gnu@toad.com (John Gilmore) (03/01/90)
jgro@apldbio.com (Jeremy Grodberg) wrote:

> When calls are placed from the subscriber's phone, the fictitious id# is
> displayed instead of the real phone number. Since this number is tied to a
> phone number, it serves the same identification purpose: A recipient
> who is familiar with the number knows what phone a call is coming
> from, if they are familiar with the number displayed.

The flaw in this scheme is that it assumes that called parties will not cooperate to exchange information about you. Since the fictitious id is the same every time you make a call, anybody could look up your fictitious ID in the TRW credit database and immediately get access to your full address, credit history, and true phone number. All it takes for your fictitious ID to be entered in the TRW database is for you to phone up Sears or Amex from your phone and during the course of your conversation, identify yourself to them in some other way (e.g. by name and address to ship something to). Sears would have a two-way agreement with TRW that they will provide info as well as looking up info (that's how all the current credit reporting works). The anonymity you fought so hard for in the "great CPID debates" would be gone a month after they installed the system.

To really provide privacy to the caller, a different random fictitious ID could be provided to each callee. This would permit each callee to determine that they are being called from the same phone as previous calls, but not let two callees correlate information about the caller. Note the two parts of that: You could tell that someone in Joe's house is calling since it always displays 1234567 when that house calls you. (Of course, you have no idea if Joe is calling you or not -- it could be the plumber or pizza delivery driver phoning from Joe's. That wouldn't stop businesses from assuming that such a person was authorized to transact business for Joe, but that's off the topic.)
The second part is that various people who are called from Joe's house would not be able to cross-correlate to determine that they are both being called by Joe or his plumber. Imagine the TRW database again. Under the randomizing scheme, only a company to whom you had provided other identification (such as your name, credit card number, etc.) would be able to look you up -- though they can pull up your info from your CPID on subsequent calls. But if you tell Sears this info, and Sears tells TRW, Amex will still not be able to use it, since Amex will not see your CPID as 1234567 the same way Sears does.

David Chaum wrote a paper on this which explains it better than I can. He calls these randomized identifiers "digital pseudonyms" and the intent is that you use a different one with everyone you do business with. He has built cryptosystems that implement this securely in smart cards. It's called "Security without Identification: Card Computers to make Big Brother Obsolete". Copies are available from him at chaum@cwi.nl. An earlier version of the paper was in CACM, Oct 1985.

I would much rather that the telcos started selling phones and pay phones with a slot for a cryptographically secure smart card to establish credentials (like identification or creditworthiness) or do small data transfers. But that would be a lot more work than forcing CPID on the public. So what if it would provide both real security and real privacy? Businesses and government would rather have your life history in front of them, and most individuals don't care enough to object or propose better things.
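The two schemes contrasted in the post, replayed as an added illustration that is not part of the original message and is not Chaum's construction: a single fixed fictitious ID per phone versus a pseudonym that differs per callee. Where the post says the per-callee IDs would be "random", the code below assumes the telco derives them with a keyed hash (HMAC) over the caller/callee pair, which gives the same stable-per-pair behaviour without the telco keeping a lookup table; the telco key, the phone numbers and the merchant records are all constructed sample values.

```python
import hmac
import hashlib

# Constructed example key; a real telco secret would never appear in source.
TELCO_SECRET = b"constructed-example-telco-key"


def _seven_digits(tag: bytes) -> str:
    """Render the first 4 bytes of a MAC as a 7-digit displayed ID (like 1234567)."""
    return str(int.from_bytes(tag[:4], "big") % 10_000_000).zfill(7)


def global_pseudonym(caller: str, callee: str) -> str:
    """Scheme criticised in the post: one fixed fictitious ID per phone.
    The callee is ignored, so every party Joe calls sees the same ID."""
    tag = hmac.new(TELCO_SECRET, caller.encode(), hashlib.sha256).digest()
    return _seven_digits(tag)


def per_callee_pseudonym(caller: str, callee: str) -> str:
    """Per-callee pseudonym: keyed PRF over the (caller, callee) pair.
    Assumption: HMAC stands in for the post's 'random' IDs; the telco key
    is what stops a callee from recomputing another callee's view."""
    msg = caller.encode() + b"\x00" + callee.encode()
    tag = hmac.new(TELCO_SECRET, msg, hashlib.sha256).digest()
    return _seven_digits(tag)


def run_scenario(pseudonym):
    """Replay the post's Sears/Amex/TRW scenario under a pseudonym function.

    Returns (sears_recognises_repeat_call, records_trw_could_link)."""
    joe = "415-555-0100"                            # constructed subscriber line
    sears, amex = "800-555-0001", "800-555-0002"    # constructed merchant lines

    # Each merchant keeps its own table: displayed ID -> what it learned.
    sears_db, amex_db = {}, {}

    # Call 1: Joe orders from Sears and gives name/address for shipping.
    sears_db[pseudonym(joe, sears)] = {"name": "Joe", "address": "1 Main St"}
    # Call 2: Joe calls Sears again; Sears checks whether it knows this ID.
    sears_recognises_repeat = pseudonym(joe, sears) in sears_db
    # Call 3: Joe calls Amex without identifying himself; Amex logs the ID.
    amex_db[pseudonym(joe, amex)] = {"name": None}

    # TRW-style aggregation: join both merchants' tables on the displayed ID.
    # With a global ID the join succeeds and Amex learns Joe's identity;
    # with per-callee IDs the two tables share no key and nothing links.
    trw_linked = {
        cid: {**amex_db[cid], **sears_db[cid]}
        for cid in sears_db.keys() & amex_db.keys()
    }
    return sears_recognises_repeat, trw_linked


if __name__ == "__main__":
    for name, fn in (("global", global_pseudonym), ("per-callee", per_callee_pseudonym)):
        repeat, linked = run_scenario(fn)
        print(f"{name:10s} repeat-caller recognised: {repeat}, TRW-linkable records: {linked}")
```

Both schemes let Sears recognise Joe's second call, which is the property the post wants to keep; only the per-callee scheme leaves the TRW join empty, which is the property the post says the fixed ID loses.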