Previous month:
August 2012
Next month:
October 2012

10 posts from September 2012

New Data Breach Law In Connecticut Begins October 1

A new data breach law goes into effect in Connecticut on October 1. The Connecticut Attorney General office announced:

"Connecticut law generally requires anyone who conducts business in Connecticut and who – in the ordinary course of business – owns, licenses or maintains computerized data that includes personal information to disclose a security breach without unreasonable delay to state residents whose personal information is believed to have been compromised. Failure to provide such notice could be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA)."

The new law includes an email address for companies to report breaches directly to the Connecticut AG office. Previously, companies were required to notify only consumers affected by data breaches. Now, companies must notify both breach victims and the state.


Study: Small And Medium Sized Businesses Face Growing Data Security Threats

According to a new report by Osterman Research, and sponsored by Trend Micro, while cloud and mobile device usage have increased within small and medium sized businesses, so too has malware and data security threats. The survey found that about 52.1% of devices (e.g., desktop computers, laptops, tablets, smartphones) used by employees were infected annually with malware. In any given month, about 4.3% of devices were infected.

The report found that the malware has become more serious, with more versions, a short life, had target specific mobile devices (e.g., devices running the Android operating system) ,and had targeted businesses in specific countries that perform online banking.

The researchers found the costs to businesses were substantial. Information technology (I.T.) departments spent on average 72 minutes per device to remove the malware and fix the infected computer. The direct I.T. staff cost was about $2,400 per device per year. And, those costs don't include the lost employee productivity.

The data breaches from this malware can lead to theft of money, trade secrets, or the sensitive personal information of employees, former employees, and contractors. Criminals try to infect employees' devices with keystroke-logging malware to steal online bank account passwords. The report listed some of the company data breaches where businesses were robbed in this manner:

  • Western Beaver County School District: $700,000
  • The Catholic Diocese of Des Moines: $600,000
  • Hillary Machinery: $800,000 (its bank was able to recover only $600,000)
  • Patco: $588,000
  • Experi-Metal, Inc.: $560,000
  • Village View Escrow: $465,000
  • An unidentified construction company in California: $447,000
  • Choice Escrow: $440,000
  • An unidentified solid waste management company in New York: $150,000
  • An unidentified law firm in South Carolina: $78,421

So, if you work in a small or medium sized business that performs online banking, you can assume that identity thieves and criminals have targeted your employer and, most likely, your mobile device.


Mobile Marketing Company To Pay $500K Settlement Fine For Text Message Spam

This past weekend, the office of the New York State Attorney General announced a settlement with Game Theory LLC, a mobile content company. Game Theory agreed to pay a $500,000 settlement for allegedly sending deceptive text messages that tricked New York State residents into signing up for monthly text messages costing $9.99 per month:

"These charges appeared on the victim’s wireless telephone bill in a way that was difficult to detect. For months, consumers would pay for text messages they did not want before they realized they were being charged. For example, between May 23, 2011 and July 5, 2011, Game Theory sent text messages claiming that the recipients had a “secret crush,” and that the recipient needed to respond “yes” to find out who it was. However, in the process of finding out the identity of the “secret crush,” the recipient was also unknowingly signing-up for a text message service..."

Game Theory reportedly sent 150,000 such text messages to the mobile phones of New York State residents. Terms of the settlement require the company to exit the text messaging business.

Security experts advise consumers to never respond to unsolicited text messages, including those that claim a reply is necessary to stop any charges. Consumers should report text message spam and fraudulent mobile phone charges to their mobile service provider, and ask their provider to block those third-party charges. Consumers can also report this fraud to their state consumer protection agency, and to the U.S. Federal Trade Commission (FTC).

It is important for parents to remind and teach their children of good mobile device security habits, including how to recognize and delete smishing text messages.


Ashesi University, Ethics, Africa, And I've Been Mugged Blog

I was very pleased to learn that while Ashesi University began teaching to its students in 2010 the ethics curriculum "Giving Voice To Values" (GVV) developed by Mary Gentile, the university also uses the I've Been Mugged interview with Gentile. Ashesi University, located in Ghana, is a private, secular liberal arts institution that offers bachelor degree programs in Computer Science, Management Information Systems and Business Administration. All students perform community service before graduation.

In July 2012, the university and the MasterCard Foundation jointly hosted the first-ever robotics competition in Ghana to encourage high school students to study computer science, engineering, and other technical fields. The Ashesi University Foundation, located in Seattle, Washington (USA) helps donors around the world support the school.

The school was founded in 2002 by Patrick Awuah, a graduate of Swarthmore College. Watch this June 2007 speech by Awuah at the Ted (Technology, Entertainment, and Design) Global Conference held in Arusha, Tanzania. The New York Times reported in January 2011:

"Africa has reached an inflection point with the march of democracy across the continent,” said Mr. Awuah, speaking at the World Innovation Summit for Education in Doha in November... We can bring change in one generation. How we train our leaders will make all the difference. According to Mr. Awuah, the goal of Ashesi, whose name means “beginning” in Akan, the local language of Ghana, is to train a new ethically responsible educated elite to break the cycle of corruption on the continent."

To find all schools (including Ashesi University) that offer the GVV ethics curriculum, browse the list of GVV pilot sites (Adobe PDF) maintained by Babson College, and its curriculum information. Visit the GVV book website to learn more about and the book, available to the public.

If you know of a school that uses the I've Been Mugged blog as part of an ethics or Interent-related curriculum, let me know or share it below.


Survey: FDIC Releases Results From Latest Survey Of UnBanked And UnderBanked Consumers

Yesterday, the Federal Deposit Insurance Corporation (FDIC) released the results of its "2011 National Survey of Unbanked and Underbanked Households." The FDIC conducts this survey every two years, in a partnership with the U.S. Bureau of the Census. Key findings from the survey:

  • "8.2 percent of U.S. households are unbanked. This represents one in 12 households in the nation, or nearly 10 million in total. The proportion of unbanked households increased slightly since the 2009 survey. The estimated 0.6 percentage point increase represents an additional 821,000 unbanked households."
  • "20.1 percent of U.S. households are underbanked. This represents one in five households, or 24 million households with 51 million adults. The 2011 underbanked rate in 2011 is higher than the 2009 rate of 18.2 percent..."
  • "29.3 percent of households do not have a savings account, while about 10 percent do not have a checking account. About two-thirds of households have both checking and savings accounts."
  • "One-quarter of households have used at least one AFS product in the last year, and almost one in ten households have used two or more AFS. In all, 12 percent of households used an AFS product in the last 30 days, including four in ten unbanked and underbanked households."

The survey included responses from about 45,000 households. The term "unbanked" refers to consumers who do not have a checking account nor a savings account. the term "underbanked" refers to consumers who have either a checking account or savings account, but not both. This is important because banks have targeted both unbanked and underbanked consumers with financial products and services-- typically prepaid cards and variations such as flexible spending health-care cards and payroll cards.

These prepaid cards, which often have numerous fees, and offer fewer rights for consumers than both credit cards and debit cards. Industry research has documented the perception by consumers, many of whom have bank accounts, that prepaid cards are a desirable method to avoid the expensive overdraft fees with debit cards. Some additional findings from the survey:

"The highest unbanked and underbanked rates are found among non-Asian minorities, lower-income households, younger households, and unemployed households. Close to half of all households in these groups are unbanked or underbanked compared to slightly more than one-quarter of all households... Among unbanked households, slightly more than half have never had a bank account. Relatively high proportions of Hispanic (14.7 percent) and foreign-born noncitizen households (18.9 percent) have never had an account. The most common reasons why households report they do not have bank accounts are that they feel they do not have enough money for an account, or they do not need or want one."

The specific banking rates by demographic groups:

Demographic GroupUnBanked %
Underbanked %
Fully Banked %
All Households 8.1
20.1
68.8
Black households 21.4
33.9
41.6
Foreign-born, non-citizens 22.2
28.9
45.8
Households experiencing unemployment
22.5
28.0
47.5
Lower income households (less than $15,000)
28.2
21.6
47.6
Unmarried female head of households 19.1
29.5
48.4
Hispanic households 20.1
28.6
48.7
Households with people under age 24
17.4
31.0
49.7

By targeting unbanked and underbanked households, banks are trying to replace pay-day lenders and check cashing services, often referred to as "Alternative Financial Services" (AFS). The survey reported:

"AFS transaction products (i.e., non-bank money orders, non-bank check cashing, and non-bank remittances) are considerably more widely used than AFS credit products (i.e., payday loans, pawn shops, rent-to-own stores, and refund anticipation loans). In the last year, 23.3 percent of households used transaction AFS and 6.0 percent used AFS credit products. The relationship between household banking status and AFS use is complex. A non-trivial share of unbanked households (29.5 percent) do not use any of the AFS providers asked about in the survey, suggesting they rely primarily on cash. However, overall, unbanked households are more active AFS users than underbanked households."

Also, I found these survey results interesting:

"Having a bank account does not guarantee long-term participation in the banking system. Households can and do cycle in and out the banking system over time. For example, nearly half of unbanked households had an account in the past, and nearly half (48.2 percent) of these report that they are likely to join the banking system again in the future... Households with banking experience appear to have more positive perceptions of having an account and rely less on AFS. Unbanked households that previously had a relationship with a financial institution are more likely to see value in having a bank account than unbanked households without this relationship. Previously banked households are more likely to want to open an account in the future..."

Download the FDIC survey (Adobe PDF, 7.9 MBytes).


Survey: How Mobile Device Users Protect Their Privacy With Mobile Apps

A recent survey by the Pew Research Center investigated how mobile device users manage their privacy. The survey included both cell phone users and smart phone users. Key findings:

"54% of app users have decided to not install a cell phone app when they discovered how much personal information they would need to share in order to use it; 30% of app users have uninstalled an app that was already on their cell phone because they learned it was collecting personal information that they didn’t wish to share. Taken together, 57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons."

It is good to read that consumers are not blindly downloading and using mobile device apps, since prior studies have documented sporadic and inconsistent access to privacy policies for mobile apps. After pressure from the California Attorney General, several companies (e.g., Amazon.com, Apple, Google, hewlett-packard, Microsoft, and Research In Motion) that operate mobile app stores agreed to improve app privacy policies disclosing the personal data collected, stored, and shared. Earlier this month, researchers at M.I.T. documented privacy abuses by mobile apps that tracked consumers without notice nor consent. And, the U.S. Federal Trade Commission published guidelines for businesses that develop and market mobile device apps.

The Pew survey found that almost one-third, 31% of all smart phone users surveyed, have lost their device or had it stolen. Among users 18 to 24 years of age, about 45% had either lost their device or had it stolen. The survey authors concluded:

"Smartphone owners are generally more active in managing their mobile data, but also experience greater exposure to privacy intrusions"

The table below highlights this conclusion:

ActivitySmart Phone UsersCell Phone Users
Back up phone contents 59% 21%
Cleared browsing or search history 50% 14%
Turned off location tracking 30% 7%
Experienced lost or stolen device 33% 29%
Somebody accessed device in a way that felt like a privacy intrustion 15% 8%

Pew conducted the nationwide survey, in both English and Spanish, of 2,254 adults (age 18 and older) during March 15 to April 3, 2012. Download the Pew report: "Privacy and Data management on Mobile Devices."


FTC Publishes 9 Guidelines For Mobile App Developers

Earlier this week, the U.S. Federal Trade Commission (FTC) introduced guidelines for businesses and mobile application (app) developers. The information is in a new guide titled, "Marketing Your Mobile App: Get It Right from the Start." The guide includes nine recommendations:

"1. Tell the truth about what your app can do. Once you start distributing your app, you become an advertiser... Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth. False or misleading claims, as well as the omission of certain important information, can tick off users and land you in legal hot water... If you make objective claims about your app, you need solid proof to back them up before you start selling. The law calls that “competent and reliable evidence.” If you say your app provides benefits related to health, safety, or performance, you may need competent and reliable scientific evidence."

Businesses that are unsure how to back up their claims with scientific evidence can visit the Business Center Blog for more information.

"2. Disclose key information clearly and conspicuously... your disclosures have to be “clear and conspicuous.” What does that mean? That they’re big enough and clear enough that users actually notice them and understand what they say."

"3. Build privacy considerations in from the start... privacy by design... Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need... For any collection or sharing of information that’s not apparent, get users’ express agreement."

"4. Be transparent about your data practices... be clear to users about your practices. Explain what information your app collects from users or their devices and what you do with their data."

You'd think that following these guidelines was obvious, but researchers at M.I.T. recently documented abuses by mobile apps that tracked users' GPS locations and collected users' browser histories without notice nor consent; sometimes, even when the app was supposedly turned off.

"5. Offer choices that are easy to find and easy to use. Give your users tools that offer choices in how to use your app – like privacy settings, opt-outs, or other ways for users to control how their personal information is collected and shared... Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made."

"6. Honor your privacy promises... Chances are you make assurances to users about the security standards you apply or what you do with their personal information. At minimum, app developers — like all other marketers — have to live up to those promises. The FTC has taken action against dozens of companies that claimed to safeguard the privacy or security of users’ information, but didn’t live up to their promises... The FTC also has taken action against businesses that made broad statements about their privacy practices, but then failed to disclose the extent to which they collected or shared information with others – like advertisers or other app developers."

"7. Protect kids’ privacy. If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule. Specifically, under COPPA, any operator whose app is directed to kids under age 13 or who has actual knowledge that a user is under 13 must clearly explain its information practices and get parental consent before collecting personal information from children. App operators also must keep personal information collected from children confidential and secure."

"8. Collect sensitive information only with consent... get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information. It’s a mistake to assume they won’t mind."

"9. Keep user data secure. At minimum, you have to live up to the privacy promises you make. But what if you don’t say anything specific about what you do with users’ information? Under the law, you still have to take reasonable steps to keep sensitive data secure."

This is a good list, but in my view the above guidelines are the minimum app developers should do. Ways for businesses and app developers to do better than the FTC minimums:

  • Choices for consumers should be opt-in not opt-out
  • Consolidate and simplify whenever possible. There are too many privacy policies: mobile device manufacturers, device operating system developers, app stores, telecommunications providers, and the app developer
  • Plain language privacy policies, not lawyer speak
  • Consistent, easy access. Prior studies have documented sporadic and inconsistent access to privacy policies before app install, after app install, and while the app is running
  • Give users an estimate of the daily or monthly consumption by the app, so users can make informed decisions and avoid data plan surprises and overage fees. Auto manufacturers publish mileage estimates. App developers can easily do the same (and should) about data plan consumption by their apps

It is a sad state of affairs when the first guideline has to be, "tell the truth." What do you think mobile apps should do to protect consumers' privacy?


Survey Finds Most Americans Confused About The Cloud

A recent nationwide survey conducted by Wakefield Research and sponsored by Citrix, found that many Americans are confused about what the "cloud" is and how they use it. Key survey findings:

"When asked what “the cloud” is, a majority responded it’s either an actual cloud (specifically a “fluffy white thing”), the sky or something related to the weather (29 percent). Only 16 percent said they think of a computer network to store, access and share data from Internet-connected devices..."

Many people already use the cloud and don't know it:

"A majority of Americans (54 percent) claim to never use cloud computing. However, 95 percent of this group actually does use the cloud. Specifically, 65 percent bank online, 63 percent shop online, 58 percent use social networking sites such as Facebook or Twitter, 45 percent have played online games, 29 percent store photos online, 22 percent store music or videos online, and 19 percent use online file-sharing. All of these services are cloud based."

Survey respondents seem to know the advantages and disadvantages of the cloud. The most recognized benefits are that the cloud lowers costs (35%), spurs small business growth (32%) and boosts customer engagement for businesses (35%). The three leading concerns are cost (34%), security (32%), and privacy (31%).

The survey was conducted during August 2012 and included 1,000 adults nationwide. The info-graphic below includes more survey findings.

Citrix Cloud Infographic


Researchers At MIT Document Privacy Abuses By Smart Phone Apps

This week, the Boston Globe reported the findings of a study by a group of researchers at the Massachusetts Institute Of Technology. The research discovered that several Android apps track consumers' activities without notice and without consent. Researchers Frances Zhang and Fuming Shih investigated 36 apps that run on smart phones with the Android operating system:

"... some popular apps for phones running Google Inc.’s Android operating system are continually collecting information without informing the phone’s owner. The popular game Angry Birds uses the phone’s GPS and Wi-Fi wireless networking features to track the owner’s location, even when he’s not playing the game... Another game, Bowman, collects information from the phone’s Internet browser, including what websites the owner has been visiting..."

The researchers hope to patent their app-testing process so it can be used to test a wider range of mobile device apps. The researchers did not test Apple mobile devices.

While improved software will help consumers monitor apps for compliance with privacy policies, a survey earlier this year documented sporadic and inconsistent access to privacy policies for mobile device apps across all major brands.


Hacker Group Announces Theft Of 12 Million Apple Mobile Device Identification Numbers

A hacker group has announced the theft of 1 million Apple iPhone UDIDs, or Unique Device Identifcation numbers. The hacker group claimed that the data breach was to highlight the unannounced tracking of US citizens by the Federal Bureau of Investigation (FBI) agency. The Next Web reported:

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses, etc. the personal details fields referring to people..."

The AntiSec hacker group stole 12 million UDIDs, and has publicly released 1 million of them.

What is a UDID? If you read this blog, then you already know what UDIDs are. Every smart phone, tablet, and mobile device has one: a 40-digit number that uniquely identifies each device. If you switched devices recently, chances are your telecommunications provider (e.g., Sprint, AT&T, Verizon, etc.) probably required that you provide them with the UDID for your new device.

The UDID is a bonanza for companies, marketers, government agencies, and any entity interested in tracking consumers. When matched with your 10-digit phone number and iTunes account, the UDID is a powerful identification (and tracking) tool that allows the compilation of all data, usage, and information on a mobile device to a person: phone calls, email messages, photos, video, text messages, GPS position, phone book, web browser history, apps downloaded, music, movies, and more. That compilation is more extensive since many consumers now use multiple email addresses (e.g., work and personal) on a single mobile device. Parents, who gave their children mobile devices, also need to be aware of the tracking threat. Links between your device's UDID and your Apple iCloud account would enable even more extensive tracking at the document level.

The Huffington Post advises consumers who want to check if their UDID was stolen:

"First, use the website whatsmyudid.com to figure out how to access your UDID, which can easily be found by plugging Apple devices into iTunes. Next, copy and paste the ID into The Next Web's data checker, or use tech consultant Sean MacGuire's website to quickly scan through the hacked IDs."

This blog has reported privacy abuses where app developers and marketers allegedly collected consumers' UDID without notice and without consent, including this class-action suit against Apple and this class-action suit against Ringleader Digital and several other companies. The sad reality is that consumers' UDIDs could already be in a lot more entities' databases, since too many mobile device apps fail to provide privacy policies, and collect data without notice and without consent.

[Update 3:30 pm: one blogger analyzed the data released by the hackers, and concluded it isn't so bad since not much other personal data was stolen. I don't place much weight on this view, as there is no guarantee the hackers released everything stolen.]

[Update 10:00 am: the FBI denies that it has the data the hacker group claimed it has.]