A while back, I stumbled across a series of posts by New Orleans sex worker Annie Calhoun on the subject of screening clients who contact her through the internet. I was especially struck by the degree of sophistication she shows in her thinking about security.

I realize that sounds condescending, but I don’t mean it that way. Corporate IT security managers would be thrilled if company employees understood security as well as Annie does.

I’m not a security expert, but as a software developer, I am somewhat familiar with the basic ideas behind information security, such as establishing a subject’s identity and controlling access to resources. What was especially fascinating to me about Annie’s posts is that — in part because she does business over the internet — many of her practices bear a striking resemblance to network security protocols.

Start with her section for newbies that explains why screening is necessary.

Just in case you don’t get where I’m going with this: This man was asking me to meet with him alone, in private, when he was completely unwilling to provide ANY information about himself whatsoever.

[…]

I know literally NOTHING about this man.

The man she’s talking about had sent her an email expressing his wish to meet her but did not want to provide screening information such as his name, employer, and phone number. This is a problem for Annie, because there are certain things she wants to establish about a potential client before she is willing to meet him alone in a private place:

For most of us, the client must:

• be someone we’re willing to spend time alone with,
• agree to provide the requested honorarium in the amount we’ve specified beforehand (on our websites, listings, etc.)
• be someone we feel is not a danger to our personal safety.  We each have our own standards regarding what makes us feel safe.

(“Honorarium” is Annie’s way of saying she wants to be paid. Due to the legal climate, sex workers in America tend toward euphemism.)

In the world of information security, we might call the items in that list claims. They are assertions of fact about the client that Annie needs to establish before she will let him meet her. In a sense, Annie is specifying her access control requirements.

Speaking of which, I’m pretty sure that Annie’s access controls imply an additional implicit claim that she wants to establish about a client before she will meet him: Don’t be a cop. She doesn’t say this explicitly anywhere that I can see, but it seems like an obvious concern. (I’m guessing Annie doesn’t mention her no cops requirement because expressing a desire to hide from the police could be taken as evidence she’s doing something illegal.)

When discussing security, we often talk about establishing one’s identity, but in practice the details of an identity are linked to what the identity is used for.

For example, you can leave comments on this blog by signing in with your Twitter account. That doesn’t really tell me who you are, it just tells me you have the password to a Twitter account. So if @JohnSmith signs in, it doesn’t really prove that John Smith has left the comment. It literally only proves that the comment was left by someone with the password to the @JohnSmith Twitter account. That’s good enough for Twitter, and since I only want to offer people the ability to establish a secure history of comments, that’s good enough for me.

Annie’s got more at stake than I do, so she has more stringent requirements. Before getting further into those, however, let’s look at a screening method that doesn’t satisfy her requirements. She offers this fictionalized example:

To: [email protected]
From: [email protected]
Subject: Appointment with you tonight

Hey Annie,

My name is Bob Ross. You may have heard of me. I’m a painter, and I used to have my own TV show. Remember “happy little trees?” Yeah, I started that whole thing. Anyway, I want to meet with you tonight. I know it’s short notice, but I’m sure you can accommodate a slick guy like me.

Talk to you soon,

Bob Ross the TV Painter

That’s not going to work. It’s the equivalent of letting people comment with their Twitter handle without having to login to Twitter. It doesn’t prove the claim that they are the owner of the Twitter account, it only proves they know the Twitter account exists. The only authority for the claim that they own the account is their own assertion that they do. In matters of security, such self-certifications are worth nothing as an authority for a claim. Similarly, Bob’s letter only proves he knows Bob Ross the TV Painter exists, and his self-certified assertion that he really is Bob Ross the TV Painter doesn’t actually prove that he is.

Going into a little more detail, when you sign in with Twitter, my server receives a message from the Twitter server telling me you correctly logged in to your Twitter account. I trust Twitter because their business model depends on them being a reliable authority for identity claims. I believe that the message came from Twitter because it is signed with a certificate that belongs to Twitter. I trust that the certificate belongs to Twitter because it is authenticated with a chain of certificates that ultimately ends with a top-level public certificate that came installed on my server. Once my blogging software has enough information to link all these things together, I know I can trust your comment to have come from your Twitter identity. I have established a chain of trust.

Annie’s problem with Bob’s insistence that she just Google him is that so far there’s no chain of trust. There’s actually only one trustworthy claim she has about him: That he controls the [email protected] email account. The chain of trust for that claim runs through her email provider, which allows her to exchange email with Bob at that address.

Google does tell her a lot of things about Bob Ross the TV Painter, with all the authority of whatever public news stories and websites it finds for her, but it does not close the chain of trust: It doesn’t prove that Bob Ross the TV Painter is the same person as the owner of the [email protected] mailbox.

This problem can be hard to understand when you;re on the other side of it. After all, you know who you are, right? It’s hard to figure out where the gaps are from the other person’s point of view. I’ve run into this a few times when I missed paying a bill and somebody called to ask for their money. I have to explain to them that while I apologize for my error, and I promise to pay as quickly as possible, there is absolutely no way I’m giving my credit card number to a stranger who called me. If I had called them at their public customer service number, that would establish a chain of trust I could believe in, but when they call me, I have no proof that they are who they say they are.

Annie understands these things, and she goes through some trouble to explain several possible chains of trust to Bob:

What I need is an email address that is associated with you publicly and professionally. For instance, if you work for PBS, and the PBS website lists Bob Ross’s email address as [email protected], that will work perfectly. You can either shoot me a quick email from that account, or I can contact you through that address and you can reply that you’ve received that message. Then, I’ll know that you are really Bob Ross, the TV Painter.

The chain of trust is pretty clear. Annie trusts her email provider, so she trusts the claim that email from [email protected] is from whoever controls the [email protected] email address. As for the claim that the owner of [email protected] is Bob Ross the TV Painter, Annie trusts that Bob’s employer wouldn’t put fake contact information its public website, so if they say that Bob Ross the TV Painter has the email address [email protected], that’s enough to authenticate the claim for her. She now trusts that she’s talking with Bob Ross the TV Painter.

But perhaps Bob Ross is afraid to use his work email address for his dalliances with harlots. That’s why Annie offers a second option: She’ll send him something through his public address, and then he can respond to it through the [email protected] address, thus extending the chain of trust  to that address. In other words, Annie has reinvented the computer science concept of a bearer token.

When you login to your bank’s website, you provide your credentials — your username and password — in order to access the first page of the site. In return, the server generates a cryptographically secure token — basically some random data that would be hard for someone else to guess — and sends it back to your browser. After that, as you navigate around the website, whenever you click to bring up a new page, the browser sends the token along with the page request. (In browser terminology, the token is a cookie.) Since the server knows it gave out that token to a user who provided valid credentials for your account, possession of the token proves you are the owner of the account without your having to send along the username and password with every request.

Annie’s plan works the same way. She can send a message like this to Bob’s public account, referring to a randomly made-up order amount and using a made-up name (this is my example, not hers):

To: [email protected]
From: [email protected]
Subject: Thank you for your order!

Robert,

Thank you for your order. Your credit card will be billed $21.57.

Margaret P. Granholm
Sales Associate

Bob can then respond from the private account that he used to contact Annie earlier:

To: [email protected]
From: [email protected]
Subject: Got your message.

Hey Annie,

Got your message. Here’s the information you asked for: The amount is $21.57 and the sales associate’s name was Margaret P. Granholm.

Talk to you soon,

Bob Ross the TV Painter

The public websites establish the chain of trust to assure her that [email protected] is controlled by Bob Ross the TV Painter. And since she sent that address a token composed of the made-up name and amount, she knows that anyone who has that information must be Bob Ross the TV Painter, so when she gets that token back via the [email protected] address, she can close the loop and verify that [email protected] really is Bob Ross the TV Painter.

She further explains a similar technique over the phone:

Alternatively, you can supply a phone number that is traceable to you. Let’s use the PBS example. PBS lists Bob Ross’s office contact number as (504) 555-5555. I can call that number and ask to speak to Bob Ross, and all you have to say is “Yes Annie, it’s me,” and I’ll know I’ve been emailing back and forth with the right guy.

She also explains how the chain of trust can be broken:

However, if you only supply me with a phone number for a prepaid phone, or a number that, when Googled, is not attached to your name or business, that doesn’t really help me.

Backing away from the details a bit, the purpose of all this is to establish that [email protected] is a client that Annie can do business with rather than somebody who will hurt or arrest her. It’s possible to do this more directly:

And if neither of those methods works for you, you can also provide references (names and contact info or websites) from two established professional companions/providers/escorts you’ve met with in the past. I’ll contact them to make sure you’re safe and a gentleman. When they respond positively, I’ll get back to you and we can set up an appointment.

Elsewhere she clarifies the information she needs about the other escorts:

Generally, when we ask for references, we’re looking for a name, email address, and a link to a website. For example:

• Annie Calhoun
• NOLAcourtesan.com (or the url, whatever)
• [email protected]

This way, the provider can look at my website and see that I’m legit (or even search for my name on various ad, screening, and networking sites) before contacting me).

Notice again, the careful chain of trust: From the public website to the email address to the escort’s emailed verification that the client is safe.

One thing we might wonder is why does Annie put so much trust in public websites. How much does a website really prove? Couldn’t a cop or a serial killer set up fake escort sites? The short answer is that although public websites aren’t hard to set up, they do require an order of magnitude more work than getting a gmail address. That additional work will tend to screen out some bad actors.

Again, this is a common technique in information security. For example, it’s used in encrypted password systems to prevent password guessing. Passwords are stored in a hashed format that is computationally expensive to test, so even if a hacker obtains an encrypted password, it will be time-consuming to test password guesses.

Annie’s basic goal here is to pick verification techniques that are difficult for someone to spoof. A malicious person would have to plan ahead by setting up two fake escort websites with email addresses. And while setting up a website isn’t very hard, it’s considerably harder to setup a convincing website, especially for someone like Annie, who’s actually in the business. She could easily research the other escorts to determine their legitimacy.

To show how this works, let’s use Annie’s own website as an example, and look for signs that she’s legitimate. We can see that her WHOIS entry shows that her domain was registered in March of 2012 and the Wayback Machine starts picking up content from it in May of that year. Furthermore, Annie has purchase an advertising page on the Eros guide for New Orleans and at Preferred 411, and before they shut down U.S. access, she had reviews on The Erotic Review from 2012. Annie is also active on Twitter, and her website and Twitter bio link to each other to close the trust loop.

All of this is evidence of an internet presence going back for years, which is a strong indicator of legitimacy. If the Annie Calhoun identity was only created so that someone could give out fake escort references, the perpetrator must have gone through a lot of trouble to set all this up, and they’ve somehow maintained the fiction for six years without anyone blowing the whistle on them. It seems far more likely that Annie Calhoun is a legitimate escort who began working six years ago, which means that a reference from her is most likely legitimate.

It’s worth noting that Annie doesn’t have to do all the work herself. The online escort industry is large enough that it has spawned a services industry to support it, and escorts like Annie have been able to use screening services to do some of the work. The feds have been shutting things down lately (in their effort to stop sex work by making it more dangerous), but in the past, Date-Check performed screening, The Erotic Review had some kind of whitelist for clients that allowed escorts to vouch for them, and Preferred 411 did both screenings and escort endorsements. 

In computer security terms, these sites act as trusted third parties that verify claims. Some of the sites issue ID codes that escorts can check and others use email addresses, but all of them eventually provide a chain of trust between the potential client and some information that can be used to judge whether he’ll make a good client.

It turns out that a lot of potential clients don’t want to cooperate with the screening process because they don’t like revealing their identity to a stranger. That makes things difficult, but note that Annie’s screening goals — “someone we’re willing to spend time alone with…agree to provide the [correct payment]…be someone we feel is not a danger to our personal safety” — do not include knowing the client’s true name.

Getting the person’s true name is usually a practical requirement for screening, but we could imagine other ways of establishing trust. For example, if several other legitimate sex workers say that the person at the [email protected] email address, and he was a great client, that might be good enough. His control over the email address proves he’s the person the other sex workers met, and their references establish his safety. Annie might consider that sufficiently strong evidence that he meets her standards even if she does not know his name. (Or not. I can’t speak for Annie) The referring sex workers might not establish that the owner of the [email protected] address is Bob Ross the TV Painter, but they do help establish the other claims Annie is interested in, such as agreeable personality, ability to pay, and safety.

Again, Annie doesn’t have to do all of this for herself. If she works for an agency or a brothel, they may provide the screening services. The computer security equivalent would be a trusted third party that enforces compliance to certain standards, such as workflow orchestration services like IFTTT and Zapier, or business coordination services like athenahealth medical billing or Quickbooks payment processing.

I find it fascinating that American sex workers face some of the same security problems as software engineers, and that they solve them in analogous ways. Annie’s thoughts on issues of identity are particularly clear, and they parallel a lot of modern thinking about identity on the internet. If more people learned to think about these issues the way Annie does, a lot fewer people would fall for phishing schemes and other con games.

I normally like to post something light on Fridays, but today I have to address a serious issue. In these post-Backpage days of heightened awareness about online prostitution rings, many concerned parents are asking themselves, “How can I know if my daughter is experimenting with online sex work?”

I’ve been following online sex workers for several years now, and based on my observations, I believe I can offer some helpful signs to look out for:

Five Signs Your Daughter May Be an Online Sex Worker!

1. She can recite the legislative history of the FOSTA-SESTA Act and describe its effects on Section 230 of the Communications Decency Act.
2. She rolls her eyes whenever a news story mentions “sex trafficking.”
3. She is extremely knowledgeable about internet privacy technology and can name an offshore web hosting service off the top of her head.
4. She can explain Operation Choke Point banking regulations.
5. She has a surprisingly vehement dislike for Ashton Kutcher, Demi Moore, Mira Sorvino, Julie Bindel, Swanee Hunt, Cook County Sheriff Tom Dart, and U.S. Senator Kamala Harris.

Special bonus 6th Sign: Her favorite journalist is Elizabeth Nolan Brown.

I hope this helps.

Maggie McNeill has a standing request that allies and supporters of sex workers do something to express that support whenever Friday the 13th rolls around. I had intended write something two weeks ago about my personal experience learning about sex worker rights, but I ran into technical difficulties before I could finish. This post is adapted from that piece.

It’s common to speak of “being an ally” to sex workers. There’s a lot of advice online about how to do that, including a guest post by Stacey Swimme at Honest Courtesan. But to be honest, I don’t think of myself as an ally to sex workers, because a lot of being an “ally” is amplifying sex workers’ voices, and this blog is not about amplifying other people’s voices — it’s a about me having a place to write in my own voice about ideas that I find interesting, and right now I don’t want to write about how much sex workers earn or the politics of review sites or clients who fight the screening process. What I am interested in writing about is the rights and freedoms of people doing something that shouldn’t be a crime.

I’ve spent a lot of time, as a blogger and before, arguing against the War On Drugs. Not only is the War On Drugs wasting resources, destroying lives, and eroding civil liberties, but it’s also a fundamentally evil idea: It’s using violent law enforcement to stamp out a consensual crime — a supposed crime in which all parties are voluntarily participating of their own free will. The War On Drugs hurts a lot of people, but it helps no one, except the people carrying it out, who get paychecks and the enjoyment of feeling smug and self-righteous as they hurt people. I hate everything about it.

I’ve also begun to hate the War on Prostitution. I’ve long been opposed to all consensual crimes — recreational drugs, gambling, pornography, public drunkenness, vagrancy, homosexuality, food trucks, gun ownership, kink, migration, raw milk, incest, risky sports, transgenderism, loitering, status offenses, braiding hair without a license, whatever — because as long as everybody involved has consented freely and competently, I don’t give a shit, and I don’t think it should be a crime. So I’ve always opposed prostitution laws in theory.

My opposition became somewhat less theoretical a few years ago when I bumped into Maggie McNeill in the comments section over at Radley Balko’s old Agitator blog, before it moved to the Huffington Post. At the time, Maggie was an ostensibly retired New Orleans call girl who had recently launched her own blog, The Honest Courtesan. I eventually asked Maggie to contribute to a group blog I had started with some friends, and she provided a bit of content for us.

That blog is dead, but I became a steady reader of Maggie’s blog, and I began to learn more about the legal issues that concern sex workers in this country. The obvious problem is that prostitution is illegal, but the details are important: What are the specific actions that are outlawed? In what manner are those laws enforced? And what effect does that have on the lives of sex workers and others?

I’ve learned that laws against pimping are used to prosecute babysitters who got paid with money earned from prostitution, and that carrying condoms can be used as evidence of prostitution, which makes it harder for sex workers to follow safe sex practices. I’ve learned that cops treat transwomen sex workers as if they were men exploiting women sex workers. I’ve learned that it’s a myth that waves of sex workers come to cities for major events like the Superbowl.

I’ve also been learning some of the terminology. The most disorienting thing for someone coming from the War on Drugs is that the meanings of legalization and decriminalization are reversed for prostitution — if you want it to be all-the-way legal, you want to legalize drugs, but you want to decriminalize prostitution.

The terminology for sex workers is a little frustrating. Words like “whore” and “hooker” can be insulting — although the latter sounds friendly to my ear, and many sex workers claim the former proudly. “Sex worker” is always safe, but it refers to a broad spectrum from escorts to dominatrices, streetwalkers, massage parlor girls, strippers, cam girls, and Hooters waitresses.

“Prostitute” can be problematic because it’s used by law enforcement to oppress sex workers, but I tend to use it a lot because most of my writing is concerned with that part of sex work which is illegal.

(And everybody hates “prostituted women,” which strikes sex workers as an attempt to deny that they have agency in choosing sex work.)

One good thing about the War on Prostitution is that it isn’t as intense as the War on Drugs. Anti-drug law enforcement is vicious and heartless: They can send you to jail for decades for selling drugs, and drug dealers have learned to keep their heads down. There are apparently a few online digital drug markets, but there’s nothing like the thousands of sex worker ads you’ll find on the web. There’s no recreational drug dealing equivalent of a big advertising site like Eros or ratings sites like Erotic Monkey or Rubmaps. Drug dealers just don’t have a big online community. (Or maybe I just doesn’t know how to find it.)

Sex work has benefited from something like benign neglect at times, and this has allowed a lot of sex workers like Maggie to be out in the open. There are blogs like Tits & Sass that have been around for years, and there are advocacy organizations such as the Sex Workers Outreach Project and the Desiree Alliance which work out in the open to advance sex worker causes. Sex workers also have a vibrant presence on Twitter, and I follow a whole bunch of them.

Unfortunately, the situation for sex workers seems to be deteriorating, in ways that are sadly familiar to those of us who know the War on Drugs.

It begins with finding people to demonize. Drug warriors will tell you that cops don’t go after casual users. They claim to only go after drug dealers — the “pushers” and “high-level traffickers” — who seem to practically force young school kids to do drugs. What they don’t tell you is that the laws define drug dealing so broadly that making a purchase with a friend, or even just passing a joint, can be enough to get you charged as a drug dealer.

When it comes to prostitution, cops seem to realize that their pearl-clutching over call girls is a dumb waste of police resources, so they’ve tried to recast what they do as fighting a genuine evil. They’ve hit on the idea of calling everything “sex trafficking,” or even worse, “child sex trafficking.” They talk constantly about the relatively small number of actual child sex trafficking incidents, and they pretend that that’s all there is to sex work. This allows them to justify arresting vast numbers of people on prostitution charges, and it allows them to cast supporters of sex workers as soft on child sex trafficking.

We’re also starting to see other unpleasant features of the War on Drugs, such as federal funding and inter-agency task forces. Federal funding tends to encourage police excesses because the funds are often tied to enforcement intensity: The more arrests, the more money. Because task forces do not operate under any one police agency, they remove control of policing from local governments. (Almost every really outrageous raid turns out to involve a task force.) Throw in additional funding through civil forfeiture of the supposedly ill-gotten gains of sex trafficking, and the result is police forces operating as self-sustaining predators who answer to no one.

One thing that is unique to sex work prohibition is the involvement of a dizzying array of interlocking “rescue” organizations that purport to be fighting sex trafficking and saving women victims. To be sure, the War on Drugs now includes a massive rehab industry that wouldn’t exist if the courts weren’t forcing thousands of people into mandatory drug treatment, but the War on Drugs started with law enforcement.

When it comes to sex work, the rescue industry is in some sense leading the way. They have created the environment and the sex trafficking mythology that makes high-intensity law enforcement seem like a reasonable approach. They participate in law enforcement activities, and they rely on law enforcement to send them women to “rescue.” They even provide funding for prosecutors (which has to be one of the worst charitable programs ever). It’s kind of a rescue industrial complex.

Since 2010, the anti-sex-work prohibitionists have been attacking web sites that support sex workers. One of the first was the Craigslist adult services section. This was soon followed by San Francisco-based MyRedBook.com, the gay-oriented Rentboy.com, and review site TheReviewBoard.net.

Late last month, in the name of fighting sex trafficking, Congress passed the FOSTA/SESTA law, which for the first time breaks Section 230 protections to make websites liable when their users post content that promotes prostitution. Even before the law went into effect, Craigslist shut down their personal ads, Reddit deleted a number of sex work related subreddits, and The Erotic Review stopped serving pages to U.S. visitors. And then the big news hit: The feds shut down Backpage.com.

It’s been a bad month for sex workers. Shutting down these sites — especially Backpage — takes away some of the safest channels for selling their services. For many sex workers, Backpage was part of the path that got them off the streets. Now thanks to a bunch of overbearing law enforcement groups and their self-righteous enablers in the “anti-trafficking” movement, many of them will be forced to return to the dangers of street work.

 

This is the sort of thing I’ve been seeing in Twitter. I only sample a tiny fraction of the sex work community, but I’m seeing a lot of concern over the consequence for sex workers, and it’s all pretty ugly. Here, for example, is my favorite anarchist sex worker explaining the value of online advertising:

Here’s another sex worker, explaining some the the cause-and-effect that’s going to hit the community:

I used to get angry whenever I heard of some new atrocity in the War On Drugs, but I was usually able to keep some emotional distance from the worst of it because I didn’t actually know any drug dealers. It wasn’t personal for me. I knew there was suffering, but I didn’t have to feel it.

But when it comes to sex workers, I follow far too many of them on Twitter. I know it’s just social media, but I feel like I know these people. And the last few weeks have been pretty bad. This bullshit is hurting people I know, and they are bitter, hurt, and angry.

Me, I’m just angry.