PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page

PRIVACY Forum Digest     Saturday, 12 November 1994     Volume 03 : Issue 22

          Moderated by Lauren Weinstein (
            Vortex Technology, Woodland Hills, CA, U.S.A.
                     ===== PRIVACY FORUM =====

          The PRIVACY Forum digest is supported in part by the 
              ACM Committee on Computers and Public Policy.

        PRIVACY Brief (Lauren Weinstein; PRIVACY Forum Moderator)
        Local authority housing id scheme in London (Steve Bowbrick)
        Re: HTTP, New Browsers, & Privacy (M. Hedlund)
        The dangers of half-hearted privacy measures (David Dyer-Bennet)
        CMU blocks access to nasty newsgroups (Mich Kabay)
        Followup on Sears captures signatures (Steve Holzworth)
        Minnesota driver license (Daniel Frankowski)
        Discover Card "Fraud" Mailing update (
        Ohio Supreme Court Upholds Privacy of SSNs (David Banisar)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"".  Mailing list problems should be reported to
"".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are available
through the Internet Gopher system via a gopher server on site
"".  Access to PRIVACY Forum materials is also available
through the Internet World Wide Web (WWW) via the Vortex Technology WWW home
page at the URL: "".

For information regarding the availability of this digest via FAX, please
send an inquiry to, call (818) 225-2800, or FAX
to (818) 225-7203.


   Quote for the day:

        "I'm going to give you the choice I never had."

                -- Lestat (Tom Cruise)
                   "Interview With The Vampire" (1994)


PRIVACY Brief (from the MODERATOR)


As expected, California's Proposition 187, which would ban all educational
services and non-emergency medical services for illegal immigrants, and
require widespread reporting of undocumented persons by numerous entities,
passed easily in the November 8th election.  Also as predicted, its
implementation was immediately halted by at least two courts, and nearly 30
lawsuits were filed against it within 24 hours.  These suits seek to overturn
the initiative on numerous grounds, including constitutionality, conflict
with federal privacy and other laws, conflict with existing U.S. Supreme
Court decisions, and a range of others.  It seems likely therefore that
perhaps years of litigation will be the primary result of the proposition
for the foreseeable future.

Discussion of these issues as they relate to privacy topics would
be welcome in this forum.


Date:    Mon, 7 Nov 1994 01:25:41 +0000
From:    Steve Bowbrick <>
Subject: local authority housing id scheme in London

Here in Britain there is a historic resistance to a universal
identification document. Citizenship of this country has always been
defined negatively. Despite many abridgements to this ancient, if
unwritten, right, mostly motivated by immigration-hysteria, it is still the
case that 'being here is enough'. I am never required to prove descent, my
citizenship is not defined positively or 'by blood' as it is in many other
European countries and I do not have to carry, or even own, id.

Identification is, of course, a part of daily life - cashing a cheque or
opening a bank account will always require some form of id - but there is
no single, accepted form of id, no national id card and drivers' licenses
do not carry pictures or barcodes.

Our Prime Minister, John Major, is explicit in his desire for a universal
id document, tied to the tax and social security systems and carrying a
picture. Popular resistance will be considerable. I will not carry one.

Recently, and as if in response to the government's new acceptance of the
'need' for universal id, my local authority, the London Borough of Tower
Hamlets, has introduced a semi-formal id scheme. I and all tenants of the
borough are required to attend an office of the borough to prove that we
are the legitimate occupiers of our homes. A list of acceptable forms of id
is provided - none formal or accepted in law. A drivers license is
adequate. Leaving aside the paradox of positive identification in a country
that has no such concept (I have pointed out to the borough that, even if I
proved my identity to their satisfaction, I would have proved nothing in

I have refused to tender id and I am now threatened with court proceedings
for posession of my home. I'd be interested in the opinion of the experts
on whether my anti-id position is defensible in English law. US
perspectives would be welcome.

Steve Bowbrick, Editor, 3W Magazine                   
3W Magazine, the Internet with attitude                     +44 181 980 4207
                               ~~~~~~~~                 fax +44 181 981 2351                                mobile +44 1860 183 481


Date:    Sun, 6 Nov 1994 23:33:55 -0800
From: (Marc H.)
Subject: Re: HTTP, New Browsers, & Privacy

Ed Kubaitis <> wrote, in V03 #21, about HTTP_FROM, an
environment variable passed by some web browsers to HTTP servers.  The
variable contains the user's email address as entered in their
"Preferences," and Ed expressed concern over possible logging of email
addresses by marketers or other web sites.  I'm glad to see this issue
raised again; I brought it up some months ago when AT&T opened their
"" contest, for which they asked users to submit a web
form-based survey.  (Adam Curry, who was apparantly involved in the project
and who was surprised to hear address-gathering from forms was even
possible, assured several posters that no logging was taking place at
AT&T's site.)

First off, a list of the browsers supporting this variable (with version
numbers known to be inclusive; earlier versions may also belong here, and
later versions almost certainly do):
        MacMosaic 2.0.0a6
        Lynx/2.3 BETA
        Mozilla 0.9b (Netscape) [all platforms]
I collected this information during September of this year (with the
exception of Netscape); this list will hopefully prevent some duplication
of work, but it is _not_ intended as a blacklist.  NCSA Mosaic for X and
Windows, MacWeb, Global Wide Help & Information System (GWHIS), Chimera,
and Spry's Enhanced Mosaic all do not send HTTP_FROM.

As a CGI (Common Gateway Interface -- a protocol for running scripts on web
servers) programmer, I am very much in favor of browsers supporting
HTTP_FROM.  Good use of the variable can allow automation of repetitive
tasks, which is the whole point.  I've used it several times to offer a
default return-address for mailing scripts, which both alerts the user to
the capability, and allows him or her to alter the address if they choose.
I see HTTP_FROM as similar to ftpd's familiar "Guest login ok, send your
complete e-mail address as password" prompt: any program or server that
asks users for their email addresses is completely open to receiving a
false address, or none at all, from those users.

On the other hand, Ed's reaction -- and Adam Curry's, and that of other
people to whom I've mentioned HTTP_FROM -- indicates that plenty of web
users don't know this capability exists.  I found out myself only by
running a script similar to Ed's ( to
list all environment varibles sent -- after having been assured by several
people that the web was completely anonymous, what I was seeking didn't
exist, etc.  To use my example above, ftpd is quite explicit about its
logging, but more recent ftp clients (such as ncftp) -- and the browsers
listed above -- are not.  I see this as the real problem.

Explicit warnings and documentation seem to be the best solutons. I'm not
sure what Lauren meant when he noted, "future versions of the Netscape
browser will probably be distributed with the name/address feature
defaulting to off."  It seems to me that this is already the case -- the
user has to enter his or her email address for the variable to work.  What
I would like to see is a much more explicit preferences dialog, one that
warns the user about possible logging by web sites.  I would disagree with
any assertion that particular browsers should be avoided because of
HTTP_FROM.  At worst, particular preferences dialogs should be avoided.  At
best, all browsers could provide a menu option -- similar to "Auto-load
images" -- that would allow the user to turn "Privacy" on or off.

This is not a web-specific issue.  Interested readers are referred to RFC
1413, "Identification Protocol,"
<URL:>, which details a
more-reliable, transparent, and generalized implementation of TCP
connection logging.  I think it only prudent to assume that any site you
visit on the net could keep a log of your visit; and that as time passes,
more and more sites -- particularly commercial sites -- will do just that.
Browse carefully; the junk mail "you will" receive may be at stake.

I support Lauren's call for regulation of the use of such information.

M. Hedlund <>

   [ My meaning regarding the presumed future default for "Netscape"
     WWW browsers related to defaulting to not sending the 
     address information even when it was available in the configuration.
     Since many (most?) people when configuring software will fill in all
     of the requested fields (including name, email address, etc.) it's
     important that the actual sending of the identification information
     be independently controlled through an explicit user decision.

                -- MODERATOR ]


Date:    Mon, 7 Nov 94 11:03:11 CST
From: (David Dyer-Bennet)
Subject: The dangers of half-hearted privacy measures
         Counterpoint -- Living in a Fish Bowl

I'm in favor of privacy.  I'd rather have real privacy than the alternative
I'm going to talk about here.  However, at least in the on-net
privacy-oriented community, I see little or no recognition of the forces
driving the various risks to privacy today.  So I'm writing this to attempt to
expose some issues and options that aren't often seen in this community.

The pressures for various sorts of losses of privacy are tremendously strong.
Recorded video monitoring of public spaces probably really does make them
safer; at least it makes it more likely that anybody commiting a violent crime
in that space will be caught and convicted.  Paying for your groceries by
debit card is convenient, and receiving customized coupons for products that
you might actually buy is nice.  Not having to stop at tollbooths on a highway
improves traffic flow, and paying for roads with usage fees moves the costs
squarely onto those deriving the benefits and should help people's rational
personal choices on transportation be less costly to society as a whole.  And,
of course, customized marketing is profitable.  As a consumer, customized
marketing doesn't bother me too much -- what it means to me is that I receive
less uninteresting junk mail. 

Most of these things can be implemented without serious privacy impacts with
proper design; the video tapes can be thrown away after a defined period if no
crime is reported, with strict laws about any improper disclosure, for
example.  The tollbooth can work anonymously in various ways.  (The customized
coupons seem to require keeping past purchase history; I find it hard to
imagine a credible scheme to keep that information and use it only for
issuing some customized coupons, so perhaps that idea can't be implemented
without compromising privacy.) But all of these approaches involve throwing
away information deliberately.  This is a sin to many people, an unnatural
act.  The incentives for various uses of this information appear strong enough
that the system is likely to develop lots of loopholes and probably illegal
leaks as well.

Having essentially all information about me and everybody else be public,
including details of our daily movements, what we read, what we watch, who we
phone, etc. would lead to a very, very different society from what we have
now.  It would largely end the common hypocrisies of day-to-day life, one way
or the other.  Either the avowed standards would remain, and people would
actually conform to them, or new standards would evolve that we'd be willing
to actually live with.  The transition period would be very difficult, of
course.  The first society would be much more restrictive than current
society, but I don't believe it's a likely outcome.  The second might actually
be freer, and also more honest, than what we have now.  People would be forced
to recognize and accept the degree of individual differences that actually
exist.  It might be a tolerable outcome.  (This is not what I'd call an
enthusiastic endorsement!)

What would be *in*tolerable is a society where that level of information was
available, but only to the government and the very rich.  And where the
information on the rich and prominent could often be suppressed, but the
information on those of us with only ordinary resources could not.  This is
the worst possible outcome, and it's one of the more likely dangers.  This is
where we end up with weak laws, compromises, and sloppy attempts at ensuring
privacy.  This is why it's important that society converge on a
strongly-supported position on privacy and pursue it aggressively.  We need to
be either for it, or against it, uniformly and broadly.  

Personally, I'm for privacy; I don't want to try the fish-bowl experiment
myself.  But I think that is better than the half-hearted compromises we're
likely to end up with.
David Dyer-Bennet             Network Systems Corporation               Brooklyn Park, MN  +1-612-391-1353           My postings represent at most my own opinions.
Web URL:  (SF, photography)

        [ We've frequently discussed in this forum the rather "insidious"
          nature of the problems you mention.  The convenience of these
          systems makes them difficult to avoid, even when practical
          alternatives to using them exist.  I would argue that 
          only through legislative rules that apply evenly to all
          entities collecting information can the "strong" privacy
          protections you suggest be implemented.  Leaving the decisions
          regarding the use of such data to the collecting entities
          themselves has proven to result in widespread abuse. 

          Unfortunately, it seems unlikely that legislation that would help
          the privacy situation in any significant manners will be
          forthcoming anytime soon, at least at the federal level.
                -- MODERATOR ]

Date: 06 Nov 94 15:46:49 EST
From: "Mich Kabay [NCSA Sys_Op]" <>
Subject: CMU blocks access to nasty newsgroups

   [ From RISKS-FORUM Digest; Volume 16 : Issue 53  -- MODERATOR ]

>From the United Press Intl newswire via CompuServe's Executive News Service:

UPn 11/04 1054 College blocks computer sex access

        PITTSBURGH, Nov. 4 (UPI) -- Carnegie Mellon University
        of Pittsburgh said Friday it will block access on its 
        campus computer system to sexually explicit material 
        available on the worldwide computer network called 
        the Internet.

        Carnegie Mellon officials said they are acting out of 
        concern that the university could by subject to 
        prosecution under Pennsylvania's pornography and
        obscenity laws.

The article goes to to explain that University spokespersons admit they will
be "be accused of stifling free expression" but feel that the risks are too
high, especially since children can easily access these materials.  The
decision was said to have been difficult and painful for the administrators,
who strongly support the tradition of academic freedom.  The decision was
criticized by a student spokesperson, who compared it to banning books.

[Comments by MK:

The anonymity of the Internet will continue to cause difficult problems
related to access by children.  Right now, the response of well-meaning
administrators and others is to put blanket restrictions on everyone so as
to prevent unsupervised use of the Internet by minors.

Imagine a world where no one had developed the concept of an ignition key
for automobiles.  We can imagine well-meaning highway administrators
concerned with access to the high-speed transportation infrastructure
exclaiming, "Gosh, but with these highways and cars, children could travel
to (gasp) brothels and pigsties!  They could see things that their parents
would never want them involved in."  And so the highway administrators would
shut down roads in an attempt to prevent access to bad places by children.

In both the real world and this imaginary world, these difficulties are
caused by the lack of identification and authentication in accessing the
highways.  In the real world, we have ignition keys for automobiles and
severe penalties for stealing automobiles or driving without a permit.  We
have no accepted standards for access to networks.

Parents who are concerned about access to a network by their children could
take the responsibility of locking their computers or their modems.
However, that's a pretty crude approach too--all or nothing.  And what about
the children's independence and growth?

There are already devices available for controlling access to television;
parents program the times, channels and duration of viewing permitted for
their children, who punch in a PIN to gain personally-tailored access to the
TV.  Maybe as Internet access grows, there will arise sufficient interest
and demand for menu systems for access to the Internet.  Parents could
select the sections of the Internet which they wish to allow for their
children; children and parents could explore the Internet together and add
or remove destinations and newsgroups as they see fit.

Right now, CompuServe has access to Internet newsgroups.  The administration
has settled on a middle ground in restricting access to the Internet by
limiting the _listings_ of newsgroups.  In fact, however, if someone already
knows the name of a newsgroup, they are free to subscribe even if it isn't

I think that we have to move beyond a crude TOTAL ACCESS / NO ACCESS
dichotomy in regulating access to the Internet.  We need finer granularity
in our restrictions so that we don't infringe on the rights of adults.

A final note.  In a recent thread on the NCSA FORUM on CompuServe, there was
a discussion about whether there were mechanisms for restricting BBS and
Internet access by children.  I answered, "Yes--one is PARENTAL

M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn (Carlisle PA)


Date: Mon, 31 Oct 1994 18:44:44 -0500 (EST)
From: Steve Holzworth <>
Subject: followup on Sears captures signatures

   [ From RISKS-FORUM Digest; Volume 16 : Issue 53  -- MODERATOR ]

Since my original post concerning Sears now digitizing signatures when
you sign a credit card slip, bunches of people :-) have sent me Email,
either asking for elaboration on the risks involved, or adding anecdotes
of their own. I'll attempt to describe the potential risks as I see them.

Summary of previous post:

Sears in my area has recently started asking for people to sign their 
credit card receipts while the receipts are on what is obviously a small
digitizing pad. Sears doesn't make it obvious that this is the function of
the device. 

You can refuse to sign on the tablet. They'll probably have to 
call someone first to OK it.

Potential Risks of digitized signatures:

Capturing the act of signing gives the store more information than 
simply scanning a copy of a signed receipt would. In addition to the basic
image of the signature, the tablet can also effectively record stroke 
information (direction of strokes, and possibly, pressure of strokes).
This is important, because given stroke information, it is almost trivial
to write a program to fake a signature with a pen plotter. Simply use
the stroke points as control points for spline curves. Said control
points can then be perturbed slightly to yield what appears to be the 
same signature STYLE, without being a direct copy of an existing signature.

Of course, Sears wouldn't do anything so stupid. However, once the data is
available, a disgruntled or entrepeneurial employee could sell the data to
other parties. Let's see. Bill Gates goes to Sears and buys a screwdriver on
his credit card. How much is his signature potentially worth on the market?
Or, (for the really paranoid :-) ), some government agency, say, DEA, known
to be overzealous at times, decides to "apply" your signature to some
incriminating evidence...

I don't believe Sears (and others mentioned) can perform dynamic signature
verification on the fly. They can't possibly have that horsepower at
the terminal (at present). Even simple credit card number verification
takes 30 seconds or more. Imagine the complexities of looking up one
of N million signatures, correlating it to the new sample, then issuing
a go/no-go response in a reasonable time frame. The closest approximation
to this so far is the Apple Newton handwriting recognition. It looks in
a small (10k words) dictionary, has to be trained to your writing style
over time, and still screws up often enough to cause some headaches.
How tolerant is your customer base to having their charges denied when
they KNOW they wrote a valid signature?

More importantly, what REASON can Sears have for wanting this information?
I proposed that they can't do anything useful with it yet, so why should
we let them have it? Further, to the best of my knowledge, no credit card
provider requires card owners to supply digitized signature information
when initiating a transaction. My understanding is that, per the card issuer
agreement with the merchant, the merchant CANNOT require ANY other identifying
information, assuming they get an approval code from the card issuer.
Keep in mind, you don't even SIGN a receipt for a mail-order purchase...
Why should we let Sears et al digitize our signatures?

One limited use of a digitized signature could be to display a specimen of 
your signature on POS terminal so the clerk can compare with your receipt.
Of course, that is supposedly what the signature on the back of the card
is for (among other things)...

One responder mentioned that if the customer was signing paper on top of a
tablet, it was unlikely that much information could be captured beyond
stylus pressure. This is incorrect. I developed high-end CAD software for
civil engineering and land planning for many years. All of the digitizers we
used were capable of capturing positional information through quite a number
of layers of vellum, mylar, and/or paper. This was necessary because much of
engineering work involves tracing existing maps or drawings.

Several responders stated that they had run into similar digitizers at Sears,
Service Merchandise, and others. A few stated that my example of refusing
to sign had encouraged them enough to "just say no" :-) next time.

I'm not trying to be paranoid, but I attempt to see all of the angles when
confronted with a situation as described above. I operate under the rule
that unless you can give me an extremely good reason why I should give you
some class of information about me, you don't get it. Numerous posts to
RISKS have documented how quickly and easily information about someone is
disseminated, and how difficult it is to correct misinformation, once it
gets spread. I attempt to minimize acquisition of the information as a
preemptive measure.

Steve Holzworth  SAS Institute   x6872  SAS/Macintosh Development Team
Cary, N.C.               


Date: Fri, 4 Nov 1994 15:55:56 -0600 (CST)
From: (Daniel Frankowski)
Subject: Minnesota driver license

   [ From RISKS-FORUM Digest; Volume 16 : Issue 53  -- MODERATOR ]

City Pages, a great free news weekly here in the Twin Cities (Minnesota
USA), recently had an article [1] chock full of privacy issues and
implications of the new Minnesota driver license (not "driver's" but
"driver" on our license).  I approached the article with deep suspicions
about a new card, and came away only slightly less suspicious.

The old license has been the same for 25 years.  It has a picture, a license
number and some personal information (address, height, weight, signature,
birthdate, etc.).

  .. [O]fficials were tired of the ease with which the old card could
  be forged and altered.  In early 1990, local police officials uncovered 
  a forgery ring in the Twin Cities that used fake Minnesota licenses to 
  open bank accounts and pass close to $1 million worth of bad checks.

To make it harder to forge, the new card is printed in several fonts and the
location of your (digitized and stored) picture depends on your age.  For
the information age, there is a barcode with your driver license number, and
a magnetic stripe that can contain three lines of about 80 characters each,
currently slated to contain a person's full name, date of birth, and driver
license number.

The article raises a plethora of issues, some of which follow.  I have
hastily tried to put them into categories, which unfortunately overlap.


- - The state government assumes that the public should trust government
agencies with these technologies.  This resulted in a lack of public
discussion or input because the government did not publicize the new
card proposal.  The article gave an example I had not heard why we
should not trust government: upon dishonorable discharge from the US
military, it assigned a code which potential employers and others
could get.  257 meant "unfitness, homosexual acts," 261 was
"psychiatric or psychoneurotic disorder," 287 was "unclean habits
including venereal disease," and 289 "unsuitability, alcoholism."

- - Currently, the Driver Vehicle Services (DVS) department makes all
their information public except social security number and medical
information.  That is, registration and title info, driving records,
and the personal information from your license.  The state sells it
("provides it for a fee"), and currently has 600 online accounts
(presumably customers buying the information).  They can sort by age,
area, or size of person, for example.

- - The card is a universal identifier, a notion often reviled in RISKS.

- - The article mentions a national database of 7 million commercial
drivers (only truckers?) called (and operated by) AAMVANET which went
online January 1989.  It contains each person's name, date of birth,
social security number, and physical descriptors.  "It was mandated by
the federal government because truckers were getting licensed in
multiple states to avoid suspensions."  Barry Goleman is the president
of AAMVANET, Inc., a subsidiary of the American Association of Motor
Vehicle Administrators.  "Goleman says that in the future, the system
will include all drivers-- currently a total of 160 million,

- - The license may be linked to issues unrelated to driving.  In
Wisconsin, your license may be suspended for failing to pay public
fines.  The article's example is a late book fine at the public


- - The company producing them (Deluxe Check Corporation, big in
Minnesota) promised quicker turnaround for new licenses, but their
digitizing cameras overheated, and their incompatible transmission
protocols lost about 4000 new pictures which have to be retaken.


Goleman (see above) said "upward of" 22 states have magnetic
stripe-reading technology for driver licenses already.

- - You, the card holder, cannot easily read the magnetic stripe to
ensure that there are no mistakes because a special machine is

- - Businesses could modify credit card readers to read the license
stripe "ostensibly to verify ID" and build databases of shopping
habits and personal information.

- - Minnesota businesses are trying to get extra information put on the
magnetic stripe.

- - A state group proposed distributing AFDC (welfare) money.  The
article hypothesized the card could be used (say) to track your


At first, I was impressed with the fact that all information in the
barcode and magnetic stripe would also be visible on the card.  In
other words, no hidden information.  However, other points listed
above drained away my relief.

I noted a fatalism about the article: it catalogued frightening
consequences without proposing solutions or interviewing privacy
experts.  This seems typical of even good journalism these days.

So are there simple guiding principles about the use of information
for a driver license?

Would it be a good idea to pass a law requiring cash machines to be
able to display (for free) any information on a magnetic stripe given
the appropriate PIN #?

How else can we solve the problems above?

1. Card Blanche, Jennifer Vogel, City Pages, Vol 16, No 725, October
26, 1994, pages 15-20.

Dan Frankowski


Date:    Thu, 10 Nov 1994 04:06:13 -0500 (EST)
Subject: Discover Card "Fraud" Mailing update

Discover card did not do a bulk class mailing of their "Fraud Prevention"
information notices.  They were included with the monthly bill.  I don't
think that anybody in their right mind is going to toss out their monthly
Discover Card bill, unopened...

        [ It appears that Discover card customers who were mailed regular
          statements recently had the "fraud prevention" notice/request
          included with their statement.  However, bulk class mailings did
          go out to subscribers who were not due statements, presumably
          including people with a Discover card who did not have any current
          card activity, which could be a very large number of folks.

                -- MODERATOR ]


Date:    Sat, 12 Nov 1994 13:56:25 -0500
From:    David Banisar <>
Subject: Ohio Supreme Court Upholds Privacy of SSNs

In a decision handed down on October 26, the Ohio Supreme Court has
ruled that governmental disclosure of Social Security numbers (SSNs)
violates individuals' constitutional right to privacy.  At issue was a
request by the Akron Beacon Journal for release of computer tape
records of the City of Akron's year-end employee master files.  The
payroll files contain various information including employees' names,
addresses, telephone numbers, SSNs, birth dates, education, employment
status and positions, pay rates, service ratings, annual and sick
leave information, overtime hours and pay, and year-to-date employee
earnings.  The City had provided the records to the newspaper, but
deleted the SSNs on privacy grounds.

EPIC staff, on behalf of Computer Professionals for Social
Responsibility, joined with the Public Citizen Litigation Group in
filing a "friend of the court" brief in the case.  The CPSR/Public
Citizen brief highlighted the privacy implications of SSN disclosures
and argued in support of the City's decision to withhold the numbers.
The brief urged the Ohio Supreme Court to follow the lead of the U.S.
Court of Appeals for the Fourth Circuit in the case of Greidinger v.
Davis, where Virginia's practice of requiring SSNs for voter
registration purposes was held unconstitutional.  EPIC staff had
similarly participated in the Greidinger litigation as friends of the

Significant excerpts from the Ohio Supreme Court decision:

          The city's refusal to release its employees' SSNs does
     not significantly interfere with the public's right to
     monitor governmental conduct. The numbers by themselves
     reveal little information about the city's employees. ...

          While the release of all city employees' SSNs would
     provide inquirers with little useful information about the
     organization of their government, the release of the numbers
     could allow an inquirer to discover the intimate, personal
     details of each city employee's life, which are completely
     irrelevant to the operations of government. As the Greidinger
     court warned, a person's SSN is a device which can quickly be
     used by the unscrupulous to acquire a tremendous amount of
     information about a person. ...

         Thanks to the abundance of data bases in the private
     sector that include the SSNs of persons listed in their
     files, an intruder using an SSN can quietly discover the
     intimate details of a victim's personal life without the
     victim ever knowing of the intrusion.

Coming a year after the Greidinger decision, the Akron Beacon Journal
case continues a trend toward judicial recognition of the privacy
implications of SSNs.  EPIC will continue to participate in related
litigation in an attempt to establish a body of caselaw protecting the
confidentiality of SSNs and other personal information.

David Sobel (
Legal Counsel
Electronic Privacy Information Center


End of PRIVACY Forum Digest 03.22

PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.