Date:       Fri, 22 Dec 95 16:58:27 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V7#053

Computer Privacy Digest Fri, 22 Dec 95              Volume 7 : Issue: 053

Today's Topics:			       Moderator: Leonard P. Levine

                    Must I PAY For My Own Drug Test?
               Pointer to Official NZ Privacy Case Notes
                  Re: Employer Abuse of Private Email
         Re: SSN Shown On Payments by Intuit's Banking Service
                       Risks of Checking Accounts
                   Re: Unsolicited email Advertising
                   Re: Unsolicited email Advertising
                  German Service Providers' Databases
                        Nastiness From "Netnet"
                 Conferences/Events of Global Interest
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 22 Dec 1995 14:25:54 -0600 (CST)
Subject: Must I PAY For My Own Drug Test?
Organization: University of Wisconsin-Milwaukee

I saw this on the alt.privacy newsgroup.

     From: bluebird@alpha.c2.org
     Subject: Must I PAY For My Own Drug Test?
     Date: 19 Dec 1995 22:06:29 +0100
     Organization: Mail to Usenet Gateway at Utopia

From the "Believe it or Not" Department:

My professional background is in high-end security, primarily
diplomatic and executive protection.  Terminal illness in the family
forced me to move from the city where I worked to a smaller city where
there are no opportunities to work in this occupation.  Unemployed,
broke and desperate, I find myself looking for a job as a lowly guard
as such is the only related employment available here.

The major companies pay the best wage, but are the most selective.
They require, besides the usual California State background checks,
psychological and drug testing.  OK so far - I have ever used drugs and
pass these tests with no problem.

To my utter astonishment, I discovered that upon application for
employment, Pinkerton Security (which bills itself as the oldest and
largest security company in the world) requires applicants to sign
forms submitting themselves to pre-employment drug screening FOR WHICH
THEY MUST THEMSELVES PAY $20!  The $20 is to be deducted from wages and
will, after six months successful employment, be _partially_
reimbursed.

I cannot believe that it could _possibly_ be legal to require
applicants to PAY for processing employer-mandated drug tests!

While on one hand it seems that a big company wouldn't dare have
application processes that were illegal, it also seems that this is
such an egregious requirement that it just _can't_ be lawful.  I see
big companies getting sued for illegal application procedures fairly
frequently, so maybe I overestimate their legal savvy.

Does anyone here know the straight skinny on this, or what Federal or
California State agency would provide me with the facts?

Thanks.


------------------------------

From: stuart@cosc.canterbury.ac.nz
Date: 20 Dec 1995 21:56:51 GMT
Subject: Pointer to Official NZ Privacy Case Notes
Organization: University of Waikato

This is a pointer to the web pages of the Office of the 
(New Zealand) Privacy Commissioner, Bruce Slane. The site
contains legally binding guidelines, a collection of case
notes, full text of speeches and other relevant data.

http://www.kete.co.nz/privacy/welcome.htm

What is the role and function of the Privacy Commissioner?

The general functions of the Privacy Commissioner include 
receiving representations and consulting with those 
concerned with privacy of the individual and inquiring 
generally into any matter or procedure or practice, 
governmental or non-governmental, or any technical 
development if privacy is being or may be unduly infringed 
thereby. 

The Privacy Act 1993 came into force on 1 July 1993 and 
has as one of its main purposes the promotion and 
protection of individual privacy in general accordance 
with the 1980 Organisation for Economic Co-operation and 
Development (OECD) Guidelines on the Protection of Privacy 
and Transborder Flows of Personal Data. 

(note that this is a pointer to the official pages,
not an official pointer.)

--
There are those who are born UNIX  |Stuart Yeates
Those who are made UNIX            |stuart@cosc.canterbury.ac.nz
And those who become UNIX          |syeates@cs.waikato.ac.nz
For the kingdom of heaven's sake   |Matthew 19:12


------------------------------

From: Ann Cavoukian <cavouk@io.org>
Date: 22 Dec 1995 07:08:03 -0500 (EST)
Subject: Re: Employer Abuse of Private Email

I'm the assistant commissioner for the IPC (Information and Privacy 
Commission) in Ontario, Canada. In your last CP Digest there was a 
reference to our homepage, and a suggestion to surf the Ontario 
government URLs to find it. Since we are not part of the government,
you wouldn't be able to find us there. Here's where you can find us:

        http://www.ipc.on.ca

--
Ann Cavoukian


------------------------------

From: michael@piglet.amscons.com (Michael Bryan)
Date: 21 Dec 1995 08:39:13 -0800
Subject: Re: SSN Shown On Payments by Intuit's Banking Service
Organization: none

    Michael Bryan <michael@piglet.amscons.com> wrote: Another user
    (Robert Mayo) discovered, and I confirmed, that Intuit's online
    bill payment service sends your payees a printout containing your
    social security number.

The latest information on this is that Intuit has agreed to stop this
practice, effective no later than Friday, December 22nd.  Updated
information is available at this URL:

	http://www.mc4.com/mayo/quick.html


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 22 Dec 1995 10:38:57 -0600 (CST)
Subject: Risks of Checking Accounts
Organization: University of Wisconsin-Milwaukee

    Taken from RISKS-LIST: Risks-Forum Digest  Thursday 21 December
    1995 Volume 17 : Issue 57 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS
    AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and
    Public Policy, Peter G. Neumann, moderator

    From: trimm@netcom.com (Trimm Industries)
    Date: 20 Dec 1995 17:00:14 -0800 (PST)
    Subject: Risks of Checking Accounts

A couple weeks ago I was depositing a check at an ATM, filled out the
deposit slip, and was ready to seal it in the envelope when something
attracted my attention to the name on the deposit slip -- it wasn't
mine!  It came out of my pad of (correctly) printed checks, but about
half of the deposit slips in the pad were some other guy, from a
different state, with a different account number AT A COMPLETELY
DIFFERENT BANK!  Now, I understand that check printers service many
different banks, but this guy's name was distant from mine
alphabetically and the account number was quite different.  The RISKs
here are several and obvious, such as what fate befell _my_ deposit
slips, but alas as yet no one has deposited money into my account by
using one of my deposit slips by mistake.

Okay, life is weird and all that, but the very next week BofA
accidentally included someone else's bank statement in with mine,
including all their cancelled checks.  It occurs to me that this would
be a goldmine for a swindler -- here I had a sample of the person's
signature, their (substantial) starting and ending bank balance, their
check style and account number, as well as their home address.  Thus
far, not much for a crook to go on.  But here's the kicker -- the
person paid her phone bill and put her unlisted phone number on the
Memo line, paid her Visa bill and put her Visa number on the Memo line,
and paid some other bill whose account number was her Social Security
Number with an alphabetic prefix, and this was on the Memo field of the
appropriate check.  I had a dossier on this person and if I was a
swindler I could have ruined her life.

The RISKS:
1. Banks are idiots.  Don't trust them to keep your secrets.
2. Don't put all sorts of important numbers on check Memos.
3. Keep in mind that people can _steal_ your checking statement
   from your mail.
4. Merchants: don't assume that because someone has a few personal
   numbers of someone that they are indeed that person.
5. Consider letting the bank store your cancelled checks on microfilm
   for you (but keep #1, above, in mind.)

Gary M. Watson    Sigma-Trimm Technologies   trimm@netcom.com
350 Pilot Road, Las Vegas, NV 89119   Phone: (800) 423-2024 x2115 

   [This is clearly RISKS relevant, although some of you may wonder
   about the computer-relevance.  The bottom line seems to be that if
   we blindly trust technology, we may be more easily led astray.  PGN]


------------------------------

From: jcr@mcs.com (John C. Rivard)
Date: 21 Dec 1995 14:06:38 -0600
Subject: Re: Unsolicited email Advertising
Organization: very little

    herwin@osf1.gmu.edu (HARRY R.  ERWIN) wrote: I have been receiving
    'junk email' from a commercial advertiser,
    netnet@access1.soundcity.net. I have politely asked them to put me
    on their 'do not contact' list, but I continue to find my mailbox
    filled with their stuff. What have people found to be the most
    effective recourse?

You didn't mention if you got any reply to your requests (other than
more junk mail).

If I were you, I'd send a message to "postmaster@soundcity.net"
complaining about the situation. There is a very good chance that this
sort of thing is against the policy of this ISP. Include a copy of one
of the email messages, including all headers.

If that doesn't work, check with interNIC to see who owns the domain.
You may find that it is a subdomain or "vanity domain" that falls under
the control of a bigger service. Then complain to the postmaster
there.

-- 
John C. Rivard <jcr@mcs.com>
Opinions expressed yadda yadda--you know the drill


------------------------------

From: mccurley@swcp.com (Kevin McCurley)
Date: 22 Dec 1995 04:54:08 GMT
Subject: Re: Unsolicited email Advertising
Organization: Southwest Cyberport

    HARRY R. ERWIN <herwin@osf1.gmu.edu> wrote: I have been receiving
    'junk email' from a commercial advertiser,
    netnet@access1.soundcity.net. I have politely asked them to put me
    on their 'do not contact' list, but I continue to find my mailbox
    filled with their stuff. What have people found to be the most
    effective recourse?

I made the mistake of putting my email address in a mailto: url on a
web page early in the days of the web, and have continued to make
non-anonymous postings to usenet.  As a result I have ended up on
numerous databases for telemarketing.  On the other hand, I have never
had a repeat case because I have a fairly effective way of discouraging
them.  I follow this procedure:

1.  I send them a polite reply asking to never receive email from them
again, and pointing out that I have a policy to never do business with
companies that advertise by phone or email.

2.  Most reply to this agreeing to my terms.  Those that do not are
placed on my "Nag" list.  I happen to receive my email on a unix
machine, and I have a crontab that runs once a day to send a piece of
email to them asking to be removed from their mailing list.  It's
basically the same as 1., but a bit more insistent.

3.  Some email advertisers do not read the email to the address that
they sent it from.  In that case I begin sending email once a day to
the "root" or "postmaster" address at the domain where the mail
originated.

4. If I get no response from this after a few days, then I start
sending a huge file (1 megabyte) every day with an explanation that I
am trying to get someone's attention.  This is designed to eventually
fill their disk and make them look for what filled it.

5.  I have never reached this stage, but the next step is to start
sending requests to terminate their service to whoever provides their
DNS and routing service.  Sites whose postmaster does not respond are
considered bad net citizens.

6.  Again, I have never reached this stage, but the next step is to
start sending the huge file every few minutes until their disk fills.
I am not charged by volume for email.

I don't really think that step 7 will be necessary, but I'll consider
recruiting others to send them email, or simply hacking them to bits.
If our society is going to degenerate into a constant state of
information warfare, I am not going to be unarmed.  Perhaps this will
be a new service for www.digicrime.com...

--
Kevin McCurley


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 22 Dec 1995 10:36:35 -0600 (CST)
Subject: German Service Providers' Databases
Organization: University of Wisconsin-Milwaukee

    Taken from RISKS-LIST: Risks-Forum Digest  Thursday 21 December
    1995 Volume 17 : Issue 57 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS
    AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and
    Public Policy, Peter G. Neumann, moderator

    From: muewi@informatik.uni-bremen.de (Wilhelm Mueller)
    Date: 21 Dec 1995 13:44:09 +0100
    Subject: German service providers must maintain covert customer
                databases?

This is an excerpt from an article that appeared in the weekly German
newspaper *Die Zeit*, No. 52 (22 Dec 1959), p.58 (Bulkware/Telephon-CD
gestoppt).  [literal translation by WM] [*emphasis* below is *Die
Zeit*'s] [further translation by PGN, respecting the original German
(not included)]:

  For others, though, address data will suffice only if it can be
  easily compared with other databases.  Such a practical
  ["praktisches"!] information system is needed by the German
  government and secret services.  Paragraph 92a TKG-E of a proposal
  for a new *telecommunications law* published last week would oblige
  all telephone companies, on-line services, and even private mailboxes
  to maintain a database at their own expense containing the full
  names, addresses, and phone numbers of *all customers* -- in case
  someone is under suspicion.  This database must be organised so that
  it can be accessed by higher places ["hoeheren Orts"!] without the
  telecommunication provider noticing it.

Wilhelm Mueller, Am Wall 139, D-28195 Bremen  (office) +49-421-361-10629
muewi@informatik.uni-bremen.de                (home) +49-421-169 2525

   [Ah, mandatory trap doors are a wonderful opportunity for misuse,
   internally and externally.  We've been around this topic in RISKS
   many times before, but this is a new context.  PGN]


------------------------------

From: Nightwolf <N-wolf@cris.com>
Date: Fri, 22 Dec 1995 15:41:59 -0500 (EST)
Subject: Nastiness From "Netnet" 
Organization: Concentric Internet Services

For the first time in my life, I broke down and mailbombed another
Internet E-mail address.  What caused me to take such a step, was
receiving a second junk E-Mail after formally requesting that a Spammer
take my E-mail address off of their mailing list.  Would you believe,
that this firm responded to my mailbomb by sending me a new junk E-mail
within days of receiving my mailbomb?  They did!!!

Appended below, is the full header information, only, from both of the
two advertisements about which I am complaining.  After very carefully
thinking about this problem, I have decided to not in any way risk
rewarding this firm, by including any other details in this post.  I
certainly have no desire to encourage these slimebags!

Has anyone else reading any of these newsgroups received the same pair
of advertisements?  If so, then what have you done, or what are you
planning to do?  Would it be out of line for me to suggest that each
person who has received a copy of this advertisement might call the
eight hundred number given in the advertisement, and advise whomever
answers that you are calling to protest the sending of junk E-Mail?  If
this is not the best solution, then what is a better idea?  Does anyone
have any suggestions?  Please do let me know!  I want to make a point
of nipping this damned garbage in the bud!!!

--
Nightwolf
N-wolf@cris.com

     From netnet@soundcity.net
     Return-Path: <netnet@access1.soundcity.net>
     Received: from access1.soundcity.net by 
        franklin-fddi.cris.com [1-800-745-CRIS (voice)] 
        Errors-To: netnet@access1.soundcity.net
     Received: (from netnet@localhost) by access1.soundcity.net 
        (8.6.12/8.6.9) id UAA14198; Fri, 15 Dec 1995 20:25:31 -0500
     Date: Fri, 15 Dec 1995 20:25:31 -0500
     Message-Id: <199512160125.UAA14198@access1.soundcity.net>
     From: netnet@soundcity.net
     To: N-wolf@cris.com
     Subject: Greetings and Salutations!

     ---------- Forwarded message ----------
     Return-Path: <netnet@www.soundcity.net>
     Received: from www.soundcity.net by franklin-fddi.cris.com 
        [1-800-745-CRIS (voice)] Errors-To: netnet@www.soundcity.net
     Received: (from netnet@localhost) by www.soundcity.net (8.6.12/8.6.12) 
        id GAA07835; Wed, 20 Dec 1995 06:27:56 -0500
     Date: 20 Dec 1995 06:27:56 -0500
     Message-Id: <199512201127.GAA07835@www.soundcity.net>
     From: netnet@access1.soundcity.net
     To: N-wolf@cris.com
     Subject: SAMPO 20" Color Monitor for < $1000!


------------------------------

From: cpsr-global@Sunnyside.COM
Date: 22 Dec 1995 04:24:15 -0800
Subject: Conferences/Events of Global Interest

Taken from CPSR-GLOBAL Digest 289

CONFERENCE /EVENT  SCHEDULE [edited by moderator CPD]

CQL'96:  Symposium on Computers & the Quality of Life (ACM), Philadelphia, PA,
February 14-16, 1996.
Contact:  liffick@cs.millersv.edu      717 872 3536     717 871-2320 (fax)

A Nation Connected:  Defining the Public Interest in the Information
Superhighway, Annenberg Center, Rancho Mirage, CA, Feb. 20.
Contact:  barb.macikas@ala.org    800 545-2433 x3201    312 280-3201

Computers, Freedom, and Privacy, M.I.T., Cambridge, MA, March 27-30, 1996.
Contact:  web.mit.edu/cfp96     cfp96-info@mit.edu

Visions of Privacy for the 21st Century:  A Search for Solutions, Victoria, BC,
CANADA, May 9-11, 1996.  Contact:  http://www.cafe.net./gvc.foi

Society and the Future of Computing (SFC'96), Snowbird, UT, June 16-20.
Contact:  rxl@lanl.gov            http://www.lanl.gov/SFC

Australasian Conference on Information Security and Privacy, New South
Wales, AUSTRALIA, June 24-26.  Contact:  jennie@cs.uow.edu.au

The Privacy Laws & Business, Cambridge, ENGLAND, July 1-3.
Contact:  44 181 423 1300      44 181 423 4536 (fax)

Advanced Surveillance Technologies II.  Ottawa, ON, CANADA, Sept. 17.
Contact:  pi@privacy.org

Data Protection and Privacy Commissioners, Ottawa, ON, CANADA, Sept. 18-20.
Contact:


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 22 Nov 1995 14:25:54 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V7 #053
******************************