Date: Thu, 05 Nov 92 12:48:25 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#096

Computer Privacy Digest Thu, 05 Nov 92              Volume 1 : Issue: 096

Today's Topics:
                        Moderator: Dennis G. Rears

                             1-800-CURB-DWI
                        Risks Of Cellular Speech
              Re: 15th National Computer Security Conference
                           SSN for study room
          "Privacy For Sale" and information/advice (long)
                        Re: SSN and unique IDs
                      Re: ssn and traffic tickets
                      Re: ssn and traffic tickets

   The Computer Privacy Digest is a forum for discussion on the
   effect of technology on privacy.  The digest is moderated and
   gatewayed into the USENET newsgroup comp.society.privacy
   (Moderated).  Submissions should be sent to
   comp-privacy@pica.army.mil and administrative requests to
   comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
   [129.139.160.200].
----------------------------------------------------------------------

Organization: Catalogic, Mountain View, California [Voice: 415-961-4649]
Date: Thu, 5 Nov 1992 00:49:35 -0800
From: Robert Lenoil
Subject: 1-800-CURB-DWI

The following article appeared in comp.dcom.telecom:

>From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
>Subject: Cell Phones to Cut DWI Requested by State Police
>Date: 2 Nov 92 20:35:36 GMT
>Organization: TELECOM Digest
>
>A letter to the editor in today's {Newsday} (11/02/92) by a New York
>State Police Captain requested the use of cell and land-line phones
>for reporting drunk and/or dangerous drivers.
>
>The article reads:
>
>"Regarding the letter by Dorothy Enright ["Put Car Phone to Good Use,"
>Oct. 19]: "The Division of State Police has invited the public to
>assist the police in DWI enforcement by establishing the *DWI
>(numerically, it's *394). By dialing that number the public may
>report persons who are suspected of operating vehicles under the
>influence of alcohol or drugs.
>If the area of the reported violation
>is customarily patrolled by a local police agency, the agency having
>the nearest available patrol will be notified and asked to respond and
>investigate.
>
>"This effort is backed up by a toll-free telephone land-line,
>1-800-CURB-DWI (1-800-287-2394). Although the system is intended
>primarily for reporting suspected intoxicated drivers, the reckless
>and erratic operators described by Enright constitute a hazard that
>the state police wish to be informed of."
>
>
>Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl
>Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093

I wonder what safeguards are built into this system. It seems all too
easy to "report" someone and cause them no end of grief. Can you call
this number and file an anonymous report, and would that be sufficient
grounds for police to stop and search a person's vehicle? That could be
a great way to ruin the day of someone who double-parked in front of
your car.

[Moderator's Note: This doesn't really have anything to do with privacy
but I thought I would let it in due to its potential to be abused.
._dennis]

------------------------------

Date: 02 Nov 92 12:00:22 EST
From: Dave King <71270.450@compuserve.com>
Subject: Risks Of Cellular Speech

[Moderator's Note: This was forwarded from the Risks Digest by
Monty Solomon. ._dennis]

[The following was distributed here at work by our security folks. I
was surprised at the degree to which cellular traffic has apparently
become public speech. But then, perhaps my surprise is just a
reflection of my naivete. I'm not sure how Canada's laws compare to
ours, but given how difficult it must be to catch someone at this, I
can't imagine things are much different here in the 'States. (But then
if it's so difficult, how'd they do the study???) Dave]

Two Bell Canada security managers shared some startling data with us
recently.
In a three-month study of the Metro Toronto area earlier this
summer, Bell found that 80 percent of all cellular telephone traffic is
monitored by third parties. Even more eye-opening is the fact that 60
percent of monitored calls are taped for closer scrutiny and culling of
marketable information. The chance of being monitored and taped is even
higher in rural areas, where air traffic is lighter. Scanners cost as
little as $200, and are sold in virtually every shopping mall in
Toronto.

Marketable information includes the obvious -- mergers, take-overs,
market and product plans, but the listeners are also looking for
voice/phonemail access codes and passwords. The digitized tones are
translated into numbers quite easily. "Phone phreaks", the
telecommunications equivalent of computer hackers, use these numbers to
break into voicemail systems. One misuse which is growing in frequency
is the setting up of "pirate" voicemail boxes, often by organized
crime. Pirated boxes give them the ability to disseminate information
on drug deals, as one example, with little or no risk of detection.

We ask you to be extremely cautious when using your personal or
business cellular phone. Do not discuss confidential business matters,
and avoid calling in for phonemail messages via your cellular phone.

David L. King, IBM SE Region Information & Telecomm Systems Services
Department CAY, Mail Drop D072, 10401 Fernwood Road, Bethesda MD 20817
301 571-4349

------------------------------

Date: Mon, 2 Nov 92 23:39:31 EST
From: Brinton Cooper
Subject: Re: 15th National Computer Security Conference
Organization: The US Army Research Laboratory

[Moderator's Note: The following is a letter from Dorothy Denning to
RISKS DIGEST and Brint's reply.
._dennis]

Date: Tue, 27 Oct 92 08:55:33 EST
From: denning@cs.cosc.georgetown.edu (Dorothy Denning)
Subject: Re: 15th National Computer Security Conference in RISKS DIGEST 13.87

In response to my earlier message about registering encryption keys,
some people have asked how can I be sure that criminals won't use
non-registered keys. I don't have a foolproof answer, but consider
phone calls. Most people who want to encrypt will buy a commercial
product with a built-in key. The key could be registered when the
product is bought. Yes there could be a black market in non-compliant
products, and the likelihood of that increases every day that we fail
to take action on this issue.

Peter Boucher also asked about the benefits of registering keys with a
federal agency. After discussing this problem with law enforcement
officials and criminologists, I am convinced we are facing a potential
crisis in law enforcement if we lose the capability to conduct court
authorized taps. The economic value alone of conducting lawful
electronic surveillance is estimated in the billions. Much of this is
related to organized crime.

Larry Hunter asked how can we be sure that the key centers won't
collude with the Department of Justice and give out the key. If the
relationship between the phone companies and DOJ is any indication,
this won't happen. The folks at the phone companies are so fussy about
court orders that they send them back if the semicolons aren't right.
And don't forget that even if the key center (which I envisioned as a
non-governmental agency) and DOJ collude, they still need to get the
bit stream from the phone companies. But if this doesn't satisfy you,
Silvio Micali has an even tighter scheme that would allow your private
key to be broken up into five pieces and shared with 5 trustees. All
five pieces would be needed to restore the key, but the pieces could be
verified as allowing proper restoration without the need to actually
put them together.
He calls this "fair public-key cryptosystems."

Dorothy Denning

Brint's Reply:

Date: Mon, 2 Nov 92 23:38:32 EST
From: Brinton Cooper
To: denning@cs.cosc.georgetown.edu
Subject: 15th National Computer Security Conference

In Risks-digest, you write (in part):

. ...I am convinced we are facing a potential crisis in law
. enforcement if we lose the capability to conduct court authorized taps. The
. economic value alone of conducting lawful electronic surveillance is estimated
. in the billions. Much of this is related to organized crime.
.
. Larry Hunter asked how can we be sure that the key centers won't collude
. with the Department of Justice and give out the key. If the
. relationship between the phone companies and DOJ is any indication, this
. won't happen. The folks at the phone companies are so fussy about court
. orders that they send them back if the semicolons aren't right. And
. don't forget that even if the key center (which I envisioned as a
. non-governmental agency) and DOJ collude, they still need to get the bit
. stream from the phone companies. But if this doesn't satisfy you,
. Silvio Micali has an even tighter scheme that would allow your private
. key to be broken up into five pieces and shared with 5 trustees. All
. five pieces would be needed to restore the key, but the pieces could be
. verified as allowing proper restoration without the need to actually put
. them together. He calls this "fair public-key cryptosystems."

First, I should hate to think that my right to safety from illegal
search and seizure and/or illegal eavesdropping on my telephone
conversations rested on the good will and integrity of a phone company!

Second, it's difficult to envision a non-governmental agency, created
by the government but not really government. The Post Office purports
to be a non-governmental agency but isn't. Its employees still look
and act like US Civil Servants, and the P.O.
can easily conduct a "mail cover" for a governmental agency without a
court order.

You must remember that court orders, search warrants, and the like are
useful only when the information or evidence gathered under their aegis
is to be used in court against a suspect. If information is being
gathered for political purposes, to blackmail someone, or to subvert
the law (Watergate, Iran-Contra, the Italian bank, etc), the
information will never see a public forum. Thus, the constraints of
court orders are obviated.

The FBI needs to fund its own R&D out of its budgetary resources, just
as the rest of the government at all levels must do. There is talent
that can "red team" modern telecommunications and find trapdoors when
necessary.

You must never forget that the gravest threat to our freedom is, and
always has been, government itself.

_Brinton Cooper

------------------------------

From: Chris Nelson
Subject: SSN for study room
Followup-To: comp.society.privacy
Organization: Rensselaer Polytechnic Institute, Troy, NY
Date: Tue, 3 Nov 1992 05:27:44 GMT
Apparently-To: comp-society-privacy@cis.ohio-state.edu

Today, I planned to meet a friend at the library to study. So that we
wouldn't disturb others, I stopped at the front desk to reserve a study
room. The form I was given had a blank for "SSN". I know that RPI uses
the social security number as a student ID for most non-foreign
students and am accustomed to the staff's failure to distinguish
between SSN and student ID number (a rather non-PC, non-multicultural
affront to our guests, I'd say). To combat this failure, I make a point
of asking anyone who asks for my "soc"(ugh!) if what they want is my
student ID number. In this case, I was told that, no, what they needed
was my SSN as that was what the Bursar billed by and they considered
that number security against damage to the room, failure to return the
key, etc.
Setting aside, for the moment, the fact that I could trash a large part
of the library outside the study rooms without giving anyone my student
number (or any other form of ID), WHY ON EARTH SHOULD I HAVE TO GIVE A
LIBRARIAN MY SOCIAL SECURITY NUMBER TO STUDY WITH A FRIEND IN THE
LIBRARY?!?

If you read this on rpi.general, I'm very interested in your comments.
If you read this on c.s.p, it's a flame or an anecdote as you wish to
interpret it; I'm sorry if I'm wasting bandwidth (and I guess I'd
welcome your comments, too).

Chris
--
------------------------------+----------------------------------------------
Chris Nelson                  | Rens-se-LEER is a county.
Internet: nelsonc@cs.rpi.edu  | RENS-se-ler is a city.
CompuServe: 70441,3321        | R-P-I is a school in Troy!

------------------------------

Date: Tue, 3 Nov 92 11:02:04 EST
From: Douglas Monroe
Subject: "Privacy For Sale" and information/advice (long)
Organization: AT&T

I have just finished reading a book titled

    "Privacy for Sale" by Jeffrey Rothfeder
    Simon & Schuster 1992  ISBN 0-671-73492-X

regarding the demise of privacy in the age of the computer. The ease
with which personal finance, medical histories, credit, etc.
information is obtained, by practically anyone with the time and/or
money to find out, is truly alarming. The lack of protection by the
laws of this country is perhaps even more alarming.

While the author does a good job of narrating the abuses of private
information and introductions of the people and organizations who
profit from our personal tidbits, he misses the mark when it comes to
instructing people on what to do to protect themselves from such
abusers. Many organizations are mentioned but no addresses or phone
numbers are given. Mr. Rothfeder, at the end of the book, gives us some
helpful but lacking advice.
In an effort to expound on his advice I have put together some
additional information which I thought might be helpful to those
interested in inquiring about the quality and quantity of information
held on you personally. I would wholeheartedly recommend the book for
all consumers to read and use this information to protect yourself in
the absence of governmental protection against data abuse.

Below paraphrased from pages 207-208 (without permission) with my
comments added:

--> Get a copy of your credit report and check it for inaccuracies and
    evidence of unauthorized snoopers.

    TRW
    P.O. Box 2350
    Chatsworth, California 91313-2350
    Cost: 1 free report per year
    Procedure: In writing only
    Phone: (800) 392-1122

    Equifax
    PO Box 740241
    Atlanta, GA 30374-0241.
    FAX request to: (404) 612-2668
    Cost: $8.00 (Maryland +$5.00, ME & MT +$3.00)
    Procedure: Write or fax
    Phone: (800) 685-1111

    Trans-Union
    25249 Country Club Blvd, P.O.Box 7000,
    North Olmsted OH 44070.
    Cost: ?
    Procedure: ? I presume in writing
    Phone: (216) 779-7200

    All must have the following information to respond to your
    request--
    1. Full name including middle initial
    2. Spouse name, (if you have one.)
    3. Home address.
    4. Year of Birth.
    5. Social Security Number (They must have this)
    6. Verification of your address (copy of Driv. license or a bill
       with the address clearly indicated).

--> Don't share personal information with anyone who does not have the
    right to see it. Don't write SS# or phone #, address, credit card
    numbers if it is not appropriate to do so. Don't provide this info
    over the phone to unknown callers.

    No argument here.

---> If you don't want junk mail notify credit reporters, credit
    grantors, and the Direct Marketing Assoc. that you would like to be
    removed from their mailing lists.

    See addresses above for credit reporters, write to your credit card
    providers, and
    Direct Marketing Assoc.
    11 West 42nd St.
    NY, NY 10163-3861.
    Also ask to be removed from the telephone preferences list while
    you're at it.
---> Strike back when somebody has invaded your privacy. Notify the
    offending party that you're outraged and won't do business anymore.
    Tell the tale to anyone with media power--Congressmen, Bankers
    Assoc., AMA, FTC, BBB, and newspapers.

---> Notify licensing officials if you learn that a private
    investigator has inappropriately gained information about you.

A few more points mentioned:

--> The Physicians Computer Network in Laurence Harbor, NJ is providing
    free PC's to many physicians. PCN requires that they always be
    connected to the network so they can "scour the patient records of
    the M.D.s looking for interesting tidbits, and pull data for
    marketing lists" Page 193

    Ask your physician if she/he subscribes to this network and avoid
    them if they do.

--> The Medical Information Bureau (MIB) is a vast databank containing
    the summaries of health conditions for more than 12 million
    Americans. Insurance underwriters scan MIB files to decide how much
    to charge for a policy, or whether to even issue the policy.
    Page 184

    Obviously, inaccurate data can be extremely harmful. Call MIB to
    get a form to request that they disclose your medical records to
    you (or your physician) not that much can be done to correct errors

    Medical Information Bureau
    PO Box 105 Essex Station
    Boston MA 02112
    617 426-3660  follow instructions on voice mail.

Two more things:

Write to the FBI to inquire about National Crime Information Center
(NCIC) and Uniform Crime Reporting (UCR) records they might be
maintaining on you.

    Federal Bureau of Investigation
    F.O.I.P.A Section (Freedom of Inf./Privacy Act)
    J.Edgar Hoover Bldg
    9th and E Streets NW
    Washington, DC 20535
    Phone 202 324-5520
    Procedure: Provide Full Name, Date of Birth, Place of Birth, Address
    Request must be signed *and* notarized!

Go to your local library or buy the book, read it, then WRITE YOUR
CONGRESSPERSON! tell them you are appalled at the lack of data privacy
in America.
Tell them you demand that they support legislation such as the
proposed Data Protection Board (not yet out of committee) to protect us
from information abusers!

Disclaimer: no connection whatsoever with the author of the referenced
book.

--
Doug Monroe dwm@pruxl.att.com or monwel@cbnewsk.att.com

------------------------------

From: Stephen M Jameson
Subject: Re: SSN and unique IDs
Date: 3 Nov 92 12:05:17
Organization: General Electric Advanced Technology Labs
Reply-To: sjameson@atl.ge.com

In article nelsonc@deneb.cs.rpi.edu (Chris Nelson) writes:
>
>A scenario: NIST standardizes such an algorithm (perhaps with some
>local parameters so that a third party with my SSN and a company's FID
>_still_ couldn't get my ID) and use of it becomes compulsory as use of
>SSNs by private entities becomes illegal; phased in over a 4-5 year
>period, perhaps.
>

I know that "privacy" as used in this newsgroup usually refers to
specific kinds of privacy, but doesn't the whole idea of "use of it
becomes compulsory" and "becomes illegal" denote government violation
of privacy on the part of the individuals who are not compelled or
prohibited from taking certain actions?

--
Steve Jameson                       General Electric Aerospace
sjameson@atl.ge.com                 Advanced Technology Laboratories
                                    Moorestown, New Jersey
****************************************************************************
**  . . . but I do not love the sword for its sharpness, nor the arrow    **
**  for its swiftness, nor the warrior for his glory.  I love only that   **
**  which they defend . . .                                               **
**                                  -- Faramir, "The Two Towers"          **
****************************************************************************

------------------------------

From: Stephen M Jameson
Subject: Re: ssn and traffic tickets
Date: 3 Nov 92 12:07:59
Organization: General Electric Advanced Technology Labs
Reply-To: sjameson@atl.ge.com

In article bsc835!ehunt@uunet.uu.net (Eric Hunt) writes:
>In Alabama, your SSN is printed on your driver's license.
>It's *not* the DL#, but it is printed on the card itself.
>
>How many other states also have the SSN printed on the license?

Delaware does.

--
Steve Jameson                       General Electric Aerospace
sjameson@atl.ge.com                 Advanced Technology Laboratories
                                    Moorestown, New Jersey
****************************************************************************
**  . . . but I do not love the sword for its sharpness, nor the arrow    **
**  for its swiftness, nor the warrior for his glory.  I love only that   **
**  which they defend . . .                                               **
**                                  -- Faramir, "The Two Towers"          **
****************************************************************************

------------------------------

From: zoltan egyed
Subject: Re: ssn and traffic tickets
Reply-To: EGYED@lns62.tn.cornell.edu
Organization: Wilson Lab, Cornell U., Ithaca, NY, 14853
Date: Thu, 5 Nov 1992 00:30:35 GMT
Apparently-To: comp-society-privacy@uunet.uu.net

In article , Eric Hunt writes:
>> In article fns-nc1!fns-nc1.fns.com!vib@concert.net (Victor Bur) writes:
>> As for traffic tickets, I don't think it's illegal to forget your SSN
>> and to not have it written down anywhere handy. Just tell the cop he
>> will have to forgive your traffic infraction because your SSN is not
>> available.
>
>In Alabama, your SSN is printed on your driver's license. It's *not* the
>DL#, but it is printed on the card itself.
>
>How many other states also have the SSN printed on the license?
>---
>Eric Hunt                   | bsc835!ehunt@uunet.uu.net (preferred)
>Birmingham-Southern College | eric.hunt@the-matrix.com
>Birmingham, Alabama 35254   | ^--- Nothing longer than 100 lines
>
>

It's on my Tennessee driver license, called as "audit number". :-((((((

Zoltan

------------------------------

End of Computer Privacy Digest V1 #096
******************************
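
The five-trustee key split described in Dorothy Denning's letter in this issue, sketched as an added example that is not part of the digest and is not taken from Micali's paper. It assumes an additive split of a discrete-log private key with one public commitment per piece, over a toy group; all names and parameters are illustrative.

```python
import secrets

# Toy group, assumed for illustration only: the Mersenne prime 2**127 - 1.
# A real system would use a standardized, much larger prime-order group.
P = 2**127 - 1
G = 3
ORDER = P - 1      # exponents of G can be reduced modulo P - 1 (Fermat)
TRUSTEES = 5       # the letter describes five pieces and five trustees


def keygen():
    """Return (private_key, public_key) with public_key = G^private mod P."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def split(private_key, n=TRUSTEES):
    """Split the key into n additive pieces plus one public commitment each."""
    pieces = [secrets.randbelow(ORDER) for _ in range(n - 1)]
    # The last piece is forced so that all pieces sum to the private key.
    pieces.append((private_key - sum(pieces)) % ORDER)
    commitments = [pow(G, s, P) for s in pieces]
    return pieces, commitments


def trustee_accepts(piece, commitment):
    """A trustee checks its own piece against its published commitment."""
    return pow(G, piece, P) == commitment


def commitments_match_key(commitments, public_key):
    """Anyone can check that the commitments multiply to the public key,
    so the pieces are known to restore the key without being combined."""
    product = 1
    for c in commitments:
        product = product * c % P
    return product == public_key


def recover(pieces, n=TRUSTEES):
    """Restore the private key; refuses unless all n pieces are supplied."""
    if len(pieces) != n:
        raise ValueError("all %d pieces are required" % n)
    return sum(pieces) % ORDER


if __name__ == "__main__":
    priv, pub = keygen()
    pieces, commitments = split(priv)
    print(all(trustee_accepts(s, c) for s, c in zip(pieces, commitments)))
    print(commitments_match_key(commitments, pub))
    print(recover(pieces) == priv)
```

Any four pieces on their own are uniformly random values and say nothing about the key; the verification step uses only the public commitments.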