Date: Thu, 03 Feb 94 10:33:51 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#026 Computer Privacy Digest Thu, 03 Feb 94 Volume 4 : Issue: 026 Today's Topics: Moderator: Leonard P. Levine Networks and Democracy Electronic Cross-Checking Re: SSN other concerns Re: SSN on Payroll Checks Re: SSN other concerns RE: OHIO laws about SSN on checks RE: OHIO laws about SSN on checks Re: OHIO laws about SSN on checks Re: OHIO laws about SSN on checks Re: SSN on Payroll Checks Re: SSN other concerns Re: SSN other concerns Re: WIRED Magazine Report SSN End of String The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: dan@iguwnext.tuwien.ac.at (Dan Temmer) Date: 2 Feb 1994 09:22:59 GMT Subject: Networks and Democracy Organization: Technical University Vienna, Austria The enlargement of international Computernetworks and the impact on democracy I would like to demonstrate the influence of the fluently growing international computer networks, especially internet, on democracy. Following a short introduction on the history of computernetworks, i am going to show, how direct democracy is being supported by networks. Later on, i would like to insist on the danger of combining networks and databases regarding the aspects of privacy, cross-matching, media-concentration and information elites. A short history of Computernetworks Computer Networks appeared in the 60 s and where a creation of the military. Under the supervision of the Advanced research Project Agency, Arpanet, wich still exists, was born. In the 70 s, a decentral network based on Unix machines was developped by universitys and private users: UUCP (Unix to Unix copy). Dataexchange occured with modem s and telephone lines (today: glas-fibre cables). Because of the fact, that UUCP was only designed for e-mail exchange, 2 american universitys developped a computer net, wich was able to publish news like on a blacb-board: the system was called usenet. Internet itself is based on a conglomeration of local networks using the same protocol (TCP/IP). Direct democraty is supported by Networks Direct democracy differs from representative democracy as following: everyone has the possibility to vote for a certain subject, not only the representatives of the people, but there can be a logistic problem regarding the fact that there will not be enough space for everyone to assist a vote. Representative democracys do not have this problem, because there is only a certain number of representatives, but do they always represent the interests of their voters? How do networks support direct democracy? It happens by to ways: First, there is the possibility of electronic votes, wich resolves the space problem (the precondition is that everyone who has the right to vote must have an acces to the network). Then, voters also have a better acces to governement data and information about governement activities (this concerns also representative democracy). Electronic voting is already made possible: IBM developped a program called Consensor, NIPO (on of the three biggest oppinion polling institutes of the netherlands) gets already his data online from people they gave to computers and modems. Finally, "Electronic Governement" became an well known slogan: it stays for a access to governement data of the white house like the budget, laws , congressional directories or other statistical data like census of population and housing, etc... How democracy is endangered by networks The age of surveillance has finally broken in. Privacy is endangered by the following facts: 1- computer matching is the easyest and most rapidly growing form of surveillance made possible through telecommunication links (between databases). In the U.S., comparision, via social security numbers (SSN), of two lists of persons resident in separare organisations can produce a "hit" when the SSN appears on both lists (example: bank account and application for public assistance) or when a person does not appear where he is expected (example: draft registration list) 2- Every action (especially voting) wich happens on the net can be surveilled by governement or by private or commercial institutions. This stands in opposition to the privacy of post. 3- The surveillance is extensive and depersonalized automatic and self initiated: when an individual logs on to a terminal on the network, uses an automatic teller machine when punching in his personal identification number or uses a gate in a parking lot by paying with his credit card, he has initiated without his knowledge a process wich changes his data history (a kind of automatic, remote sensoring) Information elites and media concentrations The idea of public acces to information by networks is to reduce the social gap. in fact, the contrary can be produced. Only 13% of all Americans posess a PC, and of them only 10% posess a modem: the technology itself is an obstacle to information, wich can only passed by education. The industry has find out for a long time that Communication becomes more and more the market for the future. The war has already broken out between the giant telecommunication firms on who will dominate the market and who will eat whom. Therefore, giant takeovers and conglomeration happen in this industrial sector, creating only a few institutions who have the acces to most of the information and the control of it via the networks Literature "Domesticating Cyberspace" by Gary Stix, Scientific American, August 1993 Fridolin N. 71, Oktober 1993 "Democracy and new technology" by Iain McLean (University of Oxford) Computerworld n. 37, September 1993 "Information Privacy and the Crisis of Control" by Oscar H. Grandy, Jr. Dan Temmer, University of technology of Vienna (Austria) e-mail: dan@iguwnext.tuwien.ac.at ------------------------------ From: erwin@trwacs.fp.trw.com (Harry Erwin) Date: 2 Feb 1994 13:54:25 GMT Subject: Electronic Cross-Checking Organization: TRW Systems Integration Division The IRS is getting into cross-checking of 1099s. The found a financial institution that was filing 1099s for me that I hadn't heard from in five years. I had assumed they had gone bankrupt when I stopped getting letters from them... Apparently they hadn't. Now I have to get an up-to-date address for them... Cheers, -- Harry Erwin Internet: herwin@gmu.edu or erwin@trwacs.fp.trw.com Working on Katchalsky networks.... ------------------------------ From: Dave Gomberg Date: Tue, 01 Feb 94 09:07:11 PST Subject: Re: SSN other concerns You know, I joined this list because I thought it might have something to do with privacy. I have now concluded it is the home of paranoid rantings about ssns. If someone wants to steal from you or make up credit records about you, it is trivial for them to do it with or without your ssn. Getting the ssn for a name, or the name for an ssn is so easy that it is foolish to think you are "protecting" something. All you are doing is singling yourself out as someone who will be trouble to deal with. You self-identify as a potential problem. Are you sure that is what you want to do? [Note to ed: please remove me from this list. Thanks. Dave] Dave Gomberg, role model for those who don't ask much in their fantasy lives. GOMBERG@UCSFVM Internet node UCSFVM.UCSF.EDU fax-> (415)731-7797 For info on West Coast Live send email to West_Coast_Live-Request@netcom.com ------------------------------ From: rerodd@eos.ncsu.edu (Richard Roda) Date: Tue, 1 Feb 1994 17:35:52 GMT Subject: Re: SSN on Payroll Checks Organization: North Carolina State University, Project Eos ua602@freenet.victoria.bc.ca (Kelly Bert Manning) writes: >Privacy Journal reported that the major credit bureaus autmatically change the address in their files if they get more than one credit application report with a new address on it.< >You seem to be missing the point that businesses and individuals have a common interest in wiping out this kind of fraud, which adds up to a lot of money every year. The person the SSN was assigned to has no obligation to any of the creditors. They are completely out on a limb with almost no hope of recovering the amounts.< I am not a lawyer, but sometimes I play one on the Internet :-). Isn't it true that if the credit report is not true and you are able to prove it is not true that you could sue for liable or commercial slander? -- PGP & RIPEM Public keys by finger | rerodd@eos.ncsu.edu (Richard E. Roda) Disclaimer-------------------------------------------------------------- | The opinions expressed above are those of a green alien who spoke to | | me in a vision. They do not necessarily represent the views of NCSU | | or any other person, dead or alive, or of any entity on Earth. | ------------------------------------------------------------------------ Disclaimer? There are too many lawyers around. Q: Why do rats not infest the houses of lawyers? A: Professional courtesy. ------------------------------ From: tenney@netcom.com (Glenn S. Tenney) Date: Tue, 1 Feb 1994 13:42:24 -0800 Subject: Re: SSN other concerns At 9:06 AM 2/1/94 -0500,Dave Gomberg wrote: >This is wrong. Dale, give me your year of birth, your current street address (don't even tell me the town) and a written request that I pull your credit record and I will, and for free. I don't need your ssn, but I will get it in the process. It will cost about $1.< >What everyone on the other side of this debate seems to miss is that the info is too valuable to pass up. We need it to do business. If you are not willing to identify yourself, I wouldn't do business with you. It's that simple. Not on credit anyway.< Since you know that you can pull up a credit report without the SSN, then it's clear that you DON'T need the SSN for your business needs. It doesn't help at all. As it happens, I have seen my credit reports and they don't have my SSN on them because I don't authorize it to be disclosed. In some cases, the company has made up a number (I have no idea where they got it from) but its not mine. The point is that the credit agencies don't need the SSN (as you've noted), shouldn't give it out, and shouldn't even have "you" ask for it. That would go a long way in helping -- it's been pointed out that nearly all financial institutions will provide all information and will process almost any account change over the phone with just a name and SSN. >... I don't care about the key, I care about the info. Deprive me of the info and you are out of the game. Sayonara.< With a name and address (not even dob) you can pull up a credit report, so no one is remotely suggesting that you be deprived of info. --- Glenn Tenney tenney@netcom.com Amateur radio: AA6ER (415) 574-3420 Fax: (415) 574-0546 ------------------------------ From: Robert Ellis Smith <0005101719@mcimail.com> Date: Tue, 1 Feb 94 13:27 EST Subject: RE: OHIO laws about SSN on checks Frank Tompkins on Jan 31 asked about an Ohio law limiting merchants from gathering personal information on personal checks. The law, 1349.17, actually applies to credit-card sales. As in other states, merchants may not record SSNs or phone numbers of credit-card slips. Cal. Ga. Iowa, Kansas, Md., Mn, Nev., NY Va. and other states have similar laws affecting CHECKS. This information comes from Compilation of State and Federal Privacy Laws, a reference book available for $29 -- with a 20 percent discount for Digest readers -- from PRIVACY JOURNAL, PO Box 28577, Providence RI 02908, 401/274 7861, e-mail: rsmith, mcimail 510 1719. ------------------------------ From: Vincent Broerman <0005461808@mcimail.com> Date: Tue, 1 Feb 94 18:09 EST Subject: RE: OHIO laws about SSN on checks This message is directed to Frank Tompkins: Frank...I too ran into problems with a merchant in Ohio regarding ssn and accepting checks. The merchant's response was....they are doing me a favor by making it convienent to write a check. If I don't want to give them a ssn I can pay cash, however, they will not accept a check w/o a ssn.......If you can find any more information regarding this, I will be very interested in reading it. ------------------------------ From: poivre@netcom.com (poivre) Date: Wed, 2 Feb 1994 01:27:28 GMT Subject: Re: OHIO laws about SSN on checks Organization: NETCOM On-line Communication Services (408 241-9760 guest) Frank Tompkins (TOMPKINS@vm1.cc.uakron.edu) wrote: >So I made one up. It was accepted verbally without checking my drivers license!!!< Well, i hope you used one of the null numbers (see SSN FAQ to check which ones) on your check instead of someone elses. -- . . . . . . . . . . . . . . . . . . . . . . . . . . poivre@netcom.com : #include lychees@marble.bu.edu : ^^^^^^^^^^^^^^^^^^^^^^^ ykliu@mailbox.syr.edu : . . . . . . . . . . . . . . . . . . . . . . . . . . >>>>>>>>>>>>>>>>>>>>> On Since: November, 1991.<<<<<<<<<<<<<<<<<<<<<<<<<<<< . . . . . . . . . . . . . . . . . . . . . . . . . . ------------------------------ From: Zaf Date: Wed, 2 Feb 1994 00:48:49 -0500 (EST) Subject: Re: OHIO laws about SSN on checks Since we are on the subject of SSN, I was wondering if you had to show your SSN to a potential landlord before leasing a room in that landlords house. Does anyone know? If so...why? Any input would be much appreciated. ------------------------------ From: tcj@netcom.com (Todd Jonz) Date: Wed, 2 Feb 1994 10:50:41 GMT Subject: Re: SSN on Payroll Checks Organization: Sanity Cruise Enterprises, Ltd. Joe Wisniewski x8421 (joew@resumix.portal.com) writes: >My employer went to a new payroll system, ADT. Got our first check today. Guess what was on it. Yup, ss#.< GOMBERG@UCSFVM.UCSF.EDU (Dave Gomberg) at Computer Privacy Digest replies: >Let me ask why I care if someone (or lots of folks) knows my SSN? < With an account number and the last four digits of the account holder's SSN, Bank of America provides an automated telphone account inquiry service via which you can get detailed information about his account balance, recent deposit amounts, cleared check number and amounts, etc. Joe's pay stub or direct deposit notification contains all of the information required to make the telephone robot spill its guts. Until very recently, this information also appeared on BofA's ATM receipts as well. I wonder if one can request that this "service" *not* be provided for a specified account? ------------------------------ From: ran@cbebl1.att.com Date: Wed, 2 Feb 94 08:37:35 EST Subject: Re: SSN other concerns Organization: AT&T fin@panix.com (David Finan) writes: >What I don't understand is why, the Fed (Dept Health, somthing and Welfare) didn't inform the blood company of their obligation under the law to inform citizens of the privacy act in relation to the SSN and what uses it would be put to.< >Lawyer story. The folks told me that therer had been a lawyer who also balked at providing his SSN. He went away and later came back, unhappy, and said '...has to give the number.' "HAS TOO"?!?! My employer encourages but does not require blood donation. But this is the story I was told. I thought that this was a voluntary thing for everyone.< A while back I actually looked up in the library a whole slew of federal laws regarding the SSN and the Privacy Act of 1974. What follows below is what I found out. It'll take a while to get back to the blood issue, but for those who cannot wait, the upshot is that Congress has authorized the use of the SSN for blood donations. So, now onwards to seeing how we got there. If you'd like your own copies of the laws I mention here, I'll tell you where to look in your library to find them. [Note: I am not a lawyer, and what I present here is just stuff I picked up looking in the library over the past week; the legal beagles may want to add to/correct it if necessary.] The first thing to know is that there are two places to look for US laws in the library. The first is "U. S. Code". This is codified law, and has citations like 5 USC 552a, which is read as "Title 5 of the U. S. Code, Section 552a". The other place to look is in "Statutes at Large". These are what Congress actually passes. Citations look like Pub. L. 93-579, 88 Stat. 1897, which means "Public Law number 93-579 (93 means passed by the 93rd Congress), and may be found in Volume 88 of Statutes at Large, page 1897". What is relevant to us is that Public Laws often say things like "Title 5, United States Code, is amended by adding after section 552 the following new section: Section 552a . . .". But Public Laws also add new law that is not necessarily included in U.S. Code. So, how does that apply the Privacy Act and SSn authorization? First of all, the Privacy Act of 1974 is another name for Pub. L. 93-579 (thus, the citation in the SSN FAQ [which says that the Privacy Act is 5 USC 552a] is incorrect), The Privacy Act created the existance of the U. S. Code Section 5 USC 552a. 5 USC 552a only puts privacy restrictions on Federal Agencies (not State or Local). However, 5 USC 552a is NOT the Privacy Act of 1974, since the Privacy Act, after establishing 5 USC 552a in Section 3, also goes on to do other things, one of which, in Section 7, addresses State and Local government: Sec. 7. (a) (1) It shall be unlawful for any Federal, State or local government agency to deny any individual any right, benefit, or privilege provided by law because of such individual's refusal to dis- close his social security account number. (2) the provisions of paragraph (1) of this subsection shall not apply with respect to-- (A) any disclosure which is required by Federal statute, or (B) the disclosure of a social security number to any Federal, State, or local agency maintaining a system of records in exist- ence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual. (b) Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is soli- cited, and what uses will be made of it. So, this section is NOT part of the U. S. Code, but is just hanging out there as a "Public Law". The SSN FAQ also mentions that the Tax Reform Act of 1976 gave authority to state or local tax, welfare, driver's license, or motor vehicle registration authorities to use the number in order to establish identities. This is Pub. L. 94-455, Title XII, Section 1211(b), 90 Stat. 1711, and it modifies 42 USC 405 (codification of the Social Security Act) in the manner mentioned above. However (and the SSN FAQ does not mention this), Pub. L. 100-485, Title I, Section 125, 102 Stat. 2353, goes on to modify 42 USC 405 even further, and says that each state MUST require parents to supply their SSNs as part of getting birth certificates for new children (for possible child support). There have also been other changes that I haven't tracked, (gotten further citations on) but 42 USC 405(c)(2)(C) now has the following requirements on SSNs: 1. the states may use SSNs for tax, welfare, driver's license or motor vehicle registration identification. 2. each state MUST require parents to supply their SSNs as part of getting birth certificates for new children (for possible child support). 3. stores accepting food stamps must give Dept. of Agriculture the SSN of the owner of the store. 4. users of federal crop insurance must give their SSNs to the Federal Crop Insurance Corporation. 5. SSNs disclosed as above are confidential and shall not be disclosed to unauthorized people. A reference is made to the Internal Revenue Code as to penalties. However, I'm still trying to puzzle this one out. It seems to apply only to laws passed after 1990, which means points 2-4 above. Point 1, passed in 1988, seems not to be covered, and that leaves a hole big enough to drive a semi through. Now, on to the blood bit. It seems that Pub. L. 100-647, Title VIII, Section 8008(a)(1), 102 Stat. 3783 further modified 42 USC 405 (the Social Security Act codification) to add the following section [42 USC 405(c)(2)(D)]: (D) (i) It is the policy of the United States that-- (I) any State (or any political subdivision of a State) and any authorized blood donation facility may utilize the social security account numbers issued by the Secretary for the purpose of identifying blood doners, and (II) any State (or any political subdivision of a State) may require any individual who donates blood within such State (or political subdivision) to furnish to such State (or political subdivision), to any agency thereof having related administrative responsibility, or to any authorized blood donation facility the social security number (or numbers, if the donor has more than one such number) issued to the donor by the Secretary. (ii) If and to the extent that any provision of Federal Law enacted before November 10, 1988, is inconsistent with the policy set forth in clause (i), such provision shall, on and after November 10, 1988, be null, void, and of no effect. (iii) For the purposes of this subparagraph-- (I) the term ``authorized blood donation facility'' means an entity described in section 1320b-11(h)(1)(B) of this title, and (II) the term ``State'' includes the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, the Commonwealth of the Northern Marianas, and the Trust Territory of the Pacific Islands. So there you have it (creep, creep, creep). -- ". . . and shun the frumious Bandersnatch." Robert Neinast (ran@cbebl1.att.com) AT&T-Bell Labs ------------------------------ From: mike@upolu.upolu.gsfc.nasa.gov (Mike Jones) Date: 2 Feb 94 18:17:46 GMT Subject: Re: SSN other concerns Organization: NASA Goddard Space Flight Center -- InterNetNews site fin@panix.com (David Finan) writes: >have read alot here on the SSN privacy issue. Here's an example [... tried to donate blood ...] there is a new requirement from the Fed health folks (i can give dept names but this is being done on the fly) that ALL blood doners MUST provide the blood bank with the SSN or their blood won't be taken.< I donated blood today, at a US gov't facility. They did ask for my SS number (about 4 times) but when I told them no they still took my blood. I suspect they where making it up as they went along. ------------------------------ From: bernie@fantasyfarm.com (Bernie Cosell) Date: Wed, 2 Feb 1994 17:09:29 GMT Subject: Re: WIRED Magazine Report Organization: Fantasy Farm, Pearisburg, VA Robert Jacobson writes: >WIRED Magazine recently carried an article on a new federal scheme to track _all_ financial transaction passing over any sort of telecom network. I suppose this means that all exchanges of money that can be electronically encoded and recorded, then transmitted, will be accessible to federal (and international?) security agencies.< As a practical matter, I have always assumed that that was the case *anyway*. I know that the various institutions have to journal and archive every transaction, and I think it would be naive to assume that they would be somehow held 'secret' against a group of prosecutors armed with warrants. Granted this kind of automation of it would make it _easier_, but this just highlights a common problem that shows up on this newsgroup: the financial/personal analog of "security by obscurity". The ostrich-like idea that because something _seems_ tricky to you [e.g., getting your financial records without your SSN] that you're safe, secure and privacy-assured, when the reality is that that only puts off the most casual browsers. >... Given that the most personal behavior is often indicated by financial trans- actions (using credit cards, etc., but cash also once it enters the electronic till), is this the single most invasive police scheme yet devised?> Probably not. The info is already there for the taking, much of it *already* has to be reported to the feds, and while the details of what you report are sketchy, it doesn't seem like there are any new privacy barriers being broken down. Remember the simple rule of thumb: if you're using *anything* other than cash, you can be assured that your transaction is _not_ private. period. And even if you pay cash, your transaction might not be private, but it is for-sure that anything _less_ than cash just has too many people in the loop, and too many people who have to 'know' who you are to approve the transaction, for even a pretense of privacy. -- Bernie Cosell bernie@fantasyfarm.com Fantasy Farm Fibers, Pearisburg, VA (703) 921-2358 ------------------------------ From: "Prof. L. P. Levine" Date: Thu, 3 Feb 1994 08:57:14 -0600 (CST) Subject: SSN End of String Organization: University of Wisconsin-Milwaukee I think we have seen most of the new ideas about the danger of revealing Social Security Numbers versus the ever present nature of the number posted. I am sure that this discussion will continue in the future, but for now let us allow one last round of discussion and terminate this string with the next issue of the digest. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of Computer Privacy Digest and Professor of Computer Science | comp.society.privacy. University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V4 #026 ****************************** .