This may seem horrific to the people who expect at-the-door vaccination checks to screen people out. Even the most well-designed app can’t do that. Louisiana’s mobile driver’s license comes close—the “bouncer” scans the QR code and pulls up your name, photo, and vaccination status from an official state database. But even there, there’s a real risk of “deep fakes”—indeed, there have already been cases of anti-vax pharmacists entering fraudulent information in official immunization registries. That’s pretty much the perfect crime, once it’s been pulled off. The only way one could ever catch it would be to start taking random antibody titers of restaurant patrons.
This sounds like a mistake people new to computer security sometimes make. You hear “well, here’s how you could defeat that control, so we shouldn’t do it”. It’s not that simple. It’s absolutely true that sometimes the assurance isn’t worth it, sure, but sometimes it is. And not only because of “ritual deterrence”.
Remember that the goal isn’t, or shouldn’t be, to get “perfect” success. It’s to cut down on the number (and impact) of failures. That’s true in computer security, and even more true in disease spread.
Even if you can’t make violations impossible, making them significantly harder truly does reduce the number of actual problems. That applies even when you’re dealing with professional criminal adversaries who aren’t deterred in any way by “rituals” and who fully understand the limitations of your measures. It applies even more than that when you’re dealing with casual adversaries. And, frankly, it applies even more than that when you’re dealing with stupid adversaries, who are surprisingly common in some circumstances.
It’s significantly harder to find a complicit pharmacist, or to otherwise subvert a public record, than it is to simply fake a piece of paper. The difficulty very probably deters a large number of people, and the complexity creates a real risk of getting caught.
Auditing is interesting. A lot of auditors really do seem to get conditioned to performing rituals, without really giving thought to impact. And since the formal rules auditors are asked to enforce are often SO BADLY THOUGHT OUT, I suppose that maintaining your sanity as an auditor might force you to avoid looking too hard at effectiveness beyond ritual. But that effectiveness really is there, or at least can be.
… and, by the way, it sounds like you notaries need to up your game. At least if somebody comes to you with state-issued ID from the state you’re operating in, there is really no reason you should not be able to at least check the photo in the issuer’s database.
No, we don’t need to “up our game”. It’s simply not a legal requirement for laypeople—civilians—to identify fakes. And it shouldn’t be. That’s not our role. We help prevent fraud by emphatically communicating, through our words and our affect, that signing your name to something is a big fucking deal.
Auditors don’t need to “up their game” either for systems to be effective. The role of venues is to communicate the mandate to its targets (the general public), not to “enforce” it.
Employers are another matter because they have the infrastructure to implement engineering controls (chipped ID cards, key fobs, turnstiles, panic buttons).