PRIVACY Forum Archive Document


PRIVACY Forum Digest     Saturday, 23 June 2001     Volume 10 : Issue 05

                (http://www.vortex.com/privacy/priv.10.05)

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Charles Schwab Takes Step Backwards in Privacy Protection
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Calif. DMV: Identity Theft Prevention System Causes Drivers' Grief
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Surprise! Your New Webmaster is... Microsoft!
           (Lauren Weinstein; PRIVACY Forum Moderator)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributed and archived without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 10, ISSUE 05

     Quote for the day:

        "No matter how horrible things are,
         they can always get worse."

             -- Julia O. Treadway (Barbara Stanwyck)
                "Executive Suite" (MGM; 1954)

----------------------------------------------------------------------

Date:    Sat, 23 Jun 2001 15:20:55 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Charles Schwab Takes Step Backwards in Privacy Protection

Greetings.  Widely-used brokerage house Charles Schwab, already famous for a
Website which is impossible to use properly without both Javascript and
cookies enabled (even if you're just a potential customer who doesn't need
to log in) has recently announced a significant step backwards in privacy
protection for their clients.

In a recent newsletter, Schwab has announced a new system to provide a
universal online login ID so that customers will no longer need to deal with
separate login account IDs for different services.  In fact, customers who
wish to avail themselves of Schwab's upcoming "online statements" access
will apparently be required to use this new login ID system, which Schwab
says has been designed so that "you can't forget" your ID.

What's the new online login ID to which Schwab wants all of their customers
to migrate?  C'mon, you've already guessed!  It's your Social Security
Number!  Just what we need, millions of customers blasting their SSNs across
the Web daily just for basic account access.  Now, to be completely fair
about this, Schwab does use SSL to encrypt most account activities, but as
we've seen so many times in the past when security breaches occur on Web
servers, SSL is almost never at fault.  The problems usually relate to server
configurations or other issues, allowing access to databases of information
stored on the servers.

No matter how you look at it, SSN as a login ID is a bad idea.
Shame on Schwab for this one.

--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

------------------------------

Date:    Sat, 23 Jun 2001 15:49:56 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Calif. DMV: Identity Theft Prevention System Causes Drivers' Grief

Greetings.  If there's one government agency we've been able to historically
count on to provide maximum "hassle value" in our lives, it's been the
Department of Motor Vehicles.  Those wonderful driver's license photos
notwithstanding, the DMV has traditionally been one of the places to which
we nearly all must routinely return and that we all routinely dislike 
dealing with at all.

In recent years, at least here in California, there have been significant
improvements at the DMV, particularly in terms of mail-in license renewals,
availability of appointments, and so on.  But one bizarre aspect of a new
"anti-fraud" program by the California DMV can't help but make me wonder
if someone is asleep at the switch.

As you probably know, the connection between driver's licenses and Social
Security Numbers has become increasingly tight in recent years, with data
matching being used for various verifications, searches for delinquent
child-support payments, and so on.  We've discussed these issues in the past
here in the PRIVACY Forum.

But the Calif. DMV (henceforth referred to simply as "DMV") has started
something new.  They're cross-checking the names on driver's licenses at
renewal times with Social Security Administration records.  The idea is to
reduce the incidence of fake IDs being issued with false names associated
with various SSNs.

The Social Security Administration is a fairly enlightened organization it
seems--they fully understand that "Bill Gates" is a nickname for "William
Gates."  But the DMV, in their new fraud prevention program, shows less
common sense than the average eight-year-old would display in a similar
situation.

Yep--if your Social Security record says your name is Susan, but your
driver's license says Susie (even if this has been the case for many years
or decades) DMV will now reject your renewal.  Bob and Robert?  David and
Dave?  These are hardly unusual nicknames, but DMV apparently will reject
them all if they don't match up between your license and Social Security
records.  The same problem is occurring with persons who adopted 
hyphenated names after marriage.

Right now, this apparently has affected about a half million people (around
11% of all renewal applicants).  The folks caught up in this inanity can't
just make a quick call and clear it up either.  DMV's answer to the problem
is to change your name in the Social Security records to match your
driver's license!  And even after people go through the hassle of that
change, it may take many weeks to get their new license.

DMV suggests that after everyone has changed their Social Security name
records so that everything matches up, they won't have more problems in the
future (except that DMV is also suggesting that new forms of SSN
verification at renewal time will probably be required in upcoming years).

This whole situation is utter nonsense.  Accepting "Bob Crane" on a driver's
license when it says "Robert Crane" on a Social Security record wouldn't
reduce the efficacy of the DMV anti-fraud program by one iota.  It would,
however, greatly reduce the hassles and problems for their customers,
issues which the DMV apparently considers to be low priorities.

Or maybe the DMV just doesn't know how to match up nicknames?  Well, I can
help with that.  It took me just thirty seconds flat (on Google) to find a
concise list (http://www.rootsweb.com/~txcoryel/nickname.htm) which is
currently online for DMV's immediate perusal!

Cutting down the levels of identity fraud is a laudable goal.  But some
common sense really needs to be introduced into the mix as far as the
California DMV is concerned.

--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

------------------------------

Date:    Sat, 23 Jun 2001 16:16:18 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Surprise! Your New Webmaster is... Microsoft!

Greetings.  When you offer a Web page to the world via the Internet, you
probably assume that it will be seen by viewers in the manner that you
designed and wrote it.  You may also have copyrighted the contents to try
to help protect your work.

So you'd probably be fairly surprised and perhaps more than a little bit
upset if you discovered that a third party was effectively "editing" your
Web pages without your knowledge--changing their contents before they were
even seen by the persons visiting your site!

Hackers run amok?  No indeed--it's a feature likely to be deployed soon by
the friendly folks at Microsoft, in at least some versions of their new
operating system ("Windows XP") and their new version Web browser (their
effective monopoly "Internet Explorer") as well.

The new feature is called "Smart Tags," and it literally enables Microsoft to
add their own links to your Web pages (the impact on e-mail is less clear
at this point) without your cooperation or permission.

Microsoft claims that they've developed this system to help deal with the
"problem" of sites that (in Microsoft's opinion) are "underlinked."  Or
perhaps, one might speculate, their real concern is sites that don't have
enough "appropriate" links (such as to Microsoft and/or Microsoft's business
partners...)

Indeed, the Smart Tags system will display new links on unaffiliated Web
pages, which will link back to sites and materials as defined by Microsoft.
So, for example, let's say you have a Web page highly critical of company
Xyzzy-Plugh, Inc.  If said company has worked out the appropriate
arrangements (e.g., payments) with Microsoft, your mentioning of X-P, Inc.
on your Web page could result in a Smart Tags link back to the new products
page for Xyzzy-Plugh itself.  You didn't intend to be acting as a
promotional tool for X-P, Inc.?  Too bad.

Microsoft says that Smart Tags will be turned off in the browsers by default
(at least for now)--so they're effectively "opt-in" for the users.  But as
far as content providers running Websites are concerned, Smart Tags are
"opt-out" only--your pages are vulnerable to Smart Tagging from any browser
that has them enabled, unless you insert special code on all of your pages
(both static and dynamic) that your site serves.  Why didn't Microsoft make
this aspect opt-in as well, rather than drafting the world's Websites into
their scheme without explicit permissions?  The answer is obvious--how many
sites would want to let Microsoft add new links not under the sites'
own direct control!

Microsoft also points out that the Smart Tag links appear differently from
any pages' "original" links.  They suggest that this will avoid user
confusion.  To the contrary--confusion will be rampant.  Many users are
already in the dark concerning who has responsibility for materials on one
linked site vs. another.  It's not always even easy to tell when you've
moved between sites as you click your way through the convolutions of the
Web as it stands right now.

Reportedly, the meta code:

   <meta name="MSSmartTagsPreventParsing" content="TRUE">

will prevent Microsoft's "Smart Tags" feature from operating on any Web page
in which the above line appears in the header.

Assuming that Microsoft continues with their plans for distribution of OS and
applications software supporting Smart Tags, Website authors who do not
wish to have Microsoft acting as a third-party editor of their sites
might wish to start deploying the above code in their Web pages, CGI
programs, etc.

Taggers spray-painting graffiti around our cities and towns is bad enough.
We don't need Microsoft "Smart Tagging" our Websites as well without
our permission.

--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

        [ UPDATE (6/28/01): Microsoft has announced that, due to what they
          consider to be unexpectedly strong negative reactions to the "Smart
          Tags" concept from Web content providers and others, they will
          not be including Smart Tags in the imminent Windows XP or
          Internet Explorer releases.  Microsoft continues to express strong
          faith in the Smart Tags concept, and says that they will revisit
          the technology in some form in the near future.

                        -- PRIVACY Forum Moderator ]
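
Added example (not part of the original digest): one way a site operator
could check pages for the opt-out line quoted in the Smart Tags item above
and insert it into the header where it is missing.  The names HeadScan,
ensure_opt_out and SAMPLE are hypothetical, and case-insensitive matching of
the tag's name and value is an assumption.

```python
from html.parser import HTMLParser

# The opt-out line exactly as quoted in the digest.
OPT_OUT = '<meta name="MSSmartTagsPreventParsing" content="TRUE">'

class HeadScan(HTMLParser):
    """Finds the opt-out tag inside <head> and the position just after <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.has_opt_out = False
        self.head_pos = None  # (line, column, length) of the <head ...> start tag

    def handle_starttag(self, tag, attrs):
        if tag == "head" and self.head_pos is None:
            self.in_head = True
            self.head_pos = self.getpos() + (len(self.get_starttag_text()),)
        elif tag == "body":
            self.in_head = False
        elif tag == "meta" and self.in_head:
            a = {k: (v or "").strip().lower() for k, v in attrs}
            # Assumption: name and value are compared case-insensitively.
            if a.get("name") == "mssmarttagspreventparsing" and a.get("content") == "true":
                self.has_opt_out = True

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def ensure_opt_out(html):
    """Return (html, changed); insert the opt-out line after <head> if absent."""
    scan = HeadScan()
    scan.feed(html)
    scan.close()
    if scan.has_opt_out:
        return html, False
    if scan.head_pos is None:
        raise ValueError("no <head> element to carry the opt-out line")
    line, col, length = scan.head_pos
    # Convert the parser's (line, column) into an absolute string offset.
    offset = sum(len(l) + 1 for l in html.split("\n")[:line - 1]) + col + length
    return html[:offset] + "\n" + OPT_OUT + html[offset:], True

# Constructed sample page for illustration.
SAMPLE = "<html>\n<head><title>Example</title></head>\n<body>Hello</body></html>"

if __name__ == "__main__":
    print(ensure_opt_out(SAMPLE)[0])
```

A copy of the line that sits only in a comment or in the page body is not
counted, since the digest says the line must appear in the header.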

------------------------------

End of PRIVACY Forum Digest 10.05
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.