CDR: Re: RISKS
Declan McCullagh
declan at well.com
Fri Sep 22 19:22:27 PDT 2000
Carl is most certainly not an idiot. In fact, there might be a reasonable
argument for this: You're changing the defaults of a contract by specifying
what should be interpreted as reasonable authentication or not. Still,
I don't agree with it, and it's something that should be left up to the
courts, not Washingtonians and their lobbyists.
-Declan
On Fri, Sep 22, 2000 at 01:02:35PM -0400, Marcel Popescu wrote:
> Another idiot who wants more laws:
>
> Date: 17 Sep 2000 19:16:23 -0700
> X-Loop: openpgp.net
> From: "Carl Ellison" <cme at acm.org>
> Subject: Re: Identity theft (PGN, RISKS-21.04)
>
> I used to try to keep my SSN private -- then I realized that that's blaming
> the victim (me). It's not the SSN holder's fault that stores and other
> institutions use improper means for authenticating people. It's the store's
> fault.
>
> Any information held by a credit bureau is public. So is any information
> held by any government agency, if I'm to believe the spam I get
> occasionally.
>
> So, that information is not acceptable for authentication -- even in person,
> but especially online. It's not merely unacceptable when dealing with the
> credit bureau. The credit bureau poisons the information for everyone.
>
> Now -- how do we get consumer protection laws that make it clear that a
> consumer is not liable for any debts incurred by someone claiming to be
> him/her unless there is irrefutable authentication during registration
> (e.g., videotape of the consumer signing up for the service). This means
> killing all issuing of credit online, by mail, by phone, etc.
>
> Maybe I'd stop getting all those credit-card applications in the mail....
>
> [This opens a technical challenge: how can we authenticate anyone, if we
> rule
> out information that an attacker can get?]
>
> - Carl
>
> ---
> All inventions or works of authorship original to me,
> herein and past, are placed irrevocably in the public
> domain, and may be used or modified for any purpose,
> without permission, attribution, or notification.
>
>
>
>
>
More information about the cypherpunks-legacy
mailing list