PRIVACY Forum Digest      Friday, 26 March 1993      Volume 02 : Issue 10

          Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                 Vortex Technology, Topanga, CA, U.S.A.

                       ===== PRIVACY FORUM =====

         The PRIVACY Forum digest is supported in part by the
            ACM Committee on Computers and Public Policy.

CONTENTS
        Medical Clearing House (Jerry Leichter)
        Re: Medical Clearing House (John R. Levine)
        Protecting your privacy -- ID info and credit-card agreements
           (Alan Wexelblat)
        Preventing Electromagnetic Eavesdropping (Grady Ward)
        Documented Cases of SSN Abuse Wanted (Steve Schlesinger)
        Individual Privacy Protection Act of 1993 (Juan Osuna)
        CPSR Wins SSN Privacy Case (Marc Rotenberg)
        Intrusion Detection Workshop (Teresa Lunt)

  *** Please include a RELEVANT "Subject:" line on all submissions! ***
             *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance
and content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must
have RELEVANT "Subject:" lines.  Submissions without appropriate and
relevant "Subject:" lines may be ignored.  Subscriptions are by an
automatic "listserv" system; for subscription information, please send a
message consisting of the word "help" (quotes not included) in the BODY of
a message to: "privacy-request@cv.vortex.com".  Mailing list problems
should be reported to "list-maint@cv.vortex.com".  All submissions
included in this digest represent the views of the individual authors and
all submissions will be considered to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site
"cv.vortex.com", in the "/privacy" directory.  Use the FTP login "ftp" or
"anonymous", and enter your e-mail address as the password.  The typical
"README" and "INDEX" files are available to guide you through the files
available for FTP access.  PRIVACY Forum materials may also be obtained
automatically via e-mail through the listserv system.  Please follow the
instructions above for getting the listserv "help" information, which
includes details regarding the "index" and "get" listserv commands, which
are used to access the PRIVACY Forum archive.  All PRIVACY Forum materials
are also available through the Internet Gopher system via a gopher server
on site "cv.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 10

   Quote for the day:

        "I wasn't kissing her, I was just whispering in her mouth."

                -- Chico Marx (1891-1961)

----------------------------------------------------------------------

Date: Fri, 19 Mar 93 18:07:45 EDT
From: Jerry Leichter
Subject: Medical Clearing House

Jack Decker forwarded to a recent PRIVACY Digest an article about a
clearinghouse of medical information and its possible use by employers to
avoid hiring people with large medical expenses.

There is, indeed, a massive but little-known central clearinghouse of
medical data.  It was organized and run by the medical insurers for the
purpose of controlling fraud.  If you consider the amount of information
that you give your medical insurance company when you file a claim - all
of which is likely to get forwarded to the clearinghouse - the amount of
very personal information the clearinghouse has on virtually every person
in the United States is staggering.
Normally, this kind of cooperative record sharing would be considered a
violation of the antitrust laws.  However, the insurance industry has an
exemption from those laws for the purpose of controlling fraud.  The
records involved are not credit records and do not, as far as I know, fall
under any of the laws allowing you access to your own files.  As far as I
know, neither the clearinghouse nor your insurer is obligated to show you
your records, much less allow you to enter explanations (as you can do
with your credit records); and I don't believe that, in general, they will
actually do either voluntarily.

As the article points out, two-thirds of all employers now self-insure for
their employees' medical policies.  It would not surprise me if this
entitled them to access the clearinghouse.  (Such policies are typically
administered by a traditional insurance company; I'd bet that they provide
access to the clearinghouse as part of their administrative services.)

Until recently, I don't believe there was anything illegal in an employer
refusing to make a job offer based on anticipated medical costs.  (In at
least one case I know of, someone was extended a job offer, then told on
his first day that the medical insurance would not cover his pre-existing
condition, which required expensive treatment.  The person involved walked
out of the room, never to return.  As far as he was concerned, he might as
well have been refused the job.)  Under ADA (Americans with Disabilities
Act), this has almost certainly changed - at least when the issue is the
prospective employee's medical condition.  I have my doubts whether ADA
would have any applicability if the issue were a family member's medical
condition.

By the way, employers in many states have banded together to create
databases of employees who have made large work-related disability claims.
Since such injuries are covered through a separate insurance pool, and an
employer's contributions to the pool are based on his history of employee
claims, it is in an employer's interest not to hire people who will "run
up his bill".  Again, this practice was apparently legal before ADA.
Whether it would fall under ADA is a tougher call.

                                                        -- Jerry

------------------------------

Date: 19 Mar 93 22:25:16 EST (Fri)
From: johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: Re: Medical Clearing House

I've never heard of the Medical Clearing House, but he may actually be
referring to the Medical Information Bureau, a long-standing cooperative
venture by insurance companies.  It exchanges medical info, primarily to
avoid losses due to people who apply for insurance and don't disclose
pre-existing conditions.  I've heard that MIB data is also used for a lot
of less savory things, but I have no hard info either way.

Anyone can ask for a copy of his MIB record; call +1 617 426 3660 and
leave your name and address on the machine; they'll send you a form to
request a copy of your record.  When I sent in the form a month or so ago,
they wrote back and claimed they'd never heard of me.  I don't believe it.
When I applied for my current insurance about five years ago, they asked
for five years of medical history.  After I sent in my list, they wrote
back with a few more minor history items that I'd honestly forgotten, and
the insurance company went ahead to issue the policy.  I'm certain they
got those history items from the MIB, so they certainly had a file on me
then.

On an unrelated and probably less interesting note:

>A clerk in a Radio Shack store here in the Boston area refused to make a
>credit card sale to me when I refused to give my telephone number and
>address.

I've never had any trouble at the Harvard Square store.  My answer to the
telephone question is "don't have one."  So they don't believe me.  Tough.
John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl

------------------------------

Date: Sat, 20 Mar 93 16:52:34 -0500
From: "Alan (Gesture Man) Wexelblat"
Subject: Protecting your privacy -- ID info and credit-card agreements

Two topics from recent digests:

When asked for "identifying" information which is probably going to be
used to compile marketing databases, I cheerfully supply *wrong*
information.  I make it as bogus and outlandish as I feel that day.  This
can be fun when filling out "surveys" for product-reg cards, while on
airlines, etc.  I once told American Airlines I was a 55-year-old Eskimo
woman whose income this year was $5000 but that was a $50,000 increase
from last year.

The idea is to seed their databases with useless information.  The reason
this stuff is compiled is so that they can do targeted marketing -- i.e.,
increase the efficiency of mailings, etc.  The more bogus entries are in
the database, the less efficient and less profitable these marketing
schemes will be.  If it becomes unprofitable enough, they'll give it up.

So I urge you all to have fun with these things.  Make them waste their
money.  Register things to your pets.  Create companies and sign them up
for stuff.

The neat thing about this strategy is that it works best when only a few
people (say 10% of the population) are doing it.  If everyone did it, it
would pay them to spend the money to verify entries.  What I want to do is
just make it unprofitable enough that they'll give up and go away.

Now, on the issue of additional information required with a credit-card
purchase.  When I worked for we had a visitor from VISA who explained
that we were *never* to:

a) provide additional information with our card numbers.  It is a
   violation of the merchant's agreement with VISA if they ask for more
   information.

b) sign a charge slip without the final balance being entered on the
   slip.  Merchants can put in a "hold" if they want to be sure you don't
   overrun your limit.
But once you sign a slip you're obliged by your agreement (with VISA
anyway) to pay whatever amount eventually ends up on the slip.
Fortunately, most hotels have stopped asking me to sign blank slips so I
rarely have this problem these days.

--Alan Wexelblat, Reality Hacker and Cyberspace Bard
Media Lab - Advanced Human Interface Group          wex@media.mit.edu
Voice: 617-258-9168, Pager: 617-945-1842           wexelblat.chi@xerox.com
There is nothing so regretted as a missed opportunity.

------------------------------

Date: Mon, 22 Mar 93 19:51:23 PST
From: grady@public.btr.com (Grady Ward)
Subject: Preventing Electromagnetic Eavesdropping

Eavesdropping on personal computers is not limited to looking over the
shoulder of the operator or physically tapping into an Ethernet cable.
U.S. Government standards relating to the prevention of information
capture via the emission of electromagnetic radiation from computers and
peripherals are known as TEMPEST.  However, actual TEMPEST specifications
are classified.

TEMPEST aside, there are inexpensive and easily applied means for
individuals to minimize unintentional emissions from equipment.  My
document, "Preventing Electromagnetic Eavesdropping," discusses these
techniques.

[ The document described above (~15K bytes uncompressed) has been placed
  into the PRIVACY Forum archives.  You can obtain it:

  -- Via anon FTP from site "cv.vortex.com" as:

        /privacy/prevent-eme.Z   (compressed; binary mode)
        /privacy/prevent-eme     (uncompressed)

  -- Via the "cv.vortex.com" listserv system by sending an e-mail
     message to:

        listserv@cv.vortex.com

     with the first text in the BODY of the message consisting of:

        get privacy prevent-eme

  -- Through the Internet Gopher system via the gopher server on
     "cv.vortex.com" in the "*** PRIVACY Forum ***" section (and via
     linked gopher servers).
                                                -- MODERATOR ]

------------------------------

Date: Tue, 23 Mar 93 16:23:45 PST
From: Steve Schlesinger 3711
Subject: Documented Cases of SSN Abuse Wanted

I am collecting documented cases of people being somehow harmed by their
Social Security Number falling into the hands of some wrongdoer.  Please
email them to me.  I will post the collection or otherwise make it
available.

Thanks - steve

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Disclaimer - This request is personal and has nothing to do with NCR or AT&T
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
===============================================================================
Steve Schlesinger, NCR/Torrey Pines Development Center      619-597-3711
11010 Torreyana Rd, San Diego, CA 92121                  ucsd.edu!sv001!steves
                                          steve.schlesinger@TorreyPinesCA.ncr.com
===============================================================================

------------------------------

Date: Wed, 24 Mar 93 12:20:02 -0500
From: josuna@cs.UMD.EDU (Juan Osuna)
Subject: Individual Privacy Protection Act of 1993

I am working on an article about the idea of establishing a federal
privacy protection board.  This idea has been floating around Congress for
many years, and this year another bill has been introduced, called the
Individual Privacy Protection Act of 1993.

The act would create a five-member board (appointed by the president and
approved by the Senate) to study the computerized information systems of
government and industry and to recommend legislative or administrative
action.  The board would hold hearings, subpoena witnesses and documents,
and issue reports.  I have been told by Congressional staffers that the
bill will likely undergo revision before being considered by a committee.

Privacy advocates often base arguments on what could happen rather than on
what does happen.  And even when an invasion of privacy is shown, it is
difficult to quantify or prove actual damage.
I think this presents a problem for legislators, who need to show their
constituents concrete, not abstract reasons for legislation.

I am writing an article and would like to hear comments on such a
proposal.  Can anyone provide me with concrete examples where someone was
physically, emotionally or financially harmed as a result of new
technologies eroding their privacy rights?  Public and private comments
are welcome.  I will guarantee anonymity upon your request.

---------------------------------------------------------------------------
Juan Antonio Osuna, Computing Research News     E-mail: josuna@cs.umd.edu
1875 Connecticut Ave. NW, Suite 718             Ph:  (202) 234-2111
Washington, D.C. 20009                          Fax: (202) 667-1066
---------------------------------------------------------------------------

[ Such a board has been proposed before, and has reached various
  legislative levels in the past.  I have conceptually supported this idea
  for a long time--but making sure it's done properly is no simple task,
  to say the least.  The privacy issues involved cover a wide range of
  both "public" and "private" organizations.  The tendency of many
  organizations is to take the view that "hardly anyone complains about
  privacy matters, so why should we bother changing anything?"  Most
  individuals also take much the same tack, until something happens to
  *them* ...

                                                -- MODERATOR ]

------------------------------

Date: Fri, 26 Mar 1993 17:03:43 EST
From: Marc Rotenberg
Subject: CPSR Wins SSN Privacy Case

                              PRESS RELEASE
                              March 26, 1993

           "FEDERAL APPEALS COURT UPHOLDS PRIVACY:
            USE OF SOCIAL SECURITY NUMBER LIMITED
                          - - - - 
            CPSR Expresses Support for Decision"

A federal court of appeals has ruled that Virginia's divulgence of the
Social Security numbers of registered voters violates the Constitution.
The Court said that Virginia's registration scheme places an "intolerable
burden" on the right to vote.
The result comes nearly two years after Marc Greidinger, a resident of
Falmouth, Virginia, first tried to register to vote.  Mr. Greidinger said
that he found it nearly impossible to obtain a driver's license, open
accounts with local utilities or even rent a video without encountering
demands for his Social Security number.

Mr. Greidinger told the New York Times this week that when the State of
Virginia refused to register him as a voter unless he provided his Social
Security number he decided to take action.  He brought suit against the
state, and argued that Virginia should stop publishing the Social Security
numbers of voters.

This week a federal appeals court in Richmond, Virginia ruled that the
state's practice constituted "a profound invasion of privacy" and
emphasized the "egregiousness of the harm" that could result from
dissemination of an individual's SSN.

Computer Professionals for Social Responsibility (CPSR), a national
membership organization of professionals in the computing field, joined
with Mr. Greidinger in the effort to change the Virginia system.  CPSR,
which had testified before the U.S. Congress and the state legislature in
Virginia about growing problems with the misuse of the SSN, provided both
technical and legal support to Mr. Greidinger.  CPSR also worked with Paul
Wolfson of the Public Citizen Litigation Group, who argued the case for
Mr. Greidinger.

In an amicus brief filed with the court, CPSR noted the long-standing
interest of the computing profession in the design of safe information
systems and the particular concerns about the misuse of the SSN.  The CPSR
brief traced the history of the SSN provisions in the 1974 Privacy Act.
The brief also described how the widespread use of SSNs had led to a
proliferation of banking and credit crime and how SSNs were used to
fraudulently obtain credit records and federal benefits.
CPSR argued that the privacy risk created by Virginia's collection and
disclosure of Social Security numbers was unnecessary and that other
procedures could address the State's concerns about records management.

This week the court of appeals ruled that the state of Virginia must
discontinue the publication of the Social Security numbers of registered
voters.  The court noted that when Congress passed the Privacy Act of 1974
to restrict the use of the Social Security number, the misuse of the SSN
was "one of the most serious manifestations of privacy concerns in the
Nation."  The Court then said that since 1974, concerns about SSN
confidentiality have "become significantly more compelling.  For example,
armed with one's SSN, an unscrupulous individual could obtain a person's
welfare benefits, or Social Security benefits, order new checks at a new
address, obtain credit cards, or even obtain the person's paycheck."

The Court said that Virginia's voter registration scheme would "compel a
would-be voter in Virginia to consent to the possibility of a profound
invasion of privacy when exercising the fundamental right to vote."  The
Court held that Virginia must either stop collecting the SSN or stop
publicly disclosing it.

Marc Rotenberg, director of the CPSR Washington office said, "We are
extremely pleased with the Court's decision.  It is a remarkable case, and
a real tribute to Marc Greidinger's efforts.  Still, there are many
concerns remaining about the misuse of the Social Security number.  We
would like to see public and private organizations find other forms of
identification for their computing systems.  As the federal court made
clear, there are real risks in the misuse of the Social Security number."

Mr. Rotenberg also said that he hoped the White House task force currently
studying plans for a national health care claims payment system would
develop an identification scheme that did not rely on the Social Security
Number.
"The privacy concerns with medical records are particularly acute.  It
would be a serious design error to use the SSN," said Mr. Rotenberg.

Cable News Network (CNN) will run a special segment on the Social Security
number and the significance of the Greidinger case on Sunday evening,
March 28, 1993.

The Court's opinion is available from the CPSR Internet Library via
Gopher/ftp/WAIS.  The file name is "cpsr/ssn/greidinger_opinion.txt".
The CPSR amicus brief is available as "cpsr/ssn/greidinger_brief.txt".

CPSR is a national membership organization, based in Palo Alto,
California.  CPSR conducts many activities to protect privacy and civil
liberties.  Membership is open to the public and support is welcome.  For
more information about CPSR, please contact, CPSR, P.O. Box 717, Palo
Alto, CA 94302, call 415/322-3778 or email cpsr@csli.stanford.edu.

------------------------------

Date: Wed, 24 Mar 93 09:47:07 -0800
From: Teresa Lunt
Subject: intrusion detection workshop

                  ELEVENTH INTRUSION DETECTION WORKSHOP

                        CALL FOR PARTICIPATION

A two-day workshop on intrusion detection will be held at SRI
International in Menlo Park, California on May 27-28, 1993, which are the
Thursday and Friday following the 1993 IEEE Symposium on Research in
Security and Privacy in Oakland, California.  This will be the eleventh in
a series of intrusion-detection workshops.

The workshop will consist of several short presentations as well as
discussion periods.  If you have any progress to report on an
intrusion-detection project or some related work that would be
appropriate for a short presentation, please indicate the title and a
paragraph describing your proposed talk on the form below.  You can also
indicate there your suggestions for discussion topics.  Of course, you do
not have to make a presentation to attend; all are welcome!

If you and/or your colleagues wish to attend, please RSVP using the
attached form.  Please email the completed form to Liz Luntzel at
luntzel@csl.sri.com.
For other questions, please call Liz Luntzel at 415-859-3285 or send us a
fax at 415-859-2844 or email at luntzel@csl.sri.com.

There will be a $100 charge for the workshop.  This fee includes lunches
in SRI's International Dining Room.  Please send your check to Liz
Luntzel, SRI International, 333 Ravenswood Ave, Menlo Park CA 94025 USA.

The workshop will begin at 9am and will conclude at 5pm on Thursday, and
will be from 9am to 2pm on Friday.

SRI is located at 333 Ravenswood Avenue in Menlo Park.  The workshop will
be held in room IS109, which is in the International Building.

To get to SRI:

From highway 101:

From I-101, take Willow Road (Menlo Park) west to Middlefield Road
(approx. 1 mile).  Turn right onto Middlefield Road.  Go one block and
turn left onto Ravenswood Avenue.  SRI Building A (red brick building) is
1/4 mile up Ravenswood Avenue, on the left.  The address is 333 Ravenswood
Avenue.

From I-280:

From I-280, take Sand Hill Road (east towards Menlo Park).  Follow Sand
Hill Road to Junipero Serra and turn left.  Bear right at the next light,
and turn right at the stop sign onto Santa Cruz.  Take Santa Cruz to El
Camino and turn right.  Then take the first left, onto Ravenswood.  Cross
the railroad tracks.  SRI is at 333 Ravenswood, on the right.  If you
continue along Ravenswood along Middlefield, you will come to the
conference parking area at the corner of Ravenswood and Middlefield.

From Central Expressway:

From Central Expressway, go north towards Menlo Park all the way to where
it merges with El Camino Real.  Continue north on El Camino, staying in
the right lane, for a few blocks, and turn right onto Ravenswood Ave.
Cross the railroad tracks, and after the first light look for SRI on your
right.  SRI is at 333 Ravenswood.

Visitors may park in the small visitors lot in front of Building A or in
the conference parking area at the corner of Ravenswood and Middlefield
(where there is lots of space).
The workshop will be held in the International Building, the white
concrete structure on Ravenswood to the East (closer to Middlefield) of
Building A.  Visitors should sign in at International Building
receptionist---from the parking lot go up the steps into the courtyard;
it's on the left.

--------------CUT HERE AND RETURN TO LUNTZEL@CSL.SRI.COM----------------

                  ELEVENTH INTRUSION DETECTION WORKSHOP

Yes!  I will attend the Intrusion-Detection Workshop May 27-28 at SRI.

Please complete the following:

Name:

Title:

Affiliation:

Address:

Indicate one:  I [will/will not] present a talk.

Please complete the following:

Title of Talk:

Abstract:

Suggestions for Discussion Topics:

------------------------------

End of PRIVACY Forum Digest 02.10
************************