Date: Fri, 11 Nov 94 11:42:19 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#061

Computer Privacy Digest Fri, 11 Nov 94              Volume 5 : Issue: 061

Today's Topics:                         Moderator: Leonard P. Levine

    Points on Various Topics
    Re: Mother's Maiden Name
    Re: Snail-mail forwarding
    Re: Snail Mail forwarding
    Re: Snail-mail forwarding
    Clipper Chip information needed
    Re: First Amendment Rights vs Regulation of the Net
    Re: Must I Always Carry I.D?
    Re: Must I Always Carry I.D?
    Re: Must I Always Carry I.D?
    Re: Intrusive Supermarket Card
    Re: Intrusive Supermarket Card
    Re: Intrusive Supermarket Card
    Medical System Security Reply
    Re: Sears Captures Signatures
    E-mail headers
    Re: Other People's E-mail
    Privacy Rights Clearinghouse
    Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 08 Nov 1994 21:25:03 -0600 (CST)
Subject: Points on Various Topics
Organization: University of Wisconsin-Milwaukee

Digital Telephony

In response to Gayle Hodur (Nov. 4), the President signed the Digital Telephony law Oct. 25.

Mother's Maiden Name

In response to Jim Huggins' comments about mother's maiden name Nov. 3 and subsequent comments: It's important to realize that under a Federal Trade Commission ruling it is permissible for a credit bureau to rent, sell or give away a person's mother's maiden name (along with phone number, Social Security number and other identifying information) without any of the protections of the Fair Credit Reporting Act. As people in the digest have noted, mother's maiden name has traditionally been a simple and secure authenticator, but now that it is so commonly available commercially, there are no longer any safeguards.
Credit bureaus commonly did not gather this bit of data, but with the FTC ruling they certainly have an incentive to do so now - and to sell it to anyone without any need to check out the requester's legitimacy.

Must I Always Carry I.D.?

In response to Mrs. Carey L. Nelson's inquiry Nov. 4 (Is one obligated to carry personal ID documents?), the U.S. Supreme Court has ruled that it is unconstitutional to require a person to produce personal identity so long as one's behavior is not illegal. Kolender v. Lawson, 461 U.S. 367 (1983). This information comes from OUR VANISHING PRIVACY, by Robert Ellis Smith ($16.95 from Privacy Journal, P.O. Box 28577, Providence RI 02908, 401 274 7861, 0005101719@mcimail.com).

Mike Robkin asked for the best sources on European data protection (privacy) laws. They are:

Handbook of Personal Data Protection (Stockton Press) by Wayne Madsen, amends@incomsec.org. It has full texts.

Compendium of European Data Protection Legislation (Intl Business Action Centre) by G Russell Pipe, in Amsterdam 31 20 673 7311, fax 31 20 675 3827 or in the U.S. 703 323 9116, fax 703 250 4705. It describes and explains the laws.

Privacy Laws and Business published by Stewart Dresner in Middlesex, U.K., 81 866 8641, fax 81 868 2915. He has proposed laws as well.

If you need U.S. and Canadian laws, the authoritative source is Compilation of State and Federal Privacy Laws (1994, 136 pages, $33), published by Privacy Journal in Providence RI. 0005101719@mcimail.com.

-- From Robert Ellis Smith, Privacy Journal.

------------------------------

From: huggins@quip.eecs.umich.edu (Jim Huggins)
Date: 09 Nov 1994 15:33:17 GMT
Subject: Re: Mother's Maiden Name
Organization: University of Michigan EECS Dept.

Serrano wrote:

And don't forget that dishonest family members who obviously know one's mother's maiden name can defraud one real easy, not to mention also snooping on spouse and children to see their spendings.
Of course, a dishonest family member may also still have physical access to your house, which would give them all sorts of opportunity for old-fashioned fraud (stealing the silver, swiping your credit card out of your pocket, dialing 1-900-SEX-LINE from your phone ...).

It's my understanding that insider fraud is the most difficult type of fraud to prohibit in most situations. The main alternatives are to require 'good' passwords (which many people would write down on paper and keep in their wallet, thus leading back to the original problem) or to deny phone-based services entirely.

The question is: what kind of threat model are you concerned about? Mother's maiden name is probably good-enough for the casual thief who finds your wallet but doesn't know you from Adam. If you want greater security, you'll need a more complicated authentication scheme.

--
Jim Huggins, Univ. of Michigan                      huggins@eecs.umich.edu
"You cannot pray to a personal computer no matter how user-friendly it is."
(PGP key available upon request)                         W. Bingham Hunter

------------------------------

From: cntrspy@ix.netcom.com (Executive Protection Associates)
Date: 09 Nov 1994 19:37:54 GMT
Subject: Re: Snail-mail forwarding
Organization: Netcom

ratner@ficus.CS.UCLA.EDU (Dave Ratner) writes:

BUT: the "forwarding" card to be filled out requires no documentation to submit, and can even be mailed in to the postmaster of your old zip (postal) code. So what stops random guy/stalker/person-mad-at-you from submitting a forwarding address card as you and getting all of your mail? It would seem the Post Office should require at least a *little* documentation other than a signature which can't even be checked against anything.

Absolutely nothing prevents un-authorized use except fear of being convicted of a US code violation. Check out alt-revenge if you really want a scare on how this stuff is used.

--
Chris Hall, Chief Operating Officer
Executive Protection Associates, Inc.
Worldwide Investigations, Privacy Protection Consultants, Second Passport Agents, Off-shore Banking and Trust Agents.
e-mail: cntrspy@ix.netcom.com, cntrspy1@ipn.net *PGP key available.
Opinions Expressed are those of the Author and not of EPAI.
WWW Home Page ( http://www.mps.ohio-state.edu/cgi-bin/hpp?spook_stuff.html )

------------------------------

From: "Rapisarda, Alessandra"
Date: 09 Nov 94 15:12:47 EST
Subject: Re: Snail Mail forwarding

Dave Ratner wrote re: snail mail forwarding:

BUT: the "forwarding" card to be filled out requires no documentation to submit

Dave: I agree that this is a surprisingly easy process to complete! I recently moved my residence and was shocked that I could perform this action without ever telling anyone that I was really me. Also- the information goes to the Post Office on a postcard- not a sealed envelope. I was extremely uncomfortable with this ability.

AND- does anybody know if all the mail from the previous address comes to the new one? I get all the mail- even mail going to my boyfriend's "ex-".

Amazing how fanatical we can be if someone reads or steals snail mail (a FEDERAL offense), but anyone can re-direct it to the moon if they wanted to. I guess if you stop getting snail mail, you know what happened...

See ya.

-- Alex Rapisarda

------------------------------

From: Paul Cook <0003288544@mcimail.com>
Date: 10 Nov 94 13:36 EST
Subject: Re: Snail-mail forwarding

ratner@ficus.CS.UCLA.EDU (Dave Ratner) wrote:

BUT: the "forwarding" card to be filled out requires no documentation to submit, and can even be mailed in to the postmaster of your old zip (postal) code. So what stops random guy/stalker/person-mad-at-you from submitting a forwarding address card as you and getting all of your mail? It would seem the Post Office should require at least a *little* documentation other than a signature which can't even be checked against anything.

It happened to me!

I noticed that my mail delivery was getting erratic.
Our postman had open heart surgery, and we had suffered through a series of substitute mail carriers, so I thought that this was the cause of the problem. It seemed like I was only getting a few bulk mail pieces.

Finally I called my local post office to see when my old postman would be back on the job. He was there when I called, and when I asked about my mail, he said "I've been forwarding it to Maui just like you wanted!".

I was incredulous. He went to get the forwarding order, and there it was with a forged signature, directing all my first class mail and magazines to General Delivery, Wailuku, HI.

The next day he dropped off a copy of the forwarding order with the forged signature, and I let the postal inspector know. I called the Wailuku post office, and asked if they had any mail for me. The guy who answered the phone said "Yah, Mon...got a BIG pile of your mail. When you comin' in to pick it up??"

The postal inspector arranged for all the mail to be boxed up and shipped back overnight at no charge. It was a BIG box of mail. I caught it just in time so that I didn't have any late unpaid bills. We never did figure out who did it.

A few years later I had a roommate who was intercepting offers from credit card companies, filling them out with information he had gleaned by snooping through my tax returns, and then intercepting the cards before I saw them. He would run up big charges, which the credit card companies just wrote off. He never got caught either.

--
Tad Cook
tad@ssc.com

------------------------------

From: Shannon Dunn
Date: 09 Nov 94 15:32:10 EST
Subject: Clipper Chip information needed

My name is Shannon Dunn and I am a junior at Northern Michigan University. My reason for writing is to request information on the Clipper Chip issue. Any kind of information regarding the Clipper will be a great aid to an ethics paper I am writing concerning this issue.

Thank You.
-- Shannon Dunn

------------------------------

From: gmcgath@condes.mv.com (Gary McGath)
Date: 09 Nov 1994 18:30:37 -0500
Subject: Re: First Amendment Rights vs Regulation of the Net
Organization: Conceptual Design

KL9636A@american.edu (Kevin Levitt) wrote:

I am a senior at American University conducting a research paper on the issue of first amendment rights vs. regulation of the net. I am looking for opinions, articles, papers, and/or references on the subject. Also, how can the government regulate the net without breaching our first amendment rights and should the net be regulated at all? Thanks for your help!

I recommend Jonathan Emord's *Freedom, Privacy, and the First Amendment*, Pacific Research Institute for Public Policy, 1991.

--
gmcgath@condes.mv.com
"Do not beg for alms from those who have robbed you." -- Ayn Rand

------------------------------

From: mcinnis@austin.ibm.com (Mickey McInnis)
Date: 09 Nov 1994 20:12:44 GMT
Subject: Re: Must I Always Carry I.D?
Organization: IBM Austin

centauri@crl.com (Charles Rutledge) writes:

Not true. The Supreme Court ruled sometime back that you are not legally bound to carry identification nor identify yourself to law enforcement officials unless they have suspicion that you are doing something illegal. The case dealt with a black man walking at night through a mostly white neighborhood and stopped by people and asked to identify himself. When he couldn't (he was not carrying any identification at the time), they arrested him for basically having no ID. In the ruling, the Supreme Court said that law enforcement officials have no right to demand ID from someone just minding his own business.

Of course, law enforcement officials often have a very liberal interpretation of what minding one's own business is.

The police can charge you with a minor offence such as jaywalking, etc. and hold you in jail until you produce ID or go to trial. (or appear before a judge, etc.) i.e.
they can hold you in jail for an offense that you would normally get a ticket for if you don't produce "adequate" ID.

This happened in Denver some years back to someone charged with jaywalking who didn't have ID. They spent 3 nights in jail because all the judges were in a conference.

In theory, you aren't being held for refusing to ID, and the cops won't make some minor charge up just to hold you. In practice....

-- Mickey McInnis - mcinnis@austin.ibm.com (mcinnis@vnet.ibm.com outside IBM)

------------------------------

From: amy young-leith
Date: 10 Nov 1994 09:38:32 -0500
Subject: Re: Must I Always Carry I.D?
Organization: Computer Science, Indiana University

Kevin Kadow wrote:

Not in the USA, but true in many other countries. You CAN be hassled by the police if you don't have identification, and of course you need a drivers license to drive (and the drivers license functions as a de facto national ID card).

On a related tangent, I've had an argument with friends over the issue of what happens if you DO NOT carry your driver's license with you.

If you are pulled over and you HAVE a valid drivers license issued to you, but you don't have it WITH you (it's at home on the table or in your purse slung on the chair or...), is THAT a crime? Will you be charged with something? Will you have any chance to obtain your license to avoid this charge if there is one?

--
---------------------------------------------------------------------------
 \      Amy Young-Leith     Bloomington, Indiana     Lifetime Student
  \ /\      (That thing to the left is a bunny!)
  ( )       The views expressed within represent only my opinions.
.( o ).     http://nickel.ucs.indiana.edu/~alyoung

------------------------------

From: lawrence@combdyn.com (Lawrence *The Dreamer* Chen)
Date: 10 Nov 1994 21:38:11 GMT
Subject: Re: Must I Always Carry I.D?
Organization: Combustion Dynamics Ltd.

coreynelso@aol.com (CoreyNelso) writes:

A friend recently told me that he thought you HAVE to carry I.D.
of some kind with you at all times. I don't think you need "your papers please" just to walk around the block. Does any one have any ideas about this?

Along a similar line.....if I'm supposed to have ID, what constitutes valid ID? Does it have to have a photograph? If so, just where does one get one aside from their passport?

Everybody seems to automatically ask for a driver's licence as ID, but I don't have one of these beasts....because I have no use for having one. Something about being able to ensure that I can see when I'm driving (I see well enough to work in front of a 19" monitor, but if you want me to see distance accurately that's another story).

--
WORK: lawrence@combdyn.com      | PHONE 403 529 2162 | FAX 529 2516 | VE6LKC
HOME: dreamer@lhaven.uumh.ab.ca |       403 526 6019 |     529 5102 | VE6PAQ
----------------------------------------------------------------------------
Praxis Society K12 BBS - 403 529 1610 | Lunatic Haven BBS - 403 526 6957
----------------------------------------------------------------------------
disclamer = (working_for && !representing) + (Combustion Dynamics Ltd.);

------------------------------

From: bennett@cs.niu.edu (Scott Bennett)
Date: 09 Nov 1994 22:53:52 -0600
Subject: Re: Intrusive Supermarket Card
Organization: Northern Illinois University

Winn Bill wrote:

There is a supermarket chain in Indiana, Marsh Supermarkets, that has a discount card program called "Fresh IDEA" (Instant Discounts Electronically Applied). The idea behind the program is one completes an application and gets a discount card in return. When making purchases at Marsh, holders of this card are given unpublished discounts.

The application has some very interesting, and intrusive, questions. Many of the questions, sans the multiple choice answers, follow. Remember, this is a discount card program for a supermarket

Sounds like Marsh Supermarkets is a latecomer to this sort of offensive marketing measure.
Jewel Tea (Jewel Foods) has been up to this nonsense for at least a year now. Jewel calls it the "Preferred Card."

--
Scott Bennett, Comm. ASMELG, CFIAG
Systems Programming
Computer Center
Northern Illinois University
DeKalb, Illinois 60115
**********************************************************************
* Internet:      bennett@netmgr.cso.niu.edu       bennett@cs.niu.edu *
* BITNET:        A01SJB1@NIU                                         *
*--------------------------------------------------------------------*
* "The jury has a right to judge both the law as well as the fact in *
* controversy."--John Jay, First Chief Justice, U.S. Supreme Court   *
* in Georgia vs. Brailsford, 1794                                    *
**********************************************************************

------------------------------

From: johnl@iecc.com (John R Levine)
Date: 10 Nov 94 22:15 EST
Subject: Re: Intrusive Supermarket Card
Organization: I.E.C.C., Cambridge, Mass.

[long list of nosy questions on supermarket discount card]

The owner/CEO of the chain has been sent a letter inquiring as to why all of this information is needed for a coupon card, but thus far there has been no reply.

They're compiling prospect lists for junk mail, of course. On most of those cards all you really need to fill out is name and address, and you don't even have to do that truthfully. In many cases the card doubles as a check cashing card (for people who haven't figured out that if you pay with your Visa card you get a month's free float) so in that case the name, address, and bank reference had better match. They all ask for SSN, but I've only run into one (Stop and Shop) who refused to give me a checks cashing card without one.
--
John Levine, johnl@iecc.com
Primary Perpetrator of "The Internet for Dummies"

------------------------------

From: morris@grian.cps.altadena.ca.us (Mike Morris)
Date: 10 Nov 1994 11:18:34 GMT
Subject: Re: Intrusive Supermarket Card
Organization: College Park Software, Altadena, CA

Winn Bill writes:

There is a supermarket chain in Indiana, Marsh Supermarkets, that has a discount card program called "Fresh IDEA" (Instant Discounts Electronically Applied). The idea behind the program is one completes an application and gets a discount card in return. When making purchases at Marsh, holders of this card are given unpublished discounts.

The application has some very interesting, and intrusive, questions. Many of the questions, sans the multiple choice answers, follow. Remember, this is a discount card program for a supermarket (analogous to using coupons), not a security clearance application.

[long list of questions]

Sounds like market research to me - if you have a P.O. Box why not fill it out, with answers appropriate for a deceased ancestor, and a ssn with a 9x center digit string (never used for a real ssn). Give them minimal info - i.e. no kids, no smoking, rent, no insomnia, diabetes, not in military service, no computer, no beer, etc. See how much promo stuff to that name appears in the PO box.

I've done similar tricks and been able to pin a lot of stuff on various mailing list sellers that say "we don't sell our list". Yes, they don't. They rent it.

--
Mike Morris WA6ILQ   | All opinions must be my own since nobody pays
PO Box 1130          | me enough to be their mouthpiece...
Arcadia, CA. 91077   | ICBM: 34.12N, 118.02W | Reply to: morris@grian.cps.altadena.ca.us

------------------------------

From: Bob Bales <74774.1326@CompuServe.COM>
Date: 10 Nov 1994 11:30:02 GMT
Subject: Medical System Security Reply
Organization: National Computer Security Association

The National Computer Security Association (NCSA) is hosting the 2nd Medical System Security Symposium on November 16-17, in Washington, DC. The proceedings from this symposium include, inter alia, the US OTA report on Health System Security and the new (standalone) chapter from Benjamin Wright's book "Law of Electronic Commerce", which treats the subject of the protection of medical records.

The moderator for the symposium is recognized security expert Dr. Michel Kabay, a frequent contributor to the RISKS digest, columnist for Computing Canada, Interex Magazine and Network World, and Director of Education for the NCSA.

Anyone interested in more information about this symposium can send me an EMail; I'll respond promptly with details.

--
Bob Bales                    | CompuServe InfoSec Forum: GO NCSA
Natl Computer Security Assoc | Phone: 717-258-1816
10 South Courthouse Avenue   | Fax: 717-243-8642
Carlisle, PA 17013           | Email: 74774.1326@compuserve.com

------------------------------

From: anonymous
Date: 10 Nov 1994 11:40:33 GMT
Subject: Re: Sears Captures Signatures
Organization: College Park Software, Altadena, CA

"Prof. L. P. Levine" writes:

Since my original post concerning Sears now digitizing signatures when you sign a credit card slip, bunches of people :-) have sent me Email, either asking for elaboration on the risks involved, or adding anecdotes of their own. I'll attempt to describe the potential risks as I see them.

UPS also digitizes signatures using a clip-board style computer with a receipt form on it... And my best friend's was forged by UPS onto one of their forms authorizing them to withdraw funds to pay UPS shipping charges. I wonder how many signatures are on file.
His company fell for a UPS "trial period" for daily pickup from his start-up company. I don't know the details but UPS was supposed to bill him monthly. Instead they were withdrawing daily.

My friend is VP of the company, and was out of town the day the UPS sales-slime visited the co. The pres signed some forms. He specifically told the sales-slime he wanted monthly billing.

Several weeks later the company bounced a check. Investigation revealed daily UPS withdrawals and several for next-day airfreight of packages that were marked for the cheapest ground transit.

The pres asked the salesman to get the regional manager to visit us. It took about 3 weeks to get everybody in the same room at the same time. The UPS sales-slime produced a form signed by my friend authorizing the daily withdrawals, and dated the day the sales-slime visited the co. My friend produced his ATM card, pointed out the number, and produced an ATM receipt dated & timed 3 hours later 650 miles away on the same day. Also a round trip airline ticket with a departure the previous day and return 3 days after.

There were some interesting discussions concerning fraud and forgery. My friend has never signed a UPS clipboard at the co. address - just at home, 12 miles away. He rents, so his name was not cross-ref'd via address. The last package he signed for at the house was over 4 months earlier.

Anyway, the end result was that the company had to close out the account and change _banks_ - not just accounts - to get UPS out of the company funds. I believe that the sales-slime was canned.

If you publish this, please keep my name & email address confidential.

[moderator: I did. The address at the top of this document is mine.]

------------------------------

From: "Houston, James A."
Date: 10 Nov 1994 08:42:56 -0600 (CST)
Subject: E-mail headers

Can anyone enlighten me on the subject of email headers? My question stems from recent discussion regarding whether someone else's mail can be read.
My question is this, *if* a "blind" carbon copy is directed to the president of my company, can I see that transaction in the header, or is that type of thing controlled by the email application being used, e.g., ccmail?

I just want to know if there is a way to *detect* if my mail is being directed to secret places I normally would not be aware of.

------------------------------

From: (Gerard J. Ashton)
Date: 10 Nov 1994 15:28:12 -0500
Subject: Re: Other People's E-mail
Organization: IBM Microelectronics Division

One case I treat differently depending on whether it is paper mail or e-mail is mail sent to me by mistake. If I receive paper mail at home by mistake, I write "no such person at this address" on it, put it in my mail box, and raise the red flag so the mail carrier will pick it up.

If I receive e-mail at work by mistake at work, I read enough of the message to figure out where it should go, and send it to the appropriate person along with an explanation (if possible). Otherwise, I reply to the sender. I don't know of any specific policy about misdirected e-mail, but I feel my approach is consistent with the general policies of respect for the individual and service to the customer.

I have e-mail access at home, but never received any misdirected e-mail there. I never received any misdirected paper mail at work that would have required opening it to figure out the correct destination.

Any laws passed on this subject should try to strike a good balance about when it is acceptable for an end-user to read the body of a message in order to forward misdirected e-mail to the correct destination, and when it is not. This is especially true in the case where e-mail gets to the right company but the wrong employee.

--
Gerard Ashton            IBM Microelectronics Division
Phone: (802) 769-5667    Essex Junction, Vermont
Send Internet E-mail to ashton@vnet.ibm.com

------------------------------

From: "Prof. L. P. Levine"
Date: 11 Nov 1994 09:52:43 -0600 (CST)
Subject: Privacy Rights Clearinghouse
Organization: University of Wisconsin-Milwaukee

The following was taken from the cpsr-global listserver.

From: Judi Clark
Subject: Privacy Rights Clearinghouse.

Judi Clark wrote a note to another group about this resource. It may be useful in countries where there are ongoing battles about who owns health information, earnings, etc. of an individual.

Privacy Rights Clearinghouse. You can read it from the web at the URL: http://www.manymedia.com/prc/ (look for the publications list).

You can also reach them through other methods:

E-mail: prc@teetot.acusd.edu
Gopher: gopher gopher.acusd.edu
Ftp:    ftp ftp.acusd.edu
        user name: anonymous
        password: guest
        ftp>cd pub/privacy

I hope this helps.

-- judi

------------------------------

From: "Prof. L. P. Levine"
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of submission. An article is printed if it is relevant to the charter of the digest. If selected, it is printed within two or three days.
The moderator reserves the right to delete extraneous quoted material. He may change the subject line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |               and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #061
******************************