
Equifax Data Breach: 11 Reasons Why It Is Worse Than You Think

Equifax, one of the three major credit reporting agencies, announced on September 7 a massive data breach in which criminals accessed the company's computer systems. How bad is it? It is instructive to analyze the text of Equifax's breach announcement:

"... a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed."

First, this is huge. Do the math: 143 million persons is about 44 percent of the United States population of 325 million on July 4, 2017. So, almost half of the population was affected. Not good. But, there's more to this than size.

Second, the announcement stated "approximately." So, the true number could be lower or higher. The vagueness suggests that Equifax doesn't really know exactly how many consumers were affected. Not good. And, other details support this assumption that Equifax really doesn't know.

Third, the announcement stated "accessed." During the 10+ years I've written this blog, I've read dozens or hundreds of breach announcements. Many use this term. While the term may accurately describe what Equifax knows, it also can be misleading. Criminals don't access companies' systems simply to window-shop or read files. They access systems to download and steal valuable information they can either use to make money or resell to others. It's what online criminals do.

Fourth, the data elements "accessed" (read: stolen) allow criminals to do a lot of damage. That might include: a) obtaining fraudulent loans or credit in breach victims' names; b) impersonating breach victims (it's called pretexting) to access online accounts; c) with online access, withdrawing money from victims' bank accounts; and much more. With online access, criminals can change passwords and take over victims' accounts, effectively locking out the victims.

Fifth, the breach investigation isn't finished:

"Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks."

The announcement didn't state when Equifax expected the investigation to be finished. Days? Weeks? Months? Not good.

Equifax hired an outside, independent technology firm to investigate its breach. That's what companies usually do during their post-breach response. This tiny bit of good news is quickly overshadowed by the bad. Without a completed breach investigation, Equifax can't really know whether the breach was caused by a technical systems problem, employee error, management oversight lapses, a sloppy or incompetent subcontractor, something else, or a combination of items. Only after a completed breach investigation can Equifax implement one or several fixes so this won't happen again. Not good.

Sixth, without knowing how criminals accessed its systems, Equifax also can't know with certainty what data elements about consumers were stolen. More data elements could have been stolen, perhaps entire credit reports. Not good.

Seventh, it seems that Equifax's intrusion detection systems failed. Just look at the timeline. The breach started in mid-May and Equifax discovered it near the end of July. So, criminals had at least two full months to steal whatever they could find. Not good. Plus, after discovering the breach, Equifax took another five weeks to announce it. Why the delays? The breach announcement doesn't explain why. Not good.

Eighth, Equifax seems to take shortcuts with its breach notification:

"Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."

Setting up a website to convey breach updates to consumers is a good thing, but using the site to notify consumers about the breach is not good for two reasons: a) the site requires consumers to enter many of the same sensitive, valuable data elements criminals want to steal; and b) it forces consumers to trust that the breach site is secure, when we know that the breach investigation is incomplete. This is a breach notification failure.

In the 10+ years I've written this blog, I've seen that trustworthy companies notify breach victims via postal mail. Why won't Equifax notify all breach victims directly via postal mail? It has consumers' residential addresses in its databases. (That is a benefit for its lending customers.) So, a lack of data is not an excuse. Plus, the credit reporting agency is willing to notify some consumers directly:

"In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted."

Rather than notify all breach victims directly, Equifax seems to want to take shortcuts. Maybe it is to save money, laziness, or poor decisions by its executives. The announcement doesn't explain why, so consumers are left to draw their own conclusions. Not good.

Ninth, technologists have questioned the security of Equifax's new breach site. Ars Technica reported:

"... the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details..."

Reportedly, the domain name registration problem was fixed on Sunday. Still, Equifax's post-breach response appears amateurish. Meanwhile, data security problems persisted in its main website. According to Ars Technica:

"... in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So, Equifax hasn't completed its breach investigation, doesn't know how its systems were hacked, has vulnerabilities in its main site, but wants consumers to trust that its breach site is secure. Not good.

Tenth, the Equifax announcement promoted its credit monitoring service (emphasis added):

"Equifax has established a dedicated website... to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year."

One year? Are Equifax executives serious? Stolen consumers' credentials don't magically lose value after one year. Criminals will use stolen credentials (e.g., name, address, Social Security Number, birth date, etc.) as long as they can. Criminals will resell stolen data to other criminals as long as the data has value. In my opinion, Equifax should provide complimentary lifetime credit monitoring to all breach victims.

Why lifetime? Because the data elements "accessed" (read: stolen) have ongoing value. The cynical part of me wonders if some finance executives have done the math. As long as credit reporting agency executives believe that one year of free credit monitoring will appease breach victims, it's cheaper to pay that cost (plus a few out-of-court settlements) than to implement more robust data security.

Eleventh, there is a history of questionable decisions by Equifax executives. In 2007, it paid a $2.7 million fine for violating federal credit laws. In 2009, it paid a $65,000 fine to the state of Indiana for violating the state's security freeze law. In 2012, Equifax and some of its customers paid $1.6 million to settle allegations of improper list sales. Earlier this year, Equifax and TransUnion paid $23.1 million to settle allegations of deceptive advertising about credit scores.

This history provides some context to news reports that three Equifax executives sold about $1.8 million in stock after the breach was discovered and before the public breach announcement. Equifax stock fell about 13 percent after the breach announcement. The company said on Thursday that these executives didn't know about the intrusion when they sold shares. Even if true, the optics of this look absolutely terrible.

The whole sordid affair should be a reminder to consumers that we are the product. Credit reporting agencies' true customers are lenders - the companies that lend money and make loans to consumers. Equifax makes its money selling credit reports to lenders.

What to make of this? I see several considerations for consumers:

  1. Assume the worst. Every time you hear or read the word "accessed" by Equifax, replace it with "stolen." Then, make your data security decisions accordingly.
  2. If you don't trust the security of Equifax's breach site, then call the company instead via the hotline listed in the breach announcement (preferably using a landline phone) to see if you are affected.
  3. Carefully consider the advantages and disadvantages of Equifax's offer of free credit monitoring and identity theft protection. Equifax has been criticized for forcing arbitration on consumers who accept the free credit monitoring offer. In a September 11th update on its breach site, Equifax reversed course and said the arbitration clause and class-action waiver don't apply in this incident. Regardless, read the fine print before signing up. They may try to re-insert it later. If you don't know what it is, learn about arbitration. A variety of companies have inserted these clauses into their user agreements and policies. You'll need to learn about arbitration anyway in order to make informed purchase decisions about other products and services.
  4. If you don't need credit, consider a Security Freeze to lock down your Equifax credit reports. Then, Equifax can't sell your credit report to lenders. You can do this at all three major credit reporting agencies. I did this several years ago after a data breach by a former employer. Know that a Security Freeze is not a cure-all, since it won't stop data breaches and it won't stop all forms of identity theft and fraud. To learn more, this blog has plenty of information about credit reporting agencies, credit monitoring services, fraud alerts for your credit reports, and security freezes.
  5. If you dislike Equifax's post-breach response, then contact your elected officials and demand that they pressure Equifax to do the right thing: a) notify all breach victims directly via postal mail; and b) implement better data security.
  6. Equifax's post-breach response makes me question whether the company is really up to the data security task -- its responsibility -- to adequately protect consumers' sensitive information. All credit reporting agencies are high-value targets for criminals. If Equifax's executives didn't understand this before, they should now -- and take actions to demonstrate to consumers that they realize the seriousness of the breach. Words are not enough.
  7. Consumers lack choices. Citizens cannot opt in nor opt out of the data collection by credit reporting agencies. (Consumers can opt out of pre-approved credit offers, but can't opt out of the data collection. There's a difference.) Also, the Equifax breach highlights the hypocrisy of pundits and politicians who object to the mandate within Obamacare (i.e., the Affordable Care Act) legislation -- some called it socialism -- while remaining silent about a similarly socialistic mandate with credit reporting.

While writing a post recently about misdeeds at Wells Fargo, I asked the question: "How much damage can one bank do?" Now, I find myself asking a similar question about Equifax: "How much damage can one company do?" Credit and lending are essential to the United States economy. In my opinion, all credit reporting agencies should have NSA-level data security for their networks and computer systems. The data they archive is that critical.

And: if you can't protect it, don't collect it. It's that simple.

As more issues emerge about this breach, I will address them in subsequent posts. What are your opinions of the Equifax breach? Did you lock down your credit reports with a Security Freeze?


Wells Fargo: 1.4 Million More Fake Accounts Found By Latest Investigation

Just before the long holiday weekend, Wells Fargo Bank announced in an August 31 news release the latest results of a third-party investigation into its retail bank account practices since 2009:

"The original account analysis reviewed 93.5 million current and former customer accounts opened in an approximately four and half year time period – from May 2011 through mid-2015 – and identified approximately 2.1 million potentially unauthorized accounts. The expanded analysis reviewed more than 165 million retail banking accounts opened over a nearly eight-year period – from January 2009 through September 2016 – and identified a new total of approximately 3.5 million potentially unauthorized consumer and small business accounts... In connection with these 3.5 million potentially unauthorized accounts, approximately 190,000 accounts incurred fees and charges, up from 130,000 previously identified accounts that incurred fees and charges, and Wells Fargo will provide a total of $2.8 million in additional refunds and credits on top of the $3.3 million previously refunded as a result of the original account review... a review of online bill pay services, as required by the Sept. 8, 2016, consent orders... the analysis identified approximately 528,000 potentially unauthorized online bill pay enrollments and Wells Fargo will refund $910,000 to customers who incurred fees or charges. "

To summarize: the latest investigation went two years further back in time, found about 1.4 million more phony accounts, found more customers affected by unauthorized bank accounts, and found possibly more phony online bill-pay enrollments. In a settlement agreement last year with the Consumer Financial Protection Bureau (CFPB), Wells Fargo paid a $185 million fine for alleged unlawful sales practices based on the number of phony accounts known at the time.

Of course, the bank tried a different spin in its news release about the investigation's findings:

"... the completion of its previously announced expanded third-party review of retail banking accounts dating back to the beginning of 2009. Combined with a recent class action settlement and ongoing broad customer outreach and complaint resolution, the completion of the analysis further paves the way for making things right for Wells Fargo customers who may have been harmed by unacceptable retail sales practices."

Yeah, right. That sounds like some wayward teenager wanting praise for providing a complete list of damage to the family car, which they had neither permission nor a license to drive in the first place.

Much of Wall Street has seen through the spin. Some financial experts advise investors to sell Wells Fargo shares and buy other banks' shares instead. One of the world's largest fund managers withheld support for three of the bank's directors. Some news headlines focused on the growing estimate of phony accounts uncovered. MSN Money listed reasons why the bank may not survive the growing scandal.

There is plenty of bad news. The Los Angeles Times reported a lawsuit by former bank executives who claimed they were scapegoated and fired earlier this year after reporting unethical sales practices. News reports broke earlier this month about alleged insurance abuses of the bank's auto-loan customers.

Well, we now know more about the bank's retail banking practices. The latest announcement makes one wonder, a) how much damage one bank can do, and b) how many more phony accounts would have been uncovered if the investigation started before 2009. What are your opinions?


Neighbor Spoofing: What It Is And The Best Way To Stop It

A friend recently posted on social media:

"I get five to seven phone calls daily from a 617-388-(random) number. I keep blocking them but new ones keep calling. My number is a 617-388- number. I've called a few back and they're actually people's personal mobile numbers. What is going on?! Anyone know how to stop it?"

This is neighbor spoofing... where robocallers pretend to be neighbors by using familiar-looking phone numbers. NPR explained that neighbor spoofing is:

"... when callers disguise their real phone numbers with a fake phone number that has the same area code and prefix as yours. The idea is you might be more likely to pick up because maybe you're thinking, this call could be my neighbor or my kid's school, someone I know... Even the chairman of the Federal Communications Commission, Ajit Pai, cannot escape... The calls have gotten so aggravating to Pai, he is doubling down and making the fight against spoofers a top priority for the FCC. Robocalls and telemarketers are the No. 1 complaint the agency gets from the public. New technology has made spoofing easier to do and harder to detect. Last year, people received about 2.5 billion robocalls every month...this spring, the FCC started investigating ways to let phone carriers block calls from spoofers..."
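The pattern the friend described (a burst of calls each day from different numbers that all share one's own area code and exchange, with per-number blocking never catching up) can be recognized from a call log. The following is an added example, not part of the original post or of any carrier's software: it normalizes caller IDs in the usual North American formats, compares the NPA-NXX (area code plus exchange) of each caller against the subscriber's own number, and reports days on which several distinct "neighbor" numbers called. The call log, the subscriber number and the threshold are constructed for illustration (the 555-01XX range is reserved for fiction).

```python
"""Detect a 'neighbor spoofing' burst in a call log.

Flags days on which several distinct caller IDs shared the subscriber's own
NPA-NXX (area code + exchange), which is the signature of spoofed robocalls
dressed up to look like a neighbor.
"""
import re
from collections import defaultdict

# Constructed sample call log: "<ISO timestamp> <caller ID as displayed>".
# All numbers are in the fictitious 555-01XX range; none is a real subscriber.
CONSTRUCTED_LOG = """\
2017-08-14T09:02:11 617-555-0142
2017-08-14T10:15:40 (617) 555-0177
2017-08-14T11:48:03 +1 617 555 0191
2017-08-14T13:20:55 617-555-0105
2017-08-14T16:05:09 617-555-0163
2017-08-14T12:00:00 781-555-0150
2017-08-15T08:30:00 617-555-0199
"""

# Constructed subscriber number (the "you" whose prefix the spoofers copy).
OWN_NUMBER = "617-555-0123"


def normalize_nanp(raw):
    """Reduce a displayed caller ID to 10 NANP digits, or None if it isn't one.

    Accepts '617-555-0142', '(617) 555-0142', '+1 617 555 0142', etc.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):  # strip country code
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def npa_nxx(number10):
    """Area code + exchange, the part neighbor spoofers copy from your number."""
    return number10[:6]


def parse_log(text):
    """Yield (date, normalized number) pairs, skipping unparseable lines."""
    calls = []
    for line in text.splitlines():
        timestamp, _, caller = line.partition(" ")
        number = normalize_nanp(caller)
        if number:
            calls.append((timestamp[:10], number))  # keep only the date
    return calls


def flag_neighbor_spoofing(log_text, own_number, daily_threshold=3):
    """Return (flagged_days, suspect_numbers).

    flagged_days maps a date to the count of distinct callers sharing the
    subscriber's NPA-NXX when that count reaches daily_threshold.
    suspect_numbers is the sorted list of those callers across flagged days.
    """
    own = normalize_nanp(own_number)
    prefix = npa_nxx(own)
    neighbors_per_day = defaultdict(set)
    for date, number in parse_log(log_text):
        if number != own and npa_nxx(number) == prefix:
            neighbors_per_day[date].add(number)
    flagged = {d: len(s) for d, s in neighbors_per_day.items() if len(s) >= daily_threshold}
    suspects = sorted(set().union(*(neighbors_per_day[d] for d in flagged))) if flagged else []
    return flagged, suspects


if __name__ == "__main__":
    days, numbers = flag_neighbor_spoofing(CONSTRUCTED_LOG, OWN_NUMBER)
    for day, count in sorted(days.items()):
        print(f"{day}: {count} distinct callers from your own exchange")
    print("suspect caller IDs:", numbers)
```

Because the displayed numbers are borrowed from real subscribers (the friend called some back and reached ordinary people), the output is best used to trigger a prefix-level screening rule or a complaint to the carrier, not a permanent block list of the individual numbers.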

The best solution is a system where phone companies authenticate callers. That would stop or block neighbor spoofing. Until then, the FCC is using deterrence. Back in June, the FCC proposed a $120 million fine against a habitual robocall scammer, Adrian Abramovich, based in Florida:

"Over the course of several years, Abramovich's companies disrupted emergency services, bilked vulnerable consumers out of thousands of dollars and hurt legitimate businesses, the FCC contends... TripAdvisor was deluged by consumer complaints about robocalls that the company had not initiated or authorized. After conducting an internal investigation, TripAdvisor determined that the offending calls were linked to a Mexican hotel and resort chain that had contracted with Abramovich for advertising services."

Consumers interested in something they could do now might consider Nomorobo, which works (landline or mobile) with many service providers. Users of Apple and Android phones might investigate Hiya. Windows and BlackBerry phone users can check the CTIA Wireless Association's guide for free (or low-cost) mobile apps to block robocalls.

Robocalls from schools, physicians, airlines, and law enforcement are helpful, while robocalls from scammers aren't. The best solution -- true authentication -- can't come fast enough. Consumers and businesses are suffering.

While I don't wish anything bad on anyone, I am happy that FCC Chairman Pai is also directly feeling the pain. Perhaps, now he knows how consumers feel. The loss of broadband privacy and Pai's push to kill net neutrality annoy consumers almost as much as neighbor spoofing.


Despite Disavowals, Leading Tech Companies Help Extremist Sites Monetize Hate

[Editor's note: today's guest post, by reporters at ProPublica, explores how hate sites maintain an online presence. It is reprinted with permission.]

By Julia Angwin, Jeff Larson, Madeleine Varner and Lauren Kirchner. ProPublica

Because of its "extreme hostility toward Muslims," the website Jihadwatch.org is considered an active hate group by the Southern Poverty Law Center and the Anti-Defamation League. The views of the site's director, Robert Spencer, on Islam led the British Home Office to ban him from entering the country in 2013.

But its designation as a hate site hasn't stopped tech companies -- including PayPal, Amazon and Newsmax -- from maintaining partnerships with Jihad Watch that help to sustain it financially. PayPal facilitates donations to the site. Newsmax -- the online news network run by President Donald Trump's close friend Chris Ruddy -- pays Jihad Watch in return for users clicking on its headlines. Until recently, Amazon allowed Jihad Watch to participate in a program that promised a cut of any book sales that the site generated. All three companies have policies that say they don't do business with hate groups.

Jihad Watch is one of many sites that monetize their extremist views through relationships with technology companies. ProPublica surveyed the most visited websites of groups designated as extremist by either the SPLC or the Anti-Defamation League. We found that more than half of them -- 39 out of 69 -- made money from ads, donations or other revenue streams facilitated by technology companies. At least 10 tech companies played a role directly or indirectly in supporting these sites.

Traditionally, tech companies have justified such relationships by contending that it's not their role to censor the Internet or to discourage legitimate political expression. Also, their management wasn't necessarily aware that they were doing business with hate sites because tech services tend to be automated and based on algorithms tied to demographics.

In the wake of last week's violent protest by alt-right groups in Charlottesville, more tech companies have disavowed relationships with extremist groups. During just the last week, six of the sites on our list were shut down. Even the web services company Cloudflare, which had long defended its laissez-faire approach to political expression, finally ended its relationship with the neo-Nazi site The Daily Stormer last week.

"I can't recall a time where the tech industry was so in step in their response to hate on their platforms," said Oren Segal, director of the ADL's Center on Extremism. "Stopping financial support to hate sites seems like a win-win for everyone."

But ProPublica's findings indicate that some tech companies with anti-hate policies may have failed to establish the monitoring processes needed to weed out hate sites. PayPal, the payment processor, has a policy against working with sites that use its service for "the promotion of hate, violence, [or] racial intolerance." Yet it was by far the top tech provider to the hate sites with donation links on 23 sites, or about one-third of those surveyed by ProPublica. In response to ProPublica's inquiries, PayPal spokesman Justin Higgs said in a statement that the company "strives to conscientiously assess activity and review accounts reported to us."

After Charlottesville, PayPal stopped accepting payments or donations for several high-profile white nationalist groups that participated in the march. It posted a statement that it would remain "vigilant on hate, violence & intolerance." It addresses each case individually, and "strives to navigate the balance between freedom of expression" and the "limiting and closing" of hate sites, it said.

After being contacted by ProPublica, Newsmax said it was unaware that the three sites that it had relationships with were considered hateful. "We will review the content of these sites and make any necessary changes after that review," said Andy Brown, chief operating officer of Newsmax.

Amazon spokeswoman Angie Newman said the company had previously removed Jihad Watch and three other sites identified by ProPublica from its program sharing revenue for book sales, which is called Amazon Associates. When ProPublica pointed out that the sites still carried working links to the program, she said that it was their responsibility to remove the code. "They are no longer paid as an Associate regardless of what links are on their site once we remove them from the Associates Program," she said.

Where to set the boundaries between hate speech and legitimate advocacy for perspectives on the edge of the political spectrum, and who should set them, are complex and difficult questions. Like other media outlets, we relied in part on the Southern Poverty Law Center's public list of "Active Hate Groups 2016." This list is controversial in some circles, with critics questioning whether the SPLC is too quick to brand organizations on the right as hate groups.

Still, the center does provide detailed explanations for many of its designations. For instance, the SPLC documents its decision to include the Family Research Council by citing the evangelical lobbying group's promotion of discredited science and unsubstantiated attacks on gay and lesbian people. We also consulted a list from ADL, which is not public and that was provided to us for research purposes. See our methodology here.

The sites that we identified from the ADL and SPLC lists vehemently denied that they are hate sites.

"It is not hateful, racist or extremist to oppose jihad terror," said Spencer, the director of Jihad Watch. He added that the true extremism was displayed by groups that seek to censor the Internet and that by asking questions about the tech platforms on his site, we were "aiding and abetting a quintessentially fascist enterprise."

Spencer made these comments in response to questions emailed by ProPublica reporter Lauren Kirchner. Afterwards, Spencer posted an item on Jihad Watch alleging that "leftist 'journalist'" Kirchner had threatened the site. He also posted Kirchner's photo and email, as well as his correspondence with her. After being contacted by ProPublica, another anti-Islam activist, Pamela Geller, also posted an attack on Kirchner, calling her a "senior reporting troll." Like Spencer, Geller was banned by the British Home Office; her eponymous site is on the SPLC and ADL lists.

Donations -- and the ability to accept them online through PayPal and similar companies -- are a lifeline for sites like Jihad Watch. In 2015, the nonprofit website disclosed that three quarters of its roughly $100,000 in revenues came from donations, according to publicly available tax records.

In recent weeks, PayPal has been working to shut down donations to extremist sites. This week, it pulled the plug on VDARE.com, an anti-immigration website designated as "white nationalist" by the SPLC and as a hate site by the ADL. VDARE, which denies being white nationalist, immediately switched to its backup system, Stripe.

Stripe, a private company recently described by Bloomberg Businessweek as a $9 billion startup, is unusual in not having a policy against working with hate sites. It does, however, prohibit financial transactions that support drugs, pornography and "psychic services." Stripe provided donation links for 10 sites, second only to PayPal on our list. Stripe did not respond to a request for comment.

VDARE editor Peter Brimelow declared on his site that the PayPal shutdown was likely part of a purge by the "authoritarian Communist Left to punish anyone who disagrees with their anti-American violence against patriotic people." He urged his readers to donate through other channels such as Bitcoins. "We need your help desperately," he wrote. "We must have the resources to defend ourselves and our people."

In 2015, VDARE received nearly all of its revenue -- $267,038 out of total $293,663 -- from donations, according to publicly available tax return forms that the Internal Revenue Service requires nonprofits to disclose.

Brimelow did not respond to our questions, instead characterizing ProPublica as the "Totalitarian Left."

Some sites also supplement their donations with revenue from online advertising. For instance, SonsofLibertyMedia.com, which is on the SPLC list, generated about 10 percent of its revenue -- $37,828 -- from advertising in 2015, according to its tax documents.

The site, which describes itself as promoting a "Judeo-Christian ethic," and recently posted an article declaring that a black activist protesting Confederate statues needed "a serious beat down," does not appear to attract advertisers directly.

Instead, Sons of Liberty benefits from a type of ad-piggybacking arrangement that is becoming more common in the tech industry. The website runs sponsored news articles from a company called Taboola, which shares ad revenues with it. Known for being at the forefront of "click-bait," Taboola places links on websites to articles about celebrities and popular culture.

Taboola's policy prohibits working with sites that have "politically religious agendas" or use hate speech. "We strive to ensure the safety of our network but from time to time, unfortunately, mistakes can happen," said Taboola spokeswoman Dana Miller. "We will ask our Content Policy group to review this site again and take action if needed."

Sons of Liberty founder Bradlee Dean said that he forwarded our questions to his attorney. The lawyer did not respond.

Hate sites can initiate relationships with tech companies with little scrutiny.

Any website can fill out an online form asking to join, for instance, Amazon's network, and often can get approved instantly. Once a website has joined a tech network, it can quickly start earning money through advertising, donations, or content farms such as Taboola that share ad revenues with websites that distribute their articles.

Some companies, such as Newsmax, say that joining their ad network requires explicit prior approval.

But, according to a former Newsmax employee, the only criterion for this approval was whether traffic to the site reached a minimum threshold. There was no content review. Salespeople were told to be aggressive in signing up publishing partners.

"We'd put our news feed on anybody's page, anyone who was willing to listen," he said, "it's about email addresses, it's about marketing, they don't care about ultra conservative or left wing."

Dylann Roof frequented a website described by the SPLC as "white nationalist." He said in a manifesto posted online that finding the website was a turning point in his life. He went on to murder nine African-American churchgoers in Charleston, South Carolina, in 2015. That year, USA Today found Newsmax ads on the site.

They no longer appear there.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

 


'Map Your Orgasm' - A New Smart Device For Women

Recently, Mashable reported about a new smart device for women:

"The Lioness looks like a pretty standard vibrator on the outside, but inside it has four sensors that measure temperature, the force of muscle contractions, and track the movement of the device. When you’re done with your session, you can sync the Lioness with its app (available for iOS and Android). It then provides you with easy-to-read visualization of what was happening to your body while you were busy getting off. So, yes, essentially it gives you a map of your orgasm. You can also tag each session with different terms so you can track how your health, sleep, alcohol consumption, mood, etc. affect your experiences."

Gives you a map of your orgasm? That's a surprising description. Perhaps I shouldn't have been surprised. First, there were online tools such as "map my ride" and "map my run." Good stuff to help consumers stay healthy. I guess a tool resembling 'map your orgasm' was bound to happen.

Lioness sounds like a much better product name. To learn more, I visited the Lioness site. The home page featured this statement: "Don't worry, we will never share your email or spam you." That's a good start.

Privacy is important; especially with smart devices which collect intimate data about consumers. Earlier this year, news reports described a plan by a smart-device maker to resell the interior home maps its robovacs created. And, another smart vibrator maker paid hefty fines to settle allegations that it tracked users without their knowledge or consent.

A wise person once said, "the devil is in the details." The privacy policy in a company's website is a good place to hunt for details. While blogging about privacy and identity theft during the last 10 years, I've read plenty of privacy policies. Plenty. I read the Lioness Privacy Policy (dated May 1) and found some notable sections:

"This Privacy Policy applies to our vibrators and other devices (“Devices”), our websites, including but not limited to lioness.io (individually a “Site” and collectively “Sites”), the Lioness software (“Software”) and Lioness mobile applications (the “Apps”). The Devices, Sites, Software and Apps are collectively referred to in this Policy as the “Lioness Service,” and by proceeding to use the Lioness Service you consent that we may handle the data that we collect from you in accordance with this Privacy Policy."

Pretty standard stuff so far. Warning: I'm not an attorney. If you want legal advice, hire an attorney. Like you, I'm just a regular consumer trying to understand smart devices while maintaining as much privacy as possible. Additional sections in the policy I found interesting:

"Sync Your Device
When you sync your Device through an App or the Software, data recorded on your Device is transferred from your Device to our servers. This data is stored and used to provide the Lioness Service and is associated with your account. Each time a sync occurs, we log data about the transmission. Some examples of the log data are the sync time and date, device battery level, and the IP address used when syncing."

Let's unpack that. The vibrator and its mobile app record the date, time, and battery usage, plus the IP address used for each sync. Combine this with data collected from the four sensors and Lioness will know plenty about your usage: when (date and time), location, duration, preferred movement patterns, and more. It indeed could create a map. More sections in the policy:

"WHY WE COLLECT DATA
Lioness uses your data to provide you with the best experience possible, to help you learn about your body, and to improve and protect the Lioness Service. Here are some examples: i) Contact information is used to send you notifications and to inform you about new features or products... ii) Data and logs are used in research to understand and improve the Lioness Device and Lioness Service; to troubleshoot the Lioness Service; to detect and protect against error, fraud or other criminal activity; and to enforce the Lioness Terms of Service; iii) Aggregate data that does not identify you may be used to inform the health community about trends; for marketing and promotional use..."

"Data That Could Identify You
Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you."

Hmmm. The policy does not list all data elements that personally identify you. For me, that's important to know. And, anything recorded on a smartphone can easily be linked to a person using her 10-digit phone number or the mobile device's serial number.

Informed shoppers probably want to know before purchase which other companies (e.g., business partners, affiliates, advertisers, etc.) Lioness shares data with. Its May 1, 2017 privacy policy also states:

"... companies that are contractually engaged in providing Lioness with services, such as order fulfillment, email management and credit card processing. These companies are obligated by contract to safeguard any PII they receive from us..."

"THIRD PARTIES
Lioness will not be responsible for the practices of third parties that Lioness does not own or control or individuals that Lioness does not employ or manage. The information provided by you to other third parties may be subject to their own privacy policies, which may differ from Lioness’s privacy policy. The Lioness Service may contain links to other sites, and we make every effort to only link to sites that share our high standards and respect for privacy. However, we are not responsible for the privacy practices employed by other sites..."

"DATA RETENTION
Lioness reserves the right to retain your PII for as long as your account remains active..."

So, the policy doesn't mention other companies by name. Not good. That makes it tough for consumers to make informed decisions.

[Image: Fitness tracking with the MapMyRide app]

On Facebook, many of my friends regularly share visual maps of their workouts. (See example on right.) That's their freedom of choice. So, some consumers are probably wondering if Lioness offers a similar share function. Again from the privacy policy:

"Community Posts
The Lioness Service may offer discussion forums, message boards, social networking opportunities, chat pages and other public forums or features in which you may provide personal information, materials and related content. If you submit personal information when using these public features, please note that such personal information may be publicly posted and otherwise disclosed and used without limitation or restriction."

So, the policy doesn't mention literal maps, per se. They might or might not provide the feature to users. The key takeaway: the responsibility rests upon the user. Don't share it if you don't want it made public.

It's probably helpful to also know that the product uses Bluetooth technology to perform data syncing. From the Lioness FAQ page:

"Wait...will there be bluetooth in my vagina?
Nope. We know that there are a lot of people who don’t like the idea of bluetooth being on while in use, so we made it so bluetooth automatically turns off when you use it."

Also, the FAQ page mentioned:

"Is my data stored securely and kept confidential?
Absolutely. We thought about privacy and security from the beginning for this product. You are the only one who can access your individual data. Everything is encrypted and we fully anonymize the data..."

That's good, but the privacy policy didn't mention data encryption. I expected it would. Not sure what to make of that.

Is the Lioness a good deal? Only you can decide for yourself -- and you should after reading both the privacy and terms-of-service policies.

Me? In my opinion, there seems to be too much wiggle-room for data sharing. The policy contains a lot of words and nothing special compared to other policies I've read. What are your opinions?


Bungled Software Update Renders Customers' Smart Door Locks Inoperable

[Image: Lockstate RemoteLock 6i device]

A bungled software update by Lockstate, maker of WiFi-enabled door locks, rendered many customers' locks inoperable -- or "bricked." Lockstate notified affected customers in this letter:

"Dear Lockstate Customer,
We notified you earlier today of a potential issue with your LS6i lock. We are sorry to inform you about some unfortunate news. Your lock is among a small subset of locks that had a fatal error rendering it inoperable. After a software update was sent to your lock, it failed to reconnect to our web service making a remote fix impossible...

Many Airbnb operators use smart locks by Lockstate to secure their properties. On its website, Lockstate promotes the LS6i lock as:

"... perfect for your rental property, home or office use. This robust WiFi enabled door lock allows users to lock or unlock doors remotely, know when people unlock your door, and even receive text alerts when codes are used. Issue new codes or delete codes from your computer or phone. Even give temporary codes to guests or office personnel."

Reportedly, about 200 Airbnb customers were affected. The company said 500 locks were affected. Ars Technica explained how the bungled software update happened:

"The failure occurred last Monday when LockState mistakenly sent some 6i lock models a firmware update developed for 7i locks. The update left earlier 6i models unable to be locked and no longer able to receive over-the-air updates."

Some affected customers shared their frustrations on the company's Twitter page. Lockstate said the affected locks can still be operated with physical keys. While that is helpful, it isn't a solution since customers rely upon the remote features. Affected customers have two repair options: 1) return the back portion of the lock (repair time about 5 to 7 days), or 2) request a replacement (response time about 14 to 18 days).

The whole situation seems to be another reminder of the limitations when companies design smart devices that depend on over-the-air firmware updates for their security fixes: a bad update can leave the device unable to receive the fix for it. And, a better disclosure letter by Lockstate would have explained the corrections to internal systems and managerial processes, so this doesn't happen again during another software update.
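The Ars Technica description above points at the safeguards a device-side updater needs: verify that an image is authentic and built for this hardware model before flashing it, and keep the previous image so a failed post-update health check (here, "can the lock reach the web service again?") can roll back instead of bricking the device. The following is an added example written for this post, not Lockstate's firmware or update service. The model names "6i" and "7i" come from the quote; the signing key, the image contents and the rule that an image only reconnects on the model it was built for are constructed for the simulation.

```python
"""Illustrative firmware-update flow for a connected lock.

Added example, not Lockstate's code. An image is applied only if it is
authentic and built for this hardware model, and a failed post-update
health check rolls back to the previous image.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed key for the example. A real device would verify a vendor
# signature with an embedded public key; HMAC stands in so this runs offline.
SIGNING_KEY = b"constructed-vendor-key"


@dataclass(frozen=True)
class FirmwareImage:
    model: str      # hardware model the image was built for, e.g. "6i"
    version: str
    payload: bytes
    tag: bytes      # HMAC over model, version and payload


def _message(model: str, version: str, payload: bytes) -> bytes:
    # Model and version are covered by the tag so they cannot be relabelled.
    return model.encode() + b"\0" + version.encode() + b"\0" + payload


def build_image(model: str, version: str, payload: bytes) -> FirmwareImage:
    """Vendor side: produce a tagged image for one hardware model."""
    tag = hmac.new(SIGNING_KEY, _message(model, version, payload), hashlib.sha256).digest()
    return FirmwareImage(model, version, payload, tag)


def is_authentic(img: FirmwareImage) -> bool:
    """Device side: recompute the tag and compare in constant time."""
    expected = hmac.new(SIGNING_KEY, _message(img.model, img.version, img.payload),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, img.tag)


@dataclass
class Lock:
    model: str
    active: FirmwareImage
    check_model: bool = True      # refuse images built for another model
    keep_fallback: bool = True    # A/B slots: keep the previous image for rollback
    fallback: Optional[FirmwareImage] = None
    log: list = field(default_factory=list)

    def can_reach_service(self) -> bool:
        """Post-update health check. Constructed rule for the example: an
        image reconnects only when it was built for the model running it."""
        return self.active.model == self.model

    def apply_update(self, img: FirmwareImage) -> bool:
        if not is_authentic(img):
            self.log.append("rejected: image tag does not verify")
            return False
        if self.check_model and img.model != self.model:
            self.log.append(f"rejected: image is for model {img.model}, device is {self.model}")
            return False
        previous = self.active
        self.active = img
        if self.keep_fallback:
            self.fallback = previous
        if self.can_reach_service():
            self.log.append(f"updated to {img.version} ({img.model})")
            return True
        # The new image cannot reach the service, so no remote fix is possible.
        if self.fallback is not None:
            self.active, self.fallback = self.fallback, None
            self.log.append("rolled back to previous image after failed health check")
        else:
            self.log.append("bricked: no fallback image and service unreachable")
        return False


def simulate() -> dict:
    """Push a 7i image to three 6i locks with different safeguards and
    report which locks can still reach the service afterwards."""
    base = build_image("6i", "1.0", b"6i-firmware-v1")      # constructed payloads
    wrong = build_image("7i", "2.0", b"7i-firmware-v2")
    locks = {
        "no safeguards": Lock("6i", base, check_model=False, keep_fallback=False),
        "model check": Lock("6i", base),
        "rollback only": Lock("6i", base, check_model=False),
    }
    for lock in locks.values():
        lock.apply_update(wrong)
    return {name: lock.can_reach_service() for name, lock in locks.items()}


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {'reachable' if ok else 'unreachable'}")
```

Only the lock with no safeguards ends up unreachable; the model check refuses the mismatched image outright, and the rollback-only lock takes the bad image but recovers because it still holds the previous one. Either safeguard alone would have kept a remote fix possible; together they also cover the case where an image passes the model check but fails for another reason.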

What are your opinions?


$5.5 Million Settlement Agreement Between Nationwide Insurance And 32 States

[Image: Nationwide Mutual Insurance Company logo]

Last week, 32 states inked a settlement agreement with Nationwide Mutual Insurance for the insurance company's data breach in 2012. The Attorney General's Office for the Commonwealth of Massachusetts participated in the agreement, and explained in an announcement that the 2012 data breach was:

"... allegedly caused by Nationwide’s failure to apply a critical software security patch. The breach resulted in the loss of personal information belonging to 1.27 million consumers, with nearly 950 in Massachusetts, including their social security numbers, driver’s license numbers, credit scoring information, and other personal data. The lost personal information was collected by Nationwide in order to provide insurance quotes to consumers applying for insurance. AG Healey’s Office is not aware of any fraud or identity theft involving Massachusetts residents related to this data breach."

Other states participating in the settlement agreement include the Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia. Terms of the settlement agreement require Nationwide to:

"... both generally update its security practices and to ensure that it keeps software up-to-date, including timely applying patches and other updates to its software. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates.

Many of the consumers whose data was lost as a result of the data breach were consumers who never became Nationwide’s insureds, but whose information was retained by the company in order to provide the consumers re-quotes at a later date. The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose to consumers that it retains their personal information even if they do not become its customers."

950 Massachusetts residents were affected. Massachusetts' share of the payment is $100,000. Massachusetts Attorney General (AG) Maura Healey said in a statement:

"People shopping for financial products should be assured that companies collecting their personal information will protect it no matter what... Nationwide knew their software was vulnerable to hacking but did not promptly address it, leaving sensitive data vulnerable to identity thieves. This settlement holds the company accountable for subjecting our residents to this avoidable risk."

2,810 New York residents were affected. New York State's share of the payment is $107,736. New York State AG Eric T. Schneiderman said:

"Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process... This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers..."

774 Connecticut residents were affected. Connecticut's share of the payment is $256,559. Connecticut AG George Jepsen said:

"Connecticut law requires that anyone in possession of another person's personal information safeguard that data... It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols..."


Homeowners Receive $6.3 Million In Refunds Due To Improper Charges By Insurance Company

[Image: Assurant logo]

Last week, the Attorney General's office for the Commonwealth of Massachusetts announced the results of a post-settlement agreement audit with American Security Insurance Company, a subsidiary of Assurant, Inc., where homeowners in the state will receive $6.3 million in refunds for improper "forced-place insurance" charges. The announcement explained:

"Force-placed insurance is a type of property insurance that mortgage servicers can purchase on behalf of borrowers if they fail to maintain adequate homeowners insurance coverage on mortgaged properties. Mortgage servicers often hire insurance companies like Assurant to monitor whether borrowers are maintaining adequate homeowners insurance coverage and to issue force-placed insurance policies when appropriate homeowners coverage is not in place.

Premiums for force-placed policies are high—often two or three times as expensive as regular homeowners insurance—and the coverage provided is quite limited. Some mortgage servicers accept commission payments from force-placed insurers, which contribute to the high cost of force-placed insurance and create conflicts of interest for mortgage servicers."

The settlement agreement was first announced in November, 2015. The latest announcement described the results of the audit:

"Although force-placed insurance is only intended for circumstances in which the borrower has failed to adequately insure the mortgaged property, the Attorney General’s audit of Assurant found thousands of cases of duplicative insurance coverage for Massachusetts homeowners. Borrowers eligible for settlement money were previously required by their mortgage servicer to purchase force-placed insurance from Assurant, or were overcharged for force-placed insurance because they were mistakenly sold commercial policies rather than less expensive residential policies..."

4,500 homeowners were improperly charged. The average refund per homeowner is about $1,400. Refund checks were mailed last week to affected homeowners.


Wells Fargo Forced Customers To Buy Unwanted And Unnecessary Auto Insurance

[Image: Wells Fargo logo]

Just when it seems that executives at Wells Fargo Bank have seen the light and turned the ethics corner, along comes a news report about another fraudulent program at the bank. The New York Times reported:

"More than 800,000 people who took out car loans from Wells Fargo were charged for auto insurance they did not need, and some of them are still paying for it, according to an internal report prepared for the bank’s executives.

The expense of the unneeded insurance, which covered collision damage, pushed roughly 274,000 Wells Fargo customers into delinquency and resulted in almost 25,000 wrongful vehicle repossessions, according to the 60-page report, which was obtained by The New York Times. Among the Wells Fargo customers hurt by the practice were military service members on active duty."

The internal report, by the consulting firm Oliver Wyman, investigated auto insurance policies sold from January 2012 through July 2016. While this was happening, the bank was recovering from a scandal where employees opened millions of phony accounts in order to game an incentive system.

Wells Fargo released a statement about how it will help customers affected by unwanted and unnecessary insurance, and fix its Collateral Protection Insurance (CPI) policies:

"Wells Fargo reviewed policies placed between 2012 and 2017 and identified approximately 570,000 customers who may have been impacted and will receive refunds and other payments as compensation. In total, approximately $64 million of cash remediation will be sent to customers in the coming months, along with $16 million of account adjustments, for a total of approximately $80 million in remediation... in July 2016 Wells Fargo initiated a review of the CPI program and related third-party vendor practices. Based on the initial findings, the company discontinued its CPI program in September 2016... Wells Fargo’s review determined that certain external vendor processes and internal controls were inadequate. As a result, customers may have been charged premiums for CPI even if they were paying for their own vehicle insurance, as required, and in some cases the CPI premiums may have contributed to a default that led to their vehicle’s repossession... Wells Fargo already has been providing CPI-related refunds to some customers and, beginning in August, will send letters and refund checks to customers who are due additional payments. The process is expected to be complete by the end of the year and is as follows:

i) Approximately 490,000 customers had CPI placed for some or all of the time they had adequate vehicle insurance coverage of their own... These customers will receive additional refunds of certain fees and some additional interest. Refunds for this group total approximately $25 million;

ii) In five states that have specific notification and disclosure requirements, approximately 60,000 customers did not receive complete disclosures from our vendor as required prior to CPI placement. In these cases, even if CPI was required, customers will receive a refund including premiums, fees and interest. Refunds for this group total approximately $39 million:

iii) For approximately 20,000 customers, the additional costs of the CPI could have contributed to a default that resulted in the repossession of their vehicle. Those customers will receive additional payments as compensation for the loss of their vehicle. The payment amount will depend on each customer’s situation..."

Do the math. 490,000 customers were overcharged about $25 million, or about $51 per person. 60,000 customers were overcharged $39 million or about $1,950 per person. 34 percent of borrowers (274,000 divided by 800,000) were reportedly pushed into delinquency. Substantial amounts.

Besides reimbursements, the bank said it will work with credit reporting agencies to correct affected borrowers’ credit records. That seems to be the minimum solution. Not only did the bank overcharge some customers, but it also had inadequate controls for both internal processes and external vendors. Which managers were reprimanded, or fired, for those lapses? The bank's statement didn't say. Where were the bank's auditors throughout this mess?

National General Insurance (NGI) underwrote the auto insurance policies for Wells Fargo. A lawsuit by customers named both Wells Fargo and NGI as defendants. And, at least one other law firm is investigating a possible class-action suit.

How does unwanted and unnecessary insurance help customers? Not in any way I can see. Well, it probably helped the bank's profitability for a while.

Reportedly, military service members and their families were among the affected borrowers. And, this latest program isn't the first abuse by the bank of military members and their families. Last fall, the U.S. Justice Department (DOJ) sanctioned the bank for improperly repossessing cars owned by members of the military. The DOJ alleged 413 violations of the Servicemembers Civil Relief Act, and the bank agreed to pay more than $4 million to compensate borrowers affected by seven years of unlawful repossessions.

In June, one U.S. Senator called for the firing of all 12 board members for failing to protect account holders. It seems that unethical executive behavior at the bank will stop only when guilty executives serve jail time; not fines the bank can easily afford.

The whole sordid affair makes one wonder what other programs at the bank remain hidden. What are your opinions? If you received a refund letter and check, please share what you safely can about it below.


Survey: 90 Percent Of Consumers Want Smart Devices With Security Built In

A recent survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built into the products. Also, 78 percent said they are aware that any smart device connected to their home WiFi network is vulnerable to attacks by hackers wanting to steal personal data stored on the device.

[Image: Security importance by country. Irdeto Global Consumer IoT Security Survey]

The Irdeto Global Consumer IoT Security Survey, conducted online from June 22, 2017 to July 10, 2017 by YouGov Plc for Irdeto, included 7,882 adults (aged 18 or older) in six countries: Brazil, China, Germany, India, United Kingdom, and United States. Irdeto provides security solutions to protect platforms and applications for media, entertainment, automotive and Internet-of-things (IoT) connected industries.

Additional key findings:

"... 72% of millennials (ages 18-24 years) indicated that they are aware that any smart device connected to the Wi-Fi in their home has the potential to be targeted by a hacker, compared to 82% of consumers 55+. This indicates that older generations may be more savvy about IoT security or more cautious... More than half of consumers around the globe (56%) think that it is the responsibility of both the end-user and the manufacturer of the product to prevent hacking of smart devices. Alternatively, only 15% of consumers globally think they are responsible, while 20% feel the manufacturer of the device is responsible for cybersecurity. In China, more consumers than any other country surveyed (31%) stated that it is the responsibility of manufacturers. Brazilians led all countries surveyed (23%) in the belief that it is the responsibility of the end-user to prevent hacking of connected devices... Germans expressed the least concern with nearly half (42%) stating that they are not concerned about smart devices being hacked. On the opposite end of the spectrum, Brazilian smart device owners expressed the most concern with 88% of those surveyed saying they were concerned...

And, smart device usage varies by country:

"Regarding the number of smart devices consumers own, 89% of those surveyed have at least one connected device in their home. In addition, 81% of consumers across the globe admitted to having more than one connected device in the home. India led all countries with a staggering 97% of consumers stating that they have at least one smart device in the home, compared to only 80% of US consumers..."

Read the announcement by Irdeto. View the full infographic.

[Image: Device security responsibility. Irdeto Global Consumer IoT Security Survey]


The Myth Of Drug Expiration Dates

[Editor's Note: some politicians and pundits repeatedly claim that the private sector is more efficient than the public sector. Today's blog post explores waste in the healthcare industry. Today's post is reprinted with permission.]

By Marshall Allen, ProPublica

The box of prescription drugs had been forgotten in a back closet of a retail pharmacy for so long that some of the pills predated the 1969 moon landing. Most were 30 to 40 years past their expiration dates -- possibly toxic, probably worthless.

But to Lee Cantrell, who helps run the California Poison Control System, the cache was an opportunity to answer an enduring question about the actual shelf life of drugs: Could these drugs from the bell-bottom era still be potent?

Cantrell called Roy Gerona, a University of California, San Francisco, researcher who specializes in analyzing chemicals. Gerona had grown up in the Philippines and had seen people recover from sickness by taking expired drugs with no apparent ill effects.

"This was very cool," Gerona says. "Who gets the chance of analyzing drugs that have been in storage for more than 30 years?"

The age of the drugs might have been bizarre, but the question the researchers wanted to answer wasn't. Pharmacies across the country -- in major medical centers and in neighborhood strip malls -- routinely toss out tons of scarce and potentially valuable prescription drugs when they hit their expiration dates.

Gerona and Cantrell, a pharmacist and toxicologist, knew that the term "expiration date" was a misnomer. The dates on drug labels are simply the point up to which the Food and Drug Administration and pharmaceutical companies guarantee their effectiveness, typically at two or three years. But the dates don't necessarily mean they're ineffective immediately after they "expire" -- just that there's no incentive for drugmakers to study whether they could still be usable.

ProPublica has been researching why the U.S. health care system is the most expensive in the world. One answer, broadly, is waste -- some of it buried in practices that the medical establishment and the rest of us take for granted. We've documented how hospitals often discard pricey new supplies, how nursing homes trash valuable medications after patients pass away or move out, and how drug companies create expensive combinations of cheap drugs. Experts estimate such squandering eats up about $765 billion a year -- as much as a quarter of all the country's health care spending.

What if the system is destroying drugs that are technically "expired" but could still be safely used?

In his lab, Gerona ran tests on the decades-old drugs, including some now defunct brands such as the diet pills Obocell (once pitched to doctors with a portly figurine called "Mr. Obocell") and Bamadex. Overall, the bottles contained 14 different compounds, including antihistamines, pain relievers and stimulants. All the drugs tested were in their original sealed containers.

The findings surprised both researchers: A dozen of the 14 compounds were still as potent as they were when they were manufactured, some at almost 100 percent of their labeled concentrations.

"Lo and behold," Cantrell says, "The active ingredients are pretty darn stable."

Cantrell and Gerona knew their findings had big implications. Perhaps no area of health care has provoked as much anger in recent years as prescription drugs. The news media is rife with stories of medications priced out of reach or of shortages of crucial drugs, sometimes because producing them is no longer profitable.

Tossing such drugs when they expire is doubly hard. One pharmacist at Newton-Wellesley Hospital outside Boston says the 240-bed facility is able to return some expired drugs for credit, but had to destroy about $200,000 worth last year. A commentary in the journal Mayo Clinic Proceedings cited similar losses at the nearby Tufts Medical Center. Play that out at hospitals across the country and the tab is significant: about $800 million per year. And that doesn't include the costs of expired drugs at long-term care pharmacies, retail pharmacies and in consumer medicine cabinets.

After Cantrell and Gerona published their findings in Archives of Internal Medicine in 2012, some readers accused them of being irresponsible and advising patients that it was OK to take expired drugs. Cantrell says they weren't recommending the use of expired medication, just reviewing the arbitrary way the dates are set.  

"Refining our prescription drug dating process could save billions," he says.

But after a brief burst of attention, the response to their study faded. That raises an even bigger question: If some drugs remain effective well beyond the date on their labels, why hasn't there been a push to extend their expiration dates?

It turns out that the FDA, the agency that helps set the dates, has long known the shelf life of some drugs can be extended, sometimes by years.

In fact, the federal government has saved a fortune by doing this.

For decades, the federal government has stockpiled massive stashes of medication, antidotes and vaccines in secure locations throughout the country. The drugs are worth tens of billions of dollars and would provide a first line of defense in case of a large-scale emergency.

Maintaining these stockpiles is expensive. The drugs have to be kept secure and at the proper humidity and temperature so they don't degrade. Luckily, the country has rarely needed to tap into many of the drugs, but this means they often reach their expiration dates. Though the government requires pharmacies to throw away expired drugs, it doesn't always follow these instructions itself. Instead, for more than 30 years, it has pulled some medicines and tested their quality.

The idea that drugs expire on specified dates goes back at least a half-century, when the FDA began requiring manufacturers to add this information to the label. The time limits allow the agency to ensure medications work safely and effectively for patients. To determine a new drug's shelf life, its maker zaps it with intense heat and soaks it with moisture to see how it degrades under stress. It also checks how it breaks down over time. The drug company then proposes an expiration date to the FDA, which reviews the data to ensure it supports the date and approves it. Despite the difference in drugs' makeup, most "expire" after two or three years.

Once a drug is launched, the makers run tests to ensure it continues to be effective up to its labeled expiration date. Since they are not required to check beyond it, most don't, largely because regulations make it expensive and time-consuming for manufacturers to extend expiration dates, says Yan Wu, an analytical chemist who is part of a focus group at the American Association of Pharmaceutical Scientists that looks at the long-term stability of drugs. Most companies, she says, would rather sell new drugs and develop additional products.

Pharmacists and researchers say there is no economic "win" for drug companies to investigate further. They ring up more sales when medications are tossed as "expired" by hospitals, retail pharmacies and consumers despite retaining their safety and effectiveness.

Industry officials say patient safety is their highest priority. Olivia Shopshear, director of science and regulatory advocacy for the drug industry trade group Pharmaceutical Research and Manufacturers of America, or PhRMA, says expiration dates are chosen "based on the period of time when any given lot will maintain its identity, potency and purity, which translates into safety for the patient."

That being said, it's an open secret among medical professionals that many drugs maintain their ability to combat ailments well after their labels say they don't. One pharmacist says he sometimes takes home expired over-the-counter medicine from his pharmacy so he and his family can use it.

The federal agencies that stockpile drugs -- including the military, the Centers for Disease Control and Prevention and the Department of Veterans Affairs -- have long realized the savings in revisiting expiration dates.

In 1986, the Air Force, hoping to save on replacement costs, asked the FDA if certain drugs' expiration dates could be extended. In response, the FDA and Defense Department created the Shelf Life Extension Program.

Each year, drugs from the stockpiles are selected based on their value and pending expiration and analyzed in batches to determine whether their end dates could be safely extended. For several decades, the program has found that the actual shelf life of many drugs is well beyond the original expiration dates.

A 2006 study of 122 drugs tested by the program showed that two-thirds of the expired medications were stable every time a lot was tested. Each of them had its expiration date extended, on average, by more than four years, according to research published in the Journal of Pharmaceutical Sciences.

Some that failed to hold their potency include the common asthma inhalant albuterol, the topical rash spray diphenhydramine, and a local anesthetic made from lidocaine and epinephrine, the study said. But neither Cantrell nor Dr. Cathleen Clancy, associate medical director of National Capital Poison Center, a nonprofit organization affiliated with the George Washington University Medical Center, had heard of anyone being harmed by any expired drugs. Cantrell says there has been no recorded instance of such harm in medical literature.

Marc Young, a pharmacist who helped run the extension program from 2006 to 2009, says it has had a "ridiculous" return on investment. Each year the federal government saved $600 million to $800 million because it did not have to replace expired medication, he says.

An official with the Department of Defense, which maintains about $13.6 billion worth of drugs in its stockpile, says that in 2016 it cost $3.1 million to run the extension program, but it saved the department from replacing $2.1 billion in expired drugs. To put the magnitude of that return on investment into everyday terms: It's like spending a dollar to save $677.

"We didn't have any idea that some of the products would be so damn stable -- so robustly stable beyond the shelf life," says Ajaz Hussain, one of the scientists who formerly helped oversee the extension program.

Hussain is now president of the National Institute for Pharmaceutical Technology and Education, an organization of 17 universities that's working to reduce the cost of pharmaceutical development. He says the high price of drugs and shortages make it time to reexamine drug expiration dates in the commercial market.

"It's a shame to throw away good drugs," Hussain says.

Some medical providers have pushed for a changed approach to drug expiration dates -- with no success. In 2000, the American Medical Association, foretelling the current prescription drug crisis, adopted a resolution urging action. The shelf life of many drugs, it wrote, seems to be "considerably longer" than their expiration dates, leading to "unnecessary waste, higher pharmaceutical costs, and possibly reduced access to necessary drugs for some patients."

Citing the federal government's extension program, the AMA sent letters to the FDA, the U.S. Pharmacopeial Convention, which sets standards for drugs, and PhRMA asking for a re-examination of expiration dates.

No one remembers the details -- just that the effort fell flat.

"Nothing happened, but we tried," says rheumatologist Roy Altman, now 80, who helped write the AMA report. "I'm glad the subject is being brought up again. I think there's considerable waste."

At Newton-Wellesley Hospital, outside Boston, pharmacist David Berkowitz yearns for something to change.

On a recent weekday, Berkowitz sorted through bins and boxes of medication in a back hallway of the hospital's pharmacy, peering at expiration dates. As the pharmacy's assistant director, he carefully manages how the facility orders and dispenses drugs to patients. Running a pharmacy is like working in a restaurant because everything is perishable, he says, "but without the free food."

Federal and state laws prohibit pharmacists from dispensing expired drugs, and The Joint Commission, which accredits thousands of health care organizations, requires facilities to remove expired medication from their supply. So at Newton-Wellesley, outdated drugs are shunted to shelves in the back of the pharmacy and marked with a sign that says: "Do Not Dispense." The piles grow for weeks until they are hauled away by a third-party company that has them destroyed. And then the bins fill again.

"I question the expiration dates on most of these drugs," Berkowitz says.

One of the plastic boxes is piled with EpiPens -- devices that automatically inject epinephrine to treat severe allergic reactions. They run almost $300 each. These are from emergency kits that are rarely used, which means they often expire. Berkowitz counts them, tossing each one with a clatter into a separate container: "that's 45, 46, 47." He finishes at 50. That's almost $15,000 in wasted EpiPens alone.

In May, Cantrell and Gerona published a study that examined 40 EpiPens and EpiPen Jrs., a smaller version, that had been expired for between one and 50 months. The devices had been donated by consumers, which meant they could have been stored in conditions that would cause them to break down, like a car's glove box or a steamy bathroom. The EpiPens also contain liquid medicine, which tends to be less stable than solid medications.

Testing showed 24 of the 40 expired devices contained at least 90 percent of their stated amount of epinephrine, enough to be considered as potent as when they were made. All of them contained at least 80 percent of their labeled concentration of medication. The takeaway? Even EpiPens stored in less than ideal conditions may last longer than their labels say they do, and if there's no other option, an expired EpiPen may be better than nothing, Cantrell says.

At Newton-Wellesley, Berkowitz keeps a spreadsheet of every outdated drug he throws away. The pharmacy sends what it can back for credit, but it doesn't come close to replacing what the hospital paid.

Then there's the added angst of tossing drugs that are in short supply. Berkowitz picks up a box of sodium bicarbonate, which is crucial for heart surgery and to treat certain overdoses. It's being rationed because there's so little available. He holds up a purple box of atropine, which gives patients a boost when they have low heart rates. It's also in short supply. In the federal government's stockpile, the expiration dates of both drugs have been extended, but they have to be thrown away by Berkowitz and other hospital pharmacists.

The 2006 FDA study of the extension program also said it pushed back the expiration date on lots of mannitol, a diuretic, for an average of five years. Berkowitz has to toss his out. Expired naloxone? The drug reverses narcotic overdoses in an emergency and is currently in wide use in the opioid epidemic. The FDA extended its use-by date for the stockpiled drugs, but Berkowitz has to trash it.

On rare occasions, a pharmaceutical company will extend the expiration dates of its own products because of shortages. That's what happened in June, when the FDA posted extended expiration dates from Pfizer for batches of its injectable atropine, dextrose, epinephrine and sodium bicarbonate. The agency notice included the lot numbers of the batches being extended and added six months to a year to their expiration dates.

The news sent Berkowitz running to his expired drugs to see if any could be put back into his supply. His team rescued four boxes of the syringes from destruction, including 75 atropine, 15 dextrose, 164 epinephrine and 22 sodium bicarbonate. Total value: $7,500. In a blink, "expired" drugs that were in the trash heap were put back into the pharmacy supply.

Berkowitz says he appreciated Pfizer's action, but feels it should be standard to make sure drugs that are still effective aren't thrown away.

"The question is: Should the FDA be doing more stability testing?" Berkowitz says. "Could they come up with a safe and systematic way to cut down on the drugs being wasted in hospitals?"

Four scientists who worked on the FDA extension program told ProPublica something like that could work for drugs stored in hospital pharmacies, where conditions are carefully controlled.

Greg Burel, director of the CDC's stockpile, says he worries that if drugmakers were forced to extend their expiration dates it could backfire, making it unprofitable to produce certain drugs and thereby reducing access or increasing prices.

The 2015 commentary in Mayo Clinic Proceedings, called "Extending Shelf Life Just Makes Sense," also suggested that drugmakers could be required to set a preliminary expiration date and then update it after long-term testing. An independent organization could also do testing similar to that done by the FDA extension program, or data from the extension program could be applied to properly stored medications.

ProPublica asked the FDA whether it could expand its extension program, or something like it, to hospital pharmacies, where drugs are stored in stable conditions similar to the national stockpile.

"The Agency does not have a position on the concept you have proposed," an official wrote back in an email.

Whatever the solution, the drug industry will need to be spurred in order to change, says Hussain, the former FDA scientist. "The FDA will have to take the lead for a solution to emerge," he says. "We are throwing away products that are certainly stable, and we need to do something about it."

ProPublica is a Pulitzer Prize-winning investigative newsroom.


Wisconsin Employer To Offer Its Employees ID Microchip Implants

A Wisconsin company said that, starting August 1, it will offer its employees the option of having microchip identification implants. The company, Three Square Market (32M), will allow employees with the implants to make purchases in the employee break room, open locked doors, log in to computers, use the copy machine, and perform related office tasks.

Each microchip, about the size of a grain of rice, would be implanted under the skin in an employee's hand. The microchips use radio-frequency identification (RFID), a technology that has existed for a while and has been used in a variety of devices: employee badges, payment cards, passports, package tracking, and more. Each microchip electronically stores identification information about the user and communicates with readers over near-field communications (NFC). Instead of swiping a payment card, an employee badge, or a smartphone, the employee unlocks a device by waving a hand near the chip reader attached to that device. Purchases in the employee break room can be made by waving a hand near a self-serve kiosk.

Reportedly, 32M would be the first employer in the USA to microchip its employees. CBS News reported in April about Epicenter, a startup based in Sweden:

"The [implant] injections have become so popular that workers at Epicenter hold parties for those willing to get implanted... Epicenter, which is home to more than 100 companies and some 2,000 workers, began implanting workers in January 2015. Now, about 150 workers have [chip implants]... as with most new technologies, it raises security and privacy issues. While biologically safe, the data generated by the chips can show how often an employee comes to work or what they buy. Unlike company swipe cards or smartphones, which can generate the same data, a person cannot easily separate themselves from the chip."

In an interview with Saint Paul-based KSTP, Todd Westby, the Chief Executive Officer at 32M, described the optional microchip program as:

"... the next thing that's inevitably going to happen, and we want to be a part of it..."

To implement its microchip implant program, 32M has partnered with Sweden-based BioHax International. Westby explained in a company announcement:

"Eventually, this technology will become standardized allowing you to use this as your passport, public transit, all purchasing opportunities... We see chip technology as the next evolution in payment systems, much like micro markets have steadily replaced vending machines... it is important that 32M continues leading the way with advancements such as chip implants..."

"Micro markets" are small stores located within employers' offices, typically in the break rooms where employees relax and/or purchase food. 32M estimates 20,000 micro markets nationwide in the USA. According to its website, the company serves markets in North America, Europe, Asia, and Australia. 32M believes that micro markets, aided by chip implants and self-serve kiosks, offer employers greater employee productivity with lower costs.

Yes, the chip implants are similar to the chip implants many pet owners have inserted to identify their dogs or cats. 32M expects 50 employees to enroll in its chip implant program.

Reportedly, companies in Belgium and Sweden already use chip implants to identify employees. 32M's announcement did not list the data elements each employee's microchip would contain, nor whether the data in the microchips would be encrypted. Historically, unencrypted data stored by RFID technology has been vulnerable to skimming attacks by criminals using portable or hand-held RFID readers. Stolen information can then be used to clone devices and commit identity theft and fraud.

Some states, such as Washington and California, passed anti-skimming laws. Prior government-industry workshops about RFID usage focused upon consumer products, and not employment concerns. Earlier this year, lawmakers in Nevada introduced legislation making it illegal to require employees to accept microchip implants.

A BBC News reporter discussed in 2015 what it is like to be "chipped." And as CBS News reported:

"... hackers could conceivably gain huge swathes of information from embedded microchips. The ethical dilemmas will become bigger the more sophisticated the microchips become. The data that you could possibly get from a chip that is embedded in your body is a lot different from the data that you can get from a smartphone..."

For example, if employers install RFID readers so that employees unlock bathroom doors with their implants, the employers can track when, where, how often, and for how long employees use the bathrooms. How does that sound?

Hopefully, future announcements by 32M will discuss the security features and protections. What are your opinions? Are you willing to be an office cyborg? Should employees have a choice, or should employers be able to force their employees to accept microchip implants? How do you feel about your employer tracking what you eat and drink via purchases with your chip implant?

Many employers publish social media policies covering what employees should (shouldn't, or can't) publish online. Should employers have microchip implant policies, too? If so, what should these policies state?


Microsoft Fights Foreign Cyber Criminals And Spies

The Daily Beast explained how Microsoft fights cyber criminals and spies, some of whom have alleged ties to the Kremlin:

"Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents.

Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft an omniscient view of that server’s network of automated spies."

Kudos to Microsoft and its attorneys.


U.S. Treasury Department Fined ExxonMobil $2 Million For Sanction Violations

On Thursday, the U.S. Department of the Treasury fined ExxonMobil Corporation $2 million for violations of sanctions that occurred while current Secretary of State Rex Tillerson was the company's Chief Executive Officer. The Office of Foreign Assets Control (OFAC) within the Treasury Department issued the fine. According to the announcement:

"Between on or about May 14, 2014 and on or about May 23, 2014, ExxonMobil violated § 589.201 of the Ukraine-Related Sanctions Regulations when the presidents of its U.S. subsidiaries dealt in services of an individual whose property and interests in property were blocked, namely, by signing eight legal documents related to oil and gas projects in Russia with Igor Sechin, the President of Rosneft OAO, and an individual identified on OFAC’s List of Specially Designated Nationals and Blocked Persons.

OFAC determined that ExxonMobil did not voluntarily self-disclose the violations to OFAC, and that the violations constitute an egregious case."

During March of 2014, Russia officially annexed Crimea, a peninsula in the Black Sea, from Ukraine. Moscow retaliated by banning nine U.S. officials and lawmakers from entering Russia. Then, President Obama ordered more sanctions against two-dozen members of Putin's inner circle and against Bank Rossiya, the Russian bank supporting them.

During August of 2014, Russian troops invaded eastern areas of Ukraine along the country's southeast coast. Reportedly, Russian troops fought alongside pro-Russia rebels against the Ukrainian military.

 The Treasury Department released an "Enforcement Information for July 20, 2017" document which stated in part:

"... ExxonMobil did not voluntarily self-disclose the violations to OFAC and that the violations constitute an egregious case. Both the base civil monetary penalty and the statutory maximum civil monetary penalty amounts for the violations were $2,000,000. OFAC thoroughly considered the arguments ExxonMobil set forth in its submissions to OFAC, and the penalty amount reflects OFAC's consideration of the following facts and circumstances... OFAC considered the following to be aggravating factors: (1) ExxonMobil demonstrated reckless disregard for U.S. sanctions requirements when it failed to consider warning signs associated with dealing in the blocked services of an SDN; (2) ExxonMobil's senior-most executives knew of Sechin's status as an SDN when they dealt in the blocked services of Sechin; (3) ExxonMobil caused significant harm to the Ukraine-related sanctions program objectives by engaging the services of an SDN designated on the basis that he is an official of the Government of the Russian Federation contributing to the crisis in Ukraine; and (4) ExxonMobil is a sophisticated and experienced oil and gas company that has global operations and routinely deals in goods, services, and technology subject to U.S. economic sanctions and U.S. export controls. OFAC considered the following to be a mitigating factor: ExxonMobil has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the first transaction giving rise to the violation..."

It seems that OFAC would have fined ExxonMobil more if it could have. During 2016, ExxonMobil generated sales revenues of $197.52 billion and net income of $7.84 billion. So, the company can easily afford this fine.

ExxonMobil issued a press release on July 20 which denied the violations and claimed that it had received clear guidance from the Treasury Department that the transactions were legal, "so long as the activity related to Rosneft’s business and not Sechin’s personal business." The press release also cited several news sources. You'd think that the company's executives would simply have gone straight to the source, OFAC, and bypassed intermediaries.

The OFAC Enforcement Information document debunked the energy company's claim:

"ExxonMobil claims that it interpreted press statements as establishing a distinction between Sechin's "professional" and "personal" capacity, in part citing to a news article published in April 2014 that quoted a Department of the Treasury representative as saying that a U.S. person would not be prohibited from participating in a meeting of Rosneft's board of directors. However, that brief statement did not address the conduct in this case.

Furthermore, the plain language of the Ukraine-Related Sanctions Regulations (which were issued after the Executive branch statements) and E.O. 13661 do not contain a "personal" versus "professional" distinction, and OFAC has neither interpreted its Regulations in that manner nor endorsed such a distinction. The press release statements provided context for the policy rationale surrounding the targeted approach during the early days of the Ukraine crisis, which was to isolate designated individuals who were targeted as a result of the crisis in Ukraine, rather than imposing blocking sanctions on the large companies that they managed. No materials issued by the White House or the Department of the Treasury asserted an exception or carve-out for the professional conduct of designated or blocked persons, nor did any materials suggest that U.S. persons could continue to conduct or engage in business with such individuals.

Separately, there was a Frequently Asked Question (FAQ) publicly available on the OFAC website at the time of the violations that specifically spoke to the conduct at issue in this case..."

The Enforcement Information document is available at the Treasury Department's website as an Adobe PDF.

While at the Treasury Department's website, I noticed that the Treasury Notes blog stopped publishing on January 19, 2017 -- about the same time as the Presidential Inauguration. What's up with that? Does the Treasury Department, under the Trump Administration, believe that it is okay not to inform citizens, taxpayers, and voters?


CFPB Issues New Rule Governing Arbitration Clauses

The products and services many consumers purchase include contractual agreements with arbitration clauses, which prohibit consumers from getting relief by joining class-action lawsuits. Those clauses also specify the out-of-court process to resolve disagreements and the upfront fees consumers must pay.

Many of you have heard the phrase "binding arbitration." Regular readers of this blog are familiar with the issues with binding arbitration. Many popular mobile apps, websites, streaming video services, and some augmented-reality (AR) mobile games contain these clauses. The Public Citizen website lists the banks, retail stores, entertainment, online shopping, telecommunications, consumer electronics, software, nursing homes, and health care companies that include binding arbitration clauses in their contracts with customers.

To achieve a better balance between the needs of consumers versus the needs of corporations, the Consumer Financial Protection Bureau (CFPB) has issued new rules governing arbitration clauses. The CFPB explained:

"No matter how many people are harmed by the same conduct, most arbitration clauses require people to bring claims individually against the company, outside the court system, before a private individual (an arbitrator). Companies know that people almost never spend the time or money to pursue relief when the amounts at stake are small, so few people do this. Our new rule will restore the ability of groups of people to file or join group lawsuits. In some cases, not only will companies have to provide relief, they will also have to change their behavior moving forward.

People who would otherwise have to go it alone or give up, will be able to join with others to pursue justice and some remedy for their harm."

Richard Cordray, the Director of the CFPB, in a statement briefly discussed the history:

"Originally, arbitration was primarily used for disagreements between two businesses. But over the last quarter century or so, companies started adding arbitration clauses to their consumer contracts... In 2007, Congress passed the Military Lending Act, which disallows mandatory arbitration clauses in connection with certain loans made to servicemembers. Three years later, in the Dodd-Frank Wall Street Reform and Consumer Protection Act, Congress went further and banned mandatory arbitration clauses in most residential mortgage contracts."

Supporters of binding arbitration clauses have long fought pro-consumer action by the CFPB. Director Cordray also discussed the new CFPB rule:

"A cherished tenet of our justice system is that no one, no matter how big or how powerful, should escape accountability if they break the law. But right now, many contracts for consumer financial products like bank accounts and credit cards come with a mandatory arbitration clause that makes it virtually impossible for people to sue the company as a group if things go wrong. On paper, these clauses simply say that either party can opt to have disputes resolved by private individuals known as arbitrators rather than by the court system. In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal rights..."

"The breadth and application of these clauses can be unexpected and severe. For example, when Wells Fargo opened millions of deposit and credit card accounts without the knowledge or consent of consumers, arbitration clauses in existing account contracts blocked their customers from bringing group lawsuits for the unauthorized account openings. Companies have argued that group lawsuits are unnecessary because the government can pursue enforcement actions to address the same problems. But consumers should be able to stand up for themselves and pursue their own legal rights without having to wait on the government. And the government has limited resources..."


What are your opinions of binding arbitration clauses? Were you aware of them? What are your opinions of the new CFPB rule?


Data Breach Exposes Information Of Millions Of Verizon Customers

A data breach at Verizon has exposed the sensitive information of millions of customers. ZDNet reported:

"As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of NICE Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address."

Many businesses use cloud services vendors -- Amazon Web Services and others -- to outsource the storage of customers' information in online databases. While the practice isn't new, a problem is that customers aren't always informed that a third party is handling their sensitive information.

Founded in 1986, NICE Systems has 3,500 employees, serves about 25,000 customers in 150 countries, and provides services to 85 percent of Fortune 100 companies. The exact number of affected Verizon customers is disputed.

The security firm UpGuard found the unprotected cloud-based storage server:

"UpGuard's Cyber Risk Team can now report that a mis-configured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon. (UPDATE: July 12, 3 PM PST - Both NICE Systems and Verizon have since confirmed the veracity of the exposure, while a Verizon spokesperson has claimed that only 6 million customers had data exposed)."

Whether the total number of breach victims is 6 or 14 million customers, neither is good. The phrase "account details" is troubling. That could mean anything from e-mail addresses to payment information to residential addresses, or more.

UpGuard's announcement added:

"Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.

Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data... Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."

Agreed. This outsourcing business practice may be profitable for all companies involved, but outsourcing does not decrease the risks; it only moves the data to another party. Not good. Mis-configured cloud servers should not happen. Not good. The event raises the question: how often has this happened before and gone undetected?
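As an added illustration of the kind of misconfiguration described above (this is not code from the original post or from any of the companies involved), here is a small audit that flags S3 bucket settings granting access to the public. The ACL and policy shapes follow what boto3's get_bucket_acl() and get_bucket_policy() return, but every bucket name, owner ID and account number below is constructed so the audit runs offline.

```python
"""Audit S3 bucket access settings for public exposure (added example)."""
import json
from typing import Any, Dict, List, Optional

# Canned S3 grantee groups meaning "everyone" and "anyone with an AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "AuthenticatedUsers (any AWS account)",
}
# Policy actions (lower-cased) that let a caller list or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows a scalar where a list is expected; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def acl_findings(acl: Dict[str, Any]) -> List[str]:
    """One finding per ACL grant that hands a permission to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and label:
            findings.append(f"ACL grants {grant.get('Permission')} to {label}")
    return findings


def _principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (any caller, signed or not)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy_json: str) -> List[str]:
    """One finding per Allow statement that lets anyone read the bucket.

    A public statement carrying a Condition block is reported separately:
    it may still be public, and a human should read the condition.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"policy statement {sid}: public read restricted "
                            "by a Condition (review it)")
        else:
            findings.append(f"policy statement {sid}: unconditional public "
                            f"read via {sorted(actions)}")
    return findings


def audit_bucket(name: str, acl: Dict[str, Any],
                 policy_json: Optional[str] = None) -> List[str]:
    """Combine ACL and policy findings, prefixed with the bucket name."""
    findings = acl_findings(acl)
    if policy_json:
        findings += policy_findings(policy_json)
    return [f"{name}: {f}" for f in findings]


# Constructed samples (not real buckets): an exposed bucket in the spirit of
# the incident above, where the vendor "set the storage to allow external
# access", beside the corrected private configuration.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
EXPOSED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"}]})
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VendorRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-vendor-role"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-call-logs",
                  "arn:aws:s3:::example-call-logs/*"]}]})

if __name__ == "__main__":
    for name, acl, policy in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                              ("private", PRIVATE_ACL, PRIVATE_POLICY)):
        print(name, "->", audit_bucket(name, acl, policy) or ["no public access"])
```

In a real deployment the same check would be run against the output of boto3 calls for every bucket, and Amazon's own Block Public Access setting at the account level is the simpler first line of defence.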

Verizon released a statement about the incident:

"... an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.

To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts..."

Typically, after a breach, companies hire independent security experts to investigate the incident and its contributing causes. Verizon's announcement did not state who, if anyone, it hired to perform a post-breach investigation, nor when. So, according to Verizon: no big deal. No problem. Hmmmmm.

Reportedly, UpGuard notified Verizon about the breach on June 13, and the breach was fixed on June 22. UpGuard added:

"The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling."

Troubling, indeed. What took Verizon (and/or NICE Systems) so long? Verizon's statement didn't say. And what is Verizon (and/or NICE Systems) doing so that this type of breach doesn't happen again? I look forward to upcoming explanations by both companies.

Readers: what are your opinions of this data breach? Of how long it took Verizon to fix things? Of the outsourcing practice? Verizon customers:

  • Is Verizon doing enough to protect your sensitive data?
  • Should affected customers be notified directly?
  • Have you received a breach notice from Verizon? If so, share some of its details.

ProPublica Seeks Input From Former IBM Employees

This news item immediately caught my attention, since a data breach in 2007 at IBM Inc. was the original inspiration for this blog. And the tech company had another breach in 2009. The company has struggled against other tech companies.

Earlier this month, IBM completed a blockchain trial with Westpac and ANZ. According to Yahoo News and Zacks Equity Research, blockchain:

"... is a kind of distributed database and works as an online ledger that cannot be altered or breached easily. The use of such technologies in the banking and finance sector is aimed at reducing the possibility of losing valuable data as well as minimizing the rate of cybercrime in the finance industry.

Notably, IBM is one of the major players in the Blockchain market. This is the second significant deal for the company in this technology space..."

The reporters at ProPublica seek input from former IBM employees who left the company during the last few years. Why? The computing and technology company has:

"... been upending its workforce, often with painful results for longtime employees. According to one estimate, IBM’s U.S. employment, which peaked at 230,000, had dropped to about 70,000 by mid-2015, largely the product of layoffs and retirements. And six weeks ago, IBM told thousands of its telecommuting employees to start reporting to particular offices, which in many cases would involve long-distance moves. That, or resign. As a result, hundreds, perhaps thousands, more IBMers are leaving the company.

IBM has long been a corporate leader in employment practices. That means the way it treats its employees speaks volumes about what lies ahead for working people everywhere. But IBM executives won’t tell their workers or the public how many people are leaving this year. They refuse to provide the numbers for 2016, 2015, or 2014 either, to explain the logic behind who gets tapped to go, or exactly how the departures fit into a larger strategy.

We’re asking you to help us get the numbers and, with them, answers."

Former IBM employees interested in providing input should complete this brief questionnaire at the ProPublica site.


Facebook's Secret Censorship Rules Protect White Men from Hate Speech But Not Black Children

[Editor's Note: today's guest post, by the reporters at ProPublica, explores how social networks practice censorship to combat violence and hate speech, plus related practices such as "geo-blocking." It is reprinted with permission.]

by Julia Angwin, ProPublica, and Hannes Grassegger, special to ProPublica

In the wake of a terrorist attack in London earlier this month, a U.S. congressman wrote a Facebook post in which he called for the slaughter of "radicalized" Muslims. "Hunt them, identify them, and kill them," declared U.S. Rep. Clay Higgins, a Louisiana Republican. "Kill them all. For the sake of all that is good and righteous. Kill them all."

Higgins' plea for violent revenge went untouched by Facebook workers who scour the social network deleting offensive speech.

But a May posting on Facebook by Boston poet and Black Lives Matter activist Didi Delgado drew a different response.

"All white people are racist. Start from this reference point, or you've already failed," Delgado wrote. The post was removed and her Facebook account was disabled for seven days.

A trove of internal documents reviewed by ProPublica sheds new light on the secret guidelines that Facebook's censors use to distinguish between hate speech and legitimate political expression. The documents reveal the rationale behind seemingly inconsistent decisions. For instance, Higgins' incitement to violence passed muster because it targeted a specific sub-group of Muslims -- those that are "radicalized" -- while Delgado's post was deleted for attacking whites in general.

Over the past decade, the company has developed hundreds of rules, drawing elaborate distinctions between what should and shouldn't be allowed, in an effort to make the site a safe place for its nearly 2 billion users. The issue of how Facebook monitors this content has become increasingly prominent in recent months, with the rise of "fake news" -- fabricated stories that circulated on Facebook like "Pope Francis Shocks the World, Endorses Donald Trump For President, Releases Statement" -- and growing concern that terrorists are using social media for recruitment.

While Facebook was credited during the 2010-2011 "Arab Spring" with facilitating uprisings against authoritarian regimes, the documents suggest that, at least in some instances, the company's hate-speech rules tend to favor elites and governments over grassroots activists and racial minorities. In so doing, they serve the business interests of the global company, which relies on national governments not to block its service to their citizens.

One Facebook rule, which is cited in the documents but that the company said is no longer in effect, banned posts that praise the use of "violence to resist occupation of an internationally recognized state." The company's workforce of human censors, known as content reviewers, has deleted posts by activists and journalists in disputed territories such as Palestine, Kashmir, Crimea and Western Sahara.

One document trains content reviewers on how to apply the company's global hate speech algorithm. The slide identifies three groups: female drivers, black children and white men. It asks: Which group is protected from hate speech? The correct answer: white men.

The reason is that Facebook deletes curses, slurs, calls for violence and several other types of attacks only when they are directed at "protected categories" -- based on race, sex, gender identity, religious affiliation, national origin, ethnicity, sexual orientation and serious disability/disease. It gives users broader latitude when they write about "subsets" of protected categories. White men are considered a group because both traits are protected, while female drivers and black children, like radicalized Muslims, are subsets, because one of their characteristics is not protected. (The exact rules are in the slide show below.)

The Facebook Rules

Facebook has used these rules to train its "content reviewers" to decide whether to delete or allow posts. Facebook says the exact wording of its rules may have changed slightly in more recent versions. ProPublica recreated the slides.

Behind this seemingly arcane distinction lies a broader philosophy. Unlike American law, which permits preferences such as affirmative action for racial minorities and women for the sake of diversity or redressing discrimination, Facebook's algorithm is designed to defend all races and genders equally.

"Sadly," the rules are "incorporating this color-blindness idea which is not in the spirit of why we have equal protection," said Danielle Citron, a law professor and expert on information privacy at the University of Maryland. This approach, she added, will "protect the people who least need it and take it away from those who really need it."

But Facebook says its goal is different -- to apply consistent standards worldwide. "The policies do not always lead to perfect outcomes," said Monika Bickert, head of global policy management at Facebook. "That is the reality of having policies that apply to a global community where people around the world are going to have very different ideas about what is OK to share."

Facebook's rules constitute a legal world of their own. They stand in sharp contrast to the United States' First Amendment protections of free speech, which courts have interpreted to allow exactly the sort of speech and writing censored by the company's hate speech algorithm. But they also differ -- for example, in permitting postings that deny the Holocaust -- from more restrictive European standards.

The company has long had programs to remove obviously offensive material like child pornography from its stream of images and commentary. Recent articles in the Guardian and Süddeutsche Zeitung have detailed the difficult choices that Facebook faces regarding whether to delete posts containing graphic violence, child abuse, revenge porn and self-mutilation.

The challenge of policing political expression is even more complex. The documents reviewed by ProPublica indicate, for example, that Donald Trump's posts about his campaign proposal to ban Muslim immigration to the United States violated the company's written policies against "calls for exclusion" of a protected group. As The Wall Street Journal reported last year, Facebook exempted Trump's statements from its policies at the order of Mark Zuckerberg, the company's founder and chief executive.

The company recently pledged to nearly double its army of censors to 7,500, up from 4,500, in response to criticism of a video posting of a murder. Their work amounts to what may well be the most far-reaching global censorship operation in history. It is also the least accountable: Facebook does not publish the rules it uses to determine what content to allow and what to delete.

Users whose posts are removed are not usually told what rule they have broken, and they cannot generally appeal Facebook's decision. Appeals are currently only available to people whose profile, group or page is removed.

The company has begun exploring adding an appeals process for people who have individual pieces of content deleted, according to Bickert. "I'll be the first to say that we're not perfect every time," she said.

Facebook is not required by U.S. law to censor content. A 1996 federal law gave most tech companies, including Facebook, legal immunity for the content users post on their services. The law, section 230 of the Telecommunications Act, was passed after Prodigy was sued and held liable for defamation for a post written by a user on a computer message board.

The law freed up online publishers to host online forums without having to legally vet each piece of content before posting it, the way that a news outlet would evaluate an article before publishing it. But early tech companies soon realized that they still needed to supervise their chat rooms to prevent bullying and abuse that could drive away users.

America Online convinced thousands of volunteers to police its chat rooms in exchange for free access to its service. But as more of the world connected to the internet, the job of policing became more difficult and companies started hiring workers to focus on it exclusively. Thus the job of content moderator -- now often called content reviewer -- was born.

In 2004, attorney Nicole Wong joined Google and persuaded the company to hire its first-ever team of reviewers, who responded to complaints and reported to the legal department. Google needed "a rational set of policies and people who were trained to handle requests," for its online forum called Groups, she said.

Google's purchase of YouTube in 2006 made deciding what content was appropriate even more urgent. "Because it was visual, it was universal," Wong said.

While Google wanted to be as permissive as possible, she said, it soon had to contend with controversies such as a video mocking the King of Thailand, which violated Thailand's laws against insulting the king. Wong visited Thailand and was impressed by the nation's reverence for its monarch, so she reluctantly agreed to block the video -- but only for computers located in Thailand.

Since then, selectively banning content by geography -- called "geo-blocking" -- has become a more common request from governments. "I don't love traveling this road of geo-blocking," Wong said, but "it's ended up being a decision that allows companies like Google to operate in a lot of different places."

For social networks like Facebook, however, geo-blocking is difficult because of the way posts are shared with friends across national boundaries. If Facebook geo-blocks a user's post, it would only appear in the news feeds of friends who live in countries where the geo-blocking prohibition doesn't apply. That can make international conversations frustrating, with bits of the exchange hidden from some participants.

As a result, Facebook has long tried to avoid using geography-specific rules when possible, according to people familiar with the company's thinking. However, it does geo-block in some instances, such as when it complied with a request from France to restrict access within its borders to a photo taken after the Nov. 13, 2015, terrorist attack at the Bataclan concert hall in Paris.

Bickert said Facebook takes into consideration the laws in countries where it operates, but doesn't always remove content at a government's request. "If there is something that violates a country's law but does not violate our standards," Bickert said, "we look at who is making that request: Is it the appropriate authority? Then we check to see if it actually violates the law. Sometimes we will make that content unavailable in that country only."

Facebook's goal is to create global rules. "We want to make sure that people are able to communicate in a borderless way," Bickert said.

Founded in 2004, Facebook began as a social network for college students. As it spread beyond campus, Facebook began to use content moderation as a way to compete with the other leading social network of that era, MySpace.

MySpace had positioned itself as the nightclub of the social networking world, offering profile pages that users could decorate with online glitter, colorful layouts and streaming music. It didn't require members to provide their real names and was home to plenty of nude and scantily clad photographs. And it was being investigated by law-enforcement agents across the country who worried it was being used by sexual predators to prey on children. (In a settlement with 49 state attorneys general, MySpace later agreed to strengthen protections for younger users.)

By comparison, Facebook was the buttoned-down Ivy League social network -- all cool grays and blues. Real names and university affiliations were required. Chris Kelly, who joined Facebook in 2005 and was its first general counsel, said he wanted to make sure Facebook didn't end up in law enforcement's crosshairs, like MySpace.

"We were really aggressive about saying we are a no-nudity platform," he said.

The company also began to tackle hate speech. "We drew some difficult lines while I was there -- Holocaust denial being the most prominent," Kelly said. After an internal debate, the company decided to allow Holocaust denials but reaffirmed its ban on group-based bias, which included anti-Semitism. Since Holocaust denial and anti-Semitism frequently went together, he said, the perpetrators were often suspended regardless.

"I've always been a pragmatist on this stuff," said Kelly, who left Facebook in 2010. "Even if you take the most extreme First Amendment positions, there are still limits on speech."

By 2008, the company had begun expanding internationally but its censorship rulebook was still just a single page with a list of material to be excised, such as images of nudity and Hitler. "At the bottom of the page it said, 'Take down anything else that makes you feel uncomfortable,'" said Dave Willner, who joined Facebook's content team that year.

Willner, who reviewed about 15,000 photos a day, soon found the rules were not rigorous enough. He and some colleagues worked to develop a coherent philosophy underpinning the rules, while refining the rules themselves. Soon he was promoted to head the content policy team.

By the time he left Facebook in 2013, Willner had shepherded a 15,000-word rulebook that remains the basis for many of Facebook's content standards today.

"There is no path that makes people happy," Willner said. "All the rules are mildly upsetting." Because of the volume of decisions -- many millions per day -- the approach is "more utilitarian than we are used to in our justice system," he said. "It's fundamentally not rights-oriented."

Willner's then-boss, Jud Hoffman, who has since left Facebook, said that the rules were based on Facebook's mission of "making the world more open and connected." Openness implies a bias toward allowing people to write or post what they want, he said.

But Hoffman said the team also relied on the principle of harm articulated by John Stuart Mill, a 19th-century English political philosopher. It states "that the only purpose for which power can be rightfully exercised over any member of a civilized community, against his will, is to prevent harm to others." That led to the development of Facebook's "credible threat" standard, which bans posts that describe specific actions that could threaten others, but allows threats that are not likely to be carried out.

Eventually, however, Hoffman said "we found that limiting it to physical harm wasn't sufficient, so we started exploring how free expression societies deal with this."

The rules developed considerable nuance. There is a ban against pictures of Pepe the Frog, a cartoon character often used by "alt-right" white supremacists to perpetrate racist memes, but swastikas are allowed under a rule that permits the "display [of] hate symbols for political messaging." In the documents examined by ProPublica, which are used to train content reviewers, this rule is illustrated with a picture of Facebook founder Mark Zuckerberg that has been manipulated to apply a swastika to his sleeve.

The documents state that Facebook relies, in part, on the U.S. State Department's list of designated terrorist organizations, which includes groups such as al-Qaida, the Taliban and Boko Haram. But not all groups deemed terrorist by one country or another are included: A recent investigation by the Pakistan newspaper Dawn found that 41 of the 64 terrorist groups banned in Pakistan were operational on Facebook.

There is also a secret list, referred to but not included in the documents, of groups designated as hate organizations that are banned from Facebook. That list apparently doesn't include many Holocaust denial and white supremacist sites that are up on Facebook to this day, such as a group called "Alt-Reich Nation." A member of that group was recently charged with murdering a black college student in Maryland.

As the rules have multiplied, so have exceptions to them. Facebook's decision not to protect subsets of protected groups arose because some subgroups such as "female drivers" didn't seem especially sensitive. The default position was to allow free speech, according to a person familiar with the decision-making.

After the wave of Syrian immigrants began arriving in Europe, Facebook added a special "quasi-protected" category for migrants, according to the documents. They are only protected against calls for violence and dehumanizing generalizations, but not against calls for exclusion and degrading generalizations that are not dehumanizing. So, according to one document, migrants can be referred to as "filthy" but not called "filth." They cannot be likened to filth or disease "when the comparison is in the noun form," the document explains.

Facebook also added an exception to its ban against advocating for anyone to be sent to a concentration camp. "Nazis should be sent to a concentration camp," is allowed, the documents state, because Nazis themselves are a hate group.

The rule against posts that support violent resistance against a foreign occupier was developed because "we didn't want to be in a position of deciding who is a freedom fighter," Willner said. Facebook has since dropped the provision and revised its definition of terrorism to include nongovernmental organizations that carry out premeditated violence "to achieve a political, religious or ideological aim," according to a person familiar with the rules.

The Facebook policy appears to have had repercussions in many of the at least two dozen disputed territories around the world. When Russia occupied Crimea in March 2014, many Ukrainians experienced a surge in Facebook banning posts and suspending profiles. Facebook's director of policy for the region, Thomas Myrup Kristensen, acknowledged at the time that it "found a small number of accounts where we had incorrectly removed content. In each case, this was due to language that appeared to be hate speech but was being used in an ironic way. In these cases, we have restored the content."

Katerina Zolotareva, 34, a Kiev-based Ukrainian working in communications, has been blocked so often that she runs four accounts under her name. Although she supported the "Euromaidan" protests in February 2014 that antagonized Russia, spurring its military intervention in Crimea, she doesn't believe that Facebook took sides in the conflict. "There is war in almost every field of Ukrainian life," she says, "and when war starts, it also starts on Facebook."

In Western Sahara, a disputed territory occupied by Morocco, a group of journalists called Equipe Media say their account was disabled by Facebook, their primary way to reach the outside world. They had to open a new account, which remains active.

"We feel we have never posted anything against any law," said Mohammed Mayarah, the group's general coordinator. "We are a group of media activists. We have the aim to break the Moroccan media blockade imposed since it invaded and occupied Western Sahara."

In Israel, which captured territory from its neighbors in a 1967 war and has occupied it since, Palestinian groups are blocked so often that they have their own hashtag, #FbCensorsPalestine, for it. Last year, for instance, Facebook blocked the accounts of several editors for two leading Palestinian media outlets from the West Bank -- Quds News Network and Sheebab News Agency. After a couple of days, Facebook apologized and un-blocked the journalists' accounts. Earlier this year, Facebook blocked the account of Fatah, the Palestinian Authority's ruling party -- then un-blocked it and apologized.

Last year India cracked down on protesters in Kashmir, shooting pellet guns at them and shutting off cellphone service. Local insurgents are seeking autonomy for Kashmir, which is also caught in a territorial tussle between India and Pakistan. Posts of Kashmir activists were being deleted, and members of a group called the Kashmir Solidarity Network found that all of their Facebook accounts had been blocked on the same day.

Ather Zia, a member of the network and a professor of anthropology at the University of Northern Colorado, said that Facebook restored her account without explanation after two weeks. "We do not trust Facebook any more," she said. "I use Facebook, but it's almost this idea that we will be able to create awareness but then we might not be on it for long."

The rules are one thing. How they're applied is another. Bickert said Facebook conducts weekly audits of every single content reviewer's work to ensure that its rules are being followed consistently. But critics say that reviewers, who have to decide on each post within seconds, may vary in both interpretation and vigilance.

Facebook users who don't mince words in criticizing racism and police killings of racial minorities say that their posts are often taken down. Two years ago, Stacey Patton, a journalism professor at historically black Morgan State University in Baltimore, posed a provocative question on her Facebook page. She asked why "it's not a crime when White freelance vigilantes and agents of 'the state' are serial killers of unarmed Black people, but when Black people kill each other then we are 'animals' or 'criminals.'"

Although it doesn't appear to violate Facebook's policies against hate speech, her post was immediately removed, and her account was disabled for three days. Facebook didn't tell her why. "My posts get deleted about once a month," said Patton, who often writes about racial issues. She said she also is frequently put in Facebook "jail" -- locked out of her account for a period of time after a posting that breaks the rules.

"It's such emotional violence," Patton said. "Particularly as a black person, we're always having these discussions about mass incarceration, and then here's this fiber-optic space where you can express yourself. Then you say something that some anonymous person doesn't like and then you're in 'jail.'"

Didi Delgado, whose post stating that "white people are racist" was deleted, has been banned from Facebook so often that she has set up an account on another service called Patreon, where she posts the content that Facebook suppressed. In May, she deplored the increasingly common Facebook censorship of black activists in an article for Medium titled "Mark Zuckerberg Hates Black People."

Facebook also locked out Leslie Mac, a Michigan resident who runs a service called SafetyPinBox where subscribers contribute financially to "the fight for black liberation," according to her site. Her offense was writing a post stating "White folks. When racism happens in public -- YOUR SILENCE IS VIOLENCE."

The post does not appear to violate Facebook's policies. Facebook apologized and restored her account after TechCrunch wrote an article about Mac's punishment. Since then, Mac has written many other outspoken posts. But, "I have not had a single peep from Facebook," she said, while "not a single one of my black female friends who write about race or social justice have not been banned."

"My takeaway from the whole thing is: If you get publicity, they clean it right up," Mac said. Even so, like most of her friends, she maintains a separate Facebook account in case her main account gets blocked again.

Negative publicity has spurred other Facebook turnabouts as well. Consider the example of the iconic news photograph of a young naked girl running from a napalm bomb during the Vietnam War. Kate Klonick, a Ph.D. candidate at Yale Law School who has spent two years studying censorship operations at tech companies, said the photo had likely been deleted by Facebook thousands of times for violating its ban on nudity.

But last year, Facebook reversed itself after Norway's leading newspaper published a front-page open letter to Zuckerberg accusing him of "abusing his power" by deleting the photo from the newspaper's Facebook account.

Klonick said that while she admires Facebook's dedication to policing content on its website, she fears it is evolving into a place where celebrities, world leaders and other important people "are disproportionately the people who have the power to update the rules."

In December 2015, a month after terrorist attacks in Paris killed 130 people, the European Union began pressuring tech companies to work harder to prevent the spread of violent extremism online.

After a year of negotiations, Facebook, Microsoft, Twitter and YouTube agreed to the European Union's hate speech code of conduct, which commits them to review and remove the majority of valid complaints about illegal content within 24 hours and to be audited by European regulators. The first audit, in December, found that the companies were only reviewing 40 percent of hate speech within 24 hours, and only removing 28 percent of it. Since then, the tech companies have shortened their response times to reports of hate speech and increased the amount of content they are deleting, prompting criticism from free-speech advocates that too much is being censored.

Now the German government is considering legislation that would allow social networks such as Facebook to be fined up to 50 million euros if they don't remove hate speech and fake news quickly enough. Facebook recently posted an article assuring German lawmakers that it is deleting about 15,000 hate speech posts a month. Worldwide, over the last two months, Facebook deleted about 66,000 hate speech posts per week, vice president Richard Allan said in a statement Tuesday on the company's site.

Among posts that Facebook didn't delete were Donald Trump's comments on Muslims. Days after the Paris attacks, Trump, then running for president, posted on Facebook "calling for a total and complete shutdown of Muslims entering the United States until our country's representatives can figure out what is going on."

Candidate Trump's posting -- which has come back to haunt him in court decisions voiding his proposed travel ban -- appeared to violate Facebook's rules against "calls for exclusion" of a protected religious group. Zuckerberg decided to allow it because it was part of the political discourse, according to people familiar with the situation.

However, one person close to Facebook's decision-making said Trump may also have benefited from the exception for sub-groups. A Muslim ban could be interpreted as being directed against a sub-group, Muslim immigrants, and thus might not qualify as hate speech against a protected category.

Hannes Grassegger is a reporter for Das Magazin and Reportagen Magazine based in Zurich.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Bank Of New York Mellon Corporation Fined For 'Unsafe And Unsound' Practices

The Federal Reserve Board (FRB) announced on Tuesday that it had levied a $3 million fine against the Bank of New York Mellon Corporation (BNY Mellon) for "unsafe and unsound practices." The FRB announcement explained:

"In 2010, following a change in the relevant accounting rules, BNY Mellon consolidated a portfolio of collateralized loan obligations onto its balance sheet. BNY Mellon incorrectly assigned the assets a zero-risk weighting, which was improper under the rules in place at the time. As a result of its improper treatment of the portfolio BNY Mellon understated its reported risk-weighted assets and overstated its risk-based capital ratios for nearly 14 quarters."

Since the errors were identified, BNY Mellon has taken corrective action and is now in compliance. The Consent Order (Adobe PDF) dated June 26, 2017 stated:

"The Board of Governors hereby assesses BNY Mellon a civil money penalty in the amount of $3,000,000.00 which shall be paid upon the execution of this Order by Fedwire transfer of immediately available funds to the Federal Reserve Bank of Richmond... This penalty is a penalty paid to a government agency for a violation of law for purposes of 26 U.S.C. § 162(f) and 26 C.F.R. § 1.162-21. The Federal Reserve Bank of Richmond, on behalf of the Board of Governors, shall distribute this sum to the U.S. Department of the Treasury... Each provision of this Consent Penalty Assessment shall remain effective and enforceable until stayed, modified, terminated, or suspended in writing by the Board of Governors.

The Board of Governors hereby agrees not to initiate any further enforcement actions, including for civil money penalties, against BNY Mellon and its affiliates, successors, and assigns, with respect to the conduct that has been or might have been asserted by the Board of Governors described..."

Earlier this month, the FRB barred two former employees of Regions Bank from working within the banking industry, after both men -- Richard Henderson and Philip Cooper -- pled guilty to conspiracy to commit money laundering, and conspiracy to commit bank bribery and wire fraud. In late May, the FRB levied a $41 million penalty, plus a cease-and-desist order, against the U.S. operations of Deutsche Bank AG for anti-money laundering deficiencies.

BNY Mellon can easily afford this fine. In April, the bank reported first quarter earnings of $880 million on revenues of $3.84 billion. The bank has about $29 trillion in assets under custody and administration, and $1.6 trillion in assets under management.