Date: Fri, 27 Jan 95 18:56:32 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V6#011 Computer Privacy Digest Fri, 27 Jan 95 Volume 6 : Issue: 011 Today's Topics: Moderator: Leonard P. Levine Re: Radio Shack Respects My Privacy Re: Radio Shack Respects My Privacy Re: Requests for Home Phone Numbers Re: Requests for Home Phone Numbers Re: Requests for Home Phone Numbers SSN Required for Cellular phone application SSN, The Way to Your Pocket Re: Is the Post Office Subsidized? US Government Regulations and Internet Access Who is Looking at Your Files? A Small but Satisfying Victory Re: Cybersex Seattle Private Caller Card Re: Are the Cyber Police Coming? Info on CPD [unchanged since 12/29/94] ---------------------------------------------------------------------- From: privacy@interramp.com Date: 25 Jan 95 20:49:23 PDT Subject: Re: Radio Shack Respects My Privacy Organization: PSI Public Usenet Link writes: In a recent visit to a local Radio Shack I saw, for the first time, a poster on the cash register with a picture of the big boss saying that Radio Shack Respects Your Privacy. He then goes on to discuss their long standing policy of asking for phone numbers. Seems that they might be getting the point, let's watch. Dear Professor Levine and fellow privacy advocates: Last summer, I too began noticing these signs with "the boss" also. I was impressed by the sensitivity and apparent sincerity of the message. However, allow me to share personal experiences that I believe will make you wonder whether it is in practice or just lip service. At every Radio Shack where I have purchased a product, I have been asked for my telephone number. In many instances, a simple "None" uttered by me is sufficient. In some cases, I have been told that the system has to have a number; when I ask the ckerk to input the store's number, that usually solves the problem. However, several times when I used a credit card in the Fall of 1994 the clerk told me that they had a right to demand my address. When I questioned this practice, the employee pulled out a statement from the back of the store indicating that Mastercard and Visa International allow merchants to request further information (such as address) if the purchaser is deemed suspicious or in cases of purchase by mail order. I called Mastercard Internation, Visa International, Discover Card, and American Express. Apparently they allow their merchants to engage in this practice if they deem the purchaser as "suspicious." However, certain states (such as Pennsylvania) have laws regarding the acquisition of such information. When I asked the Radio Shack employee (who had never met me before) if I seemed "suspicious," he remained silent, and I told him that I am the Editor of Privacy Newsletter, a monthly publication that address privacy concerns. I told him that I intended to document this event, and he decided to ring up the order without further discussion and without collecting my address. By no means did I use my journalistic powers to manipulate this clerk, but he, apparently, did not want any trouble. Last story: While returning a product purchased by credit card but without providing my address, I was told that I could not receive credit unless I provided my name, address, and phone number. (This would have been the same had I paid in cash, also.) I told the individual I did not feel comfortable providing that information. He responded that it was for control purposes, and that Radio Shack needed that information to make sure that it was not a fraudulent return. As a businessperson, I realized Radio Shack's predicament, and I sympathized. This is often the case when I get a refund from the supermarket when they scan a higher price. However, either they respect privacy or they don't. If I had paid cash, I would have been even more adament about not providing information. I provided the information but did not feel happy about it. My conclusion is that the "boss' sign" has sincere intentions and is not intended as a blow off. However, Radio Shack is not doing the best that it can by my book. I leave you all with the following thought. How can a company conduct anonymous or name-only returns but still protect itself against crooks who try to return products they never bought? It is often months later that companies realize that they returned money to ganiffs. If Radio Shack and others truly want to respect our privacy, then I think it's only fair that we try to address their concerns if we are to make progress. John Featherman Privacy Newsletter PO Box 8206 Philadelphia PA 19101-8206 Phone: 215-533-7373 E-mail: privacy@interramp.com [moderator: Short responses also came from: Fidler, Mark G., Ron Bean, Glen L. Roberts, and Winston Edmond.] ------------------------------ From: fec@arch4.ho.att.com (F E Carey) Date: 26 Jan 95 22:11:39 EST Subject: Re: Radio Shack Respects My Privacy I got no end of grief from the salesman, as he even claimed that his loss prevention people had been there that very same day, and he could get in trouble for making a sale without the ID. He grumped the whole way through about how he could make my life easier if I'd make his easier and not get him in trouble. But, in the end, he finally did take my money and tell me I wasn't entitled to a refund or exchange. A few years ago one of my boys worked part time in Radio Shack while he was in school. He was expected to get home info on a very high percentage of his sales and his compensation was affected by failure to achieve this goal. I think the goal was in the 80% - 90% range. No wonder the clerk grumped. He might lose dollars. The loss prevention/no refund stories are a lot of you-know-what. My son and his peers quickly recognized the reluctance of customers to provide phone numbers and home addresses so they got creative. The created a record for their store and used the store phone number as the key. Whenever a customer seemed reluctant to give their phone, the clerk would enter the store number, the store would be counted as a customer and would presumably get the junk mail. The customer was happy, the clerk was happy, and Radio Shack never knew that their system had been corrupted. I also knew an airlines reservation clerk who was beating the automated system that tracked her performance and she won "reservations clerk of the month" every month for a long time. We were surprised they never got suspicious. But this has nothing to do with privacy so I'll save the story of her technique for another forum. Frank Carey at Bell Labs f.e.carey@att.com ------------------------------ From: "Dennis G. Rears" Date: 25 Jan 1995 22:09:55 GMT Subject: Re: Requests for Home Phone Numbers Organization: U.S Army ARDEC, Picatinny Arsenal, NJ Chip Kaye wrote: I recently opened an account on CompuServe and filled in my home phone # on their online form as 555-555-5555. You provided false information. Most likely compuserve was going to extend you credit. I then tried logging onto the account a few days later and was given an 800 number to call to complete my unverified home phone. Good for compuserve. >I would prefer not to give out my >phone number but was told that their policy was to require at least 1 >phone number. I am wondering about the legality of this requirement. Nothing illegal about it. You don't have to provide the number, they don't have to provide you service. You make the choice. I vaguely remember a number of years ago that merchants were prohibited from requesting phone numbers when processing customer credit card purchases. This might have by done by the credit card companies not the state. -- dennis ------------------------------ From: wbe@psr.com (Winston Edmond) Date: 26 Jan 1995 20:49:32 GMT Subject: Re: Requests for Home Phone Numbers Organization: Panther Software and Research I recently opened an account on CompuServe and filled in my home phone # on their online form [...] I would prefer not to give out my phone number but was told that their policy was to require at least 1 phone number. I am wondering about the legality of this requirement. I vaguely remember a number of years ago that merchants were prohibited from requesting phone numbers when processing customer credit card purchases. What you're vaguely remembering is that if you're in a store where the sales clerk is able to verify your in-person signature against the signature on the card, then in some states the store can't refuse to make the sale just because you don't give them yet more personal data. I think similar language is also part of the merchant agreement for MasterCard, VISA, and probably other cards. This doesn't apply to CompuServe on-line forms. If all you've done is fill out an on-line form, they don't have your signature and without an exchange of letters or the ability to call you, they have no way to verify who you are. Is it _legal_ for them to ask you for a phone number? I think so. If you have a non-directory or unlisted number, contact them, tell them of your concern about the number you give them becoming public, and see what happens. I'd guess they'll then send you a paper form to fill out, sign, and mail or FAX back to them. -- WBE ------------------------------ From: bear@fsl.noaa.gov (Bear Giles) Date: 27 Jan 95 17:09:54 GMT Subject: Re: Requests for Home Phone Numbers Organization: Forecast Systems Labs, NOAA, Boulder, CO USA aj027@yfn.ysu.edu (Chip Kaye) writes: I vaguely remember a number of years ago that merchants were prohibited from requesting phone numbers when processing customer credit card purchases. That's in the "merchant's agreement" with the credit card umbrella organizations (e.g., Mastercard International). They can request ID to verify the cardholder's identity, but only prior to requesting authorization and only if they don't record the specific information. Something like "Colo DL" is acceptable, especially for people like me who refuse to sign credit cards. (I write "SEE PHOTO ID" instead.) I recently opened an account on CompuServe and filled in my home phone # on their online form as 555-555-5555. I then tried logging onto the account a few days later and was given an 800 number to call to complete my unverified home phone. I would prefer not to give out my phone number but was told that their policy was to require at least 1 phone number. I am wondering about the legality of this requirement. Let me give you an counterexample. I'm a country hick flying through JFK Int'l and punch in my calling card number like I do back home. Unknown to me, several people with binoculars have written it down and start passing it around to their friends. I'm travelling for several weeks and a 3" thick phone bill is sitting in my mailbox when I return home. I owe AT&T $38,217.43 for calling card calls made worldwide. I didn't make those calls. Do I have to pay AT&T? If not, doesn't AT&T have the right to have a reasonable method of contacting me if it suspects fraud on my account, to minimize *its* losses? Unless you're willing to accept fradulent charges to your Compuserve account, it's unreasonable to demand that Compuserve have no way to contact you in case it suspects fraud. An email to your account is not sufficient, since 1) you may not log in frequently and 2) the criminal could wipe the message before you see it. A letter may not be "timely" enough to prevent significant losses. On the other hand, some computer service providers use a "gas tank" model where you make a deposit and connect/disk/mail charges are taken directly from these funds. When you exhaust the money, services are discontinued until you make another deposit. This limits the risk to both parties, and in such a situation refusing to provide a phone number may be reasonable. -- Bear Giles bear@fsl.noaa.gov ------------------------------ From: isoos@mcs.com (Imre Soos) Date: 25 Jan 1995 13:58:03 Subject: SSN Required for Cellular phone application Organization: Med-E-Systems I recently tried to purchase a cellular phone from Ameritech. I went to their store in person. The application asked for both a social security number and a drivers license number. I told them that I would give them a SSN so they could do a credit check, but that I would not give them my DL number, although I would be happy to show it to them to prove my identity. I spent 30 minutes on the phone with their credit department which informed me that their system could not process an application without a drivers license or a passport number. I even offered to put down a deposit. When I asked if they would be willing to provide me with a written policy statement describing who would have access to their records and what safeguards they would use to ensure that my information would be kept confidential, they said they had none. I realize that the unfortunate reality is that the cellular phone industry is subject to a great deal of fraud, but I do not believe that collecting this information will help reduce it in any substantial way. Given the fact that cellular phone service is nearly a monopoly (a duopoly in every city), there are not a whole lot of competitors to go to who may be more consumer responsive. What's a poor honest consumer to do? Are there any legal precedents in this area? ------------------------------ From: styvesan@cosricon.com Date: 25 Jan 95 02:04:18 EST Subject: SSN, The Way to Your Pocket Organization: Costa Rica Online Many times one may receive a check for services or a product that they would prefer to cash and just quietly put in their pocket. The problem occurs when your SSN is attached to everything. How can you cash this check in private? Many think they can simply go to there bank and cash it, without any record. WRONG! When you present the check, the first piece of information required is - Right... your account number. Remember when you opened that account, what was the first item they asked for after your name? Your SSN. Of course you could go another route. Maybe go to the bank where the check was written from. What's the first item asked for? Your identification or drivers license. What is that connected to? Your SSN. With modern computer technology today, it doesn't take much for the system to compile the SSN's and the amount of cash contributed to the number. Let's say you deposit $100,000 in your checking and write checks for $80,000 . No problem for your return. But if you cashed a good many checks during the year, you will find that your number also has attached this cash amount. This is where everyone gets caught. An auditor may show up at your door and simply request you to verify that in fact you deposited $100,000 and spent $80,000 as you sent in on your return. If you agree, you just committed a felony. They already knew about the checks you cashed at the bank or check cashing service. Computer technology as incredible as it is for modern man, it is continuing to shrink modern mans personal privacy and protection of his assets. However, there are many methods of operating in a modern world, in absolute privacy. Beyond the prying eye of technology. If you would like the answer of how to cash your checks in absolute privacy with no identification, sent a request to styvesan@cosricon.com and receive a FREE copy of "Financial Privacy News". Everything you always wanted to know about privacy, but didn't know who to ask! -- STYVESANT ------------------------------ From: daf1@cec.wustl.edu (Danyel A Fisher) Date: 25 Jan 1995 14:32:52 -0600 Subject: Re: Is the Post Office Subsidized? Organization: Washington University, St. Louis MO Bear Giles wrote: I ignored them for six months or so, but _Byte_ was totally clueless. So I grabbed the convenient response card which already had my name and address printed on it and a red marker and wrote in big letters across the card "LEAVE ME ALONE!" The mail stopped. :-) Wow, you've got it (comparatively) easy. Magazine have a strange cycle with me: they send me offers for free issues (which I accept, natch), offer me the privelege to cancel (which I do), and then keep sending me alternating "cancel" offers, magazines, dunning notices.... After about six months, I got sick of the cycle (no, I didn't want a free issue -- or a subscription -- to this magazine). Additionally, I was sick of dunning notices (I wonder if they could attack my credit line?) So I scribbled up a brief note that said, "I don't want your magazine. Stop sending it to me. You'll never get any money out of me on it, anyway." They stopped. And then I got free magazine offers from a number of them a few weeks later.... -- Sometimes, you meet a person.| Danyel Fisher |To a pessimist, the world I am one of those people. | daf1@cec.wustl.edu |is full of happy surprises ------------------------------ From: Eric Hermanson Date: 25 Jan 95 16:39:27 -0500 Subject: US Government Regulations and Internet Access I am interested in finding out whether the US Government has any plans for regulating the Internet Access Provider industry in the near or far future? About two years ago, the Government began to regulate the cellular phone industry (one of the regulations on that industry is that there cannot be more than two cellular providers in any one metropolitan area. Now SOMEONE please explain the thinking behind that restriction to me!) I suspect that regulation for the Internet is upcoming, but I would like to know when it is planned, and what the regulations might look like. Any info via email would be appreciated. Thank You, -- Eric Hermanson ------------------------------ From: jesse@oes.amdahl.com (Jesse Mundis) Date: 25 Jan 1995 17:57:04 -0800 (PST) Subject: Who is Looking at Your Files? rj.mills@pti-us.com (Dick Mills) wrote: I once lived in Sweden. They don't respect individual rights a whole lot there, but they did have an innovation that impressed me. They have a law which mandates that the individual be sent a copy of any credit reports sent out. Thus I got to see who asked for information on me, when, and what they were told. Not bad. If there were any inaccuracies in the report, I could act in a timely manner to correct it. I like this idea, a lot! That leads me to wonder if we couldn't form privacy rights legislation on the same principle. Instead of attepting to stop digitized signatures, sales records, video rental info, and the thousands of other data gathering activities, we could require that the individual be cc'd whenever this information was transmitted to third parties. A question for the group at large, what process would be required to get legislation like this in place? I've never written up a bill before, but this looks like a good idea. Anyone have a pointer to some specifics, possibly in the EFF or CPSR archives? The idea may be practical or not depending on the scale. If someone pays 5 dollars for my credit report, he can afford a stamp to send me a copy. If a magazine sells 100,000 names from their subscriber list for 1 cent per name, they can't afford to notify everyone. Why not just pass the cost along to whomever is buying your info. If the cost of all the info goes up by an equivilent amount, the info sellers incur no loss (except perhaps for a slight decline in demand due to increased prices) since they are passing the cost along to their customers, and if that means the info buyers buy fewer mailing lists, all the better. The cost of notification could be reduced by condensing all the notifications into a monthy report by some clearing house. Liable bureaus would report electronicly to the clearning house, and a printed rerport sent to the individual once per month. On the other hand, the clearning house itself and the condensed reports themselves could grow to become the biggest security risks. Yeah, I'd much prefer individual notification. For sure, there would be problems in formulating and enforcing such a law. Nevertheless, it sounds to me less dificult than protecting the gathering of raw information or assuring the accuracy of stored information. Agreed. As long as there is profit to be made, people will collect and disseminate information about each other. This kind of legislation would at least even the playing field, and allow the individual to know who is looking at what information. Hey, there is a thought. If the legislation can't be pushed through, there is always the "if you can't beat them, join them" stratagy. Start your own info seller business. The specific records you would collect and sell would be those of who requested any of your customer's OTHER information. Has this been proposed before? No idea. Anyone else know? -- Any opinions expressed above are mine and do not necessarily represent the opinions policies of Amdahl Corporation. Jesse Mundis | Amdahl Corporation | Remember: jesse@oes.amdahl.com | 1250 East Arques Ave M/S 338 | Quality is job 1.1 (408) 746-4796 | Sunnyvale, CA 94088-3470 | -Heard from Maintenance ------------------------------ From: mike@camphq.fidonet.org (Mike Bray) Date: 25 Jan 95 12:18:12 EDT Subject: A Small but Satisfying Victory Last weekend my son fell and hurt himself, so this week I have taken him to a variety of doctors, etc. His primary physician probably already has his SSN, and since we have been there before, they didn't ask me for it. I may have given it to them before I started reading this group. :) The X-ray lab asked me to fill out the customary form, and of course I left the SSN out. Perhaps they didn't pressure me about it because he's only 3. I really don't know. The drones that work in the specialist's office were quite a bit different about this though. While making the appointment, they asked me for my and his SSN. I refused to give mine, and when they got to the place on their screen for his, the lady says, "...then I guess you don't want to give me his either." I told her that I didn't know it... instead refusing to give it. When we got to the office, of course they had me fill out their form, and again I left off anything they didn't specifically need to treat him. Like all SSNs, and stuff about "nearest person not living with you." The woman who then went to enter the data in the computer didn't know how to handle me. She again asked me for my SSN, and I again refused. She was not impressed, probably because she never had anyone not give it to her before. :) She continued to stare at me for another 5 or seconds, then she just huffed "okay" and continued down the form. We saw the doctor, paid our portion, and left. I was all prepared to give my standard "Do you know *why* it's called the Social Security Number? Because it's to be used for that reason, and that reason only. Your organization has nothing to do with Social Security, so you do not need to have it." speech, but didn't need to. A minor victory, but a satisfying one. -- Mike Bray mike@camphq.fidonet.org (or) ...!apple!camphq!mike ------------------------------ From: Ted Lemon Date: 26 Jan 1995 11:38:30 -0800 Subject: Re: Cybersex Seattle Mitch Kabay quotes an AP story about a 51-year-old Seattle man who hits on a 14-year-old New York girl over the Internet, sends her a sexually explicit picture of himself, goes to New York and is caught with the girl in a shopping Mall by her mother. The man is then charged with a misdemeanor for sending her his picture. The author explains that because of similar incidents, legislators are proposing special laws making "sexual communications with minors on computer" a felony. Mitch brings up the relevant question of whether there is a need for such a law, given the presence of existing laws which may already cover this case, but I think a better question to ask is whether such a law will result in innocent people being charged with felonies. Imagine that, for whatever reason, you want to engage in ``Cybersex'' on the Internet. You hook up with somebody through IRC, chat them up, and determine that you're mutually compatible. You then engage in a steamy sexual conversation with this person. A few days later, the FBI shows up at your door, handcuffs you, reads you your rights, and carts you off to Federal prison. Once you've served your time, you still have to register with local authorities as a sex offender. Why? The person with whom you were communicating was a minor whose parents found out about your conversation. They didn't like it, so they called the FBI. You may not have been aware that you were communicating with a minor. Indeed, you may have been told that you were communicating with a 25-year-old. 17-year-olds can be precocious, and 25-year-olds can be naive - over an ASCII connection, how are you to tell? More importantly, how are you to prove that your intentions were good in a society where any evidence of sexual expression is considered to be evidence of a guilty mind? Existing ``statutory rape'' laws provide a means for prosecuting adults who intentionally seek out minors and have sex with them. One could argue that it's also harmful for a child to engage in fantasy sex play over a computer connection, but the responsibility for protecting children from this sort of exposure must rest with the parents and the local community. If a child feels loved and respected, he or she is unlikely to seek sexual conversations with adult strangers on the Internet. -- Ted Lemon Wells Fargo Bank, Information Protection Division mellon@ipd.wellsfargo.com +1 415 477 5045 ------------------------------ From: John Medeiros <71604.710@compuserve.com> Date: 27 Jan 95 00:56:18 EST Subject: Private Caller Card In response to my request for a complete, but non-technical explanation of the Private Caller Card, Dr. Styvesant J. Fishdt provided the following information: Very simply what we have set up is 100 phones lines connected to a computer, utilizing a program searching lines at random. You call an number, the computer then searchs for the first available line and then reconnects you with a dial tone. The location you are calling will receive the forwarded number on callerID. Your phone bill will only reflect a call to an that number. This is a simple method to acheive complete personal privacy. You only pay for the long distance call. ------------------------------ From: bear@fsl.noaa.gov (Bear Giles) Date: 27 Jan 95 17:21:33 GMT Subject: Re: Are the Cyber Police Coming? Organization: Forecast Systems Labs, NOAA, Boulder, CO USA For example, say you participate on a bulletin board for wine connoisseurs, don't be surprised when your mailbox starts to fill up with advertisements from wine retailers. The Internet is not about privacy. By this reasoning, I have no reason to complain if the supermarket survellenace cameras are provided to various companies to compile marketing lists. "Dear Bear: We noticed in a recent trip to Safeway that you briefly picked up our extra chunky peanut butter before purchasing a competing brand. We're so sure you'll prefer our peanut butter that we've included a coupon for a free small jar! Be seeing you, Philbus Smith President, Peanutatous Corp." Certainly this information *can* be compiled, but that's entirely unrelated to the desirability of it being compiled. There are many good reasons such compilations should be discouraged, but only one very weak reason to support them. (Namely, it helps very small companies that can't otherwise afford mass marketing.) -- Bear Giles bear@fsl.noaa.gov ------------------------------ From: "Prof. L. P. Levine" Date: 29 Dec 1994 10:50:22 -0600 (CST) Subject: Info on CPD [unchanged since 12/29/94] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V6 #011 ****************************** .