PRIVACY Forum Digest Thursday, 18 March 1993 Volume 02 : Issue 09 Moderated by Lauren Weinstein (lauren@cv.vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS Should the information industry be consentual? (Bob Leone) Reverse directory/Sears/Radio Shack (Arthur Rubin) Re: Credit Card Validation (Chris Hibbert) Use of Medical Clearing House (Jack Decker) No anonymity for Canon copiers? (Brad Mears) Re: Cashiers and telephone numbers (Chuck Stern) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "cv.vortex.com". For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 02, ISSUE 09 Quote for the day: "I detest life-insurance agents; they always argue that I shall some day die, which is not so." -- Stephen Leacock (1869-1944) "Literary Lapses" (1910) (Insurance up to Date) ---------------------------------------------------------------------- Date: Sat, 13 Mar 1993 11:29:08 -0500 From: Bob Leone Subject: Should the information industry be consentual? Pete Kaiser writes: @Experience shows that in the business of accumulating and exchanging databases about personal information there is a high rate of corruption, of both data [1] and individuals [2]. Moreover, there are plenty of obvious cases where the free flow of accurate information is unwise, inhumane, or illegal [3]. Just to give some more extreme examples: if someone was allowed to compile data using "employer" as the selection criteria, I'm sure you can imagine the results of a list of names, home addresses, and car license numbers of employees of 1) Fur makers going to PETA and the Animal Liberation Front 2) IRS going to extremist Tax Protest groups 3) BATF going to members of the Waco, Texas "Branch Davidian" group 4) Smith & Wesson going to Handgun Control Inc 5) Handgun Control Inc going to NRA 6) Strikebraker employees of whatever going to union goon squads I'm sure you all get the picture at this point. Just about everyone either works for someone, shops somewhere, or subscribes to some periodical which might make him or her the target of harassment (or worse) from some group, somewhere. Just because we haven't seen it yet, doesn't mean it won't start happening eventually as groups become more familiar with how to get data. Bob Leone ------------------------------ Date: Mon, 15 Mar 93 07:33:36 PST From: a_rubin@dsg4.dse.beckman.com (arthur rubin) Subject: reverse directory/Sears/Radio Shack In PRIVACY Forum Digest 02:08, joep@jaguar.informix.com (Joseph Pearl) writes: >I was at Sears with my wife, returning something, when the cashier >asked what our phone number was. Without thinking, my wife told the >cashier (one of those rough days where the brain shuts down after >6pm). The cashier then recited our name and address and asked if it >was correct. Radio Shack (used to) "require" a phone number for any purchase. If you told the clerk that you didn't want to give a phone number, the store manager would (usually) allow a cash purchase to complete. (From my own personal experience and reports on comp.dcom.telecom, before this list was created.) The moderator comments: A comment: I would suggest that it is never a good idea to use a fictitious phone number in response to a clerk's query. Doing so simply risks dragging some other person, who might have that number, into the situation. If the clerk insists on a number, and you don't want to give it, ask for the manager, or consider doing business elsewhere. You might give the 900 number you got on your last "you have won a free prize" postcard. :-) More promising, you might give your work number, the number of the local Attorney General's office (it is illegal to ask for a phone number under many circumstances here in California), or some other approriate number which you don't mind publishing. ------------------------------ Date: Mon, 15 Mar 93 10:10:36 -0800 From: Chris Hibbert Subject: Re: Credit Card Validation Brint Cooper is worried because Citibank is asking him to supply extra information, which they say they will use to verify his identity if he tries to call them on the phone. He isn't sure whether they'll protect the info, or if it might leak into other uses. The list they ask for includes: Name Acccount # Address Date of Birth Social Security Number (you were surprised, maybe?) Mother's Maiden Name (My hospital asks for this one, too.) Business and home phones Other Diner's accounts to which this info applies. My response to this would be to give them a set of information that would be useless to them, but which you can reproduce when they ask, even if you've lost your wallet. They ask for Mother's Maiden name because they think that's such an item. There would be no purpose in cross-matching that with another database, and I always treat such requests as a request for a password, realizing that they'll prompt for the password by asking for your Mother's Maiden name. They don't care at all what answer you give as long as you can reproduce it. I might give them my favorite color, or the name of one of my hobbies. If their db has lots of room, I might even ask them to store e.g. "color: blue" in the field so I could ask for the first word as a prompt to remind me which category I'd used with them. Similarly, I would treat it as a wonderful opportunity if my credit card company asked for an SSN and said (as Citibank seems to have) that they were only going to use it to identify me if I called on the phone. They have no reason to report the number to anyone else, so I would give them one of the many numbers I know that don't seem to be in use by anyone. (I give one in my SSN FAQ, but I have a collection of others that have appeared in various books (as part of a student prank that involved registering a pet dog as a student at the university) or in movies (as visual evidence that a character had created several false personas). What an opportunity! Chris ------------------------------ Date: Wed, 10 Mar 93 09:30:43 EST From: ac388@freenet.hsc.colorado.edu (Jack Decker) Subject: Use of Medical Clearing House The following message first appeared in a Fidonet conference called ADAJOBS (I got it via the EMPLOYMENT conference on BIZynet, a Fidonet-technology business-oriented network). The risks of the use of such a database as the one described below should be obvious (how does one know if they were denied employment because of information contained in this database? For that matter, how does one even know if the information contained in the database is accurate?). Any replies should probably go to the original author (Herbert Mansmann at Fidonet address 1:273/201, which is herbert.mansmann@f201.n273.z1.fidonet.org in Internet notation): ===================================================================== * Forwarded by Chris Gunn (1:202/1008) * Area : ADAJOBS (ADAnet - Job Hunting When Disabled) * From : Herbert Mansmann, 1:273/201 (08 Mar 93 10:55) * To : All * Subj : USE OF MEDICAL CLEARING HOUSE ===================================================================== I have been told by several personnel recruiters that something known as the Medical Clearing House exists for companies or other employers to check on person's medical expenses before hiring them, similar to a credit check. This information is kept in regional databases and is accessible over the phone to high level employee relations personnel at major corporations only. Supposedly it is illegal to release this information to unauthorized users, but it is being done routinely for high medical expense individuals since the penalties are few, the savings can be substantial, and the enforcement of the laws against this are lax. Our daughter has Cystic Fibrosis which has very high medical costs associated over many years. We believe this information and information about other medical conditions that do not interfere with someone's ability to work is being sold to avoid medical costs. Since over two thirds of the employers now self-insure instead of utilizing a real insurance company, they are motivated to eliminate these costs. If you have any information about this practice, please respond on E-mail or anonymously to Herbert Mansmann, 224 Swedesford Rd., Malvern, PA 19355. It is important to get this subject out in the open and to include it in healthcare reform. Thanks. Feel free to call (215)647-3698. --- TMail v1.31.3 * Origin: U.S. Telematics, Yardley PA (215)493-5242 (1:273/201) Jack Decker | Internet: ac388@freenet.hsc.colorado.edu Fidonet: 1:154/8 or jack.decker@f8.n154.z1.fidonet.org Note: Mail to the Fidonet address has been known to bounce. :-( ------------------------------ Date: Tue, 16 Mar 1993 14:17:53 -0600 (CST) From: bmears@gothamcity.jsc.nasa.gov (Brad Mears [I-Net]) Subject: No anonymity for Canon copiers? The most recent issue of Popular Science had a small sidebar concerning new copier technologies that are being used to combat counterfeiting. According to Canon, their new color copiers include two mechanisms to prevent people from copying currency. The first is rather innocuous - the copier can recognize many different currencies and will print a blank image rather than a fake bill. No obvious risks here. The second mechanism is a bit more threatening. According to the story, which I quote without permission - "Each copier embeds a code into the copied image, which is impossible to see. A special scanner extracts the code and a computer program then furnishes the copier's serial number, allowing identification of the registered purchaser of the machine." As a means to combat counterfeiters this may be very useful. Unfortunately, it is also useful for tracking down people who report government waste, publishers of underground newsletters, and others who may have a legitimate need to remain anonymous. Plus, it seems a bit too much like the Eastern bloc countries who used to require registration of typewriters. Brad Mears bmears@gothamcity.jsc.nasa.gov [ This item was reposted from the RISKS Digest -- MODERATOR ] ------------------------------ Date: Thu, 18 Mar 1993 15:42:05 -0500 From: cstern@novus.com (Chuck Stern) Subject: Re: Cashiers and telephone numbers > [ ... > Keep in mind that in most cases you're simply dealing with > a clerk who has a specific set of information he has > been instructed to get and may not realize that not everyone > is willing to provide a number. However, in almost all cases, > when faced with a choice of not getting the number or losing > the sale, the clerk will opt for the former. -- MODERATOR ] This is not strictly true, oh Esteemed Moderator. A clerk in a Radio Shack store here in the Boston area refused to make a credit card sale to me when I refused to give my telephone number and address. The sale, by the way, was to be for $23.50 or some such price. One angry (collect) call to Tandy corporate headquarters got the matter straightened out - they were violating Commonwealth of Mass. laws by even asking - but I haven't darkened the doors of another Radio Shack since, nor will I ever again. More anecdotal evidence from... cstern@novus.com [ Well, as I said, in *almost* all cases a salesperson will opt for the sale... but there's always the exception. Typically you're dealing with an overzealous employee, not company policy in a situation such as you describe. It's interesting to note that the changes in the laws (in some states) making it illegal to ask for a phone number as a requirement for credit card purchases are relatively recent in most cases. In the past some credit card companies strongly suggested that a phone number be obtained for all orders and written on the charge slips. Not everyone in all affected areas has gotten the word about changes, apparently. As for anecdotes, in my own experience, I've never had a salesperson refuse me a purchase, regardless of whether or not I provided a phone number when asked. Of course, my Harley-Davidson clothing motif probably doesn't hurt in such situations! -- MODERATOR ] ------------------------------ End of PRIVACY Forum Digest 02.09 ************************