13 posts from July 2017

Robotic Vacuum Cleaner Maker To Resell Data Collected Of Customers' Home Interiors

Do you use a robovac -- an autonomous WiFi-connected robotic vacuum cleaner -- in your home? Do you use the mobile app to control your robovac?

Gizmodo reports that iRobot, the maker of the Roomba robotic vacuum cleaner, plans to resell maps generated by robovacs to other smart-home device manufacturers:

"While it may seem like the information that a Roomba could gather is minimal, there’s a lot to be gleaned from the maps it’s constantly updating. It knows the floor plan of your home, the basic shape of everything on your floor, what areas require the most maintenance, and how often you require cleaning cycles, along with many other data points... If a company like Amazon, for example, wanted to improve its Echo smart speaker, the Roomba’s mapping info could certainly help out. Spatial mapping could improve audio performance by taking advantage of the room’s acoustics. Do you have a large room that’s practically empty? Targeted furniture ads might be quite effective. The laser and camera sensors would paint a nice portrait for lighting needs..."

Think about it. The maps identify whether you have one, none, or several sofas -- or other large furniture items. The maps also identify the size (square footage) of your home and the number of rooms. Got a hairy pet? If your robovac needs more frequent cleaning, that data is collected, too.

One can easily confirm this by reading the iRobot Privacy Policy:

"... Some of our Robots are equipped with smart technology which allows the Robots to transmit data wirelessly to the Service. For example, the Robot could collect and transmit information about the Robot’s function and use statistics, such as battery life and health, number of missions, the device identifier, and location mapping. When you register your Robot with the online App, the App will collect and maintain information about the Robot and/or App usage, feature usage, in-App transactions, technical specifications, crashes, and other information about how you use your Robot and the product App. We also collect information provided during set-up.

We use this information to collect and analyze statistics and usage data, diagnose and fix technology problems, enhance device performance, and improve user experience. We may use this information to provide you personalized communications, including marketing and promotional messages... Our Robots do not transmit this information unless you register your device online and connect to WiFi, Bluetooth, or connect to the internet via another method."

Everything seems focused upon making your robovac perform optimally. Seems. Read on:

"When you access the Service by or through a mobile device, we may receive or collect and store a unique identification numbers associated with your device or our mobile application (including, for example, a UDID, Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data, including GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your mobile device..."

Use the mobile app and your robovac's unique ID number can easily be associated with other data describing you, where you live, and your lifestyle. Valuable stuff.

Another important section of the privacy policy:

"We may share your personal information in the instances described... i) Other companies owned by or under common ownership as iRobot, which also includes our subsidiaries or our ultimate holding company and any subsidiaries it owns. These companies will use your personal information in the same way as we can under this Policy; ii) Third party vendors, affiliates, and other service providers that perform services on our behalf, solely in order to carry out their work for us, which may include identifying and serving targeted advertisements, providing e-commerce services, content or service fulfillment, billing, web site operation, payment processing and authorization, customer service, or providing analytics services.

Well, there seems to be plenty of wiggle room for iRobot to resell your data. And, that assumes it doesn't change its privacy policy to make resales easier. Note: this is not legal advice. If you want legal advice, hire an attorney. I am not an attorney.

The policy goes on to describe customers' choices for stopping or opting out of data collection programs for some data elements. If you've read that, then you know how to opt out of as much of the data collection as possible.

The whole affair highlights the fact that the data collected from different brands of smart devices in consumers' homes can be combined, massaged, and analyzed in new ways -- ways which probably are not apparent to consumers, and which reveal more about you than often desired. And, the whole affair is a reminder to read privacy policies before purchases. Know what valuable personal data you will give away for convenience.

Eyes wide open.

Got an autonomous robotic lawn mower? You might re-read the privacy policy for that, too.


National Parks: Buy Your Senior Pass Before the Price Hike

The U.S. National Park Service (NPS) is responsible for the care of the nation's parks. With 417 sites, its park system includes 129 historical parks or sites, 87 national monuments, 59 national parks, 25 battlefields or military parks, 19 preserves, 18 recreation areas, 10 seashores, four parkways, four lake shores, and two reserves. Last year, the NPS celebrated its 100th anniversary.

Visiting and camping within national parks are popular activities, especially during the summertime. More than 307 million persons visited the national park system during 2015. The NPS operates 879 visitor centers and contact stations. It employs more than 22,000 permanent, temporary, and seasonal workers. 440,000 volunteers assist those workers. Browse more NPS statistics (Adobe PDF), and the proposed 2018 budget to fix much deferred maintenance.

The NPS offers a variety of passes for frequent users and groups. Lifetime passes for seniors (age 62 or older) are a bargain since the pass covers the pass holder plus accompanying passengers in a single, private, non-commercial vehicle. The price of a senior pass will rise from $10.00 to $80.00 on August 28. For those counting, that is a 700 percent price increase!

U.S. citizens or permanent residents can buy passes. There are three ways to buy senior passes:

A $10.00 processing fee is charged for online and postal orders. Applicants must provide documentation proving citizenship and age. See the Frequently Asked Questions: Recreational Passes page (USGS site) for additional information, including forms of acceptable documentation. Within the parks and recreational sites, there may be additional fees for special services (e.g., camping, swimming, boat launch, specialized interpretive services). The senior pass may provide a 50 percent discount on these fees, but does not cover fees charged by concession stands.

Six agencies participate in the Interagency Pass Program: National Park Service, U.S. Forest Service, U.S. Fish and Wildlife Service, Bureau of Land Management, Bureau of Reclamation, and the U.S. Army Corps of Engineers. So, senior passes also provide access to other agencies' sites -- more than 2,000 sites in total.

Not a senior? Besides standard annual passes ($80.00 each), the NPS offers a variety of annual passes: free passes for military members and their dependents, passes for 4th grade students, free passes for persons with disabilities, and free passes for volunteers. To learn more, visit the NPS site and use its park search finder.

Want to buy your pass in person? Not all sites sell passes, so check this list of federal recreation sites that issue passes (Adobe PDF) for the site nearest to you.

I bought my senior pass at the Adams National Historic Park in Quincy, Massachusetts. The park includes the birthplaces of two presidents, the "summer White House," Stone Library, the Adams Carriage House, and 13 acres of historic landscape. Guided tours (April 19 - November 10) start at the visitor center (1250 Hancock Street, Quincy, MA), where senior, military, and 4th grade recreational passes can also be purchased in person.

National parks offer much to see and do. I've visited several national parks covering a wide variety of natural environments, scenery, and wildlife: Denali National Park, Glacier National Park, Grand Canyon National Park, Haleakala National Park, and Volcanoes National Park. Words and photos cannot express the beauty!

I want my grandchildren and great-grandchildren to be able to visit and see the natural wonders in our national parks. Have you visited a national park? Which is your favorite?


The Myth Of Drug Expiration Dates

[Editor's Note: some politicians and pundits repeatedly claim that the private sector is more efficient than the public sector. Today's blog post explores waste in the healthcare industry. Today's post is reprinted with permission.]

By Marshall Allen, ProPublica

The box of prescription drugs had been forgotten in a back closet of a retail pharmacy for so long that some of the pills predated the 1969 moon landing. Most were 30 to 40 years past their expiration dates -- possibly toxic, probably worthless.

But to Lee Cantrell, who helps run the California Poison Control System, the cache was an opportunity to answer an enduring question about the actual shelf life of drugs: Could these drugs from the bell-bottom era still be potent?

Cantrell called Roy Gerona, a University of California, San Francisco, researcher who specializes in analyzing chemicals. Gerona had grown up in the Philippines and had seen people recover from sickness by taking expired drugs with no apparent ill effects.

"This was very cool," Gerona says. "Who gets the chance of analyzing drugs that have been in storage for more than 30 years?"

The age of the drugs might have been bizarre, but the question the researchers wanted to answer wasn't. Pharmacies across the country -- in major medical centers and in neighborhood strip malls -- routinely toss out tons of scarce and potentially valuable prescription drugs when they hit their expiration dates.

Gerona and Cantrell, a pharmacist and toxicologist, knew that the term "expiration date" was a misnomer. The dates on drug labels are simply the point up to which the Food and Drug Administration and pharmaceutical companies guarantee their effectiveness, typically at two or three years. But the dates don't necessarily mean they're ineffective immediately after they "expire" -- just that there's no incentive for drugmakers to study whether they could still be usable.

ProPublica has been researching why the U.S. health care system is the most expensive in the world. One answer, broadly, is waste -- some of it buried in practices that the medical establishment and the rest of us take for granted. We've documented how hospitals often discard pricey new supplies, how nursing homes trash valuable medications after patients pass away or move out, and how drug companies create expensive combinations of cheap drugs. Experts estimate such squandering eats up about $765 billion a year -- as much as a quarter of all the country's health care spending.

What if the system is destroying drugs that are technically "expired" but could still be safely used?

In his lab, Gerona ran tests on the decades-old drugs, including some now defunct brands such as the diet pills Obocell (once pitched to doctors with a portly figurine called "Mr. Obocell") and Bamadex. Overall, the bottles contained 14 different compounds, including antihistamines, pain relievers and stimulants. All the drugs tested were in their original sealed containers.

The findings surprised both researchers: A dozen of the 14 compounds were still as potent as they were when they were manufactured, some at almost 100 percent of their labeled concentrations.

"Lo and behold," Cantrell says, "The active ingredients are pretty darn stable."

Cantrell and Gerona knew their findings had big implications. Perhaps no area of health care has provoked as much anger in recent years as prescription drugs. The news media is rife with stories of medications priced out of reach or of shortages of crucial drugs, sometimes because producing them is no longer profitable.

Tossing such drugs when they expire is doubly hard. One pharmacist at Newton-Wellesley Hospital outside Boston says the 240-bed facility is able to return some expired drugs for credit, but had to destroy about $200,000 worth last year. A commentary in the journal Mayo Clinic Proceedings cited similar losses at the nearby Tufts Medical Center. Play that out at hospitals across the country and the tab is significant: about $800 million per year. And that doesn't include the costs of expired drugs at long-term care pharmacies, retail pharmacies and in consumer medicine cabinets.

After Cantrell and Gerona published their findings in Archives of Internal Medicine in 2012, some readers accused them of being irresponsible and advising patients that it was OK to take expired drugs. Cantrell says they weren't recommending the use of expired medication, just reviewing the arbitrary way the dates are set.  

"Refining our prescription drug dating process could save billions," he says.

But after a brief burst of attention, the response to their study faded. That raises an even bigger question: If some drugs remain effective well beyond the date on their labels, why hasn't there been a push to extend their expiration dates?

It turns out that the FDA, the agency that helps set the dates, has long known the shelf life of some drugs can be extended, sometimes by years.

In fact, the federal government has saved a fortune by doing this.

For decades, the federal government has stockpiled massive stashes of medication, antidotes and vaccines in secure locations throughout the country. The drugs are worth tens of billions of dollars and would provide a first line of defense in case of a large-scale emergency.

Maintaining these stockpiles is expensive. The drugs have to be kept secure and at the proper humidity and temperature so they don't degrade. Luckily, the country has rarely needed to tap into many of the drugs, but this means they often reach their expiration dates. Though the government requires pharmacies to throw away expired drugs, it doesn't always follow these instructions itself. Instead, for more than 30 years, it has pulled some medicines and tested their quality.

The idea that drugs expire on specified dates goes back at least a half-century, when the FDA began requiring manufacturers to add this information to the label. The time limits allow the agency to ensure medications work safely and effectively for patients. To determine a new drug's shelf life, its maker zaps it with intense heat and soaks it with moisture to see how it degrades under stress. It also checks how it breaks down over time. The drug company then proposes an expiration date to the FDA, which reviews the data to ensure it supports the date and approves it. Despite the difference in drugs' makeup, most "expire" after two or three years.

Once a drug is launched, the makers run tests to ensure it continues to be effective up to its labeled expiration date. Since they are not required to check beyond it, most don't, largely because regulations make it expensive and time-consuming for manufacturers to extend expiration dates, says Yan Wu, an analytical chemist who is part of a focus group at the American Association of Pharmaceutical Scientists that looks at the long-term stability of drugs. Most companies, she says, would rather sell new drugs and develop additional products.

Pharmacists and researchers say there is no economic "win" for drug companies to investigate further. They ring up more sales when medications are tossed as "expired" by hospitals, retail pharmacies and consumers despite retaining their safety and effectiveness.

Industry officials say patient safety is their highest priority. Olivia Shopshear, director of science and regulatory advocacy for the drug industry trade group Pharmaceutical Research and Manufacturers of America, or PhRMA, says expiration dates are chosen "based on the period of time when any given lot will maintain its identity, potency and purity, which translates into safety for the patient."

That being said, it's an open secret among medical professionals that many drugs maintain their ability to combat ailments well after their labels say they don't. One pharmacist says he sometimes takes home expired over-the-counter medicine from his pharmacy so he and his family can use it.

The federal agencies that stockpile drugs -- including the military, the Centers for Disease Control and Prevention and the Department of Veterans Affairs -- have long realized the savings in revisiting expiration dates.

In 1986, the Air Force, hoping to save on replacement costs, asked the FDA if certain drugs' expiration dates could be extended. In response, the FDA and Defense Department created the Shelf Life Extension Program.

Each year, drugs from the stockpiles are selected based on their value and pending expiration and analyzed in batches to determine whether their end dates could be safely extended. For several decades, the program has found that the actual shelf life of many drugs is well beyond the original expiration dates.

A 2006 study of 122 drugs tested by the program showed that two-thirds of the expired medications were stable every time a lot was tested. Each of them had their expiration dates extended, on average, by more than four years, according to research published in the Journal of Pharmaceutical Sciences.

Some that failed to hold their potency include the common asthma inhalant albuterol, the topical rash spray diphenhydramine, and a local anesthetic made from lidocaine and epinephrine, the study said. But neither Cantrell nor Dr. Cathleen Clancy, associate medical director of National Capital Poison Center, a nonprofit organization affiliated with the George Washington University Medical Center, had heard of anyone being harmed by any expired drugs. Cantrell says there has been no recorded instance of such harm in medical literature.

Marc Young, a pharmacist who helped run the extension program from 2006 to 2009, says it has had a "ridiculous" return on investment. Each year the federal government saved $600 million to $800 million because it did not have to replace expired medication, he says.

An official with the Department of Defense, which maintains about $13.6 billion worth of drugs in its stockpile, says that in 2016 it cost $3.1 million to run the extension program, but it saved the department from replacing $2.1 billion in expired drugs. To put the magnitude of that return on investment into everyday terms: It's like spending a dollar to save $677.

"We didn't have any idea that some of the products would be so damn stable -- so robustly stable beyond the shelf life," says Ajaz Hussain, one of the scientists who formerly helped oversee the extension program.

Hussain is now president of the National Institute for Pharmaceutical Technology and Education, an organization of 17 universities that's working to reduce the cost of pharmaceutical development. He says the high price of drugs and shortages make it time to reexamine drug expiration dates in the commercial market.

"It's a shame to throw away good drugs," Hussain says.

Some medical providers have pushed for a changed approach to drug expiration dates -- with no success. In 2000, the American Medical Association, foretelling the current prescription drug crisis, adopted a resolution urging action. The shelf life of many drugs, it wrote, seems to be "considerably longer" than their expiration dates, leading to "unnecessary waste, higher pharmaceutical costs, and possibly reduced access to necessary drugs for some patients."

Citing the federal government's extension program, the AMA sent letters to the FDA, the U.S. Pharmacopeial Convention, which sets standards for drugs, and PhRMA asking for a re-examination of expiration dates.

No one remembers the details -- just that the effort fell flat.

"Nothing happened, but we tried," says rheumatologist Roy Altman, now 80, who helped write the AMA report. "I'm glad the subject is being brought up again. I think there's considerable waste."

At Newton-Wellesley Hospital, outside Boston, pharmacist David Berkowitz yearns for something to change.

On a recent weekday, Berkowitz sorted through bins and boxes of medication in a back hallway of the hospital's pharmacy, peering at expiration dates. As the pharmacy's assistant director, he carefully manages how the facility orders and dispenses drugs to patients. Running a pharmacy is like working in a restaurant because everything is perishable, he says, "but without the free food."

Federal and state laws prohibit pharmacists from dispensing expired drugs and The Joint Commission, which accredits thousands of health care organizations, requires facilities to remove expired medication from their supply. So at Newton-Wellesley, outdated drugs are shunted to shelves in the back of the pharmacy and marked with a sign that says: "Do Not Dispense." The piles grow for weeks until they are hauled away by a third-party company that has them destroyed. And then the bins fill again.

"I question the expiration dates on most of these drugs," Berkowitz says.

One of the plastic boxes is piled with EpiPens -- devices that automatically inject epinephrine to treat severe allergic reactions. They run almost $300 each. These are from emergency kits that are rarely used, which means they often expire. Berkowitz counts them, tossing each one with a clatter into a separate container, "that's 45, 46, 47." He finishes at 50. That's almost $15,000 in wasted EpiPens alone.

In May, Cantrell and Gerona published a study that examined 40 EpiPens and EpiPen Jrs., a smaller version, that had been expired for between one and 50 months. The devices had been donated by consumers, which meant they could have been stored in conditions that would cause them to break down, like a car's glove box or a steamy bathroom. The EpiPens also contain liquid medicine, which tends to be less stable than solid medications.

Testing showed 24 of the 40 expired devices contained at least 90 percent of their stated amount of epinephrine, enough to be considered as potent as when they were made. All of them contained at least 80 percent of their labeled concentration of medication. The takeaway? Even EpiPens stored in less than ideal conditions may last longer than their labels say they do, and if there's no other option, an expired EpiPen may be better than nothing, Cantrell says.

At Newton-Wellesley, Berkowitz keeps a spreadsheet of every outdated drug he throws away. The pharmacy sends what it can back for credit, but it doesn't come close to replacing what the hospital paid.

Then there's the added angst of tossing drugs that are in short supply. Berkowitz picks up a box of sodium bicarbonate, which is crucial for heart surgery and to treat certain overdoses. It's being rationed because there's so little available. He holds up a purple box of atropine, which gives patients a boost when they have low heart rates. It's also in short supply. In the federal government's stockpile, the expiration dates of both drugs have been extended, but they have to be thrown away by Berkowitz and other hospital pharmacists.

The 2006 FDA study of the extension program also said it pushed back the expiration date on lots of mannitol, a diuretic, for an average of five years. Berkowitz has to toss his out. Expired naloxone? The drug reverses narcotic overdoses in an emergency and is currently in wide use in the opioid epidemic. The FDA extended its use-by date for the stockpiled drugs, but Berkowitz has to trash it.

On rare occasions, a pharmaceutical company will extend the expiration dates of its own products because of shortages. That's what happened in June, when the FDA posted extended expiration dates from Pfizer for batches of its injectable atropine, dextrose, epinephrine and sodium bicarbonate. The agency notice included the lot numbers of the batches being extended and added six months to a year to their expiration dates.

The news sent Berkowitz running to his expired drugs to see if any could be put back into his supply. His team rescued four boxes of the syringes from destruction, including 75 atropine, 15 dextrose, 164 epinephrine and 22 sodium bicarbonate. Total value: $7,500. In a blink, "expired" drugs that were in the trash heap were put back into the pharmacy supply.

Berkowitz says he appreciated Pfizer's action, but feels it should be standard to make sure drugs that are still effective aren't thrown away.

"The question is: Should the FDA be doing more stability testing?" Berkowitz says. "Could they come up with a safe and systematic way to cut down on the drugs being wasted in hospitals?"

Four scientists who worked on the FDA extension program told ProPublica something like that could work for drugs stored in hospital pharmacies, where conditions are carefully controlled.

Greg Burel, director of the CDC's stockpile, says he worries that if drugmakers were forced to extend their expiration dates it could backfire, making it unprofitable to produce certain drugs and thereby reducing access or increasing prices.

The 2015 commentary in Mayo Clinic Proceedings, called "Extending Shelf Life Just Makes Sense," also suggested that drugmakers could be required to set a preliminary expiration date and then update it after long-term testing. An independent organization could also do testing similar to that done by the FDA extension program, or data from the extension program could be applied to properly stored medications.

ProPublica asked the FDA whether it could expand its extension program, or something like it, to hospital pharmacies, where drugs are stored in stable conditions similar to the national stockpile.

"The Agency does not have a position on the concept you have proposed," an official wrote back in an email.

Whatever the solution, the drug industry will need to be spurred in order to change, says Hussain, the former FDA scientist. "The FDA will have to take the lead for a solution to emerge," he says. "We are throwing away products that are certainly stable, and we need to do something about it."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Wisconsin Employer To Offer Its Employees ID Microchip Implants

A Wisconsin company said it will offer its employees, starting August 1, the option of having microchip identification implants. The company, Three Square Market (32M), will allow employees with the microchip implants to make purchases in the employee break room, open locked doors, log in to computers, use the copy machine, and perform related office tasks.

Each microchip, about the size of a grain of rice (see photo on the right), would be implanted under the skin in an employee's hand. The microchips use radio-frequency identification (RFID), a technology that's existed for a while and has been used in a variety of devices: employee badges, payment cards, passports, package tracking, and more. Each microchip electronically stores identification information about the user, and uses near-field communications (NFC). Instead of swiping a payment card, employee badge, or their smartphone, the employee can unlock a device by waving their hand near a chip reader attached to that device. Purchases in the employee break room can be made by waving their hand near a self-serve kiosk.

Reportedly, 32M would be the first employer in the USA to microchip its employees. CBS News reported in April about Epicenter, a startup based in Sweden:

"The [implant] injections have become so popular that workers at Epicenter hold parties for those willing to get implanted... Epicenter, which is home to more than 100 companies and some 2,000 workers, began implanting workers in January 2015. Now, about 150 workers have [chip implants]... as with most new technologies, it raises security and privacy issues. While biologically safe, the data generated by the chips can show how often an employee comes to work or what they buy. Unlike company swipe cards or smartphones, which can generate the same data, a person cannot easily separate themselves from the chip."

In an interview with Saint Paul-based KSTP, Todd Westby, the Chief Executive Officer at 32M, described the optional microchip program as:

"... the next thing that's inevitably going to happen, and we want to be a part of it..."

To implement its microchip implant program, 32M has partnered with Sweden-based BioHax International. Westby explained in a company announcement:

"Eventually, this technology will become standardized allowing you to use this as your passport, public transit, all purchasing opportunities... We see chip technology as the next evolution in payment systems, much like micro markets have steadily replaced vending machines... it is important that 32M continues leading the way with advancements such as chip implants..."

"Micro markets" are small stores located within employers' offices; typically the break rooms where employees relax and/or purchase food. 32M estimates 20,000 micro markets nationwide in the USA. According to its website, the company serves markets in North America, Europe, Asia, and Australia. 32M believes that micro markets, aided by chip implants and self-serve kiosks, offer employers greater employee productivity with lower costs.

Yes, the chip implants are similar to the chip implants many pet owners have inserted to identify their dogs or cats. 32M expects 50 employees to enroll in its chip implant program.

Reportedly, companies in Belgium and Sweden already use chip implants to identify employees. 32M's announcement did not list the data elements each employee's microchip would contain, nor whether the data in the microchips would be encrypted. Historically, unencrypted data stored by RFID technology has been vulnerable to skimming attacks by criminals using portable or hand-held RFID readers. Stolen information would be used to clone devices to commit identity theft and fraud.
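
Why a tag that only stores an unencrypted identifier can be cloned, and what a reader can require instead, shown as an added example (not code from 32M or BioHax, whose tag design the announcement does not describe). It compares a reader that trusts a static ID with one that demands a fresh HMAC challenge-response; the tag ID, key and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

TAG_ID = b"\x00\x00\x00\x2a"  # constructed 4-byte identifier, not a real tag


class StaticTag:
    """Tag that answers every reader with the same unencrypted identifier."""

    def __init__(self, tag_id):
        self.tag_id = tag_id

    def respond(self, challenge):
        # The challenge is ignored: nothing binds the reply to this session.
        return self.tag_id


class ChallengeResponseTag:
    """Tag holding a secret key that is never sent over the air."""

    def __init__(self, tag_id, key):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return self.tag_id + mac


class RecordedReply:
    """Stands in for a cloned device: it can only repeat bytes captured earlier."""

    def __init__(self, captured):
        self.captured = captured

    def respond(self, challenge):
        return self.captured


class StaticReader:
    """Door or kiosk reader that accepts any enrolled identifier."""

    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)

    def authenticate(self, tag):
        return tag.respond(b"") in self.enrolled


class ChallengeResponseReader:
    """Reader that sends a fresh random challenge and verifies the tag's MAC."""

    ID_LEN = len(TAG_ID)

    def __init__(self, keys_by_id):
        self.keys = dict(keys_by_id)

    def authenticate(self, tag):
        challenge = secrets.token_bytes(16)  # new nonce for every attempt
        reply = tag.respond(challenge)
        tag_id, mac = reply[:self.ID_LEN], reply[self.ID_LEN:]
        key = self.keys.get(tag_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def demo():
    """Run both designs against a genuine tag and a replayed recording."""
    key = secrets.token_bytes(32)

    static_tag = StaticTag(TAG_ID)
    static_reader = StaticReader([TAG_ID])
    static_copy = RecordedReply(static_tag.respond(b""))

    cr_tag = ChallengeResponseTag(TAG_ID, key)
    cr_reader = ChallengeResponseReader({TAG_ID: key})
    # A skimmer can only record the answer to a challenge it chose itself.
    cr_copy = RecordedReply(cr_tag.respond(secrets.token_bytes(16)))

    return {
        "static_genuine": static_reader.authenticate(static_tag),
        "static_replay": static_reader.authenticate(static_copy),
        "cr_genuine": cr_reader.authenticate(cr_tag),
        "cr_replay": cr_reader.authenticate(cr_copy),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The static reader accepts the recording because the identifier is the whole credential; the challenge-response reader rejects it because the recorded MAC was computed over a different nonce.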

Some states, such as Washington and California, passed anti-skimming laws. Prior government-industry workshops about RFID usage focused upon consumer products, and not employment concerns. Earlier this year, lawmakers in Nevada introduced legislation making it illegal to require employees to accept microchip implants.

A BBC News reporter discussed in 2015 what it is like to be "chipped." And as CBS News reported:

"... hackers could conceivably gain huge swathes of information from embedded microchips. The ethical dilemmas will become bigger the more sophisticated the microchips become. The data that you could possibly get from a chip that is embedded in your body is a lot different from the data that you can get from a smartphone..."

Example: employers installing RFID readers for employees to unlock bathrooms means employers can track when, where, how often, and the duration employees use bathrooms. How does that sound?

Hopefully, future announcements by 32M will discuss the security features and protections. What are your opinions? Are you willing to be an office cyborg? Should employees have a choice, or should employers be able to force their employees to accept microchip implants? How do you feel about your employer tracking what you eat and drink via purchases with your chip implant?

Many employers publish social media policies covering what employees should (shouldn't, or can't) publish online. Should employers have microchip implant policies, too? If so, what should these policies state?


Microsoft Fights Foreign Cyber Criminals And Spies

The Daily Beast explained how Microsoft fights cyber criminals and spies, some of whom have alleged ties to the Kremlin:

"Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents.

Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft an omniscient view of that servers’ network of automated spies."

Kudos to Microsoft and its attorneys.


U.S. Treasury Department Fined ExxonMobil $2 Million For Sanction Violations

On Thursday, the U.S. Department of the Treasury fined ExxonMobil Corporation $2 million for violations of sanctions while current Secretary of State Rex Tillerson was the company's Chief Executive Officer. The Office of Foreign Assets Control (OFAC) within the Treasury Department issued the fine. According to the announcement:

"Between on or about May 14, 2014 and on or about May 23, 2014, ExxonMobil violated § 589.201 of the Ukraine-Related Sanctions Regulations when the presidents of its U.S. subsidiaries dealt in services of an individual whose property and interests in property were blocked, namely, by signing eight legal documents related to oil and gas projects in Russia with Igor Sechin, the President of Rosneft OAO, and an individual identified on OFAC’s List of Specially Designated Nationals and Blocked Persons.

OFAC determined that ExxonMobil did not voluntarily self-disclose the violations to OFAC, and that the violations constitute an egregious case."

During March of 2014, Russia officially annexed Crimea, a peninsula in the Black Sea, from Ukraine. Moscow retaliated by banning nine U.S. officials and lawmakers from entering Russia. Then, President Obama ordered more sanctions against two-dozen members of Putin's inner circle and against Bank Rossiya, the Russian bank supporting them.

During August of 2014, Russian troops invaded eastern areas of Ukraine along the country's southeast coast. Reportedly, Russian troops fought with pro-Russia rebels against Ukrainian military.

The Treasury Department released an "Enforcement Information for July 20, 2017" document which stated in part:

"... ExxonMobil did not voluntarily self-disclose the violations to OFAC and that the violations constitute an egregious case. Both the base civil monetary penalty and the statutory maximum civil monetary penalty amounts for the violations were $2,000,000. OFAC thoroughly considered the arguments ExxonMobil set forth in its submissions to OFAC, and the penalty amount reflects OFAC's consideration of the following facts and circumstances... OFAC considered the following to be aggravating factors: (1) ExxonMobil demonstrated reckless disregard for U.S. sanctions requirements when it failed to consider warning signs associated with dealing in the blocked services of an SDN; (2) ExxonMobil's senior-most executives knew of Sechin's status as an SDN when they dealt in the blocked services of Sechin; (3) ExxonMobil caused significant harm to the Ukraine-related sanctions program objectives by engaging the services of an SDN designated on the basis that he is an official of the Government of the Russian Federation contributing to the crisis in Ukraine; and (4) ExxonMobil is a sophisticated and experienced oil and gas company that has global operations and routinely deals in goods, services, and technology subject to U.S economic sanctions and U.S. export controls. OFAC considered the following to be a mitigating factor: ExxonMobil has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the first transaction giving rise to the violation..."

It seems that OFAC would have fined ExxonMobil more if it could have. During 2016, ExxonMobil generated sales revenues of $197.52 billion and net income of $7.84 billion. So, the company can easily afford this fine.

ExxonMobil issued a press release on July 20 which denied the violations and claimed that it had received clear guidance from the Treasury Department that the transactions were legal, "so long as the activity related to Rosneft’s business and not Sechin’s personal business." The press release also cited several news sources. You'd think that the company's executives would simply have gone straight to the source, the OFAC, and bypassed intermediaries.

The OFAC Enforcement Information document debunked the energy company's claim:

"ExxonMobil claims that it interpreted press statements as establishing a distinction between Sechin's "professional" and "personal" capacity, in part citing to a news article published in April 2014 that quoted a Department of the Treasury representative as saying that a U.S. person would not be prohibited from participating in a meeting of Rosneft's board of directors. However, that brief statement did not address the conduct in this case.

Furthermore, the plain language of the Ukraine-Related Sanctions Regulations (which were issued after the Executive branch statements) and E.O. 13661 do not contain a "personal" versus "professional" distinction, and OFAC has neither interpreted its Regulations in that manner nor endorsed such a distinction. The press release statements provided context for the policy rationale surrounding the targeted approach during the early days of the Ukraine crisis, which was to isolate designated individuals who were targeted as a result of the crisis in Ukraine, rather than imposing blocking sanctions on the large companies that they managed. No materials issued by the White House or the Department of the Treasury asserted an exception or carve-out for the professional conduct of designated or blocked persons, nor did any materials suggest that U.S. persons could continue to conduct or engage in business with such individuals.

Separately, there was a Frequently Asked Question (FAQ) publicly available on the OFAC website at the time of the violations that specifically spoke to the conduct at issue in this case..."

The Enforcement Information document is available at the Treasury Department's website and here (Adobe PDF).

While at the Treasury Department's website, I noticed that the Treasury Notes blog stopped publishing on January 19, 2017 -- about the same time as the Presidential Inauguration. What's up with that? Does the Treasury Department, under the Trump Administration, believe that it is okay not to inform citizens, taxpayers, and voters?


Survey: Online Harassment In 2017

What is online life like for many United States residents? A recent survey by the Pew Research Center provides a good view. 41 percent of adults surveyed have personally experienced online harassment. Even more, 66 percent, witnessed online harassment directed at others.

The types of online harassment behaviors vary from the less severe (e.g., offensive name calling, efforts to embarrass someone) to the more severe (e.g., physical threats, harassment over a sustained period, sexual harassment, stalking). 18 percent of survey participants -- nearly one out of every five persons -- reported that they had experienced severe behaviors.

Americans reported that social networking sites are the most common locations for online harassment experiences. Of the 41 percent of survey participants who personally experienced online harassment, most of those (82 percent) cited a single site and 58 percent cited "social media."

The reasons vary. 14 percent of survey respondents reported they had been harassed online specifically because of their politics; 9 percent reported that they were targeted due to their physical appearance; e percent said they were targeted due to their race or ethnicity; and 8 percent said they were targeted due to their gender. 5 percent said they were targeted due to their religion, and 3 percent said they were targeted due to their sexual orientation.

Some groups experience online harassment more than others. Pew found that younger adults, under age 30, are more likely to experience severe forms of online harassment. Similarly, younger adults are also more likely to witness online harassment targeting others. Pew also found:

"... one-in-four blacks say they have been targeted with harassment online because of their race or ethnicity, as have one-in-ten Hispanics. The share among whites is lower (3%). Similarly, women are about twice as likely as men to say they have been targeted as a result of their gender (11% vs. 5%). Men, however, are around twice as likely as women to say they have experienced harassment online as a result of their political views (19% vs. 10%). Similar shares of Democrats and Republicans say they have been harassed online..."

The impacts upon victims vary, too:

"... ranging from mental or emotional stress to reputational damage or even fear for one’s personal safety. At the same time, harassment does not have to be experienced directly to leave an impact. Around one-quarter of Americans (27%) say they have decided not to post something online after witnessing the harassment of others, while more than one-in-ten (13%) say they have stopped using an online service after witnessing other users engage in harassing behaviors..."

And, attitudes vary by gender. See the table on the right. More women than men consider online harassment a "major problem," and men prioritize free speech over online safety while women prioritize safety first. And, 83 percent of young women (e.g., ages 18 - 29) viewed online harassment as a major problem. Perhaps most importantly, persons who have "faced severe forms of online harassment differ in experiences, reactions, and attitudes."

Pew Research also found that persons who experience severe forms of online harassment, "are more likely to be targeted for personal characteristics and to face offline consequences." So, what happens online doesn't necessarily stay online.

The perpetrators vary, too. Of the 41 percent of survey participants who personally experienced online harassment, 34 percent said the perpetrator was a stranger, and 31 percent said they didn't know the perpetrator's real identity. Also, 26 percent said the perpetrator was an acquaintance, followed by friend (18 percent), family member (11 percent), former romantic partner (7 percent), and coworker (5 percent).

Pew Research found that the number of Americans who experienced online harassment has increased slightly from 35 percent during a 2014 survey. Pew Research Center surveyed 4,248 U.S. adults during January 9 - 23, 2017. 

Next Steps
62 percent of survey participants view online harassment as a major problem. 5 percent do not consider it a problem at all. People who have experienced severe forms of online harassment said that they have already taken action. Those actions include a mix: a) set up or adjust privacy settings for their profiles in online services, b) reported offensive content to the online service, c) responded directly to the harasser, d) offered support to others targeted, e) changed information in their online profiles, and f) stopped using specific online services.

Views vary about which entities bear responsibility for solutions. 79 percent of survey respondents said that online services have a duty to intervene when harassment occurs on their service. 35 percent believe that better policies and tools from online services are the best way to address online harassment.

Meanwhile, 60 percent said that bystanders who witness online harassment "should play a major role in addressing this issue," and 15 percent view peer pressure as an effective solution. 49 percent said law enforcement should play a major role in addressing online harassment, while 31 percent said stronger laws are needed. Perhaps most troubling:

"... a sizable proportion of Americans (43%) say that law enforcement currently does not take online harassment incidents seriously enough."

Among persons who have experienced severe forms of online harassment, 55 percent said that law enforcement does not take the incidents seriously enough. Compare that statistic with this: nearly three-quarters (73 percent) of young men (ages 18 - 29) feel that offensive online content is taken too seriously.

And Americans are highly divided about how to balance safety concerns versus free speech:

"When asked how they would prioritize these competing interests, 45% of Americans say it is more important to let people speak their minds freely online; a slightly larger share (53%) feels that it is more important for people to feel welcome and safe online.

Americans are also relatively divided on just how seriously offensive content online should be treated. Some 43% of Americans say that offensive speech online is too often excused as not being a big deal, but a larger share (56%) feel that many people take offensive content online too seriously."

With such divergent views, one wonders if the problem of online harassment can be easily solved. What are your opinions about online harassment?


CBP Responds To Senator's Query About Border Searches Of Returning Travelers' Devices

This has implications for all U.S. citizens returning to the country from international travel; business or vacation. An important exchange occurred recently between government officials about Fourth Amendment rights and protections, or the lack thereof, for citizens.

Earlier this year, U.S. Senator Ron Wyden (D-Oregon) sent a letter (Adobe PDF) asking the Department of Homeland Security (DHS), the parent agency of U.S. Customs & Border Protection (CBP), about CBP's detaining of citizens returning from international travel, and warrantless demands to access citizens' locked mobile devices. The Senator's letter read in part:

"Dear Secretary Kelly,
I am alarmed by recent media reports of Americans being detained by CBP and pressured to give CBP agents access to their smartphone PIN numbers or otherwise provide access to locked devices. These reports are particularly troubling, particularly in light of your recent comments suggesting that CBP might begin demanding social media passwords from visitors to the United States. With those passwords, CBP may then be able to log into accounts and access data that they would only be able to get from Internet companies with a warrant. Circumventing the normal protections for such private information is simply unacceptable.

There are well-established rules governing how law enforcement agencies may obtain data from social media companies and email providers... In addition to violating the privacy and civil liberties of travelers, these digital dragnet border search practices weaken our national and economic security. Indiscriminate digital searches distract CBP from its core mission and needlessly divert agency resources away from those who truly threaten our nation. Likewise, if businesses fear their data can be seized when employees cross the border, they may reduce non-essential employee international travel, or deploy technical countermeasures..."

Senator Wyden's concerns focus upon the rights of companies and individuals to protect intellectual property, without which many businesses -- large, small, startups, and journalists -- cannot operate. Senator Wyden asked for a response from DHS by March 20, 2017 with answers to five questions (links added):

"1. What legal authority permits CBP to ask for, or demand, as a condition of entry, that a U.S. person disclose their social media or email password?
2. How is CBP use of a traveler's password to gain access to data stored in the cloud consistent with the Computer Fraud And Abuse Act?
3. What legal authority permits CBP to ask for, or demand, as a condition of entry, that a U.S. person turn over their device PIN or password to gain access to encrypted data? How are such demands consistent with the Fifth Amendment?
4. How many times in each calendar year 2012 - 2016 did CBP ask for, or demand, as a condition of entry, that a U.S. person disclose a smartphone or computer password, or otherwise provide access to a locked smartphone or computer? How many times has this occurred since January 20, 2017?
5. How many times in each calendar year 2012, 2013, 2014, 2015, and 2016 did CBP ask for, or demand, as a condition of entry, that a U.S. person disclose a social media or email account password, or otherwise provide CBP personnel access to data stored in an online account? How many times has this occurred since January 20, 2017?"

In April, Senator Wyden, with Senator Rand Paul (R-Kentucky), Representative Jared Polis (D-Colorado), and Representative Blake Farenthold (R-Texas) introduced the Protecting Data at the Border Act (PDBA) to ensure that U.S. citizens are not forced to endure indiscriminate and suspicion-less searches of their phones, laptops and other digital devices when crossing the United States' borders.

On June 20, Kevin McAleenan, the Nominee for CBP Commissioner, responded to Senator Wyden's letter. NBC News reported:

"U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News. The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn't have that authority in the first place... McAleenan's letter says officers can search a phone without consent and, except in very limited cases, without a warrant or even suspicion — but only for content that is saved directly to the device, like call histories, text messages, contacts, photos and videos... Travelers don't even have to unlock their devices or hand over their passwords when asked — but if they refuse, officers can "detain" the phone, McAleenan wrote."

When your phone or mobile device is detained, that means CBP agents keep it for a time before returning it to you. So, while you may enter the country fairly quickly, your seized device(s) may not. There are notable horror stories about travelers returning to the United States. It doesn't matter if the device is yours or your employer's.

McAleenan's letter did not answer questions #4 and #5 about search activity. Not good. In fact, the letter stated:

"DHS's May 9, 2017 letter stated that CBP did not have data responsive to this request."

Huh? This seems incredible. Consider this scenario: a CBP agent detains a citizen's device(s) and inspects those devices (with or without the assistance of another federal agency). McAleenan's response would have us believe that the CBP doesn't have data documenting this event. This implies that the CBP either doesn't collect or doesn't maintain records of how its agents account for their time: when, where, why, the duration, which agents inspected, and types of devices inspected; nor when the detained device was ultimately returned to its owner. It also implies that the CBP doesn't have any records (e.g., doesn't know) about when, where, or the amount of data uploaded from detained devices and stored in CBP databases. This seems unbelievable and a huge managerial failure.

During my business career I had to enter data into several online time-tracking systems, which tracked workers' time down to 15-minute intervals. Perhaps it is appropriate to query the CBP about its time-tracking systems. Some ad hoc queries may yield responsive data.

Moreover, the CBP site contains and displays plenty of statistics about the agency's operations (e.g., staffing, sector performance, etc.) and enforcement (e.g., "inadmissibles," illegal aliens apprehended, arrests of wanted criminals, drug seizures, gang affiliated enforcement, etc.), but nothing about citizens detained for device searches nor the volume of passwords collected.

More about that in a few minutes. So, keep reading.

What to make of this? U.S. citizens have no Fourth Amendment rights when traveling across our borders. Not good. It doesn't matter whether you are law-abiding or not. Not good. Why? How? McAleenan's letter confirmed it:

"While 8 U.S.C. 1357 is an example of CBP's authority to conduct a search in the immigration context, CBP currently operates under a host of additional statutory authorities that more broadly provide that all persons, baggage, and merchandise arriving, or departing from, the United States are subject to search, inspection, and detention. See, e.g., 19 U.S.C. 1461; 1496; 1499. Those statutory Customs authorities are applicable to all travelers entering the United States, regardless of their citizenship.

On this point, because CBP must determine the admissibility of both the traveler and his or her goods and baggage, even after a returning U.S. citizen has established their identity and U.S. citizenship, CBP may conduct a border search of the goods he or she is seeking to bring into the country to ensure that those goods are permitted to enter. In other words, because any traveler may be carrying an electronic device that contains evidence relating to offenses such as terrorism, illegal smuggling, child pornography, CBP's authority to search such a device at the border does not depend upon the citizenship of the traveler.

In the exceedingly rare instances when CBP seeks to conduct a border search of information in an electronic device -- which affects less than one-hundredth of one percent of travelers arriving to the United States because of a need to inspect that traveler's device. Therefore, although CBP may detain an arriving traveler's electronic device for further examination, in the limited circumstances when that is appropriate, CBP will not prevent a traveler who is confirmed to be a U.S. citizen from entering the country because of a need to conduct that additional examination..."

Exceedingly rare? Perhaps on a percentage basis. We know from the CBP statistics page:

"CBP officers processed more than 390 million travelers at air, land, and sea ports of entry in FY2016, including more than 119 million travelers at air ports of entry..."

Some simple math using data supplied by the CBP: 0.01 percent X 390 million = 39,000 passengers during 2016 who have had their electronic devices detained and searched for information. Next, multiply that annual total by 10 or more years. The true total fast approaches half a million incidents.

Plus, the detainment and search rate may not be rare at all for frequent travelers. Some jobs require employees to travel frequently to international destinations.

Also, the above statement highlights the CBP approach: all travelers entering the country are presumed to be threats without any supporting data or evidence. No Fourth Amendment protections for U.S. citizens at our borders. Do you find this troubling? I hope that you do. Contact your elected representatives and demand that they support the Protecting Data at the Border Act.

A wise friend once said, "You just can't run away from the Fourth Amendment." I agree. What do you think?


CFPB Issues New Rule Governing Arbitration Clauses

The products and services many consumers purchase include contractual agreements with arbitration clauses, which prohibit consumers from getting relief by joining class-action lawsuits. Those clauses also specify the out-of-court process to resolve disagreements and the upfront fees consumers must pay.

Many of you have heard of the phrase, "binding arbitration." Regular readers of this blog are familiar with the issues with binding arbitration. Many popular mobile apps, websites, streaming video services, and some augmented-reality (AR) mobile games contain these clauses. The Public Citizen website lists the banks, retail stores, entertainment, online shopping, telecommunications, consumer electronics, software, nursing homes, and health care companies that include binding arbitration clauses in their contracts with customers.

To achieve a better balance between the needs of consumers versus the needs of corporations, the Consumer Financial Protection Bureau (CFPB) has issued new rules governing arbitration clauses. The CFPB explained:

"No matter how many people are harmed by the same conduct, most arbitration clauses require people to bring claims individually against the company, outside the court system, before a private individual (an arbitrator). Companies know that people almost never spend the time or money to pursue relief when the amounts at stake are small, so few people do this. Our new rule will restore the ability of groups of people to file or join group lawsuits. In some cases, not only will companies have to provide relief, they will also have to change their behavior moving forward.

People who would otherwise have to go it alone or give up, will be able to join with others to pursue justice and some remedy for their harm."

Richard Cordray, the Director of the CFPB, in a statement briefly discussed the history:

"Originally, arbitration was primarily used for disagreements between two businesses. But over the last quarter century or so, companies started adding arbitration clauses to their consumer contracts... In 2007, Congress passed the Military Lending Act, which disallows mandatory arbitration clauses in connection with certain loans made to servicemembers. Three years later, in the Dodd-Frank Wall Street Reform and Consumer Protection Act, Congress went further and banned mandatory arbitration clauses in most residential mortgage contracts."

Supporters of binding arbitration clauses have long fought pro-consumer action by the CFPB. Director Cordray also discussed the new CFPB rule:

"A cherished tenet of our justice system is that no one, no matter how big or how powerful, should escape accountability if they break the law. But right now, many contracts for consumer financial products like bank accounts and credit cards come with a mandatory arbitration clause that makes it virtually impossible for people to sue the company as a group if things go wrong. On paper, these clauses simply say that either party can opt to have disputes resolved by private individuals known as arbitrators rather than by the court system. In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal rights..."

"The breadth and application of these clauses can be unexpected and severe. For example, when Wells Fargo opened millions of deposit and credit card accounts without the knowledge or consent of consumers, arbitration clauses in existing account contracts blocked their customers from bringing group lawsuits for the unauthorized account openings. Companies have argued that group lawsuits are unnecessary because the government can pursue enforcement actions to address the same problems. But consumers should be able to stand up for themselves and pursue their own legal rights without having to wait on the government. And the government has limited resources..."

The CFPB also produced this video:

What are your opinions of binding arbitration clauses? Were you aware of them? What are your opinions of the new CFPB rule?


Real Scams, Real Cons and Fake Law Enforcement

[Editor's Note: Today's guest post is by Arkady Bukh of Bukh & Associates, PLLC which specializes in criminal law, family law, and several areas of civil law. Aware consumers know how to recognize scams.]

By Arkady Bukh, Esq.

A man in Nigeria died recently. When the coroner went to the home for the body, he found $25 BILLION dollars. Apparently, the decedent had been trying to give away his money for years, but no one answered his email.

If you've been on the Internet for over, say, one hour, you recognize the source for that joke. The Nigerian email scam is so infamous it's been given its own, easily recognizable, name: The Nigerian Email Scam.

Despite scams and cons being popular online, they're not confined to the virtual world. They crop up in the real world, too. Often, in unexpected ways.

Pennsylvania Teen Tries to Scam and It Doesn’t Go Well at Home
Police in Westtown Township nabbed a teenage boy in March after linking the kid to a scam involving fake traffic tickets. The fraudulent fines were placed in mailboxes at four homes. Each fake ticket claimed the homeowners' vehicle was captured on camera speeding in nearby West Chester. An accompanying note asked for $96 to be left in the mailbox.

"It does look real," said Jackie McGlone, a West Chester resident.

Detectives found that the photographs of the vehicles' plates were taken while the cars were parked, unoccupied, in their owners' driveways.

Police tracked the 16-year old boy, who lives in the area, by a tip phoned in by the teenager's dad.

The teen's father found some notifications waiting to be mailed and called the police. Charges are pending.

Truckers Lose Big Money in Oregon
In 2013, an Oregon-based scam dug into the pockets of truck drivers with automated calls telling them to pay their unpaid traffic tickets using re-loadable debit cards — or face a penalty.

The caller identified himself as, "Alex James Murphy of the Oregon State Police," and informed drivers of a bench warrant for an outstanding speeding ticket. To pay, the drivers were told to buy re-loadable prepaid cards through Green Dot MoneyPak, put $154 on the card, and then call a second phone number to provide the card information.

If the driver does all that, they'll find out there was never an unpaid speeding ticket and their $154 has hit the road. The scam, which occasionally crops up in different places, first appeared on the radar in November 2012 and has gone through a few variations since.

An offshoot which also relies on confusing the lines between a con artist and legitimate law enforcement agencies is the “Support Your Sheriff” sticker scam. The Federal Trade Commission's website has a page warning consumers about cons which play on citizens' desire to help support local law enforcement.

Fake Police
A vehicle which appears to be an unmarked police car pulls you over. The 'officer' says you are about to be handed a large fine and see points added to your driver's license. "However," says the supposed cop, "you can avoid this by paying a smaller fee, up front, in cash."

That's not a tactic used by legitimate law enforcement agencies anywhere. Real cops want to make sure the law is obeyed; they are not about offering a discount if a speeder pays on the front end. Legitimate cops will issue a real ticket that must be paid in person, or by mail, at the department.

If in doubt, request another officer to come to the scene. It's your right.

Phishing Scam
Someone receives an e-mail message telling them they are guilty of a traffic violation. A wise person will delete the email immediately. Any email saying you owe money for traffic tickets is a phishing scam.

Usually, the email says the person needs to pay for the traffic citation right now. The e-mail includes a link where the individual can find details. The link often contains a computer virus and can redirect the user to a phishing page meant to request personal information from the user.

Buy a Sticker and Get Out of Jail Free
Scammers have called individuals at work and at home, claiming the local Department of Public Safety (DPS) offers decals for autos with the DPS logo to waive their next traffic ticket.

The caller instructs the person to place the sticker next to the car's license plate. To get the sticker, the vehicle owner must pay $10. Many persons fall for the scam as $10 is smaller than any traffic ticket issued after 1946.

If you get a traffic citation, you broke the law. You will pay for that. There is no such thing as a law enforcement sticker which gets you one free traffic ticket.


Data Breach Exposes Information Of Millions Of Verizon Customers

A data breach at Verizon has exposed the sensitive information of millions of customers. ZD Net reported:

"As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of NICE Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address."

Many businesses use cloud services vendors -- Amazon Web Services and other vendors -- to outsource the storage of customers' information in online databases. While the practice isn't new, a problem is that customers aren't always informed that a business handles their sensitive information this way.

Founded in 1986, NICE Systems has 3,500 employees, serves about 25,000 customers in 150 countries, and provides services to 85 percent of Fortune 100 companies. The exact number of affected Verizon customers is disputed.

The security firm UpGuard found the unprotected cloud-based storage server:

"UpGuard's Cyber Risk Team can now report that a mis-configured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon. (UPDATE: July 12, 3 PM PST - Both NICE Systems and Verizon have since confirmed the veracity of the exposure, while a Verizon spokesperson has claimed that only 6 million customers had data exposed)."

Whether the total number of breach victims is 6 or 14 million customers, neither is good. The phrase "account details" is troubling. That could mean anything from e-mail addresses to payment information to residential addresses, or more.

UpGuard's announcement added:

"Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.

Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data... Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."

Agreed. This outsourcing business practice may be profitable for all companies involved, but the outsourcing practice does not decrease the risks. Not good. Mis-configured cloud servers should not happen. Not good. The event raises the question: when has this happened before, but gone undetected?

Verizon released a statement about the incident:

"... an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.

To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts..."

Typically, after a breach, companies hire independent security experts to investigate it and the contributing causes. Verizon's announcement did not state who, if anyone, it hired to perform a post-breach investigation, nor when. So, according to Verizon: no big deal. No problem. Hmmmmm.

Reportedly, UpGuard notified Verizon about the breach on June 13, and the breach was fixed on June 22. UpGuard added:

"The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling."

Troubling, indeed. What took Verizon (and/or NICE Systems) so long? Verizon's statement didn't say. And what is Verizon (and/or NICE Systems) doing so this type of breach doesn't happen again? I look forward to upcoming explanations by both companies.

Readers: what are your opinions of this data breach? Of how long it took Verizon to fix things? Of the outsourcing practice? Verizon customers:

  • Is Verizon doing enough to protect your sensitive data?
  • Should affected customers be notified directly?
  • Have you received a breach notice from Verizon? If so, share some of its details.

ProPublica Seeks Input From Former IBM Employees

This news item immediately caught my attention, since a data breach in 2007 at IBM Inc. was the original inspiration for this blog. And the tech company had another breach in 2009. The company has struggled against other tech companies.

Earlier this month, IBM completed a blockchain trial with Westpac and ANZ. According to Yahoo News and Zacks Equity Research, blockchain:

"... is a kind of distributed database and works as an online ledger that cannot be altered or breached easily. The use of such technologies in the banking and finance sector is aimed at reducing the possibility of losing valuable data as well as minimizing the rate of cybercrime in the finance industry.

Notably, IBM is one of major players in the Blockchain market. This is the second significant deal for the company in this technology space..."

The reporters at ProPublica seek input from former IBM employees who left the company during the last few years. Why? The computing and technology company has:

"... been upending its workforce, often with painful results for longtime employees. According to one estimate, IBM’s U.S. employment, which peaked at 230,000, had dropped to about 70,000 by mid-2015, largely the product of layoffs and retirements. And six weeks ago, IBM told thousands of its telecommuting employees to start reporting to particular offices, which in many cases would involve long-distance moves. That, or resign. As a result, hundreds, perhaps thousands, more IBMers are leaving the company.

IBM has long been a corporate leader in employment practices. That means the way it treats its employees speaks volumes about what lies ahead for working people everywhere. But IBM executives won’t tell their workers or the public how many people are leaving this year. They refuse to provide the numbers for 2016, 2015, or 2014 either, to explain the logic behind who gets tapped to go, or exactly how the departures fit into a larger strategy.

We’re asking you to help us get the numbers and, with them, answers."

Former IBM employees interested in providing input should complete this brief questionnaire at the ProPublica site.


Presidential Commission Demands Massive Amounts of State Voter Data

[Editor's Note: today's guest blog post, by the reporters at ProPublica, explores issues of alleged voter fraud, and the problems with analyses claiming multiple voter registrations across states. It is reprinted with permission.]

by Jessica Huseman, ProPublica

On June 28, all 50 states were sent letters from Kris Kobach -- vice chair for the Presidential Advisory Commission on Election Integrity -- requesting information on voter fraud, election security and copies of every state's voter roll data.

The letter asked state officials to deliver the data within two weeks, and says that all information turned over to the commission will be made public. The letter does not explain what the commission plans to do with voter roll data, which often includes the names, ages and addresses of registered voters. The commission also asked for information beyond what is typically contained in voter registration records, including Social Security numbers and military status, if the state election databases contain it.

President Donald Trump established the commission through an executive order on March 11. Its stated goal is to "promote fair and honest Federal elections" and it is chaired by Vice President Mike Pence. The commission plans to present a report to Trump that identifies vulnerabilities in the voting system that could lead to fraud and makes recommendations for enhancing voters' confidence in election integrity. No deadline has been set for completion of the work.

A number of experts, as well as at least one state official, reacted with a mix of alarm and bafflement. Some saw political motivations behind the requests, while others said making such information public would create a national voter registration list, a move that could create new election problems.

"You'd think there would want to be a lot of thought behind security and access protocols for a national voter file, before you up and created one," said Justin Levitt, a professor at Loyola University School of Law and former Department of Justice civil rights official. "This is asking to create a national voter file in two weeks."

David Becker, the executive director of the Center for Election Innovation & Research, also expressed serious concerns about the request. "It's probably a good idea not to make publicly available the name, address and military status of the people who are serving our armed forces to anyone who requests it," he said.

Kobach, the secretary of state in Kansas, has been concerned about voter fraud for years. His signature piece of legislation was a law requiring Kansans to show proof of citizenship when they register to vote, which is currently ensnarled in a fraught court battle with the American Civil Liberties Union. He has written that he believes people vote twice with "alarming regularity," and also that non-citizens frequently vote. Multiple studies have shown neither happens with any consistency.

Kobach also runs the Interstate Voter Registration Crosscheck Program, a proprietary piece of software started by Kansas Secretary of State Ron Thornburgh in 2005. Under the program, 30 states pool their voter information and attempt to identify people who are registered in more than one state.

Some expect the information Kobach has requested will be used to create a national system that would include data from all 50 states.

It is not uncommon for voters to be registered in more than one state. Many members of Trump's inner circle -- including his son-in-law Jared Kushner and daughter Tiffany Trump -- were registered to vote in two states. Given the frequency with which voters move across state lines and re-register, the act of holding two registrations is not in itself fraud. There is no evidence to suggest that voting twice is a widespread problem, though experts say removing duplicate registrations is a good practice if done carefully.

"In theory, I don't think we have a problem with that as an idea, but the devil is always in the details," said Dale Ho, the director of the ACLU's Voting Rights Project. While he believes voter registration list maintenance is important, he says Kobach's Crosscheck program has been repeatedly shown to be ineffective and to produce false matches. A study by a group of political scientists at Stanford published earlier this year found that Crosscheck highlighted 200 false matches for every one true double vote.

"I have every reason to think that given the shoddy work that Mr. Kobach has done in this area in the past that this is going to be yet another boondoggle and a propaganda tool that tries to inflate the problem of double registration beyond what it actually is," Ho said.

Some experts already see sloppy work in this request. On at least one occasion, the commission directed the letter to the incorrect entity. In North Carolina, it addressed and sent the letter to Secretary of State Elaine Marshall, who has no authority over elections or the voter rolls. In that state, the North Carolina Board of Elections manages both.

Charles Stewart, a professor at MIT and expert in election administration, said it was proof of "sloppy staff work," and questioned the speed at which the letter was sent. "It seems to me that the data aren't going anywhere. Doing database matching is hard work, and you need to plan it out carefully," he said. "It's a naïve first undertaking by the commission, and reflects that the commission may be getting ahead of itself."

Connecticut Secretary of State Denise Merrill, who oversees voting in the state, said she was dismayed about the commission's failure to be clearer about what its intentions are. In a statement, Merrill said her office would share publicly available information with the commission. But she said that "in the same spirit of transparency" her office would request the commission "share any memos, meeting minutes or additional information as state officials have not been told precisely what the Commission is looking for."

"This lack of openness is all the more concerning, considering that the Vice Chair of the Commission, Kris Kobach, has a lengthy record of illegally disenfranchising eligible voters in Kansas," she wrote.

Alabama's Republican Secretary of State John Merrill (no relation) also indicated he had questions for Kobach regarding how much of the data would be made public and how Alabamans' privacy would be protected, even while he expressed support for the commission. "Kobach is a close friend, and I have full confidence in him and his ability, but before we turn over data of this magnitude to anybody we're going to make sure our questions are answered," he said.

Colorado Secretary of State Republican Wayne Williams, for his part, said he was not concerned with what the commission planned to do with the data. "Just like when we get a [public-records] request, we don't demand to know what they are going to do with the data," he said. "There are important reasons why the voter roll is publicly available information."

The extent to which voter roll data is public varies across the country. While some states, like North Carolina, make their voter rolls available for free download, other states charge high fees. Alabama, for example, charges one cent per voter in the roll for a total cost of more than $30,000. The state law provides a waiver for government entities, so Merrill said the commission would receive the data for free. Other states, like Virginia, do not make this information public beyond sharing it with formal campaigns and political candidates. When ProPublica tried to purchase Illinois' voter roll, our request was denied because they only release it to government entities for privacy reasons. Illinois did not respond to a request regarding whether they would release this information to the PCEI, which -- while a government entity -- intends to make the information public.

The letter from the commission also asks quite broad questions of state elections officials.

"What changes, if any, to federal election laws would you recommend to enhance the integrity of federal elections?" asks the first question. The letter also asked for all information and convictions related to any instance of voter fraud or registration fraud, and it solicited recommendations "for preventing voter intimidation or disenfranchisement."

"The equivalent is, 'Hey, doctors, what changes would you suggest regarding healthcare? Let us know in two weeks,'" said Levitt, the Loyola professor. "If I were a state election official, I wouldn't know what to do with this."

While the commission is being chaired by Vice President Mike Pence, Kobach signed the letter alone. Jon Greenbaum, chief counsel for the Lawyers' Committee for Civil Rights Under Law, said this is an indication that Kobach -- not Pence -- "will be running the show," which he said should be a point of concern.

"As we know with Kobach, he's obsessed with trying to identify voter fraud and finds it in a lot of places where it doesn't exist," he said.

Vanita Gupta, the former acting head of the Department of Justice's civil rights division under President Barack Obama, said the commission's letter was an indication the commission was "laying the groundwork" to carry out changes to the National Voter Registration Act that might seek to restrict access to the polls.

The National Voter Registration Act -- sometimes called the Motor Voter Act -- was enacted in 1993. It allows the DOJ the authority to ensure states keep voter registration lists, or voter rolls, accurate and up-to-date. It also requires states to offer opportunities for voter registration at all offices that provide public assistance (like the DMV).

In November, Kobach was photographed holding a paper addressing national security issues and proposing changes to the voter registration law. It is not clear what these changes were. The ACLU is involved in a lawsuit against Kansas' state law requiring people to show proof of citizenship in order to register to vote. As part of the suit, ACLU lawyers requested access to the document reflecting the changes Kobach proposed.

Originally Kobach told the court the document was beyond the scope of the lawsuit, but last week the court found the documents were relevant and that Kobach had intentionally misled the court. He was fined $1,000 for the offense and required to turn the document over. It has not yet been made public.

Gupta said her concern about the future of the voter registration act was deepened by the fact that, on June 29, the DOJ sent a letter to the 44 states covered by the act requesting information on the maintenance of their voter rolls. States were given 30 days to answer a set of detailed questions about their policies for list maintenance.

"The timing of the letters being issued on the same day is curious at the very least," she said.

The White House and the DOJ did not respond to requests for comment about the letters.

The letter did not ask about compliance with the portions of the act that require states to attempt to expand the voter base, such as by offering voter registration forms and information in public offices.

Danielle Lang, deputy director of voting rights for The Campaign Legal Center, said the focus on list maintenance troubled her. While she said this might point to a new direction in enforcement for the DOJ's voting rights section, it was too early to tell how this information might be used.

Levitt said he did not recall a time when the DOJ has previously requested such broad information. While the information is public and not, on its face, troubling, Levitt said the only time he recalled requesting similar information was during targeted investigations when federal officials suspected a state was not complying with the law.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.