Date: Sat, 05 Dec 92 13:01:05 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#107

Computer Privacy Digest Sat, 05 Dec 92              Volume 1 : Issue: 107

Today's Topics:                         Moderator: Dennis G. Rears

    User-transparent encryption?
    SSN (cont.)
    Re: Phone Privacy: Call Records
    Re: Phone Privacy: Call Records
    Re: Phone Privacy: Call Records
    Correcting Credit Reports
    Radar Detector Prohibitions
    PBX call records

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Zoltan Egyed
Subject: User-transparent encryption?
Date: 3 Dec 1992 13:21:34 -0500
Organization: Wilson Lab, Cornell U., Ithaca, NY 14853

As you probably all know, more than enough people have access to root passwords. I am less than satisfied about the security of my mail, calendar file, etc. The obvious answer is encryption. It requires the user to decrypt/encrypt the file every time he uses it.

Does anyone know some trick in Unix (maybe using named pipes with the encryption program) to counter this? Maybe the user could start up a program when he logs in, it would take care of the encryption/decryption, and it would be stopped before logout.

If you have ideas about it, please email to save bandwidth, I'll summarize.

Thanks
Zoltan Egyed

[Moderator's Note: I know of nothing. Either you trust your administrators or you don't. If a sysadmin wanted to read your mail it would be easy for him to get copies of it when you send it or receive it.
._dennis ]

------------------------------

Date: Thu, 3 Dec 1992 14:50:53 -0500 (EST)
From: Eugene Levine
Subject: SSN (cont.)

Please accept my respectful demurrer to several of the comments posted on this list.

First, IMHO, no law-abiding person has any need for my SSN. Some business institutions are required to report information to government agencies for purposes specifically related to the Social Security system. But why any business feels it has a "right" or "need" to my SSN is beyond me. If they want to contribute to my retirement fund, we can work out suitable arrangements. If they want to id me positively, let them use my driver's license, a medium without other intrinsic significance.

Second, while no store is required to accept checks from you, it's quite a stretch to get from there to the idea they are somehow doing you a "favor" by accepting your payment on a bank draft. They have no "right" to your business, and if they won't accept your check under reasonable conditions, they won't get your business.

Third, I do not agree that we should passively accept as "inevitable" the use of the SSN as a universal identifier. This is, after all, the US of A. The government remains (at least nominally) in our hands, and if intrusive, excessive and unreasoned bureaucratization is seeping into our everyday lives, I feel it would be wise for us to oppose it sooner rather than later.

Finally, as many others on this list have done, I have dealt with my state's Registry of Motor Vehicles on this subject. Here in Massachusetts, it took a court case to prohibit the Registry from requiring us to accept the SSN as our license number, and the local offices still try to force it on you at renewal (the main office is aware of the situation, does not try to ignore the law, and has several employees who are themselves users of the "special number").

Quaere: if this is such a non-issue, why does it stir such strong emotions?
It is not merely of interest to lawyers and computer people - it is a general issue of broad appeal across the entire political spectrum. If there is no unanimity about the issue, I at least suggest there is widespread and deep interest in it.

And BTW - thanks to the moderator for allowing the issue to run its full course out here in cyberland :-)

I don't think the telephone company "owns" your phone number. They have obviously got certain rights in the number - but that's not like "owning" a house or a trademark. They have the right to prevent issuance of the same number to different customers in the same Area Code (though I think the right of the customer to have exclusive use of a number might be as strong as any interest the phone company has in the number).

Again, here in Massachusetts, it is possible - by dint of regulatory decision - to opt out of the caller id system. I was told by the New England tel representative that blocking the id worked on all systems within their purview. It troubles me to know that Virginia does not have to respect my desire for privacy in this regard. And she a fellow "commonwealth" and guardian of freedom!

[Moderator's Note: It is the phone company's number. They can take it away from you and give you another number. ._dennis ]

Gene Levine
elevine@world.std.com

------------------------------

From: Carl Oppedahl
Subject: Re: Phone Privacy: Call Records
Date: Thu, 3 Dec 1992 17:03:47 GMT
Organization: PANIX Public Access Unix, NYC

In "Kip J. Guinn" writes:

> Do phone companies keep records of local calls made from your telephone?

New York Telephone certainly does. Many other telephone companies do, too, I'm sure.

>I have heard references to "phone records"--mostly in articles about
>someone being investigated by the police--and wonder if they meant
>local calls, or long-distance.

> I can see where long-distance calls would be in records, but do they
>actually keep logs on local calls made from each residential phone?

NYTel does.
>That would seem to be an awfully huge chunk of data...

Yes, which is why NYTel only keeps it for a couple of months.

>And a big
>invasion of my privacy, too! Caller ID is bad enough for some
>people--women's shelters, etc-- and I don't like the fact that if I
>call to complain to the police, or a company, etc, that they know my
>home number (which I try to keep fairly private), but if local calls
>are routinely logged--heck, what do you do?

Here in New York, you can call up today and get a printout (for $2) detailing all the local calls in the previous billing period. And you don't have to have asked for this in advance -- which means they keep track for _everybody_, all the time.

>[Moderator's Note: They do not keep track of the local numbers you
>call.

Here in NYC they do. But perhaps not all telcos do -- perhaps where you live they do not.

>Most switches do have the capability to do so if there was a
>compelling need.

Yes, that's right. All ESS switches, which means all switches where it is possible to get call waiting and equal access long distance selection.

>You might disagree with the concept but that
>information belongs to the company not to you.

I figure that legally the answer to this question differs from state to state. In New York, the state PSC has chosen to enact regulations about this, putting strict limits on what the telco can do with the information.

>I hope the fact that
>medical records belong to the doctor and not to the patient doesn't
>surprise you. ._dennis ]

Er, ah ... again I think this varies from state to state. In New York there is a law that the doctor must hand over a copy of the records upon the patient's request. So the information, at least, is not owned by the doctor, although I am prepared to grant that ownership of the underlying paper lies with the doctor.

Carl Oppedahl AA2KW (intellectual property lawyer)
30 Rockefeller Plaza
New York, NY 10112-0228
voice 212-408-2578 fax 212-765-2519

------------------------------

Date: Thu, 3 Dec 92 15:36 PST
From: John Higdon
Reply-To: John Higdon
Organization: Green Hills and Cows
Subject: Re: Phone Privacy: Call Records

Hal Finney writes:

> The question of whom calling information "belongs to" is not so
> simple. There is no holy writ from above that says the information
> about which phone calls I make belongs to the phone company and not to
> me.

There may not be "holy writ", but there are FCC Rules and Regulations in addition to state utility commission rules. Unfortunately, the preponderance of regulation dictates that call records belong to the utility, who may do with them as they please. Ostensibly, they are for the purpose of billing and traffic management, but until someone passes applicable legislation (or makes rules to the contrary), you have little control over the data collected by your telco regarding the use of your telephone.

It goes even further: a telco is REQUIRED to share such data with any IEC to which it is connected. At that point, you have a jurisdictional shift, since IECs are not necessarily governed by the same set of laws and rules that apply to the LEC.

> Alternatively, if enough people feel that calling information should
> belong to them and not to the company, they could pass laws requiring
> phone companies to not keep individual calling records.

Don't count on this happening any time soon. "People" do not pass laws; legislatures pass them. It is highly doubtful that there would be any meaningful groundswell of public outcry over the misuse of telco call records that would sway congresscritters to bother with such a non-issue.
And it would have to be at the Federal level: as we have seen time and again, state laws restricting any aspect of telephony have little effect given that calls are easily transported out of state and returned, making them "interstate commerce"--something over which states have no control. (My 800 provides ANI on callers from PA just as readily as from any other state, even though PA law prohibits such things.)

> If you feel that information about
> the specific phone calls you make is and should be private, even
> though the phone company inherently learns this information in
> providing you with their business, you have every right to feel this
> way. And you have every right to take action to retain your privacy.

Yes, you may feel any way you wish. Whether there can be anything done about this feeling is another matter. And you certainly have a right to protect your privacy, although in this case (telco call records) I seriously doubt that much will happen. To most people, including myself, it is a non-issue. There are just so many things in this world that one can get lathered about; for me and my house this is not one of them.

> [Moderator's Note: I would welcome comments from John H. on what the
> phone company owns or doesn't. I am pretty sure they own your phone
> number too. ._dennis ]

As it stands, the phone company owns and has exclusive rights to your call records (except as it is required to reveal them to other parties as required by tariff), and telco "owns" your phone number as well.

--
John Higdon  |   P. O. Box 7648   |   +1 408 264 4115     |       FAX:
john@ati.com | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407

------------------------------

Apparently-To: nucsrl!uunet!comp-society-privacy
From: Kevin Mitchell
Subject: Re: Phone Privacy: Call Records
Date: Fri, 4 Dec 1992 06:06:15 GMT
Organization: ddsw1.MCS.COM Contributor, Chicago, IL

Actually, Illinois Bell keeps track of local calls made. I pay $3 a month for the detail to be sent to me.
It shows which of my phones I made the call on, the number, band, date, time, and number of minutes. I think you can even order these after the fact.

--
Kevin Mitchell -- kam@chinet.chi.il.us -- Chicago, IL

------------------------------

Date: Thu, 3 Dec 92 13:35:41 EST
From: "John DiLeo, CSB"
Subject: Correcting Credit Reports

In Issue #105, Allen Warren writes:

>Amen to that! 2.5 years ago, my wife and I bought our first house.
>I had 3 reported delinquencies of less than $100 each which were reported
>to the credit bureau as being over 30 days late. 2 of them I had never
>known about until the credit report. Still, I had to take care of each
>one both by paying them off AND providing letters of explanation to the
>lending institution which eventually gave me the loan.

Keep in mind that paying an account off DOES NOT necessarily discontinue the reporting of that account. Three years ago, I went through Bankruptcy proceedings. Six months prior to filing, I had managed to pay off several accounts, two of which had already been "charged off" (declared uncollectable and claimed on their "uncollectables" insurance; yes, creditors ARE insured against uncollectables, that's part of what your interest pays for). The two accounts are still being reported EVERY MONTH as charged off, despite having been paid in full.

Also, several accounts which were discharged under my Bankruptcy are still being reported every month with their last status prior to my discharge. Since accounts remain on your record for seven years from the last report date (not the last ACTIVITY date, which would make sense), these items will remain on my record indefinitely without expensive, time-consuming legal action from me (continuing to report the account is harassment and contempt of court, but I have to SUE them, or at least convincingly threaten to do so, to make them stop).
Many creditors--most notably Sears--insist that the reporting cannot be stopped, because "the computer does it automatically each month."

While my situation certainly applies to less than 1% of this readership, one should always keep in mind that logic DOES NOT APPLY to credit reports, and it's always "the computer's" fault. I responded to this particular message because most of my problems came to light when I bought a home last year. The explanation package I had to provide was over 60 pages.

The basic heuristic which applies is:

1. Anything reported to a credit bureau, by any means, is added to the person's record.

2. If the person complains that an entry is incorrect, ask the creditor. If the creditor confirms the entry, IT IS TRUE. If the creditor admits that the entry is incorrect, remove it/change it. The person may enter an explanation regarding his disagreement with the creditor, but give no assurance that it will remain in place.

3. If the same creditor later provides the same incorrect information, put it back on the report, because IT MUST BE TRUE.

To summarize: If the creditor says it, ASSUME IT IS TRUE; if the debtor says it, ASSUME IT IS NOT TRUE.

Flawlessly logical, right? 8-(

--John DiLeo dileo@brl.mil

------------------------------

Date: Thu, 3 Dec 92 13:36:25 EST
From: "John DiLeo, CSB"
Subject: Radar Detector Prohibitions

In Issue #105, Paul Olson writes:

>Yea, radar detectors are illegal in VA. In fact, only VA and DC ban radar
>detectors. Personally, I wouldn't live in a state which says I can't own a
>radio receiver, not to mention that it's overbuilt, over crowded and you can't
>get anywhere on a Saturday because of traffic. If you're going to be working
>in DC, I'd look into moving to Maryland. But that's just my opinion.

Actually, I'm not so sure about DC.
However, radar detectors are illegal in Connecticut, and the presence of one in the passenger compartment of a vehicle (including under the seat, unplugged) can (or at least once did) carry a pretty hefty penalty. If one was permanently installed in another state (the variety where the transceiver is behind the grill, and the control unit is in the dash) you could only be ticketed if they believed it was operating.

--John DiLeo dileo@brl.mil

------------------------------

Date: Thu, 3 Dec 92 13:38:11 EST
From: "John DiLeo, CSB"
Subject: PBX call records

In Issue #105, Eric Hunt writes:

>I know firsthand that the company I work for had to get a court order before
>they could unseal the call records from our internal PBX to find out what
>local numbers an employee had been calling. Long Distance numbers were no
>problem, but we couldn't touch the local records without court approval. And
>this is on our own PBX!

I believe this applies only to the records collected by the phone company. If your employer installs its own SMDR, they can do whatever they want with the records. Here at Aberdeen Proving Ground, the SMDR records (for calls to any point outside the installation) are sent to our Division Chiefs for their review, and possible punitive action, depending on their opinion of your phone use.

Now, it may be that the Army can do this because we are advised that ALL phone use is subject to monitoring AT ALL TIMES. We have been pre-warned that we may assume no privacy with regard to phone use.

--John DiLeo dileo@brl.mil

------------------------------

End of Computer Privacy Digest V1 #107
******************************