Dave Molnar has some good comments on ‘Stolen ID Search.’ He writes, starting with a quote from “ben”:
“I can’t believe you are advocating typing your ssn or credit card into a mystery box.”
The idea is that you visit www.stolenidsearch.com, then type your social security number (SSN) or credit card number into the box, and the web site tells you if the number is on their list of “IDs we’ve seen in the wild being traded by evil persons.” If it is, they then helpfully offer you the opportunity to put a freeze on your credit report and purchase other services. The first problem that comes to mind, though, is that typing your SSN into the box gives them your SSN. Now you need to trust that they won’t turn around and sell it to those same evil persons. Maybe you can, maybe you can’t, but it’d be much better if you didn’t need to trust them at all.
Well, this sounds like the scenario for the cryptographic primitive of Private Information Retrieval (PIR). In PIR, a client wants to query a database in such a way that the database learns nothing about the query…. As they say, Helger, call your office.
So Dave, why would I trust a PIR implementation to help me here? Have you seen Matt Blaze’s excellent “James Randi Owes Me a Million Dollars”? In that article, Matt talks about the value of ‘strong cryptography’ versus believability to a non-expert audience.
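For readers who have not met PIR, here is the idea from the quoted passage as a minimal two-server XOR scheme. It is an added example, not code from either post or from the site discussed. It assumes two servers that hold the same bitmap and do not collude; the bitmap size, the hashing step and the sample IDs are constructed for illustration.

```python
import hashlib
import secrets

N_BUCKETS = 1024  # assumed bitmap size; both servers hold the same bitmap


def bucket(identifier: str) -> int:
    """Map an ID to a bitmap position (hash collisions can cause false positives)."""
    digest = hashlib.sha256(identifier.encode()).digest()
    return int.from_bytes(digest[:8], "big") % N_BUCKETS


def build_bitmap(leaked_ids):
    """Server side: bit b is 1 if some listed ID hashes to bucket b."""
    bits = [0] * N_BUCKETS
    for ident in leaked_ids:
        bits[bucket(ident)] = 1
    return bits


def make_queries(index: int):
    """Client side: two selection vectors that differ only at `index`.

    Each vector on its own is uniformly random, so a single server
    learns nothing about which position the client cares about.
    """
    q_a = [secrets.randbits(1) for _ in range(N_BUCKETS)]
    q_b = list(q_a)
    q_b[index] ^= 1
    return q_a, q_b


def answer(bitmap, query):
    """Server side: XOR of the bitmap bits the query selects (one bit back)."""
    acc = 0
    for bit, selected in zip(bitmap, query):
        acc ^= bit & selected
    return acc


def private_lookup(identifier, bitmap_a, bitmap_b):
    """Client side: XOR the two answers; everything but the wanted bit cancels."""
    q_a, q_b = make_queries(bucket(identifier))
    return (answer(bitmap_a, q_a) ^ answer(bitmap_b, q_b)) == 1


# Constructed sample data (not real identifiers).
LEAKED = ["000-00-0001", "000-00-0002", "000-00-0003"]
BITMAP = build_bitmap(LEAKED)
```

The privacy guarantee rests entirely on the two servers not comparing queries, which is exactly the kind of assumption the trust question above is about.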