PRIVACY Forum Digest      Saturday, 23 June 2001      Volume 10 : Issue 05

(<A HREF="http://www.vortex.com/privacy/priv.10.05">http://www.vortex.com/privacy/priv.10.05</A>)

Moderated by Lauren Weinstein (<A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A>)
Vortex Technology, Woodland Hills, CA, U.S.A.
<A HREF="http://www.vortex.com">http://www.vortex.com</A>

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems.
- - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    Charles Schwab Takes Step Backwards in Privacy Protection
       (Lauren Weinstein; PRIVACY Forum Moderator)
    Calif. DMV: Identity Theft Prevention System Causes Drivers' Grief
       (Lauren Weinstein; PRIVACY Forum Moderator)
    Surprise! Your New Webmaster is... Microsoft!
       (Lauren Weinstein; PRIVACY Forum Moderator)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "<A HREF="mailto:privacy@vortex.com">privacy@vortex.com</A>" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "<A HREF="mailto:privacy-request@vortex.com">privacy-request@vortex.com</A>". Mailing list problems should be reported to "<A HREF="mailto:list-maint@vortex.com">list-maint@vortex.com</A>".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributed and archived without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp <A HREF="ftp://ftp.vortex.com/">ftp.vortex.com</A>", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "<A HREF="http://gopher.vortex.com">gopher.vortex.com</A>/".
Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "<A HREF="http://www.vortex.com">http://www.vortex.com</A>"; full keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 10, ISSUE 05

Quote for the day:

    "No matter how horrible things are, they can always get worse."

        -- Julia O. Treadway (Barbara Stanwyck)
           "Executive Suite" (MGM; 1954)

----------------------------------------------------------------------

Date: Sat, 23 Jun 2001 15:20:55 PDT
From: <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Charles Schwab Takes Step Backwards in Privacy Protection

Greetings. Widely-used brokerage house Charles Schwab, already famous for a Website which is impossible to use properly without both Javascript and cookies enabled (even if you're just a potential customer who doesn't need to log in) has recently announced a significant step <B>backwards</B> in privacy protection for their clients.

In a recent newsletter, Schwab has announced a new system to provide a universal online login ID so that customers will no longer need to deal with separate login account IDs for different services. In fact, customers who wish to avail themselves of Schwab's upcoming "online statements" access will apparently be <B>required</B> to use this new login ID system, which Schwab says has been designed so that "you can't forget" your ID.

What's the new online login ID to which Schwab wants all of their customers to migrate? C'mon, you've already guessed! It's your Social Security Number! Just what we need, millions of customers blasting their SSNs across the Web daily just for basic account access.

Now, to be completely fair about this, Schwab does use SSL to encrypt most account activities, but as we've seen so many times in the past when security breaches occur on Web servers, SSL is almost never at fault. The problems usually relate to server configurations or other issues, allowing access to databases of information stored on the servers.

No matter how you look at it, SSN as a login ID is a bad idea. Shame on Schwab for this one.

--Lauren--
Lauren Weinstein
<A HREF="mailto:lauren@pfir.org">lauren@pfir.org</A> or <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> or <A HREF="mailto:lauren@privacyforum.org">lauren@privacyforum.org</A>
Co-Founder, PFIR: People For Internet Responsibility - <A HREF="http://www.pfir.org">http://www.pfir.org</A>
Moderator, PRIVACY Forum - <A HREF="http://www.vortex.com">http://www.vortex.com</A>
Member, ACM Committee on Computers and Public Policy

------------------------------

Date: Sat, 23 Jun 2001 15:49:56 PDT
From: <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Calif. DMV: Identity Theft Prevention System Causes Drivers' Grief

Greetings. If there's one government agency we've been able to historically count on to provide maximum "hassle value" in our lives, it's been the Department of Motor Vehicles. Those wonderful driver's license photos notwithstanding, the DMV has traditionally been one of the places to which we nearly all must routinely return and that we all routinely dislike dealing with at all.

In recent years, at least here in California, there have been significant improvements at the DMV, particularly in terms of mail-in license renewals, availability of appointments, and so on. But one bizarre aspect of a new "anti-fraud" program by the California DMV can't help but make me wonder if someone is asleep at the switch.

As you probably know, the connection between driver's licenses and Social Security Numbers has become increasingly tight in recent years, with data matching being used for various verifications, searches for delinquent child-support payments, and so on. We've discussed these issues in the past here in the PRIVACY Forum.

But the Calif. DMV (henceforth referred to simply as "DMV") has started something new. They're cross-checking the names on driver's licenses at renewal times with Social Security Administration records. The idea is to reduce the incidence of fake IDs being issued with false names associated with various SSNs.

The Social Security Administration is a fairly enlightened organization it seems--they fully understand that "Bill Gates" is a nickname for "William Gates." But the DMV, in their new fraud prevention program, shows less common sense than the average eight-year-old would display in a similar situation.

Yep--if your Social Security record says your name is Susan, but your driver's license says Susie (even if this has been the case for many years or decades) DMV will now reject your renewal. Bob and Robert? David and Dave? These are hardly unusual nicknames, but DMV apparently will reject them all if they don't match up between your license and Social Security records. The same problem is occurring with persons who adopted hyphenated names after marriage.

Right now, this apparently has affected about a half million people (around 11% of all renewal applicants). The folks caught up in this inanity can't just make a quick call and clear it up either. DMV's answer to the problem is to <B>change your name</B> in the Social Security records to match your driver's license! And even after people go through the hassle of that change, it may take many weeks to get their new license.

DMV suggests that after everyone has changed their Social Security name records so that everything matches up, they won't have more problems in the future (except that DMV is also suggesting that new forms of SSN verification at renewal time will probably be required in upcoming years).

This whole situation is utter nonsense. Accepting "Bob Crane" on a driver's license when it says "Robert Crane" on a Social Security record wouldn't reduce the efficacy of the DMV anti-fraud program by one iota. It would, however, greatly reduce the hassles and problems for their customers, issues which the DMV apparently considers to be low priorities.

Or maybe the DMV just doesn't know how to match up nicknames? Well, I can help with that. It took me just thirty seconds flat (on Google) to find a concise list (<A HREF="http://www.rootsweb.com/~txcoryel/nickname.htm">http://www.rootsweb.com/~txcoryel/nickname.htm</A>) which is currently online for DMV's immediate perusal!

Cutting down the levels of identity fraud is a laudable goal. But some common sense really needs to be introduced into the mix as far as the California DMV is concerned.

--Lauren--
Lauren Weinstein
<A HREF="mailto:lauren@pfir.org">lauren@pfir.org</A> or <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> or <A HREF="mailto:lauren@privacyforum.org">lauren@privacyforum.org</A>
Co-Founder, PFIR: People For Internet Responsibility - <A HREF="http://www.pfir.org">http://www.pfir.org</A>
Moderator, PRIVACY Forum - <A HREF="http://www.vortex.com">http://www.vortex.com</A>
Member, ACM Committee on Computers and Public Policy

------------------------------

Date: Sat, 23 Jun 2001 16:16:18 PDT
From: <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Surprise! Your New Webmaster is... Microsoft!

Greetings. When you offer a Web page to the world via the Internet, you probably assume that it will be seen by viewers in the manner that you designed and wrote it.
You may also have copyrighted the contents to try to help protect your work. So you'd probably be fairly surprised and perhaps more than a little bit upset if you discovered that a third-party was effectively "editing" your Web pages without your knowledge--changing their contents before they were even seen by the persons visiting your site!

Hackers run amok? No indeed--it's a feature likely to be deployed soon by the friendly folks at Microsoft, in at least some versions of their new operating system ("Windows XP") and their new version Web browser (their effective monopoly "Internet Explorer") as well.

The new feature is called "Smart Tags," and it literally enables Microsoft to add <B>their own</B> links to your Web pages (the impact on e-mail is less clear at this point) without your cooperation or permission.

Microsoft claims that they've developed this system to help deal with the "problem" of sites that (in Microsoft's opinion) are "underlinked." Or perhaps, one might speculate, their real concern is sites that don't have enough "appropriate" links (such as to Microsoft and/or Microsoft's business partners...)

Indeed, the Smart Tags system will display new links on unaffiliated Web pages, which will link back to sites and materials as defined by Microsoft. So, for example, let's say you have a Web page highly critical of company Xyzzy-Plugh, Inc. If said company has worked out the appropriate arrangements (e.g., payments) with Microsoft, your mentioning of X-P, Inc. on your Web page could result in a Smart Tags link back to the new products page for Xyzzy-Plugh itself. You didn't intend to be acting as a promotional tool for X-P, Inc.? Too bad.

Microsoft says that Smart Tags will be turned off in the browsers by default (at least for now)--so they're effectively "opt-in" for the users.
But as far as content providers running Websites are concerned, Smart Tags are "opt-out" only--your pages are vulnerable to Smart Tagging from any browser that has them enabled, <B>unless</B> you insert special code on all of your pages (both static and dynamic) that your site serves. Why didn't Microsoft make this aspect opt-in as well, rather than drafting the world's Websites into their scheme without explicit permissions? The answer is obvious--how many sites would <B>want</B> to let Microsoft add new links not under the sites' own direct control!

Microsoft also points out that the Smart Tag links appear differently from any pages' "original" links. They suggest that this will avoid user confusion. To the contrary--confusion will be rampant. Many users are already in the dark concerning who has responsibility for materials on one linked site vs. another. It's not always even easy to tell when you've moved between sites as you click your way through the convolutions of the Web as it stands right now.

<B>Reportedly</B>, the meta code:

    <meta name="MSSmartTagsPreventParsing" content="TRUE">

will prevent Microsoft's "Smart Tags" feature from operating on any Web page in which the above line appears in the header.

Assuming that Microsoft continues with their plans for distribution of OS and applications software supporting Smart Tags, Website authors who do not wish to have Microsoft acting as a third-party editor of their sites might wish to start deploying the above code in their Web pages, CGI programs, etc.

Taggers spray-painting graffiti around our cities and towns is bad enough. We don't need Microsoft "Smart Tagging" our Websites as well without our permission.

--Lauren--
Lauren Weinstein
<A HREF="mailto:lauren@pfir.org">lauren@pfir.org</A> or <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> or <A HREF="mailto:lauren@privacyforum.org">lauren@privacyforum.org</A>
Co-Founder, PFIR: People For Internet Responsibility - <A HREF="http://www.pfir.org">http://www.pfir.org</A>
Moderator, PRIVACY Forum - <A HREF="http://www.vortex.com">http://www.vortex.com</A>
Member, ACM Committee on Computers and Public Policy

[ UPDATE (6/28/01): Microsoft has announced that, due to what they consider to be unexpectedly strong negative reactions to the "Smart Tags" concept from Web content providers and others, they will <B>not</B> be including Smart Tags in the imminent Windows XP or Internet Explorer releases. Microsoft continues to express strong faith in the Smart Tags concept, and says that they will revisit the technology in some form in the near future.
-- PRIVACY Forum Moderator ]

------------------------------

End of PRIVACY Forum Digest 10.05
************************
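
The Smart Tags item above says the opt-out only counts when the meta line appears in the header of every page a site serves, static and dynamic. The following is an added example, not part of the original digest and not code from Microsoft or the moderator: a checker that flags responses lacking the tag inside <head>. The sample pages and function names are constructed, and case-insensitive matching of the name and value is an assumption.

```python
from html.parser import HTMLParser

# Meta name as quoted in the digest; compared case-insensitively (assumption).
OPT_OUT_NAME = "mssmarttagspreventparsing"


class HeadMetaScanner(HTMLParser):
    """Records whether the opt-out meta element appears inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.opted_out = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            a = {k: (v or "").strip().lower() for k, v in attrs}
            if a.get("name") == OPT_OUT_NAME and a.get("content") == "true":
                self.opted_out = True

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def has_opt_out(html_text):
    scanner = HeadMetaScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.opted_out


def audit(pages):
    """Return the sorted names of pages served without the opt-out."""
    return sorted(n for n, body in pages.items() if not has_opt_out(body))


TAG = '<meta name="MSSmartTagsPreventParsing" content="TRUE">'
# Constructed sample responses (static files and one CGI-style output).
SAMPLE_PAGES = {
    "index.html": f"<html><head><title>Home</title>{TAG}</head><body></body></html>",
    "about.html": "<html><head><title>About</title></head><body></body></html>",
    "cgi-bin/search": '<HTML><HEAD><META NAME="mssmarttagspreventparsing" '
                      'CONTENT="true" /></HEAD><BODY></BODY></HTML>',
    "misplaced.html": f"<html><head></head><body>{TAG}</body></html>",
    "commented.html": f"<html><head><!-- {TAG} --></head><body></body></html>",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_PAGES):
        print("missing opt-out in <head>:", name)
```

A tag that sits in the body or inside an HTML comment is reported as missing, since the digest describes the opt-out as applying only when the line appears in the header.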