A Wednesday letter from the Presidential Advisory Commission on Election Integrity gives secretaries of state about two weeks to provide about a dozen points of voter data. That also would include dates of birth, the last four digits of voters’ Social Security numbers… (NYTimes story) As of this writing, 44 states have refused.
I want to consider only the information security aspects of the letter, which also states: “Please be aware that any documents that are submitted to the full Commission will also be made available to the public.”
Publishing a list of SSNs is prohibited by 42 USC 405(c)(2)(C)(viii), but that only applies to “SSNs or related record[s].” Related record means “any record, list, or compilation that indicates, directly or indirectly, the identity of any individual with respect to whom a social security account number or a request for a social security account number is maintained pursuant to this clause.” So it’s unclear to me if that law prohibits publishing the last 4 digits of the SSN in this way.
So, if a list of the names, addresses, dates of birth and last four digits of the SSN of every voter is made available, what does that do to the myth that those selfsame four digits can be used as an authenticator?
I’d like to thank the administration for generating so much winning in authentication, and wish the very best of luck to everyone who now needs to scramble to find an alternate authentication technique.
Image credit: Jeff Hunsaker, “Verified by Visa: Everything We Tell Folks to Avoid.”
The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over the telephone or re-set a password.
All banks in the report used some version of the Social Security number as a means of authenticating the customer, Javelin found. The pervasive use of Social Security numbers was surprising, given the importance of Social Security numbers as a tool for identity theft, said Phil Blank, managing director of security, risk and fraud at Javelin. (“Banks Rely Too Heavily On Social Security Numbers, Report Finds“, Ann Carrns, New York Times)
Previously here: “Social Security Numbers are Worthless as Authenticators” (2009), or “Bad advice on SSNs” (2005).
There’s something important happening around Google+. It’s the start of a rebellion against the idea of “government authorized names.” (A lot of folks foolishly allow the other side to name this as “real names,” but a real name is a name someone calls you.)
Let’s start with “Why Facebook and Google’s Concept of ‘Real Names’ Is Revolutionary” by Alex Madrigal. He explains why the idea is not only not natural, but revolutionary. Then move on to “Why it Matters: Google+ and Diversity, part 2” by Jon Pincus. From there, see danah boyd explain that “‘Real Names’ Policies Are an Abuse of Power.” One natural reaction is “If you don’t like it, don’t use it. It’s that simple.” ORLY? As Alice Marwick explains, it’s really not that simple. That’s why people like Skud are continuing to fight, as shown in “Skud vs. Google+, round two.”

What’s the outcome? Egypt, Yemen and Saudi Arabia require real names. Meanwhile, “South Korea is abandoning its ‘real name’ internet policy.”

So how do we get there? Identity Woman suggested that we have a “Million Persona March on Google,” but she’s now suspended. Skud posted “Nymwars strategy.”
This is important stuff for how we shape the future of the internet, and how the future of the internet shapes our lives. Even if you only use one name, you should get involved. Get involved by understanding why names matter, and get involved by calling people what they want to be called, not what Google wants to call them.
“I was actually woken up with a flashlight in my face,” recalled Mike Santomauro, 27, a law student who encountered the [Border Patrol] in April, at 2 a.m. on a train in Rochester.
Across the aisle, he said, six agents grilled a student with a computer who had only an electronic version of his immigration documents. Through the window, Mr. Santomauro said, he could see three black passengers, standing with arms raised beside a Border Patrol van.
“As a citizen I’m offended,” he said. But he added, “To say I didn’t want to answer didn’t seem a viable option.”
From the NYTimes, “Border Sweeps in North Reach Miles Into U.S.”
If you think this is ok, where in the US should it not be legal for the armed agents of the state to demand your papers without any grounds for suspicion of wrongdoing?
Similarly, if a law student doesn’t see not answering police questions as a “viable option,” what do we do to restore balance to the Constitution?
Previously on Emergent Chaos: “100 Mile Constitution Free Zone.”
(San Diego, CA) Since the 1980’s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” numbers. Unfortunately, credit issuers do not currently have the ability to verify if a SSN belongs to an adult or a minor. If they knew that the SSN presented belonged to a minor they would automatically deny opening a credit account.
Years ago, the Identity Theft Resource Center envisioned a simple solution to this problem. It is called the Minors 17-10 Database and ITRC has been talking with various government entities and legislators about this concept since July 2005. (…)
The creation of a Minors 17-10 Database would provide credit issuers the tool to verify if the SSN provided belongs to a child. This proposed SSA record file would selectively extract the name, month of birth, year of birth, and SSN of every minor from birth to the age of 17 years and 10 months. This record file, maintained by SSA, would be provided monthly to approved credit reporting agencies. When a credit issuer calls about the creditworthiness of a SSN, if the number is on the Minors 17-10 Database, they would be told that the SSN belongs to a minor.
That’s from a press release mailed out by the normally very good Identity Theft Resource Center. Unfortunately, this idea is totally and subtly broken.
Today, the credit agencies don’t get lists from the SSA. This is a good thing. There’s no authorization under law for them to do so. The fact that they’ve created an externality on young people is no reason to revise that law. The right fix is for them to fix their systems.
The right fix is for credit bureaus to delete any credit history from before someone turns 18. Birth dates could be confirmed by a drivers license, passport or birth certificate.
Here’s how it would work:
- Alice turns 18.
- Alice applies for credit and discovers she has a credit history
- Alice calls the big three credit agencies and, after the usual runaround, explains she’s just turned 18, and apparently has credit from when she was 13.
- The credit agency asks for documents, just like they do today (see “when do I need to provide supporting docs”)
- The credit agency looks at the birthday they’ve been provided, and subtracts 18 years from the year field.
- The credit agency removes the record from the report
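To make the process above concrete, here is an added example (not code from the original post or from any credit bureau) of the one step that has any logic in it: computing the 18th birthday from the documented date of birth and dropping every tradeline opened before it. The tradeline format and the sample records are constructed for illustration; the only corner worth handling is a February 29 birthday, where the 18th birthday falls on March 1 in a non-leap year.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Tradeline:
    """A single credit account as it appears on a report (constructed format)."""
    creditor: str
    opened: date


def eighteenth_birthday(dob: date) -> date:
    """Return the date on which someone born on `dob` turns 18.

    Adding 18 to the year field fails for Feb 29 births in a non-leap
    target year; the person legally turns 18 on March 1 in that case.
    """
    try:
        return dob.replace(year=dob.year + 18)
    except ValueError:
        return date(dob.year + 18, 3, 1)


def purge_minor_history(dob: date, tradelines: list[Tradeline]) -> tuple[list[Tradeline], list[Tradeline]]:
    """Split tradelines into (kept, removed).

    Anything opened strictly before the 18th birthday cannot have been
    legitimately opened by the subject and is removed; an account opened
    on the birthday itself is kept.
    """
    cutoff = eighteenth_birthday(dob)
    kept: list[Tradeline] = []
    removed: list[Tradeline] = []
    for t in tradelines:
        (removed if t.opened < cutoff else kept).append(t)
    return kept, removed


# Constructed sample: "Alice", born on a leap day, with two accounts opened
# while she was a minor and two opened on or after her 18th birthday.
ALICE_DOB = date(1992, 2, 29)
SAMPLE_TRADELINES = [
    Tradeline("BigBox Card", date(2005, 6, 1)),    # age 13: fraud
    Tradeline("Phone plan", date(2010, 2, 28)),    # day before she turns 18
    Tradeline("Student loan", date(2010, 3, 1)),   # opened on her 18th birthday
    Tradeline("Auto loan", date(2011, 1, 15)),
]


def purged_creditors(dob: date = ALICE_DOB, tradelines: list[Tradeline] = SAMPLE_TRADELINES) -> list[str]:
    """Convenience wrapper: names of the creditors whose records get removed."""
    _, removed = purge_minor_history(dob, tradelines)
    return [t.creditor for t in removed]


if __name__ == "__main__":
    kept, removed = purge_minor_history(ALICE_DOB, SAMPLE_TRADELINES)
    print("18th birthday:", eighteenth_birthday(ALICE_DOB))
    print("removed:", [t.creditor for t in removed])
    print("kept:   ", [t.creditor for t in kept])
```

Nothing here needs an SSA feed: the only input is the date of birth the bureau already demands on its supporting documents, which is the point of the argument above.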
It’s easy, and doesn’t require anything but a change in process by the credit bureaus. No wonder they haven’t done it, when they can convince privacy advocates that they should get lists of SSN/name/dob tuples from Uncle Sam.
Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic:
Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there was no risk to users, and the experiment went drastically wrong. “Within five minutes, users had got hold of his telephone number, home address, photographs of him and a ton of other information,” said Mr Brand.
The key lesson is that your customers think about identity differently than you do, and trying to add it to a system is fraught with risk. (Don’t even get me started on the jargon “identity provider.”)
Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer problems.” See “Local computer security expert investigates police practices” in the Seattle PI. Some choice quotes:
…a charge was leveled against him in Seattle Municipal Court for obstructing a public officer. Controversial laws known as obstruction, “stop and frisk” and “stop and identify” statutes have been abused in other cities like New York, studies and news stories show. An obstruction case cited in a 2008 Seattle Post-Intelligencer investigation ended with a federal jury hitting Seattle police with a six-figure penalty.
Rachner’s criminal defense attorney sought dismissal of his gross misdemeanor charge, citing the Washington State Supreme Court decision that says arresting a person for nothing more than withholding identification is unconstitutional. One reason cited by the court: This practice allows police too much discretion to pick targets and punish with arrest. Also, the state constitution is more protective of these rights than the U.S. constitution.
The microphone picks up Letizia explaining the arrest to Rachner and a police sergeant, citing only the failure to provide identification as the reason Rachner was in handcuffs. No other provocations before the arrest were documented.
“The explanation is our servers failed,” said Seattle Police spokesman Sgt. Sean Whitcomb. “Data was lost, more than his, and it took some time to recover it.” “There is absolutely nothing in the activity log to support that claim,” said Rachner. “Moreover, if the video was unavailable, it was dishonest of them to claim the video could no longer be obtained because it was past the 90-day retention period. It is completely at odds with what they told me in writing.”
I say these are lies because their story keeps changing.
I hate paying the salaries of people who can’t tell me the truth, and I think I’ll be writing city hall for an explanation. If you live in Seattle, I suggest you do the same.
In “U-Prove Minimal Disclosure availability,” Kim Cameron says:
This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual Microsoft press release and lay it on you. The reason? Microsoft has just done something very special, and the fact that the announcement was a key part of the RSA Conference Keynote is itself important.
Further, Charney explained that identity solutions that provide more secure and private access to both on-site and cloud applications are key to enabling a safer, more trusted enterprise and Internet. As part of that effort, Microsoft today released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions. To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions. Charney encouraged the industry, developers and IT professionals to develop identity solutions that help protect individual privacy.
Kim then goes on to analyze the announcement, which is a heck of an important one.
Disclaimer: I work for Microsoft, and am friends with many of the people involved. I still think this is tremendously important.
Apparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people
Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer.
A law enacted by Puerto Rico in December mainly to combat identity theft invalidates as of July 1 all previously issued Puerto Rican birth certificates. That means more than a third of the 4.1 million people of Puerto Rican descent living in the 50 states must arrange to get new certificates. (“Shock over voided Puerto Rican birth certificates,” Suzanne Gamboa, AP)
If I’m parsing that right, all 4.1 million identities were stolen from their legitimate holders, and 1/3 of those are outside Puerto Rico, leading to an unclear level of actual effort to get the documents replaced.
Now, some people may take umbrage at my claim that this is identity theft. You might reasonably think that fraud by impersonation requires impersonation. But the reason that it’s called identity theft is that the victim loses control of their identity. False claims are tied to their name, SSN, birth certificate, etc. Those claims show up at random. Their sense that they have “a good name” is diminished and assaulted.
You might also claim that I’m exaggerating, but I’m not the one who titled the article “shock.” People are feeling shocked, confused and assaulted by this action.
So despite the not for profit nature of the crime, this is identity theft on the largest scale I’ve heard about in years.
Image from the Oritz family showcase.
- Air Canada is canceling US flights because of security. (Thanks, @nselby!)
- The New York Times reports that “Britain Rejected Visa Renewal for Suspect.” NPR reported that the State Department may have raised some sort of flag, but I don’t have a link.
- ABC is reporting that two of the “al Qaeda Leaders Behind Northwest Flight 253 Terror Plot Were Released by U.S..”
- Spencer Ackerman talks about “al-Qaeda’s Desperate Bid For Relevance, The Failed Plane Attack & Afghanistan:” “First, al-Qaeda’s signatures are redundance and simultaneity. Think 9/11, Madrid, London: all used multiple operatives focused on multiple targets, acting in unison. That’s to ensure something blows up if and when something goes wrong.” (Hmmm, also think USS Cole, but the article is worth reading.) Thanks to Jim Harper, who also mentions that:
- On January 13th, CATO will be holding a forum on “The Obama Administration’s Counterterrorism Policy at One Year.”
And for the prurient interest, the underwear, apparently still containing the explosives. It looks like they were cut off with scissors, implying that he was wearing them at the time. I wonder how much explosive energy a human thigh absorbs?
In conversation, a friend mentioned that the media whirlwind overwhelms the right response, which is to go on with our lives. Which is what I shall now do. Look! A burning goat!