Date: Wed, 26 Jul 95 15:06:10 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#007

Computer Privacy Digest Wed, 26 Jul 95              Volume 7 : Issue: 007

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Social Security Number Abuse by Employer
    Texas Driver's License
    Re: Toys-R-Us Phone Number Request
    Re: Toys-R-Us Phone Number Request
    Re: Social Security Number Abuse by Employer
    Re: Social Security Number Abuse by Employer
    Defeating Signature Scans by Sears
    Kuwait: Telephone Pests Arrested
    The Information Culture
    New 8 Mb Smart Cards
    Re: Question about 'fingering...'
    The cost of Privacy
    Re: No Second Chance
    This Week's Free Online Privacy Article
    International Internet NewsClips
    Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: sarig@teleport.com (Scott Arighi)
Date: 23 Jul 1995 17:42:08 GMT
Subject: Re: Social Security Number Abuse by Employer
Organization: Teleport - Portland's Public Access (503) 220-1016

sarig@teleport.com (Scott Arighi) noted:

    Although not a legal point, I found that my bank would allow
    *anyone* with my checking account no. and my SS. no. to find out my
    bank balance -- which I view as a rather private matter. Now use a
    password on the account in addition to the numbers. In your case,
    it sounds like

wmcclatc@internext.com (Bill McClatchie) wrote:

    This is kind of redundant since most people have their SSN's on the
    check already.

Perhaps people in other areas of the country put their SSN on their
checks as a routine matter, but I don't get more than 1-2% of the
personal checks that I receive in my business that have the SSN on
them.

--
Regards.
Scott Arighi

------------------------------

From: Maryjo Bruce
Date: 23 Jul 1995 14:44:34 -0700 (PDT)
Subject: Texas Driver's License

I just went to have my driver's license renewed in Texas. I had to
provide both right and left thumbprints.
Does every state do that?

--
Mary Jo Bruce, M.S., M.L.S.
Sunshine@netcom.com

------------------------------

From: Kajae@aol.com
Date: 24 Jul 1995 02:23:16 -0400
Subject: Re: Toys-R-Us Phone Number Request

WELKER@a1.vsdec.nl.nuwc.navy.mil writes:

    Anybody out there shared the experience of having Toys-R-Us ask for
    your phone number before ringing up the sale, regardless of whether
    cash/check/charge?

Yeah, first hand, as a matter of fact. At the Toys-R-Us where I work,
the store management sometimes reprograms the registers to require
getting the zip code from the customer. Management's explanation was
that since there were two other Toys-R-Us stores within twenty miles,
plus the fact that there were several other stores (Meijer, Target,
Baby World, Sports Authority, Service Merchandise, and Wal-Mart among
others) that compete with us in that same radius, they wanted to know
how far their customers came in order to shop at our particular store.
*Exactly* why they wanted to know that still remains a mystery (does
any other business learn anything from Radio Shack?)

    They say it's for market survey purposes. The clerk was quite
    surprised at the tone of voice in my refusal.

Probably on the verge of tears is more like it. Customers who go to our
or any other store may not know (or care) how user-unfriendly even the
most up-to-date cash registers are, especially when they're programmed
to do something that isn't entirely necessary. I happen to know that
the registers we're using now will not let the cashier complete the
transaction (whether it be cash, check, or charge) without getting all
of the information it's programmed to ask for - regardless of whether
the customer wants to part with it or not. If the register isn't set up
to let the cashier skip the marketing part of the transaction, a
Department Head or DKC (Designated Key Carrier) would need to be called
in order to manually override the prompt.
Naturally, doing this takes longer than either getting valid
information or just entering gibberish - much to the chagrin of the
cashier as well as the two dozen people in line behind you.

However, you'll all be happy to know that at my particular store (and
perhaps a few others) the managers have figured out (finally) how to
program the registers so that the cashiers can skip the little add-ons
like zip codes and phone numbers simply by pressing the "Enter" key
when prompted for the info. The information-conscious among us can
bring this to the attention of the cashier and/or management the next
time this happens to them.

On a personal note: Always having to stop and ask (or argue with) the
customers for their additional personal info always slowed me down (and
as a reader of this group I also saw their point) so every time I was
prompted for the zip code, I just entered the zip code of the store.
Considering what that did to their survey, all parties concerned felt I
would be happier building bikes in the back of the storeroom - where no
one's right to privacy would be infringed upon... ;j

--
Karl Jackson
Kajae@aol.com
"Always be nice to your cashier. No matter how long you've been waiting
in line, they've been there longer!"

------------------------------

From: DLEUCHT@ccmail.gsfc.nasa.gov (David K. Leucht)
Date: 25 Jul 1995 12:07:18
Subject: Re: Toys-R-Us Phone Number Request
Organization: NASA Goddard Space Flight Center -- Greenbelt, Maryland USA

WELKER@a1.vsdec.nl.nuwc.navy.mil writes:

    Anybody out there shared the experience of having Toys-R-Us ask for
    your phone number before ringing up the sale, regardless of whether
    cash/check/charge? They say it's for market survey purposes. The
    clerk was quite surprised at the tone of voice in my refusal.

Haven't purchased from TRU recently, but Service Merchandise requests a
phone number. SM has apparently purchased the phone list for our area.
I once gave them the phone number and to my surprise, my name and home
address appeared on the clerk's terminal screen. My guess is SM is
using the purchase data to construct purchasing profiles of customers;
the most likely current use is to determine catalog shipping lists, but
one can only wonder what other uses they have for it.

Needless to say, I no longer acknowledge possession of a telephone to
*any* commercial enterprise.

-----------------------------------------------------------------
David K. Leucht                    Internet: dleucht@ccmail.gsfc.nasa.gov
Guidance and Control Branch        Voice: (301) 286-4460
NASA/Goddard Space Flight Center   FAX: (301) 286-1718
Code 712.1
Greenbelt, MD 20771
-----------------------------------------------------------------

------------------------------

From: jcr@mcs.com (John C. Rivard)
Date: 25 Jul 1995 15:17:59 -0500
Subject: Re: Social Security Number Abuse by Employer
Organization: very little

wmcclatc@internext.com (Bill McClatchie) wrote:

    This is kind of redundant since most people have their SSN's on the
    check already.

I hope you are joking. You actually have your SSN printed on your
check? Do you also include all your credit card numbers, with their
expiration dates? Might as well.

--
John C. Rivard  Opinions expressed yadda yadda--you know the drill

------------------------------

From: berczuk@glendower.mit.edu (Steve Berczuk)
Date: 1995 20:32:26 GMT
Subject: Re: Social Security Number Abuse by Employer
Organization: MIT Center for Space Research

wmcclatc@internext.com (Bill McClatchie) writes:

    This is kind of redundant since most people have their SSN's on the
    check already.

Actually no they don't; Though I have wondered why it seems to be the
practice in some parts of the country to have the SSN imprinted on the
check. Pretty scary considering that with a SSN, and checking acct #
you can fill out a credit card application.
In MA, it's illegal to require anything other than name/address
driver's license number and a phone number on the check. (though if
your DL # is the same as your SSN that's another problem; though it can
be corrected..)

--
Steve Berczuk -berczuk@mit.edu | MIT Center for Space Research
Phone: (617) 253-3840          | 37-561
Fax: (617) 253-0861            | Cambridge MA 02139

------------------------------

From: Paul Robinson
Date: 26 Jul 1995 14:37:29 EDT
Subject: Defeating Signature Scans by Sears
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

Those of you who prefer not to have your signature scanned by Sears or
other such places now have a method without requiring you make a scene
or cause a problem.

First, call your credit card company (or Sears) and tell them you need
a replacement card. Explain to them what do they think happens if a
clerk places your card on the pad that says, "Do not put bank, atm or
credit cards here." They will understand, and send you another card.

Now, once you have the replacement, either take that one, or the other
one, and demagnetize it for real. (The reason for using the above
explanation is to allow you to ask for a new card without demagnetizing
yours until you have a replacement, and without lying to them.)

Now, when Sears wants to scan your signature, hand the clerk the
demagnetized card. The card will not scan. The clerk will therefore use
the addressograph charge-slip imprinter ("Slide rack") to create an
actual tissue of the transaction. The cash register does not ask for
signature when the card cannot be scanned.

The meaning of this:

1. Sears gives you back the receipt you signed when signature imaging
   is used.
2. The image of your signature is only taken to correspond to a
   transaction you have made.
3.
The clerk has no access to anything you signed if your card scans and
your signature is imaged.
4. If the card does not scan, Sears does not take the image of your
   signature.

Which leads to the conclusion (my interpretation): Sears takes an image
of a signature for one reason, and only one: to have an electronic
image of the transaction for processing, so as to reduce the amount of
paper they have to generate or process.

So if you really do not want to leave a scanned signature with them,
here's a way to do so. I found this out when the mag strip on the
Discover Card I had didn't work, so this time they did not ask for my
signature on the pad.

I think it's a great idea, since there isn't even a carbon that would
need to be thrown away, and I have no problems with Sears scanning
signatures including mine. Other people may disagree, and that's what
this message is designed to assist, those who do not want to have their
signature imaged but don't want to be considered a "troublemaker."

------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 24 Jul 95 14:29:08 EDT
Subject: Kuwait: Telephone Pests Arrested

Taken from the Reuters news wire via CompuServe's Executive News
Service:

    RTw 07/23 0201 Kuwait's phone pests nabbed

    KUWAIT, July 23 (Reuter) - Kuwaiti authorities disconnected 4,288
    telephone subscribers for making obscene or nuisance calls in the
    first six months of 1995 and referred 1,698 of them to police for
    investigation, newspapers reported on Sunday.

    About 3,000 telephone lines were monitored in the period to enable
    abusive callers to those numbers to be traced, the English-language
    Kuwait Times and Arab Times quoted Ministry of Communication
    official Adel al-Ibrahim as saying.

The article makes the following key points:

o Several arrests for phone tapping, "carried out by people of low
  morality or delinquents."

o "[A]ffluent young men ... bug cordless phones with expensive
  surveillance gadgets."

M.E.Kabay,Ph.D. / Dir.
Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 25 Jul 95 06:17:38 EDT
Subject: The Information Culture

Taken from the German Press Agency news wire via CompuServe's Executive
News Service; translated by MK with the help of Power Translator Deluxe
1.0 from Globalink Inc:

    dpa 95.07.18 10:33 Wissenschaftler fordern "Informationskultur" im
    Datennetz

    Bonn (dpa) - Die rasante Entwicklung in der Telekommunikation mus
    nach Ansicht von Informatik-Experten eine neuen Form der
    "Informationskultur" zur Folge haben.

Translation:

    Scientists demand "information culture" in the data network

    Bonn (German Press Agency) - The rapid development of
    telecommunications will lead to an "information culture," according
    to an informatics expert.

The article makes the following points:

o At a conference in Bonn on Tuesday (18 July), Professor Wolfgang
  Glatthaar warned of insufficient research on the effects of the
  growing data superhighway.

o Professor Glatthaar said that the population must be prepared at all
  levels of education - especially adult education - for the new
  technology. "The use of electronic media will be equivalent to
  today's reading, writing and calculating for every profession and
  activity," said Glatthaar.

o Glatthaar argued for international agreements to cover responsibility
  for the quality of information posted to the Net.

o He argued against anonymous communications, pseudonyms and deliberate
  disinformation campaigns.

o Frankfurt computer scientist Hans Schussler said that current
  copyright laws are inadequate to protect the privacy and security of
  intellectual property.

o Werner Schmidt, a commissioner in the Bundesbeauftragten fur den
  Datenschutz (League for Data Protection), called on industry to
  create internationally binding guarantees for users.
  It is already technically possible now, he said, to enforce
  identification and authentication for all users of data networks.

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 25 Jul 95 06:45:15 EDT
Subject: New 8 Mb Smart Cards

From the German Press Agency news wire via CompuServe's Executive News
Service; translated by MK with the help of Power Translator Deluxe 1.0
from Globalink Inc:

    Siemens entwickelt Chipkarte als CD-Ersatz

    Copyright dpa, 1995

    Munchen (dpa) - Die Siemens AG (Berlin/Munchen) entwickelt eine
    eine Mini-Chipkarte als Ersatz fur die Compact Disc (CD). Bei der
    sogenannten MultiMediaCard, die kleiner als ein Scheckkarte ist,
    konnen Informationen, wie etwa Software, Nachschlagewerke,
    Reisefuhrer oder Spiele, Musik oder sogar Photos gespeichert
    werden. "Tausend CDs als Chipkarten in einer Zigarrenschachtel sind
    moglich," hies es am Mittwoch aus dem Hause Siemens.

Translation:

    Munich (German Press Agency) - The Siemens INC (Berlin/Munich) is
    developing a Mini-Smart-Card as a substitute for the Compact Disc
    (CD). The MultiMediaCard, which is smaller than a credit card, can
    store information such as software, reference books, guides or
    games, music or even photos. "Thousands of CDs could fit in a cigar
    box using Mini-Smart-Cards," announced Siemens on Wednesday (19
    July).

Key points of interest to security professionals:

o No moving parts, minimal power consumption; could be powered by solar
  cells.

o Prototypes and first model using ROS (Record on Silicon) technology
  hold 8 Mb; expect 64 Mb after 1997.

[Comments from MK: this technology will boost the utility of smart
cards in many fields, including medical informatics. Availability of
extensive storage capacity will allow better identification and
authentication techniques such as high-quality voice recognition to
reside in access tokens.]

--
M.E.Kabay,Ph.D. / Dir.
Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

From: leec@xmission.com (Lee Choquette) (by way of leec@xmission.com (Lee Choquette))
Date: 25 Jul 1995 08:53:54 -0700
Subject: Re: Question about 'fingering...'
Organization: XMission Internet (801 539 0900)

grifter@dircon.co.uk (David Griffiths) wrote:

    Sorry if this is the wrong place to ask, but I have heard about a
    system called 'fingering', which I understand is a way of snooping
    across an individual's activities on the net. Can this be true? I
    would be very unhappy to think that somebody could be monitoring my
    every move. Thanks in advance.

Don't worry, you have to cooperate to be 'fingered.' To get any
information at all about you through the finger command, you have to
have a finger daemon (aka finger server) running on *your* computer.
You can set up this finger daemon to do whatever you want, but they
typically show whether you're logged on or not. If you provide your
phone number or other information, they display that, too. Some
computers actually tell you what programs the people logged in are
running, but yours isn't one of them.

You may be happy to know that your computer (dircon.co.uk) gives me no
information at all.

--
Lee Choquette    http://www.xmission.com/~leec/    leec@xmission.com
I love work. I could watch it all day.

------------------------------

From: rdurie6@ibm.net
Date: 25 Jul 95 13:48:56
Subject: The cost of Privacy

I just got a call today from our friends at Bell Atlantic and they
wanted to know if I want Caller ID. I said no, and went into my usual
about the invasion of privacy when they told me that for an additional
$3.00 per month I could stop my number from being given out.
Not only do they sell my phone number which I have not agreed to but
now they want me to pay to keep my information private. Boy isn't this
a wonderful world!

--
Robert Durie

------------------------------

From: berczuk@glendower.mit.edu (Steve Berczuk)
Date: 25 Jul 1995 20:41:32 GMT
Subject: Re: No Second Chance
Organization: MIT Center for Space Research

anonymous writes:

    Being a recovering alcoholic I was saddened to learn that I have
    been *branded* by the insurance industry for having elected to
    enter a drug rehab a few years ago. It seems their records show I
    have a pre-existing condition and therefore am a high-risk. This
    makes it most difficult to obtain insurance; and worse, any
    employer who may provide insurance will be made aware of my past
    drinking and God knows what else. (they have detailed records of my
    35 day hospital stay, I saw it)

Alas the problem with this is that you may not be able to get your own
insurance for the same reason, and if you can, often coverages provided
by group policies that you can get through your employer are not
available for non-group policies...

There was a news item recently in MA about folks with histories of
being abused by spouses being denied insurance. There have been similar
issues around folks who have ever had psychotherapy...

This brings up an interesting problem: wouldn't common sense make you
think that someone who sought out treatment for a problem would be
*less of a risk* than someone who had not... I imagine that the problem
is that insurers can't make judgements about a hidden affliction, but
by taking positions like this it would seem that there is a greater
likelihood of folks avoiding treatment for too long... that discussion
is perhaps beyond the scope of this group, but better controls on
access to and use of medical history might be a way to get at this.
--
Steve Berczuk -berczuk@mit.edu | MIT Center for Space Research
Phone: (617) 253-3840          | 37-561
Fax: (617) 253-0861            | Cambridge MA 02139

------------------------------

From: invis@ix.netcom.com (Duane Pitlock)
Date: 25 Jul 1995 20:35:23 GMT
Subject: This Week's Free Online Privacy Article
Organization: Netcom

This week's FREE ONLINE PRIVACY ARTICLE can be accessed by emailing
Privacy-Article@Mailback.com, no need to put anything in the SUBJECT or
BODY of your message. The Article will automatically be sent to your
computer, instantaneously.

------------------------------

From: cpsr-global@Sunnyside.COM
Date: 24 Jul 1995 01:28:42 -0700
Subject: International Internet NewsClips

Taken from CPSR-GLOBAL Digest 203

[moderator: I have trimmed away items that do not seem to relate to
privacy.]

Date: 23 Jul 1995 17:27:31 -0600
From: marsha-w@uiuc.edu (Marsha Woodbury)
Subject: (@) "International Internet NewsClips"

....

Hello folks -

Here are excerpts from this week's edition of my weekly column,
"International Internet NewsClips." You can find the full column plus
archives (as well as book reviews) at the MecklerMedia Web site
(http://www.mecklerweb.com) under the Net Day section. Happy reading!

Questions, comments, feedback, translations from other languages, etc.
most welcome as always

- madan

Madanmohan Rao                 Phone: (212) 963-1175
Communications Director        Fax: (212) 754-2791
Inter Press Service            E-mail: rao@igc.org
Room 485, United Nations, New York

------------------------------------------------------------------

Concern About Online Sex And Violence Grows In Australia
--------------------------------------------------------

Concern about sex and violence on online services and BBSs has led the
Federal Government to seek public comment on draft legislation
regulating online content. Questions remain as to how to apply
obscenity laws to service providers who knowingly or unwillingly have
"objectionable" content on their services.
Several approaches are under consideration - self-regulation according
to standards developed by consensus with community sentiment, offense
provisions, and educational strategies for schools and parents. It is
not clear, however, how intermediate agents such as Internet access
providers, gateways and database replicators will fare under some of
these provisions. (Sydney Morning Herald, Australia; July 18-24, 1995)

Internet Usage Records Raise Privacy Concerns
---------------------------------------------

Many Internet users fear that individuals could face public
humiliation, harassment, or damage their careers if some information
about their Internet usage patterns became public. Though information
about individual behaviour has always been collected, the tremendous
breadth and depth of information about Internet usage raises new
concerns. "People need to be fully informed about how the data on each
site are being collected, and how their privacy is being protected,"
according to Ann Bishop, a library science professor. (Chronicle Of
Higher Education; July 21, 1995)

Porn Issue Sparks Largest Internet Mobilization
-----------------------------------------------

The response of the Internet community to allegations of rampant online
pornography may be "the largest mobilisation yet on the Internet over a
current event." Internet users have made "a practical crusade" out of
investigating the study's author and debunking its conclusions. For
instance, it appears that Martin Rimm has a history of conducting
research in which the results are criticised but that leads to
government action, such as his earlier study on gambling in New Jersey.
The World Wide Web pages at
http://www2000.ogsm.vanderbilt.edu/cyberporn.debate.cgi have useful
information on such issues. (Knight-Ridder Business News; July 15,
1995)

------------------------------

From: "Prof. L. P.
Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail.
Those who understand the technology also understand the ease of forgery
in this very free medium. Statements, therefore, should be taken with a
grain of salt and it should be clear that the actual contributor might
not be the person whose email address is posted at the top. Any user
who openly wishes to post anonymously should inform the moderator at
the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do not
include entire previous messages in responses to them. Include your
name & legitimate Internet FROM: address, especially from .UUCP and
.BITNET folks. Anonymized mail is not accepted. All contributions
considered as personal comments; usual disclaimers apply.
All reuses of CPD material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using
CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission.
If selected, they are printed within two or three days. The moderator
reserves the right to delete extraneous quoted material. He may change
the SUBJECT: line of an article in order to make it easier for the
reader to follow a discussion. He will not, however, alter or edit or
append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |               and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V7 #007
******************************