Date: Wed, 10 May 95 19:53:37 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V6#044

Computer Privacy Digest Wed, 10 May 95              Volume 6 : Issue: 044

Today's Topics:                         Moderator: Leonard P. Levine

            Re: California Digital Signature Bill
            California Bill on CallerID
            Digital Signature legislation-in-process
            Re: Could What You Post be Used to Profile You?
            Privacy of Tax Files
            Re: ID Microchip
            Re: ID Microchip
            Re: What are the VISA Codes?
            Re: Just how secure *is* public key encryption?
            Databases
            Re: SSN Question
            Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: Privacy Rights Clearinghouse
Date: 05 May 1995 14:18:53 -0700 (PDT)
Subject: Re: California Digital Signature Bill

On 26 Apr 1995, Privacy Rights Clearinghouse wrote:

Those interested in on-line privacy should be aware of a bill in the
California Legislature. A.B. 1577, sponsored by Debra Bowen, addresses
the issue of digital signatures. There are versions of the same bill
under consideration in Oregon, Washington, and Utah as well.

Peter Marshall wrote:

It is not clear that a version of this same bill, or a substantially
similar measure is "under consideration" in WA. A bill of this topic
was intro'd in the '95 regular session of the WA Leg., and had one
informational hearing. The bill's prime sponsor explained he had no
intent in this session beyond just that, and the measure has gone no
further, with the regular Leg. session just concluded here in WA. Wait
'til next year....

The Utah bill, Senate Bill 82, was signed into law on March 9, 1995.
The Oregon bill, Senate Bill 992, was introduced on March 20, 1995,
sent to the Judiciary Committee on March 23, and subsequently referred
to the Ways and Means Committee. The Washington bill, Senate Bill 5959,
was introduced on February 17, 1995.
It was sent to the Energy, Telecommunications, and Utilities Committee
on that date, and no action has been taken on it since.

The California Bill, AB 1577, was radically altered on Wednesday, May
3. The original version of the bill was thirty pages long; the new
version is one page long. The original version (patterned after Utah
S.B. 82) set out a complicated "certification authority" licensing
scheme and established a government-run database of public encryption
keys. The new version simply establishes the legality of digital
signatures under certain circumstances.

The American Bar Association is developing model 'Digital Signature'
legislation. The chief reporter on the project is Alan Asay, who
authored the Utah bill. Thus it is likely that the ABA model
legislation will be similar to Utah S.B. 82.

As Barry Fraser noted in the previous message that we sent concerning
the California bill, the Privacy Rights Clearinghouse believes that
privacy issues are inadequately addressed in the current legislation.

--
Brad Biddle, Legal Intern     | ** Privacy Resources * Consumer Advocacy **
Privacy Rights Clearinghouse  | e-mail: prc@acusd.edu OR biddle@acusd.edu
Ctr. for Public Interest Law  | gopher: gopher.acusd.edu (/USD CWIS /PRC)
University of San Diego       | telnet: teetot.acusd.edu (login: privacy)
CA HOTLINE: 1-800-773-7748    | anon ftp: ftp.acusd.edu (cd pub/privacy)
OUTSIDE CA: +1-619-260-4806   |URL:gopher://pwa.acusd.edu/11/USDinfo/privacy

------------------------------

From: Privacy Rights Clearinghouse
Date: 08 May 1995 14:58:00 -0700 (PDT)
Subject: California Bill on CallerID

Californians might be interested in knowing that there is a state bill
which proposes to do away with the California Public Utilities
Commission's (CPUC) decision regarding the per line blocking default
for caller ID. A.B. 1889 was amended on April 24, 1995, to provide that
if a caller does not elect either per call or per line blocking, they
will automatically be assigned PER CALL blocking.
This would coincide with the recent FCC ruling regarding caller ID,
which is expected to be appealed by the CPUC. It would gut the CPUC's
1992 ruling that requires those phone customers who already have
unlisted/unpublished numbers to be given per line blocking by default
(43% of California households).

Consumer advocates are urging any Californians who do not want the
CPUC's decision to be weakened to contact their state legislators ASAP.
AB 1889 is currently in the Assembly Committee on Appropriations.

------------------------------

From: jwarren@well.sf.ca.us (Jim Warren)
Date: 08 May 1995 18:07:07 +0800
Subject: Digital Signature legislation-in-process

Please circulate this freely. Although this concerns California
legislation, for better or worse, California statutes often prompt
similar action in other states and even at the federal level.

California state Assembly Bill 1577 (Bowen) would mandate and/or permit
certain things regarding legal status and use of digital signatures -
at least as used in doing business with the state. Its first 8-page
version was originally copied from similar Utah legislation; also
similar to bills in Washington State and Oregon.

A later 1-page version of AB 1577 radically changed things - and
bill-author Debra Bowen has committed to giving full and careful
consideration to all *timely* input and suggestions regarding this
issue before she moves the bill to any final legislative vote. Bowen's
aide handling the bill is Bob Alexander, alexanrb@assembly.ca.gov . I
suggest that those interested emphasize the word, *TIMELY*.

With Bowen's knowledge and with aide Alexander as one of its
recipients, an open listserv for public discussion of this issue has
been set up by the nonprofit CommerceNet, and extensive comments have
already begun circulating.
If you are interested in these issues - and legislation impacting this
evolving technology - you may wish to [1] subscribe to ca-digsig
(below) and [2] check the bill-text, available from sen.ca.gov or from
the new Assembly web-page that may or may not be up-n-running yet
(http://www.assembly.ca.gov/).

The archived mailing list has been established on the CommerceNet WWW
server. You may reach the archives at:

    http://www.commerce.net/archives/ca-digsig/

To subscribe or unsubscribe, simply mail to:

    ca-digsig-request@commerce.net

To send a message to the mailing list, simply mail to:

    ca-digsig@commerce.net

Since most calgovinfo folks aren't gonna be interested in the arcane
techno-haggles re digital signatures, personally, I would suggest that
most discussion of this might oughta be conducted in that listserv,
rather than here in calgovinfo - at least until/unless grassroots
political action/advocacy/rabble-rousing is needed/desired.

--
Jim Warren, GovAccess moderator; columnist, MicroTimes/Govt.Tech/BoardWatch
345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/<# upon request>
jwarren@well.com (well.com = well.sf.ca.us)
[puffery: James Madison Freedom-of-Information Award, Soc. of
Professional Journalists - Nor.Calif.(1994); Hugh Hefner
First-Amendment Award, Playboy Foundation (1994); Pioneer Award,
Electronic Frontier Foundation (its first year, 1992); founded
Computers, Freedom & Privacy confs, InfoWorld, etc.]

------------------------------

From: JF_Brown@pnl.gov (Jeff Brown)
Date: 05 May 1995 23:34:26 +0000 (GMT)
Subject: Re: Could What You Post be Used to Profile You?
Organization: Battelle Pacific Northwest Labs

Paul Hanssen (phanssen@uniwa.uwa.edu.au) writes:

Isn't it possible for someone (e.g. the government or a private
database provider) to get an internet site with a news feed and write a
program to sort all incoming articles by person? This information could
then be used to make up a profile of likes/dislikes and opinions of
that [...]
bo774@freenet.carleton.ca says...

Have you had an ID for long? Every few months I get some sort of
solicitation based on postings to technical newsgroups, ranging from
wannabe programmers who think that I'd pay them to grind micro code for
me, to solicitations for products. This is not only possible, it's been
going on for years.

I just recently received an email advertisement which I soon determined
was sent to several posters to a particular "comp." newsgroup.

My company is downsizing, and someone from a Contract Programmer firm
called me to solicit me to join them. So I guess they heard of the
downsizing, and somehow got a list of employees, and perhaps of
employees in Information Technology. I suspect the latter, but I don't
know their information source.

--
Jeff Brown
JF_Brown@pnl.gov

------------------------------

From: anonymous
Date: 07 May 1995 15:58:46 -0400 (EDT)
Subject: Privacy of Tax Files

[moderator: this person wished to remain anonymous, I post this over my
own sig.]

One of the posts on the latest edition dealt with the privacy of tax
files. The author took two quotes from a newsletter, the first implying
that the IRS is making all the information available to just about
anyone who wants it.

I would appreciate it if any other responses come to that posting if
you could (on my anonymous behalf) clarify that the 200 recipients of
tax information receive that information ONLY BECAUSE CONGRESS MANDATES
THE EXCHANGES OF THE INFORMATION. IRS has NO authority to determine who
gets tax information. Congress removed that discretion from the IRS in
1976, when it reformed the tax system. (Also the scope of the
disclosures varies -- everyone does not get everything -- far from it.)

Now to the reason I didn't feel I could clarify this one in open
cyberspace -- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. I have ignored
postings in the past, however, this one was so out of context, I
couldn't let it pass.
So if folks have difficulty with these 200 recipients, tell them to
write to Congress.

------------------------------

From: Timothy Brown
Date: 08 May 1995 15:49:00 -0500 (CDT)
Subject: Re: ID Microchip

(wjwinn@kocrsv01.delcoelect.com) wrote:

> > As a related aside, the media has reported that several far right-wing
                            ^^^^^

What hasn't the "media" reported about "far right-wing" groups
recently?!

I am a loyal reader of comp.society.privacy, and appreciate the
information that is provided in this group. However, last week a
posting by Bill Winn (wjwinn@kocrsv01.delcoelect.com) went beyond the
pale of personal opinion. An attempt was made to use the current
political environment to smear the John Birch Society.

I am a member, and volunteer leader in the John Birch Society, and I
have read many of the books and other publications put out by JBS, but
I have never read anything suggesting a belief that fluoride added to
water can be used for mind control. I hope readers of this group have
enough sense not to believe all that they read, whether it is on the
Internet, or in the local paper.

It is clear that now, more than ever, we must work together to prevent
our civil liberties from being taken away. Blanket smears against
organizations (from the "left" or the "right") harm us all.
Communication and truthful information should be used as the basis of
your opinions, not sensationalism.

Thanks for listening.

------------------------------------------------------------------
| Timothy Brown a.k.a publius@prairienet.org                     |
| Education is our total strategy; the Truth is our only weapon. |
| For information about the John Birch Society,                  |
| 'finger publius@prairienet.org'                                |

------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 09 May 95 09:43 EST
Subject: Re: ID Microchip

Development of ID microchips is not limited to classroom discussions
and right-wing paranoia.
PRIVACY JOURNAL reported in its June 1994 edition that most animal
shelters in the U.S. are currently using these chips to keep track of
pets. The main obstacle has been agreement among the three major
manufacturers on uniform standards. They reached agreement on radio
frequencies and other standards Oct. 26, according to our November 1994
issue.

The manufacturers, which include Trovan in Santa Barbara, Hughes
Aircraft in Los Angeles, and BI in Boulder, Colo., now want to move
into "the human market." Already breast implants include a unique
serial number (which can be recognized without having to intrude into
the body). The garment industry is working on a microchip implant to
identify garments. Hughes is working on an implant that would include
medical histories that could be read by receivers about 12 inches away,
perhaps in an emergency.

PRIVACY JOURNAL reported in its September 1994 issue that Congress last
summer authorized $900,000 over three years for a private organization
to develop a "Missing Alzheimer's Disease Patient Alert Program" (Title
XXIV of Public Law 103-322). The same issue reported that Lawrence
Gold, who does research for the Nielsen TV ratings people in Chicago,
proposed a human implant to identify family members watching TV, to
include their demographic information. Gold wrote in Marketing Research
magazine that he thought new generations of Americans would not object
to having these microchip implants.

The mainstream press has not reported these news items, but PRIVACY
JOURNAL has been on the story. To get subscription information, call us
at 401/274-7861 or write to 0005101719@mcimail.com, or PO Box 28577,
Providence RI 02908.

Robert Ellis Smith, Publisher

------------------------------

From: sdabbs@netcom.com (\Steven C. Dabbs)
Date: 06 May 1995 01:14:31 GMT
Subject: Re: What are the VISA Codes?
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

Mike Leach (mleach@equity2.sbi.com) wrote:

The caller said my friend had won (at least) $2500 worth of prizes...
The grand prize was a car and she was one of only 5 finalists. All that
was required was a small ($750) purchase made with her (my friend's)
visa card. What intrigued me was that the caller wanted to know what
code was next to the expiration date on her visa card! (I have 2 visa
cards, both with different codes there.) Was this an attempt to figure
out her Credit Limit or Rating?

usually CV for visa classic or PV for preferred visa (GOLD). A PV has a
minimum limit of $5000 and probably has more :) obviously they are
targeting those with higher limits..

------------------------------

From: wilcoxb@cs.colorado.edu (Bryce Wilcox)
Date: 06 May 1995 20:14:56 GMT
Subject: Re: Just how secure *is* public key encryption?
Organization: University of Colorado, Boulder

Christopher L. Barnard wrote:

Contrary to popular belief, the NSA can decrypt public keys of most
practical key sizes. However, the computer resources need to decrypt
public-key-encrypted messages make it difficult for the NSA to perform
broadband intercept and decryption if many end users use public-key
encryption."

(I assume they mean "decrypt public-key-encrypted messages"...)

Hm. What does "most practical key sizes" mean? It is obviously untrue
on the face of it, since 2048-bits is a practical key-size and the NSA
can *not* factor 2048 bit PGP. (Unless the NSA has some breakthrough
algorithm or technology, but it is unlikely that this magazine would
happen to know about it. :-) )

Could somebody estimate what is the largest key size that the NSA
*could* currently factor? I'd be surprised if 1024-bit wasn't far out
the reach of any current computational effort.
--
Bryce
bryce.wilcox@colorado.edu

------------------------------

From: Kip Guinn
Date: 09 May 1995 10:40:47 -0600
Subject: Databases

Rcktexas wrote:

Where do I get started in this topic with regard to databases, in
particular medical databases: Where do I get a list of medical
databases? How do I access them or get information about a client from
them? Thanks for your assistance,

I wanted to add to this with a question that has been on my mind for
some time now:

We hear a lot about the databases out there, how easy they are to
access, how PIs (priv. investigators) can find out all about you in one
easy phone call, etc. We also hear about databases that are not subject
specific (like a medical or credit database) but all-encompassing,
basically pulling in info from the specialized databases and compiling
info on you.

But. I have never seen ANY of the companies named. Never seen any post
about how someone checked them out. Never seen any info on how to go
about this. Etc. etc.

So, I thought this would be an excellent place to ask: What large
database companies (besides SS admin, credit agencies, the obvious
ones) are out there and how easy are they to use? How sinister are
they?

--
Kip
trying hard not be scared at this point, but failing... :)

------------------------------

From: Paul Robinson
Date: 09 Apr 1995 04:59:53 -0500 (EST)
Subject: Re: SSN Question
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

gmcgath@condes.MV.COM (Gary McGath) writes:

Recently a magazine sent me a set of writer's guidelines, which
contained the following remarkable (to me, anyway) claim: "Please
understand that, by law, we can not send payment for an article until
we have your personal information including your social security
number."

wmccarth@t4fsa-gw.den.mmc.com (Wil McCarthy), writes in comp-privacy:

This requirement stems from the fact that publishers have to withhold
taxes from payments

I do not think this is correct.
I am unaware of any withholding requirement for independent
contractors. They may believe they are required to withhold 20% of the
income received if no identification number (Social Security or
Taxpayer Identification Number) is obtained, but to the best of my
knowledge, there is no withholding to independent contractors. I
believe the law does not require it.

Whether or not there is actually a statute on the books that clearly
and explicitly requires the reports to be filed is another matter.
There may be. On the other hand, the IRS routinely has its people lie
to get away with criminal acts, and to collect information which they
are not really entitled to have. Most people are so frightened of them
that if they were told to do something illegal, they would rather than
get the IRS mad at them. With good reason, considering its propensity
to have people shot when they want to make an example of someone if
they think they can get away with it.

to an author if they pay him more than $600 in a year, and as of 1994 I
believe they have to file a 1099-MISC on you for "information purposes"
if they pay you anything at all.

I don't think the law could require someone to report minor sums,
assuming the law even requires people to file reports. My guess is that
the law, if it even exists, is very ambiguous and is generally
interpreted in a manner which is most favorable to the government's
efforts at raising fear. The primary purpose of the IRS is not to
collect money, it's to scare people into doing whatever the government
wants, then into collecting money. There are too many things that the
employees get away with that ordinary police officers would be doing
prison sentences if their primary purpose was only the collection of
money.

IRS has no respect for your privacy. Or your human rights, or anything
else.

[moderator: This posting continued for a while on issues that did not
deal with privacy.
I had to debate on cutting the whole report or keeping the part that I
felt was pertinent.]

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail.
Those who understand the technology also understand the ease of forgery
in this very free medium. Statements, therefore, should be taken with a
grain of salt and it should be clear that the actual contributor might
not be the person whose email address is posted at the top. Any user
who openly wishes to post anonymously should inform the moderator at
the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do not
include entire previous messages in responses to them. Include your
name & legitimate Internet FROM: address, especially from .UUCP and
.BITNET folks. Anonymized mail is not accepted.
All contributions considered as personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.

Contributions generally are acknowledged within 24 hours of submission.
If selected, they are printed within two or three days. The moderator
reserves the right to delete extraneous quoted material. He may change
the SUBJECT: line of an article in order to make it easier for the
reader to follow a discussion. He will not, however, alter or edit or
append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V6 #044
******************************