We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

Bruce Schneier on stupid security checks

Bruce Schneier is an expert on technical aspects of electronic security. His book Applied Cryptography is considered the “bible” for people implementing cryptography based security, privacy, and authentication systems.

Having written this book in 1995, the subtext of which was that technical solutions could solve many or all of our privacy and security issues, Schneier slowly became more and more conscious of the fact that the weaknesses in security or privacy systems were the result of human rather than technology failure. It wasn’t so much the systems themselves as the way the systems were used and relied upon that determined the quality of security and privacy. In particular, blind faith in technology was extremely dangerous, both in terms of making people overconfident that systems would always work correctly, and in terms of adding additional layers of unnecessary inflexibility and bureacracy. Schneier then wrote another book Secrets and Lies: Digital Security in a Networked World discussing essentially how security systems should be established so as to be actually secure. Probably the most important point was that human systems have to be flexible and intelligent. Simply requiring ID of everybody is not especially useful without human beings constantly asking the question of why ID is being asked for. Plus this type of system is predictable, and holes in it are easily found. And it needlessly invades people’s privacy.

In any event, Mr Schneier writes a monthly newsletter discussing these types of issues, which is at least partly aimed at publicising his consultancy business. This month’s issue has some very interesting thoughts on just how we should deal with organisations – government and non government – that needlessly invade our privacy for asking for identification and recording excessive information about their customers. An extract

I had to travel to Japan last year, and found a company that rented local cell phones to travelers. The form required either a Social Security number or a passport number. When I asked the clerk why, he said the absence of either sent up red flags. I asked how he could tell a real-looking fake number from an actual number. He said that if I didn’t care to provide the number as requested, I could rent my cell phone elsewhere, and hung up on me. I went through another company to rent, but it turned out that they contracted through this same company, and the man declined to deal with me, even at a remove. I eventually got the cell phone by going back to the first company and giving a different name (my wife’s), a different credit card, and a made-up passport number. Honor satisfied all around, I guess.

It’s stupid security season. If you’ve flown on an airplane, entered a government building, or done any one of dozens of other things, you’ve encountered security systems that are invasive, counterproductive, egregious, or just plain annoying. You’ve met people — guards, officials, minimum-wage workers — who blindly force you to follow the most inane security rules imaginable.

Is there anything you can do?

In the end, all security is a negotiation among affected players: governments, industries, companies, organizations, individuals, etc. The players get to decide what security they want, and what they’re willing to trade off in order to get it. But it sometimes seems that we as individuals are not part of that negotiation. Security is more something that is done to us.

Our security largely depends on the actions of others and the environment we’re in. For example, the tamper resistance of food packaging depends more on government packaging regulations than on our purchasing choices. The security of a letter mailed to a friend depends more on the ethics of the workers who handle it than on the brand of envelope we choose to use. How safe an airplane is from being blown up has little to do with our actions at the airport and while on the plane. (Shoe-bomber Richard Reid provided the rare exception to this.) The security of the money in our bank accounts, the crime rate in our neighborhoods, and the honesty and integrity of our police departments are out of our direct control. We simply don’t have enough power in the negotiations to make a difference.

It would be different if the pharmacist were the owner of the pharmacy, or if the person behind the registration desk owned the hotel. Or even if the policeman were a neighborhood beat cop. In those cases, there’s more parity. I can negotiate my security, and he can decide whether or not to modify the rules for me. But modern society is more often faceless corporations and mindless governments. It’s implemented by people and machines that have enormous power, but only power to implement what they’re told to implement. And they have no real interest in negotiating. They don’t need to. They don’t care.

But there’s a paradox. We’re not only individuals; we’re also consumers, citizens, taxpayers, voters, and — if things get bad enough — protestors and sometimes even angry mobs. Only in the aggregate do we have power, and the more we organize, the more power we have.

The whole thing is well worth reading, as are the back issues of the newsletter.

Comments are closed.