Date: Tue, 27 Oct 92 16:14:48 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#093

Computer Privacy Digest Tue, 27 Oct 92              Volume 1 : Issue: 093

Today's Topics:
    Moderator: Dennis G. Rears

    Re: question on surrepticious
    Re: Posting grades by SSN
    Re: ssn and traffic tickets
    encryption
    Re: Citibank photo credit card
    Two Line Cordless Phones and Recording
    Looking for References
    SSN and unique IDs

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy. The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated). Submissions should be
sent to comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil. Back issues are available via
anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

From: "james.j.menth"
Subject: Re: question on surrepticious
Organization: AT&T
Distribution: usa
Date: Fri, 23 Oct 1992 19:35:15 GMT

In article bu676@cleveland.freenet.edu (Cheryl L. Kerr) writes:
>
>During a recent legal problem, I was advised by my attorney that
>it is completely legal to tape a face-to-face or phone conversation
>without notifying the other party(ies) involved as long as YOU ARE
>A PARTY TO THE CONVERSATION (e.g. Only you need to know it is being
>taped). Since I wasn't involved in any clandestine work, I didn't
>get any legal info on wire taps.
>

This was probably good advice in your state, as it is in mine; however,
although individual states may not pass legislation less restrictive
than Federal laws, they can usually go the other way. The phone books
usually have a section in the front (Mine was titled "Your
Responsibilities") that gives the policy applicable in your area.

Jim Menth
jjm@cbnewsb.cb.att.com

------------------------------

From: David Ratner
Subject: Re: Posting grades by SSN
Organization: UCLA, Computer Science Department
Date: 23 Oct 92 22:00:40 GMT
Apparently-To: comp-society-privacy@uunet.uu.net

rinewalt@gamma.is.tcu.edu (Dick Rinewalt) writes:

>Posting grades is not necessary for a double check on grade reporting.
>Alternatives are:
>1. At TCU, the Registrar sends each faculty member printouts of the
>results of scanning the grade sheets for his/her courses. This provides
>the capability of detecting both types of grade reporting errors;
>however, not all faculty take the time to check this against the
>gradebook.
>2. I encourage my students to pick up the graded final exam. This allows
>them to know their grades early and seeing their mistakes is part of the
>educational experience. Unfortunately, only 10-20% of them do so.
>Dick Rinewalt Computer Science Dept Texas Christian Univ
>rinewalt@gamma.is.tcu.edu 817-921-7166

I disagree.

For number 1, as you pointed out, not all faculty members will take the
time to check the report against the gradebook, especially for large
classes. Even if they do check it, they don't really have a vested
interest in FINDING a mistake, so they might just scan it, whereas a
student will look much more closely.

For number 2, some classes/schools don't allow you to keep your final
exam, and allowing each student to look at it requires patience by the
professor to individually handle each student when they come to ask for
the final. For large classes, this could become extremely tiring for a
professor trying to get work done (i.e. every five minutes having some
student coming into his office asking for his/her final). Now, the
student must "stake out" the professor's office to find a time when he is
in, because after the first 10-15 students come asking, the prof will
undoubtedly run and hide!

It seems much easier for all parties if grades can be posted.

I personally don't care if my grade is posted by my ssn. In one class at
Cornell a waiver was actually sent to all students, and if they signed
it they authorized the posting of their grade by ssn --- otherwise they
had to physically ask the prof. Why not have each student make up some
random number to post grades by, if that's what it takes.

Dave Ratner

--
Dave "Van Damme" Ratner
ratner@cs.ucla.edu
"Wham Bam, thank you Van Damme!"

------------------------------

From: Eric Smith
Subject: Re: ssn and traffic tickets
Organization: Netcom - Online Communication Services (408 241-9760 guest)
Date: Sat, 24 Oct 1992 09:01:02 GMT
Apparently-To: comp-society-privacy@ames.arc.nasa.gov

In article fns-nc1!fns-nc1.fns.com!vib@concert.net (Victor Bur) writes:
...
>I don't know whether it is a local "feature" or nationwide, but the pledge
>response cards for the last (and still going) United Way fund-raising
>Campaign contain a line for SSN. I think it's outrageous!
>
>[Moderator's Note: Why? Ignore it and don't give it to them. ._dennis]
>Victor

It's become a national habit to ask for the SSN on forms whether it is
needed or not. It seems almost as if the people who design the forms do
it without even thinking about whether it is needed or not, simply
because it is a habit.

One thing it's useful for is to help evaluate the attitudes of the
person filling out the form. If they leave the SSN field blank, it
indicates they aren't a totally cooperative person, and if you are
evaluating a large stack of forms to arbitrarily accept some and reject
others, you might automatically reject all those that don't seem totally
cooperative, depending on what the forms are for.

In the case of United Way, if you really feel strongly about it, why not
just send them a note saying you are waiting till they remove that
question from their forms before you pledge.

As for traffic tickets, I don't think it's illegal to forget your SSN
and to not have it written down anywhere handy. Just tell the cop he
will have to forgive your traffic infraction because your SSN is not
available.

------------------------------

From: REDELSS JOHN W
Subject: encryption
Organization: University of Alaska - Fairbanks
Date: Sun, 25 Oct 1992 04:03:00 GMT

Will it ever be possible to network with computers in privacy and
security? Several years ago in an OMNI article I read that encryption
would eventually make true privacy possible for everyone. It went into
the math and the software technology more than I can remember, but it
sounded good to me. Does anyone know anything about this?

------------------------------

From: "Wm. L. Ranck"
Subject: Re: Citibank photo credit card
Date: 26 Oct 92 14:48:12 GMT

Dave Grabowski (KxiK) (dcg5662@hertz.njit.edu) wrote:
: >And who do you think pays for all the credit card fraud? Can you
: >say membership fees, outrageous interest rates etc...? I knew you could.
: >
: 1) Get a credit card with a small (or nonexistent) membership fee.
: They do exist. Actually, CitiBank is only $20/year. 2) Interest rates?
: Pay your bill on time.

Not to get embroiled in a flame war here, but merchants who accept
credit cards are charged from 2 to 5 percent for every charge they
deposit in the bank. That is why credit card companies can afford to
have no-fee cards and no interest on promptly paid bills. They get the
interest up front. Why do you think there is a "service charge" for cash
advances? In other words, the credit card folks make money on every
charge even if you pay the bill right away. In fact the annualized rate
of return for purchases where only the merchant charge is applied works
out to between 24 and 60 percent! Do you really think the merchants'
pricing doesn't reflect the cost of those credit charges?

--
*******************************************************************************
* Bill Ranck                                          ranck@joesbar.cc.vt.edu *
* DoD #496  Bikes past and present: CB175, CB550F, Norton 750, CB350F, XV535  *
*******************************************************************************

------------------------------

Date: Mon, 26 Oct 92 21:38:40 EST
From: "Dennis G. Rears"
Subject: Two Line Cordless Phones and Recording

I recently purchased a Southwestern Bell two line cordless phone. The
controls are like a regular 2 line phone to include memo, redial, hold,
conference, clear, and touchtone/pulse keys. There is also an on/off
switch on the handset. I have two lines coming into my apartment each
with an individual answering machine hanging off it. A key feature/bug on
the phone is that the on/off switch does not release the line. I have to
manually press the Line 1/Line 2 key off to release the line.

Tonight I decided to test one of my answering machines. From line one, I
dialed Line two, heard my answering machine pick up and left a test
message. I then hit the on/off key. Interestingly, I heard a two way
conversation on my answering machine. It seems that instead of releasing
the line it picked up another conversation that was on the same
frequency. After experimenting with it for about 3 hours I have
determined I can get about 20-30 seconds of other conversations recorded
just by blind luck. In a 1200 unit apartment complex there are a lot of
cordless phone conversations going on.

If I had some free time I would check this out a little bit more. Can
you imagine, if I can do this, what a trained person can? I had always
heard from the telecom digest that cordless phone conversations can be
heard with a decent radio scanner but it is interesting how easy it is.

I am posting to the telecom digest for telecom related issues and the
computer privacy digest for privacy issues.

dennis

------------------------------

From: fielden@spot.Colorado.EDU (j. a. fielden)
Subject: Looking for References
Organization: University of Colorado, Boulder
Date: Tue, 27 Oct 1992 19:24:58 GMT

I am researching the topic: "Dangers of Misuse of Information" for a
paper. I'm looking for any references (books, articles, papers, newspaper
articles) on the related areas:

1. Privacy issues
   Who owns information such as demographic, shopping patterns, etc.
   Can consumers obtain information about themselves, correct it or
   block its use.
   Medical records - are they secure, who has access, can patients
   obtain their records etc.
   Other information such as credit card records, video rentals, phone
   records etc.

2. Borders
   If information is stored in a database that is located in another
   state/country whose laws apply.
   Ex. If a U.S. company has info about me in a database located in
   Canada can they be forced to provide me with that information?

3. Any other ways in which information could be used in a way that is
   either detrimental or an invasion of privacy.

Given the number of groups this is posted to PLEASE, E-MAIL ALL REPLIES.
If requested I can either e-mail or post a summary.

Thanks,
-jf

------------------------------

From: Chris Nelson
Subject: SSN and unique IDs
Organization: Rensselaer Polytechnic Institute, Troy, NY
Date: Tue, 27 Oct 1992 18:41:51 GMT
Apparently-To: comp-society-privacy@cis.ohio-state.edu

Many private entities argue that they must use the SSN for
identification purposes because it is the only reliably unique
identifier. The uniqueness is an important point; I've been bumping into
Chris Nelsons my whole life. Until recently, I've not been able to offer
a suitable way for a company to see if you were already in their system
(without checking all variations of your name), then inspiration struck:
use a one-way encryption.

Consider a meat-grinder function which takes as inputs your SSN and the
company's federal tax ID number and puts out a unique ID based on those
numbers (that is, no two SSNs would generate the same key).
I'd have to produce my SSN but it would never have to be recorded
(ideally, it would be illegal to record it). Also, my ID with different
companies would be different (making invasion of privacy through sharing
of data that much harder).

A scenario: NIST standardizes such an algorithm (perhaps with some local
parameters so that a third party with my SSN and a company's FID _still_
couldn't get my ID) and use of it becomes compulsory as use of SSNs by
private entities becomes illegal; phased in over a 4-5 year period,
perhaps.

One problem I see is that the problem space is small enough (nine digit
SSNs) that an iterative search could produce the SSN for a specified ID.
Still, this seems to address some privacy concerns.

Any comments?

[Moderator's Note: I think the problem people have with SSNs is that it
is a national identifier number (NIN). Whether the NIN is the SSN or not
doesn't really make a difference. ._dennis ]

--
------------------------------+----------------------------------------------
Chris Nelson                  | Rens-se-LEER is a county.
Internet: nelsonc@cs.rpi.edu  | RENS-se-ler is a city.
CompuServe: 70441,3321        | R-P-I is a school in Troy!

------------------------------

End of Computer Privacy Digest V1 #093
******************************
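
The scheme proposed in "SSN and unique IDs" above, sketched as an added example that is not part of the digest or of any poster's message: a one-way ID derived from SSN and company tax ID, with and without a secret "local parameter", and the iterative search over nine-digit SSNs that the post identifies as the weak point. The use of SHA-256 and HMAC, the function names, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SSN_SPACE = 10**9  # nine decimal digits, the "small problem space" in the post

def unkeyed_id(ssn: str, fid: str) -> str:
    """One-way function of SSN + company tax ID with no secret input."""
    return hashlib.sha256(f"{fid}|{ssn}".encode()).hexdigest()

def keyed_id(ssn: str, fid: str, local_key: bytes) -> str:
    """Same inputs plus a secret per-company 'local parameter' (HMAC key)."""
    return hmac.new(local_key, f"{fid}|{ssn}".encode(), hashlib.sha256).hexdigest()

def iterative_search(target_id: str, derive, candidates):
    """Try each candidate SSN until derive(ssn) matches the stored ID."""
    for n in candidates:
        ssn = f"{n:09d}"
        if hmac.compare_digest(derive(ssn), target_id):
            return ssn
    return None

def full_search_estimate(derive, sample: int = 20_000) -> float:
    """Seconds to cover all 10**9 SSNs, extrapolated from a timed sample."""
    start = time.perf_counter()
    for n in range(sample):
        derive(f"{n:09d}")
    return (time.perf_counter() - start) * SSN_SPACE / sample

# Constructed sample values: area number 000 is never issued as an SSN.
SSN = "000012345"
FID_A, FID_B = "00-0000001", "00-0000002"   # made-up tax IDs
KEY_A = b"constructed-secret-held-by-company-A"
WINDOW = range(20_000)                      # small slice so the demo is quick

def demo():
    stored_plain = unkeyed_id(SSN, FID_A)
    stored_keyed = keyed_id(SSN, FID_A, KEY_A)
    return {
        # Same person, two companies: the IDs cannot be joined directly.
        "ids_differ": unkeyed_id(SSN, FID_A) != unkeyed_id(SSN, FID_B),
        # No secret: whoever holds the ID and the FID can enumerate SSNs.
        "plain_recovered": iterative_search(
            stored_plain, lambda s: unkeyed_id(s, FID_A), WINDOW),
        # Secret key unknown to the searcher: the same search finds nothing.
        "keyed_recovered": iterative_search(
            stored_keyed, lambda s: keyed_id(s, FID_A, b"wrong-guess"), WINDOW),
        "hours_full_search": full_search_estimate(
            lambda s: unkeyed_id(s, FID_A)) / 3600,
    }

if __name__ == "__main__":
    print(demo())
```

The party holding the key can still run the same search, so the local parameter protects the SSN only against parties that do not hold it.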