Date: Sat, 05 Dec 92 13:01:05 EST
Errors-To: Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From: Computer Privacy Digest Moderator <comp-privacy@PICA.ARMY.MIL>
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#107
Computer Privacy Digest Sat, 05 Dec 92 Volume 1 : Issue: 107
Today's Topics: Moderator: Dennis G. Rears
User-transparent encryption?
SSN (cont.)
Re: Phone Privacy: Call Records
Re: Phone Privacy: Call Records
Re: Phone Privacy: Call Records
Correcting Credit Reports
Radar Detector Prohibitions
PBX call records
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: Zoltan Egyed <egyed@lns598.tn.cornell.edu>
Subject: User-transparent encryption?
Date: 3 Dec 1992 13:21:34 -0500
Organization: Wilson Lab, Cornell U., Ithaca, NY 14853
As you probably all know, more than enough people have access to root
passwords. I am less than satisfied about the security of my mail,
calendar file, etc. The obvious answer is encryption. It requires the
user to decrypt/encrypt the file every time he uses it. Does anyone
know some trick in Unix (maybe using named pipes with the encryption
program) to counter this? Maybe the user could start up a program when
he logs in, it would take care of the encryption/decryption, and it
would be stopped before logout. If you have ideas about it, please
email to save bandwidth, I'll summarize. Thanks
Zoltan Egyed
[Moderator's Note: I know of nothing. Either you trust your
adminstrators or you don't. If a sysadmin wanted to read your mail it
would be easy for him to get copies of it when you send it or recieve
it. ._dennis ]
------------------------------
Date: Thu, 3 Dec 1992 14:50:53 -0500 (EST)
From: Eugene Levine <elevine@world.std.com>
Subject: SSN (cont.)
Please accept my respectful demurrer to several of the comments
posted on this list.
First, IMHO, no law-abiding person has any need for my
SSN. Some business institutions are required to report information
to government agencies for puposes specifically related to the Social
Security system. But why any business feels it has a "right" or "need"
to my SSN is beyond me.
If they want to contribute to my retirement fund, we can work out
suitable arrangements. If they want to id me positively, let them
use my driver's license, a medium without other intrinsic significance.
Second, while no store is required to accept checks from you,
it's quite a stretch to get from there to the idea they are somehow
doing you a "favor" by accepting your payment on a bank draft. They
have no "right" to your business, and if they won't accept your
check under reasonable conditions, they won't get your business.
Third, I do not agree that we should passively
accept as "inevitable" the use of the SSN as a universal
identifier. This is, after all, the US of A. The government remains
(at least nominally) in our hands, and if intrusive, excessive and unreasoned
beuracratization is seeping into our everyday lives, I feel it
it would be wise for us to oppose it sooner rather than later.
Finally, as many others on this list have done, I have dealt
with my state's Registry of Motor Vehicles on this subject.
Here in Massachusetts, it took a court case to prohibit the Registry
from requiring us to accept the SSN as our license number, and the local
offices still try to force it on you at renewal (the main office is aware of
the situation, does not try to ignore the law, and has several employees
who are themselves users of the "special number").
Queare: if this is such a non-issue, why does it stir such
strong emotions. It is not merely of interest to lawyers and computer
people - it is a general issue of broad appeal across the entire political
spectrum. If there is no unanimity about the issue, I at least suggest
there is widespread and deep interest in it.
And BTW - thanks to the moderator for allowing the issue to
run its full course out here in cyberland :-)
I don't think the telephone company "owns" your phone number. They have
obviously got certain rights in the number - but that's not like
"owning" a house or a trademark. They have the right to prevent
issuance of the same number to different customers in the same Area
Code (though I think the right of the customer to have exclusive use of
a number might be as strong as any interest the phone company has in
the number). Again, here in Massachusetts, it is possible - by dint of
regulatory decision - to opt out of the caller id system. I was told by
the New England tel representative that blocking the id worked on all
systems within their purview. It troubles me to know that Virginia does
not have to respect my desire for privacy in this regard. And she a
fellow "commonwealth" and guardian of freedom!
[Moderator's Note: It is the phone company's number. They can take it
away from you and give you another number. ._dennis ]
Gene Levine
elevine@world.std.com
------------------------------
From: Carl Oppedahl <oppedahl@panix.com>
Subject: Re: Phone Privacy: Call Records
Date: Thu, 3 Dec 1992 17:03:47 GMT
Organization: PANIX Public Access Unix, NYC
In <comp-privacy1.104.9@pica.army.mil> "Kip J. Guinn" <kguinn@diana.cair.du.edu> writes:
> Do phone companies keep records of local calls made from your telephone?
New York Telephone certainly does. Many other telephone companies do, too,
I'm sure.
>I have heard references to "phone records"--mostly in articles about
>someone being investigated by the police--and wonder if they meant
>local calls, or long-distance.
> I can see where long-distance calls would be in records, but do they
>actually keep logs on local calls made from each residential phone?
NYTel does.
>That would seem to be an awfully huge chunk of data...
Yes, which is why NYTel only keeps it for a couple of months.
>And a big
>invasion of my privacy, too! Caller ID is bad enough for some
>people--women's shelter's, etc-- and I don't like the fact that if I
>call to complain to the police, or a company, etc, that they know my
>home number (which I try to keep fairly private), but if local calls
>are routinely logged--heck, what do you do?
Here in New York, you can call up today and get a printout (for $2)
detailing all the local calls in the previous billing period. And you
don't have to have asked for this in advance -- which means they keep
track for _everybody_, all the time.
>[Moderator's Note: They do not keep track of the local numbers you
>call.
Here in NYC they do. But perhaps not all telcos do -- perhaps where you
live they do not.
>Most switches do have the capability to do so if there was a
>compelling need.
Yes, that's right. All ESS switches, which means all switches where
it is possible to get call waiting and equal access long distance
selection.
>You might disagree with the concept but that
>information belongs to the company not to you.
I figure that legally the answer to this question differs from state to
state. In New York, the state PSC has chosen to enact regulations about
this, putting strict limits on what the telco can do with the information.
>I hope the fact that
>medical records belong to the doctor and not to the patient doesn't
>surprise you. ._dennis ]
Er, ah ... again I think this varies from state to state. In New York
there is a law that the doctor must hand over a copy of the records upon
the patient's request. So the information, at least, is not owned by
the doctor, although I am prepared to grant that ownership of the
underlying paper lies with the doctor.
Carl Oppedahl AA2KW (intellectual property lawyer)
30 Rockefeller Plaza
New York, NY 10112-0228
voice 212-408-2578 fax 212-765-2519
------------------------------
Date: Thu, 3 Dec 92 15:36 PST
From: John Higdon <john@zygot.ati.com>
Reply-To: John Higdon <john@zygot.ati.com>
Organization: Green Hills and Cows
Subject: Re: Phone Privacy: Call Records
Hal Finney <ghsvax!hal@uunet.uu.net> writes:
> The question of whom calling information "belongs to" is not so
> simple. There is no holy writ from above that says the information
> about which phone calls I make belongs to the phone company and not to
> me.
There may not be "holy writ", but there are FCC Rules and Regulations
in addition to state utility commission rules. Unfortunately, the
proponderance of regulation dictates that call records belong to the
utility, who may do with them as they please. Ostensibly, they are for
the purpose of billing and traffic management, but until someone passes
applicable legislation (or makes rules to the contrary), you have
litte control over the data collected by your telco regarding the use
of your telephone.
It goes even further: a telco is REQUIRED to share such data with any
IEC to which it is connected. At that point, you have a jurisdictional
shift, since IECs are not necessarily governed by the same set of laws
and rules that apply to the LEC.
> Alternatively, if enough people feel that calling information should
> belong to them and not to the company, they could pass laws requiring
> phone companies to not keep individual calling records.
Don't count on this happening any time soon. "People" do not pass laws;
legislatures pass them. It is highly doubful that there would be any
meaningful groundswell of public outcry over the misuse of telco call
records that would sway congresscritters to bother with such a
non-issue. And it would have to be at the Federal level: as we have
seen time and again, state laws restricting any aspect of telephony
have little effect given that calls are easily transported out of state
and returned, making them "interstate commerce"--something over which
states have no control. (My 800 provides ANI on callers from PA just as
readily as from any other state, even though PA law prohibits such
things.)
> If you feel that information about
> the specific phone calls you make is and should be private, even
> though the phone company inherently learns this information in
> providing you with their business, you have every right to feel this
> way. And you have every right to take action to retain your privacy.
Yes, you may feel any way you wish. Whether there can be anything done
about this feeling is another matter. And you certainly have a right to
protect your privacy, although in this case (telco call records) I
seriously doubt that much will happen. To most people, including myself,
it is a non-issue. There are just so many things in this world that one
can get lathered about; for me and my house this is not one of
them.
> [Moderator's Note: I would welcome comments from John H. on what the
> phone company owns or doesn't. I am pretty sure they own you phone
> number too. ._dennis ]
As it stands, the phone company owns and has exclusive rights to your
call records (except as it is required to reveal them to other parties
as required by tariff), and telco "owns" your phone number as well.
--
John Higdon | P. O. Box 7648 | +1 408 264 4115 | FAX:
john@ati.com | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407
------------------------------
Apparently-To: nucsrl!uunet!comp-society-privacy
From: Kevin Mitchell <nucsrl!ddsw1.mcs.com!kam@uunet.uu.net>
Subject: Re: Phone Privacy: Call Records
Date: Fri, 4 Dec 1992 06:06:15 GMT
Organization: ddsw1.MCS.COM Contributor, Chicago, IL
Actually, Illinois Bell keeps track of local calls made. I pay $3
a month for the detail to be sent to me. It shows which of my phones
I made the call on, the number, band, date, time, and number of minutes.
I think you can even order these after the fact.
--
Kevin Mitchell -- kam@chinet.chi.il.us -- Chicago, IL
------------------------------
Date: Thu, 3 Dec 92 13:35:41 EST
From: "John DiLeo, CSB" <dileo@brl.mil>
Subject: Correcting Credit Reports
In Issue #105, Allen Warren writes:
>Amen to that! 2.5 years ago, my wife and I bought our first house.
>I had 3 reported delinquincies of less than $100 each which were reported
>to the credit bureau as being over 30 days late. 2 of them I had never
>known about until the credit report. Still, I had to take care of each
>one both by paying them off AND providing letters of explanation to the
>lending institution which eventually gave me the loan.
Keep in mind that paying an account off DOES NOT necessarily discontinue
the reporting of that account. Three years ago, I went through Bankruptcy
proceedings. Six months prior to filing, I had managed to pay off several
accounts, two of which had already been "charged off" (declared uncollectable
and claimed on their "uncollectables" insurance; yes, creditors ARE insured
against uncollectables, that's part of what your interest pays for). The two
accounts are still being reported EVERY MONTH as charged off, despite having
been paid in full.
Also, several accounts which were discharged under my Bankruptcy are still
being reported every month with their last status prior to my discharge.
Since accounts remain on your record for seven years from the last report
date (not the last ACTIVITY date, which would make sense), these items will
remain on my record indefinitely without expensive, time-consuming legal
action from me (continuing to report the account is harrasment and contempt
of court, but I have to SUE them, or at least convincingly threaten to do so,
to make them stop). Many creditors--most notably Sears--insist that the
reporting cannot be stopped, because "the computer does it automatically
each month."
While my situation certainly applies to less that 1% of this readership,
one should always keep in mind that logic DOES NOT APPLY to credit reports,
and it's always "the computer's" fault. I responded to this particular
message because most of my problems came to light when I bought a home last
year. The explanation package I had to provide was over 60 pages.
The basic heuristic which applies is:
1. Anything reported to a credit bureau, by any means, is added to the
person's record.
2. If the person complains that an entry is incorrect, ask the
creditor. If the creditor confirms the entry, IT IS TRUE. If the creditor
admits that the entry is incorrect, remove it/change it. The person may
enter an explanation regarding his disagreement with the creditor, but give
no assurance that it will remain in place.
3. If the same creditor later provides the same incorrect information,
put it back on the report, because IT MUST BE TRUE.
To summarize: If the creditor says it, ASSUME IT IS TRUE; if the debtor
says it, ASSUME IT IS NOT TRUE. Flawlessly logical, right? 8-(
--John DiLeo
dileo@brl.mil
------------------------------
Date: Thu, 3 Dec 92 13:36:25 EST
From: "John DiLeo, CSB" <dileo@brl.mil>
Subject: Radar Detector Prohibitions
In Issue #105, Paul Olson writes:
>Yea, radar detectors are illegal in VA. In fact, only VA and DC ban radar
>detectors. Personally, I wouldn't live in a state which says I can't own a
>radio receiver, not to mention that it's overbuilt, over crowded and you can't
>get anywhere on a Saturday because of traffic. If you're going to be working
>in DC, I'd look into moving to Maryland. But that's just my opinion.
Actually, I'm not so sure about DC. However, radar detectors are illegal
in Connecticut, and the presence of one in the passenger compartment of a
vehicle (including under the seat, unplugged) can (or at least once did)
carry a pretty hefty penalty. If one was permanently installed in another
state (the variety where the transceiver is behind the grill, and the control
unit is in the dash) you could only be ticketed if they believed it was
operating.
--John DiLeo
dileo@brl.mil
------------------------------
Date: Thu, 3 Dec 92 13:38:11 EST
From: "John DiLeo, CSB" <dileo@brl.mil>
Subject: PBX call records
In Issue #105, Eric Hunt writes:
>I know firsthand that the company I work for had to get a court order before
>they could unseal the call records from our internal PBX to find out what
>local numbers an employee had been calling. Long Distance numbers were no
>problem, but we couldn't touch the local records without court approval. And
>this is on our own PBX!
I believe this applies only to the records collected by the phone
company. If your employer installs its own SMDR, they can do whatever they
want with the records. Here at Aberdeen Proving Ground, the SMDR records
(for calls to any point outside the installation) are sent to our Division
Chiefs for their review, and possible punitive action, depending on their
opinion of your phone use.
Now, it may be that the Army can do this because we are advised that ALL
phone use is subject to monitoring AT ALL TIMES. We have been pre-warned
that we may assume no privacy with regard to phone use.
--John DiLeo
dileo@brl.mil
------------------------------
End of Computer Privacy Digest V1 #107
******************************