
17 posts from May 2016

Emails And Passwords For Sale From The Massive Tumblr Data Breach

Things seem to be getting worse for Tumblr, the blogging platform Yahoo acquired in 2013. First, Tumblr announced on May 12 a possible data breach, stating:

"We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password."

That early May announcement directed users to reset their passwords and to use secure HTTPS connections. It didn't state the number of affected accounts. Well, now we know more.

Softpedia reported on May 30 that valid Tumblr passwords are available online for sale:

"Independent security researcher Troy Hunt revealed today that he received a data dump that contains 65,469,298 emails and hashed passwords, which the anonymous donor said belonged to Tumblr users. The researcher tracked the data dump to The Real Deal Dark Web marketplace, where a hacker by the name of Peace (also known as Peace_of_mind) is selling it for 0.4255 Bitcoin ($225)..."

That's 65.4 million passwords compromised: a massive breach affecting about one out of every eight Tumblr users. The good news: Tumblr had encrypted its users' passwords. The bad news: the hackers have broken the encryption. That means Tumblr users probably should, a) change their passwords again, and b) inquire what Tumblr is doing to better protect sensitive information so this doesn't happen again.

It seems that Tumblr's breach detection and security processes are both lacking. Softpedia also reported:

"Peace, the hacker that's selling the data, is the same person that put up for sale the MySpace and LinkedIn data dumps, but also other online services such as Fling.com and the Linux Mint forum."

Hmmm. It seems that several social networking sites need to improve their defenses.


Courts To Use Risk Scores More Frequently. Analysis Found Scores Unreliable And Racially Biased

ProPublica investigated the use of risk assessment scores by the courts and justice system in the United States:

"... risk assessments — are increasingly common in courtrooms across the nation. They are used to inform decisions about who can be set free at every stage of the criminal justice system, from assigning bond amounts... to even more fundamental decisions about defendants’ freedom. In Arizona, Colorado, Delaware, Kentucky, Louisiana, Oklahoma, Virginia, Washington and Wisconsin, the results of such assessments are given to judges during criminal sentencing. Rating a defendant’s risk of future crime is often done in conjunction with an evaluation of a defendant’s rehabilitation needs. The Justice Department’s National Institute of Corrections now encourages the use of such combined assessments at every stage of the criminal justice process. And a landmark sentencing reform bill currently pending in Congress would mandate the use of such assessments in federal prisons."

Some important background:

"In 2014, then U.S. Attorney General Eric Holder warned that the risk scores might be injecting bias into the courts. He called for the U.S. Sentencing Commission to study their use... The sentencing commission did not, however, launch a study of risk scores. So ProPublica did, as part of a larger examination of the powerful, largely hidden effect of algorithms in American life. [ProPublica] obtained the risk scores assigned to more than 7,000 people arrested in Broward County, Florida, in 2013 and 2014 and checked to see how many were charged with new crimes over the next two years, the same benchmark used by the creators of the algorithm."

ProPublica analyzed data for Broward County in the State of Florida, and found the risk assessment scores to be unreliable:

"... in forecasting violent crime: Only 20 percent of the people predicted to commit violent crimes actually went on to do so. When a full range of crimes were taken into account — including misdemeanors such as driving with an expired license — the algorithm was somewhat more accurate than a coin flip. Of those deemed likely to re-offend, 61 percent were arrested for any subsequent crimes within two years."

ProPublica also found biases based upon race:

"In forecasting who would re-offend, the algorithm made mistakes with black and white defendants at roughly the same rate but in very different ways. The formula was particularly likely to falsely flag black defendants as future criminals, wrongly labeling them this way at almost twice the rate as white defendants. White defendants were mislabeled as low risk more often than black defendants."
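The two findings quoted above, a low hit rate among those flagged and error rates that differ by group, are the kind of numbers any team deploying a scoring model should be able to reproduce from its own records. The audit below is an added example and is not ProPublica's code or data; the records are constructed for illustration and the group labels "A" and "B" are placeholders. It computes, per group, the share of flagged people who actually re-offended (precision), the share of non-re-offenders wrongly flagged (false positive rate), and the share of re-offenders wrongly cleared (false negative rate), which is exactly the comparison that exposes "mistakes at roughly the same rate but in very different ways".

```python
"""Added example: per-group error-rate audit of a binary risk score.
Records are constructed for illustration; they are not ProPublica's data."""
from collections import defaultdict

# Constructed records: (group, predicted_high_risk, actually_reoffended).
# Groups "A" and "B" are placeholders for whatever protected attribute is audited.
SAMPLE_RECORDS = [
    ("A", True, True), ("A", True, False), ("A", True, False),
    ("A", False, True), ("A", False, False), ("A", False, False),
    ("B", True, True), ("B", True, False),
    ("B", False, True), ("B", False, True), ("B", False, False), ("B", False, False),
]


def confusion_by_group(records):
    """Tally true/false positives and negatives separately for each group."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0, "tn": 0})
    for group, predicted, actual in records:
        if predicted:
            key = "tp" if actual else "fp"
        else:
            key = "fn" if actual else "tn"
        counts[group][key] += 1
    return dict(counts)


def _rate(numerator, denominator):
    return numerator / denominator if denominator else 0.0


def error_rates(c):
    """Derive the rates a fairness review compares across groups."""
    return {
        # Of those flagged high risk, how many actually re-offended.
        "precision": _rate(c["tp"], c["tp"] + c["fp"]),
        # Of those who did not re-offend, how many were wrongly flagged.
        "false_positive_rate": _rate(c["fp"], c["fp"] + c["tn"]),
        # Of those who did re-offend, how many were wrongly cleared.
        "false_negative_rate": _rate(c["fn"], c["fn"] + c["tp"]),
        # Overall share of correct calls; identical accuracy can hide the two above.
        "accuracy": _rate(c["tp"] + c["tn"], sum(c.values())),
    }


def audit(records):
    """Per-group report: {group: {metric: value}}."""
    return {g: error_rates(c) for g, c in confusion_by_group(records).items()}


def fpr_ratio(report, group_a, group_b):
    """How many times more often group_a's non-re-offenders are flagged than group_b's."""
    return _rate(report[group_a]["false_positive_rate"],
                 report[group_b]["false_positive_rate"])


if __name__ == "__main__":
    for group, metrics in sorted(audit(SAMPLE_RECORDS).items()):
        print(group, {k: round(v, 3) for k, v in metrics.items()})
    print("FPR ratio A/B:", round(fpr_ratio(audit(SAMPLE_RECORDS), "A", "B"), 3))
```

On the constructed records both groups score the same accuracy (0.5), yet group A's false positive rate is 1.5 times group B's while group B's false negative rate is higher: the overall accuracy figure alone would have shown nothing. A real audit would run this over the model's actual decisions and a follow-up outcome window, as ProPublica did with a two-year benchmark.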

ProPublica re-checked the analysis. Same results. Northpointe, the for-profit company that produced the Broward County, Florida risk scores, disagreed:

"... it criticized ProPublica’s methodology and defended the accuracy of its test: “Northpointe does not agree that the results of your analysis, or the claims being made based upon that analysis, are correct or that they accurately reflect the outcomes from the application of the model.” Northpointe’s software is among the most widely used assessment tools in the country. The company does not publicly disclose the calculations used to arrive at defendants’ risk scores, so it is not possible for either defendants or the public to see what might be driving the disparity... Northpointe’s core product is a set of scores derived from 137 questions that are either answered by defendants or pulled from criminal records. Race is not one of the questions..."

Formed in 1989, Northpointe is a wholly owned subsidiary of the Volaris Group. Northpointe works with a variety of federal, state, and local justice agencies in the United States and Canada. The company's website also states that it works with policy makers.

Besides Northpointe, several companies provide risk assessment tools to courts and the judicial system. The National Center For State Courts (NCSC) provides a list of risk assessment tools (Adobe PDF).

All of this points to a larger problem: risk scores still haven't been adequately studied, nor have the techniques been vetted:

"There have been few independent studies of these criminal risk assessments. In 2013, researchers Sarah Desmarais and Jay Singh examined 19 different risk methodologies used in the United States and found that “in most cases, validity had only been examined in one or two studies” and that “frequently, those investigations were completed by the same people who developed the instrument.” Their analysis of the research through 2012 found that the tools “were moderate at best in terms of predictive validity,”... there have been some attempts to explore racial disparities in risk scores. One 2016 study examined the validity of a risk assessment tool, not Northpointe’s, used to make probation decisions for about 35,000 federal convicts. The researchers, Jennifer Skeem at University of California, Berkeley, and Christopher T. Lowenkamp from the Administrative Office of the U.S. Courts, found that blacks did get a higher average score but concluded the differences were not attributable to bias."

I wonder if the biases found started in the data rather than in the algorithm. The algorithm may have been developed and tested using existing prison populations which are known to be skewed, plus overly aggressive policing via school-to-prison pipelines and for-profit prisons in many states. Both the State of Florida and Broward County have histories with school-to-prison pipelines.

Plus, it seems crazy to make decisions about persons' lives based upon scores without knowing how the scores were calculated, and without adequate research or vetting of techniques. Transparency matters.

Thoughts? Opinions?


Pending Rule 41 Changes Facilitate Government Spying, So Senators Introduce Legislation To Protect Citizens

Late last week, MacDailyNews reported (links added):

"U.S. Senators Ron Wyden, D-Ore., and Rand Paul, R-Ky., yesterday introduced the Stopping Mass Hacking (SMH) Act to protect millions of law-abiding Americans from government hacking. The Stopping Mass Hacking (SMH) Act prevents recently approved changes to Rule 41 from going into effect. The changes would allow the government to get a single warrant to hack an unlimited number of Americans’ computers if their computers had been affected by criminals, possibly without notifying the victims."

This news story caught my attention because you don't often see Senators Wyden and Paul working together. It raises several questions: what is so important? What is going on?

Last summer, this blog briefly discussed Rule 41 changes the U.S. Justice Department (DOJ) sought. The rule governs how search, seizure, and arrest warrants are obtained by prosecutors for criminal cases. Given sophisticated computer viruses (e.g., malware) that can take over multiple computers in multiple areas and coordinate attacks by those infected computers (a/k/a botnets), the DOJ sought changes where judges could approve warrants where the botnet location is unknown or located in another area, state, or jurisdiction. The Tech Dirt blog covered this well on April 29:

"The DOJ is one step closer to being allowed to remotely access computers anywhere in the world using a normal search warrant issued by a magistrate judge. The proposed amendments to Rule 41 remove jurisdiction limitations, which would allow the FBI to obtain a search warrant in, say, Virginia, and use it to "search" computers across the nation using Network Investigative Techniques (NITs)."

The Tech Dirt blog post also published the relevant section of the pending Rule 41 changes approved by the U.S. Supreme Court (SCOTUS):

"Rule 41. Search and Seizure

(b) Venue for a Warrant Application. At the request of a federal law enforcement officer or an attorney for the government:

(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:

(A) the district where the media or information is located has been concealed through technological means; or

(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts."

The document also says the following about electronic searches:

"(f) Executing and Returning the Warrant.
(1) Warrant to Search for and Seize a Person or Property.
* * * * *
(C) Receipt. The officer executing the warrant must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property. For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant and receipt on the person whose property was searched or who possessed the information that was seized or copied. Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person."

So, the remote, electronic searching of computers doesn't target only the computers of the defendant suspected of committing a crime, but it also targets innocent people whose computers may or may not have been infected by the computer virus or botnet. How? Government prosecutors can easily craft broad warrants, and/or computer-illiterate judges can approve them.

And, innocent people won't necessarily receive any notice (e.g., the "reasonable efforts") about remote electronic searches of their devices (e.g., desktops, laptops, phones or tablets) located inside or outside their homes. And, that notice might be after the remote electronic searches were completed. Huh? When the government performs broad searches like this, that is called surveillance... spying.

Were you aware of Rule 41? Of the pending changes? Probably not. And, you'd probably agree that innocent persons' computers shouldn't be searched; and if so, advance notice should be provided. This troubles me and I hope that it troubles you, too.

I also find it troubling that the proposed Rule 41 changes weren't discussed nor debated publicly in Congress. Using the proposed Rule 41 changes, the government has found a slick, stealthy way to gain broader powers to spy on U.S. citizens while conveniently ignoring the Fourth Amendment of the U.S. Constitution.

Senator Paul said in a statement:

"The Fourth Amendment wisely rejected general warrants and requires individualized suspicion before the government can forcibly search private information. I fear this rule change will make it easier for the government to search innocent Americans’ computers and undermine the requirement for individual suspicion..."

Senator Wyden said in a statement:

"This is a dramatic expansion of the government’s hacking and surveillance authority. Such a substantive change with an enormous impact on Americans’ constitutional rights should be debated by Congress, not maneuvered through an obscure bureaucratic process... Unless Congress acts before December 1, Americans’ security and privacy will be thrown out the window and hacking victims will find themselves hacked again - this time by their own government."

Proponents of the Rule 41 changes will often argue that the changes are needed to fight child predators and terrorists. A wise person once told me, "you can't just run away from the Fourth Amendment." The ends don't justify the means.

The Computer & Communications Industry Association (CCIA) said:

"The proposed rule change has gone largely unnoticed by the public via a behind-the-scenes process usually reserved for procedural updates. The CCIA has voiced its concern about the government’s requested change for the past two years and we invite other technology advocates to join us in supporting this important legislation... We welcome Senators Wyden and Paul’s efforts to prevent this highly controversial rule change from taking effect. They recognize that the far-reaching implications of the government’s proposed changes merit the full attention of their colleagues in Congress. There are Constitutional, international, and technological questions that ought to be addressed transparently... The government’s proposal is a substantive expansion of its ability to conduct electronic searches, and it deserves a public debate in Congress..."

Peter Goldberger, the Co-Chair of Committee on Rules of Procedure at the National Association of Criminal Defense Lawyers (NACDL) said:

"This is a significant and substantive change to the law masquerading as a procedural rule change. While it is surely possible to craft a constitutional procedure for digital searches, the rule making process is not sufficient for addressing such fundamental constitutional questions. Only a comprehensive legislative approach, crafted after full public hearings, could possibly deal with all the complex aspects of this issue."

You can read the Stopping Mass Hacking Act (Adobe PDF) text. It's short. I wish that it went further and, a) cited prior legal cases to prevent the remote electronic searches of innocent persons' devices, b) included stronger language to protect innocent persons from the burden of responding to court orders, subpoenas, and searches, and c) prevented the government from hiring a third party to perform the remote electronic searches.

So, now you know. Thankfully, Senators Wyden and Paul are paying attention and have decided to work together. The seriousness demands such. Senators Tammy Baldwin (D-Wisconsin), Steve Daines (R-Montana), and Jon Tester (D-Montana) are co-sponsors of the Senate bill. Contact your Senator and ask why he/she does not support the Stopping Mass Hacking (SMH) Act. Then, contact your Representative and demand that he/she support a similar bill in the House of Representatives. Tell them that rules changes should not masquerade as changes in laws.

Opinions? Comments?


Update: Consumer Reports Explores Claims About Theft of Files By Apple Music

Prior blog posts discussed a consumer's claim that Apple Music "stole" music from his laptop, and Apple's response. Consumer Reports explored the issue:

"Can the Apple Music streaming service, launched in June 2015, remove music files from your hard drive without your permission? Even files you created yourself? The answer appears to be “maybe,” but the good news is that there are simple measures you can take to make sure your music doesn't disappear."

Consumer Reports reported:

"Here's what the Apple website says: “We compare every track in your collection to the Apple Music library to see if we have a copy. If we do, you can automatically listen to it straight from the cloud. If you have music that’s not in our catalog, we upload those songs from iTunes on your Mac or PC. It’s all in iCloud, so it won’t take up any space on your devices.” However, the program should not delete the originals without your permission."

And:

"The overwhelming majority of Apple Music users never experience such problems, but this sort of issue is reported occasionally, and not just in regard to Apple products. For instance, last year some Spotify users reported glitches in which the files downloaded to a computer or smartphone had disappeared. However, since the files in question were copies of songs streaming from a Spotify playlist, users were more annoyed than outraged."

Consumer Reports advised:

"How can you protect yourself from losing your music? First and foremost, you can do what Pinkstone did. Make backups. Often. He relies heavily on Apple’s Time Machine software, and also stores his data on an external hard drive. For this reason, his Apple Music debacle was an inconvenience for him rather than a full-blown disaster."

This issue seems far from resolved. Read the report by Consumer Reports.


LinkedIn Data Breach Was Larger And Worse Than Consumers First Told. 117 Million Persons Affected

The 2012 data breach at LinkedIn.com was far larger and worse than originally thought. Motherboard reported:

"A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach... The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords."

So, the breach included 167 million records affecting as many persons, not 6.5 million. And, 117 million people are at risk now. To make matters worse, hackers have already cracked the encryption method LinkedIn.com used to protect users' passwords:

"The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked. One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours..."

And, the incident cast doubt on both LinkedIn.com's breach detection methods and the response by the company's executives:

"... LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen. “We don’t know how much was taken,” Durzy told me in a phone call. The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store passwords in an insecure way..."

LinkedIn released a statement yesterday. Relevant portions:

"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach... For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords... We're moving swiftly to address the release of additional data from a 2012 breach, specifically: We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach. We will let individual members know if they need to reset their password. However, regularly changing your password is always a good idea..."

Many people use the LinkedIn.com social site to network with professionals in their field and to find jobs. If you use the site, experts advise changing your password immediately and not reusing the same password at multiple websites.
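The difference between the LinkedIn dump (unsalted SHA1, "90% of the passwords in 72 hours") and the Tumblr dump (salted and hashed) comes down to how the password store was built. The script below is an added example, not code from LinkedIn, Tumblr, or Motherboard; the accounts in it are constructed, and the PBKDF2 iteration count is an assumed work factor. It shows the property that makes a bare hash dangerous (every user with the same password gets the same hash, so one guess unlocks all of them), the salted slow-hash alternative that removes it, and a triage check a defender can run over a legacy password column to see which scheme it is holding.

```python
"""Added example: unsalted SHA1 password storage versus salted PBKDF2.
Sample accounts are constructed; none are real credentials."""
import hashlib
import hmac
import os

# Constructed sample accounts (not real users or real passwords).
SAMPLE_USERS = {
    "alice@example.com": "letmein123",
    "bob@example.com": "letmein123",                 # same password as alice
    "carol@example.com": "correct horse battery staple",
}

# Assumed work factor; tune to your hardware so a login costs tens of milliseconds.
PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme the LinkedIn report describes: bare SHA1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Salt and iteration count are stored beside the hash; neither is secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted_record(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hash_groups(hashes) -> int:
    """Count distinct hash values that appear for more than one user.
    Each such group means one recovered password opens every account in it."""
    counts = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


def audit_unsalted_store(users: dict) -> int:
    """Alice and Bob collide: the store leaks that they share a password."""
    return shared_hash_groups(unsalted_sha1(pw) for pw in users.values())


def audit_salted_store(users: dict) -> int:
    """With per-user salts the same password yields unrelated hashes."""
    return shared_hash_groups(make_salted_record(pw)["hash"] for pw in users.values())


def looks_like_unsalted_sha1(stored: str) -> bool:
    """Triage for a legacy column: a bare 40-hex-char value with no salt or
    parameters stored alongside it is most likely raw SHA1 and needs migrating."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored.lower())


if __name__ == "__main__":
    print("shared hash groups, unsalted SHA1 :", audit_unsalted_store(SAMPLE_USERS))
    print("shared hash groups, salted PBKDF2 :", audit_salted_store(SAMPLE_USERS))
    rec = make_salted_record("letmein123")
    print("verify correct password:", verify_salted_record(rec, "letmein123"))
    print("verify wrong password  :", verify_salted_record(rec, "letmein124"))
    print("legacy column is raw SHA1?", looks_like_unsalted_sha1(unsalted_sha1("x")))
```

The practical takeaway for a site operator is the migration path LinkedIn eventually took: keep the legacy hash only until the user next logs in, re-hash the supplied password into a salted record at that moment, and invalidate whatever is left after a deadline.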


Update: Apple Responds To Consumer's Claim That Apple Music "Stole" His Music

A prior blog post discussed a consumer's claim that Apple Music "stole" music files from his laptop. The Loop blog reported a statement by Apple Inc.:

"In an extremely small number of cases users have reported that music files saved on their computer were removed without their permission... We’re taking these reports seriously as we know how important music is to our customers and our teams are focused on identifying the cause. We have not been able to reproduce this issue, however, we’re releasing an update to iTunes early next week which includes additional safeguards. If a user experiences this issue they should contact AppleCare.”

The statement did not explain "additional safeguards." The iMore blog also reported Apple's statement, while calling the situation a "potential bug." Perhaps, "unverified bug" would have been a more accurate description.

Regardless, the statement by Apple is a very interesting statement, and it raises more questions. What exactly are the additional safeguards? How many reports has Apple received? If Apple can't replicate the bug, how effective can an iTunes software update be? What about compensating or helping James Pinkstone and other affected users with lost property?


Proprietary Content Formats Threaten Both Consumers' Choices And An Open, Fair Internet


The open Internet and consumer choice are both under attack. The Electronic Frontier Foundation (EFF) described the threat (links added):

"The World Wide Web Consortium (W3C), once the force for open standards that kept browsers from locking publishers to their proprietary capabilities, has changed its mission. Since 2013, the organization has provided a forum where today's dominant browser companies and the dominant entertainment companies can collaborate on a system to let our browsers control our behavior, rather than the other way.

This system, "Encrypted Media Extensions" (EME) uses standards-defined code to funnel video into a proprietary container called a "Content Decryption Module." For a new browser to support this new video streaming standard -- which major studios and cable operators are pushing for -- it would have to convince those entertainment companies or one of their partners to let them have a CDM, or this part of the "open" Web would not display in their new browser.

This is the opposite of every W3C standard to date: once, all you needed to do to render content sent by a server was follow the standard, not get permission. If browsers had needed permission to render a page at the launch of Mozilla, the publishers would have frozen out this new, pop-up-blocking upstart. Kiss Firefox goodbye, in other words.

The W3C didn't have to do this. No copyright law says that making a video gives you the right to tell people who legally watch it how they must configure their equipment. But because of the design of EME, copyright holders will be able to use the law to shut down any new browser that tries to render the video without their permission."

An EFF blog post explained the related threat from vague online language:

"A team of researchers from UC Berkeley and Case Western have published a study showing that customers think they are getting traditional ownership rights when they buy digital media online, even when a vendor’s site includes legal terms (often buried in click-wrap agreements) purporting to limit those rights.

In the study, customers purchased digital media from a fictional website with either a “Buy Now” button, a “License Now” button... Customers clicking “Buy Now” overwhelmingly believed for that they would “own” both digital and hard copy media, and have the right to keep it indefinitely and use it on a device of their choice. Little did they realize that their digital copy could be taken away or simply be discontinued when a vendor went out of business or stopped supporting the product... When the button was changed to read “License Now,” customers’ expectations did not significantly change (they were less likely to say they "owned" the product, but just as likely to believe they had the rights that come with ownership). When, however, customers were presented with a plainly-written summary of the rights that were and were not granted, this did cause a corresponding change in people’s expectations. The paper reinforces the truism that no one reads fine print online terms, even in a research study. If vendors really wanted customers to understand what’s in their terms, they could easily craft informative summaries as the researchers did."

So, when you visit a website with "Buy It Now" buttons or "Own it Now" ads, you now know what really matters is what the fine print states. Some Apple Music and iTunes customers are learning this the hard way. Subscribing to music online may be convenient, but the downside is loss of control over music files that can also affect files users do own.

Publishers have every right to protect their property from theft, and the old adage is true: the devil is in the details. Read the fine print. When publishers use digital rights management (DRM) to drive web browser standards and both the hardware and software consumers can buy, then the tail is wagging the dog.

So, it's not only about saving the Firefox web browser. It's about ensuring competition: that publishers build content to open standards and any web browser can display content built to those standards. Read the entire EFF article. Standards are standards. They should be open to everyone, not driven by publishers' needs.

What are your thoughts or opinions about the new standard?


Study: Many Sharing Economy Companies Not There Yet On Privacy And Transparency

You've probably heard of the term "sharing economy" (a/k/a digital economy). It refers to a variety of companies that link buyers and sellers online. These companies include taxi-like ride-sharing services (e.g., Uber, Lyft), home sharing services (e.g., Home Away, Airbnb, VRBO), delivery services (e.g., Postmates), and on-demand labor services (e.g., TaskRabbit).

The 2016 "Who Has Your Back?" report by the Electronic Frontier Foundation (EFF) focused upon companies in the sharing economy, and their policies and practices for inquiries by law enforcement. Prior annual reports included social networking websites, email providers, Internet service providers (ISPs), cloud storage providers, and other companies. The EFF observed that companies in the sharing economy:

"... also collect sensitive information about the habits of millions of people across the United States. Details about what consumers buy, where they sleep, and where they travel are really just scratching the surface of this data trove. These apps may also obtain detailed records of where your cell phone is at a given time, when you are logged on or active in an app, and with whom you communicate.

It’s not just the purchasers in the gig economy who have to trust their data to the startups developing these apps. Individuals offering services are users just like the buyers, and also leave behind a digital trail as (or more) detailed than that of the purchasers. From Lyft drivers to Airbnb hosts to Instacart shoppers, people providing services are entrusting enormous amounts of data to these apps... As with any rich trove of data, law enforcement is increasingly turning to the distributed workforce as part of their investigations. That’s not necessarily a bad thing, but we need to know how and when these companies actually stand up for user privacy..."

So, it is sensible and appropriate to evaluate how well (or poorly) these companies protect consumers' privacy and communicate their activities. The EFF found overall:

"Many sharing economy companies have not yet stepped up to meet accepted tech industry best practices related to privacy and transparency, according to our analysis of their published policies. This analysis is specific to government access requests for user data, and within that context we see ample room for improvement by this budding industry... however, some gig economy companies leading the field on this issue..."

Regarding ride-sharing companies, the EFF found:

"We analyzed 10 companies as part of this report. Of them, both Uber and Lyft earned credit in all of the categories we examined. We commend these two companies for their transparency around government access requests, commitments to protecting Fourth Amendment rights in relation to user communications and location data, advocacy on the federal level for user privacy, and commitment to providing users with notice about law enforcement requests. These two companies are setting a strong example for other distributed workforce companies... In contrast, another ride-sharing company, Getaround, received no stars in this year’s report."

The EFF also found improvements by home-sharing companies (links added):

"... FlipKey (owned by TripAdvisor) has adopted several policies related to government access of user data. FlipKey requires a warrant for user content or location data and promises to inform users of law enforcement access requests. It is also a member of the Digital Due Process Coalition, fighting for reform to outdated communications privacy law. Of the home sharing companies we reviewed, FlipKey does the most to stand up for user privacy against government demands.

Only two other companies from our research set earned credit in any categories: Airbnb and Instacart, each earning credit in three categories. Both of these companies require a warrant for content, publish law enforcement guidelines, and are members of the Digital Due Process Coalition..."

The Digital Due Process Coalition (DDPC) seeks reforms to the Electronic Communications Privacy Act (ECPA) because:

"Technology has advanced dramatically since 1986, and ECPA has been outpaced. The statute has not undergone a significant revision since it was enacted in 1986... As a result, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today’s digital communication services may no longer be adequately protected. At the same time, ECPA must be flexible enough to allow law enforcement agencies and services providers to work effectively together..."

DDPC members include Adobe, Airbnb, Amazon.com, Apple, AT&T, Dell, Dropbox, eBay, Facebook, IBM, Intel, Lyft, Reddit, Snapchat, and many more well-known brands.

The EFF report also found (links added):

"... half of the companies we reviewed—Getaround, Postmates, TaskRabbit, Turo, and VRBO—received no credit in any of our categories. This finding is disappointing... most of the companies we analyzed were not yet publishing transparency reports. Only two companies in the field—Lyft and Uber—have published reports outlining how many law enforcement access requests they’ve received. As a result, the general public has little insight into how often the government is pressuring gig economy companies for access to user data. This concerns us, as one way to make surveillance without due process worse is to allow it to happen entirely in secret. Publicizing reports of law enforcement access requests can help illuminate patterns of overzealous policing, shine a light on efforts by companies to resist overly broad requests, and perhaps give pause to law enforcement officials who might otherwise seek to grab more user data than they need..."

Read the 2016 EFF "Who Has Your Back?" executive summary, or the full report (Adobe PDF). Kudos to the EFF for providing a very timely and valuable report. What are your opinions?


A Healthy Democracy Needs Healthy Journalism

As the election year continues, the Bill Moyers and Company site provided this reminder and warning from the late reporter and editor Ben Bagdikian:

"In the United States, voters cast ballots for individual candidates who are not bound to any party program except rhetorically, and not always then…. No American citizen can vote intelligently without knowledge of the ideas, political background, and commitments of each individual candidate... No national paper or broadcast station can report adequately the issues and candidates in every one of the 65,000 local voting districts. Only locally based journalism can do it, and if it does not, voters become captives of the only alternative information, paid political propaganda, or no information at all."

And:

"As regional daily newspapers have shuttered, as local newspapers have downsized, as local radio hosts have been replaced by syndicated “content,” and as old lines of distinction between broadcast and print and digital media ownership have been blurred (thanks to wrongheaded federal legislation, lax regulation, and greed), communities across this country have become information deserts. Voter turnout for local elections is often so dismal that it invites questioning about how cities, villages, and towns are governed — and how those in power are held to account."

Both passages are from Bagdikian's book, "Media Monopoly." Yes, journalism must serve the people and not the (rich) few and corporations. A healthy democracy needs robust journalism, not a media monopoly that reports propaganda and entertainment masquerading as hard news.


FCC And FTC Query Wireless Providers About Security Updates For Mobile Devices

The U.S. Federal Trade Commission (FTC) and the U.S. Federal Communications Commission (FCC) have launched a joint effort to understand the processes wireless service providers (e.g., AT&T, Verizon Wireless, T-Mobile, Sprint) use to review and distribute security updates to users' mobile devices. Also:

"... the FTC has ordered eight mobile device manufacturers to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices."

The FCC announcement cited a growing number of mobile operating system vulnerabilities as a key reason for the agencies' joint action:

"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including “Stagefright” in the Android operating system, which may affect almost 1 billion Android devices globally."

Usually, a consumer has to open a file attached to a text message or email for their device to get infected. Not so with Stagefright. ZDNet explained just how nasty this security hole is for mobile devices without security updates:

"Then, there's Stagefright. With malware based on this security hole all you need to do is to get a text on your unpatched Android device, and, bang, you're hacked. Stagefright can attack any Android smartphone, tablet, or other device running Android 2.2 or higher... Stagefright holds up your device by being sent to you as a multimedia text message... The really sneaky part is you don't need to watch the [attached video]. If you're using Google's Hangouts app, you don't even need to open your text message app. All the attacker needs to do is send a poisoned package to your phone number. It then opens up your device, and the attack starts. This can happen so fast that by the time your phone alerts you that a message has arrived, you've already been hacked."
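The practical question the ZDNet passage leaves a device owner with is whether a given phone or tablet has actually received the fix. Android devices from version 6.0 onward report a monthly security patch level through the `ro.build.version.security_patch` system property, readable with `getprop` (over `adb shell getprop` from a workstation). The block below is an added example, not code from this post, ZDNet, the FCC or the FTC: it parses `getprop` output (the sample output here is constructed) and compares the reported patch level with a cutoff date the caller chooses, treating a missing or unparseable property as unknown rather than as patched. The `adb` invocation assumes `adb` is on the PATH with one authorized device attached.

```python
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from datetime import date

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample of getprop output; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-04-02]
[ro.product.model]: [constructed-example]
"""


def parse_getprop(output: str) -> dict[str, str]:
    """Turn getprop's "[key]: [value]" lines into a dict; ignore anything else."""
    props: dict[str, str] = {}
    for line in output.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


@dataclass
class PatchStatus:
    android_version: str
    patch_level: date | None
    verdict: str  # "current", "stale" or "unknown"
    reason: str


def assess(props: dict[str, str], cutoff: str) -> PatchStatus:
    """Compare the device's reported patch level (YYYY-MM-DD) with an ISO cutoff date.

    Devices before Android 6.0 expose no security_patch property at all, so an
    absent value cannot be read as "patched"; it is reported as unknown.
    """
    cutoff_date = date.fromisoformat(cutoff)
    version = props.get("ro.build.version.release", "?")
    raw = props.get("ro.build.version.security_patch", "")
    if not raw:
        return PatchStatus(version, None, "unknown",
                           "no security_patch property; device predates Android 6.0 "
                           "or the vendor omitted it, so treat it as unpatched")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        return PatchStatus(version, None, "unknown", f"unparseable patch level {raw!r}")
    if level >= cutoff_date:
        return PatchStatus(version, level, "current",
                           f"patch level {level} is at or after cutoff {cutoff_date}")
    lag = (cutoff_date - level).days
    return PatchStatus(version, level, "stale",
                       f"patch level {level} is {lag} days before cutoff {cutoff_date}")


def assess_connected_device(cutoff: str) -> PatchStatus:
    """Read the properties of the attached device over adb and assess them."""
    out = subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                         text=True, check=True).stdout
    return assess(parse_getprop(out), cutoff)


if __name__ == "__main__":
    status = assess(parse_getprop(SAMPLE_GETPROP), "2016-05-01")
    print(status.verdict, "-", status.reason)
```

The cutoff is deliberately a caller's choice: a fleet owner would set it to the month in which the fixes they care about shipped, and anything reporting an older level, or no level at all, gets flagged for follow-up with the carrier or manufacturer.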

The letter from the FCC to wireless service providers:

"May 9, 2016
Dear [Carrier],

As you know, one of the Commission’s top priorities is the promotion of safety and security of communications. This is a priority that is shared by our colleagues at the Federal Trade Commission (FTC).

As our nation’s consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, from the most sensitive to the most trivial, the safety and security of their communications and other personal information is directly related to the security of the devices they use.

There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device and all the personal, sensitive data on it. One of the most significant to date is a vulnerability in the Android component called “Stagefright.” It may have the ability to affect close to 1 billion Android devices around the world. And there are many other vulnerabilities that could do just as much harm.

Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise. We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched.

In partnership with the FTC, we have launched a joint effort to better understand, and ultimately to improve, the mobile security “ecosystem.” The FCC is contacting the service provider community to better understand the role that they play in ensuring the security of mobile devices. The FTC is separately seeking information from operating system providers and original equipment manufacturers. We hope that the efforts of our two agencies will lead to a greater understanding of what is being done today to address mobile device vulnerabilities—and what can be done to improve mobile device consumer safety and security in the future.

As a first step, I request that you provide us with your detailed responses within forty-five (45) days of the date of this letter. If you request confidential treatment for your responses, your responses will be treated confidentially (see 47 CFR § 0.459(d)(3)) but please be aware that we intend to share all responses with the FTC, as we are permitted to do pursuant to 44 U.S.C. § 3510, and we ask that you state in your response, pursuant to 47 CFR § 0.442, that you do not oppose such disclosure.

Once we receive your responses, we look forward to meeting with your representatives to review your answers and learn your perspectives on possible next steps. Should you have any questions, please feel free to contact Charles Mathias on my staff. Thank you in advance for help in this important undertaking.

Sincerely,

Jon Wilkins,
Chief
Wireless Telecommunications Bureau
Federal Communications Commission"

The specific questions the FCC and FTC seek responses to:

"General Questions
1. Does [Carrier] face issues or hurdles in releasing security updates for operating systems (OS) to consumers? If so, please explain in detail.

2. Do any mobile devices on [Carrier]’s network run an OS that is modified for or is unique to [Carrier] and if so, what percent of the devices on [Carrier]’s network do they represent? With respect to such OS, is [Carrier] responsible for developing and providing security updates? Does [Carrier] face any additional issues or hurdles in releasing security updates for such OS to consumers? If so please explain in detail.

3. Similarly, are there devices intended for deployment on [Carrier]’s network that have been loaded at [Carrier]’s direction with special software beyond the OS or applications to monitor device or network performance or similar metrics (Required Software)? With respect to such Required Software, is [Carrier] responsible for developing and providing security updates? Does [Carrier] face issues or hurdles in releasing security updates for Required Software to consumers, regardless of who is responsible for developing such updates?

4. Does [Carrier] face particular issues or hurdles in getting consumers to install updates for either a modified OS or Required Software on mobile devices as they are made available?

5. To what degree does [Carrier] know whether a consumer has installed a security update to address OS or Required Software security vulnerabilities? If [Carrier] does not engage in practices to monitor such information, does [Carrier] have the technical ability to do so?

6. To the extent that [Carrier] does not know whether individual consumers have installed updates to address security vulnerabilities in an OS or Required Software, is [Carrier] concerned about this lack of knowledge?

7. Could un-patched, non-updated devices on [Carrier]’s network impact or harm the functionality of that network or [Carrier]’s ability to provide effective service to other consumers who have patched and installed security updates on their devices?

Development and Release of Security Updates Questions
8. To [Carrier]’s knowledge, what entities are involved in the updating process (e.g., original equipment manufacturer (OEM), OS or Required Software vendor, other) and can any of those entities other than [Carrier] individually release security updates for the consumer directly? What legal, security, or other permissions are required from any involved entities and does obtaining those permissions cause delay in release? If [Carrier] provides updates to consumers, are security updates generally released to all consumers at once? If not, please describe the security update release process and how it might affect different consumers, including those who transfer their device to [Carrier]’s network.

9. Do any of these answers differ for devices running different operating systems (e.g., Android, Windows, iOS, CyanogenMod, Blackberry, etc.)? If so, describe in detail. Is the process different for devices that are ported to [Carrier]’s network? If so, describe in detail.

10. As a general matter, are security updates that have been made available or provided to [Carrier] by an OEM or OS or Required Software vendor in response to an identified security vulnerability regularly reviewed and/or released by [Carrier]? If so, how long does this process take? If not, please explain.

11. What considerations does [Carrier] generally take into account when determining the prioritization and timing of release of a security update (i.e., severity of vulnerability, whether it can be rolled into another planned update, etc.)?

12. What data does [Carrier] maintain about security updates that have been made available to [Carrier] and the actions [Carrier] has taken in response?

Consumer-specific Questions
13. Does [Carrier] provide updates to consumers with vulnerabilities on their mobile devices or make available a website where consumers can easily check the vulnerability status of their device and download required patches? If so, what are the steps and typical time frames from the discovery of a vulnerability to the consumer receiving an update that resolves the vulnerability—or making that vulnerability available for download?

14. Are there instances where [Carrier] knows of a vulnerability to OS or Required Software but does not release a security update to consumers or otherwise make the security update available? If so, why and how does [Carrier] protect consumer security in such instances?

15. Does [Carrier] discontinue security update support for mobile devices? How does [Carrier] decide when to discontinue security update support? Are consumers notified at the time of sale how long security updates will be provided or supported for their device by [Carrier]? Are consumers notified when security updates to their mobile devices are no longer supported? What are consumers’ options for protecting themselves against security vulnerabilities after such discontinuance by [Carrier]?

16. What information or notices regarding security update support does [Carrier] provide to customers who port or bring their device when they sign up for [Carrier]’s service?

Stagefright-specific Questions
17. When and how did [Carrier] first become aware of vulnerabilities in the Android libstagefright library (commonly known as Stagefright)?

18. How many models of mobile devices on [Carrier]’s network were or might/could have been impacted by Stagefright vulnerabilities?

19. How many models of mobile devices on [Carrier]’s network remain vulnerable to the Stagefright vulnerabilities? Approximately how many such devices remain active on the network? How many of these devices have a customized OS provided by the [Carrier]?

20. Following expressions of public concern surrounding the Stagefright vulnerabilities, Google, Samsung, and LG committed to releasing monthly security updates for mobile devices. Has [Carrier] made a similar commitment to expedite the release of the monthly security updates as they become available? Have such monthly updates been made available and, if so, has [Carrier] begun to release those updates as they become available? How many have been made available and how many has [Carrier] released?"

It will be interesting to see which companies respond in a timely manner with complete responses, which procrastinate or provide obtuse responses, and which refuse to respond.

The agencies' joint action is good news for both consumers and employers. Many consumers have mobile devices that never receive security updates. Many employers have bring-your-own-device (BYOD) policies, which allow their employees to use personal devices for both personal and company business.

Everyone wants secure mobile devices. Everyone needs secure mobile devices.


What's New: Cruise Ship Vacations Through The Northwest Passage

You can now sail to parts of Canada and the Arctic Ocean that were previously inaccessible.

Since the 1500s, explorers have attempted to sail the Arctic Ocean and Northwest Passage, but were unable due to thick sea ice present all year long. With climate change, the sea ice has retreated far enough and long enough during the summer months for cargo and cruise ships to navigate this shorter route between the Atlantic and Pacific Oceans.

Crystal Cruises announced a new itinerary through the Northwest Passage to destination ports in the United States, Canada, and Greenland. Starting in August of 2016, the Crystal Serenity cruise ship will sail from Anchorage, Alaska to New York City, with port destinations at Kodiak (Alaska), Nome (Alaska), Ulukhaktok (Northwest Territories, Canada), Cambridge Bay (Canada), Pond Inlet (Canada), Ilulissat (Greenland), Nuuk (Greenland), Bar Harbor (Maine), and more.

Crystal Cruises is a high-end, luxury cruise line offering a truly all-inclusive cruise experience. Budget or entry-level cruise lines typically offer a low price, but add on a variety of fees. Many consumers prefer a one-price, all-inclusive vacation.

The cruise price includes complimentary fine wines and premium spirits, plus gratuities for housekeeping, bar, dining and Penthouse butler staff. It also includes fine dining at any of eight on-board restaurants, classes at the Computer University@Sea®, foreign language classes, themed cruises focusing upon music, film and entertainment shows, wellness and golf, lectures featuring speakers, authors, and celebrities, art classes, an on-board fitness center, and concierge services to arrange personalized shore excursions.

The fitness center includes state-of-the-art exercise equipment, yoga classes, cycling classes, golf lessons, Pilates, and tai chi classes. The ship includes deluxe staterooms, staterooms with verandahs, penthouses, and penthouse suites. Staterooms include satellite TV, movie/DVD rentals, housekeeping, complimentary soft drinks and bottled water, complimentary beer, wine and spirits upon request, luxury bathrobes, and fine Egyptian cotton linens. Additional complimentary services are available in the penthouses and penthouse suites.

The Crystal Serenity cruise ship debuted in July, 2003. The cruise line spent $52 million in 2013 to redesign and upgrade the ship, including both staterooms and public areas. Besides the Northwest Passage itinerary, the ship sails to destinations in the Caribbean, South America, Hawaii, Australia, and the Mediterranean.

Prices for the 32-day cruise start at $21,855 per person double occupancy, and include the above onboard services plus transfers between the airport and cruise terminal in Anchorage. Prices exclude air fare and transfers between the cruise ship and airports in New York City.

Whether or not you believe in climate change, or agree that human activity contributes to climate change (a/k/a global warming), the retreating sea ice is an indication of changes in the planet.



Consumer Claimed Apple Music Service "Stole" Music From His Laptop. What Are The Implications?

Perhaps you've heard about it. A composer claimed that the Apple Music service "stole" music from his laptop, and a discussion with the service's customer support department produced neither resolution nor satisfaction. James Pinkstone wrote:

"I had just explained to Amber [in customer service] that 122 GB of music files were missing from my laptop. I’d already visited the online forum... several people had described problems similar to mine, they were all dismissed by condescending “gurus” who simply said that we had mislocated our files...  Amber explained that I should blow off these dismissive “solutions” offered online because Apple employees don’t officially use the forums... What Amber explained was exactly what I’d feared: through the Apple Music subscription, which I had, Apple now deletes files from its users’ computers. When I signed up for Apple Music, iTunes evaluated my massive collection of Mp3s and WAV files, scanned Apple’s database for what it considered matches, then removed the original files from my internal hard drive. REMOVED them. Deleted. If Apple Music saw a file it didn’t recognize—which came up often, since I’m a freelance composer and have many music files that I created myself—it would then download it to Apple’s database, delete it from my hard drive, and serve it back to me when I wanted to listen, just like it would with my other music files it had deleted."

Many of today's Internet users choose to get their music from subscription services, rather than purchase MP3 downloads or CDs. Mr. Pinkstone described four problems he sees with the music service:

"1. If Apple serves me my music, that means that when I don’t have WiFi access, I can’t listen to it. When I say “my music,” I don’t just mean the music that, over twenty years (since before iTunes existed), I painstakingly imported from thousands of CDs and saved to my computer’s internal hard drive. I also mean original music that I recorded and saved to my computer...

2. What Apple considers a “match” often isn’t..."

Mr. Pinkstone listed several songs he claimed the service mis-matched, and concluded:

"... What this means, then, is that Apple is engineering a future in which rare, or varying, mixes and versions of songs won’t exist unless Apple decides they do. Said alternate versions will be replaced by the most mainstream version, despite their original, at-one-time correct, titles, labels, and file contents.

3. Although I could click the little cloud icon next to each song title and “get it back” from Apple, their servers aren’t fast enough to make it an easy task. It would take around thirty hours to get my music back. And even then...

4. Should I choose to reclaim my songs via download, the files I would get back would not necessarily be the same as my original files. As a freelance composer, I save WAV files of my own compositions rather than Mp3s. WAV files have about ten times the number of samples, so they just sound better. Since Apple Music does not support WAV files, as they stole my compositions and stored them in their servers, they also converted them to Mp3s or AACs. So not only do I need to keep paying Apple Music just to access my own files, but I have to hear an inferior version of each recording instead of the one I created."

Mr. Pinkstone's blog post is being discussed throughout the blogosphere. I spent some time reading the Hard Forum thread. You might, too. One person (Westrock2000) shared on Hard Forum:

"I have been using iTunes for damn near 13 years now and I will admit that in the past it would occasionally delete random songs from the library, but only if you enabled "Allow iTunes to sort my library." So I did keep that turned off for many years, but I have not had that problem in the last several years."

Further down the page, Westrock2000 added:

"iTunes Match is meant to replicate the existence of your entire library on your iOS device. So being able to load playlists to the phone conflicts with that mentality. The other side effect to not being able to force a playlist is that you cannot put music videos on your iOS device outside of the ones that you buy from iTunes. The work around is to turn off Match, load a playlist, then turn it back on. Now I know what you are all going to say, "Oh you have to use a workaround to make an Apple work"..."

Another person (twonunpackmule) commented:

"This happened to me a couple of times. I found if I allowed Apple to "build my library" it would then cause syncing issues with my phone. If the music wasn't present during a sync, it would delete them. I have several backups because of it."

Another person (Miikun) shared:

"This happened to me 10 years ago, I loaded iTunes on my server and it decided to blackhole all my files instead of moving them to the new iTunes storage location. Considering that Apple applications don't exactly come with a manual, and are supposed to be idiot-proof, you really can't expect some innocuous checkbox like "Build My Library" equates with delete everything on the source folder. Even Windows OS will prompt you before deletion/overwrite and let you make the choice, Apple's approach stinks of corporate entitlement, as if anyone who owns CDs are beneath their notice..."

And, there was this interesting comment by Ididar (link added):

"It isn't just Apple. Software bugs in music software or anything that manages your files can be a real problem. On my current setup if I use Microsoft's Windows 10 built in music program it deletes a bunch of my music files. It leaves all the folders and album artwork alone and just deletes the MP3 files. Since I stopped using it I haven't had a single file go missing. Thankfully, all my music is on an NAS that gets backed up to a drive..."

Mr. Pinkstone's blog post also cited sections of the Apple Music agreement he found relevant. He believes that this language is the reason why there haven't been any lawsuits by dissatisfied users:

"... YOU EXPRESSLY AGREE THAT YOUR USE OF, OR INABILITY TO USE, THE APPLE MUSIC SERVICE IS AT YOUR SOLE RISK. THE APPLE MUSIC SERVICE AND ALL PRODUCTS AND SERVICES DELIVERED TO YOU THROUGH THE APPLE MUSIC SERVICE ARE (EXCEPT AS EXPRESSLY STATED BY APPLE) PROVIDED “AS IS” AND “AS AVAILABLE” FOR YOUR USE, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED... IN NO CASE SHALL APPLE, ITS DIRECTORS, OFFICERS, EMPLOYEES, AFFILIATES, AGENTS, CONTRACTORS, OR LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING FROM YOUR USE OF THE APPLE MUSIC SERVICE OR FOR ANY OTHER CLAIM RELATED IN ANY WAY TO YOUR USE OF THE APPLE MUSIC SERVICE, INCLUDING, BUT NOT LIMITED TO, ANY ERRORS OR OMISSIONS IN ANY CONTENT..."

Mr. Pinkstone recovered his original music from backups he had made of his laptop's hard drive. He concluded:

"... So my files were temporarily restored; but the only way to prevent this from happening over and over, according to Amber, was to cancel my subscription to Apple Music (which she herself doesn’t use due to the above-listed reasons) and to make sure my iCloud settings did not include storing any music backups."

Are Mr. Pinkstone's complaints valid? Macworld disagrees:

"How Apple's music services all work is a little confusing, but in no way is the company interested in getting rid of your music library... James Pinkstone, writing on his company’s blog, tells a tale of losing 122GB of music files because of Apple Music. Plenty of websites are trumpeting this story, saying that Apple Music is the big bad wolf. But I’m afraid that isn’t the case. The author of this blog post begins by citing a bit of a conversation he had with one Amber, an Apple tech support person... Amber is wrong. Neither Apple Music nor iCloud Music Library deletes music files. This simply doesn’t happen.

I’m not contesting what happened to Mr. Pinkstone. iTunes is nothing if not problematic, as you can see regularly in my Ask the iTunes Guy column. But if Apple Music—or more correctly, in this case, iCloud Music Library—were rapturing music files of every user around the world, there would have already been a -gate controversy (musicgate? filegate?) and a class-action lawsuit. Heck, even Taylor Swift would have been unhappy, and penned an open letter to Apple.

I don’t know exactly what happened to this user. I contacted him by email trying to get more information, and he told me that he no longer uses Apple Music, so he really can’t help elucidate the issue. There are a few hypotheses circulating about what may have happened, and none of them make total sense. Something deleted his music files—including music he composed—and it’s hard to figure out what was responsible. But it wasn’t Apple Music, and Apple certainly did not “steal” his music."

So, who is right: Mr. Pinkstone or Macworld? Regardless, it seems wise to understand the differences between Apple Music and iTunes Match, and how both work with iCloud Music Library. Apple clearly stated:

"Apple Music and iTunes Match are not backup services for your original music library. Be sure to back up your music library so that you have a copy of your music and other information if your Mac or PC is ever replaced, lost, or damaged... Your Apple Music membership includes an iCloud Music Library, which allows you to enjoy your entire music library from all of your devices... You can use Apple Music and iTunes Match together. When you subscribe to both services, your iCloud Music Library will make available 256 Kbps DRM-free AAC files only for songs matched using iTunes on your Mac or PC. Songs that can’t be matched are uploaded from iTunes to your iCloud Music Library and stored in iCloud in their uploaded form..."

Macworld also discussed the three services. Apple is known for providing intuitive, easy-to-use products and services. Consumers pay a price premium for that.

Until this gets sorted out (hopefully with a statement from Apple), Mr. Pinkstone's experience is a cautionary tale for consumers who mix subscription and downloaded (e.g., purchased) music files. This applies especially to artists who create their own proprietary music:

  1. Read the fine print for a subscription music service before subscribing. Understand what content is stored, reformatted, copied, and/or deleted, and under what circumstances. Understand the service's syncing or matching policy and the available controls, especially if syncing means merge/purge.
  2. Back up all of your devices (e.g., desktop, laptop, tablet, phone) to media or a destination you control. Do this whether you subscribe to a music subscription service or not. Two-terabyte external hard drives are inexpensive.
  3. Music you create is your proprietary property. Protect it accordingly. Read contract terms before subscribing. If the terms aren't available before purchase, don't subscribe. If the terms put your property at risk, don't subscribe.
  4. Read reviews before subscribing. Learn from other consumers' experiences, good or bad. Ensure the review site includes customer-written content or trustworthy expert reviews.
  5. Assess whether the music service fits your lifestyle. The way the service stores, formats, matches, and syncs your music files may or may not meet your needs. If it does, great. If it doesn't, it may not benefit you. Only you can decide.
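A backup (item 2) only helps if you notice that something went missing or was silently replaced, which is exactly the situation described earlier in this post: files gone from the internal drive, and originals in one format served back in another. The block below is an added example, not code from this post, from Mr. Pinkstone, Apple or Macworld. It records the path, size and SHA-256 of every audio file in a library, saves that manifest as JSON, and later diffs a fresh snapshot against it to list files that are missing, newly added, or changed in place. The `simulate_sync_and_diff` function builds a throwaway library from constructed placeholder bytes (not real audio) and mimics a sync that deletes one file and swaps another for a different-format copy, so the example runs without touching a real music folder.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Extensions treated as part of the music library; adjust to taste.
AUDIO_EXTS = {".wav", ".mp3", ".aac", ".m4a", ".flac", ".aiff"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large WAVs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Map each audio file's path (relative to root) to its size and SHA-256."""
    manifest: dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in AUDIO_EXTS:
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def save_manifest(manifest: dict[str, dict], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, dict]:
    return json.loads(path.read_text())


def diff_manifests(before: dict[str, dict], after: dict[str, dict]) -> dict[str, list[str]]:
    """Report paths that vanished, appeared, or whose content hash changed."""
    old, new = set(before), set(after)
    return {
        "missing": sorted(old - new),
        "added": sorted(new - old),
        "changed": sorted(k for k in old & new if before[k]["sha256"] != after[k]["sha256"]),
    }


def simulate_sync_and_diff() -> dict[str, list[str]]:
    """Constructed demo: snapshot a library, mimic a destructive sync, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Music"
        (lib / "Originals").mkdir(parents=True)
        (lib / "Album").mkdir()
        # Placeholder bytes standing in for audio; not real WAV/MP3 content.
        (lib / "Originals" / "sketch-01.wav").write_bytes(b"RIFF" + b"\x00" * 1024)
        (lib / "Originals" / "sketch-02.wav").write_bytes(b"RIFF" + b"\x01" * 2048)
        (lib / "Album" / "track.mp3").write_bytes(b"ID3" + b"\x02" * 512)

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(lib), manifest_path)

        # Simulated sync: one original deleted, one "converted" to another
        # format under a new name, one album track rewritten in place.
        (lib / "Originals" / "sketch-01.wav").unlink()
        (lib / "Originals" / "sketch-02.wav").unlink()
        (lib / "Originals" / "sketch-02.m4a").write_bytes(b"ftyp" + b"\x03" * 256)
        (lib / "Album" / "track.mp3").write_bytes(b"ID3" + b"\x04" * 512)

        return diff_manifests(load_manifest(manifest_path), build_manifest(lib))


if __name__ == "__main__":
    print(json.dumps(simulate_sync_and_diff(), indent=2))
```

On a real library you would call `build_manifest` on the music folder before enabling any sync or matching feature, keep the JSON somewhere the service cannot reach, and re-run the diff afterwards; a WAV that reappears only as an `.m4a` shows up as one missing entry and one added entry, which is the loss the post describes.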

I prefer services that keep me in direct control of my files, and request my permission before making any changes. Services that think for me often include an implicit loss of control. Some people view that as convenience. I don't. This is the crux of item #5. You know best if you're a control freak. If the music subscription service keeps you in control, great. If not, then you may not want to subscribe.

I doubt that we have heard the end of this story. What are your opinions? If you have experienced a situation similar to Mr. Pinkstone's, please share it below.


Breach Notifications Rise More Than 40 Percent In New York

Breach notifications involving New York State residents have risen more than 40 percent compared to a year ago. Attorney General Eric T. Schneiderman announced on Wednesday that his office:

"... has received 459 data breach notices from the first of the year through May 2, 2016, as compared with 327 through the same time last year. In the year 2015 alone, the office received 809 data breach notices. The office is expecting to receive well over 1000 notices for the year, a new record."

The New York State Information Security Breach & Notification Act requires companies to provide notice to the Attorney General's office and to affected consumers. Companies now use an online submission form. Previously, notifications were submitted via postal mail, fax, or email.

The Attorney General's office released a data breach report in July 2014 which found:

"... the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 data breaches, which cost the public and private sectors in New York upward of $1.37 billion in 2013. In addition, the report also found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches."

If you receive a breach notification letter, the Identity Theft Resource Center advises consumers to (links added):

"1. Call the three credit bureaus (Experian, Equifax, and Transunion) and request a 90-day fraud alert be placed on your credit reports.

2. Request your annual free credit report from each of the aforementioned credit bureaus and review them for any inaccuracies...

3. If you do find any inaccuracies, call the three credit bureaus and request a security freeze be placed on your credit reports. This may cost a nominal fee depending on the state that you are in and does not allow new credit lines to be processed until you personally unfreeze your credit. Even if you do not find any inaccuracies, you may want to consider putting a security freeze on your credit as a precautionary measure.

4. File your tax returns as early as possible to avoid an identity thief filing a tax return under your name in order to receive fraudulent tax refunds.

5. Contact the Social Security Administration and request your wage report to ensure that an identity thief has not reported fraudulent wages which you may have to pay taxes on if not resolved.

6. For more details on what to do if you have received a data breach notification letter, please read our ITRC Fact Sheet FS 129."

Learn how to spot fake breach notices from scammers. To help residents confirm breach notifications, a few states (Maryland, New Hampshire, Vermont, Wisconsin) post online the breach notices they have received.

Comments? Opinions? If you know of any states that post breach notices online, please tell us below.


Your Fingerprints. A Key or Testimony? Why It Matters Legally

Many people use the fingerprint recognition feature on newer Apple iPhones and iPads. Consumers view the optional feature, called Touch ID, as a more convenient way to secure their phones versus passcodes. (The feature still requires a passcode, is not foolproof, and is hackable, but let's put those issues aside for now.) Most consumers probably aren't aware of the legal considerations. How the law and courts treat your fingerprints matters... specifically when used to access devices or accounts.

The basic question, which the law has not settled yet, is: are your fingerprints like a key to, say, an electronic file cabinet, or are they the equivalent of testimony? The distinction matters when the government forces people to unlock their phones. The Los Angeles Times reported:

"... authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone... The phone contained Apple's fingerprint identification system... It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common..."

Why this matters:

"... the prevailing legal stance toward fingerprints. Law enforcement routinely obtains search warrants to examine property or monitor telecommunications, even swab inside an inmate's mouth for DNA. But fingerprints have long remained in the class of evidence that doesn't require a warrant... Courts have categorized fingerprints as "real or physical evidence" sourced from the body, unlike communications or knowledge, which cannot be compelled without violating the 5th Amendment... How far can the government go to obtain biometric markers such as fingerprints and hair? The U.S. Supreme Court has held that police can search phones with a valid warrant and compel a person in custody to provide physical evidence such as fingerprints without a judge's permission. But some legal experts say there should be a higher bar for biometric data because providing a fingerprint to open a digital device gives the state access to a vast trove of personal information and could be a form of self-incrimination."

Providing a fingerprint used to be only about identification... identifying a person under arrest. Now, the same fingerprint can also be used to access electronic documents:

"... the act of compelling a person in custody to press her finger against a phone breached the 5th Amendment's protection against self-incrimination. It forced [the defendant] to testify — without uttering a word — because by moving her finger and unlocking the phone, she authenticated its contents."

Legal experts disagree about whether fingerprints are the equivalent of keys or testimony:

"... Albert Gidari, the director of privacy at Stanford Law School's Center for Internet and Society, said the action might not violate the 5th Amendment prohibition of self-incrimination... George M. Dery III, a lawyer and criminal justice professor at California State University, Fullerton, likened the warrant to the government's request for a key..."

Your opinions? Thoughts?


Google Fixes Most Vulnerabilities In May Android Security Update

If you use a mobile device that runs the Google Android operating system, take note. In its May 2016 Android security update, Google fixed many vulnerabilities but several still linger. ZD Net reported:

"The search and mobile giant on Monday released its monthly round of Android security fixes, with one persistent flaw at the top of the list: a "critical" security vulnerability in mediaserver, a part of Android that finds and indexes media files stored on the device. Almost every month since Google began pushing out monthly security patches, researchers have found a new problem in the bug-ridden Android component."

"Bug-ridden" does not sound good. ZD Net explained:

"According to the bulletin, the two flaws "could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files," though the flaw is mitigated slightly because Google Hangouts and Messenger apps can't trigger the flaw. In other words, an attacker can run malware on a device by exploiting the mediaserver, because the service has access to privileged parts of the device which other apps don't have."

Corporate information technology managers at companies with "BYOD" (a/k/a Bring Your Own Device) policies for their employees can't be happy with this security situation. What should consumers make of it? ZD Net explained in May 2015:

"The problem is that most devices are never updated. The one exception is Google's own brand of phones, the Nexus line-up, which remain continually updated with the latest patches and fixes... Android remains the most popular mobile operating system in the world with over 81 percent of the worldwide market share. But only a fraction of Android's share is running the software's latest version, with the latest bug fixes, vulnerability patches, and security updates. Official stats say just shy of 10 percent are using Android 5.0 "Lollipop," with about 39 percent running the second latest version, Android 4.4 "KitKat"... That's because not everyone gets the updates. Some Android devices aren't deemed compatible. That includes updates that include incremental security fixes (and features) known to mitigate malware threats and data leaks. And it's not Google that determines who gets an upgrade. Google leaves it up to the carriers. Carriers argue they need to test Android updates to determine whether or not a device will get an upgrade. When it's not the carriers, it's the phone makers..."

So, security takes a backseat to profits. Shop wisely for a device (and wireless provider) that includes all security updates.

Thoughts? Comments?


Surveillance Capitalism: A Profitable Business Google And Microsoft Agree About

The Guardian reported a major shift at both Google and Microsoft. The tech giants have agreed not to sue each other and to focus upon competing in the marketplace:

"This is a gentleman’s agreement. The specifics are secret, but the message on both sides is that the deal reflects a change in management philosophy. Microsoft’s new chief Satya Nadella is eager to push the vision of a dynamic, collaborative Microsoft, partnering with everyone from Apple to Salesforce."

Microsoft wants to operate in the marketplace that Google already operates in:

"... Microsoft today is facing a very different business ecosystem to the one it dominated in the 1990s. It needs to adapt... what Satya Nadella describes as “systems of intelligence”... cloud-enabled digital feedback loops. They rely on the continuous flow of data from people, places and things, connected to a web of activity. And they promise unprecedented power to reason, predict and gain insight..."

How this relates to "surveillance capitalism":

"For emeritus Harvard Business School professor Shoshana Zuboff, this gets to the core of the Google-Microsoft deal. Zuboff is a leading critic of what she calls “surveillance capitalism”, the monetization of free behavioral data acquired through surveillance and sold on to entities with an interest in your future behavior..."

Whether you call it "systems of intelligence" or "surveillance capitalism," it shouldn't be a surprise. There has been government surveillance for intelligence and security applications, and for political control. It is more than technologies such as e-mail trackers, canvas fingerprinting, voice-activated interfaces, and targeted advertising (a/k/a behavioral advertising). It is more than companies collaborating with government. It is more than smart meters that automatically collect and transmit via wireless your water, gas, and electric utility consumption.

This latest news makes it a lot clearer how companies plan to use the combination of cloud computing services and Internet-of-Things devices installed in smart homes and public spaces.


FBI Files: Former Louisiana Governor Arranged Payments To KKK To Stop Violence During The 1960s

The Advocate reported how a former Louisiana governor arranged payments to the Ku Klux Klan to avoid violence by Civil Rights opponents:

“As Louisiana’s governor in the mid-1960s, John J. McKeithen was behind payments to Ku Klux Klan leaders that were meant to suppress the racial violence swirling throughout Louisiana at the time, FBI records show... the declassified FBI documents, obtained under the federal Freedom of Information Act, point to McKeithen’s use of the Louisiana State Sovereignty Commission, which was created by the Legislature to keep state control of civil rights issues, to send the privately raised money to Klan leaders.”

Several states formed sovereignty commissions, including Mississippi. Learn about the Louisiana State Sovereignty Commission (LSSC). FBI refers to the Federal Bureau of Investigation. For those unfamiliar with the Ku Klux Klan (KKK), background from History.com:

"A group including many former Confederate veterans founded the first branch of the Ku Klux Klan as a social club in Pulaski, Tennessee, in 1866. The first two words of the organization’s name supposedly derived from the Greek word “kyklos,” meaning circle. In the summer of 1867, local branches of the Klan met in a general organizing convention and established what they called an “Invisible Empire of the South.” Leading Confederate general Nathan Bedford Forrest was chosen as the first leader, or “grand wizard,” of the Klan... The organization of the Ku Klux Klan coincided with the beginning of the second phase of post-Civil War Reconstruction, put into place by the more radical members of the Republican Party in Congress... From 1867 onward, African-American participation in public life in the South became one of the most radical aspects of Reconstruction, as blacks won election to southern state governments and even to the U.S. Congress. For its part, the Ku Klux Klan dedicated itself to an underground campaign of violence against Republican leaders and voters (both black and white) in an effort to reverse the policies of Radical Reconstruction and restore white supremacy in the South... In 1915, white Protestant nativists organized a revival of the Ku Klux Klan near Atlanta, Georgia, inspired by their romantic view of the Old South as well as Thomas Dixon’s 1905 book “The Clansman” and D.W. Griffith’s 1915 film “Birth of a Nation.” This second generation of the Klan was not only anti-black but also took a stand against Roman Catholics, Jews, foreigners and organized labor. It was fueled by growing hostility to the surge in immigration..."

The Southern Poverty Law Center (SPLC) also provides information about the KKK:

"Since the 1970s the Klan has been greatly weakened by internal conflicts, court cases, a seemingly endless series of splits and government infiltration. While some factions have preserved an openly racist and militant approach, others have tried to enter the mainstream, cloaking their racism as mere "civil rights for whites." Today, the Center estimates that there are between 5,000 and 8,000 Klan members..."

You can find a link to the Advocate article on the SPLC Facebook page. Now, back to the Advocate news story, which did not make clear whether the payments came from the former governor's personal funds or from state funds. Payments were made to both the KKK and to:

"... the Bogalusa chapter of the Deacons for Defense, an armed African-American group that protected demonstrators and civil rights workers."

How the payments were made:

"In an apparent attempt to camouflage the Klan payments arranged by the Sovereignty Commission, recipients were paid through Fountain Insurance Agency in Baton Rouge, which no longer exists. The owner of the agency, identified by investigating FBI agents from the New Orleans field office only as a member of the Sovereignty Commission, would mail “insurance checks” to Klansmen’s homes and later be reimbursed by the commission. Another way the payments reached the Klansmen, the FBI noted, was through the Monroe police chief at the time..."

Were these payments ethical? Was it the right thing to do? Thankfully, somebody filed a Freedom of Information Act (FOIA) request to bring the issue and documents to light. A logical next question is: were the payments successful at avoiding or minimizing violence? The Advocate reported:

“Whether McKeithen’s anti-violence strategy worked is unclear. U.S. Department of Justice and FBI investigations detail at least a half-dozen Klan-related homicides, scores of beatings and dozens of fire bombings in central Louisiana between 1964 and 1969. Whether it would have been worse without the payments will never be known... the KKK soon soured on McKeithen, whose moves toward improved race relations and rights for black people did not sit well in Louisiana Klan circles. By 1967, handbills circulating in Bogalusa accused McKeithen of asking for the Klan vote and then double-crossing them. The Klan called for McKeithen and other Louisiana officeholders to be "tarred and feathered."”

The News Star also reported the story. It would be great if graduate business schools added this as a teaching case to their curricula to prepare future leaders. It raises several interesting questions:

  • Were the payments ethical?
  • Were there more payments than the $10,000 cited?
  • Were payments from the governor's personal funds or from state funds?
  • Is it appropriate to make payments to a terrorist organization?
  • What other states (or governors) made payments?
  • Is this leadership?
  • Do the ends justify the means?
  • What next in Louisiana?

That these payments were made reinforces just how violent the KKK was, and how widely it was known for violence. Given this shameful history, making amends is always a good first step toward reconciliation. This news report reinforces my opinion that the second biggest threat to humans after climate change is: ethics.

What are your opinions?