Date:       Mon, 24 Jan 94 20:24:54 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#022

Computer Privacy Digest Mon, 24 Jan 94              Volume 4 : Issue: 022

Today's Topics:			       Moderator: Leonard P. Levine

               Private Info / Credit Reports over the net
                            SF-171s and SSNs
                        INMAC and lists for sale
                           Oceania & Privacy
                   Crypto Experts Oppose Clipper Chip
                        Re: Buckley Act Outrage
                        Re: Buckley Act Outrage
                        Re: Buckley Act Outrage
                     Re: Is PGP Really Uncrackable
                     Re: GTE and new Fed Compliance
                       Re: SSN on Payroll Checks
                       Re: SSN on Payroll Checks

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: ar826@yfn.ysu.edu (Hansel E. Lee Jr.)
Date: 22 Jan 1994 02:14:40 GMT
Subject: Private Info / Credit Reports over the net
Organization: Youngstown State/Youngstown Free-Net

I found the following posted on alt.internet.services.

I definitely don't like the idea of this type of information flowing
freely through the net..

Any comments on legality or ethics?  Is this appropriate?

 -----Forwarded Message Follows-------

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
		       Infotech Information Technologies
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Infotech is an Information Provider and we have recently begun
providing our services via the Internet. A partial list of some of our
services includes:

Individual Credit Reports * Business Credit Reports * Dun & Bradstreet
Pre-Tenant Background Check * SS# Locator Service * National Change of Addr
Difficult Phone Numbers * Nationwide Marriage, Divorce and Death Records
Criminal Records Search * Arrest & Convictions Records * Bank Acct Search
Real Property Search * Workers Comp Claims * Consumer Affairs Reports
Corporation Search * Tax Lien Search * Corp. Bankruptcy Search
Business Name Search * DMV Records * Registered Voter Search
Nationwide Warrants
				And MUCH MORE!

Most requests are turned around within 24-48 hrs (depending upon
complexity and depth of report needed). Reports can be delivered via
Internet, US Mail, Fax or Overnight. Infotech Adheres to the Fair
Credit Reporting Act.  Payment may be made via Visa, Mastercard or in
advance of services.

All information is kept in the strictest confidence and PGP delivery is
also available.

If you have questions or would like more information contact us at
infotech@fx.net

-- 
Hansel E. Lee Jr.                   hansel@freenet.fsu.edu
Standard Disclaimers Apply          PGP Public Key on Request

------------------------------

From: daf1@cec1.wustl.edu (Danyel A Fisher)
Subject: SF-171s and SSNs
Date: 22 Jan 1994 23:07:24 GMT
Organization: Washington University, St. Louis MO

I'm filling out SF-171s the next few weeks: I'm applying for summer
jobs.  The things want SSNs, of course.

Where is the 171 distributed?  Who sees it?  What databases get a look
at it?  Besides the federal job registry, of course, and the specific
point of employment ....  Any privacy problems here?  (Or am I just
looking too hard for a conspiracy?)

(While we're at it, BTW, anyone have public-domain SF-171-generating
programs?  :) )

-- 
Danyel Fisher           | YOUR  | "I think you should always laugh in
212 Beaumont		| AD    | bed -- people always laugh at me when
5-1849; Box 3142	| HERE! | I'm in bed."  Boy George
 ------------------------------------------------------------------------
| "Do not try to live forever.  You won't succeed."  -G.B.Shaw         |
 -------------------------------------------------------------------------

------------------------------

From: mike@camphq.fidonet.org (Mike Bray)
Date: Sun, 23 Jan 94 01:17:26 EDT
Subject: INMAC and lists for sale

Recently Paul Vixie posted a note about INMAC...

>today i got three copies of the INMAC catalogue, sent to myself and
two others at my address.  the others do not live here, but one of them
has an account on my internet-connected computer and posts a fair
number of netnews articles.<

Are you sitting down?  Get this...

from the November 22nd issue of DM News, page 41...

PC Operator List Names Electronic Bulletin Users

BETHEL, CT -- The new Electronic Bulletin Board Posters/Usenet file is
available from <name deleted>.

The selects include 100,000 users at business address, a 35,000-name
monthly hotline and 35,000 users at home address.

These PC operators post messages on electronic bulletin boards via the
Usenet public-access system.

Faculty and students at colleges/universities, employees in private
industry and personnel in government and the military communicate via
Usenet, submitting messages "with interest 'newsgroups' on a range of
subjects."

The list was compiled by Electronic Data Mining.  Contact your list
broker or <name deleted>.

>someone had to cross-reference "From:" field information against the
NIC's "whois" domain database to get the particular combination of
company name, street address, and user full name that was used on this
mailing label.<

Some one?  Nah...  some program.  :)

>I am outraged.  i'm going to call "Ken Campbell", the VP+GM of north
america, to try to find out where he bought this mailing list.<

You can call him if you like, and he may even tell you if you ask
nicely.  But from that article from DM News, we know at least one place
that does this...  Electronic Data Mining.

>I don't expect him to want to tell me, and since he has broken no laws
there's not a lot i can sue him for.<

You'd be surprised at the results you can achieve if you speak nicely to
folks.  And don't threaten him because then you'll get nowhere.

>the best i realistically expect is to cause him to stop buying this
particular mailing list in the interests of protecting inmac's public
image.<

I don't expect you'll convince him to stop buying [that] mailing
list[s].  Just give INMAC a call and ask to have all those names put
into their internal suppression file.  Also, send copies of each mailing
label to the DMA and get them into their suppression file as well.

>my immediate goal is to find the company that sold inmac the list, and
then ultimately trace it back to the people who created it, and then
try to talk some sense into them.<

Good luck!  <seriously>  I doubt you'll be able to convince them to
stop doing what they're doing, but maybe you can get them to add you to
their suppression file too.  ...or get them to create one if they don't
already have one.

>help?  how can i approach this issue?<

When you call these folks, just be nice.  You may just happen to speak
to the right person, and they might just tell you everything you want
to know.

--  
Mike Bray     mike@camphq.fidonet.org   (or)   ...!apple!camphq!mike

------------------------------

From: Oceania@world.std.com (Eric S Klien)
Subject: Oceania & Privacy
Date: Sun, 23 Jan 1994 23:40:00 GMT
Organization: The World Public Access UNIX, Brookline, MA

"D.The Right to Encryption: An Oceanian has the Right to encrypt eir
conversations and data. Such encryption cannot be used as evidence that
the Oceanian is doing something wrong or illegal. This Right extends to
all forms of information an Oceanian deems should be secure regardless
of format, whether paper, electronic, holographic or other, and
regardless of content.

An Oceanian has the Right to use any encryption algorithms or computer
software available. The Government may not restrict free trade in
encryption software by calling it "munitions"."

Did this info interest you?  Then it is time that you learned about the
new country Oceania, the sea-city in the Caribbean.

To receive more information by e-mail, send your e-mail address to 
oceania@world.std.com.

------------------------------

From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Mon, 24 Jan 1994 17:59:34 EST    
Subject: Crypto Experts Oppose Clipper Chip
Organization: CPSR Washington Office

  Crypto Experts Oppose Clipper

More than three dozen of the nation's leading cryptographers, computer
security specialists and privacy experts today urged President Clinton
to abandon the controversial Clipper encryption proposal.  The letter
was coordinated by Computer Professionals for Social Responsibility
(CPSR), which has long sought to open the issue of cryptography policy
to public debate.

The group cited the secrecy surrounding the proposal, widespread public
opposition to the plan and privacy concerns as reasons why the
initiative should not go forward.

The letter comes at a crucial point in the debate on cryptography
policy.  An internal Administration review of the issue is nearing
completion and the National Security Agency (NSA) is moving forward
with efforts to deploy Clipper technology in civilian agencies,
including the Internal Revenue Service.

CPSR has sponsored several public conferences on cryptography and
privacy and has litigated Freedom of Information Act cases seeking
the disclosure of relevant government documents.  In one pending FOIA
case, CPSR is challenging the secrecy of the Skipjack algorithm which
underlies the Clipper proposal.

For additional information, contact Dave Banisar, CPSR Washington, DC,
(202) 544-9240, <banisar@washofc.cpsr.org>.

=================================================================

January 24, 1994

The President
The White House
Washington, DC  20500

Dear Mr. President,

We are writing to you regarding the "Clipper" escrowed encryption
proposal now under consideration by the White House.  We wish to
express our concern about this plan and similar technical standards
that may be proposed for the nation's communications infrastructure.

The current proposal was developed in secret by federal agencies
primarily concerned about electronic surveillance, not privacy
protection.  Critical aspects of the plan remain classified and thus
beyond public review.

The private sector and the public have expressed nearly unanimous
opposition to Clipper.  In the formal request for comments conducted by
the Department of Commerce last year, less than a handful of
respondents supported the plan.  Several hundred opposed it.

If the plan goes forward, commercial firms that hope to develop new
products will face extensive government obstacles.  Cryptographers who
wish to develop new privacy enhancing technologies will be
discouraged.  Citizens who anticipate that the progress of technology
will enhance personal privacy will find their expectations
unfulfilled.

Some have proposed that Clipper be adopted on a voluntary basis and
suggest that other technical approaches will remain viable.  The
government, however, exerts enormous influence in the marketplace, and
the likelihood that competing standards would survive is small.  Few in
the user community believe that the proposal would be truly voluntary.

The Clipper proposal should not be adopted.  We believe that if this
proposal and the associated standards go forward, even on a voluntary
basis, privacy protection will be diminished, innovation will be
slowed, government accountability will be lessened, and the openness
necessary to ensure the successful development of the nation's
communications infrastructure will be threatened.

We respectfully ask the White House to withdraw the Clipper proposal.

Sincerely,

Public Interest and Civil Liberties Organizations

  Marc Rotenberg, CPSR
  Conrad Martin, Fund for Constitutional Government
  William Caming, privacy consultant
  Simon Davies, Privacy International
  Evan Hendricks, US Privacy Council
  Simona Nass, Society for Electronic Access
  Robert Ellis Smith, Privacy Journal
  Jerry Berman, Electronic Frontier Foundation

Cryptographers and Security Experts

  Bob Bales, National Computer Security Association
  Jim Bidzos, RSA Data Security Inc.
  G. Robert Blakley, Texas A&M University
  Stephen Bryen, Secured Communications Technologies, Inc.
  David Chaum, Digicash
  George Davida, University of Wisconsin
  Whitfield Diffie, Sun Microsystems
  Martin Hellman, Stanford University
  Ingemar Ingemarsson, Universitetet i Linköping
  Ralph C. Merkle, Xerox PARC
  William Hugh Murray, security consultant
  Peter G. Neumann, SRI International
  Bart Preneel, Katholieke Universiteit
  Ronald Rivest, MIT
  Bruce Schneier, Applied Cryptography (1993)
  Richard Schroeppel, University of Arizona
  Stephen Walker, Trusted Information Systems
  Philip Zimmermann, Boulder Software Engineering

Industry and Academia

  Andrew Scott Beals, Telebit International
  Mikki Barry, InterCon Systems Corporation
  David Bellin, North Carolina A&T University
  Margaret Chon, Syracuse University College of Law
  Laura Fillmore, Online BookStore
  Scott Fritchie, Twin-Cities Free Net
  Gary Marx, University of Colorado
  Ronald B. Natalie, Jr, Sensor Systems Inc.
  Harold Joseph Highland, Computers & Security
  Doug Humphrey, Digital Express Group, Inc
  Carl Pomerance, University of Georgia
  Eric Roberts, Stanford University
  Jonathan Rosenoer, CyberLaw & CyberLex
  Alexis Rosen, Public Access Networks Corp.
  Steven Zorn, Pace University Law School

     (affiliations are for identification purposes only)

------------------------------

From: atkinson@itd.nrl.navy.mil (Ran Atkinson)
Date: Sat, 22 Jan 1994 03:07:13 GMT
Subject: Re: Buckley Act Outrage
Organization: Naval Research Laboratory, DC

"Prof. L. P. Levine" <levine@blatz.cs.uwm.edu> writes:

>Can violations of the Buckley Act and dissemination of information in
student files be punished on a criminal basis? If so, who/where does
one complain?<

A friend I knew whilst in grad school once claimed that he'd
successfully gotten his high school to conform to the Buckley Amendment
by contacting the US Department of Education, Office of Civil Rights in
Washington, DC and presenting the facts to them.  The DoE apparently
told the school to either comply with the law or lose _all_ access to
federal funds.  The school reportedly then complied.

I would guess that the ACLU might be willing to help.  

------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: Fri, 21 Jan 94 22:37 EST
Subject: Re: Buckley Act Outrage

The anonymous university student who complained of a disclosure of
personal information by a professor may not get much help from federal
law -- the Buckley amendment.  It's not clear that records IN THE SOLE
POSSESSION OF A FACULTY OR STAFF PERSON are protected by the law.  The
student may be able to sue for invasion of privacy if the information
is sensitive enough and the reason for disclosure was not compelling.
The remedy under the Buckley Amendment is withholding of federal funds
to the university -- an unlikely event, although there is a private
right of action for an aggrieved individual IF the records held by the
professor fit the definition of education records in the law.

On the other hand, if these were educational records as defined by the
law, the law doesn't prohibit disclosure of the information to other
faculty or staff within the institution who "have a legitimate
educational interest" as defined by the institution.

BTW, how does one get access to Domain Name Service, or some other
directory of Internet addresses?  It was mentioned in the Digest
January 18.

Robert Ellis Smith, Privacy Journal

------------------------------

From: Haim Mendelson <FMENDELSON@GSB-LIRA.STANFORD.EDU>
Date: Sun, 23 Jan 1994 15:52:56 -0800 (PST)
Subject: Re: Buckley Act Outrage

I am a University Professor, not an attorney, but here is my
understanding of what the student can do.  Violating FERPA is not a
crime.  It may be grounds for administrative procedures against a
knowing violator, but I don't think this is a useful way to proceed.

It is the School's responsibility to follow FERPA.  Once a violation
has occurred, the student has three ways to proceed:

1. File a complaint with the US Department of Education. The Department
may theoretically stop all Federal support to the School, but in
practice they will simply have the School correct its procedures if
they investigate and find that a violation had occurred.

2. File a grievance with the School (virtually all Schools have
grievance procedures, and FERPA violations would typically fall within
their scope).

3. Initiate civil litigation that may result in the award of damages
and attorneys' fees to the student.

Typically, 1 and 2 must precede 3 (this is called "exhaustion of all
administrative remedies"), and 3 is costly and highly uncertain, so let
me focus on 1 and 2.

First, 1 and 2 are not mutually exclusive, and it may well be that the
School will take 2 more seriously if 1 has been filed, since the School
theoretically risks the loss of future Federal support.  The School
would certainly know that this risk is minimal, however.

To file with the US Education Department, the student has to write a
complaint alleging specific violations of FERPA, including all dates,
details, names and any supporting documentation, to:

Family Education Compliance Office
US Dept. of Education
400 Maryland Avenue
Washington, DC 20202

The student can only benefit by calling them first and discussing the
case and filing procedures with them.  The US Education Department's
general number is 1-800-572-5580.  They will not provide the student
any legal assistance, but they may be helpful.

With respect to 2, the student should check the School's grievance
procedures and follow them.  An alternative may be sending a letter to
the Chancellor/President including the complaint filed with the
Education Department and a cover letter saying that this is an official
grievance filed pursuant to the Campus grievance procedure and he is
asking the School to investigate.

If the student was damaged in a measurable way, he should consult an
attorney, since whatever he writes in the grievance will have an impact
on any future litigation.

Finally, the student should assume that there is an adversarial
relationship between himself and the institution, its attorneys, its
administrators etc. and not accept their "advice" at face value.

Good luck.

Haim Mendelson
Stanford University

------------------------------

From: Chuck Weckesser <71233.677@compuserve.com>
Date: 24 Jan 94 10:23:36 EST
Subject: Re: Is PGP Really Uncrackable

With regard to PGP, I would like to ask if anyone is familiar with a
line of security products made by a firm called Kent Marsh, Ltd.

I have purchased all of their security programs but based on what I
have read on the privacy digest, I would have been better off not
spending any of the hundreds of dollars that I did for these programs
and stuck with PGP - for free no less - in lieu of the other.

Anyone who has Kent Marsh products and knows how they work is invited
to comment.

------------------------------

From: johnl@iecc.com (John R Levine)
Date: Fri, 21 Jan 94 23:48 EST
Subject: Re: GTE and new Fed Compliance
Organization: I.E.C.C., Cambridge, Mass.

>Here's a curious note I just got from GTE:  [note says that if you use
your calling card, your billing name and address may be provided to the
company handling the call, but you can tell GTE not to release it at
the cost of most carriers not accepting the card]<

I got a similar note from New England Tel, oops NYNEX, except that it
just said that if I didn't want the info released, call up and they'll
be happy to cancel my calling card.

This is probably related to the 1992 telephone privacy law.  I'll dig
up the LOCIS description and see what it says.

John Levine, johnl@iecc.com, jlevine@delphi.com, 1037498@mcimail.com

------------------------------

From: Dave Gomberg <GOMBERG@UCSFVM.UCSF.EDU>
Date: Fri, 21 Jan 94 22:46:47 PST
Subject: Re: SSN on Payroll Checks

Let me ask why I care if someone (or lots of folks) knows my SSN?  Does
it have anything to do with Social Security directly, or would the
drawbacks apply to any powerful identifier?  If any powerful
identifier, why is it more important than my name and dob?   Please
advise.

Dave Gomberg, role model for those who don't ask much in their fantasy lives.
GOMBERG@UCSFVM           Internet node UCSFVM.UCSF.EDU     fax-> (415)731-7797
For info on West Coast Live send email to West_Coast_Live-Request@netcom.com

[moderator: Copies of the Social Security Number FAQ can be downloaded
by the following procedure.  Come in and browse]

ftp ftp.cs.uwm.edu              (on your system)
ftp                             (answer to login request)
your_userid@your_site           (answer to password request)
cd pub/comp-privacy/library     (at ftp prompt)
dir                             (look at what is there)
get ssn-privacy                 (move document to your filespace)
quit                            (back to your system)

In addition to the "library" subdirectory there are four subdirectories
named "volume1" - "volume4" that you are free to examine and copy
from.

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: Sat, 22 Jan 94 10:29:37 EST
Subject: Re: SSN on Payroll Checks

In Computer Privacy Digest Volume 4 : Issue: 021
joew@resumix.portal.com (Joe Wisniewski x8421) writes:

>My employer went to a new payroll system, ADT. Got our first check
today.  Guess what was on it. Yup, ss#.<

>1. Is this a requirement of ADT, if anyone out there knows?
2. Is there any legal prohibition against this?
    (Company is in California, I am in Arizona).
3. Has anyone else ever heard of this with their employers?<

My wife's employer used ADT (in NY) and the SSN was on the pay stub,
not the check itself; however, it wouldn't surprise me at all
considering that the SSA doesn't give a damn about the uses of the
SSN.

Dave Niebuhr      Internet: dwn@dwn.ccd.bnl.gov (preferred)
                            niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973  (516)-282-3093

------------------------------


End of Computer Privacy Digest V4 #022
******************************