Date:       Tue, 01 Feb 94 09:06:33 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#025

Computer Privacy Digest Tue, 01 Feb 94              Volume 4 : Issue: 025

Today's Topics:			       Moderator: Leonard P. Levine

                         WIRED Magazine Report
                           SSN other concerns
                     OHIO laws about SSN on checks
                        Re: Buckley Act Outrage
                        Re: Buckley Act Outrage
                       Re: SSN on Payroll Checks
                       Re: SSN on Payroll Checks
                       Re: SSN on Payroll Checks
                       Re: SSN on Payroll Checks
                    Re: Data Encryption and Privacy
                           SSN other concerns
                       Re: SSN on Payroll Checks
                         Open Clipper Petition

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: Robert Jacobson <cyberoid@u.washington.edu>
Date: Sat, 29 Jan 94 14:10:35 -0800
Subject: WIRED Magazine Report

WIRED Magazine recently carried an article on a new federal scheme to
track _all_ financial transactions passing over any sort of telecom
network.  I suppose this means that all exchanges of money that can be
electronically encoded and recorded, then transmitted, will be
accessible to federal (and international?) security agencies.  Given
that the most personal behavior is often indicated by financial
transactions (using credit cards, etc., but cash also once it enters the
electronic till), is this the single most invasive police scheme yet
devised?  Or was WIRED just being sensational?  More info, please!


------------------------------

From: fin@panix.com (David Finan)
Date: 29 Jan 1994 22:42:49 -0500
Subject: SSN other concerns
Organization: PANIX Public Access Internet and Unix, NYC

I have read a lot here on the SSN privacy issue.
Here's an example.

I was called last week by the local blood bank (NY Blood Services) and
told that there was a blood emergency.  Well I'm a good citizen and B+
(see I'm not paranoid about some info), so I took time off from work,
went down to donate and was given a form that asked for my stats
(including my SSN).  I filled out everything EXCEPT the SSN.

Gave the form to the blood taker (phlem something...can't even pronounce
it don't ask me to spell it).  He checked it over (so THEY are doing
their jobs) and said '...need your SSN' I said 'uh huh. why?' He stated
that there is a new requirement from the Fed health folks (I can give
dept names but this is being done on the fly) that ALL blood donors
MUST provide the blood bank with the SSN or their blood won't be
taken.

The reason I was given was public health.  Apparently people are using
the blood donation process to either a) test themselves for HIV or b)
donating to poison the rest of us.

The fact that these people are doing their job is why I didn't make a
stink to them.  But I was _quickly_ passed from the vampire to his
supervisor to the office manager and then given a name at the home
office and she gave me the blood suckers head guy's name.  Apparently
I wasn't the first to balk at this requirement.  (story about lawyer
follows).

There was NEVER any mention made about the Privacy Act of 1974.  The
number was merely "required" to confirm identity, for "public health"
reasons.

The sad part of this is that I DO see their point and yet I won't
donate any more. (I did donate about 4 pts a year previous).  Implied
guilt trip and all that.

What I don't understand is why the Fed (Dept Health, something and
Welfare) didn't inform the blood company of their obligation under the
law to inform citizens of the Privacy Act in relation to the SSN and
what uses it would be put to.

Lawyer story.  The folks told me that there had been a lawyer who also
balked at providing his SSN.  He went away and later came back,
unhappy, and said '...has to give the number.'  "HAS TO"?!?!  My
employer encourages but does not require blood donation.  But this is
the story I was told.  I thought that this was a voluntary thing for
everyone.

I'm not sure who said that the SSN "ONLY" records A financial
transaction between the individual and the gov't, but you are wrong.
Now it's medical records.

So let's see ... financial records...medical records...what else is
there? criminal records...genetic records?  -- The name of the game is
know your enemy.    


------------------------------

From: TOMPKINS@vm1.cc.uakron.edu (Frank Tompkins)
Date: Mon, 31 Jan 1994 21:05:22 GMT
Subject: OHIO laws about SSN on checks
Organization: The University of Akron

Can anyone direct me to any documents that define under what conditions
an OHIO merchant can require you to provide your social security number
before they will honor a check?  I recently tried to properly ID myself
with driver's license (SSN blanked out), multiple bank and gas credit
cards, check guarantee card (which guarantees the bank will honor the
check if imprinted with the card as long as the signatures match) and
even my diver's "C" card, but the merchant refused my check without a
social security number.

So I made one up.  It was accepted verbally without checking my driver's
license!!!

I'm in the process of writing the vendor a letter about this absurdity,
and would like to quote OHIO laws, precedents, etc.

Thanks for any information!
					  - Frank
*************************************************************************
Frank Tompkins           :   Internet: Tompkins@VM1.CC.UAKRON.EDU
Systems Programmer       :     Bitnet: Tompkins@AKRONVM
University of Akron      :      Voice: (216) 972-7967
Akron, Ohio   44325-3501 :        Fax: (216) 972-5238
  "I have not failed, I've just found 10,000 ways that won't work"
						     - Thomas Edison


------------------------------

From: "John M. Sulak" <sulak@blkbox.COM>
Date: 30 Jan 1994 02:31:31 -0600
Subject: Re: Buckley Act Outrage
Organization: The Black Box (713) 480-2684

Chuck Weckesser <71233.677@CompuServe.COM> writes:
>Florida is a rather backward state in many respects and it in my
opinion that the good old boys who run this state out of Tallahassee
(which is truly like another state compared with where I live).<

>As many of you know, the Supreme Court, in Griswold v. Connecticut,
established a "zone of privacy" that has been liberally construed.<

Florida's constitution, amended in the early 80s by the voters against
the wishes and strong recommendations of the Republican and Democratic
parties, contains an explicit right to privacy. Libertarians believed
that the 9th and 10th Amendments of the US Constitution were continually
broken and could no longer be counted on as a guarantee of privacy.


------------------------------

From: "John M. Sulak" <sulak@blkbox.COM>
Date: 1 Feb 1994 07:23:52 -0600
Subject: Re: Buckley Act Outrage
Organization: The Black Box (713) 480-2684

Chuck Weckesser <71233.677@CompuServe.COM> writes:
>Florida is a rather backward state in many respects and it in my
opinion that the good old boys who run this state out of Tallahassee
(which is truly like another state compared with where I live).<

>As many of you know, the Supreme Court, in Griswold v. Connecticut,
established a "zone of privacy" that has been liberally construed.<

Florida's constitution, amended in the early 80s by the voters against
the wishes and strong recommendations of the Republican and Democratic
parties, contains an explicit right to privacy. Libertarians believed
that the 9th and 10th Amendments of the US Constitution were continually
broken and could no longer be counted on as a guarantee of privacy.


------------------------------

From: poivre@netcom.com (P. B. Hutson.) 
Date: Sun, 30 Jan 1994 01:59:16 GMT 
Subject: Re: SSN on Payroll Checks 
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

John R Levine (johnl@iecc.com) wrote:

>The basic problem is that far too many organizations assume that
anyone who presents your name and SSN must be you, making it easy to
impersonate you for credit theft and other fraudulent purposes.<

This is very true.  Think of the last time someone who needed your SSN
required you to show them the card to prove it's really yours.  The only
people who want to see the cards are employers and gov't welfare
agencies.  When you apply for credit cards, open bank accounts, rent an
apartment, get utilities, etc etc etc, they never ask to see the card
so it's easy for the bad guys to impersonate you.

I mean, for such an important number as the SSN is, you'd think people
would be more careful with it.  Instead, this all important number is
so insecure, it's laughable.

I'd like to get rid of the SSN completely but if society insists on
using it, then I'd like to see more security features for the number
and tamper-proof must-show cards.

-- 
  poivre@netcom.com               :       #include <disclaimer.h>
  lychees@marble.bu.edu           :       ^^^^^^^^^^^^^^^^^^^^^^^
  ykliu@mailbox.syr.edu           : 
>>>>>>>>>>>>>>>>>>>>> On Since: November, 1991.<<<<<<<<<<<<<<<<<<<<<<<<<<<<


------------------------------

From: ua602@freenet.victoria.bc.ca (Kelly Bert Manning)
Date: Sat, 29 Jan 94 21:57:41 PST
Subject: Re: SSN on Payroll Checks

In a previous article, GOMBERG@UCSFVM.UCSF.EDU (Dave Gomberg) says:

>Right.  I know dozens of places where I just call up, give them an ssn
and they send me a check for 6 figures to my "just changed" new
address.  Right.<

No, but they can easily open up a number of credit card accounts,
checking accounts, and loans. Sounds like you should check out the
"weekly SSN request" thread in alt.privacy. One of the respondents to
that thread describes the consequences of someone who found out her
husband's SSN using it to impersonate him. Often the first the victim
knows of it is when they get rejected for a loan and discover that
the credit reporting bureau files show an out of state address and
a huge portfolio of bad loans and cards they know nothing about.

Privacy Journal reported that the major credit bureaus automatically
change the address in their files if they get more than one credit
application report with a new address on it.

You seem to be missing the point that businesses and individuals have a
common interest in wiping out this kind of fraud, which adds up to a
lot of money every year. The person the SSN was assigned to has no
obligation to any of the creditors. They are completely out on a limb
with almost no hope of recovering the amounts.


------------------------------

From: palbert@netcom.com (Phil Albert)
Date: Sun, 30 Jan 1994 20:43:29 GMT
Subject: Re: SSN on Payroll Checks
Organization: Disorganized

Dave Gomberg <GOMBERG@UCSFVM.UCSF.EDU> writes:

>I feel the whole SSN thing reeks of paranoia.  Accordingly I have
retrieved the so-called explanation of why you should worry, and am
responding to it from the point of view of someone who digs out info
about you all the time.<

Well, Dave.  Put up, or shut up.  Post your SSN, or keep it secret.  If 
you do the latter, you agree with the rest of us that your SSN is not 
something to willy-nilly disclose.
-- 
Phil Albert, full-time patent attorney and philosopher, part-time car thief
Voicenet: (415) 543-9600       bizcardnet: Townsend & Townsend
Internet: palbert@netcom.com or palbert@cco.caltech.edu
 ICBMnet: 37 53 00 N, 122 17 30 W, Alt 760'


------------------------------

From: johnl@iecc.com (John R Levine)
Date: Sun, 30 Jan 94 18:12 EST
Subject: Re: SSN on Payroll Checks
Organization: I.E.C.C., Cambridge, Mass.

>>Unfortunately, far too many organizations assume that anyone who
>presents your SSN must be you.<
>
>This is bs.  Pure and simple.  What does it mean?????

Actually, it's true, even though it should be BS.  What it means is
that if I call up pretty much any business in the country and give them
your name and your SSN, they will believe that I am you and will let me
do anything I want in your name, e.g. set up credit accounts and bill
stuff to them, transfer money out of your bank accounts, discuss your
personal medical history, you name it.

Yes, in theory you're not responsible for such fraudulent transactions,
but in practice the amount of effort required to persuade them that it
wasn't in fact you and to back out the transactions is enormous.

Regards,
John Levine, johnl@iecc.com, jlevine@delphi.com, 1037498@mcimail.com


------------------------------

From: flb@flb.optiplan.fi (F.Baube[tm])
Date: Sat, 29 Jan 94 23:32:51 EET
Subject: Re: Data Encryption and Privacy 

<0005066432@mcimail.com> States:

>Yes, your site administrator could capture your mail, or the other
ends' could, or anyone in between could monitor packets.  But with the
huge amount of traffic going over the Internet every day (Netnews alone
is reaching the 40 Meg a day point) that monitoring people's mail is
relatively difficult except perhaps at the sender's computer or at the
destination site.<

>And you might not ever know.  Someone smart enough to monitor would
know enough about hardware and software and could probably hide what
they are doing from most monitoring.<

In his book "The Puzzle Palace", about the National Security Agency
(Fort Meade MD), Bamford suggests that the NSA can monitor all voice
traffic into and out of the US.  He further suggests that, with the
assistance of allies like the UK doing surveillance *within* the US,
the NSA may also (quite legally!) have access to some or all voice
traffic _internal_ _to_ the US.

He also suggests that the NSA is consistently about five years ahead of
the publicly-known "state of the art" in the relevant areas.

It does not require a great leap of imagination to extend this to the
Internet.

I would think it merely prudent, not paranoid, to assume that the NSA
can and does

1) monitor all Internet traffic, perhaps even traffic _internal_to_ the
US; and

2) archive it (what's 40 MB a day to people with acres of computers?);
and

3) possibly also analyze this traffic for interesting content by AI
programs that are well in advance of the publicly-known "state of the
art".

It's not a secret that the NSA does have vast resources at its
disposal.  And as in arms controls negotiations, prudence dictates that
one act based on the other's capabilities, not intentions, however
well-meaning they may be.

Note that I am _not_ suggesting that the NSA would necessarily _do_
anything with this information; I mean only to suggest that it's
available, at their fingertips should a "need" arise.

Further, hypothetical uses are left to the reader's imagination. :-)

-- 
Fred Baube(tm) GU/MSFS/88       
baube@optiplan.fi
#include <disclaimer.h>


------------------------------

From: Dave Gomberg <GOMBERG@UCSFVM.UCSF.EDU>
Date: Sun, 30 Jan 94 08:36:17 PST
Subject: SSN other concerns

>Your SSN is your key to your student records, your credit reports,
phone records, driver's licence information, criminal history and other
information.  With JUST your SSN, someone can obtain a credit rating
using your existing credit rating.<

This is wrong.  Dale, give me your year of birth, your current street
address (don't even tell me the town) and a written request that I pull
your credit record and I will, and for free.  I don't need your ssn,
but I will get it in the process.  It will cost about $1.

What everyone on the other side of this debate seems to miss is that
the info is too valuable to pass up.  We need it to do business.  If
you are not willing to identify yourself, I wouldn't do business with
you.  It's that simple.  Not on credit anyway.

Now I couldn't care less if the key is ssn (which it mostly isn't,
despite all the suggestions on this list), or name and dob, or
thumbprint digitized, or zodiacal chart (based on time of birth to the
microsecond).  I don't care about the key, I care about the info.
Deprive me of the info and you are out of the game.  Sayonara.

Dave Gomberg, role model for those who don't ask much in their fantasy lives.
GOMBERG@UCSFVM           Internet node UCSFVM.UCSF.EDU     fax-> (415)731-7797
For info on West Coast Live send email to West_Coast_Live-Request@netcom.com


------------------------------

From: ua602@freenet.victoria.bc.ca (Kelly Bert Manning)
Date: Mon, 31 Jan 94 01:11:00 PST
Subject: Re: SSN on Payroll Checks

GOMBERG@UCSFVM.UCSF.EDU (Dave Gomberg) says:

>Right.  I know dozens of places where I just call up, give them an ssn
and they send me a check for 6 figures to my "just changed" new
address.  Right.<

No, but they can easily open up a number of credit card accounts,
checking accounts, and loans. Sounds like you should check out the
"weekly SSN request" thread in alt.privacy. One of the respondents to
that thread describes the consequences of someone who found out her
husband's SSN using it to impersonate him. Often the first the victim
knows of it is when they get rejected for a loan and discover that the
credit reporting bureau files show an out of state address and a huge
portfolio of bad loans and cards they know nothing about.

Privacy Journal reported that the major credit bureaus automatically
change the address in their files if they get more than one credit
application report with a new address on it.

You seem to be missing the point that businesses and individuals have a
common interest in wiping out this kind of fraud, which adds up to a
lot of money every year. The person the SSN was assigned to has no
obligation to any of the creditors. They are completely out on a limb
with almost no hope of recovering the amounts.


------------------------------

From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Mon, 31 Jan 1994 17:12:59 EST    
Subject: Open Clipper Petition 
Organization: CPSR Washington Office

                Electronic Petition to Oppose Clipper  
                      Please Distribute Widely

This is an open petition drive with a listserv address so that anyone
on the net can sign on to oppose the clipper proposal.  We will deliver
the petition to the president. As far as I know, it's the first time
that anyone has done this (well the Lotus Marketplace campaign but that
was somewhat different).

On January 24, many of the nation's leading experts in cryptography and
computer security wrote President Clinton and asked him to withdraw the
Clipper proposal.

The public response to the letter has been extremely favorable,
including coverage in the New York Times and numerous computer and
security trade magazines.

Many people have expressed interest in adding their names to the
letter.  In  response to these requests, CPSR is organizing an Internet
petition drive to oppose the Clipper proposal.  We will deliver the
signed petition to the White House, complete with the names of all the
people who oppose Clipper.

To sign on to the letter, send a message to:

     Clipper.petition@cpsr.org

with the message "I oppose Clipper" (no quotes)

You will receive a return message confirming your vote.

Please distribute this announcement so that others may also express
their opposition to the Clipper proposal.

CPSR is a membership-based public interest organization.  For
membership information, please email cpsr@cpsr.org.  For more
information about Clipper, please consult the CPSR Internet Library -
FTP/WAIS/Gopher CPSR.ORG /cpsr/privacy/crypto/clipper

=====================================================================

The President 
The White House 
Washington, DC  20500

Dear Mr. President:

     We are writing to you regarding the "Clipper" escrowed encryption
proposal now under consideration by the White House.  We wish to
express our concern about this plan and similar technical standards
that may be proposed for the nation's communications infrastructure.

     The current proposal was developed in secret by federal agencies
primarily concerned about electronic surveillance, not privacy
protection.  Critical aspects of the plan remain classified and thus
beyond public review.

     The private sector and the public have expressed nearly unanimous
opposition to Clipper.  In the formal request for comments conducted
by the Department of Commerce last year, less than a handful of
respondents supported the plan.  Several hundred opposed it.

     If the plan goes forward, commercial firms that hope to develop
new products will face extensive government obstacles. Cryptographers
who wish to develop new privacy enhancing technologies will be
discouraged.  Citizens who anticipate that the progress of technology
will enhance personal privacy will find their expectations
unfulfilled.

     Some have proposed that Clipper be adopted on a voluntary basis
and suggest that other technical approaches will remain viable.  The
government, however, exerts enormous influence in the marketplace, and
the likelihood that competing standards would survive is small.  Few
in the user community believe that the proposal would be truly
voluntary.

     The Clipper proposal should not be adopted.  We believe that if
this proposal and the associated standards go forward, even on a
voluntary basis, privacy protection will be diminished, innovation
will be slowed, government accountability will be lessened, and the
openness necessary to ensure the successful development of the
nation's communications infrastructure will be threatened.

     We respectfully ask the White House to withdraw the Clipper
proposal.

------------------------------



End of Computer Privacy Digest V4 #025
******************************