Previous month:
September 2013
Next month:
November 2013

15 posts from October 2013

Planned Obsolescence With Smart Phones. A Good Idea?

Is planned obsolescence a good idea with smart phones? Is it a good idea at all? Does this really benefit consumers? Starting with the Apple iPhone, Author Catherine Rampell explores answers to these questions in a New York Times article:

"Economists have theories about market conditions that encourage planned obsolescence. A company has strong incentives to degrade product durability when it has a lot of market power and when consumers don’t have good substitute products to choose from... A company could still be encouraged to engage in planned obsolescence if consumers perceive large “switching costs” associated with going to a new brand."

Questions about the durability of Apple smart phone arose from battery-life observations, although apps that perform a lot of background processing (or tracking and reporting) may also be the cause. In her article, Rampell likens the Apple smart phone to fashion.


Data Breach At California Hospitals Put Sensitive Health Information of 729,000 Patients At Risk

A data breach at the AHMC Healthcare hospital group earlier this month has placed the sensitive health information of 729,000 patients at risk. The breach occurred when two laptop computers were stolen from an administration building in San Gabriel Valley.

The theft was recorded on video on October 12, and it was discovered on October 14. The breach victims were patients at several AHMC hospitals: Garfield Medical Center, Monterey Park Hospital, Greater El Monte Community Hospital, Whittier Hospital Medical Center, San Gabriel Valley Medical Center and Anaheim Regional Medical Center.

According to the October 21 breach announcement (Adobe PDF), the theft included patient records with the following data elements: patient names, Medicare and healthcare insurance identification numbers, diagnosis and medical procedure codes, and insurance payment information.

The hospital group is investigating the breach and has hired a vendor to assist. The breach announcement did not disclose what steps the hospital group will take to avoid future thefts like this.

A breach like this makes one wonder why so many patient records were stored on two laptop computers.


Schnucks Supermarket Agrees To $1.6 Million Settlement Over Data Breach

Schnucks Market has agreed to settle a class-action lawsuit after a data breach affected 2.4 million consumers. Terms of the proposed settlement require the retailer to pay:

"... up to $10 to customers for each credit or debit card that was compromised and had fraudulent charges posted on it... Schnucks also would pay customers for certain unreimbursed out-of-pocket expenses such as bank, overdraft and late fees... There would be a cap on these expenses of up to $175 per class member... Schnucks would pay: up to $10,000 for each related identity theft loss, with the total capped at $300,000; up to $635,000 for the plaintiff and settlement attorney’s fees; and $500 to each of the nine named plaintiffs in the lawsuit."

The settlement must be approved by the court. The March 2013 data breach had affected about 2.4 million debit- and credit cardholders in several states.


JPMorgan Chase and U.S. Justice Department Reach Tentative $13 Billion Settlement About Mortgage-Backed Securities. What Next?

Earlier this week, many news outlets reported the JPMorgan Chase bank and the U.S. Justice Department had tentatively agreed to a $13 billion settlement for alleged corporate wrongdoing with mortgage asset-backed securities the bank sliced, diced, re-bundled, and sold as derivatives and other financial products. A key part of this settlement isn't the huge cash amount, but that the criminal investigation continues and prosecution is a distinct possibility -- as it should be.

Just last month, the bank agreed to pay $1 billion to settle with the CFPB and other agencies about alleged wrongdoing with identity-theft protection services and collection services.

My questions are: after the current criminal investigation and settlement about mortgage asset-backed securities are concluded, what next about credit-card asset-backed securities by JPMorgan Chase? Will this be a another criminal investigation with jail time for more bank executives?

Some background for those unfamiliar:


Missouri Attorney General Announced A New National Fund For Victims Of Moneygram Scams

The Attorney General for the State of Missouri announced last week the establishment of a new, national fund to assist and repay victims of Moneygram scams. The fraudulent wire transfer scams occurred between January 2004 and August 2009. According to the announcement:

"MoneyGram International, Inc. (MoneyGram), a global money services business, has agreed to forfeit $100 million to the United States as part of an agreement with the Justice Department. The agreement arose from a case involving approximately 25 MoneyGram agents allegedly carrying out wire scams..."

The fraudsters operated several versions of scams, often targeting senior citizens. Some of the scams involved promises of large cash prizes, shopping discounts, or employment opportunities as a "secret shopper" to trick unsuspecting consumers into transferring money. Another version of the scam involved a bogus story where a relative was stranded in another country, in need an immediate cash.

The Missouri Attorney General's Office will send letters to consumers who filed complaints about the MoneyGram scam. the letters describe the process for victims to receive a share of the forfeited payment. If you were a victim of the scam and did not file a complaint, you may still be eligible. If you believe you were a victim during the above period, contact the Missouri Attorney General's Office at 800-392-8222. All claims must be submitted by November 15, 2013.

For more information about the claims process, see http://www.justice.gov/criminal/vns/caseup/moneygram.html. The Justice Department's Victim Asset Recovery Program will review claims and determine payment on a case-by-case basis. The amount victims will receive will be determined after all claims have been processed.

The Oregon Attorney General, made a similar announcement in September 2013 about a settlement with Moneygram.

Sadly, this is not the first time Moneygram has been involved in scams. In 2008, The State of Maryland Attorney General announced an agreement between Moneygram and attorney generals in 43 states for alleged wire transfers to fraudulent marketers. The 2008 announcement:

"... MoneyGram will, among other things, fund a $1.1 million national consumer awareness program and set out very prominent consumer warnings on the forms used by consumers to wire money. MoneyGram, based in Minneapolis, offers money transfer services by wire... The problem addressed by the Agreement is the high number of “fraud-induced transfers” – money wired by consumers to fraudulent telemarketers and other scam artists. For example, some telemarketers, often based in other countries, use a “lottery” scam, in which they tell vulnerable consumers they have won a large sum of money but must pay taxes or other charges in order to claim the winnings..."

The Texas and Vermont attorney generals made similar announcements about the 2008 settlement. And, the U.S. Justice Department announced in November 2012:

"MoneyGram International Inc... has agreed to forfeit $100 million and enter into a deferred prosecution agreement (DPA) with the Justice Department in which it admits to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program, as charged in an information filed today in the Middle District of Pennsylvania."

In that 2012 announcement, Assistant Attorney General Breuer said:

“MoneyGram’s broken corporate culture led the company to privilege profits over everything else... MoneyGram knowingly turned a blind eye to scam artists and money launderers who used the company to perpetrate fraudulent schemes targeting the elderly and other vulnerable victims."

It sounds to me like the corporate culture is still broken. How much is enough? While the fines help victim recover stolen money, they clearly aren't enough. Send corporate executives to prison. That will put a quick stop this garbage.

Readers of this blog know that Moneygram is key vendor behind Walmart Money Centers, which offer a variety of banking services including money transfers, credit cards, prepaid cards, and gift cards. Knowing this history, I would not buy any money transfers at a Walmart Money Center. Would you?

Experts advise consumers to never wire money to a stranger. Transferring money via wire services is the same as cash. Call or contact the supposed family member in distress first, to verify the story.


Criminals Use Your Posts On Social Networking Sites. More Facebook Being Facebook

Writing this blog for over six years has taught me that criminals and fraudsters are persistent, creative, and use the same online tools that you and I use. You see this in a variety of online activities from malware disguised as anti-virus software to phishing e-mails to text message spam to malware customized for Apple brand products to check scams to ransomeware to the numerous tools criminals use to hack your mobile device in WiFi hotspots.

Social Media Today reported some interesting statistics about social networking sites and crime:

"54% of burglars say that posting your status and whereabouts on social media is a victim's biggest mistake. By broadcasting to people that you are away from home, you are advertising that you are leaving your home unprotected. 78% of burglars admit to using Facebook, Twitter, Foursquare, and Google Street View to select victim's homes."

The statistics were compiled from several sources. The site posted an interesting infographic, which included:

"Sex crimes are the most common social media-related offense... 33% of all Internet-initiated sex crimes were instigated through social networking sites... In 50% of all sex crimes against a minor, offenders obtained information and/or pictures of the victim through the victim's social networking profile..."

Researchers previously documented that 30 percent of teen girls meet in-person people they met online. And, this 2011 Carnegie Mellon CyLab report (Adobe PDF) explored the evidence that criminals target children for identity theft and fraud. Of the children's identities examined by the researchers, about 10% experienced identity theft, with the rate highest among teenagers.

Facebook logo All of this makes Facebook.com's recent privacy changes seem totally idiotic. If you missed it, Facebook.com announced on Wednesday three privacy changes for teenage users:

"Up until today, for people aged 13 through 17, the initial audience of their first post on Facebook was set to 'Friends of Friends' – with the option to change it. Going forward, when people aged 13 through 17 sign up for an account on Facebook, the initial audience of their first post will be set to a narrower audience of 'Friends...' So, starting today, people aged 13 through 17 will also have the choice to post publicly on Facebook... In addition, teens will be able to turn on Follow so that their public posts can be seen in people's News Feeds. As always, followers can only see posts they are in the audience for."

Yes, you read that correctly. Previously, teens could not post publicly on Facebook. Now they can. Nothing could go wrong with that, right? Moreover, Facebook enabled the "Follow" feature, so people can read teens' publicly-available post without being connected as "Friends." Nothing could go wrong with that either, right?

To the good, Facebook changed the default setting for teen accounts to "Friends" from the much broader "Friends of Friends," a step in the right direction, but the other changes represent two big steps in the wrong direction. These changes came on top of another feature change that eroded users' privacy: Facebook eliminated the option for members to opt-out of having their Timelines searchable with Facebook's search mechanism.

This means that all Facebook members' Timelines are searchable. Some people wonder if it is time to leave Facebook. The reason Facebook gave for this change:

"Everyone used to have a setting called "Who can look up your Timeline by name?," which controlled whether you could be found when people typed your name into the Facebook search bar. The setting was created when Facebook was a simple directory of profiles and it was very limited... Today, people can also search Facebook using Graph Search making it even more important to control the privacy of the things you share rather than how people get to your Timeline. The setting also made Facebook's search feature feel broken at times..."

My view: if you make your website interface for privacy settings convoluted and difficult enough for people to use and to understand, then people won't use their privacy settings -- and it becomes a self-fulfilling prophecy to remove privacy features later.

Facebook launched a campaign in April 2013 to promote privacy among teenagers by working with the attorney generals from 19 states. These recent privacy changes seem to fly in the opposite direction. What are Facebook executives thinking?

Teens represent a group that is learning about privacy and the consequences of disclosing too much. (See the first paragraph above for a list of some of the online threats teens, and their parents, must learn to recognize.) These (anti-)privacy changes also highlight the reality of Facebook's business model:

  • To make money, Facebook must erode members' privacy
  • To make money, Facebook must treat teenage children as adults
  • Parents have less and less control over their children's online activities

Remember the new privacy rules for children announced by the FTC in July. I just don't see the recent privacy changes by Facebook.com as consistent with these new rules.

What can parents do to help protect themselves and teach their children about online safety? One place to start is the Parents Resources section of the Stay Safe Online website, and this cell phone safety page for parents of teens.

What do you think about the above crime statistics? About the recent privacy changes by Facebook.com?


California Attorney General Files Suit Against For-Profit College

Logo for Corinthian Colleges, Inc. The Attorney General's office for the State of California announced last week that it had filed a lawsuit against Corinthian Colleges, Inc. (CCI). The complaint alleged that the company performed:

"... false and predatory advertising, intentional misrepresentations to students, securities fraud and unlawful use of military seals in advertisements... CCI intentionally targeted low-income, vulnerable Californians through deceptive and false advertisements and aggressive marketing campaigns that misrepresented job placement rates and school programs. CCI deployed these advertisements through persistent internet, telemarketing and television ad campaigns... Corinthian executives knowingly misrepresented job placement rates..."

The complaint also named as defendants Everest, Heald and WyoTech colleges. The announcement said that the complaint cited internal company documents obtained by the Department of Justice. which described the consumers targeted by CCI's marketing activities:

"... as “isolated,” “impatient,” individuals with “low self-esteem,” who have “few people in their lives who care about them” and who are “stuck” and “unable to see and plan well for future.” "

CCI describes itself in its website as:

"... one of the largest for-profit, post-secondary education companies in North America, with more than 81,300 students at over 111 U.S. and Canadian campuses. Our campuses offer short-term diploma and/or degree programs in a variety of popular career fields..."

The complaint alleged that CCI advertised placement rates for its graduates of 100 percent when the reality was the rate was about zero. California Attorney General Harris said:

"The predatory scheme devised by executives at Corinthian Colleges, Inc. is unconscionable. Designed to rake in profits and mislead investors, they targeted some of our state’s most particularly vulnerable people—including low income, single mothers and veterans returning from combat... My office will continue our investigation into the for-profit college industry and will hold accountable those responsible for these illegal, exploitative practices.”

Current or former CCI students should contact the California Attorney General's Office to file a complaint.

It is good to see an attorney general pursue this type of alleged corporate behavior. I hope that stiff fines and punishments result with specific executives named, and not a weak settlement agreement where the company does not admit any wrongdoing. In my opinion, the company should pay the entire debts of its graduates it promised 100 percent placement rates in jobs, and who haven't found work.


Operator Of Misleading Website Settles With Maryland Attorney General

Last week, the Attorney General's office for the State of Maryland announced that its Consumer Protection Division had reached a settlement with Stanislav Komsky, operator of the Joomsef.net, a website that featured traffic citations issued to Maryland residents. The Maryland Attorney General office's announcement said that Komsky's website:

"... exaggerated the traffic offenses by representing that consumers had been "booked" or arrested, and by displaying a space on each webpage reserved for a photograph of the consumer that was captioned "Mugshot Unavailable," wrongly suggesting that a mugshot had been taken... In order to fully view the information about the "charged" offenses, Joomsef.net required a fee of $9.99..."

So, to view a full report, which was misleading, residents paid $9.99 per report. Residents who wanted their information removed Joomsef.net had to pay from $39.99 to $89.99, depending upon how quickly they wanted their information removed. Komsky has since taken down the Joomsef.net website.

Terms of the settlement agreement require Komsky to cease publishing false or misleading information about consumers' backgrounds (criminal or other), to refund payments he already collected from consumers to view or remove their information, and to pay a $7,500 penalty to the Consumer Protection Division.

Maryland Attorney General Gansler said:

"The Internet should be a resource for sharing information, not a vehicle for spreading misinformation... Businesses cannot be allowed to post half-truths on the Internet to make a quick buck."

A number of websites have emerged in several states where website operators post publicly-available mug-shot photos, and then charge large fees to residents who want the information removed. I agree and look forward to more states' attorney generals investigating and prosecuting this type of deceptive marketing.


Police Body Cameras. What They Are And The Privacy Issues

This blog has reported about the spread of several new surveillance technologies outside consumers' homes (more later about the spread inside homes), from smart mannequins to retail stores spying on their shoppers to smart grocery store shopping carts to smart trash recycle bins to automated license plate readers to drones. to BYOD work policies (where some employers may download the entire contents of employees' personal mobile devices used for work). Today's blog post is about a new technology used by many local police departments.

For several years, police departments have used video cameras mounted in their vehicles. The next step in the evolution of video surveillance has been the adoption by police departments of "police body cameras," also called "police cams" or "on-officer cameras." These are tiny recording devices attached to police officers' clothing -- part of the new category of wearable mobile devices.

Police departments in Albuquerque, New Mexico and other cities recently purchased on-officer cameras. The Los Angeles Police Department is considering a pilot program for the use of on-body cameras.

While everyone agrees that the recording and documenting of criminal wrongdoing with video cameras is a good thing, the concerns center around abuse of the information recorded against innocent people. The ACLU summarized the privacy issues:

"Will police officers have the discretion to control what the cameras record? If officers can “edit on the fly,” that will destroy this technology’s value as a police accountability tool. Should officers’ cameras be on at all times during their shift, or would it be too oppressive for officers to have every chat between partners in a patrol car recorded, and to worry that recordings will be misused by police supervisors against whistleblowers or union activists?... Are good policies are put in place to ensure that these cameras do not invade the privacy of particular individuals, or become yet another vector for mass surveillance? How can we ensure that citizens are made aware that they are being recorded; that video taken inside a person’s home (during a domestic violence call or burglary investigation, for example) or in other sensitive situations does not embarrass someone and cause others to hesitate to call for help? How can we ensure that video of embarrassing or titillating incidents does not get circulated within a police force for laughs, or end up on the internet? How can we ensure that the public has faith that video of their interactions with the police will be strictly handled?"

To address these issues, the ACLU recommended specific policy guidelines for the deployment of body-mounted cameras by police departments:

"... the challenge of on-officer cameras is the tension between their potential to invade privacy and their strong benefit in promoting police accountability. Overall, we think they can be a win-win—but only if they are deployed within a framework of strong policies to ensure they protect the public without becoming yet another system for routine surveillance of the public, and maintain public confidence in the integrity of those privacy protections. Without such a framework, their accountability benefits would not exceed their privacy risks."

The policy recommendations cover the following areas:

  • Notice to citizens
  • Recording in citizens' homes
  • Data retention
  • Use of recordings
  • Subject Access (indexing of video content)
  • Public Disclosure
  • Technology Controls

You can easily read online the numerous policy recommendations, so I did not repeate them here. Or download the report (Adobe PDF). The City Council in Cambridge, Massachusetts voted for a period of public discussion before the deployment of DHS surveillance cameras. The same applies to police body cameras.

Now, you know what to discuss with local politicians and law enforcement officials where you live.


Adobe Data Breach Affects 2.9 Million Customers

On Thursday, Adobe announced a data breach that affected 2.9 million of its customers. The types of data elements accessed and stolen included customer names, ID numbers, encrypted passwords, encrypted credit- and debit card numbers, expiration dates, and information related to customers' software orders. At the time of the breach announcement, Adobe does not believe that unencrypted credit- and debit card numbers were stolen.

Adobe is working with its partners and law enforcement to investigate the breach and resolve the situation. Besides notifying affected customers' banks, Adobe is:

"... resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password... notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you..."

Adobe will offer affect customers one year of free credit-monitoring services.Perhaps most troubling is that during the Adobe breach, hackers modified and/or stole the company's source code for several of its products. Reportedly, products with stolen source code included Adobe Acrobat and ColdFusion. Adobe produces several other proudcts including Photoshop, which is available through the company's Creative Cloud service.

The Krebs On Security blog announced the breach before Adobe confirmed it:

"... hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network that handled credit card transactions for customers... affected customers — which include many Revel and Creative Cloud account users... Adobe is still in the process of determining what source code for other products may have been accessed by the attackers, and conceded that Adobe Acrobat may have been among the products the bad guys touched..."

Krebs On Security reported that the hackers behind the Adobe breach are the the same group behind the NW3C breach:

"...the attackers appear to have initiated the intrusion into the NW3C using a set of attack tools that leveraged security vulnerabilities in Adobe’s ColdFusion Web application server..."

The modified and/or stolen source code for Adobe software products is particularly alarming and troublesome because it becomes very easy for hackers and thieves to insert malware inside of product software to do far more damage, identity theft, and data breaches. It undermines totally the security of the software.


Wage Theft Flow For Executives

What I have learned and observed during my career while working for a variety of businesses:

Basic wage theft flow for executives

Click on the image to view a larger version. Pretty soon, I will publish an "advanced" wage-theft flow, as there are even more ways some ethics-challenged executives and employers will "mug" their employees. To learn more, visit the Wage Abuse section of this blog.


My Favorite Twitter Hashtags

Some people dislike Twitter. Many people love it. I love it, too. For me, Twitter is an efficient method to read breaking news. I also use it to promote this blog and interact with readers. Many privacy experts, bloggers, attorneys, and reporters follow my tweets, and I follow theirs.

Using Twitter effectively includes using hashtags. You've probably seen them. Hashtags are an effective way to categorize a tweet, identify an industry, company, event, or trend, and/or provide a concise commentary. Good hashtags are short, easy to read, and easy to type. The best ones are obvious and don't need an explanation. Hashtags make searches more accurate. Hashtags are so popular that Facebook added the feature to their service.

Users create and apply hashtags. That is both a blessing and a curse. Unlike categories used by librarians and information specialists, there is no single, standardized list of hashtags. And, things change along with the news. For example, the hashtag #FAA often refered to the U.S. government agency (e.g., Federal Aviation Administration), but lately it has referred to a U.S. law created to fight terrorism (e.g., FISA Amendments Act). So, hashtag usage is often a free-for-all. The closest thing I have seen to a single, comprehensive, standardized list is the Hashtag Directory at the TWUBS website.

Some of my favorite hashtags related to this blog:

CategoryHashtags
Banking and Finance #Banks
#CreditUnions - Credit Unions
#Debit = Debit cards or associated fees
#OWS = Occupy Wall Street protest
#Paycards = Prepaid payroll cards
#Prepaidcards = Prepaid cards
Corporate Responsibility #BYOD = Bring your own device = employer's policy that allows employees to use personal mobile devices for work
#CR = Corporate Responsibility
#CSR = Corporate social responsibility
#DeceptiveMarketing = Deceptive marketing
#NetNeutrality = Internet Neutrality = #OpenInternet
#smallbiz = Small businesses
#SMB = Small and medium businesses
#TBTF = Too Big To Fail
#TBTJ = Too Big To Jail
#whistlebloweraward = Whistle blower award
Data and Data Analysis #BigData = Data mining/analysis
#cloud = cloud services
#Infographic = Information in graphic form
#Metadata = descriptive data
#Tracking
Data Breaches and Security #databreach - Data/security breach
#hackable
#hacking
#infosec = Information security
#Security = Data security
#Threat
Government #Amash = U.S. Congressman's proposal
#Congress = the U.S. Congress
#GCHQ = Government Communications Headquarters (Britain)
#HIPAA = Health Insurance Portability & Accountability Act
#Holder = U.S. Attorney Eric Holder
#NSA = National Security Agency
#POTUS = President of the United States
#SCOTUS = Supreme Court of the United States
Identity Theft and Fraud #Fraud
#GMMFM = Give me My F--king Money
#IDtheft = Identity theft
#IDTheftChat = Online discussion about identity theft
Privacy #COPPA = Children's Online Privacy Protection Act
#DNtrack = #DoNotTrack = Do not track
#DPPA = Driver Privacy Protection Act
#ECPA = Electronic Communications Privacy Act
#FCRA = Fair Credit Reporting Act
#FourthAmendment = Fourth Amendment of the U.S. Constitution
#Privacy
Social Networking #kidsapps = Mobile apps for children
#mobile
#NSFFB = Not Safe/Suitable For Facebook
#NSFW = Not Safe For Work
#Social
#SocialMedia
#Video
Surveillance #FISA = Foreign Intelligences Surveillance Act
#FisaAmendmentsAct = #FAA = FISA Amendments Act
#NSA = National Security Agency
#PRISM = an NSA spy program
#Snowden = Former NSA analyst Edward Snowden
#Spy
#Surveillance
#XKeyscore = an NSA spy program
Technology #GoogleGlass = Google glass eye-wear
#RFID = Radio-frequency identification
#Wearables = clothing with embedded computers
#Wireless
Wage Theft And Abuse #payroll
#wages
#WageTheft
Commentary And Criticism #fail (usually used with another hashtag)
#FF = #FollowFriday = people recommendations
#FTW = For the win
#FWIW = For what it's worth
#GMMFM = Give me my f--king money (employees due back wages)

What are your favorite hashtags? Which hashtags do you use?


Online Review Fraud

Recently, researchers at Harvard Business School published a report about a study about fake online reviews. Typically, a company or hired vendors write the fake online reviews. The researchers studied fake reviews at the Yelp.com site about restaurants in Boston, and found:

"First, roughly 16 percent of restaurant reviews on Yelp are identified as fraudulent, and tend to be more extreme (favorable or unfavorable) than other reviews. Second, a restaurant is more likely to commit review fraud when its reputation is weak, i.e., when it has few reviews, or it has recently received bad reviews. Third, chain restaurants - which benefit less from Yelp - are also less likely to commit review fraud. Fourth, when restaurants face increased competition, they become more likely to leave unfavorable reviews...

The researchers labeled certain business behaviors: "positive review fraud" when a business engaged in creating fake, positive reviews about itself, and "negative review fraud" when a business engaged in creating fake, bad reviews about a competitor. The study methodology used Yelp's formulas for identifying bogus reviews. At the time of the study, Yelp had about 30 million online reviews and 100 million unique visitors per month.

The researchers cited results from other studies that focused on other industries:

"... Mayzlin et al. (2012) exploit an organizational difference between Expedia and TripAdvisor (which are spin-o s of the same parent company with different features) to study review fraud by hotels: while anyone can post a review on TripAdvisor, Expedia requires that a guest has "paid and stayed" before submitting a review. The authors observe that Expedia's verification mechanism increases the cost of posting a fake review. The study finds that independent hotels tend to have a higher proportion of five-star reviews on TripAdvisor relative to Expedia and competitors of independent hotels tend to have a higher proportion of one-star reviews on TripAdvisor relative to Expedia..."

The findings in this study probably explain the motives by 19 companies exposed last week and fined for astroturfing by the New York State Attorney General. Desperate companies and executives do desperate things. It isn't right, but they do it. And, they will continue committing online review fraud as long as:

The probability of getting caught X the probability of getting sued X the probability of paying a fine (or going to jail) < the amount of revenues generated by fake online reviews

What are consumers to do? Right now, learn how to spot fake reviews. Some of the links below can help. I hope that the attorney generals in more states investigate and prosecute online review fraud. These fraudsters need to be exposed publicly.

Download the Harvard Business School report, "Fake It To You Make It: Reputation, Competition, And Yelp Review Fraud" (Adobe PDF). Learn more about online reviews: