261 posts categorized "Court Cases"

Federal Reserve Bars 2 HSBC Foreign Exchange Traders From Working In The Industry

The Federal Reserve Board (FRB) has prohibited two former foreign exchange (FX) traders from working in the banking industry. Both persons, Mark Johnson and Stuart Scott, were managers at London-based HSBC Bank plc, a subsidiary of HSBC bank. Johnson had been a managing director and the global head of FX cash trading. Scott reported to Johnson and had managed the bank's FX trading for Europe, the Middle East, and Africa.

The FRB's press release explained the reasons for its actions:

"Mark Johnson and Stuart Scott, former senior HSBC managers, were recently indicted for criminal wire fraud in connection with their trading activities... According to the indictment, Johnson and Scott made multiple misrepresentations to an FX client of HSBC in connection with a large pre-arranged currency transaction. The indictment also alleges Johnson and Scott engaged in conduct to trade to the detriment of HSBC's client and for their own (and HSBC's) benefit... the Board found that given the indictment, Johnson's and Scott's continued participation in any depository institution may threaten to impair public confidence in that institution."

The U.S. Department of Justice filed criminal charges on July 16, 2016 against Johnson and Scott in U.S. District Court for the Eastern District of New York. On August 16, 2016, a federal grand jury indicted Johnson and Scott on multiple counts of wire fraud and conspiracy to commit wire fraud. The alleged fraud happened during November and December, 2011, in part, in New York City at the offices of HSBC Bank USA National Association, a unit of HSBC.

HSBC Bank plc is a unit of HSBC Holdings plc (HSBC). HSBC's website says it has 4,400 offices in 71 countries that serve 46 million customers worldwide. Bloomberg described HSBC Bank plc's activities:

"HSBC Bank plc provides various banking products and services worldwide. The company operates through Retail Banking and Wealth Management, Commercial Banking, Global Banking and Markets, and Global Private Banking segments. It accepts various deposits, such as current, savings, and business bank accounts..."

The prohibition is effective immediately and until the criminal charges against Johnson and Scott are resolved.


4 Website Operators Settle With New York State Attorney General For Illegal Tracking of Children

Earlier this month, the Attorney General for the State of New York (NYSAG) announced settlement agreements with the operators of several popular websites for the illegal online tracking of children, which violated the Children's Online Privacy Protection Act (COPPA). The website operators agreed to pay a total of $835,000 in fines, and to comply with and implement a comprehensive set of requirements and changes.

COPPA, passed by Congress in 1998 and updated in 2013, prohibits the unauthorized collection, use, and disclosure of children’s personal information (e.g., first name, last name, e-mail address, IP address, etc.) on websites directed to children under the age of 13, including the collection of information for tracking a child’s movements across the Internet. The 2013 update expanded the list of personal information items, and prohibits covered operators from using cookies, IP addresses, and other persistent identifiers to track users across websites for most advertising purposes, amassing profiles on individual users, and serving targeted behavioral advertisements.

The NYSAG operated a program titled "Operation Child Tracker," which analyzed the most popular children’s websites for any unauthorized tracking. The analysis found that four website operators included third-party tracking on their websites -- which is prohibited by COPPA -- and failed to properly evaluate third-party companies, such as advertisers, advertising networks, and marketers. The website operators and their properties included Viacom (websites associated with Nick Jr. and Nickelodeon), Mattel (Barbie, Hot Wheels, and American Girl), JumpStart (Neopets), and Hasbro (My Little Pony, Littlest Pet Shop, and Nerf).

Regular readers of this blog are familiar with the variety of technologies and mechanisms companies have used to track consumers online: web browser cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, canvas fingerprinting, and augmented reality (which tracks consumers both online and in the physical world). For example, the web browser cookie is a small text file that a website places on a user’s computer, where it is stored by the user’s web browser. Every time a user visits the website, the website retrieves all cookie files stored by that website on the user’s computer. Some website operators shared the information contained in web browser cookies with third-party companies, such as marketing affiliates, advertisers, and tracking companies. This allows web browser cookies to be used to track a user’s browsing history across several websites.

All of this happens in the background without explicit notices in the web browser software, unless the user configures their web browser to provide notice and/or to delete all browser cookies stored. The other technologies represent alternative methods with more technical sophistication and stealth.

The announcement by the NYSAG described each website operator's activities:

"Viacom operates the Nick Jr. website, at www.nickjr.com, and the Nickelodeon website, at www.nick.com... The office of the Attorney General found a variety of improper third party tracking on the Nick Jr. and Nickelodeon websites. These included:

1. Many advertisers and agencies that placed advertisements on Nick Jr. and Nickelodeon websites introduced tracking technologies of third parties that routinely engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA. Viacom considered several approaches to mitigate the risk of COPPA violations from these third parties, including removing adult advertising from a child-directed section of the Nick Jr. website and monitoring advertisements for unexpected tracking... However, Viacom did not timely take either approach and did not implement sufficient safeguards for its users.

2. Some visitors to the homepage of the Nick Jr. website were served behavioral advertising and tracked through a third party advertising platform Viacom used to serve advertisements. Although Viacom considered the homepage of the Nick Jr. website to be parent-directed, and thus not covered by COPPA, the homepage had content that appealed to children. Under COPPA, website operators must treat mixed audience pages as child-directed..."

The NYSAG also found:

"... 26 of Mattel’s websites feature content for young children, including online games, animated cartoons, and downloadable content such as posters, computer desktop wallpaper, and pages for young children to color... The office of the Attorney General found that a variety of improper third party tracking technologies were present on Mattel’s child-directed websites and sections of websites. These included:

1. Mattel deployed a tracking technology supplied by a third party data broker across its Barbie, Hot Wheels, Fisher-Price, Monster High, Ever After High, and Thomas & Friends websites. Mattel used the tracking technology for measuring website metrics, such as the number of visitors to each site, a practice permitted under COPPA. However, the tracking technology supplied by the data broker introduced many other third party tracking technologies in a process known as “piggy backing.” Many of these third parties engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA.

2. A tracking technology that Mattel deployed on the e-commerce portion of the American Girl website, which is not directed to children or covered by COPPA, was inadvertently introduced onto certain child-directed webpages of the American Girl website.

3. Mattel uploaded videos to Google’s YouTube.com, a video hosting platform, and then embedded some of these videos onto the child-directed portion of several Mattel websites, including the Barbie website. When the embedded videos were played by children, it enabled Google tracking technologies, which were used to serve behavioral advertisements."

Regarding JumpStart, the NYSAG found:

"... several improper third party tracking technologies were present on the Neopets website, both for logged-in users under the age of 13 and users who were not logged-in. These included:

1. JumpStart failed to configure the advertising platform used to serve ads on the Neopets website in a manner that would comply with COPPA. As a result, users under the age of 13 were served behavioral advertising and tracked through the advertising platform.

2. JumpStart integrated a Facebook plug-in into the Neopets website... Facebook uses the tracking information for serving behavioral advertising, among other things, unless the website operator notifies Facebook with a COPPA flag that the website falls is subject to COPPA. JumpStart did not notify Facebook that the Neopets website was directed to children."

For Hasbro, the NYSAG found:

"... several improper third party tracking technologies were present on Hasbro’s child-directed websites and sections of websites. These included:

1. Hasbro engaged in an advertising campaign that tracked visitors to the Nerf section of Hasbro’s website in order to serve Hasbro advertisements to those same users as they visited other websites at a later time, a type of online behavioral advertising prohibited by COPPA known as “remarketing.”

2. Hasbro integrated a third-party plug-in into many of its websites, that allowed users to be tracked across websites and introduced other third parties that engaged in the type of tracking, profiling, and targeted advertising prohibited under COPPA.

It is important to note that Hasbro participated in a safe harbor program. A website operator that complies with the rules of an FTC-approved safe harbor program is deemed in compliance with COPPA. However, safe harbor programs rely on full disclosure of the operator’s practices and Hasbro failed to disclose the existence of the remarketing campaign through the Nerf website."

The terms of the settlement agreements require the website operators to:

  1. Conduct regular electronic scans for unexpected third party tracking technologies that may appear on their children’s websites. Three of the companies, Viacom, Mattel, and JumpStart will provide regular reports to the office regarding the results of the scans.
  2. Adopt procedures to evaluate third-party companies before they are introduced onto their children’s websites. The evaluation should determine whether and how the third parties collect, use, and disclose, and allow others to collect, use, and disclose, personal information from users.
  3. Provide notice to third parties that collect, use, or disclose personal information of users with information sufficient to enable the third parties to identify the websites or sections of websites that are child directed pursuant to COPPA.
  4. Update website privacy policies with either, a) information sufficient to enable parents and others to identify the websites and portions of websites that are directed to children under COPPA, or b) a means of contacting the company so that parents and others may request such information.
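A minimal static version of the scan described in item 1, written as an added example; it is not part of the settlement, the NYSAG's tooling, or the original post. The domains, section paths, and approved-vendor lists are hypothetical and the HTML is constructed. It only inspects resources named in the page markup, so tags that other tags load at run time ("piggy backing") require a browser-based crawl instead.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical operator domain and per-section lists of vendors that passed
# the evaluation in item 2. The child-directed section gets the stricter list.
FIRST_PARTY = {"toys.example"}
SECTION_POLICY = {
    "/kids/": {"metrics.example"},
    "/shop/": {"metrics.example", "shop-tags.example"},
}

# Constructed sample pages (not real sites).
SAMPLE_PAGES = {
    "https://toys.example/kids/games": """
        <script src="/js/app.js"></script>
        <script src="https://metrics.example/count.js"></script>
        <script src="//shop-tags.example/t.js"></script>
        <iframe src="https://video-host.example/embed/abc"></iframe>
        <img src="https://pixel.adnet.example/p.gif?id=1">
    """,
    "https://toys.example/shop/cart": """
        <script src="https://metrics.example/count.js"></script>
        <script src="https://shop-tags.example/t.js"></script>
    """,
}


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for elements that make the browser fetch a resource."""

    LOADING_ATTRS = {"script": "src", "iframe": "src", "img": "src", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADING_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.resources.append((tag, value))


def in_domains(host, domains):
    # Match the domain itself or a true subdomain, never a look-alike suffix.
    return any(host == d or host.endswith("." + d) for d in domains)


def approved_for(page_url):
    # Longest matching section prefix wins; unknown sections allow nothing.
    path = urlparse(page_url).path
    matches = [p for p in SECTION_POLICY if path.startswith(p)]
    return SECTION_POLICY[max(matches, key=len)] if matches else set()


def scan_page(page_url, html):
    """Return sorted (host, tag) pairs for third parties not approved here."""
    collector = ResourceCollector()
    collector.feed(html)
    allowed = approved_for(page_url)
    findings = set()
    for tag, ref in collector.resources:
        # Resolve relative and scheme-relative references against the page.
        host = urlparse(urljoin(page_url, ref)).hostname
        if not host or in_domains(host, FIRST_PARTY) or in_domains(host, allowed):
            continue
        findings.add((host, tag))
    return sorted(findings)


def scan_site(pages):
    return {url: scan_page(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, findings in scan_site(SAMPLE_PAGES).items():
        print(url)
        for host, tag in findings:
            print(f"  unexpected third party: {host} (via <{tag}>)")
```

The tag approved only for the e-commerce section is reported when it appears on the child-directed page, which is the kind of leak described for the American Girl website.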

Kudos to the NYSAG office and staff for a comprehensive analysis and enforcement to protect children's online privacy. This type of analysis and enforcement is critical as companies introduce more Internet-connected toys and products classified as part of the Internet of Things (IoT).


Wells Fargo Bank Fined $185 Million For Unlawful Sales Practices. Questions Remain

Last week, the Consumer Financial Protection Bureau (CFPB) announced a settlement agreement where Wells Fargo will pay $185 million in fines for alleged unlawful sales practices during the past five years. While many news outlets have reported about the fines and fired employees, many unanswered questions remain.

The CFPB announcement described how the fraud worked:

"Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly opening accounts and funding them by transferring funds from consumers’ authorized accounts without their knowledge or consent, often racking up fees or other charges... thousands of Wells Fargo employees illegally enrolled consumers in these products and services without their knowledge or consent in order to obtain financial compensation for meeting sales targets..."

To perpetuate the unlawful activities, employees allegedly created bogus email accounts, and both issued and activated debit cards associated with the secret accounts. Then, employees also created PIN numbers without customers' knowledge or consent:

"... employees opened roughly 1.5 million deposit accounts that may not have been authorized by consumers. Employees then transferred funds from consumers’ authorized accounts to temporarily fund the new, unauthorized accounts. This widespread practice gave the employees credit for opening the new accounts, allowing them to earn additional compensation and to meet the bank’s sales goals... employees applied for roughly 565,000 credit card accounts that may not have been authorized by consumers. On those unauthorized credit cards, many consumers incurred annual fees, as well as associated finance or interest charges and other fees..."

The Consent Order (Adobe PDF) described the unlawful sales activities in greater detail:

"[Wells Fargo's] analysis concluded that its employees opened 1,534,280 deposit accounts that may not have been authorized and that may have been funded through simulated funding, or transferring funds from consumers’ existing accounts without their knowledge or consent. That analysis determined that roughly 85,000 of those accounts incurred about $2 million in fees, which [Wells Fargo] is in the process of refunding... [Wells Fargo's] analysis concluded that its employees submitted applications for 565,443 credit-card accounts that may not have been authorized by using consumers’ information without their knowledge or consent. That analysis determined that roughly 14,000 of those accounts incurred $403,145 in fees, which Respondent is in the process of refunding. Fees incurred by consumers on such accounts included annual fees and overdraft-protection fees, as well as associated finance or interest charges and other late fees..."

The numbers are shocking: 1.5 million secret checking accounts created; $2 million in fees generated by 85,000 secret checking accounts; 565 thousand secret credit-card accounts; $403 thousand in fees generated by 14,000 secret credit-card accounts; and 5,300 employees fired due to the unlawful sales activities.

The Consent Order also stated:

"... (3) enrolled consumers in online banking services that they did not request... 12. Respondent’s employees used email addresses not belonging to consumers to enroll consumers in online-banking services without their knowledge or consent..."

This suggests that the employees knowingly attempted to circumvent the bank's internal systems designed to provide alerts and confirmation messages to customers about new accounts, and perhaps, targeted customers who weren't Internet-savvy or were perceived to be less likely to notice changes. That raises ethical issues. Also, 12 percent of consumers are "under-banked," the industry term for people who have a bank account but don't have both savings and checking accounts (and use some other payment method outside the banking system). If that ratio applies to the bank's customers, then this group was targeted, too. About 43 percent of consumers with both smartphones and bank accounts use online banking services. So, the 57-percent group of non-users were targeted, too.

Terms of the settlement agreements require the bank to pay full restitution to all victims, pay a $100 million fine to the CFPB’s Civil Penalty Fund, hire an independent consultant to review its procedures to prevent improper sales practices, pay a $35 million penalty to the Office of the Comptroller of the Currency (OCC), and pay $50 million to the City and County of Los Angeles. Additional terms require the bank to hire within 45 days of the Consent Order a consultant to independently audit the bank's processes.

Within 180 days after hiring a consultant, a written report reviewing the bank's processes must be submitted to the bank's board of directors. Within 90 days after that, the Board and consultant must develop a compliance plan to correct problems and explain why each action in the plan is accepted or rejected. The compliance plan must be submitted to the CFPB for review.

The settlement terms suggest that the bank's internal controls may be unreliable, employees and management were unreliable, or both. Context matters.

During the past five years while the unlawful sales activities occurred, Wells Fargo paid in 2011 an $85 million civil penalty to settle allegations that its employees steered potential prime borrowers into more costly subprime loans and separately falsified income information in mortgage applications. In 2015, Wells Fargo was one of four banks that paid $2.7 million to settle allegations of violations of Massachusetts foreclosure law and the Massachusetts Consumer Protection Act by illegally foreclosing upon Massachusetts residents’ homes when the banks lacked the legal authority to do so. Last month, the bank was fined $3.6 million for illegal practices while servicing private student loans.

Some customers noticed the unauthorized accounts, complained, and have moved their money to other banks or to credit unions. Wells Fargo issued a statement which said it had already prepared $5 million to refund to customers:

"The amount of the settlements, which Wells Fargo had fully accrued for at June 30, 2016, totaled $185 million, plus $5 million in customer remediation... Wells Fargo is committed to putting our customers’ interests first 100 percent of the time, and we regret and take responsibility for any instances where customers may have received a product that they did not request. Our commitment to addressing the concerns covered by these agreements has included:
- An extensive review by a third party consulting firm going back into 2011, which we completed prior to these settlements. The review included consumer and small business retail banking deposit accounts and unsecured credit cards opened during the period reviewed;
- As a result of this review, $2.6 million has been refunded to customers for any fees associated with products customers received that they may not have requested. Accounts refunded represented a fraction of one percent of the accounts reviewed, and refunds averaged $25;
- Disciplinary actions, including terminations of managers and team members who acted counter to our values;
- Investments in enhanced team-member training and monitoring and controls;
- Strengthened performance measures that are tied to customer satisfaction, loyalty and ethics; and
- Sending customers a confirming email within one hour of opening any deposit account, and sending an application acknowledgement and decision status letter after submitting an application for a credit card.”

That last item is troubling. It suggests that the bank's existing processes didn't provide confirmation emails within one hour, or did so inconsistently, or failed to do so entirely. Both traditional and online banking customers deserve prompt, consistent confirmation notices. This suggests that the bank's system may not be state-of-the-art.

During my career, I built websites in a variety of industries, including financial services, with usability best practices. Well built sites (and apps): a) provide immediate, consistent confirmation email and messages, b) provide postal confirmations for customers without email or online banking services, c) send confirmation emails to both new and old email addresses when there are changes, d) display confirmation messages (about any profile changes) to online customers after sign-on, and e) provide online customers with the option to consolidate multiple accounts (e.g., mortgage, educational loan, checking, savings, money market, credit line, credit card, etc.) under a single sign-on.

If the bank's online site and systems contained these tasks and features but were deactivated, then it suggests broader problems beyond the sales department. If the tasks weren't built or were partially built, then hopefully the compliance report and/or the CFPB review will address them.

Kudos to the CFPB, the OCC, and local Los Angeles government for holding Wells Fargo accountable; and for a correction plan with a detailed schedule and deadlines. It seems unwise to trust the bank to correct things on its own. Yet, many questions remain unanswered:

  1. For what other tasks in the user experience (e.g., new account, new/edited/additional email address, new/edited account profile elements, etc.) did the bank's systems fail to provide prompt, consistent confirmation messaging to customers (e.g., traditional offline, online banking)?
  2. How exactly did these illegal sales activities and secret accounts go undetected for so long?
  3. What was the average lifespan of a secret account? Were they permanent? Or were they temporary -- open long enough for employees to collect the compensation, and then closed? If the latter, it is disturbing how internal systems failed to notice the account churn.
  4. What percentage of the fired employees were managers? And, will more employees be fired?
  5. Will the bank "claw-back" bonuses from employees (e.g., fired, still employed) who benefited from the unlawful sales activities? And why or why not?
  6. Were any fired employees prosecuted? And why or why not?
  7. The restitution amounts seem to focus upon only fees. If the bank's employees transferred their money from interest-bearing accounts to set up the secret credit card and checking accounts, then some customers lost interest. This seems likely since we know that 12 percent of consumers are under-banked (e.g., have a checking or savings account, but not both). Did the bank conduct a forensic audit to determine the customers and lost interest amounts? That could be substantial over five years with compounding. Then, the $5 million restitution amount set aside would be insufficient.
  8. Are any of the fines tax deductible? Prior wrongdoing by banks often resulted in fines that were tax deductible. This meant the banks wrote off the fines to decrease their taxes, and taxpayers took it on the chin to make up any tax revenue shortfalls. That's not right, since taxpayers didn't commit any unlawful acts.

What are your opinions? If you are a Wells Fargo customer, what was your experience? What questions do you have?


Google Pays $5.5 Million To Settle Lawsuit Alleging Safari Browser Privacy Abuses

Last week, Google settled a long-running class-action lawsuit by agreeing to a $5.5 million payment for ignoring the privacy settings used by Safari browser users. Silicon Beat reported:

"The lawsuit arose out of the 2012 discovery by a Stanford researcher that Google had used a workaround to track Safari users’ web browsing habits. Apple, which owns Safari, had built into it privacy controls that blocked certain cookies, small files that store information that can identify users or track their activities. Google used the improperly harvested user data to dramatically boost ad revenue, the lawsuit suggested. “Behaviorally targeted advertisements based on a user’s tracked internet activity generally sell for at least twice as much as non-targeted, run-of-network ads,” the suit said."

Fortune Magazine reported:

"After Google’s practice came to light, the company agreed to pay $17 million to state attorneys general over privacy violations, and another $22.5 million to the Federal Trade Commission for violating the terms of an earlier settlement. In both cases, Google denied any wrong-doing—an outcome an FTC Commissioner then described as “inexplicable.”"

According to the settlement agreement:

"Plaintiffs centrally allege in the Complaint that Defendant Google circumvented Plaintiffs' Safari and Internet Explorer and defeated the default cookie settings of such browsers in violation of federal and state laws. More particularly, Plaintiffs allege that when Plaintiffs and Class Members visited a website containing an advertisement placed by certain Defendants in this case, tracking cookies were placed on Plaintiffs' computers that circumvented Plaintiffs' and Class Members' browser settings that blocked such cookies... The Settlement Class consists of all persons in the United States of America who used the Apple Safari or Microsoft Internet Explorer web browser and who visited a website from which a Doubleclick.net (Google's advertising serving service) from which cookies were placed by the means alleged in the Complaint..."

The terms of the settlement agreement require Google to make payments to counsel and to several nonprofit technology and privacy advocacy groups (instead of class members): the Berkeley Center for Law & Technology, the Berkman Center for Internet & Society at Harvard University, the Center for Democracy & Technology (Privacy and Data Project), Privacy Rights Clearinghouse, and the Center for Internet & Society at Stanford University (Consumer Privacy Project).

The technology giant paid $7 million in 2013 to 38 states to settle unauthorized wireless data collection by Google Streetview cars. Also in 2013, the company admitted its Android operating-system software included code by the NSA. In 2015, Google's holding company dropped the "Don't be evil" motto.

Do no wrong? Apparently, that ship has sailed and isn't returning. "Catch us if you can" might be a more accurate motto.


Honolulu Newspaper Studies Police Officer Misconduct

On Tuesday, the Honolulu Star-Advertiser reported the results of its survey:

"Nearly 1 of every 6 current Honolulu Police Department officers have been taken to court over criminal or civil allegations of wrongdoing, ranging from excessive force to domestic abuse, according to a first-of-its-kind analysis by the Honolulu Star-Advertiser. Just since 2010, an officer has been arrested or prosecuted at the rate of one every 5.7 weeks... more than 330 officers, or nearly 16 percent of the 2,100-member squad, have been named as defendants in criminal cases, temporary restraining orders and wrongful-conduct lawsuits since joining the force. Most of the lawsuits alleged on-duty civil rights violations, while most of the TROs involved off-duty conduct... about 5 percent of officers account for a disproportionate share of complaints against police..."

Some convictions have resulted:

"Of the 55 criminal cases from the past six years that the newspaper examined, more than half resulted in convictions or deferred pleas of guilty or no contest. The deferrals give the defendants the opportunity to keep their records clean if they stay out of trouble for a certain length of time. Most of the 18 officers whose pleas were deferred remain on the job. Only one of the 14 who were convicted is still an HPD officer."

How this compares to other cities in the United States:

"Although the department has not been hit by the racial strife over high-profile fatalities that has rocked some mainland police forces, it has had a steady dose of controversial cases, including ones that have cost taxpayers millions of dollars in lawsuit settlements... Although the Star-Advertiser was unable to compare HPD’s 1-in-6 ratio with rates at other comparable departments, it was able to crunch numbers from a recent national study that Stinson and several of his Bowling Green colleagues published on officer arrests. HPD did not fare well. Using Google-based searches of news articles, the researchers compiled data on arrests from 2005 to 2011 involving officers at hundreds of law enforcement agencies across the country. Based on those data, HPD had the 10th-worst rate per 100,000 population among the more than 80 police departments with at least 1,000 full-time officers. It was 11th worst on a per-1,000 officers basis."

Kudos to the Star-Advertiser for an informative report. Transparency matters. Accountability matters.

Read the Bowling Green State University (BGSU) announcement about the April, 2016 study by Philip Matthew Stinson, Sr., J.D., Ph.D. and associates titled, "Police Integrity Lost: A Study of Law Enforcement Officers Arrested" (Adobe PDF).

The Star-Advertiser's report seems to highlight an opportunity for newspapers across the United States. I am sure that readers are curious about how their local police department rates. Ideally, follow-up studies will also include data about convictions. What do you think?


Federal Court Upholds State Laws To Restrict And Prevent City-Run Broadband Services

Last week, a federal appeals court overturned a Federal Communications Commission (FCC) ruling allowing community (a/k/a "city-run" or municipal) high-speed Internet service providers (ISPs) to expand into areas not served by commercial providers. The court decision immediately affects the expansion plans of community ISPs in Tennessee and North Carolina.

Community high-speed or broadband ISPs typically provide faster speeds (e.g., upload, download) and lower prices compared to commercial ISPs. Both states had passed laws preventing community ISPs from expanding, or making it onerous to expand. The FCC sought to stop such laws to encourage more competition, more choices, and lower prices for consumers.

The initial Reuters news report did not explain the rationale the court used. ABC News reported:

"The appeals court said that the FCC's order pre-empted the state laws and "the allocation of power between a state and its subdivisions." The court said the FCC's action requires a "clear statement" of authority in federal law, but the law does not contain a clear statement authorizing pre-emption of Tennessee's and North Carolina's laws... The appeals court said its ruling was a limited one, and it does not address other issues debated in the case, including whether the FCC has any pre-emptive power at all under the Telecommunications Act of 1996."

Chattanooga, Tennessee advertises itself as "Gig City," and is proud of its fiber broadband network:

"Only in Chattanooga, Tennessee is 1 Gigabit-per-second Internet speed available to every home and business - over 150,000 of them - throughout the entire community. Urban or rural, business or residence, Internet speeds that are unsurpassed in the Western Hemisphere – from 50 Megabits-per-second all the way up to one gigabit-per-second are accessible here. Today... Chattanooga's Fiber Optic network enables upload and download speeds 200 times faster than the current national average, and 10 times faster than the FCC's National Broadband Plan (a decade ahead of schedule)."

How fast is that? You can download a full-length movie in about 2 minutes. Is that faster than the broadband speed you get in your town or city? Probably. Is it cheaper than what you're paying? Probably.

The Attorneys General in several states have worked to prevent their residents from forming city-run ISPs. Tennessee Attorney General Herbert H. Slattery III released a statement:

"We are pleased with the 6th Circuit decision reversing the FCC’s Order. As we have stated from the outset, this case was not about access to broadband. Instead, it was about preventing the federal government from exercising power over the state of Tennessee that it does not have. Current state law allows a municipal Power Board to provide internet service only within its electric service area. Today’s decision preserves Tennessee’s right to determine the authority and market area of a political subdivision organized under Tennessee law."

US Telecom, the trade association that represents corporate ISPs, released a statement:

"Today’s decision is a victory for the rule of law. The FCC’s authority is not unbridled, it is limited to powers specifically delegated by the Congress, and it does not extend to preemption of state legislatures’ exercise of jurisdiction over their own political subdivisions. As an industry that shares the commission’s interest in accelerating broadband deployment, we would suggest that the best way for the FCC to accomplish its goals is to concentrate on eliminating federal regulatory impediments to innovation and investment – where there remains to be much that can and should be done."

Of course, the trade group is happy with the court decision. State laws that restrict or prevent city-run ISPs mean less competition, which makes it easier for corporate ISPs to maintain higher prices and slower speeds (which equals greater profits).

Community ISPs provide benefits for small businesses, and not only consumers. The benefits include more jobs, better services, and the ability of local towns to attract new businesses and start-ups. These benefits apply to rural areas, too; especially rural areas not served by corporate ISPs.

The Community Broadband Networks site described the benefits for small businesses of community broadband in North Carolina:

"... Speed is important, but so is Internet choice, reliable service, and respectful customer service... Before Greenlight began serving Pinetops, the best community members could get was sluggish Centurylink DSL - or Internet access offered over the phone lines... Suzanne Coker Craig, owner of CuriosiTees, described the situation... Her business, a custom screen printing shop, uses an “on-time” inventory system, so speed and reliability is critical for last-minute or late orders... She also subscribes to Greenlight from home and her fiber connection is able to manage data intense uploads required for sending artwork, sales reports, and other large document transfers... Brent Wooten is a sales agent and Manager for Mercer Transportation, a freight management business... moving freight across the country via trucks, requires being on time; he’s an information worker in a knowledge economy... Before Greenlight came to town, Brent’s business paid Centurylink $425 per month for a few phone lines, long distance, an 800 number, and Internet access at 10 Megabits per second (Mbps) download and 1.5 Mbps upload. He was also wasting hours and even days each month trying to get his Internet fixed... When Greenlight came to the community, Centurylink changed their tune. Within hours of his business phone being ported to Greenlight, a Centurylink representative called him. “He offered to cut my current prices in half and double my Internet speed, from 10 to 20 Mbps…My Centurylink 10 Mbps speed never tested at more than 6 Mbps.” Brent chose to keep his Centurylink phone service, but he kept his 25 Mbps symmetrical Greenlight Internet service because upload speed is critical to his business..."

Will these rural consumers and small businesses lose their community broadband services? Given the court decision, that is possible. Will the court decision negatively affect jobs? Probably, since many small businesses depend upon the faster community ISPs. FCC Chairman Wheeler stated:

"While we continue to review the decision, it appears to halt the promise of jobs, investment and opportunity that community broadband has provided in Tennessee and North Carolina. In the end, I believe the Commission’s decision to champion municipal efforts highlighted the benefits of competition and the need of communities to take their broadband futures in their own hands.

In the past 18 months, over 50 communities have taken steps to build their own bridges across the digital divide. The efforts of communities wanting better broadband should not be thwarted by the political power of those who, by protecting their monopoly, have failed to deliver acceptable service at an acceptable price. The FCC’s mandate is to make sure that Americans have access to the best possible broadband. We will consider all our legal and policy options to remove barriers to broadband deployment wherever they exist so that all Americans can have access to 21st Century communications. Should states seek to repeal their anti-competitive broadband statutes, I will be happy to testify on behalf of better broadband and consumer choice. Should states seek to limit the right of people to act for better broadband, I will be happy to testify on behalf of consumer choice...”

In January 2015, several U.S. Senators introduced the Community Broadband Act legislation to block these restrictive laws in 20 states and to encourage more competition and lower prices for more consumers by allowing residents the right to operate city-run ISPs offering faster speeds and lower prices. Last week, Senator Ron Wyden (Oregon - Democrat) tweeted about the federal court decision:

Tweet by Senator Ron Wyden about Community Broadband Act

The legislation has stalled in the Republican-led Congress. Once again, you will hear politicians shout about the importance of defending states' rights against the FCC, while ignoring the rights of rural and small town residents to form community ISPs. Hypocritical politicians do this to protect their corporate ISP donors from competition, which basically screws over residents by keeping prices high and speeds slow.

Residents in rural areas, small towns, and cities can claim, "we've been mugged" by state legislatures that enacted laws preventing competition (and lower prices) from community ISPs.

Researchers compared high-speed Internet services worldwide, and found that consumers in the USA pay more and get slower speeds. That's great for corporate ISP profits and bad for consumers. The Community Broadband Act is an attempt to solve this problem.

Read the court decision: State of Tennessee, and the State of North Carolina; versus the U.S. Federal Communications Commission - (Adobe PDF). The FCC is reviewing the court's decision, and has not decided whether to appeal it.

The court decision is definitely pro-state law and anti-consumer. The court decision basically allows states to continue with laws that deny residents in local cities and towns the right to form, operate, and expand their own municipal broadband services to get lower prices and better services. That means less competition and higher prices for consumers living in states with these laws. Consider that when you vote in November.


Appeals Court Backs FCC Net Neutrality Rules: Internet Access is a Utility

Yesterday, the D.C. Court of Appeals issued its decision, which supported the new Open Internet Rules by the Federal Communications Commission (FCC) to ensure open access to the Internet by all Americans. The new rules, commonly referred to as Net Neutrality and developed in 2015, apply to both wireless and wired connections, and are based upon no blocking, no throttling, no paid prioritization, and greater transparency. Cable, telecommunications, and wireless companies have fought the new rules.

The New York Times reported:

"The court’s decision upheld the F.C.C. on the historic declaration of broadband as a utility, the most significant aspect of the rules. That has broad-reaching implications for web and telecommunications companies and signals a shift in the government’s view of broadband as a service that should be equally accessible to all Americans, rather than a luxury that does not need close government supervision... The 184-page ruling opens a path for new limits on broadband providers."

Some of the companies support the FCC's new rules:

"Google and Netflix support net neutrality rules and have warned government officials that without regulatory limits, broadband providers would have an incentive to create business models that could harm consumers. They argue that broadband providers could degrade the quality of downloads and streams of online services to extract tolls from web companies or to promote unfairly their own competing services or the content of partners."

Some of the companies against the FCC's new rules:

"The legal battle from the broadband industry is far from over. The cable and telecom industries have signaled their intent to challenge any unfavorable decision, possibly taking the case to the Supreme Court. AT&T immediately said it would continue to fight."

A spokesperson for AT&T said that it hopes the U.S. Supreme Court will ultimately decide the matter. Corporate ISPs don't want Internet access reclassified as a utility. The Republican party promoted Senator Thune's proposed legislation in Congress to undo all of the good in the latest FCC rules. I called the proposed legislation a bait and switch. Read it and you'll probably agree.

U.S. Senator Edward J. Markey (D-Mass.) said in a statement:

"... net neutrality is here to stay... The court decision affirms what we already know to be true: that the FCC has the power to classify broadband Internet access service according to its best and current understanding of the technology, and how consumers harness that technology. The battle for net neutrality is the battle for our online future, and today’s ruling is a victory for consumers, innovators, entrepreneurs, and anyone who counts on the Internet to connect to the world. This decision celebrates the free and democratic expression of ideas that is the hallmark of our online ecosystem. Protecting net neutrality ensures that the best ideas, and not merely the best-funded ideas, will rule the day.”

The D.C. Appeals Court decision is indeed good news for consumers. Both consumers and businesses use the Internet daily... need the Internet... for a variety of applications. It has become essential to everyday life. Internet access is like water or electricity. We all need it to live, to work, to attend school.

Open Internet rules make sense. When a consumer pays for Internet access, he or she should decide what they use that access for... not the Internet Service Provider (ISP). Large, corporate ISPs have amassed a variety of programming content in divisions and subsidiaries. The rule reflects this reality, and helps ensure that when YOU, the consumer, access the Internet you choose where to go -- and not your ISP, which has its own internal, financial bias toward content at owned affiliates, divisions, or business units.

The FCC has already proposed new privacy rules for high-speed ISPs, and unlocking cable set-top boxes to encourage innovation, competition, more choice, and lower prices for consumers. All of these rules make sense, complement each other, and help consumers.

The 184-page decision by the D.C. Appellate Court is available here and here (Adobe PDF; 1,001K bytes).


Courts To Use Risk Scores More Frequently. Analysis Found Scores Unreliable And Racial Bias

ProPublica investigated the use of risk assessment scores by the courts and justice system in the United States:

"... risk assessments — are increasingly common in courtrooms across the nation. They are used to inform decisions about who can be set free at every stage of the criminal justice system, from assigning bond amounts... to even more fundamental decisions about defendants’ freedom. In Arizona, Colorado, Delaware, Kentucky, Louisiana, Oklahoma, Virginia, Washington and Wisconsin, the results of such assessments are given to judges during criminal sentencing. Rating a defendant’s risk of future crime is often done in conjunction with an evaluation of a defendant’s rehabilitation needs. The Justice Department’s National Institute of Corrections now encourages the use of such combined assessments at every stage of the criminal justice process. And a landmark sentencing reform bill currently pending in Congress would mandate the use of such assessments in federal prisons."

Some important background:

"In 2014, then U.S. Attorney General Eric Holder warned that the risk scores might be injecting bias into the courts. He called for the U.S. Sentencing Commission to study their use... The sentencing commission did not, however, launch a study of risk scores. So ProPublica did, as part of a larger examination of the powerful, largely hidden effect of algorithms in American life. [ProPublica] obtained the risk scores assigned to more than 7,000 people arrested in Broward County, Florida, in 2013 and 2014 and checked to see how many were charged with new crimes over the next two years, the same benchmark used by the creators of the algorithm."

ProPublica analyzed data for Broward County in the State of Florida, and found the risk assessment scores to be unreliable:

"... in forecasting violent crime: Only 20 percent of the people predicted to commit violent crimes actually went on to do so. When a full range of crimes were taken into account — including misdemeanors such as driving with an expired license — the algorithm was somewhat more accurate than a coin flip. Of those deemed likely to re-offend, 61 percent were arrested for any subsequent crimes within two years."

ProPublica also found biases based upon race:

"In forecasting who would re-offend, the algorithm made mistakes with black and white defendants at roughly the same rate but in very different ways. The formula was particularly likely to falsely flag black defendants as future criminals, wrongly labeling them this way at almost twice the rate as white defendants. White defendants were mislabeled as low risk more often than black defendants."

ProPublica re-checked the analysis. Same results. Northpointe, the for-profit company that produced the Broward County, Florida risk scores, disagreed:

"... it criticized ProPublica’s methodology and defended the accuracy of its test: “Northpointe does not agree that the results of your analysis, or the claims being made based upon that analysis, are correct or that they accurately reflect the outcomes from the application of the model.” Northpointe’s software is among the most widely used assessment tools in the country. The company does not publicly disclose the calculations used to arrive at defendants’ risk scores, so it is not possible for either defendants or the public to see what might be driving the disparity... Northpointe’s core product is a set of scores derived from 137 questions that are either answered by defendants or pulled from criminal records. Race is not one of the questions..."

Formed in 1989, Northpointe is a wholly owned subsidiary of the Volaris Group. Northpointe works with a variety of federal, state, and local justice agencies in the United States and Canada. The company's website states that it also works with policy makers.

Besides Northpointe, several companies provide risk assessment tools to courts and the judicial system. The National Center For State Courts (NCSC) provides a list of risk assessment tools (Adobe PDF).

All of this points to a larger problem. Risk scores still haven't been adequately studied, nor have their techniques been vetted:

"There have been few independent studies of these criminal risk assessments. In 2013, researchers Sarah Desmarais and Jay Singh examined 19 different risk methodologies used in the United States and found that “in most cases, validity had only been examined in one or two studies” and that “frequently, those investigations were completed by the same people who developed the instrument.” Their analysis of the research through 2012 found that the tools “were moderate at best in terms of predictive validity,”... there have been some attempts to explore racial disparities in risk scores. One 2016 study examined the validity of a risk assessment tool, not Northpointe’s, used to make probation decisions for about 35,000 federal convicts. The researchers, Jennifer Skeem at University of California, Berkeley, and Christopher T. Lowenkamp from the Administrative Office of the U.S. Courts, found that blacks did get a higher average score but concluded the differences were not attributable to bias."

I wonder if the biases found started in the data rather than in the algorithm. The algorithm may have been developed and tested using existing prison populations which are known to be skewed, plus overly aggressive policing via school-to-prison pipelines and for-profit prisons in many states. Both the State of Florida and Broward County have histories with school-to-prison pipelines.

Plus, it seems crazy to make decisions about persons' lives based upon scores without knowing how the scores were calculated, and without adequate research or vetting of techniques. Transparency matters.

Thoughts? Opinions?


Your Fingerprints. A Key or Testimony? Why It Matters Legally

Many people use the fingerprint recognition feature on newer Apple iPhones and iPads. Consumers view the optional feature, called Touch ID, as a more convenient way to secure their phones versus passcodes. (The feature still requires a passcode, is not foolproof, and is hackable, but let's put those issues aside for now.) Most consumers probably aren't aware of the legal considerations. How the law and courts treat your fingerprints matters... specifically when used to access devices or accounts.

The basic question, which the law has not yet settled, is: are your fingerprints like a key to, say, an electronic file cabinet, or are they the equivalent of testimony? The distinction matters when the government forces people to unlock their phones. The Los Angeles Times reported:

"... authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone... The phone contained Apple's fingerprint identification system... It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common..."

Why this matters:

"... the prevailing legal stance toward fingerprints. Law enforcement routinely obtains search warrants to examine property or monitor telecommunications, even swab inside an inmate's mouth for DNA. But fingerprints have long remained in the class of evidence that doesn't require a warrant... Courts have categorized fingerprints as "real or physical evidence" sourced from the body, unlike communications or knowledge, which cannot be compelled without violating the 5th Amendment... How far can the government go to obtain biometric markers such as fingerprints and hair? The U.S. Supreme Court has held that police can search phones with a valid warrant and compel a person in custody to provide physical evidence such as fingerprints without a judge's permission. But some legal experts say there should be a higher bar for biometric data because providing a fingerprint to open a digital device gives the state access to a vast trove of personal information and could be a form of self-incrimination."

Providing a fingerprint used to be only about identification... identifying a person under arrest. Now, the same fingerprint can also be used to access electronic documents:

"... the act of compelling a person in custody to press her finger against a phone breached the 5th Amendment's protection against self-incrimination. It forced [the defendant] to testify —without uttering a word — because by moving her finger and unlocking the phone, she authenticated its contents."

Legal experts disagree about whether fingerprints are the equivalent of keys or testimony:

"... Albert Gidari, the director of privacy at Stanford Law School's Center for Internet and Society, said the action might not violate the 5th Amendment prohibition of self-incrimination... George M. Dery III, a lawyer and criminal justice professor at California State University, Fullerton, likened the warrant to the government's request for a key..."

Your opinions? Thoughts?


Justice Department Withdraws Lawsuit in Brooklyn To Force Apple To Unlock iPhone

The U.S. Department of Justice (DOJ) has withdrawn its lawsuit in Brooklyn, New York to force Apple Inc. to unlock the iPhone of a convicted drug dealer. The DOJ had appealed a judge's decision in February which denied the DOJ Reportedly, the DOJ can access the iPhone since an unnamed party provided it with the user's passcode.

In February, a judge had denied a request by the Federal Bureau of Investigation (FBI) in Brooklyn to force Apple to unlock the iPhone. The DOJ had appealed that decision. The DOJ had dropped a similar lawsuit in California to force Apple to unlock an iPhone used by one of the San Bernardino attackers after the FBI purchased a tool from an unnamed third party to hack the phone. Last week, the FBI revealed that the San Bernardino attacker's iPhone did not contain any information.

The Reuters report about the Brooklyn lawsuit also mentioned:

"Justice Department spokeswoman Emily Pierce said the cases have "never been about setting a court precedent; they are about law enforcement's ability and need to access evidence on devices pursuant to lawful court orders and search warrants." "

Both lawsuits were based upon the 227-year-old All Writs Law. I find Pierce's statement difficult to believe. It's possible, but hard to believe. With a legal precedent to force tech companies to provide "back door" access, the government probably wouldn't have to buy hacking tools from unnamed third parties.

What else might be happening? Perhaps, the government felt its court cases were weak, and wanted to avoid another unfavorable decision. Perhaps, the government doesn't want to reveal in court any details about its hacking methods. Maybe it didn't hack the phone with a passcode from an unnamed source, but instead used the tool it bought in California -- and didn't want to disclose that the tools could be used widely across iPhone models.

Perhaps, the FBI is relying upon ultimate passage by Congress of the deeply flawed Compliance with Court Orders Act of 2016 (CCOA), written by Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.). Passage of that legislation would give the FBI the access it wants to bypass all encryption methods, regardless of the privacy and economic consequences.

What are your opinions?


The Information The FBI Found After Unlocking The San Bernardino Attacker's iPhone

Remember the Federal Bureau of Investigation (FBI) lawsuit using a 227-year-old law to force Apple Inc. to build "back door" software to unlock an iPhone in California? The FBI said it couldn't unlock the phone, claimed the iPhone had important information on it, but later withdrew its lawsuit after it hired an unnamed third party to hack the iPhone. After all of this, you're probably wondering what information the FBI found on that unlocked iPhone.

Guess what they found? Nothing. Nada. Zilch. Zip. Squat. CNN reported:

"Hacking the San Bernardino terrorist's iPhone has produced data the FBI didn't have before and has helped the investigators answer some remaining questions in the ongoing probe, U.S. law enforcement officials say... Investigators are now more confident that terrorist Syed Farook didn't make contact with another plotter during an 18-minute gap that the FBI said was missing from their time line of the attackers' whereabouts after the mass shooting... The phone didn't contain evidence of contacts with other ISIS supporters or the use of encrypted communications during the period the FBI was concerned about."

More confident? Either you're confident or you aren't. That's like being pregnant. You can't be more pregnant. But hey... you gotta love those unnamed sources. Sometimes they're accurate, and other times not.

Let's translate this into plain English. The attacker's phone contained nothing, which the FBI spun as valuable. Wow! That's like saying the bulk collection (e.g., spying) of all U.S. citizens' phone calls and emails was valuable because not finding anything proved they were not doing anything criminal.

Wow! The arrogance. The waste of time, money, and resources. It takes a brass set of balls to spin crap like this and keep a straight face.

Yet, the legal wrangling ain't over. An FBI versus Apple lawsuit in Brooklyn continues. And, as CNN reported:

"Apple and the FBI are squaring off again Tuesday in testimony at a House hearing on encryption..."

Yesterday's blog post discussed everything that is wrong with the Burr-Feinstein draft anti-encryption proposal circulating in the U.S. Senate. The FBI must be feeling pretty cocky, since two Senators have its back while ignoring the consequences.

What are your opinions?


Report: Lawsuits Resulting From Corporate Data Breaches

Chart 1: Bryan Cave LLP: 2016 Breach Litigation Report.

This week, the law firm of Bryan Cave LLP released its annual review of litigation related to data breaches. 83 cases were filed, representing a 25 percent decline compared to the prior year. Other key findings from the 2016 report:

"Approximately 5% of publicly reported data breaches led to class action litigation. The conversion rate has remained relatively consistent as compared to prior years... When multiple filings against single defendants are removed, there were only 21 unique defendants during the Period. This indicates a continuation of the “lightning rod” effect noted in the 2015 Report, wherein plaintiffs’ attorneys are filing multiple cases against companies connected to the largest and most publicized breaches, and are not filing cases against the vast majority of other companies that experience data breaches..."

Slightly more than half (51 percent) of all cases were national. The most popular locations where lawsuits were filed included the Northern District of Georgia, the Central District of California, the Northern District of California, and the Northern District of Illinois. However:

"Choice of forum, however, continues to be primarily motivated by the states in which the company-victims of data breaches are based."

Charges of negligence were cited in 75 percent of lawsuits. Which industries were frequently sued and which weren't:

"... the medical industry was disproportionately targeted by the plaintiffs’ bar. While only 24% of publicly reported breaches related to the medical industry, nearly 33% of data breach class actions targeted medical or insurance providers. The overweighting of the medical industry was due, however, to multiple lawsuits filed in connection with two large scale breaches... There was a 76% decline in the percentage of class actions involving the breach of credit cards... The decline most likely reflects a reduction in the quantity of high profile credit card breaches, difficulties by plaintiffs’ attorneys to prove economic harm following such breaches, and relatively small awards and settlements..."

57 percent of cases included sensitive personal information (e.g., Social Security numbers), 23 percent of cases included debit/credit card information, and 18 percent of cases included credit reports. The law firm reviewed lawsuits occurring during a 15-month period ending in December, 2015. Data sources included Westlaw Pleadings, Westlaw Dockets, and PACER databases.

Historically, some lawsuits by consumers haven't succeeded when courts have dismissed cases because plaintiffs weren't able to prove injuries. According to the Financial Times:

"However, decisions from a number of high-profile cases are likely to make it easier for consumers to bring suits against companies in the event of a data breach... For example, in July 2015, the Seventh US Circuit Court of Appeals, overturning a previous judgment, ruled that customers of Neiman Marcus could potentially sue the retailer because they were at substantial risk of identity theft or becoming victims of fraud..."

Learn more about the Neiman Marcus class-action. Criminals hack corporate databases specifically to reuse (or resell) victims' stolen sensitive personal and payment information to obtain fraudulent credit, drain bank accounts, and/or hack online accounts -- injuries which often don't happen immediately after the breach. That's what identity thieves do. Hopefully, courts will take a broader, more enlightened view.

I look forward to reading future reports which discuss driver's license data and children's online privacy, and the Internet of Things (IoT). View the "2016 Data Breach Litigation Report" by Bryan Cave LLP. Below is another chart from the report.

Chart 2: Bryan Cave LLP: 2016 Breach Litigation Report.


Goldman Sachs Bank To Pay $5 Billion To Settle Charges About Mortgage Abuses

The U.S. Justice Department announced on Monday a $5.06 billion settlement agreement with Goldman Sachs for the bank's conduct with packaging, marketing, and sales of residential mortgage-backed securities (RMBS) between 2005 and 2007. Terms of the agreement require the bank to:

  • Pay $2.385 billion in a civil penalty under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA),
  • Pay $875 million to resolve claims by other federal and state entities. This includes $575 million to the National Credit Union Administration, $37.5 million to the Federal Home Loan Bank of Des Moines (as successor to the Federal Home Loan Bank of Seattle), $37.5 million to the Federal Home Loan Bank of Chicago, $190 million to the state of New York, $25 million to the state of Illinois, and $10 million to the state of California. And,
  • Provide $1.8 billion in other relief for underwater homeowners, distressed borrowers, and affected communities. Some of that relief includes loan forgiveness and financing for affordable housing.

The announcement described activities by specific departments in the bank:

"Goldman’s Mortgage Capital Committee, which included senior mortgage department personnel and employees from Goldman’s credit and legal departments, was required to approve every RMBS issued by Goldman.  Goldman has now acknowledged that “[t]he Mortgage Capital Committee typically received . . . summaries of Goldman’s due diligence results for certain of the loan pools backing the securitization,” but that “[d]espite the high numbers of loans that Goldman had dropped from the loan pools, the Mortgage Capital Committee approved every RMBS that was presented to it between December 2005 and 2007.”  As one example, in early 2007, Goldman approved and issued a subprime RMBS backed by loans originated by New Century Mortgage Corporation, after Goldman’s due diligence process found that one of the loan pools to be securitized included loans originated with “[e]xtremely aggressive underwriting,” and where Goldman dropped 25 percent of the loans from the due diligence sample on that pool without reviewing the unsampled 70 percent of the pool to determine whether those loans had similar problems."

U.S. Attorney Benjamin B. Wagner of the Eastern District of California described the settlement agreement:

“Today’s settlement is yet another acknowledgment by one of our leading financial institutions that it did not live up to the representations it made to investors about the products it was selling... Goldman’s conduct in exploiting the RMBS market contributed to an international financial crisis that people across the country, including many in the Eastern District of California, continue to struggle to recover from. I am gratified that this office has developed investigations, first against JPMorgan Chase and now against Goldman Sachs, that have led to significant civil settlements that hold bad actors in this market accountable. The results obtained by this office and other members of the RMBS Working Group continue to send a message to Wall Street that we remain committed to pursuing those responsible for the financial crisis.”

The Working Group was formed in 2012, and Goldman is the last of the banks to reach a settlement. Prior RMBS settlement agreements included $16.65 billion with Bank of America, $13 billion with JPMorgan, $7 billion with Citibank, and $1 billion with SunTrust. Yes, there have been so many it can be confusing or difficult to keep track.

The settlement agreement has already received much criticism. The New York Times reported:

“They appear to have grossly inflated the settlement amount for P.R. purposes to mislead the public, while in the fine print, enabling Goldman Sachs to pay 50 to 75 percent less,” said Dennis Kelleher, the founder of the advocacy organization Better Markets, referring to the government announcement. “The problem all along, with all of these settlements — and this one highlights it even more — is that they are carefully crafted more to conceal than reveal to the American public what really happened here — and what the so-called penalty is.”

And:

"... Goldman bought loans issued by subprime mortgage specialists like Countrywide Financial. Goldman then packaged these loans into bonds that were able to get the highest rating from credit rating agencies. The loans were sold to investors, who sustained losses when the loans went sour. Over the course of 2006, Goldman employees took note of the decreasing quality of loans that it was buying... When an outside analyst wrote a positive report about Countrywide’s stock in April 2006, the head of due diligence at Goldman wrote in an email: “If they only knew.” Despite the worrying signs, Goldman did not alert investors who were buying the bonds it was packaging..."

Also, Goldman Sachs will receive credits that reduce the total amount of taxes the bank will pay:

"... any money that Goldman spends on consumer relief will be deductible from its corporate tax bill. If Goldman spends $2.5 billion on consumer relief, and pays the maximum United States corporate tax rate of 35 percent, it could, in theory, reap $875 million in tax savings. But Goldman could easily pay less than $2.5 billion in consumer relief because of the sections of the settlement that give it extra credit for certain types of activity."

This means that taxpayers effectively pay for part of the fine or penalty payment. That is nuts, since taxpayers did nothing wrong. The bank did. Unfortunately, we've seen tax-deductible portions before with multi-billion-dollar bank settlement agreements. The Justice Department comment about "pursuing those responsible" seems directed at companies and never at individuals. Nobody has gone to jail, even after reports last year about possible criminal charges against bank executives.

It seems that the threat of criminal charges is a "stick" or feeble attempt the Justice Department uses during settlement negotiations. The Justice Department announcement also stated:

"The settlement expressly preserves the government’s ability to bring criminal charges against Goldman, and does not release any individuals from potential criminal or civil liability."

Enough words. We taxpayers demand action. Many consumers lost homes and others had lives disrupted during and after the financial meltdown of 2007-08, fueled largely by banks' wrongdoing. The settlement agreements haven't been only about mortgage abuses. Several banks paid billions in fines to settle foreign exchange market abuses, and unlawful foreclosures on homeowners. Add to this: a 2012 survey found many bank executives view unethical or illegal behavior as necessary to advance. A 2013 survey of bank executives found two key results: a) bad actors don't act alone nor unseen, and b) junior executives were more likely than older executives to know about, accept, and participate in illegal and/or unethical activities.

The long list of multi-billion settlements suggests the industry is unable (or unwilling) to fix its ethics problem. Those junior executives are now several years older, more experienced, and probably in managerial positions. When will there be criminal prosecutions of bank executives?


Justice Department Withdraws Lawsuit Against Apple. Confirms Third Party Successfully Unlocked Attacker's iPhone

The U.S. Justice Department (DOJ) announced on Monday its decision to withdraw its lawsuit to force Apple, Inc. to unlock an iPhone used by one of the San Bernardino attackers. U.S. Attorney Eileen M. Decker, of the Central District in California, made the two-paragraph announcement:

"The government has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone that was used by one of the terrorists who murdered 14 innocent Americans in San Bernardino on December 2nd of last year. Our decision to conclude the litigation was based solely on the fact that, with the recent assistance of a third party, we are now able to unlock that iPhone without compromising any information on the phone.

We sought an order compelling Apple to help unlock the phone to fulfill a solemn commitment to the victims of the San Bernardino shooting – that we will not rest until we have fully pursued every investigative lead related to the vicious attack. Although this step in the investigation is now complete, we will continue to explore every lead, and seek any appropriate legal process, to ensure our investigation collects all of the evidence related to this terrorist attack. The San Bernardino victims deserve nothing less."

The announcement confirmed that an undisclosed third party had successfully unlocked the attacker's newer model iPhone and retrieved information from it without triggering the auto-erase security feature. Rumors have speculated that Israel-based Cellebrite is the third party assisting the Federal Bureau of Investigation (FBI). There also was speculation that the National Security Agency (NSA) assisted the FBI.

After a cancelled March 22 court hearing, the government had an April 5 deadline to provide a status to the court. In its original complaint, the government used a 227-year-old law to force the tech company to build software to unlock the newer model iPhone and bypass its security features. The judge agreed and Apple appealed the decision.

The announcement did not mention what, if any, useful information the phone revealed. The government had suspected the device may contain information about other persons working with the attackers.

The legal fight between the FBI and Apple probably is not over. The New York Times reported:

"... what happened in the San Bernardino case doesn’t mean the fight is over,” said Esha Bhandari, a staff lawyer at the American Civil Liberties Union. She notes that the government generally goes through a process whereby it decides whether to disclose information about certain vulnerabilities so that manufacturers can patch them. “I would hope they would give that information to Apple so that it can patch any weaknesses,” she said, “but if the government classifies the tool, that suggests it may not.”

Apple released a brief statement yesterday:

"From the beginning, we objected to the FBI’s demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government’s dismissal, neither of these occurred. This case should never have been brought.

We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated. Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk..."

At least for now, engineers at Apple can refocus on improving the device's security without being forced to do investigative work the government should have done. According to TechCrunch:

"... the Department of Justice said the method only works on this phone in particular. But it’s hard to believe this argument as there’s no reason the FBI wouldn’t be able to unlock other iPhones 5c running the same version of iOS 9. Moreover, if the FBI found a software exploit, this exploit should work with all iPhones running on this version of iOS 9 (and most likely the current version of iOS, iOS 9.3)..."

What to make of these events?

If the government didn't find any useful information on the attacker's phone, then this court case has been a huge waste of time and taxpayers' money. There was speculation that the government's strategy was to gain broader legal powers to force tech companies to help it break into encrypted devices. (Reread Decker's announcement above, including "... seek any appropriate legal process...") It didn't get that legal precedent by abandoning the case.

However, two U.S. Senators have drafted proposed legislation giving federal judges such broader powers. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee. Will this proposal continue now that the government has withdrawn its lawsuit? Should this proposal continue? If it does, that bears watching. I guess the DOJ didn't want to wait for a gridlocked Congress to act next year after elections.

What are your opinions of these events?


FBI vs. Apple: Cancelled Hearing, Draft Legislation, New Decryption Capabilities, And An Outside Party

A lot happened this week. A lot. Below is a recap of key headlines and events involving Apple, Inc. and the U.S. Federal Bureau of Investigation (FBI).

Late during the day on Monday, the government's lawyers got U.S. Magistrate Sheri Pym to cancel a Tuesday March 22 hearing between Apple and the FBI about an earlier court decision forcing Apple to unlock the iPhone used by one of the San Bernardino attackers. Apple did not object to the cancelled hearing. The FBI was ordered to file a status by April 5, 2016. The government filed court papers on Monday explaining why:

"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone. Testing is required whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for assistance from Apple Inc. set forth in the All Writs Act Order in this case."

So, on or before April 5 we will learn if this outside party successfully demonstrated the ability to unlock and decrypt information stored on this newer model iPhone without any loss of or damage to the information stored on it.

Are these decryption capabilities a good thing? Ars Technica reported:

"Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, said that these new government decryption capabilities are not good for privacy and ever-expanding government surveillance. "The DOJ doesn't want bad precedent, and I think Apple had the better side in this argument," she told Ars. "Being able to hack helps DOJ for a while. Apple could upgrade beyond the capability..."

Meanwhile, two U.S. Senators have drafted proposed legislation giving federal judges broad powers to force technology companies like Apple to help law enforcement break into encrypted devices. Prior proposals died in Congress. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee.

Who is this mysterious outside party helping the FBI unlock and decrypt information on newer model iPhones? There has been speculation that the National Security Agency (NSA) was helping the FBI. One would expect the NSA to have the decryption capabilities. BGR explored this on March 4:

"... the NSA can hack into the device but that it doesn’t want to tell that to the FBI because it never likes to reveal what it’s capable of doing. If that were the case, however, why wouldn’t the NSA help the FBI behind the scenes before the FBI went public with its request for Apple’s assistance? And besides, as The Intercept notes, “courts have affirmed the NSA’s legal right to keep its investigative methods secret.” In fact, security experts explained to Wired earlier this week that the FBI could recruit the NSA to connect the iPhone 5c to a Stingray-like rogue cellular network as it’s booting up, which could give the agency the ability to control the device before it even gets to the unlock screen..."

However, Inverse reported on Thursday who else it might be and why:

"Sun Corporation, the company currently getting rich off public speculation that it can help the FBI break into the notorious San Bernardino iPhone was not always such a fierce competitor. While it’s seen the value of its stock rise 36 percent since Reuters reported that the FBI had enlisted its subsidiary, an Israeli-firm called Cellebrite, to unlock the iPhone..."

NPR reported that it might be a publicity stunt by Cellebrite. Will the FBI meet its April 5 deadline? The NPR report discussed a possible decryption approach:

"Computer forensics researcher Jonathan Zdziarski argues that because the FBI has asked courts for only two weeks to test the viability of the new method, it's likely not highly experimental. It's also likely not something destructive, like the "decapping" method that relies on physically shaving off tiny layers of the microprocessor inside the phone to reveal a special code that would let investigators move the data and crack the passcode. The idea that's garnering the most focus is something called chip cloning, or mirroring or transplantation..."

During a press conference on Friday, FBI Director James Comey wouldn't disclose the name of the outside party. USA Today also reported:

"Law enforcement officials Thursday threw cold water on two recent theories on how the FBI was attempting to hack into an iPhone used by one of the San Bernardino terrorists... FBI Director James Comey, in response to a reporter's question at a briefing, said making a copy of the iPhone’s chip in an effort to circumvent the password lockout “doesn’t work”... A widely discussed scenario in the security world, put forward by a staff technologist at the ACLU, has been that the FBI had found a way to remove crucial chips from the iPhone, make digital copies of them and then run multiple passcode attempts against the digital copies, while keeping the phone's software itself untouched. That would avoid tripping the self-erase program built into the iPhone..."

So, who is helping the FBI -- Cellebrite, the NSA, or both? Or another entity?

Another line of speculation is that the FBI has received assistance from the NSA and has decided to use Cellebrite as a false front. Why might this be true? It allows the FBI to reveal (some) investigation methods without revealing the NSA's real methods. I'm no legal expert, but if this is true, I can't see any judge being pleased about being lied to.

We shall see on or before April 5. What are your opinions? Speculation?


Apple Engineers Consider Their Options, The FBI's Goals, And 'Warrant-Proof Phones' Spin

The encryption engineers at Apple are considering their options, if the U.S. Federal Bureau of Investigation (FBI) is successful at forcing their employer to build back doors into one or several iPhones. The New York Times reported:

"Apple employees are already discussing what they will do if ordered to help law enforcement authorities. Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created, according to more than a half-dozen current and former Apple employees. Among those interviewed were Apple engineers who are involved in the development of mobile products and security, as well as former security engineers and executives."

One explanation for this:

“It’s an independent culture and a rebellious one,” said Jean-Louis Gassée, a venture capitalist who was once an engineering manager at Apple. “If the government tries to compel testimony or action from these engineers, good luck with that.”

The tech company estimated it would take 10 engineers about a month to develop the back-door software, which some have called "GovtOS." That estimate assumed the encryption engineers would be on staff and available. Security experts have warned that more court orders to unlock iPhones will likely follow, if the FBI is successful with forcing Apple to unlock the San Bernardino attacker's phone.

Since the "back doors" are really software, that software must be developed, debugged, tested, and documented like any other. Those tasks require a broader team across multiple disciplines; all of which could be working (instead) on other projects that generate revenue. Then, multiply this by multiple unlock demands. Will the government reimburse Apple for the new, broader project team it creates to build back-door software? Will the government reimburse Apple for the opportunity cost from lost projects and revenues the team members could have completed instead? Will the government reimburse Apple for the costs of hiring engineers and workers to replace those who quit? It will be interesting to see how the financial markets evaluate all of this, if the FBI successfully forces Apple to unlock iPhones.

By using a 227-year-old law, it seems that the FBI and Director James Comey want to direct the development work of private companies to do tasks they should do themselves, while ignoring the unintended consequences to business and jobs. (Remember, experts warned in 2014 that NSA spying could cost the tech industry billions of dollars.) Has the government really thought this through? It seems like they haven't.

What are the FBI's goals? An article in Quartz suggested that the FBI is:

"... worried about is the fast-approaching future when its best hackers will be stymied by powerful corporate encryption and security systems. Federal law, in its current state, is of little help. There is no precedent that will allow the government to force a private company to change its security systems so that the FBI can get inside and take a peek. In fact, the Communications Assistance for Law Enforcement Act (CALEA) could be interpreted to restrict the government from doing so. The FBI has apparently decided that it’s time for federal law to change. So its officials have been searching for a particular case that would give them a shot at changing the established legal precedent.."

Learn more about CALEA and the FBI's attempts since 2010 to expand it. An MIT Technology Review article debunked the government's spin and fear-mongering claims of a new period of "warrant-proof phones" (e.g., newer iPhones) and "going dark." There have always been warrant-proof products and services because these (analog or paper-based) items historically didn't archive or store information. So, historical government surveillance was always "dark." While law enforcement may lose some information surveillance sources in the future due to encryption, the multitude of new technologies, products, services, companies, web sites, and mobile apps during the past few years have provided it with far more sources with far more detailed information than it ever had. The old saying seems to apply: can't see the forest for the trees.

I agree. We definitely live in the golden age of surveillance.

The government's argument is weak also because it ignores the option that the well-funded bad guys, such as drug cartels and terrorist networks, can a) purchase encrypted communications products and services elsewhere outside the USA, and b) hire engineers and programmers to maintain their own encrypted systems.

What are your opinions?


ExxonMobil CEO Sues To Stop Fracking Near His Mansion

This news story highlights corporate executive hypocrisy. The Nation reported that Rex Tillerson, the Chief Executive Officer (CEO) at ExxonMobil, has sued to stop fracking activities near his mansion:

"... Tillerson, a vocal proponent of hydraulic fracking, who is suing to prevent the construction of a water tower near his eighty-three-acre, $5 million horse ranch in Bartonville, Texas. The purpose of the tower? Storing water for fracking. Tillerson and his super-wealthy neighbors are concerned, the lawsuit states, that the fracking tower might “devalue their properties..."

By implication, this means it is better to locate fracking activities in or near neighborhoods of poor and middle-income people. They won't mind, right?

Are Mr. Tillerson's hypocritical actions atypical at ExxonMobil? I think not. Why? It's important to remember history. The Guardian UK reported in July 2015:

"ExxonMobil, the world’s biggest oil company, knew as early as 1981 of climate change – seven years before it became a public issue, according to a newly discovered email from one of the firm’s own scientists. Despite this the firm spent millions over the next 27 years to promote climate denial. The email from Exxon’s in-house climate expert provides evidence the company was aware of the connection between fossil fuels and climate change, and the potential for carbon-cutting regulations that could hurt its bottom line, over a generation ago... Exxon’s public position was marked by continued refusal to acknowledge the dangers of climate change, even in response to appeals from the Rockefellers, its founding family... Over the years, Exxon spent more than $30m on think tanks and researchers that promoted climate denial, according to Greenpeace. Exxon said on Wednesday that it now acknowledges the risk of climate change and does not fund climate change denial groups."

What are your opinions?


The NFL (Finally) Admits A Link Between Football And Degenerative Brain Disease

This week, the National Football League (NFL) admitted a link between football and degenerative brain disease. Frontline reported:

"After years of skepticism, professed doubts and at times outright denial, the NFL has acknowledged a link between playing football and the degenerative brain disease known as chronic traumatic encephalopathy. The acknowledgment came one day after Jeff Miller, the NFL’s senior vice president for health and safety, told the House of Representatives’ Committee on Energy and Commerce, that football-related head trauma can lead to brain disease."

It's important to remember how we got this admission. The problem has been brewing for a long time:

"Miller’s admission broke with the NFL’s past stances on the issue. In a series of scientific papers published between 2003 and 2009, members of the league’s since disbanded “Mild Traumatic Brain Injury Committee” wrote that “no NFL player” had ever suffered chronic brain damage as a result of repeat concussions... As recently as Super Bowl week, Dr. Mitch Berger, the neurosurgeon who leads the NFL’s subcommittee on long-term brain injury, said there was still no direct link between football and CTE."

Geez.

I've watched the sport most of my life. In 2013, I wrote an open letter to the NFL detailing my dissatisfaction with the league's progress, or lack thereof, with addressing head injuries. Back then, the league had just settled a lawsuit with former players... a woefully inadequate settlement, given a $9 billion per year business built by former players -- many of whom suffer with CTE. Disgusting. So I stopped watching NFL games... all of them... even when my favorite team won Super Bowl XLIX.

This week's admission was long overdue. The league still has a lot to do to earn back my trust and support. A lot.

What next will the NFL do -- not say -- to help former players? What next to better protect players? What next to present the science to youth (before high school) so they can make informed choices? Hopefully, the league will move with more speed than it did during the last 20 years.


Apple News: eBook Price Fixing, Brooklyn, And San Bernardino

Apple, Inc. has been in the news a lot recently. So, it can be a little confusing to keep track of events. Below is a brief summary of three separate court cases.

First, the U.S. Supreme Court (SCOTUS) declined to hear an appeal by the tech giant about ebook price-fixing with book publishers. The U.S. Justice Department had sued Apple and several book publishers in April, 2012. A lower court decision in 2013 found Apple guilty. Since the SCOTUS declined to hear the appeal, the lower court decision stands, and Apple must pay a $450 million class-action settlement. Fortune Magazine reported:

"The publishers—Hachette, Penguin, Simon & Schuster, HarperCollins and Macmillan—promptly settled the case, but Apple chose to fight the charges in court. This led to a highly publicized trial in which U.S. District Judge Denise Cote issued a lengthy ruling that Apple had clearly violated Section 1 of the Sherman Act... The price-fixing case, which transfixed the publishing industry, began in 2010 when Apple’s late CEO, Steve Jobs, persuaded five major publishers to sell books on the iPod. Under the arrangement, which was designed to wrest pricing power from Amazon, the publishers shifted to a so-called “agency pricing” model in which they set the price and passed along a commission to Apple."

Second, in California Apple has appealed a lower court's decision forcing it to unlock an iPhone (running iOS 9) used by one of the San Bernardino attackers. A decision in that appeal is pending. The Federal Bureau of Investigation (FBI) admitted during testimony before Congress that it had erred when it reset the associated iCloud password, making it more difficult to access the attacker's iPhone.

Third, a court in Brooklyn (New York) ruled late in February that Apple did not have to unlock a Brooklyn drug dealer's iPhone running the iOS 7 operating system. The tech giant had initially agreed to unlock the phone, but then declined when the court first demanded more information before issuing a search warrant. Bloomberg Business reported:

"When the government first contacted Apple about the drug dealer’s phone, an Apple “data extraction specialist” said it could find data on pre-iOS 8 phones after receiving a search warrant. The next day, the government sought a warrant from [Judge] Orenstein..."

Prosecutors have used the All Writs Act in both the Brooklyn and San Bernardino cases. Bloomberg Business reported that prosecutors in the Brooklyn case argued:

"That Apple routinely extracted data from such devices shows the government’s request is not “burdensome” and doesn’t violate the All Writs Act, a 1789 law that prosecutors used to demand that Apple help access data on locked phones, the U.S. said. In refusing the government, Orenstein sided with the company’s claim that prosecutors were taking the law too far. He said Congress should resolve the issue. In their appeal, prosecutors said the All Writs Act authorizes courts to issue such warrants and that Orenstein’s “analysis goes far afield of the circumstances of this case and sets forth an unprecedented limitation of federal courts’ authority.”"

Bloomberg Business also reported:

"Apple helped the government access data on at least 70 iPhones before it stopped cooperating, according to prosecutors. For phones using older operating systems, the company can extract data from locked devices at its headquarters, according to a guide it produced for law enforcement..."


Verizon Wireless Settles With The FCC Regarding 'Supercookies' And Online Tracking

Yesterday, the Federal Communications Commission (FCC) announced a settlement agreement with Verizon Wireless regarding the company's use of "Supercookies" to track mobile users. The FCC alleged that Verizon Wireless inserted:

"... unique identifier headers or so-called “supercookies” into its customers’ mobile Internet traffic without their knowledge or consent. These unique, undeletable identifiers – referred to as UIDH – are inserted into web traffic and used to identify customers in order to deliver targeted ads from Verizon and other third parties."

Terms of the settlement agreement require Verizon Wireless to notify consumers about its targeted advertising programs, obtain customers’ opt-in consent before sharing UIDH with third-party companies and affiliates, and obtain customers’ opt-in (or opt-out) consent before sharing UIDH internally among Verizon's companies and business units. The settlement terms also require the company to pay a $1.35 million fine and adopt a three-year compliance plan.

The FCC's announcement also noted that the company was slow to update its privacy policy (bold added):

"It was not until late March 2015, over two years after Verizon Wireless first began inserting UIDH, that the company updated its privacy policy to disclose its use of UIDH and began to offer consumers the opportunity to opt-out of the insertion of unique identifier headers into their Internet traffic... Section 222 of the Communications Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose. Section 8.3 of the Commission’s rules, known as the Open Internet Transparency Rule, requires every fixed and mobile broadband Internet access provider to publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings."

The FCC began its investigation in December, 2014. At that time, the concern was:

"... whether Verizon Wireless failed to appropriately protect customer proprietary information and whether the company failed to disclose accurate and adequate information regarding its insertion of UIDH into consumer Internet traffic over its wireless network, in violation of the FCC’s 2010 Open Internet Transparency Rule and Section 222 of the Communications Act."

Verizon Wireless began inserting UIDH into consumer Internet traffic in December 2012, and didn't disclose this practice until October 2014. After acknowledging this practice, the company claimed that third-party advertising companies were unlikely to use their supercookies to build consumer profiles or for other purposes. The Washington Post reported in November 2014:

"Verizon and AT&T have been quietly tracking the Internet activity of more than 100 million cellular customers with what critics have dubbed “supercookies”... The technology has allowed the companies to monitor which sites their customers visit, cataloging their tastes and interests. Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance."

Also in November 2014, the Electronic Frontier Foundation (EFF) discovered the tracking, and asked Verizon to both notify users and get their consent before using supercookies:

"Verizon users might want to start looking for another provider. In an effort to better serve advertisers, Verizon Wireless has been silently modifying its users' web traffic on its network to inject a cookie-like tracker. This tracker, included in an HTTP header called X-UIDH, is sent to every unencrypted website a Verizon customer visits from a mobile device. It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' web browsing habits without their consent. Verizon apparently created this mechanism to expand their advertising programs, but it has privacy implications far beyond those programs."
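As an added illustration (not code from the EFF, the FCC, or this post), here is a small Python check a tester could run to confirm that a header such as X-UIDH is being added in transit: it compares what a test client sent with what a cooperating server received, then lists identifiers that reached more than one site. The sample requests, host names and identifier value are constructed for the example.

```python
from collections import defaultdict

# Header name from the EFF quote above; HTTP header names are case-insensitive.
TRACKING_HEADER = "x-uidh"


def parse_headers(raw):
    """Return {lowercased header name: value} from a raw HTTP/1.1 request head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def injected_headers(sent_raw, received_raw):
    """Headers the server received that the client never sent (added in transit)."""
    sent = parse_headers(sent_raw)
    received = parse_headers(received_raw)
    return {name: value for name, value in received.items() if name not in sent}


def cross_site_ids(observations):
    """Map each injected identifier to the hosts that saw it; keep those seen on 2+ hosts."""
    hosts_by_id = defaultdict(set)
    for sent_raw, received_raw in observations:
        added = injected_headers(sent_raw, received_raw)
        if TRACKING_HEADER in added:
            host = parse_headers(received_raw).get("host", "unknown")
            hosts_by_id[added[TRACKING_HEADER]].add(host)
    return {uid: hosts for uid, hosts in hosts_by_id.items() if len(hosts) > 1}


# --- Constructed sample data (hypothetical hosts and identifier) ---
SENT_NEWS = "GET / HTTP/1.1\nHost: news.example\nUser-Agent: test-client\n"
RECV_NEWS = SENT_NEWS + "X-UIDH: CONSTRUCTED-ID-0001\n"   # plain HTTP: header added in transit

SENT_SHOP = "GET /cart HTTP/1.1\nHost: shop.example\nUser-Agent: test-client\n"
RECV_SHOP = SENT_SHOP + "x-uidh: CONSTRUCTED-ID-0001\n"   # same identifier, different site

# Over HTTPS the request is encrypted end to end, so the server sees exactly what was sent.
SENT_BANK = "GET /login HTTP/1.1\nHost: bank.example\nUser-Agent: test-client\n"
RECV_BANK = SENT_BANK

OBSERVATIONS = [
    (SENT_NEWS, RECV_NEWS),
    (SENT_SHOP, RECV_SHOP),
    (SENT_BANK, RECV_BANK),
]

if __name__ == "__main__":
    for sent, received in OBSERVATIONS:
        host = parse_headers(received).get("host")
        print(host, "->", injected_headers(sent, received) or "nothing added")
    for uid, hosts in cross_site_ids(OBSERVATIONS).items():
        print("identifier", uid, "seen by", sorted(hosts))
```

The constructed HTTPS request arrives unchanged, which matches the quote's point that the header reaches only unencrypted websites.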

The EFF said that the Verizon Wireless settlement agreement:

"... is a huge win for Internet privacy. ISPs are trusted carriers of our communications. They should be supporting individuals' privacy rights, not undermining them."

The EFF tempered its comments with a warning about how ISPs can still secretly track consumers:

"... They can send tracking data only to selected web sites, hindering detection by third parties. ISPs can (and some very likely do) hide tracking data in a lower protocol layer, like TCP or IP, setting fields that are normally random based on an agreed-upon code. Or they could log all user browsing activity themselves and share it upon request. Detecting these more pernicious methods will require ongoing skilled technical work by the FCC and other watchdog organizations.."

This is why both a skilled oversight agency and watchdog groups are necessary. The average consumer cannot perform this technical analysis. FCC Enforcement Bureau Chief Travis LeBlanc said:

"Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online... Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate...”

Yes! Innovation and privacy are compatible. Yes, we consumers care... care greatly about privacy. Relevant advertising is not an excuse to do anything without notification and without consent. Kudos to the FCC. View the Verizon Wireless Order and Consent Decree (Adobe PDF).