Previous month:
November 2013
Next month:
January 2014

21 posts from December 2013

Banks Oppose Volcker Rule

Just before the Christmas holiday, the New York Times reported that the American Bankers Association:

"... have long been lobbying to shape or water down the Volcker Rule, the provision intended to deter banks from making risky bets with their own money, in hopes of avoiding the need for future bailouts of the financial system... In a letter Monday, the association said it would file a lawsuit challenging the rule, unless regulators immediately suspended a provision that could force regional and community banks to divest themselves of an investment in collateralized debt obligations backed by trust preferred securities, known as TruPs... The trade group sent the letter to the Federal Reserve chairman, Ben S. Bernanke; the Federal Deposit Insurance Corporation chairman, Martin Gruenberg; and the Comptroller of the Currency, Thomas Curry..."

The Volcker Rule requires banks to divest of risky assets by July 21, 2015.


Target Confirms Debit Card PIN Payment Information Stolen During Breach. Lawsuits Filed

Target Bullseye logo Almost immediately after its data breach, Target said that debit card PIN numbers were not stolen. You may remember this December 20, 2013 statement by Target CEO Gregg Steinhafel:

"There is no indication that PIN numbers have been compromised on affected bank issued PIN debit cards or Target debit cards. Someone cannot visit an ATM with a fraudulent debit card and withdraw cash."

In an updated December 27, 2013 breach notice (Adobe PDF), the retailer admitted that debit card PIN numbers had indeed been stolen during the data breach:

"... our ongoing investigation determined that strongly encrypted PIN data was removed from our system during the data breach incident..."

Then, its latest statement attempted to reassure shoppers:

"... These [PIN data] files are protected by triple DES encryption, the most secure standard... We never had access to the encryption key required to open or read the PIN files..."

Shoppers are supposed to be comforted by the disclosure that even though PIN payment data was stolen, the encryption was strong and the encryption keys were stored in a different place than the encrypted debit payment information. This assumes that the hackers didn't also breach the location with the stored encryption keys during the breach or previously. C/Net reported:

"However, one major U.S. bank is worried that the hackers might be able to crack the encryption code, giving [thieves] the ability to withdraw money from bank accounts..."

While writing this blog for the past 6+ years (including posts about the massive TJX Companies/T.J. Maxx data breach), I have learned that hackers are smart, persistent, and study their targets (no pun intended) before an attack. All of that seems to apply to the Target breach. Hackers use computers just like you do. And that includes software to break or decode encrypted data. It may take time, but hackers have time. That's one reason for long-term credit monitoring services for breach victims.

Breach victims are angry, and some are not buying the company's assurances. Some consumers have filed lawsuits against Target. ABC News reported:

"Angry shoppers are lashing out at Target, filing lawsuits in California and Oregon against the retailer, alleging the store "failed to implement and maintain reasonable security procedures" when credit and debit card data for about 40 million customers... On Thursday, Target customer Jennifer Kirk filed a lawsuit in San Francisco in the hopes of being certified as part of a class action..."

These lawsuits are not a surprise given the huge size of the breach, and that the U.S. banking system uses obsolete technology for debit/credit cards. The rest of the planet uses newer technology in their debit and credit cards.

That Target first denied PIN payment data was stolen, and then reversed itself by admitting that PIN data was stolen demonstrates the risk of executives making hasty statements before a forensic breach investigation is completed. A company can't really know until after the investigation is completed:

  1. Exactly what data elements (e.g., name, address, card numbers, PIN numbers, 3-digit security codes, etc.) were accessed and stolen,
  2. The specific computer sserver(s) and/or networks hacked,
  3. The technology(ies) the thieves used, and
  4. The duration of the attack and breach

While I am not a computer systems security expert, I have seen many data breaches since I started writing this blog over six years ago. History has taught me that a company can't reliably claim what was (or wasn't) stolen and that a breach is fixed until the investigation is completed, the extent of the attack and the damage are known, and then the appropriate technical solutions are implemented on the affected servers and networks -- and ideally, are hardened. Often, that fix also includes training employees to avoid risky behaviors that introduce malware and computer viruses.

At least 2,000 shoppers visiting from Europe were affected by the breach, and, the U.S. Secret Service is also investigating the Target breach. The findings from that agency's investigation may also affect the retailer's fixes.

The company's early statements, before all the facts were in, are why I have very little faith in what Target says. Shop at its stores, but use cash or credit cards. Breach victims should change their debit card PIN information; ideally, and replace affected bank accounts with new ones. Like other breach incidents, Target will likely pay for the costs banks incur to switch bank accounts for breach victims.

The whole incident is a reminder for consumers of the risks of shopping with their debit cards. Despite what the banking industry and retailers claim, the U.S. banking system uses obsolete technology for debit/credit cards. Plus, when you shop with your debit card, you are betting that criminals have not hacked:

  • The point-of-sale terminals (e.g., payment terminals) in the stores,
  • The wireless transmissions between the retail stores, and/or
  • The retail company's centralized databases and networks.

Plus, stolen debit card payment information provides thieves direct access to your checking accounts. Stay tuned. We will hear a lot more about the Target data breach during the coming weeks and months.


You Gave JPMorgan Bank A Whale Of A Christmas Gift

JPMorgan Chase bank received a whale of a Christmas present in 2013, after paying a record amount of fines. I think that the bank's executives should thank American taxpayers for this gift. They probably will never thank us, though.

What was the Christmas gift? Christopher Brauchli wrote an excellent summary at CounterPunch. First, some background about the bank (links added for reference):

"Between June 2010 and November 2012 JPMorgan Chase paid more than $3 billion in fines and settlements... overcharging active-duty service members on their mortgages, misleading investors about a collateralized debt obligation it marketed, rigging at least 93 municipal bond transactions in 31 states... In August 2012 alone it paid a fine of $1.2 billion to resolve a lawsuit that alleged it and other institutions conspired to set the price of credit and debit card interchange fees... February 2012 it paid $1.8 billion to settle claims that it and other financial institutions improperly carried out home foreclosures after the housing crisis..."

Remember, all of that was before 2013. Here's the tally for 2013 (links added for reference):

"In July 2013 it paid $410 million for alleged bidding manipulation of California and Midwest electricity markets. In September 2013 it paid $389 million for unfair billing practices, in September it paid $920 million for actions of the “London Whale” disaster, and in October 2013 another $100 million with respect to the same fiasco... November 19, 2013 it was reported that JPMorgan Chase was going to pay $13 billion to settle what in non-legal terms would be described as a whole bunch of claims that had to do with the mortgage crisis... December 13 it was announced that the bank was entering into a $2 billion deferred prosecution agreement with the government because of its role in the Bernie Madoff Ponzi scheme."

That is a record amount of fines, folks. Plus, the 2013 tally didn't include a data breach, and alleged bribing of Chinese officials to win lucrative contracts. What a corporate history.

Mr. Brauchli explained what your whale of a 2013 Christmas gift was to the bank:

"... Marianne Lake, the Chief Financial Officer of the bank explained that taxpayers will help the bank pay the fine. She explained that of the $13 billion, $7 billion is tax deductible..."

Aren't you thrilled?! It's not like the USA has a federal debt problem to worry about. We have this cash just lying around waiting to be used. Not!

Viewed another way: politicians in Congress believe that the USA can afford to give a $7 billion tax break to an already highly profitable bank, but can't afford unemployment checks for the unemployed, and food stamps for the poor? Our current Congress seems to be Robin-Hood-in-reverse: take from the poor and give to the rich.

This wasn't the first gift by taxpayers to JPMorgan. JPMorgan bank received a $25 billion bailout in 2008. You might think that a bank that had been treated so well by taxpayers would not engage in the abuses of taxpayers Mr. Brauchli listed in the CounterPunch article.

Clearly, fines are not enough. Bank executives must be prosecuted. About the effectiveness of fines to prevent banking abuses, former Secretary of Labor Robert Reich said in September 2013 on Twitter.com:

"Fines effective only if risk of being caught x probability of being prosecuted x amount of fine > profits to be made."

I'm not holding my breath waiting for a thank-you card from the bank. By its actions, it treats both consumers and taxpayers like chumps. A bit of embarrassment definitely beats jail time.

Season's greetings!


Sing-Along: You Better Watch Out. The NSA Is Coming To Town

"You better watch out.
You better not Skype.
You better log out.
You better not type.
The NSA is coming to town."

When Congressional politicians return to Washington after the holiday break, it will be great to greet them with a gift from American voters: stop the abuse by the NSA. There is a good bipartisan bill, the USA FREEDOM Act, before both the House and the Senate in Congress. Read HR 3361, S 1599 (Adobe PDF), or learn more

Sign the petition today and contact your elected officials to support this bipartisan legislation!


Helping The Poor Trapped In Banking Deserts In The USA

Despite the claims of many politicians (and some economists), markets don't solve all problems, and many consumers are not just abused, but overlooked and ignored. There is a wonderful and inspiring article in Forbes magazine about how the dedicated and hardworking folks at Hope Enterprise Corporation, a community development financial institution, help the poor.

"HOPE serves black farmers in the south, though its customer base is much broader than that. Like Root Capital, HOPE was founded to address a fundamental market failure, and it has developed creative strategies to serve a rural population left behind by traditional banks."

Bill Bynum, the CEO of Hope, described the challenges and his organization:

"We work with a population that has not had the opportunity to participate in the formal banking system. Our region still suffers from a legacy of plantation agriculture, which relied on keeping people uninformed and dependent. The vestiges of this system persist today, leaving significant gaps, opportunity gaps... HOPE was started in the mid-90s by civic and business leaders who had seen years of effort to improve conditions in the delta, the most impoverished region in the U.S., produce little change... HOPE’s territory is akin to a developing country, a situation made worse by the dramatic expansion of bank deserts throughout the region. Eighteen hundred bank branches have closed since the recession and 93 percent of those are in low-income tracts. It’s happening across the country but it’s been particularly devastating to neighborhoods here in the Mid South... that leaves a lot of communities on the outside looking in, and vulnerable to predatory lenders and other abusive financial practices. Our region has always been under-banked and under-served by traditional institutions..."

Hope Enterprise Corporation works closes with the Hope Credit Union. I strongly encourage you to read the entire Forbes article. Another title for this article could have easily been, "What Hope Can Teach Others Seeking To Serve Bank Deserts In The USA."


JPMorgan Chase Bank Limits Debit Card Purchases By Its Cardholders Affected By The Target Breach

The Chicago Tribune newspaper reported that JPMorgan Chase bank has placed limits on debit card purchases for its customers that have been affected by the Target data breach. The new, lower limits are $100 per day for cash withdrawals and $300 per day for purchases.

Reportedly, the limits affect about 2 million debit card customers, about 10 percent of Chase's total debit card customers. The limits come at a bad time: holiday shopping before the Christmas holiday.

Also, Chase bank announced several changes due to the Target breach. The changes affect customers with either Chase debit cards and Chase Liquid Cards. Chase credit card customers are not affected. The bank said that it will contact directly debit card customers that have been affected by the breach. the bank also said:

"Customers whose Chase debit cards or Chase Liquid Cards are at risk by the Target breach will experience some temporary limits on cash and purchases until we can replace their cards. If you need cash beyond these limits please visit a branch. With proper identification, you can access your available funds."

Shoppers at Target stores in the USA were affected by the data breach. The company said that shoppers at stores in Canada were not affected. DNB, Norway's largest bank, confirmed that at least 2,000 shoppers visiting from Europe were also affected.

I fully expect more banks to announce similar precautions. The threat is real and ongoing, since the payment information about debit cards stolen during the Target breach is already being resold online.


Data Breach At Target Stores In USA. How Affected Shoppers Can Protect Themselves

Target Bullseye logo Yesterday, Target stores announced a data breach affecting customers who purchased items in stores with their credit card or debit cards from November 27 to December 15, 2013. The specific payment information stolen included customers' names, card numbers, expiration dates, and the three-digit CVV security numbers.

While the Target breach announcement did not disclose the total number of shoppers affected, Mashable and TechCrunch reported that 40 million consumers were affected by the breach. That is a massive breach. Target has 1,797 stores in the USA and 124 in Canada. Shoppers at stores in Canada were not affected. DNB, Norway's largest bank, confirmed that at least 2,000 shoppers visiting from Europe were also affected.

Several media sources have reported that the Target breach is the second biggest in the USA to the TJX/TJ Maxx breach, but it is probably third biggest if you consider the Heartland breach. These size comparisons are useless because many companies don't disclose the number of breach victims affected.

TechCrunch also reported:

"The company moved quite slowly on this breach. On December 12 Brian Krebs reported the first rumors of the attack, suggesting it consisted of a wholesale scraping of “track data,” the data found on each credit card magnetic track. Krebs suggests that the thieves may have broken into the stores’ wireless networks and grabbed the card information as it was transferred from the cash registers."

The New York Times reported:

"By breaching point-of-sale systems, cybercriminals can create counterfeit cards. If they were able to intercept the PIN information, as well, it is also possible that thieves could withdraw money from a customer’s account through an A.T.M. A similar breach affected Barnes & Noble stores last year. In that case, customers at 63 Barnes & Noble stores across the country, including New York City, San Diego, Miami and Chicago, were affected."

The Target breach announcement did not disclose details about how the retailer's systems were hacked. The retailer's announcement included the usual comments: a forensics firm is helping it investigate the breach incident; it is working with local law enforcement, and it has notified banks financial institutions. The U.S. Secret Service is also investigating the Target breach.

Target listed several questions in its breach announcement. One claimed that the breach has been resolved:

"Has the issue been resolved?
Yes, Target moved swiftly to address this issue so guests can shop with confidence. We have identified and resolved the issue of unauthorized access to payment card data..."

I find this claim about resolution premature and difficult to believe, since the breach investigation is still ongoing. The hackers may have accessed Target's systems through several methods, not just the first method identified and closed.

The Target breach announcement advised affected shoppers to do the following to protect themselves and their payment information:

  • Read the breach notice closely,
  • Monitor your bank accounts and card statements for fraudulent transactions,
  • Watch your credit reports for fraudulent transactions,
  • Visit the official Annual Credit Report website to obtain your free credit reports,
  • Contact the major credit reporting agencies to learn more about credit reports and how to place a fraud alert on your credit files,
  • Contact the U.S. Federal Trade Commission (FTC) to learn more about identity theft and how to protect yourself

The Target breach announcement included additional information for consumers to contact the FTC, plus specific instructions for shoppers who live in Iowa, Maryland, Massachusetts, or North Carolina.

After writing this blog for over six years, I have learned a fair amount about data breaches. Affected shoppers should proactively monitor their financial accounts for the next couple years, because identity thieves usually resell stolen payment information to other thieves. So, the thieves that hacked Target's systems won't necessarily be the ones to attempt fraud with shoppers' stolen payment information. While thieves are in no hurry to use the stolen payment information, payment information stolen from the Target breach is already being sold online.

Usually, companies provide free credit monitoring services to breach victims, but Target has not offered that. After its data breach, IBM provided me and other affected breach victims with one year of free credit monitoring.

Consumers that shopped at Target during the above period with a debit card PIN number should change their PIN number, so theives cannot drain their bank accounts through ATM withdrawals. Wise shoppers will also change the passwords on their bank accounts. Shoppers that experience actual fraud (e.g., stolen money from their financial accounts, new accounts opened in their names) will probably want to request a fraud alert (or a security freeze for more protection) on their credit reports and have their banks issue replacement accounts (and cards).

Do I use a debit card to pay for purchases in retail stores? No. It is simply too risky. There have been many breaches at retail stores. When you use your debit card to pay for purchases, you are betting that identity thieves have not hacked:

  • The point-of-sale terminals (e.g., payment terminals) in the stores, and/or
  • The wireless transmissions between the retail stores, any centralized databases the store operates, and the banks.

Plus, stolen debit card payment information provides thieves direct access to your checking accounts.

And, it is especially risky at gas station pumps, which are also point-of-sale terminals due to pay-at-the-pump payment options. The problem: the gas pumps are unattended and accessible by the public for long hours when gas stations are closed. That makes it easy for identity thieves to tamper with gas pumps and insert skimming devices. And many have.

I expect much more news during the coming days or weeks as Target and the U.S. Secret Service share the results of their investigations. If the banks issue replacement debit cards and checking accounts to breach victims, then somebody will have to pay for the replacement cards: the banks or Target.

[Update Dec. 21: In a letter to its shoppers published on its website, Target CEO Gregg Steinhafel mentioned that the retailer will offer, in a future correspondence to affected shoppers, free credit monitoring services.]


Consumer Financial Protection Bureau Sues CashCall

Logo for Consumer Financial Protection Bureau The Consumer Financial Protection Bureau (CFPB) announced that it has sued California-based  CashCall Inc., its owner, its subsidiary, and affiliate for alleged illegal marketing activities:

"... the defendants engaged in unfair, deceptive, and abusive practices, including illegally debiting consumer checking accounts for loans that were void... the high-cost loans violated either licensing requirements or interest-rate caps – or both – in at least eight states: Arizona, Arkansas, Colorado, Indiana, Massachusetts, New Hampshire, New York, and North Carolina..."

The loan amounts varied from $850 to $10,000, and typically had upfront fees, lengthy repayment terms, and annual interest rates from 90 percent to 343 percent. Some consumers signed agreements allowing their loans to be paid by direct debits from their bank accounts.

The lawsuit seeks monetary relief, damages, and civil penalties, plus future compliance by the defendants not to repeat the alleged violations. Named in the lawsuit as defendants were WS Funding LLC, and its affiliate, Delbert Services Corporation, a Nevada collection agency. The CFPB's investigation began in 2009 when it discovered:

"... CashCall and WS Funding entered into an arrangement with Western Sky Financial, a South Dakota-based online lender. Western Sky Financial asserted state laws did not apply to its business because it was based on an Indian reservation and owned by a member of the Cheyenne River Sioux Tribe. But this relationship with a tribe does not exempt Western Sky from having to comply with state laws when it makes loans over the Internet to consumers in various states... In September 2013, Western Sky stopped making loans and began to shut down its business after several states began investigations and court actions..."


Oregon Attorney General Issues Report Listing The 20 Worst Charities

As the end of the year approaches, you are probably considering donations to charities and other non-profit organizations. If so, this is news you'll find critical.

The Office of the Attorney General for the State of Oregon issued its report covering its annual review of organizations and charities raising funds in Oregon that spend spend more money on professional fundraising and administrative costs than on the actual charitable cause it supports. Besides the ranked list, the announcement also included advice for consumers:

"Well-informed and proactive donors can avoid supporting organizations that spend little on their charitable missions. Rather than responding to an unsolicited telephone call or mailing, take time to identify the causes that matter most to you... The organizations on this year’s “Worst 20” list exemplify some “red flags,” including the use of names that are confusingly similar to more reputable charities, and the use of emotionally appealing, but vague, descriptions of the charities’ activities."

The report is based upon standards by the Better Business Bureau (BBB), where organizations should spend no more than 35 percent of the money raised on fundraising and administrative costs, and contribute at least 65 percent of the money raised to the actual charitable programs. For example: a charity that spends 5 percent on the charitable cause it supports that means that 5 cents of every dollar you give goes to the charitable cause and 95 cents of every dollar you give goes to expenses for professional funding and administrative expenses.

So, the 20 worst charities are those organizations that operated furthest from the BBB standards. The top 12 worst charities:

Charity / OrganizationLocationAvg. Annual Expenses (000)% Spent on Charitable Cause
1. Law Enforcement Education Program Troy, MI $2,097.0 3.1%
2. Shiloh International Ministries La Vernem, CA $727.7 3.4%
3. Firefighters Support Foundation Greenfield, MA $3,590.8 6.6%
4. Firefighters Charitable Foundation, Inc. Farmingdale, NY $7,315.6 7.8%
5. The Wishing Well Foundation Metairie, LA $1,216.5 10.0%
6. National Vietnam Veterans Foundation Alexandria, VA $4,547.1 11.1%
7. Committee For Missing Children Lawrenceville, GA $2,181.5 12.4%
8. Woman to Woman Breast Cancer Foundation, Inc. Lauderdale Lakes, FL $4,300.1 13.9%
9. Disabled Police Officers Counseling Center, Inc. Niceville, FL $649.7 14.6%
10. National Association of Police and Lay Charities Washington, DC $424.9 14.7%
11. Law Enforcement Legal Defense Fund Arlington, VA $2,585.9 15.8%
12. Dakota Indian Foundation Chamberlain, SD $1,446.6 18.0%

Download the full report with the 20 worst charities (Adobe PDF).


AT&T Rejects Shareholder Proposal For Increased Transparency About Data Shared In Government Surveillance Requests

The New York Times reported that AT&T has rejected a shareholder request that the telecommunications company be more transparent by publishing regular reports about the customer information shared in response to surveillance inquiries by the U.S. government. The company sent its response to the U.S. Securities Exchange Commission (SEC) and to Thomas P. DiNapoli, a New York State  comptroller, who wrote the resolution seeking greater transparency.

According to the New York Times:

"AT&T said in the letter that matters of “ordinary business operations” should not be controlled by shareholders, but by managers and the board... AT&T also noted that if it were to publish transparency reports, the company would be limited to disclosing its responses to law enforcement requests for information like cellphone records; any information related to the government’s foreign intelligence surveillance activities would be classified. It noted that the so-called transparency reports published by technology companies like Yahoo and Google face the same limitations."

DiNapoli is the trustee of the New York State Common Retirement Fund. A similar transparency proposal was sent to Verizon Communications. Read the full text of the AT&T rejection of the shareholder proposal (Adobe PDF). You can also read the Mashable news article.

Interested consumers, and customers of AT&T (and Verizon) can sign this online petition demanding increased transparency. The online petition was written by the ACLU's San Francisco office. About 32,900 people have already signed the petition. You can learn more about government surveillance in this blog, at the ACLU website, and at the EFF website.

It is baffling why AT&T refuses to publish what it can about what it shares with the NSA and other government agencies. Other companies do. Customers' trust is definitely the issue, and AT&T's reponse so far only decreases this customer's trust. Maybe this 2006 article about AT&T is accurate: the company shares everything since NSA spy gear is installed on company premises; and the company is exposed legally.

Time to look for phone service elsewhere.


Study: Facebook Saves And Analyzes Your Unpublished Posts And Comments

Facebook logoI found this study very troubling and extremely slimy corporate behavior. There is a good article at Slate about how Facebook wants to know your thoughts by collecting your unpublished posts or status messages.

Yes, your unpublished status messages.

Think about all of the content you started to type in the compose box on Facebook, but then stopped and either erased or changed it. After all, we all have been taught to think carefully about what we share online. Unfortunately, Facebook captures this unpublished content: stuff that you typed and didn't post by actually selecting the "Post" button in the facebook compose box:

"... the code that powers Facebook still knows what you typed—even if you decide not to publish it. It turns out that the things you explicitly choose not to share aren't entirely private. Facebook calls these unposted thoughts "self-censorship," and... The study examined aborted status updates, posts on other people's timelines, and comments on others' posts. To collect the text you type, Facebook sends code to your browser. That code automatically analyzes what you type into any text box and reports metadata back to Facebook."

If you don't know (or forgot), read this primer about what metadata is and why it is valuable. (It will help you understand what data is attached to your posts, images, and video.) Remember, this is about content you typed in the Facebook compose box and never published. One might expect Facebook to collect versions of content you typed, posted, and later edited, because you selected the "Post" button, shared that content before editing it. I doubt uses would expect Facebook to save content you didn't share = content you may have type but never posted or published. Sadly, the social networking site does save (and analyze) your unpublished content.

And, if you are an informed online user that diligently reads the policies (e.g., Terms Of Use, Privacy) at websites:

"In Facebook’s Data Use Policy, under a section called "Information we receive and how it is used," it’s made clear that the company collects information you choose to share or when you "view or otherwise interact with things.” But nothing suggests that it collects content you explicitly don’t share. Typing and deleting text in a box could be considered a type of interaction, but I suspect very few of us would expect that data to be saved..."

I find this data collection of unpublished posts extremely slimy corporate behavior and a privacy intrusion:

"This may be closer to the recent revelation that the FBI can turn on a computer's webcam without activating the indicator light to monitor criminals. People surveilled through their computers’ cameras aren’t choosing to share video of themselves, just as people who self-censor on Facebook aren’t choosing to share their thoughts. The difference is that the FBI needs a warrant but Facebook can proceed without permission from anyone."

Researchers Adam Kramer, a Facebook data scientist, and Sauvik Das, a Ph.D. student at Carnegie Mellon and summer software engineer intern at Facebook, analyzed 17 days of usage from 3.9 million Facebook users. You can download the researchers' study (Adobe PDF). Some key findings from the study:

"... 71% of the 3.9 million users in our sample self-censored at least one post or comment over the course of 17 days, confirming that self-censorship is common. Posts are censored more than comments (33% vs. 13%)... decisions to self-censor content strongly affected by a user’s perception of audience: Users who target specific audiences self-censor more than users who do not... males censor more posts, but, surprisingly, also that males censor more than females when more of their friends are male... people with more boundaries to regulate censor more posts; older users censor fewer posts but more comments; and, people with more politically and age diverse friends censor fewer posts."

After reading this, I wonder if self-censor rates would have been higher if the study duration was longer than 17 days. The researchers seem to think so (emphasis added in bold:

"Over the 17-days, 71% of all users censored content at least once, with 51% of users censoring at least one post and 44% of users censoring at least one comment. The 51% of users who censored posts censored 4.52 posts on average, while the 44% of users who censored comments censored 3.20 comments on average... While 71% of our users did last-minute self-censor at least once, we suspect, in fact, that all users employ last-minute self-censorship on Facebook at some point. The remaining 29% of users in our sample likely didn’t have a chance to self-censor over the short duration of the study. Surprisingly, however, we found that relative rates of self-censorship were quite high: 33% of all potential posts written by our sample users were censored, and 13% of all comments. These numbers were higher than anticipated..."

The researchers (and probably Facebook managers, too) seemed worried that Facebook's user interface and website features may be inadequate and encourage more self-censorship by users than otherwise. They concluded:

"... we now know that current solutions on Facebook do not effectively prevent self-censorship caused by boundary regulation problems. Users with more boundaries to regulate self-censor more, even controlling for their use of audience selection and privacy tools. One reason for this finding is that users might distrust the available tools to truly restrict the audience of a post; another possibility is that present audience selection tools are too static and content agnostic, rendering them ineffective in allowing users to selectively target groups on the fly..."

The researchers also concluded:

"... the frequency of self-censorship seems to vary by the nature of the content (e.g., post or a comment?) and the context surrounding it (e.g., status update or event post?). The decision to self-censor also seems to be driven by two simple principles: People censor more when their audience is hard to define, and people censor more when the relevance or topicality of a CMC “space” is narrower. For example, posts are unsurprisingly censored more than comments..."

What I make of this:

  • Facebook expects more self-censorship by members who have a large or very diverse set of "friends." If your groups are small, and/or if you have segmented your friends into several smaller groups or circles, then you probably won't self-censor as much
  • Clearly, Facebook expects its users to self-censor, otherwise they wouldn't have built and deployed the capability into their system.
  • As your group of friends change and/or as your online skill changes, Facebook expects a your self-censor rates and instances to change
  • The saving and analyzing of users' unpublished posts reduces consumer rights. Consumers have lost the right to keep control over what they post and publish. Instead, Facebook is essentially saying it knows best/better. Very paternalistic and insulting.
  • This is dangerous, because almost nobody thinks that what they type and then delete or change would still be collected, saved, analyzed, and used to profile you with relevant metadata (e.g., gender, age, political likes, etc.) attached.
  • This is dangerous, because Facebook content is used in courts, and credit reporting agencies want access to your social networking content. Nobody expects to be challenged with stuff they typed and never posted because the social networking site decided to retain it anyway.

So, a word to the wise until online privacy laws catch up: be careful about what you type before posting, and be careful about what you post on Facebook. If this is too complicated for you, then don't post on Facebook or simply stop using Facebook altogether. I know people who only read Facebook.

Next, several related questions immediately come to mind:

  1. How does self-censorship vary by device type? Perhaps, users with desktops or laptops self-censor more or less than users with tablets or smart phones. Perhaps, the same user's rate of self-censorship varies when switching between devices. Perhaps, certain brands of devices have higher self-censor rates. If I worked in Facebook's usability department, or if I was a Facebook business partner, these are answers I'd want to know.
  2. When did Facebook start archiving users' unpublished posts?
  3. How long does Facebook archive users' unpublished posts?
  4. What companies, business partners, and/or affiliates does Facebook share unpublished posts with?
  5. Does Facebook share unpublished posts with the NSA and other spy organizations?

A New Blog Design

Frequent readers probably noticed a change during the past week with this blog. I updated the design for this blog. My goals were to provide a simpler design that's easier to read for everyone and more supportive of readers using mobile devices (e.g., smart phones, tablets). There is now a single right column with fewer widgets = reduced page clutter.

I'd love to hear from readers about the new design. Please leave comments below.


Upcoming '60 Minutes' Report About NSA Whistleblower, More Documents, And Amnesty

Thursday evening, the CBS Evening News previewed a report to be broadcast this Sunday on the "60 Minutes" television show. Apparently, former NSA contractor and whistleblower Edward Snowden has more documents to release that are more damaging than the documents released so far.

The news report included U.S. government officials that are split about whether to grant Snowden amnesty to prevent the release of more documents (and additional damage from such releases), even though the Chinese and Russian probably already have those documents. Seems like a must-watch "60 Minutes" episode this Sunday.

All of this strongly suggests that the Chinese and Russian governments probably know more now about surveillance programs by the U.S. Government than U.S. citizens know.


Tech Companies Launch 'Reform Government Surveillance' Website With Letter To US Government Leaders

During the past few days, the news meda has been on fire with reports about the Reform Government Surveillance (RGS) website. Eight technology companies jointly developed the website.

I visited the RGS website. The first thing I noticed was an international focus. An excerpt from the RGS site's introduction:

"The undersigned companies believe that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information. While the undersigned companies understand that governments need to take action to protect their citizens’ safety and security, we strongly believe that current laws and practices need to be reformed."

The eight companies proposed five principles upon which international reforms should be based:

  1. Limiting Governments' Authority To Collect Information
  2. Oversight and Accountability
  3. Transparency About Government Demands
  4. Respecting The Free Flow of Information
  5. Avoiding Conflicts Among Governments

Only after reading all of the above, does the RGS site present its letter to officials in the U.S. government. The letter:

"Dear Mr. President and Members of Congress,

We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.

For our part, we are focused on keeping users’ data secure — deploying the latest encryption technology to prevent unauthorized surveillance on our networks and by pushing back on government requests to ensure that they are legal and reasonable in scope.

We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight. To see the full set of principles we support, visit ReformGovernmentSurveillance.com

Sincerely,

AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, Yahoo"

After reading the RGS site, I had several reactions.

First, where are the other companies involved? None of the above eight companies achieved their current successes without assistance, joint marketing, and/or contracts with telecommunications firms (e.g., AT&T, Verizon, Sprint,e tc.), mobile device and smart phone manufacturers (e.g., HTC, LG, Samsung), and banks. Mobile payment services require banks. Plus, nowhere in the site did I see any content or a link encouraging other companies to join the RGS group.

Second, the RGS site's proposed principle (#3) about transparency isn't new. Six of the eight RGS companies already signed a letter in July 2013 arguing for more transparency.

NSA Inside logo Third, the RGS companies want their to be limits upon government surveillance (e.g., tracking, monitoring, data collection), but no limits on their activities to do the same. In his ValleyWag blog, Sam Biddle summarized the letter in the RGS site as a, "half-assed outrage letter to the NSA." Seems about right. Most of the companies made it easy for the NSA to collect consumers' information because they'd already collected it and yielded to government queries to provide consumer data. Plus, some include NSA code in their products, which subsequently caused some governments to react negatively.

Fourth, the RGS site's proposed principle (#2) about accountability seems a little disingenuous. At least two of the eight companies (e.g., Microsoft and Yahoo) include forced arbitraton clauses in their terms for consumers. This limits consumers' rights and makes it difficult to hold a company responsibility when its products or services harm consumers. How can you argue for governments to be accountable when you avoid accountability yourself?

Fifth, the following question occurred to me: what next? Nowhere in the website did I see any content about next steps. What will the eight RGS companies do next -- as a group orindividually? What you do means a lot more to me than what you said in a static website. A missed opportunity: content and links in the RGS website to sollicit other companies to join them.

After reading the RGS site, I felt as though I had just experienced a public relations stunt... fluff and not much substance. To quote an old-school television commercial: where's the beef? And, if you really care about consumers' privacy rights, then design your programs based upon opt-in and not opt-out.

What is your opinion of the RGS site?


Report Finds The Federal Government Frequently Awards Contracts To Companies That Violate Safety And Wage Laws

According to a New York Times report yesterday, the U.S. Federal government frequently does business with, and renews contracts with, companies that frequently violate labor laws:

"... 18 federal contractors — including Imperial Sugar — were among the recipients of the largest 100 penalties issued by the Occupational Safety and Health Administration from 2007 to 2012. The report found that 32 federal contractors were among the leading companies in the amount of back pay assessed for wage violations between 2007 and 2012... 49 federal contractors responsible for large violations of federal labor laws were cited for 1,776 separate violations of these laws and paid $196 million in penalties... In fiscal year 2012, these same companies were awarded $81 billion in taxpayer dollars."

The Congressional report was issued for the Health, Education, Labor, and Pension Committee. Some specific examples from the report:

"Imperial Sugar had $94.8 million in federal contracts last year, even though it paid $6 million in safety penalties over a 2008 factory explosion in Georgia that killed 14 workers. The report also noted that the federal government had awarded $4.2 billion in contracts to Tyson Foods since 2000, even though Tyson has faced more than $500,000 in safety penalties since 2007 and 11 of its workers have died on the job since 1999."

It seems that the Federal government should factor more heavily violations into its decisions to award contracts, and the report recommends this change. The Federal government awards about $500 billion in contracts every year.

After reading this, I wonder if state governments are better, or worse, at awarding contracts to repeat offenders -- and which states perform the best.


12 Facts About Why Low Wage Workers Strike For Higher Wages

You've probably heard that workers in several cities in the United States went on strike last Thursday for higher wages. Some facts about why workers are striking:

  1. The average fast food worker makes $8.69 an hour. About 87 percent of fast food workers receive no health benefits. (Source: UC Berkeley Labor Center)
  2. The minimum wage rate kept pace with productivity from 1947 to 1969. Since then, they haven't. If they had, the minimum wage would now be over $16 an hour, not $7.25. The strikers are asking for $15 an hour. (Source: Baker and Kimball, Center for Economic and Policy Research)
  3. The ongoing bailout of the fast food industry is very expensive. The 10 largest fast food companies cost taxpayers about $3.9 billion in government health assistance and $1.04 billion in food assistance. (Source: UC Berkeley Labor Center)
  4. The same 10 companies earned $7.4 billion in profits last year, and paid out $7.7 billion in dividends. So, these corporations can easily afford modes increases in the minimum wage rate and/or an end to industry subsidies. (Source: National Employment Law Project)
  5. The strikes targeted large employers. 66 percent of low-wage workers are employed by corporations with 100 employees or more. McDonald’s employs 707,850 people. Yum! Brands (e.g., Pizza Hut, Taco Bell and KFC) employs 379,449 people. The workforce for these 10 corporations is greater than the populations of Nebraska, West Virginia, Idaho, Hawaii, Maine, New Hampshire, Rhode Island, Montana, Delaware, South Dakota, Alaska, North Dakota, Vermont and Wyoming. (Sources: National Employment Law Project, and the US Census Bureau)
  6. 25 percent of American workers receive some form of public assistance. For fast food workers it was 52 percent. And more than half of full-time fast food workers receive some form of public assistance. (Sources: University of California, Berkeley/University of Illinois study; and UC Berkeley Labor Center)
  7. Most low-wage workers are adults. Nationally, adults make up 88 percent of the workers. In areas like New York State and Albuquerque, New Mexico, that figure is 92 percent. (Sources: US Senate Committee on Health, Education, Labor and Pensions, the Fiscal Policy Institute, and New Mexico Voices for Children/Fiscal Policy Project)

Read the full list of facts at the Bill Moyers website.


JPMorgan Chase Bank: Data Breach Affects 500,000 Prepaid Card Holders, And The Bank's Sordid History

The bad news (and behavior) at JPMorgan Chase bank never seems to end. On Friday, NBC News reported that a data breach at the bank affected almost 500,000 prepaid card holders. Hackers gained unauthorized access to the bank's networks during July 2013. The bank's prepaid cards:

"... were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits. JPMorgan said Wednesday it had detected that the web servers used by its site www.ucard.chase.com had been breached in the middle of September..."

Unencrypted data was accessed. The bank is notifying the affect prepaid card holders, who comprise about two percent of 25 million UCard users. Network World reported that the bank will not issue replacement prepaid cards, and the card-holder notification focused on users who registered their cards between July and September of 2013.

In November, JPMorgan signed several settlement agreements with both federal and state agencies to resolve charges that the bank misrepresented residential mortgage-backed securities (RMBS) it sold to investors, including several banks that later failed. The bank paid about $13 billion in reimbursements and fines.

In September, the Consumer Financial Protection Bureau (CFPB) and the Office of the Comptroller of the Currency (OCC) ordered JPMorgan Chase bank to pay $309 million in refunds to more than 2.1 million customers for:

"... illegal credit card practices. This enforcement action is the result of work started by the Office of the Comptroller of the Currency (OCC), which the CFPB joined last year. The agencies found that Chase engaged in unfair billing practices for certain credit card “add-on products” by charging consumers for credit monitoring services that they did not receive."

In August, the New York Times first reported about an investigation of the bank for allegedly bribing officials in China to gain lucrative contracts:

"Federal authorities have opened a bribery investigation into whether JPMorgan Chase hired the children of powerful Chinese officials to help the bank win lucrative business... In one instance, the bank hired the son of a former Chinese banking regulator who is now the chairman of the China Everbright Group, a state-controlled financial conglomerate... After the chairman’s son came on board, JPMorgan secured multiple coveted assignments from the Chinese conglomerate... The Hong Kong office of JPMorgan also hired the daughter of a Chinese railway official..."

This would appear to be a violation of the Foreign Corrupt Practices Act (FCPA), a federal law that prohibits United States companies from making:

"... payments to foreign government officials to assist in obtaining or retaining business. Specifically, the anti-bribery provisions of the FCPA prohibit the willful use of the mails or any means of instrumentality of interstate commerce corruptly in furtherance of any offer, payment, promise to pay, or authorization of the payment of money or anything of value to any person, while knowing that all or a portion of such money or thing of value will be offered, given or promised, directly or indirectly, to a foreign official to influence the foreign official in his or her official capacity, induce the foreign official to do or omit to do an act in violation of his or her lawful duty, or to secure any improper advantage in order to assist in obtaining or retaining business...."

The investigation is still ongoing. This past weekend, several news sources reported about emails by the bank with hiring children of prominent Chinese families. Violations of the FCPA are fraud, folks. This is rare but not a first in the banking industry. As the New York Times reported:

"Only a handful of Wall Street employees have ever faced bribery accusations, including a former Morgan Stanley executive in China who pleaded guilty to criminal charges in 2012..."

The above instances are the tip of the proverbial iceberg. Read more about the bank's sordid history. To me, it seems rotten to the core, and needs to be dissolved with jail-time for all senior executives.


Maryland AG Issued Consumer Rights Reminder About Health Care Insurance Cancellation Letters

Many consumers have recently received cancellation notices from their health care insurance companies. The Office of the Maryland Attorney General issued a statement and reminder to both insurance companies and to its residents about consumers' rights under the Affordable Care Act, often referred to as ObamaCare:

"... consumers who receive a policy cancellation notice must be informed of their full rights and options under state and federal law, and that such communications should be concise and easy to understand. Citing reports of insurance company abuses in other states where carriers have attempted to "intentionally evoke fear and mislead consumers about their options" under the Affordable Care Act, Attorney General Gansler notified insurance carriers in a letter sent today that they will be held accountable if they attempt to drop consumers from their rolls and push them into the exchange without offering a new plan."

Health care insurance cancellation letters sent to Maryland residents should include the following:

"1. Should provide the 90-day notice required by Maryland law, as well as comply with all regulations set forth by the Maryland Insurance Commissioner;
2. Should include a statement, when applicable, that the insurer had the option to renew the policy for one year, but chose not to do so.
3. Should prominently mention Maryland's health exchange; the availability of other health plans on the exchange, including those offered by other insurers, and; the availability of tax credits and other subsidies that lower premiums.
4. Should not automatically enroll individuals in a new plan outside Maryland's health exchange.
5. If letters identify or suggest a new plan offered by the insurer as an option and any comparisons are made between the current plan to be canceled and that plan, comparisons must not only include actual premiums and deductibles, but also the scope of benefits covered, coverage of pre-existing conditions, and the availability of tax credits and subsidies.
6. If letters identify or suggest a new plan offered by the insurer outside the exchange as an option, they must include information on all plans offered by the insurer on the exchange, including information on actual premiums, deductibles, scope of benefits covered, coverage of pre-existing conditions, and the availability of tax credits and subsidies."

Residents in other states should check with the attorney general's office or consumer protection agency for their state.


Settlement Agreements Require JP Morgan Bank To Pay Record Amount Of Fines

Just in case you missed it while preparing for the Thanksgiving and Chanukah holidays, during mid November there were several announcements about settlements between the JP Morgan bank and various federal and state governments. This is important and cannot be over-emphasized.

The Federal Deposit Insurance Company (FDIC) announced a settlement agreement with JP Morgan bank and its affiliates. The bank will pay $515.4 million to settle charges that it misrepresented:

"... offering documents for 40 residential mortgage-backed securities (RMBS) purchased by the failed banks. The settlement funds will be distributed among the receiverships for the failed Citizens National Bank, Strategic Capital Bank, Colonial Bank, Guaranty Bank, Irwin Union Bank and Trust Company, and United Western Bank... As receiver for failed financial institutions, the FDIC may sue professionals and entities whose conduct resulted in losses to those institutions in order to maximize recoveries. From May 2012 to September 2012, the FDIC as Receiver for five of the failed banks filed ten lawsuits against JPMorgan, its affiliates, and other defendants for violations of federal and state securities laws in connection with the sale of RMBS. As of October 30, 2013, the FDIC has authorized lawsuits based on the sale of RMBS to a total of eight failed institutions and has filed 18 lawsuits seeking damages for violations of federal and state securities laws."

The Office of the California Attorney General announced a settlement agreement with the bank, requiring it to pay about $300 million in damages:

"An investigation conducted by Attorney General Harris showed that offering documents for the securities failed to accurately disclose the true characteristics of many of the underlying mortgages, and that due diligence to weed out poor quality loans had not been adequately performed. The broader settlement reached today by the United States Department of Justice and other federal and state agencies totals $13 billion, and represents the largest settlement with a single entity in American history."

A tentative agreement had been announced during October 2013. These announcements in November represented the final agreements. The U.S. Justice Department (DOJ) announced a $13 billion settlement with the bank to settle charges based on:

"... the packaging, marketing, sale and issuance of residential mortgage-backed securities (RMBS) by JPMorgan, Bear Stearns and Washington Mutual prior to Jan. 1, 2009. As part of the settlement, JPMorgan acknowledged it made serious misrepresentations to the public - including the investing public - about numerous RMBS transactions.  The resolution also requires JPMorgan to provide much needed relief to underwater homeowners and potential homebuyers, including those in distressed areas of the country. The settlement does not absolve JPMorgan or its employees from facing any possible criminal charges..."

The DOJ announcement included this statement by U.S. Attorney General Eric Holder:

“Without a doubt, the conduct uncovered in this investigation helped sow the seeds of the mortgage meltdown... JPMorgan was not the only financial institution during this period to knowingly bundle toxic loans and sell them to unsuspecting investors, but that is no excuse for the firm’s behavior. The size and scope of this resolution should send a clear signal that the Justice Department’s financial fraud investigations are far from over. No firm, no matter how profitable, is above the law, and the passage of time is no shield from accountability."

Huffington Post reported:

"Mounting legal costs from government proceedings pushed JPMorgan to a rare loss in this year's third quarter... The bank reported Oct. 11 that it set aside $9.2 billion in the July-September quarter to cover the string of legal cases against the bank. JPMorgan said it has placed $23 billion in reserve to cover potential legal costs. On Nov. 15, the company announced it had reached a $4.5 billion settlement with 21 major institutional investors over mortgage-backed securities issued by JPMorgan and Bear Stearns between 2005 and 2008.."

The Office of the Massachusetts Attorney General announced a settlement agreement where the bank will pay the state about $34 million:

"The Massachusetts Attorney General’s Office, the Department of Justice and four other states entered into the agreement today. As part of the $13 billion settlement, an expected $4 billion will be set aside for consumer relief, $7 billion used to compensate investors, and $2 billion for fines..."

Theses settlements and fines are in addition a separate settlement between JP Morgan Chase Bank and the Consumer Financial Protection Bureau (CFPB). Back in September 2013, the CFPB and the Office of the Comptroller of the Currency (OCC) ordered the bank to pay $309 million in refunds to more than 2.1 million customers for:

"... illegal credit card practices. This enforcement action is the result of work started by the Office of the Comptroller of the Currency (OCC), which the CFPB joined last year. The agencies found that Chase engaged in unfair billing practices for certain credit card “add-on products” by charging consumers for credit monitoring services that they did not receive."

I look forward to reading in the future about criminal investigations related to the above mortgage asset-backed securities abuses, and about credit-card asset-backed securities by JPMorgan Chase.


Amazon's Plan For Drones To Deliver Packages To Customers, And A Primer About Drones

During an interview on the 60 Minutes television show, Amazon.com CEO Jeff Bezos disclosed a test plan -- called Prime Air -- for the online retailer to use drones to deliver packages to its customers. The plan is years away, doesn't have approvals by the Federal Aviation Administration (FAA), and would deliver packages to customers only within 10 miles of a fulfillment center.

Regardless, the news meda is on fire with reports -- many with photographs and video of the drones, also called UAVs (Unmanned Aerial Vehicles): Associated Press, Bloomberg, CNBC, CNN, CNet, Huffington Post, PSFK, the New York Times, and countless others. Almost immediately, some satire images appeared online.

This Atlantic article explored the issues with package delivery by drones. Some retailers view the new technology as a way to solve the last-mile delivery problem. Matternet wants to use drones for package delivery in remote areas and in developing countries. Forbes Magazine reported about the societal disruption this new technology poses:

"Bezos says that Amazon is on its 7th generation of fulfillment centers. The public never heard much about those seven evolutions because they were all invisible, all back-end optimizations, all techy algorithmic stuff. Amazon’s service kept getting better in the form of faster delivery times... But drone delivery is a different kind of evolution. It’s visibly and behaviorally disruptive. And, as a marketer, Bezos wisely sees the need to start softening up the consumer market well in advance of these devices even being legal. Because he likely understands that there will be several critical phases to the public’s ultimate adoption of this technology, and each phase will take time."

The Forbes article emphasized the calculation Amazon has made: it is cheaper to let the news media normalize a new, disruptive technology rather than pay for the large amounts of advertising necessary. Others reported that the announcement coincides with Cyber Monday, and may have garnered for Amazon.com as much as $3 million in free advertising.

Wired reported that the concept isn't really new; that FedEx previously considered it. Wired also reported:

"Some weary of the use of unmanned aircraft have already pledged to shoot them down... there are more subtle ways to take down a small electric octocotper, including nets, even “mist nets”–virtually invisible nets used to catch or control birds–that would allow everybody from protesters to simple thieves to stop a delivery. And of course there is probably a hacker or two who would like to tackle the problem."

Besides military usage of drones for both warfare and cargo delivery, a wide variety of institutions want to use drones domestically: local police departments, journalists, paparazzi, movie studios, farmers, colleges and universities, and the National Guard (for rescues). FAA Administrator Michael Huerta predicted that there could be as many as 7,500 commercial drones in U.S. airspace within the next five years. So, there needs to be laws and guidance, about who can (and cannot) possess and operate drones; plus where and under what conditions.

TechCrunch discussed the three major limitations of drones: technical, privacy, and poor judgement by operators. We've all experienced crazy automobile drivers on the roads. Now, imagine the skies filled with drones controlled by crazy operators. Similar to driver's licenses, some experts say drone operator's licenses are likely.

The Guardian has a pretty good primer about drones. Way back in January 2012, the Electronic Frontier Foundation (EFF) discussed drones and privacy:

"Drones are capable of highly advanced and almost constant surveillance, and they can amass large amounts of data. They carry various types of equipment including live-feed video cameras, infrared cameras, heat sensors, and radar. Some newer drones carry super high resolution “gigapixel” cameras that can “track people and vehicles from altitudes above 20,000 feet... Predator drones can eavesdrop on electronic transmissions, and one drone unveiled at DEFCON last year can crack Wi-Fi networks and intercept text messages and cell phone conversations... some have suggested that drones carrying weapons such as tasers and bean bag guns could be used domestically."

Like any other technology, there is a market for drones. The EFF reported:

"According to a July 15, 2010 FAA Fact Sheet (PDF), “[i]n the United States alone, approximately 50 companies, universities, and government organizations are developing and producing some 155 unmanned aircraft designs.” According to one market research firm, approximately 70% of global growth and market share of unmanned aircraft systems is in the United States (PDF)."

Companies frequently test new technology in other countries before introducing it in the United States. Examples that come to mind include smart recycling trash bins in England, and smart shopping carts in Brazil. Some experts expect drones to be tested in other countries before the USA. As CNBC reported:

"The FAA is way behind the curve.. Drone experts are not optimistic for a 2015 deadline." It is just a little over a year away... and they don't even have the test sites named, much less the framework laid out."

Discovering the entities that already use drones domestically is difficult. Disclosure rules are weak or nonexistent. No doubt, there will be plenty more discussions about drones.