Date:       Tue, 27 Apr 93 17:03:28 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V2#038

Computer Privacy Digest Tue, 27 Apr 93              Volume 2 : Issue: 038

Today's Topics:				Moderator: Dennis G. Rears

                      New Disclosures in 2600 Case
                       SSN for Health Identifier
                              Clipper Chip
                      Re: electronic mail privacy
                                Re: SSN
                                Clipper Chip
                    Re: SSN on college applications?
                      Re: Credit card application
                      Re: Credit card application

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

Organization: CPSR Civil Liberties and Computing Project
From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Sun, 25 Apr 1993 9:43:32 EST    
Subject: New Disclosures in 2600 Case

  New Disclosures in 2600 Case


        As you may recall, last November at a shopping mall outside of
Washington, DC, a group of people affiliated with the computer magazine
"2600" was confronted by mall security personnel, local police officers
and several unidentified individuals.  The group members were ordered to
identify themselves and to submit to searches of their personal property.
Their names were recorded by mall security personnel and some of their
property was confiscated.  However, no charges were ever brought against
any of the individuals at the meeting.
 
        Computer Professionals for Social Responsibility ("CPSR") filed
suit under the Freedom of Information Act and today received the Secret
Service's response to the FOIA lawsuit, in which we are seeking agency
records concerning the break-up of the meeting.  I think it's safe to say
that our suspicions have now been confirmed -- the Secret Service *did*
obtain a list of names from mall security identifying the people in
attendance at the meeting.
 
        There are three main points contained in the Secret Service's
court papers that are significant:
 
        1) The agency states that the information it possesses
concerning the incident was obtained "in the course of a criminal
investigation that is being conducted pursuant to the Secret
Service's authority to investigate access device and computer fraud."
 
        2) The agency possesses two relevant documents and the
information in those documents "consists solely of information
identifying individuals."
 
        3) The information was obtained from a "confidential source,"
and the agency emphasizes that the FOIA's definition of such a source
includes "any private institution which provided information on a
confidential basis."
 
        Taken together, these facts seem to prove that the Secret
Service wanted names, they had the mall security people collect them,
and they came away from the incident with the list they wanted.
 
        The agency asserts that "[t]he premature release of the
identities of the individual(s) at issue could easily result in
interference to the Secret Service's investigation by alerting these
individual(s) that they are under investigation and thus allowing the
individual(s) to alter their behavior and/or evidence."
 
        CPSR, in conjunction with EFF and the ACLU, is planning to
challenge the actions of the mall security personnel, the local
police and the Secret Service on the ground that the incident
amounted to a warrantless search and seizure conducted at the
behest of the Secret Service.
 
 
David Sobel
CPSR Legal Counsel
dsobel@washofc.cpsr.org



------------------------------

Date: Sun, 25 Apr 93 11:27:21 MDT
From: "Kevin S. McCurley" <mccurley@cs.sandia.gov>
Subject: SSN for Health Identifier


I just returned from the 9th annual Conference on Computerized Medical
Records, and discovered that the President's task force on Health Care
Reform is very likely to adopt the Social Security Number (SSN) as a
patient identifier for electronic medical records.  The Computer-based
Patient Record Institute (CPRI) and others are apparently in
substantial agreement with this, so that it now appears there is very
little political will to fight it.  

I believe strongly that this is a mistake.  I am aware of several
potential problems in using this as a standard, but I am interested in
soliciting further comments on this subject.  I am particularly
interested in potential threats from the private sector rather than
the government, since I think that they carry more political weight
and I have less documentation for them.  Some problems I foresee:

1.  the government may use it as a means of tracking down tax dodgers, 
    illegal aliens,  deadbeat dads, delinquent student loans, etc, 
    discouraging these  people from seeking appropriate health care.
2.  many people have multiple SSNs, 
3.  a large group of people (in excess of 10,000 I am told) all use the
    same SSN (it was printed in a certain brand of wallet as a sample!),
4.  It is tied to credit reports,
5.  it is available to issuers of credit cards,
6.  it does not cover legitimate foreign visitors to our country,
7.  it is printed on driver's licenses in most states, making it difficult
    to protect from unauthorized linkage to virtually every other 
    identification encounter.

If you have comments on these or other potential problems, please send
them to mccurley@cs.sandia.gov, and use the string "SSN" in the
subject line.  I am desperately seeking documented evidence rather
than anecdotal evidence.  Any references to specific cases are greatly
appreciated.

Kevin S. McCurley
Sandia National Laboratories

------------------------------

Date: Sun, 25 Apr 93 18:17:58 -0700
From: "Glenn S. Tenney" <tenney@netcom.com>
Subject: Clipper Chip

I received a fax of a letter from Representative Markey (Subcommittee on
Telecommunications and Finance) to Ron Brown (Secretary of Commerce). 
Since encryption and the Clipper chip are raised in this letter, I felt it
would be of interest to you.  I understand that on 29 April, Mr. Markey
will be holding a hearing on the questions raised in this letter.  There
may also be a follow-on hearing dedicated to the clipper chip, but that's
not definite.

I'm sending this to a few people (via BCC) and to a few mailing lists
(listed in the TO line) related to privacy, encryption, clipper chip, etc. 
I'll also be posting this to the sci.crypt and alt.clipper newsgroups. 
Because of the traffic on some of the mailing lists, if you have a comment
for me you should email directly to me.

I've typed in the letter, which follows.  Any errors in transcription are
mine...

---
Glenn Tenney
tenney@netcom.com            Amateur radio: AA6ER
Voice: (415) 574-3420        Fax: (415) 574-0546


 ------------------ letter of interest follows ----------------

April 19, 1993

The Honorable Ronald H. Brown
Secretary
Department of Commerce
14th and Pennsylvania Ave., NW
Washington, DC 20236

Dear Secretary Brown:

   As you know, I have long been interested in the privacy and security of
telecommunications transmissions and data in a networked environment. 
Recent reports concerning the Administration's endorsement of an electronic
encryption standard, based upon "clipper chip" technology, have raised a
number of related issues.  The international competitiveness of U.S. high
tech manufacturers and the software industry is a key factor that the
government should consider when addressing issues of encryption and data
security.  As the nation moves forward in developing the national
communications and information infrastructure, security of
telecommunications transmissions and network data will be an increasingly
important factor for protecting the privacy of users.

   The "hacker" community can compromise the integrity of
telecommunications transmissions and databases linked by the network.  The
people and businesses that use the nation's telecommunications network and
the personal computers linked through it increasingly are demanding that
information be protected against unauthorized access, alteration, and
theft.

   I am concerned that the Administration's plan may mean that to remain
competitive internationally, U.S. companies would be compelled to develop
two products -- one for U.S. government customers, and another for private,
commercial users who may want a higher encryption standard.  This may
inadvertently increase costs to those U.S. companies hoping to serve both
markets.  To assist the Subcommittee's analysis of this issue, please
respond to the following questions:

1. Has the encryption algorithm or standard endorsed by the Administration
been tested by any entity other than NSA, NIST or the vendor?  If so,
please identify such entities and the nature of testing performed.  If not,
please describe any plans to have the algorithm tested by outside experts
and how such experts will be chosen.

2. Under the Administration's plan, what entities will be the holders of
the "keys" to decrypt scrambled data?  What procedures or criteria will the
Administration utilize to designate such key holders?

3. Does the encryption algorithm endorsed by the Administration contain a
"trap door" or "back door," which could allow an agency or entity of the
Federal government to crack the code?

4. It is clear that over time, changes in technologies used for
communications will require new techniques and additional equipment.  How
will encryption devices adapt to the rapid advancement of
telecommunications technology?

5. What additional costs would the proposed encryption place on the Federal
government?  What is the estimated cost to consumers and businesses which
opt for the federal standard in their equipment?

6. What is the Commerce Department's assessment of the competitive impact
of the Administration's endorsement of the "clipper chip" technology on
U.S. exports of computer and telecommunications hardware and software
products?

   I would appreciate your response by no later than close-of-business,
Wednesday, April 28, 1993.  If you have any questions, please have your
staff contact Colin Crowell or Karen Colannino of the Subcommittee staff at
(202) 226-2424.

Sincerely,

Edward J. Markey
Chairman

###


------------------------------

From: "Paul J. Bell" <pjb@23kgroup.com>
Subject: Re: electronic mail privacy
Organization: The 23K Group, Inc.
Date: Sun, 25 Apr 1993 18:41:39 GMT

In article <comp-privacy2.36.6@pica.army.mil>, Erini Doss <erini@enterprise.ifp.uiuc.edu> writes:
|>  I need to find out any information possible about
|> electronic mail at the workplace.  For example, when
|> a person writes for social reasons, does his manager
|> have the right to read it anytime?  Is the employees'
|> e-mail considered company property or is it considered
|> the employees?  Is there anything that the company
|> considers not theirs or is it considered theirs as
|> long as the person is doing it during work hours? 
|> What about during lunch breaks?  What about super-
|> users?  When do companies feel that they have the
|> right to read anyone's mail and who can do it?
|> 
|> Please help, if you have any knowledge of cases at
|> companies or can recommend any info... I'm in
|> a bind research paper is due in less than a 
|> week!! But, please don't send over any irrelevant
|> material!!
|> 
|> e-mail address is erini@enterprise.ifp.uiuc.edu
|> 
|>   
|> 
Most companies that I have been associated with, and that is a large
number, as an employee or consultant, consider that inasmuch as they
own the equipment, the software and the networks, and since they pay
you to do a specific job, they own all of the data that resides in any
and all computers, disk, tapes, etc. This same policy also extends to
other forms of data storage such as papers that you write, the contents
of your office and/or desk and file cabinets. They have the right to
plunder your desk as well as any computer data that is maintained on
their systems or transits their networks. They  also have the right to
monitor and record your voice communications paths. This monitoring of
voice traffic and in some cases your keyboard traffic requires, in some
states (calif comes to mind) prior notification.

Note that I am not saying that I agree or disagree with these policies,
but as an executive/officer in some large firms, I know that these are
indeed the policies in such diverse businesses as airlines and
financial services firms.



Hope this helps....

	paul

------------------------------

From: Mitch Collinsworth <mkc@graphics.cornell.edu>
Subject: Re: SSN
Date: 26 Apr 1993 11:34:06 -0400
Organization: Cornell University Program of Computer Graphics

In <comp-privacy2.34.3@pica.army.mil> "Keith F. Lynch" <kfl@access.digex.com> writes:

>In article <comp-privacy2.33.3@pica.army.mil> fec@arch2.att.com writes:
>> The court system further explained in the summons package that jurors
>> are selected, in part, from drivers license files and that drivers
>> license numbers are used to differentiate people with the same name
>> living at the same address.

>Does this mean we are no longer guaranteed the right of jury by our
>peers, but now have a right of jury by drivers?

>That will be really reassuring to cyclists who get in legal cases
>against malicious or incompetent drivers.

Implementation of juror solicitations is, I assume, left up to the
various courts.  In my county, they use drivers licenses, voter
registrations, and one other database, which I can't recall at the
moment.

-Mitch Collinsworth
 No junk mail, please.

------------------------------

Date:         Mon, 26 Apr 93  10:24:45 EDT
From:         David Carroll <BDCARRD1%BUDGET@cunyvm.cuny.edu>
Subject:      Clipper Chip

I've been very disappointed by the discussion that I've seen in this
group concerning the proposed Clipper Chip. Most of this discussion
has been a review of the technology of that chip and how it might
be implemented. A few posters, especially Fred Baube, have dealt with
the threshold question - is it for government to say whether I may
conceal the meaning of my communications, whether spoken, written,
or electronic? The Fourth Amendment and the Fifth Amendment are
meaningless if we waive our rights and blindly trust government power.
Even with a legal, warranted search, the government is not guaranteed
that it will succeed in finding what it wants, and the protection
against self-incrimination provides that we may not be compelled to
tell them how to find it. Electronic communication must be just as
secure. If I encrypt my own correspondence and only my addressees can
decrypt it, the government will have to do without that information.
Those tired, old arguments about the needs of law enforcement have been
used before to admit tainted evidence, to deny people representation,
and to make a mockery of the Bill of Rights. If you want to sell that
garbage, go to work for Ollie North trying to suspend our Constitution.
    Dave Carroll, NYS Div. of the Budget
    bdcarrd1@budget.bitnet     (or if path problems ...
    bdcarrd1%budget@cunyvm.cuny.edu
*****
* DISCLAIMER:
*    These views are only my own. You didn't seriously think
*    NEW YORK STATE paid me to have/express an opinion, did you?
*****


------------------------------

From: Dave <c-cat!david@uunet.uu.net>
Subject: Re: SSN on college applications?
Date: 26 Apr 93 14:51:47 GMT
Organization: Intergalactic Rest Area For Weary Travellers


jrf%b31.nihnei.dcrt.nih.gov@PICA.ARMY.MIL (Fidler, Justin) writes:

{> 
{> Often what I receive is a simple brochure with a business reply card.  On 
{> these reply cards, they often ask for quite a few things, notably SSN.  My 
{> question is this: should I include it, and if not, will it lower my chances 
{> with that college?  I wonder if a data-entry clerk who receives a card with a
{> blank area may just toss the card.  It is more important to me that I have a 
{> chance getting into a college than if my SSN is released.  
{> 
{> It should be noted that SATs are tracked by numerous keywords, the most 
{> common being SSN.
{> 
I am applying to a college (to get back to learn). I sent them a card
leaving off my ssn for more information.  I got a letter a few weeks
later saying due to my failure to include my SSN on the form, I would
not be added to the mailing list. They claim that SSN is used to avoid
duplicate mailings. (heh!) They could use a phone number and do better.

I was thinking of using a part of my phone number (this makes more sense
as an identifier number) or my zip code plus 4 (which is 9 digits, and
I think this would make a real neat ssn), but they ask for
home phone number and address zip on the form.  I just made up a ssn
starting with 759-xx-xxxx and shipped it off. I have yet to hear back
from them.

                                                       -David

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

China Cat BBS                               c-cat!david@sed.csc.com
(301)604-5976 1200-14,400 8N1               ...uunet!mimsy!anagld!c-cat!david 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

From: Brad Miller <miller@cs.rochester.edu>
Subject: Re: Credit card application
Organization: University of Rochester
Date: 27 Apr 93 13:48:44
Apparently-To: rutgers!comp-society-privacy


In article <comp-privacy2.34.8@pica.army.mil> Matthew B Cravit <cravitma@student.msu.edu> writes:

> I received a credit card application (some kind of student Visa/Mastercard),
> and in looking at the application, I see that they want to know:

>     My Resident Alien number (I am not a US citizen yet)
>     All sources of income and how much I make per week from each
>     My checking account NUMBER, bank and BALANCE
>     The account numbers of any credit cards I have and my monthly payments
>     The account numbers of any other bank accounts I have and their balances
>     Social security number

> Should I be wary of providing any of this? Do they have a reasonable right to
> my Mastercard and AmEx account numbers and checking balance?

This sort of question comes up so often in this group, I'm posting this
generally.

There is a distinct difference between being asked for the above
information (e.g. on a credit card application) and being required to
supply it (e.g. on an IRS or other government form). In the former case,
you don't have to fill out the application if you do not wish to
disclose. You have no "reasonable right" to a credit card, so the
(implied) point about forcing them not to receive your (eg) SSN is moot.

Note that this is distinct from telling them you are willing to be a
client, but only if you do not have to disclose, e.g. your SSN. That is
simply negotiation.

The other, much more important to privacy case is where you MUST
disclose information in order to comply with law. In other words, some
form of coercion is involved.

In your case, the only thing to ask yourself is do you think the
information you are giving is reasonable for the service you are
applying for, and are you willing to give the information. If the answer
to either question is "no", then either do not apply, or open
negotiations with the merchant/bank.




-- 
---- Brad Miller miller@cs.rochester.edu
Disclaimer: I disavow any support, or consent for the actions
            or existence of any so called government entity.


------------------------------



End of Computer Privacy Digest V2 #038
******************************