Date: Mon, 24 Jan 94 20:24:54 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#022

Computer Privacy Digest Mon, 24 Jan 94              Volume 4 : Issue: 022

Today's Topics:                        Moderator: Leonard P. Levine

    Private Info / Credit Reports over the net
    SF-171s and SSNs
    INMAC and lists for sale
    Oceania & Privacy
    Crypto Experts Oppose Clipper Chip
    Re: Buckley Act Outrage
    Re: Buckley Act Outrage
    Re: Buckley Act Outrage
    Re: Is PGP Really Uncrackable
    Re: GTE and new Fed Compliance
    Re: SSN on Payroll Checks
    Re: SSN on Payroll Checks

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: ar826@yfn.ysu.edu (Hansel E. Lee Jr.)
Date: 22 Jan 1994 02:14:40 GMT
Subject: Private Info / Credit Reports over the net
Organization: Youngstown State/Youngstown Free-Net

I found the following posted on alt.internet.services. I definitely don't like the idea of this type of information flowing freely through the net.. Any comments on legality or ethics? Is this appropriate?

-----Forwarded Message Follows-------

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                  Infotech Information Technologies
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Infotech is an Information Provider and we have recently begun providing our services via the Internet.
A partial list of some of our services include:

Individual Credit Reports * Business Credit Reports * Dun & Bradstreet
Pre-Tenant Background Check * SS# Locator Service * National Change of Addr
Difficult Phone Numbers * Nationwide Marriage, Divorce and Death Records
Criminal Records Search * Arrest & Convictions Records * Bank Acct Search
Real Property Search * Workers Comp Claims * Consumer Affairs Reports
Corporation Search * Tax Lien Search * Corp. Bankruptcy Search * Business Name Search
DMV Records * Registered Voter Search * Nationwide Warrants
And MUCH MORE!

Most requests are turned around within 24-48 hrs (depending upon complexity and depth of report needed). Reports can be delivered via Internet, US Mail, Fax or Overnight.

Infotech Adheres to the Fair Credit Reporting Act.

Payment may be made via Visa, Mastercard or in advance of services.

All information is kept in the strictest confidence and PGP delivery is also available.

If you have questions or would like more information contact us at infotech@fx.net

--
Hansel E. Lee Jr.
hansel@freenet.fsu.edu
Standard Disclaimers Apply
PGP Public Key on Request

------------------------------

From: daf1@cec1.wustl.edu (Danyel A Fisher)
Subject: SF-171s and SSNs
Date: 22 Jan 1994 23:07:24 GMT
Organization: Washington University, St. Louis MO

I'm filling out SF-171s the next few weeks: I'm applying for summer jobs. The things want SSNs, of course.

Where is the 171 distributed? Who sees it? What databases get a look at it? Besides the federal job registry, of course, and the specific point of employment ....

Any privacy problems here? (Or am I just looking too hard for a conspiracy?)

(While we're at it, BTW, anyone have public-domain SF-171-generating programs? :) )

--
Danyel Fisher    | YOUR  | "I think you should always laugh in
212 Beaumont     |  AD   | bed -- people always laugh at me when
5-1849; Box 3142 | HERE! | I'm in bed."
Boy George
------------------------------------------------------------------------
| "Do not try to live forever. You won't succeed."        -G.B.Shaw   |
------------------------------------------------------------------------

------------------------------

From: mike@camphq.fidonet.org (Mike Bray)
Date: Sun, 23 Jan 94 01:17:26 EDT
Subject: INMAC and lists for sale

Recently Paul Vixie posted a note about INMAC...

>today i got three copies of the INMAC catalogue, sent to myself and two others at my address. the others do not live here, but one of them has an account on my internet-connected computer and posts a fair number of netnews articles.<

Are you sitting down? Get this... from the November 22nd issue of DM News, page 41...

PC Operator List Names Electronic Bulletin Users

BETHEL, CT -- The new Electronic Bulletin Board Posters/Usenet file is available from . The selects include 100,000 users at business address, a 35,000-name monthly hotline and 35,000 users at home address.

These PC operators post messages on electronic bulletin boards via the Usenet public-access system. Faculty and students at colleges/universities, employees in private industry and personnel in government and the military communicate via Usenet, submitting messages "with interest 'newsgroups' on a range of subjects."

The list was compiled by Electronic Data Mining. Contact your list broker or .

>someone had to cross-reference "From:" field information against the NIC's "whois" domain database to get the particular combination of company name, street address, and user full name that was used on this mailing label.<

Some one? Nah... some program. :)

>I am outraged. i'm going to call "Ken Campbell", the VP+GM of north america, to try to find out where he bought this mailing list.<

You can call him if you like, and he may even tell you if you ask nicely. But from that article from DM News, we know at least one place that does this... Electronic Data Mining.

>I don't expect him to want to tell me, and since he has broken no laws there's not a lot i can sue him for.<

You'd be surprised at the results you can achieve if you speak nicely to folks. And don't threaten him because then you'll get nowhere.

>the best i realistically expect is to cause him to stop buying this particular mailing list in the interests of protecting inmac's public image.<

I don't expect you'll convince him to stop buying [that] mailing list[s]. Just give INMAC a call and ask to have all those names put into their internal suppression file. Also, send copies of each mailing label to the DMA and get them into their suppression file as well.

>my immediate goal is to find the company that sold inmac the list, and then ultimately trace it back to the people who created it, and then try to talk some sense into them.<

Good luck! I doubt you'll be able to convince them to stop doing what they're doing, but maybe you can get them to add you to their suppression file too. ...or get them to create one if they don't already have one.

>help? how can i approach this issue?<

When you call these folks, just be nice. You may just happen to speak to the right person, and they might just tell you everything you want to know.

--
Mike Bray
mike@camphq.fidonet.org (or) ...!apple!camphq!mike

------------------------------

From: Oceania@world.std.com (Eric S Klien)
Subject: Oceania & Privacy
Date: Sun, 23 Jan 1994 23:40:00 GMT
Organization: The World Public Access UNIX, Brookline, MA

"D.The Right to Encryption: An Oceanian has the Right to encrypt eir conversations and data. Such encryption cannot be used as evidence that the Oceanian is doing something wrong or illegal. This Right extends to all forms of information an Oceanian deems should be secure regardless of format, whether paper, electronic, holographic or other, and regardless of content. An Oceanian has the Right to use any encryption algorithms or computer software available.
The Government may not restrict free trade in encryption software by calling it "munitions"."

Did this info interest you? Then it is time that you learned about the new country Oceania, the sea-city in the Caribbean. To receive more information by e-mail, send your e-mail address to oceania@world.std.com.

------------------------------

From: Dave Banisar
Date: Mon, 24 Jan 1994 17:59:34 EST
Subject: Crypto Experts Oppose Clipper Chip
Organization: CPSR Washington Office

Crypto Experts Oppose Clipper

More than three dozen of the nation's leading cryptographers, computer security specialists and privacy experts today urged President Clinton to abandon the controversial Clipper encryption proposal. The letter was coordinated by Computer Professionals for Social Responsibility (CPSR), which has long sought to open the issue of cryptography policy to public debate.

The group cited the secrecy surrounding the proposal, widespread public opposition to the plan and privacy concerns as reasons why the initiative should not go forward.

The letter comes at a crucial point in the debate on cryptography policy. An internal Administration review of the issue is nearing completion and the National Security Agency (NSA) is moving forward with efforts to deploy Clipper technology in civilian agencies, including the Internal Revenue Service.

CPSR has sponsored several public conferences on cryptography and privacy and has litigated Freedom of Information Act cases seeking the disclosure of relevant government documents. In one pending FOIA case, CPSR is challenging the secrecy of the Skipjack algorithm which underlies the Clipper proposal.

For additional information, contact Dave Banisar, CPSR Washington, DC, (202) 544-9240, .

=================================================================

January 24, 1994

The President
The White House
Washington, DC 20500

Dear Mr.
President,

We are writing to you regarding the "Clipper" escrowed encryption proposal now under consideration by the White House. We wish to express our concern about this plan and similar technical standards that may be proposed for the nation's communications infrastructure.

The current proposal was developed in secret by federal agencies primarily concerned about electronic surveillance, not privacy protection. Critical aspects of the plan remain classified and thus beyond public review.

The private sector and the public have expressed nearly unanimous opposition to Clipper. In the formal request for comments conducted by the Department of Commerce last year, less than a handful of respondents supported the plan. Several hundred opposed it.

If the plan goes forward, commercial firms that hope to develop new products will face extensive government obstacles. Cryptographers who wish to develop new privacy enhancing technologies will be discouraged. Citizens who anticipate that the progress of technology will enhance personal privacy will find their expectations unfulfilled.

Some have proposed that Clipper be adopted on a voluntary basis and suggest that other technical approaches will remain viable. The government, however, exerts enormous influence in the marketplace, and the likelihood that competing standards would survive is small. Few in the user community believe that the proposal would be truly voluntary.

The Clipper proposal should not be adopted. We believe that if this proposal and the associated standards go forward, even on a voluntary basis, privacy protection will be diminished, innovation will be slowed, government accountability will be lessened, and the openness necessary to ensure the successful development of the nation's communications infrastructure will be threatened.

We respectfully ask the White House to withdraw the Clipper proposal.

Sincerely,

Public Interest and Civil Liberties Organizations

    Marc Rotenberg, CPSR
    Conrad Martin, Fund for Constitutional Government
    William Caming, privacy consultant
    Simon Davies, Privacy International
    Evan Hendricks, US Privacy Council
    Simona Nass, Society for Electronic Access
    Robert Ellis Smith, Privacy Journal
    Jerry Berman, Electronic Frontier Foundation

Cryptographers and Security Experts

    Bob Bales, National Computer Security Association
    Jim Bidzos, RSA Data Security Inc.
    G. Robert Blakley, Texas A&M University
    Stephen Bryen, Secured Communications Technologies, Inc.
    David Chaum, Digicash
    George Davida, University of Wisconsin
    Whitfield Diffie, Sun Microsystems
    Martin Hellman, Stanford University
    Ingemar Ingemarsson, Universitetet i Linköping
    Ralph C. Merkle, Xerox PARC
    William Hugh Murray, security consultant
    Peter G. Neumann, SRI International
    Bart Preneel, Katolieke Universiteit
    Ronald Rivest, MIT
    Bruce Schneier, Applied Cryptography (1993)
    Richard Schroeppel, University of Arizona
    Stephen Walker, Trusted Information Systems
    Philip Zimmermann, Boulder Software Engineering

Industry and Academia

    Andrew Scott Beals, Telebit International
    Mikki Barry, InterCon Systems Corporation
    David Bellin, North Carolina A&T University
    Margaret Chon, Syracuse University College of Law
    Laura Fillmore, Online BookStore
    Scott Fritchie, Twin-Cities Free Net
    Gary Marx, University of Colorado
    Ronald B. Natalie, Jr, Sensor Systems Inc.
    Harold Joseph Highland, Computers & Security
    Doug Humphrey, Digital Express Group, Inc
    Carl Pomerance, University of Georgia
    Eric Roberts, Stanford University
    Jonathan Rosenoer, CyberLaw & CyberLex
    Alexis Rosen, Public Access Networks Corp.
    Steven Zorn, Pace University Law School

(affiliations are for identification purposes only)

------------------------------

From: atkinson@itd.nrl.navy.mil (Ran Atkinson)
Date: Sat, 22 Jan 1994 03:07:13 GMT
Subject: Re: Buckley Act Outrage
Organization: Naval Research Laboratory, DC

"Prof. L. P.
Levine" writes:

>Can violations of the Buckley Act and dissemination of information in student files be punished on a criminal basis? If so, who/where does one complain?<

A friend I knew whilst in grad school once claimed that he'd successfully gotten his high school to conform to the Buckley Amendment by contacting the US Department of Education, Office of Civil Rights in Washington, DC and presenting the facts to them. The DoE apparently told the school to either comply with the law or lose _all_ access to federal funds. The school reportedly then complied.

I would guess that the ACLU might be willing to help.

------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: Fri, 21 Jan 94 22:37 EST
Subject: Re: Buckley Act Outrage

The anonymous university student who complained of a disclosure of personal information by a professor may not get much help from federal law -- the Buckley amendment. It's not clear that records IN THE SOLE POSSESSION OF A FACULTY OR STAFF PERSON are protected by the law. The student may be able to sue for invasion of privacy if the information is sensitive enough and the reason for disclosure was not compelling. The remedy under the Buckley Amendment is withholding of federal funds to the university -- an unlikely event, although there is a private right of action for an aggrieved individual IF the records held by the professor fit the definition of education records in the law. On the other hand, if these were educational records as defined by the law, the law doesn't prohibit disclosure of the information to other faculty or staff within the institution who "have a legitimate educational interest" as defined by the institution.

BTW, how does one get access to Domain Name Service, or some other directory of Internet addresses? It was mentioned in the Digest January 18.

Robert Ellis Smith, Privacy Journal

------------------------------

From: Haim Mendelson
Date: Sun, 23 Jan 1994 15:52:56 -0800 (PST)
Subject: Re: Buckley Act Outrage

I am a University Professor, not an attorney, but here is my understanding of what the student can do.

Violating FERPA is not a crime. It may be grounds for administrative procedures against a knowing violator, but I don't think this is a useful way to proceed. It is the School's responsibility to follow FERPA. Once a violation had occurred, the student has three ways to proceed:

1. File a complaint with the US Department of Education. The Department may theoretically stop all Federal support to the School, but in practice they will simply have the School correct its procedures if they investigate and find that a violation had occurred.

2. File a grievance with the School (virtually all Schools have grievance procedures, and FERPA violations would typically fall within their scope).

3. Initiate civil litigation that may result in the award of damages and attorneys fees to the student.

Typically, 1 and 2 must precede 3 (this is called "exhaustion of all administrative remedies"), and 3 is costly and highly uncertain, so let me focus on 1 and 2.

First, 1 and 2 are not mutually exclusive, and it may well be that the School will take 2 more seriously if 1 had been filed, since the School theoretically risks the loss of future Federal support. The School would certainly know that this risk is minimal, however.

To file with the US Education Department, the student has to write a complaint alleging specific violations of FERPA, including all dates, details, names and any supporting documentation, to:

    Family Education Compliance Office
    US Dept. of Education
    400 Maryland Avenue
    Washington, DC 20202

The student can only benefit by calling them first and discussing the case and filing procedures with them. The US Education Department's general number is 1-800-572-5580.
They will not provide the student any legal assistance, but they may be helpful.

With respect to 2, the student should check the School's grievance procedures and follow them. An alternative may be sending a letter to the Chancellor/President including the complaint filed with the Education Department and a cover letter saying that this is an official grievance filed pursuant to the Campus grievance procedure and he is asking the School to investigate.

If the student was damaged in a measurable way, he should consult an attorney, since whatever he writes in the grievance will have an impact on any future litigation.

Finally, the student should assume that there is an adversarial relationship between himself and the institution, its attorneys, its administrators etc. and not accept their "advice" at face value.

Good luck.

Haim Mendelson
Stanford University

------------------------------

From: Chuck Weckesser <71233.677@compuserve.com>
Date: 24 Jan 94 10:23:36 EST
Subject: Re: Is PGP Really Uncrackable

With regard to PGP, I would like to ask if anyone is familiar with a line of security products made by a firm called Kent Marsh, Ltd. I have purchased all of their security programs but based on what I have read on the privacy digest, I would have been better off not spending any of the hundreds of dollars that I did for these programs and stuck with PGP - for free no less - in lieu of the other.

Anyone who has Kent Marsh products and knows how they work is invited to comment.

------------------------------

From: johnl@iecc.com (John R Levine)
Date: Fri, 21 Jan 94 23:48 EST
Subject: Re: GTE and new Fed Compliance
Organization: I.E.C.C., Cambridge, Mass.

>Here's a curious note I just got from GTE: [note says that if you use your calling card, your billing name and address may be provided to the company handling the call, but you can tell GTE not to release it at the cost of most carriers not accepting the card]<

I got a similar note from New England Tel, oops NYNEX, except that it just said that if I didn't want the info released, call up and they'll be happy to cancel my calling card.

This is probably related to the 1992 telephone privacy law. I'll dig up the LOCIS description and see what it says.

John Levine, johnl@iecc.com, jlevine@delphi.com, 1037498@mcimail.com

------------------------------

From: Dave Gomberg
Date: Fri, 21 Jan 94 22:46:47 PST
Subject: Re: SSN on Payroll Checks

Let me ask why I care if someone (or lots of folks) knows my SSN? Does it have anything to do with Social Security directly, or would the drawbacks apply to any powerful identifier? If any powerful identifier, why is it more important than my name and dob? Please advise.

Dave Gomberg, role model for those who don't ask much in their fantasy lives.
GOMBERG@UCSFVM Internet node UCSFVM.UCSF.EDU fax-> (415)731-7797
For info on West Coast Live send email to West_Coast_Live-Request@netcom.com

[moderator: Copies of the Social Security Number FAQ can be downloaded by the following procedure. Come in and browse]

    ftp ftp.cs.uwm.edu            (on your system)
    ftp                           (answer to login request)
    your_userid@your_site         (answer to password request)
    cd pub/comp-privacy/library   (at ftp prompt)
    dir                           (look at what is there)
    get ssn-privacy               (move document to your filespace)
    quit                          (back to your system)

In addition to the "library" subdirectory there are four subdirectories named "volume1" - "volume4" that you are free to examine and copy from.

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: Sat, 22 Jan 94 10:29:37 EST
Subject: Re: SSN on Payroll Checks

In Computer Privacy Digest Volume 4 : Issue: 021 joew@resumix.portal.com (Joe Wisniewski x8421) writes:

>My employer went to a new payroll system, ADT. Got our first check today. Guess what was on it. Yup, ss#.<

>1. Is this a requirement of ADT, if anyone out there knows?
2. Is there any legal prohibition against this? (Company is in California, I am in Arizona).
3. Has anyone else ever heard of this with their employers?<

My wife's employer used ADT (in NY) and the SSN was on the pay stub, not the check itself; however, it wouldn't surprise me at all considering that the SSA doesn't give a damn about the uses of the SSN.

Dave Niebuhr
Internet: dwn@dwn.ccd.bnl.gov (preferred) niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory
Upton, NY 11973
(516)-282-3093

------------------------------

End of Computer Privacy Digest V4 #022
******************************