Date: Mon, 09 Jan 95 13:44:42 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V6#004

Computer Privacy Digest Mon, 09 Jan 95 Volume 6 : Issue: 004

Today's Topics: Moderator: Leonard P. Levine

    Police Abuse of Personal Records
    RCMP Probes Police Misuse of Files
    Re: Credit Reporting
    Re: Credit Reporting
    Re: CallerID Opinion
    Re: CallerID Opinion
    Re: CallerID Opinion
    Re: Opening Mail
    Re: School Monitoring
    Re: False data
    Re: Signature Digitizers
    Re: Signature Digitizers
    Re: Signature Digitizers
    Archives for Volume 5
    Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: Robert Jacobson
Date: 07 Jan 95 10:47:20 -0800
Subject: Police Abuse of Personal Records

About a decade ago the executive director of the Port of Fresno and the Fresno County (CA) Board of Supervisors had a major falling out over management of the Port. Two supervisors (elected officials) were particularly unhappy with the fiscal condition of the Port and the dictatorial management techniques of the executive director. The Board members convened a series of special hearings prior to seeking the executive director's resignation.

While they prepared, the executive director of the Port, drawing on powers delegated to port authorities by state law, deputized a number of his security guards, rendering them "real" policemen. As a result of their new status, the "Port Police" gained access to California's extensive and comprehensive law enforcement information system, including access to confidential materials (like arrests, investigations in process, and so forth -- matters that never go to trial, for example).

Wouldn't you know it?
Search long enough and you can turn up anything: the Port Police found that there were certain investigations of the aggressive supervisors in the past and, in fact, by simply using the system, the Port Police were adding to the supervisors' records!

It didn't come out until after the fact, but the series of hearings on the Port of Fresno's management were quietly cancelled and the supervisors went on to other matters.

--
Bob Jacobson
Former Staff Director
Assembly Utilities and Commerce Committee
California Legislature

------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 09 Jan 95 13:35:45 EST
Subject: RCMP Probes Police Misuse of Files

The _Globe and Mail_ reports (95.01.07, p. A1) on an ongoing investigation in British Columbia:

RCMP can't tighten security on police files: Possible misuse of confidential data on abortion clinic staff probed in B.C.

By Robert Matas, British Columbia Bureau

VANCOUVER -- Every year, some police officers in every province are accused of misusing confidential information that they are authorized to obtain, and the RCMP says it cannot figure out how to tighten security.

Currently, a police officer in Delta, B.C., is under investigation to determine whether he gained access to confidential files at the RCMP's Canadian Police Information Centre to help the anti-abortion movement.

The article goes on to make the following key points:

* Workers at several abortion clinics "have been harassed at home by anti-abortion activists, even though their phone numbers are unlisted."

* Provincial authorities in B.C. have initiated a review of security arrangements for motor-vehicle databases; they will focus on need-to-know and on audit trails.

--
M.E.Kabay,Ph.D.
DirEd/Natl Computer Security Assn (Carlisle, PA)
Mgmt Consultant/LGS Group Inc.
(Montreal, QC)

------------------------------

From: eric@PrimeNet.Com (Eric Smith)
Date: 07 Jan 1995 22:13:27 GMT
Subject: Re: Credit Reporting
Organization: Primenet

Scott Coleman wrote:

My understanding is that each of us has MULTIPLE credit reports, one with each of several credit bureaus (the big three certainly, and probably some smaller regional and local ones, as well). These reports can differ, depending on which financial institutions report to which bureaus. Thus, by checking "your credit report" (singular) from only one bureau, you may be missing inquiries made for your report at another bureau. As an example, I know my local credit union checks my credit report at some regional credit bureau, but doesn't ask TRW, Trans Union, et al. You might wish to obtain copies of ALL your credit reports - I'm afraid you may be in for a rather rude awakening.

If we had an ounce of sense, we would insist that our politicians give us the right to choose our credit bureaus. We could do so by refusing to vote for those who failed to vote in favor of such a law.

Such a law could be very simple, for example it could require that each individual credit bureau get written permission directly from each consumer once per year to continue to keep their file. Then the consumer filling out a credit application could indicate by checking a box on the form which credit bureau they wanted the creditor to check.

And appearances to the contrary, this would not invite fraud by criminals applying for credit. They would have to give the creditor a credit bureau that had permission to keep their credit file, or their credit application would be automatically denied by the creditor, just as it is now when the credit report comes back saying "file not found."

The logic for this is very clear and hard to argue against. For example, why should you be required to pay money to three different credit bureaus just to find out if there are any mistakes on your file?
And why should you be required to support credit bureaus that treat you like dirt? Make them suck up, by voting against them. Make them compete against each other for your favor. You should have the right to say to your credit bureau, "if you put one more mistake on my file, I'm taking my file elsewhere", without having them laugh and dismiss you as another one of those silly consumers who think they have rights.

------------------------------

From: froggy@ix.netcom.com (PHILIP KLOSSNER)
Date: 09 Jan 1995 02:38:38 GMT
Subject: Re: Credit Reporting
Organization: Netcom

mea@intgp1.att.com (Mark E Anderson +1 708 979 4716) writes:

I receive the so called pre-approved credit cards and credit in the mail about once a week and rip them up without bothering to open the envelope. None of these outfits have touched my credit report from what I've seen.

genghis@ilces.ag.uiuc.edu (Scott Coleman) writes:

Interesting choice of phrase, that last. Your use of the singular implies that you believe that there is only ONE credit report for each person which may be checked by banks and other parties. My understanding is that each of us has MULTIPLE credit reports, [snip] You might wish to obtain copies of ALL your credit reports - I'm afraid you may be in for a rather rude awakening.

You are so right! There are (at least) 3 major bureaus and any number of regional/local ones. Sometimes, when I've applied for something, I get a notice from agencies I've never heard of - no local to LA branch, and not some division of a major.

You're equally on target with getting credit report*s*! About 6 months ago, some regional (Dallas, TX) bureau had me as having purchased a Lexus and then promptly disappearing. Much frustration later, this mess is straight with the majors (e.g. TRW) and some smaller ones. But even now, I get "odd rejections", where the report comes from some new "I've never heard of them" bureau.
As all likely know, bureaus share info and there is an extensive network of these small agencies out there. In some respects, you may be in luck if you get a report from one - you'll have one more of these (sub)nets to track along.

I agree with this thread: never take a credit rejection/report lightly or suppose that the issue stops there. You may have to pursue such an issue through quite a nasty maze.

------------------------------

From: les@SAIL.Stanford.EDU (Les Earnest)
Date: 07 Jan 1995 23:04:15 GMT
Subject: Re: CallerID Opinion
Organization: Computer Science Department, Stanford University

Carmen C. Richberg writes:

The Caller ID Service in North Carolina is now in many calling areas and it continues to grow. It was extremely upsetting when I learned that Caller ID could only be offered with the provision of free universal perline and percall blocking.

Thank goodness, North Carolina did it right!

If a person can call my home knowing my telephone number, then it is my right to know what number is calling me.

Really? I don't recall seeing that in the Bill of Rights.

If a person is honest, then they should not have anything to hide.

Perhaps they honestly don't want you to have their telephone number. If you get the gadget that displays calling numbers, you obviously have the option of not answering anonymous calls if you choose.

--
Les Earnest (Les@cs.Stanford.edu)
Phone: 415 941-3984
Computer Science Dept.; Stanford, CA 94305
Fax: 415 941-3934

------------------------------

From: Panopticon@oubliette.COM (Ian Shook)
Date: 07 Jan 95 17:22:12 CST
Subject: Re: CallerID Opinion

carmen@infi.net (Carmen C. Richberg) writes:

The Caller ID Service in North Carolina is now in many calling areas and it continues to grow. It was extremely upsetting when I learned that Caller ID could only be offered with the provision of free universal perline and percall blocking.

I must summarize some of what I removed.
Carmen later explicitly stated that she supports a fully functional caller ID system as her right as a phone user, and based it upon the analogy of phoneline is to house as front door is to home. (This should stave off anyone e-mailing her based upon the selection of her text which I am responding to, which taken out of context might seem to imply to some that she is shocked at the caller ID service in itself.)

While I was working with the collections personnel at a local mortgage company I saw a magazine which collections people subscribe to often. I must apologize because I don't recall the title, and if anyone else does, please do e-mail me as I was interested enough to subscribe to it.

In this magazine there was an article on equipment for sale to the collections community which defeats caller ID call blocking. A computer scientist friend of mine at the UWM confirmed the existence of such equipment.

So, it is my understanding that all a person needs is a piece of equipment that reads the blocked information because there is only a single bit set in the message stream that says the information has been blocked. So it is your personal CID equipment that notices the bit and then blocks the information. Therefore anyone with the right equipment, or "wrong" equipment depending on your side in the argument, can read the supposedly blocked information anyway. This was meant for certain government agencies, and certain other private concerns I can imagine.

But, I further understand that due to incompatibility between telephone system equipment in different LATAs the caller blocked number may still show up on the recipient's end regardless of the caller's intentions to block, or the type of equipment the receiver has.

If anyone has more exact info I look forward to hearing from them.
--
Eric Shook, LPD
Panopticon Investigative Services
Milwaukee, WI
Voice/DATA/Fax: (414) 372-6418
E-mail: Panopticon@Oubliette.COM

------------------------------

From: dskidmo@halcyon.com (Don Skidmore)
Date: 08 Jan 95 13:15:10 PST
Subject: Re: CallerID Opinion
Organization: The Lone Net-Surfer :-) !

carmen@infi.net says...

I do not view Caller ID as an invasion of privacy for the caller, as some have expressed that oppose Caller ID. In fact, it provides security and privacy. I pay for my telephone service, not the caller. I do not let people enter my home without first asking who is it? Nor, do I want to answer my phone without knowing who is calling. If a person can call my home knowing my telephone number, then it is my right to know what number is calling me. If a person is honest, then they should not have anything to hide.

Right on!

I would like to see the service be updated with the following: PerCall Blocking only, Anonymous Call Rejection, and Number and Name Delivery in and out of state.

Looks like you are about to get at least some of your wish. Effective in April, new FCC regs will require passing Caller-ID info long distance to the extent possible and limits call blocking to per-call blocking. Anonymous call rejection would be a local issue. Sure wish US West would offer it--I'd sign up in a flash.

--
__ __ _ __ | Just my opinion? You bet!
___/ /__ / /__ (_)__/ /_ _ ___ | dskidmo@halcyon.com
/ _ (_- writes:

Why not? It is legal. I am employed in the banking industry, in the

I work for a payroll service with some "upscale" payees. After a scandal where an employee was caught calling one at home (for a date), my employer researched exactly what activities of employees can be monitored and when. This applies to California, and hasn't been legally tested yet.

After this research, employees were explicitly warned (handbook) that:

1. email/internet traffic can be read by the company without specific cause.
   (Logic: it is the company's system and anything said could reflect on the company. There are cases upholding a firm's right to "protect its image" even though that may somewhat impinge on the right of free speech.)

2. phone conversations and vmail may be monitored without cause.

3. finally, there's the standard "... can look through desks, etc." at any time and without cause.

Of course, this isn't a school, where it may be that a higher degree of freedom is allowed. But (as I saw in an earlier posting), it seems to be the in thing out here in the work world.

Well, as the handbook says: If you don't want us to see it, don't send it...

------------------------------

From: jonsg@diss.hyphen.com (Jon Green)
Date: 09 Jan 1995 13:54:11 +0000 (GMT)
Subject: Re: False data

In a possible past, Leonard P. Levine levine@cs.uwm.edu said:

On Dec 30 I went to the Radio Shack at 807 E. Capital Drive in Milwaukee Wisconsin and purchased an adapter plug (part 274-325) for $1.59. When asked for my phone number I gave them the random string 4234 and when I was asked if my name was Maldonaldo, I said "sure". So now I have a receipt with a copy of Mr Maldonaldo's address, phone number and zip and area codes. I sure hope they were as phoney as what I would have given them for this essentially cash, no warranty transaction.

In the UK, Tandy (=Radio Shack) appear to have abandoned insisting upon the customer's name and address for each transaction. Even when they did, I used a number of tactics to avoid the dreaded mailing list:

1) "Nahhh, you don't need to know that!" Works for cash transactions, but they used to get iffy about card transactions, despite the fact that they didn't _need_ the n&a details, like any other trader;

2) If they insisted, for card transactions or warranties, I used to write across a vital part of the counterfoil, "Not to be used in any computer database or for marketing purposes" - or words to that effect.
This, I believe, would make it a criminal offense under the Data Protection Act for them to do so;

3) If they were _really_ stubborn, or wouldn't accept that wording, I'd simply tell 'em to cancel the whole transaction and get the manager. Ohhh, but they didn't like that one bit!

They were the only store in England in which I shopped who would insist on those details, and I abhor aggressive and intrusive marketing.

------------------------------

From: "David C. Frier"
Date: 09 Jan 1995 08:58:48 -0500
Subject: Re: Signature Digitizers
Organization: Express Access Online Communications, USA

On 7 Jan 1995 Moodperson@aol.com wrote about having his signature digitized as part of the process of opening a Sears charge account.

In Maryland now, when you obtain or renew your driver's license, your signature is digitized and stored. The process involves your signing your name on a 3x5 card which is fixed over a tablet. The 3x5 card says, rather disingenuously, that the signature *on*that*card* will not become part of your records. Well, of course it won't -- it's the digitization of said signature that becomes part of the record!

The clerk then makes a big show of tearing up the card and throwing it away, but she would not give me a blank card to take (I wanted to copy its deceptive verbiage verbatim for this group).

The licence now also features a fat magnetic strip and a digitized photograph. How would I go about finding out just what is in that strip? I don't expect much help along those lines from the MD DMV.

--David

GB/CM Life is complex: d++(-) H- part real, s+:+ g+ p+ w+ part imaginary. a37 v++ C+++$ N++ U--- W+ M-- -po+ Y+ f t-- j++3 tv- b+++ n--- e+ h---- u** y++++ r+++(-) n---* B--

------------------------------

From: "Jongsma, Ken"
Date: 09 Jan 95 11:59:00 PST
Subject: Re: Signature Digitizers

With the discussion regarding Sears and signature digitizers heating up, I thought that a recent full page ad by UPS in the latest Business Week was interesting.
UPS is using the signatures they've been capturing to be reproduced on a proof of delivery report that can be requested. A shipper can call UPS and provide the package tracking number and according to the ad, UPS will fax back a report with the delivery details and signature of the recipient.

I recall that Amoco used to do this a few years back with their Amoco (gasoline) charge card. Similar to what American Express does, Amoco used to reproduce a copy of the signature on the monthly statement. For whatever reason, Amoco only did this for a few years before giving it up.

--
Ken Jongsma
kjongsma@p06.dasd.honeywell.com

------------------------------

From: mcdunbar@crems.rockwell.com (mcdunbar)
Date: 09 Jan 1995 19:06:35 GMT
Subject: Re: Signature Digitizers
Organization: Rockwell International Corp

Moodperson@aol.com says:

I recently opened a Sears charge account. Part of the process required me to digitize my signature as I signed through the credit request. I was told this was to prevent forgery.

I made a purchase at a Sears store yesterday using a non-Sears credit card. When I refused to sign the receipt on the digitizing pad, I was also told it was to prevent forgery. When I asked for a manager, the clerk immediately relented and let me sign the paper receipt. The clerk explained that the signature was "only going into the computer" and that Sears would never do anything bad with it.

The digitizing pad capturing my signature is probably no worse than scanning my signature off the receipt. As technology improves and the digitizing pad can capture not only the outline of the signature, but the pressure and stroke rates, perfect forgeries could be made.

On another subject... I called the local cable company to get service installed. They wanted my SSN. When I asked why, I was told they needed to verify who I was. When I told them they didn't need my SSN, they backed down and hooked up my service anyway. What on earth do they need the SSN for??
--
Mark Dunbar

------------------------------

From: "Prof. L. P. Levine"
Date: 09 Jan 1995 13:24:34 -0600 (CST)
Subject: Archives for Volume 5
Organization: University of Wisconsin-Milwaukee

The archives for CPD Volume 5 are complete and can be found via ftp, gopher, lynx or mosaic at the following addresses:

    Ftp:    ftp.cs.uwm.edu
    Gopher: gopher.cs.uwm.edu
    Lynx:   gopher://gopher.cs.uwm.edu
    Mosaic: gopher://gopher.cs.uwm.edu

The archives contain indexes for the volume organized by name and by subject as well as the digests themselves. You are free to browse the archives via any of the above servers.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top.
Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.
Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V6 #004
******************************