April 2005

Tonight’s keynote by Daniel Solove (author of The Digital Person) fell on the privacy-as-a-means-to-an-end side of the debate, though he mostly only discussed one danger: identity theft.

Personally I think identity theft is one of the biggest boons to privacy advocates in the past decade, because it finally answers the question “why should I care about privacy if I don’t have anything to hide?” There are several other examples and classes of threat that I think are equally important though:

• Direct threat: using what you know to directly cause me harm. Identity theft is one example, but so is using my contact information to spam or telemarket to me, using my location to know when to rob my house, and using personal information to create false trust when selling me something.
• Profiling: punishing or restricting people with a set of features that are benign in their own right, but that are perceived as correlating with features that are undesirable. Racial profiling is the obvious example: there’s nothing wrong with being black or hispanic, but because these races are perceived as being “more likely to commit crime,” people of this race are singled out for extra hassle and restrictions. Age, religion and gender discrimination are other examples. Data mining brings profiling to a whole new level: now not only can you be harmed because of obvious traits like your race, gender or age, but also subtle things like your purchase habits, where you travel, who you know, what you read and what your politics are. This is both unfair to the individual singled out and harms society by dissuading activity we would rather allow, simply because the activity is sometimes correlated with activity we don’t want.
• Cherry picking: breaking society’s risk-pooling safety systems (i.e. insurance) by giving insurance companies enough data to cherry-pick only the safest people. For the individual, insurance is a way to pool risk so that a catastrophic illness or event doesn’t wipe you out. For an insurance company, insurance is like being a casino owner: they profit by setting their payoff a little higher than the overall risk. If the insurance company has enough information to completely predict who will get sick and who won’t, that’s like playing poker against a psychic — they always fold before you get to bid on a good hand, and take your money when you have a bad one. Of course there’s never enough money to completely predict who will get sick and who won’t, but every extra bit of predictive power takes us further from the ability to effectively pool our risk.

One disappointment I have about CFP is how privacy (step two of the privacy chain I talked about last post) is overshadowing discussion about freedom. I think privacy is important and worth fighting to protect, but I mostly see privacy as a way to keep others from gaining power over me (and thus becoming able to harm me) rather than as an end in itself. Sure I’d rather not have people posting nude pictures of me on the net, but I’m a lot more concerned that information collected about me isn’t used to steal my identity or deny me a loan, employment or insurance. The debate between privacy-as-means-to-an-end folk like me and privacy-as-intrinsically-valuable folk has played itself out several times over the past few days.

Just had a panel on Privacy Risks of New Passport Technologies, discussing among other things the new RFID tag the US is rolling out for passports in the coming months. The tags will contain a digitally signed copy of your photo plus all the information on your data page except the signature, and will be readable at a distance. The readers are designed to read chips about from about ten centimeters away, but the danger is that it’s possible to design devices that read the tag from longer distances. The exact distances possible aren’t clear to me, but a speaker from the ACLU demonstrated reading a passport with the type of RFID being used from three to four feet away. The State Department is now promising the passport cover will include a Faraday cage to prevent reading when the passport is closed, but that won’t help when the passport is opened.

The dangers really boil down to someone snooping or stealing one’s identity at a distance without one’s knowledge or consent:

1. Skimming: a terrorist, spy or criminal can lurk nearby a hotel or airport check-in desk and read the identities of people checking in. They can use this information to pick out victims or gather information on who gathers at a particular meeting or site.
2. Cloning: reading people’s passport info at a distance and using that information to create a copy. To be effective, you’d need to clone the passport of someone who looks like the person who will eventually use the card, since the picture can’t be changed without invalidating the digital signature.
3. Tracking: if an ID chip isn’t contained in a Faraday cage then they could be used to track people as they walk past readers distributed throughout a shopping center, neighborhood or city. This wouldn’t be possible with passports (they say), but there has been talk among policy makers to extend the RFID chip to driver’s licenses and other forms of ID.

Sounds like pretty big flaws in something in theory designed to make us safer, all of which would be solved by simply making the data only communicate through physical contact. The lone proponent on the panel was Deputy Assistant Secretary of State for Passport Services Frank Moss. I was rather unimpressed with his answers — many parts sounded like a song and dance surrounded by apologies for not really understanding the technology (and thus not being able to explain any details. However, he did answer the one main question I had: why the heck did the US push so hard for passports that could be read at a distance? His answer seems to boil down to it was cheaper and a little more flexible. Specifically:

1. Passport manufacturers said it would be cheaper to change their processes to include RFID chips than contact-requiring chips.
2. Different countries want different designs, and rather than specify a single location for a contact-point it was easier to just embed an RFID reader.

I’m sympathetic to the difficulties in standardizing over a hundred national documents, but that’s a piss-poor excuse given the potential security holes it opens up. The follow-up argument of “we were stupid when we pushed for it, but it’s too late now so tough” is equally unacceptable in my mind.

Update 4/14/05: Ed Felton at Freedom to Tinker was at the same panel and has posted his own summary. His conclusion about the reason we’re getting stuck with a contactless system are in line with my own: “In short, this looks like another flawed technology procurement program.”

After a couple days soaking in privacy issues I’m starting to break everything into a three-part chain: identification, information and actions. (Appropriately enough for this conference, these these are fairly well associated with computers, privacy and freedom respectively.)

1. Identification: ability to identify an individual person or class of person. Includes face recognition, mandatory ID cards, DNA, iris scanners, retinal scanners, thumbprint, spyware, phone-home DRM, RFID chips in your clothing and other “Things That Fink,” etc., as well as obvious things like racial profiling and having someone sign their name.
2. Information/Databases: access to information about those people or class of people. Medical, criminal, financial, your race/culture/religion, consumer preference data, where you’ve been, who you know, who you talk to, what you say…
3. Actions: what people with access to this information do. Some are good for the identified person or society (completing financial transactions, stop crime & terrorism, etc.). Many are bad, including police harassment of a particular race or religion, suppression of political dissent and travel of political activists, identity theft, scam games, red-lining, employment and insurance discrimination, price differentiation, loss of social reputation, and coercive advertising.

Many people have just a visceral negative reaction to someone knowing too much about them, but the consequences are mostly in part 3 — that’s where you get stung. That said, sometimes the best way to stop something bad happening in step 3 is to stop steps 1 or 2 from happening, and often you never even find out that you didn’t get a loan or a job due to a privacy violation.

Veronica Pinero’s presentation, Panopticism vis-a-vis criminal records, had an interesting graphic which I’ve reproduced on the right. It’s a map of all the sex offenders living within a 10-block radius of the CFP conference hotel.

The thing that strikes me is how fear-inducing this list is, both because of what it says and what it leaves out. It includes a map, showing that we’re surrounded by no less than 39 sex offenders, and gives their names, mean-looking photos, and the name of the crime they were convicted of. What it leaves out is exactly where they are (addresses only within 100 numbers) and any sort of details of the crime that might help people figure out whether they or their children are actually at risk. I expect most of these guys did horrible things (is there any way “child molestation” can be better than it sounds?). Some I have no idea about, like “indecent liberties,” or even whether “child rape” includes a 19-year-old having sex with his 17-year-old girlfriend. More importantly, I don’t have any way to tell how frightened I should be or what I should do about it. Avoid downtown? Lock myself in my house? Buy duct tape? What good is this information to us, beyond making us even more afraid than we already are?

I’ll be blogging from Computers, Freedom and Privacy 2005 the next few days, so expect a bunch of posts under the “Big Brother” category.