Computer Privacy Digest Wed, 20 Jul 94 Volume 5 : Issue: 010
Today's Topics: Moderator: Leonard P. Levine
Privacy Information on Gopher
Companies Recording Phone Calls
Government E-Mail Directive
SIN use in Canada
Re: Monitoring of International Calls and Clipper
Re: SSN of Dependants Now Required
Re: Clipper Security and other lies
Re: New National ID Card Proposal
Re: University of New Mexico use of SSN as ID
The Computer Privacy Digest is a forum for discussion on the effect
of technology on privacy. The digest is moderated and gatewayed into
the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests
to comp-privacy-request@uwm.edu. Back issues are available via
anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp"
with password "yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: Privacy Rights Clearinghouse <prc@teetot.acusd.edu>
Date: 20 Jul 1994 00:24:20 -0700 (PDT)
Subject: Privacy Information on Gopher
The Privacy Rights Clearinghouse (PRC) a non-profit consumer education
group, now has a gopher site. The gopher site contains State
(California) and Federal legislation relating to the issue of privacy
and informational fact sheets that are constantly being updated. Some
of the topics include; Your Social Security number, junk mail, e-mail
in the work place and wiretapping, and many others. Gopher to
gopher.acusd.edu. To telnet to the PRC: telnet teetot.acusd.edu,
login: privacy.
The Privacy Rights Clearinghouse is a service for California
consumers. It is administered by the University of San Diego's Center
for Public Interest Law. It is funded by the telecommunications
Education Trust, a program of the California Public Utilities
Commission. It has been in operation since October 1992. Voice
(619)298-3396.
------------------------------
From: tenney@netcom.com (Glenn S. Tenney)
Date: 20 Jul 1994 02:08:13 -0800
Subject: Companies Recording Phone Calls
I know that many companies' support lines have a recorded message
saying that "this call may be monitored by supervisory personnel and
for training purposes". Well, today I had to call AAA's 800 number for
road service and... They don't use any recorded message, they just use
the "beep" every 10 (or is it 15) seconds that they're required to do
if they're recording the phone call.
I spoke with a supervisor who explained that they record all incoming
road service calls now in California, that they use them for training
purposes, and they use them in case there's any dispute. The
supervisor said that I'm the first person she knew of who complained.
She did say that I could call the local AAA office and ask for her
extension and then she'd take the road service call...
Personally, I do NOT want to have any of my phone calls recorded
(unless absolutely necessary). I have no assurances that AAA *only*
uses the recordings for those purposes. Does anyone share my concern
that this ever increasing recording of calls is a potentially
significant violation of our privacy...?
---
Glenn Tenney
tenney@netcom.com Amateur radio: AA6ER
(415) 574-3420 Fax: (415) 574-0546
------------------------------
From: binskeep@crl.com (Bob Inskeep)
Date: 20 Jul 1994 16:30:29 -0700
Subject: Government E-Mail Directive
Organization: CRL Dialup Internet Access
Organization: (415) 705-6060 [login: guest]
Two friends had been corresponding with me via a Military and
Government net. Both recently stopped their e-mail with me and stated
that they had received a rather lengthy instruction prohibiting
personal e-mail on gov systems. I would like to obtain a copy of the
instruction, if it exists. Any help would be appreciated. Thanks.
------------------------------
From: "Kyle Friesen (604) 387-5629" <KFRIESEN@galaxy.gov.bc.ca>
Date: 20 Jul 1994 16:07:00 -0700 (PDT)
Subject: SIN use in Canada
David Mitchell recently commented on the use of the Social Insurance
Number (SIN) in Canada. He wrote: "In Canada, it is illegal to
require SIN for a purpose such as that proposed by Sprint." I would
like to clarify the issue of SIN usage in Canada by the private
sector.
The Privacy Commissioner of Canada recently issued a fact sheet on the
SIN which our office (the B.C. provincial equivalent to the federal
Privacy Commissioner) frequently mails to interested callers (see
below). The Treasury Board Secretariat (a part of the Government of
Canada) in Ottawa has issued guidelines for SIN use within the
Government of Canada, resulting in a narrowing of approved uses over a
multi-year period. However, TBS does not regulate the use of the SIN
in the private sector, including Sprint Canada.
Here is the Privacy Commissioner's fact sheet in its entirety:
[begin quotation] "Social Insurance Numbers (SIN)
Who can ask me for my SIN?
Anyone can ask you for your SIN - there is no law to stop them.
Canadians find themselves asked for their SIN by landlords, stores,
libraries and even hockey teams. However, you do not have to give it
to them. Well, who must I give it to?
There are a few federal laws which require you to give your SIN for
specific purposes. These are:
() for Old Age security, Unemployment Insurance and Canada Pension
Plan contributions or claims (the original purposes for the SIN);
() for Income Tax identification;
() to your employer to send your contributions to UI, CPP and Income
Tax;
() to banks, trust companies, caisse populaires and stock brokers when
they sell you financial products (GICs or Canada Savings Bonds) or
services (bank accounts) that generate interest. They declare your
interest to Revenue Canada for income tax purposes;
() for various Veterans Affairs benefits programs;
() for Canada Student Loans;
() for two Native peoples' programs (Rural and Native Housing Program
and Social Assistance and Economic Development Program); and
() for Gasoline and Aviation Gasoline Excise Tax Applications,
Canadian Wheat Board Act, Labour Adjustment Benefits Act, Tax Rebate
Discounting Regulations, Race Track Supervision Regulations and the
National Dose Registry for Occupational Exposures to Radiation.
Why do other organizations ask for my SIN?
Many stores, financial institutions and even landlords use the SIN to
check your credit rating. Credit bureaus use SINs as credit file
numbers. Other organizations simply use it as a client number to save
them setting up their own numbering systems. And finally, it has
simply become a bad habit - it's on the form but no-one knows why.
What can happen if I refuse to give my SIN?
If you refuse, the organization may deny you the service. This is not
illegal even thought successive federal privacy commissioners - and a
Parliamentary committee - have said it should be.
What can someone find out if they have my SIN?
No-one can get access to your federal government records just because
he or she has your SIN. The Privacy Act sets out strict rules limiting
other peoples' access to your personal information in federal data
banks. However, who uses your SIN outside the federal government - and
how - depends on how well the organization protects its files.
Can a provincial government use the SIN?
The law does not prevent provinces (or local governments) from using
SINs. In Prince Edward Island, for example, parents of newborns must
get the baby a SIN for the health care plan. And provincial
governments use the SIN when they administer federal funds (like the
Quebec Pension Plan or welfare). However, all provinces (except
Alberta and PEI) have privacy laws to protect personal information -
including SINs - in government files. And the Quebec privacy lawcovers
the private sector.
Some provinces are reviewing their uses of the SIN. If you are
concerned about your provincial government's use of the number (and/or
the private sector in Quebec), call your provincial information and
privacy commissioner (or ombudsman where there is no commissioner).
See the blue pages of your telephone directory.
Why should I worry about the SIN, it's just a number.
True, it's just a number and individual file numbers are not
necessarily a privacy problem. But the SIN is very powerful because it
is unique, accurate and widely used. Computer technology now makes it
possible to use the SIN to find and match your information from one
database to another. Theoretically, technology makes it possible to
assemble a detailed profile about you - what you buy, read, eat, where
and when you travel, your medical history, your financial situation.
This amounts to 'data surveillance', or monitoring you through your
daily transactions. This can pose a serious threat to our autonomy.
So what can I do when asked for my SIN?
() Ask if you are required by law to provide it (see the list above);
() Ask why the person needs it, how it will be used and to whom it
will be given;
() If not required by law (and you are not satisfied with the
explanation), tell the person you prefer not to use the SIN and offer
other identification;
() If the organization refuses to give you the product or service
unless you give your SIN, complain to senior management and possibly to
your provincial or federal privacy commissioner (or ombudsman, where
there is no commissioner);
() If you would like better legal protection for your SIN, call or
write your federal member of parliament." [end quotation]
__
R. Kyle Friesen Barrister and Solicitor Office of the Information
and Privacy Commissioner of British Columbia tel. (604) 387-5629
/ fax (604) 387-1696 Internet: kfriesen@galaxy.gov.bc.ca
[moderator: This was not delivered as an ASCII file and required
considerable editing. Typos and missing data are mine. LPL]
------------------------------
From: tnyurkiw@lambert.uwaterloo.ca (Tom Yurkiw)
Date: 19 Jul 1994 16:55:56 GMT
Subject: Re: Monitoring of International Calls and Clipper
Organization: University of Waterloo
ninjo@MIT.EDU writes: I have been following the Clipper debate and
I have a question for all of you Privacy readers out there.
A. to my understanding the NSA monitors all international
commmunications without the need to get any judges approval.
B. with the clipper chip, wouldn't the NSA need to have all the
escrowed keys at their disposal, in order for them to continue this
monitoring?
This was exactly the issue recently raised in a Canadian newspaper (The
Ottawa Citizen). It is all very well for Americans to haggle over
whether the escrowed keys are safe because of the necessity of court
orders, etc. but foreign countries have no such protection. So
really, that leaves Canada, (and other countries with two options):
1. use Clipper and trust the U.S. government in good faith. heh!
2. each develop their own "Clipper" system. This would require
cross-border electronic "gateways" and create horrendous technical
problems with respect to translation, etc.
for that reason, other countries should oppose Clipper.
--
Tommy the Yurk
------------------------------
From: hibbert@netcom.com (Chris Hibbert)
Date: 19 Jul 1994 20:51:41 GMT
Subject: Re: SSN of Dependants Now Required
Organization: NETCOM On-line Communication Services (408 261-4700 guest)
Christopher Hoover <ch@lks.csi.com> wrote: My employer has asked
me to list all my dependents, their relationships to me, and their
*social security numbers*.
This is a new requirement from the Omnibus Budget Reconciliation Act of
1993. It's not supposed to take effect until 1/1/95. If your
employer's request is valid, it should be accompained by a Privacy Act
Notice. Wehn they ask, point to a copy of a W2 and the Privacy Act
notice it has to demonstrate what you want.
I'm still trying to find out more about this.
--
Chris Hibbert protecting privacy in the computer age is
hibbert@netcom.com like trying to change a tire on a moving car.
------------------------------
From: lupienj@wal.hp.com (John Lupien)
Date: 19 Jul 94 16:54:05 EDT
Subject: Re: Clipper Security and other lies
From: barmar@Think.COM (Barry Margolin) Crooks currently use
ordinary, unencrypted phones for sensitive communications. Clipper
phones are at least as secure as unencrypted phones, so why
wouldn't they use them?
The crooks you mention are the same stupid ones that I mention above.
The ones that can expect to survive a caper or two not only don't use
phones for sensitive conversations, they don't use "plaintext english"
- the law enforcement community is well aware of this fact, and the
clipper proposal is not a means of addressing that problem.
--
John R. Lupien
lupienj@wal.hp.com
------------------------------
From: "Justin Fanning" <justin@futures.apana.org.au>
Date: 20 Jul 1994 18:46:38 EDT
Subject: Re: New National ID Card Proposal
Organization: Long... Short... (Futures, Melbourne)
In Australia, the PI-led campaign led to the dissolution of both
houses of the federal Parliament in 1987 after hundreds of
thousands marched in protest. The Australian campaign brought
together groups from all parts of the political spectrum from the
Communist Party to the Libertarian Alliance, farmers and
conservation groups, rock stars, academics, large businesses such
as banks and mining corporations, but the overwhelming support came
from the public who created the biggest civil protest in Australian
history.
So then they called it a "Tax File Number" and everyone was happy.
--
Justin T. Fanning
Justin@futures.apana.org.au
------------------------------
From: khinedi@bu.edu (Kareem Hinedi)
Date: 20 Jul 1994 20:41:02 GMT
Subject: Re: University of New Mexico use of SSN as ID
Organization: Boston University
ead@netcom.com wrote: What do you make of this paragraph from the
application to the University of New Mexico's Office of Graduate
Studies:
The University of New Mexico uses students' social security
numbers as identification at the University. The number is used
for record- keeping purposes only. The authority to use the social
security number comes from the Board of Regents and was adopted on
March 24, 1967. It is mandatory, therefore, that students disclose
their numbers in order to enroll at UNM.
Is this permitted even if the University complies with the Family
Educational Rights and Privacy Act of 1974 (the "Buckley
Amendment"), which prohibits them from giving out personal
information (e.g. the SSN) on students without permission?
from the way I understand it, assuming UNM is a state institution, they
can require the use of the SSN as an identifier as long as they post a
privacy act notice somewhere (which tells you if and why disclosure of
the SSN is mandatory -- and if so, what are the cosequences of not
releasing it, and whom they might release it to).
One question: what about international students who don't have a SSN
when they first come to the US. I am positive, they have some sort of
override mechanism. WHen I worked at a university as a computer
programmer, students who did not have SSNs were given an ID nunmber of
the form: 000-mm-ddyy where mm is month of birth, dd is day of birth,
and yy is year of birth. If the number was already assigned, they used
001-mm-ddyy, then 002-mm-ddyy. I don't remember ever seeing an ID
number above 004 and this was a fairly large university.
(this question would also apply to the rare 17-18 year olds who don't
have a SSN either -- they are actually very rare nowadays given that
the SSN is required for a parent to claim a child as a dependant for
income tax).
--
Kareem A. Hinedi
Boston University School of Public Health
------------------------------
End of Computer Privacy Digest V5 #010
******************************