Protecting Society by Protecting Information Reducing Crime by Better Information Sharing Adam Shostack

Information Sharing (Ideal)
- Information is rapidly and securely shared amongst law enforcement to prevent serious crime & catch criminals
- This is a very worthwhile goal
- My talk: focus on deviations from ideal
- Not because all uses are deviations, but because as a society we must consider how things break

Privacy and Info Sharing Both Protect People
- Our panel title sets up a false dichotomy
- Goal is to protect people
- False data, misuse of data is a burden
- How much information should we share to achieve that?
- Use the No-Fly List as an example application
- No fly list exists because of terrorists

No Fly List: Typical Information Sharing Application?
- Data brought to bear to prevent criminal activity/terrorism
- Data gathered from a plethora of sources
- No privacy policy around the data
- We hear only about failures

Who’s on The No-Fly List?

No Fly List Analysis
- Assembled from a plethora of sources
- No privacy policy
- Using privacy in sense of Fair Information Practices: Notification, Consent, Access, Correction, Reliability
- Large quality problems
- False positive vs. real hit frequency
- Waste of officer time

Information Sharing (nightmare)
- Kafka-esque
  - Denied civil rights (travel, voting)
  - ID theft victims being arrested
  - No ability to solve problem
- Orwellian World
  - Surveillance for its own sake
  - Stalkers
  - All the data sold to marketeers

Info Sharing Economics
- Building systems is expensive, hard
- Outsource to private sector!
- ChoicePoint, Seisint
- Data shared is data shared
- Data will “update” other records (e.g., change of address)

Info Sharing by Data Brokers
"[ChoicePoint] disclosed that it had agreed to pay as much as $7 million to settle an Illinois class-action lawsuit by insurance agents. The agents said ChoicePoint took information from their inquiries about potential insurance clients and then sold the names back to them and to competitors as sales leads."

Info Sharing with Whom?
- Seisint, a Lexis Nexis Company
- MATRIX
- 320,000 records accessed
- 57 account breaches detected and reported
- How much data was from law enforcement?

Commercial Databases
- Data sales to all sorts, for all sorts of purposes
  - Stalking
  - ID Theft
  - Revenge
- EPIC Phone complaint
- Real ID Act, home addresses
- Judge Lefkow (?)

Increased Information Sharing
- More information sharing through companies will lead to more crime
  - Stalking, ID theft, Assaults
- More data capture will increase value of ID theft
- Is this trade-off worthwhile?
  - Hard to say: need more on how lists work
  - Some 9/11 Hijackers were on lists
  - Too many lists, too many people on them?

Economics of Fraudulent ID
- Increase in document checking
- Getting harder to exist without papers
- 15 million illegal immigrants need paper
- So did 19 terrorists
- Demand facilitates supply
- Hijacker Alghamdi (pictured)
- A facilitator helped him get VA ID

Economics of Fraudulent ID
- Economic incentives hard to resist
- Arrests across the country
- Katrina will lead to a groundswell of fraudulent issuance as processes are relaxed for hurricane survivors who need ID
- More ID checking, more “acceptable” reasons to evade

Is There A Laffer Curve of ID?

Why Does This Matter?
- If information sharing is based on “database data,” the quality of that data is dropping rapidly
- Easier “investigation” by computer may distract from other avenues

Alternatives?
- Pose requirements as what to achieve
  - “Need to distinguish between Johnnie Thomas and Johnnie Thomas”
- Not how to achieve it
  - “Need social security numbers to distinguish JT and JT”

Share Queries, Not Data
- Move to allowing database queries, rather than shipping data
- Allows data to be stored, managed, corrected, by creators
- The FBI’s database is updated, but bad data whose source is unknown corrupts new lists.
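
The difference between shipping data and sharing queries, as an added example that is not part of the original slides: a list owner corrects an entry after a partner has already taken a copy, and only the query path sees the fix. The `SourceRegistry` class, the use of date of birth to tell the two Johnnie Thomases apart, and all records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SourceRegistry:
    """List kept by the agency that created it (hypothetical model)."""
    entries: dict = field(default_factory=dict)    # record id -> (name, date of birth)
    audit_log: list = field(default_factory=list)  # (requester, name, hit) per query

    def add(self, rec_id, name, dob):
        self.entries[rec_id] = (name.lower(), dob)

    def correct(self, rec_id):
        """The owner removes an entry it has found to be wrong."""
        self.entries.pop(rec_id, None)

    def export(self):
        """Data-shipping model: the partner walks away with a full copy."""
        return set(self.entries.values())

    def query(self, requester, name, dob):
        """Query model: answer match / no match only, and record who asked."""
        hit = (name.lower(), dob) in self.entries.values()
        self.audit_log.append((requester, name, hit))
        return hit


def demo():
    # Constructed sample data: two different people with the same name.
    registry = SourceRegistry()
    registry.add("r1", "Johnnie Thomas", date(1960, 1, 2))
    registry.add("r2", "Johnnie Thomas", date(1935, 5, 6))  # listed in error

    shipped_copy = registry.export()  # partner A copied the list
    registry.correct("r2")            # the owner later fixes the error

    traveller = ("johnnie thomas", date(1935, 5, 6))
    stale_hit = traveller in shipped_copy  # the copy never saw the fix
    live_hit = registry.query("partner-B", "Johnnie Thomas", date(1935, 5, 6))
    real_hit = registry.query("partner-B", "Johnnie Thomas", date(1960, 1, 2))
    return stale_hit, live_hit, real_hit, len(registry.audit_log)


if __name__ == "__main__":
    print(demo())
```

The shipped copy still flags the wrongly listed traveller, while the query returns no match for him and still matches the remaining entry; the owner also ends up with a record of every lookup, which a shipped copy cannot provide.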

Share Less Invasive Data
- Fingerprints vs:
- Left thumb to right thumb, my fingerprints: Right loop, whorl, right loop, whorl, right loop...
- Using a 4 class system, over a million permutations
- Hard to loan IDs when it’s a million to one match
- 5 class (arch/tented arch) close to a billion possibilities

Conclusions
- Privacy protects people
- Information sharing protects people
- Privacy can improve information sharing

Questions, Comments?
Thank you for your time and attention