Shostack + Friends Blog Archive


A Quintet of Facebook Privacy Stories

It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based on the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that […]


Happy Data Privacy Day! Go check out PrivacyFix

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and […]


Should I advertise on Twitter?

Apparently Twitter sent me some credits to use in their advertising program. Now, I really don’t like Twitter’s promoted tweets — I’d prefer to be the customer rather than the product. (That is, I’d like to be able to give Twitter money for an ad-free experience.) At the same time, I’m curious to see how […]


Proof of Age in UK Pilot

There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:” It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint […]


Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports: There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. […]


More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path: “Google+ and The Trouble With Tribbles” The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook […]


Yes, Google+ Is a Failure

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician. Some folks might advise me to stop digging a hole, put down the shovel and walk […]


Google+ Failed Because of Real Names

It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the […]


Google+ is not a space for free expression

Earlier today I noticed something funny. My Google profile picture — the picture associated with my Gmail account, my GChat account, my Google+ account, etc — had vanished. A bug? Nope. It turns out, Google — without telling me — went into my account and deleted my profile picture. See “Dear Google+” for the details […]


"Can copyright help privacy?"

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.” Key quote: One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two […]


CIA Reveals Identity of Bin Laden Hunter

In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA, what the fellow looks like. After you’re done being outraged, […]


Nymwars: Thoughts on Google+

There’s something important happening around Google+. It’s the start of a rebellion against the idea of “government authorized names.” (A lot of folks foolishly allow the other side to name this as “real names,” but a real name is a name someone calls you.) Let’s start with “Why Facebook and Google’s Concept of ‘Real Names’ […]


MySpace sells for $35 Million, Facebook to follow

So MySpace sold for $35 million, which is nice for a startup, and pretty poor for a company on which Rupert Murdoch spent a billion dollars. I think this is the way of centralized social network software. The best of them learn from their predecessors, but inevitably end up overcrowded. Social spaces change. You don’t […]


"Proof" that E-Passports Lead to ID Theft

A couple of things caught Stuart Schechter’s eye about the spam to which this image was attached, but what jumped out at me was the name on the criminal’s passport: Frank Moss, former deputy assistant secretary of state for passport services, now of Identity Matters, LLC. And poor Frank was working so hard to claim […]


Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants. Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, […]


Use crypto. Not too confusing. Mostly asymmetric.

A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little. The first […]


Jon Callas on Comedies, Tragedy and PKI

Prompted by Peter Gutmann: [0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission: That is because a tragedy involves someone dying. Strictly […]


Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores. I’d like to add one more danger of credit scores: […]


Showing ID In Washington State

Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer […]


News from RSA: U-Prove

In “U-Prove Minimal Disclosure availability,” Kim Cameron says: This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual […]


Can I see some ID?

Or, Security and Privacy are Complimentary, Part MCVII: Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash […]


We Take Your Privacy Seriously

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to log in. Boy, am I glad […]


Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online. That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they […]


Deny thy father and refuse thy gene sequence?

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all about the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way of discovering that children they thought were theirs really carry someone else’s genes. This raises the question, what is fatherhood? […]


Bob Blakley Gets Future Shock Dead Wrong

Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up […]


Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized […]


Caster Semenya, Alan Turing and "ID Management" products

South African runner Caster Semenya won the women’s 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony. There are reports that: […]


Renaming the blog to Emergent Chaos (I)

In 2007, Artist Kristin Sue Lucas went before a judge to get a name change to…Kristin Sue Lucas. She’s put together a show called “Refresh” and one called “Before and After.” My favorite part is where the judge wrestles with the question “what happens when you change a thing to itself:” JR: And I don’t […]


What's in a name?

Brian Jones Tamanaha has an interesting post about our database-driven society. The core of it is that English is bad at recording some names. The solution? Force people to change their official names for the convenience of the database: During public hearings on the voter identification legislation in the House, state Rep. Betty Brown, R-Terrell, […]


Dear $LOCALBANK That I Use

Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification. No […]


ID Theft Risk Scores?

A bunch of widely read people are blogging about “ Offers Free ID Theft Risk Score.” That’s Brian Krebs at the Washington Post. See also Jim Harper, “My ID Score.” First, there’s little explanation of how it’s working. I got a 240 when I didn’t give them my SSN, and my score dropped to 40 […]


Origins of time-sync passwords

In “Who Watches the Watchman” there’s an interesting history of watchclocks: An elegant solution, designed and patented in 1901 by the German engineer A.A. Newman, is called the “watchclock”. It’s an ingenious mechanical device, slung over the shoulder like a canteen and powered by a simple wind-up spring mechanism. It precisely tracks and records a […]


Social Security Numbers are Worthless as Authenticators

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The findings, published Monday in The Proceedings of the National […]


Rebellion over an ID plan

What they were emphatically not doing, said Jay Platt, the third-generation proprietor of the ranch, was abiding by a federally recommended livestock identification plan, intended to speed the tracing of animal diseases, that has caused an uproar among ranchers. They were not attaching the recommended tags with microchips that would allow the computerized recording of […]


Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelan, so Whelan lashed out at Publius. Or so it seems from the nosebleed bleachers […]


Need ID to see Joke ID card

A bunch of folks sent me links to this Photography License, which also found its way to BoingBoing: Now, bizarrely, if you visit that page, Yahoo wants you to show your (Yahoo-issued) ID to see (Matt’s self-issued) ID. It’s probably a bad idea to present a novelty version of a DHS document to law enforcement. […]


Little Bobby Drop tables

In 1999 Syse Data was converted to a limited liability company, and has since been trading under the name Syse Data AS[1]. As the names are so similar, searches for our company in the official Norwegian registry of just-about-anything (Brønnøysundregistrene) often resulted in potential customers looking up the wrong company. To prevent this confusion we […]


Identity is Mashed Up

I posted last month about Bob Blakley’s podcast with Phil Windley. Now (by which I really mean last month, wow I’m running behind!) Bob posts that the “Relationship Paper Now Freely Available,” and I’m embarrassed to say I stole Bob’s opening sentence. Now that I’ve actually read the paper, I’d like to remix the ideas […]


Would Anne Fadiman buy a Kindle?

If you like books, if you like to read, you need a copy of Anne Fadiman’s “Ex Libris: Confessions of a Common Reader.” You especially need to read it if you care an iota about identity management, because the major themes in her essays are not only about books, but about identity. (In case you’re […]


Identities are Created Through Relationships

I’m listening to this really interesting podcast by Bob Blakley and Phil Windley. What really struck me was where Bob said “thinking of identity as an artifact all by itself is unsatisfactory because we can talk about an identity and the attributes of an identity leaves out important details about how identities are created and […]


The Presentation of Self in Everyday Tweeting

Chris Hoff pointed to an interesting blog post from Peter Shankman. Someone* tweeted “True confession but I’m in one of those towns where I scratch my head and say ‘I would die if I had to live here!’” Well it turns out that… Not only did an employee find it, they were totally offended by […]


Children, Online Risks and Facts

There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary. Adam Thierer was a member of the task force, and has extensive commentary on the primary online safety issue today […]


The Identity Divide and the Identity Archipelago

(I’d meant to post this in June. Oops! Chaos reigns!) Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, […]


Identity Manglement

It was Dopplr that drove me over the edge on this rant. I almost feel bad for starting off with them, because as you will see, they’re just the bale of hay that broke the camel’s back. I was updating my travel schedule, which included a trip to St. Louis. It told me that by […]


What’s in a name? A Candidate by any other name…

For those who haven’t been listening closely to their NPR, it turns out that there are at least eight Barack Obamas running for election in Brazil this year. Yes, you heard that right. Under Brazilian law, it turns out, candidates are allowed to run for office under any name, as long as it’s not offensive. […]


No Privacy Chernobyls

Over at the Burton Identity and Privacy Strategies blog, there’s a post from Ian Glazer, “Trip report from the Privacy Symposium,” in which he repeats claims from Jeff Rosen: I got to hear Jeffrey Rosen share his thoughts on potential privacy “Chernobyls,” events and trends that will fundamentally alter our privacy in the next 3 […]


Authenticating Alan Shimel is Certifiably Hard

Alan Shimel got hacked, and he’s blogging about it, in posts like “I’m back.” It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us. One of the themes of […]


Watchlist Cleaning Law

Former South African President Nelson Mandela is to be removed from U.S. terrorism watch lists under a bill President Bush signed Tuesday… The bill gives the State Department and the Homeland Security Department the authority to waive restrictions against ANC members. This demonstrates that greater scrutiny must be placed on the decisions about who gets […]


Call Centers Will Get More Annoying

There’s an article in “destination CRM,” Who’s Really Calling Your Contact Center? …the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data […]


On Banking Security

Dave Maynor comments: Blizzard is going to sell a One Time Password device…Isn’t it kind of funny when an online game has better security than most banks? Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, […]


UK Passport Photos?

2008 and UK passport photos now have the left eye ‘removed’ to be stored on a biometric database by the government. It’s a photo that seems to say more to me about invasion of human rights and privacy than any political speech ever could. Really? This is a really creepy image. Does anyone know if […]


Praises for the TSA

We join our glorious Soviet brothers of the TSA in rejoicing at the final overthrow of the bourgeois conception of “liberty” and “freedom of expression” at the Homeland’s airports. The People’s Anonymous Commissar announced: This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining […]


Saving the Taxpayers Money

The Washington Times reports, “Outsourced passports netting govt. profits, risking national security.” It is the first of a three-parter. Interesting comments: The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put […]


Saying it loud — OpenID leads to phishing

Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly: OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become. There you have it. It has long been […]


ANSI on Identity Fraud

Tomorrow at 2 Eastern, ANSI will be hosting an Identity Theft Prevention and Identity Management Standards Panel. Key analysts, industry leaders, and members of the Identity Theft Prevention and Identity Management Standards Panel (IDSP) will lead an online discussion of a new report that promotes access to and implementation of tools and processes that can […]


Bye-Bye Pay By Touch!

I’ve always been concerned about biometric systems for payment. I don’t want my fingerprint to be able to access my bank account: I leave fingerprints all over the place. I’m glad to see that biometrics pioneer Pay-By-Touch is shifting focus: Pay By Touch, which has made a major push in POS biometric payments, is backing […]


What's an Identity Oracle (LLPersonas)

Adam: So you say “my oracle.” Who is that? Is it an entity which I control? To be cynical, how does ‘my identity oracle’ differ from Choicepoint? Bob Blakely:My oracle most assuredly does not belong to me. It’s a commercial enterprise. It differs from choicepoint in that it has contracts with its data subjects which […]


More on LLPersonae, Identity Oracles, and RCSL

Adam: But applying for a job is exactly what you describe, “organizations with whom you don’t have a lot of history and interaction.” For an awful lot of people, they apply for jobs broadly. One cashiership is as good as another. And there are a lot of places where I’d like to protect my privacy. […]


Limits of Limited Liability Personas?

Adam: I have some cost questions, but I think more importantly, this can limit my exposure to, say, a credit card, but I can get most of this without paying Delaware a couple of hundred bucks. I get a PO box, a limited credit card, and a voice mail service. What’s the advantage that’s worth […]


Bob Blakely on the LLP

Adam: The LLP is a great analogy because that’s exactly what the Limited Liability Partnership was, and is, for: controlling liability in transactions. The growth of the limited liability corporation allows me, as an investor, to invest a set amount of money, and know the limits of my exposure to management errors. But I can’t do […]


Mike Neuenschwander on Limited Liability Personas: Intro

I was deeply intrigued when I read an article in the New York Times, “Securing Very Important Data: Your Own.” Mike Neuenschwander of the Burton Group proposed an idea of “limited liability personas.” I thought this was so cool that I emailed him, proposing we interview him for the blog. He’s agreed, and here’s part […]


I am not an eyeball, I am a free man!

Kim Cameron has a very interesting article on the distinction between accounts and credentials, “Grab them eyeballs! Any cred at all!:” Is this logical? It all escapes me. Suppose I start to log in to Dare’s blog using an AOL OpenID. Does that make money for AOL? No. I don’t have to give AOL two […]


Fake Steve and Real Mackey

So with the small, literal men at the New York Times poking through the veil of anonymity that allowed Fake Steve to produce the best blog since “The Darth Side,” we have a serious threat to the stability of the republic, which is the false hope that by assigning people names, we can control them. […]


Welcome iouhgijudgviujs, please log in!

Ben Laurie has shown time and again that OpenID is Phishing Heaven. It’s also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you. I also know that there are people I respect […]


Laurie, Cameron and Brands (Oh My!)

There’s a fascinating exchange going on between Ben Laurie, Kim Cameron, and Stefan Brands. This is utterly fascinating if you have any interest at all in online identity, but haven’t had the time to compare systems. I’d try to contribute, but I’ve been in the midst of a large project at work. Archival links: Stefan: […]


Facebook Hangover

On Dave Farber’s list, Brock Meeks pointed us to a delightful Facebook Smackdown. Brock says, What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think… Trust me, it’s worth the look. And indeed it is worth looking at, along with Patrick Schitt’s contribution of the background […]


Credentica White Paper & Presentation

The title of Stefan Brands’ blog post, “New Credentica white paper and other materials,” pretty much says it all. If you think about identity management, you should go check these out. Our white paper discusses all of the features of the U-Prove SDK without going into technical detail. The basic features are: transient ID Tokens; […]


"Free the Grapes" Externalizes Risk

Or so “Shipcompliant” would have us believe, with a blog post entitled “Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices.” The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions […]


No RFID In Real ID

So DHS finally released the proposed new standard for drivers licenses as mandated under the Real ID Act. It’s a rather long document (over 150 pages) so I haven’t had a chance to read the whole thing but 27B Stroke 6 has some highlights, including: While some expected Homeland Security to require the licenses to […]


Identity theft numbers: Javelin vs. FTC

So there was a bunch of press last week from a company (Javelin) claiming that ID theft was falling. Consumer Affairs has a long article contrasting Javelin and FTC numbers, well summarized by the claim that “FTC Findings Undercut Industry Claims that Identity Theft Is Declining.” I think that there’s an interesting possibility which isn’t […]


FTC Accepting Comments on ID Theft

The President’s Identity Theft Task Force announced that it is seeking public comment on various possible recommendations to improve the effectiveness and efficiency of the federal government’s efforts to reduce identity theft. The Task Force is chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras and participants […]


Two On Identity

There’s the Budapest Declaration on Machine Readable Travel Documents: By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increase the risk of identity theft. Simply put, the current implementation of the European passport utilises technologies […]


Debix Launches

I’m also really excited to share the news that my friends at Debix have launched their service, and it’s now available to the public. It is, in my opinion, the best identity theft preventative measure available today, and you should seriously consider signing up. The way it works is that they put a lock on […]


Ali, by Any Other Name

Bob Blakley used to be fond of saying that privacy is the ability to lie and get away with it. To have to hide one’s name is considered deeply shameful. But with sectarian violence surging, Iraqis fear that the name on an identification card, passport or other document could become an instant death sentence if […]


ID Theft as a Not-For-Profit Activity

The New York Times has an article, “Some ID Theft Is Not for Profit, but to Get a Job,” about immigrants using other people’s SSNs so they can get jobs, and the impact that this has (because of the databases that run our lives): “All that was happening was that the illegal alien who had […]


An Odd IDology

So over at the “ID Space,” jdancu (who I assume is John) writes some responses to questions I posted to Kim Cameron’s blog. The article is “Knowledge Verification In Practice…” Kim also has a response, “Law of Minimal Disclosure or Norlin’s Maxim?” Since this is part of a continuing conversation, let me summarize by stating […]


Identity 2.1

Dave Weinberger absolutely nails why I worry about the whole Identity 2.0 plan, in “Anonymity as the default, and why digital ID should be a solution, not a platform.” If you know what Identity 2.0 means, you owe it to yourself to read this post. If you build Identity 2.0 platforms/solutions/best-of-breeds, you owe it to […]


The Down Side of "Strong" Authentication

Brad Stone has a great article in Wired about his car being stolen and the insurance company insisting that he must be lying because he still had all of his fancy RFID enabled keys. This assumption that the security system is perfect is going to continue to bite consumers especially as banks move to two-factor […]


"Privacy" International

As mentioned by Ben Laurie, Simon Davies, the Director of Privacy International, was quoted in IT Week’s “Will industry rescue the identity card?” as saying: “I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the […]


How Damaging is a Breach?

Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What’s the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories. For example, we know of 800 ID thefts from the […]


ID Theft and the 18-24 Set

Matt Rose has an interesting post, “What is Higher Education’s Role in Regards to ID Theft?:” A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is […]


The SSN Is Also A Poor Identifier

There’s an idea floating around that a major problem with SSNs is their dual use as identifiers and authenticators. (For example, Jeremy Epstein, “Misunderstanding the risks of SSNs,” in RISKS-24.29) This is correct, but the phraseology leads to people trying to solve the problem by saying “if we just used SSNs as ID numbers, and […]


Compartmentalization of Identity

Kim Cameron has a post, “IBM Researcher Slams UK Identity Card Scheme” in which he writes: He couldn’t be more right. My central “aha” in studying the British government’s proposal was that the natural contextual specialization of everyday life is healthy and protective of the structure of our social systems, and this should be reflected […]


Blogrolling Kim Cameron

I’ve added Kim Cameron’s Identity Blog to the blogroll. There’s a great post “Inebriation and the Laws of Identity” about what happens to you when you’re not firm and resolved about when you hand over your ID. Hint to Paul Toal: The data is used for fraud prevention, and will stay in their databases forever. […]


Counting In Background Checks

There’s some fascinating presentation of numbers in the BBC’s “Criminal records mix-up uncovered:” Education Secretary Alan Johnson told the BBC only 0.03% of the nine million “disclosures” the agency makes had been wrong, so the issue had to be put “into context”. He is so right! Let’s put those numbers in context, shall we? The […]


Homeland Security Privacy Office Slams RFID

Via Kim Cameron (“Homeland Security Privacy Office Slams RFID Technology”), I read about “The Use of RFID for Human Identification.” This is an important report. The money quote is useful because it comes out of DHS: Against these small incremental benefits of RFID are arrayed a large number of privacy concerns. RFID deployments’ digitally communicated […]


ID Theft, meet IRS

One of the things that makes building secure products such a challenge is how hard people will work to steal. Clever criminals who come up with new attacks will spread them around. Today’s attacks often seem to center on identity. “Identity” seems to be hard-wired into our brains (or at least our society) as a […]


President Bush Calls for National ID Card

[Bush] also proposed to cut back on potential fraud by creating an identification card system for foreign workers that would include digitized fingerprints. He said that a tamperproof identification card for workers would “leave employers with no excuse” for violating the law. Of course, that means the rest of us will need the cards, too, […]


I Would Prefer Not

First, apologies to Kim Cameron for taking a while to get to posting this. Being at a conference in Montreal, I was distracted from in-depth blog entries. Go figure. Anyway, in a back and forth on to develop a short explanation of Infocard, we are at: The relying party states what assertions it wants, the […]


Infocard: Have I Started a Trend?

After I posted “Infocard, Demystified,” I’m finding a whole lot of articles about it. Mario posted links to “A First Look at InfoCard” and “Step-by-Step Guide to InfoCard” in MSDN magazine, which are useful, but longer descriptions. In “What InfoCard Is and Isn’t,” Kim Cameron reprints an article from Computer Security Alert. So now I […]


US Travel ID to have RFID Readable at 25 feet

Declan McCullagh and Anne Broache have the story in “New RFID travel cards could pose privacy threat:” Homeland Security has said, in a government procurement notice posted in September, that “read ranges shall extend to a minimum of 25 feet” in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the […]


Infocard, Demystified

For every product, there are thousands of sentences which result in the reply “well, why didn’t you just say that?” The answer, of course, is that there are thousands, and often it’s not clear which is the right one. For me, the useful sentence is that ‘Infocard is software that packages up identity assertions, gets […]


Kudos to Avis

I happened to look recently at the little card that Avis puts in the cars of frequent renters. The idea is that you land, get to Avis, see your name on a board, and walk directly to the car with one fewer line to stand in. So as you drive away, the fellow who checks […]


Better ID Theft Statistics: 3% of US households in first half 2004

The 2004 National Criminal Victimization Survey includes ID theft data, for the first time. From a CSOOnline blog post, “DOJ Study: ID Theft Hit 3.6M In US:” About 3 percent of all households in the U.S., totaling an estimated 3.6 million families, were hit by some sort of ID theft during the first six months […]


Government Issued Data and Privacy Law

I’d like to say more about the issue of privacy law, and clarify a bit of jargon I often use. (Alex Hutton pointed out it was jargon in a comment on “There Outta be a Law”.) As background, some people have objected to privacy laws as being at odds with the First Amendment guarantees of […]


Identity Theft and Child Pornography

The CBC has a story on how “Global child porn probe led to false accusations:” An international investigation of internet-based child pornography has led to accusations against innocent victims of credit card fraud, a CBC News investigation has found. In other cases, victims of identity theft found themselves fighting to save their reputations, jobs and […]


I am not a Probabilistic Polynomial Time Turing Machine; I am a Free Man!

In a jargon-rich yet readable essay (“Cryptographic Commitments”), David Molnar discusses the assumptions that he brings to his work as a cryptographer. It’s fascinating to me to see someone lay out the assumptions portion of their orientation like this, and I think readers can ignore the specifics and get a lot out of the essay. […]


Identity is Hard, Let’s go Shopping.

Kim Cameron, in the course of saying nice things about us (thanks, Kim!) says: “In my view, the identity problem is one of the hardest problems computer science has ever faced.” I think this is true, and I’d like to tackle why that is. I’m going to do that in a couple of blog posts, […]


What’s in a Name?

A rose by any other name might smell as sweet, but it would certainly be confusing to order online. Consistent naming is useful, but requires much effort to get right. In identity management, which I hadn’t thought of as closely related to taxonomies, Zooko has argued that names can be “secure, decentralized or human memorable […]


Economics of Detecting Fake ID

During 2005, the Vail Police Department alphabetized hundreds of drivers licenses, passports and other shoddy identification that will be incinerated at year’s end. Once the IDs come through the department’s doors, they’re gone for good, Mulson said. A liquor license allows bars to confiscate any ID that is fake or appears to be fake. Glendining […]


Secretly Admiring

Quick! Name the speaker: In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing […]


Sent 'Race-Customized' Valentines

How are’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There’s nothing wrong with that on the surface. But we wondered how […]


The Leaf of Trust

One of the most interesting and controversial aspects of Phil Zimmermann’s PGP was that it avoided any central repositories of information, relying instead on what Phil labeled the “web of trust.” The idea was that if Alice “trusts” Bob, and Bob “trusts” Charlie, there’s some transitive trust that you can establish.[1] (I’m going to stop putting […]


It Depends What The Meaning of "Credit Report" Is

Bob Sullivan has a must-read article “Her ATM card, but her impostor’s picture” about a woman whose SSN is being used by someone else: For years, Margaret Harrison believed she had an impostor. There were signs her Social Security number was living a double life. Four years ago, an unemployment office in West Virginia almost […]


New Passports More Secure than Wet Paper Bags (Barely)

Remember the US Government plan to put a radio chip in your passport? The one whose security has never been seriously studied, whose justification seemed to boil down to a hope that it would speed processing, but even that was wrong? The one whose security gets worse every time anyone competent looks at it? Well, […]


Introducing Debix

I’m at Black Hat Federal this week, helping introduce Debix. Of all the systems that I’ve heard about to combat identity theft, Debix’s stands far above the crowd, which is why I’ve joined their advisory board: In the physical world, we have the ability to place locks on everything from cars to safety deposit boxes […]


Investing in Identity Theft: The Job Fair

For Aisha Shahid and dozens of others who went to an advertised job fair in Chattanooga and got offers of nightclub work in Atlanta, Memphis and Miami, the “dream jobs” turned out to be an identity theft scam. A man who identified himself as record company and music group president William Devon took applications and […]


Real ID Even More Expensive Than Predicted

Bruce Schneier links to an AP article about the hideous costs of the RealID Act. Early estimates were for $120 million, current estimates are for $300 million for the first year alone, and that’s just for three states, Pennsylvania, Virginia and Washington state. So we can safely say that nationally we’re looking at billions of […]


More Victims of Money Laundering Regulations

In a comment on “Atlantis Resort (Bahamas) 50,000, Hacker,” Ian Grigg explains that the reason Bahamas Casinos collected 55,000 SSNs is that the various and sundry “anti-money laundering” regulations force them to, or be labeled “naughty.” Err, ‘non-compliant.’ How’s that for NewSpeak? There’s a pretty large steamroller behind such rules and regulations, and the push […]


Fingerprint Readers and the Economics of Privacy

I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because a great many privacy-invasive systems depend on either social security numbers or government-issued identity documents. It seems quite consistent to restrict […]


Fake Fingerprints

Fingerprint scanning devices often use basic technology, such as an optical camera that takes pictures of fingerprints which are then “read” by a computer. In order to assess how vulnerable the scanners are to spoofing, Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They […]


Web Certificate Economics

In a comment on “Build Irony In,” Frank Hecker writes: First, note that the “invalid certificate” message when connecting to using Safari is *not* because the certificate is from an unknown CA (or no CA at all); it’s because the certificate is issued to the server/domain (note the dash) and thus doesn’t match […]


Is the Database Half-Wrong, or Half-Right?

More than 8,000 people have been mistakenly tagged for immigration violations as a result of the Bush administration’s strategy of entering the names of thousands of immigrants in a national crime database meant to help apprehend terrorism suspects, according to a study released on Thursday. The study, conducted by the Migration Policy Institute, a research […]


Deborah Davis Charges Dropped, Rally to Proceed

Ann Harrison reports: The government dropped all charges against Deborah Davis yesterday for failing to show her ID on a Denver public bus. Officials claim that passengers still have to show ID to transit through the Denver Federal Center, but said there were no clear signs to inform them of this requirement. Davis’ lawyers are […]


EPIC on RFID Passports

According to documents (pdf) obtained by EPIC under the Freedom of Information Act, a government report found significant problems with new hi-tech passports. Tests conducted last year revealed that “contactless” RFID passports impede the inspection process. At a meeting of a Privacy Advisory Committee today in Washington, EPIC urged (pdf) the Department of Homeland Security […]


Economics of Fake ID (Kremlin Edition)

Russian security agents have arrested a group of policemen and civilians suspected of forging Kremlin passes. The items seized included identity cards guaranteeing entry to President Vladimir Putin’s offices, the FSB security service said. … According to security officials, some of the items were being sold at a car market in the south of Moscow, […]


Like Taking Candy from a Database

Candice “Candy” Smith, 44, of Blue Springs, Mo., pleaded guilty to making unauthorized inquiries into data aggregator LexisNexis’s database of non-public information on millions of consumers, such as driver’s license information and credit-history data. Many people might assume that only cops can look up this type of information, but Smith was granted access to the […]


Guerrilla Identity Protection

Next time you call customer service to manage one of your accounts and they ask you for pseudo-private information like your SSN or Mother’s maiden name, ask them for their name. When they ask why (feel free to prompt since this probably isn’t completely out of the ordinary) let them know that you are keeping […]


Fake ID Markets

Social Security cards run about $20, green cards about $70 and a California driver’s license between $60 and $250. The price jumps up for higher-quality documents, such as IDs with magnetic strips containing real information — often from victims of identity theft. … “You name it, they can make it,” said Los Angeles Deputy City […]


More on Deborah Davis

The story of Deborah Davis is getting lots of attention. Rob sent me Refusal to present ID sparks test of rights, which includes: “I boarded the bus and spoke with the individual, Deborah N. Davis . . . asking why she was refusing,” wrote the first Federal Protective Service officer in an incident report posted […]


Properties of National ID Systems

In “learning from others,” Jerry Fishenden writes at length about National ID systems and their impact on society. His post includes a list of properties an ID system should have (originally from Niels Bjergstrom). His theme that these systems don’t only have ‘features,’ but properties is an important one. I’d like to suggest two additions: […]


American Express and Privacy

There’s a fascinating story at imedia connection, “Why Consumers Trust American Express:” How has American Express retained its position? Kimberly Forde, an American Express spokesperson, told me that “American Express is very pleased to be recognized by consumers for its ongoing and strong commitment to privacy.” Moreover, she felt that American Express had done a […]


Check images increase forgery and ID theft risks?

The October 26 on-line edition of American Banker (gotta pay to see it, so no link from me) discusses new technologies as possible enablers of check forging, in an article by Daniel Wolfe, “The Tech Scene: Check Images A New Frontier For Forgery?” The overall point is that since banks store check images and provide […]


Interesting Tidbits (Adam)

John Gruber has an interesting article on the economics of being a one-man software shop, “The Life.” He uses the case of Brent Simmons and NetNewsWire to shed light on why the life of a small software development shop is so hard. Jeff Veen of Adaptive Path has announced “MeasureMap,” a new blog-focused log analysis […]


UK ID Cards a Doubly Bad Idea

Microsoft UK National Technology Officer Jerry Fishenden warns that the push for a national ID card in Great Britain could lead to identity fraud on a gigantic scale unlike anything that has been seen before. The Register reports… and Charles Clarke confirms that ID cards will be a massive waste of both time and money […]


Real ID, Real Unfunded Mandate, Real Unnecessary

It seems to be standard that major new government programs cost more than we expect. Federal Computer Week has a story, “Real ID costs rising:” Earlier this year, Congressional Budget Office officials said nationwide implementation of the Real ID Act would cost $100 million in five years. The act requires minimum national standards and physical […]


Security Implications of Economics of ID Cards

Some of the precepts that proponents of national ID often put forth are that it can make “illegal immigration more unpleasant for immigrants,” or that “a national ID system has some substantial potential to be the cornerstone of a national fraud-prevention system.” These are attractive notions, but will not be borne out in reality. Actually, the […]


More on Preserving the Internet Channel Against Phishers

A new survey is reported in “Privacy and Security Concerns Flatten Interest in Online Banking” (Government Technology): After years of dramatic growth in online banking penetration, the percentage of Americans who conduct personal banking activities online remained unchanged during the 12-month period ending August 2005. According to results from a new survey of 1,000 American […]


WiKID Goes Open Source

WiKID is a two-factor authentication system. It consists of: a PIN, stored in the user’s head; a small, lightweight client that encapsulates the private/public keys; and a server that stores the public keys of the clients and the user’s PIN. When the user wants to log in to a service, they start the client and enter […]


US Air Force Hack and TSA

I just blogged about a breach of data which could be used for ID theft in “US Air Force, 33,000 SSNs, Hacker.” I’d like to tie that to a story I mentioned earlier this week, “TSA May Loosen Ban on Razorblades, Knives:” The Aug. 5 memo recommends reducing patdowns by giving screeners the discretion not […]


Two On ID Theft

Newsfactor has a long story, “U.S. Passes the Buck on Identity Theft,” which discusses the Identity Theft Penalty Enhancement Act of 2004, some of a current crop of products designed to reduce ID theft risks at businesses, and the need to shift liability. Speaking of shifting liability, in “Despite Claims of “Exceptional” Security, Acxiom’s Defenses […]


Passport Forgery Legal in UK?

The arrest of the Algerian-born Briton with 452 forged European passports at Bangkok’s Don Muang airport is only the latest in incidences of document forging in Thailand. … But here’s the rub: The suspect, 35 year old Mahieddine Daikh, may not be charged with any crime. To date none of the governments whose forged passports […]


Long Bits of Stuck in McCarran International Airport

Kudos to McCarran International Airport (Las Vegas) for having free wifi. And congrats to my fellow Defcon attendees for stealing the cookie that authenticates me to this blog off that wireless net. Tech Policy points to Bill West at Counterterror blog, in “Liberty & Security vs. Terror – an American Perspective.” It’s worth reading in […]


Random Thoughts on Specter-Leahy

Senators Specter and Leahy have proposed a new law on identity theft and privacy. Some thoughts as I read it. But first, what the hell are they doing preventing me from copying sections? Frigging DRM. Quotes shall be shorter than they otherwise would. Title III, 301.b.1 (pg21): “A data broker shall, upon the request of […]


ID Card Program Stopped Over Security Concerns

So reports the LA Times (Bugmenot) in “Pot ID Card Program Shelved:” California health officials Friday suspended a pilot program that issues photo identification to medical marijuana users out of concern that a recent U.S. Supreme Court ruling could make the state and ID holders targets for federal prosecution.


Backup Tapes?

Allan Friedman asks for comments on Lauren Weinstein’s post to Interesting People: (Lauren W) Ironically, it’s true that the probability of lost backup tapes being used opportunistically for ID theft is probably fairly low, at least in comparison to all the “ID theft supermarkets” that are out there — crooked commercial and government employees willing […]


Equifax CEO: ID Theft is an epidemic

But [Equifax CEO] Chapman acknowledges Equifax has “no silver bullet” when it comes to thwarting fraud. One popular belief is that checking a credit report once a year is a defense. That doesn’t protect consumers, Chapman said. “It’s not going to help and the public is starting to learn that,” Chapman said. He decried the […]


UK ID Cards, Choicepoint, and Privacy

Usually, government ministers wait until a new program has been rolled out before they start reneging on their promises of how it will work. But in the brave new world of UK ID cards, they’re being honest. As the Independent reports in “Ministers plan to sell your ID card details to raise cash”: Personal details […]


Identity Thieves Drain Unemployment

But the most underpublicized identity theft crime is one in which thieves defraud state governments of payroll taxes by filing fraudulent unemployment claims. It can be a fairly lucrative scheme, too. File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve […]


On Real ID, and Hearings

Privacy Law has a post, “Senate to Hold Security Breach and ID Theft Hearings” about a June 16 2005, Senate Committee on Commerce, Science and Transportation hearing on identity theft. The DailyBulletin editorializes against the Real ID act, “


Markets in Social Security Numbers

Social security numbers used to be just for social security. But the government is the only actor in the marketplace who can produce something, and also mandate demand for it. In the case of SSNs, they’ve created a large demand by declaring that Uncle Sam gets to decide who you may hire. (The gossip-mongers credit […]


Small Bits: Wives Vs. The Dark Side, Diamonds, FRCA, Brill & Lexis-Nexis

VikingZen posts her Two Cents about Revenge of The Sith, and closes with: My big question: Why didn’t Padme just release a can of whoop-ass on her husband? I mean, they’re secretly married, the guy’s off in some outer galaxy playing space cowboy while she’s lugging around a pregnant belly full of twins? How about […]


The Strange Case of Syed Maswood

A year after federal agents raided his home in a terrorism investigation, Muslim businessman Syed Maswood is lucky to get on an airplane without being detained and searched. But that didn’t stop him from getting an invitation to dine with U.S. President George W. Bush. Maswood, a nuclear engineer who has not been charged with […]


Perspectives on "Identity Theft"

WYFF-TV, “The Carolina Channel,” interviews two fraudsters who made money impersonating others. If you have any doubt these people are scum, one impersonated his own brother, and stole $71,000. In another, on Dave Farber’s list, victim Tom Goltz writes: Speaking as a victim of identity theft, there is absolutely nothing that an individual can do […]


Small Bits of Chaos all Starting with Names

Mike Solomon, of PithHelmet fame, comments on RSS spam, and promises to do something about it. (Incidentally, I’ve been wondering about NetNewswire’s cookie behavior when you load pages, but some rummaging in its files didn’t seem to turn up cookies, and I needed to go blog earn money.) Alan Chapell (whose blog is looking much […]


Hasbrouck on RFID Passports

In his closing CFP keynote, Bill Scannell of asked for voice votes by the audience on whether a series of government measures including the use of secretly and remotely-readable RFID chips in passports were stupid or evil. “Both” seemed to be the predominant response. I and some others (including Ryan Singel of Wired News […]


Ed Felten on Passports

Yesterday at CFP, I saw an interesting panel on the proposed radio-enabled passports. Frank Moss, a State Department employee and accomplished career diplomat, is the U.S. government’s point man on this issue … In the Q&A session, I asked Mr. Moss directly why the decision was made to use a remotely readable chip rather than […]


Rational Response?

Sitting at a coffeeshop today, I listened to the fellow behind me try to get Dell and Equifax to agree to fix his credit. It seems that his father passed away recently, in debt to Dell over a computer. That debt is now on his credit report, despite his not being a co-signer for the […]


59 breaches at Lexis-Nexis

[T]he company said just 2% of those informed by the company in March of the security breach had accepted its offer of free credit monitoring and none had reported identity theft. All the others will also be offered the services it said. (From CNN, or see the statement here.) So, let’s review. A slew of […]


Lexis Nexis, Tenfold

Lexis Nexis is saying that they understated the number of victims in last month’s incident. It is not 32,000, but 310,000. Kudos to them for stepping up and admitting to it. It’s the right thing both ethically and strategically. Reed spokesman Patrick Kerr said that the first batch of breaches was uncovered by Reed during […]


Small Bits: Biometrics in Drivers Licenses, Cars, Privacy Art

Grits for Breakfast writes about his testimony before the Texas House in Biometrics debate hinged on ID theft: The committee also seemed surprised that DPS had included facial recognition technology in their drivers license re-engineering RFP, even though the Legislature did not approve it. My understanding is that the AAMVA (American Association of Motor Vehicle […]


"Public Availability of Private Information"

Screendiscussion makes a case for criminal records searching as an adjunct to a background check: One of the biggest downsides is that the records can only be searched by name, an occurrence that is becoming more common even at the lower courts. This might not be a problem if the name being searched is pretty […]


Three Times is Enemy Action

With the announcement yesterday of a stolen laptop with 30 years of alumni social security numbers on it, and the October break-in that led to 1.4 million people being exposed, how long until California forbids the University from holding such numbers? Clearly, they’re not to be trusted; students have no choice but to provide that […]


Discretionary Disclosure

A man who pleaded guilty to hacking into an Arkansas data company’s computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison. Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August. Baas was a systems administrator for Market Intelligence […]


Bad advice on SSNs

Bad advice on use of social security numbers abounds, often in technical documentation. Credit goes to reader Jonathan Conway for digging many of these out. There are a few very common errors which we can find, thanks to Jonathan’s research: Social security numbers are un-changing. No, they are not. Victims of identity theft, domestic abuse, or […]