Date: Tue, 27 Dec 94 12:37:04 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V5#078 Computer Privacy Digest Tue, 27 Dec 94 Volume 5 : Issue: 078 Today's Topics: Moderator: Leonard P. Levine Yet Another Bad Use of An SSN School Monitoring Re: 3 Hits and You're Out Re: 3 Hits and You're Out Re: 3 Hits and You're Out Internet Ethics Paper Mother's Maiden Name Credit Card Information Stolen K-12 Student Records: Privacy at Risk Info on CPD, (unchanged since 11/28/94) ---------------------------------------------------------------------- From: jepstein@cordant.com (Jeremy Epstein -C2 PROJECT) Date: 22 Dec 1994 15:02:31 -0500 (EST) Subject: Yet Another Bad Use of An SSN I purchased a new car the other day, and the salesman walked me through a "customer satisfaction" survey that we'll receive from Ford Motor. He said that it'll be coded with his SSN for tracing purposes. Interesting use of that number... ------------------------------ From: collins@nova.umd.edu (Jim C) Date: 22 Dec 1994 17:42:48 -0500 Subject: School Monitoring Organization: University of Maryland University College Recently, the logon banner at my school/internet provider has had an unsettling addition to it: "All usage of this system is monitored for security purposes, and by signing on to the system you are implictly consenting to this monitoring." Yipes! What are the implications of this? Is this even legal? I don't expect to pick up the phone and hear "By using this service you are implictly consenting to being montored for security purposes", I don't expect to go mail a letter and see on the mailbox "By using this service you are implictly consenting to subjecting your mail and parcels to inspection". What is this nonsense? Jim C. PS I hope they are "monitoring" this. ------------------------------ From: "Virginia Matzek" Date: Thu, 22 Dec 1994 10:08:00 PACIFIC Subject: Re: 3 Hits and You're Out Organization: California Alumni Assoc. I've been told that it is a good thing to periodically check on one's own credit, to make sure that there is no mistake in the record. Would this qualify as a "strike" on the aforementioned "3 (or so) strikes and you're out"? Also, does anyone have any advice for me on how to go about doing this? For example, will it cost me anything (to inquire into information about myself)? =================================================================== Virginia Matzek vmatzek@alumni.berkeley.edu "From the keyboard, through the modem, bounced off an ip gateway, through some far-away routers to a logical interface near you... Nothin' but Net!!" -- Ryan Rediske ------------------------------ From: ranck@earn.net (Bill Ranck) Date: 23 Dec 1994 09:02:41 GMT Subject: Re: 3 Hits and You're Out Organization: Universite Paris-Sud, France. Mike Bandy (bandy@aplcomm.jhuapl.edu) wrote: Indeed, I just bought a new house and had to justify to the mortgage company a credit check made by a bank. I had no idea who they were or Now to figure out why the bank really was looking at my credit... The last time I looked at my credit report there were quite a few queries on there from banks I don't deal with. They seem to correspond with mail compaigns offering credit cards. In other words they query *everybody* in the database to find who they are going to solicit. You would think this type of query would be flagged differently though. -- * Bill Ranck +33.1.69.41.24.26 ranck@earn.net * * Technical Staff, European Academic & Research Network (EARN) Orsay, France * ------------------------------ From: mikus@bga.com (Mikus Grinbergs) Date: 23 Dec 1994 13:17:17 GMT Subject: Re: 3 Hits and You're Out Organization: Gone Walkabout Robert Ellis Smith wrote: On Dec. 5, 1994, Geoffrey Knauth asked whether the mere fact that someone inquires into your credit-bureau file may have negative consequences for you. The answer is yes. Credit grantors regard an inquiry from a company into your credit file without any evidence in your credit file that the company subsequently granted you credit as evidence that the company rejected you. To many credit grantors, three inquiries in a short period of time without any granting of credit indicates that your credit applications have been rejected three times. That's enough for other companies to reject you. What I personally find objectionable is to receive unsolicited letters saying: "You have been PRE-APPROVED for our credit card (or vacation rental, or whatever). Just sign here." I make it a point not to respond. Now you tell me that these hucksters (who've run credit checks on me that I haven't authorized) make footprints that look like "credit-denied", unless I accept their offer ? Mind-boggling! ------------------------------ From: VidFreak@ix.netcom.com (Matthew Horn) Date: 24 Dec 1994 06:16:17 GMT Subject: Internet Ethics Paper Organization: Netcom Hi there... I recently wrote two papers for college courses this past semester. The first was one on how different communication on the Internet is from face-to-face communication. The second, and the one I would like to get some discussion on, was about how the Internet could be used to build an Ethical Society. I would put the entire paper here, but I know how tired my eyes get reading long posts on local BBSs. Suffice it to say, that it is a research paper which takes all the available research I had (magazines mainly) and tried to tie them together to show that the Internet's Virtual Communities could be the paving stones for a new ethical structure to begin. I would like to hear from some of you who read this newsgroup about what you see as ethical issues on the computer networks. This could be anything from censorship to being polite. I need to flesh out the paper some so that I can submit it to a national foundation for consideration in their upcoming contest. Thanks for all the help you can give. -- E-Mail me here (VidFreak@ix.netcom.com): Vid.Freak@aol.com matthew.horn@wildcat.olivet.edu ------------------------------ From: Rich24@aol.com Date: 23 Dec 1994 21:27:31 -0500 Subject: Mother's Maiden Name I have followed the discussion on this means of verifying the user of a chargeable service. Why not offer people the option of inputting 4 or 5 different identifying facts such as place of birth, high school name, etc. When the user makes a charge, the company would randomly ask for one of the pieces of information. I realize this system wouldn't eliminate unauthorized use totally, but it might help cut down on fraud. -- Rich Sagall ------------------------------ From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Date: 26 Dec 94 22:15:29 EST Subject: Credit Card Information Stolen In the _Globe and Mail_ (sometimes referred to as the _Groan and Wail_), "Canada's National Newspaper", for 94.12.15 (sorry about the delay in posting), there's a note about the theft of credit card information during ordinary commercial transactions and its use by criminals: Credit-card scheme funded heroin trade, police charge: Personal data gleaned from purchases made at CN Tower. By Peter Moon Globe and Mail TORONTO -- A $1.5 million fraud scheme in which stolen credit-card information was used to finance heroin smuggling has been cracked, poilice say. The scheme involved obtaining confidential information about all credit cards used at the CN Tower during more than three years, RCMP Inspector Dave Douglas said yesterday. According to the author, the stolen credit card information was used to generate cash with the help of dishonest businesses. Apparently a night auditor in the large tourist trap in downtown Toronto obtained "computer records involving every purchase made with about 28,000 cards" from January 1989 to May 1994. The alleged criminals "shared... an acute understanding of how financial institutions operate and how they can benefit from the illicit gains obtainable from credit," said Inspector Douglas. Using credit cards issued by small U.S. banks, "many of whom do not have the security and credit vetting resources of Canada's large chartered banks," the criminals and their business confederates generated phony transactions and shared the proceeds. Apparently "many customers did not bother to check or challenge fraudulent items that appeared on their monthly bills." Detective-Sergeant Charles Konkel of Toronto Metro Police said, "Our evidence... is that it is a multi-multi-million dollar, perhaps billion-dollar enterprise and we're just touching the surface with our investigations." The conspirators turned their stolen funds into gold bullion and took them to Hong Kong, returning with illegal drugs which multiplied their gains. <> M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn ------------------------------ From: "Prof. L. P. Levine" Date: 23 Dec 1994 06:09:36 -0600 Subject: K-12 Student Records: Privacy at Risk SEATTLE CPSR POLICY FACT SHEET K-12 STUDENT RECORDS: PRIVACY AT RISK --------------------------------------------------------------------------- TOPIC The U.S. education system is rapidly building a nationwide network of electronic student records. This computer network will make possible the exchange of information among various agencies and employers, and the continuous tracking of individuals through the social service, education and criminal justice systems, into higher education, the military and the workplace. WHAT IS THE ISSUE? There is no adequate guarantee that the collection and sharing of personal information will be done only with the knowledge and consent of students or their parents. CHANGES ARE COMING TO STUDENT RECORDS National proposals being implemented today include: - An electronic "portfolio" to be kept on each student, containing personal essays and other completed work. - Asking enrolling kindergartners for their Social Security Numbers, which will be used to track each student's career after high school. - Sending high school students' transcripts and "teachers' confidential ratings of a student's work-related behavior," to employers via an electronic network called WORKLINK. At the heart of these changes is a national electronic student records network, coordinated by the federal government and adopted by states with federal assistance. Publication 93-03 of the National Education Goals Panel, a federally appointed group recently empowered by the Goals 2000 legislation to oversee education restructuring nationally, recommends as "essential" that school districts and/or states collect expanded information on individual students, including: - month and extent of first prenatal care, - birthweight, - name, type, and number of years in a preschool program, - poverty status, - physical, emotional and other development at ages 5 and 6, - date of last routine health and dental care, - extracurricular activities, - type and hours per week of community service, - name of post-secondary institution attended, - post-secondary degree or credential, - employment status, - type of employment and employer name, - whether registered to vote. It also notes other "data elements useful for research and school management purposes": - names of persons living in student household, - relationship of those persons to student, - highest level of education for "primary care-givers," - total family income, - public assistance status and years of benefits, - number of moves in the last five years, - nature and ownership of dwelling. Many of these information categories also were included in the public draft, "Student Data Handbook for Elementary and Secondary Education," developed by the Council of Chief State School Officers to standardize student record terminology across the nation. State and local agencies theoretically design their own information systems, but the handbook encourages them to collect information for policymakers at all levels. Among the data elements are: - evidence verifying date of birth, - Social Security Number, - attitudinal test, - personality test, - military service experience, - description of employment permit (including permit number,) - type of dwelling, - telephone number of employer. WHO CAN ACCESS THIS COMPREHENSIVE INFORMATION? Officers, employees and agents of local, state and federal educational agencies and private education researchers may be given access to individual student records without student or parent consent, according to the federal Family Educational Rights and Privacy Act of 1974 (20 USC 1232g) and related federal regulations (34 CFR 99.3). Washington state law echoes this federal law. WHAT IS COMING NEXT? Recent legislation passed in Washington state (SB 6428-'92, HB 1209-'93, HB 2319-'94) directly links each public school district with a self- governing group of social service and community agencies that will provide services for families. This type of program is described in detail in the book, _Together We Can_, published jointly by the U.S. Department of Education and the U.S. Department of Health and Human Services. The book speaks of overcoming "the confidentiality barrier," and suggests creating centralized data banks that gather information about individuals from various government agencies- or in other ways ensuring agencies, "ready access to each other's records." The book calls for a federal role in coordinating policies, regulations and data collection. A group in St. Louis, MO, called Wallbridge Caring Communities, is cited as a model for seeking agreements to allow computer linkups with schools and the social service and criminal justice systems to track school progress, referrals and criminal activity. WHAT HAPPENED TO ONE COMMUNITY In Kennewick, WA, over 4,000 kindergarten through fourth graders were rated by their teachers on how often they lie, cheat, sneak, steal, exhibit a negative attitude, act aggressively, and whether they are rejected by their peers. The scores, with names attached, were sent to a private psychiatric center under contract to screen for "at-risk" students who might benefit from its programs. All of this was done without the knowledge and consent of the children or their parents. CPSR'S POSITION CPSR Seattle believes that schools and other agencies should minimize the collection, distribution and retention of personal data. Students and/or their parents should decide who has access to personal information. CPSR ACTIONS Representatives of CPSR Seattle have gone to Olympia to: - oppose the use of the Social Security Number as the standard student identifier, - urge legislators to set educational goals that can be measured without invading privacy, - oppose turning over individual student records to law enforcement officials apart from a court order or official investigation. Reports cited: _Goal 2 Technical Planning Subgroup on Core Data Elements_. National Education Goals Panel, Washington, D.C. 4-21-93. (ED# 361 403, TM# 020 509). "Student Data Handbook for Elementary and Secondary Education." Council of Chief State School Officers, Washington, D.C. draft 9-11-92. _Together We Can_. Atelia Melaville, et al. U.S. Government Printing Office. 4-93. (PIP 93-1103). You may redistribute this fact sheet, as long as it is not modified. Computer Professionals for Social Responsibility - Seattle Chapter, P.O. Box 85481, Seattle, WA 98145-1481. (206) 365-4528. cpsr-seattle@csli.stanford.edu 6/15/94 ------------------------------ From: "Prof. L. P. Levine" Date: 28 Nov 1994 08:46:14 -0600 (CST) Subject: Info on CPD, (unchanged since 11/28/94) Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions generally are acknowledged within 24 hours of submission. An article is printed if it is relevant to the charter of the digest and is not redundant or insulting. If selected, it is printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the subject line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V5 #078 ****************************** .