From clancy@first.org Wed Jan 27 06:06:43 1993
Return-Path:
Received: from nkosi.well.sf.ca.us by well.sf.ca.us with SMTP (5.65c/SMI-4.1/well-921206-1) id AA23475; Wed, 27 Jan 1993 06:06:35 -0800
Received: from first.org (CSRC.NCSL.NIST.GOV) by nkosi.well.sf.ca.us (5.65c/SMI-4.1/nkosi-921118-1) id AA27663; Wed, 27 Jan 1993 06:06:29 -0800
Received: by first.org (4.1/NIST) id AA01610; Wed, 27 Jan 93 09:07:37 EST
Date: Wed, 27 Jan 93 09:07:37 EST
From: Kim Clancy
Organization: FIRST, The Forum of Incident Response & Security Teams
Posted-Date: Wed, 27 Jan 93 09:07:37 EST
Message-Id: <9301271407.AA01610@first.org>
To: aissecur@well.sf.ca.us
Subject: pri
Status: O

>From privacy@cv.vortex.com Tue Jan 26 11:08:08 1993
Return-Path:
Received: from cv.vortex.com by first.org (4.1/NIST) id AA00224; Tue, 26 Jan 93 11:07:38 EST
Posted-Date: Sun, 24 Jan 93 12:45 PST
Received-Date: Tue, 26 Jan 93 11:07:38 EST
Received: by cv.vortex.com (Smail3.1.26.7 #2) id m0nGED6-0000lJC; Sun, 24 Jan 93 12:45 PST
Message-Id:
Date: Sun, 24 Jan 93 12:45 PST
From: privacy@cv.vortex.com (PRIVACY Forum)
Subject: PRIVACY Forum Digest V02 #04
To: PRIVACY-Forum-List@cv.vortex.com
Status: RO

PRIVACY Forum Digest      Sunday, 24 January 1993      Volume 02 : Issue 04

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    Caller-ID a danger? Not by itself (A. Padgett Peterson)
    The REAL problem with Caller ID (Larry Seiler)
    Re: SSN and new baby, Schools and SSNs (Ed Tripp)
    OECD Guidelines cont'd (Marc Rotenberg)
    IEEE conference (Dr. William J. Kelly)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 04

Quote for the day:

    "Mars is essentially in the same orbit... somewhat the same distance from the sun, which is very important. We have seen pictures where there are canals, we believe, and water. If there is water, that means there is oxygen. If oxygen, that means we can breathe."

        -- Former Vice President Dan Quayle

----------------------------------------------------------------------

Date: Sat, 16 Jan 93 21:12:42 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Caller-ID a danger ? Not by itself.

>From: scott@cs.rochester.edu
>Subject: Op-ed piece on telephone Calling Number ID

> Unless you act immediately, your name, address, and telephone number are
>about to be added to the marketing lists of a whole new set of telephone
>solicitors and direct-mail advertisers. How? Through the "Call ID" facility
>recently introduced by Rochester Telephone.

First, let me say that I am a firm believer in the potential of Caller-ID to be an invisible layer of access control to computer systems. Given that, my feeling is that the controversy centers around two, not one, situations.

1) Captured CNID information can be stored electronically.
2) Once stored, the CNID can be used to extract information from public databases that the caller might prefer not to be disclosed.

What is not commonly appreciated is that element (1) is available in the form of ANI on any number of common business calls to anyone with the proper service (e.g. 800 and 900 area code calls). The difference between this and Caller-ID (CNID) is the cost threshold.

Given that the information is already available for (1), the answer would to be the amount of information derived in (2). True, reverse phone books provide additional information, but all is based on the information provided by the telco.
There are many areas/exchanges which, by the virtue of being small, do not have reverse directories available (I used to live in one in Texas). Further, even where reverse directories are available, they are based on the information provided electronically (for a fee) by the telco.

There are any number of ways to prevent dissemination of this. The two best known are touted as extra cost "features" by the Telco - unpublished and unlisted numbers. There is a third means that may be used at no cost however. Simply specify that only the name of the person having that number be listed (e.g. direct that no address or only the city be listed).

There is nothing in the tariffs that requires street addresses to be listed in the phone book and several compelling reasons why individual safety would dictate not - but few people ever take advantage of this. The important thing to remember is that the subscriber does have some control over *what* is listed, and this is what is reported to outside parties.

Meanwhile, I have Caller-ID at home and my personal dislike is that finding out before installation what numbers you can receive and which will report "out-of-area" is like pulling teeth. Fully a third of the local calls received report this including those that originate from a subdivision less than five miles from my home (and I have been assured that the callers did not block CNID), yet there is no discount for such "partial" service (*all* of the calls received today were "out-of-area"). IMHO, until it is nationwide, it will not be really effective (expect it in under two years).

Warmly,
Padgett

[ One important distinction between CNID and 800 number ANI is that in the latter case the person being *called* is paying for the call--essentially it is a collect call. Clearly some mechanism must exist for the entity paying for these calls to track use and/or abuse of their resources.
This is a different situation than CNID, where the person *making* the call is the one normally paying for the call, but the person receiving the call still wants to know the number of the person calling. -- MODERATOR ]

------------------------------

Date: Tue, 19 Jan 93 15:53:57 EST
From: "Larry Seiler, x223-0588, MLO5-2 19-Jan-1993 1515"
Subject: The REAL problem with Caller ID

As noted by Michael Scott in digest #03, Caller ID is almost exclusively a marketing tool. At one time I thought it had value for finding the identity of nuisance callers, but that can now be easily accomplished by the phone company at their offices -- CNID isn't necessary.

However, I feel that it is important to understand that the real privacy problem of CNID is NOT the fact that businesses can know who is calling them. In most cases, I don't think people expect to be anonymous to the companies they do business with.

I do think that most people feel it is nobody else's business who they choose to do business with. So the privacy problem comes from the compilation and sale of databases of that information -- plus inferences drawn from the caller information. CNID facilitates invasions of privacy on a broader scale than before, because it makes it easier to gather the data. But it is what is done with the data that violates privacy -- not (usually) its collection.

This is an important distinction. CNID is just a tool. We should fight to limit CNID on privacy grounds, since it is such an effective tool. But the real fight is to outlaw the distribution of personal data except with the permission of the people about whom the data was collected.

Enjoy,
Larry

------------------------------

Date: Sun, 17 Jan 93 00:18 EST
From: et@tdslab.cmhnet.org (Ed Tripp)
Subject: Re: SSN and new baby, Schools and SSNs

I have to respond to the assumption being made that the IRS can finally force the registration of all children in this country or deny the valid tax exemptions for them.
My three children were all born at home, in the same bed, with the assistance of midwives. I filed the birth certificates and at least one of them has me as the only witness to the birth. My children have no SSNs and they will not have them until they are working and registered for Social Security tax purposes.

The original law requiring registration of children of ages 5 and up was put through as a way to control AFDC fraud. A rider on a bill two years (I think) later changed the age to 2 and was written so as to be essentially invisible to the reader. The whole statement was one line amending "5" to "2" in a referenced paragraph in another document (the original bill).

I first encountered these laws when the bank demanded SSNs to avoid backup withholding from my children's bank accounts. I opened an account with $100 for each one at birth the same way my parents had done for me. The idea was to encourage saving. Since the amount involved was so small, I let the bank take the tax as a necessary expense of freedom. The next demand came in the form of a statement that a $50 penalty could be assessed for not having the numbers. I closed the accounts, bought savings bonds for the kids, and made sure the bank knew exactly why. This kind of nonsense only survives when people don't care enough to do anything about it.

About that time, the tax forms started requiring the numbers for dependents or a statement that they had been requested. I wrote numerous letters to Congress and the ACLU on the issue. The ACLU is actively pursuing this issue with respect to privacy concerns. I got a letter from Jesse Helms stating that he had never realized what the Congress had passed when the registration requirement was passed and he "would look into it".

As for the tax returns, every year I file with "no numbers - see attachment" written across the area reserved for the SSNs. Each year, I give the government a new set of copies of my children's birth certificates.
Those are public record and I don't mind them having them or having to deal with them. Given the incredible abuse of the SSN by American businesses and government agencies at all levels I can clearly state that it will be a cold day in hell before I give in on this issue.

I should also note that my two oldest children are in the public school system here (Upper Arlington, Ohio). As far as I know, they are the only two in the entire system who do not have SSNs. When the school office called me about the missing number on my daughter's registration and I replied that she did not have one and would not have one, the reply was "Oh yes, you're the one". They remembered the encounter when my oldest son was enrolled. This time there was no further discussion. In fact, the only thing the woman I was talking to could think of that required a number for the schools was requests for copies of high school transcripts. I assume my children will have them legitimately by then.

I would be interested in feedback from anyone who knows whether the material I am including below is still relevant to this issue. When I read it, it appeared that I had actually been exceeding what was necessary to keep the IRS off my back. However, that may have changed recently given the efforts of a number of people to establish a "New World Order" for everyone inside and outside of this country.

This is excerpted from a file available at eff.org and I assume a number of other sites:

-----------------------------------------------------------------------
Archive-Name: ssn-privacy

What to do when they ask for your Social Security Number

by Chris Hibbert
Computer Professionals for Social Responsibility

--------- much deleted material ---------

Children

The Family Support Act of 1988 (42 USC 1305, 607, and 602) apparently requires states to require parents to give their Social Security Numbers in order to get a birth certificate issued for a newborn.
The law allows the requirement to be waived for "good cause", but there's no indication of what may qualify.

The IRS requires taxpayers to report SSNs for dependents over one year of age, but the requirement can be avoided if you're prepared to document the existence of the child by other means if challenged. The law on this can be found at 26 USC 6109.

-----------------------------------------------------------------------

By the way, I am a computer "professional" if that term means that I make my living teaching about, designing, building, programming, and otherwise being obsessed with computers. Computers are tools. They can be used for great good and great evil. My determination to fight the use of the SSN as a universal identifier has to do with avoiding the latter. And no, I do not trust my government on this issue since abuses of intelligence and police powers are commonplace events and commercial use of the SSN is totally uncontrolled in spite of the often repeated desire of Congress to avoid the creation of a "national identity number".

Ed Tripp (et@tdslab.cmhnet.org)

------------------------------

Date: Mon, 18 Jan 1993 15:16:10 EST
From: Marc Rotenberg
Subject: OECD Guidelines cont'd

Padgett Peterson makes a good point in Privacy Forum Vol. 2, Issue 3. The character of vulnerabilities has changed. Failure is more difficult to localize in networked environments. Look at the recent problems with the phone network or the Cornell Worm.

It is important to point out that the words Padgett quotes ("Society has become very dependent on technologies that are not yet sufficiently dependable") are from the OECD press release and not from CPSR. We are generally more skeptical about the prospects for absolute dependability.

Still, openness in design is important.
The OECD expert group tried to address this concern with the "Awareness Principle" which states "In order to foster confidence in information systems, owners, providers and users of information systems and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices and procedures for the security of information systems. However, I disagree with one point in Padgett's note. Openness in design does not come at a cost in privacy. In some circumstances, just the opposite is true." The principle could have been stated less ambiguously, but the idea is there.

I disagree with one point in Padgett's note. Openness does not necessarily lead to a trade off with personal privacy. In many circumstances, the opposite is true.

Consider the FBI's digital telephony proposal which would facilitate wiretapping of the communications network. CPSR has pushed the FBI through the Freedom of Information Act to be more forthcoming about the technical issues surrounding wire surveillance. The FBI is reluctant to provide the information, even though the General Service Administration has now sent us a document which said that the proposal would "make it easier for criminals, terrorists, foreign intelligence and computer hackers to electronically penetrate the phone network and pry into areas not previously open to snooping."

Privacy is not secrecy.

Marc Rotenberg
CPSR Washington office

------------------------------

Date: Fri, 22 Jan 1993 14:23:20 EDT
From: "Dr. William J. Kelly"
Subject: IEEE conference

CALL FOR PAPERS

THE IEEE SOCIAL IMPLICATIONS OF TECHNOLOGY SOCIETY
THE IEEE TECHNICAL POLICY CONFERENCE COMMITTEE
THE IEEE NATIONAL CAPITAL AREA COUNCIL

INVITE CONTRIBUTIONS FOR AN INTERDISCIPLINARY

International Symposium on Technology and Society 1993 (ISTAS '93)
Washington DC
October 22-23, 1993

on the theme

TECHNOLOGY: WHOSE COSTS?..WHOSE BENEFITS?
Technology is constantly changing our world. New ways of doing things bring benefits undreamed-of just a few years ago. These technologies also have their price. The costs can be financial, or increased risks, or a less pleasant way of life. How do we balance benefits and costs? Do those who enjoy the benefits bear their fair share of the costs? How can we determine a fair share? If we can, and don't like the results, what do we change? Is the Government always the best way to change things?

ISTAS '93 will explore these and related questions, concentrating on three exemplary areas of technology:

    Computers and Communications
    Health Care
    Energy and the Environment

ISTAS '93 invites significant contributions on these issues from a wide spectrum of scholarly and concerned individuals. The contributions can be papers, proposals for a session or panel of invited experts, or proposals for "poster" or discussion sessions. Please send an extended (two page) abstract for papers or a two page proposal for sessions, to the General Chair

    Dr. William J. Kelly
    Attn IEEE
    MITRE Corporation
    7525 Colshire Drive
    McLean, VA 22102

DEADLINE FOR SUBMISSION: FEBRUARY 28, 1993
Notification of Acceptance: March 31, 1993
Camera Ready Copy: June 30, 1993

In the tradition of the Carnahan Conferences

    "Technics: A Delicate Balance" in Los Angeles 1989
    "Preparing for a Sustainable Society" in Toronto 1991

ISTAS '93 invites contributors from many disciplines to illuminate the problems and choices that face us all.

------------------------------

End of PRIVACY Forum Digest 02.04