Mail promising recipients incredible mortgage rates must rake in piles of Social Security numbers, driver's licence numbers, and bank account information.
The height of criminal gall was the message I received earlier this month. It warned that some of my internet provider's customers had been victims of identity theft, and I was directed to a well-crafted website ostensibly set up by my provider. I checked it out through a cloaking gateway. The site walked me through a maze of harmless questions and "please wait -- checking our records" delays to gain my trust, then it asked for my SSN for account verification.
InfoWorld readers wouldn't fall for this, but we all have countless family members and co-workers who would. For them, an internet-connected computer is an inherently trustworthy appliance. They're typing, not speaking. Nobody can listen in, therefore it must be safe. I can't succinctly explain certificates, signed email, triple DES, and reverse DNS to people who don't know how modems work. I tell them they can't trust the internet sometimes. But I can't explain when to trust and when not to. So, they either have too much faith or too much suspicion. How can I say, "Email that looks like it's from me might be forged," and "Don't open email that has such-and-such for a subject line," and expect them to go online at all?
As much as the tech elite likes to make fun of average internet users -- including nontechnical corporate users -- average users don't live in straw huts and communicate with drums. Most have flush toilets, cellphones, satellite TV, and caller ID, and use them appropriately. They're buried in technology, most of which is -- as it all should be -- invisible. But computers need constant care to keep their users safe. And just to get this out of the way, it is not Microsoft's fault that the internet is turning into a den of pickpockets. It isn't Gates' and Torvalds' duty to make the net a safe place.
We need to equip internet users with a voluntary, airtight system of digital identity. Arguments about complex technological and legislative solutions have stalled the issue. If you consider anonymity a basic right, keep it -- don't get an ID and don't check others'. But don't argue the issue solely from your viewpoint. Scams, thefts, and infections may just be a nuisance to you. If that's so, then put yourself in others' shoes. The vast majority of internet users aren't like you, and thus they are alarmingly vulnerable.
Create a single public standard for verifiable digital identity. Make it free and wholly voluntary. If it is implemented, I'll instruct all of my non-geek acquaintances to get an ID and to suspect communication from those who don't have one.
As steeped as I am in security knowledge, I would so welcome a reliable floodwall against hucksters and vandals that I'd turn away all unidentified traffic. Is that extreme? Won't that block legitimate anonymous contact? I'm way past caring about that. I no longer consider fending off muggers, and constantly patching the fences of those I care about, a sport.
Yager is the technical director of the InfoWorld Test Centre.