Previous month:
October 2016
Next month:
December 2016

16 posts from November 2016

There's No Evidence Our Election Was Rigged

[Editor's note: Given recent allegations of voter fraud and hacks into voting systems, today's guest post is by reporters at ProPublica. This news story was originally published on November 28, 2016. It is reprinted with permission.]

by Jessica Huseman and Scott Klein, ProPublica

President-elect Donald Trump took to Twitter on Sunday to claim that he would have won the popular vote "if you deduct the millions of people who voted illegally."

There is no evidence that millions of people voted illegally. If there were, we'd have seen some sign of it.

ProPublica was an organizing partner in Electionland, a project run by a coalition of organizations including Google News Lab, Univision, WNYC, the CUNY Graduate School of Journalism and the USA Today Network. We monitored the vote with a team of more than 1,000 people, including about 600 journalism school students poring over social media reports and more than 400 local journalists who signed up to receive tips on what we found. We had access to a database of thousands of calls made to a nonpartisan legal hotline. We had four of the nation's leading voting experts in the room with us and election sources across the country. Thousands of people texted us to tell us about their voting experience.

We had an unprecedented real-time understanding of voting in the United States, and while we saw many types of problems, we did not see mass voter fraud of any kind 2014 especially of the sort Donald Trump alleges.

Trump's claim tracks closely with an Infowars piece published less than a week after the election, claiming that 3 million votes were cast by illegal aliens. The website, run by conservative radio host and noted conspiracy theorist Alex Jones, attributed the number to an unsubstantiated tweet by Gregg Phillips, the founder of VoteStand, a voter fraud app. While Infowars attributed the number to VoteFraud.org, there has been no report on the number by VoteFraud.org and Phillips told Politifact he was not affiliated with the organization. He would not provide Politifact with any information about how he arrived at the number, saying he was still verifying its accuracy. As Politifact points out, there is no evidence to support the number.

On a call Monday morning with reporters, Trump transition spokesman Jason Miller cited two studies to back up the president-elect's claim of illegal voting. The research, he said, spoke to "issues of both voter fraud and illegal immigrants voting."

Experts say the studies did not speak to these issues. The first study Miller cited was published in 2014 and has been widely debunked by a number of researchers. While the study claimed that 14 percent of non-citizens were registered to vote, that turned out to be an error in self-reporting. The question pertaining to citizenship was confusing, leading citizens to regularly mark themselves as non-citizens.

Miller also cited a 2012 Pew Study which found that there were thousands of people on the rolls who had moved or died. David Becker, now the executive director of the Center for Election Innovation & Research, was the primary author of the study, and told us there was "no link" between this study and voter fraud.

"The rolls are out of date because people are moving or dying in the normal course of things, not because people go and intentionally register in two states," he said, adding that his two decades of experience has shown him that out-of-date rolls are not used for fraud. He added that now that 20 states are participating in the Electronic Registration Information Center Inc. 2014 or ERIC 2014 which allows states to share registration information, the voting rolls in 2016 were "far more up to date" than the rolls in 2012.

Beyond the study, Becker said the warning signs of millions of ineligible voters casting ballots are simply not present, nor were they on Election Day, which Becker spent in the Electionland newsroom. In fact, he said, it's likely Electionland 2014 and many other election observers 2014 would have known about this long before the election actually took place.

"There would have been an unprecedented number of new registrants that would not have had matched social security or driver's license numbers," Becker said. "There was no exceptional registration, there were no crazy long lines, there were no language difficulties, and there wasn't an exceptionally high number of mail-in ballots."

Tammy Patrick, another Electionland expert and a fellow at the Bipartisan Policy Center, said that no elections officials have raised flags related to tampering. Jurisdictions do regular audits to ensure that the number of sign-ins equals the number of votes being cast, and none of those audits have found problems. In fact, with the fervor raised in advance by the president-elect himself, Patrick said this election was the best monitored in her memory.

"People were watching," she said. "We had more international observers than ever before. Thousands of political party observers at the polls. Campaign observers in the polling places."

Third-party candidate Jill Stein has raised less sweeping doubts about the validity of the vote. These came on the heels of a Nov. 22 piece in New York Magazine, claiming that researchers had found "persuasive evidence that results in Wisconsin, Michigan, and Pennsylvania may have been manipulated or hacked." The story went on to say that "in Wisconsin, Clinton received 7 percent fewer votes in counties that relied on electronic-voting machines compared with counties that used optical scanners and paper ballots."

Stein has now used this study in her recount petitions in both Wisconsin and Pennsylvania.

However, the story did not seem to hold up under scrutiny. One of those researchers, J. Alex Halderman, writing in a Medium post, disagreed with New York Magazine's characterization of his research, saying only that systems were vulnerable, pointing to the hacks on the Democratic National Committee and the voter registration systems in Illinois and Arizona. He did, however, call for manually checking paper ballots.

Nate Silver at 538 and others rebutted the New York Magazine claims via Twitter and later in a longer story. Silver pointed out, among other things, that in Wisconsin, the disparity between counties that use paper ballots and ones that use electronic voting systems disappears when controlling for race and education.

Charles Stewart, elections expert and professor at MIT, noted in his blog, "virtually all" ballots in Wisconsin and Michigan were cast on paper, so the "core empirical claim" of the New York Magazine story "cannot be true."

But Stein, citing "very troubling news about the possibility of security breaches in voting results," created a crowdsourcing campaign to fund a recount effort in Wisconsin, Michigan and Pennsylvania. She first set a fundraising goal of $2 million, which was very quickly met, and raised it ultimately to $7 million, where it currently stands as we write this.

The Clinton campaign is participating in the Wisconsin recount process. Marc Elias, general counsel to the Clinton campaign, expressed skepticism, saying that the campaign had "not uncovered any actionable evidence of hacking or outside attempts to alter the voting technology," but that they would participate in the recount "in order to ensure the process proceeds in a manner that is fair to all sides."

Both Becker and Patrick say the idea that a hack could meaningfully impact an election is far-fetched. In Wisconsin alone, there are 1,800 jurisdictions, none of which have machines connected to the internet, said Becker. "It would have taken thousands of people working in concert without being discovered to hack the result, just in Wisconsin," he said.

And while some have asserted that malware could have been built into the software used to run electronic voting machines and optical scanners for paper ballots, Patrick said this would either require a lot of foresight or time travel.

"This software is years old. The voting machines are not new. Someone would have had to years ago decide they were going to hack this election, without knowing who the candidates are," she said.

While it's important to investigate voting irregularities, claims made without evidence about fraudulent voting and hacking may have costs that go beyond the expense of a recount. Studies suggest that voters especially low-information voters 2014 who fear that their vote may be tampered with might not vote at all.

Members of the losing party often blame defeats on flaws in the voting system, Becker said. He said it's "particularly difficult" this year, when all of the polls seemed to be lined up against the ultimate winner, "but it doesn't change the facts about the process."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Can Apple Move iPhone Production To The United States?

President Elect Donald Trump and his incoming administration have promised to "make America great again." That promise included a key policy position to move manufacturing -- and its jobs -- back to the United States; in particular move production of Apple iPhones to the USA:

"we have to bring Apple — and other companies like Apple — back to the United States. We have to do it. And that’s one of my real dreams for the country, to get … them back. We have a great capacity in this country."

Well, can it be done? And if so, what might the consequences be?

Nikkei Asia Review reported:

"Key Apple assembler Hon Hai Precision Industry, also known as Foxconn Technology Group, has been studying the possibility of moving iPhone production to the United States... Apple asked both Foxconn and Pegatron, the two iPhone assemblers, in June to look into making iPhones in the United States..."

Experts warn that moving production is complex and difficult. Not only must assembly operations be relocated, but new facilities must be located and built, plus nearby suppliers and transport services found, moved, and contracts obtained. During the globalization trend of the last 35 years, many manufacturing facilities in the USA were closed, destroyed, and replaced with other businesses. Plus, the remainaing facilities may be technologically obsolete. After solving these issues, then production workers must be hired.

With any major change, there often are unintended consequences. A possible consequence:

"Making iPhones in the U.S. means the cost will more than double... According to research company IHS Markit, it costs about $225 for Apple to make an iPhone 7 with a 32GB memory, while the unsubsidized price for such a handset is $649..."

Prices for unlocked iPhone7 with 32 GB phones on eBay range from $700 to $1,000.00. 128 and 256 GB versions cost even more. Would consumers be willing to pay higher prices, say 50 percent more, or even double?


You Gave President Elect Donald Trump a Whale Of A Holiday Gift

Just before the long holiday weekend, the Attorney General (AG) for New York State announced a settlement agreement with President Elect Donald J. Trump regarding his now defunct, educational business Trump University. Reportedly, the $25 million settlement agreement resolves two class-action lawsuits and an action by the New York State AG.

About 7,000 students paid up to $35,000 in tuition and allegedly received little to no education. Terms of the settlement require Mr. Trump to pay $21 million to settle the two class-action lawsuits and $4 million to New York State. The New York Times reported:

"Trump University, which operated from 2004 to 2010, included free introductory seminars across the country, focusing largely on real estate investing and learning Mr. Trump’s secrets... Documents made public through the litigation revealed that some former Trump University managers had given testimony about its unscrupulous and exploitative business practices. One sales executive testified that the operation was “a facade, a total lie.” Another manager called it a “fraudulent scheme.” Other records showed how Mr. Trump had overstated the depth of his involvement in the programs. Despite claims that Mr. Trump had handpicked instructors, he acknowledged in testimony that he had not... the conclusion of the Trump University cases brings vindication to former students, mostly ordinary people across the country who felt they had been robbed of their savings by Mr. Trump..."

The settlement terms did not require Mr. Trump to admit any wrongdoing:

"At a hearing on the case in San Diego on Friday, [Trump's attorney] Daniel Petrocelli said Mr. Trump had settled the case “without an acknowledgment of fault or liability.” "

Why settle now? The Los Angeles Times reported:

"The law firm Zeldes, Haeggquist & Eck, which helped represent the plaintiffs, said in a statement Friday that it was “incredibly painful” to end the legal battle now. “We stand behind their claims 100%,” the firm said, “but there is always risk in taking a case to trial and that was particularly so here, when the defendant was poised to be the next president of the United States.” The lawsuits dogged Trump on the campaign trail, and he denied the allegations many times and said he would not settle the cases."

Some might conclude that not having to admit wrongdoing is a whale of gift. Reportedly, attorneys for the students waived their fees so the students would receive more compensation. Students would received 55 to 100 percent of the money they spent. Some might also say that settling 3 lawsuits for pennies on the dollar is also a whale of a holiday gift. Sadly, there is more.

Much more. Forbes Magazine explained:

"Of course, the real cost to Mr. Trump is after tax, not before it. And most business settlements are fully tax deductible. The only part that arguably may not be here is the $1 million in penalties. But barring express non-deductibility commitments, many penalties can be deducted, too. In general, fines and penalties paid to the government are not deductible. Section 162(f) of the tax code prohibits deducting "any fine or similar penalty paid to a government for the violation of any law."

Despite punitive sounding names, though, some fines and penalties are considered remedial and deductible. That allows some flexibility. Companies often deduct ‘compensatory penalties,’ a maneuver affirmed in a recent Circuit Court ruling. Some defendants insist that their settlement agreement confirms that the payments are not penalties and are remedial. Conversely, some government entities insist on the reverse.  Explicit provisions about taxes in settlement agreements are becoming more common."

You may remember the fines and payments paid by JPMorgan bank in a 2013 settlement agreement. Frobes explained that only $2 billion of the $13 billion was not tax-deductible. So, taxpayers nationwide have given Mr. Trump a whale of a holiday gift similar to gifts given repeatedly to big banks: tax-deductible payments in settlement agreements that allow them to pay less taxes. You'd think that the tax-deductible benefit would come with a price: having to admit wrongdoing.

Is this fair? Is it right? A 2014 survey by the U.S. Public Interest Research Group Education Fund found that most Americans disapprove of tax-deductible payments in settlement agreements, and want more transparency and disclosures about the contents of settlement agreements.

It is infuriating to this taxpayer. Hopefully it infuriates you, too. It seems that often payments and fines to resolve and penalize a defendant for wrongdoing are anything but. What are your opinions?


The List of Fake News Sites

New York Magazine reported:

"As Facebook and now Google face scrutiny for promoting fake news stories, Melissa Zimdars, a communication and media professor from Merrimack College in Massachusetts, has compiled a handy list of websites you should think twice about trusting. “Below is a list of fake, false, regularly misleading, and otherwise questionable ‘news’ organizations that are commonly shared on Facebook and other social media sites,” Zimdars explains. “Many of these websites rely on ‘outrage’ by using distorted headlines and decontextualized or dubious information in order to generate likes, shares, and profits.” (Click here to see the list.)

Be warned: Zimdars’s list is expansive in scope, and stretches beyond the bootleg sites (many of them headquartered in Macedonia) that write fake news for the sole reason of selling advertisements. Right-wing sources and conspiracy theorists like Breitbart and Infowars appear alongside pure (but often misinterpreted) satire like the Onion and The New Yorker’s Borowitz Report."

For consumers seeking "hard" news (e.g., the raw who, what, when, and where something happened), some sources: Associated Press (AP), Reuters, and United Press International (UPI). What sources do you use for "hard" news?


Phone Calls, Apple iCloud, Cloud Services, And Your Privacy

A security firm has found a hidden feature that threatens the privacy of Apple iPhone and iCloud users. Forbes magazine reported:

"Whilst it was well-known that iCloud backups would store call logs, contacts and plenty of other valuable data, users should be concerned to learn that their communications records are consistently being sent to Apple servers without explicit permission, said Elcomsoft CEO Vladimir Katalov. Even if those backups are disabled, he added, the call logs continue making their way to the iCloud, Katalov said... All FaceTime calls are logged in the iCloud too, whilst as of iOS 10 incoming missed calls from apps like WhatsApp and Skype are uploaded..."

Reportedly, the feature is automatic and the only option for users wanting privacy is to not use Apple iCloud services. That's not user-friendly.

Should you switch from Apple iCloud to a commercial service? Privacy risks are not unique to Apple iCloud. Duane Morris LLP explained the risks of using cloud services such as Dropbox, SecuriSync, Citrix ShareFile, and Rackspace:

"Users of electronic file sharing and storage service providers are vulnerable to hacking... Dropbox as just one example: If a hacker was to get their hands on your encryption key, which is possible since Dropbox stores the keys for all of its users, hackers can then steal your personal information stored on Dropbox. Just recently, Dropbox reported that more than 68 million users’ email addresses and passwords were hacked and leaked onto the Internet... potentially even more concerning is the fact that because these service providers own their own servers, they also own any information residing on them. Hence, they can legally access any data on their servers at any time. Additionally, many of these companies house their servers outside of the United States, which means the use, operation, content and security of such servers may not be protected by U.S. law. Furthermore, consider the policies regarding the sharing of your information with third parties. Among others, Dropbox has said that if subpoenaed, it will voluntarily disclose your information to a third party, such as the Internal Revenue Service."

Regular readers of this blog know what that means. Many government entities, such as law enforcement and intelligence agencies besides the IRS issue subpoenas.

This highlights the double-edged sword from syncing and file-sharing across multiple devices (e.g., phone, laptop, desktop, tablet). Sure, is a huge benefit to have all of your files, music, videos, contacts, and data easily and conveniently available regardless of which device you use. Along with that benefit comes the downside privacy and security risks: data stored in cloud services is vulnerable to hacking and subject to government warrants, subpoenas, and court actions. As Duane Morris LLP emphasized, it doesn't matter whether your data is encrypted or not.

Also, Forbes magazine reported:

"Katalov believes automated iCloud storage of up-to-date logs would be beneficial for law enforcement wanting to get access to valuable iPhone data. And, he claimed, Apple hadn’t properly disclosed just what data was being stored in the iCloud and, therefore, what information law enforcement could demand."

Well, law enforcement, intelligence agencies, and cyber-criminals now know what information to demand.


JPMorgan Chase Bank Fined $61.9 Million Fine For Improper Hiring Practices

JPMorgan Chase logo The Federal Reserve Board has levied a $61.9 million fine against JPMorgan bank for "unsafe and unsound" hiring practices. The Federal Reserve Board announced:

"In levying the fine on JPMorgan Chase, the Federal Reserve Board found that the firm's Asia-Pacific investment bank operated an improper referral hiring program. The firm offered internships, trainings, and other employment opportunities to candidates who were referred by foreign government officials and existing or prospective commercial clients to obtain improper business advantages.

The Federal Reserve found that the firm did not have adequate enterprise-wide controls to ensure that referred candidates were appropriately vetted and hired in accordance with applicable anti-bribery laws and firm policies."

To obtain improper business advantages, the bank operated the improper hiring program from at least 2008 through 2013. The FRB found that the program generally produced lesser qualified candidates. The Order to Cease and Desist and Order to Assess a Civil Monetary Penalty (Adobe PDF) stated:

"... from at least 2008 through 2013, JPMC’s APAC investment banking group operated a referral hiring program whereby candidates who were referred, directly or indirectly, by foreign government officials and existing or prospective commercial clients, and who in most instances were less qualified than non-referred candidates who were hired through the Firm’s standard hiring programs, were offered internships, training, and other employment opportunities in order to obtain improper business advantages for the Firm... Federal law and JPMC’s firm-wide policies prohibit the Firm’s employees from offering, directly or indirectly, anything of value, including the offer of internships, training, or other employment opportunities for relatives of a foreign government official, to foreign government officials in order to obtain improper business advantages... the laws in many foreign jurisdictions in which the Firm conducts business and JPMC’s firm-wide policies prohibit the Firm’s employees from offering, directly or indirectly, anything of value to existing or prospective commercial clients in order to obtain improper business advantages..."

JPMorgan has spotty history worth reviewing briefly. In January 2015, it was one of four banks that settled illegal foreclosure charges with the Massachusetts Attorney General with a $2.7 million payment. In November 2014, both RBS and JPMorgan were part of a group of banks that paid $4.2 billion in fines to U.S., U.K., and Swiss regulators for rigging the foreign exchange, or FX, market. In December 2013, JPMorgan paid $515.4 million to the Federal Deposit Insurance Company (FDIC), $300 million to the California Attorney General, and $13 billion with the U.S. Justice Department to settle charges about the misrepresentation of offering documents for residential mortgage-backed securities (RMBS).

In December 2013, JPMorgan Chase announced a data breach that affected half a million prepaid card customers. U.S. taxpayers also learned that month that much of the huge fines JPMorgan paid were tax-deductible and reduced the bank's tax payments. in September 2013, the Consumer Financial Protection Bureau (CFPB) ordered both Chase Bank USA, N.A. and JPMorgan Chase Bank, N.A. to refund about $309 million to more than 2.1 million customers for illegal credit card practices, where customers were enrolled in credit monitoring services without their authorization and charged for services not delivered.

The latest Consent Order also includes a clause not to prosecute executives. Additional terms of the fine require the bank to modify its hiring practices with oversight by the U.S. Justice Department (DOJ) and the U.S. Securities and Exchange Commission (SEC). Those modifications require improved oversight by senior management and anti-bribery policies.


Some Android Phones Infected With Surveillance Malware Installed In Firmware

Security analysts recently discovered surveillance malware in some inexpensive smartphones that run the Android operating system (OS) software. The malware secretly transmits information about the device owner and usage to servers in China. The surveillance malware was installed in the phones' firmware. The New York Times reported:

"... you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours. Security contractors recently discovered pre-installed software in some Android phones... International customers and users of disposable or prepaid phones are the people most affected by the software... The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature."

Shanghai ADUPS Technology Company (ADUPS) is privately owned and based in Shanghai, China. According to Bloomberg, ADUPS:

"... provides professional Firmware Over-The-Air (FOTA) update services. The company offers a cloud-based service, which includes cloud hosts and CDN service, as well as allows manufacturers to update all their device models. It serves smart device manufacturers, mobile operators, and semiconductor vendors worldwide."

Firmware is a special type of software store in read-only memory (ROM) chips that operates a device, including how it controls, monitors, and manipulates data within a device. Kryptowire, a security firm, discovered the malware. The Kryptowire report identified:

"... several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example)... These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information... Our findings are based on both code and network analysis of the firmware. The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. This software and behavior bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed."

So, the malware was powerful, sophisticated, and impossible for consumers to detect.

This incident provides several reminders. First, there were efforts earlier this year by the U.S. Federal Bureau of Investigation (FBI) to force Apple to build "back doors" into its phones for law enforcement. Reportedly, it is unclear what specific law enforcement or intelligence services utilized the data streams produced by the surveillance malware. It is probably wise to assume that the Ministry of State Security, China's intelligence agency, had or has access to data streams.

Second, the incident highlights supply chain concerns raised in 2015 about computer products manufactured in China. Third, the incident indicates how easily consumers' privacy can be compromised by data breaches during a product's supply chain: manufacturing, assembly, transport, and retail sale.

Fourth, the incident highlights Android phone security issues raised earlier this year. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Fifth, the incident highlights the need for automakers and software developers to ensure the security of both connected cars and driverless cars.

Sixth, the incident raises questions about how and what, if anything, President Elect Donald J. Trump and his incoming administration will do about this trade issue with China. The Trump-Pence campaign site stated about trade with China:

"5. Instruct the Treasury Secretary to label China a currency manipulator.

6. Instruct the U.S. Trade Representative to bring trade cases against China, both in this country and at the WTO. China's unfair subsidy behavior is prohibited by the terms of its entrance to the WTO.

7. Use every lawful presidential power to remedy trade disputes if China does not stop its illegal activities, including its theft of American trade secrets - including the application of tariffs consistent with Section 201 and 301 of the Trade Act of 1974 and Section 232 of the Trade Expansion Act of 1962..."

This incident places consumers in a difficult spot. According to the New York Times:

"Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable. “People who have some technical skills could,” Mr. Karygiannis, the Kryptowire vice president, said. “But the average consumer? No.” Ms. Lim [an attorney that represents Adups] said she did not know how customers could determine whether they were affected."

Until these supply-chain security issues get resolved it is probably wise for consumers to inquire before purchase where their Android phone was made. There are plenty of customer service sites for existing Android phone owners to determine the country their device was made in. Example: Samsung phone info.

Should consumers avoid buying Android phones made in China or Android phones with firmware made in China? That's a decision only you can make for yourself. Me? When I changed wireless carriers in July, I switched an inexpensive Android phone I'd bought several years ago to an Apple iPhone.

What are your thoughts about the surveillance malware? Would you buy an Android phone?


Facebook Says it Will Stop Allowing Some Advertisers to Exclude Users by Race

Facebook logo [Editor's note: Today's guest post was originally published by ProPublica on November 11, 2016. It is reprinted with permission. This prior post explained the problems with Facebook's racial advertising filters.]

by Julia Angwin, ProPublica

Facing a wave of criticism for allowing advertisers to exclude anyone with an "affinity" for African-American, Asian-American or Hispanic people from seeing ads, Facebook said it would build an automated system that would let it better spot ads that discriminate illegally.

Federal law prohibits ads for housing, employment and credit that exclude people by race, gender and other factors.

Facebook said it would build an automated system to scan advertisements to determine if they are services in these categories. Facebook will prohibit the use of its "ethnic affinities" for such ads.

Facebook said its new system should roll out within the next few months. "We are going to have to build a solution to do this. It is not going to happen overnight," said Steve Satterfield, privacy and public policy manager at Facebook.

He said that Facebook would also update its advertising policies with "stronger, more specific prohibitions" against discriminatory ads for housing, credit and employment.

In October, ProPublica purchased an ad that targeted Facebook members who were house hunting and excluded anyone with an "affinity" for African-American, Asian-American or Hispanic people. When we showed the ad to a civil rights lawyer, he said it seemed like a blatant violation of the federal Fair Housing Act.

After ProPublica published an article about its ad purchase, Facebook was deluged with criticism. Four members of Congress wrote Facebook demanding that the company stop giving advertisers the option of excluding by ethnic group.

The federal agency that enforces the nation's fair housing laws said it was "in discussions" with Facebook to address what it termed "serious concerns" about the social network's advertising practices.

And a group of Facebook users filed a&n class-action lawsuit against Facebook, alleging that the company's ad-targeting technology violates the Fair Housing Act and the Civil Rights Act of 1964.

Facebook's Satterfield said that today's changes are the result of "a lot of conversations with stakeholders."

Facebook said the new system would not only scan the content of ads, but could also inject pop-up notices alerting buyers when they are attempting to purchase ads that might violate the law or Facebook's ad policies.

"We're glad to see Facebook recognizing the important civil rights protections for housing, credit and employment," said Rachel Goodman, staff attorney with the racial justice program at the American Civil Liberties Union. "We hope other online advertising platforms will recognize that ads in these areas need to be treated differently."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Adobe Settles With 15 States Regarding 2013 Data Breach

The Indiana Attorney General announced a multi-state $1.0 million settlement agreement with Adobe Systems, Inc. after a data breach in 2013 where the information about 2.9 million customers nationwide was stolen. The data elements stolen included names, addresses, telephone numbers, e-mail addresses, usernames, encrypted payment card numbers and expiration dates.

14 states which joined Indiana in the settlement agreement: Arkansas, Connecticut, Illinois, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont. The states alleged in a lawsuit that Adobe failed to use reasonable security measures to protect its computing systems from hacks or had proper intrusion detection methods installed. The multi-state settlement agreement covers about 552,000 residents from the 15 states.

Indiana's share of the settlement was $53,718.36 for 24,049 Indiana residents affected by the breach. Indiana AG Greg Zoeller said:

"This case is yet another example of the importance of protecting your personal and financial information... I continue to be an advocate for Indiana’s credit freeze protections and encourage all Hoosiers to place credit freezes with the major credit bureaus.”

Connecticut's share was $135,095.71. Connecticut AT George Jepsen  said:

"Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access... Adobe worked in good faith with my office and the states affected by this incident to better protect consumer information going forward, and for that it deserves some credit. My office will continue to be diligent in protecting Connecticut consumers by strictly enforcing our privacy laws."

46,465 Maryland residents were affected by the breach. Maryland AG Brian E. Frosh said:

“Reasonable security measures must be implemented to maintain the safety and security of consumers’ personal information... As a result of this agreement, Adobe has agreed to bolster its security to prevent another similar occurrence.”

More settlement agreements may be forthcoming.


Voting Technologies By County Across The United States

State and local governments across the United States use a variety of voting technologies. Chances are, you voted on Tuesday using one of two dominant technologies: optical-scan ballots or direct-recording electronic (DRE) devices. Optical-scan ballots are paper ballots where voters fill in bubbles or other machine-readable marks. DRE devices include touch-screen devices that store votes in computer memory.

The Pew Research Center analyzed data from the Verified Voting Foundation, a nongovernmental organization, and found that almost:

"... half of registered voters (47%) live in jurisdictions that use only optical-scan as their standard voting system, and about 28% live in DRE-only jurisdictions... Another 19% of registered voters live in jurisdictions where both optical-scan and DRE systems are in use... Around 5% of registered voters live in places that conduct elections entirely by mail – the states of Colorado, Oregon and Washington, more than half of the counties in North Dakota, 10 counties in Utah and two in California. And in more than 1,800 small counties, cities and towns – mostly in New England, the Midwest and the inter-mountain West – more than a million voters still use paper ballots that are counted by hand."

Previously, voting systems nationwide used punch-card devices and "lever machines" which were slowly replaced since 1980 by optical-scan and DRE devices. You may remember voting with one of the old-style lever machines, a self-contained voting booth where voters flips switches for candidates and then pulled a large lever to record their votes:

"Punch cards hung on throughout the 1990s but gradually lost ground to optical-scan and electronic systems – a decline that accelerated sharply after the 2000 Florida election recount debacle that brought the term “hanging chad” to brief prominence. But as punch cards faded away (the last two jurisdictions to use them, Franklin and Shoshone counties in Idaho, abandoned them after the 2014 elections), some voters became concerned that fully electronic voting would not generate any “paper trail” for future recounts. According to Verified Voting, of the 53,608 jurisdictions that use DRE equipment as their major voting method, almost three-quarters use systems that don’t create paper receipts or other hard-copy records of voters’ choices."

In August of this year, Wired reported about the state of security of the DRE devices:

"What people may not remember is the resulting Help America Vote Act (HAVA), passed in 2002, which among other objectives worked to phase out the use of the punchcard voting systems that had caused millions of ballots to be tossed. In many cases, those dated machines were replaced with electronic voting systems. The intentions were pure. The consequences were a technological train wreck.

“People weren’t thinking about voting system security or all the additional challenges that come with electronic voting systems,” says the Brennan Center’s Lawrence Norden. “Moving to electronic voting systems solved a lot of problems, but created a lot of new ones.”

The list of those problems is what you’d expect from any computer or, more specifically, any computer that’s a decade or older. Most of these machines are running Windows XP, for which Microsoft hasn’t released a security patch since April 2014. Though there’s no evidence of direct voting machine interference to date, researchers have demonstrated that many of them are susceptible to malware or, equally if not more alarming, a well-timed denial of service attack."

Experts have said that, besides better built and more secure DREs, post-election auditing -- checking vote totals against paper ballots -- is the best way to ensure accurate vote totals. Reportedly, more than half of states perform post-election audits.

So, it seems appropriate for citizens living in counties that use antiquated DREs, or that don't perform post-election audits, to contact their elected representatives and demand improvements. Good entities to contact are the elections departments in your city, or the Secretary in your state. Find your state in this list. Below is an image of voting technologies by county:

Pew Research Voting technologies by county in the United States. Click to view larger version


Connected Cars: 4 Tips For Drivers To Stay Safe Online

With the increasing dominance of the Internet of Things (IoT), connected cars are becoming more ubiquitous than ever. We’ve long heard warnings from the media about staying safe online, but few consumers consider data hacks and other security compromises while driving a car connected to the internet.

According to the inforgraphic below from Arxan, an app protection company, 75 percent of all cars shipped globally will have internet connectivity by 2020, and current connected cars have more than 100 million lines of code. Connected features are designed to improve safety, fuel efficiency, and overall convenience. These features range from Bluetooth, WiFi, cellular network connections, keyless entry systems, to deeper “cyberphysical” features like automated braking, and parking and lane assist.

More Features Means More Vulnerability
However, with this increasing connectivity comes risks from malicious hacking. Today, connected cars have many attack points malicious hackers can exploit, including the OBD2 port used to connect third-party devices, and the software running on infotainment systems.

According to Arxan, some of the more vulnerable attack points are mobile apps that unlock vehicles and start a vehicle remotely, diagnostic devices, and insurance dongles, including the ones insurance companies give to monitor and reward safe drivers. These plug into the OBD2 port, but hackers could essentially access any embedded system in the car after lifting cryptographic keys, as the Arxan page on application protection for connected cars describes.

Vulnerabilities are usually demonstrated in conferences like Black Hat. Example: in 2010, researchers at the University of Washington and the University of California San Diego hacked a car that had a variety of wireless capabilities. The vulnerable attack points they targeted included its Bluetooth, the cellular radio, an Android app on the owner’s phone that was connected to the car’s network, and an audio file burned onto a CD in the car’s stereo. In 2013, hackers Charlie Miller and Chris Valasek hijacked the steering and brake systems of both a Ford Escape and Toyota Prius with only their laptops.

How To Protect Yourself
According to the FBI and Department of Transportation in a public service announcement, it’s crucial that consumers following the following recommendations to best protect themselves:

  1. Keep your vehicle’s software up to date
  2. Stay aware of recalls that require manual security patches to your car’s code
  3. Avoid unauthorized changes to your car’s software
  4. Use caution when plugging insecure devices into the car’s ports and network

With the latest remote hack of a Tesla Model S, it seems that the response time between finding out about a breach and issuing a patch to correct it is thankfully getting shorter. As more automakers become tech-oriented like Tesla, they will also need to cooperate with OEMs to make sure the operating-system software in their vehicles is designed securely. It seems, this will take time, coordination with vendors, and money to bring these operations in house.

Arxan connected vehicles infographic

What do you do to protect your Internet-connected vehicle? What security tools and features would you prefer automakers and security vendors provide?


Facebook Provides Members With Elections Ballot Previews

The Facebook social networking site introduced on October 28, 2016 a new feature where provides its voting-age users with previews of candidates and questions. The site presented users with the following ad:

Facebook Elections Ballot ad. Click to view larger version

Like other ads in the site, users can disable the ad. Users that select the "Preview Your Ballot" link will see next three pop-up pages which explain the new feature:

Facebook Elections Ballot popup window. Click to view larger version

Then,, users can preview their ballot based upon where they live, which includes national candidates running for office and ballot questions. To view local candidates running for office and local ballot questions, users must provide Facebook with their complete street address:

Facebook Elections Ballot landing page. Click to view larger version

Within the new feature, users can preview information about each candidates: Issue Positions, Endorsements, Recent Posts, and Website. "Issue Positions" links to content within the candidate's Facebook page. The "Endorsements" and "Recent Posts" selections link similar. "Website" links to the candidate's external website. Issue Positions includes the topics you might expect: budget, civil rights, economy, education, energy, environment, foreign policy, guns, health, immigration, infrastructure, military, Social Security, taxes, terrorism, and more.

Why did Facebook introduce this new feature? According to a popup within the feature:

"You're seeing this because you may be in a state that has a voter registration deadline or election coming up. We want to help people have their voice heard in the elections this year, so we're showing this message to people who are old enough to vote - no matter who they support.

We send reminders about voting every now and then. If you'd rather not see these in the future, click or tap the in the top right corner of the reminder and select Hide Reminder, then Hide all voting reminders."

The official Facebook announcement on October 28 said:

"Voting is important... we’re encouraging civic participation. We want to make it easier for people who want to participate to do so, and to have a voice in the political process... Today, we’re introducing a new feature that shows you what’s on the ballot — from candidates to ballot initiatives. We also show you where the candidates stand on the issues...Not all states in America mail out sample ballots ahead of an election. This can make it challenging to find comprehensive information about the questions you’ll be expected to consider when you walk into the voting booth. Thanks to data gathered from election officials by the nonpartisan Center for Technology and Civic Life (CTCL), we can present you with a preview of the ballot you’ll receive on November 8. If you notice an issue with the CTCL data, we’ve built in a way for you to provide feedback and help correct the dataset.

Challenging to find information? What a load of bull. The Internet makes it easy to visit websites for candidates and ballot questions. Plus, information is available at every state. Example: ballot information in Massachusetts is available at websites by the Secretary of the Commonwealth and the City of Boston. Sample ballots were available during the primaries, too. Every state in the Union has a Secretary of State whose website you should visit anyway for elections and other information. Find your state in this list.

I first saw Facebook's new Elections Ballot feature on November 2, 2016 -- five days after the announcement, and less than 6 days before the November 8 Elections Day. You'd think that Facebook would have introduced this feature sooner; ideally, as soon as the main parties had nominated their candidates. Facebook didn't. Not good. And, the feature's availability may be too late for early voters.

What else is happening with this new feature? Several items are worth mentioning. First, executives at Facebook are probably well aware that two-thirds of the site's users get their news at the site. This new feature is clearly an attempt to keep users within the Facebook bubble: increase the amount of time on site and the number of pages viewed within the site.

Second, the accuracy of the new feature is suspect. I have never shared my residential address with Facebook, so the elections feature displayed 4 questions when there are actually 5 where I live. The fifth question is a local ballot iniative. Users like me, who haven't provided street address information, may get a wrong impression of what's on their ballot -- if they fail to read the fine print. And, we know that too many consumers never read the fine print.

Third, the local candidates and ballot questions are a slick way for Facebook to force users to share their residential street address information. Fourth, the new feature is an opportunity to capture users' voting information. Of course, not the official ballots, but the next closest thing. Users can select which candidates are their Favorites and share it with their Friends: people, coworkers, classmates, family, neighbors, and others they are connected to at the site. Favoriting a candidate within this new feature seems like a pretty explicit and accurate proxy instead of an official ballot:

Facebook Elections Ballot. Links to learn about or favorite a candidate. Click to view larger version

Fifth, armed with this ballot information about its users, Facebook can probably charge more to advertisers (e.g., political campaigns, political action committees, pollsters, data brokers) interested in purchasing information about voting populations and/or buying targeted ads at the site. Consider this report by BuzzFeed from November 2014:

"At some point in the next two years, the pollsters and ad makers who steer American presidential campaigns will be stumped: The nightly tracking polls are showing a dramatic swing in the opinions of the electorate, but neither of two typical factors — huge news or a major advertising buy — can explain it. They will, eventually, realize that the viral, mass conversation about politics on Facebook and other platforms has finally emerged as a third force in the core business of politics, mass persuasion.

Facebook is on the cusp — and I suspect 2016 will be the year this becomes clear — of replacing television advertising as the place where American elections are fought and won. The vast new network of some 185 million Americans opens the possibility, for instance, of a congressional candidate gaining traction without the expense of television, and of an inexpensive new viral populism. The way people share will shape the outcome of the presidential election."

It seems that day has arrived. Shape the conversation and outcome, indeed. It's all driven by data -- big data -- data mining.

Sixth, the new feature raises questions and issues for users. Should Facebook know your voting decisions? Does Facebook have a right to know your voting decisions? Has Facebook earned the right to know your voting decisions? Facebook is a money-making enterprise, so it will sell your information to as many other companies as possible. According to the October 28 announcement:

"How you vote is a personal matter, and we’ve taken steps to make sure that you have utmost control over your plan. After you make a selection, you have to choose who you want to be able to see it (“Only me” or “Friends”). For example, you may want to be private about your choice for president, but share with friends your pick for a congressional race or a ballot initiative."

The language in the announcement seems to confusingly refer to the Facebook feature as voting, when it isn't. Do all of your friends need to know your voting preferences? What about friends with Facebook profiles that are open to the general public? In the latter case, anybody wandering in can view your voting information. Is that what you really want?

Not me. What happens in the voting booth stays in the voting booth. I may express concerns on Facebook, but my final vote is private. No doubt, some consumers will share their voting preferences without considering the implications.

I visited the CTCL website and found it underwhelming and lacking key information to uderstand what this organization really is and does. Not good.

What are your opinions of Facebook's new elections and ballot feature?


FCC Adopted New Broadband Privacy Rules

Federal communications Commission logo Late last month, the U.S. Federal Communications Commission (FC) adopted new privacy rules to require high-speed Internet service providers (ISPs) to protect the privacy of their customers. The FCC announcement explained the new privacy rules:

"Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;

A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information."

The new privacy rules prohibit “take-it-or-leave-it” offers, which means an ISP cannot refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes. The new rules also addressed the desire by ISPs to charge customers more fees for privacy. According to the FCC Fact Sheet:

"Recognizing that so-called “pay for privacy” offerings raise unique considerations, the rules require heightened disclosure for plans that provide discounts or other incentives in exchange for a customer’s express affirmative consent to the use and sharing of their personal information. The Commission will determine on a case-by-case basis the legitimacy of programs that relate service price to privacy protections. Consumers should not be forced to choose between paying inflated prices and maintaining their privacy.

ISPs like Comcast, AT&T, Charter, and Verizon opposed the stricter privacy rules. Google had argued for broader opt-out provisions and privacy rules the same as for websites, not stricter. The U.S. Chamber of Commerce, a political lobbying organization, opposed the stronger privacy rules the FCC proposed in March. Last week, Reuters reported:

"The final regulation is less restrictive than the initial plan proposed by FCC chairman Tom Wheeler in March and closer to rules imposed on websites by the Federal Trade Commission. Republican commissioners said the rules unfairly give websites the ability to harvest more data than service providers and dominate digital advertising."

FCC Chairman Wheeler released a statement on October 27 about the new broadband privacy rules:

"Last week, I visited Consumer Reports’ headquarters in Yonkers, New York, where I toured their product testing facility and met with senior leadership. When looking at a smart refrigerator that collects and shares data over the Internet, the discussion turned to privacy. Who would have ever imagined that what you have in your refrigerator would be information available to AT&T, Comcast, or whoever your network provider is?

The more our economy and our lives move online, the more information about us goes over our Internet Service Provider (ISP) – and the more consumers want to know how to protect their personal information in the digital age.

Today, the Commission takes a significant step to safeguard consumer privacy in this time of rapid technological change, as we adopt rules that will allow consumers to choose how their Internet Service Provider (ISP) uses and shares their personal data.

The bottom line is that it’s your data. How it’s used and shared should be your choice."

The last sentence cannot be over-emphasized. Consumers: it is our information -- property -- which ISPs use, sell, and make money with. Consumers should decide what data broadband and wireless providers share with marketers. Consumers must be in control.

And, there is more to come as the FCC oversees "pay-for-privacy" schemes by ISPs. So, thanks to the FCC and to Chairman Wheeler for fighting strongly for consumers' online privacy rights. What are your opinions of the new broadband privacy rules?


Study: Almost 40 Percent of U.S. Smartphone Owners Use Voice Recognition

According to a recent study by Parks Associations, a market research and consulting company, 39 percent of smartphone owners in the United States use some form of voice recognition (e.g., Siri, Google Now). The usage is higher (more than 50 percent) for iPhone owners compared to Android owners (less than 33 percent). Harry Wang, Director of Health & Mobile Product Research at Parks Associations said:

“Smartphone penetration has reached 86% of U.S. broadband households, so it is a mature market, with users, particularly younger consumers and iOS users, exploring more intelligent features and interfaces, including voice control... The growing consumer interest in voice control features is driving this technology into new IoT areas... Following Apple’s lead with Siri, other brands have created ‘personalities’ for their voice-control solutions, like Alexa for Amazon Echo and Cortana for Windows Phones."

Usage is higher among younger persons. 48 percent of smartphone users ages 18-24, use voice recognition software, usage of the “Siri” voice recognition software increased from 40 to 52 percent between 2013 and 2015. In total, about 15 percent of all U.S. broadband households use Siri.

About 70 percent of smartphone owners who use voice recognition are satisfied. 38 percent said they are very satisfied, and 9 percent said they are not satisfied.

Additional findings about U.S. smartphone users:

  • More than 70 percent watch short streaming video clips, and more than 40 percent watch long streaming videos.
  • 36 percent use WiFi calling.
  • 26 percent use a payment app for purchases at retail stores, and
  • 24 percent stream video from their phones to a second screen (e.g., TV, PC).

Learn more in the "360 View: Mobility and the App Economy" report, or the press release, by Parks Associates.