229 research outputs found

    Biometric ID Cybersurveillance

    The implementation of a universal digitalized biometric ID system risks normalizing and integrating mass cybersurveillance into the daily lives of ordinary citizens. ID documents such as driver’s licenses in some states and all U.S. passports are now implanted with radio frequency identification (RFID) technology. In recent proposals, Congress has considered implementing a digitalized biometric identification card—such as a biometric-based, “high-tech” Social Security Card—which may eventually lead to the development of a universal multimodal biometric database (e.g., the collection of the digital photos, fingerprints, iris scans, and/or DNA of all citizens and noncitizens). Such “high-tech” IDs, once merged with GPS-RFID tracking technology, would facilitate exponentially a convergence of cybersurveillance-body tracking and data surveillance, or dataveillance-biographical tracking. Yet, the existing Fourth Amendment jurisprudence is tethered to a “reasonable expectation of privacy” test that does not appear to restrain the comprehensive, suspicionless amassing of databases that concern the biometric data, movements, activities, and other personally identifiable information of individuals. In this Article, I initiate a project to explore the constitutional and other legal consequences of big data cybersurveillance generally and mass biometric dataveillance in particular. This Article focuses on how biometric data is increasingly incorporated into identity management systems through bureaucratized cybersurveillance or the normalization of cybersurveillance through the daily course of business and integrated forms of governance

    Biometric Cyberintelligence and the Posse Comitatus Act

    This Article addresses the rapid growth of what the military and the intelligence community refer to as “biometric-enabled intelligence.” This newly emerging intelligence tool is reliant upon biometric databases—for example, digitalized storage of scanned fingerprints and irises, digital photographs for facial recognition technology, and DNA. This Article introduces the term “biometric cyberintelligence” to more accurately describe the manner in which this new tool is dependent upon cybersurveillance and big data’s mass-integrative systems. This Article argues that the Posse Comitatus Act of 1878, designed to limit the deployment of federal military resources in the service of domestic policies, will be difficult to enforce to protect against militarized cyberpolicing and cybersurveillance harms that may generate from the domestic use of military grade cybersurveillance tools. Maintaining strict separation of data between military and intelligence operations on the one hand, and civilian, homeland security, and domestic law enforcement agencies on the other hand, is increasingly difficult as cooperative data sharing increases. The Posse Comitatus Act and constitutional protections such as the Fourth Amendment’s privacy jurisprudence, therefore, must be reinforced in the digital age to appropriately protect citizens from militarized cyberpolicing: the blending of military/foreign intelligence tools and operations, and homeland security/domestic law enforcement tools and operations. The Article concludes that, as of yet, neither statutory nor constitutional protections have evolved sufficiently to cover the unprecedented surveillance harms posed by the migration of biometric cyberintelligence from foreign to domestic use

    Mobile Identity, Credential, and Access Management Framework

    Organizations today gather unprecedented quantities of data from their operations. This data is coming from transactions made by a person or from a connected system/application. From personal devices to industry including government, the internet has become the primary means of modern communication, further increasing the need for a method to track and secure these devices. Protecting the integrity of connected devices collecting data is critical to ensure the trustworthiness of the system. An organization must not only know the identity of the users on their networks and have the capability of tracing the actions performed by a user but they must trust the system providing them with this knowledge. This increase in the pace of usage of personal devices along with a lack of trust in the internet has driven demand for trusted digital identities. As the world becomes increasingly mobile with the number of smart phone users growing annually and the mobile web flourishing, it is critical to implement strong security on mobile devices. To manage the vast number of devices and feel confident that a machine’s identity is verifiable, companies need to deploy digital credentialing systems with a strong root of trust. As passwords are not a secure method of authentication, mobile devices and other forms of IoT require a means of two-factor authentication that meets NIST standards. Traditionally, this has been done with Public Key Infrastructure (PKI) through the use of a smart card. Blockchain technologies combined with PKI can be utilized in such a way as to provide an identity and access management solution for the internet of things (IoT). Improvements to the security of Radio Frequency Identification (RFID) technology and various implementations of blockchain make viable options for managing the identity and access of IoT devices. 
When PKI first began over two decades ago, it required the use of a smart card with a set of credentials known as the personal identity verification (PIV) card. The PIV card (something you have) along with a personal identification number (PIN) (something you know) were used to implement two-factor authentication. Over time the use of the PIV cards has proven challenging as mobile devices lack the integrated smart card readers found in laptop and desktop computers. Near Field Communication (NFC) capability in most smart phones and mobile devices provides a mechanism to allow a PIV card to be read by a mobile device. In addition, the existing PKI system must be updated to meet the demands of a mobile focused internet. Blockchain technology is the key to modernizing PKI. Together, blockchain-based PKI and NFC will provide an IoT solution that will allow industry, government, and individuals a foundation of trust in the world wide web that is lacking today

    Security during the Construction of New Nuclear Power Plants: Technical Basis for Access Authorization and Fitness-For-Duty Requirements

    A technical letter report to the NRC summarizing the findings of a benchmarking study, literature review, and workshop with experts on current industry standards and expert judgments about needs for security during the construction phase of critical infrastructure facilities in the post-September 11 U.S. context, with a special focus on the construction phase of nuclear power plants and personnel security measures

    Airport Passenger Processing Technology: A Biometric Airport Journey

    A passenger’s traveling journey throughout the airport is anything but simple. A passenger goes through numerous hoops and hurdles before safely boarding the aircraft. Many airports today are implementing isolated solutions for passenger processing. Some of these technologies include automated self-service kiosks and bag tag, self-service bag drop-off, along with automated self-service gates for boarding and border control. These solutions can be integrated with biometric systems to enhance passenger handling. This thesis analyzes the current passenger processing technology implemented at airports around the world and their associated challenges that passengers face. A new passenger processing technology called a biometric single token identification (ID) is presented as a solution to help alleviate current issues. By using a medium-sized international airport as a case study, the results show that a single token ID is beneficial to the time it takes to process a passenger. Furthermore, it demonstrates that implementation of a single token ID with self-service technology can provide enhanced passenger travel experience, improving operational process efficiency, all while ensuring safety and security

    Tracking RFID

    RFID-Radio Frequency Identification-is a powerful enabling technology with a wide range of potential applications. Its proponents initially overhyped its capabilities and business case: RFID deployment is proceeding along a much slower and less predictable trajectory than was initially thought. Nonetheless, in the end it is plausible that we will find ourselves moving in the direction of a world with pervasive RFID: a world in which objects’ wireless self-identification will become much more nearly routine, and networked devices will routinely collect and process the resulting information. RFID-equipped goods and documents present privacy threats: they may reveal information about themselves, and hence about the people carrying them, wirelessly to people whom the subjects might not have chosen to inform. That information leakage follows individuals, and reveals how they move through space. Not only does the profile that RFID technology helps construct contain information about where the subject is and has been, but RFID signifiers travel with the subject in the physical world, conveying information to devices that otherwise would not recognize it and that can take actions based on that information. RFID implementations, thus, can present three related privacy threats, which this article categorizes as surveillance, profiling, and action. RFID privacy consequences will differ in different implementations. It would be a mistake to conclude that an RFID implementation will pose no meaningful privacy threat because a tag does not directly store personally identifiable information, instead containing only a pointer to information contained in a separate database. Aside from any privacy threats presented by the database proprietor, privacy threats from third parties will depend on the extent to which those third parties can buy, barter, or otherwise gain database access. 
Where a tag neither points to nor carries personal identifying information, the extent of the privacy threat will depend in part on the degree to which data collectors will be able to link tag numbers with personally identifying information. Yet as profiling accelerates in the modern world, aided by the automatic, networked collection of information, information compiled by one data collector will increasingly be available to others as well; linking persistent identifiers to personally identifying information may turn out to be easy. Nor are sophisticated access controls and other cryptographic protections a complete answer to RFID privacy threats. The cost of those protections will make them impractical for many applications, though, and even with more sophisticated technology, security problems will remain. This article suggests appropriate government and regulatory responses to two important categories of RFID implementation. It concludes with a way of looking at, and an agenda for further research on, wireless identification technology more generally

    Semi-Annual Report to Congress for the Period of October 1, 2010 to March 31, 2011

    [Excerpt] I am pleased to submit this Semiannual Report to Congress, which highlights the most significant activities and accomplishments of the U.S. Department of Labor (DOL), Office of Inspector General (OIG) for the six-month period ending March 31, 2011. During this reporting period, our investigative work led to 207 indictments, 133 convictions, and $155 million in monetary accomplishments. In addition, we issued 29 audit and other reports which, among other things, recommended that $5.7 million in funds be put to better use, and questioned $3.4 million in costs during this reporting period. OIG audits and investigations continue to assess the effectiveness, efficiency, economy, and integrity of DOL’s programs and operations. We also continue to investigate the influence of labor racketeering and/or organized crime with respect to internal union affairs, employee benefit plans, and labor-management relations. During this reporting period, we found that the Occupational Safety and Health Administration (OSHA) had not designed a method to examine the impact of state programs on workplace safety and health to ensure that they were effective and to fully evaluate the merits of any program changes. We also found that OSHA did not follow its own policies and procedures during its investigations of three whistleblower complaints. As a result, OSHA could not provide any assurance that protections were afforded as intended under Federal whistleblower laws. Additionally, the OIG conducted two audits of the Employee Benefits Security Administration (EBSA). 
We found that EBSA needs to develop a process to determine whether the qualified default investment alternative under the Pension Protection Act is helping to increase employee participation and average investment returns in retirement plans through automatic enrollments. We also found that EBSA does not have adequate assurances that fiduciaries voted solely for the economic benefit of plans or that they monitored proxy voting activities. We also issued eight audit reports related to the American Recovery and Reinvestment Act of 2009 during this reporting period. One audit found that the Employment and Training Administration needs to better ensure the YouthBuild program, which provides low-income youth with job skills and serves their communities by building affordable housing, meets program objectives. Our investigations continue to combat labor racketeering and/or organized crime in internal union affairs, union-sponsored benefit plans, and labor management relations. For example, a major OIG investigation resulted in one of the Gambino Crime Family’s highest ranking members in New Jersey and 20 other defendants being sentenced for racketeering conspiracy and related crimes. A benefit plan investigation resulted in the sentencing of a chiropractor to over five years in prison after he pled guilty to fraudulently billing union health and welfare plans, among others, more than $14 million. OIG investigations also identified vulnerabilities in and fraud against DOL programs. One investigation resulted in a high-ranking Immigration and Customs Enforcement official being sentenced to more than 17 years in prison for filing fraudulent labor certifications and committing Federal Employees’ Compensation Act fraud. Another investigation resulted in the imposition of a $55 million judgment against and imprisonment of a husband, wife, and son for their roles in an H-2B visa fraud conspiracy. 
The OIG remains committed to promoting the integrity, effectiveness, and efficiency of DOL. I would like to once again express my gratitude to the professional and dedicated OIG staff for their significant achievements during this reporting period. I look forward to continuing to work with the Department to ensure the integrity of programs and that the rights and benefits of workers and retirees are protected