Chicago Theft Ring Received Sentences For Card Skimming Crimes

In a Chicago court, several defendants were sentenced for card skimming thefts and fraud. The sentences ranged from six years of prison time for the ringleader to two years of probation for other members of the theft ring.

The thieves, working with employees at several fast-food restaurants in Chicago, had allegedly swiped consumers' debit/credit cards through small portable readers to obtain their card numbers. The theft ring then allegedly created fake cards with the stolen card numbers and purchased about $200,000 in merchandise.

Affected consumers had accounts at several banks: Chase, Citibank, Fifth Third Bank Harris Bank, U.S. Bank, Bank of America, and American Express. Reportedly, the banks assisted local law enforcement with the investigations. The seven defendants included:

• Joseph Woods, 33 (the ringleader)
• William Washington, 31
• Alex Houston, 23
• Britain Woods, 34
• Jenette Farrar, 35
• Essence Houston, 29
• Kenyetta Davis, 33,

Congratulations to both local law enforcement and the judicial system.

Former Employee At Web Hosting Service Arrested And Charged With Felony Computer Breaches

Ars Technica reported that Eric Gunnar Gisse, a former Hostgator employee, has been arrested and charged with felony computer breaches. Gisse allegedly used his position to install secret code that allowed him unauthorized, "back door" access to more than 2,700 Internet-connected computer servers. Gisse, of San Antonio, Texas is being held on $20,000 bail in the Harris County jail.

This highlights one risk with cloud computing services. Many companies outsource the operation of their website to third-party vendors, such as Houston-based Hostgator, that offer what the industry calls "web hosting services." This is not new.

As a usability professional who has worked with several digital agencies, I have seen this outsourcing repeatedly work well and data maintain security. The issue is when employees abuse their positions and either steal or expose the sensitive information of people who use the compromised web servers.

The C/Net website lists companies that provide web hosting services.

ACLU Files FTC Complaint Against Mobile Carriers About Smartphone Security Failures

The American Civil Liberties Union (ACLU) has filed a complaint via the U.S. Federal Trade Commission (FTC) against several mobile carriers for:

"... failing to warn their customers about unpatched security flaws in the software running on their phones... running versions of Google’s Android operating system. Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks."

The mobile carriers named in the complaint include AT&T Inc., Verizon Wireless, Sprint Nextel Corp., and T-Mobile USA. In its announcement, the ACLU also said:

"Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path... Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners."

Download the ACLU complaint (Adobe PDF, 438k bytes).

Hacker Sentenced To Prison For Sony Data Breach

You may remember a series of data breaches during 2011 at Sony Online Entertainment and the Sony Playstation Network. ComputerWorld reported that 25-year-old Cody Andrew Kretzinger was sentenced to one year plus one day in prison for his role in the May 2011 hack into Sony Picture's systems and databases. After serving prison time, Kretzinger will also serve one year of home detention.

Kretzinger was a member of the LulzSec hacker group. Another group member, Hector Xavier Monsegur, was arrested in June 2011 and then served as an F.B.I. informant. Monsegur will be sentenced in August 2013.

The Mugshot Industry. Accurate Information That Is Beneficial For Consumers?

Thursday night, ABC Nightline reported about problems consumers encountered with the mugshot industry -- websites that publish online photos of citizens arrested by law enforcement. While there have been very public, high-profile cases of celebrities' mugshots, the reality is that many consumers have been affected.

You've never heard of the mugshot industry? Neither had I until this Nightline report:

"Here's how it works, the sites legally download the latest mug shots from police web sites [that] published the faces of alleged lawbreakers on the Internet. And then often charge the accused of -- sometimes hundreds of dollars to pull all the photos..."

That's right. The sites charge consumers a fee, sometimes called a "take-down fee," to remove their mugshot photos. There are several problems with this. First, after paying one website to remove their mugshot photo, many consumers find that their mugshot photos re-appear on another website. Second, many sites don't consistently remove mugshot photos of consumers wrongfully arrested or found innocent by a court:

"... Sofia on Roddy says that was not her experience dealing with other companies she says she explained over and over again how she was the victim. And how the photos were preventing her from obtaining employment. And she provided these court document showing that prosecutors cleared her case. This was a wrongful arrests. And the case was dismissed by the state attorney's office. But her picture remains published..."

That does not sound good at all. According to ABC Nightline, there are 60 such mugshot websites. I searched online and easily found several within five minutes:

• Tampa Bay Mugshots (Florida)
• Busted! Mugshots
• Sarasota Mugshots (Florida)
• Springfield Mugshots (Missouri)
• Just Mugshots
• Shasta Mugshots (California)
• Gwinnett County Mugshots (Georgia)
• Mugshots Ocala (Florida)
• Mugshots Atlanta (Georgia)
• Go Upstate Mugshots (South Carolina)
• Cincy Mugshots (Ohio)
• Mugshots Gainsville (Florida)
• Who's Arrested

Some sites focus on a specific city or country, while others include several states and/or geographic areas. I am sure that some sites operate responsibly. Some are operated by newspapers. Why is this industry growing quickly? The ABC Nightline report interviewed one mugshot website operator, who admitted:

"Think of how many people have been arrested. Now put a small service fee on data -- of people and you can see why the industry is sort of taken off..."

Some consumers are fighting back. First, there is at least one blog about the mugshot industry. Increasing awareness among consumers is always good.

Second, in Florida legislators introduced a new bill (HB 677) to require mugshot website operators to automatically take down photos when consumers are found not guilty, or the charges were later dropped. That seems to be a very appropriate common-sense law.

Third, there is a class-action lawsuit in Ohio against several mugshot websites. According to Findlaw, the lawsuit claims:

"... these mugshot websites violate a person's right to publicity... to control how their own names and likenesses are used in the public domain, similar to how someone would own a copyright or patent... these mugshot websites may not publish such photos for the sole purpose of profiting off them, the lawsuit claims. The suit asserts that the websites' primary purpose for publishing these mugshot photos is so that those charged with a crime will pay money to remove their pictures."

The credit reporting industry is catching some most-deserved criticism about high error rates in credit reports. Plus, a couple federal laws govern and dictate a consistent process for consumers to report and challenge errors in credit reports. Accuracy seems important for the mugshot industry. HB 677 is a good start, but that is only one state. Issues with the mugshot industry are likely to continue until consumers pressure their elected officials for improved laws that better balance the privacy rights of consumers with the publishing rights of mugshot websites.

Watch the ABC News/Nightline report. And, learn more about the class-action lawsuit in Ohio.

What do you think of the mugshot industry? If you have been affected by, or paid a take-down fee to a mugshot website, what was your experience?

Michaels Stores Provide Policies And Class Action Notice On Sales Receipts

My wife and many of her friends like to quilt. They regularly visit retail stores and quilt shops for quilting supplies. This past weekend, my wife visited a Michaels store in Massachusetts. After paying (with cash) for her purchases, she received the following sales receipt:

The sales receipt mentions the store's coupon, exchanges, and returns policies, plus a recent class action lawsuit. The Michaels sales receipt says:

"Dear Valued Customer:

Our coupon policy is to accept one coupon per customer per day. Certain exclusions apply. Please review the exclusion on the coupon and speak with the manager on duty for any questions you may have. Thank You.

To return or exchange an item, customer is required to present a valid photo ID that will be swiped/recorded at the time of the return or exchange for return authorization purposes only. Receipt required within 60 days for refund on most products. Alternate rules apply to books, magazines, and technology and custom products. Returns without receipt will receive Store Return Card. Refunded amount will be the lowest sales price of the item within the last 90 days. Return polices are available at Michaels.com and in store."

One coupon per customer per day? That sounds very stingy and customer unfriendly, as if the store really doesn't want to accept any coupons. And, why use the sales receipt to deliver policy information? This seems customer unfriendly. I've seen promotions and contest information on sales receipts, but not detailed policy information. Simply, print the complete information on regular 8.5 x 11 inch sized paper which is more legible; and insert in each customer's bag. Plus, some customers prefer or require large-print notices.

If you compare the returns/exchanges language on the sales receipt to the store's online Return Policy for US residents (there is a separate Return Policy for Canadian residents), you will find that the online policy has additional language. Customers should not assume that the sales receipt mentions the entire return policy.

More importantly, I want to know why Michaels' return/exchange policy requires the scanning and retention of consumers' identification documents (e.g., driver's licenses, state-issued ID's, passports, and military ID's) even when customers have a receipt. This seems customer unfriendly. When a store requires a document like a driver's license to process a return or exchange, the store collects everything on that document: your address, Driver ID number, height, weight, hair and eye color, and birth date.

Does Michaels really need all of this information (e.g., my weight, eye and hair color) to process a return with a valid receipt? This data collection is legal when performed for fraud prevention. There seems to be nothing stopping retailers from using the data collected for other purposes, such as data mining and marketing.

If a consumer has a receipt, that should be all that is necessary. I did some brief checking and at least one' competitor, Jo-Ann Fabric & Craft Stores, does not require IDs for in-store product returns. Smaller local and mom-and-pop fabric/crafts stores probably have more customer-friendly policies, too.

The sales receipt does not mention a privacy policy. It should, since Michaels does have a privacy policy online at its website, with specific additions for residents of California, Nevada, Vermont, and Canada. However, that online privacy policy does not seem to mention its data retention and sharing polices with ID information collected via returns or exchanges.

Given its return/exchange policy, I want to know how long Michaels retains ID information and what other companies (by name) it shares that ID information with -- items a privacy policy typically state. Without a statement in its privacy policy, a retailer can do anything with that data collected. This ID information is very sensitive data. Customers need to know how long a store retains this information and who it is shared with. Otherwise, consumers cannot make an informed choice.

The sales receipt also says (links enabled):

"Michaels Data Breach Class Action (for more information, please go to www.michaelsdatasettlement.com)

Michaels has settled a lawsuit that allowed certain of its customer suffered damages as a result of a data breach at selected Michaels stores between January 1, 2011 and May 12, 2011. Michaels denies all of the claims."

Unfortunately, that last sentence is vague. It refers to claims alleged in the lawsuit and not claims submitted by data breach victims seeking reimbursement for damages. In May 2011, Michaels stores warned customers in Illinois, New Jersey, California, and 15 other states about the data breach. Criminals had reportedly tampered with in-store PIN pads in checkout lines (e.g., skimming) to steal debit and credit card data. Reportedly, 90 PIN pads were initially affected, but the retail chain later replaced about 7,200 PIN pads. About 94,000 consumer accounts were affected.

Browse the list of Michaels stores (Adobe PDF) affected by the data breach. The list included several stores in Massachusetts in Braintree, Burlington, Danvers, Everett, and Hanover. Customers can also visit the Consumer Notices page at the Michaels.com.

Skimming is a worldwide identity theft and fraud problem. Besides supermarkets and retail stores, criminals target bank ATM machines, gas station pumps, and contact-less (e.g., RFID) payment methods. Several states, including California and Washington, have already banned RFID skimming. Stolen debit card and PIN data gives thieves direct access to consumers' checking bank accounts.

The sales receipt also says:

"You are included in the class if you shopped in this Michaels store or in other selected Michaels stores during that period and your Payment Card was swiped on a PIN Pad terminal from which credit or debit card information was stolen. A complete list of affected Michaels stores can be found at www.michaelsdatasettlement.com. Customers whose credit or debit card information was stolen may receive monetary payment for documented unreimbursed monetary damages and/or credit monitoring services. To request such relief, you must submit a claim postmarked by May 25, 2013.

Unless you exclude yourself from the class by March 5, 2013, you will give up the right to ever sue Michaels about the legal claims the settlement resolves. If you stay in the class, you may object to the settlement by March 5, 2013.

The Court will hold a hearing on April 4, 2013, to consider whether to approve the settlement and payment of attorneys' fees and expenses. You may ask to appear and speak at the hearing."

The settlement agreement includes a $600,000 payment by Michaels stores, which could increase to $800,000 depending upon the volume of claims and reimbursements. If the entire $600,000 is not used, then the remainder will be donated to the Starlight Childrens Foundation, which works with seriously ill children.

I'm glad that my wife paid with cash. I hope that she buys her quilting supplies elsewhere in the future, and doesn't have to return or exchange any of her purchases made at Michaels stores.

Path Inc. Settles With FTC For COPPA And Privacy Violations With Its Mobile Apps

This morning, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with mobile app developer Path for COPPA and privacy violations where users' entire address books were uploaded and stored without notice nor consent. The terms of the settlement require Path Inc. to:

"... establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent."

The Path mobile app enables consumers to create and share journals with up to 150 friends. The app also enables users to upload, store, and share photos, notes, songs they are listening to, and their geolocation. At registration, users share their gender, phone number, and date of birth. The lawsuit filed by the FTC (Adobe PDF, 918 kbytes) alleged that Path:

"Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information online by operators of lnternet websites or online services... In version 2.0 of the Path App for iOS, regardless of whether the user elected to "Add Friends," Defendant automatically collected personal information from users' mobile device contacts (also known as the user's "address book") and stored the personal information on Defendant's servers. For each contact in the user's mobile device address book, Defendant automatically collected and stored the following personal information, if available: first name; last name; address; phone numbers; email addresses; Facebook username; Twitter username; and date of birth. The automatic collection and storage of personal information from the user's mobile device contacts occurred the first time the user launched version 2.0 of the Path App and, if the user signed out of the service, each time the user signed in again. This practice continued until February 8, 2012."

The complaint also alleged:

"From November 14, 2010, through May 4, 2012, Defendant accepted registrations from users who entered a date of birth indicating that the user was under the age of 13. As a result, Defendant knowingly collected email address, first name, last name, date of birth, and if provided, gender and phone number, from approximately 3,000 children under age 13... From November 29, 2011, through February 8, 2012, Defendant also knowingly collected from these children the following personal information for each contact in the child's mobile device address book, if available: first name, last name, address, phone numbers, email addresses, and date of birth... Defendant did not provide parents with a direct notice of its information practices prior to collecting, using, or disclosing children's personal information. Defendant did not obtain verifiable consent from parents prior to collecting, using, or disclosing children's personal information."

The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information. Kudos to the FTC for this settlement, although I wish the fine was far more.

However, Path Inc. faces other legal challenges including a class-action lawsuit about similar privacy violations. The class-action suit included more allegations that Path collected and shared more data with other companies, and tracked users with geo-tags.

To learn more, read about the COPPA Rule in the 2013 U.S. Federal Register (Adobe PDF, 590 kbytes).

Lawsuit Claims Instagram Performed Data Collection, Retention, And Tracking Via Its Mobile App Without Notice Or Users Consent

While Instagram, the popular photo-sharing website, made a fast retreat last month after releasing new Terms of Service and Privacy policies, it appears that there are more issues. During the holidays last month, a class-action lawsuit was filed against Instagram claiming unauthorized data collection, retention, and tracking via the photo sharing site's mobile app.

The complaint alleges that Instagram uploaded via its mobile app users' entire address books, accessed and modified both the geolocation and meta data in users' photos uploaded, collected and stored users' fine geolocation data, accessed users' data stored within Amazon-provided cloud-based services, and distributed users' sensitive personal data to third-party companies without notice nor consent. The complaint alleged that Instagram:

"... used Plaintiff's and Class Members' computing devices to access, use, disclose, retain, and store personal information ("PI"), personal identifying information ("PII"), and/or sensitive identifying information ("SII") derived in whole, or part, from Plaintiff and Class members' computing devices' contact address book, aggregating such data derived from the unauthorized access to, and use of Plaintiff and Class members' photo metadata, for purposes not granted..."

There is more. The complaint also states that the plaintiffs:

"... were unaware of the harm that would be imposed... including use, retention, and storage of their computing devices contact address data, installation of geo-tags for tracking, the misappropriate of their Mobile Device resources and bandwith... [the plaintiffs] had not knowledge that contact book data was obtained and stored on Defendant's servers and/or third-party servers, such as on Amazon EC2's remote servers and was stored in an unreasonably insecure manner contrary to accepted standards... [the plaintiffs] did not consent to having their data collected by Defendant. Had [the plaintiffs} known of Defendant's practices, they would not have downloaded its app..."

Of course, mobile apps that consume large amounts of consumers' data plan minutes are undesirable, and consumers should be provided with warnings by these apps. The suit was filed December 27, 2012 in Northern California District Court by attorneys Parisi & Havens LLP, Strange and Carpenter LLP, and the Law Office of Joseph H. Malley, P.C.. Recently, Facebook purchased Instagram in 2012 for $1 billion.

While reading the complaint, I recognized Malley's name, since he is often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, these attorneys know what they are doing.

For the lead plaintiff, Steven Gutierrez, the alleged data collection, retention, and tracking by Instagram affected his minor child and warnings weren't timely enough for consumers who registered and installed the Instagram app early on:

"... ignoring the intent of [the plaintiffs] that used Defendant's application to up upload and/or take photos using Defendant's application and also creating a digital dataset, link to their exact location, posted to a publicly accessible form that revealed their exact fine GPS settings, violating not only their privacy rights, but also posing a security risk, as evidenced by Plaintiff Steven Gutierrez, with his one year old daughter, pictured above, that included within the photo's metadata, the exact location where the picture was taken, his home, and a detailed map of the home's exact location... Defendant failed to adequately disclose, or obtain permission for such activities, evidenced by failing to provide a Terms of Service or Privacy Policy within its application or website for a period in excess of a year after its initial operation... Defendant's access to, deletion, modification, and use of Plaintiff and Class Members' metadata within their photos, was without notice or authorization, and is evidenced by an analysis of the photo metadata at various stages. In order to view such activity, a software program is required, such as the one at [Jeffrey's EXIF Viewer]... Defendant's alteration of the digital content's metadata, in addition to the inclusion of fine GPS actual coordinates, provided a Unique Identifier..."

Photo metadata includes a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata, a company can tell a lot about you, your purchases, and your lifestyle.

If Instagram adds fine geolocation data to photos after upload, then this is very troubling. For privacy reasons and safety, many consumers turn off the camera setting on their smart phones that automatically adds GPS data to each photo and video taken. By re-adding this geolocaton data later to photos/videos uploaded, Instragram is overriding and ignoring users' privacy choices, and enabling tracking of consumers in the real world.

The complaint is rich with detail. Of course it provides background information on the Instagram service, its mobile apps, and usage terms/policy. The complaint also includes information about the public outcry about the new usage terms/policy which it later reversed, smart phone technologies, online tracking, cloud computing, photo metadata, and U.S. Congressional correspondence about app privacy. About the data collection, the complaint states:

"Defendant did not deny it had obtained Plaintiff's and Class Members' contact address data, but attempted to diminish the impact of its public relations nightmare by providing an immediate "Mea Culpa," of sorts, staying out of the press, and quietly adding a new pop-up requesting user authority to obtain contact address data information all users... Defendant's public response that it's activities were a common practice was without merit upon review of the app store guidelines..."

For consumers, letting mobile apps upload your entire address book is a bad idea for several reasons. First, the contact data is valuable to spammers and identity criminals because both issue fake messages (e-mail or text) pretending to be a relative or friend to trick consumers to making payments or disclosing other sensitive data. Second, many consumers use their smart phones for both business and pleasure. That means, the data collected contains valuable business contacts, useful to both advertisers and spies -- a corporate espionage risk.

I really like how the complaint describes in great detail the damages with specific dollar amounts for affected smart phone users. The lawsuit also highlights the issue of who ultimately controls image (e.g., photograph, video) metadata -- the consumer or the social networking service.

View the Gutierrez et. al. vs Instagram Inc. complaint (Adobe PDF, 1.8 Mbytes). Learn more about:

• Amazon Web Services
• How Facebook handles photo metadata
• A new web app by students at Rutgers University that combines Google Street View with GPS metadata from photos uploaded to Instagram to track where photos were taken

California AG Files Lawsuit Against Delta Airlines For Mobile App

Earlier this month, the California Attorney General (AG) announced a lawsuit against Delta Airlines regarding the company's mobile app for failing to comply with the state's Online Privacy Protection Act:

"The complaint alleges that since at least 2010, Delta has operated a mobile app called “Fly Delta” for use on smartphones and other electronic devices. The Fly Delta app may be used to check-in online for an airplane flight, view reservations for air travel, rebook cancelled or missed flights, pay for checked baggage, track checked baggage, access a user’s frequent flyer account, take photographs, and even save a user’s geo-location. Despite collecting substantial personally identifiable information such as a user’s full name, telephone number, email address, frequent flyer account number and pin code, photographs, and geo-location, the Fly Delta application does not have a privacy policy."

In November of this year, the California Attorney General's office notified several mobilde device app developers that their apps were in violation of the state's privacy law. The consequences for a non-compliant app includes $2,500 for each violation.

Giving Thanks Where Thanks Are Due: The Privacy Crusader

Readers of this blog know that I've written about several high-profile data breaches and the class-action lawsuits associated with them. As the Thanksgiving holiday approaches here in the United States, it is time to give thanks where thanks are due.

I would like to give a warm, heartfelt thanks to the Privacy Crusader, attorney Joseph Malley, for all of his hard work protecting consumers -- both adults and children. You may not know of all of the cases he has been involved in, and the results:

Class Action	Year	Results
1. Stealth tracking of Safari browser users class-action / Villegas et al v. Google and Google Inc. Cookie Placement Consumer Privacy Litigation	2012	Several class-action combined. Selected as co-lead counsel
2. Mobile app collects address book data without notice nor consent / Hernandez et al v. Path	2012	Federal judge rules class action can proceed on several counts
3. Zombie E-tags / Couch et. al. v Space Pencil (DBA KISSmetrics) and Hulu	2011-12	KISSmetrics to pay about $500,000 to settle
4. Mobile apps tracking children / Hines et al. v OpenFeint	2011	Lorem ipsum
5. Hillman et al. v Ringleader et al	2010-11	Ringleader may have ceased operations
6. Zombie cookies tracking / Valdez et al. v Quantcast et al.	2010	Quantcast pays $2.4 million to settle
7. Simon et al. v. Adzilla et al.	2009-10	Adzilla quietly settles
8. Deep packet inspection / Valentine et al. v NebuAd et. al.	2008-09	NebuAd closes after lawsuit and lost clients
9. Facebook Beacon Program / Lane et al. v Facebook et al.	2009-10	Facebook settles for $9.5 million

When the U.S. Congress fails to provide timely, appropriate legislation to protect consumers, it is a perfectly natural result for consumers to band together legally to protect themselves and their sensitive personal information; regardless of companies that insert clauses in their service agreements that limit consumers' rights by preventing class-action suits.

If you are a consumer who has suffered from a company data breach or privacy abuse, you now know who to call.

Microsoft Adds No-Class-Action Clause To Its Services Agreement

During the weekend, I spent some time reading the new Microsoft Services Agreement, which includes a clause prohibiting users from suing the company in a class-action lawsuit. Microsoft updated its agreement on August 19, 2012 and the new clauses wnet into effect on October 19. 2012. The new no-class-action clause is important because it affects consumers' rights to sue collectively.

The updated agreement:

"IF YOU LIVE IN THE UNITED STATES, SECTION 10 CONTAINS A BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER. IT AFFECTS YOUR RIGHTS ABOUT HOW TO RESOLVE ANY DISPUTE WITH MICROSOFT. PLEASE READ IT... "

If you use any of the following Microsoft services, then this applies to you: Microsoft Hotmail, Microsoft SkyDrive, Microsoft account, Windows Live Messenger, Windows Photo Gallery, Windows Movie Maker, Microsoft Mail Desktop, Windows Live Writer Bing, MSN, Office.com, and any other Microsoft products or services that refer to this service agreement. A portion of the new clause:

"This section applies to any dispute EXCEPT IT DOESN'T INCLUDE A DISPUTE RELATING TO THE ENFORCEMENT OR VALIDITY OF YOUR, MICROSOFT’S, OR EITHER OF OUR LICENSORS’ INTELLECTUAL PROPERTY RIGHTS. The term “dispute” means any dispute, action, or other controversy between you and Microsoft concerning the services (including their price) or this agreement... In the event of a dispute, you or Microsoft must give the other a Notice of Dispute, which is a written statement that sets forth the name, address, and contact information of the party giving it, the facts giving rise to the dispute, and the relief requested. You must send any Notice of Dispute by U.S. Mail to Microsoft Corporation, ATTN: LCA ARBITRATION, One Microsoft Way, Redmond, WA 98052-6399, US. A form is available on the Legal and Corporate Affairs (LCA)website..."

This is also important for several reasons. First, because it limits consumers' rights. Class-action lawsuits are one method available to consumers when state, local, or federal laws provide no or insufficient protections. Examples include new marketing programs or data breaches that fail to protect users' sensitive personal information.

Second, Microsoft is one of several companies that have included no-class-action lawsuits in their service agreements. The MediaPost Daily Examiner reported:

"Since the Supreme Court upheld AT&T's mandatory arbitration clause last year, more and more tech companies -- including Netflix, eBay, and Paypal -- are revising their terms of service to provide that consumers have no right to bring class-actions."

Of course, companies have a write to add clauses into their agreements, where allowed by federal, state, or local laws. And consumers have a right to accept or reject new clauses like this.

Companies with no-class-action clauses are effectively saying publicly that they want to limit their liability when bad things happen. For consumers that prefer products andr services that stands by their users when bad things happen, this new clause means you should shop around for an alternative.

What is your opinion of the new clause?

Class Action Settlement Proceeds With Bank Of America Credit Protection Service Customers

Back in August 2012, Bank of America agreed to pay $20 million to settle a class-action lawsuit about alleged deceptive marketing with its credit protection services. Also in August, the bank announced that it had decided to independently stop accepting new customers for its credit protection services and to terminate its credit protection services in 2013.

Recently, a relative received the postcard below from Gilardi & Company LLC, the administrator for the class-action settlement. Because the reply mechanism with the postcard asked for sensitive personal information, that relative asked me to investigate:

Gilardi has set up www.creditprotectionsettlement.com for consumers who subscribed to a credit protection service from Bank of America between January 1, 2006 and July 17, 2012. You may be eligible for a payment, which could be $50 or $100 depending upon your situation. You must submit a claim to receive payment. Key upcoming deadline dates:

• December 13, 2012 to opt out of the settlement agreement
• December 13, 2012 to submit objections about why you do not like the settlement agreement
• January 14, 2013: Fairness Hearing
• February 26, 2013 to submit a claim

Compete Settles With FTC About Alleged Secret Tracking And Data Security

In a press release, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with Compete Inc., a Boston-based Internet analytics firm, about alleged data collection without fully notifying consumers and failures to adequately protect the collected information. According to the FTC:

"... Compete got consumers to download its tracking software in several ways, including by urging them to join a “Consumer Input Panel” that was promoted using ads that pointed consumers to Compete’s website, www.consumerinput.com. Compete told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services... The proposed settlement will require that Compete obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers, that the company delete or anonymize the use of the consumer data it already has collected, and that it provide directions to consumers for uninstalling its software... the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years."

The proposed settlement is open for comment by the public until November 19, 2012. After that time, the FTC will decide whether or not to make the proposed settlement final.

KISSmetrics To Pay About $500,000 To Settle Class Action Lawsuit

Several news sources reported that KISSmetrics, an online analytics company, agreed to pay about $500,000 to settle a class-action lawsuit, which alleged that the company used a combination of newer Internet technologies, commonly referred to as "Zombie E-tags," to track consumers without notice nor consent. Reportedly, terms of the proposed settlement include a $2,500 payment to each plaintiff and $500,000 to the attorneys.

MediaPost reported:

"The proposed settlement calls for an injunction banning KISSmetrics from using ETags (or other hard-to-delete cookies) to "repopulate HTTP cookies or as an alternative method to HTTP cookies for acquiring or storing information about a user’s Web browsing activity and history, without reasonable notice and choice..."

A federal judge must approve the proposed settlement. Congratulations to the attorneys and to the plaintiffs. A second class-action lawsuit is still in play.

Federal Judge Rules Class Action Against Path Can Proceed On Several Counts

On October 17, a federal judge ruled that a class-action lawsuit against Path Inc. can proceed on several counts. Earlier this year, the class-action suit was filed in federal court in northern California for alleged unfair, deceptive, and unlawful business practices that abused consumers' privacy with a mobile device app that collected address book information without notice nor consent, and allegedly had also installed tracking software on mobile devices without notice nor consent.

In the lawsuit, the plaintiffs had identified three areas of harm by the Path app:

"... (1) diminished mobile device resources, such as storage, battery life, and bandwidth; (2) increased, unexpected, and unreasonable risk to the security of sensitive personal information; and (3) future costs to remove embedded code from media files uploaded through the Path App."

While the court rejected two of these three, it agreed with the plaintiffs who had documented the substantial cost to removed the tracking software from their mobile devices. The court upheld that the plaintiffs had sufficient "standing" to proceed with the class-action. This is good because courts have ruled that some prior class-action suits have failed to show the harm.

Below are the court's rulings on each of the ten (10) claims listed in the original complaint:

Plaintiffs' Claims	Court Ruling On Defendant's Motions To Dismiss
1. Violations of the Electronic Communications Privacy Act 18 U.S.C. 2510	Granted, but claim can be included in suit if amended
2. Violations of the Stored Communications Act	Granted, but claim can be included in suit if amended
3. Violations of the California Computer Crime Law, California Penal Code § 502	Denied
4. Violations of California’s Invasion of Privacy Act, California Penal Code 630	Granted, but claim can be included in suit if amended
5. Violations of the California Unfair Competition Law, California Business and Professions Code 17200	Denied
6. Invasion of Privacy and Seclusion and Public Disclosure of Private Facts	Granted, but claim can be included in suit if amended
7. Negligence	Denied
8. Conversion	Granted, but claim can be included in suit if amended
9. Trespass to Personal Property	Granted, but claim can be included in suit if amended
10. Unjust Enrichment	Denied

Download the court order (322 K bytes; Adobe PDF) in Hernandez v Path.

Equifax And Its Customers To Pay $1.6 Million In FTC Settlement About Alleged Improper List Sales

This morning, the U.S. Federal Trade Commission (FTC) announced that Equifax Information Services LLC., the credit reporting agency, and some of its customers, had agreed to pay $1.6 million to settle allegations about the improper sales of customer lists between January 2008 and early 2010. In a lawsuit (Adobe PDF) filed in U.S. Distrcit Court in Southern California, the FTC alleged that the sales of customer lists violated the Fair Credit Reporting Act (FCRA):

"Defendants buy and sell “prescreened lists,” which are lists of consumers that meet certain pre-selected credit criteria. For example, in this case, Defendants bought and sold “prescreened lists” of consumers who were, among other things, 30, 60, or 90 days late on their mortgage payments... Information such as whether a consumer is 30, 60, or 90 days late on their mortgage bears on, among other things, a consumer’s credit worthiness and credit standing and is used or expected to be used as a factor in determining a consumer’s eligibility for credit. Section 604(f) of the FCRA, 15 U.S.C. §1681b(f), prohibits persons from using or obtaining consumer reports in the absence of a “permissible purpose.” In addition, Section 607(e) of the FCRA, 15 U.S.C. § 1681e(e), requires persons who procure consumer reports for resale to establish and comply with reasonable procedures designed to ensure that the consumer reports are only resold for a permissible purpose. The only permissible purpose for using a prescreened list is to make a firm offer of credit or insurance..."

The following companies and individuals were named as defendants in the complaint:

• Equifax Information Services
• Direct Lending Source, Inc., based in Key Largo, Florida
• Bailey & Associates Advertising, Inc., based in Florida and with in El Paso, Texas and San Diego, California
  Virtual Lending Source, LLC, based in San Diego, California
• Robert M. Bailey, Jr., the Executive Vice President of Direct Lending, Bailey & Associates, and Virtual Lending
• Linda Giordano, President of Direct Lending, Bailey & Associates, and Virtual Lending and an owner of Bailey & Associates and Virtual Lending

Terms of the settlements require Equifax to pay $393,000 for alleged inadequate procedures that led to the sale of lists of consumer information to companies that it should not have sold the information to. According to the FTC, Equifax sold more than 17,000 prescreened lists of consumers to companies including Direct Lending Source, Inc., which subsequently resold some lists to third parties, who used their data to pitch loan modification and debt relief services to people in financial distress. Direct Lending Source will pay a $1.2 million civil penalty,and will be barred from using or selling prescreened lists.

American Express Centurion Bank To Pay $112 Million To Settle Deceptive Credit Card Marketing And Debt Collection Practices

American Express Centurion Bank has agreed to pay $112 million to settle allegations of deceptive credit card marketing and debt collection practices. The Consumer Financial Protection Bureau (CFPB) and the Federal Deposit Insurance Corporation (FDIC) announced the settlement this week.

The FDIC, the Utah Department of Financial Institutions (UDFI), the CFPB, and the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System had all took separate actions against the bank. The settlement agreement requires the bank to pay $85 million to reimburse more than 250,000 affected consumers, and to pay $27 million in civil penalties.

The investigations found violations between 2003 and the spring of 2012. The affected consumers included people who had signed up for the American Express "Blue Sky"credit card program. The bank promised them $300 in bonus points that were never provided. According to the CFPB:

"... American Express Centurion Bank and American Express Bank, FSB billed late fees on certain cards based on a percentage of the debt in violation of the Credit CARD Act... American Express Centurion Bank used a credit scoring system that treated charge card applicants differently on the basis of age. For a period of time, the bank did not fully implement the system for applicants over the age of 35. This violated the Equal Credit Opportunity Act because it requires credit scoring systems that take age into account to be properly designed and implemented... American Express Centurion Bank and American Express Bank, FSB failed to report the existence of certain customer disputes to credit bureaus, which is a violation of the Fair Credit Reporting Act... All three of the American Express subsidiaries deceived consumers into believing there were certain benefits to paying off old debt. Consumers were wrongly told that if they paid off the old debt, the payment would be reported to credit bureaus and could improve their credit scores. In fact, American Express was not reporting the payments and the debts were so old that even if they had tried to report them, many of the payments would not have appeared on these consumers’ credit reports or affected their credit scores..."

American Express Centurion Bank, a subsidiary of American Express Travel Related Services Inc., is based in Salt Lake City, Utah. In a press release, the CFPB emphasized that affected consumers do not need to do anything to receive payments:

"...If the consumer no longer holds the American Express card, American Express will mail a check or credit any outstanding balance.Customers who were promised $300 for signing up for a Blue Sky Credit Card will get the $300. Consumers who paid an illegal late fee will be reimbursed, with interest. Consumers who paid old debt in response to deceptive promises to report payment to credit bureaus will be reimbursed the money they paid plus interest. Consumers who were promised their debt would be forgiven but were denied new American Express cards because the debt was not really forgiven, will receive $100 and a pre-approved offer for a new card with terms we and the FDIC find acceptable. If the consumer already paid the waived or forgiven amount in order to get a new card, they will be refunded that amount plus interest."

[Correction: an earlier version mentioned $102 million. The correct amount of reimbursements and penalties equals $112 million.]

Anthem Blue Cross Settles With California Attorney General Over Data Breach

Everyone who is security conscious knows that a business should never printer consumers' Social Security numbers on health care identification cards, statements, and letters. Doing so facilitates identity theft, fraud, and medical identity theft -- a big help for identity thieves.

Yesterday, the California Attorney General announced both a lawsuit and settlement involving Blue Cross of California, which operates under the name Anthem Blue Cross. The lawsuit, filed in Los Angeles Superior Court today along with the settlement, alleged that Anthem printed Social Security numbers on letters it mailed to more than 33,000 from April 2011 and March 2012. The lawsuit claimed that this violate state law prohibiting the disclosure of Social Security numbers. After the breach, Anthem offered those subscribers one year of free credit monitoring.

This blog has discussed repeatedly how the risk of identity theft doesn't end after a year or two - typically the period businesses offer breach victims free credit monitoring services. Identity criminals will use stolen credentials until they know the credentials are no longer usable.

Terms of the settlement include a $150,000 payment and:

"... requires Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers and provide enhanced data security training for all of its associates."

The fine seems light since this is not the first breach involving Anthem. A breach of the company's website in June 2010 affected about 470,000 subscribers nationwide.

Mobile Marketing Company To Pay $500K Settlement Fine For Text Message Spam

This past weekend, the office of the New York State Attorney General announced a settlement with Game Theory LLC, a mobile content company. Game Theory agreed to pay a $500,000 settlement for allegedly sending deceptive text messages that tricked New York State residents into signing up for monthly text messages costing $9.99 per month:

"These charges appeared on the victim’s wireless telephone bill in a way that was difficult to detect. For months, consumers would pay for text messages they did not want before they realized they were being charged. For example, between May 23, 2011 and July 5, 2011, Game Theory sent text messages claiming that the recipients had a “secret crush,” and that the recipient needed to respond “yes” to find out who it was. However, in the process of finding out the identity of the “secret crush,” the recipient was also unknowingly signing-up for a text message service..."

Game Theory reportedly sent 150,000 such text messages to the mobile phones of New York State residents. Terms of the settlement require the company to exit the text messaging business.

Security experts advise consumers to never respond to unsolicited text messages, including those that claim a reply is necessary to stop any charges. Consumers should report text message spam and fraudulent mobile phone charges to their mobile service provider, and ask their provider to block those third-party charges. Consumers can also report this fraud to their state consumer protection agency, and to the U.S. Federal Trade Commission (FTC).

It is important for parents to remind and teach their children of good mobile device security habits, including how to recognize and delete smishing text messages.

Court Rules Online Video Streaming Is Protected By VPPA

If you have a broadband Internet connection at home, you probably download or stream videos and movies. What you may not know is that several companies are working and lobbying to roll back privacy protections for consumers regarding your video and movie usage.

Fierce Online Video reported (links added):

"A Northern California court has ruled that the Video Privacy Protection Act (VPPA), a 1998 law enacted during the era of movie rental stores, applies to online video service providers as the modern-day extensions of those old brick-and-mortar structures... Hulu, which is owned by News Corp., Comcast's NBCUniversal, Providence Equity Partners and Walt Disney Co. had claimed that VPPA was not relevant because it covered only information about consumers who obtained physical objects from physical stores."

The ruling occurred in the Northern District Court of California (San Francisco). The suit (Garvey et al v KISSmetrics) included Hulu as a co-defendant, and was the consolidation of several class-action lawsuits, one of which was Couch et. al v KISSmetrics et. al (PDF - 6.3 MBytes). The plaintiffs in that complaint were represented by a familiar name: the Law Office of Joseph Malley. The Privacy Cruasader strikes again!

Some news outlets reported that Hulu.com was sued because of the VPPA. That isn't accurate. Hulu.com, and several other companies, were sued becuase they allegedly used "Zombie E-Tags" to track consumers without notice and without consent. This blog reported about that suit back in October, 2011. Hulu.com (and several  defendant companies) attempted to use the VPPA as a defense, which the court rejected.

So, for better (or worse) the actions of these defendant companies have brought attention to the VPPA, which some lawmakers in Congress believe needs to be modified. Later during 2011, Hulu stopped using KISSmetrics to track subscribers' online usage after researchers documented that consumers could not avoid nor opt out of it. Fierce Online Video also reported (links added):

"... other streaming video services are watching intently. Netflix, for instance, wants to create a similar link between its video service and Facebook."

So, it will be very interesting to watch how various online video/movie distribution outlets respond, given the court's rejection of the VPPA as a defense. Earlier this year, Netflix paid $9 million to settle a class-action  lawsuit which alleged that the company illegally retained and shared subscribers' video habits.

Providence Equity Partners is a global private equity firm (similar to Bain & Company) with $23 billion under management. It invests in media, entertainment, and education companies. The Providence, Rhode Island-based firm has offices in Beijing, Hong Kong, London, New Delhi, and New York. Rumors suggest that the firm wants to invest in Electronic Arts, a video game company. In its website, the firm describes itself:

"We partner with companies across different stages in their development, from growth capital and complex recapitalizations of family-owned businesses to large buyouts and take-privates. We can employ a variety of financing structures and target equity investments of $150 million to $800 million. We prefer to lead our investments, serve on company boards, and work collaboratively with company management. From broadband to broadcast, music to film, wireline to wireless, publishing to Internet, we bring unparalleled industry, financial and operational expertise to each of our portfolio companies."

News Corporation owns several newspaper and media companies, including the Wall Street Journal, Fox News, and several British newspapers recently involved in the bribery and mobile phone hacking scandals. The scandals resulted in numerous arrests, several lawsuits, and have cost the company about $224 million. Comcast delivers cable television services throughout most of the United States.

To learn more about the VPPA, visit the EPIC site. Several states have enacted similar legislation to provide consumers with greater protections. You can also read the full text of the VPPA, which is also available here.

Consumer privacy protections will become increasingly more important as video content migrates from older distribution channels to newer ones. Companies would love to profit by selling your movie-viewing habits to marketers and other third-party companies. (And, it's probably easier to profit when there are fewer laws protecting consumers' privacy.) What you watch says a lot about you, your values, your health, and your lifestyle. Fortunately, the judge ruled that when it comes to movies, video is video no matter how it is delivered.

Astute readers noticed that I mentioned the word "lobbying" in the opening paragraph. This blog will discuss that later this week.