Thank you to the ACLU for allowing me to blog here, and to all of you who sent in questions. Apologies to those I missed, but I didn’t have time to get to them all.

I started this week of guest blogging by posting my essay on the future of privacy. I’d like close with my essay on the value of privacy:

The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

Two proverbs say it best: Quis custodiet custodes ipsos? (”Who watches the watchers?”) and “Absolute power corrupts absolutely.”

Cardinal Richelieu understood the value of surveillance when he famously said, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” Watch someone long enough, and you’ll find something to arrest — or just blackmail — with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies — whoever they happen to be at the time.

Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance.

More here.

It was demonstrated today at the BlackHat conference.

Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country’s e-passport, since all of them will be adhering to the same ICAO standard.

In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He obtained the reader by ordering it from the maker — Walluf, Germany-based ACG Identification Technologies — but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.

He then launched a program that border patrol stations use to read the passports — called Golden Reader Tool and made by secunet Security Networks — and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template.

Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader — which can also act as a writer — and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.

As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information.

The result was a blank document that looks, to electronic passport readers, like the original passport.

I’ve long been opposed (that last link is an op-ed from The International Herald-Tribune) to RFID chips in passports, although last year I — mistakenly — withdrew my objections based on the security measures the State Department was taking.

That’s silly. I’m not opposed to chips on ID cards, I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.

Sure, the State Department is implementing security measures to prevent that. But as we all know, these measures won’t be perfect. And a passport has a ten-year lifetime. It’s sheer folly to believe the passport security won’t be hacked in that time. This hack took only two weeks!

The best way to solve a security problem is not to have it at all. If there’s an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there’s no RFID chip, then the security problem is solved.

Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can’t do, I am opposed to the idea.

Crossposted to the Schneier on Security blog.

There has been an enormous push by the government to field data mining technologies, in the belief that these can be effective in foiling terrorism. I wrote about this back in March, comparing data mining’s effectiveness in catching credit-card fraudsters (good) with its effectiveness in catching terrorists (bad).

I wrote this in 2004 for the San Francisco Chronicle, but it’s still important.

In recent years there has been an increased use of identification checks as a security measure. Airlines always demand photo IDs, and hotels increasingly do so. They’re often required for admittance into government buildings, and sometimes even hospitals. Everywhere, it seems, someone is checking IDs. The ostensible reason is that ID checks make us all safer, but that’s just not so. In most cases, identification has very little to do with security.

Let’s debunk the myths:

First, verifying that someone has a photo ID is a completely useless security measure. All the Sept. 11 terrorists had photo IDs. Some of the IDs were real. Some were fake. Some were real IDs in fake names, bought from a crooked DMV employee in Virginia for $1,000 each. Fake driver’s licenses for all 50 states, good enough to fool anyone who isn’t paying close attention, are available on the Internet. Or if you don’t want to buy IDs online, just ask any teenager where to get a fake ID.

Harder-to-forge IDs only help marginally, because the problem is not making sure the ID is valid. This is the second myth of ID checks: that identification combined with profiling can be an indicator of intention.

Our goal is to somehow identify the few bad guys scattered in the sea of good guys. In an ideal world, what we would want is some kind of ID that denotes intention. We’d want all terrorists to carry a card that says “evildoer” and everyone else to carry a card that said “honest person who won’t try to hijack or blow up anything.” Then, security would be easy. We would just look at people’s IDs and, if they were evildoers, we wouldn’t let them on the airplane or into the building.

This is, of course, ridiculous, so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you’re likely to be an evildoer. This is the basis behind CAPPS-2, the government’s new airline passenger profiling system. People are divided into two categories based on various criteria: the traveler’s address, credit history and police and tax records; flight origin and destination; whether the ticket was purchased by cash, check or credit card; whether the ticket is one way or round trip; whether the traveler is alone or with a larger party; how frequently the traveler flies; and how long before departure the ticket was purchased.

Profiling has two very dangerous failure modes. The first one is obvious. Profiling’s intent is to divide people into two categories: people who may be evildoers and need to be screened more carefully, and people who are less likely to be evildoers and can be screened less carefully.

But any such system will create a third, and very dangerous, category: evildoers who don’t fit the profile. Oklahoma City bomber Timothy McVeigh, Washington-area sniper John Allen Muhammed and many of the Sept. 11 terrorists had no previous links to terrorism. The Unabomber taught mathematics at UC Berkeley. The Palestinians have demonstrated that they can recruit suicide bombers with no previous record of anti-Israeli activities. Even the Sept. 11 hijackers went out of their way to establish a normal-looking profile; frequent-flier numbers, a history of first-class travel and so on. Evildoers can also engage in identity theft, and steal the identity — and profile — of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.

The rest is here.

Taking a cue from a useless American idea, the UK has announced a system of threat levels:

“Threat levels are designed to give a broad indication of the likelihood of a terrorist attack,” the intelligence.gov.uk website said in a posting. “They are based on the assessment of a range of factors including current intelligence, recent events and what is known about terrorist intentions and capabilities. This information may well be incomplete and decisions about the appropriate security response are made with this in mind.”

Unlike the previous secret grading system offering seven levels of threat, the new system has been simplified to five, starting with “low,” meaning an attack is unlikely, to “critical,” meaning an attack is expected imminently. Unlike American threat assessments, the British system is not color-coded.

The current level is “severe”:

“Severe” is the second-highest threat level, but the Web site did not say what kind of attack was likely. The assessment is roughly the same as it has been for a year.

I wrote about the stupidity of this sort of system back in 2004:

In theory, the warnings are supposed to cultivate an atmosphere of preparedness. If Americans are vigilant against the terrorist threat, then maybe the terrorists will be caught and their plots foiled. And repeated warnings brace Americans for the aftermath of another attack.

The problem is that the warnings don’t do any of this. Because they are so vague and so frequent, and because they don’t recommend any useful actions that people can take, terror threat warnings don’t prevent terrorist attacks. They might force a terrorist to delay his plan temporarily, or change his target. But in general, professional security experts like me are not particularly impressed by systems that merely force the bad guys to make minor modifications in their tactics.

And the alerts don’t result in a more vigilant America. It’s one thing to issue a hurricane warning, and advise people to board up their windows and remain in the basement. Hurricanes are short-term events, and it’s obvious when the danger is imminent and when it’s over. People can do useful things in response to a hurricane warning; then there is a discrete period when their lives are markedly different, and they feel there was utility in the higher alert mode, even if nothing came of it.

It’s quite another thing to tell people to be on alert, but not to alter their plans?as Americans were instructed last Christmas. A terrorist alert that instills a vague feeling of dread or panic, without giving people anything to do in response, is ineffective. Indeed, it inspires terror itself. Compare people’s reactions to hurricane threats with their reactions to earthquake threats. According to scientists, California is expecting a huge earthquake sometime in the next two hundred years. Even though the magnitude of the disaster will be enormous, people just can’t stay alert for two centuries. The news seems to have generated the same levels of short-term fear and long-term apathy in Californians that the terrorist warnings do. It’s human nature; people simply can’t be vigilant indefinitely.

[...]

This all implies that if the government is going to issue a threat warning at all, it should provide as many details as possible. But this is a catch-22: Unfortunately, there’s an absolute limit to how much information the government can reveal. The classified nature of the intelligence that goes into these threat alerts precludes the government from giving the public all the information it would need to be meaningfully prepared.

[...]

A terror alert that instills a vague feeling of dread or panic echoes the very tactics of the terrorists. There are essentially two ways to terrorize people. The first is to do something spectacularly horrible, like flying airplanes into skyscrapers and killing thousands of people. The second is to keep people living in fear with the threat of doing something horrible. Decades ago, that was one of the IRA’s major aims. Inadvertently, the DHS is achieving the same thing.

There’s another downside to incessant threat warnings, one that happens when everyone realizes that they have been abused for political purposes. Call it the “Boy Who Cried Wolf” problem. After too many false alarms, the public will become inured to them. Already this has happened. Many Americans ignore terrorist threat warnings; many even ridicule them. The Bush administration lost considerable respect when it was revealed that August’s New York/Washington warning was based on three-year-old information. And the more recent warning that terrorists might target cheap prescription drugs from Canada was assumed universally to be politics-as-usual.

Repeated warnings do more harm than good, by needlessly creating fear and confusion among those who still trust the government, and anesthetizing everyone else to any future alerts that might be important. And every false alarm makes the next terror alert less effective.

The Bush administration used this system largely as a political tool. Perhaps Tony Blair has the same idea.

Crossposted to the Schneier on Security blog

Last week I blogged about airplane sky marshals writing reports on innocent travelers in order to meet a quota. Insane, I know.

The ACLU has asked the Chief Privacy Officer of the Department of Homeland Security to investigate.

“How can I run a blog without being subject to government surveillance? It seems the only way is to use a service hosted in Europe, never add anyone to my friends list, and never mention my location or other personally identifiable info.” — Anonymous from California

True anonymity on the Internet is very difficult. There are many ways you can be tracked via your ISP and your computer. I like Tor, an anonymous Internet communications system that uses a protocol called onion routing to hide your identity, and wish more people would sign up as nodes on the service. (Products like Anonymizer take some steps to hide your identity on the Internet, but they’re best in conjunction with something like Tor.) Used properly, Tor offers real anonymity on the Internet, both for surfing and for posting blog entries.

As to anonymous blogging, the Electronic Frontier Foundation has some great ideas in their “How to Blog Safely” guide. I recommend reading that.

I wrote about this back in March:

It’s easier than you think to create your own police department in the United States.

Yosef Maiwandi formed the San Gabriel Valley Transit Authority — a tiny, privately run nonprofit organization that provides bus rides to disabled people and senior citizens. It operates out of an auto repair shop. Then, because the law seems to allow transit companies to form their own police departments, he formed the San Gabriel Valley Transit Authority Police Department. As a thank you, he made Stefan Eriksson a deputy police commissioner of the San Gabriel Transit Authority Police’s anti-terrorism division, and gave him business cards.

More here.

While we’re on the subject of automobiles, here’s a great article from Wired on stealing cars with high-tech RFID locks. It seems that the criminals have learned how to steal these cars, but the insurance companies refuse to believe it.

“My boyfriend who’s an electrical engineer but mostly does computer work says that the government has been able to track our cars since the 1980s. Is this true? How do they do it?” — Allison, Atlanta

Well, automobiles have unique Vehicle Identification Numbers and can be tracked that way, but I don’t think that’s what you are referring to. You’re asking whether or not there is some automatic vehicle tracking system in place in the country.

No, there isn’t. But that’s changing. Cars that are equipped with roadside assistance technologies like OnStar can be tracked, even without the knowledge or consent of the driver. Cell phones can be tracked, and more and more people drive around with cell phones in their pockets. And lastly, we’re starting to see automatic license-plate scanners that can be used to track cars, even by helicopter.