"Carl Ferrer, the chief executive of Backpage.com whose name was conspicuously absent from an indictment of seven other Backpage officials unsealed Monday, has pleaded guilty in state courts in California and Texas and federal court in Arizona to charges of money laundering and conspiracy to facilitate prostitution. In addition, he agreed to testify against the men who co-founded Backpage with him, Michael Lacey and James Larkin, who remained in jail Thursday in Arizona on facilitating prostitution charges. Backpage, in addition to hosting thinly veiled ads for prostitution since 2004, was accused of hosting child sex trafficking ads on its site... Court records show that Ferrer pleaded guilty to conspiracy to facilitate prostitution and money laundering in federal court in Phoenix on April 5, with the hearing and documents sealed. Backpage.com also pleaded guilty, by Ferrer as the CEO, to a money laundering conspiracy in Phoenix, where Backpage was created. Ferrer then on Monday appeared in state court in Corpus Christi, Texas, where he personally pleaded guilty to money laundering..."
In February 2017, in response to a ProPublica investigation, Facebook pledged to crack down on efforts by advertisers of rental housing to discriminate against tenants based on race, disability, gender and other characteristics.
But a new lawsuit, filed Tuesday by the National Fair Housing Alliance in U.S. District Court in the Southern District of New York, alleges that the world’s largest social network still allows advertisers to discriminate against legally protected groups, including mothers, the disabled and Spanish-language speakers.
Since 2018 marks the 50th anniversary of the Fair Housing Act, "it is all the more egregious and shocking" that "Facebook continues to enable landlords and real estate brokers to bar families with children, women and others from receiving rental and sales ads or housing," the lawsuit states. It asks the court, among other things, to declare that Facebook’s policies violate fair housing laws, to bar the company from publishing discriminatory ads, and to require it to develop and make public a written fair housing policy for advertising.
Diane Houk, lead counsel for the alliance, said this type of discrimination is especially difficult to uncover and combat. "The person who is being discriminated against has no way to know" it, because the technology "keeps the discrimination hidden in hopes that it will not be caught," she said.
Facebook disputes the housing groups’ allegations. "There is absolutely no place for discrimination on Facebook. We believe this lawsuit is without merit, and we will defend ourselves vigorously," said Facebook spokesman Joe Osborne.
The lawsuit adds to Facebook’s woes, which are mounting on multiple fronts. The company’s stock plunged last week on the news that it had allowed a voter-profiling outfit, Cambridge Analytica, to obtain data on 50 million of its users without their knowledge or consent. The news came after a troubling year in which, among other things, Facebook admitted that it unwittingly allowed a Russian disinformation operation on its platform and had been promoting fake news in its News Feed algorithm. As a result, lawmakers and regulators around the world have launched investigations into Facebook.
Discrimination in housing advertising has been a persistent problem for Facebook. In October 2016, we described how Facebook let advertisers exclude specific groups with what it called "ethnic affinities," including blacks and Hispanics, from seeing ads. Although Facebook responded by announcing it had built a system to flag and reject these ads, we bought dozens of rental housing ads in November 2017 that we specified would not be shown to blacks, Jews, people interested in wheelchair ramps and other groups.
It wasn’t until ProPublica brought the issue of advertising discrimination on Facebook to light, Houk said, that fair housing advocates learned of it. Emulating ProPublica’s technique, the Washington, D.C.-based national fair housing group, along with member groups in New York, San Antonio and Miami created fake housing companies and placed discriminatory ads on Facebook. The ads were approved by Facebook over a period of a few months, with the most recent buys occurring on Feb. 23.
Using Facebook’s dropdown "exclusion" menu, they were able to buy housing ads that blocked groups such as "trendy moms," "soccer moms," "parents with teenagers," people interested in a disabled parking permit and people interested in Telemundo, the Spanish-language television network.
The Fair Housing Act makes it illegal to publish any advertisement "with respect to the sale or rental of a dwelling that indicates any preference, limitation or discrimination based on race, color, religion, sex, handicap, familial status or national origin." Violators may face tens of thousands of dollars in fines.
After ProPublica’s investigation, Facebook added a self-certification option, which asks housing advertisers to certify that their advertisement is not discriminatory. In some cases, Houk said, the housing groups encountered the self-certification option, and did not submit the ads to Facebook for approval and publication. But that only happened in some of the ad buys, she said.
Since advertisers can falsely attest to fairness, the self-certification screens don’t "seem like a whole-hearted commitment to trying to change the advertising platform to comply with the Fair Housing Act and local fair housing laws," Houk said.
A couple of weeks after the groups bought housing ads, so did ProPublica (independently) — and we excluded some of the same categories, such as "soccer moms." In most of those tests, we encountered self-certification screens. However, when we bought another housing ad this week, we were able to exclude people interested in Telemundo.
Houk said there were so many possible explanations for the difference in results — such as the number of categories excluded or the types of exclusions sought — that it was impossible to speculate about what caused many of her clients’ ad purchases to be approved but not ProPublica’s.
Both the fair housing groups and ProPublica found that Facebook has blocked the use of race as an exclusion category — as it promised to do in November. Facebook rejected a ProPublica housing ad that was specifically aimed at African Americans. It also denied our attempts to buy employment ads targeted by race, and removed a job listing with a question designed to filter by race. However, the housing groups’ and ProPublica’s ability to exclude people interested in Telemundo suggests that advertisers could still discriminate by using proxies for race or ethnicity.
In a separate federal case in California, challenging Facebook’s use of racial exclusions in ad targeting, Facebook has argued that it has immunity against liability for such discrimination. It cited Section 230 of the 1996 federal Communications Decency Act, which protects internet companies from liability for third-party content.
"Advertisers, not Facebook, are responsible for both the content of their ads and what targeting criteria to use, if any," Facebook contended.
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.
Last week, the U.S. Securities and Exchange Commission (SEC) charged a former Equifax executive with insider trading. While an employee, Jun Ying allegedly used confidential information to dump stock and avoid losses before Equifax announced its massive data breach in September, 2017.
"... charged a former chief information officer of a U.S. business unit of Equifax with insider trading in advance of the company’s September 2017 announcement about a massive data breach that exposed the social security numbers and other personal information of about 148 million U.S. customers... The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief... According to the SEC’s complaint, Jun Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach. The SEC alleges that before Equifax’s public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million. According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than $117,000 in losses... The U.S. Attorney’s Office for the Northern District of Georgia today announced parallel criminal charges against Ying."
"... found out about the breach on Friday afternoon, August 25, 2017... The SEC complaint says that Ying’s internet browsing history shows he learned that Experian’s stock price had dropped approximately 4% after the public announcement of [a prior 2015] Experian breach. Later Monday morning, Ying exercised all of his available stock options for 6,815 shares of Equifax stock that he immediately sold for over $950,000, and a gain of over $480,000... on Aug. 30, the global CIO for Equifax officially told Ying that it was Equifax that had been breached. One of the company’s attorneys, unaware that Ying had already traded on the information, told Ying that the news about the breach was confidential, should not be shared with anyone, and that Ying should not trade in Equifax securities. According the SEC complaint, Ying did not volunteer the fact that he had exercised and sold all of his vested Equifax options two days before. Equifax finally announced the breach on Sept. 7, and Equifax common stock closed at $123.23 the next day, a drop of $19.49 or nearly 14%..."
"When the 9th U.S. Circuit Court of Appeals ruled, in September 2016, that the Federal Trade Commission did not have the authority to regulate AT&T because it was a “common carrier,” which only the Federal Communications Commission can regulate, the decision created what many in privacy foresaw as a “regulatory doughnut hole.” Indeed, when the FCC, in repealing its broadband privacy rules, decided to hand over all privacy regulation of internet service providers to the FTC, the predicted situation came about: The courts said “common carriers” could only be regulated by the FCC, but the FCC says only the FTC should be regulating privacy. So, was there no regulator to oversee a company like AT&T’s privacy practices?
Indeed, argued Gigi Sohn, formerly counsel to then-FCC Chair Tom Wheeler, “The new FCC/FTC relationship lets consumers know they’re getting screwed. But much beyond that, they don’t have any recourse.” Now, things have changed once again. With an en banc decision, the 9th Circuit has reversed itself... This reversal of its previous decision by the 9th Circuit now allows the FTC to go forward with its case against AT&T and what it says were deceptive throttling practices, but it also now allows the FTC to once again regulate internet service providers’ data-handling and cybersecurity practices if they come in the context of activities that are outside their activities as common carriers."
"No touch" is probably a more accurate description. A prior blog post listed many historical problems and abuses of consumers by some ISPs. Consumers should buckle up, as ISPs slowly unveiled their plans in a world without net neutrality protections for consumers. What might that look like? What has AT&T said about this?
"Net neutrality has been an emotional issue for a lot of people over the past 10 years... For much of those 10 years, there has been relative agreement over what those rules should be: don’t block websites; censor online content; or throttle, degrade or discriminate in network performance based on content; and disclose to consumers how you manage your network to make that happen. AT&T has been publicly committed to those principles... But no discussion of net neutrality would be complete without also addressing the topic of paid prioritization. Let me start by saying that the issue of paid prioritization has always been hazy and theoretical. The business models for services that would require end-to-end management have only recently begun to come into focus... Let me clear about this – AT&T is not interested in creating fast lanes and slow lanes on anyone’s internet."
"AT&T is talking up the benefits of paid prioritization schemes in preparation for the death of net neutrality rules while claiming that charging certain content providers for priority access won't create fast lanes and slow lanes... What Quinn did not mention is that the net neutrality rules have a specific carve-out that already allows such services to exist... without violating the paid prioritization ban. Telemedicine, automobile telematics, and school-related applications and content are among the services that can be given isolated capacity... The key is that the FCC maintained the right to stop ISPs from using this exception to violate the spirit of the net neutrality rules... In contrast, AT&T wants total control over which services are allowed to get priority."
Moreover, fast and slow lanes by AT&T already exist:
"... AT&T provides only DSL service in many rural areas, with speeds of just a few megabits per second or even less than a megabit. AT&T has a new fixed wireless service for some rural areas, but the 10Mbps download speeds fall well short of the federal broadband standard of 25Mbps. In areas where AT&T has brought fiber to each home, the company might be able to implement paid prioritization and manage its network in a way that prevents most customers from noticing any slowdown in other services..."
So, rural (e.g., DSL) consumers are more likely to suffer and notice service slowdowns. Once the final FCC rules are available without net neutrality protections for consumers and the lawsuits have been resolved, then AT&T probably won't have to worry about violating any prioritization bans.
The bottom line for consumers: expect ISPs to implement first changes consumers won't see directly. Remember the old story about a frog stuck in a pot of water? The way to kill it is to slowly turn up the heat. You can expect ISPs to implement this approach in a post-net-neutrality world. (Yes, in this analogy we consumers are the frog, and the heat is higher internet prices.) Paid prioritization is one method consumers won't directly see. It forces content producers, and not ISPs, to raise prices on consumers. Make no mistake about where the money will go.
Consumers will likely see ISPs introduce tiered broadband services, with lower-priced service options that exclude video streaming content... spun as greater choice for consumers. (Some hotels in the United States already sell to their guests WiFi services with tiered content.) Also, expect to see more "sponsored data programs," where video content owned by your ISP doesn't count against wireless data caps. Read more about other possible changes.
Seems to me the 9th Circuit Appeals Court made the best of a bad situation. I look forward to the FTC doing an important job which the FCC chose to run away from. What do you think?
"... an advertising agency that created and disseminated allegedly deceptive radio ads for weight-loss products marketed by its client, Direct Alternatives, has agreed to pay $2 million to the Federal Trade Commission and State of Maine Attorney General’s Office to settle their complaint..."
First, some background. According to the FTC, MAI created advertising for several products (e.g., Puranol, Pur-Hoodia Plus, Acai Fresh, AF Plus, and Final Trim) by Direct Alternatives from 2006 through February 2015. Then, in 2016 the FTC and the State of Maine settled allegations against Direct Alternatives, which required the company to halt deceptive advertising and illegal billing practices.
"... receiving FTC’s Sensa order, MAI was previously made aware of the need to have competent and reliable scientific evidence to back up health claims. Among other things, the complaint alleges that Direct Alternatives provided MAI with documents indicating that some of the weight-loss claims later challenged by the FTC needed to be supported by scientific evidence.
The complaint further charges that MAI developed and disseminated fictitious weight-loss testimonials and created radio ads for weight-loss products falsely disguised as news stories. Finally, the complaint charges MAI with creating inbound call scripts that failed to adequately disclose that consumers would be automatically enrolled in negative-option (auto-ship) continuity plans."
"... requires MAI to have competent and reliable scientific evidence to support any other claims about the health benefits or efficacy of weight-loss products, and prohibits it from misrepresenting the existence or outcome of tests or studies. In addition, the order prohibits MAI from misrepresenting the experience of consumer testimonialists or that paid commercial advertising is independent programming."
This action is a reminder to advertising and digital agency executives everywhere: ensure that claims are supported by competent, reliable scientific evidence.
Good. Kudos to the FTC for these enforcement actions and for protecting consumers.
Fresenius Medical Care Holdings, Inc. has agreed to a $3.5 million settlement agreement regarding five small data breaches the Massachusetts-based healthcare organization experienced during 2012. Fresenius Medical Care Holdings, Inc. does business under the name Fresenius Medical Care North America (FMCNA). This represents one of the largest HIPAA settlements ever by the U.S. Department of Health & Human Services (HHS).
The five small data breaches, at different locations across the United States, affected about 521 persons:
Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility: On February 23, 2012, two desktop computers were stolen during a break-in. One of the computers contained the electronic Protected Health Information (ePHI) of 200 persons, including patient name, admission date, date of first dialysis, days and times of treatments, date of birth, and Social Security number
Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove: On April 3, 2012, an unencrypted USB drive was stolen from a worker's car while parked in the organization's parking lot. The USB device contained the ePHI of 245 persons, including patient name, address, date of birth, telephone number, insurance company, insurance account number (a potential social security number derivative for some patients) and the covered entity location where each patient was seen.
Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin: On June 18, 2012, an anonymous phone tip reported that a hard drive was missing from a desktop computer, which had been taken out of service. The hard drive contained the ePHI of 35 persons, including name, date of birth, Social Security number and Zip code. While the worker notified a manager about the missing hard drive, the manager failed t notify the FMCNA Corporate Risk Management Department.
Fresenius Vascular Care Augusta, LLC: On June 16, 2012, a worker's unencrypted laptop was stolen from her car while parked overnight at home. The laptop bag also include a list of her passwords. The laptop contained the ePHI of 10 persons, including patient name, insurance account number (which could be a social security number derivative) and other insurance information.
WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis: On or about June 17 - 18, 2012, three desktop computers and one encrypted laptop were stolen from the office. One of the desktop computers contained the ePHI of 31 persons, including patient name, dates of birth, address, telephone number, and either full or partial Social Security numbers.
Besides the hefty payment, terms of the settlement agreement (Adobe PDF) require FMCNA to implement and complete a Corrective Action Plan:
Conduct a risk analysis,
Develop and implement a risk management plan,
Implement a process for evaluating workplace operational changes,
Develop an Encryption Report,
Review and revise internal policies and procedures to control devices and storage media,
Review and revise policies to control access to facilities,
Develop a privacy and security awareness training program for workers, and
Submit progress reports at regular intervals to HHS.
The Encryption report identifies and describes the devices and equipment (e.g., desktops, laptops, tables smartphones, etc.) that may be used to access, store, and transmit patients' ePHI information; records the number of devices including which utilize encrypted information; and provides a detailed plan for implementing encryption on devices and media which should contain encrypted information and currently don't.
Some readers may wonder why a large fine for relatively small data breaches, since news reports often cite data breaches affecting thousands or millions of persons. HHS explained that the investigation by its Office For Civil Rights (OCR) unit:
"... revealed FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule... Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules.."
OCR Director Roger Severino added:
"The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity... Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law."
The Attorney General (AG) for the Commonwealth of Massachusetts is suing the U.S. Federal Communications Commission (FCC) after the FCC voted on December 14th to repeal existing net neutrality rules protecting consumers. Maura Healey, the Massachusetts AG, announced that her office has joined a multi-state lawsuit with the New York State AG:
"... joined New York Attorney General Eric T. Schneiderman in announcing that they will be filing a multi-state lawsuit against the Federal Communications Commission (FCC) over its vote to rollback net neutrality protections...The FCC recently issued a proposed final order rolling back net neutrality protections and on December 14th, voted 3-2 on party lines to implement the final order. On December 13th, AG Healey joined a coalition of 18 attorneys general in sending a letter to the FCC after reports emerged that nearly two million comments submitted in support of the agency were fake."
AG Healey said about the multi-state lawsuit:
"With the FCC vote, Americans will pay more for the internet and will have fewer options... The agency has completely failed to justify this decision and we will be suing to stand up for the free exchange of ideas and to keep the American people in control of internet access."
"One of the most important roles that we perform is to prosecute fraud. It is a role we take extremely seriously, and one that is essential to a fair marketplace... The ‘Restore Internet Freedom’ proposal, also known as net neutrality rollback (WC Docket No. 17- 108) has far-reaching implications for the everyday life of Americans... Recent attempts by New York Attorney General Schneiderman to investigate supposed comments received by the FCC have revealed a pattern of facts that should raise alarm bells for every American about the integrity of the democratic process. A careful review of the publicly available information revealed a pattern of fake submissions using the names of real people. In fact, there may be over one million fake submissions from across the country. This is akin to identity theft on a massive scale – and theft of someone’s voice in a democracy is particularly concerning.
As state Attorneys General, many of our offices have received complaints from consumers indicating their distress over their names being used in such a manner. While we will investigate these consumer complaints through our normal processes, we urge the Commission to take immediate action and to cooperate with law enforcement investigations. Woven throughout the Administrative Procedures Act is a duty for rulemakers to provide information to the public and to listen to the public. We know from advising our rulemakers at the state level that listening to the public provides insights from a diversity of viewpoints. But, if the well of public comment has been poisoned by falsified submissions, the Commission may be unable to rely on public comments that would help it reach a legitimate conclusion to the rulemaking process. Or, it must give less weight to the public comments submitted which also undermines the process..."
The FCC ignored the AGs' joint letter about fraud and proceeded with its net-neutrality vote on December 14. FCC Chairman Ajit Pai had blown off the identity theft and fraud charges as maneuvers by desperate net neutrality advocates.
"... the FCC failed to do what is right... The FCC decided thatconsumers do not deserve free, open, and equal access to the internet. It decided to ignore the millions of Americans who voiced their strong support for our existing net neutrality rules. Here in California – a state that is home to countless start-ups and technology giants alike – we know that a handful of powerful companies should not dictate the sources for the information we seek..."
Residents in some states can use special sites to notify their state's AG about the misuse of their identity data in fake comments submitted to the FCC: Pennsylvania, New York.
The FCC under Chairman Pai seems to listen and respond to the needs of corporate internet service providers (ISPs), and not to consumers. A November 21 - 25 poll found that 52 percent of registered voters support the current rules, including 55 percent of Democrats and 53 percent of Republicans.
While that is down from prior polls, a majority support net neutrality rules. A poll by Mozilla and Ipsos in June, 2017 found overwhelming support across party lines: 76% of Americans, 81% of Democrats, and 73% of Republicans favor keeping net neutrality rules. The poll included approximately 1,000 American adults across the U.S. with 354 Democrats, 344 Republicans, and 224 Independents.
"... About 81 percent of Americans oppose allowing Internet providers like Comcast and Verizon to charge Web sites and services more if they want to reach customers more quickly... Republicans were slightly more likely to support net neutrality than Democrats. 81 percent of Democrats and 85 percent of Republicans in the survey said they opposed fast lanes."
Experts have debated the various ways of moving forward after the December 14th FCC vote. Wired reported:
"Most immediately, the activity will move to the courts... The most likely argument: that the commission’s decision violates federal laws barring agencies from crafting “arbitrary and capricious” regulations. After all, the FCC’s net neutrality rules were just passed in 2015... as capricious as the current FCC's about-face may seem, legal experts say the challenges won’t be a slam-dunk case. Federal agencies are allowed to change their minds about previous regulations, so long as they adequately explain their reasoning... The FCC's main argument for revoking the 2015 rules is that the regulations hurt investment in broadband infrastructure. But, as WIRED recently detailed, many broadband providers actually increased their investments, while those that cut back on spending told shareholders that the net neutrality rules didn't affect their plans. University of Pennsylvania Law School professor Christopher Yoo says courts generally defer to an agency's expertise in interpreting evidence submitted into the record... net neutrality advocates could also argue that the agency's decision-making process was corrupted by the flood of fake comments left by bots. But FCC Chair AJit Pai will argue that the agency discarded low-quality and repeated comments and focused only on matters of substance... A long-term solution to net neutrality will require Congress to pass laws that won't change every time control of the White House passes to another party... Senator John Thune (R-South Dakota) recently called for Congress to pass bipartisan net neutrality legislation. In 2015, Thune and Representative Fred Upton (R-Michigan) introduced a bill that would have banned blocking or slowing legal content, but limited the FCC's authority over internet service providers. It never moved forward. Thune is clearly hoping that growing demand from the public for net neutrality protections will bring more Republicans to the table... Senator Ron Wyden (D-Oregon) told WIRED earlier this year that he won't support a bill with weaker protections than the 2015 rules..."
President Trump appointed Pai as FCC Chairman in January, giving the Republican commissioners at the FCC a voting majority. Neither the President nor the White House staff said anything in its daily e-mail blast or in their website about the FCC vote; and instead discussed tax reform, general remarks about reducing regulation, and infrastructure (e.g., roads, bridges, tunnels).
Seems to me the internet is a key component of our country's infrastructure. What are your opinions? If your state isn't in the above list, we'd like to hear from you, too.
Last week, 32 states inked a settlement agreement with Nationwide Mutual Insurance for the insurance company's data breach in 2012. The Attorney General's Office for the Commonwealth of Massachusetts participated in the agreement, and explained in an announcement: that the data breach reach in 2012 was:
"... allegedly caused by Nationwide’s failure to apply a critical software security patch. The breach resulted in the loss of personal information belonging to 1.27 million consumers, with nearly 950 in Massachusetts, including their social security numbers, driver’s license numbers, credit scoring information, and other personal data. The lost personal information was collected by Nationwide in order to provide insurance quotes to consumers applying for insurance. AG Healey’s Office is not aware of any fraud or identity theft involving Massachusetts residents related to this data breach."
Other states participating in the settlement agreement include the Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia. Terms of the settlement agreement require Nationwide to:
"... both generally update its security practices and to ensure that it keeps software up-to-date, including timely applying patches and other updates to its software. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates.
Many of the consumers whose data was lost as a result of the data breach were consumers who never became Nationwide’s insureds, but whose information was retained by the company in order to provide the consumers re-quotes at a later date. The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose to consumers that it retains their personal information even if they do not become its customers."
950 Massachusetts residents were affected. Massachusetts' share of the payment is $100,000. Massachusetts Attorney General (AG) Maura Healey said in a statement:
"People shopping for financial products should be assured that companies collecting their personal information will protect it no matter what... Nationwide knew their software was vulnerable to hacking but did not promptly address it, leaving sensitive data vulnerable to identity thieves. This settlement holds the company accountable for subjecting our residents to this avoidable risk."
2,810 New York residents were affected. New York State's share of the payment is $107,736. New York State AG Eric T. Schneiderman said:
"Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process... This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers..."
774 Connecticut residents were affected. Connecticut's share of the payment is $256,559. Connecticut AG George Jepsen said:
"Connecticut law requires that anyone in possession of another person's personal information safeguard that data... It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols..."
Last week, the Attorney General's office for the Commonwealth of Massachusetts announced the results of a post-settlement agreement audit with American Security Insurance Company, a subsidiary of Assurant, Inc., where homeowners in the state will receive $6.3 million in refunds for improper "forced-place insurance" charges. The announcement explained:
"Force-placed insurance is a type of property insurance that mortgage servicers can purchase on behalf of borrowers if they fail to maintain adequate homeowners insurance coverage on mortgaged properties. Mortgage servicers often hire insurance companies like Assurant to monitor whether borrowers are maintaining adequate homeowners insurance coverage and to issue force-placed insurance policies when appropriate homeowners coverage is not in place.
Premiums for force-placed policies are high—often two or three times as expensive as regular homeowners insurance—and the coverage provided is quite limited. Some mortgage servicers accept commission payments from force-placed insurers, which contribute to the high cost of force-placed insurance and create conflicts of interest for mortgage servicers."
"Although force-placed insurance is only intended for circumstances in which the borrower has failed to adequately insure the mortgaged property, the Attorney General’s audit of Assurant found thousands of cases of duplicative insurance coverage for Massachusetts homeowners. Borrowers eligible for settlement money were previously required by their mortgage servicer to purchase force-placed insurance from Assurant, or were overcharged for force-placed insurance because they were mistakenly sold commercial policies rather than less expensive residential policies..."
4,500 homeowners were improperly charged. The average refund per homeowner is about $1,400. Refund checks were mailed last week to affected homeowners.
The Daily Beast explained how Microsoft fights cyber criminals and spies, some of whom with alleged ties to the Kremlin:
"Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents.
Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft a omniscient view of that servers’ network of automated spies."
On Thursday, the U.S. Department of the Treasury fined ExxonMobil Corporation $2 million for violations of sanctions while current Secretary of State Rex Tillerson was the company's Chief Executive Officer. The Office of Foreign Assets Control (OFAC) within the Treasury Department issued the fine. According to the announcement:
"Between on or about May 14, 2014 and on or about May 23, 2014, ExxonMobil violated § 589.201 of the Ukraine-Related Sanctions Regulations when the presidents of its U.S. subsidiaries dealt in services of an individual whose property and interests in property were blocked, namely, by signing eight legal documents related to oil and gas projects in Russia with Igor Sechin, the President of Rosneft OAO, and an individual identified on OFAC’s List of Specially Designated Nationals and Blocked Persons.
OFAC determined that ExxonMobil did not voluntarily self-disclose the violations to OFAC, and that the violations constitute an egregious case."
"... ExxonMobil did not voluntarily self-disclose the violations to OFAC and that the violations constitute an egregious case. Both the base civil monetary penalty and the statutory maximum civil monetary penalty amounts for the violations were $2,000,000. OFAC thoroughly considered the arguments ExxonMobil set forth in its submissions to OFAC, and the penalty amount reflects OFAC's consideration of the following facts and circumstances... OFAC considered the following to be aggravating factors: (1) ExxonMobil demonstrated reckless disregard for U.S. sanctions requirements when it failed to consider warning signs associated with dealing in the blocked services of an SDN; (2) ExxonMobil's senior-most executives knew of Sechin's status as an SDN when they dealt in the blocked services of Sechin; (3) ExxonMobil caused significant harm to the Ukraine-related sanctions program objectives by engaging the services of an SDN designated on the basis that he is an official of the Government of the Russian Federation contributing to the crisis in Ukraine; and (4) ExxonMobil is a sophisticated and experienced oil and gas company that has global operations and routinely deals in goods, services, and technology subject to U.S economic sanctions and U.S. export controls. OFAC considered the following to be a mitigating factor: ExxonMobil has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the first transaction giving rise to the violation..."
ExxonMobil issued a press release on July 20 which denied the violations and claimed that it had received clear guidance from the Treasury Department that the transactions were legal, "so long as the activity related to Rosneft’s business and not Sechin’s personal business." The press release also cited several news sources. You'd think that the company's executive would simply have gone straight to the source, the OFAC, and bypassed intermediaries.
The OFAC Enforcement Information document debunked the energy company's claim:
"ExxonMobil claims that it interpreted press statements as establishing a distinction between Sechin's "professional" and "personal" capacity, in part citing to a news article published in April 2014 that quoted a Department of the Treasury representative as saying that a U.S. person would not be prohibited from participating in a meeting of Rosneft' s board of directors. However, that brief statement did not address the conduct in this case.
Furthermore, the plain language of the Ukraine-Related Sanctions Regulations (which were issued after the Executive branch statements) and E.O. 13661 do not contain a "personal" versus "professional" distinction, and OFAC has neither interpreted its Regulations in that manner nor endorsed such a distinction. The press release statements provided context for the policy rationale surrounding the targeted approach during the early days of the Ukraine crisis, which was to isolate designated individuals who were targeted as a result of the crisis in Ukraine, rather than imposing blocking sanctions on the large companies that they managed. No materials issued by the White House or the Department of the Treasury asserted an exception or carve-out for the professional conduct of designated or blocked persons, nor did any materials suggest that U.S. persons could continue to conduct or engage in business with such individuals.
Separately, there was a Frequently Asked Question (FAQ) publicly available on the OFAC website at the time of the violations that specifically spoke to the conduct at issue in this case..."
While at the Treasury Department's website, I noticed that the Treasury Notes blog stopped publishing on January 19, 2017 -- about the same time as the Presidential Inauguration. What's up with that? Does the Treasury Department, under the Trump Administration, believe that it is okay not to inform citizens, taxpayers, and voters?
The Office of the Attorney General (AG) for the Commonwealth of Massachusetts announced on Wednesday that the state will receive $625,000 as part of the settlement agreement with Target Corporation. The settlement agreement, which includes 47 states plus the District of Colombia, resolves claims by states about the retailer's massive data breach in 2013.
"The investigation found that the stolen credentials were used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware on the system and then capture data from credit or debit card transactions at Target stores (including stores in Massachusetts) from Nov. 27, 2013 to Dec. 15, 2013. The stolen data included consumers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, security codes, and encrypted debit PINs... The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers nationwide. In Massachusetts, the breach compromised information from approximately 947,000 customer payment card accounts and other personally-identifying information of about 1.5 million Massachusetts residents."
Terms of the settlement require Target:
"... to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment... to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts."
"New Yorkers need to know that when they shop, their data will be protected... This settlement marks an important win for New Yorkers – bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward."
Yes, indeed. Shoppers everywhere need to know their data will be protected.
Besides Massachusetts, New York and California, the other states participating in this settlement include Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.
"Alabama won't be cashing in on the largest multi-state data breach settlement in history, however. The reason, according to the Alabama Attorney General's Office, is the absence of a state law that requires entities to notify customers whose information could have been exposed in a breach and then take steps to remediate any injuries.
"Alabama is one of the few states in the nation that is not a party to the recent Target settlement because our state does not have data breach notification law," said Mike Lewis, Communications Director for the Office of the Alabama Attorney General."
Connecticut and Illinois led the states' investigation. The participating states have not yet announced how the settlement money will be distributed.
[Editor's Note: a prior version of this blog post did not include the report by AL.com.]
Recently, a reader wrote via e-mail with feedback about this December 2014 blog post which discussed a lawsuit filed by the U.S. Federal Trade Commission (FTC) against a data broker, LeapLab, and other defendants. The suit alleged that the defendants sold consumers' sensitive personal information to fraudsters.
The reader was unhappy because he was unable to submit a comment on that blog post. The policy of this blog is to close comments on all blog posts after a year. The reader seemed to interpret that policy as a slight against one of the defendants. No. The closing of comments after a year is equal, consistent treatment.
The reader was also unhappy with comments posted by other readers to that 2014 blog post. Like other blogs, readers freely share their opinions and feedback in the comments section. Like other blogs, I am not responsible for readers' comments. Nor do I censor comments for content. I remind everyone to read the Terms of Service.
The reader's e-mail feedback claimed the blog post was incomplete and one sided. Today's blog post reports the rest of the story.
"A group of defendants have settled Federal Trade Commission charges that they knowingly provided scammers with hundreds of thousands of consumers’ sensitive personal information – including Social Security and bank account numbers. The proposed federal court orders prohibit John Ayers, LeapLab and Leads Company from selling or transferring sensitive personal information about consumers to third parties. The defendants will also be prohibited from misleading consumers about the terms of a loan offer or the likelihood of getting a loan. In addition, the settlements require the defendants to destroy any consumer data in their possession within 30 days.
You can follow the above links to the settlement agreements between each defendant and the FTC, which were approved by the court. Links are also available on the FTC-Leaplab proceedings page.
As a solo blogger with limited resources, I do my best to get it right. There's plenty of privacy news to cover, and I should have reported the above settlement agreements sooner. Hopefully, today's blog post corrects that oversight. I sincerely thank all readers for their feedback and comments.
A class-action lawsuit against Uber claims that the ride-sharing company manipulated its mobile app to simultaneously short-change drivers and over-charge riders. Ars Technica reported:
"When a rider uses Uber's app to hail a ride, the fare the app immediately shows to the passenger is based on a slower and longer route compared to the one displayed to the driver. The software displays a quicker, shorter route for the driver. But the rider pays the higher fee, and the driver's commission is paid from the cheaper, faster route, according to the lawsuit.
"Specifically, the Uber Defendants deliberately manipulated the navigation data used in determining the fare amount paid by its users and the amount reported and paid to its drivers," according to the suit filed in federal court in Los Angeles."
A Minnesota court judge has signed what appears to be a stunningly broad search warrant to compel Google to provide search information to local law enforcement. The request for search data is part of an identity theft and fraud case.
The search warrant requests information about anyone searching for variations of the name "Douglas" between December 1, 2016 and January 7, 2017. Using a fake passport with the victim's photo and name, identified only as "Douglas" in the warrant, a fraudster fraudulently obtained $28,000 via a wire transfer from a credit union bank account. The credit union relied upon the passport as identification.
During their investigation, the Edina Police Department searched for images with the victim's name using several search engines (e.g., Yahoo, Bing, Google), and found images on all, but only Google's search results included an image of the photo used on the fake passport. Based upon these facts, Hennepin County Judge Gary Larson signed the warrant requiring Google to turn over information about anyone who searched for variations of Douglas's full name. The warrant requests the following information about search engine users: names, addresses, e-mail addresses, phone numbers, Social Security numbers, birth dates, IP (Internet protoccol) addresses, MAC addresses, and dates/times the searches were performed.
The search warrant also requests, "Information related to the content the user is viewing/using." What exactly is that? Does that refer to other information collected by Google in each user's Google account (e.g., passwords, Google Drive documents, Gmail messages, calendar appointments, Google Chat sessions, etc.)?
"Privacy law experts say that the warrant is based on an unusually broad definition of probable cause that could set a troubling precedent. "This kind of warrant is cause for concern because it’s closer to these dragnet searches that the Fourth Amendment is designed to prevent," said William McGeveran, a law professor at the University of Minnesota... McGeveran said it’s unusual for a judge to sign off on a warrant that bases probable cause on so few facts. "It’s much more usual for a search warrant to be used to gather evidence for a suspect that’s already identified, instead of using evidence to find a suspect... If the standards for getting a broad warrant like this are not strong, you can have a lot of police fishing expeditions." "
Judge Larson signed the warrant on February 1, 2017. Reportedly, Google will fight in court against the demands in the search warrant.
This warrant seems stunningly broad since it does not contain the name of a specific suspect, suspects, and/or criminal organization. There are many legitimate reasons for persons to search using the victim's name. Chiefly, many other people have the same name.
Other questions remain. The warrant did not state whether or not law enforcement searched social networking accounts for the victim's image. Many social networking accounts include profile photos of users. How certain are lawn enforcement officials that the fraudster didn't obtain the photo from a social networking account? Plus, many social networking users don't utilize the privacy controls available for their online accounts and photos.
We-Vibe, a maker of vibrators for better sex, will pay U.S. $3.75 million to settle a class action lawsuit involving allegations that the company tracked users without their knowledge nor consent. The Guardian reported:
"Following a class-action lawsuit in an Illinois federal court, We-Vibe’s parent company Standard Innovation has been ordered to pay a total of C$4m to owners, with those who used the vibrators associated app entitled to the full amount each. Those who simply bought the vibrator can claim up to $199... the app came with a number of security and privacy vulnerabilities... The app that controls the vibrator is barely secured, allowing anyone within bluetooth range to seize control of the device. In addition, data is collected and sent back to Standard Innovation, letting the company know about the temperature of the device and the vibration intensity – which, combined, reveal intimate information about the user’s sexual habits..."
We-Vibe's products are available online at the Canadian company's online store and at Amazon. This Youtube video (warning: not safe for work) promotes the company's devices. Consumers can use the smart vibrator with or without the mobile app on their smartphones. The app is available at both the Apple iTunes and Google Play online stores.
"... two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the [We-Vibe 4Plus] device. It could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical. What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found..."
In the September 2016 complaint (Adobe PDF; 601 K bytes), the plaintiffs sought to stop Standard Innovation from "monitoring, collecting, and transmitting consumers’ usage information," collect damages due to the alleged unauthorized data collection and privacy violations, and reimburse users from their purchase of their We-Vibe devices (because a personal vibrator with this alleged data collection is worth less than a personal vibrator without data collection). That complaint alleged:
"Unbeknownst to its customers, however, Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address — to its servers in Canada... By design, the defining feature of the We-Vibe device is the ability to remotely control it through We-Connect. Defendant requires customers to use We-Connect to fully access the We-Vibe’s features and functions. Yet, Defendant fails to notify or warn customers that We-Connect monitors and records, in real time, how they use the device. Nor does Defendant disclose that it transmits the collected private usage information to its servers in Canada... Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or patterns selected by the user, and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts... In addition, Defendant designed We-Connect to surreptitiously route information from the “connect lover” feature to its servers. For instance, when partners use the “connect lover” feature and one takes remote control of the We-Vibe device or sends a [text or video chat] communication, We-Connect causes all of the information to be routed to its servers, and then collects, at a minimum, certain information about the We-Vibe, including its temperature and battery life. That is, despite promising to create “a secure connection between your smartphones,” Defendant causes all communications to be routed through its servers..."
The We-Vibe Nova product page lists ten different vibration modes (e.g., Crest, Pulse, Wave, Echo, Cha-cha-cha, etc.), or users can create their own custom modes. The settlement agreement defined two groups of affected consumers:
"... the proposed Purchaser Class, consisting of: all individuals in the United States who purchased a Bluetooth-enabled We-Vibe Brand Product before September 26, 2016. As provided in the Settlement Agreement, “We-Vibe Brand Product” means the “We-Vibe® Classic; We-Vibe® 4 Plus; We-Vibe® 4 Plus App Only; Rave by We-VibeTM and Nova by We-VibeTM... the proposed App Class, consisting of: all individuals in the United States who downloaded the We-Connect application and used it to control a We-Vibe Brand Product before September 26, 2016."
According to the settlement agreement, affected users will be notified by e-mail addresses, with notices in the We-Connect mobile app, a settlement website (to be created), a "one-time half of a page summary publication notice in People Magazine and Sports Illustrated," and by online advertisements in several websites such as Google, YouTube, Facebook, Instagram, Twitter, and Pinterest. The settlement site will likely specify additional information including any deadlines and additional notices.
"... we updated the We-ConnectTM app and our app privacy notice. That update includes: a) Enhanced communication regarding our privacy practices and data collection – in both the onboarding process and in the app settings; b) No registration or account creation. Customers do not provide their name, email or phone number or other identifying information to use We-Connect; c) An option for customers to opt-out of sharing anonymous app usage data is available in the We-Connect settings; d) A new plain language Privacy Notice outlines how we collect and use data for the app to function and to improve We-Vibe products."
"Collection And Use of Information: You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app."
"We collect and use information for the purposes identified below... To access and use certain We-Vibe product features, the We-Connect app must be installed on an iOS or Android enabled device and paired with a We-Vibe product. We do not ask you to provide your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise... The first time you launch the We-Connect app, our servers will provide you with an anonymous token. The We-Connect app will use this anonymous token to facilitate connections and share control of your We-Vibe with your partner using the Connect Lover feature... certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users."
In a way that does not personally identify individuals? What way? Is that the "anonymous token" or something else? More clarity seems necessary.
And since partner(s) can remotely control a user's We-Vibe device, their information is collected, too. Persons with multiple partners (and/or multiple We-Vibe devices) should thoroughly consider the implications.
The About Us page in the We-Vibe site contains this company description:
"We-Vibe designs and manufactures world-leading couples and solo vibrators. Our world-class engineers and industrial designers work closely with sexual wellness experts, doctors and consumers to design and develop intimate products that work in sync with the human body. We use state-of-the-art techniques and tools to make sure our products set new industry standards for ergonomic design and high performance while remaining eco‑friendly and body-safe."
Hmmmm. No mentions of privacy nor security. Hopefully, a future About Us page revision will mention privacy and security. Hopefully, no government officials use these or other branded smart sex toys. This is exactly the type of data collection spies will use to embarrass and/or blackmail targets.
The settlement is a reminder that companies are willing, eager, and happy to exploit consumers' failure to read privacy policies. A study last year found that 74 percent of consumers surveyed never read privacy policies.
All of this should be a reminder to consumers that companies highly value the information they collect about their users, and generate additional revenue streams by selling information collected to corporate affiliates, advertisers, marketing partners, and/or data brokers. Consumers' smartphones are central to that data collection.
What are your opinions of the We-Vibe settlement? Of its products and security?
The U.S. Department of Justice (DOJ) announced yesterday that a grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts. The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the Federal Bureau of Investigation (FBI), Acting Assistant Attorney General Mary McCord of the National Security Division, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.
"... unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign."
The four defendants are:
Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident
Igor Anatolyevich Sushchin, 43, a Russian national and resident,
Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident, and
Karim Baratov (a/k/a "Kay," "Karim Taloverov," and "Karim Akehmet Tokbergenov") 22, a Canadian and Kazakh national and a resident of Canada.
Attorney General Sessions said about the charges against four defendants:
"Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history... But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks..."
FBI Director said:
"... we continue to pierce the veil of anonymity surrounding cyber crimes... We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests."
Acting Assistant Attorney General McCord said:
"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale... hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want..."
Today's blog post highlights how easy it is for manufacturers to make and sell smart-home devices that spy on consumers without notice nor consent. VIZIO, Inc., one of the largest makers of smart televisions, agreed to pay $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC) and the State of New Jersey Attorney General. The FTC announcement explained:
"... starting in February 2014, VIZIO, Inc. and an affiliated company have manufactured VIZIO smart TVs that capture second-by-second information about video displayed on the smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices. In addition, VIZIO facilitated appending specific demographic information to the viewing data, such as sex, age, income, marital status, household size, education level, home ownership, and household value... VIZIO sold this information to third parties, who used it for various purposes, including targeting advertising to consumers across devices... VIZIO touted its “Smart Interactivity” feature that “enables program offers and suggestions” but failed to inform consumers that the settings also enabled the collection of consumers’ viewing data. The complaint alleges that VIZIO’s data tracking—which occurred without viewers’ informed consent—was unfair and deceptive, in violation of the FTC Act and New Jersey consumer protection laws."
The FTC complaint (Adobe PDF) named as defendants VIZIO, Inc. and VIZIO Inscape Services, LLC, its wholly-owned subsidiary. VIZIO has designed and sold televisions in the United States since 2002, and has sold more than 11 million Internet-connected televisions since 2010. The complaint also mentioned:
"... the successor entity to Cognitive Media Services, Inc., which developed proprietary automated content recognition (“ACR”) software to detect the content on internet-connected televisions and monitors."
This merits emphasis because consumers thinking that they can watch DVD or locally recorded content in the privacy of their home with advertisers knowing it really can't because the ACR software can easily identify, archive, and transmit it. The complaint also explained:
"Through the ACR software, VIZIO’s televisions transmit information about what a consumer is watching on a second-by-second basis. Defendants’ ACR software captures information about a selection of pixels on the screen and sends that data to VIZIO servers, where it is uniquely matched to a database of publicly available television, movie, and commercial content. Defendants collect viewing data from cable or broadband service providers, set-top boxes, external streaming devices, DVD players, and over-the-air broadcasts... the ACR software captures up to 100 billion data points each day from more than 10 million VIZIO televisions. Defendants store this data indefinitely. Defendants’ ACR software also periodically collects other information about the television, including IP address, wired and wireless MAC addresses, WiFi signal strength, nearby WiFi access points, and other items."
That's impressive. The ACR software enabled VIZIO to know and collect information about other devices (e.g., computers, tablets, phones, printers) connected to your home WiFi network. Then, besides the money consumers paid for their VIZIO smart TVs, the company also made money by reselling the information it collected to third parties... probably data brokers and advertisers. You'd think that the company might lower the price of its smart TVs given that additional revenue stream, but I guess not.
Now, here is where VIZIO created problems for itself:
30 seconds? Really?! If a consumer left the room to grab a bite to eat or visit the bathroom for a bio break, they easily missed this pop-up message. No notice? Neither are good. VIZIO released a statement about the settlement:
"VIZIO is pleased to reach this resolution with the FTC and the New Jersey Division of Consumer Affairs. Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” stated Jerry Huang, VIZIO General Counsel. “The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors... the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and VIZIO now is leading the way,” concluded Huang."
Terms of the settlement agreement and the Court Order (Adobe PDF) require VIZIO to:
B. Obtain the consumer’s affirmative express consent (1) at the time the disclosure...
C. Provide instructions, at any time the consumer’s affirmative express consent is sought under Part II.B, for how the consumer may revoke consent to collection of Viewing Data.
D. For the purposes of this Order, “Prominently” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers..."
The Order also defines that disclosure must be visual, audible, in all formats which VIZIO uses, in easy-to-understand language, and not contradicted by any legal statements elsewhere. Terms of the settlement require VIZIO to pay $1.5 million to the FTC, $1.0 million to the New Jersey Division of Consumer Affairs (which includes a $915,940.00 civil penalty and $84,060.00 for attorneys’ fees and investigative costs). VIZIO will not have to pay $300,000 due to the N.j> Division of consumer affairs it the company complies with court order, and does not engage in acts that violate the New Jersey Consumer Fraud Act (CFA) during the next five years.
Additional terms of the settlement agreement require VIZIO to destroy information collected before March 1, 2016, establish and implement a privacy program, designate one or several employees responsible for that program, identify and risks of internal processes that cause the company to collect consumer information it shouldn't, design and implement a program to address those risks, develop and implement processes to identify service providers that will comply with the privacy program, and hire an independent third-party to audit the privacy program every two years.
I guess the FTC and New Jersey AG felt this level of specificity was necessary given VIZIO's past behaviors. Kudos to the FTC and to the New Jersey AG for enforcing and protecting consumers' privacy. Given the rapid pace of technological change and the complexity of today's devices, oversight is required. Consumers simply don't have the skills nor resources to do these types of investigations.
A news item you may have missed during the run-up to the Presidential Inauguration. The U.S. Federal Trade Commission (FTC) announced settlement agreements with Western Union where the company admitted to money-laundering charges and agreed to pay $586 million in fines and restitution.
Western Union inked settlement agreements with the FTC, the Justice Department (DOJ), and with several U.S. Attorneys’ Offices: the Middle District of Pennsylvania, the Central District of California, the Eastern District of Pennsylvania and the Southern District of Florida. The FTC announcement stated:
"In its agreement with the Justice Department, Western Union admits to criminal violations including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud... According to admissions contained in the deferred prosecution agreement (DPA) with the Justice Department and the accompanying statement of facts, Western Union violated U.S. laws—the Bank Secrecy Act (BSA) and anti-fraud statutes—by processing hundreds of thousands of transactions for Western Union agents and others involved in an international consumer fraud scheme. As part of the scheme, fraudsters contacted victims in the U.S. and falsely posed as family members in need or promised prizes or job opportunities. The fraudsters directed the victims to send money through Western Union to help their relative or claim their prize. Various Western Union agents were complicit in these fraud schemes, often processing the fraud payments for the fraudsters in return for a cut of the fraud proceeds."
The FTC alleged in a complaint filed in U.S. District Court for the Middle District of Pennsylvania that the company’s conduct violated the FTC Act. The complaint alleged that fraudsters globally used Western Union’s money transfer system for many years, even after the company was aware of the problems. The complaint also alleged that some Western Union agents were complicit in fraud. Also, the FTC’s complaint alleged that Western Union failed to implement effective anti-fraud policies and procedures, and it failed to act promptly against problem agents (e.g., suspensions, terminations).
Also, the announcement described the extent and duration of the fraud:
"The BSA requires financial institutions, including money services businesses such as Western Union, to file currency transaction reports (CTRs) for transactions in currency greater than $10,000 in a single day. To evade the filing of a CTR and identification requirements, criminals will often structure their currency transactions so that no single transaction exceeds the $10,000 threshold. Financial institutions are required to report suspected structuring... Western Union knew that certain of its U.S. Agents were allowing or aiding and abetting structuring by their customers. Rather than taking corrective action to eliminate structuring at and by its agents, Western Union, among other things, allowed agents to continue sending transactions... Beginning in at least 2004, Western Union recorded customer complaints about fraudulently induced payments in what are known as consumer fraud reports (CFRs). In 2004, Western Union’s Corporate Security Department proposed global guidelines for discipline and suspension of Western Union agents that processed a materially elevated number of fraud transactions. In these guidelines, the Corporate Security Department effectively recommended automatically suspending any agent that paid 15 CFRs within 120 days. Had Western Union implemented these proposed guidelines, it would have prevented significant fraud losses to victims and would have resulted in corrective action against more than 2,000 agents worldwide between 2004 and 2012."
U.S. Attorney Eileen M. Decker of the Central District of California said:
"Our investigation uncovered hundreds of millions of dollars being sent to China in structured transactions designed to avoid the reporting requirements of the Bank Secrecy Act, and much of the money was sent to China by illegal immigrants to pay their human smugglers... In a case being prosecuted by my office, a Western Union agent has pleaded guilty to federal charges of structuring transactions – illegal conduct the company knew about for at least five years. Western Union documents indicate that its employees fought to keep this agent – as well as several other high-volume independent agents in New York City – working for Western Union because of the high volume of their activity. This action today will ensure that Western Union effectively controls its agents and prevents the use of its money transfer system for illegal purposes."
U.S. Attorney Bruce D. Brandler said:
"The U.S. Attorney’s Office for the Middle District of Pennsylvania has a long history of prosecuting corrupt Western Union Agents... Since 2001 our office, in conjunction with the U.S. Postal Inspection Service, has charged and convicted 26 Western Union Agents in the United States and Canada who conspired with international fraudsters to defraud tens of thousands of U.S. residents via various forms of mass marketing schemes. I am gratified that the deferred prosecution agreement reached today with Western Union ensures that $586 million will be available to compensate the many victims of these frauds."
Terms of the settlement agreements require Western union to:
Pay a monetary judgment of $586 million,
Implement and maintain a comprehensive anti-fraud program with training for its agents and their front line associates,
Monitor to detect and prevent fraud-induced money transfers,
Conduct due diligence on all new and renewing company agents, plus suspend or terminate non-compliant agents,
Stop transmitting money transfers it knows or reasonably should know are fraud-induced,
Block money transfers sent to any person who is the subject of a fraud report,
Provide clear and conspicuous consumer fraud warnings on its paper and electronic money transfer forms,
Increase the availability of websites and telephone numbers that enable consumers to file fraud complaints,
Refund fraudulent money transfers if it failed to comply with its anti-fraud procedures, and
Not process money transfers it knows or should know are payments for telemarketing transactions.
"The Western Union Company (NYSE: WU) today announced agreements with the U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) that resolve previously disclosed investigations focused primarily on the Company’s oversight of certain agents and whether its anti-fraud program, as well as its anti-money laundering controls, adequately prevented misconduct by those agents and third parties. The conduct at issue mainly occurred from 2004 to 2012."
"As part of this resolution, Western Union will enter into a deferred prosecution agreement with the DOJ and a consent order with the FTC. The Company will pay a total of $586 million to the federal government, which is to be used to reimburse consumers who were victims of fraud during the relevant period. Western Union also will take specific actions to further enhance its oversight of agents and its protection of customers... Over the past five years, Western Union increased overall compliance funding by more than 200 percent, and now spends approximately $200 million per year on compliance, with more than 20 percent of its workforce currently dedicated to compliance functions. The comprehensive improvements undertaken by the Company have added more employees with law enforcement and regulatory expertise, strengthened its consumer education and agent training, bolstered its technology-driven controls and changed its governance structure so that its Chief Compliance Officer is a direct report to the Compliance Committee of the Board of Directors."
"... [Western Union] will simultaneously resolve, without any additional payment or non-monetary obligations, potential claims by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) relating to conduct in the 2010 to 2012 period that FinCEN contended violated the Bank Secrecy Act. The Company received a notice of investigation from FinCEN in mid-December 2016. The separate agreement with FinCEN sets forth a civil penalty of $184 million, the full amount of which will be deemed satisfied by the $586 million compensation payment under the DOJ and FTC agreements."
In case you missed it, the U.S. Department of Justice (DOJ) announced last week several settlement agreements and fines against several banks. First, for conduct with the packaging, securitization, issuance, marketing and sale of residential mortgage-backed securities (RMBS) between 2005 and 2007, Credit Suisse will pay about $5.3 billion in fines and relief. That includes $2.48 billion as a civil penalty under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), and $2.8 billion in:
"... relief to underwater homeowners, distressed borrowers and affected communities, in the form of loan forgiveness and financing for affordable housing. Investors, including federally-insured financial institutions, suffered billions of dollars in losses from investing in RMBS issued and underwritten by Credit Suisse between 2005 and 2007."
Principal Deputy Associate Attorney General Bill Baer said:
"Credit Suisse claimed its mortgage backed securities were sound, but in the settlement announced today the bank concedes that it knew it was peddling investments containing loans that were likely to fail... That behavior is unacceptable. Today's $5.3 billion resolution is another step towards holding financial institutions accountable for misleading investors and the American public."
Second, for conduct with the packaging, securitization, marketing, sale and issuance of residential mortgage-backed securities (RMBS) between 2006 and 2007, Deutsche Bank will pay $7.2 billion in fines and relief. That includes a $3.1 billion civil penalty under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), and $4.1 billion in relief to underwater homeowners, distressed borrowers and affected communities.
Principal Deputy Associate Attorney General Bill Baer said:
"This $7.2 billion resolution – the largest of its kind – recognizes the immense breadth of Deutsche Bank’s unlawful scheme by demanding a painful penalty from the bank, along with billions of dollars of relief to the communities and homeowners that continue to struggle because of Wall Street’s greed... The Department will remain relentless in holding financial institutions accountable for the harm their misconduct inflicted on investors, our economy and American consumers."
Principal Deputy Assistant Attorney General Benjamin C. Mizer, head of the Justice Department’s Civil Division, said:
"In the Statement of Facts accompanying this settlement, Deutsche Bank admits making false representations and omitting material information from disclosures to investors about the loans included in RMBS securities sold by the Bank. This misconduct, combined with that of the other banks we have already settled with, hurt our economy and threatened the banking system... To make matters worse, the Bank’s conduct encouraged shoddy mortgage underwriting and improvident lending that caused borrowers to lose their homes because they couldn’t pay their loans. Today’s settlement shows once again that the Department will aggressively pursue misconduct that hurts the American public."
"... entered into a deferred prosecution agreement and agreed to pay a $32.3 million criminal penalty to resolve charges that it engaged in a scheme to defraud a number of the bank’s clients by secretly applying commissions to billions of dollars of securities trades. State Street also agreed to offer an equal amount as a civil penalty to the U.S. Securities and Exchange Commission (SEC)."
Acting Assistant Attorney General Bitkower said:
"State Street engaged in a concerted effort to fleece its clients by secretly charging unwarranted commissions... The bank fundamentally abused its clients’ trust and inflicted very real financial losses. The department will hold responsible those who engage in this type of criminal conduct."
Acting U.S. Attorney Weinreb said:
"State Street cheated its customers by agreeing to charge one price for its services and then secretly charging them something else... Banks that defraud their clients in this way must be held accountable, no matter how big they are."
Kudos to the DOJ for its enforcement actions. If this wrongdoing is ever going to stop, then jail time for executives needs to be applied.