Previous month:
November 2016
Next month:
January 2017

13 posts from December 2016

Federal Reserve: Monitor Your Bank Accounts For Fraud And Know Where To Get Help

On Thursday, the Federal Reserve Board (FRB) issued a warning for consumers to do two things to protect themselves and their finances:

  1. Monitor online accounts for unauthorized transactions, and
  2. Learn where to find help should you find unauthorized transactions in your financial accounts

The FRB's warning also stated:

"Signs of potential problems may include a notice, bill, or debit card for an account that was not activated or authorized, as well as a notice of fees for unsolicited products or services tied to an existing account. Consumers who see questionable activity should contact their financial institution immediately. Consumers who continue to experience issues may also submit a complaint to the Federal Reserve. The Federal Reserve maintains the Federal Reserve Consumer Help (FRCH) website, which offers an online complaint form and information on filing complaints by fax and phone for consumers. The FRCH website also provides consumer alerts, frequently asked questions, and information about other government agencies. While the Federal Reserve does not have the authority to resolve every problem, it will refer complaints to the relevant federal or state agency. Consumers can contact FRCH at 1-888-851-1920, or at www.federalreserveconsumerhelp.gov."

Other relevant federal agencies may include the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Securities & Exchange Commission (SEC).


Driver's Licenses For 9 States Won't Be Valid ID For Domestic Flights In 2018

Residents in nine states wanting to travel domestically via commercial airlines may need to obtain alternative identification documents. Why? While new identification requirements will become effective in 2018, starting in 2017 federal agencies may no longer accept driver's licenses from these nine states.

On December 12, the Department of Homeland Security (DHS) announcement explained:

"The Transportation Security Administration (TSA) will begin posting signs at airports this week notifying travelers that beginning January 2018 it will start enforcing REAL ID requirements at airport security checkpoints, meaning that travelers seeking to use their state-issued driver’s license or identification card for boarding commercial aircraft may only use such documents if they are issued by a REAL ID compliant state or a non-compliant state with an extension."

The U.S. Congress passed the REAL ID Act in 2005 to establish minimum security standards for state-issued driver’s licenses and identification cards. The Act prohibits federal agencies, including the TSA, from accepting licenses and identification cards for certain official purposes (e.g., boarding federally regulated commercial aircraft) from states that do not meet these minimum standards and have not received an extension for compliance from DHS.

If the nine states change their procedures, then the government may grant each state an extension or approval, as warranted. The nine states which did not receive extensions for 2016 or 2017 are Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina, and Washington. So, starting January 30, 2017 federal agencies and nuclear power plants may not accept driver's licenses and state IDs from these nine states for identification. Federal officials may continue to accept Enhanced Driver’s Licenses from Minnesota and Washington.

See the DHS site for the compliance status for all states and territories. See the TSAa.gov site for a complete list of identification documents accepted at TSA checkpoints. Below are the notices you may see while traveling through airports.

Generic TSA notice about changing ID requirements

TSA notice for noncompliant states about changing ID requirements


Federal Reserve Bars Two Bank Executives From Working Within Industry

The Federal Reserve Board announced this enforcement action:

"Richard Henderson and Philip Cooper, who held senior positions at Regions Equipment Finance Corporation (REFCO), Regions' subsidiary, were recently indicted for bank bribery, wire fraud, money laundering, and conspiracy. According to the indictment, Henderson and Cooper conspired to defraud Regions and REFCO by directing REFCO to purchase insurance policies from a shell company that paid kickbacks to Henderson and Cooper. The indictment further alleges that Henderson and Cooper attempted to conceal those kickbacks by establishing additional shell companies to receive the kickbacks.

In issuing today's enforcement actions, the Board found that, given the indictment, Henderson's and Cooper's continued participation in any depository institution may impair public confidence in that institution. The prohibition is effective until the criminal charges against Henderson and Cooper are resolved or disposed of, or until the Board terminates the prohibition."

REFCO was founded in 1972 and is based in Birmingham, Alabama. It is a subsidiary of Regions Bank.


Federal Reserve Survey of Experiences of Younger Workers

The Federal Reserve Board (FRB) recently released the results of its survey of younger workers ages 18 to 30 with data through 2015. The survey found that younger workers overall:

"... experienced higher rates of unemployment and lower rates of labor force participation than the general population for at least two decades, and the Great Recession exacerbated this phenomenon. Despite a substantial labor market recovery from 2009 through 2014, vulnerable populations—including the nation’s young adults—continue to experience higher rates of unemployment. Changes in labor market conditions, including globalization and automation, have reduced the availability of well-paid, secure jobs for less-educated persons, particularly those jobs that provide opportunity for advancement. Furthermore, data suggest that young workers entering the labor market are affected by a long-running increase in the use of “contingent” or “alternative” work arrangements, characterized by contracted, part-time, temporary, and seasonal work."

Specific findings about younger workers' attitudes:

"In 2015, the majority of young adults (61 percent) are optimistic about their future job opportunities, showing an increase in optimism from 2013 (45 percent)... the likelihood that a young adult is optimistic about future job opportunities increases with higher levels of education... young adults continue to have a strong preference for steady employment (62 percent) over higher pay (36 percent)... Among respondents who prefer steady employment, 80 percent would rather have one steady job than a stream of steady jobs for the next five years...

Most young adults are not sure how their standard of living will compare with their parents’ standard of living. Young adults with at least one parent with a bachelor’s degree (or higher) are more likely to believe their standard of living will be lower than their parents (4 percent) when compared with young adults whose parents have a high school education or less (1 percent)...

Specific findings about younger workers' experiences:

"28 percent of respondents are currently enrolled as students in a certificate or degree program. Most students are enrolled in degree programs... most undergraduate students are identified “nontraditional” because they are over age 23, enrolled in school part time, working full time, and/or financially independent. 10 percent of respondents are “non-completers,” meaning they are not currently enrolled in a certificate or degree program they started... 62 percent of respondents with post-secondary education worked while in school to finance all or part of their most recent education. 52 percent of respondents with post-secondary educational experience have parents that contributed financially to their education. 46 percent of respondents incurred debt to pay for some portion of their education or training...

41 percent of respondents believe they have the level of education and training needed for the type of job that they would like to hold in the next five years... 66 percent of young adults received information about jobs and careers during high school. And, 69 percent of young adults received such information in college...

Less than half (45 percent) of employees work in a career field that is closely related to their educational and training background... Many young adults gained early work experience during high school, college, or both. 53 percent of young adults had a paid job during high school, and 77 percent of young adults had a paid job during college..."

A key takeaway: about 30 percent of young adults did not receive information about jobs and careers in high school nor college. That seems to be an area the educational sector must improve upon.

4,135 potential respondents were contacted for the 2015 survey, and 2,035 completed surveys (49 percent response rate). FRB staff designed the survey, which was administered by GfK, an online consumer research company.

More notable statistics from the survey: about 69 percent of survey respondents have some form of paid employment, up from 60 percent in 2013. 63 percent of employees held a single full-time job during the past year, and 18 percent of employees held multiple full-time jobs during the past year. Profile information about employed younger workers:

"78 percent of employees have a permanent/long-term job... 75 percent of employees in the survey have a full-time job... Among part-time employees surveyed, 49 percent were identified as underemployed, as they are working part time because of economic conditions. Meanwhile, 42 percent of part-time employees prefer part-time work... The percent of young workers who have health insurance increased from 2013 (70 percent) to 2015 (82 percent). Likewise, the percent of young workers who received paid time off for sick leave, holidays, or both from any of their paid jobs increased from 2013 (59 percent) to 2015 (62 percent)...

As adults, 43 percent of employees have formed a new household with their immediate family (i.e., spouse/partner), and 20 percent have formed a new household alone or with a roommate..."

Self-sufficiency is important. The report found:

"... 73 percent of employees are able to cover their monthly household expenses with their household income. Meanwhile, 22 percent of employees report that they are sometimes able to cover their monthly household expenses, and 4 percent are not able to cover their monthly household expenses at all... Among employees who are not able to cover their household expenses some or all of the time, 64 percent reduce their monthly expenses to meet the challenge, 56 percent do not pay some bills, 54 percent borrow money from family, 46 percent use their credit cards, 41 percent use savings, and 16 percent borrow from friends.

A key consideration regarding self-sufficiency is the ability of a household to withstand financial disruptions. Among young workers, the ability to go without a paycheck temporarily improved between 2013 and 2015. The percent of young workers who can pay their living expenses if out of work for four weeks improved from 38 percent in 2013 to 45 percent in 2015..."

The report cited 4 policy implications to address the findings:

  1. Improve Alignment between Education and the Labor Market
  2. Increase Opportunities for Non-degree Education
  3. Provide Assistance and Protections for Workers with Alternative Work Arrangements
  4. Seek Opportunities to Improve Job Growth

There is plenty of information in the 120-page report, which is available at the FRB site and here (Adobe PDF; 1,190.2K bytes).


Ashley Madison Operators Agree to Settlement With FTC And States

Ashley Madison home page image

The operators of the AshleyMadison.com dating site have agreed to settlement with the U.S. Federal Trade Commission (FTC) for security lapses in a massive 2015 data breach. 37 million subscribers were affected and site's poor handling of its password-reset mechanism made accounts discover-able while the site had promised otherwise. The site was know for helping married persons find extra-marital affairs.

The FTC complaint against Avid Life Media Inc. sought relief and refunds for subscribers. The complaint alleged that the dating site:

"... Defendants collect, maintain, and transmit a host of personal information including: full name; username; gender; address, including zip codes; relationship status; date of birth; ethnicity; height; weight; email address; sexual preferences and desired encounters; desired activities; photographs; payment card numbers; hashed passwords; answers to security questions; and travel locations and dates. Defendants also collect and maintain consumers’ communications with each other, such as messages and chats... Until August 2014, Defendants engaged in a practice of using “engager profiles” — that is, fake profiles created by Defendants’ staff who communicate with consumers in the same way that consumers would communicate with each other—as a way to engage or attract additional consumers to AshleyMadison.com. In 2014, there were 28,417 engager profiles on the website. All but 3 of the engager profiles were female. Defendants created these profiles using profile information, including photographs, from existing members who had not had any account activity within the preceding one or more years... Because these engager profiles contained the same type of information as someone who was actually using the website, there was no way for a consumer to determine whether an engager profile was fake or real. To consumers using AshleyMadison.com, the communications generated by engager profiles were indistinguishable from communications generated by actual members... When consumers signed up for AshleyMadison.com, Defendants explained that their system is “100% secure” because consumers can delete their “digital trail”.

More importantly, the complaint alleged that the operators of the site failed to protect subscribers' information in several key ways:

"a. failed to have a written organizational information security policy;
b. failed to implement reasonable access controls. For example, they: i) failed to regularly monitor unsuccessful login attempts; ii) failed to secure remote access; iii) failed to revoke passwords for ex-employees of their service providers; iv) failed to restrict access to systems based on employees’ job functions; v) failed to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on Defendants’ network; and vi) allowed their employees to reuse passwords to access multiple servers and services;
c. failed to adequately train Defendants’ personnel to perform their data security- related duties and responsibilities;
d. failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information. For example, Defendants failed to contractually require service providers to implement reasonable security; and
e. failed to use readily available security measures to monitor their system and assets at discrete intervals to identify data security events and verify the effectiveness of protective measures."

The above items read like a laundry list of everything not to do regarding information security. Several states also sued the site's operators. Toronto, Ontario-based Ruby Corporation (Formerly called Avid Life media), ADL Media Inc. (based in Delaware), and Ruby Life Inc. (d/b/a Ashley Madison) were named as defendants in the lawsuit. According to its website, Ruby Life operates several adult dating sites: Ashley Madison, Cougar Life, and Established Men.

The Ashley Madison site generated about $47 million in revenues in the United States during 2015. The site has members in 46 countries, and almost 19 million subscribers in the United States created profiles since 2002. About 16 million of those profiles were male.

Terms of the settlement agreement require the operators to pay $1.6 million to settle FTC and state actions, and to implement a comprehensive data-security program with third-party assessments. About $828,500 is payable directly to the FTC within seven days, with an equal amount divided among participating states. If the defendants fail to make that payment to the FTC, then the full judgment of $8.75 million becomes due.

The defendants must submit to the FTC a compliance report one year after the settlement agreement. The third-party assessment programs starts within 180 days of the settlement agreement and continues for 20 years with reports every two years. The terms prohibit the site's operators and defendants from misrepresenting to persons in the United States how their online site and mobile app operate. Clearly, the use of fake profiles is prohibited.

The JD Supra site discussed the fake profiles:

"AshleyMadison/Ruby’s use of chat-bot-based fake or “engager profiles” that lured users into upgrading/paying for full memberships was also addressed in the complaint. According to a report in Fortune Magazine, men who signed up for a free AshleyMadison account would be immediately contacted by a bot posing as an interested woman, but would have to buy credits from AshleyMadison to reply.

Gizmodo, among many other sites, has examined the allegations of fake female bots or “engager profiles” used to entice male users who were using Ashley Madison’s free services to convert to paid services: “Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” "

13 states worked on this case with the FTC: Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia. The State of Tennessee's share was about $57,000. Vermont Attorney General William H. Sorrell said:

“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website... I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it’s great to see that continuing.”

The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner reached their own separate settlements with the company. Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada said:

“In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”

Australian Privacy Commissioner Timothy Pilgrim stated:

"My office was pleased to work with the FTC and the Office of the Canadian Privacy Commissioner on this investigation through the APEC cross-border enforcement framework... Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

Kudos to the FTC for holding a company's feet (and its officers' and executives' feet) to the fire to protect consumers' information.


EPA Concludes Fracking a Threat to U.S. Water Supplies

[Editor's note: Today's guest post is by reporters at ProPublica. This new story was originally published on December 14, 2016. It is reprinted with permission.]

by Patrick G. Lee, ProPublica

Starting in 2008, ProPublica published stories that found hydraulic fracking had damaged drinking water supplies across the country. The reporting examined how fracking in some cases had dislodged methane, which then seeped into water supplies. In other instances, the reporting showed that chemicals related to oil and gas production through fracking were winding up in drinking water, and that waste water resulting from fracking operations was contaminating water sources.

Many environmentalists hailed the reporting. The gas drilling industry, for its part, pushed back, initially dismissing the accounts as anecdotal at best.

This week, the Environmental Protection Agency issued its latest and most thorough report on fracking's threat to drinking water, and its findings support ProPublica's reporting. The EPA report found evidence that fracking has contributed to drinking water contamination 2014 "cases of impact" 2014 in all stages of the process: water withdrawals for hydraulic fracturing; spills during the management of hydraulic fracturing fluids and chemicals; injection of hydraulic fracturing fluids directly into groundwater resources; discharge of inadequately treated hydraulic fracturing wastewater to surface water resources; and disposal or storage of hydraulic fracturing wastewater in unlined pits, resulting in contamination of groundwater resources.

In an interview, Amy Mall, a senior policy analyst at the National Resources Defense Council, said the EPA's report was welcome.

"Many of us have been working on this issue for many years, and industry has repeatedly said that there is no evidence that fracking has contaminated drinking water," Mall said.

The EPA report comes a year after its initial set of findings set off fierce criticism by environmental advocates and health professionals. That report, issued in 2015, said the agency had found no evidence that fracking had "led to widespread, systemic impacts on drinking water resources." Many accused the agency of pulling its punches and adding to confusion among the public. News organizations throughout the U.S. interpreted the EPA's language to mean it had concluded fracking did not pose a threat to water supplies and public health.

The EPA said in its report this week that the sentence about the lack of evidence of systemic issues had been intentionally removed because the agency's scientists had "concluded it could not be quantitatively supported."

"I think one of the concerns about the original document was that the EPA seemed to say that everything was fine," said Rob Jackson, a professor of earth-system science at Stanford University. "It's important that we understand the ways and the cases where things have gone wrong, to keep them from happening elsewhere."

The EPA's latest declaration comes as a Trump administration apparently hostile to almost any kind of regulation of fracking prepares to assume office. But those worried about fracking's implications for the environment have long been discouraged by the lack of consistent and stringent state or federal regulation.

"Because state regulators have not fully investigated cases of drinking water contamination, and because federal regulators have been handcuffed by Congress into how much they can regulate, the science wasn't as robust as it should have been," said Mall, the analyst at NRDC. "It's a pattern of, the rules are too weak, and the ones that are on the books aren't enforced enough."

The more significant impact of a Trump administration, however, may be in limiting the EPA's appetite for aggressive and continued study. The report issued this week was six years in the making, but made clear there was still much work to be done to better and more comprehensively determine fracking's impact on the environment, chiefly water supplies.

"It was not possible to calculate or estimate the national frequency of impacts on drinking water resources from activities in the hydraulic fracturing water cycle or fully characterize the severity of impacts," the report said.

The Trump administration's transition team did not immediately respond to an e-mailed request for comment about its position on fracking and the EPA's final report. Trump's transition website promises to "unleash an energy revolution" and "streamline the permitting process for all energy projects." It also says it will "refocus the EPA on its core mission of ensuring clean air, and clean, safe drinking water for all Americans."

Advocates for hydraulic fracturing argue that the final EPA report is not vastly different from the draft version.

"Anecdotal evidence about localized impacts does not disprove the central thesis, which is that there is no evidence of widespread or systemic impacts," said Scott Segal, a partner at Bracewell LLP who represents oil and gas developers. "There's a lot of exaggeration. There's a lot of mischaracterization of the extent of contamination that's based on a desire to enhance recovery in tort liability lawsuits."

Read more of ProPublica's major work on fracking.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Yahoo Announced Another Massive Data Breach. Has Begun Notifying Affected Users

Yahoo logo Yahoo announced on Wednesday a new data breach that affected as many as one billion users. The company believes this latest breach is different from its September 2016 breach. After law enforcement notified Yahoo in November about data files a third party claimed were stolen during the latest breach:

"... The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016."

The data elements stolen included full names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or un-encrypted security questions and answers. The announcement also said that no payment card data or bank account information was stolen.

Regardless, this is bad. First, Yahoo doesn't know how the criminals hacked its systems. So, it cannot prevent another breach. Second, law enforcement notified Yahoo. It's breach detection systems failed. Third, one billion is a lot of affected users. Fourth, the data elements stolen expose affected users to spam and attempted break-ins to their other online accounts. Cyber criminals will test stolen passwords at other sites to see where else they can access. It's what they do.

Fifth, Yahoo's stock price is falling again after news broke about the latest breach. Verizon has already said it will re-evaluate its acquisition offer based upon the latest news, or it may terminate the acquisition deal entirely.

Yahoo's breach announcement also disclosed:

"Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."

That's not good, either. The announcement did not disclose the name of the state-sponsored actor.

A reader of this blog shared the e-mail breach notice they received from Bob Lord, the Chief Information Security Officer at Yahoo. The breach notice contained much of the same content as the online announcement, but omitted the above information about forged cookies. The breach notice sent to users stated:

"From: Yahoo (Yahoo@communications.yahoo.com)
Sent: Wednesday, December 14, 2016 7:38 PM
Subject: Important Security Information for Yahoo Users

NOTICE OF DATA BREACH

Dear XXXXXXX,
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.

What Happened?
Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

What Information Was Involved?
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.

What We Are Doing
We are taking action to protect our users:

  • We are requiring potentially affected users to change their passwords.
  • We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
  • We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.

What You Can Do
We encourage you to follow these security recommendations:

  • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
  • Review all of your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For More Information
For more information about this issue and our security resources, please visit the Yahoo Security Issues FAQs page available at https://yahoo.com/security-update.

Protecting your information is important to us and we work continuously to strengthen our defenses.

Sincerely,

Bob Lord
Chief Information Security Officer
Yahoo"

What are your opinions of the latest breach at Yahoo? Is the company doing enough to protect users' information?


Health App Developer Settles With FTC For Deceptive Marketing Claims

The U.S. Federal Trade Commission (FTC) announced a settlement agreement with Aura Labs, Inc. regarding alleged deceptive claims about its product: the Instant Blood Pressure App. Aura sold the app from at least June 2014 to at least July 31, 2015 at the Apple App Store and at the Google Play marketplace for $3.99 (or $4.99). Sales of the app totaled about $600,000 during this period. Ryan Archdeacon, the Chief Executive Officer and President of Aura, was named as a co-defendant in the suit.

The FTC alleged that the defendants violated the FTC Act. The complaint alleged deceptive marketing claims by Aura about its blood pressure app:

"Although Defendants represent that the Instant Blood Pressure App measures blood pressure as accurately as a traditional blood pressure cuff and serves as a replacement for a traditional cuff, in fact, studies demonstrate clinically and statistically significant deviations between the App’s measurements and those from a traditional blood pressure cuff."

iMedicalApps reported on March 2, 2016:

"A study presented today at the American Heart Association EPI & Lifestyle (AHA EPI) meeting in Phoenix has shown the shocking inaccuracy of a popular medical app, Instant Blood Pressure... Back in 2014, we raised concerns about the Instant Blood Pressure medical app which claimed to measure blood pressure just by having users put their finger over their smartphone’s camera and microphone over their heart presumably to use something akin to a pulse wave velocity... Dr. Timothy Plante, a fellow in general internal medicine at Johns Hopkins, led the study in which a total of 85 participants were recruited to test the accuracy of the Instant Blood Pressure app... When looking at individuals with low blood pressure or high blood pressure, they found that the Instant Blood Pressure app gave falsely normal values. In other words, someone with high blood pressure who used the app would be falsely reassured their blood pressure was normal... the sensitivity for high blood pressure was an abysmal 20%. These results, while striking, should not be surprising. This medical app had no publicly available validation data, despite reassurance from the developer back in 2014 that such data was forthcoming. The use of things like pulse wave velocity as surrogates for blood pressure has been tried and is fraught with problems..."

The FTC complaint listed the problems with an online review posted in the Apple App Store:

"Defendant Ryan Archdeacon left the following review of the Instant Blood Pressure App in the Apple App Store: "Great start by ARCHIE1986 – Version – 1.0.1 – Jun 11, 2014. This app is a breakthrough for blood pressure monitoring. There are some kinks to work out and you do need to pay close attention to the directions in order to get a successful measurement but all-in-all it’s a breakthrough product. For those having connection problems, consider trying again. I have experienced a similar issue. It is also great that the developer is committed to continual improvements. This is a great start!!!" That the review was left by the Chief Executive Officer and President of Aura was not disclosed to consumers and would materially affect the weight and credibility consumers assigned to the endorsement."

The complaint also cited problems with endorsements posted at Aura's web site:

"At times material to this Complaint, the What People Think portion of Defendants’ website contained three endorsements, including the following endorsement from relatives of Aura’s Chairman of the Board and co-founder Aaron Giroux: "This is such a smart idea that will benefit many of us in monitoring our health in an easy and convenient way." That the endorsement was left by relatives of Aura’s Chairman of the Board and co-founder Aaron Giroux was not disclosed to consumers and would materially affect the weight and credibility consumers assigned to the endorsement."

Terms of the settlement prohibit the defendants from making such unsubstantiated claims in the future, refund money to affected customers, reimburse plaintiffs for the costs of this lawsuit, and additional unspecified items. The FTC announcement also stated that the court order imposed:

"... a judgment of $595,945.27, which is suspended based on the defendants’ inability to pay. The full amount will become due, however, it they are later found to have misrepresented their financial condition."

Copies of the complaint are available at the FTC site and here (Adobe PDF). Kudos tot he FTC for its enforcement action. Product claims and endorsements should be truthful and accurate. And consumers still need to do research before purchase. Just because there's an app for it doesn't mean the results promised are guaranteed.

Got an unresolved problem with a product, service, or app? Consumers can file a complaint online with the FTC. What are your opinions of the Aura-FTC settlement? Of claims by app developers?


Big Data Brokers: Failing With Privacy

You may not know that hedge funds, in both the United Kingdom and in the United States, buy and sell a variety of information from data brokers: mobile app purchases, credit card purchases, posts at social networking sites, and lots more. You can bet that a lot of that mobile information includes geo-location data. The problem: consumers' privacy isn't protected consistently.

The industry claims the information sold is anonymous (e.g., doesn't identify specific persons), but researchers have it easy to de-anonymize the information. The Financial Times reported:

"The “alternative data” industry, which sells information such as app downloads and credit card purchases to investment groups, is failing to adequately erase personal details before sharing the material... big data is seen as an increasingly attractive source of information for asset managers seeking a vital investment edge, with data providers selling everything from social media chatter and emailed receipts to federal lobbying data and even satellite images from space..."

One part of the privacy problem:

“The vendors claim to strip out all the personal information, but we occasionally find phone numbers, zip codes and so on,” said Matthew Granade, chief market intelligence officer at Steven Cohen’s Point72. “It’s a big enough deal that we have a couple of full-time tech people wash the data ourselves.” The head of another major hedge fund said that even when personal information had been scrubbed from a data set, it was far too easy to restore..."

A second part of the privacy problem:

“... there is no overarching US privacy law to protect consumers, with standards set individually by different states, industries and even companies, according to Albert Gidari, director of privacy at the Stanford Center for Internet and Society..."

The third part of the privacy problem: consumers are too willing to trade personal information for convenience.


How To Spot Fake News And Not Get Duped

You may have heard about the "pizzagate" conspiracy -- fake news about a supposed child-sex ring operating from a pizzeria in Washington, DC. A heavily armed citizen drove from North Carolina to the pizzeria to investigate to investigate the bogus child-sex ring supposedly run by Presidential candidate Hillary Clinton. The reality: no sex ring. That citizen had been duped by fake news. Shots were fired, and thankfully nobody was hurt.

CBS News reported that the pizzagate conspiracy had been promoted by Michael G. Flynn, son of retired General Michael T. Flynn, Donald Trump's pick for national security adviser. As a result, the younger Flynn resigned Tuesday from President-Elect Trump's transition team.

I use the phrase "fake news" for several types of misleading content: propaganda, unproven or fact-free conspiracy theories, disinformation, and clickbait. The pizzagate incident highlighted two issues: a) fake news has consequences, and b) many people don't know how to distinguish real news from fake news. So, while political operatives reportedly have used a combination of fake news, ads, and social media to both encourage supporters to vote and discourage opponents from voting, there clearly are other real-life consequences.

To help people spot fake news, NPR reported:

"Stopping the proliferation of fake news isn't just the responsibility of the platforms used to spread it. Those who consume news also need to find ways of determining if what they're reading is true. We offer several tips below. The idea is that people should have a fundamental sense of media literacy. And based on a study recently released by Stanford University researchers, many people don't."

The report is enlightening. In the "Evaluating Information: The Cornerstone of Civic Online Reasoning" report, researchers at Stanford University tested about 7,804 students in 12 states between January 2015 and June 2016. They found:

"... at each level—middle school, high school, and college—these variations paled in comparison to a stunning and dismaying consistency. Overall, young people’s ability to reason about the information on the Internet can be summed up in one word: bleak. Our “digital natives” may be able to flit between Facebook and Twitter while simultaneously uploading a selfie to Instagram and texting a friend. But when it comes to evaluating information that flows through social media channels, they are easily duped... We would hope that middle school students could distinguish an ad from a news story. By high school, we would hope that students reading about gun laws would notice that a chart came from a gun owners’ political action committee. And, in 2016, we would hope college students, who spend hours each day online, would look beyond a .org URL and ask who’s behind a site that presents only one side of a contentious issue. But in every case and at every level, we were taken aback by students’ lack of preparation... Many [people] assume that because young people are fluent in social media they are equally savvy about what they find there. Our work shows the opposite."

This is important for both individuals and the future of the nation because:

"For every challenge facing this nation, there are scores of websites pretending to be something they are not. Ordinary people once relied on publishers, editors, and subject matter experts to vet the information they consumed. But on the unregulated Internet, all bets are off... Never have we had so much information at our fingertips. Whether this bounty will make us smarter and better informed or more ignorant and narrow-minded will depend on our awareness of this problem and our educational response to it. At present, we worry that democracy is threatened by the ease at which disinformation about civic issues is allowed to spread and flourish."

While the study focused upon students, but older persons have been duped, too. The suspect in the pizzeria incident was 28 years old. The Stanford report focused upon what teachers and educators can do to better prepare students. According to the researchers, additional solutions are forthcoming.

What can you do to spot fake news? Don't wait for sites and/or social media to do it for you. Become a smarter consumer. The NPR report suggested:

  1. Pay attention to the domain and URL
  2. Read the "About Us" section of the site
  3. Look at the quotes in a story
  4. Look at who said the quotes

All of the suggestions require readers to take the time to understand the website, publication, and/or publisher. A little skepticism is healthy. Also verify the persons quoted and whether the persons quoted are who the article claims. And, verify that any images used actually relate to the event.

We all have to be smarter consumers of news in order to stay informed and meet our civic duties, which includes voting. Nobody wants to vote for politicians that don't represent their interests because they've been duped. To the above list, I would add:

  • Read news wires. These sites include the raw, unfiltered news about who, when, where, and what happened. Some suggested sources: : Associated Press (AP), Reuters, and United Press International (UPI)
  • Learn to recognize advertisements
  • Learn the differences between different types of content: news, opinion, analysis, satire/humor, and entertainment. Reputable sites will label them to help readers.

If you don't know the differences and can't spot each type, then you are likely to get duped.


High Tech Companies And A Muslim Registry

Since the Snowden disclosures in 2013, there have been plenty of news reports about how technology companies have assisted the U.S. government with surveillance programs. Some of these activities included surveillance programs by the U.S. National Security Agency (NSA) including innocent citizens, bulk phone calls metadata collection, warrantless searches by the NSA of citizen's phone calls and emails, facial image collection, identification of the best collaborator with NSA spying, fake cell phone towers (a/k/a 'stingrays') used by both federal government agencies and local police departments, and automated license plate readers to track drivers.

You may also remember, after Apple Computer's refusal to build a backdoor into its smartphones, the U.S. Federal Bureau of Investigation bought a hacking tool from a third party. Several tech companies built the reform government surveillance site, while others actively pursue "Surveillance Capitalism" business goals.

During the 2016 political campaign, candidate (and now President Elect) Donald Trump said he would require all Muslims in the United States to register. Mr. Trump's words matter greatly given his lack of government experience. His words are all voters had to rely upon.

So, The Intercept asked several technology companies a key question about the next logical step: whether or not they are willing to help build and implement a Muslim registry:

"Every American corporation, from the largest conglomerate to the smallest firm, should ask itself right now: Will we do business with the Trump administration to further its most extreme, draconian goals? Or will we resist? This question is perhaps most important for the country’s tech companies, which are particularly valuable partners for a budding authoritarian."

The companies queried included IBM, Microsoft, Google, Facebook, Twitter, and others. What's been the response? Well, IBM focused on other areas of collaboration:

"Shortly after the election, IBM CEO Ginni Rometty wrote a personal letter to President-elect Trump in which she offered her congratulations, and more importantly, the services of her company. The six different areas she identified as potential business opportunities between a Trump White House and IBM were all inoffensive and more or less mundane, but showed a disturbing willingness to sell technology to a man with open interest in the ways in which technology can be abused: Mosque surveillance, a “virtual wall” with Mexico, shutting down portions of the internet on command, and so forth."

The response from many other companies has mostly been crickets. So far, only executives at Twitter have flatly refused, and included with its reply a link to its blog post about developer policies:

"Recent reports about Twitter data being used for surveillance, however, have caused us great concern. As a company, our commitment to social justice is core to our mission and well established. And our policies in this area are long-standing. Using Twitter’s Public APIs or data products to track or profile protesters and activists is absolutely unacceptable and prohibited.

To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products.

We have an internal process to review use cases for Gnip data products when new developers are onboarded and, where appropriate, we may reject all or part of a requested use case..."

Recently, a Trump-Pence supporter floated this trial balloon to justify such a registry:

"A prominent supporter of Donald J. Trump drew concern and condemnation from advocates for Muslims’ rights on Wednesday after he cited World War II-era Japanese-American internment camps as a “precedent” for an immigrant registry suggested by a member of the president-elect’s transition team. The supporter, Carl Higbie, a former spokesman for Great America PAC, an independent fund-raising committee, made the comments in an appearance on “The Kelly File” on Fox News...

“We’ve done it based on race, we’ve done it based on religion, we’ve done it based on region,” Mr. Higbie said. “We’ve done it with Iran back — back a while ago. We did it during World War II with Japanese.”

You can read the replies from nine technology companies at the Intercept site. Will other companies besides Twitter show that they have a spine? Whether or not such a registry ultimately violates the U.S. Constitution, we will definitely hear a lot more about this subject in the near future.


Millions Of Android Smartphones And Apps Infected With New Malware, And Accounts Breached

Security researchers at Check Point Software Technologies have identified malware infecting an average of 13,000 Android phones daily. More than 1 million Android phones have already been infected. Researchers named the new malware "Gooligan." Check Point explained in a blog post:

"Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more. Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year... Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe... We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps. However, the security of these stores and the apps they sell aren’t always verified... Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began..."

Check Point chart about Gooligan malware. Click to view larger version This Telegraph UK news story listed 24 device manufacturers affected: Archos, Broadcom, Bullitt, CloudProject, Gigaset, HTC, Huaqin, Huawei, Intel, Lenovo, Pantech, Positivio, Samsung, Unitech, and others.The Check Point announcement listed more than 80 fake mobile apps infected with the Gooligan malware: Billiards, Daily Racing, Fingerprint unlock, Hip Good, Hot Photo, Memory Booster, Multifunction Flashlight, Music Cloud, Perfect Cleaner, PornClub, Puzzle Bubble-Pet Paradise, Sex Photo, Slots Mania, StopWatch, Touch Beauty, WiFi Enhancer, WiFi Master, and many more.

Check Point is working closely with the security team at Google. Adrian Ludwig, Google’s director of Android security, issued a statement:

"Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware... Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point... to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps... Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected... We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push... We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future."

How the gooligan malware works by Check Point. Click to view larger version Android device users can also have their devices infected by phishing scams where criminals send text and email messages containing links to infected mobile apps. News about this latest malware comes at a time when some consumers are already worried about the security of Android devices.

Recently, there were reports of surveillance malware installed the firmware of some Android devices, and and the Quadrooter security flaw affecting 900 million Android phones and tablets. Last month, Google quietly dropped its ban on personally identifiable web tracking.

News about this latest malware also highlights the problems with Google's security model. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Hopefully, the introduction last month of the Pixel phone will address those problems. A better announcement would have also highlighted security improvements.

For the Gooligan malware, Check Point has develop a web site for consumers to determine if their Google account has already been compromised:  https://gooligan.checkpoint.com/. Check Point advised consumers with compromised accounts:

"1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”

2. Change your Google account passwords immediately after this process."

A word to the wise: a) shop for apps only at trustworthy, reputable sites; b) download and install all operating-system security patches to protect your devices and your information; and c) avoid buying cheap phones that lack operating system software updates and security patches.