Date: Mon, 16 May 94 10:35:34 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#066

Computer Privacy Digest Mon, 16 May 94 Volume 4 : Issue: 066

Moderator: Leonard P. Levine

Today's Topics:

  Re: FCC order on interstate Caller ID
  Re: Credit Check only with Permission Granted
  Journalists attack credit card account
  UPENN and SSN
  Community Nets Crackdown in Italy
  IRS "Privacy Principles"

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: padgett@tccslr.dnet.orl.mmc.com (padgett peterson)
Date: 13 May 1994 17:14:37 GMT
Subject: Re: FCC order on interstate Caller ID
Organization: Martin-Marietta

johnl@iecc.com (John R Levine) said:

> In other words, per-line blocking is a bad idea because subscribers are too dumb to unblock calls when they want to unblock them, although they're not too dumb to block calls when they want to block them.

Not at all (and the negative loading is uncalled for IMHO). First both have been available for some time in various areas (Florida is per call). Where per line blocking was chosen numerous complaints occurred concerning the impossibility of the user to tell which way star-six-seven would toggle the blocking (is it or isn't it, only the callee will know...). With per call, there is no question.
Second, the person making the call might not be the one who started the blocking & might not even have any idea of what it is (I live in tourist world remember). With per call, the default is off.

Finally in an emergency situation it is easy to visualize a cartoon where the receiver is saying "sorry, first you must dial star-six-seven before making this call." All it would take would be one.

Now if there is a special situation where the CNID should *never* be returned or a different number should display, I am sure that the home of the unlisted number will be happy to assist, new sources of revenue are always welcome.

And let's not forget 0, 911, 800, & 900 ANI. Star-six-seven has no effect for now.

I say the FCC is right and per-call blocking should be the default.

------------------------------

From: rivaud@rain.org (L. E. de Rivaud)
Date: 13 May 1994 11:28:21 -0700
Subject: Re: Credit Check only with Permission Granted
Organization: wherever.com

Poivre (poivre@netcom.com) wrote:

> So no matter how you intend to pay for the car, as long as you're going to test drive it, you will get checked right?? So people should avoid a test drive and just test drive their friend's cars or something.

Sure just don't buy a car that costs more than $10,000. Pay cash. Then find an insurance company who doesn't require a ss#. (OR move to a state that does not require auto insurance. Are there any?)

------------------------------

From: "Prof. L. P. Levine"
Date: 13 May 1994 21:00:23 -0500 (CDT)
Subject: Journalists attack credit card account
Organization: University of Wisconsin-Milwaukee

Taken from Risks-List: RISKS-FORUM Digest Thursday 12 May 1994 (16:06)

Date: 11 May 94 21:51:29 EDT
From: "Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
Subject: Journalists attack credit card account

From the Reuter newswire via CompuServe's Executive News Service (GO ENS):

"FRANKFURT, May 10 (Reuter) - A journalist from a well-known German satirical magazine has cut off fugitive real-estate tycoon Juergen Schneider from one source of cash -- by ringing up Schneider's credit card company and cancelling his account. The magazine Titanic said journalist Bernd Fritz had telephoned the Eurocard company and blocked the account by giving Schneider's name and date of birth."

The article explains that Schneider has been on the run for over a month and has filed for bankruptcy. He is under investigation for credit fraud. Asked for identifying information, including Schneider's bank, the journalist picked a bank at random--and was right. The magazine writers now claim that they will try to block credit cards for other fugitives.

[Comment by MK: I have been saying for a long time we need PINs for credit cards! I hold no brief for the accused man, but it does seem odd that someone else be able to cancel a person's account. How would you like it if some prankster cancelled _your_ credit/bank/phone/... account with a simple phone call?]

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn

------------------------------

From: michael.feeley@dscmail.com (Michael Feeley)
Date: 15 May 94 14:20:00 -0640
Subject: UPENN and SSN
Organization: DSC/Voicenet * Ivyland, PA * (215) 443-9434

Sun 94.05.15 @ 14.19

Late this past winter, the University of Pennsylvania (PENN) notified all employees that we would have to provide the names, dates of birth (DOBs), relationship, sex, student status, disability status and Social Security Numbers (SSNs) for all our dependents when completing our benefits enrollment forms for 1994-1995 (called Pennflex Open Enrollment). We were told that this was to comply with IRS regulations (the H-2), new accounting procedures (which require future retiree medical expenses to be recognized on an accrual basis), and to enable the electronic transmission of employee and dependent records into the "medical carrier's eligibility systems." A dependent database is to facilitate these needs.

Several weeks later I received a call from someone in the Benefits Office requesting the SSNs of my dependents. He didn't know what the Privacy Act was, but assured me with energetic solemnity that the Benefits Office maintained personnel records in "strictest confidence." I indicated I would appreciate a copy of the Privacy Act statement for the SSN request. He informed me in a somewhat injured and huffy tone that he would have to check on it with someone else.

Yesterday I received my "Pennflex Confirmation Statement" which included all the information I had provided; the SSN spots were blank. I am to make any necessary corrections, sign and return the form.

To my dismay, I also received the Pennflex Confirmation Statement from another PENN employee (a professor in the medical school).
This single sheet includes the home address, name (with middle initial), DOB, sex, disability status, and SSN for this man, *AND* the same information for his wife and his two children (as well as his choices for medical, dental, and life insurance coverage).

It would appear that PENN does not hold personnel information in "strictest confidence."

When I return the material early next week I would like to include some information about the dangers of having such information "leak." I would appreciate posts or email about said dangers (which would be included in a packet accompanying the man's benefits form). I am also thinking of sending it to Judith Rodin, the President of PENN.

Information, comments and suggestions are most welcome. Thanks in advance.

* Michael Feeley Haverford, Pennsylvania, USA ;
* michael.feeley@satalink.com (1:273/203) 71534,1343 ;

------------------------------

From: "Prof. L. P. Levine"
Date: 16 May 1994 10:13:05 -0500 (CDT)
Subject: Community Nets Crackdown in Italy
Organization: University of Wisconsin-Milwaukee

---------- Forwarded message ----------
Date: 15 May 1994 11:46:49 -0700
From: Bernardo Parrella
To: Multiple recipients of list COMMUNET
Subject: Community Nets Crackdown in Italy.

-I am sending again this posting-yesterday night bounced back-

On May 10-12 1994, the first nationwide crackdown on telecom nets was operated by Italian police. Acting after a warrant issued by a Prosecutor in Pesaro, about 60 Bulletin Board Systems throughout the country have been visited and searched by police officials.

Dozens of people were formally accused of "distribution of illegally copied software and appropriation of secret passwords" under the law approved by Italian Parliament in January this year.

In several cases police officials didn't know what to search for, thus seizing computers, floppy disks, modems along with electric outlets, answering machines, audiotapes, personal effects.
The raids also hit private houses and belongings, and in some places sleeping people were abruptly woken up facing machine guns.

After searching probably around one third of the entire network - that includes more than 300 BBSes - police officials closed several Fidonet nodes, but no arrests were made. A still inaccurate figure of people were charged with software piracy, and dozens of computers and related devices were seized - along with thousands of floppy disks, CD-Roms, W.O.R.M.S.

Moving after a suspected software piracy ring run by people involved in a Fidonet node, the crackdown started in the night between May 10 and 11 in Milano, targeting in the two following days BBSes in Pesaro, Modena, Bologna, Ancona, Pisa and other cities.

Fidonet Italia, member of the worldwide Fidonet network, is a non-profit organization devoted to distribution of shareware and freeware programs as well as to electronic forums on topics ranging from technological to social issues. An essential communication tool for several groups and individuals throughout the country, Fidonet Italia became an active multi-cultural vessel and distributor of several different nodes dedicated to specific issues: Peacelink (solidarity, human rights), Cybernet (cyberpunk), Ludonet (games), Scoutnet, Amynet, and others.

For thousands of Italian people, Fidonet BBSes today are invaluable tools of information-exchange, social activism and professional activities. The network policy strictly prohibits any distribution of illegally copied software and fraudulent appropriation of secret passwords. Also, Fidonet is one of the few International organizations which has always stated and pursued a clear position against unauthorized copying of software.

At the moment, the raids seem to be motivated by accusations against two people involved in a Pesaro-based BBS who were using Fidonet contacts to allegedly distribute illegal copies of computer programs.
However, there are no reasons for such a vast law enforcement operation. Most likely the prosecutor acted simply on the basis of the Fidonet telephone numbers list (publicly available) owned by the two suspected of software piracy.

The vast majority of the people searched don't have any kind of relationship with the suspected, and many of the search warrants stated a generic "conspiracy with unknown" for the crime of software piracy.

Particularly, the random and arbitrary seizures of floppy disks and personal computers are completely unmotivated, because every BBS is a completely independent structure and each sysop is running his/her own hardware and software.

The seizures will resolve in a great economic loss for these people and their professional activities will be surely affected from negative publicity. Some of them own small computer-related companies while others are physicians, hobbyists, students who risk personal savings to run their services.

Because police officials also seized electronic and paper archives containing data and numbers of the people who logged onto Fidonet nodes, it is evident that investigations are going even further - thus violating the constitutional right to privacy.

The first result of this crackdown is that many Fidonet operators decided to shut down immediately their systems all over the country, fearing heavier police intrusions in both their public activities and private lives.

While the Italian Parliament recently approved specific laws about copyright and piracy of computer software, there are still no rules to protect personal privacy in the electronic medium. This legislative void inevitably makes the sysop the only responsible person about anything that happens onto and around his/her own BBS.

Fidonet operators do not want and can not be the target of undiscriminated raids that, forcing them to close down their activities, cause serious damages to themselves as well as to the entire community.
In an article published Friday 13 by the newspaper "La Repubblica", Alessandro Marescotti, Peacelink spokesperson, said: "Just when the worldwide BBS scene is gaining general respect for its important role at the community level, in Italy the law hits those networks that have always been strongly against software piracy. Charging dozens of honest operators with unmotivated accusations, the main goal of this crackdown is directed against the social activities of small community nets - thus clearing the space for commercial networking."

While terms and figures of the entire operation should still be clarified, on Sunday 15 Fidonet Italia operators will meet in Bologna to study any possible legal counter-action.

------------------------------

From: "Prof. L. P. Levine"
Date: 16 May 1994 10:16:00 -0500 (CDT)
Subject: IRS "Privacy Principles"
Organization: University of Wisconsin-Milwaukee

From the Privacy Forum Digest Sunday, 15 May 1994 (03:10)

Date: 4 May 94 15:55:42 MDT
From: kristill@robie.cs.trw.com (Laurel Kristick)
Subject: IRS "Privacy Principles"

In the April 25, 1994 edition of _Federal Computer Week_ was an article titled "Employee guide on protecting taxpayers' privacy planned." The gist of the story is that the IRS plans to provide formal rules for protecting personal information about individual taxpayers. The exact wording of the guidelines is still being negotiated, but includes a warning against "browsing," or opening taxpayer files without authorization.

The final paragraph of this article was interesting:

"Among other instructions to employees, the guidelines would demand they collect only information they need for their jobs, to ask taxpayers for information before seeking it from third parties and to verify with taxpayers all data obtained from other sources before acting on it."
Can one assume that the IRS feels the need to put this in writing because of serious problems with employees violating taxpayers' privacy and with accepting non-validated information?

------------------------------

End of Computer Privacy Digest V4 #066
******************************