March 25 2008 by The Systemic Analyst.

The RCMP decision to publicly release even less information around the use of tasers should come as no surprise. Just ask the simple question, to whom is the RCMP accountable?

Citing privacy concerns and on-going investigations, the RCMP has chosen to begin omitting the following information in public releases on the use of tasers:

• Whether the target was armed;
• The reason for firing the taser;
• What other tactics were employed before firing;
• The dates of firings;
• Related injuries as a result of the firing, including head traumas; and
• The duration of the shock sustained.

Although none of the above appears to be a real breach of privacy, should there be pending law suits there is an argument for the repression of some of the details as they relate to ongoing investigations only.

Such selective releasing of information will do little to help the beleaguered reputation of the RCMP. At a time when the public seems to be demanding ever more accountability from the boys in red, one would think that now, while the organization is being politically pinned up for reforms, that the RCMP would be disclosing more information, not less. Of course, such thinking relies upon the premise that the RCMP is a highly accountable organization with simple processes by which members of the public can ask questions, be answered and see changes to the system as a result. Naturally, not all public demands or requests can be reasonably accommodated given security, judicial or ‘greater good’ situations. However, in such cases a genuine attempt must be made to consider all matters and a viable explanation provided. Unfortunately, despite the very public announcements surrounding moves to reform the RCMP, the measures introduced so far smack of bureaucratic mumbo-jumbo and, as it has been the case across the board in governmental reforms, will do nothing in the end.

Just try to understand the measures enacted to reform the RCMP and your head will start spinning: A new reform council created as a result of a separate task force, applauded by a new commissioner (who to outsiders appears not to be part of the law enforcement establishment) all announced by, quite likely, an unsuspecting minister. It’s like a Canadian episode of “Yes, Minster!” but without the humour.

Let’s begin with the force’s reporting structure. The RCMP, as per the official website ”is headed by the Commissioner, who, under the direction of the Minister of Public Safety Canada, has the control and management of the Force and all matters connected therewith.” You might recall, that in July of 2007, a new commissioner was appointed; a man hailed as being the first person to take on the role with a background from outside of the RCMP. While that might be true, the image promoted of the career bureaucrat, William Elliott, is slightly misleading to those who don’t understand how Canada’s permanent bureaucracy works.

Mr. Elliott first began working in the government at the Office of the Deputy Prime Minister. Joining the Department of Justice in 1992, he worked there until being appointed as Assistant Deputy Minister, Safety and Security, at Transport Canada in 2000. In 2003, Mr. Elliott was made Assistant Secretary to the Cabinet, Security and Intelligence, in which role he supported the National Security Advisor (NSA) to the Prime Minister, until he was himself appointed as the NSA from 2005-2006.

The NSA, interestingly, is guided by the Advisory Council on National Security (ACNS), which in turn is comprised of a series of experts. For example, the current Council, which is chaired by Norman Inkster a former RCMP commissioner and president of Interpol, includes four former high-ranking police officers, four academics, two career bureaucrats and a few private sector representatives.

Thus, the current RCMP commissioner, who was once closely advised by former top-level law enforcement officers, is responsible for the “control and management of the Force and all matters connected therewith.” Mr. Elliott does report publicly to the Minister of Public Safety, Stockwell Day, who as a result is politically held accountable for the RCMP.

Mr. Day, like most of our representatives, is a career politician. As such, he relies on advice and guidance to make decisions on security measures. First among those advisers is a small group of political staff, which works for the minister. Unlike the ministerial offices of the Liberals, the Conservatives employee considerably fewer staff. Often, such advisors might not have experience in the subject matter they are covering and, as the adjective “political” implies, are focused on communications and public affairs.  As a result, these advisors rely upon information put forward by interested parties (read: interest groups), a smattering of concerned citizens and the permanent bureaucracy.

The only other source of information stems from the analysis put forward by non-profit organizations, such as think tanks, associations and universities, all of which receive considerable funding from the various departments and agencies asking for submissions. Furthermore, the new measures that were implemented to make the government more accountable limit those experts, which can be commissioned to conduct analysis and other studies, eliminating any private-sector individuals or organizations from partaking.

There is a propensity within bureaucracy to simply follow the status-quo. Thus, a culture of doing things in certain ways develops which continues unchallenged as all employed by the system are swept along with the bureaucratic tide. It would  also be interesting to see how many bureaucrats employed by the department of Public Safety are former law enforcement, intelligence or military personnel. Having had dealings with the department there appears to be a high rate of turn over between the security establishment and the bureaucracy, which could account for the often law enforcement-oriented security bills that are pushed forward by the permanent bureaucracy. 

The dominance by the law enforcement and intelligence establishment in all matters relating to security is evident in the appointments for the myriad of reform-focused bodies announced by Mr. Day following a series of RCMP scandals.

The Task Force (so called because a costly group of experts is assigned a task with a somewhat predetermined outcome, and thus host consultations to hear what concerns select, invited members of the public have on issues only to ignore what isn’t complementary to their goals in the final report of recommendations) on Governance and Cultural Change in the RCMP was created in July of 2007. Consisting of several former bureaucrats including Norman Inkster (who also advises the NSA, see above), the “Task Force” recommended the creation of yet another body, the RCMP Reform Implementation Council.

Trusting the recommendations put forward by the “Task Force,” Mr. Day recently announced the creation of the new reform council, which members include two private sector representatives, a career bureaucrat, and two former police officers, one being Beverley Busson, former RCMP commissioner and a member of the Advisory Council to the NSA (again see above).

It could be argued that in order to truly understand the issues at hand, these various bodies, boards and departments should have representatives from the law enforcement, intelligence and military communities. Such close ties between those communities and the people responsible for oversight should raise concerns as to how accountable organizations, such as the RCMP, actually are. Is it reasonable to assume that former law enforcement officers are the best source for creating, driving and overseeing security measures?

Of course, many on the inside will point to the oversight bodies that exist to ensure accountability of law enforcement and intelligence agencies. Indeed, as Insp. Troy Lightfoot, who helps oversee RCMP Taser use, said to the press recently “I can tell you that there are many accountability systems in place with regards to police actions. You have the courts, you have coroners’ inquests, you have a multitude of oversight bodies. There is a complaints process that can be followed.”

This oversight process, however, isn’t all it’s cracked up to be. A 2006 report entitled “Civilian Oversight of the RCMP’s National Security Functions” notes that most complaints must first be filed through the RCMP before reaching the Commission. Furthermore, the commission does not have the power to review the RCMP’s duties and functions or put forward binding recommendations that the RCMP would have to follow. In fact, none of the bodies, which provide oversight to our intelligence agencies, the RCMP, CSIS and CSE, have the power to present binding recommendations.

As with the appointed councils and advisors, there is also the question of who is tasked with the responsibility of oversight and review; what sort of background do they have? The current head of the Commission for Public Complaints Against the RCMP is Paul E. Kennedy. His 25-year bureaucratic career includes “roles as General Counsel for the Canadian Security Intelligence Service” or CSIS, after which he provided “expert advice and support to the Minister in relation to law enforcement and national security matters…In May of 2004, following the creation of Public Safety and Emergency Preparedness Canada, Mr. Kennedy was appointed as Senior Assistant Deputy Minister with responsibility for national security and emergency preparedness.” Undoubtedly, Mr. Kennedy has enjoyed the same sources of advice and insight as other high-ranking officials. That being said, Mr. Kennedy is considered to be somewhat a “thorn in the side” of the RCMP as he has been quite vocal on speaking up against the approaches of the organization.

Mr. Kennedy’s predecessor, Shirley Heafey,  hasn’t had much nice to say about her days as head of the Commission. As the Ottawa Citizen reported

“She had a “dreadful” time due to what she called “direct interference” by the Martin government with her independent role.

In allegations denied by former government officials, Ms. Heafey said she and her office were audited “to death” and there was an effort to forestall a public hearing by her commission into allegations that the Mounties covered up sexual abuse by an RCMP staff sergeant at the now-defunct Kingsclear youth training centre in New Brunswick.”

The political climate, and the high-level executives in the public service, really made my life extremely difficult,” she says in an exclusive interview with The Lawyers Weekly.”

The deputy prime minister’s office and the people in the Privy Council Office were quite concerned about the fact that I had to say what I had to say.”

Ms. Heafey contended “they made a lot of requests to me about the work I was doing (and) you know you don’t challenge the RCMP without accepting that you may have to pay a price. They are a national icon … and the government, in the last two years under Mr. (then-prime minister Paul) Martin, was very touchy about some of the things I did. They were trying to remind me to shut up.”

The Executive Director of the Security and Intelligence Review committee or SIRC leads all review of CSIS activities. The current Executive Director,Susan Pollak, began her career with another intelligence agency, CSE, moving to the Privy Council in 1984 and becoming the Principal advisor to the Deputy Clerk on Security and Intelligence in 1987.

The only current Commissioner responsible for any oversight of our intelligence and security agencies who doesn’t appear to have any direct background with the law enforcement or intelligence communities is Charles D. Gonthier. The current CSE Commissioner is an 80-year old lawyer from Quebec.

I suppose that at least some review is better than none. The Canada Border Services Agency, which will be increasingly collecting information on Canadian citizens as we move towards hi-tech identity documents, has no review mechanism according to the report.

And so there it is. The RCMP decides to release less information at the very time they are supposedly being pressed to be more transparent. Only, the people appointed to the unending layers of bureaucracy that are the commissions, task forces, councils, boards, departments and offices responsible for such reforms are often experts with a distinguished career inside law enforcement or intelligence agencies or are informed and advised by such people. Thus, instead of acting the part and appearing to be a changing organization coping with its issues, the RCMP behaves as it increasingly has – we are the law, if you’re not with us, you’re against us.

This isn’t a RCMP-specific problem, either. It’s more an endemic problem we are facing with a growing bureaucracy in this country. Until we begin to look at issues in security from a systemic perspective, which must include an assessment of the role of bureaucracy in developing, implementing and overseeing security measures, we will continue to have serious issues.  

As I mentioned in an article last week, the tradition of keeping the security profession a closed-in, insular looking field will negatively impact our state of security long-term. A stale bureaucratic outlook will only further complicate the matter. Furthermore, the reform of any single security organization cannot occur without a simultaneous revision of how both government and average Canadians approach the issue of Canada’s national security. It’s time to stop blinding ourselves with individual security issues and tools (such as wiretapping and tasers) and move onto a wider assessment of the state of security in Canada.

Considering the RCMP reforms, and indeed any reforms around security in this country, is a bit like peeling back the layers of an onion. On the surface, especially to an uninformed observer, the reforms and the bodies created to oversee them appear solid, devoid of any funny smell. Ask a few questions, peel back the layers and soon enough your eyes are watering from a slight burning sensation and something starts to stink…

Posted in Wiretapping & Surveillance, Identity Management, Biometrics, Security Measures, North America, Politics | 1 Comment »

March 18 2008 by The Systemic Analyst.

The Toronto Star has published an article that shows yet another facet of wiretapping - the impact the use of the tool has on the Ontario judicial system. It’s very encouraging that topics in security are finally receiving analysis from a variety of angles as opposed to the most prevalent ”security versus privacy” arguments which leave little room for solid assessment of measures. Of course, we still have a long way to go in, what should only be viewed as a necessary, rethinking of national security. 

For far too long national security has been a very hush-hush topic. Security was regarded as an area the law abiding public need not concern itself with, or so they were encouraged, and thus they left it to a handful of specialists chiefly from the law enforcement, intelligence and military communities. Questioning approaches to security was strongly discouraged among the ranks of those who were responsible for security and at times was utterly ignored when such concern arose from the public. This does not make for the best environment to encourage innovation that can take the concept of security into a new era.

We are, however, now at a potential national security crossroads. We could choose to stop the rush on a number of national security measures that only seek to enhance traditional approaches, thoroughly assess the usefulness of those approaches and take from them what we can in the development of new measures. Or, we could choose to continue down this path of stringing up cameras, issuing expensive hi-tech identity documents and opening up the gates to ever more wiretapping. The long-term implications of the latter are very grave.

Although few seem to realize it yet our current approaches to national security, far from having the intended effect of increasing stability, will actually lead to growing insecurity long-term. Taking a step back to consider the situation from a broader perspective this conclusion becomes apparent.

The closed in nature of the security community has not only stifled innovation, but it has also led to an “us versus them” perspective. This is a mindset that has caused a segment of the industry to feel that they are the law and are somehow separate and apart from the masses. Fortunately, the majority in the field do still have the best interest of the public at heart and work tirelessly to keep us safe. However, this brotherhood which develops as a result of the burden to protect also fosters a “we know what’s best” mentality that causes a sort of blindness in the leadership of the security industry. Thus, there is a tendency to push ahead almost bullishly measures that the security community believes appropriate, indeed, the only answer.

The public, on the other hand, readily accepts that those people who opt to put their lives on the line for the sake of the greater whole deserve respect. And rightly so. As a result, the public is happy to let the security industry decide for itself, quietly in back rooms, the future of security measures. Thus, with no questions asked enhancements to existing measures such as wiretapping or passports are accepted by the public. If the specialists tell us we need it, then we must. 

Unfortunately, we forget that those in the security profession are still humans. Despite the professional role assumed, humans (whether they be police officers, intelligence agents, soldiers or bureaucrats) are still susceptible to the same vices and sins as the average person. So, in the absence of demand from outside of the security sector, little to no proper analysis has been done on measures such as wiretapping or hi-tech identity documents that can prove that enhancements to existing approaches will, in fact, increase security. This, of course, will not stop the measure from being implemented.

Once something goes wrong, however, the public will suddenly be enraged. Demanding that the agency responsible be held accountable. Given the closed-mentality so characteristic of the security industry,  the response will be typical - cold and offended - how can you even ask, we slave to protect you! (If you think this exaggerated, consider the recent responses by some Canadian law enforcement agencies to taser incidents.) Rates of such response-reaction between the public and the security profession will only increase as the ineffectiveness of enhanced traditional approaches is revealed. Over time, the public will turn away from the security establishment with mistrust.

The impact on the state of security will be catastrophic. Despite the closed-in mentality of the security profession, success in the field is dependent on the symbiosis between law enforcement and a co-operative public.  It’s a relationship built on trust and respect - lose it and suddenly the security establishment will find itself wondering just who is it trying to protect? After all, humans are still animals with survival instincts. Should they feel that the system is not protecting them from real threats they will take matters into their own hands - and have done so very recently.

This isn’t our only option. As I mentioned earlier, we now sit at a crossroads where there is another direction open to us. We could open national security up to a wider debate, bringing in thinkers and experts from a variety of backgrounds to conduct assessments of individual existing measures as well as systemic analysis around security on which we can build strategic plans and measures. What better way to secure a society, than to have the society secure itself?

The choice is ours. 

Posted in Identity Management, Wiretapping & Surveillance, Biometrics, Security Measures, North America | 1 Comment »

March 17 2008 by The Systemic Analyst.

Social Technologies issued a news release last week offering its vision of the future of security involving the use of emerging technologies. While the analysis provided a clear and realistic picture of the direction in which the western world is headed in terms of national security, it (like most coverage on the subject matter) failed to dig deeper asking why we find ourselves in such a state of insecurity in the first place?

If an uniformed observer were to suddenly take up the topic of national security they might be surprised to find a limited discussion on something so important it could soon impact our every movement. He or she would undoubtedly find an extremely polarized argument with security buffs shouting “if only we could convince the masses that increased hi-tech surveillance is the only answer” on one side and the privacy advocates on the other screaming “Big Brother”. Thus, would the now confused observer be left with but two options - accept a future of ever-more minute surveillance in the name of stability or vehemently oppose the tightening grasp of a government that has already proved itself untrustworthy. Neither approach is very conducive in the long-term to maintaining whatever degree of security possible -  in fact, both will probably only make our fragile Western world more unstable.

The problem is this, although most Westerners seem complacent today and eagerly give up civil liberties in the name of security, they aren’t as unobservant as some would think. Should authorities continue to press for increased surveillance of the masses and not actually provide the heightened state of security promised, not only will those segments of society that are already criminal increase their unlawful activity, but prepare for those law abiding segments to take matters into their own hands, turning ever-more away from the law enforcement and government that seems now so desperate to secure its hold over the people. It’s a risky game the security profession now plays with stable society, failing to address the root causes of insecurity while layering on intrusive “security” measures that aren’t well thought out.

In the defence of my profession, which given the nature of many of the solutions now hyped (biometrics, new and improved CCTV systems, dragnet wiretapping etc) has been widely seen as the key conspiratorial implementer of George Orwell’s prophecies, national security is a new field full of wrinkles needing ironed out. The industry is full of stale thinking, and no wonder, the field is mostly comprised of former law enforcement and intelligence officers, defence-turned-security analysts and increasingly high-tech specialists. Those who profess some fundamental understanding of security were schooled exclusively in how to manage a situation or crime only after it has occurred. Those who were schooled in preventative measures tend to have tactics involving brute force, surveillance and psychological warfare applied mainly to enemy populations. And finally, those who develop the technology are driven by the market, producing tools that fit the needs of their clients not necessarily making solutions designed to actually increase security, but facilitate existing approaches. Given these limitations, the industry shouldn’t really be expected to come up with the proactive solutions we need that won’t threaten our way of life, which was once thought to be freedom.

The government, which had been widely believed to have the interest of the people at heart, fails to provide the objective analysis needed to prevent the implementation of poorly thought out national security measures. It’s difficult to take on such a role when those employed by the various departments responsible include the above security experts and a smattering of career-bureaucrats who are notoriously under-informed on core subject matter. Furthermore, as is the case with almost every government file, from foreign affairs to education to health care, there is a total lack of strategic and systemic analysis, meaning issues are only individually addressed without ever fully understanding how that problem fits into the greatly whole.

As a result, we have rapid uptake of hi-tech national identity documents without any solid analysis of how such an undertaking will effectively increase security. The security industry develops and endorses the idea, the government readily agrees and the people are told it’s a good thing, it will be more difficult for official documents to be forged. Meanwhile, it isn’t the forgery rate that truly threatens our security, it’s the possibility of terrorists crossing our borders (or so we are told). If terrorists are really as well organized as it is claimed, then certainly they will not risk entering a country with cheap, forged documents. Indeed, there are better ways to breach border security legitimately:

1. Find a domestic citizen who has no criminal background to carry out the attack;
2. Assume a deceased citizen’s identity, acquire the necessary supporting documents and apply for the official documents thereby living under an official identity illegitimately; or
3. Acquire a legitimate identity from a country sponsoring terrorism.

How fancy micro-chipped identity documents will answer any of the above threats, I don’t know. Do expect, however, increased wait times at border crossings as agents and travellers struggle to adopt the technology and suffer slow database verification speeds (that is to say, if the traveller is being checked against a wider system and not just against the document in hand). Be aware that automated kiosks that allow travellers to verify their own documents just made it that much easier for a nervous suspect to cross the border. And, perhaps 5 to 10 years down the road, anticipate a very angry public that after having bought into the costly national security measures now being implemented found themselves even more vulnerable to the threat of terrorism and other crime. Moreover, those angry mobs will have lost their faith in a system that continuously sold them empty promises.

Wouldn’t it just have been better to begin asking why we find ourselves with increasing stability in the first place? Why we are the target of terrorism? Or how the break down of families and communities might be contributing to increasing rates of crime? Or perhaps how our “correctional system” fails to correct criminal tendencies? Answering these, and many more, questions objectively (meaning outside of the government and beyond the reach of market influence) are far more likely the key to increasing security than cameras and biometrics.

Posted in Identity Management, Wiretapping & Surveillance, Biometrics, Security Measures, North America | No Comments »

March 10 2008 by The Systemic Analyst.

Is there a day that goes by where yet another useless “security” measure isn’t announced somewhere in the world? National biometric ID card schemes, unlimited dragnet wiretapping, CCTV cameras everywhere and anywhere - and to what avail? None of these measures will actually increase security. Traditional reactionary approaches can barely keep up with apprehending criminals after the fact, how can they be expected to prevent crime and terrorism simply because the measure is expanded or put into more widespread use? Whatever happened to the idea of quality over quantity, anyway? There must be some global department whose sole responsibilities it is to develop useless measures and brand them as “security”.

Clearly, the TTC has access to its recommendation as the commission recently announced its plans to implement 10,000 cameras in trains, streetcars and buses across the city in addition to the existing 1,500 at a cost of $21 million. Apparently, the system will not be monitored and, assures TTC chairman Adam Giambrone, only the police will have access to the footage. 

So, what’s the point of the system?

If the system is to act as a deterrent, as in the little signs posted near the camera telling people “you’re on camera” cause would-be criminals to rethink their actions, then expect only rebellious suburban teens to be deterred. As a result, the drop in crime rate due to the use of these cameras will be negligible, at best. Psychopaths, pathological criminals, drunks and terrorists won’t care about the cameras, only “normal” people who carefully consider odds and consequences will find themselves unnerved by the constant watch.

Besides, with no one there to actually apprehend criminals (and apparently no one manning the cameras), how useful is the system even after the fact? In terms of solving crimes, CCTV cameras have proven to be very ineffective as upwards of 80% of the images are of such poor quality that accurate identification cannot be made. Rendering the system considerably ineffective.

Of course, if the headlines are any indication CCTV does offer something - unlimited fulfillment of human fascinations with brutality, murder and sex. Just think, Toronto too will now be able to offer headlines of the latest act of public sex or murder caught on camera with its 72 million hours of CCTV footage taped a year! Seen in that light, it’s no wonder why Giambrone told the Toronto Star ”It would be unusual if only Toronto were segregated when every major city with a transit authority has a surveillance system.” Who wants to miss out on that blockbuster opportunity?

As a security analyst, however, I’d appreciate it if those implementing systems like CCTV would start labelling them more appropriately, as sensationalist measures, for example. All of these attempts to push measures through under the very serious guise of security is giving our profession a bad name.  

Posted in Identity Management, Wiretapping & Surveillance, Biometrics, North America | No Comments »

March 10 2008 by The Systemic Analyst.

ZDNet News published the following update on U.K. ID card plans:

“Home secretary Jacqui Smith also announced on Thursday that compulsory ID cards for all British citizens may now be delayed until 2015, subject to a future Parliamentary vote.

But the government still intends to force foreign nationals living in Britain to register their biometric details on the National Identity Register and carry an ID card by the end of this year.

Smith also set out plans to issue ID cards to people working in airports and other high security-risk areas from next year, a plan that has come under fire from trade unions.

After that the target is students and young people, who will voluntarily have the option of registering for an ID card from 2010.

Anyone renewing or applying for a new passport from 2011 onwards will be required to add their biometric details to the National Identity Register, but they won’t now be forced to pay for a physical ID card and can instead choose to just use their passport.

The government estimates the combined cost of getting a biometric passport and ID card would be around £100.

For the few who are likely to actually want a standalone biometric ID card, they will also have the option of paying to get one without getting a new passport.

The latest ID card consultation plans also reveal that people will face fines of up to £1,000 for missing appointments to register their biometric details on the National Identity Register.”

Why so few people seem to have realized the futility of using identity cards as a preventative measure in the “war on terrorism” is beyond me. Identity as a basis for national security measures is only as solid as identity is fixed. Biometric identifiers cannot and will not truly make identity a firm concept - how can it? A fingerprint or an iris scan can just as well be attached to a fraudulent official identity as to a legitimate one. Makes one wonder, what’s the point?

Posted in Identity Management, Biometrics, Europe, Politics | No Comments »

March 4 2008 by The Systemic Analyst.

The Daily Mail published the following article recently:

“Mass fingerprinting, biometric passports, identity cards and international identity databases will not protect Britain and other European countries from terrorists or criminals.

This startling admission comes in a leaked European Commission report prepared for Home Secretary Jacqui Smith and other EU Home Affairs Ministers.

The report undermines Gordon Brown’s claims about the need for controversial new passports and identity cards to protect the country from terror attacks.

It raises new questions about the true purpose of Government databases, which will store intimate details of everyone in Britain, including their picture, fingerprints and confidential personal information.

The EU report, obtained by The Mail on Sunday, says most people behind terror attacks in the UK and Europe were living in the EU legally and so would not be affected by increased security measures.

It says: “None of the policy options contribute markedly to reducing terrorism or serious crime.”

In view of the latest terrorist acts in the area of the EU… the perpetrators have mainly been EU citizens or foreigners residing and living here with official permits.”

But it does say that the new technology could save money by using automated checks at borders.” 

Finally, someone is talking a bit of sense regarding the use of identity-based measures as a preventative approach to security. Unfortunately, their reasoning doesn’t go far enough as the leaked report goes on to indicate that the use of automated document checking points at borders makes sense.

I’ve said it before and I’ll say it again - automated scanners at borders are a sieve. Allowing people to scan travel documents without the watchful eye of an alert border guard will only facilitate the entry of threats. Although every government assures its public regarding these programs that only those individuals who have been pre-approved will be allowed to use such machines consider this, electronic identity document programs cannot detect the following threats: Those travelling under legitimately established identities that have been registered under false pretences and those travelling with official documents based on a false identity established by the issuing state for espionage or terrorist purposes. At the very least, an alert border guard might notice that the person carrying a legitimate passport, who appears to have no known criminal record, is unduly nervous and escalate the matter. Whereas the scanner, well, it will probably flash “go” to the relieved threat.

Posted in Identity Management, Biometrics, Europe | No Comments »

February 1 2008 by The Systemic Analyst.

The Province has reported that “Canadians driving into the U.S. or arriving by sea are now required to have government-issued photo ID and proof of citizenship” as part of the new regulations under the Western Hemisphere Travel Initiative driven by the U.S. The changes mark a renewed focus on border issues between Canada and the U.S. and the pressure on provincial, state and federal governments to adopt enhanced identity-based security measures.

Unfortunately, no one seems to be asking whether enhanced measures actually enhance national security. In fact, the rush to implement costly technologies with no analysis of identity as the fundamental basis for security should be alarming. With reoccurring claims that biometrics and self-scanning kiosks will not just nab criminals but prevent terrorism, further analysis of what identity is and how it is established should be conducted and publicly disclosed.

Of course, the findings of such a study would likely go against prevalent thinking in the field of security and would directly lead to a grinding halt on billions being spent on measures that can’t fulfill the promises attached to them. Many might ask, how would asking questions about security that threaten to turn an entire industry upside down help increase security? Simple, continuing blindly promising false-security to millions of people, spending billions of tax-payer dollars on faulty measures will undermine security in ways that rethinking security never could. The good-faith of the masses once lost will be lost forever. As we have reported before security is dependent on co-operative citizenry - lose that symbiosis, and lose security.

The flaws of an identity-based proactive national security scheme are simple and obvious:

1.) Individuals who pose a threat but have no previous criminal record will pass undetected,

2.) False official identities can be established, particularly if the official identity was established in or the supporting documents used to establish the official identity come from another country; and

3.) The intent of an individual to commit a crime cannot be determined through automated identity based systems, whereas a border guard might detect some nuances in an individual’s behaviour.

As a result, the argument, that biometrics and electronic documents are solutions that prevent terrorism, is faulty. If we continue to ignore this fact, implementing ever-more measures based on faulty-reasoning, our state of security (and public faith in the system) will be damaged beyond repair.

For more information on the problems with identity as a basis for security read Identity in Security: The Problem With Billy.

Posted in Identity Management, Biometrics, Security Measures, North America | No Comments »

January 14 2008 by The Systemic Analyst.

The following article, written by Sandro Contenta, was published today in the Toronto Star:

“Passengers undergo stringent measures at airports but experts report `gaping security holes’ behind the scenes

Restricted areas at Pearson International Airport, where thousands of employees work and load scores of planes daily, are less secure than those used by passengers, says Peel police Supt. Ed Toye, the airport’s top cop.

“It’s not as shut down and secure as the public side,” Toye said, referring to what security analysts say is the most vulnerable area of any airport.

While security in Pearson’s restricted areas has greatly improved over the past five years, Toye said in an interview, it lags behind the tight controls on passengers because Transport Canada fixed the “front end” of the operation before focusing on what goes on behind the scenes. “You got to start at the front end of the boat, but the back end is still leaking.”

“But,” he added, “it’s not like the leak has gone unnoticed – they’re monitoring it and they’re fixing it,” he said, referring to Transport Canada.

Transport Canada, which acknowledges an “air cargo security gap” at Pearson, has a $26 million budget to design and test a cargo security program for the airport, but it will take years before it’s up and working, the agency’s director of air cargo security said.

Stephen Conrad said the security procedures being developed will focus on installing screening equipment that can handle cargo and enhancing the “chain of custody” from shipper to airport. “We do actually want to have the same level of security” for cargo as for checked luggage, he said in an interview.

Meanwhile, said Senator Colin Kenny, chair of the Senate Standing Committee on National Security and Defence, the “gaping security holes” at Pearson and other airports denounced by the committee in its report last year remain wide open and an inviting target.

Kenny, who notes the federal government has taken little action since his committee’s report on security at Canada’s 89 main airports – which handled almost 94 million passengers in 2005 – described the gap between passenger and non-passenger security as “a psychological con game.

“I find it ironic that passengers are still undoing their belt buckles or having their shoes taken off and being hassled to no end when they’re getting on a flight and nobody seems to be caring at all about the people who are working around the plane on a day-to-day basis,” Kenny said in a recent interview.

Kenny cites four primary security concerns: Inadequate checks of airport employees; unscreened airmail and general cargo; unscreened baggage on chartered planes, including executive jets; and inadequate checks on caterers and trucks bringing food to the airport.

“Pearson is perhaps the most defiant,” Kenny noted. “They seem almost to be proud of the lack of security they have there and their attitude is pretty arrogant,” he charges.

Scott Armstrong, spokesperson for the Greater Toronto Airports Authority, which runs Canada’s busiest airport, describes Kenny’s report as “meant to raise the hairs on the back of your neck.”

Especially telling, Armstrong says, is Pearson’s security record. The existing security measures are “reasonable,” he said, citing the 31 million passengers who used Pearson last year without incident.

But security at Pearson came under scrutiny again last week when a 20-year-old man ran past a checkpoint at Terminal 1 and boarded an Air Canada plane. The unarmed man was eventually arrested.

While that incident renewed the focus on passenger screening, security analysts and police say the real security gap at Pearson and most airports worldwide is behind the scenes. Since the 9/11 attacks on the U.S., governments have instead stressed tougher screening of passengers to create a public perception of security, analysts argue.

“It’s a smoke and mirrors trick,” says Alicia Wanless, executive director of Toronto’s International Perspectives security think-tank.

But Armstrong, Pearson’s spokesperson, insists Pearson is safe.

“The senate committee raises very valid, very interesting points,” he said. “However, you have to have systems in place that balance the fact that we still have an operation to run and the fact that that operation has to be safe and secure.”

Armstrong said security was significantly beefed up last year with the introduction of biometric identity passes for employees at 29 Canadian airports. Staff entering restricted areas must now undergo iris and fingerprint scans.

The high-tech passes, Toye says, have transformed restricted areas into “gated communities” – if a theft occurs, police can immediately track who was in the area.

“I don’t know of any other country in the world that has it,” Toye says. “Even the Israelis have come over and said they’re really envious of that biometric card. To me that’s high praise.”

But Wanless says biometrics is wrongly seen as a security panacea, particularly since it doesn’t guard against people with fake identities getting the passes in the first place.

Kenny wants biometric passes that do more, such as signalling a breach in security if employees enter a restricted area outside their work hours.

Still, the biometric passes are expected to make the work of criminals at Pearson more difficult. A year ago, seven baggage handlers were arrested in connection with the theft of thousands of dollars of electronic goods from luggage.

There’s more agreement on the fact employees are searched or manually screened, but randomly – Kenny says an average of once every 50 times they show up for work.

Checks of mail and cargo that end up on passenger planes is even more sporadic, Kenny says. Canada Post sends 1.9 million pieces of mail every day by air, mostly on passenger planes. Airlines also move about 660,000 tonnes of cargo. Yet little of it is checked for explosives, he charges. All passengers’ checked luggage, on the other hand, is scanned with X-ray machines.

And, Transport Canada’s Conrad notes, air carriers are responsible for ensuring cargo conforms to a “layered” security approach, from verifying proper documentation to searching merchandise, if necessary.

At the moment, Toye says, bomb-sniffing dogs are used to check the “bulk” of airline cargo at Pearson, but not all containers are sniffed.

And Armstrong concedes there’s “room for improvement.”

Increased security is also being considered at other Pearson facilities, such as the Derry Rd. site where private and executive jets take off and land, says Jean Barrette, Transport Canada’s director of security operations.

Kenny says there are few security requirements at such facilities, where bags and passengers are not screened before boarding. On the food front, Pearson officials dismiss claims that delivery trucks aren’t searched. Toye says even police have to open the trunks of their cars when entering a restricted area.

Food crates are brought to a central warehouse and inspected for explosives before being delivered to airport shops or planes, Toye says.

What’s clear is that despite safety concerns at Pearson and other airports, American security analysts say Canada has done a better job improving security in restricted areas than the U.S. “We still have great gaping holes that can lead to a major attack against that system,” says Andrew Thomas, an Ohio business professor who has written three books on airport security.”

Posted in In The News, Biometrics, Security Measures, North America | No Comments »

January 9 2008 by The Systemic Analyst.

The following is a great editorial from the Times Union illustrating the poor FBI track record for using technology successfully. It should act as warning for the new biometric mega-clearinghouse:

It seems like an idea for the times — a massive new database that will contain biometric information on people coming and going within the United States. A database, in other words, that will help government officials keep track of potential terrorists entering and leaving the country, as well as searching for wanted criminals. There are just two problems. One is that the FBI will be collecting and storing the information, as part of a $1 billion, 10-year effort. The other is that the FBI will be keeping track of who will have access to the data pool.

The FBI can claim its share of successes in tracking down criminals, of course. That success has burnished the agency’s image over the years. But when it comes to computers, the FBI’s record is deplorable.

One example: In 2004, the agency admitted that its new computer system, which had cost hundreds of millions of dollars and took four years to install, was so bad — and so incapable of finding suspected terrorists — that it had to be junked, and replaced by a new one that won’t be up and running until 2009. An investigation by The Washington Post discovered that the botched system had been installed with no backup plan — a lapse that one computer expert attributed to pure stupidity.

Another example: The Seattle Post Intelligencer, our sister paper, reported in 2003 that a homicide case in Washington state had gone unsolved for 10 years because police officials were unable to match the victim’s dental records when they tapped into the FBI’s National Crime Information Center. It turned out that the dental records had been improperly stored. That raises this question: If the FBI can’t keep track of dental records, which are basic to any investigation, how will it keep track of a new database that will collect iris patterns, facial contours, scars and other physical characteristics? Thomas E. Bush III, assistant director of the agency’s Criminal Justice Information Services Divisions, says the new database will be “bigger, faster, better.” Better than what? The 2004 disaster?

The agency’s plans for monitoring those who will be given access to the database. Why? The answer is in a name — Robert Hanssen, the double agent who used his computer expertise to mine the FBI database for secret intelligence that he later sold to the Soviet Union. The agency says it has since improved internal security, but that’s simply not enough.

Congress must demand assurances that the new computer system will work as promised and that proper safeguards will protect the privacy rights of all Americans. One computer debacle costing hundreds of millions of dollars was bad enough. A $1 billion follow-up would be intolerable.

THE ISSUE: The FBI plans a huge database to collect biometric information.

THE STAKES: Strong safeguards are needed to prevent abuses.

Posted in Biometrics, North America | No Comments »

January 8 2008 by The Systemic Analyst.

The FBI seems to be creating an international clearinghouse of biometric data, if this Washington Post article is any indication. In a massive biometric system that is already storing new personal data such as facial images, finger and palm prints, international law enforcement agencies can look forward to cross searching millions (more likely billions when all is said and done) of biometric files including “iris patterns, face-shape data, scars and perhaps even the unique ways people walk and talk”, according to the Post.

Although touted as a necessary tool for police, known and suspected criminals won’t be the only individuals with files stored in the gargantuan system. As the Post reports:

“The FBI will also retain, upon request by employers, the fingerprints of employees who have undergone criminal background checks so the employers can be notified if employees have brushes with the law.”

So much for trust in fellow man.

Americans might find comfort in knowing that they are not alone in being so closely watched as “more than 1.5 million Iraqi and Afghan detainees, Iraqi citizens and foreigners” have also been included in the system, contributing biometric data such as fingerprints, iris and face patterns and, in a separate system housed by the Department of Defense, DNA.

Anyone wishing to visit the U.S. can consider themselves apart of the group too. In addition to scanning irises at some airports, the Department of Homeland Security is also compiling a database containing millions of fingerprints of travelers passing through border checkpoints.

Allowing access to some “900,000 federal, state and local law enforcement officers” across the U.S., it is hoped that the system will eventually be capable of facilitating spot-check searches. Such applications of the system will included scanning fingerprints of drivers pulled over by police and capturing iris patterns “at distances of up to 15 feet, and of faces from as far away as 200 yards.”

Canadians are already enjoying access to the “underground facility the size of two football fields,” according to the Post, as part of the search requests reaching the FBI servers each second. The system will also be interoperable with much of the Anglo-world, as standards, used by Britain, Canada, Australia and New Zealand, are employed.

It is debatable whether such an extensive effort is worth the tangible gains to be made in curtailing crime as a result of developing the large system.

With numerous points of access not just across the country but also internationally, the obvious question remains how the system will be secured? Unless the connectivity employed is so advanced that industry experts have no knowledge of it, it is probable that the data stored in this massive database is realistically vulnerable to attack, thus compromising the overall integrity of the system.

This is to say nothing of the human factor – always the biggest drawback to using technology in futile attempts to solve man’s problems. Even if those 900,000 people given access are screened beforehand at least one of them will allow the system to be compromised, deliberately or unintentionally.

The Post article reports, “The Pentagon has already matched several Iraqi suspects against the FBI’s criminal fingerprint database” which now houses some 55 million sets of records. In a system that will include anyone who has ever applied for a serious job, traveled to the U.S. or was ever stopped and questioned by police, is making “several matches” really relevant? Anyone can be in the system, verifying that with a search won’t really prove anything, it will just provide the person searching with ever-more information on individuals unlucky enough to believe that such measures will increase security.

Posted in Identity Management, Biometrics, Middle East | No Comments »