(Webmaster's note: This message has been left intact. Spelling, etc, has not been changed.)
From: Terrence Bressi
To keep from sending unwanted email on this topic to recipients who
aren't interested, I have generated a mailing list of those that I think
would like to stay on top of this issue. If you wish to be removed, let me know
and I will do so immediately.
First I'd like to thank everyone who acted on this issue so quickly
after it first came out in the open. Because of the large number of
complaints that were raised, the University is pulling back the released
databases. According to official reports, MCI will have removed the data by
Monday the 23rd and the University is still discussing the matter with Saguaro
Credit Union. I would encourage everyone to verify that the info has been
removed both with the vendors and the University. The official release can be
read at:
In addition there were front page articles in both the Daily Star and the
Tucson Citizen on Friday the 20th and there may be an article in the
Wildcat on Monday.
Even though the University has taken steps to address this topic, I think
there are still unresolved issues that need to be addressed. The first
thing I would like to do is move further discussion to a public medium. My
first thought was the Wildcat chat page because email on the topic has
already been posted there with a few replies, including Ron Smith's email
(Controller, Financial Services Office) in response to all the complaints. In
addition, the student population will have ready access to the
discussion. The web address is:
and I would encourage everyone to either repost mail sent to me or others
on this subject or just recomment as you see fit. The first post appears half
way down the page and starts with "The New Catcard and Privacy Concerns
(long)". Since I don't normally hang out at chat pages, I don't know if this
is the best place to do this so if there are other sites or better forums
out there please pass it on and feel free to post wherever.
On a more personal note, I would like to move the discussion to a public area
because as you can imagine, I have put a fair amount of time into this
already and can't afford to keep up the time committment that this would
entail for one individual. There are entities on campus such as the Staff
Advisory Council, the Faculty Senate, and the Student Government that
exist to deal with problems like this and I would encourage their
participation not to mention it would be much more appropriate for their
direct involvement.
A number of people have asked me if it is true that the Catcard office is
digitizing both signatures and photos and saving them to a data base.
This is indeed the case. You can read it for yourself at:
The reason given is that it will make it easier to replace lost or stolen
cards. Unfortunately this action doesn't consider privacy concerns and until
this practice is stopped I have no intention of getting the new card. Just
think; SSN, signature, photo, name, address, phone number, salary, etc all
stored together in one convenient data base. If the University is considered
an 'agency' under the Privacy Act of 1974 then there is an additional
stipulation that they cannot collect and store within a system of records
any personal information that is not necessary to meet requirements imposed on
them by law. Signatures and photos don't meet this criteria and are another
example of the Universities disregard for the privacy concerns of the
community.
Another example that was brought to my attention via email is the release of
SSN's by the Benefits office to entities like HMO's that turn around and use
the number as an account number without any consent or permission. The list
goes on and things like this need to be addressed by the UofA.
Moving on to yet another issue, the Catcard folks in pursuing their
"vision" of a universal ID card for the University community that ties
together a multitude of services, they forgot to actually identify who the
person carrying the card is; i.e. staff, student, or faculty. Perhaps the
University should be less concerned with identifing us to commercial vendors
and outside entities that pay for the service and more concerned with
identifying us to the people who need to know in what capacity we are at the
University in the first place. Thanks again to all those who brought this
to my attention. A little bit of "vision" can sometimes be a dangerous thing!
The Attorney's Office has indicated that the agreement associated with
the Catcard was being rewritten, would include a privacy act clause, and
would no longer include verbage associated with MCI or Saguaro. In
addition, fake SSN's can be generated for encoding on the magnetic strip so
that real SSN's would not be associated with the card in any way but you must
specifically ask for this to be done. In any event, I wont be getting a card
until the digitized signature & photo issue is resolved.
The Staff Advisory Home page is located at:
and the Faculty Senate home page is located at:
and there's an article in Lo Que Pasa about this topic at:
Finally, to change the direction of the discussion slightly, what does
everyone think of this "smart chip" anyway? It doesn't seem to have any
immediate bad effects on the cardholder but I can think of some pretty
easy ways to turn it into a "counterfeit machine". Since the chip can be
programmed with dollar amounts up to $100.00 by readers/writers setup around
campus it only stands to reason that some individual or combination of
individuals could figure out how to reprogram ther chip itself and give
themselves "free" $100.00 bills. The readers/writers are available
commercially and the fact that anyone can walk up to one and deposit
money implies the machines are not really networked and that there is no
"account" to check to see if the programmed amount in the chip was the
result of a legal transaction or the result of a hack. I like the idea of
free $100.00 bills as much as the next person but anyone who has any
background in macro economics knows this isn't a good idea in the long
run. I don't know for sure how easy it would be to do this but perhaps it
deserves further consideration. It just goes to show that just because
you can do something doesn't mean you should do something and perhaps
it's time to move the "smart" from chips (which really aren't that smart
to begin with) to the people who decide what technology is going to be used
and in what capacity.
Thanks for your time.
Terry