Lawmakers In California Cave To Industry Lobbying, And Backtrack With Weakened Net Neutrality Bill

After the U.S. Federal Communications Commission (FCC) acted last year to repeal net neutrality rules, those protections officially expired on June 11th. Meanwhile, legislators in California have acted to protect their state's residents. In January, State Senator Weiner introduced in January a proposed bill, which was passed by the California Senate three weeks ago.

Since then, some politicians have countered with a modified bill lacking strong protections. C/Net reported:

"The vote on Wednesday in a California Assembly committee hearing advanced a bill that implements some net neutrality protections, but it scaled back all the measures of the bill that had gone beyond the rules outlined in the Federal Communications Commission's 2015 regulation, which was officially taken off the books by the Trump Administration's commission last week. In a surprise move, the vote happened before the hearing officially started,..."

Weiner's original bill was considered the "gold standard" of net neutrality protections for consumers because:

"... it went beyond the FCC's 2015 net neutrality "bright line" rules by including provisions like a ban on zero-rating, a business practice that allows broadband providers like AT&T to exempt their own services from their monthly wireless data caps, while services from competitors are counted against those limits. The result is a market controlled by internet service providers like AT&T, who can shut out the competition by creating an economic disadvantage for those competitors through its wireless service plans."

State Senator Weiner summarized the modified legislation:

"It is, with the amendments, a fake net neutrality bill..."

A key supporter of the modified, weak bill was Assemblyman Miguel Santiago, a Democrat from Los Angeles. Motherboard reported:

"Spearheading the rushed dismantling of the promising law was Committee Chair Miguel Santiago, a routine recipient of AT&T campaign contributions. Santiago’s office failed to respond to numerous requests for comment from Motherboard and numerous other media outlets... Weiner told the San Francisco Chronicle that the AT&T fueled “evisceration” of his proposal was “decidedly unfair.” But that’s historically how AT&T, a company with an almost comical amount of control over state legislatures, tends to operate. The company has so much power in many states, it’s frequently allowed to quite literally write terrible state telecom law..."

Supporters of this weakened bill either forgot or ignored the results from a December 2017 study of 1,077 voters. Most consumers want net neutrality protections:

Do you favor or oppose the proposal to give ISPs the freedom to: a) provide websites the option to give their visitors the ability to download material at a higher speed, for a fee, while providing a slower speed for other websites; b) block access to certain websites; and c) charge their customers an extra fee to gain access to certain websites?
Group Favor Opposed Refused/Don't Know
National 15.5% 82.9% 1.6%
Republicans 21.0% 75.4% 3.6%
Democrats 11.0% 88.5% 0.5%
Independents 14.0% 85.9% 0.1%

Why would politicians pursue weak net neutrality bills with few protections, while constituents want those protections? They are doing the bidding of the corporate internet service providers (ISPs) at the expense of their constituents. Profits before people. These politicians promote the freedom for ISPs to do as they please while restricting consumers' freedoms to use the bandwidth they've purchased however they please.

Broadcasting and Cable reported:

"These California democrats will go down in history as among the worst corporate shills that have ever held elected office," said Evan Greer of net neutrality activist group Fight for the Future. "Californians should rise up and demand that at their Assembly members represent them. The actions of this committee are an attack not just on net neutrality, but on our democracy.” According to Greer, the vote passed 8-0, with Democrats joining Republicans to amend the bill."

According to C/Net, more than 24 states are considering net neutrality legislation to protect their residents:

"... New York, Connecticut, and Maryland, are also considering legislation to reinstate net neutrality rules. Oregon and Washington state have already signed their own net neutrality legislation into law. Governors in several states, including New Jersey and Montana, have signed executive orders requiring ISPs that do business with the state adhere to net neutrality principles."

So, we have AT&T (plus politicians more interested in corporate donors than their constituents, the FCC, President Trump, and probably other telecommunications companies) to thank for this mess. What do you think?


Several States Updated Their Existing Breach Notification Laws, Or Introduced New Laws

Given the increased usage of data in digital formats, new access methods, and continual data breaches within corporations and governments, several state governments have updated their data breach notification laws, and/or passed new laws:

Alabama

The last state without any breach notification laws, Governor Kay Ivey signed in March the state's first data breach law: the Alabama Data Breach Notification Act of 2018 (SB 318), which became effective on June 1, 2018. Some of the key modifications: a) similar to other states, the law defined the format and types of data elements which must be protected, including health information; b) defined "covered entities" including state government agencies and "third-party agents" contracted to maintain, store, process and/or access protected data; c) requires notification of affected individuals within 45 days, and to the state Attorney General; and d) while penalties aren't mandatory, the law allows civil penalties up to $5,000 per day for, "each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions of this act."

Arizona

Earlier this year, Arizona Governor Doug Ducey signed legislation updating the state's breach notification laws. Some of the key modifications: a) expanded definitions of personal information to include medical or mental health treatment/diagnosis, passport numbers, taxpayer ID numbers, biometric data, e-mail addresses in combination with online passwords and security questions; b) set the notification window for affected persons at 45 days; c) allows e-mail notification of affected persons; d) and if the breach affected more than 1,000 persons, then notification must provided to the three national credit-reporting agencies and to the state Attorney General.

Colorado

Colorado Governor John Hickenloope signed on May 29th several laws including HB-1128, which will go into effect on september 1, 2018. Some experts view HB-1128 as the strongest protections in the country. Some of the key modifications: a) expanded "covered entities" to include certain "third-party service providers" contracted to maintain, store, process and/or access protected data; b) expanded definitions of "personal information" to include biometric data, plus e-mail addresses in combination with online passwords and security questions; c) allows substitute notification methods (e.g., e-mail, post on website, statewide news media) if the cost of basic notification would exceed $250,000; d) allows e-mail notification of affected persons; e) sets the notification window at 30 days, if the breach affected more than 500 Colorado residents; and f) expanded requirements for companies to protected personal information.

Louisiana

Louisiana Governor John Edwards signed in May 2018 an amendment to the state’s Database Security Breach Notification Law (Act 382) which will take effect August 1, 2018. Some of the key modifications: a) expanded definition of ‘personal information’ to include a state identification card number, passport number, and “biometric data” (e.g., fingerprints, voice prints, eye retina or iris, or other unique biological characteristics used to access systems); b) removed vagueness and defined the notification window as within 60 days; c) allows substitute notification methods (e.g., e-mail, posts on affected company's website, statewide news media); and d) tightened required that companies utilizing "computerized data" better protect the information they archive.

South Dakota

The next-to-last state without any breach notification laws, Governor Dennis Daugaard signed into law in March the state’s first breach notification law (SB 62). Like breach laws in other states, it provides definitions of what a breach is, personal information which must be protected, covered entities (e.g., companies, government agencies) subject to the law, notification requirements, and conditions when substitute notification methods (e.g., e-mail, posts on the affected entity's website, statewide news media) are allowed.

To Summarize

New Mexico enacted its new breach notification law (HB 15) in March, 2017. With the additions of Alabama and South Dakota, finally every state has a breach notification law. Sadly, it has taken 16 years. California was the first state to enact a breach notification law in 2002. It has taken that long for other states to catch up... not only catch up with California, but also catch up with technological changes driven by the internet.

California has led the way for a long time. It banned RFID skimming in 2008, co-hosted privacy workshops with the U.S. Federal Trade Commission in 2008, strengthened its existing breach law in 2011, and introduced in 2013 privacy guidelines for mobile app developers. Other states' legislatures can learn from this leadership.

Want to learn more? Detailed reviews of new and updated breach laws are available in the National Law Review website.


Apple To Close Security Hole Law Enforcement Frequently Used To Access iPhones

You may remember. In 2016, the U.S. Department of Justice attempted to force Apple Computer to build a back door into its devices so law enforcement could access suspects' iPhones. After Apple refused, the government found a vendor to do the hacking for them. In 2017, multiple espionage campaigns targeted Apple devices with new malware.

Now, we learn a future Apple operating system (iOS) software update will close a security hole frequently used by law enforcement. Reuters reported that the future iOS update will include default settings to terminate communications through the USB port when the device hasn't been unlocked within the past hour. Reportedly, that change may reduce access by 90 percent.

Kudos to the executives at Apple for keeping customers' privacy foremost.


When "Unlimited" Mobile Plans Are Anything But

My apologies to readers for the 10-day gap in blog posts. I took a few days off to attend a high school reunion in another state. Time passes more quickly than you think. It was good to renew connections with classmates.

Speaking of connections, several telecommunications companies appear to either ignore or not know the meaning of "unlimited" for mobile internet access. 9To5mac reported:

"Not content with offering one ‘unlimited’ plan which isn’t, and a second ‘beyond unlimited’ plan which also isn’t, Verizon has now decided the solution to this is a third plan. The latest addition is called ‘above unlimited’ and, you guessed it, it’s not... The carrier has the usual get-out clause, claiming that all three plans really are unlimited, it’s just that they reserve the right to throttle your connection speed once you hit the stated, ah, limits."

Some of the mobile plans limit video to low-resolution formats. Do you prefer to watch in 2018 low-resolution video formatted to 2008 (or earlier)? I think not. Do you want your connection slowed after you reach a data download threshold? I think not.

I look forward to action by the U.S. Federal Trade Commission (FTC) to enforce the definition of "unlimited," since the "light-touch" regulatory approach by the Federal Communications Commission (FCC) means that the FCC has abandoned its duties regarding oversight of internet service providers.

Caveat emptor, or buyer beware, definitely applies. Wise consumers read the fine print before purchase of any online services.


Google To Exit Weaponized Drone Contract And Pursue Other Defense Projects

Google logo Last month, protests by current and former Google employees, plus academic researchers, cited ethical and transparency concerns with artificial intelligence (AI) help the company provides to the U.S. Department of Defense for Project Maven, a weaponized drone program to identify people. Gizmodo reported that Google plans not to renew its contract for Project Maven:

"Google Cloud CEO Diane Greene announced the decision at a meeting with employees Friday morning, three sources told Gizmodo. The current contract expires in 2019 and there will not be a follow-up contract... The company plans to unveil new ethical principles about its use of AI this week... Google secured the Project Maven contract in late September, the emails reveal, after competing for months against several other “AI heavyweights” for the work. IBM was in the running, as Gizmodo reported last month, along with Amazon and Microsoft... Google is reportedly competing for a Pentagon cloud computing contract worth $10 billion."


Why Your Health Insurer Doesn’t Care About Your Big Bills

[Editor's note: today's guest post, by the reporters at ProPublica, discusses pricing and insurance problems within the healthcare industry, and a resource most consumers probably are unaware of. It is reprinted with permission.]

By Marshall Allen, ProPublica

Michael Frank ran his finger down his medical bill, studying the charges and pausing in disbelief. The numbers didn’t make sense.

His recovery from a partial hip replacement had been difficult. He’d iced and elevated his leg for weeks. He’d pushed his 49-year-old body, limping and wincing, through more than a dozen physical therapy sessions.

NYU Langone Health logo The last thing he needed was a botched bill.

His December 2015 surgery to replace the ball in his left hip joint at NYU Langone Medical Center in New York City had been routine. One night in the hospital and no complications.

Aetna Inc. logoHe was even supposed to get a deal on the cost. His insurance company, Aetna, had negotiated an in-network “member rate” for him. That’s the discounted price insured patients get in return for paying their premiums every month.

But Frank was startled to see that Aetna had agreed to pay NYU Langone $70,000. That’s more than three times the Medicare rate for the surgery and more than double the estimate of what other insurance companies would pay for such a procedure, according to a nonprofit that tracks prices.

Fuming, Frank reached for the phone. He couldn’t see how NYU Langone could justify these fees. And what was Aetna doing? As his insurer, wasn’t its duty to represent him, its “member”? So why had it agreed to pay a grossly inflated rate, one that stuck him with a $7,088 bill for his portion?

Frank wouldn’t be the first to wonder. The United States spends more per person on health care than any other country. A lot more. As a country, by many measures, we are not getting our money’s worth. Tens of millions remain uninsured. And millions are in financial peril: About 1 in 5 is currently being pursued by a collection agency over medical debt. Health care costs repeatedly top the list of consumers’ financial concerns.

Experts frequently blame this on the high prices charged by doctors and hospitals. But less scrutinized is the role insurance companies — the middlemen between patients and those providers — play in boosting our health care tab. Widely perceived as fierce guardians of health care dollars, insurers, in many cases, aren’t. In fact, they often agree to pay high prices, then, one way or another, pass those high prices on to patients — all while raking in healthy profits.

ProPublica and NPR are examining the bewildering, sometimes enraging ways the health insurance industry works, by taking an inside look at the games, deals and incentives that often result in higher costs, delays in care or denials of treatment. The misunderstood relationship between insurers and hospitals is a good place to start.

Today, about half of Americans get their health care benefits through their employers, who rely on insurance companies to manage the plans, restrain costs and get them fair deals.

But as Frank eventually discovered, once he’d signed on for surgery, a secretive system of pre-cut deals came into play that had little to do with charging him a reasonable fee.

After Aetna approved the in-network payment of $70,882 (not including the fees of the surgeon and anesthesiologist), Frank’s coinsurance required him to pay the hospital 10 percent of the total.

When Frank called NYU Langone to question the charges, the hospital punted him to Aetna, which told him it paid the bill according to its negotiated rates. Neither Aetna nor the hospital would answer his questions about the charges.

Frank found himself in a standoff familiar to many patients. The hospital and insurance company had agreed on a price and he was required to help pay it. It’s a three-party transaction in which only two of the parties know how the totals are tallied.

Frank could have paid the bill and gotten on with his life. But he was outraged by what his insurance company agreed to pay. “As bad as NYU is,” Frank said, “Aetna is equally culpable because Aetna’s job was to be the checks and balances and to be my advocate.”

And he also knew that Aetna and NYU Langone hadn’t double-teamed an ordinary patient. In fact, if you imagined the perfect person to take on insurance companies and hospitals, it might be Frank.

For three decades, Frank has worked for insurance companies like Aetna, helping to assess how much people should pay in monthly premiums. He is a former president of the Actuarial Society of Greater New York and has taught actuarial science at Columbia University. He teaches courses for insurance regulators and has even served as an expert witness for insurance companies.

The hospital and insurance company may have expected him to shut up and pay. But Frank wasn’t going away.

Patients fund the entire health care industry through taxes, insurance premiums and cash payments. Even the portion paid by employers comes out of an employee’s compensation. Yet when the health care industry refers to “payers,” it means insurance companies or government programs like Medicare.

Patients who want to know what they’ll be paying — let alone shop around for the best deal — usually don’t have a chance. Before Frank’s hip operation he asked NYU Langone for an estimate. It told him to call Aetna, which referred him back to the hospital. He never did get a price.

Imagine if other industries treated customers this way. The price of a flight from New York to Los Angeles would be a mystery until after the trip. Or, while digesting a burger, you’d learn it cost 50 bucks.

A decade ago, the opacity of prices was perhaps less pressing because medical expenses were more manageable. But now patients pay more and more for monthly premiums, and then, when they use services, they pay higher co-pays, deductibles and coinsurance rates.

Employers are equally captive to the rising prices. They fund benefits for more than 150 million Americans and see health care expenses eating up more and more of their budgets.

Richard Master, the founder and CEO of MCS Industries Inc. in Easton, Pennsylvania, offered to share his numbers. By most measures MCS is doing well. Its picture frames and decorative mirrors are sold at Walmart, Target and other stores and, Master said, the company brings in more than $200 million a year.

But the cost of health care is a growing burden for MCS and its 170 employees. A decade ago, Master said, an MCS family policy cost $1,000 a month with no deductible. Now it’s more than $2,000 a month with a $6,000 deductible. MCS covers 75 percent of the premium and the entire deductible. Those rising costs eat into every employee’s take-home pay.

Economist Priyanka Anand of George Mason University said employers nationwide are passing rising health care costs on to their workers by asking them to absorb a larger share of higher premiums. Anand studied Bureau of Labor Statistics data and found that every time health care costs rose by a dollar, an employee’s overall compensation got cut by 52 cents.

Master said his company hops between insurance providers every few years to find the best benefits at the lowest cost. But he still can’t get a breakdown to understand what he’s actually paying for.

“You pay for everything, but you can’t see what you pay for,” he said.

Master is a CEO. If he can’t get answers from the insurance industry, what chance did Frank have?

Frank’s hospital bill and Aetna’s “explanation of benefits” arrived at his home in Port Chester, New York, about a month after his operation. Loaded with an off-putting array of jargon and numbers, the documents were a natural playing field for an actuary like Frank.

Under the words, “DETAIL BILL,” Frank saw that NYU Langone’s total charges were more than $117,000, but that was the sticker price, and those are notoriously inflated. Insurance companies negotiate an in-network rate for their members. But in Frank’s case at least, the “deal” still cost $70,882.

With a practiced eye, Frank scanned the billing codes hospitals use to get paid and immediately saw red flags: There were charges for physical therapy sessions that never took place, and drugs he never received. One line stood out — the cost of the implant and related supplies. Aetna said NYU Langone paid a “member rate” of $26,068 for “supply/implants.” But Frank didn’t see how that could be accurate. He called and emailed Smith & Nephew, the maker of his implant, until a representative told him the hospital would have paid about $1,500. His NYU Langone surgeon confirmed the amount, Frank said. The device company and surgeon did not respond to ProPublica’s requests for comment.

Frank then called and wrote Aetna multiple times, sure it would want to know about the problems. “I believe that I am a victim of excessive billing,” he wrote. He asked Aetna for copies of what NYU Langone submitted so he could review it for accuracy, stressing he wanted “to understand all costs.”

Aetna reviewed the charges and payments twice — both times standing by its decision to pay the bills. The payment was appropriate based on the details of the insurance plan, Aetna wrote.

Frank also repeatedly called and wrote NYU Langone to contest the bill. In its written reply, the hospital didn’t explain the charges. It simply noted that they “are consistent with the hospital’s pricing methodology.”

Increasingly frustrated, Frank drew on his decades of experience to essentially serve as an expert witness on his own case. He gathered every piece of relevant information to understand what happened, documenting what Medicare, the government’s insurance program for the disabled and people over age 65, would have paid for a partial hip replacement at NYU Langone — about $20,491 — and what FAIR Health, a New York nonprofit that publishes pricing benchmarks, estimated as the in-network price of the entire surgery, including the surgeon fees — $29,162.

He guesses he spent about 300 hours meticulously detailing his battle plan in two inches-thick binders with bills, medical records and correspondence.

ProPublica sent the Medicare and FAIR Health estimates to Aetna and asked why they had paid so much more. The insurance company declined an interview and said in an emailed statement that it works with hospitals, including NYU Langone, to negotiate the “best rates” for members. The charges for Frank's procedure were correct given his coverage, the billed services and the Aetna contract with NYU Langone, the insurer wrote.

NYU Langone also declined ProPublica’s interview request. The hospital said in an emailed statement it billed Frank according to the contract Aetna had negotiated on his behalf. Aetna, it wrote, confirmed the bills were correct.

After seven months, NYU Langone turned Frank’s $7,088 bill over to a debt collector, putting his credit rating at risk. “They upped the ante,” he said.

Frank sent a new flurry of letters to Aetna and to the debt collector and complained to the New York State Department of Financial Services, the insurance regulator, and to the New York State Office of the Attorney General. He even posted his story on LinkedIn.

But no one came to the rescue. A year after he got the first bills, NYU Langone sued him for the unpaid sum. He would have to argue his case before a judge.

You’d think that health insurers would make money, in part, by reducing how much they spend.

Turns out, insurers don’t have to decrease spending to make money. They just have to accurately predict how much the people they insure will cost. That way they can set premiums to cover those costs — adding about 20 percent to for their administration and profit. If they’re right, they make money. If they’re wrong, they lose money. But, they aren’t too worried if they guess wrong. They can usually cover losses by raising rates the following year.

Frank suspects he got dinged for costing Aetna too much with his surgery. The company raised the rates on his small group policy — the plan just includes him and his partner — by 18.75 percent the following year.

The Affordable Care Act kept profit margins in check by requiring companies to use at least 80 percent of the premiums for medical care. That’s good in theory but it actually contributes to rising health care costs. If the insurance company has accurately built high costs into the premium, it can make more money. Here’s how: Let’s say administrative expenses eat up about 17 percent of each premium dollar and around 3 percent is profit. Making a 3 percent profit is better if the company spends more.

It’s like if a mom told her son he could have 3 percent of a bowl of ice cream. A clever child would say, “Make it a bigger bowl.”

Wonks call this a “perverse incentive.”

“These insurers and providers have a symbiotic relationship,” said Wendell Potter, who left a career as a public relations executive in the insurance industry to become an author and patient advocate. “There’s not a great deal of incentive on the part of any players to bring the costs down.”

Insurance companies may also accept high prices because often they aren’t always the ones footing the bill. Nowadays about 60 percent of the employer benefits are “self-funded.” That means the employer pays the bills. The insurers simply manage the benefits, processing claims and giving employers access to their provider networks. These management deals are often a large, and lucrative, part of a company’s business. Aetna, for example, insured 8 million people in 2017, but provided administrative services only to considerably more — 14 million.

To woo the self-funded plans, insurers need a strong network of medical providers. A brand-name system like NYU Langone can demand — and get — the highest payments, said Manuel Jimenez, a longtime negotiator for insurers including Aetna. “They tend to be very aggressive in their negotiations.”

On the flip side, insurers can dictate the terms to the smaller hospitals, Jimenez said. The little guys, “get the short end of the stick,” he said. That’s why they often merge with the bigger hospital chains, he said, so they can also increase their rates.

Other types of horse-trading can also come into play, experts say. Insurance companies may agree to pay higher prices for some services in exchange for lower rates on others.

Patients, of course, don’t know how the behind-the-scenes haggling affects what they pay. By keeping costs and deals secret, hospitals and insurers dodge questions about their profits, said Dr. John Freedman, a Massachusetts health care consultant. Cases like Frank’s “happen every day in every town across America. Only a few of them come up for scrutiny.”

In response, a Tennessee company is trying to expose the prices and steer patients to the best deals. Healthcare Bluebook aims to save money for both employers who self-pay, and their workers. Bluebook used payment information from self-funded employers to build a searchable online pricing database that shows the low-, medium- and high-priced facilities for certain common procedures, like MRIs. The company, which launched in 2008, now has more than 4,500 companies paying for its services. Patients can get a $50 bonus for choosing the best deal.

Bluebook doesn’t have price information for Frank’s operation — a partial hip replacement. But its price range in the New York City area for a full hip replacement is from $28,000 to $77,000, including doctor fees. Its “fair price” for these services tops out at about two-thirds of what Aetna agreed to pay on Frank’s behalf.

Frank, who worked with mainstream insurers, didn’t know about Bluebook. If he had used its data, he would have seen that there were facilities that were both high quality and offered a fair price near his home, including Holy Name Medical Center in Teaneck, New Jersey, and Greenwich Hospital in Connecticut. NYU Langone is one of Bluebook’s highest-priced, high-quality hospitals in the area for hip replacements. Others on Bluebook’s pricey list include Montefiore New Rochelle Hospital in New Rochelle, New York, and Hospital for Special Surgery in Manhattan.

ProPublica contacted Hospital for Special Surgery to see if it would provide a price for a partial hip replacement for a patient with an Aetna small-group plan like Frank’s. The hospital declined, citing its confidentiality agreements with insurance companies.

Frank arrived at the Manhattan courthouse on April 2 wearing a suit and fidgeted in his seat while he waited for his hearing to begin. He had never been sued for anything, he said. He and his attorney, Gabriel Nugent, made quiet conversation while they waited for the judge.

In the back of the courtroom, NYU Langone’s attorney, Anton Mikofsky, agreed to talk about the lawsuit. The case is simple, he said. “The guy doesn’t understand how to read a bill.”

The high price of the operation made sense because NYU Langone has to pay its staff, Mikofsky said. It also must battle with insurance companies who are trying to keep costs down, he said. “Hospitals all over the country are struggling,” he said.

“Aetna reviewed it twice,” Mikofsky added. “Didn’t the operation go well? He should feel blessed.”

When the hearing started, the judge gave each side about a minute to make its case, then pushed them to settle.

Mikofsky told the judge Aetna found nothing wrong with the billing and had already taken care of most of the charges. The hospital’s position was clear. Frank owed $7,088.

Nugent argued that the charges had not been justified and Frank felt he owed about $1,500.

The lawyers eventually agreed that Frank would pay $4,000 to settle the case.

Frank said later that he felt compelled to settle because going to trial and losing carried too many risks. He could have been hit with legal fees and interest. It would have also hurt his credit at a time he needs to take out college loans for his kids.

After the hearing, Nugent said a technicality might have doomed their case. New York defendants routinely lose in court if they have not contested a bill in writing within 30 days, he said. Frank had contested the bill over the phone with NYU Langone, and in writing within 30 days with Aetna. But he did not dispute it in writing to the hospital within 30 days.

Frank paid the $4,000, but held on to his outrage. “The system,” he said, “is stacked against the consumer.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


What Facebook’s New Political Ad System Misses

[Editor's Note: today's guest post is by the reporters at ProPublica. It is reprinted with permission.]

By Jeremy B. Merrill, Ariana Tobin, and Madeleine Varner, ProPublica

Facebook’s long-awaited change in how it handles political advertisements is only a first step toward addressing a problem intrinsic to a social network built on the viral sharing of user posts.

The company’s approach, a searchable database of political ads and their sponsors, depends on the company’s ability to sort through huge quantities of ads and identify which ones are political. Facebook is betting that a combination of voluntary disclosure and review by both people and automated systems will close a vulnerability that was famously exploited by Russian meddlers in the 2016 election.

The company is doubling down on tactics that so far have not prevented the proliferation of hate-filled posts or ads that use Facebook’s capability to target ads particular groups.

If the policy works as Facebook hopes, users will learn who has paid for the ads they see. But the company is not revealing details about the significant aspect of how political advertisers use its platform — the specific attributes the ad buyers used to target a particular person for an ad.

Facebook’s new system is the company’s most ambitious response thus far to the now-documented efforts by Russian agents to circulate items that would boost Donald Trump’s chances or suppress Democratic turnout. The new policies announced Thursday will make it harder for somebody trying to exploit the precise vulnerabilities in Facebook’s system exploited by the Russians in 2016 in several ways:

First, political ads that you see on Facebook will now include the name of the organization or person who paid for it, reminiscent of disclaimers required on political mailers and TV ads. (The ads Facebook identified as placed by Russians carried no such tags.)

The Federal Election Commission requires political ads to carry such clear disclosures but as we have reported, many candidates and groups on Facebook haven’t been following that rule.

Second, all political ads will be published in a searchable database.

Finally, the company will now require that anyone buying a political ad in their system confirm that they’re a U.S. resident. Facebook will even mail advertisers a postcard to make certain they’re in the U.S. Facebook says ads by advertisers whose identities aren’t verified under this process will be taken down starting in about a week, and they will be blocked from buying new ads until they have verified themselves.

While the new system can still be gamed, the specific tactics used by the Russian Internet Research Agency, such as an overseas purchase of ads promoting a Black Lives Matter rally under the name “Blacktivist,” will become harder — or at least harder to do without getting caught.

The company has also pledged to devote more employees to the issue, including 3,000-4,000 more content moderators. But Facebook says these will be not be additional hires — they will be included in the 20,000 already promised to tackle various moderation issues in the coming months.

What Is Facebook Missing?

The most obvious flaw in Facebook’s new system is that it misses ads it should catch. Right now, it’s easy to find political ads that are missing from their archive. Take this one, from the Washington State Democratic Party. Just minutes after Facebook finished announcing its launch of the tool, a participant in ProPublica’s Facebook Political Ad Collector project saw this ad, criticizing Republican congresswoman Cathy McMorris Rodgers… but it wasn’t in the database.

And there are others.

The company acknowledged that the process is still a work in progress, reiterating its request that users pitch in by reporting the political ads that lack disclosures.

Even as Facebook’s system gets better at identifying political ads, the company is withholding a critical piece of information in the ads it’s publishing. While we’ll see some demographic information about who saw a given ad, Facebook is not indicating which audiences the advertiser intended to target — categories that often include racial or political characteristics and which have been controversial in the past.

This information is critical to researchers and journalists trying to make sense of political advertising on Facebook. Take, for instance, this ad promoting the environmental benefits of nuclear power, from a group called Nuclear Matters: the group chose specifically to show it to people interested in veganism — a fact we wouldn’t know from looking at the demographics of the users who saw the ad.

Facebook said it considers the information about who saw an ad — age, gender and location — sufficient. Rob Leathern, Facebook’s Director of Product Management, said that the limited demographics-only breakdown “offers more transparency than the intent, in terms of showing the targeting.”

The company is also promising to launch an API, a technical tool which will allow outsiders to write software that would look for patterns in the new ad database. The company says it will launch an API “later this summer” but hasn’t said what data it will contain or who will have access to it.

ProPublica’s own Facebook Ad Collector tool, which also collects political ads spotted on Facebook, has an API that can be accessed by anyone. It also includes the targeting information — which users can also see on each ad that they view.

Facebook said it would not release data about ads flagged by users as political and then rejected by the system. We’re curious about those, and we know firsthand that their software can be imperfect. We’ve attempted to buy ads specifically about our journalism that were flagged as problematic — because the ads “contained profanity,” or were misclassified as discriminatory ads for “employment, credit or housing opportunities” by mistake.

Facebook’s track record on initiatives aimed at improving the transparency of its massively profitable advertising system is spotty. The company has said it’s going to rely in part on artificial intelligence to review ads — the same sort of technology that the company said in the past it would use to block discriminatory ads for housing, employment and credit opportunities.

When we tested the system almost a year after a ProPublica story showed Facebook was allowing advertisers to target housing ads in a way that violated Fair Housing Act protections, we found that the company was still approving housing ads that excluded African-Americans and other “multicultural affinities” from seeing them. The company was pressured to implement several changes to its ad portal and a Fair Housing group filed a lawsuit against the company.

Facebook also plans to rely in part on users to find and report political ads that get through the system without the required disclosures.

But its track record of moderating user-flagged content — when it comes to both hate speech and advertising — has been uneven. Last December, ProPublica brought 49 cases of user-flagged offensive speech to Facebook, and the company acknowledged that its moderators had made the wrong call in 22 of them.

The company admits it's playing a “cat and mouse game” with people trying to pass political ads through their system unnoticed. Just last month, Ohio Democratic gubernatorial candidate Richard Cordray’s campaign ran Facebook ads criticizing his opponent — but from a page called “Ohio Primary Info.”

The need for ad transparency goes way beyond Russian bad actors. Our tool has already caught scams and malware disguised as politics, which users raised as a problem years before Facebook made any meaningful change.

If you flag an ad to Facebook, please report them to us as well by sending an email to political.ads@propublica.org. We will be watching to see how well Facebook responds when users flag an ad.

How Will They Enforce the New Rules?

It’s one thing to create a set of rules, and another to enforce them consistently and on a large scale.

Facebook, which kept its content moderation and hate speech policies secret until they were revealed by ProPublica, won’t share the specific rules governing political ad content or details about the instructions moderators receive.

Leathern said the company is keeping the rules secret to frustrate the efforts of “bad actors who try to game our enforcement systems”

Facebook has said it’s looking to flag both electoral ads and those that take a position on its list of twenty “national legislative issues of public importance”. These range from the concrete, like “abortion” and “taxes,” to broad topics like “health” and “values.”

Facebook acknowledges its system will make mistakes and says it will improve over time. Ads for specific candidates are relatively easy to detect. “We’ll likely miss ads when they aim to persuade,” said Katie Harbath, Facebook’s Global Politics and Government Outreach Director.

We plan to keep an eye out for ads that don’t make it into the archive. We’ll be looking for ads that our Political Ad Collector tool finds that aren’t in Facebook’s database.

Want to Help?

We need your help building out our independent database of political ads! If you’re still reading this article, we’re giving you permission to stop and install the Political Ad Collector extension. Here’s what you need to know about how it works.

You can also help us find other people who can install the tool. We are especially in need of people who aren’t ProPublica readers already. We need people from a diverse set of backgrounds, and with different perspectives and political beliefs. Please encourage your friends and relatives — especially the ones you avoid talking politics with — to install it.

Do You Work at a News Outlet and Want to Partner With Us on This?

Awesome. We’re already working with quite a few newsrooms all over the world, including the CBC in Canada, Bridge Magazine in Michigan, The Guardian in Australia and more.

In the U.S., we’re trying to get eyes and ears on the ground in as many local elections as possible. If your readers would be interested in joining our transparency effort, please reach out. We’re happy to send more information about this and our larger Electionland project.

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


FBI Warns Sophisticated Malware Targets Wireless Routers In Homes And Small Businesses

The U.S. Federal Bureau of Investigation (FBI) issued a Public Service Announcement (PSA) warning consumers and small businesses that "foreign cyber actors" have targeted their wireless routers. The May 25th PSA explained the threat:

"The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic... The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer... VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks."

The "VPN" acronym usually refers to a Virtual Private Network. Why use the VPNfilter name for a sophisticated computer virus? Wired magazine explained:

"... the versatile code is designed to serve as a multipurpose spy tool, and also creates a network of hijacked routers that serve as unwitting VPNs, potentially hiding the attackers' origin as they carry out other malicious activities."

The FBI's PSA advised users to, a) reboot (e.g., turn off and then back on) their routers; b) disable remote management features which attackers could take over to gain access; and c) update their routers with the latest software and security patches. For routers purchased independently, security experts advise consumers to contact the router manufacturer's tech support or customer service site.

For routers leased or purchased from an internet service providers (ISP), consumers should contact their ISP's customer service or technical department for software updates and security patches. Example: the Verizon FiOS forums site section lists the brands and models affected by the VPNfilter malware, since several manufacturers produce routers for the Verizon FiOS service.

It is critical for consumers to heed this PSA. The New York Times reported:

"An analysis by Talos, the threat intelligence division for the tech giant Cisco, estimated that at least 500,000 routers in at least 54 countries had been infected by the [VPNfilter] malware... A global network of hundreds of thousands of routers is already under the control of the Sofacy Group, the Justice Department said last week. That group, which is also known as A.P.T. 28 and Fancy Bear and believed to be directed by Russia’s military intelligence agency... To disrupt the Sofacy network, the Justice Department sought and received permission to seize the web domain toknowall.com, which it said was a critical part of the malware’s “command-and-control infrastructure.” Now that the domain is under F.B.I. control, any attempts by the malware to reinfect a compromised router will be bounced to an F.B.I. server that can record the I.P. address of the affected device..."

Readers wanting technical details about VPNfilter, should read the Talos Intelligence blog post.

When consumers contact their ISP about router software updates, it is wise to also inquire about security patches for the Krack malware, which the bad actors have used recently. Example: the Verizon site also provides information about the Krack malware.

The latest threat provides several strong reminders:

  1. The conveniences of wireless internet connectivity which consumers demand and enjoy, also benefits the bad guys,
  2. The bad guys are persistent and will continue to target internet-connected devices with weak or no protection, including devices consumers fail to protect,
  3. Wireless benefits come with a responsibility for consumers to shop wisely for internet-connected devices featuring easy, continual software updates and security patches. Otherwise, that shiny new device you recently purchased is nothing more than an expensive "brick," and
  4. Manufacturers have a responsibility to provide consumers with easy, continual software updates and security patches for the internet-connected devices they sell.

What are your opinions of the VPNfilter malware? What has been your experience with securing your wireless home router?


Federal Watchdog Launches Investigation of Age Bias at IBM

[Editor's note: today's guest post, by reporters at ProPublica, updates a prior post about employment practices. It is reprinted with permission. A data breach at IBM in 2007 led to the creation of this blog.]

IBM logo By Peter Gosselin, ProPublica

The U.S. Equal Employment Opportunity Commission has launched a nationwide probe of age bias at IBM in the wake of a ProPublica investigation showing the company has flouted or outflanked laws intended to protect older workers from discrimination.

More than five years after IBM stopped providing legally required disclosures to older workers being laid off, the EEOC’s New York district office has begun consolidating individuals’ complaints from across the country and asking the company to explain practices recounted in the ProPublica story, according to ex-employees who’ve spoken with investigators and people familiar with the agency’s actions.

"Whenever you see the EEOC pulling cases and sending them to investigations, you know they’re taking things seriously," said the agency’s former general counsel, David Lopez. "I suspect IBM’s treatment of its later-career workers and older applicants is going to get a thorough vetting."

EEOC officials refused to comment on the agency’s investigation, but a dozen ex-IBM employees from California, Colorado, Texas, New Jersey and elsewhere allowed ProPublica to view the status screens for their cases on the agency’s website. The screens show the cases being transferred to EEOC’s New York district office shortly after the March 22 publication of ProPublica’s original story, and then being shifted to the office’s investigations division, in most instances, between April 5 and April 10.

The agency’s acting chair, Victoria Lipnic, a Republican, has made age discrimination a priority. The EEOC’s New York office won a settlement last year from Kentucky-based national restaurant chain Texas Roadhouse in the largest age-related case as measured by number of workers covered to go to trial in more than three decades.

IBM did not respond to questions about the EEOC investigation. In response to detailed questions for our earlier story, the company issued a brief statement, saying in part, "We are proud of our company and its employees’ ability to reinvent themselves era after era while always complying with the law."

Just prior to publication of the story, IBM issued a video recounting its long history of support for equal employment and diversity. In it, CEO Virginia "Ginni" Rometty said, "Every generation of IBMers has asked ‘How can we in our own time expand our understanding of inclusion?’ "

ProPublica reported in March that the tech giant, which has an annual revenue of about $80 billion, has ousted an estimated 20,000 U.S. employees ages 40 and over since 2014, about 60 percent of its American job cuts during those years. In some instances, it earmarked money saved by the departures to hire young replacements in order to, in the words of one internal company document, "correct seniority mix."

ProPublica reported that IBM regularly denied older workers information the law says they’re entitled to in order to decide whether they’ve been victims of age bias, and used point systems and other methods to pick older workers for removal, even when the company rated them high performers.

In some cases, IBM treated job cuts as voluntary retirements, even over employees’ objections. This reduced the number of departures counted as layoffs, which can trigger public reporting requirements in high enough numbers, and prevented employees from seeking jobless benefits for which voluntary retirees can’t file.

In addition to the complaints covered in the EEOC probe, a number of current and former employees say they have recently filed new complaints with the agency about age bias and are contemplating legal action against the company.

Edvin Rusis of Laguna Niguel, a suburb south of Los Angeles, said IBM has told him he’ll be laid off June 27 from his job of 15 years as a technical specialist. Rusis refused to sign a severance agreement and hired a class-action lawyer. They have filed an EEOC complaint claiming Rusis was one of "thousands" discriminated against by IBM.

If the agency issues a right-to-sue letter indicating Rusis has exhausted administrative remedies for his claim, they can take IBM to court. "I don’t see a clear reason for why they’re laying me off," the 59-year-old Rusis said in an interview. "I can only assume it’s age, and I don’t want to go silently."

Coretta Roddey of suburban Atlanta, 49, an African-American Army veteran and former IBM employee, said she’s applied more than 50 times to return to the company, but has been turned down or received no response. She’s hired a lawyer and filed an age discrimination complaint with EEOC.

"It’s frustrating," she said of the multiple rejections. "It makes you feel you don’t have the qualifications (for the job) when you really do."

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


New Commissioner Says FTC Should Get Tough on Companies Like Facebook and Google

[Editor's note: today's guest post, by reporters at ProPublica, explores enforcement policy by the U.S. Federal Trade Commission (FTC), which has become more important  given the "light touch" enforcement approach by the Federal Communications Commission. Today's post is reprinted with permission.]

By Jesse Eisinger, ProPublica

Declaring that "the credibility of law enforcement and regulatory agencies has been undermined by the real or perceived lax treatment of repeat offenders," newly installed Democratic Federal Trade Commissioner Rohit Chopra is calling for much more serious penalties for repeat corporate offenders.

"FTC orders are not suggestions," he wrote in his first official statement, which was released on May 14.

Many giant companies, including Facebook and Google, are under FTC consent orders for various alleged transgressions (such as, in Facebook’s case, not keeping its promises to protect the privacy of its users’ data). Typically, a first FTC action essentially amounts to a warning not to do it again. The second carries potential penalties that are more serious.

Some critics charge that that approach has encouraged companies to treat FTC and other regulatory orders casually, often violating their terms. They also say the FTC and other regulators and law enforcers have gone easy on corporate recidivists.

In 2012, a Republican FTC commissioner, J. Thomas Rosch, dissented from an agency agreement with Google that fined the company $22.5 million for violations of a previous order even as it denied liability. Rosch wrote, “There is no question in my mind that there is ‘reason to believe’ that Google is in contempt of a prior Commission order.” He objected to allowing the company to deny its culpability while accepting a fine.

Chopra’s memo signals a tough stance from Democratic watchdogs — albeit a largely symbolic one, given the fact that Republicans have a 3-2 majority on the FTC — as the Trump administration pursues a wide-ranging deregulatory agenda. Agencies such as the Environmental Protection Agency and the Department of Interior are rolling back rules, while enforcement actions from the Securities and Exchange Commission and the Department of Justice are at multiyear lows.

Chopra, 36, is an ally of Elizabeth Warren and a former assistant director of the Consumer Financial Protection Bureau. President Donald Trump nominated him to his post in October, and he was confirmed last month. The FTC is led by a five-person commission, with a chairman from the president’s party.

The Chopra memo is also a tacit criticism of enforcement in the Obama years. Chopra cites the SEC’s practice of giving waivers to banks that have been sanctioned by the Department of Justice or regulators allowing them to continue to receive preferential access to capital markets. The habitual waivers drew criticism from a Democratic commissioner on the SEC, Kara Stein. Chopra contends in his memo that regulators treated both Wells Fargo and the giant British bank HSBC too lightly after repeated misconduct.

"When companies violate orders, this is usually the result of serious management dysfunction, a calculated risk that the payoff of skirting the law is worth the expected consequences, or both," he wrote. Both require more serious, structural remedies, rather than small fines.

The repeated bad behavior and soft penalties “undermine the rule of law,” he argued.

Chopra called for the FTC to use more aggressive tools: referring criminal matters to the Department of Justice; holding individual executives accountable, even if they weren’t named in the initial complaint; and “meaningful” civil penalties.

The FTC used such aggressive tactics in going after Kevin Trudeau, infomercial marketer of miracle treatments for bodily ailments. Chopra implied that the commission does not treat corporate recidivists with the same toughness. “Regardless of their size and clout, these offenders, too, should be stopped cold,” he writes.

Chopra also suggested other remedies. He called for the FTC to consider banning companies from engaging in certain business practices; requiring that they close or divest the offending business unit or subsidiary; requiring the dismissal of senior executives; and clawing back executive compensation, among other forceful measures.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Privacy Badger Update Fights 'Link Tracking' And 'Link Shims'

Many internet users know that social media companies track both users and non-users. The Electronic Frontier Foundation (EFF) updated its Privacy Badger browser add-on to help consumers fight a specific type of surveillance technology called "Link Tracking," which facebook and many social networking sites use to track users both on and off their social platforms. The EFF explained:

"Say your friend shares an article from EFF’s website on Facebook, and you’re interested. You click on the hyperlink, your browser opens a new tab, and Facebook is no longer a part of the equation. Right? Not exactly. Facebook—and many other companies, including Google and Twitter—use a variation of a technique called link shimming to track the links you click on their sites.

When your friend posts a link to eff.org on Facebook, the website will “wrap” it in a URL that actually points to Facebook.com: something like https://l.facebook.com/l.php?u=https%3A%2F%2Feff.org%2Fpb&h=ATPY93_4krP8Xwq6wg9XMEo_JHFVAh95wWm5awfXqrCAMQSH1TaWX6znA4wvKX8pNIHbWj3nW7M4F-ZGv3yyjHB_vRMRfq4_BgXDIcGEhwYvFgE7prU. This is a link shim.

When you click on that monstrosity, your browser first makes a request to Facebook with information about who you are, where you are coming from, and where you are navigating to. Then, Facebook quickly redirects you to the place you actually wanted to go... Facebook’s approach is a bit sneakier. When the site first loads in your browser, all normal URLs are replaced with their l.facebook.com shim equivalents. But as soon as you hover over a URL, a piece of code triggers that replaces the link shim with the actual link you wanted to see: that way, when you hover over a link, it looks innocuous. The link shim is stored in an invisible HTML attribute behind the scenes. The new link takes you to where you want to go, but when you click on it, another piece of code fires off a request to l.facebook.com in the background—tracking you just the same..."

Lovely. And, Facebook fails to deliver on privacy in more ways:

"According to Facebook's official post on the subject, in addition to helping Facebook track you, link shims are intended to protect users from links that are "spammy or malicious." The post states that Facebook can use click-time detection to save users from visiting malicious sites. However, since we found that link shims are replaced with their unwrapped equivalents before you have a chance to click on them, Facebook's system can't actually protect you in the way they describe.

Facebook also claims that link shims "protect privacy" by obfuscating the HTTP Referer header. With this update, Privacy Badger removes the Referer header from links on facebook.com altogether, protecting your privacy even more than Facebook's system claimed to."

Thanks to the EFF for focusing upon online privacy and delivering effective solutions.


Academic Professors, Researchers, And Google Employees Protest Warfare Programs By The Tech Giant

Google logo Many internet users know that Google's business of model of free services comes with a steep price: the collection of massive amounts of information about users of its services. There are implications you may not be aware of.

A Guardian UK article by three professors asked several questions:

"Should Google, a global company with intimate access to the lives of billions, use its technology to bolster one country’s military dominance? Should it use its state of the art artificial intelligence technologies, its best engineers, its cloud computing services, and the vast personal data that it collects to contribute to programs that advance the development of autonomous weapons? Should it proceed despite moral and ethical opposition by several thousand of its own employees?"

These questions are relevant and necessary for several reasons. First, more than a dozen Google employees resigned citing ethical and transparency concerns with artificial intelligence (AI) help the company provides to the U.S. Department of Defense for Maven, a weaponized drone program to identify people. Reportedly, these are the first known mass resignations.

Second, more than 3,100 employees signed a public letter saying that Google should not be in the business of war. That letter (Adobe PDF) demanded that Google terminate its Maven program assistance, and draft a clear corporate policy that neither it, nor its contractors, will build warfare technology.

Third, more than 700 academic researchers, who study digital technologies, signed a letter in support of the protesting Google employees and former employees. The letter stated, in part:

"We wholeheartedly support their demand that Google terminate its contract with the DoD, and that Google and its parent company Alphabet commit not to develop military technologies and not to use the personal data that they collect for military purposes... We also urge Google and Alphabet’s executives to join other AI and robotics researchers and technology executives in calling for an international treaty to prohibit autonomous weapon systems... Google has become responsible for compiling our email, videos, calendars, and photographs, and guiding us to physical destinations. Like many other digital technology companies, Google has collected vast amounts of data on the behaviors, activities and interests of their users. The private data collected by Google comes with a responsibility not only to use that data to improve its own technologies and expand its business, but also to benefit society. The company’s motto "Don’t Be Evil" famously embraces this responsibility.

Project Maven is a United States military program aimed at using machine learning to analyze massive amounts of drone surveillance footage and to label objects of interest for human analysts. Google is supplying not only the open source ‘deep learning’ technology, but also engineering expertise and assistance to the Department of Defense. According to Defense One, Joint Special Operations Forces “in the Middle East” have conducted initial trials using video footage from a small ScanEagle surveillance drone. The project is slated to expand “to larger, medium-altitude Predator and Reaper drones by next summer” and eventually to Gorgon Stare, “a sophisticated, high-tech series of cameras... that can view entire towns.” With Project Maven, Google becomes implicated in the questionable practice of targeted killings. These include so-called signature strikes and pattern-of-life strikes that target people based not on known activities but on probabilities drawn from long range surveillance footage. The legality of these operations has come into question under international and U.S. law. These operations also have raised significant questions of racial and gender bias..."

I'll bet that many people never imagined -- nor want - that their personal e-mail, photos, calendars, video, social media, map usage, archived photos, social media, and more would be used for automated military applications. What are your opinions?