
German Regulator Bans Smartwatches For Children

VTech Kidizoom DX smartwatch for children. Parents: considering a smartwatch for your children or grandchildren? Consider the privacy implications first. Bleeping Computer reported on Friday:

"Germany's Federal Network Agency (Bundesnetzagentur), the country's telecommunications agency, has banned the sale of children's smartwatches after it classified such devices as "prohibited listening devices." The ban was announced earlier today... parents are using their children's smartwatches to listen to teachers in the classroom. Recording or listening to private conversations is against the law in Germany without the permission of all recorded persons."

Some smartwatches are designed for children as young as four years of age. Several brands are available at online retailers, such as Amazon and Best Buy.

Why the ban? Gizmodo explained:

"Saying the technology more closely resembles a “spying device” than a toy... Last month, the European Consumer Organization (BEUC) warned that smartwatches marketed to kids were a serious threat to children’s privacy. A report published by the Norwegian Consumer Council in mid-October revealed serious flaws in several of the devices that could easily allow hackers to seize control. "

Clearly, this is another opportunity for parents to carefully research and consider smart device purchases for their family, to teach their children about privacy, and to not record persons without their permission.


Security Experts: Massive Botnet Forming. A 'Botnet Storm' Coming

Online security experts have detected a massive botnet -- a network of zombie robots -- forming. Its operator and purpose are both unknown. Check Point Software Technologies, a cyber security firm, warned in a blog post that its researchers:

"... had discovered a brand new Botnet evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016... Ominous signs were first picked up via Check Point’s Intrusion Prevention System (IPS) in the last few days of September. An increasing number of attempts were being made by hackers to exploit a combination of vulnerabilities found in various IoT devices.

With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others..."

Reportedly, the botnet has been named either "Reaper" or "IoTroop." The McClatchy news wire reported:

"A Chinese cybersecurity firm, Qihoo 360, says the botnet is swelling by 10,000 devices a day..."

Criminals use malware or computer viruses to add weakly protected or insecure Internet-connected devices (commonly referred to as the internet of things, or IoT) in homes and businesses to the botnet. Then, criminals use botnets to overwhelm a targeted website with page requests. This type of attack, called a Distributed Denial of Service (DDoS), prevents valid users from accessing the targeted site, knocking the site offline. If the attack is large enough, it can disable large portions of the Internet.

A version of the attack could also include a ransom demand, where the criminals will stop the attack only after a large cash payment by the targeted company or website. With multiple sites targeted, either version of cyber attack could have huge, negative impacts upon businesses and users.

How bad was the Mirai botnet? According to the US-CERT unit within the U.S. Department of Homeland Security:

"On September 20, 2016, Brian Krebs’ security blog was targeted by a massive DDoS attack, one of the largest on record... The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices... The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack..."

Wired reported last year that after the attack on Krebs' blog, the Mirai botnet:

"... managed to make much of the internet unavailable for millions of people by overwhelming Dyn, a company that provides a significant portion of the US internet's backbone... Mirai disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK. This week, researchers published evidence that 80 models of Sony cameras are vulnerable to a Mirai takeover..."

The Wired report also explained the difficulty with identifying and cleaning infected devices:

"One reason Mirai is so difficult to contain is that it lurks on devices, and generally doesn't noticeably affect their performance. There's no reason the average user would ever think that their webcam—or more likely, a small business's—is potentially part of an active botnet. And even if it were, there's not much they could do about it, having no direct way to interface with the infected product."

If this seems scary, it is. The coming botnet storm has the potential to do lots of damage.

So, a word to the wise. Experts advise consumers to, a) disconnect the device from your network and reboot it before re-connecting it to the internet, b) buy internet-connected devices that support security software updates, c) change the passwords on your devices from the defaults to strong passwords, d) update the operating system (OS) software on your devices with security patches as soon as they are available, e) keep the anti-virus software on your devices current, and f) regularly backup the data on your devices.

US-CERT also advised consumers to:

"Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary. Purchase IoT devices from companies with a reputation for providing secure devices... Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected."


Equifax Reported 15.2 Million Records Of U.K. Persons Exposed

Yesterday, Equifax's United Kingdom (UK) unit released a press release about the credit reporting agency's massive data breach and the number of breach victims. A portion of the statement:

"It has always been Equifax’s intention to write to those consumers whose information had been illegally compromised, but it would have been inappropriate and irresponsible of us to do so before we had absolute clarity on what data had been accessed. Following the completion of an independent investigation into the attack, and with agreement from appropriate investigatory authorities, Equifax has begun corresponding with affected consumers.

We would like to take this opportunity to emphasize that Equifax correspondence will never ask consumers for money or cite personal details to seek financial information, and if they receive such correspondence they should not respond. For security reasons, we will not be making any outbound telephone calls to consumers. However, customers can call our Freephone number on 0800 587 1584 for more information.

Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test data-sets, duplicates and spurious fields... we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post... The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed."

Below is the tabular information of risk categories from the Equifax UK announcement:

Consumer groups | Remedial action
12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed | We will offer Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third party organizations will also be offered at no cost to consumers. In addition to the services set out above, further information will be outlined in the correspondence.
14,961 consumers who had portions of their Equifax.co.uk membership details such as username, password, secret questions and answers and partial credit card details - from 2014 accessed | Same as above.
29,188 consumers who had their driving license number accessed | Same as above.
637,430 consumers who had their phone numbers accessed | Consumers who had a phone number accessed will be offered a leading identity monitoring service for free.

Some observations seem warranted.

First, the announcement was vague about whether the 15.2 million U.K. persons affected were included in the prior breach total, or in addition to the prior total. Second, the U.K. unit will send written breach notices to all affected consumers via postal mail, while the U.S. unit refused. The U.K. unit did the right thing, so its users aren't confused by, and don't have to access, a hastily built site to see if they were affected.

Third, given the data elements stolen some U.K. breach victims are vulnerable to additional frauds and threats like breach victims in the USA.

Kudos to the Equifax U.K. unit for the postal breach notices and for clearly stating the above risk categories.


Equifax: 2.5 Million More Persons Affected By Massive Data Breach

Equifax disclosed on Monday, October 2, that 2.5 million more persons than originally announced were affected by its massive data breach earlier this year. According to the Equifax breach website:

"... cybersecurity firm Mandiant has completed the forensic portion of its investigation of the cybersecurity incident disclosed on September 7 to finalize the consumers potentially impacted... The completed review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process."

The September breach announcement said that persons outside the United States may have been affected. The October 2nd update addressed that, too:

"The completed review also has concluded that there is no evidence the attackers accessed databases located outside of the United States. With respect to potentially impacted Canadian citizens, the company previously had stated that there may have been up to 100,000 Canadian citizens impacted... The completed review subsequently determined that personal information of approximately 8,000 Canadian consumers was impacted. In addition, it also was determined that some of the consumers with affected credit cards announced in the company’s initial statement are Canadian. The company will mail written notice to all of the potentially impacted Canadian citizens."

So, things are worse than originally announced in September: more United States citizens affected, fewer Canadian citizens affected overall but more Canadians' credit card information exposed, and we still don't know the number of United Kingdom residents affected:

"The forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom. Equifax is continuing discussions with regulators in the United Kingdom regarding the scope of the company’s consumer notifications..."

And, there's this statement by Paulino do Rego Barros, Jr., the newly appointed interim CEO (after former CEO Richard Smith resigned):

"... As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements..."

To review? That means Equifax has not finished the job of making its systems and websites more secure: fixes based upon how the attackers broke in, controls that identify attacks earlier, and controls that prevent future breaches. As bad as this sounds, the reality is probably worse.

After testimony before Congress by former Equifax CEO Richard Smith, Wired documented "six fresh horrors" about the breach and the leisurely approach by the credit reporting agency's executives. First, this about the former CEO:

"... during Tuesday's hearing, former CEO Smith added that he first heard about "suspicious activity" in a customer-dispute portal, where Equifax tracks customer complaints and efforts to correct mistakes in their credit reports, on July 31. He moved to hire cybersecurity experts from the law firm King & Spalding to start investigating the issue on August 2. Smith claimed that, at that time, there was no indication that any customer's personally identifying information had been compromised. As it turns out, after repeated questions from lawmakers, Smith admitted he never asked at the time whether PII being affected was even a possibility. Smith further testified that he didn't ask for a briefing about the "suspicious activity" until August 15, almost two weeks after the special investigation began and 18 days after the initial red flag."

Didn't ask about PII? Geez! PII describes the set of data elements which are the most sensitive information about consumers. It's the business of being a credit reporting agency. Waited 2 weeks for a briefing? Not good either. And, that is a most generous description since some experts question whether the breach actually started in March -- about four months before the July event.

Wired reported the following about Smith's Congressional testimony and the March breach:

"Attackers initially got into the affected customer-dispute portal through a vulnerability in the Apache Struts platform, an open-source web application service popular with corporate clients. Apache disclosed and patched the relevant vulnerability on March 6... Smith said there are two reasons the customer-dispute portal didn't receive that patch, known to be critical, in time to prevent the breach. The first excuse Smith gave was "human error." He says there was a particular (unnamed) individual who knew that the portal needed to be patched but failed to notify the appropriate IT team. Second, Smith blamed a scanning system used to spot this sort of oversight that did not identify the customer-dispute portal as vulnerable. Smith said forensic investigators are still looking into why the scanner failed."

Geez! Sounds like a managerial failure, too. Nobody followed up with the unnamed persons responsible for patching the portal? And Equifax executives took a leisurely (and perhaps lackadaisical) approach to protecting sensitive information about consumers:

"When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers... It’s unclear exactly what of the pilfered data resided in the portal versus other parts of Equifax’s system, but it turns out that also didn’t matter much, given Equifax's attitude toward encryption overall. “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all," Smith replied. "There are varying levels of security techniques that the team deploys in different environments around the business."

Geez! So, we now have confirmation that the "core" information -- the most sensitive data about consumers -- in Equifax's databases is only partially encrypted.

Context matters. In January of this year, the Consumer Financial Protection Bureau (CFPB) took punitive action against TransUnion and Equifax for deceptive marketing practices involving credit scores and related subscription services. That action included $23.1 million in fines and penalties.

Thanks to the members of Congress for asking the tough questions. No thanks to Equifax executives for taking lackadaisical approaches to data security. (TransUnion, Innovis, and Experian executives: are you watching? Learning what mistakes not to repeat?) Equifax has lost my trust.

Until Equifax hardens its systems (I prefer NSA-level hardness), it shouldn't be entrusted with consumers' sensitive personal and payment information. Consumers should be able to totally opt out of credit reporting agencies that fail with data security. This would allow the marketplace to govern things and stop the corporate socialism benefiting credit reporting agencies.

What are your opinions?

[Editor's note: this post was amended on October 7 with information about the CFPB fines.]


Experts Call For Ban of Killer Robotic Weapons

116 robotics and artificial intelligence experts from 26 countries sent a letter to the United Nations (UN) warning against the deployment of lethal autonomous weapons. The Guardian reported:

"The UN recently voted to begin formal discussions on such weapons which include drones, tanks and automated machine guns... In their letter, the [experts] warn the review conference of the convention on conventional weapons that this arms race threatens to usher in the “third revolution in warfare” after gunpowder and nuclear arms... The letter, launching at the opening of the International Joint Conference on Artificial Intelligence (IJCAI) in Melbourne on Monday, has the backing of high-profile figures in the robotics field and strongly stresses the need for urgent action..."

The letter stated in part:

"Once developed, lethal autonomous weapons will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend. These can be weapons of terror, weapons that despots and terrorists use against innocent populations, and weapons hacked to behave in undesirable ways."

"We do not have long to act. Once this Pandora’s box is opened, it will be hard to close."

This is not science fiction. Autonomous weapons are already deployed:

"Samsung’s SGR-A1 sentry gun, which is reportedly technically capable of firing autonomously but is disputed whether it is deployed as such, is in use along the South Korean border of the 2.5m-wide Korean Demilitarized Zone. The fixed-place sentry gun, developed on behalf of the South Korean government, was the first of its kind with an autonomous system capable of performing surveillance, voice-recognition, tracking and firing with mounted machine gun or grenade launcher... The UK’s Taranis drone, in development by BAE Systems, is intended to be capable of carrying air-to-air and air-to-ground ordnance intercontinentally and incorporating full autonomy..."

Ban, indeed. Your thoughts? Opinions? Reaction?


Russian Malware Targets Hotels In Europe And Middle East

FireEye, a security firm, has issued a warning about malware targeting the hotel industry within both Europe and the Middle East. The warning:

"... a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic... Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks... in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network..."

The key takeaway: criminals use malware to infiltrate the Wi-Fi networks at hotels in order to steal the login credentials (IDs, passwords) of traveling business and government executives. The criminals know that executives conduct business while traveling -- they log into their employers' computer networks. Stealing those login credentials provides criminals with access to the computer networks operated by corporations and governments. Once inside those networks, the criminals can steal whatever of value they can access: proprietary information, trade secrets, customer lists, executives' and organizations' payment information, money, or more.

A variety of organizations in both the public and private sectors use software by FireEye to detect intrusions into their computer networks by unauthorized persons. FireEye software detected the breach at Target (which Target employees later ignored). Security researchers at FireEye discovered vulnerabilities in HTC smartphones which failed to adequately protect users' fingerprint data for unlocking phones.

Security warnings earlier this year mentioned malware by the APT28 group targeting Apple Mac users. The latest warning by FireEye also described the 2016 hack in more detail:

"... the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network..."

So, travelers aren't safe even when they use strong passwords. How should travelers protect themselves and their sensitive information? FireEye warned:

"Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible."


Wisconsin Employer To Offer Its Employees ID Microchip Implants

Microchip implant to be used by Three Square Market. A Wisconsin company said it will offer its employees, starting August 1, the option of having microchip identification implants. The company, Three Square Market (32M), will allow employees with the microchip implants to make purchases in the employee break room, open locked doors, log in to computers, use the copy machine, and perform related office tasks.

Each microchip, about the size of a grain of rice (see photo on the right), would be implanted under the skin in an employee's hand. The microchips use radio-frequency identification (RFID), a technology that has existed for a while and has been used in a variety of devices: employee badges, payment cards, passports, package tracking, and more. Each microchip electronically stores identification information about the user, and uses near-field communications (NFC). Instead of swiping a payment card, employee badge, or smartphone, the employee can unlock a device by waving their hand near a chip reader attached to that device. Purchases in the employee break room can be made by waving their hand near a self-serve kiosk.

Reportedly, 32M would be the first employer in the USA to microchip its employees. CBS News reported in April about Epicenter, a startup based in Sweden:

"The [implant] injections have become so popular that workers at Epicenter hold parties for those willing to get implanted... Epicenter, which is home to more than 100 companies and some 2,000 workers, began implanting workers in January 2015. Now, about 150 workers have [chip implants]... as with most new technologies, it raises security and privacy issues. While biologically safe, the data generated by the chips can show how often an employee comes to work or what they buy. Unlike company swipe cards or smartphones, which can generate the same data, a person cannot easily separate themselves from the chip."

In an interview with Saint Paul-based KSTP, Todd Westby, the Chief Executive Officer at 32M described the optional microchip program as:

"... the next thing that's inevitably going to happen, and we want to be a part of it..."

To implement its microchip implant program, 32M has partnered with Sweden-based BioHax International. Westby explained in a company announcement:

"Eventually, this technology will become standardized allowing you to use this as your passport, public transit, all purchasing opportunities... We see chip technology as the next evolution in payment systems, much like micro markets have steadily replaced vending machines... it is important that 32M continues leading the way with advancements such as chip implants..."

"Micro markets" are small stores located within employers' offices; typically the break rooms where employees relax and/or purchase food. 32M estimates 20,000 micro markets nationwide in the USA. According to its website, the company serves markets in North America, Europe, Asia, and Australia. 32M believes that micro markets, aided by chip implants and self-serve kiosks, offer employers greater employee productivity with lower costs.

Yes, the chip implants are similar to the chip implants many pet owners have inserted to identify their dogs or cats. 32M expects 50 employees to enroll in its chip implant program.

Reportedly, companies in Belgium and Sweden already use chip implants to identify employees. 32M's announcement did not list the data elements each employee's microchip would contain, nor whether the data in the microchips would be encrypted. Historically, unencrypted data stored by RFID technology has been vulnerable to skimming attacks by criminals using portable or hand-held RFID readers. Stolen information could then be used to clone devices to commit identity theft and fraud.

Some states, such as Washington and California, passed anti-skimming laws. Prior government-industry workshops about RFID usage focused upon consumer products, and not employment concerns. Earlier this year, lawmakers in Nevada introduced legislation making it illegal to require employees to accept microchip implants.

A BBC News reporter discussed in 2015 what it is like to be "chipped." And as CBS News reported:

"... hackers could conceivably gain huge swathes of information from embedded microchips. The ethical dilemmas will become bigger the more sophisticated the microchips become. The data that you could possibly get from a chip that is embedded in your body is a lot different from the data that you can get from a smartphone..."

Example: employers installing RFID readers for employees to unlock bathrooms means employers can track when, where, how often, and the duration employees use bathrooms. How does that sound?

Hopefully, future announcements by 32M will discuss the security features and protections. What are your opinions? Are you willing to be an office cyborg? Should employees have a choice, or should employers be able to force their employees to accept microchip implants? How do you feel about your employer tracking what you eat and drink via purchases with your chip implant?

Many employers publish social media policies covering what employees should (shouldn't, or can't) publish online. Should employers have microchip implant policies, too? If so, what should these policies state?


Microsoft Fights Foreign Cyber Criminals And Spies

The Daily Beast explained how Microsoft fights cyber criminals and spies, some of whom have alleged ties to the Kremlin:

"Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents.

Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft an omniscient view of the servers’ network of automated spies."

Kudos to Microsoft and its attorneys.


Facebook's Secret Censorship Rules Protect White Men from Hate Speech But Not Black Children

[Editor's Note: today's guest post, by the reporters at ProPublica, explores how social networks practice censorship to combat violence and hate speech, plus related practices such as "geo-blocking." It is reprinted with permission.]

by Julia Angwin, ProPublica, and Hannes Grassegger, special to ProPublica

In the wake of a terrorist attack in London earlier this month, a U.S. congressman wrote a Facebook post in which he called for the slaughter of "radicalized" Muslims. "Hunt them, identify them, and kill them," declared U.S. Rep. Clay Higgins, a Louisiana Republican. "Kill them all. For the sake of all that is good and righteous. Kill them all."

Higgins' plea for violent revenge went untouched by Facebook workers who scour the social network deleting offensive speech.

But a May posting on Facebook by Boston poet and Black Lives Matter activist Didi Delgado drew a different response.

"All white people are racist. Start from this reference point, or you've already failed," Delgado wrote. The post was removed and her Facebook account was disabled for seven days.

A trove of internal documents reviewed by ProPublica sheds new light on the secret guidelines that Facebook's censors use to distinguish between hate speech and legitimate political expression. The documents reveal the rationale behind seemingly inconsistent decisions. For instance, Higgins' incitement to violence passed muster because it targeted a specific sub-group of Muslims -- those that are "radicalized" -- while Delgado's post was deleted for attacking whites in general.

Over the past decade, the company has developed hundreds of rules, drawing elaborate distinctions between what should and shouldn't be allowed, in an effort to make the site a safe place for its nearly 2 billion users. The issue of how Facebook monitors this content has become increasingly prominent in recent months, with the rise of "fake news" -- fabricated stories that circulated on Facebook like "Pope Francis Shocks the World, Endorses Donald Trump For President, Releases Statement" -- and growing concern that terrorists are using social media for recruitment.

While Facebook was credited during the 2010-2011 "Arab Spring" with facilitating uprisings against authoritarian regimes, the documents suggest that, at least in some instances, the company's hate-speech rules tend to favor elites and governments over grassroots activists and racial minorities. In so doing, they serve the business interests of the global company, which relies on national governments not to block its service to their citizens.

One Facebook rule, which is cited in the documents but that the company said is no longer in effect, banned posts that praise the use of "violence to resist occupation of an internationally recognized state." The company's workforce of human censors, known as content reviewers, has deleted posts by activists and journalists in disputed territories such as Palestine, Kashmir, Crimea and Western Sahara.

One document trains content reviewers on how to apply the company's global hate speech algorithm. The slide identifies three groups: female drivers, black children and white men. It asks: Which group is protected from hate speech? The correct answer: white men.

The reason is that Facebook deletes curses, slurs, calls for violence and several other types of attacks only when they are directed at "protected categories" -- based on race, sex, gender identity, religious affiliation, national origin, ethnicity, sexual orientation and serious disability/disease. It gives users broader latitude when they write about "subsets" of protected categories. White men are considered a group because both traits are protected, while female drivers and black children, like radicalized Muslims, are subsets, because one of their characteristics is not protected. (The exact rules are in the slide show below.)

The Facebook Rules

Facebook has used these rules to train its "content reviewers" to decide whether to delete or allow posts. Facebook says the exact wording of its rules may have changed slightly in more recent versions. ProPublica recreated the slides.

Behind this seemingly arcane distinction lies a broader philosophy. Unlike American law, which permits preferences such as affirmative action for racial minorities and women for the sake of diversity or redressing discrimination, Facebook's algorithm is designed to defend all races and genders equally.

"Sadly," the rules are "incorporating this color-blindness idea which is not in the spirit of why we have equal protection," said Danielle Citron, a law professor and expert on information privacy at the University of Maryland. This approach, she added, will "protect the people who least need it and take it away from those who really need it."

But Facebook says its goal is different -- to apply consistent standards worldwide. "The policies do not always lead to perfect outcomes," said Monika Bickert, head of global policy management at Facebook. "That is the reality of having policies that apply to a global community where people around the world are going to have very different ideas about what is OK to share."

Facebook's rules constitute a legal world of their own. They stand in sharp contrast to the United States' First Amendment protections of free speech, which courts have interpreted to allow exactly the sort of speech and writing censored by the company's hate speech algorithm. But they also differ -- for example, in permitting postings that deny the Holocaust -- from more restrictive European standards.

The company has long had programs to remove obviously offensive material like child pornography from its stream of images and commentary. Recent articles in the Guardian and Süddeutsche Zeitung have detailed the difficult choices that Facebook faces regarding whether to delete posts containing graphic violence, child abuse, revenge porn and self-mutilation.

The challenge of policing political expression is even more complex. The documents reviewed by ProPublica indicate, for example, that Donald Trump's posts about his campaign proposal to ban Muslim immigration to the United States violated the company's written policies against "calls for exclusion" of a protected group. As The Wall Street Journal reported last year, Facebook exempted Trump's statements from its policies at the order of Mark Zuckerberg, the company's founder and chief executive.

The company recently pledged to nearly double its army of censors to 7,500, up from 4,500, in response to criticism of a video posting of a murder. Their work amounts to what may well be the most far-reaching global censorship operation in history. It is also the least accountable: Facebook does not publish the rules it uses to determine what content to allow and what to delete.

Users whose posts are removed are not usually told what rule they have broken, and they cannot generally appeal Facebook's decision. Appeals are currently only available to people whose profile, group or page is removed.

The company has begun exploring adding an appeals process for people who have individual pieces of content deleted, according to Bickert. "I'll be the first to say that we're not perfect every time," she said.

Facebook is not required by U.S. law to censor content. A 1996 federal law gave most tech companies, including Facebook, legal immunity for the content users post on their services. The law, section 230 of the Telecommunications Act, was passed after Prodigy was sued and held liable for defamation for a post written by a user on a computer message board.

The law freed up online publishers to host online forums without having to legally vet each piece of content before posting it, the way that a news outlet would evaluate an article before publishing it. But early tech companies soon realized that they still needed to supervise their chat rooms to prevent bullying and abuse that could drive away users.

America Online convinced thousands of volunteers to police its chat rooms in exchange for free access to its service. But as more of the world connected to the internet, the job of policing became more difficult and companies started hiring workers to focus on it exclusively. Thus the job of content moderator -- now often called content reviewer -- was born.

In 2004, attorney Nicole Wong joined Google and persuaded the company to hire its first-ever team of reviewers, who responded to complaints and reported to the legal department. Google needed "a rational set of policies and people who were trained to handle requests," for its online forum called Groups, she said.

Google's purchase of YouTube in 2006 made deciding what content was appropriate even more urgent. "Because it was visual, it was universal," Wong said.

While Google wanted to be as permissive as possible, she said, it soon had to contend with controversies such as a video mocking the King of Thailand, which violated Thailand's laws against insulting the king. Wong visited Thailand and was impressed by the nation's reverence for its monarch, so she reluctantly agreed to block the video -- but only for computers located in Thailand.

Since then, selectively banning content by geography -- called "geo-blocking" -- has become a more common request from governments. "I don't love traveling this road of geo-blocking," Wong said, but "it's ended up being a decision that allows companies like Google to operate in a lot of different places."

For social networks like Facebook, however, geo-blocking is difficult because of the way posts are shared with friends across national boundaries. If Facebook geo-blocks a user's post, it would only appear in the news feeds of friends who live in countries where the geo-blocking prohibition doesn't apply. That can make international conversations frustrating, with bits of the exchange hidden from some participants.

As a result, Facebook has long tried to avoid using geography-specific rules when possible, according to people familiar with the company's thinking. However, it does geo-block in some instances, such as when it complied with a request from France to restrict access within its borders to a photo taken after the Nov. 13, 2015, terrorist attack at the Bataclan concert hall in Paris.

Bickert said Facebook takes into consideration the laws in countries where it operates, but doesn't always remove content at a government's request. "If there is something that violates a country's law but does not violate our standards," Bickert said, "we look at who is making that request: Is it the appropriate authority? Then we check to see if it actually violates the law. Sometimes we will make that content unavailable in that country only."

Facebook's goal is to create global rules. "We want to make sure that people are able to communicate in a borderless way," Bickert said.

Founded in 2004, Facebook began as a social network for college students. As it spread beyond campus, Facebook began to use content moderation as a way to compete with the other leading social network of that era, MySpace.

MySpace had positioned itself as the nightclub of the social networking world, offering profile pages that users could decorate with online glitter, colorful layouts and streaming music. It didn't require members to provide their real names and was home to plenty of nude and scantily clad photographs. And it was being investigated by law-enforcement agents across the country who worried it was being used by sexual predators to prey on children. (In a settlement with 49 state attorneys general, MySpace later agreed to strengthen protections for younger users.)

By comparison, Facebook was the buttoned-down Ivy League social network -- all cool grays and blues. Real names and university affiliations were required. Chris Kelly, who joined Facebook in 2005 and was its first general counsel, said he wanted to make sure Facebook didn't end up in law enforcement's crosshairs, like MySpace.

"We were really aggressive about saying we are a no-nudity platform," he said.

The company also began to tackle hate speech. "We drew some difficult lines while I was there -- Holocaust denial being the most prominent," Kelly said. After an internal debate, the company decided to allow Holocaust denials but reaffirmed its ban on group-based bias, which included anti-Semitism. Since Holocaust denial and anti-Semitism frequently went together, he said, the perpetrators were often suspended regardless.

"I've always been a pragmatist on this stuff," said Kelly, who left Facebook in 2010. "Even if you take the most extreme First Amendment positions, there are still limits on speech."

By 2008, the company had begun expanding internationally but its censorship rulebook was still just a single page with a list of material to be excised, such as images of nudity and Hitler. "At the bottom of the page it said, 'Take down anything else that makes you feel uncomfortable,'" said Dave Willner, who joined Facebook's content team that year.

Willner, who reviewed about 15,000 photos a day, soon found the rules were not rigorous enough. He and some colleagues worked to develop a coherent philosophy underpinning the rules, while refining the rules themselves. Soon he was promoted to head the content policy team.

By the time he left Facebook in 2013, Willner had shepherded a 15,000-word rulebook that remains the basis for many of Facebook's content standards today.

"There is no path that makes people happy," Willner said. "All the rules are mildly upsetting." Because of the volume of decisions -- many millions per day -- the approach is "more utilitarian than we are used to in our justice system," he said. "It's fundamentally not rights-oriented."

Willner's then-boss, Jud Hoffman, who has since left Facebook, said that the rules were based on Facebook's mission of "making the world more open and connected." Openness implies a bias toward allowing people to write or post what they want, he said.

But Hoffman said the team also relied on the principle of harm articulated by John Stuart Mill, a 19th-century English political philosopher. It states "that the only purpose for which power can be rightfully exercised over any member of a civilized community, against his will, is to prevent harm to others." That led to the development of Facebook's "credible threat" standard, which bans posts that describe specific actions that could threaten others, but allows threats that are not likely to be carried out.

Eventually, however, Hoffman said "we found that limiting it to physical harm wasn't sufficient, so we started exploring how free expression societies deal with this."

The rules developed considerable nuance. There is a ban against pictures of Pepe the Frog, a cartoon character often used by "alt-right" white supremacists to perpetrate racist memes, but swastikas are allowed under a rule that permits the "display [of] hate symbols for political messaging." In the documents examined by ProPublica, which are used to train content reviewers, this rule is illustrated with a picture of Facebook founder Mark Zuckerberg that has been manipulated to apply a swastika to his sleeve.

The documents state that Facebook relies, in part, on the U.S. State Department's list of designated terrorist organizations, which includes groups such as al-Qaida, the Taliban and Boko Haram. But not all groups deemed terrorist by one country or another are included: A recent investigation by the Pakistan newspaper Dawn found that 41 of the 64 terrorist groups banned in Pakistan were operational on Facebook.

There is also a secret list, referred to but not included in the documents, of groups designated as hate organizations that are banned from Facebook. That list apparently doesn't include many Holocaust denial and white supremacist sites that are up on Facebook to this day, such as a group called "Alt-Reich Nation." A member of that group was recently charged with murdering a black college student in Maryland.

As the rules have multiplied, so have exceptions to them. Facebook's decision not to protect subsets of protected groups arose because some subgroups such as "female drivers" didn't seem especially sensitive. The default position was to allow free speech, according to a person familiar with the decision-making.

After the wave of Syrian immigrants began arriving in Europe, Facebook added a special "quasi-protected" category for migrants, according to the documents. They are only protected against calls for violence and dehumanizing generalizations, but not against calls for exclusion and degrading generalizations that are not dehumanizing. So, according to one document, migrants can be referred to as "filthy" but not called "filth." They cannot be likened to filth or disease "when the comparison is in the noun form," the document explains.

Facebook also added an exception to its ban against advocating for anyone to be sent to a concentration camp. "Nazis should be sent to a concentration camp" is allowed, the documents state, because Nazis themselves are a hate group.
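The protected-category, subset and quasi-protected distinctions described here and at the start of the article (white men protected; female drivers, black children and radicalized Muslims not; migrants shielded only from violence and dehumanizing generalizations), modelled as a small decision function. This is an added illustration, not Facebook's code: the trait-to-category mapping, the "ideology" and "migrant status" axes and the attack-type vocabulary are assumptions chosen to match the article's examples.

```python
"""Toy model of the protected-category rule the article describes.

Constructed illustration, not Facebook's rulebook. The trait-to-axis table,
the non-protected axes and the attack-type names are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Attack(Enum):
    CURSE = "curse"
    SLUR = "slur"
    CALL_FOR_VIOLENCE = "call for violence"
    # "filth" (noun form) is dehumanizing; "filthy" (adjective) is only degrading
    DEHUMANIZING_GENERALIZATION = "dehumanizing generalization"
    DEGRADING_GENERALIZATION = "degrading generalization"
    CALL_FOR_EXCLUSION = "call for exclusion"


# The protected categories the article lists.
PROTECTED_AXES = {
    "race", "sex", "gender identity", "religious affiliation", "national origin",
    "ethnicity", "sexual orientation", "serious disability/disease",
}

# Assumed mapping of example traits to the axis they belong to. Axes such as
# "occupation", "age" and "ideology" stand in for "not protected" in the article.
TRAIT_AXIS = {
    "white": "race", "black": "race", "men": "sex", "female": "sex",
    "muslims": "religious affiliation", "drivers": "occupation",
    "children": "age", "radicalized": "ideology", "nazis": "ideology",
    "migrants": "migrant status",  # the "quasi-protected" category
}

QUASI_PROTECTED_AXES = {"migrant status"}
# The only attack types the quasi tier is still shielded from, per the article.
QUASI_REMOVED = {Attack.CALL_FOR_VIOLENCE, Attack.DEHUMANIZING_GENERALIZATION}


@dataclass(frozen=True)
class Decision:
    remove: bool
    reason: str


def protection_tier(traits):
    """'full' when every trait is a protected category, 'quasi' when every trait
    is protected or quasi-protected (at least one quasi), else 'none' (a subset)."""
    axes = [TRAIT_AXIS[t.lower()] for t in traits]
    if all(a in PROTECTED_AXES for a in axes):
        return "full"
    if all(a in PROTECTED_AXES or a in QUASI_PROTECTED_AXES for a in axes):
        return "quasi"
    return "none"


def review(traits, attack):
    """Decide whether an attack of the given type on the described group is removed."""
    tier = protection_tier(traits)
    target = " ".join(traits)
    if tier == "full":
        return Decision(True, f"{attack.value} against protected group '{target}'")
    if tier == "quasi":
        if attack in QUASI_REMOVED:
            return Decision(True, f"{attack.value} against quasi-protected '{target}'")
        return Decision(False, f"quasi-protected '{target}' is not shielded from {attack.value}")
    # A subset: at least one trait is not a protected category, so speech is allowed.
    return Decision(False, f"'{target}' is a subset (contains an unprotected trait)")


if __name__ == "__main__":
    for group, attack in [(["white", "men"], Attack.SLUR),
                          (["female", "drivers"], Attack.SLUR),
                          (["radicalized", "Muslims"], Attack.CALL_FOR_VIOLENCE),
                          (["migrants"], Attack.CALL_FOR_EXCLUSION),
                          (["migrants"], Attack.DEHUMANIZING_GENERALIZATION)]:
        d = review(group, attack)
        print("REMOVE" if d.remove else "ALLOW ", "-", d.reason)
```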

The rule against posts that support violent resistance against a foreign occupier was developed because "we didn't want to be in a position of deciding who is a freedom fighter," Willner said. Facebook has since dropped the provision and revised its definition of terrorism to include nongovernmental organizations that carry out premeditated violence "to achieve a political, religious or ideological aim," according to a person familiar with the rules.

The Facebook policy appears to have had repercussions in many of the at least two dozen disputed territories around the world. When Russia occupied Crimea in March 2014, many Ukrainians experienced a surge in Facebook banning posts and suspending profiles. Facebook's director of policy for the region, Thomas Myrup Kristensen, acknowledged at the time that it "found a small number of accounts where we had incorrectly removed content. In each case, this was due to language that appeared to be hate speech but was being used in an ironic way. In these cases, we have restored the content."

Katerina Zolotareva, 34, a Kiev-based Ukrainian working in communications, has been blocked so often that she runs four accounts under her name. Although she supported the "Euromaidan" protests in February 2014 that antagonized Russia, spurring its military intervention in Crimea, she doesn't believe that Facebook took sides in the conflict. "There is war in almost every field of Ukrainian life," she says, "and when war starts, it also starts on Facebook."

In Western Sahara, a disputed territory occupied by Morocco, a group of journalists called Equipe Media say their account was disabled by Facebook, their primary way to reach the outside world. They had to open a new account, which remains active.

"We feel we have never posted anything against any law," said Mohammed Mayarah, the group's general coordinator. "We are a group of media activists. We have the aim to break the Moroccan media blockade imposed since it invaded and occupied Western Sahara."

In Israel, which captured territory from its neighbors in a 1967 war and has occupied it since, Palestinian groups are blocked so often that they have their own hashtag, #FbCensorsPalestine, for it. Last year, for instance, Facebook blocked the accounts of several editors for two leading Palestinian media outlets from the West Bank -- Quds News Network and Sheebab News Agency. After a couple of days, Facebook apologized and un-blocked the journalists' accounts. Earlier this year, Facebook blocked the account of Fatah, the Palestinian Authority's ruling party -- then un-blocked it and apologized.

Last year India cracked down on protesters in Kashmir, shooting pellet guns at them and shutting off cellphone service. Local insurgents are seeking autonomy for Kashmir, which is also caught in a territorial tussle between India and Pakistan. Posts of Kashmir activists were being deleted, and members of a group called the Kashmir Solidarity Network found that all of their Facebook accounts had been blocked on the same day.

Ather Zia, a member of the network and a professor of anthropology at the University of Northern Colorado, said that Facebook restored her account without explanation after two weeks. "We do not trust Facebook any more," she said. "I use Facebook, but it's almost this idea that we will be able to create awareness but then we might not be on it for long."

The rules are one thing. How they're applied is another. Bickert said Facebook conducts weekly audits of every single content reviewer's work to ensure that its rules are being followed consistently. But critics say that reviewers, who have to decide on each post within seconds, may vary in both interpretation and vigilance.

Facebook users who don't mince words in criticizing racism and police killings of racial minorities say that their posts are often taken down. Two years ago, Stacey Patton, a journalism professor at historically black Morgan State University in Baltimore, posed a provocative question on her Facebook page. She asked why "it's not a crime when White freelance vigilantes and agents of 'the state' are serial killers of unarmed Black people, but when Black people kill each other then we are 'animals' or 'criminals.'"

Although it doesn't appear to violate Facebook's policies against hate speech, her post was immediately removed, and her account was disabled for three days. Facebook didn't tell her why. "My posts get deleted about once a month," said Patton, who often writes about racial issues. She said she also is frequently put in Facebook "jail" -- locked out of her account for a period of time after a posting that breaks the rules.

"It's such emotional violence," Patton said. "Particularly as a black person, we're always having these discussions about mass incarceration, and then here's this fiber-optic space where you can express yourself. Then you say something that some anonymous person doesn't like and then you're in 'jail.'"

Didi Delgado, whose post stating that "white people are racist" was deleted, has been banned from Facebook so often that she has set up an account on another service called Patreon, where she posts the content that Facebook suppressed. In May, she deplored the increasingly common Facebook censorship of black activists in an article for Medium titled "Mark Zuckerberg Hates Black People."

Facebook also locked out Leslie Mac, a Michigan resident who runs a service called SafetyPinBox where subscribers contribute financially to "the fight for black liberation," according to her site. Her offense was writing a post stating "White folks. When racism happens in public -- YOUR SILENCE IS VIOLENCE."

The post does not appear to violate Facebook's policies. Facebook apologized and restored her account after TechCrunch wrote an article about Mac's punishment. Since then, Mac has written many other outspoken posts. But, "I have not had a single peep from Facebook," she said, while "not a single one of my black female friends who write about race or social justice have not been banned."

"My takeaway from the whole thing is: If you get publicity, they clean it right up," Mac said. Even so, like most of her friends, she maintains a separate Facebook account in case her main account gets blocked again.

Negative publicity has spurred other Facebook turnabouts as well. Consider the example of the iconic news photograph of a young naked girl running from a napalm bomb during the Vietnam War. Kate Klonick, a Ph.D. candidate at Yale Law School who has spent two years studying censorship operations at tech companies, said the photo had likely been deleted by Facebook thousands of times for violating its ban on nudity.

But last year, Facebook reversed itself after Norway's leading newspaper published a front-page open letter to Zuckerberg accusing him of "abusing his power" by deleting the photo from the newspaper's Facebook account.

Klonick said that while she admires Facebook's dedication to policing content on its website, she fears it is evolving into a place where celebrities, world leaders and other important people "are disproportionately the people who have the power to update the rules."

In December 2015, a month after terrorist attacks in Paris killed 130 people, the European Union began pressuring tech companies to work harder to prevent the spread of violent extremism online.

After a year of negotiations, Facebook, Microsoft, Twitter and YouTube agreed to the European Union's hate speech code of conduct, which commits them to review and remove the majority of valid complaints about illegal content within 24 hours and to be audited by European regulators. The first audit, in December, found that the companies were only reviewing 40 percent of hate speech within 24 hours, and only removing 28 percent of it. Since then, the tech companies have shortened their response times to reports of hate speech and increased the amount of content they are deleting, prompting criticism from free-speech advocates that too much is being censored.

Now the German government is considering legislation that would allow social networks such as Facebook to be fined up to 50 million euros if they don't remove hate speech and fake news quickly enough. Facebook recently posted an article assuring German lawmakers that it is deleting about 15,000 hate speech posts a month. Worldwide, over the last two months, Facebook deleted about 66,000 hate speech posts per week, vice president Richard Allan said in a statement Tuesday on the company's site.

Among posts that Facebook didn't delete were Donald Trump's comments on Muslims. Days after the Paris attacks, Trump, then running for president, posted on Facebook "calling for a total and complete shutdown of Muslims entering the United States until our country's representatives can figure out what is going on."

Candidate Trump's posting -- which has come back to haunt him in court decisions voiding his proposed travel ban -- appeared to violate Facebook's rules against "calls for exclusion" of a protected religious group. Zuckerberg decided to allow it because it was part of the political discourse, according to people familiar with the situation.

However, one person close to Facebook's decision-making said Trump may also have benefited from the exception for sub-groups. A Muslim ban could be interpreted as being directed against a sub-group, Muslim immigrants, and thus might not qualify as hate speech against a protected category.

Hannes Grassegger is a reporter for Das Magazin and Reportagen Magazine based in Zurich.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Russian Cyber Attacks Against US Voting Systems Wider Than First Thought

Cyber attacks upon electoral systems in the United States are wider than originally thought. The attacks occurred in at least 39 states. A Bloomberg report described the online attacks in Illinois as an example:

"... investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016... In early July 2016, a contractor who works two or three days a week at the state board of elections detected unauthorized data leaving the network, according to Ken Menzel, general counsel for the Illinois board of elections. The hackers had gained access to the state’s voter database, which contained information such as names, dates of birth, genders, driver’s licenses and partial Social Security numbers on 15 million people, half of whom were active voters. As many as 90,000 records were ultimately compromised..."

Politicians have emphasized that the point of the disclosures isn't to embarrass any specific state, but to alert the public to past activities and to the ongoing threat. The Intercept reported:

"Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light."

Spear-phishing is a tactic in which criminals send malware-laden e-mail messages to targeted individuals, whose names and demographic details may have been collected from social networking sites and other sources. The e-mail uses those details to pose as a valid message from a coworker, business associate, or friend. When the target opens the attachment, the computer and network are often infected with malware that collects and transmits log-in credentials to the criminals, or that takes over the target's computer (e.g., ransomware) and demands a ransom payment. Stolen log-in credentials are how criminals break into online bank accounts and steal consumers' money.

The Intercept report explained how the elections systems hackers adopted this tactic:

"... the Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers. But in order to dupe the local officials, the hackers needed access to an election software vendor’s internal systems to put together a convincing disguise. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company... The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded..."

Experts believe the voting equipment company targeted was VR Systems, based in Florida. Reportedly, its electronic voting services and equipment are used in eight states. VR Systems posted online a Frequently Asked Questions document (Adobe PDF) about the cyber attacks against elections systems:

"Recent reports indicate that cyber actors impersonated VR Systems and other elections companies. Cyber actors sent an email from a fake account to election officials in an unknown number of districts just days before the 2016 general election. The fraudulent email asked recipients to open an attachment, which would then infect their computer, providing a gateway for more mischief... Because the spear-phishing email did not originate from VR Systems, we do not know how many jurisdictions were potentially impacted. Many election offices report that they never received the email or it was caught by their spam filters before it could reach recipients. It is our understanding that all jurisdictions, including VR Systems customers, have been notified by law enforcement agencies if they were a target of this spear-phishing attack... In August, a small number of phishing emails were sent to VR Systems. These emails were captured by our security protocols and the threat was neutralized. No VR Systems employee’s email was compromised. This prevented the cyber actors from accessing a genuine VR Systems email account. As such, the cyber actors, as part of their late October spear-phishing attack, resorted to creating a fake account to use in that spear-phishing campaign."

It is good news that VR Systems protected its employees' e-mail accounts. Let's hope that those employees were equally diligent about protecting their personal e-mail accounts and home computers, networks, and phones. We all know employees that often work from home.

The Intercept report highlighted a fact about life on the internet, which all internet users should know: stolen log-in credentials are highly valued by criminals:

"Jake Williams, founder of computer security firm Rendition Infosec and formerly of the NSA’s Tailored Access Operations hacking team, said stolen logins can be even more dangerous than an infected computer. “I’ll take credentials most days over malware,” he said, since an employee’s login information can be used to penetrate “corporate VPNs, email, or cloud services,” allowing access to internal corporate data. The risk is particularly heightened given how common it is to use the same password for multiple services. Phishing, as the name implies, doesn’t require everyone to take the bait in order to be a success — though Williams stressed that hackers “never want just one” set of stolen credentials."

So, a word to the wise for all internet users: don't use the same log-in credentials at multiple sites. Don't open e-mail attachments from strangers. If you weren't expecting an attachment from a coworker, friend, or business associate, call them on the phone first and verify that they indeed sent it. The internet has become a dangerous place.
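A mail-triage script in the spirit of the advice above, added here and not code from The Intercept, VR Systems or the NSA report. It parses constructed messages and flags the impersonation signals the report describes: a display name claiming a vendor or Google while the sender domain is unrelated, a lookalike domain, a macro-capable Word attachment, and a login link to a faux-Google host. The trusted domains, brand names and sample messages are placeholders I constructed.

```python
"""Flag e-mails that imitate an election vendor or Google, as in the Intercept report.

Added example, not the vendor's or anyone's real tooling. TRUSTED and the
sample messages are constructed placeholders.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> the only domain that brand legitimately mails from.
TRUSTED = {
    "google": "google.com",
    "vr systems": "vrsystems.example",  # placeholder, not the vendor's real domain
}

RISKY_ATTACHMENT = re.compile(r"\.(docm?|docx|xlsm?|rtf|zip)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(domain):
    """Last two labels, e.g. accounts.gooogle.com -> gooogle.com (heuristic, no PSL)."""
    return ".".join(domain.split(".")[-2:])


def lookalike(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    base = registrable(domain)
    for good in TRUSTED.values():
        if base == good:
            return None
        # near-identical registrable domain, or the brand label buried in a longer domain
        if edit_distance(base, good) <= 2 or good.split(".")[0] in domain:
            return good
    return None


def triage(raw):
    """Return a list of findings for one RFC 822 message (empty means nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    for brand, good in TRUSTED.items():
        if brand in name.lower() and from_dom != good:
            findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")
    imit = lookalike(from_dom)
    if imit:
        findings.append(f"sender domain {from_dom} resembles {imit}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from sender domain")
    for part in msg.walk():
        fn = part.get_filename()
        if fn and RISKY_ATTACHMENT.search(fn):
            findings.append(f"attachment '{fn}' is a macro-capable or archive type")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode(errors="replace")
            for host in URL_RE.findall(body):
                imit = lookalike(host.lower())
                if imit:
                    findings.append(f"link host {host} resembles {imit}")
    return findings


def build_samples():
    """Two constructed messages: one impersonating the vendor, one benign."""
    bad = EmailMessage()
    bad["From"] = '"VR Systems Support" <support@vrsystems-elections.example>'
    bad["To"] = "clerk@county.example"
    bad["Subject"] = "Updated poll book guide for Election Day"
    bad.set_content("Please review the attached guide before Tuesday.\n"
                    "Sign in at http://accounts.gooogle.com/login to confirm receipt.")
    bad.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="msword", filename="Poll_Book_Guide.docm")
    good = EmailMessage()
    good["From"] = '"County IT" <helpdesk@county.example>'
    good["To"] = "clerk@county.example"
    good["Subject"] = "Printer maintenance"
    good.set_content("The second-floor printer is back online.")
    return bad.as_string(), good.as_string()


if __name__ == "__main__":
    for sample in build_samples():
        print(triage(sample) or ["no findings"])
```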


Hacking Group Reported Security Issues With Samsung 8 Phone's Iris Recognition

The Chaos Computer Club (CCC), a German hacking group founded in 1981, posted the following report on Monday:

"The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers... The Samsung Galaxy S8 is the first flagship smartphone with iris recognition. The manufacturer of the biometric solution is the company Princeton Identity Inc. The system promises secure individual user authentication by using the unique pattern of the human iris.

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method."

The Samsung Galaxy S8 runs the Android operating system, claims a talk time of up to 30 hours, has a screen optimized for virtual reality (VR) apps, and features Bixby, an "... intelligent interface that is built into the Galaxy S8. With every interaction, Bixby can learn, evolve and adapt to you. Whether it's through touch, type or voice, Bixby will seamlessly help you get things done. (Voice coming soon)"

The CCC report also explained:

"Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. "If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication," says Dirk Engling, spokesperson for the CCC."

Phys.org reported that Samsung executives are investigating the CCC report. Samsung views the Galaxy S8 as critical to the company's performance given the Note 7 battery issues and fires last year.

Some consumers might conclude from the CCC report that the best defense against iris hacks would be to stop posting selfies. That conclusion would be wrong, and the defense insufficient:

"The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed... Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems."

So, more photos besides selfies could reveal your iris details. The CCC report also reminded consumers of the security issues with using fingerprints to protect their devices:

"CCC member and biometrics security researcher starbug has demonstrated time and again how easily biometrics can be defeated with his hacks on fingerprint authentication systems – most recently with his successful defeat of the fingerprint sensor "Touch ID" on Apple’s iPhone. "The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris," Dirk Engling remarked."

What are your opinions of the CCC report?


The Guardian Site Reviews Documents Used By Facebook Executives To Moderate Content

The Guardian news site in the United Kingdom (UK) published the findings of its review of "The Facebook Files" -- a collection of documents which comprise the rules used by executives at the social site to moderate (e.g., review, approve, and delete) content posted by the site's members. Reporters at The Guardian reviewed:

"... more than 100 internal training manuals, spreadsheets and flowcharts that give unprecedented insight into the blueprints Facebook has used to moderate issues such as violence, hate speech, terrorism, pornography, racism and self-harm. There are even guidelines on match-fixing and cannibalism.

The Facebook Files give the first view of the codes and rules formulated by the site, which is under huge political pressure in Europe and the US. They illustrate difficulties faced by executives scrabbling to react to new challenges such as “revenge porn” – and the challenges for moderators, who say they are overwhelmed by the volume of work, which means they often have “just 10 seconds” to make a decision..."

The Guardian summarized what it learned about Facebook's revenge porn rules for moderators:

Revenge porn content rules found by The Guardian's review of Facebook documents

Reportedly, Facebook moderators reviewed as many as 54,000 cases in a single month related to revenge porn and "sextortion." In January of 2017, the site disabled 14,000 accounts due to this form of sexual violence. Previously, these rules were not available publicly. Findings about other rules are available at The Guardian site.

Other key findings found by The Guardian during its document review:

"One document says Facebook reviews more than 6.5m reports a week relating to potentially fake accounts – known as FNRP (fake, not real person)... Many moderators are said to have concerns about the inconsistency and peculiar nature of some of the policies. Those on sexual content, for example, are said to be the most complex and confusing... Anyone with more than 100,000 followers on a social media platform is designated as a public figure – which denies them the full protections given to private individuals..."

The social site struggles with how to handle violent language:

"Facebook’s leaked policies on subjects including violent death, images of non-sexual physical child abuse and animal cruelty show how the site tries to navigate a minefield... In one of the leaked documents, Facebook acknowledges “people use violent language to express frustration online” and feel “safe to do so” on the site. It says: “They feel that the issue won’t come back to them and they feel indifferent towards the person they are making the threats about because of the lack of empathy created by communication via devices as opposed to face to face..."

Some industry watchers in Europe doubt that Facebook can do what it has set out to accomplish, say it lacks sufficient staff to effectively moderate content posted by almost 2 billion users, and argue that Facebook management should be more transparent about its content moderation rules. Others believe that Facebook and other social sites should be heavily fined "for failing to remove extremist and hate-crime material."

To learn more, The Guardian site includes at least nine articles about its review of The Facebook Files:

Collection of articles by The Guardian which review Facebook's content policies.


4 Charged, Including Russian Government Agents, In Massive Yahoo Hack

The U.S. Department of Justice (DOJ) announced yesterday that a grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts. The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the Federal Bureau of Investigation (FBI), Acting Assistant Attorney General Mary McCord of the National Security Division, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

The announcement described how the defendants, beginning in January 2014:

"... unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign."

The four defendants are:

  1. Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident
  2. Igor Anatolyevich Sushchin, 43, a Russian national and resident,
  3. Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident, and
  4. Karim Baratov (a/k/a "Kay," "Karim Taloverov," and "Karim Akehmet Tokbergenov") 22, a Canadian and Kazakh national and a resident of Canada.

Several lawsuits have resulted from the Yahoo breach including a shareholder lawsuit alleging a breach of fiduciary duty by the directors of the tech company, and a class-action regarding stolen credit card payment information.

Attorney General Sessions said about the charges against four defendants:

"Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history... But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks..."

FBI Director Comey said:

"... we continue to pierce the veil of anonymity surrounding cyber crimes... We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests."

Acting Assistant Attorney General McCord said:

"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale... hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want..."


Smart Mouse Traps: A Good Deal For Consumers?

Rentokil, a pest control company, has introduced in the United Kingdom a new pest-control device for consumers wanting the latest WiFi technology. The company introduced ResiConnect, an Internet-connected mouse trap. A Rentokil representative explained to the Register UK newspaper:

“This is a trap that’s connected to the internet, essentially. Whereas there are other standard traps on the market that just catch and kill the mouse, that mouse can be caught in that trap for several weeks or several months. What this does is sends us a signal to notify us the trap has been activated, which allows us to respond... What this allows us to do is catch, kill and contain the mouse... and provide the best solution to the customer as well.”

Reportedly, the device sells for about £1,300, or about U.S. $1,300. Last summer, Rentokil Initial Plc announced a partnership with Google and PA Consulting Group (PA) to deploy globally the company's:

"... innovative digital pest control products and, in the future, to the development of ‘next generation’ services to offer customers new levels of proactive risk management against the threat of pest infestation... Rentokil has developed and begun to roll out its range of connected rodent control products particularly to customers in the tightly regulated food and pharmaceutical industries. In the field today, Rentokil has over 20,000 digital devices running in 12 countries which have now sent more than 3 million pieces of data.

The new digital pest control services use connected rodent devices with embedded sensors and mobile connectivity. The units communicate with Rentokil’s online ‘Command Centre’ and when they've caught a rodent, the technician is automatically alerted while customers are kept informed through myRentokil, the industry’s leading online portal... Built on Google’s Cloud Platform, and delivered by PA using Agile techniques, this technology is highly scalable and is now ready to be deployed more widely to existing and new customers from Q4 2016 and to other parts of the company..."

It seems that Rentokil is making available to consumers smart traps similar to those already deployed in the commercial market, such as fast food restaurants with multiple locations. Rentokil sells in the United States a device that uses radar to detect and capture mice. This raises the question: do consumers really need a smart mouse trap?

I have direct experience with mice. The building where I live contains condominiums, and I have the responsibility to pay the condo association's monthly bills (e.g., water, insurance, and electricity), plus hire vendors and contractors, as needed, for repairs and maintenance. That includes pest control companies. Last week, our pest-control vendor deployed bait traps (e.g., poison and glue strips) in all units, plus the basement (with utilities and storage areas).

Obviously, owners of retail stores with multiple locations (e.g., fast food restaurants) would benefit from smart mouse traps. It seems cost-prohibitive to send (and pay for) technicians to visit each store and check multiple traps, while only selective traps would have caught rodents.

First, the benefit for residential customers seems marginal. An Internet-connected mouse trap might appeal to squeamish consumers, who are afraid or unsure what to do, but it's hard to beat the convenience and low cost of a phone call. For our condo association, it was easy to know when a trap had caught a mouse. You heard the squeaking.

For us, the rodent removal process was easy. After a quick phone call the evening the mouse was caught, a pest-control technician arrived the next morning. The company sent a technician that was already in the area for nearby service calls. The technician removed the mouse stuck on a glue strip, checked, and re-baited several traps. That visit was included in the price we paid, and the phone call cost was negligible.

Second, the price seems expensive. The $1,600 price for a smart mouse trap equals about three years of what our condo association pays for pest control services.

Reliability and trust with smart devices are critical for consumers. A recent global study found that 44 percent of consumers are concerned about financial information theft via smart home devices, and 37 percent are concerned about identity theft.

Informed shoppers know that not all smart devices are built equally. Some have poor security features or lack software upgrades. These vulnerabilities create opportunities for bad guys to hack and infect consumers' home WiFi networks with malware to steal passwords and money, create spam, and use infected devices as part of DDoS attacks targeting businesses. (Yes, even the hosting service for this blog was targeted.) So, it is wise to understand any smart trap's software and security features before purchase.

What do you think? Are smart mouse traps worthwhile?


EU Privacy Watchdogs Ask Microsoft For Explanations About Data Collection About Users

A privacy watchdog group in the European Union (EU) is concerned about privacy and data collection practices by Microsoft. The group, comprising 28 agencies and referred to as the Article 29 Working Party, sent a letter to Microsoft asking for explanations about privacy concerns with the software company's Windows 10 operating system software.

The February 2017 letter to Brendon Lynch, Chief Privacy Officer, and to Satya Nadella, Chief Executive Officer, was a follow-up to a prior letter sent in January. The February letter explained:

"Following the launch of Windows 10, a new version of the Windows operating system, a number of concerns have been raised, in the media and in signals from concerned citizens to the data protection authorities, regarding protection of your users’ personal data... the Working Party expressed significant concerns about the default installation settings and an apparent lack of control for a user to prevent collection or further processing of data, as well as concerns about the scope of data that are being collected and further processed... "

While Microsoft has been cooperative so far, the group's specific privacy concerns were:

"... user consent can only be valid if fully informed, freely given and specific. Whilst it is clear that the proposed new express installation screen will present users with five options to limit or switch off certain kinds of data processing it is not clear to what extent both new and existing users will be informed about the specific data that are being collected and processed under each of the functionalities. The proposed new explanation when, for example, a user switches the level of telemetry data from 'full' to 'basic' that Microsoft will collect 'less data' is insufficient without further explanation. Such information currently is also not available in the current version of the privacy policy.

Additionally, the purposes for which Microsoft collects personal data have to be specified, explicit and legitimate, and the data may not be further processed in a way incompatible with those purposes. Microsoft processes data collected through Windows 10 for different purposes, including personalised advertising. Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid..."

Visit this EU link for more information about the Article 29 Working Party, or download the Article 29 Working Party letter to Microsoft (Adobe PDF).


Travelers Face Privacy Issues When Crossing Borders

If you travel for business, pleasure, or both then today's blog post will probably interest you. Wired Magazine reported:

"In the weeks since President Trump’s executive order ratcheted up the vetting of travelers from majority Muslim countries, or even people with Muslim-sounding names, passengers have experienced what appears from limited data to be a “spike” in cases of their devices being seized by customs officials. American Civil Liberties Union attorney Nathan Wessler says the group has heard scattered reports of customs agents demanding passwords to those devices, and even social media accounts."

Devices include smartphones, laptops, and tablets. Many consumers realize that relinquishing passwords to social networking sites (e.g., Facebook, Instagram, etc.) discloses sensitive information not just about themselves, but also about all of their friends, family, classmates, neighbors, and coworkers -- anyone they are connected with online. The "Bring Your Own Device" policies of many companies and employers mean that employees (and contractors) can use their personal devices in the workplace and/or connect remotely to company networks. Those connected devices can easily divulge company trade secrets and other sensitive information when seized by Customs and Border Protection (CBP) agents for analysis and data collection.

Plus, professionals such as attorneys and consultants are required to protect their clients' sensitive information. These professionals, who also must travel, require data security and privacy for business.

Wired also reported:

"In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.

Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents."

For travelers wanting privacy, what are the options? Remain at home? This may not be an option for workers who must travel for business. Leave your devices at home? Again, impractical for many. The Wired article provided several suggestions, including:

"If customs officials do take your devices, don’t make their intrusion easy. Encrypt your hard drive with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too..."

What are the consequences when travelers refuse to disclose passwords and encrypt their devices? Ars Technica also explored the issues:

"... Ars spoke with several legal experts, and contacted CBP itself (which did not provide anything beyond previously-published policies). The short answer is: your device probably will be seized (or "detained" in CBP parlance), and you might be kept in physical detention—although no one seems to be sure exactly for how long.

An unnamed CBP spokesman told The New York Times on Tuesday that such electronic searches are extremely rare: he said that 4,444 cellphones and 320 other electronic devices were inspected in 2015, or 0.0012 percent of the 383 million arrivals (presuming that all those people had one device)... The most recent public document to date on this topic appears to be an August 2009 Department of Homeland Security paper entitled "Privacy Impact Assessment for the Border Searches of Electronic Devices." That document states that "For CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist." The policy also states that CBP or Immigration and Customs Enforcement "may demand technical assistance, including translation or decryption," citing a federal law, 19 US Code Section 507."

The Electronic Frontier Foundation (EFF) collects stories from travelers who've been detained and had their devices seized. Clearly, we will hear a lot more in the future about these privacy issues. What are your opinions of this?


Big Data Brokers: Failing With Privacy

You may not know that hedge funds, in both the United Kingdom and in the United States, buy and sell a variety of information from data brokers: mobile app purchases, credit card purchases, posts at social networking sites, and lots more. You can bet that a lot of that mobile information includes geo-location data. The problem: consumers' privacy isn't protected consistently.

The industry claims the information sold is anonymous (i.e., it doesn't identify specific persons), but researchers have found it easy to de-anonymize the information. The Financial Times reported:

"The “alternative data” industry, which sells information such as app downloads and credit card purchases to investment groups, is failing to adequately erase personal details before sharing the material... big data is seen as an increasingly attractive source of information for asset managers seeking a vital investment edge, with data providers selling everything from social media chatter and emailed receipts to federal lobbying data and even satellite images from space..."

One part of the privacy problem:

“The vendors claim to strip out all the personal information, but we occasionally find phone numbers, zip codes and so on,” said Matthew Granade, chief market intelligence officer at Steven Cohen’s Point72. “It’s a big enough deal that we have a couple of full-time tech people wash the data ourselves.” The head of another major hedge fund said that even when personal information had been scrubbed from a data set, it was far too easy to restore..."

A second part of the privacy problem:

“... there is no overarching US privacy law to protect consumers, with standards set individually by different states, industries and even companies, according to Albert Gidari, director of privacy at the Stanford Center for Internet and Society..."

The third part of the privacy problem: consumers are too willing to trade personal information for convenience.
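The two failures described above, direct identifiers left in "scrubbed" records and data that is "far too easy to restore" even after scrubbing, are exactly what a buyer's own washing step has to catch. The following is an added example, not code from the Financial Times article or from any data vendor or hedge fund named here. It assumes a constructed set of purchase records with a three-digit ZIP prefix and an age as quasi-identifiers, scans free-text fields for residual phone numbers, ZIP codes and e-mail addresses, redacts them, and reports quasi-identifier combinations that occur fewer than k times (the k-anonymity check that flags records a single outside data set could re-identify).

```python
import re
from collections import Counter

# Constructed sample "anonymized" records, as a data vendor might ship them.
# These are not real transactions or real people.
RECORDS = [
    {"id": "a1", "zip3": "021", "age": 34, "merchant": "CoffeeCo", "amount": 4.50,
     "note": "receipt sent to jane@example.com"},
    {"id": "a2", "zip3": "021", "age": 34, "merchant": "BookMart", "amount": 23.10,
     "note": ""},
    {"id": "a3", "zip3": "940", "age": 51, "merchant": "GasStop", "amount": 41.00,
     "note": "call 415-555-0142 re: refund"},
    {"id": "a4", "zip3": "100", "age": 29, "merchant": "CoffeeCo", "amount": 3.75,
     "note": "delivered to 10001"},
    {"id": "a5", "zip3": "021", "age": 34, "merchant": "CoffeeCo", "amount": 5.00,
     "note": ""},
]

# Direct identifiers that should never survive anonymization. Patterns are
# deliberately simple; a production scanner would add names, card numbers, etc.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "zip5": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

FREE_TEXT_FIELDS = ("note", "merchant")


def scan_residual_pii(records, fields=FREE_TEXT_FIELDS):
    """Return (record id, field, kind, matched text) for every direct identifier
    found in the free-text fields of the supposedly anonymized records."""
    findings = []
    for rec in records:
        for field in fields:
            value = str(rec.get(field, ""))
            for kind, pattern in PII_PATTERNS.items():
                for match in pattern.finditer(value):
                    findings.append((rec["id"], field, kind, match.group(0)))
    return findings


def redact_record(rec, fields=FREE_TEXT_FIELDS):
    """Return a copy of one record with each direct identifier replaced by a
    placeholder naming its kind, e.g. 'call [us_phone] re: refund'."""
    washed = dict(rec)
    for field in fields:
        value = str(washed.get(field, ""))
        for kind, pattern in PII_PATTERNS.items():
            value = pattern.sub(f"[{kind}]", value)
        washed[field] = value
    return washed


def k_anonymity_violations(records, quasi_identifiers=("zip3", "age"), k=3):
    """Count records per quasi-identifier combination and return the combinations
    seen fewer than k times. A combination that appears once can be linked back to
    a person by anyone holding a second data set with the same columns."""
    groups = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    return {key: count for key, count in groups.items() if count < k}


def wash(records, k=3):
    """Redact direct identifiers and drop records in groups smaller than k."""
    unsafe = k_anonymity_violations(records, k=k)
    return [redact_record(r) for r in records
            if (r["zip3"], r["age"]) not in unsafe]


if __name__ == "__main__":
    for finding in scan_residual_pii(RECORDS):
        print("residual PII:", finding)
    for group, count in k_anonymity_violations(RECORDS).items():
        print("re-identifiable group:", group, "count", count)
    print("records safe to share:", [r["id"] for r in wash(RECORDS)])
```

The two checks are independent on purpose: a data set can pass the regex scan and still be re-identifiable, which is the second hedge fund manager's point, so a washing step that only strips phone numbers and ZIP codes is not enough.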


German Regulators Ask Tesla To Stop Advertising 'Autopilot' Term

Government regulators have asked the automaker Tesla to stop using the term "autopilot" for its driver-assist feature. Deutsche Welle (DW) reported that a letter:

"... published in the newspaper "Bild am Sonntag," called on Tesla to take urgent action "in order to prevent misunderstandings and false expectations from clients." The KBA transport regulator said the term "autopilot" was misleading, and called for it to be removed in future advertisements for Tesla products. The self-driving feature has been available on the California-based automaker's Model S since October 2015."

The Autopilot feature manages the car's speed, steers within a lane, changes lanes (when the driver taps a turn signal), scans for a parking space, and parallel parks on command. Officials in Germany are still conducting an investigation into the car's capabilities.

After the fatal crash in May of a Tesla Model S car operating beta-version software for its Autopilot feature, Tesla engineers said in August the problem was with the car's brakes and not its Autopilot feature.

DW also reported:

"... the German transport regulator wrote to Tesla owners warning them that the autopilot function was purely to assist the driver and did not turn the car into a highly-automated vehicle. The feature still required the driver's unrestricted attention at all times, the letter said. Under German road traffic regulations, the driver is required to remain alert and in control of the vehicle at all times when using the system, the letter added."

The Los Angeles Times reported:

"Tesla Chief Executive Elon Musk has repeatedly said he’s sticking with the name, and the company responded to the German report as it does every time the subject comes up: The term “autopilot” has a long history in aerospace, where human pilots and autopilot systems work together to fly a plane."


Federal Reserve Bars 2 HSBC Foreign Exchange Traders From Working In The Industry

The Federal Reserve Board (FRB) has prohibited two former foreign exchange (FX) traders from working in the banking industry. Both persons, Mark Johnson and Stuart Scott, were managers at London-based HSBC Bank plc, a subsidiary of HSBC. Johnson had been a managing director and the global head of FX cash trading. Scott reported to Johnson and had managed the bank's FX trading for Europe, the Middle East, and Africa.

The FRB's press release explained the reasons for its actions:

"Mark Johnson and Stuart Scott, former senior HSBC managers, were recently indicted for criminal wire fraud in connection with their trading activities... According to the indictment, Johnson and Scott made multiple misrepresentations to an FX client of HSBC in connection with a large pre-arranged currency transaction. The indictment also alleges Johnson and Scott engaged in conduct to trade to the detriment of HSBC's client and for their own (and HSBC's) benefit... the Board found that given the indictment, Johnson's and Scott's continued participation in any depository institution may threaten to impair public confidence in that institution."

The U.S. Department of Justice filed criminal charges on July 16, 2016 against Johnson and Scott in U.S. District Court for the Eastern District of New York. On August 16, 2016, a federal grand jury indicted Johnson and Scott with multiple counts of wire fraud and conspiracy to commit wire fraud. The alleged fraud happened during November and December, 2011, in part, in New York City at the offices of HSBC Bank USA National Association, a unit of HSBC.

HSBC Bank plc is a unit of HSBC Holdings plc (HSBC). HSBC's website says it has 4,400 offices in 71 countries that serve 46 million customers worldwide. Bloomberg described HSBC Bank plc's activities:

"HSBC Bank plc provides various banking products and services worldwide. The company operates through Retail Banking and Wealth Management, Commercial Banking, Global Banking and Markets, and Global Private Banking segments. It accepts various deposits, such as current, savings, and business bank accounts..."

The prohibition is effective immediately and until the criminal charges against Johnson and Scott are resolved.


News About The Massive Data Breach At Yahoo Isn't Pretty

The news about Yahoo's massive data breach seems to be getting worse. The Oregonian reported:

" "Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter. A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous. Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time..."

Apply those success rates to half a billion stolen credentials and criminals have plenty of opportunities to break into consumers' online accounts. And, this list of seven ways the breach has exposed consumers to online banking fraud is definitely accurate.

The tech company's stock has dropped 4 percent since September 22. During an interview, Tim Armstrong, the head of Verizon's AOL, would not comment about whether Verizon might renegotiate its $4.8 billion cash offer for Yahoo's core business. Experts have speculated about whether or not the breach might trigger the "material adverse effect" clause in the purchase transaction.

Tech Week Europe reported:

"Cybersecurity specialist Venafi conducted research into how well Yahoo reacted to the breach, in particular the cryptographic controls Yahoo still has in place, and said the results were “damning.” Researchers said Yahoo had still not “taken the action necessary to ensure they are not still exposed and that the hackers do not still have access to their systems and encrypted communications.” Furthermore Venafi warned that “Yahoo is still using cryptography (MD5) that has been known to be vulnerable for many years now.” "

On Monday, U.S. Senator Mark R. Warner (D-VA) requested that the U.S. Securities and Exchange Commission (SEC) investigate Yahoo and its executives. Senator Warner said in a statement:

"Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications," wrote Sen. Warner, a former technology executive. "Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."

Senator Warner called on the SEC:

"... to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems. Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,

Also, six U.S. Senators sent a letter on September 27 to Marissa Mayer, the Chief Executive Officer at Yahoo, demanding answers about precisely how and why the massive breach went undetected for so long. The letter by Senators Richard Blumenthal (D-CT), Al Franken (D-MN), Patrick Leahy (D-VT), Edward J. Markey (D-MA), Elizabeth Warren (D-MA), and Ron Wyden read in part:

"We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans' data may have been compromised for two years. That is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of Americans in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps to be taken to protect that information."

Indeed. Consumers have these reasonable and valid expectations. The letter demands that the tech company provide a briefing to the Senators' staffs with answers to a set of eight questions including a detailed timeline of events, specific systems and services affected, steps being taken to prevent a massive breach from happening again, and how it responded to any communications and warnings by government officials about state-sponsored hacking activity.

Elizabeth Denham, the Information Commissioner of the United Kingdom (UK), released a statement on September 23 demanding answers from Yahoo:

"The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be. The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today. We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected..."

Some consumers aren't waiting for lawmakers. The Mercury News reported:

"... a class-action suit accusing the Sunnyvale tech firm of putting their finances at risk and failing to notify them earlier about the breach. “While investigating another potential data breach, Yahoo uncovered this data breach, dating back to 2014,” the lawsuit, filed Thursday in U.S. District Court in San Diego, said. “Two years is an unusually long period of time in which to identify a data breach.” On Friday in U.S. District Court in San Jose, a second class-action suit was filed over the hack. Plaintiff Ronald Schwartz, of New York, claims his personal information was stolen. His suit calls Yahoo’s treatment of users’ data “grossly negligent” and alleges that circumstantial evidence indicates “Yahoo insiders” knew of the breach “long before it was disclosed.”"

Reportedly, one of the plaintiffs has already experienced financial fraud as a result of identity theft from the data breach.
