Date: Thu, 27 Jan 94 12:03:29 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#023

Computer Privacy Digest Thu, 27 Jan 94              Volume 4 : Issue: 023

Today's Topics:                 Moderator: Leonard P. Levine

    Re: SSN on Payroll Checks
    Re: SSN on Payroll Checks
    Public Hearings on Privacy in DC
    Proposed CPD post re Buckley Amendment
    US Senate FTP Site On Line
    Re: Crypto Experts Oppose Clipper Chip
    Re: Data Encryption and Privacy

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Dave Gomberg
Date: Mon, 24 Jan 94 20:54:42 PST
Subject: Re: SSN on Payroll Checks

I feel the whole SSN thing reeks of paranoia. Accordingly I have retrieved the so-called explanation of why you should worry, and am responding to it from the point of view of someone who digs out info about you all the time.

> Why you should resist requests for your SSN

>When you give out your number, you are providing access to information about yourself.<

No, you are giving out info about the Social Security system. Info about yourself is things like name, date of birth, mother's name, place of birth, etc. These have nothing to do with your ssn.

>You're providing access to information that you don't have the ability or the legal right to correct or rebut. You provide access to data that is irrelevant to most transactions but that will occasionally trigger prejudice.
Worst of all, since you provided the key, (and did so "voluntarily") all the info discovered under your number will be presumed to be true, about you, and relevant.<

Believe me cookie, we get the info with or without the ssn. When you conceal the ssn, you give me the message you are someone with something to hide. The heck with you. There are plenty of folks out there who will pay their bills.

>A major problem with the use of SSNs as identifiers is that it makes it hard to control access to personal information. Even assuming you want someone to be able to find out some things about you, there's no reason to believe that you want to make all records concerning yourself available.<

This point has a germ of truth. There is no way to say it is ok if this person has my bill payment history but they should not be given my bank balance. If you want that, you want more data, not less.

>When multiple record systems are all keyed by the same identifier, and all are intended to be easily accessible to some users, it becomes difficult to allow someone access to some of the information about a person while restricting them to specific topics.<

See above. But this points to more identifiers, one for each field. How many folks want a different id number for each of the possible things a potential creditor would legitimately want to know? And what borrower or creditor would want to deal with that mess. The heck with it. If you don't want to give me the info, do without the apartment.

>Unfortunately, far too many organizations assume that anyone who presents your SSN must be you.<

This is bs. Pure and simple. What does it mean?????

>When more than one person uses the same number, it clouds up the records. If someone intended to hide their activities, it's likely that it'll look bad on whichever record it shows up on. When it happens accidentally, it can be unexpected, embarrassing, or worse.
How do you prove that you weren't the one using your number when the record was made?<

As far as it goes, this is true. But you get far more trouble from incomplete, misleading records than you ever do from plain false ones. And you prove it wasn't you by saying so. Then the burden devolves on the company to prove it WAS YOU. My record is now clean (check it and see), but it took a while to achieve that.

If this list is about ssns, I quit. SSNs as an issue are garbage, for the lunatic fringe. They should meet the NRA.

Dave

Dave Gomberg, role model for those who don't ask much in their fantasy lives.
GOMBERG@UCSFVM   Internet node UCSFVM.UCSF.EDU   fax-> (415)731-7797
For info on West Coast Live send email to West_Coast_Live-Request@netcom.com

------------------------------

From: johnl@iecc.com (John R Levine)
Date: Tue, 25 Jan 94 17:26 EST
Subject: Re: SSN on Payroll Checks
Organization: I.E.C.C., Cambridge, Mass.

>Let me ask why I care if someone (or lots of folks) knows my SSN? Does it have anything to do with Social Security directly, or would the drawbacks apply to any powerful identifier? If any powerful identifier, why is it more important than my name and dob? Please advise.<

The basic problem is that far too many organizations assume that anyone who presents your name and SSN must be you, making it easy to impersonate you for credit theft and other fraudulent purposes.

Another, growing, problem is that keying records by SSN makes it possible to easily combine records from otherwise unrelated databases. This aids organizations that compile dossiers of personal information without your knowledge or consent. (Lest this sound paranoid, when's the last time TRW or Equifax asked your permission to compile a file full of credit card, banking, and employment information about you?)

Regards,
John Levine, johnl@iecc.com, jlevine@delphi.com, 1037498@mcimail.com

------------------------------

From: "Prof. L. P. Levine"
Date: Thu, 27 Jan 1994 11:10:54 -0600 (CST)
Subject: Public Hearings on Privacy in DC
Organization: University of Wisconsin-Milwaukee

The following is taken from the EFFector Online, issue 07.02, Jan. 25, 1993, A Publication of the Electronic Frontier Foundation, ISSN 1062-9424:

Public Hearings on Privacy in DC
--------------------------------

US OFFICE OF CONSUMER AFFAIRS
PUBLIC HEARINGS ON INFORMATION AGE PRIVACY

Washington, DC: January 26-27, 1994. Public Invited to Participate.

Representatives from the public, private and non-profit sectors will present their views on personal privacy and data protection in the information age at public hearings of a U.S. Government task force in early 1994.

The hearings will be open meetings of the Privacy Working Group, chaired by Patricia Faley, Acting Director of the United States Office of Consumer Affairs (USOCA). The Working Group is part of a task force set up by the Clinton Administration to consider how to spur development of an "information superhighway."

Officially known as the National Information Infrastructure (NII), the "data highway" will be capable of exchanging data, voice and images electronically within a vast network of individuals, businesses, government agencies and other organizations around the world. Ensuring ready access to information is the goal of the Administrative initiative, but protecting individual privacy is essential to its success.

The public meeting will examine privacy issues relating to such areas as law enforcement, financial services, information technology, and direct marketing.

The previous California meeting, January 10th and 11th, was hosted by Jim Conran (Director, California Department of Consumer Affairs) in Sacramento.

The Washington, DC meeting, January 26th and 27th, will be held at the U.S. Department of Commerce Auditorium, 14th & Constitution Ave. NW. Registration begins at 8:30am, meetings at 9am.
The public is invited to attend, question speakers and to make brief comments, but space is limited. Concise written statements for the record should be sent to "Privacy," USOCA, 1620 L Street NW, Washington DC 20036 or faxed to (202)634-4135.

United States Office of Consumer Affairs
1620 L Street NW
Washington, D.C. 20036-5605

Contact: George Idelson (USOCA) +1 202 634 4344
         Patricia Faley (USOCA) +1 202 634 4329

------------------------------

From: Haim Mendelson
Date: Mon, 24 Jan 1994 23:49:54 -0800 (PST)
Subject: Proposed CPD post re Buckley Amendment

Robert Ellis Smith's post identifies two FERPA loopholes. However, the coverage of FERPA is quite broad.

First, FERPA defines "education records" as "those records, files, documents, and other materials which (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution". The term "education records" does not include the "records of instructional, supervisory and administrative personnel and educational personnel ancillary thereto which are in the sole possession of the maker thereof and which are not accessible or revealed to any other person except a substitute". Thus, the "sole possession" exemption is lost when the possessor reveals the contents of the records in question to anybody other than a substitute. If the Professor indeed disclosed the content of the records to others, as stated by the student, it would be difficult for the institution to claim this exemption.

The second loophole is of a different nature: disclosure of information from education records without the student's written consent is allowed to "other school officials, including teachers within the educational institution or local educational agency, who have been determined by such agency or institution to have legitimate educational interests".
This does not allow disclosure to individuals who are not "school officials", and again the student's original post suggests that information from his records was disclosed to "outsiders"; if these individuals are not school officials (usually within the same institution), the exemption does not apply. Even with respect to school officials, disclosure is not automatically OK. The institution should have a written policy that, among other things, defines what constitutes "legitimate educational interest", though I suspect the policy will define it in very broad terms.

One aspect I would urge the student to consider is the toll of fighting the institution where he is studying. Unless he feels very strongly about it, he may be better off not fueling a vicious cycle of adversity, even if he was not the one who initiated it.

Haim Mendelson

------------------------------

From: "Prof. L. P. Levine"
Date: Thu, 27 Jan 1994 11:28:00 -0600 (CST)
Subject: US Senate FTP Site On Line
Organization: University of Wisconsin-Milwaukee

The following is taken from the EFFector Online, issue 07.02, Jan. 25, 1993, A Publication of the Electronic Frontier Foundation, ISSN 1062-9424:

Senate FTP Site Online
----------------------

A new FTP site has been put on line to hold the publicly available documents and press releases of our Senators. Chris Casey of the office of Sen. Edward Kennedy says "Some progress is being made here on the Hill. The Senate now has an anonymous ftp server running. It's sparsely populated, only Kennedy and Stevens have posted anything so far, but I imagine the rest will find their way shortly. At least it's a start. The fact that the Senate has an anonymous ftp server is not a secret, but I don't think it's widely known either."

You can access the server by FTPing to ftp.senate.gov, logging in as "anonymous" (without the quotes) and giving your email address as password.
The site's general information bulletin is as follows:

Welcome to the United States Senate's Anonymous FTP Server (ftp.senate.gov). This service is provided by the Office of the U.S. Senate Sergeant at Arms and the Senate Committee on Rules and Administration.

This server contains general information files about the United States Senate in the directory "general". Directories are also provided for specific Senators' offices, in alphabetical order by two-letter state abbreviations, and for Senate committees and other Senate offices. If an office is not included in the directory, this indicates no files have been posted by that office. No files can be uploaded to this system.

Please direct questions about a specific Senate office's use of this service to the Senate office in question. General inquiries not involving a specific Senate office can be directed via Internet e-mail to: ftpadmin@scc.senate.gov

Subdirectories for Senator's offices are structured as follows:

    /member/state_abbrev./senator's_name/releases/filename
or
    /member/state_abbrev./senator's_name/general/filename

The "releases" subdirectories contain press releases and related materials, and "general" subdirectories contain information of long-term interest such as office contacts.

As of Jan. 24, 1994, the site was not being used very extensively, but individual Senators' directories contained various informational files, such as the following:

Ted Stevens (AK):

member/ak/stevens/releases
-rw-r--r-- 1 1 1321 Jan 21 16:16 Childhood_Immunizations
-rw-r--r-- 1 1 828 Jan 21 16:16 Inman_Statement
-rw-r--r-- 1 1 3152 Jan 05 11:45 Ketchikan_Subcontractors
-rw-r--r-- 1 1 3488 Jan 21 16:16 Seafood_Inspection
-rw-r--r-- 1 1 1910 Jan 21 16:17 new_staff
-rw-r--r-- 1 1 1661 Jan 21 16:17 tongass_timber

Edward Kennedy (MA):

member/ma/kennedy/general
-rw-r--r-- 1 1 138842 Jan 13 13:49 S1150_Goals_2000
-rw-r--r-- 1 1 1011 Dec 13 15:04 on-line_access
-rw-r--r-- 1 1 133477 Dec 27 10:08 s1040.txt

member/ma/kennedy/releases
-rw-r--r-- 1 1 3591 Jan 14 15:23 Human_Radiation_Experimentation
-rw-r--r-- 1 1 1664 Jan 05 11:11 Statement_on_Firearms_Proposal
-rw-r--r-- 1 1 16188 Dec 15 14:19 major_accomplishment_93
-rw-r--r-- 1 1 14523 Jan 13 11:58 national_health_reform_debate
-rw-r--r-- 1 1 1298 Dec 15 14:18 worker_retraining_grant

Please express your interest in this first small step, and encourage your Senators to utilize this new Congressional Internet resource. Ask your Representatives to look into the possibility of a similar system for the House.

[Computer Privacy Digest Moderator's note: Rather than logging in with the userid 'anonymous', this system (and many systems like it) permits a login with the userid 'ftp'. This is a small difference, but it does not contain the (incorrect) presumption that no one knows who you are.]

------------------------------

From: news@cbnewsh.att.com
Date: Tue, 25 Jan 94 05:19:17 GMT
Subject: Re: Crypto Experts Oppose Clipper Chip
Organization: NCR, an AT&T Company, Pleasanton CA

[ Letter deleted ]

P.S. Renaming it "Tessara" isn't good enough ....
--
# Bill Stewart NCR Corp, 6870 Koll Center Pkwy, Pleasanton CA 94566
# Email: bill.stewart@pleasantonca.ncr.com billstewart@attmail.com
# Phone: 1-510-484-6204 Beeper: 1-510-224-7043
# ViaCrypt PGP Key IDs 384/C2AFCD 1024/9D6465

From: bcm!synercom.hounix.org!mattair@rice.edu (Charles Mattair)
Subject: Re: GTE and new Fed Compliance
Organization: Synercom Technology, Inc. Houston, TX, USA
Date: Tue, 25 Jan 1994 18:49:00 GMT

Keith Doyle wrote:

>Here's a curious note I just got from GTE:

>new federal regulations require GTE to provide the billing name and address of the customer if the telecommunications company handling the call requests that information.<

This isn't strictly true - they have always provided this information.

>If you wish to deny release of your billing name and address, completely fill in the circle labeled "deny" on the attached Authorization Form and return it to GTE in the enclosed envelope by February 18, 1994.<

>So what do you suppose prompted this? Is there a privacy issue going on here?<

This is the final [if anything is final WRT Federal regulations] round of a battle between the FCC and the phone companies.

I had a two month fight with Southwestern Bell regarding their policies about selling BNA [Billing Name and Address] to essentially anybody. My position was they could sell listing name and address - my phone is listed in a fake name with no published address - whereas theirs was they would sell BNA until otherwise prohibited. Three layers of SWB management and several phone calls to the PUC finally got me to the tariff section of the FCC. It developed the FCC had promulgated a rule to deny SWB's behaviour but it was stayed pending IXC/LEC comments.

The problem is exactly as GTE describes: if an IXC/LEC accepts a calling card call billable to a BNA blocked number, they have no way of billing or contacting the debtor other than thru the card's issuer.
From what I remember - the stay was issued almost a year ago - the FCC block on BNA delivery was unconditional. So it would appear we have a compromise. You get to choose.

I'm not sure but the rule may have also blocked any release of BNA other than for billing purposes, regardless of your choice.

Hazy $0.02 worth
--
Charles Mattair (temporarily - work) mattair@synercom.hounix.org
In a mature society, "civil servant" is semantically equivalent to "civil master." - Robert Heinlein, _The Notebooks of Lazarus Long_

------------------------------

From: close@lunch.asd.sgi.com (Diane Barlow Close)
Date: 25 Jan 1994 19:16:07 GMT
Subject: Re: Data Encryption and Privacy
Organization: Self employed, eh.

gene michael stover writes:

>I'll answer your last question first (and then amble into an answer for everything else): ``It is absolutely *IMPOSSIBLE* to penetrate a system using PGP, correct?''<

>*Not* correct.<

>There currently exist many algorithms for cryptanalysing (decrypting without the key) a PGP message, but they are very expensive to use on the average message. There's nothing to prevent me from putting one of these programs on a spare computer and feed it a PGP message and letting it go. In a few (or a few million ;-) years, I'd probably have the decryption.<

> [stuff deleted]<

>My guess is that PGP is fine. Same with the three systems you currently use. If the details of the commercial systems are kept secret by the manufacturer, I would suggest you drop them and use PGP because ``security through obscurity'' isn't [Kerckhoff's principle, improved by paraphrasing ;-].<

Interesting. In misc.consumers I raised some questions about an article originally posted in misc.invest.real-estate and everyone there was very gung-ho on PGP. Now someone also points out to me that PGP implements the RSA public-key encryption algorithm, and there is a patent on the use of RSA for digital communication, and that includes email.
Apparently, if you use PGP to encrypt or sign email which you then send to someone else, and you have not obtained a license for use of the patent from the patent holders, you are "infringing" the patent. So, before you use it, you should think seriously about the legal, ethical, and financial consequences of doing so.

That makes my questions about the following post even more pertinent. I have submitted the following to the privacy digest and also to RISKS because the issues cross both the risk and the privacy lines. I'm not trying to pick on Michael Bridgeman or his company; I think that his company is merely the starting point in a discussion about the risks and effects that becoming part of the information highway and using the Internet for personal or financial information raises.

Michael cancelled his original article before I could go back and retrieve a copy to include it in its entirety here (the RISKS of posting to the Internet, eh? :-). So what follows is about 3/4 of his original posting; only the contact info has been removed:

Michael Bridgeman writes:

>Infotech is an Information Provider and we have recently begun providing our services via the Internet. A partial list of some of our services include:<

>Individual Credit Reports * Business Credit Reports * Dun & Bradstreet
Pre-Tenant Background Check * SS# Locator Service * National Change of Addr
Difficult Phone Numbers * Nationwide Marriage, Divorce and Death Records
Criminal Records Search * Arrest & Convictions Records * Bank Acct Search
Real Property Search * Workers Comp Claims * Consumer Affairs Reports
Corporation Search * Tax Lien Search * Corp. Bankruptcy Search *
Business Name Search * DMV Records * Registered Voter Search * Nationwide Warrants<

> And MUCH MORE!<

>Most requests are turned around with 24-48 hrs (depending upon complexity and depth of report needed)
Reports can be delivered via Internet, US Mail,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Fax or Overnight. Infotech Adheres to the Fair Credit Reporting Act. Payment may be made via Visa, Mastercard or in advance of services.<

> All information is kept in the strictest confidence and PGP delivery is also available ... [rest deleted]<

I am now aware that PGP stands for a very good encryption mechanism, but I still feel that there are risks in using the Internet for delivery of such personal information. Although PGP is "available", nowhere in the post does it say that he is going to use it all the time for delivery of personal data. And what about the patent infringement risk issue, raised above?

I've been on the Internet for a long time (since '81) and I certainly will be the first to say that I don't follow every little nuance and new development, so it'll probably come as no surprise that *I* hadn't heard of PGP before. How many Internet newbie landlords are going to recognize that PGP means "world's greatest encryption scheme"? :-) Besides, unless PGP is the ONLY way the info is sent via the Internet, the data won't be safe, and then you have to worry about both parties possessing a PGP license. Otherwise, sending things via e-mail is just like posting them to a newsgroup as far as privacy goes.

Personally, my biggest concern wasn't so much the passage of personal data through the system, encrypted or not, but the ease of faking e-mail so that some unscrupulous person could easily give you a fake e-mail address and personal data of another person to retrieve a copy of *that other person's* credit report. I wonder what kind of safeguards they have in place to prevent this, or to make sure that those who contact them via e-mail really are who they say they are?

According to what I've read on misc.consumers and elsewhere, you can simply register with any of the credit reporting services as a landlord, and you don't even need an SSN# - just a name and address. $50 and a name and address. Scary, isn't it?
So what's to prevent "anyjoe" from getting anyone's credit data through the Internet, now? With security there's not just protection of data, there's authentication. The old "how do I know that you're who you say you are" question.

And, concern #3, if he has this data on his Internet site, how safe is it? How many security precautions has he taken on that site to protect the data? Unix machines on the Internet are notorious for having security holes that need to be plugged.

A lot of questions and so far no answers! :-) Comments anyone?

--
Diane Barlow Close
close@lunch.asd.sgi.com
I'm at lunch today. :-)

------------------------------

End of Computer Privacy Digest V4 #023
******************************