Date: Mon, 06 Feb 95 13:01:20 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V6#015 Computer Privacy Digest Mon, 06 Feb 95 Volume 6 : Issue: 015 Today's Topics: Moderator: Leonard P. Levine Lying to Protect Privacy Re: Radio Shack and Privacy Re: Radio Shack and Privacy Re: Wastebaskets Re: Wastebaskets Digitized Signatures Legal definition of "Signed" Privacy in Telecommunications Merchant Personal Information Requests Re: Requests for Home Phone Numbers Re: Requests for Home Phone Numbers Re: Requests for Home Phone Numbers Re: Requests for Home Phone Numbers Tracking Deadbeats in Indiana Re: Who is Looking at Your Files? Phone Users Slam Dunked Re: The Cyber Police are Coming Info on CPD [unchanged since 12/29/94] ---------------------------------------------------------------------- From: "Virginia Matzek" Date: 03 Feb 1995 15:19:13 PACIFIC Subject: Lying to Protect Privacy Organization: California Alumni Assoc. It's easy to lie and give out fake names, addresses, telephone numbers, etc. But this is not the "way it should be." Instead, the best solution (as far as I am concerned) is to create laws and grassroot efforts to stop such requests for personal information as a condition of sale. Let's empower the consumers so that they don't have to be placed in the unenviable position of having to lie in order to protect their privacy. Agreed; but what do we do in the meantime to staunch the flow of personal information? Until we have such laws or widespread support, we should educate consumers on how to deal with situations where personal information is requested. Oh, you answered that one yourself. Well, as it happens, I'm a consumer whose sole purpose in joining this digest is to be educated on how to deal with these situations. I've picked up a lot of useful tips (including lying), and I hope y'all will keep them coming. I don't like lying any more than you do, but I find it justified in cases where 1) the information requested is not necessary, and 2) I don't have the energy to engage the drone processing the information in a lengthy discussion of my privacy rights. (Sometimes I do, because I want to educate people and make my dissatisfaction with the intrusion of my privacy known to the intruder; however, after I've already asked the grocery checker not to wrap plastic bags around my frozen juices and expounded on the relative merits of paper and plastic, I find it easier to just alter my phone number by a digit and let the bank assume that the clerk wrote it down wrong on my check.) +----------------------------------------------------------------+ | Virginia Matzek "I love being a writer. | | Associate Editor What I can't stand is the | | California Monthly paperwork." -- Peter De Vries | | | | vmatzek@alumni.berkeley.edu | | phone: 510/642-5781 fax: 510/642-6252 | +----------------------------------------------------------------+ ------------------------------ From: quartz@ix.netcom.com (M. Schwartz) Date: 04 Feb 1995 04:06:56 GMT Subject: Re: Radio Shack and Privacy Organization: Netcom privacy@interramp.com wrote: Sure, Radio Shack isn't the only game in town. But your solution doesn't solve the problem; it ignores it. Convince me that other electronic merchants will treat you any better. Even if you do find more privacy-sensitive merchants, isn't our job -- as privacy sensitive advocates -- to help others from being manipulated? gmcgath@condes.MV.COM (Gary McGath) writes: Well, in my experience, Radio Shack is the only retail outfit of any kind that routinely asks for the phone numbers of people who pay cash. It's their right to do that, and my right not to deal with such bozos. I don't see why it's anyone's "job" to "help" people who are perfectly satisfied with such an arrangement. I haven't had problems with a Radio Shack in years. I always pay cash and when they ask for my personal information, instead of saying "you can't have it", I say: "I don't want to be on your mailing list. There's no logical response to that so they just shut-up. I read somewhere that the Washington, DC area (where I live) has the highest per capita number of non-published residential phone numbers in the country. Perhaps the local Radio Shack folks have been softened up by a privacy-oriented community. ------------------------------ From: gmcgath@condes.MV.COM (Gary McGath) Date: 05 Feb 1995 14:22:04 GMT Subject: Re: Radio Shack and Privacy Organization: Conceptual Design privacy@interramp.com wrote: Instead, the best solution (as far as I am concerned) is to create laws and grassroot efforts to stop such requests for personal information as a condition of sale. I must disagree strongly. As I stated in my earlier message, if people provide personal information as a condition of sale, they are doing so by their consent. In effect, they are bartering information. When the government sets conditions on the transactions which people may make, it inevitably destroys rather than enhancing privacy. In the course of normal, legal activity, only the government can *compel* us to surrender information by threat of force. The more activities it regulates, the more opportunities it has to further encroach on our privacy. Indeed, much of the information which we have to give out in private transactions (loan applications, for example) is the result of government regulation. It is the shy, naive, or less educated that we need to empower by making them aware of their "Privacy Bill of Rights." This is quite condescending. It appears that you're saying that you know that they shouldn't be willing to give out personal information, and you're going to "educate" them till they know that as well as you do, or pass laws if that doesn't work. Do you have suggestions for a "Privacy Bill of Rights?" Please forward them to me, as I am compiling one for future applications. The Bill of Rights was a series of Constitutional amendments restricting the government's power. A set of laws which would enhance the government's power to regulate transactions has no business usurping that name. -- Gary McGath gmcgath@condes.mv.com PGP Signature: 3E B3 62 C8 F8 9E E9 3A 67 E7 71 99 71 BD FA 29 ------------------------------ From: John Medeiros <71604.710@compuserve.com> Date: 04 Feb 95 00:39:02 EST Subject: Re: Wastebaskets G Martin asked: How do you dispose of documents, diskettes or backup tapes that have sensitive info on them? There is a new, but expensive generation of shredders that produce an end product not larger than 1 mm x 3 mm. They handle diskettes very well, provided you take the actual plastic disk out of the sleeve and discard the metal hub from the 3 1/2's. Disassemble tapes and feed them in, no problem. Other companies use huge compactors that handle confidential trash by the box. The machine basically smashes everything together with such power that it's impossible to tell where one box (and its contents) begins or ends. You can also incinerate confidential material, but this technique runs afoul of local air quality laws. None of these techniques are fool proof. They all require the right kind of equipment, and that the equipment be properly maintained. I'm lucky enough to have access to such a shredder at work, but a good question is, does anyone know of a company or service that will do this at a reasonable cost for an individual? ------------------------------ From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Date: 05 Feb 95 12:10:34 EST Subject: Re: Wastebaskets G Martin wrote I think shredders are next to worthless because it's so easy to reassemble the document. For high-security requirements, you can use "cross-cut" shredders which use offset knives to slice paper into small diamond-shaped fragments instead of long parallel ribbons. -- M.E.Kabay,Ph.D. Director of Education, NCSA (Carlisle, PA) Chief Sysop, CompuServe NCSA Forum Mgmt Consultant, LGS Group Inc. (Montreal, QC) ------------------------------ From: STPCB@jazz.ucc.uno.edu Date: 04 Feb 1995 14:00:08 -0600 (CST) Subject: Digitized Signatures This topic might be a bit old but I thought there might be some interest in an actual letter I received from Service Merchandise concerning their system of capturing electronic John Hancocks. I inadvertantly signed on the digitized line over the holidays and contacted the companys corporate office. This is the reply: Dear Mr. Prinkey, Thank you for your recent inquiry concerning our use of electronic Signature Capture. The technology we are using is very similar to the storage and retrieval methodsused by American Express for the last 10 years and by UPS for the last 3 years. The security aspects are an improvement over the conventional paper storage method, since that piece of paper which contains your name, credit card number, expiration date and signature passes thru many hands and is on hand for up to 3 years. The electronic signature is immediately scrambled and stored in a completely separate file that does not contain credit card information. This information can only be accessed at the request of the institutionn that issued the credit card. They must present a unique code that is associated with that transaction prior to receiving a copy. The codes for de-scrambling your signature are not accessible to Service Merchandise employees. We feel comfortable with the seccurity aspects of your credit card transaction because you now leave our store with the only paper copy. Please feel free to contact my office if I can be of any additional assistance. Sincerely, Service Merchandise Company, Inc. Joanne Johnson Customer Relations Senior Representative 800-4-SERVICE end of letter Ultimately, my request to have my signature removed was side-stepped in favor of this explanation of why it was safer for me to have an easily reproduced digital version floating around. I have my opinions on this subject, could others please share theirs? -- Todd Prinkey ~STPCB@JAZZ.UCC.UNO.EDU~ ------------------------------ From: bear@fsl.noaa.gov (Bear Giles) Date: 03 Feb 1995 18:55:37 -0700 Subject: Legal definition of "Signed" Colorado Revised Statues 4-1-201 (39) and Article 1-201 (39) of the revised Uniform Commercial Code define: (39) "Signed" includes any symbol executed or adopted by a party with present intention to authenticate a writing. UCC 1-201 (46): (46) "Written" or "Writing" includes printing, typewriting, or any other intentional reduction to tangible form. ("Tangible form" includes tape recordings, data on computer *media*, etc. Another section (not Article 1) defines "signature", but I realized last night that what it was probably trying to say is that "signature" implies you saw the person sign the document, otherwise it's just a "signed" document.) Now, let's address a few common misconceptions with the model legal language (which has been adopted by at least Colorado). - You must sign in a cursive hand. - You must sign your legal name. - You must sign a name derived from your legal name. - You must sign *a* name. - You must sign legibly. - You must sign in black or blue ink. *None* of that can be supported by the language in CRS 4-1-201 (39). If I wanted to adopt a rubber stamp of Mickey Mouse to sign documents, I have that legal right. The language is intentionally vague, since it must deal with corporations whose officers change (not just names), corporations that must send out thousands or millions of checks (not just handwritten signatures), etc. And Mickey? What am I supposed to do if I have MS, or polio, or one of any number of other neurological diseases? Perhaps a rubber stamp is the only way I *can* "sign" documents. Ok, how about "SEE PHOTO ID" on credit cards? Let's look at UCC 1-201 (10): (10) "Conspicuous": A term [or] clause is conspicuous when it is so written that a reasonable person against whom it is to operate ought to have notifed it. A printed heading in capitals (as: NON-NEGOTIABLE BILL OF LADING) is conspicuous. Language in the body of a form is "conspicuous" if it is in larger or other contrasting type or color. But in a telegram any stated term is "conspicuous". Whether a term or clause is "conspicuous" or not is for decision by the court. Okay. Let's postulate a reasonable clerk at the cash register. I hand over a credit card where I have CONSPICUOUSLY written "see photo id" in the spot where a signature normally goes. This clerk is reasonable, she did not just beam down from Mars. She realizes that signatures can be forged, and that a lost credit card with a "signature" on it gives a criminal ample opportunities to practice prior to fradulent use. Even if she didn't, she is reasonable and recognizes the validity of this point when I mention it to her. She also realizes that driver's licenses (and other common forms of photo IDs) generally contain signatures along with fairly recent photographs, height and weight information, eye and hair color, age, etc. So, since she is reasonable, she'll realize that I'm not trying to defraud her store or Mastercard out of money. I'm not trying to get out of providing a specimen of my signature. I'm being a reasonable person who's a little bit more cautious than most people. So she compares the signature on my credit card slip with the signature on my photo ID. The law clearly states that "conspicuous" must be determined by a court, although it equally clearly defined STATEMENTS IN CAPITALS as conspicuous". Fair enough. That's why I write "SEE PHOTO ID", not "see photo id". Plus my use of "conspicuous" is a slightly different than the intent of the law, although it's clearly analogous. But if anyone still insists that my credit card is "unsigned", I breath- lessly await a citation from a real court where this practice was ruled inappropriate. Otherwise, I'll stop worrying about it and remember the magic phrase to chant at _unreasonable_ store managers: CRS 4-1-201 (39) CRS 4-1-201 (39) CRS 4-1-201 (39) -- Bear Giles bear@fsl.noaa.gov ------------------------------ From: rizzo24@aol.com (RIZZO24) Date: 04 Feb 1995 12:11:15 -0500 Subject: Privacy in Telecommunications Organization: America Online, Inc. (1-800-827-6364) I work for the New York State Assembly and am researching privacy in telecommunications. My focus is on telecommunication carriers and how they protect or invade the privacy of their subscribers/users. Any information on the governing legal rules, company practices and cases of privacy invasion would be appreciated. I am also interested in the potential privacy dangers involved in the more interactive technologies that are currently in place or are being developed. Telephone, cable and wireless are all of interest. Hope you can point me in the right direction. Thanks, -- Jenny RIzzo ------------------------------ From: Privacy Rights Clearinghouse Date: 04 Feb 1995 12:56:21 -0800 (PST) Subject: Merchant Personal Information Requests This in response to the many postings on merchants taking personal information for check or credit card purchases. California, as well as many other states, has enacted laws which limit the collection of personal information when paying by credit card or check. The Privacy Rights Clearinghouse has a free "fact sheet" on these laws. This fact sheet may be obtained by calling 619.298.3396 (800.773.7748 within CA only), or by gopher at gopher.acusd.edu (select "USD Campus-Wide Information System"). California Civil Code section 1747.8 provides that when a consumer pays by credit card, the merchant cannot record any personal information other than what is on the front of the card. This includes address, telephone number, Social Security Number or any other personally identifiable information. There are, however, certain exceptions, such as when the credit card is used as a deposit or to obtain a cash advance. Also, when the personal information is needed for a purpose "incidental but related to" the use of the credit card, the merchant may collect the necessary information (Example: when the purchased product is to be shipped to the buyer's home address). Finally, there is an exception for merchants required by contract to collect personal information from the credit card user. For example, some gasoline companies that issue their own credit cards require their stations to collect personal information. When a consumer pays by check, California Civil Code section 1725 provides that the merchant is prohibited from recording a credit card number. The merchant may request that a consumer voluntarily show a credit card. The only information that the merchant can then record is the type of card (i.e. Visa or Mastercard) and the expiration date. The merchant must inform the consumer that the credit card is not required for accepting the check. Once again, there are exceptions. The merchant can require a credit card if the check is used solely to obtain cash, if the check is used as a deposit, or if the check is used to make a payment on the credit card account. If the credit card also functions as a check guarantee card, the merchant may record the card number. This law specifically provides that merchants can require consumers to show and can record drivers license information. The merchant can also record the consumer's name, address and telephone number. Although many other states have enacted similar laws, the specifics of laws in other states may vary. Contact the Privacy Rights Clearinghouse for more details. ================================================================= Barry D. Fraser fraser@pwa.acusd.edu Online Legal Research Associate Privacy Rights Clearinghouse prc@pwa.acusd.edu Center for Public Interest Law telnet teetot.acusd.edu University of San Diego login: privacy Privacy Hotline: 619-298-3396 BBS: 619-260-4789 In California: 800-773-7748 host: teetot login: privacy ================================================================= ------------------------------ From: "Larry Kilgallen, LJK Software" Date: 04 Feb 1995 21:21:53 -0500 (EST) Subject: Re: Requests for Home Phone Numbers Organization: LJK Software bear@fsl.noaa.gov (Bear Giles) writes: I'm travelling for several weeks and a 3" thick phone bill is sitting in my mailbox when I return home. I owe AT&T $38,217.43 for calling card calls made worldwide. I didn't make those calls. Do I have to pay AT&T? If not, doesn't AT&T have the right to have a reasonable method of contacting me if it suspects fraud on my account, to minimize *its* losses? Rather than a consumption-based account, Compuserve can very well use the method followed by cellular and long distance companies. If exhorbitant charges well beyond the normal pattern are encountered, they disallow further charges until the customer contacts them. No particular method to contact the customer is required (given the lack of cryptographics authentication on cellular phones, external authentication would be required regardless of who contacted whom). I once came back to a hotel to find my room locked. American Express had contacted the hotel to surely get in touch with me because a new card mailed to my address had come back in the mail and they were concerned it was not really me. I was upset at the time, but they _were_ looking out for my interests and they did contact me without having my phone number. Strange charges on American Express (especially large ones) can also lead to the clerk putting you on the phone with American Express who will ask questions such as the name of that magazine you subscribed to last month using AMEX. I gather few card thieves bother to steal recent bills as well. ------------------------------ From: "Larry Kilgallen, LJK Software" Date: 04 Feb 1995 21:29:13 -0500 (EST) Subject: Re: Requests for Home Phone Numbers Organization: LJK Software privacy@interramp.com writes: I leave you all with the following thought. How can a company conduct anonymous or name-only returns but still protect itself against crooks who try to return products they never bought? It is often months later that companies realize that they returned money to ganiffs. I was under the impression that this was a solved problem, years ago, independent of whether identification is provided. from childhood I have seen signes saying "no returns without a receipt". Presumably the store either retains the receipt or marks it (in the case of a partial return of the contents of a receipt). So long as this has been done, I don't see any valid reason for the store to require any further identification. (If receipts are readily forged, the store should fix that problem.) ------------------------------ From: bo774@freenet.carleton.ca (Kelly Bert Manning) Date: 05 Feb 1995 04:46:58 GMT Subject: Re: Requests for Home Phone Numbers Organization: The National Capital FreeNet, Ottawa, Ontario, Canada "Dennis G. Rears" (drears@pica.army.mil) writes: My opinions on providing SSN to merchants have appeared to be disjointed in the past. This is mainly because I haven't had an original post in CPD in about 18 months, only followups. Here's my thoughts: 1. Don't give false information. Either leave it blank or fill it in. Giving false information poorly reflects on one integrity. This may be a cultural difference. There is also a nuance of difference btween alias and false name. An alias is a name that you choose to use for a particular purpose, as opposed to a false name made to disassociate yourself from something. The legal right of canadians to use any alias they choose in most financial transactions has been widely publicized over the decades. My first recollection of reading this was as a teenager in the 60s. 2. Stores should only request information they need. 3. In some cases a credit check is necessary and you do this via SSN. If you don't like they don't have to extend you credit or cash your check. This is literally a situation I've never been in. I've had 2 car loans and a couple of mortgages in my life but I've never bought anything on credit from a merchant. I've also never had a charge card account and usually buy vehicles new without taking out a loan. My wife and I rarely use checks. She caused quite a flap once at a local warehouse type appliance operation when she produced cash to pay for a washer and dryer. On a issue not that has nothing to do with privacy, I am a firm believer in property rights. Part of owning property is have the ability to decide who you want to sell, lease, give, or otherwise convey services or property to. I believe a merchant should have the right to refuse to do business with anybody. How far does that belief extend? Can a healthcare merchant(hospital) refuse to provide life saving care to someone who can pay the going rate but happens to have a skin color the hospital doesn't like to see? Can the owner of a busline refuse to carry blacks unless they consent to ride in the back and give up their seats to whites if the bus fills up? Can someone who owns a restaurant refuse to sell the food they own to people of a particular ethnic or racial background? Allowing merchants to be arbitrary rather than equitable in their choice of clients opens up a wide range of posibilities for them to be discriminatory. If they are in business they should be prepared to treat anyone with sufficient cash to pay in the same manner as anyone else who can pay. ------------------------------ From: bo774@freenet.carleton.ca (Kelly Bert Manning) Date: 05 Feb 1995 04:19:29 GMT Subject: Re: Requests for Home Phone Numbers Organization: The National Capital FreeNet, Ottawa, Ontario, Canada Kelly Bert Manning wrote: This kind of demand for information, backed up by a threat of denial of service is probably why the Quebec government made it the legal right of consumers not to have to provide unneccessary personal information. David Jones (djones@insight.dcss.McMaster.CA) writes: Despite any law to the contrary, some Quebec companies regularly refuse to provide service if personal information is not provided. Case in point: Videotron. [snip] that you would normally rent, but during the special trial service, they loan you the box for free, but you must provide personal information like your Health Insurance Number or your Social Insurance Number Hm, I did mention Direct Broadcast Video Satellites in my previous post, so I guess that we are staying on topic here. Basic cable service is regulated to a minimal degree by the CRTC. What regulations still exist are seldom enforced. I've never been asked for ID when establishing a basic service account, but I've often had to spend several minutes telling their pay TV pushers that I don't want any of the scrambled pay TV channels. The CRTC's cable TV regs don't authorize them to demand any ID and it is well established in Canadian law that consumers may use any alias they choose in most purchases, as long as they pay in full and don't do so as part of a fraud. I recall seeing reports of this in magazines with a nationwide circulation as far back as the 60s and have seen more recent references in a local paper within the last year. There is no public, judicial or legislative thrust to change this long standing state of affairs. Additionally the Currency Act says that all you have to provide is cash in an appropriate combination of denominations. The provincial government used this to end a BC Tel plan to require customers to pay by cheque. Canadian Cablecos can hardly be described as typical in their attitude toward customers or to regulations that are supposed to govern their conduct. Is Videotron's attitude widespread among Quebec businesses? Your post didn't say whether you had taken Videotron to the Quebec analog of small claims court. Does Videotron have any legal judgements to support it's position? Provincial Consumer Affairs ministries/departments don't usually get involved in supporting civil actions by consumers unless they feel that there is a major public interest involved that warrants government backing for a precedent setting civil action. What you describe seems like the cableco analog of the old telco practice of requiring customers to "rent" phone equipment, rather than buying it, with the result that the eventual revenue was much more than what the equipment cost. Consumers didn't win that battle against telcos easily and still have a long way to go against cablecos. The Parti Quebcois has a reputation for being very right wing/pro-business, (by Canadian standards) so the change in government in Quebec may have temporarily reduced the enforcement thrust behind this law. My first experience with a major cableco's attitude toward privacy was in the mid 80s when I received personalized junk mail from Superchannel at my non-published address. I called Shaw cable and confirmed that they had transferred customer names and addresses to this out of province pay TV company. Their tune changed after I filed a written complaint with the CRTC and quoted the relevant sections from the BC Credit Reporting Act. They then claimed to have handled the mailing for Superchannel but didn't bother to get together with Superchannel and put together a story consistent with the facts. When I heard the new story I asked them if they could describe the postage meter stamp on the envelope, ie. date, city, and meter number. After an embarassed pause they suggested that it might be their BC headquarters in North Vancouver. In fact it was Edmonton, Alberta. It is really quite a hoot to be questioning someone, catch them in a lie and see them realizing that they've been caught out when they are in too far to backout without admitting to being a bare faced liar. The CRTC, as usual, bought the Shaw line. The only change has been that pay TV advertising now arrives as non- personalized bulk advertising or gets stuffed in with Cableco bills. What you say about Videotron in Quebec doesn't surprise me. Here in B.C. Rogers Cable is making brave noises about a recently passed BC Consumer law not applying to them because they are a federally regulated service, formerly a total monopoly and still facing almost no competition. They don't have a culture of serving customers or of facing competition. BC's new law is modelled on a similar law in Quebec that is supposed to ban a favourite marketing technique used by Videotron and other Quebec cable operators. The B.C. law was introduced quickly to deal with the tidal wave of protest over Rogers latest negative option billing scheme(ie. we'll start charging you more for channels you probably don't want and hope that you don't notice or complain). It was only within the last few months that they started showing "Full Cable Service" as 2 separate charge items on invoices. They'd listed it as a single line item for years to keep most customers in the dark about the fact that a big part of their bill was for optional channels that they didn't have to pay for if they only wanted basic cable service. Rogers claims that this law doesn't affect them, but they clearly don't have any intention of getting into court. The impact on their bottom line from bad publicity and people lining up for hours to return their Rogers Wonder Boxes and terminate service would be more than they could possibly gain even if they won the case. Rogers also seems to have little regard for the property rights of Concord Pacific and BC Tel. News reports from Vancouver last week described how a convoy of cableco trucks carrying a small army of Rogers technicans descended on the all digital fiber Concord Pacific development last week, uttering fraudulent claims in an attempt to gain access to the network center for the BC Tel phone/video operation there. When their bluff failed they descended into the manholes around the development to see what they could find out about the technology deployed by BC Tel. Rogers seems reluctant to accept that the CRTC has opened up "cable" service to competition just as Rogers Unitel operation competes with Telcos. They claim to be planning to go to court to defend their "monopoly". It doesn't surprise me that a Cableco would dispute Quebec legislation. They seem very unwilling to accept any law that is against their financial interests. Rogers interest in BC Tel's Concord Pacific operation is understandable. BC Tel reportedly charges half as much as Rogers for a comparable bundle of video services. Ted Rogers and Jim Shaw saw Cableco after tax profits explode under the former conservative government, from $18M/year in the early 80s to $200M/year by the end of the decade. Along the way the politically directed CRTC consistently chose the Cableco's interest over consumers. Ted Rogers reportedly raised millions for the Tories during this period. The new Liberal government doesn't seem to have slowed him down much. At recent televised hearings the Chairman of the CRTC asked him if he would go on record as committing to pass along to customers part of economy of scale savings from proposed changes to customers. He said quite bluntly NO. The chairman responsed "that's clear, at least" and went on to give Rogers exactly what he asked for. My original post mentioned the lengths to which Canadians are going to obtain an alternative to Rogers/Shaw/Videotron cable monopolies. I didn't even mention the up front costs involved in a DBS receiver. Cableco arrogance and abysmal level of customer service is at least as big a part of the motivation as the exploding cost of cable service. You also write about Videotron wanting government health plan numbers. Most provinces have a waiting period before new residents are covered. Coverage is not mandatory, although most people choose to be covered, so there is no requirement that people have one and they may very well not have one at the time that they first open an account. Someone who joined the Armed Forces or the RCMP before personal health numbers were introduced and who is still serving probably wouldn't have one. There is also no requirement to have an SIN if you've never been employed and young people don't get one till they get their first job. This could apply to youths moving out of home to college for the first time. Are they supposed to apply for one just to get pay TV? Are foreign students refused this cable service because they can't work and obtain SINs? Has anyone actually taken Videotron to court? In any case it seems like a futile way of checking for credit. There have been many news reports here in BC about how easy it is to defraud the welfare system by going to a "photo ID" store, giving a phony name, and then going to apply for welfare, after which the fraud artist gets a GAIN card and Care Card with their "own" Personal Health Number. The reports described how the Ministry of Social Services doesn't seem to be concerned about reports from mail carriers who notice that several checks with different names arrive at the same address. The Care Cards are the same format as credit cards and a number were shown in a news story about an eastern fraud operation that involved capturing the encoded information from real credit cards and duplicating it on other compatible cards. ------------------------------ From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Date: 05 Feb 95 12:10:30 EST Subject: Tracking Deadbeats in Indiana from the Associated Press news wire via CompuServe's Executive News Service: APn 01/30 0147 Tracking Deadbeats By TED BRIDIS Associated Press Writer EVANSVILLE, Ind. (AP) -- Applying for a fishing license will get some residents here hooked for delinquent child support under a new federal law. The Family Support Act of 1988 sets a deadline of Oct. 1 for states to computerize records on deadbeat parents so they can more easily share information with each other and between their own counties. Indiana has decided to go one step further. By linking its state agencies by computer, welfare workers can use information supplied for such things as fishing and driver's licenses to track down deadbeat parents. The author makes the following key points: * Some officials are enthusiastic about such database linkages, whereas others object to any intrusion into privacy for whatever purpose. * Officials of the prison system in Indiana do not allow other state agencies to retrieve data from the Corrections Dept. computers, arguing that medical information in those files "are protected by federal confidentially laws." -- M.E.Kabay,Ph.D. Director of Education, NCSA (Carlisle, PA) Chief Sysop, CompuServe NCSA Forum Mgmt Consultant, LGS Group Inc. (Montreal, QC) ------------------------------ From: rj.mills@pti-us.com (Dick Mills) Date: 05 Feb 1995 12:29:49 -0500 Subject: Re: Who is Looking at Your Files? In comp.society.privacy [comp.society.privacy V6#009] I wrote: I once lived in Sweden. They don't respect individual rights a whole lot there, but they did have an innovation that impressed me. They have a law which mandates that the individual be sent a copy of any credit reports sent out. Thus I got to see who asked for information on me, when, and what they were told. Not bad. If there were any inaccuracies in the report, I could act in a timely manner to correct it. Jesse Mundis [jesse@oes.amdahl.com in comp.society.privacy V6#011] replied: I like his idea, a lot! That leads me to wonder if we couldn't form privacy rights legislation on the same principle. Instead of attempting to stop digitized signatures, sales records, video rental info, and the thousands of other data gathering activities, we could require that the individual be cc'd whenever this information was transmitted to third parties. A question for the group at large, what process would be required to get legislation like this in place? I've never written up a bill before, but this looks like a good idea. Anyone have a pointer to some specifics, possibly in the EFF or CPSR archives? I guess Jesse and I are the only ones who like this idea. There have been no other posts I've seen yet. Too bad. It could be the answer to a number of issues discussed recently in comp.society.privacy. For example: a) Radio Shack: Let them have the phone numbers! If they start abusing them then they would have to send notice to their customers revealing just what they did with the data. The knowledge that customers will be angry will have a chilling effect on data abuse wannabes. b) Requesting your own credit report isn't enough; several credit bureaus may have data on you [see Re: Credit Reporting comp.society.privacy V6#004]: Actually there is no upper limit on how many people might provide credit information on you. Asking for copies of your credit report is thus not much help. If the law required that you get a copy, then you would be informed regardless of who provided the information. c) Draft Privacy Principles 01/20/95 [comp.society.privacy V6#010]: It should be one of the principles in the draft that the individuals are always notified when their private information is transmitted between third parties. (hmmm I guess I ought to send them the comment myself). d) Police Abuse of Personal Records [comp.society.privacy V6#004]: If the citizens were getting copies when police request information on them from a national center, then abuse would be harder to spot. More important, knowledge that they could not do it secretly would deter police from abusing the data in the first place. Why isn't there more enthusiasm from comp.society.privacy readers? Is it not explained well? -- Dick Mills rj.mills@pti-us.com Power Technologies, Inc. phone +1(518)395-5154 P.O. Box 1058 fax +1(518)346-2777 Schenectady, NY 12301-1058 ------------------------------ From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Date: 05 Feb 95 14:12:46 EST Subject: Phone Users Slam Dunked from the United Press Intl news wire via CompuServe's Executive News Service: UPn 02/03 2014 California takes action to stop 'slamming' LOS ANGELES, Feb. 3 (UPI) -- The state of California took court action Friday to halt a small telephone company from switching the long distance service of thousands of Californians without permission. The complaint, filed in Los Angeles Superior Court, seeks an injunction against Sonic Communications Inc. for allegedly engaging in a practice known as "slamming." Attorney General Dan Lungren requested $5 million in restitution for customers and a $1 million fine. Key points from the article: * Sonic is accused of having sent out cheques for $10 to over 10,000 customers. * The "nearly illegible print on the back" of each cheque "gave the company permission to switch the person's long distance service to Sonic." * Anyone who cashed the cheque automatically had their service switched to Sonic, paying "double or triple" the normal long-distance rates. * Some customers were apparently switched to Sonic without their permission. [Comments from MK: This case is another in a long series demonstrating the poor state of authentication in a range of public and private services. Readers of COMPUTER PRIVACY DIGEST and of the NCSA FORUM on CompuServe have seen cases where registered mail has been handed over to people without identification; credit card applications filled out by criminals using innocent victims names; change of address forms accepted by post offices without verification; and many other cases. A complex society needs adequate non-repudiable forms of identity and authentication. Organizations providing services must require much higher standards of identification and authentication than currently demanded when changes can affect people's pocketbooks, bank accounts, health care, and other important services.] -- M.E.Kabay,Ph.D. Director of Education, Natl Computer Security Assn (Carlisle, PA) Mgmt Consultant, LGS Group Inc. (Montreal, QC) ------------------------------ From: John Medeiros <71604.710@compuserve.com> Date: 03 Feb 95 21:31:13 EST Subject: Re: The Cyber Police are Coming slowdog@wookie.net (slowdog) writes: The net is not a physical place where the Blues have to cruise around looking for people causing physical harm to anyone . . . . The net is a loose confederation of sovereign indivduals (because, in truth, all individuals are inherently sovereign). And the "cybercops" should stay home and watch cable television. Why should we exclude policemen from the use of the Internet? Is it because we don't like what they do? Or is it the things we think they stand for? What other groups should we exclude? Lawyers? Nope, can't do that, we'd lose EFF. How about politicians? No, then they'd take their servers and we'd never know what they're up to. If we are all sovereign, then we cannot exclude anyone, or any group, no matter how we feel about them. Each group is made up of individuals. Each individual is sovereign, no matter who they are. To quote slowdog: Any attempt to infringe upon the right of soveriegn individuals to freely communicate and control their own fate (in this case, on the net) should be met with a response from the -world's- net users. ------------------------------ From: "Prof. L. P. Levine" Date: 29 Dec 1994 10:50:22 -0600 (CST) Subject: Info on CPD [unchanged since 12/29/94] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V6 #015 ****************************** .