Laboratories of Security?

There’s a story in USA Today, “Most fake bombs missed by screeners.” It describes how screeners at LAX find only 25% of bombs, at ORD, they find 40%, and at SFO, 80%:

At Chicago O’Hare International Airport, screeners missed about 60% of hidden bomb materials that were packed in everyday carry-ons — including toiletry kits, briefcases and CD players. San Francisco International Airport screeners, who work for a private company instead of the TSA, missed about 20% of the bombs, the report shows. The TSA ran about 70 tests at Los Angeles, 75 at Chicago and 145 at San Francisco.

I could go on at length about how bad air travel has gotten, and how security theatre is crushing the travel and tourism industries in the US. Rather I’d like to focus on the emergent chaos aspects of this story: the reality that even TSA bureaucracy can’t impose standards on airports, and why that would be a good thing, if they could accept it.

Before I do, I want to comment that missing 75% of the bombs is probably ok. There are very few airliners bombed in the US. I think it’s less than 10 in history. So the issue is not really false negatives, where the screener misses a real fake bomb, but false positives, where the screener shuts down either someone’s day or the airport. Given that every single bomb smuggled past security last year at US airports was fake, they are far more likely than real bombs.

Now, there’s an opportunity for dramatic improvement in the way we run airport security. “Just run them all like they run SFO!” Orin Kerr makes this point, “I would think the real story is the dramatic gap between the performance of TSA employees and private sector employees.”

More importantly, what comes out of this study for me is the emergent chaos of running a large mission like airport security, and the value of that variation for learning.

If all airports were run exactly the same, we’d have missed this opportunity for learning.

So ask yourself, what do I standardize on too much? Where is there too much structure, inhibiting learning? How can we harness chaos, and what emerges? (I talk in more detail about a very similar point in the latest post in my threat modeling series on the SDL blog, “Making Threat Modeling Work Better.”)

Photo: Frisk, by Tim Whyers. (Machine by Tim Hunkin, we’ve mentioned it previously.)

Breaches: Coverup & Disclosure

There’s an interesting case of breach non-disclosure documented in the Edmonton Sun, “Privacy breach at MacEwan.” It’s interesting for a few reasons. First, the breach wasn’t disclosed:

MacEwan College was cited in the auditor general’s report this week after a tipster told the AG’s office about the security breach in 2006. It mirrored access problems in 2002-2003, the AG’s report confirmed.

The college chose not to tell those whose personal information was included in the accessible journal entries based on an assessment of risk by its Freedom of Information and Protection of Privacy office, said MacEwan spokesman Gordon Turtle.

You’ll note that I’m writing about it anyway.

Secondly, people are upset:

Public institutions engender trust, and that’s just one of several reasons why students should have been told, even if the college was confident the breach was minor, said MacEwan Student Union president Justin Benko.

“Based on what the auditor report says, if bank account information and credit card numbers and signatures were readily available and obvious, there should’ve been something said,” he said.

Benko’s opinion is interesting. There’s no Canadian law explicitly requiring breach disclosure, but there’s an expectation of disclosure. (There are also interpretations by Privacy Commissioners that read disclosure into existing laws.)

It also seems that the risk assessment was wrong. If you’re covering up a breach because of a risk assessment, you might want to have another, and include crisis communication in the assessment.

What’s an Identity Oracle (LLPersonas)

Adam: So you say “my oracle.” Who is that? Is it an entity which I control? To be cynical, how does ‘my identity oracle’ differ from Choicepoint?

Bob Blakely: My oracle most assuredly does not belong to me. It’s a commercial enterprise. It differs from Choicepoint in that it has contracts with its data subjects which require it to protect their privacy and other

Adam: So the Oracle is making money on both sides of the deal? From me and from an employer?

Bob Blakely: The oracle is making money by providing a service to the individual. Like broadcast TV, Google, or a real estate buyer’s agent, it doesn’t necessarily have to charge the individual for that service; the cost could be borne by the relying parties.

Adam: If the Oracle doesn’t charge me, do we have a meeting of the mind and an exchange of value? As I’m sure you know, those are the core elements of a contract.

On a related note, what’s to prevent a rogue oracle organization? I think that there’s both value in me paying, and all sorts of risks, such as oracle capture by customers or the moral issues of me having to pay to get data about me validated.

Bob Blakely: The oracle might make money on you but more likely is charging your transaction partners, in the same way that your real estate buyer’s agent gets paid by the seller. But unlike today’s identity providers, it has obligations to you.

You could ask the same question about the relationship between you and a pro-bono lawyer, or a realtor (if you’re buying a house), or any one of a number of other professionals and businesses who work on your behalf but charge others for the privilege. American Express works this way – you pay a (small) yearly fee, but most of their money comes from charging retailers.

What prevents a rogue oracle organization is lawsuits (based on contract law) and the inability to continue in business due to bad publicity.

The difference between an oracle and other identity providers is that the other providers don’t offer you the contract which would let you take action against them; instead you have to rely on someone like the FTC taking action on your behalf, without the possibility of personal recovery for loss.

How to Better Cite Blogs

Via BoingBoing, we learn that the NIH has a guide to citing blogs. Cool! Respectworthy! And a little lacking as a citation format. Here’s their first sample:

Bernstein M. Bioethics Discussion Blog [Internet]. Los Angeles: Maurice Bernstein. 2004 Jul – [cited 2007 May 16]. Available from:

There are at least two major problems with this citation format.

Firstly, the URL to the post itself is missing. I might want to cite “‘How to Cite Blogs’ by the NIH / National Library of Medicine” on Kidney Notes. In which case, I should print the URL “” It strikes me as rare to want to cite a blog in general, rather than in particulars. We get to example 29 before we see this.

Secondly, I should include a real, full date. When I cited is uninteresting. When I visited might be. When the post was posted certainly is. Only a small fraction of the citations include a date of publication, and those refer to (say) June, 2006.

More on LLPersonae, Identity Oracles, and RCSL

Adam: But applying for a job is exactly what you describe, “organizations with whom you don’t have a lot of history and interaction.” For an awful lot of people, they apply for jobs broadly. One cashiership is as good as another.

And there are a lot of places where I’d like to protect my privacy. The Red Cross requires your SSN if you want to volunteer. The DMV wants it. Dave Birch talks about brands and reputation in a comment, and I think that there are a lot of places where The Presentation of Self in Everyday Life really comes into play, and you want to present one front or another.

How could we extend LLPersonas to reduce the demand in these other
Bob Blakely: [I] think an Identity Oracle – not an LLP – is what’s desired when applying for a job. It would work like this:

I apply for the job. The employer alerts me that background investigation will be required. I direct the employer to my Identity Oracle.

The employer says to the Oracle “For this job I require a US citizen with no felony arrests, no felony or misdemeanor convictions, a valid motor vehicle operator’s license, and a good driving safety record. Is this applicant eligible for the position?”

The Oracle then uses its information (and perhaps supplementary information it develops through investigation; this information will be protected under my existing personal information protection contract with the Oracle) to answer the question.
[At which point I jump in by assuming RCSL is primarily about reputation. Bzzzt!]
Chris: What work have you done regarding the Relational Continuity Sockets Layer? There has been a ton of work done regarding reputation management among autonomous agents, protocols for distributed reputation systems, etc. Can you provide an example of the RCSL in action that shows its distinctive properties, and why they are important/useful?
Bob Blakely: [I]t’s important to say that RCSL isn’t really a reputation management system. It’s a way to build relationships which are scoped in time and also in commitment of resources. A useful analogy here is that of a card game; at each round one antes a set of resources to qualify for the round, and one obeys certain rules for the hand. In an analogous way the RCSL enables creation of predefined relationships which have both rules (for what can & can’t be done in the relationship) and roles (for which participant can do what at any particular time; compare this with a game like Bridge where the roles for the players differ).

The notion here is to design the resource commitment rules, rules of play, and roles to limit risk of all types to the various parties.
The game may require reputation as a condition of entry, and it may change reputation as an effect of the outcome, but in this respect reputation is simply another resource – and is not the only kind of commodity which could be used.
[Stay tuned for more on RCSL in the next post from our interview with Bob and Mike]
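The employer-to-Oracle exchange Bob describes above (a yes/no eligibility question answered from data the Oracle holds but never discloses) is easy to misread as "the Oracle shares my record with the employer." The following is an added illustration, not code from the interview, from Burton Group, or from this blog: a toy Identity Oracle that only ever returns a verdict, refuses questions that would reveal a raw identifier, requires the subject to have directed that specific relying party to it, and keeps an audit trail the subject could inspect. All attribute names, record contents, token and audit structures are constructed for this example.

```python
"""Toy Identity Oracle: answers "is this applicant eligible?" without
releasing the attributes the answer rests on.  Constructed example."""
from dataclasses import dataclass
import secrets


@dataclass
class Predicate:
    """One clause of a relying party's question, e.g. convictions == 0."""
    attribute: str
    op: str          # one of "==", "<=", ">="
    value: object

    def holds(self, record: dict) -> bool:
        actual = record[self.attribute]
        if self.op == "==":
            return actual == self.value
        if self.op == "<=":
            return actual <= self.value
        if self.op == ">=":
            return actual >= self.value
        raise ValueError(f"unsupported operator {self.op!r}")


class IdentityOracle:
    # Attributes the subject's contract lets the Oracle reason about but
    # never disclose (constructed list); anything else is refused outright.
    PERMITTED = {"citizenship", "felony_arrests", "convictions",
                 "drivers_license_valid", "at_fault_accidents"}

    def __init__(self):
        self._records = {}   # subject_id -> attribute dict (never returned)
        self._grants = {}    # single-use token -> (subject_id, relying_party)
        self.audit = []      # who asked what about whom, and the outcome

    def enroll(self, subject_id, attributes):
        self._records[subject_id] = dict(attributes)

    def authorize(self, subject_id, relying_party):
        """The subject 'directs the employer to my Oracle': mint a
        single-use token bound to that one relying party."""
        token = secrets.token_hex(16)
        self._grants[token] = (subject_id, relying_party)
        return token

    def is_eligible(self, token, relying_party, predicates):
        grant = self._grants.pop(token, None)          # tokens are single use
        if grant is None or grant[1] != relying_party:
            raise PermissionError("no valid authorisation from the subject")
        subject_id = grant[0]
        question = [(p.attribute, p.op, p.value) for p in predicates]
        refused = {p.attribute for p in predicates} - self.PERMITTED
        if refused:
            self.audit.append({"subject": subject_id, "asked_by": relying_party,
                               "question": question, "answer": "refused"})
            raise PermissionError(f"question touches non-permitted attributes: {sorted(refused)}")
        record = self._records[subject_id]
        # The relying party learns one bit, not which clause failed.
        verdict = all(p.holds(record) for p in predicates)
        self.audit.append({"subject": subject_id, "asked_by": relying_party,
                           "question": question, "answer": verdict})
        return verdict


def run_demo():
    """Walk through the exchange from the interview with constructed data."""
    oracle = IdentityOracle()
    oracle.enroll("applicant-1", {"citizenship": "US", "felony_arrests": 0,
                                  "convictions": 0, "drivers_license_valid": True,
                                  "at_fault_accidents": 0, "ssn": "000-00-0000"})
    oracle.enroll("applicant-2", {"citizenship": "US", "felony_arrests": 0,
                                  "convictions": 1, "drivers_license_valid": True,
                                  "at_fault_accidents": 0, "ssn": "000-00-0001"})
    job_requirements = [                       # the employer's question
        Predicate("citizenship", "==", "US"),
        Predicate("felony_arrests", "==", 0),
        Predicate("convictions", "==", 0),
        Predicate("drivers_license_valid", "==", True),
        Predicate("at_fault_accidents", "<=", 1),
    ]
    results = {}
    t1 = oracle.authorize("applicant-1", "employer-A")
    results["applicant_1_eligible"] = oracle.is_eligible(t1, "employer-A", job_requirements)
    t2 = oracle.authorize("applicant-2", "employer-A")
    results["applicant_2_eligible"] = oracle.is_eligible(t2, "employer-A", job_requirements)
    try:                                       # a spent token cannot be replayed
        oracle.is_eligible(t1, "employer-A", job_requirements)
        results["replay_refused"] = False
    except PermissionError:
        results["replay_refused"] = True
    t3 = oracle.authorize("applicant-1", "employer-A")
    try:                                       # probing for a raw identifier is refused
        oracle.is_eligible(t3, "employer-A", [Predicate("ssn", "==", "000-00-0000")])
        results["ssn_probe_refused"] = False
    except PermissionError:
        results["ssn_probe_refused"] = True
    results["audit_entries"] = len(oracle.audit)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noticing is that the second applicant's employer learns only "not eligible," never that the failing clause was a conviction, and that every question, answered or refused, lands in an audit log the subject could review under the contract Bob describes. A real Oracle would also need the refusal policy to prevent an employer from asking many narrow questions in sequence to reconstruct a value, which this toy does not attempt.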

TSA Violates Your Privacy, Ties themselves in Little Knot of Lies

There’s a story in InformationWeek about the latest TSA privacy violation, “TSA Promises Privacy For Subjects Of Clothing-Penetrating Scans:”

Image: millimeter wave radar image.

“We are committed to testing technologies that improve security while protecting passenger privacy,” said TSA administrator Kip Hawley in a statement. “Privacy is ensured through the anonymity of the image: It will never be stored, transmitted, or printed, and it will be deleted immediately once viewed.” (Emphasis added)

Ensuring privacy, as the TSA describes it, involves having security officers view images from remote locations. Thus, the security officer cannot identify the passenger, visually or by some other means, but can send word to fellow officers if a threat is detected.

Hey Kip, precisely how do images go to a remote location to be viewed without being transmitted?

Call Congress and ask why TSA is allowed to outright lie to people.

There’s other good analysis of the proposal in the Information Week article. I simply wanted to comment on the obvious inconsistency in what TSA is claiming.

Limits of Limited Liability Personas?

I have some cost questions, but I think more importantly, this can limit my exposure to, say, a credit card, but I can get most of this without paying Delaware a couple of hundred bucks. I get a PO box, a limited credit card, and a voice mail service. What’s the advantage that’s worth incorporating?

At the same time, there seem to be real limits to doing this under today’s law. I don’t think the Gap would be ok running a background check on AdamCorp 4735, a Nevada LLP. And as I’m sure you remember, a yet-anonymous contractor to the Gap lost data on 800,000 job applicants. (Infoworld via PogowasRight.)

Bob Blakely: These are very good questions. The difficulty with just getting a PO box and a secured credit card today is that if someone steals the credit card number and runs a bunch of charges up in some foreign jurisdiction where validation procedures aren’t very good, you may get a ding on your personal credit record, which you then have to clean up even if you don’t end up getting stuck with the charges. If you get the credit card in the name of the LLP, then nothing goes on your record. If the situation gets really ugly, you can simply forfeit the money backing the card, close the LLP, and walk away – with no damage to your personal reputation that needs to be cleaned up. This severability is the real advantage of incorporation. If you set up an LLC through the Company Corporation, you can even get $50,000 worth of insurance against legal fees in case someone tries to stick you with personal liability for the LLC’s actions.

The Gap wouldn’t run a background check unless you applied for a job. I don’t think that LLPs will apply for jobs; I do think that they’ll be used in a lot of transactions with intermittent or remote transactional partners, to buffer risks associated with people and organizations with whom you don’t have a lot of history and interaction.

Mike Neuenschwander: I think an LLP could even work for employment – in fact, it already happens with LLCs. That doesn’t mean the person has to be anonymous. But we need a system that helps build reputations of these entities, so the owners take pride in

Bob Blakely on the LLP

The LLP is a great analogy because that’s exactly what the Limited Liability Partnership was, and is, for: controlling liability in transactions. The growth of the limited liability corporation allows me, as an investor, to invest a set amount of money, and know the limits of my exposure to management errors. But I can’t do that with myself. It’s all in, all the time.

Does this work under the law today? Could I just set myself up with a Delaware LLPartnership of one and go?

I’m going to use LLPartnership & LLPersona rather than writing “limited liability” each time.

I also offered Mike and Bob the ability to go ‘off the record.’

Bob Blakely: There are probably some open questions here; we’re not lawyers so you should ask one. However, the intention of using an LLC as an LLP (persona, not partnership) is that you can endow it with a set of resources (e.g. a secured credit card backed by a specific amount of money in an account opened for the LLP) which are thus not connected to your personal resources, give it its own name, give it its own address, and then use it (as the controlling director) to do business in a way which does not require you to reveal personal information and which does not attach your personal assets to transactions (and hence shelters your resources from the affairs of the LLP).

I definitely do not want Burton Group or us personally to be off the record on this; we are the inventors of this concept and we want it to be adopted and credited to us.

We also want to encourage related developments such as the Relational Continuity Sockets Layer (which provides a meeting place for LLPs who can interact according to a specified set of rules and generate public outcomes for their transactions), and the Identity Oracle, which is kind of a clearinghouse for creating LLPs and managing the relationship between LLPs and personal information about individuals (you’d go to an Identity Oracle, perhaps let it set up your LLP, and then tell it your personal information and give it specific instructions about how to act as your agent with respect to that information, with the intention that it should use the information in your interest to answer questions, but not divulge the information itself). All of these things are our inventions and we want to be publicly associated with them.

You can read more about the identity oracle and the relational continuity sockets layer.

Mike Neuenschwander on Limited Liability Personas: Intro

I was deeply intrigued when I read an article in the New York Times, “Securing Very Important Data: Your Own.” Mike Neuenschwander of the Burton Group proposed an idea of “limited liability personas.” I thought this was so cool that I emailed him, proposing we interview him for the blog. He’s agreed, and here’s part 1.

Adam: So why don’t we start out with what’s the problem you’re trying to
solve, and what’s the way you’d like to solve it?

Mike: Great question. It’s difficult for me to be succinct on this, so bear with me:

The problem that LLP addresses is an underlying problem that’s evidenced by a wide range of social issues. These problems are so common, they’re front page news items familiar even to people who don’t own computers. These issues include:

  • identity theft, phishing, and traditional theft
  • terrorism and crime – the fear of which helps promote government identity campaigns like REAL ID
  • inappropriate access to regulated items such as alcohol, adult content, and lotteries
  • financial exploitation (esp. for reporting financial numbers – hence the SOX regulations for accountability)
  • privacy invasion
  • password fatigue, with people trying helplessly to manage dozens of usernames and passwords, etc.

I’ve heard it posited (by folks I call the “identerati”) that the “Net is missing an identity layer” and that’s why we see this list of social problems. I disagree. To me, such problems are symptomatic of poorly structured relationships. That is to say, the underlying “problem” is the lack of apparatus for promoting stable, fair, and safe relations. And when relations go bad, things get really ugly.

So for the last few years, I’ve looked for scenarios in which parties cooperate in difficult but non-coercive contexts. Social science and evolutionary biology have a lot to say about this topic (through studies in collaborative action theory, social dilemmas, and social emotions). From my understanding of these sciences, symmetry among participants is essential to collaborative outcomes. So, it doesn’t really matter how good the identity metasystem is or how benevolent its owner is: without symmetry in the relation it represents, it will produce exploitive results. As a society, we have to insist on symmetry. But in business-to-person relations there’s currently no symmetry at all, particularly in the legal context. LLP is meant to help natural persons have access to the same legal treatment as corporations. It turns business-to-person relations into B2B relations.

Adam again: I’m hoping that this interview involves some emergent chaos, from my co-bloggers and from the audience. We’ve already asked questions, but please, offer up your thoughts and comments.

Finally, you can read more on the Burton blog.

Breach Laws Charts

At The Privacy Symposium that Harvard Law just held, I had a fascinating conversation with Julie Machal-Fulks of the law firm of Scott & Scott. Scott and Scott have published a one page breach laws chart, with just five variables.

Julie Brill of the Vermont Attorney General’s office also mentioned that she maintains a chart. (She also had insightful things to say about the so-called “patchwork” of laws, and where the effort to comply goes: to report to the smallest fraction of customers that a company may report to.)

If you know of others, please let us know. I’ll update this post as I learn more.

Bank Note of the Year

Who knew there’s an International Bank Note Society? Or that they have a prize for best bank note of the year? This year’s winner is the “1,000-franc note issued by the Banque Centrale des Comores, the central bank of the Comoros, an archipelago located between Madagascar and the east coast of southern Africa.”

Don’t miss the discussion of the note’s security features:

Despite a low face value (approximately US$2.70 at current exchange rates), the 1,000-franc note sports an impressive array of security features. Portions of the design are printed with the intaglio process, imparting a tactile element to the raised ink, along with the latent image created by the BCC embossed above the signatures. Counterfeiting is made more difficult through the use of microtext, incorporation of a perfect-registration device, and the inclusion of Omron rings. The paper contains an embedded security strip that fluoresces under UV light, and a watermark of a crescent moon, four stars, and the letters BCC. Finally there is an iridescent band on the front of the note that can be seen only when tilting the note at an angle to the light.

Incidentally, the term “Omron rings” seems to describe what’s better known as the “EURion Constellation,” the set of rings that break various scanning devices.

Via Davi’s Flying Penguin.

Emergent Breasts Handled By Ohio’s Finest

Yesterday CNN reported that while Ohio State Representative Matthew Barrett was giving a presentation to a group of high school students, a photo of a naked woman appeared instead of the expected graphic. The State Highway Patrol seized the USB drive containing the presentation and in less than 24 hours determined that the image had been downloaded by one of Rep Barrett’s four children. Contrast this with the case of Julie Amero: it has been going on for about three years now and she is still potentially facing a new trial.

  • How good is the forensic ability of the State Highway Patrol and is this a valuable use of their very limited resources?
  • Was there actually any harm done? After all, how many high school kids (even in Ohio) have not seen a picture of a topless woman?
  • What was Rep Barrett thinking when he allowed his kids to use his USB drive and/or computer that he uses for work?

Lessons learned:

EWeek on The Gap Breach

Lisa Vaas has a great article in eWeek, “Let’s Demand Names in Data Fumbles”:

That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and it’s providing credit reporting services to those affected for up to a year, at what surely must be a significant cost—particularly galling, given that the vendor broke the terms of an agreement that the information that wound up stolen be encrypted.

Highly worth reading. There’s a new normal emerging around breaches, and it’s going to be good for computer security.

Even if you’re a victim today, remember that there’s no way to improve except by studying what’s going wrong.

In closely related news, StoreFront Backtalk has a story about merchants suggesting that the card associations, like Visa, ought to do better. Today, they require merchants to hold card numbers and protect them. Why not hold less sensitive data? See “Retail Group Lobbying To Have Credit Card Data No Longer Stored.”