Date: Sat, 03 Oct 92 15:39:46 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V1#087 Computer Privacy Digest Sat, 03 Oct 92 Volume 1 : Issue: 087 Today's Topics: Moderator: Dennis G. Rears Sacramento, CA privacy conference Re: SSN and Airline Antitrust Settlement Re: SSN in login ids Re: Privacy vs. Anonymity Re: SSN in login ids / posting grades Re: Teletrac Re: Address required on checks Re: Address required on checks Re: Blockbuster & video rental records Re: Blockbuster & video rental records FOIA Request for the FDA? The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200]. ---------------------------------------------------------------------- Date: Wed, 30 Sep 1992 16:45:18 -0700 From: Bruce R Koball Subject: Sacramento, CA privacy conference If you think it's appropriate, please consider posting the following notice to the next Privacy Digest. Thanks, Bruce Bruce R. Koball Motion West (voice) 510 540-7503 bkoball@well.sf.ca.us 2210 Sixth St (messages) 510 548-2450 bkoball@netcom.com Berkeley, CA 94710 (fax) 510 845-3946 Privacy in the Information Age: Balancing the Right to Privacy and the Right of Access Sponsored by Government Technology Magazine, Sacramento, California Produced by Government Technology Conference, Sacramento and Riley Information Services Inc., Toronto, Canada This one day conference and training session will be held at the Sacramento Convention Centre on November 16th, 1992. The conference will deal with many of the seminal privacy issues facing society today. It will address subjects and issues of importance to both the public and private sectors. An array of privacy experts and professional from the public and private sectors in California and from Washington, D.C. and Canada will gather to debate the issues driving privacy today and offer possible solutions. The sessions will be interactive with discussion and questions from the audience urged. Following is a short synopsis of the topics and speakers for the one day agenda. Opening Session: 8:30am The State of Privacy in California Today: Speaker: A. A. Pierce, Undersecretary, Business, Transportation and Housing Agency, State of California Keynote Address: A New Privacy Balance for the 90s: What the Public Wants, What a Free Society Needs. Speaker: Alan F. Westin, Professor of Public Law and Government, Columbia University and author of Privacy and Freedom. Professor Westin will discuss recent survey data on privacy concerns of citizens and analyze the recent public attitudes to privacy as seen in relation to the forces of developing technology and society's demands for wider openness. How will all these competing demands be met so all social needs are satisfied? Panel: What are the Dangers of Eroding Privacy? The debate goes on as to what extent should there be privacy regulation in our society. If we are to do this comprehensively how will we accomplish this goal? But do we really need extensive regulation or any at all? This will be a point/counterpoint session between Professor Goeroge Trubow of John Marshall Law School in Chicago and Jim Warren, Founder of Computer, Freedoms and Privacy Conferences and Columnist for MicroTimes Panel: Balancing the Right of Acccess and the Right to Privacy. Freedom of Information laws endow on the citizen the basic right of access to government information, the right to know what it's government is doing and why. But there is also the right to protect the privacy of the individual, creating competing interests. Speakers: Ronald L. Plesser, lawyer, Piper and Marbury, Washington, D.C. and former General Counsel, US Privacy Commission. Webster Guillory, Chairman, National Organization of Black County Officials Peter Gillis, Director, Information Management Practices, Treasury Board Secretariat, Federal Government of Canada Panel: Privacy and Fair Information Practices: Practical Guidelines Professor George Trubow and privacy expert Thomas B. Riley, Toronto, Canada, will present actual Guidelines that can be used in the workplace whether it be the public or private sector. Luncheon Address: Dr. Ann Cavoukian, Assistant Commissioner/Privacy, Office of the Information and Privacy Commissioner/Ontario, Toronto, Ontario, Canada "Investigating Privacy Complaints: A Canadian Experience." In Canada there exists the Office of Privacy Commissioner which not only takes complaints and appeals from the public in their dealings with the Privacy Act but serves to act as an important forum to identify key privacy issues? What can be learned from this experience? Panel: Privacy, Security and Electronic Records: What are the Ground Rules While security is a central issue in protecting privacy, there is also the question of what constitutes an electronic record? There is much regulatory confusion on this subject and speakers will work to address the complex matrix. Speakers: Joseph Pujals, State Information Security Manager, Department of Finance, CA Robert Gellman, Chief Counsel, House of Representatives Subcommittee on Information, Washington, D.C. Panel: Data Matching and Tracking of Files: What are the Privacy Rights? How Far Should we Go? Should data matching and tracking be allowed? What is the greater good or is there an important compromise? What are specific examples of such practices and how are they being handled? Speakers: Evan Hendricks, Publisher, Privacy Times, Washington, D.C. Kathleen M. Lucas, Plaintiff Counsel for Barbara Luck - Luck vs. Southern Pacific, San Francisco Chris Hibbert, Manager, Software Development Xanadu Corporation and member, Computer Professionals for Social Responsibility. Panel: Privacy and Electronic Networks: Caller ID and Telemarketing. Junk mail, junk fax, telemarketing, caller ID. Do you want it? Do you need it? If not-what can you do about it? Speakers: Ken McEldowney, Executive Director, Consumer Action, San Francisco Evelyn Pine, Executive Director, Computer Professionals for Social Responsibility Beth Givens, Project Director, Centre for Public Interest Law, University of California, San Diego John Schweizer, Manager, Consumer Affairs, Pacific Bell Closing remarks at 4:45pm will be delivered by Tom Riley who will offer a synthesis of issues presented for the day and a prognosis for the future. Conference Cost: $199. To register for the conference or to obtain a promotional brochure with fuller information please phone: Deborah Furlow, Government Technology Conference, Sacramento, CA, (916)363-5000. ------------------------------ From: egdorf@zaphod.lanl.gov (Skip Egdorf) Subject: Re: SSN and Airline Antitrust Settlement Organization: Los Alamos National Laboratory Date: Wed, 30 Sep 1992 22:53:17 GMT In article rudis+@cs.cmu.edu (Rujith S DeSilva) writes: The claim forms for the Airline Antitrust Settlement ask for `Social Security Number or Tax I.D.'. I've read the SSN guidelines posted here regularly, but this case seems different. I really don't want to supply my SSN, and I don't see why I legally have to. The terms of the settlement clearly define a `Class' of members (loosely, passengers of some airlines during a certain period), and say that upon certifying their inclusion in this Class, its members are eligible to a share of the settlement. Why should I supply my SSN to certify my claim? A "Settlement" of a monetary amount will be reported to the IRS as income for tax purposes. This is essentially the same requirement as a bank requesting the SSN so as to be able to report interest on a savings account to the IRS. This is permissable under federal law. They should, however, provide you with the notification required by the 1974 privacy act acknowledging that this is the case. They PROBABLY want the SSN for some reason other than the legal one... Skip Egdorf hwe@lanl.gov ------------------------------ From: "Carl M. Kadie" Subject: Re: SSN in login ids Organization: University of Illinois, Dept. of Comp. Sci., Urbana, IL Date: Thu, 1 Oct 1992 02:02:48 GMT Apparently-To: comp-society-privacy@ux1.cso.uiuc.edu Eric Hunt writes: >The University of Alabama/Birmingham's Engineering dept uses a student's >full SSN as a part of their computer login ids. This machine in Internet >reachable. > >I was wondering what relevant laws, if any, applied to this situation? [...] I think this is likely a violation of FERPA. I'm enclosing information. ============== ftp.eff.org:pub/academic/law/ferpa =========== [From _College and University Student Records: A Legal Compendium_, Edited by Joan E. Van Tol, 1989] ================== p. 119 =============== The regulations ... were significantly modified in 1988. ... The new regulations amend the definition of directory information and establish a standard for the designation of directory information. The new definition is: ' ... information contained in an education record of a student which would not be considered harmful or an invasion of privacy if disclosed. It includes, but is not limited to, the student's name, address, telephone list, date and place of birth, major field of study, participation in officially-recognized activities and sports, weight and height of members of athletic teams, date of attendance, degrees and awards received, and the most recent previous educational agency or institution attended.' The new standard -- that which would not be considered harmful or an invasion of privacy if disclosed -- permits the educational institution to exercise its discretion in the designation and and release of directory information provided that the eligible student does not object to the disclosure. ======================== p. 106 ============ [From the regulations: 34 C.F.R., 99.37 (1988)] 99.37 What conditions apply to disclosing directory information? (a) An educational agency or institution may disclose directory information if it has given public notice to parents of students in attendance and eligible student is attendance at the agency or institutional of -- (1) The types of personally identifiable information that the agency or institution has designed as directory information; (2) A parent's or eligible student's right to refuse to let the agency or institution any or all of those types of information about the student as directory information; and (3) The period of time within which a parent or eligible student has to notify the agency or institution in writing that he or she does not want any or all of those types of information about the student designed as directory information. ================== p. 155 ================ [from a reprint of an article printed in 1982 in _Computer/Law Journal_ by a Ms. Hyman.] ... A waiver of FERPA rights made pursuant to section 99.7 must be exercised by the student {109} and can apply to all FERPA rights {110}. Wavers must be signed {111}, and are most commonly given regarding letters of recommendation for admission {112}. Institutions may request students to waive their right of access to these letters, but they may not require a waiver as a condition for admission or services.{113}. [References] {110} 34 C.F.R. 99.7(a) (1980) {113} 34 C.F.R, 99.7(b) (1980) [Which I think cooresponds to this section of the 1988 regulations - cmk] ====================== p. 104 ================= [34 C.F.R. 99.12 (1988)] 99.12 What limitations exist on the right to inspect and review records? ... (b) A postsecondary institution does not have to permit a student to inspect and review educational records that are -- ... (3) Confidential letters and confidential statement of recommendation places in the student's records ..., if (i) The student has waived his or her right to inspect and review those letters and statements; ... (c) A waiver under paragraph (b)(3)(i) of this section is valid only if -- (i) The educational agency or institution does not require the waiver as a condition for admission to or receipt of a service or benefit form the agency or institution; ... ============================================ -- Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign ------------------------------ From: "Michael E. Adams" Subject: Re: Privacy vs. Anonymity Date: 1 Oct 1992 12:49:17 GMT Organization: California State University, Chico In article nastar!phardie@emory.mathcs.emory.edu (Pete Hardie) writes: >[...] >Anonymity helps those who hold unpopular views/lifestyles/etc. >[...] >Basically, I hold to the idea that my actions are not to be recorded unless >there is a demonstrated need, simply because if there is data on me, someone, >somewhere, will find a way to abuse it, whether legally, economically, or >otherwise. Read it, Learn it, and Live it. It's time to put limits on data collection. -- Hi! I am a .signature virus. Copy me into your .signature to join in! ------------------------------ Date: Thu, 1 Oct 92 16:19:20 MDT From: Tom Wicklund Subject: Re: SSN in login ids / posting grades In comp.society.privacy Dave Grabowski writes: > A few weeks ago, I posted a msg about how NJIT uses student's SSN's >for Student ID's and for UNIX System ID's as well. It was the custom for >exam grades to be posted by SSN as well, but as I just found out today, >it seems that, at least in the Physics Dept., this is no longer going to >be done. They have now changed it so that the listing is done by >FIRST >NAME< only. This has GOT to be the most ridiculous way to post grades. >The Prof. mentioned that in one of his other classes, there were three >"Mark"'s in a row. Another person (who was checking her grade while I >was) said, "Nobody else has my name, anyway" (it was something obscure, >like Aretha). Any system of publicly posting grades is going to voilate privacy. Whether a student ID is a social security number or a unique within the university ID, it can be misused. And most of the time grades posted by student ID are still listed in alphabetical order (making it easy to find people near the start or end of the alphabet). If one wants grade privacy, then professors should be encouraged not to post grades. Ideally the university will have a reliable way to inform students of grades in a timely fashion. ------------------------------ From: Colin Plumb Subject: Re: Teletrac Date: Fri, 2 Oct 1992 01:43:11 -0400 In article you write: >Re: transponders on cars - you don't need it - the license plate is enough. >Optical character recognition technology is about good enough to read >license plates today, and keeps getting faster as algorithms improve >and number-crunching chip speed doubles every year or two. >So all they need is a good video camera and a reader. >The main advantage of transponders is that the stationary equipment is >likely to be cheaper, and you can force the car owners to buy the transponders. I was working at a company that put together a response to a request for proposals from the South Korean government to do this. The idea is that, over the highway, arches hold TV cameras aimed down to see cars' licence plates. The system was to read them, match them against a database, and if the plate showed up, alert the cop shop a few km down (no junctions in the way!). An unreadable plate would be sent to the cops for manual reading. Any such system could, of course, easily be adapted to time-stamp and log *every* car, although the proposal didn't ask for that. This was 1991. Big Brother is here (well, *there*), boys and girls. It was buildable, although it would require some tuning to get the readability rate up against mud, fog, variable lighting, and whatnot. (I wasn't directly involved, and didn't want to be.) -- -Colin ------------------------------ From: Mike Brokowski Subject: Re: Address required on checks Organization: Northwestern University, Evanston Illinois. Date: Fri, 2 Oct 1992 05:07:37 GMT In article Wm Randolph Franklin writes: > >1. Service Merchandise, a local catalog store gets quite unfriendly when >I pay in cash. They've told me they must have a name. (So I give them >'Mario Cuomo'). They do get unfriendly at times, but they have yet to refuse my cash. >2. Then there's Radio Shack. Radio Shack salepersons always ask "Can I have the last four digits of your phone number?" and I just reply "No." Apparently, RS keeps a customer database on its computers and sends flyers/ads to those on it. Once, the clerk sneered "Ok, but we can't give you a refund or exchange if the product is defective without this information." I told him that such a policy constituted an illegal precondition of sale in this state and that unless he had reason to believe I was involved in fraud, the receipt, original product, and packaging were all he could require for transactions under $25 (my purchase was about $3.50). Of course, all of that is crap as far as I know; I was just annoyed at his attitude. But he bought it and I made the purchase anonymously. (I can't say what would've happened if I had needed to return the item.) I suspect that the clerk just made up the 'no refund/exchange' line as a response to intransigent customers (like me ;->). >3. You must give id when spending over $10K with one merchant in, I >believe, one year, or the merchant can get in serious trouble. > >4. I've heard stories about IRS offices refusing to accept cash, though >I can't vouch for them myself. > >There is one loophole however, which is probably still open. You can >buy money orders anonymously, put whatever name you want on them, and >then use them to pay people who refuse cash. >-- >Wm. Randolph Franklin, wrf@ecse.rpi.edu, (518) 276-6077; Fax: -6261 >ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180 USA > I am curious about 3) and the money orders. Does anyone know the rules for requiring id depending on the amount of yearly purchase? It seems to me that a large family could possibly spend over $10k per year at a supermarket and simply pay cash (especially at these newer huge stores where one can pretty much buy most of life's necessities e.g. food, clothing, books, some furniture, toys, pharmaceuticals, et cetera). - Mike ------------------------------ From: Khan Subject: Re: Address required on checks Organization: University of Illinois at Urbana Date: Fri, 2 Oct 1992 18:25:50 GMT In article Wm Randolph Franklin writes: > >1. Service Merchandise, a local catalog store gets quite unfriendly when >I pay in cash. They've told me they must have a name. (So I give them >'Mario Cuomo'). > >2. Then there's Radio Shack. This usually isn't the direct fault of SM or RS. Rather, it's the personal insecurity of the clerk who, when faced with a rejection to his/her request for marketing information, becomes defensive and sometimes even hostile. I am in the habit of refusing to give out my address when making purchases at these types of stores. I've seen a wide range of responses. Often, the clerk feels the need to "explain" why they are asking for my address after I tell them I don't want to give it. The most extreme reaction I ever received was from a very attractive young woman in a (now defunct) small video+electronics store chain. She became VERY distraught when I refused to provide my name and address for a $30 cash purchase. Finally, she made up a name (she somehow came up with "Polk," even though she spelled it "Poke") and wrote it down on the receipt. I'll probably get flamed for saying this, but it was my impression that this particular young lady was not at all used to having men say "no" to her requests. ;-) My point is, the hostility and other reactions you get from clerks are from the clerks themselves. RS definitely does not tell its employees "if they won't give their name, cuss 'em out!" ;-) ------------------------------ Date: Fri, 2 Oct 92 01:45:00 CDT From: Jim Mccoy Reply-To: mccoy@ils.nwu.edu Subject: Re: Blockbuster & video rental records In article , Mike Johnston writes: > > Recently my local corner video store shutdown and I was forced to find > a membership elsewhere. Since the only other store of consequence in my > town was Blockbuster Video, I decided to go there. [...] > > [Regarding the memebership info he was given...] Imbedded > with the standard legalese about being responsible for rented tapes and > such is a clause that states, from memory: > > Member grants Blockbuster Video the right to release all information > generated by or through the use of the membership card. > > In other words, they can give out my rental records to someone without > permission. This is disturbing. > You might want to check out the Video Privacy Protection Act of 1988. I think that the latest reference to this I have seen is in _Privacy for Sale_ (by Jeffrey Rothfeder, a must read for people who are interested in this stuff...). I believe that it prevents stores from releasing just this sort of information, but perhaps someone more familiar with it could clarify this point... jim -- ------------------------------< Jim McCoy >------------------------------------ j-mccoy@nwu.edu | "I'd love to stay and chat, but I'm mccoy@ils.nwu.edu | having an old friend for dinner..." #include | -Dr. Hannibal Lector -----------------------<"To thine own self be true">-------------------------- ------------------------------ From: John Nagle Subject: Re: Blockbuster & video rental records Organization: Netcom - Online Communication Services (408 241-9760 guest) Date: Sat, 3 Oct 1992 17:36:09 GMT shearson!jenny!mjohnsto@uunet.uu.net (Mike Johnston) writes: >Recently my local corner video store shutdown and I was forced to find >a membership elsewhere. Since the only other store of consequence in my >town was Blockbuster Video, I decided to go there. The application >process was fairly quick and painless IE you show them ID and a valid >credit card and you're a member in just a few minutes. After you join >they give you a notepad sized piece of paper which explains the >terms of the membership. >I glanced at this note when I got home and was quite surprised. Imbedded >with the standard legalese about being responsible for rented tapes and >such is a clause that states, from memory: > Member grants Blockbuster Video the right to release all information > generated by or through the use of the membership card. >In other words, they can give out my rental records to someone without >permission. This is disturbing. The exact text, from "Membership Terms and Conditions" marked "2/92" and "810151" reads, in paragraph 3: "Member authorizes BLOCKBUSTER Video to release information contained in this Application or generated by or through the use of the membership card." Question for the lawyers out there: does this constitute a wavier of the Video Rental Privacy Act? I refused to "join" Blockbuster because of their overreaching terms. Fortunately, we have many local video rental stores run by independents. John Nagle ------------------------------ Subject: FOIA Request for the FDA? From: Sean Petty Reply-To: Sean Petty Date: Sat, 03 Oct 92 12:30:42 EDT Organization: The Underground - Pennsylvania I am presently in the position that I need to exercise the FOIA to get some information from the Food and Drug Administration about an approved but questionable drug. What I would like to know is if someone has a generic request form that applies to the FDA, or one that they have used in the past. I would like to get any and all information about this drug from them, so anyone who can offer any information, files, etc. would be greatly appreciated. Sean --- Sean Petty undr!seanp@tredysvr.Tredydev.Unisys.COM ICBMnet: 39'58'12"N 75'84'26"W seanp@undr.org ------------------------------ End of Computer Privacy Digest V1 #087 ******************************