Title: Your Papers, Please: The Government Discovers Identity Management
1 Your Papers, Please: The Government Discovers Identity Management
- EDUCAUSE Annual Conference
- October 10, 2006
- Steve Worona
- sworona_at_educause.edu
2 Agenda
- Handouts
- Summary of 3 Federal IDM initiatives
- Real ID
- HSPD-12
- CALEA
- Motivations
- Applicability to campus initiatives
- Risks
3 Excluding
- Mandatory data retention
- Coming soon
- RFID-based passports
- State initiatives (e.g., Illinois, California, New Jersey)
- Un-legislated activities
- NSA wiretapping
- Voluntary telephone-company record delivery
- Financial-record tracking
- General data-mining
4 Real ID
5 Real ID
- NCSL Real ID Summary
- Financial concerns
- Congress: 100M aggregate
- States: Billions
- CA: 500M over 5 years
- VA: 35M-169M plus 63M/year
- The dreaded National ID spectre
- Note: shared database provision
- "If all the states have to do the same thing in the same manner" Leticia Van de Putte, NCSL President
- DMV delays
- Drivers licenses for undocumented residents
6 HSPD-12
- Homeland Security Presidential Directive 12
- GWB, August 27, 2004
- FIPS-201
- Federal Information Processing Standard 201
- PIV
- Personal Identity Verification
- http://csrc.nist.gov/policies/Presidential-Directive-Hspd-12.html
- Implementation_of_HSPD-12.pdf
- http://www.osec.doc.gov/osy/HSPD12/EnrollmentOfficials.htm
- Quick Start for Enrollment Officials
7 CALEA
- Old: The term "call-identifying information" means dialing or signaling information that identifies the origin, direction, destination, or termination of each communication generated or received by a subscriber by means of any equipment, facility, or service of a telecommunications carrier.
- New: The term "communication-identifying information" means dialing, routing, addressing or signaling information that identifies the origin, direction, destination, processing, transmission, or termination of each communication generated or received by a subscriber or other person by means of any equipment, facility, or service of a communications carrier. Such term includes source and destination Internet protocol and other protocol addresses, the port number, packet file size, and user authentication and logon information, including session time and duration.
8 We're from the Government and We're Here to Help You
9 We're from the Government and We're Here to Help You
- GPEA (10/21/1998)
- http://www.whitehouse.gov/omb/fedreg/gpea2.html
- GPEA is an important tool to improve customer
service and governmental efficiency through the
use of information technology. This improvement
involves transacting business electronically with
Federal agencies and widespread use of the
Internet and its World Wide Web.
10 We're from the Government and We're Here to Help You
- GPEA (10/21/1998)
- http://www.whitehouse.gov/omb/fedreg/gpea2.html
- As public awareness of electronic communications and Internet usage increases, demand for on-line interactions with the Federal agencies also increases. Moving to electronic transactions and electronic signatures can reduce transaction costs for the agency and its partner. Transactions are quicker and information access can be more easily tailored to the specific questions that need to be answered. As a result data analysis is easier. These access and data analysis benefits often have a positive spillover effect into the rest of the agency as awareness of the agency's operations is improved. In addition, reengineering the work process associated with the transaction can give rise to other efficiencies.
- Remember
13 We're from the Government and We're Here to Help You
- GPEA (10/21/1998)
- Fewer IDs
- Reduce, Recycle, Reuse
- Remember
- Better user security
- Identity theft
- No SSNs
- Crypto
- Data theft
- Strong authentication
18 We're from the Government and We're Here to Help You
Ourselves!
- Authorization
- Deterrence
- Apprehension and Prosecution
20 On Campus: Same List
- GPEA
- Fewer IDs
- Better user security
- Authorization
- Deterrence
- Apprehension and Prosecution
21 On Campus: Leverage
- Pre-existing identities
- Recall e-mail evolutionary path
- Standards
- Risk assessment
- Insurance
- Uniformity across campus(es?)
- Economies of scale
- Built-in smart-card readers
- Biometric devices
- Federations
- InCommon
- Fed/Fed
22 On-Campus Mandates
- CALEA
- Most campuses exempt from current version
- Even for non-exempt, no additional authentication requirement
- Data retention
- Watch this space
- HSPD-12
- Most on-campus contractors/investigators exempt
23 Risks: Tech/Finance
- Leading-edge effects
- The sooner you start, the longer it takes
- Many unknowns
- Many options
- Liability
- Why would you want to do that?
- No good deed goes unpunished
- If we can make this work, we're home free
24 Risks: Social/Cultural
- "Next week the U.S. Supreme Court will hear a case to decide whether or not all Americans must have identification on them at all times. The case has been brought by a cowboy in Nevada who was asked to show ID while he was leaning against his pickup truck on the side of the road near his ranch. The police officer did not offer any specific reason why he demanded proof of identity. Having committed no crime, Dudley Hiibel, the cowboy, refused and was arrested. He was later convicted for 'Delaying a Peace Officer.' In America, still a free country, citizens should not be required to provide identification papers at any whim of the authorities." The Washington Times, 2/22/04
25 Two Months Later (6/22/04)
- In what may become a major boost to US law enforcement and antiterrorism efforts, the US Supreme Court Monday upheld a Nevada law that makes it a criminal offense for anyone suspected of wrongdoing to refuse to identify himself to police.
- Civil libertarians see the decision as a significant setback. And it remains unclear to what extent it may open the door to the issuing of national identification cards or widespread identity operations keyed to terrorist profiling at bus terminals, train stations, sports stadiums, and on city streets.
26 continued
- The ruling marks the first time the nation's highest court has endorsed a provision compelling citizens to reveal information in a citizen-police encounter that may become a police investigation.
- The 5-to-4 decision says that neither the Fourth Amendment's right to privacy nor the Fifth Amendment's guarantee against self-incrimination bars states from passing laws requiring citizens to identify themselves.
27 Do We Want to Live in a "Your Papers, Please" Society?
- "There are good people with bad papers and bad people with good papers." Bertolt Brecht
28 The Identity Project (http://papersplease.org)
- What does an ID, any ID, do for security? The honest answer is not much. If anything, relying on ID for security purposes actually makes things worse: a false sense of security fosters complacency.
- Showing ID only affects honest people. If you're dishonest, you can obtain false documents or steal the identity of an honest person.
- If a 19 year-old college student can get a fake ID to drink, why couldn't a bad person get one, too? And no matter how sophisticated the security embedded into the ID, wouldn't a well-financed terrorist be able to falsify that, too? The answer to both questions is obviously yes.
- Honest people, on the other hand, go to Pro-Life rallies. Honest people go to Pro-Choice rallies, too. Honest people attend gun shows. Honest people protest the actions of the President of the United States. Honest people fly to political conventions. What if those with the power to put people on a no fly list decided that they didn't like the reason for which you wanted to travel? The honest people wouldn't be going anywhere.
29 The Importance of Anonymity
- "Anonymous pamphlets, leaflets, brochures and even books have played an important role in the progress of mankind. Persecuted groups and sects from time to time throughout history have been able to criticize oppressive practices and laws either anonymously or not at all." Hugo Black, Talley v. California, 1960
30 Déjà Vu?
- Homeland Security Monitored Students
- surveillance by the Pentagon database of military protests and demonstrations at institutions of higher education
- "Although there does not appear to be any direct terrorist nexus to the event, a large gathering, especially on a college campus, may gain momentum and create public safety concerns. I do not see an issue of civil liberties being violated, rather proactive precautionary measures being taken by DHS and DoD."
- William H. Parrish, Assoc. Prof. of Homeland Security, VCU
31 OK to Authenticate All Net Traffic?
My Government Yes No
My Campus No Yes
33 The Tradeoff
- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." Benjamin Franklin (1755)
- "While the Constitution protects against invasions of individual rights, it is not a suicide pact." Arthur Goldberg (1963)
34 The Constitution Is Not a Suicide Pact
35 The Constitution Is Not a Suicide Pact
37 Or
- "Give me Liberty or give me Death!"
- Patrick Henry
- (Delegate, Virginia, 1775)
- "You have no civil liberties if you're dead!"
- Patrick Roberts
- (Senator, Kansas, 2006)
38 The Tradeoff Rorschach
- "Law enforcement is not supposed to be easy. Where it is easy, it's called a police state." Jeff Schiller, in Wired (1999)
39 The Eternal Value of Privacy (Bruce Schneier)
- The most common retort against privacy advocates is this line: "If you aren't doing anything wrong, what do you have to hide?"
- Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information."
- My problem with quips like these, as right as they are, is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
- Cardinal Richelieu understood the value of surveillance when he famously said, "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." Watch someone long enough, and you'll find something to arrest, or just blackmail, with.
- Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance.
- We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.
40 End