
17 posts from June 2014

New York State Senate Passes Bill To Amend The State's Wage Theft Law

The New York State Senate passed a bill on June 19 that would amend, if it becomes law, several provisions in the state's landmark 2010 Wage Theft Protection Act. The amendments repeal the annual wage notification employers must provide to employees, and increase the fines for employers for wage payment violations. Supporters of the bill emphasized the paperwork reduction benefits for employers.

Specific components of the legislation:

"Section 1 amends Subdivision 1(a) of Section 195 of the Labor Law to strike the annual notice requirement from the Wage Theft Prevention Act when the same information is provided in another manner.

Section 2 amends Subdivisions 1-b and 1-d of Section 198 of the Labor Law to increase penalties for employers' failure to comply with certain sections of the Wage Theft Prevention Act."

So, employers would no longer be required to inform employees each year of pay rates; only new employees would need to be notified. The potential penalty for failing to notify new employees increases from $50 per week with a maximum of $2,000 to $50 per day with a maximum of $5,000, plus costs and attorney's fees. The court may award other payments, too.

The bill also includes provisions for employers that are repeat and/or egregious offenders:

"Section 6 amends Subdivision 1(b) of Section 215 of the Labor Law to authorize the Commissioner to assess a greater civil penalty for those employers who have committed wage theft and had a previous violation within the previous six years...

Section 3 amends Subdivision 1 of Section 218 of the Labor Law if an order directing payment of wages, benefits, wage supplements and liquidated damages is issued to an employer who had previously committed wage theft, or to an employer whose violation is willful or egregious, the employer will be required to report specified employee and wage data to the Commissioner of Labor, which will be published on the Department of Labor's website."

Offenders will often reorganize their business (e.g., declare bankruptcy and shed debt) to avoid paying employees and contractors. So, this section of the bill is important:

"Section 3 also adds a new Subdivision 5 of Section 218 of the Labor Law to provide that an employer similar in operation or ownership to a prior employer who had previously committed wage theft is liable for the acts of the prior employer for the purposes of civil penalties."

The bill would also extend liability to the ten (10) largest owners in limited liability companies (LLCs):

"Section 11 adds new Subdivisions (c) and (d) to the Limited Liability Company Law requiring that the ten members with the largest percentage ownership in a limited liability company be personally liable for all debts, wages, or salaries due and owing to any of its laborers, servants or employees, for services performed by them for such limited liability company... An action to enforce such liability shall be commenced within ninety days after the return of an execution unsatisfied against the limited liability company upon a judgment recovered against it for such services. The bill allows for any member who has paid more than his or her pro rata share to be entitled to contribution pro rata from the other members liable under this section with respect to the excess so paid, over and above his or her pro rata share, and may sue them jointly or severally or any number of them to recover the amount due from them..."

This component appeals since it holds owners accountable, and encourages them not to ignore the actions of the company's executives.

The bill now moves to the Assembly for a vote and/or changes. The law would go into effect 60 days after it is signed by Governor Andrew Cuomo. Learn more about Senate Bill A08106C.


Survey: Consumers' Attitudes About The Security of Internet-Connected Homes

Fortinet, a network security provider, announced during the weekend the results of a global survey of consumers' opinions about the security of Internet-connected homes. The survey explored consumers' attitudes about the emerging trend to connect home appliances and electronics to the Internet, referred to as the "Internet of Things" (IoT). While the IoT also includes commercial devices outside the home (e.g., drones, accessories for search animals, supermarket shopping carts), a key aspect is that the connected appliances "talk" or communicate with each other without the user's intervention.

In the coming years, a variety of home appliances will be directly connected to the Internet, including televisions, home security systems, refrigerators, washing machines, smart thermostats, trash or recycle bins, and more. The survey included 1,800 homeowners in 11 countries. Some chief findings:

  • 61 percent of respondents expect the Internet of Things to become a reality within the next five years
  • 69 percent said that privacy is their biggest concern
  • 66 percent want complete control over their personal data
  • 48 percent would hold the manufacturer responsible for vulnerabilities found in home appliances

You can already search the Internet of Things today. That means that cyber-criminals and identity thieves can, too. To learn more about the survey, read the Fortinet blog and infographic.

The coming Internet of Things highlights several security and privacy issues. To understand these issues requires an understanding of the types of personal data items. There are obvious items and not-so-obvious items that uniquely describe you and your habits. Obvious items are your name, address, date of birth, Social Security number, driver's license number, professional licenses, online usernames and passwords, bank account information, payment card (e.g., credit, debit, prepaid) information (e.g., numbers, expiration dates, security codes), the music you listen to, the films and shows you watch, and the products (and services) you buy.

Obvious personal data also include items in your resume, plus your health and fitness data. That includes not only your medical records at your doctor, but also the personal health data (e.g., heart rate; blood pressure; calories burned; exercise dates, routine, geolocation data, and duration; etc.) collected and archived by fitness apps.

Not-so-obvious items include the search terms you enter into search engines (e.g., Yahoo, Google, Bing, online store search engines, etc.), your color and fabric preferences, left-handed or right-handedness, professional association memberships, contacts in the address book on your smartphone, your geolocation purchase information (e.g., where and when you purchase items in the real world), your geolocation habits (e.g., where and when you drive, walk, or visit), your image, and the people you are connected with at various social networking sites.

Even if you don't use loyalty and payment cards, physical retail stores can collect your search terms, color and fabric preferences, product preferences (e.g., the dresses, skirts, pants you literally pull off the rack to inspect and then put back), and left/right-handedness using discreetly placed video surveillance cameras. There are at least five ways retail stores can spy on their customers.

More not-so-obvious items include the unique device identification number assigned to each IoT appliance, your utility consumption (e.g., water, electricity, gas, etc.) at home, the corresponding dates and patterns, the frequency you operate certain home appliances, and the layout plus furnishings in your home. The government agency or company that provides your utilities collects this utility consumption information via wireless transmissions from smart meters installed in homes. Companies that provide home security systems also can collect some of this information.

IoT appliances provide more ways for companies to collect your personal data -- both obvious and not-so-obvious data items. You might like an Internet-connected refrigerator because it can create and send shopping lists automatically to your smartphone. Behind that convenience benefit is the stark reality that your appliance collects the size, brand, types, number, and frequency (e.g., dates and times) of all items you eat and drink. Anything with a barcode can be tracked, including medical items you store in your refrigerator. Depending upon the terms and privacy policies from the refrigerator's manufacturer, the appliance will probably transmit your usage to business partners and other companies.

Does the convenience benefit still outweigh the loss of privacy?

Another issue is control: not just what you choose to share and with whom, but will the consumer or the device be in control? Today, banks collect your purchase decisions from your usage of debit, credit, and/or prepaid cards. Consumers have made that decision to trade convenience for privacy by using the payment cards issued by their bank. Similarly, retailers (e.g., online stores, physical stores, etc.) collect your purchase decisions from loyalty cards you use for reward points and discounts. Consumers have made that decision to trade privacy for discounts.

Depending upon how much you shared with social networking sites, they may know your purchase decisions, too. Your decision to use public WiFi hotspots with unencrypted transmissions means that you have probably shared more to a wider group of companies.

The coming IoT highlights the security issue: how consumers will protect the IoT appliances in their homes. Today, many people use anti-virus software to protect their computers, tablets, and smartphones. Will consumers expect anti-virus software developers to provide broader packages that also protect IoT appliances? Or, will consumers expect each appliance developer to provide adequate (and updated) security?

Will consumers be able to enjoy a completely connected home with today's IoT? Not yet, according to one expert:

“We’re still in the stage where every vendor has their own proprietary standard and few can agree on anything... As such, devices from different vendors aren’t able to talk to each other, and if you want a fully automated house, you need to perform a lot of patchwork to get things working properly.”

What are your opinions of the IoT? Which method do you prefer to secure your Internet-connected appliances? What are your opinions of the survey? You can share your opinions in the Comments section.


Spy Reform Legislation Slowly Works Its Way Through The U.S. Congress

Change may be coming to limit National Security Agency (NSA) spy programs. Two amendments to the 2015 Defense Appropriations bill are slowly working their way through Congress. The Hill reported yesterday:

"The first amendment from Reps. Thomas Massie (R-Ky.), Lofgren and Jim Sensenbrenner (R-Wis.) would require the NSA to obtain a warrant to search for information about people in the U.S. when searching collections of communications involving foreigners. The provision would also keep the NSA from requiring tech companies to build “backdoor” security vulnerabilities into their products and services... A second amendment, offered by Rep. Alan Grayson (D-Calif.), would keep the NSA from working with the Commerce Department’s digital security agency to create faulty cryptography standards."

The two amendments represent changes that aren't as strong as the original bill:

"... introduced by Sensenbrenner, original author of the Patriot Act, and Senate Judiciary Chairman Patrick Leahy (D-Vt.) — had multiple provisions aimed at reining in the NSA and ending sweeping “bulk” surveillance activities, such as the program that collected information about U.S. phone calls. But eleventh-hour negotiations between [GOP] House leadership and the Obama administration removed some of the changes to the NSA, prompting some lawmakers and privacy advocates to withdraw their support for the bill."

The American Civil Liberties Union (ACLU) provided some context about the two amendments:

"... would prevent funds from being used to search through U.S. citizens’ emails and phone calls under Section 702 of the Foreign Intelligence Surveillance Act (FISA) unless the government has reason to think they are involved in wrongdoing. While Section 702 was originally designed to target people abroad, not U.S. citizens, it has been used and abused as an end-run around our privacy laws. We now know that millions of Americans’ communications are – in the government’s words– being “incidentally” collected under 702 simply because they talk to someone abroad."

The U.S. Senate must now vote on the amendments. The ACLU emphasized:

"The vote reaffirms that the version of the USA Freedom Act passed by the House is simply not enough. And it sends a strong message to the Senate: If even the House can agree on the need for surveillance reform – twice – then it’s clearly high time to change the law."


SunTrust To Pay About $1 Billion To Settle Mortgage And Foreclosure Abuses

The U.S. Department of Justice (DOJ), plus several federal and state agencies, announced on Tuesday a $968 million settlement agreement with SunTrust Mortgage, Inc. for mortgage and home foreclosure abuses. The other agencies involved in the agreement include the Department of Housing and Urban Development (HUD), the Consumer Financial Protection Bureau (CFPB), 49 state attorneys general, and the District of Columbia’s attorney general.

The agreement had first been presented in October 2013. Terms of the settlement agreement require SunTrust to pay $500 million in relief directly to homeowners and borrowers during the next three years to reduce the principal for mortgages nearing default. The bank also agreed to:

".... pay $418 million to resolve its potential liability under the federal False Claims Act for originating and underwriting loans that violated its obligations as a participant in the Federal Housing Administration (FHA) insurance program.  As a participant in that program, SunTrust had the authority to originate, underwrite and certify mortgages for FHA insurance."

The agreement was reached after investigations by the DOJ, the HUD Office of the Inspector General (HUD-OIG), the CFPB, and several state attorneys general. SunTrust admitted in the agreement that:

"... between January 2006 and March 2012, it originated and underwrote FHA-insured mortgages that did not meet FHA requirements, that it failed to carry out an effective quality control program to identify non-compliant loans, and that it failed to self-report to HUD even the defective loans it did identify... numerous audits and other documents disseminated to its management between 2009 and 2012 described significant flaws and inadequacies in SunTrust’s origination, underwriting, and quality control processes, and notified SunTrust management that as many as 50 percent or more of SunTrust’s FHA-insured mortgages did not comply with FHA requirements."

Stuart D. Delery, the Assistant Attorney General for the DOJ Civil Division, said:

“As this settlement demonstrates, we will continue to hold accountable financial institutions that misuse public funds and ruin the lives of hardworking Americans in the pursuit of their own financial interests... SunTrust’s irresponsible FHA lending practices caused grievous harm to homeowners and the housing market, as well as wasting hundreds of millions of dollars in taxpayer funds...”

The announcement emphasized that the servicing portion of the settlement agreement is similar to the $25 billion National Mortgage Settlement (NMS) in February 2012 between the federal government, 49 state attorneys general and the District of Columbia’s attorney general and the five largest national mortgage servicers. And, SunTrust will pay $50 million in cash to redress its servicing practices, $40 million of which will be distributed to borrowers and homeowners through the Borrower Payment Fund established by the NMS and administered by the states.

SunTrust stated in a news release on its website:

"Over the past several years, SunTrust has made significant improvements to its mortgage underwriting processes and internal controls.  This includes increased training and the establishment of a center of specialization to underwrite all government-insured mortgages, which has led to improved quality control and significantly reduced error rates. The company also completed timely implementation of stringent new regulatory requirements for loan origination and disclosure issued by the Consumer Financial Protection Bureau (CFPB) across all of its retail and correspondent origination locations."

Time will tell how effective the training and improvements are.


MasterCard Phone Scam in Pennsylvania

Earlier this week, a friend from Pennsylvania posted on a social networking website her experience with an automated credit card phone scam:

"I was told by an automated system that my Master Card had been frozen. I was to enter my Master Card number to unlock it. Of course, it wasn't from a bank, and I don't have a Master Card, but I decided to play along."

During the phone call, the scammer's automated system asked for the credit card number, expiration date, and three-digit security code. (Don't worry. To learn a little more about the scam, my friend entered random numbers to these inquiries.) Then, it asked my friend to enter her Social Security number. She promptly hung up. My friend reported in her status message:

"BTW, anyone who gets one of these calls: 832-548-4155. It was fielded through "Texas", so - it's probably offshore."

My friend was wise to recognize the scam immediately and end the phone call. Consumers should confirm the identity of phone callers before disclosing any information. If you aren't satisfied with the caller's responses, definitely don't disclose any personal information, and end the call.

A quick online search confirmed that the phone number has been used by scammers. MasterCard advises its cardholders to report scams and fraud:

"MasterCard will never solicit personal or account information from a cardholder and we suspect that the information you received is fraudulent. Consumers should always safeguard their personal information and refrain from responding to suspicious email/phone scams."

Consumers experiencing scams like this one should submit complaints to the U.S. Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and to the local consumer affairs agency in their state. If you disclosed your real credit card number, then you will need to monitor your statements for fraudulent charges.

If you disclosed your Social Security number, then you will probably need to monitor your credit reports for fraudulent entries. If you lost money or experienced other fraud, then you may also have to file a report with the local police department in your town. If you aren't sure what to do next, you may find the Identity Theft Resource Center (ITRC) helpful. This nonprofit provides advice and resources for victims of various scams.

Have you received one of these automated phone calls? Please share below your experience and how you responded.

[Editor's note: I have no affiliations with ITRC or any agencies mentioned above. Nor have I received any compensation for mentioning them. Simply, I like what they do and they are good at what they do.]


Maryland AG Announced Settlement With Snapchat For Deceptive Marketing

Last week, the office of the Maryland Attorney General (AG) announced a settlement with Snapchat, Inc., the developer of the popular mobile app, about alleged deceptive marketing practices and violation of Federal children's privacy laws. The Maryland AG announcement:

"... Snapchat misled consumers when it represented that snaps are only temporary and will disappear after they are opened and viewed by the recipient. In fact, recipients of snaps can capture or copy them for later viewing and distribution. Consequently, consumers may have sent sensitive snaps that they intended not to be saved or seen by anyone but the recipient, only to discover that they were saved or distributed to others."

The company allegedly collected and saved the names and phone numbers of contacts from the address books on app users' mobile devices, which it allegedly didn't disclose. The AG also alleged that the company knew about users under the age of 13 and failed to comply with the Children's Online Privacy Protection Act (COPPA).

Terms of the settlement require the company to stop making false representations, to stop misrepresenting the temporary nature of Snaps, to disclose to users that Snaps can indeed be saved by other users, to comply with COPPA and stop children under 13 from using its app, to pay $100,000 to the State of Maryland, and to obtain users' consent before collecting and saving address book contents. Attorney General Gansler said about the settlement:

"Despite Snapchat's marketing claims to the contrary, no company can fully prevent content you send to someone else from being copied, shared or posted online... Companies that operate on the Internet or on mobile devices, especially those popular among youth, have a responsibility to protect their users' privacy and to be up front about what personal information they collect and the permanency of uploaded files."

Snapchat, Inc. acknowledged in its blog the settlement with the Maryland AG, and emphasized that it didn't save Snaps. That is little comfort to consumers who used the mobile app thinking that Snaps wouldn't be saved by anybody: neither the company nor other users.

The company settled similar allegations in May, 2014 with the U.S. Federal Trade Commission (FTC):

"That Snapchat stored video snaps unencrypted on the recipient’s device in a location outside the app’s “sandbox,” meaning that the videos remained accessible to recipients who simply connected their device to a computer and accessed the video messages through the device’s file directory... deceptively told its users that the sender would be notified if a recipient took a screenshot of a snap. In fact, any recipient with an Apple device that has an operating system pre-dating iOS 7 can use a simple method to evade the app’s screenshot detection, and the app will not notify the sender. That the company misrepresented its data collection practices. Snapchat transmitted geolocation information from users of its Android app, despite saying in its privacy policy that it did not track or access such information... the complaint alleges that Snapchat’s failure to secure its Find Friends feature resulted in a security breach permitting attackers to compile a database of 4.6 million Snapchat usernames and phone numbers. According to the FTC, the exposure of this information could lead to costly spam, phishing..."

The FTC also emphasized in its announcement:

"The settlement with Snapchat is part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers. Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years."

While $100K is a tiny fine, still I applaud the Maryland AG for its work. Consumers now know far more than otherwise. I wonder what is happening in other states. What are your opinions of the allegations? Of the Snapchat settlements?


Comcast Switches Its Customers' Wireless Home Routers To Public WiFi Hotspots

KTRK, the ABC News affiliate in Houston, reported that on Tuesday Comcast switched the wireless routers of 50,000 Houston-area XFINITY WiFi home users to public WiFi hotspots. This is part of the company's nationwide program to convert customers' home WiFi to public hotspots. (See the list of rollout cities below.) The company did not give its customers a choice to participate in or decline the program. Instead, it simply bulk reconfigured their home routers so the routers can also be used by other XFINITY WiFi customers.

Roaming or "guest" XFINITY WiFi customers must enter their account credentials in order to access and use one of the hotspots. However, the XFINITY WiFi website stated that non-customers can use some hotspots:

"Limited Free Trial: At select XFINITY WiFi hotspot locations, visitors are allowed two 60-minute complimentary sessions per month. You must wait 24 hours between sessions."

In an announcement in April, Comcast explained that the program includes several types of hotspots. Some are at commercial locations, and others are:

"Neighborhood Hotspots: Recently, Comcast began providing residential customers with Xfinity Wireless Gateways the ability to have a second "xfinitywifi" signal (or SSID) in their home that is separate and distinct from their private and secure home Wi-Fi signal. This second signal provides visiting Xfinity Internet customers Wi-Fi access without the need to use the homeowner’s private network password..."

XFINITY WiFi home customers who don't want their home routers included in the program must opt out. The XFINITY WiFi site explained why some XFINITY Internet customers can't participate in the home hotspot program:

"This new feature enhancement is not yet available on all XFINITY Wireless Gateways or supported with all XFINITY Internet products. Wireless routers purchased at retail outlets don’t support the XFINITY WiFi service."

Up to five "guest" mobile devices can connect to a home hotspot. So, the loss of wireless bandwidth to the home user could be substantial, especially if the home user has multiple mobile devices already connected. Comcast said it "expects minimal impact" in bandwidth loss by its customers.

Some customers are already not happy. KTRK reported:

"Michelle Eulene has been a Comcast customer for years, but she's not happy with her WiFi now that her router is playing host to other Xfinity customers who want an internet connection. "It feels weird for Comcast to take my modem that I am already paying for and delivering it to other people," said Eulene."

The April announcement by Comcast included plans for eight million hotspots in 2014:

"Comcast Cable’s Xfinity WiFi network will reach eight million hotspots by the end of 2014, covering 19 of the country’s 30 largest cities with fast and reliable wireless Internet access... the company plans to add new hotspot locations coast-to-coast in cities like Atlanta, Baltimore, Boston, Chicago, Denver, Detroit, Hartford, Houston, Indianapolis, Miami, Minneapolis, Nashville, Philadelphia, Pittsburgh, Portland, Sacramento, Salt Lake City, San Francisco, Seattle and Washington D.C."

To opt out of the program, customers must disable the public setting on their wireless home routers. The XFINITY WiFi website provides instructions:

"You will always have the ability to disable the XFINITY WiFi feature on your Wireless Gateway by calling 1-800-XFINITY. You can also visit My Account at http://customer.comcast.com/, click on “Users & Preferences”, and then select “Manage XFINITY WiFi."

The way that Comcast structured its hotspot program abuses its customers. It's another example where the customer is literally the product -- in this case, part of a national network of WiFi hotspots usable by other customers. I'll bet that many customers didn't expect this when they subscribed to XFINITY WiFi. In this instance, Comcast took the customer-unfriendly approach and just switched a bulk of wireless routers. It could have asked first, but it didn't -- a stark reminder that the equipment is the company's property and not the customer's.

Comcast's program should have been opt-in, not opt-out. Customers should have been in control to enroll in the national hotspot program. Instead, Comcast forced it on them. Plus, Comcast should compensate customers for both their participation and the bandwidth lost. There is value in a national WiFi network, which its customers are helping Comcast build and operate.

There is precedent for compensating customers. Companies frequently offer discounts to customers who use online-billing services, compared to traditional, monthly paper bills. The former is less costly to companies. Another example: 40 states have programs for consumers to sell electricity generated via renewable methods (e.g., solar, wind, geothermal) back to the local energy utility or grid -- in effect, a price discount for participation.

Instead, Comcast took the customer unfriendly approach and didn't offer any compensation. Is this fair? Is it right? I think not.

What do you think? What are your opinions of Comcast's Xfinity wireless program? If you are an Xfinity customer with a wireless router, please share your experiences.


Facebook Announced A New Feature Where It Listens And Identifies Music And TV Content

Before and during the Memorial Day holiday, I was busy with work and family events. Perhaps you were busy too and missed this. Just before the holiday, Facebook announced a new, optional feature where it will listen and identify whatever you are listening to while typing status messages.

If you have used mobile apps like Shazam, then you know how technology can easily identify the name and artist of music. Facebook wants to take the technology further by identifying the background content (e.g., music you are listening to, movies or television show you are watching) while posting messages to Facebook. Facebook's announcement pitched the new feature as:

"You may have seen a friend post a photo after a tough workout with a “feeling proud” icon. Or you’ve seen your friend check in at a coffee shop “drinking an iced coffee.” In the last year, people shared more than 5 billion status updates... we’re making those conversations quicker and easier by introducing a new way to share and discover music, TV and movies. When writing a status update – if you choose to turn the feature on – you’ll have the option to use your phone’s microphone to identify what song is playing or what show or movie is on TV."

Unlike the Shazam app (which the user initiates), once you turn on the "Identify TV and Music" feature, it will operate quietly and identify whatever is playing in the background when you post messages:

"If you leave the feature on, you will see the audio icon move and attempt to detect a match when you’re writing a status update. No sound is stored and you’ll always get to choose whether you post to your friends... if you choose to turn this feature on, it will only use your microphone (for 15 seconds) when you’re actually writing a status update to try and match music and TV... when you write a status update, the app converts any sound into an audio fingerprint on your phone. This fingerprint is sent to our servers to try and match it against our database of audio and TV fingerprints. By design, we do not store fingerprints from your device for any amount of time."

It's important to read Facebook's words closely. It says it won't store the music, TV show, or movie you are watching or listening to. It does store the status message you authorize about the background content. That means, the feature will record the name or title of the show/music, the artists, along with the date, time, your geolocation (e.g., GPS) data, and probably other relevant metadata. It needs these metadata elements to create a status message for you to post to your Timeline.

Based upon its matching algorithm, the message includes an excerpt of the music or show, since Facebook assumes that your friends may want to purchase the music or video item. In this way, Facebook can sell more advertising to its corporate sponsors; once again, Facebook members are the product. The feature allows Facebook to analyze its members' actions and build a more robust activity profile. For example, people with certain demographic characteristics (e.g., age, sex, students, rural residents, etc.) or in certain locations listen to XYZ music and/or watch a certain genre of television shows while posting status messages. And, Facebook can associate certain moods or feelings in your posts with the moods or feelings in the background content (e.g., music, movie, or TV shows).

The Naked Security blog by Sophos reported:

"When it initially announced the eavesdroppish new service, Facebook didn't say anything about listening in on background noise, including private conversations. But this week, Facebook's security head honcho, Gregg Stefancik, filled in that gap. Stefancik, head of security infrastructure for the very-data-rich, o-so-good-at-data-mining social network, explicitly told journalists that the new audio feature does not snoop on users and does not record conversations... The raw audio never leaves the phone, Stefancik said, while the data about the match is only stored if a user opts to post it:.. The app can't identify background noise and conversation before the feature is enabled."

I guess that this new feature will be a benefit to consumers who want to share easily, quickly, and automatically without having to do anything. You literally won't need to lift a finger. It seems wise for consumers to give a new feature like this a lot of thought and consideration before turning it on. Why? The background content (via the authorized status messages) will be associated with your profile.

Maybe, the background content is the television you've left on because you're home alone, not really watching it, and want some noise in your home. Maybe you are simply in the same room with a family member or friend who is watching TV, movies, or listening to music. Their selections identify their choices, not necessarily yours. Maybe you are in a shopping mall and muzak is playing in the background. Maybe the music playing is from an advertisement on television. Maybe Facebook's matching algorithm was incorrect.

My point: the background content may have nothing to do with your profile, but it gets recorded and associated with your profile anyway. The background content may be items you'd never select nor buy, but Facebook would assume otherwise. Then, who is right? Who knows more about you and your habits: you or Facebook?

I see this new feature as extremely invasive and problematic. I know my profile better than any social networking service, and remaining in control is important to me. Facebook addressed the issue of control in its announcement:

"... this feature is completely optional. If you don’t turn it on, we won’t use your microphone to try and match TV or music when you write a status update. If you do choose to turn it on and later decide it’s not for you, you can easily turn it off at any time."

This implies that if you want to delete any background content from your Timeline, you would do so subject to the capabilities and limitations of the current Timeline system. Does a user really have effective control? I don't see how any consumer can verify that Facebook uses the new feature in compliance with its promises (e.g., don't record conversations, 15 seconds only, identify only TV/music, etc.). The announcement did not specify how accurate the feature is. If it incorrectly identifies some background content, and you authorize that status message, then an error has been introduced into your profile. A Facebook member may not know which background content was identified.

I'd like to see Facebook explain more about its matching algorithm. How accurate is it? Does it match any song or music? Does that include music in TV advertisements? If so, then, the matching algorithm could identify what commercials you have viewed. What about radio? The announcement didn't say anything about radio. People listen to traditional radio and satellite radio. What matching is done then?

This technology confirms what a lot of people have been worried about with surveillance by government spy agencies: the ability to remotely control the microphone in your smart phone or mobile device, and monitor what you are doing, listening to, and watching. Since Facebook already records and archives everything (including deletions) you type into the status message box, the two features combined provide the social networking site with very strong capabilities to determine what you are thinking, feeling, and considering -- not just what you typed in the status message. That is very sensitive personal content.

It's also very creepy stuff, in my opinion. Spy agencies must be looking at this and wondering: if Facebook can do this, we should be able to do this, too. If I operated a Web design service that was a front for a spy agency, I'd want to use an app like this.

I wouldn't want any mobile device in my pocket running an app like this. Nor would I want to be around people using an app like this; especially in business meetings. Yes, this upcoming Facebook feature reminds me a lot of Google Glass. Very invasive for people who value their privacy.

What's your opinion of the upcoming Facebook feature? Is this more or less invasive than government spy programs?


California AG Issues Privacy Recommendations To Better Protect Consumers

Late last month, the Office of the Attorney General for the State of California issued a guide with privacy recommendations for companies about how to present privacy policies and do-not-track disclosures to consumers. The recommendations are based upon changes in California law (emphasis added):

"...in 2003, California established the landmark California Online Privacy Protection Act, which was the first law in the nation to require operators of commercial websites, including mobile apps, to conspicuously post a privacy policy if they collect personally identifiable information from Californians. In 2013, the Act was amended by Assembly Bill 370, which requires privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether third parties can collect personally identifiable information about the site’s users."

Previously, many mobile app developers failed to include terms of use and privacy policies with their apps, both before and after purchase. Most Web browsers have Do Not Track (DNT) features, but the effectiveness of that feature depends upon the website operator's compliance, which is not mandatory. The California AG's guide included a summary of Do Not Track and web browsers (emphasis added):

"... the [U.S. Federal Trade Commission] staff in 2010 proposed a Do Not Track (DNT) browser signal as a uniform and comprehensive way for consumers to choose whether to allow the collection and use of data regarding their online searching and browsing activities. The Commission noted in its 2012 final report that a number of browser vendors had announced that their latest versions permitted consumers “to instruct websites not to track their activities across websites.” In a 2012 paper on consumer privacy, the White House noted that “privacy-enhancing technologies such as the ‘Do Not Track’ mechanism allow consumers to exercise some control over how third parties use personal data or whether they receive it at all.” By 2013, the major browser companies had all implemented a DNT mechanism in their browsers. In May 2014, the White House once again commented that consumers “have a valid interest in ‘Do Not Track’ tools that help them control when and how their data is collected. There is no legal requirement for how operators of web sites or online services must respond to a browser’s DNT signal. The World Wide Web Consortium (W3C), which facilitates collaborative efforts to develop web standards, created a Tracking Protection Working Group, which has been working since 2011 to develop standards for the technology and meaning of Do Not Track. As of the end of 2013, the W3C group had not agreed upon what an operator or an advertising network should do when they receive a DNT browser header."

The guide includes the following key recommendations:

"Readability
- Use plain, straightforward language. Avoid technical or legal jargon.
- Use a format that makes the policy readable, such as a layered format.

Online Tracking/Do Not Track
- Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example: “How We Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”
- Describe how you respond to a browser’s Do Not Track signal or to other such mechanisms. This is more transparent than linking to a “choice program."
- State whether other parties are or may be collecting personally identifiable information of consumers while they are on your site or service.

Data Use and Sharing
- Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
- Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.

Individual Choice and Access
- Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.

Accountability
- Tell your customers whom they can contact with questions or concerns about your privacy policies and practices"

Personally identifiable information (PII) includes the following data elements:

  • Your name: first, middle, last
  • Your residential or home address, including the street name, town, and ZIP Code
  • Your e-mail address
  • Your telephone number (mobile or land-line)
  • Your Social Security number
  • Any other identifier that enables somebody to contact you online or offline in the physical world
  • "Information concerning a user that the web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier..."

The last two items are critical because they include several things that can be used to identify only you, such as a user name, user ID, license number, member number, policy number, record number, the IP address assigned to your computer or device, and so forth. The last item probably includes your physical movements (e.g., GPS coordinates with time stamps from your mobile device or car), since this data could be used to uniquely identify and track you.

Download the "Making Your Privacy Practices Public" guide (Adobe PDF) by the California Attorney General's Office. It includes detailed recommendations, which are a good start. Assembly Bill 370 makes it clearer for consumers to understand what a website and mobile app operator promises to do about privacy and handling consumers' sensitive personal information. Obviously, there needs to be a standard about how advertising networks respond to DNT signals from a browser.

I look forward to seeing more privacy improvements in California and in other states. What are your opinions of the "Making Your Privacy Practices Public" guide? Is it good? Does it go far enough?


A Review of The Vanilla Visa Prepaid Card

Photos: front and back of the Vanilla Visa package.

Recently, I received several prepaid cards as birthday gifts. One gift was the Vanilla Visa Gift Card, a prepaid card. Perhaps, you have heard of it or used it. Since I have written about prepaid cards in this blog, I was curious to see what was inside the Vanilla Visa package.

The Vanilla Visa Gift Card comes in an attractive, sealed package that features on the front exterior a "Happy Birthday" message and the Visa logo. The card can contain a value from $20 to $500. The back exterior of the package includes this messaging:

"IF TAMPER EVIDENT, DO NOT PURCHASE... No Fees After Purchase. Check your balance 24/7. Visit www.vanillavisa.com"

I took the above photos after I opened the package. Hence, you see the tear in the above photograph of the packaging. The back exterior also includes spaces for the gift giver to write their name, the amount of money on the prepaid card, and the recipient's name. The sealed package seems to be a nice improvement so the consumer knows that the magnetic strip on the back of the prepaid card has not been tampered with. Retail stores frequently display racks of prepaid cards exposed without packages.

Inside the sealed package are the prepaid card and the contract, called the Cardholder Agreement. I like that the product includes the contract, since many prepaid cards don't, and users of prepaid cards don't have the same rights and responsibilities as with credit and debit cards. It is important to read the contract because it explains several key items:

  • Activation and applicable fees,
  • Card features and expiration date,
  • How to check your card balance,
  • How to make split purchases,
  • How to use the card when paying for gasoline for your auto,
  • Where you can use the prepaid card,
  • Non-reloadable value,
  • Optional use of a PIN,
  • A "Confidentiality" section, which seems to be a brief privacy policy,
  • Warranties and related terms,
  • Customer service information, and
  • Arbitration terms

The PIN option is useful for cardholders who want that extra security. As with any payment card, it is important for consumers to know who they are doing business with. Vanilla Visa prepaid card users do business with at least three corporations -- Visa and:

"The Cardholder Agreement ("Agreement") constitutes the agreement between you, the Bancorp bank, Wilmington, Delaware ("The Bancorp Bank" or "Issuer"), ITC Financial Licenses, Inc. and IH Financial Licenses, Inc. outlining the terms and conditions under which the Vanilla Visa Card has been issued to you by the issuer... All Cards are issued by the Issuer and distributed and serviced either by ITC Financial Licenses, Inc. or IH Financial Licenses, Inc., depending upon the state or territory in which the Card was sold."

The Vanilla Visa prepaid card is issued by The Bancorp Bank of Wilmington, Delaware. The Bancorp is the holding company, and as the center image on the home page at the website says:

"Founded in 2000, The Bancorp creates customized banks for our hundreds of affinity partners, setting a new standard in financial services innovation. Today, The Bancorp remains one of the few financial service companies in the world dedicated to providing private-label banking and technology solutions for non-bank companies ranging from entrepreneurial start-ups to those on the Fortune 500."

Image of The Bancorp home page, June 2, 2014.

So, companies wanting to offer prepaid cards to their customers might do business with The Bancorp Bank. As with any prepaid card, it is critical for consumers to know the terms and conditions; especially what fees apply and when they apply. With this card, there are no fees after purchase. (In my case, the gift giver paid the fee.) That is good, and the card has an expiration date. Mine expires in June 2022; plenty of time to use the $25 on it.

You can use the Vanilla Visa card only in the 50 states and the District of Columbia within the United States. The default state of the card is that it is not re-loadable; meaning you can spend only the value on the card. (In my case, I could spend the amount from the gift giver.) However, at the Vanilla Visa website, you can upgrade your card to make it a re-loadable prepaid card. I did not upgrade my card. Wise consumers will consult the website first to determine what additional fees apply before upgrading their cards to re-loadable status.

About activation, the Cardholder Agreement said:

"Activate Your Card
If your Card includes a notice that activation is required, you must activate the Card before you can use it. Please visit www.vanillavisa.com or call 1-855-904-7299 to activate your Card."

I was pretty certain that my card had been activated by the gift giver, but I called the phone number anyway just to confirm. The phone system included a message (on June 2, 2014) that card activation was not available via the telephone system. Not good. It's not good to promise something and then not fulfill that promise.

Next, I visited the website. It included a secure connection (https://) to enter the card number -- which I did. The results screen confirmed the amount on my card and that my card had been activated. That was good, easy, and fast.

I plan to use my Vanilla Visa card when dining at a restaurant. Since the bill will likely be higher than the $25 amount on my card, I will likely use the card plus cash to pay my bill -- something the Cardholder agreement calls a "split transaction." To do this, cardholders need to know the balance on their cards, and if the restaurant, or retail store, accepts split transactions. Some don't. A split transaction could also include other payment types (e.g., a prepaid card and a credit card; two prepaid cards, etc.). You get the idea.

Two images of the Cardholder Agreement: page one and page two of the Vanilla Visa Cardholder Agreement.

The Cardholder Agreement stated the following:

"Some merchants do not allow cardholders to conduct split transactions... If you wish to conduct a split transaction and it is permitted by the merchant, you must tell the merchant to charge only the exact amount of funds available on the Card to the Card. You must then arrange to pay the difference using another payment method..."

So, to use a prepaid card with split transactions requires the cardholder to know the exact balance on their card. Otherwise, you risk having your card declined. There are exceptions when making purchases at retail places like hotels, gas stations, and car rental services. Those merchants may pre-authorize an amount greater than the balance on your prepaid card:

"If you use your Card at an automated fuel dispenser ("pay at the pump"), the merchant may preauthorize the transaction amount up to $100.00 or more. If your Card is declined, even though you have sufficient funds available, pay for your purchase inside with the cashier..."

If you encounter problems, the Cardholder Agreement specifies how to contact customer service. If you experience unresolved problems, the Cardholder Agreement includes binding arbitration:

"Arbitration
Any claim, dispute, or controversy ("Claim") between you and us arising out of or relating in any way to this Agreement, your Card, your purchase of the Card, your usage of the Card, or transactions on the Card, no matter how described, pleaded or styled, shall be finally and exclusively resolved by binding individual arbitration conducted by the American Arbitration Association ("AAA") under its Consumer Arbitration Rules in your state of residence at a location that is reasonably convenient for both parties. ARBITRATION OF YOUR CLAIM IS MANDATORY AND BINDING. NEITHER YOU NOR WE WILL HAVE THE RIGHT TO LITIGATE THAT CLAIM THROUGH A COURT. IN ARBITRATION, NEITHER YOU NOR WE WILL HAVE THE RIGHT TO A TRIAL BY JUDGE OR JURY."

This contractual clause means that for an unresolved problem or dispute, the cardholder must use the arbitration process specified. It also means that the cardholder has lost at least three rights: to sue, to participate in any class-action lawsuits, and to benefit from mediation. These rights may be important to you. You may find them acceptable, or not. Bankrate published this in 2004:

"Binding arbitration, a little noticed clause in many agreements and contracts, strips consumers of their fundamental rights, including the right to sue individually or join a class-action suit if they have a problem with a company. Under binding arbitration, a consumer can be forced to pay thousands of dollars upfront to pursue a complaint, travel thousands of miles to a location of the company's choosing for the hearing, argue their case before an arbitrator who depends on the company for future business and surrender such basic legal weapons as the right to discovery and the right to appeal a decision... Labeled by the National Consumer Law Center as "astonishingly unfair and undemocratic," these clauses affect millions of consumers across the country. Corporations insert them into employment and home building contracts, in agreements for credit cards, computer software and hardware purchases, and many types of loans."

And, arbitration can cost more than a traditional court trial:

"Consumers' costs for arbitration vary widely and depend on the arbitration company, the type of dispute and the cost of the proposed remedy. The American Arbitration Association offers a streamlined process for consumer disputes that limits costs, but limits your rights too. While the American Arbitration Association is an umbrella group for arbitration companies, not all arbitration companies follow its suggested rules. Under these consumer rules, there is a filing fee of $125 if your dispute is under $10,000 and $350 if it is over that amount... However, in exchange for the low filing fees and streamlined process, you must give up some of your rights... There is no contingency in arbitration. Also, these costs don't include costs for an attorney if you want one..."

According to the National Association of Consumer Advocates (NACA):

"One of the alleged benefits of arbitration is that it costs less than litigation, but frequently this is not true for consumers and employees. Forced arbitration frequently costs more than taking a case to court and can cost thousands of dollars. Individuals often have to pay a large fee simply to initiate the arbitration process. If they are able to get an in-person hearing, individuals sometimes have to travel thousands of miles on their own dime to attend the arbitration. In the end, the loser (usually the individual) often pays the company’s legal fees."

The Public Citizen website lists the banks, retail stores, entertainment, online shopping, telecommunications, consumer electronics, software, nursing homes, and health care companies that include binding arbitration clauses in their contracts with customers. If this bothers you (and I hope that it does), you can take action at the NACA website.

With the Vanilla Visa prepaid card, the packaging exterior does not seem to provide any indication of the contractual clauses. A cardholder learns about the binding arbitration clause after the purchase, and after opening the package to read the contract. Is this fair? Is this right? Is this legal? While this is legal, to me it isn't fair or right. Important contract terms like binding arbitration should be stated on the exterior packaging. Otherwise, consumers are making uninformed purchases.

Also, the above three lost rights are important for consumers; especially when things go wrong with a product or service. Since technology moves forward far faster than federal, state, and local laws, differences of opinion are likely... and hence, disputes. It is not good that more corporations have inserted binding arbitration clauses into their contracts. Case law, the accumulation of court decisions by judges and juries, is the backbone of the judicial system in the United States.

While corporations have every right to limit their legal costs, that isn't always a benefit for consumers. So, consumers have every right not to purchase products and services from corporations that include binding arbitration clauses in their agreements.

While using a prepaid card may seem as easy as using cash, there are several important differences consumers need to know. Many people like the convenience of prepaid cards: you can't spend more than your card's balance, and you can avoid overdraft fees (but incur other fees). For me, cash offers more benefits without the complexities. With cash, I can't spend more than what's in my wallet, there are no overdraft fees, and no other fees (e.g., maintenance, non-usage, check balance, etc.).

In my opinion, prepaid cards are not as easy to use as cash. With prepaid cards you lose privacy because the banks, or corporations you do business with usually store and analyze your purchases. And with the Vanilla Visa card, you lose several rights due to the binding arbitration clause in the contract.

After writing this review, I did an online search to see what other reviews exist. You may find helpful the Vanilla Visa Gift Card reviews at the Consumer Affairs site.

What's your opinion of the Vanilla Visa prepaid card? Of the contract terms? If you have used this prepaid card, share your experiences below.


The FCC, Keeping An Open Internet (Net Neutrality), And Related Issues

An article in Forbes magazine by Roslyn Layton explored some of the issues surrounding the Federal Communications Commission (FCC), its approach to net neutrality, and public opinion. You may not know that in a few months five political appointees at the FCC will decide the future of Internet access in the United States. The decision of those five commissioners will affect everyone -- people and corporations, old and young, students, retirees, and workers.

You may not be aware that:

"... as the Pew Research Center reports, net neutrality is not likely to be the topic of dinner conversations. Outside of the many blogs and trade media that have covered the issue, two-thirds of the mainstream coverage has been made by just 6 newspapers, not counting the Wall Street Journal. TV coverage has been even more limited."

Shame on the news media, since it is supposed to cover the news. Changes to the Internet are news. Layton wrote about polling:

"There are just two national public opinion polls on net neutrality. A 2006 poll by the Senate Commerce Committee conducted with 800 registered voters found that in many parts of the US only 5% of voters even knew what net neutrality was. In December 2010, a Rasmussen poll of 1000 voters found that just 21% want the FCC to regulate the Internet and most fear regulation would promote a political agenda."

There are other polls, and consumers support net neutrality. The polls may not be national, but they are still applicable -- especially for the politicians whose constituents are covered. Politicians have a variety of tools to listen to their constituents: petitions by Senator Markey, MoveOn, Credo Action, Daily Kos, Bold Progressives, and the White House.

Layton wrote about politics:

"In fact, net neutrality rules have been proposed at least six times by Congressional Democrats since 2006, but none has been compelling enough to come to a vote. Counteractions by Republicans have appeared on at least five occasions. Two were brought to a vote. One failed to proceed, and the other, a Joint Resolution disapproving of the FCC’s 2010 Open Internet Report & Order, passed the House with a vote of 240 to 179. Moreover, the Court of Appeals has twice struck down the FCC’s rulemaking on net neutrality."

For context, the GOP-led House has voted at least 50 times to change (and in a few instances, to repeal) Obamacare. Many people would argue that Internet access is as important as health care. Layton seems to want to describe opposition to net neutrality as bipartisan, but the GOP platform in 2012 was clearly to oppose net neutrality.

Layton wrote about jobs:

"The Internet makes up 5% of America’s economy. Digital goods and services are now the third largest American export, and broadband and the related IT industry directly support nearly 11 million jobs in the United States. The US, just 4% of the world’s population, accounted for a quarter of the world’s investment in communication networks in 2013, nearly $70B, according to Infonetics. Fifteen of the world’s top 25 Internet companies come from the US."

Layton conveniently skipped the fact that in May, more than 100 tech companies sent a letter to the FCC demanding it keep open Internet rules. Several venture capitalists have said that the FCC's fast/slow-lanes broadband proposal is already having a negative impact upon business. Start-up executives are forced to raise more money than they otherwise would because ISPs are already charging fees. This will cause some new ventures not to receive funding (e.g., fewer jobs), and/or cause venture capitalists to shift their funding to other businesses away from Internet/tech. Neither impact is good for a country serious about maintaining leadership in the tech and Internet industries.

Layton seems to argue for less regulation. I find the argument hypocritical since the telecommunications corporations have already lobbied for and won local laws in 19 states (i.e., more regulation) that prohibit local government officials from building their own broadband Internet (e.g., fiber). You can't have it both ways: argue against regulation at the federal level while using regulation at the local level to minimize or kill competition.

With more competition, how much lower would Internet access prices be for consumers in these 19 states? With more competition and lower prices, how many more jobs would have been created in these 19 states?

The FCC's policy shift does not restore Net Neutrality. It kills it. The indicator: no longer is all content treated equally. No longer do consumers decide where to go with the broadband bandwidth they've paid for. ISPs can charge some publishers fees for content whenever they believe they can "reasonably" justify it. Think of your favorite video sites, since video consumes more bandwidth than plain text. If a publisher can't pay the fees, then they will have a tougher time getting their content and websites distributed.

Think about your favorite cloud services and all of your files -- text, music, and video -- that you have stored there... assuming unlimited Internet access. Guess what? The ISPs could lump those cloud services sites (e.g., Dropbox, Apple iCloud, etc.) along with other video sites in the fast lane; or in the slow lane if the publishers refuse to pay the fees.

I found the planned FCC policy troublesome because it fails to address the fact that the USA lags many other countries in broadband speeds while leading with the highest prices. Consumers in the USA simply aren't getting the value citizens in other countries get. I don't see any of Layton's comments addressing this, either.

Public Citizen has documented the telecommunications companies that already inserted binding arbitration clauses into their agreements with consumers. This leaves consumers with fewer rights in the marketplace. According to the National Association of Consumer Advocates (NACA):

"One of the alleged benefits of arbitration is that it costs less than litigation, but frequently this is not true for consumers and employees. Forced arbitration frequently costs more than taking a case to court and can cost thousands of dollars. Individuals often have to pay a large fee simply to initiate the arbitration process. If they are able to get an in-person hearing, individuals sometimes have to travel thousands of miles on their own dime to attend the arbitration. In the end, the loser (usually the individual) often pays the company’s legal fees."

Layton and other net neutrality opponents never seem to want to ask these and other related questions. The bottom line: all of this plus the FCC's planned net neutrality policy means a playing field that is even more heavily tilted towards telecommunications companies and against consumers.


N.S.A. Programs Collect Facial Images From Users' Online Communications

Image: National Security Agency logo.

The New York Times reported that the National Security Agency (NSA) captures and stores millions of images each day, of which about 55,000 are "facial recognition quality images." During the Obama Administration, the agency has reportedly increased its use of facial recognition software and programs. According to the news report:

"It is not clear how many people around the world, and how many Americans, might have been caught up in the effort. Neither federal privacy laws nor the nation’s surveillance laws provide specific protections for facial images. Given the N.S.A.’s foreign intelligence mission, much of the imagery would involve people overseas whose data was scooped up through cable taps, Internet hubs and satellite transmissions."

For online communications (e.g., e-mail, text, web surfing) within the United States, the agency would need a court order to collect your images. Exceptions to this are if a telecommunications company provided content directly in response to a request by the F.B.I. or other government agency, or if you communicate with persons outside the United States:

"Because the agency considers images a form of communications content, the N.S.A. would be required to get court approval for imagery of Americans collected through its surveillance programs, just as it must to read their emails or eavesdrop on their phone conversations, according to an N.S.A. spokeswoman. Cross-border communications in which an American might be emailing or texting an image to someone targeted by the agency overseas could be excepted."

The NSA uses both in-house and commercially available facial recognition software:

"One of the N.S.A.’s broadest efforts to obtain facial images is a program called Wellspring, which strips out images from emails and other communications, and displays those that might contain passport images... the N.S.A. relies in part on commercially available facial recognition technology, including from PittPatt, a small company owned by Google..."

Although the facial recognition software used is powerful, it still produces errors:

"A 2011 PowerPoint showed one example when Tundra Freeze, the N.S.A.’s main in-house facial recognition program, was asked to identify photos matching the image of a bearded young man with dark hair. The document says the program returned 42 results, and displays several that were obviously false hits... another 2011 N.S.A. document reported that a facial recognition system was queried with a photograph of Osama bin Laden. Among the search results were photos of four other bearded men with only slight resemblances to Bin Laden."

Reportedly, the agency does not collect images through its bulk metadata collection of phone records. All of the selfies you e-mailed and posted online probably have helped the NSA with its image collection because most social networking sites did not offer secure, encrypted capabilities before 2011. Ars Technica reported:

"According to the documents cited by the Times, the agency began performing facial recognition searches using captured images in 2010, matching photos in Pinwale (the NSA’s long-term store of captured content from external sources) and a terrorist watch list database called Tide... Of the major Web mail providers, only Google was providing SSL encryption at the beginning of 2010. Microsoft added SSL encryption to Hotmail in November of 2010. But SSL wasn’t even an option for Yahoo mail until early in 2013—and Yahoo didn’t turn it on by default until October of 2013."

And, your mobile device and your apps probably are leaky and less secure than a traditional browser interface. Ars Technica did some testing and found:

"Yahoo, Google, Microsoft, Apple, and Facebook now all encrypt images and other content from servers to Web browsers—though there are some exceptions in the mobile realm. Facebook, for example, encrypts all the images transmitted from its content delivery network to users’ browsers, though the images can still be reached through an unencrypted interface. During our testing, Pwnie Express founder and CTO Dave Porcello found that on an Android 4.1.1 “Jelly Bean” device—admittedly an older phone, but still in wide use—Facebook profile pictures and images were transmitted unencrypted to the Facebook app."
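As an added illustration (not the blog's or Ars Technica's own test method), here is a small audit over constructed proxy-log lines that flags image responses fetched over plain http:// and notes whether the same host also served images over TLS, which is the "reachable through an unencrypted interface" case described above. The log format, hostnames and URLs are assumptions made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic):
# "<timestamp> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
2014-06-02T10:00:01Z GET https://www.example-social.test/profile/123 200 text/html
2014-06-02T10:00:02Z GET https://cdn.example-social.test/p/123_thumb.jpg 200 image/jpeg
2014-06-02T10:00:03Z GET http://cdn.example-social.test/p/123_thumb.jpg 200 image/jpeg
2014-06-02T10:00:04Z GET http://cdn.example-social.test/p/456_full.jpg 200 image/jpeg
2014-06-02T10:00:05Z GET http://api.example-social.test/feed 200 application/json
2014-06-02T10:00:06Z GET https://mail.example-web.test/inbox 200 text/html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Yield (method, url, status, content_type) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4)), m.group(5)


def find_plaintext_images(text):
    """Return {host: {"plaintext": [urls], "also_https": bool}} for every host
    that delivered image/* content over http://. 'also_https' is True when the
    same host also served images over TLS, i.e. the content is exposed both ways."""
    https_hosts = set()
    plaintext = defaultdict(list)
    for _method, url, _status, ctype in parse_log(text):
        if not ctype.lower().startswith("image/"):
            continue  # only image content is of interest here
        parts = urlsplit(url)
        if parts.scheme == "https":
            https_hosts.add(parts.hostname)
        elif parts.scheme == "http":
            plaintext[parts.hostname].append(url)
    return {host: {"plaintext": urls, "also_https": host in https_hosts}
            for host, urls in plaintext.items()}


if __name__ == "__main__":
    for host, info in find_plaintext_images(SAMPLE_LOG).items():
        tag = "mixed" if info["also_https"] else "plaintext-only"
        print(f"{host} [{tag}]: {len(info['plaintext'])} image(s) over http")
```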

I look forward to reading the full report by Ars Technica when it is available. What to make of the NSA image-collection programs? First, the facial image collection is probably much more extensive, due to: a) cooperation by the spy agencies (e.g., GCHQ) of allies; and b) telecommunications and technology companies that have provided information in response to requests by the FBI, NSA, or other agencies. Second, consumers have to demand from app developers the same level of privacy with mobile apps that is available via traditional browser interfaces.

Third, know that when you communicate with persons outside the United States, you probably have far less privacy than you think. Fourth, contact your elected officials and demand that they rein in the NSA, stop the secret courts, laws, processes, and "back doors", and strictly comply with the Fourth Amendment of the U.S. Constitution.


10 Ways To Avoid Identity Theft During Vacation Travel

As summer approaches, many people travel on vacation. Stolen cash or payment cards (e.g., debit cards, credit cards, bank ATM cards) can wreck a relaxing, carefree vacation. Below are 10 tips the Better Business Bureau (BBB) provided in 2013 that are effective and worthy of repeating:

"1. Don’t announce your travel plans on social media. This invites identity thieves to target your house while you’re away.

2. Place a hold on your mail. When criminals see an overflowing mailbox, they see an easy way to steal personal information.

3. Carry only necessities in your wallet when traveling. Go through your wallet and leave at home your library card and other cards with your name on them.

4. Set up a travel alert on your credit card accounts, and freeze your credit with the three credit bureaus.

5. Leave your laptop computer at home if you can. If you must travel with a laptop, update your anti-virus and anti-spyware programs. Do not access bank accounts from your laptop while in a hotel room or at a coffee shop or other public location.

6. While staying at a hotel, lock important documents such as your passport in a safe.

7. Use only ATMs located in banks.

8. Protect your smartphone. Create a password for access, and use an application with a GPS locator to find your phone if it is lost or stolen.”

9. Don’t put your full name and address on luggage tags. Include just your last name and phone number.

10. Tear up and discard used boarding passes. Many travelers leave boarding passes behind in airplanes or hotels. They often contain full names and other personal information.

With tip #4, I inform my bank about the dates and countries where my credit-card purchases during vacation will be valid. Some of these tips (e.g., 1, 4, 7) I practice year-round. Some of these tips (e.g., 9, 10) I use for both business and vacation travel. During cruise ship vacations, I lock my wallet, important documents, and my smartphone in the safe in my stateroom.

What do you do to avoid identity theft during vacation travel?