Date: Wed, 07 Oct 92 17:28:19 EST
Errors-To: Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From: Computer Privacy Digest Moderator <comp-privacy@PICA.ARMY.MIL>
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#088
Computer Privacy Digest Wed, 07 Oct 92 Volume 1 : Issue: 088
Today's Topics: Moderator: Dennis G. Rears
Welcome to Our New Users/Status of the forum
Policy for Submissions
Re: SSN and Airline Antitrust Settlement
Re: SSN in login ids / posting grades
Re: Address required on checks
Re: Address required on checks
Address required on checks
Re: Address required on checks
Re: Address required on checks
Re: Big Brother has this message on file!
Re: Computer access to SSN and bank accounts: 48hrs episode
Question on Surrepticious recording of calls in a Federal Agency
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.200].
----------------------------------------------------------------------
Date: Wed, 7 Oct 92 17:10:57 EDT
From: Computer Privacy List Moderator <comp-privacy@pica.army.mil>
Subject: Welcome to Our New Users/Status of the forum
In the last four (4) days I have added about 50 new subscribers to
the electronic maillist portion of this forum. Based upon their net
addresses, they are from a wide range of countries and
education/commercial/government backgrounds. I would like to welcome
them all to the Computer Privacy Digest (CPD).
Readership is still growing on this forum. There are now over 400
direct subscribers to the electronic mail list including about 25
exploder lists. According to the latest USENET traffic poll, there are
an estimated 16,000 readers of the comp.society.privacy newsgroup which
is 1.1 % of all USENET readers.
My initial USENET distribution has been expanded from one to three
sites. I am hoping this will improve propagation throughout
USENET. Originally everything originated from adm.brl.mil.
I am including the occasional policy posting in this digest for all
readers. I actively solicit any articles that are relavant to the
charter of this news group.
The charter of the Computer Privacy Digest:
comp.society.privacy Effects of technology on privacy (Moderated)
This newsgroup is to provide a forum for discussion on the effect of
technology on privacy. All too often technology is way ahead of the
law and society as it presents us with new devices and
applications. Technology can enhance and detract from privacy.
This newsgroup will be gatewayed to an internet mailing list.
Dennis Rears (Moderator of CPD)
------------------------------
Date: Wed, 7 Oct 92 17:12:05 EDT
From: Computer Privacy List Moderator <comp-privacy@pica.army.mil>
Subject: Policy for Submissions
Policy on Posting to the Computer Privacy Digest.
Revision 1.0
27 May 1992
Introduction:
The Computer Privacy Digest is an electronic digest dedicated to the
discussion of how technology affects privacy. The digest is burst into
separate articles and fed into the USENET newsgroup comp.society.privacy.
The newsgroup and digest are different forms of the same forum.
Discussions should be centered around the following topics:
o Technology - What devices are out there now and are on the
drawing boards that will enhance or take away privacy from
individuals and entities.
o Ramifications - What are the ramifications are current and new
technology.
o Public Policy - What should public policy be in regulating,
not regulating, and/or using the technology. Privacy includes the
right of the individual/entitity to privacy against other
individuals, entities, businesses, and the various forms of
government.
o Education - This kind of goes with ramification. One of the
functions of this forum should be to educate people on how
current technology affect their privacy. This can range from
corporate data bases to credit card usage.
1. Submissions:
a. All submissions should be emailed to comp-privacy@pica.army.mil or
posted to the comp.society.privacy newsgroup. Only submissions that
are relavant to the charter of the forum will be published. Please
keep text to under 76 characters per line. Personal attacks, excess
flamage, or libelous postings will not be published.
b. Submissions should not be sent to comp-privacy-request@pica.army.mil.
This address is for drop/add requests, administrative changes, and
confidential requests to the moderator. Those submissions sent to
that address will only be published is explicit permission is granted
to publish by the poster.
c. Anonymous submissions
2. Copyrighted Articles:
a. It is assumed that all articles submitted are in the public
domain. Submission grants permission for distribution and archiving
in the Privacy Digest.
b. I will not publish any articles that contain complete text of a
copyrighted work unless the poster explicitly states that he has
obtained permission from the copyright holder to print in the
Computer Privacy digest. A summary of an article is ok as is any
excerpt that can be justified under the fair use doctrine.
3. Signal to Noise Ratio:
It is my desire to keep a high signal to noise ratio. As a result
a particular posting may not be published or a subject thread might
be terminated when postings start to fail to shed new insight into
the subject. I welcome submissions on new topics and encourage them.
The quality of the digest is up the readers and posters.
Dennis G. Rears
Moderator, The Computer Privacy Digest
------------------------------
From: "David A. Andersen" <davida@bonnie.ics.uci.edu>
Subject: Re: SSN and Airline Antitrust Settlement
Date: 3 Oct 92 19:42:02 GMT
In article <comp-privacy1.87.2@pica.army.mil> egdorf@zaphod.lanl.gov (Skip Egdorf) writes:
>In article <comp-privacy1.78.3@pica.army.mil> rudis+@cs.cmu.edu (Rujith S DeSilva) writes:
>
> The claim forms for the Airline Antitrust Settlement ask for `Social Security
> Number or Tax I.D.'. I've read the SSN guidelines posted here regularly, but
> this case seems different. I really don't want to supply my SSN, and I don't
> see why I legally have to. The terms of the settlement clearly define a
> `Class' of members (loosely, passengers of some airlines during a certain
> period), and say that upon certifying their inclusion in this Class, its
>members are eligible to a share of the settlement. Why should I supply my SSN
> to certify my claim?
>
>A "Settlement" of a monetary amount will be reported to the IRS as
>income for tax purposes. This is essentially the same requirement as a
>bank requesting the SSN so as to be able to report interest on a
>savings account to the IRS. This is permissable under federal law.
Yes, but isn't the value of the settlement going to be less than $600 for
most of the claims? Since it isn't a financial institution, isn't the
$600 minimum in effect?
David Andersen
UC Irvine
[Moderator's Note: Could someone who actually find out where the
requirement for SSN for the Settlement has come from? I don't believe it
stems from a tax requirement. I think this isssue has been beaten to
death. ._dennis ]
------------------------------
From: James Allan <allan@cs.cornell.edu>
Subject: Re: SSN in login ids / posting grades
Organization: Cornell Univ. CS Dept, Ithaca NY 14853
Date: Sun, 4 Oct 1992 01:24:49 GMT
Tom Wicklund <wicklund@intellistor.com> writes:
>Any system of publicly posting grades is going to voilate privacy.
>Whether a student ID is a social security number or a unique within
>the university ID, it can be misused. And most of the time grades
>posted by student ID are still listed in alphabetical order (making it
>easy to find people near the start or end of the alphabet).
>If one wants grade privacy, then professors should be encouraged not
>to post grades. Ideally the university will have a reliable way to
>inform students of grades in a timely fashion.
Posting grades removes some administrative burden, makes it reasonably
easy for the students to doublecheck that grades were recorded
accurately, and makes it easier for the students to have a feeling for
"where the stand" (something which many students are obsessed with).
The problem is not posted grades; the problem is the ID number.
Cornell does not allow student grades to be posted by SSN or by the
students' Cornell ID number. In the classes I teach, I get a 6 or so
character "grading code" from the student and use that to post the
grades (sorted by grading code, not by name). Some students choose to
use their ID's, some use a combination of their initials and numbers,
some use OTHER people's initials (a friend, I suspect), and some use
nonsense phrases like "iamcool". There's essentially no way to guess
which grade is for whom (modulo the case of a "star" student who is an
order of magnitude above everyone else).
I think student-chosen grading codes are a good solution to the
problem. I admit that, unfortunately, many professors here seem to
sidestep or ignore the no-SSN no-ID# routines.
------------------------------
Date: Sun, 4 Oct 1992 7:38:55 -0400 (EDT)
From: "Dave Niebuhr, BNL CCD, 516-282-3093" <NIEBUHR@bnlcl6.bnl.gov>
Subject: Re: Address required on checks
Khan <tmkk@uiuc.edu> writes:
>In article <comp-privacy1.86.8@pica.army.mil> Wm Randolph Franklin <wrf@ecse.rpi.edu> writes:
>>
>>1. Service Merchandise, a local catalog store gets quite unfriendly when
>>I pay in cash. They've told me they must have a name. (So I give them
>>'Mario Cuomo').
>>
>>2. Then there's Radio Shack.
>
>This usually isn't the direct fault of SM or RS. Rather, it's the
>personal insecurity of the clerk who, when faced with a rejection to
>his/her request for marketing information, becomes defensive and
>sometimes even hostile.
>
I'm not about Service Merchandise but the clerks in Radio Shack are
required by company policy to attempt to get a telephone number so that
a database entry can be made and flyers sent to the purchasers.
Dave
Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093
------------------------------
From: "Wm. L. Ranck" <ranck@joesbar.cc.vt.edu>
Subject: Re: Address required on checks
Date: 4 Oct 92 18:32:38 GMT
Mike Brokowski (brokow@casbah.acns.nwu.edu) wrote:
: Radio Shack salepersons always ask "Can I have the last four digits of
: your phone number?" and I just reply "No." Apparently, RS keeps a
: customer database on its computers and sends flyers/ads to those on it.
:
I used to work for Radio Shack about 17 or 18 years ago. At that time
we were told to *ask* for name and address on each sales slip. The key
word was ask. If someone said no or asked why we were to tell them,
quite honestly, that the name and address was for a mailing list.
The corporate policy was that you were supposed to get the name and address
on a high percentage of the slips or else the district manager would hassle
you about it. Some stores didn't emphasize the voluntary part but did
emphasize the percentage 'required'. This kind of pressure leads to
cranky clerks. My manager said to just ask them for it and if the customer
didn't want to give it to not make it a big deal. Other store managers
probably weren't that easygoing.
:
: I am curious about 3) and the money orders. Does anyone know the rules
: for requiring id depending on the amount of yearly purchase? It seems
: to me that a large family could possibly spend over $10k per year at a
: supermarket and simply pay cash (especially at these newer huge stores
: where one can pretty much buy most of life's necessities e.g. food,
: clothing, books, some furniture, toys, pharmaceuticals, et cetera).
An interesting question. The intent of the law requiring reports of large
cash purchases was to catch drug dealers and the like using big wads of
cash to buy cars, boats, jewelry, etc. Some got around the reporting
requirement by splitting up payments into multiple less-than-10K amounts.
So the law was changed to cover that. Mike points out an interesting
consequence of that change. There may be a lot of technical violators
who don't even now it. I routinely write a check for groceries at a
local store, and that is usually the only store I buy groceries from.
I doubt that my annual food bill breaks the 10K limit, but to be honest
I don't know. I would have to go back and add up probably 100 checks or so.
--
*******************************************************************************
* Bill Ranck DoD #496 ranck@joesbar.cc.vt.edu *
*******************************************************************************
------------------------------
Date: Mon, 5 Oct 1992 08:25 EDT
From: JSMITH@guvax.acc.georgetown.edu
Subject: Address required on checks
Regarding Radio Shack's request for customer information:
About fifteen years ago, a good friend of mine managed a
Radio Shack store. At the time, one of Radio Shack's measurements for
store managers was the percentage of sales slips on which the name and
address were filled in. Salespeople were allowed to write "Cash" for
those situations in which customers absolutely refused to divulge any
information, but these were counted against the store manager in
end-of-month calculations. So, my friend made a deal with me: when
customers refused to supply the information, he would initially write "Cash"
on their slip. After they left the store, he would then enter the
name "Brownie Smith" and my home address on the store copy (Brownie
was my dog at the time). Brownie received Radio Shack catalogs for
many years but was eventually purged...once my friend left Radio Shack
for a more lucrative career as a stock broker, Brownie apparently
ceased to make purchases.
In another situation with similar characteristics, Shell Oil
distributed a coupon in several cities' newspapers last summer (I saw
it in _The Washington Post_ and _The New York Times_). The coupon
offered $1 off any gasoline fillup (8 gallons or more). At the bottom
of the coupon was a space for name and address with the heading
"Consumer: Please complete." I tried to redeem the coupon at my
local Shell station without completing the name and address section,
but the attendant refused it. When I argued that the information was
clearly optional and that the offer of $1 was an unconditional one, he
replied "I don't see nothing about optional on the coupon." So, I
wrote to Shell's president in Houston, Texas. I received a very
apologetic letter and a check for $5. But I'm sure they considered me
a privacy zealot and crackpot.
Jeff Smith
Assistant Professor
School of Business Administration
Georgetown University
Washington, DC 20057
[Moderator's Note: I would like to kill the thread on Radio Shack
wanting names, addresses, and phone numbers. The general consensus is
that it is a marketing ploy and a forceful no is all that is required to
avoid giving out this information. ._dennis]
------------------------------
From: Don Simon <infmx!dsimon@uunet.uu.net>
Subject: Re: Address required on checks
Reply-To: infmx!dsimon@uunet.uu.net
Organization: Informix Software, Inc.
Date: Mon, 5 Oct 92 19:04:59 GMT
In article 8@pica.army.mil, wrf@ecse.rpi.edu (Wm Randolph Franklin) writes:
>
>In article <comp-privacy1.85.1@pica.army.mil> on Thu, 24 Sep 92 14:02:46 GMT,
>amdunn@mongrel.UUCP (Andrew M. Dunn) writes:
>
> > Of course, cash will always be accepted without your address on it.
>
>Oh?
>
>1. Service Merchandise, a local catalog store gets quite unfriendly when
>I pay in cash. They've told me they must have a name. (So I give them
>'Mario Cuomo').
>
>2. Then there's Radio Shack.
>
>3. You must give id when spending over $10K with one merchant in, I
>believe, one year, or the merchant can get in serious trouble.
>
>4. I've heard stories about IRS offices refusing to accept cash, though
>I can't vouch for them myself.
>
>There is one loophole however, which is probably still open. You can
>buy money orders anonymously, put whatever name you want on them, and
>then use them to pay people who refuse cash.
>--
>Wm. Randolph Franklin, wrf@ecse.rpi.edu, (518) 276-6077; Fax: -6261
>ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180 USA
I believe that it is illegal to refuse US currency in the US, after all
it is the only *legal* tender in this country. The IRS does require
that large cash purchases (> 10,000) have filed a special form, used
for tracking people with possibly illegal cash resources (drug-dealing,
extortion, theft in general).
If someone won't take my money, they won't get my business, there are
millions of businesses in America, and I can guarantee that you can
always find whatever you're looking for somewhere else.
Vote with your feet/wallet...if someone is trying to invade your
privacy, tell them how you feel, and that you will not shop their store
again until they respect your privacy choice.
don simon
------------------------------
From: Steve Barber <sbarber@panix.com>
Subject: Re: Address required on checks
Date: Wed, 7 Oct 1992 04:26:57 GMT
Organization: PANIX Public Access Unix, NYC
Of course, any merchant may refuse to accept a money order as
payment as easily as it can refuse to accept a check, if it
wishes. Cash is it, at least according the Article 3 of the
Uniform Commercial Code. Though of course more places will
take an anonymous money order than will take a check with no
address.
--
Steve Barber sbarber@panix.com
"The direct deed is the most meaningful reflection." - Bill Evans
Nothing I say is legal advice. It can't be. I don't know anything.
------------------------------
From: "J. Porter Clark" <jpc@avdms8.msfc.nasa.gov>
Subject: Re: Big Brother has this message on file!
Organization: NASA/MSFC
Date: 5 Oct 92 17:41:28 GMT
Apparently-To: comp-society-privacy@ames.arc.nasa.gov
On 28 Sep 1992, I posted a message to comp.security.privacy which
started out like this:
> I just found out last week that the local network management
> organization is archiving all network traffic onto 8 mm tape and has
> been doing so for at least six months. They plan on keeping this data
> indefinitely.
I went on to vent righteous indignation about the possibility of misuse
or (at the very least) gratuitous exploitation of this data and the
waste of magnetic tape.
I based my claims about the traffic archiving system on information I
obtained during a training course for LAN managers which I attended.
This information was not correct. I have discussed the operation of
the system with the person who developed and operates it, and I humbly
offer the following corrections.
Our Network Management Center does in fact operate a High-Speed
Ethernet Capture System which is capable of monitoring only one or two
of the 80 or more segments which make up the local network. The NMC
monitors only specific segments in response to requests to troubleshoot
specific problems. These problems include broadcast or multicast
storms and LAT dropouts.
The most important correction is that the tapes are NOT kept for an
indefinite period of time. Instead, they are kept for 1-2 weeks before
being reused. (This was precisely the recommendation I made in the
earlier post.) However, tapes containing unusual network events are
kept longer.
I had also recommended that the system strip out the messages and keep
only the headers of network packets. The NMC claims that it is
necessary to keep the messages to troubleshoot certain types of
problems, including a LAT dropout problem.
There are plans to extend the capabilities of this system, but not
greatly. The current system can miss packets during high traffic
periods, and the NMC hopes to eventually eliminate this problem.
Network Management Center strongly agreed with my privacy concernes and
pointed out that all Ethernet networks should be treated as unsecure
lines. PROMISCUOUS reading programs are common on almost any network
host. Only their lack of performance and overrun detection limit their
network wire-tapping capability on a busy segment. They recommend an
attitude of treating Ethernet like an old time party line with a nosy
busy-body who tries to listen to every call.
In my earlier post, I asked if anyone knew of a good reason (legal or
ethical, perhaps) for not having the net police archive all network
traffic for practically forever. I didn't get any responses better
than something along the lines of "There's probably something illegal
about it." I would still like to hear from anyone who has any insight
into this problem.
--
J. Porter Clark jpc@avdms8.msfc.nasa.gov or jpc@gaia.msfc.nasa.gov
NASA/MSFC Communications Systems Branch
ICON: A picture or symbol that stands for a word. Icons are often used
in programs for young children who cannot yet read.
-- some doctor's waiting-room magazine
------------------------------
From: Steve Forrette <stevef@wrq.com>
Subject: Re: Computer access to SSN and bank accounts: 48hrs episode
Organization: Walker Richer & Quinn, Inc., Seattle, WA
Date: Mon, 5 Oct 1992 23:33:50 GMT
Apparently-To: comp-society-privacy@ames.arc.nasa.gov
Several people wrote to say how easy it is to get a dialup account with a
credit bureau to get people's credit profiles. But, isn't each inquiry logged
in the computer? I, from time to time, will get a copy of my credit profile
in order to check its accuracy. It also lists each inquiry that has been
made within the last year (2 years?). If there were an inquiry from an
organization that I did not recognize or authorize, I would definately look
into it.
Steve Forrette, stevef@wrq.com
------------------------------
Date: Tue, 6 Oct 92 13:31 GMT
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Question on Surrepticious recording of calls in a Federal Agency
I have a question I am posting from my own Internet account (which I pay
for out of my own pocket) so I can state this specifically and ask a
public question which might be inappropriate for me to ask from a
government account.
I am a private employee of a contractor to a government agency. I work
out of that agency but I am not a government employee.
Some rumors have been floating around to the effect that this agency is
now and/or was recording (unannounced to anyone) telephone calls at this
agency, either calls made from the agency, calls made to the agency, or
both, and perhaps only on certain phone lines.
The rumor has it that in one instance a person (a former federal
employee) got to hear a playback of a recording of some personal calls
they made where they were not supposed to be doing so.
For obvious reasons, unless I have solid legal grounding to know whether
or not this form of activity is legal or otherwise, I would like to get
some background from a Internet news group reader who knows what the law
says, or has a copy of the laws dealing with this.
Please note that I am *NOT* referring to SMDR taping or pen registers,
which is what I thought the person who told me this was referring to
(which would record phone numbers dialed; that is not what I am talking
about; I am talking about the (surrepticious) recording of the audio
content of telephone calls.)
Question: Even for a government agency, is it legal for them to record
calls without notification to the parties involved? I believe this not
only violates the 1968 Federal Wiretap Act but might also violate the
more recent Electronic Communications Protection Act.
I for one don't have anything to worry about; the most I've done is call
MCI's 800 number - which is okay since the agency isn't charged for the
call - but I wonder about the legality of this.
Also, I note that this agency does have a special reports office to
accept calls from the public and reports to the agency by employees,
people under its jurisdiction, and the public, and the first thing the
person on that line does when he or she answers is to report that the
line is recorded. Which strikes me as odd, if the rumor I'm hearing is
true.
I thought the only time where a call could be recorded without the
knowledge of the people on the call - even in a federal agency - is
either if there is a wiretap order from a court or it's a security or
law enforcement agency such as the FBI, NSA, CIA or other such. This
agency is not generally a law enforcement agency.
Could someone tell me if I'm wrong and this type of activity is legal?
These opinions ARE those of the owner of this account.
And nobody else's.
[Moderator's Note: I work for a federal agency (U.S. Army). On all of
our phones a label that states "This telephone is subject to monitoring
at all times. Use of this telephone constitues consent to monitoring".
Since it cleary states the policy I can not object to it. I can go to a
nearby phone and conduct my personal and private business.
I have talked with our telecom folks and they have more or less said
that monitoring is mainly for security purposes (prevent people from
talking classified phones) not for criminal investigation purposes.
._dennis]
------------------------------
End of Computer Privacy Digest V1 #088
******************************