Date: Thu, 31 Aug 95 11:24:18 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#018
Computer Privacy Digest Thu, 31 Aug 95 Volume 7 : Issue: 018
Today's Topics: Moderator: Leonard P. Levine
Re: A Netscape Story
Re: A Netscape Story
Re: Fair Credit Reporting
SSN Horror Stories
Computer Privacy Digest Outrage
Telcos and Info-privacy
Database for Deadbeat Dads [long]
Info on CPD [unchanged since 08/01/95]
----------------------------------------------------------------------
From: dougw@highz.as.arizona.edu (Doug Williams)
Date: 28 Aug 1995 17:16:28 GMT
Subject: Re: A Netscape Story
Organization: University of Arizona, Tucson, AZ
glew@galstar.com (Gordon A. Lew) writes: Evan Rosser
<ejr@cs.UMD.EDU> wrote: I am not too concerned about undocumented
playful hacks. It has a long history -- i.e. "MAKE LOVE"/Not war?
on DEC-20's, developers' pictures in the Mac SE ROM's, etc. As a
matter of fact, there are more such things in Netscape -- try
typing "about:mozilla" as a URL to load.
A quick scan through the Solaris executable (version 1.1N) with the
command 'strings netscape | grep about' produced the following list:
(Note that about:mozilla does NOT appear).
about: about:ari about:atotic about:blythe about:chouck about:dmose
about:ebina about:hagan about:jeff about:jg about:jwz about:kipp
about:marca about:mlm about:montulli about:mtoy about:paquin about:robm
about:sharoni about:sk about:timm
These all seem to point to the homepages of the various programmers at
Netscape.
-=[doug]=-
------------------------------
From: mannd@server2.CandW.ag (Dave Mann)
Date: 28 Aug 1995 18:53:58 +0400
Subject: Re: A Netscape Story
Evan Rosser <ejr@cs.UMD.EDU> wrote: I am not too concerned about
undocumented playful hacks. It has a long history -- i.e. "MAKE
LOVE"/Not war? on DEC-20's, developers' pictures in the Mac SE
ROM's, etc. As a matter of fact, there are more such things in
Netscape -- try typing "about:mozilla" as a URL to load.
My objection to "Easter Eggs" and cutesy code doodles is that they
introduce uncertainty into an already uncertain system. Every line of
code adds an additional potential for fraud, waste, abuse, malfunction
and/or just plan slop. We argue that adding 100KB to a bloated 20MB
program is no big deal. At the end of the day the Clueless user pays
for it. But, <sigh> yes, I used to put peace symbols on punch cards
and make the KSR-33's play "In a Gadda Da Vida" with the BEL function,
when I worked with the DIAOLS/COINS behemoth at the Pentagon. I was
young then. I still have the punched tape someplace.
|-----------------------------------------------------------------------------|
| Dave Mann - VP2EHF |
| Dorothea Mann - VP2EE |
| E-Mail: mannd @ candw.com.ai {or} vp2ehf @ aol.com {or} vp2ee @ aol.com |
| dave @ datahaven.com.ai {or} 74227.3127 @ compuserve.com |
| |
| Post Office Box 599, The Valley, Anguilla, British West Indies |
| Telephone: 809-497-2150 |
| FAX: 809-497-3557 |
|-----------------------------------------------------------------------------|
------------------------------
From: Barry Schrager <71370.2466@compuserve.com>
Date: 28 Aug 95 17:03:49 EDT
Subject: Re: Fair Credit Reporting
What is the legal obligation of the credit information provider (in
this case - Trans Union) to provide the identity and authorization of a
requestor? Are they legally reponsible?
In this case:
1. The subject requested a consumer copy of her credit report.
2. The report showed an inquiry from an entity -- a credit bureau.
3. The credit bureau's telephone number supplied by Trans Union was always
busy, so the subject requested Trans Union supply her with the
authorization.
4. The entity that requested the information from the credit bureau (as
supplied by Trans Union) had a disconnected telephone number and an
address at a mail drop (similar to Mail Boxes, etc.)
5. Trans Union stated they would send an investigator out and if there was
no good explaination, they would drop the credit bureau as a
correspondent.
6. They verbally told subject that there was no authorzation, they would be
dropping the credit bureau as a correspondent, and that they would be
supplying a real address and telephone number for the entity that
requested the report.
7. Trans Union has still not supplied any information nor confirmed that
they were dropping the credit bureau.
The subject believes that she has been investigated because she is a
witness in a multi-million dollar RICO lawsuit. This information has
been passed on to Trans Union so they know that this is based upon more
than curiosity.
What legal rights does she have against Trans Union? They have been
stonewalling the subject in her attempts to obtain information as to
who received an authorized credit report for over three months. If
they had been forthcoming in the beginning, it would not have come to
this point.
Does she have to file a lawsuit? Are there any government agencies
that oversee this industry? Is there a complaint bureau? Are there
any financial penalties that can be imposed against Trans Union?
Thank you for your help.
--
Barry Schrager
------------------------------
From: "Michael O'Donnell" <mod@world.std.com>
Date: 31 Aug 1995 08:47:10 -0400
Subject: SSN Horror Stories
I'm not nearly as well versed on SSN abuse as I'd like to be. I've
read Chris Hibbard's "What to do when they ask for your SSN" and that's
a great place to start but what I think I'd really like to have is a
compendium of SSN horror stories. Does anybody know where such a
collection might be found?
Also, my employer just notified me and many of my coworkers that
applications for AmEx cards had been submitted in our names and we
could come pick up the cards. Of course, they never bothered to inform
us that they were doing this and they never obtained our permission,
they simply handed over our SSN's and various other items of personal
info to AmEx. When I complained, their attitude was essentially, "You
got a problem with that? Well, too bad."
------------------------------
From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 28 Aug 95 16:40 EST
Subject: Computer Privacy Digest Outrage
It's outrageous that the Digest would run a recommendation for a new
newsletter that doesn't have any track record (Aug. 21 Digest) when it
has rejected my continual efforts to bring my well-established
newsletter to the attention of Computer Privacy Dige st participants.
I have been at this privacy business for more than 20 years. In the
past several years, I have tried to respond to Digest submissions that
sought specific information about the law or company policies.
Later, I submitted lists of the highlights from my newsletter each
month for readers to use in any way they wanted, but the moderator said
that this was "too commercial." Then I tried submitting stories from
PRIVACY JOURNAL that would interest Digest rea ders. Then I questioned
why the moderator includes endless recruiting notices, new-product
notes, announcements of conferences, sign-offs from participants that
include their corporate identities, even advertisements for illicit
dealers of personal infor mation (including their 800 phone numbers).
All of these are commercial. A few months back, the moderator included
a puff piece on a book on cryptography published by a large publishing
house. When I questioned how this fit in with the supposed "non-co
mmercial" policy, the moderator told me that this was a "book review of
legitimate interest to readers."
Perhaps a Digest reader or two who relies on PRIVACY JOURNAL and can
vouch for the quality of the newsletter will submit a statement to
Computer Privacy Digest RECOMMENDING it. That's the only way we can
bring this publication to the attention of Digest participants. Robert
Ellis Smith, Publisher, Privacy Journal.
------------------------------
From: Peter Marshall <rocque@eskimo.com>
Date: 31 Aug 1995 15:36:44 GMT
Subject: Telcos and Info-privacy
Organization: Eskimo North (206) For-Ever
---------- Forwarded message ----------
Date: 30 Aug 1995 23:40:33 -0500
From: jbsajual@sover.net
To: Multiple recipients of list <telecomreg@relay.doit.wisc.edu>
Subject: Re: "Deception"
[....] All I know is the data is there, that it is far richer than any
available data set from any other source imaginable, and that when it
comes to "unleashing" the LEC or introducing competition, the LEC is in
a extraordinarily strong position both to defend its turf, and expand
its products simply because it is in a position to know so much more
about the customer.
The IXC doesn't have the information that can be derived from analysing
local calls... The cable provider's present data set is far poorer
because the minute-by-minute choices the consumer make aren't recorded
in the same way as telephone calls. The Cable co may know if I have the
Disney channel, but it can't tell the program I watched, the length of
time I watched it, etc. The information set they are working with is
far thinner than what is available to the LEC.
By contrast the LEC has at its disposal an extraordinary data set that
virtually no other industry can match. If knowledge is power, then the
LEC has a database of unparalleled value. Even if it is argued that
they don't presently make constructive use of that database (and this
whole thread suggests otherwise)it has to be assumed that eventually
someone WILL notice the value of this information, and in a
de-regulated environment, make use of it.
This has implications for valuing the LEC as a corporation, for
assessing its potential future business opportunities, for assessing
the likelihood of effective competition emerging in anything like the
short term, and -- in my mind -- whether traditional regulatory
concerns around issues of access and price should be replaced by
concerns about privacy and unfair use of the information that can be
derived from call analysis.
[....] I frankly wonder how much attention this issue has gotten from
state and federal regulators. Is there a solution? (or should we go out
and buy as much Bell Atlantic stock as possible? :)
--
Jack Bryar
***************************************************************
Sajual Systems & Consulting, Inc.
"Technical Due Diligence" (sm) Investigations
Project Management and Prototyping
Cambridge MA and Grafton VT
802-843-6101 Fax: 802-843-2640
Partner - NORTHERN MEDIA SOLUTIONS
Telecommunications Applications Evangelists
and Strategic Integration Consulting
(802)843-2500 email: info@nmsi.com
***************************************************************
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 29 Aug 1995 13:08:06 -0500 (CDT)
Subject: Database for Deadbeat Dads [long]
Organization: University of Wisconsin-Milwaukee
Taken from RISKS-LIST: Risks-Forum Digest Monday 28 August 1995
Volume 17 : Issue 30 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND
RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public
Policy, Peter G. Neumann, moderator
From: simsong@vineyard.net (Simson L. Garfinkel)
Date: 28 Aug 1995 08:12:52 -0400
Subject: Database for Deadbeat Dads
SOCIAL INSECURITY PLAN TO MAKE IT EASIER TO
TRACK DOWN 'DEADBEAT DADS' WORRIES PRIVACY ADVOCATES
Simson Garfinkel, Special to the Mercury News
San Jose Mercury News, 17 July 1995, Business Monday, Page 1F
Copyright 1995, Simson Garfinkel
ELEVEN years late, the 1984 as envisioned by George Orwell finally may
arrive.
Welfare reform legislation moving through Congress could dramatically
increase the use of Social Security numbers by state governments as a
way to track people from cradle to grave. The proposal, which would
create or expand a series of national data banks, is designed to track
people who don't want to be found.
With support among both Democrats and Republicans, the proposal is
striking fear among the guardians of privacy, who believe the
legislation would increase the government's surveillance of the
American public.
''What we are facing is the single greatest step toward big brother
government since Watergate,'' said Donald L. Haines, a legislative
counsel with the American Civil Liberties Union in Washington.
Nevertheless, the proposal has received relatively little attention
because the expanded use of Social Security numbers is one of the few
areas of agreement between the Republican-controlled Congress and the
Clinton administration.
Welfare reform was one of President Clinton's campaign promises, and it
also was one of the 10 tenets of the Republican Party's ''Contract with
America.''
Called the ''Personal Responsibility Act,'' the U.S. House of
Representatives passed its version of the bill March 24. The Senate
version, retitled the ''Family Self-Sufficiency Act of 1995,'' passed a
committee vote June 9. Although the committee, chaired by Sen. Bob
Packwood, R-Ore., made substantial changes to the House bill, the
sections dealing with the expanded use of Social Security numbers
remained essentially intact. At the heart of the legislation is the
desire to do something about so-called ''deadbeat dads'' - and moms -
who refuse to pay court-ordered child support payments. Both Congress
and the Clinton administration believe that a large amount of the money
spent on the government's Aid to Families with Dependent Children
program could be saved if more single parents obtained child support
orders, and if those orders were better enforced.
'People normally say that there is a $34 billion gap'' between the $14
billion that is annually paid in child support and the $48 billion that
theoretically could be collected, says Jane Checkan of the Health and
Human Service's Administration on Children and Families in Washington.
Checkan's figures are for the year 1993, the last year available.
In an attempt to close this gap, the welfare reform legislation
mandates increased surveillance of all American citizens. By tracking
Americans when they change jobs or receive state driver's or
professional licenses, the legislation's backers hope to give deadbeat
dads nowhere to hide.
The legislation also calls for mandatory reporting of Social Security
numbers by people getting marriage licenses or divorced, and in
paternity proceedings. These reports are designed to make it easier for
single parents to obtain support orders, and to make it easier for
state welfare agencies to figure out the identity of a spouse when a
single parent applies for benefits.
'Ten million women are potentially eligible to child support for their
kids,'' Checkan said. But many people do not take advantage of their
legal rights. ''Forty-two percent do not have an award in place.''
Welfare reform pushed
Checkan said that it is estimated that as much as 8 percent of the
government's Aid to Families with Dependent Children payments could be
eliminated if child support orders were obtained and enforced. ''That's
why, in the Clinton proposal, that child support is such a major part
of welfare reform,'' she said.
Currently, many government agencies maintain databases that are indexed
by Social Security numbers. Nevertheless, the databases are of limited
use for welfare enforcement. Some of the databases are restricted by
statute so that their information may not be used for purposes other
than that which they were collected. A move to unify standards
Others are not cross-indexed with databases of current address,
employment and child support orders. Still other databases cannot
easily be searched against, because the information is not in a uniform
format. One of the intents of the legislation, sponsors say, is to
bring order to this computational chaos by mandating standard data
representation and indexing strategies. Basing the databanks on Social
Security numbers is key to its success, said Bill Walsh, chief of
California's Child Support Management Bureau, part of the Department of
Social Services.
''I'll tell you, the Social Security number is probably the most
important piece of data that there is in trying to locate parents that
we can't find in order to establish child-support orders, or in cases
where we have already established an order, to get payment on those
orders,'' he said.
A national database also could make it easier to track down the 30
percent of dads who live outside the state, said Walsh. Although such a
database currently exists, the proposed legislation would greatly
expand its reach, by creating a virtual dragnet that could not be
escaped. Civil libertarians worry
Walsh said his department is in favor of creation and expansion of the
national databanks, because they ''allow us to have access to more and
better data in order to locate parents who owe child support.''
Nevertheless, a growing number of civil libertarians are questioning
the creation of large-scale national databanks, and the expanded use of
Social Security numbers, for tracking down deadbeat dads.
''It's a databank that could be used to allow people to track people
down for purposes having nothing to do with (child support),'' said
Haines of the ACLU.
Haines is especially worried that the system could be used to find
victims of domestic violence who are attempting to hide from their
assailants.
''An unfortunate truth is that in our justice system today, for many
victims of domestic violence, their only hope for relief is to escape
into some level of anonymity,'' he said. ''Protective orders don't work
or aren't enforced.''
Although the legislation would prohibit the unauthorized use of the
system, Haines characterized such use as ''inevitable.'' As an example,
he noted how some abusive men find runaway spouses using surreptitious
means, such as privileged data reserved for law enforcement. Potential
for fraud
Other privacy advocates are concerned that the databanks could be used
as the basis for financial fraud.
''I think that there is a real danger using (information) provided for
one purpose for another purpose,'' said Claudia Terraza, an attorney
with the Privacy Rights Clearinghouse at the University of San Diego.
''I see a real problem with people getting access to your Social
Security number and from there, being able to find out your credit
report, or for finding out other information that they could use for
fraudulent purposes.''
Privacy advocates are most upset about the expansion of the Federal
Parent Locator Service. As written, the legislation would create a
national database of virtually all U.S. citizens - parents or not -
with the stated purpose of tracking them so that any individual's most
recent address and employer can be easily determined at any time. The
legislation also would help enforce court- ordered parental visitation
rights.
Staff members working on both the House and Senate versions of the
legislation said that lawmakers were aware of the privacy issues, and
had tried to put ''privacy protection'' measures into the legislation
without compromising the central goal of creating a national location
registry.
''We had a long discussion about (privacy issues) - and the (lawmakers)
were the main people doing the talking,'' said a staffer. ''There were
some members who were real sensitive, and they were absolutely adamant
that (the Social Security number) could not be required to be on the
license itself.''
Nevertheless, the legislation does require states to ask drivers for
their Social Security numbers when they are issued driver's licenses or
professional licenses, and for those numbers to be reported to the
central registry.
''What all of that means is that we will have a de facto national ID
system in this country, which is going to be this database, and with a
de facto national ID card, which will be your Social Security
card/driver's license, all without a debate on whether or not Americans
deserve to be subjected to a Soviet- or Nazi-style national ID
system,'' Haines said.
Effort failed in '60s
This is not the first time that the federal government has proposed
creating a national databank. A proposal in the late 1960s called for
the creation of a national data center that would ''pull together the
scattered statistics in government files on citizens and to provide
instant, total recall of significant education, health, citizenship,
employment records and in some cases personal habits of individuals,''
reported an article in the Feb. 25, 1968 issue of The New York Times.
At the time, the proposal was opposed by privacy advocates like
Columbia University Professor Alan F. Westin and University of Michigan
Law School Professor Arthur R. Miller. Information centers ''may
become the heart of the surveillance system that will turn society into
a transparent world in which our home, our finances, our associates,
our mental and physical conditions are bared to the most casual
observer,'' Miller told the Times.
The national data center was never built, and today the controversy has
been largely forgotten. Nevertheless, says Marc Rotenberg, director of
the Electronic Privacy Information Center, one of the important issues
raised at the time was the danger of entrusting a single federal agency
with so many different files.
''These proposals invariably reach further than originally intended,''
said Rotenberg. ''If the Social Security number is used today to catch
welfare cheats, it can be used tomorrow to identify political
dissidents.
''It is of course ironic that such a proposal would go through the
Congress at the very same time that the Republican majority is urging
greater relaxation of government regulation.''
- - - - - - - - - - - - - - - - - - - - - - - -
INFOBOX: THEY'VE GOT YOUR NUMBER
Legislation currently before the Senate would mandate the creation or
expansion of three national databanks. Each databank would be indexed
by Social Security number. Together, they would track every
American.
(box) Federal Parent Locator Service: Would contain a record of every
driver's license and professional license issued in individual
states.
(box) Federal Case Registry of Child Support Orders: Besides tracking
every child support order issued by the states, this database also
would contain records of every marriage, every divorce and every
paternity determination case in the United States.
(box) State Directory of New Hires: This federal database would be
updated every time an American started working for a new employer. It
would contain the employee's name, address, job description, and the
name of their employer.
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 11 Aug 1995 09:39:43 -0500 (CDT)
Subject: Info on CPD [unchanged since 08/01/95]
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet
eMail. Those who understand the technology also understand the ease of
forgery in this very free medium. Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top. Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks. Anonymized mail is not accepted. All
contributions considered as personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.
Contributions generally are acknowledged within 24 hours of
submission. If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it
easier for the reader to follow a discussion. He will not, however,
alter or edit or append to the text except for purely technical
reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Mosaic users will find it at gopher://gopher.cs.uwm.edu.
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V7 #018
******************************
.