Computer Privacy Digest Wed, 20 Jul 94 Volume 5 : Issue: 010 Today's Topics: Moderator: Leonard P. Levine Privacy Information on Gopher Companies Recording Phone Calls Government E-Mail Directive SIN use in Canada Re: Monitoring of International Calls and Clipper Re: SSN of Dependants Now Required Re: Clipper Security and other lies Re: New National ID Card Proposal Re: University of New Mexico use of SSN as ID The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: Privacy Rights Clearinghouse Date: 20 Jul 1994 00:24:20 -0700 (PDT) Subject: Privacy Information on Gopher The Privacy Rights Clearinghouse (PRC) a non-profit consumer education group, now has a gopher site. The gopher site contains State (California) and Federal legislation relating to the issue of privacy and informational fact sheets that are constantly being updated. Some of the topics include; Your Social Security number, junk mail, e-mail in the work place and wiretapping, and many others. Gopher to gopher.acusd.edu. To telnet to the PRC: telnet teetot.acusd.edu, login: privacy. The Privacy Rights Clearinghouse is a service for California consumers. It is administered by the University of San Diego's Center for Public Interest Law. It is funded by the telecommunications Education Trust, a program of the California Public Utilities Commission. It has been in operation since October 1992. Voice (619)298-3396. ------------------------------ From: tenney@netcom.com (Glenn S. Tenney) Date: 20 Jul 1994 02:08:13 -0800 Subject: Companies Recording Phone Calls I know that many companies' support lines have a recorded message saying that "this call may be monitored by supervisory personnel and for training purposes". Well, today I had to call AAA's 800 number for road service and... They don't use any recorded message, they just use the "beep" every 10 (or is it 15) seconds that they're required to do if they're recording the phone call. I spoke with a supervisor who explained that they record all incoming road service calls now in California, that they use them for training purposes, and they use them in case there's any dispute. The supervisor said that I'm the first person she knew of who complained. She did say that I could call the local AAA office and ask for her extension and then she'd take the road service call... Personally, I do NOT want to have any of my phone calls recorded (unless absolutely necessary). I have no assurances that AAA *only* uses the recordings for those purposes. Does anyone share my concern that this ever increasing recording of calls is a potentially significant violation of our privacy...? --- Glenn Tenney tenney@netcom.com Amateur radio: AA6ER (415) 574-3420 Fax: (415) 574-0546 ------------------------------ From: binskeep@crl.com (Bob Inskeep) Date: 20 Jul 1994 16:30:29 -0700 Subject: Government E-Mail Directive Organization: CRL Dialup Internet Access Organization: (415) 705-6060 [login: guest] Two friends had been corresponding with me via a Military and Government net. Both recently stopped their e-mail with me and stated that they had received a rather lengthy instruction prohibiting personal e-mail on gov systems. I would like to obtain a copy of the instruction, if it exists. Any help would be appreciated. Thanks. ------------------------------ From: "Kyle Friesen (604) 387-5629" Date: 20 Jul 1994 16:07:00 -0700 (PDT) Subject: SIN use in Canada David Mitchell recently commented on the use of the Social Insurance Number (SIN) in Canada. He wrote: "In Canada, it is illegal to require SIN for a purpose such as that proposed by Sprint." I would like to clarify the issue of SIN usage in Canada by the private sector. The Privacy Commissioner of Canada recently issued a fact sheet on the SIN which our office (the B.C. provincial equivalent to the federal Privacy Commissioner) frequently mails to interested callers (see below). The Treasury Board Secretariat (a part of the Government of Canada) in Ottawa has issued guidelines for SIN use within the Government of Canada, resulting in a narrowing of approved uses over a multi-year period. However, TBS does not regulate the use of the SIN in the private sector, including Sprint Canada. Here is the Privacy Commissioner's fact sheet in its entirety: [begin quotation] "Social Insurance Numbers (SIN) Who can ask me for my SIN? Anyone can ask you for your SIN - there is no law to stop them. Canadians find themselves asked for their SIN by landlords, stores, libraries and even hockey teams. However, you do not have to give it to them. Well, who must I give it to? There are a few federal laws which require you to give your SIN for specific purposes. These are: () for Old Age security, Unemployment Insurance and Canada Pension Plan contributions or claims (the original purposes for the SIN); () for Income Tax identification; () to your employer to send your contributions to UI, CPP and Income Tax; () to banks, trust companies, caisse populaires and stock brokers when they sell you financial products (GICs or Canada Savings Bonds) or services (bank accounts) that generate interest. They declare your interest to Revenue Canada for income tax purposes; () for various Veterans Affairs benefits programs; () for Canada Student Loans; () for two Native peoples' programs (Rural and Native Housing Program and Social Assistance and Economic Development Program); and () for Gasoline and Aviation Gasoline Excise Tax Applications, Canadian Wheat Board Act, Labour Adjustment Benefits Act, Tax Rebate Discounting Regulations, Race Track Supervision Regulations and the National Dose Registry for Occupational Exposures to Radiation. Why do other organizations ask for my SIN? Many stores, financial institutions and even landlords use the SIN to check your credit rating. Credit bureaus use SINs as credit file numbers. Other organizations simply use it as a client number to save them setting up their own numbering systems. And finally, it has simply become a bad habit - it's on the form but no-one knows why. What can happen if I refuse to give my SIN? If you refuse, the organization may deny you the service. This is not illegal even thought successive federal privacy commissioners - and a Parliamentary committee - have said it should be. What can someone find out if they have my SIN? No-one can get access to your federal government records just because he or she has your SIN. The Privacy Act sets out strict rules limiting other peoples' access to your personal information in federal data banks. However, who uses your SIN outside the federal government - and how - depends on how well the organization protects its files. Can a provincial government use the SIN? The law does not prevent provinces (or local governments) from using SINs. In Prince Edward Island, for example, parents of newborns must get the baby a SIN for the health care plan. And provincial governments use the SIN when they administer federal funds (like the Quebec Pension Plan or welfare). However, all provinces (except Alberta and PEI) have privacy laws to protect personal information - including SINs - in government files. And the Quebec privacy lawcovers the private sector. Some provinces are reviewing their uses of the SIN. If you are concerned about your provincial government's use of the number (and/or the private sector in Quebec), call your provincial information and privacy commissioner (or ombudsman where there is no commissioner). See the blue pages of your telephone directory. Why should I worry about the SIN, it's just a number. True, it's just a number and individual file numbers are not necessarily a privacy problem. But the SIN is very powerful because it is unique, accurate and widely used. Computer technology now makes it possible to use the SIN to find and match your information from one database to another. Theoretically, technology makes it possible to assemble a detailed profile about you - what you buy, read, eat, where and when you travel, your medical history, your financial situation. This amounts to 'data surveillance', or monitoring you through your daily transactions. This can pose a serious threat to our autonomy. So what can I do when asked for my SIN? () Ask if you are required by law to provide it (see the list above); () Ask why the person needs it, how it will be used and to whom it will be given; () If not required by law (and you are not satisfied with the explanation), tell the person you prefer not to use the SIN and offer other identification; () If the organization refuses to give you the product or service unless you give your SIN, complain to senior management and possibly to your provincial or federal privacy commissioner (or ombudsman, where there is no commissioner); () If you would like better legal protection for your SIN, call or write your federal member of parliament." [end quotation] __ R. Kyle Friesen Barrister and Solicitor Office of the Information and Privacy Commissioner of British Columbia tel. (604) 387-5629 / fax (604) 387-1696 Internet: kfriesen@galaxy.gov.bc.ca [moderator: This was not delivered as an ASCII file and required considerable editing. Typos and missing data are mine. LPL] ------------------------------ From: tnyurkiw@lambert.uwaterloo.ca (Tom Yurkiw) Date: 19 Jul 1994 16:55:56 GMT Subject: Re: Monitoring of International Calls and Clipper Organization: University of Waterloo ninjo@MIT.EDU writes: I have been following the Clipper debate and I have a question for all of you Privacy readers out there. A. to my understanding the NSA monitors all international commmunications without the need to get any judges approval. B. with the clipper chip, wouldn't the NSA need to have all the escrowed keys at their disposal, in order for them to continue this monitoring? This was exactly the issue recently raised in a Canadian newspaper (The Ottawa Citizen). It is all very well for Americans to haggle over whether the escrowed keys are safe because of the necessity of court orders, etc. but foreign countries have no such protection. So really, that leaves Canada, (and other countries with two options): 1. use Clipper and trust the U.S. government in good faith. heh! 2. each develop their own "Clipper" system. This would require cross-border electronic "gateways" and create horrendous technical problems with respect to translation, etc. for that reason, other countries should oppose Clipper. -- Tommy the Yurk ------------------------------ From: hibbert@netcom.com (Chris Hibbert) Date: 19 Jul 1994 20:51:41 GMT Subject: Re: SSN of Dependants Now Required Organization: NETCOM On-line Communication Services (408 261-4700 guest) Christopher Hoover wrote: My employer has asked me to list all my dependents, their relationships to me, and their *social security numbers*. This is a new requirement from the Omnibus Budget Reconciliation Act of 1993. It's not supposed to take effect until 1/1/95. If your employer's request is valid, it should be accompained by a Privacy Act Notice. Wehn they ask, point to a copy of a W2 and the Privacy Act notice it has to demonstrate what you want. I'm still trying to find out more about this. -- Chris Hibbert protecting privacy in the computer age is hibbert@netcom.com like trying to change a tire on a moving car. ------------------------------ From: lupienj@wal.hp.com (John Lupien) Date: 19 Jul 94 16:54:05 EDT Subject: Re: Clipper Security and other lies From: barmar@Think.COM (Barry Margolin) Crooks currently use ordinary, unencrypted phones for sensitive communications. Clipper phones are at least as secure as unencrypted phones, so why wouldn't they use them? The crooks you mention are the same stupid ones that I mention above. The ones that can expect to survive a caper or two not only don't use phones for sensitive conversations, they don't use "plaintext english" - the law enforcement community is well aware of this fact, and the clipper proposal is not a means of addressing that problem. -- John R. Lupien lupienj@wal.hp.com ------------------------------ From: "Justin Fanning" Date: 20 Jul 1994 18:46:38 EDT Subject: Re: New National ID Card Proposal Organization: Long... Short... (Futures, Melbourne) In Australia, the PI-led campaign led to the dissolution of both houses of the federal Parliament in 1987 after hundreds of thousands marched in protest. The Australian campaign brought together groups from all parts of the political spectrum from the Communist Party to the Libertarian Alliance, farmers and conservation groups, rock stars, academics, large businesses such as banks and mining corporations, but the overwhelming support came from the public who created the biggest civil protest in Australian history. So then they called it a "Tax File Number" and everyone was happy. -- Justin T. Fanning Justin@futures.apana.org.au ------------------------------ From: khinedi@bu.edu (Kareem Hinedi) Date: 20 Jul 1994 20:41:02 GMT Subject: Re: University of New Mexico use of SSN as ID Organization: Boston University ead@netcom.com wrote: What do you make of this paragraph from the application to the University of New Mexico's Office of Graduate Studies: The University of New Mexico uses students' social security numbers as identification at the University. The number is used for record- keeping purposes only. The authority to use the social security number comes from the Board of Regents and was adopted on March 24, 1967. It is mandatory, therefore, that students disclose their numbers in order to enroll at UNM. Is this permitted even if the University complies with the Family Educational Rights and Privacy Act of 1974 (the "Buckley Amendment"), which prohibits them from giving out personal information (e.g. the SSN) on students without permission? from the way I understand it, assuming UNM is a state institution, they can require the use of the SSN as an identifier as long as they post a privacy act notice somewhere (which tells you if and why disclosure of the SSN is mandatory -- and if so, what are the cosequences of not releasing it, and whom they might release it to). One question: what about international students who don't have a SSN when they first come to the US. I am positive, they have some sort of override mechanism. WHen I worked at a university as a computer programmer, students who did not have SSNs were given an ID nunmber of the form: 000-mm-ddyy where mm is month of birth, dd is day of birth, and yy is year of birth. If the number was already assigned, they used 001-mm-ddyy, then 002-mm-ddyy. I don't remember ever seeing an ID number above 004 and this was a fairly large university. (this question would also apply to the rare 17-18 year olds who don't have a SSN either -- they are actually very rare nowadays given that the SSN is required for a parent to claim a child as a dependant for income tax). -- Kareem A. Hinedi Boston University School of Public Health ------------------------------ End of Computer Privacy Digest V5 #010 ******************************