Date: Sat, 15 Jan 94 14:25:24 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#018

Computer Privacy Digest Sat, 15 Jan 94              Volume 4 : Issue: 018

Today's Topics:                         Moderator: Leonard P. Levine

    Form 1040
    FOIA and Copyright
    INMAC using mailing list derived from internet materials
    FBI Pushes for Enhanced Wiretap Capabilities
    Re: What happened to VA driver's license changes?
    Re: Autoland Credit Scam
    Re: SSN reqd by public schools; DL reqd with credit card
    CPSR Address
    re: California Drivers license
    GAO Data Matching Report

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: "Prof. L. P. Levine"
Date: Sat, 15 Jan 1994 10:50:57 -0600 (CST)
Subject: Form 1040
Organization: University of Wisconsin-Milwaukee

Those of you who pay US taxes might want to look at the front of the book that arrived a few days ago. There is a hole in the cover through which your name and address appears with NO Social Security Number showing. When you open the cover, there is a label to affix to your return that has the SSN. Last year the mailing label showed the SSN.

Is it possible that someone is actually listening?

By the way, Form 1 from the State of Wisconsin (the equivalent to 1040) has still got the old style exposed SSN.

Leonard P. Levine                    e-mail levine@cs.uwm.edu
Professor, Computer Science          Office 1-414-229-5170
University of Wisconsin-Milwaukee    Fax 1-414-229-6958
Box 784, Milwaukee, WI 53201

------------------------------

From: reed@interval.com (David P. Reed)
Date: Fri, 14 Jan 1994 09:54:28 -0500
Subject: FOIA and Copyright

The recent note by James Love of Nader's Taxpayer's Assets Project attempt to break West's control of the Juris database raises interesting issues related to the use of FOIA to allow one taxpayer to seize another's property. (Let me make it clear that I'm not commenting on the dispute about Juris, instead I'm extending the argument Love makes).

FOIA is apparently being used to request a free copy of the contents of West's Juris database from the gov't. Apparently the cost of purchasing it from West is considered a barrier, and FOIA is being used to get it cheaper. [The general issue of whether the gov't should make judicial opinions available through channels other than West is more complex, but the FOIA approach tries to bypass those issues]

Now suppose that I sell the government a copyrighted work (a book, play, computer program, whatever). If a citizen decides that the gov't cost to make a copy of that work is less than it costs to buy it in the commercial marketplace, he/she can bypass the commercial source, and ask the gov't to give it to them under the FOIA, since it is a taxpayer asset.

There is an exemption when it is in a library (obviously since the Lib of Congress gets copies of all books, this would be a problem). But where does it cross between a library and a taxpayer asset? If a gov't employee in the course of doing his job records a movie on HBO for later viewing under fair use (this is clearly not a library function), one might argue the FOIA gives an entrepreneur the right to request it for distribution to taxpayers free.

Looks like a new business opportunity, especially if you can get the FCC to do so on a regular basis.

------------------------------

From: paul@vix.com (Paul A Vixie)
Date: 14 Jan 94 20:18:10
Subject: INMAC using mailing list derived from internet materials
Organization: Vixie Enterprises

today i got three copies of the INMAC catalogue, sent to myself and two others at my address. the others do not live here, but one of them has an account on my internet-connected computer and posts a fair number of netnews articles. someone had to cross-reference "From:" field information against the NIC's "whois" domain database to get the particular combination of company name, street address, and user full name that was used on this mailing label.

i am outraged. i'm going to call "Ken Campbell", the VP+GM of north america, to try to find out where he bought this mailing list. i don't expect him to want to tell me, and since he has broken no laws there's not a lot i can sue him for. the best i realistically expect is to cause him to stop buying this particular mailing list in the interests of protecting inmac's public image.

my immediate goal is to find the company that sold inmac the list, and then ultimately trace it back to the people who created it, and then try to talk some sense into them.

my overall goal is to see to it that "commercializing the internet" does not translate to "bombarding people with electronic and physical junk mail since all of their name and address information is so easy to find." if we don't draw a line in the sand and vigorously enforce a non-junkmail culture, we will shortly see a time when "netfind" and other tools no longer operate because no one will give out any information about their users.

al gore's information superhighway, whose technology level will no doubt resemble the internet's in the same way that DOS resembles UNIX, is going to magnify whatever problems we have. i don't want this to be one of the problems we have.

help? how can i approach this issue?
--
Paul Vixie
Redwood City, CA
Also: , , decwrl!vixie!paul , , <{bind-workers,objectivism}-request@vix.com>

------------------------------

From: "Prof. L. P. Levine"
Date: Sat, 15 Jan 1994 10:18:36 -0600 (CST)
Subject: FBI Pushes for Enhanced Wiretap Capabilities
Organization: University of Wisconsin-Milwaukee

The following was taken from the CPSR Alert, issue 3.01, Thu, 13 Jan 1994 15:42:37 EST, Dave Banisar, CPSR Washington Office

In the past month, FBI officials have indicated publicly that they are continuing to push for enactment of legislation to mandate the building in of electronic surveillance capabilities into most telecommunications equipment. In addition, there are also reports that the Department of Justice is investigating the possibility of recommending changes in the law to allow for military personnel and equipment to be used by law enforcement for electronic surveillance of Asian speakers.

On December 8, FBI Director Louis Freeh spoke at the National Press Club where he stated:

    In order to keep up with the criminals and to protect our national security, the solution is clear. We need legislation to ensure that telephone companies and other carriers provide law enforcement with access to this new technology.

Communications Daily reported that the FBI and the telecommunications carriers have formed a working group to discuss the problem and that the companies might implement the capabilities voluntarily. This working group has met several times.

Scripps Howard News Service reported on December 5 that the Department of Justice is considering proposing new legislation to allow the military to assist with wiretaps of Asian suspects. Currently the military is prohibited by the 1878 Posse Comitatus Act, which prohibits the use of military personnel and resources in civilian law enforcement activities. It was amended in 1981 to allow for use of military personnel and equipment for advice and assistance in drug interdiction.

Freeh reportedly told Scripps Howard that "I think that if we had access to 50 or 100 qualified linguists in the Asian language[s] we could probably monitor by ten times our ability to do court-authorized surveillances of Asian organized crime groups."

Civil liberties groups are concerned about the military conducting domestic electronic surveillance, especially in light of the recent disclosures by CPSR of the National Security Agency's role in the development of the Digital Signature Standard and the Digital Telephony Proposal.

Sources inside the administration indicate that the long awaited inter-agency review of government encryption policy, including Clipper, the Digital Telephony Proposal and export control is due out by the end of January. The report is expected to be classified.

------------------------------

From: news@cbnewsh.att.com
Date: Fri, 14 Jan 94 02:43:10 GMT
Subject: Re: What happened to VA driver's license changes?
Organization: NCR, an AT&T Company, Pleasanton CA

"Bayardo Alvarez" writes:

> I live in Virginia and recently had my license renewed. Not only is the SSN still the DL number, but now it has a magnetic strip. I didn't have a chance to ask the attendant what is stored in that strip. Does someone have any information?

Sorry, officer, I don't know why my driver's license won't read. I keep it nice and safe in this magnetic badge holder along with my ID for the cyclotron lab! It did get bent once, but I ironed it, so it's nice and flat again. :-) :-)

Some state, maybe CA, has a magnetic strip on the back of their license that uses the standard credit-card industry mag-stripe formats. I don't know how much of the data was on it (I think the article was in comp.society.privacy or alt.privacy; maybe it's archived?), but I think it was basically the same information as on the front. I've heard they don't put anything there now.

# Bill Stewart NCR Corp, 6870 Koll Center Pkwy, Pleasanton CA 94566
# Email: bill.stewart@pleasantonca.ncr.com billstewart@attmail.com
# Phone: 1-510-484-6204 Beeper: 1-510-224-7043
# If people were required to *know* all the laws, and not just to obey them,
# the government would be overthrown tomorrow! (From a button by Nancy Lebovitz)

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: Fri, 14 Jan 94 07:55:32 EST
Subject: Re: Autoland Credit Scam

>From: news@cbnewsh.cb.att.com (NetNews Administrator)
bill.stewart@pleasantonca.ncr.com billstewart@attmail.com writes:

>More to the point, are you sure it isn't the street address of the
>local mail-box company? Most of them are perfectly happy to take mail
>with addresses like
> 123 Main St. #432
>and the post office will deliver them.

One of my daughters asked me if I would co-sign a car loan for her and when the salesman called me and asked for some very basic information, one of the questions was "can I have a credit card account number?"

I told him that I'd prefer not to give it due to the Autoland scam and that anyway, it would be made known during a credit check.

His reply: "Don't blame you, I'll leave it blank."

My daughter decided not to get the car due to the deal the salesman proposed so it was a moot issue (I hope).

Dave Niebuhr Internet: dwn@dwn.ccd.bnl.gov (preferred)
niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: Fri, 14 Jan 94 08:00:22 EST
Subject: Re: SSN reqd by public schools; DL reqd with credit card

>From: news@cbnewsh.cb.att.com (NetNews Administrator)
bill.stewart@pleasantonca.ncr.com billstewart@attmail.com

>Apparently, Visa allows them to ask for other id when the credit card isn't signed on the back.

Both MasterCard and Visa allow a merchant to check for identification if a credit card isn't signed.

One of the best ones that happened to me was a few years ago in a J. C. Penny's store on Long Island. I'd forgotten to sign my card and went to use it for paying for a purchase. The clerk checked the back, noticed that it was unsigned and asked me to sign it then and there which I did. She *never* asked for further proof of ID.

Dave Niebuhr Internet: dwn@dwn.ccd.bnl.gov (preferred)
niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093

------------------------------

From: kec@stubbs.ucop.edu
Date: Fri, 14 Jan 94 12:07:20 PST
Subject: CPSR Address
Organization: University of California, Berkeley

writes:

> I understand that there is a group Computer Professionals for Social Responsibility: i would also like to get in touch with them.

CPSR can be reached at cpsr@cpsr.org.

Karen Coyle
CPSR/Berkeley Chapter

------------------------------

From: reb@ingres.com (Phydeaux)
Date: Fri, 14 Jan 1994 13:57:55 -0800
Subject: re: California Drivers license

>They took my name, my address, my license number and my $10. They then took my picture and my fingerprints.

What legal right do they have to take copies of your fingerprints -- and for that matter, your photograph? What's next, cavity searches and drug screening? What happens if you refuse to submit to fingerprinting? It's supposed to be a license to drive a motor vehicle, not a centralized repository for personal information.

------------------------------

From: "Prof. L. P. Levine"
Date: Sat, 15 Jan 1994 10:15:09 -0600 (CST)
Subject: GAO Data Matching Report
Organization: University of Wisconsin-Milwaukee

The following was taken from the Computer underground Digest, Thu Jan 13 1994 Volume 6 Issue 06 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET).
The report was posted there by Dave Banisar.

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

ONE HUNDRED THIRD CONGRESS
CONGRESS OF THE UNITED STATES
HOUSE OF REPRESENTATIVES
COMMITTEE ON GOVERNMENT OPERATIONS
2157 RAYBURN HOUSE OFFICE BUILDING
WASHINGTON, DC 20515-8143

PRIVACY CONTROLS OVER COMPUTER MATCHING LARGELY IGNORED

Rep. Condit Releases New GAO Report

A new General Accounting Office (GAO) report found serious deficiencies in implementation of the 1988 Computer Matching and Privacy Protection Act. The report was released today by Rep. Gary A. Condit (D-CA), chairman of the Subcommittee on Information, Justice, Transportation, and Agriculture.

Computer matching is the identification of similarities or dissimilarities in data found in two or more computer files. Matching is frequently used to identify delinquent debtors or ineligible program recipients. Computer matching has been criticized as an invasion of privacy, and the Computer Matching and Privacy Protection Act was passed to regulate the use of computer matching by federal agencies.

In releasing the report, Rep. Condit said:

"Most federal agencies have done a lousy job of complying with the Computer Matching Act. Agencies ignore the law or interpret it to suit their own bureaucratic convenience, without regard for the privacy interests that the law was designed to protect.

"As a result, we don't have any idea when computer matching is a cost-effective technique for preventing fraud, waste, and abuse. I support reasonable computer matching that saves money. But if we are losing money, wasting resources, and invading privacy, then it makes no sense.

"A broader issue is whether agencies can be expected to police their own operations that affect the privacy of the average citizen. Certainly OMB has done little to assist. We may need a different approach to overseeing federal privacy-related activities."

GAO found numerous problems with the implementation of the Act's requirements.

o Cost-Benefit Analyses: The Act requires that matching programs include an analysis of the costs and benefits of the matching. One of the purposes of the Act was to limit the use of matching to instances where the technique was cost effective. GAO found many problems with implementation of this requirement, including poor quality or non-existent analyses. In 41% of cases, no attempt was made to estimate costs or benefits or both. In 59% of cases where costs and benefits were estimated, GAO found that not all reasonable costs and benefits were considered; that inadequate analyses were provided to support savings claims; and that no effort was made after the match to validate estimates.

o Data Integrity Boards: The Act requires agencies involved in matching activities to establish a Data Integrity Board to oversee the process. GAO found that the Boards were not providing full and earnest reviews of proposed matches. GAO did not find any instance in which a Board permanently cancelled an ongoing matching program or refused to approve a newly proposed one. GAO did not find evidence that the requirements of the matching act were used by the Boards to determine if a match should be approved.

GAO also found that the implementation of the new procedures does not appear to have had major effects on the most important review process, the decision to conduct the match.

GAO found that the Data Integrity Boards generally accepted agencies' and states' cost-benefit analyses despite their "severe methodological flaws and lack of documentation."
The documentation often failed to show how costs and benefits were calculated or the time period for expected savings. Agencies rarely estimated the most significant costs.

Overall, GAO found that the Data Integrity Boards provide less than a full and earnest review of matching agreements to determine whether to proceed with proposed matches, but rather a regularization of the approval process.

The report is titled Computer Matching: Quality of Decisions and Supporting Analyses Little Affected by 1988 Act. The report number is GAO/PEMD-94-2, and the date is October 18, 1993. Copies can be obtained [for free] from GAO by calling 202-512-6000.

------------------------------

End of Computer Privacy Digest V4 #018
******************************