Computer Privacy Digest Mon, 18 Oct 93              Volume 3 : Issue: 058

Today's Topics:                         Moderator: Dennis G. Rears

    Re: Worse Than Billboards
    Clinton Health Care Initiative
    Re: SSN privacy
    Finding someone
    Personal Privacy vs. the "Digital Detective"?
    Re: Digital Cash
    Re: Digital Cash
    Re: Clinton Health Care Plan

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy. The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated). Submissions should be
sent to comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil. Back issues are available via
anonymous ftp on ftp.pica.army.mil [129.139.160.133].
----------------------------------------------------------------------

Date: Thu, 14 Oct 1993 15:55:05 +0800
From: Brian Gordon
Subject: Re: Worse Than Billboards

I find myself disagreeing with two people with whose opinions I rarely do
-- John Higdon

>> Subject: Digital Detective At Your Service
>
>I never thought that I would have to see this ad here in addition to
>everywhere else. Are your advertising rates reasonable? I run an IP
>bureau, a long distance aggregation concern, am a telecom and RF
>consultant, and do technical consulting in criminal cases. How much per
>column inch?

and the moderator

>[Moderator's Note: I've received many complaints about this one. This is
>one where I wasn't paying attention. I was gone for about 10 days
>and really just looked at the headers as opposed to the body of the
>article. ._dennis ]

I too saw the "ad" several places, and thought that it was especially
appropriate for this forum. It was, deliberately, I am sure, a SCREAM to
wake people up to the amount of information that is cheaply and readily
available about them. No abstractions about "if I have your SS# I can
get lots of stuff about you", but a real catalog of WHAT information
ANYONE can get. I thought it was one of the most useful articles posted
here in a long time ...
[Moderator's Note: I think the problem was it was more of an
advertisement than a statement that it was available. ._dennis ]

------------------------------

Acknowledge-To: WHMurray@DOCKMASTER.NCSC.MIL
Date: Thu, 14 Oct 93 21:12 EDT
From: WHMurray@dockmaster.ncsc.mil
Subject: Clinton Health Care Initiative

>Dennis D. Steinauer
>National Institute of Standards and Technology
>A-216 Technology
>Gaithersburg, MD 20899 USA nist.gov
>
>BTW -- The "Card" isn't likely to be a smartcard, massive memory card, or
>other such thing -- at least not for a long time. Indeed, it probably won't
>even be the SAME card in all areas.

I was afraid of that. Actually, all other things equal, I prefer a very
smart card. While I do not expect either the bureaucrats or the service
providers to give it up, the best solution is one in which all of the
data is recorded only on the card, kept in the custody of the data
subject, and used only with his cooperation and consent.

>The president's plan, in line with the
>approach of encouraging technical innovation, initially calls for a minimal
>machine readability capability (read "mag strip").

This is 1993. "Minimum machine readability" does not require a "mag
strip." In 1993 we do not even need the number, much less a "dumb" card.
(What kind of "technical innovation" is a mag stripe card?)

The evil is in the data base, not in the card and not in the number. It
is in the unintended, unanticipated, and unauthorized secondary uses
that will be conceived by the overzealous (those well intentioned and
professional people who brought you Waco). It is in the unavoidable
errors in the data and in the accidental, but equally unavoidable,
disclosures.
William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

From: Adrian Demarais
Subject: Re: SSN privacy
Date: 15 Oct 1993 04:03:13 GMT
Organization: Net Access - Philadelphia's Internet Connection

Vincent Broerman (0005461808@mcimail.com) wrote:
.. why is SSN privacy such a big deal...

A name, address, and SS number is all a lot of credit card companies ask
for when issuing a card. People have been sued for non-payment of bills
accrued by someone issued a card in their name, at a different address.

------------------------------

From: Rajiv A Manglani
Newsgroups: alt.privacy,comp.society.privacy,misc.legal
Subject: Finding someone
Date: 15 Oct 1993 05:17:05 GMT
Organization: Massachusetts Institute of Technology
Distribution: world

I am trying to find a lost relative. All I have is his name, birth date,
and social security number. How might I get an address or phone number?

Rajiv

--
-------------------------------------------------------------------------
Me: Rajiv A. Manglani                      rajiv@mit.edu
    La Maison Francaise                    Brilliant Image
    476 Memorial Drive #513                Seven Penn Plaza
    Cambridge, MA 02139-4319               New York, NY 10001
    617. 225. 7690                         800. 727. 3278 x200
-------------------------------------------------------------------------
Stuyvesant High School Alumni EMail Address List Maintainer
-------------------------------------------------------------------------

------------------------------

From: Craig Wagner
Reply-To: craig.wagner@his.com
Date: Fri, 15 Oct 1993 11:29:59
Subject: Personal Privacy vs. the "Digital Detective"?

"A> From: "Tansin A. Darcos & Company"

Just an observation based upon the following:

"A> I once called one of the local offices of a national credit bureau.
"A> I pretended to be an employer, and asked them, if I was just interested
"A> in getting an occasional listing because I am checking perhaps 5 or 6
"A> people a year as potential employees, and not doing enough business to
"A> justify a $15 a month subscription, was it possible for me to obtain
"A> reports even though I am not a subscriber. 'Certainly'. I have to
"A> send in a written statement indicating (1) that I have a legally
"A> authorized reason to obtain the information, and (2) what that reason
"A> is, e.g. type of request, employment, credit, etc.

"A> I think only the credit reports needed proof of a legitimate business
"A> reason.

The two requirements enumerated above do _not_ constitute providing
"proof" of a legitimate business reason, any more than a felon signing a
statement claiming not to be a felon in order to purchase a gun is
"proof."

Perhaps something more is required, but as stated, I could send in a
letter with a fictitious name, using an anonymous mail drop, and get
access to anyone's credit rating. Was something else left out? Is a copy
of some govt. document "proving" identity also required?

------------------------------

Date: Fri, 15 Oct 93 13:08:34 PDT
From: "Dick Murtagh (8-465-4916)"
Subject: Re: Digital Cash

In article Todd M Cocks writes:

> Why is privacy so important ...

I know this is taken out of context, but it is important none the less.
Many use this as an argument against privacy issues.

Why is freedom of speech so important ? It's the same question.

The right to privacy is protected as a natural right under the 8th
amendment. That it isn't specifically stated has more to do with the
limitations of the writers than their reverence. In 1789 there were no
monolithic computer systems gathering and disseminating information
about our private rights. So, there was no need to explicitly state it.

"A man who is willing to trade freedom for safety, deserves neither
freedom nor safety".
Are we willing to trade our freedom for mere convenience ?

------------------------------

From: Ted Oliverio
Subject: Re: Digital Cash
Organization: NETCOM On-line Communication Services (408 241-9760 guest)
Date: Fri, 15 Oct 1993 20:14:10 GMT

Please forgive my naivete, I'm lost:

How does my digital-cash card act differently than my ATM (debit) card?

If it helps, I understand, deeply, how the debit card works. I just have
no idea what a digital-cash card is. I also understand that it may just
be a proposal and, as such, doesn't exist yet. If this is the case,
please explain how your IDEAL digicash-card would work. And how this is
different from my debit-card.

--
\ Home of "Barrel-Of-Monkey-Enterprises", olie@netcom.com
\ Tubing-Central. (If you have to ask...)
\
\ Tubors Rule!

------------------------------

From: Steven Minor McClure
Subject: Re: Clinton Health Care Plan
Organization: Rice University
Date: Fri, 15 Oct 1993 20:58:18 GMT

>Jerry Whelan wrote:
>...
>Oops! Lost the card. Sorry we didn't know about your allergy
>to this common anesthetic....
>

"I'm sorry sir, no card, no treatment"
"...you will have to go to your local health care card office to have a
replacement made"
"next please!"

I think there are very legitimate reasons to have medical records stored
in several different places around the country....Hey, accidents happen.
There also needs to be some way to keep these out of the hands of
snoopers, etc. No one wants bored govt. workers looking through medical
histories.

Perhaps everyone should have a copy on their personal card, encoded with
some very small key (such as a PIN). This data would be mostly protected
by physical security.
A second copy could be kept around the country in some network, in a
distributed fashion, where 2 or 3 binary sequences have to be XOR'd to
reconstruct the record (similar to key escrow system proposed for
Clipper, which, by the way, sucks for that purpose, but might be OK
here, assuming that suitable escrow agencies can be found). These binary
sequences would have to be stored at several agencies each, to prevent
loss in disasters, hard disk crashes, etc.

A system could be set up where whenever someone needed to access medical
records they would have to prove they are a doctor or something. A
permanent record would be made of the transfer at each escrow agency, so
it would be impossible for a rogue doctor to get a copy of all three
without leaving a 'paper trail' for the patient to find later. By the
way, assumed in this scheme is that a patient has complete rights to
look at their medical history.

Normally, none of this would have to be done. The patient would give the
doc. the card and it would be swiped and the medical history would be
loaded into the hospital's computer. But, if the card was lost, stolen,
or erased, a second copy would be available with only a slight delay.
Another assumption here is that the patient would have the
responsibility to update the remote files by uploading his card to the
escrow agencies on a regular basis.

Sorry this was so long. Comments anyone?

Steve

------------------------------

End of Computer Privacy Digest V3 #058
******************************
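
The XOR splitting and per-agency transfer record described in the last post (Re: Clinton Health Care Plan), as an added example that is not part of the original digest or any poster's code. The names `split_record`, `share_consistent_with`, `EscrowAgency` and `fetch_record`, the patient and requester identifiers, and the sample record are hypothetical and constructed for illustration.

```python
import secrets
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def split_record(record: bytes, n: int = 3) -> list:
    """Split record into n binary sequences; all n are needed to rebuild it."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(record)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, record))  # record ^ r1 ^ ... ^ r(n-1)
    return shares

def reconstruct(shares: list) -> bytes:
    """XOR every share together to recover the record."""
    return reduce(xor_bytes, shares)

def share_consistent_with(held: list, candidate: bytes) -> bytes:
    """Missing share that would make `candidate` the record.

    One exists for every candidate of the right length, so holding all
    but one share rules out nothing about the record's contents.
    """
    return reduce(xor_bytes, held, candidate)

class EscrowAgency:
    """Hypothetical agency: stores one share per patient, logs each release."""
    def __init__(self, name: str):
        self.name = name
        self._shares = {}
        self.audit_log = []  # the 'paper trail' the patient can inspect

    def deposit(self, patient_id: str, share: bytes) -> None:
        self._shares[patient_id] = share

    def release(self, patient_id: str, requester: str) -> bytes:
        self.audit_log.append((patient_id, requester))  # log before releasing
        return self._shares[patient_id]

def fetch_record(agencies: list, patient_id: str, requester: str) -> bytes:
    """Collect a share from every agency (each logs the request) and rebuild."""
    return reconstruct([a.release(patient_id, requester) for a in agencies])

if __name__ == "__main__":
    record = b"CONSTRUCTED SAMPLE: allergy to anesthetic X"  # constructed input
    agencies = [EscrowAgency(n) for n in ("A", "B", "C")]
    for agency, share in zip(agencies, split_record(record, 3)):
        agency.deposit("patient-1", share)
    print(fetch_record(agencies, "patient-1", "dr-example"))
    print([a.audit_log for a in agencies])
```

Each share is as long as the record, so the record's length is the one thing a single agency learns. The proof-of-doctor step and the redundant storage of each sequence at several agencies are not modeled here.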