Your Papers, Please: The Government Discovers Identity Management

1
Your Papers, PleaseThe Government
DiscoversIdentity Management

• EDUCAUSE Annual Conference
• October 10, 2006
• Steve Worona
• sworona_at_educause.edu

2
Agenda

• Handouts
• Summary of 3 Federal IDM initiatives
• Real ID
• HSPD-12
• CALEA
• Motivations
• Applicability to campus initiatives
• Risks

3
Excluding

• Mandatory data retention
• Coming soon
• RFID-based passports
• State initiatives (e.g., Illinois, California,
  New Jersey)
• Un-legislated activities
• NSA wiretapping
• Voluntary telephone-company record delivery
• Financial-record tracking
• General data-mining

4
Real ID

• NCSL Real ID Summary

5
Real ID

• NCSL Real ID Summary
• Financial concerns
• Congress 100M aggregate
• States Billions
• CA 500M over 5 years
• VA 35M-169M plus 63M/year
• The dreaded National ID spectre
• Note shared database provision
• If all the states have to do the same thing in
  the same mannerLeticia Van de Putte, NCSL
  President
• DMV delays
• Drivers licenses for undocumented residents

6
HSPD-12

• Homeland Security Presidential Directive 12
• GWB August 27, 2004
• FIPS-201
• Federal Information Processing Standard 201
• PIV
• Personal Identity Verification
• http//csrc.nist.gov/policies/Presidential-Directi
  ve-Hspd-12.html
• Implementation_of_HSPD-12.pdf
• http//www.osec.doc.gov/osy/HSPD12/EnrollmentOffi
  cials.htm
• Quick Start for Enrollment Officials

7
CALEA

• Old The term call-identifying information
  means dialing or signaling information that
  identifies the origin, direction, destination, or
  termination of each communication generated or
  received by a subscriber by means of any
  equipment, facility, or service or a
  telecommunications carrier.
• New The term communication-identifying
  information means dialing, routing, addressing
  or signaling information that identifies the
  origin, direction, destination, processing,
  transmission, or termination of each
  communication generated or received by a
  subscriber or other person by means of any
  equipment, facility, or service or a
  communications carrier. Such term includes source
  and destination Internet protocol and other
  protocol addresses, the port number, packet file
  size, and user authentication and logon
  information, including session time and duration.

8
Were from the GovernmentAnd Were Here to Help
You

• GPEA (10/21/1998)

9
Were from the GovernmentAnd Were Here to Help
You

• GPEA (10/21/1998)
• http//www.whitehouse.gov/omb/fedreg/gpea2.html
• GPEA is an important tool to improve customer
  service and governmental efficiency through the
  use of information technology. This improvement
  involves transacting business electronically with
  Federal agencies and widespread use of the
  Internet and its World Wide Web.

10
Were from the GovernmentAnd Were Here to Help
You

• GPEA (10/21/1998)
• http//www.whitehouse.gov/omb/fedreg/gpea2.html
• As public awareness of electronic communications
  and Internet usage increases, demand for on-line
  interactions with the Federal agencies also
  increases. Moving to electronic transactions and
  electronic signatures can reduce transaction
  costs for the agency and its partner.
  Transactions are quicker and information access
  can be more easily tailored to the specific
  questions that need to be answered. As a result
  data analysis is easier. These access and data
  analysis benefits often have a positive spillover
  effect into the rest of the agency as awareness
  of the agencys operations is improved. In
  addition, reengineering the work process
  associated with the transactioncan give rise to
  other efficiencies.

11
Were from the GovernmentAnd Were Here to Help
You

• GPEA (10/21/1998)
• Fewer IDs
• Reduce, Recycle, Reuse

12
Were from the GovernmentAnd Were Here to Help
You

• GPEA (10/21/1998)
• Fewer IDs
• Reduce, Recycle, Reuse
• Remember

13
Were from the GovernmentAnd Were Here to Help
You

• GPEA (10/21/1998)
• Fewer IDs
• Reduce, Recycle, Reuse
• Remember
• Better user security
• Identity theft
• No SSNs
• Crypto
• Data theft
• Strong authentication

14
Were from the GovernmentAnd Were Here to Help
You
15
Were from the GovernmentAnd Were Here to Help
You
Ourselves!
16
Were from the GovernmentAnd Were Here to Help
You
Ourselves!

• Authorization

17
Were from the GovernmentAnd Were Here to Help
You
Ourselves!

• Authorization
• Deterrence

18
Were from the GovernmentAnd Were Here to Help
You
Ourselves!

• Authorization
• Deterrence
• Apprehension Prosecution

19
Were from the GovernmentAnd Were Here to Help
You
Ourselves!

• Authorization
• Deterrence
• Apprehension Prosecution

20
On Campus Same List

• GPEA
• Fewer IDs
• Better user security
• Authorization
• Deterrence
• Apprehension and Prosecution

21
On Campus Leverage

• Pre-existing identities
• Recall e-mail evolutionary path
• Standards
• Risk assessment
• Insurance
• Uniformity across campus(es?)
• Economies of scale
• Built-in smart-card readers
• Biometric devices
• Federations
• InCommon
• Fed/Fed

22
On-Campus Mandates

• CALEA
• Most campuses exempt from current version
• Even for non-exempt, no additional authentication
  requirement
• Data retention
• Watch this space
• HSPD-12
• Most on-campus contractors/investigators exempt

23
Risks Tech/Finance

• Leading-edge effects
• The sooner you start, the longer it takes
• Many unknowns
• Many options
• Liability
• Why would you want to do that?
• No good deed goes unpunished
• If we can make this work, were home free

24
Risks Social/Cultural

• Next week the U.S. Supreme Court will hear a case
  to decide whether or not all Americans must have
  identification on them at all times. The case has
  been brought by a cowboy in Nevada who was asked
  to show ID while he was leaning against his
  pickup truck on the side of the road near his
  ranch. The police officer did not offer any
  specific reason why he demanded proof of
  identity. Having committed no crime, Dudley
  Hiibel, the cowboy, refused and was arrested.
  He was later convicted for Delaying a Peace
  Officer. In America, still a free country,
  citizens should not be required to provide
  identification papers at any whim of the
  authorities. The Washington Times, 2/22/04

25
Two Months Later (6/22/04)

• In what may become a major boost to US law
  enforcement and antiterrorism efforts, the US
  Supreme Court Monday upheld a Nevada law that
  makes it a criminal offense for anyone suspected
  of wrongdoing to refuse to identify himself to
  police.
• Civil libertarians see the decision as a
  significant setback. And it remains unclear to
  what extent it may open the door to the issuing
  of national identification cards or widespread
  identity operations keyed to terrorist profiling
  at bus terminals, train stations, sports
  stadiums, and on city streets.

26
continued

• The ruling marks the first time the nations
  highest court has endorsed a provision compelling
  citizens to reveal information in a
  citizen-police encounter that may become a police
  investigation.
• The 5-to-4 decision says that neither the Fourth
  Amendments right to privacy nor the Fifth
  Amendments guarantee against self-incrimination
  bars states from passing laws requiring citizens
  to identify themselves.

27
Do We Want to Live in aYour Papers, Please
Society?

• There are good people with bad papers and
  bad people with good papers. Bertolt Brecht

28
The Identity Projecthttp//papersplease.org

• What does an ID, any ID, do for security? The
  honest answer is not much. If anything,
  relying on ID for security purposes actually
  makes things worse a false sense of security
  fosters complacency.
• Showing ID only affects honest people. If
  youre dishonest, you can obtain false documents
  or steal the identity of an honest person.
• If a 19 year-old college student can get a fake
  ID to drink, why couldnt a bad person get one,
  too? And no matter how sophisticated the
  security embedded into the ID, wouldnt a
  well-financed terrorist be able to falsify that,
  too? The answer to both questions is obviously
  yes.
• Honest people, on the other hand, go to Pro-Life
  rallies. Honest people go to Pro-Choice rallies,
  too. Honest people attend gun shows. Honest
  people protest the actions of the President of
  the United States. Honest people fly to
  political conventions. What if those with the
  power to put people on a no fly list decided
  that they didnt like the reason for which you
  wanted to travel? The honest people wouldn't be
  going anywhere.

29
The Importance of Anonymity

• Anonymous pamphlets, leaflets, brochures and
  even books have played an important role in the
  progress of mankind. Persecuted groups and sects
  from time to time throughout history have been
  able to criticize oppressive practices and laws
  either anonymously or not at all. Hugo Black,
  Talley v. California, 1960

30
Déjà Vu?

• Homeland Security Monitored Students
• surveillance by the Pentagon database of
  military protests and demonstrations at
  institutions of higher education
• Although there does not appear to be any direct
  terrorist nexus to the event, a large gathering,
  especially on a college campus, may gain momentum
  and create public safety concerns. I do not see
  an issue of civil liberties being violated,
  rather proactive precautionary measures being
  taken by DHS and DoD.
• William H. ParrishAssoc. Prof. of Homeland
  Security, VCU

31
OK to Authenticate All Net Traffic?
My Government Yes No
My Campus No Yes
32
The Tradeoff

• They that can give up essential liberty to
  obtain a little temporary safety deserve neither
  liberty nor safety. Benjamin Franklin (1755)

33
The Tradeoff

• They that can give up essential liberty to
  obtain a little temporary safety deserve neither
  liberty nor safety. Benjamin Franklin (1755)
• While the Constitution protects against
  invasions of individual rights, it is not a
  suicide pact. Arthur Goldberg (1963)

34
The Constitution Is Not a Suicide Pact
35
The Constitution Is Not a Suicide Pact
36
Or

• Give me Liberty or give me Death!
• Patrick Henry
• (Delegate, Virginia, 1775)

37
Or

• Give me Liberty or give me Death!
• Patrick Henry
• (Delegate, Virginia, 1775)
• You have no civil liberties if youre dead!
• Patrick Roberts
• (Senator, Kansas, 2006)

38
The Tradeoff Rorschach

• Law enforcement is not supposed to be easy.
  Where it is easy, its called a police state.
  Jeff Schiller, in Wired (1999)

39
The Eternal Value of Privacy(Bruce Schneier)

• The most common retort against privacy advocates
  is this line If you arent doing anything
  wrong, what do you have to hide?
• Some clever answers If Im not doing anything
  wrong, then you have no cause to watch me.
  Because the government gets to define whats
  wrong, and they keep changing the definition.
  Because you might do something wrong with my
  information.
• My problem with quips like these as right as
  they are is that they accept the premise that
  privacy is about hiding a wrong. Its not.
  Privacy is an inherent human right, and a
  requirement for maintaining the human condition
  with dignity and respect.
• Cardinal Richelieu understood the value of
  surveillance when he famously said, If one would
  give me six lines written by the hand of the most
  honest man, I would find something in them to
  have him hanged. Watch someone long enough, and
  youll find something to arrest or just
  blackmail with.
• Privacy protects us from abuses by those in
  power, even if were doing nothing wrong at the
  time of surveillance.
• We do nothing wrong when we make love or go to
  the bathroom. We are not deliberately hiding
  anything when we seek out private places for
  reflection or conversation. We keep private
  journals, sing in the privacy of the shower, and
  write letters to secret lovers and then burn
  them. Privacy is a basic human need.

40
End