1996-04-28 - Re: www.WhoWhere.com selling access to my employer’s passwd file

Header Data

From: Rich Graves <llurch@networking.stanford.edu>
To: Black Unicorn <unicorn@schloss.li>
Message Hash: d85401bb8cf13f2c7e1da93b4f663a5a5fa0b24d124f772d0466b2b844d55547
Message ID: <Pine.GUL.3.93.960427214213.9901G-100000@Networking.Stanford.EDU>
Reply To: <Pine.SUN.3.93.960427225005.24829J-100000@polaris.mindport.net>
UTC Datetime: 1996-04-28 10:19:04 UTC
Raw Date: Sun, 28 Apr 1996 18:19:04 +0800

Raw message

From: Rich Graves <llurch@networking.stanford.edu>
Date: Sun, 28 Apr 1996 18:19:04 +0800
To: Black Unicorn <unicorn@schloss.li>
Subject: Re: www.WhoWhere.com selling access to my employer's passwd file
In-Reply-To: <Pine.SUN.3.93.960427225005.24829J-100000@polaris.mindport.net>
Message-ID: <Pine.GUL.3.93.960427214213.9901G-100000@Networking.Stanford.EDU>
MIME-Version: 1.0
Content-Type: text/plain


On Sat, 27 Apr 1996, Black Unicorn wrote:
> > > [Unicorn of Color:]
> > > Use a nym.
> >[Me:]
> > This doesn't necessarily help if you work or study at a large institution
> > (stanford.edu, for example).
> [Unicorn of Color:]
> I think you took my comment in a smaller scope than it was intended.
> 
> Use a nym.  If you want absolute privacy, work and study under a nym.
> It's hardly difficult, you just have to start early.

I disagree that it's "hardly difficult" for most normal people. There are
bits and pieces of helpful information around, but they tend to be in
tax-protester-type rags that also contain a lot of loony stuff guaranteed
to land you in jail. And many of them are just snake oil scams themselves.
You know the difference, but I'm only starting to learn to, and Joe Schmo
hasn't a chance.

Anyway, I can't work for an organization like Stanford University without
a real name and Social Security number. In theory, I suppose, that real
name and Social Security number don't need to be the only ones I have.

> Depending on someone else (university, employer, government,
> phone company etc.) to protect data for you is, in my view, foolish.

In this case, I am the "someone else." How do I behave responsibly when I
have thousands of people coming in every Fall with no clue about privacy
issues?

I have to go after the leaks. Of course I know that none of my clients has
any real security or privacy, but stopping such information from being
trivially available on public web servers at least helps stave off the
random nutcase. Restricting the field to more specific nutcases, with or
without official titles, helps with the threat profile.

It was an uphill battle just to delink identity, location, and DNS
registration. It used to be that you could pinpoint a student's name,
address, and telephone number by their personal computer's static IP
address. They weren't even told that this was possible. On yesterday's
lovey-dovey research/educational Internet where everybody trusted
everybody else, it was just more efficient for troubleshooters and system
administrators to know where everybody was. Now, it's a scarier world, and
we all know that, but it's tough convincing people to change a system that
works. 

My personal choice has been (near-) complete openness, because I
ironically feel more secure if it is trivial for certain very specific
nutcases to verify that I pose no threat to them. I do not wish my enemies
to be paranoid. Paranoid people break things. I've chosen the security of
the high ground rather than the security of the cave. Of course, I'm
learning to keep my personal life personal, and one day, I might find it
useful to disappear.

-rich





