Microsoft Fights Foreign Cyber Criminals And Spies

The Daily Beast explained how Microsoft fights cyber criminals and spies, some of whom with alleged ties to the Kremlin:

"Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents.

Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft a omniscient view of that servers’ network of automated spies."

Kudos to Microsoft and its attorneys.


U.S. Treasury Department Fined ExxonMobil $2 Million For Sanction Violations

ExxonMobil logo On Thursday, the U.S. Department of the Treasury fined ExxonMobil Corporation $2 million for violations of sanctions while current Secretary of State Rex Tillerson was the company's Chief Executive Officer. The Office of Foreign Assets Control (OFAC) within the Treasury Department issued the fine. According to the announcement:

"Between on or about May 14, 2014 and on or about May 23, 2014, ExxonMobil violated § 589.201 of the Ukraine-Related Sanctions Regulations when the presidents of its U.S. subsidiaries dealt in services of an individual whose property and interests in property were blocked, namely, by signing eight legal documents related to oil and gas projects in Russia with Igor Sechin, the President of Rosneft OAO, and an individual identified on OFAC’s List of Specially Designated Nationals and Blocked Persons.

OFAC determined that ExxonMobil did not voluntarily self-disclose the violations to OFAC, and that the violations constitute an egregious case."

During March of 2014, Russia officially annexed Crimea, a peninsula in the Black Sea, from Ukraine. Moscow retaliated by banning nine U.S. officials and lawmakers from entering Russia. Then, President Obama ordered more sanctions against two-dozen members of Putin's inner circle and against Bank Rossiya, the Russian bank supporting them.

During August of 2014, Russian troops invaded eastern areas of Ukraine along the country's southeast coast. Reportedly, Russian troops fought with pro-Russia rebels against Ukrainian military.

 The Treasury Department released an "Enforcement Information for July 20, 2017" document which stated in part:

"... ExxonMobil did not voluntarily self-disclose the violations to OFAC and that the violations constitute an egregious case. Both the base civil monetary penalty and the statutory maximum civil monetary penalty amounts for the violations were $2,000,000. OFAC thoroughly considered the arguments ExxonMobil set forth in its submissions to OFAC, and the penalty amount reflects OFAC's consideration of the following facts and circumstances... OFAC considered the following to be aggravating factors: (1) ExxonMobil demonstrated reckless disregard for U.S. sanctions requirements when it failed to consider warning signs associated with dealing in the blocked services of an SDN; (2) ExxonMobil's senior-most executives knew of Sechin's status as an SDN when they dealt in the blocked services of Sechin; (3) ExxonMobil caused significant harm to the Ukraine-related sanctions program objectives by engaging the services of an SDN designated on the basis that he is an official of the Government of the Russian Federation contributing to the crisis in Ukraine; and (4) ExxonMobil is a sophisticated and experienced oil and gas company that has global operations and routinely deals in goods, services, and technology subject to U.S economic sanctions and U.S. export controls. OFAC considered the following to be a mitigating factor: ExxonMobil has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the first transaction giving rise to the violation..."

It seems that OFAC would have fined ExxonMobil more if it could have. During 2016, ExxonMobil generated sales revenues of $197.52 billion and net income of $7.84 billion. So, the company can easily afford this fine.

ExxonMobil issued a press release on July 20 which denied the violations and claimed that it had received clear guidance from the Treasury Department that the transactions were legal, "so long as the activity related to Rosneft’s business and not Sechin’s personal business." The press release also cited several news sources. You'd think that the company's executive would simply have gone straight to the source, the OFAC, and bypassed intermediaries.

The OFAC Enforcement Information document debunked the energy company's claim:

"ExxonMobil claims that it interpreted press statements as establishing a distinction between Sechin's "professional" and "personal" capacity, in part citing to a news article published in April 2014 that quoted a Department of the Treasury representative as saying that a U.S. person would not be prohibited from participating in a meeting of Rosneft' s board of directors. However, that brief statement did not address the conduct in this case.

Furthermore, the plain language of the Ukraine-Related Sanctions Regulations (which were issued after the Executive branch statements) and E.O. 13661 do not contain a "personal" versus "professional" distinction, and OFAC has neither interpreted its Regulations in that manner nor endorsed such a distinction. The press release statements provided context for the policy rationale surrounding the targeted approach during the early days of the Ukraine crisis, which was to isolate designated individuals who were targeted as a result of the crisis in Ukraine, rather than imposing blocking sanctions on the large companies that they managed. No materials issued by the White House or the Department of the Treasury asserted an exception or carve-out for the professional conduct of designated or blocked persons, nor did any materials suggest that U.S. persons could continue to conduct or engage in business with such individuals.

Separately, there was a Frequently Asked Question (FAQ) publicly available on the OFAC website at the time of the violations that specifically spoke to the conduct at issue in this case..."

The Enforcement Information document is available at the Treasury Department's website and here (Adobe PDF).

While at the Treasury Department's website, I noticed that the Treasury Notes blog stopped publishing on January 19, 2017 -- about the same time as the Presidential Inauguration. What's up with that? Does the Treasury Department, under the Trump Administration, believe that it is okay not to inform citizens, taxpayers, and voters?


Survey: Online Harassment In 2017

What is online life like for many United States residents? A recent survey by the Pew Research Center provides a good view. 41 percent of adults surveyed have personally experienced online harassment. Even more, 66 percent, witnessed online harassment directed at others.

Types of behaviors. Online Harassment 2017 survey. Pew Research. Click to view larger version The types of online harassment behaviors vary from the less severe (e.g., offensive name calling, efforts to embarrass someone) to the more severe (e.g., physical threats, harassment over a sustained period, sexual harassment, stalking.) 18 percent of survey participants -- nearly one out of every fiver persons -- reported that they had experienced severe behaviors.

Americans reported that social networking sites are the most common locations for online harassment experiences. Of the 41 percent of survey participants who personally experienced online harassment, most of those (82 percent) cited a single site and 58 percent cited "social media."

The reasons vary. 14 percent of survey respondents reported they had been harassed online specifically because of their politics; 9 percent reported that they were targeted due to their physical appearance; e percent said they were targeted due to their race or ethnicity; and 8 percent said they were targeted due to their gender. 5 percent said they were targeted due their religion, and 3 percent said they were targeted due to their sexual orientation.

Some groups experience online harassment more than others. Pew found that younger adults, under age 30, are more likely to experience severe forms of online harassment. Similarly, younger adults are also more likely to witness online harassment targeting others. Pew also found:

"... one-in-four blacks say they have been targeted with harassment online because of their race or ethnicity, as have one-in-ten Hispanics. The share among whites is lower (3%). Similarly, women are about twice as likely as men to say they have been targeted as a result of their gender (11% vs. 5%). Men, however, are around twice as likely as women to say they have experienced harassment online as a result of their political views (19% vs. 10%). Similar shares of Democrats and Republicans say they have been harassed online..."

The impacts upon victims vary, too:

"... ranging from mental or emotional stress to reputational damage or even fear for one’s personal safety. At the same time, harassment does not have to be experienced directly to leave an impact. Around one-quarter of Americans (27%) say they have decided not to post something online after witnessing the harassment of others, while more than one-in-ten (13%) say they have stopped using an online service after witnessing other users engage in harassing behaviors..."

Different attitudes by gender. Online Harassment 2017 survey. Pew Research. Click to view larger version And, attitudes vary by gender. See the table on the right. More women than men consider online harassment a "major problem," and men prioritize free speech over online safety while women prioritize safety first. And, 83 percent of young women (e.g., ages 18 - 29) viewed online harassment as a major problem. Perhaps most importantly, persons who have "faced severe forms of online harassment differ in experiences, reactions, and attitudes."

Pew Research also found that persons who experience severe forms of online harassment, "are more likely to be targeted for personal characteristics and to face offline consequences." So, what happens online doesn't necessarily stay online.

The perpetrators vary, too. Of the 41 percent of survey participants who personally experienced online harassment, 34 percent said the perpetrator was a stranger, and 31 percent said they didn't know the perpetrator's real identity. Also, 26 percent said the perpetrator was an acquaintance, followed by friend (18 percent), family member, (11 percent), former romantic partner (7 percent), and coworker (5 percent).

Pew Research found that the number of Americans who experienced online harassment has increased slightly from 35 percent during a 2014 survey. Pew Research Center surveyed 4,248 U.S. adults during January 9 - 23, 2017. 

Next Steps
62 percent of survey participants view online harassment as a major problem. 5 percent do not consider it a problem at all. People who have experienced severe forms of online harassment said that they have already taken action. Those actions include a mix: a) set up or adjust privacy settings for their profiles in online services, b) reported offensive content to the online service, c) responded directly to the harasser, d) offered support to others targeted, e) changed information in their online profiles, and f) stopped using specific online services.

Views vary about which entities bear responsibility for solutions. 79 percent of survey respondents said that online services have a duty to intervene when harassment occurs on their service. 35 percent believe that better policies and tools from online services are the best way to address online harassment.

Meanwhile, 60 said that bystanders who witness online harassment "should play a major role in addressing this issue," and 15 percent view peer pressure as an effective solution. 49 said law enforcement should play a major role in addressing online harassment, while 31 said stronger laws are needed. Perhaps most troubling:

"... a sizable proportion of Americans (43%) say that law enforcement currently does not take online harassment incidents seriously enough."

Among persons who have experienced severe forms of online harassment, 55 percent said that law enforcement does not take the incidents seriously enough. Compare that statistic with this: nearly three-quarters (73 percent) of young men (ages 18 - 29) feel that offensive online content is taken too seriously.

And Americans are highly divided about how to balance safety concerns versus free:

"When asked how they would prioritize these competing interests, 45% of Americans say it is more important to let people speak their minds freely online; a slightly larger share (53%) feels that it is more important for people to feel welcome and safe online.

Americans are also relatively divided on just how seriously offensive content online should be treated. Some 43% of Americans say that offensive speech online is too often excused as not being a big deal, but a larger share (56%) feel that many people take offensive content online too seriously."

With such divergent views, one wonders if the problem of online harassment can be easily solved. What are your opinions about online harassment?


CBP Responds To Senator's Query About Border Searches Of Returning Travelers' Devices

This has implications for all U.S. citizens returning to the country from international travel; business or vacation. An important exchange occurred recently between government officials about Fourth Amendment rights and protections, or the lack thereof, for citizens.

Earlier this year, U.S. Senator Ron Wyden (D-Oregon) sent a letter (Adobe PDF) asking the Department of Homeland Security (DHS), the parent agency of U.S. Customs & Border Protection (CBP), about CBP's detaining of citizens returning from international travel, and warrantless demands to access citizens' locked mobile devices. The Senator's letter read in part:

U.S. Department of Homeland Security logo "Dear Secretary Kelly,
I am alarmed by recent media reports of Americans being detained by CBP and pressured to give CBP agents access to their smartphone PIN numbers or otherwise provide access to locked devices. These reports are particularly troubling, particularly in light of your recent comments suggesting that CBP might begin demanding social media passwords from visitors to the United States. With those passwords, CBP may then be able to log into accounts and access data that they would only be able to get from Internet companies with a warrant. Circumventing the normal protections for such private information is simply unacceptable.

There are well-established rules governing how law enforcement agencies may obtain data from social media companies and email providers... In addition to violating the privacy and civil liberties of travelers, these digital dragnet border search practices weaken our national and economic security. Indiscriminate digital searches distract CBP from its core mission and needlessly divert agency resources away from those who truly threaten our nation. Likewise, if businesses fear their data can be seized when employees cross the border, they may reduce non-essential employee international travel, or deploy technical countermeasures..."

Senator Wyden's concerns focus upon the rights of companies and individuals to protect intellectual property, without which many businesses -- large, small, startups, and journalists -- cannot operate. Senator Wyden asked for a response from DHS by March 20, 2017 with answers to five questions (links added):

"1. What legal authority permits CBP to ask for, or demand, as a condition of entry, that a U.S. person disclose their social media or email password?
2. How is CBP use of a traveler's password to gain access to data stored in the cloud consistent with the Computer Fraud And Abuse Act?
3. What legal authority permits CBP to ask for, or demand, as a condition of entry, that a U.S. person turn over their device PIN or password to gain access to encrypted data? How are such demands consistent with the Fifth Amendment?
4. How many times in each calendar year 2012 - 2016 did CBP ask for, or demand, as a condition of entry, that a U.S. person disclose a smartphone or computer password, or otherwise provide access to a locked smartphone or computer? How many times has this occurred since January 20, 2017?
5. How many times in each calendar year 2012, 2013, 2014, 2015,and 2016 did CBP ask for, or demand, as a condition of entry, that a U.S. person disclose a social media or email account password, or otherwise provide CBP personnel access to data stored in an online account? How many times has this occurred since January 20, 2017?"

In April, Senator Wyden, with Senator Rand Paul (R-Kentucky), Representative Jared Polis (D-Colorado), and Representative Blake Farenthold (R-Texas) introduced the Protecting Data at the Border Act (PDBA) to ensure that U.S. citizens are not forced to endure indiscriminate and suspicion-less searches of their phones, laptops and other digital devices when crossing the United State's borders.

U.S. Customs and Border Protection logo On June 20, Kevin McAleenan, the Nominee for CBP Commissioner, responded to Senator's Wyden's letter. NBC News reported:

"U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News. The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn't have that authority in the first place... McAleenan's letter says officers can search a phone without consent and, except in very limited cases, without a warrant or even suspicion — but only for content that is saved directly to the device, like call histories, text messages, contacts, photos and videos... Travelers don't even have to unlock their devices or hand over their passwords when asked — but if they refuse, officers can "detain" the phone, McAleenan wrote."

When your phone or mobile device is detained, that means CBP agents keep it for a time before returning it to you. So, while you may enter the country fairly quickly, your seized device(s) may not. There are notable horror stories about travelers returning to the United States. It doesn't matter if the device is yours or your employer's.

McAleenan's letter did not answer questions #4 and #5 about search activity. Not good. In fact, the letter stated:

"DHS's May 9, 2017 letter stated that CBP did not have data responsive to this request."

Huh? This seems incredulous. Consider this scenario: a CBP agent detains a citizen's device(s) and inspects those devices (with or without the assistance of another federal agency). McAleenan's response would have us believe that the CBP doesn't have data documenting this event. This implies that the CBP either doesn't collect or doesn't maintain records of how its agents account for their time: when, where, why, the duration, which agents inspected, and types of devices inspected; nor when the detained device was ultimately returned to its owner. It also implies that the CBP doesn't have any records (e.g., doesn't know) about when, where, or the amount of data uploaded from detained devices and stored in CBP databases. This seems unbelievable and a huge managerial failure.

During my business career I had to submit and complete data into several online time-tracking systems; which tracked workers' time down to 15 minute intervals. Perhaps, it is appropriate to query the CBP about its time-tracking systems. Some ad hoc queries may yield responsive data.

Moreover, the CBP site contains and displays plenty of statistics about the agency's operations (e.g., staffing, sector performance, etc.) and enforcement (e.g., "inadmissibles," illegal aliens apprehended, arrests of wanted criminals, drug seizures, gang affiliated enforcement, etc.), but nothing about citizens detained for device searches nor the volume of passwords collected.

More about that in a few minutes. So, keep reading.

What to make of this? U.S. citizens have no Fourth Amendment rights when traveling across our borders. Not good. It doesn't matter whether you are law-abiding or not. Not good. Why? How? McAleenan's letter confirmed it:

"While 8 U.S.C. 1357 is an example of CBP's authority to conduct a search in the immigration context, CBP currently operates under a host of additional statutory authorities that more broadly provide that all persons, baggage, and merchandise arriving, or departing from, the United States are subject to search, inspection, and detention. See, e.g., 19 U.S.C. 1461; 1496; 1499. Those statutory Customs authorities are applicable to all travelers entering the United States, regardless of their citizenship.

"On this point, because CBP must determine the admissibility of both the traveler and his or her goods and baggage, even after a returning U.S. citizen has established their identity and U.S. citizenship, CBP may conduct a border search of the goods he or she is seeking to bring into the country to ensure that those goods are permitted to enter. In other words, because any traveler may be carrying an electronic device that contains evidence relating to offenses such as terrorism, illegal smuggling, child pornography, CBP's authority to search such a device at the border does not depend upon the citizenship of the traveler.

In the exceedingly rare instances when CBP seeks to conduct a border search of information in an electronic device -- which affects less than one-hundredth of one percent of travelers arriving to the United States because of a need to inspect that traveler's device. Therefore, although CBP may detain an arriving traveler's electronic device for further examination, in the limited circumstances when that is appropriate, CBP will not prevent a traveler who is confirmed to be a U.S. citizen from entering the country because of a need to conduct that additional examination..."

U.S. international travel statistics for Fiscal year 2016. The U.S. Customs and Border Protection. Click to view larger version Exceedingly rare? Perhaps on a percentage basis. We know from the CBP statistics page:

"CBP officers processed more than 390 million travelers at air, land, and sea ports of entry in FY2016, including more than 119 million travelers at air ports of entry..."

Some simple math using data supplied by the CBP: 0.01 percent X 390 million = 39,000 passengers during 2016 who have had their electronic devices detained and searched for information. Next, multiple that annual total by 10 or more years. The true total fast approaches half a million incidents.

Plus, the detainment and search rate may not be rare at all for frequent travelers. Some jobs require employees to travel frequently to international destinations.

Also, the above statement highlights the CBP approach: all travelers entering the country are presumed to be threats without any supporting data or evidence. No Fourth Amendment protections for U.S. citizens at our borders. Do you find this troubling? I hope that you do. Contact your elected representatives and demand that they support the Protecting Data at the Border Act.

A wise friend once said, "You just can't run away from the Fourth Amendment." I agree. What do you think?


CFPB Issues New Rule Governing Arbitration Clauses

The products and services many consumers purchases include contractual agreements with arbitration clauses, which prohibit consumers from getting relief by joining class-action lawsuits. Those clauses also specify the out-of-court process to resolve disagreements and the upfront fees consumers must pay.

Many you have heard of the phrase, "binding arbitration." Regular readers of this blog are familiar with the issues with binding arbitration. Many popular mobile apps, websites, streaming video services, and some augmented-reality (AR) mobile games contain these clauses. The Public Citizen website lists the banks, retail stores, entertainment, online shopping, telecommunications, consumer electronics, software, nursing homes, and health care companies that include binding arbitration clauses in their contracts with customers.

To achieve a better balance between the needs of consumers versus the needs of corporations, the Consumer Financial Protection Bureau (CFPB) has issued new rules governing arbitration clauses. The CFPB explained:

"No matter how many people are harmed by the same conduct, most arbitration clauses require people to bring claims individually against the company, outside the court system, before a private individual (an arbitrator). Companies know that people almost never spend the time or money to pursue relief when the amounts at stake are small, so few people do this. Our new rule will restore the ability of groups of people to file or join group lawsuits. In some cases, not only will companies have to provide relief, they will also have to change their behavior moving forward.

People who would otherwise have to go it alone or give up, will be able to join with others to pursue justice and some remedy for their harm."

Richard Cordray, the Director of the CFPB, in a statement briefly discussed the history:

"Originally, arbitration was primarily used for disagreements between two businesses. But over the last quarter century or so, companies started adding arbitration clauses to their consumer contracts... In 2007, Congress passed the Military Lending Act, which disallows mandatory arbitration clauses in connection with certain loans made to servicemembers. Three years later, in the Dodd-Frank Wall Street Reform and Consumer Protection Act, Congress went further and banned mandatory arbitration clauses in most residential mortgage contracts."

Supporters of binding arbitration clauses have long fought pro-consumer action by the CFPB. Director Cordray also discussed the new CFPB rule:

"A cherished tenet of our justice system is that no one, no matter how big or how powerful, should escape accountability if they break the law. But right now, many contracts for consumer financial products like bank accounts and credit cards come with a mandatory arbitration clause that makes it virtually impossible for people to sue the company as a group if things go wrong. On paper, these clauses simply say that either party can opt to have disputes resolved by private individuals known as arbitrators rather than by the court system. In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal rights..."

"The breadth and application of these clauses can be unexpected and severe. For example, when Wells Fargo opened millions of deposit and credit card accounts without the knowledge or consent of consumers, arbitration clauses in existing account contracts blocked their customers from bringing group lawsuits for the unauthorized account openings. Companies have argued that group lawsuits are unnecessary because the government can pursue enforcement actions to address the same problems. But consumers should be able to stand up for themselves and pursue their own legal rights without having to wait on the government. And the government has limited resources..."

The CFPB also produced this video:

What are your opinions of binding arbitration clauses? Were you aware of them? What are your opinions of the new CFPB rule?


Real Scams, Real Cons and Fake Law Enforcement

[Editor's Note: Today's guest post is by Arkady Bukh of Bukh & Associates, PLLC which specializes in criminal law, family law, and several areas of civil law. Aware consumers know how to recognize scams.]

By Arkady Bukh, Esq.

A man in Nigeria died recently. When the coroner went to the home for the body, he found $25 BILLION dollars. Apparently, the decedent had been trying to give away his money for years, but no one answered his email.

If you've been on the Internet for over, say, one-hour, you recognize the source for that joke. The Nigerian email scam is so infamous it's been given its own, easily recognizable, name: The Nigerian Email Scam.

Despite scams and cons being popular online, they're not confined to the virtual world. They crop up in the real world, too. Often, in unexpected ways.

Pennsylvania Teen Tries to Scam and It Doesn’t Go Well at Home
Police in Westtown Township nabbed a teenage boy in March after linking the kid to a scam involving fake traffic tickets. The fraudulent fines were placed in mailboxes at four homes. Each fake ticket claimed the homeowners' vehicle was captured on camera speeding in nearby West Chester. An accompanying note asked for $96 to be left in the mailbox.

"It does look real," said Jackie McGlone, a West Chester resident.

Detectives have found the photographs of the vehicle's' plates were taken while the car was parked in their owner's' driveway and unoccupied.

Police tracked the 16-year old boy, who lives in the area, by a tip phoned in by the teenager's dad.

The teen's father found some notifications waiting to be mailed and called the police. Charges are pending.

Truckers Lose Big Money in Oregon
In 2013, an Oregon-based scam dug into the pockets of truck drivers with automated calls telling them to pay their unpaid traffic tickets using re-loadable debit cards — or face a penalty.

The caller identified himself as, "Alex James Murphy of the Oregon State Police," and informed drivers of a bench warrant for an outstanding speeding ticket. To pay, the drivers were told to buy re-loadable prepaid cards through Green Dot MoneyPak, put $154 on the card, and then call a second phone number to provide the card information.

If the driver does all that, they'll find out there was never an unpaid speeding ticket and their $154 has hit the road. The scam, which occasionally crops up in difference places, first appeared on the radar in November 2012 and had gone through a few variations since.

An offshoot which also relies on confusing the lines between a con artist and legitimate law enforcement agencies is the “Support Your Sheriff” sticker scam. The Federal Trade Commission's website has a page warning consumers about cons which play on citizens' desire to help support local law enforcement.

Fake Police
A vehicle which appears to be an unmarked police car pulls you over. The ‘officer' says you are about to be handed a large fine and see points added to your driver's license. "However," says the supposed-cop, "you can avoid this by paying a smaller fee, up front, in cash."

That's not a tactic used by legitimate law enforcement agencies anywhere. Real cops want to make sure the law is obeyed and not about a discount if a speeder pays on the front end. Legitimate cops will issue a real ticket that must be paid in person, or mail, at the department.

If in doubt, request another officer to come to the scene. It's your right.

Phishing Scam
Someone receives an e-mail message claiming them they are guilty of a traffic violation. A wise person will delete the email immediately. Any email saying you owe money for traffic tickets is a phishing scam.

Usually, the email says the person needs to pay for the traffic citation right now. The e-mail includes a link where the individual to find details. The link often contains a computer virus, and can redirect the user to a phishing page meant to request personal information from the user.

Buy a Sticker and Get Out of Jail Free
Scammers have called individuals at work and home at claiming the local Department of Public Safety (DPS) offers decals for autos with the DPS logo to waive their next traffic ticket.

The caller instructs the person to place the sticker next to the car's license plate. To get the sticker, the vehicle owner must pay $10. Many persons fall for the scam as $10 is smaller than any traffic ticket issued after 1946.

If you get a traffic citation, you broke the law. You will pay for that. There is no such thing as a law enforcement sticker which gets you one free traffic ticket.


Data Breach Exposes Information Of Millions Of Verizon Customers

Verizon logo A data breach at Verizon has exposed the sensitive information of millions of customers. ZD Net reported:

"As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of NICE Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address."

Many businesses use cloud services vendors  -- Amazon Web Services and other vendors -- to outsource the storage of customers' information in online databases. While the practice isn't new, a problem is that customers aren't always informed of the business practice using their sensitive information.

Founded in 1986, NICE Systems has 3,500 employees, serves about 25,000 customers in 150 countries, and provides services to 85 percent of Fortune 100 companies. The exact number of affected Verizon customers is disputed.

The security firm Upguard found the unprotected cloud-based storage server:

"Upguard's Cyber Risk Team can now report that a mis-configured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon. (UPDATE: July 12, 3 PM PST - Both NICE Systems and Verizon have since confirmed the veracity of the exposure, while a Verizon spokesperson has claimed that only 6 million customers had data exposed)."

Whether the total number of breach victims is 6 or 14 million customers, neither is good. The phrase "account details" is troubling. That could mean anything from e-mail addresses to payment information to residential addresses, or more.

Upguard's announcement added:

"Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.

Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data... Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."

Agreed. This outsourcing business practice may be profitable for all companies involved, but the outsourcing practice does not decrease the risks. Not good. Mis-configured cloud servers should not happen. Not good. The event raises the question: when has this happened before, but went undetected?

Verizon released a statement about the incident:

"... an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.

To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts..."

Typically, after a breach companies hire independent security experts to investigate breaches and the contributing causes. Verizon's announcement did not state who, if anyone, it hired to perform a post-breach investigation nor when. So, according to Verizon: no big deal. No problem. Hmmmmm.

Reportedly, Upguard notified Verizon about the breach on June 13, and the breach was fixed on June 22. Upguard added:

"The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling."

Troubling, indeed. What took Verizon (and/or Nice Systems) so long? Verizon's statement didn't say. And what is Verizon (and/or NICE Systems) doing so this type of breach doesn't happen again? I look forward to upcoming explanations by both companies.

Readers: what are your opinions of this data breach? Of how long it took Verizon to fix things? Of the outsourcing practice? Verizon customers:

  • Is Verizon doing enough to protect your sensitive data?
  • Should affected customers be notified directly?
  • Have you received a breach notice from Verizon? If so, share some of its details.

ProPublica Seeks Input From Former IBM Employees

IBM logo This news item immediately caught my attention, since a data breach in 2007 at IBM Inc. was the original inspiration for this blog. And the tech company had another breach in 2009. The company has struggled against other tech companies.

Earlier this month, IBM completed a blockchain trial with Westpack and ANZ. According to Yahoo News and Zacks Equity Research, blockchain:

"... is a kind of distributed database and works as an online ledger that cannot be altered or breached easily. The use of such technologies in the banking and finance sector is aimed at reducing the possibility of losing valuable data as well as minimizing the rate of cybercrime in the finance industry.

Notably, IBM is one of major players in the Blockchain market. This is the second significant deal for the company in this technology space..."

The reporters at ProPublica seek input from former IBM employees who left the company during the last few years. Why? The computing and technology company has:

"... been upending its workforce, often with painful results for longtime employees. According to one estimate, IBM’s U.S. employment, which peaked at 230,000, had dropped to about 70,000 by mid-2015, largely the product of layoffs and retirements. And six weeks ago, IBM told thousands of its telecommuting employees to start reporting to particular offices, which in many cases would involve long-distance moves. That, or resign. As a result, hundreds, perhaps thousands, more IBMers are leaving the company.

IBM has long been a corporate leader in employment practices. That means the way it treats its employees speaks volumes about what lies ahead for working people everywhere. But IBM executives won’t tell their workers or the public how many people are leaving this year. They refuse to provide the numbers for 2016, 2015, or 2014 either, to explain the logic behind who gets tapped to go, or exactly how the departures fit into a larger strategy.

We’re asking you to help us get the numbers and, with them, answers."

Former IBM employees interested in providing input should complete this brief questionnaire at the ProPublica site.


Presidential Commission Demands Massive Amounts of State Voter Data

[Editor's Note: today's guest blog post, by the reporters at ProPublica, explores issues of alleged voter fraud, and the problems with analyses claiming multiple voter registrations across states. It is reprinted with permission.]

by Jessica Huseman, ProPublica

On June 28, all 50 states were sent letters from Kris Kobach -- vice chair for the Presidential Advisory Commission on Election Integrity -- requesting information on voter fraud, election security and copies of every state's voter roll data.

The letter asked state officials to deliver the data within two weeks, and says that all information turned over to the commission will be made public. The letter does not explain what the commission plans to do with voter roll data, which often includes the names, ages and addresses of registered voters. The commission also asked for information beyond what is typically contained in voter registration records, including Social Security numbers and military status, if the state election databases contain it.

President Donald Trump established the commission through an executive order on March 11. Its stated goal is to "promote fair and honest Federal elections" and it is chaired by Vice President Mike Pence. The commission plans to present a report to Trump that identifies vulnerabilities in the voting system that could lead to fraud and makes recommendations for enhancing voters' confidence in election integrity. No deadline has been set for completion of the work.

A number of experts, as well as at least one state official, reacted with a mix of alarm and bafflement. Some saw political motivations behind the requests, while others said making such information public would create a national voter registration list, a move that could create new election problems.

"You'd think there would want to be a lot of thought behind security and access protocols for a national voter file, before you up and created one," said Justin Levitt, a professor at Loyola University School of Law and former Department of Justice civil rights official. "This is asking to create a national voter file in two weeks."

David Becker, the executive director of the Center for Election Innovation & Research, also expressed serious concerns about the request. "It's probably a good idea not to make publicly available the name, address and military status of the people who are serving our armed forces to anyone who requests it," he said.

Kobach, the secretary of state in Kansas, has been concerned about voter fraud for years. His signature piece of legislation was a law requiring Kansans to show proof of citizenship when they register to vote, which is currently ensnarled in a fraught court battle with the American Civil Liberties Union. He has written that he believes people vote twice with "alarming regularity," and also that non-citizens frequently vote. Multiple studies have shown neither happens with any consistency.

Kobach also runs the Interstate Voter Registration Crosscheck Program, a proprietary piece of software started by Kansas Secretary of State Ron Thornburgh in 2005. Under the program, 30 states pool their voter information and attempt to identify people who are registered in more than one state.

Some expect the information Kobach has requested will be used to create a national system that would include data from all 50 states.

It is not uncommon for voters to be registered in more than one state. Many members of Trump's inner circle -- including his son-in-law Jared Kushner and daughter Tiffany Trump -- were registered to vote in two states. Given the frequency with which voters move across state lines and re-register, the act of holding two registrations is not in itself fraud. There is no evidence to suggest that voting twice is a widespread problem, though experts say removing duplicate registrations are a good practice if done carefully.

"In theory, I don't think we have a problem with that as an idea, but the devil is always in the details," said Dale Ho, the director of the ACLU's Voting Rights Project. While he believes voter registration list maintenance is important, he says Kobach's Crosscheck program has been repeatedly shown to be ineffective and to produce false matches. A study by a group of political scientists at Stanford published earlier this year found that Crosscheck highlighted 200 false matches for every one true double vote.

"I have every reason to think that given the shoddy work that Mr. Kobach has done in this area in the past that this is going to be yet another boondoggle and a propaganda tool that tries to inflate the problem of double registration beyond what it actually is," Ho said.

Some experts already see sloppy work in this request. On at least one occasion, the commission directed the letter to the incorrect entity. In North Carolina, it addressed and sent the letter to Secretary of State Elaine Marshall, who has no authority over elections or the voter rolls. In that state, the North Carolina Board of Elections manages both.

Charles Stewart, a professor at MIT and expert in election administration, said it was proof of "sloppy staff work," and questioned the speed at which the letter was sent. "It seems to me that the data aren't going anywhere. Doing database matching is hard work, and you need to plan it out carefully," he said. "It's a naïve first undertaking by the commission, and reflects that the commission may be getting ahead of itself."

Connecticut Secretary of State Denise Merrill, who oversees voting in the state, said she was dismayed about the commission's failure to be clearer about what its intentions are. In a statement, Merrill said her office would share publicly available information with the commission. But she said that "in the same spirit of transparency" her office would request the commission "share any memos, meeting minutes or additional information as state officials have not been told precisely what the Commission is looking for."

"This lack of openness is all the more concerning, considering that the Vice Chair of the Commission, Kris Kobach, has a lengthy record of illegally disenfranchising eligible voters in Kansas," she wrote.

Alabama's Republican Secretary of State John Merrill (no relation) also indicated he had questions for Kobach regarding how much of the data would be made public and how Alabamans' privacy would be protected, even while he expressed support for the commission. "Kobach is a close friend, and I have full confidence in him and his ability, but before we turn over data of this magnitude to anybody we're going to make sure our questions are answered," he said.

Colorado Secretary of State Republican Wayne Williams, for his part, said he was not concerned with what the commission planned to do with the data. "Just like when we get a [public-records] request, we don't demand to know what they are going to do with the data," he said. "There are important reasons why the voter roll is publicly available information."

The extent to which voter roll data is public varies across the country. While some states, like North Carolina, make their voter rolls available for free download, other states charge high fees. Alabama, for example, charges one cent per voter in the roll for a total cost of more than $30,000. The state law provides a waiver for government entities, so Merrill said the commission would receive the data for free. Other states, like Virginia, do not make this information public beyond sharing it with formal campaigns and political candidates. When ProPublica tried to purchase Illinois' voter roll, our request was denied because they only release it to government entities for privacy reasons. Illinois did not respond to a request regarding whether they would release this information to the PCEI, which 2014 while a government entity 2014 intends to make the information public.

The letter from the commission also asks quite broad questions of state elections officials.

"What changes, if any, to federal election laws would you recommend to enhance the integrity of federal elections?" asks the first question. The letter also asked for all information and convictions related to any instance of voter fraud or registration fraud, and it solicited recommendations "for preventing voter intimidation or disenfranchisement."

"The equivalent is, 'Hey, doctors, what changes would you suggest regarding healthcare? Let us know in two weeks,'" said Levitt, the Loyola professor. "If I were a state election official, I wouldn't know what to do with this."

While the commission is being chaired by Vice President Mike Pence, Kobach signed the letter alone. Jon Greenbaum, chief counsel for the Lawyers' Committee for Civil Rights Under Law, said this is an indication that Kobach -- not Pence -- "will be running the show," which he said should be a point of concern.

"As we know with Kobach, he's obsessed with trying to identify voter fraud and finds it in a lot of places where it doesn't exist," he said.

Vanita Gupta, the former acting head of the Department of Justice's civil rights division under President Barack Obama, said the commission's letter was an indication the commission was "laying the groundwork" to carry out changes to the National Voter Registration Act that might seek to restrict access to the polls.

The National Voter Registration Act -- sometimes called the Motor Voter Act -- was enacted in 1993. It allows the DOJ the authority to ensure states to keep voter registration lists, or voter rolls, accurate and up-to-date. It also requires states to offer opportunities for voter registration at all offices that provide public assistance (like the DMV). 

In November, Kobach was photographed holding a paper addressing national security issues and proposing changes to the voter registration law. It is not clear what these changes were. The ACLU is involved in a lawsuit against Kansas' state law requiring people to show proof of citizenship in order to register to vote. As part of the suit, ACLU lawyers requested access to the document reflecting the changes Kobach proposed.

Originally Kobach told the court the document was beyond the scope of the lawsuit, but last week the court found the documents were relevant and that Kobach had intentionally misled the court. He was fined $1,000 for the offense and required him to turn the document over. It has not yet been made public.

Gupta said her concern about the future of the voter registration act was deepened by the fact that, on June 29, the DOJ sent a letter to the 44 states covered by the act requesting information on the maintenance of their voter rolls. States were given 30 days to answer a set of detailed questions about their policies for list maintenance.

"The timing of the letters being issued on the same day is curious at the very least," she said.

The White House and the DOJ all did not respond to requests for comment about the letters.

The letter did not ask about compliance with the portions of the act that require states to attempt to expand the voter base, such as by offering voter registration forms and information in public offices.

Danielle Lang, deputy director of voting rights for The Campaign Legal Center, said the focus on list maintenance troubled her. While she said this might point to a new direction in enforcement for the DOJ's voting rights section, it was too early to tell how this information might be used.

Levitt said he did not recall a time when the DOJ has previously requested such broad information. While the information is public and not, on its face, troubling, Levitt said the only time he recalled requesting similar information was during targeted investigations when federal officials suspected a state was not complying with the law.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Facebook's Secret Censorship Rules Protect White Men from Hate Speech But Not Black Children

[Editor's Note: today's guest post, by the reporters at ProPublica, explores how social networking practice censorship to combat violence and hate speech, plus related practices such as "geo-blocking." It is reprinted with permission.]

Facebook logo by Julia Angwin, ProPublica, and Hannes Grassegger, special to ProPublica

In the wake of a terrorist attack in London earlier this month, a U.S. congressman wrote a Facebook post in which he called for the slaughter of "radicalized" Muslims. "Hunt them, identify them, and kill them," declared U.S. Rep. Clay Higgins, a Louisiana Republican. "Kill them all. For the sake of all that is good and righteous. Kill them all."

Higgins' plea for violent revenge went untouched by Facebook workers who scour the social network deleting offensive speech.

But a May posting on Facebook by Boston poet and Black Lives Matter activist Didi Delgado drew a different response.

"All white people are racist. Start from this reference point, or you've already failed," Delgado wrote. The post was removed and her Facebook account was disabled for seven days.

A trove of internal documents reviewed by ProPublica sheds new light on the secret guidelines that Facebook's censors use to distinguish between hate speech and legitimate political expression. The documents reveal the rationale behind seemingly inconsistent decisions. For instance, Higgins' incitement to violence passed muster because it targeted a specific sub-group of Muslims -- those that are "radicalized" -- while Delgado's post was deleted for attacking whites in general.

Over the past decade, the company has developed hundreds of rules, drawing elaborate distinctions between what should and shouldn't be allowed, in an effort to make the site a safe place for its nearly 2 billion users. The issue of how Facebook monitors this content has become increasingly prominent in recent months, with the rise of "fake news" -- fabricated stories that circulated on Facebook like "Pope Francis Shocks the World, Endorses Donald Trump For President, Releases Statement" -- and growing concern that terrorists are using social media for recruitment.

While Facebook was credited during the 2010-2011 "Arab Spring" with facilitating uprisings against authoritarian regimes, the documents suggest that, at least in some instances, the company's hate-speech rules tend to favor elites and governments over grassroots activists and racial minorities. In so doing, they serve the business interests of the global company, which relies on national governments not to block its service to their citizens.

One Facebook rule, which is cited in the documents but that the company said is no longer in effect, banned posts that praise the use of "violence to resist occupation of an internationally recognized state." The company's workforce of human censors, known as content reviewers, has deleted posts by activists and journalists in disputed territories such as Palestine, Kashmir, Crimea and Western Sahara.

One document trains content reviewers on how to apply the company's global hate speech algorithm. The slide identifies three groups: female drivers, black children and white men. It asks: Which group is protected from hate speech? The correct answer: white men.

The reason is that Facebook deletes curses, slurs, calls for violence and several other types of attacks only when they are directed at "protected categories" -- based on race, sex, gender identity, religious affiliation, national origin, ethnicity, sexual orientation and serious disability/disease. It gives users broader latitude when they write about "subsets" of protected categories. White men are considered a group because both traits are protected, while female drivers and black children, like radicalized Muslims, are subsets, because one of their characteristics is not protected. (The exact rules are in the slide show below.)

The Facebook Rules

Facebook has used these rules to train its "content reviewers" to decide whether to delete or allow posts. Facebook says the exact wording of its rules may have changed slightly in more recent versions. ProPublica recreated the slides.

Behind this seemingly arcane distinction lies a broader philosophy. Unlike American law, which permits preferences such as affirmative action for racial minorities and women for the sake of diversity or redressing discrimination, Facebook's algorithm is designed to defend all races and genders equally.

"Sadly," the rules are "incorporating this color-blindness idea which is not in the spirit of why we have equal protection," said Danielle Citron, a law professor and expert on information privacy at the University of Maryland. This approach, she added, will "protect the people who least need it and take it away from those who really need it."

But Facebook says its goal is different -- to apply consistent standards worldwide. "The policies do not always lead to perfect outcomes," said Monika Bickert, head of global policy management at Facebook. "That is the reality of having policies that apply to a global community where people around the world are going to have very different ideas about what is OK to share."

Facebook's rules constitute a legal world of their own. They stand in sharp contrast to the United States' First Amendment protections of free speech, which courts have interpreted to allow exactly the sort of speech and writing censored by the company's hate speech algorithm. But they also differ -- for example, in permitting postings that deny the Holocaust -- from more restrictive European standards.

The company has long had programs to remove obviously offensive material like child pornography from its stream of images and commentary. Recent articles in the Guardian and Süddeutsche Zeitung have detailed the difficult choices that Facebook faces regarding whether to delete posts containing graphic violence, child abuse, revenge porn and self-mutilation.

The challenge of policing political expression is even more complex. The documents reviewed by ProPublica indicate, for example, that Donald Trump's posts about his campaign proposal to ban Muslim immigration to the United States violated the company's written policies against "calls for exclusion" of a protected group. As The Wall Street Journal reported last year, Facebook exempted Trump's statements from its policies at the order of Mark Zuckerberg, the company's founder and chief executive.

The company recently pledged to nearly double its army of censors to 7,500, up from 4,500, in response to criticism of a video posting of a murder. Their work amounts to what may well be the most far-reaching global censorship operation in history. It is also the least accountable: Facebook does not publish the rules it uses to determine what content to allow and what to delete.

Users whose posts are removed are not usually told what rule they have broken, and they cannot generally appeal Facebook's decision. Appeals are currently only available to people whose profile, group or page is removed.

The company has begun exploring adding an appeals process for people who have individual pieces of content deleted, according to Bickert. "I'll be the first to say that we're not perfect every time," she said.

Facebook is not required by U.S. law to censor content. A 1996 federal law gave most tech companies, including Facebook, legal immunity for the content users post on their services. The law, section 230 of the Telecommunications Act, was passed after Prodigy was sued and held liable for defamation for a post written by a user on a computer message board.

The law freed up online publishers to host online forums without having to legally vet each piece of content before posting it, the way that a news outlet would evaluate an article before publishing it. But early tech companies soon realized that they still needed to supervise their chat rooms to prevent bullying and abuse that could drive away users.

America Online convinced thousands of volunteers to police its chat rooms in exchange for free access to its service. But as more of the world connected to the internet, the job of policing became more difficult and companies started hiring workers to focus on it exclusively. Thus the job of content moderator -- now often called content reviewer -- was born.

In 2004, attorney Nicole Wong joined Google and persuaded the company to hire its first-ever team of reviewers, who responded to complaints and reported to the legal department. Google needed "a rational set of policies and people who were trained to handle requests," for its online forum called Groups, she said.

Google's purchase of YouTube in 2006 made deciding what content was appropriate even more urgent. "Because it was visual, it was universal," Wong said.

While Google wanted to be as permissive as possible, she said, it soon had to contend with controversies such as a video mocking the King of Thailand, which violated Thailand's laws against insulting the king. Wong visited Thailand and was impressed by the nation's reverence for its monarch, so she reluctantly agreed to block the video -- but only for computers located in Thailand.

Since then, selectively banning content by geography -- called "geo-blocking" -- has become a more common request from governments. "I don't love traveling this road of geo-blocking," Wong said, but "it's ended up being a decision that allows companies like Google to operate in a lot of different places."

For social networks like Facebook, however, geo-blocking is difficult because of the way posts are shared with friends across national boundaries. If Facebook geo-blocks a user's post, it would only appear in the news feeds of friends who live in countries where the geo-blocking prohibition doesn't apply. That can make international conversations frustrating, with bits of the exchange hidden from some participants.

As a result, Facebook has long tried to avoid using geography-specific rules when possible, according to people familiar with the company's thinking. However, it does geo-block in some instances, such as when it complied with a request from France to restrict access within its borders to a photo taken after the Nov. 13, 2015, terrorist attack at the Bataclan concert hall in Paris.

Bickert said Facebook takes into consideration the laws in countries where it operates, but doesn't always remove content at a government's request. "If there is something that violates a country's law but does not violate our standards," Bickert said, "we look at who is making that request: Is it the appropriate authority? Then we check to see if it actually violates the law. Sometimes we will make that content unavailable in that country only."

Facebook's goal is to create global rules. "We want to make sure that people are able to communicate in a borderless way," Bickert said.

Founded in 2004, Facebook began as a social network for college students. As it spread beyond campus, Facebook began to use content moderation as a way to compete with the other leading social network of that era, MySpace.

MySpace had positioned itself as the nightclub of the social networking world, offering profile pages that users could decorate with online glitter, colorful layouts and streaming music. It didn't require members to provide their real names and was home to plenty of nude and scantily clad photographs. And it was being investigated by law-enforcement agents across the country who worried it was being used by sexual predators to prey on children. (In a settlement with 49 state attorneys general, MySpace later agreed to strengthen protections for younger users.)

By comparison, Facebook was the buttoned-down Ivy League social network -- all cool grays and blues. Real names and university affiliations were required. Chris Kelly, who joined Facebook in 2005 and was its first general counsel, said he wanted to make sure Facebook didn't end up in law enforcement's crosshairs, like MySpace.

"We were really aggressive about saying we are a no-nudity platform," he said.

The company also began to tackle hate speech. "We drew some difficult lines while I was there -- Holocaust denial being the most prominent," Kelly said. After an internal debate, the company decided to allow Holocaust denials but reaffirmed its ban on group-based bias, which included anti-Semitism. Since Holocaust denial and anti-Semitism frequently went together, he said, the perpetrators were often suspended regardless.

"I've always been a pragmatist on this stuff," said Kelly, who left Facebook in 2010. "Even if you take the most extreme First Amendment positions, there are still limits on speech."

By 2008, the company had begun expanding internationally but its censorship rulebook was still just a single page with a list of material to be excised, such as images of nudity and Hitler. "At the bottom of the page it said, 'Take down anything else that makes you feel uncomfortable,'" said Dave Willner, who joined Facebook's content team that year.

Willner, who reviewed about 15,000 photos a day, soon found the rules were not rigorous enough. He and some colleagues worked to develop a coherent philosophy underpinning the rules, while refining the rules themselves. Soon he was promoted to head the content policy team.

By the time he left Facebook in 2013, Willner had shepherded a 15,000-word rulebook that remains the basis for many of Facebook's content standards today.

"There is no path that makes people happy," Willner said. "All the rules are mildly upsetting." Because of the volume of decisions -- many millions per day -- the approach is "more utilitarian than we are used to in our justice system," he said. "It's fundamentally not rights-oriented."

Willner's then-boss, Jud Hoffman, who has since left Facebook, said that the rules were based on Facebook's mission of "making the world more open and connected." Openness implies a bias toward allowing people to write or post what they want, he said.

But Hoffman said the team also relied on the principle of harm articulated by John Stuart Mill, a 19th-century English political philosopher. It states "that the only purpose for which power can be rightfully exercised over any member of a civilized community, against his will, is to prevent harm to others." That led to the development of Facebook's "credible threat" standard, which bans posts that describe specific actions that could threaten others, but allows threats that are not likely to be carried out.

Eventually, however, Hoffman said "we found that limiting it to physical harm wasn't sufficient, so we started exploring how free expression societies deal with this."

The rules developed considerable nuance. There is a ban against pictures of Pepe the Frog, a cartoon character often used by "alt-right" white supremacists to perpetrate racist memes, but swastikas are allowed under a rule that permits the "display [of] hate symbols for political messaging." In the documents examined by ProPublica, which are used to train content reviewers, this rule is illustrated with a picture of Facebook founder Mark Zuckerberg that has been manipulated to apply a swastika to his sleeve.

The documents state that Facebook relies, in part, on the U.S. State Department's list of designated terrorist organizations, which includes groups such as al-Qaida, the Taliban and Boko Haram. But not all groups deemed terrorist by one country or another are included: A recent investigation by the Pakistan newspaper Dawn found that 41 of the 64 terrorist groups banned in Pakistan were operational on Facebook.

There is also a secret list, referred to but not included in the documents, of groups designated as hate organizations that are banned from Facebook. That list apparently doesn't include many Holocaust denial and white supremacist sites that are up on Facebook to this day, such as a group called "Alt-Reich Nation." A member of that group was recently charged with murdering a black college student in Maryland.

As the rules have multiplied, so have exceptions to them. Facebook's decision not to protect subsets of protected groups arose because some subgroups such as "female drivers" didn't seem especially sensitive. The default position was to allow free speech, according to a person familiar with the decision-making.

After the wave of Syrian immigrants began arriving in Europe, Facebook added a special "quasi-protected" category for migrants, according to the documents. They are only protected against calls for violence and dehumanizing generalizations, but not against calls for exclusion and degrading generalizations that are not dehumanizing. So, according to one document, migrants can be referred to as "filthy" but not called "filth." They cannot be likened to filth or disease "when the comparison is in the noun form," the document explains.

Facebook also added an exception to its ban against advocating for anyone to be sent to a concentration camp. "Nazis should be sent to a concentration camp," is allowed, the documents state, because Nazis themselves are a hate group.

The rule against posts that support violent resistance against a foreign occupier was developed because "we didn't want to be in a position of deciding who is a freedom fighter," Willner said. Facebook has since dropped the provision and revised its definition of terrorism to include nongovernmental organizations that carry out premeditated violence "to achieve a political, religious or ideological aim," according to a person familiar with the rules.

The Facebook policy appears to have had repercussions in many of the at least two dozen disputed territories around the world. When Russia occupied Crimea in March 2014, many Ukrainians experienced a surge in Facebook banning posts and suspending profiles. Facebook's director of policy for the region, Thomas Myrup Kristensen, acknowledged at the time that it "found a small number of accounts where we had incorrectly removed content. In each case, this was due to language that appeared to be hate speech but was being used in an ironic way. In these cases, we have restored the content."

Katerina Zolotareva, 34, a Kiev-based Ukrainian working in communications, has been blocked so often that she runs four accounts under her name. Although she supported the "Euromaidan" protests in February 2014 that antagonized Russia, spurring its military intervention in Crimea, she doesn't believe that Facebook took sides in the conflict. "There is war in almost every field of Ukrainian life," she says, "and when war starts, it also starts on Facebook."

In Western Sahara, a disputed territory occupied by Morocco, a group of journalists called Equipe Media say their account was disabled by Facebook, their primary way to reach the outside world. They had to open a new account, which remains active.

"We feel we have never posted anything against any law," said Mohammed Mayarah, the group's general coordinator. "We are a group of media activists. We have the aim to break the Moroccan media blockade imposed since it invaded and occupied Western Sahara."

In Israel, which captured territory from its neighbors in a 1967 war and has occupied it since, Palestinian groups are blocked so often that they have their own hashtag, #FbCensorsPalestine, for it. Last year, for instance, Facebook blocked the accounts of several editors for two leading Palestinian media outlets from the West Bank -- Quds News Network and Sheebab News Agency. After a couple of days, Facebook apologized and un-blocked the journalists' accounts. Earlier this year, Facebook blocked the account of Fatah, the Palestinian Authority's ruling party -- then un-blocked it and apologized.

Last year India cracked down on protesters in Kashmir, shooting pellet guns at them and shutting off cellphone service. Local insurgents are seeking autonomy for Kashmir, which is also caught in a territorial tussle between India and Pakistan. Posts of Kashmir activists were being deleted, and members of a group called the Kashmir Solidarity Network found that all of their Facebook accounts had been blocked on the same day.

Ather Zia, a member of the network and a professor of anthropology at the University of Northern Colorado, said that Facebook restored her account without explanation after two weeks. "We do not trust Facebook any more," she said. "I use Facebook, but it's almost this idea that we will be able to create awareness but then we might not be on it for long."

The rules are one thing. How they're applied is another. Bickert said Facebook conducts weekly audits of every single content reviewer's work to ensure that its rules are being followed consistently. But critics say that reviewers, who have to decide on each post within seconds, may vary in both interpretation and vigilance.

Facebook users who don't mince words in criticizing racism and police killings of racial minorities say that their posts are often taken down. Two years ago, Stacey Patton, a journalism professor at historically black Morgan State University in Baltimore, posed a provocative question on her Facebook page. She asked why "it's not a crime when White freelance vigilantes and agents of 'the state' are serial killers of unarmed Black people, but when Black people kill each other then we are 'animals' or 'criminals.'"

Although it doesn't appear to violate Facebook's policies against hate speech, her post was immediately removed, and her account was disabled for three days. Facebook didn't tell her why. "My posts get deleted about once a month," said Patton, who often writes about racial issues. She said she also is frequently put in Facebook "jail" -- locked out of her account for a period of time after a posting that breaks the rules.

"It's such emotional violence," Patton said. "Particularly as a black person, we're always have these discussions about mass incarceration, and then here's this fiber-optic space where you can express yourself. Then you say something that some anonymous person doesn't like and then you're in 'jail.'"

Didi Delgado, whose post stating that "white people are racist" was deleted, has been banned from Facebook so often that she has set up an account on another service called Patreon, where she posts the content that Facebook suppressed. In May, she deplored the increasingly common Facebook censorship of black activists in an article for Medium titled "Mark Zuckerberg Hates Black People."

Facebook also locked out Leslie Mac, a Michigan resident who runs a service called SafetyPinBox where subscribers contribute financially to "the fight for black liberation," according to her site. Her offense was writing a post stating "White folks. When racism happens in public -- YOUR SILENCE IS VIOLENCE."

The post does not appear to violate Facebook's policies. Facebook apologized and restored her account after TechCrunch wrote an article about Mac's punishment. Since then, Mac has written many other outspoken posts. But, "I have not had a single peep from Facebook," she said, while "not a single one of my black female friends who write about race or social justice have not been banned."

"My takeaway from the whole thing is: If you get publicity, they clean it right up," Mac said. Even so, like most of her friends, she maintains a separate Facebook account in case her main account gets blocked again.

Negative publicity has spurred other Facebook turnabouts as well. Consider the example of the iconic news photograph of a young naked girl running from a napalm bomb during the Vietnam War. Kate Klonick, a Ph.D. candidate at Yale Law School who has spent two years studying censorship operations at tech companies, said the photo had likely been deleted by Facebook thousands of times for violating its ban on nudity.

But last year, Facebook reversed itself after Norway's leading newspaper published a front-page open letter to Zuckerberg accusing him of "abusing his power" by deleting the photo from the newspaper's Facebook account.

Klonick said that while she admires Facebook's dedication to policing content on its website, she fears it is evolving into a place where celebrities, world leaders and other important people "are disproportionately the people who have the power to update the rules."

In December 2015, a month after terrorist attacks in Paris killed 130 people, the European Union began pressuring tech companies to work harder to prevent the spread of violent extremism online.

After a year of negotiations, Facebook, Microsoft, Twitter and YouTube agreed to the European Union's hate speech code of conduct, which commits them to review and remove the majority of valid complaints about illegal content within 24 hours and to be audited by European regulators. The first audit, in December, found that the companies were only reviewing 40 percent of hate speech within 24 hours, and only removing 28 percent of it. Since then, the tech companies have shortened their response times to reports of hate speech and increased the amount of content they are deleting, prompting criticism from free-speech advocates that too much is being censored.

Now the German government is considering legislation that would allow social networks such as Facebook to be fined up to 50 million euros if they don't remove hate speech and fake news quickly enough. Facebook recently posted an article assuring German lawmakers that it is deleting about 15,000 hate speech posts a month. Worldwide, over the last two months, Facebook deleted about 66,000 hate speech posts per week, vice president Richard Allan said in a statement Tuesday on the company's site.

Among posts that Facebook didn't delete were Donald Trump's comments on Muslims. Days after the Paris attacks, Trump, then running for president, posted on Facebook "calling for a total and complete shutdown of Muslims entering the United States until our country's representatives can figure out what is going on."

Candidate Trump's posting -- which has come back to haunt him in court decisions voiding his proposed travel ban -- appeared to violate Facebook's rules against "calls for exclusion" of a protected religious group. Zuckerberg decided to allow it because it was part of the political discourse, according to people familiar with the situation.

However, one person close to Facebook's decision-making said Trump may also have benefited from the exception for sub-groups. A Muslim ban could be interpreted as being directed against a sub-group, Muslim immigrants, and thus might not qualify as hate speech against a protected category.

Hannes Grassegger is a reporter for Das Magazin and Reportagen Magazine based in Zurich.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Bank Of New York Mellon Corporation Fined For 'Unsafe And Unsound' Practices

The Federal Reserve Board (FRB) announced on Tuesday that it had levied a $3 million fine against the Bank of New York Mellon Corporation (BNY Mellon) for "unsafe and unsound practices." The FRB announcement explained:

"In 2010, following a change in the relevant accounting rules, BNY Mellon consolidated a portfolio of collateralized loan obligations onto its balance sheet. BNY Mellon incorrectly assigned the assets a zero-risk weighting, which was improper under the rules in place at the time. As a result of its improper treatment of the portfolio BNY Mellon understated its reported risk-weighted assets and overstated its risk-based capital ratios for nearly 14 quarters."

When the errors were identified, BNY Mellon has since taken corrective action and is now in compliance. The Consent Order (Adobe PDF) dated June 26, 2017 stated:

"The Board of Governors hereby assesses BNY Mellon a civil money penalty in the amount of $3,000,000.00 which shall be paid upon the execution of this Order by Fedwire transfer of immediately available funds to the Federal Reserve Bank of Richmond... This penalty is a penalty paid to a government agency for a violation of law for purposes of 26 U.S.C. § 162(f) and 26 C.F.R. § 1.162-21. The Federal Reserve Bank of Richmond, on behalf of the Board of Governors, shall distribute this sum to the U.S. Department of the Treasury... Each provision of this Consent Penalty Assessment shall remain effective and enforceable until stayed, modified, terminated, or suspended in writing by the Board of Governors.

The Board of Governors hereby agrees not to initiate any further enforcement actions, including for civil money penalties, against BNY Mellon and its affiliates, successors, and assigns, with respect to the conduct that has been or might have been asserted by the Board of Governors described..."

Earlier this month, the FRB barred two former employees of Regions Bank from working within the banking industry, after both men -- Richard Henderson and Philip Cooper -- pled guilty to conspiracy to commit money laundering, and conspiracy to commit bank bribery and wire fraud. In late May, the FRB levied a $41 million penalty, plus a cease-and-desist order, against the U.S. operations of Deutsche Bank AG for anti-money laundering deficiencies.

BNY Mellon can easily afford this fine. In April, the bank reported first quarter earnings of $880 million on revenues of $3.84 billion. The bank has about $29 trillion in assets under custody and administration, and $1.6 trillion in assets under management.


How Two Common Medications Became One $455 Million Specialty Pill

[Editor's Note: today's guest post, by the reporters at ProPublica, explores reasons for the high cost of prescription drugs for patients in the United States. Today's post is reprinted with permission.]

by Marshall Allen, ProPublica

Everything happened so fast as I walked out of the doctor's exam room. I was tucking in my shirt and wondering if I'd asked all my questions about my injured shoulder when one of the doctor's assistants handed me two small boxes of pills.

"These will hold you over until your prescription arrives in the mail," she said, pointing to the drug samples.

Strange, I thought to myself, the doctor didn't mention giving me any drugs.

I must have looked puzzled because she tried to reassure me.

"Don't worry," she said. "It won't cost you any more than $10."

I was glad whatever was coming wouldn't break my budget, but I didn't understand why I needed the drugs in the first place. And why wasn't I picking them up at my local CVS?

At first I shrugged it off. This had been my first visit with an orthopedic specialist and he, Dr. Mohnish Ramani, hadn't been the chatty type. He'd barely said a word as he examined me, tugging my arm this way and bending it that way before rotating it behind my back. The pain made me squirm and yelp, but he knew what he was doing. He promptly diagnosed me with frozen shoulder, a debilitating inflammation of the shoulder capsule.

But back to the drugs. As an investigative reporter who has covered health care for more than a decade, the interaction was just the sort of thing to pique my interest. One thing I've learned is that almost nothing in medicine 2014 especially brand-name drugs 2014 is ever really a deal. When I got home, I looked up the drug: Vimovo.

The drug has been controversial, to say the least. Vimovo was created using two readily and cheaply available generic, or over-the-counter, medicines: naproxen, also known by the brand Aleve, and esomeprazole magnesium, also known as Nexium. The Aleve handles your pain and the Nexium helps with the upset stomach that's sometimes caused by the pain reliever. The key selling point of this new "convenience drug"? It's easier to take one pill than two.

But only a minority of patients get an upset stomach, and there was no indication I'd be one of them. Did I even need the Nexium component?

Of course I also did the math. You can walk into your local drugstore and buy a month's supply of Aleve and Nexium for about $40. For Vimovo, the pharmacy billed my insurance company $3,252. This doesn't mean the drug company ultimately gets paid that much. The pharmaceutical world is rife with rebates and side deals 2014 all designed to elbow ahead of the competition. But apparently the price of convenience comes at a steep mark-up.

Think about it another way. Let's say you want to eat a peanut butter and jelly sandwich every day for a month. You could buy a big jar of peanut butter and a jar of grape jelly for less than 10 bucks. Or you could buy some of that stuff where they combine the peanut butter and grape jelly into the same jar. Smucker's makes it. It's called Goober. Except in this scenario, instead of its usual $3.50 price tag, Smucker's is charging $565 for the jar of Goober.

So if Vimovo is the Goober of drugs, then why have Americans been spending so much on it? My insurance company, smartly, rejected the pharmacy's claim. But I knew Vimovo's makers weren't wooing doctors like mine for nothing. So I looked up the annual reports for the Ireland-based company, Horizon Pharma, which makes Vimovo. Since 2014, Vimovo's net sales have been more than $455 million. That means a lot of insurers are paying way more than they should for their Goober.

And Vimovo wasn't Horizon's only such drug. It has brought in an additional $465 million in net sales from Duexis, a similar convenience drug that combines ibuprofen and famotidine, AKA Advil and Pepsid.

This year I have been documenting the kind of waste in the health care system that's not typically tracked. Americans pay more for health care than anyone else in the world, and experts estimate that the U.S. system wastes hundreds of billions of dollars a year. In recent months I've looked at what hospitals throw away and how nursing homes flush or toss out hundreds of millions of dollars' worth of usable medicine every year. We all pay for this waste, through lower wages and higher premiums, deductibles and out-of-pocket costs. There doesn't seem to be an end in sight 2014 I just got a notice that my premiums may be increasing by another 12 percent next year.

With Vimovo, it seemed I stumbled on another waste stream: overpriced drugs whose actual costs are hidden from doctors and patients. In the case of Horizon, the brazenness of its approach was even more astounding because it had previously been called out in media reports and in a 2016 congressional hearing on out-of-control drug prices.

Health care economists also were wise to it.

"It's a scam," said Devon Herrick, a health care economist with the National Center for Policy Analysis. "It is just a way to gouge insurance companies or employer health care plans."

Unsurprisingly, Horizon says the high price is justified. In fact, the drug maker wrote in an email, "The price of Vimovo is based on the value it brings to patients."

Thousands of patients die and suffer injuries every year, the company said, because of gastric complications from naproxen and other non-steroid anti-inflammatory drugs (NSAIDs). Providing pain relief and stomach protection in a single pill makes it more likely patients will be protected from complications, it said.

And Horizon stressed Vimovo is a "special formulation" of Aleve and Nexium, so it's not the same as taking the two separately. But several experts said that's a scientific distinction that doesn't make a therapeutic difference. "I would take the two medications from the drugstore in a heartbeat 2014 therapeutically it makes sense," said Michael Fossler, a pharmacist and clinical pharmacologist who is chair of the public-policy committee for the American College of Clinical Pharmacology. "What you're paying for with [Vimovo] is the convenience. But it does seem awful pricey for that."

Public outrage is boiling over when it comes to high drug prices, leading the media and lawmakers to scold pharmaceutical companies. You'd think a regulator would monitor this, but the Food and Drug Administration told me they are only authorized to review new drugs for safety and effectiveness, not prices. "Prices are set by manufacturers and distributors," the FDA said in a statement.

Horizon acquired Vimovo in November 2013 from the global pharmaceutical giant AstraZeneca. Horizon knew it faced challenges trying to get top dollar for inexpensive ingredients. "Use of these therapies separately in generic form may be cheaper," it said in its 2013 report to investors. But the company executed a shrewd strategy to give everyone -- insurers, patients, doctors and pharmacies -- the incentive to use Vimovo. It's instructive to review its playbook.

To get Vimovo covered, Horizon made deals with insurance payers and pharmacy benefit managers -- the intermediaries who help determine which drugs get reimbursed. The contracts generally included special rebates and even administrative fees for these intermediaries, the Horizon reports said, so the drug maker got paid much less than the sticker price, though it wouldn't say how much. But the company's net sales show the deals worked.

Horizon put boots on the ground to get the prescriptions rolling, expanding its sales force by the hundreds and focusing its marketing and sales efforts on doctors who already liked to prescribe brand-name drugs. The company's message to doctors emphasized the convenience of prescribing the two ingredients in a single pill and that the single pill protected patients by making it more likely they would take their medication as directed.

Horizon also primed the medical community by giving donations totaling $101,000 to the American Gastroenterology Association, a specialty nonprofit for physicians. Some doctors refuse drug-industry money, if only to at least avoid the appearance of a conflict of interest. ProPublica has done loads of stories showing why doctors taking money is indeed problematic, including one about drug makers' influence on physician specialty groups. When I went on the American Gastroenterology Association's website, the first thing I saw was a pop-up ad from a drug company. Several of the association's board members have received drug-company money, too. Horizon has made clear in its annual reports that donations to the group "help physicians and patients better understand and manage" the risks of pain relievers causing gastric problems.

Horizon also zeroed in on patients' worries about drug costs. To encourage them to fill their prescriptions, Horizon covered all or most of their out-of-pocket costs. That's why my doctor's office could promise me I wouldn't spend too much for my Vimovo. The program, Horizon told investors in reports, addressed the impact of pharmacies switching to less expensive alternatives and could "mitigate" the effect of payers searching for cheaper alternatives.

The strategy worked on me. I didn't even know why I was getting the prescription, but when they told me it wouldn't cost more than I would spend on lunch with a friend, I gave it the OK. A pharmacy I'd never heard of sent me a bottle of Vimovo for $10, even though my insurance company rejected the claim.

Turns out paying the patient's costs motivated my doctor, too. I waited until the end of my next visit to bring up Vimovo, and then we had a follow-up conversation on the phone. Ramani didn't know the price of the drug and found it "disturbing" when I told him. That was a surprise to me, but not to him. He said he leaves billing to his staff and doesn't even know how much he gets paid for a lot of the procedures he performs, let alone how much insurers are being charged for drugs. The marketing arms of companies like Horizon must count on this sort of blindness.

Ramani doesn't receive money or gifts from Horizon. (I confirmed this on ProPublica's Dollars for Docs website, which lists drug-company payments.) He said he likes Vimovo because Horizon covers the patient's out-of-pocket costs, entirely in many cases. Prescribing the generics or over-the-counter medications separately would actually cost more, he said. Which of course is exactly the company's plan. But Ramani agreed that the high cost of the drug to insurers ultimately raises overall health care costs for all Americans.

Knowing Vimovo's price, I asked him if he would continue to prescribe it. "It changes my thought process," he said. "But at the end of the day, I have to think about the patient and whether the patient will be able to pay out of pocket or not."

Ramani said the Horizon drug rep told him Vimovo prescriptions had to go through a particular pharmacy for the patient to receive financial assistance. In its 2016 annual report, Horizon wrote that prescriptions for its drugs might not be filled by certain pharmacies because of insurance-company exclusions, co-payment requirements, or incentives to use lower-priced alternatives. So that's why they didn't give me the option of picking up my pills at my neighborhood drugstore.

Instead, my Vimovo was mailed to me from White Oak Pharmacy in Nutley, New Jersey, which is about 45 minutes from my house. I drove there to find out why. The neighborhood pharmacy is on the bottom floor of a two-story brick building on a street corner, next to a hair salon.

Vishal Chhabria, the pharmacist who owns White Oak, told me the drug company sets the price of Vimovo. He insisted his pharmacy has no special relationship or contract with Horizon. Maybe the drug company steers prescriptions his way, he said, because his pharmacy will process the coupons that reduce or eliminate the patient costs, which some pharmacies don't.

Chhabria said there is no approved generic alternative to Vimovo, so he can't suggest one to patients. And while other drugs, like over-the-counter medications, would be cheaper for the health system overall, they are more expensive for the individual patient, he said.

In poring through Horizon's financial filings, it appears the drug's run may be ending. Horizon said in its report for the first quarter of 2017 that fewer insurance companies have been willing to cover Vimovo and many that do have demanded larger rebates. As a result, Horizon has been eating more of the costs of providing the drug to patients, as they must have in my case. The prescriptions have still been coming in, but net sales were just under $5 million in the first quarter of this year, down 81 percent from the first quarter of 2016.

Critics of Vimovo say that's still more than patients should be spending on the drug. "That number should be zero," said Linda Cahn, an attorney who advises corporations, unions and other payers to help reduce their costs. "If you want to talk about waste, that's waste."

Herrick, the health care economist, said Horizon cashed in by eliminating many of the barriers in the system that are meant to control costs. The company got patients on board by covering their out-of-pocket costs. It appealed to doctors by promoting the benefits to patients. And it did an end-run around chain pharmacies, which typically might suggest a lower-priced alternative, by steering prescriptions to pharmacists who would participate in their patient-assistance program.

"Somebody brainstormed: 'How can we nullify any consumer check and balance in this supply chain? What can we do to keep the customer from asking questions?'" Herrick said.

The scheme that played out with Vimovo is bound to happen again, Herrick said. Maybe it already is. Drug companies are always on the lookout to deploy similar strategies.

I dutifully took my Vimovo for several days, until I noticed it kept me awake until 3 in the morning 2014 a rare side effect. (Perhaps they need to add a third drug to the combo.) I probably have more than 50 pills left in the bottle on my bedside table. Maybe I could sell it back to Horizon for $1,500.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.