Date: Thu, 31 Aug 95 11:24:18 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#018

Computer Privacy Digest Thu, 31 Aug 95              Volume 7 : Issue: 018

Today's Topics:                         Moderator: Leonard P. Levine

    Re: A Netscape Story
    Re: A Netscape Story
    Re: Fair Credit Reporting
    SSN Horror Stories
    Computer Privacy Digest Outrage
    Telcos and Info-privacy
    Database for Deadbeat Dads [long]
    Info on CPD [unchanged since 08/01/95]

----------------------------------------------------------------------

From: dougw@highz.as.arizona.edu (Doug Williams)
Date: 28 Aug 1995 17:16:28 GMT
Subject: Re: A Netscape Story
Organization: University of Arizona, Tucson, AZ

glew@galstar.com (Gordon A. Lew) writes:

    Evan Rosser wrote:

    I am not too concerned about undocumented playful hacks. It has a long history -- i.e. "MAKE LOVE"/Not war? on DEC-20's, developers' pictures in the Mac SE ROM's, etc.

    As a matter of fact, there are more such things in Netscape -- try typing "about:mozilla" as a URL to load.

A quick scan through the Solaris executable (version 1.1N) with the command 'strings netscape | grep about' produced the following list: (Note that about:mozilla does NOT appear).

    about:
    about:ari
    about:atotic
    about:blythe
    about:chouck
    about:dmose
    about:ebina
    about:hagan
    about:jeff
    about:jg
    about:jwz
    about:kipp
    about:marca
    about:mlm
    about:montulli
    about:mtoy
    about:paquin
    about:robm
    about:sharoni
    about:sk
    about:timm

These all seem to point to the homepages of the various programmers at Netscape.

-=[doug]=-

------------------------------

From: mannd@server2.CandW.ag (Dave Mann)
Date: 28 Aug 1995 18:53:58 +0400
Subject: Re: A Netscape Story

    Evan Rosser wrote:

    I am not too concerned about undocumented playful hacks. It has a long history -- i.e. "MAKE LOVE"/Not war? on DEC-20's, developers' pictures in the Mac SE ROM's, etc.
    As a matter of fact, there are more such things in Netscape -- try typing "about:mozilla" as a URL to load.

My objection to "Easter Eggs" and cutesy code doodles is that they introduce uncertainty into an already uncertain system. Every line of code adds an additional potential for fraud, waste, abuse, malfunction and/or just plain slop. We argue that adding 100KB to a bloated 20MB program is no big deal. At the end of the day the Clueless user pays for it.

But, yes, I used to put peace symbols on punch cards and make the KSR-33's play "In a Gadda Da Vida" with the BEL function, when I worked with the DIAOLS/COINS behemoth at the Pentagon. I was young then. I still have the punched tape someplace.

|-----------------------------------------------------------------------------|
| Dave Mann - VP2EHF                                                          |
| Dorothea Mann - VP2EE                                                       |
| E-Mail: mannd @ candw.com.ai {or} vp2ehf @ aol.com {or} vp2ee @ aol.com     |
|         dave @ datahaven.com.ai {or} 74227.3127 @ compuserve.com            |
|                                                                             |
| Post Office Box 599, The Valley, Anguilla, British West Indies              |
| Telephone: 809-497-2150                                                     |
| FAX: 809-497-3557                                                           |
|-----------------------------------------------------------------------------|

------------------------------

From: Barry Schrager <71370.2466@compuserve.com>
Date: 28 Aug 95 17:03:49 EDT
Subject: Re: Fair Credit Reporting

What is the legal obligation of the credit information provider (in this case - Trans Union) to provide the identity and authorization of a requestor? Are they legally responsible?

In this case:

   1. The subject requested a consumer copy of her credit report.

   2. The report showed an inquiry from an entity -- a credit bureau.

   3. The credit bureau's telephone number supplied by Trans Union was always busy, so the subject requested Trans Union supply her with the authorization.

   4. The entity that requested the information from the credit bureau (as supplied by Trans Union) had a disconnected telephone number and an address at a mail drop (similar to Mail Boxes, etc.)

   5.
      Trans Union stated they would send an investigator out and if there was no good explanation, they would drop the credit bureau as a correspondent.

   6. They verbally told subject that there was no authorization, they would be dropping the credit bureau as a correspondent, and that they would be supplying a real address and telephone number for the entity that requested the report.

   7. Trans Union has still not supplied any information nor confirmed that they were dropping the credit bureau.

The subject believes that she has been investigated because she is a witness in a multi-million dollar RICO lawsuit. This information has been passed on to Trans Union so they know that this is based upon more than curiosity.

What legal rights does she have against Trans Union? They have been stonewalling the subject in her attempts to obtain information as to who received an authorized credit report for over three months. If they had been forthcoming in the beginning, it would not have come to this point.

Does she have to file a lawsuit? Are there any government agencies that oversee this industry? Is there a complaint bureau? Are there any financial penalties that can be imposed against Trans Union?

Thank you for your help.

-- Barry Schrager

------------------------------

From: "Michael O'Donnell"
Date: 31 Aug 1995 08:47:10 -0400
Subject: SSN Horror Stories

I'm not nearly as well versed on SSN abuse as I'd like to be. I've read Chris Hibbard's "What to do when they ask for your SSN" and that's a great place to start but what I think I'd really like to have is a compendium of SSN horror stories. Does anybody know where such a collection might be found?

Also, my employer just notified me and many of my coworkers that applications for AmEx cards had been submitted in our names and we could come pick up the cards.
Of course, they never bothered to inform us that they were doing this and they never obtained our permission, they simply handed over our SSN's and various other items of personal info to AmEx. When I complained, their attitude was essentially, "You got a problem with that? Well, too bad."

------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 28 Aug 95 16:40 EST
Subject: Computer Privacy Digest Outrage

It's outrageous that the Digest would run a recommendation for a new newsletter that doesn't have any track record (Aug. 21 Digest) when it has rejected my continual efforts to bring my well-established newsletter to the attention of Computer Privacy Digest participants. I have been at this privacy business for more than 20 years.

In the past several years, I have tried to respond to Digest submissions that sought specific information about the law or company policies. Later, I submitted lists of the highlights from my newsletter each month for readers to use in any way they wanted, but the moderator said that this was "too commercial." Then I tried submitting stories from PRIVACY JOURNAL that would interest Digest readers. Then I questioned why the moderator includes endless recruiting notices, new-product notes, announcements of conferences, sign-offs from participants that include their corporate identities, even advertisements for illicit dealers of personal information (including their 800 phone numbers). All of these are commercial. A few months back, the moderator included a puff piece on a book on cryptography published by a large publishing house. When I questioned how this fit in with the supposed "non-commercial" policy, the moderator told me that this was a "book review of legitimate interest to readers."

Perhaps a Digest reader or two who relies on PRIVACY JOURNAL and can vouch for the quality of the newsletter will submit a statement to Computer Privacy Digest RECOMMENDING it.
That's the only way we can bring this publication to the attention of Digest participants.

Robert Ellis Smith, Publisher, Privacy Journal.

------------------------------

From: Peter Marshall
Date: 31 Aug 1995 15:36:44 GMT
Subject: Telcos and Info-privacy
Organization: Eskimo North (206) For-Ever

---------- Forwarded message ----------
Date: 30 Aug 1995 23:40:33 -0500
From: jbsajual@sover.net
To: Multiple recipients of list
Subject: Re: "Deception"

[....]

All I know is the data is there, that it is far richer than any available data set from any other source imaginable, and that when it comes to "unleashing" the LEC or introducing competition, the LEC is in an extraordinarily strong position both to defend its turf, and expand its products simply because it is in a position to know so much more about the customer.

The IXC doesn't have the information that can be derived from analysing local calls...

The cable provider's present data set is far poorer because the minute-by-minute choices the consumer makes aren't recorded in the same way as telephone calls. The Cable co may know if I have the Disney channel, but it can't tell the program I watched, the length of time I watched it, etc. The information set they are working with is far thinner than what is available to the LEC.

By contrast the LEC has at its disposal an extraordinary data set that virtually no other industry can match. If knowledge is power, then the LEC has a database of unparalleled value. Even if it is argued that they don't presently make constructive use of that database (and this whole thread suggests otherwise) it has to be assumed that eventually someone WILL notice the value of this information, and in a de-regulated environment, make use of it.
This has implications for valuing the LEC as a corporation, for assessing its potential future business opportunities, for assessing the likelihood of effective competition emerging in anything like the short term, and -- in my mind -- whether traditional regulatory concerns around issues of access and price should be replaced by concerns about privacy and unfair use of the information that can be derived from call analysis.

[....]

I frankly wonder how much attention this issue has gotten from state and federal regulators. Is there a solution? (or should we go out and buy as much Bell Atlantic stock as possible? :)

-- Jack Bryar

***************************************************************
Sajual Systems & Consulting, Inc.
"Technical Due Diligence" (sm) Investigations
Project Management and Prototyping
Cambridge MA and Grafton VT
802-843-6101 Fax: 802-843-2640

Partner - NORTHERN MEDIA SOLUTIONS
Telecommunications Applications Evangelists
and Strategic Integration Consulting
(802)843-2500 email: info@nmsi.com
***************************************************************

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Aug 1995 13:08:06 -0500 (CDT)
Subject: Database for Deadbeat Dads [long]
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Monday 28 August 1995 Volume 17 : Issue 30

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: simsong@vineyard.net (Simson L. Garfinkel)
Date: 28 Aug 1995 08:12:52 -0400
Subject: Database for Deadbeat Dads

SOCIAL INSECURITY
PLAN TO MAKE IT EASIER TO TRACK DOWN 'DEADBEAT DADS' WORRIES PRIVACY ADVOCATES

Simson Garfinkel, Special to the Mercury News
San Jose Mercury News, 17 July 1995, Business Monday, Page 1F
Copyright 1995, Simson Garfinkel

ELEVEN years late, the 1984 as envisioned by George Orwell finally may arrive.
Welfare reform legislation moving through Congress could dramatically increase the use of Social Security numbers by state governments as a way to track people from cradle to grave.

The proposal, which would create or expand a series of national data banks, is designed to track people who don't want to be found. With support among both Democrats and Republicans, the proposal is striking fear among the guardians of privacy, who believe the legislation would increase the government's surveillance of the American public.

''What we are facing is the single greatest step toward big brother government since Watergate,'' said Donald L. Haines, a legislative counsel with the American Civil Liberties Union in Washington.

Nevertheless, the proposal has received relatively little attention because the expanded use of Social Security numbers is one of the few areas of agreement between the Republican-controlled Congress and the Clinton administration. Welfare reform was one of President Clinton's campaign promises, and it also was one of the 10 tenets of the Republican Party's ''Contract with America.''

Called the ''Personal Responsibility Act,'' the U.S. House of Representatives passed its version of the bill March 24. The Senate version, retitled the ''Family Self-Sufficiency Act of 1995,'' passed a committee vote June 9. Although the committee, chaired by Sen. Bob Packwood, R-Ore., made substantial changes to the House bill, the sections dealing with the expanded use of Social Security numbers remained essentially intact.

At the heart of the legislation is the desire to do something about so-called ''deadbeat dads'' - and moms - who refuse to pay court-ordered child support payments. Both Congress and the Clinton administration believe that a large amount of the money spent on the government's Aid to Families with Dependent Children program could be saved if more single parents obtained child support orders, and if those orders were better enforced.
''People normally say that there is a $34 billion gap'' between the $14 billion that is annually paid in child support and the $48 billion that theoretically could be collected, says Jane Checkan of the Health and Human Service's Administration on Children and Families in Washington. Checkan's figures are for the year 1993, the last year available.

In an attempt to close this gap, the welfare reform legislation mandates increased surveillance of all American citizens. By tracking Americans when they change jobs or receive state driver's or professional licenses, the legislation's backers hope to give deadbeat dads nowhere to hide.

The legislation also calls for mandatory reporting of Social Security numbers by people getting marriage licenses or divorced, and in paternity proceedings. These reports are designed to make it easier for single parents to obtain support orders, and to make it easier for state welfare agencies to figure out the identity of a spouse when a single parent applies for benefits.

''Ten million women are potentially eligible to child support for their kids,'' Checkan said. But many people do not take advantage of their legal rights. ''Forty-two percent do not have an award in place.''

Welfare reform pushed

Checkan said that it is estimated that as much as 8 percent of the government's Aid to Families with Dependent Children payments could be eliminated if child support orders were obtained and enforced. ''That's why, in the Clinton proposal, that child support is such a major part of welfare reform,'' she said.

Currently, many government agencies maintain databases that are indexed by Social Security numbers. Nevertheless, the databases are of limited use for welfare enforcement. Some of the databases are restricted by statute so that their information may not be used for purposes other than that which they were collected.

A move to unify standards

Others are not cross-indexed with databases of current address, employment and child support orders. Still other databases cannot easily be searched against, because the information is not in a uniform format. One of the intents of the legislation, sponsors say, is to bring order to this computational chaos by mandating standard data representation and indexing strategies.

Basing the databanks on Social Security numbers is key to its success, said Bill Walsh, chief of California's Child Support Management Bureau, part of the Department of Social Services.

''I'll tell you, the Social Security number is probably the most important piece of data that there is in trying to locate parents that we can't find in order to establish child-support orders, or in cases where we have already established an order, to get payment on those orders,'' he said.

A national database also could make it easier to track down the 30 percent of dads who live outside the state, said Walsh. Although such a database currently exists, the proposed legislation would greatly expand its reach, by creating a virtual dragnet that could not be escaped.

Civil libertarians worry

Walsh said his department is in favor of creation and expansion of the national databanks, because they ''allow us to have access to more and better data in order to locate parents who owe child support.''

Nevertheless, a growing number of civil libertarians are questioning the creation of large-scale national databanks, and the expanded use of Social Security numbers, for tracking down deadbeat dads.

''It's a databank that could be used to allow people to track people down for purposes having nothing to do with (child support),'' said Haines of the ACLU.

Haines is especially worried that the system could be used to find victims of domestic violence who are attempting to hide from their assailants.
''An unfortunate truth is that in our justice system today, for many victims of domestic violence, their only hope for relief is to escape into some level of anonymity,'' he said. ''Protective orders don't work or aren't enforced.''

Although the legislation would prohibit the unauthorized use of the system, Haines characterized such use as ''inevitable.'' As an example, he noted how some abusive men find runaway spouses using surreptitious means, such as privileged data reserved for law enforcement.

Potential for fraud

Other privacy advocates are concerned that the databanks could be used as the basis for financial fraud.

''I think that there is a real danger using (information) provided for one purpose for another purpose,'' said Claudia Terraza, an attorney with the Privacy Rights Clearinghouse at the University of San Diego. ''I see a real problem with people getting access to your Social Security number and from there, being able to find out your credit report, or for finding out other information that they could use for fraudulent purposes.''

Privacy advocates are most upset about the expansion of the Federal Parent Locator Service. As written, the legislation would create a national database of virtually all U.S. citizens - parents or not - with the stated purpose of tracking them so that any individual's most recent address and employer can be easily determined at any time. The legislation also would help enforce court-ordered parental visitation rights.

Staff members working on both the House and Senate versions of the legislation said that lawmakers were aware of the privacy issues, and had tried to put ''privacy protection'' measures into the legislation without compromising the central goal of creating a national location registry.

''We had a long discussion about (privacy issues) - and the (lawmakers) were the main people doing the talking,'' said a staffer.
''There were some members who were real sensitive, and they were absolutely adamant that (the Social Security number) could not be required to be on the license itself.''

Nevertheless, the legislation does require states to ask drivers for their Social Security numbers when they are issued driver's licenses or professional licenses, and for those numbers to be reported to the central registry.

''What all of that means is that we will have a de facto national ID system in this country, which is going to be this database, and with a de facto national ID card, which will be your Social Security card/driver's license, all without a debate on whether or not Americans deserve to be subjected to a Soviet- or Nazi-style national ID system,'' Haines said.

Effort failed in '60s

This is not the first time that the federal government has proposed creating a national databank. A proposal in the late 1960s called for the creation of a national data center that would ''pull together the scattered statistics in government files on citizens and to provide instant, total recall of significant education, health, citizenship, employment records and in some cases personal habits of individuals,'' reported an article in the Feb. 25, 1968 issue of The New York Times.

At the time, the proposal was opposed by privacy advocates like Columbia University Professor Alan F. Westin and University of Michigan Law School Professor Arthur R. Miller.

Information centers ''may become the heart of the surveillance system that will turn society into a transparent world in which our home, our finances, our associates, our mental and physical conditions are bared to the most casual observer,'' Miller told the Times.

The national data center was never built, and today the controversy has been largely forgotten.
Nevertheless, says Marc Rotenberg, director of the Electronic Privacy Information Center, one of the important issues raised at the time was the danger of entrusting a single federal agency with so many different files.

''These proposals invariably reach further than originally intended,'' said Rotenberg. ''If the Social Security number is used today to catch welfare cheats, it can be used tomorrow to identify political dissidents.

''It is of course ironic that such a proposal would go through the Congress at the very same time that the Republican majority is urging greater relaxation of government regulation.''

- - - - - - - - - - - - - - - - - - - - - - - -

INFOBOX: THEY'VE GOT YOUR NUMBER

Legislation currently before the Senate would mandate the creation or expansion of three national databanks. Each databank would be indexed by Social Security number. Together, they would track every American.

(box) Federal Parent Locator Service: Would contain a record of every driver's license and professional license issued in individual states.

(box) Federal Case Registry of Child Support Orders: Besides tracking every child support order issued by the states, this database also would contain records of every marriage, every divorce and every paternity determination case in the United States.

(box) State Directory of New Hires: This federal database would be updated every time an American started working for a new employer. It would contain the employee's name, address, job description, and the name of their employer.

------------------------------

From: "Prof. L. P. Levine"
Date: 11 Aug 1995 09:39:43 -0500 (CDT)
Subject: Info on CPD [unchanged since 08/01/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V7 #018
******************************