Date: Tue, 04 Jan 94 11:21:16 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#013

Computer Privacy Digest Tue, 04 Jan 94              Volume 4 : Issue: 013

Today's Topics:                         Moderator: Leonard P. Levine

    Interested in Privacy experiences
    Request for Information about UNABOM from FBI
    GAO Data Matching Report
    Re: CBC Newsworld Documentary - US Communication Interception
    ISSA Conference Info
    Re: Privacy with Credit Card Transactions
    Re: Driver Protection Act

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Lane Lenard <72621.2241@CompuServe.COM>
Date: 01 Jan 94 17:50:36 EST
Subject: Interested in Privacy experiences

I am working on a book on privacy issues, especially as they relate to electronic communications and abuse of personal information in databases. If you have had any personal experiences in these areas or have knowledge of such experiences by others, including various forms of eavesdropping, prying by government or private agencies, etc, I'd be interested in hearing them. Please contact me via e-mail or leave a message on the forum. Thanks for your help.

Virtually yours,
Lane Lenard

------------------------------

From: "Vinton G. Cerf"
Date: Thu, 30 Dec 93 23:30:40 -0500
Subject: Request for Information about UNABOM from FBI

Folks,

I hope you will forgive my posting this to all Internauts but the targets of these bombings are innocent people in academic and research sectors, many of whom are Internet Society members and/or users of the Internet.

------- Forwarded Message

These files also refer to a $1M reward.

The FBI would like to make you aware of its investigation concerning the UNABOM case. We have made the UNABOM information available to you in the following ways:

o Anonymous FTP:
    Host: naic.nasa.gov
    Directory: /files/fbi
    Files: README UNABOM-press-release.txt
    URL: ftp://naic.nasa.gov/files/fbi

o Gopher:
    Type=1
    Name=F.B.I. Gopher
    Path=1/government-resources/fbi
    Host=naic.nasa.gov
    Port=70
    URL: gopher://naic.nasa.gov:70/11/government-resources/fbi

o World Wide Web:
    URL: http://naic.nasa.gov/fbi/FBI_homepage.html

The information presented on the Internet about the UNABOM investigation has been made available publicly before. Recent electronic media presentations include: CBS's "Eye to Eye" with Connie Chung (12/16/93), and Fox's "America's Most Wanted" (11/23/93). Print media stories about the UNABOM investigation have also appeared: _Washington Post_ (11/27/93), _New York Times_ (10/7/93), etc.

The purpose for submitting the information on the Internet is two-fold. First, the Internet is another medium that enables us to reach as wide an audience as possible; to "spread the word." Second, Internet users are precisely the type of individuals that to date have been recipients of explosive devices attributed to UNABOM; scholars and researchers.

You are not being asked to place yourself in harm's way. You are encouraged to come forward if you have information that might help identify, arrest, and convict the person(s) responsible for these bombings. Contact the UNABOM Task Force at 1 (800) 701-2662.

William L. Tafoya
Special Agent, FBI
btafoya@orion.arc.nasa.gov

------- End of Forwarded Message

------------------------------

From: Dave Banisar
Date: Mon, 3 Jan 1994 15:14:32 EST
Subject: GAO Data Matching Report
Organization: CPSR Washington Office

GAO Data Matching Report

ONE HUNDRED THIRD CONGRESS
CONGRESS OF THE UNITED STATES
HOUSE OF REPRESENTATIVES
COMMITTEE ON GOVERNMENT OPERATIONS
2157 RAYBURN HOUSE OFFICE BUILDING
WASHINGTON, DC 20515-8143

PRIVACY CONTROLS OVER COMPUTER MATCHING LARGELY IGNORED
Rep. Condit Releases New GAO Report

A new General Accounting Office (GAO) report found serious deficiencies in implementation of the 1988 Computer Matching and Privacy Protection Act. The report was released today by Rep. Gary A. Condit (D-CA), chairman of the Subcommittee on Information, Justice, Transportation, and Agriculture.

Computer matching is the identification of similarities or dissimilarities in data found in two or more computer files. Matching is frequently used to identify delinquent debtors or ineligible program recipients. Computer matching has been criticized as an invasion of privacy, and the Computer Matching and Privacy Protection Act was passed to regulate the use of computer matching by federal agencies.

In releasing the report, Rep. Condit said:

"Most federal agencies have done a lousy job of complying with the Computer Matching Act. Agencies ignore the law or interpret it to suit their own bureaucratic convenience, without regard for the privacy interests that the law was designed to protect.

"As a result, we don't have any idea when computer matching is a cost-effective technique for preventing fraud, waste, and abuse. I support reasonable computer matching that saves money. But if we are losing money, wasting resources, and invading privacy, then it makes no sense.

"A broader issue is whether agencies can be expected to police their own operations that affect the privacy of the average citizen. Certainly OMB has done little to assist.
We may need a different approach to overseeing federal privacy-related activities."

GAO found numerous problems with the implementation of the Act's requirements.

o Cost-Benefit Analyses: The Act requires that matching programs include an analysis of the costs and benefits of the matching. One of the purposes of the Act was to limit the use of matching to instances where the technique was cost effective. GAO found many problems with implementation of this requirement, including poor quality or non-existent analyses. In 41% of cases, no attempt was made to estimate costs or benefits or both. In 59% of cases when costs and benefits were estimated, GAO found that not all reasonable costs and benefits were considered; that inadequate analyses were provided to support savings claims; and that no effort was made after the match to validate estimates.

o Data Integrity Boards: The Act requires agencies involved in matching activities to establish a Data Integrity Board to oversee the process. GAO found that the Boards were not providing full and earnest reviews of proposed matches. GAO did not find any instance in which a Board permanently cancelled an ongoing matching program or refused to approve a newly proposed one. GAO did not find evidence that the requirements of the matching act were used by the Boards to determine if a match should be approved. GAO also found that the implementation of the new procedures does not appear to have had major effects on the most important review process, the decision to conduct the match.

GAO found that the Data Integrity Boards generally accepted agencies' and states' cost-benefit analyses despite their "severe methodological flaws and lack of documentation." The documentation often failed to show how costs and benefits were calculated or the time period for expected savings. Agencies rarely estimated the most significant costs.
Overall, GAO found that the Data Integrity Boards provide less than a full and earnest review of matching agreements to determine whether to proceed with proposed matches, but rather a regularization of the approval process.

The report is titled Computer Matching: Quality of Decisions and Supporting Analyses Little Affected by 1988 Act. The report number is GAO/PEMD-94-2, and the date is October 18, 1993. Copies can be obtained [for free] from GAO by calling 202-512-6000.

------------------------------

From: charlesv@aupair.cs.athabascau.ca (Charles van Duren)
Date: 3 Jan 94 16:29:28 GMT
Subject: Re: CBC Newsworld Documentary - US Communication Interception

ua602@freenet.victoria.bc.ca (Kelly Bert Manning) writes:

>This aired Dec 28 on the broadcast CBC network and will be repeated at 18:00 Pacific Time Sun/Jan/2 and 01:00 PST Mon/Jan/3 on the CBC Newsworld satellite/cable channel. "Satellite Entertainment Guide" lists this as KU-band channel 31 on the Anik E1 satellite, located at 111 degrees west. This particular story takes up the last half hour of the hour long show.

[...specific case details omitted...]

>This leaves me with the impression that US spy agencies would quickly find themselves with a full set of Skipjack/Clipper keys for use outside the US without specific authorization if the proposals were ever implemented. These keys would be used to routinely monitor any communications that could be intercepted.

About two weeks ago CBC Prime Time did a feature on war crimes in Bosnia, specifically on the possibility of prosecuting the higher-ups who gave the orders. The interviewer confronted Serbian leader Slobodan Milosevic with verbatim evidence, implicating Serbian leadership in war crimes committed by Serbian irregulars, which he said came from satellite transmission intercepts. I believe from what I've read that the US gov't also had very reliable knowledge about the August attempted coup in Moscow.
No electronic communication is safe from prying eyes. Get used to it.

------------------------------

From: davelenef
Date: Wed, 29 Dec 93 18:18:58 EST
Subject: ISSA Conference Info

Attention information security professionals.

The Information Systems Security Association (ISSA) is holding its 11th Annual Conference and Trade Show March 13-17, 1994, at the Fairmont Hotel, San Francisco, Calif.

This info-security conference will feature 72 educational sessions divided among the following tracks: Network, Distributed and Client/Server, Management, Technical, Government/Legal, Audit, Awareness, and Business Continuity. Major security vendors will exhibit at the ISSA trade show. There will be a tour of Silicon Valley corporations. Addresses will be presented by Harry Saal (Network Data General -- the Super Digital Highway), James Settle (FBI -- computer crime investigation), and Gail Warshawsky (Lawrence Livermore -- computer security awareness).

For an advance program, registration information, and ISSA membership information, please contact ISSA Headquarters at 312/644-6610 x3410 (voice), or 312-321-6869 (fax). Mention where you saw this notice!

------------------------------

From: cristy@eplrx7.es.duPont.com (Cristy)
Date: Sun, 2 Jan 1994 15:50:45 GMT
Subject: Re: Privacy with Credit Card Transactions
Organization: DuPont Central Research & Development

In article Justin Fidler writes:

>There was an interesting article in the Washington Post on 26 December 1993 by Jane Bryant Quinn that discusses what information a consumer making a credit card purchase must provide. Excerpts below:

When I went to pay by VISA at Staples (a Pep Boys company) they said that they would not accept the card without a driver's license. I informed them that according to their merchants agreement with VISA that they could not require additional ID. The clerk stated it was company policy.
After a discussion with the manager and a few calls to corporate they agreed to accept my card without an ID. The total delay was about 15 minutes.

I followed up by calling the store manager the next day and wrote a letter to VISA and Staples. VISA's reply was that Staples could not require additional identification to use their card. They said that the Staples VISA account manager would investigate. I did not receive a reply from Staples so I sent another letter. This letter also went unanswered. I then wrote to the newspaper, "Helping Hand." They published my letter and shortly after I received a reply from Staples. They said that the policy of Staples is to ask for identification but a sale may not be refused if a customer does not show identification. I also received a $20 gift certificate.

In the next few weeks I am going to return to Staples and test their policy. I will post a follow-up in a week or two.

------------------------------

From: Sean Donelan
Date: Tue, 4 Jan 1994 1:03:30 -0600 (CST)
Subject: Re: Driver Protection Act
Organization: Data Research Associates, St. Louis MO

In article , geoff@ficus.CS.UCLA.EDU (Geoff Kuenning) writes:

> I'd be a *lot* happier with this bill if it prohibited selling lists entirely. Otherwise it's a toothless sham. Why does the DMV need to sell my name, anyway? I can't believe it's going to be making a significant amount of money. I doubt that mailing lists are worth a lot more than the per-name postage; even if we assume $1.00 per name, that wouldn't even pay for my fancy new ha-ha-forgery-proof license with the hologram and mag stripe.

State driver and motor vehicle records are the best sellers of any state information. According to the Houston Chronicle, the Texas Department of Public Safety made over $50 million last year.
Governing magazine reported Georgia increased their sales of driver and motor vehicle records by $16 million; more than paying for the improvements they made to their computer systems to support this increased access.

Why does a state sell copies of driver records?

- Driver records are "public records."
- The information is given voluntarily with no reasonable expectation of confidentiality.
- Driving is a public activity. Public accountability of drivers improves public safety.
- Open DMV records allow the public to verify fair and equal treatment of all drivers by the DMV.

I have several concerns.

- What controls can the state place on the users of "public records?"
- Is the state collecting the minimum amount of information and keeping it for the minimum amount of time required?
- Is the information only used for the purposes stated when it was collected?
- Does the state fully inform people what information is required or optional, how it will be used or shared, and what will happen if the information is not provided?
- Is the state using privacy as an excuse to keep its own operations secret?
- Is the state treating computerized records differently from paper records?

--
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Domain: sean@dra.com, Voice: (Work) +1 314-432-1100

------------------------------

End of Computer Privacy Digest V4 #013
******************************