Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global ,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online.

That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they are prohibited, not bad in themselves. It’s important if we want to export freedom of speech and freedom from self-incrimination, to push for an international norm of limiting the powers of governments, not of people. Of course, since the main way that the international reach of governments is limited is through treaties negotiated by, umm, governments, I don’t expect a lot of that soon.

Not to mention the creation of fake Facebook accounts by Iranian intelligence.

But most interesting is this:

Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran’s airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.


One 28-year-old physician who lives in Dubai said that in July he was asked to log on to his Facebook account by a security guard upon arrival in Tehran’s airport. At first, he says, he lied and said he didn’t have one. So the guard took him to a small room with a laptop and did a Google search for his name. His Facebook account turned up, he says, and his passport was confiscated.

Caster Semenya, Alan Turing and “ID Management” products

caster-semenya-cover-girl.jpgSouth African runner Caster Semenya won the womens 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony.

There are reports that:

Two Australian newspapers reported Friday that gender tests show the world champion athlete has no ovaries or uterus and internal testes that produce large amounts of testosterone. … Semenya is hardly alone. Estimates vary, but about 1 percent of people are born with abnormal sex organs, experts say. These people may have the physical characteristics of both genders or a chromosomal disorder or simply ambiguous features. (“When someone is raised female and the genes say XY,” AP)

For more on the medical end of this, see for example the “Consensus statement on management of intersex disorders” in the Journal of the American Academy of Pediatrics.

The athletics associations rules don’t cover all of these situations well. The real world is far messier and more complex than most people have cause to address. There are a great many apparently simple things that are really complicated as you dig in.

What the sports associations and news media are doing to Semenya is reprehensible. (There are over 10,000 stories listed on Google News, versus 13,000 for Derek Jeter, who just broke a Yankees record.) She didn’t come into running knowing that she had no ovaries. Having to deal with the identity issues that her testing brings up under the harsh light of the entire world (including me) is simply unfair.

It’s unfair in almost the same way as the British government’s treatment of Alan Turing, the mathematician who Time named one of the 100 most important people of the 20th century for his fundamental work on computers and cryptanalysis. Turing was also a convicted homosexual who committed suicide because of his “treatment” with estrogen, which caused him to become impotent and to develop breasts.

This week, Gordon Brown issued an apology entitled “Treatment of Alan Turing was ‘appalling’:”

While Turing was dealt with under the law of the time and we can’t put the clock back, his treatment was of course utterly unfair and I am pleased to have the chance to say how deeply sorry I and we all are for what happened to him. Alan and the many thousands of other gay men who were convicted as he was convicted under homophobic laws were treated terribly. Over the years millions more lived in fear of conviction.

I am proud that those days are gone and that in the last 12 years this government has done so much to make life fairer and more equal for our LGBT community. This recognition of Alan’s status as one of Britain’s most famous victims of homophobia is another step towards equality and long overdue.

Sports officialdom and state governments are different. Sports are voluntary associations, although athletes have little influence on the choices of international sports functionaries. Either way, watching the chaotic world crash onto the inflexible bureaucracies is tremendously frustrating to me.

As more and more of the world is processed by Turing Machines, assumptions that seem obvious to the programmer are exposed harshly at the edges. A friend with a Juris Doctorate recently applied for a job online. The form had a field “year you graduated from high school” that had to be filled out before she went on. Trouble is, she never did quite finish high school. She had the really relevant qualification-a J.D. from a good school. But she had an emotionally wrenching choice of lying on the form or not applying for the job. She eventually chose to lie, and sent a note to the HR people saying she’d done so and explaining why. I doubt the fellow who wrote that code ever heard about it.

I have a challenge to anyone involved in creating an online identity management system: How well does your system handle Semenya?

The typical answer is either that “that’s configurable, although we don’t know if anyone’s done exactly that” or “she’s an edge case, and we deal with the 95% case really well.” If you have a better answer, I’d really like to know about it. And as a product guy, those are likely the decisions I’d make to ship.

I’ll close by echoing Brown’s words: We’re sorry, you deserve so much better.

ID Theft Risk Scores?

A bunch of widely read people are blogging about “ Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.”

First, there’s little explanation of how it’s working.

I got a 240 when I didn’t give them my SSN, and my score dropped to 40 when I submitted my SSN. [Editor’s note: Huh? Giving out your SSN lowers your risk of ID theft? That seems an odd message.]

Everybody talks about identity fraud, but nobody does anything about it. This does something about it – specifically, it will help stop the worrying on the part of people who don’t need to. And it will give people who should worry a few things to do to get their situation under control. The more that can be done to demystify identity fraud, the better – and the less likely there will be unwise legislation and regulation that ultimately harm the interests of consumers.

In “What is My ID Score?” there’s some explanation:

My ID Score is a statistical score that’s based on technology currently used by leading communications, financial services, retail companies, healthcare providers, government agencies, and consumers to assess your risk of identity theft. These companies use ID Analytics’ scoring technology to ensure that fraudsters do not apply for goods and services in an innocent consumer’s name

So I think this is not really your ID theft risk, but the perception that their software has. To put it another way, it’s the trouble someone is likely to experience when they try to open a new account in the name you’re giving

When you put someone’s information in, they ask you a bunch of questions about them, like “which of these phone numbers have you used?” It’s not clear how well that works when the attackers can access the same databases through their breaches.

(This didn’t post when I wrote it, so its old news, new analysis.)

The Cost of Anything is the Foregone Alternative

The New York Times reports:

At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the 1988 bombing of Pan Am 103 over Lockerbie.

It’s long been a truism of economics that the cost of anything is the foregone alternative. In this case, a huge amount of our air travel security spending goes into ensuring that you can’t fly if your name and ID don’t quite match (looking at you, Jim), rather than preventing convicted terrorists from getting aviation licenses.

UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “
Clear Shuts Down Registered Traveler Lanes

Clear collected a lot of data:

The information that TSA
requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration
Number (if applicable), current home address, primary and secondary telephone numbers, current email address, date of birth,
place of birth, gender and height. TSA also lists as optional, but helpful, the following personal information: home addresses,
driver’s license number and employer’s name and address…digital photo and digital images of all of your fingerprints and your irises…your credit card.

This raises a very serious problem with a company like Clear/Verified Identity Pass, Inc. The in-depth, validated customer data is likely to count amongst such a company’s most valuable assets. Their privacy policies make no mention of what would happen to it in the event that the company goes bust.

Does anyone know where Clear was incorporated? Maybe I’ll bid at the bankruptcy auction.

[Update: Tamzen points out that there’s an update on their site, promising that Clear will abide by the “Transportation Security Administration’s Security, Privacy and Compliance Standards” and “take appropriate steps to delete the information.” Google thinks that those standards might refer to “Transportation Security Administration’s Security, Privacy and Compliance Standards.” Me, I wonder why they say “take appropriate steps” rather than just promising to delete it. Back in the day, Brill’s Content might have taken them to task for that.]

More on Privacy Contracts

Law Prof Dan Solove tool the A-Rod question I posted, and blogged much more in depth in A-Rod, Rihanna, and Confidentiality:

Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach of confidentiality. The tort is recognized in most states, and it provides for liability whenever one owes a duty of confidentiality and breaches that duty. We observed, however, that the tort has remained “relatively obscure and frequently overlooked” in American law. In contrast, in England, the tort is robust and applies quite broadly. We suggested in our article that the American tort could develop more along the lines of the English tort, and it is, in fact, already beginning to head in that direction. See Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).

Lots more very interesting analysis. Check it out!

Synthetic Identity “Theft” – The Mysterious Case of Prawo Jazdy

The BBC tells the tale of a Polish immigrant flouting traffic regulations across the emerald isle:

He had been wanted from counties Cork to Cavan after racking up scores of speeding tickets and parking fines.
However, each time the serial offender was stopped he managed to evade justice by giving a different address.

As it turns out, however, there was more (and less) to this dastardly villain’s wild ride than meets the eye.

“Prawo Jazdy is actually the Polish for driving licence and not the first and surname on the licence,” read a letter from June 2007 from an officer working within the Garda’s traffic division.
“Having noticed this, I decided to check and see how many times officers have made this mistake.
“It is quite embarrassing to see that the system has created Prawo Jazdy as a person with over 50 identities.”

BBC News

And thus, the mystery was solved.

Public domain image via

A-Rod had a privacy contract, and so did you

urine sample.jpg

In 2003 the deal was simple: The players would submit to anonymous steroid testing, and if more than 5 percent tested positive, real testing with real penalties would begin in 2004.

But in 2003, the tests were going to be (A) anonymous and then (B) destroyed. Those were the rules of engagement, and in any civilized contest, the rules of engagement are critical. Everything has rules of engagement, even something as life-or-death as war. Ever heard of the Geneva Convention? Those are rules of engagement, and it’s something we are expected to follow — even against a war-time enemy we literally want to kill.

Somebody broke the rules of engagement with A-Rod. Baseball and the union were supposed to destroy the tests in 2003. If there was a master list linking each test to a specific player, that list was supposed to be destroyed, too. This was serious stuff, this confidentiality, and only because it was so serious did players like Alex Rodriguez submit to it. (“A-Rod should sue sinister system that snagged him,” CBS Sports)

So there’s an obvious violation of the contract, which may or may not have specified damages. Are there other torts here?

It seems that given the nature of the literally irreparable harms to reputation that privacy invasions can entail, the law may or may not have reasonable remedies here. (Note that I said irreparable, not un-compensatable or even of great magnitude. Even if it turns out that the tests were flawed, A-Rod’s reputation will be permanently sullied by those who remember the initial burst of news.)

There’s also a tie to Facebook’s latest changing and re-changing of their privacy rules.

The idea that your privacy contract is fungible and flexible inhibits the creation of a real market differentiation around privacy. If a company can change the rules at any time, why bother reading what they say today?

What should the law say about this?

Image: StockXpert.

[Update: Dan Solove has very interesting follow-on analysis in “ A-Rod, Rihanna, and Confidentiality.”]

Children, Online Risks and Facts

There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary.” Adam Thierer was a member of the task force, and has extensive commentary on the primary online safety issue today is peer-on-peer cyber-harassment, not adult [sexual] predation, along with a great link roundup. Kim Zetter at Wired gives unfortunate credence to hyperbolic claims by some attorneys general that “harsh reality defies the statistical academic research underlying the report.” Uh huh. I’m glad Richard Blumenthal knows the truthy, and isn’t going to let facts stand in his way. I’m less glad that Wired chose to portray that as a ‘controversy.’ I’d call it an embarrassment to the state of Connecticut.

The Identity Divide and the Identity Archepelago

(I’d meant to post this in June. Oops! Chaos reigns!)

Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, in essence and aim, an infrastructure of control. Even so, I didn’t realize how far it had gone as a tool of compliance enforcement.

There’s more to say than I can get into this blog post. Short form: go read it. Slightly longer form:

There are lots of details that are just great. For examples:

“The More ID checks in society, the more ID theft matters.” (page 11)

In a discussion of a 2005 deficit reduction act attempt to reduce medicaid fraud: “A GAO study instead found that the major effects of the program were higher administrative costs …and denial of medical benefits to eligible US citizens” (page 14)

“In addition, some state will not issue a state ID until a person has caught up on all outstanding payments due the staet, including traffic fines and child support payments. As ID requirements spread, persons who cannot afford to make all such payments may be denied the right to vote, to receive health insurance, or to become lawfully employed.” (page 16)

“…independent reviews of the E-Verify program have found that employers engage in prohibited employment practices…” (page 18)

My copy of this report is covered in markup, about “the computer is always right,” about linkability, about data shadows. In fact, about the only thing I don’t like is the title. I don’t think this is a divide, I think that identity has become an archepelago, a la the Soviet Gulag system.

In the preface to The Gulag Archepelago, Solzhenitsyn wrote:

And this archipelago crisscrossed and patterned that other country
within which it was located, like a giant patchwork, cutting into its
cities, hovering over its streets. Yet there were many who did not
even guess at its presence, and many, many others who had heard
something vague.

I think the argipelago is a better metaphor than a divide. A divide
exists, and most of us exist on one side of it. But the identity
archipelago! At a moments notice, we can be thrust onto its other
side. A phone call, a letter, and our identity’s connection to the
machine is broken. Our data shadow has sinned, and we are cast into
the archipelago, forced to learn its ways.

In conversation, Peter has said that the Gulag analogy is too over-used, which is a shame. Maybe identity is more like an accident–you’re driving along and 35 and boom, you wake up in the hospital. Maybe it’s more like a vase, dropped and you’re cutting yourself picking up the shards. What’s the right description for the fragile system we have where people get violently yanked into the nightmares?

[Comments have been closed because of a flood of spam against this single entry.]

Travel Chaos

NARA (National Archives) published notice in the Federal Register on October 27, 2008, of TSA’s submission to them (see Schedule Pending #3) of a proposed Records Schedule for Secure Flight Program. The actual Proposed Schedule was not published in the Register, only notice that you can request it and file comments on whether NARA should approve it. The 30 day window to request from NARA a copy of this proposed Records Schedule, along with NARA’s associated appraisal reports, closes November 26. This can be done easily via email – see my request below. After providing a requester with these documents, NARA must wait 30 days for the requester to file comments – and to take all comments into account prior to deciding whether to approve the schedule. Destruction of records requires the approval by NARA of a Records Schedule – see 44 U.S.C. Chapter 33 Disposal of Records. Presumably TSA wouldn’t start collecting domestic airline passenger records under Secure Flight, for program testing purposes or otherwise, without the ability to legally destroy them.

Making a request to NARA for TSA’s Secure Flight Records Schedule, and participating in the comment process, sends a message to NARA that the public is interested and concerned about TSA building files on the travel history of ordinary Americans. To make this request, cut and paste this into an email…

If you don’t want the government building a database of the travel history of innocent Americans, take a minute to visit Papers, please and send in a request.

Watchlist Cleaning Law

Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday…
The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members.

This demonstrates that greater scrutiny must be placed on the decisions about who gets placed on terrorist watch lists and other government blacklists. It took a long time for Nelson Mandela to get off the list, and I wonder whether anybody who isn’t of Mandela’s stature stands a chance getting off the list. The story also raises questions about just who is designated a terrorist. There must be greater accountability in creating these lists.

(Dan Solove, “U.S. Government Finally Recognizes that Nelson Mandela Isn’t a Terrorist.”)
I fully agree with what Dan says, and would extend it to creating, maintaining and using such lists. But I wanted to comment on something which struck me. The story says (accurately) that the law “gives the State Department and the Homeland Security Department the authority to waive restrictions,” and also states the sense of Congress. Why doesn’t the bill simply order the removal of all such people, and give them actionable rights if they aren’t removed?

The bill is HR 5690.

Call Centers Will Get More Annoying

There’s an article in “destination CRM,” Who’s Really Calling Your Contact Center?

…the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data include Acxiom, ChoicePoint, and LexisNexis. Higginson gives the example of asking someone the birth date of an individual who used to share an address with him. “There is no public data source to have a question like that answered,” Higginson says, arguing that it would take multiple documents to try and piece together exactly who the other individual is, where she lives now, verify that she did at one time share an address with the caller — and then still have to verify her birth date.

A couple of comments:

  • This seems tremendously intrusive. I don’t want some random call center drone to think they know “everything” about me, to quiz me about my life, or to tell me that I’m wrong if I disagree with their database.
  • This perpetuates the idea that we are our data shadows. I’m not a line in a database. I am a living, breathing person.
  • Errors in databases, such as those created by ID theft become more damaging to both the customer and your relationship with them.
  • The data being used is likely something like Choicepoint’s Bridger Insight (PDF). Quoting the press release:

    ProID Quiz lets users authenticate customers’ and prospects’ identities with greater certainty. Prior to servicing an account or conducting a transaction, a customer service representative can generate a “quiz” composed of random, multiple-choice questions. The questions are based on “out of wallet” information such as former roommates or one’s previous home builder.

    So access to the Choicepoint database becomes even more valuable to thieves.

A company which deploys these sort of things will lose me as a customer. As Debix points out, your real customer knows who they are. Involve them via multi-factor or multi-channel communications.

More generally, this seems like it would be symptomatic of a company that had lost sight of their customers. Who stops and thinks, “what our customers really want is to be interrogated. That will make them feel better?”

Identity Theft is more than Fraud By Impersonation

gossip.jpgIn “The Pros and Cons of LifeLock,” Bruce Schneier writes:

In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn’t work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry’s lobbyists would never allow that.

There’s a type of security expert who likes to sigh and assert that ID theft is simply a clever name for impersonation. I used to be one of them. More recently, I’ve found that it often leads to incorrect or incomplete thinking like the above.

The real problem of ID theft is not the impersonation: the bank eats that, although we pay eventually. The real problem is that one’s “good name” is now controlled by the credit bureaus. The pain of ID theft is not that you have to deal with one bad loan, it’s how the claims about that bad loan haunt you through a shadowy network of unaccountable bureaucracies who libel you for years, and treat you like a liar when you try to clear up the problem.

So there’s a third way to deal with identity theft: make the various reporting agencies responsible for their words and the impact of those words. Align the law and their responsibilities with the reality of how their services are used.

I’ve talked about this before, in “The real problem in ID theft,” and Mordaxus has talked about “What Congress Can Do To Prevent Identity Theft.”