Date:       Mon, 09 Jan 95 13:44:42 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V6#004

Computer Privacy Digest Mon, 09 Jan 95              Volume 6 : Issue: 004

Today's Topics:			       Moderator: Leonard P. Levine

                    Police Abuse of Personal Records
                   RCMP Probes Police Misuse of Files
                          Re: Credit Reporting
                          Re: Credit Reporting
                          Re: CallerID Opinion
                          Re: CallerID Opinion
                          Re: CallerID Opinion
                            Re: Opening Mail
                         Re: School Monitoring
                             Re: False data
                        Re: Signature Digitizers
                        Re: Signature Digitizers
                        Re: Signature Digitizers
                         Archives for Volume 5
                 Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: Robert Jacobson <cyberoid@u.washington.edu>
Date: 07 Jan 95 10:47:20 -0800
Subject: Police Abuse of Personal Records

About a decade ago the executive director of the Port of Fresno and the
Fresno County (CA) Board of Supervisors had a major falling out over
management of the Port.  Two supervisors (elected officials) were
particularly unhappy with the fiscal condition of the Port and the
dictatorial management techniques of the executive director.

The Board members convened a series of special hearings prior to
seeking the executive director's resignation.  While they prepared, the
executive director of the Port, drawing on powers delegated to port
authorities by state law, deputized a number of his security guards,
rendering them "real" policemen.  As a result of their new status, the
"Port Police" gained access to California's extensive and comprehensive
law enforcement information system, including access to confidential
materials (like arrests, investigations in process, and so forth --
matters that never go to trial, for example).

Wouldn't you know it?  Search long enough and you can turn up
anything:  the Port Police found that there were certain investigations of
the aggressive supervisors in the past and, in fact, by simply using
the system, the Port Police were adding to the supervisors' records!
It didn't come out until after the fact, but the series of hearings on
the Port of Fresno's management were quietly cancelled and the
supervisors went on to other matters.

--
Bob Jacobson
Former Staff Director
Assembly Utilities and Commerce Committee
California Legislature


------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 09 Jan 95 13:35:45 EST
Subject: RCMP Probes Police Misuse of Files

    The _Globe and Mail_ reports (95.01.07, p. A1) on an ongoing
    investigation in British Columbia:

    RCMP can't tighten security on police files: Possible misuse of
    confidential data on abortion clinic staff probed in B.C.

    By Robert Matas, British Columbia Bureau

    VANCOUVER -- Every year, some police officers in every province are
    accused of misusing confidential information that they are
    authorized to obtain, and the RCMP says it cannot figure out how to
    tighten security.

    Currently, a police officer in Delta, B.C., is under investigation
    to determine whether he gained access to confidential files at the
    RCMP's Canadian Police Information Centre to help the anti-abortion
    movement.

The article goes on to make the following key points:

* Workers at several abortion clinics "have been harassed at home by
anti-abortion activists, even though their phone numbers are unlisted."

* Provincial authorities in B.C. have initiated a review of security
arrangements for motor-vehicle databases; they will focus on
need-to-know and on audit trails.

--
M.E.Kabay,Ph.D.
DirEd/Natl Computer Security Assn (Carlisle, PA)
Mgmt Consultant/LGS Group Inc. (Montreal, QC)


------------------------------

From: eric@PrimeNet.Com (Eric Smith)
Date: 07 Jan 1995 22:13:27 GMT
Subject: Re: Credit Reporting
Organization: Primenet

    Scott Coleman <genghis@ilces.ag.uiuc.edu> wrote: My understanding
    is that each of us has MULTIPLE credit reports, one with each of
    several credit bureaus (the big three certainly, and probably some
    smaller regional and local ones, as well). These reports can
    differ, depending on which financial institutions report to which
    bureaus. Thus, by checking "your credit report" (singular) from
    only one bureau, you may be missing inquiries made for your report
    at another bureau. As an example, I know my local credit union
    checks my credit report at some regional credit bureau, but doesn't
    ask TRW, Trans Union, et al.  You might wish to obtain copies of
    ALL your credit reports - I'm afraid you may be in for a rather
    rude awakening.

If we had an ounce of sense, we would insist that our politicians give
us the right to choose our credit bureaus.  We could do so by refusing
to vote for those who failed to vote in favor of such a law.  Such a
law could be very simple, for example it could require that each
individual credit bureau get written permission directly from each
consumer once per year to continue to keep their file.  Then the
consumer filling out a credit application could indicate by checking a
box on the form which credit bureau they wanted the creditor to check.
And appearances to the contrary, this would not invite fraud by
criminals applying for credit.  They would have to give the creditor a
credit bureau that had permission to keep their credit file, or their
credit application would be automatically denied by the creditor, just
as it is now when the credit report comes back saying "file not found."

The logic for this is very clear and hard to argue against.  For
example, why should you be required to pay money to three different
credit bureaus just to find out if there are any mistakes on your
file?  And why should you be required to support credit bureaus that
treat you like dirt?  Make them suck up, by voting against them.  Make
them compete against each other for your favor.  You should have the
right to say to your credit bureau, "if you put one more mistake on my
file, I'm taking my file elsewhere", without having them laugh and
dismiss you as another one of those silly consumers who think they have
rights.


------------------------------

From: froggy@ix.netcom.com (PHILIP KLOSSNER)
Date: 09 Jan 1995 02:38:38 GMT
Subject: Re: Credit Reporting
Organization: Netcom

    mea@intgp1.att.com (Mark E Anderson +1 708 979 4716) writes: I
    receive the so called pre-approved credit cards and credit in the
    mail about once a week and rip them up without bothering to open
    the envelope.  None of these outfits have touched my credit report
    from what I've seen.

    genghis@ilces.ag.uiuc.edu (Scott Coleman) writes: Interesting
    choice of phrase, that last. Your use of the singular implies that
    you believe that there is only ONE credit report for each person
    which may be checked by banks and other parties.  My understanding
    is that each of us has MULTIPLE credit reports, [snip] You might
    wish to obtain copies of ALL your credit reports - I'm afraid you
    may be in for a rather rude awakening.

You are so right!  There are (at least) 3 major bureaus and any number
of regional/local ones.  Sometimes, when I've applied for something, I
get a notice from agencies I've never heard of - no local to LA branch,
and not some division of a major.

You're equally on target with getting credit report*s*!  About 6 months
ago, some regional (Dallas, TX) bureau had me as having purchased a
Lexus and then promptly disappearing.  Much frustration later, this
mess is straight with the majors (e.g. TRW) and some smaller ones.  But
even now, I get "odd rejections", where the report comes from some new
"I've never heard of them" bureau.

As all likely know, bureaus share info and there is an extensive
network of these small agencies out there.  In some respects, you may
be in luck if you get a report from one - you'll have one more of these
(sub)nets to track along.

I agree with this thread:  never take a credit rejection/report lightly
or suppose that the issue stops there.  You may have to pursue such an
issue through quite a nasty maze.


------------------------------

From: les@SAIL.Stanford.EDU (Les Earnest)
Date: 07 Jan 1995 23:04:15 GMT
Subject: Re: CallerID Opinion
Organization: Computer Science Department, Stanford University

    Carmen C. Richberg writes: The Caller ID Service in North Carolina
    is now in many calling areas and it continues to grow. It was
    extremely upsetting when I learned that Caller ID could only be
    offered with the provision of free universal perline and percall
    blocking.

Thank goodness, North Carolina did it right!

    If a person can call my home knowing my telephone number, then it
    is my right to know what number is calling me.

Really?  I don't recall seeing that in the Bill of Rights.

    If a person is honest, then they should not have anything to hide.

Perhaps they honestly don't want you to have their telephone number.
If you get the gadget that displays calling numbers, you obviously have
the option of not answering anonymous calls if you choose.

--
Les Earnest (Les@cs.Stanford.edu)               Phone:  415 941-3984
Computer Science Dept.; Stanford, CA 94305	  Fax:  415 941-3934


------------------------------

From: Panopticon@oubliette.COM (Ian Shook)
Date: 07 Jan 95 17:22:12 CST
Subject: Re: CallerID Opinion

    carmen@infi.net (Carmen C. Richberg) writes: The Caller ID Service
    in North Carolina is now in many calling areas and it continues to
    grow. It was extremely upsetting when I learned that Caller ID
    could only be offered with the provision of free universal perline
    and percall blocking.

I must summarize some of what I removed. Carmen later explicitly stated
that she supports a fully functional caller ID system as her right as a
phone user, and based it upon the analogy of phoneline is to house as
front door is to home. (This should stave off anyone e-mailing her
based upon the selection of her text which I am responding to, which
taken out of context might seem to imply to some that she is shocked at
the caller ID service in itself.)

While I was working with the collections personnel at a local mortgage
company I saw a magazine which collections people subscribe to often. I
must apologize because I don't recall the title, and if anyone else
does, please do e-mail me as I was interested enough to subscribe to
it. In this magazine there was an article on equipment for sale to the
collections community which defeats caller ID call blocking. A computer
scientist friend of mine at the UWM confirmed the existence of such
equipment.

So, it is my understanding that all a person needs is a piece of
equipment that reads the blocked information because there is only a
single bit set in the message stream that says the information has been
blocked. So it is your personal CID equipment that notices the bit and
then blocks the information. Therefore anyone with the right equipment,
or "wrong" equipment depending on your side in the argument, can read
the supposedly blocked information anyway. This was meant for certain
government agencies, and certain other private concerns I can imagine.
But, I further understand that due to incompatibility between telephone
system equipment in different LATAs the caller blocked number may still
show up on the recipient's end regardless of the caller's intentions to
block, or the type of equipment the receiver has.

If anyone has more exact info I look forward to hearing from them.

-- 
Eric Shook, LPD Panopticon Investigative Services  Milwaukee, WI
Voice/DATA/Fax: (414) 372-6418 E-mail: Panopticon@Oubliette.COM


------------------------------

From: dskidmo@halcyon.com (Don Skidmore)
Date: 08 Jan 95 13:15:10 PST
Subject: Re: CallerID Opinion
Organization: The Lone Net-Surfer :-) !

    carmen@infi.net says...  I do not view Caller ID as an invasion of
    privacy for the caller, as some have expressed that oppose Caller
    ID.  In fact, it provides security and privacy.  I pay for my
    telephone service, not the caller.  I do not let people enter my
    home without first asking who is it?  Nor, do I want to answer my
    phone without knowing who is calling.  If a person can call my home
    knowing my telephone number, then it is my right to know what
    number is calling me.  If a person is honest, then they should not
    have anything to hide.

Right on!

    I would like to see the service be updated with the following:
    PerCall Blocking only, Anonymous Call Rejection, and Number and
    Name Delivery in and out of state.

Looks like you are about to get at least some of your wish. Effective
in April, new FCC regs will require passing Caller-ID info long
distance to the extent possible and limit call blocking to per-call
blocking.  Anonymous call rejection would be a local issue.  Sure wish
US West would offer it--I'd sign up in a flash.

-- 
     __    __    _    __          | Just my opinion?  You bet!
 ___/ /__ / /__ (_)__/ /_ _  ___  | dskidmo@halcyon.com
/ _  (_-</  '_// / _  /  ' \/ _ \ | dskidmo@eskimo.com
\_,_/___/_/\_\/_/\_,_/_/_/_/\___/ | Bellevue, Washington  USA



------------------------------

From: ddg@cci.com (D. Dale Gulledge)
Date: 08 Jan 1995 16:07:15 GMT
Subject: Re: Opening Mail
Organization: Northern Telecom Inc., D&OS


    mea@intgp1.att.com (Mark E Anderson) writes: I receive the so
    called pre-approved credit cards and credit in the mail about once
    a week and rip them up without bothering to open the envelope...

    travis@netrix.com (Travis Low) writes: IMHO, it is better to open
    them and look for a postage-paid return envelope.  If there is one,
    just stuff it full and pop it in the mail.  That way, the mailers
    subsidize the post office, saving taxpayer dollars.  And the
    mailers will have to spend money processing the bogus envelopes,
    hopefully to their fatal detriment.

Aside from any other considerations, the only way to be sure that those
preapproved applications aren't misused is to render them unusable.
Obviously, once you have scrawled VOID across the application form and
ripped it up, it can't be used.  Then by returning the prepaid envelope
to the sender, that becomes unusable.

It is not the offer arriving in the mail that is an invasion of
privacy.  The personal information that they are using for their
mailing lists is.

--
ddg@cci.com, D. Dale Gulledge, Software Engineer, Northern Telecom,
Directory & Operator Services, 97 Humboldt St., Rochester, NY 14609


------------------------------

From: froggy@ix.netcom.com (PHILIP KLOSSNER)
Date: 09 Jan 1995 01:46:14 GMT
Subject: Re: School Monitoring
Organization: Netcom

    Jim C (collins@nova.umd.edu) wrote: "Recently, the logon banner at
    my school/internet provider has had an unsettling addition to it:
    'All usage of this system is monitored for security purposes, and
    by signing on to the system you are implicitly consenting to this
    monitoring.' Yipes! What are the implications of this? Is this even
    legal? I don't expect to pick up the phone and hear 'By using this
    service you are implicitly consenting to being monitored for
    security purposes..."

    Wayne Frost <75000.1251@compuserve.com> writes: Why not?  It is
    legal.  I am employed in the banking industry, in the

I work for a payroll service with some "upscale" payees.  After a
scandal where an employee was caught calling one at home (for a date),
my employer researched exactly what activities of employees can be
monitored and when.

This applies to California, and hasn't been legally tested yet.  After
this research, employees were explicitly warned (handbook) that:

  1.  email/internet traffic can be read by the company without
  specific cause.  Logic:  it is the company's system and anything said
  could reflect on the company.  There are cases upholding a firm's
  right to "protect its image" even though that may somewhat impinge on
  the right of free speech.

  2.  phone conversations and vmail may be monitored without cause.

  3.  finally, there's the standard "... can look through desks, etc."
  at any time and without cause.

Of course, this isn't a school, where it may be that a higher degree of
freedom is allowed.  But (as I saw in an earlier posting), it seems to
be the in thing out here in the work world.  Well, as the handbook
says:  If you don't want us to see it, don't send it...


------------------------------

From: jonsg@diss.hyphen.com (Jon Green)
Date: 09 Jan 1995 13:54:11 +0000 (GMT)
Subject: Re: False data

    In a possible past, Leonard P. Levine levine@cs.uwm.edu said: On
    Dec 30 I went to the Radio Shack at 807 E. Capital Drive in
    Milwaukee Wisconsin and purchased an adapter plug (part 274-325)
    for $1.59.  When asked for my phone number I gave them the random
    string 4234 and when I was asked if my name was Maldonaldo, I said
    "sure".  So now I have a receipt with a copy of Mr Maldonaldo's
    address, phone number and zip and area codes.  I sure hope they
    were as phoney as what I would have given them for this essentially
    cash, no warranty transaction.

In the UK, Tandy (=Radio Shack) appear to have abandoned insisting upon
the customer's name and address for each transaction.  Even when they
did, I used a number of tactics to avoid the dreaded mailing list:

1) "Nahhh, you don't need to know that!"  Works for cash transactions,
but they used to get iffy about card transactions, despite the fact
that they didn't _need_ the n&a details, like any other trader;

2) If they insisted, for card transactions or warranties, I used to
write across a vital part of the counterfoil, "Not to be used in any
computer database or for marketing purposes" - or words to that
effect.  This, I believe, would make it a criminal offense under the
Data Protection Act for them to do so;

3) If they were _really_ stubborn, or wouldn't accept that wording, I'd
simply tell 'em to cancel the whole transaction and get the manager.
Ohhh, but they didn't like that one bit!

They were the only store in England in which I shopped who would insist
on those details, and I abhor aggressive and intrusive marketing.


------------------------------

From: "David C. Frier" <duvie@digex.com>
Date: 09 Jan 1995 08:58:48 -0500
Subject: Re: Signature Digitizers
Organization: Express Access Online Communications, USA

    On 7 Jan 1995 Moodperson@aol.com wrote about having his signature
    digitized as part of the process of opening a Sears charge
    account.

In Maryland now, when you obtain or renew your driver's license, your
signature is digitized and stored.  The process involves your signing
your name on a 3x5 card which is fixed over a tablet.  The 3x5 card
says, rather disingenuously, that the signature *on*that*card* will not
become part of your records.  Well, of course it won't -- it's the
digitization of said signature that becomes part of the record!  The
clerk then makes a big show of tearing up the card and throwing it
away, but she would not give me a blank card to take (I wanted to copy
its deceptive verbiage verbatim for this group).

The licence now also features a fat magnetic strip and a digitized
photograph.  How would I go about finding out just what is in that
strip?  I don't expect much help along those lines from the MD DMV.

--David                            GB/CM 
Life is complex:                 d++(-) H- 
part real,                     s+:+ g+ p+ w+
part imaginary.              a37 v++ C+++$ N++
                           U--- W+ M-- -po+ Y+ f
                             t-- j++3 tv- b+++ 
                               n--- e+ h----
                                 u** y++++
                                  r+++(-)
                                   n---*
                                    B--


------------------------------

From: "Jongsma, Ken" <kjongsma@p06.dasd.honeywell.com>
Date: 09 Jan 95 11:59:00 PST
Subject: Re: Signature Digitizers

With the discussion regarding Sears and signature digitizers heating
up, I thought that a recent full page ad by UPS in the latest Business
Week was interesting.

UPS is using the signatures they've been capturing to be reproduced on
a proof of delivery report that can be requested. A shipper can call
UPS and provide the package tracking number and according to the ad,
UPS will fax back a report with the delivery details and signature of
the recipient.

I recall that Amoco used to do this a few years back with their Amoco
(gasoline) charge card. Similar to what American Express does, Amoco
used to reproduce a copy of the signature on the monthly statement. For
whatever reason, Amoco only did this for a few years before giving it
up.

--
Ken Jongsma
kjongsma@p06.dasd.honeywell.com


------------------------------

From: mcdunbar@crems.rockwell.com (mcdunbar)
Date: 09 Jan 1995 19:06:35 GMT
Subject: Re: Signature Digitizers
Organization: Rockwell International Corp

    Moodperson@aol.com says: I recently opened a Sears charge account.
    Part of the process required me to digitize my signature as I
    signed through the credit request. I was told this was to prevent
    forgery.

I made a purchase at a Sears store yesterday using a non-Sears credit
card.  When I refused to sign the receipt on the digitizing pad, I was
also told it was to prevent forgery.  When I asked for a manager, the
clerk immediately relented and let me sign the paper receipt.  The
clerk explained that the signature was "only going into the computer"
and that Sears would never do anything bad with it.

The digitizing pad capturing my signature is probably no worse than
scanning my signature off the receipt. As technology improves and the
digitizing pad can capture not only the outline of the signature, but
the pressure and stroke rates, perfect forgeries could be made.

On another subject... I called the local cable company to get service
installed.  They wanted my SSN.  When I asked why, I was told they
needed to verify who I was.  When I told them they didn't need my SSN,
they backed down and hooked up my service anyway.  What on earth do
they need the SSN for??

--
Mark Dunbar


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 09 Jan 1995 13:24:34 -0600 (CST)
Subject: Archives for Volume 5
Organization: University of Wisconsin-Milwaukee

The archives for CPD Volume 5 are complete and can be found via ftp,
gopher, lynx or mosaic at the following addresses:

Ftp:                 ftp.cs.uwm.edu
Gopher:           gopher.cs.uwm.edu 
Lynx:    gopher://gopher.cs.uwm.edu
Mosaic:  gopher://gopher.cs.uwm.edu

The archives contain indexes for the volume organized by name and by
subject as well as the digests themselves.  You are free to browse the
archives via any of the above servers.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours
of submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it easier
for the reader to follow a discussion.  He will not, however, alter or
edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].



------------------------------

End of Computer Privacy Digest V6 #004
******************************