Date:       Tue, 27 Oct 92 16:14:48 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V1#093

Computer Privacy Digest Tue, 27 Oct 92              Volume 1 : Issue: 093

Today's Topics:				Moderator: Dennis G. Rears

                     Re: question on surrepticious
                       Re: Posting grades by SSN
                      Re: ssn and traffic tickets
                               encryption
                     Re: Citibank photo credit card
                 Two Line Cordless Phones and Recording
                         Looking for References
                           SSN and unique IDs

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.200].
----------------------------------------------------------------------

From: "james.j.menth" <jjm@cbnewsb.cb.att.com>
Subject: Re: question on surrepticious
Organization: AT&T
Distribution: usa
Date: Fri, 23 Oct 1992 19:35:15 GMT

In article <comp-privacy1.92.8@pica.army.mil> bu676@cleveland.freenet.edu (Cheryl L. Kerr) writes:
>
>During a recent legal problem, I was advised by my attorney that
>it is completely legal to tape a face-to-face or phone conversation
>without notifying the other party(ies) involved as long as YOU ARE
>A PARTY TO THE CONVERSATION (e.g. Only you need to know it is being 
>taped).  Since I wasn't involved in any clandestine work, I didn't
>get any legal info on wire taps.
>
This was probably good advice in your state, as it is in mine, however
although individual states may not pass legislation less restrictive
than Federal laws they can usually go the other way.  The phone books
usually have a section in the front (Mine was titled "Your
Responsibilities") that gives the policy applicable in your area.

Jim Menth   jjm@cbnewsb.cb.att.com




------------------------------

From: David Ratner <ratner@pram.cs.ucla.edu>
Subject: Re: Posting grades by SSN
Organization: UCLA, Computer Science Department
Date: 23 Oct 92 22:00:40 GMT
Apparently-To: comp-society-privacy@uunet.uu.net

rinewalt@gamma.is.tcu.edu (Dick Rinewalt) writes:

>Posting grades is not necessary for a double check on grade reporting.
>Alternatives are:

>1. At TCU, the Registrar sends each faculty member printouts of the
>results of scanning the grade sheets for his/her courses. This provides
>the capability of detecting both types of grade reporting errors;
>however, not all faculty take the time to check this against the
>gradebook.

>2. I encourage my students to pick up the graded final exam. This allows
>them to know their grades early and seeing their mistakes is part of the
>educational experience. Unfortunately, only 10-20% of them do so.
>Dick Rinewalt      Computer Science Dept       Texas Christian Univ
>rinewalt@gamma.is.tcu.edu                      817-921-7166

I disagree.  For number 1, as you pointed out, not all faculty members
will take the time to check the report against the gradebook, especially
for large classes.  Even if they do check it, they don't really have
a vested interest in FINDING a mistake, so they might just scan it, whereas
a student will look much more closely.

For number 2, some classes/schools don't allow you to keep your final exam,
and allowing each student to look at it requires patience by the professor
to individually handle each student when they come to ask for the final.
For large classes, this could become extremely tiring for a professor
trying to get work done (i.e. every five minutes having some student
coming into his office asking for his/her final).   Now, the student
must "stake out" the professor's office to find a time when he is in, because
after the first 10-15 students come asking, the prof will undoubtably run
and hide!

It seems much easier for all parties if grades can be posted.  I personally
don't care if my grade is posted by my ssn.  In one class at Cornell a 
waiver was actually sent to all students, and if they signed it they 
authorized the posting of their grade by ssn --- otherwise they had to
physically ask the prof.  Why not have each student make up some random
number to post grades by, if that's what it takes.  

Dave Ratner
-- 
* *  ***  *     *    |   Dave "Van Damme" Ratner
* *  *    *    * *  / \  ratner@cs.ucla.edu
* *  *    *    ***  \ /  
***  ***  ***  * *   |   "Wham Bam, thank you Van Damme!"	

------------------------------

From: Eric Smith <erc@netcom.com>
Subject: Re: ssn and traffic tickets
Organization: Netcom - Online Communication Services (408 241-9760 guest)
Date: Sat, 24 Oct 1992 09:01:02 GMT
Apparently-To: comp-society-privacy@ames.arc.nasa.gov

In article <comp-privacy1.92.6@pica.army.mil> fns-nc1!fns-nc1.fns.com!vib@concert.net (Victor Bur) writes:
 ...
>I don't know whether it is a local "feature" or nationwide, but the pledge
>response cards for the last (and still going) United Way fund-raising
>Campaign contain a line for SSN.  I think it's outrageous!
>
>[Moderator's Note:  Why?  Ignore it and don't give it to them. ._dennis]
>Victor


It's become a national habit to ask for the SSN on forms whether it is
needed or not.  It seems almost as if the people who design the forms
do it without even thinking about whether it is needed or not, simply
because it is a habit.

One thing it's useful for is to help evaluate the attitudes of the
person filling out the form.  If they leave the SSN field blank, it
indicates they aren't a totally cooperative person, and if you are
evaluating a large stack of forms to arbitrarily accept some and
reject others, you might automatically reject all those that don't
seem totally cooperative, depending on what the forms are for.

In the case of United Way, if you really feel strongly about it, why
not just send them a note saying you are waiting till they remove that
question from their forms before you pledge.

As for traffic tickets, I don't think it's illegal to forget your SSN
and to not have it written down anywhere handy.  Just tell the cop he
will have to forgive your traffic infraction because your SSN is not
available.

------------------------------

From: REDELSS JOHN W <ksjwr@acad3.alaska.edu>
Subject: encryption
Organization: University of Alaska - Fairbanks
Date: Sun, 25 Oct 1992 04:03:00 GMT

Will it ever be possible to network with computers in privacy and security? 
Several years ago in an OMNI article I read that encryption would eventually
make true privacy possible for everyone.  It went into the math and the
software technology more than I can remember, but it sounded good to me.  Does
anyone know anything about this? 

------------------------------

From: "Wm. L. Ranck" <ranck@joesbar.cc.vt.edu>
Subject: Re: Citibank photo credit card
Date: 26 Oct 92 14:48:12 GMT


Dave Grabowski (KxiK) (dcg5662@hertz.njit.edu) wrote:
: >And who do you think pays for all the credit card fraud?  Can you 
: >say membership fees, outrageous interest rates etc...?  I knew you could.
: >
:   1) Get a credit card with a small (or nonexistent) membership fee.
: They do exist. Actually, CitiBank is only $20/year. 2) Interest rates?
: Pay your bill on time.

Not to get embroiled in a flame war here, but merchants who accept credit
cards are charged from 2 to 5 percent for every charge they deposit in the
bank.  That is why credit card companies can afford to have no-fee cards
and no interest on promptly paid bills.  They get the interest up front.
Why do you think there is a "service charge" for cash advances?
   In other words, the credit card folks make money on every charge even
if you pay the bill right away.  In fact the annualized rate of return for
purchases where only the merchant charge is applied works out to between
24 and 60 percent!  Do you really think the merchants' pricing doesn't reflect
the cost of those credit charges?
--

*******************************************************************************
* Bill Ranck                                          ranck@joesbar.cc.vt.edu *
* DoD #496  Bikes past and present: CB175, CB550F, Norton 750, CB350F, XV535  *
*******************************************************************************

------------------------------

Date: Mon, 26 Oct 92 21:38:40 EST
From: "Dennis G. Rears" <drears@pilot.njin.net>
Subject: Two Line Cordless Phones and Recording


  I recently purchased a Southwestern Bell two line cordless phone.  The
controls are like a regular 2 line phone to include memo, redial, hold,
conference, clear, and touchtone/pulse keys.  There is also an on/off
switch on the handset.  I have two lines coming into my apartment each
with an individual answering machine hanging off it.  A key feature/bug on
the phone is that the on/off switch does not release the line.  I have to
manually press the Line 1/Line 2 key off to release the line.
  Tonight I decided to test one of my answering machines.  From line one, I
dialed Line two, heard my answering machine pick up and left a test
message.  I then hit the on/off key.  Interestingly, I heard a two way
conversation on my answering machine.  It seems that instead of
releasing the line it picked up another conversation that was on the same
frequency.  After experimenting with it for about 3 hours I have
determined I can get about 20-30 seconds of other conversations recorded
just by blind luck.  In a 1200 unit apartment complex there are a lot of
cordless phone conversations going on.  If I had some free time I would
check this out a little bit more.
   Can you imagine if I can do this, what a trained person can?  I had
always heard from the telecom digest that cordless phone conversations
can be heard with a decent radio scanner but this is interesting how easy
it is.  I am posting to the telecom digest for telecom related issues and 
the computer privacy digest for privacy issues.

dennis



------------------------------

From: fielden@spot.Colorado.EDU (j. a. fielden)
Subject: Looking for References
Organization: University of Colorado, Boulder
Date: Tue, 27 Oct 1992 19:24:58 GMT

 I am researching the topic: "Dangers of Misuse of Information" for
a paper. I'm looking for any references (books, articles, papers,
newspaper articles) on the related areas:

1. Privacy issues

Who owns information such as demographic, shopping patterns, etc.?
Can consumers obtain information about themselves, correct it or
block its use?

Medical records - are they secure, who has access, can patients
obtain their records etc.?

Other information such as credit card records, video rentals, phone
records etc.

2. Borders

If information is stored in a database that is located in another
state/country whose laws apply?

Ex. If a U.S. company has info about me in a database located in
Canada can they be forced to provide me with that information?


3. Any other ways in which information could be used in a way that
is either detrimental or an invasion of privacy.

Given the number of groups this is posted to 
PLEASE, E-MAIL ALL REPLIES.

If requested I can either e-mail or post a summary.

Thanks,

-jf

------------------------------

From: Chris Nelson <nelsonc@deneb.cs.rpi.edu>
Subject: SSN and unique IDs
Organization: Rensselaer Polytechnic Institute, Troy, NY
Date: Tue, 27 Oct 1992 18:41:51 GMT
Apparently-To: comp-society-privacy@cis.ohio-state.edu

Many private entities argue that they must use the SSN for
identification purposes because it is the only reliably unique
identifier.  The uniqueness is an important point; I've been bumping
into Chris Nelsons my whole life.  

Until recently, I've not been able to offer a suitable way for a
company to see if you were already in their system (without checking
all variations of your name), then inspiration struck: use a one-way
encryption.  

Consider a meat-grinder function which takes as inputs your SSN and
the company's federal tax ID number and puts out a unique ID based on
those numbers (that is, no two SSNs would generate the same key).  I'd
have to produce my SSN but it would never have to be recorded
(ideally, it would be illegal to record it).  Also, my ID with
different companies would be different (making invasion of privacy
through sharing of data that much harder).

A scenario: NIST standardizes such an algorithm (perhaps with some
local parameters so that a third party with my SSN and a company's FID
_still_ couldn't get my ID) and use of it becomes compulsory as use of
SSNs by private entities becomes illegal; phased in over a 4-5 year
period, perhaps.

One problem I see is that the problem space is small enough (nine
digit SSNs) that an iterative search could produce the SSN for a
specified ID.  Still, this seems to address some privacy concerns.
Any comments?

[Moderator's Note:  I think the problem people have with SSNs is that it
is a national identifier number (NIN).   Whether the NIN is the SSN or
not doesn't really make a difference. ._dennis ]
-- 
 ------------------------------+----------------------------------------------
Chris Nelson                  |  Rens-se-LEER is a county.
Internet: nelsonc@cs.rpi.edu  |  RENS-se-ler is a city. 
CompuServe: 70441,3321        |  R-P-I is a school in Troy!

------------------------------
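
Added example, not part of the original digest or any poster's code: a
sketch of the per-company one-way ID proposed in "SSN and unique IDs",
showing why the "local parameters" must be a secret key.  SHA-256 and
HMAC-SHA-256 stand in for the unspecified "meat-grinder" function; the
SSN, tax IDs and keys are constructed placeholder values.

```python
import hashlib
import hmac

def unkeyed_id(ssn: str, fid: str) -> str:
    """One-way 'meat grinder' with no secret: SHA-256 over FID and SSN."""
    return hashlib.sha256(f"{fid}:{ssn}".encode()).hexdigest()

def keyed_id(ssn: str, fid: str, local_key: bytes) -> str:
    """Same idea with a secret 'local parameter': HMAC-SHA-256 under local_key."""
    return hmac.new(local_key, f"{fid}:{ssn}".encode(), hashlib.sha256).hexdigest()

def search_ssn(target_id, fid, candidates, id_fn):
    """Iterative search: return the candidate whose ID equals target_id, else None."""
    for ssn in candidates:
        if hmac.compare_digest(id_fn(ssn, fid), target_id):
            return ssn
    return None

# Constructed sample values (area number 000 is never issued as a real SSN).
SSN = "000120042"
FID_A, FID_B = "00-0000001", "00-0000002"   # placeholder company tax IDs
KEY_A, KEY_B = b"constructed-key-A", b"constructed-key-B"
# A deliberately tiny window; the full space is only 10**9 values.
WINDOW = [f"{n:09d}" for n in range(120000, 121000)]

def demo():
    wrong_key = lambda s, f: keyed_id(s, f, b"not-the-real-key")
    return {
        # Same person, same company: stable ID, so duplicates are detectable.
        "stable": keyed_id(SSN, FID_A, KEY_A) == keyed_id(SSN, FID_A, KEY_A),
        # Same person, different company: IDs do not match across databases.
        "unlinkable": keyed_id(SSN, FID_A, KEY_A) != keyed_id(SSN, FID_B, KEY_B),
        # No secret: anyone who knows the FID recovers the SSN by enumeration.
        "unkeyed_recovered": search_ssn(unkeyed_id(SSN, FID_A), FID_A, WINDOW, unkeyed_id),
        # Secret key: the same search without KEY_A finds nothing.  The key
        # holder itself can still enumerate, so the key must be guarded.
        "keyed_recovered": search_ssn(keyed_id(SSN, FID_A, KEY_A), FID_A, WINDOW, wrong_key),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
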


End of Computer Privacy Digest V1 #093
******************************