Date: Sun, 01 May 94 09:30:51 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#061
Computer Privacy Digest Sun, 01 May 94 Volume 4 : Issue: 061
Today's Topics: Moderator: Leonard P. Levine
New Electronic Privacy Group Formed
Clipper Petition Delivered to White House
Credit Reports
Military and law enforcement
Re: Visa Privacy
Re: Visa Privacy
Re: Visa Privacy
Re: Credit check only with Permission Granted
Re: NSA remarks at "Lawyers and the Internet"
Re: Lord Have Mercy On Us All :-(
Re: Lord Have Mercy On Us All :-(
Re: Long Distance Companies
SSN: Do Not Give Your Number to Anyone!
The Computer Privacy Digest is a forum for discussion on the effect
of technology on privacy. The digest is moderated and gatewayed into
the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests
to comp-privacy-request@uwm.edu. Back issues are available via
anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp"
with password "yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: Dave Banisar <epic@cpsr.org>
Date: 29 Apr 1994 17:02:33 +0000
Subject: New Electronic Privacy Group Formed
EPIC Press Release
Electronic Privacy Information Center
666 Pennsylvania Ave., SE, Suite 301
Washington, DC 20003
(202) 544-9240 (tel)
(202) 547-5482 (fax)
epic@cpsr.org (email)
April 29, 1994
NEW PRIVACY CENTER ESTABLISHED
EPIC TO MONITOR DATA HIGHWAY
WASHINGTON, DC -- A new organization was launched today to address growing
public concerns about privacy protection for the national information
infrastructure. The Electronic Privacy Information Center (EPIC) will focus
on emerging threats to personal privacy.
Among the threats are the government's controversial Clipper computer
encryption proposal, which has caused widespread protests from companies and
computer users around the world. Proposals for an information superhighway
and recent plans to reform the nation's health care system also involve
significant threats to personal privacy.
"We have established EPIC to focus public attention on these new
privacy issues -- the Clipper Chip, the Digital Telephony Proposal, medical
record privacy, and the sale of consumer data." said Marc Rotenberg, director
of EPIC.
A 1993 poll by the Lou Harris organization found 80 percent of
Americans concerned about threats to their privacy. More than two thirds
believe they have lost all control over personal information. Still, 70
percent believe that privacy is a fundamental right comparable to "life,
liberty and the pursuit of happiness," and a clear majority of Americans
favor establishment of a privacy agency within the government.
EPIC brings together an unprecedented group of experts from computer
science, information law, civil liberties, human rights, public interest
advocacy, library and research communities, as well as privacy experts and
scholars. Among the members of the EPIC Advisory Board is former Congressman
and Presidential candidate John B. Anderson. Mr. Anderson said today at a
Capitol Hill press conference he was very pleased by the establishment of the
new organization.
"Privacy is one of the bedrock American values. EPIC will help
ensure that privacy is protected in the information age," said Mr. Anderson.
Simon Davies, the Director General of Privacy International, welcomed
the launch of EPIC. Speaking from London, England today he said, "EPIC is an
exciting initiative on the leading edge of privacy protection. My hope is
that EPIC will be the forerunner of many such organizations around the
world."
EPIC is a joint project of the Fund for Constitutional Government and
Computer Professionals for Social Responsibility. FCG is a non-profit
charitable organization established in 1974 to protect civil liberties and
constitutional rights. CPSR is a national membership organization
established in 1982 by professionals in the computing field concerned about
the social impact of computer technology.
For more information contact EPIC, 666 Pennsylvania Ave., SE Suite
301, Washington, DC 20003. 202 544 9240 (tel), 202 547 5482 (fax)
epic@cpsr.org (email). Current materials include a program description and
list of Frequently Asked Questions about EPIC.
Marc Rotenberg, EPIC Director
David L. Sobel, Legal Counsel
Dave Banisar, Policy Analyst
------------------------------
From: CPSR National Office <cpsr@cpsr.org>
Date: 29 Apr 1994 17:12:07 +0000
Subject: Clipper Petition Delivered to White House
CPSR PRESS RELEASE
Computer Professionals for Social Responsibility
P.O. Box 717
Palo Alto, CA 94301
415-322-3778 (voice)
415-322-4748 (fax)
cpsr@cpsr.org
"CLIPPER" PETITION DELIVERED TO WHITE HOUSE
COMPUTER USERS CALL ON ADMINISTRATION TO DROP ENCODING PLAN
NEW PRIVACY CENTER ESTABLISHED
Washington, DC -- A national public interest organization today
delivered to the White House a petition asking for withdrawal of the
controversial Clipper cryptography proposal. The Clipper plan would provide
government agents with copies of the keys used to encoded electronic
messages.
The petition was signed by more than 47,000 users of the nation's
data highway. The petition drive occurred entirely across the Internet. It
is the largest electronic petition to date.
Earlier this year, the White House announced support for the Clipper
proposal. But the plan has received almost unanimous criticism from the
public. A Time/CNN found that 80% of the American public opposed Clipper.
Computer Professionals for Social Responsibility began the petition
drive in January. In the letter addressed to the President, the organization
said that if Clipper goes forward, "privacy protection will be diminished,
innovation will be slowed, government accountability will be lessened, and
the openness necessary to ensure the successful development of the nation's
communications infrastructure will be threatened."
The petition asks for the withdrawal of Clipper. It is signed by
many of the nation's leading cryptographers including Whitfield Diffie,
Martin Hellman, and Ronald Rivest. Users from nearly 3,000 different sites
across the Internet are represented. Responses came from more than 1300
companies including Microsoft, IBM, Apple, DEC, GE, Cray, Tandem, Sun, SGI,
Mead Data Central, AT&T, and Stratus. Signatures also came from more than 850
colleges and universities and 150 non-profit organizations. Many responses
came from public networks such as America Online and Compuserve. Nearly a
thousand came from government and military sites including NASA, the Army and
the Navy.
Next week hearings will be held in Congress on the controversial
cryptography proposal, an initiative developed by the FBI and the National
Security Agency. Most of the witnesses are expected to testify against the
plan.
In a related development, the establishment of the Electronic Privacy
Information Center was announced today. EPIC is jointly sponsored by CPSR
and the Fund for Constitutional Government. It will focus on emerging privacy
issues surrounding the information data highway. [see accompanying release].
CPSR is national membership organization, based in Palo Alto,
California. For more information about CPSR, contact CPSR, P.O. Box 717,
Palo Alto, CA 94302. 415 322 3778 (tel) 415 322 4748 (fax) cpsr@cpsr.org
(email).
------------------------------
From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 29 Apr 94 22:14 EST
Subject: Credit Reports
It is a common misconception that someone needs your consent before
getting access to your credit report. It's not true. The federal Fair
Credit Reporting Act requires only that a requester have a PERMISSIBLE
PURPOSE for ordering a credit report -- for credit, employment,
insurance or a similar "legitimate business purpose." Otherwise, you
need a court order or the consent of the individual.
Private detectives generally perpetuate this misconception -- probably
because they are often denied credit reports because they don't have a
permissible purpose. Lawyers are another group that always want credit
reports and usually don't have a permissi ble purpose. These groups
either fake it and say they are planning on employing a person (getting
a credit report by false pretenses violates federal law) or they go to
"information brokers," most of whom are not scrupulous about compliance
with the FCRA .
Now they're able to order credit reports anonymously on the 'net from
entrepreneurs who are also anonymous.
As Glenn Roberts pointed out, ANYBODY can buy "header information" from
a credit report without regard to the protections in the FCRA. In a
misguided policy, the Federal Trade Commission said that header
information is not a credit report, even though in the past the same
agency had insisted that access to ANY PART of a credit report
constitutes access to a credit report and requires a permissible
purpose. "Header information" includes address, phone number, age,
SSNs, mother's maiden name, and other id entifiers. Even though the
FCRA requires a notation in your file whenever someone has access to
it, because header information is not covered by the FCRA, you will
never know when someone gets this information. This is a prime source
of individuals' Soc ial Security numbers, leading to all sorts of
fraudulent misappropriation of peoples' identities. And think what
someone can do with your mother's maiden name and your bank account
number.
One exception: Vermont now requires consent. Other states may
follow. That's why the credit-reporting business is pushing Congress
to PREEMPT tougher state laws. People on the net should write their
Members of Congress about this. How do credit bureaus handle the
Vermont law? They tell their customers that when they receive a
request for a credit report they will simply assume that the requester
has secured the consumer's consent.
Nobody said keeping track of your privacy rights would be easy.
Robert Ellis Smith, Privacy Journal
------------------------------
From: "John A. Thomas" <B858JT@UTARLVM1.UTA.EDU>
Date: 30 Apr 94 17:07:31 CDT
Subject: Military and law enforcement
L.L. Lipshitz expresses concern about the "gradual incursion of
military technology and personnel into the civilian domain."
I certainly agree that the use of the military for civilian law
enforcement is a dangerous practice. I do not agree that such a threat
now exists.
So far, the use of the military in the "War on Drugs" and to enforce
immigration policy has been limited to use of the naval and air units
for surveillance on the high seas, along with some Army training of
foreign anti-drug forces. I understand the Pentagon was opposed to
even this involvement. Most officers feel strongly that the job of the
military is to fight and defeat the armed forces of hostile states, not
to be policemen or aid workers, whether at home or abroad.
The President is the commander of the U.S. military, and the military
is obviously under civilian control (compare the Chilean
constitution!). Military involvement in politics is simply not part of
our culture. There hasn't been a military government in the
English-speaking world since Oliver Cromwell was Lord Protector. I
certainly agree we should oppose efforts to involve the military in law
enforcement, but I don't see any subtantial attempt to do so, least of
all from the professional military itself.
This said, I think the real threat to civil liberties comes from the
ever-increasing power of the existing law-enforcement system. The Army
or the NSA have no power to make arrests, issue subpoenas, convene
grand juries, or bring prosecutions. But the FBI and DEA do. This is
why the Digital Telephony proposal is much more threatening than the
key-escrow scheme (Clipper), bad as it is.
John A. Thomas b858jt@utarlvm1.uta.edu
------------------------------
From: keelings@wu1.wl.aecl.ca (S. Keeling)
Date: 28 Apr 1994 14:33:32 -0500
Subject: Re: Visa Privacy
Organization: AECL Research, Whiteshell Labs
L. Levine wrote: I am the co-author of a book called "A Foreign
Visitor's Survival Guide to America". It has been suggested that I
use the Freedom of Information act to obtain a list of people
applying for visas to come
I would just suggest that you be extremely selective about who you
choose to target. Governments are vicious, paternalistic, nosey, and
vindictive. At best! Even in this 'polite' land of Canada, our mail is
opened when it crosses the border.
Scale the same to the n'th degree for Indonesians, P. R. China, Korea,
India, any Arab country, etc.
At the very least, make NO mention of the person's application to
emigrate.
--
keelings@wl.aecl.ca S. Keeling, AECL - Whiteshell Labs
------------------------------
From: palbert@netcom.com (Phil Albert)
Date: 29 Apr 1994 23:49:48 GMT
Subject: Re: Visa Privacy
Organization: Disorganized
"Prof. L. P. Levine" <levine@blatz.cs.uwm.edu> writes: I am the
co-author of a book called "A Foreign Visitor's Survival Guide to
America". It has been suggested that I use the Freedom of
Information act to obtain a list of people applying for visas to
come to the United States to create a mailing list of people to
send advertisements to. I would like any opinions on the ethics of
doing this.
That would be a snot-nosed thing to do. For one, the people on that
list did not give their names so you could sell them a book. See the
name of this newsgroup. If your book is any good, they will find out
about it. How many immigrants have heard of "Jurassic Park"? [I'm not
implying it's a good book, but you get my point.] For another thing,
why use up taxpayer money getting this list through the FOIA? Your
request would have NOTHING to do with Freedom of Information, nothing
to do with the government. I suggest you contact the airlines and boat
companies who carry immigrants over and offer to stock their ship and
airport gift stores with the book.
Does your book contan the key to immigrants' survival? That is:
"Advertisers are not interested in you, and they lie more than they
tell the truth."
--
Phil Albert, full-time patent attorney and part-time philosopher
Voicenet: (415) 543-9600 bizcardnet: Townsend & Townsend
Internet: palbert@netcom.com or palbert@cco.caltech.edu
ICBMnet: 37 53 00 N, 122 17 30 W, Alt 760'
------------------------------
From: austin@netcom.com (Tony Austin)
Date: 28 Apr 1994 21:58:27 -0700
Subject: Re: Visa Privacy
Organization: NETCOM On-line Communication Services (408 241-9760 guest)
"Prof. L. P. Levine" <levine@blatz.cs.uwm.edu> writes: I am the
co-author of a book called "A Foreign Visitor's Survival Guide to
America". It has been suggested that I use the Freedom of
Information act to obtain a list of people applying for visas to
come to the United States to create a mailing list of people to
send advertisements to. I would like any opinions on the ethics of
doing this.
It's ethical because it violates no laws. It's immoral because you are
invading their privacy. Ethics applies to the individual or his
profession. Morals applies to society at large.
These are just opinions, they are based on no philosophical text.
Personally I feel it would be a welcome advertisment but who can speak
for all.
Tony Austin
------------------------------
From: tabrown@gis1dilurb.er.usgs.gov (tim brown)
Date: 29 Apr 1994 14:33:27 GMT
Subject: Re: Credit check only with Permission Granted
Organization: other
rivaud@coyote.rain.org (L. E. de Rivaud) writes: I used to work for
a BMW dealer who ran credit checks on people all the time without
their prior consent. That is common practice in the biz.
Tony Austin (austin@netcom.com) wrote: I called TRW in Orange
County, California today. I asked how safe my credit information
and social security number is. They told me that noone can look at
your credit report unless you grant them permission. A fine and a
civil lawsuit was mentioned as well. Subsequently I feel a lot
safer. Is this a false feeling of security?
I received a "pre-approved" VISA application in the mail yesterday. I
always like to look at the fine print on the back when I get one of
these. I'm glad I took the time on this one. It had an interesting
paragraph as follows:
<info on how they obtained my name deleted> "You have the right to
prohibit use of information in your file with any credit reporting
agency in connection with any transaction which you do not initiate. To
assert this right with respest to your file with the agencies listed
above, you may call:"
TRW - 1.800.422.4879
TU - 1.800.241.2858
EQUIFAX - 1.800.685.1111
However, when I called, guess what number they wanted?! SSN#, of
course. I'd like to hear some comments on this. Obviously these
companies already have my SSN#, or do they? Perhaps one of the agencies
does, but the others may not. I might end up giving out the very
information I'm trying to protect. I'd like some feedback on this.
p.s. Thanks to all who responded to my post about insurance companies
and SSN#'s.
--
Timothy A. Brown
Civil Engineer - Urbana, IL
tabrown@srv1dilurb.er.usgs.gov
------------------------------
From: WHMurray@dockmaster.ncsc.mil
Date: 29 Apr 94 11:39 EDT
Subject: Re: NSA remarks at "Lawyers and the Internet"
Now before anyone thinks I've changed my position, Clipper still
sounds to me like a cheap and effective alternative to what is
available today, it is the implimentation (read politics) that has
flaws but these can be fixed. Until I have a Clipper or two to
play with, I am going to reserve technical judgement.
That Skipjack might be effective is an open question. However, The
flaws of the CLIPPER proposal are fundamental and much more difficult
to remedy than my friend suggests.
First, it is flawed as to its source. We need codes that we can all
trust equally. The government in general, and the world's largest
signals intelligence agency in particular is an inappropriate source
for such a code. Trust in the Data Encryption Standard has been
greatly diminished simply by the fact that the NSA consented to it.
Second, it is flawed by secrecy. The only people who can trust a
secret algorithm are those who are party to the secret. The
effectiveness of modern codes does not rely upon their secrecy but
rather upon their complexity. The purpose of secrecy here is not to
improve the security of the mechanism but to resist its replication and
use.
Third, it is flawed by "hardware only." Hardware only is justified by
the need for secrecy but both are rooted in the desire to limit
application and use. However, "hardware only" so severely restricts
use as to leave many requirements unsatisfied. For example, the
availability of encryption services is essential to the integrity of a
"network operating system." There is simply no way that this
requirement can be met by a "hardware only" strategy. While it might
be possible to develop a chip or a card with the proper functionality,
CLIPPER does not have it. While it might be possible to come up with a
chip or a card with the proper functionality, it is clearly not
possible to retrofit or deploy it on all of the components that one
might wish to include in such a network. Even if it could be done, it
would not be within the control of the operating system vendors. They
would be in an impossible bind; the functionality is essential to their
product, but they would have to rely upon some other source for it and
for the customer to buy it and deploy it.
None of these problems is easily remedied. They are not easily
remedied because it is not in the interest of the government for them
to be remedied. Fortunately for us, while we may require the restraint
of the government from the use of its coercive power, we do not need
its active cooperation. There are already codes available to us that
do not suffer from any of these flaws.
William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL
------------------------------
From: andrew@jester.usask.ca
Date: 29 Apr 94 09:55:06 -0600
Subject: Re: Lord Have Mercy On Us All :-(
Christopher Zguris <0004854540@mcimail.com> writes: The only
problem with non-lethal "take-down" weapons is the potential for
abuse. Long before the Rodney King case made the stun gun and taser
infamous, police officers here in New York City lost the ability to
carry or use the stun gun becuase they used it to coerce
confessions. In those cases, the non-lethal stun gun was most
definately abused against citizens. The stun gun was used because
it left only minimal obvious damage that could be documented, so
the offending officers thought they could get away with their
actions (many did, and I'm sure it's happened in other cities). An
"offensive" weapon like a non-lethal stungun should not be compared
to a "defensive" weapon like a Kevlar vest - a Kevlar vest cannot
be abused.
Handcuffs are not an offensive weapon (you do not throw them at the
suspect), but have a potential for abuse.
------------------------------
From: Christopher Zguris <0004854540@mcimail.com>
Date: 29 Apr 94 14:45 EST
Subject: Re: Lord Have Mercy On Us All :-(
elkube@access.digex.net (l.l.lipshitz) writes: Arguably, new
technologies applied to protecting citizens is a good thing.
However, what frightens me is the gradual incursion of military
technology and personnel into the civilian domain. Doesn't the
Memo of Understanding between the DoD and the Justice Dept. scare
anyone else?
What is the Memo of Understanding between the DoD and the Justice
Dept.? Perhaps it involves the military industrial complex looking for
a new threat to justify the huge defense budget?
We already have active military assistance in the War on Drugs and
recommendations for further involvement. Here in the Washington, DC
area, we've seriously entertained proposals for using National
Guard units to patrol our streets to bolster the city's police
force. I believe (don't quote me on this one!) military assistance
has been suggested or is actually being used in efforts to stem
illegal immigration.
The idea of our military patrolling our streets is frightening to me as
well, but, under certain circumstances I think it would be a good idea
to force the military to perform some law enforcement functions.
Fighting illegal immigration on our borders (land, sea, and air) _does
not_ affect American citizens, it affects people who are coming into
this country in violation of our laws (or worse, smuggling drugs).
Illegal immigration is a _very_ large problem, unenforceable laws are
worthless and protect no-one. I think it incredible that we spend
billions of dollars to develope and deploy military technology more
than capable for border patrol but _don't_ implement it. Instead, it
sits around unused or -- at best -- is used in "war games". If the Navy
engaged in patrol and training exercises in support of the woefully
underfunded and underequipped Coast Guard we could significantly close
our borders to drugs & illegal immigration on the seas and better train
military personnel. The same holds true for the air; we have aircraft
carriers and all sorts of state-of-the-art communication & control
systems that could be very effective if used for our immediate
benefit.
Christopher Zguris
czguris@mcimail.com
------------------------------
From: johnl@iecc.com (John R Levine)
Date: 29 Apr 94 19:38 EDT
Subject: Re: Long Distance Companies
Organization: I.E.C.C., Cambridge, Mass.
In the SF Bay Area, if you want cellular phone service from GTE,
they ask for your SSN [and refuse to give you service without it]
Policies vary widely. Here's my experience:
Cellular One Boston (really Southwestern Bell): I went into one of
their agents, a local stereo store, picked out the phone I wanted,
filled out the credit app without the SSN, the guy called it in, and
whoever was on the other end of the phone at Cell One said no SSN, no
service. Much to the guy's dismay, I walked out. Other people later
told me that if I'd called SWB directly they'd probably have been
willing to give me service without the SSN, but I didn't feel like
finding out.
NYNEX Boston: I called them directly, because they had an attractive
free phone/free minutes deal. Guy took the credit app over the phone,
said that without an SSN they might need a $400 deposit. (At 7%
interest, who's complaining?) When I went to get the phone installed
the next week, they didn't want a deposit and the SSN field on the
computer printed work order read 000-00-0000. So much for no credit
check without the SSN.
Cellular One of Vermont (Atlantic Cellular): I called them to get a
second number for my phone. The woman who took the order simply
couldn't believe that I didn't have my SSN handy, and kept calling me
back for a week asking if I'd found it yet. I finally insisted that
I'd never ever be able to find it, so how about something else. She
asked for a bank reference, I gave her the name and number of the
person at the bank who handles my accounts, and she called back about
10 minutes later and said it was all set up. What's really funny is
that I gave her the my banker's unlisted direct dial number which she
answers herself. If I were a crook, I could easily have given her the
number of a confederate who'd pretend to be at the bank.
--
Regards,
John Levine, johnl@iecc.com, jlevine@delphi.com, 1037498@mcimail.com
------------------------------
From: c-cat!david@uwm.edu (Dave)
Date: 30 Apr 94 16:44:46 EDT
Subject: SSN: Do Not Give Your Number to Anyone!
Organization: China Cat BBS (301)604-5976
jkwiatkowski@attmail.com (John Kwiatkowski ) writes: I saw your
message posted in Security. Social Security Numbers were
originally started for exactly that...social security reasons ONLY.
People and businesses took it upon themselves to start using social
security numbers as identifiers. The law says you DO NOT have to
[...] me. I admire you for standing up and refusing to give out
your social security number.PROTECT YOUR PRIVACY!!!Don't give in to
anyone asking for your private info.THEY DON'T HAVE ANY RIGHT TO
ASK FOR OR HAVE IT!
yes, but I am finding this difficult in the employment search world, I
am searching for a new job. many companies now are doing credit checks
before hiring employees, where I don't have a problem with this I do
have a problem with giving my SSN for this purpose. Trying to explain
this to a perspecitve employer without looking like I am trying to hide
something tends to be a difficult subject and rather touchy.
one recriuter told me to "stop the paranoia and just write down the
number", I think I'm going to print off the SSN faq and give it to
him.
1) filling out my SSN is too much of a risk, I have no idea who has
access to their records nor do I know how long they will keep records
or how they dispose of records.
2) filling out a job application with a false information is grounds
for dismissial ( if hired).
3) I might not be hired, because I didn't complete the required
information. ( I currently choose this route. and refuse to give my
SSN until I accept a job offer. I do inform them that if they desire,
they can do a credit check with my name, address, phone. ) for the most
part so far, I've left the SSN blank on the application, and will say
nothing until they ask.
on another note, I had an idea when asked by a business ( non
government, not required) for my SSN, I would ask them for their
company's tax ID number, for they would never divulge their tax ID
number ( dumb if they did), I would explain that the SSN is my tax
number and I can't divulge it either. I haven't had the opportunity to
try this, but I eagerly await the chance to do this.
--
David Ristau
System 0perator UUCP: uunet!anagld!c-cat!david
China Cat BBS INTERNET: david@sed.csc.com
301.604.5976
------------------------------
End of Computer Privacy Digest V4 #061
******************************
.