Date: Tue, 27 Dec 94 12:37:04 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#078
Computer Privacy Digest Tue, 27 Dec 94 Volume 5 : Issue: 078
Today's Topics: Moderator: Leonard P. Levine
Yet Another Bad Use of An SSN
School Monitoring
Re: 3 Hits and You're Out
Re: 3 Hits and You're Out
Re: 3 Hits and You're Out
Internet Ethics Paper
Mother's Maiden Name
Credit Card Information Stolen
K-12 Student Records: Privacy at Risk
Info on CPD, (unchanged since 11/28/94)
----------------------------------------------------------------------
From: jepstein@cordant.com (Jeremy Epstein -C2 PROJECT)
Date: 22 Dec 1994 15:02:31 -0500 (EST)
Subject: Yet Another Bad Use of An SSN
I purchased a new car the other day, and the salesman walked me through
a "customer satisfaction" survey that we'll receive from Ford Motor.
He said that it'll be coded with his SSN for tracing purposes.
Interesting use of that number...
------------------------------
From: collins@nova.umd.edu (Jim C)
Date: 22 Dec 1994 17:42:48 -0500
Subject: School Monitoring
Organization: University of Maryland University College
Recently, the logon banner at my school/internet provider has had an
unsettling addition to it:
"All usage of this system is monitored for security purposes, and by
signing on to the system you are implictly consenting to this
monitoring."
Yipes! What are the implications of this? Is this even legal? I don't
expect to pick up the phone and hear "By using this service you are
implictly consenting to being montored for security purposes", I don't
expect to go mail a letter and see on the mailbox "By using this
service you are implictly consenting to subjecting your mail and
parcels to inspection". What is this nonsense? Jim C.
PS I hope they are "monitoring" this.
------------------------------
From: "Virginia Matzek" <VMATZEK@alumni.berkeley.edu>
Date: Thu, 22 Dec 1994 10:08:00 PACIFIC
Subject: Re: 3 Hits and You're Out
Organization: California Alumni Assoc.
I've been told that it is a good thing to periodically check on one's
own credit, to make sure that there is no mistake in the record. Would
this qualify as a "strike" on the aforementioned "3 (or so) strikes and
you're out"?
Also, does anyone have any advice for me on how to go about doing this?
For example, will it cost me anything (to inquire into information
about myself)?
===================================================================
Virginia Matzek vmatzek@alumni.berkeley.edu
"From the keyboard, through the modem, bounced off an ip gateway,
through some far-away routers to a logical interface near you...
Nothin' but Net!!" -- Ryan Rediske
------------------------------
From: ranck@earn.net (Bill Ranck)
Date: 23 Dec 1994 09:02:41 GMT
Subject: Re: 3 Hits and You're Out
Organization: Universite Paris-Sud, France.
Mike Bandy (bandy@aplcomm.jhuapl.edu) wrote: Indeed, I just bought
a new house and had to justify to the mortgage company a credit
check made by a bank. I had no idea who they were or Now to figure
out why the bank really was looking at my credit...
The last time I looked at my credit report there were quite a few
queries on there from banks I don't deal with. They seem to correspond
with mail compaigns offering credit cards. In other words they query
*everybody* in the database to find who they are going to solicit.
You would think this type of query would be flagged differently though.
--
* Bill Ranck +33.1.69.41.24.26 ranck@earn.net *
* Technical Staff, European Academic & Research Network (EARN) Orsay, France *
------------------------------
From: mikus@bga.com (Mikus Grinbergs)
Date: 23 Dec 1994 13:17:17 GMT
Subject: Re: 3 Hits and You're Out
Organization: Gone Walkabout
Robert Ellis Smith wrote: On Dec. 5, 1994, Geoffrey Knauth asked
whether the mere fact that someone inquires into your credit-bureau
file may have negative consequences for you. The answer is yes.
Credit grantors regard an inquiry from a company into your credit
file without any evidence in your credit file that the company
subsequently granted you credit as evidence that the company
rejected you. To many credit grantors, three inquiries in a short
period of time without any granting of credit indicates that your
credit applications have been rejected three times. That's enough
for other companies to reject you.
What I personally find objectionable is to receive unsolicited letters
saying: "You have been PRE-APPROVED for our credit card (or vacation
rental, or whatever). Just sign here." I make it a point not to
respond. Now you tell me that these hucksters (who've run credit
checks on me that I haven't authorized) make footprints that look like
"credit-denied", unless I accept their offer ? Mind-boggling!
------------------------------
From: VidFreak@ix.netcom.com (Matthew Horn)
Date: 24 Dec 1994 06:16:17 GMT
Subject: Internet Ethics Paper
Organization: Netcom
Hi there...
I recently wrote two papers for college courses this past semester.
The first was one on how different communication on the Internet is
from face-to-face communication. The second, and the one I would like
to get some discussion on, was about how the Internet could be used to
build an Ethical Society.
I would put the entire paper here, but I know how tired my eyes get
reading long posts on local BBSs. Suffice it to say, that it is a
research paper which takes all the available research I had (magazines
mainly) and tried to tie them together to show that the Internet's
Virtual Communities could be the paving stones for a new ethical
structure to begin.
I would like to hear from some of you who read this newsgroup about
what you see as ethical issues on the computer networks. This could be
anything from censorship to being polite. I need to flesh out the
paper some so that I can submit it to a national foundation for
consideration in their upcoming contest.
Thanks for all the help you can give.
--
E-Mail me here (VidFreak@ix.netcom.com):
Vid.Freak@aol.com
matthew.horn@wildcat.olivet.edu
------------------------------
From: Rich24@aol.com
Date: 23 Dec 1994 21:27:31 -0500
Subject: Mother's Maiden Name
I have followed the discussion on this means of verifying the user of a
chargeable service. Why not offer people the option of inputting 4 or 5
different identifying facts such as place of birth, high school name,
etc.
When the user makes a charge, the company would randomly ask for one of
the pieces of information. I realize this system wouldn't eliminate
unauthorized use totally, but it might help cut down on fraud.
--
Rich Sagall
------------------------------
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 26 Dec 94 22:15:29 EST
Subject: Credit Card Information Stolen
In the _Globe and Mail_ (sometimes referred to as the _Groan and
Wail_), "Canada's National Newspaper", for 94.12.15 (sorry about the
delay in posting), there's a note about the theft of credit card
information during ordinary commercial transactions and its use by
criminals:
Credit-card scheme funded heroin trade, police charge: Personal
data gleaned from purchases made at CN Tower.
By Peter Moon Globe and Mail
TORONTO -- A $1.5 million fraud scheme in which stolen credit-card
information was used to finance heroin smuggling has been cracked,
poilice say.
The scheme involved obtaining confidential information about all
credit cards used at the CN Tower during more than three years,
RCMP Inspector Dave Douglas said yesterday.
According to the author, the stolen credit card information was used to
generate cash with the help of dishonest businesses. Apparently a
night auditor in the large tourist trap in downtown Toronto obtained
"computer records involving every purchase made with about 28,000
cards" from January 1989 to May 1994.
The alleged criminals "shared... an acute understanding of how
financial institutions operate and how they can benefit from the
illicit gains obtainable from credit," said Inspector Douglas.
Using credit cards issued by small U.S. banks, "many of whom do not
have the security and credit vetting resources of Canada's large
chartered banks," the criminals and their business confederates
generated phony transactions and shared the proceeds. Apparently "many
customers did not bother to check or challenge fraudulent items that
appeared on their monthly bills."
Detective-Sergeant Charles Konkel of Toronto Metro Police said, "Our
evidence... is that it is a multi-multi-million dollar, perhaps
billion-dollar enterprise and we're just touching the surface with our
investigations."
The conspirators turned their stolen funds into gold bullion and took them to
Hong Kong, returning with illegal drugs which multiplied their gains.
<<Comments from MK: My leitmotif lately has been that credit card use
should require a PIN and that the PIN should be protected from
disclosure to merchants or anyone tapping the communications lines
between retail outlet and credit-card verification centres. If
necessary, users should be issued cryptographically-sound smart cards
which would make counterfeiting impractical for thieves. This system
will be implemented when one credit card supplier realizes that the
investment in proper security can so reduce fraud that it will be able
to lower its service charges for its users and so gain a competitive
edge. And drug-running creeps will not be able to steal millions of
dollars so easily.>>
M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn
------------------------------
From: "Prof. L. P. Levine" <levine@cs.uwm.edu>
Date: 23 Dec 1994 06:09:36 -0600
Subject: K-12 Student Records: Privacy at Risk
SEATTLE CPSR POLICY FACT SHEET
K-12 STUDENT RECORDS: PRIVACY AT RISK
---------------------------------------------------------------------------
TOPIC
The U.S. education system is rapidly building a nationwide network of
electronic student records. This computer network will make possible
the exchange of information among various agencies and employers, and
the continuous tracking of individuals through the social service,
education and criminal justice systems, into higher education, the
military and the workplace.
WHAT IS THE ISSUE?
There is no adequate guarantee that the collection and sharing of
personal information will be done only with the knowledge and consent
of students or their parents.
CHANGES ARE COMING TO STUDENT RECORDS
National proposals being implemented today include:
- An electronic "portfolio" to be kept on each student, containing
personal essays and other completed work.
- Asking enrolling kindergartners for their Social Security Numbers,
which will be used to track each student's career after high
school.
- Sending high school students' transcripts and "teachers'
confidential ratings of a student's work-related behavior," to
employers via an electronic network called WORKLINK.
At the heart of these changes is a national electronic student records
network, coordinated by the federal government and adopted by states
with federal assistance.
Publication 93-03 of the National Education Goals Panel, a federally
appointed group recently empowered by the Goals 2000 legislation to
oversee education restructuring nationally, recommends as "essential"
that school districts and/or states collect expanded information on
individual students, including: - month and extent of first prenatal
care, - birthweight, - name, type, and number of years in a preschool
program, - poverty status, - physical, emotional and other
development at ages 5 and 6, - date of last routine health and dental
care, - extracurricular activities, - type and hours per week of
community service, - name of post-secondary institution attended, -
post-secondary degree or credential, - employment status, - type of
employment and employer name, - whether registered to vote.
It also notes other "data elements useful for research and school
management purposes": - names of persons living in student household,
- relationship of those persons to student, - highest level of
education for "primary care-givers," - total family income, - public
assistance status and years of benefits, - number of moves in the last
five years, - nature and ownership of dwelling.
Many of these information categories also were included in the public
draft, "Student Data Handbook for Elementary and Secondary Education,"
developed by the Council of Chief State School Officers to standardize
student record terminology across the nation. State and local agencies
theoretically design their own information systems, but the handbook
encourages them to collect information for policymakers at all levels.
Among the data elements are: - evidence verifying date of birth, -
Social Security Number, - attitudinal test, - personality test, -
military service experience, - description of employment permit
(including permit number,) - type of dwelling, - telephone number of
employer.
WHO CAN ACCESS THIS COMPREHENSIVE INFORMATION?
Officers, employees and agents of local, state and federal educational
agencies and private education researchers may be given access to
individual student records without student or parent consent, according
to the federal Family Educational Rights and Privacy Act of 1974 (20
USC 1232g) and related federal regulations (34 CFR 99.3). Washington
state law echoes this federal law.
WHAT IS COMING NEXT?
Recent legislation passed in Washington state (SB 6428-'92, HB
1209-'93, HB 2319-'94) directly links each public school district with
a self- governing group of social service and community agencies that
will provide services for families.
This type of program is described in detail in the book, _Together We
Can_, published jointly by the U.S. Department of Education and the
U.S. Department of Health and Human Services. The book speaks of
overcoming "the confidentiality barrier," and suggests creating
centralized data banks that gather information about individuals from
various government agencies- or in other ways ensuring agencies, "ready
access to each other's records."
The book calls for a federal role in coordinating policies, regulations
and data collection. A group in St. Louis, MO, called Wallbridge
Caring Communities, is cited as a model for seeking agreements to allow
computer linkups with schools and the social service and criminal
justice systems to track school progress, referrals and criminal
activity.
WHAT HAPPENED TO ONE COMMUNITY
In Kennewick, WA, over 4,000 kindergarten through fourth graders were
rated by their teachers on how often they lie, cheat, sneak, steal,
exhibit a negative attitude, act aggressively, and whether they are
rejected by their peers. The scores, with names attached, were sent to
a private psychiatric center under contract to screen for "at-risk"
students who might benefit from its programs. All of this was done
without the knowledge and consent of the children or their parents.
CPSR'S POSITION
CPSR Seattle believes that schools and other agencies should minimize
the collection, distribution and retention of personal data. Students
and/or their parents should decide who has access to personal
information.
CPSR ACTIONS
Representatives of CPSR Seattle have gone to Olympia to: - oppose the
use of the Social Security Number as the standard student
identifier,
- urge legislators to set educational goals that can be measured
without invading privacy,
- oppose turning over individual student records to law enforcement
officials apart from a court order or official investigation.
Reports cited:
_Goal 2 Technical Planning Subgroup on Core Data Elements_.
National Education Goals Panel, Washington, D.C. 4-21-93. (ED# 361
403, TM# 020 509).
"Student Data Handbook for Elementary and Secondary Education."
Council of Chief State School Officers, Washington, D.C. draft
9-11-92.
_Together We Can_. Atelia Melaville, et al. U.S. Government
Printing Office. 4-93. (PIP 93-1103).
You may redistribute this fact sheet, as long as it is not modified.
Computer Professionals for Social Responsibility - Seattle Chapter,
P.O. Box 85481, Seattle, WA 98145-1481. (206) 365-4528.
cpsr-seattle@csli.stanford.edu
6/15/94
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 28 Nov 1994 08:46:14 -0600 (CST)
Subject: Info on CPD, (unchanged since 11/28/94)
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet
eMail. Those who understand the technology also understand the ease of
forgery in this very free medium. Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top. Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions generally are acknowledged within 24 hours of
submission. An article is printed if it is relevant to the charter of
the digest and is not redundant or insulting. If selected, it is
printed within two or three days. The moderator reserves the right to
delete extraneous quoted material. He may change the subject line of
an article in order to make it easier for the reader to follow a
discussion. He will not, however, alter or edit or append to the text
except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Mosaic users will find it at gopher://gopher.cs.uwm.edu.
Older archives are also held at ftp.pica.army.mil [129.139.160.133].
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V5 #078
******************************
.