Date:       Thu, 05 Nov 92 12:48:25 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V1#096

Computer Privacy Digest Thu, 05 Nov 92              Volume 1 : Issue: 096

Today's Topics:				Moderator: Dennis G. Rears

                             1-800-CURB-DWI
                        Risks Of Cellular Speech
             Re: 15th National Computer Security Conference
                           SSN for study room
            "Privacy For Sale" and information/advice (long)
                         Re: SSN and unique IDs
                      Re: ssn and traffic tickets
                      Re: ssn and traffic tickets

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.200].
----------------------------------------------------------------------

Organization: Catalogic, Mountain View, California [Voice: 415-961-4649]
Date: Thu, 5 Nov 1992 00:49:35 -0800
From: Robert Lenoil <lenoil@catalogic.com>
Subject: 1-800-CURB-DWI

The following article appeared in comp.dcom.telecom:

>From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
>Subject: Cell Phones to Cut DWI Requested by State Police
>Date: 2 Nov 92 20:35:36 GMT
>Organization: TELECOM Digest
>
>A letter to the editor in today's {Newsday} (11/02/92) by a New York
>State Police Captain requested the use of cell and land-line phones
>for reporting drunk and/or dangerous drivers.
>
>The article reads:
>
>"Regarding the letter by Dorothy Enright ["Put Car Phone to Good Use,"
>Oct. 19]: "The Division of State Police has invited the public to
>assist the police in DWI enforcement by establishing the *DWI
>(numerically, it's *394).  By dialing that number the public may
>report persons who are suspected of operating vehicles under the
>influence of alcohol or drugs.  If the area of the reported violation
>is customarily patrolled by a local police agency, the agency having
>the nearest available patrol will be notified and asked to respond and
>investigate.
>
>"This effort is backed up by a toll-free telephone land-line,
>1-800-CURB-DWI (1-800-287-2394).  Although the system is intended
>primarily for reporting suspected intoxicated drivers, the reckless
>and erratic operators described by Enright constitute a hazard that
>the state police wish to be informed of."
>
>
>Dave Niebuhr      Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl
>Brookhaven National Laboratory Upton, NY 11973  (516)-282-3093

I wonder what safeguards are built into this system. It seems all too easy
to "report" someone and cause them no end of grief. Can you call this
number and file an anonymous report, and would that be sufficient grounds
for police to stop and search a person's vehicle? That could be a great way
to ruin the day of someone who double-parked in front of your car.

[Moderator's Note:  This doesn't really have anything to do with privacy
but I thought I would let it in due to its potential to be abused.
 ._dennis]


------------------------------

Date: 02 Nov 92 12:00:22 EST
From: Dave King <71270.450@compuserve.com>
Subject: Risks Of Cellular Speech

[Moderator's Note:  This was forwarded from the Risks Digest by Monty
Solomon <monty@proponent.com>.   ._dennis]

  [The following was distributed here at work by our security folks. I was
  surprised at the degree to which cellular traffic has apparently become
  public speech.  But then, perhaps my surprise is just a reflection of my
  naivete.  I'm not sure how Canada's laws compare to ours, but given how
  difficult it must be to catch someone at this, I can't imagine things are
  much different here in the 'States.  (But then if it's so difficult, how'd
  they do the study???)  Dave]

Two Bell Canada security managers shared some startling data with us recently.
In a three-month study of the Metro Toronto area earlier this summer, Bell
found that 80 percent of all cellular telephone traffic is monitored by third
parties.  Even more eye-opening is the fact that 60 percent of monitored calls
are taped for closer scrutiny and culling of marketable information.  The
chance of being monitored and taped is even higher in rural areas, where air
traffic is lighter. Scanners cost as little as $200, and are sold in virtually
every shopping mall in Toronto.

Marketable information includes the obvious -- mergers, take-overs, market and
product plans, but the listeners are also looking for voice/phonemail access
codes and passwords.

The digitized tones are translated into numbers quite easily. "Phone phreaks",
the telecommunications equivalent of computer hackers, use these numbers to
break into voicemail systems. One misuse which is growing in frequency is the
setting up of "pirate" voicemail boxes, often by organized crime.  Pirated
boxes give them the ability to disseminate information on drug deals, as one
example, with little or no risk of detection.

We ask you to be extremely cautious when using your personal or business
cellular phone.  Do not discuss confidential business matters, and avoid
calling in for phonemail messages via your cellular phone.

David L. King, IBM SE Region Information & Telecomm Systems Services Department
CAY, Mail Drop D072, 10401 Fernwood Road, Bethesda MD 20817 301 571-4349


------------------------------

Date:     Mon, 2 Nov 92 23:39:31 EST
From:     Brinton Cooper <abc@brl.mil>
Subject:  Re: 15th National Computer Security Conference 
Organization:  The US Army Research Laboratory


[Moderator's Note:  The following is a letter from Dorothy Denning to
RISKS DIGEST and Brint's reply.   ._dennis]

  Date: Tue, 27 Oct 92 08:55:33 EST
  From: denning@cs.cosc.georgetown.edu (Dorothy Denning )
  Subject: Re: 15th National Computer Security Conference in RISKS DIGEST 13.87

In response to my earlier message about registering encryption keys, some
people have asked how can I be sure that criminals won't use non-registered
keys.  I don't have a foolproof answer, but consider phone calls.  Most people
who want to encrypt will buy a commercial product with a built-in key.  The key
could be registered when the product is bought.  Yes there could be a black
market in non-compliant products, and the likelihood of that increases every
day that we fail to take action on this issue.

Peter Boucher also asked about the benefits of registering keys with a federal
agency.  After discussing this problem with law enforcement officials and
criminologists, I am convinced we are facing a potential crisis in law
enforcement if we lose the capability to conduct court authorized taps.  The
economic value alone of conducting lawful electronic surveillance is estimated
in the billions.  Much of this is related to organized crime.

Larry Hunter asked how can we be sure that the key centers won't collude with
the Department of Justice and give out the key.  If the relationship between
the phone companies and DOJ is any indication, this won't happen.  The folks at
the phone companies are so fussy about court orders that they send them back if
the semicolons aren't right.  And don't forget that even if the key center
(which I envisioned as a non-governmental agency) and DOJ collude, they still
need to get the bit stream from the phone companies.  But if this doesn't
satisfy you, Silvio Micali has an even tighter scheme that would allow your
private key to be broken up into five pieces and shared with 5 trustees.  All
five pieces would be needed to restore the key, but the pieces could be
verified as allowing proper restoration without the need to actually put them
together.  He calls this "fair public-key cryptosystems."
                                                            Dorothy Denning

Brint's Reply:

  Date:     Mon, 2 Nov 92 23:38:32 EST
  From:     Brinton Cooper  <abc@brl.mil>
  To:       denning@cs.cosc.georgetown.edu
  Subject:    15th National Computer Security Conference 


In Risks-digest, you write (in part):


 . ...I am convinced we are facing a potential crisis in law
 . enforcement if we lose the capability to conduct court authorized taps.  The
 . economic value alone of conducting lawful electronic surveillance is estimated
 . in the billions.  Much of this is related to organized crime.
 . 
 . Larry Hunter asked how can we be sure that the key centers won't collude
 . with the Department of Justice and give out the key.  If the
 . relationship between the phone companies and DOJ is any indication, this
 . won't happen.  The folks at the phone companies are so fussy about court
 . orders that they send them back if the semicolons aren't right.  And
 . don't forget that even if the key center (which I envisioned as a
 . non-governmental agency) and DOJ collude, they still need to get the bit
 . stream from the phone companies.  But if this doesn't satisfy you,
 . Silvio Micali has an even tighter scheme that would allow your private
 . key to be broken up into five pieces and shared with 5 trustees.  All
 . five pieces would be needed to restore the key, but the pieces could be
 . verified as allowing proper restoration without the need to actually put
 . them together.  He calls this "fair public-key cryptosystems."

First, I should hate to think that my right to safety from illegal
search and seizure and/or illegal eavesdropping on my telephone
conversations rested on the good will and integrity of a phone company!

Second, it's difficult to envision a non-governmental agency, created by
the government but not really government.  The Post Office purports to
be a non-governmental agency but isn't.  Its employees still look and
act like US Civil Servants, and the P.O. can easily conduct a "mail
cover" for a governmental agency without a court order.

You must remember that court orders, search warrants, and the like are
useful only when the information or evidence gathered under their aegis
is to be used in court against a suspect.  If information is being
gathered for political purposes, to blackmail someone, or to subvert the
law (Watergate, Iran-Contra, the Italian bank, etc), the information
will never see a public forum.  Thus, the constraints of court orders
are obviated.

The FBI needs to fund its own R&D out of its budgetary resources, just
as the rest of the government at all levels must do.  There is talent
that can "red team" modern telecommunications and find trapdoors when
necessary.

You must never forget that the gravest threat to our freedom is, and
always has been, government itself.  

_Brinton Cooper
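
[Added example, not part of the original digest or of either correspondent's text: a minimal sketch of how a private key can be split into five pieces that are each checkable without being combined, as Denning's letter describes. It uses additive shares of a discrete-log key with public commitments. The toy group parameters and all function names are assumptions of this example.]

```python
"""Verifiable 5-of-5 splitting of a discrete-log private key (toy parameters)."""
import secrets

# Constructed toy group: P = 2*Q + 1 with P, Q prime; G has order Q.
# Far too small for real use; chosen so the arithmetic is easy to follow.
P, Q, G = 2039, 1019, 4


def keygen():
    """Return (private x, public y = G^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def split_key(x, n=5):
    """Split x into n nonzero additive shares mod Q, plus commitments G^share."""
    while True:
        shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n - 1)]
        last = (x - sum(shares)) % Q
        if last != 0:  # redraw so that every piece is genuinely required
            shares.append(last)
            break
    commitments = [pow(G, s, P) for s in shares]
    return shares, commitments


def trustee_verify(share, commitment):
    """Run by one trustee alone: does my private piece match its commitment?"""
    return pow(G, share, P) == commitment


def commitments_match_key(commitments, y):
    """Run by anyone: commitments multiply to y, so the pieces sum to the key."""
    product = 1
    for c in commitments:
        product = (product * c) % P
    return product == y


def recover(shares):
    """Combine the pieces; leaving any one out yields a wrong key."""
    return sum(shares) % Q


if __name__ == "__main__":
    x, y = keygen()
    shares, commitments = split_key(x)
    print("each trustee accepts:", all(map(trustee_verify, shares, commitments)))
    print("public check passes: ", commitments_match_key(commitments, y))
    print("five pieces recover: ", recover(shares) == x)
    print("four pieces recover: ", recover(shares[:4]) == x)
```

The two checks together are what let the pieces be "verified as allowing proper restoration": each trustee tests only its own piece, and the public product test ties the five commitments to the registered public key.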



------------------------------

From: Chris Nelson <nelsonc@colossus.cs.rpi.edu>
Subject: SSN for study room
Followup-To: comp.society.privacy 
Organization: Rensselaer Polytechnic Institute, Troy, NY
Date: Tue, 3 Nov 1992 05:27:44 GMT
Apparently-To: comp-society-privacy@cis.ohio-state.edu

Today, I planned to meet a friend at the library to study.  So that we
wouldn't disturb others, I stopped at the front desk to reserve a
study room.  The form I was given had a blank for "SSN".  

I know that RPI uses the social security number as a student ID for
most non-foreign students and am accustomed to the staff's failure to
distinguish between SSN and student ID number (a rather non-PC,
non-multicultural affront to our guests, I'd say).  To combat this
failure, I make a point of asking anyone who asks for my "soc"(ugh!)
if what they want is my student ID number.  

In this case, I was told that, no, what they needed was my SSN as that
was what the Bursar billed by and they considered that number security
against damage to the room, failure to return the key, etc.  Setting
aside, for the moment, the fact that I could trash a large part of the
library outside the study rooms without giving anyone my student
number (or any other form of ID), WHY ON EARTH SHOULD I HAVE TO GIVE A
LIBRARIAN MY SOCIAL SECURITY NUMBER TO STUDY WITH A FRIEND IN THE
LIBRARY?!?

If you read this on rpi.general, I'm very interested in your comments.
If you read this on c.s.p, it's a flame or an anecdote as you wish to
interpret it; I'm sorry if I'm wasting bandwidth (and I guess I'd
welcome your comments, too).

                                  Chris


-- 
 ------------------------------+----------------------------------------------
Chris Nelson                  |  Rens-se-LEER is a county.
Internet: nelsonc@cs.rpi.edu  |  RENS-se-ler is a city. 
CompuServe: 70441,3321        |  R-P-I is a school in Troy!

------------------------------

Date: Tue,  3 Nov 92 11:02:04 EST
From: Douglas Monroe <dwm@pruxl.att.com>
Subject: "Privacy For Sale" and information/advice (long)
Organization: AT&T


I have just finished reading a book titled "Privacy for Sale" by
Jeffrey Rothfeder Simon & Schuster 1992 ISBN 0-671-73492-X
regarding the demise of privacy in the age of the computer. The
ease with which personal finance, medical histories, credit, etc.
information is obtained, by practically anyone with the time and/or
money to find out, is truly alarming. The lack of protection by
the laws of this country is perhaps even more alarming.

While the author does a good job of narrating the abuses of private
information and introductions of the people and organizations who
profit from our personal tidbits, he misses the mark when it comes
to instructing people on what to do to protect themselves from such
abusers. Many organizations are mentioned but no addresses or phone 
numbers are given. Mr. Rothfeder, at the end of the book, gives us 
some helpful but lacking advice. In an effort to expound on his
advice I have put together some additional information which I
thought might be helpful to those interested in inquiring about the
quality and quantity of information held on you personally. I would
whole heartedly recommend the book for all consumers to read and
use this information to protect yourself in the absence of
governmental protection against data abuse.

Below paraphrased from pages 207-208 (without permission)
with my comments added:

--> Get a copy of your credit report and check it for inaccuracies
and evidence of unauthorized snoopers.


TRW
P.O. Box 2350
Chatsworth, California 91313-2350
Cost: 1 free report per year
Procedure: In writing only
Phone:(800) 392-1122 

Equifax 
PO Box 740241
Atlanta, GA  30374-0241.  FAX request to: (404) 612-2668
Cost:$8.00 (Maryland +$5.00, ME & MT +$3.00)
Procedure: Write or fax
Phone:(800) 685-1111

Trans-Union
25249 Country Club Blvd,
P.O.Box 7000, North Olmsted OH 44070.
Cost: ?
Procedure: ? I presume in writing
Phone:(216) 779-7200

All must have the following information to respond to your
request--

  1. Full name including middle initial
  2. Spouse name,  (if you have one.)
  3. Home address.
  4. Year of Birth.
  5. Social Security Number (They must have this)
  6. Verification of your address (copy of Driv. license or a bill with
     the address clearly indicated).

-->Don't share personal information with anyone who does not have
the right to see it. Don't write SS# or phone #, address, credit
card numbers if it is not appropriate to do so. Don't provide this
info over the phone to unknown callers.

no argument here.


--->If you don't want junk mail notify credit reporters, credit
grantors, and the Direct Marketing Assoc. that you would like to
be removed from their mailing lists.

See addresses above for credit reporters, write to your credit card
providers, and Direct Marketing Assoc. 11 West 42nd St. NY, NY
10163-3861. Also ask to be removed from the telephone preferences
list while you're at it.


---> Strike back when somebody has invaded your privacy. Notify the
offending party that you're outraged and won't do business anymore.
Tell the tale to anyone with media power--Congressmen, Bankers
Assoc., AMA, FTC, BBB, and newspapers.

---> Notify licensing officials if you learn that a private
investigator has inappropriately gained information about you.

A few more points mentioned:
-->The Physicians Computer Network in Laurence Harbor, NJ is providing 
free PC's to many physicians. PCN requires that they always be
connected to the network so they can "scour the patient records of
the M.D.s looking for interesting tidbits, and pull data for
marketing lists" Page 193 

Ask your physician if she/he subscribes to this network and avoid
them if they do. 

-->The Medical Information Bureau (MIB) is a vast databank
containing the summaries of health conditions for more than 12
million Americans. Insurance underwriters scan MIB files to decide
how much to charge for a policy, or whether to even issue the
policy. Page 184

Obviously, inaccurate data can be extremely harmful. Call MIB to
get a form to request that they disclose your medical records to
you (or your physician) not that much can be done to correct errors

Medical Information Bureau
PO Box 105
Essex Station
Boston MA  02112
617 426-3660 follow instructions on voice mail.


Two more things:

Write to the FBI to inquire about National Crime Information Center
(NCIC) and Uniform Crime Reporting (UCR) records they might be
maintaining on you.

Federal Bureau of Investigation 
F.O.I.P.A Section		(Freedom of Inf./Privacy Act)
J.Edgar Hoover Bldg
9th and E Streets NW
Washington, DC  20535
Phone 202 324-5520
Procedure: Provide Full Name, Date of Birth, Place of Birth, Address
           Request must be signed *and* notarized!

Go to your local library or buy the book, read it, then
WRITE YOUR CONGRESSPERSON! tell them you are appalled
at the lack of data privacy in America. Tell them you demand that
they support legislation such as the proposed Data Protection Board 
(not yet out of committee) to protect us from information abusers! 

Disclaimer: no connection whatsoever with the author of the
referenced book.
-- 
                                                          Doug Monroe
                   				       dwm@pruxl.att.com
  						 or   monwel@cbnewsk.att.com

------------------------------

From: Stephen M Jameson <sjameson@fergie.dnet.ge.com>
Subject: Re: SSN and unique IDs
Date: 3 Nov 92 12:05:17
Organization: General Electric Advanced Technology Labs
Reply-To: sjameson@atl.ge.com

In article <comp-privacy1.93.8@pica.army.mil> nelsonc@deneb.cs.rpi.edu (Chris Nelson) writes:
>
>A scenario: NIST standardizes such an algorithm (perhaps with some
>local parameters so that a third party with my SSN and a company's FID
>_still_ couldn't get my ID) and use of it becomes compulsory as use of
>SSNs by private entities becomes illegal; phased in over a 4-5 year
>period, perhaps.
>

I know that "privacy" as used in this newsgroup usually refers to
specific kinds of privacy, but doesn't the whole idea of "use of it
becomes compulsory" and "becomes illegal" denote government violation
of privacy on the part of the individuals who are not compelled or
prohibited from taking certain actions?

--
Steve Jameson                           General Electric Aerospace 
sjameson@atl.ge.com                     Advanced Technology Laboratories
                                        Moorestown, New Jersey              
****************************************************************************
**  . . . but I do not love the sword for its sharpness, nor the arrow    **
**  for its swiftness, nor the warrior for his glory.  I love only that   **
**  which they defend . . .                                               **
**    -- Faramir, "The Two Towers"                                        **
****************************************************************************

------------------------------

From: Stephen M Jameson <sjameson@fergie.dnet.ge.com>
Subject: Re: ssn and traffic tickets
Date: 3 Nov 92 12:07:59
Organization: General Electric Advanced Technology Labs
Reply-To: sjameson@atl.ge.com

In article <comp-privacy1.94.5@pica.army.mil> bsc835!ehunt@uunet.uu.net (Eric Hunt) writes:
>In Alabama, your SSN is printed on your driver's license. It's *not* the
>DL#, but it is printed on the card itself.
>
>How many other states also have the SSN printed on the license?

Delaware does.

--
Steve Jameson                           General Electric Aerospace 
sjameson@atl.ge.com                     Advanced Technology Laboratories
                                        Moorestown, New Jersey              
****************************************************************************
**  . . . but I do not love the sword for its sharpness, nor the arrow    **
**  for its swiftness, nor the warrior for his glory.  I love only that   **
**  which they defend . . .                                               **
**    -- Faramir, "The Two Towers"                                        **
****************************************************************************

------------------------------

From: zoltan egyed <egyed@lns62.tn.cornell.edu>
Subject: Re: ssn and traffic tickets
Reply-To: EGYED@lns62.tn.cornell.edu
Organization: Wilson Lab, Cornell U., Ithaca, NY, 14853
Date: Thu, 5 Nov 1992 00:30:35 GMT
Apparently-To: comp-society-privacy@uunet.uu.net

In article <comp-privacy1.94.5@pica.army.mil>, Eric Hunt <bsc835!ehunt@uunet.uu.net> writes:
>> In article <comp-privacy1.92.6@pica.army.mil> fns-nc1!fns-nc1.fns.com!vib@concert.net (Victor Bur) writes:
>> As for traffic tickets, I don't think it's illegal to forget your SSN
>> and to not have it written down anywhere handy.  Just tell the cop he
>> will have to forgive your traffic infraction because your SSN is not
>> available.
>
>In Alabama, your SSN is printed on your driver's license. It's *not* the
>DL#, but it is printed on the card itself.
>
>How many other states also have the SSN printed on the license?
>---
>Eric Hunt                     | bsc835!ehunt@uunet.uu.net (preferred)
>Birmingham-Southern College   | eric.hunt@the-matrix.com
>Birmingham, Alabama 35254     |          ^--- Nothing longer than 100 lines
>
>
It's on my Tennessee driver license, called as "audit number". :-((((((

  Zoltan


------------------------------


End of Computer Privacy Digest V1 #096
******************************