Date:       Thu, 10 Feb 94 07:53:51 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#028

Computer Privacy Digest Thu, 10 Feb 94              Volume 4 : Issue: 028

Today's Topics:			       Moderator: Leonard P. Levine

                       Re: SSN on Payroll Checks
                       Re: SSN on Payroll Checks
                       Re: SSN on Payroll Checks
                    Privacy Acts - Ireland, Iceland
                                 Banks
                    Re: Data Encryption and Privacy
                      Voice Recognition in Canada
             Re: Data Encryption and Privacy -- PGP Issues
                       Campaign Against Clipper
                         Cantwell Privacy Bill

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: tenney@netcom.com (Glenn S. Tenney)
Date: Tue, 8 Feb 1994 00:27:39 -0800
Subject: Re: SSN on Payroll Checks

rick@CRICK.SSCTR.BCM.TMC.EDU wrote:
>In my opinion, the appearance of his SSN or his paycheck is one case
>where there should be no question about its use. Since the SSN number
>is the taxpayer ID number, it should appear on the check as a sanity
>check and a verification that his earnings would be reported under the
>correct ID. By the same token, ADP would have to know his SSN since
>they would be reporting his earnings to both the IRS and SSA (as well
>as any local and state agencies).  This is also why it is required for
>interest bearing accounts, mortgages and other entities which can
>generate tax events.

Actually, there is NO reason for the SSN to be on the face of the check
-- NO REASON ON EARTH!    On the stub -- yes.     But not on the
face.    A long time ago when a client had to have me as an employee
they switched to ADP.  I could get nowhere with their people about
this, so I just took out my xacto knife (sometimes I used scissors) and
removed the SSN from the check.  This is perfectly legal since you're
not altering the banking information.  It's been a long time since I've
gotten a tax refund, but I did the same thing with IRS refund checks
too... (I may have used permanent felt tip pens..)   :-)

Richard's comment above, from someone who seems quite technically
sharp, is indicative of a part of the SSN problem... people just assume
it's necessary.  When you read what Richard said, you're bound to say
"right, that's clear", but when you think about it, you should see that
it was missing one fine point... there's always a stub with that check
and that's where the information should go -- along with all of the
other PERSONAL information (deductions for this, deductions for that).

---
Glenn Tenney
tenney@netcom.com   Amateur radio: AA6ER
(415) 574-3420      Fax: (415) 574-0546

[This will be a terminating article in the Social Security Number
string.  I am sure that we will recommence this string in a few months
because SSN is an important topic for discussion, but I feel that its
new material has been exhausted at this time.  Moderator]


------------------------------

From: poivre@netcom.com (poivre)
Date: Wed, 9 Feb 1994 01:51:48 GMT
Subject: Re: SSN on Payroll Checks
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

Phil Albert (palbert@netcom.com) wrote:
: tcj@netcom.com (Todd Jonz) writes:

: With Great Western (California), you can ask that the service be turned
: off.  Kudos to Wells Fargo: they will assign you a PIN for telephone
: inquiries.  For either bank, you have to ask.

I have recently called Citibank about my mastercard and i noticed that
they too have implemented a bot where you just press the last 4 digits
of your SSN to get an automated response on your acct status.

Lucky for me, i got Citibank to put in a password on my acct, replacing
my SSN for phone inquiries.  When i first heard that bot, i pressed the
last 4 digits of my SSN and it refused to give me access to my acct
info.  It asked me to try again upon which i pressed the last 4 digits
of my password and it let me in!!

I have also replaced my SSN with passwords on my gas card and my other
credit cards.  I put one in for my calling card but it doesn't work
since when i called last time for acct info, the operator didn't ask me
for my password, nor even my SSN.  They just wanted my name and card
number.  I was rather disappointed!!

So for any of you out there who don't know, you can put a password on all
of your credit cards too.

-- 
 .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . .
  poivre@netcom.com               :       #include <disclaimer.h>
  lychees@marble.bu.edu           :       
  ykliu@mailbox.syr.edu           :     
 .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . .

[This will be a terminating article in the Social Security Number
string.  I am sure that we will recommence this string in a few months
because SSN is an important topic for discussion, but I feel that its
new material has been exhausted at this time.  Moderator]


------------------------------

From: rerodd@eos.ncsu.edu (Richard Roda)
Date: Wed, 9 Feb 1994 05:16:11 GMT
Subject: Re: SSN on Payroll Checks
Organization: North Carolina State University, Project Eos

bj@herbison.com (B.J. Herbison) writes:
>                            Credit reporting bureaus have some
>protection because they don't generate the information, they just
>`report what they are told'.  They also have some explicit protection
>in U.S. Federal law.  It is very hard to sue a credit agency, although
>I have heard more talk about trying to change this in the last few
>years.

Probably true.  I bet, however, that an uncooperative bank could be
sued on those grounds because they are generating the information and
then using the credit agency as a publisher.

-- 
PGP & RIPEM Public keys by mail | rerodd@eos.ncsu.edu (Richard E. Roda)
Disclaimer--------------------------------------------------------------
| The opinions expressed above are those of a green alien who spoke to |
| me in a vision.  They do not necessarily represent the views of NCSU |
| or any other person, dead or alive, or of any entity on Earth.       |
 ------------------------------------------------------------------------

[This will be a terminating article in the Social Security Number
string.  I am sure that we will recommence this string in a few months
because SSN is an important topic for discussion, but I feel that its
new material has been exhausted at this time.  Moderator]


------------------------------

From: matyas@scs.carleton.ca (Vaclav Matyas)
Date: Mon, 7 Feb 1994 15:58:25 -0500
Subject: Privacy Acts - Ireland, Iceland
Organization: School of Computer Science, Carleton University, Ottawa, Canada

Does anyone know whether Ireland and Iceland have Privacy Acts (and, if
so, what kind, and where to get them in electronic form, if possible)?

Thanks for any hint.

Vaclav Matyas, Jr.
School of Computer Science    E-mail : matyas@scs.carleton.ca  
Carleton University      
1125 Colonel By Drive 
Ottawa, Ont.           
K1S 5B6           ___________________________________________________
CANADA            Without a courageous step, we will not move forward.


------------------------------

From: gast@CS.UCLA.EDU (David Gast)
Date: Mon, 7 Feb 94 14:41:23 -0800
Subject: Banks

>close@lunch.asd.sgi.com (Diane Barlow Close) writes:
> Todd Jonz <tcj@netcom.com> writes:
>   I wonder if one can request that this "service" *not* be provided for
>   a specified account?
> Yes, and I was instrumental in getting this "service"
> replaced/refined.

Congratulations.  I closed my BofA account after I found out about it.
I tried talking to the manager of my branch, but was completely
unsuccessful.  They also have another "service" which does not require
an SSN or other password.  Given an account number, they will answer a
binary question of the form "Does the account have $XXX", where the
amount is specified by the user.  The user can reissue dollar amounts,
in essence providing a binary search for the balance.  They will also
provide a "credit" rating.  It would seem to me that if they provide a
credit rating, they have to comply with the laws relating to credit
bureaus, but they did not appear to be.

I changed to Home Fed which had much better privacy rules.  They did
not even print the complete account number on ATM receipts.  As you may
know, Home Fed went belly up, and various branches were bought by
various financial institutions.  Mine was bought by First Interstate
which has, IMHO, a terrible account agreement, at least as far as
protecting account information goes.  Essentially, they get the right
to disclose information to just about anyone.  I closed my account
shortly before it was to switch to the First Interstate rules.

> Just FYI, I eventually left banking at B of A for other reasons.  I
> must say that they did take my security and privacy concerns very
> seriously and it was most rewarding to be involved in the planning and
> implementation of a more secure process.

I suspect they were responding to the $25K of fraud you mentioned
rather than your inherent concerns.  They certainly did not care
anything about my concerns.

David
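
An added example, not part of David Gast's post and not any bank's real
system: a Python model of the yes/no "does the account have $XXX" service
described above, showing how few answers pin a balance down to the cent and
how a per-account question budget bounds what leaks. The class and function
names, the account label, the cent granularity and the $100,000 ceiling are
all assumptions made for the illustration.

```python
"""Constructed model of a yes/no balance-verification line and its leak."""


class VerificationService:
    """Answers only "does the account hold at least X?" (True/False).

    max_queries_per_account is a hypothetical mitigation: once the budget is
    spent, further questions about that account are refused. A real service
    would scope the budget per caller and per time window; a lifetime counter
    keeps the model short.
    """

    def __init__(self, balances_cents, max_queries_per_account=None):
        self._balances = dict(balances_cents)
        self._budget = max_queries_per_account
        self.queries = {}  # account -> questions answered (audit counter)

    def has_at_least(self, account, amount_cents):
        used = self.queries.get(account, 0)
        if self._budget is not None and used >= self._budget:
            raise PermissionError("question budget exhausted for this account")
        self.queries[account] = used + 1
        return self._balances[account] >= amount_cents


def worst_case_questions(ceiling_cents):
    """Yes/no answers needed to single out one of ceiling_cents + 1 values."""
    return ceiling_cents.bit_length()


def narrow_balance(service, account, ceiling_cents):
    """Re-ask the question with new amounts, halving the range each time.

    Returns (low, high): all that the answers reveal is low <= balance <= high.
    With no budget the two ends meet; with a budget the range stays wide.
    """
    low, high = 0, ceiling_cents
    try:
        while low < high:
            mid = (low + high + 1) // 2
            if service.has_at_least(account, mid):
                low = mid          # "yes": balance is at least mid
            else:
                high = mid - 1     # "no": balance is below mid
    except PermissionError:
        pass                       # budget spent: keep what is known so far
    return low, high


if __name__ == "__main__":
    ACCOUNT = "ACCT-1"                    # constructed account label
    BALANCES = {ACCOUNT: 1_234_567}       # constructed balance: $12,345.67
    CEILING = 10_000_000                  # assumed upper bound: $100,000.00

    open_line = VerificationService(BALANCES)
    print("no budget :", narrow_balance(open_line, ACCOUNT, CEILING),
          "after", open_line.queries[ACCOUNT], "questions")

    limited = VerificationService(BALANCES, max_queries_per_account=3)
    print("budget = 3:", narrow_balance(limited, ACCOUNT, CEILING),
          "after", limited.queries[ACCOUNT], "questions")
```

Without a budget the range collapses to the exact balance in at most 24
questions; with a budget of three the answers only establish that the balance
is somewhere below $12,500.00.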


------------------------------

From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Date: Wed, 9 Feb 1994 05:08:38 -0500 (EST)
Subject: Re: Data Encryption and Privacy 

Paul Robinson <TDARCOS@MCIMAIL.COM> writes:
> In his book "The Puzzle Palace", about the National Security Agency
> [deleted] suggests that the NSA can monitor all voice traffic into and
> out of the US.  He also suggests that the NSA is consistently about five
> years ahead of ... "state of the art" [Deleted material]
>I would think it merely prudent, not paranoid, to assume that the NSA
>can and does
>1) monitor all Internet traffic, perhaps even traffic _internal_to_ the
>US; and
> 2) archive it (what's 40 MB a day to people with acres of computers ?);

You haven't read the notice I sent out a while back.  I stated that it
has been assumed for years (but we can't really know) that the NSA
captures _everything_ on every news group and list it can discover and
archives it forever.  Some people have been known to put up "NSA Food"
in which they put bad-sounding terms in harmless messages so that some
person has to take time out to read it.  They would put a line in a
message such as

Encryption Kill Clipper Chip Clinton Terminate Cocaine Gore RSA PGP
Assasinate DES Bush

and so on, in order to get a high score on the computer monitoring so
that some person would have to take time out to read the messages
directly.

---
Paul Robinson - Paul@TDR.COM / TDARCOS@MCIMAIL.COM
Voted "Largest Polluter of the (IETF) list" by Randy Bush <randy@psg.com>
 -----


------------------------------

From: cmckie@ccs.carleton.ca (Craig McKie)
Date: Thu, 3 Feb 94 20:24:59 EST
Subject: Voice Recognition in Canada

Spy Agency works on eavesdropping device for phones, faxes

New snoop gadget would identify voices carried through air

The Canadian Press

Used on page 1, Ottawa Citizen, Monday January 31, 1994

   An elite wing of Canada's spy agency is secretly developing devices
that can monitor and identify voices carried through the air by phone,
fax and radio signals, according to a broadcast report citing
government documents.

   The Communications Security Establishment is a super-secret branch
of the Canadian Security Intelligence Service that specializes in
gathering signals intelligence - SIGINT to insiders.

   Since 1989, the CSE has awarded three contracts worth $1.1 million
to a Montreal firm to make machines that can quickly isolate key words
and phrases from the millions of signals the CSE monitors each day, CTV
reported Sunday.

   In May 1983, the CSE awarded the Centre de Recherche Informatique de
Montreal a contract to develop a "speaker identification system," which
can pick voices from the electronic haze and identify them.

   "It's frightening," says Bill Robinson, a researcher with the peace
group, Project Ploughshares. "It has Orwellian potential to sweep
through everybody's conversations. As computers get faster and faster,
theoretically, one would be able to keep records of all conversations."

   The CSE is supposed to provide the federal government with foreign
intelligence, but parliamentarians have often voiced concerns about the
agency's potential to violate the privacy of Canadians.

   Liberal MP Derek Lee, the head of a Commons committee that oversees
Canada's spy agency, said the CSE is overstepping its mandate.

   "Have they been asked, or have they decided for themselves to take
on a new role that requires them to analyse the human voice? And if
they have, they've gone beyond what I think they've told us."

   The CSE is accountable to Parliament through the defence minister.

   But Defense Minister David Collenette told CTV he was unaware of the
CSE's latest electronic snooping projects.

   "This is the first I've heard of this," Collenette said. "It is
certainly something I'll discuss with my officials."

   While in Opposition, the Liberals pledged to make the CSE more
accountable.

   With a budget of about $250 million and more than 800 employees the
CSE operates out of a building on Heron Road in Confederation Heights
surrounded by a barbed-wire fence.

   Its work is considered so sensitive that employees are told not to
take commercial flights, in case the plane is hijacked and they are
held hostage.


------------------------------

From: close@lunch.asd.sgi.com (Diane Barlow Close)
Date: 9 Feb 1994 22:08:26 GMT
Subject: Re: Data Encryption and Privacy -- PGP Issues
Organization: Self employed, eh.

Earlier I asked some questions about PGP (and other stuff) and found
out that PGP stood for a really good encryption system.  Then someone
pointed out to me that PGP implements the RSA public-key encryption
algorithm, and there is a patent on the use of RSA for digital
communication, and that includes email.  I also said if you use PGP to
encrypt or sign email which you then send to someone else, and you have
not obtained a license for use of the patent from the patent holders,
you are "infringing" the patent.

That was followed up with mail from "Tansin A. Darcos & Company"
<0005066432@mcimail.com>, who said that no, I'm wrong and PGP IS freely
available and free to use and its use infringes on nothing:

"Tansin A. Darcos & Company" <0005066432@mcimail.com> writes:
> Late last year, the owners of the 5 patents dealing with RSA
> encryption  (PKP Partners, Inc.) made a special arrangement with the
> National Institutes of Science and Technology that in exchange for a
> trade of certain encryption inventions developed by NIST to them, they
> would make the following provisions:
> 
> - Individuals using RSA encryption (which would include the methods
>  used in PGP) may do so *royalty free* and *without having to obtain a
>  license*;

Etc.  Rest deleted.  That left me totally confused.  Does PGP infringe
or doesn't it?  Are there exceptions or aren't there?  I wrote to Jim
Bidzos asking for clarification and he basically said that the stuff
about PGP being free and legal was pure fiction.  Jim said that PGP is
definitely unlicensed and is considered infringing by the patent
holders.  He responded directly to "Tansin A. Darcos & Company" and
cc'd me on the response, asking me to forward this to any newsgroup or
mailing list that might be discussing this issue:

   Date: Tue, 8 Feb 94 16:49:00 PST
   From: jim@RSA.COM (Jim Bidzos)
   Subject: RSA, patents, and pgp

   To: Tansin A. Darcos & Company

   I was sent a copy of statements you made that RSA had made some
   licensing deal with the government, and that somehow this
   legitimized the use of pgp.  This is not correct.

   You are probably referring to a Federal Register announcement last
   year in which it was proposed that the govt would get a license to
   use several PKP patents and PKP would license those patents
   uniformly to the private sector.  This proposal was for a proposed
   Digital Signature Standard, never mentioned the RSA algorithm, never
   included the RSA patent, never had anything to do with pgp, and was
   never executed anyway.

   Making, using, or selling or distributing pgp, which is unlicensed,
   is considered infringement by the patent holders, who reserve all
   rights and remedies at law.  This has been made clear on many
   occasions and in many places, including letters written to
   CompuServe, AOL, and to a large number of universities, all of whom
   now prohibit its use or distribution, as stated in responses to us
   from their counsel.

   There is, however, free and properly licensed source code for
   encryption and authentication using the RSA cryptosystem for
   non-commercial purposes.  This software is called RIPEM (for a copy,
   email the author, Mark Riordan at mrr@scss3.cl.msu.edu), and is
   based on free crypto source code called RSAREF (send any message to
   RSAREF@RSA.COM).  Further, commercial licenses are available at low
   cost for RIPEM; however, in cases where consumer privacy is the
   application, no-cost commercial licenses have been and are routinely
   granted.

   I hope this clarifies the situation. I think it would be appropriate
   to post this message wherever the erroneous message concerning pgp
   was posted.

   ******end of message.

-- 
Diane Barlow Close
	close@lunch.asd.sgi.com
	I'm at lunch today.  :-)


------------------------------

From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Mon, 7 Feb 1994 22:28:08 EST    
Subject: Campaign Against Clipper 
Organization: CPSR Washington Office

  Campaign Against Clipper

CPSR ANNOUNCES CAMPAIGN TO OPPOSE CLIPPER PROPOSAL

Embargoed until 2 pm, Monday, February 7, 1994

contact: rotenberg@washofc.cpsr.org  (202 544 9240)

Washington, DC -- Following the White House decision on Friday to
endorse a secret surveillance standard for the information highway,
Computer Professionals for Social Responsibility (CPSR) today announced
a national campaign to oppose the government plan.

The Clipper proposal, developed in secret by the National Security
Agency, is a technical standard that will make it easier for government
agents to wiretap the emerging data highway.

Industry groups, professional associations and civil liberties
organizations have expressed almost unanimous opposition to the plan
since it was first proposed in April 1993.

According to Marc Rotenberg, CPSR Washington director, the
Administration made a major blunder with Clipper.  "The public does not
like Clipper and will not accept it. This proposal is fatally flawed."

CPSR cited several problems with the Clipper plan:

o The technical standard is subject to misuse and compromise. It would
provide government agents with copies of the keys that protect
electronic communications.  "It is a nightmare for computer security,"
said CPSR Policy Analyst Dave Banisar.

o The underlying technology was developed in secret by the NSA, an
intelligence agency responsible for electronic eavesdropping, not
privacy protection. Congressional investigations in the 1970s disclosed
widespread NSA abuses, including the illegal interception of millions of
cables sent by American citizens.

o Computer security experts question the integrity of the technology.
Clipper was developed in secret and its specifications are classified.
CPSR has sued the government seeking public disclosure of the Clipper
scheme.

o NSA overstepped its legal authority in developing the standard.  A
1987 law explicitly limits the intelligence agency's power to set
standards for the nation's communications network.

o There is no evidence to support law enforcement's claims that new
technologies are hampering criminal investigations. CPSR recently forced
the release of FBI documents that show no such problems.

o The Administration ignored the overwhelming opposition of the general
public. When the Commerce Department solicited public comments on the
proposal last fall, hundreds of people opposed the plan while only a few
expressed support.

CPSR today announced four goals for its campaign to oppose the Clipper
initiative:

o First, to educate the public about the implications of the Clipper
proposal.

o Second, to encourage people to express their views on the Clipper
proposal, particularly through the computer network.

Toward that goal, CPSR has already begun an electronic petition on the
Internet computer network urging the President to withdraw the Clipper
proposal. In less than one week, the CPSR campaign has drawn thousands
of electronic mail messages expressing concern about Clipper. To sign
on, email clipper.petition@cpsr.org with the message "I oppose clipper"
in the body of the text.

o Third, to pursue litigation to force the public disclosure of
documents concerning the Clipper proposal and to test the legality of
the Department of Commerce's decision to endorse the plan.

o Fourth, to examine alternative approaches to Clipper.

Mr. Rotenberg said "We want the public to understand the full
implications of this plan.  Today it is only a few experts and industry
groups that understand the proposal.  But the consequences of Clipper
will touch everyone.  It will affect medical payments, cable television
service, and everything in between."

CPSR is a membership-based public interest organization.  For more
information about CPSR, send email to cpsr@cpsr.org or call 415 322
3778.  For more information about Clipper, check the CPSR Internet
library CPSR.ORG. FTP/WAIS/Gopher and listserv access are available.


------------------------------

From: Steve J White <aragorn@alpha1.csd.uwm.edu>
Date: Mon, 7 Feb 1994 22:24:16 -0600 (CST)
Subject: Cantwell Privacy Bill
Organization: University of Wisconsin-Milwaukee

The Electronic Frontier Foundation needs your help to ensure privacy rights!

                     * DISTRIBUTE WIDELY *

Monday, February 7th, 1994

From: Jerry Berman, Executive Director of EFF
      jberman@eff.org

Dear Friends of the Electronic Frontier,

I'm writing a personal letter to you because the time has now come for
action. On Friday, February 4, 1994, the Administration announced that it
plans to proceed on every front to make the Clipper Chip encryption scheme
a national standard, and to discourage the development and sale of
alternative powerful encryption technologies. If the government succeeds
in this effort, the resulting blow to individual freedom and privacy could
be immeasurable.

As you know, over the last three years, we at EFF have worked to ensure
freedom and privacy on the Net. Now I'm writing to let you know about
something *you* can do to support freedom and privacy. *Please take a
moment to send e-mail to U.S. Rep. Maria Cantwell (cantwell@eff.org) to
show your support of H.R. 3627, her bill to liberalize export controls on
encryption software.* I believe this bill is critical to empowering
ordinary citizens to use strong encryption, as well as to ensuring that
the U.S. software industry remains competitive in world markets.

Here are some facts about the bill:

Rep. Cantwell introduced H.R. 3627 in the House of Representatives on
November 22, 1993.  H.R. 3627 would amend the Export Control Act to move
authority over the export of nonmilitary software with encryption
capabilities from the Secretary of State (where the intelligence community
traditionally has stalled such exports) to the Secretary of Commerce. The
bill would also invalidate the current license requirements for
nonmilitary software containing encryption capabilities, unless there is
substantial evidence that the software will be diverted, modified or
re-exported to a military or terroristic end-use.

If this bill is passed, it will greatly increase the availability of
secure software for ordinary citizens. Currently, software developers do
not include strong encryption capabilities in their products, because the
State Department refuses to license for export any encryption technology
that the NSA can't decipher. Developing two products, one with less secure
exportable encryption, would lead to costly duplication of effort, so even
software developed for sale in this country doesn't offer maximum
security. There is also a legitimate concern that software companies will
simply set up branches outside of this country to avoid the export
restrictions, costing American jobs.

The lack of widespread commercial encryption products means that it will
be very easy for the federal government to set its own standard--the
Clipper Chip standard. As you may know, the government's Clipper Chip
initiative is designed to set an encryption standard where the government
holds the keys to our private conversations. Together with the Digital
Telephony bill, which is aimed at making our telephone and computer
networks "wiretap-friendly," the Clipper Chip marks a dramatic new effort
on the part of the government to prevent us from being able to engage in
truly private conversations.

We've been fighting Clipper Chip and Digital Telephony in the policy arena
and will continue to do so. But there's another way to fight those
initiatives, and that's to make sure that powerful alternative encryption
technologies are in the hands of any citizen who wants to use them. The
government hopes that, by pushing the Clipper Chip in every way short of
explicitly banning alternative technologies, it can limit your choices for
secure communications.

Here's what you can do: 

I urge you to write to Rep. Cantwell today at cantwell@eff.org. In the
Subject header of your message, type "I support HR 3627." In the body of
your message, express your reasons for supporting the bill. EFF will
deliver printouts of all letters to Rep. Cantwell. With a strong showing
of support from the Net community, Rep. Cantwell can tell her colleagues
on Capitol Hill that encryption is not only an industry concern, but also
a grassroots issue. *Again: remember to put "I support HR 3627" in your
Subject header.*

This is the first step in a larger campaign to counter the efforts of
those who would restrict our ability to speak freely and with privacy.
Please stay tuned--we'll continue to inform you of things you can do to
promote the removal of restrictions on encryption.

In the meantime, you can make your voice heard--it's as easy as e-mail.
Write to cantwell@eff.org today.

Sincerely,

Jerry Berman
Executive Director, EFF
jberman@eff.org

P.S. If you want additional information about the Cantwell bill, send
e-mail to cantwell-info@eff.org. To join EFF, write membership@eff.org.
For introductory info about EFF, send any message to info@eff.org.

The text of the Cantwell bill can be found on the Internet with any of
the following URLs (Universal Resource Locators):

ftp://ftp.eff.org/pub/Policy/Legislation/cantwell.bill
http://www.eff.org/ftp/EFF/Policy/Legislation/cantwell.bill
gopher://gopher.eff.org/00/EFF/legislation/cantwell.bill

It will be available on AOL (keyword EFF) and CIS (go EFFSIG) soon. 


------------------------------


End of Computer Privacy Digest V4 #028
******************************