CDR: Re: RISKS

Declan McCullagh declan at well.com
Fri Sep 22 19:22:27 PDT 2000 

Carl is most certainly not an idiot. In fact, there might be a reasonable
argument for this: You're changing the defaults of a contract by specifying
what should be interpreted as reasonable authentication or not. Still,
I don't agree with it, and it's something that should be left up to the
courts, not Washingtonians and their lobbyists.

-Declan


On Fri, Sep 22, 2000 at 01:02:35PM -0400, Marcel Popescu wrote:
> Another idiot who wants more laws:
> 
> Date: 17 Sep 2000 19:16:23 -0700
> X-Loop: openpgp.net
> From: "Carl Ellison" <cme at acm.org>
> Subject: Re: Identity theft (PGN, RISKS-21.04)
> 
> I used to try to keep my SSN private -- then I realized that that's blaming
> the victim (me).  It's not the SSN holder's fault that stores and other
> institutions use improper means for authenticating people.  It's the store's
> fault.
> 
> Any information held by a credit bureau is public.  So is any information
> held by any government agency, if I'm to believe the spam I get
> occasionally.
> 
> So, that information is not acceptable for authentication -- even in person,
> but especially online.  It's not merely unacceptable when dealing with the
> credit bureau.  The credit bureau poisons the information for everyone.
> 
> Now -- how do we get consumer protection laws that make it clear that a
> consumer is not liable for any debts incurred by someone claiming to be
> him/her unless there is irrefutable authentication during registration
> (e.g., videotape of the consumer signing up for the service).  This means
> killing all issuing of credit online, by mail, by phone, etc.
> 
> Maybe I'd stop getting all those credit-card applications in the mail....
> 
> [This opens a technical challenge: how can we authenticate anyone, if we
> rule
> out information that an attacker can get?]
> 
>  - Carl
> 
> ---
> All inventions or works of authorship original to me,
> herein and past, are placed irrevocably in the public
> domain, and may be used or modified for any purpose,
> without permission, attribution, or notification.
> 
> 
> 
> 
>

More information about the cypherpunks-legacy mailing list