The following document is from the PRIVACY Forum Archive at Vortex
Technology, Woodland Hills, California, U.S.A.

For direct web access to the PRIVACY Forum and PRIVACY Forum Radio,
including detailed information, archives, keyword searching, and
related facilities, please visit the PRIVACY Forum via the web URL:

	http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest      Saturday, 17 July 1993      Volume 02 : Issue 25

          Moderated by Lauren Weinstein (lauren@vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.

                       ===== PRIVACY FORUM =====

   The PRIVACY Forum digest is supported in part by the ACM Committee
                 on Computers and Public Policy.

CONTENTS
	Bank Security Issues (Diane Barlow Close)
	Re: American Express recognizes privacy concerns
	   (payne@itd.nrl.navy.mil)
	Credit Card Security (Paul Robinson)
	Incident at a Car Rental 800 Number (Paul Robinson)
	Data-swapping between EMT and DMV (Wayne Madsen)
	Congress asked for hearings on Owens bill (James Love)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
 ***        Submissions without them may be ignored!          ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance
and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com". All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site
"ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or
"anonymous", and enter your e-mail address as the password. The typical
"README" and "INDEX" files are available to guide you through the files
available for FTP access. PRIVACY Forum materials may also be obtained
automatically via e-mail through the listserv system. Please follow the
instructions above for getting the listserv "help" information, which
includes details regarding the "index" and "get" listserv commands, which
are used to access the PRIVACY Forum archive. All PRIVACY Forum materials
are also available through the Internet Gopher system via a gopher server
on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX to
(310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 25

   Quote for the day:

	"... They're giving you a number,
	 And takin' 'way your name."

		-- From the song "Secret Agent Man", theme to
		   "Danger Man" (1961) and "Secret Agent" (1965-1966).
		   Song by P.F. Sloan and Steve Barri,
		   sung by Johnny Rivers.
----------------------------------------------------------------------

Date: Sat, 10 Jul 1993 09:34:22 -0800 (PDT)
From: close@lunch.wpd.sgi.com (Diane Barlow Close)
Subject: Bank Security Issues

Nelson Bolyard wrote:

> Suppose you received a message on your residence answering machine that
> [Typical Bank of America horror story deleted.]

What you wrote of is very, very typical of Bank of America, imho. I went
through this exact same scenario, except about using the SSN# as a
password, not about credit cards, exactly one year ago today. I see the
attitude of the "customer service" (abuse is more like it) representatives
hasn't changed:

> The bank personnel (to whom we finally talked after completing the maze
> of questions asked by the machine) were consumed with the desire to
> authenticate us, and asked us to repeat the SSN info which we had already
> entered, but seemed shocked that perhaps we might legitimately wonder if
> they were who they claimed to be. They were hesitant to let us speak
> with the person who called us, but did at least acknowledge that she is a
> real employee.

It seems that BofA routinely leaves return phone numbers with no company
identification on them. Their attitude is one of "we, the legitimate, are
trying to call you, the lowly, so you should take our word for it and call
us back pronto!" They are overprotective of their staff, but do NOT apply
the same zealous procedures to their customers or to their customers'
accounts!

> One would think that, because they eat much of the cost of credit card
> fraud, banks would have some incentive to use fraud-resistant procedures

One would think that, but I found extreme resistance to getting BofA to
employ even rudimentary fraud-check procedures like the use of a random
password instead of a SSN# for pass book checkups.

> certain that they've called the bank. But apparently they do not care
> if their card holders get swindled or not.

Bingo! That's certainly been the impression I've received!

As I mentioned much earlier, I went through almost this same scenario one
year ago. My husband's SSN# was stolen and used, along with his name, to
set up the great-credit-card-company-rip-off by some as-yet-unknown-fink.
When we found out about it and had cleared his name and credit record, we
wanted to protect our driver's license and bank accounts and stuff like
that. We had no problem getting the Big Three credit reporting agencies to
put a fraud warning in my husband's credit report, and we had no problem
getting the State to put a fraud warning/hold on my husband's driver's
license, but we had major, major problems getting Bank of America to
implement a password change! The policy was supposed to already be in
place, but it took three weeks to change a SSN# to a password, to get
locked out of the auto-phone-system (as it was "not set up for any
passwords except SSN#") and then a further FIVE MONTHS to get the phone
dweebs to ask for that password when doing stuff to our accounts!

I ended up writing one of BofA's VPs -- *that's* when I saw some action!!
(Finally!!) He not only implemented policy quickly, but saw the necessity
to change some of it for customer protection and then followed up with
secret spot checks (for three months) to make sure employees were doing
their job. He fired or transferred those that made repeated mistakes. I
was impressed, but saddened that it had to go that far for something that
was supposed to be already in place but just hadn't been used before.

Anyway, my BofA troubles didn't end there and when they messed up big time
on all three IRA transactions I decided to take my business elsewhere. I
did a huge phone interrogation of all the local banks, and the only one I
found that combined both convenience with enough security checks and
really pleasant, efficient employees was Wells Fargo. I've been really
impressed so far! I've been there 8 months now and all of my problems
have been handled speedily, efficiently and without the need for
supervisors! Heck, they've gotten things right the FIRST time!! And I was
super impressed with their ability to handle personalized passwords
instead of SSN's, although a little disappointed they limit them to 3
letters/characters. But at least it's a start!

Other banks and S&L's that came close, imho:

	Foothill
	1st Nationwide
	Eureka Bank
	HomeFed Bank

If you can go without 24-hour phone service, or don't mind limited ATM
availability, then just about any small bank or S&L whose president
resides in-house (like 1st Nationwide on San Antonio) will listen
seriously to bank/credit horror stories and then implement new, personal
policies to keep your money safe and get you feeling better. I found the
smaller banks were very keen on security, although I'm very happy with
the service I'm getting at Wells Fargo.

I'm certainly happy I'm gone from BofA!! I went through lost funds (their
fault) and scraps with the IRS due to mis-reported funds (again their
fault), and although they eventually corrected everything, it shouldn't
have happened in the first place!

If you want to stick with BofA, then I suggest you write the same VP that
I wrote to get your problems solved. Heck, you can even mention my name --
he should remember me, he sent me enough flowers! :-D

	Don Owen
	Senior Vice President, Manager, Item Processing
	611 North Brand Blvd.
	Glendale, CA 91203

> Perhaps a list of which banks follow good security practices (e.g. don't
> use readily obtainable information, such as SSNs, for passwords, and
> encourage their customers to be aware of fraud and use fraud-resistant
> procedures to deal with emergencies) would be useful to the readership

Hopefully I've been of some help! Good luck!
--
Diane Barlow Close
close@lunch.wpd.sgi.com

------------------------------

Date: Mon, 12 Jul 93 8:40:23 EDT
From: payne@itd.nrl.navy.mil
Subject: re: American Express recognizes privacy concerns

One thing to note about American Express's attention to privacy however:
When I was a Card holder, I was solicited by AMEX regularly for various
products and services (e.g., applications for the Gold Card). I used to
receive my mail at a P.O. Box, and I usually discarded such junk mail
before leaving the Post Office. However, I always took special care of
AMEX mailings, because AMEX had the nasty habit of printing my AMEX number
somewhere in the mailings (such as on any included application forms).

------------------------------

Date: Mon, 12 Jul 1993 09:06:45 -0400 (EDT)
From: Paul Robinson
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
Subject: Credit Card Security

-----
nelson@bolyard.wpd.sgi.com (Nelson Bolyard), writes:

> One would think that, because they eat much of the cost of credit
> card fraud, banks would have some incentive to use fraud-resistant
> procedures for dealing with their card holders, and would encourage
> their card holders to never give out their "password" information
> to incoming callers, or to people (and machines) whom they call,
> unless they are certain that they've called the bank. But
> apparently they do not care if their card holders get swindled or
> not.

To quote from the song "Hello Stranger": "Well some they do and some they
don't, and some you just can't tell..."

When I received my new Visa card in June, effective 7/93, there was a
sticker on it warning me it was "dead plastic" e.g. that the card would
remain invalid until I called the bank at the number printed on the
sticker to validate the information. Now, since this was a legitimate Visa
card from my issuer and my old card expired 6/93, it made sense; but
someone else could have pulled the same type of scam, since the bank asked
me to authenticate myself with some private information to enable the
card. Since most of the time I'm usually either maxed out or have less
than $200 free, it wouldn't get a thief much.

But there is another problem, that of the apparently illiterate and
incompetent people they have at some credit card companies. I have a
shared account with a relative. I called once to find out what the
available credit was on my Visa card. Well, they asked for the relative's
social security number (which I know) and apparently it's keyed to their
number even though it's a joint card. Point is they got the number wrong,
and froze my account. So they tell me to mail proof of the correct number
to their security office which is supposed to be in South Dakota.

I have a drivers' license from Maryland which does not print Social
Security Numbers on the card. The relative I share this Visa card with
(the relative doesn't use it; they have another card with someone else
that they use) has an ID card from the District of Columbia which *does*
show Social Security Number. So I photocopied that along with a photocopy
of the credit card with the matching name on it.

After *Six Weeks* they finally turn the card back on, because the office
told me to send the information to the security office for their *other*
VISA card, and it had to be sent to the security office for the "special"
card. (The financial institution runs two, their regular visa and their
allegedly "special" Visa, and I'm stuck with the so-called Special one,
that is run out of a different office. I am being deliberately vague so
someone can't figure out who I am using, and no, I'm not talking about a
secured Visa card.)

So the other day I tried to call them to check on the balance. They
*still have the wrong social security number* and I'm afraid to say
anything because the last time I did they shut off my plastic for *Six
weeks* because *I* told them their information was wrong. Because their
computer and the clerks want Social Security numbers, I can't ever ask
any information about my account, for fear they'll lock out my credit
card again.

---
Paul Robinson - TDARCOS@MCIMAIL.COM

------------------------------

Date: Mon, 12 Jul 1993 15:38:23 -0400 (EDT)
From: Paul Robinson
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
Subject: Incident at a Car Rental 800 Number

-----
Recently I called a car rental company to request a car over the weekend.
(I do not own a car because the bus runs from my house direct to my
office; the expense would be frivolous.) I called the nationwide 800
number and requested it for Washington National Airport. (Note: for most
places, rentals from an airport location are cheaper than rentals in the
city. As the airport has direct train service, it's no more difficult
than going into DC, and possibly easier.)

I ordered the car for a weekend, and was asked the usual information about
whether I was over 25 and so on. The interesting note was that they stated
that they would check my drivers' record when I went to get the
automobile. Now, I can understand that someone who is renting me a car
would want to check to make sure I don't have a habit of stealing cars or
running into telephone poles, but I do note that this is the first time
I've heard any place state they would do so. I have heard that there have
been problems with companies renting cars to people who are bad drivers,
who take the optional accident waiver and then don't care what happens.
After I had rented more than 10 times and never made a bad move, I stopped
taking accident waiver.
What bothers me is that the rental office is at Washington, DC's National
Airport, in Arlington, Virginia and I live in Silver Spring, Maryland so I
have a Maryland driver's license, yet apparently they will have no trouble
checking my background, which would be an Interstate record, even on a
Saturday. Makes me wonder how.

Well, at least Maryland doesn't print Social Security numbers on the
drivers' license...

---
Paul Robinson - TDARCOS@MCIMAIL.COM

------------------------------

Date: Tue, 13 Jul 93 11:17:56 EDT
From: wmadsen@opus.starlab.csc.com (Wayne Madsen)
Subject: Data-swapping between EMT and DMV

Recently, an employee of Martin Marietta here in Moorestown, New Jersey
collapsed at his desk and was rushed off to hospital by EMT (Emergency
Medical Technician) personnel. He was diagnosed with a benign brain tumor.
Upon his recovery he was notified by the NJ Dept. of Motor Vehicles (DMV)
that he had to re-apply for his driver's license. It seems that the EMT
had shared the medical data with DMV and when confronted later, EMT
claimed that it was a routine procedure to do so.

Is this a common procedure in other states? If so, it is a draconian
privacy measure and calls into question the privacy of medical data in
the upcoming National Health Insurance program - if the government
presently is so callous in its disregard for such data - what will happen
when they run the show more or less completely?

Wayne Madsen
Computer Sciences Corp.
Moorestown, NJ

------------------------------

Date: Fri, 16 Jul 1993 17:07:01 EDT
From: love@essential.org
Subject: CONGRESS ASKED FOR HEARINGS ON OWENS BILL

----------------------------Original message----------------------------

	Taxpayer Assets Project
	Information Policy Note
	June 12, 1993

WASHINGTON, June 12. Today 15 citizen groups wrote to Representative Gary
Condit (D-CA) asking for hearings on HR 629, the Improvement of
Information Access Act (IIA Act, sometimes referred to as the "Owens bill"
after its sponsor, Rep.
Major Owens of NY). Condit is the new Chair of the House Subcommittee on
Government Information. This subcommittee has bottled HR 629 up for the
past two years, due primarily to opposition to the bill by lobbyists for
commercial data vendors.

Groups calling for hearings include the Taxpayer Assets Project, Computer
Professionals for Social Responsibility, Public Citizen, Center for Media
Education, Association of Research Libraries, Center for Civic Networking,
the Information Trust, Consumer Federation of America, FAIR, Government
Accountability Project, National Writers Union, Environmental Research
Foundation, Federation of American Scientists, Essential Information, and
the National Coordinating Committee for the Promotion of History.

The letter follows:

----------------------------------------

June 12, 1993

Representative Gary Condit
Chair, Subcommittee on Government Information, Justice and Agriculture
Committee on Government Operations
U.S. House of Representatives
Washington, DC 20515

Dear Representative Condit:

We are writing to request that you hold a hearing of the Subcommittee on
Government Information, Justice and Agriculture to consider HR 629, the
Improvement of Information Access Act (IIA Act). This legislation, first
introduced in 1991, is a very important proposal that would broaden public
access to government information resources. The IIA Act reflects the views
and needs of the research, education and library community. The issues
addressed in the bill are relevant to public access to government
information in an era when computers are increasingly important.

The IIA Act addresses the following issues:

1. AGENCIES ARE GIVEN A MANDATE TO USE MODERN COMPUTER TECHNOLOGIES TO
   DISSEMINATE GOVERNMENT INFORMATION

Agencies are required to disseminate information in diverse modes and
through appropriate outlets, including federal depository libraries,
national computer networks such as the Internet, and other outlets. They
must assure free or low-cost public access to Government information.
Agency dissemination efforts must ensure the timeliness, usefulness, and
reliability of the information for the public. Agencies are given a
mandate to provide data users with adequate documentation, software,
indexes, or other resources that will permit and broaden public access to
Government information.

Why are these measures needed? While some agencies have taken bold and
imaginative steps to broaden public access to Government information
through the use of modern information technologies, other agencies
actively resist efforts to broaden public access. This bill would give
federal agencies a mandate to provide the types of information services
and products that are important to data users.

2. STANDARDS

Agencies would be required to disseminate information products and
services in standardized record formats. Agencies would be required to
report annually on efforts to develop or implement standards for file and
record formats, software query command structures, user interfaces, and
other matters that make information easier to obtain and use, and also on
agency provisions for protecting access to records stored with
technologies that are superseded or obsolete. The National Institute for
Standards and Technology (NIST) and the National Records and Archives
Administration (NARA) would be required to develop and periodically revise
voluntary performance standards for public access to government records.

Why are these measures needed? Many federal agencies have not yet
developed standards for information systems, and thus it is often
difficult for agencies to share data or for the public to obtain access to
agency information resources.

3. PRICING

The IIA Act would set a government wide limit on the prices the federal
government can charge on information products and services. This price
limit would be the incremental cost of dissemination, which is defined to
exclude the costs of data collection. Agencies would not be allowed to
impose royalties or other fees on the redissemination of federal
government information.

Why are these measures needed? As federal agencies are faced with
difficult fiscal pressures, they are looking at information resources as a
source of income. Many agencies price electronic information products and
services far above dissemination costs, and impose royalties and
restrictions on the redissemination of information. Such policies erode
the public's right-to-know, and lead to a society where information is
rationed to the most affluent. The IIA Act limits user fees on
information products and services to dissemination costs, which is the
policy which has long been used for information published in paper
formats. Limiting the prices for information products and services to
the costs of dissemination is also consistent with the recently revised
OMB Circular A-130.

4. PUBLIC NOTICE

Perhaps most importantly, the IIA Act would make the federal management of
information resources more democratic. Every year federal agencies would
be required to publish a report which describes:

	- the plans to introduce or discontinue information products and
	  services,

	- the efforts to develop or implement standards for file and record
	  formats, software query command structures and other matters that
	  make information easier to obtain and use,

	- the status of agency efforts to create and disseminate
	  comprehensive indexes or bibliographies of their information
	  products and services,

	- the means by which the public may access the agency's
	  information,

	- the plans for preserving access to electronic information that is
	  stored in technologies that may be superseded or obsolete, and

	- the agency plans to keep the public aware of its information
	  resources, services and products.

Agencies would be required to solicit public comments on this plan,
including comments on the types of information collected and
disseminated, the agency's methods of storing information, their outlets
for disseminating information, the prices they charge for information and
the "validity, reliability, timeliness, and usefulness to the public of
the information." The agency would be required to summarize the comments
it receives and report each year what it has done to respond to the
comments received in the previous year.

Why are these measures needed? It is essential that federal agencies
become more involved with citizens at the grass roots as they design
information policies. Citizens have important information regarding the
way Government information is used, and they also have important insights
regarding emerging information technologies. When issues such as
standards are involved, it is essential to have regular and frequent input
from citizens regarding the choice of standards, particularly since
technologies are rapidly changing. These public notice provisions will
empower citizens at the grass roots to shape federal policies in ways that
benefit the public.

HEARINGS ARE NEEDED ON HR 629

While this important legislation has broad backing from the right to know
community, and has been endorsed by such groups as Public Citizen, the
American Library Association, Computer Professionals for Social
Responsibility (CPSR) and the Taxpayer Assets Project, the Subcommittee on
Government Information should schedule or conduct a hearing on this bill.

Sincerely,

James Love, Taxpayer Assets Project; P.O. Box 19367, Washington, DC 20036;
202/387-8030; love@essential.org

Paul Wolfson, Public Citizen; 2000 P Street, NW, Suite 700, Washington,
DC 20036; 202/833-3000

Pam Gilbert, Congress Watch; 215 Pennsylvania Avenue, SE, Washington, DC
20003; 202/546-4996

Marc Rotenberg, Computer Professionals for Social Responsibility; 666
Pennsylvania Avenue, SE, Suite 303, Washington, DC 20003; 202/544-9240;
rotenberg@washofc.cpsr.org

Tom Devine, Government Accountability Project; 810 First Street, NE, Suite
630, Washington, DC 20002; 202/408-0034

Prue Adler, Association of Research Libraries; 21 Dupont Circle, NW,
Washington, DC 20036; 202/296-8656; prue@cni.org

Jeff Chester, Center for Media Education; P.O. Box 330039, Washington, DC
20033; 202/628-2620; cme@digex.net

Richard Civille, Center for Civic Networking; P.O. Box 65272, Washington,
DC 20035; 202/362-3831; rciville@cap.gwu.edu

Page Miller, National Coordinating Committee for the Promotion of History;
400 A Street, SE, Washington, DC 20003; 202/544-2422

Scott Armstrong, The Information Trust; 1330 Connecticut Avenue, NW, Suite
220, Washington, DC 20036; 202/296-4833

Brad Stillman, Legislative Counsel, Consumer Federation of America; 1424
16th Street, NW, Suite 604, Washington, DC 20036; 202/387-6121;
bstillman@essential.org

Janine Jackson, FAIR; 130 West 25th Street, New York, NY 10011;
212/633-6700

John Richard, Essential Information; P.O. Box 19405, Washington, DC 20036;
202/387-8034; jrichard@essential.org

Jonathan Tasini, National Writers Union; 739 West 186th Street, Apartment
1A, New York, NY 10033; 212/927-1208; 76450.2377@compuserve.com

Peter Montague, Environmental Research Foundation; P.O. Box 5036,
Annapolis, MD 21403; erf@igc.apc.org

Steven Aftergood, Federation of American Scientists; 307 Massachusetts
Ave., NE, Washington, DC 20002; 202/675-1012; jstone@igc.apc.org

------------------------------------------------------------------
tap-info postings are archived at cpsr.org.
ftp: ftp.cpsr.org; gopher: gopher.cpsr.org; wais: wais.cpsr.org
To receive tap-info, send a note to tap-info-request@essential.org
------------------------------------------------------------------
Taxpayer Assets Project, P.O. Box 19367, Washington, DC 20036;
v. 202/387-8030; f. 202/234-5176; internet: tap@essential.org
------------------------------------------------------------------

------------------------------

End of PRIVACY Forum Digest 02.25
************************