Conference 7.286::digital

Assuming you are in an HMO, you can be sure that Digital has provided them
with you SSN as well.

    Re .-1
    
    Oh no they haven't. When I registered for the HMO (Harvard) I refused
    to put my SSN on the form. I also wrote all over it that I was NOT
    authorizing Digital to disclose it. Apparently that caused me to get a
    really weird Harvard number. When I give out my HMO number I often get
    asked to repeat it because it isn't a format of number they recognize.
    
    I also took the time to go to the Harvard admin office and get a full
    print out of my record with them to insure my social security number
    wasn't in the record. I can assure you that if it had have been in the
    record Digital would have regretted disclosing personal confidential
    information. In this case they didn't. I want to make sure that they
    don't disclose my SSN number to the charge card company either.
    
    You'd be amazed what people try to use SSN numbers for. Pharmacies keep
    track of prescriptions by SS number if they can. And believe it or not
    they sell the information. As far as I'm aware there is no limit to who
    they can sell it to either.
    
    I'm an individual and I am NOT identified by by SS number.
    
    Dave

I didn't put it on my form either but Digital "thoughtfully" put it on for me.

    I didn't put my SS on my HMO form either; no problem.  Digital needed
    the number on its copy of the form, since the HMO payroll deduction was
    tax exempt, and like most people my "TaxPayer Identifification Number"
    is my SS number; but the local (ZKO) personnel folks were happy to keep
    the number out of the hands of the HMO folks.
    
    Like the author of .0 I would be extremely unhappy if Digital were to
    provide my SS# to anyone!

    Do you have a drivers license?  At least, in GA and AL, your SSN is 
    on our drivers license, therefore anyone who needs to see your DL
    (for check cashing, etc...) can get your SSN!  

    
    In MA too, SS# is the Drivers Licence Number.

    However, you can refuse to have your social security number used as
    your drivers lic. number, there are signs at the registry asking you to
    inform them if you don't want it used and they will assign you a
    different number!  As .0 says, there are very few instances where you
    have to give your SS number.

    I think that they already know your SSN; the check is to show that you
    recieved the card, and someone else hasn't stolen it from the mail.
    Unless that person can supply the number, the card won't be activated.
    
    Credit card companies frequently ask for your mother's maiden name as
    well, to check when you make a large or otherwise "suspicious"
    transaction like a large cash advance. How do you feel about that?
    
    

    Re .-1
    
    It is the fact that they'd already know my SS number that has got me
    up in arms. Because the only way they'd know it is if Digital gave it
    to them. I'm just making it clear that I don't expect Digital to give
    ANYBODY my SS number unless they are obligated to do so by law.
    
    Dave

    Add me in this, too.  I've already sent mail to the address in the memo
    (no response) asking another number be assigned.  If you'll reread the
    memo, they guarantee the privacy of the information then, a few
    paragraphs further, state your information will be turned over to
    credit agencies if you're delinquent.  As anyone with SYSPRV knows,
    information is only safe as long as no one else *really* wants to see
    it.
    
    Some people have abusive ex-spouses, are victims of stalkers, have had
    infobase-related crime (burglary, extortion, identity assumption, and
    far worse), etc. and DON'T want this information out anywhere.  For all
    of you who feel comfortable passing your info around and populating
    databases, I respect your right.  As for those of us who don't, our
    rights should be respected also, especially when the consequences could
    be very severe.  Digital, I thought, was sensitive to this.

    Re .-1
    
    I'm glad I'm not alone in this. I encourage everybody else who feels
    strongly about Digital disclosing confidential information to also send
    a message to POWDML::CHARGECARD. My feeling is that the more messages
    they get the less likely they are to compromise our privacy.
    
    As pointed out in .-1 there is actually a paragraph in the memo that
    explicitly says that Digital intends to disclose confidential
    information about you to the chargecard company. I didn't actually
    highlight that paragraph.
    
    Dave

    I have checked my Georgia driver license and my SS# is not in it.
    I am, however, becoming increasingly concerned about the possible
    abuses of shared databases where personal information is freely
    disseminated without regard for either privacy or discretion.
    
    Is there some government publication which lists those agencies or
    institutions which are authorized and/or required by law to have
    access to or use of your SS# ?
    
    

    I'm not in the US, so don't understand the significance of the SSN.
    
    With numbers I have:
    
    a UK social security medical card
    a French social security number
    a Digital badge
    a driving licence
    a bank card
    gas, electricity, telephone consumer numbers
    a bank account
    a PIN for my bank card
    
    The only one I will _not_ reveal is the PIN for my bank card.
    
    For the rest, if someone wants the number and seems to be legit I'll
    tell them.  If I feel I'm being deluged with junk mail I'll write and
    ask them to drop me from their list.  If they don't, I'd start sending
    it back, unstamped so they have to pay double :-) 
    
    What's the big deal about disclosing a US SSN?
    
    Nick

    This topic has been discussed at length in ASKENET_V5 and other
    conferences, so I'll just summarize it here.  The general feeling is
    "If you don't have anything to hide, why not give it out?" among those
    who have never had problems.
    
    Many companies/agencies try to use the SSN as a central identifying
    number.  If we lived in a perfect society, this wouldn't be a problem,
    but we don't.  Actual cases I know of are: criminals assuming other
    people's identities for employment/tax purposes, people with revoked
    licenses getting same in other people's names, cross-referencing phone
    accounts and city pages for burglary, and attempted rape/murder (good
    friend of mine who *also* saw nothing wrong with giving your SSN to
    everyone.  They since caught the guy). 
    
    Obviously, even a clerical error can be disastrous if someone else
    obtains your SSN.  With a name, birth-date, and SSN I can get a credit
    report on anyone.  This lists all of your charge cards, accounts, etc.
    Using this SSN for verification, I could have new cards mailed to a
    mail drop and party in Bermuda for awhile.
    
    *** MODERATOR QUESTION *** If I posted someone's name, birthdate, and
    SSN in this file would you allow it to stand or would it be deleted?
    If it would be deleted, then why?
    
    Having your SSN bandied around is like playing Russian Roulette.  No
    big deal as long as nothing happens, extremely big deal when something
    does.  Many US charge companies, by the by, have found the SS# useless
    and now put your picture on your card and have you verify actual
    account detail (address, last charge, mother's maiden name, etc.) when 
    you call.  I applaud this and have no issue with it.
    
    Be careful out there, there are not-nice people lurking around
    monitors, credit agencies, printers, 7-11 counters, etc., etc., etc.

    Here's the VISA application from VTX, you can see why they want your
    SS#, they're going to review everyone's credit history. I don't 
    remember signing a release for AMEX to do a credit check, did DIGITAL 
    ok this by default?? 


                     FIRST BANK VISA CORPORATE CHARGE CARD

            APPLICATION FOR DIGITAL EQUIPMENT CORPORATION EMPLOYEES


INSTRUCTIONS
Complete the attached and forward it to an authorized signer for your cost 
center.  This individual can either forward the application electronically 
(to CHARGECARD @MSO or POWDML::CHARGECARD) or fax it to DTN 223-7986 for 
processing.  Corporate Travel is located at MSO2-3/C17.
                  

  
EMPLOYEE INFORMATION
|Name (first-middle-last)		|Badge	|Social Security #|
|		|	|		|       |     -     -     | 
|Home Address			|City		|State	|Zip Code|
|				|		|	|	 |
|Home Telephone #|Business Telephone #|DTN Prefix|Cost Center|Site Code|
|(   )    -	 |(    )    -	      |		 |	     |	       |
|Billing Address (if different from home)|City	|State	|Zip Code|
|					 |	|	|	 |
|Date of Birth (MM-DD-YY)|Anticipated monthly travel/entertainment expenses|
| 			 |$						   |


EMPLOYEE APPLICANT SIGNATURE
Employee Applicant requests that he/she be issued a First Bank VISA Corporate 
Card and authorizes FBS Card Services, Inc. to obtain credit information 
concerning Employee Applicant for the sole purpose of issuance, renewal, and 
replacement of a First Bank VISA Corporate Card.  In consideration of the 
issuance to and the use of the First Bank VISA Corporate Card, the employee 
applicant agrees to be bound by the First Bank Corporate Card Cardholder 
Agreement accompanying the Card for all charges incurred by the use of the Card.  
Creditor is First Bank of South Dakota (National Association).

                  
|Signature of Employee Applicant	|Date			|
|					|			|
|Approving Manager (Print Name)		|Badge	|Date		|
|					|	|		|
|Signature of Approving Manager		|Badge	|Date		|
|					|	|		|

    Well, that blows the "has promised to keep this private" clause.  FBS
    Services, like all reporting services, will update their files with the
    application.  Thus, if they don't find a record on you, they will
    create one.  If they find one, they'll update it with the fact that
    you've requested credit (a potential negative in itself, if too many
    hits have been made in a certain period).
    
    I'm afraid I don't feel warm and fuzzy on this.  My understanding is
    that they're doing this on my behalf, whether I want to or not, and
    that my sole option is non-activation which would put me out of
    compliance with policy?
    
    I've received no reply from POWDML::CHARGECARD to date.  Does anyone
    have a DTN of someone to talk to?  Anyone have additional news?

Well, at Blockbuster, I simply refused to sign the bit which
said if effect "I have read the rules and I agree to abdide by
them".  I did this because they couldn't find a copy of the rules
for me to read...

    RE: .6  by ICS::VERMA 
    
    >In MA too, SS# is the Drivers Licence Number.
    
    No, it's not.  Up until recently, you could request a non-SS# for your
    driver's license when renewing or getting a new license at the Registry
    of Motor Vehicles, but if you didn't request otherwise you got the SS#
    for your license #.  
    
    Now, the default is the arbitrary number.  Your's may have an SS# on it
    now, but when next you renew, it will be replaced with a non-SS#.
    

    
    
      But in mass,  you still have to initially supply your SSN
    so they can look you up in the National Driver's Register, 
    regardless of what you want listed as your license number...
    
    
    

    re -.2
    
    But hasn't Digital already sent Visa a tape of our names, addresses,
    and SSNs?  I understood that we didn't apply, we merely called to
    activate the card...
    
    
    5/3/93-10/31/93    Any employee who booked two or more trips through
                       Thomas Cook Travel during this time period will be
                       issued a card.
    
    11/23/93           Digital employees with an American Express or Diners
                       Club corporate card as of this date will be issued a
                       First Bank VISA corporate card in December.
    
    12/27/93           First Bank VISA corporate cards will be mailed to
                       employee's home address.
    
    12/27/93-1/14/94   Employees must call VISA at 1-800-344-5696 to
                       activate the First Bank VISA corporate card.
    
    
    It doesn't say anything about applying, this appears to be a forced
    action.

  According to -.1, it appears that Visa and its credit agency already have
the SSN of everyone who had a Digital Amex credit card, plus a few others. So
turning down a corporate Visa credit card won't help, but may keep a few more
people from getting your SSN.
  It doesn't surprise me that Mr./Ms. Chargecard has not replied to people's
mail messages on this. 
  I'm curious about whether Amex also got people's SSN's when they got Digital
credit cards. I am not convinced that it is possible to get a personal or cor-
porate credit card in the U.S. without disclosing your SSN. If it is possible,
then Digital should respect the wishes of those who don't want to disclose
their SSN, even if it's only 1% of the U.S. workforce.

    
    I was concerned about use of my SSN as well in the new (US) Group Life
    Insurance.  When I registered for my insurance I had to use my SSN in
    their automatic telephone sign-up scheme.
    
    I called the insurance carrier's (CIGNA) help number requesting
    specifically that my SSN not be used as my policy number.  Of course,
    they had no idea how to handle my request.
    
    I was annoyed that Digital had provided this Tax Payer ID number
    without my permission.
    
    Is there some tax reason that an insurance carrier would have to have 
    a SSN?
    
    -Rob

    As of now, I will not be receiving the new corporate card.  If you send
    mail to POWDML::CHARGE_CARD with your name, badge number, and DTN and
    a request to NOT use your SSN then your information will NOT be
    transferred to VISA this Friday.
    
    I asked if there were any repercussions from this, since the new policy
    is *definite* use of the corporate card.  I was told "no, you're not
    alone in the boat.  Continue as before".  (I had been using my own card
    and being reimbursed).
    
    Although not published, Digital internally has proven themselves
    responsive to the situation.

Re: .21
    
>I am not convinced that it is possible to get a personal or cor-
>porate credit card in the U.S. without disclosing your SSN....
    
    It is. I have two. It took some additional conversation and pointing
    out that they initially offered credit to me, but I got them.
    
Re: .23
    
>    Although not published, Digital internally has proven themselves
>    responsive to the situation.
    
    Did you have to call? I have not received any such response yet.

    
    
    

    
    re -.1
    
    Yah, I called but they had already added my badge number to the "don't
    process" list based on my mail.  I'm hesitant to publish the
    name/number I called, as mail tends to work and I'm not sure but that I
    was given it discretely.
    
    The lady in charge was very nice and very responsive.  Don't wait,
    though, as the tape goes out Friday.

    How long did it take to get a response? I sent mail Friday morning 
    with some questions, and haven't received a reply/acknowledgment yet.
    
    Dave

    
    I don't think you'll get a response.  Apparently, the person in charge
    is somewhat inundated, so it would be best to just send mail to
    POWDML::CHARGE_CARD as follows:
    
    "I, John Doe, badge number 555555, do not give Digital permission to 
    release my SSN to an outside source for procurement of a charge card in
    my name.  If Digital wishes to make arrangements to use another unique
    identifying number, this is acceptable, otherwise ensure my data is not
    transferred from IS."
    
    I did about this and my badge number was already on the "no-transfer"
    list when I called.  Don't wait, though.  The tape goes out Friday
    which probably means Thursday is the deadline for refusal.

    As I said, my message didn't relate to SSN...
    
    The questions I raised relate to the credit bureau reporting aspects.
    
    I can understand/appreciate the benefits Digital would derive through
    consistant use of the card, however I can't accept that the application 
    for it nor any delinquencies being recorded against my credit record.
    
    Whether they use my SSN or not, the card showing on my credit record is 
    the problem I have with the current (and past) program. 

>    As I said, my message didn't relate to SSN...
    
    No, you didn't say it didn't relate to SSNs, you said you "sent mail
    with some questions" and didn't get a reply.  The theme of this note
    is "Digital and SSNs" thus *my* reply assuming that was your topic
    also.

Incidentally, the address given in the memo is POWDML::CHARGECARD - no 
underscore.  I don't know if it works with an underscore as well.

I consider my SSN to be classified "DIGITAL PERSONAL" and inappropriate for
distribution outside Digital without my prior explicit permission.  

			Steve

I'm wondering about people not reading this conference, who'll be upset if 
and when they hear about this "after the fact"...?

Would that be sufficient grounds for legal action against the company?

...petri

RE: all

The reason they need the SSN is that the IRS requires a SSN or Tax ID number
on all accounts. be it Savings,loans, or any other lines of credit.

    Re .32:
    
    That's not true either.  Accounts can be opened without taxpayer
    identification numbers, but they are subject to backup withholding.
    
    
    				-- edp
    
    
Public key fingerprint:  8e ad 63 61 ba 0c 26 86  32 0a 7d 28 db e7 6f 75
To get PGP, FTP /pub/unix/security/crypt/pgp23A.zip from ftp.funet.fi.
For FTP access, mail "help" message to DECWRL::FTPmail or open Upsar::Gateways.

    Interesting to hear some of the reasons why an SSN should be protected
    (that you, Brent??). They had not occurred to me. It's also interesting
    to note a recent experience. We bought a house and moved in last month,
    and I have been getting address changes out piecemeal. Last week we got
    a form from People magazine (hey, I'm a parent of a 3-year-old, what 
    else do I get a chance to read?!?) requesting confirmation of our
    address change. We did NOT send them a change notification. Guess we're
    on the list of new homeowners. At least they're smart enough to check
    our new information against their list of current subscribers and do
    something useful with it, rather than send us junk mail asking us to
    subscribe (unlike Sprint; they called us on the phone, and I informed
    the person we already used them).
                                    

    Yep, that's me, Steve!  Send me mail off-line, I want to hear from
    you!
    
    The US Postal Service is probably to blame, Steve.  They sell the
    largest and most sought-after mailing list, also one of the most
    expensive.  The information is garnered from those little change of
    address forms you fill out (privacy rule #1...the postal service is NOT
    your buddy) and handed over to anyone with a checkbook.
    
    Therefore, if you're trying to hide from that woman that looked like
    Julia Roberts but acted like Glenn Close, DO NOT fill out one of those
    things.  Notify your creditors and friends, then just move and let the
    junk mailers sort it out.

    To prevent your change of address from being given out, check the
    "temporary" box instead of "permanent" and make it for 11 months and a
    fraction.  The "permanent" forwarding only lasts a year anyway, and the
    Post Office doesn't put the temporary ones on the mailing list it
    sells.
    
    
    				-- edp
    
    
Public key fingerprint:  8e ad 63 61 ba 0c 26 86  32 0a 7d 28 db e7 6f 75
To get PGP, FTP /pub/unix/security/crypt/pgp23A.zip from ftp.funet.fi.
For FTP access, mail "help" message to DECWRL::FTPmail or open Upsar::Gateways.

>    Does anybody know if Digital discloses Social Security numbers? It
>    seems that I've been nominated for some charge card I don't want and
>    worse it appears that I have to disclose my social security number to
>    use it.

    Digital has also recently given out all U.S. employees Social Security
    numbers to CIGNA for the insurance plan.  This is true even if you
    didn't take any optional coverage.

    ---Phil

    Re .-1
    
    How do I find out if this is the case. Who do I make a big stink too
    on this? I'm outraged if my SS number has been disclosed.
    
    Dave

           This note is From  Don Beauchesne @AKO
    
    I sent a note to the Travel office as well as to Personnel.  This morning
    I received a response from Personnel indicating that they would delete
    my name from the list and not receive a card.  Great solution!
    
    I have sent a response to Personnel stating that there is a simple
    solution, use a badge number or some other number for  verification.  
    Unfortunately, the program is being structured so that you will be 
    allowed to use the card for personal needs, in addition to company
    business, that's why the bank needs to SS#..
    
    Finally, I told personal that I thought giving out this information 
    without my approval was a violation of policy.  They said it wasn't, 
    that "agents" are allowed to have access.  I checked the policy and
    they are wrong, see Sec. 6.18 in the Orange book.  
    
    So much for following policy.
    
    Don 
    
    

    
>    Finally, I told personal that I thought giving out this information 
>    without my approval was a violation of policy.  They said it wasn't, 
>    that "agents" are allowed to have access.  I checked the policy and
>    they are wrong, see Sec. 6.18 in the Orange book.  


Remember, the orange book is a guideline and the local office had the discretion
to interpret the guide line.  If they interpret the orange book to mean that
"agents" are allowed access, they are within their interpretation of the
guidelines.

Al
    
    

The bank doesn't need the SSN - but having it makes it easier for them to
get a credit report on you. 

For the charge card issue, the real problem is that what it really is is
a personal charge card, obtained based on YOUR credit history that you are
personally on the hook for, but which is to be used solely for Digital's
business purposes.  (Contrary to .39, the card is not supposed to be used
for personal purchases.)  Digital should not be making applications for
charge cards on the employees' behalf, especially when Digital is not willing
to assume any of the responsibility for use of the card.

Regarding insurance companies - they don't need your own SSN.  Some do ask
for the SSN of any beneficiaries, but I note that CIGNA didn't.  Digital should
not give out employee SSNs to insurance companies, banks or anyone else.

				Steve

    Since my credit rating is currently in the crapper (got a handicapped
    kid, for whom the 'damn DEC insurance only pays 'reasonable and
    customary',(BTW reasonable and customary is determined by a junior
    college pre-med student, practicing in east borneo), I'll be
    pleasantly surprised if a card shows up!
    
    Tired of getting stepped on.... Ds.

I would think that with all the intrusions of one's privacy made possible by
today's technology, that not having someone's Social Security number would be a
small hurdle inn obtaining information about them.  I assume those who insist on
their SSN not being disclosed are also against any sort of universal ID?  I feel
you might be fighting a losing battle.

Paul, who's sure his SSN is everywhere and now I can't get it back...

    
    
    		There was some loose interpretation of the "Mark of the
    	Beast" having to do with SSN's and the "Beast" that held them 
    	all in the 3 or 4 story computer building in England; I believe,
    	in a documentry on Nostridamus(sp?) and his wild dreams. Not to start
    	a rathole on the subject of one mans vision,just found it curious.
    
    		I just feel that privacy is comprimised for far too many
    	of the wrong reasons, far too often. The need for a PIN to do a
    	reference on a person is valid , as long as you have valid numbers.
    	Change the number , and you can effectively change the identity.
    	So what is really gained by haveing a different number on your
    	drivers liscence, that is different than the numbers on your
    	library card , that is different from the numbers on your employee
    	badge, that is different than the numbers on your credit card.....
    	and on and on . Give me good video imageing, one number per image,
    	and the info highway to make it available, pick any unique number
    	you'd like. 
    
    				Pablo
    
    	

    In the new booklet ... "Making the Right Choice, Digital's Code of
    Business Ethics" on page 10 under Employees para 3  "
    
    " ... Communicating facts, not rumors, and respecting the privacy of 
    others and the confidentiality of personal information are vital. ..."
    
    Then from page 26 ...
    
    "However, do not hesitate to contact the Ethics Office, if that seems
    the best way to address an ethics concern>"
    
    	Phone: 223-4636
        E-Mail: MEMIT::ETHICSOFFICE
                Ethics Office @MLO
    
    This looks like a good candidate.
    
    
    Stuart

    
    Well I just got my notification that I won't be receiving a corporate
    card. Good. Looks like from the distribution list that a lot of other
    people refused them too.
    
    Dave
    
From:	POWDML::POWDML::MRGATE::"A1::CHARGECARD"  5-JAN-1994 11:54:49.37
To:	@Distribution_List
CC:	
Subj:	First Bank VISA Corporate Card                                         1

From:	NAME: CHARGECARD @MSO               
	FUNC:                                 
	TEL:                                  <CHARGECARD AT A1 at POWDML at PKO>
To:     See Below

    
     In January, the First Bank VISA Corporate Card replaced the current 
     Diners Club and American Express Corporate Cards.  Our records 
     indicate that you requested not to receive a corporate charge card.    
     
     If you should need a corporate charge card in the future, please 
     access VTX TRAVEL and complete an application for a First Bank VISA 
     Corporate Charge Card.
     
     If you have any questions, please contact Corporate Travel at 
     CHARGECARD @MSO or POWDML::CHARGECARD.




To Distribution List:

CATHY PAPPAS @CLO,
DON BEAUCHESNE @BPO,
NANCY FREDRICKSON @MRO,
CLAUDIA BLASS @MSO,
MARTIN@A1VAX@VMSMAIL,
NEUMAN@MSBCS@VMSMAIL,
BUTCHART@TPSYS@VMSMAIL,
JAMES TOLAND @TTB,
ROBINSON@ACESPS@VMSMAIL,
FULLER@GLDOA@VMSAMIL,
JOAN JOHNSON @MKO,
SESTOKAS@RUSURE@VMSMAIL,
KIRK@MARIN@VMSMAIL,
AMISH@LEDS@VMSMAIL,
D_BURDEN@CASS@VMSMAIL,
SUSAN SELLSTROM @ACI,
MCMULLEN@GLDOA@VMSMAIL,
LEONARD LEVY @MRO,
AXELROD@GWEN@VMSMAIL,
WRAY@TUXEDO@VMSMAIL,
MADER@WONK@VMSMAIL,
FRANK WOODALL @ALF,
LARRY BOUTERIE @COP,
HAMBURGEN@US1RMC@VMSMAIL,
CHRISTOPHER CONWAY @ABO,
EYSTER@SCAPAS@VMSMAIL,
KEITH ECKLUND @ALF,
GARROD@SMAUG@VMSMAIL,
MIRIAM BOE @AKO,
WATSON@ASDG@VMSMAIL,
TUTTLE@CRL@VMSMAIL,
YERAZUNIS@AIRG@VMSMAIL,
MATTHEWS@SUPER@VMSMAIL,
KING@ROLAID@VMSMAIL,
BARBARA DAMICO@KYO,
GEOFF RANTILLA @SHR,
FEASE@ELWOOD@VMSMAIL,
READ@ZEKE@VMSMAIL,
FELICE@NETRIX@VMSMAIL,
NOETH@DSM@VMSMAIL,
LAYNE@USDEV@VMSMAIL,
J_HAYTER@CSC32@VMSMAIL,
SWEEZEY@RAGMOP@VMSMAIL,
AKRIDGE@MFGFIN@VMSMAIL,
LLOYD POWELL @ZKO,
BEN ERNST @NVO,
LIONEL@QUARK@VMSMAIL,
PATERLINE@TPSYS@VMSMAIL,
ANDERSON@ROYALT@VMSMAIL,
VAIL@TRLIAN@VMSMAIL,
JOHN GUBERNAT @TTB,
LONG@LANDO@VMSMAIL,
RICHARD CAHILL @SCA,
TRACY ELKINS @MKO,
CVICKERS@I18N@VMSMAIL,
HARRY MANUEL @WMO,
LREID@AIMHI@VMSMAIL,
MAKI@AIMHI@VMSMAIL,
HEDBERG@HANNAH@VMSMAIL,
MICHEL LEGROS @MRO,
ANKER@ASABET@VMSMAIL,
DFAUST@GRANPA@VMSMAIL,
NIST@LANDO@VMSMAIL,
ROTH@CSOADM@VMSMAIL,
POWERS@REGENT@VMSMAIL,
DJENKINS@MR4DEC@VMSMAIL,
PARISE@MIMS@VMSMAIL,
DEROSA@DECWET@VMSMAIL,
BUTENHOF@DCEIDL@VMSMAIL,
LITT@DOTWRK@VMSMAIL,
DIXON@DUPSS1@VMSMAIL,
GARROD@SMAUG@VMSMAIL,
REICHERT@MR4DEC@VMSMAIL,
GOLDSMITH@SEOSS1@VMSMAIL,
S_RAY@CSC32@VMSMAIL,
HALLINAN@CSSE@VMSMAIL,
ROBERT BARRIOS @RCH,
FOX_D@MRKTNG@VMSMAIL,
MCLANE@XAPPL@VMSMAIL,
DIANE SPIRIO @SHR,
WITHERS@SPECXN@VMSMAIL,
LASKO@REGENT@VMSMAIL,
SWHEELER@FENRYS@VMSMAIL,
SCALES@WTFN@VMSMAIL,
MURPHY_MAIL@SEVENS@VMSMAIL,
LOWELL@RANGER@VMSMAIL,
POLOMSKI@REFINE@VMSMAIL,
PRICE@AIMHI@VMSMAIL,
GORDON@WAYLAY@VMSMAIL,
KELLY@DKAS@VMSMAIL,
ERDEN@TPSYS@VMSMAIL,
HEINSELMAN@ZEKE@VMSMAIL,
PHILLIPS@CTOAVX@VMSMAIL,
KATHY BREDA @OGO,
AINSLEY@ROWLET@VMSMAIL,
LYON@DECWET@VMSMAIL,
NANCY HATCH @MRO,
SHERK@IAMOK@VMSMAIL,
HINXMAN@R2ME2@VMSMAIL,
DONADT@SUBSYS@VMSMAIL,
RON COBB @ALF,
ZIMMERMANN@SWAMPD@VMSMAIL,
HO@PASTA@VMSMAIL

I took no action whatsoever (and have only travelled on DEC expenses about
three times in the last five years and have never had a DEC credit card since
giving up my Air Travel Card and telephone calling card when leaving the field
in 1978), but one of these cards arrived the other day.  When I asked my
manager whether I really needed it, he told me to go ahead and activate it
but not carry it, and that I might expect delays in reimbursement if I did
not use it.

Without my filling out any forms whatsoever, Digitial decided to request a
card for me and disclosed my SSAN to First Bank.

I'm sort of annoyed, but I think there is really no hope for keeping your
number private.  All any company needs to get your SSAN is your name and
address, unless you have never given it to any bank, because every bank
you've ever dealt with will have given it to the credit bureaus, and they
provide it anytime a credit check is requested.

Case in point: I recently opened a new Cellular One account; when they
asked for my SSAN, I told them they didn't need it.  A few days later, I
was requesting a feature change, and they asked for my SSAN to verify my
identity.  I said, "I didn't think you had that" and they said, no it's
right here in your records.

/john

    A case in point...
    
    I heard a story on NPR Morning Edition today about Sprint's new Voice
    Recognition service.  The password you supply for access is your SSN
    plus one digit assigned by Sprint.
    

    
    Re .35
    
    >     The US Postal Service is probably to blame, Steve.  They sell the
    > largest and most sought-after mailing list, also one of the most
    > expensive.
    
    And what's printed boldly on the front of those nice packages you get
    from or send to the IRS?  Why, it's my jealously-guarded private SSN! 
    
    %-)
    

>    And what's printed boldly on the front of those nice packages you get
>    from or send to the IRS?  Why, it's my jealously-guarded private SSN! 

Not this year.  They have a separate return label with the SSN.  You actually
have to open the cover to see it.  Of course, it's not sealed or anything...

People who would like to request that their SS numbers be removed from First 
Bank's database should contact Bill Nearing at (203) 237-9976. 

Bob

>  <<< Note 2815.50 by NOTIME::SACKS "Gerald Sacks ZKO2-3/N30 DTN:381-2085" >>>
>
>>    And what's printed boldly on the front of those nice packages you get
>>    from or send to the IRS?  Why, it's my jealously-guarded private SSN! 
>
>Not this year.  They have a separate return label with the SSN.  You actually
>have to open the cover to see it.  Of course, it's not sealed or anything...

The 1993 1040 Form and Instructions (Package 1040-8) which I received yesterday
has the mailing label with my SSN plainly visible on the outside.

-stephen

    
    Even if it was under the cover or in an in an envelope, the label is
    required for be mailing the return back to the IRS.  At which time our
    SSNs will be in plain view.  (Probably sucked into the Post Office OCR
    sorting computer and filed neatly somewhere too....)
    
    C
    
    

Re: .53

No, the label attaches to your return that is sealed in an envelope.  It's
not an address label to send back to the IRS.

However, my package too has the label on the outside, as always.

				Steve

    	Why on earth are we trying to use SSNs or visible card numbers as
    authentication checks? From the discussion here it is obvious that SSNs
    are available to almost anyone who can pose as an authentic busines,
    and maybe the same for credit card numbers too.
    
    	We have the technology with DSSA to provide genuinely secure
    solutions to these problems, and we are neglecting to sell it.
    
    	I don't have a strong personal interest, since I don't have a SSN.
    My VISA card contains a chip that is capable of handling a
    challenge-response authentication, which is currently not used
    correctly, but which is capable in principle of providing strong
    authentication, and is currently probably more secure than signatures,
    or providing card numbers over the 'phone.
    
    	Can't we tell banks and other businesses "If you are only prepared
    to pay for poor authentication, then you only get poor authentication,
    and you have to pay for it in the long run".

Bill Nearing says to call Dawn Decosta instead, at 508-493-7411.

    I sent mail to Chargecard@MSO.  I told them that I refuse to use my SSN
    as a means of identification for security reasons. 
    I would be glad to set up a different method, such as employed by 
    other systems in Digital (such as badge number + date of hire + CC).  

    What I got back was a voice mail message from the bank saying that it was
    Digital that choose to use the SSN as a means of identification and that
    is all they will use.

    This company has some very good security consultants that could have
    easily come up with a different means of solving this problem, but it
    is obvious that they never contacted anyone.

    Anyway I will be declining the card until they come up with a better
    method.

    Re: .57 
    
    Someone is lying.
    
    When I insisted that CHARGECARD@MSO tell me whether my SSN was used, I
    received an electronic message saying that "Visa" required the Social
    Security Number. 
    
    Refer to my topic 2788.64.  There is also more discussion there.

First Bank requires the SSN as a matter of convenience.  (for them)

They use the SSN as a key in their database.  They are apparently unable 
(or unwilling) to use an alternate key.  I have been in contact with several
people, but have not yet reached a resolution.

Since Digital is indicating that they will not cover expenses that are not
charged to the corporate card, its becoming a rather important issue for me,
since I do a lot of travelling, and fully support the use of a corporate 
card.

The use of the corporate card will hopefully help us close the gap between
Digital's discounted rates, and the discounted rate of our competitors.
(Try using the HP rate some day, and see how much lower it is!)

So I'm very interested in how this situation gets resolved, since I will
NOT allow the use of my SSN on the account, and I WANT to use the corporate 
card for the reasons indicated.

Will Digital let me do the right thing, and force First Bank to use an 
alternate number?   Who's the customer in this process?  How big a deal can
it possibly be to use an alternate key?   What do they do for people who
don't HAVE SSN's?

The reaction that I've gotten so far has a tinge of "Go away, don't bother me,
I'm not interested in your problem..."


Bob

	Why not re-apply for the "Corporate Chargecard" and leave the 
    social security field blank ?

    That might work if the recipient did not have access to the information.
    I suspect that if this was done, one of the mysterious souls behind
    CHARGECARD @MSO would "helpfully" fill in the information you "forgot".

    re:.60
    Or, as an alternative, why no re-apply for the Corporate Card and
    invent a number (in the correct format) for the SSN - is there any 
    legal reason why the number you provide has to be YOUR SSN?
    
    Colin

    Re .62:
    
    > ... is there any  legal reason why the number you provide has to be
    > YOUR SSN?
                                                          
    Writing a number in a space for a Social Security Account Number could
    reasonably be interpreted as making a statement that the number is your
    SSAN.  Making a false statement, knowing it is false, doing it to get
    another party to enter into an agreement (like a charge account), and
    entering into the agreement constitute fraud.
    
    A possible way to deal with this is to write in the number of your
    choice but cross out the words "Social Security".
    
    
    				-- edp
    
    
Public key fingerprint:  8e ad 63 61 ba 0c 26 86  32 0a 7d 28 db e7 6f 75
To get PGP, FTP /pub/unix/security/crypt/pgp23A.zip from ftp.funet.fi.
For FTP access, mail "help" message to DECWRL::FTPmail or open Upsar::Gateways.

re .52:
>                     -< 1040-8 Package show SSN on label >-

The package I was talking about is 1040-5.

    According to corporate policy (ref: section 6.18), there are exactly
    three instances where Digital may disclose employee information to 
    outside sources:
    
        (a) verification of employment
        (b) employee has approved (IN WRITING) the disclosure
        (c) disclosure is required by law
    
    Interestingly, the (b) case lists information for verifying credit not
    as an exception, but as an example where the information may be sent
    directly to the requester [after the employee's approval].
    
    Clearly, disclosure of ANY information other than employment status to 
    First Bank VISA without written approval is a violation of corporate 
    policy.  It may also be illegal.
    
    -andy

    I called Diners Club to notify them they had credited the $5.00 annual
    fee twice in my January statement. December was my normal renewal
    month.  When I paid the bill I had for a December, I wrote a letter
    stating that Digital was cancelling the card so I did not pay the
    renewal fee.  Somehow they credited it twice.
    
    To resolve the problem, I called Diners Club and the second question
    they asked me was my social security number.  They said it was used to
    verify who I was (along with other info they asked me).
    
    I am not surpised they had it but I had no idea they did.  When I hired
    on (young and naive) I signed a lot of papers and assumed it was all
    for goodness.  I was so glad to have a job making more than $5.00 an
    hour that I would have probably signed anything put in front of me. It
    could be in those papers I gave Digital authority to use my SS# for
    expense accounts.  Don't know since I did not get/keep a copy, or if I
    did, I have no idea where they are.
    
    greg_t
    

  I just got a notice by electronic mail saying that all inquires about Digital
life insurance must be directed to Cigna, not Digital, and all phone inquires
for information specific to one's policy must include the 4-digit access code
(PIN) that was sent with our policy documents a month or two ago. This means,
in effect, that we will have to carry this PIN in our wallets. Why? We now
have too many access codes (DCU, Digital Investor Services, Digital life in-
surance, etc.) to remember them all, and one may need to inquire about life
insurance while away from home and office. 
  I got the impression you must use this access code even if you are calling
from a rotary phone and therefore talk to a live person instead of using the
robot.
  I am posting this in the Social Security Number note because I think there
may be a connection between people asking to not have their SSN disclosed to
Cigna and Cigna requiring an access code for these inquiries. I seem to recall
that in the old days, it was possible to use an easily remembered number (such
as a SSN or badge number) for inquiries about Digital life insurance.

    I too got the mail message.  Getting it reminded me that I had
    misplaced the PIN number originally sent to me by CIGNA.  I proceeded
    to call the 800 number that was in the mail message and after entering
    "1" to indicate that I had a touch-tone phone I was prompted to enter
    my Social Security Number...

re: .67  Too many pins

Why not set your PIN to be the same for all of your accounts?  I've
done this for all of mine...

cw

    Smart move this ...  I have the followin picture in my mind ...
    
    You pass away (for one reason or another) ...
    
    Your grieving spouse, in desparate need of the cash from the policy
    calls CIGNA ...
    
    SPOUSE>Hello ?
    
    CIGNA>How can I help you ?
    
    SPOUSE> My husband just passed away and I want to file a claim.
    
    CIGNA> Who did he work for ?
    
    SPOUSE> Digital Equipment Corp.
    
    CIGNA> Personal Identinfication Number please ...
    
    SPOUSE> I don't know it ... it was his # after all.
    
    CIGNA> I'm sorry, we can't help you without the PIN,  We
    can send a copy of the PIN to your husband ...
    
    SPOUSE> My HUSBAND JUST DIED
    
    CIGNA> Well, I'm sorry we cannot send a copy of the PIN to you.
    
    Click
    
    SPOUSE> Hello Digital ?
    
    DIGITAL> Yes, how can we help you ?
    
    SPOUSE> My husband, a Digital employee, just died and I was trying to
    claim on his CIGNA insurance ... (Interrupting)
    
    DIGITAL> Sorry, you'll have to call CIGNA, their number is ... They
    deal with all employee insurance matters  And you'll need his PIN
    by the way 
    
    Click
    
    
    Hmmm ... make sure you give your spouse or other beneficiary a copy
    of that PIN!!!!!
    
    Stuart

    Don't want to start something but everyone *is* aware that the PIN is
    an encoding of the last four digits of your ssn,right?
    
    Ken

    RE: -1
    Encoding, scrambling, whatever, how do you know?  They certainly
    aren't the same numbers reordered.  At least in my case.
    
    

If .71 is true, in all likelihood, the encoding is a plain substitution and
transposition.

Look at the number of different digits in the last four digits of
SSN.  If the PIN number contains the same number of different
digits (though not necessary the same digits) then a substitution
followed by a transposition was made.

In my case,     3818  --->  6252  (substitution)
            	6151  --->  2652  (transposition - reordering)


Gim

    
    I thought it was     012-34-5678
                          1  3  5 7
    

    Neither .73 nor .74 is true in my case (I can tell by the repeats, or
    lack thereof, of a single number).
    
    -If my soc sec last 4 digits are -abcd, the cigna PIN is eefg
    
    - If .74's scheme were applied, the starting digits would be -ccac (too
      many repeats for the PIN's eefg)
    
    Leslie

Re:                 <<< Note 2815.71 by CSC32::K_BOUCHARD >>>

>    Don't want to start something but everyone *is* aware that the PIN is
>    an encoding of the last four digits of your ssn,right?
    
I think it's clear now that this is not the case.  They are probably randomly 
assigned 4 digit numbers and the probability is high that some people are going
to see digits which are also in their SSN. 

It's called coincidence...  :-)

-  David

    Hey David,
    Anyone ever tell you you're a major wet-blanket?
    
    Ken