From: "E. Allen Smith" <EALLENSMITH@ocelot.Rutgers.EDU>
Date: Sat, 7 Sep 1996 10:13:48 +0800
To: cypherpunks@toad.com
Subject: More identification laws
Message-ID: <01I960QKGRV49JDL62@mbcl.rutgers.edu>
MIME-Version: 1.0
Content-Type: text/plain


From:	IN%"rre@weber.ucsd.edu"  2-SEP-1996 22:33:17.31

[The new welfare bill in the US has profound privacy implications and
will require major new identification systems and databases.  See the
article on the front page of today's (9/2/96) New York Times for some
details.  (There's a bunch of useful Internet stuff in the business
section too.)  This issue of the Privacy Forum, which I've abridged
and rearranged, includes three items on Social Security Numbers and
another on fingerscanning.  This is really it: pressures for universal
identifiers are growing exponentially from a hundred directions as we
speak.  I wish I knew how to communicate the magnitude of it.  If half
the stuff currently being launched in this area really happens then
the world is going to be completely different a year from now -- give
it two if the system development projects choke as per usual on their
overambition.  I hope you're not sick of this topic, because you'll
be hearing lots more about it this autumn.  Educate, agitate, organize.
Please.  Speaking of which, I've also enclosed a note about a Privacy
International web page on national identification cards.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
Send any replies to the original author, listed in the From: field below.
You are welcome to send the message along to others but please do not use
the "redirect" command.  For information on RRE, including instructions
for (un)subscribing, send an empty message to  rre-help@weber.ucsd.edu
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Sun, 1 Sep 96 18:14 PDT
From: privacy@vortex.com (PRIVACY Forum)
Subject: PRIVACY Forum Digest V05 #16

PRIVACY Forum Digest       Sunday, 1 September 1996       Volume 05 : Issue 16

----------------------------------------------------------------------

Date:    Fri, 30 Aug 1996 10:51:45 -0700 (PDT)
From:    jd@scn.org (Janeane Dubuar)
Subject: NCSL ALERT: Driver's Licenses and Birth Certificates

This alert came by mail from the National Conference of State Legislatures
in Washington, D.C.  I added an update which includes the names of
House-Senate conferees.  The federal immigration bill (H.R. 2202) is
expected to emerge from conference committee some time during the first
week of September.  Now is the time to act. 

TOWARD A NATIONAL IDENTIFICATION CARD AND MORE RED TAPE:
CONGRESS MANDATES CHANGES TO DRIVER'S LICENSES AND BIRTH CERTIFICATES

On May 2, 1996, the U.S. Senate passed S. 1664 (now called H.R. 2202 -
Senate version), a bill to reform illegal immigration, that proposes
monumental changes to all driver's licenses and birth certificates
(section 118).  These changes will force most U.S. citizens to obtain and
pay for new driver's licenses and birth certificates; compromise each
citizen's right to privacy; violate state and local control over driver's
licenses and birth certificates; and invite discrimination against
minorities.  The Congressional Budget Office estimates that the federal
driver's license mandate alone will shift up to $20 million in costs to
states and localities.  The House also passed an immigration bill, H.R.
2202.  The House bill does not contain the driver's license and birth
certificate mandates.  Both House and Senate immigration staff are
currently reconciling the two bills in an informal conference committee. 
Phone calls to House and Senate Leadership are urgently needed to demand
that the driver's license and birth certificate mandates be deleted from
the final bill. 

What Does the Senate Version of H.R. 2202 Require?

1.  Driver's Licenses  -  State driver's licenses and identification cards
MUST CONTAIN THE APPLICANT'S SOCIAL SECURITY NUMBER.  The federal
government will also create new federal standards for the application
process and design of all driver's licenses and ID cards.  States that
currently retain and verify an applicant's social security number but do
not place the number on the cards are initially exempt from the social
security number mandate.  According to the American Association of Motor
Vehicle Administrators, of the 38 states that do not require the social
security number to be on their driver's licenses, only Massachusetts would
qualify for this exemption; all other states would be required to place
social security numbers on driver's licenses and ID cards.  All states are
required to conform to the other federal standards.  States with cycles of
renewal longer than six years must start October 1, 2006.  After October
1, 2006, NO ONE may use a driver's license or ID card for identification
purposes that does not meet these federal standards. 

2.  Birth Certificates  -  All birth certificates must be printed on
federally-approved safety paper and be certified by the issuing agency.
The federal government will also issue additional provisions requiring
other security features in the future.  Starting in 1999 (three years
after the bill's enactment), birth certificates that do not meet these
federal standards cannot be accepted by any federal agency or by any state
or local agency that issues driver's licenses or ID cards. 

Who Needs a New Driver's License?

Anyone who wants to use their driver's license as a valid form of 
identification after October 1, 2006.  If you need to use a driver's 
license to vote, to apply for a passport, to qualify for a federal school 
loan, license, contract or public assistance program or to meet any other 
federal, state or local requirement you will need a new driver's license.

Will I Have to Put My Social Security Number on My Driver's License?

Yes.  While most states currently give applicants the option of not using 
this number on their driver's license or prohibit its use outright, the 
new federal requirements will force almost every American to put their 
social security number on their license or ID card.  Many citizens are 
concerned by laws that increase the circulation of their social security 
number.  The social security number is a key which provides access to 
vital personal information, which could be misused if it fell into the 
wrong hands.  Others believe that proposals making driver's licenses 
uniform, including social security numbers, are a significant step toward 
a national ID card.  Finally, many minorities contend that they will be 
disproportionately affected by the new requirements because they will be 
asked to show their documents more often than other Americans.

Who Needs a New Birth Certificate?

Anyone who wants to use their birth certificate as a valid form of 
identification after October 1, 1999.  If you need to use your birth 
certificate to establish citizenship, apply for or renew a driver's 
license, passport or other identification documents, obtain a marriage 
license, register to vote, change your name, or many other purposes you 
will need a new certificate.  No matter how old you are, if you need to 
use your birth certificate it must conform to the new federal standards, 
otherwise it is invalid.  Fees will almost certainly be charged for new 
birth certificates to pay for the new federal requirements.  This will 
impose a significant hardship on elderly and low-income Americans.


THE DRIVER'S LICENSE AND BIRTH CERTIFICATE MANDATES IN ILLEGAL 
IMMIGRATION BILL H.R. 2202 (Senate) WILL...

...INCREASE SOCIAL SECURTY NUMBER FRAUD.  H.R. 2202 (Senate version) 
will require the vast majority of automobile drivers in the U.S. to put 
their social security numbers on their driver's licenses.  In the future, 
whenever someone shows their driver's license they will also be exposing 
their social security number.  With the social security number accessible 
to so many people, it will be relatively easy for someone to fraudulently 
use your social security number to assume your identity and gain access 
to your bank account, credit services, utility billing information, 
driving history, and other sources of personal information.  This new 
federal law will compound and exacerbate a disturbing trend reported by 
banks and credit card companies that social security number-related fraud 
is already on the rise.

...INVADE PRIVACY AND THREATEN CIVIL LIBERTIES.  According to the 
Privacy Rights Clearinghouse, when social security numbers were first 
issued in 1936, the federal government assured the public that use of the 
numbers would be limited to social security programs.  The driver's 
license and ID card provisions in H.R. 2202 (Senate version) violate this 
promise, and will dramatically increase the circulation of the social 
security number and its use as a national identifier.  Now more 
corporations, creditors, insurance companies, government officials and 
others will be able to get easier access to vast amounts of personal 
information that can be used to support marketing schemes, determine 
insurance and loan eligibility, gain an advantage in a lawsuit, etc.

...PREEMPT STATE LAWS AND SHIFT COSTS TO STATES AND LOCALITIES.  According
to the Automobile Association of America, 38 states do not require drivers
to put their social security numbers on their driver's licenses. 
Legislation has been introduced in a number of states (including
Mississippi and Hawaii) that require social security numbers on their
driver's licenses to take the numbers off the card because of fraud and
privacy problems.  The new federal law would require all but Massachusetts
to change their laws, taking this option away from the majority of the
nation's drivers and limiting state authority to decide whether this
policy is appropriate for their residents.  The bill also gives the
federal government wide latitude to develop new and more costly
requirements for state driver's licenses, ID cards and birth certificates
in the future.  According to the Congressional Budget Office, the new
unfunded federal mandates in the law will shift up to $20 million in costs
to states and force states and localities to increase fees for birth
certificates to pay for new federal requirements. 

...LEAD TO A NATIONAL ID CARD THAT DISCRIMINATES AGAINST MINORITIES.  By
requiring states to tie the social security number to state-issued
identification documents, the proposal marks a dramatic shift toward using
the number as an identifier.  Today's mandate that the states follow
federal requirements in their identification documents will lead to
tomorrow's mandate:  that the federal government issue the identification
documents itself to ensure uniformity and reliability.  Make no mistake:
this provision is a key building block for national identification
documents, and the national ID card.  If such an ID card is mandated,
Latinos, Asians, and other Americans who "look foreign" or speak with an
accent will be expected to produce this document far more often than other
Americans, especially if they live in border areas.  Increasing
discrimination against our own citizens is no way to deal with the problem
of illegal immigration. 

...TANGLE CITIZENS IN GOVERNMENT RED TAPE.  The federal bill requires any
citizen that needs to use their birth certificate for official
identification to get a reissued birth certificate from their place of
birth by October 1999.  Senior citizens that intend to apply for Medicare
will need to obtain a new birth certificate.  Couples engaged to be
married will need new birth certificates for a marriage license and to
change their names.  Professionals traveling internationally for business
or families going on vacation overseas will need new birth certificates to
obtain passports.  With millions of citizens requesting new birth
certificates, lines and waits for federally-approved birth certificates
will be long.  All recipients will be charged a fee for their new birth
certificates. 
		      -------------------------------

UPDATE:  To study the full text of the Senate's version of H.R. 2202, go
to http://thomas.loc.gov and look up S.1664, section 118.  Write or call
conferees and your own member of the House.  As of Thursday, 8/29/96, 4:30
pm EDT, Senate conferees on the immigration bill were: 

Feinstein, Dianne - California 
Grassley, Chuck - Iowa 
Hatch, Orrin - Utah
Kennedy, Edward - Massachusetts 
Kohl, Herb - Wisconsin 
Kyl, Jon - Arizona
Leahy, Patrick - Vermont 
Simon, Paul - Illinois 
Simpson, Alan - Wyoming
Specter, Arlen - Pennsylvania 
Thurmond, Strom - South Carolina

Likely House conferees include:

Becerra, Xavier - California (30)
Berman, Howard - California (26)
Bono, Sonny - California (44)
Bryant, Ed - Tennessee (7)
Bryant, John - Texas (5)
Conyers, John, Jr. - Michigan (14)
Frank, Barney - Massachusetts (4)
Gallegly, Elton - California (23)
Goodlatte, Bob - Virginia (6)
Hyde, Henry - Illinois (6)
McCollum, Bill - Florida (8)
Smith, Lamar - Texas (21)

Please do not wait to contact House conferees.  The conference report 
could be issued within as little as 24 hours of their final selection.

To be most effective, letters should be postmarked by Saturday, August
31st, or faxed early the following week.  Members' offices also may be
reached by phone through the Capitol Switchboard (202) 224-3121. 
Thanks for your help.

------------------------------

Date: Fri, 16 Aug 96 15:24 EST
From: Robert Ellis Smith <0005101719@mcimail.com>
Subject: Alternatives to Social Security Numbers

   [ From Risks-Forum Digest; Volume 18 : Issue 35  -- MODERATOR ]

Last spring, I asked readers of RISKS for suggestions on alternatives to
Social Security numbers in organizations with large data bases of
information about individuals.  Many such organizations find they do not
need to use SSNs, and avoid privacy problems associated with using them.
For a copy of all of the responses, send a request to us and specify whether
you want hard copy or electronic edition of our August issue, and provide
postal address or e-mail address.

Robert Ellis Smith, Publisher, Privacy Journal newsletter,
Providence, RI, 401/274-7861, e-mail 5101719@mcimail.com.

Excerpts from the suggestions follow:

* FROM WASHINGTON, D.C.: Maryland uses Soundex (of name and birth date
concatenated [linked in a chain]) both for driver and vehicle registrations.

* FROM CAMBRIDGE, MASS.: "Against Universal Health-Care Identifiers" in the
JOURNAL OF THE AMERICAN MEDICAL INFORMATICS ASSOCIATION 1:316-319, 1994, by
Dr. Peter Szolovits of MIT and Dr. Isaac Kohane of Children's Hospital in
Boston, discusses a number of ways in which cryptography- based health care
identifiers can be used to preserve privacy while remaining manageable for
typical medical purposes.  This is publication #49 (in Postscript format) at
http://medg.lcs.mit.edu/people/psz/publications.html.

* FROM YARDLEY, PA.: One way is to use a simple scheme like three letters
from last name, the first initial, and some digits; another is just to use
sequential numbers.  Another is an MD5 hash of the full-name string [a
one-way mathematical function as a stand-in for the name that makes
translation back to the original name impossible].  This is always unique
for a unique string, so you might need to add some numbers.

* FROM MADISON, WISC.: When I was working on the development of the
Wisconsin Student Data Handbook - we tried to develop
 what we called an "SSN surrogate," also of nine bytes per
individual.  It involved an algorithm which combined year,
month, and date of birth with sex and two consonants each
 extracted from the first and middle names.

* FROM CYBERSPACE: I worked with a banking software company that set up
employee records simply by exact hire date and time.  Since they never hired
anyone at exactly the same time, it gave each person a unique number.  You
could do the same for any data base in which records are added gradually one
at a time - just number them based on exact date and time added.

* FROM PALO ALTO, CAL.: At Stanford University we made a decision long ago
not to use SSN for identification except where required by law (payroll
taxes, for example).  We use a unique Stanford University ID (SUID), which
is a lifetime number and applies to all students, alumni, faculty, staff,
and patients.  It serves all the same purposes that the SSN would do if it
were used.  

------------------------------

Date:    Sat, 24 Aug 1996 00:25:15 -0400
From:    Monty Solomon <monty@roscom.COM>
Subject: SSN and Welfare Legislation

Excerpt from EPIC Alert 3.15

=======================================================================
[3] Welfare Legislation Signed by Clinton
=======================================================================

On August 22, President Clinton signed the Personal Responsibility and
Work Opportunity Reconciliation Act of 1996. The bill includes a
number of sections that expand the use of the Social Security Number
and create new databases of personal information.

The bill requires that states obtain individuals' Social Security
Numbers for many state documents.  It provides that on "any
application for a professional license, commercial driver's license,
occupational license, or marriage license [the SSN] be recorded on the
application."

The new bill also creates a national database of every employee in the
United States.  States are also required to create databases of "new
hires."  The state databases would be uploaded to a federal registry
and the Social Security Administration would verify the SSNs.  The
Commissioner of Social Security is required to develop "a prototype of
a counterfeit-resistant social security card" made of tamper proof
materials for proving citizenship, and to issue a report on the cost
of issuing a new card to all citizens over a three, five or ten year
period.

More information on the welfare bill, the Social Security Number, and
efforts to expand its use is available at:

     http://www.epic.org/privacy/ssn/

------------------------------

Date:    Fri, 30 Aug 1996 10:34:03 -0700 (PDT)
From:    jd@scn.org (Janeane Dubuar)
Subject: fingerprinting by banks

SEATTLE WEEKLY

Copyright 1996 - used with permission

July 24,1996  -  "Quick and Dirty"
column by Eric Scigliano

Thumbprint, retinal or body-odor scan, sir?

If you think those "Go to Jail" charity slumber parties are a scream, you 
may get a kick out of cashing checks after September 11.  That's when US 
Bank will start requiring that non-customers cashing its checks consent 
to be finger--or, rather, thumb--printed.  Other local banks are expected 
to join US Bank on the new security frontier in September, and at least 
one, Seafirst, plans to start taking thumbprints next year in step with 
its California parent, Bank America.  The thumbprinting scheme is being 
pushed by the Washington Bankers Association, which wants all its members 
to take the plunge together.  As Dan Doyle, regional manager over US 
Bank's Western Washington branches, notes, "I'm not sure any one bank 
wants to be the one to step out and do it--it probably sounds cold, hard, 
and not very customer-friendly."  Indeed.  "But it's really to protect 
customers."

That protection is supposed to come from deterrence.  Very few, if any, 
check forgers actually get caught via thumbprints in those states (most 
notably Texas, Nevada, and Arizona) whose banks already take them.  
Tellers can't (yet, anyway) check the prints for known forgers; the 
prints will merely be saved (on the checks themselves) for investigation 
in the event of a bounce.  But Bruce Koppe, the Bankers Association's 
executive director, reports that bogus-check losses have declined by 40 
percent in those states.  Doyle says US Bank has charted 45 percent 
reductions in states where it's tried the system, and fewer than 1 
percent of those asked decline to give prints.  Some retailers, and 
reportedly at least one local credit union, are already taking prints on 
checks.  

Customers can at least be reassured that they won't have to bear the 
telltale black stains of traditional fingerprinting; the new "inkless"  
printing leaves no visible mark on the skin.  Still, fingerprinting is, 
in the words of American Civil Liberties Union lobbyist Jerry Sheehan, 
"the archetypal metaphor of criminality, along with the mug shot and 
lineup."  Some tellers are already grumbling at the prospect of having to 
do it.  The banks take heart that they won't be demanding prints of their 
current customers.  But the ill will may still come around to bite them; 
those are all potential customers they stand to infuriate, and 
account-holders may not like the idea of their checks being valid only 
when backed by thumbprints.

And thumbprinting may be just the nose under the tent.  That mixed bodily 
metaphor suits the brave new world of "biometric" identification in which 
we will, very soon, find ourselves.  Down in Olympia, a working group of 
the joint Legislative Transportation Committee is considering what kind 
of biometric and/or computer technology to adopt in upcoming "smart" 
driver's licenses; its findings are due in December, preparatory to the 
next legislative session.  Possibilities include a bar code or magnetic 
strip; a store scrutinizing your check or a cop writing a ticket could 
scan your full digitalized profile.  All the drivers' license data that 
now fills a state warehouse could be consolidated in a single data base.  
And all those sci-fi and privacy-protectionist warnings about personal bar 
codes and instant snooping will come true.  

Transportation Committee staffer Jennifer Joly says that fingerprinting 
is still the most common form of biometric ID.  But more exotic 
techniques are coming in: hand geometry scans, retinal scans, iris scans, 
computerized facial recognition, and (I am not making this up) body odor 
measurement.  It seems unlikely that those who take IDs will stop at 
thumbprinting checks.  Joly reports that bankers, retailers, and 
law-enforcement groups have joined in a coalition to weigh in on the new 
drivers' licenses.

"We'll be pushing for legislation imposing severe restrictions" on 
fingerprinting, the ACLU's Sheehan vows.  And they'll "continue to resist 
these pressures to create uniform identification papers from a document 
intended for driver's certification." [...]

July 31, 1996  -  "Quick and Dirty"
column by Eric Scigliano

[...]
They want to know it all

If you feel queasy about being fingerprinted by a bank, imagine how 
tellers feel about all the information they're supposed to disclose.  US 
Bank asks employees to fill out an "extortion readiness card" listing all 
their cars (by number and "markings") and neighbors, the names, schools, 
and daily routes and schedules of their children, and any meetings they 
themselves regularly attend.  US Bancorp spokeswoman Mary Ruble says 
taking such data is a longtime standard banking practice done for the 
employees' "own safety," to protect them in "hostage situations" and to 
help authorities "follow up if a claim of kidnapping is made."  She adds 
that US Bank has never encountered such a situation, but believes other 
banks have.  The cards are kept confidential in a central office, and 
filling them out is "voluntary for employees."  But one bank worker who 
objected recalls being told to fill out the card anyway, and got the 
feeling, despite the explanation, that the intent was really to guard 
against crimes by, rather than against, employees.  "The extortion 
readiness card has nothing to do with embezzlement," says Ruble.

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.

------------------------------

End of PRIVACY Forum Digest 05.16
************************



Date: 2 Sep 1996 13:52:18 -0500
From: "Dave Banisar" <banisar@epic.org>
To: "Interested People" <interest@epic.org>
Subject: National ID Card Web Pages


         EXTENSIVE NATIONAL ID CARD WEB SITE IS NOW ON LINE


The London-based human rights watchdog Privacy International (PI)
has just opened an extensive web page on National ID cards. The
initiative comes in the wake of pending efforts in the United
States, Canada and United Kingdom to implement national ID card
systems.

The page contains a 7,000 word FAQ (Frequently Asked Questions) on
all aspects of ID cards and their implications. Also included in the
PI documents is a paper describing successful campaigns opposing to
ID cards in Australia and other countries.  The page also has links
to numerous other sites and documents.

PI Director Simon Davies said he hoped the page would help promote
debate about the cards, "ID cards are often introduced without
serious discussion or consultation. The implications are profound,
and countries planning to introduce them should proceed with
caution."

"The existence of a card challenges important precepts of individual
rights and privacy. At a symbolic and a functional level, ID cards
are often an unnecessary and potentially dangerous white elephant.
They are promoted by way of fear-mongering and false patriotism, and
are implemented with scant regard for serious investigation of the
consequences." he said.

The URL is :

   http://www.privacy.org/pi/activities/idcard/

PI has also set up an auto response function for the FAQ document.
Its address is: idcardfaq@mail.privacy.org

Privacy International is an international human rights group
concerned with privacy and surveillance issues. It is based in
London, UK. For further information contact the Privacy
International Washington Office at +1.202.544.9240 or email
pi@privacy.org. PI's web page is available at:
http://www.privacy.org/pi/


_________________________________________________________________________
Subject: National ID Card Web Pages
_________________________________________________________________________
David Banisar (Banisar@privacy.org)     *  202-544-9240 (tel)
Privacy International Washington Office *  202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301     *  HTTP://www.privacy.org/pi/
Washington, DC 20003