Date: Wed, 19 Jan 94 13:50:26 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#020

Computer Privacy Digest Wed, 19 Jan 94
Volume 4 : Issue: 020

Today's Topics:
Moderator: Leonard P. Levine

    SSNs and E-mail guidelines
    Credit, Retirement and SS Reports
    Buckley Act Outrage
    Re: Form 1040
    Re: Form 1040
    Re: Autoland Credit Scam
    Re: FOIA and Copyright
    Data Encryption and Privacy

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: Mon, 17 Jan 94 10:35 EST
Subject: SSNs and E-mail guidelines

In response to the moderator's tax form: IRS has decided to cover the SSNs on Form 1040 but apparently did not decide in time to alter the 1993 forms. This change in IRS practices resulted from prodding by CPSR and other privacy advocates over the past five years.

Michael T. Palmer asked about SSNs and the Virginia drivers license. There was long litigation concerning the Virginia requirement that SSNs be provided IN ORDER TO VOTE, but not concerning the SSN on drivers licenses. A federal Court of Appeals ruled in March 1993 that Virginia could not demand the SSN in order to vote.

A. Lee Saloman asked about corporate policies on e-mail. Guidelines are available from the Electronic Mail Association in Arlington, Va. 703/875-8620.
It is EMA on most mailboxes; on CompuServe it's 70007,2377.

Robert Ellis Smith, Publisher, Privacy Journal.

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: Mon, 17 Jan 94 12:53:30 EST
Subject: Credit, Retirement and SS Reports

With all the talk about the Autoland Credit Scam and checking credit reports, it occurred to me that there are two other areas that should be checked at least yearly.

Get a copy of your earnings and benefits statement from the Social Security Administration. Call 800-772-1213 and they will send you a form to fill out and mail back. I do that yearly and have just done so for 1993.

Another place and is especially critical if one is in a defined contribution retirement plan (retirement pay based on earnings paid into the plan, not retirement pay based on age/years of service).

At one point several years ago, I wasn't receiving earnings and retirement projections from my retirement plan and started asking my employer about it. They stated that the payments went in on a regular basis but didn't know any more than I did.

I then contacted my retirement plan and when they got done checking, they found out that although my payments were credited correctly, the reports were going to Los Angeles, not Long Island.

Reason: Somebody goofed at the retirement plan and the reports were going to W. David Niebuhr, not David W. Niebuhr.

The retirement plan then reported back to my employer who graciously went over almost five years of records and gave me a complete readout of what was sent in, down to the penny amount. So did the retirement plan.

My SSN was not needed at the time since the policies are issued on a "participant number" that in no way resembles an SSN. They're trying to go the SSN way but when I call them, I refuse to give it to them even though they have it.

Moral: Check your retirement plan at least yearly as well as your SSN benefits and earnings. They can go just as screwy as a credit card in the wrong hands.
I've held the name of the retirement plan back but will reveal it if asked since it is the biggest private pension plan going (it has a huge investment in the Mega Mall in Minneapolis as well as underwriting another daughter's college education).

Dave Niebuhr      Internet: dwn@dwn.ccd.bnl.gov (preferred)
                  niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093

------------------------------

From: "Prof. L. P. Levine"
Date: Tue, 18 Jan 1994 15:18:02 -0600 (CST)
Subject: Buckley Act Outrage
Organization: University of Wisconsin-Milwaukee

[I recently received the following from a student at a University here in the United States. I agreed to post this under my name to secure that student's privacy. MODERATOR]

I'd like to share the following with the readers of your digest.

I am a graduate student at _______. I have a strenuous disagreement with one faculty member and in retaliation, I have discovered that this person has disseminated confidential information in my student file which, of course, is protected in full by the Educational Privacy Act of 1974, better known as the "Buckley Act."

Incredibly, when I complained, no one realized that a student's educational file is completely confidential and the contents therein can only be released to University personnel on a "need to know basis" and that under no circumstances, can information be disseminated to outsiders notwithstanding a signed release from the student in question.

I would GREATLY appreciate help from any one of you as to how best to deal with this outrage. Can violations of the Buckley Act and dissemination of information in student files be punished on a criminal basis? If so, who/where does one complain?

Also, if anyone has any other "tips" about the Buckley Act I would appreciate hearing them (for example, can anyone in a school access the information, or is it limited to instructional personnel or what??).

[If any reader wishes to privately mail material to this student, I will be glad to forward anything sent to me. MODERATOR]

------------------------------

From: todd@meaddata.com (Todd Leonard)
Date: 19 Jan 1994 14:29:04 GMT
Subject: Re: Form 1040
Organization: Mead Data Central, Dayton OH

The IRS TeleFile package (1040EZ-3) sent to eligible Ohio residents is rather inconsistent, privacy-wise...

- My SSN is prominently displayed on the peel-off label on the front cover.

- Instructions on the 3rd unnumbered page say, parenthetically, "For best results, and to ensure privacy, don't use cordless or cellular phones."

- Later on that page, the instructions continue, "TeleFile will use a recording of your voice [name + SSN] as your signature, so there's no form to sign."

To me, the most interesting nugget in the instructions is that the IRS dares to imply that despite law to the contrary, cellular phone conversations are less than private. :-) That's a nice touch, but clearly they still have work to do to "ensure privacy".

--
todd@meaddata.com     | No island is an island.
!uunet!meaddata!todd  |

------------------------------

From: "Prof. L. P. Levine"
Date: Tue, 18 Jan 1994 15:47:07 -0600 (CST)
Subject: Re: Form 1040
Organization: University of Wisconsin-Milwaukee

After contacting the information officer of the local office of the IRS, I now know about the various packages offered by them. There are 11 packages that are sent to taxpayers depending on which forms you filled out last year.

I was told that package 1040-5 is for people who filed Schedule C last year. The package was redesigned this year. Other packages will be redesigned later and the change that appeared in package 1040-5 this year will occur in other packages as they are redesigned.

For my purpose the only privacy change was the removal of the Social Security Number from the mailing label on the front of the package. The SSN is still used to identify you, but it is now on a separate sheet of paper located inside the package.

--
Leonard P. Levine                  e-mail levine@cs.uwm.edu
Professor, Computer Science        Office 1-414-229-5170
University of Wisconsin-Milwaukee  Fax    1-414-229-6958
Box 784, Milwaukee, WI 53201

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: Mon, 17 Jan 94 12:38:40 EST
Subject: Re: Autoland Credit Scam

images@netcom.com (David M. Berman) writes:

>>His reply: "Don't blame you, I'll leave it blank."<<

>>My daughter decided not to get the car due to the deal the salesman proposed so it was a moot issue (I hope).<<

>I'm rather certain that a name and address are sufficient identification to run a credit check. Your best protection at this point in time is to pay TRW or one of the other services to send you a recent report several times per year. These reports list INQUIRIES made into your credit record -- mine listed Autoland as one. Withholding your credit card number from the salesman did not hold him up at all because the TRW (or Equifax or Transunion) report lists ALL of your cards and ALL of their numbers along with credit line, payment history, balance, etc.<

Actually, I just sent away for copies of my credit reports from the "big three" and I'll be looking to see what, if any, inquiries have been made. From what I understand, the operative part of a credit report is the SSN and I didn't give the salesman that since he never asked for it.

Dave Niebuhr      Internet: dwn@dwn.ccd.bnl.gov (preferred)
                  niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093

------------------------------

From: brokowski@nwu.edu (Mike Brokowski)
Date: 18 Jan 1994 01:05:45 GMT
Subject: Re: FOIA and Copyright
Organization: Northwestern University, Evanston IL

In article , David P. Reed wrote:

>The recent note by James Love of Nader's Taxpayer's Assets Project attempt to break West's control of the Juris database raises interesting issues related to the use of FOIA to allow one taxpayer to seize another's property. (Let me make it clear that I'm not commenting on the dispute about Juris, instead I'm extending the argument Love makes).<

>FOIA is apparently being used to request a free copy of the contents of West's Juris database from the gov't. Apparently the cost of purchasing it from West is considered a barrier, and FOIA is being used to get it cheaper. [The general issue of whether the gov't should make judicial opinions available through channels other than West is more complex, but the FOIA approach tries to bypass those issues]<

>Now suppose that I sell the government a copyrighted work (a book, play, computer program, whatever). If a citizen decides that the gov't cost to make a copy of that work is less than it costs to buy it in the commercial marketplace, he/she can bypass the commercial source, and ask the gov't to give it to them under the FOIA, since it is a taxpayer asset. There is an exemption when it is in a library (obviously since the Lib of Congress gets copies of all books, this would be a problem). But where does it cross between a library and a taxpayer asset?<

Is the issue what constitutes a "taxpayer asset" or what is a "public record"?
Clearly the distinction may be blurry in many cases, but I thought that the FOIA was to provide reasonable access to documents that the government generates in the course of its functions, not to allow access to government assets. Am I mistaken?

I don't pretend to understand the entire legal machinery behind this kind of case, but it seems reasonable to assume that FOIA requests are intended to make accessible public records generated by the government in the course of government activities. The FOIA provides a check on government activities by making records of said activities available to the public and it is an assumed cost of government.

As I see it, the problem isn't that someone wants a free copy of West's records. Indeed, these *aren't* West's records, West only takes care of storage and distribution, they have no copyrights to them as they are public information (court records). (Someone correct me if this isn't the case.) The problem might be that the government has entered into a contract that it shouldn't have. If the government is required (by FOIA) to maintain these records and provide ready and (essentially) free access to them, then they have screwed up in telling West that West may maintain them *and* charge for access to them.

If the gov't wants to contract out this record keeping service and meet its FOIA obligations, then perhaps the contract needs to be reworked to allow West to provide access to these records and send the bill for such access back to the appropriate department. Otherwise, Uncle Sam is dodging the cost of meeting its FOIA duties whenever it contracts out the maintenance of public records to a private record keeper.

>If a gov't employee in the course of doing his job records a movie on HBO for later viewing under fair use (this is clearly not a library function), one might argue the FOIA gives an entrepreneur the right to request it for distribution to taxpayers free.
Looks like a new business opportunity, especially if you can get the FCC to do so on a regular basis.<

Hmm. Does the FOIA allow access to copyrighted materials at all? I thought it only allowed access to records generated by the gov't, not necessarily all of the data that the government has, some of which is the intellectual property of private entities. However, the poster has an interesting point in the (common?) case where private material is entered into a government record for some purpose. One recalls the popularity of the Meese Commission's Report on Pornography some time ago. :-)

Mike
brokowski@nwu.edu

------------------------------

From: Chuck Weckesser <71233.677@compuserve.com>
Date: 19 Jan 94 08:59:54 EST
Subject: Data Encryption and Privacy

Since the issue of PGP has been raised, I have a question about two programs (commercial) which I have paid for with the express intent of keeping my Macintosh, and the contents therein, completely private. One "layer" of privacy is insufficient.

The names of the programs are (1) Cryptomactic and (2) Nightwatch II, both manufactured by a firm called Kent Marsh Ltd.

The first program encrypts files using several different methods. I always choose "triple DES". I then use Norton to encrypt the encrypted file as there is no incompatibility in doing so. I then use Nightwatch II to actually lock the disk where the encrypted files are.

Question: Am I completely protected? If I have anything less than 100% protection, I am going to be disappointed upon finding that out from one of you guys as I shelled out big bucks for these programs. In theory, could even NSA penetrate my system given the steps I have taken to protect my data?

Finally, is anyone aware of a shareware program which DESTROYS your disc (if you so set that option) after incorrectly entering the password on the third attempt *after* first getting through security measures which cause no harm?

I am new to Internet and am following the PGP debate with great interest. As things now stand, and someone please correct me if I am wrong, it is absolutely *IMPOSSIBLE* to penetrate a system using PGP, correct?

I belong to CompuServe. I hope they have this file. I will try to look for it but if anyone is willing to send PGP through Internet at 71233.677@compuserve.com I would appreciate it.

------------------------------

End of Computer Privacy Digest V4 #020
******************************