[EMAIL PROTECTED] wrote:
"Ben Laurie wrote"

[EMAIL PROTECTED] wrote:

Example:
  Cash_Ur_check is in the business of cashing checks.  To cash a check,
they ask you for "sensitive information" like SIN, bank account number,
driver's licence number, etc.   They use the information to query
Equifax or the like to see if the person has a good credit rating; if
the rating is o.k., they cash the check.  They keep all the information
in the database, because if the client comes back 2 months later, they
will send the same query to Equifax to see if the credit rating hasn't
changed.
These pieces of sensitive information are "indexes" to external databases (but
Cash_Ur_check doesn't directly connect to these other databases).
Cash_Ur_check doesn't need to use these data as indexes.  Cash_Ur_check
can use first/middle/last name of person as an index, or attribute some
random number to the person, or something else, they should not use the
SIN to identify a person.  They should not do searches on SIN to find a
person given his SIN.

Sure, but Equifax should.


No, they shouldn't!  If you think they should, you are misinformed.  At
least in Canada, the Privacy Act protects the SIN, Equifax cannot demand
it.

I am just reading what you've written: "To cash a check, they ask you for 'sensitive information' like SIN, bank account number, driver's licence number, etc. They use the information to query Equifax or the like"

--
>>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
