TUCoPS :: Privacy :: priv_209.txt

Privacy Digest 2.09 3/18/93


PRIVACY Forum Digest     Thursday, 18 March 1993     Volume 02 :
Issue 09

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
     
                     ===== PRIVACY FORUM =====

       The PRIVACY Forum digest is supported in part by the 
           ACM Committee on Computers and Public Policy.


CONTENTS
     Should the information industry be consentual? (Bob Leone)
     Reverse directory/Sears/Radio Shack (Arthur Rubin)
     Re: Credit Card Validation (Chris Hibbert)
     Use of Medical Clearing House (Jack Decker)
     No anonymity for Canon copiers? (Brad Mears)
     Re: Cashiers and telephone numbers (Chuck Stern)


 *** Please include a RELEVANT "Subject:" line on all submissions!
***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------
------------
The PRIVACY Forum is a moderated digest for the discussion and
analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their
relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and
must have
RELEVANT "Subject:" lines.  Submissions without appropriate and
relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a
message
consisting of the word "help" (quotes not included) in the BODY of
a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should
be
reported to "list-maint@cv.vortex.com".  All submissions included
in this
digest represent the views of the individual authors and all
submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and
all
related materials, is available via anonymous FTP from site
"cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or
"anonymous", and
enter your e-mail address as the password.  The typical "README"
and "INDEX"
files are available to guide you through the files available for
FTP
access.  PRIVACY Forum materials may also be obtained automatically
via
e-mail through the listserv system.  Please follow the instructions
above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used
to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "cv.vortex.com".

For information regarding the availability of this digest via FAX,
please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300,
or FAX
to (310) 455-2364.
-----------------------------------------------------------------
------------

VOLUME 02, ISSUE 09

   Quote for the day:

     "I detest life-insurance agents; they always argue that
      I shall some day die, which is not so."

                            -- Stephen Leacock (1869-1944)
                            "Literary Lapses" (1910)
                             (Insurance up to Date)

-----------------------------------------------------------------
-----

Date:    Sat, 13 Mar 1993 11:29:08 -0500
From:    Bob Leone <leone@gandalf.ssw.com>
Subject: Should the information industry be consentual?

Pete Kaiser writes:
    @Experience shows that in the business of accumulating and
exchanging
    databases about personal information there is a high rate of
corruption, of
    both data [1] and individuals [2].  Moreover, there are plenty
of obvious
    cases where the free flow of accurate information is unwise,
inhumane, or
    illegal [3].

Just to give some more extreme examples: if someone was allowed to
compile
data using "employer" as the selection criteria, I'm sure you can
imagine
the results of a list of names, home addresses, and car license
numbers of
employees of

     1) Fur makers going to PETA and the Animal Liberation Front
     2) IRS going to extremist Tax Protest groups
     3) BATF going to members of the Waco, Texas "Branch Davidian"
group
     4) Smith & Wesson going to Handgun Control Inc
     5) Handgun Control Inc going to NRA
     6) Strikebraker employees of whatever going to union goon
squads

I'm sure you all get the picture at this point. Just about everyone
either
works for someone, shops somewhere, or subscribes to some
periodical which
might make him or her the target of harassment (or worse) from some
group,
somewhere.

Just because we haven't seen it yet, doesn't mean it won't start
happening
eventually as groups become more familiar with how to get data.

Bob Leone

------------------------------

Date:    Mon, 15 Mar 93 07:33:36 PST 
From:    a_rubin@dsg4.dse.beckman.com (arthur rubin)
Subject: reverse directory/Sears/Radio Shack

In PRIVACY Forum Digest 02:08, joep@jaguar.informix.com (Joseph
Pearl) writes:

>I was at Sears with my wife, returning something, when the cashier
>asked what our phone number was.  Without thinking, my wife told
the
>cashier (one of those rough days where the brain shuts down after
>6pm).  The cashier then recited our name and address and asked if
it
>was correct.

Radio Shack (used to) "require" a phone number for any purchase. 
If you
told the clerk that you didn't want to give a phone number, the
store
manager would (usually) allow a cash purchase to complete.  (From
my own
personal experience and reports on comp.dcom.telecom, before this
list was
created.)

The moderator comments:

       A comment: I would suggest that it is never a good idea
       to use a fictitious phone number in response to a clerk's
       query.  Doing so simply risks dragging some other person,
       who might have that number, into the situation.  If the
clerk
       insists on a number, and you don't want to give it, ask
       for the manager, or consider doing business elsewhere. 

You might give the 900 number you got on your last "you have won a
free
prize" postcard. :-)  More promising, you might give your work
number, the
number of the local Attorney General's office (it is illegal to ask
for a
phone number under many circumstances here in California), or some
other
approriate number which you don't mind publishing.

------------------------------

Date:    Mon, 15 Mar 93 10:10:36 -0800
From:    Chris Hibbert <hibbert@memex.com>
Subject: Re: Credit Card Validation

Brint Cooper <abc@BRL.MIL> is worried because Citibank is asking
him to
supply extra information, which they say they will use to verify
his
identity if he tries to call them on the phone.  He isn't sure
whether
they'll protect the info, or if it might leak into other uses.

The list they ask for includes:


     Name
     Acccount #
     Address
     Date of Birth
     Social Security Number (you were surprised, maybe?)
     Mother's Maiden Name (My hospital asks for this one, too.)
     Business and home phones
     Other Diner's accounts to which this info applies.

My response to this would be to give them a set of information that
would be
useless to them, but which you can reproduce when they ask, even if
you've
lost your wallet.  They ask for Mother's Maiden name because they
think
that's such an item.  There would be no purpose in cross-matching
that with
another database, and I always treat such requests as a request for
a
password, realizing that they'll prompt for the password by asking
for your
Mother's Maiden name.  They don't care at all what answer you give
as long
as you can reproduce it.  I might give them my favorite color, or
the name
of one of my hobbies.  If their db has lots of room, I might even
ask them
to store e.g. "color: blue" in the field so I could ask for the
first word
as a prompt to remind me which category I'd used with them.

Similarly, I would treat it as a wonderful opportunity if my credit
card
company asked for an SSN and said (as Citibank seems to have) that
they were
only going to use it to identify me if I called on the phone.  They
have no
reason to report the number to anyone else, so I would give them
one of the
many numbers I know that don't seem to be in use by anyone.  (I
give one in
my SSN FAQ, but I have a collection of others that have appeared in
various
books (as part of a student prank that involved registering a pet
dog as a
student at the university) or in movies (as visual evidence that a
character
had created several false personas).  What an opportunity!

Chris

------------------------------

Date: Wed, 10 Mar 93 09:30:43 EST
From: ac388@freenet.hsc.colorado.edu (Jack Decker)
Subject: Use of Medical Clearing House

The following message first appeared in a Fidonet conference called
ADAJOBS (I got it via the EMPLOYMENT conference on BIZynet, a
Fidonet-technology business-oriented network).  The risks of the
use of
such a database as the one described below should be obvious (how
does one
know if they were denied employment because of information
contained in
this database?  For that matter, how does one even know if the
information
contained in the database is accurate?).  Any replies should
probably go
to the original author (Herbert Mansmann at Fidonet address
1:273/201,
which is herbert.mansmann@f201.n273.z1.fidonet.org in Internet
notation):

=================================================================
====
* Forwarded by Chris Gunn (1:202/1008)
* Area : ADAJOBS (ADAnet - Job Hunting When Disabled)
* From : Herbert Mansmann, 1:273/201 (08 Mar 93 10:55)
* To   : All
* Subj : USE OF MEDICAL CLEARING HOUSE
=================================================================
====
I have been told by several personnel recruiters that something
known as
the Medical Clearing House exists for companies or other employers
to check
on person's medical expenses before hiring them, similar to a
credit check.
This information is kept in regional databases and is accessible
over the
phone to high level employee relations personnel at major
corporations
only. Supposedly it is illegal to release this information to
unauthorized
users, but it is being done routinely for high medical expense
individuals
since the penalties are few, the savings can be substantial, and
the
enforcement of the laws against this are lax.  Our daughter has
Cystic
Fibrosis which has very high medical costs associated over many
years.  We
believe this information and information about other medical
conditions
that do not interfere with someone's ability to work is being sold
to avoid
medical costs.  Since over two thirds of the employers now
self-insure
instead of utilizing a real insurance company, they are motivated
to
eliminate these costs.  If you have any information about this
practice,
please respond on E-mail or anonymously to Herbert Mansmann, 224
Swedesford
Rd., Malvern, PA 19355.  It is important to get this subject out in
the
open and to include it in healthcare reform. Thanks. Feel free to
call
(215)647-3698.

--- TMail v1.31.3
 * Origin: U.S. Telematics, Yardley PA (215)493-5242 (1:273/201)

Jack Decker | Internet: ac388@freenet.hsc.colorado.edu
Fidonet: 1:154/8 or jack.decker@f8.n154.z1.fidonet.org
Note: Mail to the Fidonet address has been known to bounce. :-(

------------------------------

Date: Tue, 16 Mar 1993 14:17:53 -0600 (CST)
From: bmears@gothamcity.jsc.nasa.gov (Brad Mears [I-Net])
Subject: No anonymity for Canon copiers?

The most recent issue of Popular Science had a small sidebar
concerning new
copier technologies that are being used to combat counterfeiting. 
According
to Canon, their new color copiers include two mechanisms to prevent
people
from copying currency.

The first is rather innocuous - the copier can recognize many
different
currencies and will print a blank image rather than a fake bill. 
No obvious
risks here.

The second mechanism is a bit more threatening.  According to the
story, 
which I quote without permission -

    "Each copier embeds a code into the copied image, which is
     impossible to see.  A special scanner extracts the code and
     a computer program then furnishes the copier's serial number,
     allowing identification of the registered purchaser of the
     machine."

As a means to combat counterfeiters this may be very useful. 
Unfortunately,
it is also useful for tracking down people who report government
waste,
publishers of underground newsletters, and others who may have a
legitimate
need to remain anonymous.  Plus, it seems a bit too much like the
Eastern bloc
countries who used to require registration of typewriters.

Brad Mears  bmears@gothamcity.jsc.nasa.gov

     [ This item was reposted from the RISKS Digest -- MODERATOR ]

------------------------------

Date:    Thu, 18 Mar 1993 15:42:05 -0500
From:    cstern@novus.com (Chuck Stern)
Subject: Re: Cashiers and telephone numbers

>    [ ...
>      Keep in mind that in most cases you're simply dealing with
     
>      a clerk who has a specific set of information he has
>      been instructed to get and may not realize that not everyone
>      is willing to provide a number.  However, in almost all
cases,
>      when faced with a choice of not getting the number or losing
>      the sale, the clerk will opt for the former. -- MODERATOR ]

This is not strictly true, oh Esteemed Moderator.  A clerk in a
Radio Shack
store here in the Boston area refused to make a credit card sale to
me when
I refused to give my telephone number and address.  The sale, by
the way, 
was to be for $23.50 or some such price.  One angry (collect) call
to Tandy
corporate headquarters got the matter straightened out - they were
violating Commonwealth of Mass. laws by even asking - but I haven't
darkened the doors of another Radio Shack since, nor will I ever
again.

More anecdotal evidence from...
cstern@novus.com

       [ Well, as I said, in *almost* all cases a salesperson will
opt for
      the sale... but there's always the exception.  Typically
you're
      dealing with an overzealous employee, not company policy in
a
      situation such as you describe.  It's interesting to note
that the
      changes in the laws (in some states) making it illegal to ask
for a
      phone number as a requirement for credit card purchases are
      relatively recent in most cases.  In the past some credit
card
      companies strongly suggested that a phone number be obtained
for
      all orders and written on the charge slips.  Not everyone in
all
      affected areas has gotten the word about changes, apparently.

      As for anecdotes, in my own experience, I've never had a
      salesperson refuse me a purchase, regardless of whether or
not I
      provided a phone number when asked.  Of course, my
Harley-Davidson
      clothing motif probably doesn't hurt in such situations!

                                   -- MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 02.09
 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH