A while back, I stumbled across a series of posts by New Orleans sex worker Annie Calhoun on the subject of screening clients who contact her through the internet. I was especially struck by the degree of sophistication she shows in her thinking about security.
I realize that sounds condescending, but I don’t mean it that way. Corporate IT security managers would be thrilled if company employees understood security as well as Annie does.
I’m not a security expert, but as a software developer, I am somewhat familiar with the basic ideas behind information security, such as establishing a subject’s identity and controlling access to resources. What was especially fascinating to me about Annie’s posts is that — in part because she does business over the internet — many of her practices bear a striking resemblance to network security protocols.
Start with her section for newbies that explains why screening is necessary.
Just in case you don’t get where I’m going with this: This man was asking me to meet with him alone, in private, when he was completely unwilling to provide ANY information about himself whatsoever.
I know literally NOTHING about this man.
The man she’s talking about had sent her an email expressing his wish to meet her but did not want to provide screening information such as his name, employer, and phone number. This is a problem for Annie, because there are certain things she wants to establish about a potential client before she is willing to meet him alone in a private place:
For most of us, the client must:
- be someone we’re willing to spend time alone with,
- agree to provide the requested honorarium in the amount we’ve specified beforehand (on our websites, listings, etc.)
- be someone we feel is not a danger to our personal safety. We each have our own standards regarding what makes us feel safe.
(“Honorarium” is Annie’s way of saying she wants to be paid. Due to the legal climate, sex workers in America tend toward euphemism.)
In the world of information security, we might call the items in that list claims. They are assertions of fact about the client that Annie needs to establish before she will let him meet her. In a sense, Annie is specifying her access control requirements.
Speaking of which, I’m pretty sure that Annie’s access controls imply an additional implicit claim that she wants to establish about a client before she will meet him: Don’t be a cop. She doesn’t say this explicitly anywhere that I can see, but it seems like an obvious concern. (I’m guessing Annie doesn’t mention her no cops requirement because expressing a desire to hide from the police could be taken as evidence she’s doing something illegal.)
When discussing security, we often talk about establishing one’s identity, but in practice the details of an identity are linked to what the identity is used for.
For example, you can leave comments on this blog by signing in with your Twitter account. That doesn’t really tell me who you are, it just tells me you have the password to a Twitter account. So if @JohnSmith signs in, it doesn’t really prove that John Smith has left the comment. It literally only proves that the comment was left by someone with the password to the @JohnSmith Twitter account. That’s good enough for Twitter, and since I only want to offer people the ability to establish a secure history of comments, that’s good enough for me.
Annie’s got more at stake than I do, so she has more stringent requirements. Before getting further into those, however, let’s look at a screening method that doesn’t satisfy her requirements. She offers this fictionalized example:
My name is Bob Ross. You may have heard of me. I’m a painter, and I used to have my own TV show. Remember “happy little trees?” Yeah, I started that whole thing. Anyway, I want to meet with you tonight. I know it’s short notice, but I’m sure you can accommodate a slick guy like me.
Talk to you soon,
Bob Ross the TV Painter
That’s not going to work. It’s the equivalent of letting people comment with their Twitter handle without having to log in to Twitter. It doesn’t prove the claim that they are the owner of the Twitter account, it only proves they know the Twitter account exists. The only authority for the claim that they own the account is their own assertion that they do. In matters of security, such self-certifications are worth nothing as an authority for a claim. Similarly, Bob’s letter only proves he knows Bob Ross the TV Painter exists, and his self-certified assertion that he really is Bob Ross the TV Painter doesn’t actually prove that he is.
Going into a little more detail, when you sign in with Twitter, my server receives a message from the Twitter server telling me you correctly logged in to your Twitter account. I trust Twitter because their business model depends on them being a reliable authority for identity claims. I believe that the message came from Twitter because it is signed with a certificate that belongs to Twitter. I trust that the certificate belongs to Twitter because it is authenticated with a chain of certificates that ultimately ends with a top-level public certificate that came installed on my server. Once my blogging software has enough information to link all these things together, I know I can trust your comment to have come from your Twitter identity. I have established a chain of trust.
Annie’s problem with Bob’s insistence that she just Google him is that so far there’s no chain of trust. There’s actually only one trustworthy claim she has about him: That he controls the [email protected] email account. The chain of trust for that claim runs through her email provider, which allows her to exchange email with Bob at that address.
Google does tell her a lot of things about Bob Ross the TV Painter, with all the authority of whatever public news stories and websites it finds for her, but it does not close the chain of trust: It doesn’t prove that Bob Ross the TV Painter is the same person as the owner of the [email protected] mailbox.
This problem can be hard to understand when you’re on the other side of it. After all, you know who you are, right? It’s hard to figure out where the gaps are from the other person’s point of view. I’ve run into this a few times when I missed paying a bill and somebody called to ask for their money. I have to explain to them that while I apologize for my error, and I promise to pay as quickly as possible, there is absolutely no way I’m giving my credit card number to a stranger who called me. If I had called them at their public customer service number, that would establish a chain of trust I could believe in, but when they call me, I have no proof that they are who they say they are.
Annie understands these things, and she goes through some trouble to explain several possible chains of trust to Bob:
What I need is an email address that is associated with you publicly and professionally. For instance, if you work for PBS, and the PBS website lists Bob Ross’s email address as [email protected], that will work perfectly. You can either shoot me a quick email from that account, or I can contact you through that address and you can reply that you’ve received that message. Then, I’ll know that you are really Bob Ross, the TV Painter.
The chain of trust is pretty clear. Annie trusts her email provider, so she trusts the claim that email from [email protected] is from whoever controls the [email protected] email address. As for the claim that the owner of [email protected] is Bob Ross the TV Painter, Annie trusts that Bob’s employer wouldn’t put fake contact information on its public website, so if they say that Bob Ross the TV Painter has the email address [email protected], that’s enough to authenticate the claim for her. She now trusts that she’s talking with Bob Ross the TV Painter.
But perhaps Bob Ross is afraid to use his work email address for his dalliances with harlots. That’s why Annie offers a second option: She’ll send him something through his public address, and then he can respond to it through the [email protected] address, thus extending the chain of trust to that address. In other words, Annie has reinvented the computer science concept of a bearer token.
When you log in to your bank’s website, you provide your credentials — your username and password — in order to access the first page of the site. In return, the server generates a cryptographically secure token — basically some random data that would be hard for someone else to guess — and sends it back to your browser. After that, as you navigate around the website, whenever you click to bring up a new page, the browser sends the token along with the page request. (In browser terminology, the token is a cookie.) Since the server knows it gave out that token to a user who provided valid credentials for your account, possession of the token proves you are the owner of the account without your having to send along the username and password with every request.
Annie’s plan works the same way. She can send a message like this to Bob’s public account, referring to a randomly made-up order amount and using a made-up name (this is my example, not hers):
Thank you for your order. Your credit card will be billed $21.57.
Margaret P. Granholm
Bob can then respond from the private account that he used to contact Annie earlier:
Got your message. Here’s the information you asked for: The amount is $21.57 and the sales associate’s name was Margaret P. Granholm.
Talk to you soon,
Bob Ross the TV Painter
The public websites establish the chain of trust to assure her that [email protected] is controlled by Bob Ross the TV Painter. And since she sent that address a token composed of the made-up name and amount, she knows that anyone who has that information must be Bob Ross the TV Painter, so when she gets that token back via the [email protected] address, she can close the loop and verify that [email protected] really is Bob Ross the TV Painter.
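The same loop as an added sketch in Python (not code from Annie's posts or from this blog): a one-time token is sent to the already-verified address and must come back from the claimed address before the two are linked. The class name, the addresses and the ten-minute lifetime are assumptions made for the example, and it assumes, as the post does, that mail from an address really comes from whoever controls it.

```python
import hmac
import secrets
import time

PUBLIC = "bob@employer.example"   # constructed sample: already verified via the public website
PRIVATE = "bob@webmail.example"   # constructed sample: ownership still unproven

class ChannelBinder:
    """Extends trust from a verified address to a claimed one with a one-time token."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # claimed address -> (token, verified address, expiry)
        self.bound = {}    # claimed address -> verified address it is now tied to

    def issue(self, verified_addr, claimed_addr):
        token = secrets.token_urlsafe(16)  # 128 random bits, unlike a short made-up amount
        self.pending[claimed_addr] = (token, verified_addr, self.clock() + self.ttl)
        return token  # the caller must deliver this only to verified_addr

    def redeem(self, from_addr, presented):
        entry = self.pending.get(from_addr)
        if entry is None:
            return False  # no challenge outstanding for this sender
        token, verified_addr, expiry = entry
        if self.clock() > expiry:
            del self.pending[from_addr]
            return False  # stale tokens are dropped
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False  # wrong value; the challenge stays open
        del self.pending[from_addr]  # single use: a replay finds nothing
        self.bound[from_addr] = verified_addr
        return True

def demo():
    now = [0.0]  # fake clock so expiry can be shown without waiting
    binder = ChannelBinder(ttl_seconds=600, clock=lambda: now[0])
    token = binder.issue(PUBLIC, PRIVATE)
    results = {
        "wrong_sender": binder.redeem("stranger@webmail.example", token),
        "wrong_token": binder.redeem(PRIVATE, "21.57 Margaret P. Granholm"),
        "correct": binder.redeem(PRIVATE, token),
        "replay": binder.redeem(PRIVATE, token),
    }
    late = binder.issue(PUBLIC, PRIVATE)
    now[0] = 601.0
    results["expired"] = binder.redeem(PRIVATE, late)
    return results, dict(binder.bound)
```

Only the reply that carries the right token from the claimed address closes the loop; a guess, a replay, a late reply or a reply from some other address leaves the private address unlinked.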
She further explains a similar technique over the phone:
Alternatively, you can supply a phone number that is traceable to you. Let’s use the PBS example. PBS lists Bob Ross’s office contact number as (504) 555-5555. I can call that number and ask to speak to Bob Ross, and all you have to say is “Yes Annie, it’s me,” and I’ll know I’ve been emailing back and forth with the right guy.
She also explains how the chain of trust can be broken:
However, if you only supply me with a phone number for a prepaid phone, or a number that, when Googled, is not attached to your name or business, that doesn’t really help me.
Backing away from the details a bit, the purpose of all this is to establish that [email protected] is a client that Annie can do business with rather than somebody who will hurt or arrest her. It’s possible to do this more directly:
And if neither of those methods works for you, you can also provide references (names and contact info or websites) from two established professional companions/providers/escorts you’ve met with in the past. I’ll contact them to make sure you’re safe and a gentleman. When they respond positively, I’ll get back to you and we can set up an appointment.
Elsewhere she clarifies the information she needs about the other escorts:
Generally, when we ask for references, we’re looking for a name, email address, and a link to a website. For example:
- Annie Calhoun
- NOLAcourtesan.com (or the url, whatever)
- [email protected]
This way, the provider can look at my website and see that I’m legit (or even search for my name on various ad, screening, and networking sites) before contacting me.
Notice again, the careful chain of trust: From the public website to the email address to the escort’s emailed verification that the client is safe.
One thing we might wonder is why Annie puts so much trust in public websites. How much does a website really prove? Couldn’t a cop or a serial killer set up fake escort sites? The short answer is that although public websites aren’t hard to set up, they do require an order of magnitude more work than getting a Gmail address. That additional work will tend to screen out some bad actors.
Again, this is a common technique in information security. For example, it’s used in password storage systems to resist password guessing. Passwords are stored in a hashed format that is computationally expensive to test, so even if a hacker obtains a hashed password, it will be time-consuming to test password guesses.
Annie’s basic goal here is to pick verification techniques that are difficult for someone to spoof. A malicious person would have to plan ahead by setting up two fake escort websites with email addresses. And while setting up a website isn’t very hard, it’s considerably harder to set up a convincing website, especially for someone like Annie, who’s actually in the business. She could easily research the other escorts to determine their legitimacy.
To show how this works, let’s use Annie’s own website as an example, and look for signs that she’s legitimate. We can see that her WHOIS entry shows that her domain was registered in March of 2012 and the Wayback Machine starts picking up content from it in May of that year. Furthermore, Annie has purchased an advertising page on the Eros guide for New Orleans and at Preferred 411, and before they shut down U.S. access, she had reviews on The Erotic Review from 2012. Annie is also active on Twitter, and her website and Twitter bio link to each other to close the trust loop.
All of this is evidence of an internet presence going back for years, which is a strong indicator of legitimacy. If the Annie Calhoun identity was only created so that someone could give out fake escort references, the perpetrator must have gone through a lot of trouble to set all this up, and they’ve somehow maintained the fiction for six years without anyone blowing the whistle on them. It seems far more likely that Annie Calhoun is a legitimate escort who began working six years ago, which means that a reference from her is most likely legitimate.
It’s worth noting that Annie doesn’t have to do all the work herself. The online escort industry is large enough that it has spawned a services industry to support it, and escorts like Annie have been able to use screening services to do some of the work. The feds have been shutting things down lately (in their effort to stop sex work by making it more dangerous), but in the past, Date-Check performed screening, The Erotic Review had some kind of whitelist for clients that allowed escorts to vouch for them, and Preferred 411 did both screenings and escort endorsements.
In computer security terms, these sites act as trusted third parties that verify claims. Some of the sites issue ID codes that escorts can check and others use email addresses, but all of them eventually provide a chain of trust between the potential client and some information that can be used to judge whether he’ll make a good client.
It turns out that a lot of potential clients don’t want to cooperate with the screening process because they don’t like revealing their identity to a stranger. That makes things difficult, but note that Annie’s screening goals — “someone we’re willing to spend time alone with…agree to provide the [correct payment]…be someone we feel is not a danger to our personal safety” — do not include knowing the client’s true name.
Getting the person’s true name is usually a practical requirement for screening, but we could imagine other ways of establishing trust. For example, if several other legitimate sex workers say that they met the person at the [email protected] email address, and he was a great client, that might be good enough. His control over the email address proves he’s the person the other sex workers met, and their references establish his safety. Annie might consider that sufficiently strong evidence that he meets her standards even if she does not know his name. (Or not. I can’t speak for Annie.) The referring sex workers might not establish that the owner of the [email protected] address is Bob Ross the TV Painter, but they do help establish the other claims Annie is interested in, such as agreeable personality, ability to pay, and safety.
Again, Annie doesn’t have to do all of this for herself. If she works for an agency or a brothel, they may provide the screening services. The computer security equivalent would be a trusted third party that enforces compliance with certain standards, such as workflow orchestration services like IFTTT and Zapier, or business coordination services like athenahealth medical billing or QuickBooks payment processing.
I find it fascinating that American sex workers face some of the same security problems as software engineers, and that they solve them in analogous ways. Annie’s thoughts on issues of identity are particularly clear, and they parallel a lot of modern thinking about identity on the internet. If more people learned to think about these issues the way Annie does, a lot fewer people would fall for phishing schemes and other con games.