PRIVACY Forum Digest Wednesday, 11 November 1992 Volume 01 : Issue 25 Moderated by Lauren Weinstein (lauren@cv.vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS Re: Privacy on the Agenda? (Jeff Johnson) Wire Taps, Key Management, and Privacy (Brinton Cooper) Va. Hearing on SSNs (Dave Banisar) Credit Thieves (Paul Robinson) Privacy Problems in 2142 A.D. (Lauren Weinstein; PRIVACY Forum Moderator) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 01, ISSUE 25 Quote for the day: "Sticks nix hick pix" -- Headline from "Variety" (a Hollywood trade daily) regarding rural areas' lack of interest in farm dramas. (July 17, 1935) ---------------------------------------------------------------------- Date: Wed, 04 Nov 92 10:29:20 -0800 >From: Jeff Johnson Subject: Re: Privacy on the Agenda? Moderator Lauren Weinstein wondered aloud whether Clinton et al will put privacy on their agenda. He wrote: > I suspect that it's only natural to expect that the issues of privacy may > not be high (or even present) on many lists. Here is a list from the Clinton Campaign, on which privacy is indeed mentioned: Excerpted from - "Clinton/Gore Campaign Pledges Strong Consumer Protections; Blasts Bush/Quayle Record" - Oct. 26 A Clinton/Gore Consumer Bill of Rights will include: 1. The Right to Safety -- To be protected against the marketing of goods which are hazardous to health or life. 2. The Right to be Informed -- To be protected against fraudulent, deceitful, or grossly misleading information, advertising, labeling or other practices, and to be given the facts needed to make an informed choice. 3. The Right to Choose -- To be assured, whenever possible, access to a variety of products and services at competitive prices; and in those industries in which competition is not workable and government regulation substituted, an assurance of satisfactory quality and services at fair prices. 4. The Right to be Heard -- To be assured that consumer interests will receive full and sympathetic consideration in the formulation of government policy and fair and expeditious treatment in its administrative tribunals. 5. The Right to Consumer Education -- To help consumer education become an integral part of regular school instruction, community services and educational program for people out of school; to ensure that consumers have the assistance necessary to plan and use their resource to their maximum potential and greatest personal satisfaction. 6. The Right to Privacy -- To not have information provided by consumers for one purpose used for a separate purpose without the consumer's knowledge and consent. ------------------------------ Date: Wed, 4 Nov 92 17:38:19 EST >From: Brinton Cooper Subject: Wire Taps, Key Management, and Privacy In RISKS DIGEST 13.87, Dorothy Denning wrote, in part: of a "...potential crisis in law enforcement if we lose the capability to conduct court authorized taps." She spoke of the high costs of lawful surveillance and asserted, "Much of this is related to organized crime," perhaps a scare tactic? Her solution involves nongovernmental "key centers" which, presumably, would not give out keys to anyone without a properly executed court order. She cites that the "...phone companies are so fussy about court orders that they send them back if the semicolons aren't right...," apparently believing that the rights of the citizens are thereby protected. For the following reasons, this is a politically naive position. 1. It provides that our right to protection from illegal governmental search and seizure and/or illegal eavesdropping rests on the good will and integrity of a phone company! 2. Even a nongovernmental agency may act more like, than unlike, government. Consider the US Postal Service. 3. Court orders, search warrants, and the like protect citizens only when the information or evidence gathered is to be used in court against a suspect. If information is being gathered for political purposes, blackmail, or other subversion of law (Watergate, Iran-Contra, the Italian bank scandal, etc), the purloined information will never see a public forum but can still do great harm to innocent persons. Thus, the constraints of court orders are obviated. The FBI needs to fund its own R&D from its own budget, just as the rest of the government at all levels must do. There is talent that can "red team" modern telecommunications and find trapdoors when necessary. You must never forget that the gravest threat to our freedom is, and always has been, government itself. _Brinton Cooper ------------------------------ Date: Wed, 11 Nov 1992 9:29:42 EDT >From: Dave Banisar Subject: Va. Hearing on SSNs An ad hoc committee of the Virginia General Assembly met November 10 and agreed to draft legislation that will remove the SSN off the face of the Va. drivers license and from voting records. The Special Joint Subcommittee Studying State and Commerical use of Social Security Numbers for Transaction Identification met for 3 hours and heard witnesses from government, industry and public interest groups. It appears that the draft will require the DMV and the Election Board to continue to collect the information, but will no longer make it publicly available. It was also agreed that the committee would look into greater enforcement of Va. privacy laws, including the feasibility of setting up a data commissioner. All of the legislators in attendance agreed that using the SSN on the face of the driver's license caused problems for both fraud and privacy. The DMV representative admitted that it would cost a minimum amount of money to modify their new computer system, which they have not completed installing yet, to use another numbering system. She estimated that this would take 3-7 years using the renewal process to change all the licenses. She estimated a cost of $8 million for an immediate change due to mailing costs. Bob Stratton of Intercon Systems explained the inherent flaws in using the SSN as an identifier and offered alternatives such as the SOUNDEX system used by Maryland and New York as a better alternative for licenses. A representative of the Va. State Police admitted that they do not use the SSN to identify persons in their records because it was "inherently inaccurate" and described cases of criminals with up to 50 different SSNs. Dave Banisar of CPSR Washington Office explained how the SSN facilitates computer matching and offered options for the board to consider to improve protection of personal privacy. Mikki Barry of Intercon Systems described how any attorney in Virginia has access to the DMV database to examine all records via a computer network. ------------------------------ Date: Mon, 09 Nov 1992 22:23:37 EST >From: "Message Center" Subject: Credit Thieves Article Summary, "The Credit Thieves" (Washington Post, Nov. 9, Page D5), "They Take Your Identity, Then Your Good Name." In "The Credit Thieves" article author Stephen J. Shaw asks if you have checked your credit rating lately; some thieves have been known to find people's personal information, then create new identities - and new credit histories - for some people. Apparently name and address is enough to be able to "borrow" someone else's credit information. Some so-called "credit doctors" charge $500 to find someone else with the same or similar name and a clean record, and give the buyer that person's credit record. Shaw declares personal exposure to credit fraud: his credit rating showed "almost $100,000" in credit, services and merchandise ("loans, credit cards, personal bank loans, plane tickets, home-entertainment systems, computers, clothes, furniture, cellular telephones and a slew of other consumer goodies") granted to "him" even though he lives in Washington DC, and the credit granted to "him" was to someone in Orlando Florida, and he's never heard of the things claimed to be charged to him. He only found out about the incident when he applied for credit with an organization and they asked him why he didn't declare all the OTHER credit cards and such that he has. Apparently almost anyone with access to a computer terminal with access to a regular credit reporting agency can probably find out your credit history. His "Credit Double" was only caught because he tried to buy a house using Shaw's name. The Secret Service is the agency that handles trying to catch people who do this. The "credit mugger" is in jail awaiting trial for four counts of bank and credit fraud. Happy ending, eh? NOT. Now getting rid of the inaccurate and fraudulent credit requests is a job in and of itself. "Equifax had deleted five of the bogus accounts, kept another four on my report and added three new ones. TRW told me that most of the disputed accounts had been deleted because the creditor had not replied to TRW's inquiry, but added that the 'creditor may re-report item.' stating , in effect, that the accounts could reappear in future editions." Trans Union did not have the incorrect accounts, but still had the Florida address. TRW also has his address listed as Florida. A New York State agency found six out of 17 credit reporting agencies which advertised would sell credit histories without any attempt to verify the purpose of the request. An executive at TRW told a 1991 Congressional hearing that "if someone is willing to lie to get a consumer report on another individual, there is nothing in the present law to act as a deterrent." Apparently it's not all that hard even to get someone's credit report legally. The Fair Credit Reporting Act (FCRA) allows anyone with "a legitimate business need for the information" can get your report; this includes prospective creditors and employers. "This loophole covers anything from renting an apartment to paying for something by check to joining a health club or a dating service. Reports can be ordered legitimately by employers checking on employees, insurance companies writing policies, someone trying to collect a debt, and government agencies deciding to grant any form of assistance or licenses." The article notes one can request not to be put in the list of "pre-screened" or "targeted" people that credit reporting agencies sell to companies that sometimes offer credit. You can also ask to be taken off mailing lists by writing the Direct Marketing Association, Mail Preference Services, 11 West 42nd St, Box 3961, New York, NY 10163-3861. They can also take reqests just to remove your telephone number from some lists. The article recommends contacting each of the three major agencies twice yearly, and at least 6 months before a major purchase, because some of them don't get what the others have. If something is wrong, contact the creditor directly as well as the reporting agency. If you can't get something corrected, ask to have a statement inserted in your record. If you're not satisfied, you can write the Federal Trade Commission at Correspondence Dept, Room 692, Washington DC 20580. The major credit reporting agencies are: - Equifax, Box 740241, Atlanta GA 30374 1-800-685-1111 - Trans Union, Box 7000, North Olmsted, OH 44070 Regional Offices: - Box 360, Philadelphia, PA, 19105 215-569-4582 - 222 South First St., Suite 201, Louisville KY 40202 502-584-0121 - Box 3110, Fullerton, CA 92634 714-870-5191 - TRW National Consumer Relations Center, 12606 Greenville Ave., Box 749029, Dallas TX 75374-9029 214-235-1200 (TRW allows one free report a year by mail from) - TRW, Box 2350, Chatsworth CA, 91313-2350 --- Paul Robinson -- TDARCOS@MCIMAIL.COM These (uninformed and probably inaccurate) opinions are mine alone; nobody else is (stupid enough to be) responsible for them. ------------------------------ Date: Wed, 11 Nov 92 19:41 PST >From: lauren@cv.vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Privacy Problems in 2142 A.D. Greetings. About two months ago "The Sci-Fi Channel" launched their (long awaited) cable service. While it is not yet widely carried by cable systems, it shows a wide variety of (mostly old and/or campy) Science Fiction, Horror, and related programs and films. I like it-- which says nothing about its chances for future success! In any case, one of their in-house produced interstitial elements (that is, short programming segments to run between main programs) is the "Comlink FTL Newsfeed"--direct from the year 2142. The concept is that we're looking in on a sort of "headline minute" from today's date, but 150 years in the future. Each day there's a new one, and we move forward in step with the future. The news is read by a computer-processed "mask" face, with various garbled stock tickers running along the top and bottom (wouldn't you know it, we can't see what the winning stocks will be in 2142!) There have been a number of interesting looks into future news stories. The scandal over the Mars terriforming contracts, for example. The issue of clone rights. Problems with "defective" clones--especially the Elvis and Mother Teresa models. However, the one continuing FTL story since the channel launched is the "Identification Chip Controversy". It seems that in 2142, the government decreed that all citizens would be required to have identity implants which could be scanned by authorities (similar to the pet ID chips available today, it would seem). Initial announcements on FTL indicated that the chips would only be scanned when searching for criminals--but later announcements indicated that there were plans for direct tie-ins between the identity chip codes and a range of public and private databases. When the opposition "Privacy Party" publicly tried to argue against this technology (using arguments very similar to what we might see in this digest) they were branded essentially as kooks and official statements were released to the effect that no honest citizen has anything to fear from identity chips or database linkups. Yestersday, an FTL press release announced that a new "police visor" would be issued that could automatically scan all identity chips in an area to make identification of all citizens as rapid as possible. Apparently this was the straw that broke the camel's bank for some of the opposition in the future. Today (or rather, today plus 150 years), FTL Newsfeed was suddenly interrupted by a large red "R", and a voice repeating, "Defy the government! No Identi-Chip!" until the end of the segment. One can only imagine the steps that authorities will take to deal with the transgression! We shall see. Even though it is presented in a humorous manner, it is refreshing to see *any* treatment of privacy issues that indicates even a basic awareness of modern privacy concerns--matters that are all too frequently ignored by most mass media. The Sci-Fi Channel deserves a thumbs-up for their creative (and continuing) look into the "future" of privacy. --Lauren-- ------------------------------ End of PRIVACY Forum Digest 01.25