PRIVACY Forum Digest Saturday, 12 November 1994 Volume 03 : Issue 22 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS PRIVACY Brief (Lauren Weinstein; PRIVACY Forum Moderator) Local authority housing id scheme in London (Steve Bowbrick) Re: HTTP, New Browsers, & Privacy (M. Hedlund) The dangers of half-hearted privacy measures (David Dyer-Bennet) CMU blocks access to nasty newsgroups (Mich Kabay) Followup on Sears captures signatures (Steve Holzworth) Minnesota driver license (Daniel Frankowski) Discover Card "Fraud" Mailing update (dgh@BIX.com) Ohio Supreme Court Upholds Privacy of SSNs (David Banisar) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW home page at the URL: "http://www.vortex.com/". For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203. ----------------------------------------------------------------------------- VOLUME 03, ISSUE 22 Quote for the day: "I'm going to give you the choice I never had." -- Lestat (Tom Cruise) "Interview With The Vampire" (1994) ---------------------------------------------------------------------- PRIVACY Brief (from the MODERATOR) --- As expected, California's Proposition 187, which would ban all educational services and non-emergency medical services for illegal immigrants, and require widespread reporting of undocumented persons by numerous entities, passed easily in the November 8th election. Also as predicted, its implementation was immediately halted by at least two courts, and nearly 30 lawsuits were filed against it within 24 hours. These suits seek to overturn the initiative on numerous grounds, including constitutionality, conflict with federal privacy and other laws, conflict with existing U.S. Supreme Court decisions, and a range of others. It seems likely therefore that perhaps years of litigation will be the primary result of the proposition for the foreseeable future. Discussion of these issues as they relate to privacy topics would be welcome in this forum. ------------------------------ Date: Mon, 7 Nov 1994 01:25:41 +0000 From: Steve Bowbrick Subject: local authority housing id scheme in London Here in Britain there is a historic resistance to a universal identification document. Citizenship of this country has always been defined negatively. Despite many abridgements to this ancient, if unwritten, right, mostly motivated by immigration-hysteria, it is still the case that 'being here is enough'. I am never required to prove descent, my citizenship is not defined positively or 'by blood' as it is in many other European countries and I do not have to carry, or even own, id. Identification is, of course, a part of daily life - cashing a cheque or opening a bank account will always require some form of id - but there is no single, accepted form of id, no national id card and drivers' licenses do not carry pictures or barcodes. Our Prime Minister, John Major, is explicit in his desire for a universal id document, tied to the tax and social security systems and carrying a picture. Popular resistance will be considerable. I will not carry one. Recently, and as if in response to the government's new acceptance of the 'need' for universal id, my local authority, the London Borough of Tower Hamlets, has introduced a semi-formal id scheme. I and all tenants of the borough are required to attend an office of the borough to prove that we are the legitimate occupiers of our homes. A list of acceptable forms of id is provided - none formal or accepted in law. A drivers license is adequate. Leaving aside the paradox of positive identification in a country that has no such concept (I have pointed out to the borough that, even if I proved my identity to their satisfaction, I would have proved nothing in law). I have refused to tender id and I am now threatened with court proceedings for posession of my home. I'd be interested in the opinion of the experts on whether my anti-id position is defensible in English law. US perspectives would be welcome. Steve -- Steve Bowbrick, Editor, 3W Magazine steve@3W.com 3W Magazine, the Internet with attitude +44 181 980 4207 ~~~~~~~~ fax +44 181 981 2351 http://www.3W.com/3W/ mobile +44 1860 183 481 ------------------------------ Date: Sun, 6 Nov 1994 23:33:55 -0800 From: march@europa.com (Marc H.) Subject: Re: HTTP, New Browsers, & Privacy Ed Kubaitis wrote, in V03 #21, about HTTP_FROM, an environment variable passed by some web browsers to HTTP servers. The variable contains the user's email address as entered in their "Preferences," and Ed expressed concern over possible logging of email addresses by marketers or other web sites. I'm glad to see this issue raised again; I brought it up some months ago when AT&T opened their "youwill.com" contest, for which they asked users to submit a web form-based survey. (Adam Curry, who was apparantly involved in the project and who was surprised to hear address-gathering from forms was even possible, assured several posters that no logging was taking place at AT&T's site.) First off, a list of the browsers supporting this variable (with version numbers known to be inclusive; earlier versions may also belong here, and later versions almost certainly do): MacMosaic 2.0.0a6 Lynx/2.3 BETA Emacs-W3/2.1.54 OmniWeb 0.7.4.1 AIR_Mosaic(16bit)(demo)/v3.06.05.03 MidasWWW/2.1 Mozilla 0.9b (Netscape) [all platforms] I collected this information during September of this year (with the exception of Netscape); this list will hopefully prevent some duplication of work, but it is _not_ intended as a blacklist. NCSA Mosaic for X and Windows, MacWeb, Global Wide Help & Information System (GWHIS), Chimera, and Spry's Enhanced Mosaic all do not send HTTP_FROM. As a CGI (Common Gateway Interface -- a protocol for running scripts on web servers) programmer, I am very much in favor of browsers supporting HTTP_FROM. Good use of the variable can allow automation of repetitive tasks, which is the whole point. I've used it several times to offer a default return-address for mailing scripts, which both alerts the user to the capability, and allows him or her to alter the address if they choose. I see HTTP_FROM as similar to ftpd's familiar "Guest login ok, send your complete e-mail address as password" prompt: any program or server that asks users for their email addresses is completely open to receiving a false address, or none at all, from those users. On the other hand, Ed's reaction -- and Adam Curry's, and that of other people to whom I've mentioned HTTP_FROM -- indicates that plenty of web users don't know this capability exists. I found out myself only by running a script similar to Ed's (http://www.uiuc.edu/cgi-bin/printenv) to list all environment varibles sent -- after having been assured by several people that the web was completely anonymous, what I was seeking didn't exist, etc. To use my example above, ftpd is quite explicit about its logging, but more recent ftp clients (such as ncftp) -- and the browsers listed above -- are not. I see this as the real problem. Explicit warnings and documentation seem to be the best solutons. I'm not sure what Lauren meant when he noted, "future versions of the Netscape browser will probably be distributed with the name/address feature defaulting to off." It seems to me that this is already the case -- the user has to enter his or her email address for the variable to work. What I would like to see is a much more explicit preferences dialog, one that warns the user about possible logging by web sites. I would disagree with any assertion that particular browsers should be avoided because of HTTP_FROM. At worst, particular preferences dialogs should be avoided. At best, all browsers could provide a menu option -- similar to "Auto-load images" -- that would allow the user to turn "Privacy" on or off. This is not a web-specific issue. Interested readers are referred to RFC 1413, "Identification Protocol," , which details a more-reliable, transparent, and generalized implementation of TCP connection logging. I think it only prudent to assume that any site you visit on the net could keep a log of your visit; and that as time passes, more and more sites -- particularly commercial sites -- will do just that. Browse carefully; the junk mail "you will" receive may be at stake. I support Lauren's call for regulation of the use of such information. M. Hedlund [ My meaning regarding the presumed future default for "Netscape" WWW browsers related to defaulting to *not* sending the address information even when it was available in the configuration. Since many (most?) people when configuring software will fill in all of the requested fields (including name, email address, etc.) it's important that the actual sending of the identification information be independently controlled through an explicit user decision. -- MODERATOR ] ------------------------------ Date: Mon, 7 Nov 94 11:03:11 CST From: ddb@anubis.network.com (David Dyer-Bennet) Subject: The dangers of half-hearted privacy measures Counterpoint -- Living in a Fish Bowl I'm in favor of privacy. I'd rather have real privacy than the alternative I'm going to talk about here. However, at least in the on-net privacy-oriented community, I see little or no recognition of the forces driving the various risks to privacy today. So I'm writing this to attempt to expose some issues and options that aren't often seen in this community. The pressures for various sorts of losses of privacy are tremendously strong. Recorded video monitoring of public spaces probably really does make them safer; at least it makes it more likely that anybody commiting a violent crime in that space will be caught and convicted. Paying for your groceries by debit card is convenient, and receiving customized coupons for products that you might actually buy is nice. Not having to stop at tollbooths on a highway improves traffic flow, and paying for roads with usage fees moves the costs squarely onto those deriving the benefits and should help people's rational personal choices on transportation be less costly to society as a whole. And, of course, customized marketing is profitable. As a consumer, customized marketing doesn't bother me too much -- what it means to me is that I receive less uninteresting junk mail. Most of these things can be implemented without serious privacy impacts with proper design; the video tapes can be thrown away after a defined period if no crime is reported, with strict laws about any improper disclosure, for example. The tollbooth can work anonymously in various ways. (The customized coupons seem to require keeping past purchase history; I find it hard to imagine a credible scheme to keep that information and use it *only* for issuing some customized coupons, so perhaps that idea can't be implemented without compromising privacy.) But all of these approaches involve throwing away information deliberately. This is a sin to many people, an unnatural act. The incentives for various uses of this information appear strong enough that the system is likely to develop lots of loopholes and probably illegal leaks as well. Having essentially all information about me and everybody else be public, including details of our daily movements, what we read, what we watch, who we phone, etc. would lead to a very, very different society from what we have now. It would largely end the common hypocrisies of day-to-day life, one way or the other. Either the avowed standards would remain, and people would actually conform to them, or new standards would evolve that we'd be willing to actually live with. The transition period would be very difficult, of course. The first society would be much more restrictive than current society, but I don't believe it's a likely outcome. The second might actually be freer, and also more honest, than what we have now. People would be forced to recognize *and accept* the degree of individual differences that actually exist. It might be a tolerable outcome. (This is not what I'd call an enthusiastic endorsement!) What would be *in*tolerable is a society where that level of information was available, but *only* to the government and the very rich. And where the information on the rich and prominent could often be suppressed, but the information on those of us with only ordinary resources could not. This is the worst possible outcome, and it's one of the more likely dangers. This is where we end up with weak laws, compromises, and sloppy attempts at ensuring privacy. This is why it's important that society converge on a strongly-supported position on privacy and pursue it aggressively. We need to be either for it, or against it, uniformly and broadly. Personally, I'm for privacy; I don't want to try the fish-bowl experiment myself. But I think that is better than the half-hearted compromises we're likely to end up with. -- David Dyer-Bennet Network Systems Corporation ddb@network.com Brooklyn Park, MN +1-612-391-1353 ddb@terrabit.mn.org My postings represent at most my own opinions. Web URL: http://www.mtn.org/~ddb (SF, photography) [ We've frequently discussed in this forum the rather "insidious" nature of the problems you mention. The convenience of these systems makes them difficult to avoid, even when practical alternatives to using them exist. I would argue that only through legislative rules that apply evenly to all entities collecting information can the "strong" privacy protections you suggest be implemented. Leaving the decisions regarding the use of such data to the collecting entities themselves has proven to result in widespread abuse. Unfortunately, it seems unlikely that legislation that would help the privacy situation in any significant manners will be forthcoming anytime soon, at least at the federal level. -- MODERATOR ] ------------------------------ Date: 06 Nov 94 15:46:49 EST From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: CMU blocks access to nasty newsgroups [ From RISKS-FORUM Digest; Volume 16 : Issue 53 -- MODERATOR ] >From the United Press Intl newswire via CompuServe's Executive News Service: UPn 11/04 1054 College blocks computer sex access PITTSBURGH, Nov. 4 (UPI) -- Carnegie Mellon University of Pittsburgh said Friday it will block access on its campus computer system to sexually explicit material available on the worldwide computer network called the Internet. Carnegie Mellon officials said they are acting out of concern that the university could by subject to prosecution under Pennsylvania's pornography and obscenity laws. The article goes to to explain that University spokespersons admit they will be "be accused of stifling free expression" but feel that the risks are too high, especially since children can easily access these materials. The decision was said to have been difficult and painful for the administrators, who strongly support the tradition of academic freedom. The decision was criticized by a student spokesperson, who compared it to banning books. [Comments by MK: The anonymity of the Internet will continue to cause difficult problems related to access by children. Right now, the response of well-meaning administrators and others is to put blanket restrictions on everyone so as to prevent unsupervised use of the Internet by minors. Imagine a world where no one had developed the concept of an ignition key for automobiles. We can imagine well-meaning highway administrators concerned with access to the high-speed transportation infrastructure exclaiming, "Gosh, but with these highways and cars, children could travel to (gasp) brothels and pigsties! They could see things that their parents would never want them involved in." And so the highway administrators would shut down roads in an attempt to prevent access to bad places by children. In both the real world and this imaginary world, these difficulties are caused by the lack of identification and authentication in accessing the highways. In the real world, we have ignition keys for automobiles and severe penalties for stealing automobiles or driving without a permit. We have no accepted standards for access to networks. Parents who are concerned about access to a network by their children could take the responsibility of locking their computers or their modems. However, that's a pretty crude approach too--all or nothing. And what about the children's independence and growth? There are already devices available for controlling access to television; parents program the times, channels and duration of viewing permitted for their children, who punch in a PIN to gain personally-tailored access to the TV. Maybe as Internet access grows, there will arise sufficient interest and demand for menu systems for access to the Internet. Parents could select the sections of the Internet which they wish to allow for their children; children and parents could explore the Internet together and add or remove destinations and newsgroups as they see fit. Right now, CompuServe has access to Internet newsgroups. The administration has settled on a middle ground in restricting access to the Internet by limiting the _listings_ of newsgroups. In fact, however, if someone already knows the name of a newsgroup, they are free to subscribe even if it isn't listed. I think that we have to move beyond a crude TOTAL ACCESS / NO ACCESS dichotomy in regulating access to the Internet. We need finer granularity in our restrictions so that we don't infringe on the rights of adults. A final note. In a recent thread on the NCSA FORUM on CompuServe, there was a discussion about whether there were mechanisms for restricting BBS and Internet access by children. I answered, "Yes--one is PARENTAL RESPONSIBILITY."] M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn (Carlisle PA) ------------------------------ Date: Mon, 31 Oct 1994 18:44:44 -0500 (EST) From: Steve Holzworth Subject: followup on Sears captures signatures [ From RISKS-FORUM Digest; Volume 16 : Issue 53 -- MODERATOR ] Since my original post concerning Sears now digitizing signatures when you sign a credit card slip, bunches of people :-) have sent me Email, either asking for elaboration on the risks involved, or adding anecdotes of their own. I'll attempt to describe the potential risks as I see them. Summary of previous post: Sears in my area has recently started asking for people to sign their credit card receipts while the receipts are on what is obviously a small digitizing pad. Sears doesn't make it obvious that this is the function of the device. You can refuse to sign on the tablet. They'll probably have to call someone first to OK it. Potential Risks of digitized signatures: Capturing the act of signing gives the store more information than simply scanning a copy of a signed receipt would. In addition to the basic image of the signature, the tablet can also effectively record stroke information (direction of strokes, and possibly, pressure of strokes). This is important, because given stroke information, it is almost trivial to write a program to fake a signature with a pen plotter. Simply use the stroke points as control points for spline curves. Said control points can then be perturbed slightly to yield what appears to be the same signature STYLE, without being a direct copy of an existing signature. Of course, Sears wouldn't do anything so stupid. However, once the data is available, a disgruntled or entrepeneurial employee could sell the data to other parties. Let's see. Bill Gates goes to Sears and buys a screwdriver on his credit card. How much is his signature potentially worth on the market? Or, (for the really paranoid :-) ), some government agency, say, DEA, known to be overzealous at times, decides to "apply" your signature to some incriminating evidence... I don't believe Sears (and others mentioned) can perform dynamic signature verification on the fly. They can't possibly have that horsepower at the terminal (at present). Even simple credit card number verification takes 30 seconds or more. Imagine the complexities of looking up one of N million signatures, correlating it to the new sample, then issuing a go/no-go response in a reasonable time frame. The closest approximation to this so far is the Apple Newton handwriting recognition. It looks in a small (10k words) dictionary, has to be trained to your writing style over time, and still screws up often enough to cause some headaches. How tolerant is your customer base to having their charges denied when they KNOW they wrote a valid signature? More importantly, what REASON can Sears have for wanting this information? I proposed that they can't do anything useful with it yet, so why should we let them have it? Further, to the best of my knowledge, no credit card provider requires card owners to supply digitized signature information when initiating a transaction. My understanding is that, per the card issuer agreement with the merchant, the merchant CANNOT require ANY other identifying information, assuming they get an approval code from the card issuer. Keep in mind, you don't even SIGN a receipt for a mail-order purchase... Why should we let Sears et al digitize our signatures? One limited use of a digitized signature could be to display a specimen of your signature on POS terminal so the clerk can compare with your receipt. Of course, that is supposedly what the signature on the back of the card is for (among other things)... One responder mentioned that if the customer was signing paper on top of a tablet, it was unlikely that much information could be captured beyond stylus pressure. This is incorrect. I developed high-end CAD software for civil engineering and land planning for many years. All of the digitizers we used were capable of capturing positional information through quite a number of layers of vellum, mylar, and/or paper. This was necessary because much of engineering work involves tracing existing maps or drawings. Several responders stated that they had run into similar digitizers at Sears, Service Merchandise, and others. A few stated that my example of refusing to sign had encouraged them enough to "just say no" :-) next time. I'm not trying to be paranoid, but I attempt to see all of the angles when confronted with a situation as described above. I operate under the rule that unless you can give me an extremely good reason why I should give you some class of information about me, you don't get it. Numerous posts to RISKS have documented how quickly and easily information about someone is disseminated, and how difficult it is to correct misinformation, once it gets spread. I attempt to minimize acquisition of the information as a preemptive measure. Steve Holzworth SAS Institute x6872 SAS/Macintosh Development Team Cary, N.C. sch@unx.sas.com ------------------------------ Date: Fri, 4 Nov 1994 15:55:56 -0600 (CST) From: dfrankow@winternet.com (Daniel Frankowski) Subject: Minnesota driver license [ From RISKS-FORUM Digest; Volume 16 : Issue 53 -- MODERATOR ] *City Pages*, a great free news weekly here in the Twin Cities (Minnesota USA), recently had an article [1] chock full of privacy issues and implications of the new Minnesota driver license (not "driver's" but "driver" on our license). I approached the article with deep suspicions about a new card, and came away only slightly less suspicious. The old license has been the same for 25 years. It has a picture, a license number and some personal information (address, height, weight, signature, birthdate, etc.). .. [O]fficials were tired of the ease with which the old card could be forged and altered. In early 1990, local police officials uncovered a forgery ring in the Twin Cities that used fake Minnesota licenses to open bank accounts and pass close to $1 million worth of bad checks. To make it harder to forge, the new card is printed in several fonts and the location of your (digitized and stored) picture depends on your age. For the information age, there is a barcode with your driver license number, and a magnetic stripe that can contain three lines of about 80 characters each, currently slated to contain a person's full name, date of birth, and driver license number. The article raises a plethora of issues, some of which follow. I have hastily tried to put them into categories, which unfortunately overlap. INFORMATION HANDLING RISKS - - The state government assumes that the public should trust government agencies with these technologies. This resulted in a lack of public discussion or input because the government did not publicize the new card proposal. The article gave an example I had not heard why we should not trust government: upon dishonorable discharge from the US military, it assigned a code which potential employers and others could get. 257 meant "unfitness, homosexual acts," 261 was "psychiatric or psychoneurotic disorder," 287 was "unclean habits including venereal disease," and 289 "unsuitability, alcoholism." - - Currently, the Driver Vehicle Services (DVS) department makes all their information public except social security number and medical information. That is, registration and title info, driving records, and the personal information from your license. The state sells it ("provides it for a fee"), and currently has 600 online accounts (presumably customers buying the information). They can sort by age, area, or size of person, for example. - - The card is a universal identifier, a notion often reviled in RISKS. - - The article mentions a national database of 7 million commercial drivers (only truckers?) called (and operated by) AAMVANET which went online January 1989. It contains each person's name, date of birth, social security number, and physical descriptors. "It was mandated by the federal government because truckers were getting licensed in multiple states to avoid suspensions." Barry Goleman is the president of AAMVANET, Inc., a subsidiary of the American Association of Motor Vehicle Administrators. "Goleman says that in the future, the system will include all drivers-- currently a total of 160 million, nationwide." - - The license may be linked to issues unrelated to driving. In Wisconsin, your license may be suspended for failing to pay public fines. The article's example is a late book fine at the public library. RISKS OF SUDDENLY SWITCHING TECHNOLOGIES - - The company producing them (Deluxe Check Corporation, big in Minnesota) promised quicker turnaround for new licenses, but their digitizing cameras overheated, and their incompatible transmission protocols lost about 4000 new pictures which have to be retaken. RISKS OF MAGNETIC STRIPES Goleman (see above) said "upward of" 22 states have magnetic stripe-reading technology for driver licenses already. - - You, the card holder, cannot easily read the magnetic stripe to ensure that there are no mistakes because a special machine is required. - - Businesses could modify credit card readers to read the license stripe "ostensibly to verify ID" and build databases of shopping habits and personal information. - - Minnesota businesses are trying to get extra information put on the magnetic stripe. - - A state group proposed distributing AFDC (welfare) money. The article hypothesized the card could be used (say) to track your location. Comments: At first, I was impressed with the fact that all information in the barcode and magnetic stripe would also be visible on the card. In other words, no hidden information. However, other points listed above drained away my relief. I noted a fatalism about the article: it catalogued frightening consequences without proposing solutions or interviewing privacy experts. This seems typical of even good journalism these days. So are there simple guiding principles about the use of information for a driver license? Would it be a good idea to pass a law requiring cash machines to be able to display (for free) any information on a magnetic stripe given the appropriate PIN #? How else can we solve the problems above? 1. Card Blanche, Jennifer Vogel, City Pages, Vol 16, No 725, October 26, 1994, pages 15-20. Dan Frankowski dfrankow@winternet.com ------------------------------ Date: Thu, 10 Nov 1994 04:06:13 -0500 (EST) From: dgh@BIX.com Subject: Discover Card "Fraud" Mailing update Discover card did not do a bulk class mailing of their "Fraud Prevention" information notices. They were included with the monthly bill. I don't think that anybody in their right mind is going to toss out their monthly Discover Card bill, unopened... [ It appears that Discover card customers who were mailed regular statements recently had the "fraud prevention" notice/request included with their statement. However, bulk class mailings did go out to subscribers who were not due statements, presumably including people with a Discover card who did not have any current card activity, which could be a very large number of folks. -- MODERATOR ] ------------------------------ Date: Sat, 12 Nov 1994 13:56:25 -0500 From: David Banisar Subject: Ohio Supreme Court Upholds Privacy of SSNs In a decision handed down on October 26, the Ohio Supreme Court has ruled that governmental disclosure of Social Security numbers (SSNs) violates individuals' constitutional right to privacy. At issue was a request by the Akron Beacon Journal for release of computer tape records of the City of Akron's year-end employee master files. The payroll files contain various information including employees' names, addresses, telephone numbers, SSNs, birth dates, education, employment status and positions, pay rates, service ratings, annual and sick leave information, overtime hours and pay, and year-to-date employee earnings. The City had provided the records to the newspaper, but deleted the SSNs on privacy grounds. EPIC staff, on behalf of Computer Professionals for Social Responsibility, joined with the Public Citizen Litigation Group in filing a "friend of the court" brief in the case. The CPSR/Public Citizen brief highlighted the privacy implications of SSN disclosures and argued in support of the City's decision to withhold the numbers. The brief urged the Ohio Supreme Court to follow the lead of the U.S. Court of Appeals for the Fourth Circuit in the case of Greidinger v. Davis, where Virginia's practice of requiring SSNs for voter registration purposes was held unconstitutional. EPIC staff had similarly participated in the Greidinger litigation as friends of the court. Significant excerpts from the Ohio Supreme Court decision: The city's refusal to release its employees' SSNs does not significantly interfere with the public's right to monitor governmental conduct. The numbers by themselves reveal little information about the city's employees. ... While the release of all city employees' SSNs would provide inquirers with little useful information about the organization of their government, the release of the numbers could allow an inquirer to discover the intimate, personal details of each city employee's life, which are completely irrelevant to the operations of government. As the Greidinger court warned, a person's SSN is a device which can quickly be used by the unscrupulous to acquire a tremendous amount of information about a person. ... Thanks to the abundance of data bases in the private sector that include the SSNs of persons listed in their files, an intruder using an SSN can quietly discover the intimate details of a victim's personal life without the victim ever knowing of the intrusion. Coming a year after the Greidinger decision, the Akron Beacon Journal case continues a trend toward judicial recognition of the privacy implications of SSNs. EPIC will continue to participate in related litigation in an attempt to establish a body of caselaw protecting the confidentiality of SSNs and other personal information. David Sobel (Sobel@epic.org) Legal Counsel Electronic Privacy Information Center ------------------------------ End of PRIVACY Forum Digest 03.22 ************************