Protecting Society by Protecting Information - PowerPoint PPT Presentation

About This Presentation

Title: Protecting Society by Protecting Information
Author: Adam
Last modified by: Adam
Created Date: 8/31/2005 10:30:03 PM

Slides: 23
Provided by: Adam1235
Learn more at: http://www.ncstl.org

Transcript and Presenter's Notes


1
Protecting Society by Protecting Information
  • Reducing Crime by Better Information Sharing
  • Adam Shostack
  • adam_at_informedsecurity.com

2
Disclaimer
  • These slides are for a panel presentation, where
    my time is severely limited
  • As such, I skip over benefits of information
    sharing to present a fairly one-sided picture, in
    the expectation that fellow panelists will cover
    other perspectives well.

3
Information Sharing (Ideal)
  • Information is rapidly and securely shared
    amongst law enforcement to prevent serious crime,
    catch criminals
  • This is a very worthwhile goal
  • My talk focuses on deviations from the ideal
  • Not because all uses are deviations, but because
    as a society we must consider how things break

4
Privacy and Info Sharing Both Protect People
  • Our panel title sets up a false dichotomy
  • Goal is to protect people
  • False data, misuse of data is a burden
  • How much information should we share to achieve
    that?
  • Use the No-Fly List as an example application
  • No fly list exists because of terrorists

5
No Fly List
  • Typical Information Sharing Application?
  • Data brought to bear to prevent criminal
    activity/terrorism
  • Data gathered from a plethora of sources
  • No privacy policy around the data
  • We hear only about failures

6
Who's on the No-Fly List?

7
No Fly List Analysis
  • Assembled from a plethora of sources
  • No privacy policy
  • Using privacy in sense of Fair Information
    Practices
  • Notification, Consent, Access, Correction,
    Reliability
  • Large quality problems
  • False positive vs. real hit frequency
  • Waste of officer time

8
Information Sharing (nightmare)
  • Kafka-esque
  • Denied civil rights (travel, voting)
  • ID theft victims being arrested
  • No ability to solve problem
  • Orwellian World
  • Surveillance for its own sake
  • Stalkers
  • All the data sold to marketeers

9
Info Sharing Economics
  • Building systems is expensive, hard
  • Outsource to private sector!
  • ChoicePoint, Seisint
  • Data shared is data shared
  • Data will update other records
  • (E.g., change of address)

10
Info Sharing by Data Brokers
  • "ChoicePoint disclosed that it had agreed to pay
    as much as $7 million to settle an Illinois
    class-action lawsuit by insurance agents.
  • The agents said ChoicePoint took information from
    their inquiries about potential insurance clients
    and then sold the names back to them and to
    competitors as sales leads."

11
Info Sharing with Whom?
  • Seisint, a LexisNexis company
  • MATRIX
  • 320,000 records accessed
  • 57 account breaches
  • detected and reported
  • How much data was from law enforcement?

12
Commercial Databases
  • Data sales to all sorts, for all sorts of
    purposes
  • Stalking
  • ID Theft
  • Revenge
  • EPIC Phone complaint
  • Real ID Act, home addresses
  • Judge Lefkow (?)

13
Increased Information Sharing
  • More information sharing through companies will
    lead to more crime
  • Stalking, ID theft, Assaults
  • More data capture will increase value of ID theft
  • Is this trade-off worthwhile?
  • Hard to say; need more on how lists work
  • Some 9/11 Hijackers were on lists
  • Too many lists, too many people on them?

14
Economics of Fraudulent ID
  • Increase in document checking
  • Getting harder to exist without papers
  • 15 million illegal immigrants need paper
  • So did 19 terrorists
  • Demand facilitates supply
  • Hijacker Alghamdi (pictured)
  • A facilitator helped him get VA ID

15
Economics of Fraudulent ID
  • Economic incentives hard to resist
  • Arrests across the country
  • Katrina will lead to a groundswell of fraudulent
    issuance as processes are relaxed for hurricane
    survivors who need ID
  • More ID checking, more acceptable reasons to
    evade

16
Is There A Laffer Curve of ID?

17
Why Does This Matter?
  • If information sharing is based on database
    data, the quality of that data is dropping
    rapidly
  • Easier investigation by computer may distract
    from other avenues

18
Alternatives?
  • Pose requirements as what to achieve
  • Need to distinguish between Johnnie Thomas and
    Johnnie Thomas
  • Not how to achieve it
  • Need social security numbers to distinguish JT
    and JT

19
Share Queries, Not Data
  • Move to allowing database queries, rather than
    shipping data
  • Allows data to be stored, managed, corrected, by
    creators
  • The FBI's database is updated, but
  • bad data whose source is unknown, corrupts new
    lists.

20
Share Less Invasive Data
  • Fingerprints vs
  • Left thumb to right thumb, my fingerprints
  • Right loop, whorl, right loop, whorl, right
    loop...
  • Using a 4 class system, over a million
    permutations
  • Hard to loan IDs when it's a million-to-one match
  • 5 class (arch/tented arch) close to a billion
    possibilities

21
Conclusions
  • Privacy protects people
  • Information sharing protects people
  • Privacy can improve information sharing

22
Questions, Comments?
  • Thank you for your time and attention