From privacy@cv.vortex.com Wed Aug 26 04:02:28 1992
Return-Path:
Received: from cv.vortex.com by csrc.ncsl.nist.gov (4.1/NIST) id AA10018; Wed, 26 Aug 92 04:02:03 EDT
Posted-Date: Wed, 26 Aug 92 01:01 PDT
Received-Date: Wed, 26 Aug 92 04:02:03 EDT
Received: by cv.vortex.com (/\==/\ Smail3.1.25.1 #25.21) id ; Tue, 25 Aug 92 23:43 PDT
Message-Id:
Date: Wed, 26 Aug 92 01:01 PDT
From: privacy@cv.vortex.com (PRIVACY Forum)
To: privacy-forum@csrc.ncsl.nist.gov
Subject: PRIVACY Forum Digest V01 #14
Status: R

PRIVACY Forum Digest     Tuesday, 25 August 1992     Volume 01 : Issue 14

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    Cincinnati Bell CLASS tariff (David A. Banisar)
    Selling customer lists (Jerome H. Saltzer)
    Direct Mail Marketers to get access to CA DMV records (Bruce R. Koball)
    Wells Fargo Bank changes customer security system (Moderator--Lauren Weinstein)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com".
Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 01, ISSUE 14

Quote for the day:

    "I was cured all right."

        -- Alex
           "A Clockwork Orange" (1971)

----------------------------------------------------------------------

Date: Sun, 23 Aug 1992 13:10:09 -0400
From: David A. Banisar
Subject: Cincinnati Bell CLASS tariff

--- Original message below ---

From: Rohan Samarajiva

Cincinnati Bell Telephone, a large non-RBOC telephone company, has filed a request before the Public Utilities Commission of Ohio to offer seven CLASS services, including the controversial Caller ID and Call Return services. CBT had been holding off on the latter services until the commission formulated policies regarding blocking.

Interestingly, CBT appears to have gone further than the final PUCO ruling on the blocking of number delivery.
Customers will be offered per-call and per-line number delivery blocking. Per-line blocking will be offered free to customers with non-published numbers (23% of CBT's customers). Others can obtain per-line blocking for $1.60 per month. From the material issued by the company (not the formal tariff), it appears that customers who want per-line blocking will have to ask for the service (even unpub. customers). This falls short of the default per-line blocking for unpub. customers that was the key element of the Ohio Hearing Examiner in the Ohio Bell case.

Concerns regarding the use of Call Return to discover the numbers of calling parties who had blocked number delivery do not appear to have been addressed.

------------------------------

Date: Mon, 24 Aug 92 18:48:33 EDT
From: Jerome H Saltzer
Subject: Selling customer lists

[Subject field supplied by Moderator]

In Volume 01, Issue 08, Lauren asks for personal experiences that relate to privacy and Willis Ware talks about "data puddles" accumulated in the course of doing business that are protected, at best, by unspecified business ethics.

Last week I ran across something that covers both. A local video rental store went belly-up, and the contents of the store were put up for auction. About 100 people, some being dealers looking for inventory and others being private parties hoping to cheaply enhance their personal videotape library, showed up to check it out.

In addition to some 2400 used videotapes in 50 lots, there were a few rental VCR's, a small computer system, and the really choice item, lot 53, a two-drawer filecard cabinet labeled "mailing list". This turned out to contain one file card per customer, with name, address, place of work and originally-presented ID on the front, and on the back a list of the names of all the videotapes that customer had rented.
I asked the auctioneer whether he saw any problem in selling that lot, and he replied that it was common in business auctions to sell customer lists.

Exactly how the new federal law prohibiting disclosure of videotape rental records applies to this situation is not at all clear. But it seems safe to say that business ethics can't be very effective in protecting data when the business vanishes.

Jerry Saltzer

------------------------------

Date: Mon, 24 Aug 1992 16:35:04 -0700
From: Bruce R Koball
Subject: Direct Mail Marketers to get access to CA DMV records

Apparently an interesting piece of legislation in the California State Legislature has slipped by the scrutiny of privacy advocates. AB 2543, sponsored by Assemblyman Ross Johnson (R) opens up access to CA state DMV records for the purposes of direct mail marketing.

Many folks will remember that the murder of actress Rebecca Schaeffer (sp?), by a deranged fan who obtained her home address from DMV records via a private detective, prompted the DMV to restrict access to their database.

This did not please direct mail marketing firms, for whom the DMV database was a major information source. They have apparently successfully lobbied to be included in the select group of people (see below) who are still entitled to access these records.

Because this bill ostensibly has no fiscal impact (from the state's viewpoint) it was able to take a fast track through the legislature, slipping by virtually unnoticed, and now sits on the Governor's desk, awaiting his signature.

Although records in the state legislature's computer show no recorded opposition to the bill, the DMV's public information office claims that they are on record as opposing it on privacy grounds.

The bill's sponsors and supporters have attempted to address concerns about confidentiality of DMV records by restricting access and use, but privacy advocates point out that there are serious secondary use issues here as well.
They maintain that information collected for one purpose should not be used for another purpose without the consent of the data subject.

The legislative analysis follows:

==========

AB 2543
Ross Johnson (R)

SUBJECT: Department of Motor Vehicles: access to records

SOURCE: Author

DIGEST: This bill provides that the Department of Motor Vehicles' records be accessible for the purposes of direct mail marketing, under specified circumstances.

Senate Floor Amendments of 8/13/92 specify information that may be sold.

ANALYSIS: Existing law provides that residence addresses in the Department of Motor Vehicles (DMV) records are confidential and shall not be disclosed except to a court, law enforcement agency, governmental agency, financial institution, or insurance company, attorney, and vehicle manufacturer or dealer, with specified restrictions and limitations.

Existing law authorizes DMV to limit release of mailing addresses, except to the above listed parties, for purposes relating to the reasons for which the information was collected. It also authorizes the release of mailing addresses to persons who have obtained a "requester code", as specified, from DMV.

This bill would require the DMV to allow access and release of a residence address or mailing address, or both, if the name of the individual whose address was released was maintained confidential and not disclosed to any person, and if the address could not be directly linked to any specific vehicle license plate number. The DMV would be allowed to charge a fee for its service to fully recover its cost.

The bill would also revise the definition of commercial use to specifically include direct mail advertising.
In addition, the bill would provide that access to the department's electronic data base would include both the access and release of a residence address or mailing address, or both, if the name of the individual whose address was released was maintained confidential and not disclosed to any person and if the address could not be directly linked to any specific vehicle license plate number.

The bill specifies that information from the department's records that may be inspected, accessed, released or sold includes, but is not limited to information relating to driver's licenses, certificates of ownership and registration cards.

The purpose of this bill is to provide DMV records to direct mail services.

Background

AS 1779 (Roos) Chapter 1213, Statutes of 1989, created the residence address confidentiality provision. Prior to that bill, the entire DMV data base was sold to the R.L. Polk Company for over $2 million. The Polk Company then tailored information from the data base for a variety of customers. Since 1990, DMV records have been inaccessible to direct mail marketers.

In 1990, SB 2068 (Doolittle) attempted to address the problems that have arisen due to the implementation of existing law by the DMV. That bill was held in the Assembly Transportation Committee.

Prior Legislation

SB 2068 (Doolittle - 1990), passed the Senate 37-0, held in Assembly Transportation Committee.

FISCAL EFFECT: Appropriation: NO / Fiscal Committee: Yes / Local: No

SUPPORT: (Verified 8/13/92)

    R.L. Polk
    Seal Press, Inc.
    Moe's Direct Marketing
    Mailmark Direct Marketing Service
    Jart Direct Mail Services
    ARCO
    California Newspaper Publishers Association

ARGUMENTS IN SUPPORT: According to the proponents of the bill, problems have arisen due to the implementation of existing law by the DMV. Direct marketers would like to have access to DMV records, but recognize the need for appropriate safeguards for confidentiality on personal information.

------------------------------

Date: Mon, 24 Aug 92 19:42 PDT
From: lauren@cv.vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Wells Fargo Bank changes customer security system

Greetings. In a previous issue of the digest, I reported how Wells Fargo Bank, a major California institution, had rather quietly started allowing customers to optionally specify "code words" before they could access their account balances, etc. via live operators (you could not use their automated system for such purposes if you chose to make use of this additional security). The automated system simply required entry of account number and some other easily obtained information (I believe it was zip code).

Wells has now changed this policy. They have now converted to an automated attendant system which answers all calls (though you can still get to a human if you enter the correct commands). Persons who request additional security must now select a three digit code which is then required for both live calls and automated account access. The old "code words" are no longer supported. Supposedly the system will "lock out" if the code number is incorrect three times in a row, and then they will go through some procedure involving a live operator (which they declined to detail) to verify the user.

Of some concern is other information that is now available via the automated system. Apparently anybody can now call, enter any account number and an amount, and be told whether or not that amount of funds is available in the specified account. With a relatively few calls, it would be possible to pretty well range in on the amount in any account using this system. When I questioned them about the wisdom of allowing this information to be available in an automated manner with absolutely no security or tracking of any kind, they replied that since federal regulations allow it, they're doing it.

So, it seems we have the good and the bad to report (no doubt the ugly will show up shortly...)
On the positive side, Wells is to be applauded for the PIN system now available for controlling access to account detail information and transactions. On the negative front, the uncontrolled, automated access to a "go" or "no-go" response for any amount on any account is decidedly unfortunate.

Comments regarding Wells Fargo's automated systems should be sent to:

    Clyde Ostler
    Vice Chairman
    Wells Fargo Bank
    P.O. Box 63710
    San Francisco, CA 94163-1036

(This is the name specifically given to me by Wells Fargo customer service supervisors.)

--Lauren--

------------------------------

End of PRIVACY Forum Digest 01.14
************************
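
[Added example, not part of the original digest or of any bank's system: a small Python model of the "go"/"no-go" funds check described in the Wells Fargo item, measuring how tightly the answers alone bound a balance with no limit and with a per-account limit. The class, function names, account number, balance, ceiling and the limit of three are all constructed assumptions.]

```python
import math

class FundsCheck:
    """Constructed model of an automated "is this amount available?" phone line."""

    def __init__(self, balances, max_queries=None):
        self.balances = balances        # account -> balance in cents (constructed data)
        self.max_queries = max_queries  # None = no limit or tracking, as the digest reports
        self.used = {}                  # per-account count of answered checks

    def available(self, account, amount):
        n = self.used.get(account, 0)
        if self.max_queries is not None and n >= self.max_queries:
            # Hypothetical control: refuse and hand off, like the PIN lock-out.
            raise PermissionError("check limit reached; refer caller to an operator")
        self.used[account] = n + 1
        return amount <= self.balances[account]

def exposure(service, account, ceiling):
    """Return (low, high, answers): the tightest range for the balance that
    go/no-go answers alone reveal before the service refuses or it is exact."""
    low, high, answers = 0, ceiling, 0
    while low < high:
        mid = (low + high + 1) // 2
        try:
            ok = service.available(account, mid)
        except PermissionError:
            break
        answers += 1
        if ok:
            low = mid
        else:
            high = mid - 1
    return low, high, answers

def answers_for_exact(ceiling):
    """Each go/no-go answer is at most one bit, so this many pin down the cent."""
    return math.ceil(math.log2(ceiling + 1))

if __name__ == "__main__":
    accounts = {"0001": 437_219}   # constructed account number and balance ($4,372.19)
    ceiling = 1_000_000            # assume the balance is at most $10,000.00
    print("no limit:", exposure(FundsCheck(accounts), "0001", ceiling))
    print("limit 3: ", exposure(FundsCheck(accounts, max_queries=3), "0001", ceiling))
    print("answers needed for an exact figure:", answers_for_exact(ceiling))
```

[In this model the count is kept per account rather than per caller, so spreading checks over several calls does not reset it; a real deployment would also need a reset policy and logging, which the model leaves out.]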