Oklahoma DPS Commissioner Thompson’s Testimony on REAL ID

 

Kaye Beach

Nov. 28, 2015

This is the testimony of the third speaker at the REAL ID Study held by Rep. Lewis Moore and Rep. Bob Cleveland at the Oklahoma state capitol on Nov. 18, 2015.

Unfortunately no official recording was made so I have taken the trouble to transcribe the  Commissioner’s entire testimony, word for word, for the benefit of those who could not attend the meeting in person.

My next post will be the transcription from the Question and Answer portion of the meeting.

To prevent confusion that may arise from reading this testimony, please note that some the references made by the Commissioner indicating points raised by Howard Houchen and myself, were not actually points we made. (We were puzzled by his references too)

At the Nov. 18th study, none of the speakers suggested that fingerprints or social security numbers could be retrieved from the face of our driver’s license and no one mentioned  “computer chips” on the license or ID card but these were the main issues addressed by Commissioner Thompson in his testimony. Perhaps they were issues raised to him privately or from a previous meeting.

It is understandable that the Commissioner would want to put any such concerns to rest.  What is unimaginable to me is that the Commissioner of the Department of Public Safety apparently does not understand the difference between a photo of a person that exists and a government collected and retained biometric photo.   These two things are quantifiably not the same and the implications of the difference between the two is enormous.

As Professor Laura K. Donahue, who did an exhaustive research paper in 2012 on the growing number of federal programs that are developing their ability to use remote biometric ID, has repeatedly emphasized,

“The level of intrusiveness represents something different in kind—not degree—from what has come before.”

Of course, if no one can agree on the basic facts of the matter, the debate slams shut.

On to the transcript:

Testimony of Department of Public Safety Commissioner, Michael C. Thompson, Nov. 18, 2015, Oklahoma State Capitol, Rm 206, REAL ID Study:

“First off I just want to say the purpose for us, here at DPS, is, uh,  we don’t have an agenda in this discussion. Our sole purpose in this is to provide accurate information to you as legislators to make the difficult decisions you have to make.  …Whether the state of Oklahoma moves forward with implementation of REAL ID or whether it doesn’t that isn’t anything DPS controls.

Unlike Ms. Beach, and I respect her passion and interest in this subject, I personally believe that there are going to be consequences if we don’t comply with REAL ID.

Currently we are, do have an extension through October 2016. Once that extension expires and we’re not down the road to complying with this, I do believe at some point we are going to have consequences. I strongly believe that and I know some people don’t.  And one of them will include getting on an airplane which seems to be kind of a trivial matter but if you want to go to Kansas City to watch the Big Twelve Championship, you are going to have to have a passport.  If these ah these conditions are not fully implemented and if you do get a passport its $110 and you are giving all your information to the federal government so, for me, just, I don’t fully understand the resistance to it but I’m not disrespecting anyone’s opinion on this because the last thing I’m going to do is come in here and be impolite.

Last month, in October, Randy Rogers and Jeff Hankins sat in here to give you interim study about REAL ID and they thought that they did a great job and answered all your questions and I was very surprised later to find out that you weren’t satisfied with the responses that they gave you based upon some independent research that you did.  So the three points that you had strong concerns about, let me just address those first off … I believe there was a strong concern about fingerprints, computer chips and social security numbers.

I’ll start with the one that probably raises the most eyebrows, computer chips. There is no requirement or no plans to put a computer chip on the face of a REAL ID, Oklahoma REAL ID. None.  Randy Rogers and Jeff Hankins told you that and I’m telling you that today. And despite what anyone else tells you differently, that is the truth.  If anyone tells you differently I would love to see the documentation that says we are going to do that because there is no plan to do that.

Ah, there is a fingerprint system that we have in Oklahoma. That fingerprint image stays in Oklahoma, in our databases.

I know Mr. Houchen and Ms. Beach are concerned about us sharing this with a number of folks but I need some kind of proof to that. One of the privileges we have living in this nation is we are entitled to free speech. You can say anything but at some point we have to have documentation to back up these claims that are being made and if they have proof of that I’d like to see it.  There’s no fingerprint that is going to be a part of a REAL ID you can’t, you cannot retrieve  a fingerprint off of a REAL ID.  I know that was a concern for this group here.

And the last thing is the social security number. The social security number will not, will not, be retrievable off a REAL ID …moving forward there’s no requirement for that, there’s no plans for that.

Those are the three things I think you folks has the most heartburn about.  Randy Rogers and Jeff Hankins who answered those questions for you… We have not.., at DPS, we have nothing over here if we don’t have our integrity and good reputation.  There’s nothing that they told you that was untrue and mainly I wanted to point that out that they were very forthcoming and very truthful when they gave you those responses at last month at your REAL ID interim study.

How you  decide to move forward REAL ID is how you decide to move forward with REAL ID.

It is a bit ironic though and I am stealing Randy’s time but I’m not going to need 30 minutes… it is a bit ironic for me that  Ms. Beach talked uh, at length about a  high resolution uh image.  I can google you right now – from Syria and pull up high image, real high resolution image of you off of Google images.”

Kaye Beach: “Can you deny me my ability to pick up my prescription with that photo?”

Rep. Cleveland: “Let’s hold the questions until we get through here.”

Commissioner Thompson: “And I apologize for that.  I shouldn’t be addressing those questions to you personally. But the fact is, our images, your images, pretty much everyone at this tables images, it’s already out there.  It’s not as if we are safeguarding that and holding it in our hands in some kind of lockbox it’s there and its high resolution by the way.

Most people want to go get a driver’s license for the purpose of driving a car or driving an automobile, but most people, ordinary people, and I certainly include myself in that number, we don’t have the ability to go out and write a $30, 000 check  for a car or a $50,000 check for a Ford F150 pickup, we have to go finance that and when we finance that with a lending institution, we write down what our name is, what our social security number is , what our date of birth is, where you lived for the last ten years, who our landlord is, what our wife’s name is, what our wife’s maiden name is, what our child’s name is, what our child’s middle name is, um who your references are, what’s their name, what’s their address, how much do you owe information, you give all that information to a lending institution and feel happy about walking out there with a competitive interest rate to go and buy your Ford F150 or your Toyota Camry but next month when you have to go renew your driver’s license (unintelligible) because we’re asking you some very simple, very basic questions.  For me, I just don’t understand that.

If you walk out of here and go to the restroom and fall and break your leg, before you leave that hospital that doctor is going to have all that information that’s far more intrusive. The information that you would have to provide to get a passport, it’s incredibly intrusive.

Mr. Houchen mentioned SF 86, I’ve filled out a number of them.  I’ve got a top secret clearance with the federal government right now and I agree, Sir,that is a beast to fill out.  It’s like 40 pages.  It’s so intrusive, I start crying every time I have to redo my clearance.  It’s a hard object to fill out but we fill that out because it’s a requirement.  If you go and get your teeth cleaned, you’ve got to give a lot of information to that Dentist before you get your teeth cleaned.

I get, I get the,  uh emotion attached to REAL ID because of where we are at this stage but again, Sir, I promise you, I am not here to try to push an agenda or try to convince you to move forward with this. If you do as a state, great.  If we don’t, I think we are going to have to live with the consequences at some point and that is really our position at DPS.   Once this is passed, if it does get passed, we’re ten years behind the rest of America so we’re going to have a lot of work to do to get this thing pulled off.

And the last thing about the chip because that was a reoccurring subject that came up a number of times.  The people that we do business with, we as the state of Oklahoma, is MorphoTrust.  They represent 42 different states and jurisdictions.  There are 42 people have REAL ID’s with them and none of those states have a chip on the face of their Real ID and if they do, I’d like to see it because unequivocally,  they have told us, specifically,  there is no requirement and no plans to put a chip on the face of a REAL ID.  With that, I’m sure there are a number of questions and I will yield remainder of my time …”

 

 

REAL ID Fright Fest 2015, Oklahoma Edition

Kaye Beach | Oct. 6, 2015

The headlines are scary.

Vaguely worded policies issued by the federal Department of Homeland Security and sensational headlines have allowed misconceptions about the actual consequences of not having a REAL ID to grow.

The very worst possible consequences of not having not having a REAL ID card are actually quite minimal.

To refresh your memory- the REAL ID Act was passed with little to no debate in Congress in 2005 as a rider to a ‘must pass’ military and disaster relief funding bill.  The most controversial portion of the law imposes federal standards upon state driver’s licenses and ID documents.  And contrary to media reports, the REAL ID Act does require the collection and digital retention of every driver license applicants’ biometric facial image.  This fact is acknowledged by the National Conference of State Legislatures as well as other policy professionals so you don’t have to take my word for it.

The biometric and other personal information is required to be shared among the states and is accessible to the federal government.
The consequences for having a REAL ID are far more disturbing than the consequences for not having a REAL ID  which can be summed up like this; Someday, if you do not have a REAL ID compliant driver’s license or one of the umpteen acceptable alternatives, the TSA will look you up in their database to make sure that you are really you and you may be subject to a secondary screening which generally means you will be asked to either go through the naked scanner or get a pat down and they will look in your bags. That’s about it so why are we being treated to this over the top fright fest?
Because fear is one of the only tools DHS has to get the states to comply

Jim Harper at Cato explains:

Right now, the Department of Homeland Security is sending out emissaries to tell state leaders that their residents might soon feel the TSA’s wrath. State motor vehicle bureaucrats and pro-national ID groups are joining them in the effort to herd state leaders over the national ID cliff.
But the threat of TSA enforcement is an empty one. REAL ID “deadlines” have come and gone many times. No state has ever come into compliance with REAL ID. No state will be in compliance in 2016. And the TSA will not begin a program to prevent Americans from traveling by air.

The adoption of the REAL ID standards is (by law) is voluntary for the states. This is not a mandate so implementation can only be accomplished gradually by persuading (or intimidating) the states into compliance. Since the law is so controversial (not to mention convoluted and costly!) states have little incentive to adopt the REAL ID standards.
No one really seems to want a REAL ID — unless they think that the consequences for not having one might be dire.

“. . .by requiring Real ID-compliant licenses to board commercial aircraft, the law could put a lot of public pressure on states to issue licenses that meet its standards.”
Source: USA Today, Real ID is slowly changing state drivers’ licenses, Jan. 22, 2014

Oklahoma has been granted an extension by the Dept. of Homeland Security. An extension means that the state’s driver’s license and ID cards will be accepted just as if the ID was fully REAL ID compliant.
From the Dept. of Homeland Security, REAL ID Enforcement in Brief:
“Individuals holding driver’s licenses or identification cards from these jurisdiction may continue to use them as before.”
The jurisdiction referred to are states where their licenses have been “(1) determined to meet the Act’s standards; or (2) that have received extensions.”

This means that Oklahoma ID’s are acceptable for flying, entering specified federal buildings and entering a nuclear facility, 3 of the four “official purposes” that will require a REAL ID.  There are FOUR official purposes that require a REAL ID but I have yet to hear the media cover the fourth purpose even once.

The REAL ID final rules require a REAL ID complaint driver’s license or ID card for certain specified “official purposes” (defined in Sec 201 of the Act.)
#1 Entering Federal facilities
#2 boarding a Federally-regulated commercial aircraft
#3 Entering a nuclear power plant
and
#4 Any other purpose established by the Secretary of Homeland Security
(Real ID Final Rules http://www.gpo.gov/fdsys/pkg/FR-2008-01-29/pdf/08-140.pdf)

The fourth official purpose is what a good friend of mine refers to as the “dictator clause”  It means just what it says.  The Secretary of Homeland Security can add any other purpose he or she wisher.  No congressional review – no nothing.  Would it bother you if you were required to present your biometric national ID for say….ammo?

That fourth purpose could come in handy for just about anything that needs to be monitored, rationed or controlled.  Ask Oklahoma media to cover THAT!

The DHS will be reviewing the progress of states that have received extensions this month. I predict that Oklahoma will be granted another extension.

On Dec. 29, 2014, the Dept. Of Homeland Security extended the deadline for enforcement upon states that have an extension or are deemed compliant with REAL ID until Oct. 1, 2020. Oklahoma appears to exempt from enforcement until 2020.

In the worst-case-scenario, one where the DHS refuses to grant our state and extension and we become subject to enforcement in order to board a plane “no sooner than 2016,”  it’s still not going to be a big deal for Okies.

Not once has it been publicly asserted by the Department of Homeland Security or the TSA that not having a REAL ID compliant license would ever be a basis for denying a person the ability to board a commercial aircraft or that a U.S. Passport is the only accepted alternative to REAL ID
Clarifying statements have been made by DHS officials though, they just aren’t the ones that make the headlines.
For example, Darrell Williams, former Senior Director, Office of State Issued ID Support, Department of Homeland Security, testified before a Congressional subcommittee that there are a variety of identification alternatives to a REAL ID and that not having a REAL ID compliant license will not prevent a person from boarding a plane. He went on to say to say that even individuals with NO FORM OF ID at all can still be permitted to fly.

Mr. Williams as the former Director of the REAL ID program for the Department of Homeland Security with (which directs the Transportation Security Administration) is very familiar with the policies of both agencies. No publicly available official statement on the matter of REAL ID and boarding a federally regulated commercial aircraft refutes Mr. Williams’ testimony.

Here is the TSA’s list of preferred ID documents:
• Driver’s licenses or other state photo identity cards issued by Department of Motor Vehicles (or equivalent)
• U.S. passport
• U.S. passport card
• DHS trusted traveler cards (Global Entry, NEXUS, SENTRI, FAST)
• U.S. military ID (active duty or retired military and their dependents, and DoD civilians)
• Permanent resident card
• Border crossing card
• DHS-designated enhanced driver’s license
• Airline or airport-issued ID (if issued under a TSA-approved security plan)
• Federally recognized, tribal-issued photo ID
• HSPD-12 PIV card
• Foreign government-issued passport
• Canadian provincial driver’s license or Indian and Northern Affairs Canada card
• Transportation worker identification credential
http://www.tsa.gov/travel/security-screening/identification

Here the TSA goes into a bit more detail regarding its identity verification procedures:

“TSA prefers that passengers use an acceptable ID at the checkpoint and only publishes the acceptable forms of primary ID, such as a driver’s license and passport on its website. However, we understand that, due to extenuating circumstances a passenger may not have an acceptable form of ID when attempting to travel on a commercial aircraft. Therefore, TSA has alternate means to verify identity in order to allow a passenger to travel and may rely on a variety of government-issued documents, commercial databases, and other agencies to verify passenger identity. The alternative means to establish identity are not published on the website in part because TSA prefers that passengers use acceptable ID.

The TSA website informs passengers that, if they do not have acceptable ID, they can alternatively provide additional information and undergo additional screening in order to be cleared. Specifically, the website informs the public that: “If you are willing to provide additional information, we have other ways to confirm your identity, like using publicly available databases, so you can reach your flight.”
(TSA response to congressional inquiry Aug. 7, 2014
https://www.scribd.com/doc/237497624/TSA-Doc)

No one is going to have to get a passport or be barred from flying due to the REAL ID Act.

This press released today by the Oklahoma Senate certainly sounds dire.

Can you imagine if people were unable to enter the Social Security office?  What if you were asked to appear in Federal Court and you don’t have a REAL ID?  What would happen?

Apparently nothing.

REAL ID Act of 2005 Implementation: An Interagency Security Committee Guide
Aug 2015, Interagency Security Committee
“…there is no requirement to produce a REAL ID Act compliant ID to enter a Federal facility for accessing health or life preserving services (including hospitals and health clinics), law enforcement (including participating in law enforcement proceedings or investigations), participating in constitutionally protected activities (including a defendant’s or spectator’s access to court proceedings, access by jurors or potential jurors), voting or registering to vote, or applying for or receiving Federal benefits…”
https://www.dhs.gov/sites/default/files/publications/isc-real-id-guide-august-2015-508_0.pdf

According to the Department of Homeland Security–
REAL ID does NOT apply to the following:
• Entering Federal facilities that do not require a person to present identification
• Voting or registering to vote
• Applying for or receiving Federal benefits
• Being licensed by a state to drive
• Accessing Health or life preserving services (including hospitals and health clinics), law enforcement, or constitutionally protected activities (including a defendant’s access to court proceedings)
• Participating in law enforcement proceedings or investigations

There is too much fear, uncertainty and doubt being pumped out by the media and state officials for me to address in just one post so expect more posts soon.  Until then – don’t let them scare you!

The Immigration Reform Bill – Prodding Forth Real ID, an INTERNATIONAL Biometric ID

Kaye Beach

May 14, 2013

On May 10^th The Blaze ran a headline that asks; Is There a Scary Biometric ‘National ID System’ Tucked into the Immigration Bill?

The answer is YES!

But wait!  There’s more. . .I sometimes feel like I am belaboring the point but it seems to me the distinction between a national and INTERnational biometric identity system is a very important one.

Study that graphic up there.  It is the simple three step recipe for a single, global biometric identification system.  Read this post then look at it again and see if you can grokk what I’m telling you.

The federal Real ID Act of 2005 imposed federal guidelines that use international standards on state driver’s licenses and ID cards.  You may remeber that at least 25 states said no to Real ID by passing either a law or a resolution against the implementation of the Real ID Act.  Nevertheless, Real ID has continued to be implemented in most states to various degrees.

“By the deadline of January 13, 2013, most states will be substantially or materially or fully compliant with REAL ID” —Janice Kephart, Feb. 2012

It is important to note though, that ALL states are capturing and storing applicants’ digital facial images.  And although not all of the states are actually using this facial biometric as intended by the Real ID Act, eventually they will be.   The immigration reform bill (S.744, the ‘Border Security, Economic Opportunity, and Immigration Modernization Act’) will make sure of it.

In case you missed it, now, when you apply for a state driver’s license, a state identification card or any other form of government issued photo ID really, you are having your facial biometrics captured by a high resolution photograph.  High resolution digital cameras capture, map, digitize and database our facial features for the purpose of use by facial recognition technology.

Facial recognition technology enables remote identification and tracking through networked camera systems without our knowledge or consent.  As a matter of fact, facial biometrics is the governments biometric of choice because it can be used to identify and investigate us at-a-distance without our knowledge or consent.

Pay close attention here: This digital image on your state driver’s license or ID card is, by definition, a biometric.

The standard specified in the Real ID regulations for your state driver’s license and ID cards ensures that the digital facial image is facial recognition compatible.  That standard is the adopted standard of the ICAO, the International Civil Aviation Organization, an agency of the UN.

(Want more information?  Read REAL ID – BIOMETRIC FACT SHEET)

International standards exist for one purpose;  to enable the global sharing of that information.

“REAL ID is. . .the current face of a far larger, international government and private economic effort to collect, store, and distribute the sensitive biometric data of citizens to use for the twin purposes of government tracking and economic control.” -PA Rep. Sam Rohr

Real ID is technically voluntary for the states.  What the government has always intended, is for Real ID to be practically mandatory for the citizens.  This is why the threat hangs over our heads that if we do not have a Real ID card by a certian date, we will not be able to fly or enter a federal building.

“In the future, only those state issued Driver Licenses and  Identification cards which are fully compliant with the REAL ID act of 2005 will be authorized for use as identification for official federal
government purposes, such as boarding commercial aircraft and entering  certain regulated federal facilities.” Alabama DMV-STAR ID

The road to Real ID compliance has admittedly been a rather slow and arduous one but the Immigration Reform bill (S.744, the ‘Border Security, Economic Opportunity, and Immigration Modernization Act’), if passed, will put a stop to any state foot dragging on Real ID because citizens will have to have it in order to work!

 A Real ID compliant driver’s license is specifically named as one of the acceptable ID documents in the bill (but all ID documents specified in the bill are biometric ID’s.)

To be perfectly clear – with S.744, producing your government issued, internationally standardized biometric ID is mandatory.  You will not be able gain permission to work without it. 

In authoritarian societies you must always have permission.

Forget privacy.  That is not what this is about.  This is about the balance of power between us and our government.  This is about control.  If we wish to retain control over our own lives, we will not accept government serializing of our bodies and we won’t allow the government to turn our rights into privileges

The Sec. of the Dept. of Homeland Security also has the option to add any other biometric or security feature as a requirement for those who wished to be employed so facial biometrics is the minimum biometric requirement but iris scans, fingerprints, or any other biometric could be required as well.

The new comprehensive immigration reform bill is not the first step in enrolling US citizens in the global biometric identification system.  The first step was that every government issued ID (especially the driver’s license) captured and collected your biometric data and that that data was collected in accordance with international standards.  The second step is to share your biometric data, to connect databases so that they can get that data flowing freely from the state and local databases on to the federal ones and eventually into global data systems.

One other important step in this global system of identification and control is to make sure we have to produce our global biometric ID for everything.  Or at least everything that we do that government wants to track and control.  And don’t forget that with biometric ID, your body IS your ID.  It’s the databases and not the card we should be focusing on.

Here are a few more facts about the bill as drafted;

Requires ALL potential employees to be authorized to work through the Dept. of Homeland Security.  Even If you are already employed when the proposed law goes into effect, you still will have to go through this authorization process.

Authorization hinges upon biometric identification.  Biometric data, including but not necessarily limited to, digital facial image, is required.  Real ID compliant driver’s licenses are cited as one acceptable form of biometric ID but the bill leaves the door open for the Sec. of the Dept. of Homeland Security to add other security requirements as he or she see fit.

The immigration reform bill requires employers to use a “photo tool” to verify the identity of each employee.  The term ‘photo tool’ is simply a euphemism for facial recognition software that will be used to match the facial biometrics provided by the potential employee to a federal database.

Where will this federal database come from?  I asked this question of Mark Lerner, co-founder of The Constitutional Alliance,  the leading expert on biometrics and the Real ID Act.

Here is his reply:

 “The answer will come in the Rulemaking process. There are two possible scenarios. In either scenario the “key” will be the photos stored in state DMV databases. Whether it will be DHS requiring employers to send photos to DHS and DHS having direct or indirect access to state DMV photo databases or whether DHS will require the photos the employers uses to be provided directly to states for the states to compare to photos in the state DMV database remains unclear. I also believe it is clear DHS will get the photo regardless.”

Access to the biometric data held in state DMV databases will be a must. 

There are reasons I have been having a fit trying to get my biometric data OUT of the state Department of Public Safety database.  I think this bill goes a long way in making my argument for me.  Read more about my lawsuit against the state of Oklahoma for the unwarranted collection of my biometric data here.

There is more to this bill to be concerned about  For instance,  the unconstitutional lack of due process.  Every person must prove they are a US citizen before they can work.  If the system says you do not pass muster, you are required to be terminated from your job at the end of an administrative process.   Will have more info on this and other issues soon.

Report on the FBI’s Investigative Data Warehouse 2009

Report on the Investigative Data Warehouse

April 2009

Table Of Contents

1. Overview of the IDW
   
2. IDW Systems Architecture
   
3. Privacy Impact Assessment
   
4. The Future of the IDW is Data Mining
   

In August 2006, the Electronic Frontier Foundation (EFF) sought government records concerning the Federal Bureau of Investigation (FBI)’s Investigative Data Warehouse (IDW) pursuant to the Freedom of Information Act (FOIA). After the FBI failed to respond to EFF’s requests within the timeline provided by the FOIA, EFF filed a lawsuit on October 17, 2006. Records began to arrive in September 2007. On April 14, 2009, the government filed a brief stating that no more documents were going to be provided, despite the Obama Administration’s new guidelines on FOIA.

The following report is based upon the records provided by the FBI, along with public information about the IDW and the datasets included in the data warehouse.

I. Overview of the Investigative Data Warehouse

The Investigative Data Warehouse is a massive data warehouse, which the Bureau describes as “the FBI’s single largest repository of operational and intelligence information.” As described by FBI Section Chief Michael Morehart in 2005, the “IDW is a centralized, web-enabled, closed system repository for intelligence and investigative data.” Unidentified FBI agents have described it “one-stop shopping” for FBI agents and an “uber-Google.” According to the FBI, “[t]he IDW system provides data storage, database management, search, information presentation, and security services.”

Documents show that the FBI began spending funds on the IDW in fiscal year 2002, “and system implementation was completed in FY 2005.” “IDW 1.1 was released in July 2004 with enhanced functionality, including batch processing capabilities.” The FBI worked with Science Applications International Corporation (SAIC), Convera and Chilliad to develop the project, among other contractors. As of January 2005, the IDW contained “more than 47 sources of counterterrorism data, including information from FBI files, other government agency data, and open source news feeds.” A chart in the FBI documents shows IDW growing rapidly, breaking the half-billion mark in 2005. By March 2006, the IDW had 53 data sources and over half a billion (587,186,453) documents. By September 2008, the IDW had grown to nearly one billion (997,368,450) unique documents. The Library of Congress, by way of comparison, has about 138 million (138,313,427) items in its collection.

In addition to storing vast quantities of data, the IDW provides a content management and data mining system that is designed to permit a wide range of FBI personnel (investigative, analytical, administrative, and intelligence) to access and analyze aggregated data from over fifty previously separate datasets included in the warehouse. Moving forward, the FBI intends to increase its use of the IDW for “link analysis” (looking for links between suspects and other people – i.e. the Kevin Bacon game) and to start “pattern analysis” (defining a “predictive pattern of behavior” and searching for that pattern in the IDW’s datasets before any criminal offence is committed – i.e. pre-crime).

II. IDW Systems Architecture

According to an FBI project description, “The IDW system environment consists of a collection of UNIX and NT servers that provide secure access to a family of very large-scale storage devices. The servers provide application, web servers, relational database servers, and security filtering servers. User desktop units that have access to FBINet can access the IDW web application. This provides browser-based access to the central databases and their access control units. The environment is designed to allow the FBI analytic and investigative users to access any of the data sources and analytic capabilities of the system for which they are authorized. The entire configuration is designed to be scalable to enable expansion as more data sources and capabilities are added.”

A DOJ Inspector General report explained: “Data processing is conducted by a combination of Commercial-Off-the-Shelf (COTS) applications, interpreted scripts, and open-source software applications. Data storage is provided by several Oracle Relational Database Management Systems (DBMS) and in proprietary data formats. Physical storage is contained in Network Attached Storage (NAS) devices and component hard disks. Ethernet switches provide connectivity between components and to FBI LAN/WAN. An integrated firewall appliance in the switch provides network filtering.”

1. IDW Subsystems
   

   Pursuant to the IDW Concept of Operations, the IDW has two main subsystems, the IDW-Secret (IDW-S) and IDW-Special Projects Team (IDW-SPT). It also has a development platform (IDW-D) and a subsystem for maintenance and testing (IDW-I).
   

   1. IDW-Secret
      

      The IDW-S system is the main subsystem of the IDW, which is authorized to process classified national security data up to, and including, information designated Secret. However, IDW-S is not authorized to process any Top Secret data nor any Sensitive Compartmented Information (SCI). The addition of IDW-TS/SCI, a Top Secret/Sensitive Compartmented Information level data mart, appears to remain in the planning stages. The IDW-S system is the successor of the Secure Counter-Terrorism/Collaboration Operational Prototype Environment (SCOPE).
      

   2. IDW-Special Projects Team
      

      According to an Inspector General report, “[i]n November 2003, the Counterterrorism Division, along with the Terrorist Financing Operations Section (TFOS), in the FBI began a special project to augment the existing IDW system with new capabilities for use by FBI and non-FBI agents on the JTTFs. The FBI Office of Intelligence is the executive sponsor of the IDW. The IDW Special Projects Team was originally initiated for the 2004 Threat Task Force.” By May 2006, the “Special Project Team provided services to 5 task forces or operations.”
      

      As described by the FBI:
      

      Special Projects Team (SPT) Subsystem
      The Special Projects Team (SPT) Subsystem allows for the rapid import of new specialized data sources. These data sources are not made available to the general IDW users but instead are provided to a small group of users who have a demonstrated “need-to-know”. The SPT System is similar in function to the IDW-S system. With the main difference is a different set of data sources. The SPT System allows its users to access not only the standard IDW Data Store but the specialized SPT Data Store.
      

2. IDW Features
   

   In 2004, the Willie Hulon, then the Deputy Assistant Director for the Counterterrorism Division, said that the FBI was “introducing advanced analytical tools to help us make the most of the data stored in the IDW. These tools allow FBI agents and analysts to look across multiple cases and multiple data sources to identify relationships and other pieces of information that were not readily available using older FBI systems. These tools 1) make database searches simple and effective; 2) give analysts new visualization, geo-mapping, link-chart capabilities and reporting capabilities; and 3) allow analysts to request automatic updates to their query results whenever new, relevant data is downloaded into the database.”
   

   Deputy Assistant Director Hulon also asserted that “[w]hen the IDW is complete, Agents, JTTF [Joint Terrorism Task Force] members and analysts, using new analytical tools, will be able to search rapidly for pictures of known terrorists and match or compare the pictures with other individuals in minutes rather than days. They will be able to extract subjects’ addresses, phone numbers, and other data in seconds, rather than searching for it manually. They will have the ability to identify relationships across cases. They will be able to search up to 100 million pages of international terrorism-related documents in seconds.” (Since then, the number of records has grown nearly ten-fold).
   

   At the FBI National Security Branch’s “request, the FBI’s Office of the Chief Technology Officer (OCTO) has developed an ‘alert capability’ that allows users of IDW to create up to 10 queries of the system and be automatically notified when a new document is uploaded to the database that meets their search criteria.”
   

   “Users can search for terms within a defined parameter of one another. For example, the search: ‘flight school’ NEAR/10 ‘lessons’ would return all documents where the phrase ‘flight school’ occurred within 10 words of the word “lessons.” Users can also specify whether they want exact searches, or if they want the search tool to include other synonyms and spelling variants for words and names.”
   

   “IDW includes the ability to search across spelling variants for common words, synonyms and meaning variants for words, as well as common misspellings of words. If a user misspells a common word, IDW will run the search as specified, but will prompt the user to ask if they intended to run the search with the correct spelling.”
   

   In its 2004 report to the 9-11 Commission, the FBI used an example (shown on the right) to illustrate the planned use of the IDW for data mining and link analysis, showing i2’s Analyst’s Notebook. i2 described the program as “the world’s most powerful visual investigative analysis software,” which is able to analyze “vast amounts of raw, multi-format data gathered from a wide variety of sources.”
   

   By 2006, the IDW was processing between 40,000 and 60,000 “interactive transactions” in any given week, along with between 50 and 150 batch jobs. An example of a batch process is where “the complete set of Suspicious Activity Reports is compared to the complete set of FBI terrorism files to identify individuals in common between them.”
   

3. Datasets in the IDW
   

   According to various
   FBI
   documents, the following 38 data soures were included in the IDW on or before August 2004. Of these, IDW-S included at least the first six items.
   

   1. Automated Case System (ACS), Electronic Case File (ECF). This dataset contains ASCII flat files (metadata and document text) and WordPerfect documents consisting of the ECs, FD-302s, Facsimiles, FD-542s, Inserts, Transcriptions, Teletypes, Letter Head Memorandums (LHM), Memorandums and other FBI documents contained within ACS. The ACS system, which came on-line in October 1995, is the FBI’s centralized electronic case management system. It consists of the following components:
      
      1. Investigative Case Management — used to open a case and assign a unique 9-digit case number, called the Universal Case File Number, which consists of the FBI crime classification number; a two-letter alpha code designating the field office that opened the case; and a consecutive, numerical designator generated by the system.
         
      2. Electronic Case File — used to maintain investigative documentation, such as interview transcripts. Upon approval of a paper document, an electronic copy of the completed document is uploaded to the electronic case file.
         
      3. Universal Index — used to maintain index records for a case and allows the searching of records in a variety of ways.
         

      [NOTE: While ACS is the current FBI case file system, it may soon be replaced. The FBI originally intended to replace ACS with the “Virtual Case File” system. After what the Office of the Inspector General called “FBI’s failed $170 million VCF project,” the FBI now “plans to replace the ACS system with the Sentinel Case Management System. The projected implementation date is 2009.” “When up and running, Sentinel will provide more current case information, audio, video, pictures and multimedia into the IDW system.”]
      

   2. Secure Automated Messaging Network (SAMNet) — ASCII files in standard cable traffic message format (all capitals with specific header), consisting of all messaging traffic sent either from the FBI to other government agencies, or sent from other government agencies to the FBI through the Automated Digital Information Network (AutoDIN), including Intelligence Information Reports (IIRs) and Technical Disseminations (TD) from the FBI, Central Intelligence Agency (CIA), Defense Intelligence Agency (DIA), and others from November of 2002 to present. IDW receives copies of these classified messages up to Secret with no SCI caveats.
      
   3. Joint Intelligence Committee Inquiry (JICI) Documents — Scanned copies (TIFF images and ASCII OCR text) of “all FBI documents related to extremist Islamic terrorism between 1993 and 2002.” These are counterterrorism files that were scanned into a database to accommodate the JICI’s investigation into the attacks of September 11th.
      
   4. Open Source News — Includes various foreign news sources that have been translated into English, as well as a few large U.S. publications. The open source data collected for the FBI comes from the MiTAP system run by San Diego State University. MiTAP is a system that collects raw data from the internet, standardizes the format, extracts named entities, and routes documents into appropriate newsgroups. This dataset is part of the Defense Advanced Research Projects Agency (DARPA) Translingual Information Detection, Extraction and Summarization (TIDES) Open Source Data project.
      
   5. Violent Gang and Terrorist Organization File (VGTOF) — Lists of individuals and organizations who the FBI believes to be associated with violent gangs and terrorism, provided by the FBI National Crime Information Center (NCIC). It includes biographical data and photos pertaining to members of the identified groups in the form of ASCII flat files (data/metadata) and JPEG image binaries (none, one or multiple per subject). The biographical data includes the “individual’s name, sex, race, and group affiliation, and, if possible, such optional information as height and weight; eye and hair colors; date and place of birth; and marks, scars, and tattoos.”
      
   6. CIA Intelligence Information Reports (IIR) and Technical Disseminations (TD) — A copy of all IIRs and TDs at the Secret security classification or below that were sent to the FBI from 1978 to at least May 2004. Intelligence Information Reports are designed to provide the FBI with the specific results of classified intelligence collected on internationally-based terrorist suspects and activities, chiefly abroad.
      
   7. Eleven (11) IntelPlus scanned document libraries — Copies of millions of scanned TIFF format documents and their corresponding OCR ASCII text related to FBI’s major terrorism-related cases. IntelPlus is an application that allows the users to view “Table of Contents” lists from large collections of records. The user is able to display the document whether it is in text form or one of several graphic formats and then print, copy or store the information. The application allows tracking associated documents on related topics and provides a search capability.
      
   8. Eleven (11) Financial Crimes Enforcement Network (FinCEN) Databases — Data related to terrorist financing. “FinCEN requires financial institutions to preserve financial paper trails behind transactions and to report suspicious transactions to FinCEN for its database. FinCEN matches its database with commercial databases such as Lexis/Nexis and the government’s law enforcement databases, allowing it to search for links among individuals, banks, and bank accounts.” At least one of these databases includes all currency transaction report (CTR) forms on bank customers’ cash transactions of more than $10,000: “In 2004, FinCEN first provided the FBI with bulk transfer of [CTRs]” Over 37 million CTRs were filed between 2004-2006.
      
   9. Two (2) Terrorist Financing Operations Section Databases — Biographical and financial reports on terrorism-related individuals. According to Dennis Lormel, Section Chief of the Terrorist Financing Operations Section, TFOS has a “centralized terrorist financial database which the TFOS developed in connection with its coordination of financial investigation of individuals and groups who are suspects of FBI terrorism investigations. The TFOS has cataloged and reviewed financial documents obtained as a result of numerous financial subpoenas pertaining to individuals and accounts. These documents have been verified as being of investigatory interest and have been entered into the terrorist financial database for linkage analysis. The TFOS has obtained financial information from FBI Field Divisions and Legal Attache Offices, and has reviewed and documented financial transactions. These records include foreign bank accounts and foreign wire transfers.”
      
   10. Foreign Financial List — Copies of information concerning terrorism-related persons, addresses, and other biographical data submitted to U.S. financial institutions from foreign financial institutions.
       
   11. Selectee List — Copies of a Transportation Security Administration (TSA) list of individuals that the TSA believes warrant additional security attention prior to boarding a commercial airliner. According to Michael Chertoff, “fewer than” 16,000 people were designated “selectees” as of October 2008.
       
   12. Terrorist Watch List (TWL) — The FBI Terrorist Watch and Warning Unit (TWWU) list of names, aliases, and biographical information regarding individuals submitted to the Terrorist Screening Center (TSC) for inclusion into VGTOF and TIPOFF watch lists. Also called the Terrorist Screening Database (TSDB), the database “contained a total of 724,442 records as of April 30, 2007.”
       
   13. No Fly List — A copy of a TSA list of individuals barred from boarding a commercial airplane. According to Michael Chertoff, 2,500 people were on the “no fly” list as of October 2008.
       
   14. Universal Name Index (UNI) Mains — A copy of index records for all main subjects on FBI investigations, except certain records that might reveal people in witness protection or informants. “A main file name is that of an individual who is, himself/herself, the subject of an FBI investigation.”
       
   15. Universal Name Index (UNI) Refs — A copy of index records for all individuals referenced in FBI investigations, except certain records that might reveal people in witness protection or informants. A “reference is someone whose name appears in an FBI investigation. References may be associates, conspirators, or witnesses.”
       
   16. Department of State Lost and Stolen Passports — A copy of records pertaining to lost and stolen passports. “The Consular Lost and Stolen Passports (CLASP) database includes over 1.3 million records concerning U.S. passports. All passport applications are checked against CLASP, PIERS [Passport Information Electronic Records System], the Social Security Administration’s database, and the Consular Lookout and Support System (CLASS), which includes information provided by the Department of Health and Human Services (HHS) and law enforcement agencies such as the Federal Bureau of Investigations (FBI) and U.S. Marshals Service.” “The overall CLASS database of names has risen to over 20 million records in recent years, including millions of names of criminals from FBI records provided to the State Department under the terms of the USA PATRIOT Act.” “The Online Passport Lost & Stolen System permits citizens to report a lost or stolen passport.” It includes “Name, date of birth (DOB), social security number (SSN), address, telephone number, and e-mail address,” as reported by the citizen.
       
   17. Department of State Diplomatic Security Service — A copy of past and current passport fraud investigations from the “DOS DDS RAMS database.” The Records Analysis Management System (RAMS) Database “allows all Field Offices, Resident Agent Offices (RAO) and the Bureau of Diplomatic Security to track, maintain, and efficiently share law enforcement investigative case information. RAMS contains CLASSIFIED information.” By September 2005, the Department of States was “developing a ‘Knowledge Base’ on-line library that will be a ‘gateway’ to passport information, anti-fraud information, and relevant databases. All passport field agencies and centers can use this system to submit anti-fraud information such as exemplars of genuine and malafide documents, fraud trends in their respective regions, and other information that will be instantly available throughout the department.”
       

   In August 2004, the FBI was considering adding several more datasets: the “FBI’s Telephone Application, DHS data sources such as US-VISIT and SEVIS, Department of State data sources such as the Consular Consolidated Database (CCD), and Treasury Enforcement Communication System (TECS).” A later document shows that at least “most” of the Telephone Application is now in the IDW.
   

   The Telephone Application (TA) “provides a central repository for telephone data obtained from investigations.” “The TA is an investigative tool that also serves as the central repository for all telephone data collected during the course of FBI investigations. Included are pen register data, toll records, trap/trace, tape-edits, dialed digits, airnet (pager intercepts), cellular activity, push-to-talk, and corresponding subscriber information.” Records obtained through National Security Letters are placed in the Telephone Application, as well as the IDW by way of the ACS system.
   

   “The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) Program is an integrated, automated biometric entry-exit system that records the arrival and departure of aliens; conducts certain terrorist, criminal, and immigration violation checks on aliens; and compares biometric identifiers to those collected on previous encounters to verify identity.”
   

   The Consular Consolidated Database (CCD) is a set of databases that includes “current and archived data from all of the Department of State’s Consular Affairs post databases around the world. This includes the data from the Automated Biometric Identification System (ABIS), ARCS, Automated Cash Register System (ACS), Consular Lookout and Support System (CLASS), Consular Shared Tables (CST), DataShare, Diversity Visa Information System (DVIS), Immigrant Visa Information System (IVIS), Immigrant Visa Overseas (IVO), Non-Immigrant Visa (NIV), Visa Opinion Information Service (VOIS), and Waiver Review System (WRS) applications. The CCD also provides access to passport data in the Travel Document Information System (TDIS), Passport Lookout and Tracking System (PLOTS), and Passport Information Electronic Records System (PIERS). In addition to Consular Affairs data, other data from external agencies is integrated into the CCD, such as the ‘Master Death Database from the Social Security Administration.”
   

   The Student and Exchange Visitor Information System (SEVIS) “maintains information on nonimmigrant students and exchange visitors (F, M and J Visas) and their dependents, and also on their associated schools and sponsors.”
   

   The Treasury Enforcement Communication System (TECS) “is a computerized information system designed to identify individuals and businesses suspected of, or involved in violation of federal law. The TECS is also a communications system permitting message transmittal between Treasury law enforcement offices and other Federal, national, state, and local law enforcement agencies.”
   

   Unidentified Additional Data Sources Added to IDW
   

   The FBI set up an Information Sharing Policy Group (ISPG), chaired by the Executive Assistant Directors of Administration and Intelligence, to review requests to ingest additional datasets into the IDW, in response to Congressional “privacy concerns that may arise from FBI engaging in ‘data mining.'” In February 2005, the Counterterrorism Division asked for 8 more data sources. While the names of the data sources are redacted, items 1, 2 and 4 came from the Department of Homeland Security, and items 6, 7 and 8 were additional IntelPlus file rooms. The February 2005 email chain also refers to “2 data sets approved at the meeting yesterday” and “2 data set under consideration.” In context, it appears that one of the two approved datasets was IntelPlus, which contained three file rooms. The FBI would “get all of the DHS data from the FTTTF [Foreign Terrorist Tracking Task Force] including the [Redacted].” In March 2005, the Information Sharing Policy Group approved seven more unidentified datasets for the Special Projects Team version of the IDW. In May 2005, ISPG approved an additional seven unidentified datasets for the IDW-SPT. The IDW Special Projects Team “ingested and published a new telephone-type data source” on two dates: February 18, 2005, and March 18, 2005. In August 2005, the “[Redacted] Reports Collection” was moved from the limited access IDW-SPT to the more widely available IDW-S. “This [Redacted] dataset contains copies of reports regarding [Redacted].”
   

   Data Retention
   

   As of March 2005:
   

   There is no current Disposition Schedule for IDW. We have looked at the system and it is on our list of systems to be scheduled. With no Disposition Schedule, there is really no limitation on importing data, at least not from a records management standpoint. But, they will not be able to delete or destroy any of that information until a Disposition Schedule is approved.
   

   Nevertheless, the IDW has a process to delete files: “it can occur that data for which IDW-S is not authorized is ingested into IDW-S. When such data is discovered on IDW-S it is necessary to delete this data and to update the Document Tracking Database with the appropriate “DEL” status for the file.” The IDW also has a “secure delete” function.
   

III. Privacy Impact Assessment

The E-Government Act of 2002, Section 208, establishes a requirement for agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections.

A May 12, 2005 email from an unidentified employee in the FBI’s Office of the General Counsel to FBI General Counsel Valerie Caproni notes that the author was “nervous about mentioning PIA in context of national security systems.” The author admitted that “It is true the FBI currently requires PlAs for NS [national security] systems as well as non-NS systems.” However, the author thought that the policy might change. Accordingly the author “recommend[ed] against raising congressional consciousness levels and expectations re NS PlAs.” Caproni’s response is short: “ok.”

This email was in reply to a May 11 email from Caproni expressing her desire “slide something in about PIA” to a give a “sense that we really do worry about the privacy interests of uninvolved people whose data we slurp up.”

However, this strategy failed. Congressional consciousness levels were raised by an August 30, 2006 Washington Post article on the IDW, in which EFF Senior Counsel David Sobel raised the issue of the IDW’s lack of a formally published PIA.

The day the Post article ran, several FBI emails discussed the privacy concerns raised by the IDW. One Office of the General Counsel employee (only identified as Bill) explained the FBI’s desire to play down the concerns: “I’m with [Redacted] in view that if everyone ([Redacted]) starts running around with their hair on fire on this, they will just be pouring gas on something that quite possibly would just fade away if we just shrug it off.”

After these discussions, the FBI released the following response to the article:

Federal Bureau of Investigation
Response to Investigative Data Warehouse (IDW) Press Article for Senate Appropriations Committee
September 7, 2006

There are two concerns being expressed about IDW in the article. One deals with whether the FBI has complied with the Privacy Act’s requirement to publish a “systems notice” in the Federal Register and the other is whether the FBI has complied with the privacy impact analysis requirements of the “E-Government Act.”

The answer to the first question is “yes.” We consider IDW to be part of the FBI’s Central Record System, an “umbrella” system that is comprised of all of the FBI’s investigative files. While it is true that “IDW” isn’t specifically mentioned in the CRS Privacy Act System Notice, we don’t believe that is necessary. The system notice does state: “In recent years … the FBI has been confronted with increasingly complicated cases, which require more intricate information processing capabilities. Since these complicated investigations frequently involve massive volumes of evidence and other investigative information, the FBI uses its computers, when necessary to collate, analyze, and retrieve investigative information in the most accurate and expeditious manner possible.” The system notice describes in reasonable detail what information we obtain, what routine uses we make of it, the authorities for maintaining the system and so forth. This notice is published in the Federal Register and is publicly available. In our view, we are compliant with both the letter and spirit of the Privacy Act in this regard.

The answer to the second question is also “yes.” In fact, since IDW has been categorized as a “national security system,” the E-Government Act does not require it to undergo a privacy impact analysis (PIA) at all. Even so, FBI and DOJ policy requires a PIA to be conducted. For IDW, the FBI has done several PIA’s. We did one for the original system and did others as significant datasets were added to IDW. None of these systems were published since the law does not require them to be conducted in the first place. The point is that we have done far more to analyze the privacy implications of IDW than the law requires. Yes, the analyses have not been conducted in the public domain but Congress weighed the costs and benefits of conducting such an analysis in public and chose to exclude national security systems from that requirement when it passed the E- Government act.

For purposes of the E-Government Act, a National Security System is “an information system operated by the federal government, the function, operation or use of which involves: (a) intelligence activities, (b) cryptologic activities related to national security, (c) command and control of military forces, (d) equipment that is an integral part of a weapon or weapons systems, or (e) systems critical to the direct fulfillment of military or intelligence missions.”

A heavily redacted March 2005 FBI Electronic Communication enclosed a completely redacted Privacy Impact Assessment about the IDW. In August 2007, the Office of the Inspector General conducted an audit of “all major Department [of Justice] information technology (IT) systems and planned initiatives.” The OIG noted that it “did not obtain PIAs or explanations for the FBI’s IDW.”

IV. The Future of the IDW is Data Mining

When the FBI explained the IDW to Congress in 2004, it noted that when FBI Director Mueller testified about the IDW in 2003, he “used the term ‘data mining’ to be synonymous with ‘advanced analysis.’ The FBI does not conduct ‘data mining’ in accordance with the GAO definition, which means mining through large volumes of data with the intention of automatically predicting future activities.”

Nevertheless, in March 2003, the FBI issued its Fiscal Year 2004 (Oct. 2003 – Sep. 2004) budget, in which the Bureau had requested a new “Communications Application”:

The FBI requests $4,600,000 to obtain a software application that is capable of conducting sophisticated link analysis on extremely high volumes of telephone toll call data and other relational data. This software would enable the FBI to leverage modern technology to expeditiously conduct analyses of large collections of relational data.

By 2005, the FBI was still trying to minimize Congressional concerns over data mining. The FBI was concerned that the “distinction between a data mart and a data mining vehicle will be lost on those who just think we are looking into citizens’ lives too much.” On March 1, 2005, an unidentified Office of Congressional Affairs (OCA) employee noted in an email (emphasis original):

We had agreed on the following sentence as a way of avoiding some of the intricacies of data mining policy: “Where permitted by law, and appropriate to an authorized work activity, information gleaned from searching non-FBI databases may be included in FBI systems and, once there, may be accessed by employees conducting searches in furtherance of other authorized activities.”

Unfortunately, I couldn’t get that to fly, since that was the crux of the Senator’s inquiry.

In October 2005 FBI emails discuss the response to the August 2005 GAO report on data mining by the Foreign Terrorist Tracking Task Force (FTTTF). “In 2001, Homeland Security Presidential Directive-2 established the Foreign Terrorist Tracking Task Force (FTTTF) to provide actionable intelligence to law enforcement to assist in the location and detention and ultimate removal of terrorists and their supporters from the US.” The FTTTF “operates two information systems—one unclassified and one classified—that form the basis of its data mining activities,” using tools such as i2 Analyst Notebook application, Query Tracking and Initiation Program (QTIP), and Wareman. In addition to the FBI, “the participants in the FTTTF include the Department of Defense, the Department of Homeland Security’s Bureaus of Immigration and Customs Enforcement and the Customs and Border Protection, the State Department, the Social Security Administration, the Office of Personnel Management, the Department of Energy, and the Central Intelligence Agency.”

In these 2005 emails, an OCA employee suggested a limitation on the scope of the FBI’s response to Congress: “Maybe we say that ‘FTTTF refers to an operational task force. We understand the question to ask about data mining initiatives of FTTTF.'”

Around the same time, an unidentified Office of the General Counsel employee wrote:

Finally – I’m concerned about the statement that we only have 3 data mining projects in the FBI. In the cover letter, you make the point that our definition of data mining only includes large sets of data but I still think the definition is very broad and could include other systems. For example, what about STAS systems? I am not familiar with those systems -(but we are starting work on a PIA so I will be in the near future) but my sense is that they collect and sift through a lot of data. What about EDMS and some of the other systems that collect tech cut data from FISAs and allow analysts to search through the data for relevant info? I would think that could be considered data mining under your definition – but I’ll defer to the CIO’s office on this issue. We just need to make sure we can distinguish these other projects.

A few years later, however, the FBI became less circumspect about marrying the data sets of the IDW with the data mining capabilities of the FTTTF. For the FBI’s FY2007 War Supplemental budget request, the FBI requested $10 million to consolidate the IDW and the FTTTF “and to develop and deploy a robust infrastructure capable of receiving, processing, and managing the quality of substantially increased amounts of additional data.

In its FY2008 “budget justification,” the FBI explained that “[t]he Investigative Data Warehouse (IDW), combined with FTTTF’s existing applications and business processes, will form the backbone of the NSB’s data exploitation system.” The FBI also requested “$11,969,000 … for the National Security Branch Analysis Center (NSAC).” It explains:

Once operational, the NSAC will be tasked to satisfy unmet analytical and technical needs of the NSB, particularly in the areas of bulk data analysis, pattern analysis, and trend analysis. … The NSAC will provide subject-based “link analysis” through the utilization of the FBI’s collection datasets, combined with public records on predicated subjects. “Link analysis” uses datasets to find links between subjects, suspects, and addresses or other pieces of relevant information, and other persons, places, and things. This technique is currently being used on a limited basis by the FBI; the NSAC will provide improved processes and greater access to this technique to all NSB components. The NSAC will also pursue “pattern analysis” as part of its service to the NSB. “Pattern analysis” queries take a predictive model or pattern of behavior and search for that pattern in datasets. The FBI’s efforts to define predictive models and patterns of behavior will improve efforts to identify “sleeper cells.”

“The National Security Analysis Center (NSAC) would bring together nearly 1.5 billion records created or collected by the FBI and other government agencies, a figure the FBI expects to quadruple in coming years.” In June 2007, after seeing this budget request and noting that “[d]ocuments predict the NSAC will include six billion records by FY2012,” the House Science and Technology Committee asked the Government Accountability Office to investigate the National Security Branch Analysis Center.

In 2008, the non-partisan National Research Council issued a 352-page study concluding that data mining is not an effective tool in the fight against terrorism. The report noted the poor quality of the data, the inevitability of false positives, the preliminary nature of the scientific evidence and individual privacy concerns in concluding that “automated identification of terrorists through data mining or any other mechanism is neither feasible as an objective nor desirable as a goal of technology development efforts.”

Acronyms

ABIS

Automated Biometric Identification System

ACS

Automated Case System

ASCII

American Standard Code for Information Interchange

CCD

Consular Consolidated Database

CLASP

Consular Lost and Stolen Passports

CLASS

Consular Lookout and Support System

CIA

Central Intelligence Agency

COTS

Commercial-Off-the-Shelf

CRS

Central Record System

CST

Consular Shared Tables

DARPA

Defense Advanced Research Projects Agency

DHS

Department of Homeland Security

DOJ

Department of Justice

DOS

Department of State

DBMS

Oracle Relational Database Management Systems

DVIS

Diversity Visa Information System

EC

Electronic Communication

ECF

Electronic Case File

EDMS

Electronic Surveillance Data Management System

FBI

Federal Bureau of Investigation

FinCEN

Financial Crimes Enforcement Network

FISA

Foreign Intelligence Surveillance Act

FOIA

Freedom of Information Act

FTTTF

Foreign Terrorist Tracking Task Force

GAO

Government Accountability Office

IDW

Investigative Data Warehouse

IIR

Intelligence Information Reports

ISPG

Information Sharing Policy Group

JICI

Joint Intelligence Committee Inquiry

JTTF

Joint Terrorism Task Force

NAS

Network Attached Storage

NCIC

National Crime Information Center

NSAC

National Security Analysis Center

NSB

National Security Branch of the FBI

NSL

National Security Letter

OCA

Office of Congressional Affairs of the FBI

OCR

Optical Character Recognition

OGC

Office of the General Counsel

OIG

Office of the Inspector General

OPLSS

Online Passport Lost & Stolen System

PIA

Privacy Impact Assessment

PIERS

Passport Information Electronic Records System

QTIP

Query Tracking and Initiation Program

RAMS

Records Analysis Management System

SCOPE

Secure Counter-Terrorism/Collaboration Operational Prototype Environment

SCI

Sensitive Compartmented Information

SEVIS

Student and Exchange Visitor Information System

SPT

Special Projects Team

STAS

Special Technologies and Applications Section

TA

Telephone Application

TECS

Treasury Enforcement Communication System

TFOS

Terrorist Financing Operations Section

TIDES

Translingual Information Detection, Extraction and Summarization

TIFF

Tagged Image File Format

TSA

Transportation Security Administration

TSC

Terrorist Screening Center

TSDB

Terrorist Screening Database

TWL

Terrorist Watch List

TWWU

Terrorist Watch and Warning Unit

UNI

Universal Name Index

US-VISIT

United States Visitor and Immigrant Status Indicator Technology

USA PATRIOT

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

VCF

Virtual Case File

VGTOF

Violent Gang and Terrorist Organization File

VOIS

Visa Opinion Information Service

WRS

Waiver Review System

Holy Motorola! Abu Dhabi’s Got the Control-a

Burka’s anyone??

 

Aren’t you relieved to live in America?  Our government would never do this sort of thing to us. . . .would they?

Sure as God made little green apples, you bet they would. . .are. . have.

AxXiom

• Motorola selected to provide portfolio MOTOA4 wireless mission critical solutions to Abu Dhabi police

Motorola Inc. (NYSE: MOT), leader in the development and deployment of mission critical communication solutions, today announced a contract win with the Abu Dhabi police force, to provide an end to end wireless mobile video surveillance solution for the force’s vehicles and personnel. The contract, which will be signed at IDEX 2009, will see Motorola supplying the latest from its MOTOA4 mission critical portfolio and delivering innovative and reliable wireless solutions.

The new service will enable control room operators to interact with the video system that delivers real time streaming of video from police vehicles and personnel; in contrast to previous solutions that used recorded video. Not only will the service allow live streaming of video, it will also provide local recording of high resolution video. The recorded video will allow future investigation and analysis of footage by the police and assist in solving crimes. The videos can also be presented as evidence in a court of law. Videos sent from the vehicles and personnel will be made available to the five command and control centres throughout the Abu Dhabi and Mussafah area. To aid the police further, mobile command and control will also be provided. Motorola is delivering the solution with their UAE authorised distributor Safeer Integrated Systems.

Motorola’s advanced suite of applications deliver actionable, accurate, real-time information from the field to the command room. The new contract will enable the Abu Dhabi police force to respond to situations as they happen and make decisions on the basis of the information fed back in real time. A core aspect of the new contract is the provision of the MotoLocator service, the primary purpose of which is to provide location-based video surveillance from police in the field back to the control room. The service, which also shows all the force vehicles on a map, will enable control room operators and management to have real-time knowledge of what is happening in the field and allow them to respond on that basis.

“We’re excited to have been selected to provide the deployment of this cutting edge technology to the Abu Dhabi police force,” said Manuel Torres, vice president and general manager, Motorola Government & Public Safety, EMEA. “At Motorola we pride ourselves on delivering ultra reliable mission critical communications anywhere and at anytime. We hope the strong relationship we have with the Abu Dhabi force grows and deepens in the future”

The new video system can also be used to cost effectively connect other applications used by the Abu Dhabi police, including fixed camera installations, automated speed tracking of vehicles, facial recognition and automatic number plate recognition. In future National ID, electronic passports and fingerprint reading capabilities will be added.

Today’s announcement is a further demonstration of Motorola’s leading role in the delivery of mission critical communications for public safety bodies and its commitment to meeting their evolving needs. Motorola’s mission critical MOTOA4 portfolio provides technology that is second nature by enabling seamless connectivity and putting real time information into the hands of users.

---

You can find this page on internet at :
http://www.eyeofdubai.com/v1/news/newsdetail-28119.htm

RFID-People Tracking. Gotcha!

Drive-by reader for RFID drivers licenses and passport cards

Hacker and researcher Chris Paget has demonstrated the ability to read the globally unique serial numbers on RFID chips in passport cards and electronic drivers licenses in the purses and pockets of pedestians on the street from a passing car, at least 30 feet (9 m) away, and to make cloned copies that broadcast the same ID numbers, using a laptop computer and commercial surplus hardware bought on eBay for $250.

This should be no surprise to anyone.  Pasport cards and electronic drivers licenses (EDLs) for US citizens, like the RFID-enabled I94 (entry-exit) forms that foreign visitors are required to carry throughout their stay in the US, were deliberately designed to ensure that they could be read at this range, and from inside a car.  The idea was for border guards to be able to read the chips for all the passengers in an approaching vehicle, before the vehicle reaches a border checkpoint.  In practice, they’ve been plagued by readability and reliability problems, so they haven’t served this purpose at the borders.  But they have made it possible for third parties to track people carrying these cards, from a distance.

RFID “passport cards” and RFID drivers licenses were a response to popular outrage at the imposition of passport requirements, as part of the “Western Hemisphere Travel Initiative” (WHTI), for US citizens crossing the Mexican and Canadian borders, whether by air or by land or sea.  (We filed formal protests of both these rules as a violation of travelers’ civil liberties and human rights, as guaranteed by the Constitution and by international treaties.)  As a sop to those whose only complaint was about the passport fee, not the infringment of rights, the government offered an option to individual travelers to obtain a passport card, and for states to offer an optional “electronic drivers license”.  (These are currently available in Washington and New York, two of the most populous states on the Canadian border.)  While the fee for a passport card or the surcharge for an electronic drivers license is less than the fee for a passport, the tradeoff for card holders is that both passport cards and EDLs contain longer-range RFID chips than those in RFID passports.

ICAO document 9303, which sets the standards for passports (including “e-passports” with RFID chips), includes specifications for credit card-sized travel documents (passport cards or national ID cards used as travel documents).  The ICAO standards call for these cards to use ISO 14443 type RFID chips — the same short range “proximity” RFID chips used in RFID passports. In practice, these have been demonstrated to be readable from at least 3 feet (1 m) with the crudest equipment, but they are still considered to have a relatively short range.

Instead of following the ICAO standards for short-range ISO 14443 “proximity” RFID chips, the Departments of State and Homeland Security specified longer-range ISO 18000-6C “vicinity” RFID chips for passport cards and EDLs.  These are supposed to be readable from at least 10 m (30 feet), although presumably with suitable equipment they could be read from much further away.  The government knowingly and deliberately prioritized the enabling of longer-range surveillance and tracking over compliance with ICAO standards.  Long-range surveillance and tracking is a feature, not a bug.

Getting a booklet-style e-passport with an RFID chip is no protection: RFID passports can’t be read from quite as far away, but they could still be easily read by equipment that would fit in (for example) a piece of luggage rolled through an airport by an idenity thief. The only way to avoid being tracked wherever you go is (1) not to carry an e-passport, passport card, or EDL, (2) wrap it in metal foil whenever you aren’t actually required to be displaying it or exposing it for reading, or (3) get the Obama Administration and/or Congress to end the passport requirment and the use and deployment of RFID chips in identity documents

http://www.papersplease.org/wp/2009/02/03/drive-by-reader-for-rfid-drivers-licenses-and-passport-cards/

 

Nosy Contractor Sneaks Peek at Obama’s PrivateS-

tuff……

I’m sure this just rarely happens and we should not be concerned at all.

Ax

Former employee sentenced for accessing passport files
Posted: 07:13 PM ET

http://politicalticker.blogs.cnn.com/2009/03/23/former-employee-sentenced-for-accessing-passport-files/

From CNN Justice Producer Terry Frieden

One year after then-presidential candidate Barack Obama called for an investigation into passport snooping of candidates’ passport files by State Department employees, a second of three workers fired and prosecuted over the incident has been sentenced.

WASHINGTON (CNN) – One year after then-presidential candidate Barack Obama called for an investigation into passport snooping of candidates’ passport files by State Department employees, a second of three workers fired and prosecuted over the incident has been sentenced.
Dwayne Cross, 41, of Upper Marlboro, Maryland, was sentenced to 12 months of probation and ordered to perform 100 hours of community service. Cross, a contract employee with access to the private files, pled guilty to accessing passport applications of more than 150 politicians, actors, musicians, athletes, models and other celebrities, the Justice Department announced.
“Cross admitted that he had no official government reason to access and view these passport applications, but that his sole purpose in accessing and viewing these passport applications was idle curiosity,” the Justice Department statement said.
The Justice Department, citing a federal privacy law, would not identify the names of individuals whose files Cross had accessed.
The investigation was triggered in March, 2008, when the State Department acknowledged the files of Senators and presidential candidates Barack Obama, Hillary Clinton and John McCain had been improperly accessed.
The State Department spokesman at the time confirmed Barack Obama’s file had been viewed three times by State Department contractors. Spokesman Sean McCormack said Secretary of State Condoleezza Rice had personally apologized to the candidates and promised an investigation.
The files contain passport applications, extensive private personal data, and other records with biographical information.
Former foreign service officer and intelligence analyst Lawrence Yontz pled guilty to a similar offense and was sentenced in December to one year of probation. Former foreign service officer Gerald Leuders has also pled guilty in the case and is awaiting sentencing.

RFID Passports Cracked-Cheap and Fast 2006

 

  In 2006 encryption on UK chips was broken in under 48 hours-These “Crackers” tell their story;

Original Story piublished by the Gaurdian UK.

AxXiom

Cracked it!

http://blog.wired.com/sterling/2006/11/arphid_watch_fi.html

Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?

Steve Boggan Friday November 17, 2006

 Guardian http://www.guardian.co.uk/idcards/story/0,,1950226,00.html
Six months ago, with the help of a rather scary computer expert, I deconstructed the life of an airline passenger simply by using information garnered from a boarding-pass stub he had thrown into a dustbin on the Heathrow Express. By using his British Airways frequent-flyer number and buying a ticket in his name on the airline’s website, we were able to access his personal data, passport number, date of birth and nationality. Based on this information, using publicly available databases, we found out where he lived, his profession, all his academic qualifications and even how much his house was worth.

It would have been only a short hop to stealing his identity, committing fraud in his name and generally ruining his life.

Great news then, we thought, that the UK had just begun to issue new, ultra-secure passports, incorporating tiny microchips to store the holder’s details and a digital description of their physical features (known in the jargon as biometrics). These, the argument went, would make identity theft much more difficult and pave the way for the government’s proposed ID cards in 2008 or 2009.

Today, some three million such passports have been issued, and they don’t look so secure. I am sitting with my scary computer man and we have just sucked out all the supposedly secure data and biometric information from three new passports and displayed it all on a laptop computer.

The UK Identity and Passport Service website says the new documents are protected by “an advanced digital encryption technique”. So how come we have the information? What could criminals or terrorists do with it? And what could it mean for the passports and the ID cards that are meant to follow?

First it is necessary to explain why the new passports were introduced, and how they work. After the 9/11 attack on the World Trade Centre, in which fake passports were used, the US decided it wanted foreign citizens who presented themselves at its borders to have more secure “machine-readable” identity documents. It told 27 countries that participated in a visa waiver programme that citizens with passports issued after the 26th of last month must have micro-chipped biometric passports or would have to apply for a US visa. Among those 27 countries are the major EU members, and other friendly nations ranging from Andorra and Iceland to Singapore, Japan and Brunei. The UK, of course, is also included.

(((If we simply returned to the security situation status quo ante on 9/10 instead of 9/11, it would be like the civilized world suddenly got over a massive, self-inflicted stupidity virus. Furthermore, we’d be a lot safer.)))

Standards for the new passports were set by the International Civil Aviation Organisation (ICAO) in 2003 and adopted by the waiver countries and the US. The ICAO recommended that passports should contain facial biometrics, though countries could introduce fingerprints at a later date. All these would be stored on a Radio Frequency Identification (RFID) microchip, which can be accessed from a short distance using radio waves. Similar chips are commonly found in retail, where they are used for stock control.

Fatally, however, the ICAO suggested that the key needed to access the data on the chips should be comprised of, in the following order, the passport number, the holder’s date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a “machine readable zone.”

When an immigration official swipes the passport through a reader, this feeds in the key, which allows a microchip reader to communicate with the RFID chip. The data this contains, including the holder’s picture, is then displayed on the official’s screen. The assumption at this stage is that this document is as authentic as it is super-secure. And, as we shall see later, this could be highly significant.

Once the passports began to be issued in the UK in March, we began laying the foundations for examining them. Phil Booth, national coordinator of the campaign group NO2ID, suggested to his members that they apply for a new passport. Anyone who gets one before ID cards are rolled out will not have to register for a card until their passports expire in 10 years’ time, and this appealed to Booth.

At the same time, Adam Laurie, my computer expert and technical director of the Bunker Secure Hosting, a Kent-based computer security company, and I began laying plans to examine the new passports. Laurie is actually not a scary individual – he is regarded in the industry as a technical wizard who cares about privacy and civil rights – but much of the electronic information he uncovers is. Two years ago, he revealed that Bluetooth mobile phones could be accessed remotely, drained of their contact details, diary entries and pictures, and manipulated to act as bugging devices. The cellphone industry spent millions of pounds plugging the gaps he exposed.

By last month, Booth, Laurie and I each had access to a new biometric chipped passport and were ready to begin testing them. (((Three guys. No budget to speak of. Mayhem ensues.))) Laurie’s first port of call was the ICAO’s website, where the organisation had published specifications for the new travel documents. This is where he learned that the key to opening up the secure chip was contained in the passports themselves – passport number, date of birth and expiry date.

“I was amazed that they made it so easy,” Laurie says. “The information contained in the chip is not encrypted, but to access it you have to start up an encrypted conversation between the reader and the RFID chip in the passport.

“The reader – I bought one for £250 – (((okay, there must have been SOME budget))) has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it. (((I hate reading stuff like this. “About 48 hours.” Couldn’t it have been at least 48 days or something?)))

“The Home Office has adopted a very high encryption technology called 3DES – that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a ‘secret key’. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat.” (((Oh jeez. It’s as Neal Stephenson said: cryptography is like a picket fence around your house that consists of one picket ninety miles tall.)))

Within minutes of applying the three passports to the reader, the information from all of them has been copied and the holders’ images appear on the screen of Laurie’s laptop. The passports belong to Booth, and to Laurie’s son, Max, and my partner, who have all given their permission.

But could you – and what use would my passport be to you? A security feature of the chip ensures that information cannot be added or altered, so you couldn’t put your picture on my chip. So is our attack really so impressive?

The Home Office thinks not. It correctly points out that the information sucked out of the chip is only the same as that which appears on the page, readable with the human eye. And to obtain the key in the first place, you would need to have access to the passport to read (with the naked eye) its number, expiry date and the date of birth of its holder.

“This doesn’t matter,” says a Home Office spokesman. “By the time you have accessed the information on the chip, you have already seen it on the passport. What use would my biometric image be to you? And even if you had the information, you would still have to counterfeit the new passport – and it has lots of new security features. If you were a criminal, you might as well just steal a passport.”

However, some computer experts believe the Home Office is being dangerously naive. Several months ago, Lukas Grunwald, founder of DN-Systems Enterprise Solutions in Germany, conducted a similar attack to ours on a German biometric passport and succeeded in cloning its RFID chip. He believes unscrupulous criminals or terrorists would find this technology very useful.

“If you can read the chip, then you can clone it,” he says. “You could use this to clone a passport that would exploit the system to illegally enter another country.” (We did not clone any of our passport chips on the assumption that to do so would be illegal.)

Grunwald adds: “The problems could get worse when they put fingerprint biometrics on to the passports. There are established ways of making forged fingerprints. In the future, the authorities would like to have automated border controls, and such forged fingerprints [stuck on to fingers] would probably fool them.”

But what about facial recognition systems (your biometric passport contains precise measurements of key points on your face and head)? “Yes,” says Grunwald, “but they are not yet in operation at airports and the technology throws up between 20 and 25% false negatives or false positives. It isn’t reliable.”

Neither is the human eye, according to research conducted by a team of psychologists from the University of Westminster in 1996. Remember, information – such as a new picture – cannot be added to a cloned chip, so anyone using it to make a counterfeit passport would have to use one that bore a reasonable resemblance to themselves.

But during Westminster University’s study, which examined whether putting people’s images on credit cards might reduce fraud, supermarket staff drafted in for tests had great difficulty matching faces to pictures. The conclusion was that pictures would not improve security and they were never introduced on credit cards. This means that each time you hand over your passport at, say, a hotel reception or car-rental office abroad to be “photocopied”, it could be cloned with equipment like ours. This could have been done with an old passport, but since the new biometric passports are supposed to be secure they are more likely to be accepted without question at borders.

Given the results of the Westminster study, if a terrorist bore a slight resemblance to you – and grew a beard, perhaps – he would have a good chance of getting through a border. Because his chip is cloned, with the necessary digital signatures, and because you have not reported your passport stolen – you still have it! – his machine-readable travel document will get him wherever he wants to go, using your identity. (((In other words, electronic passport theft is about as handy as regular, commercial identity theft. The real hell would come if the authorities didn’t bother to stare at the passport but simply trusted the signal from the chip. Which was supposed to be the idea in the first place: these arphids are supposed to be making transit SAFER AND FASTER AND MORE CONVENIENT, not just introducing a new level of Rube Goldberg snafu.)))

What about the technical difficulties? The government claims the new biometric passport chips can be read over a distance of just 2cm, but researchers all over the world claim to have read them from further. The physics governing those in British passports says they could be read over a metre, but no one has yet done that. A Dutch team claims to have contacted chips at 30cm.

Laurie has, however, rigged up a piece of equipment that can connect to a passport over 7.5cm. That isn’t as far as the Dutch 30cm, but it is enough if your target subject is sitting next to you on the London Underground or crushed up against you on the Gatwick Airport monorail, his pocketed passport next to the reader you have hidden in a bag. (((“Arphid pickpockets.”)))

It takes around four seconds to suck out the information with a reader; then it can be relayed and unscrambled by an accomplice with a laptop up to 1km away. With a Heath Robinson device we built on Tuesday using a Bluetooth antenna connected to an RFID reader, Laurie relayed details of his son’s passport over a distance of 10 metres and through two walls to a laptop.

Ah, the Home Office will say, but you still need to see the information in the passport that will form the key needed for connection. Well, not necessarily. Consider this scenario: A postman involved with organised crime knows he has a passport to deliver to your home. He already knows your name and address from the envelope. He can get your date of birth by several means, including credit-reference agencies or from the register of births, marriages and deaths (and, let’s face it, he delivers all your birthday cards anyway).

He knows the expiry date – 10 years from yesterday, give or take a day, when the passport was mailed to you. That leaves the nine-digit passport number. NO2ID says reports from its 30,000 members up and down the country are throwing up a number of similarities in the first four digits of the passport number, so that reduces the number of permutations, potentially leaving five purely random numbers to establish.

“If the rogue postman were to take your passport home, without opening the envelope he could put it against a reader and begin a ‘brute force’ attack in which your computer tries 12 different permutations every second until it has the right access codes,” says Laurie. “A five-digit number would take 23 hours to crack at the most. Once all those numbers were established, you could communicate with the RFID chip and steal all the information. And your passport could be delivered to you, unopened and just a day late.”

But is this really credible? Would criminals or terrorists really go to such lengths? (((Governments certainly would; do you think Mossad agents are going to be wandering around with clumsily forged passports?))) Ross Anderson, professor of security engineering at the University of Cambridge computer laboratory, believes they would. “The point is that once you have extracted the data from the chip you can have a forged passport that contains not just forged physical stuff,” he says. “You also have the digital bit-stream so the digital signature of the passport checks out. That makes it possible to travel through borders with it.

“What concerns me is that this demonstrates bad design on the part of the Home Office, and we know that government IT projects have a habit of going terribly wrong. There is a lack of security in what we can see – so what about the 90% of the iceberg in the system that we can’t see?

“There isn’t even a defence against the brute-force attack. In much the same way as you are only allowed three attempts to feed in your PIN number at an ATM, the passport chip could have been made to stop allowing repeated incorrect attempts to contact it. As things stand, a computer can keep trying until it gets the numbers right. To say this doesn’t matter displays a cavalier lack of concern.” (((What it really displays is that government spooks intend to do all this anyway, and they can’t believe that private sector spooks and hobbyists can take the trouble. Rather like the Pentagon unable to believe that Al Qaeda can make serious mischief.)))

The problems we have identified with RFID chips in passports raise all sorts of questions about the UK’s proposed ID card scheme, which will use the same technology. The government has not said exactly what will be contained in the ID card’s chip, but there will be a National Identity Register that could contain around 50 pieces of information about you, ranging from your name, age, and all your addresses, to your national insurance number and biometric details. Eventually, you may need one to access healthcare. It could even replace the passport.

Already, then, criminals and terrorists will have identified just how useful cloned ID cards might be. It would be folly to think their best minds are not on the case.

The Home Office insists that UK passports are secure and among the best in the world, but not everyone agrees. Last week, an EU-funded body entitled the Future of Identity in the Information Society (Fidis) issued a declaration on machine-readable travel documents such as RFID-chipped passports and ID cards. It said the technology was “poorly conceived” and added: “European governments have effectively forced citizens to adopt new … documents which dramatically decrease their security and privacy and increase risk of identity theft.”

(((They did this, not because they want to make private citizens more secure against ID theft, but because they want to install huge databases that track the movements of civil populations generally. The point of electronic ID is to input a suspect passport number and see every place that guy’s been in the last 20 years. Then you compare that the movements of other known malefactors and you’ve got an instant Al Qaeda winnowing-machine.)))

(((Of course some individuals will suffer, but compared to the awesome imaginary benefits of Total Information Awareness, that’s like watching a few Nevada civilians cough up their lungs from atom-bomb tests.)))

The government is now facing demands from the Liberal Democrats and anti-ID card groups for a recall of the passports so that simple devices such as foil covers can be installed – at enormous cost. Such covers would at least stop chips being scanned remotely, though they wouldn’t prevent an unscrupulous hotel receptionist from opening the passport and sucking out its contents the way we did.

It may be that at some point in the future the government will accept that putting RFID chips in to passports is ill-conceived and unnecessary. Until then, the only people likely to embrace this kind of technology are those with mischief in mind.

Guardian Unlimited © Guardian News and Media Limited 2006

REAL ID-lifting the curtain……

Jan 1, 2009

From the Stop Real ID Coalition;

L-1 Identity Solutions shares with China, Biometrics, AAMVA and the Drivers Liscence Agreement-partnering with Mexicao and Canada.  North American Union?

The federal government under the provisions of the 1994 Driver’s Privacy Protection Act has access to our personal information stored in any State’s DMV database. This is precisely why DHS wanted the digital facial image required by the Real ID Act to be in accordance with ICAO adopted standards for compatibility with facial recognition technology. DHS added the requirement for the digital facial image to the Real ID Act so DHS could get around the provisions of the 1974 Privacy Act. They argue now it is not DHS but rather the States that will be collecting the biometric facial image. Although perhaps that is technically true, it is undeniably true that DHS is mandating the States collect the biometric facial image and that DHS knows they can get it from the State DMV databases without a warrant or probable cause. The digital facial image and the standard for it create a biometric sample which is then used to create biometric data from which a template is created.

Th FBI announced they are going to spend $1 billion to create the world’s largest biometric database. Where does anyone think the biometric data for the database will come from?

Yes, there are databases that the federal government does have that currently do contain some biometric data but the Real ID Act will allow for the collection of all licensed drivers biometric samples. The Real ID Act’s primary motivation is to enroll Americans into an international biometric (facial recognition) identification system.

REAL ID WILL CREATE A SURVEILLANCE SOCIETY.

L-1 Identity Solutions has become the de facto issuer of Real ID compliant driver’s licenses and the enhanced driver’s licenses that can be used in lieu of passports to cross our borders. They also have been awarded a contract to produce Passport cards. This same company has provided their facial recognition technology to a Chinese businessman that is competing in a trial by Red China to acquire facial recognition technology. There is a valid question that must be asked, Has L-1 broken federal law that prohibits the transfer of this technology to China. The company’s argument will be they did not provide the technology directly to Red China. That being said they did provide it to a Chinese citizen knowing he would provide it to the government. In fact Chinese authorities have already approached the Chinese citizen and asked that he use the technology to identify dissidents. L-1 gets a percentage of all revenue this “businessman” would get from the Chinese government.

L-1 a few months ago announced they were purchasing Digimarc’s license division. Between the two companies they control nearly 95% of the U.S. production of State driver’s licenses. You would have thought there would be anti-trust considerations. Instead of L-1 having face anti-trust issues they were granted a free pass by the Federal Trade Commission. That should be of no surprise to anyone. The Board of Directors of L-1 reads like a Who’s Who list of former heads of government agencies and departments incluing the likes of George Tenet and Admiral Loy among others.

L-1 formerly known as Viisage Technology has a PDF page that is titled “Real ID Solutions”. On that page is picture of a driver’s license that has a person’s political party on the front of the license. I cannot speak for everyone but I believe it is a fundemental right of all Americans not to have to divuldge their party affiliation unless they want to. Obviously when voting a voter registration card serves the purpose if needed to provide a person’s politcal party of choice. A driver’s license is seen by retailers, banks and others that have NO business knowing yours or mine politcal affiliation.

Robert Mocny of DHS has made no secret of the fact that DHS not only intends to share biometric and other personal information with other governments but also with corporations. He asks the question, How is it right not to share?

The DHS went to great lengths to hide the fact that facial recognition samples are going to be collected under the provisions of the Real ID Act. It is only in the footnotes of the Notice of Proposed Rulemaking that the standard for the photo (digital facial image) mandated by the Real ID Act can be found. Many of the state and national lawmkers I have met with including the committee staffers and counsel I have met with had no idea of the significance of the standard for the digital facial images. In short, they were not aware the standard was international or that it meant the photos collected by States for driver’s licenses would allow the federal government to be able to spy on each of us.

Many times I have heard people say that if a person is doing nothing wrong then they have nothing to worry about. That is not true. Facial recognition technology does not work well in a surveillance application. An IBG (International Biometric Group) study conducted specifically states that facial recogntion technology will not work when large databases such as the one called for by the Real ID Act are used. As a matter of fact there is a very good chance a person will be misidentified as someone other than who they are.

Aside from First, Fourth and Tenth amendment issues, the Real ID Act has another major downside. DHS has named AAMVA (American Association of Motor Vehicle Administrators) the “backbone” of the Real ID Act. AAMVA is an international organization. AAMVA is promoting the Driver’s License Agreement. The agreement calls for the United States, Mexico and Canada to share all drivers information stored in each country’s respective DMV databases. Grant money from the federal government has been available to States to participate in the DLA. http://www.aamva.org/aamva/DocumentDisplay.aspx?id=%7BC600908E-2538-4135-8166-1B25BB682698%7D This is the precusor to the North American Union otherwise named the Security and Prosperity Partnership. If we want to stop the NAU or SPP we MUST repeal the Real ID Act. I have the actual DLA paperwork. Scary does not do it justice. It threatens State’s rights and U.S. sovereignty.

http://stoprealidcoalition.blogspot.com/