From the AEGIS e-Journal, Volume 9 Number 10, October 2006
Identity Crisis: How Identification Is Overused and Misunderstood Jim Harper Cato Institute ISBN: 1-930865-85-6 288 pages $13.95 http://www.nbnbooks.com/ 1-301-459-3366 We often quote Bruce Schneier’s dicta on judging policy and practice: 1. What problem is the policy or measure trying to solve? 2. How can it fail in practice? 3. Given the failure modes, how well does it solve the problem? 4. What are the costs, both financial and social, associated with it, and flowing from its unintended consequences? ÆGIS, October 2006 10 5. Given the effectiveness and costs, is the policy or measure worth it? This approach seems critical to us in judging recent demands for increased use of identification. Thus, for example, one might look at the demands for identification before getting onto an airplane. Imagine that this policy had been in full force on 9/11. Would this have made a difference? No, because all the bad guys had perfectly legitimate ID. At present there seem to be three forces behind the new identification policies. The first is the political need to give the impression of doing something. Because of this, security theatre is often thought to be adequate because the question being asked is not related to security. Rather, it is related to the political need to be seen to be taking action, with intrusive – albeit fruitless – measures being most visible and thus most successful. This carries over to the civil sector. In one recent case we went into a building where they had “high security” processes in place, where you had to leave ID with the security desk, visit verification calls were made to the person being visited, and your possessions were X-rayed. Our group’s possessions included knives, guns, personal defense sprays, batons, and a smoke mask containing a canister of some unknown gas (oxygen, its user might hope). All passed through even though all the weapons were clearly visible and elicited some comment, because the building knew that it faced no likely threat, but got an insurance break by having an X-ray machine. The what-problem-are-we-trying-to-solve question building management dealt with was lowering insurance premiums. Another part, of course, is the assumption that bad guys are drooling idiots who will make no attempt to examine the system they are trying to defeat. Thus, many policies assume that a terrorist will fill in occupation as “terrorist” on forms handed them. This, of course, influences enforcement. In one recent case, a group (the leader of which had a diplomatic passport) was held up in INS for several hours because his four year old daughter’s name was on the terrorist watch list. The most critical part of the rational for these increased demands stem largely from a lack of understanding of identity, and the distinctions between identity and authentication and authorization. It is to address this issue that we strongly recommend Jim Harper’s book Identity Crisis. It is our hope – as it is his – that if more people understood the concept of identity that its use might be more sensible. ÆGIS, October 2006 11 It is not our intention to summarize how Identity Crisis addresses the broad area of identity: The book is a quick read, and you should read the whole thing, not a quick précis by us. The important thing to know is that there is strong demand for government increases in demands for changes in identification use, including looking toward a national ID card. This book gives enough information for a reader to understand why a national ID card serves no valid security purpose, though it may have tax and commercial implications of benefit to the issuing jurisdiction. Because increased identification demands may have a drastically effect on civil liberties and privacy, and because changes in social policy and convention are difficult – almost impossible – to undo, this book is important, and should be read by everyone concerned with social policy. The information in Identity Crisis will help you can ask and answer the questions that should and must be asked of these security policies and measures. 7. Subscription/Unsubscription/Copyright Information •• ÆGIS is supported and maintained by voluntary efforts. This publication is owned, published, and copyright © 2006 by The LUBRINCO Group Ltd, Inc. and Financial Examinations and Evaluations, Inc. It is edited jointly by Richard Isaacs (RBIsaacs@lubrinco.com) and L. Burke Files (LBFiles@feeinc.com). LUBRINCO provides services in three high-threat areas, too specialized to be dealt-with in-house, that can adversely affect domestic and international bottom lines. • Corporate counterintelligence. 1. American businesses lose $300 billion annually to competitive intelligence, economic espionage, and information theft. 2. Sarbanes-Oxley requires internal controls tracking the costs, and impact on valuation, of competitive intelligence, economic espionage, and information theft. o LUBRINCO provides private sector access to OPSEC, the government-standard process for identification, valuation, and protection of intellectual property and critical information from competitive intelligence, economic espionage, and information theft. • International asset location and due diligence. o Location of concealed assets in fraud, theft, and divorce. ÆGIS, October 2006 12 o Due diligence to prevent fraud and loss in China, Central and Eastern Europe, Central Asia, the offshore financial centers, Latin America, and the Caribbean. o Financial fraud and anti-money laundering program development and training for compliance with the US International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 and the EU Revised Money Laundering Directive of 2001. • Protection of management, staff, and families. o In the high-threat environments of Latin America, Africa, the Mid- East, and Southeast Asia. o When traveling and living overseas. o When transporting items of substantial value. LUBRINCO identifies and quantifies threats and vulnerabilities, and their associated risk, then manages the vulnerabilities so you can transfer or live with the residual risk. We prevent disastrous financial loss to your company, and physical harm to you, your family, and your staff. For information on LUBRINCO and its services, or for the archive of all past issues of ÆGIS in PDF format, please go to http://www.lubrinco.com/. Subscription to ÆGIS is available for $15 per year in North America and $20 per year outside of North America. To sign up for a complimentary subscription to ÆGIS or the ÆGIS PDF notification list, go to http://lb.bcentral.com/ex/manage/subscriberprefs?customerid=7768 or send an email to aegis@lubrinco.com. To subscribe to our AvantGo channel, go to http://avantgo.com/channels/_add_channel.pl?cha_id=1773 To be removed from the subscription list, follow the instructions on the mailing you received, or send an e-mail to aegis@lubrinco.com. If you know of anyone else who should be receiving ÆGIS, please send their e-mail address to aegis@lubrinco.com. If there is a topic that you would like to know more about, send it to aegis@lubrinco.com and the editors will consider it as the topic for an article in an upcoming issue. If you would like to submit an article for publication in ÆGIS, send it as an attachment to an e-mail to aegis@lubrinco.com. Submission of an article ÆGIS, October 2006 13 certifies that (a) all information in the article is in the public record, or (b) that you are authorized to release any personal or corporate proprietary information contained in the article, and (c) that none of the article has previously been copyrighted. The submission of materials for publication in ÆGIS constitutes a license to LUBRINCO, and/or Financial Examinations and Evaluations, Inc, their assigns, associates, or affiliates, to abridge and/or edit said submission, and to copyright and publish/republish any submitted materials in whatever written and/or electronic form they may choose. If you would like to go beyond normal fair-use in reproducing articles from this issue of ÆGIS, you may do so freely as long as appropriate source, copyright, accreditation, and link to the LUBRINCO Web site is included. This should be in the form
Article Title, from the October 2006 ÆGIS (© 2006 LUBRINCO & FEE), to be found at http://www.lubrinco.com/. ÆGIS is a forum for the exchange of information, ideas, operating styles, theories, and related topics for corporate managers who make decisions about threats typically outside the expertise available in-house, yet which have the potential to affect their company’s domestic and international bottom lines. Nothing appearing in ÆGIS should be construed as legal advice. The information provided is “general information,” not “specific advice.” The solution to any problem is highly dependent upon the precise facts involved. Thus, before making any reliance upon anything said here, you should consult with an appropriately skilled professional. Opinions expressed by contributors are not necessarily endorsed by the publisher, and may be presented to encourage a dialogue among subscribers. The publisher and any re-publisher cannot be held responsible for any loss incurred as a result of the application of any information published in ÆGIS. Please be safe, and be smart.