
20 posts from March 2016

Why iPhones Are Now Less Secure, And How This Affects Everyone

Tuesday's blog post discussed the announcement by the U.S. Department of Justice (DOJ) that it had withdrawn its lawsuit against Apple, Inc. because the Federal Bureau of Investigation (FBI), with the help of an unnamed third party, had successfully unlocked the San Bernardino attacker's iPhone and accessed the information on the device. That blog post also discussed several related issues and implications. The government did not disclose the method it used to unlock the iPhone.

Today's blog post explores another related issue: whether the government will inform Apple of the vulnerability. With information about the vulnerability, Apple can improve the security of its iPhones. That will help all iPhone users better protect their privacy. The Washington Post reported:

"The FBI plans to classify this access method and to use it to break into other phones in other criminal investigations."

The article described how vulnerability disclosure usually works. When security researchers find a vulnerability, they report it to the vendor so a fix can be built and distributed to users quickly, and other developers learn from it:

"Vulnerabilities are found, fixed, then published. The entire security community is able to learn from the research, and — more important — everyone is more secure as a result of the work. The FBI is doing the exact opposite... All of our iPhones remain vulnerable to this exploit."

No doubt, the FBI and other U.S. government law enforcement (and spy) agencies will use the vulnerability to unlock more iPhones. People forget that iPhones are used by:

"... elected officials and federal workers and the phones used by people who protect our nation’s critical infrastructure and carry out other law enforcement duties, including lots of FBI agents... The problem with computer vulnerabilities is that they’re general. There’s no such thing as a vulnerability that affects only one device. If it affects one copy of an application, operating system or piece of hardware, then it affects all identical copies..."

The worst case scenario: by withholding vulnerability information, the government fosters a situation where Apple products are less secure than brands developed abroad, whose governments freely share vulnerability information with their vendors. That could hurt the tech company's revenues and profitability, meaning lost jobs here.

There is one tiny bit of good news in this mess:

"The FBI did the right thing by using an existing vulnerability rather than forcing Apple to create a new one, but it should be disclosed to Apple and patched immediately."

So now the bad guys (criminals, hackers, other governments' spy agencies) know for sure that an exploitable vulnerability exists in newer iPhones. If they look hard enough and long enough, they can find it too; many of them employ skilled, experienced engineers. Once found, they can use the same vulnerability to break into iPhones.

The government's decision to classify the vulnerability seems myopic at best and, at worst, extremely unfriendly to users and businesses. This weakens our defenses. It does not make them stronger.

The government's approach seems to be surveillance trumps privacy. You could say: surveillance by any means necessary (sorry, Malcolm) and damn the consequences. Damn the collateral damage.

Is this wise? Ethical? Is this how you want your government to operate? Was there a debate about this? Did you provide any input to your elected officials? Have they listened?


Justice Department Withdraws Lawsuit Against Apple. Confirms Third Party Successfully Unlocked Attacker's iPhone

The U.S. Justice Department (DOJ) announced on Monday its decision to withdraw its lawsuit to force Apple, Inc. to unlock an iPhone used by one of the San Bernardino attackers. U.S. Attorney Eileen M. Decker, of the Central District of California, made the two-paragraph announcement:

"The government has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone that was used by one of the terrorists who murdered 14 innocent Americans in San Bernardino on December 2nd of last year. Our decision to conclude the litigation was based solely on the fact that, with the recent assistance of a third party, we are now able to unlock that iPhone without compromising any information on the phone.

We sought an order compelling Apple to help unlock the phone to fulfill a solemn commitment to the victims of the San Bernardino shooting – that we will not rest until we have fully pursued every investigative lead related to the vicious attack. Although this step in the investigation is now complete, we will continue to explore every lead, and seek any appropriate legal process, to ensure our investigation collects all of the evidence related to this terrorist attack. The San Bernardino victims deserve nothing less."

The announcement confirmed that an undisclosed third party had successfully unlocked the attacker's newer model iPhone and retrieved information from it without triggering the auto-erase security feature. Rumors have pointed to Israel-based Cellebrite as the third party assisting the Federal Bureau of Investigation (FBI). There was also speculation that the National Security Agency (NSA) assisted the FBI.

After a cancelled March 22 court hearing, the government had an April 5 deadline to provide a status to the court. In its original complaint, the government used a 227-year-old law to force the tech company to build software to unlock the newer model iPhone and bypass its security features. The judge agreed and Apple appealed the decision.

The announcement did not mention what, if any, useful information the phone revealed. The government had suspected the device may contain information about other persons working with the attackers.

The legal fight between the FBI and Apple probably is not over. The New York Times reported:

"... what happened in the San Bernardino case doesn’t mean the fight is over,” said Esha Bhandari, a staff lawyer at the American Civil Liberties Union. She notes that the government generally goes through a process whereby it decides whether to disclose information about certain vulnerabilities so that manufacturers can patch them. “I would hope they would give that information to Apple so that it can patch any weaknesses,” she said, “but if the government classifies the tool, that suggests it may not.”

Apple released a brief statement yesterday:

"From the beginning, we objected to the FBI’s demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government’s dismissal, neither of these occurred. This case should never have been brought.

We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated. Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk..."

At least for now, engineers at Apple can refocus on improving the device's security without being forced to do investigative work the government should have done. According to TechCrunch:

"... the Department of Justice said the method only works on this phone in particular. But it’s hard to believe this argument as there’s no reason the FBI wouldn’t be able to unlock other iPhones 5c running the same version of iOS 9. Moreover, if the FBI found a software exploit, this exploit should work with all iPhones running on this version of iOS 9 (and most likely the current version of iOS, iOS 9.3)..."

What to make of these events?

If the government didn't find any useful information on the attacker's phone, then this court case has been a huge waste of time and taxpayers' money. There was speculation that the government's strategy was to gain broader legal powers to force tech companies to help it break into encrypted devices. (Reread Decker's announcement above, including "... seek any appropriate legal process...") It didn't get that legal precedent by abandoning the case.

However, two U.S. Senators have drafted proposed legislation giving federal judges such broader powers. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee. Will this proposal continue now that the government has withdrawn its lawsuit? Should this proposal continue? If it does, that bears watching. I guess the DOJ didn't want to wait for a gridlocked Congress to act next year after elections.

What are your opinions of these events?


Learn How To Spot These 5 Energy Scams So You Don't Get Duped

Maybe it was a visit by a door-to-door salesperson. Maybe it was a phone call, or a text or e-mail message. There are five energy scams you should be aware of, so you don't get duped and lose your hard-earned money. Eversource, the largest energy delivery service in New England, alerted its customers about common scams:

  1. Shut-off threats: callers claim to represent the Billing or Disconnect Department, and state that your power will be shut off if you don't make a payment immediately.
  2. Pay immediately: callers instruct you to make a payment immediately at a third-party location, such as a grocery store, or to a "Green Dot" VISA card. Then the scammer directs the victim to call another phone number to report the card payment information, so the scammers can drain the card account online.
  3. Faulty meters: callers claim your electric (or gas) meter is broken and is overcharging you. Then the scammer directs the victim to buy a $200.00 prepaid card. The scammer calls again claiming the first payment hasn't posted, and that the consumer should buy a $300.00 prepaid card. Of course, the scammer lies about the meter being fixed soon.
  4. Unsolicited technician: a door-to-door person, with a hard-to-read badge, claims he is there to check your usage because your neighbors have reportedly complained about high monthly bills.
  5. Unsolicited salesperson: a door-to-door person claims there is a problem with your utilities, and that you failed to respond to urgent notices. The scammer insists that you could get a rebate or savings, but needs to see a copy of your energy bill.

These are all scams because:

"Eversource would never ask you to purchase prepaid cards or make an immediate payment at a third-party location, like a grocery store. We have a very secure, protected billing system, and you have multiple, convenient options to pay your bills, including direct debit, check, credit card and cash. Customers who are scheduled for disconnection due to nonpayment receive written notice that includes the actions they can take to maintain service... All [Eversource] employees carry company-issued identification, and any electrical contractors working with us carry documentation explaining the nature and location of their work. Customers can always call us to verify this information. Eversource would never solicit door-to-door or over the phone on behalf of a specific competitive/alternate energy supplier."

The information on your monthly energy bill is sensitive information. Protect it. Eversource advises:

"Never provide personal financial or utility account information to any unsolicited individual, in person, on the phone, or online, even if the individual seems legitimate."

And Eversource advises its consumers to:

"Always verify whether these contacts are legitimate by asking for some basic information about your account. Our representatives will always be able to provide the name on the account, the account address, and the exact past due balance. If the caller cannot provide that information, the call is not from us."

If you use a different energy provider, check its website for scam warnings. For example, earlier this month PG&E warned its customers in California about similar scams.

I've received some of these robocalls from scammers. Long ago, I registered both my landline and mobile phone numbers in the National Do Not Call Registry. When I receive unwanted and un-requested robocalls, I hang up the call immediately and submit a complaint to the U.S. Federal Trade Commission (FTC). You should, too.


What's New: Cruise Ship Vacations To Cuba Starting May 1 That Include Volunteering

On Monday, March 21, Carnival Corporation announced a signed agreement with the Cuban government allowing its Fathom cruise line to provide service to port destinations in Cuba beginning May 1, 2016. Carnival received approval from the United States government in July 2015. With approval from both countries' governments, cruise sailings can soon begin. This will be the first time in about 50 years that passengers can sail from the United States to Cuba.

Tara Russell, president of Fathom cruise line, said in the announcement:

"Our Carnival Corporation and Fathom brand teams have worked closely with Cuba throughout this process and we are thrilled to begin regular sailings to Cuba from Miami starting on May 1, 2016... We have been told that we will be the first cruise line to sail from the U.S. to Cuba with our historic inaugural sailing."

The history-making sailings will be made by the 704-passenger MV Adonia cruise ship. Based in Miami, the MV Adonia will sail to three port destinations in Cuba: Havana, Cienfuegos, and Santiago de Cuba. To celebrate this historic event, the itinerary will include a Cuban experience with onboard seminars about Cuba’s history, customs, and culture plus conversational Spanish lessons, Cuban music, films, and Cuban menu options.

What distinguishes Fathom from other cruise lines is the concept of "impact travel." The site explains:

"Fathom was created for the passionate and growing number of travelers seeking mindful, purpose-driven and easily accessible travel programs that allow them to make an impact on the world... Fathom offers consumers authentic, meaningful travel experiences to enrich the life of the traveler and work alongside locals as they tackle community needs..."

Those programs include activities such as planting trees, building and installing water filters, teaching grade-school students to read, and more. So you can mix volunteer work with your vacation. That's definitely a different cruise-ship vacation.

Carnival Corporation owns several cruise lines, including Carnival, Costa, Cunard, Holland America, Princess, and its new Fathom cruise line. How did Fathom start? There's a robust discussion by consumers on the Cruise Critic social site. One person offered this perspective:

"... I live in New Orleans... the origin of Fathom was born out of Carnival's experience during Hurricane Katrina in 2005. To support first responders, Carnival made the decision to reallocate 3 Fantasy Class vessels to New Orleans to provide safe infrastructure (housing, food, communications etc). The city had zero support systems in place (destroyed by the levee breaking) to provide those services for at least 90 days after Katrina. Contrary to popular outcry, Carnival had enough excess capacity fleet-wide to absorb guests (who expressed the willingness to be flexible) who were displaced by this action. Katrina proved to be the greatest outpouring of volunteerism in the history of this country. Every year since Katrina, thousands of volunteers return to continue to help rebuild. Carnival Corporation learned from that experience. Through the concept of Fathom, it can bring hundreds of volunteers with various skills and passions to any destination that can be reached by a cruise ship and a workable port of call... or in Cuba's situation to help rebuild a long decayed infrastructure... I think this will be a major hit... it will change the paradigms of how the younger generation views vacations. I applaud Carnival for doing this..."

The MV Adonia will make 7-day sailings departing Miami on Sundays. The Fathom cruise line will also provide service to ports in the Dominican Republic. Prices for 7-day sailings to Cuba start at $1,800.00 per person, excluding Cuban visas, taxes, fees, and port expenses. The prices include all meals on the ship, onboard experiences and on-land activities. Prices will vary by season. To book a sailing, a $600.00 per person deposit is required, and final payment is due 90 days prior to departure.

This is exciting news. I look forward to experiencing what Fathom has to offer. You can learn more in this video:


FBI vs. Apple: Cancelled Hearing, Draft Legislation, New Decryption Capabilities, And An Outside Party

A lot happened this week. A lot. Below is a recap of key headlines and events involving Apple, Inc. and the U.S. Federal Bureau of Investigation (FBI).

Late during the day on Monday, the government's lawyers got U.S. Magistrate Sheri Pym to cancel a Tuesday March 22 hearing between Apple and the FBI about an earlier court decision forcing Apple to unlock the iPhone used by one of the San Bernardino attackers. Apple did not object to the cancelled hearing. The FBI was ordered to file a status by April 5, 2016. The government filed court papers on Monday explaining why:

"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone. Testing is required whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for assistance from Apple Inc. set forth in the All Writs Act Order in this case."

So, on or before April 5 we will learn whether this outside party successfully demonstrated the ability to unlock and decrypt information stored on this newer model iPhone without any loss of or damage to the information stored on it.

Are these decryption capabilities a good thing? Ars Technica reported:

"Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, said that these new government decryption capabilities are not good for privacy and ever-expanding government surveillance. "The DOJ doesn't want bad precedent, and I think Apple had the better side in this argument," she told Ars. "Being able to hack helps DOJ for a while. Apple could upgrade beyond the capability..."

Meanwhile, two U.S. Senators have drafted proposed legislation giving federal judges broad powers to force technology companies like Apple to help law enforcement break into encrypted devices. Prior proposals died in Congress. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee.

Who is this mysterious outside party helping the FBI unlock and decrypt information on newer model iPhones? There has been speculation that the National Security Agency (NSA) was helping the FBI. One would expect the NSA to have such decryption capabilities. BGR explored this on March 4:

"... the NSA can hack into the device but that it doesn’t want to tell that to the FBI because it never likes to reveal what it’s capable of doing. If that were the case, however, why wouldn’t the NSA help the FBI behind the scenes before the FBI went public with its request for Apple’s assistance? And besides, as The Intercept notes, “courts have affirmed the NSA’s legal right to keep its investigative methods secret.” In fact, security experts explained to Wired earlier this week that the FBI could recruit the NSA to connect the iPhone 5c to a Stingray-like rogue cellular network as it’s booting up, which could give the agency the ability to control the device before it even gets to the unlock screen..."

However, Inverse reported on Thursday who else it might be and why:

"Sun Corporation, the company currently getting rich off public speculation that it can help the FBI break into the notorious San Bernardino iPhone, was not always such a fierce competitor. While it's seen the value of its stock rise 36 percent since Reuters reported that the FBI had enlisted its subsidiary, an Israeli firm called Cellebrite, to unlock the iPhone..."

NPR reported that it might be a publicity stunt by Cellebrite. Will the FBI meet its April 5 deadline? The NPR report discussed a possible decryption approach:

"Computer forensics researcher Jonathan Zdziarski argues that because the FBI has asked courts for only two weeks to test the viability of the new method, it's likely not highly experimental. It's also likely not something destructive, like the "decapping" method that relies on physically shaving off tiny layers of the microprocessor inside the phone to reveal a special code that would let investigators move the data and crack the passcode. The idea that's garnering the most focus is something called chip cloning, or mirroring or transplantation..."

During a press conference on Friday, FBI Director James Comey wouldn't disclose the name of the outside party. USA Today also reported:

"Law enforcement officials Thursday threw cold water on two recent theories on how the FBI was attempting to hack into an iPhone used by one of the San Bernardino terrorists... FBI Director James Comey, in response to a reporter's question at a briefing, said making a copy of the iPhone’s chip in an effort to circumvent the password lockout “doesn’t work”... A widely discussed scenario in the security world, put forward by a staff technologist at the ACLU, has been that the FBI had found a way to remove crucial chips from the iPhone, make digital copies of them and then run multiple passcode attempts against the digital copies, while keeping the phone's software itself untouched. That would avoid tripping the self-erase program built into the iPhone..."
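The chip-cloning theory quoted above rests on one assumption: that the wrong-guess counter lives on storage an attacker can image and write back. The toy model below (constructed for this page; it is not Apple's code, the FBI's method, or a description of any real iPhone's internals, and its key derivation, salt, passcode length and retry limit are placeholders) shows why such a counter can be reset by restoring a saved image, and why the same trick does nothing when the counter is held in a separate tamper-resistant element that the flash image does not include.

```python
"""Toy model of a passcode retry counter versus 'chip mirroring'.

Constructed for this page. Not Apple's code, not the FBI's method; the
KDF, salt, passcode length and retry limit are placeholders.
"""
import copy
import hashlib
from dataclasses import dataclass

MAX_TRIES = 10      # wrong passcodes allowed before the erase fires
PIN_LEN = 4         # four-digit numeric passcode: 10,000 candidates
KDF_ITERS = 100     # deliberately small so the demo runs in seconds
DEVICE_SALT = b"constructed-per-device-salt"   # assumption: a device-bound value


def derive_key(pin: str) -> bytes:
    """Stand-in for passcode-to-key derivation; only its dependence on a
    device-bound value matters for the model."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), DEVICE_SALT, KDF_ITERS)


@dataclass
class Flash:
    """Removable storage the attacker can image and rewrite. In the weak
    design it also carries the retry counter."""
    key_check: bytes        # verifier for the correct passcode
    failed: int = 0
    erased: bool = False


@dataclass
class SecureElement:
    """Counter kept in hardware the attacker does not image (not part of Flash)."""
    failed: int = 0
    locked: bool = False


def try_pin_weak(flash: Flash, pin: str) -> bool:
    """Counter and data share the flash: every wrong guess is a write the
    attacker can undo by restoring an earlier image."""
    if flash.erased:
        return False
    if derive_key(pin) == flash.key_check:
        flash.failed = 0
        return True
    flash.failed += 1
    if flash.failed >= MAX_TRIES:
        flash.erased = True
    return False


def try_pin_hardened(flash: Flash, se: SecureElement, pin: str) -> bool:
    """Counter lives in the secure element; rewriting the flash never touches it."""
    if se.locked or flash.erased:
        return False
    if derive_key(pin) == flash.key_check:
        se.failed = 0
        return True
    se.failed += 1
    if se.failed >= MAX_TRIES:
        se.locked = True
        flash.erased = True     # key material discarded: data unrecoverable
    return False


def restore(flash: Flash, image: Flash) -> None:
    """Write the saved image back over the flash (the 'mirroring' step)."""
    flash.key_check, flash.failed, flash.erased = image.key_check, image.failed, image.erased


def mirror_attack(flash: Flash, try_pin):
    """Image the flash once, then brute-force every passcode; before each
    (MAX_TRIES-1)th guess write the image back so an on-flash counter can
    never reach the limit. Returns (pin_or_None, guesses_made, restores_made)."""
    image = copy.copy(flash)
    restores = 0
    for n in range(10 ** PIN_LEN):
        if n and n % (MAX_TRIES - 1) == 0:
            restore(flash, image)
            restores += 1
        pin = f"{n:0{PIN_LEN}d}"
        if try_pin(flash, pin):
            return pin, n + 1, restores
        if flash.erased:            # erase fired: nothing left to guess against
            return None, n + 1, restores
    return None, 10 ** PIN_LEN, restores


def run_demo(pin: str = "4321") -> dict:
    """Run the same attack against both designs with a constructed passcode."""
    weak = mirror_attack(Flash(key_check=derive_key(pin)), try_pin_weak)
    se = SecureElement()
    hardened = mirror_attack(Flash(key_check=derive_key(pin)),
                             lambda f, p: try_pin_hardened(f, se, p))
    return {"weak": weak, "hardened": hardened}


if __name__ == "__main__":
    print(run_demo())
```

Running it gives one result per design: the weak design yields the four-digit passcode after 4,322 guesses and 480 image restores without ever tripping the erase, while the hardened design locks after ten guesses no matter how often the flash is rewritten. This says nothing about whether the real method worked; it only shows the property a retry counter needs in order to survive chip mirroring: it must not be stored anywhere the attacker can write.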

So, who is helping the FBI -- Cellebrite, the NSA, or both? Or another entity?

Another line of speculation is that the FBI has received assistance from the NSA and has decided to use Cellebrite as a false front. Why might this be true? It allows the FBI to reveal (some) investigation methods without revealing the NSA's real methods. I'm no legal expert, but if this is true, I can't see any judge being pleased about being lied to.

We shall see on or before April 5. What are your opinions? Speculation?


Emotional Technology: The Coming Products, Services, And Apps

A reader shared the video below with this comment:

"I don't know George, this sort of creeps me out."

My thoughts and reactions to the video:

  1. It should creep you out. Do you want technology between you and your spouse? During very private, intimate, face-to-face conversations? I think not.
  2. We consumers are already experiencing the beginnings of emotional technology. To make that tech work, companies must collect data about our moods and emotions. Some examples of this data capture: a) Facebook's expanded list of emojis; b) Facebook saves your unpublished and unedited comments and posts before final posting.
  3. Consumers decide when and where they want technology in their relationships. That line is already blurred. (Examples: devices with voice-recognition interfaces, such as Amazon Echo and Hello Barbie, that listen 24/7/365.)
  4. If I were a data broker, of course I'd want to capture your moods and emotions and link them to certain geo-locations and times of day. Why? It's an opportunity to make more $$$ by selling that emotional data to advertisers, so they can serve up supposedly relevant ads responding to your moods in those locations and/or at those times.
  5. Wearables, fitness trackers, and smart homes outfitted with certain Internet-of-things devices will perform this mood data capture.
  6. Whenever somebody uses technology to offer convenience, watch out. There are usually accompanying data capture, tracking, and privacy issues (e.g., notice, consent) embedded. Will companies adequately protect emotional information from data breaches? How will your government and law enforcement acquire, archive, and use mood information?

What are your opinions?


Apple Engineers Consider Their Options, The FBI's Goals, And 'Warrant-Proof Phones' Spin

The encryption engineers at Apple are considering their options, if the U.S. Federal Bureau of Investigation (FBI) succeeds at forcing their employer to build back doors into one or several iPhones. The New York Times reported:

"Apple employees are already discussing what they will do if ordered to help law enforcement authorities. Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created, according to more than a half-dozen current and former Apple employees. Among those interviewed were Apple engineers who are involved in the development of mobile products and security, as well as former security engineers and executives."

One explanation for this:

“It’s an independent culture and a rebellious one,” said Jean-Louis Gassée, a venture capitalist who was once an engineering manager at Apple. “If the government tries to compel testimony or action from these engineers, good luck with that.”

The tech company estimated it would take 10 engineers about a month to develop the back-door software, which some have called "GovtOS." That estimate assumed the encryption engineers would be on staff and available. Security experts have warned that more court orders to unlock iPhones will likely follow if the FBI succeeds in forcing Apple to unlock the San Bernardino attacker's phone.

Since the "back doors" are really software, that software must be developed, debugged, tested, and documented like any other. Those tasks require a broader team across multiple disciplines; all of which could be working (instead) on other projects that generate revenue. Then, multiply this by multiple unlock demands. Will the government reimburse Apple for the new, broader project team it creates to build back-door software? Will the government reimburse Apple for the opportunity cost from lost projects and revenues the team members could have completed instead? Will the government reimburse Apple for the costs of hiring engineers and workers to replace those who quit? It will be interesting to see how the financial markets evaluate all of this, if the FBI successfully forces Apple to unlock iPhones.

By using a 227-year-old law, it seems that the FBI and Director James Comey want to direct the development work of private companies to do tasks they should do themselves, while ignoring the unintended consequences to business and jobs. (Remember, experts warned in 2014 that NSA spying could cost the tech industry billions of dollars.) Has the government really thought this through? It seems like they haven't.

Federal Bureau of Investigation logo What are the FBI's goals? An article in Quartz suggested that the FBI is:

"... worried about is the fast-approaching future when its best hackers will be stymied by powerful corporate encryption and security systems. Federal law, in its current state, is of little help. There is no precedent that will allow the government to force a private company to change its security systems so that the FBI can get inside and take a peek. In fact, the Communications Assistance for Law Enforcement Act (CALEA) could be interpreted to restrict the government from doing so. The FBI has apparently decided that it’s time for federal law to change. So its officials have been searching for a particular case that would give them a shot at changing the established legal precedent.."

Learn more about CALEA and the FBI's attempts since 2010 to expand it. An MIT Technology Review article debunked the government's spin and fear-mongering claims of a new period of "warrant-proof phones" (e.g., newer iPhones) and "going dark." There have always been warrant-proof products and services because these (analog or paper-based) items historically didn't archive or store information. So, historical government surveillance was always "dark." While law enforcement may lose some information surveillance sources in the future due to encryption, the multitude of new technologies, products, services, companies, web sites, and mobile apps during the past few years have provided it with far more sources with far more detailed information than it ever had. The old saying seems to apply: can't see the forest for the trees.

I agree. We definitely live in the golden age of surveillance.

The government's argument is weak also because it ignores the fact that well-funded bad guys, such as drug cartels and terrorist networks, can a) purchase encrypted communications products and services outside the USA, and b) hire engineers and programmers to build and maintain their own encrypted systems.

What are your opinions?


ExxonMobil CEO Sues To Stop Fracking Near His Mansion

This news story highlights corporate executive hypocrisy. The Nation reported that Rex Tillerson, the Chief Executive Officer (CEO) at ExxonMobil, has sued to stop fracking activities near his mansion:

"... Tillerson, a vocal proponent of hydraulic fracking, who is suing to prevent the construction of a water tower near his eighty-three-acre, $5 million horse ranch in Bartonville, Texas. The purpose of the tower? Storing water for fracking. Tillerson and his super-wealthy neighbors are concerned, the lawsuit states, that the fracking tower might “devalue their properties..."

By implication, this means it is better to locate fracking activities in or near neighborhoods of poor and middle-income people. They won't mind, right?

Are Mr. Tillerson's hypocritical actions atypical at ExxonMobil? I think not. Why? It's important to remember history. The Guardian reported in July 2015:

"ExxonMobil, the world’s biggest oil company, knew as early as 1981 of climate change – seven years before it became a public issue, according to a newly discovered email from one of the firm’s own scientists. Despite this the firm spent millions over the next 27 years to promote climate denial. The email from Exxon’s in-house climate expert provides evidence the company was aware of the connection between fossil fuels and climate change, and the potential for carbon-cutting regulations that could hurt its bottom line, over a generation ago... Exxon’s public position was marked by continued refusal to acknowledge the dangers of climate change, even in response to appeals from the Rockefellers, its founding family... Over the years, Exxon spent more than $30m on think tanks and researchers that promoted climate denial, according to Greenpeace. Exxon said on Wednesday that it now acknowledges the risk of climate change and does not fund climate change denial groups."

What are your opinions?


John Oliver's Awesome Fake Apple Ad About Encryption, Privacy And iPhones

With the ongoing legal battle about encryption between Apple and the Federal Bureau of Investigation (FBI), John Oliver, the host of the "Last Week Tonight" show, presented a satirical advertisement for Apple to help consumers understand encryption. The segment is worth watching.

First, some background. The FBI used a 227-year-old law to force Apple to build a "back door" into an iPhone used by one of the San Bernardino attackers, who killed 14 persons. The FBI believes that there may be information on that phone that could lead to other persons involved. Apple has appealed the court decision, citing several security and privacy issues. The back doors, really software, can be stolen and/or modified to make all iPhones vulnerable.

Legal experts warned that the 227-year-old All Writs Act is too broad, and Congress should act to clarify the law. Since then, we've learned that the FBI made access to the phone more difficult after a failed attempt to hack the attacker's iCloud account. Experts also warned that if Apple is forced to build a back door there may be unintended consequences, including tech companies moving their operations and jobs offshore to avoid heavy-handed government surveillance and intrusions. And, if the government weakens encryption and security in products made by U.S. tech companies, then users (both good guys and bad guys) will simply shop elsewhere since many security products are already made abroad.

This week, we learned that Apple said the government is lying when it claimed that the company produced advertisements stating that encryption keeps out law enforcement. No doubt, there will be more disclosures and revelations. This latest claim makes the fake ad even more timely. No doubt, the final outcome of the Apple versus FBI court case will affect everyone.

The entire 18-minute segment is a good, funny, entertaining primer about encryption. The about-face by technophobe and U.S. Senator Lindsey Graham (R-South Carolina) is priceless. The fake ad appears in the last two minutes:


The NFL (Finally) Admits A Link Between Football And Degenerative Brain Disease

This week, the National Football League (NFL) admitted a link between football and degenerative brain disease. Frontline reported:

"After years of skepticism, professed doubts and at times outright denial, the NFL has acknowledged a link between playing football and the degenerative brain disease known as chronic traumatic encephalopathy. The acknowledgment came one day after Jeff Miller, the NFL’s senior vice president for health and safety, told the House of Representatives’ Committee on Energy and Commerce, that football-related head trauma can lead to brain disease."

It's important to remember how we got this admission. The problem has been brewing for a long time:

"Miller’s admission broke with the NFL’s past stances on the issue. In a series of scientific papers published between 2003 and 2009, members of the league’s since disbanded “Mild Traumatic Brain Injury Committee” wrote that “no NFL player” had ever suffered chronic brain damage as a result of repeat concussions... As recently as Super Bowl week, Dr. Mitch Berger, the neurosurgeon who leads the NFL’s subcommittee on long-term brain injury, said there was still no direct link between football and CTE."

Geez.

I've watched the sport most of my life. In 2013, I wrote an open letter to the NFL detailing my dissatisfaction with the league's progress, or lack thereof, with addressing head injuries. Back then, the league had just settled a lawsuit with former players... a woefully inadequate settlement, given a $9 billion per year business built by former players -- many of whom suffer with CTE. Disgusting. So I stopped watching NFL games... all of them... even when my favorite team won Super Bowl XLIX.

This week's admission was long overdue. The league still has a lot to do to earn back my trust and support. A lot.

What next will the NFL do -- not say -- to help former players? What next to better protect players? What next to present the science to youth (before high school) so they can make informed choices? Hopefully, the league will move with more speed than it did during the last 20 years.


Survey: Bankers Expect Consumers To Use Wearable And Smart Home Devices For Banking

Would you use a smart watch, fitness band, or other wearable device for banking? How about your smart television or refrigerator? Many bankers think you will, and are racing to integrate a broader range of mobile devices and technologies into their banking services. A recent survey of financial executives found that:

"... 20 per cent expect it to be common for consumers to make financial transactions using wearables within one year, 59 per cent within two years and 91 per cent within five years... 87 per cent expect it to be common for consumers to make financial transactions using Smart TVs and 68 per cent via home appliances."

The survey included 500 executives globally in several financial areas: banking, financial advice, consumer finance, investment management, insurance, and payments. So, consumers are likely to see these changes not just at their bank, but in a variety of financial and insurance transactions. Here's why:

"... too many banks are out of touch with what customers really want: one survey found 62 per cent of retail banking executives believed their bank offered excellent service compared to just 35 per cent of customers.... Millennials will have annual spending power of US$1. trillion [in 2020] and represent 30 per cent of total retail sales... Millennials not only have an appetite for disruptive new technologies but also an affinity with brand-savvy digital leaders... The Millennial Disruption Index, a three-year study of industry disruption conducted by Viacom subsidiary Scratch, found that banking was most vulnerable to disruption..."

The report discussed the desire by executives to serve customers via a variety of methods:

"Today’s customers expect a flawless end-to-end experience across all channels, yet fewer than 4 per cent of our respondents say they have achieved full omni-channel integration... by 2020, 89 per cent of our respondents expect to achieve full omni-channel integration. This either suggests a massive surge of investment over the next five years – or an industry in denial about the scale of the task ahead... 70 per cent expect video chat to largely replace branch appointments. Indeed, six out of ten now believe a digital-only channel model is viable."

Bankers view the Internet-of-Things (IoT) as both a collection of endpoint devices to provide services through, and a rich source of data:

"...93 per cent agree that finding innovative ways to provide value-added services to customers based on data-driven insight will be crucial to long-term success... 86 per cent agree that once consumers recognize the data potential of the IoT they will increasingly seek to benchmark their own behavior against their peers..."

Banks will probably develop more non-human (e.g., self-service) interfaces:

"... 76 per cent agree the widespread use of virtual assistants such as Siri on the iPhone means customers are more willing to engage with automated assistance and advice... almost three quarters of our respondents agree that in the future customers will interact with a human-like avatar..."

Another technology being considered:

"... 60 per cent [of survey respondents] believe that blockchain, a distributed public ledger which can securely record any information and the ownership of any asset, will prove to be the most significant technology development to affect financial services since the Internet and 45 per cent think the combination of blockchain wallets and peer-to-peer (P2P) lending could herald the end of banking as we know it... 12 per cent expect the settlement of insurance claims using IoT data, blockchain and smart contracts to be mainstream practice within two years and 74 per cent expect it to be mainstream by 2025..."

Don't expect your bank to provide these new services next week or next month. It will take them time. New systems must be built, tested, debugged, and integrated with legacy computer systems and processes. All of this suggests that to fund their investments in innovation projects, banks probably won't lower their retail banking prices and fees (e.g., checking, savings, etc.) any time soon. While writing this blog the past 8+ years, I've found it wise to always keep an eye on the banks.

Download "The Future of Retail Financial Services" report by Cognizant, Marketforce, and Pegasystems.


CPNI Privacy Notices: A Review Of AT&T's And What You Need To Know

AT&T postcard notice in March 2016 about CPNI

Last week, my wife and I received the above postcard from AT&T, which provides our mobile phone service. All telecommunications companies in the United States provide these notices -- by snail mail, email, or both. If you receive a notice, don't toss it in the trash. Read it closely because your privacy depends upon it.

The text of our postcard read:

"AN IMPORTANT MESSAGE ABOUT THE PRIVACY OF YOUR CUSTOMER PROPRIETARY NETWORK INFORMATION (OR CPNI)

The protection of our customers' privacy is of utmost importance to the employees and management of the AT&T family of companies (AT&T)*. Please take a moment to read the following important message about the privacy of your customer information.

AT&T companies that provide telecommunications and interconnected Voice over Internet Protocol (VoIP) service (which permits VoIP customers to both send and receive calls to/from customers with traditional telephone/telecommunications service) would like to share your customer proprietary network information (CPNI) within the AT&T family of companies for our own marketing purposes, including using that information to offer you additional products and services.

What is CPNI? Your CPNI includes the types of telecommunications and interconnected VoIP services you currently purchase, how you use them, and the related billing for those services. CPNI does not include your telephone number, your name or your address. Protecting the confidentiality of your CPNI is your right and our duty under federal law. As an AT&T customer, you can restrict the use of your CPNI even within the AT&T family of companies.

To allow AT&T to use your CPNI, no further action is required. AT&T and our authorized agents will not sell, trade or share your CPNI with anyone other than those who are in the AT&T family of companies or are AT&T authorized agents, unless required by law. If at any time you would prefer that AT&T not use your CPNI to offer you additional products and services, you may:
- Submit an online form at att.com/ecpnioptout; or
- Call 800.315.8303 24 hours a day, 7 days a week and follow the prompts; or
- To speak to a service representative call 800.288.2020

Your decision to permit or restrict the use of CPNI will remain in effect until you decide to change it, which you can do at any time without charge. Restricting our use of your CPNI will not affect the provision of any AT&T products or services to which you currently subscribe, nor will it eliminate other types of marketing contacts. Thank you for choosing AT&T. We appreciate your business.

*The AT&T Family of Companies are those companies that provide voice, video and broadcast-related products and/or services domestically and internationally, including the AT&T local and long distance companies, AT&T Corp., AT&T Mobility, DIRECTV and other subsidiaries or affiliates of AT&T Inc. that provide, design, market, or sell products and/or services."

What does this notice mean? What's really going on?

First, AT&T is already sharing your information. Anytime you read a corporate notice that says you can opt out (e.g., unsubscribe) of a marketing or advertising program, that means you are already included. You'd think that programs would work the other way: you are never included in a program until you subscribe (e.g., opt in). That would be easy for consumers. You're only in programs you want to participate in, and there's no burden to (constantly) opt out of unwanted programs.

Sadly, other telecommunications companies have similar marketing programs with CPNI and opt-out mechanisms. Why? Marketing and advertising programs that automatically include all customers are the easiest and fastest way for companies to collect and share as much information as possible about as many customers as possible. So, you're included in programs whether you want them or not, with the hope that you won't take the time to read and opt out (unsubscribe).

That's definitely not consumer friendly.

Second, the notice fails to explain exactly what CPNI is. The description seems to have been written by lawyers for lawyers -- and not for consumers. A clearer notice would list the specific data elements collected and shared, with examples. I checked AT&T's CPNI website page to see if it provided more details. It doesn't. It provided the same vague text. Compared to a postcard, there's plenty more room on a web page to share details. I guess AT&T really doesn't want to share details about CPNI.

If you want to know exactly what CPNI is, the FCC provides this definition:

"Your local, long distance and wireless telephone companies, as well as your Voice over Internet Provider (VoIP), collect information such as the numbers you call and when you call them, as well as the particular services you use, such as call forwarding or voice mail. These companies collect this customer information, also called Customer Proprietary Network Information (CPNI) so they can provide the services you have requested and send you bills for them."

While petitioning the FCC for greater privacy protections in 2007, the Electronic Privacy Information Center (EPIC) and other advocacy groups said:

"CPNI is the data collected by telecommunications corporations about a consumer’s telephone calls. It includes the time, date, duration and destination number of each call, the type of network a customer subscribes to, and any other information that appears on the customer's bill."

So, CPNI includes metadata about your call and online activity. That's sensitive personal information... which leads to the next point.

Third, treat the security of your CPNI data seriously. Last year, AT&T paid a $25 million penalty after data breaches in three of its offshore call centers that included stolen CPNI. The U.S. Federal Communications Commission (FCC) investigated after unauthorized employees in call centers in Mexico, Colombia, and the Philippines accessed sensitive personal information of about 280,000 U.S. customers: names, full or partial Social Security numbers, and CPNI data. The employees transferred the stolen information to "unauthorized third parties" (e.g., criminals) to unlock stolen phones and other acts. So, criminals understand the value of CPNI data. You should, too.

Fourth, the notice seems slanted. It uses the term "restrict" as if that is bad, but never provides examples of the benefits for consumers. How are consumers to make informed decisions if a company fails to clearly explain the program?

Fifth, the AT&T CPNI Optout page mechanism is poorly designed. The form asks customers to enter only an account number and ZIP Code:

Image of AT&T CPNI Opt-out page

This works okay for accounts with a single person. It is problematic for accounts with multiple persons (phones), like family plans -- which my wife and I have. The form's lack of flexibility means that the account holder decides for everyone on the account. Individual persons can't selectively opt out. You'd think that AT&T would have designed the mechanism with flexibility to accommodate this, but it didn't. Everything seems driven by the sharing of information on monthly bills.

Sixth, the confirmation page copy seems vague. It isn't clear if the customer has opted out or not. If the processing isn't complete, then messaging should explain what happens next and when. See:

Image of AT&T CPNI Opt-out Confirmation page

Seventh, if you opted out of the CPNI data sharing program, you're not finished. The AT&T Choices and Controls page lists about six behavioral advertising programs. It is time consuming and crazy-making to have to wade through so many programs and opt out of each one.

So, I was underwhelmed by the CPNI opt-out mechanism. A long time ago, AT&T publicly promised to do behavioral advertising the right way. It's not there yet. Not even close.

What else might be happening here? AT&T executives probably have watched the 'supercookies' investigation and settlement agreement involving Verizon Wireless. Supercookies are unique identifiers inserted into mobile users' data streams to track their online usage. The identifiers, which are really difficult for consumers to delete, help provide advertisers with the robust information they desire. The FCC found that Verizon Wireless didn't inform its customers about its use of supercookies with data sharing, and didn't provide its customers with an opt-out mechanism. Bazinga! $1.35 million fine for privacy violations and a three-year compliance program. Verizon has since updated its policies and opt-out mechanism.

CNET reported in 2014 that AT&T lagged Verizon in using supercookies:

"Verizon, the largest mobile carrier in the US, uses information gleaned from its supercookies to understand your interests and concerns by tracking the websites you visit and links you click on. It then supplies that information to its advertisers so they can craft finely targeted advertising campaigns. About 106 million of Verizon's consumer customers have been tracked this way for over two years by the company's Precision Market Insights program... AT&T tracks fewer customers, but only because the company says its program is still being tested."

Will AT&T ramp up its supercookies development? That bears monitoring. I expect privacy advocates will keep watch. Meanwhile, consumers can assume that CPNI includes everything on their monthly bill for whichever telecommunications products and services they use. Make your opt-out decisions based upon that.

What are your opinions of the CPNI privacy notice by AT&T? By other telecommunications companies?


Video: The History of Credit Unions in The USA

46 years ago yesterday, the U.S. Congress created the National Credit Union Administration (NCUA), an independent federal agency, on March 10, 1970. Cooperative credit unions, or credit unions, started in Germany in the 1860s, and in the United States in 1909. Why? Traditional banks were unwilling to provide loans to farmers, small businesses, and most individuals. Regular people, like you and me, formed credit unions to pool their savings and provide loans to neighbors at reasonable terms and at reasonable interest rates; plus encourage thrift and savings.

So, credit unions were built by and for consumers. This has been an important check and balance against the excesses by traditional banks. And, we've seen a lot of excesses by banks recently. Last year, banks paid more in bonuses to their executives than all minimum wage workers earned. Yes, you read that correctly. The amount of bonuses to banking executives exceeded the total earnings of all minimum-wage workers in the USA. Yes, there are minimum-wage workers in banking.

With fewer fees, lower fees, higher interest rates on savings, and lower interest rates on loans, credit unions are worth considering. Credit unions have outperformed banks on customer loyalty. It's no surprise banks are lobbying to eliminate credit unions.

So, know your country's history:


Apple News: eBook Price Fixing, Brooklyn, And San Bernardino

Apple, Inc. has been in the news a lot recently. So, it can be a little confusing to keep track of events. Below is a brief summary of three separate court cases.

First, the U.S. Supreme Court (SCOTUS) declined to hear an appeal by the tech giant about ebook price-fixing with book publishers. The U.S. Justice Department had sued Apple and several book publishers in April 2012. A lower court decision in 2013 found Apple guilty. Since the SCOTUS declined to hear the appeal, the lower court decision stands, and Apple must pay a $450 million class-action settlement. Fortune Magazine reported:

"The publishers—Hachette, Penguin, Simon & Schuster, HarperCollins and Macmillan—promptly settled the case, but Apple chose to fight the charges in court. This led to a highly publicized trial in which U.S. District Judge Denise Cote issued a lengthy ruling that Apple had clearly violated Section 1 of the Sherman Act... The price-fixing case, which transfixed the publishing industry, began in 2010 when Apple’s late CEO, Steve Jobs, persuaded five major publishers to sell books on the iPod. Under the arrangement, which was designed to wrest pricing power from Amazon, the publishers shifted to a so-called “agency pricing” model in which they set the price and passed along a commission to Apple."

Second, in California Apple has appealed a lower court's decision forcing it to unlock an iPhone (running iOS 9) used by one of the San Bernardino attackers. A decision in that appeal is pending. The Federal Bureau of Investigation (FBI) admitted during testimony before Congress that it had erred when it reset the associated iCloud password, making it more difficult to access the attacker's iPhone.

Third, a court in Brooklyn (New York) ruled late in February that Apple did not have to unlock a Brooklyn drug dealer's iPhone running the iOS 7 operating system. The tech giant had initially agreed to unlock the phone, but then declined when the court first demanded more information before issuing a search warrant. Bloomberg Business reported:

"When the government first contacted Apple about the drug dealer’s phone, an Apple “data extraction specialist” said it could find data on pre-iOS 8 phones after receiving a search warrant. The next day, the government sought a warrant from [Judge] Orenstein..."

Prosecutors have used the All Writs Act in both the Brooklyn and San Bernardino cases. Bloomberg Business reported that prosecutors in the Brooklyn case argued:

"That Apple routinely extracted data from such devices shows the government’s request is not “burdensome” and doesn’t violate the All Writs Act, a 1789 law that prosecutors used to demand that Apple help access data on locked phones, the U.S. said. In refusing the government, Orenstein sided with the company’s claim that prosecutors were taking the law too far. He said Congress should resolve the issue. In their appeal, prosecutors said the All Writs Act authorizes courts to issue such warrants and that Orenstein’s “analysis goes far afield of the circumstances of this case and sets forth an unprecedented limitation of federal courts’ authority.”"

Bloomberg Business also reported:

"Apple helped the government access data on at least 70 iPhones before it stopped cooperating, according to prosecutors. For phones using older operating systems, the company can extract data from locked devices at its headquarters, according to a guide it produced for law enforcement..."


Online Shopping: When Deals And Discounts Are Anything But

There is trouble brewing for online shoppers. Deals or discounts are often compared to list prices or manufacturer's suggested retail price (MSRP). The problem: nobody sells online at list price, so the discounts promised to consumers aren't really discounts. In other words, you're not saving money as promised.

According to The New York Times:

"... one recent example of how retailers use list prices to motivate online buyers: Le Creuset’s iron-handle skillet, 11 ¾ inches wide and cherry in color. Amazon said late last week that it would knock $60 off the $260 list price to sell the skillet for $200. Sounds like a bargain... Check around, though. The suggested price for the skillet at Williams-Sonoma.com is $285, but customers can buy it for $200. At AllModern.com, the list price is $250 but its sale price is $200. At CutleryandMore.com, the list price is $285 and the sale price is $200. An additional 15 or so online retailers — some hosted by Amazon, others on Google Shopping — charge $200. On Le Creuset’s own site, it sells the pan for $200."

So, that great "deal" you got shopping online may not be one. This is a huge problem:

"If you’re selling $15 pens for $7.50, but just about everybody else is also selling the pens for $7.50, then saying the list price is $15 is a lie,” said David C. Vladeck, the former director of the F.T.C.’s Bureau of Consumer Protection. "And if you’re doing this frequently, it’s a serious problem."

I agree. It sounds like list-price abuse is worthy of an investigation by the U.S. Federal Trade Commission (FTC). Shopping online is getting trickier. Many consumers avoid retailers that have had repeated data breaches. In 2014, researchers found that some e-commerce sites performed price discrimination and steering.

What are your opinions? What do you do before purchase to ensure that the online deals you get are truly deals?


Verizon Wireless Settles With The FCC Regarding 'Supercookies' And Online Tracking

Yesterday, the Federal Communications Commission (FCC) announced a settlement agreement with Verizon Wireless regarding the company's use of "Supercookies" to track mobile users. The FCC alleged that Verizon Wireless inserted:

"... unique identifier headers or so-called “supercookies” into its customers’ mobile Internet traffic without their knowledge or consent. These unique, undeletable identifiers – referred to as UIDH – are inserted into web traffic and used to identify customers in order to deliver targeted ads from Verizon and other third parties."

Terms of the settlement agreement require Verizon Wireless to notify consumers about its targeted advertising programs, obtain customers’ opt-in consent before sharing UIDH with third-party companies and affiliates, and obtain customers’ opt-in (or opt-out) consent before sharing UIDH internally among Verizon's companies and business units. The settlement terms also require the company to pay a $1.35 million fine and adopt a three-year compliance plan.

The FCC's announcement also noted that the company was slow to update its privacy policy:

"It was not until late March 2015, over two years after Verizon Wireless first began inserting UIDH, that the company updated its privacy policy to disclose its use of UIDH and began to offer consumers the opportunity to opt-out of the insertion of unique identifier headers into their Internet traffic... Section 222 of the Communications Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose. Section 8.3 of the Commission’s rules, known as the Open Internet Transparency Rule, requires every fixed and mobile broadband Internet access provider to publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings."

The FCC began its investigation in December 2014. At that time, the concern was:

"... whether Verizon Wireless failed to appropriately protect customer proprietary information and whether the company failed to disclose accurate and adequate information regarding its insertion of UIDH into consumer Internet traffic over its wireless network, in violation of the FCC’s 2010 Open Internet Transparency Rule and Section 222 of the Communications Act."

Verizon Wireless began inserting UIDH into consumer Internet traffic in December 2012, and didn't disclose this practice until October 2014. After acknowledging this practice, the company claimed that third-party advertising companies were unlikely to use their supercookies to build consumer profiles or other purposes. The Washington Post reported in November 2014:

"Verizon and AT&T have been quietly tracking the Internet activity of more than 100 million cellular customers with what critics have dubbed “supercookies”... The technology has allowed the companies to monitor which sites their customers visit, cataloging their tastes and interests. Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance."

Also in November 2014, the Electronic Frontier Foundation (EFF) discovered the tracking, and asked Verizon to both notify users and get their consent before using supercookies:

"Verizon users might want to start looking for another provider. In an effort to better serve advertisers, Verizon Wireless has been silently modifying its users' web traffic on its network to inject a cookie-like tracker. This tracker, included in an HTTP header called X-UIDH, is sent to every unencrypted website a Verizon customer visits from a mobile device. It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' web browsing habits without their consent. Verizon apparently created this mechanism to expand their advertising programs, but it has privacy implications far beyond those programs."
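As an added example (not code from the EFF, Verizon, or this blog), the Python checker below parses constructed HTTP requests the way a site operator or watchdog might examine their own request logs. It flags the X-UIDH header the EFF names above and, more generally, any unfamiliar header whose value is long, high-entropy and constant for one client across repeated requests, which is the signature of a persistent identifier rather than a per-request nonce. The header name X-Acme-Tag, the client addresses and every header value are made up.

```python
"""Detect carrier-injected tracking headers (e.g. X-UIDH) in HTTP requests.

Constructed example, not code from the EFF, Verizon or this blog. A header is
reported when its name is a known tracking identifier, or when it is not a
normal browser header AND its value is long, high-entropy and identical across
several requests from the same client. Injection of this kind only reaches
sites served over plain HTTP: a carrier cannot add headers inside a TLS
session, so serving a site over HTTPS is the mitigation for site operators.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Header names documented as injected tracking identifiers (X-UIDH is from the EFF text).
KNOWN_TRACKING_HEADERS = {"x-uidh"}

# Ordinary request headers a browser sends; anything else is treated as unfamiliar.
COMMON_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "referer", "cookie", "upgrade-insecure-requests",
    "cache-control", "origin", "content-type", "content-length",
}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value (0.0 for the empty string)."""
    if not value:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in value:
        counts[ch] += 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (request line, lower-cased header map)."""
    lines = raw.strip("\r\n").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_tracking_headers(requests: List[Tuple[str, str]], min_repeats: int = 3,
                          min_len: int = 16, min_entropy: float = 3.0) -> Dict[str, List[str]]:
    """Return {header_name: [reasons]} for headers that look like injected identifiers.

    requests is a list of (client_id, raw_request). A per-request nonce varies
    between requests and so never reaches min_repeats; a tracking identifier does.
    """
    seen: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    findings: Dict[str, List[str]] = defaultdict(list)
    for client, raw in requests:
        _, headers = parse_request(raw)
        for name, value in headers.items():
            if name in KNOWN_TRACKING_HEADERS and "known tracking header" not in findings[name]:
                findings[name].append("known tracking header")
            if name not in COMMON_HEADERS:
                seen[(client, name)][value] += 1
    for (client, name), values in seen.items():
        for value, count in values.items():
            if count >= min_repeats and len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                reason = f"stable high-entropy value for client {client}"
                if reason not in findings[name]:
                    findings[name].append(reason)
    return dict(findings)


# Constructed sample traffic: one client whose requests carry an injected
# X-UIDH value and a hypothetical X-Acme-Tag identifier, plus a per-request
# X-Request-Id nonce that must NOT be flagged; a second client is clean.
def _request(client_ip: str, nonce: str, tracked: bool) -> Tuple[str, str]:
    extra = ("X-UIDH: a1b2c3d4e5f6g7h8i9j0k1l2m3n4\r\n"
             "X-Acme-Tag: 7f3e9c2a1b8d4e6f5a0c9b3d2e1f4a7b\r\n") if tracked else ""
    raw = ("GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: MobileBrowser/1.0\r\n"
           "Cookie: session=abcdef0123456789abcdef\r\n" + extra +
           f"X-Request-Id: req-2016-03-10-{nonce}\r\n\r\n")
    return client_ip, raw


SAMPLE_REQUESTS = [
    _request("10.0.0.7", "000001", True),
    _request("10.0.0.7", "000002", True),
    _request("10.0.0.7", "000003", True),
    _request("10.0.0.9", "000004", False),
]

if __name__ == "__main__":
    for header, reasons in find_tracking_headers(SAMPLE_REQUESTS).items():
        print(f"{header}: {'; '.join(reasons)}")
```

Run against real logs, lower `min_entropy` or widen `COMMON_HEADERS` to fit your own traffic; headers set by your own load balancer should be added to the common set so they are not reported.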

The EFF said that the Verizon Wireless settlement agreement:

"... is a huge win for Internet privacy. ISPs are trusted carriers of our communications. They should be supporting individuals' privacy rights, not undermining them."

The EFF tempered its comments with a warning how ISPs can still secretly track consumers:

"... They can send tracking data only to selected web sites, hindering detection by third parties. ISPs can (and some very likely do) hide tracking data in a lower protocol layer, like TCP or IP, setting fields that are normally random based on an agreed-upon code. Or they could log all user browsing activity themselves and share it upon request. Detecting these more pernicious methods will require ongoing skilled technical work by the FCC and other watchdog organizations..."

This is why both a skilled oversight agency and watchdog groups are necessary. The average consumer cannot perform this technical analysis. FCC Enforcement Bureau Chief Travis LeBlanc said:

"Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online... Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate...”

Yes! Innovation and privacy are compatible. Yes, we consumers care... care greatly about privacy. Relevant advertising is not an excuse to do anything without notification and without consent. Kudos to the FCC. View the Verizon Wireless Order and Consent Decree (Adobe PDF).


Apple vs. FBI: "Extraordinary" Government Actions May Cause U.S. Companies To Move Offshore

There may be unintended consequences if the Federal Bureau of Investigation (FBI) is successful in forcing Apple, Inc. to build back doors into its iPhones. What might some of those unintended consequences be? TechCrunch reported that Lavabit filed an amicus brief supporting Apple. Never heard of Lavabit? Forgot about Lavabit? You may remember:

"... Lavabit, a technology company that previously judged it necessary to shutter its own service after receiving similarly “extraordinary” government demands for assistance to access user data, in the wake of the 2013 disclosures by NSA whistleblower Edward Snowden... the FBI sought the private encryption key used by Lavabit to protect the Secure Socket Layer (“SSL”) and Transport Layer Security (“TLS”) connections to their servers. With the SSL/TLS private key in hand, the FBI would be able to impersonate Lavabit on the Internet. This would allow them to intercept, decrypt, inspect, and modify (either with intent, or by accident) all of the connections between Lavabit and the outside world..."

In its brief, Lavabit argues that by being forced to build back doors into its devices, not only would Apple's brand be tarnished, but the ability of iPhone users to receive reliable and secure operating-system security updates would be degraded. Some updates might include malware. If users' trust decreases and they choose to stop receiving security updates, then their devices become more vulnerable than otherwise. That's not good. And, if people blame government for starting this security mess, then that's not good either since it would erode trust in government.

Would companies relocate out of the United States due to privacy and surveillance concerns? Consider:

"... Silent Circle, moved its global headquarters from the Caribbean to Switzerland back in May 2014 — citing the latter’s “strong privacy laws” as one of the reasons to headquarter its business in Europe. Various other pro-encryption startups, including ProtonMail and Tutanota, have also chosen to locate their businesses in countries in Europe that have a reputation for protecting privacy."

Plus, there are money concerns. Since 1982, at least 51 companies completed tax inversions: moved their headquarters (and sometimes some employees) out of the United States to another country to enjoy lower taxes. So, Burger King is now a Canadian company. Pfizer is now an Irish company. And, lower tax payments by companies make government deficits (federal, state, local) worse. The bottom line: profitability matters. When companies suffer lower profitability -- as tarnished brands often do -- their executives take actions to improve profits. It's what they do.

Want to learn more about Lavabit? At about the two-thirds mark in the film "CitizenFour," Lavabit founder Ladar Levison shares some of his experiences.


Why The FBI Can't Access The San Bernardino Attacker's iPhone

On Tuesday, the head of the Federal Bureau of Investigation (FBI) admitted during House Judiciary Committee hearings that his agency lost an opportunity to access the San Bernardino attacker's iPhone when it reset the password to the iCloud account associated with the phone. The New York Times reported:

"There was a mistake made in the 24 hours after the attack,” James B. Comey Jr., the director of the F.B.I., told lawmakers at a hearing on the government’s attempt to force Apple to help “unlock” the iPhone. F.B.I. personnel apparently believed that by resetting the iCloud password, they could get access to information stored on the iPhone. Instead, the change had the opposite effect — locking them out and eliminating other means of getting in."

A federal judge ruled last month in favor of the FBI and ordered Apple to develop software to unlock the attacker's phone. Apple is contesting the order. FBI officials have claimed that the phone may contain information about what the attacker and his wife did before the attack, and whom they communicated with. More details emerged during the hearing:

"When the dispute over Mr. Farook’s iPhone erupted two weeks ago, the Justice Department blamed technicians at San Bernardino County, which employed Mr. Farook as an environmental health specialist and which owned the phone he used. But county officials said their technicians had changed the password only “at the F.B.I.’s request.” Mr. Comey acknowledged at the hearing that the F.B.I. had directed the county to change the password."

Bruce Sewell, the general counsel at Apple, also spoke at the hearing on Tuesday. He warned:

"... the F.B.I.’s demand for technical help to unlock Mr. Farook’s iPhone 5c “would set a dangerous precedent for government intrusion on the privacy and safety of its citizens.” Apple has said that in many cases investigators have other means to gain access to crucial information, and in some instances it has turned over data stored in iCloud."

Mr. Sewell also said:

"... before F.B.I. officials ordered the password reset, Apple first wanted them to try to connect the phone to a “known” Wi-Fi connection that Mr. Farook had used. Doing so might have recovered information saved to the phone since October, when it was last connected to iCloud. “The very information that the F.B.I. is seeking would have been available, and we could have pulled it down from the cloud..."

So, the FBI has only itself to blame for the current mess, and for making access to the attacker's iPhone more difficult.


Vehicle Accident Involving Google Self-Driving Car Highlights Several Issues

In a monthly report on February 29 to California regulators, Google disclosed that one of its self-driving cars hit a city bus in Mountain View. Google's description of the accident on February 14:

"... our vehicle was driving autonomously and had pulled toward the right-hand curb to prepare for a right turn. It then detected sandbags near a storm drain blocking its path, so it needed to come to a stop. After waiting for some other vehicles to pass, our vehicle, still in autonomous mode, began angling back toward the center of the lane at around 2 mph -- and made contact with the side of a passing bus traveling at 15 mph. Our car had detected the approaching bus, but predicted that it would yield to us because we were ahead of it..."

A human test driver was in the Google self-driving car while it was operating in autonomous mode. Nobody was hurt in the accident, and 15 bus passengers were transferred to another bus. The Google car sustained damage to its left front fender, left front wheel, and one driver's side sensor.

The company operates 23 self-driving Lexus RX450h SUVs on public streets: 14 vehicles in Mountain View (California), 8 in Austin (Texas), and one in Kirkland (Washington). It also operates 33 self-driving prototypes on public city streets: 26 in Mountain View and 7 in Austin. The cars have driven about 1.5 million miles in autonomous mode and about one million miles in human-driver mode. There have been more than a dozen accidents, mostly cases where Google vehicles were rear-ended by other vehicles. The first injury accident was in July of last year, when several employees suffered whiplash after their Google vehicle was rear-ended by a human-driven vehicle.

Google admitted that it bore some responsibility in this accident:

"In this case, we clearly bear some responsibility, because if our car hadn’t moved there wouldn’t have been a collision. That said, our test driver believed the bus was going to slow or stop to allow us to merge into the traffic, and that there would be sufficient space to do that. We’ve now reviewed this incident (and thousands of variations on it) in our simulator in detail and made refinements to our software. Our cars will more deeply understand that buses and other large vehicles are less likely to yield to us than other types of vehicles, and we hope to handle situations like this more gracefully in the future."

Reportedly, this would be the first accident where a self-driving car operating in autonomous mode is at fault. Many experts predict that insurance for self-driving cars will be lower than insurance for human-driven cars. Besides ethical dilemmas, accidents involving self-driving cars highlight unresolved liability issues. The Guardian UK explained:

"Hilary Rowen, a partner at the insurance regulation practice Sedgwick LLP and an expert in the issue of self-driving cars and legal responsibility, said the case is a good example of a conundrum that will soon be common. “Here, the software didn’t avoid the accident, but the human could have taken over,” she said. “Who’s at fault – the driver, the bus driver, or the software?” Rowen said in real world situations, both the driver and injured party will actually be incentivized to blame the software which, if found to be guilty, will leave the driver’s record clear and likely have a higher payout for the injured party."

It is good that the company is transparent and forthcoming with accident reports. The accident also highlights the state of self-driving, or robotic, vehicle software: it is not ready yet for everyday operation. You can bet that when the software is ready, a lot of drivers for ride-sharing services and taxi companies will quickly find themselves out of work. View the February 2016 Google Self-Driving Car Report (Adobe PDF).

What are your opinions of the accident? Of the liability issue?