Pages

Wednesday, February 04, 2004

Privacy International in cooperation with the Foundation for Information Policy Research, Statewatch and the European Digital Rights Initiative have just published a report on the air travel privacy issue. The report is called:"Transferring Privacy: The Transfer of Passenger Records and the Abdication of Privacy Protection" and is to be the first report in a series Privacy International call "Towards an International Infrastructure for Surveillance of Movement."

They accuse the European Commission of intending undermine the privacy rights of air travellers, systematic deception and subterfuge in relation to the promise to take a hardline on negotiations with the US over transfer of passenger data and covertly planning an EU surveillance system which "will be used not only for purposes of anti-terrorism, but also for immigration, law enforcement and customs" and a global air travel sureveillance system similar to the one being built by the US.

Privacy International are also calling for an investigation into these affairs by the European Parliament and for legal action against the Commission "to ensure that
this dangerous subterfuge does not occur in the future."

Pretty strong stuff.

Bruce Schneier is crystal clear as ever on "IDs and the illusion of security" over at sfgate.com.

"Everywhere, it seems, someone is checking IDs. The ostensible reason is that ID checks make us all safer, but that's just not so. In most cases, identification has very little to do with security...

...verifying that someone has a photo ID is a completely useless security measure. All the Sept. 11 terrorists had photo IDs. Some of the IDs were real. Some were fake...

...Harder-to-forge IDs only help marginally, because the problem is not making sure the ID is valid. This is the second myth of ID checks: that identification combined with profiling can be an indicator of intention.

Our goal is to somehow identify the few bad guys scattered in the sea of good guys. In an ideal world, what we would want is some kind of ID that denotes intention. We'd want all terrorists to carry a card that says "evildoer" and everyone else to carry a card that said "honest person who won't try to hijack or blow up anything." Then, security would be easy. We would just look at people's IDs and, if they were evildoers, we wouldn't let them on the airplane or into the building.

This is, of course, ridiculous, so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you're likely to be an evildoer...

"Profiling has two very dangerous failure modes. The first one is obvious. Profiling's intent is to divide people into two categories: people who may be evildoers and need to be screened more carefully, and people who are less likely to be evildoers and can be screened less carefully.

But any such system will create a third, and very dangerous, category: evildoers who don't fit the profile...
...Profiling can result in less security by giving certain people an easy way to skirt security.

There's another, even more dangerous, failure mode for these systems: honest people who fit the evildoer profile. Because evildoers are so rare, almost everyone who fits the profile will turn out to be a false alarm...

...Security is a trade-off; we have to weigh the security we get against the price we pay for it. Better trade-offs are to spend money on intelligence and analysis, investigation and making ourselves less of a pariah on the world stage...

...Identification and profiling don't provide very good security, and they do so at an enormous cost. Dropping ID checks completely, and engaging in random screening where appropriate, is a far better security trade-off. "

Can't fault Schneier's analysis on security. And the UK government could learn from this - the latest inquiry will presumably ultimately blame the intelligence community for the war in Iraq. Then there will be a 'review' and re-organisation of the intelligence services and more laws mandating blanket collection of personal data, which already overstretched law enforcement and intelligence services will somehow extract relevant information from. They'd be better off listening to Schneier - Better trade-offs are to spend money on intelligence, analysis and investigation.

No comments:

Post a Comment