Full body scan - shield or show?

Semi-Originally posted 06/14/2011 on lubbockonline.com

Due to technical problems, this is a repost from January 4, 2010

Full body scans in airports - they're getting a lot of attention again, both for and against. One blog feels that just by agreeing to fly we are consenting to scanning. Another story on Canada.com agrees. It asks the seemingly reasonable question, "Do we need to see hundreds or thousands killed for the privacy objectors to back off?"

Privacy groups are against the full body scanners, saying they are invasive and demeaning. Flyersrights.org and the ACLU are both against the scanners. In a release on its website the ACLU says:

"We should be focusing on evidence-based, targeted and narrowly tailored investigations based on individualized suspicion, which would be both more consistent with our values and more effective than diverting resources to a system of mass suspicion," said Michael German, national security policy counsel with the ACLU Washington Legislative Office and a former FBI agent. "Overbroad policies such as racial profiling and invasive body scanning for all travelers not only violate our rights and values, they also waste valuable resources and divert attention from real threats."

I have to admit, I lean more toward the ACLU position. Yes, I know that a full body scan might have caught the explosive in the bombers undies - although there are claims that the bomb would have made it through a scanner. But that isn't really the issue. The issue is that we don't need to add any new security measures, we need to properly use the ones we have.

I can't say it enough. The system is broken. People are saying, "We need full body scans to keep anyone else from getting through." No, we need to start making full use of the intel we're gathering. Bush dropped the ball when he didn't follow through on his order that the U. S. intelligence agencies, FBI, CIA, NSA, etc. share information, and Obama is following his example.

The point in this is not that a scanner would have stopped this guy before he could turn himself into a eunich. It is that he should never have made it to the point where he would have to go through a scanner. We had more than enough info to forbid this guy to get on a plane. He was on a watch list, then his father notified the U.S. Embassy that he had been radicalized and might do something dangerous. That would have put him in a "watch very closely" list for me. Not for the U.S. government. According to examiner.com:

"On November 20th the embassy sent a "Visas Viper cable" to the State Department which detailed the father's warning.  The information was then given to the Counter-Terrorism Center in Washington D.C. which ruled that their was insufficient information present to revoke Mutallab's visa."

While people are screaming for more measures to limit our freedoms and take away our rights, the real problem is that the information we are gathering has everything we need to stop these terrorists, if we would only use it. Putting scanners in the mix will not make us safer, it will only be one more layer of false security.

No matter what methods we devise to detect explosives at the airport, our first and best line of defense will always be gathering data to stop terrorists before they can get a ticket. And the evidence shows we're doing a good job of gathering it, we just aren't using what we're getting.

Federal high tech security boondoggles

In an article by Ken Dilanian, swamppolitics.com - the Washingtom Bureau of the Chicago Tribune - reports that a number of high tech security programs initiated by the Bush administration have flopped. The biggest reason for the failure? Failure to properly test the technologies before implementation. A weakness shared by the current technical bandaid, full body scanners.

Technology is an important tool in the war against terror. But according to Brian Jenkins of the Rand Corp the Department of Homeland Security is overly reliant on technology. There is no silver bullet, but new technologies are treated as the final solutions to our national security problems.

From the "virtual fence" aka Project 28, on our southern border to the Real ID Act that Homeland Security Secretary Janet Napolitano has called for Congress to repeal, U.S. high tech anti-terrorism initiatives aren't working as advertised.

In fact, recently the majority, if not all, of the terrorist that have been caught before attempting terrorist acts have, to the best of our knowledge, not been caught through new, high tech gadgetry but through old fashioned investigation and surviellance techniques. Techniques that employ technology, but as a tool, rather than as the lynchpin of the procedure. Maybe it's time we started focusing on the things we know work, and take the time to do proper testing of new technologies before entrusting the lives of our citizens and the security of our nation to them.

Does Arizona have the right idea?

I have to wonder if Arizona’s Jan Brewer doesn’t realize what she’s doing, or if she really believes so strongly in the importance of these racially charged bills that she is willing to sacrifice her political career. Just a few short weeks after passing the controversial immigration law, the Associated Press reports that, “Arizona gov. signs bill targeting ethnic studies". According to the story, “State schools chief Tom Horne, who has pushed the bill for years, said he believes the Tucson school district’s Mexican-American studies program teaches Latino students that they are oppressed by white people.”

Like the immigration bill before it, the purpose of the education bill as described in the story doesn’t seem that objectionable to me. I understand the concerns that the immigration bill could lead to racial profiling. That is a legitimate concern, but doesn’t change the fact that illegal immigrants are here illegally. I'm glad the immigration bill specifically prohibits stopping someone just to ask about their citizenship, but only time will tell if law enforcement abides by that.

I also understand that this education bill could be used as a reason to stop teaching about the contributions minorities have made to this country. It shouldn’t, and there is nothing in the bill to prevent classes on Hispanic (or any other minority) influences on U.S. history. It only prohibits classes intended to only be taught to a specific group. I'm not surprised - if it's illegal to have schools for specific groups, why would it be legal to have classes set up that way?

I do object to the prohibition against teaching “ethnic solidarity." Being proud of your heritage could be considered “ethnic solidarity.” Everyone should be proud of their heritage, and there’s nothing wrong with schools teaching that. But you should be proud of your entire heritage. Whether you are a recent immigrant or your family has lived here for generations (or centuries), whatever continent your ancestors hailed from you should be able to look to your entire history, both your ancestry and your nation, for a sense of pride in your heritage. Schools should promote that. To promote that they should be helping students realize that even though we are all different, we all share many things in common. Apparently the Tucson school districts ethnic studies program doesn’t always do that. According to the AP story:

"Horne, a Republican running for attorney general, said the program promotes "ethnic chauvinism" and racial resentment toward whites while segregating students by race. He's been trying to restrict it ever since he learned that Hispanic civil rights activist Dolores Huerta told students in 2006 that "Republicans hate Latinos."

It’s one thing to promote pride in your heritage. It’s another thing entirely to promote hatred, and that is what you are doing when you tell someone that an entire group of people hates them.

Both of these bills are controversial, although the neither bill should be. Not if they were really written and passed for the stated reasons. Enforcing the law is the duty of law enforcement officers. I believe the oath most of them take is to enforce laws of the community, state and country, not just the laws of whatever level of government (city, state or federal) happens to employ them. Schools are supposed to teach kids and to prepare them for life - and make them productive, loyal citizens. Like it or not, propaganda has always been one purpose of the public school system. It is a legitimate purpose. No modern society can survive if it's children are taught to hate and distrust people who are different - different people are part of our society.

Teaching the bad things that happened in the past does not have to be divisive or disruptive - and should not be. Enforcing legitimate laws - for instance, laws requiring visitors to our country to go through the same established legal channels our citizens have to go through to visit their countries - should not be divisive or disruptive. But sensational headlines and soundbites can cause them to be. So can poorly thought out or carelessly worded laws.

So does Arizona have the right idea? Should we be taking steps to enforce immigration laws? Before you answer, maybe you should cross illegaly into Mexico, Canada, or any European nation and see what happens if you get caught. Should we prohibit/monitor what is taught in classes to make sure it is for the common good? Should we make sure that classes that teach about the contributions of non-caucasions to our country are taught to everyone, so all students benefit from them? Better yet, should we make sure that those contributions are part of the standard classes - requiring that they be taught, not just that they appear in the textbooks?

Based on what I know of the two laws, I would say that they do have the right idea. If giving current illegals amnesty and a path to citizenship worked to discourage illegal immigration, we wouldn't be having this discussion. If an activist speaker was allowed to sat that Republicans (widely portrayed as all rich white people) "hate latinos," that's promoting racial tension, and should not be allowed in schools. Would she have said that if it was a class of all ethnicities? Would she have wanted to speak to such a class? I don't know. And I don't have a problem with her being asked to speak to a class. I do have a problem with classes being used to promote a particular political party or cause, and that's why I think Arizona has it right on the education bill, too.

Could Buzz become Facebook for education?

In his blog entry on ZDNet, "A social networking call to arms" Christopher Dawson looked at Google as the potential social networking provider for education and business. He makes some good points. In the past Google has been considered a nemesis of personal privacy for their retention of user search and email data long after the fact. But they have responded to their users concerns by limiting the time data is kept, and when they made the major blunder at the introduction of Buzz were quick to fix the problem. Facebook, on the other hand, is continually expanding what user information is considered public without consulting users or seeming to care about their wishes. Schools have to keep certain data private, and Facebook does not allow that.

There was a time when Facebook might have been useful as a tool for teachers. That time is long past. But a social network run by Google could work. Google does not make change their privacy policy every six months (or less) in an effort to make more of the user data public. And Google has experience providing secure services in the cloud to businesses already. They already have most of the ingredients of a successful social media site if they can find a way to tie them all together. Google Search, Google Reader, Youtube, Blogger and Google's handling of privacy issues are some pieces of the puzzle. All Google needs is a way to package them together that satisfies the privacy and security needs of educational institutions while providing the social experience people want.

Facebook exposes private chats

In the Bits blog Nick Boltin reports on the Facebook bug that exposed private chats to public scrutiny. Facebook claims the bug was only live a few hours, and has shut down chat until the bug can be fixed (perhaps by the time you read this). This can't help Facebooks reputation in the eyes of the Electronic Frontier Foundation or Senator Charles Schumer (D, NY). Senator Schumer is one of the Senators calling on the FTC to craft privacy guidelines for social networks.

I'm not sure this was really an accident. Yes, I'm being paranoid and cynical, but the Facebook business model is to push for users to make everything public. I wouldn't be surprised if this was a 'live test' to see what kind of reaction results from this "bug".

Message to Google: Respect our citizens privacy

In a story published in the Avalanche-Journal, Barbara Ortutay, AP technology writer reports that 10 nations have written a joint letter to Google CEO Eric Schmidt expressing their concern over the way Google Buzz and Google Streetview handle privacy.

It's good to see that the privacy of citizens is important to their governments. It's sad that the US wasn't represented, but we don't have a privacy commissioner, and anyone who's been paying even mediocre attention to the news for the last 5 years should know that US government isn't exactly worried about citizens privacy.

The letter pulled no punches, saying in part:

"However, we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.  We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws.  Moreover, this was not the first time you have failed to take adequate account of privacy considerations when launching new services."

The other service being referred to was, of course, Google Streetview. Google streetview has been plagued with privacy issues such as pictures of the interior of houses, backyards behind privacy fences, and unobscured pictures of peoples faces without permission.

The commissioners expressed concern that Google was making it a standard business practice to roll out new services without adequate planning and privacy protections:

"It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world."

I only wish we could convince the US government of the importance of the citizens right to privacy. If we all contact our congressman and tell them, maybe we can.

The text of the letter is here.

Biometric National ID - The big lie

In an article on fiercegovernmentit.com David Perera tells us more of the claims and controversy surrounding the proposed biometric national ID cards. The proposed cards would have some type of biometric data to make them tamperproof (there's no such thing) and are supposed to help stop illegal immigration. If you read this blog regularly you've probably already seen my opinion on that.

He links to an opinion piece by Senators Charles E. Schumer (D-N.Y.) and Lindsey O. Graham (R-S.C), the authors of the bill. This piece shows either the duplicity of the two legislators, or their unforgivable ignorance of just what it is they are proposing. Just a few sentences from one paragraph of their article raises all kinds of alarms with me:

Each card's unique biometric identifier would be stored only on the card; no government database would house everyone's information. The cards would not contain any private information, medical information or tracking devices. The card would be a high-tech version of the Social Security card that citizens already have.

Let's look at the two claims individually:

First, if the biometric data is only on the card, there is nothing to check it against. Without a database to check the data on the card against it will be difficult if not impossible to create a card that's really difficult to forge, let alone one that's anywhere near tamperproof. Once someone figures out how to move the biometric data from one card to another a single lost ID can be turned into as many different ID's as they want. The card is only checked against itself, so it will always report that it's legit. In other words, a national database loaded with U.S. citizens personal data is more than a requirement for an even remotely effective national ID, it's an absolute necessity.

Second, it's not supposed to contain any private information. Excuse me, but biometric data is extremely private. Social Security numbers are supposed to be private. By it's nature, an ID card has to have some type of personal data or it can't prove your identity. And don't believe there won't be medical data on it. It won't be there at first, but unless the health care reform bill is repealed, the most logical place for portable health info to go is a chip on an ID card. And don't trust the promises that none of this will happen. "It will not be used as an ID number" was one of the promises used to pass Social Security.

The ACLU and about 45 other organizations sent a letter to President Obama outlining their concerns over a national ID. Along with the concerns I've already noted, they included concerns over cost and enforceability, among others. Regarding cost, they point out that providing biometric ID cards for 1 million transportations workers is expected to cost the Department of Homeland Security 1.9 billion dollars. In other words, it will cost almost $300,000,000,000 dollars to ID the entire U.S. work force. Perhaps more important, they don't believe the plan has a snowballs chance of working:

"Adding insult to injury, this unaffordable scheme will probably never work. Even ignoring the enormous difficulties of creating a system to fingerprint everyone and distributing readers to employers across the country, the truth is that some employers prefer the ambiguity of the current process. Unless significantly greater resources are dedicated to enforcing the law, employers will continue to have a strong incentive to circumvent a broken system. Such enforcement could be accomplished just as easily without a National ID."

If greater resources were dedicated to enforcing the law, there would be less perceived need for a national ID. In other words, this national ID thing is smoke and mirrors to gain more control over law abiding citizens while having minimal impact on the criminals.

Surviellance law needs updating

Scott M. Fulton, III, managing editor of betanews.com, wrote an in-depth article on technewsworld.com about the need to update the Electronic Communications Privacy Act (ECPA), an ancient (in technology terms) law that sought to update the code covering telephone communications so that it also covered computer communications. But it was written in 1986, almost a quarter of a century ago. Computer communications now are radically different than they were then. In 1986 most computer communications were between universities, government agencies and government contractors. Today the communication between those three segments is a fraction of the communications between private companies and citizens.

The Digital Due Process (DDP) group, led by the Center for Democracy and Technology, has defined some principles for Congress to take into consideration when they look at updating the ECPA. The goal is to get internet communications the same protection given to wiretapped telecommunications. This isn't the first time that the DDP has tried to influence policy, but this time they've enlisted two of the more visible company in recent privacy discussion, Microsoft and Google. Their involvement should put some weight behind the DDP's suggested principles.

Internet communications are in dire need of legislative protection. Despite recent court rulings, just how protected online communications such as email are is uncertain. And with more of individuals critical data being stored online or in third party cloud services, the current laws and precedents make the Fourth Amendment moot. By use of the Third Party Doctrine law enforcement can deny Fourth Amendment protections to anything you store online. That includes email, financial data (if you access your bank account online...) and even your dropbox account.

Check out Mr. Fulton's article to learn a lot more about this issue. I've only touched the surface of what he covers. Before I finish, I want to include one quote to emphasize how important it is that current laws be updated, and the standard of how much privacy protection is afforded online data be updated:

"The Supreme Court has said that you can issue a subpoena -- not because you believe the law is being violated, but merely to assure yourself that the law is not being violated." Jim Dempsey, CDT Vice President for Public Policy

I don't know about you, but to me that sounds a lot like assuming guilt without evidence. Kind of flies in the face of "innocent until proven guilty" doesn't it?

Full body scans can't be abused. Right.

Michael Holden reports in Reuters "Oddly Enough" news that a security worker at London's Heathrow airport is in hot water for looking at a coworker who "mistakenly strayed into the scanner."

The 25 year old man is not in deep trouble yet because the incident is still being investigated, but if the investigators conclude he actually did see things he shouldn't have it will put a whole new spin on full body scans. Citizens around the world have been assured repeatedly that security workers wouldn't be able to see their "naughty bits" on the scans. If the investigation proves they can, there could be a massive public outcry.

Of course, the investigation is being carried out by government employees, and the government has a vested interest in finding that nothing actually happened.

Is answering the census safe?

NOTE: Checking Census law reveals that it is illegal to refuse to answer the census questions.

In an opinion piece on csmonitor.com James Bovard examines the possibility that our census answers may not be as private as we're promised they'll be. He looks at the historical record the census bureau has built regarding privacy of census data. It doesn't look too good. The first mar on the bureaus record was the production of a list of Japanese Americans on the East coast within days of Pearl Harbor. Although they are now remembered (when mentioned at all) as "internment camps," or "War Relocation Camps," Japanese Americans were rounded up and put into concentration camps. The Census Bureau denied any such activity until 2000, and denied giving specific names and addresses until it was proved in 2007 that exactly that information had been provided.

The Department of Homeland Security was given similar information by the Census Bureau in 2003-2004 regarding people of Middle Eastern ancestry in the U.S. No roundups occurred, but they would have been much easier with that information.

Mr. Bovard talks about the abuses to citizen privacy in the last 10 years, and points out that all the census is really required to gather by the constitution is a count of citizens, and the number of people living at each address is all that anyone should provide. Especially since the government obviously is more concerned with gathering as much information as it can about citizens than protecting their rights. It was true of the Bush administration, and by all the evidence nothing has changed with the Obama administration. I have no doubt that census data will be used in whatever fashion the government feels the need to use it, no matter what the law says.

Obama supports DNA sampling when arrested

Politico's Josh Gerstein tells us that, "President Obama backs DNA test in arrests." In an interview with John Walsh on America's most wanted the President professed his strong support of gathering DNA of everyone arrested for a felony crime:

"It's the right thing to do, and then, as you well know, John, this is where the national registry becomes so important, making sure that, not only are we getting these DNA tests done state by state, but then, nationally, everybody's talking to each other. That's how we make sure that we continue to tighten the grip around folks who have perpetrated these crimes."

It's a great sentiment. The problem is, that when it comes to DNA testing upon arrest, it's wrong. In the interview John Walsh says that it's no different that taking fingerprints or an arrest photo. But that is not true.

DNA samples, unlike fingerprints, don't just identify you. They have the potential to reveal health issues, genetic relationships (siblings, parents), and possibly potential behaviors. You may give up the right to protect this information if you are convicted, but to take it upon arrest flies in the face of "guilty until proven innocent." Requiring DNA sample of people who have been arrested, but not indicted, let alone convicted, says the exact opposite. It assumes you are guilty until the DNA sample proves you innocent. That is not the way justice is served in the U.S.

See the portion of the interview that talks about DNA (about halfway through on Youtube.

See the entire interview on amw.com

Privacy vs Security at RSA conference

Brian Prince of eWeek Europe reports that U.S. Cyber Defense experts agreed on two things: U.S. cyber security needs beefing up, and doing that while protecting privacy won't be easy. Former head of U.S. Homeland Security Michael Chertoff saw the situation as a balancing act:

“You don’t want necessarily to have the government literally sitting there and operating the internet and opening and closing doors because it’s not hard to imagine a situation like you have in other countries where someone makes a decision that the threat isn’t just an attack by a botnet but an attack on ideas the government doesn’t like. So the key is to build a system that allows a sharing of information that does put on critical infrastructure a responsibility to maintain itself…but preserves a certain gate between them and a certain amount of accountability so that the government can’t simply just roughshod over the privacy.”

That's an important statement - and one that very neatly sums up the difficulty of providing security while maintaining privacy. The rest of the panel discussion showed a real concern and understanding of the importance - and complexity - of maintaining privacy while ensuring security.

Chertoff was one of a three member panel. The other two members were Marc Rotenberg, executive director of the Electronic Privacy Information Center ( EPIC ), and former special advisor on Cyber Security for George W. Bush, Richard Clarke. Richard Clarke is now chairman of Good Harbor Consulting. To be honest, I was a little surprised at the attitude shown by Mr. Chertoff and Mr. Clark. Hearing Mr. Chertoff, co-author of the Patriot Act, talk about the importance of limiting governments ability to invade citizens online privacy was unexptected.

Of course, not everything they said was so pretty. Clark wants a system that is flexible enough that it isn't compromised when some companies don't keep up with the latest patches and malware protections. His idea? Have Tier 1 ISP's do deep packet inspection to detect illicit activity. This is just a liiiiiittle bit contradictory to Mr. Chertoffs statement above. Deep packet inspection would mean they see everything everybody does that goes through a Tier 1 ISP. A lot of traffic will never hit a Tier 1 ISP, but the fact that US citizens would be being treated as criminals with no evidence that they are would be a major constitutional problem. Of course, it should be a major constitutional problem with the nationwide phone tapping that's still going on, and we know how that went. Not surprising at all that Rotenberg saw a slippery slope, "If we go down this road you really have to be very careful because one rationale easily collapses into another."

It was encouraging that Clarke felt the U.S. government had discredited itself over the past ten years where privacy is concerned. He also felt that the agency best equipped to protect the country, both military and civilian, is the NSA. But in an amazing twist, he feels that the NSA is not the agency that should be protecting the private sector. The problem is, there isn't anyone looking out for the private sector:

“The problem is right now no one is defending the private sector,” he continued. “The theory of the Obama administration seems to be cyber-command defends the military, DHS (Department of Homeland Security) – which can’t do it yet – defends the .gov community, and the rest of us are on our own.”

As scary as that is, it's better than being watched by the NSA. And I'm happy that all three panel members seem to agree with that sentiment.

.

The lighter side of data breaches

Apparently a Swiss bank has been the victim of a data breach. Erik Kirschbaum reports through Reuters that German tax dodgers are running scared after data breach. The report says that which bank it was is unknown, but the German government seeing a huge increase in the number of tax dodgers turning themselves in. There is a good reason it's happening. German tax law says that a tax dodger can avoid prosecution if he turns himself in before the government starts to investigate him.

It seems there are a lot of German tax evaders with money in Swiss banks. But they may not have even noticed if the German government wasn't willing to pay 2.5 million Euros for the data. Which allows great quotes like this:

"There's been a delightful rise in tax compliance," said Daniel Abbou, spokesman for the finance department in the city of Berlin after 74 people volunteered this week to pay back taxes on previously undeclared income.

Great stuff.

Obama = Bush

Now that I've got your attention, yes, I mean that. When it comes to citizens privacy rights, I can see no discernable difference between their administrations. Obama is continuing the national phone monitoring that was started by the Bush Adminstration. A program that is unconstitutional and does little if anything to benefit national security.

If that wasn't bad enough, last night I saw two articles talking about a case being argued today in Philidelphia. The first was at Cato-at-liberty.org and was pretty short. The headline says it all:

The Government Can Monitor Your Location All Day Every Day Without Implicating Your Fourth Amendment Rights

The second was an opinion piece by Catherine Crump at the Philadelphia Enquirer. It began with,

"If you own a cell phone, you should care about the outcome of a case scheduled to be argued in federal appeals court in Philadelphia tomorrow. It could well decide whether the government can use your cell phone to track you - even if it hasn't shown probable cause to believe it will turn up evidence of a crime."

The Obama administration is asserting that U.S. citizens have no reasonable expectation of privacy when it comes to their cell phones. This premise comes from the "third party doctrine." The third party doctrine is controversial to say the least, and in the modern age the equivalent of completely removing all Fourth Amendment protections without the pesky need to actually repeal it.

The third party doctrine says that once you knowingly give information to a third party you lose the right to the Fourth Amendment protections. Just to help keep things clear, the Fourth Amendment says:

Fourth Amendment – Protection from unreasonable search and seizure.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The third party doctrine is based on the premise that, since the phone company, your ISP, and any other company you may give data to is not within the four walls of your home or on your person, that data is no longer protected by the Fourth Amendments clause against unreasonable searches and seizures.

Forget whether or not you are doing anything illegal. Under the third party doctrine the government can subpoena your browsing history from your ISP without having to prove probable cause. Anything you put on Facebook (not that Facebook is private), and possibly even anything you backup to Carbonite or other online backup service.  I say possibly to the backup services because they are usually encrypted, so a "reasonable expectation of privacy" can be argued. The same can't be said for email, cell phones, text messages or almost anything sent over the internet.

I don't know about you, but almost everything I do that doesn't involve direct, face to face communication goes through a third party before reaching it's destination. There is almost nothing I do that the government can't look into for no other reason than curiosity using the third party doctrine. Knowing the history of the American colonies and the revolution, I know the founding fathers never intended the government to have that kind of power.

GAO to TSA: Test those scanners first!

In a report by Jaikumar Vijayan on pcworld.com we learn that the Government Accountability Office (GAO) has told the TSA to make sure they properly test the full body scanners they are trying to deploy. The GAO reminds the TSA that another technology, Explosive Trace Portals, was rushed to deployment, and performed so abysmally that only about 1/2 the units purchased were installed, and by the end of 2009 all but 9 were out of service. Those 9 will be gone by the end of the year.

The GAO says that the TSA had not tested the full body scanners by October 2009, but claims to have finished testing by the end of that year. The problem, according to the GAO, is there is no verification that real world tests, ie tests trying to fool or bypass the scanners, were done.

Without such tests - carried out with a sincere desire to get past the scanners - there is no guarantee that the scanners are effective. It's easy to find something carelessly hidden. It's another thing to catch something carefully hidden by someone with a good idea of how to hide it.

If some of the things I've read are correct, as little as a millimeter of skin will keep  these scanners from finding something. Having the amount of skin necessary for a bomb pulled up and sewn down over high explosives doesn't seem very attractive, but we're talking about people who are not expecting to be in one piece for much longer when this is done. Of course, there are less violent ways to hide a bomb inside the body. People smuggle drugs that way all the time.

This really comes down to a cost benefit analysis. The cost of the methods required to get around full body scanners - apparently very low. The cost of the scanners? A very high $130,000 to $170,000 each. Unless the TSA can show the scanners can effectively reduce terrorist attempts, the cost outweighs the benefit. From the information available now, that seems unlikely.

Facebook Twist: Anti-social networking

The Times Online reports that Colin Gunn, a notorious British godfather, has had free access to the internet, and has been using it to intimidate and terrorize via Facebook. He claims to have been given permission for it by prison officials. The suspicion is that they gave him access fearing refusal would be called a human rights violation. On the face of it, this seems silly, but it was only last June that the French version of the Supreme Court declared Internet access to be a fundamental human right. I'm sure they never intended for convicted felons to be able to access the internet from prison and continue to run their gangs. That is exactly what Gunn did, using his Facebook account to send intimidating messges, such as:

“It’s good to have an outlet to let you know how I am, some of you will be in for a good slagging, some have let me down badly, and will be named and shamed, f****** rats.”

Such an endearing character.

This actually isn't a post against Facebook. Facebook had no control over this, and probably shouldn't. The problem here is the idea that internet use is a "human right." If it is any kind of right at all, it is a citizens right, and like many other citizens rights, can be lost once you are convicted of a crime. Matt Asay makes some good points on the subject in his article, "Is Internet access a 'fundamental right'?" from May of last year. As Matt points out, there are rights and responsibilities. It's important not to confuse the two.

Full body scans: Trading privacy for illusion of security?

Hebba Aref has been a privacy advocate for some time. And she experienced anti-muslim prejudice first-hand when she was told that she couldn't be in a picture with Candidate Obama because of her head scarf. That was an overzealous volunteer, and Mr. Obama called her personally to apologize when he found out. I can imagine that was a defining moment in her life.

In the past she has been against full body scanners and profiling in airports. Then she sat six seats in front of a young Nigerian man on Christmas day, 2009, and she remembers the sound of the detonator, the flash, and the terrorist being led down the aisle with no clothes on below the waste.

Her experience that day changed her view of how airport security should be handled. In an article in the Detroit Free Press she says: "I'm always standing up for rights and privacy concerns, but now I hope that body scans will be mandatory," Aref, 27, said Wednesday. "Balanced against national security, it's worth the invasion of privacy. And I acknowledge the fact that there has to be attention paid to Muslims."

Coming close to death is a life changing experience, but often after some time has passed and the fear moves further away people revert to their previous opinions and attitudes. Only time will tell us if Miss Aref will continue to favor body scanners and profiling. But her story, moving as it may be, is just another emotional appeal, and emotional appeals are poor things to build policy on. Granted emotional appeals are the stuff that shapes public opinion, but they're still bad for building policy.

One of the more interesting quotes on full body scanning and privacy  came from an article in the Washington Post on January 4, 2009. It was about the images generated. It said,

"They're virtual. Passengers walk through the machines fully clothed; the resulting image appears on a monitor in a separate room and conceals passengers' faces and sensitive areas."

Correct me if I'm wrong, but I believe "sensitive areas" refers to the breasts and groin on women and the groin on men. If the groin area is concealed, how are we protected from an underwear bomb?

Here are a few other quotes from the same article:

"It covers up the dirty bits," said James Carafano, a homeland security expert at the conservative Heritage Foundation.

"I don't think it's any different than if you go to the beach and put on a bikini," said Brandon Macsata, who started the Association for Airline Passenger Rights.

"It covers up the dirty bits," and it's the same as a bikini ... that sounds to me like the primary area of concealment - the crotch, will be concealed by software in the scanner. That makes it kind of hard for the human viewing the image to see if anythings been added to the area.

I've read that the full body scanners are not designed to detect the types of explosives used in most terrorist attacks. According to an article at newsdaily.com, Dutch Interior Minister Guusje ter Horst said that there is no 100% gaurantee that the new detectors would have caught the underwear bomber.

Adding fuel to the fire - or not, since there's been almost no mention of it anywhere else, the Independent ran an article, Are planned airport scanners just a scam? on January 3rd reporting that British research into full body scanners showed that they would not detect an explosive of the type used by the crotchbomber. According the to article,

"But Ben Wallace, the Conservative MP, who was formerly involved in a project by a leading British defence research firm to develop the scanners for airport use, said trials had shown that such low-density materials went undetected.
Tests by scientists in the team at Qinetiq, which Mr Wallace advised before he became an MP in 2005, showed the millimetre-wave scanners picked up shrapnel and heavy wax and metal, but plastic, chemicals and liquids were missed. "

Other interesting claims are made. Supposedly American experts have stated that traditional airport pat downs wouldn't have stopped Mr. Abdulmutallab from getting on the plane. There's a really simple reason for it. In the U.S. the security people aren't allowed to frisk sensitive areas. Not that frisking those areas will stop everyone. I was with a friend going into "The Who's Last" concert in Dallas in 1983...I think that was the concert...anyway, they were frisking everyone. My friend had a recorder with the mike in his pants. The officer hit the mike,

"What's that!"
"My d**k."

The officer got a surprised look on his face and waved him through. I still wonder if anyone managed to get something more dangerous in that way?

For me the scanner issue isn't really about privacy, although that is important. It's really about using unproven technology without making sure the measures we already have in place are working. To be honest they usually do work, but we need a lot of improvement. And before we spend $165 million on scanners we should spend a few hundred thousand making sure they do what is claimed.

Does anyone remember the bomb sniffing machines they spent millions on after 911? The machines that are mostly decommissioned because they didn't work as claimed, and spent more time broken than working? We don't want that to happen again - but it's probably already to late, because they've already ordered them. And they may not even detect the explosive they're being bought to protect us from.

The more things change the more they stay the same.

[Edited at 12:21 to improve headline by Bert]

Obama shoulders responsibility

Whatever you may think about President Obama's handling of the economy, foreign relations, or the war on terror, yesterday he stepped up to the plate and acted like a leader. He gave a broad outline (which was all he should have given) of what went wrong and what will be done to fix the problems. And that's where it gets sticky. I've been doing a little research on those handy-dandy full-body scanners that everyone's talking about, and I like the idea of using them less now than I did before. In a couple of days I'll go into some of the problems with them. But aside from the full body scanners, it looks like President Obama is taking this threat to our security seriously now and taking real steps to keep us safe from external threats.  That is his primary job as President.

Full body scan - shield or show?

Full body scans in airports - they're getting a lot of attention again, both for and against. One blog feels that just by agreeing to fly we are consenting to scanning. Another story on Canada.com agrees. It asks the seemingly reasonable question, "Do we need to see hundreds or thousands killed for the privacy objectors to back off?"

Privacy groups are against the full body scanners, saying they are invasive and demeaning. Flyersrights.org and the ACLU are both against the scanners. In a release on its website the ACLU says:

"We should be focusing on evidence-based, targeted and narrowly tailored investigations based on individualized suspicion, which would be both more consistent with our values and more effective than diverting resources to a system of mass suspicion," said Michael German, national security policy counsel with the ACLU Washington Legislative Office and a former FBI agent. "Overbroad policies such as racial profiling and invasive body scanning for all travelers not only violate our rights and values, they also waste valuable resources and divert attention from real threats."

I have to admit, I lean more toward the ACLU position. Yes, I know that a full body scan might have caught the explosive in the bombers undies - although there are claims that the bomb would have made it through a scanner. But that isn't really the issue. The issue is that we don't need to add any new security measures, we need to properly use the ones we have.

I can't say it enough. The system is broken. People are saying, "We need full body scans to keep anyone else from getting through." No, we need to start making full use of the intel we're gathering. Bush dropped the ball when he didn't follow through on his order that the U. S. intelligence agencies, FBI, CIA, NSA, etc. share information, and Obama is following his example.

The point in this is not that a scanner would have stopped this guy before he could turn himself into a eunich. It is that he should never have made it to the point where he would have to go through a scanner. We had more than enough info to forbid this guy to get on a plane. He was on a watch list, then his father notified the U.S. Embassy that he had been radicalized and might do something dangerous. That would have put him in a "watch very closely" list for me. Not for the U.S. government. According to examiner.com:

"On November 20th the embassy sent a "Visas Viper cable" to the State Department which detailed the father's warning.  The information was then given to the Counter-Terrorism Center in Washington D.C. which ruled that their was insufficient information present to revoke Mutallab's visa."

While people are screaming for more measures to limit our freedoms and take away our rights, the real problem is that the information we are gathering has everything we need to stop these terrorists, if we would only use it. Putting scanners in the mix will not make us safer, it will only be one more layer of false security.

No matter what methods we devise to detect explosives at the airport, our first and best line of defense will always be gathering data to stop terrorists before they can get a ticket. And the evidence shows we're doing a good job of gathering it, we just aren't using what we're getting.

Do you have the skills?

The feds are looking for people with the skills necessary to move the U.S. into the 21st century, cybersecurity wise. If you have the skills to help secure our networks and a security clearance, you can make some pretty good money, even if you don't have a ton of experience. You do have to have some, but the main point is that you have some experience and a security clearance. Cyber attacks have tripled recently, but cybersecurity talent with security clearance is so rare that government agencies and government contractors are fighting for the same people, and the government can't compete.

The governments inability to pay competitive salaries is hurting our ability to protect important data. The problem isn't being able to figure out how the bad guys might get at it, it's in figuring out how to close the holes we can find. And the ability to respond to a breach varies widely from department to department. The State Department has well equipped and trained staff who can respond quickly, determine the attack vector, and plug the hole, then analyze and determine was to prevent similar attacks in the future. The Commerce Department, which handles data every bit as sensitive as State, lacks similar equipment and training. Both suffered serious breaches. State was able to determine how it was done and prevent data theft. Commerce was never able to determine how the attack was pulled off, although they say no data was compromised. But they still replaced hundreds of workstations.

This is a serious problem. Organized crime and hostile governments (note: in this context, all other governments are hostile) are marshalling major resources at cracking the security in U.S. government and private corporate facilities. It is not the governments place to protect private companies (nor should it be), it is of paramount importance that government agencies are able to keep data safe from prying eyes. Their databases contain information that could do irreparable damage to our ability to compete in the marketplace. They contain data on research in all types of technology that we would not want falling into enemy, and maybe not even friendly, hands. If there is any one area we cannot afford for our government to skimp on, it is national security, and part of that is making sure that we have the best cybersecurity experts providing the best policies and procedures for preventing breaches, and when they do occur, detecting, plugging, and cleaning up after quickly and efficiently.