Computer Privacy Digest Sun, 21 Aug 94 Volume 5 : Issue: 024 Today's Topics: Moderator: Leonard P. Levine Re: Fingerprinting/Identfying Children Re: Fingerprinting/Identfying Children Re: Fingerprinting/Identfying Children Re: Fingerprinting/Identfying Children Re: Fingerprinting/Identfying Children Re: Fingerprinting/Identfying Children Re: Fingerprinting/Identfying Children Multiple SSNs Sprint Voice card and SSN Re: SSN Dial In Database Microsoft "Chicago" OS Wanted: Info on Electronic Address Privacy Privacy Issues in Telecommunications - Australia Re: Bank of Canada opposes widespread availability of cash machines Re: Internet White Pages Re: Answering Machine Features --------------------------------------------------------------------- Housekeeping information is located at the end of this Digest. ---------------------------------------------------------------------- From: "Willis H. Ware" Date: 12 Aug 94 15:51:14 PDT Subject: Re: Fingerprinting/Identfying Children Mike Fischbein recently wrote in part as follows: I wouldn't mind being fingerprinted; that's pretty much only useful for positive ID purposes. I've had several (different jobs, different agencies) high security clearances, and been fingerprinted for each, as well as when I was active duty Navy. I wouldn't have been upset at all about fingerprinting. Many of us have been repeatedly fingerprinted for the same set of reasons but all of our views and emotions about the process arise for experience with a system based in an era of paper, and very little automation. Suppose that all fingerprints were in digital form, hence could readily be transported from place to place by the ample wide band communications coming into place, become entries in all data systems which were concerned with identification (e.g., credit files, bank accounts, entitlement databases), had little legal protection against usage by private sector organizations, and were carried on smart cards along with a lot of other personal data. In other words, suppose that digital fingerprints became as ubiquitous as the SSN; i.e., prescribed for some purposes (e.g., taxpayer ID), permissive for others (e.g., state data systems), but uncontrolled otherwise (e.g., private sector). What then would be Mike Fischbein's views? Or mine for that matter? Would they change? And how? My point. So many of our attitudes toward fingerprints, SSNs, data bases, privacy, ....... have been shaped by our past experiences, especially those of a largely paper world. We must be extraordinarily cautious in extrapolating the past to the highly automated data-intensive future, and especially we must be cautious about using arguments that were valid for a paper world to promote or accept attitudes and public policies for the future. First-rate example: public records. As paper systems, they provided important data for local access and they were not coupled to one another. Hence, dissemination was inherently limited and controlled by the physical attributes of the data system and the paper medium. Today, we have rapid computerization, linking of systems, ready remote access, sales of such material, assembly of data from individual records into composite ones..... Public records collectively have become a major input to dossier-level records on individuals, and are a growing source of concern about privacy-related infractions. What we thought about them in the past, and the laws that we created to generate and control them may require significant alteration for the future. Willis H. Ware Santa Monica, CA ------------------------------ From: John Medeiros <71604.710@compuserve.com> Date: 12 Aug 94 22:57:38 EDT Subject: Re: Fingerprinting/Identfying Children Two thoughts. First, JB Wood (jbwood@chemical.watstar.uwaterloo.ca) wrote: Fingerprinting is a lot more serious and I would NEVER submit to any gov't agency retaining my prints (voluntarily). About 8 years ago, my mom thought it was a good idea when the police offered the free service one weekend at the mall. They said it was to help find missing children, but in my mind they just wanted to be able to use future technologies to I.D. anybody by computer. There is no problem if, as is usual, the parents retain the fingerprint card. I had my daughter fingerprinted and held on to the cards (had two made), just in case... Second, poivre@netcom.com (Poivre) wrote: I have always wondered about fingerprinting children against kidnapping. What good does fingerprinting do in recovering live, coherent abductees? The fingerprints of very small children (under 5 or 6) become essential in proving that the recovered child is in fact a particular missing child. As Poivre pointed out, without the fingerprints, this becomes increasingly difficult with the passage of time. With current fingerprint technology, fingerprints of victims are computerized, and when possible victims are located, their fingerprints can be be used to query for possible matches. This would allow a child found on the east coast under suspicious circumstances to be identified as a child missing from the west coast 3 years before. No manual system could possibly make such a match. And unfortunately, as Poivre also pointed out, fingerprints are also used to identify unkown corpses. It may be small consolation, but victim parents want some resolution, even if it means finally acknowledging that there child is gone. And positive identifications in these cases are equally important. ------------------------------ From: nuessle@vax1.umkc.edu Date: 12 Aug 94 22:23:05 CST Subject: Re: Fingerprinting/Identfying Children Organization: University of Missouri - Kansas City JBWOOD stated: Fingerprinting is a lot more serious and I would NEVER submit to any gov't agency retaining my prints (voluntarily). About 8 years ago, my mom thought it was a good idea when the police offered the free service one weekend at the mall. They said it was to help find missing children, but in my mind they just wanted to be able to use future technologies to I.D. anybody by computer. The legitimacy of child identification programs varies, but does Not necessarily involve any government agency retaining the records. The fingerprints, pictures, videotapes, etc. that may be created in these programs are often given to the parents for use if they are needed, with no copies kept by the government or any other organization. * -.- .- ----- --.. .- .--. * Nick Nuessle, PE * nuessle@vax1.umkc.edu * Only my viewpoints Perpetual Student * * unless noted. UMKC: Pushing back the Frontiers of Ignorance in the Fly-Over Zone ------------------------------ From: dunn@nlm.nih.gov (Joe Dunn) Date: 15 Aug 94 21:55:29 GMT Subject: Re: Fingerprinting/Identfying Children Organization: NLM/NCBI an64344@anon.penet.fi wrote: Then I got to a form that was titled Fingerprint Authorization. It read similar to the following, but this is from memory: "I voluntarily give authorization to be fingerprinted, and give permission my fingerprints to be used in a manner deemed necessary by ." "I understand that I do not have to have my fingerprints taken and this will not affect any current or future employment with ." If the offer sheet you received from the bank does not put in it conditions of employment that you must provide your fingerprints you can not compel you to provide this information. If they refused to give you the job based on your refusal to provide them your fingerprints than you have the right to sue them for wrongful termination. If presented with a situation like this again, sign your name, but annotate that you are being compelled under threat of job loss and state the name of the person forcing you to sign. You are leaving yourself open in the event a problem occurs in t the future, legally. That form will be used against you in court, if necessary, and your signature will be the only thing the jury sees. Whoever the bozo was who forced you to sign it will swear up and down that you were in no way coerced into signing. They rely very heavily on your caving in under threat of losing you job, who wouldn't? You showed a lot of fortitude standing up to them as much as you did, as the guy said, most sheeople just go ahead an sign it... ------------------------------ From: bsmart@bsmart.tti.com (Bob Smart) Date: 16 Aug 1994 00:04:57 GMT Subject: Re: Fingerprinting/Identfying Children Organization: Citicorp+TTI poivre@netcom.com (Poivre) writes: If someone could explain to me the benefits of fingerprinting children other than what i've said above, i'd like to hear it. Otherwise, its almost useless. Well, I'm not sure that positive ID of a child's corpse is "almost useless." It's not as useful as recovering a live child, but spending the rest of your life wondering what happened to your child (or to your sibling) has got to be painful. Also, conclusively identifying a dead child might still help in catching the kidnapper--who might well be about to repeat the process with some other kid. Again, not as useful as preventing any kidnappings from happening in the first place, but still a long way from "almost useless." Beyond postmortem use, however, what about situations where you have some reason to suspect that a child is with the wrong person, but you can't quite prove it? You have reason to doubt me when I tell you that this child is mine, you might even suspect that the child is kidnapped...so you run the kid's prints and discover that your intuition was correct. I might have pretty convincing stories about the fire that destroyed our only copy of the birth certificate, the tragic death of all the relatives who could have vouched for my being his father...but if those prints match the prints of a child listed as missing, no amount of tapdancing will get me off the hook. The prints alone won't solve anything, since print matching isn't normally done when doing things like registering for school, but if you were suspicious of me for some other reason, having the prints or not having them might mean the difference between getting me and not getting me. I think that sounds pretty useful. Works the other way, too: if my child happens to look very similar to one who's missing, but my kid's prints don't match the missing kid's prints, then you can stop considering me as a suspect in the other kid's disappearance because you can be certain that the kid with me isn't the one you're looking for. -- A fanatic is someone who does what he knows that God would do if God knew the facts of the case. ------------------------------ From: PHILS@RELAY.RELAY.COM (Philip H. Smith III) Date: Tue, 16 Aug 94 07:00:08 EDT Subject: Re: Fingerprinting/Identfying Children poivre@netcom.com (Poivre) wrote: I have always wondered about fingerprinting children against kidnapping. I can think of a lot of uses for latent prints: identifying where a child has been; identifying a child too small to identify him/herself; identifying a wounded, unconscious child. As well as, of course, the sad example you suggested, of a corpse. True, it doesn't *prevent* kidnapping -- but nobody ever suggested it did. wmccarth@t4fsa-gw.den.mmc.com (Wil McCarthy) wrote: I'm concerned that the clerk is no longer permitted to exercise judgment of any sort, and that the specter of underage drinking is _so_ terrible that every shopper must be inconvenienced to prevent it. I'm also concerned that the process is 50% automated at this point. Much simpler if you just surrender your license at the start, yes? The computer will give it back to you if you haven't broken any laws... Sure the clerk can authorize judgement: if (s)he doesn't think you're worth carding, (s)he can hit ENTER or whatever on the register to say "OK, I checked the stupid card". No need for you to display anything. I'd be more concerned about clerks without brains ... ------------------------------ From: Rich24@aol.com Date: 21 Aug 94 15:40:16 EDT Subject: Re: Fingerprinting/Identfying Children The past few issues have contained postings about fingerprinting, advertising, and privacy in general. I find these conversations interesting because they reflect a very parochial view of the world as it exists today. There is a price to pay for services used, and if one wants to use those services then he/she must pay the price. The costs are more than financial, they are also "informational." If you want the convenience of using a credit card or a checking account, then you, by using these services, surrender some of your privacy. If you don't want others to know about you, your buying practices, etc., then don't use the services. Remember, selling your information helps to pay for the services. And no one is going to provide the service without making some money off of it. Finger printing children is only useful for identifying corpses. I have yet to hear of a case where finger prints have been of any other value. But then all the scare about children being kidnapped is greatly overblow. There are really very few cases of true abductions by total strangers. The vast majority of children "abducted" are really taken by a parent involved in a custody case. ------------------------------ From: cybrland@aol.com (Cybrland) Date: 14 Aug 1994 22:39:03 -0400 Subject: Multiple SSNs Organization: America Online, Inc. (1-800-827-6364) What prevents a person from going the the SS Admin and getting a 2nd, 3rd, or Nth, SSN? Is there some number that THEY match with your SSN? ------------------------------ From: dunn@nlm.nih.gov (Joe Dunn) Date: 15 Aug 94 21:41:41 GMT Subject: Sprint Voice card and SSN Organization: NLM/NCBI A little bit of a follow up to my previous posting, I don't have a voice card because I don't believe in giving out my SSN even if it's a good idea. The fundimental reason that the SSN is used rather than a self generated number is to ensure separation between two sound-alike voices being misinterpreted. Part of the system is a user can input a list of names to call, such as call home. The user says call home and the system dials the pre-stored number. If it is someone who sounds like you and go thru accidently, he would be talking to your wife, kids, what have you. Talk about an invasion of privacy. I don't carry my SS card, never have. I have never been approached by someone asking for my SS card, and wouldn't give it to them anyway. So, not concerned with someone getting my SS number to use with the system if I used it. One posting is the primary reason I don't use it. That is someone could sit in an airport and write down everyone's SSN. We all know how lethal that would be in the wrong hands. BTW, I am very curious about the SIN in Canada. I saw that last year that Canada also started taxing the "wealthy" recipients of SIN, along the same lines imposed in the US. Is the SIN in as bad a shape as the SS system? At least, that's what we're told. In order to save the SS system this tax is necessary. You all fed the same line?? Or am I just being conspiratorial that all these events seem to happen simulaniously?? ------------------------------ From: todd@meaddata.com (Todd Leonard) Date: 16 Aug 1994 00:31:12 GMT Subject: Re: SSN Dial In Database Organization: Mead Data Central, Dayton OH Glen Roberts (glr@ripco.com) wrote: Now, there is something new. SSN-BASE, a public, free, interactive SSN database. It's easy to check out. Just call from your modem (2400 baud): (708) 838-3378. I tried this service. First, I entered a number that "looked like" a SSN, to which it replied something to the effect of "I've never heard of that, but I'll add it to the database". Next I tried 000-00-0000, and then 123-45-6789, both of which were found, leading me to suspect somebody before me had tried the same experiment. I'm glad I didn't try a real SSN, particularly my own. Such a system could clearly be used to collect SSNs and use them illicitly, if that were the motive of the providers. This presents a risk similar to the fake ATM machines used to collect PINs... -- Todd Leonard --- todd@meaddata.com --- http://www.meaddata.com/~todd If you see a good fight, get into it... - Vernon Johns ------------------------------ From: dpbsmith@world.std.com (Daniel P. B. Smith) Date: 13 Aug 1994 00:04:01 GMT Subject: Microsoft "Chicago" OS Organization: The World Public Access UNIX, Brookline, MA Press reports about the Microsoft "Chicago" (DOS 7.0) operating system suggest that it will have an automated version of the traditional marketing information reply card in it. If you have a modem, it will encourage you to fill in an electronic on-screen form (the usual age, job, is this for home or office, will you use it for spreadsheets or games, etc). Apparently it will also query your system automatically for hardware configuration. I'm sure the intent is pretty innocuous--make it easier for people so the response rate will be higher; don't ask the user, who may not even be sure how much RAM or what kind of display adapter they have, when the program can just find out for itself. It wouldn't surprise me if it presented a plug for Microsoft's upcoming on-line service. But the implications are kind of interesting. Seems like the Prodigy STAGE.DAT thing, but for real. How far does it go? How far _could_ it go? Will it tell Microsoft if you have WordPerfect loaded on your disk, so they can send you an extra-special competitive upgrade offer? Will it time your keystrokes and tell Microsoft whether you're a fast typist? If you have 8 meg, will they sell your name to a RAM vendor so they can advertise upgrades? Will it search your disk for files with a .GIF extension and upload them to Microsoft to add to Bill Gates' personal collection? :-) -- Daniel P. B. Smith dpbsmith@world.std.com ------------------------------ From: vimrich@athena.mit.edu (Vernon R Imrich) Date: 15 Aug 1994 19:30:10 GMT Subject: Wanted: Info on Electronic Address Privacy Organization: Massachusetts Institute of Technology I'm looking for information (FAQ's, sites, book reviews, personal methods, or whatever) on how to prevent people from tracing the origin of a person's posts. I know of (at least) one "anonymous" server (anon.penet.fi) but their method seems merely to redirect incoming posts to desired targets from numbered accounts. This seems pretty unreliable (particularly if someone gets a hold of the account files somehow) and in the case of penet.fi the posts take forever (based on a few trial runs at least) presumably due to massive traffic. Also, I have heard rumors lately that hackers have jeopardized the anonymity of such systems. I know there are other methods (forging addresses for one) but do not know how they work, nor if they are reliable and/or ethical/legal (i.e. I'm not interested in framing anyone with false posts, my interest is privacy). I'd like to find any information on such methods (e.g. Can "experts" locate where it "really" came from? or narrow it down? Can the methods be applied from "commercial internet email providers" such as Delphi, etc.?) It seems to me that even with reliably encrypted transmissions, the feds (or whoever) can still track who is contacting who. In a case such as the AA-BBS, even if the data had been encrypted, the police would not have been hindered. If however, the "location" of the data source in electronic terms was hidden, greater privacy would have been possible. Only the receiver of the data would have had to worry about the local laws (IMHO a good side effect). If PGP and data encryption is the electronic equivalent of an envelope on a snail mail letter, what is the electronic equivalent of not including a return address? Any pointers out there? Thanks. -------------------------------------------------------------------- | Vernon Imrich | market failure, n. The inabilty of the | | MIT OE, Rm 5-329b | market to recover from a blow by | | Cambridge, MA 02139 | intervention. (the Exchange) | -------------------------------------------------------------------- ------------------------------ From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Date: 16 Aug 94 07:44:57 EDT Subject: Privacy Issues in Telecommunications - Australia from the Australian Associated Press newswire (94.08.16 @ 15:32 Australian time) via CompuServe's Executive News Service (GO ENS): Privacy Issues in Telecommunications to be Examined By Jennifer Ezzy of AAP "SYDNEY, Aug 16 AAP - Telecommunications regulator Austel would examine privacy issues raised by the rise of new technological services such as Pay TV, mobile phones and modem communications, Federal Communications Minister, Michael Lee, announced today. "The call for an advisory committee comes 18 months after an Austel report recommended a volunteer co-regulatory approach to telecommunication services yet almost three years before the 1997 deregulation deadline to allow more players into the industry." The author provides the following key points in her article: o The Minister spoke at a conference in Sydney entitled, "Converging On Telecommunications: Consumers And The 1997 Review". o `"The issues that I will ask Austel to take up as a matter of priority are protection of customer personal information, caller identification and telemarketing," Mr Lee told a conference in Sydney today on changes after 1997.' o According to Mr Lee, the Telecommunications Act prohibits "carrier employees from disclosing customers' particulars, including silent numbers. o A recent trial of caller-ID in Wauchope, New South Wales was well received. o There is currently no law in Australia governing the use of automatic diallers and recorded marketing messages. o The Minister "said consumers subjected to this form of marketing must be in a position to terminate such calls." M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn / Carlisle, PA ------------------------------ From: skypatrl@crl.com (Albert Zhou) Date: 20 Aug 1994 23:24:23 -0700 Subject: Re: Bank of Canada opposes widespread availability of cash machines Organization: CRL Dialup Internet Access 415-705-6060 [login: guest] ua602@freenet.victoria.bc.ca (Kelly Bert Manning) writes: A document recently obtained under Canada's Access to Information act has revealed that the Bank of Canada opposes the widespread availability of automated bank machines(gas stations, beer stores, drug stores, supermarkets, consumer electronics, etc.) dispensing $20 bills because they make the canadian currency system "inefficient". Why can't the machine dispense $50 and $100 bills? It also helps reduce the work load of human tellers. Many people want $100 bills when they withdraw several hundred dollars. If the machine can dispense them, they wouldn't probably go to the bank. ------------------------------ From: skypatrl@crl.com (Albert Zhou) Date: 21 Aug 1994 00:06:42 -0700 Subject: Re: Internet White Pages Organization: CRL Dialup Internet Access (415) 705-6060 [login: guest] jeffrey@minerva.cis.yale.edu (Jeffrey Licht) writes: I see a few issues here: * Do people posting on Usenet know that their e-mail addresses are being recorded? (I doubt it.) I know it, but I am not particularly worried. What can one do with an e-mail address? Sending junk mails? They are much easier to dispose than paper junk mails. Try to stalk me? Haha.. * Would more people post anonymously if they knew this? > * Does anyone have the right to publish this information about me. for personal gain, without contacting me first? This is currently done all the time with (snail) mailing lists - is it appropriate for the Internet? Well, it's just like phone company publishing your name, number and address. You can opt yourself out of phone book by paying $2.00 per month extra. What a good revenue source! If I were to publish this book, I'd put a message on the front page: "Don't want to be listed here? Send us $2.00". ------------------------------ From: rerodd@unity.ncsu.edu (Richard Roda) Date: 21 Aug 1994 02:19:26 GMT Subject: Re: Answering Machine Features Organization: North Carolina State University Just my $0.02 worth: I bought an answering machine at the flea market a few years that does not have ANY remote features. Its a simple, no-frills two-tape machine, and its old. Perhaps at yard sales, flea markets, etc, would be a good place to look for answering machines without the "remove" feature. BTW: It does have a button to tape the current phone conversation. ------------------------------ The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". People with gopher capability can access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Archives are also held at ftp.pica.army.mil [129.139.160.133]. End of Computer Privacy Digest V5 #024 ******************************