How to Fight
WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
I landed in Los Angeles at 11:30 p.m., and it took me another hour to get to my hotel. Every room in the city was booked, and I was lucky to get a reservation where I did. When I checked in, the clerk insisted on making a photocopy of my driver's license. I tried fighting, but it was no useI needed the hotel room. There was nowhere else I could go. The clerk didn't really care if he rented the room to me or not. He had rules to follow, and he was going to follow them.
My wife needed a prescription filled. Her doctor called it in to a local pharmacy, and when she went to pick it up, the pharmacist refused to fill it unless she disclosed her personal information for his database. The pharmacist even showed my wife the rulebook. She found the part that said: "A reasonable effort must be made by the pharmacy to obtain, record and maintain at least the following information..." And the part that stated: "If a patient does not want a patient profile established, the patient shall state it in writing to the pharmacist. The pharmacist shall not then be required to prepare a profile as otherwise would be required by this part."
Despite this, the pharmacist insisted on getting her personal information. My wife was stuck. She needed the prescription filled. She didn't want to wait the few hours for her doctor to phone the prescription in somewhere else. The pharmacist didn't care; he wasn't going to budge.
It's stupid security season. If you've flown on an airplane, entered a government building or done any one of dozens of other things, you've encountered security systems that are invasive, counterproductive, egregious or just plain annoying. You've met peopleguards, officials, minimum-wage workerswho blindly force you to follow the most inane security rules imaginable.
Is there anything you can do?
In the end, all security is a negotiation among affected players: governments, industries, companies, organizations, individuals. The players get to decide how much security they want and what they're willing to trade in order to get it. But it sometimes seems as though we as individuals are not part of that negotiation. Security is more something that is done to us.
Our security depends largely on the actions of others and the environment we're in. Tamper-resistant food packaging depends more on government regulations than on our purchasing choices. The security of a letter mailed to a friend depends more on the ethics of the postal workers who handle it than on the brand of envelope we choose to use. The security of the money in our bank accounts, the crime rate in our neighborhoods and the honesty and integrity of our police departments are out of our direct control. We simply don't have enough power in the negotiations to make a difference.
I had no leverage when I tried to check into that hotel room without first giving up a photocopy of my driver's license. My wife had no leverage when she tried to fill her prescription without divulging a bunch of optional personal information. If I try to protest airline security, I'm definitely going to miss my flight, and I might get myself arrested. There's no parity, because those who implement security regulations have no interest in changing them and no power to do so. They're not the ones who control the security system; it's best to think of them as nearly mindless robots. In fact, the security system relies on them behaving this way, replacing the flexibility and adaptability of human judgment with a three-ring binder of "best practices" and procedures.
It would be different if the pharmacist were the owner of the pharmacy, or if the person behind the registration desk owned the hotel, or even if the officer were a neighborhood beat cop. In those cases there's more parity. I can negotiate my security directly, and they can decide whether or not to modify the rules for me. But modern society is more often faceless corporations and mindless governments. It's implemented by people and machines that have enormous power, but only the power to implement what they're told to implement. And they have no real interest in negotiating. They don't need to. They don't care.
But there's a paradox. We're not only individuals; we're also consumers, citizens, taxpayers, voters andif things get bad enoughprotesters and sometimes even angry mobs. Only in the aggregate do we have power, and the more we organize, the more power we have. And the only way to change security is to step outside the system and negotiate with the people in charge. Outside the system we have power.
After my hotel stay, I wrote to the hotel management and told them that I was never staying there again. (Unfortunately, I am collecting an ever-longer list of hotels I will never stay in again.) My wife has filed a complaint against that pharmacist with the Minnesota Board of Pharmacy. John Gilmore has gone further: He hasn't flown since Sept. 11, and he's suing the government for the constitutional right to fly within the U.S. without showing a photo I.D.
Three points about fighting back. First, one-on-one negotiationsbetween customer and pharmacy owner, for examplecan be effective, but they also allow all kinds of undesirable factors like class and race to creep in. It's unfortunate but true. I'm a lot more likely to engage in a successful negotiation with a police officer over the level of security in my neighborhood than a black person is.
Second, naming and shaming doesn't work. Just as it doesn't make sense to negotiate with a clerk, it doesn't make sense to insult him. Instead, say, "I know you didn't make the rule, but if the people who did ever ask you how it's going, tell them the customers think the rule is stupid and insulting and ineffective." Other companies are making the same security decisions and they need to know that it's not working.
Third, don't forget the political process. Elections matter, and political pressure by elected officials on corporations and government agencies has a real impact. One of the most effective forms of protest is to vote for candidates who share your ideals.
The more we band together, the more power we have. A large-scale boycott of businesses that demand photo I.D.s would bring about a change. Conference organizers, for instance, have more leverage with hotels than individuals. The USENIX conferences, held by the Advanced Computing Systems Association, tries to avoid using hotels that demand personal identification from guests. A large group of single-issue voters supporting candidates who promise to work against stupid security would also make a difference.
Sadly, I believe things will get much worse before they get better. Many people seem not to be bothered by stupid security; it even makes some feel safer. In the U.S., people are now used to showing their photo I.D.s everywhere; it's the new security reality post-Sept. 11. They're used to intrusive security and they believe the people who say it's necessary.
It's important that we pick our battles. My guess is that most of the effort spent fighting stupid security is wasted. No hotel has changed its practice because of my strongly worded letters or refusal to stay there. My wife will probably make that pharmacist's life miserable for a while, but the practice will probably continue at that pharmacy. Gilmore, unfortunately, will probably lose in court.
Still, we can make a difference. Gilmore's suit is generating all sorts of press and raising public awareness. And the recent Boycott Delta campaign had a real impact: passenger profiling is being revised because of public complaints. And due to public outrage, the Pentagon's Terrorism Information Awareness program, led by former national security advisor John Poindexter, while not out of business, is looking shaky.
When you see counterproductive, invasive or just plain stupid security, don't let it slip by. Write a letter. Create a Web site. File a Freedom of Information Act request. Make some noise. You don't have to join anything; noise need not be more than individuals standing up for themselves.
You don't win every time. But you do win sometimes.