
Privacy Digest 2.10 3/26/93

PRIVACY Forum Digest     Friday, 26 March 1993     Volume 02 : Issue 10

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
     
                     ===== PRIVACY FORUM =====

       The PRIVACY Forum digest is supported in part by the 
           ACM Committee on Computers and Public Policy.


CONTENTS
     Medical Clearing House (Jerry Leichter)
     Re: Medical Clearing House (John R. Levine)
     Protecting your privacy -- ID info and credit-card agreements
        (Alan Wexelblat)
     Preventing Electromagnetic Eavesdropping (Grady Ward)
     Documented Cases of SSN Abuse Wanted (Steve Schlesinger)
     Individual Privacy Protection Act of 1993 (Juan Osuna)
     CPSR Wins SSN Privacy Case (Marc Rotenberg)
     Intrusion Detection Workshop (Teresa Lunt)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "cv.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 10

   Quote for the day:

     "I wasn't kissing her, I was just whispering in her mouth."

                    -- Chico Marx (1891-1961)

----------------------------------------------------------------------

Date:    Fri, 19 Mar 93 18:07:45 EDT
From:    Jerry Leichter <leichter@lrw.com>
Subject: Medical Clearing House

Jack Decker forwarded to a recent PRIVACY Digest an article about a
clearinghouse of medical information and its possible use by employers to
avoid hiring people with large medical expenses.

There is, indeed, a massive but little-known central clearinghouse of medical
data.  It was organized and run by the medical insurers for the purpose of
controlling fraud.  If you consider the amount of information that you give
your medical insurance company when you file a claim - all of which is likely
to get forwarded to the clearinghouse - the amount of very personal
information the clearinghouse has on virtually every person in the United
States is staggering.

Normally, this kind of cooperative record sharing would be considered a
violation of the antitrust laws.  However, the insurance industry has an
exemption from those laws for the purpose of controlling fraud.

The records involved are not credit records and do not, as far as I know, fall
under any of the laws allowing you access to your own files.  As far as I
know, neither the clearinghouse nor your insurer are obligated to show you
your records, much less allow you to enter explanations (as you can do with
your credit records); and I don't believe that, in general, they will actually
do either voluntarily.

As the article points out, two-thirds of all employers now self-insure for
their employees' medical policies.  It would not surprise me if this entitled
them to access the clearinghouse.  (Such policies are typically administered
by a traditional insurance company; I'd bet that they provide access to the
clearinghouse as part of their administrative services.)

Until recently, I don't believe there was anything illegal in an employer
refusing to make a job offer based on anticipated medical costs.  (In at
least one case I know of, someone was extended a job offer, then told on his
first day that the medical insurance would not cover his pre-existing
condition, which required expensive treatment.  The person involved walked
out of the room, never to return.  As far as he was concerned, he might as
well have been refused the job.)  Under ADA (Americans with Disabilities
Act), this has almost certainly changed - at least when the issue is the
prospective employee's medical condition.  I have my doubts whether ADA would
have any applicability if the issue were a family member's medical condition.

By the way, employers in many states have banded together to create databases
of employees who have made large work-related disability claims.  Since such
injuries are covered through a separate insurance pool, and an employer's
contributions to the pool are based on his history of employee claims, it is
in an employer's interest not to hire people who will "run up his bill".
Again, this practice was apparently legal before ADA.  Whether it would fall
under ADA is a tougher call.
                                   -- Jerry

------------------------------

Date:    19 Mar 93 22:25:16 EST (Fri)
From:    johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: Re: Medical Clearing House

I've never heard of the Medical Clearing House, but he may actually be
referring to the Medical Information Bureau, a long-standing cooperative
venture by insurance companies.  It exchanges medical info, primarily to
avoid losses due to people who apply for insurance and don't disclose
pre-existing conditions.  I've heard that MIB data is also used for a lot
of less savory things, but I have no hard info either way.

Anyone can ask for a copy of his MIB record; call +1 617 426 3660 and
leave your name and address on the machine; they'll send you a form to
request a copy of your record.

When I sent in the form a month or so ago, they wrote back and claimed
they'd never heard of me.  I don't believe it.  When I applied for my
current insurance about five years ago, they asked for five years of
medical history.  After I sent in my list, they wrote back with a few more
minor history items that I'd honestly forgotten, and the insurance company
went ahead to issue the policy.  I'm certain they got those history items
from the MIB, so they certainly had a file on me then.


On an unrelated and probably less interesting note:

>A clerk in a Radio Shack store here in the Boston area refused to make a
>credit card sale to me when I refused to give my telephone number and
>address.

I've never had any trouble at the Harvard Square store.  My answer to the
telephone question is "don't have one."  So they don't believe me.  Tough.

John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl

------------------------------

Date:    Sat, 20 Mar 93 16:52:34 -0500
From:    "Alan (Gesture Man) Wexelblat" <wex@media.mit.edu>
Subject: Protecting your privacy -- ID info and credit-card agreements

Two topics from recent digests:

When asked for "identifying" information which is probably going to be used
to compile marketing databases, I cheerfully supply *wrong* information.  I
make it as bogus and outlandish as I feel that day.  This can be fun when
filling out "surveys" for product-reg cards, while on airlines, etc.  I once
told American Airlines I was a 55-year-old Eskimo woman whose income this
year was $5000 but that was a $50,000 increase from last year.

The idea is to seed their databases with useless information.  The reason
this stuff is compiled is so that they can do targeted marketing -- ie,
increase the efficiency of mailings, etc.  The more bogus entries are in the
database, the less efficient and less profitable these marketing schemes
will be.  If it becomes un-profitable enough, they'll give it up.

So I urge you all to have fun with these things.  Make them waste their
money.  Register things to your pets.  Create companies and sign them up for
stuff.  The neat thing about this strategy is that it works best when only a
few people (say 10% of the population) are doing it.  If everyone did it, it
would pay them to spend the money to verify entries.  What I want to do is
just make it unprofitable enough that they'll give up and go away.

Now, on the issue of additional information required with a credit-card
purchase.  When I worked for <a major company in Mass> we had a visitor from
VISA who explained that we were *never* to:
     a) provide additional information with our card numbers.  It is a
        violation of the merchant's agreement with VISA if they ask for
        more information.

     b) sign a charge slip without the final balance being entered on the
        slip.  Merchants can put in a "hold" if they want to be sure you
        don't overrun your limit.  But once you sign a slip you're
        obliged by your agreement (with VISA anyway) to pay whatever
        amount eventually ends up on the slip.  Fortunately, most hotels
        have stopped asking me to sign blank slips so I rarely have this
        problem these days.

--Alan Wexelblat, Reality Hacker and Cyberspace Bard
Media Lab - Advanced Human Interface Group   wex@media.mit.edu
Voice: 617-258-9168, Pager: 617-945-1842     wexelblat.chi@xerox.com
There is nothing so regretted as a missed opportunity.

------------------------------

Date:    Mon, 22 Mar 93 19:51:23 PST
From:      grady@public.btr.com (Grady Ward)
Subject: Preventing Electromagnetic Eavesdropping

Eavesdropping on personal computers is not limited to looking over the
shoulder of the operator or physically tapping in to an Ethernet cable.
U.S. Government standards relating to the prevention of information capture
via the emission of electromagnetic radiation from computers and peripherals
are known as TEMPEST.  However, actual TEMPEST specifications are classified.

TEMPEST aside, there are inexpensive and easily applied means for
individuals to minimize unintentional emissions from equipment.  My document
"Preventing Electromagnetic Eavesdropping," discusses these techniques.

    [ The document described above (~15K bytes uncompressed) has
      been placed into the PRIVACY Forum archives.  You can obtain it:

          -- Via anon FTP from site "cv.vortex.com" as:

               /privacy/prevent-eme.Z  (compressed; binary mode)
               /privacy/prevent-eme     (uncompressed)

          -- Via the "cv.vortex.com" listserv system by sending
             an e-mail message to:

               listserv@cv.vortex.com

             with the first text in the BODY of the message
             consisting of:

               get privacy prevent-eme

          -- Through the Internet Gopher system via the gopher
             server on "cv.vortex.com" in the "*** PRIVACY Forum ***"
             section (and via linked gopher servers).
                                       -- MODERATOR ]

------------------------------

Date:    Tue, 23 Mar 93 16:23:45 PST
From:    Steve Schlesinger 3711 <steves@sv012.torreypinesca.NCR.COM>
Subject: Documented Cases of SSN Abuse Wanted

I am collecting documented cases of people being somehow harmed
by their Social Security Number falling into the hands of some
wrongdoer.

Please email them to me.  I will post the collection or otherwise
make it available.

Thanks -
steve

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 Disclaimer - This request is personal and has nothing to do with NCR or AT&T
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

===============================================================================
Steve Schlesinger, NCR/Torrey Pines Development Center            619-597-3711
11010 Torreyana Rd, San Diego, CA 92121                  ucsd.edu!sv001!steves
                                       steve.schlesinger@TorreyPinesCA.ncr.com
===============================================================================

------------------------------

Date:    Wed, 24 Mar 93 12:20:02 -0500
From:    josuna@cs.UMD.EDU (Juan Osuna)
Subject: Individual Privacy Protection Act of 1993

I am working on an article about the idea of establishing a federal privacy
protection board. This idea has been floating around Congress for many
years, and this year another bill has been introduced, called the Individual
Privacy Protection Act of 1993.

The act would create a five-member board (appointed by the president and
approved by the Senate) to study the computerized information systems of
government and industry and to recommend legislative or administrative
action.

The board would hold hearings, subpoena witnesses and documents, and issue
reports.

I have been told by Congressional staffers that the bill will likely undergo
revision before being considered by a committee.

Privacy advocates often base arguments on what could happen rather than on
what does happen. And even when an invasion of privacy is shown, it is
difficult to quantify or prove actual damage.  I think this presents a
problem for legislators, who need to show their constituents concrete, not
abstract reasons for legislation.

I am writing an article and would like to hear comments on such a proposal.
Can anyone provide me with concrete examples where someone was physically,
emotionally or financially harmed as a result of new technologies eroding
their privacy rights?

Public and private comments are welcome. I will guarantee anonymity upon
your request.

---------------------------------------------------------------------------
Juan Antonio Osuna, Computing Research News       E-mail: josuna@cs.umd.edu
1875 Connecticut Ave. NW, Suite 718                      Ph: (202) 234-2111
Washington, D.C. 20009                                  Fax: (202) 667-1066
---------------------------------------------------------------------------

     [ Such a board has been proposed before, and has reached various
       legislative levels in the past.  I have conceptually supported
       this idea for a long time--but making sure it's done properly is
       no simple task, to say the least.  The privacy issues involved
       cover a wide range of both "public" and "private" organizations.
       The tendency of many organizations is to take the view that
       "hardly anyone complains about privacy matters, so why should we
       bother changing anything?"  Most individuals also take much the
       same tack, until something happens to *them* ... -- MODERATOR ]

------------------------------

Date:    Fri, 26 Mar 1993 17:03:43 EST
From:    Marc Rotenberg <Marc_Rotenberg@washofc.cpsr.org>
Subject: CPSR Wins SSN Privacy Case

PRESS RELEASE

March 26, 1993

"FEDERAL APPEALS COURT UPHOLDS PRIVACY:
USE OF SOCIAL SECURITY NUMBER LIMITED
                  - - - -
CPSR Expresses Support for Decision"

A federal court of appeals has ruled that Virginia's divulgence of the
Social Security numbers of registered voters violates the Constitution.  The
Court said that Virginia's registration scheme places an "intolerable
burden" on the right to vote.

        The result comes nearly two years after Marc Greidinger, a resident
of Falmouth, Virginia, first tried to register to vote.  Mr. Greidinger said
that he found it nearly impossible to obtain a driver's license, open
accounts with local utilities or even rent a video without encountering
demands for his Social Security number.

        Mr. Greidinger told the New York Times this week that when the State
of Virginia refused to register him as a voter unless he provided his Social
Security number he decided to take action.  He brought suit against the
state, and argued that Virginia should stop publishing the Social Security
numbers of voters.

        This week a federal appeals court in Richmond, Virginia ruled that
the state's practice constituted "a profound invasion of privacy" and
emphasized the "egregiousness of the harm" that could result from
dissemination of an individual's SSN.

        Computer Professionals for Social Responsibility (CPSR), a national
membership organization of professionals in the computing field, joined with
Mr.  Greidinger in the effort to change the Virginia system.  CPSR, which
had testified before the U.S. Congress and the state legislature in Virginia
about growing problems with the misuse of the SSN, provided both technical
and legal support to Mr. Greidinger.  CPSR also worked with Paul Wolfson of
the Public Citizen Litigation Group, who argued the case for Mr. Greidinger.

        In an amicus brief filed with the court, CPSR noted the
long-standing interest of the computing profession in the design of safe
information systems and the particular concerns about the misuse of the
SSN.  The CPSR brief traced the history of the SSN provisions in the 1974
Privacy Act.  The brief also described how the widespread use of SSNs had
led to a proliferation of banking and credit crime and how SSNs were used to
fraudulently obtain credit records and federal benefits.

        CPSR argued that the privacy risk created by Virginia's collection
and disclosure of Social Security numbers was unnecessary and that other
procedures could address the State's concerns about records management.

        This week the court of appeals ruled that the state of Virginia must
discontinue the publication of the Social Security numbers of registered
voters.  The court noted that when Congress passed the Privacy Act of 1974
to restrict the use of the Social Security number, the misuse of the SSN was
"one of the most serious manifestations of privacy concerns in the Nation."

    The Court then said that since 1974, concerns about SSN confidentiality
have "become significantly more compelling. For example, armed with one's
SSN, an unscrupulous individual could obtain a person's welfare benefits, or
Social Security benefits, order new checks at a new address, obtain credit
cards, or even obtain the person's paycheck."

        The Court said that Virginia's voter registration scheme would
"compel a would-be voter in Virginia to consent to the possibility of a
profound invasion of privacy when exercising the fundamental right to vote."

        The Court held that Virginia must either stop collecting the SSN or
stop publicly disclosing it.

        Marc Rotenberg, director of the CPSR Washington office said, "We are
extremely pleased with the Court's decision.  It is a remarkable case, and a
real tribute to Marc Greidinger's efforts.  Still, there are many concerns
remaining about the misuse of the Social Security number.  We would like to
see public and private organizations find other forms of identification for
their computing systems.  As the federal court made clear, there are real
risks in the misuse of the Social Security number."

        Mr. Rotenberg also said that he hoped the White House task force
currently studying plans for a national health care claims payment system
would develop an identification scheme that did not rely on the Social
Security Number.  "The privacy concerns with medical records are
particularly acute.  It would be a serious design error to use the SSN,"
said Mr. Rotenberg.

        Cable News Network (CNN) will run a special segment on the Social
Security number and the significance of the Greidinger case on Sunday
evening, March 28, 1993.  The Court's opinion is available from the CPSR
Internet Library via Gopher/ftp/WAIS.  The file name is
"cpsr/ssn/greidinger_opinion.txt".  The CPSR amicus brief is available as
"cpsr/ssn/greidinger_brief.txt".

        CPSR is a national membership organization, based in Palo Alto,
California.  CPSR conducts many activities to protect privacy and civil
liberties.  Membership is open to the public and support is welcome.  For
more information about CPSR, please contact, CPSR, P.O. Box 717, Palo Alto,
CA 94302, call 415/322-3778 or email cpsr@csli.stanford.edu.

------------------------------

Date: Wed, 24 Mar 93 09:47:07 -0800
From: Teresa Lunt <lunt@csl.sri.com>
Subject: intrusion detection workshop

                ELEVENTH INTRUSION DETECTION WORKSHOP
                        CALL FOR PARTICIPATION

A two-day workshop on intrusion detection will be held at SRI International
in Menlo Park, California on May 27-28, 1993, which are the Thursday and
Friday following the 1993 IEEE Symposium on Research in Security and Privacy
in Oakland, California.  This will be the eleventh in a series of
intrusion-detection workshops.

The workshop will consist of several short presentations as well as
discussion periods.  If you have any progress to report on an
intrusion-detection project or some related work that would be appropriate
for a short presentation, please indicate the title and a paragraph
describing your proposed talk on the form below.  You can also indicate there
your suggestions for discussion topics.  Of course, you do not have to make
a presentation to attend; all are welcome!

If you and/or your colleagues wish to attend, please RSVP using the attached
form.  Please email the completed form to Liz Luntzel at
luntzel@csl.sri.com.  For other questions, please call Liz Luntzel at
415-859-3285 or send us a fax at 415-859-2844 or email at
luntzel@csl.sri.com.

There will be a $100 charge for the workshop.  This fee includes lunches in
SRI's International Dining Room.  Please send your check to Liz Luntzel,
SRI International, 333 Ravenswood Ave, Menlo Park CA 94025 USA.

The workshop will begin at 9am and will conclude at 5pm on Thursday, and will
be from 9am to 2pm on Friday.

SRI is located at 333 Ravenswood Avenue in Menlo Park.  The workshop
will be held in room IS109, which is in the International Building.

To get to SRI:

From highway 101:
    From I-101, take Willow Road (Menlo Park) west to Middlefield
    Road (approx. 1 mile).  Turn right onto Middlefield Road.  Go one
    block and turn left onto Ravenswood Avenue.  SRI Building A (red
    brick building) is 1/4 mile up Ravenswood Avenue, on the left.

    The address is 333 Ravenswood Avenue.
From I-280:
    From I-280, take Sand Hill Road (east towards Menlo Park).  Follow Sand
    Hill Road to Junipero Serra and turn left.  Bear right at the next light,
    and turn right at the stop sign onto Santa Cruz.  Take Santa Cruz to
    El Camino and turn right.  Then take the first left, onto Ravenswood.
    Cross the railroad tracks.  SRI is at 333 Ravenswood, on the right. If you
    continue along Ravenswood along Middlefield, you will come to the
    conference parking area at the corner of Ravenswood and Middlefield.
From Central Expressway:
    From Central Expressway, go north towards Menlo Park all the way
    to where it merges with El Camino Real.  Continue north on El Camino,
    staying in the right lane, for a few blocks, and turn right onto
    Ravenswood Ave.  Cross the railroad tracks, and after the first light
    look for SRI on your right.  SRI is at 333 Ravenswood.

Visitors may park in the small visitors lot in front of Building A or in the
conference parking area at the corner of Ravenswood and Middlefield (where
there is lots of space).  The workshop will be held in the International
Building, the white concrete structure on Ravenswood to the East (closer to
Middlefield) of Building A.  Visitors should sign in at International
Building receptionist---from the parking lot go up the steps into the
courtyard; it's on the left.

   --------------CUT HERE AND RETURN TO LUNTZEL@CSL.SRI.COM----------------

                   ELEVENTH INTRUSION DETECTION WORKSHOP

Yes! I will attend the Intrusion-Detection Workshop May 27-28 at SRI.

Please complete the following:

Name:

Title:

Affiliation:

Address:


Indicate one:
I [will/will not] present a talk.

Please complete the following:

Title of Talk:

Abstract:


Suggestions for Discussion Topics:

------------------------------

End of PRIVACY Forum Digest 02.10
 
