----MESSAGE-BEGIN---- <1987072006573600> From: hao!gatech!spaf@ames.arpa (Gene Spafford) 21-Jul-1987 14:37:36 To: security@RUTGERS.EDU Subj: [5205] SS# & Utilities -- a story As a matter of principle, I'm one of those people who won't give out my social security number when applying for utilities or credit cards. The reasons why have been discussed numerous times in various security-related groups. It is my understanding that it is against the law to force someone to give his/her social security number unless it is a government agency; although I've often run into occasional resistance, a few moments of explanation has usually resulted in things working out okay. Then there's today. I'm moving to W. Lafayette Indiana in two weeks and I called to establish my phone service there. Indiana is served by GTE for phone service. I did not anticipate any problems since I have an excellent credit history, as could be verified by a quick check with the local Southern Bell folks. After the rep at GTE took all my information down, she asked for my SS#. I explained that I don't give that out. She informed me that I would be required to pay a $75 deposit if I refused to give my SS#. So, I asked to talk to her supervisor. Her supervisor repeated that I would have to give my SS# to waive the deposit. I asked if they could simply call Southern Bell or take a credit card #, or they could call Purdue and verify my employment. He said that wasn't enough -- I had to supply my SS#, no other option. I enquired as to why they needed it -- he said it was for a credit check and to verify future disconnect requests. I explained that they could do that self-same credit check without the SS# *and* I don't give out my SS# precisely because I don't want it used as a verification number on my account. He insisted I either supply the number or pay the deposit. He also asked why I was being so stubborn -- it was even on my driver's license, wasn't it? (It isn't -- and hasn't been. In Georgia, you have always had the option of having a different ID, and now the licenses are being issue with those as default. The guy at GTE claims that the Indiana licenses are *required* to have the SS# on them -- anyone know if this is true? It shouldn't be...) I explained that having done some work in computer security, and personal experience, I know how that number can be abused. He said I was the only person he'd ever run into to refuse to give the SS# (!). I then asked him if the requirement for a SS# was written policy -- I wanted a copy to examine. He informed me that such information was private to the company and I couldn't have a copy -- didn't I trust him? I then asked if that policy was on file with the state Public Service Commission. At that he (rather loudly) asked if I wanted service with GTE or not? I asked him very calmly if he was threatening to deny me service -- he quieted down. I next explained that I wanted to see a copy of the written policy because it would be interesting to include in an article I might write on improper use of SS#s. He became very quiet. I offered to find the name and number of someone at Southern Bell who could verify my 9 years of service here. He said to call back with that information (thankful to get rid of me, I guess). The lady I talked to at Southern Bell was very helpful. She informed me that all the Southern Bell operators are told not to force a SS# because it is against both policy and law, but if someone won't provide it they are to get a bank account # or credit card number (both of which I am willing to give in circumstances such as this). She was more than willing to talk to the supervisor at GTE and give him a credit reference, if only he'd call. She said she'd also fill him in on policy. *AND*, most interestingly, Southern Bell had somehow obtained my SS# through other means and it was on file, but she marked it so that it was not to be given out to anyone, specifically not anyone with GTE Indiana. :-) Back to GTE. I called the supervisor (collect, of course) and gave him the name and number of the lady at Southern Bell. He was very curt and said he'd probably still require a deposit. He hung up on me. 20 minutes later the original GTE operator called me back and cheerily informed me that my service would be turned on August 4 with *no* deposit required! Questions --------- 1) Do many of you (net-readers) withhold your SS# in similar circumstances? Do you have these kinds of confrontations too? 2) Anyone know if other people at GTE Indiana are such jerks, or is this an isolated instance? 3) Anyone know if Indiana does, in fact, *require* that the SS# be on the driver's license? 4) Should I bother to follow-up on this further? That is, should I bother contacting the Public Service commission in Indiana about the treatment I received? (I'm currently not sure it is worth the effort). Too bad we don't have a choice of phone companies as well as long distance carriers -- I'd keep Southern Bell. -- Gene Spafford Software Engineering Research Center (SERC), Georgia Tech, Atlanta GA 30332 Internet: spaf@gatech.gatech.edu uucp: ...!{decvax,hplabs,ihnp4,linus,rutgers,seismo}!gatech!spaf ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072008280900> From: khayo@locus.ucla.edu 21-Jul-1987 16:08:09 To: security@RUTGERS.EDU Subj: [2289] Re: SS# & Utilities -- a story In article <16026@gatech.edu> spaf@gatech.UUCP (Gene Spafford) writes: As a matter of principle, I'm one of those people who won't give out my social security number when applying for utilities or credit cards. (...) 1) Do many of you (net-readers) withhold your SS# in similar circumstances? Do you have these kinds of confrontations too? When I came to the US I was sufficiently worried about getting a bank acct., insurance etc. that I didn't even think about this problem. Now I wish I had - not because of any abuse of my SS# (at least I'm not aware of it), but as a matter of principle. Now my # is all over the place, so there's no point withholding it; but I'm glad to see that there still are some Don Quixotes like you. This country is one of the very few remaining in which *privacy* still has some practical meaning, and where an average guy can influence the world (at least locally) by *doing* things [to the skeptical "realists" out there: this may sound like idealism, I realize that, but believe me - it's true!]. 4) Should I bother to follow-up on this further? That is, should I bother contacting the Public Service commission in Indiana about the treatment I received? (I'm currently not sure it is worth the effort). YES, you should! YES, it's worth the effort. As an aside, my fight with windmills consists largely of writing letters to various Co.'s from which I received a less-than-reasonable service. I was surprised that most of them (Sears, United Airlines, Ralphs stores etc.) take such letters seriously - at least someone high-up reads them & sends an individually written reply. In some cases I noticed that things that I complained about actually changed for the better just after I received an answer, but of course it may be a coincidence. But what surprised me even more is that so many people around me think I'm nuts to even bother, saying that it's a total waste of time. Oh, well, I'll just keep doing that until my Mac drops dead. (BTW, so far I got frustrated in only one case: USPS; 5 letters to the Postmaster without a reaction...) Eric ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072107291500> From: duke!cds@mcnc.org (Craig D. Singer) 22-Jul-1987 15:09:15 To: security@RUTGERS.EDU Subj: [2059] Re: SS# & Utilities -- a story >As a matter of principle, I'm one of those people who won't give out my >social security number when applying for utilities or credit cards. >(...) > >1) Do many of you (net-readers) withhold your SS# in similar circumstances? >Do you have these kinds of confrontations too? When I came to the US I was sufficiently worried about getting a bank acct., insurance etc. that I didn't even think about this problem. Now I wish I had - not because of any abuse of my SS# (at least I'm not aware of it), but as a matter of principle. Now my # is all over the place, so there's no point withholding it; but I'm glad to see that there still are some Don Quixotes like you. I agree that Mr. Spafford showed great poise and determination in refusing to give out information against his will. But as Mr. Behr has pointed out, there's no point withholding it once everybody has it. And, considering that Southern Bell had Mr. Spafford's social security number in spite of the fact that he never gave it to them personally, it's clear to me that if someone wants your SS# bad enough, they'll get it whether you want them to or not. I'll agree that withholding it whenever possible at least reduces the probability that some Joe on the street will obtain it and misuse it; but there's a bit of paranoia in that attitude as well. If the options are to risk the information leakage and subsequent misuse, or to have stress- inducing episodes similar to Mr. Spafford's affair with the arrogant GTE employee, personally I'll take the information risk. Nevertheless, an interesting account of the narrowing interpretation of American privacy. -- Craig D. Singer ARPA: cds@cs.duke.edu Department of Computer Science UUCP: ...!decvax!duke!cds Duke University CSNET: cds@duke Durham, NC 27706-2591 USA Phone (919) 684-5110 ext. 20 ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072117263300> From: poisson.usc.edu!mlinar@oberon.usc.edu (Mitch Mlinar) 23-Jul-1987 01:06:33 To: security@RUTGERS.EDU Subj: [814] Re: SS# & Utilities -- a story In article <16026@gatech.edu> spaf@gatech.UUCP (Gene Spafford) writes: >3) Anyone know if Indiana does, in fact, *require* that the SS# be >on the driver's license? I am not sure about Indiana, but I have lived in CA, WI, IL, and CO: NONE of them require SS#. In fact, WI and IL function off credit cards whereas CA and CO function of driver's license #. It is also a GOOD idea to check with the local SS office every two years and get a report of your account activity (you are legally entitled). If there has been anyone USING your SS# to "steal" the funds, you will know about it. (If you wait more than 7 years[?], whatever is missing is gone.) ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072303290400> From: jeff%venus@rand-unix.arpa 24-Jul-1987 11:09:04 To: security@RUTGERS.EDU, jeff%venus@rand-unix.arpa Subj: [548] Re: SS# & Utilities -- a story To the best of my recollection, the last time I renewed my California driver's license, I was told my SS# was required. I asked for confirmation, saying it was my understanding that it could not be required by law, but they were adamant, so I did not pursue the issue even to the point of asking to talk to a supervisor. Jeff Rothenberg The RAND Corp. jeff@rand.org ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072307202200> From: Paul Martin 24-Jul-1987 15:00:22 To: security@RUTGERS.EDU Subj: [4197] SSN again I too have resisted handing my SSN to every bozo who requests it, and have consistently met with great surprise that anyone should be so brazen as to hide such basic information. I got in the habit of refusing to supply it when I worked for business DP houses to support my undergradutate education. California asked me for it when I traded in my NC drivers license (1972), and also every time I've registered a car here since then. They always point out that I HAVE to supply it, so I write "Privacy Act" in the slot, they show it to their supervisor, and the matter ends there. It turns out that California uses the SSN to tie drivers licenses and vehicle registrations together, so that if a driver has any dealings with the law, any warrants for old parking tickets can be settled by putting him in jail until they are paid off. While this certainly has the effect of reducing the number of parking scofflaws on the roads, it has interesting implications for the SSN. I learned of the DMV practice in 1974 when I was stopped on suspicion of car theft while trying to push-start my girl-friend's car for her. The officer got friendly when the ownership was cleared up, but then pursued and pulled me when the radio dispatch told him I had an outstanding warrant for parking. Details of the warrant and the claim that it arose from a parking incident in a year that I was never in CA convinced me, and eventually the officer, that something was amiss. He let me "escape", and, per my promise, I called the sheriff to find out what was up. Seems that a fellow named "Paul __Allen__ Martin" had lived in Monterey, parked overtime in SanFran, and failed to pay the piper for this tune. So what? Well, seems he had ALSO refused to supply his SSN, so both he and I had "000-00-0000" entered in the DMV computer; the drooling idiots in DMV's DP department hadn't provided a value to indicate "not known" for that field! So, the officer calling my name in on the radio [Paul ___Alan___ Martin] would be informed of "my" warrants based on an "exact match" on the SSN. For the next three years, I had to point out the spelling of my middle name as a prelude to every dealing with DMV and law officers to avoid a trip to the cooler. The statute of limitations finally came to my rescue, but I have no idea whether I'm still on file as "bad guy who got away". I am a regular blood donor for both the Red Cross and the local med school hospital (Stanford U). I have done pheresis donations for specific patients; this is a process where 6 to 12 times as much blood as a normal donation is taken (a bit at a time) and separated to extract just the component needed by the patient. The components are always something like white cells which, especially in such high doses, must be carefully matched to the recipient's immune system. This matching process is the same one used for organ donor matching; because of the degree of match required, there are typically dozens instead of millions of potential donors known for a given pattern. To block all sorts of undesirable interactions (e.g., bribery, extortion, or even innocent but desperate pleading), a secure wall of anonymity is maintained between the donor and the recipient. Despite this, the Red Cross and Stanford Med Center each ask for the donor's SSN! When I refuse it (offering some alternative to disambiguate me from others with the same name), they ask me "Why?" I point out that if their files on HLA type (the immune system coding scheme) were ever stolen, I'd hate to have someone who was quite rich, quite sick, and quite ruthless discover that (1) I matched his HLA type, (2) My heart works a lot better than his (or else they wouldn't accept me as a pheresis donor), and (3) I've filed a universal organ donor card, making my spare parts available in the event that some hood should happen to blow my head off in the foyer of a hospital.... After hearing this explanation, most nurses say something along the lines of "I wonder if I can purge my OWN SSN from the database?" Cheers... Paul ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072309332600> From: "Bryan, Jerry" 24-Jul-1987 17:13:26 To: Subj: [3575] SS# & Utilities -- a story As a matter of principle, I'm one of those people who won't give out my social security number when applying for utilities or credit cards. The reasons why have been discussed numerous times in various security- related groups. It is my understanding that it is against the law to force someone to give his/her social security number unless it is a government agency; although I've often run into occasional resistance, a few moments of explanation has usually resulted in things working out okay. I wish you were correct, but contrariwise, there seem to be no restrictions whatsoever about the use of social security numbers *outside* the government. All the restrictions seem to apply only to the government. The guy at GTE claims that the Indiana licenses are *required* to have the SS# on them -- anyone know if this is true? It shouldn't be...) Again, sorry to be a pessimist, but driver's licenses are one area where federal law specifically *permits* states to require SSN's. Of course, once it is a part of your driver's license, there is virtually no way *not* to give it out to the rest of the world. Also, I spent three years in Virginia not being able to vote because I would not give them my SSN. In the bitter end, the law was on their side via a grandfather clause. This is different from the driver's license case. A state can require SSN for voting only if they required it before some date ('74 maybe, or '79), but they can require it for driver's license, period. Also, *every* time the government asks for it, they are supposed to cite the law which authorizes it, but they never do. Unfortunately, if they violate federal law by failing to provide such notification, there is not penalty. Thus, there is no real force to the law. 1) Do many of you (net-readers) withhold your SS# in similar circumstances? Do you have these kinds of confrontations too? Yes, and yes, but I have just about given up. The people you deal with do not know what you are talking about, and have no authority anyway. Going to supervisors does not really improve things. I am convinced that effort at this level is totally wasted. About the only place where effort is worthwhile is with Congress. Until there is legislation without so many exceptions and with penalties for non-compliance, we are all wasting our time. 3) Anyone know if Indiana does, in fact, *require* that the SS# be on the driver's license? I believe the answer is yes, based on relatives who live there. 4) Should I bother to follow-up on this further? That is, should I bother contacting the Public Service commission in Indiana about the treatment I received? Possibly, but only for the treatment you received, not the SSN issue itself. As a point of interest, there are many cases that the applicability of the existing law (weak though it may be) is unclear. The existing law applies to "federal, state, and local government". For example, is a state university covered as "federal, state, or local government"? Is a phone company which is regulated by a State government? My experience is that a state university will claim to be a part of the state government when it is to their advantage and your disadvantage, and vice versa of course (as when state employees are given a pay raise and university employees are not or vice versa). ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072309421000> From: DKAVNER@ecla.usc.edu 24-Jul-1987 17:22:10 To: security@RUTGERS.EDU Subj: [863] Re: SS# and Utilities For many years I have tried to avoid giving out my SS#. Most of the time I have no problem, but occasionally I have given in due to a lack of knowledge on the applicable laws. It is great to hear of someone who has been so successful. It seems that the majority of people have no idea of the problems of in giving out such information and that our government continues to encourage it. One of my biggest frustrations is interest bearing bank accounts. The IRS requires you to give the bank your SS#, but as far as I know there are no restrictions on what they can do with it. Does anyone have a solution for this? My SS card has the phrase "For tax purposes only, not for identification". Do the new cards issued today still have this phrase? ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072310023200> From: Nick Papadakis 24-Jul-1987 17:42:32 To: security@RUTGERS.EDU Subj: [2144] SS# & Utilities -- a story As a matter of principle, I'm one of those people who won't give out my social security number when applying for utilities or credit cards. me too. 1) Do many of you (net-readers) withhold your SS# in similar circumstances? Do you have these kinds of confrontations too? sure do. 3) Anyone know if Indiana does, in fact, *require* that the SS# be on the driver's license? Couldn't say. Virginia has written a statute that requires it for Virginia licenses. 4) Should I bother to follow-up on this further? That is, should I bother contacting the Public Service commission in Indiana about the treatment I received? (I'm currently not sure it is worth the effort). Every time I have been asked for my ssn by someone who legitimately requires it (i.e. the federal government) there has been an accompanying blurb with a reference to the federal law that empowers them to ask for it. Evidently Virginia is attempting to emulate this strategy. Unfortunately, the ssn isn't exactly in their purview, and their reasons for "needing" it fall more under the heading of convenience than real need. I frankly don't see why people's privacy should be threatened in order to make things slightly easier for a few programmers. Virginia has a history of being a place where bad laws are made. An example is the illegality of radar detectors there. (as far as I know, only D.C. and Connecticut have similar laws.) I'd say, make it as expensive as you can for them to do business with you until they do business right. Monopolize as much phone time and letter writing-time as possible - it costs them about $30 to write you a form letter. Monopolies need to be kicked periodically. Use your rights or lose them. Too bad we don't have a choice of phone companies as well as long distance carriers -- I'd keep Southern Bell. Maybe you should find out how they got your ssn first ... -- Nick Papadakis nick@mc.lcs.mit.edu SSN: 213-09-2981 (right ...!):-) ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072317161500> From: DPickett@his-phoenix-multics.arpa 25-Jul-1987 00:56:15 To: Security@RUTGERS.EDU Subj: [1944] Re: SS and the data theives... The privacy act of 19?? (consult your local ACLU chapter) forbids use of the SSN except for valid SS purposes like tax and employment and such, except for federal agencies covered under a grandfather clause and also state governments, but then only by statute (no bureaucratic initiatives without legislative approval). New Jersey had a bill bouncing around to rescind the bill that allowed them to force us to divulge it. My university tried to get it, but I made them give me another and then had a great time correcting and confusing them with my 4 digit "Social Security Number". The main reason for overuse of the SSN is simplemindedness. Numbers are a great resource. You can give them out. Until you give out a lot, they stay compact. Anyone can make up a numbering system. But they prefer to steal someone else's system, especially if you already know your number and it is unique. There is a natural tendency for the disadvantages of an old way to attach themselves to a new way. Ever see a computer operator cry because checks get ruined? You'd think it was money, not preprinted forms!!! So it is with numbers; instead of your name and address or whatever, they can organize their data better by arbitrary numbering. But they use non-arbitrary numbering, because they miss the point! So, the best reason to refuse them your SSN is that they are misusing the concept of numbering! Spread knowledge to the masses. Explain how numbering works best only if it is arbitrary and specialized. Explain how the SSN has so many digits that they could as easily look up your name! (9999 customers looked up in a table of SSN could take ten trillion digits of storage!) Point out that you are the only David Pickett at RR2, box 631, Thorofare, NJ 08086-9632, born 5/20/49. ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072604253700> From: Larry Hunter 27-Jul-1987 12:05:37 To: security@RUTGERS.EDU Subj: [3317] Re: SS# & Utilities -- a story 1) Do many of you (net-readers) withhold your SS# in similar circumstances? Do you have these kinds of confrontations too? Yes! I had a similar confrontation with Southern New England Telephone. When I initially tried to acquire phone service in New Haven, I refused to give out my social security number. The customer service representative told me I would have to make a $200 deposit in lieu of giving out my SSN. I asked to talk to his supervisor. The supervisor gave me the same story. I told her that I was not going to give out my SSN and I was not going to pay anything extra as a result. I said further that if they intended to deny me service, they had better get in touch with their legal department and then call me back. The entire conversation was civil and friendly, but only because I kept it that way. I got a call back the next day telling me they would install my phone without a SSN or a deposit. Why does this work? Simple. The privacy act of 1974 restricts governmental use social security numbers. With certain (fairly significant) exceptions, a government agency cannot require your SSN unless it is related to social security or tax matters. Furthermore, if a gov't. agency asks for your SSN voluntarily, they must explain that it is voluntary and what it makes no difference if you give it or not. On the other hand, there is NO legislation restricting commercial uses of SSNs; if you don't give it to them, they don't have to do business with you. This is especially pernicious with credit and banking institutions. At any rate, the phone company falls in between: Since they are a state regulated monopoly, they probably don't have the ability to demand your SSN. They certainly don't want that tested in court, since they might loose the freedom to coerce and intimidate as they do. Phone companies lose huge amounts of money on unpaid final bills, and they like to be able to track people down -- SSNs are, of course, invaluable for this. You'll find other local monopolies (e.g. gas and electric companies) work pretty much the same way. With them, your SSN is yours alone. Probably the best reference on all of this stuff is Robert Ellis Smith's "Privacy: How to Protect What's Left of It", available for $7 (prepaid) from The Privacy Journal, P.O. Box 15300, Washington, DC 20003. The PJ itself is a great newsletter for keeping track of this kind of stuff, and they have a variety of other interesting publications for sale. 4) Should I bother to follow-up on this further? That is, should I bother contacting the Public Service commission in Indiana about the treatment I received? (I'm currently not sure it is worth the effort). Yes! It is definitely worth sending off a few letters. I'd send copies to the phone company's customer service department, the state public utilities commission, your state representatives, your congressmen, local newspapaers and to the Privacy Journal (address above). If nobody complains about this sort of thing, it will be institutionalized beyond change before we know it. Larry Hunter ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072609490300> From: William Daul / McDonnell-Douglas / APD-ASD 27-Jul-1987 17:29:03 To: SECURITY@RUTGERS.EDU Subj: [481] Garage Door Openers (not your typical question) A friend of mine has a two car / two door garage. He wants to install a remote control garage door opener on both doors with different frequencies for each door. He would also like ONE controller that can switch between the frequencies. Is there such a off-the-shelf system? Thanks, --Bi// ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072622481300> From: RMOREY%ATLAS%rca.com@relay.cs.net 28-Jul-1987 06:28:13 To: SECURITY-REQUEST@RUTGERS.EDU Subj: [715] SS# I don't understand how a Social Security number could be abused. In Massachusetts, your driver's licence number IS your social security number. Therefore, anytime you write a check to a store, they write your licence no. (SS#) and a charge card no. on the back of your check for approval. I can see how, in this state, it would be VERY easy for ANYONE to obtain your SS#. So, being rather naive, I'd like to know what to watch out for in giving out my SS#, and how someone could abuse my number. Thank you. Randy Morey GE Automated Systems Burlington, Mass RMOREY%ATLAS%RCA.COM@RELAY.CS.NET ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072705451400> From: IWAMOTO%NGSTL1%eg.ti.com@relay.cs.net 28-Jul-1987 13:25:14 To: security@RUTGERS.EDU Subj: [786] RE: SS# & Utilities -- a story Ok...maybe I'm a little naive... First, of all, I didn't know you could withhold your social security number. I have been giving it out just as a matter of course never realizing that I could withhold it (not to mention that it was against the law to force me to give it out). That's interesting and I may decide to use it, although, at this point, it's probably all over the place so its probably not worth my effort. I am very interested in hearing how it can be abused, however. Could you please elaborate on this a little? Warren M. Iwamoto Artificial Intelligence Laboratory Texas Instruments, Inc. iwamoto%ngstl1@eg.ti.com ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072814295100> From: trainor@locus.ucla.edu 29-Jul-1987 22:09:51 To: security@RUTGERS.EDU Subj: [485] SS# other options There are also other options. I know several people who give out random numbers and have been doing so for quite some time. They are very clever about not declaring it to be the number on file with Social Security. This is done verbally--boxes on forms are left blank. There are two variations: 1) random numbers at every query, 2) random numbers for each institution. ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072816593100> From: 30-Jul-1987 00:39:31 To: security@red.rutgers.edu Subj: [536] Some of the older readers of this list may remember my posting of an outline for an article about computer security for lawyers which I was working on last year. (Is that a single sentence? Am I pretending to be a writer?) Anyway, I just got the galleys back from the publisher. It's going to be3 in the September issue. If anybody wants a copy of it, ask me and I'll send a draft. If the demand is great, I'll make it ftp'able. -simson ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072904403100> From: djw@lanl.gov (David Wade) 30-Jul-1987 12:20:31 To: hao!gatech!spaf@ames.arpa, security@RUTGERS.EDU Subj: [6731] Re: SS# & Utilities -- a story 1) Do many of you (net-readers) withhold your SS# in similar circumstances? Do you have these kinds of confrontations too? Yes, but not wholly successfully. I too have kept my SSN private for the last eight or nine years. I had given the number out whenever asked up until that time. Now I sometimes run into the consequences of that action. The University of New Mexico 'requires' your Social Security Number whenever you enroll in classes. If you are a foreign national, the University will assign you a number; if you are a US Citizen, they will not. I was not able to test this because I had previously given them my SSN. However, we got all my records marked such that the University won't give out my SSN without a court order. 4) Should I bother to follow-up on this further? That is, should I bother contacting the Public Service commission in Indiana about the treatment I received? (I'm currently not sure it is worth the effort). The telephone companies have had their own way for so long that it is nice to finally see that turning around. You seem to think highly of Southern Belle while you express surprise that they had information about you that you had never given them and that you think they didn't need. The Privacy Act of 1974 covers only the government and its subcontractors. Currently, private companies can require whatever information they think their customers will provide. You may argue that Southern Belle is a subcontractor and you would be correct, but most people don't believe that your little problem applies to their great big company. From "The Report of The Privacy Protection Study Commission" a booklet known as appendix 4, "The Privacy Act of 1974: an Assessment" page 3. ============================================================================= Government contractors are another category of entities to which the Privacy Act applies. Subsection 3(m) of the Act provides that: When an agency provides by contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of . . . [the Act] to be applied to such system. For purposes of subsection (i) [the criminal penalties provision] of [the Act] any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of [the Act], shall be considered to be an employee of an agency. [5 U.S.C. 552a(m)] ============================================================================= ibid.,pp.35 The Privacy Act also establishes criminal penalties for certain knowing and willful violations of its requirements. Subsection 3(i) provides that an officer or employee of an agency may be found guilty of a misdemeanor and fined up to $5,000 for knowingly and willfully disclosing individually identifiable information, the disclosure of which is prohibited by the Act or agency regulations thereunder, or for willfully failing to publish an annual "Federal Register" notice on a system of records. The same penalties may also be assessed against anyone who knowingly and willfully requests or obtains an agency record about an individual under false pretenses. ============================================================================= ibid.,pp.5 What is Covered by the Act Where the Act fails to meets (sic) its objectives, the failure can often be traced, in part, to the record and system-of-records definitions that further limit its scope of application. The Privacy Act applies to a "record" that is "retrieved" from a "system of records" by the name of an individual "or by some identifying number, symbol, or other identifying particular" assigned to him. [5 U.S.C. 552a(a)(5)] As defined in subsection 3(a)(4), "record" means: . . . any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.[5 U.S.C. 552a(a)(4)] ============================================================================= However... ibid. Thus, unless an agency, in fact, retrieves recorded information by reference to a "name. . .identifying symbol, or other identifying particular. . .," the system in which the information is maintained is not covered by the Act. ============================================================================= You need to inform each "agency" what you consider "individual identifying information". You may then tell them that your 1) Name 2) Birthdate 3) Social Security Account Number (The one which identifies your retirement insurance payment information; and generally is of the form 123-45-6789...) 4) Street Address in conjunction with physical description information, 5) Phone Number in conjunction with physical description information, are sufficiently private that they may not disclose these numbers without your specific written authority, and that the "agency" must show you a log of everyone who has had access to these "records". If they cannot do this before you give them the information, they are already in violation. What makes you think that they will clean up their act after you tell them your "Retirement Account Number". These Privacy Act reports state that the majority of the burden of enforcement rests on the individual, and that the individual wasn't really interested. The Privacy Act was being observed as though it were a "good idea at the time, but not really applicable to 'my agency's situation'". A letter about Southern Belle's having "acquired" your SSN should probably be directed to the Data Processing Manager explaining that he is liable for a $5,000 fine and that he'd probably better "cut it out". You did the proper thing to the "cracker" at Indiana Bell, but you should send them a copy of what you send to Southern Belle, this note with an explanation of what the 'Risks' group is, and a request for an apology and notification that the above listed items are Privacy Act items. You won't be able to get a free unlisted phone that way, (I think, I really don't know, but the book says that that information is in the public domain). But you can certainly stop the harrassment from the Service Representatives. Dave ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987072916343500> From: David Chase 31-Jul-1987 00:14:35 To: security@RUTGERS.EDU Subj: [433] re: SS# Suppose I demand that a company with a copy of my SS# but no right or need for it remove my SS# from their records. Is there any hope of this working, or will they just laugh at me? Are there any big legal sticks that I can wield? If it is that important to keep the number secret, then this OUGHT to work. David ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987073003021100> From: James M Galvin 31-Jul-1987 10:42:11 To: security@RUTGERS.EDU Subj: [533] giving out your phone number Gene Spafford's note made me think about giving out phone numbers. When you use a credit card, store clerks always ask you to sign the receipt and right down your phone number. Sometimes they ask for your address. Now, I don't normally like to give my phone number, even if it is listed in the phone book. So, I have always wondered, can they force you to give out your phone number? Jim ----MESSAGE-END---- ----MESSAGE-BEGIN---- <1987073011044100> From: RMOREY%ATLAS%rca.com@relay.cs.net 31-Jul-1987 18:44:41 To: SECURITY-REQUEST@RUTGERS.EDU Subj: [1212] Dogs, defense against Being new to the net, I'm not sure if this topic has been discussed before. My apologies if it has. My wife loves to take my daughters (ages 2 and 2 months) for walks, but there are usually 1 or 2 big dogs loose that terrify them. We have a leash law in my town, and a friendly dogcatcher. Calls to the dogcatcher do nothing. His office is only open from 3pm to 4pm. Also, dogs will come into our backyard where my 'girls' are playing and snarl at them. I have heard about aerosol sprays that deter attackers, but can't find them and don't know if they are legal. Someone suggested to my wife that she buy a squirt gun with a 30-foot range and fill it with ammonia to shoot at dogs. Q: Would this work without getting me into a lawsuit from seriously injuring a dog? And what is in aerosol sprays that are used for self defense, if not mace? What sprays are legal and where are they found? I'm not a dog hater. I've never been a dog owner, either. Does anyone have any better suggestions? Randy Morey GE Aerospace Burlington, Mass RMOREY%ATLAS%RCA.COM@RELAY.CS.NET ----MESSAGE-END----