Date: Fri, 22 Dec 95 16:58:27 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#053

Computer Privacy Digest Fri, 22 Dec 95              Volume 7 : Issue: 053

Today's Topics:                         Moderator: Leonard P. Levine

    Must I PAY For My Own Drug Test?
    Pointer to Official NZ Privacy Case Notes
    Re: Employer Abuse of Private Email
    Re: SSN Shown On Payments by Intuit's Banking Service
    Risks of Checking Accounts
    Re: Unsolicited email Advertising
    Re: Unsolicited email Advertising
    German Service Providers' Databases
    Nastiness From "Netnet"
    Conferences/Events of Global Interest
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: "Prof. L. P. Levine"
Date: 22 Dec 1995 14:25:54 -0600 (CST)
Subject: Must I PAY For My Own Drug Test?
Organization: University of Wisconsin-Milwaukee

I saw this on the alt.privacy newsgroup.

    From: bluebird@alpha.c2.org
    Subject: Must I PAY For My Own Drug Test?
    Date: 19 Dec 1995 22:06:29 +0100
    Organization: Mail to Usenet Gateway at Utopia

From the "Believe it or Not" Department:

My professional background is in high-end security, primarily diplomatic and executive protection. Terminal illness in the family forced me to move from the city where I worked to a smaller city where there are no opportunities to work in this occupation. Unemployed, broke and desperate, I find myself looking for a job as a lowly guard as such is the only related employment available here.

The major companies pay the best wage, but are the most selective. They require, besides the usual California State background checks, psychological and drug testing. OK so far - I have never used drugs and pass these tests with no problem.

To my utter astonishment, I discovered that upon application for employment, Pinkerton Security (which bills itself as the oldest and largest security company in the world) requires applicants to sign forms submitting themselves to pre-employment drug screening FOR WHICH THEY MUST THEMSELVES PAY $20! The $20 is to be deducted from wages and will, after six months successful employment, be _partially_ reimbursed.

I cannot believe that it could _possibly_ be legal to require applicants to PAY for processing employer-mandated drug tests! While on one hand it seems that a big company wouldn't dare have application processes that were illegal, it also seems that this is such an egregious requirement that it just _can't_ be lawful. I see big companies getting sued for illegal application procedures fairly frequently, so maybe I overestimate their legal savvy.

Does anyone here know the straight skinny on this, or what Federal or California State agency would provide me with the facts?

Thanks.

------------------------------

From: stuart@cosc.canterbury.ac.nz
Date: 20 Dec 1995 21:56:51 GMT
Subject: Pointer to Official NZ Privacy Case Notes
Organization: University of Waikato

This is a pointer to the web pages of the Office of the (New Zealand) Privacy Commissioner, Bruce Slane. The site contains legally binding guidelines, a collection of case notes, full text of speeches and other relevant data.

    http://www.kete.co.nz/privacy/welcome.htm

What is the role and function of the Privacy Commissioner?

The general functions of the Privacy Commissioner include receiving representations and consulting with those concerned with privacy of the individual and inquiring generally into any matter or procedure or practice, governmental or non-governmental, or any technical development if privacy is being or may be unduly infringed thereby.

The Privacy Act 1993 came into force on 1 July 1993 and has as one of its main purposes the promotion and protection of individual privacy in general accordance with the 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

(note that this is a pointer to the official pages, not an official pointer.)

--
There are those who are born UNIX |Stuart Yeates
Those who are made UNIX           |stuart@cosc.canterbury.ac.nz
And those who become UNIX         |syeates@cs.waikato.ac.nz
For the kingdom of heaven's sake  |Matthew 19:12

------------------------------

From: Ann Cavoukian
Date: 22 Dec 1995 07:08:03 -0500 (EST)
Subject: Re: Employer Abuse of Private Email

I'm the assistant commissioner for the IPC (Information and Privacy Commission) in Ontario, Canada. In your last CP Digest there was a reference to our homepage, and a suggestion to surf the Ontario government URLs to find it. Since we are not part of the government, you wouldn't be able to find us there. Here's where you can find us:

    http://www.ipc.on.ca

--
Ann Cavoukian

------------------------------

From: michael@piglet.amscons.com (Michael Bryan)
Date: 21 Dec 1995 08:39:13 -0800
Subject: Re: SSN Shown On Payments by Intuit's Banking Service
Organization: none

Michael Bryan wrote:

    Another user (Robert Mayo) discovered, and I confirmed, that Intuit's online bill payment service sends your payees a printout containing your social security number.

The latest information on this is that Intuit has agreed to stop this practice, effective no later than Friday, December 22nd. Updated information is available at this URL:

    http://www.mc4.com/mayo/quick.html

------------------------------

From: "Prof. L. P. Levine"
Date: 22 Dec 1995 10:38:57 -0600 (CST)
Subject: Risks of Checking Accounts
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Thursday 21 December 1995 Volume 17 : Issue 57
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

    From: trimm@netcom.com (Trimm Industries)
    Date: 20 Dec 1995 17:00:14 -0800 (PST)
    Subject: Risks of Checking Accounts

A couple weeks ago I was depositing a check at an ATM, filled out the deposit slip, and was ready to seal it in the envelope when something attracted my attention to the name on the deposit slip -- it wasn't mine! It came out of my pad of (correctly) printed checks, but about half of the deposit slips in the pad were some other guy, from a different state, with a different account number AT A COMPLETELY DIFFERENT BANK! Now, I understand that check printers service many different banks, but this guy's name was distant from mine alphabetically and the account number was quite different.

The RISKs here are several and obvious, such as what fate befell _my_ deposit slips, but alas as yet no one has deposited money into my account by using one of my deposit slips by mistake.

Okay, life is weird and all that, but the very next week BofA accidentally included someone else's bank statement in with mine, including all their cancelled checks. It occurs to me that this would be a goldmine for a swindler -- here I had a sample of the person's signature, their (substantial) starting and ending bank balance, their check style and account number, as well as their home address. Thus far, not much for a crook to go on.
But here's the kicker -- the person paid her phone bill and put her unlisted phone number on the Memo line, paid her Visa bill and put her Visa number on the Memo line, and paid some other bill whose account number was her Social Security Number with an alphabetic prefix, and this was on the Memo field of the appropriate check. I had a dossier on this person and if I was a swindler I could have ruined her life.

The RISKS:

1. Banks are idiots. Don't trust them to keep your secrets.

2. Don't put all sorts of important numbers on check Memos.

3. Keep in mind that people can _steal_ your checking statement from your mail.

4. Merchants: don't assume that because someone has a few personal numbers of someone that they are indeed that person.

5. Consider letting the bank store your cancelled checks on microfilm for you (but keep #1, above, in mind.)

Gary M. Watson
Sigma-Trimm Technologies
trimm@netcom.com
350 Pilot Road, Las Vegas, NV 89119
Phone: (800) 423-2024 x2115

[This is clearly RISKS relevant, although some of you may wonder about the computer-relevance. The bottom line seems to be that if we blindly trust technology, we may be more easily led astray. PGN]

------------------------------

From: jcr@mcs.com (John C. Rivard)
Date: 21 Dec 1995 14:06:38 -0600
Subject: Re: Unsolicited email Advertising
Organization: very little

herwin@osf1.gmu.edu (HARRY R. ERWIN) wrote:

    I have been receiving 'junk email' from a commercial advertiser, netnet@access1.soundcity.net. I have politely asked them to put me on their 'do not contact' list, but I continue to find my mailbox filled with their stuff. What have people found to be the most effective recourse?

You didn't mention if you got any reply to your requests (other than more junk mail).

If I were you, I'd send a message to "postmaster@soundcity.net" complaining about the situation. There is a very good chance that this sort of thing is against the policy of this ISP.
Include a copy of one of the email messages, including all headers.

If that doesn't work, check with interNIC to see who owns the domain. You may find that it is a subdomain or "vanity domain" that falls under the control of a bigger service. Then complain to the postmaster there.

--
John C. Rivard
Opinions expressed yadda yadda--you know the drill

------------------------------

From: mccurley@swcp.com (Kevin McCurley)
Date: 22 Dec 1995 04:54:08 GMT
Subject: Re: Unsolicited email Advertising
Organization: Southwest Cyberport

HARRY R. ERWIN wrote:

    I have been receiving 'junk email' from a commercial advertiser, netnet@access1.soundcity.net. I have politely asked them to put me on their 'do not contact' list, but I continue to find my mailbox filled with their stuff. What have people found to be the most effective recourse?

I made the mistake of putting my email address in a mailto: url on a web page early in the days of the web, and have continued to make non-anonymous postings to usenet. As a result I have ended up on numerous databases for telemarketing. On the other hand, I have never had a repeat case because I have a fairly effective way of discouraging them. I follow this procedure:

1. I send them a polite reply asking to never receive email from them again, and pointing out that I have a policy to never do business with companies that advertise by phone or email.

2. Most reply to this agreeing to my terms. Those that do not are placed on my "Nag" list. I happen to receive my email on a unix machine, and I have a crontab that runs once a day to send a piece of email to them asking to be removed from their mailing list. It's basically the same as 1., but a bit more insistent.

3. Some email advertisers do not read the email to the address that they sent it from. In that case I begin sending email once a day to the "root" or "postmaster" address at the domain where the mail originated.

4. If I get no response from this after a few days, then I start sending a huge file (1 megabyte) every day with an explanation that I am trying to get someone's attention. This is designed to eventually fill their disk and makes them look for what filled it.

5. I have never reached this stage, but the next step is to start sending requests to terminate their service to whoever provides their DNS and routing service. Sites whose postmaster does not respond are considered bad net citizens.

6. Again, I have never reached this stage, but the next step is to start sending the huge file every few minutes until their disk fills. I am not charged by volume for email.

I don't really think that step 7 will be necessary, but I'll consider recruiting others to send them email, or simply hacking them to bits. If our society is going to degenerate into a constant state of information warfare, I am not going to be unarmed. Perhaps this will be a new service for www.digicrime.com...

--
Kevin McCurley

------------------------------

From: "Prof. L. P. Levine"
Date: 22 Dec 1995 10:36:35 -0600 (CST)
Subject: German Service Providers' Databases
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest Thursday 21 December 1995 Volume 17 : Issue 57
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

    From: muewi@informatik.uni-bremen.de (Wilhelm Mueller)
    Date: 21 Dec 1995 13:44:09 +0100
    Subject: German service providers must maintain covert customer databases?

This is an excerpt from an article that appeared in the weekly German newspaper *Die Zeit*, No. 52 (22 Dec 1959), p.58 (Bulkware/Telephon-CD gestoppt). [literal translation by WM] [*emphasis* below is *Die Zeit*'s] [further translation by PGN, respecting the original German (not included)]:

For others, though, address data will suffice only if it can be easily compared with other databases.
Such a practical ["praktisches"!] information system is needed by the German government and secret services. Paragraph 92a TKG-E of a proposal for a new *telecommunications law* published last week would oblige all telephone companies, on-line services, and even private mailboxes to maintain a database at their own expense containing the full names, addresses, and phone numbers of *all customers* -- in case someone is under suspicion. This database must be organised so that it can be accessed by higher places ["hoeheren Orts"!] without the telecommunication provider noticing it.

Wilhelm Mueller, Am Wall 139, D-28195 Bremen
(office) +49-421-361-10629
muewi@informatik.uni-bremen.de
(home) +49-421-169 2525

[Ah, mandatory trap doors are a wonderful opportunity for misuse, internally and externally. We've been around this topic in RISKS many times before, but this is a new context. PGN]

------------------------------

From: Nightwolf
Date: Fri, 22 Dec 1995 15:41:59 -0500 (EST)
Subject: Nastiness From "Netnet"
Organization: Concentric Internet Services

For the first time in my life, I broke down and mailbombed another Internet E-mail address. What caused me to take such a step, was receiving a second junk E-Mail after formally requesting that a Spammer take my E-mail address off of their mailing list.

Would you believe, that this firm responded to my mailbomb by sending me a new junk E-mail within days of receiving my mailbomb? They did!!!

Appended below, is the full header information, only, from both of the two advertisements about which I am complaining. After very carefully thinking about this problem, I have decided to not in any way risk rewarding this firm, by including any other details in this post. I certainly have no desire to encourage these slimebags!

Has anyone else reading any of these newsgroups received the same pair of advertisements? If so, then what have you done, or what are you planning to do?

Would it be out of line for me to suggest that each person who has received a copy of this advertisement might call the eight hundred number given in the advertisement, and advise whomever answers that you are calling to protest the sending of junk E-Mail? If this is not the best solution, then what is a better idea?

Does anyone have any suggestions? Please do let me know! I want to make a point of nipping this damned garbage in the bud!!!

--
Nightwolf
N-wolf@cris.com

    From netnet@soundcity.net
    Return-Path:
    Received: from access1.soundcity.net by franklin-fddi.cris.com [1-800-745-CRIS (voice)]
    Errors-To: netnet@access1.soundcity.net
    Received: (from netnet@localhost) by access1.soundcity.net (8.6.12/8.6.9) id UAA14198; Fri, 15 Dec 1995 20:25:31 -0500
    Date: Fri, 15 Dec 1995 20:25:31 -0500
    Message-Id: <199512160125.UAA14198@access1.soundcity.net>
    From: netnet@soundcity.net
    To: N-wolf@cris.com
    Subject: Greetings and Salutations!

    ---------- Forwarded message ----------
    Return-Path:
    Received: from www.soundcity.net by franklin-fddi.cris.com [1-800-745-CRIS (voice)]
    Errors-To: netnet@www.soundcity.net
    Received: (from netnet@localhost) by www.soundcity.net (8.6.12/8.6.12) id GAA07835; Wed, 20 Dec 1995 06:27:56 -0500
    Date: 20 Dec 1995 06:27:56 -0500
    Message-Id: <199512201127.GAA07835@www.soundcity.net>
    From: netnet@access1.soundcity.net
    To: N-wolf@cris.com
    Subject: SAMPO 20" Color Monitor for < $1000!

------------------------------

From: cpsr-global@Sunnyside.COM
Date: 22 Dec 1995 04:24:15 -0800
Subject: Conferences/Events of Global Interest

Taken from CPSR-GLOBAL Digest 289

CONFERENCE /EVENT SCHEDULE [edited by moderator CPD]

CQL'96: Symposium on Computers & the Quality of Life (ACM), Philadelphia, PA, February 14-16, 1996.
Contact: liffick@cs.millersv.edu 717 872 3536 717 871-2320 (fax)

A Nation Connected: Defining the Public Interest in the Information Superhighway, Annenberg Center, Rancho Mirage, CA, Feb. 20.
Contact: barb.macikas@ala.org 800 545-2433 x3201 312 280-3201

Computers, Freedom, and Privacy, M.I.T., Cambridge, MA, March 27-30, 1996.
Contact: web.mit.edu/cfp96 cfp96-info@mit.edu

Visions of Privacy for the 21st Century: A Search for Solutions, Victoria, BC, CANADA, May 9-11, 1996.
Contact: http://www.cafe.net./gvc.foi

Society and the Future of Computing (SFC'96), Snowbird, UT, June 16-20.
Contact: rxl@lanl.gov http://www.lanl.gov/SFC

Australasian Conference on Information Security and Privacy, New South Wales, AUSTRALIA, June 24-26.
Contact: jennie@cs.uow.edu.au

The Privacy Laws & Business, Cambridge, ENGLAND, July 1-3.
Contact: 44 181 423 1300 44 181 423 4536 (fax)

Advanced Surveillance Technologies II. Ottawa, ON, CANADA, Sept. 17.
Contact: pi@privacy.org

Data Protection and Privacy Commissioners, Ottawa, ON, CANADA, Sept. 18-20.
Contact:

------------------------------

From: "Prof. L. P. Levine"
Date: 22 Nov 1995 14:25:54 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution.
As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V7 #053
******************************