Previous month:
January 2017
Next month:
March 2017

14 posts from February 2017

FCC Announced Approval ot LTE-U Mobile Devices

On Wednesday, the Office of Engineering and Technology (OET) within the U.S. Federal Communications announced the authorization of unlicensed wireless (a/k/a LTE-U) devices to operate in the 5 GHz band:

"This action follows a collaborative industry process to ensure LTE-U with Wi-Fi and other unlicensed devices operating in the 5 GHz band. The Commission’s provisions for unlicensed devices are designed to prevent harmful interference to radio communications services and stipulate that these devices must accept any harmful interference they receive. Industry has developed various standards within the framework of these rules such as Wi-Fi, Bluetooth and Zigbee that are designed to coexist in shared spectrum. These and other unlicensed technologies have been deployed extensively and are used by consumers and industry for a wide variety of applications.

LTE-U is a specification that was developed and supported by a group of companies within the LTE-U Forum... The LTE-U devices that were certified today have been tested to show they meet all of the FCC’s rules. We understand that the LTE-U devices were evaluated successfully under the co-existence test plan. However, this is not an FCC requirement and similar to conformity testing for private sector standards the co-existence test results are not included in the FCC’s equipment certification records."

ComputerWorld explained in 2015 the strain on existing wireless capabilities and why several technology companies pursued the technology:

"According to the wireless providers and Qualcomm, the technology will make use of the existing unlicensed spectrum most commonly used for Wi-Fi. LTE-U is designed to deliver a similar capability as Wi-Fi, namely short-range connectivity to mobile devices.

As billions of mobile devices and Web video continue to strain wireless networks and existing spectrum allocations, the mobile ecosphere is looking for good sources of spectrum. The crunch is significant, and tangible solutions take a long time to develop... as former FCC Chairman Julius Genachowski and FCC Commissioner Robert McDowell recently remarked, “mobile data traffic in the U.S. will grow sevenfold between 2014 and 2019” while “wearable and connected devices in the U.S. will double” in that same period."

Some cable companies, such as Comcast, opposed LTE-U based upon concerns about the technology conflicting with existing home WiFi. According to Computerworld:

"In real-world tests so far, LTE-U delivers better performance than Wi-Fi, doesn’t degrade nearby Wi-Fi performance and may in fact improve the performance of nearby Wi-Fi networks."

Reportedly, in August 2016 Verizon viewed the testing as "fundamentally unfair and biased." Ajit Pai, the new FCC Chairman, said in a statement on Wednesday:

"LTE-U allows wireless providers to deliver mobile data traffic using unlicensed spectrum while sharing the road, so to speak, with Wi-Fi. The excellent staff of the FCC’s Office of Engineering and Technology has certified that the LTE-U devices being approved today are in compliance with FCC rules. And voluntary industry testing has demonstrated that both these devices and Wi-Fi operations can co-exist in the 5 GHz band. This heralds a technical breakthrough in the many shared uses of this spectrum.

This is a great deal for wireless consumers, too. It means they get to enjoy the best of both worlds: a more robust, seamless experience when their devices are using cellular networks and the continued enjoyment of Wi-Fi, one of the most creative uses of spectrum in history..."


Your Smart TV Is A Blabbermouth. How To Stop Its Spying On You

Internet-connected televisions, often referred to as "smart TVs," collect a wide variety of information about consumers. The devices track the videos you watch from several sources: cable, broadband, set-top box, DVD player, over-the-air broadcasts, and streaming devices. The devices collect a wide variety of information about consumers, including items such as as sex, age, income, marital status, household size, education level, home ownership, and household value. The TV makers sell this information to third parties, such as advertisers and data brokers.

Some people might call this "surveillance capitalism."

Reliability and trust with smart devices are critical for consumers. Earlier this month, Vizio agreed to pay $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC).

What's a consumer to do to protect their privacy? This C/Net article provides good step-by-step instructions to turn off or to minimize the tracking by your smart television. The instructions include several smart TV brands: Samsung, Vizio, LG, Sony, and others. Sample instructions for one brand:

"Samsung: On 2016 TVs, click the remote's Home button, go to Settings (gear icon), scroll down to Support, then down to Terms & Policy. Under "Interest Based Advertisement" click "Disable Interactive Services." Under "Viewing Information Services" unclick "I agree." And under "Voice Recognition Services" click "Disable advanced features of the Voice Recognition services." If you want you can also disagree with the other two, Nuance Voice Recognition and Online Remote Management.

On older Samsung TVs, hit the remote's Menu button (on 2015 models only, then select Menu from the top row of icons), scroll down to Smart Hub, then select Terms & Policy. Disable "SynchPlus and Marketing." You can also disagree with any of the other policies listed there, and if your TV has them, disable the voice recognition and disagree with the Nuance privacy notice described above."

Browse the step-by-step instructions for your brand of television. If you disabled the tracking features on your smart TV, how did it go? If you used a different resource to learn about your smart TV's tracking features, please share it below.


Advocacy Groups And Legal Experts Denounce DHS Proposal Requiring Travelers To Disclose Social Media Credentials

U.S. Department of Homeland Security logo Several dozen human rights organizations, civil liberties advocates, and legal experts published an open letter on February 21,2017 condemning a proposal by the U.S. Department of Homeland Security to require the social media credentials (e.g., usernames and passwords) of all travelers from majority-Muslim countries. This letter was sent after testimony before Congress by Homeland Security Secretary John Kelly. NBC News reported on February 8:

"Homeland Security Secretary John Kelly told Congress on Tuesday the measure was one of several being considered to vet refugees and visa applicants from seven Muslim-majority countries. "We want to get on their social media, with passwords: What do you do, what do you say?" he told the House Homeland Security Committee. "If they don't want to cooperate then you don't come in."

His comments came the same day judges heard arguments over President Donald Trump's executive order temporarily barring entry to most refugees and travelers from Syria, Iraq, Iran, Somalia, Sudan, Libya and Yemen. Kelly, a Trump appointee, stressed that asking for people's passwords was just one of "the things that we're thinking about" and that none of the suggestions were concrete."

The letter, available at the Center For Democracy & Technology (CDT) website, stated in part (bold emphasis added):

"The undersigned coalition of human rights and civil liberties organizations, trade associations, and experts in security, technology, and the law expresses deep concern about the comments made by Secretary John Kelly at the House Homeland Security Committee hearing on February 7th, 2017, suggesting the Department of Homeland Security could require non-citizens to provide the passwords to their social media accounts as a condition of entering the country.

We recognize the important role that DHS plays in protecting the United States’ borders and the challenges it faces in keeping the U.S. safe, but demanding passwords or other account credentials without cause will fail to increase the security of U.S. citizens and is a direct assault on fundamental rights.

This proposal would enable border officials to invade people’s privacy by examining years of private emails, texts, and messages. It would expose travelers and everyone in their social networks, including potentially millions of U.S. citizens, to excessive, unjustified scrutiny. And it would discourage people from using online services or taking their devices with them while traveling, and would discourage travel for business, tourism, and journalism."

The letter was signed by about 75 organizations and individuals, including the American Civil Liberties Union, the American Library Association, the American Society of Journalists & Authors, the American Society of News Editors, Americans for Immigrant Justice, the Brennan Center for Justice at NYU School of Law, Electronic Frontier Foundation, Human Rights Watch, Immigrant Legal Resource Center, National Hispanic Media Coalition, Public Citizen, Reporters Without Borders, the World Privacy Forum, and many more.

The letter is also available here (Adobe PDF).


EU Privacy Watchdogs Ask Microsoft For Explanations About Data Collection About Users

A privacy watchdog group in the European Union (EU) are concerned about privacy and data collection practices by Microsoft. The group, comprising 28 agencies and referred to as the Article 29 Working Party, sent a letter to Microsoft asking for explanations about privacy concerns with the software company's Windows 10 operating system software.

The February 2017 letter to Brendon Lynch, Chief Privacy Officer, and to Satya Nadella, Chief Executive Officer, was a follow-up to a prior letter sent in January. The February letter explained:

"Following the launch of Windows 10, a new version of the Windows operating system, a number of concerns have been raised, in the media and in signals from concerned citizens to the data protection authorities, regarding protection of your users’ personal data... the Working Party expressed significant concerns about the default installation settings and an apparent lack of control for a user to prevent collection or further processing of data, as well as concerns about the scope of data that are being collected and further processed... "

Microsoft logo While Microsoft has been cooperative so far, the group's specific privacy concerns:

"... user consent can only be valid if fully informed, freely given and specific. Whilst it is clear that the proposed new express installation screen will present users with five options to limit or switch off certain kinds of data processing it is not clear to what extent both new and existing users will be informed about the specific data that are being collected and processed under each of the functionalities. The proposed new explanation when, for example, a user switches the level of telemetry data from 'full' to 'basic' that Microsoft will collect 'less data' is insufficient without further explanation. Such information currently is also not available in the current version of the privacy policy.

Additionally, the purposes for which Microsoft collects personal data have to be specified, explicit and legitimate, and the data may not be further processed in a way incompatible with those purposes. Microsoft processes data collected through Windows 10 for different purposes, including personalised advertising. Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid..."

Visit this EU link for more information about the Article 29 Working Party, or download the Article 29 Working Party letter to Microsoft (Adobe PDF).


GOP Legislation In Congress To Revoke Consumer Privacy And Protections

Logo for Republican Party, also known as the GOP The MediaPost Policy Blog reported:

"Republican Senator Jeff Flake, who opposes the Federal Communications Commission's broadband privacy rules, says he's readying a resolution to rescind them, Politico reports. Flake's confirmation to Politico comes days after Rep. Marsha Blackburn (R-Tennessee), the head of the House Communications Subcommittee, said she intends to work with the Senate to revoke the privacy regulations."

Blackburn's name is familiar. She was a key part of the GOP effort in 2014 to keep state laws in place to limit broadband competition by preventing citizens from forming local broadband providers. To get both higher speeds and lower prices compared to offerings by corporate internet service providers (ISPs), many people want to form local broadband providers. They can't because 20 states have laws preventing broadband competition. A worldwide study in 2014 found the consumers in the United States get poor broadband value: pay more and get slower speeds. Plus, the only consumers getting good value were community broadband customers. In June 2014, the FCC announced plans to challenge these restrictive state laws that limit competition, and keep your Internet prices high. That FCC effort failed. To encourage competition and lower prices, several Democratic representatives introduced the Community Broadband Act in 2015.That legislation went nowhere in a GOP-controlled Congress.

Pause for a moment and let that sink in. Blackburn and other GOP representatives have pursued policies where we consumers all pay more for broadband due to the lack of competition. The GOP, a party that supposedly dislikes regulation and prefers free-market competition, is happy to do the opposite to help their corporate donors. The GOP, a party that historically has promoted states' rights, now uses state laws to restrict the freedoms of constituents at the city, town, and local levels. And, that includes rural constituents.

Too many GOP voters seem oblivious to this. Why Democrats failed to capitalize on this broadband issue, especially during the Presidential campaign last year, is puzzling. Everyone needs broadband: work, play, school, travel, entertainment.

Now, back to the effort to revoke the FCC's broadband privacy rules. Several cable, telecommunications, and advertising lobbies sent a letter in January asking Congress to remove the broadband privacy rules. That letter said in part:

"... in adopting new broadband privacy rules late last year, the Federal Communications Commission (“FCC”) took action that jeopardizes the vibrancy and success of the internet and the innovations the internet has and should continue to offer. While the FCC’s Order applies only to Internet Service Providers (“ISPs”), the onerous and unnecessary rules it adopted establish a very harmful precedent for the entire internet ecosystem. We therefore urge Congress to enact a resolution of disapproval pursuant to the Congressional Review Act (“CRA”) vitiating the Order."

The new privacy rules by the FCC require broadband providers (a/k/a ISPs) to obtain affirmative “opt-in” consent from consumers before using and sharing consumers' sensitive information; specify the types of information that are sensitive (e.g., geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications); stop using and sharing information about consumers that have opted out of information sharing; meet transparency requirements to clearly notify customers about the information collection sharing and how to change their opt-in or opt-out preferences, prohibit "take-it-or-leave-it" offers where ISPs can refuse to serve customers who don't consent to the information collection and sharing; and comply with "reasonable data security practices and guidelines" to protect the sensitive information collected and shared.

The new FCC privacy rules are common sense stuff, but clearly these companies view common-sense methods as a burden. They want to use consumers' information however they please without limits, and without consideration for consumers' desire to control their own personal information. And, GOP representatives in Congress are happy to oblige these companies in this abuse.

Alarmingly, there is more. Lots more.

The GOP-led Congress also seeks to roll back consumer protections in banking and financial services. According to Consumer Reports, the issue arose earlier this month in:

"... a memo by House Financial Services Committee Chairman Rep. Jeb Hensarling (R-Tex), which was leaked to the press yesterday... The fate of the database was first mentioned [February 9th] when Bloomberg reported on a memo by Hensarling, an outspoken critic of the CFPB. The memo outlined a new version of the Financial CHOICE Act (Creating Hope and Opportunity for Investors, Consumers and Entrepreneurs), a bill originally advanced by the House Financial Services Committee in September. The new bill would lead to the repeal of the Consumer Complaint Database. It would also eliminate the CFPB's authority to punish unfair, deceptive or abusive practices among banks and other lenders, and it would allow the President to handpick—and fire—the bureau's director at will."

Banks have paid billions in fines to resolve a variety of allegations and complaints about wrongdoing. Consumers have often been abused by banks. You may remember the massive $185 million fine for the phony accounts scandal at Wells Fargo. Or, you may remember consumers forced to use prison-release cards. Or, maybe you experienced debt collection scams. And, this blog has covered extensively much of the great work by the CFPB which has helped consumers.

Does these two legislation items bother you? I sincerely hope that they do bother you. Contact your elected officials today and demand that they support the FCC privacy rules.


Espionage Groups Target Apple Devices With New Malware

ZDNet reported about a group performing multiple online espionage campaigns which targeted:

"... Mac users with malware designed to steal passwords, take screenshots, and steal backed-up iPhone data. This malware, discovered by cybersecurity researchers at Bitdefender, is thought to be linked to the APT28 group, which was accused of interferring in the United States presidential election. Bitdefender notes a number of similarities between the malware attacks against Macs -- which have been taking place since September 2016 -- and previous campaigns by the group, believed to be closely linked to Russia military intelligence and also dubbed Fancy Bear. Known as Xagent, the new form of malware targets victims running Mac OS X and installs a modular backdoor onto the system which enables the perpetrators to carry out cyberespionage activities... Xagent is also capable of stealing iPhone backups stored on a compromised Mac, an action which opens up even more capabilities for conducting cyberespionage, providing the perpetrators with access to additional files..."


Travelers Face Privacy Issues When Crossing Borders

If you travel for business, pleasure, or both then today's blog post will probably interest you. Wired Magazine reported:

"In the weeks since President Trump’s executive order ratcheted up the vetting of travelers from majority Muslim countries, or even people with Muslim-sounding names, passengers have experienced what appears from limited data to be a “spike” in cases of their devices being seized by customs officials. American Civil Liberties Union attorney Nathan Wessler says the group has heard scattered reports of customs agents demanding passwords to those devices, and even social media accounts."

Devices include smartphones, laptops, and tablets. Many consumers realize that relinquishing passwords to social networking sites (e.g., Facebook, Instagram, etc.) discloses sensitive information not just about themselves, but also all of their friends, family, classmates, neighbors, and coworkers -- anyone they are connected with online. The "Bring Your Own Device" policies by many companies and employers means that employees (and contractors) can use their personal devices in the workplace and/or connected remotely to company networks. Those connected devices can easily divulge company trade secrets and other sensitive information when seized by Customs and Border Patrol (CBP) agents for analysis and data collection.

Plus, professionals such as attorneys and consultants are required to protect their clients' sensitive information. These professionals, who also must travel, require data security and privacy for business.

Wired also reported:

"In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.

Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents."

For travelers wanting privacy, what are the options? Remain at home? This may not be an option for workers who must travel for business. Leave your devices at home? Again, impractical for many. The Wired article provided several suggestions, including:

"If customs officials do take your devices, don’t make their intrusion easy. Encrypt your hard drive with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too..."

What are the consequences when travelers refuse to disclose passwords and encrpt devices? Ars Technica also explored the issues:

"... Ars spoke with several legal experts, and contacted CBP itself (which did not provide anything beyond previously-published policies). The short answer is: your device probably will be seized (or "detained" in CBP parlance), and you might be kept in physical detention—although no one seems to be sure exactly for how long.

An unnamed CBP spokesman told The New York Times on Tuesday that such electronic searches are extremely rare: he said that 4,444 cellphones and 320 other electronic devices were inspected in 2015, or 0.0012 percent of the 383 million arrivals (presuming that all those people had one device)... The most recent public document to date on this topic appears to be an August 2009 Department of Homeland Security paper entitled "Privacy Impact Assessment for the Border Searches of Electronic Devices." That document states that "For CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist." The policy also states that CBP or Immigration and Customs Enforcement "may demand technical assistance, including translation or decryption," citing a federal law, 19 US Code Section 507."

The Electronic Frontier Foundation (EFF) collects stories from travelers who've been detained and had their devices seized. Clearly, we will hear a lot more in the future about these privacy issues. What are your opinions of this?


Survey: Internet of Evil Things Report

Pwnie 2017 Internet of Evil Things report A recent survey of information technology (IT) professionals by Pwnie Express, an information security vendor, found that connected devices bring risks into corporate networks and IT professionals are not keeping up. 90 percent of IT professionals surveyed view connected devices as a security threat to their corporate systems and networks. 66 percent aren't sure how many connected devices are in their organizations.

These findings have huge implications as the installed base of connected devices (a/k/a the "Internet of things" or ioT) takes off. Experts forecast 8.4 billion connected devices in use worldwide in 2017, up 31 percent from 2016. Total spending for those devices will reach almost $2 trillion in 2017, and $20.4 billion by 2020. The regions that will drive this growth include North America, Western Europe, and China; which already comprise 67 percent of the installed base.

Key results from the latest survey by Pwnie Express:

"One in five of the survey respondents (20%) said their IoT devices were hit with ransomware attacks last year. 16 percent of respondents say they experienced Man-in-the-middle attacks through IoT devices. Devices continue to lend themselves to problematic configurations. The default network from common routers “linksys” and “Netgear” were two of the top 10 most common “open default” wireless SSID’s (named networks), and the hotspot network built-in for the configuration and setup of HP printers - “hpsetup”- is #2."

An SSID, or Service Set Identifier, is the name a wireless network broadcasts. Manufacturers ship them with default names, which the bad guys often look for to find open, unprotected networks. While businesses purchase and deploy a variety of connected devices (e.g., smart meters, manufacturing field devices, process sensors for electrical generating plants, real-time location devices for healthcare) and some for "smart buildings" (e.g., LED lighting, HVAC sensors, security systems), other devices are brought into the workplace by workers.

Most companies have Bring Your Own Device (BYOD) policies allowing employees to bring and use in the workplace personal devices (e.g., phones, tablets, smart watches, fitness bands). The risk for corporate IT professionals is that when employees, contractors, and consultants bring their personal devices into the workplace, and connect to corporate networks. A mobile device infected with malware from a wireless home network, or from a public hot-spot (e.g., airport, restaurant) can easily introduce that malware into office networks.

Consumers connect a wide variety of items to their wireless home networks: laptops, tablets, smartphones, printers, lighting and temperature controls, televisions, home security systems, fitness bands, smart watches, toys, smart wine bottles, and home appliances (e.g., refrigerators, hot water heaters, coffee makers, crock pots, etc.). Devices with poor security features don't allow operating system and security software updates, don't encrypt key information such as PIN numbers and passwords, and build the software into the firmware where it cannot be upgraded. Last month, the U.S. Federal Trade Commission (FTC) filed a lawsuit against a modem/router maker alleging poor security in its products.

Security experts advise consumers to perform several steps to protect their wireless home networks: change the SSID name, change all default passwords, enable encryption (e.g., WEP, WPA, WPA2, etc.), create a special password for guests, and enable a firewall. While security experts have warned consumers for years, too many still don't heed the advice.

The survey respondents identified the top connected device threats:

"1. Misconfigured healthcare, security, and IoT devices will provide another route for ransomware and malware to cause harm and affect organizations.

2. Unresolved vulnerabilities or the misconfiguration of popular connected devices, spurred by the vulnerabilities being publicized by botnets, including Mirai and newer, “improved” versions, in the hands of rogue actors will compromise the security of organizations purchasing these devices.

3. Mobile phones will be the attack vector of the future, becoming an extra attack surface and another mode of rogue access points taking advantage of unencrypted Netgear, AT&T, and hpsetup wireless networks to set up man-in-the-middle attacks."

The survey included more than 800 IT security professionals in several industries: financial services, hospitality, retail, manufacturing, professional services, technology, healthcare, energy and more. Download the "2017 Internet of Evil Things Report" by Pwnie.


Facebook Doesn't Tell Users Everything it Really Knows About Them

[Editor's note: today's guest post is by reporters at ProPublica. I've posted it because, a) many consumers don't know how their personal information is bought, sold, and used by companies and social networking sites; b) the USA is capitalist society and the sensitive personal data that describes consumers is consumers' personal property; c) a better appreciation of "a" and "b" will hopefully encourage more consumers to be less willing to trade their personal property for convenience, and demand better privacy protections from products, services, software, apps, and devices; and d) when lobbyists and politicians act to erode consumers' property and privacy rights, hopefully more consumers will respond and act. Facebook is not the only social networking site that trades consumers' information. This news story is reprinted with permission.]

by Julia Angwin, Terry Parris Jr. and Surya Mattu, ProPublica

Facebook has long let users see all sorts of things the site knows about them, like whether they enjoy soccer, have recently moved, or like Melania Trump.

But the tech giant gives users little indication that it buys far more sensitive data about them, including their income, the types of restaurants they frequent and even how many credit cards are in their wallets.

Since September, ProPublica has been encouraging Facebook users to share the categories of interest that the site has assigned to them. Users showed us everything from "Pretending to Text in Awkward Situations" to "Breastfeeding in Public." In total, we collected more than 52,000 unique attributes that Facebook has used to classify users.

Facebook's site says it gets information about its users "from a few different sources."

What the page doesn't say is that those sources include detailed dossiers obtained from commercial data brokers about users' offline lives. Nor does Facebook show users any of the often remarkably detailed information it gets from those brokers.

"They are not being honest," said Jeffrey Chester, executive director of the Center for Digital Democracy. "Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well."

When asked this week about the lack of disclosure, Facebook responded that it doesn't tell users about the third-party data because its widely available and was not collected by Facebook.

"Our approach to controls for third-party categories is somewhat different than our approach for Facebook-specific categories," said Steve Satterfield, a Facebook manager of privacy and public policy. "This is because the data providers we work with generally make their categories available across many different ad platforms, not just on Facebook."

Satterfield said users who don't want that information to be available to Facebook should contact the data brokers directly. He said users can visit a page in Facebook's help center, which provides links to the opt-outs for six data brokers that sell personal data to Facebook.

Limiting commercial data brokers' distribution of your personal information is no simple matter. For instance, opting out of Oracle's Datalogix, which provides about 350 types of data to Facebook according to our analysis, requires "sending a written request, along with a copy of government-issued identification" in postal mail to Oracle's chief privacy officer.

Users can ask data brokers to show them the information stored about them. But that can also be complicated. One Facebook broker, Acxiom, requires people to send the last four digits of their social security number to obtain their data. Facebook changes its providers from time to time so members would have to regularly visit the help center page to protect their privacy.

One of us actually tried to do what Facebook suggests. While writing a book about privacy in 2013, reporter Julia Angwin tried to opt out from as many data brokers as she could. Of the 92 brokers she identified that accepted opt-outs, 65 of them required her to submit a form of identification such as a driver's license. In the end, she could not remove her data from the majority of providers.

ProPublica's experiment to gather Facebook's ad categories from readers was part of our Black Box series, which explores the power of algorithms in our lives. Facebook uses algorithms not only to determine the news and advertisements that it displays to users, but also to categorize its users in tens of thousands of micro-targetable groups.

Our crowd-sourced data showed us that Facebook's categories range from innocuous groupings of people who like southern food to sensitive categories such as "Ethnic Affinity" which categorizes people based on their affinity for African-Americans, Hispanics and other ethnic groups. Advertisers can target ads toward a group 2014 or exclude ads from being shown to a particular group.

Last month, after ProPublica bought a Facebook ad in its housing categories that excluded African-Americans, Hispanics and Asian-Americans, the company said it would build an automated system to help it spot ads that illegally discriminate.

Facebook has been working with data brokers since 2012 when it signed a deal with Datalogix. This prompted Chester, the privacy advocate at the Center for Digital Democracy, to filed a complaint with the Federal Trade Commission alleging that Facebook had violated a consent decree with the agency on privacy issues. The FTC has never publicly responded to that complaint and Facebook subsequently signed deals with five other data brokers.

To find out exactly what type of data Facebook buys from brokers, we downloaded a list of 29,000 categories that the site provides to ad buyers. Nearly 600 of the categories were described as being provided by third-party data brokers. (Most categories were described as being generated by clicking pages or ads on Facebook.)

The categories from commercial data brokers were largely financial, such as "total liquid investible assets $1-$24,999," "People in households that have an estimated household income of between $100K and $125K, or even "Individuals that are frequent transactor at lower cost department or dollar stores."

We compared the data broker categories with the crowd-sourced list of what Facebook tells users about themselves. We found none of the data broker information on any of the tens of the thousands of "interests" that Facebook showed users.

Our tool also allowed users to react to the categories they were placed in as being "wrong," "creepy" or "spot on." The category that received the most votes for "wrong" was "Farmville slots." The category that got the most votes for "creepy" was "Away from family." And the category that was rated most "spot on" was "NPR."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Are Smart Television Makers Gaming The Energy-Efficiency Tests?

After yesterday's blog post about the settlement agreement by VIZIO with the U.S. Federal Trade Commission (FTC) and the New Jersey Attorney General, a reader mentioned an Economist article about smart televisions. It seems there is an ongoing investigation into whether or not manufacturers, similar to the Volkswagon emissions scandal, misrepresented the energy-efficiency test results of their televisions.

The Economist reported:

"South Korea’s Samsung and LG, along with Vizio, a Californian firm, stand accused of misrepresenting the energy efficiency of large-screen sets. Together, they sell over half of all TVs in America. In September 2016 the Natural Resources Defense Council (NRDC), an environmental group, published research on the energy consumption of TVs, showing that those made by Samsung, LG and Vizio performed far better during short government tests than they did the rest of the time. Some TVs consumed double the amount of energy suggested by manufacturers’ marketing bumpf. America’s Department of Energy (DoE) has also conducted tests of its own that have turned up big inconsistencies.

Not all TV-makers are at fault: the NRDC found no difference in energy-consumption levels for TVs made by Sony and Philips. But class-action lawsuits have already been filed against the three companies highlighted by the tests—the latest was lodged against Samsung in New York on January 30th. The industry is now waiting to see whether regulators will take action... Televisions made by Samsung and LG (but not Vizio) appear to recognize the test clip that the American government uses to rate energy consumption and to advise consumers on how much it will cost to operate the set over a whole year. The DoE’s ten-minute test clip has a lot of motion and scene changes in short succession, with each clip lasting only 2.3 seconds before flashing to a new one (most TV content is made up of scenes that last more than double that length). During these tests the TVs’ backlight dims, resulting in substantial energy savings. For the rest of the time, during typical viewing conditions, the backlight stays bright..."

If true, then those new televisions many consumers bought may cost them a lot more energy and electricity costs. The September 2016 NRDC press release:

"There are flaws in the government’s method for testing the energy use of televisions and three major TV manufacturers representing half of the U.S. market appear to be exploiting them, which could cost owners of recently purchased models an extra $1.2 billion on their utility bills... The global standard video clip on which the DOE test method is based is eight years old and needs a major overhaul. DOE should update its test method with more realistic video content... It appears that some major manufacturers have modified their TV designs to get strong energy-use marks during government testing but they may not perform as well in consumers’ homes. These ‘under the hood’ changes dramatically increase a TV’s energy use and environmental impact, usually without the user’s knowledge. While this may not be illegal, it smacks of bad-faith conduct that falls outside the intent of the government test method designed to accurately measure TV energy use..."

The consequences and impacts go far beyond possible bad-faith conduct:

"The latest version of ultra high-definition (UHD) TVs used approximately 30 to 50 percent more energy when playing content produced with High Dynamic Range (HDR) than conventional UHD content... With millions of televisions purchased annually across America, all of this extra energy use has a major impact on national energy consumption, consumer utility bills, and the environment..."

You can learn more about the DoE test procedures here. What are your opinions of this?


VIZIO To Pay $2.2 Million To Settle Privacy Charges About Its Smart TVs

VIZIO Inc. logo Today's blog post highlights how easy it is for manufacturers to make and sell smart-home devices that spy on consumers without notice nor consent. VIZIO, Inc., one of the largest makers of smart televisions, agreed to pay $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC) and the State of New Jersey Attorney General. The FTC announcement explained:

"... starting in February 2014, VIZIO, Inc. and an affiliated company have manufactured VIZIO smart TVs that capture second-by-second information about video displayed on the smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices. In addition, VIZIO facilitated appending specific demographic information to the viewing data, such as sex, age, income, marital status, household size, education level, home ownership, and household value... VIZIO sold this information to third parties, who used it for various purposes, including targeting advertising to consumers across devices... VIZIO touted its “Smart Interactivity” feature that “enables program offers and suggestions” but failed to inform consumers that the settings also enabled the collection of consumers’ viewing data. The complaint alleges that VIZIO’s data tracking—which occurred without viewers’ informed consent—was unfair and deceptive, in violation of the FTC Act and New Jersey consumer protection laws."

The FTC complaint (Adobe PDF) named as defendants VIZIO, Inc. and VIZIO Inscape Services, LLC, its wholly-owned subsidiary. VIZIO has designed and sold televisions in the United States since 2002, and has sold more than 11 million Internet-connected televisions since 2010. The complaint also mentioned:

"... the successor entity to Cognitive Media Services, Inc., which developed proprietary automated content recognition (“ACR”) software to detect the content on internet-connected televisions and monitors."

This merits emphasis because consumers thinking that they can watch DVD or locally recorded content in the privacy of their home with advertisers knowing it really can't because the ACR software can easily identify, archive, and transmit it. The complaint also explained:

"Through the ACR software, VIZIO’s televisions transmit information about what a consumer is watching on a second-by-second basis. Defendants’ ACR software captures information about a selection of pixels on the screen and sends that data to VIZIO servers, where it is uniquely matched to a database of publicly available television, movie, and commercial content. Defendants collect viewing data from cable or broadband service providers, set-top boxes, external streaming devices, DVD players, and over-the-air broadcasts... the ACR software captures up to 100 billion data points each day from more than 10 million VIZIO televisions. Defendants store this data indefinitely. Defendants’ ACR software also periodically collects other information about the television, including IP address, wired and wireless MAC addresses, WiFi signal strength, nearby WiFi access points, and other items."

That's impressive. The ACR software enabled VIZIO to know and collect information about other devices (e.g., computers, tablets, phones, printers) connected to your home WiFi network. Then, besides the money consumers paid for their VIZIO smart TVs, the company also made money by reselling the information it collected to third parties... probably data brokers and advertisers. You'd think that the company might lower the price of its smart TVs given that additional revenue stream, but I guess not.

Now, here is where VIZIO created problems for itself:

"Consumers that purchased new VIZIO televisions beginning in August 2014, with ACR tracking preinstalled and enabled by default, received no onscreen notice of the collection of viewing data. For televisions that were updated in February 2014 to install default ACR tracking after purchase, an initial pop-up notification appeared on the screen that said: "The VIZIO Privacy Policy has changed. Smart Interactivity has been enabled on your TV, but you may disable it in the settings menu. See www.vizio.com/privacy for more details. This message will time out in 1 minute." This notification provided no information about the collection of viewing data or ACR software. Nor did it directly link to the settings menu or privacy policy... In March 2016, while Plaintiffs’ investigations were pending, [VIZIO and VIZIO Inscape] sent another pop-up notification to televisions that, for the first time, referenced the collection of television viewing data. This notification timed out after 30 seconds without input from the household member who happened to be viewing the screen at the time, and did not provide easy access to the settings menu... In all televisions enabled with ACR tracking, VIZIO televisions had a setting, available through the settings menu, called “Smart Interactivity.” This setting included the description: “Enables program offers and suggestions.” Similarly, in the manual for some VIZIO televisions, a section entitled “Smart Interactivity” described the practice as “Your TV can display program-related information as part of the broadcast.” Neither description provided information about the collection of viewing data..."

30 seconds? Really?! If a consumer left the room to grab a bite to eat or visit the bathroom for a bio break, they easily missed this pop-up message. No notice? Neither are good. VIZIO released a statement about the settlement:

"VIZIO is pleased to reach this resolution with the FTC and the New Jersey Division of Consumer Affairs.  Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” stated Jerry Huang, VIZIO General Counsel. “The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors... the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and VIZIO now is leading the way,” concluded Huang."

Terms of the settlement agreement and the Court Order (Adobe PDF) require VIZIO to:

"A. Prominently disclose to the consumer, separate and apart from any “privacy policy,” “terms of use” page, or other similar document: (1) the types of Viewing Data that will be collected and used, (2) the types of Viewing Data that will be shared with third parties; (3) the identity or specific categories of such third parties; and (4) all purposes for Defendants’ sharing of such information;

B. Obtain the consumer’s affirmative express consent (1) at the time the disclosure...

C. Provide instructions, at any time the consumer’s affirmative express consent is sought under Part II.B, for how the consumer may revoke consent to collection of Viewing Data.

D. For the purposes of this Order, “Prominently” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers..."

The Order also defines that disclosure must be visual, audible, in all formats which VIZIO uses, in easy-to-understand language, and not contradicted by any legal statements elsewhere. Terms of the settlement require VIZIO to pay $1.5 million to the FTC, $1.0 million to the New Jersey Division of Consumer Affairs (which includes a $915,940.00 civil penalty and $84,060.00 for attorneys’ fees and investigative costs). VIZIO will not have to pay $300,000 due to the N.j> Division of consumer affairs it the company complies with court order, and does not engage in acts that violate the New Jersey Consumer Fraud Act (CFA) during the next five years.

Additional terms of the settlement agreement require VIZIO to destroy information collected before March 1, 2016, establish and implement a privacy program, designate one or several employees responsible for that program, identify and risks of internal processes that cause the company to collect consumer information it shouldn't, design and implement a program to address those risks, develop and implement processes to identify service providers that will comply with the privacy program, and hire an independent third-party to audit the privacy program every two years.

I guess the FTC and New Jersey AG felt this level of specificity was necessary given VIZIO's past behaviors. Kudos to the FTC and to the New Jersey AG for enforcing and protecting consumers' privacy. Given the rapid pace of technological change and the complexity of today's devices, oversight is required. Consumers simply don't have the skills nor resources to do these types of investigations.

What are your opinions of the VIZIO settlement?


Town Hall With Congressman Stephen Lynch About Security And Rights

Official photo of Congressman Stephen F. Lynch. Click to view larger version Congressman Stephen F. Lynch (Democrat, 8th District of Massachusetts) held a town hall meeting on Friday February 3, 2017 titled, “Keeping America Safe While Preserving Our Constitutional Rights.” The 7:00 pm event at the Milton High School auditorium was heavily attended (see photos below) with an estimated attendance of about 500 to 700 persons. The website and e-mail invitation from Congressman Lynch’s office described the meeting agenda:

"The Town Hall will be an opportunity for constituents to come together to discuss the legal implications of President Trump’s executive actions, to discuss what can be done to resist any infringements of Constitutional rights and discuss existing and ongoing efforts to ensure safety in our homeland, and to provide resources for those who may need assistance."

Representative Lynch serves on the Oversight and Government Reform Committee and the Financial Services Committee. He is the lead Democrat on the National Security Subcommittee, responsible for overseeing the Departments of State, Defense and Homeland Security, and the United States Agency for International Development. He was sworn in to the United States Congress in October 2001, after the sudden passing of Congressman John Joseph Moakley.

Partial view of February 3, 2017 town hall session. Milton HS auditorium. Click to view larger version Representative Lynch opened the meeting with remarks about his experience in Congress, the heavier than usual volume of emails, phone calls, and visits to his office since the flurry of Executive Orders by President Trump, his 17 trips to the Middle East including Iraq and Turkey, his visits to refugee camps, and his familiarity with the vetting process for immigrants wanting to relocate to the United States.

Representative Lynch said regarding refugees and immigrants that the "facts on the ground" are often very different than what is reported in the news media or by the current White House. He explained that many Syrians spend several years in refugee camps, since many want to return to their homes and not immigrate to other countries. And, the United States is probably number 10 in a list of desired locations of refugees wanting to relocate to another country.

He also described an overview of the vetting process, which includes interviews, biometrics, retina scans, and follow-up sessions with about 18 steps lasting 14 to 18 months. Several U.S. Federal government agencies are involved in the vetting process. Congressman Lynch described President Trump's Executive Order banning immigrants from seven Middle East countries as "wrong and unnecessary," and was conducted carelessly.

Congressman Lynch held an hour-long telephone town hall on January 24, 2017. He has co-sponsored H.R.852 in the 115th Congress (2017-2018) to:

"... amend the Immigration and Nationality Act to provide that an alien may not be denied admission or entry to the United States, or other immigration benefits, because of the alien's religion, and for other purposes."

H.R. 852 was sponsored by Representative Donald S. Beyer, Jr. (Democrat, Virginia) and introduced On February 3, 2017. It is in committee. View the list of bills sponsored or co-sponsored by Congressman Lynch.

The February 3 town hall session started at 7:00 pm. Carl Williams, a staff attorney with the American Civil Liberties Union (ACLU), also spoke and briefly discussed recent decisions by several federal court judges about President Trump's immigration ban, which applies to seven majority Muslim countries: Iraq, Syria, Iran, Libya, Somalia, Sudan, and Yemen. Late on Friday February 3, a federal court judge in Seattle decided to halt the immigration ban. This was the third major decision after one in New York and a second in Boston.

Partial view of February 3, 2017 town hall session. Milton HS auditorium. Click to view larger version The question-and-answer session started at about 7:55 pm and at least 20 constituents immediately lined up in the auditorium to ask questions. At the check-in table, Congressman Lynch's staff provided index cards for constituents to write and submit questions. During the session, constituents asked a variety of questions at the microphones, including (partial list):

  • How can we help refugees?
  • What will Congressman Lynch do to keep us safe?
  • How do we get our voices heard in other states?
  • Will Congressman Lynch fight for single payer healthcare plan as Republicans propose an alternative to the Affordable Care Act (a/k/a "Obamacare)?
  • How do we get Steve Bannon off the National Security Council?

Representative Lynch reminded constituents that due to the "Separation of Powers" built into our government, the legislative branch has no power to affect how the White House chooses to organize itself. He also reminded attendees of the 55-seat advantage the Republican party has in the House.

Besides several Executive Orders by President Trump, the House of Representatives has taken several actions and votes. I have found the E-Update Newsletter by Congressman Michael Capuano (Democrat, 7th District of Massachusetts) very informative with summaries about recent House activities in easy-to-understand language; plus a running list of activities. Representative Capuano's summaries also include the vote total by party. For example:

Excerpt from February 3, 2017 E-Update Newsletter by Representative Michael Capuano. Click to view larger version

Friday's town hall's agenda was scheduled to end at 9:00 pm. I left at that time, and hadn't heard any mention of security issues about the proposed wall between the United States and Mexico. The town hall was also Live on Facebook, but I found the audio quality poor at times. Always better to attend in person and ask questions directly of a Congressperson.

I did not see any reporters from local news media at the town hall session. If you attended the town hall session, what were your questions or comments? Below is a tweet by Representative Lynch about the town hall.


Cable, Telecom And Advertising Lobbies Ask Congress To Remove FCC Broadband Privacy Rules

The Association of National Advertisers (ANA) and 15 other cable, telecommunications, advertising lobbies sent a letter on January 27, 2017 to key leaders in Congress urging them to repeal the broadband privacy rules the U.S. Federal Communications Commission (FCC) adopted in October 2016 requiring Internet service providers (ISPs) to protect the privacy of their customers. 15 advertising and lobbyist groups co-signed the letter with the ANA: the American Cable Association, the Competitive Carriers Association, CTIA-The Wireless Association (formerly known as the Cellular Communications Industry Association), the Data & Marketing Association, the Internet Advertising Bureau, the U.S. Chamber of Commerce, the U.S. Telecom Association, and others.

The letter, available at the ANA site and here (Adobe PDF; 354.4k), explained the groups' reasoning:

"Unfortunately, in adopting new broadband privacy rules late last year, the Federal Communications Commission (“FCC”) took action that jeopardizes the vibrancy and success of the internet and the innovations the internet has and should continue to offer. While the FCC’s Order applies only to Internet Service Providers (“ISPs”), the onerous and unnecessary rules it adopted establish a very harmful precedent for the entire internet ecosystem. We therefore urge Congress to enact a resolution of disapproval pursuant to the Congressional Review Act (“CRA”) vitiating the Order.

Adopted on a party-line 3-2 vote just ten days before the Presidential election, over strenuous objections by the minority and strong concerns expressed by entities throughout the internet ecosystem, the new rules impose overly prescriptive online privacy and data security requirements that will conflict with established law, policy, and practice and cause consumer confusion... the FCC Order would create confusion and interfere with the
ability of consumers to receive customized services and capabilities they enjoy and be informed of new products and discount offers. Further, the Order would also result in consumers being bombarded with trivial data breach notifications."

Data breach notifications are trivial? After writing this blog for almost 10 years, I have learned they aren't. Consumers deserve to know when companies fail to protect their sensitive personal information. Most states have laws requiring breach notifications. It seems as these advertising groups don't want to be responsible nor held accountable.

The Hill explained the CRA and how it usually fails:

"The Congressional Review Act (CRA) has only worked precisely one time as a way for Congress to undo an executive branch regulation... The CRA was passed in 1996 as part of then-Speaker Newt Gingrich's (R-Ga.) "Contract with America." While executive branch agencies can only issue regulations pursuant to statutes passed by Congress, Congress wanted to find a way to make it easier to overturn those regulations. Previously there was a process by which, if one house of Congress voted to overturn the regulation, it was invalidated. This procedure was ruled unconstitutional by the Supreme Court in 1983.

Congress was still able to overturn an executive branch regulation by passing a law. Passing a law is, of course, subject to filibusters in the Senate. We've learned that the filibuster in recent years has made it quite difficult to pass laws. The CRA created a period of 60 "session days" (days in which Congress is in session) during which Congress could use expedited procedures to overturn a regulation.

Also on January 27, several consumer privacy advocates sent a letter (Adobe PDF) to the same Congressional representatives. The letter, signed by 20 privacy advocates including the American Civil Liberties Union, the Center for Democracy and Technology, the Center for Media Justice, Consumers Union, the National Hispanic Media Coalition, the Privacy Rights Clearing House, and others urging the Congressional representatives:

"... to oppose the use of the Congressional Review Act (CRA) to adopt a Resolution of Disapproval overturning the FCC’s broadband privacy order. That order implements the mandates in Section 222 of the 1996 Telecommunications Act, which an overwhelming, bipartisan majority of Congress enacted to protect telecommunications users’ privacy. The cable, telecom, wireless, and advertising lobbies request for CRA intervention is just another industry attempt to overturn rules that empower users and give them a say in how their private information may be used.

Not satisfied with trying to appeal the rules of the agency, industry lobbyists have asked Congress to punish internet users by way of restraining the FCC, when all the agency did was implement Congress’ own directive in the 1996 Act. This irresponsible, scorched-earth tactic is as harmful as it is hypocritical. If Congress were to take the industry up on its request, a Resolution of Disapproval could exempt internet service providers (ISPs) from any and all privacy rules at the FCC... It could also preclude the FCC from addressing any of the other issues in the privacy order like requiring data breach notification and from revisiting these issues as technology continues to evolve in the future... Without these rules, ISPs could use and disclose customer information at will. The result could be extensive harm caused by breaches or misuse of data.

Broadband ISPs, by virtue of their position as gatekeepers to everything on the internet, have a largely unencumbered view into their customers’ online communications. That includes the websites they visit, the videos they watch, and the messages they send. Even when that traffic is encrypted, ISPs can gather vast troves of valuable information on their users’ habits; but researchers have shown that much of the most sensitive information remains unencrypted. The FCC’s order simply restores people’s control over their personal information and lets them choose the terms on which ISPs can use it, share it, or sell it..."

The new FCC broadband privacy rules kept consumers in control of their online privacy. The new rules featured opt-in requirements allowing them to collect consumers' sensitive personal information only after gaining customers' explicit consent.

So, advertisers have finally stated clearly how much they care about protecting consumers' privacy. They really don't. They don't want any constraints upon their ability to collect and archive consumers' (your) sensitive personal information. During the 2016 presidential campaign, candidate and now President Donald Trump promised:

"One of the keys to unlocking growth is scaling-back years of disastrous regulations unilaterally imposed by our out-of-control bureaucracy. In 2015 alone, federal agencies issued over 3,300 final rules and regulations, up from 2,400 the prior year. Every year, over-regulation costs our economy $2 trillion dollars a year and reduces household wealth by almost $15,000 dollars. Mr. Trump has proposed a moratorium on new federal regulations that are not compelled by Congress or public safety, and will ask agency and department heads to identify all needless job-killing regulations and they will be removed... A complete regulatory overhaul will level the playing field for American workers and add trillions in new wealth to our economy – keeping companies here, expanding hiring and investment, and bringing thousands of new companies to our shores."

Are FCC rules protecting your privacy "over-regulation," "onerous and unnecessary?" Are FCC privacy rules keeping consumers in control over their sensitive personal information "disastrous?" Will the Trump administration side with corporate lobbies or consumers' privacy protections? We shall quickly see.

There is a clue what the answer to that question will be. President Trump has named Ajit Pai, a Republican member of the Federal Communications Commission, as the new FCC chair replacing Tom Wheeler, the former chair and Democrat, who stepped down on Friday. This will also give the Republicans a majority on the FCC.

Pai is also an opponent of net neutrality rules the FCC has also adopted, which basically says consumers (and not ISPs) decided where consumers go on the Internet with their broadband connections. Republicans in Congress and lobby groups have long opposed net neutrality. In 2014, more than 100 tech firms urged the FCC to protect net neutrality. With a new President in the White House opposing regulations, some companies and lobby groups seem ready to undo these consumer protections.

What do you think?