lwn.net/Articles/39909 -> lwn.net/Articles/39909/
The city was booked, and I was lucky to get a reservation where I did. When I checked in, the clerk insisted on making a photocopy of my driver's license. The night clerk didn't really care if he rented the room to me or not. He had rules to follow, and he was going to follow them. Her doctor called it in to a local pharmacy, and when she went to pick it up the pharmacist refused to fill it unless she disclosed her personal information for his database. She found the part where it said that "a reasonable effort must be made by the pharmacy to obtain, record, and maintain at least the following information," and the part where is said: "If a patient does not want a patient profile established, the patient shall state it in writing to the pharmacist. She didn't want to wait the few hours for her doctor to phone the prescription in somewhere else. I had to travel to Japan last year, and found a company that rented local cell phones to travelers. The form required either a Social Security number or a passport number. When I asked the clerk why, he said the absence of either sent up red flags. I asked how he could tell a real-looking fake number from an actual number. He said that if I didn't care to provide the number as requested, I could rent my cell phone elsewhere, and hung up on me. I went through another company to rent, but it turned out that they contracted through this same company, and the man declined to deal with me, even at a remove. I eventually got the cell phone by going back to the first company and giving a different name (my wife's), a different credit card, and a made-up passport number. If you've flown on an airplane, entered a government building, or done any one of dozens of other things, you've encountered security systems that are invasive, counterproductive, egregious, or just plain annoying. You've met people -- guards, officials, minimum-wage workers -- who blindly force you to follow the most inane security rules imaginable. In the end, all security is a negotiation among affected players: governments, industries, companies, organizations, individuals, etc. The players get to decide what security they want, and what they're willing to trade off in order to get it. But it sometimes seems that we as individuals are not part of that negotiation. Our security largely depends on the actions of others and the environment we're in. For example, the tamper resistance of food packaging depends more on government packaging regulations than on our purchasing choices. The security of a letter mailed to a friend depends more on the ethics of the workers who handle it than on the brand of envelope we choose to use. How safe an airplane is from being blown up has little to do with our actions at the airport and while on the plane. We simply don't have enough power in the negotiations to make a difference. I had no leverage when trying to check in without giving up a photocopy of my driver's license. My wife had no leverage when she tried to fill her prescription without divulging a bunch of optional personal information. The only reason I had leverage renting a phone in Japan was because I deliberately sneaked around the system. If I try to protest airline security, I'm definitely going to miss my flight and I might get myself arrested. There's no parity, because those who implement the security have no interest in changing it and no power to do so. I can negotiate my security, and he can decide whether or not to modify the rules for me. But modern society is more often faceless corporations and mindless governments. It's implemented by people and machines that have enormous power, but only power to implement what they're told to implement. Only in the aggregate do we have power, and the more we organize, the more power we have. Even an airline president, while making his way through airport security, has no power to negotiate the level of security he'll receive and the tradeoffs he's willing to make. In an airport and on an airplane, we're all nothing more than passengers: an asset to be protected from a potential attacker. The only way to change security is to step outside the system and negotiate with the people in charge. It's only outside the system that each of us has power: sometimes as an asset owner, but more often as another player. And it is outside the system that we will do our best negotiating. Outside the system we have power, and outside the system we can negotiate with the people who have power over the security system we want to change. After my hotel stay, I wrote to the hotel management and told them that I was never staying there again. First, one-on-one negotiations -- customer and pharmacy owner, for example -- can be effective, but they also allow all kinds of undesirable factors like class and race to creep in. It's unfortunate but true that I'm a lot more likely to engage in a successful negotiation with a policeman than a black person is. For this reason, more stylized complaints or protests are often more effective than one-on-one negotiations. Just as it doesn't make sense to negotiate with a clerk, it doesn't make sense to insult him. One of the most effective forms of protest is to vote for candidates who share your ideals. A large-scale boycott of businesses that demand photo IDs would bring about a change. Sadly, I believe things will get much worse before they get better. They're used to intrusive security, and they believe those who say that it's necessary. My guess is that most of the effort fighting stupid security is wasted. No hotel has changed its practice because of my strongly worded letters or loss of business. Gilmore's suit will, unfortunately, probably lose in court. My wife will probably make that pharmacist's life miserable for a while, but the practice will probably continue at that chain pharmacy. If I need a cell phone in Japan again, I'll use the same workaround. Fighting might brand you as a troublemaker, which might lead to more trouble. Gilmore's suit is generating all sorts of press, and raising public awareness. The Boycott Delta campaign had a real impact: passenger profiling is being revised because of public complaints. And due to public outrage, Poindexter's Terrorism (Total) Information Awareness program, while not out of business, is looking shaky. When you see counterproductive, invasive, or just plain stupid security, don't let it slip by. This kind of thing is nothing new, and normally I wouldn't bother. Anything it considers spam it shunts to another mailbox, which I check occasionally. There I can quickly scan my spam for legitimate e-mail, and specify certain e-mail addresses as ones that should be allowed rather than shunted. Crypto-Gram is fighting a seemingly endless battle against filters of various sorts. There are people who simply can't get this newsletter because it is tagged as spam or porn. Some filters block Crypto-Gram if it is larger than 50K. The most recent issue was blocked by one filter because it contained more than two links to Geocities Web sites. Sadly, the above paragraph will trigger all the same spam filters, so the people who don't get Crypto-Gram because of them will not get this issue either, and hence will never know why. And my stories pale in comparison to Neil Gaiman's experience with the spam filter at DC Comics, publisher of Sandman. It seems that the filter automatically blocked all e-mail containing the word "Sandman" without informing either the sender or the receiver. Gaiman was unable to communicate with his publisher about his own writing. I know that everyone who gets my newsletter has subscribed, but how does any filter know that? But I'm sure that some of my recipients don't remember subscribing. Despite my personal difficulties with sending out Crypto-Gram, I have a lot of sympathy for spam filters. There's a lot of "throwing the baby out with the bathwater" going on, but the bathwater is so foul that many companies don't mind the occasional loss of baby. The spam problem is so bad that draconian solutions are the only workable ones right now. Remember that this only works if your system is as secure as the union ...
|
http://csua.com/feed/