Carl is most certainly not an idiot. In fact, there might be a reasonable argument for this: You're changing the defaults of a contract by specifying what should be interpreted as reasonable authentication or not. Still, I don't agree with it, and it's something that should be left up to the courts, not Washingtonians and their lobbyists. -Declan On Fri, Sep 22, 2000 at 01:02:35PM -0400, Marcel Popescu wrote:

Another idiot who wants more laws:

Date: 17 Sep 2000 19:16:23 -0700 X-Loop: openpgp.net From: "Carl Ellison" <cme@acm.org> Subject: Re: Identity theft (PGN, RISKS-21.04)

I used to try to keep my SSN private -- then I realized that that's blaming the victim (me). It's not the SSN holder's fault that stores and other institutions use improper means for authenticating people. It's the store's fault.

Any information held by a credit bureau is public. So is any information held by any government agency, if I'm to believe the spam I get occasionally.

So, that information is not acceptable for authentication -- even in person, but especially online. It's not merely unacceptable when dealing with the credit bureau. The credit bureau poisons the information for everyone.

Now -- how do we get consumer protection laws that make it clear that a consumer is not liable for any debts incurred by someone claiming to be him/her unless there is irrefutable authentication during registration (e.g., videotape of the consumer signing up for the service). This means killing all issuing of credit online, by mail, by phone, etc.

Maybe I'd stop getting all those credit-card applications in the mail....

[This opens a technical challenge: how can we authenticate anyone, if we rule out information that an attacker can get?]

- Carl

--- All inventions or works of authorship original to me, herein and past, are placed irrevocably in the public domain, and may be used or modified for any purpose, without permission, attribution, or notification.

On Mon, 25 Sep 2000, Marcel Popescu wrote:

In my opinion, everything should be left to the market to solve, and nothing to politicians. I'd agree with you about the courts if they were private.

If people played 'fair' and actualy stayed within the very limiting confines of theoretical free markets this would work (probably). Unfortunately people don't work that way so it won't work that way. By the time the market can collect the information the abusers are hidding it's too late for the market to correct. In human socieities there must be some form of 3rd party arbitration/regulation. Now the question as to whether this is best served by a central power structure or a more distibuted one (e.g. polyocracy) is an open question. I would say historical evidence shows the distributed model is better because it works on a more local and familiar level. ____________________________________________________________________ He is able who thinks he is able. Buddha The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------