Date: Sun, 01 May 94 09:30:51 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#061

Computer Privacy Digest Sun, 01 May 94              Volume 4 : Issue: 061

Today's Topics:                         Moderator: Leonard P. Levine

    New Electronic Privacy Group Formed
    Clipper Petition Delivered to White House
    Credit Reports
    Military and law enforcement
    Re: Visa Privacy
    Re: Visa Privacy
    Re: Visa Privacy
    Re: Credit check only with Permission Granted
    Re: NSA remarks at "Lawyers and the Internet"
    Re: Lord Have Mercy On Us All :-(
    Re: Lord Have Mercy On Us All :-(
    Re: Long Distance Companies
    SSN: Do Not Give Your Number to Anyone!

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Dave Banisar
Date: 29 Apr 1994 17:02:33 +0000
Subject: New Electronic Privacy Group Formed

EPIC Press Release

Electronic Privacy Information Center
666 Pennsylvania Ave., SE, Suite 301
Washington, DC 20003
(202) 544-9240 (tel)
(202) 547-5482 (fax)
epic@cpsr.org (email)

April 29, 1994

NEW PRIVACY CENTER ESTABLISHED
EPIC TO MONITOR DATA HIGHWAY

WASHINGTON, DC -- A new organization was launched today to address growing public concerns about privacy protection for the national information infrastructure. The Electronic Privacy Information Center (EPIC) will focus on emerging threats to personal privacy.
Among the threats are the government's controversial Clipper computer encryption proposal, which has caused widespread protests from companies and computer users around the world. Proposals for an information superhighway and recent plans to reform the nation's health care system also involve significant threats to personal privacy.

"We have established EPIC to focus public attention on these new privacy issues -- the Clipper Chip, the Digital Telephony Proposal, medical record privacy, and the sale of consumer data," said Marc Rotenberg, director of EPIC.

A 1993 poll by the Lou Harris organization found 80 percent of Americans concerned about threats to their privacy. More than two thirds believe they have lost all control over personal information. Still, 70 percent believe that privacy is a fundamental right comparable to "life, liberty and the pursuit of happiness," and a clear majority of Americans favor establishment of a privacy agency within the government.

EPIC brings together an unprecedented group of experts from computer science, information law, civil liberties, human rights, public interest advocacy, library and research communities, as well as privacy experts and scholars.

Among the members of the EPIC Advisory Board is former Congressman and Presidential candidate John B. Anderson. Mr. Anderson said today at a Capitol Hill press conference he was very pleased by the establishment of the new organization. "Privacy is one of the bedrock American values. EPIC will help ensure that privacy is protected in the information age," said Mr. Anderson.

Simon Davies, the Director General of Privacy International, welcomed the launch of EPIC. Speaking from London, England today he said, "EPIC is an exciting initiative on the leading edge of privacy protection. My hope is that EPIC will be the forerunner of many such organizations around the world."

EPIC is a joint project of the Fund for Constitutional Government and Computer Professionals for Social Responsibility. FCG is a non-profit charitable organization established in 1974 to protect civil liberties and constitutional rights. CPSR is a national membership organization established in 1982 by professionals in the computing field concerned about the social impact of computer technology.

For more information contact EPIC, 666 Pennsylvania Ave., SE Suite 301, Washington, DC 20003. 202 544 9240 (tel), 202 547 5482 (fax) epic@cpsr.org (email). Current materials include a program description and list of Frequently Asked Questions about EPIC.

Marc Rotenberg, EPIC Director
David L. Sobel, Legal Counsel
Dave Banisar, Policy Analyst

------------------------------

From: CPSR National Office
Date: 29 Apr 1994 17:12:07 +0000
Subject: Clipper Petition Delivered to White House

CPSR PRESS RELEASE

Computer Professionals for Social Responsibility
P.O. Box 717
Palo Alto, CA 94301
415-322-3778 (voice)
415-322-4748 (fax)
cpsr@cpsr.org

"CLIPPER" PETITION DELIVERED TO WHITE HOUSE
COMPUTER USERS CALL ON ADMINISTRATION TO DROP ENCODING PLAN
NEW PRIVACY CENTER ESTABLISHED

Washington, DC -- A national public interest organization today delivered to the White House a petition asking for withdrawal of the controversial Clipper cryptography proposal. The Clipper plan would provide government agents with copies of the keys used to encode electronic messages.

The petition was signed by more than 47,000 users of the nation's data highway. The petition drive occurred entirely across the Internet. It is the largest electronic petition to date.

Earlier this year, the White House announced support for the Clipper proposal. But the plan has received almost unanimous criticism from the public. A Time/CNN poll found that 80% of the American public opposed Clipper.

Computer Professionals for Social Responsibility began the petition drive in January.
In the letter addressed to the President, the organization said that if Clipper goes forward, "privacy protection will be diminished, innovation will be slowed, government accountability will be lessened, and the openness necessary to ensure the successful development of the nation's communications infrastructure will be threatened."

The petition asks for the withdrawal of Clipper. It is signed by many of the nation's leading cryptographers including Whitfield Diffie, Martin Hellman, and Ronald Rivest.

Users from nearly 3,000 different sites across the Internet are represented. Responses came from more than 1300 companies including Microsoft, IBM, Apple, DEC, GE, Cray, Tandem, Sun, SGI, Mead Data Central, AT&T, and Stratus. Signatures also came from more than 850 colleges and universities and 150 non-profit organizations. Many responses came from public networks such as America Online and Compuserve. Nearly a thousand came from government and military sites including NASA, the Army and the Navy.

Next week hearings will be held in Congress on the controversial cryptography proposal, an initiative developed by the FBI and the National Security Agency. Most of the witnesses are expected to testify against the plan.

In a related development, the establishment of the Electronic Privacy Information Center was announced today. EPIC is jointly sponsored by CPSR and the Fund for Constitutional Government. It will focus on emerging privacy issues surrounding the information data highway. [see accompanying release].

CPSR is a national membership organization, based in Palo Alto, California. For more information about CPSR, contact CPSR, P.O. Box 717, Palo Alto, CA 94302. 415 322 3778 (tel) 415 322 4748 (fax) cpsr@cpsr.org (email).

------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 29 Apr 94 22:14 EST
Subject: Credit Reports

It is a common misconception that someone needs your consent before getting access to your credit report. It's not true.
The federal Fair Credit Reporting Act requires only that a requester have a PERMISSIBLE PURPOSE for ordering a credit report -- for credit, employment, insurance or a similar "legitimate business purpose." Otherwise, you need a court order or the consent of the individual.

Private detectives generally perpetuate this misconception -- probably because they are often denied credit reports because they don't have a permissible purpose. Lawyers are another group that always want credit reports and usually don't have a permissible purpose. These groups either fake it and say they are planning on employing a person (getting a credit report by false pretenses violates federal law) or they go to "information brokers," most of whom are not scrupulous about compliance with the FCRA. Now they're able to order credit reports anonymously on the 'net from entrepreneurs who are also anonymous.

As Glenn Roberts pointed out, ANYBODY can buy "header information" from a credit report without regard to the protections in the FCRA. In a misguided policy, the Federal Trade Commission said that header information is not a credit report, even though in the past the same agency had insisted that access to ANY PART of a credit report constitutes access to a credit report and requires a permissible purpose. "Header information" includes address, phone number, age, SSNs, mother's maiden name, and other identifiers. Even though the FCRA requires a notation in your file whenever someone has access to it, because header information is not covered by the FCRA, you will never know when someone gets this information. This is a prime source of individuals' Social Security numbers, leading to all sorts of fraudulent misappropriation of peoples' identities. And think what someone can do with your mother's maiden name and your bank account number.

One exception: Vermont now requires consent. Other states may follow.
That's why the credit-reporting business is pushing Congress to PREEMPT tougher state laws. People on the net should write their Members of Congress about this.

How do credit bureaus handle the Vermont law? They tell their customers that when they receive a request for a credit report they will simply assume that the requester has secured the consumer's consent.

Nobody said keeping track of your privacy rights would be easy.

Robert Ellis Smith, Privacy Journal

------------------------------

From: "John A. Thomas"
Date: 30 Apr 94 17:07:31 CDT
Subject: Military and law enforcement

L.L. Lipshitz expresses concern about the "gradual incursion of military technology and personnel into the civilian domain." I certainly agree that the use of the military for civilian law enforcement is a dangerous practice. I do not agree that such a threat now exists.

So far, the use of the military in the "War on Drugs" and to enforce immigration policy has been limited to use of the naval and air units for surveillance on the high seas, along with some Army training of foreign anti-drug forces. I understand the Pentagon was opposed to even this involvement. Most officers feel strongly that the job of the military is to fight and defeat the armed forces of hostile states, not to be policemen or aid workers, whether at home or abroad.

The President is the commander of the U.S. military, and the military is obviously under civilian control (compare the Chilean constitution!). Military involvement in politics is simply not part of our culture. There hasn't been a military government in the English-speaking world since Oliver Cromwell was Lord Protector.

I certainly agree we should oppose efforts to involve the military in law enforcement, but I don't see any substantial attempt to do so, least of all from the professional military itself.

This said, I think the real threat to civil liberties comes from the ever-increasing power of the existing law-enforcement system.
The Army or the NSA have no power to make arrests, issue subpoenas, convene grand juries, or bring prosecutions. But the FBI and DEA do. This is why the Digital Telephony proposal is much more threatening than the key-escrow scheme (Clipper), bad as it is.

John A. Thomas b858jt@utarlvm1.uta.edu

------------------------------

From: keelings@wu1.wl.aecl.ca (S. Keeling)
Date: 28 Apr 1994 14:33:32 -0500
Subject: Re: Visa Privacy
Organization: AECL Research, Whiteshell Labs

L. Levine wrote:

> I am the co-author of a book called "A Foreign Visitor's Survival Guide to America". It has been suggested that I use the Freedom of Information act to obtain a list of people applying for visas to come

I would just suggest that you be extremely selective about who you choose to target. Governments are vicious, paternalistic, nosey, and vindictive. At best! Even in this 'polite' land of Canada, our mail is opened when it crosses the border. Scale the same to the n'th degree for Indonesians, P. R. China, Korea, India, any Arab country, etc.

At the very least, make NO mention of the person's application to emigrate.

--
keelings@wl.aecl.ca S. Keeling, AECL - Whiteshell Labs

------------------------------

From: palbert@netcom.com (Phil Albert)
Date: 29 Apr 1994 23:49:48 GMT
Subject: Re: Visa Privacy
Organization: Disorganized

"Prof. L. P. Levine" writes:

> I am the co-author of a book called "A Foreign Visitor's Survival Guide to America". It has been suggested that I use the Freedom of Information act to obtain a list of people applying for visas to come to the United States to create a mailing list of people to send advertisements to. I would like any opinions on the ethics of doing this.

That would be a snot-nosed thing to do. For one, the people on that list did not give their names so you could sell them a book. See the name of this newsgroup. If your book is any good, they will find out about it. How many immigrants have heard of "Jurassic Park"?
[I'm not implying it's a good book, but you get my point.]

For another thing, why use up taxpayer money getting this list through the FOIA? Your request would have NOTHING to do with Freedom of Information, nothing to do with the government.

I suggest you contact the airlines and boat companies who carry immigrants over and offer to stock their ship and airport gift stores with the book.

Does your book contain the key to immigrants' survival? That is: "Advertisers are not interested in you, and they lie more than they tell the truth."

--
Phil Albert, full-time patent attorney and part-time philosopher
Voicenet: (415) 543-9600   bizcardnet: Townsend & Townsend
Internet: palbert@netcom.com or palbert@cco.caltech.edu
ICBMnet: 37 53 00 N, 122 17 30 W, Alt 760'

------------------------------

From: austin@netcom.com (Tony Austin)
Date: 28 Apr 1994 21:58:27 -0700
Subject: Re: Visa Privacy
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

"Prof. L. P. Levine" writes:

> I am the co-author of a book called "A Foreign Visitor's Survival Guide to America". It has been suggested that I use the Freedom of Information act to obtain a list of people applying for visas to come to the United States to create a mailing list of people to send advertisements to. I would like any opinions on the ethics of doing this.

It's ethical because it violates no laws. It's immoral because you are invading their privacy. Ethics applies to the individual or his profession. Morals applies to society at large. These are just opinions, they are based on no philosophical text.

Personally I feel it would be a welcome advertisement but who can speak for all.

Tony Austin

------------------------------

From: tabrown@gis1dilurb.er.usgs.gov (tim brown)
Date: 29 Apr 1994 14:33:27 GMT
Subject: Re: Credit check only with Permission Granted
Organization: other

rivaud@coyote.rain.org (L. E.
de Rivaud) writes:

> I used to work for a BMW dealer who ran credit checks on people all the time without their prior consent. That is common practice in the biz.

Tony Austin (austin@netcom.com) wrote:

> I called TRW in Orange County, California today. I asked how safe my credit information and social security number is. They told me that no one can look at your credit report unless you grant them permission. A fine and a civil lawsuit was mentioned as well. Subsequently I feel a lot safer. Is this a false feeling of security?

I received a "pre-approved" VISA application in the mail yesterday. I always like to look at the fine print on the back when I get one of these. I'm glad I took the time on this one. It had an interesting paragraph as follows:

"You have the right to prohibit use of information in your file with any credit reporting agency in connection with any transaction which you do not initiate. To assert this right with respect to your file with the agencies listed above, you may call:"

    TRW     - 1.800.422.4879
    TU      - 1.800.241.2858
    EQUIFAX - 1.800.685.1111

However, when I called, guess what number they wanted?! SSN#, of course. I'd like to hear some comments on this. Obviously these companies already have my SSN#, or do they? Perhaps one of the agencies does, but the others may not. I might end up giving out the very information I'm trying to protect. I'd like some feedback on this.

p.s. Thanks to all who responded to my post about insurance companies and SSN#'s.

--
Timothy A. Brown
Civil Engineer - Urbana, IL
tabrown@srv1dilurb.er.usgs.gov

------------------------------

From: WHMurray@dockmaster.ncsc.mil
Date: 29 Apr 94 11:39 EDT
Subject: Re: NSA remarks at "Lawyers and the Internet"

Now before anyone thinks I've changed my position, Clipper still sounds to me like a cheap and effective alternative to what is available today, it is the implementation (read politics) that has flaws but these can be fixed.
Until I have a Clipper or two to play with, I am going to reserve technical judgement.

That Skipjack might be effective is an open question. However, the flaws of the CLIPPER proposal are fundamental and much more difficult to remedy than my friend suggests.

First, it is flawed as to its source. We need codes that we can all trust equally. The government in general, and the world's largest signals intelligence agency in particular is an inappropriate source for such a code. Trust in the Data Encryption Standard has been greatly diminished simply by the fact that the NSA consented to it.

Second, it is flawed by secrecy. The only people who can trust a secret algorithm are those who are party to the secret. The effectiveness of modern codes does not rely upon their secrecy but rather upon their complexity. The purpose of secrecy here is not to improve the security of the mechanism but to resist its replication and use.

Third, it is flawed by "hardware only." Hardware only is justified by the need for secrecy but both are rooted in the desire to limit application and use. However, "hardware only" so severely restricts use as to leave many requirements unsatisfied.

For example, the availability of encryption services is essential to the integrity of a "network operating system." There is simply no way that this requirement can be met by a "hardware only" strategy. While it might be possible to develop a chip or a card with the proper functionality, CLIPPER does not have it. While it might be possible to come up with a chip or a card with the proper functionality, it is clearly not possible to retrofit or deploy it on all of the components that one might wish to include in such a network. Even if it could be done, it would not be within the control of the operating system vendors. They would be in an impossible bind; the functionality is essential to their product, but they would have to rely upon some other source for it and for the customer to buy it and deploy it.

None of these problems is easily remedied. They are not easily remedied because it is not in the interest of the government for them to be remedied.

Fortunately for us, while we may require the restraint of the government from the use of its coercive power, we do not need its active cooperation. There are already codes available to us that do not suffer from any of these flaws.

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

From: andrew@jester.usask.ca
Date: 29 Apr 94 09:55:06 -0600
Subject: Re: Lord Have Mercy On Us All :-(

Christopher Zguris <0004854540@mcimail.com> writes:

> The only problem with non-lethal "take-down" weapons is the potential for abuse. Long before the Rodney King case made the stun gun and taser infamous, police officers here in New York City lost the ability to carry or use the stun gun because they used it to coerce confessions. In those cases, the non-lethal stun gun was most definitely abused against citizens. The stun gun was used because it left only minimal obvious damage that could be documented, so the offending officers thought they could get away with their actions (many did, and I'm sure it's happened in other cities). An "offensive" weapon like a non-lethal stungun should not be compared to a "defensive" weapon like a Kevlar vest - a Kevlar vest cannot be abused.

Handcuffs are not an offensive weapon (you do not throw them at the suspect), but have a potential for abuse.

------------------------------

From: Christopher Zguris <0004854540@mcimail.com>
Date: 29 Apr 94 14:45 EST
Subject: Re: Lord Have Mercy On Us All :-(

elkube@access.digex.net (l.l.lipshitz) writes:

> Arguably, new technologies applied to protecting citizens is a good thing. However, what frightens me is the gradual incursion of military technology and personnel into the civilian domain.
> Doesn't the Memo of Understanding between the DoD and the Justice Dept. scare anyone else?

What is the Memo of Understanding between the DoD and the Justice Dept.? Perhaps it involves the military industrial complex looking for a new threat to justify the huge defense budget?

> We already have active military assistance in the War on Drugs and recommendations for further involvement. Here in the Washington, DC area, we've seriously entertained proposals for using National Guard units to patrol our streets to bolster the city's police force. I believe (don't quote me on this one!) military assistance has been suggested or is actually being used in efforts to stem illegal immigration.

The idea of our military patrolling our streets is frightening to me as well, but, under certain circumstances I think it would be a good idea to force the military to perform some law enforcement functions. Fighting illegal immigration on our borders (land, sea, and air) _does not_ affect American citizens, it affects people who are coming into this country in violation of our laws (or worse, smuggling drugs). Illegal immigration is a _very_ large problem, unenforceable laws are worthless and protect no-one.

I think it incredible that we spend billions of dollars to develop and deploy military technology more than capable for border patrol but _don't_ implement it. Instead, it sits around unused or -- at best -- is used in "war games". If the Navy engaged in patrol and training exercises in support of the woefully underfunded and underequipped Coast Guard we could significantly close our borders to drugs & illegal immigration on the seas and better train military personnel. The same holds true for the air; we have aircraft carriers and all sorts of state-of-the-art communication & control systems that could be very effective if used for our immediate benefit.

Christopher Zguris czguris@mcimail.com

------------------------------

From: johnl@iecc.com (John R Levine)
Date: 29 Apr 94 19:38 EDT
Subject: Re: Long Distance Companies
Organization: I.E.C.C., Cambridge, Mass.

In the SF Bay Area, if you want cellular phone service from GTE, they ask for your SSN [and refuse to give you service without it]

Policies vary widely. Here's my experience:

Cellular One Boston (really Southwestern Bell): I went into one of their agents, a local stereo store, picked out the phone I wanted, filled out the credit app without the SSN, the guy called it in, and whoever was on the other end of the phone at Cell One said no SSN, no service. Much to the guy's dismay, I walked out. Other people later told me that if I'd called SWB directly they'd probably have been willing to give me service without the SSN, but I didn't feel like finding out.

NYNEX Boston: I called them directly, because they had an attractive free phone/free minutes deal. Guy took the credit app over the phone, said that without an SSN they might need a $400 deposit. (At 7% interest, who's complaining?) When I went to get the phone installed the next week, they didn't want a deposit and the SSN field on the computer printed work order read 000-00-0000. So much for no credit check without the SSN.

Cellular One of Vermont (Atlantic Cellular): I called them to get a second number for my phone. The woman who took the order simply couldn't believe that I didn't have my SSN handy, and kept calling me back for a week asking if I'd found it yet. I finally insisted that I'd never ever be able to find it, so how about something else. She asked for a bank reference, I gave her the name and number of the person at the bank who handles my accounts, and she called back about 10 minutes later and said it was all set up. What's really funny is that I gave her my banker's unlisted direct dial number which she answers herself.
If I were a crook, I could easily have given her the number of a confederate who'd pretend to be at the bank.

--
Regards,
John Levine, johnl@iecc.com, jlevine@delphi.com, 1037498@mcimail.com

------------------------------

From: c-cat!david@uwm.edu (Dave)
Date: 30 Apr 94 16:44:46 EDT
Subject: SSN: Do Not Give Your Number to Anyone!
Organization: China Cat BBS (301)604-5976

jkwiatkowski@attmail.com (John Kwiatkowski) writes:

> I saw your message posted in Security. Social Security Numbers were originally started for exactly that...social security reasons ONLY. People and businesses took it upon themselves to start using social security numbers as identifiers. The law says you DO NOT have to [...] me. I admire you for standing up and refusing to give out your social security number. PROTECT YOUR PRIVACY!!! Don't give in to anyone asking for your private info. THEY DON'T HAVE ANY RIGHT TO ASK FOR OR HAVE IT!

yes, but I am finding this difficult in the employment search world, I am searching for a new job. many companies now are doing credit checks before hiring employees, where I don't have a problem with this I do have a problem with giving my SSN for this purpose. Trying to explain this to a prospective employer without looking like I am trying to hide something tends to be a difficult subject and rather touchy. one recruiter told me to "stop the paranoia and just write down the number", I think I'm going to print off the SSN faq and give it to him.

1) filling out my SSN is too much of a risk, I have no idea who has access to their records nor do I know how long they will keep records or how they dispose of records.

2) filling out a job application with false information is grounds for dismissal (if hired).

3) I might not be hired, because I didn't complete the required information. (I currently choose this route, and refuse to give my SSN until I accept a job offer. I do inform them that if they desire, they can do a credit check with my name, address, phone.
)

for the most part so far, I've left the SSN blank on the application, and will say nothing until they ask.

on another note, I had an idea when asked by a business (non government, not required) for my SSN, I would ask them for their company's tax ID number, for they would never divulge their tax ID number (dumb if they did), I would explain that the SSN is my tax number and I can't divulge it either. I haven't had the opportunity to try this, but I eagerly await the chance to do this.

--
David Ristau System 0perator UUCP: uunet!anagld!c-cat!david
China Cat BBS INTERNET: david@sed.csc.com
301.604.5976

------------------------------

End of Computer Privacy Digest V4 #061
******************************