The 'Security Digest' Archives (TM)


ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1987)
DOCUMENT: Rutgers 'Security List' for July 1987 (20 messages, 15376 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1987/07.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

-----------[000000][next][prev][last][first]----------------------------------------------------
From:      hao!gatech!spaf@ames.arpa  (Gene Spafford)  21-Jul-1987 14:37:36
To:        security@RUTGERS.EDU
As a matter of principle, I'm one of those people who won't give out my
social security number when applying for utilities or credit cards.
The reasons why have been discussed numerous times in various
security-related groups.   It is my understanding that it is against
the law to force someone to give his/her social security number unless
it is a government agency; although I've often run into occasional
resistance, a few moments of explanation has usually resulted in things
working out okay.

Then there's today.  I'm moving to W. Lafayette Indiana in two weeks
and I called to establish my phone service there.  Indiana is
served by GTE for phone service.  I did not anticipate any problems
since I have an excellent credit history, as could be verified by
a quick check with the local Southern Bell folks.  After the rep
at GTE took all my information down, she asked for my SS#.  I explained
that I don't give that out.  She informed me that I would be required
to pay a $75 deposit if I refused to give my SS#.  So, I asked to
talk to her supervisor.

Her supervisor repeated that I would have to give my SS# to waive the
deposit.  I asked if they could simply call Southern Bell or take a
credit card #, or they could call Purdue and verify my employment.  He
said that wasn't enough -- I had to supply my SS#, no other option.  I
enquired as to why they needed it -- he said it was for a credit check
and to verify future disconnect requests.  I explained that they could
do that self-same credit check without the SS# *and* I don't give out
my SS# precisely because I don't want it used as a verification number
on my account.   He insisted I either supply the number or pay the
deposit.  He also asked why I was being so stubborn -- it was even on
my driver's license, wasn't it?  (It isn't -- and hasn't been.  In
Georgia, you have always had the option of having a different ID, and
now the licenses are being issued with those as default.  The guy at GTE
claims that the Indiana licenses are *required* to have the SS# on them
-- anyone know if this is true?  It shouldn't be...) I explained that
having done some work in computer security, and personal experience, I
know how that number can be abused.  He said I was the only person he'd
ever run into to refuse to give the SS# (!).

I then asked him if the requirement for a SS# was written policy -- I
wanted a copy to examine.  He informed me that such information was
private to the company and I couldn't have a copy -- didn't I trust
him?  I then asked if that policy was on file with the state Public
Service Commission.  At that he (rather loudly) asked if I wanted
service with GTE or not?  I asked him very calmly if he was threatening
to deny me service -- he quieted down.  I next explained that I wanted
to see a copy of the written policy because it would be interesting to
include in an article I might write on improper use of SS#s.  He became
very quiet.  I offered to find the name and number of someone at
Southern Bell who could verify my 9 years of service here.  He said to
call back with that information (thankful to get rid of me, I guess).

The lady I talked to at Southern Bell was very helpful.  She informed
me that all the Southern Bell operators are told not to force a SS#
because it is against both policy and law, but if someone won't provide
it they are to get a bank account # or credit card number (both of
which I am willing to give in circumstances such as this).  She was
more than willing to talk to the supervisor at GTE and give him a
credit reference, if only he'd call.  She said she'd also fill him in
on policy.  *AND*, most interestingly, Southern Bell had somehow
obtained my SS# through other means and it was on file, but she
marked it so that it was not to be given out to anyone, specifically
not anyone with GTE Indiana. :-)

Back to GTE.  I called the supervisor (collect, of course) and gave him
the name and number of the lady at Southern Bell.  He was very curt and
said he'd probably still require a deposit.  He hung up on me.

20 minutes later the original GTE operator called me back and
cheerily informed me that my service would be turned on August 4
with *no* deposit required!

Questions
---------

1) Do many of you (net-readers) withhold your SS# in similar circumstances?
Do you have these kinds of confrontations too?

2) Anyone know if other people at GTE Indiana are such jerks, or is
this an isolated instance? 

3) Anyone know if Indiana does, in fact, *require* that the SS# be
on the driver's license?  

4) Should I bother to follow-up on this further?  That is, should
I bother contacting the Public Service commission in Indiana
about the treatment I received? (I'm currently not sure it is
worth the effort).

Too bad we don't have a choice of phone companies as well as long
distance carriers -- I'd keep Southern Bell.

-- 
Gene Spafford
Software Engineering Research Center (SERC), Georgia Tech, Atlanta GA 30332
Internet:	spaf@gatech.gatech.edu
uucp:	...!{decvax,hplabs,ihnp4,linus,rutgers,seismo}!gatech!spaf
-----------[000001][next][prev][last][first]----------------------------------------------------
From:      khayo@locus.ucla.edu  21-Jul-1987 16:08:09
To:        security@RUTGERS.EDU
In article <16026@gatech.edu> spaf@gatech.UUCP (Gene Spafford) writes:
   
   As a matter of principle, I'm one of those people who won't give out my
   social security number when applying for utilities or credit cards.

   (...)
   
   1) Do many of you (net-readers) withhold your SS# in similar
   circumstances?  Do you have these kinds of confrontations too?

  When I came to the US I was sufficiently worried about getting a bank
acct., insurance etc. that I didn't even think about this problem. Now I
wish I had - not because of any abuse of my SS# (at least I'm not aware
of it), but as a matter of principle. Now my # is all over the place, so
there's no point withholding it; but I'm glad to see that there still are
some Don Quixotes like you. This country is one of the very few remaining
in which *privacy* still has some practical meaning, and where an average
guy can influence the world (at least locally) by *doing* things [to the
skeptical "realists" out there: this may sound like idealism, I realize
that, but believe me - it's true!].
   
   4) Should I bother to follow-up on this further?  That is, should I
   bother contacting the Public Service commission in Indiana about the
   treatment I received? (I'm currently not sure it is worth the effort).

  YES, you should! YES, it's worth the effort.

  As an aside, my fight with windmills consists largely of writing
letters to various Co.'s from which I received a less-than-reasonable
service. I was surprised that most of them (Sears, United Airlines,
Ralphs stores etc.) take such letters seriously - at least someone
high-up reads them & sends an individually written reply. In some cases
I noticed that things that I complained about actually changed for the
better just after I received an answer, but of course it may be a
coincidence. But what surprised me even more is that so many people
around me think I'm nuts to even bother, saying that it's a total waste
of time. Oh, well, I'll just keep doing that until my Mac drops dead.
(BTW, so far I got frustrated in only one case: USPS; 5 letters to the
Postmaster without a reaction...)
                                    Eric
-----------[000002][next][prev][last][first]----------------------------------------------------
From:      duke!cds@mcnc.org  (Craig D. Singer)  22-Jul-1987 15:09:15
To:        security@RUTGERS.EDU
   >As a matter of principle, I'm one of those people who won't give out my
   >social security number when applying for utilities or credit cards.
   >(...)
   >
   >1) Do many of you (net-readers) withhold your SS# in similar circumstances?
   >Do you have these kinds of confrontations too?
   
     When I came to the US I was sufficiently worried about getting a bank
   acct., insurance etc. that I didn't even think about this problem. Now I
   wish I had - not because of any abuse of my SS# (at least I'm not aware
   of it), but as a matter of principle. Now my # is all over the place, so
   there's no point withholding it; but I'm glad to see that there still
   are some Don Quixotes like you.

I agree that Mr. Spafford showed great poise and determination in refusing
to give out information against his will.  But as Mr. Behr has pointed out,
there's no point withholding it once everybody has it.  And, considering
that Southern Bell had Mr. Spafford's social security number in spite of the
fact that he never gave it to them personally, it's clear to me that if
someone wants your SS# bad enough, they'll get it whether you want them to
or not.

I'll agree that withholding it whenever possible at least reduces the
probability that some Joe on the street will obtain it and misuse it; but
there's a bit of paranoia in that attitude as well.  If the options are to
risk the information leakage and subsequent misuse, or to have stress-
inducing episodes similar to Mr. Spafford's affair with the arrogant GTE
employee, personally I'll take the information risk.

Nevertheless, an interesting account of the narrowing interpretation of
American privacy.
-- 
Craig D. Singer                      ARPA:  cds@cs.duke.edu
Department of Computer Science       UUCP:  ...!decvax!duke!cds
Duke University                      CSNET: cds@duke
Durham, NC  27706-2591  USA          Phone (919) 684-5110 ext. 20
-----------[000003][next][prev][last][first]----------------------------------------------------
From:      poisson.usc.edu!mlinar@oberon.usc.edu  (Mitch Mlinar)  23-Jul-1987 01:06:33
To:        security@RUTGERS.EDU
In article <16026@gatech.edu> spaf@gatech.UUCP (Gene Spafford) writes:

>3) Anyone know if Indiana does, in fact, *require* that the SS# be
>on the driver's license?  

I am not sure about Indiana, but I have lived in CA, WI, IL, and CO: NONE
of them require SS#.  In fact, WI and IL function off credit cards whereas
CA and CO function off driver's license #.

It is also a GOOD idea to check with the local SS office every two years
and get a report of your account activity (you are legally entitled).  If
there has been anyone USING your SS# to "steal" the funds, you will know 
about it.  (If you wait more than 7 years[?], whatever is missing is gone.)
-----------[000004][next][prev][last][first]----------------------------------------------------
From:      jeff%venus@rand-unix.arpa  24-Jul-1987 11:09:04
To:        security@RUTGERS.EDU, jeff%venus@rand-unix.arpa
To the best of my recollection, the last time I renewed my California
driver's license, I was told my SS# was required.  I asked for confirmation,
saying it was my understanding that it could not be required by law, but
they were adamant, so I did not pursue the issue even to the point of
asking to talk to a supervisor.

						Jeff Rothenberg

						The RAND Corp.
						jeff@rand.org
-----------[000005][next][prev][last][first]----------------------------------------------------
From:      Paul Martin <PMARTIN@STRIPE.SRI.COM>  24-Jul-1987 15:00:22
To:        security@RUTGERS.EDU
I too have resisted handing my SSN to every bozo who requests it, and
have consistently met with great surprise that anyone should be so
brazen as to hide such basic information.  I got in the habit of
refusing to supply it when I worked for business DP houses to support my
undergraduate education.

California asked me for it when I traded in my NC drivers license
(1972), and also every time I've registered a car here since then.  They
always point out that I HAVE to supply it, so I write "Privacy Act" in
the slot, they show it to their supervisor, and the matter ends there.
It turns out that California uses the SSN to tie drivers licenses and
vehicle registrations together, so that if a driver has any dealings
with the law, any warrants for old parking tickets can be settled by
putting him in jail until they are paid off.  While this certainly has
the effect of reducing the number of parking scofflaws on the roads, it
has interesting implications for the SSN. 

I learned of the DMV practice in 1974 when I was stopped on suspicion of
car theft while trying to push-start my girl-friend's car for her.  The
officer got friendly when the ownership was cleared up, but then pursued
and pulled me when the radio dispatch told him I had an outstanding
warrant for parking.  Details of the warrant and the claim that it arose
from a parking incident in a year that I was never in CA convinced me,
and eventually the officer, that something was amiss.  He let me
"escape", and, per my promise, I called the sheriff to find out what was
up.  Seems that a fellow named "Paul __Allen__ Martin" had lived in
Monterey, parked overtime in SanFran, and failed to pay the piper for
this tune.   So what?  Well, seems he had ALSO refused to supply his
SSN, so both he and I had "000-00-0000" entered in the DMV computer; the
drooling idiots in DMV's DP department hadn't provided a value to
indicate "not known" for that field!  So, the officer calling my name in
on the radio [Paul ___Alan___ Martin] would be informed of "my" warrants
based on an "exact match" on the SSN.  For the next three years, I had
to point out the spelling of my middle name as a prelude to every
dealing with DMV and law officers to avoid a trip to the cooler.  The
statute of limitations finally came to my rescue, but I have no idea
whether I'm still on file as "bad guy who got away".

I am a regular blood donor for both the Red Cross and the local med
school hospital (Stanford U).  I have done pheresis donations for
specific patients; this is a process where 6 to 12 times as much blood
as a normal donation is taken (a bit at a time) and separated to extract
just the component needed by the patient.  The components are always
something like white cells which, especially in such high doses, must be
carefully matched to the recipient's immune system.  This matching
process is the same one used for organ donor matching; because of the
degree of match required, there are typically dozens instead of millions
of potential donors known for a given pattern.  To block all sorts of
undesirable interactions (e.g., bribery, extortion, or even innocent but
desperate pleading), a secure wall of anonymity is maintained between
the donor and the recipient.  

Despite this, the Red Cross and Stanford Med Center each ask for the
donor's SSN!  When I refuse it (offering some alternative to
disambiguate me from others with the same name), they ask me "Why?"  I
point out that if their files on HLA type (the immune system coding
scheme) were ever stolen, I'd hate to have someone who was quite rich,
quite sick, and quite ruthless discover that (1) I matched his HLA type,
(2) My heart works a lot better than his (or else they wouldn't accept
me as a pheresis donor), and (3) I've filed a universal organ donor
card, making my spare parts available in the event that some hood should
happen to blow my head off in the foyer of a hospital....  After hearing
this explanation, most nurses say something along the lines of "I wonder
if I can purge my OWN SSN from the database?"

Cheers... Paul

-----------[000006][next][prev][last][first]----------------------------------------------------
From:      "Bryan, Jerry"       <VM0A61%WVNVM.BITNET@wiscvm.wisc.edu>  24-Jul-1987 17:13:26
To:        <SECURITY@RED.RUTGERS.EDU>
  
   As a matter of principle, I'm one of those people who won't give out my
   social security number when applying for utilities or credit cards.  The
   reasons why have been discussed numerous times in various
   security-related groups.   It is my understanding that it is against the law to
   force someone to give his/her social security number unless it is a
   government agency; although I've often run into occasional resistance, a
   few moments of explanation has usually resulted in things working out okay.

I wish you were correct, but contrariwise, there seem to be no restrictions
whatsoever about the use of social security numbers *outside* the
government.  All the restrictions seem to apply only to the government.
   
   The guy at GTE claims that the Indiana licenses are *required* to have
   the SS# on them -- anyone know if this is true?  It shouldn't be...)

Again, sorry to be a pessimist, but driver's licenses are one area where
federal law specifically *permits* states to require SSN's.  Of course,
once it is a part of your driver's license, there is virtually no way
*not* to give it out to the rest of the world.  Also, I spent three years
in Virginia not being able to vote because I would not give them my
SSN.  In the bitter end, the law was on their side via a grandfather
clause.  This is different from the driver's license case.  A state can
require SSN for voting only if they required it before some date ('74
maybe, or '79), but they can require it for driver's license, period.
Also, *every* time the government asks for it, they are supposed to cite
the law which authorizes it, but they never do.  Unfortunately,
if they violate federal law by failing to provide such notification,
there is no penalty.  Thus, there is no real force to the law.
   
   1) Do many of you (net-readers) withhold your SS# in similar
   circumstances?  Do you have these kinds of confrontations too?

Yes, and yes, but I have just about given up.  The people you deal with
do not know what you are talking about, and have no authority anyway.
Going to supervisors does not really improve things.  I am convinced that
effort at this level is totally wasted.  About the only place where
effort is worthwhile is with Congress.  Until there is legislation without
so many exceptions and with penalties for non-compliance, we are all
wasting our time.

   3) Anyone know if Indiana does, in fact, *require* that the SS# be on
   the driver's license?

I believe the answer is yes, based on relatives who live there.
   
   4) Should I bother to follow-up on this further?  That is, should I
   bother contacting the Public Service commission in Indiana about the
   treatment I received?

Possibly, but only for the treatment you received, not the SSN issue
itself.   As a point of interest, there are many cases that the
applicability of the existing law (weak though it may be) is unclear.
The existing law applies to "federal, state, and local government".
For example, is a state university covered as "federal, state, or
local government"?  Is a phone company which
is regulated by a State government?  My experience is that a state
university will claim to be a part of the state government when it
is to their advantage and your disadvantage, and vice versa of
course (as when state employees are given a pay raise and university
employees are not or vice versa).
-----------[000007][next][prev][last][first]----------------------------------------------------
From:      DKAVNER@ecla.usc.edu  24-Jul-1987 17:22:10
To:        security@RUTGERS.EDU
For many years I have tried to avoid giving out my SS#.  Most of the
time I have no problem, but occasionally I have given in due to a
lack of knowledge on the applicable laws.  It is great to hear of someone
who has been so successful.

It seems that the majority of people have no idea of the problems of
giving out such information and that our government continues
to encourage it.

One of my biggest frustrations is interest bearing bank accounts.  The IRS
requires you to give the bank your SS#, but as far as I know there are
no restrictions on what they can do with it.  Does anyone have a solution
for this?

My SS card has the phrase  "For tax purposes only, not for identification".
Do the new cards issued today still have this phrase?
-----------[000008][next][prev][last][first]----------------------------------------------------
From:      Nick Papadakis <nick@oberon.lcs.mit.edu>  24-Jul-1987 17:42:32
To:        security@RUTGERS.EDU
   As a matter of principle, I'm one of those people who won't give out my
   social security number when applying for utilities or credit cards.

me too.

   1) Do many of you (net-readers) withhold your SS# in similar circumstances?
   Do you have these kinds of confrontations too?

sure do.

   3) Anyone know if Indiana does, in fact, *require* that the SS# be
   on the driver's license?  

Couldn't say.  Virginia has written a statute that requires it for
Virginia licenses.

   4) Should I bother to follow-up on this further?  That is, should
   I bother contacting the Public Service commission in Indiana
   about the treatment I received? (I'm currently not sure it is
   worth the effort).

Every time I have been asked for my ssn by someone who legitimately
requires it (i.e. the federal government) there has been an
accompanying blurb with a reference to the federal law that empowers
them to ask for it.  Evidently Virginia is attempting to emulate this
strategy.  Unfortunately, the ssn isn't exactly in their purview, and
their reasons for "needing" it fall more under the heading of
convenience than real need.  

I frankly don't see why people's privacy should be threatened in order
to make things slightly easier for a few programmers.

Virginia has a history of being a place where bad laws are made.  An
example is the illegality of radar detectors there.  (as far as I
know, only D.C. and Connecticut have similar laws.)

I'd say, make it as expensive as you can for them to do business with
you until they do business right.  Monopolize as much phone time and
letter writing-time as possible - it costs them about $30 to write you
a form letter.

Monopolies need to be kicked periodically.  Use your rights or lose
them. 

   Too bad we don't have a choice of phone companies as well as long
   distance carriers -- I'd keep Southern Bell.

Maybe you should find out how they got your ssn first ...

--
Nick Papadakis
nick@mc.lcs.mit.edu
SSN: 213-09-2981  (right ...!):-)
-----------[000009][next][prev][last][first]----------------------------------------------------
From:      DPickett@his-phoenix-multics.arpa  25-Jul-1987 00:56:15
To:        Security@RUTGERS.EDU
     The privacy act of 19??  (consult your local ACLU chapter) forbids
use of the SSN except for valid SS purposes like tax and employment and
such, except for federal agencies covered under a grandfather clause and
also state governments, but then only by statute (no bureaucratic
initiatives without legislative approval).  New Jersey had a bill
bouncing around to rescind the bill that allowed them to force us to
divulge it.
     My university tried to get it, but I made them give me another and
then had a great time correcting and confusing them with my 4 digit
"Social Security Number".
     The main reason for overuse of the SSN is simplemindedness.
Numbers are a great resource.  You can give them out.  Until you give
out a lot, they stay compact.  Anyone can make up a numbering system.
But they prefer to steal someone else's system, especially if you
already know your number and it is unique.  There is a natural tendency
for the disadvantages of an old way to attach themselves to a new way.
Ever see a computer operator cry because checks get ruined?  You'd think
it was money, not preprinted forms!!!  So it is with numbers; instead of
your name and address or whatever, they can organize their data better
by arbitrary numbering.  But they use non-arbitrary numbering, because
they miss the point!
     So, the best reason to refuse them your SSN is that they are
misusing the concept of numbering!  Spread knowledge to the masses.
Explain how numbering works best only if it is arbitrary and
specialized.  Explain how the SSN has so many digits that they could as
easily look up your name!  (9999 customers looked up in a table of SSN
could take ten trillion digits of storage!)  Point out that you are the
only David Pickett at RR2, box 631, Thorofare, NJ 08086-9632, born
5/20/49.
-----------[000010][next][prev][last][first]----------------------------------------------------
From:      Larry Hunter <hunter-larry@yale.arpa>  27-Jul-1987 12:05:37
To:        security@RUTGERS.EDU
    1) Do many of you (net-readers) withhold your SS# in similar circumstances?
    Do you have these kinds of confrontations too?

Yes!  I had a similar confrontation with Southern New England Telephone.  When
I initially tried to acquire phone service in New Haven, I refused to give out
my social security number.  The customer service representative told me I
would have to make a $200 deposit in lieu of giving out my SSN.  I asked to
talk to his supervisor.  The supervisor gave me the same story.  I told her that
I was not going to give out my SSN and I was not going to pay anything extra
as a result.  I said further that if they intended to deny me service, they
had better get in touch with their legal department and then call me back.
The entire conversation was civil and friendly, but only because I kept it   
that way.  I got a call back the next day telling me they would install my
phone without a SSN or a deposit.

Why does this work?  Simple.  The privacy act of 1974 restricts governmental
use of social security numbers.   With certain (fairly significant) exceptions,
a government agency cannot require your SSN unless it is related to social
security or tax matters.  Furthermore, if a gov't. agency asks for your SSN
voluntarily, they must explain that it is voluntary and that it makes no
difference if you give it or not.  On the other hand, there is NO legislation
restricting commercial uses of SSNs; if you don't give it to them, they don't
have to do business with you.  This is especially pernicious with credit
and banking institutions.  At any rate, the phone company falls in between:
Since they are a state regulated monopoly, they probably don't have the 
ability to demand your SSN.  They certainly don't want that tested in court,
since they might lose the freedom to coerce and intimidate as they do.
Phone companies lose huge amounts of money on unpaid final bills, and they
like to be able to track people down -- SSNs are, of course, invaluable for
this.  You'll find other local monopolies (e.g. gas and electric companies)
work pretty much the same way.  With them, your SSN is yours alone.

Probably the best reference on all of this stuff is Robert Ellis Smith's
"Privacy: How to Protect What's Left of It", available for $7 (prepaid) 
from The Privacy Journal, P.O. Box  15300, Washington, DC 20003.  The
PJ itself is a great newsletter for keeping track of this kind of stuff,
and they have a variety of other interesting publications for sale.
    
    4) Should I bother to follow-up on this further?  That is, should
    I bother contacting the Public Service commission in Indiana
    about the treatment I received? (I'm currently not sure it is
    worth the effort).

Yes!  It is definitely worth sending off a few letters.  I'd send copies
to the phone company's customer service department, the state public
utilities commission, your state representatives, your congressmen,
local newspapers and to the Privacy Journal (address above).  If nobody
complains about this sort of thing, it will be institutionalized beyond
change before we know it.

                                                Larry Hunter
-----------[000011][next][prev][last][first]----------------------------------------------------
From:      William Daul / McDonnell-Douglas / APD-ASD  <WBD.MDC@office-1.arpa>  27-Jul-1987 17:29:03
To:        SECURITY@RUTGERS.EDU
A friend of mine has a two car / two door garage.  He wants to install a remote
control garage door opener on both doors with different frequencies for each 
door.  He would also like ONE controller that can switch between the 
frequencies.  Is there such an off-the-shelf system?  Thanks,  --Bi//
-----------[000012][next][prev][last][first]----------------------------------------------------
From:      RMOREY%ATLAS%rca.com@relay.cs.net  28-Jul-1987 06:28:13
To:        SECURITY-REQUEST@RUTGERS.EDU
I don't understand how a Social Security number could be abused. In
Massachusetts, your driver's licence number IS your social security
number. Therefore, anytime you write a check to a store, they write your
licence no. (SS#) and a charge card no. on the back of your check
for approval. I can see how, in this state, it would be VERY easy for
ANYONE to obtain your SS#. So, being rather naive, I'd like to know
what to watch out for in giving out my SS#, and how someone could
abuse my number. Thank you.

Randy Morey
GE Automated Systems
Burlington, Mass
RMOREY%ATLAS%RCA.COM@RELAY.CS.NET
-----------[000013][next][prev][last][first]----------------------------------------------------
From:      IWAMOTO%NGSTL1%eg.ti.com@relay.cs.net  28-Jul-1987 13:25:14
To:        security@RUTGERS.EDU
	Ok...maybe I'm a little naive...

	First of all, I didn't know you could withhold your social 
security number.  I have been giving it out just as a matter of course 
never realizing that I could withhold it (not to mention that it was 
against the law to force me to give it out).  That's interesting and I 
may decide to use it, although, at this point, it's probably all over
the place so it's probably not worth my effort.

	I am very interested in hearing how it can be abused, however.  
Could you please elaborate on this a little?

Warren M. Iwamoto
Artificial Intelligence Laboratory 
Texas Instruments, Inc.
iwamoto%ngstl1@eg.ti.com
-----------[000014][next][prev][last][first]----------------------------------------------------
From:      trainor@locus.ucla.edu  29-Jul-1987 22:09:51
To:        security@RUTGERS.EDU
There are also other options.  I know several people who give out
random numbers and have been doing so for quite some time.  They
are very clever about not declaring it to be the number on file
with Social Security.  This is done verbally--boxes on forms are
left blank.  There are two variations: 1) random numbers at every
query, 2) random numbers for each institution.
-----------[000015][next][prev][last][first]----------------------------------------------------
From:      <simsong@athena.MIT.EDU>   30-Jul-1987 00:39:31
To:        security@red.rutgers.edu
Some of the older readers of this list may remember my posting of an outline
for an article about computer security for lawyers which I was working on
last year. (Is that a single sentence? Am I pretending to be a writer?)
Anyway, I just got the galleys back from the publisher. It's going to be in
the September issue.

If anybody wants a copy of it, ask me and I'll send a draft. If the demand is 
great, I'll make it ftp'able.

-simson
-----------[000016][next][prev][last][first]----------------------------------------------------
From:      djw@lanl.gov (David Wade)  30-Jul-1987 12:20:31
To:        hao!gatech!spaf@ames.arpa, security@RUTGERS.EDU
  1) Do many of you (net-readers) withhold your SS# in similar circumstances?
  Do you have these kinds of confrontations too?

Yes, but not wholly successfully.  I too have kept my SSN private for the
last eight or nine years.  I had given the number out whenever asked up until
that time.  Now I sometimes run into the consequences of that action.

The University of New Mexico 'requires' your Social Security Number whenever
you enroll in classes.  If you are a foreign national, the University will
assign you a number; if you are a US Citizen, they will not.  I was not able
to test this because I had previously given them my SSN.  However, we got all
my records marked such that the University won't give out my SSN without a
court order.

  4) Should I bother to follow-up on this further?  That is, should
  I bother contacting the Public Service commission in Indiana
  about the treatment I received? (I'm currently not sure it is
  worth the effort).

The telephone companies have had their own way for so long that it is nice
to finally see that turning around.  You seem to think highly of Southern
Belle while you express surprise that they had information about you that
you had never given them and that you think they didn't need.  The Privacy
Act of 1974 covers only the government and its subcontractors.  Currently,
private companies can require whatever information they think their customers
will provide.  You may argue that Southern Belle is a subcontractor and you
would be correct, but most people don't believe that your little problem
applies to their great big company.

From "The Report of The Privacy Protection Study Commission" a booklet known
as appendix 4, "The Privacy Act of 1974: an Assessment" page 3.

=============================================================================
	Government contractors are another category of entities to which the
Privacy Act applies.  Subsection 3(m) of the Act provides that:

	When an agency provides by contract for the operation by or on
	behalf of the agency of a system of records to accomplish an agency
	function, the agency shall, consistent with its authority, cause the
	requirements of . . . [the Act] to be applied to such system.  For
	purposes of subsection (i) [the criminal penalties provision] of [the
	Act] any such contractor and any employee of such contractor, if
	such contract is agreed to on or after the effective date of [the Act],
	shall be considered to be an employee of an agency.  [5 U.S.C.
	552a(m)]
=============================================================================
ibid.,pp.35

	The Privacy Act also establishes criminal penalties for certain knowing
and willful violations of its requirements.  Subsection 3(i) provides that an
officer or employee of an agency may be found guilty of a misdemeanor and
fined up to $5,000 for knowingly and willfully disclosing individually
identifiable information, the disclosure of which is prohibited by the Act or
agency regulations thereunder, or for willfully failing to publish an annual
"Federal Register" notice on a system of records.  The same penalties may also
be assessed against anyone who knowingly and willfully requests or obtains
an agency record about an individual under false pretenses.
=============================================================================
ibid.,pp.5
		What is Covered by the Act

	Where the Act fails to meets (sic) its objectives, the failure can
often be traced, in part, to the record and system-of-records
definitions that further limit its scope of application.  The Privacy
Act applies to a "record" that is "retrieved" from a "system of records"
by the name of an individual "or by some identifying number, symbol, or
other identifying particular" assigned to him. [5 U.S.C. 552a(a)(5)]
	As defined in subsection 3(a)(4), "record" means:

	. . . any item, collection, or grouping of information about an
	individual that is maintained by an agency, including, but not
	limited to, his education, financial transactions, medical history,
	and criminal or employment history and that contains his name, or
	the identifying number, symbol, or other identifying particular
	assigned to the individual, such as a finger or voice print or a
	photograph.[5 U.S.C. 552a(a)(4)]
=============================================================================
However...
ibid.

Thus, unless an agency, in fact, retrieves recorded information by reference
to a "name. . .identifying symbol, or other identifying particular. . .," the
system in which the information is maintained is not covered by the Act.
=============================================================================

You need to inform each "agency" what you consider "individual identifying
information".  You may then tell them that your
	1)  Name
	2)  Birthdate
	3)  Social Security Account Number (The one which identifies your
		retirement insurance payment information; and generally is of
		the form 123-45-6789...)
	4)  Street Address in conjunction with physical description
		information,
	5)  Phone Number in conjunction with physical description
		information,
are sufficiently private that they may not disclose these numbers without
your specific written authority, and that the "agency" must show you a log
of everyone who has had access to these "records".  If they cannot do this
before you give them the information, they are already in violation.  What
makes you think that they will clean up their act after you tell them your
"Retirement Account Number"?

These Privacy Act reports state that the majority of the burden of
enforcement rests on the individual, and that the individual wasn't really
interested.  The Privacy Act was being observed as though it were a "good
idea at the time, but not really applicable to 'my agency's situation'".

A letter about Southern Belle's having "acquired" your SSN should probably
be directed to the Data Processing Manager explaining that he is liable for
a $5,000 fine and that he'd probably better "cut it out".

You did the proper thing to the "cracker" at Indiana Bell, but you should
send them a copy of what you send to Southern Belle, this note with an
explanation of what the 'Risks' group is, and a request for an apology and
notification that the above listed items are Privacy Act items.  You won't
be able to get a free unlisted phone that way, (I think, I really don't
know, but the book says that that information is in the public domain).  But
you can certainly stop the harassment from the Service Representatives.

Dave
-----------[000017][next][prev][last][first]----------------------------------------------------
From:      David Chase <rbbb@rice.edu>  31-Jul-1987 00:14:35
To:        security@RUTGERS.EDU
Suppose I demand that a company with a copy of my SS# but no right or need
for it remove my SS# from their records.  Is there any hope of this
working, or will they just laugh at me?  Are there any big legal sticks
that I can wield?

If it is that important to keep the number secret, then this OUGHT to work.

David
-----------[000018][next][prev][last][first]----------------------------------------------------
From:      James M Galvin <galvin@udel.edu>  31-Jul-1987 10:42:11
To:        security@RUTGERS.EDU
Gene Spafford's note made me think about giving out phone numbers.  When
you use a credit card, store clerks always ask you to sign the receipt
and write down your phone number.  Sometimes they ask for your address.

Now, I don't normally like to give my phone number, even if it is listed
in the phone book.  So, I have always wondered, can they force you to give
out your phone number?

Jim
-----------[000019][next][prev][last][first]----------------------------------------------------
From:      RMOREY%ATLAS%rca.com@relay.cs.net  31-Jul-1987 18:44:41
To:        SECURITY-REQUEST@RUTGERS.EDU
Being new to the net, I'm not sure if this topic has been discussed
before. My apologies if it has.

My wife loves to take my daughters (ages 2 and 2 months) for walks,
but there are usually 1 or 2 big dogs loose that terrify them. We have
a leash law in my town, and a friendly dogcatcher. Calls to the
dogcatcher do nothing. His office is only open from 3pm to 4pm. Also,
dogs will come into our backyard where my 'girls' are playing and
snarl at them. 

I have heard about aerosol sprays that deter attackers, but can't find
them and don't know if they are legal. Someone suggested to my wife
that she buy a squirt gun with a 30-foot range and fill it with
ammonia to shoot at dogs. Q: Would this work without getting me into a
lawsuit from seriously injuring a dog? And what is in aerosol sprays
that are used for self defense, if not mace? What sprays are legal
and where are they found?

I'm not a dog hater. I've never been a dog owner, either. Does
anyone have any better suggestions?

Randy Morey
GE Aerospace
Burlington, Mass
RMOREY%ATLAS%RCA.COM@RELAY.CS.NET

END OF DOCUMENT