Nelson Mandela did. It took an act of Congress.
The rest of us? The airport is our Robben Island.
Tim Lee has published a TechKnowledge piece discussing the growing problem of “orphan works” — copyrighted material the owner of which can’t be found.
When I was a young nerd, alerting kids about the exposure of their epidermis was a favorite school-bus taunt, a great one to use on kids whose vocabulary wasn’t above grade-level like mine. “Epidermis” is, of course, a fancy word for skin. A good deal of everyone’s epidermis is showing most of the time, and it doesn’t matter. But kids can unnerve other kids just by telling them that they are exposed in ways they don’t understand, and that’s a fun thing to do.
Such is the flavor of news that data breach reports are up 69 percent so far in 2008. It sounds bad, and in a sense it is: By definition, a “breach” of data is an unintentional release. But the important question is whether a data breach results in any kind of actual harm.
There has been some research on the relationship between data breach and identity fraud, and the connection is fairly weak. New account fraud, which is the most damaging to consumers because of its effect on their financial reputations, takes some guile and work. The limiting factor on new account fraud is probably time and effort, not access to the kinds of information released in the garden variety data breach.
Much credit has been awarded to laws requiring disclosure of data breaches, especially California’s breach disclosure law, S.B. 1386. It’s worth noting that the news item linked first above cites a rise in reports of data breaches, not a rise in actual breaches. One would expect more reports as more entities come into compliance with disclosure laws. The rate of actual breaches and any trends are not part of this reporting.
A paper presented at WEIS 2008 Workshop on the Economics of Information Security last week has some relevant information. The paper is called “Do Data Breach Disclosure Laws Reduce Identity Theft?” and it finds “no statistically significant effect that [data breach disclosure] laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited.”
Of course, data breach disclosure laws may cause firms to improve their data security practices, but doing so for compliance purposes and not for harm prevention will cause them to overspend on data security, with the costs passed on to their customers in the form of higher prices and to owners in the form of lower dividends and stock prices. Spending on security that doesn’t cost-effectively secure against real threats lowers consumer welfare, as economists would say.
The damage that might be done by any data breach is very contextual. Sometimes consumers should be alerted about it, and sometimes alerting them is a waste of everyone’s time. Sometimes other responses are more appropriate, and sometimes data breaches require no response at all. People have worked hard to tailor data breach disclosure laws, but this kind of regulation is inherently a clumsy instrument, and, again, disclosure may not even be the right response.
It’s looking more and more like data breach disclosure laws parallel the schoolyard taunt “your epidermis is showing.” Three years ago, I wrote about data security regulation suggesting that common law liability for holders of sensitive data might be a better way to ferret out the right responses to data breaches, and to make sure that data holders internalize risks. I’m still above grade-level, you see …
Vint Cerf is the nominal “father of the Internet,” and currently a vice president and “Chief Internet Evangelist” at Google. His employer recently unveiled an “Internet for Everyone” public policy program, which I view with skepticism. (Julian Sanchez nailed the free-lunchism of “Internet for Everyone,” saying, “All this may have a whiff of ‘and a pony’ about it.”)
At the same conference where the Google campaign was introduced, Cerf made a casual comment suggesting that it might be better if the Internet were nationalized. This is a bad idea, and even the blogger who wrote up Cerf’s comment said so.
I posted about it at TechLiberationFront, where Cerf has been good enough to comment. I don’t think policies based on his predisposition in favor of government ownership and control would result in good outcomes. Same goes for Google’s public policy program to the extent it shares those premises.
A month ago, I wrote here and in a TechKnowledge article about the telling imagery that a company called L‑1 Identity Solutions had used in some promotional materials. The cover of their REAL ID brochure featured an attractive woman’s face with her driver license data superimposed over it, along with her name, address, height, eye color, place of birth, political affiliation, and her race. This is where the national ID system advanced by the REAL ID Act leads.
Here’s another example. A group called Family Security Matters has reprinted on its site a blog post supporting the $80 million in grant money that the Department of Homeland Security recently announced, seeking to prop up the REAL ID Act. (I’ve written about it here and here.)
What’s interesting is not that a small advocacy group should support REAL ID, but the image they chose to illustrate their thinking: a man holding his “National Identity Card,” his fingerprint and iris images printed on it, and presumably programmed into it.
Were there ever any doubt that REAL ID was a national identity system and a step toward cradle-to-grave, government-mandated biometric tracking, Family Security Matters has helped clear that up.
We’re now learning the meaning of a new policy that Americans can’t “willfully” refuse to show ID at airports. The Consumerist has a write-up of one man’s experience with IDless travel. It turns out they do a background check on you using, among other things, your political affiliation.
That’s a nice window onto what identity-based security is all about: giving the government deep access into all of our personal lives. Of course, this type of security is easy to evade, and the 9/11 plot was structured to evade it. Checking ID cannot catch someone who has no history of wrongdoing.
Identity checks at airports require law-abiding American citizens to give up their privacy, including their political affiliations, with essentially no security benefit.
I wrote here last week about the limping DHS grant-making process for the REAL ID Act. (Summary: Good money after bad.)
Unsurprisingly, ID card maker Digimarc is touting the spending going to “its” states in a press release. I wrote about the plans of biometric technology company L‑1 to acquire Digimarc’s ID card business in a recent TechKnowledge entitled “L‑1: The Technology Company in Your Pocket.” (Digimarc recently received a higher offer for its ID card business from a French conglomerate. The appetite for national ID systems is certainly higher in old Europe and elsewhere around the globe than in the United States.)
Late Friday, DHS Assistant Secretary for Policy Stewart Baker posted on DHS’ “Leadership Journal” blog about the grants. Late Friday is the time of the week when releases are least likely to get uptake — are DHS web staff trying to suppress Baker? You’d expect to see something like this on Friday morning, or the night before grants are announced.
Anyway, in his blog post, Baker tries to inflate the money available for REAL ID, claiming that this $80 million is really more like $511 million. It’s not. And if it were, it still would be only 3% of the $17 billion cost of implementing REAL ID.
Of course, Baker claims that the costs of implementing REAL ID are lower now, but that’s only because DHS assumed away much participation in the program. I suppose France could have defeated Germany by building only 27% of the Maginot line, but it’s doubtful. That’s what a national ID card is — a Maginot line that’s easy to avoid. Baker wants us to believe that a bad security system which is also incomplete is therefore … somehow … good.
Baker’s post, like the rest of DHS’ recent efforts, is a tired effort to prop up REAL ID. He tries to skip past the issues, saying “The arguments for having secure identification speak for themselves.” They don’t, and Baker hasn’t spoken for them either.
DHS’ institutional support for REAL ID grows more and more anemic with each passing day. Witness the thoroughly lame effort of the Department to revive it by banning “willful” refusal to show ID at airports. I now find myself in the position of trying to draw attention to the corpse of REAL ID — I do so because government programs like this have to be really dead before they’re truly dead.
Giving away grants that nobody wants. Defending what can’t be defended. I would be tired too. Congress can make everyone’s life better by rescinding these grants and repealing the REAL ID Act.