Date: Tue, 12 May 92 18:18:22 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#023

Computer Privacy Digest    Tue, 12 May 92    Volume 1 : Issue: 023

Today's Topics:                         Moderator: Dennis G. Rears

                    Re: TRW Reports
                    What's to hide?
                    Mother's maiden name
                    CLID user interface
                    Re: SSN's from AT&T
                    [alt.comp.acad-freedom.talk] Seminole ACCESS

  The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy.  The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated).  Submissions should be
sent to comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.  Back issues are available via
anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

From: David Ratner
Subject: Re: TRW Reports
Date: 12 May 92 20:21:56 GMT

jrbd@craycos.com (James Davies) writes:
>In article zimmer@gw.wmich.edu writes:
>>
>>Montgomery Wards, when successfully soliciting business over the phone
>>with you, does ask for private information you've previously supplied
>>them to verify you are who they think you are.
>It's been my experience that most organizations use the same piece of
>"private information" for verification -- your mother's maiden name.
>This is about as secure as using your social security number in some sense,
>in that someone who cared could easily find it out with a little research.
>AT&T asked for this when I called their Universal Card 800 number with
>a change request last week.  I've been tempted to make up a different
>"mother's maiden name" for each organization that asks (including, in the
>past, various utility companies and banks), but I worry that I'll forget it
>and they won't have any way of resetting my "password" (after all, your
>mother's maiden name isn't supposed to change, right?).
I knew a family that received a credit card using a phoney maiden name.
[Just in case, we will call them "him" and "her"].  He made up the
number, but one day she needed to get account info, he wasn't around,
and she didn't know the fictitious data.  Turns out the person on the
other end "prompted her" in the right direction so that she was able to
eventually guess it.  (Turned out to be the name of their dog).  So even
though she didn't know it, she was given "hints" until she finally
guessed it.

This has happened to me as well.  In attempting to prove who I was to
one of my credit-card companies, I was asked "how much was your last
bill?".  (Like someone could've just stolen my bill from the mailbox in
the first place!)  Well I guessed (I think I was close, but not close
enough).  So she followed up with "well, what was a recent major
purchase", and to be honest, I had forgotten.  She prompted me with
"something for your car", and then I replied with the correct answer -
my car stereo.

Dave
--
Dave Ratner
ratner@cs.ucla.edu
"Wham Bam, thank you Van Damme!"

------------------------------

Date: Tue, 12 May 92 17:04 EDT
From: michael.scott.baldwin@att.com
Subject: What's to hide?

John Higdon wants to know:

    Just what is it that you believe that "heat seeking technology" is
    going to reveal about you?

Then he writes:

    For instance, most nations have laws against the usual drugs...
    Only when drug usage becomes a problem to others are the laws (which
    are in place just for this circumstance) enforced.

I would like to be as confident as you are that the laws are only
enforced when there is a "problem," but I'm not.  Laws that are
selectively enforced are DANGEROUS, and this country has a hangup with
victimless "crimes" like prostitution, "unnatural" sex, drug use, and
gambling.  They are used to harass minorities and unwanted people.
I am guilty of all of the above-mentioned crimes, and I do not relish
the idea of some government official or obnoxious neighbor making my
life very difficult.

Robert E. Laughlin writes:

    Another [thing in life that is not free] is privacy.  This country
    is based on the idea.  See the constitution, where it talks about
    billeting troops in your house or unusual search and seizure.

The U.S. Constitution doesn't have nearly the protection for privacy as
some state constitutions do (e.g., California).  I would be very
hard-pressed to try to back up your claim that this country is "based
on the idea"!  As has been mentioned, the Supreme Court (Bowers v.
Hardwick) does not see any privacy right in the Constitution, and even
invoked Judeo-Christian teachings to support laws that invade our
privacy.  And these laws are not trifling: in Georgia, sodomy is a
FELONY with up to 20 YEARS in jail.

The Jester writes:

    However what I have failed to see is a single cogent explanation of
    WHY the rationale of "If you have nothing to hide, then you have
    nothing to fear" is a bankrupt one.

Let me try, without using examples: the definition of what it is that
you have to "hide" rests with the government, not you.  If the legal
system creates bankrupt laws that make your private life punishable,
then you end up hiding and fearing for simply living your life and
pursuing your own happiness.

------------------------------

Date: Tue, 12 May 92 17:10 EDT
From: michael.scott.baldwin@att.com
Subject: Mother's maiden name

James Davies writes:

    I've been tempted to make up a different "mother's maiden name" for
    each organization that asks (including, in the past, various
    utility companies and banks).

Most phone companies let you put a "passcode" on your account which can
be any word or number.  AT&T Universal does let you have a passcode,
but they hack it into the mother's maiden name field and put a notation
on your account.
I happen to use the same passcode (*not* my mother's maiden name) for
all my accounts so it's not the most secure, but the passcode I use is
harder to figure out than my mom's name and I only remember one.

------------------------------

Date: Tue, 12 May 92 17:16 EDT
From: michael.scott.baldwin@att.com
Subject: CLID user interface

Conrad Kimball writes that the CLID blocking user interface is
deficient, and then blows this up into a rigged scheme for phone
companies to rake in the loot.  Plenty of phone services have bad
interfaces (why can't I change my call forwarding when I'm not at home?)
but that never caused a ruckus.  The real issue is what information is
passed around under whose control, and the user interface is secondary
to that.  Let's not confuse issues further.

------------------------------

Date: Tue, 12 May 92 17:34 EDT
From: michael.scott.baldwin@att.com
Subject: Re: SSN's from AT&T

Several people have written to me challenging my statement that SSN's
are only divulged for ex-employees.  I was being overly simplistic,
sorry.  SSN's are divulged on mail bounces if the SSN lookup fails in
the corporate database.  Now, that database is *supposed* to contain
all AT&T employees, but AT&T is a large and changing company.  We get
feeds from payroll (AT&T used to have SEVENTEEN payrolls, now only 3)
which are quite accurate, but unfortunately they don't include NCR and
Paradyne employees.  For political reasons, they do not want to give us
their personnel data.  Also, there are a few small categories of
pseudo-employees (summer hires, etc.) that do not show up in any
database.  Of course, we are trying to get NCR and Paradyne into the
database and make it as accurate as possible, but it is not trivial.
Some of the bounces were for mail to people whose whole buildings went
over to NCR, thus dumping them from our database.

Almost every AT&T payroll and personnel system uses SSN as a unique
key.  We can't do much about that (not that I personally care, anyway).
There is various software that asks for SSN, and none that I know
bothers to explain why it is needed or who will see it.  I don't see
why that's important: we have corporate rules about it that they can
look up if they want to.

Dave Neibuhr writes:
| My employer specifically states that, when logging into a computer system,
| no personal identification whatsoever is to be used as a method of access
| any system.  This includes employee id number.

I assume you keep records of which logins belong to which employees
though.  If my login is "mike", isn't that "personal identification" of
some sort?

------------------------------

From: "Carl M. Kadie"
Subject: [alt.comp.acad-freedom.talk] Seminole ACCESS
Followup-To: comp.society.privacy,alt.comp.acad-freedom.talk,soc.libraries.talk
Date: Tue, 12 May 1992 18:06:25 GMT

[A repost - Carl]

>Newsgroups: alt.comp.acad-freedom.talk
>From: otto@systems.cc.fsu.edu (John G. Otto)
>Message-ID: <9205121714.AA18456@systems.cc.fsu.edu>
>Date: Tue, 12 May 1992 17:14:58 GMT
~Subject: Seminole ACCESS

The included article from the campus paper, FSView (>), appears with
permission of the publisher.  FSU is the Florida State University.

> Seminole Access replaces ID cards for Fall '92
> FSView Tuesday, 1992 April 14
> by Shannon Greene

> Beginning next fall, all FSU students will have a new ID card, a new
> ATM card, a new long distance calling card, and a new debit [sic] card.
> But instead of carrying around each of these individually, the Seminole
> Access Card will allow students to receive the benefits of all of the
> above without the burden of five or six cards.

Beginning next fall, all FSU students, faculty and staff will have a new
ID card, a new ATM card, a new long distance calling card, and a new
credit card, *whether they want it or not*.
The Seminole ACCESS card will force students to allow the university to
record their every financial transaction, every book they check out from
the library or borrow on reserve, and eventually, their every move in or
out of any building or any door on which an ACCESS limiter has been
installed, all in a data base conveniently accessible to the
administration.

> According to Dianna Allen, systems coordinator, the reason for the
> change, besides convenience, is personal safety.  Because students
> are carrying around cash and checks, the rate of campus muggings has
> increased, as well as the rate of vending machine robberies, Allen said.

According to Robert Basham, responding to an inquiry addressed to the
ACCESS office, fields of information would only be accessible to those
officials who have a need to know the information.  It appears that
those officials have also been given free rein to decide what
constitutes such a need.  Upon investigation, it was found that
librarians, for instance, have access to information other than that
related to the checking out and return of library materials, or fines
for late return.

> Allen also says that by eliminating excess cash carried by students and
> creating a new debit [sic] system for vending, this rate will decrease.
> "We are trying to make the campus a cashless society.", she says.

By eliminating cash, we can track every purchase (though, probably due
to high costs, vending machine transactions will most likely not be
tied to other information in the data base).

> The benefits of the card are numerous.  It can be used as an ATM "money
> card" at any MAX or Publix [grocery chain] Presto location in the
> state.  There will be a 75 cents charge for Access card use at all ATMs.

Not only will your actions on the FSU campus be traced, but you can make
it possible for off campus purchases to be traced as well.  Over 200
businesses have already signed up.
> The card will also be coded as an MCI calling card, accessible only with
> a personalized PIN.  And the debit [sic] card will allow for easy use of
> laundry and vending all over campus if there is cash in the account.

The card also discourages choice in selection of a long distance
telephone service by forcing the student to have an account with MCI as
well as any other service the student may have freely chosen.  And they
may even track when you do your laundry.

> The card will replace FSU IDs in the coming fall and will cost $5.
> However, all current FSU students can get a free card now at [the
> Seminole] Access Office [in the Union].

> The cards have a black and white photo of the student, as well as
> library numbers and Seminole Access numbers printed on the front.
> The card is electronically coded with the student's social[ist
> in]security number.

Federal law prohibiting government agencies from requiring disclosure of
the socialist insecurity number in exchange for services or privileges
has been ignored because it would be an inconvenience for the university
to respect people's privacy.

> "Everything is done electronically.", Allen says.  This means ID
> validation, fee payments, and financial aid awards will all be done
> with the Access card.  Financial aid rebates can be wired directly
> into the account, tuition payments can be automatically deducted, and
> validation will be coded in instead of the stickers students are
> used to.

Your account can be raided by the university without informing you ahead
of time and, if you want to challenge a transaction record, you get to
come grovel at the feet of the Seminole ACCESS bureaubums to beg to have
it corrected.  Isn't that special.  If someone in power decides to cut
you off and lock you out, it's soo much easier with the Seminole ACCESS
system.
> However, any student who does not want his rebate deposited in his
> account can go to cooperating banks, and have a check issued for
> his rebate amount at no extra cost to the student, Allen said.

Whatever happened to the legal tender laws which have forced us to
accept these greenbacks in lieu of real money?  If the university has a
debt to me, I should be able to collect it from the university in cash,
and I should be able to pay cash for what I owe them.

> Besides the programs starting up in fall '92, there are many projects
> in the works for the future.  Dorm security will be increased by using
> the card with a PIN for residence hall entry, and attendance in large
> mandatory [?] classes will be taken via an electronic system to save
> time.

PINs are too short to be very secure.  With people cracking 100 digit
encryption keys using their home computers, one would expect a 4 numeral
code to be child's play.  Industry experts [e.g. Charles Knox] recommend
that passwords be about 8 characters long (letters, numerals and other
characters) so as to strike a balance between security and the
frustrations of memory failure & typographical errors.

> All these plans should be complete within the next several years.

--
Carl Kadie -- I do not represent EFF; this is just me.
=kadie@eff.org, kadie@cs.uiuc.edu =

------------------------------

End of Computer Privacy Digest V1 #023
******************************
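Added editorial example (not from the digest, FSU, or any of the posters) illustrating the PIN-length point in the Seminole ACCESS post: it models the guessing risk of a 4-digit PIN against the 8-character mixed password the post recommends, separating the online case (a door reader or phone prompt that locks out after a few tries) from the offline case (a leaked copy of the stored secrets). The 95-symbol alphabet, the 3-try lockout and the guess rate are assumed parameters.

```python
import math

# Constructed policies (label, alphabet size, length): the 4-digit PIN and the
# 8-character mixed password the post contrasts. A 95-symbol alphabet (printable
# ASCII) is an assumption for "letters, numerals and other characters".
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("8-char mixed password", 95, 8),
]

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of this shape."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing entropy if every secret is equally likely.
    Human-chosen PINs are far from uniform, so this is a best case."""
    return length * math.log2(alphabet_size)

def online_success_probability(alphabet_size: int, length: int,
                               tries_before_lockout: int) -> float:
    """Chance that a guesser who is cut off after a fixed number of tries
    (door reader, ATM, phone prompt) hits a uniformly random secret."""
    return min(1.0, tries_before_lockout / keyspace(alphabet_size, length))

def offline_expected_seconds(alphabet_size: int, length: int,
                             guesses_per_second: float) -> float:
    """Expected time to recover the secret once the verifier's stored copy
    has leaked and guesses run locally with no lockout (half the keyspace)."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second

def compare(tries_before_lockout: int = 3,
            guesses_per_second: float = 1e6) -> list:
    """One row per policy; the lockout and guess rate are assumed parameters."""
    rows = []
    for label, n, k in POLICIES:
        rows.append({
            "policy": label,
            "keyspace": keyspace(n, k),
            "bits": round(entropy_bits(n, k), 1),
            "online_p": online_success_probability(n, k, tries_before_lockout),
            "offline_s": offline_expected_seconds(n, k, guesses_per_second),
        })
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

With a 3-try lockout the PIN gives a guesser 0.03% per lockout window, which is why short PINs survive at doors and ATMs; the same PIN falls in milliseconds once the stored secrets leak, the offline setting the post's home-computer key-cracking comparison belongs to.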