Date: Sat, 29 Jan 94 11:39:48 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#024 Computer Privacy Digest Sat, 29 Jan 94 Volume 4 : Issue: 024 Today's Topics: Moderator: Leonard P. Levine Re: SF-171s and SSNs Telemarketing Data Ships Home Banking Re: SSN on Payroll Checks Re: SSN on Payroll Checks Re: SSN on Payroll Checks Re: SSN on Payroll Checks Re: SSN on Payroll Checks Re: Buckley Act Outrage Re: Data Encryption and Privacy Re: Data Encryption and Privacy The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: rfrank@kaiwan.com (Ronald E. Frank) Date: Thu, 27 Jan 1994 00:52:56 GMT Subject: Re: SF-171s and SSNs Organization: The Mushroom Factory I can't answer your question regarding who gets to see it; but anyone who has to withhold taxes presumably needs the SSAN. There should be a privacy act notice on the form itself which will tell you who gets to see it. I doubt if there's a PD program out there; I work in an office where everybody needs it. There's a $70 program which is copy protected to the SSAN of the original user (I object, and won't use it). There's a PD *template* for PerForm Pro, but you need a copy of PerForm. ------------------------------ From: news@cbnewsm.att.com Date: Thu, 27 Jan 94 19:31:03 GMT Subject: Telemarketing Organization: AT&T I read somewhere recently that there is a new law which requires that telemarketers provide the name and address of their telemarketing company, if asked; and that they remove people from their list of "customers" if asked by someone they have called at least twice. Can anyone tell me what that law is, and (if possible) supply the actual text of the law? -- Chris ------------------------------ From: matyas@scs.carleton.ca (Vaclav Matyas) Date: Thu, 27 Jan 94 17:01:28 EST Subject: Data Ships here's a question/article for the Privacy Digest : At a place I actually don't remember (cyberspace, magazine or just a discussion - who knows ?) I heard about (an uncertain) existence of 'data ships' used for providing/transfer of data, which would normally be under data-related laws in certain countries. Their expected locations in international/neutral = no one's zones excludes them from impact of any privacy or computer security related laws in particular countries or they also might use other legislative gaps for this purpose. I guess the information is then accessible through UHF/VHF transmission or maybe just by phone. I am particularly interested in cases related to Canadian/North American context, but would appreciate any information on this problem anywhere around the world. Of course, a summary (if any) will be posted later as well. ------------------------------ From: hw42709@vub.ac.be (Beerens Steven) Subject: Home Banking Date: 28 Jan 1994 14:04:21 GMT Organization: Brussels Free Universities (VUB/ULB), Belgium One of the new applications of banking is the home-banking system.This system enables you to make financial transactions at home instead of going to your local bank. You can do this by computer or by telephone. This way of banking is becoming more and more popular. I think that the aspect of privacy is here also very important because it concerns financial transactions. External interference (bugging,failure) is possible. So when I'm making a financial transaction by phone, it is technologically possible that somebody is listening. Maybe some of the members of this newsgroup have had (good or bad) experiences with banking by phone or computer. If you have,please let me know. -- Student Communicatiewetenschappen Vrije Universiteit Brussel ------------------------------ From: Dave Gomberg Date: Thu, 27 Jan 94 11:04:19 PST Subject: Re: SSN on Payroll Checks On Thu, 27 Jan 94 12:03:29 EST Levine says: >The basic problem is that far too many organizations assume that anyone who presents your name and SSN must be you, making it easy to impersonate you for credit theft and other fraudulent purposes.< Right. I know dozens of places where I just call up, give them an ssn and they send me a check for 6 figures to my "just changed" new address. Right. If you REALLY want to be concerned about fraud, consider I put in a change of address for you so you have no idea what is going on. >Another, growing, problem is that keying records by SSN makes it possible to easily combine records from otherwise unrelated databases. This aids organizations that compile dossiers of personal information< More bs. What prevents coordination of data by Name, dob, place of birth? If you can't find someone to code that for you, I can. Dave Gomberg, role model for those who don't ask much in their fantasy lives. GOMBERG@UCSFVM Internet node UCSFVM.UCSF.EDU fax-> (415)731-7797 For info on West Coast Live send email to West_Coast_Live-Request@netcom.com ------------------------------ From: Dave Gomberg Date: Thu, 27 Jan 94 11:13:40 PST Subject: Re: SSN on Payroll Checks Someone commented on landlords and credit checks, implying that they cost $50. Far from it. If you have a legitimate business with a need to check credit, and you agree to post your credit experience as well, the cost drops down below $1 per inquiry for TRW. Dave Gomberg, role model for those who don't ask much in their fantasy lives. GOMBERG@UCSFVM Internet node UCSFVM.UCSF.EDU fax-> (415)731-7797 For info on West Coast Live send email to West_Coast_Live-Request@netcom.com ------------------------------ From: "Dick Murtagh (8-465-4916)" Date: Thu, 27 Jan 94 12:58:55 PST Subject: Re: SSN on Payroll Checks In-Reply-To: Dave Gomberg >I feel the whole SSN thing reeks of paranoia.< It doesn't matter why I want to maintain my privacy, it is my right. Noone would say a paranoid forfeits his freedom of speach because what he says is nonsense. I want to maintain my privacy, that is enough. That said, I'm going to defend my position anyway. The SSN has become the de facto (and, in some cases, de jure) national identification number. Most government and all credit bureau databases use SSN as a primary key. Even if the SSA and TRW were the only entities using SSN that would be one too many. TRW requires only a name and SSN to produce a report that gives all a person's account numbers. If you don't beleive me, post your SSN and I'll post you credit report. ------------------------------ From: ddrew@Tymnet.COM (Dale Drew) Date: Thu, 27 Jan 94 14:24:17 PST Subject: Re: SSN on Payroll Checks I'd like to throw my $.02 in on the SSN issue: Everyone seems to be missing one very important point: The fact that the Social Security Number's purpose is to record financial transactions between you and the Federal Government. That is all. In 1973, a US Department of Heath, Education and Welfare task force compiled a report regarding the dangers of a national numerical identifier, which led to a provision in the 1973 Privacy Act. This provision prohibited government agencies from collecting a SSN from anyone unless the agency could point to a law ALREADY on the books in 1974. Certain government agencies have been excluded (welfare, dmv, etc) Private businesses can still demand your SSN, with no apparent legal recourse for the individual. Providing a SSN blindly can have devistating effects. Your SSN is your key to your student records, your credit reports, phone records, driver's licence information, criminal history and other information. With JUST your SSN, someone can obtain a credit rating using your existing credit rating. Even some banks are using the SSN as an individuals account number, which can have obvious problems. Legitimate information databases can locate an individual by providing just a SSN, or a phone number. The cost of the service ranges from $5 to $100, and is available to ANYONE. I guard my personal information very closely. Not only because I have the right to do so, but because my profession demands it. I have fallen victim to many times because of a piece of what I thought was "innocent" personal information fell into the hands of those people who knew how to use it. ========================================================================= Dale Drew BT North America, Inc. Manager Global Network Security Busniess Information Security Voice: (408) 922-6526 Internet: ddrew@druid.Tymnet.COM Fax : (408) 922-8870 Dialcom: net.security ------------------------------ From: Chuck Weckesser <71233.677@CompuServe.COM> Date: 28 Jan 94 06:40:30 EST Subject: Re: SSN on Payroll Checks I must take strong exception with Dave who claims that concern over official abuse, misuse or even indifference to SSN's is a red-herring issue of little utility. Wrong! Even if I accept your arguments, which I do not, you neglect the fact that we must be ever-vigilant as SSN requests and the like have a habit of snowballing into dangerous slippery-slopes that lead God only knows where. And I am a human being, NOT a number!!! I have a right to be left alone provided that I leave other people alone. That's it in a nutshell Dave. I respect you as a person and your right to post your views (and in fact, would rather die than live in state where I am a number and not a person with my own unique thoughts, feelings and experiences which define me and which no one can ever rob me of or duplicate). You are by no means an exception. Citizen complacency has reached pandemic proportions. Let me give you a far-fetched idea: Just suppose - as ludicrous as it sounds - that the federal government decides to impose a "sexual activity tax" and to collect this tax on the basis of your SSN. Under those circumstances, would you be less reluctant to give out your SSN? Privacy invasions are always small to begin with - they are designed that way! Privacy invasion is designed to increase at a geometric rate until the majority of people say "it's not worth my time to fight city hall." That's fine. That's your decision to make. But first, the people must have the facts about privacy invasion and the ramifications thereof *and then* decide. 'Nuff said. ------------------------------ From: Chuck Weckesser <71233.677@CompuServe.COM> Date: 28 Jan 94 05:48:21 EST Subject: Re: Buckley Act Outrage I am may be involved, rather against my choice, in litigation with a University that I shall not name. At any rate, I have a comment or two that I would like to share with the rest of you. To put it bluntly, the Computer Privacy Digest has directly assisted me in my battle with this University. For example, I learned here on CPD that it is unlawful for a state University (which, by the way, receives large federal aide) to ask for a student's social security number on something as simple as a routine registration *NOTWITHSTANDING* a Privacy Act Notice. I learned that and far more here and I am grateful. As a result of my persistence, the General Counsel of the University is involved and in my state, one can get their holds on virtually any information, such as a faculty member's personnel file, by simply asking for it. The name of the law, which should be a model across the nation, is simply called the "Sunshine Act." Florida is a rather backward state in many respects and it in my opinion that the good old boys who run this state out of Tallahassee (which is truly like another state compared with where I live). When I mentioned the mandatory Privacy Act Notice (I was *not* asserting that the University could not ask for the information, but that a Privacy Act notice explaining if the SSN request was mandatory or not, how the information would be used, and you guy's know the routine) he is quite angry, I assure you. The fact is, no one here (except the lawyer's of course who should have told the administration to begin with) has any notion of Buckley Act privacy and the Privacy Act, to give just two examples. I had one gomer tell me, "well, we can find out things like how much football player's at school here weighs. . . " I then explained that certain, very limited exemptions cover that sort of information and a directory is allowed, *but* a student can opt out of that as well. In short, this is the best list, by far, that I subscribe to on the net. It is chockful of very interesting information - and oddly, not at all esoteric - that I did not previously know. I'm sure that the government prefers stupid and apathetic citizens who, among other things, don't vote than to deal with intelligent citizens who abide by the law and make sure they do too. One of my favorite pastimes is to pepper the Justice Department and other agencies with FOIA requests. When I receive a statement saying that it will cost such and such, I just say, fine, just send me the first 50 pages (unless it's something I really want). The point is that I have learned these things here on the Computer Privacy Digest (except FOIA), and far more than I can list. As many of you know, the Supreme Court, in Griswold v. Connecticut, established a "zone of privacy" that has been liberally construed. Use it or lose it! Warm Regards ------------------------------ From: cme@ellisun.sw.stratus.com (Carl Ellison) Date: 28 Jan 1994 21:48:01 GMT Subject: Re: Data Encryption and Privacy Organization: Stratus Computer, Marlboro MA close@lunch.asd.sgi.com (Diane Barlow Close) writes: >Besides, unless PGP is the ONLY way the info is sent via the Internet, the data won't be safe, and then you have to worry about both parties possessing a PGP license. Otherwise, sending things via e-mail is just like posting them to a newsgroup as far as privacy goes.< I think you have it backwards. The more different encryption algorithms in use, the better the security of the data. (It takes effort to develop an attack against any one algorithm.) re. PGP vs. RSA's patent You can buy ViaCrypt PGP (602) 944-0773 { I'm not related to them } you can also use RIPEM -- free and licensed for non-commercial use see alt.security.pgp and alt.security.ripem -- - <> - Carl Ellison cme@sw.stratus.com - Stratus Computer Inc. M3-2-BKW TEL: (508)460-2783 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298 FAX: (508)624-7488 ------------------------------ From: "Tansin A. Darcos & Company" <0005066432@mcimail.com> Date: Sat, 29 Jan 94 08:04 EST Subject: Re: Data Encryption and Privacy In a message from Diane Barlow Close , > gene michael stover writes: >>My guess is that PGP is fine. Same with the three systems you currently use. If the details of the commercial systems are kept secret by the manufacturer, I would suggest you drop them and use PGP because ``security through obscurity'' isn't [Kerckhoff's principle, improved by paraphrasing ;-].<< >Interesting. In misc.consumers I raised some questions about an article originally posted in misc.invest.real-estate and everyone there was very gung-ho on PGP. Now someone also points out to me that PGP implements the RSA public-key encryption algorithm, and there is a patent on the use of RSA for digital communication, and that includes email. Apparently, if you use PGP to encrypt or sign email which you then send to someone else, and you have not obtained a license for use of the patent from the patent holders, you are "infringing" the patent. So, before you use it, you should think seriously about the legal, ethical, and financial consequences of doing so.< >I am now aware that PGP stands for a very good encryption mechanism, but I still feel that there are risks in using the Internet for delivery of such personal information. Although PGP is "available", nowhere in the post does it say that he is going to use it all the time for delivery of personal data. And what about the patent infringement risk issue, raised above?< Late last year, the owners of the 5 patents dealing with RSA encryption (PKP Partners, Inc.) made a special arrangement with the National Institutes of Science and Technology that in exchange for a trade of certain encryption inventions developed by NIST to them, they would make the following provisions: - Individuals using RSA encryption (which would include the methods used in PGP) may do so *royalty free* and *without having to obtain a license*; - Organizations which verify certificates (used for authenticating the identity of someone) would pay $1 per year, per certificate during the first 3 years - Organizations selling software using RSA may do so on a sliding scale from 1 to 5% of the selling price depending on certain conditions; - Government agencies may use any of the patents royalty free. This whole issue was squeaked about many months back when there was a question about whether the government should be giving technology which was developed at taxpayers' expense to a private company, and whether it might have been cheaper to simply use eminent domain and have the government purchase those patents directly. So in answer to your comment, it is *no longer* infringing to use PGP to encrypt messages from an individual. >I've been on the Internet for a long time (since '81) and I certainly will be the first to say that I don't follow every little nuance and new development, so it'll probably come as no surprise that *I* hadn't heard of PGP before. How many Internet newbie landlords are going to recognize that PGP means "worlds greatest encryption scheme"? :-)< PGP uses RSA which is probably the most secure method of encryption. Almost as secure, but much faster, is a method called "Triple DES" in which someone encrypts data using the DES encryption method three times. Supposedly this is only a little less secure than RSA and is much faster. >Besides, unless PGP is the ONLY way the info is sent via the Internet, the data won't be safe, and then you have to worry about both parties possessing a PGP license. Otherwise, sending things via e-mail is just like posting them to a newsgroup as far as privacy goes.< Not true. The vast majority of E-Mail is one hop delivery, e.g. your computer's mailer, which on Unix systems is called a "sendmail daemon" will use the Internet to call up port 25 on the recipient's computer and send mail to them via SMTP. Their sendmail daemon should then deposit the message in their mailbox. Do you know how much data goes across the Internet? Terabytes a month. While watching individual packets is possible, it would be difficult since you can't always be certain you are getting everything being sent. While the method is not absolutely secure, it's not really much more public than, say, a microwave transmission in the clear; if you are in the area you could pick it up, but unless you are in the channel, you can't. Unless you have access to one of the computers along the route, you can't access the message at all. Newsgroups generally flood fill everything to transmit them to everyone. Mail is done via single port connections with as few routing hops as possible. Yes, your site administrator could capture your mail, or the other ends' could, or anyone in between could monitor packets. But with the huge amount of traffic going over the Internet every day (Netnews alone is reaching the 40 Meg a day point) that monitoring people's mail is relatively difficult except perhaps at the sender's computer or at the destination site. And you might not ever know. Someone smart enough to monitor would know enough about hardware and software and could probably hide what they are doing from most monitoring. What encryption does give you is twofold: first is absolute privacy so even if the message is going to a shared mailbox, only the person who knows your public key read it; second, since only one key will unlock a protected message , and since that unlock key is a direct component of the key used to lock the message against tampering, it provides authentication of the sender and nondeniability, as well as tamper checks which may detect changes. ------------------------------ End of Computer Privacy Digest V4 #024 ****************************** .