% fortune -ae paul murphy

The TSA "revolt" - A Thanksgiving Reminder

I doubt there are many unaware of the consumer revolt happening with respect to the American TSA scan and and pat down procedure -and in that context here's the introduction from a March 15, 2010 article by Karin Kloosterman for Isreal21c.org on Israel's top 10 airport security technologies:

Since the attempted terror attack on board a US airplane last Christmas day, airport authorities around the world are in a race to find novel solutions to fight terror. Israeli strategic and technical tactics feature high on their lists. What's the secret to the country's success in keeping Ben Gurion Airport terror free?

"Israel concentrates on the passengers and not their luggage so we have a real edge over the rest of the world in protecting travelers," says Rafi Sela, a top security consultant and former chief security officer at the Israel Airport Authority. "This is in addition to us protecting the whole airport, while the others merely try to achieve aviation security," he tells ISRAEL21c.

Sela, who advises governments and airport authorities all over the world, has become the leading figure advocating Israel's unique approach to airport security in the past six years.

Through his company AR Challenges, he uses approaches and technology services rooted in Israeli innovation to try to help his clients stay one-step ahead of potential terrorists. The global transportation security consultancy, of which he is president, works with high profile clients including Canada's RCMP, the US Navy Seals and airports around the world.

Making use of homegrown technologies, some of them developed by whiz-kids in the Israel Defense Forces (IDF) Intelligence Corps 8200 army unit, Sela believes that Israel's strength in airport security is because it boasts near-invisible protective 'rings' of security around the airport and passengers.

Most airports around the world often lack measures as basic as video surveillance, he explains. "The airports are so concentrated on finding your bottles of water and perfumes that they don't even look at you," says Sela. "The security personnel forget that they are in the business of looking for terrorists."

At Ben Gurion Airport you can take a coffee on board. According to Sela, airport security personnel don't care what you take on the plane. "The security in Israel checks you as a passenger, and not the luggage. If you are cleared as a person then who cares what you bring on the plane with you?"

With that context in mind, I want to repeat much of what I said in this space on December 12th and 13th, 2005:

Bad guy detectors and ID - from Dec 12/05/

Do you know who Deborah Davis is?

Think a possible Rosa Parks for the Patriot Act era - here's the 411 from a supporter web site:

One morning in late September 2005, Deb was riding the public bus to work. She was minding her own business, reading a book and planning for work, when a security guard got on this public bus and demanded that every passenger show their ID. Deb, having done nothing wrong, declined. The guard called in federal cops, and she was arrested and charged with federal criminal misdemeanors after refusing to show ID on demand.

The bus was crossing through the Denver Federal center at the time, and three months later the US attorney in Denver announced a decision not to prosecute, but you can see that what really happened here was a collision between individual rights and government's reflexive belief in identification.

A thousand years ago people in western Europe were identified either as members of noble families or by members of noble families - and that's still fundamentally how it's done in places like Cuba, Vietnam, and Communist China. Even in democracies like Canada, however, we have remenants of that approach: to get a passport, for example, a Canadian has to be vouched for by three qualified professionals - doctors, lawyers, or priests.

In general, however, western governments have been handing the identification job over to computers - that is, to us IT grunts.

Here's the opening paragraph from a report by John Lettice, on the theregister headlined "EU ministers approve biometric ID, fingerprint data sharing"

The European biometric ID card takes another step forward this week, with the European Justice and Home Affairs Council set to approve "minimum security standards" for national ID cards. Alongside this the Council will be roadmapping the rollout of Europe's biometric visa system, which will contain the fingerprints of 70 million people within the next few years, and hearing European Commission proposals for greater sharing of fingerprint data.

There are two very different sets of issues here: the first involving effectiveness and the second human rights.

In thinking about effectiveness, consider that effectiveness comes in two forms. As perfected in East Germany the "Papieren, Bitte" smirk is part of an intimidation policy that really doesn't have anything to do with identification, but that's not what happened in Denver. There the cops barely glanced at identification documents produced by people who choose to comply because the cops really didn't care who these people were - they cared about the response they got when they asked for identification because they hoped that would help them separate the good guys from the bad guys.

Basically what's going on there is that the individual cop has to deal with large numbers of people he doesn't know anything about, and so asking for identification allows him to assess whether the individual confronted exhibits unusual hesitation or other odd behavior -and they have to ask people obviously not guilty of anything because not doing so gives people who are selected for questioning both an excuse not to co-operate and a defence if caught out.

If we set aside the ethical issues so we can concentrate on the technological ones we can see that what's wanted is a kind of social memory: an electronic prostheses making up for the fact that we live in a big world in which the cop probably didn't grow up with all the people he comes in contact with and therefore doesn't know them. In this context the identification document acts as an index to a life history access to which is intended to give the cop a fair chance of knowing enough about the people he's dealing with to separate the good guys from the bad guys.

Notice that this is contextual: you can be the worst kind of street scum or corporate criminal and still have every right to use public transit or get a hamburger at an airport kiosk. In the United States at least, the police can't wander around randomly accosting people on the street to arrest those with unpaid parking tickets or other public malfeasence on their records.

It's the elision (cutting out) of this contextual component in the issue of identification that's at the heart of the design mistakes governments everywhere are making as they embark on national id card schemes. Basically, they're asking everyone to carry an identification card that can be used, on demand, as an index to a life history when all they really need, and all they should get, is a token that lets the cop on the street make the good guy / bad guy call in context and provides no other information.

Nobody's proposing anything like this, and the reason is clear: the bureaucrats know with certainty that they need identification -because that's the only thing they've ever had, and no-one's told them that alternatives exist. The big consulting companies, people like Accenture, EDS, and IBM, are trapped too: they can only respond to an RFI (request for information) on national identification systems with proposals on national identification systems.

In other words this is a closed loop that repeats its mistakes until change is forced on it from outside. That force has to come from the politicians: who have to sell this stuff to the public: show them that sensible alternatives exist, let internal presure for change build from a few expensive failures, and change might have a chance.

The failure process is well underway already. Every major western government has embarked on a national identity card scheme of some kind - and the same people who brought us Canada's two billion dollar gun registery, who can't get the IRS into the ninties, and who blew a few hundred million pounds on the latest failed child welfare information system in the UK, are profitably deploying their usual expertise to take these solutions to new heights.

Meanwhile, of course, Ms. Davis was absolutely right and by the time governments get their national ID cards issued, you can expect her right to refuse to be widely supported in case law - at least in the United States and possibly in the UK.

So what's coming is a collision between an immoveable object (government's tendency to demand identification) and an irresistible force: human rights, into which it should be possible to slip a perceptional change about what's really needed and so get an alternative accepted.

Starting tomorrow I want to talk about how that could be made to work; meanwhile consider that we're the guys caught in the middle - the IT grunts about to receive impossible, and objectionable, marching orders we'll be expected to dog trot around a very large pile of taxpayer money and human rights issues.

National ID - tokens and processes (Dec 13/05)

A national id system that met legitimate law enforcement and defence objectives without compromising human rights would have to have three parts:

  1. a "good guy" indicator or token together with a reader technology.

  2. a separately verifiable authentication mechanism for the token itself - is it, not the information it conveys, legitimate and is the person holding it the person to whom it was issued?

  3. a trustable backend, including issuance and updating processes, for the information conveyed by the token.

Ethical issues aside, making this happen is mostly about process and perception - and only a little bit about technology.

Such a token would have to be small -initially perhaps configured as a card, later possibly as a jewelry or watch component, and finally perhaps as a subcutaneous implant.

The token would have to respond to queries with a simple "Yes/No" response conveying no information beyond contextual legitimacy. Is this person a licensed driver? prohibited within 100 feet of playgrounds? known to be a non criminal citizen of Canada? Authorized to charge some amount to a particular Visa account?

I'm not aware that good candidate token technologies exist yet, but the foundations are certainly there. Nearly eight years ago "Safetyjet" needed iron-clad identification for crew members -and got that by combining a process based on having crew members vouch for each other with one based on a java card that only worked when held by the person it was issued to. That card used a fingerprint and the supplier failed to deliver the body temperture sensor they promised with it, but the basic card is now commercially available and one based on DNA matching isn't that far off.

A card that responds differently to different queries using either infrared or one of the near field methods doesn't exist yet either, but only because no-one's asked for it. The basic Unix ports technology is a natural fit for this kind of multi-layer with access for people with publically mandated information needs - whether bartenders or police officers, they would get the information they need, and nothing more.

YOu'd expect multi-port query gear to appear, of course, but official use can be controlled through well understood legal and organizational processes and there will be little or no value to unofficial use.

Token authentication is needed, but can be managed via something like RSA digital signatures - not impossible to forge, but so difficult as to be fundamentally out of reach for the bad guys, even if they are governments.

Basically the token has to answer three questions: is the token itself real? is the person offering it the person to whom it applies? and, is the person a good guy or a possible bad guy in the present context?

The technologies needed for the first two don't really exist yet, but obvious predecessors do, so how about the backend?

Envision updates to the token happening as "endorsements" and you don't need significant change in existing organizational structures for data management. The passport office, for example, would issue passport equivelency endorsements, motor vehicle departments and courts would handle endorsements for driving related purposes, and so on.

Compared to the national ID schemes being proposed, that's minor change with the only new organizational elements needed those involved in issuing and controlling the tokens themselves and a big potential payoff in cost reduction eleswhere in government as identification cards are made obsolete.

In the intervening five years:

  1. No government has rethought the issue

  2. Every major government effort to develop a unified citizen ID card has failed - and every such failure has been rooted, not in citizen or judicial pushback, but in data processing failure. Basically government's inability to make the system work has created the delays, the costs, and the weaknesses that have allowed those opposed to implementation to claim partial victories in terms of program cancellations, program delays, delayed or altered program rebirths, and weakened political support.

  3. the security problems these efforts were supposed to address have gotten worse; and,

  4. more easily implemented (read: non IT) solutions have proven more expensive, more intrusive, and less effective, than expected.

And, of course, everything that was marginally do-able in terms of making a simple good guy card work in 2005 is much more easily do-able today.

In many ways what's happened is a kind of good news - bad news scenario: on the positive side having bureaucrats spending billions trying to use early twentieth century methods to implement nineteenth century solutions has nicely prevented progress in the wrong direction - but money has momentum, and what seems most likely to come out of the present TSA brohaha is more billion dollar spending on whatever intrusive ID card projects various bureaucracies are selling the political level as sure to work, guaranteed, nothing to it, just write the check already.

What's going on is a confluence of stupid: what the data processing community has learnt from fifty years of failure is how to make money from it, the senior bureaucracy has no idea alternatives exist, politicans equate spending with positive action, and no one's publically making the case that a simple good guy card would be both cheap and effective while preserving basic human rights and freedoms.

All of which leads to a prediction: as payment, membership, and ID come together in multiple wireless technologies we'll see the good guy card idea evolve on its own - with government left behind as it spends both money and individual freedom on the laughably out of date and out of touch.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.