1,069 posts categorized "Corporate Responsibility"

Uber's Ripley Program To Thwart Law Enforcement

Uber is in the news again, and not in a good way. TechCrunch reported:

"Between spring 2015 until late 2016 the ride-hailing giant routinely used a system designed to thwart police raids in foreign countries, according to Bloomberg, citing three people with knowledge of the system. It reports that Uber’s San Francisco office used the protocol — which apparently came to be referred to internally as ‘Ripley’ — at least two dozen times. The system enabled staff to remotely change passwords and “otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices”, it reports. We’ve also been told — via our own sources — about multiple programs at Uber intended to prevent company data from being accessed by oversight authorities... according to Bloomberg Uber created the system in response to raids on its offices in Europe: Specifically following a March 2015 raid on its Brussels office in which police gained access to its payments system and financial documents as well as driver and employee information; and after a raid on its Paris office in the same week."

In November of last year, reports emerged that the popular ride-sharing service experienced a data breach affecting 57 million users. Regulators said then that Uber tried to cover it up.

In March of last year, reports surfaced about Greyball, a worldwide program within Uber to thwart code enforcement inspections by governments. TechCrunch also described uLocker:

"We’ve also heard of the existence of a program at Uber called uLocker, although one source with knowledge of the program told us that the intention was to utilize a ransomware cryptolocker exploit and randomize the tokens — with the idea being that if Uber got raided it would cryptolocker its own devices in order to render data inaccessible to oversight authorities. The source said uLocker was being written in-house by Uber’s eng-sec and Marketplace Analytics divisions..."

Geez. First Greyball. Then Ripley and uLocker. And these are the known programs. This raises the question: how many programs are there?

Earlier today, Wired reported:

"The engineer at the heart of the upcoming Waymo vs Uber trial is facing dramatic new allegations of commercial wrongdoing, this time from a former nanny. Erika Wong, who says she cared for Anthony Levandowski’s two children from December 2016 to June 2017, filed a lawsuit in California this month accusing him of breaking a long list of employment laws. The complaint alleges the failure to pay wages, labor and health code violations... In her complaint, Wong alleges that Levandowski was paying a Tesla engineer for updates on its electric truck program, selling microchips abroad, and creating new startups using stolen trade secrets. Her complaint also describes Levandowski reacting to the arrival of the Waymo lawsuit against Uber, strategizing with then-Uber CEO Travis Kalanick, and discussing fleeing to Canada to escape prosecution... Levandowski’s outside dealings while employed at Google and Uber have been central themes in Waymo’s trade secrets case. Waymo says that Levandowski took 14,000 technical files related to laser-ranging lidar and other self-driving technologies with him when he left Google to work at Uber..."

Is this a corporation or organized crime? It seems difficult to tell the difference. What do you think?


Google Photos: Still Blind After All These Years

Earlier today, Wired reported:

"In 2015, a black software developer embarrassed Google by tweeting that the company’s Photos service had labeled photos of him with a black friend as "gorillas." Google declared itself "appalled and genuinely sorry." An engineer who became the public face of the clean-up operation said the label gorilla would no longer be applied to groups of images, and that Google was "working on longer-term fixes."

More than two years later, one of those fixes is erasing gorillas, and some other primates, from the service’s lexicon. The awkward workaround illustrates the difficulties Google and other tech companies face in advancing image-recognition technology... WIRED tested Google Photos using a collection of 40,000 images well-stocked with animals. It performed impressively at finding many creatures, including pandas and poodles. But the service reported "no results" for the search terms "gorilla," "chimp," "chimpanzee," and "monkey."

This is the best image-recognition software solution Google can do, while it also wants consumers to trust the software in its driverless vehicles? Geez. #fubar Well, maybe this video will help Google engineers feel better:


Telecoms Fired Workers After Lobbying For, And Getting, Tax Cuts And Net Neutrality Repeal

Last week, The Philadelphia Inquirer reported:

"Managers, supervisors, and direct sales people in Chicago, Florida, and other parts of Comcast’s Central region, mostly in the Midwest and Southeastern United States, were terminated around Dec. 15... More than 500 sales employees were terminated, company sources said... Comcast has not reorganized the direct sales forces and approach in the company’s two other big divisions, which include Pennsylvania, New Jersey, and Delaware. Comcast/NBCUniversal employs about 159,000.

In late December, Comcast announced that it would hand out $1,000 bonuses to full-time employees, in response to the Trump tax cut that will slash its corporate tax rate. The fired employees will be eligible for a “$1,000 supplemental severance payment,” Comcast said... Comcast direct sales employees earned $50,000 to $100,000 through a low base salary and commissions, the terminated employee said. The commissions ranged between roughly $75 for a new Internet Plus customer to $350 for a new customer who ordered a triple-play package with home security, the former employee said. Internet Plus is a package of television and broadband services..."

Reportedly, fired employees received severance pay only if they accepted non-disclosure agreements. Also, Comcast fired about 405 workers in Georgia.

Context matters. Earlier this week, Vox reported in December before the tax bill was passed:

"... the prospect for a deal on tax reform looking promising, lobbying reached a pinnacle this year, with 2,065 groups pushing their cause, according to reports published by the nonpartisan Center for Responsive Politics. The efforts are employing more than 6,000 lobbyists, the nonpartisan Public Citizen counted. The four organizations that reported the most lobbying activity on tax issues so far this year are Fortune 500 companies with a huge stake in the outcome: Comcast, Microsoft, Altria Group (formerly Philip Morris), and NextEra Energy."

Many politicians have repeatedly claimed that tax cuts will create new jobs, and that repeal of net neutrality rules would encourage investment by ISPs. And, after the U.S. Federal Communications Commission (FCC) voted in December to repeal existing net neutrality rules, Comcast issued this statement:

"We commend Chairman Pai for his leadership and FCC Commissioners O’Rielly and Carr for their support in adopting the Restoring Internet Freedom Order, returning to a regulatory environment that allowed the Internet to thrive for decades by eliminating burdensome Title II regulations and opening the door for increased investment and digital innovation. Today’s action does not mark the ‘end of the Internet as we know it;’ rather it heralds in a new era of light regulation that will benefit consumers."

So, let's summarize events. After receiving two huge benefits (tax cuts and the repeal of net neutrality rules), Comcast immediately terminated workers. Ars Technica asked Comcast why it fired workers when tax cuts were supposed to create new jobs:

"... Comcast gave us this statement but offered no further details: "Periodically, we reorganize groups of employees and adjust our sales tactics and talent. This change in the Central Division is an example of this practice and occurred in the context of our adding hundreds of frontline and sales employees. All these employees were offered generous severance and an opportunity to apply for other jobs at Comcast.""

One of the claims by corporate ISPs and by FCC Chairman Ajit Pai has been that net neutrality rules killed infrastructure investments by telecoms. Ars analyzed this claim:

"The firings happened around December 15. On December 20, Comcast announced that, because of the pending tax cut and recent repeal of net neutrality rules, it would give "special bonuses" of $1,000 to more than 100,000 employees and invest more than $50 billion in infrastructure over the next five years. "With these investments, we expect to add thousands of new direct and indirect jobs," Comcast said at the time.

We examined Comcast's investment claims in an article on December 21. As it turns out, Comcast's annual investments already soared during the two-plus years that net neutrality rules were on the books, and the $50 billion amount could be achieved if those investments simply continued increasing by a modest amount."

So, a few workers received bigger bonuses while others lost their jobs. And, it gets worse. AT&T fired about 700 workers after promising to increase investments by $1 billion if Congress passed the tax cuts bill. Congress did, and AT&T didn't wait to terminate workers.

One can conclude:

  1. The investment claims, by ISPs and advocates of repealing net neutrality rules, were bogus,
  2. Voters either didn't pay attention or were duped by claims that net neutrality rules killed investments by telecoms,
  3. Voters were duped during the 2016 election into believing claims that tax cuts would create jobs,
  4. Voters accepted these job-creation promises without demanding any guarantees, and
  5. Tax cuts are being used to reward employees and managers with bigger bonuses.

The bigger bonuses are great, if you have a job. Regardless, we now see the results: tax cuts help companies and fewer jobs hurt workers. Repeal of net neutrality rules will hurt public libraries, the poor, and disabled persons. And, there's more to come as ISPs roll out their revised broadband services (with higher prices) without net neutrality rules.

Yes, this stinks. What do you think? Is this what you expected?


Facebook CEO Admits His Social Service Has Problems, And Promises To Do Better In 2018

Mark Zuckerberg, the CEO at Facebook, recently admitted that his social networking service has problems. And, he promised to do better in 2018. The article is important since it highlights the issues causing concerns for Mr. Zuckerberg. The Independent UK reported:

"Each year, the Facebook boss takes on a challenge to complete over the year. For 2018, he has promised to try and fix his company... He said that he had made the decision to concentrate on his own company this year because the world was so divided and he thinks he will "learn more by focusing intensely on these issues...""

Huh? What else was he focused on instead? You'd think that he'd be focused 24/7/365 on a service with 23,265 employees and 2 billion monthly users worldwide.

The report by the Independent UK also described Mr. Zuckerberg's concerns, which have implications for everyone:

"... Facebook has been blamed for helping spread hatred and division in the wake of the [2016 U.S.] election, as well as potentially helping with the spread of fake news that allowed it to tip in Donald Trump's favour. Even the site itself has admitted that it can be upsetting and disruptive for those who use it, in a press release that said using the site might be bad for you... He pointed to the fact that the rise of tech companies like Facebook and their increasing power over the internet meant that the internet was becoming centralized in a few powerful hands. He pointed to other technologies like crypto-currency as challenges to that, but said that overall people had "lost faith" in the power of the internet to decentralize things.

A number of complaints have pointed at Facebook's unprecedented power over the way the internet works as a danger. Facebook's ability to control much of the news people read has been blamed for the spread of fake reporting, for instance, and projects like Facebook's Free Basics tools have been blamed for undermining net neutrality. But many of those same projects have been attempts by Facebook to grow its user base... He said he would look at using new technologies – encryption as well as cryptocurrency – to help improve Facebook and the internet by allowing it to stop being controlled by just a few people..."

Regular readers of this blog are aware of the problems, many of which were discussed in prior posts:

Will Mr. Zuckerberg and his senior management team fix these problems? Can they? Some of the ad-targeting mechanisms (that create abuses) have been around for years. Given its history, the cynic in me thinks that Facebook can only get better. Will Facebook do better in 2018? Tell us what you think.


Report: Air Travel Globally During 2017 Was The Safest Year On Record

The Independent UK newspaper reported:

"The Dutch-based aviation consultancy, To70, has released its Civil Aviation Safety Review for 2017. It reports only two fatal accidents, both involving small turbo-prop aircraft, with a total of 13 lives lost. No jets crashed in passenger service anywhere in the world... The chances of a plane being involved in a fatal accident is now one in 16 million, according to the lead researcher, Adrian Young... The report warns that electronic devices in checked-in bags pose a growing potential danger: “The increasing use of lithium-ion batteries in electronics creates a fire risk on board aeroplanes as such batteries are difficult to extinguish if they catch fire... The UK has the best air-safety record of any major country. No fatal accidents involving a British airline have happened since the 1980s. The last was on 10 January 1989... In contrast, sub-Saharan Africa has an accident rate 44 per cent worse than the global average, according to the International Air Transport Association (IATA)..."

Read the full 2017 aviation safety report by To70. Below is a chart from the report.

Accident Data Chart from To70 Air Safety Review for 2017.


Dozens of Companies Are Using Facebook to Exclude Older Workers From Job Ads

[Editor's note: everyone looks for a new job during their life. Today's guest blog post, by the reporters at ProPublica, explores an advertising practice by recruiters using social networking sites. Today's post is reprinted with permission.]

By Julia Angwin and Ariana Tobin of ProPublica, with Noam Scheiber, of The New York Times

A few weeks ago, Verizon placed an ad on Facebook to recruit applicants for a unit focused on financial planning and analysis. The ad showed a smiling, millennial-aged woman seated at a computer and promised that new hires could look forward to a rewarding career in which they would be "more than just a number."

Some relevant numbers were not immediately evident. The promotion was set to run on the Facebook feeds of users 25 to 36 years old who lived in the nation’s capital, or had recently visited there, and had demonstrated an interest in finance. For a vast majority of the hundreds of millions of people who check Facebook every day, the ad did not exist.

Verizon is among dozens of the nation's leading employers — including Amazon, Goldman Sachs, Target and Facebook itself — that placed recruitment ads limited to particular age groups, an investigation by ProPublica and The New York Times has found.

The ability of advertisers to deliver their message to the precise audience most likely to respond is the cornerstone of Facebook’s business model. But using the system to expose job opportunities only to certain age groups has raised concerns about fairness to older workers.

Several experts questioned whether the practice is in keeping with the federal Age Discrimination in Employment Act of 1967, which prohibits bias against people 40 or older in hiring or employment. Many jurisdictions make it a crime to “aid” or “abet” age discrimination, a provision that could apply to companies like Facebook that distribute job ads.

"It’s blatantly unlawful," said Debra Katz, a Washington employment lawyer who represents victims of discrimination.

Facebook defended the practice. "Used responsibly, age-based targeting for employment purposes is an accepted industry practice and for good reason: it helps employers recruit and people of all ages find work," said Rob Goldman, a Facebook vice president.

The revelations come at a time when the unregulated power of the tech companies is under increased scrutiny, and Congress is weighing whether to limit the immunity that it granted to tech companies in 1996 for third-party content on their platforms.

Facebook has argued in court filings that the law, the Communications Decency Act, makes it immune from liability for discriminatory ads.

Although Facebook is a relatively new entrant into the recruiting arena, it is rapidly gaining popularity with employers. Earlier this year, the social network launched a section of its site devoted to job ads. Facebook allows advertisers to select their audience, and then Facebook finds the chosen users with the extensive data it collects about its members.

The use of age targets emerged in a review of data originally compiled by ProPublica readers for a project about political ad placement on Facebook. Many of the ads include a disclosure by Facebook about why the user is seeing the ad, which can be anything from their age to their affinity for folk music.

The precision of Facebook’s ad delivery has helped it dominate an industry once in the hands of print and broadcast outlets. The system, called microtargeting, allows advertisers to reach essentially whomever they prefer, including the people their analysis suggests are the most plausible hires or consumers, lowering the costs and vastly increasing efficiency.

Targeted Facebook ads were an important tool in Russia’s efforts to influence the 2016 election. The social media giant has acknowledged that 126 million people saw Russia-linked content, some of which was aimed at particular demographic groups and regions. Facebook has also come under criticism for the disclosure that it accepted ads aimed at "Jew-haters" as well as housing ads that discriminated by race, gender, disability and other factors.

Other tech companies also offer employers opportunities to discriminate by age. ProPublica bought job ads on Google and LinkedIn that excluded audiences older than 40 — and the ads were instantly approved. Google said it does not prevent advertisers from displaying ads based on the user’s age. After being contacted by ProPublica, LinkedIn changed its system to prevent such targeting in employment ads.

The practice has begun to attract legal challenges. On Wednesday, a class-action complaint alleging age discrimination was filed in federal court in San Francisco on behalf of the Communications Workers of America and its members — as well as all Facebook users 40 or older who may have been denied the chance to learn about job openings. The plaintiffs’ lawyers said the complaint was based on ads for dozens of companies that they had discovered on Facebook.

The database of Facebook ads collected by ProPublica shows how often and precisely employers recruit by age. In a search for “part-time package handlers,” United Parcel Service ran an ad aimed at people 18 to 24. State Farm pitched its hiring promotion to those 19 to 35.

Some companies, including Target, State Farm and UPS, defended their targeting as a part of a broader recruitment strategy that reached candidates of all ages. The group of companies making this case included Facebook itself, which ran career ads on its own platform, many aimed at people 25 to 60. "We completely reject the allegation that these advertisements are discriminatory," said Goldman of Facebook.

After being contacted by ProPublica and the Times, other employers, including Amazon, Northwestern Mutual and the New York City Department of Education, said they had changed or were changing their recruiting strategies.

"We recently audited our recruiting ads on Facebook and discovered some had targeting that was inconsistent with our approach of searching for any candidate over the age of 18," said Nina Lindsey, a spokeswoman for Amazon, which targeted some ads for workers at its distribution centers between the ages of 18 and 50. "We have corrected those ads."

Verizon did not respond to requests for comment.

Several companies argued that targeted recruiting on Facebook was comparable to advertising opportunities in publications like the AARP magazine or Teen Vogue, which are aimed at particular age groups. But this obscures an important distinction. Anyone can buy Teen Vogue and see an ad. Online, however, people outside the targeted age groups can be excluded in ways they will never learn about.

"What happens with Facebook is you don’t know what you don’t know," said David Lopez, a former general counsel for the Equal Employment Opportunity Commission who is one of the lawyers at the firm Outten & Golden bringing the age-discrimination case on behalf of the communication workers union.

‘They Know I’m Dead’

Age discrimination on digital platforms is something that many workers suspect is happening to them, but that is often difficult to prove.

Mark Edelstein, a fitfully employed social-media marketing strategist who is 58 and legally blind, doesn’t pretend to know what he doesn’t know, but he has his suspicions.

Edelstein, who lives in St. Louis, says he never had serious trouble finding a job until he turned 50. “Once you reach your 50s, you may as well be dead,” he said. "I’ve gone into interviews, with my head of gray hair and my receding hairline, and they know I’m dead."

Edelstein spends most of his days scouring sites like LinkedIn and Indeed and pitching hiring managers with personalized appeals. When he scrolled through his Facebook ads on a Wednesday in December, he saw a variety of ads reflecting his interest in social media marketing: ads for the marketing software HubSpot ("15 free infographic templates!") and TripIt, which he used to book a trip to visit his mother in Florida.

What he didn’t see was a single ad for a job in his profession, including one identified by ProPublica that was being shown to younger users: a posting for a social media director job at HubSpot. The company asked that the ad be shown to people aged 27 to 40 who live or were recently living in the United States.

"Hypothetically, had I seen a job for a social media director at HubSpot, even if it involved relocation, I ABSOLUTELY would have applied for it," Edelstein said by email when told about the ad.

A HubSpot spokeswoman, Ellie Botelho, said that the job was posted on many sites, including LinkedIn, The Ladders and Built in Boston, and was open to anyone meeting the qualifications regardless of age or any other demographic characteristic.

She added that “the use of the targeted age-range selection on the Facebook ad was frankly a mistake on our part given our lack of experience using that platform for job postings and not a feature we will use again.”

For his part, Edelstein says he understands why marketers wouldn’t want to target ads at him: "It doesn’t surprise me a bit. Why would they want a 58-year-old white guy who’s disabled?"

Looking for ’Younger Blood’

Although LinkedIn is the leading online recruitment platform, according to an annual survey by SourceCon, an industry website, Facebook is rapidly increasing in popularity with employers.

One reason is that Facebook’s sheer size — two billion monthly active users, versus LinkedIn’s 530 million total members — gives recruiters access to types of workers they can’t find elsewhere.

Consider nurses, whom hospitals are desperate to hire. “They’re less likely to use LinkedIn,” said Josh Rock, a recruiter at a large hospital system in Minnesota who has expertise in digital media. "Nurses are predominantly female, there’s a larger volume of Facebook users. That’s what they use."

There are also millions of hourly workers who have never visited LinkedIn, and may not even have a résumé, but who check Facebook obsessively.

Deb Andrychuk, chief executive of the Arland Group, which helps employers place recruitment ads, said clients sometimes asked her firm to target ads by age, saying they needed “to start bringing younger blood” into their organizations. “It’s not necessarily that we wouldn’t take someone older,” these clients say, according to Andrychuk, “but if you could bring in a younger set of applicants, it would definitely work out better.”

Andrychuk said that “we coach clients to be open and not discriminate” and that after being contacted by The Times, her team updated all their ads to ensure they didn’t exclude any age groups.

But some companies contend that there are permissible reasons to filter audiences by age, as with an ad for entry-level analyst positions at Goldman Sachs that was distributed to people 18 to 64. A Goldman Sachs spokesman, Andrew Williams, said showing it to people above that age range would have wasted money: roughly 25 percent of those who typically click on the firm’s untargeted ads are 65 or older, but people that age almost never apply for the analyst job.

"We welcome and actively recruit applicants of all ages," Williams said. "For some of our social-media ads, we look to get the content to the people most likely to be interested, but do not exclude anyone from our recruiting activity."

Pauline Kim, a professor of employment law at Washington University in St. Louis, said the Age Discrimination in Employment Act, unlike the federal anti-discrimination statute that covers race and gender, allows an employer to take into account “reasonable factors” that may be highly correlated with the protected characteristic, such as cost, as long as they don’t rely on the characteristic explicitly.

The Question of Liability

In various ways, Facebook and LinkedIn have acknowledged at least a modest obligation to police their ad platforms against abuse.

Earlier this year, Facebook said it would require advertisers to "self-certify" that their housing, employment and credit ads were compliant with anti-discrimination laws, but that it would not block marketers from purchasing age-restricted ads.

Still, Facebook didn’t promise to monitor those certifications for accuracy. And Facebook said the self-certification system, announced in February, was still being rolled out to all advertisers.

LinkedIn, in response to inquiries by ProPublica, added a self-certification step that prevents employers from using age ranges once they confirm that they are placing an employment ad.

With these efforts evolving, legal experts say it is unclear how much liability the tech platforms could have. Some civil rights laws, like the Fair Housing Act, explicitly require publishers to assume liability for discriminatory ads.

But the Age Discrimination in Employment Act assigns liability only to employers or employment agencies, like recruiters and advertising firms.

The lawsuit filed against Facebook on behalf of the communications workers argues that the company essentially plays the role of an employment agency — collecting and providing data that helps employers locate candidates, effectively coordinating with the employer to develop the advertising strategies, informing employers about the performance of the ads, and so forth.

Regardless of whether courts accept that argument, the tech companies could also face liability under certain state or local anti-discrimination statutes. For example, California’s Fair Employment and Housing Act makes it unlawful to "aid, abet, incite, compel or coerce the doing" of discriminatory acts proscribed by the statute.

"They may have an obligation there not to aid and abet an ad that enables discrimination," said Cliff Palefsky, an employment lawyer based in San Francisco.

The question may hinge on Section 230 of the federal Communications Decency Act, which protects internet companies from liability for third-party content.

Tech companies have successfully invoked this law to avoid liability for offensive or criminal content — including sex trafficking, revenge porn and calls for violence against Jews. Facebook is currently arguing in Federal court that Section 230 immunizes it against liability for ad placement that blocks members of certain racial and ethnic groups from seeing the ads.

"Advertisers, not Facebook, are responsible for both the content of their ads and what targeting criteria to use, if any," Facebook argued in its motion to dismiss allegations that its ads violated a host of civil rights laws. The case does not allege age discrimination.

Eric Goldman, professor and co-director of the High Tech Law Institute at the Santa Clara University School of Law, who has written extensively about Section 230, says it is hard to predict how courts would treat Facebook’s age-targeting of employment ads.

Goldman said the law covered the content of ads, and that courts have made clear that Facebook would not be liable for an advertisement in which an employer wrote, say, “no one over 55 need apply.” But it is not clear how the courts would treat Facebook’s offering of age-targeted customization.

According to a federal appellate court decision in a fair-housing case, a platform can be considered to have helped “develop unlawful content” that users play a role in generating, which would negate the immunity.

"Depending on how the targeting is happening, you can make potentially different sorts of arguments about whether or not Google or Facebook or LinkedIn is contributing to the development" of the ad, said Deirdre K. Mulligan, a faculty director of the Berkeley Center for Law and Technology.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


FCC Action To Kill Net Neutrality Will Likely Hurt Public Libraries, The Poor, And The Disabled

Jim Neal, the president of the American Library Association, released a statement condemning the December 14th vote by the Republican-led U.S. Federal Communications Commission (FCC) to kill net neutrality protections for internet users:

"The majority of the FCC has just dealt a blow to equitable access to online information and services which puts libraries, our patrons, and America’s communities at risk... By rolling back essential and enforceable net neutrality protections, the FCC has enabled commercial interests at the expense of the public who depends on the internet as their primary means of information gathering, learning, and communication. We will continue to fight the FCC’s decision and advocate for strong, enforceable net neutrality protections."

The Verge interviewed New York Public Library (NYPL) president Tony Marx, and Greg Cram, the NYPL director of information policy. During 2017, the NYPL provided 3.1 million computer sessions across all branches (using 4,700 computers), plus 3 million wireless sessions. Based upon that activity, Marx said:

"... the simple fact is that the poorest of New York rely on the library as the only place they can go and get free use of computers and free Wi-Fi. It’s one of the reasons why the library is the most visited civic institution in New York. We have also, in recent years, been lending people what we call hot spots, which are Wi-Fi boxes they can take home, typically for a year. That gives them digital access at home — broadband access — which something like 2 million New Yorkers can’t afford and don’t have..."

And, New York City is one of the more prosperous areas of the country. It makes one wonder how citizens in poor or rural areas, or in areas without any public libraries, will manage. Disabled users will also be negatively affected by the FCC vote. Marx explained:

"... the New York Public Library runs the Andrew Heiskell Library for the visually impaired. I believe it is a three-state depository, so it plays a role in getting access in all the ways you described — not just in New York City but way beyond. A lot of that now happens online and it could simply stop working, which means they’re gonna cut people off completely."

Cram explained the wide range of tasks people use the internet for at public libraries:

"Our users depend on the library, and libraries in general, for things like completing homework assignments, locating e-government resources, e-government services, accessing oral histories and primary source materials. Things that are resource-intensive like video and audio and image collections are dependent on a free and open internet. Also things like applying and interviewing for jobs. More and more jobs involve a first round of interviews that are done over the internet. If we have to put things in the slow lane, we’re worried about those interview services being downgraded."

"Slow lanes" are one of about five possible consequences of the FCC decision to kill net neutrality. Marx summarized the concerns of many library managers:

"We live in a world where access to information is essential for opportunity, for learning, for success, for civic life, for checking facts. Anything that reduces that, particularly for people who can’t afford alternatives, is a body blow to the basic democratic principles that the library stands for. Whether people or the library are shoved to the slow lane, and/or forced to pay to be in the fast lane with resources that are already stretched thin, is really sort of shocking. To put it sort of bluntly, the FCC should be defending communications."

Basically, internet access is a utility like water or electricity; something corporate providers have long denied and fought. Everyone needs and uses broadband internet. What are your opinions?


The Limitations And Issues With Facial Recognition Software

We've all seen television shows where police technicians use facial recognition software to swiftly and accurately identify suspects, or catch the bad guys. How accurate is that? An article in The Guardian newspaper discussed the promises, limitations, and issues with facial recognition software used by law enforcement:

"The software, which has taken an expanding role among law enforcement agencies in the US over the last several years, has been mired in controversy because of its effect on people of color. Experts fear that the new technology may actually be hurting the communities the police claims they are trying to protect... "It’s considered an imperfect biometric," said Clare Garvie, who in 2016 created a study on facial recognition software, published by the Center on Privacy and Technology at Georgetown Law, called The Perpetual Line-Up. "There’s no consensus in the scientific community that it provides a positive identification of somebody"... [Garvie's] report found that black individuals, as with so many aspects of the justice system, were the most likely to be scrutinized by facial recognition software in cases. It also suggested that software was most likely to be incorrect when used on black individuals – a finding corroborated by the FBI's own research. This combination, which is making Lynch’s and other black Americans’ lives excruciatingly difficult, is born from another race issue that has become a subject of national discourse: the lack of diversity in the technology sector... According to a 2011 study by the National Institute of Standards and Technologies (Nist), facial recognition software is actually more accurate on Asian faces when it’s created by firms in Asian countries, suggesting that who makes the software strongly affects how it works... Law enforcement agencies often don’t review their software to check for baked-in racial bias – and there aren’t laws or regulations forcing them to."


Facebook to Temporarily Block Advertisers From Excluding Audiences by Race

[Editor's note: today's guest blog post, by the reporters at ProPublica, discusses advertising practices by both Facebook, a popular social networking site, and some advertisers using the site. Today's post is reprinted with permission.]

By Julia Angwin, ProPublica

Facebook said it would temporarily stop advertisers from being able to exclude viewers by race while it studies the use of its ad targeting system.

“Until we can better ensure that our tools will not be used inappropriately, we are disabling the option that permits advertisers to exclude multicultural affinity segments from the audience for their ads,” Facebook’s Sheryl Sandberg wrote in a letter to the Congressional Black Caucus.

ProPublica disclosed last week that Facebook was still allowing advertisers to buy housing ads that excluded audiences by race, despite its promises earlier this year to reject such ads. ProPublica also found that Facebook was not asking housing advertisers that blocked other sensitive audience categories — by religion, gender, or disability — to “self-certify” that their ads were compliant with anti-discrimination laws.

Under the Fair Housing Act of 1968, it’s illegal “to make, print, or publish, or cause to be made, printed, or published any notice, statement, or advertisement, with respect to the sale or rental of a dwelling that indicates any preference, limitation, or discrimination based on race, color, religion, sex, handicap, familial status, or national origin.” Violators face tens of thousands of dollars in fines.

In her letter, Sandberg said the company will examine how advertisers are using its exclusion tool — “focusing particularly on potentially sensitive segments” such as ads that exclude LGBTQ communities or people with disabilities. “During this review, no advertisers will be able to create ads that exclude multicultural affinity groups,” Facebook Vice President Rob Goldman said in an e-mailed statement.

Goldman said the results of the audit would be shared with “groups focused on discrimination in ads,” and that Facebook would work with them to identify further improvements and publish the steps it will take.

Sandberg’s letter to the Congressional Black Caucus is the outgrowth of a dialogue that has been ongoing since last year when ProPublica published its first article revealing Facebook was allowing advertisers to exclude people with an “ethnic affinity” for various minority groups, including African Americans, Asian Americans and Hispanics, from viewing their ads.

At that time, four members of the Congressional Black Caucus reached out to Facebook for an explanation. “This is in direct violation of the Fair Housing Act of 1968, and it is our strong desire to see Facebook address this issue immediately,” wrote the lawmakers.

The U.S. Department of Housing and Urban Development, which enforces the nation’s fair housing laws, opened an inquiry into Facebook’s practices.

But in February, Facebook said it had solved the problem — by building an algorithm that would allow it to spot and reject housing, employment and credit ads that discriminated using racial categories. For audiences not selected by race, Facebook said it would require advertisers to “self-certify” that their ads were compliant with the law.

HUD closed its inquiry. But last week, ProPublica successfully purchased dozens of racist, sexist and otherwise discriminatory ads for a fictional housing company advertising a rental. None of the ads were rejected and none required a self-certification. Facebook said it was a “technical failure” and vowed to fix the problem.

U.S. Rep. Robin Kelly, D-Ill., said that Facebook’s actions to disable the feature are “an appropriate action.” “When I first raised this issue with Facebook, I was disappointed. When it became necessary to raise the issue again, I was irritated,” she said. “I will continue watching this issue very closely to ensure these issues do not raise again.”



Security Researchers Announce Another Method To Defeat Apple Face ID

You may remember, earlier this year Apple launched its iPhone X with Face ID feature for users to unlock their phones:

"Your face is now your password. Face ID is a secure and private new way to unlock, authenticate, and pay... Face ID is enabled by the TrueDepth camera and is simple to set up. It projects and analyzes more than 30,000 invisible dots to create a precise depth map of your face."

Like it or not, there is no security system for your smartphone that can't be defeated. Mashable reported yesterday that security researchers have found another method to defeat Face ID:

"The same Vietnamese team that managed to trick Face ID with an elaborately constructed mask now says it has found a way to create a replicated face capable of unlocking Apple's latest and greatest biometric using a series of surreptitiously snagged photographs. Apple has copped to the fact that Face ID, for all its technical prowess, isn't perfect. It can be tricked by twins. For

The Bkav researchers explained in a blog post how their crude mask defeated Face ID:

"Bkav used a 3D mask (which costs ~200 USD), made of stone powder, with glued 2D images of the eyes. Bkav experts found out that stone powder can replace paper tape (used in previous mask) to trick Face ID' AI at higher scores. The eyes are printed infrared images – the same technology that Face ID itself uses to detect facial image. These materials and tools are casual for anyone. An iPhone X has its highest security options enabled, then has the owner's face enrolled to set up Face ID, then is immediately put in front of the mask, iPhone X is unlocked immediately. There is absolutely no learning of Face ID with the new mask in this experiment."

The same blog post also explained how a three-dimensional model can defeat Face ID:

"Bkav researchers said that making 3D model is very simple. A person can be secretly taken photos in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object.

It can be said that, until now, Fingerprint is still the most secure biometric technology. Collecting a fingerprint is much harder than taking photos from a distance. Meanwhile, just by taking photos from a distance to create 3D objects as mentioned above, both Apple's Face ID and Samsung's Iris Scanner can be bypassed easily."

Experts advise consumers to continue using passcodes, especially for online banking apps. And high-value targets (e.g., senior corporate executives, government officials, politicians, attorneys, etc.) probably shouldn't use facial recognition features to unlock their mobile devices.

I guess that 3-D models will provide law enforcement (and spy agencies) with new ways to use their archived collections of facial images. The Guardian reported earlier this year:

"Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people."

What do you think?


Uber: Data Breach Affected 57 Million Users. Some Say A Post Breach Coverup, Too

Uber is in the news again. And not in a good way. The popular ride-sharing service experienced a data breach affecting 57 million users. While many companies experience data breaches, regulators say Uber went further and tried to cover it up.

First, details about the data breach. Bloomberg reported:

"Hackers stole the personal data of 57 million customers and drivers... Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers..."

Second, details about the coverup:

"... the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers... At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet."

Geez. Not tell regulators about a breach? Not tell affected users? 48 states have data breach notification laws requiring various levels of notifications. Consumers need notice in order to take action to protect themselves and their sensitive personal and payment information.

Third, Uber executives learned about the breach soon thereafter:

"Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Kalanick declined to comment on the hack."

Reportedly, breach victims with stolen driver's license information will be offered free credit monitoring and identity theft services. Uber said that no Social Security numbers or credit card information were stolen during the breach, but one wonders if Uber and its executives can be trusted.

The company has a long history of sketchy behavior including the 'Greyball' worldwide program by executives to thwart code enforcement inspections by governments, dozens of employees fired or investigated for sexual harassment, a lawsuit describing how the company's mobile app allegedly scammed both riders and drivers, and privacy abuses with the 'God View' tool. TechCrunch reported that Uber:

"... reached a settlement with [New York State Attorney General] Schneiderman’s office in January 2016 over its abuse of private data in a rider-tracking system known as “God View” and its failure to disclose a previous data breach that took place in September 2014 in a timely manner."

Several regulators are investigating Uber's latest breach and alleged coverup. CNet reported:

"The New York State Attorney General has opened an investigation into the incident, which Uber made public Tuesday. Officials for Connecticut, Illinois and Massachusetts also confirmed they're investigating the hack. The New Mexico Attorney General sent Uber a letter asking for details of the hack and how the company responded. What's more, Uber appears to have broken a promise made in a Federal Trade Commission settlement not to mislead users about data privacy and security, a legal expert says... In addition to its agreement with the FTC, Uber is required to follow laws in New York and 47 other states that mandate companies to tell people when their drivers' license numbers are breached. Uber acknowledged Tuesday it had a legal requirement to disclose the breach."

The Financial Times reported that the U.K. Information Commissioner's Office is investigating the incident, along with the National Crime Agency and the National Cyber Security Centre. New data protection rules will go into effect in May 2018 which will require companies to notify regulators within 72 hours of a cyber attack, or incur fines of up to 20 million euros or 4 percent of annual global revenues.

Let's summarize the incident. It seems that a few months after settling a lawsuit about a data breach and its data security practices, the company had another data breach, paid the hackers to keep quiet about the breach and what they stole, and then allegedly chose not to tell affected users nor regulators about it, as required by prior settlement agreements, breach laws in most states, and breach laws in some international areas. Geez. What chutzpah!

What are your opinions of the incident? Can Uber and its executives be trusted?


Some U.S. Hospitals Don’t Put Americans First for Liver Transplants

[Editor's note: today's guest blog post, by the reporters at ProPublica, discusses a largely unknown practice by some hospitals in the health care industry. Is this practice right? Ethical? Today's post is reprinted with permission.]

By Charles Ornstein, ProPublica

Earlier this fall, a leader of the busiest hospital for organ transplants in New York state — where livers are particularly scarce — pleaded for fairer treatment for ailing New Yorkers.

“Patients in equal need of a liver transplant should not have to wait and suffer differently because of the U.S. state where they reside,” wrote Dr. Herbert Pardes, former chief executive and now executive vice president of the board at NewYork-Presbyterian Hospital.

But Pardes left out his hospital’s own contribution to the shortage: From 2013 to 2016, it gave 20 livers to foreign nationals who came to the United States solely for a transplant — essentially exporting the organs and removing them from the pool available to New Yorkers.

That represented 5.2 percent of the hospital’s liver transplants during that time, one of the highest ratios in the country.

Little known to the public, or to sick patients and their families, organs donated domestically are sometimes given to patients flying in from other countries, who often pay a premium. Some hospitals even seek out foreign patients in need of a transplant. A Saudi Arabian company, Ansaq Medical Co., whose stated aim is to “facilitate the procedures and mechanisms of ‘medical tourism,’” said it signed an agreement with Ochsner Medical Center in New Orleans in 2015.

The practice is legal, and foreign nationals must wait their turn for an organ in the same way as domestic patients. Transplant centers justify it on medical and humanitarian grounds. But at a time when President Donald Trump is espousing an “America First” policy and seeking to ban visitors and refugees from certain countries, allocating domestic organs to foreigners may run counter to the national mood.

Even beyond the realm of health care, some are questioning whether foreigners should be able to access limited spots that might otherwise be available to U.S. citizens. For instance, public colleges compensate for reductions in state funding by accepting more foreign students paying higher tuition, and critics say in-state students are being denied opportunities as a result.

Dr. Sander Florman, director of the transplant institute at the Mount Sinai Hospital in New York, said he struggles with “in essence, selling the organs we do have to foreign nationals with bushels of money.”

Mount Sinai has not performed any transplants on patients who came to this country specifically for that purpose, but it has done so for international patients here for other reasons.

Between 2013 and 2016, 252 foreigners came to the U.S. purely to receive livers at American hospitals. In 2016, the most recent year for which data is available, the majority of foreign recipients were from countries in the Middle East, including Saudi Arabia, Kuwait, Israel and United Arab Emirates. Another 100 foreigners staying in the U.S. as non-residents also received livers.

All the while, more than 14,000 people, nearly all of them American citizens, are waiting for liver transplants, a figure that has remained stubbornly high for decades. By comparison, fewer than 8,000 liver transplants were performed last year in the United States — and that was an all-time high. The national median wait time for a liver is more than 14 months, and in states like New York, the wait is far longer. (The wait for livers varies from one state to the next, depending on such factors as the number of organ donors, and the resourcefulness of organ procurement agencies.)

Many patients die before reaching the front of the line. In 2016, more than 2,600 patients were removed from waiting lists nationally because they either died or were too sick to receive a liver transplant.

Most transplant centers only serve American citizens or residents, either by happenstance or by design. Foreign transplants are concentrated among a handful of centers, including NewYork-Presbyterian, Memorial Hermann-Texas Medical Center in Houston (31 such transplants from 2013 to 2016), Ochsner (30), and Cleveland Clinic in Ohio (21).

“When you take people from other parts of the world and provide an organ transplant to them rather than someone who’s here, there’s a real cost, there’s a real life that’s lost,” said Jane Hartsock, a visiting assistant professor of medical humanities and health studies at the Indiana University School of Liberal Arts. Hartsock and her colleagues wrote a journal article published last year saying foreigners should be last in line for a transplant.

NewYork-Presbyterian said it does not advertise its transplant program to foreign patients and that the majority of the transplants it performed on foreign nationals traveling to New York for that reason — 11 of the 20 — were on children under 18.

In a statement, the hospital and its academic partner Columbia University said they follow federal guidelines. “We strongly support efforts that aim to address the critical issue of equitable distribution of livers for transplant and are working closely with a wide range of stakeholders to help increase the number of organ donor registrations in New York State.”

A spokeswoman for the Cleveland Clinic, Eileen Sheil, said her hospital does not actively seek out foreign national business and has a “thoughtful and ethical approach that is well within the rules and aligned with our overall mission for taking care of patients.” Ochsner similarly said, “patients seek out Ochsner’s expertise because of our relentless commitment to provide the highest-quality, complex care.” Memorial Hermann did not respond to requests for comment.

To be sure, the proportion of available livers that go to foreigners is tiny — slightly less than 1 percent of liver transplants nationwide from 2013 to 2016. The figure appears to be dropping further in 2017. Even if all recipients were Americans, wait times would still be substantial. Moreover, foreigners queue up on the waitlist like everybody else — although it may be easier for them, since they aren’t rooted in any particular state, to choose a hospital in an area with a shorter wait, such as Ochsner. And some Americans discouraged by the lengthy wait in this country have gone abroad for transplants.

The transplant figures in this article do not include transplants involving living donors, meaning a relative or friend who donates part of his or her liver to a patient. No one interviewed for this story said it is inappropriate for a foreign national to come to the U.S. for a procedure with a living donor.

There’s also an important distinction between giving an organ to a foreigner who happens to be in the U.S. — someone on a student visa or even an undocumented immigrant — and giving one to someone flying over just for surgery. Someone in the first group would be eligible to donate an organ if something happened to them in this country; someone in the latter group would not because livers must be transplanted quickly and there wouldn’t be enough time to ship them.

“If you live in the United States, no matter what your [citizenship] status is, you could potentially be an organ donor if you get hit by a car or something happens to you,” said Dr. Gabriel M. Danovitch, medical director of the kidney and pancreas transplant program at Ronald Reagan UCLA Medical Center, who previously led the UNOS international relations committee. “But if your home is somewhere else, a long way away, there’s no way that you can be a donor or your family or your friends could be donors.

“And in some respects, when you then come to the United States, you are using up a valuable resource that is in great shortage here.”

Foreign patients generally are not entitled to the same discounts as those with private insurance or Medicare, the federal insurance program for seniors and the disabled. In 2015, for instance, the average sticker price for a liver transplant at NewYork-Presbyterian was $371,203, but the average payment for patients in Medicare was less than one-third of that, $112,469, according to data from the Centers for Medicare and Medicaid Services, which runs Medicare. In the case of Saudi Arabia, its embassy in Washington often guarantees payment for patients.

The topic is emerging now because the nation’s transplant leaders will meet next month to consider rewriting the rules governing how livers are distributed, giving programs in New York City, Los Angeles, Chicago and other areas greater access to organs from people who die in nearby regions. The proposal by a committee of the United Network for Organ Sharing, the federal contractor that runs the national transplant system, faces opposition from programs and regions that stand to lose organs. Pardes’ comments were posted in an online comment forum devoted to the proposal, which does not address the issue of transplants for foreigners.

UNOS said it has worked to get better data on foreigners that receive transplants in this country but ultimately, federal law doesn’t prohibit these transplants.

“This is an individual medical decision that the individual transplant hospital makes,” spokesman Joel Newman said. “If we addressed citizenship or residency as a particular reason for whether to accept a patient or not, then that would open up the door to lots of other nonmedical criteria — religion, race, political preference, any number of things that as a community we have decided from an ethical standpoint not to consider.”

UNOS has the authority to ask questions of transplant centers about surgeries on foreign nationals, but Newman said UNOS committees are still trying to figure out what information they would want, and, in any event, the transplant centers don’t have to answer the questions.

The federal rules governing the transplant system, written more than three decades ago, say organ allocation decisions must be based on medical criteria, which would exclude consideration of a person’s nationality or citizenship. While centers can perform as many transplants on foreigners as they want, many programs have tried to keep them below 5 percent of all transplants for each organ type. Until several years ago, 5 percent was the threshold above which UNOS could audit a program. No programs were ever formally audited, and the cutoff was eventually eliminated.

It’s time to revisit the rules, some lawmakers say.

“As a general rule, you’ve got to take care of Americans first as long as you have more demand than supply,” said Sen. John Kennedy, R-La., whose state is home to Ochsner, a leader in transplants for foreign nationals. Kennedy said he would favor curbing transplants for foreigners, while creating a national board that could make exceptions. “But what you don’t want to get into, it seems to me, is subjective areas like well, ‘If this person could live an extra few years, what could they contribute to society?’”

There have been scandals in the past about foreigners and organ transplants. In 2005, a liver transplant center in Los Angeles shut its doors after disclosing that its team had taken a liver that should have gone to a patient at another hospital and instead had implanted it in a Saudi national. The hospital said its staff members falsified documents to cover up the incident.

The University of California, Los Angeles, came under fire in 2008 for performing liver transplants on a powerful Japanese gang boss and other men linked to Japanese gangs, and then receiving donations afterward from at least two of the men. The hospital and its surgeon said they do not make moral judgments about patients.

Further complicating matters is a 2008 document endorsed by transplant organizations around the world, called the Declaration of Istanbul, which seeks to eliminate organ trafficking and reduce transplant tourism internationally. One concern was that patients went to China and received transplants using organs from prisoners. (China said it was stopping the practice in 2015, but experts question whether that has happened.) Another concern was that if a country’s wealthiest or most powerful residents could get transplants overseas, its leaders may not have an incentive to set up a system of their own.

The non-binding declaration also says that there should be a ban on “soliciting, or brokering for the purpose of transplant commercialism, organ trafficking, or transplant tourism.” It was endorsed by UNOS and other national transplant groups.

Former Ochsner employees say they recall Saudi nationals coming for transplants, some wealthy and some not. A New Orleans bar posted a photo on Facebook in 2015 of a young man who brought his mom from Saudi Arabia for a transplant.

Ochsner said in a statement that it was proud of its liver transplant program, which is the nation’s largest. It said that it is willing to accept donated organs that other centers turn down for medical reasons, expanding its ability to help patients while keeping its survival rate high. And it noted that the median waiting time for its patients is only 2.1 months, far below the national median.

“UNOS does not have any restrictions preventing transplant for international patients and they are subject to the same guidelines as domestic patients,” the statement said.

Still, many American candidates for livers don’t make Ochsner’s waiting list. It refused to put Brian “Bubba” Greenlee Jr. on its list right after Christmas in 2015, because of his “poor insight into his drinking and lack of proper social support,” his medical records show. He had cirrhosis and died weeks later at age 45.

His sister, Theresa Greenlee-Jeffers, said Ochsner led her brother to believe that he would get a new liver. Her brother had stopped drinking and she had volunteered to take care of him after a transplant, but then the hospital suddenly reversed course.

“His last Christmas, he was given false hope that he was going to get a transplant. That’s not OK. You don’t play with somebody’s emotions like that,” Greenlee-Jeffers said.

Ochsner did not answer questions about Greenlee’s care but said in its statement, “Not every patient is a candidate for transplant.” It said its criteria are similar to those of other liver transplant centers.

“At Ochsner, we are caregivers, dedicated to providing our patients with high-quality care, improved outcomes and the gift of a second chance at life,” its statement said.

Greenlee-Jeffers wonders if Ochsner excluded her brother and other Americans to make room for foreigners willing to pay more. “It’s not OK,” she said. “We need to take care of our people here at home first. We don’t have enough of this to go around.”



FCC Approved Plan To Allow Telecom Companies To Block Robocalls

Last week, commissioners at the U.S. Federal Communications Commission (FCC) voted to allow telecommunications companies to block automated phone calls, known as robocalls, by scammers.

Unwanted calls, including illegal robocalls, are a leading complaint by consumers. Some experts estimated that consumers in the United States received about 2.4 billion robocalls per month during 2016. Many tools make it cheap and easy for scammers to both make robocalls and to "spoof" -- or hide -- the caller’s true identity (e.g., Caller ID information). The robocalls usually try to trick consumers into revealing sensitive personal and financial information.

The FCC announcement stated that the agency:

"... approved new rules to protect consumers from unwanted robocalls, allowing phone companies to proactively block calls that are likely to be fraudulent because they come from certain types of phone numbers... For example, perpetrators have used IRS phone numbers that don’t dial out to impersonate the tax agency, informing the people who answer that they are calling to collect money owed to the U.S. government. Such calls appear to be legitimate to those who receive them and can result in fraud or identity theft.

To combat these scams, the new rules approved today expressly authorize voice service providers to block robocalls that appear to be from telephone numbers that do not or cannot make outgoing calls... [telecommunications companies] will be allowed to block calls purporting to be from a phone number placed on a “do not originate” list by the number’s subscriber. They will also be allowed to block calls purporting to be from invalid numbers, like those with area codes that don’t exist..."

Neighbor spoofing -- faking a Caller ID number that shares the recipient's own area code and prefix -- is a huge problem and a big part of robocall fraud. FCC Chairman Ajit Pai released a statement, which said:

"... the FCC’s top consumer protection priority is aggressively pursuing the scourge of illegal robocalls.  This Report and Order and Further Notice of Proposed Rulemaking is one more step toward fulfilling that commitment... It is important to stress that today’s action is deregulatory in nature. We aren’t piling more rules upon industry. Instead, we’re providing relief from FCC rules that are having the perverse effect of facilitating unlawful and unwanted robocalls."

Pai's statement failed to mention exactly which rules facilitated unlawful and unwanted robocalls. President Trump appointed Pai as FCC Chairman in January.

While this latest FCC action will help consumers somewhat, it won't stop all robocalls. Why? Consumer Reports explained:

"... that only a small percentage of the calls will end up being blocked. David Frankel, a California-based telecommunications professional who has taken up the fight against robocalls, says his analysis of 3.5 million robocall complaints to the Federal Trade Commission shows that the new rules would block only 10 percent of robocalls, at best. And that would probably last for only a short period, he says, as robocallers no doubt change the techniques they use."
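The two blocking criteria the FCC order describes ("do not originate" numbers and numbers that cannot exist), and the limitation Consumer Reports points out, as an added Python example that is not code from the blog post, the FCC or Consumer Reports. The DNO entries, the sample Caller ID values and the simplified NANP structure rules are constructed assumptions for illustration.

```python
"""Call-screening filter modelled on the two FCC criteria quoted above.

Added example, not code from the blog post, the FCC or Consumer Reports. The
"do not originate" (DNO) entries, the sample caller IDs and the simplified
NANP structure rules below are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Constructed DNO list: numbers a subscriber has registered as never dialling
# out (think of an agency's inbound-only lines that scammers impersonate).
DO_NOT_ORIGINATE: Set[str] = {"2025550100", "2025550101"}

# Ten digits, optionally preceded by the +1 country code, after punctuation is stripped.
NANP_RE = re.compile(r"^(?:\+?1)?(\d{3})(\d{3})(\d{4})$")


@dataclass
class Verdict:
    allowed: bool
    reason: str


def normalize(caller_id: str) -> Optional[str]:
    """Return the 10-digit national number, or None if the Caller ID is not even 10 digits."""
    digits = re.sub(r"[^\d+]", "", caller_id)
    m = NANP_RE.match(digits)
    return "".join(m.groups()) if m else None


def is_valid_nanp(number: str) -> bool:
    """Structural checks only: these catch 'area codes that don't exist', not spoofed real ones.

    Simplified NANP rules used here (an assumption, not an exhaustive numbering plan):
      - area code and exchange must start with 2-9;
      - N9X area codes are reserved for future expansion, so none are assigned;
      - N11 codes are service codes, not area codes.
    """
    area, exchange = number[:3], number[3:6]
    if area[0] in "01" or exchange[0] in "01":
        return False
    if area[1] == "9" or area[1:] == "11":
        return False
    return True


def screen_call(caller_id: str, dno: Set[str] = DO_NOT_ORIGINATE) -> Verdict:
    """Apply the DNO check first (those are real numbers), then the validity check."""
    number = normalize(caller_id)
    if number is None:
        return Verdict(False, "invalid number")
    if number in dno:
        return Verdict(False, "do not originate")
    if not is_valid_nanp(number):
        return Verdict(False, "invalid number")
    # A well-formed number that is not on a DNO list is allowed through, even if
    # it was chosen to look like a neighbour's number: these rules cannot tell.
    return Verdict(True, "allowed")


def screen_batch(caller_ids: Iterable[str], dno: Set[str] = DO_NOT_ORIGINATE) -> Dict[str, int]:
    """Count verdicts by reason, to see how much (or how little) the filter catches."""
    counts: Dict[str, int] = {}
    for cid in caller_ids:
        verdict = screen_call(cid, dno)
        counts[verdict.reason] = counts.get(verdict.reason, 0) + 1
    return counts


# Constructed sample of incoming Caller ID values (not real call records).
SAMPLE_CALLS = [
    "+1 202-555-0100",  # on the DNO list: an inbound-only line being impersonated
    "000-555-0199",     # area code starting with 0 does not exist
    "(190) 555-0123",   # area code starting with 1 does not exist
    "999-555-0123",     # N9X area code: reserved, never assigned
    "617-555-0142",     # valid-looking "neighbour" number: passes
    "617-555-0143",     # another valid-looking number: passes
]

if __name__ == "__main__":
    for cid in SAMPLE_CALLS:
        v = screen_call(cid)
        print(f"{cid:18} {'ALLOW' if v.allowed else 'BLOCK':5} ({v.reason})")
    print(screen_batch(SAMPLE_CALLS))
```

Four of the six constructed calls are blocked, but the two that pass are exactly the kind of valid-looking spoofed numbers that make up most neighbor-spoofing traffic, which is why the rule alone stops only a fraction of robocalls.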

Commissioner Clyburn acknowledged these limitations in her comments accompanying the FCC's announcement. Kudos to the agency for trying to help consumers. Hopefully, the FCC will do more for consumers, especially since the agency under Chairman Pai's leadership has already hurt consumers by revoking broadband privacy rules, lowering broadband standards, and moving to overturn net neutrality protections for consumers.

A final FCC vote to kill net neutrality is expected on December 14. Consumers want to decide how to use their high-speed internet connections to visit the sites they want to visit. Killing net neutrality would prevent this and allow internet service providers to create higher-cost "fast lanes" to some websites with "paid prioritization." That would be great for telecommunications companies' profits and bad for consumers: price increases, and internet bills as complicated and convoluted as cable TV bills.

Chairman Pai seems intent upon pleasing his corporate overlords while doing little to help consumers.


Do Social Media Pose Threats To Democracies?

The November 4th issue of The Economist magazine discussed whether social networking sites threaten democracy in the United States and elsewhere. Social media were supposed to better connect us with accurate and reliable information. What we know so far (links added):

"... Facebook acknowledged that before and after last year’s American election, between January 2015 and August this year, 146m users may have seen Russian misinformation on its platform. Google’s YouTube admitted to 1,108 Russian-linked videos and Twitter to 36,746 accounts. Far from bringing enlightenment, social media have been spreading poison. Russia’s trouble-making is only the start. From South Africa to Spain, politics is getting uglier... by spreading untruth and outrage, corroding voters’ judgment and aggravating partisanship, social media erode the conditions..."

You can browse some of the ads Russia bought on Facebook during 2016. (Hopefully, you weren't tricked by any of them.) We also know from this United Press International (UPI) report about social media companies' testimony before Congress:

"Senator Patrick Leahy (D-Vt) said Facebook still has many pages that appear to have been created by the Internet Research Agency, a pro-Kremlin group that bought advertising during the campaign. Senator Al Franken (D-Minn.) said some Russian-backed advertisers even paid for the ads in Russian currency.

"How could you not connect those two dots?" he asked Facebook general counsel Colin Stretch. "It's a signal we should have been alert to and, in hindsight, one we missed," Stretch answered."

And during the Congressional testimony:

"Google attorney Richard Salgado said his company's platform is not a newspaper, which has legal responsibilities different from technology platforms. "We are not a newspaper. We are a platform that shares information," he said. "This is a platform from which news can be read from many sources."

Separate from the Congressional testimony, Kent Walker, a Senior Vice President and General Counsel at Google, released a statement which read in part:

"... like other internet platforms, we have found some evidence of efforts to misuse our platforms during the 2016 U.S. election by actors linked to the Internet Research Agency in Russia... We have been conducting a thorough investigation related to the U.S. election across our products drawing on the work of our information security team, research into misinformation campaigns from our teams, and leads provided by other companies. Today, we are sharing results from that investigation... We will be launching several new initiatives to provide more transparency and enhance security, which we also detail in these information sheets: what we found, steps against phishing and hacking, and our work going forward..."

This matters greatly. Why? The Economist explained that the disinformation distributed via social media and other websites:

"... aggravates the politics of contempt that took hold, in the United States at least, in the 1990s. Because different sides see different facts, they share no empirical basis for reaching a compromise. Because each side hears time and again that the other lot are good for nothing but lying, bad faith and slander, the system has even less room for empathy. Because people are sucked into a maelstrom of pettiness, scandal and outrage, they lose sight of what matters for the society they share. This tends to discredit the compromises and subtleties of liberal democracy, and to boost the politicians who feed off conspiracy and nativism..."

When citizens (via their elected representatives) can't agree nor compromise, then government gridlock results. Nothing gets done. Frustration builds among voters.

What solutions could fix these problems? The Economist article discussed several remedies: better critical-thinking skills by social media users, holding social-media companies accountable, more transparency around ads, better fact checking, anti-trust actions, and/or disallowing bots (automated accounts). It will take time for social media users to improve their critical-thinking skills. Considerations about fact checking:

"When Facebook farms out items to independent outfits for fact-checking, the evidence that it moderates behavior is mixed. Moreover, politics is not like other kinds of speech; it is dangerous to ask a handful of big firms to deem what is healthy for society."

Considerations about anti-trust actions:

"Breaking up social-media giants might make sense in antitrust terms, but it would not help with political speech—indeed, by multiplying the number of platforms, it could make the industry harder to manage."

All of the solutions have advantages and disadvantages. It seems the problems will be with us for a long while. Social media has been abused... and will continue to be abused. Comments? What solutions do you think would be best?


Considerations For Consumers Affected By The Equifax Breach

Earlier this month, Discover sent me a replacement credit card. The letter with the replacement card stated:

"Notice of Data Breach
What happened: we recently learned your Discover card account might have been part of a data breach. Please know, this breach did not involve Discover card systems.
What we are doing to resolve: we are issuing you a new card with a new account number, security code, and expiration date to reduce the possibility of fraud on your account... So as a safety precaution, we are issuing you a new card to protect your Discover card account information from being misused"

Good. I like the proactive protection, and hope that the retailer absorbed the costs of replacement cards for all affected consumers like me. However, the letter from Discover didn't identify the retailer. I called Discover's customer service hotline. The phone representative wouldn't identify the retailer, either. I'd shopped at four retail stores during the past month, and assumed it was one of them. It wasn't.

On Saturday, I received via postal mail a breach notification letter from Equifax dated October 23, 2017:

"We are writing with regard to the cybersecurity incident Equifax announced on September 7, 2017. At Equifax, our priorities with regard to this incident are transparency and continuing to provide timely, reassuring support to every consumer. You are receiving this letter because the credit or debit card number used to pay for a freeze service, credit score, or disclosure of your Equifax credit file was accessed. We have no evidence that your credit file itself was accessed."

So, confirmation that it was Equifax's fault. What to make of this? Keep reading.

First, thanks Equifax for the postal mail notice. However, this isn't timely communication. Why? Equifax considers its September 7th press release timely communication. How many consumers read Equifax press releases? Did you? My guess: most don't.

Thankfully, I read online newspapers and was aware of the breach soon after Equifax's September 7th announcement. Yet, my postal letter from Equifax arrived seven weeks after its September 7th press release (and almost three months after it first discovered the breach on July 29). This incident is a reminder for consumers not to rely upon postal mail for breach notices. Many states' breach notice laws allow companies to post public notices online on websites and/or in newspaper advertisements. This allows companies to skip (the expense of) mailing individual breach notices via postal mail.

The October 23rd Equifax breach letter also stated:

"On September 7, 2017, Equifax notified U.S. customers of the data security incident, including that 143 million U.S. consumers were impacted. On October 2, 2017, following the completion of the forensic portion of the investigation of the incident, Equifax announced that the review determined that approximately 2.5 million additional U.S. consumers were potentially impacted. Equifax also announced that credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed."

So, I am one of the "lucky" 209,000 consumers in the United States whose payment information was exposed or stolen in addition to other sensitive personal information. Thanks Equifax for failing to protect my sensitive personal -- and payment -- information you are entrusted to protect.

Second, to upgrade earlier this year from slow, antiquated DSL to fiber broadband from Verizon, I used my credit card to pay for a temporary lift of the security freeze on my Equifax credit report. Why did Equifax retain my payment information for this transaction? Why did it retain that payment information in a complete and unencrypted format?

Discover's Frequently Asked Questions page for merchants advises merchants to do the following to protect consumers' highly sensitive payment card information:

"Tips for protecting customer information: a) Truncate all credit card information; b) Avoid storing CID data in your records or within sales data; c) Secure your site; d) Store data securely; e) Protect your data with firewalls; f) Limit authorized use and require passwords; g) Avoid storing customer or credit card information on your web server
Refer to your Merchant Operating Regulations for further card-not-present (CNP) requirements for the submission of sales."

So, it seems that Equifax failed to follow Discover's data security guidelines for merchants. (Browse privacy guidelines for merchants by other card issuers.) I do not have any ongoing services or subscriptions with Equifax, so there seems to be no need for it to retain my full credit card payment information. Not good. I called the Equifax customer service hotline. The phone representative could not explain why Equifax retained my payment information. Not good.

Third, Equifax failed to customize the letter for my situation. In 2008, I placed security freezes on my credit reports at Equifax, Experian, and TransUnion. So, Equifax already knows I have a security freeze in place, and failed to customize the letter accordingly. Rather than explain what applies to customers in my situation, the letter repeated the same general fraud-prevention advice for all consumers: how to contact the FTC, visit annualcreditreport.com for free copies of credit reports, file a police report if a victim of identity theft, place a fraud alert or security freeze on my credit reports for protection, and how to lift/remove an existing security freeze. Not good.

This was fast becoming a crappy customer experience.

Fourth, while on the phone with Equifax's customer service I asked if the TrustedID Premier credit monitoring service it offered would work with the security freezes in place at all three credit reporting agencies. The phone representative said yes, but that the "credit file lock feature" would not work. What's that? According to the Equifax FAQ page:

"What is the difference between a credit file lock and a security freeze?
At their most basic level, both prevent new creditors from accessing your Equifax credit report, unless you give permission or take an action such as removing, unlocking or lifting the freeze or lock. Both a security freeze and a credit file lock help prevent a lender or other creditor from accessing a consumer’s credit report to open unauthorized new accounts.

  • Security freezes were created in the early 2000’s, are subject to regulation by each state and use a PIN based system for authentication.
  • Credit file locks were created more recently, are mobile-enabled and use modern authentication techniques, such as username and passwords and one-time passcodes for better user experience."

So, the "credit file lock" feature is new and different from a security freeze. The new feature allows mobile users to easily and quickly unlock/lock their Equifax credit reports. That seems beneficial for consumers needing frequent and quick access to credit. According to the FAQ page, the new feature will be "free, for life." The above description gives the impression that security freezes are antiquated.

To further understand this new feature, I visited the TrustedID Premier Privacy Policy page, which stated:

"The types of personal information we collect and share depend on the product or service you have with us. This information can include: Social Security number and credit card information; Payment history and transaction history; Credit scores and credit history"

The "depend on the product or service you have" seems vague and broad. Just tell me! Plus, "transaction history" could include geo-location: where you bought something, since some purchases are made at brick-and-mortar retail stores. It could also include when and where you use the "credit file lock" feature. So, even though the policy doesn't explicitly mention geo-location data collection, it seems wise to assume that it does. For the new "credit file lock" feature to work on your phone, it probably needs to know your location -- where you and your phone are.

So, this new feature seems to be a slick way for Equifax to collect (and archive) location data about when, where, the duration, and frequency of consumers' travels in the physical world -- something it couldn't get previously through the traditional security freeze process. Remember, any app on your smartphone can collect location data.

Plus, the "credit file lock" feature won't work with a security freeze in place. According to the customer service representative, consumers need to remove a security freeze for the credit file lock feature to work. This is a new, important wrinkle which consumers must understand in order to make informed decisions.

The representative said it would be free to remove the security freeze on my Equifax credit report in order to use the new feature. I asked if the TrustedID Premier service Equifax offers would work with credit reports from Innovis. The rep said no. The duration of my phone call was long since the representative needed to place me on hold and check with others in order to answer my questions. This did not instill confidence.

Plus, this lengthy question-and-answer page about Equifax's services indicates that many consumers (and perhaps some Equifax customer service representatives) don't fully understand the differences between security freezes, credit file locks, and other service features.

Fifth, the letter from Equifax did not mention any of the new threats nor the additional protection steps consumers must take, both of which you can read about in this October 10th blog post. Even though I've written about privacy, data breaches and credit monitoring for the past 10+ years, like you I find there are new things to learn. It seems that Equifax is hoping that breach victims will take the easy route: enroll in TrustedID Premier -- which is free for now, but will likely cost you later.

Overall, for me it was a crappy post-breach customer experience with Equifax. I expected better -- better data security and better post-breach support. Plenty of news articles have documented the security problems, failures, and post-breach problems with Equifax's breach site.

What are your opinions? What do you think of the new credit file lock feature? If you've used it, share your experience in the comments section below the image.

[Image: overview of features of the TrustedID Premier service]


Security Researcher Finds Unprotected Voter Files Online Affecting Up To 1.8 Million Chicagoans

While looking for unprotected data in cloud storage services, a security researcher found unprotected information for as many as 1.8 million voters in Chicago. CBS Chicago reported:

"It was Friday Aug. 11 in Silicon Valley. John Hendren, a marketing representative for IT security firm UpGuard, was looking for insecure data in the cloud. He randomly plugged in "Chicago … db," for “Chicago database,” and hit the jackpot. He found names, addresses, birth dates, driver’s license numbers and the last four digits of Social Security numbers for up to 1.8 million Chicago voters..."

How the breach happened:

"Chicago’s vendor is ES&S, out of Omaha, Nebraska. The company has been paid more than $5 million since 2014 by the Chicago Board of Elections. The company placed the data folder on Amazon Web Services (AWS) with the wrong security settings, Tom Burt, the firm’s CEO, recently told Chicago officials. Burt says managers missed the gaffe, and the database remained online for six months, until UpGuard found it. Company officials say they don’t believe the information ended up on the “dark web” for identity thieves to attain..."

The CBE's breach notice (Adobe PDF) provided a more complete list of the data elements exposed:

"... The personal information contained in the back-up files included voter names, addresses, and dates of birth, and many voters’ driver’s license and State ID numbers and the last four digits of Social Security numbers. Upon discovery of the Incident, ES&S promptly took the AWS server off-line, secured the back-up files, and commenced a forensics investigation. ES&S also hired two specialized third-party vendors to conduct searches to determine whether any personal information stored on the back-up files was available on the Dark Web. The results of ES&S’ investigations have not uncovered any evidence that any voter’s personal information stored on the AWS server was misused..."

This is bad for several reasons. First, the data elements exposed or stolen are enough for cyber criminals to do real damage to breach victims. Second, just because the post-breach investigation didn't find misuse of the data doesn't mean there wasn't any. It simply means they didn't find any misuse.

Third, it would be unwise to assume that the breach wasn't that bad because only the last 4 digits of Social Security numbers were exposed. Security researchers have known for a long time that Social Security numbers are easy to guess:

"... a crook need only figure out where and when you were born--information often easily found on social networking sites like Facebook--to guess your number in as few as 1000 tries... Social Security numbers were never meant to be used for widespread identification. They were conceived solely to track taxes and benefits... Every Social Security number starts with three digits known as an "area number." Smaller states might have only one, whereas New York, for example, has 85. The next two digits are "group numbers," which can be anything from 01-99, but don't correspond to anything specific. The last four digits, the "serial number," are assigned sequentially..."

So, it's long past time to stop using the last four digits of Social Security numbers as identification. Fourth, the incident makes one wonder when -- if ever -- the unprotected data folder would have been discovered by ES&S or CBE, if the security researcher hadn't found it. That's unsettling. It calls into question the security methods and managerial oversight at ES&S.

This isn't the first breach at the Chicago Board of Elections (CBE). A CBE breach in 2012 exposed the sensitive personal information of at least 1,000 voters, after initial reports estimated the number of affected voters at 1.7 million. Before that, the CBE faced several lawsuits in 2007 claiming negligence after:

"... it distributed more than 100 computer disks containing Social Security numbers and other personal data on more than 1.3 million voters to aldermen and ward committee members."

Reportedly, in 2016 foreign cyber criminals hacked the Illinois Board of Elections' voter registration system. A similar attack happened in Arizona. The main takeaway: voter registration databases are high-value targets.

So, strong data security measures and methods seem wise, if not necessary. The latest incident makes one wonder about: a) the data security language and provisions in CBE's outsourcing contract with ES&S, and b) the agency's vendor oversight.

Will Chicago residents demand better data security? I hope so. What do you think?


What We Do and Don’t Know About Facebook’s New Political Ad Transparency Initiative

[Editor's note: today's guest post is by the reporters at ProPublica. It is reprinted with permission.]

The short answer: It leaves the company some wiggle room.

By Julia Angwin, ProPublica

On Thursday September 21, Facebook Chief Executive Mark Zuckerberg announced several steps to make political ads on the world’s largest social network more transparent. The changes follow Facebook’s acknowledgment in September that $100,000 worth of political ads were placed during the 2016 election cycle by “inauthentic accounts” linked to Russia.

The changes also follow ProPublica’s launch of a crowdsourcing effort during September to collect political advertising from Facebook. Our goal was to ensure that political ads on Facebook, which until now have largely avoided scrutiny, receive the same level of fact-checking by journalists, advocacy groups and political opponents as do print, broadcast and radio political ads. We hope to have some results to share soon.

In the meantime, here’s what we do and don’t know about how Facebook’s changes could play out.

How does Facebook plan to increase disclosure of funders of political ads?
In his statement, Zuckerberg said that Facebook will start requiring political advertisers to disclose “which page paid for an ad.”

This is a reversal for Facebook. In 2011, the company argued to the Federal Election Commission that it would be “inconvenient and impracticable” to include disclaimers in political ads because the ads are so small in size.

While the commission was too divided to make a decision on Facebook’s request for an advisory ruling, the deadlock effectively allowed the company to continue omitting disclosures. (The commission has just reopened discussion of whether to require disclosure for internet advertising).

Now Facebook appears to have dropped its objections to adding disclosures. However, the problem with Facebook’s plan of only revealing which page purchased the ad is that the source of the money behind the page is not always clear.

What is Facebook doing to make political ads more transparent to the public?
Zuckerberg also said that Facebook will start to require political advertisers to place on their pages all the ads they are “currently running to any audience on Facebook.”

This requirement could mean the end of the so-called “dark posts” on Facebook — political ads whose origins were not easily traced. Now, theoretically, each Facebook political ad would be associated with and published on a Facebook page — either for candidates, political action committees or interest groups.

However, the word “currently” suggests that such disclosure could be fleeting. After all, ads can run on Facebook for as little as a few minutes or a few hours. And since campaigns can run dozens, hundreds or even thousands of variations of a single ad — to test which one gets the best response — it will be interesting to see whether and how they manage to display all those ads on their pages simultaneously.

“It would require a lot of vigilance on the part of users and voters to be on those pages at the exact time” that campaigns posted all of their ads, said Brendan Fischer, a lawyer at the Campaign Legal Center, a campaign finance reform watchdog group.

How will Facebook decide which ads are political?
It’s not clear how Facebook will decide which ads are political and which aren’t. There are several existing definitions they could choose from.

The Federal Communications Commission defines political advertising as anything that “communicates a message relating to any political matter of national importance,” but those rules only apply to television and radio broadcasters. FCC rules require extensive disclosure, including the amount paid for the ads, the audiences targeted and how many times the ads run.

The Federal Election Commission has traditionally defined two major types of campaign ads. “Independent expenditures” are ads that expressly advocate the election or defeat of a “clearly identified candidate.” A slightly broader definition, “electioneering communications,” encompasses so-called “issue ads” that mention a candidate but may not directly advocate for his or her election or defeat.

The FEC only requires spending on electioneering ads to be disclosed in the 60 days leading up to a general election or the 30 days leading up to a primary election. And the electioneering communications rule does not apply to online advertising.

Of course, Facebook doesn’t have to choose any of the existing definitions of political advertising. It could do what it did with hate speech — and make up its own rules.

How will Facebook catch future political ads secretly placed by foreigners?
The law prohibits a foreign national from making any contribution or expenditure in any U.S. election. That means that Russians who bought the ads may have broken the law, but it also means that any American who “knowingly provided substantial assistance” may also have broken the law.

In mid-September, when Facebook disclosed the Russian ad purchase, the company said it was increasing its technical efforts to identify fake and inauthentic pages and to prevent them from running ads.

Zuckerberg said the company would “strengthen our ad review process for political ads” but didn’t specify exactly how. (Separately, Facebook Chief Operating Officer Sheryl Sandberg said in September that the company is adding more human review to its ad-buying categories, after ProPublica revealed that it allowed advertisers to target ads toward “Jew haters.”)

Zuckerberg also said Facebook will work with other tech companies and governments to share information about online risks during elections.

Will ProPublica continue crowd-sourcing Facebook political ads?
Yes, we plan to keep using our tool to monitor political advertising. In September, we worked with news outlets in Germany — Spiegel Online, Süddeutsche Zeitung and Tagesschau — to collect more than 600 political ads during the parliamentary elections.

We believe there is value to creating a permanent database of political ads that can be inspected by the public, and we intend to track whether Facebook lives up to its promises. If you want to help us, download our tool for Firefox or Chrome web browsers.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Equifax Reported 15.2 Million Records Of U.K. Persons Exposed

Yesterday, Equifax's United Kingdom (UK) unit released a press release about the credit reporting agency's massive data breach and the number of breach victims. A portion of the statement:

"It has always been Equifax’s intention to write to those consumers whose information had been illegally compromised, but it would have been inappropriate and irresponsible of us to do so before we had absolute clarity on what data had been accessed. Following the completion of an independent investigation into the attack, and with agreement from appropriate investigatory authorities, Equifax has begun corresponding with affected consumers.

We would like to take this opportunity to emphasize that Equifax correspondence will never ask consumers for money or cite personal details to seek financial information, and if they receive such correspondence they should not respond. For security reasons, we will not be making any outbound telephone calls to consumers. However, customers can call our Freephone number on 0800 587 1584 for more information.

Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test data-sets, duplicates and spurious fields... we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post... The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed."

Below is the tabular information of risk categories from the Equifax UK announcement:

Consumer group: 12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed

Consumer group: 14,961 consumers who had portions of their Equifax.co.uk membership details, such as username, password, secret questions and answers and partial credit card details, from 2014 accessed

Consumer group: 29,188 consumers who had their driving license number accessed

Remedial action (for the three groups above): We will offer Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third party organizations will also be offered at no cost to consumers. In addition to the services set out above, further information will be outlined in the correspondence.

Consumer group: 637,430 consumers who had their phone numbers accessed

Remedial action: Consumers who had a phone number accessed will be offered a leading identity monitoring service for free.

Some observations seem warranted.

First, the announcement was vague about whether the 15.2 million U.K. persons affected were included in the prior breach total, or were in addition to the prior total. Second, the U.K. unit will send written breach notices to all affected consumers via postal mail, while the U.S. unit refused. The U.K. unit did the right thing, so its consumers are not confused by, and do not have to access, a hastily built website to find out whether they were affected.

Third, given the data elements stolen, some U.K. breach victims are vulnerable to the same additional frauds and threats as breach victims in the USA.

Kudos to the Equifax U.K. unit for the postal breach notices and for clearly stating the above risk categories.


Without Fanfare, Equifax Makes Bankruptcy Change That Affects Hundreds of Thousands

[Editor's note: today's guest post, by the reporters at ProPublica, highlights how credit reporting agencies treat certain information contained in consumers' credit reports. It is reprinted with permission.]

By Paul Kiel, ProPublica

For what appears to be decades, the credit rating agency Equifax has quietly layered three more years of tarnish on the credit histories of hundreds of thousands of people who had filed for bankruptcy under Chapter 13.

While its competitors, TransUnion and Experian, placed a flag on such histories for seven years, Equifax left it on the reports of Chapter 13 filers who failed to complete their bankruptcy plans for 10.

After ProPublica asked about the difference in its policy, the company said it now leaves the flag on for seven years, but refused to say when and why the change was made.

The consequences of Equifax’s harsher policy were likely life-changing for some unlucky people. As Experian warns consumers on its website, “having a bankruptcy in your credit history will seriously affect your ability to obtain credit for as long as it remains on your report. It can also affect your ability to qualify for things like an apartment, utilities, and even employment. Even car insurance rates may be affected.” Without knowing why, consumers could have been turned down for apartments because landlords checked their Equifax report rather than those from Experian or TransUnion.

Why Equifax’s policy was different is unclear and the company would not address it. But that such a discrepancy had gone unnoticed and unaddressed for so long underscores how lightly regulated the industry is.

ProPublica contacted all of the major credit agencies earlier this year as part of our ongoing series on consumer bankruptcy. The policies of TransUnion and Experian were similar: People who filed under Chapter 7, which wipes out most debts, would have a flag on their report for 10 years; those who filed under Chapter 13, which usually involves five years of payments before debts are forgiven, would have a flag for seven.

Equifax had the same Chapter 7 policy. But the company had a key difference in its policy for Chapter 13 filers: Those who were unable to complete their five years of payments and had their cases dismissed were saddled with a flag for three additional years.

This difference had the potential for widespread impact. About half of Chapter 13 cases are dismissed, usually because debtors fall behind on payments. From 2008 through 2010, 574,000 Chapter 13 cases were filed and subsequently dismissed, according to our analysis of filings. Under Equifax’s policy of keeping the flag on for 10 years, all those debtors would have a flag on their Equifax report through the end of 2017, but not on their TransUnion and Experian histories.

“It’s a problem, because you have a disparate treatment of debtors depending on which credit rating agency is reporting,” said Tara Twomey, an attorney with the National Consumer Law Center. “We really need consistent credit reporting for this system to work.”

Equifax’s policy also disproportionately affected black consumers, because, as our analysis showed, black debtors are more likely than whites to choose Chapter 13 and have their cases dismissed.

ProPublica wrote the company again in July, prior to its recent disclosure that its records had been hacked, laying out the potential impact of its policy on consumers and asking why it differed from competitors. In an email, Equifax spokeswoman Nancy Bistritz-Balkan wrote that the company had “recently modified the length of time for how long a dismissed Chapter 13 bankruptcy remains on file.” Under the new policy, she wrote, “Equifax removes the flag for a Chapter 13 bankruptcy after seven years, regardless of outcome.”

She would not say what “recently” meant, only saying, “The change we referenced was not implemented after we received your inquiry.” As to why Equifax made the change, she wrote, “At this time, I do not have additional details about how the change was made.”

It might seem puzzling that such a meaningful policy is not governed by law. While some aspects of credit reporting are, others are simply decided among the agencies themselves. Bankruptcy is a mix of the two. Under the Fair Credit Reporting Act, the longest a bankruptcy can stay on someone’s credit report is 10 years. The credit rating agencies have voluntarily decided to treat Chapter 13 cases differently because Chapter 13 typically involves the repayment of some debt, while Chapter 7 does not. Bistritz-Balkan made a point of saying that Equifax’s previous policy had been legal.

Initially, Chapter 7 and Chapter 13 have a similar effect on debtors’ credit scores, one that diminishes over time. Bankruptcy is a negative mark on a debtor’s history, but that doesn’t mean that declaring bankruptcy will invariably damage someone’s credit score. In fact, research shows that most people who declare bankruptcy actually see their score rise in the following months. That’s because the typical score is so low that the negative effect of the bankruptcy is outweighed by the positive effect of wiping out debt.

According to Zachary Anderson, a spokesman for FICO, the median FICO score for consumers who declared bankruptcy between October 2009 and October 2010, when filings peaked during the Great Recession, was 558 — lower than all but 20 percent of consumers with a credit score.

A recent analysis of credit files by Paul Goldsmith-Pinkham, an economist with the Federal Reserve Bank of New York, shows how scores change before and after bankruptcy. In the months prior to filing, as consumers fall deeper into debt, the average credit score plunges. The analysis, using a credit score generated by Equifax that works similarly to a FICO score, found that the average score fell to a low around 520-530, but recovered sharply over the next 6 months, then gradually increased thereafter.

[Chart: Average Credit Scores Plunge Before Bankruptcy, Rise After]

The next noticeable bump was seven or 10 years later, depending on the chapter, when the bankruptcy flags were removed. Consumers’ credit scores then jumped by about 10 points.

The consumers with the lowest credit scores, the analysis found, were those who had their Chapter 13 cases dismissed. That would be due, in part, to the fact that they tend to be disproportionately low-income and black, two groups with lower credit scores on average.

As we showed in our story about bankruptcy in Memphis, where Chapter 13 dismissals are incredibly common, these debtors can find themselves worse off for having tried bankruptcy. They might be even further behind on their debts after their cases are dismissed, making it harder to re-establish their credit. The effect of a dismissal lasts for years. At the very least, Equifax’s change in how it handles Chapter 13s means that the shadow cast by a past bankruptcy isn’t quite as long.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Why The IRS Gave Equifax A No-Bid Contract Extension

You've probably heard the news. The Internal Revenue Service (IRS) gave a no-bid contract to Equifax, even after knowing about the credit reporting agency's massive data breach and arguably lackadaisical data security approaches by management.

Why would the IRS do this? The contract's synopsis in the Federal Business Opportunities (FBO) site stated on September 30:

"This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service. A sole source order is required to cover the timeframe needed to resolve the protest on contract TIRNO-17-Z-00024. This is considered a critical service that cannot lapse."

C/Net explained the decision and sequence of key events:

"The IRS already had enough trouble dealing with tax fraud, losing $5.8 billion to scammers in 2013... The contract, first reported by Politico,... describes the agreement as a "sole source order," calling Equifax's help a "critical service." When it comes to credit monitoring, there are really only three major names in the US: Equifax, Experian and TransUnion. Experian has also suffered a breach... The IRS actually awarded its authentication service contract to another company in July, Jeffrey Tribiano, the agency's deputy commissioner for operations support told members of Congress. Equifax protested losing the contract to the US Government Accountability Office on July 7, according to documents. The office will decide on the protest by October 16. Until then, the IRS could not move onto its new partner. That meant that when the IRS' old contract with Equifax was supposed to expire on Friday (Sept. 29), Tribiano said, millions of Americans would not have been able to verify their identity with the agency for more than two weeks."

Wow! So, the IRS was caught between a rock and a hard place... or "caught between a rock and a hacked place," as C/Net described it. Apparently, consumers and taxpayers are caught there too.

Once again, another mess involving Equifax gives consumers that "I've been mugged" feeling.