Carl is most certainly not an idiot. In fact, there might be a reasonable argument for this: You're changing the defaults of a contract by specifying what should be interpreted as reasonable authentication or not. Still, I don't agree with it, and it's something that should be left up to the courts, not Washingtonians and their lobbyists.
-Declan
On Fri, Sep 22, 2000 at 01:02:35PM -0400, Marcel Popescu wrote:
Another idiot who wants more laws:
Date: 17 Sep 2000 19:16:23 -0700
X-Loop: openpgp.net
From: "Carl Ellison" <cme@acm.org>
Subject: Re: Identity theft (PGN, RISKS-21.04)
I used to try to keep my SSN private -- then I realized that that's blaming the victim (me). It's not the SSN holder's fault that stores and other institutions use improper means for authenticating people. It's the store's fault.
Any information held by a credit bureau is public. So is any information held by any government agency, if I'm to believe the spam I get occasionally.
So, that information is not acceptable for authentication -- even in person, but especially online. It's not merely unacceptable when dealing with the credit bureau. The credit bureau poisons the information for everyone.
Now -- how do we get consumer protection laws that make it clear that a consumer is not liable for any debts incurred by someone claiming to be him/her unless there is irrefutable authentication during registration (e.g., videotape of the consumer signing up for the service)? This means killing all issuing of credit online, by mail, by phone, etc.
Maybe I'd stop getting all those credit-card applications in the mail....
[This opens a technical challenge: how can we authenticate anyone, if we rule out information that an attacker can get?]
- Carl
---
All inventions or works of authorship original to me, herein and past, are placed irrevocably in the public domain, and may be used or modified for any purpose, without permission, attribution, or notification.