
23 posts from June 2010

Readers Report Receiving Travel Rewards Letters From Larson Keller

Last month, I wrote this blog post about a snail-mail letter my wife received from Shelton & White. It seems that Shelton & White is now using a different name. One reader, Linda, wrote:

"I just got this same exact letter in Los Angeles, only from a company called 'Larson Keller'"

Another reader, Scott, wrote:

"Just received a letter today - Larson Keller. Same exact language. Hand written address, post marked from Arizona..."

If you check the Better Business Bureau website, you will see the list of names the company has used.


Video: Submitting an Identity Theft Complaint With the FTC

You've been scammed or ripped off. Perhaps, criminals have taken out fraudulent loans in your name. Or criminals have committed crimes using your stolen identity information after a data breach by your (current or former) employer. What can you do?

First, contact local law enforcement. Second, monitor your credit reports for fraudulent entries. Third, file a complaint with the U.S. Federal Trade Commission. Why file a complaint with the FTC? Because the FTC uses complaint statistics to focus its enforcement actions and the rules and regulations it develops to govern corporate commerce. In short, to protect consumers.

The FTC produced this video to help consumers:

Browse more videos by the FTC.


Smartphones: Plenty To Consider Before Purchase

On Saturday, I accompanied a friend, Arlene, to a local Verizon store to help with a smartphone purchase. Besides helping a friend, I was interested in learning about any location tracking services embedded in Verizon's new smartphones, since Apple recently made headlines about the location-based data collection by its iPhone.

My takeaway from the trip is that there is a lot to consider with a smartphone decision, more than just matching a phone's features to your information needs. The considerations can easily overwhelm the average consumer.

Arlene has a four-year-old flip phone and wants to upgrade. As a small business owner, staying in contact with clients and potential clients is important to her when she is out of the office. More importantly, she has organized her contacts on her laptop in two databases; one for businesses and a second for personal. For business reasons, she further organized her business contacts into several groups. Ideally, she wants a smartphone that can replicate this contact structure and information.

We looked at two versions of the new Droid smartphone (one with a physical keyboard and one without), and quickly learned that the phones are unable to organize her contacts as she has them organized on her laptop. While discussing Arlene's needs, I noticed that the average consumer has some new terminology to learn.

Syncing contacts between her phone and laptop, especially after entering new contacts in a smartphone, would result in merging all contacts into a single database. That would require more manual effort by Arlene to separate contacts later on her laptop.

Some people use two smartphones to keep business and personal contacts separate. Arlene wants a single device. During the visit, we talked with both a sales person and the app specialist, who was able to provide more detailed information. Both recommended a Blackberry to Arlene, who sees the Blackberry as old technology since she used an iPhone briefly in a prior job. (The company paid for that iPhone.) She wants something as easy-to-use and intuitive as the iPhone was for her. And she wants to stay on the Verizon network since she has a family calling plan.

Arlene made phone calls with both Droid smartphones to evaluate the sound quality. It is important for consumers to evaluate the phone's interface: the size of the icons, the touch and feel of the virtual keyboard, and how you make selections on the smartphone.

The Droid phone requires Gmail, which Arlene doesn't have and isn't sure she wants to have. We briefly discussed privacy and Gmail since Arlene is highly concerned about her privacy and doesn't want anyone tracking her. Neither Arlene nor the app specialist was aware that Google scans the contents of Gmail messages to serve up targeted ads when people use Gmail webmail:

"Google believes that showing relevant advertising offers more value to users than displaying random pop-ups or untargeted banner ads. In Gmail, users will see text ads and links to related pages that are relevant to the content of their messages... No email content or other personally identifiable information is ever shared with advertisers. In fact, advertisers do not even know how often their ads are shown in Gmail, as this data is aggregated... To ensure a quality user experience for all Gmail users, we avoid showing ads reflecting sensitive or inappropriate content by only showing ads that have been classified as Family-Safe..."

Clearly, some users like targeted ads and some don't. Arlene will likely see targeted ads when using the Droid browser to read Google webmail, unless she opts out. The app specialist directed us to the Gmail site for any issues with Gmail and privacy. We discussed briefly some of the apps on the Droid, and Arlene doesn't plan on using any apps. The app specialist mentioned that some apps use personal data such as the phone's GPS position.

We asked what I thought was a simple question: what's the list of apps for a small business person? The app specialist said there were too many to list and that they change constantly.

My points in raising this privacy issue:

  • How you expect to use a smartphone, including any apps, matters because it may affect your ability to maintain privacy
  • Don't rely on the sales person telling you everything you need to know
  • Like any other service purchase, the important stuff is in the smartphone service contract details
  • That means consumers should closely read the terms of service for the smartphone and calling plan
  • If e-mail or other features from a third-party company are embedded within the smartphone service, the consumer should read those terms of service, too
  • Reputable services offer an opt-out mechanism that is clear and easy to find. The targeted ad opt-out mechanism for Google
  • Many social networking websites and companies are rushing to offer location tracking services (or the less threatening phrase "location-based services"). Consumers need to read the terms of service for this, too

If Verizon's approach is the standard, then a smartphone purchase isn't easy for many consumers. It leaves the consumer to investigate, understand and reconcile all of this information from both Verizon and Google. In my opinion, the purchase should be easier.

The location tracking issue is new and particularly prickly. Congress is debating who should and should not have access to the location-tracking data collected about consumers. Experts say that Congress must reconcile elements of the Electronic Communications Privacy Act (ECPA) of 1986 with the Communications Assistance For Law Enforcement Act (CALEA) of 1994 regarding real-time location-based tracking of consumers.

Clearly, the Droid is Verizon's answer to AT&T and the iPhone, and the Droid has some unique features like the personal WiFi hotspot. In my opinion, it is always wise to read the product and service evaluations at Consumer Reports.

Arlene hasn't made a decision yet. She plans to meet again with the Verizon app specialist and spend more time using the smartphones in the store.

What's your opinion of today's smartphones? Of location-based tracking? Any suggestions for Arlene about how to handle her contacts structure?

[Addendum: a recent study found that 20 percent of Android apps pose a security risk of disclosing consumers' sensitive personal information. That's 1 out of every 5 Android apps. Experts advise consumers to research the developer of an app before downloading that app.]


High School Seniors Need Help With Money Management

I recently wrote about identity theft tips for college graduates. It seems that things are worse with high school seniors.

According to a recent survey by Capital One Financial Corporation, high school seniors benefit greatly from financial education both in the home and at school. Either one alone is not quite enough. The survey found that those seniors with financial education both at home and at school felt significantly more confident about their personal finance skills and knowledge.

The survey also found that nearly half (45 percent) of all high school seniors surveyed said they are unsure or unprepared to manage their own banking and personal finances. Compare that to this: of the students who had a personal finance class, 75 percent said they felt prepared to manage their finances. Another 66 percent rated themselves "highly" or "very" knowledgeable about personal finance, compared to only 30 percent for high school students who didn't have a financial education course.

If this is how high school students without a financial education course rated their confidence, the percentage must be similar for those who haven't learned about identity theft and fraud.

Parents' Involvement Matters

The survey also found:

  • 20 percent of high school students said that they "frequently" discuss money management and personal finance issues with their parents
  • 45 percent said they "sometimes" discuss money management and personal finance with their parents
  • 34 percent said they never discuss money with their parents, or only when necessary
  • Of students that reported frequent discussions, 71 percent rated themselves as "highly" or "very" knowledgeable about personal finance, and 81 percent feel prepared to manage their own finances

Having a Job Helps

The survey also found that having a job during high school helps prepare high school students to manage their money and finances. Of the high school students who already had a job, 72 percent said that their job experience prepared them in some way.

To help parents and young adults, Capital One partnered with Search Institute to create a free multimedia financial literacy program at www.bankit.com. The program helps parents and teens learn practical skills together and avoid common mistakes.


Several States' AGs To Investigate Data Collection By Google Street View

In a press release earlier this week, the office of the State of Connecticut Attorney General announced that it will lead a multistate investigation into the collection of personal information by Google Street View cars. As many as 30 states may join the investigation. Blumenthal said:

"Street View cannot mean Complete View -- invading home and business computer networks and vacuuming up personal information and communications. Consumers have a right and a need to know what personal information -- which could include emails, web browsing and passwords -- Google may have collected, how and why. Google must come clean, explaining how and why it intercepted and saved private information broadcast over personal and business wireless networks."

The investigation will consider what laws may have been broken and whether changes to state and federal statutes are necessary. Some of the questions posed by investigators:

  • Was data collected by Google ever extracted and if so, when and why?
  • How did purportedly unauthorized code -- which captured data broadcast over unencrypted WiFi networks -- become part of a Street View computer program?
  • Who inserted what Google calls unauthorized code into the program and why?
  • Have there been other instances of engineers writing unauthorized code into Google products to capture consumer data? (And if so provide all instances and full details)
  • Why did Google save data it says was accidentally collected?

That list is a good start on the questions that should be asked. I applaud the AGs for taking action. Follow-through is important here.

Earlier this month, Google reported that personal wireless information collected in Austria, Denmark, and Ireland was deleted. Investigations of Google Street View are underway in Canada, Belgium, Britain, the Czech Republic, France, Germany, Italy, Spain and Switzerland.

I have used Google Street View and found it a useful application. The neighborhood in Harlem where I grew up is in Google Street View. As Google said in June in a letter to Congressional representatives:

"Street View is a feature of Google Maps that allows consumers to view 360-degree panoramic street-level photographs. The photographs are taken by cameras mounted on Google’s Street View cars and depict what is visible from the street. WiFi information is not linked with Street View imagery, and Google does not share this WiFi information with third parties... The system detected and collected WiFi network data, including SSID, MAC address, signal strength, data rate, channel of the broadcast, and type of encryption method... Recently, we became aware that we had mistakenly included code in our software that collected samples of “payload data” -- information sent over the network -- from open (unencrypted) networks. Payload data from closed (encrypted) networks was not stored."

That's some significant data collection. The point here is the goal of Street View cars is to shoot video of locations, not capture wireless information. I can see the cars needing to transmit imagery to Google servers, but the broader collection seems way out of bounds.

And if the Google Street View cars' drivers paused in any locations for a period of time -- say at traffic signals, traffic congestion, on the road side to make a phone call or send a text message -- more data must have been collected at those locations.

Questions I have and want answered:

  • I am sure that data collection was more extensive in some locations versus others. Which locations? The talented folks at Google should produce heat maps of its data collection by city, urban area, and residential areas.
  • Did the data collection vary by driver? If so, who?
  • What QA testing was done with the Google Street View cars before the cars were released to enter residential neighborhoods?
  • This data harvesting went on for three years. Nobody at Google noticed the increased server memory storage requirements for this harvested personal information?
  • "Unauthorized code" suggests that an executive approved development of this code for use in a different application. So, who approved development of this code and what different application(s) was it intended for?
  • Companies are required to notify consumers of a data breach, when people not authorized to access/view sensitive personal data do so. What about enforcement of a breach notification to consumers by Google... as required in about 35+ states?
  • Has the "unauthorized code" and data collected been removed from the Google Street View cars, and from data center backup tapes/servers?
  • What assurances can Google provide that "unauthorized code" isn't installed in other Google applications?
  • What steps is Google taking to prevent an event like this from happening again?

Maybe now, Google executives will realize that consumer trust has been broken. That needs fixing.

What questions do you want answered during the investigation?


My ID Alert From Capital One (Product Review)

A few days ago, a representative from Capital One Bank, where I have a credit card account, called me at home about identity theft. The representative was polite and asked if I knew much about the increasing risks of identity theft. Her solution was to sign me up for My ID Alert, a credit monitoring service offered jointly by Capital One Bank and Intersections, Inc.

I listened to her pitch and thanked her for the call. I asked if My ID Alert included medical identity theft coverage. She said it didn't and she didn't know much about that. I mentioned that this was important to me since I am interested in a comprehensive identity protection service that includes credit monitoring, public records monitoring, and medical identity theft protections.

Plus, I was not about to sign up for any credit monitoring service over the phone without, a) understanding what specific services are included in the monthly fee, and b) reviewing the contract terms and conditions. Since writing this blog, I have learned that the important stuff is always listed in the contract terms of a credit monitoring service. If it's not in that document, then it's not provided.

I visited the My ID Alert website to learn more. I had encountered Intersections previously in 2007 when reviewing the Bank of America's Privacy Assist credit monitoring service. A review of My ID Alert would be a good follow-up to see if Capital One negotiated an improved service with new features. The My ID Alert main page:

The My ID Alert credit monitoring service home page

The site was well organized and easy to read. Consumers can quickly find the major features of the service. For $12.99 monthly, subscribers get:

  • Unlimited access to valuable credit tools and your credit score
  • Daily monitoring of your credit files at all 3 credit bureaus
  • Up to $50,000 identity theft insurance with no deductible and at no extra cost

It was easy for me to find and read the website Privacy Policy. It explained that the site uses HTTP browser cookies, but it didn't mention whether or not it uses Flash Cookies. The website probably uses Flash Cookies (a/k/a Local Shared Objects) since it mentions that it works with unnamed third parties.

It was tricky to find the contract terms. First, click the "Enroll Now" button on the home page. On the "Order Form: Step 1" page, there are two links you'll want to use. The first link, "more info," is next to ID Alert and it provides access to summary information in a pop-up window:

The My ID Alert order form page, step 1

The second and more important link, "Print and Review Terms of Use," is further down the page and provides access to the contract terms:

The link to the contract terms on the My ID Alert order form page

Both links should be more accessible to users, ideally on the home page, the FAQ page, and the Privacy Policy page. The contract terms contain critical information consumers need to evaluate the service. It shouldn't be this hard to find important information.

It is important to note that Capital One already sells a credit monitoring service by Intersections: CreditInform Premier. The My ID Alert website didn't mention this, nor did it provide a comparison. So, I developed this brief comparison:

| Item | CreditInform Premier | My ID Alert |
|---|---|---|
| Unlimited access to credit tools and credit score | Yes | Yes |
| Quarterly Notification / credit updates | Yes | Yes |
| Insurance | $20,000 | $50,000 |
| Notify Express. Includes: inquiries to your credit files; new accounts opened; new public records; address changes; changes to public records; changes to account information | Yes. Based on Experian credit report only | No |
| Credit Score (from CreditXpert, Inc., which is not a FICO score) | Yes | Yes |
| Monthly fee | $8.99 | $12.99 |

Then, I read the contract terms more closely and noted some important language about the credit score provided (links added for improved readability):

"Any credit score provided as part of the Service is provided by CreditXpert products. The information used by CreditXpert products is derived from one or more credit reports produced by the major credit reporting agencies, also called credit bureaus... CreditXpert Credit Scores(TM) are provided to help users better understand how lenders evaluate consumer credit reports. Lenders may use a different score to evaluate a person's creditworthiness... Also, CreditXpert Inc. is not connected in any way to Fair Isaac Corporation; the CreditXpert Credit Score is not a so-called FICO(®) score. CreditXpert Inc. does not represent that CreditXpert Credit Scores are identical or similar to any specific credit scores produced by any other company."

I have not heard of CreditXpert before. And, like most consumers I thought that FICO was the only source of credit scores. This is an important disclosure since potential lenders may treat different brands of credit scores differently.

I have not done an analysis of the difference between a credit score from FICO versus CreditXpert. Perhaps a reader has and will add a comment below. So, I can't state what the impact might be on a consumer's credit worthiness. Consumers wanting to purchase a FICO-brand credit score may want to look elsewhere. The website didn't present any testimonials from My ID Alert customers, a helpful feature that could have addressed concerns about the credit score source.

One indicator I use to judge a company's responsiveness to consumers' needs is whether or not the service has built pages on social networking sites like Facebook, Twitter, and YouTube. These are often a rich source of customer opinions and consumer testimonials, if the service does not have a blog site.

I searched and didn't find a My ID Alert page on Facebook, Twitter, or Youtube. This makes me wonder how serious executives at Capital One and Intersections are about reaching consumers. You have to fish where the fish are.

I also browsed the My ID Alert service looking for evidence it offers real-time alerts via e-mail or text messaging. To help me monitor my financial accounts, my bank offers this where I set the threshold amount to trigger an e-mail alert 24/7. The sooner I can discover fraudulent activity, the less money I am likely to lose. So, I look for this in a credit monitoring service. I couldn't find any evidence in the My ID Alert website about whether it offers real-time alerts. So, I assume no.

Should you sign up for My ID Alert? To me, it is a starter credit monitoring service... it is an option for a person who is just learning about identity theft and wants basic coverage. Each consumer's situation is slightly different, so it is always wise to shop around. For example, parents may seek a service that covers several family members. I've reviewed several credit monitoring services in this blog.

As I mentioned above, I seek an identity protection service that is comprehensive... that includes credit monitoring, public records monitoring, and medical identity theft protections. I want the convenience of subscribing to a single service... one-stop shopping.

The My ID Alert service doesn't fit my identity protection needs. And, its price seems high. Yes, you get more insurance but you don't get the Notify Express feature Capital One offers in CreditInform Premier. And, the service Capital One negotiated with Intersections didn't seem much different from Bank of America's offering when I last reviewed it.

What do you think? If you use or have used My ID Alert, please share your experiences. We'd love to hear them.


The Big Banks Plan New And Higher Fees

In the Spring of 2009, this blog warned consumers about banks' plans for huge increases in credit card interest rates. Now, the big banks are planning changes for later this year and early 2011.

In response to both passed and pending financial reform legislation, the major banks are exploring new fees to charge their customers. Some banks are ending free checking accounts for consumers, while others plan to raise the deposit minimum for an account to qualify for free checking. Other banks plan to charge monthly maintenance fees, as much as $15. Some banks are exploring fees for debit card users who don't use their debit cards often. Some banks are planning to charge higher fees for credit reports and credit monitoring services.

If you want to learn more, I suggest these articles:

Experts advise consumers to watch your surface mailbox for notices from your bank, and to read every notice closely. The banks are required by law to notify consumers of changes in fees. Remember, you can bank elsewhere. Move your money to a smaller, local bank or credit union.


Identity Thieves Upgrade Their ATM Skimming Devices

In case you hadn't seen this news report:


As I wrote previously about ATM skimming devices, my advice for consumers:

  • If an ATM machine looks like it has a skimming device attached, use a different ATM machine. Don't try to remove the skimming device. Notify law enforcement and/or the bank.
  • Experts recommend that consumers check their bank statements frequently for fraudulent entries and cash withdrawals, because it is difficult to spot skimming devices
  • Use ATM machines that are in well-lighted, public places
  • Anybody can buy and operate an ATM machine, so I only use ATM machines from my bank. When you use an ATM machine, you are trusting that retail store to keep that ATM machine secure
  • I avoid unfamiliar-looking ATM machines because it is harder to spot an ATM machine that may have a skimming device attached

We Have A Choice

Somewhere Over the Rainbow, as sung by the cast of "Glee" and set to new images:

Some pols and pundits blame "extreme environmentalists" for the BP oil gusher in the Gulf. That is a load of bull. This is one strong reason why I believe both BP and MMS senior executives should go to jail. Do not pass go. Straight to jail for a lengthy stay.

Some pols and pundits want you to believe that the only choice for energy independence is to drill for oil in deep water or shallow water. Not so. We have a choice. I choose moving faster towards clean, renewable energy. What about you?


The United States And Energy Independence

Several pro-oil pols and pundits have criticized President Obama for demonizing BP, the $20 billion escrow account to help oil disaster victims, and using the BP oil disaster to push his energy agenda. Obama's energy agenda? Geez, how quickly some Americans forget:

[Video: "An Energy-Independent Future," The Daily Show With Jon Stewart, www.thedailyshow.com]

Why has the USA failed to secure energy independence? Simply, we are a nation of oil addicts lacking the will to change our ways. Plenty of pols and pundits (invested in the old ways) are quick to tell oil addicts what they want to hear: we can drill our way out of the energy problem.

On Facebook, one person wrote to me saying she doesn't want to change her [oil-based] lifestyle, and that the BP oil spill was an accident comparable to an airplane crash. WTF? In her opinion, accidents happen. By her logic, the pollution of the Gulf and lost livelihoods by Gulf residents is just the consequence of drill-we-must.

I reject that. The era of cheap, easy oil has passed. Gone. Time to face facts. Pollution of the environment does matter. The BP oil disaster in the Gulf proves that. Time to find a better way than drill-we-must. Energy independence and clean, renewable energy sources both matter.

My experience with addicts: they either change and get sober, or go insane. What's your choice?


To Help Consumers, New Credit Card Rules From The Federal Reserve Board

In February of 2009 this blog warned consumers about pending credit card interest rate increases. Yesterday, the Federal Reserve Board (FRB) announced new rules to protect consumers from unreasonable late payment and other penalty fees. The new rules prevent credit card issuers and banks from charging:

  • Penalty fees that are more than $25 for late payments or violations of the account terms
  • Penalty fees that exceed the dollar amount of the transaction. Example: credit card issuers cannot charge a $39.00 fee for a late payment that is higher than the minimum $20 payment. Now, that late payment fee cannot exceed $20.
  • Inactivity fees when consumers don't use their credit cards to make purchases
  • Multiple penalty fees based on a single late payment or other violation of the account terms. Now, banks can charge only a single fee.

In its announcement, the FRB also announced rules to require banks to reevaluate every six (6) months a consumer's credit card interest rate (e.g., the Annual Percentage Rate printed on your monthly statement). The bank must explain why they are increasing the interest rate on your credit card; or lower it within 45 days.

The new rules, which are part of the Credit Card Accountability Responsibility and Disclosure Act of 2009, go into effect on August 22, 2010. I highly recommend that consumers read the FRB pages about the new credit card rules that start in August, and the credit card rules that already started in February 2010.

Will these new rules be enough? Will they protect consumers adequately? What do you think?


Holy Terminator, Batman -- Google is Skynet!

[Editor's Note: I am pleased to feature another post by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Today, Michelle tackles Google and privacy.]

By R. Michelle Green

Have you ever had the experience of wiping up a spill and then realizing the clean spot makes the rest of the table look bad, so now you have to wash the whole table? That’s the way I feel about my recent blog posts. I’ve been looking at more and more things that infringe on our privacy, and now I just have to keep pulling at that thread, even if it unravels my whole sweater... Wow, a Cuisinart of metaphor. Anyhow.

I was patting myself on the back for being Facebook security savvy when a Chicago friend tells me he won’t trust Google with his web and search history. He also opted out of search personalization, where Google puts sites you already like to visit higher in your search query results. The hell you say! Don’t trust Google!? Google is wonderful, Google is my friend! The company’s motto is “Don’t Be Evil,” right?

Google’s gotten a lot of slack from people like me, who love the effectiveness, creativity and style in the tools available online and through text, for personal and professional needs. The search engine is a thing of beauty, no question. But we’ve come a long way (especially in internet years, my friend) from Google’s early statement, underscored on the Corporate Philosophy page last updated September 2009, that all they wanted to do was be the very best search engine they could be.

Let’s examine the evidence. Google CEO Eric Schmidt in a 2007 Wired interview said that Google is no longer first a search company, but an advertising company. In a 2008 CNBC interview with Maria Bartiromo he returned search to primacy, saying it was “even more important…than advertising,” and citing it as critical to end-user happiness. But when CNBC can say that 95% of your profit comes from selling AdWords, make no mistake about it, it’s the company’s priority.

The Business Insider chart below shows advertising’s role as a function of Google revenue over time:

Chart showing Google's revenue sources over time

This gives more credence to Schmidt’s 2007 statement to Wired: Google is advertising (Doubleclick), a social phenomenon (YouTube, Google Chat and Google Groups), an end-user system (Google Apps, Android) and a giant supercomputer. For a company that puts transparency high in its ideals, there is little or no clarity about who owns your web and search history. (Since possession is nine-tenths of the law, I think Google owns it, even if my name’s on it.)

Is that in and of itself evil? It might be nice to have Google organize everything you do online, help you find that hysterical sleeping ancient Pomeranian dog you saw three years ago. So what if they keep it on their own servers? The big sin here isn’t that they do it – others can and do also.

If you are a Comcast 'net user (or Yahoo, or AOL or portals) and stay signed in while you surf, they can associate your actions uniquely with the profile information you offered at sign up, just as Google does with its Gmail users. You might even say they’ve been a little more straightforward about it, offering greater user control with it than the aforementioned web portals. There’s a dash of hubris and a fair share of hypocrisy, however, in Google’s assertions that they’ll never do anything evil with the data they amass. Data lives to become knowledge, knowledge is power, and we know what power does. Absolutely.

So what information does Google have about you? Inquiring minds and all that. Check for yourself by going to your Google search page and clicking on the web history link in the upper right hand corner. Then for funsies, follow the link that says, “is that everything?” where Google also talks about its cookies and server logs.

If you already have a Google account, you can get more precise information at Google Dashboard. My Dashboards for different Gmail names are different, but they show they’re related because I have their calendars connected. The Search history is far spottier than I expected, however, in part because I’m scrupulous about logging in and out of Gmail on a per task basis. And while at first blush it may look sparse, note they are offering you samples of your search in various categories; you must click on the category for more detail.

Don’t get me wrong, I remain a Google fan. I think it’s incredibly cool that Washington D.C. firefighters are using Google Apps, for example. It lets them call up schematics of abandoned buildings, the locations of fire hydrants, whether the hydrants are working or non-working (!), and the locations of their trucks. The District showed a first-year taxpayer savings of $3 million using the tool. I love “20 percent time,” where Google encourages use of work time on personal projects as a path to greater innovation. I like how they’re standing up to China. However, I believe the CEO’s statement to CNBC, “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place,” is problematic (and from him, maybe a tad hypocritical).

Even if you trust Google today, what if pieces of the company get sold off to less beneficent people? Could the management mantra change one day from “don’t be evil”? With so very much information in one place, how vulnerable are they (er, are WE?) to the loss of their password program Gaia? And, has their very success blinded them to recognizing the cumulative steps toward monopoly, no matter how benevolent or effective? I am very impressed with the commentary, “Google’s Microsoft Moment” likening their current position to Microsoft in the 1990s – that they are in danger of becoming what Google’s founders once found anathema.

Think back to the description of Google as supercomputer for a minute. They’ve got the images (Street Views, Google Goggles, Picasa, YouTube, etc.). They’ve got the words (every search query ever, Google Books, Google Scholar). They’ve got the commerce (AdWords, Google Shopper, Google Checkout, Doubleclick). They’ve got the tools (Google Apps, Android, Google Docs). No doubt about it – it’s Skynet, goin’ somewhere to happen...

Readers going for extra credit should check out CNBC’s excellent special Inside the Mind of Google, available in its entirety online, and running on CNBC again on June 21st.


© 2010 R. Michelle Green. Reprinted with permission.


Global Credit Card Theft Ring Busted in 14 Countries

I always like to acknowledge the good work of law enforcement with identity theft and fraud.

Reportedly, police arrested 178 people in 14 countries (including the USA) in an international credit card scam operation. The credit card theft ring reportedly stole 120,000 credit card numbers and cloned 5,000 credit cards. The theft totaled about 20 million Euros. The arrests resulted after a two-year investigation.

As if this wasn't enough, police alleged that the theft ring also conducted armed robbery, blackmail, sex trafficking, and money-laundering. Wow! A diversified operation.

It is early in the news cycle for this story. I am sure that over the coming days, more facts will emerge about this fraud operation. I'd like to know:


Identity Theft Prevention Tips For College Graduates

Maybe you graduated from college recently. Or, you are the parent (or family member) of a recent graduate.

There are certain things college graduates need to know to be informed consumers, and not get ripped off or scammed. The U.S. Federal Trade Commission created the "How To Be a Class-Value-dictorian" (Adobe PDF format) alert for college students and graduates. The FTC's advice:

  1. Keep your personal information to yourself
  2. Socialize safely online
  3. Consider the National Do Not Call Registry
  4. Stay away from “guarantees” of scholarships
  5. Don’t buy bogus weight loss products
  6. Understand credit and use annualcreditreport.com
  7. Travel scams turn summer breaks into summer busts
  8. Peer-to-peer file-sharing can be risky
  9. Phishing scams reel in personal information
  10. Some employment services are scams

To this list, I would add the following:

What identity theft prevention advice would you give to college graduates?


Words Matter (Or Crying Over Spilt Oil)

Lately, I have written a couple blog posts about the BP oil gusher in the Gulf. You may have noticed. Yes, these posts are a departure from this blog's usual identity theft and data breach content. As a U.S. citizen, my anger, sadness, and frustration with the BP oil gusher, and the company's inability to stop the gushing, make it difficult for me to remain quiet.

I've thought a lot lately about how the news media (and citizens) describe the oil gusher. Most news stories and broadcasts call it an "oil spill." I prefer to call it an "oil gusher." Why? Because words matter.

How we describe an event affects our attitudes about that event, and subsequent events. How we view the oil in the Gulf affects how we view the environmental damage, the cleanup efforts, and the likely legal actions.

To me, a "spill" is when I knock over a glass of milk on the kitchen table. It's a mess, but a small and manageable mess. People aren't killed or injured. What we have in the Gulf is far more. When I watched the "spill cam" a week ago (online and on the evening news broadcasts), it looked to me like oil was gushing out, not spilling out.

I considered other terms like "cataclysm" and "disaster" and "blowout" since these terms convey a more serious and far more extensive problem than the term "spill" conveys. The phrase "oil blowout" appealed to me since the device that failed was called a Blowout Preventer (BOP).

I call it the "BP oil gusher" because BP is the oil company involved (e.g., Transocean and Halliburton are sub-contractors that should be paying cleanup costs, too). Plus, the focus has been -- and will remain -- on BP's actions (or lack thereof). Hence, I call it the "BP oil gusher."

Boycott BP and all of its brands: Castrol, Arco, Aral, am/pm, Amoco, Wild Bean Cafe, and Safeway gas

The BP oil gusher affects me because, as a U.S. Citizen, it's my country's people, wildlife, vacation destinations, and coastline that have been devastated. As a citizen of this planet, it affects me because we are damaging our planet, perhaps irreparably.

Should we allow oil drilling in deep water? No. Why? The BP oil gusher has shown that when things go wrong, companies (and the government) are unable to fix a deep-water oil gusher. The risk and impact to our planet is simply too great.

And, then I read in this Fortune magazine article about:

"... the scale of the spill is much bigger and that there's a larger leak several miles away... There's a lake at the bottom of the Gulf of Mexico that's over 100 miles wide and at least 400 to 500 feet deep of black oil..."

Another leak? One is bad enough. To me, a "leak" is when milk from a milk container in your refrigerator drips over other food items.

15,000 or 20,000 barrels a day is not a "leak." That qualifies as a gusher. (There are 42 gallons in one barrel.) The disaster in the Gulf is not a "leak." It never has been.

Experts estimate that 25 to 35 million barrels of oil have gushed into the Gulf. That seems far larger than a "spill." To me, "a lake of oil" is a better description. "Cataclysm" is probably most accurate. (News reports today reported that experts now estimate oil gushing at twice as high.)

Last, I find the damage by the BP oil gusher(s) to the environment sad and infuriating. Several people I have talked with assume incorrectly that oil stays only on the ocean surface. No, the oil sticks to plants, fish, and debris throughout the water column. The government and BP seem capable of only measuring the amount of oil on the ocean surface; not the amount of oil scattered throughout the water column. Watch this Associated Press video:


There is nothing wrong with crying. It is appropriate given the vast devastation in the Gulf.

If you prefer to laugh, watch this spoof (which is far more believable than the propaganda video BP broadcast online and on television to repair its image):

The only improvement I would suggest with the above spoof: replace the coffee cup on the table with a broken coffee machine that constantly leaks coffee.

Addendum: this is a must read: "The Spill, The Scandal, and The President."


A Conversation With Jens Muller, CTO at Maxa Research

Companies and online advertisers increasingly use both web browser and Flash cookies to track consumers' online usage and to collect personal information, often without notice and consent. Many consumers are unaware or unsure what to do about this.

I discussed this situation recently with Jens Muller, the Chief Technology Officer at Maxa Research. Maxa Research developed and offers the Maxa Cookie Manager software for consumers to manage, review, and delete the variety of cookie types that websites place on consumers' computers. Jens was gracious and answered all of my questions. Our discussion:

I've Been Mugged: Who is MAXA Research and what is your position/duties at MAXA?
Jens Muller: MAXA Research is an established (for 20 years) and innovative company for computer hardware, firmware, and software development. In the last years, our main focus lies in the areas of internet application development and security solutions. I am the CTO at MAXA and responsible for product development.

Mugged: For consumers that don't know, what are browser cookies and the dangers?
Muller: A browser cookie is a mechanism that allows a website to save information on the visitor's computer. This information is then automatically sent back to the original website when opening it the next time. This mechanism can be used for legitimate purposes, like keeping you logged in or retaining website specific settings (i.e., the chosen language). However, a website page can also assign a unique ID to a website visitor and save it in the cookie on their computer. This way, the website is able to recognize you over a long period of time, even years.

When large advertising networks use cookies, they can find out the user's interests and create a profile of the user's surfing habits. When this information is linked with information that can be obtained after logging into accounts, even more is shared with third parties. We call such cookies, which have no use for the user but are only good to track him, "web bugs."

Mugged: How are Flash cookies, "Super Cookies," and Silverlight cookies different?
Muller: Browser plug-ins additionally allow websites to store information on the user's PC, especially Adobe Flash. It is installed on virtually all computers and, for example, is used to display videos in the browser window. After ad companies found out that some users were deleting their standard browser cookies, they had the idea to also store the information in a Flash cookie. In case the browser cookie is deleted, they still are able to find out who the visitor is.

Flash cookies are widely unknown and difficult to delete or manage. Even worse, Flash cookies are browser independent (i.e., shared among all browsers on the user's computer). So, it does not help to use the Firefox browser to visit "privacy sensitive" websites and use the Internet Explorer browser to visit other websites. Flash cookies also stay active during a browser's "private browsing mode."

Our privacy test demonstrates this.

Mugged: When evaluating options to manage browser cookies, what should a consumer consider?
Muller: During the last few years, browser developers have added more options for cookie management. The amount of settings differs from browser to browser. Normal browser cookies can be adequately managed this way, with some manual action needed in every browser. Flash cookies cannot be managed this way and they remain active. Even the "Internet Security/Management" software products available today cannot handle Super Cookies.

I've Been Mugged: What benefits does the MAXA Cookie Manager software provide?
Muller: MAXA Cookie Manager allows the automatic management of all kinds of cookies:

  • Browser cookies of all popular browsers and browser independent cookies are both listed and evaluated.
  • Cookies of sites the user wants to keep can be organized in a white list while undesired cookies can be blocked using the black list.
  • Known web bugs are recognized and can be deleted automatically.

Our website features two introductory videos about the software: video #1 and video #2.

Mugged: Many consumers like integrated software. Why didn't MAXA offer its cookie management software integrated with anti-virus or web browser software?
Muller: First of all, MAXA Cookie Manager is not directly integrated (like an add-on) into a specific web browser as it must be able to manage all cookies produced by all of the browsers and browser plug-ins on a user's computer. You are right that cookie management can be seen as a sub-task for anti-virus software which is, however, widely neglected. While malware actively harms your computer by executing malicious code, cookies "only" spill information to third parties and therefore infringe upon your privacy without you noticing it.

We are a small and innovative company and have therefore decided to develop this product standalone, as we have no anti-virus product in our portfolio. However, we are always open to other AV and security companies that would like to OEM our code/product.

Mugged: MAXA Cookie Manager currently runs only on Windows® computers. What about a version for Mac/Apple iPad users?
Muller: Browser independent cookies indeed are a privacy issue for Macs, too. MAXA Cookie Manager is tightly coupled to the operating system and cannot easily be ported to Mac OS. Furthermore, the browsers available for Mac OS are different ones. If we receive enough demand, we might consider developing a MAXA Cookie Manager version for Mac OS in the future.

Mugged: My anti-virus software updates itself about every other day because threats change quickly. What updates can users expect with MAXA Cookie Manager?
Muller: The definition base for the algorithms that evaluate the cookies and recognize web bugs is regularly updated. Furthermore, users can establish their whitelist in MAXA Cookie Manager either by selecting from a list of popular websites we provide and update, or by iteratively adding websites whose cookies they want to keep. Users have the ability to delete all other cookies or to delete only explicitly blacklisted cookies.

Again, it is important to remember that a website setting a cookie itself does in no way immediately "infect" your computer as a virus would do. When the cookie stays present for a longer period of time, the site or ad network can gain more and more information about the user. Also, please note that we do not have a subscription model like most anti-virus solutions. People who buy MAXA Cookie Manager can use it as long as they want in this version. Multiple updates with improvements are free and web bug definition updates stay free. Occasional upgrades which may introduce a new feature to the software can be obtained for a reduced price if wanted - but again - the user can keep using the version he purchased as long as desired.

Mugged: I installed the BetterPrivacy add-on with my Firefox web browser to delete Flash cookies. Why should a consumer with this add-on also purchase the MAXA Cookie Manager Pro?
Muller: BetterPrivacy allows users to delete Flash cookies. In my opinion, it has a rudimentary whitelist, and it does not support the user's decision about which cookies to save or delete. MAXA Cookie Manager's evaluation feature helps users decide to delete or save a cookie. Also, a BetterPrivacy user would need to make the same settings for Firefox itself (in order to have the same rules to manage regular cookies) and possibly for other browsers he is using.

MAXA Cookie Manager's white and black lists affect all cookies of all technologies. MAXA Cookie Manager allows users to inspect the cookie's contents and to search for strings in cookies -- which BetterPrivacy does not offer. Finally, BetterPrivacy does not handle Silverlight cookies, which have the same power as Flash cookies, though Silverlight is installed on fewer machines than Flash.

Mugged: I visited one of the cookie software sites (cookiecentral.com) to find your software. Where is it available for download/purchase, and why isn't it more widely available?
Muller: Good question. In my opinion, cookiecentral.com is trying to make money via website ads and software commission sales using its privileged domain name. Nevertheless we contacted them in the past and did not get any answer.

UPDATE: I contacted them again recently and got a positive answer to add our software soon to the list of cookie managers. Compared to other companies we are relatively small and do not have a huge marketing budget. We try to differentiate via innovative products with fast and individual customer support. Sometimes we have the impression that companies or large websites ignore us and do not want to cooperate as they themselves depend on cookies for user tracking and have no interest in the spread of (good) cookie managers.

Nonetheless, we are listed on many websites like:

Try a Google search using "maxa cookie manager" and you will find us on many more websites.

Mugged: Download.cnet.com lists dozens of cookie manager software products. Why should consumers use MAXA Cookie Manager?
Muller: I looked at the list. First, the large majority of these products do not support Flash cookies. Then, look at the date they were added. It seems nearly all of the software listed here is really old (last release more than 4 years ago). Therefore they already cannot support Google Chrome, a new browser, and probably don't support newer versions of Firefox. Finally, the points I mentioned above about the BetterPrivacy comparison also apply.

Mugged: Some cookies are needed to log into my financial accounts or similar websites. How can a consumer easily identify which (Flash and HTTP) cookies to keep versus delete?
Muller: The evaluation function in our MAXA Cookie Manager helps by highlighting the active cookies in different colors for: web bug / suspicious / unsuspicious / whitelisted. Furthermore, the whitelist wizard allows a user to add popular websites to the white list if he wants to keep the cookies. For the rest, most often, the domain name of the cookie will have something to do with the website whose service the user wants to use.

Mugged: While consumers can download your software at Download.cnet.com, the site's editors haven't reviewed it. When will a review appear here or elsewhere?
Muller: I had in mind that in the past there was a review, but even in the box "Previous versions" at the very bottom I could not find it any more when going back to all the previous versions. In order to re-schedule a review for download.cnet.com a major change in the software must be provided. So, we cannot trigger one immediately. However, lately we had a great response from the following Belgian CNet/ZDNet review (use an online translator if interested).

About a year ago, ZDNet.de listed MAXA Cookie Manager as its software pick of the week. We were reviewed in a couple of European print PC magazines, if interested I can supply more details. Also, we were mentioned in this EZine article about cookies.

Yet, the most relevant feedback we receive are comments from our existing customers in the product survey we send them after purchasing. These comments are visible at our website. Users often have good suggestions which we incorporate into new versions.

Mugged: What do you see in the future for cookie management software?
Muller: We see that people are getting more and more privacy aware lately, which is important as cookie use is spiraling out of control. While this increases the demand for cookie managing software, browsers supporting the new web standard HTML5 will, in the further future, definitely bring a change; and in my opinion render Flash useless. On the other hand, new plug-ins will emerge and with a tighter coupling of online and offline information, could make keeping one's privacy more and more difficult.
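The interview describes an ad network keeping the same unique ID in a browser cookie and in a browser-independent Flash cookie, so that deleting one leaves the other. The sketch below is an added example, not MAXA's code and not part of the interview, showing one way to check for that duplication across stores. The domains, cookie values, white and black lists and the `#SharedObjects/<random>/<domain>/` directory layout are constructed assumptions; the four labels reuse the interview's wording.

```python
import tempfile
from pathlib import Path

MIN_ID_LEN = 8  # shorter values ("en", "1") are too common to serve as unique IDs

# Constructed sample: cookies exported from two browsers on the same PC.
TRACK_ID = "a81f3c9e77d2b640"
BROWSER_COOKIES = [
    {"browser": "firefox", "domain": "ads.example", "name": "uid", "value": TRACK_ID},
    {"browser": "firefox", "domain": "bank.example", "name": "lang", "value": "en"},
    {"browser": "ie", "domain": "news.example", "name": "visitor", "value": TRACK_ID},
    {"browser": "ie", "domain": "shop.example", "name": "cart", "value": "c0ffee1234567890"},
]
WHITELIST = {"bank.example"}  # hypothetical user lists, applied to every cookie type
BLACKLIST = {"ads.example"}   # blacklisted domains stand in for known web bugs


def build_sample_flash_store(root):
    """Write two constructed .sol files (not valid AMF; only the embedded strings matter)."""
    tracker = root / "ABCD1234" / "ads.example" / "settings.sol"
    tracker.parent.mkdir(parents=True)
    tracker.write_bytes(b"\x00\xbfTCSO" + b"uid" + TRACK_ID.encode())
    player = root / "ABCD1234" / "video.example" / "player.sol"
    player.parent.mkdir(parents=True)
    player.write_bytes(b"\x00\xbfTCSO" + b"volume" + b"\x3f\xe0")


def read_flash_store(root):
    """Return (domain, file name, raw bytes) for every .sol file under root."""
    entries = []
    for sol in sorted(root.rglob("*.sol")):
        domain = sol.relative_to(root).parts[1]  # assumed layout: <random>/<domain>/...
        entries.append((domain, sol.name, sol.read_bytes()))
    return entries


def is_identifier(value):
    return len(value) >= MIN_ID_LEN


def label_for(domain, duplicated):
    if domain in WHITELIST:
        return "whitelisted"
    if domain in BLACKLIST:
        return "web bug"
    return "suspicious" if duplicated else "unsuspicious"


def evaluate(cookies, flash_root):
    """Label every browser and Flash cookie; a value present in both stores is 'duplicated'."""
    flash = read_flash_store(flash_root)
    ids = [c["value"].encode() for c in cookies if is_identifier(c["value"])]
    report = []
    for c in cookies:
        needle = c["value"].encode()
        dup = is_identifier(c["value"]) and any(needle in data for _, _, data in flash)
        report.append((c["browser"], c["domain"], c["name"], label_for(c["domain"], dup)))
    for domain, name, data in flash:
        dup = any(i in data for i in ids)
        report.append(("flash", domain, name, label_for(domain, dup)))
    return report


def ids_surviving_clear(cookies, flash_root, browser):
    """IDs from one browser's cookies that are still in the Flash store once that browser is cleared."""
    flash = read_flash_store(flash_root)
    cleared = {c["value"] for c in cookies
               if c["browser"] == browser and is_identifier(c["value"])}
    return {v for v in cleared if any(v.encode() in data for _, _, data in flash)}


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        build_sample_flash_store(root)
        report = evaluate(BROWSER_COOKIES, root)
        survivors = ids_surviving_clear(BROWSER_COOKIES, root, "firefox")
        return report, survivors


if __name__ == "__main__":
    report, survivors = run_demo()
    for row in report:
        print(row)
    print("still stored in Flash after clearing Firefox:", survivors)
```

The `news.example` cookie is flagged only because its value also appears in another site's Flash cookie, which is the cross-store link that per-browser cookie settings cannot see.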


Are Flash Privacy Vulnerabilities Important to the Average Online User?

[Editor's Note: I am pleased to feature another post by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Here's her take on Flash cookies and privacy.]

By R. Michelle Green

I read this post about Flash cookies with the “Get right out of town!” look all over my face. Even just going to Adobe’s site and seeing the statement “always ask/deny access to my camera or microphone” was a trippy feeling. If you think too consciously about the dangers of the modern world, you’ll never get out of bed. Hey, driving may be dangerous but I’m not hanging up my keys. Instead, I want to be the best driver I can be. Online, that means being informed and prepared.

(Besides, just as entities like DOT and Consumer Reports will work to make my driving conditions better, I’m confident that George and people like him will work to make my online conditions better – Thanks George!)

Though I too fret about data gathering for behavioral marketing, I fear it is already too prevalent to escape. Besides, when used appropriately, Flash cookies are critical in enhancing the online experience at many sites. Unauthorized laptop camera use was way scarier to me than Google’s knowing that I like Joss Whedon.

So what did I need to know to be informed and prepared about the use of Flash cookies? Three questions came to mind:

  1. Do I need to protect myself now from unauthorized use?
  2. Will I know if I need to protect myself in the future?
  3. How do I protect myself?

To answer the first question, I needed to learn what websites might use my camera or microphone. I’m not an online or multiplayer gamer – maybe I’m “safe” already. I’ve used Skype and Oovoo, but I never stay logged in unless I’m making a call. The site sillywebcam.com would not load for me, but the Google cache image showed reams of games that will use Flash and your webcam in games. I first saw one when The Dark Knight came out – an ad campaign permitted you to send others a picture of yourself ‘trapped’ in Arkham Asylum. As far back as 2004, some very cool apps did nice things with webcams. You choose to participate in all these apps, however.

The open source download Adeona can turn your webcam on remotely. Essentially Lojack for your laptop, it does not give a third party access to your laptop as with some of its competitors. Again, you choose to download that program. Pennsylvania’s Lower Merion School District is in litigation for accessing 42 school laptops without informing the users. LANrev provided the school district’s laptops with the software. If your laptop is second hand, or purchased when you left your employer (like mine), you might have such software loaded and not know.

I was completely unsuccessful at identifying programs that use your webcam without your involvement. I find the absence of information noteworthy in today’s wired world. Does anyone else know of such programs?

The second question: how will I know if I need protection? Will the little green light always be on if my [laptop] camera is on? Anything can fail, but in principle, if the camera’s on the light’s on. It’s wise as a matter of course to review the programs running in the background on your computer. (If the light’s been on since you bought it, for example, you might think that’s a normal part of your laptop’s operation.) And, I have no immediate indicator that my [laptop] microphone is engaged…

That leaves the third question: what can I do to protect myself? I’ve gone to the Adobe site and set the Flash global settings to “always ask” if someone wants to use my camera. (Be sure to click each of the folder tabs to see the breadth of control Adobe offers you.) The "Always deny" setting doesn’t let me make a choice. I already use my browser options to delete cookies once I’ve closed the browser.

Maxa Cookie Manager is a paid tool that manages Flash cookies, but it works only on Windows (®). I needed something like flush.app to help me manage Flash cookies on my Mac. It lets me delete the ones I don’t want, and keep ones that are helpful. Flash programs in IE use a mechanism called ActiveX to run, with, you guessed it, additional privacy settings to manage. And if you’re like me and use multiple browsers, you have to manage all this within each browser.

I’m worn out just thinking about this.

My advice? Cover the [laptop] camera lens until you want to use it. Disable your access to the 'net until you want to be online. Shut down and close the laptop when you’re offline.

Ahh, the beauty of the low-tech hack.


© 2010. R. Michelle Green. Reprinted with permission.


AvMed Breach Affects 1.2 Million Florida Residents

A data breach in December 2009 at AvMed Health Plans included the theft of the Social Security numbers, names, addresses, birth dates, and health records of both current and former AvMed subscribers. Two laptop computers containing the records were stolen from the company's Gainesville office in December.

360,000 breach victims were notified in February and on June 3 the company announced that it is notifying an additional 860,000 breach victims. AvMed is offering breach victims two years of free credit monitoring service with the Debix Identity Protection Network. Breach victims requiring more information can visit the AvMed website or contact Debix at 1-877-441-3004 (TTY: 877-442-8633). Breach victims that want the Debix coverage must register.

Breach victims should visit the Florida Attorney General's website for more information about identity theft and steps to take if their medical or personal information is used fraudulently by criminals. The Florida AG advises victims of fraud to:

  1. Report the incident to the fraud department of the three major credit bureaus
  2. Contact the fraud department of each of your creditors
  3. Contact your bank or financial institution
  4. Report the incident to law enforcement

Breach victims can get a free copy of their credit reports from the three credit bureaus at AnnualCreditReport.com. Since this breach involves medical information, breach victims should obtain a copy of their medical records from their AvMed physician and review it for fraudulent entries.

After a data breach with 1.5 million records stolen, in 2009 Health Net selected Debix as the complimentary credit monitoring service for its breach victims.

Is the health care industry doing a good job at protecting patients' medical information? I think not. Data breaches at health care companies are more common than many consumers and patients realize.

According to the Privacy Rights Clearinghouse, recent health care breaches include:

  • June 2010: Safe Harbor Med (Santa Cruz, California)
  • May 2010: Aetna (South Windsor, Connecticut)
  • May 2010: Loma Linda University Medical Center (Loma Linda, California)
  • May 2010: New Mexico Medicaid (Santa Fe, New Mexico)
  • May 2010: Millennium Medical Management Resources (Westmont, Illinois)
  • April 2010: St. Jude Heritage Medical Group (Orange, California)
  • April 2010: The Medical Center (Bowling Green, Kentucky)
  • April 2010: Hutcheson Medical Center and one other medical facility (Chattanooga, Tennessee)
  • April 2010: DRC Physical Therapy Plus (Monticello, New York)
  • April 2010: Affinity Health Plan (Bronx, New York)
  • April 2010: Massachusetts Eye and Ear Infirmary (Boston, Massachusetts)
  • April 2010: Brooke Army Medical Center (San Antonio, Texas)
  • April 2010: St. Peter's Hospital (Albany, New York)
  • April 2010: Virginia Beach Dept. of Social Services (Virginia Beach, Virginia)
  • April 2010: ManorCare Health Services (Wheaton, Maryland)
  • April 2010: St. Francis Hospital (Tulsa, Oklahoma)
  • April 2010: Providence Hospital (Southfield, Michigan)
  • April 2010: John Muir Physician Network (Walnut Creek, California)
  • March 2010: Northwestern Medical Faculty Foundation (Chicago, Illinois)
  • March 2010: University of Calgary Sunridge Medical Clinic (Calgary, California)
  • March 2010: Atlanta Veterans Affairs Medical Center (Atlanta, Georgia)
  • March 2010: UT Southwestern Medical Center (Dallas, Texas)
  • March 2010: The Open Door Clinic of Greater Elgin (Elgin, Illinois)

Whenever I read about a large breach including laptop computers, I wonder why firms and their employees insist on storing so many records on a single computer. It raises the question about whether AvMed properly trained its employees with effective data security practices.

I read AvMed's February and June press releases. Neither press release mentioned whether or not the stolen information was encrypted. Breach victims have to assume the worst: nothing was encrypted. This makes one wonder why the company didn't encrypt sensitive information.

And while the company claims that the risk of identity fraud is low, the fact is that using the types of information stolen, criminals can assume breach victims' identities, apply for credit in breach victims' names, and apply for health care fraudulently using breach victims' medical information.


IBM Distributes Virus-Infected USB Drives at Security Conference

Long-time readers know that I named this blog to honor the company that lost my sensitive personal data during a February 2007 data breach. Since then, I try to give IBM the media attention it earns.

Last week, InformationWeek magazine reported that IBM gave attendees at the AusCERT information security conference in Australia virus-infected USB thumb drives. IBM followed up this snafu with an apology via e-mail. The InformationWeek article contains the text of the e-mail message.

Nobody at IBM bothered to check the USB thumb drives before distributing them to conference attendees? Wow! And this occurred at a security conference, too.

If I ever receive a free USB drive from the leading computer and security company worldwide, that advises other companies how to deal with data breaches, I'll be sure to scan it with anti-virus software first.