
Privacy Digest 2.25 7/17/93

PRIVACY Forum Digest        Saturday, 17 July 1993        Volume 02 : Issue 25

          Moderated by Lauren Weinstein (lauren@vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	Bank Security Issues (Diane Barlow Close)
	Re: American Express recognizes privacy concerns 
	   (payne@itd.nrl.navy.mil)
	Credit Card Security (Paul Robinson)
	Incident at a Car Rental 800 Number (Paul Robinson)
	Data-swapping between EMT and DMV (Wayne Madsen)
	Congress asked for hearings on Owens bill (James Love)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 25

   Quote for the day:

	"... They're giving you a number,
	     And takin' 'way your name."

			-- From the song "Secret Agent Man",
			   theme to "Danger Man" (1961) and
			   "Secret Agent" (1965-1966).
			   Song by P.F. Sloan and Steve Barri,
			   sung by Johnny Rivers.

----------------------------------------------------------------------

Date:    Sat, 10 Jul 1993 09:34:22 -0800 (PDT)
From:    close@lunch.wpd.sgi.com (Diane Barlow Close)
Subject: Bank Security Issues

Nelson Bolyard wrote:

> Suppose you received a message on your residence answering machine that
> [Typical Bank of America horror story deleted.]

What you wrote of is very, very typical of Bank of America, imho.  I
went through this exact same scenario, except about using the SSN# as
a password, not about credit cards, exactly one year ago today.  I see
the attitude of the "customer service" (abuse is more like it)
representatives hasn't changed:

> The bank personnel (to whom we finally talked after completing the maze
> of questions asked by the machine) were consumed with the desire to
> authenticate us, and asked us to repeat the SSN info which we had already
> entered, but seemed shocked that perhaps we might legitimately wonder if
> they were who they claimed to be.  They were hesitant to let us speak
> with the person who called us, but did at least acknowledge that she is a
> real employee.

It seems that BofA routinely leaves return phone numbers with no
company identification on them.  Their attitude is one of "we, the
legitimate, are trying to call you, the lowly, so you should take our
word for it and call us back pronto!"  They are overprotective of
their staff, but do NOT apply the same zealous procedures to their
customers or to their customers' accounts!

> One would think that, because they eat much of the cost of credit card
> fraud, banks would have some incentive to use fraud-resistant procedures

One would think that, but I found extreme resistance to getting BofA
to employ even rudimentary fraud-check procedures like the use of a
random password instead of a SSN# for pass book checkups.

> certain that they've called the bank.  But apparently they do not care
> if their card holders get swindled or not.

Bingo!  That's certainly been the impression I've received!

As I mentioned much earlier, I went through almost this same scenario
one year ago.  My husband's SSN# was stolen and used, along with his
name, to set up the great-credit-card-company-rip-off by some
as-yet-unknown-fink.  When we found out about it and had cleared his
name and credit record, we wanted to protect our driver's license and
bank accounts and stuff like that.  We had no problem getting the Big
Three credit reporting agencies to put a fraud warning in my husband's
credit report, and we had no problem getting the State to put a fraud
warning/hold on my husband's driver's license, but we had major, major
problems getting Bank of America to implement a password change!

The policy was supposed to already be in place, but it took three
weeks to change a SSN# to a password, to get locked out of the
auto-phone-system (as it was "not set up for any passwords except
SSN#") and then a further FIVE MONTHS to get the phone dweebs to ask
for that password when doing stuff to our accounts!

I ended up writing one of BofA's VPs -- *that's* when I saw some
action!!  (Finally!!)  He not only implemented policy quickly, but saw
the necessity to change some of it for customer protection and then
followed up with secret spot checks (for three months) to make sure
employees were doing their job.  He fired or transferred those that
made repeated mistakes.  I was impressed, but saddened that it had to
go that far for something that was supposed to be already in place but
just hadn't been used before.

Anyway, my BofA troubles didn't end there and when they messed up big
time on all three IRA transactions I decided to take my business
elsewhere.  I did a huge phone interrogation of all the local banks,
and the only one I found that combined both convenience with enough
security checks and really pleasant, efficient employees was Wells
Fargo.

I've been really impressed so far!  I've been there 8 months now and all
of my problems have been handled speedily, efficiently and without the
need for supervisors!  Heck, they've gotten things right the FIRST
time!!  And I was super impressed with their ability to handle
personalized passwords instead of SSN's, although a little
disappointed they limit them to 3 letter/characters.  But at least
it's a start!

Other banks and S&L's that came close, imho:

Foothill
1st Nationwide
Eureka Bank
HomeFed Bank

If you can go without 24-hour phone service, or don't mind limited ATM
availability, then just about any small bank or S&L whose president
resides in-house (like 1st Nationwide on San Antonio) will listen
seriously to bank/credit horror stories and then implement new,
personal policies to keep your money safe and get you feeling better.
I found the smaller banks were very keen on security, although I'm
very happy with the service I'm getting at Wells Fargo.

I'm certainly happy I'm gone from BofA!!  I went through lost funds
(their fault) and scraps with the IRS due to mis-reported funds (again
their fault), and although they eventually corrected everything, it
shouldn't have happened in the first place!  If you want to stick with
BofA, then I suggest you write the same VP that I wrote to get your
problems solved.  Heck, you can even mention my name -- he should
remember me, he sent me enough flowers!  :-D

Don Owen
Senior Vice President,
Manager, Item Processing
611 North Brand Blvd.
Glendale, CA  91203


> Perhaps a list of which banks follow good security practices (e.g. don't
> use readily obtainable information, such as SSNs, for passwords, and 
> encourage their customers to be aware of fraud and use fraud-resistant
> procedures to deal with emergencies) would be useful to the readership 

Hopefully I've been of some help!  Good luck!

-- 
Diane Barlow Close
close@lunch.wpd.sgi.com 
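An added example, not from Diane Close's post or from any bank named in this digest, to make the point about SSNs as passwords concrete. It models a phone-banking check the way a practitioner would build it (the caller's secret is compared against a salted PBKDF2 hash, and the account locks after a number of failures; the threshold and the low KDF iteration count are assumptions, since the digest gives neither) and then runs two attacks against it: a thief who already holds the SSN passes on the first attempt, because a stolen SSN is not a secret at all, while a 3-character alphanumeric password has only 36**3 = 46,656 candidates, hopeless against lockout but trivially enumerated where there is none. Account numbers, secrets and the sample SSN are constructed.

```python
import hashlib
import hmac
import itertools
import os
import string
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed parameter; the digest doesn't say what KDF or lockout any bank used.
# Kept low so the enumeration demo below runs quickly; production would use far more.
KDF_ITERATIONS = 1_000


def derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the bank never stores the caller's secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class PhoneBankingAuth:
    """Knowledge-based check for a phone line, with optional lockout after max_failures."""

    def __init__(self, max_failures: Optional[int] = 3):
        self.max_failures = max_failures
        self.accounts: Dict[str, Account] = {}

    def enroll(self, acct_no: str, secret: str) -> None:
        salt = os.urandom(16)
        self.accounts[acct_no] = Account(salt, derive(secret, salt))

    def verify(self, acct_no: str, secret: str) -> bool:
        acct = self.accounts[acct_no]
        if acct.locked:
            return False  # locked accounts refuse even the correct secret
        ok = hmac.compare_digest(derive(secret, acct.salt), acct.digest)
        if ok:
            acct.failures = 0
        else:
            acct.failures += 1
            if self.max_failures is not None and acct.failures >= self.max_failures:
                acct.locked = True
        return ok


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must try when the secret is actually unknown to them."""
    return alphabet_size ** length


def brute_force(auth: PhoneBankingAuth, acct_no: str, alphabet: str,
                length: int) -> Tuple[Optional[str], int]:
    """Enumerate every candidate of the given length in order.
    Returns (secret or None, attempts made); stops as soon as the account locks."""
    attempts = 0
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        attempts += 1
        if auth.verify(acct_no, candidate):
            return candidate, attempts
        if auth.accounts[acct_no].locked:
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    # SSN used as the password: the thief who stole it authenticates on the first call.
    bank = PhoneBankingAuth(max_failures=3)
    bank.enroll("acct-1", "123-45-6789")  # constructed sample, not a real SSN
    print("thief with stolen SSN:", bank.verify("acct-1", "123-45-6789"))

    # 3-character alphanumeric password: 46,656 candidates, but lockout ends enumeration at 3.
    bank.enroll("acct-2", "k7q")
    print("candidates:", search_space(36, 3))
    print("brute force, lockout on:",
          brute_force(bank, "acct-2", string.ascii_lowercase + string.digits, 3))

    # Same idea with no lockout: enumeration walks straight to the secret.
    lax = PhoneBankingAuth(max_failures=None)
    lax.enroll("acct-3", "042")
    print("brute force, lockout off:", brute_force(lax, "acct-3", string.digits, 3))
```

The two knobs that matter are visible in the results: the secret's entropy only counts when the attacker doesn't already hold it, and a short secret is only survivable when the line refuses to keep answering guesses.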

------------------------------

Date:    Mon, 12 Jul 93 8:40:23 EDT
From:    payne@itd.nrl.navy.mil
Subject: re: American Express recognizes privacy concerns

One thing to note about American Express's attention to privacy however:

When I was a Card holder, I was solicited by AMEX regularly for
various products and services (e.g., applications for the Gold Card).
I used to receive my mail at a P.O. Box, and I usually discarded such
junk mail before leaving the Post Office.  However, I always took
special care of AMEX mailings, because AMEX had the nasty habit of
printing my AMEX number somewhere in the mailings (such as on any
included application forms).

------------------------------

Date:    Mon, 12 Jul 1993 09:06:45 -0400 (EDT)
From:    Paul Robinson <TDARCOS@MCIMAIL.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
Subject: Credit Card Security

-----
nelson@bolyard.wpd.sgi.com (Nelson Bolyard), writes:
> One would think that, because they eat much of the cost of credit
> card fraud, banks would have some incentive to use fraud-resistant
> procedures for dealing with their card holders, and would encourage
> their card holders to never give out their "password" information
> to incoming callers, or to people (and machines) whom they call,
> unless they are certain that they've called the bank.  But
> apparently they do not care if their card holders get swindled or
> not.                               

To quote from the song "Hello Stranger":

  "Well some they do and some they don't, and some you just can't tell..."

When I received my new Visa card in June, effective 7/93, there was a
sticker on it warning me it was "dead plastic", i.e. that the card 
would remain invalid until I called the bank at the number printed on 
the sticker to validate the information.  Now, since this was a 
legitimate Visa card from my issuer and my old card expired 6/93, 
it made sense; but someone else could have pulled the same type of 
scam, since the bank asked me to authenticate myself with some private
information to enable the card.  Since most of the time I'm usually 
either maxed out or have less than $200 free, it wouldn't get a thief 
much.

But there is another problem, that of the apparently illiterate and
incompetent people they have at some credit card companies.  I have
a shared account with a relative.  I called once to find out what 
the available credit was on my Visa card.  Well, they asked for the
relative's social security number (which I know) and apparently it's
keyed to their number even though it's a joint card.  

Point is they got the number wrong, and froze my account.  So they
tell me to mail proof of the correct number to their security office 
which is supposed to be in South Dakota.

I have a driver's license from Maryland which does not print Social
Security Numbers on the card.  The relative I share this Visa card
with (the relative doesn't use it; they have another card with someone
else that they use) has an ID card from the District of Columbia which
*does* show Social Security Number.   So I photocopied that along
with a photocopy of the credit card with the matching name on it.

After *Six Weeks* they finally turn the card back on, because the
office told me to send the information to the security office for
their *other* VISA card, and it had to be sent to the security office
for the "special" card.  (The financial institution runs two, their
regular Visa and their allegedly "special" Visa, and I'm stuck with
the so-called Special one, that is run out of a different office.
I am being deliberately vague so someone can't figure out who I am
using, and no, I'm not talking about a secured Visa card.)
 
So the other day I tried to call them to check on the balance.  They
*still have the wrong social security number* and I'm afraid to say
anything because the last time I did they shut off my plastic for *Six
weeks* because *I* told them their information was wrong.  Because their
computer and the clerks want Social Security numbers, I can't ever ask any
information about my account, for fear they'll lock out my credit card
again. 
---
Paul Robinson - TDARCOS@MCIMAIL.COM

------------------------------

Date:    Mon, 12 Jul 1993 15:38:23 -0400 (EDT)
From:	 Paul Robinson <TDARCOS@MCIMAIL.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
Subject: Incident at a Car Rental 800 Number

-----
Recently I called a car rental company to request a car over the 
weekend.  (I do not own a car because the bus runs from my house
direct to my office; the expense would be frivolous.)

I called the nationwide 800 number and requested it for Washington
National Airport.  (Note: for most places, rentals from an airport
location are cheaper than rentals in the city.  As the airport has
direct train service, it's no more difficult than going into DC, and
possibly easier.)

I ordered the car for a weekend, and was asked the usual information
about whether I was over 25 and so on.  The interesting note was that
they stated that they would check my driver's record when I went to
get the automobile.  Now, I can understand that someone who is renting
me a car would want to check to make sure I don't have a habit of
stealing cars or running into telephone poles, but I do note that this
is the first time I've heard any place state they would do so.

I have heard that there have been problems with companies renting cars
to people who are bad drivers, who take the optional accident waiver and
then don't care what happens.  After I had rented more than 10 times 
and never made a bad move, I stopped taking accident waiver. 

What bothers me is that the rental office is at Washington, DC's National
Airport, in Arlington, Virginia and I live in Silver Spring, Maryland so I
have a Maryland driver's license, yet apparently they will have no trouble
checking my background, which would be an Interstate record, even on a
Saturday.  Makes me wonder how. 

Well, at least Maryland doesn't print Social Security numbers on the
driver's license...
---
Paul Robinson - TDARCOS@MCIMAIL.COM

------------------------------

Date:    Tue, 13 Jul 93 11:17:56 EDT
From:    wmadsen@opus.starlab.csc.com (Wayne Madsen)
Subject: Data-swapping between EMT and DMV

Recently, an employee of Martin Marietta here in Moorestown, New Jersey
collapsed at his desk and was rushed off to hospital by EMT (Emergency
Medical Technician) personnel. He was diagnosed with a benign brain
tumor. Upon his recovery he was notified by the NJ Dept. of Motor
Vehicles (DMV) that he had to re-apply for his driver's license.

It seems that the EMT had shared the medical data with DMV and when
confronted later, EMT claimed that it was a routine procedure to do so.
Is this a common procedure in other states? If so, it is a draconian
privacy measure and calls into question the privacy of medical data
in the upcoming National Health Insurance program - if the government
presently is so callous in its disregard for such data - what will
happen when they run the show more or less completely?

Wayne Madsen
Computer Sciences Corp.
Moorestown, NJ

------------------------------

Date:    Fri, 16 Jul 1993 17:07:01 EDT
From:    love@essential.org
Subject: CONGRESS ASKED FOR HEARINGS ON OWENS BILL

----------------------------Original message----------------------------
Taxpayer Assets Project
Information Policy Note
June 12, 1993

     WASHINGTON, June 12.  Today 15 citizen groups wrote to
Representative Gary Condit (D-CA) asking for hearings on HR 629,
the Improvement of Information Access Act (IIA Act, sometimes
referred to as the "Owens bill" after its sponsor, Rep. Major
Owens of NY).

     Condit is the new Chair of the House Subcommittee on
Government Information.  This subcommittee has bottled HR 629
up for the past two years, due primarily to opposition to the
bill by lobbyists for commercial data vendors.

     Groups calling for hearings include the Taxpayer Assets
Project, Computer Professionals for Social Responsibility, Public
Citizen, Center for Media Education, Association of Research
Libraries, Center for Civic Networking, the Information Trust,
Consumer Federation of America, FAIR, Government Accountability
Project, National Writers Union, Environmental Research
Foundation, Federation of American Scientists, Essential
Information, and the National Coordinating Committee for the
Promotion of History.

     The letter follows:

----------------------------------------
June 12, 1993

Representative Gary Condit
Chair, Subcommittee on Government Information,
  Justice and Agriculture
Committee on Government Operations
U.S. House of Representatives
Washington, DC  20515

Dear Representative Condit:

We are writing to request that you hold a hearing of the
Subcommittee on Government Information, Justice and Agriculture
to consider HR 629, the Improvement of Information Access Act
(IIA Act).  This legislation, first introduced in 1991, is a very
important proposal that would broaden public access to government
information resources.  The IIA Act reflects the views and needs
of the research, education and library community.  The issues
addressed in the bill are relevant to public access to government
information in an era when computers are increasingly important.

The IIA Act addresses the following issues:

1.   AGENCIES ARE GIVEN A MANDATE TO USE MODERN COMPUTER
     TECHNOLOGIES TO DISSEMINATE GOVERNMENT INFORMATION

Agencies are required to disseminate information in diverse modes
and through appropriate outlets, including federal depository
libraries, national computer networks such as the Internet, and
other outlets.  They must assure free or low-cost public access
to Government information.  Agency dissemination efforts must
ensure the timeliness, usefulness, and reliability of the
information for the public.  Agencies are given a mandate to
provide data users with adequate documentation, software,
indexes, or other resources that will permit and broaden public
access to Government information.

     Why are these measures needed?

     While some agencies have taken bold and imaginative
     steps to broaden public access to Government
     information through the use of modern information
     technologies, other agencies actively resist efforts to
     broaden public access.  This bill would give federal
     agencies a mandate to provide the types of information
     services and products that are important to data users.

2.   STANDARDS

Agencies would be required to disseminate information products
and services in standardized record formats.  Agencies would be
required to report annually on efforts to develop or implement
standards for file and record formats, software query command
structures, user interfaces, and other matters that make
information easier to obtain and use, and also on agency
provisions for protecting access to records stored with
technologies that are superseded or obsolete.

The National Institute of Standards and Technology (NIST) and
the National Archives and Records Administration (NARA) would be
required to develop and periodically revise voluntary performance
standards for public access to government records.

     Why are these measures needed?

     Many federal agencies have not yet developed standards
     for information systems, and thus it is often difficult
     for agencies to share data or for the public to obtain
     access to agency information resources.

3.   PRICING

The IIA Act would set a government wide limit on the prices the
federal government can charge on information products and
services.   This price limit would be the incremental cost of
dissemination, which is defined to exclude the costs of data
collection.  Agencies would not be allowed to impose royalties or
other fees on the redissemination of federal government
information.

     Why are these measures needed?

     As federal agencies are faced with difficult fiscal
     pressures, they are looking at information resources as
     a source of income.  Many agencies price electronic
     information products and services far above
     dissemination costs, and impose royalties and
     restrictions on the redissemination of information.
     Such policies erode the public's right-to-know, and
     lead to a society where information is rationed to the
     most affluent.  The IIA Act limits user fees on
     information products and services to dissemination
     costs, which is the policy which has long been used for
     information published in paper formats.  Limiting the
     prices for information products and services to the
     costs of dissemination is also consistent with the
     recently revised OMB Circular A-130.


4.   PUBLIC NOTICE

Perhaps most importantly, the IIA Act would make the federal
management of information resources more democratic.  Every year
federal agencies would be required to publish a report which
describes:

-    the plans to introduce or discontinue information products
     and services,

-    the efforts to develop or implement standards for file and
     record formats, software query command structures and other
     matters that make information easier to obtain and use,

-    the status of agency efforts to create and disseminate
     comprehensive indexes or bibliographies of their information
     products and services,

-    the means by which the public may access the agency's
     information,

-    the plans for preserving access to electronic information
     that is stored in technologies that may be superseded or
     obsolete, and

-    the agency plans to keep the public aware of its information
     resources, services and products.


Agencies would be required to solicit public comments on this
plan, including comments on the types of information collected
and disseminated, the agency's methods of storing information,
their outlets for disseminating information, the prices they
charge for information and the "validity, reliability,
timeliness, and usefulness to the public of the information."
The agency would be required to summarize the comments it
receives and report each year what it has done to respond to the
comments received in the previous year.

     Why are these measures needed?

     It is essential that federal agencies become more
     involved with citizens at the grass roots as they
     design information policies.  Citizens have important
     information regarding the way Government information is
     used, and they also have important insights regarding
     emerging information technologies.  When issues such as
     standards are involved, it is essential to have regular
     and frequent input from citizens regarding the choice
     of standards, particularly since technologies are
     rapidly changing.  These public notice provisions will
     empower citizens at the grass roots to shape federal
     policies in ways that benefit the public.


     HEARINGS ARE NEEDED ON HR 629


While this important legislation has broad backing from the right
to know community, and has been endorsed by such groups as Public
Citizen, the American Library Association, Computer Professionals
for Social Responsibility (CPSR) and the Taxpayer Assets Project,
the Subcommittee on Government Information should schedule or
conduct a hearing on this bill.


Sincerely,

James Love, Taxpayer Assets Project; P.O. Box 19367, Washington,
DC  20036; 202/387-8030; love@essential.org

Paul Wolfson, Public Citizen; 2000 P Street, NW, Suite 700
Washington, DC  20036; 202/833-3000

Pam Gilbert, Congress Watch; 215 Pennsylvania Avenue, SE,
Washington, DC  20003; 202/546-4996

Marc Rotenberg, Computer Professionals for Social Responsibility
666 Pennsylvania Avenue, SE, Suite 303, Washington, DC  20003;
202/544-9240; rotenberg@washofc.cpsr.org

Tom Devine, Government Accountability Project, 810 First Street,
NE, Suite 630, Washington, DC  20002; 202/408-0034

Prue Adler, Association of Research Libraries, 21 Dupont Circle,
NW, Washington, DC  20036; 202/296-8656; prue@cni.org

Jeff Chester, Center for Media Education, P.O. Box 330039,
Washington, DC  20033; 202/628-2620; cme@digex.net

Richard Civille, Center for Civic Networking, P.O. Box 65272
Washington, DC  20035; 202/362-3831; rciville@cap.gwu.edu

Page Miller, National Coordinating Committee for the Promotion of
History; 400 A Street, SE, Washington, DC  20003; 202/544-2422

Scott Armstrong, The Information Trust, 1330 Connecticut Avenue,
NW, Suite 220, Washington, DC  20036; 202/296-4833

Brad Stillman, Legislative Counsel, Consumer Federation of
America, 1424 16th Street, NW, Suite 604, Washington, DC  20036
202/387-6121; bstillman@essential.org

Janine Jackson, FAIR, 130 West 25th Street, New York, NY  10011;
212/633-6700

John Richard, Essential Information, P.O. Box 19405, Washington,
DC  20036; 202/387-8034; jrichard@essential.org

Jonathan Tasini, National Writers Union, 739 West 186th Street
Apartment 1A, New York, NY  10033; 212/927-1208;
76450.2377@compuserve.com

Peter Montague, Environmental Research Foundation, P.O. Box 5036
Annapolis, MD  21403; erf@igc.apc.org

Steven Aftergood, Federation of American Scientists, 307
Massachusetts Ave., NE, Washington, DC  20002; 202/675-1012
jstone@igc.apc.org
------------------------------------------------------------------
tap-info postings are archived at cpsr.org.  ftp: ftp.cpsr.org;
gopher: gopher.cpsr.org; wais: wais.cpsr.org
To receive tap-info, send a note to tap-info-request@essential.org
------------------------------------------------------------------
Taxpayer Assets Project, P.O. Box 19367, Washington, DC 20036;
v. 202/387-8030; f. 202/234-5176; internet:  tap@essential.org
------------------------------------------------------------------
------------------------------

End of PRIVACY Forum Digest 02.25
************************
