Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 alpha 4/15/85; site spectrix.UUCP
Path: utzoo!mnetor!spectrix!clewis
From: clewis@spectrix.UUCP (Chris Lewis)
Newsgroups: can.general
Subject: Re: Borrowed records from Revenue Canada
Message-ID: <192@spectrix.UUCP>
Date: Thu, 20-Nov-86 14:39:56 EST
Article-I.D.: spectrix.192
Posted: Thu Nov 20 14:39:56 1986
Date-Received: Thu, 20-Nov-86 17:32:12 EST
References: <623@water.UUCP>
Reply-To: clewis@spectrix.UUCP (Chris Lewis)
Distribution: can
Organization: Spectrix Microsystems Inc., Toronto, Ontario, Canada
Lines: 140

In article <623@water.UUCP> jmlang@water.UUCP writes:
>In a way, it is a bit reassuring that the
>records were on micro-fiches, there is quite a lot more
>damage that could be done with the same records in electronic
>format.

Actually, it is difficult to see what difference it would make.
As it stands (from what I've heard on the radio), these are the
possible exposures that the newspapers have thought of:

1) mailing lists - *BIG* ones. A nuisance certainly, but not a
   big deal.

2) Improper acquisition of passports - well, you're still supposed
   to have "professional" references, so it shouldn't be too bad.
   Actually, the main thing you *have* to have is a birth
   certificate. A SIN without birth certificate won't get you
   anywhere.

3) Credit checks - theoretically, the credit agencies are only
   supposed to divulge this information when the request is
   accompanied by the signature of the person being checked.
   Eg: you sign a form while getting a mortgage to allow the bank
   to look at your credit rating. Therefore, I believe that a
   credit agency releasing information on the basis of a phone
   call regardless of whether the caller had SIN is improper
   anyways. Besides, most credit records wouldn't have SIN (though
   they will if it is in their sources).

4) Various futzing around with banks (eg: creating accounts).
   This is possible regardless of whether you have a SIN or not.
   You don't need a SIN to open an account! Banks go by
   signatures, names and bank account numbers primarily. SINs are
   there for issuing T5's (I think that you don't have to supply a
   SIN for this purpose - you can get the filled out form from the
   bank and send it yourself), RRSP, CSBs etc - and half the time
   the accounts are not tied together anyways (RRSP still hasn't
   noticed we've moved, but the mortgage sure as hell has). Any
   bank that allows somebody to withdraw money from an account
   purely because of having a name and SIN number is in big
   trouble.

5) Computer matching: first of all you have to break into a
   computer that has SINs. That ain't all that easy. But still,
   what is there? Well:
      a) banks
      b) Stats Can (for tracking individual progress, but only
         for long form, and probably divested of all other ID
         stuff anyways. Stats Can is not a very worth-while thing
         to break into)
      c) employers.
      d) Credit agencies (sometimes)
   From (a), (b) and (d) all you can find out of any particular
   interest is how much you make - sort of like being in the Civil
   Service. (c) isn't likely to be particularly interesting. Most
   companies don't have their employee data computerized anyways.
   [This may be an incomplete list - anybody have other examples
   of big databases with SINs in them?]

6) There are very few things that you *have* to supply a SIN
   number for. Almost entirely Taxation stuff. If you want to
   protect yourself - simply don't give it out except where
   required by law. Most companies won't insist on it.
   Unfortunately, though, we don't have the protection that the
   Americans have - US law states that no person can be denied a
   service (at least government - eg: welfare etc) for refusing to
   divulge a SSN. And, in fact, most of the big databases in the
   US key on names and addresses and other "non-unique
   identifiers" because they cannot (by law) rely on everybody
   giving them the SSN.

From the point of view of computer matching, the SIN number is nice
to have, but hardly necessary. A person's name and address is the
only matching data that most organizations have in common with any
other organization. For example, the Ontario Cancer Treatment and
Research Foundation doesn't bother with SINs or OHIP numbers - they
match on age, name and address. OHIP keys on OHIP #, last name and
initials and sometimes age. Until I moved out, we couldn't
distinguish between OHIP stuff addressed to me or my father... OHIP
numbers are REALLY crummy IDs. (The funniest thing I ever saw was a
retail store taking OHIP numbers as ID for taking a cheque. Fat lot
of good it would do them if it bounced)

I used to work in the Krever Commission (Royal Commission of Enquiry
into the Confidentiality of Health Records) as a computer consultant.
One of the things that seemed pretty obvious from a review of
literature and the investigation of various health databases (eg:
OHIP, WCB, Corrections, VD registry and a few non-health ones for
comparison purposes) is that, frankly, a single identifier wouldn't
make all that much difference. Because you don't need anything more
than a name and address to do a match. And, names and addresses are
a hell of a lot easier to get than your SIN. Heck, just simply
knowing *who* to target for a match gives you enough to do the match.

Think about it - how many of your friends, associates, people you do
business with have your SIN number? Probably pretty darn few (except
of course, for bank employees etc). But all of them know your name,
and most of them your address - if not, chances are that it can be
pulled out of the phone book anyhow.

And, there's a Real-Estate book that contains just as much about you
(sorted by street address) as the Revenue Canada data does -
including unlisted phone numbers! And you can buy one (actually,
rent, but who cares) for about $200. That, frankly, is a far worse
exposure than the Revenue Canada one. And, nobody's noticed it!
(I just wonder where the hell they get all the data from...)

The really sensitive databases (eg: OHIP, VD registry etc.) don't
have SIN numbers in them. In fact, when we were investigating
improper access to OHIP data, the vast majority of the probes didn't
even have OHIP numbers! It was quite simple - several members of the
Subrogation Dept. thought that it was their duty to provide some data
to insurance investigators which didn't have the OHIP numbers of
their "targets" - so the OHIP staff simply looked it up in the OHIP
fiche sets that were keyed by name. In spite of the fact that the
OHIP "enabling" legislation strictly forbids ANYONE from looking at
OHIP data (other than the MRC).

Actually, (as awful as it is to say for a computer scientist) the
main defence we have against large-scale matching is that the raw
databases in these systems are such an awful kludged up mess and are
so big that it simply ain't worth the trouble in most cases. It's
taken OCTRF years to be able to do the limited matching they do.

The most damaging and likely problems are almost always due to
disgruntled employees of some of these organizations (and have I got
a lot of horror stories about that) divulging info. All the computer
security in the world doesn't make that big a difference here. Nor
does restricting use of unique IDs. Physical security, bonding and
employee background investigations (more privacy invasion if you
prefer) do make a difference.

If people are sufficiently interested in following this stuff much
further, I could give a "pocket" summary of what we found. You'd be
surprised.

Chances are almost 100 percent that this is simply another
disgruntled employee trying to embarrass his employer, and in
actuality isn't all that particularly dangerous. On the other hand,
"live" VD registry data, or in some cases OHIP *IS* dangerous.
People die (and I'm not speaking figuratively!) when mistakes are
made in releasing "just" OHIP data. Revenue Canada data is merely a
nuisance.

--
Chris Lewis
Spectrix Microsystems Inc,
UUCP: {utzoo|utcs|yetti|genat|seismo}!mnetor!spectrix!clewis
ARPA: mnetor!spectrix!clewis@seismo.css.gov
Phone: (416)-474-1955