Date: Tue, 27 Apr 93 17:03:28 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#038

Computer Privacy Digest Tue, 27 Apr 93    Volume 2 : Issue: 038

Today's Topics:
    Moderator: Dennis G. Rears

    New Disclosures in 2600 Cas
    SSN for Health Identifier
    Clipper Chip
    Re: electronic mail privacy
    Re: SSN
    Clipper Chip
    Re: SSN on college applications?
    Re: Credit card application
    Re: Credit card application

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

Organization: CPSR Civil Liberties and Computing Project
From: Dave Banisar
Date: Sun, 25 Apr 1993 9:43:32 EST
Subject: New Disclosures in 2600 Cas

New Disclosures in 2600 Case

As you may recall, last November at a shopping mall outside of Washington, DC, a group of people affiliated with the computer magazine "2600" was confronted by mall security personnel, local police officers and several unidentified individuals. The group members were ordered to identify themselves and to submit to searches of their personal property. Their names were recorded by mall security personnel and some of their property was confiscated. However, no charges were ever brought against any of the individuals at the meeting.

Computer Professionals for Social Responsibility ("CPSR") filed suit under the Freedom of Information Act and today received the Secret Service's response to the FOIA lawsuit, in which we are seeking agency records concerning the break-up of the meeting.
I think it's safe to say that our suspicions have now been confirmed -- the Secret Service *did* obtain a list of names from mall security identifying the people in attendance at the meeting.

There are three main points contained in the Secret Service's court papers that are significant:

1) The agency states that the information it possesses concerning the incident was obtained "in the course of a criminal investigation that is being conducted pursuant to the Secret Service's authority to investigate access device and computer fraud."

2) The agency possesses two relevant documents and the information in those documents "consists solely of information identifying individuals."

3) The information was obtained from a "confidential source," and the agency emphasizes that the FOIA's definition of such a source includes "any private institution which provided information on a confidential basis."

Taken together, these facts seem to prove that the Secret Service wanted names, they had the mall security people collect them, and they came away from the incident with the list they wanted.

The agency asserts that "[t]he premature release of the identities of the individual(s) at issue could easily result in interference to the Secret Service's investigation by alerting these individual(s) that they are under investigation and thus allowing the individual(s) to alter their behavior and/or evidence."

CPSR, in conjunction with EFF and the ACLU, is planning to challenge the actions of the mall security personnel, the local police and the Secret Service on the ground that the incident amounted to a warrantless search and seizure conducted at the behest of the Secret Service.

David Sobel
CPSR Legal Counsel
dsobel@washofc.cpsr.org

------------------------------

Date: Sun, 25 Apr 93 11:27:21 MDT
From: "Kevin S. McCurley"
Subject: SSN for Health Identifier

I just returned from the 9th annual Conference on Computerized Medical Records, and discovered that the President's task force on Health Care Reform is very likely to adopt the Social Security Number (SSN) as a patient identifier for electronic medical records. The Computer-based Patient Record Institute (CPRI) and others are apparently in substantial agreement with this, so that it now appears there is very little political will to fight it.

I believe strongly that this is a mistake. I am aware of several potential problems in using this as a standard, but I am interested in soliciting further comments on this subject. I am particularly interested in potential threats from the private sector rather than the government, since I think that they carry more political weight and I have less documentation for them. Some problems I foresee:

1. the government may use it as a means of tracking down tax dodgers, illegal aliens, deadbeat dads, delinquent student loans, etc, discouraging these people from seeking appropriate health care.
2. many people have multiple SSNs,
3. a large group of people (in excess of 10,000 I am told) all use the same SSN (it was printed in a certain brand of wallet as a sample!),
4. It is tied to credit reports,
5. it is available to issuers of credit cards,
6. it does not cover legitimate foreign visitors to our country,
7. it is printed on driver's licenses in most states, making it difficult to protect from unauthorized linkage to virtually every other identification encounter.

If you have comments on these or other potential problems, please send them to mccurley@cs.sandia.gov, and use the string "SSN" in the subject line. I am desperately seeking documented evidence rather than anecdotal evidence. Any references to specific cases are greatly appreciated.

Kevin S. McCurley
Sandia National Laboratories

------------------------------

Date: Sun, 25 Apr 93 18:17:58 -0700
From: "Glenn S. Tenney"
Subject: Clipper Chip

I received a fax of a letter from Representative Markey (Subcommittee on Telecommunications and Finance) to Ron Brown (Secretary of Commerce). Since encryption and the Clipper chip are raised in this letter, I felt it would be of interest to you. I understand that on 29 April, Mr. Markey will be holding a hearing on the questions raised in this letter. There may also be a follow-on hearing dedicated to the clipper chip, but that's not definite.

I'm sending this to a few people (via BCC) and to a few mailing lists (listed in the TO line) related to privacy, encryption, clipper chip, etc. I'll also be posting this to the sci.crypt and alt.clipper newsgroups. Because of the traffic on some of the mailing lists, if you have a comment for me you should email directly to me.

I've typed in the letter, which follows. Any errors in transcription are mine...

---
Glenn Tenney
tenney@netcom.com
Amateur radio: AA6ER
Voice: (415) 574-3420
Fax: (415) 574-0546

------------------ letter of interest follows ----------------

April 19, 1993

The Honorable Ronald H. Brown
Secretary
Department of Commerce
14th and Pennsylvania Ave., NW
Washington, DC 20236

Dear Secretary Brown:

As you know, I have long been interested in the privacy and security of telecommunications transmissions and data in a networked environment. Recent reports concerning the Administration's endorsement of an electronic encryption standard, based upon "clipper chip" technology, have raised a number of related issues. The international competitiveness of U.S. high tech manufacturers and the software industry is a key factor that the government should consider when addressing issues of encryption and data security.

As the nation moves forward in developing the national communications and information infrastructure, security of telecommunications transmissions and network data will be an increasingly important factor for protecting the privacy of users.
The "hacker" community can compromise the integrity of telecommunications transmissions and databases linked by the network. The people and businesses that use the nation's telecommunications network and the personal computers linked through it increasingly are demanding that information be protected against unauthorized access, alteration, and theft.

I am concerned that the Administration's plan may mean that to remain competitive internationally, U.S. companies would be compelled to develop two products -- one for U.S. government customers, and another for private, commercial users who may want a higher encryption standard. This may inadvertently increase costs to those U.S. companies hoping to serve both markets.

To assist the Subcommittee's analysis of this issue, please respond to the following questions:

1. Has the encryption algorithm or standard endorsed by the Administration been tested by any entity other than NSA, NIST or the vendor? If so, please identify such entities and the nature of testing performed. If not, please describe any plans to have the algorithm tested by outside experts and how such experts will be chosen.

2. Under the Administration's plan, what entities will be the holders of the "keys" to decrypt scrambled data? What procedures or criteria will the Administration utilize to designate such key holders?

3. Does the encryption algorithm endorsed by the Administration contain a "trap door" or "back door," which could allow an agency or entity of the Federal government to crack the code?

4. It is clear that over time, changes in technologies used for communications will require new techniques and additional equipment. How will encryption devices adapt to the rapid advancement of telecommunications technology?

5. What additional costs would the proposed encryption place on the Federal government? What is the estimated cost to consumers and businesses which opt for the federal standard in their equipment?

6. What is the Commerce Department's assessment of the competitive impact of the Administration's endorsement of the "clipper chip" technology on U.S. exports of computer and telecommunications hardware and software products?

I would appreciate your response by no later than close-of-business, Wednesday, April 28, 1993. If you have any questions, please have your staff contact Colin Crowell or Karen Colannino of the Subcommittee staff at (202) 226-2424.

Sincerely,

Edward J. Markey
Chairman

###

------------------------------

From: "Paul J. Bell"
Subject: Re: electronic mail privacy
Organization: The 23K Group, Inc.
Date: Sun, 25 Apr 1993 18:41:39 GMT

In article , Erini Doss writes:
|> I need to find out any information possible about
|> electronic mail at the workplace. For example, when
|> a person writes for social reasons, does his manager
|> have the right to read it anytime? Is the employee's
|> e-mail considered company property or is it considered
|> the employee's? Is there anything that the company
|> considers not theirs or is it considered theirs as
|> long as the person is doing it during work hours?
|> What about during lunch breaks? What about
|> superusers? When do companies feel that they have the
|> right to read anyone's mail and who can do it?
|>
|> Please help, if you have any knowledge of cases at
|> companies or can recommend any info... I'm in
|> a bind; research paper is due in less than a
|> week!! But, please don't send over any irrelevant
|> material!!
|>
|> e-mail address is erini@enterprise.ifp.uiuc.edu
|>

Most companies that I have been associated with, and that is a large number, as an employee or consultant, consider that inasmuch as they own the equipment, the software and the networks, and since they pay you to do a specific job, they own all of the data that resides in any and all computers, disk, tapes, etc.
This same policy also extends to other forms of data storage such as papers that you write, the contents of your office and/or desk and file cabinets. They have the right to plunder your desk as well as any computer data that is maintained on their systems or transits their networks. They also have the right to monitor and record your voice communications paths. This monitoring of voice traffic and in some cases your keyboard traffic requires, in some states (calif comes to mind) prior notification.

Note that I am not saying that I agree or disagree with these policies, but as an executive/officer in some large firms, I know that these are indeed the policies in such diverse businesses as airlines and financial services firms.

Hope this helps....

paul

------------------------------

From: Mitch Collinsworth
Subject: Re: SSN
Date: 26 Apr 1993 11:34:06 -0400
Organization: Cornell University Program of Computer Graphics

In "Keith F. Lynch" writes:

>In article fec@arch2.att.com writes:
>> The court system further explained in the summons package that jurors
>> are selected, in part, from drivers license files and that drivers
>> license numbers are used to differentiate people with the same name
>> living at the same address.

>Does this mean we are no longer guaranteed the right of jury by our
>peers, but now have a right of jury by drivers?

>That will be really reassuring to cyclists who get in legal cases
>against malicious or incompetent drivers.

Implementation of juror solicitations is, I assume, left up to the various courts. In my county, they use drivers licenses, voter registrations, and one other database, which I can't recall at the moment.

-Mitch Collinsworth

No junk mail, please.

------------------------------

Date: Mon, 26 Apr 93 10:24:45 EDT
From: David Carroll
Subject: Clipper Chip

I've been very disappointed by the discussion that I've seen in this group concerning the proposed Clipper Chip.
Most of this discussion has been a review of the technology of that chip and how it might be implemented. A few posters, especially Fred Baube, have dealt with the threshold question - is it for government to say whether I may conceal the meaning of my communications, whether spoken, written, or electronic?

The Fourth Amendment and the Fifth Amendment are meaningless if we waive our rights and blindly trust government power. Even with a legal, warranted search, the government is not guaranteed that it will succeed in finding what it wants, and the protection against self-incrimination provides that we may not be compelled to tell them how to find it. Electronic communication must be just as secure. If I encrypt my own correspondence and only my addressees can decrypt it, the government will have to do without that information.

Those tired, old arguments about the needs of law enforcement have been used before to admit tainted evidence, to deny people representation, and to make a mockery of the Bill of Rights. If you want to sell that garbage, go to work for Ollie North trying to suspend our Constitution.

Dave Carroll, NYS Div. of the Budget
bdcarrd1@budget.bitnet (or if path problems ... bdcarrd1%budget@cunyvm.cuny.edu

*****
* DISCLAIMER:
* These views are only my own. You didn't seriously think
* NEW YORK STATE paid me to have/express an opinion, did you?
*****

------------------------------

From: Dave
Subject: Re: SSN on college applications?
Date: 26 Apr 93 14:51:47 GMT
Organization: Intergalactic Rest Area For Weary Travellers

jrf%b31.nihnei.dcrt.nih.gov@PICA.ARMY.MIL (Fidler, Justin) writes:

{>
{> Often what I receive is a simple brochure with a business reply card. On
{> these reply cards, they often ask for quite a few things, notably SSN. My
{> question is this: should I include it, and if not, will it lower my chances
{> with that college? I wonder if a data-entry clerk who receives a card with a
{> blank area may just toss the card. It is more important to me that I have a
{> chance getting into a college than if my SSN is released.
{>
{> It should be noted that SATs are tracked by numerous keywords, the most
{> common being SSN.
{>

I am applying to a college (to get back to learn). I sent them a card, leaving off my SSN, for more information. I got a letter a few weeks later saying that due to my failure to include my SSN on the form, I would not be added to the mailing list.

They claim that SSN is used to avoid duplicate mailings. (Heh! They could use a phone number and do better.)

I was thinking of using a part of my phone number (this makes more sense as an identifier number) or my zip code plus 4 (which is 9 digits, and I think this would make a real neat SSN), but they ask for home phone number and address zip on the form.

I just made up an SSN starting with 759-xx-xxxx and shipped it off. I have yet to hear back from them.

-David

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
China Cat BBS                          c-cat!david@sed.csc.com
(301)604-5976 1200-14,400 8N1          ...uunet!mimsy!anagld!c-cat!david
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

From: Brad Miller
Subject: Re: Credit card application
Organization: University of Rochester
Date: 27 Apr 93 13:48:44
Apparently-To: rutgers!comp-society-privacy

In article Matthew B Cravit writes:

> I received a credit card application (some kind of student Visa/Mastercard),
> and in looking at the application, I see that they want to know:
>   My Resident Alien number (I am not a US citizen yet)
>   All sources of income and how much I make per week from each
>   My checking account NUMBER, bank and BALANCE
>   The account numbers of any credit cards I have and my monthly payments
>   The account numbers of any other bank accounts I have and their balances
>   Social security number
> Should I be wary of providing any of this? Do they have a reasonable right to
> my Mastercard and AmEx account numbers and checking balance?

This sort of question comes up so often in this group, I'm posting this generally.

There is a distinct difference between being asked for the above information (e.g. on a credit card application) and being required to supply it (e.g. on an IRS or other government form).

In the former case, you don't have to fill out the application if you do not wish to disclose. You have no "reasonable right" to a credit card, so the (implied) point about forcing them not to receive your (eg) SSN is moot. Note that this is distinct from telling them you are willing to be a client, but only if you do not have to disclose, e.g. your SSN. That is simply negotiation.

The other, much more important to privacy case is where you MUST disclose information in order to comply with law. In other words, some form of coercion is involved.

In your case, the only thing to ask yourself is do you think the information you are giving is reasonable for the service you are applying for, and are you willing to give the information. If the answer to either question is "no", then either do not apply, or open negotiations with the merchant/bank.

--
----
Brad Miller
miller@cs.rochester.edu
Disclaimer: I disavow any support, or consent for the actions or existence of any so called government entity.

------------------------------

End of Computer Privacy Digest V2 #038
******************************