For-Profit School Chain Camelot Suffers Setback Following Abuse Allegations

[Editor's note: today's guest post, by the reporters at ProPublica, provides an update about a for-profit school operating in the State of Georgia. The article was originally published on April 12, 2017 and is reprinted with permission.]

by Zoë Kirsch, The Teacher Project, ProPublica

The Muscogee County School Board in Columbus, Georgia, dealt another blow to embattled Camelot Education when it voted Monday night on April 10 to delay for three months a decision on whether to hire the company to run its alternative education programs.

The delay in awarding the $6.4 million annual contract comes in the wake of a recent report by ProPublica and Slate that more than a dozen Camelot students were allegedly shoved, beaten or thrown by staff members -- incidents almost always referred to as "slamming." The for-profit Camelot runs alternative programs across the country for more than 3,000 students, most of whom have emotional or behavioral difficulties or have fallen far behind academically.

"The abuse allegations were one of many red flags for me," said Muscogee school board member Frank Myers, one of five board members who supported postponement, while three were opposed. If the district is going to privatize such an important service, he said, "You ought to have an outfit that has a pristine record."

The board bucked the wishes of school district officials, including Superintendent of Education David Lewis, who pushed to hire Camelot. "There was no transparency," Myers said. "They wanted us to rush this thing."

Instead, a community advisory council will be created, and additional public hearings will be held. The council is expected to report back within three months.

Efforts to reach Lewis were unsuccessful. Camelot spokesman Kirk Dorn said in an email that the company often encounters delays when it enters new partnerships. The company expects to meet with the community later this month "and will continue to ensure that those who still have questions get answers," Dorn said. "We know from experience that the more a community learns about how we help students succeed the more reassured they become that we will be an asset."

Camelot has faced recent setbacks in other states as well. On March 9, the day after the report was published, the Houston school board voted unanimously not to renew its contract with Camelot, instead bringing management of its alternative program in house. And a Philadelphia city councilwoman called for more information about the city's alternative schools, including their disciplinary practices.

About half a million people in the United States attend alternative schools, which are publicly funded but often managed by private, for-profit companies such as Camelot, which was founded in 2002. They frequently serve as a last resort for struggling low-income and minority students.

The Columbus branch of the NAACP announced last week that it opposed hiring Camelot, citing the Slate and ProPublica investigation. "Abuse is failure," branch president Tonza Thomas told the Columbus Ledger-Enquirer.

"Our community has competent educators that assist our children with challenges daily," the organization said in a news release. "Yet they were not consulted before a decision was made to introduce an out-of-state, for profit, security-corporation to our school district."

Abuse allegations made by teachers and students against Camelot span ten years and four states: Pennsylvania, New Jersey, Florida and Louisiana. For the most part, staffers who allegedly assaulted students have faced no criminal charges or internal discipline; some have even been promoted.

In written statements, Camelot and its chief executive, Todd Bock, have said it provides effective and supportive services to thousands of the country's most challenging and needy students, and have denied any claims of systemic abuse across its programs.

"The idea of 'slamming' a student is offensive and counter to Camelot's values, culture and procedures," the company said on March 22. "Camelot does not currently practice nor has it ever practiced 'slamming' kids."

Monday night's decision in Muscogee County, located in western Georgia, was the second delay for Camelot there since Superintendent Lewis recommended hiring the company. On March 27, the school board postponed its vote for two weeks so that residents could attend two public forums about the proposal.

At those forums, both Camelot executives and Lewis touted the company's potential benefits, according to Fife Whiteside, a local attorney who served on the Muscogee school board from 1993 to 2008. Lewis told community members that hiring Camelot could help the district save money by cutting staffing costs.

At the start of one forum, Marianne Young, the parent of a child with special needs, tried to hand out fliers that were critical of Camelot. Young said in an interview that a security guard initially told her she couldn't distribute the fliers.

Another parent called a school board member to complain, Young said. Lewis then allowed Young to give out the fliers, she said. "I have a lot of concerns" about this contract, Young said, including "the abuse allegations, and the lack of oversight that our district has for these situations."

Whiteside, the former school board member, said he was surprised that the board opposed the superintendent. The reports of abuse allegations played a role in turning some board members against Camelot, he said. "The board rarely fails to support the superintendent in his initiatives," Whiteside said.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Tax Day Protest in Cambridge, Massachusetts. Protesters Demand President Releases His Tax Returns

Rallies and marches in more than 190 cities and towns were held on Saturday April 15 to demand more transparency and fairness related to taxes. The transparency demand is for the 45th President of the United States. During the 2016 presidential campaign, candidate Trump promised to release his tax returns after an Internal Revenue Service (IRS) audit was completed. After winning the election and entering office, President Trump refused to release his tax returns.

The issue is partisan. A YouGov survey in May 2016 found that 61 percent of Americans, 81 percent of Democrats, 60 percent of Independents, and 38 percent of Republicans wanted candidate Trump to release his detailed tax returns.

An estimated 2,500 persons attended the greater Boston area event held on the Cambridge Commons in Cambridge, Massachusetts. The emcee was Mike Connolly, a Massachusetts State representative for Somerville and Cambridge. Several local organizers spoke, including calls for fairness with taxes and the federal budget. The entire rally paused for a moment of silence to remember the victims in the Boston Marathon bombing four years ago.

Future rallies are scheduled to support science, public education, and recognition of climate change. Learn more about today's event at #TaxDayMarch and at #TaxMarchBoston. Photographs of today's event in Cambridge appear below.

Greater Boston area Tax Rally. April 15, 2017


Minnesota Judge Signed Warrant For Users' Google Search Data About A Person's Name

A Minnesota court judge has signed what appears to be a stunningly broad search warrant to compel Google to provide search information to local law enforcement. The request for search data is part of an identity theft and fraud case.

The search warrant requests information about anyone searching for variations of the name "Douglas" between December 1, 2016 and January 7, 2017. Using a fake passport with the victim's photo and name, identified only as "Douglas" in the warrant, a fraudster fraudulently obtained $28,000 via a wire transfer from a credit union bank account. The credit union relied upon the passport as identification.

During their investigation, the Edina Police Department searched for images with the victim's name using several search engines (e.g., Yahoo, Bing, Google), and found images on all, but only Google's search results included an image of the photo used on the fake passport. Based upon these facts, Hennepin County Judge Gary Larson signed the warrant requiring Google to turn over information about anyone who searched for variations of Douglas's full name. The warrant requests the following information about search engine users: names, addresses, e-mail addresses, phone numbers, Social Security numbers, birth dates, IP (Internet Protocol) addresses, MAC addresses, and dates/times the searches were performed.

The search warrant also requests, "Information related to the content the user is viewing/using." What exactly is that? Does that refer to other information collected by Google in each user's Google account (e.g., passwords, Google Drive documents, Gmail messages, calendar appointments, Google Chat sessions, etc.)?

The Minneapolis Star-Tribune newspaper reported:

"Privacy law experts say that the warrant is based on an unusually broad definition of probable cause that could set a troubling precedent. 'This kind of warrant is cause for concern because it’s closer to these dragnet searches that the Fourth Amendment is designed to prevent,' said William McGeveran, a law professor at the University of Minnesota... McGeveran said it’s unusual for a judge to sign off on a warrant that bases probable cause on so few facts. 'It’s much more usual for a search warrant to be used to gather evidence for a suspect that’s already identified, instead of using evidence to find a suspect... If the standards for getting a broad warrant like this are not strong, you can have a lot of police fishing expeditions.'"

Judge Larson signed the warrant on February 1, 2017. Reportedly, Google will fight in court against the demands in the search warrant.

This warrant seems stunningly broad since it does not contain the name of a specific suspect, suspects, and/or criminal organization. There are many legitimate reasons for persons to search using the victim's name. Chiefly, many other people have the same name.

Other questions remain. The warrant did not state whether or not law enforcement searched social networking accounts for the victim's image. Many social networking accounts include profile photos of users. How certain are law enforcement officials that the fraudster didn't obtain the photo from a social networking account? Plus, many social networking users don't utilize the privacy controls available for their online accounts and photos.

What are your opinions?


Maker Of Smart Vibrators To Pay $3.75 Million To Settle Privacy Lawsuit

Today's smart homes contain a variety of internet-connected appliances -- televisions, utility meters, hot water heaters, thermostats, refrigerators, security systems -- and devices you might not expect to have WiFi connections: mouse traps, wine bottles, crock pots, toy dolls, and trash/recycle bins. Add smart vibrators to the list.

We-Vibe, a maker of vibrators for better sex, will pay U.S. $3.75 million to settle a class action lawsuit involving allegations that the company tracked users without their knowledge or consent. The Guardian reported:

"Following a class-action lawsuit in an Illinois federal court, We-Vibe’s parent company Standard Innovation has been ordered to pay a total of C$4m to owners, with those who used the vibrators associated app entitled to the full amount each. Those who simply bought the vibrator can claim up to $199... the app came with a number of security and privacy vulnerabilities... The app that controls the vibrator is barely secured, allowing anyone within bluetooth range to seize control of the device. In addition, data is collected and sent back to Standard Innovation, letting the company know about the temperature of the device and the vibration intensity – which, combined, reveal intimate information about the user’s sexual habits..."

We-Vibe's products are available online at the Canadian company's online store and at Amazon. This YouTube video (warning: not safe for work) promotes the company's devices. Consumers can use the smart vibrator with or without the mobile app on their smartphones. The app is available at both the Apple iTunes and Google Play online stores.

Like any other digital device, security matters. C/Net reported last summer:

"... two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the [We-Vibe 4Plus] device. It could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical. What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found..."

In the September 2016 complaint (Adobe PDF; 601 K bytes), the plaintiffs sought to stop Standard Innovation from "monitoring, collecting, and transmitting consumers’ usage information," collect damages due to the alleged unauthorized data collection and privacy violations, and reimburse users for their purchase of their We-Vibe devices (because a personal vibrator with this alleged data collection is worth less than a personal vibrator without data collection). That complaint alleged:

"Unbeknownst to its customers, however, Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address — to its servers in Canada... By design, the defining feature of the We-Vibe device is the ability to remotely control it through We-Connect. Defendant requires customers to use We-Connect to fully access the We-Vibe’s features and functions. Yet, Defendant fails to notify or warn customers that We-Connect monitors and records, in real time, how they use the device. Nor does Defendant disclose that it transmits the collected private usage information to its servers in Canada... Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or patterns selected by the user, and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts... In addition, Defendant designed We-Connect to surreptitiously route information from the “connect lover” feature to its servers. For instance, when partners use the “connect lover” feature and one takes remote control of the We-Vibe device or sends a [text or video chat] communication, We-Connect causes all of the information to be routed to its servers, and then collects, at a minimum, certain information about the We-Vibe, including its temperature and battery life. That is, despite promising to create “a secure connection between your smartphones,” Defendant causes all communications to be routed through its servers..."

The We-Vibe Nova product page lists ten different vibration modes (e.g., Crest, Pulse, Wave, Echo, Cha-cha-cha, etc.), or users can create their own custom modes. The settlement agreement defined two groups of affected consumers:

"... the proposed Purchaser Class, consisting of: all individuals in the United States who purchased a Bluetooth-enabled We-Vibe Brand Product before September 26, 2016. As provided in the Settlement Agreement, “We-Vibe Brand Product” means the “We-Vibe® Classic; We-Vibe® 4 Plus; We-Vibe® 4 Plus App Only; Rave by We-Vibe™ and Nova by We-Vibe™... the proposed App Class, consisting of: all individuals in the United States who downloaded the We-Connect application and used it to control a We-Vibe Brand Product before September 26, 2016."

According to the settlement agreement, affected users will be notified by e-mail, with notices in the We-Connect mobile app, a settlement website (to be created), a "one-time half of a page summary publication notice in People Magazine and Sports Illustrated," and by online advertisements in several websites such as Google, YouTube, Facebook, Instagram, Twitter, and Pinterest. The settlement site will likely specify additional information including any deadlines and additional notices.

We-Vibe announced in its blog on October 3, 2016 several security improvements:

"... we updated the We-Connect™ app and our app privacy notice. That update includes: a) Enhanced communication regarding our privacy practices and data collection – in both the onboarding process and in the app settings; b) No registration or account creation. Customers do not provide their name, email or phone number or other identifying information to use We-Connect; c) An option for customers to opt-out of sharing anonymous app usage data is available in the We-Connect settings; d) A new plain language Privacy Notice outlines how we collect and use data for the app to function and to improve We-Vibe products."

I briefly reviewed the We-Connect App Privacy Policy (dated September 26, 2016) linked from the Google Play store. When buying digital products online, often the privacy policy for the mobile app is different than the privacy policy for the website. (Informed shoppers read both.) Some key sections from the app privacy policy:

"Collection And Use of Information: You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app."

I don't have access to the prior version of the privacy policy. That last sentence seems clear and should be a huge warning to prospective users about the data collection. More from the policy:

"We collect and use information for the purposes identified below... To access and use certain We-Vibe product features, the We-Connect app must be installed on an iOS or Android enabled device and paired with a We-Vibe product. We do not ask you to provide your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise... The first time you launch the We-Connect app, our servers will provide you with an anonymous token. The We-Connect app will use this anonymous token to facilitate connections and share control of your We-Vibe with your partner using the Connect Lover feature... certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users."

In a way that does not personally identify individuals? What way? Is that the "anonymous token" or something else? More clarity seems necessary.

Consumers should read the app privacy policy and judge for themselves. Me? I am skeptical. Why? The "unique device identifier" can be used exactly for that... to identify a specific phone. The IP address associated with each mobile device can also be used to identify specific persons. Match either number to the user's 10-digit phone number (readily available on phones), and it seems that one can easily re-assemble anonymously collected data afterwards to make it user-specific.

And since partner(s) can remotely control a user's We-Vibe device, their information is collected, too. Persons with multiple partners (and/or multiple We-Vibe devices) should thoroughly consider the implications.

The About Us page in the We-Vibe site contains this company description:

"We-Vibe designs and manufactures world-leading couples and solo vibrators. Our world-class engineers and industrial designers work closely with sexual wellness experts, doctors and consumers to design and develop intimate products that work in sync with the human body. We use state-of-the-art techniques and tools to make sure our products set new industry standards for ergonomic design and high performance while remaining eco‑friendly and body-safe."

Hmmmm. No mentions of privacy nor security. Hopefully, a future About Us page revision will mention privacy and security. Hopefully, no government officials use these or other branded smart sex toys. This is exactly the type of data collection spies will use to embarrass and/or blackmail targets.

The settlement is a reminder that companies are willing, eager, and happy to exploit consumers' failure to read privacy policies. A study last year found that 74 percent of consumers surveyed never read privacy policies.

All of this should be a reminder to consumers that companies highly value the information they collect about their users, and generate additional revenue streams by selling information collected to corporate affiliates, advertisers, marketing partners, and/or data brokers. Consumers' smartphones are central to that data collection.

What are your opinions of the We-Vibe settlement? Of its products and security?


4 Charged, Including Russian Government Agents, In Massive Yahoo Hack

The U.S. Department of Justice (DOJ) announced yesterday that a grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts. The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the Federal Bureau of Investigation (FBI), Acting Assistant Attorney General Mary McCord of the National Security Division, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

The announcement described how the defendants, beginning in January 2014:

"... unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign."

The four defendants are:

  1. Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident,
  2. Igor Anatolyevich Sushchin, 43, a Russian national and resident,
  3. Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident, and
  4. Karim Baratov (a/k/a "Kay," "Karim Taloverov," and "Karim Akehmet Tokbergenov") 22, a Canadian and Kazakh national and a resident of Canada.

Several lawsuits have resulted from the Yahoo breach including a shareholder lawsuit alleging a breach of fiduciary duty by the directors of the tech company, and a class-action regarding stolen credit card payment information.

Attorney General Sessions said about the charges against four defendants:

"Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history... But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks..."

FBI Director Comey said:

"... we continue to pierce the veil of anonymity surrounding cyber crimes... We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests."

Acting Assistant Attorney General McCord said:

"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale... hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want..."


Boston Public Library Offers Workshop About How To Spot Fake News

The Boston Public Library (BPL) offers a wide variety of programs, events and workshops for the public. The Grove Hall branch is offering several sessions of the free workshop titled, "Recognizing Fake News." The workshop description:

"Join us for a workshop to learn how to critically watch the news on television and online in order to detect "fake news." Using the News Literacy Project's interactive Checkology™ curriculum, leading journalists and other experts guide participants through real-life examples from the news industry."

What is fake news? The Public Libraries Association (PLA) offered this definition:

"Fake news is just as it sounds: news that is misleading and not based on fact or, simply put, fake. Unfortunately, the literal definition of fake news is the least complicated aspect of this complex topic. Unlike satire news... fake news has the intention of disseminating false information, not for comedy, but for consumption. And without the knowledge of appropriately identifying fake news, these websites can do an effective job of tricking the untrained eye into believing it’s a credible source. Indeed, its intention is deception.

To be sure, fake news is nothing new... The Internet, particularly social media, has completely manipulated the landscape of how information is born, consumed, and shared. No longer is content creation reserved for official publishing houses or media outlets. For better or for worse, anybody can form a platform on the Internet and gain a following. In truth, we all have the ability to create viral news—real or fake—with a simple tweet or Facebook post."

The News Literacy Project is a nonpartisan national nonprofit organization that works with educators and journalists to teach middle school and high school students how to distinguish fact from fiction.

The upcoming workshop sessions at the BPL Grove Hall branch are tomorrow, March 11 at 3:00 pm, and Wednesday, March 29 at 1:00 pm. Participants will learn about the four main types of content (e.g., news, opinion, entertainment, and advertising), and the decision processes journalists use to decide which news to publish. The workshop presents real examples enabling workshop participants to test their skills at recognizing the four types of content and "fake news."

While much of the workshop content is targeted at students, adults can also benefit. Nobody wants to be duped by fake or misleading news. Nobody wants to mistake advertising or opinion for news. The sessions include opportunities for participants to ask questions. The workshop lasts about an hour and registration is not required.

Many public libraries across the nation offer various workshops about how to spot "fake news," including Athens (Georgia), Austin (Texas), Bellingham (Washington), Chicago (Illinois), Clifton Park (New York), Davenport (Iowa), Elgin (Illinois), Oakland (California), San Jose (California), and Topeka (Kansas). Some colleges and universities offer similar workshops, including American University and Cornell University. Some workshops included panelists or speakers from local news organizations.

The BPL Grove Hall branch is located at 41 Geneva Avenue in the Roxbury section of Boston. The branch's phone is (617) 427-3337.

Have you attended a "fake news" workshop at a local public library in your town or city? If so, share your experience below.


EU Privacy Watchdogs Ask Microsoft For Explanations About Data Collection About Users

A privacy watchdog group in the European Union (EU) is concerned about privacy and data collection practices by Microsoft. The group, comprising 28 agencies and referred to as the Article 29 Working Party, sent a letter to Microsoft asking for explanations about privacy concerns with the software company's Windows 10 operating system software.

The February 2017 letter to Brendon Lynch, Chief Privacy Officer, and to Satya Nadella, Chief Executive Officer, was a follow-up to a prior letter sent in January. The February letter explained:

"Following the launch of Windows 10, a new version of the Windows operating system, a number of concerns have been raised, in the media and in signals from concerned citizens to the data protection authorities, regarding protection of your users’ personal data... the Working Party expressed significant concerns about the default installation settings and an apparent lack of control for a user to prevent collection or further processing of data, as well as concerns about the scope of data that are being collected and further processed... "

While Microsoft has been cooperative so far, the group listed specific privacy concerns:

"... user consent can only be valid if fully informed, freely given and specific. Whilst it is clear that the proposed new express installation screen will present users with five options to limit or switch off certain kinds of data processing it is not clear to what extent both new and existing users will be informed about the specific data that are being collected and processed under each of the functionalities. The proposed new explanation when, for example, a user switches the level of telemetry data from 'full' to 'basic' that Microsoft will collect 'less data' is insufficient without further explanation. Such information currently is also not available in the current version of the privacy policy.

Additionally, the purposes for which Microsoft collects personal data have to be specified, explicit and legitimate, and the data may not be further processed in a way incompatible with those purposes. Microsoft processes data collected through Windows 10 for different purposes, including personalised advertising. Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid..."

Visit this EU link for more information about the Article 29 Working Party, or download the Article 29 Working Party letter to Microsoft (Adobe PDF).


GOP Legislation In Congress To Revoke Consumer Privacy And Protections

The MediaPost Policy Blog reported:

"Republican Senator Jeff Flake, who opposes the Federal Communications Commission's broadband privacy rules, says he's readying a resolution to rescind them, Politico reports. Flake's confirmation to Politico comes days after Rep. Marsha Blackburn (R-Tennessee), the head of the House Communications Subcommittee, said she intends to work with the Senate to revoke the privacy regulations."

Blackburn's name is familiar. She was a key part of the GOP effort in 2014 to keep state laws in place to limit broadband competition by preventing citizens from forming local broadband providers. To get both higher speeds and lower prices compared to offerings by corporate internet service providers (ISPs), many people want to form local broadband providers. They can't because 20 states have laws preventing broadband competition. A worldwide study in 2014 found that consumers in the United States get poor broadband value: they pay more and get slower speeds. Plus, the only consumers getting good value were community broadband customers. In June 2014, the FCC announced plans to challenge these restrictive state laws that limit competition and keep your Internet prices high. That FCC effort failed. To encourage competition and lower prices, several Democratic representatives introduced the Community Broadband Act in 2015. That legislation went nowhere in a GOP-controlled Congress.

Pause for a moment and let that sink in. Blackburn and other GOP representatives have pursued policies where we consumers all pay more for broadband due to the lack of competition. The GOP, a party that supposedly dislikes regulation and prefers free-market competition, is happy to do the opposite to help their corporate donors. The GOP, a party that historically has promoted states' rights, now uses state laws to restrict the freedoms of constituents at the city, town, and local levels. And, that includes rural constituents.

Too many GOP voters seem oblivious to this. Why Democrats failed to capitalize on this broadband issue, especially during the Presidential campaign last year, is puzzling. Everyone needs broadband: work, play, school, travel, entertainment.

Now, back to the effort to revoke the FCC's broadband privacy rules. Several cable, telecommunications, and advertising lobbies sent a letter in January asking Congress to remove the broadband privacy rules. That letter said in part:

"... in adopting new broadband privacy rules late last year, the Federal Communications Commission (“FCC”) took action that jeopardizes the vibrancy and success of the internet and the innovations the internet has and should continue to offer. While the FCC’s Order applies only to Internet Service Providers (“ISPs”), the onerous and unnecessary rules it adopted establish a very harmful precedent for the entire internet ecosystem. We therefore urge Congress to enact a resolution of disapproval pursuant to the Congressional Review Act (“CRA”) vitiating the Order."

The new privacy rules by the FCC require broadband providers (a/k/a ISPs) to obtain affirmative “opt-in” consent from consumers before using and sharing consumers' sensitive information; specify the types of information that are sensitive (e.g., geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications); stop using and sharing information about consumers who have opted out of information sharing; meet transparency requirements to clearly notify customers about the information collection and sharing, and how to change their opt-in or opt-out preferences; prohibit "take-it-or-leave-it" offers where ISPs can refuse to serve customers who don't consent to the information collection and sharing; and comply with "reasonable data security practices and guidelines" to protect the sensitive information collected and shared.

The new FCC privacy rules are common sense stuff, but clearly these companies view common-sense methods as a burden. They want to use consumers' information however they please without limits, and without consideration for consumers' desire to control their own personal information. And, GOP representatives in Congress are happy to oblige these companies in this abuse.

Alarmingly, there is more. Lots more.

The GOP-led Congress also seeks to roll back consumer protections in banking and financial services. According to Consumer Reports, the issue arose earlier this month in:

"... a memo by House Financial Services Committee Chairman Rep. Jeb Hensarling (R-Tex), which was leaked to the press yesterday... The fate of the database was first mentioned [February 9th] when Bloomberg reported on a memo by Hensarling, an outspoken critic of the CFPB. The memo outlined a new version of the Financial CHOICE Act (Creating Hope and Opportunity for Investors, Consumers and Entrepreneurs), a bill originally advanced by the House Financial Services Committee in September. The new bill would lead to the repeal of the Consumer Complaint Database. It would also eliminate the CFPB's authority to punish unfair, deceptive or abusive practices among banks and other lenders, and it would allow the President to handpick—and fire—the bureau's director at will."

Banks have paid billions in fines to resolve a variety of allegations and complaints about wrongdoing. Consumers have often been abused by banks. You may remember the massive $185 million fine for the phony accounts scandal at Wells Fargo. Or, you may remember consumers forced to use prison-release cards. Or, maybe you experienced debt collection scams. And, this blog has covered extensively much of the great work by the CFPB which has helped consumers.

Do these two legislative items bother you? I sincerely hope that they do bother you. Contact your elected officials today and demand that they support the FCC privacy rules.


Travelers Face Privacy Issues When Crossing Borders

If you travel for business, pleasure, or both then today's blog post will probably interest you. Wired Magazine reported:

"In the weeks since President Trump’s executive order ratcheted up the vetting of travelers from majority Muslim countries, or even people with Muslim-sounding names, passengers have experienced what appears from limited data to be a “spike” in cases of their devices being seized by customs officials. American Civil Liberties Union attorney Nathan Wessler says the group has heard scattered reports of customs agents demanding passwords to those devices, and even social media accounts."

Devices include smartphones, laptops, and tablets. Many consumers realize that relinquishing passwords to social networking sites (e.g., Facebook, Instagram, etc.) discloses sensitive information not just about themselves, but also about all of their friends, family, classmates, neighbors, and coworkers -- anyone they are connected with online. The "Bring Your Own Device" policies of many companies and employers mean that employees (and contractors) can use their personal devices in the workplace and/or connected remotely to company networks. Those connected devices can easily divulge company trade secrets and other sensitive information when seized by Customs and Border Patrol (CBP) agents for analysis and data collection.

Plus, professionals such as attorneys and consultants are required to protect their clients' sensitive information. These professionals, who also must travel, require data security and privacy for business.

Wired also reported:

"In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.

Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents."

For travelers wanting privacy, what are the options? Remain at home? This may not be an option for workers who must travel for business. Leave your devices at home? Again, impractical for many. The Wired article provided several suggestions, including:

"If customs officials do take your devices, don’t make their intrusion easy. Encrypt your hard drive with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too..."

What are the consequences when travelers refuse to disclose passwords and encrypt devices? Ars Technica also explored the issues:

"... Ars spoke with several legal experts, and contacted CBP itself (which did not provide anything beyond previously-published policies). The short answer is: your device probably will be seized (or "detained" in CBP parlance), and you might be kept in physical detention—although no one seems to be sure exactly for how long.

An unnamed CBP spokesman told The New York Times on Tuesday that such electronic searches are extremely rare: he said that 4,444 cellphones and 320 other electronic devices were inspected in 2015, or 0.0012 percent of the 383 million arrivals (presuming that all those people had one device)... The most recent public document to date on this topic appears to be an August 2009 Department of Homeland Security paper entitled "Privacy Impact Assessment for the Border Searches of Electronic Devices." That document states that "For CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist." The policy also states that CBP or Immigration and Customs Enforcement "may demand technical assistance, including translation or decryption," citing a federal law, 19 US Code Section 507."

The Electronic Frontier Foundation (EFF) collects stories from travelers who've been detained and had their devices seized. Clearly, we will hear a lot more in the future about these privacy issues. What are your opinions of this?


Town Hall With Congressman Stephen Lynch About Security And Rights

Congressman Stephen F. Lynch (Democrat, 8th District of Massachusetts) held a town hall meeting on Friday February 3, 2017 titled, “Keeping America Safe While Preserving Our Constitutional Rights.” The 7:00 pm event at the Milton High School auditorium was heavily attended (see photos below) with an estimated attendance of about 500 to 700 persons. The website and e-mail invitation from Congressman Lynch’s office described the meeting agenda:

"The Town Hall will be an opportunity for constituents to come together to discuss the legal implications of President Trump’s executive actions, to discuss what can be done to resist any infringements of Constitutional rights and discuss existing and ongoing efforts to ensure safety in our homeland, and to provide resources for those who may need assistance."

Representative Lynch serves on the Oversight and Government Reform Committee and the Financial Services Committee. He is the lead Democrat on the National Security Subcommittee, responsible for overseeing the Departments of State, Defense and Homeland Security, and the United States Agency for International Development. He was sworn in to the United States Congress in October 2001, after the sudden passing of Congressman John Joseph Moakley.

Representative Lynch opened the meeting with remarks about his experience in Congress, the heavier than usual volume of emails, phone calls, and visits to his office since the flurry of Executive Orders by President Trump, his 17 trips to the Middle East including Iraq and Turkey, his visits to refugee camps, and his familiarity with the vetting process for immigrants wanting to relocate to the United States.

Representative Lynch said regarding refugees and immigrants that the "facts on the ground" are often very different than what is reported in the news media or by the current White House. He explained that many Syrians spend several years in refugee camps, since many want to return to their homes and not immigrate to other countries. And, the United States is probably number 10 in a list of desired locations of refugees wanting to relocate to another country.

He also gave an overview of the vetting process, which includes interviews, biometrics, retina scans, and follow-up sessions with about 18 steps lasting 14 to 18 months. Several U.S. Federal government agencies are involved in the vetting process. Congressman Lynch described President Trump's Executive Order banning immigrants from seven Middle East countries as "wrong and unnecessary," and said it was conducted carelessly.

Congressman Lynch held an hour-long telephone town hall on January 24, 2017. He has co-sponsored H.R.852 in the 115th Congress (2017-2018) to:

"... amend the Immigration and Nationality Act to provide that an alien may not be denied admission or entry to the United States, or other immigration benefits, because of the alien's religion, and for other purposes."

H.R. 852 was sponsored by Representative Donald S. Beyer, Jr. (Democrat, Virginia) and introduced on February 3, 2017. It is in committee. View the list of bills sponsored or co-sponsored by Congressman Lynch.

The February 3 town hall session started at 7:00 pm. Carl Williams, a staff attorney with the American Civil Liberties Union (ACLU), also spoke and briefly discussed recent decisions by several federal court judges about President Trump's immigration ban, which applies to seven majority Muslim countries: Iraq, Syria, Iran, Libya, Somalia, Sudan, and Yemen. Late on Friday February 3, a federal court judge in Seattle decided to halt the immigration ban. This was the third major decision after one in New York and a second in Boston.

The question-and-answer session started at about 7:55 pm and at least 20 constituents immediately lined up in the auditorium to ask questions. At the check-in table, Congressman Lynch's staff provided index cards for constituents to write and submit questions. During the session, constituents asked a variety of questions at the microphones, including (partial list):

  • How can we help refugees?
  • What will Congressman Lynch do to keep us safe?
  • How do we get our voices heard in other states?
  • Will Congressman Lynch fight for a single payer healthcare plan as Republicans propose an alternative to the Affordable Care Act (a/k/a "Obamacare")?
  • How do we get Steve Bannon off the National Security Council?

Representative Lynch reminded constituents that due to the "Separation of Powers" built into our government, the legislative branch has no power to affect how the White House chooses to organize itself. He also reminded attendees of the 55-seat advantage the Republican party has in the House.

Besides several Executive Orders by President Trump, the House of Representatives has taken several actions and votes. I have found the E-Update Newsletter by Congressman Michael Capuano (Democrat, 7th District of Massachusetts) very informative with summaries about recent House activities in easy-to-understand language; plus a running list of activities. Representative Capuano's summaries also include the vote total by party. For example:

Excerpt from February 3, 2017 E-Update Newsletter by Representative Michael Capuano.

Friday's town hall's agenda was scheduled to end at 9:00 pm. I left at that time, and hadn't heard any mention of security issues about the proposed wall between the United States and Mexico. The town hall was also Live on Facebook, but I found the audio quality poor at times. Always better to attend in person and ask questions directly of a Congressperson.

I did not see any reporters from local news media at the town hall session. If you attended the town hall session, what were your questions or comments? Below is a tweet by Representative Lynch about the town hall.


Boston Women's March And Local Law Enforcement

On Saturday, January 21, 2017 the Boston Police Department (BPD) posted on its Facebook page at 5:45 pm the following about the Women's March:

"To the tens of thousands who participated in today’s Women’s March on Boston Common earlier today, Saturday, January 21, 2017, the men and women of the Boston Police Department would like to thank you for the high levels of respectful and responsible behavior on display throughout the day. Said Commissioner Evans: 'Really impressed with the amount of respect and courtesy shown to my officers by everybody attending today's Women’s March and I’d just like to personally thank everybody who demonstrated in a peaceful, polite and respectful manner.'"

The Boston Globe newspaper reported about the event:

"... the enormous crowd began streaming from Boston Common onto Charles Street, heading to Clarendon Street, where they turned around. So many people marched that it took more than an hour and a half to file out of the Common. City officials estimated that 175,000 attended the demonstration... The Boston event was one of more than 600 marches being held nationwide and globally, on the day after Trump took office... Speakers at the Boston kickoff included Warren, Mayor Martin J. Walsh of Boston, US Senator Edward J. Markey, and Attorney General Maura Healey... By about 1 p.m., marchers began to hit the streets, though the crowd was so big that many had to wait before they could get out of the Common. The gathering was almost evenly split between men and women, and a diverse range of agendas was represented: climate change, antiracism, and Trump’s ties to Russia. On Twitter, Boston police thanked protesters for remaining peaceful."

There were more demonstrations in Massachusetts in Falmouth, Greenfield, Nantucket, Provincetown, Northampton, and Pittsfield. Social networking posts about the Boston event by the BPD on Twitter:

Tweet about Women's March by Boston Police Department.

Tweets about Women's March by Boston Police Department.

Respectful behavior all around: marchers and law enforcement. Congratulations and thanks to everyone involved, plus very respectful messages on social networking sites by the BPD. Hopefully, in the future more citizens and police departments around the country will follow Boston's lead. That is truly #BostonStrong.

Yes, I live and work in Boston. What happened in your city? How did your city's law enforcement respond? Share below.


FINRA Fined 12 Brokerage Firms $14.4 Million For Inadequate Data Security

Just before the long holiday break, the Financial Industry Regulatory Authority (FINRA) announced that it fined 12 banks and brokerage firms a total of $14.4 million for failing to adequately protect information in electronic broker-dealer and customer records. The FINRA announcement explained:

"... at various times, and in most cases for prolonged periods, the firms failed to maintain electronic records in “write once, read many,” or WORM, format, which prevents the alteration or destruction of records stored electronically... Federal securities laws and FINRA rules require that business-related electronic records be kept in WORM format to prevent alteration. The SEC has stated that these requirements are an essential part of the investor protection function... FINRA found that each of these 12 firms had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records pivotal to the firms’ brokerage businesses, spanning multiple systems and categories of records... each of the firms had related procedural and supervisory deficiencies affecting their ability to adequately retain and preserve broker-dealer records stored electronically. In addition, FINRA found that three of the firms failed to retain certain broker-dealer records the firms were required to keep under applicable record retention rules. In settling this matter, the firms neither admitted nor denied the charges, but consented to the entry of FINRA's findings."

The firms fined and the amounts for each:

"Wells Fargo Securities, LLC and Wells Fargo Prime Services, LLC were jointly fined $4 million. RBC Capital Markets LLC and RBC Capital Markets Arbitrage S.A. were jointly fined $3.5 million. RBS Securities, Inc. was fined $2 million. Wells Fargo Advisors, LLC, Wells Fargo Advisors Financial Network, LLC and First Clearing, LLC were jointly fined $1.5 million. SunTrust Robinson Humphrey, Inc. was fined $1.5 million. LPL Financial LLC was fined $750,000. Georgeson Securities Corporation was fined $650,000. PNC Capital Markets LLC was fined $500,000."

In September, Wells Fargo bank paid $185 million in fines to settle charges of alleged unlawful sales practices during the past five years. LPL Financial had several data breaches during 2007 to 2009.

For readers seeking more information, the FINRA announcement includes links to the settlement agreements.


The Boston Keep ACA Rally on January 15 And Senator Warren's Remarks

On Sunday January 15, 2017 I attended the healthcare rally in Boston at iconic Faneuil Hall. It was one of a dozen rallies around the United States. Several people spoke, including Boston Mayor Marty Walsh, U.S. Senator Elizabeth Warren, activist Sarah Grow, Carla Leviano, and U.S. Senator Edward Markey. The attendance was great and far exceeded the capacity for the auditorium inside Faneuil Hall, where it was originally planned.

The event continued outside with what I estimated to be at least five thousand people standing in the cold, at 27 degrees Fahrenheit. This blog post contains several photographs I took. The photo on the right shows the crowd gathering more than an hour before the official 1:00 pm start of the rally.

Carla Lievano, a single mother whose family is on MassHealth, is worried about losing her health benefits if the Affordable Care Act is repealed. She said:

"I could lose my health benefits... I’m very low income. I don’t know how I would take care of [my daughter]..."

Grow shared the story of her mother's battle against cancer, and how the Affordable Care Act (ACA, a/k/a Obamacare) saved her mother's life. Her mother was able to find a replacement plan under the ACA. Below is the transcript of Senator Elizabeth Warren's remarks (courtesy of the Boston Globe):

"For eight years, Republicans in Congress have complained about health care in America, heaping most of the blame on President Obama. Meanwhile, they’ve hung out on the sidelines making doomsday predictions and cheering every stumble, but refusing to lift a finger to actually improve our health care system.

The GOP is about to control the White House, Senate, and House. So what’s the first thing on their agenda? Are they working to bring down premiums and deductibles? Are they making fixes to expand the network of doctors and the number of plans people can choose from? Nope. The number one priority for congressional Republicans is repealing the Affordable Care Act and breaking up our health care system while offering zero solutions.

Their strategy? Repeal and run.

Many Massachusetts families are watching this play out, worried about what will happen — including thousands from across the Commonwealth that I joined at Faneuil Hall on Sunday to rally in support of the ACA. Hospitals and insurers are watching too, concerned that repealing the ACA will create chaos in the health insurance market and send costs spiraling out of control.

Health care reform in Massachusetts wasn’t partisan. Democrats, Republicans, business leaders, hospitals, insurers, doctors, and consumers all came together behind a commitment that every single person in our Commonwealth deserves access to affordable, high-quality care. When Republican Governor Mitt Romney signed Massachusetts health reform into law in 2006, our state took huge strides toward offering universal health care coverage and financial security to millions of Bay State residents.

That law was a major step forward. Today, more than 97 percent of Bay Staters are covered — the highest rate of any state in the country.

But Massachusetts still has a lot to lose if the ACA is repealed. One big reason for our state’s health care success is that we took advantage of the new opportunities offered under the ACA. In addition to making care more accessible and efficient, our state expanded Medicaid, using federal funds to help even more people. And we combined federal and state dollars to help reduce the cost of insurance on the Health Connector.

When the ACA passed, Massachusetts already had in place some of the best consumer protections in the nation. But the ACA still made a big difference. It strengthened protections for people in Massachusetts with pre-existing conditions, allowed for free preventive care visits, and — for the first time in our state — banned setting lifetime caps on benefits.

If the ACA is repealed, our health care system would hang in the balance. Half a million people in the Commonwealth would risk losing their coverage. People who now have an iron-clad guarantee that they can’t be turned away due to their pre-existing conditions or discriminated against because of their gender could lose that security. Preventive health care, community health centers, and rural hospitals could lose crucial support. In short, the Massachusetts health care law is a big achievement and a national model, but it also depends on the ACA and a strong partnership with the federal government.

If the cost-sharing subsidies provided by the ACA are slashed to zero, Massachusetts will have a tough time keeping down the cost of plans on the Health Connector. The state can’t make funds appear out of thin air to help families on the Medicaid expansion if Republicans yank away support. And our ability to address the opioid crisis will be severely hampered if people lose access to health insurance or if the federal funding provided through the Medicaid waiver disappears. Even in states with strong health care systems — states like Massachusetts — the ACA is critical.

The current system isn’t perfect — not by a long shot. There are important steps Congress could take to lower deductibles and premiums, to expand the network of doctors people can see on their plans, and to increase the stability and predictability of the market. We should be working together to make health care better all across the country, just like we’ve tried to do here in Massachusetts.

This doesn’t need to be a partisan fight. But if congressional Republicans continue to pursue repeal of the ACA with nothing more than vague assurances that they might — someday — think up a replacement plan, the millions of Americans who believe in guaranteeing people’s access to affordable health care will fight back every step of the way.

Repeal and run is for cowards."

Want to read more? Try these hashtags on social networking sites: #repealandrun #ourfirststand #savehealthcare #CareNotChaos. Below are more photos from Sunday's event in Boston.

Protester sign. Boston healthcare rally. 1/15/17

Protester sign at Boston healthcare rally. 1/15/17

Mayor Marty Walsh speaking at healthcare rally. 1/15/17

View from crowd at Boston healthcare rally. 1/15/17


The State of Massachusetts Data Breach Archive Is Available Online

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced the public availability online of its data breach notification archive. To comply with Massachusetts state laws enacted in 2007, companies and entities must notify both the OCABR and the Attorney General's Office anytime personal information is accidentally or intentionally compromised.

Consumer Affairs Undersecretary John Chapman stated:

“The Data Breach Notification Archive is a public record that the public and media have every right to view... Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”

The OCABR breach archive includes a tabular listing of data breaches in Adobe PDF format. Each listing includes the following data elements: date the breach was reported, organization name, breach type, number of residents affected, types of sensitive personal data (e.g., Social Security Number, account number, driver's license identifier, credit card number) exposed or stolen, whether the organization offered free credit monitoring to affected residents, if the data was encrypted, and if the breach included mobile devices. The archive does not include the full text of the breach notification letters received. The breach archive also includes summary information:

Breaches and Residents Affected By Year

| Year | # Notifications | # Affected Residents |
|---|---|---|
| 2007 (Nov to Dec) | 30 | 8,499 |
| 2008 | 413 | 700,918 |
| 2009 | 437 | 357,869 |
| 2010 | 473 | 1,015,693 |
| 2011 | 614 | 1,163,917 |
| 2012 | 1,139 | 326,411 |
| 2013 | 1,829 | 1,163,643 |
| 2014 | 1,603 | 354,130 |
| 2015 | 1,834 | 1,338,048 |
| 2016 | 1,866 | 188,809 |
| Total | 10,238 | 5,454,294 |

According to the Census Bureau, Massachusetts' population was just under 6.8 million in 2015. So, the total number of affected residents equals about 80 percent of the state's population.

Nebraska, Nevada, Rhode Island, and Tennessee recently strengthened their breach laws with expanded definitions, encryption, requirements to notify the state's attorney general, and requirements to notify affected persons within forty-five (45) days. While most states -- 46 -- have some type of breach law, some (California, Indiana, Iowa, Maryland, Montana, New Hampshire, Oregon, Vermont, Washington, Wisconsin) post online the breach notices they have received.

Some states' sites provide their breach archives using static Adobe PDF file formats. The better-designed sites make it easy for residents to search and view information about specific breach incidents. These sites feature interactive search mechanisms that allow users to enter the name of a company or state agency, date range filters, and file download options compatible with spreadsheet software. Some states -- California, South Carolina, and Washington -- produce detailed breach reports explaining the breaches by industry, type, and cause.

Without the full text, interactive search, and filter mechanisms, the OCABR breach archive is a marginally helpful resource. Consumers can still use it to verify the breach notices they have received via postal mail, since identity thieves often send fake breach notices trying to trick consumers into revealing their sensitive personal information. Using the OCABR breach archive is slow and awkward, since users must download each PDF file and perform a text search for an organization with each file. Plus, the archive lacks both street address and company business unit information, making it impossible for users to distinguish between entries with the same organization name.

Basically, something is better than nothing.

What are your opinions of the breach archive by Massachusetts? If I missed any states that provide breach notices online, please share below.


Researchers Conclude Voting Systems In the USA Are Vulnerable To Hacking And Errors

McClatchyDC reported:

"Pennsylvania is one of 11 states where the majority of voters use antiquated machines that store votes electronically, without printed ballots or other paper-based backups that could be used to double-check the balloting. There's almost no way to know if they've accurately recorded individual votes — or if anyone tampered with the count... These paperless digital voting machines, used by roughly 1 in 5 U.S. voters last month, present one of the most glaring dangers to the security of the rickety, underfunded U.S. election system."

I strongly suggest that all voters read the entire McClatchyDC article. It is an eye-opener. Let's unpack the above paragraph. There's plenty to consider.

First, a significant number of voting districts across the nation use only paperless digital voting machines. A prior blog post confirmed this usage:

"... half of registered voters (47%) live in jurisdictions that use only optical-scan as their standard voting system, and about 28% live in DRE-only jurisdictions... Another 19% of registered voters live in jurisdictions where both optical-scan and DRE systems are in use... Around 5% of registered voters live in places that conduct elections entirely by mail – the states of Colorado, Oregon and Washington, more than half of the counties in North Dakota, 10 counties in Utah and two in California. And in more than 1,800 small counties, cities and towns – mostly in New England, the Midwest and the inter-mountain West – more than a million voters still use paper ballots that are counted by hand."

That prior blog post also included a map with voting technologies by district. Second, the paperless digital voting machines make recounts difficult to impossible. Why? They lack printed ballots or paper backups to re-scan and verify against the machines' recorded totals. Optical-scan voting machines are better since they use paper ballots. Those paper ballots can be re-scanned during a recount to verify the machines' totals. Reportedly, advanced countries including Germany, Britain, Japan and Singapore all require scannable paper ballots.

Third, all of this means paperless digital voting machines are a hacker's delight. Or a corrupt politician's delight. If one is going to hack voting systems with a low to zero chance of getting caught, then smart hackers would target machines without paper backups where tampering would be impossible to detect during recounts.

Fourth, the vulnerabilities aren't just theory, or what-ifs. The McClatchyDC article also reported:

"But a cadre of computer scientists from major universities backed Stein's recounts to underscore the vulnerability of U.S. elections. These researchers have been successfully hacking e-voting machines for more than a decade in tests commissioned by New York, California, Ohio and other states."

You can easily find reports online about the vulnerable machines, such as the Sequoia AVC Advantage used in Louisiana, New Jersey, Virginia, and Pennsylvania. Another example: last year, the State of Virginia decertified the AVS WINVote made by Advanced Voting Solutions, which had also been used previously in Pennsylvania and Mississippi. The security review by the Virginia Information Technologies Agency (Adobe PDF) is available online.

The Brennan Center for Justice (BCJ) produced a report in 2015: "America's Voting Machines At Risk" (Adobe PDF). The BCJ interviewed more than 30 state and 80 local election officials, plus dozens of election technology, administration and security experts. They also gathered input from "computer scientists, policy analysts, usability experts, election security experts, voting equipment vendors, and various innovators in the field of election technology." The BCJ's report summarized the problem:

"... an impending crisis... from the widespread wearing out of voting machines purchased a decade ago... Jurisdictions do not have the money to purchase new machines, and legal and market constraints prevent the development of machines they would want even if they had funds..."

The BCJ found:

"Unlike voting machines used in past eras, today’s systems were not designed to last for decades. In part this is due to the pace of technological change... although today’s machines debuted at the beginning of this century, many were designed and engineered in the 1990s... experts agree that for those purchased since 2000, the expected lifespan for the core components of electronic voting machines is between 10 and 20 years, and for most systems it is probably closer to 10 than 20... 43 states are using some machines that will be at least 10 years old in 2016. In most of these states, the majority of election districts are using machines that are at least 10 years old. In 14 states, machines will be 15 or more years old.

Nearly every state is using some machines that are no longer manufactured and many election officials struggle to find replacement parts. The longer we delay purchasing new equipment, the more problems we risk. The biggest risk is increased failures and crashes, which can lead to long lines and lost votes.

Older machines can also have serious security and reliability flaws that are unacceptable today. For example, Virginia recently decertified a voting system used in 24 percent of precincts after finding that an external party could access the machine’s wireless features to “record voting data or inject malicious data... Several election officials mentioned “flipped votes” on touch screen machines, where a voter touches the name of one candidate, but the machine registers it as a selection for another... Election jurisdictions in at least 31 states want to purchase new voting machines in the next five years. Officials from 22 of these states said they did not know where they would get the money to pay for them."

The USA can do better. It must do better. State and local elections officials must find the money. Elected politicians must help them find the money. Our democracy is at stake.

There is a glimmer of good news. Researchers at Rice University have developed a digital voting machine prototype that prints a paper trail. The paper trail provides verification of voters' selections, which would facilitate recounts, and the prototype should replace the paperless DRE equipment. It is one of three publicly funded projects across the country. Bidding is open for manufacturers to produce the equipment.

While Stein's recount efforts ultimately failed, the vulnerabilities still exist. As McClatchyDC reported:

"The U.S. voting system — a loosely regulated, locally managed patchwork of more than 3,000 jurisdictions overseen by the states — employs more than two dozen types of machinery from 15 manufacturers."

So, something needs to be done soon to increase the security of DRE or paperless digital voting machines. It's time for voters to demand better voting security and accountability from state and local elections officials (and their politicians) who selected paperless voting equipment for their districts. It seems foolish to tighten voter ID and registration procedures while both under-funding and ignoring the vulnerabilities with paperless digital voting machines.

What are your opinions?


Trump's Treasury Pick Excelled at Kicking Elderly People Out of Their Homes

[Editor's note: today's guest post is by reporters at ProPublica. This news story was originally published on December 27, 2016. It is reprinted with permission.]

by Paul Kiel and Jesse Eisinger, ProPublica

In 2015, OneWest Bank moved to foreclose on John Yang, an 80-year-old Korean immigrant living in Orange Park, Florida, a small suburb of Jacksonville. The bank believed he wasn't living in his home, violating the terms of its loan. It dispatched an agent to give him legal notification of the foreclosure.

Where did the bank find him? At the same single-story home the bank had said in court papers he did not occupy.

Still OneWest pressed on, forcing Yang, a former Christian missionary, to seek help from legal aid attorneys. This year, during a deposition, an employee of OneWest's servicing division was asked the obvious question: Why would the bank pursue a foreclosure that seemed so clearly unjustified by the facts?

The employee's response was blunt: "You're trying to make logic out of an illogical situation."

Yang was lucky. The bank eventually dropped its efforts against him. But others were not so fortunate. In recent years, OneWest has foreclosed on at least 50,000 people, often in circumstances that consumer advocates say run counter to federal rules and, as in Yang's case, common sense.

President-elect Donald Trump's nomination of Steven Mnuchin as Treasury Secretary has prompted new scrutiny of OneWest's foreclosure practices. Mnuchin was the lead investor and chairman of the company during the years it ramped up its foreclosure efforts. Representatives from the company and the Trump transition team did not respond to requests for comment.

Records show the attempt to push Mr. Yang out of his home was not an unusual one for OneWest's Financial Freedom unit, which focused on controversial home loans known as reverse mortgages. Regulators and consumer advocates have long worried that these loans, popular during the height of the housing bubble, exploit elderly homeowners.

The loans allow people to benefit from the equity they have built up over many years without selling their houses. The money is paid in a variety of ways, from lump sums to a stream of monthly checks. Borrowers are allowed to stay in their homes for as long as they live.

The loans are guaranteed by the U.S. Department of Housing and Urban Development, meaning the agency pays lenders like Freedom Financial the difference between the ultimate sale price of the home and the size of the reverse mortgage.

But the fees are often high and the interest charges mount up quickly because the homeowner isn't paying down any of the principal on the loan. Homeowners remain on the hook for property taxes and insurance and can lose their homes if they miss those payments.

A 2012 report to Congress by the Consumer Financial Protection Bureau said that "vigorous enforcement is necessary to ensure that older homeowners are not defrauded of a lifetime of home equity."

ProPublica found numerous examples where Financial Freedom had foreclosed for legally questionable reasons. The company served several other homeowners at their homes to let them know they were being sued for not occupying their homes. In Florida, a shortfall of only $0.27 led to a foreclosure attempt. In Atlanta, the company sought to foreclose on a widow after her husband's death, but backed down when a legal aid attorney sued, citing federal law that allowed the surviving spouse to remain in the home.

"It appears their business approach is scorched earth, in a way that doesn't serve communities, homeowners or the taxpayer," said Alys Cohen, a staff attorney for the National Consumer Law Center in Washington D.C.

Since the financial crisis, OneWest, through Financial Freedom, has conducted a disproportionate number of the nation's reverse mortgage foreclosures. It was responsible for 16,200 foreclosures on government-backed reverse mortgages, or 39 percent of all foreclosures nationwide, from 2009 through late 2014, even though it only serviced about 17 percent of the loans, according to government data analyzed by the California Reinvestment Coalition, an advocacy group for low-income consumers. While some foreclosures were justified, legal aid attorneys say Financial Freedom has refused to work with borrowers in foreclosure to establish payment plans, in contrast with other servicers of reverse mortgages.

Experts say the companies are not entirely to blame for the wave of foreclosures. HUD oversees standards on most reverse mortgages. In the years after the housing crash, HUD's rules evolved, creating a miasma of confusion for mortgage servicers. Companies say the new federal rules required them to foreclose when borrowers fell far behind on property and insurance costs, rather than work out payment plans.

OneWest's rough treatment of homeowners extended to its behavior toward borrowers with standard mortgages in the aftermath of the housing crash. In 2009, the Obama administration launched a program to encourage mortgage servicers to work out affordable mortgage modifications with borrowers. OneWest, weighed down by several hundred thousand souring mortgages, signed up.

It didn't go well. About three-quarters of homeowners who sought a modification from OneWest through the program were denied, according to the latest figures from the Treasury Department. OneWest was among the worst performing large servicers in the program by that measure. In 2011, activists protested OneWest's indifference at Mnuchin's Bel Air mansion in Los Angeles.

"We're in a difficult economic environment and very sympathetic to the problems many homeowners face, but under the government's program there's not a solution in every case," Mnuchin told the Wall Street Journal in that year.

Despite the controversy, Mnuchin and the other investors in OneWest made a killing on their purchase. In 2009, Mnuchin's investment group bought the failed mortgage bank IndyMac, which had been taken over by the Federal Deposit Insurance Corporation after the financial crisis, changing the name to OneWest. They paid about $1.5 billion, with the FDIC sharing the ongoing mortgage losses. George Soros, a Clinton backer at whose hedge fund Mnuchin had worked, and John Paulson, a hedge fund manager who also supported Trump, invested alongside Mnuchin in IndyMac.

In 2015, CIT, a lender to small and medium-sized businesses, bought OneWest for $3.4 billion, more than doubling the Mnuchin group's initial investment. Mnuchin personally made about $380 million on the sale, according to Bloomberg estimates. He retains around a 1 percent stake in CIT, worth around $100 million, which he may have to divest if confirmed.

CIT has found the reverse mortgage business to be a headache. Recently, CIT took a $230 million pretax charge after it discovered that OneWest had mistakenly charged the government for payments that the company should have shouldered itself. An investigation of Financial Freedom's practices by HUD's inspector general is ongoing.

Yang's lawyers at Jacksonville Area Legal Aid fought his foreclosure for a year. Though Yang had run a dry cleaning business in Florida and roamed the world as a missionary, working in North Korea, China, and Afghanistan, the bank's torrent of paperwork had overwhelmed him. Yang didn't speak English well. OneWest claimed it had sent him forms to verify he was living at his home, but that he never sent them back.

Under HUD rules, OneWest was required to verify that each borrower continued to use the property as a principal residence. It is a condition of all the HUD-backed loans in order to help ensure the government subsidy goes to those who need it.

But Yang can be forgiven for thinking that OneWest could not have doubted that he was still in his home. During the same period that OneWest was moving to foreclose on Yang for not living in his home, another arm of the bank regularly spoke and corresponded with him at his home about a delinquent insurance payment, according to court documents.

A Financial Freedom employee testified in the case that the department that handled delinquent insurance payments and the department that handled occupancy did not communicate with each other in those circumstances.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Driver's Licenses For 9 States Won't Be Valid ID For Domestic Flights In 2018

Residents in nine states wanting to travel domestically via commercial airlines may need to obtain alternative identification documents. Why? While new identification requirements will become effective in 2018, starting in 2017 federal agencies may no longer accept driver's licenses from these nine states.

A December 12 announcement by the Department of Homeland Security (DHS) explained:

"The Transportation Security Administration (TSA) will begin posting signs at airports this week notifying travelers that beginning January 2018 it will start enforcing REAL ID requirements at airport security checkpoints, meaning that travelers seeking to use their state-issued driver’s license or identification card for boarding commercial aircraft may only use such documents if they are issued by a REAL ID compliant state or a non-compliant state with an extension."

The U.S. Congress passed the REAL ID Act in 2005 to establish minimum security standards for state-issued driver’s licenses and identification cards. The Act prohibits federal agencies, including the TSA, from accepting licenses and identification cards for certain official purposes (e.g., boarding federally regulated commercial aircraft) from states that do not meet these minimum standards and have not received an extension for compliance from DHS.

If the nine states change their procedures, then the government may grant each state an extension or approval, as warranted. The nine states which did not receive extensions for 2016 or 2017 are Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina, and Washington. So, starting January 30, 2017 federal agencies and nuclear power plants may not accept driver's licenses and state IDs from these nine states for identification. Federal officials may continue to accept Enhanced Driver’s Licenses from Minnesota and Washington.

See the DHS site for the compliance status for all states and territories. See the TSA.gov site for a complete list of identification documents accepted at TSA checkpoints. Below are the notices you may see while traveling through airports.

Generic TSA notice about changing ID requirements

TSA notice for noncompliant states about changing ID requirements


Ashley Madison Operators Agree to Settlement With FTC And States

The operators of the AshleyMadison.com dating site have agreed to a settlement with the U.S. Federal Trade Commission (FTC) for security lapses in a massive 2015 data breach. 37 million subscribers were affected, and the site's poor handling of its password-reset mechanism made accounts discoverable even though the site had promised otherwise. The site was known for helping married persons find extra-marital affairs.

The FTC complaint against Avid Life Media Inc. sought relief and refunds for subscribers. The complaint alleged that the dating site:

"... Defendants collect, maintain, and transmit a host of personal information including: full name; username; gender; address, including zip codes; relationship status; date of birth; ethnicity; height; weight; email address; sexual preferences and desired encounters; desired activities; photographs; payment card numbers; hashed passwords; answers to security questions; and travel locations and dates. Defendants also collect and maintain consumers’ communications with each other, such as messages and chats... Until August 2014, Defendants engaged in a practice of using “engager profiles” — that is, fake profiles created by Defendants’ staff who communicate with consumers in the same way that consumers would communicate with each other — as a way to engage or attract additional consumers to AshleyMadison.com. In 2014, there were 28,417 engager profiles on the website. All but 3 of the engager profiles were female. Defendants created these profiles using profile information, including photographs, from existing members who had not had any account activity within the preceding one or more years... Because these engager profiles contained the same type of information as someone who was actually using the website, there was no way for a consumer to determine whether an engager profile was fake or real. To consumers using AshleyMadison.com, the communications generated by engager profiles were indistinguishable from communications generated by actual members... When consumers signed up for AshleyMadison.com, Defendants explained that their system is “100% secure” because consumers can delete their “digital trail”."

More importantly, the complaint alleged that the operators of the site failed to protect subscribers' information in several key ways:

"a. failed to have a written organizational information security policy;
b. failed to implement reasonable access controls. For example, they: i) failed to regularly monitor unsuccessful login attempts; ii) failed to secure remote access; iii) failed to revoke passwords for ex-employees of their service providers; iv) failed to restrict access to systems based on employees’ job functions; v) failed to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on Defendants’ network; and vi) allowed their employees to reuse passwords to access multiple servers and services;
c. failed to adequately train Defendants’ personnel to perform their data security-related duties and responsibilities;
d. failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information. For example, Defendants failed to contractually require service providers to implement reasonable security; and
e. failed to use readily available security measures to monitor their system and assets at discrete intervals to identify data security events and verify the effectiveness of protective measures."

The above items read like a laundry list of everything not to do regarding information security. Several states also sued the site's operators. Toronto, Ontario-based Ruby Corporation (formerly called Avid Life Media), ADL Media Inc. (based in Delaware), and Ruby Life Inc. (d/b/a Ashley Madison) were named as defendants in the lawsuit. According to its website, Ruby Life operates several adult dating sites: Ashley Madison, Cougar Life, and Established Men.

The Ashley Madison site generated about $47 million in revenues in the United States during 2015. The site has members in 46 countries, and almost 19 million subscribers in the United States created profiles since 2002. About 16 million of those profiles were male.

Terms of the settlement agreement require the operators to pay $1.6 million to settle FTC and state actions, and to implement a comprehensive data-security program with third-party assessments. About $828,500 is payable directly to the FTC within seven days, with an equal amount divided among participating states. If the defendants fail to make that payment to the FTC, then the full judgment of $8.75 million becomes due.

The defendants must submit to the FTC a compliance report one year after the settlement agreement. The third-party assessment program starts within 180 days of the settlement agreement and continues for 20 years with reports every two years. The terms prohibit the site's operators and defendants from misrepresenting to persons in the United States how their online site and mobile app operate. Clearly, the use of fake profiles is prohibited.

The JD Supra site discussed the fake profiles:

"AshleyMadison/Ruby’s use of chat-bot-based fake or “engager profiles” that lured users into upgrading/paying for full memberships was also addressed in the complaint. According to a report in Fortune Magazine, men who signed up for a free AshleyMadison account would be immediately contacted by a bot posing as an interested woman, but would have to buy credits from AshleyMadison to reply.

Gizmodo, among many other sites, has examined the allegations of fake female bots or “engager profiles” used to entice male users who were using Ashley Madison’s free services to convert to paid services: “Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” "

13 states worked on this case with the FTC: Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia. The State of Tennessee's share was about $57,000. Vermont Attorney General William H. Sorrell said:

“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website... I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it’s great to see that continuing.”

The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner reached their own separate settlements with the company. Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada said:

“In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”

Australian Privacy Commissioner Timothy Pilgrim stated:

"My office was pleased to work with the FTC and the Office of the Canadian Privacy Commissioner on this investigation through the APEC cross-border enforcement framework... Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

Kudos to the FTC for holding a company's feet (and its officers' and executives' feet) to the fire to protect consumers' information.


How To Spot Fake News And Not Get Duped

You may have heard about the "pizzagate" conspiracy -- fake news about a supposed child-sex ring operating from a pizzeria in Washington, DC. A heavily armed citizen drove from North Carolina to the pizzeria to investigate the bogus child-sex ring supposedly run by Presidential candidate Hillary Clinton. The reality: no sex ring. That citizen had been duped by fake news. Shots were fired, and thankfully nobody was hurt.

CBS News reported that the pizzagate conspiracy had been promoted by Michael G. Flynn, son of retired General Michael T. Flynn, Donald Trump's pick for national security adviser. As a result, the younger Flynn resigned Tuesday from President-Elect Trump's transition team.

I use the phrase "fake news" for several types of misleading content: propaganda, unproven or fact-free conspiracy theories, disinformation, and clickbait. The pizzagate incident highlighted two issues: a) fake news has consequences, and b) many people don't know how to distinguish real news from fake news. So, while political operatives reportedly have used a combination of fake news, ads, and social media to both encourage supporters to vote and discourage opponents from voting, there clearly are other real-life consequences.

To help people spot fake news, NPR reported:

"Stopping the proliferation of fake news isn't just the responsibility of the platforms used to spread it. Those who consume news also need to find ways of determining if what they're reading is true. We offer several tips below. The idea is that people should have a fundamental sense of media literacy. And based on a study recently released by Stanford University researchers, many people don't."

The report is enlightening. In the "Evaluating Information: The Cornerstone of Civic Online Reasoning" report, researchers at Stanford University tested about 7,804 students in 12 states between January 2015 and June 2016. They found:

"... at each level—middle school, high school, and college—these variations paled in comparison to a stunning and dismaying consistency. Overall, young people’s ability to reason about the information on the Internet can be summed up in one word: bleak. Our “digital natives” may be able to flit between Facebook and Twitter while simultaneously uploading a selfie to Instagram and texting a friend. But when it comes to evaluating information that flows through social media channels, they are easily duped... We would hope that middle school students could distinguish an ad from a news story. By high school, we would hope that students reading about gun laws would notice that a chart came from a gun owners’ political action committee. And, in 2016, we would hope college students, who spend hours each day online, would look beyond a .org URL and ask who’s behind a site that presents only one side of a contentious issue. But in every case and at every level, we were taken aback by students’ lack of preparation... Many [people] assume that because young people are fluent in social media they are equally savvy about what they find there. Our work shows the opposite."

This is important for both individuals and the future of the nation because:

"For every challenge facing this nation, there are scores of websites pretending to be something they are not. Ordinary people once relied on publishers, editors, and subject matter experts to vet the information they consumed. But on the unregulated Internet, all bets are off... Never have we had so much information at our fingertips. Whether this bounty will make us smarter and better informed or more ignorant and narrow-minded will depend on our awareness of this problem and our educational response to it. At present, we worry that democracy is threatened by the ease at which disinformation about civic issues is allowed to spread and flourish."

While the study focused upon students, older persons have been duped, too. The suspect in the pizzeria incident was 28 years old. The Stanford report focused upon what teachers and educators can do to better prepare students. According to the researchers, additional solutions are forthcoming.

What can you do to spot fake news? Don't wait for sites and/or social media to do it for you. Become a smarter consumer. The NPR report suggested:

  1. Pay attention to the domain and URL
  2. Read the "About Us" section of the site
  3. Look at the quotes in a story
  4. Look at who said the quotes

All of the suggestions require readers to take the time to understand the website, publication, and/or publisher. A little skepticism is healthy. Also verify the persons quoted and whether the persons quoted are who the article claims. And, verify that any images used actually relate to the event.

We all have to be smarter consumers of news in order to stay informed and meet our civic duties, which include voting. Nobody wants to vote for politicians that don't represent their interests because they've been duped. To the above list, I would add:

  • Read news wires. These sites include the raw, unfiltered news about who, when, where, and what happened. Some suggested sources: Associated Press (AP), Reuters, and United Press International (UPI)
  • Learn to recognize advertisements
  • Learn the differences between different types of content: news, opinion, analysis, satire/humor, and entertainment. Reputable sites will label them to help readers.

If you don't know the differences and can't spot each type, then you are likely to get duped.


High Tech Companies And A Muslim Registry

Since the Snowden disclosures in 2013, there have been plenty of news reports about how technology companies have assisted the U.S. government with surveillance programs. Some of these activities included surveillance programs by the U.S. National Security Agency (NSA) that swept up innocent citizens, bulk collection of phone call metadata, warrantless searches by the NSA of citizens' phone calls and emails, facial image collection, identification of the best collaborator with NSA spying, fake cell phone towers (a/k/a 'stingrays') used by both federal government agencies and local police departments, and automated license plate readers to track drivers.

You may also remember, after Apple Computer's refusal to build a backdoor into its smartphones, the U.S. Federal Bureau of Investigation bought a hacking tool from a third party. Several tech companies built the reform government surveillance site, while others actively pursue "Surveillance Capitalism" business goals.

During the 2016 political campaign, candidate (and now President-elect) Donald Trump said he would require all Muslims in the United States to register. Mr. Trump's words matter greatly given his lack of government experience. His words are all voters had to rely upon.

So, The Intercept asked several technology companies a key question about the next logical step: whether or not they are willing to help build and implement a Muslim registry:

"Every American corporation, from the largest conglomerate to the smallest firm, should ask itself right now: Will we do business with the Trump administration to further its most extreme, draconian goals? Or will we resist? This question is perhaps most important for the country’s tech companies, which are particularly valuable partners for a budding authoritarian."

The companies queried included IBM, Microsoft, Google, Facebook, Twitter, and others. What's been the response? Well, IBM focused on other areas of collaboration:

"Shortly after the election, IBM CEO Ginni Rometty wrote a personal letter to President-elect Trump in which she offered her congratulations, and more importantly, the services of her company. The six different areas she identified as potential business opportunities between a Trump White House and IBM were all inoffensive and more or less mundane, but showed a disturbing willingness to sell technology to a man with open interest in the ways in which technology can be abused: Mosque surveillance, a “virtual wall” with Mexico, shutting down portions of the internet on command, and so forth."

The response from many other companies has mostly been crickets. So far, only executives at Twitter have flatly refused, and they included with their reply a link to the company's blog post about developer policies:

"Recent reports about Twitter data being used for surveillance, however, have caused us great concern. As a company, our commitment to social justice is core to our mission and well established. And our policies in this area are long-standing. Using Twitter’s Public APIs or data products to track or profile protesters and activists is absolutely unacceptable and prohibited.

To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products.

We have an internal process to review use cases for Gnip data products when new developers are onboarded and, where appropriate, we may reject all or part of a requested use case..."

Recently, a Trump-Pence supporter floated this trial balloon to justify such a registry:

"A prominent supporter of Donald J. Trump drew concern and condemnation from advocates for Muslims’ rights on Wednesday after he cited World War II-era Japanese-American internment camps as a “precedent” for an immigrant registry suggested by a member of the president-elect’s transition team. The supporter, Carl Higbie, a former spokesman for Great America PAC, an independent fund-raising committee, made the comments in an appearance on “The Kelly File” on Fox News...

“We’ve done it based on race, we’ve done it based on religion, we’ve done it based on region,” Mr. Higbie said. “We’ve done it with Iran back — back a while ago. We did it during World War II with Japanese.”"

You can read the replies from nine technology companies at The Intercept site. Will other companies besides Twitter show that they have a spine? Whether or not such a registry ultimately violates the U.S. Constitution, we will definitely hear a lot more about this subject in the near future.