Emergent Chaos

In “U-Prove Minimal Disclosure availability,” Kim Cameron says:

This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual Microsoft press release and lay it on you. The reason? Microsoft has just done something very special, and the fact that the announcement was a key part of the RSA Conference Keynote is itself important.

Further, Charney explained that identity solutions that provide more secure and private access to both on-site and cloud applications are key to enabling a safer, more trusted enterprise and Internet. As part of that effort, Microsoft today released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions. To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions. Charney encouraged the industry, developers and IT professionals to develop identity solutions that help protect individual privacy.

Kim then goes on to analyze the announcement, which is a heck of an important one.

Disclaimer: I work for Microsoft, and am friends with many of the people involved. I still think this is tremendously important.

Apparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people

Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer.

A law enacted by Puerto Rico in December mainly to combat identity theft invalidates as of July 1 all previously issued Puerto Rican birth certificates. That means more than a third of the 4.1 million people of Puerto Rican descent living in the 50 states must arrange to get new certificates. (“Shock over voided Puerto Rican birth certificates,” Suzanne Gamboa, AP)

If I’m parsing that right, all 4.1 million identities were stolen from their legitimate holders, and 1/3 of those are outside Puerto Rico, leading to an unclear level of actual effort to get the documents replaced.

Now, some people may take umbrage at my claim that this is identity theft. You might reasonably think that fraud by impersonation requires impersonation. But the reason that it’s called identity theft is that the victim loses control of their identity. False claims are tired to their name, ssn, birth certificate, etc. Those claims show up at random. Their sense that they have “a good name” is diminished and assaulted.

You might also claim that I’m exaggerating, but I’m not the one who titled the article “shock.” People are feeling shocked, confused and assaulted by this action.

So despite the not for profit nature of the crime, this is identity theft on the largest scale I’ve heard about in years.

Image from the Oritz family showcase.

• Air Canada is canceling US flights because of security. (Thanks, @nselby!)
• The New York Times reports that “Britain Rejected Visa Renewal for Suspect.” NPR reported that the State Department may have raised some sort of flag, but I don’t have a link.
• ABC is reporting that two of the “al Qaeda Leaders Behind Northwest Flight 253 Terror Plot Were Released by U.S..”
• Spencer Acerkman talks about “al-Qaeda’s Desperate Bid For Relevance, The Failed Plane Attack & Afghanistan:” “First, al-Qaeda’s signatures are redundance and simultaneity. Think 9/11, Madrid, London: all used multiple operatives focused on multiple targets, acting in unison. That’s to ensure something blows up if and when something goes wrong.” (Hmmm, also think US Cole, but the article is worth reading.) Thanks to Jim Harper, who also mentions that-
• On January 13th, CATO will be holding a forum on “The Obama Administration’s Counterterrorism Policy at One Year.”

And for the prurient interest, the underwear, apparently still containing the explosives. It looks like they were cut off with scissors, implying that he was wearing them at the time. I wonder how much explosive energy a human thigh absorbs?

In conversation, a friend mentioned that the media whirlwind overwhelms the right response, which is to go on with our lives. Which is what I shall now do. Look! A burning goat!

• The Economist “The latest on Northwest flight 253:” “the people who run America’s airport security apparatus appear to have gone insane” and “This is the absolute worst sort of security theatre: inconvenient, absurd, and, crucially, ineffective.”
• Business Travel Coalition, via Dave Farber and Esther Dyson, “Aviation Security After Detroit:” “It is welcome news that President Obama has ordered an airline industry security review so long as it is strategic in nature.”
• Stuart Baker, “Six Uncomfortable Answers” which seems to boil down to “identity-based security has failed, let’s not address the good reasons why, and build more of it.” Usually Stewart has been more insightful than this. But then he writes “I asked several questions about how good the screening was in Nigeria and at Schiphol. I now think that it barely matters how good a job those screeners did. Without a reason to treat Abdulmutallab differently from other passengers, the current level of screening wasn’t likely to find the explosives.” Actually, as he points out, no acceptable level of screening is likely to find the explosives.
• The New York Times points out that “Questions Arise on Why Terror Suspect Was Not Stopped :” “That meant no flags were raised when he used cash to buy a ticket to the United States and boarded a plane, checking no bags.” It used to be that that got you extra screening. Why did we stop?
• Gawker, “The Shady Mainstream Media Payday of Flight 253 Hero Jasper Schuringa”
• I lost the link, but someone else pointed out that the new, alleged TSA rules would have made it a crime to get up and stop Abdulmutallab when he tried to set off his bomb.
• This comment on the Flyertalk thread raises the interesting question: are terrorists planning to fail, expecting over-reaction by governments? Provocation would not be a new page in terror playbooks.
• Alleged text of SD 1544-09-06
• Every international traveller to the US is being asked to spend an extra hour on these measures. Cormac Herley’s “So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users” is absolutely irrelevant, unless travel to the US falls. Again. Which, of course, makes the odds of each remaining traveller being a terrorist materially higher.

According to the Wall St Journal, “Iranian Crackdown Goes Global ,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online.

That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they are prohibited, not bad in themselves. It’s important if we want to export freedom of speech and freedom from self-incrimination, to push for an international norm of limiting the powers of governments, not of people. Of course, since the main way that the international reach of governments is limited is through treaties negotiated by, umm, governments, I don’t expect a lot of that soon.

Not to mention the creation of fake Facebook accounts by Iranian intelligence.

But most interesting is this:

Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran’s airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.

and

One 28-year-old physician who lives in Dubai said that in July he was asked to log on to his Facebook account by a security guard upon arrival in Tehran’s airport. At first, he says, he lied and said he didn’t have one. So the guard took him to a small room with a laptop and did a Google search for his name. His Facebook account turned up, he says, and his passport was confiscated.

So the 2016 Olympics will be in Rio de Janeiro. Some people think this was a loss for Obama, but Obama was in a no-win situation. His ability to devote time to trying to influence the Olympics is strongly curtailed by other, more appropriate priorities. If he hadn’t gone to Copenhagen, he would have been blamed for not caring. If he went, he’s blamed anyway. In reality, he does have some control over what happened. He could have fixed the “harrowing experience” we show the world under the ironic words “Welcome to the United States:”

In the official question-and-answer session following the Chicago presentation, Syed Shahid Ali, an I.O.C. member from Pakistan, asked the toughest question. He wondered how smooth it would be for foreigners to enter the United States for the Games because doing so can sometimes, he said, be “a rather harrowing experience.” (New York Times, “Rio Wins“)

Ironically, the President has experienced harrowing nonsense at borders, see “US Senators Detained In Russia.” He should put someone on fixing the Customs and Immigration service before it costs us even more.

However, it’s really unclear if the “loss” is a loss. “No Games Chicago” was a citizens group advocating against destroying Chicago’s parks and budget for the Olympics, and according to CNN, 45% of the city’s residents didn’t want the games. And as the AP documents in “Olympics Aren’t Necessarily an Economic Bonanza,” the outlandish “economic benefit” numbers that Olympic advocates usually throw around are based on a “multiplier effect” of around 3. Me, I know what an Olympics event costs–Montreal taxpayers paid off the ‘76 Olympics in 2006.

So congratulations, Rio. I hope you don’t bulldoze the less waelthy neighborhoods, and I hope you’re all paid off by 2030 or so.

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth.

The findings, published Monday in The Proceedings of the National Academy of Sciences, are further evidence that privacy safeguards created in the era before powerful computers and ubiquitous networks are increasingly failing, setting up an “architecture of vulnerability” around personal digital information, the researchers said.

…

“My hope is that publishing these results may open a window of opportunity, so to say, to finally take action,” Mr. Acquisti said. “That S.S.N.’s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address.”

So reports John Markoff in “Social Security Numbering System Vulnerable to Fraud.”

We’ve all known for a long time that the SSN makes a godawful authenticator. And now Alessandro Acquisti and Ralph Gross have put a final nail in the coffin for anyone using the SSN as an authenticator. I would really hate to be on the witness stand defending a decision to let anyone authenticate to my business with “the last four” because “everyone else is doing it.” Now is the time to go to management and talk to them about improving things.

My favorite response is from the Social Security Administration, “There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide:”

For decades, we have cautioned the private sector, including educational, financial and health care institutions, against using the SSN as a personal identifier.

Ahh, decades of advice. How’s that working out for you guys? I’m sure if you tell everyone just once more, they’ll listen. For the rest of you: not getting going on a fix now will turn out to be career limiting.

What they were emphatically not doing, said Jay Platt, the third-generation proprietor of the ranch, was abiding by a federally recommended livestock identification plan, intended to speed the tracing of animal diseases, that has caused an uproar among ranchers. They were not attaching the recommended tags with microchips that would allow the computerized recording of livestock movements from birth to the slaughterhouse.

“This plan is expensive, it’s intrusive, and there’s no need for it,” Mr. Platt said.

The New York Times reports that not even cattle need Real ID in”Rebellion on the Range Over a Cattle ID Plan.” There’s a web site, NoNAIS.org which is tracking things like

Oklahoma is now mandating Premises ID for anyone wanting participate in the Swine Shows. One more tricky little way that they make “voluntary” into mandatory.

Image: IstockPhoto

We were surprised last week to see that the GAO has issued a report certifying that, “As of April 2009, TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and had conditionally achieved 1 condition (TSA had defined plans, but had not completed all activities for this condition).”

Surprised, that is, until we we saw how the GAO had defined (re-defined?) those statutory conditions in ways very different from what we thought they meant, or what we think Congress thought they meant.

Read the details at “GAO moves the goalposts to “approve” Secure Flight”

A bunch of folks sent me links to this Photography License, which also found its way to BoingBoing:

Now, bizarrely, if you visit that page, Yahoo wants you to show your (Yahoo-issued) ID to see (Matt’s self-issued) ID.

It’s probably a bad idea to present a novelty version of a DHS document to law enforcement.

It’s a worse idea to live in a country where someone sees enough harassment of photographers to design such a thing so well.

The very worst idea, however, is to discover pressure to send the whole thing down the memory hole.