> [EMAIL PROTECTED] wrote: >> "Ben Laurie wrote" >> >>>[EMAIL PROTECTED] wrote: >>> >>>>Example: >>>> Cash_Ur_check is in the business of cashing checks. To cash a >>>> check, >>>>they ask you for "sensitive information" like SIN, bank account number, >>>>drivers licence number, etc. They use the information to query >>>>Equifax or the like to see if the person has a good credit rating, if >>>>the rating is o.k. they cash the check. They keep all the information >>>>in the database, because if the client comes back 2 months later, they >>>>will send the same query to Equifax to see if the credit rating hasn't >>>>changed. >>>>These sensitive information are "indexes" to external databases (but >>>>Cash_Ur_check doesn't directly connect to these other databases). >>>>Cash_Ur_check doesn't need to use these data as indexes. Cash_Ur_check >>>>can use first/middle/last name of person as an index, or attribute some >>>>random number to the person, or something else, they should not use the >>>>SIN to identify a person. They should not do searches on SIN to find a >>>>person given his SIN. >>> >>>Sure, but Equifax should. >> >> >> No, they shouldn't! If you think they should, you are missinformed. At >> least in Canada, the Privacy Act protects the SIN, Equifax cannot demand >> it. > > I am just reading what you've written: "To cash a check, they ask you > for "sensitive information" like SIN, bank account number, drivers > licence number, etc. They use the information to query Equifax or the > like"
They'll ask for it, but you don't have to give it. They can collect it, but they don't have to do searches on it. It's the typical ask for SIN if the user gives it use it (as in Adam Shostack's example with cell phone), but if they don't then ask for 2 other identity cards. In most cases, I don't have to give my SIN, but almost everybody asks for it. Equifax will always ask for the SIN but they don't have the right to demand it. http://www.piac.ca/newpage91.htm "Equifax suggests that to prevent these inaccuracies, consumers should always give their full name and SIN number on application forms (this facilitates updating of files and prevents confusion of two files). However, this solution to the problem does not take into account that consumers have a valid interest in protecting their privacy with respect to their SIN." The problem is with forms that make it look like you have to give your SIN, when in fact the law says you don't have to. Providing other identification can be troublesome, so allot of people just end up giving their SIN. --Anton --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
