
Privacy Digest 2.10 3/26/93

PRIVACY Forum Digest     Friday, 26 March 1993     Volume 02 : Issue 10

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
                     ===== PRIVACY FORUM =====

       The PRIVACY Forum digest is supported in part by the 
           ACM Committee on Computers and Public Policy.

     Medical Clearing House (Jerry Leichter)
     Re: Medical Clearing House (John R. Levine)
     Protecting your privacy -- ID info and credit-card agreements
        (Alan Wexelblat)
     Preventing Electromagnetic Eavesdropping (Grady Ward)
     Documented Cases of SSN Abuse Wanted (Steve Schlesinger)
     Individual Privacy Protection Act of 1993 (Juan Osuna)
     CPSR Wins SSN Privacy Case (Marc Rotenberg)
     Intrusion Detection Workshop (Teresa Lunt)

 *** Please include a RELEVANT "Subject:" line on all submissions!
            *** Submissions without them may be ignored! ***

The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all
will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and
related materials, is available via anonymous FTP from site
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for
access.  PRIVACY Forum materials may also be obtained automatically
e-mail through the listserv system.  Please follow the instructions
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "cv.vortex.com".

For information regarding the availability of this digest via FAX,
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.


   Quote for the day:

     "I wasn't kissing her, I was just whispering in her mouth."

                    -- Chico Marx (1891-1961)


Date:    Fri, 19 Mar 93 18:07:45 EDT
From:    Jerry Leichter <leichter@lrw.com>
Subject: Medical Clearing House

Jack Decker forwarded to a recent PRIVACY Digest an article about a
clearinghouse of medical information and its possible use by employers to
hiring people with large medical expenses.

There is, indeed, a massive but little-known central clearinghouse of medical
data.  It was organized and run by the medical insurers for the purpose of
controlling fraud.  If you consider the amount of information that you give
your medical insurance company when you file a claim - all of which is likely
to get forwarded to the clearinghouse - the amount of very personal
information the clearinghouse has on virtually every person in the United States is

Normally, this kind of cooperative record sharing would be considered a
violation of the antitrust laws.  However, the insurance industry has an
exemption from those laws for the purpose of controlling fraud.

The records involved are not credit records and do not, as far as I know, fall
under any of the laws allowing you access to your own files.  As far as I
know, neither the clearinghouse nor your insurer are obligated to show you
your records, much less allow you to enter explanations (as you can do with
your credit records); and I don't believe that, in general, they will actually
do either voluntarily.

As the article points out, two-thirds of all employers now self-insure for
their employees' medical policies.  It would not surprise me if this entitled
them to access the clearinghouse.  (Such policies are typically
by a traditional insurance company; I'd bet that they provide access to the
clearinghouse as part of their administrative services.)

Until recently, I don't believe there was anything illegal in an
refusing to make a job offer based on anticipated medical costs.  (In at
least one case I know of, someone was extended a job offer, then told on his
first day that the medical insurance would not cover his pre-existing
condition, which required expensive treatment.  The person involved walked out of
the room, never to return.  As far as he was concerned, he might as well have
been refused the job.)  Under ADA (Americans with Disabilities Act), this has
almost certainly changed - at least when the issue is the
employee's medical condition.  I have my doubts whether ADA would have any
applicability if the issue were a family member's medical

By the way, employers in many states have banded together to create
of employees who have made large work-related disability claims.  Since such
injuries are covered through a separate insurance pool, and an
contributions to the pool are based on his history of employee claims, it is
in an employer's interest not to hire people who will "run up his
Again, this practice was apparently legal before ADA.  Whether it would fall
under ADA is a tougher call.
                                   -- Jerry


Date:    19 Mar 93 22:25:16 EST (Fri)
From:    johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: Re: Medical Clearing House

I've never heard of the Medical Clearing House, but he may actually
referring to the Medical Information Bureau, a long-standing
venture by insurance companies.  It exchanges medical info, primarily to
avoid losses due to people who apply for insurance and don't
pre-existing conditions.  I've heard that MIB data is also used for a lot
of less savory things, but I have no hard info either way.

Anyone can ask for a copy of his MIB record; call +1 617 426 3660
leave your name and address on the machine; they'll send you a form
request a copy of your record.

When I sent in the form a month or so ago, they wrote back and
they'd never heard of me.  I don't believe it.  When I applied for
current insurance about five years ago, they asked for five years
medical history.  After I sent in my list, they wrote back with a few more
minor history items that I'd honestly forgotten, and the insurance
went ahead to issue the policy.  I'm certain they got those history
from the MIB, so they certainly had a file on me then.

On an unrelated and probably less interesting note:

>A clerk in a Radio Shack store here in the Boston area refused to make a
>credit card sale to me when I refused to give my telephone number

I've never had any trouble at the Harvard Square store.  My answer to the
telephone question is "don't have one."  So they don't believe me.

John Levine, johnl@iecc.cambridge.ma.us,


Date:    Sat, 20 Mar 93 16:52:34 -0500
From:    "Alan (Gesture Man) Wexelblat" <wex@media.mit.edu>
Subject: Protecting your privacy -- ID info and credit-card

Two topics from recent digests:

When asked for "identifying" information which is probably going to be used
to compile marketing databases, I cheerfully supply *wrong* information.  I
make it as bogus and outlandish as I feel that day.  This can be fun when
filling out "surveys" for product-reg cards, while on airlines, etc.  I once
told American Airlines I was a 55-year-old Eskimo woman whose income this
year was $5000 but that was a $50,000 increase from last year.

The idea is to seed their databases with useless information.  The
this stuff is compiled is so that they can do targeted marketing --
increase the efficiency of mailings, etc.  The more bogus entries are in the
database, the less efficient and less profitable these marketing
will be.  If it becomes un-profitable enough, they'll give it up.

So I urge you all to have fun with these things.  Make them waste
money.  Register things to your pets.  Create companies and sign them up for
stuff.  The neat thing about this strategy is that it works best when only a
few people (say 10% of the population) are doing it.  If everyone did it, it
would pay them to spend the money to verify entries.  What I want to do is
just make it unprofitable enough that they'll give up and go away.

Now, on the issue of additional information required with a
purchase.  When I worked for <a major company in Mass> we had a visitor from
VISA who explained that we were *never* to:
     a) provide additional information with our card numbers.  It is a
        violation of the merchant's agreement with VISA if they ask
        more information.

     b) sign a charge slip without the final balance being entered on the
        slip.  Merchants can put in a "hold" if they want to be sure you
        don't overrun your limit.  But once you sign a slip you're
        obliged by your agreement (with VISA anyway) to pay
        amount eventually ends up on the slip.  Fortunately, most
        have stopped asking me to sign blank slips so I rarely have
        problem these days.

--Alan Wexelblat, Reality Hacker and Cyberspace Bard
Media Lab - Advanced Human Interface Group   wex@media.mit.edu
Voice: 617-258-9168, Pager: 617-945-1842     
There is nothing so regretted as a missed opportunity.


Date:    Mon, 22 Mar 93 19:51:23 PST
From:      grady@public.btr.com (Grady Ward)
Subject: Preventing Electromagnetic Eavesdropping

Eavesdropping on personal computers is not limited to looking over
shoulder of the operator or physically tapping in to an Ethernet
U.S. Government standards relating to the prevention of information
via the emission of electromagnetic radiation from computers and
are known as TEMPEST.  However, actual TEMPEST specifications are
TEMPEST aside, there are inexpensive and easily applied means for
individuals to minimize unintentional emissions from equipment.  My
"Preventing Electromagnetic Eavesdropping," discusses these
    [ The document described above (~15K bytes uncompressed) has
      been placed into the PRIVACY Forum archives.  You can obtain

          -- Via anon FTP from site "cv.vortex.com" as:

               /privacy/prevent-eme.Z  (compressed; binary mode)
               /privacy/prevent-eme     (uncompressed)

          -- Via the "cv.vortex.com" listserv system by sending
             an e-mail message to:


             with the first text in the BODY of the message 
             consisting of:

               get privacy prevent-eme

          -- Through the Internet Gopher system via the gopher
             server on "cv.vortex.com" in the "*** PRIVACY Forum
             section (and via linked gopher servers).
                                       -- MODERATOR ]


Date:    Tue, 23 Mar 93 16:23:45 PST
From:    Steve Schlesinger 3711
Subject: Documented Cases of SSN Abuse Wanted

I am collecting documented cases of people being somehow harmed
by their Social Security Number falling into the hands of some
wrong doer.

Please email them to me.  I will post the collection or otherwise
make it available.

Thanks -

 Disclaimer - This request is personal and has nothing to do with

Steve Schlesinger, NCR/Torrey Pines Development Center            
11010 Torreyana Rd, San Diego, CA 92121                  


Date:    Wed, 24 Mar 93 12:20:02 -0500
From:    josuna@cs.UMD.EDU (Juan Osuna)
Subject: Individual Privacy Protection Act of 1993

I am working on an article about the idea of establishing a federal
protection board. This idea has been floating around Congress for
years, and this year another bill has been introduced, called the
Privacy Protection Act of 1993.

The act would create a five-member board (appointed by the president and
approved by the Senate) to study the computerized information systems of
government and industry and to recommend legislative or

The board would hold hearings, subpoena witnesses and documents, and issue

I have been told by Congressional staffers that the bill will likely undergo
revision before being considered by a committee.

Privacy advocates often base arguments on what could happen rather than on
what does happen. And even when an invasion of privacy is shown, it
difficult to quantify or prove actual damage.  I think this presents a
problem for legislators, who need to show their constituents concrete, not
abstract reasons for legislation.

I am writing an article and would like to hear comments on such a
Can anyone provide me with concrete examples where someone was
emotionally or financially harmed as a result of new technologies
their privacy rights?

Public and private comments are welcome. I will guarantee anonymity
your request.
Juan Antonio Osuna, Computing Research News       E-mail:
1875 Connecticut Ave. NW, Suite 718                      Ph: (202)
Washington, D.C. 20009                                  Fax: (202)

     [ Such a board has been proposed before, and has reached
       legislative levels in the past.  I have conceptually
       this idea for a long time--but making sure it's done properly is
       no simple task, to say the least.  The privacy issues
       cover a wide range of both "public" and "private"
       The tendency of many organizations is to take the view that
       "hardly anyone complains about privacy matters, so why should we
       bother changing anything?"  Most individuals also take much
       same tack, until something happens to *them* ... --


Date:    Fri, 26 Mar 1993 17:03:43 EST
From:    Marc Rotenberg <Marc_Rotenberg@washofc.cpsr.org>
Subject: CPSR Wins SSN Privacy Case


March 26, 1993

                  - - - -
CPSR Expresses Support for Decision"

A federal court of appeals has ruled that Virginia's divulgence of
Social Security numbers of registered voters violates the Constitution.  The
Court said that Virginia's registration scheme places an
burden" on the right to vote.

        The result comes nearly two years after Marc Greidinger, a
of Falmouth, Virginia, first tried to register to vote.  Mr. Greidinger said
that he found it nearly impossible to obtain a driver's license,
accounts with local utilities or even rent a video without
demands for his Social Security number.

        Mr. Greidinger told the New York Times this week that when the State
of Virginia refused to register him as a voter unless he provided his Social
Security number he decided to take action.  He brought suit against
state, and argued that Virginia should stop publishing the Social
numbers of voters.

        This week a federal appeals court in Richmond, Virginia ruled that
the state's practice constituted "a profound invasion of privacy"
emphasized the "egregiousness of the harm" that could result from
dissemination of an individual's SSN.

        Computer Professionals for Social Responsibility (CPSR), a
membership organization of professionals in the computing field, joined with
Mr. Greidinger in the effort to change the Virginia system.  CPSR,
had testified before the U.S. Congress and the state legislature in
about growing problems with the misuse of the SSN, provided both
and legal support to Mr. Greidinger.  CPSR also worked with Paul Wolfson of
the Public Citizen Litigation Group, who argued the case for Mr.

        In an amicus brief filed with the court, CPSR noted the
long-standing interest of the computing profession in the design of
information systems and the particular concerns about the misuse of
SSN.  The CPSR brief traced the history of the SSN provisions in the 1974
Privacy Act.  The brief also described how the widespread use of SSNs had
led to a proliferation of banking and credit crime and how SSNs were used to
fraudulently obtain credit records and federal benefits.

        CPSR argued that the privacy risk created by Virginia's
and disclosure of Social Security numbers was unnecessary and that
procedures could address the State's concerns about records

        This week the court of appeals ruled that the state of Virginia must
discontinue the publication of the Social Security numbers of
voters.  The court noted that when Congress passed the Privacy Act of 1974
to restrict the use of the Social Security number, the misuse of the SSN was
"one of the most serious manifestations of privacy concerns in the

    The Court then said that since 1974, concerns about SSN
have "become significantly more compelling. For example, armed with
SSN, an unscrupulous individual could obtain a person's welfare benefits, or
Social Security benefits, order new checks at a new address, obtain
cards, or even obtain the person's paycheck."

        The Court said that Virginia's voter registration scheme
"compel a would-be voter in Virginia to consent to the possibility of a
profound invasion of privacy when exercising the fundamental right to vote."

        The Court held that Virginia must either stop collecting the SSN or
stop publicly disclosing it.

        Marc Rotenberg, director of the CPSR Washington office said, "We are
extremely pleased with the Court's decision.  It is a remarkable case, and a
real tribute to Marc Greidinger's efforts.  Still, there are many
remaining about the misuse of the Social Security number.  We would like to
see public and private organizations find other forms of identification for
their computing systems.  As the federal court made clear, there are real
risks in the misuse of the Social Security number."

        Mr. Rotenberg also said that he hoped the White House task
currently studying plans for a national health care claims payment
would develop an identification scheme that did not rely on the
Security Number.  "The privacy concerns with medical records are
particularly acute.  It would be a serious design error to use the
said Mr. Rotenberg.

        Cable News Network (CNN) will run a special segment on the
Security number and the significance of the Greidinger case on
evening, March 28, 1993.  The Court's opinion is available from the
Internet Library via Gopher/ftp/WAIS.  The file name is
"cpsr/ssn/greidinger_opinion.txt".  The CPSR amicus brief is available as

        CPSR is a national membership organization, based in Palo
California.  CPSR conducts many activities to protect privacy and
liberties.  Membership is open to the public and support is welcome.  For
more information about CPSR, please contact, CPSR, P.O. Box 717, Palo Alto,
CA 94302, call 415/322-3778 or email cpsr@csli.stanford.edu.


Date: Wed, 24 Mar 93 09:47:07 -0800
From: Teresa Lunt <lunt@csl.sri.com>
Subject: intrusion detection workshop

                        CALL FOR PARTICIPATION

A two-day workshop on intrusion detection will be held at SRI
in Menlo Park, California on May 27-28, 1993, which are the Thursday and
Friday following the 1993 IEEE Symposium on Research in Security and Privacy
in Oakland, California.  This will be the eleventh in a series of
intrusion-detection workshops.

The workshop will consist of several short presentations as well as
discussion periods.  If you have any progress to report on an
intrusion-detection project or some related work that would be
for a short presentation, please indicate the title and a paragraph
describing your proposed talk on the form below.  You can also indicate there
your suggestions for discussion topics.  Of course, you do not have to make
a presentation to attend; all are welcome!

If you and/or your colleagues wish to attend, please RSVP using the
form.  Please email the completed form to Liz Luntzel at
luntzel@csl.sri.com.  For other questions, please call Liz Luntzel
415-859-3285 or send us a fax at 415-859-2844 or email at

There will be a $100 charge for the workshop.  This fee includes lunches in
SRI's International Dining Room.  Please send your check to Liz
SRI International, 333 Ravenswood Ave, Menlo Park CA 94025 USA.

The workshop will begin at 9am and will conclude at 5pm on Thursday, and will
be from 9am to 2pm on Friday.

SRI is located at 333 Ravenswood Avenue in Menlo Park.  The
will be held in room IS109, which is in the International Building.

To get to SRI:

From highway 101:
    From I-101, take Willow Road (Menlo Park) west to Middlefield
    Road (approx. 1 mile).  Turn right onto Middlefield Road.  Go
    block and turn left onto Ravenswood Avenue.  SRI Building A
    brick building) is 1/4 mile up Ravenswood Avenue, on the left.
    The address is 333 Ravenswood Avenue.

From I-280:
    From I-280, take Sand Hill Road (east towards Menlo Park).  Follow Sand
    Hill Road to Junipero Serra and turn left.  Bear right at the next light,
    and turn right at the stop sign onto Santa Cruz.  Take Santa Cruz to
    El Camino and turn right.  Then take the first left, onto
    Cross the railroad tracks.  SRI is at 333 Ravenswood, on the right. If you
    continue along Ravenswood along Middlefield, you will come to
    conference parking area at the corner of Ravenswood and

From Central Expressway:
    From Central Expressway, go north towards Menlo Park all the
    to where it merges with El Camino Real.  Continue north on El
    staying in the right lane, for a few blocks, and turn right
    Ravenswood Ave.  Cross the railroad tracks, and after the first
    look for SRI on your right.  SRI is at 333 Ravenswood.

Visitors may park in the small visitors lot in front of Building A or in the
conference parking area at the corner of Ravenswood and Middlefield
there is lots of space).  The workshop will be held in the
Building, the white concrete structure on Ravenswood to the East (closer to
Middlefield) of Building A.  Visitors should sign in at
Building receptionist---from the parking lot go up the steps into
courtyard; it's on the left.

   --------------CUT HERE AND RETURN TO


Yes! I will attend the Intrusion-Detection Workshop May 27-28 at

Please complete the following:





Indicate one:
I [will/will not] present a talk.

Please complete the following:

Title of Talk:


Suggestions for Discussion Topics:


End of PRIVACY Forum Digest 02.10
