Date:       Tue, 04 Jan 94 11:21:16 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#013

Computer Privacy Digest Tue, 04 Jan 94              Volume 4 : Issue: 013

Today's Topics:			       Moderator: Leonard P. Levine

                   Interested in Privacy experiences
             Request for Information about UNABOM from FBI
                       GAO Data Matching Report
     Re: CBC Newsworld Documentary - US Communication Interception
                          ISSA Conference Info
               Re: Privacy with Credit Card Transactions
                       Re: Driver Protection Act

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: Lane Lenard <72621.2241@CompuServe.COM> 
Date: 01 Jan 94 17:50:36 EST 
Subject: Interested in Privacy experiences

I am working on a book on privacy issues, especially as they relate to
electronic communications and abuse of personal information in
databases. If you have had any personal experiences in these areas or
have knowledge of such experiences by others, including various forms
of eavesdropping, prying by government or private agencies, etc, I'd be
interested in hearing them. Please contact me via e-mail or leave a
message on the forum.

Thanks for your help.

Virtually yours,

Lane Lenard

------------------------------

From: "Vinton G. Cerf" <vcerf@CNRI.Reston.VA.US>
Date: Thu, 30 Dec 93 23:30:40 -0500
Subject: Request for Information about UNABOM from FBI

Folks,

I hope you will forgive my posting this to all Internauts but the
targets of these bombings are innocent people in academic and research
sectors, many of whom are Internet Society members and/or users of the
Internet.

 ------- Forwarded Message

These files also refer to a $1M reward.

The FBI would like to make you aware of its investigation concerning
the UNABOM case.  We have made the UNABOM information available to you
in the following ways:

   o Anonymous FTP:
        Host:       naic.nasa.gov
        Directory:  /files/fbi
        Files:      README
                    UNABOM-press-release.txt

        URL: ftp://naic.nasa.gov/files/fbi

   o Gopher:
        Type=1
        Name=F.B.I. Gopher
        Path=1/government-resources/fbi
        Host=naic.nasa.gov
        Port=70

        URL: gopher://naic.nasa.gov:70/11/government-resources/fbi

   o World Wide Web:

        URL: http://naic.nasa.gov/fbi/FBI_homepage.html


    The information presented on the Internet about the UNABOM
investigation has been made available publicly before.  Recent
electronic media presentations include: CBS's "Eye to Eye" with Connie
Chung (12/16/93), and Fox's "America's Most Wanted" (11/23/93).  Print
media stories about the UNABOM investigation have also appeared:
_Washington Post_ (11/27/93), _New York Times_ (10/7/93), etc.

    The purpose for submitting the information on the Internet is
two-fold.  First, the Internet is another medium that enables us to
reach as wide an audience as possible; to "spread the word."  Second,
Internet users are precisely the type of individuals that to date have
been recipients of explosive devices attributed to UNABOM; scholars and
researchers.

    You are not being asked to place yourself in harm's way.  You are
encouraged to come forward if you have information that might help
identify, arrest, and convict the person(s) responsible for these
bombings.  Contact the UNABOM Task Force at 1 (800) 701-2662.


William L. Tafoya
Special Agent, FBI
btafoya@orion.arc.nasa.gov

 ------- End of Forwarded Message

------------------------------

From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Mon, 3 Jan 1994 15:14:32 EST    
Subject: GAO Data Matching Report 
Organization: CPSR Washington Office

  GAO Data Matching Report
                          ONE HUNDRED THIRD CONGRESS

                         CONGRESS OF THE UNITED STATES
                            HOUSE OF REPRESENTATIVES

                       COMMITTEE ON GOVERNMENT OPERATIONS
                       2157 RAYBURN HOUSE OFFICE BUILDING
                           WASHINGTON, DC 20515-8143

           PRIVACY CONTROLS OVER COMPUTER MATCHING LARGELY IGNORED

                    Rep. Condit Releases New GAO Report


A new General Accounting Office (GAO) report found serious
deficiencies in implementation of the 1988 Computer Matching and
Privacy Protection Act.  The report was released today by Rep.
Gary A. Condit (D-CA), chairman of the Subcommittee on Information,
Justice, Transportation, and Agriculture.

Computer matching is the identification of similarities or
dissimilarities in data found in two or more computer files. Matching
is frequently used to identify delinquent debtors or ineligible
program recipients.  Computer matching has been criticized as an
invasion of privacy, and the Computer Matching and Privacy Protection
Act was passed to regulate the use of computer matching by federal
agencies.

In releasing the report, Rep. Condit said:  "Most federal agencies have
done a lousy job of complying with the Computer Matching Act.
Agencies ignore the law or interpret it to suit their own
bureaucratic convenience, without regard for the privacy interests
that the law was designed to protect.

"As a result, we don't have any idea when computer matching is a
cost-effective technique for preventing fraud, waste, and abuse. I
support reasonable computer matching that saves money.  But if we
are losing money, wasting resources, and invading privacy, then it
makes no sense.

"A broader issue is whether agencies can be expected to police their
own operations that affect the privacy of the average citizen.
Certainly OMB has done little to assist.  We may need a different
approach to overseeing federal privacy-related activities."

GAO found numerous problems with the implementation of the Act's
requirements.

Cost-Benefit Analyses:  The Act requires that matching programs include
an analysis of the costs and benefits of the matching.  One of the
purposes of the Act was to limit the use of matching to instances where
the technique was cost effective.  GAO found many problems with
implementation of this requirement, including poor quality or
non-existent analyses.  In 41% of cases, no attempt was made to
estimate costs or benefits or both.

In 59% of cases where costs and benefits were estimated, GAO found that
not all reasonable costs and benefits were considered; that inadequate
analyses were provided to support savings claims; and that no effort
was made after the match to validate estimates.

Data Integrity Boards:  The Act requires agencies involved in
matching activities to establish a Data Integrity Board to oversee the
process.  GAO found that the Boards were not providing full and earnest
reviews of proposed matches.  GAO did not find any instance in which a
Board permanently cancelled an ongoing matching program or refused to
approve a newly proposed one.

GAO did not find evidence that the requirements of the matching act
were used by the Boards to determine if a match should be approved. GAO
also found that the implementation of the new procedures does not
appear to have had major effects on the most important review process,
the decision to conduct the match.

GAO found that the Data Integrity Boards generally accepted agencies'
and states' cost-benefit analyses despite their "severe methodological
flaws and lack of documentation."  The documentation often failed to
show how costs and benefits were calculated or the time period for
expected savings.  Agencies rarely estimated the most significant
costs.

Overall, GAO found that the Data Integrity Boards provide less than a
full and earnest review of matching agreements to determine whether to
proceed with proposed matches, but rather a regularization of the
approval process.

The report is titled Computer Matching:  Quality of Decisions and
Supporting Analyses Little Affected by 1988 Act.  The report number is
GAO/PEMD-94-2, and the date is October 18, 1993. Copies can be obtained
[for free] from GAO by calling 202-512-6000.

------------------------------

From: charlesv@aupair.cs.athabascau.ca (Charles van Duren)
Date: 3 Jan 94 16:29:28 GMT
Subject: Re: CBC Newsworld Documentary - US Communication Interception

ua602@freenet.victoria.bc.ca (Kelly Bert Manning) writes:

>This aired Dec 28 on the broadcast CBC network and will be repeated at
>18:00 Pacific Time Sun/Jan/2 and 01:00 PST Mon/Jan/3 on the CBC
>Newsworld satellite/cable channel. "Satellite Entertainment Guide"
>lists this as KU-band channel 31 on the Anik E1 satellite, located at
>111 degrees west. This particular story takes up the last half hour of
>the hour long show.

[...specific case details omitted...]

>This leaves me with the impression that US spy agencies would quickly
>find themselves with a full set of Skipjack/Clipper keys for use
>outside the US without specific authorization if the proposals were
>ever implemented. These keys would be used to routinely monitor any
>communications that could be intercepted.

About two weeks ago CBC Prime Time did a feature on war crimes in
Bosnia, specifically on the possibility of prosecuting the higher-ups
who gave the orders. The interviewer confronted Serbian leader Slobodan
Milosevic with verbatim evidence, implicating Serbian leadership in war
crimes committed by Serbian irregulars, which he said came from
satellite transmission intercepts.

I believe from what I've read that the US gov't also had very reliable
knowledge about the August attempted coup in Moscow.

No electronic communication is safe from prying eyes. Get used to it.

------------------------------

From: davelenef <davelenef@aol.com>
Date: Wed, 29 Dec 93 18:18:58 EST
Subject: ISSA Conference Info

Attention information security professionals.

The Information Systems Security Association (ISSA) is holding its 11th
Annual Conference and Trade Show March 13-17, 1994, at the Fairmont
Hotel, San Francisco, Calif.

This info-security conference will feature 72 educational sessions
divided among the following tracks: Network, Distributed and
Client/Server, Management, Technical, Government/Legal, Audit,
Awareness, and Business Continuity. Major security vendors will exhibit
at the ISSA trade show. There will be a tour of Silicon Valley
corporations.

Addresses will be presented by Harry Saal (Network Data General -- the
Super Digital Highway), James Settle (FBI -- computer crime
investigation), and Gail Warshawsky (Lawrence Livermore -- computer
security awareness).

For an advance program, registration information, and ISSA membership
information, please contact ISSA Headquarters at 312/644-6610 x3410
(voice), or 312-321-6869 (fax). Mention where you saw this notice!

------------------------------

From: cristy@eplrx7.es.duPont.com (Cristy)
Date: Sun, 2 Jan 1994 15:50:45 GMT
Subject: Re: Privacy with Credit Card Transactions
Organization: DuPont Central Research & Development

In article <comp-privacy4.12.1@cs.uwm.edu> 
Justin Fidler <jfidler@cap.gwu.edu> writes:
>There was an interesting article in the Washington Post on 26 December
>1993 by Jane Bryant Quinn that discusses what information a consumer
>making a credit card purchase must provide.  Excerpts below:

When I went to pay by VISA at Staples (a Pep Boys company) they said
that they would not accept the card without a driver's license.  I
informed them that according to their merchants agreement with VISA
that they could not require additional ID.  The clerk stated it was
company policy. After a discussion with the manager and a few calls to
corporate they agreed to accept my card without an ID.  The total delay
was about 15 minutes.

I followed up by calling the store manager the next day and wrote a
letter to VISA and Staples.  VISA's reply was that Staples could not
require additional identification to use their card.  They said that
the Staples VISA account manager would investigate.  I did not receive
a reply from Staples so I sent another letter.  This letter also went
unanswered.  I then wrote to the newspaper, "Helping Hand."  They
published my letter and shortly after I received a reply from Staples.

They said that the policy of Staples is to ask for identification but a
sale may not be refused if a customer does not show identification.  I
also received a $20 gift certificate.  In the next few weeks I am going
to return to Staples and test their policy.  I will post a follow-up in
a week or two.

------------------------------

From: Sean Donelan <SEAN@SDG.DRA.COM>
Date: Tue, 4 Jan 1994 1:03:30 -0600 (CST)
Subject: Re: Driver Protection Act
Organization: Data Research Associates, St. Louis MO

In article <comp-privacy4.12.2@cs.uwm.edu>, 
geoff@ficus.CS.UCLA.EDU (Geoff Kuenning) writes:
> I'd be a *lot* happier with this bill if it prohibited selling lists
> entirely.  Otherwise it's a toothless sham.  Why does the DMV need to
> sell my name, anyway?  I can't believe it's going to be making a
> significant amount of money.  I doubt that mailing lists are worth a
> lot more than the per-name postage;  even if we assume $1.00 per name,
> that wouldn't even pay for my fancy new ha-ha-forgery-proof license
> with the hologram and mag stripe.

State driver and motor vehicle records are the best sellers of any
state information.  According to the Houston Chronicle, the Texas
Department of Public Safety made over $50 million last year.  Governing
magazine reported Georgia increased their sales of driver and motor
vehicle records by $16 million; more than paying for the improvements
they made to their computer systems to support this increased access.

Why does a state sell copies of driver records?

    - Driver records are "public records."
    - The information is given voluntarily with no reasonable
      expectation of confidentiality.
    - Driving is a public activity.  Public accountability of
      drivers improves public safety.
    - Open DMV records allow the public to verify fair and equal
      treatment of all drivers by the DMV.

I have several concerns.

    - What controls can the state place on the users of "public
      records?"
    - Is the state collecting the minimum amount of information and
      keeping it for the minimum amount of time required?
    - Is the information only used for the purposes stated when it was
      collected?
    - Does the state fully inform people what information is required
      or optional, how it will be used or shared, and what will happen
      if the information is not provided?
    - Is the state using privacy as an excuse to keep its own
      operations secret?
    - Is the state treating computerized records differently from paper
      records?

-- 
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Domain: sean@dra.com, Voice: (Work) +1 314-432-1100

------------------------------


End of Computer Privacy Digest V4 #013
******************************