Date: Sat, 29 Jul 95 08:54:10 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#008
Computer Privacy Digest Sat, 29 Jul 95 Volume 7 : Issue: 008
Today's Topics: Moderator: Leonard P. Levine
Re: Texas Driver's License
Re: Social Security Number Abuse by Employer
Re: Social Security Number Abuse by Employer
Re: Social Security Number Abuse by Employer
Re: Social Security Number Abuse by Employer
More SSN Abuse
Information Collection at Sears
Phone Sales
EC Adopts Privacy Directive
Re: BC Telephone Co. Publishes Another Unlisted Home address
Privacy in Commercial Use of the Internet
Time Magazine Eats Crow
Info on CPD [unchanged since 12/29/94]
----------------------------------------------------------------------
From: coleman@alexia.lis.uiuc.edu (Scott Coleman)
Date: 27 Jul 1995 17:23:34 GMT
Subject: Re: Texas Driver's License
Organization: University of Illinois at Urbana
In <comp-privacy7.7.2@cs.uwm.edu> Maryjo Bruce <sunshine@netcom.com> writes:
>I just went to have my driver's license renewed in Texas. I had to
>provide both right and left thumbprints. Does every state do that?
No.
CA: Right thumb print.
IL: No thumb print.
--
Scott Coleman, President ASRE (American Society of Reverse Engineers)
asre@uiuc.edu
and From: idela!markb@ide.com (Mark Bells Home Account)
California does. They use an electronic imaging system where the
applicant puts her/his thumb on a little glass plate. The operator
then has a remarkably good image on a PC screen and can ask the
applicant to make any adjustments (lighter, heavier, etc.). I had
the operator show me what she was seeing and it was a high quality
image. This of course is captured digitally and stored somewhere.
I asked if it is encoded on the magnetic strip on the license but she
said no, all that the strip had was name and address.
--
Mark Bell
IDE Northidge, CA
and From: JF_Brown@pnl.gov (Jeff Brown)
organization: Battelle Pacific Northwest Labs
Washington State does not.
and From: levine@cs.uwm.edu
organization: University of Wisconsin-Milwaukee
Wisconsin demands only that you give your SocSocNo, it does not appear
in the license but is held in the computer records.
------------------------------
From: JF_Brown@pnl.gov (Jeff Brown)
Date: 26 Jul 1995 19:40:29 +0000 (GMT)
Subject: Re: Social Security Number Abuse by Employer
Organization: Battelle Pacific Northwest Labs
wmcclatc@internext.com says... This is kind of redundant since
most people have their SSN's on the check already.
I certainly hope not! NOT MINE!
--
Jeff Brown
JF_Brown@pnl.gov
------------------------------
From: coleman@alexia.lis.uiuc.edu (Scott Coleman)
Date: 27 Jul 1995 17:20:40 GMT
Subject: Re: Social Security Number Abuse by Employer
Organization: University of Illinois at Urbana
wmcclatc@internext.com (Bill McClatchie) writes: This is kind of
redundant since most people have their SSN's on the check already.
Actually, my experience is exactly the opposite. Having worked retail
for many years in my pre-graduate days, I have had the opportunity to
observe firsthand the printing on many, many checks. Very few had the
SSN preprinted on them. As for myself, my checks have my name and PO
Box number. This is enough to satisfy those merchants which use check
guarantee services which require a preprinted name and address. If the
merchant wants more, he has to ask me for it (and justify his request
before it will be granted).
--
Scott Coleman, President ASRE (American Society of Reverse Engineers)
asre@uiuc.edu
"An Irishman is never drunk as long as he can hold onto one blade of grass and
not fall off the face of the earth."
------------------------------
From: mitcht@alaska.net (Mitch Thompson)
Date: 29 Jul 1995 08:02:07 GMT
Subject: Re: Social Security Number Abuse by Employer
Organization: Internet Alaska, Inc.
mitcht@alaska.net said: in MA, it's illegal to require anything
other that name/address driver's license number and a phone number
on the check. (though if you DL # is the same as your SSN that's
another problem; though it can be corrected..)
An example I can give is that, being in the military, whenever I shop
at the on-base BX and/or commissary (or, really, any place on a
military installation where I might have to write a check) my SSN is
always required as part of the identification process. In 12 years of
service, I never really questioned it, but I think that when it comes
time to order new checks, my phone #/SSN will not be imprinted on them,
just to see what happens. One thing I think is funny is how often the
military harps on your SSN being Privacy Act information, and how often
you are required to give it out. Just see how far you get if you
don't!
I still have my 1962 SS card from shortly after I was born and at the
bottom it says "For Social Security and Tax Purposes - Not for
Identification". I notice on my son's (1991) it doesn't say that.
When did they stop that, I wonder?
--
Mitch Thompson, Anchorage, Alaska USA (E-Mail me for public PGP v2.6 key).
PGP Key fingerprint = 1C 4E 12 29 4C 6D 29 90 8F B6 0B 2F 42 71 B6 4E
---------------------------------
"The gift of God is eternal life" -- Romans 6:23
------------------------------
From: wmcclatc@internext.com (Bill McClatchie)
Date: 27 Jul 1995 15:27:12 -0400
Subject: Re: Social Security Number Abuse by Employer
Well I wrote the following, and have gotten several responces to it.
So I will elaborate some.
wmcclatc@internext.com (Bill McClatchie) wrote:
This is kind of redundant since most people have their SSN's on the
check already.
First , no my SSN is not on my checks. And neither is a currently
correct mailing address or phone number.
And yes, SSN's are on many people's checks - And people get these there
the same way you get your name, address, and phone number on them.
Some people request it, and others don't realize it is there until they
get their checks since banks now feel that it is more conveinant for
people to have this on their checks.
And I work in retail, and have for several years - and this has been in
practice in areas where drivers liscence numbers are the SSN's. Since
retailers can ask for a drivers liscence before taking a check, and
write this info down on the check - or request the customer put it
there - a great deal of people feel that it is easier and less hassle
to just have the information put on.
[moderator: Since Bill McClatchie started this string, let us give him
the last word on it.]
------------------------------
From: PHILS@RELAY.RELAY.COM (Philip H. Smith III, (703) 506-0500)
Date: 27 Jul 95 07:44:50 EDT
Subject: More SSN Abuse
A local Washington, DC TV station was recently doing a story on Jack
Kent Cooke, owner of the Washington Redskins (among other things). As
part of the story, they were discussing his refusal to discuss his
income publicly, and mentioned that they had a copy of his tax return.
They then SHOWED the front page of a tax return filled out with his
name and address, including an SSN! One can only hope that it was NOT
his real SSN...
--
phsiii (of course, I memorized it Just In Case)
------------------------------
From: Robert Gellman <rgellman@cais.cais.com>
Date: 28 Jul 1995 09:42:00 -0400 (EDT)
Subject: Information Collection at Sears
In response to the recent postings about retailers collecting
information from their customers, I offer my own experience. I went to
Sears to buy an appliance costing several hundred dollars. The clerk
asked for my phone number. I refused. He entered 555-1212. He then
asked for my address. I refused. He would not sell me the item unless
I gave my address. I was paying by non-Sears credit card. I went to
another retailer and was asked for the same information. I refused.
They shrugged and sold me what I wanted anyway.
--
Bob Gellman
------------------------------
From: Maryjo Bruce <sunshine@netcom.com>
Date: 26 Jul 1995 21:27:19 -0700 (PDT)
Subject: Phone Sales
Is there any reliable way to stop phone sales calls. On July 24 I left
for a meeting at 5 pm and returned at 10:30pm. There were 25 calls on
my caller id box. My entire half hour answering machine tape was
full. Since it was my birthday, visions of birthday wishes danced in
my head. However, twenty-two of the calls were sales calls.
One firm calls me 3x daily, 4 days/week sometimes. When I call their
number on the caller id box, I get a message saying it is a non-working
number. Through the phone co I located the business. I phoned
personally and asked to be put on the no-call list. A phone co rep did
the same in my behalf. They told us both to buzz off. They continued
calling.
I then sent a written request to an address given me by the phone co
asking that all sales calls to my number be stopped. It had no effect
at all. My number is unpublished and unlisted.
The situation is getting out of control. Is there any way to make
these people stop? They seem fearless.
--
Mary Jo Bruce, M.S., M.L.S.
Sunshine@netcom.com
------------------------------
From: Monty Solomon <monty@roscom.COM>
Date: 27 Jul 1995 00:45:17 -0400
Subject: EC Adopts Privacy Directive
forwarded message from Marc Rotenberg <rotenberg@epic.org>
Apologies for the long message. If you are not interested in privacy
issues or the development of international standards for the GII,
simply delete this message. Otherwise, read on.
The European Community has taken a major step this week to protect the
privacy interests of citizens and consumers. The passage of the
Directive on the Protection of Personal Data is the culmination of a
process that began over a decade ago to address growing concerns about
the impact of technology on society.
There are, of course, many questions remaining about the scope and
implementation of the Directive. But there is no doubt that this a
significant event in the ongoing effort to preserve human rights in the
information age.
The announcement from the European Commission follows.
Marc Rotenberg, director
Electronic Privacy Information Center
(www.epic.org)
--------
EUROPEAN COMMISSION PRESS RELEASE: IP/95/822
DOCUMENT DATE: JULY 25, 1995
COUNCIL DEFINITIVELY ADOPTS DIRECTIVE ON PROTECTION OF
PERSONAL DATA
The Directive on the protection of personal data has been formally
adopted by the Council of Ministers. ``I am pleased that this important
measure, which will ensure a high level of protection for the privacy
of individuals in all Member States, has been adopted with a very wide
measure of agreement within the Council and European Parliament''
commented Single Market Commissioner Mario Monti. ``The Directive will
also help to ensure the free flow of Information Society services in
the Single Market by fostering consumer confidence and minimising
differences between Member States' rules. Moreover, the text agreed
includes special provisions for journalists, which reconcile the right
to privacy with freedom of expression,'' he added. ``The Member States
must transpose the Directive within three years, but I sincerely hope
that they will take the necessary measures without waiting for the
deadline to expire so as to encourage the investment required for the
Information Society to become a reality.''
The Directive will establish a clear and stable regulatory framework
necessary to guarantee free movement of personal data, while leaving
individual EU countries room for manoeuvre in the way the Directive is
implemented. Free movement of data is particularly important for all
services with a large customer base and depending on processing
personal data, such as distance selling and financial services. In
practice, banks and insurance companies process large quantities of
personal data inter alia on such highly sensitive issues as credit
ratings and credit-worthiness. If each Member State had its own set of
rules on data protection, for example on how data subjects could verify
the information held on them, cross-border provision of services,
notably over the information superhighways, would be virtually
impossible and this extremely valuable new market opportunity would be
lost.
The Directive aims to narrow divergences between national data
protection laws to the extent necessary to remove obstacles to the free
movement of personal data within the EU. As a result, any person whose
data are processed in the Community will be afforded an equivalent
level of protection of his rights, in particular his right to privacy,
irrespective of the Member State where the processing is carried out.
Until now, differences between national data protection laws have
resulted in obstacles to transfers of personal data between Member
States, even when these States have ratified the 1981 Council of Europe
Convention on personal data protection. This has been a particular
problem, for example, for multinational companies wishing to transfer
data concerning their employees between their operations in different
Member States.
Such obstacles to data transfers could seriously impede the future
growth of Information Society services. As the Bangemann Group report
to the Corfu European Council remarked: ``Without the legal security of
a Union-wide approach, lack of consumer confidence will certainly
undermine the rapid development of the information society.'' As a
result, the Corfu European Council called for the rapid adoption of the
data protection Directive.
To prevent abuses of personal data and ensure that data subjects are
informed of the existence of processing operations, the Directive lays
down common rules, to be observed by those who collect, hold or
transmit personal data as part of their economic or administrative
activities or in the course of the activities of their association. In
particular, there is an obligation to collect data only for specified,
explicit and legitimate purposes, and to be held only if it is
relevant, accurate and up-to-date.
The Directive also establishes the principle of fairness, so that
collection of data should be as transparent as possible, giving
individuals the option of whether they provide the information or not.
Moreover, individuals will be entitled to be informed at least about
the identity of the organisation intending to process data about them
and the main purposes of such processing. That said, the Directive
applies different rules according to whether information can be easily
provided in the normal course of business activities or whether the
data has been collected by third parties. In the latter case, there is
an exemption where the obligation to provide information is impossible
or involves disproportionate effort.
The Directive requires all data processing to have a proper legal
basis. The six legal grounds defined in the Directive are consent,
contract, legal obligation, vital interest of the data subject or the
balance between the legitimate interests of the people controlling the
data and the people on whom data is held (i.e. data subjects). This
balance gives Member States room for manoeuvre in their implementation
and application of the Directive.
Under the Directive, data subjects are granted a number of important
rights including the right of access to that data, the right to know
where the data originated (if such information is available), the right
to have inaccurate data rectified, a right of recourse in the event of
unlawful processing and the right to withhold permission to use their
data in certain circumstances (for example, individuals will have the
right to opt-out free of charge from being sent direct marketing
material, without providing any specific reason).
In the case of sensitive data, such as an individual's ethnic or racial
origin, political or religious beliefs, trade union membership or data
concerning health or sexual life, the Directive establishes that it can
only be processed with the explicit consent of the individual, except
in specific cases such as where there is an important public interest
(e.g. for medical or scientific research), where alternative safeguards
have to be established.
As the flexibility of the Directive means that some differences between
national data protection regimes may persist, the Directive lays down
the principle that the law of the Member State where a data processor
is established applies in cases where data is transferred between
Member States.
The Directive also establishes arrangements for monitoring by
independent data supervisory authorities, where necessary acting in
tandem with each other.
In the specific case of personal data used exclusively for
journalistic, artistic or literary purposes, the Directive requires
Member States to ensure appropriate exemptions and derogations exist
which strike a balance between guaranteeing freedom of expression while
protecting the individual's right to privacy.
For cases where data is transferred to non-EU countries, the Directive
includes provisions to prevent the EU rules from being circumvented.
The basic rule is that the non-EU country receiving the data should
ensure an adequate level of protection, although a practical system of
exemptions and special conditions also applies. The advantage for
non-EU countries who can provide adequate protection is that the free
flow of data from all 15 EU states will henceforth be assured, whereas
up to now each state has decided on such questions separately.
For their part, the Council and the Commission have made it clear that
they consider that the European Union institutions and bodies should be
subject to the same protection principles as those laid down in the
Directive.
END OF DOCUMENT
------------------------------
From: klassen@sol.UVic.CA (Melvin Klassen)
Date: 27 Jul 95 19:31:19 GMT
Subject: Re: BC Telephone Co. Publishes Another Unlisted Home address
Organization: University of Victoria, Victoria B.C. CANADA
ua602@freenet.victoria.bc.ca (Kelly Bert Manning) writes: Vancouver
TV stations aired a story of a woman forced to move to a
transistion [sic] house today after BC Tel published her home
address. She had called BC Tel 4 times before the new directory
came out, to confirm that the address would not be published. BC
Tel claimed to need to have the home address "for billing" and had
promised to just list a PO box number. A while back a womens'
shelter had to close down after BC Tel negligently published the
address.
They didn't "close", they just moved.
BC Tel's initial response after the angry woman contacted them was
to offer a $20 gift certificate. After being contacted by news
reporters BC Tel spokes- woman Michelle Gagon seemed to be offering
to help with relocation expenses.
BCTel's most-recent offer is $1500 (CDN), plus "incidental" expenses,
but she is demanding $9000 (CDN).
------------------------------
From: MIRZA A R <A.R.Mirza@city.ac.uk>
Date: 28 Jul 1995 13:41:12 +0100 (BST)
Subject: Privacy in Commercial Use of the Internet
I am interested in privacy in the commercial use of the internet. I am
especially interested in the threat posed for large organisations using
the internet, methods to overcome these threats to become more secure,
and any other relevant issues. I would be grateful for any responses.
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 26 Jul 1995 20:14:41
Subject: Time Magazine Eats Crow
Organization: University of Wisconsin-Milwaukee
This is a reprint of a portion of an electronic newsletter BONG that
addresses the issue very well in my opinion. I include it here with
permission.
From: mlinksva@netcom.com (Mike Linksvayer)
Date: 26 Jul 1995 20:14:41 -0700
Subject: BONG Bull No. 332!
*********************************************************************
The Burned-Out Newspapercreatures Guild's Newsletter
<<<<<<<<>>>>>>>>>>>>>>>>>>>>>> BONG Bull <<<<<<<<<<<<<<<<<>>>>>>>>>
Charley Stough, Chief Copyboy
*********************************************************************
Copyright (c) 1995 by BONG. All rights reserved.
To subscribe: E-mail to LISTSERV@NETCOM.COM. In the text say
SUBSCRIBE BONG-L.
[...]
EXCERPT. Here is the opener for this week's News From the Net column,
available to clients of the New York Times News Service, the most noble
wire service of them all. (Non-NYTNS client editors may arrange for
one-time rights by contacting columnist Charles Stough directly at
copyboy@dmapub.dma.org.)
...
Unwittingly, as it ate crow in its July 24 edition, Time magazine
underscored the power of the new Internet medium.
Admitting fatal flaws in its earlier report of Internet pornography --
a college student's "study" of computer porn lumped private,
adults-only links, called bulletin boards or "BBS's", with the public
Usenet special-interest groups shared by millions of adults and
children worldwide. And it made appalling miscounts on the statistical
side. And there were other errors, some of which Time now admits.
Usenet? BBS? Huh? The difference is this.
Imagine the world's busiest airport, its terminals chockablock with
millions of people and groups chattering away in all languages about
all subjects, its runways buzzing with cargo linking it to every other
place on the planet. That's the Internet.
Now imagine a tiny closet-sized lounge far past Gate 89-W, with a
"Members Only" sign on the door. That's a BBS, trading its wares in
code, dealing through credit cards.
If a BBS distributes pornography, it's in a digusting trade. But it's
not public. A child would accidentally stumble upon porn on the
Internet about as easily as a tot in O'Hare Airport would accidentally
wander into a locked frequent-fliers' club, order a pitcher of
Singapore slings and fax an order for $2 million worth of Botswanan war
bonds to the Bank of Tokyo.
Someone at Time knew all this when it frightened moms with its lurid
cover story about Internet porn. But not everybody at Time,
obviously. (And how about the illustrations? A naked man having sex
with a computer? Come on, Time guys!).
Now here's the fun part. Time's shoddy reporting set off a blizzard of
rebuttal in the Internet.itself, exposing Time's "scholar," his record
of doubtful scholarship, salacious publishing of his own, and the
grievous research flaws in this study. You can still see it and even
join the discussion, if you have a computer and modem and open the
Usenet group called alt.culture.usenet.
Time had to back down.
Once a world-class publishing powerhouse able to define truth with its
own vision, Time was beaten back by Internet users. None had more than
a computer and a modem, and yet with the new power of the press -- the
press of a button -- any of them could place an article before millions
of readers more than Time ever reached in its best week of ink-on-paper
printing.
Is something new and wonderful going on in mass communications now?
No. What Time magazine's editors didn't know is that it already had
happened.
[...]
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet
eMail. Those who understand the technology also understand the ease of
forgery in this very free medium. Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top. Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks. Anonymized mail is not accepted. All
contributions considered as personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.
Contributions generally are acknowledged within 24 hours of
submission. If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it
easier for the reader to follow a discussion. He will not, however,
alter or edit or append to the text except for purely technical
reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Mosaic users will find it at gopher://gopher.cs.uwm.edu.
Older archives are also held at ftp.pica.army.mil [129.139.160.133].
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V7 #008
******************************
.