Date: Thu, 03 Feb 94 10:33:51 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#026
Computer Privacy Digest Thu, 03 Feb 94 Volume 4 : Issue: 026
Today's Topics: Moderator: Leonard P. Levine
Networks and Democracy
Electronic Cross-Checking
Re: SSN other concerns
Re: SSN on Payroll Checks
Re: SSN other concerns
RE: OHIO laws about SSN on checks
RE: OHIO laws about SSN on checks
Re: OHIO laws about SSN on checks
Re: OHIO laws about SSN on checks
Re: SSN on Payroll Checks
Re: SSN other concerns
Re: SSN other concerns
Re: WIRED Magazine Report
SSN End of String
The Computer Privacy Digest is a forum for discussion on the effect
of technology on privacy. The digest is moderated and gatewayed into
the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests
to comp-privacy-request@uwm.edu. Back issues are available via
anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp"
with password "yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: dan@iguwnext.tuwien.ac.at (Dan Temmer)
Date: 2 Feb 1994 09:22:59 GMT
Subject: Networks and Democracy
Organization: Technical University Vienna, Austria
The enlargement of international Computernetworks and the impact on
democracy
I would like to demonstrate the influence of the fluently growing
international computer networks, especially internet, on democracy.
Following a short introduction on the history of computernetworks, i am
going to show, how direct democracy is being supported by networks.
Later on, i would like to insist on the danger of combining networks
and databases regarding the aspects of privacy, cross-matching,
media-concentration and information elites.
A short history of Computernetworks
Computer Networks appeared in the 60 s and where a creation of the
military. Under the supervision of the Advanced research Project
Agency, Arpanet, wich still exists, was born. In the 70 s, a decentral
network based on Unix machines was developped by universitys and
private users: UUCP (Unix to Unix copy). Dataexchange occured with
modem s and telephone lines (today: glas-fibre cables). Because of the
fact, that UUCP was only designed for e-mail exchange, 2 american
universitys developped a computer net, wich was able to publish news
like on a blacb-board: the system was called usenet. Internet itself is
based on a conglomeration of local networks using the same protocol
(TCP/IP).
Direct democraty is supported by Networks
Direct democracy differs from representative democracy as following:
everyone has the possibility to vote for a certain subject, not only
the representatives of the people, but there can be a logistic problem
regarding the fact that there will not be enough space for everyone to
assist a vote. Representative democracys do not have this problem,
because there is only a certain number of representatives, but do they
always represent the interests of their voters?
How do networks support direct democracy? It happens by to ways: First,
there is the possibility of electronic votes, wich resolves the space
problem (the precondition is that everyone who has the right to vote
must have an acces to the network). Then, voters also have a better
acces to governement data and information about governement activities
(this concerns also representative democracy). Electronic voting is
already made possible: IBM developped a program called Consensor, NIPO
(on of the three biggest oppinion polling institutes of the
netherlands) gets already his data online from people they gave to
computers and modems. Finally, "Electronic Governement" became an well
known slogan: it stays for a access to governement data of the white
house like the budget, laws , congressional directories or other
statistical data like census of population and housing, etc...
How democracy is endangered by networks
The age of surveillance has finally broken in. Privacy is endangered by
the following facts:
1- computer matching is the easyest and most rapidly growing form of
surveillance made possible through telecommunication links (between
databases). In the U.S., comparision, via social security numbers
(SSN), of two lists of persons resident in separare organisations can
produce a "hit" when the SSN appears on both lists (example: bank
account and application for public assistance) or when a person does
not appear where he is expected (example: draft registration list)
2- Every action (especially voting) wich happens on the net can be
surveilled by governement or by private or commercial institutions.
This stands in opposition to the privacy of post.
3- The surveillance is extensive and depersonalized automatic and self
initiated: when an individual logs on to a terminal on the network,
uses an automatic teller machine when punching in his personal
identification number or uses a gate in a parking lot by paying with
his credit card, he has initiated without his knowledge a process wich
changes his data history (a kind of automatic, remote sensoring)
Information elites and media concentrations
The idea of public acces to information by networks is to reduce the
social gap. in fact, the contrary can be produced. Only 13% of all
Americans posess a PC, and of them only 10% posess a modem: the
technology itself is an obstacle to information, wich can only passed
by education.
The industry has find out for a long time that Communication becomes
more and more the market for the future. The war has already broken out
between the giant telecommunication firms on who will dominate the
market and who will eat whom. Therefore, giant takeovers and
conglomeration happen in this industrial sector, creating only a few
institutions who have the acces to most of the information and the
control of it via the networks
Literature
"Domesticating Cyberspace" by Gary Stix, Scientific American, August
1993 Fridolin N. 71, Oktober 1993
"Democracy and new technology" by Iain McLean (University of Oxford)
Computerworld n. 37, September 1993
"Information Privacy and the Crisis of Control" by Oscar H. Grandy,
Jr.
Dan Temmer, University of technology of Vienna (Austria) e-mail:
dan@iguwnext.tuwien.ac.at
------------------------------
From: erwin@trwacs.fp.trw.com (Harry Erwin)
Date: 2 Feb 1994 13:54:25 GMT
Subject: Electronic Cross-Checking
Organization: TRW Systems Integration Division
The IRS is getting into cross-checking of 1099s. The found a financial
institution that was filing 1099s for me that I hadn't heard from in
five years. I had assumed they had gone bankrupt when I stopped getting
letters from them... Apparently they hadn't. Now I have to get an
up-to-date address for them...
Cheers,
--
Harry Erwin
Internet: herwin@gmu.edu or erwin@trwacs.fp.trw.com
Working on Katchalsky networks....
------------------------------
From: Dave Gomberg <GOMBERG@UCSFVM.UCSF.EDU>
Date: Tue, 01 Feb 94 09:07:11 PST
Subject: Re: SSN other concerns
You know, I joined this list because I thought it might have something
to do with privacy. I have now concluded it is the home of paranoid
rantings about ssns. If someone wants to steal from you or make up
credit records about you, it is trivial for them to do it with or
without your ssn. Getting the ssn for a name, or the name for an ssn
is so easy that it is foolish to think you are "protecting" something.
All you are doing is singling yourself out as someone who will be
trouble to deal with. You self-identify as a potential problem. Are
you sure that is what you want to do?
[Note to ed: please remove me from this list. Thanks. Dave]
Dave Gomberg, role model for those who don't ask much in their fantasy lives.
GOMBERG@UCSFVM Internet node UCSFVM.UCSF.EDU fax-> (415)731-7797
For info on West Coast Live send email to West_Coast_Live-Request@netcom.com
------------------------------
From: rerodd@eos.ncsu.edu (Richard Roda)
Date: Tue, 1 Feb 1994 17:35:52 GMT
Subject: Re: SSN on Payroll Checks
Organization: North Carolina State University, Project Eos
ua602@freenet.victoria.bc.ca (Kelly Bert Manning) writes:
>Privacy Journal reported that the major credit bureaus autmatically
change the address in their files if they get more than one credit
application report with a new address on it.<
>You seem to be missing the point that businesses and individuals have
a common interest in wiping out this kind of fraud, which adds up to a
lot of money every year. The person the SSN was assigned to has no
obligation to any of the creditors. They are completely out on a limb
with almost no hope of recovering the amounts.<
I am not a lawyer, but sometimes I play one on the Internet :-). Isn't
it true that if the credit report is not true and you are able to prove
it is not true that you could sue for liable or commercial slander?
--
PGP & RIPEM Public keys by finger | rerodd@eos.ncsu.edu (Richard E. Roda)
Disclaimer--------------------------------------------------------------
| The opinions expressed above are those of a green alien who spoke to |
| me in a vision. They do not necessarily represent the views of NCSU |
| or any other person, dead or alive, or of any entity on Earth. |
------------------------------------------------------------------------
Disclaimer? There are too many lawyers around. Q: Why do rats not infest
the houses of lawyers? A: Professional courtesy.
------------------------------
From: tenney@netcom.com (Glenn S. Tenney)
Date: Tue, 1 Feb 1994 13:42:24 -0800
Subject: Re: SSN other concerns
At 9:06 AM 2/1/94 -0500,Dave Gomberg <GOMBERG@UCSFVM.UCSF.EDU> wrote:
>This is wrong. Dale, give me your year of birth, your current street
address (don't even tell me the town) and a written request that I pull
your credit record and I will, and for free. I don't need your ssn,
but I will get it in the process. It will cost about $1.<
>What everyone on the other side of this debate seems to miss is that
the info is too valuable to pass up. We need it to do business. If
you are not willing to identify yourself, I wouldn't do business with
you. It's that simple. Not on credit anyway.<
Since you know that you can pull up a credit report without the SSN,
then it's clear that you DON'T need the SSN for your business needs.
It doesn't help at all.
As it happens, I have seen my credit reports and they don't have my SSN
on them because I don't authorize it to be disclosed. In some cases,
the company has made up a number (I have no idea where they got it
from) but its not mine.
The point is that the credit agencies don't need the SSN (as you've
noted), shouldn't give it out, and shouldn't even have "you" ask for
it. That would go a long way in helping -- it's been pointed out that
nearly all financial institutions will provide all information and will
process almost any account change over the phone with just a name and
SSN.
>... I don't care about the key, I care about the info. Deprive me of
the info and you are out of the game. Sayonara.<
With a name and address (not even dob) you can pull up a credit report,
so no one is remotely suggesting that you be deprived of info.
---
Glenn Tenney
tenney@netcom.com Amateur radio: AA6ER
(415) 574-3420 Fax: (415) 574-0546
------------------------------
From: Robert Ellis Smith <0005101719@mcimail.com>
Date: Tue, 1 Feb 94 13:27 EST
Subject: RE: OHIO laws about SSN on checks
Frank Tompkins on Jan 31 asked about an Ohio law limiting merchants
from gathering personal information on personal checks. The law,
1349.17, actually applies to credit-card sales. As in other states,
merchants may not record SSNs or phone numbers of credit-card slips.
Cal. Ga. Iowa, Kansas, Md., Mn, Nev., NY Va. and other states have
similar laws affecting CHECKS. This information comes from Compilation
of State and Federal Privacy Laws, a reference book available for $29
-- with a 20 percent discount for Digest readers -- from PRIVACY
JOURNAL, PO Box 28577, Providence RI 02908, 401/274 7861, e-mail:
rsmith, mcimail 510 1719.
------------------------------
From: Vincent Broerman <0005461808@mcimail.com>
Date: Tue, 1 Feb 94 18:09 EST
Subject: RE: OHIO laws about SSN on checks
This message is directed to Frank Tompkins:
Frank...I too ran into problems with a merchant in Ohio regarding ssn
and accepting checks. The merchant's response was....they are doing me
a favor by making it convienent to write a check. If I don't want to
give them a ssn I can pay cash, however, they will not accept a check
w/o a ssn.......If you can find any more information regarding this, I
will be very interested in reading it.
------------------------------
From: poivre@netcom.com (poivre)
Date: Wed, 2 Feb 1994 01:27:28 GMT
Subject: Re: OHIO laws about SSN on checks
Organization: NETCOM On-line Communication Services (408 241-9760 guest)
Frank Tompkins (TOMPKINS@vm1.cc.uakron.edu) wrote:
>So I made one up. It was accepted verbally without checking my
drivers license!!!<
Well, i hope you used one of the null numbers (see SSN FAQ to check
which ones) on your check instead of someone elses.
--
. . . . . . . . . . . . . . . . . . . . . . . . . .
poivre@netcom.com : #include <disclaimer.h>
lychees@marble.bu.edu : ^^^^^^^^^^^^^^^^^^^^^^^
ykliu@mailbox.syr.edu :
. . . . . . . . . . . . . . . . . . . . . . . . . .
>>>>>>>>>>>>>>>>>>>>> On Since: November, 1991.<<<<<<<<<<<<<<<<<<<<<<<<<<<<
. . . . . . . . . . . . . . . . . . . . . . . . . .
------------------------------
From: Zaf <punjanza@dunx1.ocs.drexel.edu>
Date: Wed, 2 Feb 1994 00:48:49 -0500 (EST)
Subject: Re: OHIO laws about SSN on checks
Since we are on the subject of SSN, I was wondering if you had to show
your SSN to a potential landlord before leasing a room in that
landlords house. Does anyone know? If so...why? Any input would be much
appreciated.
------------------------------
From: tcj@netcom.com (Todd Jonz)
Date: Wed, 2 Feb 1994 10:50:41 GMT
Subject: Re: SSN on Payroll Checks
Organization: Sanity Cruise Enterprises, Ltd.
Joe Wisniewski x8421 (joew@resumix.portal.com) writes:
>My employer went to a new payroll system, ADT. Got our first check
today. Guess what was on it. Yup, ss#.<
GOMBERG@UCSFVM.UCSF.EDU (Dave Gomberg) at Computer Privacy Digest replies:
>Let me ask why I care if someone (or lots of folks) knows my SSN? <
With an account number and the last four digits of the account holder's
SSN, Bank of America provides an automated telphone account inquiry
service via which you can get detailed information about his account
balance, recent deposit amounts, cleared check number and amounts,
etc. Joe's pay stub or direct deposit notification contains all of the
information required to make the telephone robot spill its guts. Until
very recently, this information also appeared on BofA's ATM receipts as
well.
I wonder if one can request that this "service" *not* be provided for a
specified account?
------------------------------
From: ran@cbebl1.att.com
Date: Wed, 2 Feb 94 08:37:35 EST
Subject: Re: SSN other concerns
Organization: AT&T
fin@panix.com (David Finan) writes:
>What I don't understand is why, the Fed (Dept Health, somthing and
Welfare) didn't inform the blood company of their obligation under the
law to inform citizens of the privacy act in relation to the SSN and
what uses it would be put to.<
>Lawyer story. The folks told me that therer had been a lawyer who
also balked at providing his SSN. He went away and later came back,
unhappy, and said '...has to give the number.' "HAS TOO"?!?! My
employer encourages but does not require blood donation. But this is
the story I was told. I thought that this was a voluntary thing for
everyone.<
A while back I actually looked up in the library a whole slew of
federal laws regarding the SSN and the Privacy Act of 1974. What
follows below is what I found out. It'll take a while to get back to
the blood issue, but for those who cannot wait, the upshot is that
Congress has authorized the use of the SSN for blood donations. So,
now onwards to seeing how we got there.
If you'd like your own copies of the laws I mention here, I'll tell you
where to look in your library to find them. [Note: I am not a lawyer,
and what I present here is just stuff I picked up looking in the
library over the past week; the legal beagles may want to add
to/correct it if necessary.]
The first thing to know is that there are two places to look for US
laws in the library. The first is "U. S. Code". This is codified law,
and has citations like 5 USC 552a, which is read as "Title 5 of the U.
S. Code, Section 552a". The other place to look is in "Statutes at
Large". These are what Congress actually passes. Citations look like
Pub. L. 93-579, 88 Stat. 1897, which means "Public Law number 93-579
(93 means passed by the 93rd Congress), and may be found in Volume 88
of Statutes at Large, page 1897". What is relevant to us is that
Public Laws often say things like "Title 5, United States Code, is
amended by adding after section 552 the following new section: Section
552a . . .". But Public Laws also add new law that is not necessarily
included in U.S. Code.
So, how does that apply the Privacy Act and SSn authorization? First
of all, the Privacy Act of 1974 is another name for Pub. L. 93-579
(thus, the citation in the SSN FAQ [which says that the Privacy Act is
5 USC 552a] is incorrect), The Privacy Act created the existance of the
U. S. Code Section 5 USC 552a. 5 USC 552a only puts privacy
restrictions on Federal Agencies (not State or Local). However, 5 USC
552a is NOT the Privacy Act of 1974, since the Privacy Act, after
establishing 5 USC 552a in Section 3, also goes on to do other things,
one of which, in Section 7, addresses State and Local government:
Sec. 7.
(a) (1) It shall be unlawful for any Federal, State or local
government agency to deny any individual any right, benefit, or
privilege provided by law because of such individual's refusal to
dis- close his social security account number.
(2) the provisions of paragraph (1) of this subsection shall not
apply with respect to--
(A) any disclosure which is required by Federal statute, or
(B) the disclosure of a social security number to any
Federal,
State, or local agency maintaining a system of records in
exist- ence and operating before January 1, 1975, if such
disclosure was required under statute or regulation adopted
prior to such date to verify the identity of an individual.
(b) Any Federal, State, or local government agency which
requests an individual to disclose his social security account
number shall inform that individual whether that disclosure is
mandatory or voluntary, by what statutory or other authority
such number is soli- cited, and what uses will be made of it.
So, this section is NOT part of the U. S. Code, but is just hanging out
there as a "Public Law".
The SSN FAQ also mentions that the Tax Reform Act of 1976 gave
authority to state or local tax, welfare, driver's license, or motor
vehicle registration authorities to use the number in order to
establish identities. This is Pub. L. 94-455, Title XII, Section
1211(b), 90 Stat. 1711, and it modifies 42 USC 405 (codification of the
Social Security Act) in the manner mentioned above. However (and the
SSN FAQ does not mention this), Pub. L. 100-485, Title I, Section 125,
102 Stat. 2353, goes on to modify 42 USC 405 even further, and says
that each state MUST require parents to supply their SSNs as part of
getting birth certificates for new children (for possible child
support). There have also been other changes that I haven't tracked,
(gotten further citations on) but 42 USC 405(c)(2)(C) now has the
following requirements on SSNs:
1. the states may use SSNs for tax, welfare, driver's license
or motor vehicle registration identification.
2. each state MUST require parents to supply their SSNs as
part of getting birth certificates for new children (for
possible child support).
3. stores accepting food stamps must give Dept. of Agriculture
the SSN of the owner of the store.
4. users of federal crop insurance must give their SSNs to the
Federal Crop Insurance Corporation.
5. SSNs disclosed as above are confidential and shall not be
disclosed to unauthorized people. A reference is made to the
Internal Revenue Code as to penalties. However, I'm still
trying to puzzle this one out. It seems to apply only to laws
passed after 1990, which means points 2-4 above. Point 1,
passed in 1988, seems not to be covered, and that leaves a hole
big enough to drive a semi through.
Now, on to the blood bit. It seems that Pub. L. 100-647, Title VIII,
Section 8008(a)(1), 102 Stat. 3783 further modified 42 USC 405 (the
Social Security Act codification) to add the following section [42 USC
405(c)(2)(D)]:
(D)
(i) It is the policy of the United States that--
(I) any State (or any political subdivision of a State) and
any authorized blood donation facility may utilize the
social security account numbers issued by the Secretary for
the purpose of identifying blood doners, and
(II) any State (or any political subdivision of a State) may
require any individual who donates blood within such State
(or political subdivision) to furnish to such State (or
political subdivision), to any agency thereof having related
administrative responsibility, or to any authorized blood
donation facility the social security number (or numbers, if
the donor has more than one such number) issued to the donor
by the Secretary.
(ii) If and to the extent that any provision of Federal Law
enacted before November 10, 1988, is inconsistent with the
policy set forth in clause (i), such provision shall, on and
after November 10, 1988, be null, void, and of no effect.
(iii) For the purposes of this subparagraph--
(I) the term ``authorized blood donation facility'' means an
entity described in section 1320b-11(h)(1)(B) of this title,
and
(II) the term ``State'' includes the District of Columbia,
the Commonwealth of Puerto Rico, the Virgin Islands, Guam,
the Commonwealth of the Northern Marianas, and the Trust
Territory of the Pacific Islands.
So there you have it (creep, creep, creep).
--
". . . and shun the frumious Bandersnatch."
Robert Neinast (ran@cbebl1.att.com)
AT&T-Bell Labs
------------------------------
From: mike@upolu.upolu.gsfc.nasa.gov (Mike Jones)
Date: 2 Feb 94 18:17:46 GMT
Subject: Re: SSN other concerns
Organization: NASA Goddard Space Flight Center -- InterNetNews site
fin@panix.com (David Finan) writes:
>have read alot here on the SSN privacy issue. Here's an example [...
tried to donate blood ...] there is a new requirement from the Fed
health folks (i can give dept names but this is being done on the fly)
that ALL blood doners MUST provide the blood bank with the SSN or their
blood won't be taken.<
I donated blood today, at a US gov't facility. They did ask for my SS
number (about 4 times) but when I told them no they still took my
blood.
I suspect they where making it up as they went along.
------------------------------
From: bernie@fantasyfarm.com (Bernie Cosell)
Date: Wed, 2 Feb 1994 17:09:29 GMT
Subject: Re: WIRED Magazine Report
Organization: Fantasy Farm, Pearisburg, VA
Robert Jacobson writes:
>WIRED Magazine recently carried an article on a new federal scheme to
track _all_ financial transaction passing over any sort of telecom
network. I suppose this means that all exchanges of money that can be
electronically encoded and recorded, then transmitted, will be
accessible to federal (and international?) security agencies.<
As a practical matter, I have always assumed that that was the case
*anyway*. I know that the various institutions have to journal and
archive every transaction, and I think it would be naive to assume that
they would be somehow held 'secret' against a group of prosecutors
armed with warrants.
Granted this kind of automation of it would make it _easier_, but this
just highlights a common problem that shows up on this newsgroup: the
financial/personal analog of "security by obscurity". The ostrich-like
idea that because something _seems_ tricky to you [e.g., getting your
financial records without your SSN] that you're safe, secure and
privacy-assured, when the reality is that that only puts off the most
casual browsers.
>... Given that the most personal behavior is often indicated by
financial trans- actions (using credit cards, etc., but cash also once
it enters the electronic till), is this the single most invasive police
scheme yet devised?>
Probably not. The info is already there for the taking, much of it
*already* has to be reported to the feds, and while the details of what
you report are sketchy, it doesn't seem like there are any new privacy
barriers being broken down.
Remember the simple rule of thumb: if you're using *anything* other
than cash, you can be assured that your transaction is _not_ private.
period. And even if you pay cash, your transaction might not be
private, but it is for-sure that anything _less_ than cash just has too
many people in the loop, and too many people who have to 'know' who you
are to approve the transaction, for even a pretense of privacy.
--
Bernie Cosell bernie@fantasyfarm.com
Fantasy Farm Fibers, Pearisburg, VA (703) 921-2358
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: Thu, 3 Feb 1994 08:57:14 -0600 (CST)
Subject: SSN End of String
Organization: University of Wisconsin-Milwaukee
I think we have seen most of the new ideas about the danger of
revealing Social Security Numbers versus the ever present nature of the
number posted. I am sure that this discussion will continue in the
future, but for now let us allow one last round of discussion and
terminate this string with the next issue of the digest.
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of Computer Privacy Digest and
Professor of Computer Science | comp.society.privacy.
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V4 #026
******************************
.