Date: Tue, 19 Jul 94 10:51:32 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V5#008 Computer Privacy Digest Tue, 19 Jul 94 Volume 5 : Issue: 008 Today's Topics: Moderator: Leonard P. Levine University of New Mexico use of SSN as ID Monitoring of International Calls and Clipper Privacy at risk: Educational Records Re: Video Camera on Utility Poles Re: Video Camera on Utility Poles Re: Video Camera on Utility Poles Re Sprint Canada and SIN Re: Clipper security and other lies The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: ead@netcom.com Date: 17 Jul 1994 13:15:31 -0700 Subject: University of New Mexico use of SSN as ID Organization: Netcom Folks, What do you make of this paragraph from the application to the University of New Mexico's Office of Graduate Studies: The University of New Mexico uses students' social security numbers as identification at the University. The number is used for record- keeping purposes only. The authority to use the social security number comes from the Board of Regents and was adopted on March 24, 1967. It is mandatory, therefore, that students disclose their numbers in order to enroll at UNM. Is this permitted even if the University complies with the Family Educational Rights and Privacy Act of 1974 (the "Buckley Amendment"), which prohibits them from giving out personal information (e.g. the SSN) on students without permission? Thank you, Eric De Mund ------------------------------ From: ninjo@MIT.EDU Date: 18 Jul 94 19:32:08 EDT Subject: Monitoring of International Calls and Clipper I have been following the Clipper debate and I have a question for all of you Privacy readers out there. A. to my understanding the NSA monitors all international commmunications without the need to get any judges approval. B. with the clipper chip, wouldn't the NSA need to have all the escrowed keys at their disposal, in order for them to continue this monitoring? The reason I bring this up is that, in all the proposals for the clipper that I've seen. There is supposed to be a third party that is entrusted with the escrowed keys. Seems to me that, the NSA's proposal is not entirely realistic. I wonder if the drafters of this proposal realized this. -- John Muir Kumpf ninjo@mit.edu robot fish 'r' us ------------------------------ From: cpsr-announce@cpsr.org Date: 18 Jul 1994 18:03:24 -0700 Subject: Privacy at risk: Educational Records Seattle CPSR Policy Fact Sheet K-12 Student Records: Privacy at Risk --------------------------------------------------------------------------- TOPIC The U.S. education system is rapidly building a nationwide network of electronic student records. This computer network will make possible the exchange of information among various agencies and employers, and the continuous tracking of individuals through the social service, education and criminal justice systems, into higher education, the military and the workplace. WHAT IS THE ISSUE? There is no adequate guarantee that the collection and sharing of personal information will be done only with the knowledge and consent of students or their parents. Changes Are Coming to Student Records National proposals being implemented today include: - An electronic "portfolio" to be kept on each student, containing personal essays and other completed work. - Asking enrolling kindergartners for their Social Security Numbers, which will be used to track each student's career after high school. - Sending High school students' transcripts and "teachers' confidential ratings of a student's work-related behavior," to employers via an electronic network called WORKLINK. At the heart of these changes is a national electronic student records network, coordinated by the federal government and adopted by states with federal assistance. Publication 93-03 of the National Education Goals Panel, a federally appointed group recently empowered by the Goals 2000 bill to oversee education restructuring nationally, recommends as "essential" that school districts and/or states collect expanded information on individual students, including: - month and extent of first prenatal care, - birthweight, - name, type, and number of years in a preschool program, - poverty status, - physical, emotional and other development at ages 5 and 6, - date of last routine health and dental care, - extracurricular activities, - type and hours per week of community service, - name of post-secondary institution attended, - post-secondary degree or credential, - employment status, - type of employment and employer name, - whether registered to vote. It also notes other "data elements useful for research and school management purposes": - names of persons living in student household, - relationship of those persons to student, - highest level of education for "primary care-givers," - total family income, - public assistance status and years of benefits, - number of moves in the last five years, - nature and ownership of dwelling. Many of these information categories also were included in the public draft of the 'Student Data Handbook for Elementary and Secondary Schools', developed by the Council of Chief State School Officers to standardize student record terminology across the nation. State and local agencies theoretically design their own information systems, but the handbook encourages them to collect information for policymakers at all levels. Among the data elements are: - evidence verifying date of birth, - social security number, - attitudinal test, - personality test, - military service experience, - description of employment permit (including permit number,) - type of dwelling, - telephone number of employer. WHO CAN ACCESS THIS COMPREHENSIVE INFORMATION? Officers, employees and agents of local, state and federal educational agencies and private education researchers may be given access to individual student records without student or parent consent, according to the federal Family Educational Rights and Privacy Act of 1974 (20 USC 1232g) and related federal regulations (34 CFR 99.3). Washington state law echoes this federal law. WHAT IS COMING NEXT? Recent Washington state legislation (SB 6428, HB 1209, HB 2319) directly links each public school district with a self-governing group of social service and community agencies that will provide services for families. This type of program is described in detail in the book, Together We Can, published jointly by the U.S. Department of Education and the U.S. Department of Health and Human Services. The book speaks of "overcoming the confidentiality barrier," and suggests creating centralized data banks that gather information about individuals from various government agencies - or in other ways ensuring agencies, "ready access to each other's records." The book calls for a federal role in coordinating policies, regulations and data collection. A group in St. Louis, MO, called Wallbridge Caring Communities, is cited as a model for seeking agreements to allow computer linkups with schools and the social service and criminal justice systems to track school progress, referrals and criminal activity. WHAT HAPPENED TO ONE COMMUNITY In Kennewick, WA, over 4,000 kindergarten through fourth graders were rated by their teachers on how often they lie, cheat, sneak, steal, exhibit a negative attitude, act aggressively, and whether they are rejected by their peers. The scores, with names attached, were sent to a private psychiatric center under contract to screen for "at-risk" students who might benefit from its programs. All of this was done without the knowledge and consent of the children or their parents. CPSR's POSITION CPSR Seattle believes that schools other agencies should minimize the collection, distribution and retention of personal data. Students and/or their parents should decide who has access to detailed personal information. CPSR ACTIONS Representatives of CPSR Seattle have gone to Olympia to: - oppose the use of the Social Security Number as the standard student identifier, - urge legislators to set educational goals that can be measured without invading privacy, - oppose turning over individual student records to law enforcement officials apart from a court order or official investigation. Computer Professionals for Social Responsibility - Seattle Chapter P.O. Box 85481, Seattle, WA 98145-1481 (206) 365-4528 cpsr-seattle@csli.stanford.edu --- CPSR ANNOUNCE LIST END --- ------------------------------ From: tnyurkiw@laplace.uwaterloo.ca (Tom Yurkiw) Date: 18 Jul 1994 00:09:38 GMT Subject: Re: Video Camera on Utility Poles Organization: University of Waterloo bernie@fantasyfarm.com (Bernie Cosell) writes: Tom Yurkiw writes: ... A person standing on a side street in the middle of the night has an expectation of privacy, wheras a person in the town square with 8 cameras pointed at him does not. Is this a tenet of estabished law about 'expectations of privacy', or just your opinion? No, this is not a tenet. This is my own opinion. I am amazed at how quickly many advocates of one thing or another leap to paint a solid black or white world, when reality is, of course, zillions of shades of gray [even if one entertains your distinction, it only raises more questions than it answers: No, I see a clear distinction between *hidden* cameras and visible cameras. Overall, I think that folks are rather liberal with deciding that there are "expectations of privacy" in arenas where the law doesn't make any such distinction. [in particular, as far as I know, if you are out in public [that is, not on private property] you have virtually no 'expectation of privacy', no matter whether it is midnight or noon, or the Rose Garden or a back alley] I wasn't aware that legal expertise was necessary to discuss privacy issues. I'm not really interested in the legal/constitutional implications, since they will differ greatly among jurisdictions. Unquestionably, people have the right to operate all the cameras they want, as long as they don't trespass while doing it. My concern is with *government-operated* cameras. Personally I find the concept of state-operated hidden cameras to be repugnant. I do, however, believe that cameras in public places can sometimes be justified. Recently, the City of Hull, Quebec decided to place video cameras along the main bar strip, due to the large number of fights, stabbings, vandalism, and shootings that have happened in the past. No one walking along "the strip" in Hull on Saturday night has an "expectation of privacy" (not meant in the legal sense). As long as publicly-operated cameras are visible, they can be properly evaluated by the citizens, as to their effectiveness and whether their use is justified. No such evaluation is possible if the state puts hidden cameras all over the place. ------------------------------ From: jgd@dixie.com (John De Armond) Date: 17 Jul 94 23:28:30 GMT Subject: Re: Video Camera on Utility Poles Organization: Dixie Communications Public Access. The Mouth of the South. A couple of posts addressed here: tnyurkiw@lambert.uwaterloo.ca (Tom Yurkiw) said: hopefully in Singapore! Better yet, the homeowner is watching in real-time and is forced to subdue said Armondite while making a citizen's arrest. Of course, the homeowner isn't trained in the niceties of restraining someone painlessly... But since Mr. De Armond is trained in self-defense and is always armed, he dispatches Mr. Kiw (see, dropping the first syllable of a name can be fun) with a double-tap to the chest. flash@csd.uwo.ca (Andrew D. Marshall) said: Professor Levine raises an interesting point. I read John De Armond's post -- in fact, I chose to read the thread because my newsreader showed that he was a contributor to it. I have often seen posts in other newsgroups from him (the one that springs to mind first is misc.consumers.house) and, while I don't always agree with what he has to say, I often find his posts entertaining. The post in this thread attributed to De Armond was consistent stylistically, and in the point of view expressed, to what I've seen elsewhere under his name. The more general issue, which I suspect has been hashed out here and elsewhere, is that of writing style being used to identify an article's writer or, to extend Professor Levine's suggestion, even being used to discredit a writer by imitating his or her style. But like any good writer, I can write in a number of voices and I find the net to be an exquisit place to practice and perfect that art. Though I don't do it so much anymore because of lack of time and interest, I have in the past used two other identities on other hosts for the purpose. Both identities are still active and I occasionally use them. In some instances, my alter-ego has debated me on a topic just to spice things up or when I thought the other side was doing such an incompetent job of stating its case that debate was dying. I mention this for a couple of reasons, not the least of which is to send some of my "fans" off on a frenzy trying to figure out who my alter-egos are. Yes, I'll tell you if you guess correctly - I can always establish another. The larger point is, however, that there is nothing one can to truly validate one's identity or to protect one's privacy. PGP and other crypto products? Not hardly. As long as one can get an account somewhere, as long as open hosts exist, as long as open NNTP servers exist, anyone can create any identity one desires AND make it appear authentic including PGP keys. I don't use PGP because I have no need but if I did, I'd have public keys available for all my identities. So not only do I have to keep my SIN/SSN private, and guard my bank card PIN and all that stuff, if I truly want to maintain my privacy, I probably shouldn't be posting on the net. Not really. This is the other important point I want to make. One can much better preserve his privacy by obscuring reality with noise than he can by trying to build a fort around it. Noise is simply false information presented to appear real. John -- John De Armond, WD4OQC, Marietta, GA jgd@dixie.com Performance Engineering Magazine. Email to me published at my sole discretion Respect the VietNam Vet, for he has survived every attempt by this country to kill him. ------------------------------ From: glr@ripco.com (Glen Roberts) Date: 18 Jul 1994 16:12:32 GMT Subject: Re: Video Camera on Utility Poles Organization: RCI, Chicago, IL Tom Yurkiw (tnyurkiw@lagrange.uwaterloo.ca) wrote: To me, the issue of video cameras **hidden on utility poles, is completely different than the question of **visible cameras in public places. A person standing on a side street in the middle of the night has an expectation of privacy, wheras a person in the town square with 8 cameras pointed at him does not. Which came first? The Chicken or the Egg? For example, many would feel that sitting in a restruant, seeing no one else around, would give us an expectation of privacy on our conversations, but Dunkin-Donuts at 300 locations in MA says no, and installs audio monitoring device (for security). Does the FACT that someone can put in monitoring devices (visible or not) affect our expectations of privacy? Are you not arguing that privacy invasion is OK everywhere... because once the invasion device is installed VISIBLY we have no expectation of privacy there anymore? Or, is the installation of such devices an invasion of our privacy, and something that should be prohibited? -- -------------------------------------- Glen L. Roberts, Publisher, Directory of Elect Surv Equip Suppliers Host Full Disclosure Live (WWCR 5,810 khz - Sundays 7pm central) Box 734, Antioch, Illinois 60002 Fax: (708) 838-0316 Voice/FAX on demand: (708) 356-9646 -------------------------------------- ------------------------------ From: at372@freenet.carleton.ca (David Mitchell) Date: 18 Jul 1994 04:16:13 -0400 Subject: Re Sprint Canada and SIN Michael Slavitch wrote of his encounter with Sprint Canada and its demand for his Social Insurance Number, a demand that was later dropped due to "customer requests". Sprint uses the numbers for customer identification. In Canada, it is illegal to require SIN for a purpose such as that proposed by Sprint. Unfortunately, requiring SSNs seems to be legal in the US and most US companies don't think to check to see if we do things differently. Since SINs are sensitive and important information, and not the kind of thing that you would want to fall into the wrong hands, the law only requires that they be disclosed for certain purposes. Obviously, governments can demand them - that's why they came into existence int he first place. Also, since SINs are used for tax purposes, persons who have to provide information to Revenue Canada about you can demand your number. This group includes financial institutions and employers. Given the damage that can be done if the wrong person has your SIN, it is good practice to refuse to give it out if it isn't required. It would be nice if it were not only illegal for companies like Sprint o demand your SIN, but also illegal to ask for it. However, this would produce howls from the legion of US companies that object to amending forms and filing systems for Canada. -- David Mitchell Tel: (604) 370-1731 Faculty of Law Email: ul155@freenet.victoria.bc.ca Victoria, BC at372@freenet.carleton.ca ------------------------------ From: barmar@Think.COM (Barry Margolin) Date: 18 Jul 1994 21:00:44 GMT Subject: Re: Clipper security and other lies Organization: Thinking Machines Corporation, Cambridge MA, USA lupienj@wal.hp.com (John Lupien) writes: A better question might be "what would the cop do if they DID have Clipper?" Unless the suspect is not only crooked but stupid, they won't be using Clipper for sensitive communications. Crooks currently use ordinary, unencrypted phones for sensitive communications. Clipper phones are at least as secure as unencrypted phones, so why wouldn't they use them? -- Barry Margolin System Manager, Thinking Machines Corp. barmar@think.com {uunet,harvard}!think!barmar ------------------------------ End of Computer Privacy Digest V5 #008 ****************************** .