View Poll Results: VIN information thoughts
#1 Encoded VINs: 45.00%
#2 Separate VIN table: 45.00%
#3 Both: 5.00%
Other/None of the above: 5.00%
Voters: 20

VIN information thoughts

#1 | cthree (Thread Starter, Administrator) | Nov 20, 2001 | 11:35 AM

This thread deals a bit with the issue of entering your VIN into your account profile. In it I talk about my desire to provide certain functionality afforded by you entering your VIN but at the same time keeping it private and secure.

I am thinking of three options:

1. Store the VIN as an encoded value, not the real VIN. This would mean that given a VIN, it would be possible to find the account to which that VIN is registered, but it would not be possible to find the VIN for a given account. It would be a one-way encoding; you could not take the encoded value and decode it to get the original value. You could take a value, like a VIN, and encode it and compare the encoded values to determine if they were encoded from the same original value. This is how our passwords work and why we can't tell you what your password is if you lose it.

2. Store the VINs in a separate table from the member account information and indicate in the member table that a VIN has been entered. The VIN table would allow us to see if a VIN has been entered but we would have no way of knowing what account it was entered for. This creates some software issues like if you get a new car the old VIN would still be in the VIN table and the new owner wouldn't be able to register.

3. Both. Given a VIN you could tell if it was in the VIN table by comparing the encoded VIN with the encoded values in the table, but this seems redundant.

Encryption is not viable since should I be presented with a court order for your member account information I would need to cough up the password to decrypt also.

I'd like to hear your thoughts and suggestions on how to proceed. I definitely want a way to determine ownership status, the issue is finding a way to do it that everyone feels comfortable with.

#2 | not_a_z3 (Registered User) | Nov 20, 2001 | 11:45 AM

Why is everyone afraid to give out their VIN? Is there anything that can be done with it? Should I make sure that my VIN cannot be seen when I park my car? Putting it into this site was not a problem with me.

#3 | Tanqueray (Registered User) | Nov 20, 2001 | 11:59 AM

The problem is that Honda has used information on this board against members before, and will continue to do this in the future.

If you post, "Oh, man, I accidentally over-revved my engine today when I downshifted 5->2, and now my engine sounds bad," your dealer just may show you your post admitting your guilt, along with posts showing your VIN number.

Or maybe you just admit to occasionally dumping the clutch...now Honda won't do a TSB to fix your transmission.

Any method that CThree chooses should ensure our privacy. I don't like the encoding method because Honda could get a subpoena to check suspected VIN numbers against his database (which would work fine in the scheme described above). Board identities should not be matchable to VINs.

My 4 cents,
Tanq

#4 | tokyo_james (Registered User) | Nov 28, 2001 | 08:19 PM

If I am truly honest here, the VIN that I entered was not correct, since the JDM VIN was not accepted by the software. I can't remember exactly what change I had to make, but basically fudged the number in order to get it to work. (I hope you are not going to take away my "Owner" status for this admission.)

But the point that I am trying to make is that there is sufficient information regarding VIN no.'s on this site that anyone could enter a fake one to be registered as an owner. Could you therefore not just ask people to enter part of their VIN in order to allay their fears??

#5 | xviper | Nov 28, 2001 | 08:43 PM

You lost me right after: "I am thinking of three options:"

I'm not a computer guy. I don't have an issue to do with privacy (at least none that I'm aware of yet). I try not to say anything here that might incriminate me in the eyes of the Honda gods. (For warranty issues)

#6 | cthree (Thread Starter, Administrator) | Nov 29, 2001 | 12:30 PM

Originally posted by tokyo_james:
"If I am truly honest here, the VIN that I entered was not correct, since the JDM VIN was not accepted by the software."

#7 | Triple-H (Registered User) | Dec 3, 2001 | 03:56 PM

14 votes, that is not really enough to address the situation with those owners who have not registered...

I suspect we need some more voting so I'm bringing it up to the top, any more takers?

#8 | Elistan (Registered User) | Dec 3, 2001 | 04:38 PM

Option 1, encoding the VIN. So let's say you're given a court order to turn over the encoded VIN database and the encoding function. My encoded VIN is <whatever>, so the court takes the function, encodes all valid VINs (which aren't very many, this'll take just a few minutes) and discovers that poster Elistan is registered with VIN ####. End result - no additional security.

Option 2, separate table with no links back to individual profiles. Court gets ahold of VIN table, but there's no means to link VIN #### to anybody. End result - anonymity.

Option 3. Agree, redundant.

Option 4, encryption. Actually, how about the VIN get encrypted with the user's personal password? That way you wouldn't be able to reveal the encryption key to the court. Of course, then you wouldn't be able to check for duplicates. Security would only be as good as the user's password - a dictionary attack could be quite fruitful.

Seems to me like #2 is the way to go. No matter how much computing power you throw at it, you'll never be able to link a VIN with a person. In the case of a car being resold... If somebody puts in a VIN that's already in the table, kick out a message "This VIN has already been registered. If you purchased your car used, please contact the admin to arrange transfer." Or some such. Then the admin could look into it and try to determine if it was a valid request.

(I can't think of a decent way to verify ownership either, alas.)
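
Added example (not part of the thread and not the site's code): the comparison of option 1 and option 2 made in post #8, written out in Python. The VIN prefix, the size of the serial range, the usernames and all function and class names are constructed for illustration, and SHA-256 stands in for whatever one-way encoding the site would use.

```python
import hashlib

# Constructed sample data: a made-up 11-character prefix plus a 6-digit serial,
# standing in for the small set of valid VINs for one model.
PREFIX = "XXTESTMODEL"      # placeholder, not a real manufacturer prefix
SERIALS = range(20000)      # assumed size of the production run


def encode(vin):
    """Option 1: one-way encoding (unsalted hash), compared like a password."""
    return hashlib.sha256(vin.encode("ascii")).hexdigest()


def recover_option1(member_table):
    """Given {username: encoded VIN}, encode every candidate VIN and match."""
    lookup = {encode(f"{PREFIX}{s:06d}"): f"{PREFIX}{s:06d}" for s in SERIALS}
    return {user: lookup[h] for user, h in member_table.items() if h in lookup}


class Option2Store:
    """Option 2: VINs in their own table; the member table holds only a flag."""

    def __init__(self):
        self.vin_table = set()      # VINs only, no username, id or timestamp
        self.member_flags = {}      # username -> True once a VIN was entered

    def register(self, user, vin):
        if vin in self.vin_table:
            return False            # duplicate: refer the user to the admin
        self.vin_table.add(vin)
        self.member_flags[user] = True
        return True

    def dump(self):
        """Everything a full disclosure of both tables would contain."""
        return {"vins": sorted(self.vin_table), "members": sorted(self.member_flags)}


if __name__ == "__main__":
    members = {"alice": encode(PREFIX + "000123"), "bob": encode(PREFIX + "019999")}
    print(recover_option1(members))     # every username mapped back to its VIN

    store = Option2Store()
    store.register("bob", PREFIX + "019999")
    store.register("alice", PREFIX + "000123")
    print(store.dump())                 # two sorted lists with no join key
```

Option 2 keeps this property only if the VIN rows carry nothing that lines up with the member table, such as an auto-increment id or a timestamp.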
All times are GMT -8.