Re: Comment on Turing document - identifying a human vs. an individua l from Charles McCathieNevile on 2003-11-08 (wai-xtech@w3.org from November 2003)

From: Charles McCathieNevile <charles@sidar.org>
Date: Sat, 8 Nov 2003 11:38:59 +0000
To: Al Gilman <asgilman@iamdigex.net>
Cc: Michael Cooper <michaelc@watchfire.com>, <wai-xtech@w3.org>
Message-Id: <2506D408-11E0-11D8-A531-000A958826AA@sidar.org>

This is related to the problem that IMS approached in profiling - 
people don't want to give away more information than is required for a 
particular purpose. P3P also had to address this issue. In principle a 
federated identity system should allow for this flexibility.

But there is nothing to prevent people from generating a million 
federated identities automatically. I have created federated identities 
for non-existent people without much difficulty - unless you have a 
reliable certification authority this will continue to allow spammers 
to do so.

There are also potential serious security concerns raised by federated 
identity systems in current deployment...

But Al's pipe dream is my paranoid nightmare. When someone in a small 
business in Columbia writes to me in the fervent hope that I will look 
at Blindux, the idea that they should put up a deposit that I can just 
decide to keep is going to be a large disincentive. But not to have 
discovered that the system exists would have cost me a great deal.

cheers

Chaals

On Friday, Nov 7, 2003, at 22:29 Europe/Lisbon, Al Gilman wrote:

>
> At 03:44 PM 2003-11-07, Michael Cooper wrote:
>
>> I just reviewed http://www.w3.org/TR/2003/WD-turingtest-20031105/ and 
>> would
>> like to comment a couple of the proposed solutions. The Federated 
>> Identity
>> Systems provide the ability for people to identify themselves to a 
>> Web site,
>> and implicitly to identify that they are human, not a robot. A 
>> concern with
>> this is that it requires the user to identify themselves uniquely, not
>> simply prove they are human, which is the goal. This raises a privacy
>> concern, that you must identify yourself to the maintainer of a free
>> resource that otherwise allows anonymous access to humans. While some
>> resources, by their nature, require specific identifying information, 
>> others
>> can (even should) permit anonymous access and the Turing test should 
>> support
>> that.
>>
>> I propose that this consideration be included in the commentary in a 
>> future
>> draft.
>
> Good point.
>
>
> My favorite pipe dream on the spam front is to apply economic pressure.
> Make the unrecognized person requesting access to your inbox pony up a
> deposit.  If the recipient considers the message a spam, they keep the
> deposit.  If they say the message is OK, the sender keeps the deposit.
> It's that simple.  Would separate advertisers that people welcome from
> spammers who live off the unrealistically free cost of IP.
>
--
Charles McCathieNevile                          Fundación Sidar
charles@sidar.org                                http://www.sidar.org

Received on Saturday, 8 November 2003 06:41:06 UTC