[Ssf] ID cards: what they may be up to
amparo.gutierrez at tiscali.co.uk
Thu Nov 25 23:38:55 GMT 2004
Mail Archive <../top.html>
*Chronological* <mail5.html#01251> --> <msg01252.html>
*Thread* <thrd5.html#01251> --> <msg01252.html>
[IP] Solution for Gov't Security-Privacy Clash?
* From: Dave Farber
* Subject: [IP] Solution for Gov't Security-Privacy Clash?
* Date: Thu, 11 Mar 2004 14:07:56 -0800
Delivered-To: [EMAIL PROTECTED]
Date: Thu, 11 Mar 2004 16:54:44 -0500
From: [EMAIL PROTECTED]
Subject: Solution for Gov't Security-Privacy Clash?
To: [EMAIL PROTECTED]
(Have I not heard this one before?? djf)
Entrepreneur Offers a Solution for Security-Privacy Clash
By Don Clark
11 March 2004
The Wall Street Journal
(Copyright (c) 2004, Dow Jones & Company, Inc.)
JEFF JONAS is a junior-college dropout who once lived in his car for
three months after a company he started went bankrupt. Now, the Las
Vegas software developer is attracting surprising attention for a
brainstorm about a national-security dilemma.
The problem: Government agencies don't like sharing lists of suspected
terrorists or criminals. And companies, including airlines and hotels,
don't like letting agencies sift through lists of their customers in a
hunt for possible terrorists.
After years of helping casinos spot crooks, Mr. Jonas conceived of a way
to break that impasse. He has devised software that helps anonymously
hunt for names in databases. The technology is still being tested, but
is nevertheless generating buzz among both civil libertarians and
Mr. Jonas's system makes information anonymous. It's based on a
mathematical technique known as "one-way hashing," which can turn names,
addresses or other data into strings of digits that are almost
impossible to convert back to their original form.
Companies or government agencies could exchange such strings of digits
rather than words that humans can read. If an encoded file for a suspect
matches an encoded file for a passenger, the government could seek a
court order to receive the original record for that passenger's file.
Mr. Jonas's concept "is a potential breakthrough," says Jim Dempsey,
executive director of the Center for Democracy and Technology, a liberal
policy group in Washington. At the conservative Heritage Foundation,
also in Washington, legal research fellow Paul Rosenzweig agrees that
the approach "offers the possibility of a sort of silver bullet" for
delicate problems such as screening lists of airline passengers.
In-Q-Tel, the venture-capital firm funded by the Central Intelligence
Agency, has invested in Mr. Jonas's closely held company, Systems
Research & Development, or SRD. Another fan is Zoe Baird, the onetime
Clinton administration nominee for attorney general and president of the
Markle Foundation. The nonprofit organization, with input from Mr. Jonas
and others, has issued high-profile reports about using technology to
improve both national security and personal privacy. SRD's technology
"helps with both sides of that equation," Ms. Baird says.
Mr. Jonas, 39 years old, created his first program at 16 and his first
company at 18. He founded SRD in 1983, after rebounding from mistakes
that sunk the initial venture.
These days, SRD software is used by casinos to trigger alerts when
someone on Nevada's list of banned felons and mobsters makes a hotel
reservation. The idea is to establish "who is who," correcting for
different name spellings and other ambiguities -- in some cases,
revealing multiple identity records to be a single, suspicious
individual. Another product focuses on "who knows who," comparing
people's records for links such as past employment and residences. It's
designed to send alarms, for example, if a casino manager handed a
contest prize to a former roommate.
In the late 1990s, Mr. Jonas was invited to give a talk at a government
technology conference. He says some SRD products were later adopted by
agencies he can't identify for purposes he wasn't told about -- though
sometimes officials call after a successful operation, without providing
details that could be used as an endorsement.
"They'll say something like, `You should be a proud American today,' "
says Mr. Jonas. "It's a marketing person's hell."
The Sept. 11 attacks spurred many new security ideas, beyond existing
measures such as the watch lists distributed to airlines. In general,
however, government agencies don't like sharing names with companies out
of fear of tipping off suspects.
Privacy fears are another issue. Congress, for example, last year cut
the funding for a Pentagon office, headed by retired Adm. John
Poindexter, that hoped to mine records about car rentals, ticket
purchases and other transactions for indications of terrorist activity.
A more powerful system for passenger screening devised by the
Transportation Security Administration has been hampered by airlines'
reluctance to share passenger data. In Europe, officials have resisted
plans to share similar information with the U.S.
With data-hashing, "you can hand your data to your worst enemy and they
don't have anything," says Kim Taipale, executive director of the Center
for Advanced Studies in Science and Technology Policy, a policy research
group in New York.
Stewart Baker, a former general counsel of the National Security Agency,
has co-written a paper arguing that such techniques could allow European
countries to share travel records without violating their strict privacy
laws. The SRD technology "is new in the policy debate," says Mr. Baker,
now a partner at the Washington law firm Steptoe & Johnson.
Hashing itself isn't new, nor is the concept of anonymization. But
encoding names and other data that have many potential variations -- and
comparing coded data on hundreds of millions of records -- seemed
impractical. "This is a humongous mathematical problem," says John Seely
Brown, Xerox Corp.'s former chief scientist and a trustee of SRD
Mr. Jonas says a group of government computing experts summoned him last
year to disprove the idea. Though the meeting was scheduled for two
hours, he says he answered their objections in 15 minutes. One reason is
that SRD's software routinely simplifies data before processing it. More
than 100 spellings of Mohammed, for example, would be linked to a single
"root" identity before any data-matching process, he says.
There are still plenty of hurdles. In some cases, Mr. Jonas says,
companies and agencies may be reluctant to exchange even anonymized
data, since there is a theoretical possibility that information could be
gleaned through statistical analyses about how frequently certain coded
files occur in databases. In that event, he predicts that third-party
organizations will be used to carry out searches using the hashed
Penrose Albright, assistant secretary in the Department of Homeland
Security, says he isn't familiar with SRD's technology, but adds that
anonymization of data is "an area we have a great deal of interest in."
He says, though, that SRD must prove that anonymous database searches
can be as fast as ordinary ones.
Mr. Jonas says three tests involving government agencies and companies
will soon begin, and that a number of applications are being studied,
including ones beyond the realm of security. Two banks negotiating to
merge, for example, might compare lists of coded records to see how many
common customers they had before exchanging identifiable names, he says.
Some people with intelligence experience, meanwhile, are enthusiastic
about the possibility of giving analysts information in a form that
makes it all but impossible for them to violate individual privacy. "Any
time the government takes possession of information it's possible for
them to lose track of what it was originally acquired for," says William
Crowell, a former NSA deputy director who is now a private consultant.
"That's when policies go awry."
You are subscribed as [EMAIL PROTECTED]
To manage your subscription, go to
* *[IP] Solution for Gov't Security-Privacy Clash?*, /Dave Farber/
More information about the ssf