[Ssf] ID cards: what they may be up to

Amparo amparo.gutierrez at tiscali.co.uk
Thu Nov 25 23:38:55 GMT 2004

Mail Archive <../top.html>


    *Chronological* <mail5.html#01251> --> <msg01252.html> 	

	    *Thread* <thrd5.html#01251> --> <msg01252.html>

  [IP] Solution for Gov't Security-Privacy Clash?


    * From: Dave Farber
    * Subject: [IP] Solution for Gov't Security-Privacy Clash?
    * Date: Thu, 11 Mar 2004 14:07:56 -0800


Date: Thu, 11 Mar 2004 16:54:44 -0500
Subject: Solution for Gov't Security-Privacy Clash?
(Have I not heard this one before?? djf)

Entrepreneur Offers a Solution for Security-Privacy Clash
By Don Clark
1170 Words
11 March 2004
The Wall Street Journal
(Copyright (c) 2004, Dow Jones & Company, Inc.)

JEFF JONAS is a junior-college dropout who once lived in his car for 
three months after a company he started went bankrupt. Now, the Las 
Vegas software developer is attracting surprising attention for a 
brainstorm about a national-security dilemma.
The problem: Government agencies don't like sharing lists of suspected 
terrorists or criminals. And companies, including airlines and hotels, 
don't like letting agencies sift through lists of their customers in a 
hunt for possible terrorists.

After years of helping casinos spot crooks, Mr. Jonas conceived of a way 
to break that impasse. He has devised software that helps anonymously 
hunt for names in databases. The technology is still being tested, but 
is nevertheless generating buzz among both civil libertarians and 
security zealots.
Mr. Jonas's system makes information anonymous. It's based on a 
mathematical technique known as "one-way hashing," which can turn names, 
addresses or other data into strings of digits that are almost 
impossible to convert back to their original form.
Companies or government agencies could exchange such strings of digits 
rather than words that humans can read. If an encoded file for a suspect 
matches an encoded file for a passenger, the government could seek a 
court order to receive the original record for that passenger's file.
Mr. Jonas's concept "is a potential breakthrough," says Jim Dempsey, 
executive director of the Center for Democracy and Technology, a liberal 
policy group in Washington. At the conservative Heritage Foundation, 
also in Washington, legal research fellow Paul Rosenzweig agrees that 
the approach "offers the possibility of a sort of silver bullet" for 
delicate problems such as screening lists of airline passengers.
In-Q-Tel, the venture-capital firm funded by the Central Intelligence 
Agency, has invested in Mr. Jonas's closely held company, Systems 
Research & Development, or SRD. Another fan is Zoe Baird, the onetime 
Clinton administration nominee for attorney general and president of the 
Markle Foundation. The nonprofit organization, with input from Mr. Jonas 
and others, has issued high-profile reports about using technology to 
improve both national security and personal privacy. SRD's technology 
"helps with both sides of that equation," Ms. Baird says.
Mr. Jonas, 39 years old, created his first program at 16 and his first 
company at 18. He founded SRD in 1983, after rebounding from mistakes 
that sunk the initial venture.
These days, SRD software is used by casinos to trigger alerts when 
someone on Nevada's list of banned felons and mobsters makes a hotel 
reservation. The idea is to establish "who is who," correcting for 
different name spellings and other ambiguities -- in some cases, 
revealing multiple identity records to be a single, suspicious 
individual. Another product focuses on "who knows who," comparing 
people's records for links such as past employment and residences. It's 
designed to send alarms, for example, if a casino manager handed a 
contest prize to a former roommate.
In the late 1990s, Mr. Jonas was invited to give a talk at a government 
technology conference. He says some SRD products were later adopted by 
agencies he can't identify for purposes he wasn't told about -- though 
sometimes officials call after a successful operation, without providing 
details that could be used as an endorsement.
"They'll say something like, `You should be a proud American today,' " 
says Mr. Jonas. "It's a marketing person's hell."
The Sept. 11 attacks spurred many new security ideas, beyond existing 
measures such as the watch lists distributed to airlines. In general, 
however, government agencies don't like sharing names with companies out 
of fear of tipping off suspects.
Privacy fears are another issue. Congress, for example, last year cut 
the funding for a Pentagon office, headed by retired Adm. John 
Poindexter, that hoped to mine records about car rentals, ticket 
purchases and other transactions for indications of terrorist activity. 
A more powerful system for passenger screening devised by the 
Transportation Security Administration has been hampered by airlines' 
reluctance to share passenger data. In Europe, officials have resisted 
plans to share similar information with the U.S.
With data-hashing, "you can hand your data to your worst enemy and they 
don't have anything," says Kim Taipale, executive director of the Center 
for Advanced Studies in Science and Technology Policy, a policy research 
group in New York.
Stewart Baker, a former general counsel of the National Security Agency, 
has co-written a paper arguing that such techniques could allow European 
countries to share travel records without violating their strict privacy 
laws. The SRD technology "is new in the policy debate," says Mr. Baker, 
now a partner at the Washington law firm Steptoe & Johnson.
Hashing itself isn't new, nor is the concept of anonymization. But 
encoding names and other data that have many potential variations -- and 
comparing coded data on hundreds of millions of records -- seemed 
impractical. "This is a humongous mathematical problem," says John Seely 
Brown, Xerox Corp.'s former chief scientist and a trustee of SRD 
investor In-Q-Tel.
Mr. Jonas says a group of government computing experts summoned him last 
year to disprove the idea. Though the meeting was scheduled for two 
hours, he says he answered their objections in 15 minutes. One reason is 
that SRD's software routinely simplifies data before processing it. More 
than 100 spellings of Mohammed, for example, would be linked to a single 
"root" identity before any data-matching process, he says.
There are still plenty of hurdles. In some cases, Mr. Jonas says, 
companies and agencies may be reluctant to exchange even anonymized 
data, since there is a theoretical possibility that information could be 
gleaned through statistical analyses about how frequently certain coded 
files occur in databases. In that event, he predicts that third-party 
organizations will be used to carry out searches using the hashed 
Penrose Albright, assistant secretary in the Department of Homeland 
Security, says he isn't familiar with SRD's technology, but adds that 
anonymization of data is "an area we have a great deal of interest in." 
He says, though, that SRD must prove that anonymous database searches 
can be as fast as ordinary ones.
Mr. Jonas says three tests involving government agencies and companies 
will soon begin, and that a number of applications are being studied, 
including ones beyond the realm of security. Two banks negotiating to 
merge, for example, might compare lists of coded records to see how many 
common customers they had before exchanging identifiable names, he says.
Some people with intelligence experience, meanwhile, are enthusiastic 
about the possibility of giving analysts information in a form that 
makes it all but impossible for them to violate individual privacy. "Any 
time the government takes possession of information it's possible for 
them to lose track of what it was originally acquired for," says William 
Crowell, a former NSA deputy director who is now a private consultant. 
"That's when policies go awry."

You are subscribed as [EMAIL PROTECTED]
To manage your subscription, go to

Archives at: 


    * *[IP] Solution for Gov't Security-Privacy Clash?*, /Dave Farber/

More information about the ssf mailing list