | Dates | # of Incidents
FBI | Unclear | 1,300 under investigation
Secret Service | 2006 | 327
House Government Reform Committee | Jan 1, 2003 - July 10, 2006 | 788
US-CERT | FY 2006 | 477
5 banking regulators | “past few years” | “several hundred”
FDIC | May 2005 - Dec 2006 | 194 at regulated institutions, 14 at third parties
Office of Thrift Supervision | April 2005 - Dec 2006 | 56 at regulated institutions, 72 at third parties
New York State | Dec 7, 2005 - Oct 5, 2006 | 225
North Carolina State | Dec 2005 - Dec 2006 | 91 affecting > 1,000 people
Educause survey | 2005 | 127.4 (26% of 490 respondents)
American Hospital Assoc. survey of 46 institutions | 2006 | 13 hospitals reported 17 breaches
Attrition | Not listed in GAO | 500+
Privacy Rights Clearinghouse | Not listed in GAO | 300+
All except Attrition and PRC | Jan 2003 - Dec 2006 | 3,688.4*
* Not rigorous; the sum ignores overlap between sources (see point 4 below).

This chart, in conjunction with your chart on page 26, indicates several facts, which I believe are critical to the answer to the question of “identifying what is known about the incidence and circumstances of breaches of sensitive personal information.” In particular:

  1. There is no authoritative central source of data. The best available data is kept by private research and advocacy organizations. There is no central clearinghouse to which data must be reported.
  2. The data varies widely between sources. As Chris Walsh pointed out in his paper on “Data on Data Breaches,” what you find depends strongly on where you look.
  3. Collection of this data is a substantial burden and effort, and distracts from the analysis phase of research. Much of the data is not available to the public, inhibiting analysis.
  4. GAO has an opportunity to analyze commonalities in the data and show us a standardized and normalized representation of the data. In my summation, I’ve added the numbers reported, excluding the “several hundred” reported by the five regulators, to get 3688. It seems likely that there is overlap between the reported breaches. We can also note that both the House Government Reform committee (HGRC) list and the FBI list are each larger than the publicly known information. However, we don’t know if the HGRC number is 311 larger than the CERT number because the HGRC period is longer, or if there are FY 2006 breaches reported to one but not the other.

To state critique #4 differently, we don’t know if the breaches covered in the reports are heavily overlapping or not. Do they more closely resemble possibility 1 or possibility 2?

gao-venn.jpg

We don’t know. Many people instinctively believe in #2. What we do know is the one time the experiment has been done (New York vs. the University of Washington dataset, derived from Attrition) the data looked a lot more like possibility 1. To effectively answer Congress’s question, we need the answer, and GAO has not provided it.
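The overlap question above can be put to a dataset directly: link the records of two breach lists on a normalized organization name and a date window, then compare the naive sum of the two lists with the number of distinct incidents. The following is an added example, not part of the original letter or of any GAO or Attrition data; the two lists are constructed here, and the stop-word list, the 30-day window and the one-to-one greedy linking are assumptions chosen for illustration.

```python
"""Record linkage between two breach lists to estimate overlap.

Constructed example data (not from any real breach database) that shows
how a naive sum over-counts when two lists describe the same incidents.
"""
import re
from datetime import date

# Tokens that vary between how sources name the same organization (assumption).
_STOP = {"inc", "llc", "corp", "corporation", "co", "n", "a", "na", "the", "of"}
_EXPAND = {"univ": "university"}  # abbreviation expansion (assumption)


def normalize_org(name):
    """Lower-case, strip punctuation and corporate suffixes, expand abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    tokens = [_EXPAND.get(t, t) for t in tokens if t not in _STOP]
    return " ".join(tokens)


def link(list_a, list_b, window_days=30):
    """Greedy one-to-one linking: a record in A matches the first unmatched
    record in B with the same normalized org and a date within the window."""
    pairs = []
    used_b = set()
    for i, ra in enumerate(list_a):
        key_a = normalize_org(ra["org"])
        for j, rb in enumerate(list_b):
            if j in used_b:
                continue
            same_org = key_a == normalize_org(rb["org"])
            close = abs((ra["date"] - rb["date"]).days) <= window_days
            if same_org and close:
                pairs.append((i, j))
                used_b.add(j)
                break
    return pairs


def overlap_summary(list_a, list_b, window_days=30):
    """Naive sum vs. distinct incidents (inclusion-exclusion over linked pairs)."""
    pairs = link(list_a, list_b, window_days)
    intersection = len(pairs)
    naive_sum = len(list_a) + len(list_b)
    union = naive_sum - intersection
    return {
        "naive_sum": naive_sum,
        "intersection": intersection,
        "distinct_incidents": union,
        "jaccard": intersection / union if union else 0.0,
        "only_in_a": len(list_a) - intersection,
        "only_in_b": len(list_b) - intersection,
    }


# Constructed sample lists: a state-regulator list and a media-derived list.
LIST_A = [
    {"org": "Acme Bank, N.A.",         "date": date(2006, 3, 10)},
    {"org": "Univ. of Example",        "date": date(2006, 5, 2)},
    {"org": "Example Hospital Corp",   "date": date(2006, 6, 15)},
    {"org": "Widget Retail Inc",       "date": date(2006, 8, 20)},
    {"org": "Northside Credit Union",  "date": date(2006, 9, 1)},
    {"org": "Tiny Dental LLC",         "date": date(2006, 10, 11)},  # small; state-only
]
LIST_B = [
    {"org": "ACME Bank",               "date": date(2006, 3, 12)},
    {"org": "University of Example",   "date": date(2006, 5, 4)},
    {"org": "Example Hospital",        "date": date(2006, 6, 16)},
    {"org": "Widget Retail",           "date": date(2006, 8, 25)},
    {"org": "Big Data Broker Inc",     "date": date(2006, 4, 1)},    # media-only
    {"org": "Megacorp",                "date": date(2006, 11, 30)},  # media-only
]

if __name__ == "__main__":
    for k, v in overlap_summary(LIST_A, LIST_B).items():
        print(f"{k}: {v}")
```

On the constructed lists the naive sum is 12 while only 8 distinct incidents exist, which is the "possibility 1" picture; a Jaccard near zero would be "possibility 2." The same linking run over real lists is how the New York versus Attrition-derived comparison mentioned above was done, and the window and normalization rules are the parameters a researcher must state for the result to be reproducible.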

I believe that a fair answer to the question would have pointed out these issues.

Unjustified data selection.

Starting from the highlights, you state that you examine the 24 largest breaches reported in the media from January 2000 through June 2005. You do not justify this selection. We have reason to believe that the largest breaches are not all reported in the media. (Analysis by Chris Walsh showed that 3 of the 5 largest breaches reported to the State of New York were not in the Attrition or Privacy Rights Clearinghouse databases on which you relied.)


You do not justify your selection of the largest breaches. We have no reason to believe that the largest incidents have the same likelihood of identity theft, and there are reasons to believe that they will show a lower incidence. In particular, several of the largest incidents involve loss of backup tapes, which are likely sitting misplaced in Iron Mountain and UPS warehouses rather than in criminal hands. Some of the others may have been “trophy hunting” by hackers, where, rather than taking the data for profit, they were attacking for reasons of prestige.

A more reasonable methodology might have been to randomly select incidents from the data sets, or to investigate the largest and a random sample, in order to identify if biases (perhaps accounted for by the hypothesis above) were present.

You do not justify the size of your sample set. As you identified, there were at least 572 publicly reported incidents in your time sample (page 11). You examined 4.2% of these, and have no comment on how your sample size was selected.

Alternate methodologies possible

You fail to justify your decision to start from data breaches. An alternative investigative methodology would have been to select a set of victims reporting ID theft to the FTC, FBI, or other source of criminal data, and trace those reports back to their source as best as could be done. This has a challenge in that (as you note) many of the victims of identity fraud do not know how they were victimized. GAO could have presented a list of known breaches to these individuals, and looked for correlations, or considered only the known cases.

Unjustified assumption that companies can supply data

There is an assumption that breached organizations are notified of identity theft by their customers. This assumption shows strongly on page 5, where you write, “available data and interviews with researchers, law enforcement officials and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft.” However, there are several assumptions here. First is that a company that has suffered a breach would be told by a consumer that that consumer has suffered identity theft. Consumers have little motivation to do so, and so looking to companies as a source of data is, at best, a partial answer.

Failure to identify commenter biases

Even if a call center representative at a breached company were told that a customer had suffered identity theft, the call center computers likely have no way to record that information. Modern call centers are expensive to run, and are often run from ‘scripts’ and ‘trees.’ If these trees have not been updated, even a company that had been notified of issues might not have captured and analyzed that information. Even if a company has captured and analyzed that information, it is likely being treated as highly sensitive in conversations with attorneys in order to contain liability. It is unlikely to be shared with industry association representatives, at conferences, etc. The information is likely to be kept close to the chest. Finally, even if the representatives with whom you spoke were aware of fraud, they might be biased against sharing that with you. They are likely aware that Congress is considering further regulations, and may be eager to sweep evidence of the breadth of the problem under the rug, to avoid further regulation.

As a final note before I conclude, you imply that notifications are expensive and complex, and seem to endorse a ‘reasonable likelihood of harm’ standard (although you do not come out and say so). Before you endorse such a standard, I would urge you to pay close attention to the difficulty that that would cause banks (as you cover on page 35). Absent more and better data on the relationship between breaches and fraud, it will be hard to figure the odds of fraud. The best way to get information on the relationship is to expand the datasets available to all researchers to allow and encourage research. A ‘reasonable likelihood of harm’ standard will prevent us from crawling out of the mess that we’re in today.

In conclusion, your failure to pursue important questions about the nature of the data, your failure to justify your data selection or sample sizes, your failure to explain your choice of methodologies in the presence of alternatives, and your assumptions that companies have the data you wanted, and would, unbiased, provide it, cause this report to be deeply flawed, and create a worrisome possibility that anyone relying on it would come to erroneous conclusions.

I would urge you to update your research to take these concerns into account. In the future, I would be happy to work with you on this subject, which I believe to be of considerable import.

[Updates: html typos]

Wretched Term of the Week: Best Practice

BestPractice.jpg

This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate, misleading, and self-defeating. Here’s why:

  1. Best is a superlative. By using it, one implies that there is a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are known for asking probing questions like “What’s your threat model?” or “What goal do you wish to achieve?” Different goals yield different practices.

    Shortly after 9/11, some physical security people I know put some physical security plans in place that many people, including me, sneered at. Harumph, harumph, it doesn’t actually improve security. It’s there just to look like you’re doing something. Some time later, one of them took me quietly aside and told me that the reason they did it was to lower insurance costs. If you’re faced with your insurance bills going up by a million bucks and you can avert that with fifty grand of security theatre, out comes the greasepaint and tap shoes followed shortly by an amateur production of songs from Chicago.

  2. Something that is best doesn’t actually have to be good. If you’re faced with having to choose between a number of bad alternatives, you still look for the best. But best implies good. Admittedly, using best allows you to weasel out of the fact that the decision sucks. In such a dilemma, least bad is better than best because it’s honest.
  3. A superlative implies that it cannot be surpassed. That makes it hard to replace a best practice with one even better. Smart people know that best is always within context and often the life of it being superlative is shorter than the implementation time. But that word works in favor of the clichpoop with the budget. Why set yourself up to be on the defensive?

What do you say, then? Parker recommended “Good Practices,” but noted that many best practices need improvement before they can get to good. This is the problem — we’re always having to do things that may not be quite so good. Grading on the curve is an old technique, and the same budget holder who will question improving a best practice may not appreciate honesty. Some organizations use “Best Current Practices,” which manages to keep from tacitly chiseling them in stone, but still keeps the superlative, and I believe that the superlative is a problem. I think I can count practices that are truly best on one hand once they get more complex than, “look both ways before crossing the street” or “cook the popcorn for only two minutes.”

I recently heard Stephen R. Katz, another pioneer of computer security — the world’s first CISO, mention the same peeve and suggest the term “Standard Acceptable Practice.” The great thing about a term like “Standard Acceptable Practice” is that no one is going to disagree with either, “We have to get this organization to follow Standard Acceptable Practices,” or “We need to improve our Standard Acceptable Practices.”
Photo by andai.

Emergent Chaos and Pirates

young-pirates.jpg

… pirate ships limited the power of captains and guaranteed crew members a say in the ship’s affairs. The surprising thing is that, even with this untraditional power structure, pirates were, in Leeson’s words, among “the most sophisticated and successful criminal organizations in history.”

Leeson is fascinated by pirates because they flourished outside the state—and, therefore, outside the law. They could not count on higher authorities to insure that people would live up to promises or obey rules. Unlike the Mafia, pirates were not bound by ethnic or family ties; crews were as remarkably diverse as in the “Pirates of the Caribbean” films. Nor were they held together primarily by violence; while pirates did conscript some crew members, many volunteered.

Mmmmm, chaos and emergent rules that work. Who’da thunk?

Read about pirates in the New Yorker.

Photo: “Tom Ironlocks, Sam Hawkeye and Wilde Oskar posing,” by larsst.

You can’t change your fingerprint

fingerprint.jpg

One of the most useful things you can do to protect your passwords is to change them regularly. This bounds the effect of many attacks which obtain your password, by various cracking techniques or by mistakenly entering it in the wrong place. After you’ve changed your password, the old one doesn’t do any good. This doesn’t help if you’re worried about spyware or a compromised server sharing your password, but it does help in many cases, and is the origin of many password change policies.

However, in cases where your finger is used to identify or authenticate you, it’s much harder to change your password. To date, we haven’t seen open market sales of biometric information captured by private sector companies like Disney or Seaworld, but Bob Sullivan identifies a case where a Disney “contractor [was] caught trying to sell Disney data:”

An employee who works for the company that processes Disney Movie Club transactions was caught trying to sell customer credit card information, Disney told its customers this week. The story echoes an incident revealed by Fidelity National Information Services earlier this month.

Now, we know about this because it was credit card data. If it was your fingerprints, you’d be entirely out of luck, and you wouldn’t even know it.

Photo: PartyPig’s password, on Flickr. I think he has a different title.

What If The Hokey Pokey Is What It’s All About?

I’ve always thought that folks in operations security and product security had a whole lot to learn from each other. Unfortunately for the product security people, they now also get to learn about the pain of vendors swooping down on them trying to sell them the latest and greatest crap.
Last night, Mary Ann Davidson shared her spot on opinion of automated testing tools. Her post (go read it now) can be best summarized by this paragraph:

If you are scratching your head saying, “But didn’t you rhapsodize over automated tools in a previous blog entry?,” you are right, I did. But there is a big difference between “this tool helps us do good things in security as one among many good things to do” and “this tool is a substitute for all the other things you need to do to create secure products.”

As operational folks have had the joy of learning over and over again, there are no silver bullets. Firewalls didn’t do it (either as network or host based devices), IDS didn’t do it, IPS isn’t that much of an improvement, and AV is only helpful after the fact. Are all these useful as part of a larger strategy? Yes, but only as part of one.
It’s all about defense in depth, and it doesn’t matter if we’re talking about product security, physical security or operations security. There is no magic button and there are no silver bullets. Don’t believe the hype.

Pseudonyms In The News

ABreadHo.jpg

The Wall Street Journal reports that the CEO of Whole Foods, John Mackey, posted on the Yahoo! Finance board for Whole Foods under the pseudonym Rahodeb, which is an anagram of Mackey’s wife’s given name. (It’s also an anagram of “A Bread Ho,” but since the WSJ doesn’t stoop to that sort of cheap joke, it falls upon me.)

Rahodeb apparently posted prolifically for eight years, quitting last August. While some people are clucking their tongues at this, it seems that if a CEO is going to natter about his own company, it’s okay if we’re all surprised that it was him when he’s outed.

Mackey says in his defense that he did a lot of trolling. “The views articulated by rahodeb sometimes represent what I actually believed and sometimes they didn’t. Sometimes I simply played ‘devil’s advocate’ for the sheer fun of arguing. Anyone who knows me realizes that I frequently do this in person, too.” For example, when someone on the board made fun of Mackey’s haircut, Rahodeb said, “I think he looks cute!”

His final defense at any tongue-clucking comes from the circumstances under which he stopped posting as Rahodeb. He made a bet with Hubris12000 about the performance of Whole Foods stock, and that bet required that he stop posting if he lost. I think we’ve all seen web boards with both Rahodeb and Hubris12000 and didn’t know which side to cheer for.

Full disclosure: “Mordaxus” is an anagram of “Doxmursa” which is thankfully not my SO’s name. “Pseudonym” is an anagram of “Does my pun?” which is ungrammatical, but an interesting question nonetheless.

Photo “This Bread is Such a Ho” courtesy of Jason and Heather.

Wretched Word of the Week: Killer

ferrari-killer.jpg

The word “killer” gets used in two wretched ways. The first is Killer Application, and the second is product-killer. They’re each wretched in their own special way. It’s not only cliché to use each term, but in using it, you are nearly guaranteed to be wrong.

The original killer application was Lotus 1-2-3. It was the killer application because it was the application that made early PCs desirable to large numbers of businesspeople with budgetary authority. They bought 1-2-3, and the PC was a means to that end.

Arguably, there hasn’t been another killer application since Lotus. All the ones I think of are diminished in scope. Killer applications are things that appear once in a very long while, and appear when the underlying thing they promote is immature. I can make the case for some uses of the term. It’s been said (and I have said) that email is the killer application of the Internet. Certainly, many people got on the Internet (or stayed on it) because of email, even more than web browsing, even though web browsing gets all the press. One could argue that TiVo was the killer app for satellite TV, or for something. There’s an old MIT saying that if you change something quantitatively by an order of magnitude, you change it qualitatively as well. I think that TiVo (and its brethren like Replay) is the VCR so improved that it’s a new thing.

Nonetheless, killer applications are a once-in-a-generation thing. If you see an article that asks, “Will Foo be the Next Killer App?” the answer is almost certainly no. Killer apps are like porn and art. You know one when you see it. If you have to ask, it’s not going to happen — or perhaps it’s better for me to say that betting against is the smart bet.

The second wretched use of “killer” is the product-killer. I’ve been sitting on this post for a couple weeks waiting for someone to write some article about an iPhone-Killer, and Michael Calore of Wired News wins the prize for his, “The $300 Linux-Powered ‘iPhone Killer’ Arrives.”

Mind you, I’m as sick of iPhone hype and anti-hype as the next person, and I think that OpenMoko is pretty cool. However, an OpenMoko phone is no more of an iPhone-killer than a different Lotus, the Caterham 7, is a Ferrari-killer. It’s not an insult to the Caterham to say it’s not a Ferrari-killer. It’s no insult that OpenMoko is no iPhone-killer.

Like the Ferrari, the iPhone can’t live up to its reputation and generates a counter-reputation.
But just as importantly, the sort of people who want a Caterham are in general not the same sort of people who lust after Ferraris. The fun workhorse for people who take as much joy in the tinkering as the actual use has a different aura, no less powerful than glitz, but different. Let’s face it, the sort of people who would buy an OpenMoko phone are in general not the sort of people who want an iPhone.

We would expect of sports car columnists that they could tell the difference between a Caterham and a Ferrari. I don’t think it’s unreasonable to expect a technology columnist to be able to tell the difference between a cool Linux kit-phone and an iPhone.

Despite the headline, Calore can tell the difference. He gives you an honest assessment of the gotchas:

Keep in mind that this unit (the GTA01) was pushed out early so developers could begin writing device drivers, custom GUIs and some cool apps for the phone. The next revision (GTA02), which will be available starting at $450 in October, will be ready for the mass market. It will have wi-fi, 3-D motion sensors and added graphics accelerators. So this phone isn’t exactly an iPhone killer — the next one will be a contender. AptUsTech has a nice comparison of the NEO 1973 and the iPhone.

If you go look at the comparison, there are a number of techno-lust disappointments for an iPhone-killer. The OpenMoko phone has a GPS and twice the pixels of the iPhone, but no camera, no accelerometer, no WiFi, a CPU running at less than half the speed of the iPhone’s, and a piddling 64MB of flash. Yes, it takes a microSD card, but give me a break! The suffix “-killer” has been used, and I expect to say, “oh, never mind,” not merely look at a “contender.” Yes, many things are coming in the next version of the OpenMoko, but this is comparing apples to orange futures.

(Also note that it isn’t exactly $300, either. The OpenMoko people have executed a sweet marketing coup in making a $300 base model that no one in their right mind would want so they can stress the low price.)

Now, in Calore’s defense, he said in his article that it’s not a killer. In short, the headline is — well — a lie. It isn’t exactly an iPhone-killer, and he’s one of the few people to point out that it isn’t exactly $300.

In more of his defense, I’m quite sure that the real guilty party here is the editor who took his article that says, “isn’t exactly an iPhone-killer” and pointed out that the phone you really want is going to be delivered in a few months for $450, and then created an attention-getting but false headline on it. Let’s face it, when you try to be nice to some cool little guys while keeping your journalistic integrity and that smacks up against ad revenue, guess which one wins?

And that is why, Gentle Reader, we should shun terms like -killer. It’s cliché, and so cliché that its negation gets twisted into the positive. I don’t know why it is that editors have a predilection for this, but it’s happened to me, too. Write something saying that the sky is blue, and you’ll see the headline saying the sky is green. All you can do is shrug and resolve to write better.

Photo of a Ford GT40 by dacorsa.net, and selected because I found it searching for “Ferrari Killer.”

The Greek Wiretapping Scandal

handset.jpg

“The Athens Affair” is the story all the cool security bloggers are talking about. Now, when Matt Blaze, Bruce Schneier and Steve Bellovin all chime in, it makes life hard for us little guys. I mean, what can I say that they haven’t?

Building facilities for wiretapping is dangerous? Covered. Logging is important? Covered.

Hah-ha! I have an angle! Longtime readers will be shocked to discover that this…is a security breach we’re talking about. And I’m fascinated by security breaches, especially when we get to talk about them. Now, Greek law doesn’t require disclosure, and as Chris pointed out in “Data on Data Breaches,” small breaches are less likely to hit the press than big ones. So we’re pretty lucky to know about this. We’re even luckier that this caught the eye of the legislature, and details came out, which the authors read through, analyzed and summarized for us.

More seriously, I’d like to respond to this line in the IEEE Spectrum article:

It’s also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.

Excuse me? Major network penetrations are exceedingly uncommon? I’ll accept that documented evidence of major network penetrations, or of attacks this sophisticated* are uncommon. However, absence of evidence is not evidence of absence.

This is, I think, an important point. The story we see is fascinating, but we lack context. Listening to people at security conferences, claims of major network penetrations are exceptionally common. Now, I’ll fully admit that the sweep-it-under-the-rug club would have you believe that everything is fine. Me, I think we need more evidence, more data, and more context. We’re starting to get it through privacy breach laws.

* By ‘this sophisticated,’ I’m referring to the (apparent) creation of a custom rootkit for Ericsson phone switches.

Whose Line Is It Anyway?

For quite a while now, I’ve been claiming that in order for InfoSec to do its job properly, it needs to understand the business. Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: “Risk Decision Making: Whose call is it?” There he shares his thoughts on how to decide whether the Information Security team should be making information risk decisions for a company or whether that should come from upper management. True to form, Jack clearly lays out the issue (complete with great graphs). Read the entire post, because it’s really worth it. In particular though, check out the things to consider section:

The simple fact is, security leadership will never know as much about the business-related elements at the top of the illustration, and business management will never know as much about the risk elements at the bottom. Consequently, if security is empowered to make the major decisions, then they need to spend the time and effort to learn as much as they can about the business-related elements. On the other hand, if business leadership is making the major risk decisions, then security must provide clear, unbiased, and useful information so that the decisions are well informed.

I don’t disagree with Jack in the least. However, it’s important to realize that even if we’re dealing with that latter scenario, security still needs to know a whole lot about the business, or they can’t possibly articulate the correct information in a way that senior management can understand.
And if the above rationale isn’t good enough on why you as a security professional need to understand the business, try this on for size:

A decision-maker will to some degree ALWAYS apply his or her own personal risk tolerance to a decision. Consequently, if security leadership has been empowered to make major risk decisions, they should try very hard to be as aware as possible of business management’s risk tolerances. If security leadership isn’t careful on this, then they will, invariably, run into issues where business management doesn’t support security’s decisions. And if the misalignment is bad enough (and I’ve both witnessed this and come close to having it happen to me – long ago) then it can become a “terminal” condition. At the very least it makes the waters far choppier than necessary.

It’s about more than identity theft

astroglide.jpg
Over at his blog, Alex Hutton responds to my claim that data breaches are not meaningful because of identity theft, saying that “Compliance to External Risk Tolerances (PCI) and Government Breach Reporting Laws *DO* make it significantly about Identity Theft.” (“The ‘Insider Statistic’, Good Data, & Risk.”) Alex’s main point is that it’s not insiders, but:

At RMI, we’re no longer surprised when, in incidents we study using FAIR, the sum of probable loss due to Fines & Judgments far exceeds the sum of all other 5 forms of loss an organization can incur (productivity, response, replacement, competitive advantage, and reputation).

Meanwhile, in “Astroglide data loss could result in $18 Million Fine,” Chris Soghoian discusses some clever targeted attacks that could be carried out with the astroglide data. These aren’t obvious (to me), but one of the unfortunate things about criminal innovation is that it spreads.

Now, what interests me about these two posts is that I think they’re both correct. Astroglide’s risk is really from fines. But the risk to Astroglide’s prospective customers isn’t the same. There’s a potentially large externality imposed here, and because they haven’t been notified, Astroglide’s prospective customers are at greater risk.

So, once again, data breaches are not meaningful because of identity theft. They may be relevant to the executive suite today for that reason, but there’s more there there.

The image is a Yahoo Maps map of San Francisco residents who took advantage of the Astroglide offer.

Electronic data: you can sell it and have it

Mike Rothman has the unmitigated temerity to go on vacation and deprive me of his daily rant^H^H^H^Hincite, but not before remarking on the Certegy data loss incident:

So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy’s president gets interviewed and says because the data was sold to brokers and direct marketers, the information isn’t at risk?!?!?

Now, I trust data brokers and direct marketers as much as anyone, but when information is obtained illegally (as this information is said to have been), what assurance is there that the thief won’t sell it to anyone who will pay the price, not just nice people who will pay the price?
It’s not like this is some guy fencing a stolen TV set.

In Congress Assembled, July 4, 1776

declaration-of-independence.jpg

In CONGRESS, July 4, 1776

The unanimous Declaration of the thirteen united States of America,

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

He has refused his Assent to Laws, the most wholesome and necessary for the public good.

He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.

He has refused to pass other Laws for the accommodation of large districts of people, unless those people would relinquish the right of Representation in the Legislature, a right inestimable to them and formidable to tyrants only.

He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records, for the sole purpose of fatiguing them into compliance with his measures.

He has dissolved Representative Houses repeatedly, for opposing with manly firmness his invasions on the rights of the people.

He has refused for a long time, after such dissolutions, to cause others to be elected; whereby the Legislative powers, incapable of Annihilation, have returned to the People at large for their exercise; the State remaining in the mean time exposed to all the dangers of invasion from without, and convulsions within.

He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.

He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.

He has made Judges dependent on his Will alone, for the tenure of their offices, and the amount and payment of their salaries.

He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people, and eat out their substance.

He has kept among us, in times of peace, Standing Armies without the consent of our legislatures.

He has affected to render the Military independent of and superior to the Civil power.

He has combined with others to subject us to a jurisdiction foreign to our constitution and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For Quartering large bodies of armed troops among us:

For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us, in many cases, of the benefits of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies:

For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

For suspending our own Legislatures, and declaring themselves invested with power to legislate for us in all cases whatsoever.

He has abdicated Government here, by declaring us out of his Protection and waging War against us.

He has plundered our seas, ravaged our Coasts, burnt our towns, and destroyed the lives of our people.

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation and tyranny, already begun with circumstances of Cruelty and perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

He has constrained our fellow Citizens taken Captive on the high Seas to bear Arms against their Country, to become the executioners of their friends and Brethren, or to fall themselves by their Hands.

He has excited domestic insurrections amongst us, and has endeavoured to bring on the inhabitants of our frontiers, the merciless Indian Savages, whose known rule of warfare, is an undistinguished destruction of all ages, sexes and conditions.

In every stage of these Oppressions We have Petitioned for Redress in the most humble terms: Our repeated Petitions have been answered only by repeated injury. A Prince whose character is thus marked by every act which may define a Tyrant, is unfit to be the ruler of a free people.

Nor have We been wanting in attentions to our British brethren. We have warned them from time to time of attempts by their legislature to extend an unwarrantable jurisdiction over us. We have reminded them of the circumstances of our emigration and settlement here. We have appealed to their native justice and magnanimity, and we have conjured them by the ties of our common kindred to disavow these usurpations, which, would inevitably interrupt our connections and correspondence. They too have been deaf to the voice of justice and of consanguinity. We must, therefore, acquiesce in the necessity, which denounces our Separation, and hold them, as we hold the rest of mankind, Enemies in War, in Peace Friends.

We, therefore, the Representatives of the united States of America, in General Congress, Assembled, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by the Authority of the good People of these Colonies, solemnly publish and declare, That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor.

The signers of the Declaration represented the new states as follows:

New Hampshire

Josiah Bartlett, William Whipple, Matthew Thornton

Massachusetts

John Hancock, Samuel Adams, John Adams, Robert Treat Paine, Elbridge Gerry

Rhode Island

Stephen Hopkins, William Ellery

Connecticut

Roger Sherman, Samuel Huntington, William Williams, Oliver Wolcott

New York

William Floyd, Philip Livingston, Francis Lewis, Lewis Morris

New Jersey

Richard Stockton, John Witherspoon, Francis Hopkinson, John Hart, Abraham Clark

Pennsylvania

Robert Morris, Benjamin Rush, Benjamin Franklin, John Morton, George Clymer, James Smith, George Taylor, James Wilson, George Ross

Delaware

Caesar Rodney, George Read, Thomas McKean

Maryland

Samuel Chase, William Paca, Thomas Stone, Charles Carroll of Carrollton

Virginia

George Wythe, Richard Henry Lee, Thomas Jefferson, Benjamin Harrison, Thomas Nelson, Jr., Francis Lightfoot Lee, Carter Braxton

North Carolina

William Hooper, Joseph Hewes, John Penn

South Carolina

Edward Rutledge, Thomas Heyward, Jr., Thomas Lynch, Jr., Arthur Middleton

Georgia

Button Gwinnett, Lyman Hall, George Walton

Image: Washington’s copy of the Declaration of Independence, from the Library of Congress.

PET Award

For the last several years, Microsoft has worked with the Privacy Enhancing Technologies community to support a prize for the best work done in the field. I’ve been involved as a member of the selection committee, but when I joined Microsoft, I stepped away from that. It’s important to us that the prize is independent. This year, I MC’d a short ceremony, in which we announced that the award went to

“Security Analysis of a Cryptographically-Enabled RFID Device,” by Steve Bono, Matthew Green, Adam Stubblefield, Avi Rubin, Ari Juels and Michael Szydlo. (USENIX Security Symposium, July-August 2005)

Michael Szydlo was on hand to accept the award. The nice crystal is provided by the Ontario Privacy Commissioner’s office.

Caspar Bowden, chief privacy advisor for Microsoft Europe, Middle East and Africa, says, “Any peer-reviewed paper published in the preceding year is eligible for nomination for the PET Award. We wanted to support a prize that was judged by leading privacy technologists, for leading privacy technologies. It’s a great way for the best researchers from a variety of fields within privacy research to recognise and support the exceptional technical work of their peers.”

The press release is “Microsoft Helps to Promote Privacy With Award Sponsorship.”