
Privacy Digest 2.24 7/10/93

PRIVACY Forum Digest        Saturday, 10 July 1993        Volume 02 : Issue 24

          Moderated by Lauren Weinstein (lauren@vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	SSN on library/ID card at U of Texas (Jonathan Thornburg)
	Privacy in the Great West (Brett Glass)
	Social Security numbers and passwords (Willis H. Ware)
	Social Security numbers on the Internet (Brett Glass)
	Bank Procedures Encourage Risky Behavior by Card Holders 
	   (Nelson Bolyard)
	American Express recognizes privacy concerns (Andrew Shapiro)
	CPSR Workplace Privacy Testimony (Dave Banisar)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 24

   Quote for the day:

	"Sorry about that, Chief!"

			-- Maxwell Smart [CONTROL Agent 86] (Don Adams)
			   "Get Smart" (1965-1970)

----------------------------------------------------------------------

Date:    Fri, 2 Jul 93 19:00:41 -0500
From:    jonathan@hoffmann.ph.utexas.edu (Jonathan Thornburg)
Subject: SSN on library/ID card at U of Texas

A sad-but-true example of egregious misuse of SSNs:

The University of Texas at Austin generally prints one's (full)
SSN on one's library/ID card.  This makes it visible anytime one
shows ID and anytime one checks out a library book.  What's worse,
the library/ID card number is used as a key in just about *all*
library transactions, including lots that leave paper trails (eg
book call-in/hold/renewal requests).

So far as I know, the only way around this is not to have an SSN
when you receive a library/ID card.  In such a case they will
assign a 9-digit number of their own.

Unfortunately, I didn't find this out until after I acquired an
SSN.  I spoke to a supervisor at the ID center, and was told that
the SSN was "required".  I debated fighting it, but decided in this
case to surrender, partly because I'll be leaving UT permanently
in the near future.

However, on a happier note, the credit union had no objections at
all to switching my account number from my SSN to something else,
so at least my SSN isn't emblazoned (in magnetic ink, no less) on
my cheques...

- Jonathan Thornburg
  <jonathan@einstein.ph.utexas.edu> or <jonathan@hermes.chpc.utexas.edu>
  [until 31/Aug/93] U of Texas at Austin / Physics Dept / Center for Relativity
  [thereafter] U of British Columbia / {Astronomy,Physics}

------------------------------

Date:    Thu, 1 Jul 93 09:38:03 -0700
From:    rogue@remarque.berkeley.edu (Brett Glass)
Subject: Privacy in the Great West

I am in the process of relocating from the West Coast to the
West, and have been amazed by the extent to which western states
(e.g. Wyoming and Colorado) lag behind the others in privacy
protection. As I deal with the logistics of signing up for gas,
water, telephone, electricity, and other essentials, I have been
dismayed by the lengths to which private businesses -- and
organizations which sell their databases of customer information
-- will go to acquire your Social Security number, the key to the
credit reporting agencies' dossiers on you and your private
affairs.
 
When I called telephone provider US West to establish service,
for instance, the second piece of information the representative
wanted -- after the address where I wanted service -- was my
Social Security number. When I politely declined to provide that
number (but told him that he was welcome to check my payment
record with my current phone company), he said he would put my
request "on hold." He then transferred me to a line that rang
continuously with no answer. I called back and described this
experience to a different representative. She muttered "That
jerk!" and proceeded to re-enter my request (which the first
representative had actually deleted from the computer). As I
ordered service, I was informed that it cost $2.50 per month to
obtain an unlisted number (far more than on either coast).
 
The electric company was a little more graceful about giving me
service without a Social Security number, but the gas company --
which insisted that its forms be filled out "in full" -- wouldn't
budge. (I still need to contact a supervisor to arrange for
service, and may need to pay a deposit.)
 
The problem is also pervasive among retailers. When I entered a
store and attempted to pay by check or credit card, they would
routinely request a Social Security number and insist that I pay
cash if I refused to supply it. (This was for transactions as
small as $5!) There is no law there, as there is in California,
that prevents a retailer from demanding and recording excessive
personal information before allowing a check or credit card
purchase.
 
Finally, an issue which seems to know no geographical boundaries
but is worse in states where privacy is not respected: keeping
one's Social Security number under wraps when buying a house
appears to be almost impossible. The realtor wants to enter it
into the National Association of Realtors' database (and, in
fact, attempts to get you to agree to this when you sign a
contract). The title company wants it on the deed, and your
insurer wants it before he will provide homeowner's insurance. In
truth, the only player in the transaction that appears to be
legitimately entitled to have your Social Security number is your
mortgage lender, who needs it for tax purposes. Alas, too many
lenders will supply it to anyone else who requests it --
especially other parties in the real estate transaction.
 
None of this has affected my intention to move, but this
information has injected a dose of realism into the West's image
as a laissez-faire culture where individual privacy is respected.
Apparently, folks won't pry -- so long as you'll willingly
the key to all of your personal information.
 
--Brett Glass

------------------------------

Date:    Fri, 02 Jul 93 14:54:07 PDT
From:    "Willis H. Ware" <willis@jake.rand.org>
Subject: Social Security numbers and passwords

Ohringer@DOCKMASTER.NCSC.MIL asks about the use of some or all of
one's SSN as part of a scheme to assign computer passwords.  The
scheme is not described in enough detail to really answer his
questions, but some comments are possible.  It might be an innocuous
or a dumb idea depending upon details of the usage.

1.  First, if the last 4-digits are supposed to uniquely point to a
password, it follows that at most 10,000 employees can be handled.
Worse, though, there is a reasonable probability that there will be
duplication among the 4-digit tails of some random collection of
employees.  Unless the 4-digits were combined with something else, the
mapping into passwords might not be unique.

If duplication must be avoided, then the company must be prepared to
assign alternate numbers, so why not base the scheme entirely on a
company's own employee-number scheme?

2. Why use the SSN? Probable answer: the company already has SSNs in
the personnel-records database.  It is too lazy or indifferent or
foolish to make up some unique anonymous numbering system for itself.

3.
>> .. Is this an acceptable use of (part of) social
>> security numbers?

Depends upon personal opinion only. I think it unwise, if not dumb,
especially for what would appear to be a very minor advantage that
could be gained.  There is no law that says you cannot do this unless
your state happens to have one.  Even then the law will almost
certainly refer to "the SSN" and not concern itself with usage of a
part of the number.

>> ..................  What precedents exist for allowing or
>> prohibiting such use?  What precedent is set by this proposed use?

There are no legal prohibitions against use of the SSN within the
private sector for record-keeping purposes.  We all know that in spades.
There are a few legal requirements which mandate the use of SSN; e.g.,
financial transactions which involve tax consequences.  If the company
that is considering this is a Fortune 500 and if the scheme became public
knowledge, there might be a small temptation for others to follow. If the
company in question is a small family business in rural Maryland, there
is probably no precedent of importance.

I point out that if the actual 4 digits of the SSN were traceable
through or derivable from the password and if the password becomes
compromised [i.e., known to a 3rd party], then 4/9 of the SSN is
revealed.  It might not be too difficult to construct the rest of the
9 digits.  The format of the SSN is known, the significance of the
various digits combinations is well known, and employment or family
history might be enough to deduce the others.  But then some people
don't consider an SSN to be a sensitive data element; a lot of others
do however.

>> I look forward to reading how readers would react if they faced such a
>> proposal.

Lauren would properly decline to print my explicit views of a
management that is seemingly so careless, so casual, so indifferent,
so unwise, so foolish, so unbelievably ill informed and so
unimaginative as to propose the use of the SSN for a trivial purpose
with seemingly so little payoff, or for that matter to propose its use
for any purpose other than for which it is legally required.

For a good history and review of the SSN usage, see the report of the
Privacy Protection Study Commission, chapter on SSN.

						Willis H. Ware
						Santa Monica, CA
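
[Added example, not part of the original digest or of Mr. Ware's message: a worked version of the duplication point in item 1 above. It computes how likely two employees are to share the same last four digits and flags shared tails in a roster. It assumes tails are uniformly and independently distributed; the function names and the roster (with the unassigned 000 area prefix) are constructed for illustration.]

```python
"""Added example: how unique are 4-digit SSN tails as a lookup key?"""
import re
from collections import defaultdict

TAIL_SPACE = 10_000  # a 4-digit tail can take 10**4 values


def collision_probability(n, space=TAIL_SPACE):
    """P(at least two of n people share a tail), assuming uniform tails."""
    if n > space:  # pigeonhole: more people than tails
        return 1.0
    p_unique = 1.0
    for k in range(n):
        p_unique *= (space - k) / space
    return 1.0 - p_unique


def smallest_n_for(target, space=TAIL_SPACE):
    """Smallest head count whose collision probability reaches `target`."""
    if not 0 < target <= 1:
        raise ValueError("target must be in (0, 1]")
    p_unique = 1.0
    for n in range(1, space + 2):
        p_unique *= (space - (n - 1)) / space  # n-th person avoids n-1 tails
        if 1.0 - p_unique >= target:
            return n
    return space + 1


def expected_colliding_pairs(n, space=TAIL_SPACE):
    """Expected number of employee pairs that share a tail."""
    return n * (n - 1) / (2 * space)


def find_duplicate_tails(roster):
    """Map each shared tail to the record ids that collide on it.

    `roster` maps a record id to a 9-digit identifier string; separators
    are ignored. Only the tail is kept in the result, never the full number.
    """
    by_tail = defaultdict(list)
    for record_id, number in roster.items():
        digits = re.sub(r"\D", "", number)
        if len(digits) != 9:
            raise ValueError(f"{record_id}: expected 9 digits")
        by_tail[digits[-4:]].append(record_id)
    return {t: sorted(ids) for t, ids in by_tail.items() if len(ids) > 1}


# Constructed sample roster (not real numbers; area 000 is never issued).
SAMPLE_ROSTER = {
    "emp-001": "000-00-1234",
    "emp-002": "000-11-5678",
    "emp-003": "000-22-1234",
    "emp-004": "000-33-9012",
}

if __name__ == "__main__":
    for n in (50, 119, 500, 1000):
        print(f"{n:5d} employees: P(shared tail) = "
              f"{collision_probability(n):.4f}, expected colliding pairs = "
              f"{expected_colliding_pairs(n):.2f}")
    print("50% threshold:", smallest_n_for(0.5), "employees")
    print("shared tails in sample:", find_duplicate_tails(SAMPLE_ROSTER))
```

Under these assumptions a shared tail is more likely than not at well under 1% of the 10,000-employee ceiling.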

------------------------------

Date:    Fri, 2 Jul 93 22:57:06 -0700
From:    rogue@remarque.berkeley.edu (Brett Glass)
Subject: Social Security numbers on the Internet

The last issue of PRIVACY Forum Digest contained several messages which
suggested that the use of Social Security numbers as passwords is a bad
idea. Ironically, there may be thousands of users on the Internet right
now whose Social Security number is used not as their password but as
their user ID! Many academic institutions use the SSN as a student ID
number, which then becomes an account name when the student applies for
a computer account.

From then on, each time the student sends an electronic mail message,
posts to a Usenet newsgroup, or even appears on the list generated by
the FINGER command, his or her SSN is revealed.

Not exactly the best way to protect students' privacy.

--Brett Glass

------------------------------

Date:    Fri, 2 Jul 93 16:18:16 -0700
From:    nelson@bolyard.wpd.sgi.com (Nelson Bolyard)
Subject: Bank Procedures Encourage Risky Behavior by Card Holders

Suppose you received a message on your residence answering machine that
said "My name is <someone-you-never-heard-of> at <your-bank> and I need
to talk to you as soon as possible about your credit card.  Please call
me at 1-800-xxx-xxxx.  It's really important."  What would you do??

Let's take the scenario one step further.  You call the 800 number (that
you've never seen before, and isn't known to you as belonging to your
bank) and get a recording that says something like "Welcome to Bank Card
Services.  In order that we may properly route your call, please enter
your credit card number now."  You have no real idea whose machine you're
listening to.  It didn't even identify itself as belonging to your bank,
which is highly suspicious.  Do you enter your card number?

Let's go yet another step further.  After entering your credit card
number, the machine next asks you to enter the last 4 digits of your
Social Security Number, which you know your bank uses as a (very poor)
authenticator, and is essentially the closest thing to a password that
you have with your bank.  Do you enter the last 4 digits of your SSN as
requested?

Given that most readers of this list are more wary of privacy and
security concerns than the average Joe (and Jane), chances are very high
that you would have stopped without entering your SSN and hung up, and
perhaps you would have called your bank to find out what's going on.

Clearly, it's very possible that someone has set this system up to
defraud you by using your remaining credit balance, and has asked you to
supply them with everything they need to accomplish it.  Nothing they've
told you gives you any real assurance they're legitimate.  They may very
well be relying on the fact that most folks will be really scared that
something has gone wrong with their credit account, and in their
adrenaline-pumped frenzy will be in such a rush to get it cleared up that
they'll ignore the warning signs, and supply all the info.

Well, this is not merely an imaginary exercise.  This actually happened
to a member of my household last Sunday.  Fortunately, I was there, and
was able to add reason to the situation, and successfully fought the
apparently panic-driven desire to answer any question asked (by the
machine) on the way to finding out what had gone wrong with the credit
card.  After being asked for the SSN, we terminated the call, and we
called the phone number on the back of the credit card.  To my surprise,
we got a machine with an almost identical recording (and same voice)
except this time it identified itself as belonging to Bank of America,
and so then we felt safe in answering the questions (because we had
called a known good number, not because it named the bank).

The bank personnel (to whom we finally talked after completing the maze
of questions asked by the machine) were consumed with the desire to
authenticate us, and asked us to repeat the SSN info which we had already
entered, but seemed shocked that perhaps we might legitimately wonder if
they were who they claimed to be.  They were hesitant to let us speak
with the person who called us, but did at least acknowledge that she is a
real employee.

One would think that a legitimate bank would have left a different
message, asking the card holder to call a phone number listed in the
phone book, or appearing on a recent bank statement, so that the card
holder would have some reason to think that s/he was really dealing with
her/his bank, and not some other party.  

One would think that the message might have also explained why this call
was desired (e.g. to report a lost credit card).  I mention this because
after entering card number and SSN number, the machine asked if we were
calling to report a lost/stolen card, or to obtain a credit balance.
We had to guess that it had something to do with being lost or stolen.

One would think that, because they eat much of the cost of credit card
fraud, banks would have some incentive to use fraud-resistant procedures
for dealing with their card holders, and would encourage their card
holders to never give out their "password" information to incoming
callers, or to people (and machines) whom they call, unless they are
certain that they've called the bank.  But apparently they do not care
if their card holders get swindled or not.

I attempted to complain to the department supervisor about the shoddy 
security practices, but was told I needed to call another number to 
complain.  I have not been able to successfully reach that supervisor 
since then.  

Perhaps a list of which banks follow good security practices (e.g. don't
use readily obtainable information, such as SSNs, for passwords, and 
encourage their customers to be aware of fraud and use fraud-resistant
procedures to deal with emergencies) would be useful to the readership 
of this list.  Anybody have such a list?
--
Nelson Bolyard     MTS Advanced Networking Lab         Silicon Graphics, Inc.
nelson@sgi.COM     {decwrl,sun}!sgi!whizzer!nelson     415-390-1919
Disclaimer: I do not speak for my employer.

------------------------------

Date:    Wed, 7 Jul 93 10:48:30 MDT
From:    shapiro@marble.Colorado.EDU (Andrew Shapiro)
Subject: American Express recognizes privacy concerns.

At last some good news on the privacy frontier. American Express sent me
a postage-paid mailer entitled, "An Important Notice To Our Cardmembers 
Concerning Privacy, Mailing and Telemarketing Options." The gist of the
mailer is, we keep lists of your habits and try and sell you things
based on these lists. I quote from the flyer:

  Cardmembers tell us they appreciate receiving these special offers, as
  well as information on Cardmember benefits. However, if for any reason
  you no longer wish to receive these offers, you may select from among
  the following options:

* Please exclude me from American Express mailings, including new option
  Cardmember benefits and American Express Merchandise Service catalogs.

* Please exclude me from mailings by other companies, including offers in
  cooperation with American Express provided by establishments that accept
  the Card.

* Please exclude me from lists used for telemarketing.

At least they recognize that there is a portion of the population who
are not interested in having their personal spending habits used for
marketing purposes.

                                     -Andrew T. Shapiro
shapiro@spot.colorado.edu             CSES/CIRES University of Colorado
shapiro@cses.colorado.edu             Campus Box 449
(303) 492-5539                        Boulder, CO 80309-0449

------------------------------

Date:    Fri, 2 Jul 1993 16:00:05 EST
From:    Dave Banisar <banisar@washofc.cpsr.org>
Subject: CPSR Workplace Privacy Testimony

                   Prepared Testimony
                           and
                Statement for the Record
                            of
                     Marc Rotenberg,
           Director, CPSR Washington office,
  Adjunct Professor, Georgetown University Law Center
                            on
                        H.R. 1900,
       The Privacy for Consumers and Workers Act

                          Before
    The Subcommittee on Labor-Management Relations,
           Committee on Education and Labor,
             U.S. House of Representatives
                      June 30, 1993

        Mr. Chairman, members of the Subcommittee, thank you
for the opportunity to testify today on H.R. 1900, the
Privacy for Consumers and Workers Act.  My name is Marc
Rotenberg and I am the director of the CPSR Washington
office and an adjunct professor at Georgetown University
Law Center where I teach a course on information privacy
law.
        Speaking on behalf of CPSR, we strongly endorse the
Privacy for Consumers and Workers Act.  The measure will
establish important safeguards for workers and consumers
in the United States.  We believe that H.R. 1900 is
particularly important as our country becomes more
dependent on computerized information systems and the
risk of privacy abuse increases.
        CPSR has a special interest in workplace privacy.
For almost a decade we have advocated for the design of
computer systems that better serve the needs of
employees in the workplace.  We do not view this
particular goal as a trade-off between labor and
management.  It is our belief that computer systems and
information policies that are designed so as to value
employees will lead to a more productive work
environment and ultimately more successful companies and
organizations.  As Charles Hecksher of the Harvard
Business School has said, good managers have no use for
secret monitoring.
        Equally important is the need to ensure that
certain fundamental rights of employees are safeguarded.
The protection of personal privacy in the information
age may be as crucial for American workers as the
protection of safety was in the age of machines.
Organizations that fail to develop appropriate workplace
privacy policies leave employees at risk of abuse,
embarrassment, and harassment.
        The concern about workplace privacy is widely felt
in the computer profession.  This month MacWorld
magazine, a leading publication in the computer
industry, released a special report on workplace
privacy.  The report, based on a survey of 301 companies
in the United States and authored by noted science
writer Charles Piller, made clear the need for a strong
federal policy.

        Among the key findings of the MacWorld survey:

>  More than 21 percent of those polled said that
they had "engaged in searches of employee
computer files, voice mail, electronic mail, or
other networking communications."

>  "Monitoring work flow" is the most frequently
cited reason for electronic searches.

>  In two out of three cases, employees are not
warned about electronic searches.

>  Only one third of the companies surveyed have a
written policy on privacy.

        What is also interesting about the MacWorld survey
is the high level of concern expressed by top corporate
managers about electronic monitoring.  More than a half
of those polled said that electronic monitoring was
either "never acceptable" or "usually or always
counterproductive."  Less than five percent believed
that electronic monitoring was a good tool to routinely
verify honesty.
        These numbers suggest that managers would support a
sensible privacy law.  Indeed, they are consistent with
other privacy polls conducted by Professor Alan Westin
for the Lou Harris organization which show that managers
are well aware of privacy concerns and may, with a
little prodding, agree to sensible policies.
        What would such a policy look like?  The MacWorld
report also includes a model privacy policy that is
based on several U.S. and international privacy codes.
Here are the key elements:

>  Employees should know what electronic
surveillance tools are used, and how management
will use the data gathered.

>  Management should minimize electronic monitoring
as much as possible.  Continuous monitoring
should not be permitted.

>  Data should only be used for clearly defined,
work-related purposes.

>  Management should not engage in secret
monitoring unless there is credible evidence of
criminal activity or serious wrongdoing.

>  Data gathered through monitoring should not be
the sole factor in employee evaluations.

>  Personal information gathered by employers
should not be disclosed to any third parties,
except to comply with legal requirements.

>  Employees or prospective employees should not be
asked to waive privacy rights.

>  Managers who violate these privacy principles
should be subject to discipline or termination.

        Many of these provisions are contained in H.R.
1900, the Privacy for Consumers and Workers Act.
Clearly, the policies and the bill itself are not
intended to prohibit monitoring, nor to prevent
employers from protecting their business interests.
What the bill will do is help establish a clear
framework that ensures employees are properly notified
of monitoring practices, that personal information is
not misused, and that monitoring capability is not
abused.  It is a straightforward, sensible approach that
does not so much balance rights as it clarifies
interests and ensures that both employers and employees
will respect appropriate limitations on monitoring
capability.
        The need to move quickly to establish a framework
for workplace privacy protection is clear.  Privacy
problems will become more acute in the years ahead as
new monitoring schemes are developed and new forms of
personal data are collected.  As Professor Gary Marx has
made clear, there is little that can be imagined in the
monitoring realm that can not be achieved.  Already,
some members of the computer profession are wearing
"active badges" that provide full-time geographical
monitoring.  Properly used, these devices help employees
use new tools in the hi-tech workplace.  Improperly
used, such devices could track the physical movements of
an employee throughout the day, almost like a blip on a
radar screen.
        Computers are certainly powerful tools.  We believe
that they can be used to improve productivity and
increase job satisfaction.  But this requires that
appropriate policies be developed to address employee
concerns and that laws be passed, when necessary, to
ensure that computer abuse does not occur.
        This concludes my testimony.  I would be pleased to
answer your questions.

------------------------------

End of PRIVACY Forum Digest 02.24
************************
