PRIVACY Forum Digest     Saturday, 10 July 1993     Volume 02 : Issue 24

         Moderated by Lauren Weinstein (lauren@vortex.com)
               Vortex Technology, Topanga, CA, U.S.A.

                      ===== PRIVACY FORUM =====

      The PRIVACY Forum digest is supported in part by the
         ACM Committee on Computers and Public Policy.

CONTENTS
        SSN on library/ID card at U of Texas (Jonathan Thornburg)
        Privacy in the Great West (Brett Glass)
        Social Security numbers and passwords (Willis H. Ware)
        Social Security numbers on the Internet (Brett Glass)
        Bank Procedures Encourage Risky Behavior by Card Holders (Nelson Bolyard)
        American Express recognizes privacy concerns (Andrew Shapiro)
        CPSR Workplace Privacy Testimony (Dave Banisar)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
 *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 02, ISSUE 24

   Quote for the day:

        "Sorry about that, Chief!"

                        -- Maxwell Smart [CONTROL Agent 86] (Don Adams)
                           "Get Smart" (1965-1970)

----------------------------------------------------------------------

Date: Fri, 2 Jul 93 19:00:41 -0500
From: jonathan@hoffmann.ph.utexas.edu (Jonathan Thornburg)
Subject: SSN on library/ID card at U of Texas

A sad-but-true example of egregious misuse of SSNs:

The University of Texas at Austin generally prints one's (full) SSN on one's library/ID card. This makes it visible anytime one shows ID and anytime one checks out a library book. What's worse, the library/ID card number is used as a key in just about *all* library transactions, including lots that leave paper trails (e.g. book call-in/hold/renewal requests).

So far as I know, the only way around this is not to have an SSN when you receive a library/ID card. In such a case they will assign a 9-digit number of their own.
Unfortunately, I didn't find this out until after I acquired an SSN. I spoke to a supervisor at the ID center, and was told that the SSN was "required". I debated fighting it, but decided in this case to surrender, partly because I'll be leaving UT permanently in the near future.

However, on a happier note, the credit union had no objections at all to switching my account number from my SSN to something else, so at least my SSN isn't emblazoned (in magnetic ink, no less) on my cheques...

- Jonathan Thornburg  or
  [until 31/Aug/93] U of Texas at Austin / Physics Dept / Center for Relativity
  [thereafter] U of British Columbia / {Astronomy,Physics}

------------------------------

Date: Thu, 1 Jul 93 09:38:03 -0700
From: rogue@remarque.berkeley.edu (Brett Glass)
Subject: Privacy in the Great West

I am in the process of relocating from the West Coast to the West, and have been amazed by the extent to which western states (e.g. Wyoming and Colorado) lag behind the others in privacy protection. As I deal with the logistics of signing up for gas, water, telephone, electricity, and other essentials, I have been dismayed by the lengths to which private businesses -- and organizations which sell their databases of customer information -- will go to acquire your Social Security number, the key to the credit reporting agencies' dossiers on you and your private affairs.

When I called telephone provider US West to establish service, for instance, the second piece of information the representative wanted -- after the address where I wanted service -- was my Social Security number. When I politely declined to provide that number (but told him that he was welcome to check my payment record with my current phone company), he said he would put my request "on hold." He then transferred me to a line that rang continuously with no answer. I called back and described this experience to a different representative. She muttered "That jerk!"
and proceeded to re-enter my request (which the first representative had actually deleted from the computer). As I ordered service, I was informed that it cost $2.50 per month to obtain an unlisted number (far more than on either coast).

The electric company was a little more graceful about giving me service without a Social Security number, but the gas company -- which insisted that its forms be filled out "in full" -- wouldn't budge. (I still need to contact a supervisor to arrange for service, and may need to pay a deposit.)

The problem is also pervasive among retailers. When I entered a store and attempted to pay by check or credit card, they would routinely request a Social Security number and insist that I pay cash if I refused to supply it. (This was for transactions as small as $5!) There is no law there, as there is in California, that prevents a retailer from demanding and recording excessive personal information before allowing a check or credit card purchase.

Finally, an issue which seems to know no geographical boundaries but is worse in states where privacy is not respected: keeping one's Social Security number under wraps when buying a house appears to be almost impossible. The realtor wants to enter it into the National Association of Realtors' database (and, in fact, attempts to get you to agree to this when you sign a contract). The title company wants it on the deed, and your insurer wants it before he will provide homeowner's insurance. In truth, the only player in the transaction that appears to be legitimately entitled to have your Social Security number is your mortgage lender, who needs it for tax purposes. Alas, too many lenders will supply it to anyone else who requests it -- especially other parties in the real estate transaction.

None of this has affected my intention to move, but this information has injected a dose of realism into the West's image as a laissez-faire culture where individual privacy is respected.
Apparently, folks won't pry -- so long as you'll willingly the key to all of your personal information.

--Brett Glass

------------------------------

Date: Fri, 02 Jul 93 14:54:07 PDT
From: "Willis H. Ware"
Subject: Social Security numbers and passwords

Ohringer@DOCKMASTER.NCSC.MIL asks about the use of some or all of one's SSN as part of a scheme to assign computer passwords. The scheme is not described in enough detail to really answer his questions, but some comments are possible. It might be an innocuous or a dumb idea depending upon details of the usage.

1. First, if the last 4 digits are supposed to uniquely point to a password, it follows that at most 10,000 employees can be handled. Worse, though, there is a reasonable probability that there will be duplication among the 4-digit tails of some random collection of employees. Unless the 4 digits were combined with something else, the mapping into passwords might not be unique. If duplication must be avoided, then the company must be prepared to assign alternate numbers, so why not base the scheme entirely on a company's own employee-number scheme?

2. Why use the SSN? Probable answer: the company already has SSNs in the personnel-records database. It is too lazy or indifferent or foolish to make up some unique anonymous numbering system for itself.

3.
>> .. Is this an acceptable use of (part of) social
>> security numbers?

Depends upon personal opinion only. I think it unwise, if not dumb, especially for what would appear to be a very minor advantage that could be gained. There is no law that says you cannot do this unless your state happens to have one. Even then the law will almost certainly refer to "the SSN" and not concern itself with usage of a part of the number.

>> .................. What precedents exist for allowing or
>> prohibiting such use? What precedent is set by this proposed use?

There are no legal prohibitions against use of the SSN within the private sector for record-keeping purposes.
We all know that in spades. There are a few legal requirements which mandate the use of SSN; e.g., financial transactions which involve tax consequences. If the company that is considering this is a Fortune 500 and if the scheme became public knowledge, there might be a small temptation for others to follow. If the company in question is a small family business in rural Maryland, there is probably no precedent of importance.

I point out that if the actual 4 digits of the SSN were traceable through or derivable from the password and if the password becomes compromised [i.e., known to a 3rd party], then 4/9 of the SSN is revealed. It might not be too difficult to construct the rest of the 9 digits. The format of the SSN is known, the significance of the various digit combinations is well known, and employment or family history might be enough to deduce the others. But then some people don't consider an SSN to be a sensitive data element; a lot of others do however.

>> I look forward to reading how readers would react if they faced such a
>> proposal.

Lauren would properly decline to print my explicit views of a management that is seemingly so careless, so casual, so indifferent, so unwise, so foolish, so unbelievably ill informed and so unimaginative as to propose the use of the SSN for a trivial purpose with seemingly so little payoff, or for that matter to propose its use for any purpose other than for which it is legally required.

For a good history and review of the SSN usage, see the report of the Privacy Protection Study Commission, chapter on SSN.

Willis H. Ware
Santa Monica, CA

------------------------------

Date: Fri, 2 Jul 93 22:57:06 -0700
From: rogue@remarque.berkeley.edu (Brett Glass)
Subject: Social Security numbers on the Internet

The last issue of PRIVACY Forum Digest contained several messages which suggested that the use of Social Security numbers as passwords is a bad idea.
Ironically, there may be thousands of users on the Internet right now whose Social Security number is used not as their password but as their user ID! Many academic institutions use the SSN as a student ID number, which then becomes an account name when the student applies for a computer account. From then on, each time the student sends an electronic mail message, posts to a Usenet newsgroup, or even appears on the list generated by the FINGER command, his or her SSN is revealed.

Not exactly the best way to protect students' privacy.

--Brett Glass

------------------------------

Date: Fri, 2 Jul 93 16:18:16 -0700
From: nelson@bolyard.wpd.sgi.com (Nelson Bolyard)
Subject: Bank Procedures Encourage Risky Behavior by Card Holders

Suppose you received a message on your residence answering machine that said "My name is at and I need to talk to you as soon as possible about your credit card. Please call me at 1-800-xxx-xxxx. It's really important." What would you do??

Let's take the scenario one step further. You call the 800 number (that you've never seen before, and isn't known to you as belonging to your bank) and get a recording that says something like "Welcome to Bank Card Services. In order that we may properly route your call, please enter your credit card number now." You have no real idea whose machine you're listening to. It didn't even identify itself as belonging to your bank, which is highly suspicious. Do you enter your card number?

Let's go yet another step further. After entering your credit card number, the machine next asks you to enter the last 4 digits of your Social Security Number, which you know your bank uses as a (very poor) authenticator, and is essentially the closest thing to a password that you have with your bank. Do you enter the last 4 digits of your SSN as requested?
Given that most readers of this list are more wary of privacy and security concerns than the average Joe (and Jane), chances are very high that you would have stopped without entering your SSN and hung up, and perhaps you would have called your bank to find out what's going on. Clearly, it's very possible that someone has set this system up to defraud you by using your remaining credit balance, and has asked you to supply them with everything they need to accomplish it. Nothing they've told you gives you any real assurance they're legitimate. They may very well be relying on the fact that most folks will be really scared that something has gone wrong with their credit account, and in their adrenaline-pumped frenzy will be in such a rush to get it cleared up that they'll ignore the warning signs, and supply all the info.

Well, this is not merely an imaginary exercise. This actually happened to a member of my household last Sunday. Fortunately, I was there, and was able to add reason to the situation, and successfully fought the apparently panic-driven desire to answer any question asked (by the machine) on the way to finding out what had gone wrong with the credit card. After being asked for the SSN, we terminated the call, and we called the phone number on the back of the credit card. To my surprise, we got a machine with an almost identical recording (and same voice) except this time it identified itself as belonging to Bank of America, and so then we felt safe in answering the questions (because we had called a known good number, not because it named the bank).

The bank personnel (to whom we finally talked after completing the maze of questions asked by the machine) were consumed with the desire to authenticate us, and asked us to repeat the SSN info which we had already entered, but seemed shocked that perhaps we might legitimately wonder if they were who they claimed to be.
They were hesitant to let us speak with the person who called us, but did at least acknowledge that she is a real employee.

One would think that a legitimate bank would have left a different message, asking the card holder to call a phone number listed in the phone book, or appearing on a recent bank statement, so that the card holder would have some reason to think that s/he was really dealing with her/his bank, and not some other party. One would think that the message might have also explained why this call was desired (e.g. to report a lost credit card). I mention this because after entering card number and SSN number, the machine asked if we were calling to report a lost/stolen card, or to obtain a credit balance. We had to guess that it had something to do with being lost or stolen.

One would think that, because they eat much of the cost of credit card fraud, banks would have some incentive to use fraud-resistant procedures for dealing with their card holders, and would encourage their card holders to never give out their "password" information to incoming callers, or to people (and machines) whom they call, unless they are certain that they've called the bank. But apparently they do not care if their card holders get swindled or not.

I attempted to complain to the department supervisor about the shoddy security practices, but was told I needed to call another number to complain. I have not been able to successfully reach that supervisor since then.

Perhaps a list of which banks follow good security practices (e.g. don't use readily obtainable information, such as SSNs, for passwords, and encourage their customers to be aware of fraud and use fraud-resistant procedures to deal with emergencies) would be useful to the readership of this list. Anybody have such a list?

-- 
Nelson Bolyard  MTS  Advanced Networking Lab  Silicon Graphics, Inc.
nelson@sgi.COM  {decwrl,sun}!sgi!whizzer!nelson  415-390-1919
Disclaimer: I do not speak for my employer.
------------------------------

Date: Wed, 7 Jul 93 10:48:30 MDT
From: shapiro@marble.Colorado.EDU (Andrew Shapiro)
Subject: American Express recognizes privacy concerns.

At last some good news on the privacy frontier. American Express sent me a postage-paid mailer entitled, "An Important Notice To Our Cardmembers Concerning Privacy, Mailing and Telemarketing Options." The gist of the mailer is, we keep lists of your habits and try and sell you things based on these lists. I quote from the flyer:

   Cardmembers tell us they appreciate receiving these special offers, as well as information on Cardmember benefits. However, if for any reason you no longer wish to receive these offers, you may select from among the following options:

   * Please exclude me from American Express mailings, including new option Cardmember benefits and American Express Merchandise Service catalogs.

   * Please exclude me from mailings by other companies, including offers in cooperation with American Express provided by establishments that accept the Card.

   * Please exclude me from lists used for telemarketing.

At least they recognize that there is a portion of the population who are not interested in having their personal spending habits used for marketing purposes.

-Andrew T. Shapiro                    shapiro@spot.colorado.edu
 CSES/CIRES University of Colorado    shapiro@cses.colorado.edu
 Campus Box 449                       (303) 492-5539
 Boulder, CO 80309-0449

------------------------------

Date: Fri, 2 Jul 1993 16:00:05 EST
From: Dave Banisar
Subject: CPSR Workplace Privacy Testimony

Prepared Testimony and Statement for the Record of
Marc Rotenberg, Director, CPSR Washington office,
Adjunct Professor, Georgetown University Law Center
on H.R. 1900, The Privacy for Consumers and Workers Act
Before The Subcommittee on Labor-Management Relations,
Committee on Education and Labor, U.S. House of Representatives
June 30, 1993

Mr. Chairman, members of the Subcommittee, thank you for the opportunity to testify today on H.R.
1900, the Privacy for Consumers and Workers Act. My name is Marc Rotenberg and I am the director of the CPSR Washington office and an adjunct professor at Georgetown University Law Center where I teach a course on information privacy law.

Speaking on behalf of CPSR, we strongly endorse the Privacy for Consumers and Workers Act. The measure will establish important safeguards for workers and consumers in the United States. We believe that H.R. 1900 is particularly important as our country becomes more dependent on computerized information systems and the risk of privacy abuse increases.

CPSR has a special interest in workplace privacy. For almost a decade we have advocated for the design of computer systems that better serve the needs of employees in the workplace. We do not view this particular goal as a trade-off between labor and management. It is our belief that computer systems and information policies that are designed so as to value employees will lead to a more productive work environment and ultimately more successful companies and organizations. As Charles Hecksher of the Harvard Business School has said, good managers have no use for secret monitoring.

Equally important is the need to ensure that certain fundamental rights of employees are safeguarded. The protection of personal privacy in the information age may be as crucial for American workers as the protection of safety was in the age of machines. Organizations that fail to develop appropriate workplace privacy policies leave employees at risk of abuse, embarrassment, and harassment.

The concern about workplace privacy is widely felt in the computer profession. This month MacWorld magazine, a leading publication in the computer industry, released a special report on workplace privacy. The report, based on a survey of 301 companies in the United States and authored by noted science writer Charles Piller, made clear the need for a strong federal policy.
Among the key findings of the MacWorld survey:

> More than 21 percent of those polled said that they had "engaged in searches of employee computer files, voice mail, electronic mail, or other networking communications."

> "Monitoring work flow" is the most frequently cited reason for electronic searches.

> In two out of three cases, employees are not warned about electronic searches.

> Only one third of the companies surveyed have a written policy on privacy.

What is also interesting about the MacWorld survey is the high level of concern expressed by top corporate managers about electronic monitoring. More than a half of those polled said that electronic monitoring was either "never acceptable" or "usually or always counterproductive." Less than five percent believed that electronic monitoring was a good tool to routinely verify honesty.

These numbers suggest that managers would support a sensible privacy law. Indeed, they are consistent with other privacy polls conducted by Professor Alan Westin for the Lou Harris organization which show that managers are well aware of privacy concerns and may, with a little prodding, agree to sensible policies.

What would such a policy look like? The MacWorld report also includes a model privacy policy that is based on several U.S. and international privacy codes. Here are the key elements:

> Employees should know what electronic surveillance tools are used, and how management will use the data gathered.

> Management should minimize electronic monitoring as much as possible. Continuous monitoring should not be permitted.

> Data should only be used for clearly defined, work-related purposes.

> Management should not engage in secret monitoring unless there is credible evidence of criminal activity or serious wrongdoing.

> Data gathered through monitoring should not be the sole factor in employee evaluations.
> Personal information gathered by employers should not be disclosed to any third parties, except to comply with legal requirements.

> Employees or prospective employees should not be asked to waive privacy rights.

> Managers who violate these privacy principles should be subject to discipline or termination.

Many of these provisions are contained in H.R. 1900, the Privacy for Consumers and Workers Act. Clearly, the policies and the bill itself are not intended to prohibit monitoring, nor to prevent employers from protecting their business interests. What the bill will do is help establish a clear framework that ensures employees are properly notified of monitoring practices, that personal information is not misused, and that monitoring capability is not abused. It is a straightforward, sensible approach that does not so much balance rights as it clarifies interests and ensures that both employers and employees will respect appropriate limitations on monitoring capability.

The need to move quickly to establish a framework for workplace privacy protection is clear. Privacy problems will become more acute in the years ahead as new monitoring schemes are developed and new forms of personal data are collected. As Professor Gary Marx has made clear, there is little that can be imagined in the monitoring realm that cannot be achieved. Already, some members of the computer profession are wearing "active badges" that provide full-time geographical monitoring. Properly used, these devices help employees use new tools in the hi-tech workplace. Improperly used, such devices could track the physical movements of an employee throughout the day, almost like a blip on a radar screen.

Computers are certainly powerful tools. We believe that they can be used to improve productivity and increase job satisfaction. But this requires that appropriate policies be developed to address employee concerns and that laws be passed, when necessary, to ensure that computer abuse does not occur.
This concludes my testimony. I would be pleased to answer your questions.

------------------------------

End of PRIVACY Forum Digest 02.24
************************