On vetting Internet communication

We all remember when Sarah Palin thought she was talking with France’s Président de la République, Nicolas Sarkozy. How silly! She should have known. Certainly, the prankster gave her plenty of obvious clues.

Ha, ha!

But easy though it be to make fun of her for it, identifying who’s really on the other end of a conversation — by phone, or by Internet — is a difficult problem. No less a source than the New York Times got caught in a similar trap with a letter purporting to come from Bertrand Delanoë, the mayor of Paris, in late December (see the Editor’s Note that’s appended to the letter).

In reaction to that embarrassment, the Times published this last weekend:

A few weeks ago, as many of you will recall, we published what turned out to be a fake letter over the name of the mayor of Paris, whose office later confirmed that he did not write it. We apologized to him, and to you, the readers. And since then, we have worked to tighten our verification system for letters and enforce it more rigorously.

We encourage our readers to keep writing letters, of course, and we are all for full and vigorous (but civil) debate. But we are asking for your help as we “trust but verify.”

From now on we will adhere unfailingly to our existing standards: we will consider only letters with full contact information — your name, address, current location and daytime and evening telephone numbers (not for publication). If your letter is being considered, we will call you and send back an edited version for your approval before publication.


The readers of this page deserve to know that the letters we publish are legitimate. While no verification procedure involving strangers and operating on a degree of trust can be completely foolproof, we will work to ensure that an error like this doesn’t happen again.

That’s certainly a laudable goal, verifying the source of every letter they publish, but I’m quite certain that it’s impossible to do in general. For a letter purporting to come from a public figure, such as Mayor Delanoë, of course, it’s trivial: the paper can easily contact the mayor’s office directly, independent of the information supplied in the letter. But what about a letter from Joe Sixpack — or Barry Leiba?

As we know from the worlds of computer logins and customer service centers, the key to authentication — verifying the identity that’s provided to us — is having some mechanism that’s independent of the communication at hand. Before you can log in to your bank’s web site, you have to have set up a shared secret using some other mechanism. If you call for customer service, you’ll be asked questions that attempt to confirm that you have enough information about yourself and your account that you probably — to a level of certainty that satisfies them — are who you say you are.

But when you write to the New York Times, and you’re not a well-known figure, the only information they can depend on having is contained in the communication itself. Requiring you to provide full contact information will filter out some of the true cranks, to be sure. For others, though, it’s easy enough to give bogus contact information, so that when they call to confirm, the call and the confirmation will go off without a hitch... and yet they’ll still be publishing a letter that isn’t from who it says it is.

Maybe that doesn’t matter. No one would really care to spoof a letter from me, and a letter saying it’s from Governor Paterson would likely be challenged by an independent call to the governor’s office. But what about someone in between? There are plenty of people whose names might carry more credibility than mine would, whose names people might want to falsely attach to letters to the editor, who would nevertheless not likely be subject to independent verification.

This is all related to the spam we get. Some of it is crafted to “come from” the IRS, or some such, and we — most of us, anyway — know that it doesn’t, really. Some of it says it comes from such non-existent folks as — to take some examples from my recent batch — “Daisy”, “Brittany”, “Hernando Mangold”, “Rodney Cluff”, and, um, “Ruby Hardon” (get it?). We don’t worry about those. But there’s the in-between stuff, the ones that spoof the identities of real people, and we, those of us who try to filter the junk out, have to deal with it appropriately.

Is the Times really going to hire a whole staff to check these things? Or, more likely, are we all going to just accept that authentication of this type of communication is hard to do, and that mistakes will be made?

