Page 1: Protecting Society by Protecting Information Reducing Crime by Better Information Sharing Adam Shostack adam@informedsecurity.com

Protecting Society by Protecting Information

Reducing Crime by Better Information Sharing

Adam Shostack

adam@informedsecurity.com

Page 2:

Information Sharing (Ideal)

Information is rapidly and securely shared amongst law enforcement to prevent serious crime & catch criminals
This is a very worthwhile goal
My talk: focus on deviations from ideal
  Not because all uses are deviations, but because as a society we must consider how things break

Page 3:

Privacy and Info Sharing Both Protect People

Our panel title sets up a false dichotomy
Goal is to protect people
  False data, misuse of data is a burden
How much information should we share to achieve that?
Use the No-Fly List as an example application
  No fly list exists because of terrorists

Page 4:

No Fly List

Typical Information Sharing Application?
Data brought to bear to prevent criminal activity/terrorism
Data gathered from a plethora of sources
No privacy policy around the data
We hear only about failures

Page 5:

Who’s on The No-Fly List?

Page 6:

No Fly List Analysis

Assembled from a plethora of sources
No privacy policy
  Using privacy in sense of Fair Information Practices:
  Notification, Consent, Access, Correction, Reliability
Large quality problems
  False positive vs. real hit frequency
  Waste of officer time

Page 7:

Information Sharing (nightmare)

Kafka-esque
  Denied civil rights (travel, voting)
  ID theft victims being arrested
  No ability to solve problem
Orwellian World
  Surveillance for its own sake
Stalkers
All the data sold to marketeers

Page 8:

Info Sharing Economics

Building systems is expensive, hard
Outsource to private sector!
  ChoicePoint, Seisint
Data shared is data shared
  Data will “update” other records (e.g., change of address)

Page 9:

Info Sharing by Data Brokers

"[Choicepoint] disclosed that it had agreed to pay as much as $7 million to settle an Illinois class-action lawsuit by insurance agents.

The agents said ChoicePoint took information from their inquiries about potential insurance clients and then sold the names back to them and to competitors as sales leads."

Page 10:

Info Sharing with Whom?

Seisint, a Lexis Nexis Company
  MATRIX
  320,000 records accessed
  57 account breaches detected and reported
How much data was from law enforcement?

Page 11:

Commercial Databases

Data sales to all sorts, for all sorts of purposes
  Stalking
  ID Theft
  Revenge
EPIC Phone complaint
Real ID Act, home addresses
Judge Lefkow (?)

Page 12:

Increased Information Sharing

More information sharing through companies will lead to more crime
  Stalking, ID theft, Assaults
  More data capture will increase value of ID theft
Is this trade-off worthwhile?
  Hard to say: need more on how lists work
  Some 9/11 Hijackers were on lists
  Too many lists, too many people on them?

Page 13:

Economics of Fraudulent ID

Increase in document checking
Getting harder to exist without papers
15 million illegal immigrants need paper
So did 19 terrorists
Demand facilitates supply
Hijacker Alghamdi (pictured)
  A facilitator helped him get VA ID

Page 14:

Economics of Fraudulent ID

Economic incentives hard to resist
Arrests across the country
Katrina will lead to a groundswell of fraudulent issuance as processes are relaxed for hurricane survivors who need ID
More ID checking, more “acceptable” reasons to evade

Page 15:

Is There A Laffer Curve of ID?

Page 16:

Why Does This Matter?

If information sharing is based on “database data,” the quality of that data is dropping rapidly
Easier “investigation” by computer may distract from other avenues

Page 17:

Alternatives?

Pose requirements as what to achieve
  “Need to distinguish between Johnnie Thomas and Johnnie Thomas”
Not how to achieve it
  “Need social security numbers to distinguish JT and JT”

Page 18:

Share Queries, Not Data

Move to allowing database queries, rather than shipping data
Allows data to be stored, managed, corrected, by creators
The FBI’s database is updated, but bad data whose source is unknown, corrupts new lists.
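
An added sketch of the contrast on this slide, not part of the original talk: a shipped copy keeps flagging an entry after the creator has corrected it, while a query against the creator's database reflects the correction and leaves an audit trail. The class and function names, the use of date of birth as the distinguishing attribute, and the records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SourceAgency:
    """Creator of the records: it stores, corrects and answers queries on them."""
    records: dict = field(default_factory=dict)    # record_id -> (name, date_of_birth)
    audit_log: list = field(default_factory=list)  # (requester, name, hit)

    def export_copy(self):
        # Shipping data: the recipient holds a snapshot the source can no longer fix.
        return dict(self.records)

    def correct(self, record_id):
        # The creator removes an entry it has found to be wrong.
        self.records.pop(record_id, None)

    def query(self, requester, name, date_of_birth):
        # Sharing a query: answer hit / no hit, record who asked, release no records.
        hit = (name, date_of_birth) in self.records.values()
        self.audit_log.append((requester, name, hit))
        return hit


def copied_list_hit(copy, name, date_of_birth):
    # Lookup against a shipped copy; nothing ties it back to the source's corrections.
    return (name, date_of_birth) in copy.values()


def demo():
    # Constructed records. Date of birth is an assumed distinguishing attribute.
    source = SourceAgency(records={
        "r1": ("Johnnie Thomas", "1970-01-01"),
        "r2": ("Johnnie Thomas", "1935-05-05"),   # listed in error
    })
    shipped = source.export_copy()   # partner agency receives the data itself
    source.correct("r2")             # source later fixes its own database
    wrongly_listed = ("Johnnie Thomas", "1935-05-05")
    still_listed = ("Johnnie Thomas", "1970-01-01")
    return {
        "copy_flags_corrected_entry": copied_list_hit(shipped, *wrongly_listed),
        "query_flags_corrected_entry": source.query("checkpoint", *wrongly_listed),
        "query_flags_valid_entry": source.query("checkpoint", *still_listed),
        "queries_logged": len(source.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```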

Page 19:

Share Less Invasive Data

Fingerprints vs:
  Left thumb to right thumb, my fingerprints:
  Right loop, whorl, right loop, whorl, right loop...
Using a 4 class system, over a million permutations
Hard to loan IDs when it’s a million to one match
5 class (arch/tented arch) close to a billion possibilities

Page 20:

Conclusions

Privacy protects people
Information sharing protects people
Privacy can improve information sharing

Page 21:

Questions, Comments?

Thank you for your time and attention