Date: Sun, 26 Dec 93 15:09:33 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#011 Computer Privacy Digest Sun, 26 Dec 93 Volume 4 : Issue: 011 Today's Topics: Moderator: Leonard P. Levine e-mail privacy SS Used as Password Driver Protection Act Re: Cellular Phone Security Re: Maryland to introduce high-tech drivers' license Re: Encryption At School The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: Sharon Shea Date: Thu, 23 Dec 1993 08:57:40 -0500 (EST) Subject: e-mail privacy Hello list, Thanks for all your replies. I tried to repspond to everyone, but my mail since my post has been overwhelming. (As anyone secretly monitoring my mail will surely know.) Yes, my case (and Tewhey's) at MIT have been a real circus. FYI, my problems started when I was brought in to hear that there was a complaint against me, that I would be throughly investigated in every aspect of my professional behavior, that I could be terminated and that no, I would not be allowed to see the detail of the charges against me. You heard that right, I would not be allowed to see the complaint. This could happen only at the discretion of the investigator (which, incidently, he decided to do). Most of the 'charges' were not related to me, but were a sad diatribe about how shabbily Tewhey had been treated. Also, there was nothing in the 'charges' that specified a definite statement, a time or place that I was involved in. It did, however, mention things such as what awful friends I had (people that Tewhey had reason to to be upset about). The complainant didn't know these individuals. The charges were dismissed. These charges, BTW, were handed around to others before I even knew of their existance (and while I was charged but had not yet been allowed access to the charges). The stuff on my hard drive was accessed by Tewhey friends, was given to Tewhey, not part of the investigation. The contents of the e-mail, FYI, was a pretty benign inquiry about 'who *is* this guy Tewhey & do you know what's up with him since I seem to be brought into a very bizarre business around his issues and harassment?' The reply was 'I dunno' and that was it. I have learned: If someone is up to no good - duck. Don't report any controversial issue to anyone above you, particularly through what is presented as a confidential, legitimate avenue for this sort of stuff. *Particularly* when asked. They are looking for what you know, and you can be killed for reporting in confidence. I do appreciate the many answers that I have received - they've been helpful and very supportive. If you've been amused, well, I suppose some good comes of this in being able to entertain the masses. I do think it is very important to discuss the boundaries between what of belongs to the corporation, and what belongs to our privacy and right to moral expression. The one suggestion (that has come in a few times) that I don't trust (where did trust go?) is to consult with the MIT's attorneys. Hmmm....just can't bring myself to do that. I do, however, Much appreciate any info on MIT policy around these issues. Comparing them with state and federal laws, and then examining the implementation of the 'rules', or 'policy' is just amazing. And I do have my own attorney. -Sharon ------------------------------ From: "Prof. L. P. Levine" Date: Mon, 20 Dec 1993 20:04:38 -0600 (CST) Subject: SS Used as Password A friend in asked me to post this. For reasons that have nothing to do with the posting he asked me to post it anonymously for him. "Had an interesting experience making a purchase at the Bombay Company in Milwaukee Wisconsin today. I tried to purchase two gifts with a credit card. The clerk asked if I would like to be on the mailing list for their catalog, and I agreed. As she rang up the order she then asked for my mailing address, which I provided, and then she asked for my Social Security number! Why? She said: "It's for your protection. If you make a catalog order by phone and pay for it with a credit card, we'll know that it really is you making the purchase." I told her that if that was the reason, we'd make it really difficult for someone wishing to commit fraud. We'll make up a number! I told her to put down: 000-00-0000. Geesh! ------------------------------ From: "Prof. L. P. Levine" Date: Thu, 23 Dec 1993 11:30:52 -0600 (CST) Subject: Driver Protection Act Two bills have recently been posted, one in the US House by Representative James P. Moran, D-VA and the other in the US Senate by Senator Barbara Boxer D-CA. Both deal with the question of privacy for drivers. They are available for ftp from: ftp.cs.uwm.edu, pub/comp-privacy/library as butler.bil and moran.bil and from: ftp.eff.org, pub/eff/legislation as s1589 and hr3365. A short excerpt from the salient parts of them follows. Any act of omission on my part is an attempt at brevity. Anyone who feels that I have omitted important parts of these two bills should feel free to download those parts I have omitted and post them as a part of his or her argument. Omissions are marked with the symbol [...]: [...] This Act may be cited as the "Driver's Privacy Protection Act of 1993". [...] "2721. Prohibition on release of certain personal information by States "(a) IN GENERAL.-It shall be unlawful for any person or other entity to disclose personal information derived from an individu- al's motor vehicle records to any other person or entity, other than to the individual, except as permitted under this chapter. "(b) EXCEPTIONS.-Personal information referred to in subsection (a) of this section may be disclosed for any of the following uses: "(1) For use by any Federal or State court in carrying out its functions. "(2) For use by any Federal or State agency in carrying out its functions. "(3) For use in connection with matters of automobile and driver safety, including manufacturers of motor vehicles conduct- ing a recall of motor vehicles. "(4) For use in the normal course of business by a le- gitimate business (including an insurer or insurance support organization) or its agents or employees or contractors, but only- "(A) to verify the accuracy of personal information submitted by the individual to the business; and "(B) if such information as so submitted was not correct, to obtain the correct information, but only for the purpose of pursuing remedies against an individual who provided false information or presented a check or similar item that was not honored. "(5) For use in any civil or criminal proceeding in any Federal or State court. "(6) For use in research activities, if the motor vehicle department determines that such personal information will not be used to solicit the individual and that the individual is not identified or associated with the requested information. "(7) For use in marketing activities, if the motor vehicle department- "(A) has provided in a clear and conspicuous manner to the individual an opportunity to prohibit such disclosure; "(B) has received assurances that the information will be used, rented, or sold solely for a permissible use under this chapter, including marketing activities; and "(C) has received assurances that each entity that sells or uses the information so obtained keeps complete records identifying each purpose for which the information is used and each organization that receives the information. "(8) For purposes of reselling the personal information for a permissible use under paragraph (7) of this subsection, but only if each person or other entity that sells or uses the infor- mation so obtained keeps complete records identifying- "(A) each purpose for which the information is used; and "(B) each person or other entity that receives the information. "(9) For use by any insurer or insurance support organi- zation, or its employees, agents, and contractors, but only in connection with claims investigation activities or antifraud activities. "(c) WAIVER PROCEDURES.-(1) Each State shall establish and carry out procedures under which- [...] "(B) any motor vehicle department of the State may enter into an agreement with any business (including an insurer or insurance support organization) or its agents, employees, or contractors, based upon a certification that the business has obtained or will have obtained consent from the individual to whom the information pertains, to obtain requested personal information from such department. [...] The term 'personal information' is information that identifies an individual, including an individual's photograph, driver's identification number, name, address, telephone number, social security number, and medical and disability information. Such term does not include information on vehicular accidents, driving violations, and driver's status. end of excerpt -- Leonard P. Levine e-mail levine@cs.uwm.edu Professor, Computer Science Office 1-414-229-5170 University of Wisconsin-Milwaukee Fax 1-414-229-6958 Box 784, Milwaukee, WI 53201 ------------------------------ From: decastro@netcom.com (Richard A. De Castro) Date: Sat, 25 Dec 1993 20:59:26 GMT Subject: Re: Cellular Phone Security Organization: NETCOM On-line Communication Services (408 241-9760 guest) eck@panix.com (Mark Eckenwiler) writes: >>I hope this is yet another hoax. >Apparently not. Mr Grosso is listed in Martindale-Hubbell as an AUSA, >so unless the post is forged, this is a gen-you-wine remark from a >federal prosecutor. Lets hope that he applies more diligence to other US laws. Personally, I think that ECPA is a sham, designed by incompetents (both in government and in industry) to show people who don't understand the technology they're using that they have DONE SOMETHING TO MAKE SURE THEY ARE SAFE! -- ========================================================================== decastro@netcom.com Warning: I am a trained professional. No, Really! Do Not try this yourself - it could get ugly.. Richard A. De Castro - California, North America, Sol-3 ========================================================================== ------------------------------ From: silvers3@husc9.harvard.edu (Jolyon Silversmith) Date: 23 Dec 1993 02:10:02 GMT Subject: Re: Maryland to introduce high-tech drivers' license Organization: Harvard University Science Center In article Paul Robinson writes: >In "State to Fight Fraud With High-Tech Driver's License" (Page MD-1, >Washington Post, Dec 16), Richard Tapscott reports on Maryland's new >License to be issued January 1. The license is already being issued... When I renewed my licence today (December 22) it was being issued at the MVA office I was at for the first time... >- The photos of two front example licenses appear in the Post in color; > the back of the new license is shown in black and white; the current > license has the back printed in blue. This may be the way the post > photographed it rather than actual appearance. Nope. The back is printed only in black. In some ways, this seems like a step backwards... I should note that the back is NOT laminated, only the front (because of the magnetic strip, I assume); both sides of the old licence were laminated. Otherwise, this summary was accurate. One additional change, though: to be an organ donor, you must say so when the licence is issued, as it is printed on the card rather than affixed by a sticker. I suppose this will mean that if you change your mind, you'll have to get a new licence? Also, the "ghost" photograph under the hologram looks very odd. My eyes are completely covered by the "weight" and "sex" data, and the colors are noticebly lighter then in the "real" photo... -- Jolyon ("Jol") Silversmith_____________________________________________________ silvers3@husc.harvard.edu Former Director: Civil Liberties Union of Harvard Mather House 188 Editor: The Mather Messenger (House Newsletter) Cambridge, MA 02138 Submissions Editor: Lighthouse Magazine ____________ I have a firm grip on reality. Now I can strangle it. ____________ ------------------------------ From: decastro@netcom.com (Richard A. De Castro) Date: Sat, 25 Dec 1993 21:01:52 GMT Subject: Re: Encryption At School Organization: NETCOM On-line Communication Services (408 241-9760 guest) Chris Burris writes: > Suppose that I wrote a simple encryption program and ran it at school, > and the administration searched my disk. Could the administration > force me to give them the encryption key even if i refused? Who's computer is it? If it's yours, no, they can't (privacy and property laws). If it's there computer, they have a better case, but probably not. They can, of course, just erase the encrypted data, and send you home. Never say anything you're not willing to repeat in Court! Including on disk. -- ========================================================================== decastro@netcom.com Warning: I am a trained professional. No, Really! Do Not try this yourself - it could get ugly.. Richard A. De Castro - California, North America, Sol-3 ========================================================================== ------------------------------ End of Computer Privacy Digest V4 #011 ****************************** .