By Spencer Ackerman | August 25, 2010

BAGRAM AIR FIELD, Afghanistan — Don’t think of the U.S. military’s new Detention Facility In Parwan as just a holding pen for suspected insurgents. It’s also an emerging datafarm, storing biometric information on its inmate population. In a country with a shaky commitment to the rule of law, those identifiers could become weapons.

Parwan, with its thousand-or-so detainee population, will become an Afghan-run detention complex next year. By 2014, it’ll become a major Afghan jail, run by the Ministry of Justice to incarcerate convicted criminals, not hold insurgents taken off the battlefield. But Army Brigadier General Mark Martins, who currently runs day-to-day operations at the detention center, explains that there’s a basic problem with Afghanistan’s criminal justice system: It doesn’t have a efficient information infrastructure to identify the people it holds. That’s where he comes in.

Every detainee who comes into Parwan leaves basic information with the Detainee Services Branch during in-processing: Name; father’s name; residence. A mark of any identifying scars, marks or tattoos. Residence of record. After a shower and a medical exam, the DSB scans their irises and collects prints from all of their fingers, rolling their thumbs for a 360-degree view. Its cameras snap five photographs of every detainee’s face. All of this information goes into a military database called the Automated Biometric Information System.

Troops in the field can access the system through a set of portable consoles that the DSB has on hand. The Biometrics Automated Toolset, or BAT, allows troops who detain insurgents on the battlefield to get a quick biometric identification of who they’ve captured, all through talking to the database. One clunky component of it, the Handheld Interagency Identity Detection System (HIIDE), which looks like a big black FunSaver, takes pictures of a captive’s irises, facial features and fingerprints. BATS and HIIDE were used in Iraq, where counterinsurgents like David Kilcullen praised the devices for allowing troops to quickly and positively identify known insurgents during the surge.

But any detective will tell you that a database is only as good as the data it contains. And after 30 years of war, Afghanistan isn’t really in the data-collection game. The U.S. military’s detentions command, known as Joint Task Force-435, is working with the Afghan Ministry of Interior to kick-start an up-to-date records program.

Martins says he and the ministry want “enrollments on 15 percent of fighting-age males,” Afghans between the ages of 14 and 49.  Studies that he’s seen convince him that 15 percent represents a Gladwellian tipping point, allowing the U.S. and the Afghans to match exponentially more latent fingerprints off homemade bombs to Afghans in the system.

But that means biometric information about one million people. And the easiest way to get this information is by locking up a whole lot of Afghans and collecting it against their will, one of the reasons that human rights advocates are wary about the U.S.’s plans to turn over Parwan to the Afghans.

In Iraq, privacy advocates raised similar concerns about weaponizing the biometrics database — essentially, turning it into a military hit list. Afghanistan is filled with corruption, fraud and malicious police officers. Its commitment to the rule of law is, to be charitable, immature. In such a circumstance, a counterinsurgency tool like the biometric database just as easily become predatory, allowing its possessors to take out their political or ethnic rivals and reward their allies. If theWikiLeaks disclosures put Afghans in danger, imagine what iris scans and fingerprints could mean for people who don’t want to pay bribes to crooked cops.

“That’s a policy-significant issue,” Martins admits, “Who holds the data?” According to an October memorandum signed by the U.S. and Afghan governments, the Afghans will. The U.S. might see its collected records become the “biometric component of a national ID” Martins says, good for property ownership records, establishing credit lines and other economic behavior. But first, the biometrics database will be “MOI’s data,” in the hands of the security services — the legacy of ten years of U.S. detention operations in Afghanistan.

Credit: DoD Biometrics

Posted by Howard A. Schmidt to the White House Blog – on June 25, 2010 at 02:00 PM EDT

Cyberspace has become an indispensible component of everyday life for all Americans.  We have all witnessed how the application and use of this technology has increased exponentially over the years. Cyberspace includes the networks in our homes, businesses, schools, and our Nation’s critical infrastructure.  It is where we exchange information, buy and sell products and services, and enable many other types of transactions across a wide range of sectors. But not all components of this technology have kept up with the pace of growth.  Privacy and security require greater emphasis moving forward; and because of this, the technology that has brought many benefits to our society and has empowered us to do so much — has also empowered those who are driven to cause harm.

Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC).  This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.). Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.

The Department of Homeland Security (DHS), a key partner in the development of the strategy, has posted the draft NSTIC at www.nstic.ideascale.com. Over the next three weeks (through July 19^th), DHS will be collecting comments from any interested members of the general public on the strategy. I encourage you to go to this website, submit an idea for the strategy, comment on someone else’s idea, or vote on an idea. Your input is valuable to the ultimate success of this document. The NSTIC will be finalized later this fall.

Howard A. Schmidt is the Cybersecurity Coordinator and Special Assistant to the President

The Phnom Penh Post
Chrann Chamroeun and Mom Kunthear

Police arrest group after catching one suspect wearing a fake two-star general’s uniform

SEVEN people were sent to Ratanakkiri provincial court on Wednesday after they were found with forged government documents and fake military police uniforms, a provincial military police chief told the Post.

Tuy Sim, Ratanakkiri provincial Military Police chief, said his officials had arrested the group after one of its members was caught wearing a fake general’s uniform.

——————————————————————————–
…when he began to panic they suspected him and took them to the police station.
——————————————————————————–

“Our men had lunch with [one of the suspects] and he was wearing casual clothes, and then later in the day they saw him wearing a two-star general’s military police uniform travelling to a pagoda in a Mitsubishi car with six other people,” Tuy Sim said.

He added that upon raiding the car, police found a gun, four other uniforms and forged documents, including one with the signature of Prime Minister Hun Sen and another that was signed by Minister of Agriculture Chan Sarun.

“They asked him for his name and which unit he came from, and when he began to panic, they suspected him and took them to the police station,” he said.

Illegal logging suspected
Pen Bonnar, provincial coordinator for the rights group Adhoc, told the Post Wednesday that he welcomed the arrests because he believed the group was likely involved in illegal logging.

“I request that authorities further investigate the group, as we have found that a lot of people who have fake police uniforms and forged documents are involved in illegal logging.”

By Jonathan Kent,  BBC News, Kuala Lumpur

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner’s finger to get round the vehicle’s hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

Accountant K Kumaran’s ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb.

The gang, armed with long machetes, demanded the keys to his car.

It is worth around $75,000 second-hand on the local market, where prices are high because of import duties.

Stripped naked

The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off.

But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner’s fingerprint to disarm it.

They stripped Mr Kumaran naked and left him by the side of the road – but not before cutting off the end of his index finger with a machete.

Police believe the gang is responsible for a series of thefts in the area.

Submitted by MacRonin on December 13, 2009 – 7:00pm

Real ID Follies Continue with PASS ID Waiting in the Wings: Via EFF.org Updates.

Since 2007, the U.S. State Department has been issuing high-tech “e-passports,” which contain computer chips carrying biometric data to prevent forgery. Unfortunately, according to a March report from the Government Accountability Office (GAO), getting one of these supersecure passports under false pretenses isn’t particularly difficult for anyone with even basic forgery skills.

As 2009 draws to a close, we’re inching ever deeper into the corner that Congress painted us into by passing Real ID under the table in 2005. (Recall that Real ID is the failed, Bush-era attempt to turn state drivers licenses into national ID cards by forcing states to collect and store licensee data in databases, and refusing to accept non-compliant IDs for federal purposes, like boarding a plane or entering a federal building.)

The official deadline for states to comply with the Department of Homeland Security’s (DHS) final Real ID rule is December 31, 2009, and an estimated 36 states will not be in compliance by then, leading to some ambiguity for many citizens. For example, will residents of Montana be able to board planes in January 2010 with only a driver’s license (a state-supplied, technically non-compliant document) and without a passport (an identity document issued by the federal government)?

Past history strongly suggests that DHS will issue last-minute waivers to states that have not amped up their drivers licenses to adhere to Real ID. Early in 2008, states that actively opposed Real ID received waivers from DHS, nominally marking the states as “compliant” despite strongly-stated opposition to ever implementing Real ID.

But waiting in the wings is PASS ID, a bill that attempts to grease the wheels by offering money to the states to implement ID changes. Despite having the appearances of reform, PASS ID essentially echoes Real ID in threatening citizens’ personal privacy without actually justifying its impact on improving security. For this reason, PASS ID is not popular — privacy advocates refuse to support the bill because it still creates a national ID system. It still mandates the scanning and storage of applicants’ critical identity documents (birth certificates, visas, etc.), which will be stored in databases that will become leaky honeypots of sensitive personal data — prime targets for malicious identity thieves or otherwise accessible by individuals authorized to obtain documents from the database. And on the other side, short-sighted surveillance hawks are unhappy with the bill because they support the privacy violations architected into the provisions of the original Real ID Act.

As such, advocates of PASS ID are publicly wringing their hands over the deadline in order to encourage Congress to approve the PASS ID Act before the end of the year. But the fracas over health reform is suffocating any chance for meaningful debate about the merits of PASS ID before the Dec. 31st deadline.

A pragmatic analysis should show that Real ID is dead. To date, 24 states have enacted resolutions or binding legislation prohibiting participation in Real ID, and the varied, desperate efforts to reanimate it are misguided. Whether the states or the federal government signs the invoice, the cost ultimately falls to taxpayers, who should be troubled that neither Real ID nor PASS ID is likely to fulfill the stated goal of stopping terrorists from obtaining identity documents. (Just this week, noted security expert Bruce Schneier linked to a report about government investigators successfully using fake identity documents to obtain high-tech “e-passports,” which were then used to buy plane tickets, and board flights — the point being that a fancy, “secure” identity document doesn’t stop individuals from exploiting a weak bureaucracy.)

On the other hand, the resulting databases filled with scanned identity documents will, create tantalizing targets for identity thieves and headaches for people whose digital documents are pilfered; and a national ID system will invite mission creep from the government as well as private entities like credit reporting agencies and advertisers. It’s high time for reason to replace the reflexive defense of a failed scheme. Congress should repeal Real ID for real and seek more inspired, protective solutions to identity document security.

By STEWART M. POWELL and SUSAN CARROLL Copyright 2009 Houston Chronicle

WASHINGTON — Some illegal immigrants with stolen Social Security numbers are able to gain clearance for employment in the United States even after being checked through the federal government’s pioneering online E-Verify system, senators and the Migration Policy Institute warned Tuesday.

The senators, led by Chuck Schumer, D-N.Y., and John Cornyn, R-Texas, and the well-known think tank said the loophole must be closed before Congress undertakes comprehensive immigration reform and before the Department of Homeland Security requires federal contractors and recipients of economic stimulus funds to use the federal employment verification system.

“The American public will not put faith in us again if we pass immigration reform without an effective, accurate and enforced employer verification program,” declared Cornyn, a member of the Senate Judiciary Committee panel with jurisdiction over immigration, border security and citizenship.

Schumer called for 10 improvements to existing employee verification, led by requiring biometric proof of identity such as fingerprints or enhanced face-reading biometric photographs.

‘Gaping hole’ in E-Verify

The current E-Verify system is “an example of a half hearted and flawed system,” Schumer said at the subcommittee hearing, noting that it does not prevent an illegal immigrant from using the name, Social Security number and address of a U.S. citizen.

Marc Rosenblum, a senior policy analyst with the nonpartisan Migration Policy Institute, based in Washington, D.C., said a “gaping hole” in E-Verify fails to detect identity fraud.

The voluntary E-Verify system enables employers to submit the names and Social Security numbers of prospective hires to the Department of Homeland Security and the Social Security Administration to verify immigration and employment status.

A total of 137,463 employers are using E-Verify from 517,000 employment sites, including 7,043 employers in Texas.

The program is about to expand to require mandatory E-Verify employment checks by private companies awarded government contracts and firms receiving money from the $787 billion economic stimulus package.

Mike Aytes, acting deputy director of the U.S. Citizenship and Immigration Services agency that handles E-Verify, told the committee federal authorities are working to provide prospective employers identification photographs beyond just the photographs generated by immigration agencies to help employers verify applicants’ identities.

“This would represent a significant enhancement to the system, since new hires most often present a driver’s license for (employment eligibility verification) purposes,” Aytes said.

Posted By Mark Roberti, 10.28.2009

RFID JOURNAL BLOG

An international civil society coalition has published a declaration,Global Privacy Standards for a Global World, that—among other things—calls for “a moratorium on the development or implementation of new systems of mass surveillance, including facial recognition, whole body imaging, biometric identifiers and embedded RFID tags, subject to a full and transparent evaluation by independent authorities and democratic debate.”
The declaration is signed by 68 organizations from around the world. While I agree with the coalition’s goal to assure individuals’ privacy, I’m amazed that the group has such a shallow understanding of the nature of technology and its role in furthering the welfare of the human race. Perhaps it pines for the days when people lived in caves, and no one worried about privacy.

The problem is that these organizations have a bias that some technologies are good and some are bad. They believe the ones they declare to be good should be funded by the government and promoted, while the ones they think are bad should be halted until they can be studied and sufficient safeguards can be put in place.

Technologies are neither good nor evil, however. They are tools that can be used for good or evil. It might seem to make sense to call for a moratorium on technology, but who chooses which technologies we should hold off using until they are studied? Should we have a moratorium on any technology that removes carbon dioxide from the atmosphere, for example? My guess is that the organizations that signed the civil society declaration would say no, because anything that reduces carbon dioxide would reduce global warming and would, thus, be a “good” technology.

Renowned physicist Freeman Dyson, however, argues that more carbon dioxide and warmer climates are actually healthy for plants, because they grow better in such conditions, and that could lead to greater food production and less hunger in the world. He also points out that forcing a massive reduction in carbon emissions would slow global economic growth and hurt the world’s poor.

Even if you disagree with Dyson, the reality is that we don’t know what the result of carbon-reducing technologies would be, any more than we know precisely what the impact of global warming will be. So perhaps we should put a moratorium on efforts to reduce carbon dioxide in the atmosphere until we can conclusively prove that it would be good for the planet. Ridiculous? Of course it is—but no more ridiculous than banning any other technology until we understand its every ramification.

The fact is, enacting a moratorium on technology means ending technological advancement as we know it, because you can’t know the implications of a technology until you deploy it. If we had put a moratorium on the deployment and use of the Internet, would the people who studied it have envisioned the rise of social networking and come up with ways to protect privacy while allowing them to flourish? No, of course not—no one saw the phenomenon of social networking coming. Governments must allow technologies to be deployed and address problems as they arise. If we had done with the Internet what these groups are suggesting for RFID, there would be no Internet today—we’d still be studying its implications—and while there would have been greater privacy in the world, no one can argue the world would be better off.

The declaration’s description of RFID as a “mass surveillance” technology betrays the signatories’ bias. RFID could potentially be used as a surveillance technology, but that is definitely not how most companies are looking to deploy it (unless you consider asset- and inventory-tracking “surveillance”). Perhaps these groups are ignorant of the way RFID is being utilized, but I think there’s more to it than that: The people behind this civil society declaration just aren’t thinking very deeply about the issues.

These groups think privacy is good, and that any technology that could infringe on privacy is bad—and that’s a very simplistic view. Surveillance cameras are being used increasingly by governments around the world, and by retailers to reduce theft. These can be abused. Governments can, for instance, use cameras to track political enemies. But what if cameras bring down the overall crime rate in a troubled urban area, and enjoy the wholehearted support of those who live in that area? Are the cameras bad? Should they be removed, as the coalition suggests, until every possible implication of their use can be fully studied?

What if, heaven forbid, the daughter of one of the people behind the declaration were kidnapped on a street corner, or in the parking lot of a shopping mall? Would that person argue that the police should not review the tapes to see if the kidnapper could be identified, because other people might be identified as well, and that it would infringe on their privacy? If the tapes did reveal the identity of the kidnapper and the girl was rescued, would the signer still argue that there should be a moratorium on such surveillance technologies?

Technology issues are simple when you view them through the prism of your own biases, but the reality is that these issues are far more complex than opponents imagine, and it’s laughable to think a bunch of people can sit around and determine how or when new technologies should be used for the benefit of all mankind (Prometheus, after all, never anticipated that there would be arsonists). Let’s hope, for the good of humanity, that the calls for a moratorium go unanswered.

Mark Roberti is the founder and editor of RFID Journal.

Rubenstein Associates

Peter Pochna, 212-843-8007

ppochna@rubenstein.com

or Fordham Law School

www.fordham.law.edu

Fordham Law Study Determines that State Educational Databases Violate Privacy Rights

NEW YORK–(Business Wire)–

The Center on Law and Information Privacy (CLIP) at Fordham Law School released a study today that found state educational databases across the country ignore key privacy protections for the nation`s K – 12 children. The findings come as Congress is considering legislation that would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states` electronic warehouses of children`s information.

CLIP found that sensitive, personalized information related to matters such as teen pregnancies, mental health, and juvenile crime is stored in a manner that violates federal privacy mandates. CLIP reports that at least 32% of states warehouse children`s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health,illness, and jail sentences as part of the children`s educational records. Also,almost all states with known programs collect family wealth indicators.

Some states outsource the data processing without any restrictions on use or confidentiality for K- 12 children`s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives.

“If these issues are not addressed, the results could be catastrophic from a privacy perspective,” said Joel Reidenberg, a professor at Fordham Law School and the founding director of CLIP. “We don`t question the legitimacy of collecting data for school accountability, but we urge Congress and state officials to take rapid steps to ensure the data is collected and stored properly and used in compliance with established privacy laws and principles.”

CLIP launched the study in 2008 because state departments of education throughout the country had recently established statewide longitudinal databases to track all K-12 students` progress over time. The trend has been accompanied by a movement to create uniform data collection systems so that each state`s student data systems can be interoperable.

Often the flow of information from the local educational agency to the state department of education was not in compliance with the privacy requirements of the Family Educational Rights and Privacy Act. One state, New Jersey, diverts special education Medicaid funding to pay for an out-of-state contractor to warehouse data, including medical test results. Many states do not have clear access and use rules regarding their longitudinal databases and over 80% of states apparently fail to have data-retention policies and, thus, are likely to hold student information indefinitely. Several states, like Montana, outsource the data warehouse without stipulating privacy protections in the vendor contract. Other states, such as Louisiana and Florida, track a long list of disciplinary matters that could remain on students` records indefinitely.

Even so, House Bill 3221, or the Student Aid and Fiscal Responsibility Act, contains a section that calls for the expansion and further integration of these databases without addressing these privacy concerns. A Senate version of the bill is expected to be released from committee shortly.

“The CLIP study meticulously documents the states` disregard for safeguarding children`s most personal data,” said Barmak Nassirian, Associate Executive Director, American Association of Collegiate Registrars and Admissions Officers. “And yet Congress is poised to fund an ill-thought-through expansion of these systems to include data ranging from pre-birth medical information to education, employment, military, and criminal records.”

The study makes several recommendations for increasing the privacy, transparency and accountability of the databases. These include:

1) Data at the state level should be made anonymous through the use of dual-database architectures.

2) Third party processors of educational records should have comprehensive agreements that explicitly address privacy obligations.

3) The collection of information by the state should be minimized and specifically tied to an articulated audit or evaluation purpose.

4) Clear data-retention policies should be instituted and made mandatory.

5) States should have a Chief Privacy Officer in the department of education who assures that privacy protections are implemented for any educational record database and who publicly reports privacy impact assessments for database programs, proposals, and vendor contracts.

The full report is available at  http://law.fordham.edu/childrensprivacy.

ABOUT THE CENTER ON LAW AND INFORMATION POLICY: With the increasing societal reliance on information technology and rapidly outdated laws, Fordham recognized an evolution in the regulatory challenges facing the global information-based economy. In response to these changes, the Center on Law and Information Policy (CLIP) was founded in 2005 to be on the cutting edge of scholarship and legal education in the emerging field of information law. Learn more: http://law.fordham.edu/clip.

ABOUT FORDHAM LAW SCHOOL: Fordham Law is a vibrant academic community dedicated equally to scholarship, the craft of lawyering, and public service. A leader in American legal education, Fordham Law has earned widespread acclaim and is one of the 15 most selective schools in the nation, measured in terms of the LSAT scores of its most recent graduating class. With a virtually unrivaled record of graduate placement, Fordham Law is one of the top seven law schools measured in

terms of graduates working at the top 25 law firms in the country. The

school-located across the street from Lincoln Center in Manhattan-is only blocks away from Central Park, Times Square, and many of New York City`s most interesting neighborhoods. Learn more: law.fordham.edu.

ABOUT FORDHAM UNIVERSITY: Founded in 1841, Fordham is the Jesuit University of New York, offering exceptional education distinguished by the Jesuit tradition to approximately 14,700 students in its four undergraduate colleges and its six graduate and professional schools. It has residential campuses in the Bronx and Manhattan, a campus in Westchester, and the Louis Calder Center Biological Field Station in Armonk, N.Y.

George Lekakis |  From:Herald Sun |  Tue Oct 20 00:00:00 EST 2009 Tue Oct 20 00:00:00 EST 2009

AUSTRALIA Post is introducing new technology that will enable staff at its 4443 retail outlets to take fingerprints, biometric scans and digital signatures from customers applying for bank accounts, passports and other services.

The Government-owned corporation is secretly testing the Big Brother technology at 25 outlets after its directors approved funding for the project at a March board meeting.

Documents seen by the Herald Sun show Australia Post plans to install the data capture equipment at 375 outlets by the end of June followed by another 400 in 2011.

Trials for the “Identification Services Program Project” are being held at 25 Australia Post-owned outlets in NSW and Western Australia, but the corporation is also planning to install the technology at 2000 privately managed post offices nationwide.

Privacy advocates are worried the new system may create fresh opportunities for organised criminals to exploit weaknesses in the network.

If state and federal governments approve the plan, Australia Post would become the first local organisation allowed to take digital fingerprints for commercial purposes. The power is limited to law enforcement agencies, the courts, spy agencies and the defence force.

Even though the project has been under development for more than six months, the corporation has kept a tight lid on it. There was no specific disclosure about it in Australia Post’s annual report tabled in Federal Parliament last week.

Australia Post spokesman Alex Twomey confirmed fingerprinting capabilities would be introduced over the next two years and that staff would be trained in protocols for storing and transmitting customer information.

“Fingerprint information will be stored for six hours at the outlet and then transferred for storage at a central Australia Post database,” he said. “Under agency agreements, we would then be required to wipe the information after it was sent to government departments or other corporate clients.”

Privacy groups said yesterday they were horrified.

The chairman of the Australian Privacy Foundation, Dr. Roger Clarke, said: “I’m appalled by them appearing to get this technology off the ground without any public scrutiny.

“These types of initiatives are just too important to introduce without public discussion.”

Dr Clarke said securing fingerprints and other data across such a large retail network was a major concern.

“When we’re talking about 4000 outlets, many of which are privately owned, it’s difficult to design a system that will protect all information,” he said.