Date: Thu, 17 Dec 92 17:12:12 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V1#113 Computer Privacy Digest Thu, 17 Dec 92 Volume 1 : Issue: 113 Today's Topics: Moderator: Dennis G. Rears Los Angeles Marathon and SSN Re: Digital Licenses in NY State Re: Digital Licenses in NY State re: Digital licenses in NY state Re: Digital Licenses in NY State Re: Digital Licenses in NY State Blockbuster Video Credit denies millionaire due to credit report DOJ Authorizes Keystroke Mo (really DOJ asks consent..) The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- Date: Wed, 9 Dec 92 14:25:39 EST Newsgroups: rec.running,comps.society.privacy From: "Dennis G. Rears " Subject: Los Angeles Marathon and SSN After running my 5th New York City marathon, I decided it was time to run a different one. I decided on the Los Angeles marathon on March 7th. I started filling out the application and was shocked to see that they wanted social security numbers. Furthermore it states that all information must be provided or the apllication would not be accepted. Why in the world do they want or need SSN? I can understand birthdate, occupation, and TAC number but SSN? While they do offer prize money; there is no way I can qualify as 3:30 marathoner. BTW, I did call the LA marathon office and the guy who answered the phone had no idea why they wanted it. He did say they would still process my application without it. dennis ------------------------------ Date: Thu, 10 Dec 92 09:05:09 PST From: Brian Bousman Subject: Re: Digital Licenses in NY State Organization: Rockwell International, Seal Beach, CA In article , "Roy M. Silvernail" writes: |>nicmad!madnix!zaphod%astroatc.UUCP@cs.wisc.edu (Ron Bean) writes: |> |>> As long as you're not trying to defraud anyone, it's still a |>> valid signature. Since other organizations (such as UPS) are |>> digitising signatures, a better strategy might be to get in the |>> habit of *dating* everything you sign (although the date could |>> still be cut off or altered). |> |>When UPS started that, everybody in my office refused to sign it except |>the boss. He didn't really understand our reservations, but was |>temporarily willing to sign all packages in. Eventually, practicality |>and business sense won out over principle, and we all do something to |>the pad. I elected to print my name. |> It seems to me that if you are worried about your signature being digitized and used for other purposes then you cannot sign *anything* because all it takes is a scanner to get it from a paper version of your signature. ------------- Brian Bousman | Rockwell International bbousman@zeus.muse.rockwell.com | Space Systems Division (310) 797-4745 | Seal Beach, CA --------------------------------------------------------- Of course I don't speak for my company. If I did that they'd have to pay me a lot more money. ------------------------------ From: Mike Brokowski Subject: Re: Digital Licenses in NY State Organization: Northwestern University, Evanston Illinois. Date: Thu, 10 Dec 1992 18:00:14 GMT In article Mike McNally writes: >In article Mike Johnston writes: >> >>Today's (12/3/92) New York Times carried a small article in the Metro >>section describing NY's new licenses. In a nutshell, drivers will >>have *both* their pictures and signatures digitally stored on the >>state's computers. This makes me nervous. > >[...] > >>My biggest problem is this: I don't want my picture and signature >>digitally stored on NY's computers, where it can easily be transmitted >>to anyone the state deem's fit to receive it. This could include >>the Federal Government, other State's and various agencies within >>our own state. I won't even get into the ramifications of having >>my SIGNATURE stored where someone can replicate it, perfectly, every >>time they need to. >> >>It seems the privacy issues here have either been ignored or swept >>under the carpet. > >It seems to me that elementary logic has either been ignored or swept >under the carpet.. The very interesting thing about this post is that >while I'm sure the author earnestly believes this is a privacy issue, >his privacy is not in any significantly greater jeopardy because the >stroage media employed by the NY state DMV has changed. The real issue >is paranoia towards digital technology and its applications. Unless >the author earnestly believes that photocopies and fascimiles of his >motor vehicle permit cannot now be easily transmitted to "the Federal >Government, other State's and various agencies within [his] own state," I >I fail to see how digital storage of information that is already kept >throws his personal privacy into serious danger. Perhaps a re-read of MJ's post is in order then. Nobody argues that without digitized signatures fraud would be impossible. The major, IMO, distinction due to the "storage media" is that the fraud has been transformed from a somewhat difficult to automate, effortsome process to an easily automated one. There will always be some way to get a clerk at the DMV to release information which ought likely not be released, but now it can be done precisely and potentially with even more anonymity than before. On top of this lies the beaurocratic tendency to send as much information as conveiniently possible whenever any information is requested. One's signature could be transferred along with some driving record information to anyone who cares to call himself an insurance company. Even if the request is legitimate, people tend to store all of the information sent to them, so the signature will be sitting in the same file as everything else even if it was never wanted. Frankly, since the digitized version would be both easier to get and more accurate (no losses from multiple photocopying) than both photocopies or facsimiles, I cannot see how anyone could doubt that such a move poses a threat to privacy. ------------------------------ Date: Thu, 10 Dec 92 15:17:23 PST From: Phydeaux Subject: re: Digital licenses in NY state > A colleague of mine recently went home to find the county sheriff waiting >to talk to him about some recent burglaries. Seems they had a tire iron >with his fingerprints all over it at the scene of one of the crimes. Lucky >for him he had a nice airtight alibi. This is a guy whose only crime to >date has been an occasional speeding ticket. Oh yes, how did they know they >were his prints? He's got one of those nice jobs in the defence industry >where they interview everyone you've ever known, done credit and police >checks on you from everywhere imaginable, strap you to a polygraph (i.e., >a "lie detector" for the uninitiated), and fingerprint you. And imagine >how nice it will be when the FBI has all those fingerprint cards digitized >and accessible to even the most remote law enforcement agency (right from >the squad car with live scanning technology) in seconds. Sound far fetched? >Naw, it's from the specifications from the National Crime Information Center Yea ... back when I was about 7 I remember as a class trip we visited the local police station ... I don't remember why, but I seem to recall that they fingerprinted us. This was long before the days when they fingerprinted kids regularly as a "security" measure... I wonder where the fingerprints ended up... reb -- *-=#= Phydeaux =#=-* reb@ingres.com or reb%ingres.com@lll-winken.llnl.GOV ICBM: 41.55N 87.40W h:828 South May Street Chicago, IL 60607 312-733-3090 w:reb Ingres 10255 West Higgins Road Suite 500 Rosemont, IL 60018 708-803-9500 ============================================================================== "You've got to know when to code 'em, know when to load 'em, know when to emulate, know when to run. You never count your money, when your sittin' at the keyboard: there'll be time enough for countin', when the software's done." ------------------------------ From: Christopher R Volpe Subject: Re: Digital Licenses in NY State Date: 11 Dec 92 01:41:18 GMT Reply-To: volpe@ausable.crd.ge.com Organization: GE Corporate Research & Development In article , "Roy M. Silvernail" writes: |> |> When UPS started that, everybody in my office refused to sign it except |> the boss. He didn't really understand our reservations, but was |> temporarily willing to sign all packages in. Eventually, practicality |> and business sense won out over principle, and we all do something to |> the pad. I elected to print my name. |> |> What really bothered me was UPS's attitude when they first introduced |> this marvelous new gadget. They couldn't believe anyone had _any_ |> reason to be concerned. None of the PR droids I spoke with had the |> first idea about technological privacy risks, and one chose to interpret |> my concern as an accusation. Unfortunately, the only way to make some |> people understand a risk is to present an exagerated example... it |> really upset this guy. Why is this new gadget any more dangerous than the status quo? Anyone can digitize a signature from paper using your average image scanner. -Chris -- ================== Chris Volpe G.E. Corporate R&D volpecr@crd.ge.com ------------------------------ From: James Hess Subject: Re: Digital Licenses in NY State Organization: University of California, Irvine Date: 16 Dec 92 17:17:26 GMT In article Mitch Collinsworth writes: >But then a few days later I walked into the polling place for the >primary election and was presented with a new form of sign-in book in >which I was instructed to sign below my name. The book was clearly the >output of a laser printer. My name appeared twice, once in type and >once in a pixel reproduction of my signature. I decided it was already >too late... > > >Needless to say, I voted for the candidate who said we need to reduce >government rather than the one who wanted to expand it. > Not to question your politics, but remember that Bush was director of the CIA, which is not noted for its concerns for privacy or legality. Ask yourself, which parts of government did he propose to reduce or expand? Of course, if you run the country off the books, through Ollie North, you can reduce the visible government... ;-) -Jim- ------------------------------ Date: Friday, 11 Dec 1992 10:51:34 EST From: Jerry Bryan Subject: Blockbuster Video I think this has been discussed before, but I have only been on the list a short time. So.... I just had my first encounter with Blockbuster Video. They wanted my driver's license number, my SSN, a credit card number, where I worked, and my boss's name. I balked on the SSN, they would not give in, and I walked out. What has been the previous discussion about Blockbuster? Would they call my boss and tell on me if I was late with a tape? ------------------------------ From: James Davies Subject: Credit denies millionaire due to credit report Organization: Cray Computer Corporation Date: Fri, 11 Dec 92 22:04:49 GMT (from an AP wire service story, seen in the Rocky Mountain News 12/11/92) Jim Clayton, a "mobile home magnate" from Tennessee with a reported net worth of $265 million, was recently rejected for a VISA card by the American Association of Retired Persons. The reason for the rejection was that there had been frequent requests for his credit report. Firms that do business with his company often get credit reports on top officers. (Business is apparently quite good. :-). After being informed of this, AARP manually intervened to issue him a card. AARP spokesman Ted Bobrow said "One of the important things this points out is that any consumer who is turned down for credit needs to find out why. It could very well be a mistake." Apparently AARP didn't learn anything from this. Jim Davies jrbd@craycos.com ------------------------------ Date: Sat, 12 Dec 1992 02:54:21 +0200 From: Jyrki Kuoppala Subject: DOJ Authorizes Keystroke Mo (really DOJ asks consent..) Organization: Helsinki University of Technology, Finland. In article , Dave Banisar DOJ Authorizes Keystroke Monitoring >Subject: DOJ Authorizes Keystroke Monitoring This headline seems somewhat misleading (except if DOJ has previously recommended against monitoring). Actually U.S. Dept of justi(n)c(as)e and CERT are recommending system administrators to post login banners to get consent for monitoring from users. I don't think the biggest problem here is keystroke monitoring per se, and I can think of situations where monitoring would be appropriate and an OK thing to do. For example, I think monitoring an intruder using an account is OK with permission from the person who is the real account holder. Perhaps also in some very safety-critical, security-critical or privacy-critical environments. But what I very seriously dislike and think is Orwellian is this as part of the recommended login banner: " Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials." Basically, the message is announcing "we have the power to watch everything you do and we will use that power whenever we like and will report any wrongdoings to the Big Brother", and DOJ and CERT are suggesting that everyone put that message as their login banner. If I got this right, this means that the login banner causes acceptance of monitoring keystrokes (and possibly other monitoring) no matter whether the use is authorized or not. I think this is an unacceptable loss of privacy for all the users - it seems the users lose all claims for privacy by using the system. This opens the system for routine surveillance of every action by every user. If the system admin feels like scanning the mail of every user, the user has no recourse, no way to stop it. CERT says that it is a simple matter of pointing out a problem with the U.S. law. The law recognizes a fundamental right, the right to privacy. This is not a bug of the law, it's a feature. I agree that it is a reasonable goal and a good tool to be able to legally monitor intruders, but the "bug fix" CERT and the U.S. justice department are proposing is much worse than the problem itself. Also, I agree it is a good idea to publish a policy of how far privacy extends and how and when it may be violated - but this is not a message publishing a policy, this is a message to get "consent" for any kind of monitoring from every user of the system. The paranoid minds might say the announcement is clearly aimed expressly for the purpose of making routine surveillance legal and all the talk about intruders is just smoke and mirrors. I will refrain from claiming that. But it doesn't really matter - the end result is the same in any case. //Jyrki ------------------------------ End of Computer Privacy Digest V1 #113 ******************************