Tuesday, 21 March 2017
Testimony in Alaska on the REAL-ID Act
In 2008, the Alaska State Legislature enacted a state law prohibiting any state spending to implement the REAL-ID Act.
Now, in response to Federal threats to interfere with Alaskan residents' freedom of movement if the state government doesn't upload information about all state license and ID-card holders to a national ID database, the state legislature is considering bills to authorize that spending and implementation.
It makes no sense for Alaska to call for repeal of a disliked Federal law of dubious Constitutionality, and simultaneously to authorize state spending to comply with that law, without first getting the courts to rule on whether the (unfunded) mandate for state action or the threatened sanctions against state residents are Constitutional.
Details and links to the proposed legislation and my testimony at PapersPlease.org: Alaska and the REAL-ID Act
Tuesday, 14 March 2017
Palantir, Peter Thiel, Big Data, and the DHS
On Saturday, I joined an ad hoc group of picketers outside the Pacific Heights mansion of Palantir Technologies founder and Trump supporter Peter Thiel (photo gallery from the SF Chronicle, video clip from KGO-TV; more photos from the East Bay Express).
San Francisco and Silicon Valley are among the centers of opposition to President Trump and his fascism, especially as it relates to restrictions on movement, border controls, immigration, and asylum.
Bay Area technology companies and their better-paid classes of employees like to think of themselves as building a better world that reflects the distinctive values that have attracted dreamers and futurists to this region -- as it attracted me, 35 years ago -- from across the country and around the world. But some of these companies are key developers and providers of "big data" tools for the opposite sort of "Brave New World".
As Anna Wiener reported in the New Yorker ("Why Protesters Gathered Outside Peter Thiel's Mansion This Weekend"):
David Campos, a former member of the San Francisco board of supervisors, who emigrated from Guatemala, in 1985, stood on the brick stoop and raised a megaphone. "The reason we're here is to call upon the people who are complicit in what Trump is trying to do," he said. Clark echoed the sentiment. "If your company is complicit, it is time to fight that," she said. Trauss, when it was her turn, addressed Thiel, wherever he was. "What happened to being a libertarian?" she asked. "What happened to freedom of movement for labor?"
Edward Hasbrouck, a consultant with the Identity Project, a civil-liberties group, took the stand, wearing a furry pink tiger-striped pussyhat. "The banality of evil today is the person sitting in a cubicle in San Francisco, or in Silicon Valley, building the tools of digital fascism that are being used by those in Washington," he said. "We've been hearing back that there are a fair number of people at Palantir who are working really hard at convincing themselves that they're not playing a role -- they're not the ones out on the street putting the cuffs on people. They're not really responsible, even though they're the ones who are building the technology that makes that possible."
It's easy to rationalize the creation of technological tools by saying that they can be used for good as well as evil. But you can't separate the work of tool-making from the ways those tools are being used. Palantir workers' claims to "neutrality" resemble the claims made in defense of IBM and Polaroid when they were making and selling "general purpose" computers, cameras, and ID-badge making machines to the South African government in the 1970s. None of this technology and equipment was inherently evil. But in South Africa, it was being used to administer the apartheid system of passbooks and permissions for travel, work, and residence.
The same goes for "big data" today. To understand what's wrong with the work being done by Palantir for the U.S. Department of Homeland Security, it's necessary to look not just at what tools Palantir is building but at how and by whom they will be used; not just at the data tools but at the datasets to which they are applied, the algorithms they use, and the outcomes they are used to determine.
Monday, 27 February 2017
FAQs about travel in the time of Trump
President Trump's emphasis on control of travel and borders has prompted a surge of interest in freedom of movement as a civil liberties and human rights issue. Here are some of my FAQs and analyses of this issue over the last month for the Identity Project:
- FAQ: What should you do if you are asked for your password at a US airport or border?
- FAQ about searches at airports and US borders: What you probably don't know about one of the few laws that protects some of your rights.
- FAQ about searches and ID demands from passengers on domestic flights: What are your rights?
- Trump's #Muslim Ban is bad. But it's neither new nor unique to the USA: How carrier sanctions and airline collaboration are killing asylum seekers.
- Executive Orders, lawsuits, and the right to travel: What are the implications of the #MuslimBan litigation for other freedom-to-travel issues?
Friday, 27 January 2017
President Trump, Populist Politics, and the Prospects for Privacy
Through no fault of the organizers, who were extremely accommodating of my last-minute proposal for this panel after the US elections, we had less time than we had hoped for. There's video of the session, but I was rushed and probably not always clear.
[My pussy hat -- the symbol of the Women's Marches last weekend after Trump's inauguration -- was popular at CPDP. Photo by kind permission of Wendy M. Grossman. Thanks to Suzanne and another Wendy for knitting and giving me the hat!]
By popular request, below the jump is a summary of the main points I tried to make.
(For those interested in more detail, I've posted my notes on issues I would have liked to raise, if we had more time. I've also posted a separate article at PapersPlease.org on President Trump's executive order repudiating the EU-US agreement on transfers of PNR data from the EU to the US government.)
Wednesday, 18 January 2017
Unresponsive "comments" from Amadeus
Exactly three weeks after a public demonstration of the insecurity of public Web gateways to computerized reservation systems (CRSs) -- a threat to travellers that I've been writing, speaking and telling the CRS operators about for more than 15 years -- one of those companies has responded to my request for comment, but without answering any of my questions.
Here, in its entirety, is the statement I received late Tuesday from Amadeus (which hosts PNR data for airlines and travel agencies and operates the CheckMyTrip.com Web site for viewing PNR data), followed by my comments:
Saturday, 14 January 2017
The REAL-ID Act and the TSA proposal to require ID to fly
Much of my work for the last decade as a consultant to the Identity Project (PapersPlease.org) on travel-related civil-liberties and human rights issues has focused on requirements to obtain government permission and/or show government-issued ID credentials in order to travel by common carrier.
The TSA tells travellers they have to show government-issued ID to fly, harasses those who decline to do so, and sometimes has them arrested by local police on trumped-up (will that word now have new meaning?) charges.
But people with no ID at all fly every day. "We have a procedure for that," the TSA says whenever its demands for ID are challenged in court.
Now the TSA has proposed -- in a backhanded way calculated to evade public or Congressional debate or judicial oversight -- to impose a new official requirement for all airline passengers either to show government-issued ID or to certify that they live in a state that the DHS deems sufficiently compliant with the REAL-ID Act of 2005. This ID requirement would be an additional prerequisite before the TSA will give them "permission" to pass through its checkpoints or board airline flights.
For more on what's wrong with this proposal, see the comments filed this week with the TSA by the Identity Project and this post from the Identity Project blog.
Thursday, 12 January 2017
"What can I do to protect my PNR data?"
Since the recent public demonstration of some of the security and privacy vulnerabilities of airline reservations systems that I've been writing and speaking about for more than 15 years, people have been asking me, "What can I do to protect myself against stalking, harassment, surveillance, and fraud when I travel?"
Here are some answers from an interview I gave last week to Lucia Blasco of the BBC World Service:
Friday, 30 December 2016
CRS/GDS companies and travellers' privacy
[In the middle of the presentation by SRLabs at 33C3 on Tuesday, Nemanja Nikodijevic discovered that Amadeus had taken its "CheckMyTrip.com" PNR-viewing Web site offline to prevent the vulnerabilities of the site from being demonstrated in real time. Screen capture from 33C3 video by permission of SRLabs.]
This past Tuesday at the 33C3 conference in Hamburg, Germany, Karsten Nohl and Nemanja Nikodijevic of SRLabs publicly demonstrated that airline reservations systems still have the same fundamental insecurity, in the same ways that I have been writing and speaking about for more than 15 years.
Lest there be any doubt, while the team from SRLabs was inspired to investigate this subject in part by an interview with me on a German IT news site, I had no contact with them and was entirely unaware of their work until they contacted me last week. They worked entirely independently of me, and had no access to any information from me except my published writing and public speeches. When they contacted me last week to let me know that they would be giving a presentation on this topic at 33C3, their research was already complete.
I thought that expert security researchers might have found more vulnerabilities than I had found. Perhaps they did, but haven't yet discussed them publicly. But all of the attacks they demonstrated in their public presentation at 33C3 exploited the lack of real passwords on public Web gateways to Passenger Name Records (PNRs) operated by computerized reservation systems (CRSs/GDSs) for itinerary viewing, and by airlines for online booking, ticketing, check-in, changes, and cancellations.
These specific vulnerabilities have been publicly reported and discussed in print for at least 15 years, starting around the time Amadeus began its beta test of CheckMyTrip.com.
In light of some of the statements attributed to Amadeus -- the target of most of the sample exploits demonstrated by SRLabs -- in other news stories this week, it's important for the public and for government officials with authority over privacy and data protection to understand that this was not a demonstration of new vulnerabilities or anything that wasn't already well-known to Sabre, Amadeus, and Travelport (the current owner of both Galileo/Apollo and Worldspan).
Amadeus' reported responses have focused on the brute-force attack on PNR record locators, but the real problem, which has long been known, is the use of the record locator as though it were a password and without telling travellers that they need to keep it secret like a password that can't be changed if compromised. In many real-world targeted attack scenarios, the attacker will have other ways than trial and error to obtain a record locator. And real-world attacks are likely to be targeted: There are easier ways for hackers to obtain credit card numbers or money. The motivation for hacking a CRS/GDS or obtaining PNR data is to find out where someone will be, and when, so that the cyber-attacker can stalk their victim, surveil her, harass or attack her physically, rob her home while she is away, kidnap her and/or her children, or kill her.
To set the record straight, below is more detail than I would normally go into about the chronology of my reporting on this subject, followed by my recommendations for action and the questions I have asked Amadeus.
Tuesday, 27 December 2016
"Travel data: fraud with booking codes is too easy"
[Some of the privacy and security threats to PNR data and the CRS network, from my testimony in 2013 as an invited expert witness before the Advisory Committee on Aviation Consumer Protection of the U.S. Department of Transportation.]
Video, slides, and blog post of presentation by SRLabs at 33C3
(27 December 2016, Hamburg, Germany)
Who's watching you while you travel?
(details of this vulnerability published on my Web site, 18 April 2002)
Flight booking systems lack basic privacy safeguards, researchers say
(by Eric Auchard, Reuters, 27 December 2016)
Reisedaten: Betrug mit Buchungscodes ist zu einfach
(by Patrick Beuth, Zeit, 26 December 2016)
Unsicherheit bei Flugbuchungen: "Greift mehr Legacy-Systeme an"
(by Hauke Gierow, Golem.de, 28 December 2016)
Une étude alerte sur les failles des réservations de vol
(by Alexis Orsini, Numerama.com, 28 December 2016)
33C3: Gravierende Sicherheitslücken bei Reisebuchungssystemen
(by Stefan Krempl, Heise Online, 28 December 2016)
Amadeus-Sicherheitsproblem: Einladung für Cyber-Vandalen
(by Frank Patalong, Der Spiegel, 27 December 2016)
Today at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany, white-hat hackers from Security Research Labs, inspired by news reports in Germany about my work, will publicly demonstrate their ability to access and alter other people's airline reservations (PNRs) by exploiting vulnerabilities, including ones that I wrote about and called to the attention of all four of the major Computerized Reservation Systems in 2002, but that the CRSs have made a deliberate choice not to close because (a) government authorities have not enforced existing data protection laws (in other countries than the USA, which has no such laws) against CRSs, airlines, or travel agencies, and (b) these travel companies put their profits ahead of passengers' privacy and security.
There's been some advance coverage in German print (mentioning my work) and television news media. (Zeit, Handelsblatt, Der Spiegel.) But the CRS exploits discussed in these news stories are not the most serious of those that I expect the folks from SRLabs (well-known for their previous public exploits) to demonstrate at 33C3. Watch the livestream here at 21:45 CET in Hamburg, 12:45 p.m. PST in San Francisco. Recorded video will be posted later, but I don't know how soon. I'll add a link once it is available.
As I wrote in my book, The Practical Nomad Guide to the Online Travel Marketplace, which was published in early 2001 before 9/11, "Privacy is the Achilles heel of Internet travel planning." In that book (page 121), I also wrote about the vulnerability exploited in today's demonstration at 33C3: the vulnerability of the public Web gateways operated by CRS companies, of which the first was Sabre's VirtuallyThere.com:
If you make reservations through Travelocity.com or any other Sabre travel agency, you can view your itinerary at Sabre's "Virtually There" Web site (www.virtuallythere.com) by entering your last name and the six-character "record locator" for your reservations. This is good if you've misplaced your printed itinerary, but at present is dangerously insecure. Anyone who sees your name and record locator on an itinerary (through a window envelope, for example, or over your shoulder in an airport check-in line) can find out your home address, the exact dates you'll be away, where you are staying, etc. Properly secured, it could be a great feature, and hopefully Travelocity.com will have secured it before you read this. If they haven't, don't make any reservations in Sabre until they do, unless you want every detail of your trip to be public.
At the time that this was written and this book went to press in 2000, I was already in active discussions with Sabre about this issue. Eventually Sabre made some partial improvements, which I reported on in 2002, but they were insufficient and in any event proved to be temporary.
After each of the other CRS companies launched sites imitating VirtuallyThere.com, and with the same vulnerabilities, and none of them responded to my repeated requests for comment about those vulnerabilities, I went into more detail in an online supplement to the book in 2002:
What else has changed in 2001-2002, since "The Practical Nomad Guide to the Online Travel Marketplace"... went to press? Here are a few of the trends, changes, and news items I think are most significant for consumers and travelers:...
The security and privacy vulnerabilities of the three main Internet itinerary viewing services, VirtuallyThere.com (Sabre), ViewTrip.com (Galileo/Apollo), and CheckMyTrip.com (Amadeus) have not been corrected as of March 2002. I mentioned these in "The Practical Nomad Guide to the Online Travel Marketplace", but I didn't highlight them in the book because I assumed that they would soon be fixed. More than a year later, that hasn't happened.
These services currently do not use secure or secret passwords, and pose an extreme risk of severe privacy invasion. Even if you don't use these services yourself, they make complete details of your itinerary available to anyone who knows your last name and reservation number ("record locator"). Reservation numbers are printed conspicuously on itineraries, and are often visible through window envelopes, or to "shoulder surfers" in check-in lines or any other public place where you might have your itinerary in view. It's fairly obvious that no one who designed these services gave any real thought to their privacy implications (which is typical of Internet services).
Most online and offline travel agencies use either Sabre, Galileo/Apollo, or Amadeus, so you may not be able to avoid having your itinerary revealed in this way....
I urge consumers to complain to Sabre, Galileo, and Amadeus. Demand that they change their security procedures before a stalker, abuser, or kidnapper takes advantage of one of these services.
In comments submitted to a privacy roundtable convened by the U.S. Federal Trade Commission in 2009 and co-signed by organizations including the Consumer Travel Alliance (Travelers United) and the Consumer Federation of America, I wrote:
Travel records are highly vulnerable to unauthorized access....Because no logs are normally kept of access to PNR's or customer profiles stored in a CRS/GDS,... unauthorized access... could go undetected indefinitely.
CRS's/GDS's have deployed insecure public Web gateways that allow anyone who knows your name and "record locator" to view the complete itinerary from your PNR. But a "record locator" is not a password and does not provide adequate access control: record locators are printed and displayed everywhere from itineraries and tickets to boarding pass stubs (frequently discarded after a flight) and the tags on checked luggage, which are exposed to public scrutiny, unattended, while on the carousel at the destination waiting to be claimed....
The absence of access logs in the major CRS's/GDS's makes it impossible for travel companies that use these systems to comply with the fundamental principles of fair information practices - or even, in many cases, their own claimed privacy policies. Since no access logs are kept or included in PNR's, travel companies themselves don't know who has accessed data they entered. As they have admitted in response to some of our requests, they don't know and thus can't tell consumers who has accessed data about them, which data, or from where in the world.
I'm available today from San Francisco for interviews by e-mail, phone, or video Skype before or after the 33C3 session. I'll also be in Europe for two weeks in late January and early February, possibly with some time in Germany. I'd be happy to participate in public discussions of this issue, or to meet privately with anyone from a CRS or data protection authority who wants to talk about what can and should be done. If you are interested, please get in touch.
In the meantime, here are answers to some of the most frequently-asked questions I've been getting in the last few days:
Wednesday, 21 December 2016
"This is what 'extreme vetting' means."
I'm quoted at length in a story today in The Verge and on CNBC about the DHS "Analytical Framework for Intelligence" (AFI), a data-mining and profiling system outsourced to a company founded by a member of the Trump transition team and used to "vet" immigrants, foreign visitors, and US citizens, to decide whether or not they are allowed to travel and how they are treated when they travel, on the basis of an aggregated database of government and commercial information:
"When Trump uses the term 'extreme vetting', AFI is the black-box system of profiling algorithms that he's talking about," says Edward Hasbrouck of the Identity Project, a civil liberties initiative that focuses on the rights of travelers. "This is what extreme vetting means."
- "AFI" is the latest DHS name for "extreme vetting" (Edward Hasbrouck, PapersPlease.org)
- Documents suggest Palantir could help power Trump's 'extreme vetting' of immigrants (Spencer Woodman, The Verge.com; reprinted by CNBC)