While I’m gone

So I am in Austin… again… but while I have nothing interesting to say, check out what security guru Bruce Schneier has to say about fighting stupid invasions of privacy and security.


From: Bruce Schneier
To:
Date: Tue Jul 15, 2003 07:09:25 AM EDT
Subject: CRYPTO-GRAM, July 15, 2003

CRYPTO-GRAM

July 15, 2003

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@c…

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.

Back issues are available at
. To subscribe, visit
or send a blank message
to crypto-gram-subscribe@c…

Copyright (c) 2003 by Counterpane Internet Security, Inc.

How to Fight

I landed in Los Angeles at 11:30 PM, and it took me another hour to get
to my hotel. The city was booked, and I was lucky to get a reservation
where I did. When I checked in, the clerk insisted on making a
photocopy of my driver’s license. I tried fighting, but it was no
use. I needed the hotel room. There was nowhere else I could go. The
night clerk didn’t really care if he rented the room to me or not. He
had rules to follow, and he was going to follow them.

My wife needed a prescription filled. Her doctor called it in to a
local pharmacy, and when she went to pick it up the pharmacist refused
to fill it unless she disclosed her personal information for his
database. The pharmacist even showed my wife the rule book. She found
the part where it said that “a reasonable effort must be made by the
pharmacy to obtain, record, and maintain at least the following
information,” and the part where it said: “If a patient does not want a
patient profile established, the patient shall state it in writing to
the pharmacist. The pharmacist shall not then be required to prepare a
profile as otherwise would be required by this part.” Despite this,
the pharmacist refused. My wife was stuck. She needed the
prescription filled. She didn’t want to wait the few hours for her
doctor to phone the prescription in somewhere else. The pharmacist
didn’t care; he wasn’t going to budge.

I had to travel to Japan last year, and found a company that rented
local cell phones to travelers. The form required either a Social
Security number or a passport number. When I asked the clerk why, he
said the absence of either sent up red flags. I asked how he could
tell a real-looking fake number from an actual number. He said that if
I didn’t care to provide the number as requested, I could rent my cell
phone elsewhere, and hung up on me. I went through another company to
rent, but it turned out that they contracted through this same company,
and the man declined to deal with me, even at a remove. I eventually
got the cell phone by going back to the first company and giving a
different name (my wife’s), a different credit card, and a made-up
passport number. Honor satisfied all around, I guess.

It’s stupid security season. If you’ve flown on an airplane, entered a
government building, or done any one of dozens of other things, you’ve
encountered security systems that are invasive, counterproductive,
egregious, or just plain annoying. You’ve met people — guards,
officials, minimum-wage workers — who blindly force you to follow the
most inane security rules imaginable.

Is there anything you can do?

In the end, all security is a negotiation among affected players:
governments, industries, companies, organizations, individuals,
etc. The players get to decide what security they want, and what
they’re willing to trade off in order to get it. But it sometimes
seems that we as individuals are not part of that
negotiation. Security is more something that is done to us.

Our security largely depends on the actions of others and the
environment we’re in. For example, the tamper resistance of food
packaging depends more on government packaging regulations than on our
purchasing choices. The security of a letter mailed to a friend
depends more on the ethics of the workers who handle it than on the
brand of envelope we choose to use. How safe an airplane is from being
blown up has little to do with our actions at the airport and while on
the plane. (Shoe-bomber Richard Reid provided the rare exception to
this.) The security of the money in our bank accounts, the crime rate
in our neighborhoods, and the honesty and integrity of our police
departments are out of our direct control. We simply don’t have enough
power in the negotiations to make a difference.

I had no leverage when trying to check in without giving up a photocopy
of my driver’s license. My wife had no leverage when she tried to fill
her prescription without divulging a bunch of optional personal
information. The only reason I had leverage renting a phone in Japan
was because I deliberately sneaked around the system. If I try to
protest airline security, I’m definitely going to miss my flight and I
might get myself arrested. There’s no parity, because those who
implement the security have no interest in changing it and no power to
do so. They’re not the ones who control the security system; it’s best
to think of them as nearly mindless robots. (The security system
relies on them behaving this way, replacing the flexibility and
adaptability of human judgment with a three-ring binder of “best
practices” and procedures.)

It would be different if the pharmacist were the owner of the pharmacy,
or if the person behind the registration desk owned the hotel. Or even
if the policeman were a neighborhood beat cop. In those cases, there’s
more parity. I can negotiate my security, and he can decide whether or
not to modify the rules for me. But modern society is more often
faceless corporations and mindless governments. It’s implemented by
people and machines that have enormous power, but only power to
implement what they’re told to implement. And they have no real
interest in negotiating. They don’t need to. They don’t care.

But there’s a paradox. We’re not only individuals; we’re also
consumers, citizens, taxpayers, voters, and — if things get bad enough
— protestors and sometimes even angry mobs. Only in the aggregate do
we have power, and the more we organize, the more power we have.

Even an airline president, while making his way through airport
security, has no power to negotiate the level of security he’ll receive
and the tradeoffs he’s willing to make. In an airport and on an
airplane, we’re all nothing more than passengers: an asset to be
protected from a potential attacker. The only way to change security
is to step outside the system and negotiate with the people in
charge. It’s only outside the system that each of us has power:
sometimes as an asset owner, but more often as another player. And it
is outside the system that we will do our best negotiating.

Outside the system we have power, and outside the system we can
negotiate with the people who have power over the security system we
want to change. After my hotel stay, I wrote to the hotel management
and told them that I was never staying there again. (Unfortunately, I
am collecting an ever-longer list of hotels I will never stay in
again.) My wife has filed a complaint against that pharmacist with the
Minnesota Board of Pharmacy. John Gilmore has gone further: he hasn’t
flown since 9/11, and is suing the government for the constitutional
right to fly within the U.S. without showing a photo ID.

Three points about fighting back. First, one-on-one negotiations —
customer and pharmacy owner, for example — can be effective, but they
also allow all kinds of undesirable factors like class and race to
creep in. It’s unfortunate but true that I’m a lot more likely to
engage in a successful negotiation with a policeman than a black person
is. For this reason, more stylized complaints or protests are often
more effective than one-on-one negotiations.

Second, naming and shaming doesn’t work. Just as it doesn’t make sense
to negotiate with a clerk, it doesn’t make sense to insult
him. Instead say: “I know you didn’t make the rule, but if the people
who did ever ask you how it’s going, tell them the customers think the
rule is stupid and insulting and ineffective.” While it’s very hard
to change one institution’s mind when it is in the middle of a fight,
it is possible to affect the greater debate. Other companies are
making the same security decisions; they need to know that it’s not
working.

Third, don’t forget the political process. Elections matter; political
pressure by elected officials on corporations and government agencies
has a real impact. One of the most effective forms of protest is to
vote for candidates who share your ideals.

The more we band together, the more power we have. A large-scale
boycott of businesses that demand photo IDs would bring about a
change. (Conference organizers have more leverage with hotels than
individuals. The USENIX conferences won’t use hotels that demand ID
from guests, for example.) A large group of single-issue voters
supporting candidates who worked against stupid security would make a
difference.

Sadly, I believe things will get much worse before they get
better. Many people seem not to be bothered by stupid security; it
even makes some feel safer. In the U.S., people are now used to
showing their ID everywhere; it’s the new security reality
post-9/11. They’re used to intrusive security, and they believe those
who say that it’s necessary.

It’s important that we pick our battles. My guess is that most of the
effort fighting stupid security is wasted. No hotel has changed its
practice because of my strongly worded letters or loss of
business. Gilmore’s suit will, unfortunately, probably lose in
court. My wife will probably make that pharmacist’s life miserable for
a while, but the practice will probably continue at that chain
pharmacy. If I need a cell phone in Japan again, I’ll use the same
workaround. Fighting might brand you as a troublemaker, which might
lead to more trouble.

Still, we can make a difference. Gilmore’s suit is generating all
sorts of press, and raising public awareness. The Boycott Delta
campaign had a real impact: passenger profiling is being revised
because of public complaints. And due to public outrage, Poindexter’s
Terrorism (Total) Information Awareness program, while not out of
business, is looking shaky.

When you see counterproductive, invasive, or just plain stupid
security, don’t let it slip by. Write the letter. Create a Web
site. File a FOIA request. Make some noise. You don’t have to join
anything; noise need not be more than individuals standing up for
themselves.

You don’t win every time. But you do win sometimes.

Privacy International’s Stupid Security Awards:

Stupid Security Blog:

Companies Cry ‘Security’ to Get A Break From the Government:

Gilmore’s suit:

Relevant Minnesota pharmacist rules:

How you can help right now:

Tell Congress to Get Airline Security Plan Under Control!

TIA Update: Ask Your Senators to Support the Data-Mining Moratorium Act
of 2003!

Congress Takes Aim at Your Privacy

Total Information Awareness: Public Hearings Now!

Don’t Let the INS Violate Your Privacy

Demand the NCIC Database Be Accurate

Citizens’ Guide to the FOIA