PRIVACY Forum Digest     Friday, 26 March 1993     Volume 02 : Issue 10

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
        
                     ===== PRIVACY FORUM =====

          The PRIVACY Forum digest is supported in part by the 
              ACM Committee on Computers and Public Policy.


CONTENTS
        Medical Clearing House (Jerry Leichter)
        Re: Medical Clearing House (John R. Levine)
        Protecting your privacy -- ID info and credit-card agreements
           (Alan Wexelblat)
        Preventing Electromagnetic Eavesdropping (Grady Ward)
        Documented Cases of SSN Abuse Wanted (Steve Schlesinger)
        Individual Privacy Protection Act of 1993 (Juan Osuna)
        CPSR Wins SSN Privacy Case (Marc Rotenberg)
        Intrusion Detection Workshop (Teresa Lunt)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com/",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "cv.vortex.com/".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 10

   Quote for the day:

        "I wasn't kissing her, I was just whispering in her mouth."

                                -- Chico Marx (1891-1961)

----------------------------------------------------------------------

Date:    Fri, 19 Mar 93 18:07:45 EDT
From:    Jerry Leichter <leichter@lrw.com>
Subject: Medical Clearing House

Jack Decker forwarded to a recent PRIVACY Digest an article about a
clearinghouse of medical information and its possible use by employers to
avoid hiring people with large medical expenses.

There is, indeed, a massive but little-known central clearinghouse of medical
data.  It was organized and run by the medical insurers for the purpose of
controlling fraud.  If you consider the amount of information that you give
your medical insurance company when you file a claim - all of which is likely
to get forwarded to the clearinghouse - the amount of very personal
information the clearinghouse has on virtually every person in the United
States is staggering.

Normally, this kind of cooperative record sharing would be considered a
violation of the antitrust laws.  However, the insurance industry has an
exemption from those laws for the purpose of controlling fraud.

The records involved are not credit records and do not, as far as I know, fall
under any of the laws allowing you access to your own files.  As far as I
know, neither the clearinghouse nor your insurer is obligated to show you
your records, much less allow you to enter explanations (as you can do with
your credit records); and I don't believe that, in general, they will actually
do either voluntarily.

As the article points out, two-thirds of all employers now self-insure for
their employees' medical policies.  It would not surprise me if this entitled
them to access the clearinghouse.  (Such policies are typically administered
by a traditional insurance company; I'd bet that they provide access to the
clearinghouse as part of their administrative services.)

Until recently, I don't believe there was anything illegal in an employer
refusing to make a job offer based on anticipated medical costs.  (In at
least one case I know of, someone was extended a job offer, then told on his
first day that the medical insurance would not cover his pre-existing
condition, which required expensive treatment.  The person involved walked out of
the room, never to return.  As far as he was concerned, he might as well have
been refused the job.)  Under ADA (Americans with Disabilities Act), this has
almost certainly changed - at least when the issue is the prospective
employee's medical condition.  I have my doubts whether ADA would have any
applicability if the issue were a family member's medical condition.

By the way, employers in many states have banded together to create databases
of employees who have made large work-related disability claims.  Since such
injuries are covered through a separate insurance pool, and an employer's
contributions to the pool are based on his history of employee claims, it is
in an employer's interest not to hire people who will "run up his bill".
Again, this practice was apparently legal before ADA.  Whether it would fall
under ADA is a tougher call.
                                                        -- Jerry

------------------------------

Date:    19 Mar 93 22:25:16 EST (Fri)
From:    johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: Re: Medical Clearing House

I've never heard of the Medical Clearing House, but he may actually be
referring to the Medical Information Bureau, a long-standing cooperative
venture by insurance companies.  It exchanges medical info, primarily to
avoid losses due to people who apply for insurance and don't disclose
pre-existing conditions.  I've heard that MIB data is also used for a lot
of less savory things, but I have no hard info either way.

Anyone can ask for a copy of his MIB record; call +1 617 426 3660 and
leave your name and address on the machine; they'll send you a form to
request a copy of your record.

When I sent in the form a month or so ago, they wrote back and claimed
they'd never heard of me.  I don't believe it.  When I applied for my
current insurance about five years ago, they asked for five years of
medical history.  After I sent in my list, they wrote back with a few more
minor history items that I'd honestly forgotten, and the insurance company
went ahead to issue the policy.  I'm certain they got those history items
from the MIB, so they certainly had a file on me then.


On an unrelated and probably less interesting note:

>A clerk in a Radio Shack store here in the Boston area refused to make a
>credit card sale to me when I refused to give my telephone number and
>address.

I've never had any trouble at the Harvard Square store.  My answer to the
telephone question is "don't have one."  So they don't believe me.  Tough.

John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl

------------------------------

Date:    Sat, 20 Mar 93 16:52:34 -0500
From:    "Alan (Gesture Man) Wexelblat" <wex@media.mit.edu>
Subject: Protecting your privacy -- ID info and credit-card agreements

Two topics from recent digests:

When asked for "identifying" information which is probably going to be used
to compile marketing databases, I cheerfully supply wrong information.  I
make it as bogus and outlandish as I feel that day.  This can be fun when
filling out "surveys" for product-reg cards, while on airlines, etc.  I once
told American Airlines I was a 55-year-old Eskimo woman whose income this
year was $5000 but that was a $50,000 increase from last year.

The idea is to seed their databases with useless information.  The reason
this stuff is compiled is so that they can do targeted marketing -- i.e.,
increase the efficiency of mailings, etc.  The more bogus entries are in the
database, the less efficient and less profitable these marketing schemes
will be.  If it becomes un-profitable enough, they'll give it up.

So I urge you all to have fun with these things.  Make them waste their
money.  Register things to your pets.  Create companies and sign them up for
stuff.  The neat thing about this strategy is that it works best when only a
few people (say 10% of the population) are doing it.  If everyone did it, it
would pay them to spend the money to verify entries.  What I want to do is
just make it unprofitable enough that they'll give up and go away.

Now, on the issue of additional information required with a credit-card
purchase.  When I worked for <a major company in Mass> we had a visitor from
VISA who explained that we were never to:
        a) provide additional information with our card numbers.  It is a
           violation of the merchant's agreement with VISA if they ask for
           more information.

        b) sign a charge slip without the final balance being entered on the
           slip.  Merchants can put in a "hold" if they want to be sure you
           don't overrun your limit.  But once you sign a slip you're
           obliged by your agreement (with VISA anyway) to pay whatever
           amount eventually ends up on the slip.  Fortunately, most hotels
           have stopped asking me to sign blank slips so I rarely have this
           problem these days.

--Alan Wexelblat, Reality Hacker and Cyberspace Bard
Media Lab - Advanced Human Interface Group      wex@media.mit.edu
Voice: 617-258-9168, Pager: 617-945-1842        wexelblat.chi@xerox.com
There is nothing so regretted as a missed opportunity.

------------------------------

Date:    Mon, 22 Mar 93 19:51:23 PST
From:    grady@public.btr.com (Grady Ward)
Subject: Preventing Electromagnetic Eavesdropping

Eavesdropping on personal computers is not limited to looking over the
shoulder of the operator or physically tapping in to an Ethernet cable.
U.S. Government standards relating to the prevention of information capture
via the emission of electromagnetic radiation from computers and peripherals
are known as TEMPEST.  However, actual TEMPEST specifications are classified.
 
TEMPEST aside, there are inexpensive and easily applied means for
individuals to minimize unintentional emissions from equipment.  My document,
"Preventing Electromagnetic Eavesdropping," discusses these techniques.
 
    [ The document described above (~15K bytes uncompressed) has
      been placed into the PRIVACY Forum archives.  You can obtain it:

                -- Via anon FTP from site "cv.vortex.com/" as:

                        /privacy/prevent-eme.Z  (compressed; binary mode)
                        /privacy/prevent-eme    (uncompressed)

                -- Via the "cv.vortex.com/" listserv system by sending
                   an e-mail message to:

                        listserv@cv.vortex.com

                   with the first text in the BODY of the message 
                   consisting of:

                        get privacy prevent-eme

                -- Through the Internet Gopher system via the gopher
                   server on "cv.vortex.com/" in the "*** PRIVACY Forum ***" 
                   section (and via linked gopher servers).
                                                            -- MODERATOR ]

------------------------------

Date:    Tue, 23 Mar 93 16:23:45 PST
From:    Steve Schlesinger 3711 <steves@sv012.torreypinesca.NCR.COM>
Subject: Documented Cases of SSN Abuse Wanted

I am collecting documented cases of people being somehow harmed
by their Social Security Number falling into the hands of some
wrongdoer.

Please email them to me.  I will post the collection or otherwise
make it available.

Thanks -
steve

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 Disclaimer - This request is personal and has nothing to do with NCR or AT&T
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

===============================================================================
Steve Schlesinger, NCR/Torrey Pines Development Center             619-597-3711
11010 Torreyana Rd, San Diego, CA 92121                   ucsd.edu!sv001!steves
                                        steve.schlesinger@TorreyPinesCA.ncr.com
===============================================================================

------------------------------

Date:    Wed, 24 Mar 93 12:20:02 -0500
From:    josuna@cs.UMD.EDU (Juan Osuna)
Subject: Individual Privacy Protection Act of 1993

I am working on an article about the idea of establishing a federal privacy
protection board. This idea has been floating around Congress for many
years, and this year another bill has been introduced, called the Individual
Privacy Protection Act of 1993.

The act would create a five-member board (appointed by the president and
approved by the Senate) to study the computerized information systems of
government and industry and to recommend legislative or administrative
action.

The board would hold hearings, subpoena witnesses and documents, and issue 
reports. 

I have been told by Congressional staffers that the bill will likely undergo 
revision before being considered by a committee.

Privacy advocates often base arguments on what could happen rather than on
what does happen. And even when an invasion of privacy is shown, it is
difficult to quantify or prove actual damage.  I think this presents a
problem for legislators, who need to show their constituents concrete, not
abstract reasons for legislation.

I am writing an article and would like to hear comments on such a proposal.
Can anyone provide me with concrete examples where someone was physically,
emotionally or financially harmed as a result of new technologies eroding
their privacy rights?

Public and private comments are welcome. I will guarantee anonymity upon
your request.
 
---------------------------------------------------------------------------
Juan Antonio Osuna, Computing Research News       E-mail: josuna@cs.umd.edu
1875 Connecticut Ave. NW, Suite 718                      Ph: (202) 234-2111
Washington, D.C. 20009                                  Fax: (202) 667-1066
---------------------------------------------------------------------------

        [ Such a board has been proposed before, and has reached various
          legislative levels in the past.  I have conceptually supported
          this idea for a long time--but making sure it's done properly is
          no simple task, to say the least.  The privacy issues involved
          cover a wide range of both "public" and "private" organizations.
          The tendency of many organizations is to take the view that
          "hardly anyone complains about privacy matters, so why should we
          bother changing anything?"  Most individuals also take much the
          same tack, until something happens to them ... -- MODERATOR ]

------------------------------

Date:    Fri, 26 Mar 1993 17:03:43 EST
From:    Marc Rotenberg <Marc_Rotenberg@washofc.cpsr.org>
Subject: CPSR Wins SSN Privacy Case

PRESS RELEASE

March 26, 1993

"FEDERAL APPEALS COURT UPHOLDS PRIVACY:
USE OF SOCIAL SECURITY NUMBER LIMITED
                  - - - -
CPSR Expresses Support for Decision"

A federal court of appeals has ruled that Virginia's divulgence of the
Social Security numbers of registered voters violates the Constitution.  The
Court said that Virginia's registration scheme places an "intolerable
burden" on the right to vote.

        The result comes nearly two years after Marc Greidinger, a resident
of Falmouth, Virginia, first tried to register to vote.  Mr. Greidinger said
that he found it nearly impossible to obtain a driver's license, open
accounts with local utilities or even rent a video without encountering
demands for his Social Security number.

        Mr. Greidinger told the New York Times this week that when the State
of Virginia refused to register him as a voter unless he provided his Social
Security number he decided to take action.  He brought suit against the
state, and argued that Virginia should stop publishing the Social Security
numbers of voters.

        This week a federal appeals court in Richmond, Virginia ruled that
the state's practice constituted "a profound invasion of privacy" and
emphasized the "egregiousness of the harm" that could result from
dissemination of an individual's SSN.

        Computer Professionals for Social Responsibility (CPSR), a national
membership organization of professionals in the computing field, joined with
Mr. Greidinger in the effort to change the Virginia system.  CPSR, which
had testified before the U.S. Congress and the state legislature in Virginia
about growing problems with the misuse of the SSN, provided both technical
and legal support to Mr. Greidinger.  CPSR also worked with Paul Wolfson of
the Public Citizen Litigation Group, who argued the case for Mr. Greidinger.

        In an amicus brief filed with the court, CPSR noted the
long-standing interest of the computing profession in the design of safe
information systems and the particular concerns about the misuse of the
SSN.  The CPSR brief traced the history of the SSN provisions in the 1974
Privacy Act.  The brief also described how the widespread use of SSNs had
led to a proliferation of banking and credit crime and how SSNs were used to
fraudulently obtain credit records and federal benefits.

        CPSR argued that the privacy risk created by Virginia's collection
and disclosure of Social Security numbers was unnecessary and that other
procedures could address the State's concerns about records management.

        This week the court of appeals ruled that the state of Virginia must
discontinue the publication of the Social Security numbers of registered
voters.  The court noted that when Congress passed the Privacy Act of 1974
to restrict the use of the Social Security number, the misuse of the SSN was
"one of the most serious manifestations of privacy concerns in the Nation."

    The Court then said that since 1974, concerns about SSN confidentiality
have "become significantly more compelling. For example, armed with one's
SSN, an unscrupulous individual could obtain a person's welfare benefits, or
Social Security benefits, order new checks at a new address, obtain credit
cards, or even obtain the person's paycheck."

        The Court said that Virginia's voter registration scheme would
"compel a would-be voter in Virginia to consent to the possibility of a
profound invasion of privacy when exercising the fundamental right to vote."

        The Court held that Virginia must either stop collecting the SSN or
stop publicly disclosing it.

        Marc Rotenberg, director of the CPSR Washington office, said, "We are
extremely pleased with the Court's decision.  It is a remarkable case, and a
real tribute to Marc Greidinger's efforts.  Still, there are many concerns
remaining about the misuse of the Social Security number.  We would like to
see public and private organizations find other forms of identification for
their computing systems.  As the federal court made clear, there are real
risks in the misuse of the Social Security number."

        Mr. Rotenberg also said that he hoped the White House task force
currently studying plans for a national health care claims payment system
would develop an identification scheme that did not rely on the Social
Security Number.  "The privacy concerns with medical records are
particularly acute.  It would be a serious design error to use the SSN,"
said Mr. Rotenberg.

        Cable News Network (CNN) will run a special segment on the Social
Security number and the significance of the Greidinger case on Sunday
evening, March 28, 1993.  The Court's opinion is available from the CPSR
Internet Library via Gopher/ftp/WAIS.  The file name is
"cpsr/ssn/greidinger_opinion.txt".  The CPSR amicus brief is available as
"cpsr/ssn/greidinger_brief.txt".

        CPSR is a national membership organization, based in Palo Alto,
California.  CPSR conducts many activities to protect privacy and civil
liberties.  Membership is open to the public and support is welcome.  For
more information about CPSR, please contact CPSR, P.O. Box 717, Palo Alto,
CA 94302, call 415/322-3778 or email cpsr@csli.stanford.edu.

------------------------------

Date: Wed, 24 Mar 93 09:47:07 -0800
From: Teresa Lunt <lunt@csl.sri.com>
Subject: intrusion detection workshop

                ELEVENTH INTRUSION DETECTION WORKSHOP
                        CALL FOR PARTICIPATION

A two-day workshop on intrusion detection will be held at SRI International
in Menlo Park, California on May 27-28, 1993, which are the Thursday and
Friday following the 1993 IEEE Symposium on Research in Security and Privacy
in Oakland, California.  This will be the eleventh in a series of
intrusion-detection workshops.

The workshop will consist of several short presentations as well as
discussion periods.  If you have any progress to report on an
intrusion-detection project or some related work that would be appropriate
for a short presentation, please indicate the title and a paragraph
describing your proposed talk on the form below.  You can also indicate there
your suggestions for discussion topics.  Of course, you do not have to make
a presentation to attend; all are welcome! 

If you and/or your colleagues wish to attend, please RSVP using the attached
form.  Please email the completed form to Liz Luntzel at
luntzel@csl.sri.com.  For other questions, please call Liz Luntzel at
415-859-3285 or send us a fax at 415-859-2844 or email at
luntzel@csl.sri.com.

There will be a $100 charge for the workshop.  This fee includes lunches in
SRI's International Dining Room.  Please send your check to Liz Luntzel,
SRI International, 333 Ravenswood Ave, Menlo Park CA 94025 USA.

The workshop will begin at 9am and will conclude at 5pm on Thursday, and will
be from 9am to 2pm on Friday.

SRI is located at 333 Ravenswood Avenue in Menlo Park.  The workshop
will be held in room IS109, which is in the International Building.

To get to SRI:

From highway 101:
    From I-101, take Willow Road (Menlo Park) west to Middlefield
    Road (approx. 1 mile).  Turn right onto Middlefield Road.  Go one 
    block and turn left onto Ravenswood Avenue.  SRI Building A (red 
    brick building) is 1/4 mile up Ravenswood Avenue, on the left.  
    The address is 333 Ravenswood Avenue.  
From I-280:
    From I-280, take Sand Hill Road (east towards Menlo Park). Follow Sand
    Hill Road to Junipero Serra and turn left.  Bear right at the next light,
    and turn right at the stop sign onto Santa Cruz.  Take Santa Cruz to
    El Camino and turn right.  Then take the first left, onto Ravenswood.
    Cross the railroad tracks.  SRI is at 333 Ravenswood, on the right. If you
    continue along Ravenswood along Middlefield, you will come to the
    conference parking area at the corner of Ravenswood and Middlefield.
From Central Expressway:
    From Central Expressway, go north towards Menlo Park all the way
    to where it merges with El Camino Real.  Continue north on El Camino, 
    staying in the right lane, for a few blocks, and turn right onto
    Ravenswood Ave.  Cross the railroad tracks, and after the first light
    look for SRI on your right.  SRI is at 333 Ravenswood.

Visitors may park in the small visitors lot in front of Building A or in the
conference parking area at the corner of Ravenswood and Middlefield (where
there is lots of space).  The workshop will be held in the International
Building, the white concrete structure on Ravenswood to the East (closer to
Middlefield) of Building A.  Visitors should sign in at the International
Building receptionist---from the parking lot go up the steps into the
courtyard; it's on the left.

   --------------CUT HERE AND RETURN TO LUNTZEL@CSL.SRI.COM----------------

                   ELEVENTH INTRUSION DETECTION WORKSHOP

Yes! I will attend the Intrusion-Detection Workshop May 27-28 at SRI.

Please complete the following:

Name:

Title:

Affiliation:

Address:


Indicate one:
I [will/will not] present a talk.

Please complete the following:

Title of Talk:

Abstract:


Suggestions for Discussion Topics:

------------------------------

End of PRIVACY Forum Digest 02.10
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.