PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page


PRIVACY Forum Digest     Thursday, 18 March 1993     Volume 02 : Issue 09

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
        
                     ===== PRIVACY FORUM =====

          The PRIVACY Forum digest is supported in part by the 
              ACM Committee on Computers and Public Policy.


CONTENTS
        Should the information industry be consentual? (Bob Leone)
        Reverse directory/Sears/Radio Shack (Arthur Rubin)
        Re: Credit Card Validation (Chris Hibbert)
        Use of Medical Clearing House (Jack Decker)
        No anonymity for Canon copiers? (Brad Mears)
        Re: Cashiers and telephone numbers (Chuck Stern)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com/",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "cv.vortex.com/".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 09

   Quote for the day:

        "I detest life-insurance agents; they always argue that
         I shall some day die, which is not so."

                                        -- Stephen Leacock (1869-1944)
                                           "Literary Lapses" (1910)
                                            (Insurance up to Date)

----------------------------------------------------------------------

Date:    Sat, 13 Mar 1993 11:29:08 -0500
From:    Bob Leone <leone@gandalf.ssw.com>
Subject: Should the information industry be consentual?

Pete Kaiser writes:
    @Experience shows that in the business of accumulating and exchanging
    databases about personal information there is a high rate of corruption, of
    both data [1] and individuals [2].  Moreover, there are plenty of obvious
    cases where the free flow of accurate information is unwise, inhumane, or
    illegal [3].

Just to give some more extreme examples: if someone was allowed to compile
data using "employer" as the selection criteria, I'm sure you can imagine
the results of a list of names, home addresses, and car license numbers of
employees of

     1) Fur makers going to PETA and the Animal Liberation Front
     2) IRS going to extremist Tax Protest groups
     3) BATF going to members of the Waco, Texas "Branch Davidian" group
     4) Smith & Wesson going to Handgun Control Inc
     5) Handgun Control Inc going to NRA
     6) Strikebraker employees of whatever going to union goon squads

I'm sure you all get the picture at this point. Just about everyone either
works for someone, shops somewhere, or subscribes to some periodical which
might make him or her the target of harassment (or worse) from some group,
somewhere.

Just because we haven't seen it yet, doesn't mean it won't start happening
eventually as groups become more familiar with how to get data.

Bob Leone

------------------------------

Date:    Mon, 15 Mar 93 07:33:36 PST 
From:    a_rubin@dsg4.dse.beckman.com (arthur rubin)
Subject: reverse directory/Sears/Radio Shack

In PRIVACY Forum Digest 02:08, joep@jaguar.informix.com (Joseph Pearl) writes:

>I was at Sears with my wife, returning something, when the cashier
>asked what our phone number was.  Without thinking, my wife told the
>cashier (one of those rough days where the brain shuts down after
>6pm).  The cashier then recited our name and address and asked if it
>was correct.

Radio Shack (used to) "require" a phone number for any purchase.  If you
told the clerk that you didn't want to give a phone number, the store
manager would (usually) allow a cash purchase to complete.  (From my own
personal experience and reports on comp.dcom.telecom, before this list was
created.)

The moderator comments:

          A comment: I would suggest that it is never a good idea
          to use a fictitious phone number in response to a clerk's
          query.  Doing so simply risks dragging some other person,
          who might have that number, into the situation.  If the clerk
          insists on a number, and you don't want to give it, ask
          for the manager, or consider doing business elsewhere. 

You might give the 900 number you got on your last "you have won a free
prize" postcard. :-)  More promising, you might give your work number, the
number of the local Attorney General's office (it is illegal to ask for a
phone number under many circumstances here in California), or some other
approriate number which you don't mind publishing.

------------------------------

Date:    Mon, 15 Mar 93 10:10:36 -0800
From:    Chris Hibbert <hibbert@memex.com>
Subject: Re: Credit Card Validation

Brint Cooper <abc@BRL.MIL> is worried because Citibank is asking him to
supply extra information, which they say they will use to verify his
identity if he tries to call them on the phone.  He isn't sure whether
they'll protect the info, or if it might leak into other uses.

The list they ask for includes:


        Name
        Acccount #
        Address
        Date of Birth
        Social Security Number (you were surprised, maybe?)
        Mother's Maiden Name (My hospital asks for this one, too.)
        Business and home phones
        Other Diner's accounts to which this info applies.

My response to this would be to give them a set of information that would be
useless to them, but which you can reproduce when they ask, even if you've
lost your wallet.  They ask for Mother's Maiden name because they think
that's such an item.  There would be no purpose in cross-matching that with
another database, and I always treat such requests as a request for a
password, realizing that they'll prompt for the password by asking for your
Mother's Maiden name.  They don't care at all what answer you give as long
as you can reproduce it.  I might give them my favorite color, or the name
of one of my hobbies.  If their db has lots of room, I might even ask them
to store e.g. "color: blue" in the field so I could ask for the first word
as a prompt to remind me which category I'd used with them.

Similarly, I would treat it as a wonderful opportunity if my credit card
company asked for an SSN and said (as Citibank seems to have) that they were
only going to use it to identify me if I called on the phone.  They have no
reason to report the number to anyone else, so I would give them one of the
many numbers I know that don't seem to be in use by anyone.  (I give one in
my SSN FAQ, but I have a collection of others that have appeared in various
books (as part of a student prank that involved registering a pet dog as a
student at the university) or in movies (as visual evidence that a character
had created several false personas).  What an opportunity!

Chris

------------------------------

Date: Wed, 10 Mar 93 09:30:43 EST
From: ac388@freenet.hsc.colorado.edu (Jack Decker)
Subject: Use of Medical Clearing House

The following message first appeared in a Fidonet conference called
ADAJOBS (I got it via the EMPLOYMENT conference on BIZynet, a
Fidonet-technology business-oriented network).  The risks of the use of
such a database as the one described below should be obvious (how does one
know if they were denied employment because of information contained in
this database?  For that matter, how does one even know if the information
contained in the database is accurate?).  Any replies should probably go
to the original author (Herbert Mansmann at Fidonet address 1:273/201,
which is herbert.mansmann@f201.n273.z1.fidonet.org in Internet notation):

=====================================================================
* Forwarded by Chris Gunn (1:202/1008)
* Area : ADAJOBS (ADAnet - Job Hunting When Disabled)
* From : Herbert Mansmann, 1:273/201 (08 Mar 93 10:55)
* To   : All
* Subj : USE OF MEDICAL CLEARING HOUSE
=====================================================================
I have been told by several personnel recruiters that something known as
the Medical Clearing House exists for companies or other employers to check
on person's medical expenses before hiring them, similar to a credit check.
This information is kept in regional databases and is accessible over the
phone to high level employee relations personnel at major corporations
only. Supposedly it is illegal to release this information to unauthorized
users, but it is being done routinely for high medical expense individuals
since the penalties are few, the savings can be substantial, and the
enforcement of the laws against this are lax.  Our daughter has Cystic
Fibrosis which has very high medical costs associated over many years.  We
believe this information and information about other medical conditions
that do not interfere with someone's ability to work is being sold to avoid
medical costs.  Since over two thirds of the employers now self-insure
instead of utilizing a real insurance company, they are motivated to
eliminate these costs.  If you have any information about this practice,
please respond on E-mail or anonymously to Herbert Mansmann, 224 Swedesford
Rd., Malvern, PA 19355.  It is important to get this subject out in the
open and to include it in healthcare reform. Thanks. Feel free to call
(215)647-3698.

--- TMail v1.31.3
 * Origin: U.S. Telematics, Yardley PA (215)493-5242 (1:273/201)

Jack Decker | Internet: ac388@freenet.hsc.colorado.edu
Fidonet: 1:154/8 or jack.decker@f8.n154.z1.fidonet.org
Note: Mail to the Fidonet address has been known to bounce. :-(

------------------------------

Date: Tue, 16 Mar 1993 14:17:53 -0600 (CST)
From: bmears@gothamcity.jsc.nasa.gov (Brad Mears [I-Net])
Subject: No anonymity for Canon copiers?

The most recent issue of Popular Science had a small sidebar concerning new
copier technologies that are being used to combat counterfeiting.  According
to Canon, their new color copiers include two mechanisms to prevent people
from copying currency.

The first is rather innocuous - the copier can recognize many different
currencies and will print a blank image rather than a fake bill.  No obvious
risks here.

The second mechanism is a bit more threatening.  According to the story, 
which I quote without permission -

    "Each copier embeds a code into the copied image, which is
     impossible to see.  A special scanner extracts the code and
     a computer program then furnishes the copier's serial number,
     allowing identification of the registered purchaser of the
     machine."

As a means to combat counterfeiters this may be very useful.  Unfortunately,
it is also useful for tracking down people who report government waste,
publishers of underground newsletters, and others who may have a legitimate
need to remain anonymous.  Plus, it seems a bit too much like the Eastern bloc
countries who used to require registration of typewriters.

Brad Mears  bmears@gothamcity.jsc.nasa.gov

        [ This item was reposted from the RISKS Digest -- MODERATOR ]

------------------------------

Date:    Thu, 18 Mar 1993 15:42:05 -0500
From:    cstern@novus.com (Chuck Stern)
Subject: Re: Cashiers and telephone numbers

>    [ ...
>      Keep in mind that in most cases you're simply dealing with    
>      a clerk who has a specific set of information he has
>      been instructed to get and may not realize that not everyone
>      is willing to provide a number.  However, in almost all cases,
>      when faced with a choice of not getting the number or losing
>      the sale, the clerk will opt for the former. -- MODERATOR ]

This is not strictly true, oh Esteemed Moderator.  A clerk in a Radio Shack
store here in the Boston area refused to make a credit card sale to me when
I refused to give my telephone number and address.  The sale, by the way, 
was to be for $23.50 or some such price.  One angry (collect) call to Tandy
corporate headquarters got the matter straightened out - they were
violating Commonwealth of Mass. laws by even asking - but I haven't
darkened the doors of another Radio Shack since, nor will I ever again.

More anecdotal evidence from...
cstern@novus.com

       [ Well, as I said, in almost all cases a salesperson will opt for
         the sale... but there's always the exception.  Typically you're
         dealing with an overzealous employee, not company policy in a
         situation such as you describe.  It's interesting to note that the
         changes in the laws (in some states) making it illegal to ask for a
         phone number as a requirement for credit card purchases are
         relatively recent in most cases.  In the past some credit card
         companies strongly suggested that a phone number be obtained for
         all orders and written on the charge slips.  Not everyone in all
         affected areas has gotten the word about changes, apparently.

         As for anecdotes, in my own experience, I've never had a
         salesperson refuse me a purchase, regardless of whether or not I
         provided a phone number when asked.  Of course, my Harley-Davidson
         clothing motif probably doesn't hurt in such situations!

                                                        -- MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 02.09
************************


PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.