1,056 posts categorized "Corporate Responsibility" Feed

Do Social Media Pose Threats To Democracies?

November 4th cover of The Economist magazine The November 4th issue of The Economist magazine discussed whether social networking sites threaten democracy in the United States and elsewhere. Social media were supposed to better connect us with accurate and reliable information. What we know so far (links added):

"... Facebook acknowledged that before and after last year’s American election, between January 2015 and August this year, 146m users may have seen Russian misinformation on its platform. Google’s YouTube admitted to 1,108 Russian-linked videos and Twitter to 36,746 accounts. Far from bringing enlightenment, social media have been spreading poison. Russia’s trouble-making is only the start. From South Africa to Spain, politics is getting uglier... by spreading untruth and outrage, corroding voters’ judgment and aggravating partisanship, social media erode the conditions..."

You can browse some of the ads Russia bought on Facebook during 2016. (Hopefully, you weren't tricked by any of them.) We also know from this United Press International (UPI) report about social media companies' testimony before Congress:

"Senator Patrick Leahy (D-Vt) said Facebook still has many pages that appear to have been created by the Internet Research Agency, a pro-Kremlin group that bought advertising during the campaign. Senator Al Franken (D-Minn.) said some Russian-backed advertisers even paid for the ads in Russian currency.

"How could you not connect those two dots?" he asked Facebook general council Colin Stretch. "It's a signal we should have been alert to and, in hindsight, one we missed," Stretch answered."

Google logo And during the Congressional testimony:

"Google attorney Richard Salgado said his company's platform is not a newspaper, which has legal responsibilities different from technology platforms. "We are not a newspaper. We are a platform that shares information," he said. "This is a platform from which news can be read from many sources."

Separate from the Congressional testimony, Kent Walker, a Senior Vice President and General Counsel at Google, released a statement which read in part:

"... like other internet platforms, we have found some evidence of efforts to misuse our platforms during the 2016 U.S. election by actors linked to the Internet Research Agency in Russia... We have been conducting a thorough investigation related to the U.S. election across our products drawing on the work of our information security team, research into misinformation campaigns from our teams, and leads provided by other companies. Today, we are sharing results from that investigation... We will be launching several new initiatives to provide more transparency and enhance security, which we also detail in these information sheets: what we found, steps against phishing and hacking, and our work going forward..."

This matters greatly. Why? by The Economist explained that the disinformation distributed via social media and other websites:

"... aggravates the politics of contempt that took hold, in the United States at least, in the 1990s. Because different sides see different facts, they share no empirical basis for reaching a compromise. Because each side hears time and again that the other lot are good for nothing but lying, bad faith and slander, the system has even less room for empathy. Because people are sucked into a maelstrom of pettiness, scandal and outrage, they lose sight of what matters for the society they share. This tends to discredit the compromises and subtleties of liberal democracy, and to boost the politicians who feed off conspiracy and nativism..."

When citizens (via their elected representatives) can't agree nor compromise, then government gridlock results. Nothing gets done. Frustration builds among voters.

What solutions to fix these problems? The Economist article discussed several remedies: better critical-thinking skills by social media users, holding social-media companies accountable, more transparency around ads, better fact checking, anti-trust actions, and/or disallow bots (automated accounts). It will take time for social media users to improve their critical-thinking skills. Considerations about fact checking:

"When Facebook farms out items to independent outfits for fact-checking, the evidence that it moderates behavior is mixed. Moreover, politics is not like other kinds of speech; it is dangerous to ask a handful of big firms to deem what is healthy for society.

Considerations about anti-trust actions:

"Breaking up social-media giants might make sense in antitrust terms, but it would not help with political speech—indeed, by multiplying the number of platforms, it could make the industry harder to manage."

All of the solutions have advantages and disadvantages. It seems the problems will be with us for a long while. Social media has been abused... and will continue to be abused. Comments? What solutions do you think would be best?


Considerations For Consumers Affected By The Equifax Breach

Earlier this month, Discover sent me a replacement credit card. The letter with the replacement card stated:

"Notice of Data Breach
What happened: we recently learned your Discover card account might have been part of a data breach. Please know, this breach did not involve Discover card systems.
What we are doing to resolve: we are issuing you a new card with a new account number, security code, and expiration date to reduce the possibility of fraud on your account... So as a safety precaution, we are issuing you a new card to protect your Discover card account information from being misused"

Good. I like the proactive protection, and hope that the retailer absorbed the costs of replacement cards for all affected consumers like me. However, the letter from Discover didn't identify the retailer. I called Discover's customer service hotline. The phone representative wouldn't identify the retailer, either. I'd shopped at four retail stores during the past month, and assumed it was one of them. It wasn't.

Equifax logo On Saturday, I received via postal mail a breach notification letter from Equifax dated October 23, 2017:

"We are writing with regard to the cybersecurity incident Equifax announced on September 7, 2017. At Equifax, our priorities with regard to this incident are transparency and continuing to provide timely, reassuring support to every consumer. You are receiving this letter because the credit or debit card number used to pay for a freeze service, credit score, or disclosure of your Equifax credit file was accessed. We have no evidence that your credit file itself was accessed."

So, confirmation that it was Equifax's fault. What to make of this? Keep reading.

First, thanks Equifax for the postal mail notice. However, this isn't timely communication. Why? Equifax considers it's September 7th press release timely communication. How many consumers read Equifax press releases? Did you? My guess, most don't.

Thankfully, I read online newspapers and was aware of the breach soon after Equifax's September 7th announcement. Yet, my postal letter from Equifax arrived seven weeks after its September 7th press release (and almost three months after it first discovered the breach on July 29).  This incident is a reminder for consumers not to rely upon postal mail for breach notices. Many states' breach notice laws allow for companies to post public notices online in websites and/or in newspaper advertisements. This allows companies to skip (the expense of) mailing individual breach notices via postal mail.

The October 23rd Equifax breach letter also stated:

"On September 7, 2017, Equifax notified U.S. customers of the data security incident, including that 143 million U.S. consumers were impacted. On October 2, 2017, following the completion of the forensic portion of the investigation of the incident, Equifax announced that the review determined that approximately 2.5 million additional U.S. consumers were potentially impacted. Equifax also announced that credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182, 000 consumers were accessed."

So, I am one of the "lucky" 209,000 consumers in the United States whose payment information was exposed stolen in addition to other sensitive personal information. Thanks Equifax for failing to protect my sensitive personal -- and payment -- information you are entrusted to protect.

Second, to upgrade earlier this year from slow, antiquated DSL to fiber broadband from Verizon, I used my credit card to pay for a temporary lift of the security freeze on my Equifax credit report. Why did Equifax retain my payment information for this transaction? Why did it retain that payment information in a complete and UN-encrypted format?

Discover's Frequently Asked Questions page for merchants advises merchants to do the following to protect consumers' highly sensitive payment card information:

"Tips for protecting customer information: a) Truncate all credit card information; b) Avoid storing CID data in your records or within sales data; c) Secure your site; d) Store data securely; e) Protect your data with firewalls; f) Limit authorized use and require passwords; g) Avoid storing customer or credit card information on your web server
Refer to your Merchant Operating Regulations for further card-not-present (CNP) requirements for the submission of sales."

So, it seems that Equifax failed to follow Discover's data security guidelines for merchants. (Browse privacy guidelines for merchants by other card issuers.) I do not have any ongoing services or subscriptions with Equifax, so there seems to be no need for it to retain my full credit card payment information. Not good. I called the Equifax customer service hotline. The phone representative could not explain why Equifax retained my payment information. Not good.

Third, Equifax failed to customize the letter for my situation. In 2008, I placed security freezes on my credit reports at Equifax, Experian, and TransUnion. So, Equifax already knows I have a security freeze in place, and failed to customize the letter accordingly. Rather than explain what applies to customers in my situation, instead the letter repeated the same general fraud-prevention advice for all consumers: how to contact the FTC, visit annualcreditreport.com for free copies of credit reports, file a police report if a victim of identity theft, place a fraud alert or security freeze on my credit reports for protections, and how to lift/remove an existing security freeze. Not good.

This was fast becoming a crappy customer experience.

Fourth, while on the phone with Equifax's customer service I asked if the TrustedID Premier credit monitoring service it ofered would work with the security freezes in place at all three credit reporting agencies. The phone representative said yes, but that the "credit file lock feature" would not work. What's that? According to the Equifax FAQ page:

"What is the difference between a credit file lock and a security freeze?
At their most basic level, both prevent new creditors from accessing your Equifax credit report, unless you give permission or take an action such as removing, unlocking or lifting the freeze or lock. Both a security freeze and a credit file lock help prevent a lender or other creditor from accessing a consumer’s credit report to open unauthorized new accounts.

  • Security freezes were created in the early 2000’s, are subject to regulation by each state and use a PIN based system for authentication.
  • Credit file locks were created more recently, are mobile-enabled and use modern authentication techniques, such as username and passwords and one-time passcodes for better user experience."

So, the "credit file lock" feature is new and different from a security freeze. The new feature allows mobile users to easily and quickly unlock/lock your Equifax credit reports. That seems beneficial for consumers needing frequent and quick access to credit. According to the FAQ page, the new feature will be "free, for life." The above description gives the impression that security freezes are antiquated.

To further understand this new feature, I visited the TrustedID Premier Privacy Policy page, which stated:

"The types of personal information we collect and share depend on the product or service you have with us. This information can include: Social Security number and credit card information; Payment history and transaction history; Credit scores and credit history"

The "depend on the product or service you have" seems vague and broad. Just tell me! Plus, "transaction history" could include geo-location: where you bought something since some purchases are made at brick-and-mortar retail stores. It could also include when and where you use the "credit file lock" feature. So, even though the policy doesn't explicitly mention geo-location data collection, it seems wise to assume that it does. For the new "credit file lock" feature to work on your phone, it probably needs to know your location -- where you and your phone are.

So, this new feature seems to be a slick way for Equifax to collect (and archive) location data about when, where, the duration, and frequency of consumers' travels in the physical world -- something it couldn't get previously through the traditional security freeze process. Remember, any app on your smartphone can collect location data.

Plus, the "credit file lock" feature won't work with a security freeze in place. According to the customer service representative, consumers need to remove a security freeze for the credit file lock feature to work. This is a new, important wrinkle which consumers must understand in order to make informed decisions.

The representative said it would be free to remove the security freeze on my Equifax credit report in order to use the new feature. I asked if the TrustedID Premier service Equifax offers would work with credit reports from Innovis. The rep said no. The duration of my phone call was long since the representative needed to place me on hold and check with others in order to answer my questions. This did not instill confidence.

Plus, this lengthy question-and-answer page about Equifax's services indicates that many consumers (and perhaps some Equifax customer service representatives) don't fully understand the differences between security freezes, credit file locks, and other service features.

Fifth, the letter from Equifax did not mention any of the new threats nor the additional protection steps consumers must take, both of which you can read about in this October 10th blog post. Even though I've written about privacy, data breaches and credit monitor for the past 10+ years, like you there are new things to learn. It seems that Equifax is hoping that breach victims will take the easy route: enroll in TrustedID Premier -- which is free for now, but will likely cost you later.

Overall, for me it was a crappy post-breach customer experience with Equifax. I expected better -- better data security and a better post-breach support. Plenty of news articles have documented the security problems, failures, and post-breach problems with Equifax's breach site.

What are your opinions? What do you think of the new credit file lock feature? If you've used it, share your experience in the comments section below the image.

Overview of features. TrustedID Premier service. Click to view larger version


Security Researcher Finds Unprotected Voter Files Online Affecting Up To 1.8 Million Chicagoans

While looking for unprotected data in cloud storage services, a security researcher found unprotected information for as many as 1.8 million voters in Chicago. CBS Chicago reported:

"It was Friday Aug. 11 in Silicon Valley. John Hendren, a marketing representative for IT security firm UpGuard, was looking for insecure data in the cloud. He randomly plugged in "Chicago … db," for “Chicago database,” and hit the jackpot. He found names, addresses, birth dates, driver’s license numbers and the last four digits of Social Security numbers for up to 1.8 million Chicago voters..."

How the breach happened:

"Chicago’s vendor is ES&S, out of Omaha, Nebraska. The company has been paid more than $5 million since 2014 by the Chicago Board of Elections. The company placed the data folder on Amazon Web Services (AWS) with the wrong security settings, Tom Burt, the firm’s CEO, recently told Chicago officials. Burt says managers missed the gaffe, and the database remained online for six months, until UpGuard found it. Company officials say they don’t believe the information ended up on the “dark web” for identity thieves to attain..."

The CBE's breach notice (Adobe PDF) provided a more complete list of the data elements exposed:

"... The personal information contained in the back-up files included voter names, addresses, and dates of birth, and many voters’ driver’s license and State ID numbers and the last four digits of Social Security numbers. Upon discovery of the Incident, ES&S promptly took the AWS server off-line, secured the back-up files, and commenced a forensics investigation. ES&S also hired two specialized third-party vendors to conduct searches to determine whether any personal information stored on the back-up files was available on the Dark Web. The results of ES&S’ investigations have not uncovered any evidence that any voter’s personal information stored on the AWS server was misused..."

This is bad for several reasons. First, the data elements exposed or stolen are enough for cyber criminals to do sufficient damage to breach victims. Second, just because the post-breach investigation didn't find misuse of data doesn't mean there wasn't any. It simply means they didn't find any misuse.

Third, it would be unwise to assume that the breach wasn't that bad because only the last 4 digits of Social Security numbers were exposed. Security researchers have known for a long time that Social Security numbers are easy to guess:

"... a crook need only figure out where and when you were born--information often easily found on social networking sites like Facebook--to guess your number in as few as 1000 tries... Social Security numbers were never meant to be used for widespread identification. They were conceived solely to track taxes and benefits... Every Social Security number starts with three digits known as an "area number." Smaller states might have only one, whereas New York, for example, has 85. The next two digits are "group numbers," which can be anything from 01-99, but don't correspond to anything specific. The last four digits, the "serial number," are assigned sequentially..."

So, it's long past time to stop using the last four digits of Social Security numbers as identification. Fourth, the incident makes one wonder when -- if ever -- the unprotected data folder would have been discovered by ES&S or CBE, if the security researcher hadn't found it. That's unsettling. It calls into question the security methods and managerial oversight at ES&S.

This isn't the first breach at the Chicago Board of Elections (CBE). A CBE breach in 2012 exposed the sensitive personal information of at least 1,000 voters, after initial reports estimated the number of affected voters at 1.7 million. Before that, the CBE faced several lawsuits in 2007 claiming negligence after:

"... it distributed more than 100 computer disks containing Social Security numbers and other personal data on more than 1.3 million voters to alderman and ward committee members."

Reportedly, in 2016 foreign cyber criminals hacked the Illinois Board of Elections' voter registration system. A similar attack happened in Arizona. The main takeaway: voter registration databases are high-value targets.

So, strong data security measures and methods seem wise; if not necessary. The latest incident makes one wonder about: a) the data security language and provisions in CBE's outsourcing contract with ES&S, and b) the agency's vendor oversight.

Will Chicago residents demand better data security? I hope so. What do you think?


What We Do and Don’t Know About Facebook’s New Political Ad Transparency Initiative

[Editor's note: today's guest post is by the reporters at ProPublica. It is reprinted with permission.]

The short answer: It leaves the company some wiggle room.

Facebook logo By Julia Angwin, ProPublica

On Thursday September 21, Facebook Chief Executive Mark Zuckerberg announced several steps to make political ads on the world’s largest social network more transparent. The changes follow Facebook’s acknowledgment in September that $100,000 worth of political ads were placed during the 2016 election cycle by “inauthentic accounts” linked to Russia.

The changes also follow ProPublica’s launch of a crowdsourcing effort during September to collect political advertising from Facebook. Our goal was to ensure that political ads on Facebook, which until now have largely avoided scrutiny, receive the same level of fact-checking by journalists, advocacy groups and political opponents as do print, broadcast and radio political ads. We hope to have some results to share soon.

In the meantime, here’s what we do and don’t know about how Facebook’s changes could play out.

How does Facebook plan to increase disclosure of funders of political ads?
In his statement, Zuckerberg said that Facebook will start requiring political advertisers to disclose “which page paid for an ad.”

This is a reversal for Facebook. In 2011, the company argued to the Federal Election Commission that it would be “inconvenient and impracticable” to include disclaimers in political ads because the ads are so small in size.

While the commission was too divided to make a decision on Facebook’s request for an advisory ruling, the deadlock effectively allowed the company to continue omitting disclosures. (The commission has just reopened discussion of whether to require disclosure for internet advertising).

Now Facebook appears to have dropped its objections to adding disclosures. However, the problem with Facebook’s plan of only revealing which page purchased the ad is that the source of the money behind the page is not always clear.

What is Facebook doing to make political ads more transparent to the public?
Zuckerberg also said that Facebook will start to require political advertisers to place on their pages all the ads they are “currently running to any audience on Facebook.”

This requirement could mean the end of the so-called “dark posts” on Facebook — political ads whose origins were not easily traced. Now, theoretically, each Facebook political ad would be associated with and published on a Facebook page — either for candidates, political action committees or interest groups.

However, the word “currently” suggests that such disclosure could be fleeting. After all, ads can run on Facebook for as little as a few minutes or a few hours. And since campaigns can run dozens, hundreds or even thousands of variations of a single ad — to test which one gets the best response — it will be interesting to see whether and how they manage to display all those ads on their pages simultaneously.

“It would require a lot of vigilance on the part of users and voters to be on those pages at the exact time” that campaigns posted all of their ads, said Brendan Fischer, a lawyer at the Campaign Legal Center, a campaign finance reform watchdog group.

How will Facebook decide which ads are political?
It’s not clear how Facebook will decide which ads are political and which aren’t. There are several existing definitions they could choose from.

The Federal Communications Commission defines political advertising as anything that “communicates a message relating to any political matter of national importance,” but those rules only apply to television and radio broadcasters. FCC rules require extensive disclosure, including the amount paid for the ads, the audiences targeted and how many times the ads run.

The Federal Election Commission has traditionally defined two major types of campaign ads. “Independent expenditures” are ads that expressly advocate the election or defeat of a “clearly identified candidate.” A slightly broader definition, “electioneering communications,” encompasses so-called “issue ads” that mention a candidate but may not directly advocate for his or her election or defeat.

The FEC only requires spending on electioneering ads to be disclosed in the 60 days leading up to a general election or the 30 days leading up to a primary election. And the electioneering communications rule does not apply to online advertising.

Of course, Facebook doesn’t have to choose of any of the existing definitions of political advertising. It could do what it did with hate speech — and make up its own rules.

How will Facebook catch future political ads secretly placed by foreigners?
The law prohibits a foreign national from making any contribution or expenditure in any U.S. election. That means that Russians who bought the ads may have broken the law, but it also means that any American who “knowingly provided substantial assistance” may also have broken the law.

In mid-September, when Facebook disclosed the Russian ad purchase, the company said it was increasing its technical efforts to identify fake and inauthentic pages and to prevent them from running ads.

Zuckerberg said the company would “strengthen our ad review process for political ads” but didn’t specify exactly how. (Separately, Facebook Chief Operating Officer Sheryl Sandberg said in September that the company is adding more human review to its ad-buying categories, after ProPublica revealed that it allowed advertisers to target ads toward “Jew haters.”)

Zuckerberg also said Facebook will work with other tech companies and governments to share information about online risks during elections.

Will ProPublica continue crowd-sourcing Facebook political ads?
Yes, we plan to keep using our tool to monitor political advertising. In September, we worked with news outlets in Germany — Spiegel Online, Süddeutsche Zeitung and Tagesschau — to collect more than 600 political ads during the parliamentary elections.

We believe there is value to creating a permanent database of political ads that can be inspected by the public, and we intend to track whether Facebook lives up to its promises. If you want to help us, download our tool for Firefox or Chrome web browsers.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Equifax Reported 15.2 Million Records Of U.K. Persons Exposed

Equifax logo Yesterday, Equifax's United Kingdom (UK) unit released a press release about the credit reporting agency's massive data breach and the number of breach victims. A portion of the statement:

"It has always been Equifax’s intention to write to those consumers whose information had been illegally compromised, but it would have been inappropriate and irresponsible of us to do so before we had absolute clarity on what data had been accessed. Following the completion of an independent investigation into the attack, and with agreement from appropriate investigatory authorities, Equifax has begun corresponding with affected consumers.

We would like to take this opportunity to emphasize that Equifax correspondence will never ask consumers for money or cite personal details to seek financial information, and if they receive such correspondence they should not respond. For security reasons, we will not be making any outbound telephone calls to consumers. However, customers can call our Freephone number on 0800 587 1584 for more information.

Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test data-sets, duplicates and spurious fields... we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post... The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed."

Below is the tabular information of risk categories from the Equifax UK announcement:

Consumer groups Remedial action
12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed

14,961 consumers who had portions of their Equifax.co.uk membership details such as username, password, secret questions and answers and partial credit card details - from 2014 accessed

29,188 consumers who had their driving license number accessed

We will offer Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third party organizations will also be offered at no cost to consumers. In addition to the services set-out above, further information will be outlined in the correspondence.

637,430 consumers who had their phone numbers accessed Consumers who had a phone number accessed will be offered a leading identity monitoring service for free.

Some observations seem warranted.

First, the announcement was vague about whether the 15.2 million U.K. persons affected were included in the prior breach total, or in addition to the prior total. Second, the U.K. unit will send written breach notices to all affected consumers via postal mail, while the U.S. unit refused. The U.K. unit did the right thing, so their users are confused by and don't have to access a hastily built site to see if they were affected.

Third, given the data elements stolen some U.K. breach victims are vulnerable to additional frauds and threats like breach victims in the USA.

Kudos to the Equifax U.K. unit for the postal breach notices and for clearly stating the above risk categories.


Without Fanfare, Equifax Makes Bankruptcy Change That Affects Hundreds of Thousands

[Editor's note: today's guest post, by the reporters at ProPublica, highlights how credit reporting agencies treat certain information contained in consumers' credit reports. It is reprinted with permission.]

By Paul Kiel. ProPublica

For what appears to be decades, the credit rating agency Equifax has quietly layered three more years of tarnish on the credit histories of hundreds of thousands of people who had filed for bankruptcy under Chapter 13.

While its competitors, TransUnion and Experian, placed a flag on such histories for seven years, Equifax left it on the reports of Chapter 13 filers who failed to complete their bankruptcy plans for 10.

After ProPublica asked about the difference in its policy, the company said it now leaves the flag on for seven years, but refused to say when and why the change was made.

The consequences of Equifax’s harsher policy were likely life-changing for some unlucky people. As Experian warns consumers on its website, “having a bankruptcy in your credit history will seriously affect your ability to obtain credit for as long as it remains on your report. It can also affect your ability to qualify for things like an apartment, utilities, and even employment. Even car insurance rates may be affected.” Without knowing why, consumers could have been turned down for apartments because landlords checked their Equifax report rather than those from Experian or TransUnion.

Why Equifax’s policy was different is unclear and the company would not address it. But that such a discrepancy had gone unnoticed and unaddressed for so long underscores how lightly regulated the industry is.

ProPublica contacted all of the major credit agencies earlier this year as part of our ongoing series on consumer bankruptcy. The policies of TransUnion and Experian were similar: People who filed under Chapter 7, which wipes out most debts, would have a flag on their report for 10 years; those who filed under Chapter 13, which usually involves five years of payments before debts are forgiven, would have a flag for seven.

Equifax had the same Chapter 7 policy. But the company had a key difference in its policy for Chapter 13 filers: Those who were unable to complete their five years of payments and had their cases dismissed were saddled with a flag for three additional years.

This difference had the potential for widespread impact. About half of Chapter 13 cases are dismissed, usually because debtors fall behind on payments. From 2008 through 2010, 574,000 Chapter 13 cases were filed and subsequently dismissed, according to our analysis of filings. Under Equifax’s policy of keeping the flag on for 10 years, all those debtors would have a flag on their Equifax report through the end of 2017, but not on their TransUnion and Experian histories.

“It’s a problem, because you have a disparate treatment of debtors depending on which credit rating agency is reporting,” said Tara Twomey, an attorney with the National Consumer Law Center. “We really need consistent credit reporting for this system to work.”

Equifax’s policy also disproportionately affected black consumers, because, as our analysis showed, black debtors are more likely than whites to choose Chapter 13 and have their cases dismissed.

ProPublica wrote the company again in July, prior to its recent disclosure that its records had been hacked, laying out the potential impact of its policy on consumers and asking why it differed from competitors. In an email, Equifax spokeswoman Nancy Bistritz-Balkan wrote that the company had “recently modified the length of time for how long a dismissed Chapter 13 bankruptcy remains on file.” Under the new policy, she wrote, “Equifax removes the flag for a Chapter 13 bankruptcy after seven years, regardless of outcome.”

She would not say what “recently” meant, only saying, “The change we referenced was not implemented after we received your inquiry.” As to why Equifax made the change, she wrote, “At this time, I do not have additional details about how the change was made.”

It might seem puzzling that such a meaningful policy is not governed by law. While some aspects of credit reporting are, others are simply decided among the agencies themselves. Bankruptcy is a mix of the two. Under the Fair Credit Reporting Act, the longest a bankruptcy can stay on someone’s credit report is 10 years. The credit rating agencies have voluntarily decided to treat Chapter 13 cases differently because Chapter 13 typically involves the repayment of some debt, while Chapter 7 does not. Bistritz-Balkan made a point of saying that Equifax’s previous policy had been legal.

Initially, Chapter 7 and Chapter 13 have a similar effect on debtors’ credit scores, one that diminishes over time. Bankruptcy is a negative mark on a debtor’s history, but that doesn’t mean that declaring bankruptcy will invariably damage someone’s credit score. In fact, research shows that most people who declare bankruptcy actually see their score rise in the following months. That’s because the typical score is so low that the negative effect of the bankruptcy is outweighed by the positive effect of wiping out debt.

According to Zachary Anderson, a spokesman for FICO, the median FICO score for consumers who declared bankruptcy between October 2009 and October 2010, when filings peaked during the Great Recession, was 558 — lower than all but 20 percent of consumers with a credit score.

A recent analysis of credit files by Paul Goldsmith-Pinkham, an economist with the Federal Reserve Bank of New York, shows how scores change before and after bankruptcy. In the months prior to filing, as consumers fall deeper into debt, the average credit score plunges. The analysis, using a credit score generated by Equifax that works similarly to a FICO score, found that the average score fell to a low around 520-530, but recovered sharply over the next 6 months, then gradually increased thereafter.

Chart. Average Credit Scores Plunge Before Bankruptcy, Rise After. Click to view larger version

The next noticeable bump was seven or 10 years later, depending on the chapter, when the bankruptcy flags were removed. Consumers’ credit scores then jumped by about 10 points.

The consumers with the lowest credit scores, the analysis found, were those who had their Chapter 13 cases dismissed. That would be due, in part, to the fact that they tend to be disproportionately low-income and black, two groups with lower credit scores on average.

As we showed in our story about bankruptcy in Memphis, where Chapter 13 dismissals are incredibly common, these debtors can find themselves worse off for having tried bankruptcy. They might be even further behind on their debts after their cases are dismissed, making it harder to re-establish their credit. The effect of a dismissal lasts for years. At the very least, Equifax’s change in how it handles Chapter 13s means that the shadow cast by a past bankruptcy isn’t quite as long.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Why The IRS Gave Equifax A No-Bid Contract Extension

You've probably heard the news. The Internal Revenue Service (IRS) gave a no-bid contract to Equifax, even after knowing about the credit reporting agency's massive data breach and arguably lackadaisical data security approaches by management.

Why would the IRS do this? The contract's synopsis in the Federal Business Opportunities (FBO) site stated on September 30:

"This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service. A sole source order is required to cover the timeframe needed to resolve the protest on contract TIRNO-17-Z-00024. This is considered a critical service that cannot lapse."

C/Net explained the decision and sequence of key events:

"The IRS already had enough trouble dealing with tax fraud, losing $5.8 billion to scammers in 2013... The contract, first reported by Politico,... describes the agreement as a "sole source order," calling Equifax's help a "critical service." When it comes to credit monitoring, there are really only three major names in the US: Equifax, Experian and TransUnion. Experian has also suffered a breach... The IRS actually awarded its authentication service contract to another company in July, Jeffrey Tribiano, the agency's deputy commissioner for operations support told members of Congress. Equifax protested losing the contract to the US Government Accountability Office on July 7, according to documents. The office will decide on the protest by October 16. Until then, the IRS could not move onto its new partner. That meant that when the IRS' old contract with Equifax was supposed to expire on Friday (Sept. 29), Tribiano said, millions of Americans would not have been able to verify their identity with the agency for more than two weeks."

Wow! So, the IRS was caught between a rock and a hard place... or "caught between a rock and a hacked place" as C/Net described. Apparently, consumers taxpayers are also caught.

Once again, another mess involving Equifax gives consumers that "I've been mugged" feeling.


Update: All Yahoo Accounts Hacked During Its Data Breach in 2013

Verizon Oath logo Yahoo, now within Verizon's Oath business unit, announced on Tuesday an update in the the number of accounts hacked during its massive data breach in 2013. The announcement stated:

"... [Yahoo] is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected... Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft... Yahoo is sending email notifications to the additional affected user accounts..."

That's 3 billion accounts hacked! It almost boggles the mind. Consumers with questions should also visit the Yahoo 2013 Account Security Page which has been updated with information released this week. Key information about the breach and consumers' data stolen:

"On December 14, 2016, Yahoo announced that, based on its analysis of data files provided by law enforcement, the company believed that an unauthorized party stole data associated with certain user accounts in August 2013... the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or un-encrypted security questions and answers. The investigation indicates that the information that was stolen did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected... No additional notifications regarding the cookie forging activity are being sent in connection with this update..."

Obviously, affected users should change their passwords, security questions, and security answers -- if they haven't already. Some consumers are confused about whether e-mail breach announcements they have received are authentic and truly from Yahoo. The tech company advised:

"... email from Yahoo about this issue will display the Yahoo icon Purple Y icon when viewed through the Yahoo website or Yahoo Mail app. Importantly, the email does not ask you to click on any links or contain attachments and does not request your personal information. If an email you received about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails."

Uncertain users should also check the official Yahoo breach notices by country. In June of this year, Verizon completed its acquisition of Yahoo! Inc. and announced then:

"Verizon has combined these assets with its existing AOL business to create a new subsidiary, Oath, a diverse house of more than 50 media and technology brands that engages more than a billion people around the world. The Oath portfolio includes HuffPost, Yahoo Sports, AOL.com, MAKERS, Tumblr, BUILD Studios, Yahoo Finance, Yahoo Mail and more, with a mission to build brands people love."

Reportedly, the Oath portfolio will include products, services, and apps covering content partnerships, virtual reality (VR), artificial intelligence (AI), and the Internet of Things (IoT).

In March of this year, the U.S. Department of Justice announced the indictment by a grand jury of four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts.

The announcement this week by Yahoo is a reminder of the importance of post-breach investigations and how long these investigations can take to uncover complete details about the hack. It is unwise to assume that everything is known at the time of the initial breach notification. It is also unwise to assume that companies can immediately improve their data security and systems after a massive breach.


Equifax: 2.5 Million More Persons Affected By Massive Data Breach

Equifax logo Equifax disclosed on Monday, October 2, that 2.5 more persons than originally announced were affected by its massive data breach earlier this year. According to the Equifax breach website:

"... cybersecurity firm Mandiant has completed the forensic portion of its investigation of the cybersecurity incident disclosed on September 7 to finalize the consumers potentially impacted... The completed review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process."

The September breach announcement said that persons outside the United States may have been affected. The October 2nd update addressed that, too:

"The completed review also has concluded that there is no evidence the attackers accessed databases located outside of the United States. With respect to potentially impacted Canadian citizens, the company previously had stated that there may have been up to 100,000 Canadian citizens impacted... The completed review subsequently determined that personal information of approximately 8,000 Canadian consumers was impacted. In addition, it also was determined that some of the consumers with affected credit cards announced in the company’s initial statement are Canadian. The company will mail written notice to all of the potentially impacted Canadian citizens."

So, things are worse than originally announced in September: more United States citizens affected, fewer Canadian citizens affected overall but more Canadians' credit card information exposed, and we still don't know the number of United Kingdom residents affected:

"The forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom. Equifax is continuing discussions with regulators in the United Kingdom regarding the scope of the company’s consumer notifications...

And, there's this statement by Paulino do Rego Barros, Jr., the newly appointed interim CEO (after former CEO Richard Smith resigned):

"... As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements..."

To review? That means Equifax has not finished the job of making its systems and websites more secure with security fixes based upon how the attackers broke in, which identify attacks earlier, and which prevent future breaches. As bad as this sounds, the reality is probably worse.

After testimony before Congress by former Equifax CEO Richard Smith, Wired documented "six fresh horrors" about the breach and the leisurely approach by the credit reporting agency's executives. First, this about the former CEO:

"... during Tuesday's hearing, former CEO Smith added that he first heard about "suspicious activity" in a customer-dispute portal, where Equifax tracks customer complaints and efforts to correct mistakes in their credit reports, on July 31. He moved to hire cybersecurity experts from the law firm King & Spalding to start investigating the issue on August 2. Smith claimed that, at that time, there was no indication that any customer's personally identifying information had been compromised. As it turns out, after repeated questions from lawmakers, Smith admitted he never asked at the time whether PII being affected was even a possibility. Smith further testified that he didn't ask for a briefing about the "suspicious activity" until August 15, almost two weeks after the special investigation began and 18 days after the initial red flag."

Didn't ask about PII? Geez! PII describes the set of data elements which are the most sensitive information about consumers. It's the business of being a credit reporting agency. Waited 2 weeks for a briefing? Not good either. And, that is a most generous description since some experts question whether the breach actually started in March -- about four months before the July event.

Wired reported the following about Smith's Congressional testimony and the March breach:

"Attackers initially got into the affected customer-dispute portal through a vulnerability in the Apache Struts platform, an open-source web application service popular with corporate clients. Apache disclosed and patched the relevant vulnerability on March 6... Smith said there are two reasons the customer-dispute portal didn't receive that patch, known to be critical, in time to prevent the breach. The first excuse Smith gave was "human error." He says there was a particular (unnamed) individual who knew that the portal needed to be patched but failed to notify the appropriate IT team. Second, Smith blamed a scanning system used to spot this sort of oversight that did not identify the customer-dispute portal as vulnerable. Smith said forensic investigators are still looking into why the scanner failed."

Geez! Sounds like a managerial failure, too. Nobody followed up with the unnamed persons responsible for patching the portal? And Equifax executives took a leisurely (and perhaps lackadaisical) approach to protecting sensitive information about consumers:

"When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers... It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax's attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all," Smith replied. "There are varying levels of security techniques that the team deploys in different environments around the business."

Geez! So, we now have confirmation that the "core" information -- the most sensitive data about consumers -- in Equifax's databases is only partially encrypted.

Context matters. In January of this year, the Consumer Financial Protection Bureau (CFPB) took punitive action against TransUnion and Equifax for deceptive marketing practices involving credit scores and related subscription services. That action included $23.1 million in fines and penalties.

Thanks to member of Congress for asking the tough questions. No thanks to Equifax executives for taking lackadaisical approaches to data security. (TransUnion, Innovis, and Experian executives: are you watching? Learning what mistakes not to repeat?) Equifax has lost my trust.

Until Equifax hardens its systems (I prefer NSA-level hardness), it shouldn't be entrusted with consumers' sensitive personal and payment information. Consumers should be able to totally opt out of credit reporting agencies that fail with data security. This would allow the marketplace to govern things and stop the corporate socialism benefiting credit reporting agencies.

What are your opinions?

[Editor's note: this post was amended on October 7 with information about the CFPB fines.]


Report: Patched Macs Still Vulnerable To Firmware Hacks

Apple Inc. logo I've heard numerous times the erroneous assumption by consumers: "Apple-branded devices don't get computer viruses." Well, they do. Ars Technica reported about a particular nasty hack of vulnerabilities in devices' Extensible Firmware Interface (EFI). Never heard of EFI? Well:

"An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware. On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. 47 Mac models remained vulnerable to the original Thunderstrike, and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version."

This is very bad. EFI hacks are particularly effective and nasty because:

"... they give attackers control that starts with the very first instruction a Mac receives... the level of control attackers get far exceeds what they gain by exploiting vulnerabilities in the OS... That means an attacker who compromises a computer's EFI can bypass higher-level security controls, such as those built into the OS or, assuming one is running for extra protection, a virtual machine hypervisor. An EFI infection is also extremely hard to detect and even harder to remedy, as it can survive even after a hard drive is wiped or replaced and a clean version of the OS is installed."

At-risk EFI versions mean that devices running Windows and Linux operating systems are also vulnerable. Reportedly, the exploit requires plenty of computing and technical expertise, so hackers would probably pursue high-value targets (e.g., journalists, attorneys, government officials, contractors with government clearances) first.

The Duo Labs Report (63 pages, Adobe PDF) lists the specific MacBook, MacBookAir, and MacBookPro models at risk. The researchers shared a draft of the report with Apple before publication. The report's "Mitigation" section provides solutions, including but not limited to:

"Always deploy the full update package as released by Apple, do not remove separate packages from the bundle updater... When possible, deploy Combo OS updates instead of Delta updates... As a general rule of thumb, always run the latest version of macOS..."

Scary, huh? The nature of the attack means that hackers probably can disable the anti-virus software on your device(s), and you probably wouldn't know you've been hacked.


Bloomberg: Equifax Had A Data Breach In March, Too. More Questions Result

Equifax logo According to news reports, Equifax experienced another data breach earlier this year before the massive data breach it announced on September 7th where criminals gained unauthorized access to Equifax's systems and computers from May through then end of July, 2017. Bloomberg reported:

"Equifax Inc. learned about a major breach of its computer systems in March -- almost five months before the date it has publicly disclosed, according to three people familiar with the situation... Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said..."

Two major data breaches? What's happening? A news report by Bank Info Security may clarify things:

"... the Bloomberg story is "attempting to connect two separate cybersecurity events and suggesting the earlier event went unreported." Instead, Equifax says the breach described by Bloomberg was a "security incident involving a payroll-related service." The incident, which Equifax refers to as the "March event," was reported to customers, affected individuals and regulators, as well as covered by the media, it says. "Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related."

Equifax appears to refer a breach involving TALX its payroll, human resources, and tax services subsidiary formally known as Equifax Workforce Solutions. The Bank Info Security news report explained:

"In early March, Equifax began notifying individuals whose employers use TALX for payroll services that it had detected unauthorized access to its web-based portal. Employees use the TALX portal to access their W-2, which is the annual income reporting form that U.S. employees need to file their federal tax return. That's also a key document for fraudsters, because it puts them one step closer to being able to fraudulently file and claim a tax refund in someone else's name.

In the March attack, hackers had luck accessing TALX accounts by guessing registered users' personal questions, according to Equifax's breach notifications. By answering the questions correctly, fraudsters were able to reset a PIN needed to access an account. With the fresh PIN, they were able to obtain an electronic copy of victims' W-2. The unauthorized access incidents occurred between April 17, 2016, and March 29, 2017, Equifax says..."

It's frightening that the TALX breach went undetected for almost a year. Also, the Krebs On Security blog reported in May about the Equifax-TALX breach. However, the Bloomberg news report explored another hacking method criminals might have used in March:

"... one goal of the attackers was to use Equifax as a way into the computers of major banks, according to a fourth person familiar with the matter. This person said a large Canadian bank has determined that hackers claiming to sell celebrity profiles from Equifax on the dark web -- information that appears to be fraudulent, or recycled from other breaches -- did in fact steal the username and password for an application programming interface, or API, linking the bank’s back-end servers to Equifax.

According to the person and a Sept. 14 internal memo reviewed by Bloomberg, the gateway linked a test and development site used by the bank’s wealth management division to Equifax, allowing the two entities to share information digitally."

So, there was a breach in March. Was it the TALX hack, the hack via a bank, both, or something else? If the Bloomberg report is accurate, then the post-breach consequences listed probably apply:

"... will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading... New questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity... the revelation of an earlier breach will likely raise questions for the company’s beleaguered executives over whether that [March] investigation was sufficiently thorough or if it was closed too soon. For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July."

If true, then consumers are left with more questions: which bank(s)? What fixes have been implemented so this doesn't happen again? Why wasn't this disclosed sooner? How many consumers were affected? Exactly how did the hackers gain access? Was it the same or a different group of hackers? Which consumers' data elements were accessed/stolen?

The cynic in me wonders if Equifax executives are using its TALX breach as cover -- to avoid having to admit to another massive (and embarrassing) data breach.

Regardless of which news report is accurate, there are plenty of reasons for consumers to feel uneasy about Equifax's breach(es), data security protections, and breach notifications. Equifax is a custodian of extremely valuable and sensitive information about consumers. It makes money selling that information to potential lenders, and consumers have a right to have their questions answered fully.

Maybe the various investigations and inquiry by 31 states will provide answers for consumers. Or maybe Congress needs to hold hearings. It's been done before. What do you think?


Facebook Enabled Advertisers to Reach ‘Jew Haters’

[Editor's note: today's guest post, by the reporters at ProPublica, is part of its Machine Bias series. After being contacted by ProPublica, Facebook removed several anti-Semitic ad categories and it no longer allows advertisers to target groups based upon self-reported information. Today's post is reprinted with permission.]

By Julia Angwin, Madeleine Varner, and Ariana Tobin - ProPublica

Facebook logo Want to market Nazi memorabilia, or recruit marchers for a far-right rally? Facebook’s self-service ad-buying platform had the right audience for you.

Until last week, when we asked Facebook about it, the world’s largest social network enabled advertisers to direct their pitches to the news feeds of almost 2,300 people who expressed interest in the topics of “Jew hater,” “How to burn jews,” or, “History of ‘why jews ruin the world.’”

To test if these ad categories were real, we paid $30 to target those groups with three “promoted posts” — in which a ProPublica article or post was displayed in their news feeds. Facebook approved all three ads within 15 minutes.

After we contacted Facebook, it removed the anti-Semitic categories — which were created by an algorithm rather than by people — and said it would explore ways to fix the problem, such as limiting the number of categories available or scrutinizing them before they are displayed to buyers.

“There are times where content is surfaced on our platform that violates our standards,” said Rob Leathern, product management director at Facebook. “In this case, we’ve removed the associated targeting fields in question. We know we have more work to do, so we’re also building new guardrails in our product and review processes to prevent other issues like this from happening in the future.”

Facebook’s advertising has become a focus of national attention since it disclosed last week that it had discovered $100,000 worth of ads placed during the 2016 presidential election season by “inauthentic” accounts that appeared to be affiliated with Russia.

Like many tech companies, Facebook has long taken a hands off approach to its advertising business. Unlike traditional media companies that select the audiences they offer advertisers, Facebook generates its ad categories automatically based both on what users explicitly share with Facebook and what they implicitly convey through their online activity.

Traditionally, tech companies have contended that it’s not their role to censor the Internet or to discourage legitimate political expression. In the wake of the violent protests in Charlottesville by right-wing groups that included self-described Nazis, Facebook and other tech companies vowed to strengthen their monitoring of hate speech.

Facebook CEO Mark Zuckerberg wrote at the time that “there is no place for hate in our community,” and pledged to keep a closer eye on hateful posts and threats of violence on Facebook. “It’s a disgrace that we still need to say that neo-Nazis and white supremacists are wrong — as if this is somehow not obvious,” he wrote.

But Facebook apparently did not intensify its scrutiny of its ad buying platform. In all likelihood, the ad categories that we spotted were automatically generated because people had listed those anti-Semitic themes on their Facebook profiles as an interest, an employer or a “field of study.” Facebook’s algorithm automatically transforms people’s declared interests into advertising categories.

Here is a screenshot of our ad buying process on the company’s advertising portal:

Screenshot of Facebook ad buying process

This is not the first controversy over Facebook’s ad categories. Last year, ProPublica was able to block an ad that we bought in Facebook’s housing categories from being shown to African-Americans, Hispanics and Asian-Americans, raising the question of whether such ad targeting violated laws against discrimination in housing advertising. After ProPublica’s article appeared, Facebook built a system that it said would prevent such ads from being approved.

Last year, ProPublica also collected a list of the advertising categories Facebook was providing to advertisers. We downloaded more than 29,000 ad categories from Facebook’s ad system — and found categories ranging from an interest in “Hungarian sausages” to “People in households that have an estimated household income of between $100K and $125K.”

At that time, we did not find any anti-Semitic categories, but we do not know if we captured all of Facebook’s possible ad categories, or if these categories were added later. A Facebook spokesman didn’t respond to a question about when the categories were introduced.

Two weeks ago, acting on a tip, we logged into Facebook’s automated ad system to see if “Jew hater” was really an ad category. We found it, but discovered that the category — with only 2,274 people in it — was too small for Facebook to allow us to buy an ad pegged only to Jew haters.

Facebook’s automated system suggested “Second Amendment” as an additional category that would boost our audience size to 119,000 people, presumably because its system had correlated gun enthusiasts with anti-Semites.

Instead, we chose additional categories that popped up when we typed in “jew h”: “How to burn Jews,” and “History of ‘why jews ruin the world.’” Then we added a category that Facebook suggested when we typed in “Hitler”: a category called “Hitler did nothing wrong.” All were described as “fields of study.”

These ad categories were tiny. Only two people were listed as the audience size for “how to burn jews,” and just one for “History of ‘why jews ruin the world.’” Another 15 people comprised the viewership for “Hitler did nothing wrong.”

Facebook’s automated system told us that we still didn’t have a large enough audience to make a purchase. So we added “German Schutzstaffel,” commonly known as the Nazi SS, and the “Nazi Party,” which were both described to advertisers as groups of “employers.” Their audiences were larger: 3,194 for the SS and 2,449 for Nazi Party.

Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.

Once we had our audience, we submitted our ad — which promoted an unrelated ProPublica news article. Within 15 minutes, Facebook approved our ad, with one change. In its approval screen, Facebook described the ad targeting category “Jew hater” as “Antysemityzm,” the Polish word for anti-Semitism. Just to make sure it was referring to the same category, we bought two additional ads using the term “Jew hater” in combination with other terms. Both times, Facebook changed the ad targeting category “Jew hater” to “Antisemityzm” in its approval.

Here is one of our approved ads from Facebook:

Screenshot of approved Facebook ad for ProPublica

A few days later, Facebook sent us the results of our campaigns. Our three ads reached 5,897 people, generating 101 clicks, and 13 “engagements” — which could be a “like” a “share” or a comment on a post.

Since we contacted Facebook, most of the anti-Semitic categories have disappeared.

Facebook spokesman Joe Osborne said that they didn’t appear to have been widely used. “We have looked at the use of these audiences and campaigns and it’s not common or widespread,” he said.

We looked for analogous advertising categories for other religions, such as “Muslim haters.” Facebook didn’t have them.

Update, Sept. 14, 2017: This story has been updated to include the Facebook spokesman's name.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


31 States Sent Joint Letter Demanding Equifax Provide Free Services And Better Support For Consumers

On Friday, September 15, the attorneys general in several states sent a joint letter to Equifax as a result of the credit reporting agency's response to a massive data breach affecting about 143 million persons in the United States. The participating attorneys general are concerned about the impacts and costs to consumers. They want Equifax to respond better to the needs of consumers, extend the duration of the sign-up period for breach victims, and waive the fees of certain services. Perhaps most importantly, they are concerned about Equifax benefiting unjustly due to a situation it created.

The joint letter explained:

"... Chief among the issues causing confusion and concern are the inclusion of terms of service that required consumers to waive their rights, the offer of competing fee-based and free credit monitoring services by Equifax, and the charges consumers incur for a security freeze with other credit monitoring companies like Experian, TransUnion, and Innovis.

Initially, in order to enroll in the free credit monitoring that Equifax offered to all Americans, it appeared that Equifax attached certain conditions to the offer, including mandatory arbitration, among other things. The fact that Equifax’s own conduct created the need for these services demands that they be offered to consumers without tying the offer to complicated terms of service that may require them to forgo certain rights. It was not until after urging from our offices and public condemnation that Equifax withdrew these objectionable terms from its offer of free credit monitoring.

We remain concerned that Equifax continues to market its fee-based services to consumers affected by its data breach. Consumers who view Equifax’s homepage are offered both Equifax fee-based credit monitoring services, as well as its services offered at no cost. Again, at the urging of our offices and following criticism in the media, Equifax made its offer of free credit monitoring services more prominent so that it can be more easily found by consumers. Although these changes are an improvement over the site’s original offering, which presented a much less prominent link when compared to Equifax’s fee-based offering, they do not address all of our concerns.

We believe continuing to offer consumers a fee-based service in addition to Equifax’s free monitoring services will serve to only confuse consumers who are already struggling to make decisions on how to best protect themselves in the wake of this massive breach. We object to Equifax seemingly using its own data breach as an opportunity to sell services to breach victims. Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair, particularly if consumers are not sure if their information was compromised.

Equifax cannot reap benefits from confused consumers who are likely only visiting Equifax’s homepage because they are concerned about whether the breach affects them and their families. If there is any substantial benefit consumers can obtain by purchasing the fee-based services over the free credit monitoring, then we strongly suggest that Equifax upgrade its free credit monitoring service to provide equivalent protection. On the other hand, if the services are equivalent, then we fail to understand why Equifax continues to offer its fee-based services to those affected by the breach if equivalent services are obtainable at no cost. Either way, we request that Equifax disable links to its fee-based services until the sign-up period for the free service has ended. Additionally, the cutoff date of November 21, 2017 for consumers to avail themselves of the free services provided appears to us to be rather short-sighted and we suggest that date be extended to at least January 31, 2018.

Our offices are also receiving complaints from proactive consumers who have requested a security freeze. Although Equifax is not charging consumers a fee for its own security freeze service, these consumers are furious that they have been forced to pay for a security freeze with other companies, such as Experian and TransUnion, when this privacy breach was no fault of their own. We agree with these consumers that it is indefensible that they be forced to pay fees to fully protect themselves from the fallout of Equifax’s data breach.

Accordingly, we believe Equifax should, at a minimum, be taking steps to reimburse consumers who incur fees to completely freeze their credit..."

The participating attorneys general are from Alabama, Arizona, Connecticut, Delaware, Georgia, Hawaii, Illinois, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, North Dakota, Oklahoma, Ohio, Oregon, South Carolina, South Dakota, Pennsylvania, Virginia, West Virginia, and the District of Columbia. Read the announcement by Christopher S. Porrino, the State of New Jersey Attorney General. A copy of the joint letter is also available here (Adobe PDF).


The Equifax Breach: Several Investigations Underway

The Office of the Attorney General (AG) for the State of Nevada announced yesterday an investigation into the Equifax data breach. About 143 million persons were affected. The announcement stated:

"The breach, which took place from mid-May through July of this year, neglected to keep important personal identifying information safe and allowed hackers to access names, Social Security numbers, birth dates, addresses and even some driver’s license numbers. As a result of this breach, approximately 209,000 individuals throughout the country are estimated to have had their credit card numbers stolen."

Nevada AG Adam Paul Laxalt said:

"As a part of my commitment to safeguard the identities and personal information of Nevadans, my office will be working diligently with other states to investigate the cause of the Equifax breach... I encourage Nevadans to contact Equifax to determine whether their data was compromised, and to consider taking additional steps to protect themselves."

The statement did not mention the other states the Nevada AG's Office is working with. Residents of Nevada should read the announcement which lists specific actions consumers in that state should take to protect themselves.

The Attorney General for the State of New York announced on September 8 both an investigation into the Equifax data breach and a consumer alert:

"Under New York law, businesses with New York customers are required to inform customers and the Attorney General’s Office about security breaches that have placed personal information in jeopardy. The Attorney General’s Office investigates data breaches to determine if customers were properly notified of the breach and if the entity had appropriate safeguards in place to protect customers’ data..."

The consumer alert portion of the announcement:

"1) Check your credit reports from Equifax, Experian, and TransUnion by visiting annualcreditreport.com. Accounts or activity that you do not recognize could indicate identity theft. This is a free service; 2) Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. It will not prevent a thief from using any of your existing accounts; 3) Monitor your existing credit card and bank accounts closely for unauthorized charges. Call the credit card company or bank immediately about any charges you do not recognize; and 4) Since Social Security numbers were affected, there is risk of tax fraud. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Consider filing your taxes early and pay close attention to correspondence from the IRS."

Annulacreditreport.com is the official site for free credit reports.  The U.S. Federal Trade Commission (FTC) issued new rules in 2010 which addressed consumer confusion in the marketplace about sites offering free credit reports. When using unofficial sites, some consumers found the "free" credit reports weren't truly free because they included expensive subscriptions to credit monitoring services.

On September 11, the New York AG's issued a warning about cyber attacks resulting from the Equifax breach:

"In addition to taking measures to protect their credit cards and bank accounts, New Yorkers should also think twice before clicking on any suspicious [e-mail] links claiming to be from Equifax or financial institutions... Hackers are resourceful criminals who are constantly looking to exploit any vulnerabilities... New Yorkers should be on the lookout for these possible attacks: a) Phishing emails that claim to be from Equifax where you can check if your data was compromised; b) Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information; c) Calls from scammers that claim they are from your bank or credit union..."

Also, the Los Angeles Times confirmed an investigation by the U.S. Federal Trade Commission (FTC):

"The FTC’s disclosure of an ongoing probe is highly unusual, underscoring the enormous stakes involved in the incident affecting what amounts to half the country."

The news report cited comments by Peter Kaplan, the agency’s acting director of public affairs. So far, little is known which aspects of the breach the FTC is investigating.

No doubt, there is more news to come.


Equifax Data Breach: 11 Reasons Why It Is Worse Than You Think

Equifax logo Equifax, one of the three major credit reporting agencies, announced on September 7 a massive data breach where criminals accessed the company's computer systems. How bad is it? It is instructive to analyze the text of Equifax's breach announcement:

"... a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed."

First, this is huge. Do the math 143 million persons is about 44 percent of the United States population of 325 million on July 4, 2017. So, almost half of the population was affected. Not good. But, there's more to this than size.

Second, the announcement stated "approximately." So, the true number could be lower or higher. The vagueness suggests that Equifax doesn't really know exactly how many consumers were affected. Not good. And, other details support this assumption that Equifax really doesn't know.

Third, the announcement stated "accessed." During the 10+ years I've written this blog, I've read dozens or hundreds of breach announcements. Many use this term. While the term may accurately describe what's Equifax knows, it also can be misleading. Criminals don't access companies' systems simply to window-shop or read files. They access systems to download and steal valuable information they can either use to make money, or resell to others. It's what online criminals do.

Fourth, the data elements accessed stolen allow criminals to do a lot of damage. That might include: a) obtain fraudulent loans or credit in breach victims' names; b) impersonate breach victims (it's called pretexting) to access online accounts; c) with online access withdraw money from victims' bank accounts; and much more. With online access, criminals can change passwords and take over victims' accounts effectively locking out victims.

Fifth, the breach investigation isn't finished:

"Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks."

The announcement didn't state when Equifax expected the investigation to be finished. Days? Weeks? Months? Not good.

Equifax hired an outside, independent technology firm to investigate its breach. That's what companies usually do during their post-breach response. This tiny bit of good news is quickly overshadowed by the bad. Without a completed breach investigation, Equifax can't really know whether the breach was caused by a technical systems problem, employee error, management oversight lapses, a sloppy or incompetent subcontractor, something else, or a combination of items. Only after a completed breach investigation can Equifax implement one or several fixes so this won't happen again. Not good.

Sixth, without knowing how criminals accessed their systems it is unlikely Equifax also can't know with certainty what data elements about consumers were stolen. More data elements could have been stolen, perhaps entire credit reports. Not good.

Seventh, it seems that Equifax's intrusion detection systems failed. Just look at the timeline. The breach started in mid-May and Equifax discovered it near the end of July. So, criminals had at least 2 full months to steal whatever they could find. Not good. Plus, after discovering the breach it would take Equifax another 5 weeks later to announce it. Why the delays? The breach announcement doesn't explain why. Not good.

Eighth, Equifax seems to take shortcuts with its breach notification:

"Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."

Setting up a website to convey breach updates to consumers is a good thing, but using the site to notify consumers about the breach is not good for two reasons: a) the site requires consumers to enter many of the same sensitive, valuable data elements criminals want to steal; and b) it forces consumers to trust that the breach site is secure, when we know that the breach investigation is incomplete. This is a breach notification failure.

In the 10+ years I've written this blog, trustworthy companies notify breach victims via postal mail. Why won't Equifax notify all breach victims directly via postal mail? It has consumers' residential addresses in its databases. (That is a benefit for its lending customers.) So, the lack of data is not an excuse. Plus, the credit reporting agency is willing to notify some consumers directly:

"In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted."

Rather than notify all breach victims directly, Equifax seems to want to take shortcuts. Maybe it is to save money, laziness, or poor decisions by its executives. The announcement doesn't explain why, so consumers are left to draw their own conclusions. Not good.

Ninth, technologists have questioned the security of Equifax's new breach site. Ars Technica reported:

"... the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details..."

Reportedly, the domain name registration problem was fixed on Sunday. Still, Equifax's post-breach response appears amateurish. Meanwhile, data security problems persisted in its main website. According to Ars Technica:

"... in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So, Equifax hasn't completed its breach investigation, doesn't know how its systems were hacked, has vulnerabilities in its main site, but wants consumers to trust that its breach site is secure. Not good.

Tenth, the Equifax announcement promoted its credit monitoring service (emphasis added):

"Equifax has established a dedicated website... to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year."

One year? Are Equifax executives serious? Stolen consumers' credentials don't magically lose value after one year. Criminals will use stolen credentials (e.g., name, address, Social Security Number, birth date, etc.) as long as they can. Criminals will resell stolen data to other criminals as long as the data has value. In my opinion, Equifax should provide complimentary lifetime credit monitoring indefinitely to all breach victims.

Why lifetime? Because the data elements accessed stolen have ongoing value. The cynical part of me wonders if some finance executives have done the math. As long as credit reporting agency executives believe that one year of free credit monitoring will appease breach victims, it's cheaper to pay that cost (plus a few out-of-court settlements), rather than implement more robust data security.

Eleventh, there is a history of questionable decisions by Equifax executives. In 2007, it paid a $2.7 million fine for violating federal credit laws. In 2009, it paid a $65,000 fine to the state of Indiana for violating the state's security freeze law. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations of improper list sales. Earlier this year, Equifax and TransUnion paid $23.1 million to settle allegations of deceptive advertising about credit scores.

This history provides some context to news reports that three Equifax executives sold about $1.8 million in stock after the breach was discovered and before the public breach announcement. Equifax stock fell about 13 percent after the breach announcement. The company said on Thursday that these executives didn't know about the intrusion when they sold shares. Even if true, the optics of this look absolutely terrible.

The whole sordid affair should be a reminder to consumers that we are the product. Credit reporting agencies' true customers are lenders - the companies that lend money and make loans to consumers. Equifax makes its money selling credit reports to lenders.

What to make of this? I see several considerations for consumers:

  1. Assume the worst. Every time you hear or read the word "accessed" by Equifax, replace it with "stolen." Then, make your data security decisions accordingly.
  2. If you don't trust the security of Equifax's breach site, then call the company instead via the hotline listed in the breach announcement (preferably using a landline phone) to see if you are affected.
  3. Carefully consider the advantages and disadvantages of Equifax's offer of free credit monitoring and identity theft protection. Equifax has been criticized for forcing arbitration on consumers who accept the free credit monitoring offer. In a September 11th update in its breach site, Equifax reversed course and said the arbitration clause and class-action waiver don't apply in this incident. Regardless, read the fine print before signing up. They may try to re-insert it later. If you don't know what it is, learn about arbitration. A variety of companies have inserted these clauses into their user agreements policies. You'll need to learn about arbitration anyway in order to make informed purchase decisions about other products and services.
  4. If you don't need credit, consider a Security Freeze to lock down your Equifax credit reports. Then, Equifax can't sell your credit report to lenders. You can do this at all three major credit reporting agencies. I did this several years ago after a data breach by a former employer. Know that a Security Freeze is not a cure-all, since it won't stop data breaches and it won't stop all forms of identity theft and fraud. To learn more, this blog has plenty of information about credit reporting agencies, credit monitoring services, fraud alerts for your credit reports, and security freezes.
  5. If you dislike Equifax's post-breach response, then contact your elected officials and demand that they pressure Equifax to do the right thing: a) notify all breach victims directly via postal mail; and b) implement better data security.
  6. Equifax's post-breach response makes me question whether the company is really up to the data security task -- it's responsibility -- to adequately protect consumers' sensitive information. All credit reporting agencies are high-value targets by criminals. If Equifax's executives didn't understand this before, they should now -- and take actions to demonstrate to consumers they realize the seriousness of the breach. Words are not enough.
  7. Consumers lack choices. Citizens cannot opt in nor opt out of the data collection by credit reporting agencies. (Consumers can opt out of pre-approved credit offers, but can't opt out of the data collection. There's a difference.) Also, the Equifax breach highlights the hypocrisy of pundits and politicians who object to the mandate within Obamacare (e.g., the Affordable Care Act) legislation -- some called it socialism -- while remaining remain silent about a similarly socialistic mandate with credit reporting.

While writing a post recently about misdeeds at Wells Fargo, I asked the question: "How much damage can one bank do?" Now, I find myself asking a similar question about Equifax: "How much damage can one company do?" Credit and lending are essential to the United States economy. In my opinion, all credit reporting agencies should have NSA-level data security for their networks and computer systems. The data they archive is that critical.

And: if you can't protect it, don't collect it. It's that simple.

As more issues emerge about this breach, I will address them in subsequent posts. What are your opinions of the Equifax breach? Did you lock down your credit reports with a Security Freeze?


Wells Fargo: 1.4 Million More Fake Accounts Found By Latest Investigation

Wells Fargo logo Just before the long holiday weekend, Wells Fargo Bank announced in an August 31 news release the latest results of a third-party investigation into its retail bank account practices since 2009:

"The original account analysis reviewed 93.5 million current and former customer accounts opened in an approximately four and half year time period – from May 2011 through mid-2015 – and identified approximately 2.1 million potentially unauthorized accounts. The expanded analysis reviewed more than 165 million retail banking accounts opened over a nearly eight-year period – from January 2009 through September 2016 – and identified a new total of approximately 3.5 million potentially unauthorized consumer and small business accounts... In connection with these 3.5 million potentially unauthorized accounts, approximately 190,000 accounts incurred fees and charges, up from 130,000 previously identified accounts that incurred fees and charges, and Wells Fargo will provide a total of $2.8 million in additional refunds and credits on top of the $3.3 million previously refunded as a result of the original account review... a review of online bill pay services, as required by the Sept. 8, 2016, consent orders... the analysis identified approximately 528,000 potentially unauthorized online bill pay enrollments and Wells Fargo will refund $910,000 to customers who incurred fees or charges. "

To summarize: the latest investigation went two years further back in time, found about 1.4 million more phony accounts, found more customers affected by unauthorized bank accounts, and found possibly more phony online bill-pay enrollments. In a settlement agreement last year with the Consumer Financial Protection Bureau (CFPB), Wells Fargo paid a $185 million fine last year for alleged unlawful sales practices with the number of phony accounts known then.

Of course, the bank tried a different spin in its news release about the investigation's findings:

"... the completion of its previously announced expanded third-party review of retail banking accounts dating back to the beginning of 2009. Combined with a recent class action settlement and ongoing broad customer outreach and complaint resolution, the completion of the analysis further paves the way for making things right for Wells Fargo customers who may have been harmed by unacceptable retail sales practices."

Yeah, right. That sounds like some wayward teenager wanting praise for providing a complete list of damage to the family car which they didn't have permission nor a license to drive in the first place.

Much of Wall Street has seen through the spin. Some financial experts advise investors to sell Well Fargo shares and buy other banks' shares instead. One of the world's largest fund managers withheld support for three of the bank's directors. Some news headlines focused on the growing estimate of phony accounts uncovered. MSN Money listed reasons why the bank may not survive the growing scandal.

There is plenty of bad news. The Los Angels Times reported a lawsuit by former bank executives who claimed they were scapegoated and fired earlier this year after reporting unethical sales practices. News reports broke earlier this month about alleged insurance abuses of the bank's auto-loan customers.

Well, we now know more about the bank's retail banking practices. The latest announcement makes one wonder, a) how much damage one bank can do, and b) how many more phony accounts would have been uncovered if the investigation started before 2009. What are your opinions?


Neighbor Spoofing: What It Is And The Best Way To Stop It

A friend recently posted on social media:

"I get five to seven phone calls daily from a 617-388-(random) number. I keep blocking them but new ones keep calling. My number is a 617-388- number. I've called a few back and they're actually people's personal mobile numbers. What is going on?! Anyone know how to stop it?"

This is neighbor spoofing... where robocallers pretend to be neighbors with familiar looking phone numbers. NPR explained neighbor spoofing is:

"... when callers disguise their real phone numbers with a fake phone number that has the same area code and prefix as yours. The idea is you might be more likely to pick up because maybe you're thinking, this call could be my neighbor or my kid's school, someone I know... Even the chairman of the Federal Communications Commission, Ajit Pai, cannot escape... The calls have gotten so aggravating to Pai, he is doubling down and making the fight against spoofers a top priority for the FCC. Robocalls and telemarketers are the No. 1 complaint the agency gets from the public. New technology has made spoofing easier to do and harder to detect. Last year, people received about 2.5 billion robocalls every month...this spring, the FCC started investigating ways to let phone carriers block calls from spoofers..."

The best solution is a system where phone companies authenticate callers. That would stop or block neighbor spoofing. Until then, the FCC is using deterrence. Back in June, the FCC proposed a $120 million fine against a habitual robocall scammer, Adrian Abramovich, based in Florida:

"Over the course of several years, Abramovich's companies disrupted emergency services, bilked vulnerable consumers out of thousands of dollars and hurt legitimate businesses, the FCC contends... TripAdvisor was deluged by consumer complaints about robocalls that the company had not initiated or authorized. After conducting an internal investigation, TripAdvisor determined that the offending calls were linked to a Mexican hotel and resort chain that had contracted with Abramovich for advertising services."

Consumers interested in something they could do might consider Nomorobo, which works (landline or mobile) with many service providers. Users of Apple and Andorid OS phones might investigate Hiya. Windows and BlackBerry phone users can check the CTIA Wireless Association's guide for free (or low-cost) mobile apps to block robocalls.

Robocalls from schools, physicians, airlines, and law enforcement are helpful, while robocalls from scammers aren't. The best solution -- true authentication -- can't come fast enough. Consumers and businesses are suffering.

While I don't wish anything bad on anyone, I am happy that FCC Chairmann Pai is also directly feeling the pain. Perhaps, now he knows how consumers feel. The loss of broadband privacy and Pai's push to kill net neutrality annoy consumers almost as much as neighbor spoofing.


Despite Disavowals, Leading Tech Companies Help Extremist Sites Monetize Hate

[Editor's note: today's guest post, by reporters at ProPublica, explores how hate sites maintain an online presence. It is reprinted with permission.]

By Julia Angwin, Jeff Larson, Madeleine Varner and Lauren Kirchner. ProPublica

Because of its "extreme hostility toward Muslims," the website Jihadwatch.org is considered an active hate group by the Southern Poverty Law Center and the Anti-Defamation League. The views of the site's director, Robert Spencer, on Islam led the British Home Office to ban him from entering the country in 2013.

But its designation as a hate site hasn't stopped tech companies -- including PayPal, Amazon and Newsmax -- from maintaining partnerships with Jihad Watch that help to sustain it financially. PayPal facilitates donations to the site. Newsmax -- the online news network run by President Donald Trump's close friend Chris Ruddy -- pays Jihad Watch in return for users clicking on its headlines. Until recently, Amazon allowed Jihad Watch to participate in a program that promised a cut of any book sales that the site generated. All three companies have policies that say they don't do business with hate groups.

Jihad Watch is one of many sites that monetize their extremist views through relationships with technology companies. ProPublica surveyed the most visited websites of groups designated as extremist by either the SPLC or the Anti-Defamation League. We found that more than half of them -- 39 out of 69 -- made money from ads, donations or other revenue streams facilitated by technology companies. At least 10 tech companies played a role directly or indirectly in supporting these sites.

Traditionally, tech companies have justified such relationships by contending that it's not their role to censor the Internet or to discourage legitimate political expression. Also, their management wasn't necessarily aware that they were doing business with hate sites because tech services tend to be automated and based on algorithms tied to demographics.

In the wake of last week's violent protest by alt-right groups in Charlottesville, more tech companies have disavowed relationships with extremist groups. During just the last week, six of the sites on our list were shut down. Even the web services company Cloudflare, which had long defended its laissez-faire approach to political expression, finally ended its relationship with the neo-Nazi site The Daily Stormer last week.

"I can't recall a time where the tech industry was so in step in their response to hate on their platforms," said Oren Segal, director of the ADL's Center on Extremism. "Stopping financial support to hate sites seems like a win-win for everyone."

But ProPublica's findings indicate that some tech companies with anti-hate policies may have failed to establish the monitoring processes needed to weed out hate sites. PayPal, the payment processor, has a policy against working with sites that use its service for "the promotion of hate, violence, [or] racial intolerance." Yet it was by far the top tech provider to the hate sites with donation links on 23 sites, or about one-third of those surveyed by ProPublica. In response to ProPublica's inquiries, PayPal spokesman Justin Higgs said in a statement that the company "strives to conscientiously assess activity and review accounts reported to us."

After Charlottesville, PayPal stopped accepting payments or donations for several high-profile white nationalist groups that participated in the march. It posted a statement that it would remain "vigilant on hate, violence & intolerance." It addresses each case individually, and "strives to navigate the balance between freedom of expression" and the "limiting and closing" of hate sites, it said.

After being contacted by ProPublica, Newsmax said it was unaware that the three sites that it had relationships with were considered hateful. "We will review the content of these sites and make any necessary changes after that review," said Andy Brown, chief operating officer of Newsmax.

Amazon spokeswoman Angie Newman said the company had previously removed Jihad Watch and three other sites identified by ProPublica from its program sharing revenue for book sales, which is called Amazon Associates. When ProPublica pointed out that the sites still carried working links to the program, she said that it was their responsibility to remove the code. "They are no longer paid as an Associate regardless of what links are on their site once we remove them from the Associates Program," she said.

Where to set the boundaries between hate speech and legitimate advocacy for perspectives on the edge of the political spectrum, and who should set them, are complex and difficult questions. Like other media outlets, we relied in part on the Southern Poverty Law Center's public list of "Active Hate Groups 2016." This list is controversial in some circles, with critics questioning whether the SPLC is too quick to brand organizations on the right as hate groups.

Still, the center does provide detailed explanations for many of its designations. For instance, the SPLC documents its decision to include the Family Research Council by citing the evangelical lobbying group's promotion of discredited science and unsubstantiated attacks on gay and lesbian people. We also consulted a list from ADL, which is not public and that was provided to us for research purposes. See our methodology here.

The sites that we identified from the ADL and SPLC lists vehemently denied that they are hate sites.

"It is not hateful, racist or extremist to oppose jihad terror," said Spencer, the director of Jihad Watch. He added that the true extremism was displayed by groups that seek to censor the Internet and that by asking questions about the tech platforms on his site, we were "aiding and abetting a quintessentially fascist enterprise."

Spencer made these comments in response to questions emailed by ProPublica reporter Lauren Kirchner. Afterwards, Spencer posted an item on Jihad Watch alleging that "leftist 'journalist'" Kirchner had threatened the site. He also posted Kirchner's photo and email, as well as his correspondence with her. After being contacted by ProPublica, another anti-Islam activist, Pamela Geller, also posted an attack on Kirchner, calling her a "senior reporting troll." Like Spencer, Geller was banned by the British Home Office; her eponymous site is on the SPLC and ADL lists.

Donations -- and the ability to accept them online through PayPal and similar companies -- are a lifeline for sites like Jihad Watch. In 2015, the nonprofit website disclosed that three quarters of its roughly $100,000 in revenues came from donations, according to publicly available tax records.

In recent weeks, PayPal has been working to shut down donations to extremist sites. This week, it pulled the plug on VDARE.com, an anti-immigration website designated as "white nationalist" by the SPLC and as a hate site by the ADL. VDARE, which denies being white nationalist, immediately switched to its backup system, Stripe.

Stripe, a private company recently described by Bloomberg Businessweek as a $9 billion startup, is unusual in not having a policy against working with hate sites. It does, however, prohibit financial transactions that support drugs, pornography and "psychic services." Stripe provided donation links for 10 sites, second only to PayPal on our list. Stripe did not respond to a request for comment.

VDARE editor Peter Brimelow declared on his site that the PayPal shutdown was likely part of a purge by the "authoritarian Communist Left to punish anyone who disagrees with their anti-American violence against patriotic people." He urged his readers to donate through other channels such as Bitcoins. "We need your help desperately," he wrote. "We must have the resources to defend ourselves and our people."

In 2015, VDARE received nearly all of its revenue -- $267,038 out of total $293,663 -- from donations, according to publicly available tax return forms that the Internal Revenue Service requires nonprofits to disclose.

Brimelow did not respond to our questions, instead characterizing ProPublica as the "Totalitarian Left."

Some sites also supplement their donations with revenue from online advertising. For instance, SonsofLibertyMedia.com, which is on the SPLC list, generated about 10 percent of its revenue -- $37,828 -- from advertising in 2015, according to its tax documents.

The site, which describes itself as promoting a "Judeo-Christian ethic," and recently posted an article declaring that a black activist protesting Confederate statues needed "a serious beat down," does not appear to attract advertisers directly.

Instead, Sons of Liberty benefits from a type of ad-piggybacking arrangement that is becoming more common in the tech industry. The website runs sponsored news articles from a company called Taboola, which shares ad revenues with it. Known for being at the forefront of "click-bait," Taboola places links on websites to articles about celebrities and popular culture.

Taboola's policy prohibits working with sites that have "politically religious agendas" or use hate speech. "We strive to ensure the safety of our network but from time to time, unfortunately, mistakes can happen," said Taboola spokeswoman Dana Miller. "We will ask our Content Policy group to review this site again and take action if needed."

Sons of Liberty founder Bradlee Dean said that he forwarded our questions to his attorney. The lawyer did not respond.

Hate sites can initiate relationships with tech companies with little scrutiny.

Any website can fill out an online form asking to join, for instance, Amazon's network, and often can get approved instantly. Once a website has joined a tech network, it can quickly start earning money through advertising, donations, or content farms such as Taboola that share ad revenues with websites that distribute their articles.

Some companies, such as Newsmax, say that joining their ad network requires explicit prior approval.

But, according to a former Newsmax employee, the only criterion for this approval was whether traffic to the site reached a minimum threshold. There was no content review. Salespeople were told to be aggressive in signing up publishing partners.

"We'd put our news feed on anybody's page, anyone who was willing to listen," he said, "it's about email addresses, it's about marketing, they don't care about ultra conservative or left wing."

Dylan Roof frequented a website described by the SPLC as "white nationalist." He said in a manifesto posted online that finding the website was a turning point in his life. He went on to murder nine African-American churchgoers in Charleston, South Carolina, in 2015. That year, USA Today found Newsmax ads on the site.

They no longer appear there.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


'Map Your Orgasm' - A New Smart Device For Women

Recently, Mashable reported about a new smart device for women:

"The Lioness looks like a pretty standard vibrator on the outside, but inside it has four sensors that measure temperature, the force of muscle contractions, and track the movement of the device. When you’re done with your session, you can sync the Lioness with its app (available for iOS and Android). It then provides you with easy-to-read visualization of what was happening to your body while you were busy getting off. So, yes, essentially it gives you a map of your orgasm. You can also tag each session with different terms so you can track how your health, sleep, alcohol consumption, mood, etc. affect your experiences."

Gives you a map of your orgasm? That's a surprising description. Perhaps, I shouldn't have been surprised. First, there were online tools such as "map my ride" and map my run." Good stuff to help consumers stay healthy. I guess a tool resembling 'map your orgasm' was bound to happen.

Lioness sounds like a much better product name. To learn more, I visited the Lioness site. The home page featured this statement: "Don't worry, we will never share your email or spam you." That's a good start.

Privacy is important; especially with smart devices which collect intimate data about consumers. Earlier this year, news reports described a plan by a smart-device maker to resell the interior home maps its robovacs created. And, another smart vibrator maker paid hefty fines to settle allegations that it tracked users without their knowledge nor consent.

A wise person once said, "the devil is in the details." The privacy policy in a company's website is a good place to hunt for details. While blogging about privacy and identity theft during the last 10 years, I've read plenty of privacy policies. Plenty. I read the Lioness Privacy Policy (dated May 1) and found some notable sections:

"This Privacy Policy applies to our vibrators and other devices (“Devices”), our websites, including but not limited to lioness.io (individually a “Site” and collectively “Sites”), the Lioness software (“Software”) and Lioness mobile applications (the “Apps”). The Devices, Sites, Software and Apps are collectively referred to in this Policy as the “Lioness Service,” and by proceeding to use the Lioness Service you consent that we may handle the data that we collect from you in accordance with this Privacy Policy."

Pretty standard stuff so far. Warning: I'm not an attorney. If you want legal advice, hire an attorney. Like you, I'm just a regular consumer trying to understand smart devices while maintaining as much privacy as possible. Additional sections in the policy I found interesting:

"Sync Your Device
When you sync your Device through an App or the Software, data recorded on your Device is transferred from your Device to our servers. This data is stored and used to provide the Lioness Service and is associated with your account. Each time a sync occurs, we log data about the transmission. Some examples of the log data are the sync time and date, device battery level, and the IP address used when syncing."

Let's unpack that. The vibrator and its mobile app, record the date, time, and battery usage. Combine this with data collected from the four sensors and Lioness will know plenty about your usage: when (date and time), location, duration, preferred movement patterns, and more. It indeed could create a map. More sections in the policy:

"WHY WE COLLECT DATA
Lioness uses your data to provide you with the best experience possible, to help you learn about your body, and to improve and protect the Lioness Service. Here are some examples: i) Contact information is used to send you notifications and to inform you about new features or products... ii) Data and logs are used in research to understand and improve the Lioness Device and Lioness Service; to troubleshoot the Lioness Service; to detect and protect against error, fraud or other criminal activity; and to enforce the Lioness Terms of Service; iii) Aggregate data that does not identify you may be used to inform the health community about trends; for marketing and promotional use..."

Data That Could Identify You
Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you."

Hmmm. The policy does not list all data elements that personally identify you. For me, that's important to know. And, anything recorded on a smartphone can easily be linked to a person using her 10-digit phone number or the mobile device's serial number.

Informed shoppers probably want to know before purchase which other companies (e.g., business partners, affiliates, advertisers, etc.) Lioness shares data with. Its May 1, 2017 privacy policy also states:

"... companies that are contractually engaged in providing Lioness with services, such as order fulfillment, email management and credit card processing. These companies are obligated by contract to safeguard any PII they receive from us..."

"THIRD PARTIES
Lioness will not be responsible for the practices of third parties that Lioness does not own or control or individuals that Lioness does not employ or manage. The information provided by you to other third parties may be subject to their own privacy policies, which may differ from Lioness’s privacy policy. The Lioness Service may contain links to other sites, and we make every effort to only link to sites that share our high standards and respect for privacy. However, we are not responsible for the privacy practices employed by other sites..."

"DATA RETENTION
Lioness reserves the right to retain your PII for as long as your account remains active..."

So, the policy doesn't mention other companies by name. Not good. That makes it tough for consumers to make informed decisions.

Fitness tracking with the MapMyRide app On Facebook, many of my friends regularly share visual maps of their workouts. (See example on right.) That's their freedom of choice. So, some consumers are probably wondering if Lioness offers a similar share function. Again from the privacy policy:

"Community Posts
The Lioness Service may offer discussion forums, message boards, social networking opportunities, chat pages and other public forums or features in which you may provide personal information, materials and related content. If you submit personal information when using these public features, please note that such personal information may be publicly posted and otherwise disclosed and used without limitation or restriction."

So, the policy doesn't mention literal maps, per se. They might or might not provide the feature to users. The key takeaway: the responsibility rests upon the user. Don't share it if you don't want it made public.

It's probably helpful to also know that the product uses Bluetooth technology to perform data syncing. From the Lioness FAQ page:

"Wait...will there be bluetooth in my vagina?
Nope. We know that there are a lot of people who don’t like the idea of bluetooth being on while in use, so we made it so bluetooth automatically turns off when you use it."

Also, the FAQ page mentioned:

"Is my data stored securely and kept confidential?
Absolutely. We thought about privacy and security from the beginning for this product. You are the only one who can access your individual data. Everything is encrypted and we fully anonymize the data..."

That's good, but the privacy policy didn't mention data encryption. I expected it would. Not sure what to make of that.

Is the Lioness a good deal? Only you can decide for yourself -- and you should after reading both the privacy and terms-of-service policies.

Me? In my opinion, there seems to be too much wiggle-room for data sharing. The policy contains a lot of words and nothing special compared to other policies I've read. What are your opinions?