|
PRIVACY Forum Archive Document
|
PRIVACY Forum Digest Tuesday, 25 August 1992 Volume 01 : Issue 14
Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.
===== PRIVACY FORUM =====
The PRIVACY Forum digest is supported in part by the
ACM Committee on Computers and Public Policy.
CONTENTS
Cincinnati Bell CLASS tariff (David A. Banisar)
Selling customer lists (Jerome H. Saltzer)
Direct Mail Marketers to get access to CA DMV records
(Bruce R. Koball)
Wells Fargo Bank changes customer security system
(Moderator--Lauren Weinstein)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines. Submissions without appropriate and relevant
"Subject:" lines may be ignored. Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com". Mailing list problems should be
reported to "list-maint@cv.vortex.com". All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com/",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.
For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------
VOLUME 01, ISSUE 14
Quote for the day:
"I was cured all right."
-- Alex
"A Clockwork Orange" (1971)
----------------------------------------------------------------------
Date: Sun, 23 Aug 1992 13:10:09 -0400
From: David A. Banisar <Banisar@.cpsr.org>
Subject: Cincinnati Bell CLASS tariff
--- Original message below ---
From: Rohan Samarajiva <rsamaraj@magnus.acs.ohio-state.edu>
Cincinnati Bell Telephone, a large non-RBOC telephone company,
has filed a request before the Public Utilities Commission of
Ohio to offer seven CLASS services, including the controversial
Caller ID and Call Return services. CBT had been holding off
on the latter services until the commission formulated policies
regarding blocking. Interestingly, CBT appears to have gone further
than the final PUCO ruling on the blocking of number delivery.
Customers will be offered per-call and per-line number delivery
blocking. Per-line blocking will be offered free to customers
with non-published numbers (23% of CBT's customers). Others can
obtain per-line blocking for $1.60 per month. From the material
issued by the company (not the formal tariff), it appears that
customers who want per-line blocking will have to ask for the service
(even unpub. customers). This falls short of the default per-line
blocking for unpub. customers that was the key element of the
Ohio Hearing Examiner in the Ohio Bell case. Concerns regarding
the use of Call Retrun to discover the numbers of calling parties
who had blocked number delivery do not appear to have been addressed.
------------------------------
Date: Mon, 24 Aug 92 18:48:33 EDT
From: Jerome H Saltzer <Saltzer@MIT.EDU>
Subject: Selling customer lists [Subject field supplied by Moderator]
In Volume 01, Issue 08, Lauren asks for personal experiences that relate
to privacy and Willis Ware talks about "data puddles" accumulated in the
course of doing business that are protected, at best, by unspecified
business ethics. Last week I ran across something that covers both.
A local video rental store went belly-up, and the contents of the store
were put up for auction. About 100 people, some being dealers looking
for inventory and others being private parties hoping to cheaply enhance
their personal videotape library, showed up to check it out. In addition
to some 2400 used videotapes in 50 lots, there were a few rental VCR's, a
small computer system, and the really choice item, lot 53, a two-drawer
filecard cabinet labeled "mailing list". This turned out to contain one
file card per customer, with name, address, place of work and
originally-presented ID on the front, and on the back a list of the names
of all the videotapes that customer had rented.
I asked the auctioneer whether there he saw any problem in selling that
lot, and he replied that it was common in business auctions to sell
customer lists.
Exactly how the new federal law prohibiting disclosure of videotape
rental records applies to this situation is not at all clear. But it
seems safe to say that business ethics can't be very effective in
protecting data when the business vanishes.
Jerry Saltzer
------------------------------
Date: Mon, 24 Aug 1992 16:35:04 -0700
From: Bruce R Koball <bkoball@well.sf.ca.us>
Subject: Direct Mail Marketers to get access to CA DMV records
Apparently an interesting piece of legislation in the California
State Legislature has slipped by the scrutiny of privacy
advocates. AB 2543, sponsored by Assemblyman Ross Johnson (R)
opens up access to CA state DMV records for the purposes of
direct mail marketing.
Many folks will remember that the murder of actress Rebecca
Schaeffer (sp?), by a deranged fan who obtained her home address
from DMV records via a private detective, prompted the DMV to
restrict access to their database.
This did not please direct mail marketing firms, for whom the DMV
database was a major information source. They have apparently
successfully lobbied to be included in the select group of people
(see below) who are still entitled to access these records.
Because this bill ostensibly has no fiscal impact (from the
state's viewpoint) it was able to take a fast track through the
legislature, slipping by virtually unnoticed, and now sits on the
Governor's desk, awaiting his signature.
Although records in the state legislature's computer show no
recorded opposition to the bill, the DMV's public information
office claims that they are on record as opposing it on privacy
grounds.
The bill's sponsors and supporters have attempted to address
concerns about confidentiality of DMV records by restricting
access and use, but privacy advocates point out that there are
serious secondary use issues here as well. They maintain that
information collected for one purpose should not be used for
another purpose without the consent of the data subject.
The legislative analysis follows:
==========
AB 2543
Ross Johnson (R)
SUBJECT: Department of Motor Vehicles: access to records
SOURCE: Author
DIGEST: This bill provides that the Department of Motor Vehicles'
records be accessible for the purposes of direct mail marketing,
under specified circumstances.
Senate Floor Amendments of 8/13/92 specify information that may
be sold.
ANALYSIS: Existing law provides that residence addresses in the
Department of Motor Vehicles (DMV) records are confidential and
shall not be disclosed except to a court, law enforcement agency,
governmental agency, financial institutional, or insurance
company, attorney, and vehicle manufacturer or dealer, with
specified restrictions and limitations. Existing law authorizes
DMV to limit release of mailing addresses, except to the above
listed parties, for purposes relating to the reasons for which
the information was collected. It also authorizes the release of
mailing addresses to persons who have obtained a "requester
code", as specified, from DMV.
This bill would require the DMV to allow access and release of a
residence address or mailing address, or both, if the name of the
individual whose address was released was maintained confidential
and not disclosed to any person, and if the address could not be
directly linked to any specific vehicle license plate number. The
DMV would be allowed to charge a fee for its service to fully
recover its cost.
The bill would also revise the definition of commercial use to
specifically include direct mail advertising. In addition, the
bill would provide that access to the department's electronic
data base would include both the access and release of a
residence address of mailing address, or both, if the name of the
individual whose address was released was maintained confidential
and not disclosed to any person and if the address could not be
directly linked to any specific vehicle license plate number.
The bill specifies that information from the department's records
that may be inspected, accessed, released or sold includes, but
is not limited to information relating to driver's licenses,
certificates of ownership and registration cards.
The purpose of this bill is to provide to DMV records to direct
mail services.
Background
AS 1779 (Roos) Chapter 1213, Statutes of 1989, created the
residence address confidentiality provision. Prior to that bill,
the entire DMV data base was sold to the R.L. Polk Company for
over $2 million. The Polk Company then tailored information from
the data base for a variety of customers. Since 1990, DMV records
have been inaccessible to direct mail marketers.
In 1990, SB 2068 (Doolittle) attempted to address the problems
that have arisen due to the implementation ofexisting law by the
DMV. That bill was held in the Assembly Transportation Committee.
Prior Legislation
SB 2068 (Doolittle - 1990), passed the Senate 37-0, held in
Assembly Transportation Committee.
FISCAL EFFECT: Appropriation: NO / Fiscal Committee: Yes / Local:
No
SUPPORT: (Verified 8/13/92)
R.L. Polk
Seal Press, Inc.
Moe's Direct Marketing
Mailmark
Direct Marketing Service
Jart Direct Mail Services
ARCO
California Newspaper Publishers Association
ARGUMENTS IN SUPPORT: According to the proponents of the bill,
problems have arisen due to the implementation of existing law
by the DMV. Direct marketers would like to have access to DMV
records, but recognize the need for appropriate safeguards for
confidentiality on personal information.
------------------------------
Date: Mon, 24 Aug 92 19:42 PDT
From: lauren@cv.vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Wells Fargo Bank changes customer security system
Greetings. In a previous issue of the digest, I reported how Wells Fargo
Bank, a major California institution, had rather quietly started allowing
customers to optionally specify "code words" before they could access their
account balances, etc. via live operators (you could not use their
automated system for such purposes if you chose to make use of this
additional security). The automated system simply required entry of account
number and some other easily obtained information (I believe it was zip
code).
Wells has now changed this policy. They have now converted to an automated
attendant system which answers all calls (though you can still get to a
human if you enter the correct commands). Persons who request additional
security must now select a three digit code which is then required for both
live calls and automated account access. The old "code words" are no longer
supported. Supposedly the system will "lock out" if the code number is
incorrect three times in a row, and then they will go through some procedure
involving a live operator (which they declined to detail) to verify the user.
Of some concern is other information that is now available via the automated
system. Apparently anybody can now call, enter any account number and an
amount, and be told whether or not that amount of funds is available in the
specified account. With a relatively few calls, it would be possible to
pretty well range in on the amount in any account using this system. When I
questioned them about the wisdom of allowing this information to be
available in an automated manner with absolutely no security or tracking of
any kind, they replied that since federal regulations allow it, they're
doing it.
So, it seems we have the good and the bad to report (no doubt the ugly will
show up shortly...) On the positive side, Wells is to be applauded for the
PIN system now available for controlling access to account detail
information and transactions. On the negative front, the uncontrolled,
automated access to a "go" or "no-go" response for any amount on any account
is decidedly unfortunate.
Comments regarding Wells Fargo's automated systems should be sent to:
Clyde Ostler
Vice Chairman
Wells Fargo Bank
P.O. Box 63710
San Francisco, CA 94163-1036
(This is the name specifically given to me by Wells Fargo customer service
supervisors.)
--Lauren--
------------------------------
End of PRIVACY Forum Digest 01.14
************************
Copyright © 2005 Vortex Technology. All Rights Reserved.