NPR Podcast: 'The Weaponization Of Social Media'

Any technology can be used for good, or for bad. Social media is no exception. A recent data breach study in Australia listed the vulnerabilities of social media. A study in 2016 found, "social media attractive to vulnerable narcissists."

How have social media sites and mobile apps been used as weapons? The podcast below features an interview of P.W. Singer and Emerson Brooking, authors of a new book, "LikeWar: The Weaponization of Social Media." The authors cite real-world examples of how social media sites and mobile apps have been used during conflicts and demonstrations around the globe -- and continue to be used.

A Kirkus book review stated:

"... Singer and Brooking sagely note the intensity of interpersonal squabbling online as a moral equivalent of actual combat, and they also discuss how "humans as a species are uniquely ill-equipped to handle both the instantaneity and the immensity of information that defines the social media age." The United States seems especially ill-suited, since in the Wild West of the internet, our libertarian tendencies have led us to resist what other nations have put in place, including public notices when external disinformation campaigns are uncovered and “legal action to limit the effect of poisonous super-spreaders.” Information literacy, by this account, becomes a “national security imperative,” one in which the U.S. is badly lagging..."

The new book "LikeWar" is available at several online bookstores, including Barnes and Noble, Powell's, and Amazon. Now, watch the podcast:


'Got Another Friend Request From You' Warnings Circulate On Facebook. What's The Deal?

Several people have posted messages with warnings on their Facebook News Feeds, such as:

"Please do not accept any new Friend requests from me"

And:

"Hi … I actually got another friend request from you yesterday … which I ignored so you may want to check your account. Hold your finger on the message until the forward button appears … then hit forward and all the people you want to forward too … I had to do the people individually. Good Luck!"

Maybe, you've seen one of these warnings. Some of my Facebook friends posted these warnings in their News Feed or in private messages via Messenger. What's happening? The fact-checking site Snopes explained:

"This message played on warnings about the phenomenon of Facebook “pirates” engaging in the “cloning” of Facebook accounts, a real (but much over-hyped) process by which scammers target existing Facebook users accounts by setting up new accounts with identical profile pictures and names, then sending out friend requests which appear to originate from those “cloned” users. Once those friend requests are accepted, the scammers can then spread messages which appear to originate from the targeted account, luring that person’s friends into propagating malware, falling for phishing schemes, or disclosing personal information that can be used for identity theft."

Hacked Versus Cloned Accounts

While everyone wants to warn their friends, it is important to do your homework first. Many Facebook users have confused "hacked" versus "cloned" accounts. A hack is when another person has stolen your password and used it to sign into your account to post fraudulent messages -- pretending to be you.

Snopes described above what a "cloned" account is... basically a second, unauthorized account. Sadly, there are plenty of online sources for scammers to obtain stolen photos and information to create cloned accounts. One source is the multitude of massive corporate data breaches: Equifax, Nationwide, Facebook, the RNC, Uber, and others. Another source is Facebook friends with sloppy security settings on their accounts: the "Public" setting is no security. That allows scammers to access your account via your friends' wide-open accounts lacking security.

It is important to know the differences between "hacked" and "cloned" accounts. Snopes advised:

"... there would be no utility to forwarding [the above] warning to any of your Facebook friends unless you had actually received a second friend request from one of them. Moreover, even if this warning were possibly real, the optimal approach would not be for the recipient to forward it willy-nilly to every single contact on their friends list... If you have reason to believe your Facebook account might have been “cloned,” you should try sending separate private messages to a few of your Facebook friends to check whether any of them had indeed recently received a duplicate friend request from you, as well as searching Facebook for accounts with names and profile pictures identical to yours. Should either method turn up a hit, use Facebook’s "report this profile" link to have the unauthorized account deactivated."

Cloned Accounts

If you received a (second) Friend Request from a person who you are already friends with on Facebook, then that suggests a cloned account. (Cloned accounts are not new. It's one of the disadvantages of social media.) Call your friend on the phone or speak with him/her in-person to: a) tell him/her you received a second Friend Request, and b) determine whether or not he/she really sent that second Friend Request. (Yes, online privacy takes some effort.) If he/she didn't send a second Friend Request, then you know what to do: report the unauthorized profile to Facebook, and then delete the second Friend Request. Don't accept it.

If he/she did send a second Friend Request, ask why. (Let's ignore the practice by some teens to set up multiple accounts; one for parents and a second for peers.) I've had friends -- adults -- forget their online passwords, and set up a second Facebook account -- a clumsy, confusing solution. Not everyone has good online skills. Your friend will tell you which account he/she uses and which account he/she wants you to connect to. Then, un-Friend the other account.

Hacked Accounts

All Facebook users should know how to determine if their Facebook account has been hacked. Online privacy takes effort. How to check:

  1. Sign into Facebook.
  2. Select "Settings."
  3. Select "Security and Login."
  4. You will see a list of the locations where your account has been accessed. If one or more of the locations weren't you, then it's likely another person has stolen and used your password. Proceed to step #5.
  5. For each location that wasn't you, select "Not You" and then "Secure Account." Follow the online instructions displayed and change your password immediately.

I've performed this check after friends have (erroneously) informed me that my account was hacked. It wasn't.

Facebook Search and Privacy Settings

Those wanting to be proactive can search the Facebook site to find other persons using the same name. Simply, enter your name in the search mechanism. The results page lists other accounts with the same name. If you see another account using your identical profile photo (and/or other identical personal information and photos), then use Facebook's "report this profile" link to report the unauthorized account.

You can go one step further and warn your Facebook friends who have the "Public" security setting on their accounts. They may be unaware of the privacy risks, and once informed may change their security setting to "Friends Only." Hopefully, they will listen.

If they don't listen, you can suggest that they at a minimum change other privacy settings. Users control who can see their photos and list of friends on Facebook. To change the privacy setting, navigate to your Friends List page and select the edit icon. Then, select the "Edit Privacy" link. Next, change both privacy settings for, "Who can see your friends?" and "Who can see the people, Pages, and lists you follow?" to "Only Me." As a last resort, you can un-Friend the security neophyte, if he/she refuses to make any changes to their security settings.


New Phone-Based Phishing Scams Can Trick Even Experts. How You Can Avoid Getting Duped

Beware, phone scams are more sophisticated. The pitches are so slick that even some technology experts who know better were tricked into disclosing sensitive personal and payment information. Some phone scams include human callers (called "phishing"), while others include a mix of humans and computer automation (called "vishing").

The Krebs On Security blog listed several examples. Here's one:

"Matt Haughey is the creator of the community Weblog MetaFilter... Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately... Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California. This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip?"

Maybe that struck you as odd, too. Against his better judgment, Haughey continued the phone call and didn't hang up. The caller knew his home address and asked him to verify his mother's maiden name, the 3-digit security code on the back of his card, and his PIN number. Those requests were more clues, too. The bank should know this information.

Like most people, Haughey thought that it was his bank trying to be helpful. Finally, he hung up and called his bank directly. That's when he learned it was a scam. His bank hadn't called.

This example provides several lessons for consumers:

  1. Scam artists are persistent. They will keep calling hoping you'll give in and answer the phone calls.
  2. Scam artists are well armed. Thanks to the recent multitude of massive corporate data breaches (like this one, this one, this one, this one, and/or this one), the bad guys have probably acquired plenty of stolen personal and payment information about consumers. Criminals also buy, sell, and trade stolen data on the dark web. Using the same technologies (e.g., artificial intelligence, open-source online tools) which the good guys use, the bad guys will "spoof" or fake valid phone numbers to pretend to be your bank or financial institution.
  3. A bit of skepticism is healthy. We've all been taught to be polite and to answer the phone when it rings. Scam artists try to exploit this habit. Experts advise consumers to hang up on robocalls. Even if the Caller ID feature on your phone displays a familiar number, hang up and call your bank or financial institution directly. Their phone number is conveniently listed on the back of your credit/debit card. Ask your bank if they called. They probably didn't.
  4. Learn how to spot robocalls acting like humans. If you're curious and have the time, ask a simple question like, "How's the weather where you live?" If the caller ignores your question or provides a canned response, like "I don't have that information" or "I'm sorry. Can you repeat that," then it's probably a robocall. Hang up.
  5. Know scam artists' pitch. It's all about money. They will pretend to be your bank, financial institution, phone company, and/or computer company. (Yes, online scammers have a profile.) Similar to phishing emails, phone scams often include a sense of urgency. They want you to act now... in the moment. Wise consumers do product research and comparison shop before making purchase decisions. The "haste makes waste" advice your parents told you as a youth still applies.

You now know more, so you won't get duped by phone scams.


Why The Recent Facebook Data Breach Is Probably Much Worse Than You First Thought

The recent data breach at Facebook has indications that it may be much worse than first thought. It's not the fact that a known 50 million users were affected, and 40 million more may also be affected. There's more. The New York Times reported on Tuesday:

"... the impact could be significantly bigger since those stolen credentials could have been used to gain access to so many other sites. Companies that allow customers to log in with Facebook Connect are scrambling to figure out whether their own user accounts have been compromised."

Facebook Connect, an online tool launched in 2008, allows users to sign into other apps and websites using their Facebook credentials (e.g., username, password). Many small, medium, and large businesses joined the Facebook Connect program, which was using:

"... a simple proposition: Connect to our platform, and we’ll make it faster and easier for people to use your apps... The tool was adopted by thousands of other firms, from mom-and-pop publishing companies to high-profile tech outfits like Airbnb and Uber."

Initially, Facebook Connect made online life easier and more convenient. Users could sign up for new apps and sites without having to create and remember new sign-in credentials:

"But in July 2017, that measure of security fell short. By exploiting three software bugs, attackers forged “access tokens,” digital keys used to gain entry to a user’s account. From there, the hackers were able to do anything users could do on their own Facebook accounts, including logging in to third-party apps."

On Tuesday, Facebook released a "Login Update," which said in part:

"We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.

Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens. However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out."

So, there is more news, and there are more updates, to come about this. According to the New York Times, some companies' experiences so far:

"Tinder, the dating app, has found no evidence that accounts have been breached, based on the "limited information Facebook has provided," Justine Sacco, a spokeswoman for Tinder and its parent company, the Match Group, said in a statement... The security team at Uber, the ride-hailing giant, is logging some users out of their accounts to be cautious, said Melanie Ensign, a spokeswoman for Uber. It is asking them to log back in — a preventive measure that would invalidate older, stolen access tokens."

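The token check that Facebook's statement describes, and the forced logout that Uber applied, sketched from a third-party app's side as an added example (not code from Facebook, Uber, or this blog). `token_is_valid` is a hypothetical stand-in for the provider's token-inspection call, and the sessions, tokens, and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, Optional


@dataclass
class Session:
    session_id: str
    user: str
    access_token: str      # token this app received from the login provider
    issued_at: datetime    # when this app accepted the token
    active: bool = True


def sweep_sessions(
    sessions: Iterable[Session],
    token_is_valid: Callable[[str], bool],
    force_logout_before: Optional[datetime] = None,
) -> Dict[str, str]:
    """Re-check every active session and log out the ones that fail.

    Two independent controls, matching the two responses in the article:
      * ask the provider whether the stored token is still valid;
      * log out every session older than a cutoff, whatever the provider says.
    Returns a mapping of session_id -> outcome for the audit trail.
    """
    outcome: Dict[str, str] = {}
    for s in sessions:
        if not s.active:
            outcome[s.session_id] = "already_logged_out"
            continue
        # Preventive logout: a stolen token accepted before the cutoff
        # stops working in this app even if it was never detected.
        if force_logout_before is not None and s.issued_at < force_logout_before:
            s.active = False
            outcome[s.session_id] = "logged_out:issued_before_cutoff"
            continue
        try:
            valid = token_is_valid(s.access_token)
        except ConnectionError:
            # Provider unreachable: do not silently treat as valid.
            # Flag the session so it is retried or reviewed.
            outcome[s.session_id] = "unverified:provider_unreachable"
            continue
        if valid:
            outcome[s.session_id] = "kept"
        else:
            s.active = False
            outcome[s.session_id] = "logged_out:token_rejected"
    return outcome


# ---- constructed sample data (not real tokens or users) ----
UTC = timezone.utc
RESET_BY_PROVIDER = {"tok-bob"}      # tokens the provider has reset
PROVIDER_TIMEOUT = {"tok-dave"}      # simulates a failed lookup


def fake_provider_check(token: str) -> bool:
    """Hypothetical stand-in for the provider's token-inspection call."""
    if token in PROVIDER_TIMEOUT:
        raise ConnectionError("provider timeout")
    return token not in RESET_BY_PROVIDER


def demo():
    sessions = [
        Session("s1", "alice", "tok-alice", datetime(2018, 10, 1, tzinfo=UTC)),
        Session("s2", "bob", "tok-bob", datetime(2018, 9, 30, tzinfo=UTC)),
        Session("s3", "carol", "tok-carol", datetime(2018, 9, 20, tzinfo=UTC)),
        Session("s4", "dave", "tok-dave", datetime(2018, 10, 2, tzinfo=UTC)),
    ]
    cutoff = datetime(2018, 9, 28, tzinfo=UTC)  # constructed cutoff date
    return sweep_sessions(sessions, fake_provider_check, cutoff), sessions


if __name__ == "__main__":
    report, _ = demo()
    for sid, result in report.items():
        print(sid, result)
```

An app that never runs a sweep like this keeps honoring a session it created from a token the provider has since reset, which is the gap the planned developer tool was meant to close.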

FTC: How You Should Handle Robocalls. 4 Companies Settle Regarding Privacy Shield Claims

First, it seems that the number of robocalls has increased during the past two years. Some automated calls are in English. Some are in other languages. All try to trick consumers into sending money or disclosing sensitive financial and payment information. Advice from the U.S. Federal Trade Commission (FTC):

Second, the FTC announced a settlement agreement with four companies:

"In separate complaints, the FTC alleges that IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law... The Department of Commerce administers the Privacy Shield framework, while the FTC enforces the promises companies make when joining the framework."

According to the lawsuits, IDmission, a cloud-based services firm, applied in 2017 for Privacy Shield certification with the U.S. Department of Commerce but never completed the necessary steps to be certified under the program. The other three companies each obtained Privacy Shield certification in 2016 but allowed their certifications to lapse. VenPath is a data analytics firm. SmartStart offers employment and background screening services. mResource provides talent management and recruitment services.

Terms of the settlement agreements prohibit all four companies from misrepresenting their participation in any privacy or data security program sponsored by the government. Also:

"... VenPath and SmartStart must also continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order."


Facebook Data Breach Affected 90 Million Users. Users Claim Facebook Blocked Posts About the Breach

On Friday, Facebook announced a data breach which affected about 50 million users of the social networking service. Facebook engineers discovered the hack on September 25th. The Facebook announcement explained:

"... that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app... This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."

Many mobile users will see the message in the image displayed on the right. Facebook said it has fixed the vulnerability, notified law enforcement, turned off the "View As" feature until the breach investigation is finished, and has already reset the access tokens of about 90 million users.

Why the higher number of 90 million and not 50 million? According to the announcement:

"... we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."

So, 90 million users affected and 50 million known for sure. What to make of this? Wait for findings in the completed breach investigation. Until then, we won't know exactly how attackers broke in, what they stole, and the true number of affected users.

What else to make of this? Facebook's announcement skillfully avoided any direct mentions of exactly when the attack started. The announcement stated that the vulnerability was related to a July 2017 change to the video uploading feature. So, the attack could have started soon after that. Facebook didn't say, and it may not know. Hopefully, the final breach investigation report will clarify things.

And, there is more disturbing news.

Some users have claimed that Facebook blocked them from posting messages about the data breach. TechCrunch reported:

"Some users are reporting that they are unable to post [the] story about a security breach affecting 50 million Facebook users. The issue appears to only affect particular stories from certain outlets, at this time one story from The Guardian and one from the Associated Press, both reputable press outlets... some users, including members of the staff here at TechCrunch who were able to replicate the bug, were met with the following error message which prevented them from sharing the story."

Error message displayed to some users trying to post about Facebook data breach.

Well, we now know that -- for better or for worse -- Facebook has an automated tool to identify spam content in real-time. And, this tool can easily misidentify content as spam, which isn't spam. Not good.

Reportedly, this error message problem has been fixed. Regardless, it should never have happened. The data breach is big news. Clearly, many people want to read and post about it. Popularity does not indicate spam. And Facebook owes users an explanation about its automated tool.

Did Facebook notify you directly of its data breach? Did you get this spam error message? How concerned are you? Please share your experience and opinions below.


Uber To Pay $148 Million To Settle Lawsuits And Coverup From Its 2016 Data Breach

California-based Uber Technologies, Inc. has agreed to pay $148 million to settle lawsuits by several states' attorneys general regarding the ride-sharing service's massive data breach in 2016 where hackers stole information about 57 million Uber customers and drivers worldwide, including 600,000 U.S. driver's license numbers. The breach problems were compounded by allegations that Uber paid the hackers $100,000 for their silence, and by the company's failure to notify both state agencies and affected consumers about the breach.

Josh Shapiro, the Attorney General (AG) for the State of Pennsylvania, announced on Wednesday the settlement agreement, which includes a coalition of 51 state AGs:

"In November 2016, Uber learned that hackers had gained access to some personal information Uber maintains about its drivers, including drivers’ license information for about 600,000 drivers nationwide. Instead of reporting the breach to law enforcement and impacted individuals, Uber tracked down the hackers and obtained assurances that the hackers deleted the information – and made payments to ensure their silence... Since some of the compromised information – specifically driver’s license numbers – is considered personally identifiable information (PII), Uber was required to notify impacted individuals under the Pennsylvania Breach of Personal Information Notification Act. However, Uber failed to report the breach until November 2017."

13,500 Uber drivers in Pennsylvania were affected by the breach. Pennsylvania's share of the total payment is $5.7 million. Each Uber driver in Pennsylvania will receive $100.

48 states have data breach notification laws requiring various levels of notifications to both state officials and affected consumers, who need notice in order to take action to protect themselves and their sensitive personal and payment information.

Massachusetts' share of the total payment is $7.1 million, of which $6.5 million will be distributed to the Commonwealth’s General fund and $600,000 will be used to assist consumers and businesses. Massachusetts AG Maura Healey said:

"Uber failed to immediately report this data breach and tried to pay hush money to hackers. This settlement should be a lesson to other businesses that consumers have a right to know when their personal information has been compromised."

California's share of the total payment is $26 million. California AG Xavier Becerra said:

"Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."

San Francisco District Attorney George Gascon said:

"We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy. This settlement today demonstrates what happens when all of us in law enforcement work together. My office will continue to collaborate closely with the Attorney General to protect consumers both in San Francisco, and the rest of California."

Terms of the settlement agreement require Uber and its executives to:

"1. Implement and maintain robust data security practices.
2. Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
3. Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
4. Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
5. Report any data security incidents to states on a quarterly basis for two years.
6. Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training".

Uber and its executives have a long history of sketchy behavior including the 'Greyball' worldwide program by executives to thwart code enforcement inspections by governments, dozens of employees fired or investigated for sexual harassment, a lawsuit describing how the company's mobile app allegedly scammed both riders and drivers, and privacy abuses with the 'God View' tool.

This breach settlement is another reminder that Uber and its executives deserve close monitoring and supervision.


Voting in America Is NUTS. Here’s How to Plan Ahead.

[Editor's note: during the last two years, the voting process has changed in many areas in the United States. Today's guest post by reporters at ProPublica explains the changes, and provides advice for voters. It is reprinted with permission.]

By Cynthia Gordy Giwa, ProPublica

Hi, welcome back! Since last time, you’ve learned how online political advertising gets targeted to you, and you had a peek at ads aimed at other people (or ads that campaigns don’t want you to see).

This week, let’s get you ready to vote. There are three key questions you should ask:

  1. Are you registered to vote?
  2. Do you know where your polling place is?
  3. Do you know what you need to bring with you?

The answers aren’t as straightforward as you might think. With 50 states and more than 10,000 voting jurisdictions that run elections different ways, answering even these basic questions can get tricky. Oh, and since the 2016 election, state legislatures have enacted more than 500 new voting laws. This means almost every state has changed something about its voting process. Our patchwork voting system isn’t just confusing for you, the voter. It also makes it hard to keep track of how well our elections are actually being run.

Welcome to Electionland

(Hey, now — no Electionland slander on my watch! I promise, this’ll be a good time.)

Electionland, a coalition of hundreds of newsrooms around the country, is working to change this. Its reporters monitor problems that can stop voters from casting their ballots, like changed voting locations, flyers with false information, voter purges, broken machines and hacking. Led by ProPublica, Electionland uses data and technology to track problems, in real time, at every stage of the voting process.

We’ll talk more about what those problems look like and what they might mean for your community. In the meantime, let’s make sure you’re set for November.

So, Are You Registered?

You’ve still got time to make this voting thing official! If you’re not registered to vote, you can learn more about how to fix that through your state’s elections website.

Even if you’re pretty sure you’ve handled it already, take a moment to get 100 percent certain. On the morning of New York’s primary elections in September, we saw a whole frenzy of tweets like this...

And this...

As WNYC’s Gothamist, an Electionland partner, reported, an untold number of voters arrived at their polling sites only to find their names mysteriously missing from the rolls, or their registration transferred to new districts. Election officials regularly clean up their voter rolls to get rid of inactive voters who have died or moved and forgotten to update their information. But mistakes are often made, and active voters can get swept off the rolls too.

Vote.org has a handy tool that lets you verify your voter registration in seconds.

Absentee Voting

If you’re an out-of-state college student, you can register to vote either in your home state or where you attend college. If you decide to register in your home state, you’ll need to request an absentee ballot, which you receive by mail before the election.

Also called mail-in voting, absentee voting trips up a lot of students. In a recent study, 23 percent of students cited not getting an absentee ballot in time as their reason for not voting. Don’t let this be you!

Absentee voting isn’t just for college students, though. You may also need mail-in voting if you:

  • are out of your county on Election Day
  • are sick or have a physical disability that makes it hard to get to the polls
  • are active duty in the U.S. military
  • work a required shift that coincides with polling hours

The rules for absentee ballots, and who is allowed to use them, vary based on where you live. (That patchwork voting system strikes again!)

  • 20 states require you to give them a good reason for voting absentee
  • 27 states and the District of Columbia let you do it without giving an excuse.
  • And, fun fact: in Colorado, Oregon and Washington, everyone votes by mail.

If you want to request an absentee ballot, you should request it early — election offices are slammed in the weeks before Election Day. Your secretary of state’s website has more details about the local rules and deadlines.

There are also 37 states that offer some kind of early voting. Again, your secretary of state’s website has more details about the local rules and deadlines.

Where to Go on Election Day…

Next, you should look up your polling place. Even if you’ve voted recently, polling locations change, so just showing up wherever you voted the last time might not work out. Double check on the official site of your secretary of state.

When you actually hit the polls, you might face long lines — sometimes as a sign of problems at your location, sometimes as a sign of voter enthusiasm. In Maricopa County, Arizona, where some voters waited in lines up to two hours during this year’s primaries, the Arizona Republic (an Electionland partner) found that it was a little of both. Be prepared!

… And What to Bring

If you’re a first-time voter, you are required to show identification at the polls. And in some states, all voters have to present ID. But what you’ll need to bring varies by state. Sometimes drastically.

Strict Photo ID

Some states require voters to show government-issued photo identification, like a driver’s license or U.S. passport.

Strict Non-Photo ID

In some states, non-photo ID with your name and address, such as a utility bill or bank statement, is required.

Non-Strict Voter ID

Then there are the states that request either of these forms of ID, but it’s not required for you to vote.

Under this category, you can still vote through alternative options like signing an identity affidavit, having election officials vouch for your identity or voting on a provisional ballot that is double-checked by your local election officials. (But, like all things on Nov. 6, options come down to the state.)

No Document Required to Vote

Finally, in some states, you don’t have to show any ID at all! Unless you’re a first-time voter. Then you do. 🙃

You can learn more about the nuances of your state’s special brand of voter ID requirements at your secretary of state’s site.

To Recap:

Homework and Additional Reading

Don’t forget, Electionland is monitoring the voting experience nationwide, and we’re inviting you to help. If you had problems completing any of the steps in this guide, we want to hear about it.

From now through Election Day, you can tell us about voting problems in your area. In 2016, nearly 4,000 voters reported problems they experienced or saw to Electionland, from names incorrectly missing from the voter rolls to shady information shared online. We’re listening!

Check out a few of Electionland’s latest investigations:

We’re getting off to a great start. Next week’s topic: what your current representatives actually stand for. I can’t wait to share more with you then!

Cynthia Gordy Giwa, Proud ProPublican

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Amid Accusations of Age Bias, IBM Winds Down a Push for Millennial Workers

[Editor's note: today's post, by reporters at ProPublica, updates a prior post about corporate hiring. A data breach in 2007 at IBM resulted in the creation of this blog. Today's post is reprinted with permission.]

By Peter Gosselin and Ariana Tobin, ProPublica

Faced with a mounting pile of lawsuits accusing it of age discrimination — the latest, a class action, was filed this week in federal district court in New York — tech giant IBM appears to be winding down its Millennial Corps, an internal network of young employees that’s been cited in several legal complaints as evidence of the company’s bias toward younger workers.

ProPublica reported in March that IBM, which had annual revenue of $79 billion in 2017, had ousted an estimated 20,000 U.S. employees ages 40 or older in the past five years, in some instances using money saved from the departures to hire young replacements to, in the words of an internal company document, “correct seniority mix.”

IBM deployed several strategies to attract younger workers, establishing a digital platform catering to millennials, a blog called “The Millennial Experience,” a Twitter account, @IBMillennial, as well as creating the Millennial Corps, whose members company executives pledged to consult about major business moves. The Corps was featured in a 2016 FastCompany piece titled “These Millennials Have Become the Top Decision Makers at IBM.”

But company sources said this week that the internal millennial platform has had almost no entries in recent months and the only posting on the blog dates from at least a year ago. There have been no recent tweets from @IBMillennial. At least one of the Millennial Corps founders quoted in the FastCompany story about the network has left the company, as have several of those listed as Millennial Corps “ambassadors” on the internal platform.

An IBM spokesman did not respond to questions on the status of the Millennial Corps.

The class action was filed Monday on behalf of three former IBM employees who say the company discriminated against them based on their age by ousting them from their jobs and refusing to hire them for other slots. The complaint cites ProPublica’s article extensively in accusing IBM of “systematically laying off older employees in order to build a younger workforce.” The suit was filed by Boston lawyer Shannon Liss-Riordan, who has represented workers against such tech behemoths as Amazon, Google and Uber.

IBM responded to the filing by saying it has done nothing wrong in retooling its workforce to meet the challenges of an evolving tech landscape.

“Changes in our workforce are about skills, not age,” company spokesman Edward Barbini said in a statement. “In fact, since 2010 there is no difference in the age of our U.S. workforce.”

This week’s class action suit follows lawsuits filed against IBM on behalf of individuals in California, Georgia and Texas, as well as a nationwide investigation of age bias at the company by the U.S. Equal Employment Opportunity Commission, which administers the nation’s workplace anti-discrimination laws.

The Texas case, filed by 60-year-old former sales executive Jonathan Langley, accuses the company of laying him off after 24 years because of his age. In court papers, he said IBM “devoted countless millions of dollars to its effort to rebrand as a hip, Millennial-centric tech company” by, among other things, establishing the Millennial Corps.

An IBM spokesman has said the company will defend the Langley case vigorously and complies with all applicable laws.

The new class-action complaint is somewhat narrower than it at first appears, a reflection of complexities in the laws against age discrimination and legal protections IBM has erected for itself.

At the moment, the complaint seeks the right to represent older ex-IBM employees in just two states, California and North Carolina. Ex-employees in other states would have to sign up, or affirmatively opt in, to be covered. Liss-Riordan said in an email that individuals from other states could be added to the class if other plaintiffs emerge.

In addition, the class action filed this week only seeks to represent ex-IBM employees who did not sign the company’s separation agreement when they were ousted.

ProPublica reported in March that IBM regularly denies older workers being laid off information that federal law says they’re entitled to in order to decide whether they have been victims of age bias. It does so by making severance pay contingent on departing employees signing separation agreements in which they give up their right to sue, and can then only pursue age claims through secret, individual arbitration.

Even with these limits on potential plaintiffs, experts on employment said the legal actions could have a substantial effect on IBM.

“If a judge approves class-action status, or any of the age-discrimination lawsuits filed against IBM recently proceed, the company is going to face a costly fight defending its treatment of older workers,” said Jeffrey Young, an Augusta, Maine, lawyer who has successfully sued major employers for age bias but isn’t representing any of the plaintiffs in the IBM cases.



The Overlooked Weak Link in Election Security

[Editor's note: today's guest post, by reporters at ProPublica, discusses voting and elections security within the United States. It is reprinted with permission.]

By Jack Gillum and Jessica Huseman, ProPublica

More than one-third of counties that are overseeing elections in some of the most contested congressional races this November run email systems that could make it easy for hackers to log in and steal potentially sensitive information.

A ProPublica survey found that official email accounts used by 11 county election offices, which are in charge of tallying votes in 12 key U.S. House of Representatives races from California to Ohio, could be breached with only a user name and password — potentially allowing hackers to vacuum up confidential communications or impersonate election administrators. Cybersecurity experts recommend having a second means of verifying a user’s identity, such as typing in an additional code from a smartphone or card, to thwart intruders who have gained someone’s login credentials through trickery or theft. This system, known as two-factor verification, is available on many commercial email services.

“Humans are horrific at creating passwords, which is why ‘password’ is the most commonly used password,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., who has pushed for security fixes in the voting process. “This means increasingly we need something other than passwords to secure access to our accounts, especially email, which tends to undergird all our other accounts.”

The email vulnerabilities emerged in ProPublica’s survey of election security in 27 counties encompassing all or part of roughly 40 congressional districts that the Cook Political Report has said are toss-ups. These contests could determine if Democrats take control of the U.S. House of Representatives, where the party needs to pick up about two dozen seats to flip the current Republican majority. Of the 12 districts in counties with less protected email systems, Republicans are seeking re-election in 10. The other two are open seats where incumbents are stepping down.

Much attention has focused on the potential to hack voting machines. In the “Voting Village” at the Def Con security conference this summer in Las Vegas, hackers sought to compromise a handful of machines. But lax protections for internet-connected systems like email servers may pose just as serious a threat.

The lack of two-factor verification may have helped Russian hackers ultimately gain access to the Democratic National Committee’s network in April 2016, according to a federal indictment. Prosecutors say a Democratic campaign employee unwittingly put her password into a spearphishing email – a targeted message meant to dupe users into sharing their login information. Russian hackers also tricked John Podesta, Hillary Clinton’s campaign chairman, into handing over his password, enabling an embarrassing leak of his emails weeks before the election.

Even a program created by the Kansas secretary of state’s office to prevent voter fraud was vulnerable to snooping, ProPublica reported last year. The program, Crosscheck, sought to identify voters casting ballots in more than one state by comparing the rolls across states. But its files were hosted on an insecure server, and program officials regularly shared user names and passwords—many of them overly simplistic—for the site by email as late as 2017. Crosscheck paused operations in 2018 because of concerns about security and accuracy, and it is unclear when it will begin matching rolls again. The Kansas Secretary of State’s office did not return a request for comment.

A different kind of cyber-attack in 2016 manipulated the software code behind Illinois’ voter-registration system to expose the personal details of thousands of people. Matt Dietrich, a spokesman for the state board of elections, said the flaws that allowed the penetration have been fixed. Special counsel Robert Mueller charged 12 Russians this past July in connection with an unspecified breach that Illinois officials said was very likely the attack on the voter registration database.

“This wasn’t about to steal votes, but to create havoc,” Dietrich said. “If you can steal a voter database, and then go in and mess up the poll books that election judges rely on to check off voters, that’s going to be the story: That the United States can’t run a competent election.”

Using a checklist developed by Harvard’s Belfer Center for Science and International Affairs, ProPublica asked county election officials about their email systems, as well as about cybersecurity protections for voting machines and computers that check in voters at polling sites. Voter registration is generally handled at the state level, while counties administer elections and are responsible for protecting voting machines and verifying end-of-night vote tallies that determine winners.

Funded by local taxes, counties are generally run by elected commissioners and often have centralized IT staff overseeing email services for departments ranging from the medical examiner to public works. As a result, elections officials have to compete for IT resources and attention.

Most of the counties interviewed said they had bulletproofed their computer systems and voting equipment. Joel Miller, an election official in Linn County, Iowa, said the county has recently put in place two-factor authentication requirements for its email systems. “We all need minimum standards for network security,” he said. “We weren’t up to date until recently.”

The counties with vulnerable email systems ranged in population from Orange County, California, with 3.1 million people to Olmsted County, Minnesota, with 155,000. Orange County elections director Neal Kelley said he’d prefer to have two-factor authentication. It hasn’t been implemented yet, but is “on the short horizon,” he said. There are two toss-up House races in Orange County.

Noah Praetz, the director of elections for Cook County, Illinois, except the city of Chicago, said his office “lacks a little bit of control” when it comes to changing IT systems because the county-run network serves more than 24,000 employees. He said the county government doesn’t require two-factor authentication for employees to log into emails.

One county reported two problems. Fayette County, Kentucky, which includes Lexington, told ProPublica its electronic voting machines don’t produce a separate paper trail for voters to verify their choices. Nor does it use two-factor authentication on its email system. Fayette, one of the state’s largest counties, is home to a chunk of Kentucky’s 6th congressional district, where a once-safe Republican incumbent is facing an unexpectedly competitive challenger.

Don Blevins, the Fayette elections chief, told ProPublica his county is not at risk for an email hack that would affect voting or registration. “I don’t question that two-factor authentication is better,” he said, but added, “Since we don’t use email to conduct voting, nor voter registration, then the level of security is moot.”

Besides Orange, Olmsted, Cook, and Fayette, the counties without two-factor authentication were: Arapahoe County, Colorado; Linn County, Hennepin County, and Dakota County, Minnesota; Hamilton County, Ohio; King County, Washington; and Harris County, Texas.

Some counties have secured their emails but had other shortcomings. Shawnee County, Kansas, said it doesn’t yet have countermeasures to stop hackers from bringing down its website by overloading it with malicious traffic. If such a denial-of-service attack takes the site offline, election commissioner Andrew Howell said, officials would instead publish election results on social media.

Five of the 27 counties surveyed did not respond to multiple emails or phone calls from ProPublica: Polk County, Iowa; St. Louis County, Minnesota; Ocean County and Essex County, New Jersey; and Oneida County, New York.

U.S. law enforcement officials and cybersecurity experts have been working with states in the months leading up to the November midterms to improve election security. States are using some of the $380 million in newly earmarked federal funds to test for vulnerabilities and recruit and train IT staff, according to congressional testimony from the National Association of Secretaries of State.

Fixing technical problems isn’t cheap, and county governments have had to make hard choices when prioritizing spending. Tammy Patrick, a former election administrator in Arizona and now a senior adviser at the nonprofit Democracy Fund, said counties may consider it more urgent to replace outdated voting machines than to fix email systems.

That said, even short-lived IT security problems may have a corrosive effect on public trust in the accuracy of ballot results. “The last thing you want to do on Election Day is face problems you could have easily dealt with before then,” Hall, the technologist, said. “Officials will dismissively say, ‘It hasn’t happened to us.’ But with that attitude, you’re building a castle on sand.”

Ally Levine, Lilia Chang and Blake Paterson contributed to this report.



Tips For Parents To Teach Their Children Online Safety

Today's children often use mobile devices at very young ages... four, five, or six years of age. And they don't know anything about online dangers: computer viruses, stalking, cyber-bullying, identity theft, phishing scams, ransomware, and more. Nor do they know how to read terms-of-use and privacy policies. It is parents' responsibility to teach them.

NordVPN, a maker of privacy software, offers several tips to help parents teach their children about online safety:

"1. Set an example: If you want your kid to be careful and responsible online, you should start with yourself."

Children watch their parents. If you practice good online safety habits, they will learn from watching you. And:

"2. Start talking to your kid early and do it often: If your child already knows how to play a video on Youtube or is able to download a gaming app without your help, they also should learn how to do it safely. Therefore, it’s important to start explaining the basics of privacy and cybersecurity at an early age."

So, long before having the "sex talk" with their children, parents should have the online safety talk. Developing good online safety habits at a young age will help children throughout their lives, especially as adults:

"3. Explain why safe behavior matters: Give relatable examples of what personal information is – your address, social security number, phone number, account credentials, and stress why you can never share this information with strangers."

You wouldn't give this information to a stranger on a city street. The same applies online. That also means discussing social media:

"4. Social media and messaging: a) don’t accept friend requests from people you don’t know; b) never send your pictures to strangers; c) make sure only your friends can see what you post on Facebook; d) turn on timeline review to check posts you are tagged in before they appear on your Facebook timeline; e) if someone asks you for some personal information, always tell your parents; f) don’t share too much on your profile (e.g., home address, phone number, current location); and g) don’t use your social media logins to authorize apps."

These are the basics. Read the entire list of online safety tips for parents by NordVPN.


A Free Press Works For All of Us

[Editor's note: after repeated claims since 2017 by President Trump accusing journalists of being "the enemy of the people," more than 300 local and national newspapers responded during August. Today's guest post includes ProPublica's response. It is reprinted with permission.]

By Stephen Engelberg, Editor-in-Chief, ProPublica

ProPublica does not have an editorial page, and we have never advocated for a particular policy to address the wrongs our journalism exposes. But from the very beginning of our work more than a decade ago, we have benefited enormously from the traditions and laws that protect free speech. And so today, as the nation’s news organizations remind readers of the value of robust journalism, it seems fitting to add our voice.

ProPublica specializes in investigative reporting — telling stories with “moral force” that hold government, businesses and revered institutions to account. There are few forms of journalism more vulnerable to pressure from the powerful. What we publish can change the outcome of elections, reverse policies, embarrass police or prosecutors and cost companies boatloads of money. The main subjects of our work, in most cases, would much prefer that our reporting never appear or be substantially watered down.

The framers of our Constitution fully understood the importance of protecting a robust, sometimes raucous press. It is no coincidence that the very first amendment begins, “Congress shall make no law ... abridging the freedom of speech, or of the press.” They had lived under a system in which a powerful monarch could use the law of seditious libel to accomplish the 18th-century version of “lock her up.” They wanted no part of it.

In the 21st century, journalism — at least as practiced on cable television — is becoming a craft in which partisans put forth or omit facts to advance their preferred political perspective. Those who bring to light uncomfortable truths are dismissed as “fake news” or, in our case, the work of the “Soros-funded” ProPublica, the all-purpose, vaguely anti-Semitic epithet meant to connote left-wing bias. (For the record, George Soros’s Open Society Foundations fund less than 2 percent of our operations.)

We have covered Presidents George W. Bush, Barack Obama and Donald Trump. We’re proud to say that we’ve annoyed them all with journalism that revealed serious shortcomings. We revealed that Bush had granted pardons to nearly four times as many white applicants as blacks; we ceaselessly hammered Obama for his failure to provide mortgage relief he’d promised ordinary homeowners; and we’ve vigorously covered Trump’s crackdown on immigrants, notably disclosing an audio recording of wailing children in a shelter. Democrats and Republicans have come under our scrutiny. We disclosed how California’s Democrats had manipulated the state’s redistricting process; however, we also reported that Republicans had used dark money and redistricting in other states to win the House in 2012, even though GOP congressional candidates won far fewer votes in aggregate than Democrats.

Journalists inevitably make mistakes along the way, and we’ve had our share at ProPublica. But the argument advanced by Trump and his allies — that journalists are the “enemy of the people” who sit around making up fake stories to undermine his administration — is palpably false. In fact, to use a word we have shied away from in our coverage, it’s a lie. And the president knows it.

For our part, we’re both proud and pleased to live in a country where one can still say that.
