Date: Wed, 01 Feb 95 11:37:25 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V6#013 Computer Privacy Digest Wed, 01 Feb 95 Volume 6 : Issue: 013 Today's Topics: Moderator: Leonard P. Levine Re: Requests for Home Phone Numbers Check Security Phone Numbers as IDs Tracking of News and WWW Routes Re: US Government Regulations and Internet Access Re: Credit Card Signatures Re: Credit Card Signatures Wastebaskets Careless News Media Re: Radio Shack and Privacy Infection Data Info on CPD [unchanged since 12/29/94] ---------------------------------------------------------------------- From: bo774@freenet.carleton.ca (Kelly Bert Manning) Date: 31 Jan 1995 06:11:28 GMT Subject: Re: Requests for Home Phone Numbers Organization: The National Capital FreeNet, Ottawa, Ontario, Canada In his role as the previous moderatory Mr. Rears and I have expressed differing opionions in the past about this issue. I'm hoping that we get around to some new angles and opinions this time around. In a previous posting, "Dennis G. Rears" (drears@pica.army.mil) writes: Chip Kaye wrote: I recently opened an account on CompuServe and filled in my home phone # on their online form as 555-555-5555. You provided false information. Yah so? This kind of demand for information, backed up by a threat of denial of service is probably why the Quebec government made it the legal right of consumers not to have to provide unneccessary personal information. Businesses cannot refuse a request to provide goods or services just because a consumer refuses to provide irrelevant personal information. Most likely compuserve was going to extend you credit. Quite an assumption. Here in BC there is a major dial in subscription information service that does nothing on credit. You deposit at least $100 up front. Money gets deducted as you use it. If the balance reaches zero before you send more your service stops. Also it is settled case law here in Canada that a company cannot insist that you do business on credit. One of the big encyclopedia companies ended up on the losing end of that judgement. They wanted all customers to buy on credit, using their loan subsidiary and refused to sell for cash. They don't try that line since someone took them to court and established that a vendor cannot make use of their credit and financing a mandatory condition of purchase. They cannot use a high demand or the perceived superiority of their product to coerce customers into using credit or providing irrelevant personal information for creit screening. I would prefer not to give out my phone number but was told that their policy was to require at least 1 phone number. I am wondering about the legality of this requirement. Nothing illegal about it. You don't have to provide the number, they don't have to provide you service. You make the choice. The US seems to have a much broader pattern of laws than Canada due to the large number of states. Is there no US jurisdicition where it is illegal to refuse to provide goods or services simply because a customer refuses to provide unneccessary personal information? My major concern about this kind of "turn on your caller ID or I won't sell to you" mindset is that hardwire phone numbers can be easily related to an address because they greatly narrow the geographic area for which an information seeker has to search unavoidable public records. On the other hand a cellular phone provides no such link. The only billing information for the account could be a charge card account and the cardholders name. Basically we end up with two classes of telephone users. The affluent who can afford cell phones and who can turn them off if they don't want to be traced or harrassed by junk phone calls and those who expose their phone and residential address every time they make a call. Some canadians get around CRTC attempts to restrict access to US direct broadcast satellites by getting post office boxes at border towns and opening a VISA/Mastercard account at a US bank. This gives the US broadcaster an out for saying that they didn't realize that they were delivering a service to a Canadian. Funny how vendors can be very lax about checking who their customers are, or where they live, when it is in their financial and regulatory interest not to know too much. ------------------------------ From: jepstein@cordant.com (Jeremy Epstein -C2 PROJECT) Date: 31 Jan 1995 09:15:40 -0500 (EST) Subject: Check Security Christopher Zguris <0004854540@mcimail.com> wrote: True story: a friend of mine gave two checks to her accountant, one for $825 in the accountants name, and one for $125 made out to a major insurance company. The accountant sent the $825 check to the insurance company by mistake, and they cashed it _even though_ it was NOT made out to them. More trivia, the dopes who say you can delay paying the I.R.S. by not signing the check are full of it, the I.R.S. will cash it anyway. In fact, I don't think there are any situations where the bank will say no to the I.R.S. Not that this has anything to do with privacy, but... About a year ago this time, I sent my mortgage company a check dated January 1993 (instead of January 1994). They bounced it back, sending me a notice that the check was stale (and assessing a late charge). [I complained; they removed the late charge.] So I sent another check in, attaching the original with a note to show this is what happened, and writing in large letters VOID across the old check. BOTH checks were deposited. Luckily I had enough in my account to cover both, so I didn't make a fuss (and I didn't have to make a payment the next month). It would have been interesting to ask the bank to explain their security if an apparantly year-old check clearly marked VOID could clear the system! -- Jeremy ------------------------------ From: "Bruce O'Neel" Date: 31 Jan 1995 12:16:41 -0500 (EST) Subject: Phone Numbers as IDs mr@world.std.com (Michael J Rollins) wrote: Has any one else noticed the new trend of businesses answering their phones with an immediate request for a phone number. This first happened to me when I called several months ago to inquire about maybe getting an account at AOL. Since then, it has also happened when I called a few other companies. Most recently, it happened last week when I called the customer service number at AT&T. It appears that this is in fact being done as a sort of password situation, since all of the numbers where this has so far happened are of the eight hundred variety. Yes, I had noticed. This produced a humorous situation with Pizza Hut. I had some friends move in next store. I went over and ordered pizza from their phone the night they moved in. Their voice line was a recycled phone number and Pizza Hut wouldn't take it because they already had it assigned to another person in our area. Ergo, it couldn't be the correct number. Luckily for our stomachs they also had a data line phone number which allowed me another number to satisify Pizza Hut. -- bruce ------------------------------ From: kirby6@psu.edu (kirby6@psu.edu) Date: 31 Jan 1995 19:37:42 GMT Subject: Tracking of News and WWW Routes Organization: Penn State University As a student with a net connection I find myself spending time in some of the less "politically correct" Usenet groups as well as Web sites. Is it possible for my school admins. to keep track of the sites I visit or the news servers I connect to, or even the groups I read? Is every connection through the campus gateway logged somehow or would I have to be a specific target? When I connect to a site does that site also record my connection? Do admins even have time to be concerned with this? What I'm wondering is just how any of this information might be used to "profile" me later. Be it through sales to marketers, restriction of account, or whatever? Do privacy laws apply to any of this? Your answers would be greatly appreciated. Could you please suggest other news groups for this post. -- regards, kirby6@psu.edu ------------------------------ From: kasley@chip.fnal.gov Date: 31 Jan 1995 13:55:36 Subject: Re: US Government Regulations and Internet Access Eric Hermanson wrote: (one of the regulations on that industry is that there cannot be more than two cellular providers in any one metropolitan area. Now SOMEONE please explain the thinking behind that restriction to me!) Bear Giles bear@fsl.noaa.gov replied: An informed guess is that there is a limited number of cellular phone frequencies with current technology. This is the bandwidth allocated to celphones divided by the bandwidth required for each channel. Actually, the limitation on the number of service providers in any one geographic area dates back to the mid-70's when the present cellular system was being developed. At that time, mobile phone service used the IMTS system (Improved Mobile Telephone System). IMTS was improved because all call setup was handled automatically instead of by a human operator ("MTS"). IMTS was provided by two licensees: typically the VHF frequencies were "owned" by an ATT operating company (remember Ma Bell and her monopoly?) while the UHF frequencies went to whoever the local "non-wireline" radio common carrier might be (In Chicago, this was Rogers Radiocomm, long since absorbed into something else.). When the frequency allocations plans were being made for cellular, the FCC wanted to prevent Ma Bell from monopolizing ALL of the cellular channels. Thus, the FCC decided to split the cellular band into two banks of channels: one for the local Bell operating company and one for the local RCC. The lockout situation referred to above has nothing to do with the assignment of channels between the banks. Each provider has some 300+ individual channels available to his system. When a call crosses cell boundaries, it is handed-off to a new channel in the same system by the cell site base stations. Each base station has a limited number of channels; it would simply be too expensive for every cell site to support all 300+ channels. If all channels on the destination cell are busy, the system must either find a useable free channel in a different adjacent cell or dump the call. Call blocking is not a new phenonmenon; the equivalent condition happens on the landline network when the switches can't find a circuit to put a call through; for that case, you get a fast "all trunks busy" signal. The number of subscribers that a system can support is determined by call blocking statistics and is not a simple N/n calculation. It is based on the available resources (size of the cells, nr of channels in each cell, bunches of other factors) and a blocking rate goal. Again, similar calculations have been done for decades by the landline people. The two service provider rule is a legacy from the days of the ATT monolith. Indeed, allocations for the new PCS bands are being made by auction. The winners are those companies with the deep pockets needed to "buy" and "develop" scarce radio real estate. -- paul kasley wa9vyb kasley@chip.fnal.gov ------------------------------ From: m.sargent@genie.geis.com Date: 01 Feb 95 06:08:00 UTC Subject: Re: Credit Card Signatures Bear Giles writes: That's in the "merchant's agreement" with the credit card umbrella organizations (e.g., Mastercard International). They can request ID to verify the cardholder's identity, but only prior to requesting authorization and only if they don't record the specific information. Something like "Colo DL" is acceptable, especially for people like me who refuse to sign credit cards. (I write "SEE PHOTO ID" instead.) In fact, in one circumstance, both VISA and MasterCard can require (except where prohibited by local law) that additional identification be presented, and that the ID information (driver's license number, etc) be recorded. That circumstance is the very one Mr. Giles practices - the use of an unsigned card. Since June 1st, 1994 (for MasterCard) and January 1st, 1995 (for VISA), merchants have been instructed to refuse all unsigned cards. A specific procedure has been established to deal with unsigned cards: - Require an additional form of signed identification, such as a driver's license or passport. - Record any pertinent information about the identification provided (license number, serial number, expiration date, etc), if allowed by local law. - Request that the cardholder sign the card. - Confirm that the newly signed signature matches that of the other piece of identification provided. - The merchant MUST get authorization for the transaction, regardless of the amount. If the cardholder refuses to sign the card, the merchant is required to terminate the transaction. As far as VISA and MasterCard are concerned, an unsigned card is an invalid card. If an unsigned card is used illegally, the card issuer has the right to file a compliance case against the merchant. Another VISA/MasterCard requirement, which went into effect October 1st, 1994, may explain the increased use of digital signature capturing. If a customer requests a copy of a transaction, the merchant is required to provide the best possible reproduction available of the charge receipt. If the customer believes the copy to be illegible and disputes the charge, the issuing bank can request mediation by VISA or MasterCard. An unfavorable ruling will generate a "fine" of between $10.00 and $25.00 per ruling, depending on card type. A "digital receipt" isn't prone to the image degradation that occurs with carbon paper and xerography. -- Matt Sargent [ m.sargent@genie.geis.com ] ------------------------------ From: "Robert E. Hatfield" Date: 31 Jan 1995 16:58:36 -0800 Subject: Re: Credit Card Signatures Organization: Seattle Pacific University Jesse Mundis wrote: Heh, I did the same thing last time UPS came around with their pad. I just clearly wrote my first initial followed by a squiggly line, then my last initial followed by an other squiggly line. I've seen enough signatures that look like that before. Apparently, so had the UPS guy who just entered the name on the pad. ;-) I think I'll have fun with a different signature each time. I have been doing the unrecognizable varying signature now for a couple of years with no problems. It works great. ------------------------------ From: G Martin Date: 01 Feb 1995 00:08:16 -0500 (EST) Subject: Wastebaskets How careful are you about what you put in your wastebasket at work, or your trash at home? I was recently making photocopies at a Mailbox, Etc. and noticed what looked like a tax form in the waste basket next to the copy machine. I retrieved it and found that it was a medical claim form. On the form, the person who completed it listed her name, phone number, address, checked a box indicating she was single, her SSN, DOB, signature and a description of a medical condition she had. I made no copies of this document, I just mailed it to her with my name and phone number attached. She called me as soon as she opened it, and told me she was glad I handled it the way I did. She said she'd never be that careless again. but she and I were talking about what she could have done instead. Which leads me to a question I'd like to ask all of you. How do you dispose of documents, diskettes or backup tapes that have sensitive info on them? I think shredders are next to worthless because it's so easy to reassemble the document. And just putting it in the trash just invites someone with bad intentions to pull it out and possibly misuse the information. I told her the only safe way I could think of was to take it home and burn it. How about all of you? -- Gary Martin gmartin@FREENET.COLUMBUS.OH.US ------------------------------ From: G Martin Date: 01 Feb 1995 00:16:46 -0500 (EST) Subject: Careless News Media Saw a story on one of our local TV stations on Monday that just stunned me with its stupidity and carelessness. They were interviewing a man who worked for the water company reading meters. The main point of the story was to ask them for their ID when they come to their door. Then the camera zoomed in real close on his ID card as he flipped it over and exposed both sides to the camera. I videotaped the news that day as I usually do, and replayed the tape in slow motion. Sure enough, I was able to EASILY read his name, SSN, DOB, and various physical descriptions like hair color. Columbus is a city of 500,000 people, and they had to have given that information to at least tens of thousands of people, some of who are likely criminals. I couldn't believe the stupidity of it. The next day, I called the TV station first to tell them what they had done. I spoke to the General Manager and he seemed genuinely surprised. I also contacted an ATF agent. He said that the guy is at great risk of his SSN, etc. being used for all kinds of illegal purposes from buying guns, to credit cards, etc. His advice was that the guy contact his office, the Secret Serivce (for credit card fraud), his local credit bureau, etc., etc., etc. and try to head off any potential damage before it happens. My next call was to the media director at the water company. The media director had been standing right next to him when the cameras took the pictures. She treated me like I was bothering her, and was very rude. She said she'd warn the employee who's ID was aired, but I didn't believe her. I called back again and asked to speak to her boss. He was very understanding, and said they'd do what they could to help the employee out. He also said he was going to make up a phoney ID card in case they ever need to show one again in the media. How could the media have been so careless?!? they may have ruined this guys life with their stupidity. Other than the possible risks I've mentioned, what other risks might he face? Has anyone else seen the media to anything like this? -- Gary Martin gmartin@FREENET.COLUMBUS.OH.US ------------------------------ From: privacy@interramp.com Date: 01 Feb 95 11:27:35 PDT Subject: Re: Radio Shack and Privacy Organization: PSI Public Usenet Link E.J. Barr wrote: Mr. Featherman; If you're dumb enough to want to do business with a firm such as Radio Shack, the grief and agrivation you get, is to be expected. Want to put an end to it? Stop doing business with Radio Shack. It's that simple. Dear E.J. Barr, Thank you for your comment. While I agree that consumers should express their views with their wallets, I find your approach to be a cop-out. Radio Shack is not the only company that has violated individuals' right to privacy. Most companies do so. Radio Shack is simply one of the more visible enterprises out there. Your approach inherently assumes that consumers have infinite choices. I've got news for you. Most consumers don't have many choices. Certain electronic devices (such as Tandy scanners) are available only at Radio Shack. The point is that I suggest changing the system and starting a grassroots effort while you support consumer exodus. I respect your view, but urge you to consider the following: In regulated industries, such as telecommunications (phone companies) or other utilities (electric, gas, and water companies) where there are natural monopolies, how would you suggest that people deal with these firms -- by leaving and not being able to obtain these services -- or by putting pressure on the firms? Sure, Radio Shack isn't the only game in town. But your solution doesn't solve the problem; it ignores it. Convince me that other electronic merchants will treat you any better. Even if you do find more privacy-sensitive merchants, isn't our job -- as privacy sensitive advocates -- to help others from being manipulated? -- John Featherman Editor Privacy Newsletter PO Box 8206 Philadelphia PA 19101-8206 Phone: 215-533-7373 E-mail: privacy@interramp.com ------------------------------ From: rdurie6@ibm.net Date: 01 Feb 95 00:17:03 Subject: Infection Data If the Red Cross sends the name of a person who donated HIV-positive blood to the CDC, what is the CDC going to do with the information? They don't know who that person has had sex with, so how does providing the name to the CDC protect anyone? The CDC won't have a clue as to who to contact, so the only way the information could be useful is if people could use a computer to see if a prospective, or past, partner is on the list. But that means that *anybody* could access the information, which is *not* acceptable to privacy advocates. The needs of Public Health require that exposure data be collected, and that individuals with exposures to communicable diseases are informed, is a long standing and well established Public policy concern. If we simply replace the exposure from HIV to say the Plague then would there be an issue? I think not. As potential victims of the disease we should be informed. The only way we are informed is if those with the disease knew they were infected, and inform those who risk infection. 2) Whether the results of HIV and/or other STD (Sexually transmitted disease) tests should be made available to persons or organizations other than the health professionals directly involved in the notification, testing and treatment procedures. If the results are disseminated, should it be in statistical form only or should some persons from government, industry, research or other fields be able to obtain the identities of those tested and the results of the individual tests? The data must be available to organizations with the resources required to compile and construct exposure profiles. If education is useful then how do we develop what we teach? As for identities of individuals, it becomes very important that the exposure be related to a source. The only way to maintain exposure modalities is to confirm that person "A" got disease "C" from person "B." Hypothetical; if person B got disease C without exposure though some yet unknown source how would you test it. The development of our current understanding of HIV started with finding out how one man's sexual partners became ill and their sexual contacts. If the CDC had been restricted from learning his partners names and their sexual relationships, the development of HIV as a sexually transmitted disease would have been severally restricted. Because of the nature of HIV and it's ability to mutate, the transmission modalities of HIV must be constantly monitored. God forbid that HIV mutate to an airborne virus. 3.) Whether blood collection agencies have the right to collect lifestyle information and test donor blood for contagious diseases of any type in an attempt to screen out potentially unacceptable donors. Additionally, are the results of these screens the property of the blood collection agency for further use as they see fit, or does the "screenee" have the right to control the use of the information (or somewhere in-between)? The development of profiles of types of individuals is becoming less important as HIV spreads throughout the general population. Further, it may the basis of discrimination suits. If the information is not collected with any specific identifiers, (SOC # or name) then who cares? If there are personal identifiers, then it seems to me to be an attempt to develop it for another purpose. ------------------------------ From: "Prof. L. P. Levine" Date: 29 Dec 1994 10:50:22 -0600 (CST) Subject: Info on CPD [unchanged since 12/29/94] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V6 #013 ****************************** .