Loss of Privacy

Keeping you informed on recent losses to privacy and civil rights worldwide.

Browsing Posts published in August, 2007

I have said it before many times, chipping people is wrong, no matter what the situation might be.

So, here’s a clip from Good Morning America, touting what a great solution it is to chip Grandma because she has Alzheimer’s.  It’s great, so they say, because it’s been successful in tracking pets.  That’s right folks, that lovely lady who baked you cookies is now your pet.  Ain’t America just great?

Once you believe it’s okay to track pets and animals (check), track children (check), people with medical conditions (check), and track crazy people, old or not (check), it’s only a matter of time before you think it’s okay for someone to track you.

Some time next year, the DHS is going to determine how their spy satellites will be able to help federal and local law enforcement agencies in cases of criminal and civil law.

Until now, only a handful of federal civilian agencies, such as the National Aeronautics and Space Administration and the U.S. Geological Survey, have had access to the most basic spy-satellite imagery, and only for the purpose of scientific and environmental study.

The decision was made three months ago by Director of National Intelligence Michael McConnell, who plans on using the information first on enhancing border security, then analyzing that data for other uses.

Access to the high-tech surveillance tools would, for the first time, allow Homeland Security and law-enforcement officials to see real-time, high-resolution images and data, which would allow them, for example, to identify smuggler staging areas, a gang safehouse, or possibly even a building being used by would-be terrorists to manufacture chemical weapons.

Access to the satellite surveillance will be controlled by a new Homeland Security branch — the National Applications Office — which will be up and running in October. Homeland Security officials say the new office will build on the efforts of its predecessor, the Civil Applications Committee. Under the direction of the Geological Survey, the Civil Applications Committee vets requests from civilian agencies wanting spy data for environmental or scientific study. The Geological Survey has been one of the biggest domestic users of spy-satellite information, to make topographic maps.

Of concern are the legalities of giving access to the satellite data to civil agencies and whether or not it would violate the Posse Comitatus Act.

Even the architects of the current move are unclear about the legal boundaries. A 2005 study commissioned by the U.S. intelligence community, which recommended granting access to the spy satellites for Homeland Security, noted: “There is little if any policy, guidance or procedures regarding the collection, exploitation and dissemination of domestic MASINT.” … According to defense experts, MASINT uses radar, lasers, infrared, electromagnetic data and other technologies to see through cloud cover, forest canopies and even concrete to create images or gather data.

“You are talking about enormous power,” said Gregory Nojeim, senior counsel and director of the Project on Freedom, Security and Technology for the Center for Democracy and Technology, a nonprofit group advocating privacy rights in the digital age. “Not only is the surveillance they are contemplating intrusive and omnipresent, it’s also invisible. And that’s what makes this so dangerous.”

If you don’t want abuses of this system, then you need to make it transparent and available, at will, to American citizens.  In reality, local law enforcement agencies would not be able to sift through the mountains of data collected from the satellites.  However, many geeks in the world would set up websites tracking illegal border crossings and checking up on the government to see how well they respond to natural disasters.

Using the data for tracking people coming in and out of the country via the borders is a good idea.  I’m not sold on using it for tracking Jimbo growing pot in his back field.  Use a helicopter for that.  It’s already legal without a warrant.  We also don’t have a great track record with the Department of Homeland Security actually addressing privacy issues.

Oversight of the department’s use of the overhead imagery data would come from officials in the Department of Homeland Security and from the Office of the Director of National Intelligence and would consist of reviews by agency inspectors general, lawyers and privacy officers. “We can give total assurance” that Americans’ civil liberties will be protected, Allen said. “Americans shouldn’t have any concerns about it.”

But civil liberties groups quickly condemned the move, which Kate Martin, director of the Center for National Security Studies, a nonprofit activist group, likened to “Big Brother in the sky.” “They want to turn these enormous spy capabilities, built to be used against overseas enemies, onto Americans,” Martin said. “They are laying the bricks one at a time for a police state.”

Forget about laying the bricks for a police state, they’re more than halfway finished.  Fight it now before it’s too late.

RFID expert, Lukas Grunwald, has managed to create buffer overflows in new passports that utilize RFID, which leaves the passports open to sabotage.  Grunwald proved last year that he could clone an RFID chip and has now revealed that, by simply removing the photo and replacing it with an altered one, he can make the system crash.

Grunwald says he’s succeeded in sabotaging two passport readers made by different vendors by cloning a passport chip, then modifying the JPEG2000 image file containing the passport photo. Reading the modified image crashed the readers, which suggests they could be vulnerable to a code-injection exploit that might, for example, reprogram a reader to approve expired or forged passports.

“If you’re able to crash something you are most likely able to exploit it,” says Grunwald, who’s scheduled to discuss the vulnerabilities this weekend at the annual DefCon hacker conference in Las Vegas.

While I have documented before that this is a possibility, Grunwald has actually done it.

He conducted the attack by embedding a buffer-overrun exploit inside the JPEG2000 file on the cloned chip that contains the passport photo. Grunwald says he tested his exploit on two passport readers that were on display at a security conference he attended.

Buffer-overrun vulnerabilities occur when coding errors in software allow an attacker to overflow a section of memory dedicated to storing a fixed amount of data. Carefully exploited, they often permit the hacker to execute his own instructions on the vulnerable computer, essentially taking over the device — though Grunwald has not attempted that level of compromise on e-passport readers.

If a reader could be compromised using Grunwald’s technique, it might be reprogrammed to misreport an expired passport as a valid one, or even — theoretically — to attempt a compromise of the Windows-based border-screening computer to which it is connected.

He won’t name the vendors that make the readers he crashed, but says the readers are currently in use at some airport entry points. He says there’s no reason to believe that readers made by other vendors would be any more secure.

Most anyone with a little tech knowledge can figure this out too.  All you need to do is spend a little bit of time reading the manuals, posted for you on the International Civil Aviation Organization’s website.  ICAO is part of the United Nations and developed the technology.  Within a couple of weeks, you’ll have all the necessary knowledge to build your own RFID reader and clone a passport.

Creating a buffer overflow, however, can do more than just crash the system.  One could also execute their own code on the machine, with no one the wiser.  All you need to know is what system is running on the machine.
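The coding error behind a crash like the one described above comes down to a parser trusting a length that the chip declares. The following is an added example, not code from the original post, from Grunwald, or from any reader vendor; the record layout, tag value, buffer size and sample records are all hypothetical and constructed for illustration. It shows the two checks a reader has to make before copying a photo out of untrusted chip data into a fixed-size buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, for illustration only (not a real passport format):
 *   byte 0     tag (0x01 assumed to mean "photo")
 *   bytes 1-2  declared payload length, big-endian
 *   bytes 3..  payload (image bytes) */
#define PHOTO_TAG 0x01
#define PHOTO_MAX 64                 /* assumed fixed buffer inside the reader */

enum parse_result { PARSE_OK, ERR_SHORT_HEADER, ERR_BAD_TAG,
                    ERR_TRUNCATED, ERR_TOO_LARGE };

struct photo { uint8_t data[PHOTO_MAX]; size_t len; };

/* Copy the photo out of untrusted chip data. Dropping the two length checks
 * and letting memcpy() trust the declared length is the overrun bug. */
enum parse_result parse_photo(const uint8_t *in, size_t in_len, struct photo *out)
{
    if (in_len < 3)
        return ERR_SHORT_HEADER;
    if (in[0] != PHOTO_TAG)
        return ERR_BAD_TAG;

    size_t declared = ((size_t)in[1] << 8) | in[2];

    if (declared > in_len - 3)           /* more than was actually read */
        return ERR_TRUNCATED;
    if (declared > sizeof out->data)     /* more than the buffer can hold */
        return ERR_TOO_LARGE;

    memcpy(out->data, in + 3, declared);
    out->len = declared;
    return PARSE_OK;
}

/* Constructed sample records. */
static const uint8_t good_record[]  = { PHOTO_TAG, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t short_record[] = { PHOTO_TAG, 0x01, 0x00, 0xDE, 0xAD }; /* claims 256, carries 2 */
static const uint8_t big_record[3 + 200] = { PHOTO_TAG, 0x00, 0xC8 };        /* claims and carries 200 */
static struct photo sample_out;

int main(void)
{
    printf("good:  %d\n", parse_photo(good_record, sizeof good_record, &sample_out));
    printf("short: %d\n", parse_photo(short_record, sizeof short_record, &sample_out));
    printf("big:   %d\n", parse_photo(big_record, sizeof big_record, &sample_out));
    return 0;
}
```

A reader that rejects the malformed record with an error code, rather than crashing, also gives the operator something to log and act on.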

Over a year ago, Grunwald basically agreed with me that RFID in passports is worthless.

“The whole passport design is totally brain damaged,” Grunwald says. “From my point of view all of these RFID passports are a huge waste of money. They’re not increasing security at all.”

Now, you may believe that, if a passport causes a system to crash then the passport holder will be detained to verify their identity.  In reality, one of two things will happen:

1. The immigration official will look at your passport a little closer, think, “yep, it looks alright to me,” and let you pass, or

2. That particular station will shut down and everyone in that line will go to another line, whereby the passports cause the same problem as in example #1 and the passports are checked via humans.

Either way, the RFID passports will prove, yet again, that they’re useless; that is, unless you want to broadcast to the world that you’re an American and a target.

Since writing my last article and reading the news, there has been a complete 180 and the TSA is going to do just that.  The story is making its way around the world via the Internet as a “smile or else” theory as to what a person should do at the airport.

In what is being called “a new level of absurdity for America,” Newsweek warns us of new Behavior Detection Officers, trained by the TSA.

The Transportation Security Administration hopes to have as many as 500 Behavior Detection Officers on the job by the end of 2008.

In the study of “micro-expressions”—yes, it is actually a field of study and there are some who are arrogant enough to call it a science—it has been decided that when people wish to conceal emotions, the truth of their feelings is revealed in facial flashes. These experts have determined that fear and disgust are the key things to look for because they can hint of deception.

Yes, I am disgusted right now over the very idea of behavior detection officers, yet I would fear them if, for some reason, they pulled me aside at the airport.  Those two things alone will make me guilty of deception at the airport.  There are other people that have other reasons to be disgusted or fearful at the airport.

One could be fearful of flying, of people staring at them, of the big, burly men in tights sitting next to him.  One could also be disgusted at the airport for numerous reasons, including just getting off the phone with a spouse who pissed you off, being ripped off at the food counters, or missing your connecting flight because your first plane was late.  Now, however, if you’re not happy, you’re a target for the lovely behavior detection officers, and the worst part is, you won’t know who they are.

While there is dispute over the validity of microexpressions, there has been some research on the topic.  The problem with microexpressions is that you know nothing about a person other than they are angry or contemptuous.  This does not give you enough evidence to know what is in that person’s mind.  A Behavior Detection Officer’s inferences about you, as a stranger, will end up being guesswork and conjecture.

Learning microexpressions is an attempt to get away from racial profiling and gut feelings; however, these new officers will receive 16 hours of training before heading out into the field.  Remember, the TSA screeners are mostly still the same old ones as before, they just get paid more and had to watch a three-hour training video.  So, how much gut feeling will be removed from the face police is debatable.  Now, you’ve added more people, with little training, to detect something that lasts fractions of a second.

The face police, in place at more than a dozen U.S. airports already, aren’t identified as such. But the watcher could be at curbside baggage, the ticket counter or near the metal detectors and X-ray machines.

This policy is just ripe for abuse and people are going to end up being freaked out just entering an airport.  Of course, this makes anyone in law enforcement happy.  You must be freaking out because you are guilty of something.

We’ve all had crappy days.  We all get angry and upset.  I’ve yelled at my husband in an airport.  Now, if he pisses me off, it’s, get angry, deal with it, move on, get taken aside by the face police, or let it go, never talk about what just occurred, ignore my husband on vacation, and eventually call a divorce lawyer.  Okay, it’s exaggerating a little bit but I can assure you, the next time I fly, my husband and I will voluntarily choose not to speak at all, which will, eventually, also be cause for concern and we’ll both get pulled aside for questioning.

There is also the fact that anyone can be trained to hide their microexpressions.  This policy is going to do nothing but piss off regular people who are just having a bad day.

Here’s where it gets really absurd. Apparently, these Behavior Detection Officers work in pairs. One scenario is that an officer might move in to “help” a passenger retrieve their belongings after they’ve been screened. And then the officer will ask where the passenger is headed. If the passenger’s reaction sets off alarm bells in the officer’s well-trained mind, another officer will move in and detain them. Let’s be really clear here. If a stranger moved in on me like that, I’d tell that person to go to hell, throw in a few other expletives for good measure and probably give them the finger as I stomped off. Of course, I wouldn’t be stomping very far.

And that is exactly what I would do.  If some whack-job, be it in uniform or not, tried to “help” me, I’d probably hit them with my luggage.  Again, I’d be sitting in a little room, all alone, very soon after as I now have no idea who these officers are.

While trying to look at this system as a better way to handle security so I can carry some water and shampoo without being hassled, the TSA has already proved itself irresponsible, inept, and incapable of human decency.  Why should we think that a TSA employee with 16 hours of training is going to be a highly trained individual?

We have also seen that good ol’ paying attention isn’t as bad as everyone thinks it is.

While we need to do something about security at the airport, I don’t believe this is the right way to go.  It gives too much license to the Behavior Detection Officer to pull people aside for any reason.  Microexpressions last for far too short a time to be disputed by video evidence later on.  On the flip side, they already pull people over for whatever reason they want now, whether it’s a pretty girl or a Middle Eastern looking man.

The fact is, 9/11 is, most likely, the last of its kind.  It takes immense preparation and all the security focus in America is on airports and airlines.  The terrorists have long changed their tactics (see London car bombs).  The fact is, on 9/11, boxcutters were already illegal.  The suggested, and correct, answer to the problem of terrorists on the plane was, and still is, hardened cockpit doors and more air marshals.  However, if we did that, we couldn’t intrude on everyone who wants to fly, innocent or not.

Great plan by the government.  Appearance of security is everything.  Their true intent is to terrorize and intimidate Americans and instill fear in them.  Keep making me take my shoes off too while you ignore the screening of cargo.  Now, I am tempted to break the rules to prove a point.  To the Behavior Detection Officers, I look forward to sitting in your little white rooms very soon.

New changes in passenger screening will include the TSA taking over control of checking domestic passenger lists against watch lists, removing the airlines from that responsibility.

For international flights, air carriers flying to and from the United States will have to provide manifest information about passengers — either 30 minutes before departure or as each passenger checks in.

That information would then be checked against watch lists. Previously, the federal government was not receiving that information until planes were en route.

Passengers, however, will still be unable to see why they are subjected to extensive searches or kept off flights, or to attempt to rectify incorrect information about themselves.

The DHS claims that airlines weren’t performing these tasks consistently or effectively, forcing them to take over control of the operations.

Chertoff, during his press conference, defended the program. “I want to be very straightforward about this: Secure Flight will not do any harm to personal privacy,” he said. “It’s not going to rely on collecting commercial data; it’s not going to assign a risk score to passengers; it’s not going to try to predict behavior. It’s only designed to collect a minimum amount of personal identifying information so that we can do an effective job of matching the traveler to a person whose name and identity is on a watch list.”

They have done such a bang-up job until now that they will revamp their Secure Flight program, eliminating the assignment of risk scores to passengers and the use of predictive behavior technology.

None of this is intended to protect you.  It’s intended to scare you into believing that you should relinquish your rights so that they can “save and protect” you.  In the next 15-20 years, no one is going to understand what life was like before the government got into the protection business.  Just try asking a teenager today what life would be like without a cell phone.

The scam lives on.  Cargo is still not scanned.  Terrorists are still slipping onto planes.  Non-metallic weapons strapped to your legs are not going to be picked up.  It’s still the same illusion they’ve been feeding us for the past six years.  We haven’t learned a thing and we’ve given up our hard-fought privacy.
