Date: Sat, 03 Oct 92 15:39:46 EST
Errors-To: Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From: Computer Privacy Digest Moderator <comp-privacy@PICA.ARMY.MIL>
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#087
Computer Privacy Digest Sat, 03 Oct 92 Volume 1 : Issue: 087
Today's Topics: Moderator: Dennis G. Rears
Sacramento, CA privacy conference
Re: SSN and Airline Antitrust Settlement
Re: SSN in login ids
Re: Privacy vs. Anonymity
Re: SSN in login ids / posting grades
Re: Teletrac
Re: Address required on checks
Re: Address required on checks
Re: Blockbuster & video rental records
Re: Blockbuster & video rental records
FOIA Request for the FDA?
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.200].
----------------------------------------------------------------------
Date: Wed, 30 Sep 1992 16:45:18 -0700
From: Bruce R Koball <bkoball@well.sf.ca.us>
Subject: Sacramento, CA privacy conference
If you think it's appropriate, please consider posting the following
notice to the next Privacy Digest.
Thanks,
Bruce
Bruce R. Koball Motion West (voice) 510 540-7503
bkoball@well.sf.ca.us 2210 Sixth St (messages) 510 548-2450
bkoball@netcom.com Berkeley, CA 94710 (fax) 510 845-3946
Privacy in the Information Age:
Balancing the Right to Privacy and the Right of Access
Sponsored by Government Technology Magazine,
Sacramento, California
Produced by Government Technology Conference, Sacramento and
Riley Information Services Inc., Toronto, Canada
This one day conference and training session will be held at the
Sacramento Convention Centre on November 16th, 1992.
The conference will deal with many of the seminal privacy issues facing
society today. It will address subjects and issues of importance to
both the public and private sectors. An array of privacy experts and
professional from the public and private sectors in California and from
Washington, D.C. and Canada will gather to debate the issues driving
privacy today and offer possible solutions. The sessions will be
interactive with discussion and questions from the audience urged.
Following is a short synopsis of the topics and speakers for the one day
agenda.
Opening Session: 8:30am The State of Privacy in California Today:
Speaker: A. A. Pierce, Undersecretary, Business, Transportation and
Housing Agency, State of California
Keynote Address: A New Privacy Balance for the 90s: What the Public
Wants, What a Free Society Needs.
Speaker: Alan F. Westin, Professor of Public Law and Government,
Columbia University and author of Privacy and Freedom.
Professor Westin will discuss recent survey data on privacy concerns of
citizens and analyze the recent public attitudes to privacy as seen in
relation to the forces of developing technology and society's demands
for wider openness. How will all these competing demands be met so all
social needs are satisfied?
Panel: What are the Dangers of Eroding Privacy?
The debate goes on as to what extent should there be privacy regulation
in our society. If we are to do this comprehensively how will we
accomplish this goal? But do we really need extensive regulation or any
at all?
This will be a point/counterpoint session between Professor Goeroge
Trubow of John Marshall Law School in Chicago and Jim Warren, Founder of
Computer, Freedoms and Privacy Conferences and Columnist for MicroTimes
Panel: Balancing the Right of Acccess and the Right to Privacy.
Freedom of Information laws endow on the citizen the basic right of
access to government information, the right to know what it's government
is doing and why. But there is also the right to protect the privacy of
the individual, creating competing interests.
Speakers: Ronald L. Plesser, lawyer, Piper and Marbury, Washington, D.C.
and former General Counsel, US Privacy Commission.
Webster Guillory, Chairman, National Organization of
Black County Officials
Peter Gillis, Director, Information Management Practices,
Treasury Board Secretariat, Federal Government of Canada
Panel: Privacy and Fair Information Practices: Practical
Guidelines
Professor George Trubow and privacy expert Thomas B. Riley, Toronto,
Canada, will present actual Guidelines that can be used in the workplace
whether it be the public or private sector.
Luncheon Address: Dr. Ann Cavoukian, Assistant Commissioner/Privacy,
Office of the Information and Privacy Commissioner/Ontario,
Toronto, Ontario, Canada
"Investigating Privacy Complaints: A Canadian Experience."
In Canada there exists the Office of Privacy Commissioner which not only
takes complaints and appeals from the public in their dealings with the
Privacy Act but serves to act as an important forum to identify key
privacy issues? What can be learned from this experience?
Panel: Privacy, Security and Electronic Records: What are the Ground Rules
While security is a central issue in protecting privacy, there is also
the question of what constitutes an electronic record? There is much
regulatory confusion on this subject and speakers will work to address
the complex matrix.
Speakers: Joseph Pujals, State Information Security Manager,
Department of Finance, CA
Robert Gellman, Chief Counsel, House of Representatives
Subcommittee on Information, Washington, D.C.
Panel: Data Matching and Tracking of Files: What are the Privacy Rights?
How Far Should we Go?
Should data matching and tracking be allowed? What is the greater good
or is there an important compromise? What are specific examples of such
practices and how are they being handled?
Speakers: Evan Hendricks, Publisher, Privacy Times, Washington, D.C.
Kathleen M. Lucas, Plaintiff Counsel for Barbara Luck -
Luck vs. Southern Pacific, San Francisco
Chris Hibbert, Manager, Software Development Xanadu Corporation
and member, Computer Professionals for Social Responsibility.
Panel: Privacy and Electronic Networks: Caller ID and Telemarketing.
Junk mail, junk fax, telemarketing, caller ID. Do you want it? Do you
need it? If not-what can you do about it?
Speakers: Ken McEldowney, Executive Director, Consumer Action, San Francisco
Evelyn Pine, Executive Director, Computer Professionals for
Social Responsibility
Beth Givens, Project Director, Centre for Public Interest Law,
University of California, San Diego
John Schweizer, Manager, Consumer Affairs, Pacific Bell
Closing remarks at 4:45pm will be delivered by Tom Riley who will offer
a synthesis of issues presented for the day and a prognosis for the
future.
Conference Cost: $199.
To register for the conference or to obtain a promotional brochure with
fuller information please phone: Deborah Furlow, Government Technology
Conference, Sacramento, CA, (916)363-5000.
------------------------------
From: egdorf@zaphod.lanl.gov (Skip Egdorf)
Subject: Re: SSN and Airline Antitrust Settlement
Organization: Los Alamos National Laboratory
Date: Wed, 30 Sep 1992 22:53:17 GMT
In article <comp-privacy1.78.3@pica.army.mil> rudis+@cs.cmu.edu (Rujith S DeSilva) writes:
The claim forms for the Airline Antitrust Settlement ask for `Social Security
Number or Tax I.D.'. I've read the SSN guidelines posted here regularly, but
this case seems different. I really don't want to supply my SSN, and I don't
see why I legally have to. The terms of the settlement clearly define a
`Class' of members (loosely, passengers of some airlines during a certain
period), and say that upon certifying their inclusion in this Class, its
members are eligible to a share of the settlement. Why should I supply my SSN
to certify my claim?
A "Settlement" of a monetary amount will be reported to the IRS as
income for tax purposes. This is essentially the same requirement as a
bank requesting the SSN so as to be able to report interest on a
savings account to the IRS. This is permissable under federal law.
They should, however, provide you with the notification required by the
1974 privacy act acknowledging that this is the case.
They PROBABLY want the SSN for some reason other than the legal one...
Skip Egdorf
hwe@lanl.gov
------------------------------
From: "Carl M. Kadie" <kadie@herodotus.cs.uiuc.edu>
Subject: Re: SSN in login ids
Organization: University of Illinois, Dept. of Comp. Sci., Urbana, IL
Date: Thu, 1 Oct 1992 02:02:48 GMT
Apparently-To: comp-society-privacy@ux1.cso.uiuc.edu
Eric Hunt <bsc835!ehunt@uunet.uu.net> writes:
>The University of Alabama/Birmingham's Engineering dept uses a student's
>full SSN as a part of their computer login ids. This machine in Internet
>reachable.
>
>I was wondering what relevant laws, if any, applied to this situation?
[...]
I think this is likely a violation of FERPA. I'm enclosing information.
============== ftp.eff.org:pub/academic/law/ferpa ===========
[From _College and University Student Records: A Legal Compendium_,
Edited by Joan E. Van Tol, 1989]
================== p. 119 ===============
The regulations ... were significantly modified in 1988. ... The
new regulations amend the definition of directory information
and establish a standard for the designation of directory information.
The new definition is:
' ... information contained in an education record of a student which
would not be considered harmful or an invasion of privacy if
disclosed. It includes, but is not limited to, the student's name,
address, telephone list, date and place of birth, major field of
study, participation in officially-recognized activities and sports,
weight and height of members of athletic teams, date of attendance,
degrees and awards received, and the most recent previous educational
agency or institution attended.'
The new standard -- that which would not be considered harmful or an
invasion of privacy if disclosed -- permits the educational
institution to exercise its discretion in the designation and and
release of directory information provided that the eligible student
does not object to the disclosure.
======================== p. 106 ============
[From the regulations: 34 C.F.R., 99.37 (1988)]
99.37 What conditions apply to disclosing directory information?
(a) An educational agency or institution may disclose directory information
if it has given public notice to parents of students in attendance and
eligible student is attendance at the agency or institutional of --
(1) The types of personally identifiable information that the
agency or institution has designed as directory information;
(2) A parent's or eligible student's right to refuse to let the agency
or institution any or all of those types of information about the
student as directory information; and
(3) The period of time within which a parent or eligible student has
to notify the agency or institution in writing that he or she does
not want any or all of those types of information about the student
designed as directory information.
================== p. 155 ================
[from a reprint of an article printed in 1982 in _Computer/Law
Journal_ by a Ms. Hyman.]
... A waiver of FERPA rights made pursuant to section 99.7 must be
exercised by the student {109} and can apply to all FERPA rights
{110}. Wavers must be signed {111}, and are most commonly given
regarding letters of recommendation for admission {112}. Institutions
may request students to waive their right of access to these letters,
but they may not require a waiver as a condition for admission or
services.{113}.
[References]
{110} 34 C.F.R. 99.7(a) (1980)
{113} 34 C.F.R, 99.7(b) (1980) [Which I think cooresponds to this section of the 1988
regulations - cmk]
====================== p. 104 =================
[34 C.F.R. 99.12 (1988)]
99.12 What limitations exist on the right to inspect and review
records? ...
(b) A postsecondary institution does not have to permit a student to
inspect and review educational records that are -- ...
(3) Confidential letters and confidential statement of recommendation
places in the student's records ..., if
(i) The student has waived his or her right to inspect and review
those letters and statements;
...
(c) A waiver under paragraph (b)(3)(i) of this section is valid only
if --
(i) The educational agency or institution does not require the waiver
as a condition for admission to or receipt of a service or benefit
form the agency or institution;
...
============================================
--
Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
------------------------------
From: "Michael E. Adams" <madams@ecst.csuchico.edu>
Subject: Re: Privacy vs. Anonymity
Date: 1 Oct 1992 12:49:17 GMT
Organization: California State University, Chico
In article <comp-privacy1.86.7@pica.army.mil> nastar!phardie@emory.mathcs.emory.edu (Pete Hardie) writes:
>[...]
>Anonymity helps those who hold unpopular views/lifestyles/etc.
>[...]
>Basically, I hold to the idea that my actions are not to be recorded unless
>there is a demonstrated need, simply because if there is data on me, someone,
>somewhere, will find a way to abuse it, whether legally, economically, or
>otherwise.
Read it, Learn it, and Live it. It's time to put limits on data collection.
--
Hi! I am a .signature virus. Copy me into your .signature to join in!
------------------------------
Date: Thu, 1 Oct 92 16:19:20 MDT
From: Tom Wicklund <wicklund@intellistor.com>
Subject: Re: SSN in login ids / posting grades
In comp.society.privacy Dave Grabowski <dcg5662@hertz.njit.edu> writes:
> A few weeks ago, I posted a msg about how NJIT uses student's SSN's
>for Student ID's and for UNIX System ID's as well. It was the custom for
>exam grades to be posted by SSN as well, but as I just found out today,
>it seems that, at least in the Physics Dept., this is no longer going to
>be done. They have now changed it so that the listing is done by >FIRST
>NAME< only. This has GOT to be the most ridiculous way to post grades.
>The Prof. mentioned that in one of his other classes, there were three
>"Mark"'s in a row. Another person (who was checking her grade while I
>was) said, "Nobody else has my name, anyway" (it was something obscure,
>like Aretha).
Any system of publicly posting grades is going to voilate privacy.
Whether a student ID is a social security number or a unique within
the university ID, it can be misused. And most of the time grades
posted by student ID are still listed in alphabetical order (making it
easy to find people near the start or end of the alphabet).
If one wants grade privacy, then professors should be encouraged not
to post grades. Ideally the university will have a reliable way to
inform students of grades in a timely fashion.
------------------------------
From: Colin Plumb <a418plum@cdf.toronto.edu>
Subject: Re: Teletrac
Date: Fri, 2 Oct 1992 01:43:11 -0400
In article <comp-privacy1.84.6@pica.army.mil> you write:
>Re: transponders on cars - you don't need it - the license plate is enough.
>Optical character recognition technology is about good enough to read
>license plates today, and keeps getting faster as algorithms improve
>and number-crunching chip speed doubles every year or two.
>So all they need is a good video camera and a reader.
>The main advantage of transponders is that the stationary equipment is
>likely to be cheaper, and you can force the car owners to buy the transponders.
I was working at a company that put together a response to a request for
proposals from the South Korean government to do this. The idea is that,
over the highway, arches hold TV cameras aimed down to see cars' licence
plates. The system was to read them, match them against a database,
and if the plate showed up, alert the cop shop a few km down (no junctions
in the way!). An unreadable plate would be sent to the cops for manual
reading.
Any such system could, of course, easily be adapted to time-stamp and log
*every* car, although the proposal didn't ask for that.
This was 1991. Big Brother is here (well, *there*), boys and girls.
It was buildable, although it would require some tuning to get the
readability rate up against mud, fog, variable lighting, and whatnot.
(I wasn't directly involved, and didn't want to be.)
--
-Colin
------------------------------
From: Mike Brokowski <brokow@casbah.acns.nwu.edu>
Subject: Re: Address required on checks
Organization: Northwestern University, Evanston Illinois.
Date: Fri, 2 Oct 1992 05:07:37 GMT
In article <comp-privacy1.86.8@pica.army.mil> Wm Randolph Franklin <wrf@ecse.rpi.edu> writes:
>
>1. Service Merchandise, a local catalog store gets quite unfriendly when
>I pay in cash. They've told me they must have a name. (So I give them
>'Mario Cuomo').
They do get unfriendly at times, but they have yet to refuse my cash.
>2. Then there's Radio Shack.
Radio Shack salepersons always ask "Can I have the last four digits of
your phone number?" and I just reply "No." Apparently, RS keeps a
customer database on its computers and sends flyers/ads to those on it.
Once, the clerk sneered "Ok, but we can't give you a refund or exchange
if the product is defective without this information." I told him that
such a policy constituted an illegal precondition of sale in this state
and that unless he had reason to believe I was involved in fraud, the
receipt, original product, and packaging were all he could require for
transactions under $25 (my purchase was about $3.50). Of course, all
of that is crap as far as I know; I was just annoyed at his attitude.
But he bought it and I made the purchase anonymously. (I can't say
what would've happened if I had needed to return the item.) I suspect
that the clerk just made up the 'no refund/exchange' line as a response
to intransigent customers (like me ;->).
>3. You must give id when spending over $10K with one merchant in, I
>believe, one year, or the merchant can get in serious trouble.
>
>4. I've heard stories about IRS offices refusing to accept cash, though
>I can't vouch for them myself.
>
>There is one loophole however, which is probably still open. You can
>buy money orders anonymously, put whatever name you want on them, and
>then use them to pay people who refuse cash.
>--
>Wm. Randolph Franklin, wrf@ecse.rpi.edu, (518) 276-6077; Fax: -6261
>ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180 USA
>
I am curious about 3) and the money orders. Does anyone know the rules
for requiring id depending on the amount of yearly purchase? It seems
to me that a large family could possibly spend over $10k per year at a
supermarket and simply pay cash (especially at these newer huge stores
where one can pretty much buy most of life's necessities e.g. food,
clothing, books, some furniture, toys, pharmaceuticals, et cetera).
- Mike
------------------------------
From: Khan <tmkk@uiuc.edu>
Subject: Re: Address required on checks
Organization: University of Illinois at Urbana
Date: Fri, 2 Oct 1992 18:25:50 GMT
In article <comp-privacy1.86.8@pica.army.mil> Wm Randolph Franklin <wrf@ecse.rpi.edu> writes:
>
>1. Service Merchandise, a local catalog store gets quite unfriendly when
>I pay in cash. They've told me they must have a name. (So I give them
>'Mario Cuomo').
>
>2. Then there's Radio Shack.
This usually isn't the direct fault of SM or RS. Rather, it's the
personal insecurity of the clerk who, when faced with a rejection to
his/her request for marketing information, becomes defensive and
sometimes even hostile.
I am in the habit of refusing to give out my address when making
purchases at these types of stores. I've seen a wide range of responses.
Often, the clerk feels the need to "explain" why they are asking for my
address after I tell them I don't want to give it.
The most extreme reaction I ever received was from a very attractive
young woman in a (now defunct) small video+electronics store chain. She
became VERY distraught when I refused to provide my name and address for
a $30 cash purchase. Finally, she made up a name (she somehow came up
with "Polk," even though she spelled it "Poke") and wrote it down on the
receipt. I'll probably get flamed for saying this, but it was my
impression that this particular young lady was not at all used to having
men say "no" to her requests. ;-)
My point is, the hostility and other reactions you get from clerks are
from the clerks themselves. RS definitely does not tell its employees
"if they won't give their name, cuss 'em out!" ;-)
------------------------------
Date: Fri, 2 Oct 92 01:45:00 CDT
From: Jim Mccoy <mccoy@aristotle.ils.nwu.edu>
Reply-To: mccoy@ils.nwu.edu
Subject: Re: Blockbuster & video rental records
In article <comp-privacy1.84.4@pica.army.mil>, Mike Johnston writes:
>
> Recently my local corner video store shutdown and I was forced to find
> a membership elsewhere. Since the only other store of consequence in my
> town was Blockbuster Video, I decided to go there. [...]
>
> [Regarding the memebership info he was given...] Imbedded
> with the standard legalese about being responsible for rented tapes and
> such is a clause that states, from memory:
>
> Member grants Blockbuster Video the right to release all information
> generated by or through the use of the membership card.
>
> In other words, they can give out my rental records to someone without
> permission. This is disturbing.
>
You might want to check out the Video Privacy Protection Act of 1988. I
think that the latest reference to this I have seen is in _Privacy for
Sale_ (by Jeffrey Rothfeder, a must read for people who are interested in
this stuff...). I believe that it prevents stores from releasing just this
sort of information, but perhaps someone more familiar with it could
clarify this point...
jim
--
------------------------------< Jim McCoy >------------------------------------
j-mccoy@nwu.edu | "I'd love to stay and chat, but I'm
mccoy@ils.nwu.edu | having an old friend for dinner..."
#include <disclaimer.h> | -Dr. Hannibal Lector
-----------------------<"To thine own self be true">--------------------------
------------------------------
From: John Nagle <nagle@netcom.com>
Subject: Re: Blockbuster & video rental records
Organization: Netcom - Online Communication Services (408 241-9760 guest)
Date: Sat, 3 Oct 1992 17:36:09 GMT
shearson!jenny!mjohnsto@uunet.uu.net (Mike Johnston) writes:
>Recently my local corner video store shutdown and I was forced to find
>a membership elsewhere. Since the only other store of consequence in my
>town was Blockbuster Video, I decided to go there. The application
>process was fairly quick and painless IE you show them ID and a valid
>credit card and you're a member in just a few minutes. After you join
>they give you a notepad sized piece of paper which explains the
>terms of the membership.
>I glanced at this note when I got home and was quite surprised. Imbedded
>with the standard legalese about being responsible for rented tapes and
>such is a clause that states, from memory:
> Member grants Blockbuster Video the right to release all information
> generated by or through the use of the membership card.
>In other words, they can give out my rental records to someone without
>permission. This is disturbing.
The exact text, from "Membership Terms and Conditions" marked
"2/92" and "810151" reads, in paragraph 3:
"Member authorizes BLOCKBUSTER Video to release information contained
in this Application or generated by or through the use of the
membership card."
Question for the lawyers out there: does this constitute a wavier of the
Video Rental Privacy Act?
I refused to "join" Blockbuster because of their overreaching terms.
Fortunately, we have many local video rental stores run by independents.
John Nagle
------------------------------
Subject: FOIA Request for the FDA?
From: Sean Petty <seanp@undr.org>
Reply-To: Sean Petty <undr!seanp@gvls1.gvl.unisys.com>
Date: Sat, 03 Oct 92 12:30:42 EDT
Organization: The Underground - Pennsylvania
I am presently in the position that I need to exercise the FOIA
to get some information from the Food and Drug Administration
about an approved but questionable drug. What I would like to
know is if someone has a generic request form that applies to
the FDA, or one that they have used in the past.
I would like to get any and all information about this drug from
them, so anyone who can offer any information, files, etc. would
be greatly appreciated.
Sean
---
Sean Petty undr!seanp@tredysvr.Tredydev.Unisys.COM
ICBMnet: 39'58'12"N 75'84'26"W seanp@undr.org
------------------------------
End of Computer Privacy Digest V1 #087
******************************