Security-by-credential or security-by-inspection

Greg Broiles gbroiles at parrhesia.com
Fri Nov 9 13:12:59 PST 2001


At 01:10 AM 11/9/2001 +0100, Nomen Nescio wrote:
>[...]
>A few other irrelevant points have been made.  Given that ID is not
>perfectly reliable, do we need to tattoo numbers on people's forearms?
>This is the fallacy of perfection.  ID can be combined with a simple
>thumbprint for biometric identification (already widely used for cashing
>checks) and you will raise the cost of forgery considerably.

Bullshit. There's no real-time on-line database of ordinary citizen 
fingerprints available to match versus ID cards, even if the cards (which 
don't exist and haven't been issued) were available.

Thumbprints taken in banks don't do anything to immediately ID the person 
cashing a check - they provide evidence about who got the money, if the 
check turns out to have been fraudulent or stolen .. but to be worth much, 
the fingerprint needs to be matched to a name (which is only possible if 
that finger of that person has been fingerprinted and archived before, and 
they're both good, readable prints), or to a physical body, which might 
happen after an arrest.

They're evidence which is useful in court, but they don't do a thing to 
tell the bank whether or not the transaction is likely to fail.

So, yeah, sure, thumbprints would let us know if the dead suicide bomber's 
"real name" was really the one he used to rent the truck or buy the plane 
ticket .. or if he just got started on his project early enough to get his 
stolen identity matched to his real fingerprint .. but how, exactly, is 
that going to Save the Children?

I agree that it will help law enforcement agents make a nice crisp 
presentation in Congressional hearings about how they dug up the suicide 
bomber's Permanent Record all the way back to preschool less than 45 
minutes after they turned a daycare center into a slaughterhouse .. but I 
don't really give a shit about that.

The only way you can use fingerprints and ID cards to begin to prevent the 
killing in the first place looks like this:

1.      Reliably fingerprint everyone on the planet and record their "true 
name", whatever that is, and issue ID cards to them with that data.
2.      Cross-reference the data in (1) with existing criminal, 
intelligence, mental health data, making sure that in the process of doing 
that you don't screw up people's right to privacy in medical records, 
reveal existing investigations, or reveal intelligence sources/methods.
3.      Distribute cheap and reliable fingerprint readers all over the 
planet (or maybe all over the US, though it's hard for me to imagine other 
countries will cooperate with (1) unless they get them too) so that 
people's fingerprints can be imaged locally.
4.      Build a real-time database capable of storing & retrieving the data 
from (1) and (2) given fuzzy images from (3), and a network capable of 
providing simultaneous access for millions of clients.
5.      Give access to (4) to everyone who needs it, but prevent them from 
using the data they gather (like fingerprint images and personal data) for 
ID theft or impersonation.
6.      Develop either an algorithm/expert system which decides which 
people ID'd within the system are allowed to do certain things (like "board 
a plane", "buy av gas", "rent a truck", etc), or delegate that decision to 
many thousands of minimum-wage clerks, who will not be susceptible to 
trickery nor bribes.

Can you get that up and running in, say, 60 days?

California has been trying for years to get a vastly less ambitious system 
working even a little bit at the Department of Motor Vehicles - at one 
point (several years in) they figured out that they had to throw away 
everything they'd done so far and start all over again. A project like you 
propose in your casual, offhand manner is probably 100 times more expensive 
and more complicated than California's .. but that doesn't seem to scare 
you. The IRS's computer system is in similar disarray - they can't always 
find records or correlate things, and they've gone ahead and assigned 
everyone nice easy numbers, and they operate on a timeframe of months and 
years, not seconds ticking by at a departure gate or a gas station pump. 
The FBI tried to build a database of disqualified firearm purchasers for 
use in the "instant check" process and it's proved to have an error rate of 
between 5 and 10%.

If the CA DMV, the IRS, and the FBI can't get these sorts of databases up 
and running given their already generous budgets (millions and billions) 
and timeframes measured in years, how can you possibly think that anything 
like this is even possible - even before reaching the "is it a good idea?" 
question.

>   Many of
>the hijackers would have been caught simply by cross-referencing their
>IDs against existing databases.  That's what El Al does and they have an
>excellent safety record in the most terrorist-infested part of the world.

Hmm. Then it's funny that Mohammed Atta (likely the worst-looking on paper, 
since he's the guy who was meeting with an Iraqi intelligence agent in 
Prague and had outstanding criminal/traffic warrants) was able to clear 
Customs when he re-entered the country.

The "ID card" fairy tale still loses.

Further, your "perfection isn't necessary" argument would be reasonable if 
we weren't talking about trying to solve a terrorist problem - but it's my 
impression that's the context of this discussion. The interesting thing 
about terrorism is that its direct effects aren't especially important - 
it's the secondary effects on people not physically affected by the event 
which give terrorism its power. Losing 5000 people in one day to an 
identifiable cause - or the 3 or 4 that we've lost to anthrax - is 
absolutely nothing, statistically speaking. Red meat and cigarettes 
probably kill a WTC's worth of people every day in the US alone - and we 
probably lose an anthrax letter's worth of deaths every day to even more 
obscure stuff like bee stings or wading pools.

Those events are powerful not because of the people killed and property 
damaged, but because of the fear that the other 230 million people in the 
US feel (+ more worldwide), because they're faced with the possibility of 
successful, similar attacks - and that's why a mealy-mouthed "my security 
system isn't perfect but it'll reduce the marginal success rate and that's 
still valuable" doesn't even come close to solving the problem, because 
people are already freaked out about a statistically insignificant risk. 
Reducing that infinitesimal risk further without eliminating it is a waste 
of time.

(Accordingly, some measures do nothing to reduce the actual risk but make 
people feel better because of their superstitious beliefs about the power 
of guns or databases or the application of arbitrary screening and sorting 
rules. The placebo effect created by these measures isn't unimportant - but 
let's create it by more traditional and less risky means, like prayer and 
faith in supreme beings and/or ritual pledges of allegiance or other 
ceremonies, instead of wasting lots of time and money creating unstable 
oppression systems ripe for misuse or takeover.)


--
Greg Broiles -- gbroiles at parrhesia.com -- PGP 0x26E4488c or 0x94245961
5000 dead in NYC? National tragedy.
1000 detained incommunicado without trial, expanded surveillance? National 
disgrace.




