Date: Wed, 01 Feb 95 11:37:25 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V6#013
Computer Privacy Digest Wed, 01 Feb 95 Volume 6 : Issue: 013
Today's Topics: Moderator: Leonard P. Levine
Re: Requests for Home Phone Numbers
Check Security
Phone Numbers as IDs
Tracking of News and WWW Routes
Re: US Government Regulations and Internet Access
Re: Credit Card Signatures
Re: Credit Card Signatures
Wastebaskets
Careless News Media
Re: Radio Shack and Privacy
Infection Data
Info on CPD [unchanged since 12/29/94]
----------------------------------------------------------------------
From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 31 Jan 1995 06:11:28 GMT
Subject: Re: Requests for Home Phone Numbers
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada
In his role as the previous moderatory Mr. Rears and I have expressed
differing opionions in the past about this issue. I'm hoping that we
get around to some new angles and opinions this time around.
In a previous posting, "Dennis G. Rears" (drears@pica.army.mil)
writes: Chip Kaye <aj027@yfn.ysu.edu> wrote: I recently opened an
account on CompuServe and filled in my home phone # on their online
form as 555-555-5555. You provided false information.
Yah so? This kind of demand for information, backed up by a threat of
denial of service is probably why the Quebec government made it the
legal right of consumers not to have to provide unneccessary personal
information. Businesses cannot refuse a request to provide goods or
services just because a consumer refuses to provide irrelevant personal
information.
Most likely compuserve was going to extend you credit.
Quite an assumption. Here in BC there is a major dial in subscription
information service that does nothing on credit. You deposit at least
$100 up front. Money gets deducted as you use it. If the balance
reaches zero before you send more your service stops. Also it is
settled case law here in Canada that a company cannot insist that you
do business on credit. One of the big encyclopedia companies ended up
on the losing end of that judgement. They wanted all customers to buy
on credit, using their loan subsidiary and refused to sell for cash.
They don't try that line since someone took them to court and
established that a vendor cannot make use of their credit and financing
a mandatory condition of purchase. They cannot use a high demand or
the perceived superiority of their product to coerce customers into
using credit or providing irrelevant personal information for creit
screening.
I would prefer not to give out my phone number but was told
that their policy was to require at least 1 phone number. I am
wondering about the legality of this requirement.
Nothing illegal about it. You don't have to provide the number,
they don't have to provide you service. You make the choice.
The US seems to have a much broader pattern of laws than Canada due to
the large number of states.
Is there no US jurisdicition where it is illegal to refuse to provide
goods or services simply because a customer refuses to provide
unneccessary personal information?
My major concern about this kind of "turn on your caller ID or I won't
sell to you" mindset is that hardwire phone numbers can be easily
related to an address because they greatly narrow the geographic area
for which an information seeker has to search unavoidable public
records. On the other hand a cellular phone provides no such link. The
only billing information for the account could be a charge card account
and the cardholders name.
Basically we end up with two classes of telephone users. The affluent
who can afford cell phones and who can turn them off if they don't want
to be traced or harrassed by junk phone calls and those who expose
their phone and residential address every time they make a call.
Some canadians get around CRTC attempts to restrict access to US direct
broadcast satellites by getting post office boxes at border towns and
opening a VISA/Mastercard account at a US bank. This gives the US
broadcaster an out for saying that they didn't realize that they were
delivering a service to a Canadian.
Funny how vendors can be very lax about checking who their customers
are, or where they live, when it is in their financial and regulatory
interest not to know too much.
------------------------------
From: jepstein@cordant.com (Jeremy Epstein -C2 PROJECT)
Date: 31 Jan 1995 09:15:40 -0500 (EST)
Subject: Check Security
Christopher Zguris <0004854540@mcimail.com> wrote: True story: a
friend of mine gave two checks to her accountant, one for $825 in
the accountants name, and one for $125 made out to a major
insurance company. The accountant sent the $825 check to the
insurance company by mistake, and they cashed it _even though_ it
was NOT made out to them. More trivia, the dopes who say you can
delay paying the I.R.S. by not signing the check are full of it,
the I.R.S. will cash it anyway. In fact, I don't think there are
any situations where the bank will say no to the I.R.S.
Not that this has anything to do with privacy, but...
About a year ago this time, I sent my mortgage company a check dated
January 1993 (instead of January 1994). They bounced it back, sending
me a notice that the check was stale (and assessing a late charge). [I
complained; they removed the late charge.] So I sent another check in,
attaching the original with a note to show this is what happened, and
writing in large letters VOID across the old check. BOTH checks were
deposited. Luckily I had enough in my account to cover both, so I
didn't make a fuss (and I didn't have to make a payment the next
month). It would have been interesting to ask the bank to explain
their security if an apparantly year-old check clearly marked VOID
could clear the system!
--
Jeremy
------------------------------
From: "Bruce O'Neel" <oneel@clark.net>
Date: 31 Jan 1995 12:16:41 -0500 (EST)
Subject: Phone Numbers as IDs
mr@world.std.com (Michael J Rollins) wrote: Has any one else
noticed the new trend of businesses answering their phones with an
immediate request for a phone number. This first happened to me
when I called several months ago to inquire about maybe getting an
account at AOL. Since then, it has also happened when I called a
few other companies. Most recently, it happened last week when I
called the customer service number at AT&T. It appears that this
is in fact being done as a sort of password situation, since all of
the numbers where this has so far happened are of the eight hundred
variety.
Yes, I had noticed. This produced a humorous situation with Pizza
Hut. I had some friends move in next store. I went over and ordered
pizza from their phone the night they moved in. Their voice line was a
recycled phone number and Pizza Hut wouldn't take it because they
already had it assigned to another person in our area. Ergo, it
couldn't be the correct number. Luckily for our stomachs they also had
a data line phone number which allowed me another number to satisify
Pizza Hut.
--
bruce
------------------------------
From: kirby6@psu.edu (kirby6@psu.edu)
Date: 31 Jan 1995 19:37:42 GMT
Subject: Tracking of News and WWW Routes
Organization: Penn State University
As a student with a net connection I find myself spending time in some
of the less "politically correct" Usenet groups as well as Web sites.
Is it possible for my school admins. to keep track of the sites I visit
or the news servers I connect to, or even the groups I read? Is every
connection through the campus gateway logged somehow or would I have to
be a specific target? When I connect to a site does that site also
record my connection? Do admins even have time to be concerned with
this?
What I'm wondering is just how any of this information might be used to
"profile" me later. Be it through sales to marketers, restriction of
account, or whatever? Do privacy laws apply to any of this?
Your answers would be greatly appreciated. Could you please suggest
other news groups for this post.
--
regards,
kirby6@psu.edu
------------------------------
From: kasley@chip.fnal.gov
Date: 31 Jan 1995 13:55:36
Subject: Re: US Government Regulations and Internet Access
Eric Hermanson wrote: (one of the regulations on that industry is
that there cannot be more than two cellular providers in any one
metropolitan area. Now SOMEONE please explain the thinking behind
that restriction to me!)
Bear Giles bear@fsl.noaa.gov replied: An informed guess is that
there is a limited number of cellular phone frequencies with
current technology. This is the bandwidth allocated to celphones
divided by the bandwidth required for each channel.
Actually, the limitation on the number of service providers in any one
geographic area dates back to the mid-70's when the present cellular
system was being developed. At that time, mobile phone service used the
IMTS system (Improved Mobile Telephone System). IMTS was improved
because all call setup was handled automatically instead of by a human
operator ("MTS"). IMTS was provided by two licensees: typically the VHF
frequencies were "owned" by an ATT operating company (remember Ma Bell
and her monopoly?) while the UHF frequencies went to whoever the local
"non-wireline" radio common carrier might be (In Chicago, this was
Rogers Radiocomm, long since absorbed into something else.).
When the frequency allocations plans were being made for cellular, the
FCC wanted to prevent Ma Bell from monopolizing ALL of the cellular
channels. Thus, the FCC decided to split the cellular band into two
banks of channels: one for the local Bell operating company and one
for the local RCC.
The lockout situation referred to above has nothing to do with the
assignment of channels between the banks. Each provider has some 300+
individual channels available to his system. When a call crosses cell
boundaries, it is handed-off to a new channel in the same system by the
cell site base stations. Each base station has a limited number of
channels; it would simply be too expensive for every cell site to
support all 300+ channels. If all channels on the destination cell are
busy, the system must either find a useable free channel in a different
adjacent cell or dump the call. Call blocking is not a new phenonmenon;
the equivalent condition happens on the landline network when the
switches can't find a circuit to put a call through; for that case, you
get a fast "all trunks busy" signal.
The number of subscribers that a system can support is determined by
call blocking statistics and is not a simple N/n calculation. It is
based on the available resources (size of the cells, nr of channels in
each cell, bunches of other factors) and a blocking rate goal. Again,
similar calculations have been done for decades by the landline
people.
The two service provider rule is a legacy from the days of the ATT
monolith. Indeed, allocations for the new PCS bands are being made by
auction. The winners are those companies with the deep pockets needed
to "buy" and "develop" scarce radio real estate.
--
paul kasley wa9vyb
kasley@chip.fnal.gov
------------------------------
From: m.sargent@genie.geis.com
Date: 01 Feb 95 06:08:00 UTC
Subject: Re: Credit Card Signatures
Bear Giles writes: That's in the "merchant's agreement" with the
credit card umbrella organizations (e.g., Mastercard
International). They can request ID to verify the cardholder's
identity, but only prior to requesting authorization and only if
they don't record the specific information. Something like "Colo
DL" is acceptable, especially for people like me who refuse to sign
credit cards. (I write "SEE PHOTO ID" instead.)
In fact, in one circumstance, both VISA and MasterCard can require
(except where prohibited by local law) that additional identification
be presented, and that the ID information (driver's license number,
etc) be recorded. That circumstance is the very one Mr. Giles
practices - the use of an unsigned card.
Since June 1st, 1994 (for MasterCard) and January 1st, 1995 (for VISA),
merchants have been instructed to refuse all unsigned cards. A
specific procedure has been established to deal with unsigned cards:
- Require an additional form of signed identification, such as a
driver's license or passport.
- Record any pertinent information about the identification provided
(license number, serial number, expiration date, etc), if allowed by
local law.
- Request that the cardholder sign the card.
- Confirm that the newly signed signature matches that of the other
piece of identification provided.
- The merchant MUST get authorization for the transaction, regardless
of the amount.
If the cardholder refuses to sign the card, the merchant is required to
terminate the transaction. As far as VISA and MasterCard are
concerned, an unsigned card is an invalid card. If an unsigned card is
used illegally, the card issuer has the right to file a compliance case
against the merchant.
Another VISA/MasterCard requirement, which went into effect October
1st, 1994, may explain the increased use of digital signature
capturing. If a customer requests a copy of a transaction, the
merchant is required to provide the best possible reproduction
available of the charge receipt. If the customer believes the copy to
be illegible and disputes the charge, the issuing bank can request
mediation by VISA or MasterCard. An unfavorable ruling will generate a
"fine" of between $10.00 and $25.00 per ruling, depending on card
type. A "digital receipt" isn't prone to the image degradation that
occurs with carbon paper and xerography.
--
Matt Sargent [ m.sargent@genie.geis.com ]
------------------------------
From: "Robert E. Hatfield" <hatfield@paul.spu.edu>
Date: 31 Jan 1995 16:58:36 -0800
Subject: Re: Credit Card Signatures
Organization: Seattle Pacific University
Jesse Mundis wrote: Heh, I did the same thing last time UPS came
around with their pad. I just clearly wrote my first initial
followed by a squiggly line, then my last initial followed by an
other squiggly line. I've seen enough signatures that look like
that before. Apparently, so had the UPS guy who just entered the
name on the pad. ;-) I think I'll have fun with a different
signature each time.
I have been doing the unrecognizable varying signature now for a couple
of years with no problems. It works great.
------------------------------
From: G Martin <gmartin@freenet.columbus.oh.us>
Date: 01 Feb 1995 00:08:16 -0500 (EST)
Subject: Wastebaskets
How careful are you about what you put in your wastebasket at work, or
your trash at home? I was recently making photocopies at a Mailbox,
Etc. and noticed what looked like a tax form in the waste basket next
to the copy machine. I retrieved it and found that it was a medical
claim form. On the form, the person who completed it listed her name,
phone number, address, checked a box indicating she was single, her
SSN, DOB, signature and a description of a medical condition she had.
I made no copies of this document, I just mailed it to her with my name
and phone number attached.
She called me as soon as she opened it, and told me she was glad I
handled it the way I did. She said she'd never be that careless
again. but she and I were talking about what she could have done
instead. Which leads me to a question I'd like to ask all of you. How
do you dispose of documents, diskettes or backup tapes that have
sensitive info on them?
I think shredders are next to worthless because it's so easy to
reassemble the document. And just putting it in the trash just invites
someone with bad intentions to pull it out and possibly misuse the
information. I told her the only safe way I could think of was to take
it home and burn it. How about all of you?
--
Gary Martin
gmartin@FREENET.COLUMBUS.OH.US
------------------------------
From: G Martin <gmartin@freenet.columbus.oh.us>
Date: 01 Feb 1995 00:16:46 -0500 (EST)
Subject: Careless News Media
Saw a story on one of our local TV stations on Monday that just stunned
me with its stupidity and carelessness. They were interviewing a man
who worked for the water company reading meters. The main point of the
story was to ask them for their ID when they come to their door. Then
the camera zoomed in real close on his ID card as he flipped it over
and exposed both sides to the camera.
I videotaped the news that day as I usually do, and replayed the tape
in slow motion. Sure enough, I was able to EASILY read his name, SSN,
DOB, and various physical descriptions like hair color. Columbus is a
city of 500,000 people, and they had to have given that information to
at least tens of thousands of people, some of who are likely
criminals. I couldn't believe the stupidity of it.
The next day, I called the TV station first to tell them what they had
done. I spoke to the General Manager and he seemed genuinely
surprised. I also contacted an ATF agent. He said that the guy is at
great risk of his SSN, etc. being used for all kinds of illegal
purposes from buying guns, to credit cards, etc. His advice was that
the guy contact his office, the Secret Serivce (for credit card fraud),
his local credit bureau, etc., etc., etc. and try to head off any
potential damage before it happens.
My next call was to the media director at the water company. The media
director had been standing right next to him when the cameras took the
pictures. She treated me like I was bothering her, and was very rude.
She said she'd warn the employee who's ID was aired, but I didn't
believe her. I called back again and asked to speak to her boss. He
was very understanding, and said they'd do what they could to help the
employee out. He also said he was going to make up a phoney ID card in
case they ever need to show one again in the media.
How could the media have been so careless?!? they may have ruined this
guys life with their stupidity. Other than the possible risks I've
mentioned, what other risks might he face? Has anyone else seen the
media to anything like this?
--
Gary Martin
gmartin@FREENET.COLUMBUS.OH.US
------------------------------
From: privacy@interramp.com
Date: 01 Feb 95 11:27:35 PDT
Subject: Re: Radio Shack and Privacy
Organization: PSI Public Usenet Link
E.J. Barr <ejbarr@epix.net> wrote: Mr. Featherman; If you're dumb
enough to want to do business with a firm such as Radio Shack, the
grief and agrivation you get, is to be expected. Want to put an end
to it? Stop doing business with Radio Shack. It's that simple.
Dear E.J. Barr,
Thank you for your comment. While I agree that consumers should express
their views with their wallets, I find your approach to be a cop-out.
Radio Shack is not the only company that has violated individuals'
right to privacy. Most companies do so. Radio Shack is simply one of
the more visible enterprises out there.
Your approach inherently assumes that consumers have infinite choices.
I've got news for you. Most consumers don't have many choices. Certain
electronic devices (such as Tandy scanners) are available only at Radio
Shack.
The point is that I suggest changing the system and starting a
grassroots effort while you support consumer exodus.
I respect your view, but urge you to consider the following: In
regulated industries, such as telecommunications (phone companies) or
other utilities (electric, gas, and water companies) where there are
natural monopolies, how would you suggest that people deal with these
firms -- by leaving and not being able to obtain these services -- or
by putting pressure on the firms?
Sure, Radio Shack isn't the only game in town. But your solution
doesn't solve the problem; it ignores it. Convince me that other
electronic merchants will treat you any better.
Even if you do find more privacy-sensitive merchants, isn't our job --
as privacy sensitive advocates -- to help others from being
manipulated?
--
John Featherman
Editor
Privacy Newsletter
PO Box 8206
Philadelphia PA 19101-8206
Phone: 215-533-7373
E-mail: privacy@interramp.com
------------------------------
From: rdurie6@ibm.net
Date: 01 Feb 95 00:17:03
Subject: Infection Data
If the Red Cross sends the name of a person who donated
HIV-positive blood to the CDC, what is the CDC going to do with the
information? They don't know who that person has had sex with, so
how does providing the name to the CDC protect anyone? The CDC
won't have a clue as to who to contact, so the only way the
information could be useful is if people could use a computer to
see if a prospective, or past, partner is on the list. But that
means that *anybody* could access the information, which is *not*
acceptable to privacy advocates.
The needs of Public Health require that exposure data be collected, and
that individuals with exposures to communicable diseases are informed,
is a long standing and well established Public policy concern. If we
simply replace the exposure from HIV to say the Plague then would there
be an issue? I think not. As potential victims of the disease we
should be informed. The only way we are informed is if those with the
disease knew they were infected, and inform those who risk infection.
2) Whether the results of HIV and/or other STD (Sexually
transmitted disease) tests should be made available to persons or
organizations other than the health professionals directly involved
in the notification, testing and treatment procedures. If the
results are disseminated, should it be in statistical form only or
should some persons from government, industry, research or other
fields be able to obtain the identities of those tested and the
results of the individual tests?
The data must be available to organizations with the resources required
to compile and construct exposure profiles. If education is useful then
how do we develop what we teach? As for identities of individuals, it
becomes very important that the exposure be related to a source. The
only way to maintain exposure modalities is to confirm that person "A"
got disease "C" from person "B." Hypothetical; if person B got disease
C without exposure though some yet unknown source how would you test
it. The development of our current understanding of HIV started with
finding out how one man's sexual partners became ill and their sexual
contacts. If the CDC had been restricted from learning his partners
names and their sexual relationships, the development of HIV as a
sexually transmitted disease would have been severally restricted.
Because of the nature of HIV and it's ability to mutate, the
transmission modalities of HIV must be constantly monitored. God forbid
that HIV mutate to an airborne virus.
3.) Whether blood collection agencies have the right to collect
lifestyle information and test donor blood for contagious diseases
of any type in an attempt to screen out potentially unacceptable
donors. Additionally, are the results of these screens the
property of the blood collection agency for further use as they see
fit, or does the "screenee" have the right to control the use of
the information (or somewhere in-between)?
The development of profiles of types of individuals is becoming less
important as HIV spreads throughout the general population. Further, it
may the basis of discrimination suits. If the information is not
collected with any specific identifiers, (SOC # or name) then who
cares? If there are personal identifiers, then it seems to me to be an
attempt to develop it for another purpose.
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet
eMail. Those who understand the technology also understand the ease of
forgery in this very free medium. Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top. Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks. Anonymized mail is not accepted. All
contributions considered as personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.
Contributions generally are acknowledged within 24 hours
of submission. If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it easier
for the reader to follow a discussion. He will not, however, alter or
edit or append to the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Mosaic users will find it at gopher://gopher.cs.uwm.edu.
Older archives are also held at ftp.pica.army.mil [129.139.160.133].
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V6 #013
******************************
.