Date: Wed, 07 Oct 92 17:28:19 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#088

Computer Privacy Digest Wed, 07 Oct 92          Volume 1 : Issue: 088

Today's Topics:
                    Moderator: Dennis G. Rears

    Welcome to Our New Users/Status of the forum
    Policy for Submissions
    Re: SSN and Airline Antitrust Settlement
    Re: SSN in login ids / posting grades
    Re: Address required on checks
    Re: Address required on checks
    Address required on checks
    Re: Address required on checks
    Re: Address required on checks
    Re: Big Brother has this message on file!
    Re: Computer access to SSN and bank accounts: 48hrs episode
    Question on Surreptitious recording of calls in a Federal Agency

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy. The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated). Submissions should
be sent to comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.

Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.200].

----------------------------------------------------------------------

Date: Wed, 7 Oct 92 17:10:57 EDT
From: Computer Privacy List Moderator
Subject: Welcome to Our New Users/Status of the forum

In the last four (4) days I have added about 50 new subscribers to the
electronic maillist portion of this forum. Based upon their net
addresses, they are from a wide range of countries and
education/commercial/government backgrounds. I would like to welcome
them all to the Computer Privacy Digest (CPD).

Readership is still growing on this forum. There are now over 400
direct subscribers to the electronic mail list including about 25
exploder lists. According to the latest USENET traffic poll, there are
an estimated 16,000 readers of the comp.society.privacy newsgroup which
is 1.1 % of all USENET readers.
My initial USENET distribution has been expanded from one to three
sites. I am hoping this will improve propagation throughout USENET.
Originally everything originated from adm.brl.mil.

I am including the occasional policy posting in this digest for all
readers. I actively solicit any articles that are relevant to the
charter of this news group. The charter of the Computer Privacy Digest:

comp.society.privacy    Effects of technology on privacy (Moderated)

This newsgroup is to provide a forum for discussion on the effect of
technology on privacy. All too often technology is way ahead of the
law and society as it presents us with new devices and applications.
Technology can enhance and detract from privacy. This newsgroup will
be gatewayed to an internet mailing list.

Dennis Rears
(Moderator of CPD)

------------------------------

Date: Wed, 7 Oct 92 17:12:05 EDT
From: Computer Privacy List Moderator
Subject: Policy for Submissions

Policy on Posting to the Computer Privacy Digest.
Revision 1.0 27 May 1992

Introduction:

The Computer Privacy Digest is an electronic digest dedicated to the
discussion of how technology affects privacy. The digest is burst into
separate articles and fed into the USENET newsgroup
comp.society.privacy. The newsgroup and digest are different forms of
the same forum. Discussions should be centered around the following
topics:

  o Technology - What devices are out there now and are on the drawing
    boards that will enhance or take away privacy from individuals and
    entities.

  o Ramifications - What are the ramifications of current and new
    technology.

  o Public Policy - What should public policy be in regulating, not
    regulating, and/or using the technology. Privacy includes the
    right of the individual/entity to privacy against other
    individuals, entities, businesses, and the various forms of
    government.

  o Education - This kind of goes with ramification.
    One of the functions of this forum should be to educate people on
    how current technology affects their privacy. This can range from
    corporate data bases to credit card usage.

1. Submissions:

  a. All submissions should be emailed to comp-privacy@pica.army.mil or
     posted to the comp.society.privacy newsgroup. Only submissions
     that are relevant to the charter of the forum will be published.
     Please keep text to under 76 characters per line. Personal
     attacks, excess flamage, or libelous postings will not be
     published.

  b. Submissions should not be sent to
     comp-privacy-request@pica.army.mil. This address is for drop/add
     requests, administrative changes, and confidential requests to the
     moderator. Those submissions sent to that address will only be
     published if explicit permission is granted to publish by the
     poster.

  c. Anonymous submissions

2. Copyrighted Articles:

  a. It is assumed that all articles submitted are in the public
     domain. Submission grants permission for distribution and
     archiving in the Privacy Digest.

  b. I will not publish any articles that contain complete text of a
     copyrighted work unless the poster explicitly states that he has
     obtained permission from the copyright holder to print in the
     Computer Privacy digest. A summary of an article is ok as is any
     excerpt that can be justified under the fair use doctrine.

3. Signal to Noise Ratio:

   It is my desire to keep a high signal to noise ratio. As a result a
   particular posting may not be published or a subject thread might be
   terminated when postings start to fail to shed new insight into the
   subject. I welcome submissions on new topics and encourage them.
   The quality of the digest is up to the readers and posters.

Dennis G. Rears
Moderator, The Computer Privacy Digest

------------------------------

From: "David A. Andersen"
Subject: Re: SSN and Airline Antitrust Settlement
Date: 3 Oct 92 19:42:02 GMT

In article egdorf@zaphod.lanl.gov (Skip Egdorf) writes:
>In article rudis+@cs.cmu.edu (Rujith S DeSilva) writes:
>
> The claim forms for the Airline Antitrust Settlement ask for `Social Security
> Number or Tax I.D.'. I've read the SSN guidelines posted here regularly, but
> this case seems different. I really don't want to supply my SSN, and I don't
> see why I legally have to. The terms of the settlement clearly define a
> `Class' of members (loosely, passengers of some airlines during a certain
> period), and say that upon certifying their inclusion in this Class, its
> members are eligible to a share of the settlement. Why should I supply my SSN
> to certify my claim?
>
>A "Settlement" of a monetary amount will be reported to the IRS as
>income for tax purposes. This is essentially the same requirement as a
>bank requesting the SSN so as to be able to report interest on a
>savings account to the IRS. This is permissible under federal law.

Yes, but isn't the value of the settlement going to be less than $600
for most of the claims? Since it isn't a financial institution, isn't
the $600 minimum in effect?

David Andersen
UC Irvine

[Moderator's Note: Could someone actually find out where the
requirement for SSN for the Settlement has come from? I don't believe
it stems from a tax requirement. I think this issue has been beaten to
death. ._dennis ]

------------------------------

From: James Allan
Subject: Re: SSN in login ids / posting grades
Organization: Cornell Univ. CS Dept, Ithaca NY 14853
Date: Sun, 4 Oct 1992 01:24:49 GMT

Tom Wicklund writes:
>Any system of publicly posting grades is going to violate privacy.
>Whether a student ID is a social security number or a unique within
>the university ID, it can be misused.
>And most of the time grades
>posted by student ID are still listed in alphabetical order (making it
>easy to find people near the start or end of the alphabet).
>If one wants grade privacy, then professors should be encouraged not
>to post grades. Ideally the university will have a reliable way to
>inform students of grades in a timely fashion.

Posting grades removes some administrative burden, makes it reasonably
easy for the students to doublecheck that grades were recorded
accurately, and makes it easier for the students to have a feeling for
"where they stand" (something which many students are obsessed with).

The problem is not posted grades; the problem is the ID number.

Cornell does not allow student grades to be posted by SSN or by the
students' Cornell ID number. In the classes I teach, I get a 6 or so
character "grading code" from the student and use that to post the
grades (sorted by grading code, not by name). Some students choose to
use their ID's, some use a combination of their initials and numbers,
some use OTHER people's initials (a friend, I suspect), and some use
nonsense phrases like "iamcool". There's essentially no way to guess
which grade is for whom (modulo the case of a "star" student who is an
order of magnitude above everyone else).

I think student-chosen grading codes are a good solution to the
problem. I admit that, unfortunately, many professors here seem to
sidestep or ignore the no-SSN no-ID# routines.

------------------------------

Date: Sun, 4 Oct 1992 7:38:55 -0400 (EDT)
From: "Dave Niebuhr, BNL CCD, 516-282-3093"
Subject: Re: Address required on checks

Khan writes:
>In article Wm Randolph Franklin writes:
>>
>>1. Service Merchandise, a local catalog store gets quite unfriendly when
>>I pay in cash. They've told me they must have a name. (So I give them
>>'Mario Cuomo').
>>
>>2. Then there's Radio Shack.
>
>This usually isn't the direct fault of SM or RS.
>Rather, it's the
>personal insecurity of the clerk who, when faced with a rejection to
>his/her request for marketing information, becomes defensive and
>sometimes even hostile.
>

I'm not sure about Service Merchandise but the clerks in Radio Shack
are required by company policy to attempt to get a telephone number so
that a database entry can be made and flyers sent to the purchasers.

Dave

Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093

------------------------------

From: "Wm. L. Ranck"
Subject: Re: Address required on checks
Date: 4 Oct 92 18:32:38 GMT

Mike Brokowski (brokow@casbah.acns.nwu.edu) wrote:
: Radio Shack salespersons always ask "Can I have the last four digits of
: your phone number?" and I just reply "No." Apparently, RS keeps a
: customer database on its computers and sends flyers/ads to those on it.
:

I used to work for Radio Shack about 17 or 18 years ago. At that time
we were told to *ask* for name and address on each sales slip. The key
word was ask. If someone said no or asked why we were to tell them,
quite honestly, that the name and address was for a mailing list. The
corporate policy was that you were supposed to get the name and address
on a high percentage of the slips or else the district manager would
hassle you about it. Some stores didn't emphasize the voluntary part
but did emphasize the percentage 'required'. This kind of pressure
leads to cranky clerks. My manager said to just ask them for it and if
the customer didn't want to give it to not make it a big deal. Other
store managers probably weren't that easygoing.

:
: I am curious about 3) and the money orders. Does anyone know the rules
: for requiring id depending on the amount of yearly purchase?
: It seems
: to me that a large family could possibly spend over $10k per year at a
: supermarket and simply pay cash (especially at these newer huge stores
: where one can pretty much buy most of life's necessities e.g. food,
: clothing, books, some furniture, toys, pharmaceuticals, et cetera).

An interesting question. The intent of the law requiring reports of
large cash purchases was to catch drug dealers and the like using big
wads of cash to buy cars, boats, jewelry, etc. Some got around the
reporting requirement by splitting up payments into multiple
less-than-10K amounts. So the law was changed to cover that. Mike
points out an interesting consequence of that change. There may be a
lot of technical violators who don't even know it. I routinely write a
check for groceries at a local store, and that is usually the only
store I buy groceries from. I doubt that my annual food bill breaks
the 10K limit, but to be honest I don't know. I would have to go back
and add up probably 100 checks or so.

--
*******************************************************************************
* Bill Ranck DoD #496 ranck@joesbar.cc.vt.edu *
*******************************************************************************

------------------------------

Date: Mon, 5 Oct 1992 08:25 EDT
From: JSMITH@guvax.acc.georgetown.edu
Subject: Address required on checks

Regarding Radio Shack's request for customer information:

About fifteen years ago, a good friend of mine managed a Radio Shack
store. At the time, one of Radio Shack's measurements for store
managers was the percentage of sales slips on which the name and
address were filled in. Salespeople were allowed to write "Cash" for
those situations in which customers absolutely refused to divulge any
information, but these were counted against the store manager in
end-of-month calculations.

So, my friend made a deal with me: when customers refused to supply
the information, he would initially write "Cash" on their slip.
After they left the store, he would then enter the name "Brownie
Smith" and my home address on the store copy (Brownie was my dog at
the time). Brownie received Radio Shack catalogs for many years but
was eventually purged...once my friend left Radio Shack for a more
lucrative career as a stock broker, Brownie apparently ceased to make
purchases.

In another situation with similar characteristics, Shell Oil
distributed a coupon in several cities' newspapers last summer (I saw
it in _The Washington Post_ and _The New York Times_). The coupon
offered $1 off any gasoline fillup (8 gallons or more). At the bottom
of the coupon was a space for name and address with the heading
"Consumer: Please complete." I tried to redeem the coupon at my local
Shell station without completing the name and address section, but the
attendant refused it. When I argued that the information was clearly
optional and that the offer of $1 was an unconditional one, he replied
"I don't see nothing about optional on the coupon." So, I wrote to
Shell's president in Houston, Texas. I received a very apologetic
letter and a check for $5. But I'm sure they considered me a privacy
zealot and crackpot.

Jeff Smith
Assistant Professor
School of Business Administration
Georgetown University
Washington, DC 20057

[Moderator's Note: I would like to kill the thread on Radio Shack
wanting names, addresses, and phone numbers. The general consensus is
that it is a marketing ploy and a forceful no is all that is required
to avoid giving out this information. ._dennis]

------------------------------

From: Don Simon
Subject: Re: Address required on checks
Reply-To: infmx!dsimon@uunet.uu.net
Organization: Informix Software, Inc.
Date: Mon, 5 Oct 92 19:04:59 GMT

In article 8@pica.army.mil, wrf@ecse.rpi.edu (Wm Randolph Franklin) writes:
>
>In article on Thu, 24 Sep 92 14:02:46 GMT,
>amdunn@mongrel.UUCP (Andrew M. Dunn) writes:
>
> > Of course, cash will always be accepted without your address on it.
>
>Oh?
>
>1. Service Merchandise, a local catalog store gets quite unfriendly when
>I pay in cash. They've told me they must have a name. (So I give them
>'Mario Cuomo').
>
>2. Then there's Radio Shack.
>
>3. You must give id when spending over $10K with one merchant in, I
>believe, one year, or the merchant can get in serious trouble.
>
>4. I've heard stories about IRS offices refusing to accept cash, though
>I can't vouch for them myself.
>
>There is one loophole however, which is probably still open. You can
>buy money orders anonymously, put whatever name you want on them, and
>then use them to pay people who refuse cash.
>--
>Wm. Randolph Franklin, wrf@ecse.rpi.edu, (518) 276-6077; Fax: -6261
>ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180 USA

I believe that it is illegal to refuse US currency in the US, after
all it is the only *legal* tender in this country. The IRS does
require that large cash purchases (> 10,000) have filed a special form,
used for tracking people with possibly illegal cash resources
(drug-dealing, extortion, theft in general).

If someone won't take my money, they won't get my business, there are
millions of businesses in America, and I can guarantee that you can
always find whatever you're looking for somewhere else. Vote with your
feet/wallet...if someone is trying to invade your privacy, tell them
how you feel, and that you will not shop their store again until they
respect your privacy choice.

don simon

------------------------------

From: Steve Barber
Subject: Re: Address required on checks
Date: Wed, 7 Oct 1992 04:26:57 GMT
Organization: PANIX Public Access Unix, NYC

Of course, any merchant may refuse to accept a money order as payment
as easily as it can refuse to accept a check, if it wishes. Cash is
it, at least according to Article 3 of the Uniform Commercial Code.
Though of course more places will take an anonymous money order than
will take a check with no address.
--
Steve Barber sbarber@panix.com
"The direct deed is the most meaningful reflection." - Bill Evans
Nothing I say is legal advice. It can't be. I don't know anything.

------------------------------

From: "J. Porter Clark"
Subject: Re: Big Brother has this message on file!
Organization: NASA/MSFC
Date: 5 Oct 92 17:41:28 GMT
Apparently-To: comp-society-privacy@ames.arc.nasa.gov

On 28 Sep 1992, I posted a message to comp.security.privacy which
started out like this:

> I just found out last week that the local network management
> organization is archiving all network traffic onto 8 mm tape and has
> been doing so for at least six months. They plan on keeping this data
> indefinitely.

I went on to vent righteous indignation about the possibility of
misuse or (at the very least) gratuitous exploitation of this data and
the waste of magnetic tape.

I based my claims about the traffic archiving system on information I
obtained during a training course for LAN managers which I attended.
This information was not correct. I have discussed the operation of
the system with the person who developed and operates it, and I humbly
offer the following corrections.

Our Network Management Center does in fact operate a High-Speed
Ethernet Capture System which is capable of monitoring only one or two
of the 80 or more segments which make up the local network. The NMC
monitors only specific segments in response to requests to
troubleshoot specific problems. These problems include broadcast or
multicast storms and LAT dropouts.

The most important correction is that the tapes are NOT kept for an
indefinite period of time. Instead, they are kept for 1-2 weeks before
being reused. (This was precisely the recommendation I made in the
earlier post.) However, tapes containing unusual network events are
kept longer.

I had also recommended that the system strip out the messages and keep
only the headers of network packets.
The NMC claims that it is necessary to keep the messages to
troubleshoot certain types of problems, including a LAT dropout
problem.

There are plans to extend the capabilities of this system, but not
greatly. The current system can miss packets during high traffic
periods, and the NMC hopes to eventually eliminate this problem.

Network Management Center strongly agreed with my privacy concerns and
pointed out that all Ethernet networks should be treated as unsecure
lines. PROMISCUOUS reading programs are common on almost any network
host. Only their lack of performance and overrun detection limit
their network wire-tapping capability on a busy segment. They
recommend an attitude of treating Ethernet like an old time party line
with a nosy busy-body who tries to listen to every call.

In my earlier post, I asked if anyone knew of a good reason (legal or
ethical, perhaps) for not having the net police archive all network
traffic for practically forever. I didn't get any responses better
than something along the lines of "There's probably something illegal
about it." I would still like to hear from anyone who has any insight
into this problem.

--
J. Porter Clark jpc@avdms8.msfc.nasa.gov or jpc@gaia.msfc.nasa.gov
NASA/MSFC Communications Systems Branch
ICON: A picture or symbol that stands for a word. Icons are often used
in programs for young children who cannot yet read.
-- some doctor's waiting-room magazine

------------------------------

From: Steve Forrette
Subject: Re: Computer access to SSN and bank accounts: 48hrs episode
Organization: Walker Richer & Quinn, Inc., Seattle, WA
Date: Mon, 5 Oct 1992 23:33:50 GMT
Apparently-To: comp-society-privacy@ames.arc.nasa.gov

Several people wrote to say how easy it is to get a dialup account
with a credit bureau to get people's credit profiles. But, isn't each
inquiry logged in the computer? I, from time to time, will get a copy
of my credit profile in order to check its accuracy.
It also lists each inquiry that has been made within the last year (2
years?). If there were an inquiry from an organization that I did not
recognize or authorize, I would definitely look into it.

Steve Forrette, stevef@wrq.com

------------------------------

Date: Tue, 6 Oct 92 13:31 GMT
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Question on Surreptitious recording of calls in a Federal Agency

I have a question I am posting from my own Internet account (which I
pay for out of my own pocket) so I can state this specifically and ask
a public question which might be inappropriate for me to ask from a
government account.

I am a private employee of a contractor to a government agency. I
work out of that agency but I am not a government employee.

Some rumors have been floating around to the effect that this agency
is now and/or was recording (unannounced to anyone) telephone calls at
this agency, either calls made from the agency, calls made to the
agency, or both, and perhaps only on certain phone lines. The rumor
has it that in one instance a person (a former federal employee) got
to hear a playback of a recording of some personal calls they made
where they were not supposed to be doing so.

For obvious reasons, unless I have solid legal grounding to know
whether or not this form of activity is legal or otherwise, I would
like to get some background from an Internet news group reader who
knows what the law says, or has a copy of the laws dealing with this.

Please note that I am *NOT* referring to SMDR taping or pen registers,
which is what I thought the person who told me this was referring to
(which would record phone numbers dialed; that is not what I am
talking about; I am talking about the (surreptitious) recording of the
audio content of telephone calls.)

Question: Even for a government agency, is it legal for them to record
calls without notification to the parties involved?
I believe this not only violates the 1968 Federal Wiretap Act but
might also violate the more recent Electronic Communications
Protection Act.

I for one don't have anything to worry about; the most I've done is
call MCI's 800 number - which is okay since the agency isn't charged
for the call - but I wonder about the legality of this.

Also, I note that this agency does have a special reports office to
accept calls from the public and reports to the agency by employees,
people under its jurisdiction, and the public, and the first thing the
person on that line does when he or she answers is to report that the
line is recorded. Which strikes me as odd, if the rumor I'm hearing is
true.

I thought the only time where a call could be recorded without the
knowledge of the people on the call - even in a federal agency - is
either if there is a wiretap order from a court or it's a security or
law enforcement agency such as the FBI, NSA, CIA or other such. This
agency is not generally a law enforcement agency.

Could someone tell me if I'm wrong and this type of activity is legal?

These opinions ARE those of the owner of this account. And nobody
else's.

[Moderator's Note: I work for a federal agency (U.S. Army). On all of
our phones is a label that states "This telephone is subject to
monitoring at all times. Use of this telephone constitutes consent to
monitoring". Since it clearly states the policy I can not object to
it. I can go to a nearby phone and conduct my personal and private
business. I have talked with our telecom folks and they have more or
less said that monitoring is mainly for security purposes (prevent
people from talking classified phones) not for criminal investigation
purposes. ._dennis]

------------------------------

End of Computer Privacy Digest V1 #088
******************************