Date: Sat, 29 Jul 95 08:54:10 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#008

Computer Privacy Digest Sat, 29 Jul 95              Volume 7 : Issue: 008

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Texas Driver's License
    Re: Social Security Number Abuse by Employer
    Re: Social Security Number Abuse by Employer
    Re: Social Security Number Abuse by Employer
    Re: Social Security Number Abuse by Employer
    More SSN Abuse
    Information Collection at Sears
    Phone Sales
    EC Adopts Privacy Directive
    Re: BC Telephone Co. Publishes Another Unlisted Home address
    Privacy in Commercial Use of the Internet
    Time Magazine Eats Crow
    Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: coleman@alexia.lis.uiuc.edu (Scott Coleman)
Date: 27 Jul 1995 17:23:34 GMT
Subject: Re: Texas Driver's License
Organization: University of Illinois at Urbana

In Maryjo Bruce writes:
>I just went to have my driver's license renewed in Texas. I had to
>provide both right and left thumbprints. Does every state do that?

No.

CA: Right thumb print.
IL: No thumb print.

--
Scott Coleman, President ASRE (American Society of Reverse Engineers)
asre@uiuc.edu

and From: idela!markb@ide.com (Mark Bells Home Account)

California does. They use an electronic imaging system where the applicant puts her/his thumb on a little glass plate. The operator then has a remarkably good image on a PC screen and can ask the applicant to make any adjustments (lighter, heavier, etc.). I had the operator show me what she was seeing and it was a high quality image.

This of course is captured digitally and stored somewhere. I asked if it is encoded on the magnetic strip on the license but she said no, all that the strip had was name and address.

--
Mark Bell
IDE
Northridge, CA

and From: JF_Brown@pnl.gov (Jeff Brown)
organization: Battelle Pacific Northwest Labs

Washington State does not.
and From: levine@cs.uwm.edu
organization: University of Wisconsin-Milwaukee

Wisconsin demands only that you give your SocSecNo, it does not appear in the license but is held in the computer records.

------------------------------

From: JF_Brown@pnl.gov (Jeff Brown)
Date: 26 Jul 1995 19:40:29 +0000 (GMT)
Subject: Re: Social Security Number Abuse by Employer
Organization: Battelle Pacific Northwest Labs

wmcclatc@internext.com says...
>This is kind of redundant since most people have their SSN's on the check already.

I certainly hope not! NOT MINE!

--
Jeff Brown
JF_Brown@pnl.gov

------------------------------

From: coleman@alexia.lis.uiuc.edu (Scott Coleman)
Date: 27 Jul 1995 17:20:40 GMT
Subject: Re: Social Security Number Abuse by Employer
Organization: University of Illinois at Urbana

wmcclatc@internext.com (Bill McClatchie) writes:
>This is kind of redundant since most people have their SSN's on the check already.

Actually, my experience is exactly the opposite. Having worked retail for many years in my pre-graduate days, I have had the opportunity to observe firsthand the printing on many, many checks. Very few had the SSN preprinted on them.

As for myself, my checks have my name and PO Box number. This is enough to satisfy those merchants which use check guarantee services which require a preprinted name and address. If the merchant wants more, he has to ask me for it (and justify his request before it will be granted).

--
Scott Coleman, President ASRE (American Society of Reverse Engineers)
asre@uiuc.edu
"An Irishman is never drunk as long as he can hold onto one blade of grass and not fall off the face of the earth."

------------------------------

From: mitcht@alaska.net (Mitch Thompson)
Date: 29 Jul 1995 08:02:07 GMT
Subject: Re: Social Security Number Abuse by Employer
Organization: Internet Alaska, Inc.

mitcht@alaska.net said:
in MA, it's illegal to require anything other than name/address driver's license number and a phone number on the check.
(though if your DL # is the same as your SSN that's another problem; though it can be corrected..)

An example I can give is that, being in the military, whenever I shop at the on-base BX and/or commissary (or, really, any place on a military installation where I might have to write a check) my SSN is always required as part of the identification process. In 12 years of service, I never really questioned it, but I think that when it comes time to order new checks, my phone #/SSN will not be imprinted on them, just to see what happens.

One thing I think is funny is how often the military harps on your SSN being Privacy Act information, and how often you are required to give it out. Just see how far you get if you don't!

I still have my 1962 SS card from shortly after I was born and at the bottom it says "For Social Security and Tax Purposes - Not for Identification". I notice on my son's (1991) it doesn't say that. When did they stop that, I wonder?

--
Mitch Thompson, Anchorage, Alaska USA (E-Mail me for public PGP v2.6 key).
PGP Key fingerprint = 1C 4E 12 29 4C 6D 29 90 8F B6 0B 2F 42 71 B6 4E
---------------------------------
"The gift of God is eternal life" -- Romans 6:23

------------------------------

From: wmcclatc@internext.com (Bill McClatchie)
Date: 27 Jul 1995 15:27:12 -0400
Subject: Re: Social Security Number Abuse by Employer

Well I wrote the following, and have gotten several responses to it. So I will elaborate some.

wmcclatc@internext.com (Bill McClatchie) wrote:
>This is kind of redundant since most people have their SSN's on the check already.

First, no my SSN is not on my checks. And neither is a currently correct mailing address or phone number.

And yes, SSN's are on many people's checks - And people get these there the same way you get your name, address, and phone number on them.
Some people request it, and others don't realize it is there until they get their checks since banks now feel that it is more convenient for people to have this on their checks.

And I work in retail, and have for several years - and this has been in practice in areas where drivers license numbers are the SSN's. Since retailers can ask for a drivers license before taking a check, and write this info down on the check - or request the customer put it there - a great deal of people feel that it is easier and less hassle to just have the information put on.

[moderator: Since Bill McClatchie started this string, let us give him the last word on it.]

------------------------------

From: PHILS@RELAY.RELAY.COM (Philip H. Smith III, (703) 506-0500)
Date: 27 Jul 95 07:44:50 EDT
Subject: More SSN Abuse

A local Washington, DC TV station was recently doing a story on Jack Kent Cooke, owner of the Washington Redskins (among other things).

As part of the story, they were discussing his refusal to discuss his income publicly, and mentioned that they had a copy of his tax return. They then SHOWED the front page of a tax return filled out with his name and address, including an SSN! One can only hope that it was NOT his real SSN...

--
phsiii (of course, I memorized it Just In Case)

------------------------------

From: Robert Gellman
Date: 28 Jul 1995 09:42:00 -0400 (EDT)
Subject: Information Collection at Sears

In response to the recent postings about retailers collecting information from their customers, I offer my own experience.

I went to Sears to buy an appliance costing several hundred dollars. The clerk asked for my phone number. I refused. He entered 555-1212. He then asked for my address. I refused. He would not sell me the item unless I gave my address. I was paying by non-Sears credit card.

I went to another retailer and was asked for the same information. I refused. They shrugged and sold me what I wanted anyway.
--
Bob Gellman

------------------------------

From: Maryjo Bruce
Date: 26 Jul 1995 21:27:19 -0700 (PDT)
Subject: Phone Sales

Is there any reliable way to stop phone sales calls? On July 24 I left for a meeting at 5 pm and returned at 10:30pm. There were 25 calls on my caller id box. My entire half hour answering machine tape was full. Since it was my birthday, visions of birthday wishes danced in my head. However, twenty-two of the calls were sales calls.

One firm calls me 3x daily, 4 days/week sometimes. When I call their number on the caller id box, I get a message saying it is a non-working number. Through the phone co I located the business. I phoned personally and asked to be put on the no-call list. A phone co rep did the same in my behalf. They told us both to buzz off. They continued calling. I then sent a written request to an address given me by the phone co asking that all sales calls to my number be stopped. It had no effect at all.

My number is unpublished and unlisted. The situation is getting out of control. Is there any way to make these people stop? They seem fearless.

--
Mary Jo Bruce, M.S., M.L.S.
Sunshine@netcom.com

------------------------------

From: Monty Solomon
Date: 27 Jul 1995 00:45:17 -0400
Subject: EC Adopts Privacy Directive

forwarded message from Marc Rotenberg

Apologies for the long message. If you are not interested in privacy issues or the development of international standards for the GII, simply delete this message. Otherwise, read on.

The European Community has taken a major step this week to protect the privacy interests of citizens and consumers. The passage of the Directive on the Protection of Personal Data is the culmination of a process that began over a decade ago to address growing concerns about the impact of technology on society.

There are, of course, many questions remaining about the scope and implementation of the Directive.
But there is no doubt that this is a significant event in the ongoing effort to preserve human rights in the information age.

The announcement from the European Commission follows.

Marc Rotenberg, director
Electronic Privacy Information Center (www.epic.org)

--------

EUROPEAN COMMISSION PRESS RELEASE: IP/95/822
DOCUMENT DATE: JULY 25, 1995

COUNCIL DEFINITIVELY ADOPTS DIRECTIVE ON PROTECTION OF PERSONAL DATA

The Directive on the protection of personal data has been formally adopted by the Council of Ministers. ``I am pleased that this important measure, which will ensure a high level of protection for the privacy of individuals in all Member States, has been adopted with a very wide measure of agreement within the Council and European Parliament'' commented Single Market Commissioner Mario Monti. ``The Directive will also help to ensure the free flow of Information Society services in the Single Market by fostering consumer confidence and minimising differences between Member States' rules. Moreover, the text agreed includes special provisions for journalists, which reconcile the right to privacy with freedom of expression,'' he added. ``The Member States must transpose the Directive within three years, but I sincerely hope that they will take the necessary measures without waiting for the deadline to expire so as to encourage the investment required for the Information Society to become a reality.''

The Directive will establish a clear and stable regulatory framework necessary to guarantee free movement of personal data, while leaving individual EU countries room for manoeuvre in the way the Directive is implemented. Free movement of data is particularly important for all services with a large customer base and depending on processing personal data, such as distance selling and financial services. In practice, banks and insurance companies process large quantities of personal data inter alia on such highly sensitive issues as credit ratings and credit-worthiness.
If each Member State had its own set of rules on data protection, for example on how data subjects could verify the information held on them, cross-border provision of services, notably over the information superhighways, would be virtually impossible and this extremely valuable new market opportunity would be lost.

The Directive aims to narrow divergences between national data protection laws to the extent necessary to remove obstacles to the free movement of personal data within the EU. As a result, any person whose data are processed in the Community will be afforded an equivalent level of protection of his rights, in particular his right to privacy, irrespective of the Member State where the processing is carried out.

Until now, differences between national data protection laws have resulted in obstacles to transfers of personal data between Member States, even when these States have ratified the 1981 Council of Europe Convention on personal data protection. This has been a particular problem, for example, for multinational companies wishing to transfer data concerning their employees between their operations in different Member States. Such obstacles to data transfers could seriously impede the future growth of Information Society services. As the Bangemann Group report to the Corfu European Council remarked: ``Without the legal security of a Union-wide approach, lack of consumer confidence will certainly undermine the rapid development of the information society.'' As a result, the Corfu European Council called for the rapid adoption of the data protection Directive.

To prevent abuses of personal data and ensure that data subjects are informed of the existence of processing operations, the Directive lays down common rules, to be observed by those who collect, hold or transmit personal data as part of their economic or administrative activities or in the course of the activities of their association.
In particular, there is an obligation to collect data only for specified, explicit and legitimate purposes, and to be held only if it is relevant, accurate and up-to-date.

The Directive also establishes the principle of fairness, so that collection of data should be as transparent as possible, giving individuals the option of whether they provide the information or not. Moreover, individuals will be entitled to be informed at least about the identity of the organisation intending to process data about them and the main purposes of such processing. That said, the Directive applies different rules according to whether information can be easily provided in the normal course of business activities or whether the data has been collected by third parties. In the latter case, there is an exemption where the obligation to provide information is impossible or involves disproportionate effort.

The Directive requires all data processing to have a proper legal basis. The six legal grounds defined in the Directive are consent, contract, legal obligation, vital interest of the data subject or the balance between the legitimate interests of the people controlling the data and the people on whom data is held (i.e. data subjects). This balance gives Member States room for manoeuvre in their implementation and application of the Directive.

Under the Directive, data subjects are granted a number of important rights including the right of access to that data, the right to know where the data originated (if such information is available), the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use their data in certain circumstances (for example, individuals will have the right to opt-out free of charge from being sent direct marketing material, without providing any specific reason).
In the case of sensitive data, such as an individual's ethnic or racial origin, political or religious beliefs, trade union membership or data concerning health or sexual life, the Directive establishes that it can only be processed with the explicit consent of the individual, except in specific cases such as where there is an important public interest (e.g. for medical or scientific research), where alternative safeguards have to be established.

As the flexibility of the Directive means that some differences between national data protection regimes may persist, the Directive lays down the principle that the law of the Member State where a data processor is established applies in cases where data is transferred between Member States. The Directive also establishes arrangements for monitoring by independent data supervisory authorities, where necessary acting in tandem with each other.

In the specific case of personal data used exclusively for journalistic, artistic or literary purposes, the Directive requires Member States to ensure appropriate exemptions and derogations exist which strike a balance between guaranteeing freedom of expression while protecting the individual's right to privacy.

For cases where data is transferred to non-EU countries, the Directive includes provisions to prevent the EU rules from being circumvented. The basic rule is that the non-EU country receiving the data should ensure an adequate level of protection, although a practical system of exemptions and special conditions also applies. The advantage for non-EU countries who can provide adequate protection is that the free flow of data from all 15 EU states will henceforth be assured, whereas up to now each state has decided on such questions separately.

For their part, the Council and the Commission have made it clear that they consider that the European Union institutions and bodies should be subject to the same protection principles as those laid down in the Directive.
END OF DOCUMENT

------------------------------

From: klassen@sol.UVic.CA (Melvin Klassen)
Date: 27 Jul 95 19:31:19 GMT
Subject: Re: BC Telephone Co. Publishes Another Unlisted Home address
Organization: University of Victoria, Victoria B.C. CANADA

ua602@freenet.victoria.bc.ca (Kelly Bert Manning) writes:

Vancouver TV stations aired a story of a woman forced to move to a transistion [sic] house today after BC Tel published her home address. She had called BC Tel 4 times before the new directory came out, to confirm that the address would not be published. BC Tel claimed to need to have the home address "for billing" and had promised to just list a PO box number.

A while back a womens' shelter had to close down after BC Tel negligently published the address.

They didn't "close", they just moved.

BC Tel's initial response after the angry woman contacted them was to offer a $20 gift certificate. After being contacted by news reporters BC Tel spokeswoman Michelle Gagon seemed to be offering to help with relocation expenses.

BCTel's most-recent offer is $1500 (CDN), plus "incidental" expenses, but she is demanding $9000 (CDN).

------------------------------

From: MIRZA A R
Date: 28 Jul 1995 13:41:12 +0100 (BST)
Subject: Privacy in Commercial Use of the Internet

I am interested in privacy in the commercial use of the internet.

I am especially interested in the threat posed for large organisations using the internet, methods to overcome these threats to become more secure, and any other relevant issues.

I would be grateful for any responses.

------------------------------

From: "Prof. L. P. Levine"
Date: 26 Jul 1995 20:14:41
Subject: Time Magazine Eats Crow
Organization: University of Wisconsin-Milwaukee

This is a reprint of a portion of an electronic newsletter BONG that addresses the issue very well in my opinion. I include it here with permission.

From: mlinksva@netcom.com (Mike Linksvayer)
Date: 26 Jul 1995 20:14:41 -0700
Subject: BONG Bull No. 332!
*********************************************************************
The Burned-Out Newspapercreatures Guild's Newsletter
<<<<<<<<>>>>>>>>>>>>>>>>>>>>>> BONG Bull <<<<<<<<<<<<<<<<<>>>>>>>>>
Charley Stough, Chief Copyboy
*********************************************************************

Copyright (c) 1995 by BONG. All rights reserved.
To subscribe: E-mail to LISTSERV@NETCOM.COM. In the text say SUBSCRIBE BONG-L.

[...]

EXCERPT. Here is the opener for this week's News From the Net column, available to clients of the New York Times News Service, the most noble wire service of them all. (Non-NYTNS client editors may arrange for one-time rights by contacting columnist Charles Stough directly at copyboy@dmapub.dma.org.)

... Unwittingly, as it ate crow in its July 24 edition, Time magazine underscored the power of the new Internet medium.

Admitting fatal flaws in its earlier report of Internet pornography -- a college student's "study" of computer porn lumped private, adults-only links, called bulletin boards or "BBS's", with the public Usenet special-interest groups shared by millions of adults and children worldwide. And it made appalling miscounts on the statistical side. And there were other errors, some of which Time now admits.

Usenet? BBS? Huh? The difference is this. Imagine the world's busiest airport, its terminals chockablock with millions of people and groups chattering away in all languages about all subjects, its runways buzzing with cargo linking it to every other place on the planet. That's the Internet.

Now imagine a tiny closet-sized lounge far past Gate 89-W, with a "Members Only" sign on the door. That's a BBS, trading its wares in code, dealing through credit cards.

If a BBS distributes pornography, it's in a disgusting trade. But it's not public.
A child would accidentally stumble upon porn on the Internet about as easily as a tot in O'Hare Airport would accidentally wander into a locked frequent-fliers' club, order a pitcher of Singapore slings and fax an order for $2 million worth of Botswanan war bonds to the Bank of Tokyo.

Someone at Time knew all this when it frightened moms with its lurid cover story about Internet porn. But not everybody at Time, obviously. (And how about the illustrations? A naked man having sex with a computer? Come on, Time guys!).

Now here's the fun part. Time's shoddy reporting set off a blizzard of rebuttal in the Internet itself, exposing Time's "scholar," his record of doubtful scholarship, salacious publishing of his own, and the grievous research flaws in this study. You can still see it and even join the discussion, if you have a computer and modem and open the Usenet group called alt.culture.usenet.

Time had to back down. Once a world-class publishing powerhouse able to define truth with its own vision, Time was beaten back by Internet users. None had more than a computer and a modem, and yet with the new power of the press -- the press of a button -- any of them could place an article before millions of readers more than Time ever reached in its best week of ink-on-paper printing.

Is something new and wonderful going on in mass communications now? No. What Time magazine's editors didn't know is that it already had happened.

[...]

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion.
He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:  Computer Privacy Digest
Professor of Computer Science     |                and comp.society.privacy
University of Wisconsin-Milwaukee | Post:          comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information:   comp-privacy-request@uwm.edu
                                  | Gopher:        gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V7 #008
******************************