home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 2
/
HACKER2.BIN
/
772.CPD336.TXT
< prev
next >
Wrap
Text File
|
1993-09-19
|
20KB
|
402 lines
Computer Privacy Digest Sat, 18 Sep 93 Volume 3 : Issue: 036
Today's Topics: Moderator: Dennis G. Rears
Family Educational Rights and Privacy Act
John misses the point
Re: About Selling Phone Numbers
Re: Something to Consider
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: merlin <merlin@neuro.usc.edu>
Newsgroups: comp.society.privacy,alt.privacy
Subject: Family Educational Rights and Privacy Act
Date: 17 Sep 1993 09:52:22 -0700
Organization: University of Southern California, Los Angeles, CA
My campus housing office disclosed my name, address, social security
number, and other non-directory information to a private third party
commercial long distance telephone carrier in order to help this 3rd
party long distance carrier replace Pacific Telephone as the carrier
for all students in campus dorms/apartments.
When I complained that such disclosure violated the FERP our general
counsel replied that (1) the 3rd party long distance carrier signed a
confidentiality agreement and (2) the 3rd party long distance carrier
was acting as an 'agent' of the university.
It seems to me this disclosure is forbidden by the FERP -- the campus
knows it violated the FERP -- and is trying to get out of it by using
the claim that the 3rd party carrier is an 'agent' of the campus.
Does anyone on the network know the FERP well -- maybe to the point of
representing usc dorm students in administrative complaint and/or some
followon lawsuit for willfully continuing to disclose this information
to an inappropriate 3rd party long distance telephone carrier?
>>My campus housing office disclosed my name, address,
>This is definitely directory information.
I specifically requested nondisclosure of even directory information -- so
the disclosure of this information is against the act.
>>social security number
The campus identifies SSAN as nondirectory information. Moreover, neither
the statute or the implementing regulations in the CFR's identify SSAN as
potential directory information. I believe everyone would agree SSAN is
not in the category of directory information.
>Incidentally, how do you know that they have this information? Did they send
>you a form with your SS # on it or something?
I called Sunbelt Computer Systems home office in Phonenix AZ before they opened
an office under the pseudonym Student Telephone Services on campus -- and they
identified me by social security number and told me they were provided my SSAN
by the USC Housing & Residence Halls office.
Also, on the back of the telephone authorization code/credit card sent to me by
Student Telephone Services (a.k.a. Sunbelt Computer Systems) is the statement:
"REMEMBER: Your student identification number serves
as your account number."
Clearly SCS/STS/HTS (whatever else this third party long distance carrier wants
to be called) acquired, used, and intended to continue using student ID numbers
(which on our campus are almost exclusively social security account numbers) as
their own internal account number for student long distance telephone accounts.
>What other information did they disclose? I could hardly imagine any other
>non-directory information that would be of interest to long distance carrier.
Other minutia -- financial records and the like.
>>When I complained that such disclosure violated the FERP our general
>>counsel replied that (1) the 3rd party long distance carrier signed a
>>confidentiality agreement and (2) the 3rd party long distance carrier
>>was acting as an 'agent' of the university.
>
>Well, (2) sounds like garbage, but neither sounds like the counsel was
>necessarily admitting a violation of FERPA. Schools do have lattitude
>in decidening whether or not to disclose directory information. He may
>have been explaining their reasons for disclosing directory information.
>(And in any case, he likely just figured that he was calming some crazy
>student, rather than framing a legal position. Don't assume that they
>respect you enough at the outset to pay serious attention to you...)
>
>It would certainly be very stupid for an attorney to admit such a
>violation--not to mention that school's are usually pretty careful about
>FERPA, in the first place.
>
>I'd like to hear just what information was disclosed, and find out about
>any relevant interpretations of "directory information" before drawing
>a conclusion as to whether or not the school actually violated FERPA.
>
>By the way, how did you manage to talk with the school's attorney? It seems
>awfully strange for you to be dealing with the school's attorney, rather
>than with an administrator.
Quote from 7/23/93 letter from Mr. Jeffrey Urdahl (USC Director Housing and
Residence Halls) to A. J. Annala (Student in USC Graduate Student Apartments):
"I share your concerns regarding disclosure of student information
to non-University entities. In discussion with the General Counsel's
office, it was determined that the release of information for telephone
services to Sunbelt Computer Systems would in fact be legal as they are
acting as an agent of the University. In addition, they signed a
confidentiality agreement that we maintain in our files. Therefore,
release of this information was seen as within the requirements of the
Student Educational Rights and Privacy Act."
So, I dealt with an administrator who relayed counsel's opinion. Another
administrator (Associate Registrar) wrote:
"The release of SSN is, of course, prohibited."
All in all, I'll confine my complaint to disclosure of SSAN, which admittedly
occurred, continues to occur because the campus insists SCS is an agent of the
campus, and appears to be a clean cut violation of the FERP.
So, I wrote to the housing director. I also wrote back to the registrar.
I don't know what else I should do.
--------------------------------------------------------------------------
Mr. Urdahl,
Here is a copy of the portion of federal law (United States Code) which
spells out the only individuals, agencies, or organizations to which you
may disclose student records without a written request from the student
[or the parents of the student] subject of the record to be disclosed.
It is my understanding that Sunbelt Computer Systems (a.k.a. USC Student
Telephone Services) is solely concerned with the sale of long distance
telephone service. SCS is not involved in the maintenance of telephone
equipment at the USC campus. SCS has no purpose for accessing student
records other than to facilitate their attempt to replace Pacific Bell
and AT&T as the long distance carriers for the students identified in
the student records transmitted to SCS by Mr. Jeffrey Urdahl's office.
Would you please indicate, among the categories identified below, which
category includes SCS -- and therefore would authorize the disclosure
of student records (including social security number) to SCS? It would
seem to me, given the very restricted nature of this list, that SCS is
not authorized to receive student records under any circumstances. If
it is claimed that SCS falls under subsection (1)(A) would you please
state the "legitimate educational interests" served by the disclosures.
Also, under section (4)(A) below, you are required to "maintain a record,
kept with the education records of each student, which will indicate all
individuals (other than those specified in paragraph (1)(A) of this
subsection), agencies, or organizations which have requested or obtained
access to a student's education records maintained by such educational
agency or institution, and which will indicate specifically the legitimate
interest that each such person, agency, or organization has in obtaining
this information." I hereby request a copy of this record for release of
all information from my student records [particularly records maintained
under Mr. Jeffrey Urdahl's jurisdiction] to any third party not identified
in subsection (1)(A) of the Family Educational Rights and Privacy Act.
Thanks, AJ Annala
cc: Mr. Morley
n.b. I am not interested in filing a complaint with the US Department
of Education. I do, however, believe the campus made a mistake in the
disclosure of student records to SCS -- and -- that it is incumbent on
the campus to retrieve those records to rectify this situation. If it
is not possible to do this then it would seem the campus is supporting
a policy of permitting the release of student records against the Act.
The potential penalty could be the removal of Department of Education
funding from the campus -- an undesirable outcome for all concerned.
--------------------------------------------------------------------------
20 USC 1232g. Family educational and privacy rights [Buckley Amendment]
(1) No funds shall be made available under any applicable program to
any educational agency or institution which has a policy or practice of
permitting the release of educational records (or personally identifiable
information contained therein other than directory information, as
defined in paragraph (5) of subsection (a)) of students without the
written consent of their parents [or students] to any individual, agency,
or organization, other than to the following--
(A) other school officials, including teachers within the educational
institution or local educational agency, who have been determined by such
agency or institution to have legitimate educational interests;
(B) officials of other schools or school systems in which the student
seeks or intends to enroll, upon condition that the student's parents be
notified of the transfer, receive a copy of the record if desired, and
have an opportunity for a hearing to challenge the content of the record;
(C) authorized representatives of (i) the Comptroller General of the
United States, (ii) the Secretary, (iii) an administrative head of an
educational agency (as defined in section 408(c) , or (iv) State
educational authorities, under the conditions set forth in paragraph (3)
of this subsection;
(D) in connection with a student's application for, or receipt of,
financial aid;
(E) State and local officials or authorities to whom such information
is specifically required to be reported or disclosed pursuant to State
statute adopted prior to November 19, 1974;
(F) organizations conducting studies for, or on behalf of, educational
agencies or institutions for the purpose of developing, validating, or
administering predictive tests, administering student aid programs, and
improving instruction, if such studies are conducted in such a manner as
will not permit the personal identification of students and their parents
by persons other than representatives of such organizations and such
information will be destroyed when no longer needed for the purpose for
which it is conducted;
(G) accrediting organizations in order to carry out their accrediting
functions;
(H) parents of a dependent student of such parents, as defined in
section 152 of the Internal Revenue Code of 1954; and
(I) subject to regulations of the Secretary, in connection with an
emergency, appropriate persons if the knowledge of such information is
necessary to protect the health or safety of the student or other persons.
--------------------------------------------------------------------------
(4) (A) Each educational agency or institution shall maintain a
record, kept with the education records of each student, which will
indicate all individuals (other than those specified in paragraph (1)(A)
of this subsection), agencies, or organizations which have requested or
obtained access to a student's education records maintained by such
educational agency or institution, and which will indicate specifically
the legitimate interest that each such person, agency, or organization
has in obtaining this information. Such record of access shall be
available only to parents, to the school official and his assistants who
are responsible for the custody of such records, and to persons or
organizations authorized in, and under the conditions of, clauses (A) and
(C) of paragraph (1) as a means of auditing the operation of the system.
--------------------------------------------------------------------------
------------------------------
Date: Fri, 17 Sep 1993 10:15:08 -0700 (PDT)
From: Dave Ptasnik <davep@cac.washington.edu>
Subject: John misses the point
> From: John Higdon <john@zygot.ati.com>
> Organization: Green Hills and Cows
> Subject: Re: ANI
>
> All the verbage aside, this is what seems to bother you a great deal.
> Tell me, why is it that you seem to feel it so threatened that an entity
> that you call who pays for that call know who you are?
> I am interested in YOUR reasons for having an abhorrance for
> letting a business that YOU elect to contact know anything at all about
> the person doing the contacting.
It should be enough that many people feel that it is an invasion of
privacy for it to be considered just that. While I am not the person
of whom John asked this question I will give my answer. My
mother-in-law has cancer. If I call a medical information information
service at a hospital, and that service is paid for by a health
insurance company, I am concerned that the health insurance company
will keep track of all phone numbers that access cancer information.
Once the insurance company has a database of callers to a cancer
hotline, it is very easy to compare that list to the phone numbers of
new applicants for coverage. Even though I don't have cancer, and am
not genetically related to anyone who does, now I have a problem
because I made the call. The insurance company isn't selling the list,
they aren't calling for new customers, it is unlikely that anyone will
ever know why their application for insurance was denied, or why they
were asked to take lots of tests before being accepted. Granted this
method of screening is not perfect. The data ages very rapidly. There
are lots of ways around this if you suspect it is happening. Still, I
think it is a legitimate reason for me to resist giving out my phone
number when I call that kind of info serivce. I feel like I am paying
for the service by having to listen to the inevitable commercials you
hear with that sort of thing.
If the service chooses to reject calls from blocked numbers, that is their
privilege.
> The custom and usage of caller anonymity, a legacy of the limited
> technology of the past, will die hard.
John, you are the one who wants to limit technology. The technology
exists to send Caller ID and/or ANI. The technology exists to prevent
the sending of both or either. The technology exists to reject blocked
calls. I suggest we put all of these technologies into the
marketplace, there are customers for all of them. I'm sorry that you
feel that the technologies that I like decrease the value of the
technologies that you like, but I resent your telling me that I should
not have blocking, just because you want my phone number.
John, I'm truly sorry that PacBell decided not to give you access to
this latest technological terror. I have often heard you support
divestiture (as do I). When we get competition at the local level, you
will get your Caller ID, maybe even true ANI. Some of us will probably
block our numbers when we call you. But just because PacBell did not
give you what you wanted, citing the reason of required blocking for
their refusal to offer Caller-ID, does not mean that blocking is a bad
idea, or that it is the fault of privacy advocates that you did not get
what you wanted. I think you can more squarely place the blame on
PacBell for their desire to be controlling and manipulative, interested
in their own pocketbooks to the exclusion of the deisres of thier
customers. An inexcusable attitude from a regulated monopoly.
For all of you out there with door and peephole analogies, I retain my
privilege of putting my thumb over the hole when I knock. You retain the
privilege of not opening the door. Should I become obnoxious on your
front porch, you can always call the cops.
> As the knee-jerk reactions to
> anything that threatens the status quo subside, we may all eventually
> look back on this era with great amusement.
I agree with that, but I do wonder who will be getting laughed at.
Get the point John. When you get the features you want, don't attempt to
deny me the features I want. I want the freedom to call without
identifying myself. I do not want you to force me to send my number. If
you don't like the way I call you, I would never dream of forcing you to
answer.
------------------------------
From: Ed Ravin <eravin@panix.com>
Subject: Re: About Selling Phone Numbers
Date: 17 Sep 1993 13:10:56 -0400
Organization: Not Just Another Pretty Face
In article <comp-privacy3.35.1@pica.army.mil>,
Carl Oppedahl <oppedahl@panix.com> wrote:
>>Two days after getting a new phone line here in Tucson, the local paper
>>was calling to "FIRST, welcome me to my new neighborhood, and SECOND..."
>>of course they wanted me to buy their paper.
>
>Yes, most telcos peddle lists of people who have just gotten new
>service, and you can be sure they are very popular among many service
>industries including newspaper delivery.
But let's not forget the biggest offender in this department: the US
Postal Service. When you file a change-of-address, it immediately
gets delivered to a whole bunch of junk mail lists. The junk mail at
your new address often gets there before you do.
--
Ed Ravin |
eravin@panix.com | "The cockroach is very advanced politically -- not
elr@trintex.uucp | one cockroach in America voted for Ronald Reagan."
+1 914 993 4737 | ---- Professor Louie
------------------------------
Date: Fri, 17 Sep 93 10:18:00 EDT
From: Brinton Cooper <abc@arl.army.mil>
Subject: Re: Something to Consider
Organization: The US Army Research Laboratory
Kirsi M. Vivolin <vivo@hardy.u.washington.edu> discussed the well-known
risks (see Risks-Digest archives for complete discussions on the topic)
of pooled databases by phone companies, credit organizations, etc. She
says, in part:
| On the other hand, if data from many different points starts converging
|into one database, privacy becomes impacted. Not only can we expect
|this to happen(it is happening now), but we can expect little guidance
|from the existing body of law, simply because there has never been any
|precedent to this.
|
Notice how she slipped in "(it is happening now)" near the end of the
posting. A key point in the ANI debate on this forum is whether "it" is
happening or not. If corporations are collecting ANI data and using it
for nefarious reasons, let's have at least one concrete example, rather
than a litany of what "could" happen. Let's not suggest legislating as
illegal acts which haven't yet been observed.
_Brint
------------------------------
End of Computer Privacy Digest V3 #036
******************************