Date: Thu, 10 Feb 94 07:53:51 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#028

Computer Privacy Digest    Thu, 10 Feb 94    Volume 4 : Issue: 028
Moderator: Leonard P. Levine

Today's Topics:

    Re: SSN on Payroll Checks
    Re: SSN on Payroll Checks
    Re: SSN on Payroll Checks
    Privacy Acts - Ireland, Iceland
    Banks
    Re: Data Encryption and Privacy
    Voice Recognition in Canada
    Re: Data Encryption and Privacy -- PGP Issues
    Campaign Against Clipper
    Cantwell Privacy Bill

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy. The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated). Submissions should be
sent to comp-privacy@uwm.edu and administrative requests to
comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu
[129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The
archives are in the directory "pub/comp-privacy". Archives are also held
at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: tenney@netcom.com (Glenn S. Tenney)
Date: Tue, 8 Feb 1994 00:27:39 -0800
Subject: Re: SSN on Payroll Checks

rick@CRICK.SSCTR.BCM.TMC.EDU wrote:

>In my opinion, the appearance of his SSN or his paycheck is one case
>where there should be no question about its use. Since the SSN number
>is the taxpayer ID number, it should appear on the check as a sanity
>check and a verification that his earnings would be reported under the
>correct ID. By the same token, ADP would have to know his SSN since
>they would be reporting his earnings to both the IRS and SSA (as well
>as any local and state agencies) This is also why it is required for
>interest bearing accounts, mortgages and other entities which can
>generate tax events.

Actually, there is NO reason for the SSN to be on the face of the check
-- NO REASON ON EARTH!
On the stub -- yes. But not on the face.

A long time ago when a client had to have me as an employee they
switched to ADP. I could get nowhere with their people about this, so I
just took out my X-Acto knife (sometimes I used scissors) and removed the
SSN from the check. This is perfectly legal since you're not altering
the banking information. It's been a long time since I've gotten a tax
refund, but I did the same thing with IRS refund checks too... (I may
have used permanent felt tip pens..) :-)

Richard's comment above, from someone who seems quite technically sharp,
is indicative of a part of the SSN problem... people just assume it's
necessary. When you read what Richard said, you're bound to say "right,
that's clear", but when you think about it, you should see that it was
missing one fine point... there's always a stub with that check and
that's where the information should go -- along with all of the other
PERSONAL information (deductions for this, deductions for that).

---
Glenn Tenney
tenney@netcom.com
Amateur radio: AA6ER
(415) 574-3420    Fax: (415) 574-0546

[This will be a terminating article in the Social Security Number
string. I am sure that we will recommence this string in a few months
because SSN is an important topic for discussion, but I feel that its
new material has been exhausted at this time. Moderator]

------------------------------

From: poivre@netcom.com (poivre)
Date: Wed, 9 Feb 1994 01:51:48 GMT
Subject: Re: SSN on Payroll Checks
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

Phil Albert (palbert@netcom.com) wrote:
: tcj@netcom.com (Todd Jonz) writes:
: With Great Western (California), you can ask that the service be turned
: off. Kudos to Wells Fargo: they will assign you a PIN for telephone
: inquiries. For either bank, you have to ask.
I have recently called Citibank about my MasterCard and I noticed that
they too have implemented a bot where you just press the last 4 digits
of your SSN to get an automated response on your acct status. Lucky for
me, I got Citibank to put in a password on my acct, replacing my SSN for
phone inquiries. When I first heard that bot, I pressed the last 4
digits of my SSN and it refused to give me access to my acct info. It
asked me to try again, upon which I pressed the last 4 digits of my
password and it let me in!!

I have also replaced my SSN with passwords on my gas card and my other
credit cards. I put one in for my calling card but it doesn't work,
since when I called last time for acct info, the operator didn't ask me
for my password, nor even my SSN. They just wanted my name and card
number. I was rather disappointed!!

So for any of you out there who don't know, you can put a password on
all of your credit cards too.

--
. . . . . . . . . . . . . . . . . . . . . . . . . .
poivre@netcom.com     : #include
lychees@marble.bu.edu : ykliu@mailbox.syr.edu :
. . . . . . . . . . . . . . . . . . . . . . . . . .

[This will be a terminating article in the Social Security Number
string. I am sure that we will recommence this string in a few months
because SSN is an important topic for discussion, but I feel that its
new material has been exhausted at this time. Moderator]

------------------------------

From: rerodd@eos.ncsu.edu (Richard Roda)
Date: Wed, 9 Feb 1994 05:16:11 GMT
Subject: Re: SSN on Payroll Checks
Organization: North Carolina State University, Project Eos

bj@herbison.com (B.J. Herbison) writes:

>Credit reporting bureaus have some protection because they don't
>generate the information, they just `report what they are told'. They
>also have some explicit protection in U.S. Federal law. It is very hard
>to sue a credit agency, although I have heard more talk about trying to
>change this in the last few years.

Probably true.
I bet, however, that an uncooperative bank could be sued on those
grounds because they are generating the information and then using the
credit agency as a publisher.

--
PGP & RIPEM Public keys by mail | rerodd@eos.ncsu.edu (Richard E. Roda)
Disclaimer--------------------------------------------------------------
| The opinions expressed above are those of a green alien who spoke to |
| me in a vision. They do not necessarily represent the views of NCSU  |
| or any other person, dead or alive, or of any entity on Earth.       |
------------------------------------------------------------------------

[This will be a terminating article in the Social Security Number
string. I am sure that we will recommence this string in a few months
because SSN is an important topic for discussion, but I feel that its
new material has been exhausted at this time. Moderator]

------------------------------

From: matyas@scs.carleton.ca (Vaclav Matyas)
Date: Mon, 7 Feb 1994 15:58:25 -0500
Subject: Privacy Acts - Ireland, Iceland
Organization: School of Computer Science, Carleton University, Ottawa, Canada

Does anyone know whether or not Ireland and Iceland have Privacy Acts
(and, if so, what kind, and where to get them in electronic form, if
possible)?

Thanks for any hint.

Vaclav Matyas, Jr.                    E-mail: matyas@scs.carleton.ca
School of Computer Science
Carleton University
1125 Colonel By Drive
Ottawa, Ont. K1S 5B6
CANADA
___________________________________________________
Without a courageous step, we will not move forward.

------------------------------

From: gast@CS.UCLA.EDU (David Gast)
Date: Mon, 7 Feb 94 14:41:23 -0800
Subject: Banks

>close@lunch.asd.sgi.com (Diane Barlow Close) writes:
> Todd Jonz writes:
> I wonder if one can request that this "service" *not* be provided for
> a specified account?
> Yes, and I was instrumental in getting this "service"
> replaced/refined.

Congratulations. I closed my BofA account after I found out about it.
I tried talking to the manager of my branch, but was completely
unsuccessful.

They also have another "service" which does not require an SSN or other
password. Given an account number, they will answer a binary question of
the form "Does the account have $XXX", where the amount is specified by
the user. The user can reissue dollar amounts, in essence providing a
binary search for the balance. They will also provide a "credit" rating.
It would seem to me that if they provide a credit rating, they have to
comply with the laws relating to credit bureaus, but they did not appear
to be.

I changed to Home Fed which had much better privacy rules. They did not
even print the complete account number on ATM receipts. As you may know,
Home Fed went belly up, and various branches were bought by various
financial institutions. Mine was bought by First Interstate which has,
IMHO, a terrible account agreement, at least as far as protecting
account information goes. Essentially, they get the right to disclose
information to just about anyone. I closed my account shortly before it
was to switch to the First Interstate rules.

> Just FYI, I eventually left banking at B of A for other reasons. I
> must say that they did take my security and privacy concerns very
> seriously and it was most rewarding to be involved in the planning and
> implementation of a more secure process.

I suspect they were responding to the $25K of fraud you mentioned rather
than your inherent concerns. They certainly did not care anything about
my concerns.

David

------------------------------

From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Date: Wed, 9 Feb 1994 05:08:38 -0500 (EST)
Subject: Re: Data Encryption and Privacy

Paul Robinson writes:

> In his book "The Puzzle Palace", about the National Security Agency
> [deleted] suggests that the NSA can monitor all voice traffic into and
> out of the US. He also suggests that the NSA is consistently about five
> years ahead of ...
> "state of the art"

[Deleted material]

>I would think it merely prudent, not paranoid, to assume that the NSA
>can and does
>1) monitor all Internet traffic, perhaps even traffic _internal_to_ the
>US; and
> 2) archive it (what's 40 MB a day to people with acres of computers ?);

You haven't read the notice I sent out a while back. I stated that it
has been assumed for years (but we can't really know) that the NSA
captures _everything_ on every news group and list it can discover and
archives it forever.

Some people have been known to put up "NSA Food" in which they put
bad-sounding terms in harmless messages so that some person has to take
time out to read it. They would put a line in a message such as

    Encryption Kill Clipper Chip Clinton Terminate Cocaine Gore RSA PGP
    Assassinate DES Bush

and so on, in order to get a high score on the computer monitoring so
that some person would have to take time out to read the messages
directly.

---
Paul Robinson - Paul@TDR.COM / TDARCOS@MCIMAIL.COM
Voted "Largest Polluter of the (IETF) list" by Randy Bush
-----

------------------------------

From: cmckie@ccs.carleton.ca (Craig McKie)
Date: Thu, 3 Feb 94 20:24:59 EST
Subject: Voice Recognition in Canada

Spy Agency works on eavesdropping device for phones, faxes
New snoop gadget would identify voices carried through air

The Canadian Press
Used on page 1, Ottawa Citizen, Monday January 31, 1994

An elite wing of Canada's spy agency is secretly developing devices that
can monitor and identify voices carried through the air by phone, fax
and radio signals, according to a broadcast report citing government
documents.

The Communications Security Establishment is a super-secret branch of
the Canadian Security Intelligence Service that specializes in gathering
signals intelligence - SIGINT to insiders.
Since 1989, the CSE has awarded three contracts worth $1.1 million to a
Montreal firm to make machines that can quickly isolate key words and
phrases from the millions of signals the CSE monitors each day, CTV
reported Sunday.

In May 1983, the CSE awarded the Centre de Recherche Informatique de
Montreal a contract to develop a "speaker identification system," which
can pick voices from the electronic haze and identify them.

"It's frightening," says Bill Robinson, a researcher with the peace
group, Project Ploughshares. "It has Orwellian potential to sweep through
everybody's conversations. As computers get faster and faster,
theoretically, one would be able to keep records of all conversations."

The CSE is supposed to provide the federal government with foreign
intelligence, but parliamentarians have often voiced concerns about the
agency's potential to violate the privacy of Canadians.

Liberal MP Derek Lee, the head of a Commons committee that oversees
Canada's spy agency, said the CSE is overstepping its mandate. "Have
they been asked, or have they decided for themselves to take on a new
role that requires them to analyse the human voice? And if they have,
they've gone beyond what I think they've told us."

The CSE is accountable to Parliament through the defence minister. But
Defence Minister David Collenette told CTV he was unaware of the CSE's
latest electronic snooping projects. "This is the first I've heard of
this," Collenette said. "It is certainly something I'll discuss with my
officials."

While in Opposition, the Liberals pledged to make the CSE more
accountable.

With a budget of about $250 million and more than 800 employees the CSE
operates out of a building on Heron Road in Confederation Heights
surrounded by a barbed-wire fence. Its work is considered so sensitive
that employees are told not to take commercial flights, in case the
plane is hijacked and they are held hostage.
------------------------------

From: close@lunch.asd.sgi.com (Diane Barlow Close)
Date: 9 Feb 1994 22:08:26 GMT
Subject: Re: Data Encryption and Privacy -- PGP Issues
Organization: Self employed, eh.

Earlier I asked some questions about PGP (and other stuff) and found out
that PGP stood for a really good encryption system. Then someone pointed
out to me that PGP implements the RSA public-key encryption algorithm,
and there is a patent on the use of RSA for digital communication, and
that includes email. I also said if you use PGP to encrypt or sign email
which you then send to someone else, and you have not obtained a license
for use of the patent from the patent holders, you are "infringing" the
patent.

That was followed up with mail from "Tansin A. Darcos & Company"
<0005066432@mcimail.com>, who said that no, I'm wrong and PGP IS freely
available and free to use and its use infringes on nothing:

"Tansin A. Darcos & Company" <0005066432@mcimail.com> writes:

> Late last year, the owners of the 5 patents dealing with RSA
> encryption (PKP Partners, Inc.) made a special arrangement with the
> National Institutes of Science and Technology that in exchange for a
> trade of certain encryption inventions developed by NIST to them, they
> would make the following provisions:
>
> - Individuals using RSA encryption (which would include the methods
> used in PGP) may do so *royalty free* and *without having to obtain a
> license*;

Etc. Rest deleted.

That left me totally confused. Does PGP infringe or doesn't it? Are
there exceptions or aren't there? I wrote to Jim Bidzos asking for
clarification and he basically said that the stuff about PGP being free
and legal was pure fiction. Jim said that PGP is definitely unlicensed
and is considered infringing by the patent holders. He responded
directly to "Tansin A.
Darcos & Company" and cc'd me on the response, asking me to forward this
to any newsgroup or mailing list that might be discussing this issue:

    Date: Tue, 8 Feb 94 16:49:00 PST
    From: jim@RSA.COM (Jim Bidzos)
    Subject: RSA, patents, and pgp
    To: Tansin A. Darcos & Company

    I was sent a copy of statements you made that RSA had made some
    licensing deal with the government, and that somehow this
    legitimized the use of pgp. This is not correct.

    You are probably referring to a Federal Register announcement last
    year in which it was proposed that the govt would get a license to
    use several PKP patents and PKP would license those patents
    uniformly to the private sector. This proposal was for a proposed
    Digital Signature Standard, never mentioned the RSA algorithm, never
    included the RSA patent, never had anything to do with pgp, and was
    never executed anyway.

    Making, using, or selling or distributing pgp, which is unlicensed,
    is considered infringement by the patent holders, who reserve all
    rights and remedies at law. This has been made clear on many
    occasions and in many places, including letters written to
    CompuServe, AOL, and to a large number of universities, all of whom
    now prohibit its use or distribution, as stated in responses to us
    from their counsel.

    There is, however, free and properly licensed source code for
    encryption and authentication using the RSA cryptosystem for
    non-commercial purposes. This software is called RIPEM (for a copy,
    email the author, Mark Riordan at mrr@scss3.cl.msu.edu), and is
    based on free crypto source code called RSAREF (send any message to
    RSAREF@RSA.COM). Further, commercial licenses are available at low
    cost for RIPEM; however, in cases where consumer privacy is the
    application, no-cost commercial licenses have been and are routinely
    granted.

    I hope this clarifies the situation. I think it would be appropriate
    to post this message wherever the erroneous message concerning pgp
    was posted.

******end of message.
--
Diane Barlow Close
close@lunch.asd.sgi.com
I'm at lunch today. :-)

------------------------------

From: Dave Banisar
Date: Mon, 7 Feb 1994 22:28:08 EST
Subject: Campaign Against Clipper
Organization: CPSR Washington Office

Campaign Against Clipper

CPSR ANNOUNCES CAMPAIGN TO OPPOSE CLIPPER PROPOSAL

Embargoed until 2 pm, Monday, February 7, 1994
contact: rotenberg@washofc.cpsr.org (202 544 9240)

Washington, DC -- Following the White House decision on Friday to
endorse a secret surveillance standard for the information highway,
Computer Professionals for Social Responsibility (CPSR) today announced
a national campaign to oppose the government plan.

The Clipper proposal, developed in secret by the National Security
Agency, is a technical standard that will make it easier for government
agents to wiretap the emerging data highway.

Industry groups, professional associations and civil liberties
organizations have expressed almost unanimous opposition to the plan
since it was first proposed in April 1993.

According to Marc Rotenberg, CPSR Washington director, the
Administration made a major blunder with Clipper. "The public does not
like Clipper and will not accept it. This proposal is fatally flawed."

CPSR cited several problems with the Clipper plan:

o The technical standard is subject to misuse and compromise. It would
  provide government agents with copies of the keys that protect
  electronic communications. "It is a nightmare for computer security,"
  said CPSR Policy Analyst Dave Banisar.

o The underlying technology was developed in secret by the NSA, an
  intelligence agency responsible for electronic eavesdropping, not
  privacy protection. Congressional investigations in the 1970s
  disclosed widespread NSA abuses, including the illegal interception of
  millions of cables sent by American citizens.

o Computer security experts question the integrity of the technology.
  Clipper was developed in secret and its specifications are classified.
  CPSR has sued the government seeking public disclosure of the Clipper
  scheme.

o NSA overstepped its legal authority in developing the standard. A 1987
  law explicitly limits the intelligence agency's power to set standards
  for the nation's communications network.

o There is no evidence to support law enforcement's claims that new
  technologies are hampering criminal investigations. CPSR recently
  forced the release of FBI documents that show no such problems.

o The Administration ignored the overwhelming opposition of the general
  public. When the Commerce Department solicited public comments on the
  proposal last fall, hundreds of people opposed the plan while only a
  few expressed support.

CPSR today announced four goals for its campaign to oppose the Clipper
initiative:

o First, to educate the public about the implications of the Clipper
  proposal.

o Second, to encourage people to express their views on the Clipper
  proposal, particularly through the computer network. Toward that goal,
  CPSR has already begun an electronic petition on the Internet computer
  network urging the President to withdraw the Clipper proposal. In less
  than one week, the CPSR campaign has drawn thousands of electronic
  mail messages expressing concern about Clipper. To sign on, email
  clipper.petition@cpsr.org with the message "I oppose clipper" in the
  body of the text.

o Third, to pursue litigation to force the public disclosure of
  documents concerning the Clipper proposal and to test the legality of
  the Department of Commerce's decision to endorse the plan.

o Fourth, to examine alternative approaches to Clipper.

Mr. Rotenberg said "We want the public to understand the full
implications of this plan. Today it is only a few experts and industry
groups that understand the proposal. But the consequences of Clipper
will touch everyone. It will affect medical payments, cable television
service, and everything in between."

CPSR is a membership-based public interest organization.
For more information about CPSR, send email to cpsr@cpsr.org or call
415 322 3778. For more information about Clipper, check the CPSR
Internet library CPSR.ORG. FTP/WAIS/Gopher and listserv access are
available.

------------------------------

From: Steve J White
Date: Mon, 7 Feb 1994 22:24:16 -0600 (CST)
Subject: Cantwell Privacy Bill
Organization: University of Wisconsin-Milwaukee

The Electronic Frontier Foundation needs your help to ensure privacy
rights!

* DISTRIBUTE WIDELY *

Monday, February 7th, 1994

From: Jerry Berman, Executive Director of EFF
jberman@eff.org

Dear Friends of the Electronic Frontier,

I'm writing a personal letter to you because the time has now come for
action. On Friday, February 4, 1994, the Administration announced that
it plans to proceed on every front to make the Clipper Chip encryption
scheme a national standard, and to discourage the development and sale
of alternative powerful encryption technologies. If the government
succeeds in this effort, the resulting blow to individual freedom and
privacy could be immeasurable.

As you know, over the last three years, we at EFF have worked to ensure
freedom and privacy on the Net. Now I'm writing to let you know about
something *you* can do to support freedom and privacy. *Please take a
moment to send e-mail to U.S. Rep. Maria Cantwell (cantwell@eff.org) to
show your support of H.R. 3627, her bill to liberalize export controls
on encryption software.* I believe this bill is critical to empowering
ordinary citizens to use strong encryption, as well as to ensuring that
the U.S. software industry remains competitive in world markets.

Here are some facts about the bill:

Rep. Cantwell introduced H.R. 3627 in the House of Representatives on
November 22, 1993. H.R.
3627 would amend the Export Control Act to move authority over the
export of nonmilitary software with encryption capabilities from the
Secretary of State (where the intelligence community traditionally has
stalled such exports) to the Secretary of Commerce. The bill would also
invalidate the current license requirements for nonmilitary software
containing encryption capabilities, unless there is substantial evidence
that the software will be diverted, modified or re-exported to a
military or terroristic end-use. If this bill is passed, it will greatly
increase the availability of secure software for ordinary citizens.

Currently, software developers do not include strong encryption
capabilities in their products, because the State Department refuses to
license for export any encryption technology that the NSA can't
decipher. Developing two products, one with less secure exportable
encryption, would lead to costly duplication of effort, so even software
developed for sale in this country doesn't offer maximum security. There
is also a legitimate concern that software companies will simply set up
branches outside of this country to avoid the export restrictions,
costing American jobs.

The lack of widespread commercial encryption products means that it will
be very easy for the federal government to set its own standard--the
Clipper Chip standard. As you may know, the government's Clipper Chip
initiative is designed to set an encryption standard where the
government holds the keys to our private conversations. Together with
the Digital Telephony bill, which is aimed at making our telephone and
computer networks "wiretap-friendly," the Clipper Chip marks a dramatic
new effort on the part of the government to prevent us from being able
to engage in truly private conversations.

We've been fighting Clipper Chip and Digital Telephony in the policy
arena and will continue to do so.
But there's another way to fight those initiatives, and that's to make
sure that powerful alternative encryption technologies are in the hands
of any citizen who wants to use them. The government hopes that, by
pushing the Clipper Chip in every way short of explicitly banning
alternative technologies, it can limit your choices for secure
communications.

Here's what you can do:

I urge you to write to Rep. Cantwell today at cantwell@eff.org. In the
Subject header of your message, type "I support HR 3627." In the body of
your message, express your reasons for supporting the bill. EFF will
deliver printouts of all letters to Rep. Cantwell. With a strong showing
of support from the Net community, Rep. Cantwell can tell her colleagues
on Capitol Hill that encryption is not only an industry concern, but
also a grassroots issue. *Again: remember to put "I support HR 3627" in
your Subject header.*

This is the first step in a larger campaign to counter the efforts of
those who would restrict our ability to speak freely and with privacy.
Please stay tuned--we'll continue to inform you of things you can do to
promote the removal of restrictions on encryption.

In the meantime, you can make your voice heard--it's as easy as e-mail.
Write to cantwell@eff.org today.

Sincerely,

Jerry Berman
Executive Director, EFF
jberman@eff.org

P.S. If you want additional information about the Cantwell bill, send
e-mail to cantwell-info@eff.org. To join EFF, write membership@eff.org.
For introductory info about EFF, send any message to info@eff.org.

The text of the Cantwell bill can be found on the Internet with any of
the following URLs (Universal Resource Locators):

ftp://ftp.eff.org/pub/Policy/Legislation/cantwell.bill
http://www.eff.org/ftp/EFF/Policy/Legislation/cantwell.bill
gopher://gopher.eff.org/00/EFF/legislation/cantwell.bill

It will be available on AOL (keyword EFF) and CIS (go EFFSIG) soon.
------------------------------

End of Computer Privacy Digest V4 #028
******************************