Date: Tue, 01 Feb 94 09:06:33 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#025

Computer Privacy Digest Tue, 01 Feb 94 Volume 4 : Issue: 025

Today's Topics: Moderator: Leonard P. Levine

    WIRED Magazine Report
    SSN other concerns
    OHIO laws about SSN on checks
    Re: Buckley Act Outrage
    Re: Buckley Act Outrage
    Re: SSN on Payroll Checks
    Re: SSN on Payroll Checks
    Re: SSN on Payroll Checks
    Re: SSN on Payroll Checks
    Re: Data Encryption and Privacy
    SSN other concerns
    Re: SSN on Payroll Checks
    Open Clipper Petition

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Robert Jacobson
Date: Sat, 29 Jan 94 14:10:35 -0800
Subject: WIRED Magazine Report

WIRED Magazine recently carried an article on a new federal scheme to track _all_ financial transactions passing over any sort of telecom network. I suppose this means that all exchanges of money that can be electronically encoded and recorded, then transmitted, will be accessible to federal (and international?) security agencies.

Given that the most personal behavior is often indicated by financial transactions (using credit cards, etc., but cash also once it enters the electronic till), is this the single most invasive police scheme yet devised? Or was WIRED just being sensational?

More info, please!

------------------------------

From: fin@panix.com (David Finan)
Date: 29 Jan 1994 22:42:49 -0500
Subject: SSN other concerns
Organization: PANIX Public Access Internet and Unix, NYC

I have read a lot here on the SSN privacy issue. Here's an example.

I was called last week by the local blood bank (NY Blood Services) and told that there was a blood emergency. Well I'm a good citizen and B+ (see i'm not paranoid about some info), so I took time off from work, went down to donate and was given a form that asked for my stats (including my SSN). I filled out everything EXCEPT the SSN. Gave the form to the blood taker (phlem something...can't even pronounce it don't ask me to spell it). He checked it over (so THEY are doing their jobs) and said '...need your SSN' I said 'uh huh. why?' He stated that there is a new requirement from the Fed health folks (i can give dept names but this is being done on the fly) that ALL blood donors MUST provide the blood bank with the SSN or their blood won't be taken.

The reason I was given was public health. Apparently people are using the blood donation process to either a) test themselves for HIV or b) donating to poison the rest of us.

The fact that these people are doing their job is why I didn't make a stink to them. But I was _quickly_ passed from the vampire to his supervisor to the office manager and then given a name at the home office and she gave me the blood suckers head guy's name. Apparently I wasn't the first to balk at this requirement. (story about lawyer follows).

There was NEVER any mention made about the privacy act of 1974. The number was merely "required" to confirm identity, for "public health" reasons. The sad part of this is that I DO see their point and yet I won't donate any more. (I did donate about 4 pts a year previous). Implied guilt trip and all that.

What I don't understand is why, the Fed (Dept Health, something and Welfare) didn't inform the blood company of their obligation under the law to inform citizens of the privacy act in relation to the SSN and what uses it would be put to.

Lawyer story. The folks told me that there had been a lawyer who also balked at providing his ssn. He went away and later came back, unhappy, and said '...has to give the number.' "HAS TO"?!?! My employer encourages but does not require blood donation. But this is the story I was told. I thought that this was a voluntary thing for everyone.

I'm not sure who said that the SSN "ONLY" records A financial transaction between the individual and the gov't but you are wrong. Now it's medical records. So let's see ... financial records...medical records...what else is there? criminal records...genetic records?

--
The name of the game is know your enemy.

------------------------------

From: TOMPKINS@vm1.cc.uakron.edu (Frank Tompkins)
Date: Mon, 31 Jan 1994 21:05:22 GMT
Subject: OHIO laws about SSN on checks
Organization: The University of Akron

Can anyone direct me to any documents that define under what conditions an OHIO merchant can require you to provide your social security number before they will honor a check?

I recently tried to properly ID myself with driver's license (SSN blanked out), multiple bank and gas credit cards, check guarantee card (which guarantees the bank will honor the check if imprinted with the card as long as the signatures match) and even my diver's "C" card, but the merchant refused my check without a social security number. So I made one up. It was accepted verbally without checking my driver's license!!!

I'm in the process of writing the vendor a letter about this absurdity, and would like to quote OHIO laws, precedents, etc.

Thanks for any information!

- Frank

*************************************************************************
Frank Tompkins      : Internet: Tompkins@VM1.CC.UAKRON.EDU
Systems Programmer  : Bitnet: Tompkins@AKRONVM
University of Akron : Voice: (216) 972-7967
Akron, Ohio 44325-3501 : Fax: (216) 972-5238
"I have not failed, I've just found 10,000 ways that won't work" - Thomas Edison

------------------------------

From: "John M. Sulak"
Date: 30 Jan 1994 02:31:31 -0600
Subject: Re: Buckley Act Outrage
Organization: The Black Box (713) 480-2684

Chuck Weckesser <71233.677@CompuServe.COM> writes:

>Florida is a rather backward state in many respects and it in my opinion that the good old boys who run this state out of Tallahassee (which is truly like another state compared with where I live).<

>As many of you know, the Supreme Court, in Griswold v. Connecticut, established a "zone of privacy" that has been liberally construed.<

Florida's constitution, amended in the early 80s by the voters against the wishes and strong recommendations of the Republican and Democratic parties, contains an explicit right to privacy. Libertarians believed that the 9th and 10th Amendments of the US constitution were continually broken and could no longer be counted on as a guarantee of privacy.

------------------------------

From: "John M. Sulak"
Date: 1 Feb 1994 07:23:52 -0600
Subject: Re: Buckley Act Outrage
Organization: The Black Box (713) 480-2684

Chuck Weckesser <71233.677@CompuServe.COM> writes:

>Florida is a rather backward state in many respects and it in my opinion that the good old boys who run this state out of Tallahassee (which is truly like another state compared with where I live).<

>As many of you know, the Supreme Court, in Griswold v. Connecticut, established a "zone of privacy" that has been liberally construed.<

Florida's constitution, amended in the early 80s by the voters against the wishes and strong recommendations of the Republican and Democratic parties, contains an explicit right to privacy.
Libertarians believed that the 9th and 10th Amendments of the US constitution were continually broken and could no longer be counted on as a guarantee of privacy.

------------------------------

From: poivre@netcom.com (P. B. Hutson.)
Date: Sun, 30 Jan 1994 01:59:16 GMT
Subject: Re: SSN on Payroll Checks
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

John R Levine (johnl@iecc.com) wrote:

>The basic problem is that far too many organizations assume that anyone who presents your name and SSN must be you, making it easy to impersonate you for credit theft and other fraudulent purposes.<

This is very true. Think of the last time someone who needed your SSN required you to show them the card to prove it's really yours. The only people who want to see the cards are employers and gov't welfare agencies. When you apply for credit cards, open bank accounts, rent an apartment, get utilities, etc etc etc, they never ask to see the card so it's easy for the bad guys to impersonate you. I mean, for such an important number as the SSN is, you'd think people would be more careful with it. Instead, this all important number is so insecure, it's laughable. I'd like to get rid of the SSN completely but if society insists on using it, then i'd like to see more security features for the number and tamper-proof must-show cards.

--
poivre@netcom.com     : #include
lychees@marble.bu.edu : ^^^^^^^^^^^^^^^^^^^^^^^
ykliu@mailbox.syr.edu :
>>>>>>>>>>>>>>>>>>>>> On Since: November, 1991.<<<<<<<<<<<<<<<<<<<<<<<<<<<<

------------------------------

From: ua602@freenet.victoria.bc.ca (Kelly Bert Manning)
Date: Sat, 29 Jan 94 21:57:41 PST
Subject: Re: SSN on Payroll Checks

In a previous article, GOMBERG@UCSFVM.UCSF.EDU (Dave Gomberg) says:

>Right. I know dozens of places where I just call up, give them an ssn and they send me a check for 6 figures to my "just changed" new address.
Right.<

No, but they can easily open up a number of credit card accounts, checking accounts, and loans.

Sounds like you should check out the "weekly SSN request" thread in alt.privacy. One of the respondents to that thread describes the consequences of someone who found out her husband's SSN using it to impersonate him. Often the first the victim knows of it is when they get rejected for a loan and discover that the credit reporting bureau files show an out of state address and a huge portfolio of bad loans and cards they know nothing about.

Privacy Journal reported that the major credit bureaus automatically change the address in their files if they get more than one credit application report with a new address on it.

You seem to be missing the point that businesses and individuals have a common interest in wiping out this kind of fraud, which adds up to a lot of money every year. The person the SSN was assigned to has no obligation to any of the creditors. They are completely out on a limb with almost no hope of recovering the amounts.

------------------------------

From: palbert@netcom.com (Phil Albert)
Date: Sun, 30 Jan 1994 20:43:29 GMT
Subject: Re: SSN on Payroll Checks
Organization: Disorganized

Dave Gomberg writes:

>I feel the whole SSN thing reeks of paranoia. Accordingly I have retrieved the so-called explanation of why you should worry, and am responding to it from the point of view of someone who digs out info about you all the time.<

Well, Dave. Put up, or shut up. Post your SSN, or keep it secret. If you do the latter, you agree with the rest of us that your SSN is not something to willy-nilly disclose.

--
Phil Albert, full-time patent attorney and philosopher, part-time car thief
Voicenet: (415) 543-9600 bizcardnet: Townsend & Townsend
Internet: palbert@netcom.com or palbert@cco.caltech.edu
ICBMnet: 37 53 00 N, 122 17 30 W, Alt 760'

------------------------------

From: johnl@iecc.com (John R Levine)
Date: Sun, 30 Jan 94 18:12 EST
Subject: Re: SSN on Payroll Checks
Organization: I.E.C.C., Cambridge, Mass.

>>Unfortunately, far too many organizations assume that anyone who
>presents your SSN must be you.<
>
>This is bs. Pure and simple. What does it mean?????

Actually, it's true, even though it should be BS. What it means is that if I call up pretty much any business in the country and give them your name and your SSN, they will believe that I am you and will let me do anything I want in your name, e.g. set up credit accounts and bill stuff to them, transfer money out of your bank accounts, discuss your personal medical history, you name it.

Yes, in theory you're not responsible for such fraudulent transactions, but in practice the amount of effort required to persuade them that it wasn't in fact you and to back out the transactions is enormous.

Regards,
John Levine, johnl@iecc.com, jlevine@delphi.com, 1037498@mcimail.com

------------------------------

From: flb@flb.optiplan.fi (F.Baube[tm])
Date: Sat, 29 Jan 94 23:32:51 EET
Subject: Re: Data Encryption and Privacy

<0005066432@mcimail.com> States:

>Yes, your site administrator could capture your mail, or the other ends' could, or anyone in between could monitor packets. But with the huge amount of traffic going over the Internet every day (Netnews alone is reaching the 40 Meg a day point) that monitoring people's mail is relatively difficult except perhaps at the sender's computer or at the destination site.<

>And you might not ever know.
Someone smart enough to monitor would know enough about hardware and software and could probably hide what they are doing from most monitoring.<

In his book "The Puzzle Palace", about the National Security Agency (Fort Meade MD), Bamford suggests that the NSA can monitor all voice traffic into and out of the US. He further suggests that, with the assistance of allies like the UK doing surveillance *within* the US, the NSA may also (quite legally !) have access to some or all voice traffic _internal_ _to_ the US.

He also suggests that the NSA is consistently about five years ahead of the publicly-known "state of the art" in the relevant areas.

It does not require a great leap of imagination to extend this to the Internet. I would think it merely prudent, not paranoid, to assume that the NSA can and does 1) monitor all Internet traffic, perhaps even traffic _internal_to_ the US; and 2) archive it (what's 40 MB a day to people with acres of computers ?); and 3) possibly also analyze this traffic for interesting content by AI programs that are well in advance of the publicly-known "state of the art".

It's not a secret that the NSA does have vast resources at its disposal. And as in arms controls negotiations, prudence dictates that one act based on the other's capabilities, not intentions, however well-meaning they may be.

Note that I am _not_ suggesting that the NSA would necessarily _do_ anything with this information; I mean only to suggest that it's available, at their fingertips should a "need" arise. Further, hypothetical uses are left to the reader's imagination. :-)

--
Fred Baube(tm) GU/MSFS/88
baube@optiplan.fi
#include

------------------------------

From: Dave Gomberg
Date: Sun, 30 Jan 94 08:36:17 PST
Subject: SSN other concerns

>Your SSN is your key to your student records, your credit reports, phone records, driver's licence information, criminal history and other information.
With JUST your SSN, someone can obtain a credit rating using your existing credit rating.<

This is wrong. Dale, give me your year of birth, your current street address (don't even tell me the town) and a written request that I pull your credit record and I will, and for free. I don't need your ssn, but I will get it in the process. It will cost about $1.

What everyone on the other side of this debate seems to miss is that the info is too valuable to pass up. We need it to do business. If you are not willing to identify yourself, I wouldn't do business with you. It's that simple. Not on credit anyway.

Now I couldn't care less if the key is ssn (which it mostly isn't, despite all the suggestions on this list), or name and dob, or thumbprint digitized, or zodiacal chart (based on time of birth to the microsecond). I don't care about the key, I care about the info. Deprive me of the info and you are out of the game. Sayonara.

Dave Gomberg, role model for those who don't ask much in their fantasy lives.
GOMBERG@UCSFVM Internet node UCSFVM.UCSF.EDU fax-> (415)731-7797
For info on West Coast Live send email to West_Coast_Live-Request@netcom.com

------------------------------

From: ua602@freenet.victoria.bc.ca (Kelly Bert Manning)
Date: Mon, 31 Jan 94 01:11:00 PST
Subject: Re: SSN on Payroll Checks

GOMBERG@UCSFVM.UCSF.EDU (Dave Gomberg) says:

>Right. I know dozens of places where I just call up, give them an ssn and they send me a check for 6 figures to my "just changed" new address. Right.<

No, but they can easily open up a number of credit card accounts, checking accounts, and loans.

Sounds like you should check out the "weekly SSN request" thread in alt.privacy. One of the respondents to that thread describes the consequences of someone who found out her husband's SSN using it to impersonate him.
Often the first the victim knows of it is when they get rejected for a loan and discover that the credit reporting bureau files show an out of state address and a huge portfolio of bad loans and cards they know nothing about.

Privacy Journal reported that the major credit bureaus automatically change the address in their files if they get more than one credit application report with a new address on it.

You seem to be missing the point that businesses and individuals have a common interest in wiping out this kind of fraud, which adds up to a lot of money every year. The person the SSN was assigned to has no obligation to any of the creditors. They are completely out on a limb with almost no hope of recovering the amounts.

------------------------------

From: Dave Banisar
Date: Mon, 31 Jan 1994 17:12:59 EST
Subject: Open Clipper Petition
Organization: CPSR Washington Office

Electronic Petition to Oppose Clipper
Please Distribute Widely

This is an open petition drive with a listserv address so that anyone on the net can sign on to oppose the clipper proposal. We will deliver the petition to the president. As far as I know, it's the first time that anyone has done this (well the Lotus Marketplace campaign but that was somewhat different).

On January 24, many of the nation's leading experts in cryptography and computer security wrote President Clinton and asked him to withdraw the Clipper proposal.

The public response to the letter has been extremely favorable, including coverage in the New York Times and numerous computer and security trade magazines.

Many people have expressed interest in adding their names to the letter. In response to these requests, CPSR is organizing an Internet petition drive to oppose the Clipper proposal. We will deliver the signed petition to the White House, complete with the names of all the people who oppose Clipper.

To sign on to the letter, send a message to:

    Clipper.petition@cpsr.org

with the message "I oppose Clipper" (no quotes)

You will receive a return message confirming your vote.

Please distribute this announcement so that others may also express their opposition to the Clipper proposal.

CPSR is a membership-based public interest organization. For membership information, please email cpsr@cpsr.org. For more information about Clipper, please consult the CPSR Internet Library - FTP/WAIS/Gopher CPSR.ORG /cpsr/privacy/crypto/clipper

=====================================================================

The President
The White House
Washington, DC 20500

Dear Mr. President:

We are writing to you regarding the "Clipper" escrowed encryption proposal now under consideration by the White House. We wish to express our concern about this plan and similar technical standards that may be proposed for the nation's communications infrastructure.

The current proposal was developed in secret by federal agencies primarily concerned about electronic surveillance, not privacy protection. Critical aspects of the plan remain classified and thus beyond public review.

The private sector and the public have expressed nearly unanimous opposition to Clipper. In the formal request for comments conducted by the Department of Commerce last year, less than a handful of respondents supported the plan. Several hundred opposed it.

If the plan goes forward, commercial firms that hope to develop new products will face extensive government obstacles. Cryptographers who wish to develop new privacy enhancing technologies will be discouraged. Citizens who anticipate that the progress of technology will enhance personal privacy will find their expectations unfulfilled.

Some have proposed that Clipper be adopted on a voluntary basis and suggest that other technical approaches will remain viable.
The government, however, exerts enormous influence in the marketplace, and the likelihood that competing standards would survive is small. Few in the user community believe that the proposal would be truly voluntary.

The Clipper proposal should not be adopted. We believe that if this proposal and the associated standards go forward, even on a voluntary basis, privacy protection will be diminished, innovation will be slowed, government accountability will be lessened, and the openness necessary to ensure the successful development of the nation's communications infrastructure will be threatened.

We respectfully ask the White House to withdraw the Clipper proposal.

------------------------------

End of Computer Privacy Digest V4 #025
******************************