Date: Sat, 29 Jan 94 11:39:48 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#024
Computer Privacy Digest Sat, 29 Jan 94 Volume 4 : Issue: 024
Today's Topics: Moderator: Leonard P. Levine
Re: SF-171s and SSNs
Telemarketing
Data Ships
Home Banking
Re: SSN on Payroll Checks
Re: SSN on Payroll Checks
Re: SSN on Payroll Checks
Re: SSN on Payroll Checks
Re: SSN on Payroll Checks
Re: Buckley Act Outrage
Re: Data Encryption and Privacy
Re: Data Encryption and Privacy
The Computer Privacy Digest is a forum for discussion on the effect
of technology on privacy. The digest is moderated and gatewayed into
the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests
to comp-privacy-request@uwm.edu. Back issues are available via
anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp"
with password "yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: rfrank@kaiwan.com (Ronald E. Frank)
Date: Thu, 27 Jan 1994 00:52:56 GMT
Subject: Re: SF-171s and SSNs
Organization: The Mushroom Factory
I can't answer your question regarding who gets to see it; but anyone
who has to withhold taxes presumably needs the SSAN. There should be a
privacy act notice on the form itself which will tell you who gets to
see it.
I doubt if there's a PD program out there; I work in an office where
everybody needs it. There's a $70 program which is copy protected to
the SSAN of the original user (I object, and won't use it). There's a
PD *template* for PerForm Pro, but you need a copy of PerForm.
------------------------------
From: news@cbnewsm.att.com
Date: Thu, 27 Jan 94 19:31:03 GMT
Subject: Telemarketing
Organization: AT&T
I read somewhere recently that there is a new law which requires that
telemarketers provide the name and address of their telemarketing
company, if asked; and that they remove people from their list of
"customers" if asked by someone they have called at least twice.
Can anyone tell me what that law is, and (if possible) supply the
actual text of the law?
-- Chris
------------------------------
From: matyas@scs.carleton.ca (Vaclav Matyas)
Date: Thu, 27 Jan 94 17:01:28 EST
Subject: Data Ships
here's a question/article for the Privacy Digest :
At a place I actually don't remember (cyberspace, magazine or just a
discussion - who knows ?) I heard about (an uncertain) existence of
'data ships' used for providing/transfer of data, which would normally
be under data-related laws in certain countries.
Their expected locations in international/neutral = no one's zones
excludes them from impact of any privacy or computer security related
laws in particular countries or they also might use other legislative
gaps for this purpose.
I guess the information is then accessible through UHF/VHF transmission
or maybe just by phone.
I am particularly interested in cases related to Canadian/North
American context, but would appreciate any information on this problem
anywhere around the world. Of course, a summary (if any) will be posted
later as well.
------------------------------
From: hw42709@vub.ac.be (Beerens Steven)
Subject: Home Banking
Date: 28 Jan 1994 14:04:21 GMT
Organization: Brussels Free Universities (VUB/ULB), Belgium
One of the new applications of banking is the home-banking system.This
system enables you to make financial transactions at home instead of
going to your local bank. You can do this by computer or by telephone.
This way of banking is becoming more and more popular. I think that the
aspect of privacy is here also very important because it concerns
financial transactions. External interference (bugging,failure) is
possible. So when I'm making a financial transaction by phone, it is
technologically possible that somebody is listening. Maybe some of the
members of this newsgroup have had (good or bad) experiences with
banking by phone or computer. If you have,please let me know.
--
Student Communicatiewetenschappen
Vrije Universiteit Brussel
------------------------------
From: Dave Gomberg <GOMBERG@UCSFVM.UCSF.EDU>
Date: Thu, 27 Jan 94 11:04:19 PST
Subject: Re: SSN on Payroll Checks
On Thu, 27 Jan 94 12:03:29 EST Levine says:
>The basic problem is that far too many organizations assume that
anyone who presents your name and SSN must be you, making it easy to
impersonate you for credit theft and other fraudulent purposes.<
Right. I know dozens of places where I just call up, give them an ssn
and they send me a check for 6 figures to my "just changed" new
address. Right.
If you REALLY want to be concerned about fraud, consider I put in a
change of address for you so you have no idea what is going on.
>Another, growing, problem is that keying records by SSN makes it
possible to easily combine records from otherwise unrelated databases.
This aids organizations that compile dossiers of personal information<
More bs. What prevents coordination of data by Name, dob, place of
birth? If you can't find someone to code that for you, I can.
Dave Gomberg, role model for those who don't ask much in their fantasy lives.
GOMBERG@UCSFVM Internet node UCSFVM.UCSF.EDU fax-> (415)731-7797
For info on West Coast Live send email to West_Coast_Live-Request@netcom.com
------------------------------
From: Dave Gomberg <GOMBERG@UCSFVM.UCSF.EDU>
Date: Thu, 27 Jan 94 11:13:40 PST
Subject: Re: SSN on Payroll Checks
Someone commented on landlords and credit checks, implying that they
cost $50. Far from it. If you have a legitimate business with a need
to check credit, and you agree to post your credit experience as well,
the cost drops down below $1 per inquiry for TRW.
Dave Gomberg, role model for those who don't ask much in their fantasy lives.
GOMBERG@UCSFVM Internet node UCSFVM.UCSF.EDU fax-> (415)731-7797
For info on West Coast Live send email to West_Coast_Live-Request@netcom.com
------------------------------
From: "Dick Murtagh (8-465-4916)" <dickm@vnet.IBM.COM>
Date: Thu, 27 Jan 94 12:58:55 PST
Subject: Re: SSN on Payroll Checks
In-Reply-To: Dave Gomberg <GOMBERG@UCSFVM.UCSF.EDU>
>I feel the whole SSN thing reeks of paranoia.<
It doesn't matter why I want to maintain my privacy, it is my right.
Noone would say a paranoid forfeits his freedom of speach because what
he says is nonsense. I want to maintain my privacy, that is enough.
That said, I'm going to defend my position anyway.
The SSN has become the de facto (and, in some cases, de jure) national
identification number. Most government and all credit bureau databases
use SSN as a primary key. Even if the SSA and TRW were the only
entities using SSN that would be one too many. TRW requires only a
name and SSN to produce a report that gives all a person's account
numbers.
If you don't beleive me, post your SSN and I'll post you credit
report.
------------------------------
From: ddrew@Tymnet.COM (Dale Drew)
Date: Thu, 27 Jan 94 14:24:17 PST
Subject: Re: SSN on Payroll Checks
I'd like to throw my $.02 in on the SSN issue:
Everyone seems to be missing one very important point: The fact that
the Social Security Number's purpose is to record financial
transactions between you and the Federal Government. That is all.
In 1973, a US Department of Heath, Education and Welfare task force
compiled a report regarding the dangers of a national numerical
identifier, which led to a provision in the 1973 Privacy Act. This
provision prohibited government agencies from collecting a SSN from
anyone unless the agency could point to a law ALREADY on the books in
1974. Certain government agencies have been excluded (welfare, dmv,
etc)
Private businesses can still demand your SSN, with no apparent legal
recourse for the individual. Providing a SSN blindly can have
devistating effects.
Your SSN is your key to your student records, your credit reports,
phone records, driver's licence information, criminal history and other
information. With JUST your SSN, someone can obtain a credit rating
using your existing credit rating.
Even some banks are using the SSN as an individuals account number,
which can have obvious problems.
Legitimate information databases can locate an individual by providing
just a SSN, or a phone number. The cost of the service ranges from $5
to $100, and is available to ANYONE.
I guard my personal information very closely. Not only because I have
the right to do so, but because my profession demands it. I have
fallen victim to many times because of a piece of what I thought was
"innocent" personal information fell into the hands of those people who
knew how to use it.
=========================================================================
Dale Drew BT North America, Inc.
Manager Global Network Security
Busniess Information Security
Voice: (408) 922-6526 Internet: ddrew@druid.Tymnet.COM
Fax : (408) 922-8870 Dialcom: net.security
------------------------------
From: Chuck Weckesser <71233.677@CompuServe.COM>
Date: 28 Jan 94 06:40:30 EST
Subject: Re: SSN on Payroll Checks
I must take strong exception with Dave who claims that concern over
official abuse, misuse or even indifference to SSN's is a red-herring
issue of little utility.
Wrong! Even if I accept your arguments, which I do not, you neglect the
fact that we must be ever-vigilant as SSN requests and the like have a
habit of snowballing into dangerous slippery-slopes that lead God only
knows where.
And I am a human being, NOT a number!!!
I have a right to be left alone provided that I leave other people
alone. That's it in a nutshell Dave. I respect you as a person and your
right to post your views (and in fact, would rather die than live in
state where I am a number and not a person with my own unique thoughts,
feelings and experiences which define me and which no one can ever rob
me of or duplicate).
You are by no means an exception. Citizen complacency has reached
pandemic proportions. Let me give you a far-fetched idea:
Just suppose - as ludicrous as it sounds - that the federal government
decides to impose a "sexual activity tax" and to collect this tax on
the basis of your SSN. Under those circumstances, would you be less
reluctant to give out your SSN?
Privacy invasions are always small to begin with - they are designed
that way! Privacy invasion is designed to increase at a geometric rate
until the majority of people say "it's not worth my time to fight city
hall."
That's fine. That's your decision to make. But first, the people must
have the facts about privacy invasion and the ramifications thereof
*and then* decide.
'Nuff said.
------------------------------
From: Chuck Weckesser <71233.677@CompuServe.COM>
Date: 28 Jan 94 05:48:21 EST
Subject: Re: Buckley Act Outrage
I am may be involved, rather against my choice, in litigation with a
University that I shall not name. At any rate, I have a comment or two
that I would like to share with the rest of you.
To put it bluntly, the Computer Privacy Digest has directly assisted me
in my battle with this University. For example, I learned here on CPD
that it is unlawful for a state University (which, by the way, receives
large federal aide) to ask for a student's social security number on
something as simple as a routine registration *NOTWITHSTANDING* a
Privacy Act Notice.
I learned that and far more here and I am grateful. As a result of my
persistence, the General Counsel of the University is involved and in
my state, one can get their holds on virtually any information, such as
a faculty member's personnel file, by simply asking for it. The name of
the law, which should be a model across the nation, is simply called
the "Sunshine Act."
Florida is a rather backward state in many respects and it in my
opinion that the good old boys who run this state out of Tallahassee
(which is truly like another state compared with where I live).
When I mentioned the mandatory Privacy Act Notice (I was *not*
asserting that the University could not ask for the information, but
that a Privacy Act notice explaining if the SSN request was mandatory
or not, how the information would be used, and you guy's know the
routine) he is quite angry, I assure you.
The fact is, no one here (except the lawyer's of course who should have
told the administration to begin with) has any notion of Buckley Act
privacy and the Privacy Act, to give just two examples. I had one gomer
tell me, "well, we can find out things like how much football player's
at school here weighs. . . "
I then explained that certain, very limited exemptions cover that sort
of information and a directory is allowed, *but* a student can opt out
of that as well. In short, this is the best list, by far, that I
subscribe to on the net.
It is chockful of very interesting information - and oddly, not at all
esoteric - that I did not previously know. I'm sure that the government
prefers stupid and apathetic citizens who, among other things, don't
vote than to deal with intelligent citizens who abide by the law and
make sure they do too.
One of my favorite pastimes is to pepper the Justice Department and
other agencies with FOIA requests. When I receive a statement saying
that it will cost such and such, I just say, fine, just send me the
first 50 pages (unless it's something I really want).
The point is that I have learned these things here on the Computer
Privacy Digest (except FOIA), and far more than I can list.
As many of you know, the Supreme Court, in Griswold v. Connecticut,
established a "zone of privacy" that has been liberally construed.
Use it or lose it!
Warm Regards
------------------------------
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Date: 28 Jan 1994 21:48:01 GMT
Subject: Re: Data Encryption and Privacy
Organization: Stratus Computer, Marlboro MA
close@lunch.asd.sgi.com (Diane Barlow Close) writes:
>Besides, unless PGP is the ONLY way the info is sent via the Internet,
the data won't be safe, and then you have to worry about both parties
possessing a PGP license. Otherwise, sending things via e-mail is just
like posting them to a newsgroup as far as privacy goes.<
I think you have it backwards. The more different encryption
algorithms in use, the better the security of the data. (It takes
effort to develop an attack against any one algorithm.)
re. PGP vs. RSA's patent
You can buy ViaCrypt PGP (602) 944-0773 { I'm not related to them }
you can also use RIPEM -- free and licensed for non-commercial use
see alt.security.pgp
and alt.security.ripem
--
- <<Disclaimer: All opinions expressed are my own, of course.>>
- Carl Ellison cme@sw.stratus.com
- Stratus Computer Inc. M3-2-BKW TEL: (508)460-2783
- 55 Fairbanks Boulevard ; Marlborough MA 01752-1298 FAX: (508)624-7488
------------------------------
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Date: Sat, 29 Jan 94 08:04 EST
Subject: Re: Data Encryption and Privacy
In a message from Diane Barlow Close <close@lunch.asd.sgi.com>,
> gene michael stover <gangrene!gene@netcom.com> writes:
>>My guess is that PGP is fine. Same with the three systems you
currently use. If the details of the commercial systems are kept secret
by the manufacturer, I would suggest you drop them and use PGP because
``security through obscurity'' isn't [Kerckhoff's principle, improved
by paraphrasing ;-].<<
>Interesting. In misc.consumers I raised some questions about an
article originally posted in misc.invest.real-estate and everyone there
was very gung-ho on PGP. Now someone also points out to me that PGP
implements the RSA public-key encryption algorithm, and there is a
patent on the use of RSA for digital communication, and that includes
email. Apparently, if you use PGP to encrypt or sign email which you
then send to someone else, and you have not obtained a license for use
of the patent from the patent holders, you are "infringing" the
patent. So, before you use it, you should think seriously about the
legal, ethical, and financial consequences of doing so.<
>I am now aware that PGP stands for a very good encryption mechanism,
but I still feel that there are risks in using the Internet for
delivery of such personal information. Although PGP is "available",
nowhere in the post does it say that he is going to use it all the time
for delivery of personal data. And what about the patent infringement
risk issue, raised above?<
Late last year, the owners of the 5 patents dealing with RSA
encryption (PKP Partners, Inc.) made a special arrangement with the
National Institutes of Science and Technology that in exchange for a
trade of certain encryption inventions developed by NIST to them, they
would make the following provisions:
- Individuals using RSA encryption (which would include the methods
used in PGP) may do so *royalty free* and *without having to obtain a
license*;
- Organizations which verify certificates (used for authenticating the
identity of someone) would pay $1 per year, per certificate during
the first 3 years
- Organizations selling software using RSA may do so on a sliding scale
from 1 to 5% of the selling price depending on certain conditions;
- Government agencies may use any of the patents royalty free.
This whole issue was squeaked about many months back when there was a
question about whether the government should be giving technology which
was developed at taxpayers' expense to a private company, and whether
it might have been cheaper to simply use eminent domain and have the
government purchase those patents directly.
So in answer to your comment, it is *no longer* infringing to use PGP
to encrypt messages from an individual.
>I've been on the Internet for a long time (since '81) and I certainly
will be the first to say that I don't follow every little nuance and
new development, so it'll probably come as no surprise that *I* hadn't
heard of PGP before. How many Internet newbie landlords are going to
recognize that PGP means "worlds greatest encryption scheme"? :-)<
PGP uses RSA which is probably the most secure method of encryption.
Almost as secure, but much faster, is a method called "Triple DES" in
which someone encrypts data using the DES encryption method three
times. Supposedly this is only a little less secure than RSA and is
much faster.
>Besides, unless PGP is the ONLY way the info is sent via the Internet,
the data won't be safe, and then you have to worry about both parties
possessing a PGP license. Otherwise, sending things via e-mail is just
like posting them to a newsgroup as far as privacy goes.<
Not true. The vast majority of E-Mail is one hop delivery, e.g. your
computer's mailer, which on Unix systems is called a "sendmail daemon"
will use the Internet to call up port 25 on the recipient's computer
and send mail to them via SMTP. Their sendmail daemon should then
deposit the message in their mailbox. Do you know how much data goes
across the Internet? Terabytes a month. While watching individual
packets is possible, it would be difficult since you can't always be
certain you are getting everything being sent. While the method is not
absolutely secure, it's not really much more public than, say, a
microwave transmission in the clear; if you are in the area you could
pick it up, but unless you are in the channel, you can't. Unless you
have access to one of the computers along the route, you can't access
the message at all. Newsgroups generally flood fill everything to
transmit them to everyone. Mail is done via single port connections
with as few routing hops as possible.
Yes, your site administrator could capture your mail, or the other
ends' could, or anyone in between could monitor packets. But with the
huge amount of traffic going over the Internet every day (Netnews alone
is reaching the 40 Meg a day point) that monitoring people's mail is
relatively difficult except perhaps at the sender's computer or at the
destination site.
And you might not ever know. Someone smart enough to monitor would
know enough about hardware and software and could probably hide what
they are doing from most monitoring.
What encryption does give you is twofold: first is absolute privacy so
even if the message is going to a shared mailbox, only the person who
knows your public key read it; second, since only one key will unlock a
protected message , and since that unlock key is a direct component of
the key used to lock the message against tampering, it provides
authentication of the sender and nondeniability, as well as tamper
checks which may detect changes.
------------------------------
End of Computer Privacy Digest V4 #024
******************************
.