270 posts categorized "Court Cases"

FTC Lawsuit Claims D-Link Products Have Inadequate Security

Do you use D-Link modem/routers or routers? Do you have or plan to buy smart home appliances or electronics (a/k/a the Internet of Things or IoT) you want to connect via your home WiFi network to these or other brand routers? Are you concerned about the security of IoT devices? If you answered yes to any of these questions, then today's blog post is for you.

The U.S. Federal Trade Commission (FTC) has filed a complaint against Taiwan-based D-Link Corporation and its U.S. subsidiary alleging the tech company didn't do enough to make its products secure from hacking. The FTC announcement stated that its complaint alleged:

"... that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras... D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as: a) "hard-coded" login credentials integrated into D-Link camera software -- such as the username “guest” and the password “guest” -- that could allow unauthorized access to the cameras’ live feed; b) a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet; c) the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and d) leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information."

Besides the D-Link shopping site, the company's products are available at many online stores, including Best Buy, Target, Walmart, and Amazon. The FTC complaint (Adobe PDF) stated 5 Counts describing in detail the alleged security lapses, some of which allegedly contradict advertising claims. The redacted complaint did not list specific product model numbers. Apple Insider reported:

"The security lapses also extended to mobile apps offered by D-Link to access and manage IP cameras and routers from a smartphone or tablet."

If these allegations are true, then item "C" is troubling. It raises questions about how and why a private key code was available on a public, unprotected server and for so long. It raises questions about why this information wasn't encrypted. Access codes on a public server may help government intelligence agencies perform their tasks, but it suggests insufficient security for consumers. Access codes and login credentials are the holy grail for criminals. This is the information they seek in order to hack accounts and hijack devices.

Consumers connect via home routers a variety of IoT or smart devices: security systems, cameras, baby monitors, thermostats, home electronics, home appliances, toys, lawn mowers, and more. If true, the vulnerabilities could allow criminals to case home furnishings, eavesdrop on conversations, watch residents' patterns and discover when they are away from home, disable security systems, access tax and financial records, redirect users' Internet usage to fraudulent sites, and more.

The risks are real. A prior blog post discussed some of the security issues with IoT devices. Home routers have been hijacked and used to shut down targeted sites. ZDNet warned in May 2015:

"According to a report released by cybersecurity firm Incapsula on Wednesday, lax security practices concerning small office and home office (SOHO) routers has resulted in tens of thousands of routers becoming hijacked -- ending up as slave systems in the botnet network. Distributed denial-of-service (DDoS) attacks are a common way to disrupt networks and online services. The networks are often made up of compromised PCs, routers and other devices. Attackers control the botnet through a command and control center (C&C) in order to flood specific domains with traffic... ISPs, vendors and users themselves -- who do not lay down basic security foundations such as changing default passwords and keeping networks locked -- have likely caused the slavery of "hundreds of thousands [...] more likely millions" of routers now powering DDoS botnets which can cause havoc for both businesses and consumers..."

And a December 7, 2016 report by Incapsula listed about 18 vendors, including D-Link, that were susceptible to the Mirai malware used by botnets. So, the threat is real. Home routers have already been hijacked by bad guys to attack sites.

D-Link posted on its site a response to the FTC complaint:

"D-Link Systems, Inc. will vigorously defend itself against the unwarranted and baseless charges made by the Federal Trade Commission (FTC)... D-Link Systems maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IOT) devices. Notably, the complaint does not allege any breach of a D-Link Systems device. Instead, the FTC speculates that consumers were placed “at risk” to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries."

That response raises more questions. Breaches involve unauthorized persons accessing computers and/or networks. Clearly, botnets are collections of hijacked devices controlled by unauthorized persons using malware. The Incapsula reports clearly documented this. So, how are hijacked home routers and IoT devices with malware not breaches? And, botnets are designed to attack targeted sites, and not necessarily the hijacked routers and devices. So, the "actual substantial injuries" argument falls apart.

Aware consumers don't want their smart televisions, refrigerators, dishwashers, home security systems, baby monitors, cameras, and other devices hijacked by bad guys. The whole situation seems to provide two important reminders for consumers: 1) protect your IoT devices, and 2) be informed shoppers.

Protecting your IoT devices means changing the default passwords, especially on your routers, and disabling remote access features. Informed shoppers inquire before purchase about software security updates for IoT devices. Are those updates included in the product price, available in a separate subscription, or not at all? There are plenty of examples of smart home products with vulnerabilities and questionable security. Informed shoppers know before purchase.

If the product offers a separate subscription for software security updates, the money spent will be well worth it to protect your sensitive personal and financial information, to protect your family's privacy, and to avoid hijacked devices. If the product lacks software security updates, you want to know what you're buying and maybe barter for a lower price. Me? I'd keep shopping for alternatives with better security.

Protect your WiFi-connected home electronics, devices, and appliances. Don't contribute to Internet security problems.

Since most consumers lack the technical expertise to understand and detect breaches on their IoT devices, I am grateful for the FTC enforcement action; and for its guidelines in 2015 for companies offering IoT devices. Plus, the FTC is concerned with industry-wide threats that could hamper commerce. Perhaps, an economist can calculate the negative impacts upon commerce, the U.S. economy, and GDP from botnet attacks.

What are your opinions of the FTC lawsuit against D-Link Corporation? Of the security of IoT devices?


Federal Reserve Bars Two Bank Executives From Working Within Industry

The Federal Reserve Board announced this enforcement action:

"Richard Henderson and Philip Cooper, who held senior positions at Regions Equipment Finance Corporation (REFCO), Regions' subsidiary, were recently indicted for bank bribery, wire fraud, money laundering, and conspiracy. According to the indictment, Henderson and Cooper conspired to defraud Regions and REFCO by directing REFCO to purchase insurance policies from a shell company that paid kickbacks to Henderson and Cooper. The indictment further alleges that Henderson and Cooper attempted to conceal those kickbacks by establishing additional shell companies to receive the kickbacks.

In issuing today's enforcement actions, the Board found that, given the indictment, Henderson's and Cooper's continued participation in any depository institution may impair public confidence in that institution. The prohibition is effective until the criminal charges against Henderson and Cooper are resolved or disposed of, or until the Board terminates the prohibition."

REFCO was founded in 1972 and is based in Birmingham, Alabama. It is a subsidiary of Regions Bank.


Ashley Madison Operators Agree to Settlement With FTC And States


The operators of the AshleyMadison.com dating site have agreed to a settlement with the U.S. Federal Trade Commission (FTC) for security lapses in a massive 2015 data breach. 37 million subscribers were affected, and the site's poor handling of its password-reset mechanism made accounts discoverable while the site had promised otherwise. The site was known for helping married persons find extra-marital affairs.

The FTC complaint against Avid Life Media Inc. sought relief and refunds for subscribers. The complaint alleged that the dating site:

"... Defendants collect, maintain, and transmit a host of personal information including: full name; username; gender; address, including zip codes; relationship status; date of birth; ethnicity; height; weight; email address; sexual preferences and desired encounters; desired activities; photographs; payment card numbers; hashed passwords; answers to security questions; and travel locations and dates. Defendants also collect and maintain consumers’ communications with each other, such as messages and chats... Until August 2014, Defendants engaged in a practice of using “engager profiles” — that is, fake profiles created by Defendants’ staff who communicate with consumers in the same way that consumers would communicate with each other—as a way to engage or attract additional consumers to AshleyMadison.com. In 2014, there were 28,417 engager profiles on the website. All but 3 of the engager profiles were female. Defendants created these profiles using profile information, including photographs, from existing members who had not had any account activity within the preceding one or more years... Because these engager profiles contained the same type of information as someone who was actually using the website, there was no way for a consumer to determine whether an engager profile was fake or real. To consumers using AshleyMadison.com, the communications generated by engager profiles were indistinguishable from communications generated by actual members... When consumers signed up for AshleyMadison.com, Defendants explained that their system is “100% secure” because consumers can delete their “digital trail”.

More importantly, the complaint alleged that the operators of the site failed to protect subscribers' information in several key ways:

"a. failed to have a written organizational information security policy;
b. failed to implement reasonable access controls. For example, they: i) failed to regularly monitor unsuccessful login attempts; ii) failed to secure remote access; iii) failed to revoke passwords for ex-employees of their service providers; iv) failed to restrict access to systems based on employees’ job functions; v) failed to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on Defendants’ network; and vi) allowed their employees to reuse passwords to access multiple servers and services;
c. failed to adequately train Defendants’ personnel to perform their data security- related duties and responsibilities;
d. failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information. For example, Defendants failed to contractually require service providers to implement reasonable security; and
e. failed to use readily available security measures to monitor their system and assets at discrete intervals to identify data security events and verify the effectiveness of protective measures."

The above items read like a laundry list of everything not to do regarding information security. Several states also sued the site's operators. Toronto, Ontario-based Ruby Corporation (formerly called Avid Life Media), ADL Media Inc. (based in Delaware), and Ruby Life Inc. (d/b/a Ashley Madison) were named as defendants in the lawsuit. According to its website, Ruby Life operates several adult dating sites: Ashley Madison, Cougar Life, and Established Men.

The Ashley Madison site generated about $47 million in revenues in the United States during 2015. The site has members in 46 countries, and almost 19 million subscribers in the United States created profiles since 2002. About 16 million of those profiles were male.

Terms of the settlement agreement require the operators to pay $1.6 million to settle FTC and state actions, and to implement a comprehensive data-security program with third-party assessments. About $828,500 is payable directly to the FTC within seven days, with an equal amount divided among participating states. If the defendants fail to make that payment to the FTC, then the full judgment of $8.75 million becomes due.

The defendants must submit to the FTC a compliance report one year after the settlement agreement. The third-party assessment program starts within 180 days of the settlement agreement and continues for 20 years with reports every two years. The terms prohibit the site's operators and defendants from misrepresenting to persons in the United States how their online site and mobile app operate. Clearly, the use of fake profiles is prohibited.

The JD Supra site discussed the fake profiles:

"AshleyMadison/Ruby’s use of chat-bot-based fake or “engager profiles” that lured users into upgrading/paying for full memberships was also addressed in the complaint. According to a report in Fortune Magazine, men who signed up for a free AshleyMadison account would be immediately contacted by a bot posing as an interested woman, but would have to buy credits from AshleyMadison to reply.

Gizmodo, among many other sites, has examined the allegations of fake female bots or “engager profiles” used to entice male users who were using Ashley Madison’s free services to convert to paid services: “Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” "

13 states worked on this case with the FTC: Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia. The State of Tennessee's share was about $57,000. Vermont Attorney General William H. Sorrell said:

“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website... I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it’s great to see that continuing.”

The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner reached their own separate settlements with the company. Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada said:

“In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”

Australian Privacy Commissioner Timothy Pilgrim stated:

"My office was pleased to work with the FTC and the Office of the Canadian Privacy Commissioner on this investigation through the APEC cross-border enforcement framework... Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

Kudos to the FTC for holding a company's feet (and its officers' and executives' feet) to the fire to protect consumers' information.


Health App Developer Settles With FTC For Deceptive Marketing Claims

The U.S. Federal Trade Commission (FTC) announced a settlement agreement with Aura Labs, Inc. regarding alleged deceptive claims about its product: the Instant Blood Pressure App. Aura sold the app from at least June 2014 to at least July 31, 2015 at the Apple App Store and at the Google Play marketplace for $3.99 (or $4.99). Sales of the app totaled about $600,000 during this period. Ryan Archdeacon, the Chief Executive Officer and President of Aura, was named as a co-defendant in the suit.

The FTC alleged that the defendants violated the FTC Act. The complaint alleged deceptive marketing claims by Aura about its blood pressure app:

"Although Defendants represent that the Instant Blood Pressure App measures blood pressure as accurately as a traditional blood pressure cuff and serves as a replacement for a traditional cuff, in fact, studies demonstrate clinically and statistically significant deviations between the App’s measurements and those from a traditional blood pressure cuff."

iMedicalApps reported on March 2, 2016:

"A study presented today at the American Heart Association EPI & Lifestyle (AHA EPI) meeting in Phoenix has shown the shocking inaccuracy of a popular medical app, Instant Blood Pressure... Back in 2014, we raised concerns about the Instant Blood Pressure medical app which claimed to measure blood pressure just by having users put their finger over their smartphone’s camera and microphone over their heart presumably to use something akin to a pulse wave velocity... Dr. Timothy Plante, a fellow in general internal medicine at Johns Hopkins, led the study in which a total of 85 participants were recruited to test the accuracy of the Instant Blood Pressure app... When looking at individuals with low blood pressure or high blood pressure, they found that the Instant Blood Pressure app gave falsely normal values. In other words, someone with high blood pressure who used the app would be falsely reassured their blood pressure was normal... the sensitivity for high blood pressure was an abysmal 20%. These results, while striking, should not be surprising. This medical app had no publicly available validation data, despite reassurance from the developer back in 2014 that such data was forthcoming. The use of things like pulse wave velocity as surrogates for blood pressure has been tried and is fraught with problems..."

The FTC complaint listed the problems with an online review posted in the Apple App Store:

"Defendant Ryan Archdeacon left the following review of the Instant Blood Pressure App in the Apple App Store: "Great start by ARCHIE1986 – Version – 1.0.1 – Jun 11, 2014. This app is a breakthrough for blood pressure monitoring. There are some kinks to work out and you do need to pay close attention to the directions in order to get a successful measurement but all-in-all it’s a breakthrough product. For those having connection problems, consider trying again. I have experienced a similar issue. It is also great that the developer is committed to continual improvements. This is a great start!!!" That the review was left by the Chief Executive Officer and President of Aura was not disclosed to consumers and would materially affect the weight and credibility consumers assigned to the endorsement."

The complaint also cited problems with endorsements posted at Aura's web site:

"At times material to this Complaint, the What People Think portion of Defendants’ website contained three endorsements, including the following endorsement from relatives of Aura’s Chairman of the Board and co-founder Aaron Giroux: "This is such a smart idea that will benefit many of us in monitoring our health in an easy and convenient way." That the endorsement was left by relatives of Aura’s Chairman of the Board and co-founder Aaron Giroux was not disclosed to consumers and would materially affect the weight and credibility consumers assigned to the endorsement."

Terms of the settlement prohibit the defendants from making such unsubstantiated claims in the future and require them to refund money to affected customers and reimburse plaintiffs for the costs of this lawsuit, along with additional unspecified items. The FTC announcement also stated that the court order imposed:

"... a judgment of $595,945.27, which is suspended based on the defendants’ inability to pay. The full amount will become due, however, if they are later found to have misrepresented their financial condition."

Copies of the complaint are available at the FTC site and here (Adobe PDF). Kudos to the FTC for its enforcement action. Product claims and endorsements should be truthful and accurate. And consumers still need to do research before purchase. Just because there's an app for it doesn't mean the results promised are guaranteed.

Got an unresolved problem with a product, service, or app? Consumers can file a complaint online with the FTC. What are your opinions of the Aura-FTC settlement? Of claims by app developers?


You Gave President Elect Donald Trump a Whale Of A Holiday Gift

Just before the long holiday weekend, the Attorney General (AG) for New York State announced a settlement agreement with President Elect Donald J. Trump regarding his now defunct, educational business Trump University. Reportedly, the $25 million settlement agreement resolves two class-action lawsuits and an action by the New York State AG.

About 7,000 students paid up to $35,000 in tuition and allegedly received little to no education. Terms of the settlement require Mr. Trump to pay $21 million to settle the two class-action lawsuits and $4 million to New York State. The New York Times reported:

"Trump University, which operated from 2004 to 2010, included free introductory seminars across the country, focusing largely on real estate investing and learning Mr. Trump’s secrets... Documents made public through the litigation revealed that some former Trump University managers had given testimony about its unscrupulous and exploitative business practices. One sales executive testified that the operation was “a facade, a total lie.” Another manager called it a “fraudulent scheme.” Other records showed how Mr. Trump had overstated the depth of his involvement in the programs. Despite claims that Mr. Trump had handpicked instructors, he acknowledged in testimony that he had not... the conclusion of the Trump University cases brings vindication to former students, mostly ordinary people across the country who felt they had been robbed of their savings by Mr. Trump..."

The settlement terms did not require Mr. Trump to admit any wrongdoing:

"At a hearing on the case in San Diego on Friday, [Trump's attorney] Daniel Petrocelli said Mr. Trump had settled the case “without an acknowledgment of fault or liability.” "

Why settle now? The Los Angeles Times reported:

"The law firm Zeldes, Haeggquist & Eck, which helped represent the plaintiffs, said in a statement Friday that it was “incredibly painful” to end the legal battle now. “We stand behind their claims 100%,” the firm said, “but there is always risk in taking a case to trial and that was particularly so here, when the defendant was poised to be the next president of the United States.” The lawsuits dogged Trump on the campaign trail, and he denied the allegations many times and said he would not settle the cases."

Some might conclude that not having to admit wrongdoing is a whale of a gift. Reportedly, attorneys for the students waived their fees so the students would receive more compensation. Students would receive 55 to 100 percent of the money they spent. Some might also say that settling 3 lawsuits for pennies on the dollar is also a whale of a holiday gift. Sadly, there is more.

Much more. Forbes Magazine explained:

"Of course, the real cost to Mr. Trump is after tax, not before it. And most business settlements are fully tax deductible. The only part that arguably may not be here is the $1 million in penalties. But barring express non-deductibility commitments, many penalties can be deducted, too. In general, fines and penalties paid to the government are not deductible. Section 162(f) of the tax code prohibits deducting "any fine or similar penalty paid to a government for the violation of any law."

Despite punitive sounding names, though, some fines and penalties are considered remedial and deductible. That allows some flexibility. Companies often deduct ‘compensatory penalties,’ a maneuver affirmed in a recent Circuit Court ruling. Some defendants insist that their settlement agreement confirms that the payments are not penalties and are remedial. Conversely, some government entities insist on the reverse.  Explicit provisions about taxes in settlement agreements are becoming more common."

You may remember the fines and payments paid by JPMorgan bank in a 2013 settlement agreement. Forbes explained that only $2 billion of the $13 billion was not tax-deductible. So, taxpayers nationwide have given Mr. Trump a whale of a holiday gift similar to gifts given repeatedly to big banks: tax-deductible payments in settlement agreements that allow them to pay less taxes. You'd think that the tax-deductible benefit would come with a price: having to admit wrongdoing.

Is this fair? Is it right? A 2014 survey by the U.S. Public Interest Research Group Education Fund found that most Americans disapprove of tax-deductible payments in settlement agreements, and want more transparency and disclosures about the contents of settlement agreements.

It is infuriating to this taxpayer. Hopefully it infuriates you, too. It seems that often payments and fines to resolve and penalize a defendant for wrongdoing are anything but. What are your opinions?


JPMorgan Chase Bank Fined $61.9 Million For Improper Hiring Practices

The Federal Reserve Board has levied a $61.9 million fine against JPMorgan bank for "unsafe and unsound" hiring practices. The Federal Reserve Board announced:

"In levying the fine on JPMorgan Chase, the Federal Reserve Board found that the firm's Asia-Pacific investment bank operated an improper referral hiring program. The firm offered internships, trainings, and other employment opportunities to candidates who were referred by foreign government officials and existing or prospective commercial clients to obtain improper business advantages.

The Federal Reserve found that the firm did not have adequate enterprise-wide controls to ensure that referred candidates were appropriately vetted and hired in accordance with applicable anti-bribery laws and firm policies."

To obtain improper business advantages, the bank operated the improper hiring program from at least 2008 through 2013. The FRB found that the program generally produced lesser qualified candidates. The Order to Cease and Desist and Order to Assess a Civil Monetary Penalty (Adobe PDF) stated:

"... from at least 2008 through 2013, JPMC’s APAC investment banking group operated a referral hiring program whereby candidates who were referred, directly or indirectly, by foreign government officials and existing or prospective commercial clients, and who in most instances were less qualified than non-referred candidates who were hired through the Firm’s standard hiring programs, were offered internships, training, and other employment opportunities in order to obtain improper business advantages for the Firm... Federal law and JPMC’s firm-wide policies prohibit the Firm’s employees from offering, directly or indirectly, anything of value, including the offer of internships, training, or other employment opportunities for relatives of a foreign government official, to foreign government officials in order to obtain improper business advantages... the laws in many foreign jurisdictions in which the Firm conducts business and JPMC’s firm-wide policies prohibit the Firm’s employees from offering, directly or indirectly, anything of value to existing or prospective commercial clients in order to obtain improper business advantages..."

JPMorgan has a spotty history worth reviewing briefly. In January 2015, it was one of four banks that settled illegal foreclosure charges with the Massachusetts Attorney General with a $2.7 million payment. In November 2014, both RBS and JPMorgan were part of a group of banks that paid $4.2 billion in fines to U.S., U.K., and Swiss regulators for rigging the foreign exchange, or FX, market. In December 2013, JPMorgan paid $515.4 million to the Federal Deposit Insurance Company (FDIC), $300 million to the California Attorney General, and $13 billion with the U.S. Justice Department to settle charges about the misrepresentation of offering documents for residential mortgage-backed securities (RMBS).

In December 2013, JPMorgan Chase announced a data breach that affected half a million prepaid card customers. U.S. taxpayers also learned that month that much of the huge fines JPMorgan paid were tax-deductible and reduced the bank's tax payments. In September 2013, the Consumer Financial Protection Bureau (CFPB) ordered both Chase Bank USA, N.A. and JPMorgan Chase Bank, N.A. to refund about $309 million to more than 2.1 million customers for illegal credit card practices, where customers were enrolled in credit monitoring services without their authorization and charged for services not delivered.

The latest Consent Order also includes a clause not to prosecute executives. Additional terms of the fine require the bank to modify its hiring practices with oversight by the U.S. Justice Department (DOJ) and the U.S. Securities and Exchange Commission (SEC). Those modifications require improved oversight by senior management and anti-bribery policies.


Facebook Says it Will Stop Allowing Some Advertisers to Exclude Users by Race

[Editor's note: Today's guest post was originally published by ProPublica on November 11, 2016. It is reprinted with permission. This prior post explained the problems with Facebook's racial advertising filters.]

by Julia Angwin, ProPublica

Facing a wave of criticism for allowing advertisers to exclude anyone with an "affinity" for African-American, Asian-American or Hispanic people from seeing ads, Facebook said it would build an automated system that would let it better spot ads that discriminate illegally.

Federal law prohibits ads for housing, employment and credit that exclude people by race, gender and other factors.

Facebook said it would build an automated system to scan advertisements to determine if they are services in these categories. Facebook will prohibit the use of its "ethnic affinities" for such ads.

Facebook said its new system should roll out within the next few months. "We are going to have to build a solution to do this. It is not going to happen overnight," said Steve Satterfield, privacy and public policy manager at Facebook.

He said that Facebook would also update its advertising policies with "stronger, more specific prohibitions" against discriminatory ads for housing, credit and employment.

In October, ProPublica purchased an ad that targeted Facebook members who were house hunting and excluded anyone with an "affinity" for African-American, Asian-American or Hispanic people. When we showed the ad to a civil rights lawyer, he said it seemed like a blatant violation of the federal Fair Housing Act.

After ProPublica published an article about its ad purchase, Facebook was deluged with criticism. Four members of Congress wrote Facebook demanding that the company stop giving advertisers the option of excluding by ethnic group.

The federal agency that enforces the nation's fair housing laws said it was "in discussions" with Facebook to address what it termed "serious concerns" about the social network's advertising practices.

And a group of Facebook users filed a class-action lawsuit against Facebook, alleging that the company's ad-targeting technology violates the Fair Housing Act and the Civil Rights Act of 1964.

Facebook's Satterfield said that today's changes are the result of "a lot of conversations with stakeholders."

Facebook said the new system would not only scan the content of ads, but could also inject pop-up notices alerting buyers when they are attempting to purchase ads that might violate the law or Facebook's ad policies.

"We're glad to see Facebook recognizing the important civil rights protections for housing, credit and employment," said Rachel Goodman, staff attorney with the racial justice program at the American Civil Liberties Union. "We hope other online advertising platforms will recognize that ads in these areas need to be treated differently."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Adobe Settles With 15 States Regarding 2013 Data Breach

The Indiana Attorney General announced a multi-state $1.0 million settlement agreement with Adobe Systems, Inc. after a data breach in 2013 in which information about 2.9 million customers nationwide was stolen. The data elements stolen included names, addresses, telephone numbers, e-mail addresses, usernames, encrypted payment card numbers and expiration dates.

Fourteen states joined Indiana in the settlement agreement: Arkansas, Connecticut, Illinois, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont. The states alleged in a lawsuit that Adobe failed to use reasonable security measures to protect its computing systems from hacks and failed to have proper intrusion detection methods installed. The multi-state settlement agreement covers about 552,000 residents from the 15 states.

Indiana's share of the settlement was $53,718.36 for 24,049 Indiana residents affected by the breach. Indiana AG Greg Zoeller said:

"This case is yet another example of the importance of protecting your personal and financial information... I continue to be an advocate for Indiana’s credit freeze protections and encourage all Hoosiers to place credit freezes with the major credit bureaus."

Connecticut's share was $135,095.71. Connecticut AG George Jepsen said:

"Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access... Adobe worked in good faith with my office and the states affected by this incident to better protect consumer information going forward, and for that it deserves some credit. My office will continue to be diligent in protecting Connecticut consumers by strictly enforcing our privacy laws."

46,465 Maryland residents were affected by the breach. Maryland AG Brian E. Frosh said:

“Reasonable security measures must be implemented to maintain the safety and security of consumers’ personal information... As a result of this agreement, Adobe has agreed to bolster its security to prevent another similar occurrence.”

More settlement agreements may be forthcoming.


Comcast Fined $2.3 Million For Charging Customers For Unrequested Services

After receiving numerous complaints from consumers, the U.S. Federal Communications Commission (FCC) investigated and announced yesterday that Comcast will pay a $2.3 million fine for charging its customers for services and equipment they did not request. The FCC announcement explained:

"The Communications Act and the FCC’s rules prohibit a cable provider from charging its subscribers for services or equipment they did not affirmatively request, a practice known as “negative option billing.”  Negative option billing burdens customers with the responsibility of contacting a cable company to dispute the charges and obtain refunds. The Communications Act and the FCC’s rules prohibit a similar practice by telecommunications carriers when unauthorized charges are placed on customers’ phone bills, an abuse known as cramming."

The complaints by consumers included:

"... unordered services or products, such as premium channels, set-top boxes, or digital video recorders (DVRs). In some complaints, subscribers claimed that they were billed despite specifically declining service or equipment upgrades offered by Comcast. In others, customers claimed that they had no knowledge of the unauthorized charges until they received unordered equipment in the mail, obtained notifications of unrequested account changes by email, or conducted a review of their monthly bills. Consumers described expending significant time and energy to attempt to remove the unauthorized charges from their bills and obtain refunds..."

This is the largest civil penalty assessed by the FCC to a cable provider. Additional terms of the settlement agreement require Comcast to implement a five-year compliance plan:

"Specifically, Comcast will adopt processes and procedures designed to obtain affirmative informed consent from customers prior to charging them for any new services or equipment. Comcast will also send customers an order confirmation separate from any other bill, clearly and conspicuously describing newly added products and their associated charges. Further, Comcast will offer to customers, at no cost, the ability to block the addition of new services or equipment to their accounts. In addition, the settlement requires Comcast to implement a detailed program for redressing disputed charges in a standardized and expedient fashion, and limits adverse action (such as referring an account to collections or suspending service) while a disputed charge is being investigated."

Comcast customers experiencing unresolved problems are encouraged to submit complaints online to the FCC, or contact the FCC Consumer Center at 1-888-225-5322, TTY at 1-888-835-5322, fax at 1-866-418-0232, or via postal mail:

Federal Communications Commission
Consumer and Governmental Affairs Bureau
Consumer Inquiries and Complaints Division
445 12th Street, SW
Washington, DC 20554

Comcast has a checkered history of customer service. In 2014, the Internet service provider (ISP) began to convert customers' home wireless routers to public hotspots, which placed the burden on customers to opt out. A customer-friendly approach instead would have asked interested customers to opt in.

In 2015, reports surfaced that 13,000 consumers had filed complaints about the ISP's usage-based pricing services. The same year, Comcast paid $33 million to settle privacy violations affecting its VOIP phone customers. Earlier this year, Comcast proposed the idea of charging customers (phone, Internet, TV, cable) additional fees for privacy.

Comcast issued a statement down-playing the FCC fine and consent order:

"We have been working very hard on improving the experience of our customers in all respects and are laser-focused on this. We acknowledge that, in the past, our customer service should have been better and our bills clearer, and that customers have at times been unnecessarily frustrated or confused. That’s why we had already put in place many improvements to do better for our customers even before the FCC’s Enforcement Bureau started this investigation almost two years ago. The changes the Bureau asked us to make were in most cases changes we had already committed to make, and many were already well underway or in our work plan to implement in the near future.

We do not agree with the Bureau’s legal theory here, and in our view, after two years, it is telling that it found no problematic policy or intentional wrongdoing, but just isolated errors or customer confusion. We agree those issues should be fixed and are pleased to put this behind us and proceed with these customer service-enhancing changes."

This latest incident with Comcast reminds me of the unlawful sales practices at Wells Fargo, where bank staff created new accounts without customers' consent or notice, all to game the sales incentive system. The CFPB assessed a massive fine on the bank earlier this year. Both incidents seem to indicate poor or asleep management and a lack of internal oversight and controls. 13,000 consumer complaints seems substantial.

What are your opinions of Comcast and the FCC fine?


Federal Reserve Bars 2 HSBC Foreign Exchange Traders From Working In The Industry

The Federal Reserve Board (FRB) has prohibited two former foreign exchange (FX) traders from working in the banking industry. Both persons, Mark Johnson and Stuart Scott, were managers at London-based HSBC Bank plc, a subsidiary of HSBC bank. Johnson had been a managing director and the global head of FX cash trading. Scott reported to Johnson and had managed the bank's FX trading for Europe, the Middle East, and Africa.

The FRB's press release explained the reasons for its actions:

"Mark Johnson and Stuart Scott, former senior HSBC managers, were recently indicted for criminal wire fraud in connection with their trading activities... According to the indictment, Johnson and Scott made multiple misrepresentations to an FX client of HSBC in connection with a large pre-arranged currency transaction. The indictment also alleges Johnson and Scott engaged in conduct to trade to the detriment of HSBC's client and for their own (and HSBC's) benefit... the Board found that given the indictment, Johnson's and Scott's continued participation in any depository institution may threaten to impair public confidence in that institution."

The U.S. Department of Justice filed criminal charges on July 16, 2016 against Johnson and Scott in U.S. District Court for the Eastern District of New York. On August 16, 2016, a federal grand jury indicted Johnson and Scott on multiple counts of wire fraud and conspiracy to commit wire fraud. The alleged fraud happened during November and December, 2011, in part, in New York City at the offices of HSBC Bank USA National Association, a unit of HSBC.

HSBC Bank plc is a unit of HSBC Holdings plc (HSBC). HSBC's website says it has 4,400 offices in 71 countries that serve 46 million customers worldwide.  Bloomberg described HSBC Bank plc's activities:

"HSBC Bank plc provides various banking products and services worldwide. The company operates through Retail Banking and Wealth Management, Commercial Banking, Global Banking and Markets, and Global Private Banking segments. It accepts various deposits, such as current, savings, and business bank accounts..."

The prohibition is effective immediately and until the criminal charges against Johnson and Scott are resolved.


4 Website Operators Settle With New York State Attorney General For Illegal Tracking of Children

Earlier this month, the Attorney General for the State of New York (NYSAG) announced settlement agreements with the operators of several popular websites for the illegal online tracking of children, which violated the Children's Online Privacy Protection Act (COPPA). The website operators agreed to pay a total of $835,000 in fines, and to comply with and implement a comprehensive set of requirements and changes.

COPPA, passed by Congress in 1998 and updated in 2013, prohibits the unauthorized collection, use, and disclosure of children’s personal information (e.g., first name, last name, e-mail address, IP address, etc.) on websites directed to children under the age of 13, including the collection of information for tracking a child’s movements across the Internet. The 2013 update expanded the list of personal information items, and prohibits covered operators from using cookies, IP addresses, and other persistent identifiers to track users across websites for most advertising purposes, amassing profiles on individual users, and serving targeted behavioral advertisements.

The NYSAG operated a program titled "Operation Child Tracker," which analyzed the most popular children’s websites for any unauthorized tracking. The analysis found that four website operators included third-party tracking on their websites -- which is prohibited by COPPA -- and failed to properly evaluate third-party companies, such as advertisers, advertising networks, and marketers. The website operators and their properties included Viacom (websites associated with Nick Jr. and Nickelodeon), Mattel (Barbie, Hot Wheels, and American Girl), JumpStart (Neopets), and Hasbro (My Little Pony, Littlest Pet Shop, and Nerf).

Regular readers of this blog are familiar with the variety of technologies and mechanisms companies have used to track consumers online: web browser cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, canvas fingerprinting, and augmented reality (which tracks consumers both online and in the physical world). For example, the web browser cookie is a small text file placed by a website on a user’s computer which is stored by the user’s web browser. Every time a user visits the website, the website retrieves all cookie files stored by that website on the user’s computer. Some website operators shared the information contained in web browser cookies with third-party companies, such as marketing affiliates, advertisers, and tracking companies. This allows web browser cookies to be used to track a user’s browsing history across several websites.

All of this happens in the background without explicit notices in the web browser software, unless the user configures their web browser to provide notice and/or to delete all browser cookies stored. The other technologies represent alternative methods with more technical sophistication and stealth.

The announcement by the NYSAG described each website operator's activities:

"Viacom operates the Nick Jr. website, at www.nickjr.com, and the Nickelodeon website, at www.nick.com... The office of the Attorney General found a variety of improper third party tracking on the Nick Jr. and Nickelodeon websites. These included:

1. Many advertisers and agencies that placed advertisements on Nick Jr. and Nickelodeon websites introduced tracking technologies of third parties that routinely engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA. Viacom considered several approaches to mitigate the risk of COPPA violations from these third parties, including removing adult advertising from a child-directed section of the Nick Jr. website and monitoring advertisements for unexpected tracking... However, Viacom did not timely take either approach and did not implement sufficient safeguards for its users.

2. Some visitors to the homepage of the Nick Jr. website were served behavioral advertising and tracked through a third party advertising platform Viacom used to serve advertisements. Although Viacom considered the homepage of the Nick Jr. website to be parent-directed, and thus not covered by COPPA, the homepage had content that appealed to children. Under COPPA, website operators must treat mixed audience pages as child-directed..."

The NYSAG also found:

"... 26 of Mattel’s websites feature content for young children, including online games, animated cartoons, and downloadable content such as posters, computer desktop wallpaper, and pages for young children to color... The office of the Attorney General found that a variety of improper third party tracking technologies were present on Mattel’s child-directed websites and sections of websites. These included:

1. Mattel deployed a tracking technology supplied by a third party data broker across its Barbie, Hot Wheels, Fisher-Price, Monster High, Ever After High, and Thomas & Friends websites. Mattel used the tracking technology for measuring website metrics, such as the number of visitors to each site, a practice permitted under COPPA. However, the tracking technology supplied by the data broker introduced many other third party tracking technologies in a process known as “piggy backing.” Many of these third parties engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA.

2. A tracking technology that Mattel deployed on the e-commerce portion of the American Girl website, which is not directed to children or covered by COPPA, was inadvertently introduced onto certain child-directed webpages of the American Girl website.

3. Mattel uploaded videos to Google’s YouTube.com, a video hosting platform, and then embedded some of these videos onto the child-directed portion of several Mattel websites, including the Barbie website. When the embedded videos were played by children, it enabled Google tracking technologies, which were used to serve behavioral advertisements."

Regarding JumpStart, the NYSAG found:

"... several improper third party tracking technologies were present on the Neopets website, both for logged-in users under the age of 13 and users who were not logged-in. These included:

1. JumpStart failed to configure the advertising platform used to serve ads on the Neopets website in a manner that would comply with COPPA. As a result, users under the age of 13 were served behavioral advertising and tracked through the advertising platform.

2. JumpStart integrated a Facebook plug-in into the Neopets website... Facebook uses the tracking information for serving behavioral advertising, among other things, unless the website operator notifies Facebook with a COPPA flag that the website is subject to COPPA. JumpStart did not notify Facebook that the Neopets website was directed to children."

For Hasbro, the NYSAG found:

"... several improper third party tracking technologies were present on Hasbro’s child-directed websites and sections of websites. These included:

1. Hasbro engaged in an advertising campaign that tracked visitors to the Nerf section of Hasbro’s website in order to serve Hasbro advertisements to those same users as they visited other websites at a later time, a type of online behavioral advertising prohibited by COPPA known as “remarketing.”

2. Hasbro integrated a third-party plug-in into many of its websites, that allowed users to be tracked across websites and introduced other third parties that engaged in the type of tracking, profiling, and targeted advertising prohibited under COPPA.

It is important to note that Hasbro participated in a safe harbor program. A website operator that complies with the rules of an FTC-approved safe harbor program is deemed in compliance with COPPA. However, safe harbor programs rely on full disclosure of the operator’s practices and Hasbro failed to disclose the existence of the remarketing campaign through the Nerf website."

The terms of the settlement agreements require the website operators to:

  1. Conduct regular electronic scans for unexpected third party tracking technologies that may appear on their children’s websites. Three of the companies, Viacom, Mattel, and JumpStart will provide regular reports to the office regarding the results of the scans.
  2. Adopt procedures to evaluate third-party companies before they are introduced onto their children’s websites. The evaluation should determine whether and how the third parties collect, use, and disclose, and allow others to collect, use, and disclose, personal information from users.
  3. Provide notice to third parties that collect, use, or disclose personal information of users with information sufficient to enable the third parties to identify the websites or sections of websites that are child directed pursuant to COPPA.
  4. Update website privacy policies with either a) information sufficient to enable parents and others to identify the websites and portions of websites that are directed to children under COPPA, or b) a means of contacting the company so that parents and others may request such information.
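
The first settlement term, a regular scan for unexpected third-party technologies, can be approximated with a static check of a page's markup. The sketch below is an added example, not code from the NYSAG, the settlement, or any of the operators; the page URL, hostnames, approved list and sample HTML are all constructed, and the two-label `site_of` guess is a simplifying assumption.

```python
"""Flag third-party resources in a page's HTML that are not on an approved list."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch something when the page loads.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                  "embed": "src", "object": "data", "link": "href"}
# <link> only triggers a fetch or connection for these rel values.
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect", "icon"}


def site_of(host):
    """Crude registrable-domain guess: the last two labels of the host.

    Assumption: adequate for the constructed hosts below; a production scan
    should consult the Public Suffix List instead.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every embedded resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return  # e.g. rel="canonical" never causes a request
        value = attrs.get(attr)
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            self.found.append((tag, url))


def scan(page_url, html, approved_sites):
    """Return one finding per third-party resource, marked approved or unexpected."""
    first_party = site_of(urlparse(page_url).hostname)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.found:
        site = site_of(urlparse(url).hostname)
        if site == first_party:
            continue  # same site, including its own subdomains
        status = "approved" if site in approved_sites else "unexpected"
        findings.append({"tag": tag, "site": site, "url": url, "status": status})
    return findings


def unexpected_sites(findings):
    """Sorted list of third-party sites that were never evaluated and approved."""
    return sorted({f["site"] for f in findings if f["status"] == "unexpected"})


# Constructed sample: a child-directed page with vetted and unvetted embeds.
SAMPLE_URL = "https://kids.example.com/games/"
APPROVED_SITES = {"analytics-vendor.example", "font-vendor.example"}
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example.com/lib.js"></script>
  <script src="//metrics.analytics-vendor.example/collect.js"></script>
  <link rel="stylesheet" href="https://static.font-vendor.example/f.css">
  <link rel="canonical" href="https://other.example/">
</head><body>
  <iframe src="https://www.video-host.example/embed/abc123"></iframe>
  <img src="https://px.adnetwork.example/p.gif?uid=1" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_URL, SAMPLE_HTML, APPROVED_SITES):
        print(f'{finding["status"]:<10} {finding["tag"]:<7} {finding["url"]}')
```

A static scan only sees what is in the delivered markup. The "piggy backing" described in the Mattel findings happens when an already-loaded script pulls in further third parties at run time, so a complete scan also has to record the network requests of a real browser session.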

Kudos to the NYSAG office and staff for a comprehensive analysis and enforcement to protect children's online privacy. This type of analysis and enforcement is critical as companies introduce more Internet-connected toys and products classified as part of the Internet of Things (IoT).


Wells Fargo Bank Fined $185 Million For Unlawful Sales Practices. Questions Remain

Last week, the Consumer Financial Protection Bureau (CFPB) announced a settlement agreement where Wells Fargo will pay $185 million in fines for alleged unlawful sales practices during the past five years. While many news outlets have reported about the fines and fired employees, many unanswered questions remain.

The CFPB announcement described how the fraud worked:

"Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly opening accounts and funding them by transferring funds from consumers’ authorized accounts without their knowledge or consent, often racking up fees or other charges... thousands of Wells Fargo employees illegally enrolled consumers in these products and services without their knowledge or consent in order to obtain financial compensation for meeting sales targets..."

To perpetuate the unlawful activities, employees allegedly created bogus email accounts, and both issued and activated debit cards associated with the secret accounts. Then, employees also created PIN numbers without customers' knowledge or consent:

"... employees opened roughly 1.5 million deposit accounts that may not have been authorized by consumers. Employees then transferred funds from consumers’ authorized accounts to temporarily fund the new, unauthorized accounts. This widespread practice gave the employees credit for opening the new accounts, allowing them to earn additional compensation and to meet the bank’s sales goals... employees applied for roughly 565,000 credit card accounts that may not have been authorized by consumers. On those unauthorized credit cards, many consumers incurred annual fees, as well as associated finance or interest charges and other fees..."

The Consent Order (Adobe PDF) described the unlawful sales activities in greater detail:

"[Wells Fargo's] analysis concluded that its employees opened 1,534,280 deposit accounts that may not have been authorized and that may have been funded through simulated funding, or transferring funds from consumers’ existing accounts without their knowledge or consent. That analysis determined that roughly 85,000 of those accounts incurred about $2 million in fees, which [Wells Fargo] is in the process of refunding... [Wells Fargo's] analysis concluded that its employees submitted applications for 565,443 credit-card accounts that may not have been authorized by using consumers’ information without their knowledge or consent. That analysis determined that roughly 14,000 of those accounts incurred $403,145 in fees, which Respondent is in the process of refunding. Fees incurred by consumers on such accounts included annual fees and overdraft-protection fees, as well as associated finance or interest charges and other late fees..."

The numbers are shocking: 1.5 million secret checking accounts created; $2 million in fees generated by 85,000 secret checking accounts; 565 thousand secret credit-card accounts; $403 thousand in fees generated by 14,000 secret credit-card accounts; and 5,300 employees fired due to the unlawful sales activities.

The Consent Order also stated:

"... (3) enrolled consumers in online banking services that they did not request... 12. Respondent’s employees used email addresses not belonging to consumers to enroll consumers in online-banking services without their knowledge or consent..."

This suggests that the employees knowingly attempted to circumvent the bank's internal systems designed to provide alerts and confirmation messages to customers about new accounts, and perhaps, targeted customers who weren't Internet-savvy or were perceived to be less likely to notice changes. That raises ethical issues. Also, 12 percent of consumers are "under-banked," the industry term for people who have a bank account but don't have both savings and checking accounts (and use some other payment method outside the banking system). If that ratio applies to the bank's customers, then this group was targeted, too. About 43 percent of consumers with both smartphones and bank accounts use online banking services. So, the 57-percent group of non-users were targeted, too.

Terms of the settlement agreements require the bank to pay full restitution to all victims, pay a $100 million fine to the CFPB’s Civil Penalty Fund, hire an independent consultant to review its procedures to prevent improper sales practices, pay a $35 million penalty to the Office of the Comptroller of the Currency (OCC), and pay $50 million to the City and County of Los Angeles. Additional terms require the bank to hire within 45 days of the Consent Order a consultant to independently audit the bank's processes.

Within 180 days after hiring a consultant, a written report reviewing the bank's processes must be submitted to the bank's board of directors. Within 90 days after that, the Board and consultant must develop a compliance plan to correct problems and explain why each action in the plan is accepted or rejected. The compliance plan must be submitted to the CFPB for review.

The settlement terms suggest that the bank's internal controls may be unreliable, employees and management were unreliable, or both. Context matters.

During the past five years while the unlawful sales activities occurred, Wells Fargo paid in 2011 an $85 million civil penalty to settle allegations that its employees steered potential prime borrowers into more costly subprime loans and separately falsified income information in mortgage applications. In 2015, Wells Fargo was one of four banks that paid $2.7 million to settle allegations of violations of Massachusetts foreclosure law and the Massachusetts Consumer Protection Act by illegally foreclosing upon Massachusetts residents’ homes when the banks lacked the legal authority to do so. Last month, the bank was fined $3.6 million for illegal practices while servicing private student loans.

Some customers noticed the unauthorized accounts, complained, and have moved their money to other banks or to credit unions. Wells Fargo issued a statement which said it had already prepared $5 million to refund to customers:

"The amount of the settlements, which Wells Fargo had fully accrued for at June 30, 2016, totaled $185 million, plus $5 million in customer remediation... Wells Fargo is committed to putting our customers’ interests first 100 percent of the time, and we regret and take responsibility for any instances where customers may have received a product that they did not request. Our commitment to addressing the concerns covered by these agreements has included:
- An extensive review by a third party consulting firm going back into 2011, which we completed prior to these settlements. The review included consumer and small business retail banking deposit accounts and unsecured credit cards opened during the period reviewed;
- As a result of this review, $2.6 million has been refunded to customers for any fees associated with products customers received that they may not have requested. Accounts refunded represented a fraction of one percent of the accounts reviewed, and refunds averaged $25;
- Disciplinary actions, including terminations of managers and team members who acted counter to our values;
- Investments in enhanced team-member training and monitoring and controls;
- Strengthened performance measures that are tied to customer satisfaction, loyalty and ethics; and
- Sending customers a confirming email within one hour of opening any deposit account, and sending an application acknowledgement and decision status letter after submitting an application for a credit card."

That last item is troubling. It suggests that the bank's existing processes didn't provide confirmation emails within one hour, or did so inconsistently, or failed to do so entirely. Both traditional and online banking customers deserve prompt, consistent confirmation notices. This suggests that the bank's system may not be state-of-the-art.

During my career, I built websites in a variety of industries, including financial services, with usability best practices. Well-built sites (and apps): a) provide immediate, consistent confirmation email and messages, b) provide postal confirmations for customers without email or online banking services, c) send confirmation emails to both new and old email addresses when there are changes, d) display confirmation messages (about any profile changes) to online customers after sign-on, and e) provide online customers with the option to consolidate multiple accounts (e.g., mortgage, educational loan, checking, savings, money market, credit line, credit card, etc.) under a single sign-on.

If the bank's online site and systems contained these tasks and features but were deactivated, then it suggests broader problems beyond the sales department. If the tasks weren't built or were partially built, then hopefully the compliance report and/or the CFPB review will address them.

Kudos to the CFPB, the OCC, and local Los Angeles government for holding Wells Fargo accountable; and for a correction plan with a detailed schedule and deadlines. It seems unwise to trust the bank to correct things on its own. Yet, many questions remain unanswered:

  1. For which other tasks in the user experience (e.g., new account, new/edited/additional email address, new/edited account profile elements, etc.) did the bank's systems fail to provide prompt, consistent confirmation messaging to customers (e.g., traditional offline, online banking)?
  2. How exactly did these illegal sales activities and secret accounts go undetected for so long?
  3. What was the average lifespan of a secret account? Were they permanent? Or were they temporary -- open long enough for employees to collect the compensation, and then closed? If the latter, it is disturbing how internal systems failed to notice the account churn.
  4. What percentage of the fired employees were managers? And, will more employees be fired?
  5. Will the bank "claw-back" bonuses from employees (e.g., fired, still employed) who benefited from the unlawful sales activities? And why or why not?
  6. Were any fired employees prosecuted? And why or why not?
  7. The restitution amounts seem to focus upon only fees. If the bank's employees transferred customers' money from interest-bearing accounts to set up the secret credit card and checking accounts, then some customers lost interest. This seems likely since we know that 12 percent of consumers are under-banked (e.g., have a checking or savings account, but not both). Did the bank conduct a forensic audit to determine the customers and lost interest amounts? That could be substantial over five years with compounding. Then, the $5 million restitution amount set aside would be insufficient.
  8. Are any of the fines tax deductible? Prior wrongdoing by banks often resulted in fines that were tax deductible. This meant the banks wrote off the fines to decrease their taxes, and taxpayers took it on the chin to make up any tax revenue shortfalls. That's not right, since taxpayers didn't commit any unlawful acts.

What are your opinions? If you are a Wells Fargo customer, what was your experience? What questions do you have?


Google Pays $5.5 Million To Settle Lawsuit Alleging Safari Browser Privacy Abuses

Last week, Google settled a long-running class-action lawsuit by agreeing to a $5.5 million payment for ignoring the privacy settings used by Safari browser users. Silicon Beat reported:

"The lawsuit arose out of the 2012 discovery by a Stanford researcher that Google had used a workaround to track Safari users’ web browsing habits. Apple, which owns Safari, had built into it privacy controls that blocked certain cookies, small files that store information that can identify users or track their activities. Google used the improperly harvested user data to dramatically boost ad revenue, the lawsuit suggested. “Behaviorally targeted advertisements based on a user’s tracked internet activity generally sell for at least twice as much as non-targeted, run-of-network ads,” the suit said."

Fortune Magazine reported:

"After Google’s practice came to light, the company agreed to pay $17 million to state attorneys general over privacy violations, and another $22.5 million to the Federal Trade Commission for violating the terms of an earlier settlement. In both cases, Google denied any wrong-doing—an outcome an FTC Commissioner then described as “inexplicable.”"

According to the settlement agreement:

"Plaintiffs centrally allege in the Complaint that Defendant Google circumvented Plaintiffs' Safari and Internet Explorer and defeated the default cookie settings of such browsers in violation of federal and state laws. More particularly, Plaintiffs allege that when Plaintiffs and Class Members visited a website containing an advertisement placed by certain Defendants in this case, tracking cookies were placed on Plaintiffs' computers that circumvented Plaintiffs' and Class Members' browser settings that blocked such cookies... The Settlement Class consists of all persons in the United States of America who used the Apple Safari or Microsoft Internet Explorer web browser and who visited a website from which a Doubleclick.net (Google's advertising serving service) from which cookies were placed by the means alleged in the Complaint..."

The terms of the settlement agreement require Google to make payments to counsel and to several nonprofit technology and privacy advocacy groups (instead of class members): the Berkeley Center for Law & Technology, the Berkman Center for Internet & Society at Harvard University, the Center for Democracy & Technology (Privacy and Data Project), Privacy Rights Clearinghouse, and the Center for Internet & Society at Stanford University (Consumer Privacy Project).

The technology giant paid $7 million in 2013 to 38 states to settle unauthorized wireless data collection by Google Streetview cars. Also in 2013, the company admitted its Android operating-system software included code by the NSA. In 2015, Google's holding company dropped the "Don't be evil" motto.

Do no wrong? Apparently, that ship has sailed and isn't returning. "Catch us if you can" might be a more accurate motto.


Honolulu Newspaper Studies Police Officer Misconduct

On Tuesday, the Honolulu Star-Advertiser reported the results of its survey:

"Nearly 1 of every 6 current Honolulu Police Department officers have been taken to court over criminal or civil allegations of wrongdoing, ranging from excessive force to domestic abuse, according to a first-of-its-kind analysis by the Honolulu Star-Advertiser. Just since 2010, an officer has been arrested or prosecuted at the rate of one every 5.7 weeks... more than 330 officers, or nearly 16 percent of the 2,100-member squad, have been named as defendants in criminal cases, temporary restraining orders and wrongful-conduct lawsuits since joining the force. Most of the lawsuits alleged on-duty civil rights violations, while most of the TROs involved off-duty conduct... about 5 percent of officers account for a disproportionate share of complaints against police..."

Some convictions have resulted:

"Of the 55 criminal cases from the past six years that the newspaper examined, more than half resulted in convictions or deferred pleas of guilty or no contest. The deferrals give the defendants the opportunity to keep their records clean if they stay out of trouble for a certain length of time. Most of the 18 officers whose pleas were deferred remain on the job. Only one of the 14 who were convicted is still an HPD officer."

How this compares to other cities in the United States:

"Although the department has not been hit by the racial strife over high-profile fatalities that has rocked some mainland police forces, it has had a steady dose of controversial cases, including ones that have cost taxpayers millions of dollars in lawsuit settlements... Although the Star-Advertiser was unable to compare HPD’s 1-in-6 ratio with rates at other comparable departments, it was able to crunch numbers from a recent national study that Stinson and several of his Bowling Green colleagues published on officer arrests. HPD did not fare well. Using Google-based searches of news articles, the researchers compiled data on arrests from 2005 to 2011 involving officers at hundreds of law enforcement agencies across the country. Based on those data, HPD had the 10th-worst rate per 100,000 population among the more than 80 police departments with at least 1,000 full-time officers. It was 11th worst on a per-1,000 officers basis."

Kudos to the Star-Advertiser for an informative report. Transparency matters. Accountability matters.

Read the Bowling Green State University (BGSU) announcement about the April 2016 study by Philip Matthew Stinson, Sr., J.D., Ph.D. and associates titled "Police Integrity Lost: A Study of Law Enforcement Officers Arrested" (Adobe PDF).

The Star-Advertiser's report seems to highlight an opportunity for newspapers across the United States. I am sure that readers are curious about how their local police department rates. Ideally, follow-up studies will also include data about convictions. What do you think?


Federal Court Upholds State Laws To Restrict And Prevent City-Run Broadband Services

Last week, a federal appeals court overturned a Federal Communications Commission (FCC) ruling allowing community (a/k/a "city-run" or municipal) high-speed Internet service providers (ISPs) to expand into areas not served by commercial providers. The court decision immediately affects the expansion plans of community ISPs in Tennessee and North Carolina.

Community high-speed or broadband ISPs typically provide faster speeds (e.g., upload, download) and lower prices compared to commercial ISPs. Both states had passed laws preventing community ISPs from expanding, or making it onerous to expand. The FCC sought to stop such laws to encourage more competition, more choices, and lower prices for consumers.

The initial Reuters news report did not explain the rationale the court used. ABC News reported:

"The appeals court said that the FCC's order pre-empted the state laws and "the allocation of power between a state and its subdivisions." The court said the FCC's action requires a "clear statement" of authority in federal law, but the law does not contain a clear statement authorizing pre-emption of Tennessee's and North Carolina's laws... The appeals court said its ruling was a limited one, and it does not address other issues debated in the case, including whether the FCC has any pre-emptive power at all under the Telecommunications Act of 1996."

Chattanooga, Tennessee advertises itself as "Gig City," and is proud of its fiber broadband network:

"Only in Chattanooga, Tennessee is 1 Gigabit-per-second Internet speed available to every home and business - over 150,000 of them - throughout the entire community. Urban or rural, business or residence, Internet speeds that are unsurpassed in the Western Hemisphere – from 50 Megabits-per-second all the way up to one gigabit-per-second are accessible here. Today... Chattanooga's Fiber Optic network enables upload and download speeds 200 times faster than the current national average, and 10 times faster than the FCC's National Broadband Plan (a decade ahead of schedule)."

How fast is that? You can download a full-length movie in about 2 minutes. Is that faster than the broadband speed you get in your town or city? Probably. Is it cheaper than what you're paying? Probably.

The Attorneys General in several states have worked to prevent their residents from forming city-run ISPs. Tennessee Attorney General Herbert H. Slattery III released a statement:

"We are pleased with the 6th Circuit decision reversing the FCC’s Order. As we have stated from the outset, this case was not about access to broadband. Instead, it was about preventing the federal government from exercising power over the state of Tennessee that it does not have. Current state law allows a municipal Power Board to provide internet service only within its electric service area. Today’s decision preserves Tennessee’s right to determine the authority and market area of a political subdivision organized under Tennessee law."

US Telecom, the trade association that represents corporate ISPs, released a statement:

"Today’s decision is a victory for the rule of law. The FCC’s authority is not unbridled, it is limited to powers specifically delegated by the Congress, and it does not extend to preemption of state legislatures’ exercise of jurisdiction over their own political subdivisions. As an industry that shares the commission’s interest in accelerating broadband deployment, we would suggest that the best way for the FCC to accomplish its goals is to concentrate on eliminating federal regulatory impediments to innovation and investment – where there remains to be much that can and should be done."

Of course, the trade group is happy with the court decision. State laws that restrict or prevent city-run ISPs mean less competition, which makes it easier for corporate ISPs to maintain higher prices and slower speeds (which equals greater profits).

Community ISPs provide benefits for small businesses, and not only consumers. The benefits include more jobs, better services, and the ability of local towns to attract new businesses and start-ups. These benefits apply to rural areas, too; especially rural areas not served by corporate ISPs.

The Community Broadband Networks site described the benefits for small businesses of community broadband in North Carolina:

"... Speed is important, but so is Internet choice, reliable service, and respectful customer service... Before Greenlight began serving Pinetops, the best community members could get was sluggish Centurylink DSL - or Internet access offered over the phone lines... Suzanne Coker Craig, owner of CuriosiTees, described the situation... Her business, a custom screen printing shop, uses an “on-time” inventory system, so speed and reliability is critical for last-minute or late orders... She also subscribes to Greenlight from home and her fiber connection is able to manage data intense uploads required for sending artwork, sales reports, and other large document transfers... Brent Wooten is a sales agent and Manager for Mercer Transportation, a freight management business... moving freight across the country via trucks, requires being on time; he’s an information worker in a knowledge economy... Before Greenlight came to town, Brent’s business paid Centurylink $425 per month for a few phone lines, long distance, an 800 number, and Internet access at 10 Megabits per second (Mbps) download and 1.5 Mbps upload. He was also wasting hours and even days each month trying to get his Internet fixed... When Greenlight came to the community, Centurylink changed their tune. Within hours of his business phone being ported to Greenlight, a Centurylink representative called him. “He offered to cut my current prices in half and double my Internet speed, from 10 to 20 Mbps…My Centurylink 10 Mbps speed never tested at more than 6 Mbps.” Brent chose to keep his Centurylink phone service, but he kept his 25 Mbps symmetrical Greenlight Internet service because upload speed is critical to his business..."

Will these rural consumers and small businesses lose their community broadband services? Given the court decision, that is possible. Will the court decision negatively affect jobs? Probably, since many small businesses depend upon the faster community ISPs. FCC Chairman Wheeler stated:

"While we continue to review the decision, it appears to halt the promise of jobs, investment and opportunity that community broadband has provided in Tennessee and North Carolina. In the end, I believe the Commission’s decision to champion municipal efforts highlighted the benefits of competition and the need of communities to take their broadband futures in their own hands.

In the past 18 months, over 50 communities have taken steps to build their own bridges across the digital divide. The efforts of communities wanting better broadband should not be thwarted by the political power of those who, by protecting their monopoly, have failed to deliver acceptable service at an acceptable price. The FCC’s mandate is to make sure that Americans have access to the best possible broadband. We will consider all our legal and policy options to remove barriers to broadband deployment wherever they exist so that all Americans can have access to 21st Century communications. Should states seek to repeal their anti-competitive broadband statutes, I will be happy to testify on behalf of better broadband and consumer choice. Should states seek to limit the right of people to act for better broadband, I will be happy to testify on behalf of consumer choice...”

In January 2015, several U.S. Senators introduced the Community Broadband Act legislation to block these restrictive laws in 20 states and to encourage more competition and lower prices for more consumers by allowing residents the right to operate city-run ISPs offering faster speeds and lower prices. Last week, Senator Ron Wyden (Oregon - Democrat) tweeted about the federal court decision:

Tweet by Senator Ron Wyden about Community Broadband Act

The legislation has stalled in the Republican-led Congress. Once again, you will hear politicians shout about the importance of defending states' rights against the FCC, while ignoring the rights of rural and small town residents to form community ISPs. Hypocritical politicians do this to protect their corporate ISP donors from competition, which basically screws over residents by keeping prices high and speeds slow.

Residents in rural areas, small towns, and cities can claim, "we've been mugged" by state legislatures that enacted laws preventing competition (and lower prices) from community ISPs.

Researchers compared high-speed Internet services worldwide, and found that consumers in the USA pay more and get slower speeds. That's great for corporate ISP profits and bad for consumers. The Community Broadband Act is an attempt to solve this problem.

Read the court decision: State of Tennessee, and the State of North Carolina; versus the U.S. Federal Communications Commission - (Adobe PDF). The FCC is reviewing the court's decision, and has not decided whether to appeal it.

The court decision is definitely pro-state law and anti-consumer. The court decision basically allows states to continue with laws that deny residents in local cities and towns the right to form, operate, and expand their own municipal broadband services to get lower prices and better services. That means less competition and higher prices for consumers living in states with these laws. Consider that when you vote in November.


Appeals Court Backs FCC Net Neutrality Rules: Internet Access is a Utility

Yesterday, the D.C. Court of Appeals issued its decision, which supported the new Open Internet Rules by the Federal Communications Commission (FCC) to ensure open access to the Internet by all Americans. The new rules, commonly referred to as Net Neutrality and developed in 2015, apply to both wireless and wired connections, and are based upon no blocking, no throttling, no paid prioritization, and greater transparency. Cable, telecommunications, and wireless companies have fought the new rules.

The New York Times reported:

"The court’s decision upheld the F.C.C. on the historic declaration of broadband as a utility, the most significant aspect of the rules. That has broad-reaching implications for web and telecommunications companies and signals a shift in the government’s view of broadband as a service that should be equally accessible to all Americans, rather than a luxury that does not need close government supervision... The 184-page ruling opens a path for new limits on broadband providers."

Some of the companies support the FCC's new rules:

"Google and Netflix support net neutrality rules and have warned government officials that without regulatory limits, broadband providers would have an incentive to create business models that could harm consumers. They argue that broadband providers could degrade the quality of downloads and streams of online services to extract tolls from web companies or to promote unfairly their own competing services or the content of partners."

Some of the companies against the FCC's new rules:

"The legal battle from the broadband industry is far from over. The cable and telecom industries have signaled their intent to challenge any unfavorable decision, possibly taking the case to the Supreme Court. AT&T immediately said it would continue to fight."

A spokesperson for AT&T said that it hopes the U.S. Supreme Court will ultimately decide the matter. Corporate ISPs don't want Internet access reclassified as a utility. The Republican party promoted Senator Thune's proposed legislation in Congress to undo all of the good in the latest FCC rules. I called the proposed legislation a bait and switch. Read it and you'll probably agree.

U.S. Senator Edward J. Markey (D-Mass.) said in a statement:

"... net neutrality is here to stay... The court decision affirms what we already know to be true: that the FCC has the power to classify broadband Internet access service according to its best and current understanding of the technology, and how consumers harness that technology. The battle for net neutrality is the battle for our online future, and today’s ruling is a victory for consumers, innovators, entrepreneurs, and anyone who counts on the Internet to connect to the world. This decision celebrates the free and democratic expression of ideas that is the hallmark of our online ecosystem. Protecting net neutrality ensures that the best ideas, and not merely the best-funded ideas, will rule the day.”

The D.C. Appeals Court decision is indeed good news for consumers. Both consumers and businesses use the Internet daily... need the Internet... for a variety of applications. It has become essential to everyday life. Internet access is like water or electricity. We all need it to live, to work, to attend school.

Open Internet rules make sense. When a consumer pays for Internet access, he or she should decide what they use that access for... not the Internet Service Provider (ISP). Large, corporate ISPs have amassed a variety of programming content in divisions and subsidiaries. The rule reflects this reality, and helps ensure that when YOU, the consumer, access the Internet you choose where to go -- and not your ISP, which has its own internal, financial bias toward content at owned affiliates, divisions, or business units.

The FCC has already proposed new privacy rules for high-speed ISPs, and unlocking cable set-top boxes to encourage innovation, competition, more choice, and lower prices for consumers. All of these rules make sense, complement each other, and help consumers.

The 184-page decision by the D.C. Appellate Court is available here and here (Adobe PDF; 1,001K bytes).


Courts To Use Risk Scores More Frequently. Analysis Found Scores Unreliable And Racial Bias

ProPublica investigated the use of risk assessment scores by the courts and justice system in the United States:

"... risk assessments — are increasingly common in courtrooms across the nation. They are used to inform decisions about who can be set free at every stage of the criminal justice system, from assigning bond amounts... to even more fundamental decisions about defendants’ freedom. In Arizona, Colorado, Delaware, Kentucky, Louisiana, Oklahoma, Virginia, Washington and Wisconsin, the results of such assessments are given to judges during criminal sentencing. Rating a defendant’s risk of future crime is often done in conjunction with an evaluation of a defendant’s rehabilitation needs. The Justice Department’s National Institute of Corrections now encourages the use of such combined assessments at every stage of the criminal justice process. And a landmark sentencing reform bill currently pending in Congress would mandate the use of such assessments in federal prisons."

Some important background:

"In 2014, then U.S. Attorney General Eric Holder warned that the risk scores might be injecting bias into the courts. He called for the U.S. Sentencing Commission to study their use... The sentencing commission did not, however, launch a study of risk scores. So ProPublica did, as part of a larger examination of the powerful, largely hidden effect of algorithms in American life. [ProPublica] obtained the risk scores assigned to more than 7,000 people arrested in Broward County, Florida, in 2013 and 2014 and checked to see how many were charged with new crimes over the next two years, the same benchmark used by the creators of the algorithm."

ProPublica analyzed data for Broward County in the State of Florida, and found the risk assessment scores to be unreliable:

"... in forecasting violent crime: Only 20 percent of the people predicted to commit violent crimes actually went on to do so. When a full range of crimes were taken into account — including misdemeanors such as driving with an expired license — the algorithm was somewhat more accurate than a coin flip. Of those deemed likely to re-offend, 61 percent were arrested for any subsequent crimes within two years."

ProPublica also found biases based upon race:

"In forecasting who would re-offend, the algorithm made mistakes with black and white defendants at roughly the same rate but in very different ways. The formula was particularly likely to falsely flag black defendants as future criminals, wrongly labeling them this way at almost twice the rate as white defendants. White defendants were mislabeled as low risk more often than black defendants."

ProPublica re-checked the analysis. Same results. Northpointe, the for-profit company that produced the Broward County, Florida risk scores, disagreed:

"... it criticized ProPublica’s methodology and defended the accuracy of its test: “Northpointe does not agree that the results of your analysis, or the claims being made based upon that analysis, are correct or that they accurately reflect the outcomes from the application of the model.” Northpointe’s software is among the most widely used assessment tools in the country. The company does not publicly disclose the calculations used to arrive at defendants’ risk scores, so it is not possible for either defendants or the public to see what might be driving the disparity... Northpointe’s core product is a set of scores derived from 137 questions that are either answered by defendants or pulled from criminal records. Race is not one of the questions..."

Formed in 1989, Northpointe is a wholly owned subsidiary of the Volaris Group. Northpointe works with a variety of federal, state, and local justice agencies in the United States and Canada. The company's website states that it also works with policy makers.

Besides Northpointe, several companies provide risk assessment tools to courts and the judicial system. The National Center For State Courts (NCSC) provides a list of risk assessment tools (Adobe PDF).

All of this points to a larger problem: risk scores still haven't been adequately studied, nor have the techniques been vetted:

"There have been few independent studies of these criminal risk assessments. In 2013, researchers Sarah Desmarais and Jay Singh examined 19 different risk methodologies used in the United States and found that “in most cases, validity had only been examined in one or two studies” and that “frequently, those investigations were completed by the same people who developed the instrument.” Their analysis of the research through 2012 found that the tools “were moderate at best in terms of predictive validity,”... there have been some attempts to explore racial disparities in risk scores. One 2016 study examined the validity of a risk assessment tool, not Northpointe’s, used to make probation decisions for about 35,000 federal convicts. The researchers, Jennifer Skeem at University of California, Berkeley, and Christopher T. Lowenkamp from the Administrative Office of the U.S. Courts, found that blacks did get a higher average score but concluded the differences were not attributable to bias."

I wonder if the biases found started in the data rather than in the algorithm. The algorithm may have been developed and tested using existing prison populations which are known to be skewed, plus overly aggressive policing via school-to-prison pipelines and for-profit prisons in many states. Both the State of Florida and Broward County have histories with school-to-prison pipelines.

Plus, it seems crazy to make decisions about persons' lives based upon scores without knowing how the scores were calculated, and without adequate research or vetting of techniques. Transparency matters.

Thoughts? Opinions?


Your Fingerprints. A Key or Testimony? Why It Matters Legally

Many people use the fingerprint recognition feature on newer Apple iPhones and iPads. Consumers view the optional feature, called Touch ID, as a more convenient way to secure their phones versus passcodes. (The feature still requires a passcode, is not foolproof, and is hackable, but let's put those issues aside for now.) Most consumers probably aren't aware of the legal considerations. How the law and courts treat your fingerprints matters... specifically when used to access devices or accounts.

The basic question, which the law has not yet settled, is: are your fingerprints like a key to, say, an electronic file cabinet, or are they the equivalent of testimony? The distinction matters when the government forces people to unlock their phones. The Los Angeles Times reported:

"... authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone... The phone contained Apple's fingerprint identification system... It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common..."

Why this matters:

"... the prevailing legal stance toward fingerprints. Law enforcement routinely obtains search warrants to examine property or monitor telecommunications, even swab inside an inmate's mouth for DNA. But fingerprints have long remained in the class of evidence that doesn't require a warrant... Courts have categorized fingerprints as "real or physical evidence" sourced from the body, unlike communications or knowledge, which cannot be compelled without violating the 5th Amendment... How far can the government go to obtain biometric markers such as fingerprints and hair? The U.S. Supreme Court has held that police can search phones with a valid warrant and compel a person in custody to provide physical evidence such as fingerprints without a judge's permission. But some legal experts say there should be a higher bar for biometric data because providing a fingerprint to open a digital device gives the state access to a vast trove of personal information and could be a form of self-incrimination."

Providing a fingerprint used to be only about identification... identifying a person under arrest. Now, the same fingerprint can also be used to access electronic documents:

"... the act of compelling a person in custody to press her finger against a phone breached the 5th Amendment's protection against self-incrimination. It forced [the defendant] to testify —without uttering a word — because by moving her finger and unlocking the phone, she authenticated its contents."

Legal experts disagree about whether fingerprints are the equivalent of keys or testimony:

"... Albert Gidari, the director of privacy at Stanford Law School's Center for Internet and Society, said the action might not violate the 5th Amendment prohibition of self-incrimination... George M. Dery III, a lawyer and criminal justice professor at California State University, Fullerton, likened the warrant to the government's request for a key..."

Your opinions? Thoughts?


Justice Department Withdraws Lawsuit in Brooklyn To Force Apple To Unlock iPhone

The U.S. Department of Justice (DOJ) has withdrawn its lawsuit in Brooklyn, New York to force Apple Inc. to unlock the iPhone of a convicted drug dealer. The DOJ had appealed a judge's decision in February which denied the DOJ Reportedly, the DOJ can access the iPhone since an unnamed party provided it with the user's passcode.

In February, a judge had denied a request by the Federal Bureau of Investigation (FBI) in Brooklyn to force Apple to unlock the iPhone. The DOJ had appealed that decision. The DOJ had dropped a similar lawsuit in California to force Apple to unlock an iPhone used by one of the San Bernardino attackers after the FBI purchased a tool from an unnamed third party to hack the phone. Last week, the FBI revealed that the San Bernardino attacker's iPhone did not contain any information.

The Reuters report about the Brooklyn lawsuit also mentioned:

"Justice Department spokeswoman Emily Pierce said the cases have "never been about setting a court precedent; they are about law enforcement's ability and need to access evidence on devices pursuant to lawful court orders and search warrants." "

Both lawsuits were based upon the 227-year-old All Writs Law. I find Pierce's statement difficult to believe. It's possible, but hard to believe. With a legal precedent to force tech companies to provide "back door" access, the government probably wouldn't have to buy hacking tools from unnamed third parties.

What else might be happening? Perhaps the government felt its court cases were weak, and wanted to avoid another unfavorable decision. Perhaps the government doesn't want to reveal in court any details about its hacking methods. Maybe it didn't hack the phone with a passcode from an unnamed source, but instead used the tool it bought in California -- and didn't want to disclose that the tools could be used widely across iPhone models.

Perhaps, the FBI is relying upon ultimate passage by Congress of the deeply flawed Compliance with Court Orders Act of 2016 (CCOA), written by Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.). Passage of that legislation would give the FBI the access it wants to bypass all encryption methods, regardless of the privacy and economic consequences.

What are your opinions?


The Information The FBI Found After Unlocking The San Bernardino Attacker's iPhone

Remember the Federal Bureau of Investigation (FBI) lawsuit using a 227-year-old law to force Apple Inc. to build "back door" software to unlock an iPhone in California? The FBI said it couldn't unlock the phone, claimed the iPhone had important information on it, but later withdrew its lawsuit after it hired an unnamed third party to hack the iPhone. After all of this, you're probably wondering what information the FBI found on that unlocked iPhone.

Guess what they found? Nothing. Nada. Zilch. Zip. Squat. CNN reported:

"Hacking the San Bernardino terrorist's iPhone has produced data the FBI didn't have before and has helped the investigators answer some remaining questions in the ongoing probe, U.S. law enforcement officials say... Investigators are now more confident that terrorist Syed Farook didn't make contact with another plotter during an 18-minute gap that the FBI said was missing from their time line of the attackers' whereabouts after the mass shooting... The phone didn't contain evidence of contacts with other ISIS supporters or the use of encrypted communications during the period the FBI was concerned about."

More confident? Either you're confident or you aren't. That's like being pregnant. You can't be more pregnant. But hey... you gotta love those unnamed sources. Sometimes they're accurate, and other times not.

Let's translate this into plain English. The attacker's phone contained nothing, which the FBI spun as valuable. Wow! That's like saying the bulk collection (e.g., spying) of all U.S. citizens' phone calls and emails was valuable because not finding anything proved they were not doing anything criminal.

Wow! The arrogance. The waste of time, money, and resources. It takes a brass set of balls to spin crap like this and keep a straight face.

Yet, the legal wrangling ain't over. An FBI versus Apple lawsuit in Brooklyn continues. And, as CNN reported:

"Apple and the FBI are squaring off again Tuesday in testimony at a House hearing on encryption..."

Yesterday's blog post discussed everything that is wrong with the Burr-Feinstein draft anti-encryption proposal circulating in the U.S. Senate. The FBI must be feeling pretty cocky, since two Senators have its back while ignoring the consequences.

What are your opinions?