Date: Thu, 10 Dec 92 09:40:25 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V1#111 Computer Privacy Digest Thu, 10 Dec 92 Volume 1 : Issue: 111 Today's Topics: Moderator: Dennis G. Rears Re: SSNs as IDs Re: SSN Re: SSN DOJ Authorizes Keystroke Mo Re: Digital Licenses in NY State Re: Digital Licenses in NY State Re: Digital Licenses in NY State Re: Digital Licenses in NY State The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- Date: Tue, 8 Dec 1992 8:18:11 -0500 (EST) From: "Dave Niebuhr, BNL CCD, 516-282-3093" Subject: Re: SSNs as IDs My employer has a nice way of assigning employee IDs. Start with 00001 and end with 99999 for permanent and temporary employees and it is called a life number. The number is issued sequentially for each new employee and stays with that person even if he/she leaves and returns. All others: retirees if consulting, contractors, collaborators, students, etc, are issued an ID consisting of the first letter of their last name followed by four digits issued sequentially. After almost 28 years on the job, I've never seen a guest ID above the low 6,000s. The medical insurance ID that I have is issued via a six-digit number with two numbers following to indicate the dependent. Retirement is based on the plan's numbering scheme (no SSN needed except for IRS and Social Security issues); the dental plan is the only one that has to be changed and is getting quite difficult even after I've gone over the issues with the personnel section quite a few times. Dave Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093 ------------------------------ Date: Tue, 8 Dec 92 18:34 PST From: John Higdon Organization: Green Hills and Cows Subject: Re: SSN "BLACKMAN, EDWARD B" writes: > >[Moderator's Note: It is the phone company's number. They can take it > >away from you and give you another number. ._dennis ] > > Only because we allow them to. Local carriers (the ones that assign your > number) are regulated monopolies. If the entity in charge of regulating > the telcos took away the power to reassign numbers, there isn't a thing > they could do about it. Oh, so naive. Ninety-nine percent of the practices and regulations in any given PUC's books are written by the regulated utilities themselves. The PUC commissioners are a bunch of ignorant hacks who probably have difficulty dialing a telephone, much less regulating a telephone company. For that reason, most of the real action is accomplished by advisors, boards, engineers, and (unfortunately) judges, who are themselves hopeless ignoramuses. Within a broad framework, these people ensure that all regulation conforms to the regulated entities' wishes and best interest. Side note: I once recounted on Telecom Digest an instance where the CPUC approved a tariff for a long distance company without even reading it for factual errors. That tariff is currently under challenge. Your telephone number is a technical expediency to provide a machine-readable ID for each subscriber. Area codes, prefixes, and (at least in recent past) the last four digits are created and assigned out of technical considerations. In the days of SXS, there were heavy constraints on the assignment of numbers, even within a prefix. At any time it considers it expedient, the telco can rearrange numbers in any manner it deems necessary to provide proper service. Granted, this is rarely done, but it does remain within the telco's purview as a technical consideration. Therefore, you can kiss 'goodbye' any romantic notions or attachments regarding your telephone number. And you can also forget about "forcing" the telco's to operate in any other fashion with the power of regulation. -- John Higdon | P. O. Box 7648 | +1 408 264 4115 | FAX: john@ati.com | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407 ------------------------------ From: "david.g.lewis" Subject: Re: SSN Organization: AT&T Date: Wed, 9 Dec 1992 16:31:41 GMT In article "BLACKMAN, EDWARD B" writes: >> I don't think the telephone company "owns" your phone number. > >>[Moderator's Note: It is the phone company's number. They can take it >>away from you and give you another number. ._dennis ] > >Only because we allow them to. Local carriers (the ones that assign your >number) are regulated monopolies. If the entity in charge of regulating >the telcos took away the power to reassign numbers, there isn't a thing >they could do about it. The Georgia PUC has done just that on a limited basis in the 404 NPA split. Although it's not what people typically think of as "reassigning numbers", an NPA split does just that. The Georgia PUC has countermanded part of the 404 NPA split, mandating that somewhere on the order of 200 CO codes that BellSouth and Bellcore, as NANP Administrator, had planned to move into the new North GA NPA (810?) should instead remain in 404. Of course, this royally screws up the plans to alleviate CO code exhaust in the Atlanta metro area which the NPA, the whole reason for the NPA split, increasing the likelihood that another NPA split will be needed in the near future, but hey, why should technical planning interfere with politics? ------------------------------ Organization: CPSR, Washington Office From: Dave Banisar Date: Tue, 8 Dec 1992 9:29:57 EDT Subject: DOJ Authorizes Keystroke Mo DOJ Authorizes Keystroke Monitoring Subject: DOJ Authorizes Keystroke Monitoring CA-92:19 CERT Advisory December 7, 1992 Keystroke Logging Banner ----------------------------------------------------------------- The CERT Coordination Center has received information from the United States Department of Justice, General Litigation and Legal Advice Section, Criminal Division, regarding keystroke monitoring by computer systems administrators, as a method of protecting computer systems from unauthorized access. The information that follows is based on the Justice Department's advice to all federal agencies. CERT strongly suggests adding a notice banner such as the one included below to all systems. Sites not covered by U.S. law should consult their legal counsel. ------------------------------------------------------------------ The legality of such monitoring is governed by 18 U.S.C. section 2510 et seq. That statute was last amended in 1986, years before the words "virus" and "worm" became part of our everyday vocabulary. Therefore, not surprisingly, the statute does not directly address the propriety of keystroke monitoring by system administrators. Attorneys for the Department have engaged in a review of the statute and its legislative history. We believe that such keystroke monitoring of intruders may be defensible under the statute. However, the statute does not expressly authorize such monitoring. Moreover, no court has yet had an opportunity to rule on this issue. If the courts were to decide that such monitoring is improper, it would potentially give rise to both criminal and civil liability for system administrators. Therefore, absent clear guidance from the courts, we believe it is advisable for system administrators who will be engaged in such monitoring to give notice to those who would be subject to monitoring that, by using the system, they are expressly consenting to such monitoring. Since it is important that unauthorized intruders be given notice, some form of banner notice at the time of signing on to the system is required. Simply providing written notice in advance to only authorized users will not be sufficient to place outside hackers on notice. An agency's banner should give clear and unequivocal notice to intruders that by signing onto the system they are expressly consenting to such monitoring. The banner should also indicate to authorized users that they may be monitored during the effort to monitor the intruder (e.g., if a hacker is downloading a user's file, keystroke monitoring will intercept both the hacker's download command and the authorized user's file). We also understand that system administrators may in some cases monitor authorized users in the course of routine system maintenance. If this is the case, the banner should indicate this fact. An example of an appropriate banner might be as follows: This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. ------------------------------------------------------------------- Each site using this suggested banner should tailor it to their precise needs. Any questions should be directed to your organization's legal counsel. -------------------------------------------------------------------- The CERT Coordination Center wishes to thank Robert S. Mueller, III, Scott Charney and Marty Stansell-Gamm from the United States Department of Justice for their help in preparing this Advisory. --------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in FIRST (Forum of Incident Response and Security Teams). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4), on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 ------------------------------ From: Mike Johnston Subject: Re: Digital Licenses in NY State Organization: Lehman Brothers Date: Tue, 8 Dec 1992 15:47:25 GMT Apparently-To: uunet!comp-society-privacy In article Mike McNally writes: >My biggest problem is this: I don't want my picture and signature >digitally stored on NY's computers, where it can easily be transmitted >to anyone the state deem's fit to receive it. This could include >the Federal Government, other State's and various agencies within >our own state. I won't even get into the ramifications of having >my SIGNATURE stored where someone can replicate it, perfectly, every >time they need to. > >It seems the privacy issues here have either been ignored or swept >under the carpet. It seems to me that elementary logic has either been ignored or swept under the carpet.. The very interesting thing about this post is that while I'm sure the author earnestly believes this is a privacy issue, his privacy is not in any significantly greater jeopardy because the stroage media employed by the NY state DMV has changed. The real issue is paranoia towards digital technology and its applications. Unless the author earnestly believes that photocopies and fascimiles of his motor vehicle permit cannot now be easily transmitted to "the Federal Government, other State's and various agencies within [his] own state," I I fail to see how digital storage of information that is already kept throws his personal privacy into serious danger. This line of reasoning relies upon the supposed 'fact' that the government is the friendly, benign institution that some would like us to think it is. It is not and never has been, but, then, this depends upon which side of the political fence you sit. I reject any charges of 'paranoia' based upon my opinions. I've been active in the computer industry for 15 years and have served in a variety of capacities both hardware and software related. I understand quite well the uses and abuses possible with modern computing machinery. Technologists who see the world through rose colored glasses and reject criticism of their technology out-of-hand are the ones that are likely to be bit first if ever any biting is done. Time will tell. I continue to maintain that privacy issues are not given the attention they currently deserve. Hopefully this will change in the near-term future. Meanwhile, I predict we will see more and more cases of the abuse of information technology, along with the gradual increase in public awareness that it merits. MJ -- Michael R. Johnston, System Administrator mjohnsto@shearson.com "The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man." - G.B. Shaw ------------------------------ From: mccann@Eng.Sun.COM (Hoops McCann) Subject: Re: Digital Licenses in NY State Date: 8 Dec 92 13:45:11 Organization: SunConnect - A Sun Microsystems Business In article shearson!jenny!mjohnsto@uunet.uu.net (Mike Johnston) wrote: > > Today's (12/3/92) New York Times carried a small article in the Metro > section describing NY's new licenses. In a nutshell, drivers will > have *both* their pictures and signatures digitally stored on the > state's computers. This makes me nervous. > > The reasons given are 'easier storage and retrieval and will result in > more secure and higher-quality licenses and ID's'. Also noted is that > duplicate licenses will be available within three weeks WITHOUT visiting > the DMV. This is probably the hardest part of all to believe, as anyone > who's ever tried to get ANYTHING from Motor Vehicles will attest. I haven't felt the need for higher quality ID. But I can see another, unstated, use for digitally encoded signatures: Easier government fraud. For example, consider my experience. Last year I was assessed ~$2,000 for back taxes. Taxes which had been deducted from my wages, but weren't paid to the IRS by my employer. The IRS, unable to get the money from my previous employer simply assessed me again for it. I contested it and had it sent to "Tax court". That court determined that I really didn't owe anything. That was fine until the IRS seized by bank account. When I demanded why, they produced a document stating that I agreed to the assessment of ~$2,000 with my signature. Except it really wasn't my signature. It was sort of like my signature, but the letters were wrong. Whoever signed it for me had actually mispelled my name. For those of you who want to know what I did about it, I did nothing. I contacted several lawyers, one of which put it to me bluntly. It would cost me alot more than $2,000 to take it to court. The IRS has no one who can be held accountable, so a criminal complaint is futile. Pay the $2k and consider it the price of living in the US. So you see, a digital signature would help remove the human-error in document forgery, and lessen the potential chagrin of those agents of government tasked with ensuring you comply through whatever means necessary. Documents can be printed with your signature already on them for your convenience. ------------------------------ From: Steve Johnson Subject: Re: Digital Licenses in NY State Organization: TRW Systems Division, Fairfax VA Date: Tue, 8 Dec 1992 23:20:05 GMT Mike McNally writes: [...] >>Today's (12/3/92) New York Times carried a small article in the Metro >>section describing NY's new licenses. In a nutshell, drivers will >>have *both* their pictures and signatures digitally stored on the >>state's computers. This makes me nervous. >[...] >It seems to me that elementary logic has either been ignored or swept >under the carpet.. The very interesting thing about this post is that >while I'm sure the author earnestly believes this is a privacy issue, >his privacy is not in any significantly greater jeopardy because the >stroage media employed by the NY state DMV has changed. The real issue >is paranoia towards digital technology and its applications. Unless >the author earnestly believes that photocopies and fascimiles of his >motor vehicle permit cannot now be easily transmitted to "the Federal >Government, other State's and various agencies within [his] own state," I >I fail to see how digital storage of information that is already kept >throws his personal privacy into serious danger. > -mcnally. A colleague of mine recently went home to find the county sheriff waiting to talk to him about some recent burglaries. Seems they had a tire iron with his fingerprints all over it at the scene of one of the crimes. Lucky for him he had a nice airtight alibi. This is a guy whose only crime to date has been an occasional speeding ticket. Oh yes, how did they know they were his prints? He's got one of those nice jobs in the defence industry where they interview everyone you've ever known, done credit and police checks on you from everywhere imaginable, strap you to a polygraph (i.e., a "lie detector" for the uninitiated), and fingerprint you. And imagine how nice it will be when the FBI has all those fingerprint cards digitized and accessible to even the most remote law enforcement agency (right from the squad car with live scanning technology) in seconds. Sound far fetched? Naw, it's from the specifications from the National Crime Information Center (NCIC) 2000 RFP and the Integrated Automated Fingerprint Identification System (IAFIS) RFP. The moral of this story: if you are ever robbed of any posession (like the tire iron he had) or ever touch anything be sure to tell the police or have a good alibi. It get's just a little scary to think how things could have turned out if he hadn't been at home with his wife and kids that night and hadn't reported the breakin of his truck earlier. Now even good guys need to worry. ------- Any views expressed are those of myself and not my employer. -------- Steven C. Johnson, WB3IRU / VK2GDS | TRW | johnson@trwacs.fp.trw.com FP1 / 3133 | [129.193.172.90] 1 Federal Systems Park Drive | Phone: +1 (703) 968.1000 Fairfax, Virginia 22033-4412 U.S.A. | Fax: +1 (703) 803.5189 -- ------------------------------ Subject: Re: Digital Licenses in NY State From: "Roy M. Silvernail" Date: Wed, 09 Dec 92 20:09:36 CST Organization: Villa CyberSpace, Minneapolis, MN nicmad!madnix!zaphod%astroatc.UUCP@cs.wisc.edu (Ron Bean) writes: > As long as you're not trying to defraud anyone, it's still a > valid signature. Since other organizations (such as UPS) are > digitising signatures, a better strategy might be to get in the > habit of *dating* everything you sign (although the date could > still be cut off or altered). When UPS started that, everybody in my office refused to sign it except the boss. He didn't really understand our reservations, but was temporarily willing to sign all packages in. Eventually, practicality and business sense won out over principle, and we all do something to the pad. I elected to print my name. What really bothered me was UPS's attitude when they first introduced this marvelous new gadget. They couldn't believe anyone had _any_ reason to be concerned. None of the PR droids I spoke with had the first idea about technological privacy risks, and one chose to interpret my concern as an accusation. Unfortunately, the only way to make some people understand a risk is to present an exagerated example... it really upset this guy. At the same time, they also got really upset with our suggestions; signing a different name, a nickname, or printing manuscript characters. None of these, they claimed, was a signature. As you might expect, UPS has conveniently forgotten that they demanded I _sign_ the pad. I print, he accepts it and we go on about our work. So far, nobody's clipboard has been hijacked and I haven't seen my purloined siggie attached to any incriminating faxes. Perhaps the risks were overstated in the beginning. But UPS hasn't started dumping the clipboards' contents by radio, yet. Wonder if they're familiar with the terms 'encryption' and 'scanner'? -- Roy M. Silvernail -- roy%cybrspc@cs.umn.edu - OR- cybrspc!roy@cs.umn.edu "I like Santa Claus as well as the next guy, but do you really want a hard drive that's spent 6000 miles at the bottom of a canvas sack in a wooden sleigh powered by airborne reindeer?" -- me ------------------------------ End of Computer Privacy Digest V1 #111 ******************************