Date: Fri, 07 May 93 16:22:34 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#040

Computer Privacy Digest Fri, 07 May 93              Volume 2 : Issue: 040

Today's Topics:                         Moderator: Dennis G. Rears

        Virginia Voters and SSNs
        I won one!
        driver's license for jurors (was: Re: SSN)
        privacy vs banks (was: Re: I won one!)
        stories about SSN misuse (e-mail only)
        New NIST/NSA Revelations
        DMV Records

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Craig Wagner
Date: Wed, 28 Apr 1993 12:00:38 -0500
Subject: Virginia Voters and SSNs

A while back, some interest was shown in a court ruling against the Commonwealth of Virginia's combined constitutional (if I recall correctly) requirement of the use of a SSN to register to vote and legislated policy of making such lists, along with the SSN, available to the general public.

A week or two ago, while voting in a special election in Arlington, Virginia, I noticed a list of voters, with their SSNs, posted on a wall in the polling place. I wrote to the Board of Voter Registration the next day to express my concern. Their reply, which may be of interest to others here, was as follows:

"Thank you for your letter of April 21. The list you saw on the wall was the list of those purged for not voting in a four year period. The Code of Virginia requires that this list be posted in each precinct at each election.

"The Fourth Circuit Court recently reversed the Federal District Court with its unanimous decision in the social security case of Greidinger v. Davis, and remanded the case to the District Court in order to give the Commonwealth the responsibility to either delete their requirement that a social security number be provided for voter registration or to eliminate the use of the social security number in records open to public inspection and those provided to eligible recipients pursuant to Section 24.1-23 (8) of the Code of Virginia.

"The State Board of Elections has advised all electoral boards and registrars that this does not have the effect of changing the procedures we are mandated to follow at this time.* The State Board of Elections, the Court, and the Attorney General are reviewing our current registration and election procedures to eliminate the public display of social security numbers. They will notify us as soon as possible as to any action and decisions they make.

"Therefore, you may be assured that your number will not appear on such a list in future elections.

"If you have any questions, please give me a call.

"Sincerely yours,

(name omitted)
General Registrar"

* the three words preceding this asterisk were in Bold typeface.

------------------------------

From: Henry Mensch
Date: Fri, 30 Apr 93 13:47:14 -0700
Subject: I won one!

   Date: Thu, 29 Apr 93 00:08:23 GMT
   From: Bear Giles

   1. The _very_ first thing the rep did was call a telephone number to "verify" my SSN. Said verification was nothing more than verifying that SSN had actually been assigned to a person (I don't recall if she read my name or not), but a completely bogus SSN will _not_ work.

not true. the number she calls connects to a service which banks subscribe to ... they report all their "bad" banking relationships to the service, and if your number turns up bad then they give you a slip which tells you why they will decline your business.

# henry mensch / booz, allen & hamilton, inc.
/
# "fight the real enemy." -- sinead o'connor, and many others.

------------------------------

From: Jonathan Thornburg
Subject: driver's license for jurors (was: Re: SSN)
Organization: U of Texas at Austin / Physics Dept / Center for Relativity
Date: Sat, 1 May 93 05:03:57 GMT

In article Charles Mattair writes:
| Texas has just started using DLs instead of voter registration rolls (there
| was a perception many people were not registering to avoid jury duty :-( ).
|
| The result has been, shall we say, a very mixed success. On the positive
| side, the pool of potential jurors is definitely up. Other positives
| include - actually, the courts and the DA say that's it. Negatives are:
| much higher rate of no-shows; lower average level of educational attainment;
| lower socio-economic status (that is, much higher percentage of un/under
| employed); much higher percentage of undocumented workers and non-English
| speakers; jurors who serve but really don't participate in the process; in
| general, a lower quality juror pool.

I was under the impression that few of these "negatives" were constitutional grounds for disqualifying prospective jurors.

Let's see... perhaps we should only allow prison inmates to serve as jurors, since that way we could really cut the rate of no-shows?

Other than not being a US citizen, it seems to me that *none* of the other "negatives" you mention are relevant -- not being poor, not being less educated, not not speaking English, and not being unenthusiastic.

Indeed, in order for a jury system to be in any sense fair, it *must* include a representative fraction of people who *are* poor, less educated, don't speak English, etc. It must also include a representative fraction of people who don't have driver's licenses, but the Texas "motor voter" law merely *adds* the driver's license list to the other existing lists they already use, so that's not a problem.

- Jonathan Thornburg (temporarily living in Texas, but not an USA citizen)
  or
  [until 31/Aug/93] U of Texas at Austin / Physics Dept / Center for Relativity
  [thereafter] U of British Columbia / {Astronomy,Physics}
  "One million Americans have two homes; four million Americans have no homes."

------------------------------

From: Jonathan Thornburg
Subject: privacy vs banks (was: Re: I won one!)
Organization: U of Texas at Austin / Physics Dept / Center for Relativity
Date: Sat, 1 May 93 05:13:03 GMT

In article Bear Giles writes:
>I just opened a new checking and savings account (since my former bank
>forgot who hired whom) and several interesting things happened:
>
>The bad news:
>
>1. The _very_ first thing the rep did was call a telephone number to
>   "verify" my SSN. Said verification was nothing more than verifying
>   that SSN had actually been assigned to a person (I don't recall if
>   she read my name or not), but a completely bogus SSN will _not_ work.
>
>   (I hadn't been paying attention because I thought she was verifying
>   my driver's license).
>
>2. I asked about this and she said the bank _requires_ SSNs for any
>   account. If I went in with $1000 in cash and tried to open a
>   savings account, agreeing that 33% of all interest will be paid
>   to the IRS (and 5% to Colorado) to cover any possible income tax,
>   _they would refuse my business_.

Indeed, they're required by law to get an SSN any time they pay interest. This is so they can report the interest to the IRS, who can in turn cross-match this with your tax return to make sure you report that interest as income.

Note, however, that most financial institutions will, if you ask them, agree to use something other than your SSN for your account number, so it's at least not printed on all your cheques...

>3. After providing my legal name, I asked if the records could be marked
>   a/k/a for my use-name.
>   After a bit of hemming and hawing (since I
>   don't have court documents to force them to do this) they agreed to
>   accept both names _and_ to print my use-name on the checks. My previous
>   bank insisted on court papers, but it was an existing account when
>   I inquired.

You're under no obligation to get your cheques through your financial institution. In particular, I don't believe there's any law against your obtaining cheques printed with your account number and the name "Bill Clinton". Whether or not your financial institution will honor them, of course, is up to them...

>4. When I handed over my standard "a condition of me doing business with
>   you is _no_ _mailing_ _lists_" letter she said that the Bank did not
>   release the names of its customers [ ... ]

And you *believed* her?

>I had also been told (when investigating banks) that I would be asked for
>a 4-digit identifying number -- they don't use readily available information
>like SSNs for checkcodes. I wasn't asked today, but this may be because
>this rep had recently started.

I think you're thinking of a PIN for an ATM card. You only specify this if/when you apply for such a card.

- Jonathan Thornburg
  or
  [until 31/Aug/93] U of Texas at Austin / Physics Dept / Center for Relativity
  [thereafter] U of British Columbia / {Astronomy,Physics}
  "One million Americans have two homes; four million Americans have no homes."

------------------------------

From: noah@cs.washington.edu (Rick Noah Zucker)
Subject: stories about SSN misuse (e-mail only)
Organization: Computer Science & Engineering, U. of Washington, Seattle
Date: Wed, 5 May 93 16:57:17 GMT

I just started a new job (not at the University of Washington). I recently received ID cards for the company's medical plan and saw that my social security number was on these cards, and they must be presented at places like doctor's offices and pharmacies.
When I do try to explain to the company about why having SSN on these cards is bad (group and employee number would be unique), I would like to show them some examples of the dangers.

So, is there a good source of stories about misuse of SSNs (book, easily found magazine or on-line)? You can send me your own too. We all know about these problems, so there is no need to post.

Rick Noah Zucker
noah@cs.washington.edu

------------------------------

Organization: CPSR Civil Liberties and Computing Project
From: Dave Banisar
Date: Thu, 6 May 1993 19:31:55 EST
Subject: New NIST/NSA Revelations

New NIST/NSA Revelations

Less than three weeks after the White House announced a controversial initiative to secure the nation's electronic communications with government-approved cryptography, newly released documents raise serious questions about the process that gave rise to the administration's proposal. The documents, released by the National Institute of Standards and Technology (NIST) in response to a Freedom of Information Act lawsuit, suggest that the super-secret National Security Agency (NSA) dominates the process of establishing security standards for civilian computer systems in contravention of the intent of legislation Congress enacted in 1987.

The released material concerns the development of the Digital Signature Standard (DSS), a cryptographic method for authenticating the identity of the sender of an electronic communication and for authenticating the integrity of the data in that communication. NIST publicly proposed the DSS in August 1991 and initially made no mention of any NSA role in developing the standard, which was intended for use in unclassified, civilian communications systems. NIST finally conceded that NSA had, in fact, developed the technology after Computer Professionals for Social Responsibility (CPSR) filed suit against the agency for withholding relevant documents.
The proposed DSS was widely criticized within the computer industry for its perceived weak security and inferiority to an existing authentication technology known as the RSA algorithm. Many observers have speculated that the RSA technique was disfavored by NSA because it was, in fact, more secure than the NSA-proposed algorithm and because the RSA technique could also be used to encrypt data very securely.

The newly-disclosed documents -- released in heavily censored form at the insistence of NSA -- suggest that NSA was not merely involved in the development process, but dominated it. NIST and NSA worked together on the DSS through an intra-agency Technical Working Group (TWG). The documents suggest that the NIST-NSA relationship was contentious, with NSA insisting upon secrecy throughout the deliberations. A NIST report dated January 31, 1990, states that

     The members of the TWG acknowledged that the efforts expended to date in the determination of a public key algorithm which would be publicly known have not been successful. It's increasingly evident that it is difficult, if not impossible, to reconcile the concerns and requirements of NSA, NIST and the general public through using this approach.

The civilian agency's frustration is also apparent in a July 21, 1990, memo from the NIST members of the TWG to NIST director John W. Lyons. The memo suggests that "national security" concerns hampered efforts to develop a standard:

     THE NIST/NSA Technical Working Group (TWG) has held 18 meetings over the past 13 months. A part of every meeting has focused on the NIST intent to develop a Public Key Standard Algorithm Standard. We are convinced that the TWG process has reached a point where continuing discussions of the public key issue will yield only marginal results.
     Simply stated, we believe that over the past 13 months we have explored the technical and national security equity issues to the point where a decision is required on the future direction of digital signature standards.

An October 19, 1990, NIST memo discussing possible patent issues surrounding DSS noted that those questions would need to be addressed "if we ever get our NSA problem settled."

Although much of the material remains classified and withheld from disclosure, the "NSA problem" was apparently the intelligence agency's demand that perceived "national security" considerations take precedence in the development of the DSS. From the outset, NSA cloaked the deliberations in secrecy. For instance, at the March 22, 1990, meeting of the TWG, NSA representatives presented NIST with NSA's classified proposal for a DSS algorithm. NIST's report of the meeting notes that

     The second document, classified TOP SECRET CODEWORD, was a position paper which discussed reasons for the selection of the algorithms identified in the first document. This document is available at NSA for review by properly cleared senior NIST officials.

In other words, NSA presented highly classified material to NIST justifying NSA's selection of the proposed algorithm -- an algorithm intended to protect and authenticate unclassified information in civilian computer systems. The material was so highly classified that "properly cleared senior NIST officials" were required to view the material at NSA's facilities.

These disclosures are disturbing for two reasons. First, the process as revealed in the documents contravenes the intent of Congress embodied in the Computer Security Act of 1987. Through that legislation, Congress intended to remove NSA from the process of developing civilian computer security standards and to place that responsibility with NIST, a civilian agency.
Congress expressed a particular concern that NSA, a military intelligence agency, would improperly limit public access to information in a manner incompatible with civilian standard setting. The House Report on the legislation noted that NSA's

     natural tendency to restrict and even deny access to information that it deems important would disqualify that agency from being put in charge of the protection of non-national security information in the view of many officials in the civilian agencies and the private sector.

While the Computer Security Act contemplated that NSA would provide NIST with "technical assistance" in the development of civilian standards, the newly released documents demonstrate that NSA has crossed that line and dominates the development process.

The second reason why this material is significant is because of what it reveals about the process that gave rise to the so-called "Clipper" chip proposed by the administration earlier this month. Once again, NIST was identified as the agency actually proposing the new encryption technology, with "technical assistance" from NSA. Once again, the underlying information concerning the development process is classified. DSS was the first test of the Computer Security Act's division of labor between NIST and NSA. Clipper comes out of the same "collaborative" process. The newly released documents suggest that NSA continues to dominate the government's work on computer security and to cloak the process in secrecy, contrary to the clear intent of Congress.

On the day the Clipper initiative was announced, CPSR submitted FOIA requests to key agencies -- including NIST and NSA -- for information concerning the proposal. CPSR will pursue those requests, as well as the pending litigation concerning NSA involvement in the development of the Digital Signature Standard.

Before any meaningful debate can occur on the direction of cryptography policy, essential government information must be made public -- as Congress intended when it passed the Computer Security Act. CPSR is committed to that goal.

***************************************************

David L. Sobel
CPSR Legal Counsel
(202) 544-9240
dsobel@washofc.cpsr.org

------------------------------

Date: Fri, 7 May 93 09:55 EDT
From: Rasch@dockmaster.ncsc.mil
Subject: DMV Records

I am working on a project involving various State laws and regulations of DMV records, and am interested in knowing which States regulate the availability of DMV records. I know that California makes it illegal to have such records. Does anybody know what other states do? In how many states is this information public, how many is it private, and how many is it illegal? Is there a difference between DMV records (i.e. that John Smith has DL 123-45-6789) and the actual licence itself with photograph?

Information is appreciated.

------------------------------

End of Computer Privacy Digest V2 #040
******************************