404 posts categorized "Government" Feed

Russian Cyber Attacks Against US Voting Systems Wider Than First Thought

Cyber attacks upon electoral systems in the United States are wider than originally thought. The attacks occurred in at least 39 states. The Bloomberg report described online attacks in Illinois as an example:

"... investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016... In early July 2016, a contractor who works two or three days a week at the state board of elections detected unauthorized data leaving the network, according to Ken Menzel, general counsel for the Illinois board of elections. The hackers had gained access to the state’s voter database, which contained information such as names, dates of birth, genders, driver’s licenses and partial Social Security numbers on 15 million people, half of whom were active voters. As many as 90,000 records were ultimately compromised..."

Politicians have emphasized that the point of the disclosures isn't to embarrass any specific state, but to alert the public to past activities and to the ongoing threat. The Intercept reported:

"Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light."

Spear-fishing is the tactic criminals use by sending malware-laden e-mail messages to targeted individuals, whose names and demographic details may have been collected from social networking sites and other sources. The spam e-mail uses those details to pretend to be valid e-mail from a coworker, business associate, or friend. When the target opens the e-mail attachment, their computer and network are often infected with malware to collect and transmit log-in credentials to the criminals; or to remotely take over the targets' computers (e.g., ransomware) and demand ransom payments. Stolen log-in credentials are how criminals steal consumers' money by breaking into online bank accounts.

The Intercept report explained how the elections systems hackers adopted this tactic:

"... the Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers. But in order to dupe the local officials, the hackers needed access to an election software vendor’s internal systems to put together a convincing disguise. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company... The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded..."

Experts believe the voting equipment company targeted was VR Systems, based in Florida. Reportedly, it's electronic voting services and equipment are used in eight states. VR Systems posted online a Frequently Asked Questions document (adobe PDF) about the cyber attacks against elections systems:

"Recent reports indicate that cyber actors impersonated VR Systems and other elections companies. Cyber actors sent an email from a fake account to election officials in an unknown number of districts just days before the 2016 general election. The fraudulent email asked recipients to open an attachment, which would then infect their computer, providing a gateway for more mischief... Because the spear-phishing email did not originate from VR Systems, we do not know how many jurisdictions were potentially impacted. Many election offices report that they never received the email or it was caught by their spam filters before it could reach recipients. It is our understanding that all jurisdictions, including VR Systems customers, have been notified by law enforcement agencies if they were a target of this spear-phishing attack... In August, a small number of phishing emails were sent to VR Systems. These emails were captured by our security protocols and the threat was neutralized. No VR Systems employee’s email was compromised. This prevented the cyber actors from accessing a genuine VR Systems email account. As such, the cyber actors, as part of their late October spear-phishing attack, resorted to creating a fake account to use in that spear-phishing campaign."

It is good news that VR Systems protected its employees' e-mail accounts. Let's hope that those employees were equally diligent about protecting their personal e-mail accounts and home computers, networks, and phones. We all know employees that often work from home.

The Intercept report highlighted a fact about life on the internet, which all internet users should know: stolen log-in credentials are highly valued by criminals:

"Jake Williams, founder of computer security firm Rendition Infosec and formerly of the NSA’s Tailored Access Operations hacking team, said stolen logins can be even more dangerous than an infected computer. “I’ll take credentials most days over malware,” he said, since an employee’s login information can be used to penetrate “corporate VPNs, email, or cloud services,” allowing access to internal corporate data. The risk is particularly heightened given how common it is to use the same password for multiple services. Phishing, as the name implies, doesn’t require everyone to take the bait in order to be a success — though Williams stressed that hackers “never want just one” set of stolen credentials."

So, a word to the wise for all internet users: don't use the same log-in credentials at multiple site. Don't open e-mail attachments from strangers. If you weren't expecting an e-mail attachment from a coworker/friend/business associate, call them on the phone first and verify that they indeed sent an attachment to you. The internet has become a dangerous place.


Trump Is Not the Only One Blocking Constituents on Twitter

[Editor's note: today's guest blog post, by the reporters at ProPublica, explores the emerging debate about whether the appropriate, perhaps ethical, use of social media by publicly elected officials and persons campaigning for office. Should they be able to block constituents posting views they dislike or disagree with? Is it really public speech on a privately-run social networking sites? Would you vote for person who blocks constituents? Do companies operating social networking site have a responsibility in this? Today's post is reprinted with permission.]

by Charles Ornstein, ProPublica

As President Donald Trump faces criticism for blocking users on his Twitter account, people across the country say they, too, have been cut off by elected officials at all levels of government after voicing dissent on social media.

In Arizona, a disabled Army veteran grew so angry when her congressman blocked her and others from posting dissenting views on his Facebook page that she began delivering actual blocks to his office.

A central Texas congressman has barred so many constituents on Twitter that a local activist group has begun selling T-shirts complaining about it.

And in Kentucky, the Democratic Party is using a hashtag, #BevinBlocked, to track those who've been blocked on social media by Republican Gov. Matt Bevin. (Most of the officials blocking constituents appear to be Republican.)

The growing combat over social media is igniting a new-age legal debate over whether losing this form of access to public officials violates constituents' First Amendment rights to free speech and to petition the government for a redress of grievances. Those who've been blocked say it's akin to being thrown out of a town hall meeting for holding up a protest sign.

On Tuesday, the Knight First Amendment Institute at Columbia University called upon Trump to unblock people who've disagreed with him or directed criticism at him or his family via the @realdonaldtrump account, which he used prior to becoming president and continues to use as his principal Twitter outlet.

Trump blocked me after this tweet.Let's all hope the courts continue to protect us. Never stop resisting. pic.twitter.com/TlR4zgHCoU

-- Nick Jack Pappas (@Pappiness) June 5, 2017

"Though the architects of the Constitution surely didn't contemplate presidential Twitter accounts, they understood that the president must not be allowed to banish views from public discourse simply because he finds them objectionable," Jameel Jaffer, the Knight Institute's executive director, said in a statement.

The White House did not respond to a request for comment, but press secretary Sean Spicer said earlier Tuesday that statements the president makes on Twitter should be regarded as official statements.

Similar flare-ups have been playing out in state after state.

Earlier this year, the American Civil Liberties Union of Maryland called on Governor Larry Hogan, a Republican, to stop deleting critical comments and barring people from commenting on his Facebook page. (The Washington Post reported that the governor had blocked 450 people as of February.)

Deborah Jeon, the ACLU's legal director, said Hogan and other elected officials are increasingly foregoing town hall meetings and instead relying on social media as their primary means of communication with constituents. "That's why it's so problematic," she said. "If people are silenced in that medium," they can't effectively interact with their elected representative.

The governor's office did not respond to a request for comment this week. After the letter, however, it reinstated six of the seven people specifically identified by the ACLU (it said it couldn't find the seventh). "While the ACLU should be focusing on much more important activities than monitoring the governor's Facebook page, we appreciated them identifying a handful of individuals -- out of the over 1 million weekly viewers of the page -- that may have been inadvertently denied access," a spokeswoman for the governor told the Post.

Practically speaking, being blocked cuts off constituents from many forms of interacting with public officials. On Facebook, it means no posts, no likes and no questions or comments during live events on the page of the blocker. Even older posts that may not be offensive are taken down. On Twitter, being blocked prevents a user from seeing the other person's tweets on his or her timeline.

Moreover, while Twitter and Facebook themselves usually suspend account holders only temporarily for breaking rules, many elected officials don't have established policies for constituents who want to be reinstated. Sometimes a call is enough to reverse it, other times it's not.

Eugene Volokh, a constitutional law professor at the UCLA School of Law, said that for municipalities and public agencies, such as police departments, social media accounts would generally be considered "limited public forums" and therefore, should be open to all.

"Once they open it up to public comments, they can't then impose viewpoint-based restrictions on it," he said, for instance allowing only supportive comments while deleting critical ones.

But legislators are different because they are people. Elected officials can have personal accounts, campaign accounts and officeholder accounts that may appear quite similar. On their personal and campaign accounts, there's little disagreement that officials can engage with -- or block -- whoever they want. Last month, for instance, ProPublica reported how Rep. Peter King (Republican, New York) blocked users on his campaign account after they criticized his positions on health reform and other issues.

But what about their officeholder social media accounts?

The ACLU's Jeon says that they should be public if they use government resources, including staff time and office equipment to maintain the page. "Where that's the situation and taxpayer resources are going to it, then the full power of the First Amendment applies," she said. "It doesn't matter if they're members of Congress or the governor or a local councilperson."

Volokh of UCLA disagreed. He said that members of Congress are entitled to their own private speech, even on official pages. That's because each is one voice among many, as opposed to a governor or mayor. "It's clear that whatever my senator is, she's not the government. She is one person who is part of a legislative body," he said. "She was elected because she has her own views and it makes sense that if she has a Twitter feed or a Facebook page, that may well be seen as not government speech but the voice of somebody who may be a government official."

Volokh said he's inclined to see Trump's @realdonaldtrump account as a personal one, though other legal experts disagree.

"You could imagine actually some other president running this kind of account in a way that's very public minded -- 'I'm just going to express the views of the executive branch,'" he said. "The @realdonaldtrump account is very much, 'I'm Donald Trump. I'm going to be expressing my views, and if you don't like it, too bad for you.' That sounds like private speech, even done by a government official on government property."

It's possible the fight over the president's Twitter account will end up in court, as such disputes have across the country. Generally, in these situations, the people contesting the government's social media policies have reached settlements ending the questionable practices.

After being sued by the ACLU, three cities in Indiana agreed last year to change their policies by no longer blocking users or deleting comments.

In 2014, a federal judge ordered the City and County of Honolulu to pay $31,000 in attorney's fees to people who sued, contending that the Honolulu Police Department violated their constitutional rights by deleting their critical Facebook posts.

And San Diego County agreed to pay the attorney's fees of a gun parts dealer who sued after its Sheriff's Department deleted two Facebook posts that were critical of the sheriff and banned the dealer from commenting. The department took down its Facebook page after being sued and paid the dealer $20 as part of the settlement.

Angela Greben, a California paralegal, has spent the past two years gathering information about agencies and politicians that have blocked people on social media -- Democrats and Republican alike -- filing ethics complaints and even a lawsuit against the city of San Mateo, California, its mayor and police department. (They settled with her, giving her some of what she wanted.)

Greben has filed numerous public-records requests to agencies as varied as the Transportation Security Administration, the Seattle Police Department and the Connecticut Lottery seeking lists of people they block. She's posted the results online.

"It shouldn't be up to the elected official to decide who can tweet them and who can't," she said. "Everybody deserves to be treated equally and fairly under the law."

Even though she lives in California, Greben recently filed an ethics complaint against Atlanta Mayor Kasim Reed, a Democrat, who has been criticized for blocking not only constituents but also journalists who cover him. Reed has blocked Greben since 2015 when she tweeted about him... well, blocking people on Twitter. "He's notorious for blocking and muting people," she said, meaning he can't see their tweets but they can still see his.

@LizLemeryJoy @KasimReed Mr. Mayor you are violating the #civilrights of all you have #blocked! @Georgia_AG @FOX5Atlanta @11AliveNews

-- Angela Greben (@AngelaGreben) March 7, 2015

In a statement, a city spokeswoman defended the mayor, saying he's now among the top five most-followed mayors in the country. "Mayor Reed uses social media as a personal platform to engage directly with constituents and some journalists. 2026 Like all Twitter users, Mayor Reed has the right to stop engaging in conversations when he determines they are unproductive, intentionally inflammatory, dishonest and/or misleading."

Asked how many people he has blocked, she replied that the office doesn't keep such a list.

J'aime Morgaine, the Arizona veteran who delivered blocks to the office of Rep. Paul Gosar, a Republican, said being blocked on Facebook matters because her representative no longer hosts in-person town hall meetings and has started to answer questions on Facebook Live. Now she can't ask questions or leave comments.

"I have lost and other people who have been blocked have lost our right to participate in the democratic process," said Morgaine, leader of Indivisible Kingman, a group that opposes the president's agenda. "I am outraged that my congressman is blocking my voice and trampling upon my constitutional rights."

@RepGosar ..You weren't home when I delivered this message to your office, but no worries...there WILL be more!Stop BLOCKING Constituents! pic.twitter.com/JTWGQwhxKt

-- Indivisible Kingman (@IndivisibleCD4) May 13, 2017

Morgaine said the rules are not being applied equally. "They're not blocking everybody who's angry," she said. "They're blocking the voices of dissent, and there's no process for getting unblocked. There's no appeals process. There's no accountability."

A spokeswoman for Gosar defended his decision to block constituents but did not answer a question about how many have been blocked.

"Congressman Gosar's policy has been consistent since taking office in January 2010," spokeswoman Kelly Roberson said in an email. "In short: 2018Users whose comments or posts consist of profanity, hate speech, personal attacks, homophobia or Islamophobia may be banned.'"

On his Facebook page, Gosar posts the policy that guides his actions. It says in part, "Users are banned to promote healthy, civil dialogue on this page but are welcome to contact Congressman Gosar using other methods," including phone calls, emails and letters.

Sometimes, users are blocked repeatedly.

Community volunteer Gayle Lacy was named 2015 Wacoan of the Year for her effort to have the site of mammoth fossils in Waco, Texas, designated a national monument. Lacy's latest fight has been with her congressman, Bill Flores, who was with her in the Oval Office when Obama designated the site a national monument in 2015. She has been blocked three times by Flores' congressional Twitter account and once by his campaign account. One of those blocks happened after she tweeted at him: "My father died in service for this country, but you are not representative of that country and neither is your dear leader."

Lacy said she was able to get unblocked each time from Flores' congressional account by calling his office but remains blocked on the campaign one. "I don't know where to call," she said. "I asked in his D.C. office who I needed to call and I was told that they don't have that information."

Lacy and others said Flores blocks those who question him. Austin lawyer Matt Miller said he was blocked for asking when Flores would hold a town hall meeting. "It's totally inappropriate to block somebody, especially for asking a legitimate question of my elected representative," Miller said.

In a statement, Flores spokesman Andre Castro said Flores makes his policies clear on Twitter and on Facebook. "We reserve the right to block users whose comments include profanity, name-calling, threats, personal attacks, constant harping, inappropriate or false accusations, or other inappropriate comments or material. As the Congressman likes to say 2014 2018If you would not say it to your grandmother, we will not allow it here.'"

Ricardo Guerrero, an Austin marketer who is one of the leaders of a local group opposed to Trump's agenda, said he has gotten unblocked by Flores twice but then was blocked again and "just kind of gave up."

"He's creating an echo chamber of only the people that agree with him," Guerrero said of Flores. "He's purposefully removing any semblance of debate or alternative ideas or ideas that challenge his own -- and that seems completely undemocratic. That's the bigger issue in my mind."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Study: Police Officers Talk More Respectfully To White Residents Than Non-White Residents

Researchers analyzed the language recorded by body cameras during police stops, and concluded that police officers talk more respectfully to White residents than non-White residents. The study, published Monday in the Proceedings of the National Academy of Sciences, included 183 hours of body camera footage taken during 981 routine traffic stops in April 2014 by 245 different officers in the Oakland Police Department.

The researchers found:

"Police officers speak significantly less respectfully to black than to white community members in everyday traffic stops, even after controlling for officer race, infraction severity, stop location, and stop outcome. This paper presents a systematic analysis of officer body-worn camera footage, using computational linguistic techniques to automatically measure the respect level that officers display to community members. This work demonstrates that body camera footage can be used as a rich source of data rather than merely archival evidence, and paves the way for developing powerful language-based tools for studying and potentially improving police–community relations. "

The study included random selections of 312 utterances spoken to black residents and 102 utterances spoken to white residents. Next, 10 volunteers rated each interaction without knowing the names, races, or identifying information of the police officers. Then, the researchers used a computer model to analyze the ratings based upon scientific literature about respect.

Why this study is important:

"Despite the rapid proliferation of body-worn cameras, no law enforcement agency has systematically analyzed the massive amounts of footage these cameras produce. Instead, the public and agencies alike tend to focus on the fraction of videos involving high-profile incidents, using footage as evidence of innocence or guilt in individual encounters... Previous research on police–community interactions has relied on citizens’ recollection of past interactions or researcher observation of officer behavior to assess procedural fairness. Although these methods are invaluable, they offer an indirect view of officer behavior and are limited to a small number of interactions...

Key findings from the full report:

"... white community members are 57% more likely to hear an officer say one of the most respectful utterances in our dataset, whereas black community members are 61% more likely to hear an officer say one of the least respectful utterances in our dataset. (Here we define the top 10% of utterances to be most respectful and the bottom 10% to be least respectful.) This work demonstrates the power of body camera footage as an important source of data, not just as evidence, addressing limitations with methodologies that rely on citizens’ recollection of past interactions..."

Perhaps, most importantly (bold emphasis added):

"The racial disparities in officer respect are clear and consistent, yet the causes of these disparities are less clear. It is certainly possible that some of these disparities are prompted by the language and behavior of the community members themselves, particularly as historical tensions in Oakland and preexisting beliefs about the legitimacy of the police may induce fear, anger, or stereotype threat. However, community member speech cannot be the sole cause of these disparities... We observe racial disparities in officer respect even in police utterances from the initial 5% of an interaction, suggesting that officers speak differently to community members of different races even before the driver has had the opportunity to say much at all."

"Regardless of cause, we have found that police officers’ interactions with blacks tend to be more fraught, not only in terms of disproportionate outcomes (as previous work has shown) but also interpersonally, even when no arrest is made and no use of force occurs. These disparities could have adverse downstream effects, as experiences of respect or disrespect in personal interactions with police officers play a central role in community members’ judgments of how procedurally fair the police are as an institution, as well as the community’s willingness to support or cooperate with the police."

The findings indicate training opportunities for law enforcement, and apply only to the Oakland, California police department. Additional studies are needed to draw conclusions about other police departments. CNN interviewed Rob Voigt, the lead author of the study at Stanford University:

"We're also hoping it inspires police departments to consider cooperating with researchers more. And facilitating this kind of analysis of body camera footage will help police departments improve their relationship with the community, and it will give them techniques for better communication... When people feel they're respected by the police, they are more likely to trust the police, they are more likely to cooperate with the police, and so on and so forth. So we have reason to expect that these differences that we find have real-world effects."

I look forward to future studies. What are your opinions?


Attorneys General In Several States Announce Settlement Agreements With Target

Target Bullseye logo The Office of the Attorney General (AG) for the Commonwealth of Massachusetts announced on Wednesday that the state will receive $625,000 as part of the settlement agreement with Target Corporation. The settlement agreement, which includes 47 states plus the District of Colombia, resolves claims by states about the retailer's massive data breach in 2013.

Card issuers had also sued the retailer. Target settled with Visa in August, 2015 to resolve claims in which 110 million consumers' records were stolen, including 40 million credit- and debit-card numbers. Also, debit card PIN numbers were stolen.

The announcement by Massachusetts AG Maura Healey explained:

"The investigation found that the stolen credentials were used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware on the system and then capture data from credit or debit card transactions at Target stores (including stores in Massachusetts) from Nov. 27, 2013 to Dec. 15, 2013. The stolen data included consumers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, security codes, and encrypted debit PINs... The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers nationwide. In Massachusetts, the breach compromised information from approximately 947,000 customer payment card accounts and other personally-identifying information of about 1.5 million Massachusetts residents."

Terms of the settlement require Target:

"... to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment... to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts."

California will receive $1.4 million from the settlement. New York AG Eric T. Schneiderman said about the settlement agreement:

"New Yorkers need to know that when they shop, their data will be protected... This settlement marks an important win for New Yorkers – bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward."

Yes, indeed. Shoppers everywhere need to know their data will be protected.

Besides Massachusetts, New York and California, the other states participating in this settlement include Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.

AL.com reported:

"Alabama won't be cashing in on the largest multi-state data breach settlement in history, however. The reason, according to the Alabama Attorney General's Office, is the absence of a state law that requires entities to notify customers whose information could have been exposed in a breach and then take steps to remediate any injuries.

"Alabama is one of the few states in the nation that is not a party to the recent Target settlement because our state does not have data breach notification law," said Mike Lewis, Communications Director for the Office of the Alabama Attorney General."

Connecticut and Illinois led the states' investigation. The participating states have not yet announced how the settlement money will be distributed.

[Editor's Note: a prior version of this blog post did not include the report by AL.com.]


60 Minutes Re-Broadcast Its 2014 Interview With FBI Director Comey

60 Minutes logo Last night, the 60 Minutes television show re-broadcast its 2014 interview with former Federal Bureau of Investigation (FBI) Director James Comey. The interview is important for several reasons.

Politically liberal people have criticized Comey for mentioning to Congress just before the 2016 election the FBI investigation of former Secretary of State Hilary Clinton's private e-mail server. Many believe that Comey's comments helped candidate Donald Trump win the Presidential election. Politically conservative people criticized Comey for not recommending prosecution of former Secretary Clinton.

The interview is a reminder of history and that reality is often far more nuanced and complicated. Back in 2004, when the George W. Bush administration sought a re-authorization of warrant-less e-mail/phone searches, 60 Minutes explained:

"At the time, Comey was in charge at the Justice Department because Attorney General John Ashcroft was in intensive care with near fatal pancreatitis. When Comey refused to sign off, the president's Chief of Staff Andy Card headed to the hospital to get Ashcroft's OK."

In the 2014 interview, Comey described his concerns in 2004 about key events:

"... [the government] cannot read your emails or listen to your calls without going to a federal judge, making a showing of probable cause that you are a terrorist, an agent of a foreign power, or a serious criminal of some sort, and get permission for a limited period of time to intercept those communications. It is an extremely burdensome process. And I like it that way... I was the deputy attorney general of the United States. We were not going to authorize, reauthorize or participate in activities that did not have a lawful basis."

During the interview in 2014 by 60 Minutes, then FBI Director Comey warned all Americans:

"I believe that Americans should be deeply skeptical of government power. You cannot trust people in power. The founders knew that. That's why they divided power among three branches, to set interest against interest... The promise I've tried to honor my entire career, that the rule of law and the design of the founders, right, the oversight of courts and the oversight of Congress will be at the heart of what the FBI does. The way you'd want it to be..."

The interview highlighted the letter Comey kept on his desk as a cautionary reminder of the excesses of government. That letter was about former FBI Director Herbert Hoover's investigations and excessive surveillance of the late Dr. Martin Luther King, Jr. Is Comey the bad guy that people on both sides of the political spectrum claim? Yes, history is far more complicated and nuanced.

So, history is complex and nuanced... far more than a simplistic, self-serving tweet:

Many have paid close attention for years. After the Snowden disclosures in 2013 about broad, warrantless searches and data collection programs by government intelligence agencies, in 2014 Comey urged all USA citizens to participate in a national discussion about the balance between privacy and surveillance.

You can read the full transcript of the 60 Minutes interview in 2014, watch this preview on Youtube, or watch last night's re-broadcast by 60 Minutes of the 2014 interview.


America's Other Drug Problem

[Editor's Note: today's guest blog post, by reporters at ProPublica, explores the waste problem in the health care industry, and the accompanying pollution. It is reprinted with permission.]

by Marshall Allen, ProPublica

Every week in Des Moines, Iowa, the employees of a small nonprofit collect bins of unexpired prescription drugs tossed out by nursing homes after residents died, moved out or no longer needed them. The drugs are given to patients who couldn't otherwise afford them.

But travel 1,000 miles east to Long Island, New York, and you'll find nursing homes flushing similar leftover drugs down the toilet, alarming state environmental regulators worried they'll further contaminate the water supply.

In Baltimore, Maryland, a massive incinerator burns up tons of the drugs each year -- for a fee -- from nursing homes across the Eastern seaboard.

If you want to know why the nation's health care costs are among the highest in the world, a good place to start is with what we throw away. Across the country, nursing homes routinely toss large quantities of perfectly good prescription medication: tablets for diabetes, syringes of blood thinners, pricey pills for psychosis and seizures.

At a time when anger over soaring drug costs has perhaps never been more intense, redistributing discarded drugs seems like a no-brainer. Yet it's estimated that American taxpayers, through Medicare, spend hundreds of millions of dollars each year on drugs for nursing home patients -- much of which literally go down the tubes.

"It would not surprise me if as much as 20 percent of the medications we receive we end up having to destroy," said Mark Coggins, who oversees the pharmacy services for Diversicare, a chain of more than 70 nursing homes in 10 states. "It's very discouraging throwing away all those drugs when you know it can benefit somebody."

No one tracks this waste nationwide, but estimates show it's substantial. Colorado officials have said the state's 220 long-term care facilities throw away a whopping 17.5 tons of potentially reusable drugs every year, with a price tag of about $10 million. The Environmental Protection Agency estimated in 2015 that about 740 tons of drugs are wasted by nursing homes each year.

This is, of course, part of a bigger problem. The National Academy of Medicine estimated in 2012 that the United States squanders more than a quarter of what it spends on health care 2014 about $765 billion a year.

ProPublica is investigating the types of waste in health care that academics and politicians typically overlook. Our first installment examined the tens of millions worth of equipment and brand new supplies that hospitals jettison.

Today we look at the wasteful, and potentially harmful, ways nursing homes dispose of leftover meds -- and how some states, like Iowa, have found a solution.

On a recent Wednesday in Des Moines, Ami Bradwell, a certified pharmacy technician, popped open the lids of several 31-gallon bins full of prescription drugs. In each were hundreds of what are known as "bingo cards" filled with rows of pills in sealed bubbles.

"Metformin -- for diabetics," Bradwell said, holding up a card of large white pills. "It's not crazy expensive, but it's in high demand."

She held up an entire box of the anti-nausea drug Ondansetron. It goes for about $5 a pill, according to the website drugs.com. "Expensive."

Another card had three large pills stuffed in each chamber, a find Bradwell called "a 'jackpot' card. You can't live without it because it's a seizure medication."

Image from SafeNetRx Drug Donation Repository Bradwell works for the nonprofit SafeNetRx. Each week the group takes in dozens of bins full of such drugs, as well as boxes mailed in from across Iowa and several other states -- pharmaceutical trash that exists because, for convenience and cost, long-term care pharmacies often dispense nursing home patients' medications in bulk, a month's worth at a time.

Should a patient die, leave or stop taking the drug, what's left is typically tossed. The drugs have already been paid for, by Medicare in most cases, so there's little incentive to try to recycle them. In some states, such reuse is against the law.

Some of the cards Bradwell examined that day were missing only a few pills. One card had been thrown out even though it only lacked one of its 31 doses of oxybutynin, which reduces muscle spasms of the bladder. The remaining 30 are worth more than $13.

"There are literally millions of dollars of prescription medications thrown away every day in this country," said John Forbes, an Iowa pharmacist who dispenses SafeNetRx's recovered drugs to his low-income patients.

Although most states technically allow some leftover drugs to be recycled, Iowa is one of the few rescuing a significant percentage of the drugs from destruction. The state funds the program for about $600,000 a year, said SafeNetRx CEO Jon Rosmann, who calls it a "common sense" solution. In fiscal 2016 the program recovered and distributed drugs valued at about $3.4 million. This year it's on pace to top $5 million.

Forbes, who is also an Iowa state representative, said there are additional savings when low-income patients have access to the drugs they need. Patients who don't take their drugs "end up in the emergency room," he said, "which will wind up costing our health care system way more money."

At SafeNetRx, the drugs are sorted and organized in a 1,500-square-foot room lined with shelves stacked with bins of drugs. In the center, folding tables hold hundreds of bingo cards, sorted alphabetically by generic drug name, from the blood pressure drug acebutolol to the antipsychotic ziprasidone. None of the medications are controlled substances, though those may be included in the future.

Pharmacy officials say there may be a million dollars' worth of drugs in this small room. The 30 mg syringes of the blood thinner Enoxaparin are used by patients for weeks before and after heart surgery. They can go for $13 per dose.

One box contains scores of doses of Spiriva, inhalation capsules for chronic obstructive pulmonary disease that would sell for about $18 each. The antipsychotic Abilify runs about $46 per pill.

The biggest ticket items are the cancer drugs. They are typically donated directly from patients or their families. Those can run $8,000 or more per month.

The cancer drugs are passed on to people like Amber Judge, a patient advocate at Medical Oncology and Hematology Associates, a cancer clinic in Des Moines. Judge is accustomed to patients coming into her office in a panic. They've just learned they have cancer, only to find out they can't afford the drugs they need to battle the disease. That's when Judge opens one of the file drawers in her office, which are filled with tens of thousands of dollars' worth of the drugs recovered by SafeNetRx.

In one filing drawer she has about 30 boxes of Tasigna, which costs about $100 per pill. In another drawer she has a gallon-sized plastic bag with bottles of Stivarga, about $188 per pill.

The process is similar to patients receiving drug samples at a doctor's office. They leave her office with the drugs they need -- for free.

"I give them a month's supply if I have it," Judge said. "They're so thankful. They're incredulous."

In many places in the United States, however, these leftover drugs meet a very different end, one that is not only wasteful, but potentially harmful.

In recent years, scientists have detected something disturbing in the Long Island's aquifer: low levels of pharmaceuticals.

Though consumers have been warned not to flush their drugs down the toilet because sewer waste can contaminate groundwater, many still do it; more worrisome still, flushing remains a common practice at nursing homes in New York and across the country. The effects of such contamination on humans are unclear, but it has been shown to slow the metamorphosis of frogs and increase the feminization of fish.

Three years ago, New York's Department of Environmental Conservation started an annual program, funded by the state legislature, to scoop up unused medications before they were flushed. Even though the pickup service is free to facilities, only two dozen of 169 eligible Long Island nursing homes participated this February, turning over 660 pounds of drugs.

Those valuable medications didn't go into the water supply, but they didn't go to needy patients, either, though such recycling is now allowed in New York. Instead, they went to an incinerator company. Experts, including the EPA, have recommended incineration for getting rid of pharmaceuticals.

Destroying the unused drugs is always going to have environmental implications, said Carrie Meek Gallagher, region 1 director for the department. "It's always a trade-off of what's most harmful. For us, anything getting into the water is the worst solution."

The National Conference of State Legislatures said 39 states had passed laws that allowed the donation of drugs. But almost half of these states with laws lack programs to get the drugs safely from one appropriate user to another, and many of those that do have programs are focused on cancer drugs, the analysis showed.

There hasn't been a lot of public opposition to redistributing the drugs, even among drugmakers. Most concerns circle around logistics, although in Illinois trial attorneys have lobbied against a proposed program, saying it muddies liability issues.

Richard Cauchi, program director for health for the conference of state legislatures, said just passing laws doesn't guarantee success. A state agency or organization needs to oversee the program, encouraging participation and streamlining its administration so it's not a burden for pharmacies and nursing homes.

"It's a lot of work, and from a retail point of view, an expense," Cauchi said. "How do you accept these drugs? How do you confirm their safety? How do you know they meet the proper standards?"

Federal agencies are of little help, each pursuing their own, often contradictory, agendas.

The EPA discourages flushing drugs because they contaminate the water supply. But it doesn't have the authority to prohibit "sewering" the medications. Only local authorities can take that stance. It has, however, proposed reclassifying the unused drugs as hazardous waste, which would then prohibit flushing them.

The Food and Drug Administration says certain medications are so dangerous that they should be disposed of immediately, even if that means flushing them. It even provides a list of drugs recommended for flushing, mostly controlled substances like diazepam, better known as Valium, and the potent painkiller fentanyl.

The Drug Enforcement Administration wants to ensure controlled substances, like narcotic painkillers, aren't diverted to the illegal drug market. It has recommended that long-term pharmacies collect leftover drugs by placing boxes in nursing homes that must be emptied at least every three days, but that creates expense, hassle and potential liability.

Some advocates say the makers of the drugs should be responsible for disposing or recycling them. Scott Cassel, CEO of the Product Stewardship Institute, a nonprofit organization dedicated to reducing the environmental impact of consumer products, said the producers of batteries, electronics, paint and other products are required by law in some areas to pay for the safe disposal of their products. Similar laws require drug makers to pay for the destruction of leftover household drugs in two states and about a dozen counties, but no laws address nursing homes.

Coggins, who leads the pharmacy services for the Diversicare chain, said people in the nursing home industry would like to do something about the waste. But their options are dictated by laws and regulations, and there's been a lack of investment in cost-effective solutions like the one in Iowa.

About half the states where Diversicare operates allow the donation of unused drugs, but the programs required too much work sorting and inventorying the drugs without any reimbursement, he said. "It's like people have created legislation and it's a feel-good thing, but nobody's come back to see why it's not working."

Diversicare avoids flushing drugs whenever possible, Coggins said, but it still occurs sometimes. The organization has switched to a product called Rx Destroyer that chemically deactivates the medication so it can be put in the trash, he said, but even that is controversial because it goes into a landfill.

In many nursing homes, flushing is just part of the routine.

"Oh my goodness, it's so sad," said Jennifer Ramsey, a nurse who formerly worked as a house supervisor for a nursing home in South Haven, Mississippi. Once a month she and another nurse would gather all the unused blister packs of medication, she said, piles of them, probably worth tens of thousands of dollars. Then they would pop the pills one by one into the toilet.

"You would spend almost your whole eight-hour day doing it," Ramsey recalled.

Ramsey now works for the nonprofit Good Shepherd Pharmacy in Memphis. In Tennessee, the law requires nursing homes to destroy unused drugs on site. Good Shepherd's founder is pressing to change the law so the drugs can be saved and donated.

In March, state Rep. Cameron Sexton, a Republican whose wife is a pharmacist, introduced a bill that would allow unexpired medications to be donated in Tennessee. "Unfortunately, we don't have a process set up to do that so all these drugs have to be destroyed," he said.

Perhaps the most graphic way to see the waste firsthand is a visit to the Curtis Bay Medical Waste facility on the south side of Baltimore, home of the largest incinerator of its kind in the country.

Here Curtis Bay's fleet of trucks delivers load after load of unused, unexpired drugs from hundreds of nursing homes and other facilities and clinics up and down the East Coast. Drugs also come from medical waste companies like SteriCycle and Daniels Sharpsmart. In 2015, 204 tons of non-hazardous pharmaceutical waste came from the Daniels location in the Bronx, according to records filed in New York. Such waste includes not only drugs tossed by nursing homes, but also those from hospitals, doctors' offices and other facilities.

Inside Curtis Bay, the drugs are processed and destroyed in an area the size of several hockey rinks. A conveyor belt about 15 feet off the ground snakes through the facility loaded with hundreds of boxes of pharmaceutical and medical waste 2014 all leading to the two incineration chambers.

On a recent visit, the chamber was over 2,000 degrees, a heat that could be felt from 20 feet away.

From a platform above the incinerator's maw, you can watch as thousands of dollars of potentially lifesaving pills and medications tumble, box by box, into the steaming opening. Then they are shoveled into the blaze.

Experts say incineration is the least environmentally objectionable end-of-life option for unused drugs. But it's also the most expensive destruction method -- from 50 cents to a dollar per pound, paid for by the facilities themselves -- which is why many nursing homes resort to flushing.

Nursing homes save the disposal fees in Iowa, because they can donate them to SafeNetRx, where they benefit needy patients like Max Armstrong.

The 82-year-old suffers from multiple chronic conditions -- emphysema, congestive heart failure and more. The ailments were manageable until 2015, when he suffered blood clots in his leg and lung. Doctors put him on the generic blood thinner warfarin, but it "almost killed me," he said, so he switched to Xarelto, a newer brand name drug that costs about $700 a month.

The total tab for the Xarelto and the other 14 medications Armstrong must take each month would cost at least $1,200, according to his daughter. Armstrong, whose savings took a hit during the financial crisis, lives on $1,158 a month in Social Security.

It's "stupid" to throw away drugs that can keep so many other people healthy, Armstrong said. "There's a lot of people out there in this world who need help."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Seattle Strengthens Privacy Protections For Broadband And Cable Users

The city of Seattle has strengthened it privacy rules to better protect residents using cable-TV services and high-speed internet services (a/k/a broadband). The new rules go into effect on May 24, and mirrors the FCC broadband privacy rules which Congress revoked earlier this year.

The announcement by the Seattle Mayor's office explained:

"Seattle Municipal Code (SMC 21.60) grants the City of Seattle authority to issue rules related to the privacy practices of cable operators. These rules govern not only cable television services but also non-cable services, such as internet service. The new rule states cable operators must obtain opt-in consent before sharing a customer’s web browsing history or otherwise using such information for a purpose other than providing a customer with their requested service.

Comcast, CenturyLink, and Wave have cable franchise agreements with the City of Seattle and will be subject to the new rule. Under the terms of the rule, these cable operators must report their compliance by Sept. 30, 2017 and annually thereafter."

Earlier this year, a national poll found the the Republican rollback of FCC broadband privacy rules very unpopular among consumers. Despite this, President Trump signed the privacy-rollback legislation on April 3.

The new rules in Seattle, ITD Director's Rule 2017-10 (Adobe PDF), state in part:

"- Prohibit Cable Operators from collecting or disclosing any information regarding the extent of any individual customer's viewing habits, or other use by a customer of a cable service or other service provided such as web browsing activity, without the prior affirmative consent of the customer, unless such information is necessary to render a service requested by the customer, or a legitimate business purpose related to the service.
- Require Cable Operators to fully and completely disclose customer rights and the limitations imposed on a Cable Operator's collection, use, and disclosure of Personally Identifiable Information (PII) in clear language that a customer can radily understand.
- Require Cable Operators to destroy within 90 days any PII if the PII is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to shuch PII... Require Cable Operators to provide stamped, self-addressed post cards that customers can mail in to have their names and addresses removed form any lists the Cable Operators might use for purposes other than the direct provision of service to those customers.
- Establish without ambiguity that a customer, once "opting out" of the Cable Operator's mailing list, is permanently removed from that list unless that customer subsequently requests inclusion on such list."

This is a great start. The rules define PII as:

"... specific information about a customer, including, but not not limited to, a customer's (a) login information, (b) extent of viewing of video programming or other services, (c) shopping choices, (d) interests and opinions, (e) energy uses, (f) medical information, (g) banking data or information, (h) web browsing activities, or (i) any other personal or private information..."

Mayor Edward B. Murray commented about the new rules:

"Where the Trump administration continues to roll back critical consumer protections, Seattle will act... I believe protecting the privacy of internet users is essential and this policy allows the City to do just that. Because of regulation repeals at the national level, we must use all of the powers at our disposal to protect the rights of our residents."

Citizens in other major cities across the United States may want to ask what consumer-friendly privacy actions their mayors are taking.


The Need For A Code Of Ethics With The Internet Of Things

Earlier this week, The Atlantic website published and interview with Francine Berman, a computer-science professor at Rensselaer Polytechnic Institute, about the need for a code of ethics for connected, autonomous devices, commonly referred to as the internet-of-things (IoT). The IoT is exploding.

Experts forecast 8.4 billion connected devices in use worldwide in 2017, up 31 percent from 2016. Total spending for those devices will reach almost $2 trillion in 2017, and $20.4 billion by 2020. North America, Western Europe, and China, which already comprise 67 percent of the installed base, will drive much of this growth.

In a February, 2017 article (Adobe PDF) in the journal Communications of the Association for Computing Machinery, Berman and Vint Cerf, an engineer, discussed the need for a code of ethics:

"Last October, millions of interconnected devices infected with malware mounted a "denial-of-service" cyberattack on Dyn, a company that operates part of the Internet’s directory service. Such attacks require us to up our technical game in Internet security and safety. They also expose the need to frame and enforce social and ethical behavior, privacy, and appropriate use in Internet environments... At present, policy and laws about online privacy and rights to information are challenging to interpret and difficult to enforce. As IoT technologies become more pervasive, personal information will become more valuable to a diverse set of actors that include organizations, individuals, and autonomous systems with the capacity to make decisions about you."

Given this, it seems wise for voters to consider whether or not elected officials in state, local, and federal government understand the issues. Do they understand the issues? If they understand the issues, are they taking appropriate action? If they aren't taking appropriate action, is due to other priorities? Or are different elected officials needed? At the federal level, recent events with broadband privacy indicate a conscious decision to ignore consumers' needs in favor of business.

In their ACM article, Bermand and Cerf posed three relevant questions:

  1. "What are your rights to privacy in the internet-of-things?
  2. Who is accountable for decisions made by autonomous systems?
  3. How do we promote the ethical use of IoT technologies?"

Researchers and technologists have already raised concerns about the ethical dilemmas of self-driving cars. Recent events have also highlighted the issues.

Some background. Last October, a denial-of-service attack against a hosting service based in France utilized a network of more than 152,000 IoT devices, including closed-circuit-television (CCTV) cameras and DVRs. The fatal crash in May of a Tesla Model S car operating in auto-pilot mode and the crash in February of a Google self-driving car raised concerns. According to researchers, 75 percent of all cars shipped globally will have internet connectivity by 2020. Last month, a security expert explained the difficulty with protecting connected cars from hackers.

And after a customer posted a negative review online, a developer of connected garage-door openers disabled both the customer's device and online account. (Service was later restored.) Earlier this year, a smart TV maker paid $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC). Consumers buy and use a wide variety of connected devices: laptops, tablets, smartphones, personal assistants, printers, lighting and temperature controls, televisions, home security systems, fitness bands, smart watches, toys, smart wine bottles, and home appliances (e.g., refrigerators, hot water heaters, coffee makers, crock pots, etc.). Devices with poor security features don't allow operating system and security software updates, don't encrypt key information such as PIN numbers and passwords, and build the software into the firmware where it cannot be upgraded. In January, the FTC filed a lawsuit against a modem/router maker alleging poor security in its products.

Consumers have less control over many IoT devices, such as smart utility meters, which collect information about consumers. Typically, the devices are owned and maintained by utility companies while installed in or on consumers' premises.

Now, back to the interview in The Atlantic. Professor Berman reminded us that society has met the ethical challenge before:

"Think about the Industrial Revolution: The technologies were very compelling—but perhaps the most compelling part were the social differences it created. During the Industrial Revolution, you saw a move to the cities, you saw the first child-labor laws, you saw manufacturing really come to the fore. Things were available that had not been very available before..."

Well, another revolution is upon us. This time, it includes changes brought about by the internet and the IoT. Berman explained today's challenges include considerations:

"... we never even imagined we’d have to think about. A great example: What if self-driving cars have to make bad choices? How do they do that? Where are the ethics? And then who is accountable for the choices that are made by autonomous systems? This needs to be more of a priority, and we need to be thinking about it more broadly. We need to start designing the systems that are going to be able to support social regulation, social policy, and social practice, to bring out the best of the Internet of Things... Think about designing a car. I want to design it so it’s safe, and so that the opportunity to hack my car is minimized. If I design Internet of Things systems that are effective, provide me a lot of opportunities, and are adaptive, but I only worry about really important things like security and privacy and safety afterwards, it’s much less effective than designing them with those things in mind. We can lessen the number of unintended consequences if we start thinking from the design stage and the innovation stage how we’re going to use these technologies. Then, we put into place the corresponding social framework."

Perhaps, most importantly:

"There’s a shared responsibility between innovators, companies, the government, and the individual, to try and create and utilize a framework that assigns responsibility and accountability based on what promotes the public good."

Will we meet the challenge of this revolution? Will innovators, companies, government, and individuals share responsibility? Will we work for the public good or solely for business growth and profitability?

What do you think?


For-Profit School Chain Camelot Suffers Setback Following Abuse Allegations

[Editor's note: today's guest post, by the reporters at ProPublica, provides an update about a for-profit school operating in the State of Georgia. The article was originally published on April 12, 2017 and is reprinted with permission.]

by Zoë Kirsch, The Teacher Project, ProPublica

The Muscogee County School Board in Columbus, Georgia, dealt another blow to embattled Camelot Education when it voted Monday night on April 10 to delay for three months a decision on whether to hire the company to run its alternative education programs.

The delay in awarding the $6.4 million annual contract comes in the wake of a recent report by ProPublica and Slate that more than a dozen Camelot students were allegedly shoved, beaten or thrown by staff members -- incidents almost always referred to as "slamming." The for-profit Camelot runs alternative programs across the country for more than 3,000 students, most of whom have emotional or behavioral difficulties or have fallen far behind academically.

"The abuse allegations were one of many red flags for me," said Muscogee school board member Frank Myers, one of five board members who supported postponement, while three were opposed. If the district is going to privatize such an important service, he said, "You ought to have an outfit that has a pristine record."

The board bucked the wishes of school district officials, including Superintendent of Education David Lewis, who pushed to hire Camelot. "There was no transparency," Myers said. "They wanted us to rush this thing."

Instead, a community advisory council will be created, and additional public hearings will be held. The council is expected to report back within three months.

Efforts to reach Lewis were unsuccessful. Camelot spokesman Kirk Dorn said in an email that the company often encounters delays when it enters new partnerships. The company expects to meet with the community later this month "and will continue to ensure that those who still have questions get answers," Dorn said. "We know from experience that the more a community learns about how we help students succeed the more reassured they become that we will be an asset."

Camelot has faced recent setbacks in other states as well. On March 9, the day after the report was published, the Houston school board voted unanimously not to renew its contract with Camelot, instead bringing management of its alternative program in house. And a Philadelphia city councilwoman called for more information about the city's alternative schools, including their disciplinary practices.

About half a million people in the United States attend alternative schools, which are publicly funded but often managed by private, for-profit companies such as Camelot, which was founded in 2002. They frequently serve as a last resort for struggling low-income and minority students.

The Columbus branch of the NAACP announced last week that it opposed hiring Camelot, citing the Slate and ProPublica investigation. "Abuse is failure," branch president Tonza Thomas told the Columbus Ledger-Enquirer.

"Our community has competent educators that assist our children with challenges daily," the organization said in a news release. "Yet they were not consulted before a decision was made to introduce an out-of-state, for profit, security-corporation to our school district."

Abuse allegations made by teachers and students against Camelot span ten years and four states: Pennsylvania, New Jersey, Florida and Louisiana. For the most part, staffers who allegedly assaulted students have faced no criminal charges or internal discipline; some have even been promoted.

In written statements, Camelot and its chief executive, Todd Bock, have said it provides effective and supportive services to thousands of the country's most challenging and needy students, and have denied any claims of systemic abuse across its programs.

"The idea of 'slamming' a student is offensive and counter to Camelot's values, culture and procedures," the company said on March 22. "Camelot does not currently practice nor has it ever practiced 'slamming' kids."

Monday night's decision in Muscogee County, located in western Georgia, was the second delay for Camelot there since Superintendent Lewis recommended hiring the company. On March 27, the school board postponed its vote for two weeks so that residents could attend two public forums about the proposal.

At those forums, both Camelot executives and Lewis touted the company's potential benefits, according to Fife Whiteside, a local attorney who served on the Muscogee school board from 1993 to 2008. Lewis told community members that hiring Camelot could help the district save money by cutting staffing costs.

At the start of one forum, Marianne Young, the parent of a child with special needs, tried to hand out fliers that were critical of Camelot. Young said in an interview that a security guard initially told her she couldn't distribute the fliers.

Another parent called a school board member to complain, Young said. Lewis then allowed Young to give out the fliers, she said. "I have a lot of concerns" about this contract, Young said, including "the abuse allegations, and the lack of oversight that our district has for these situations."

Whiteside, the former school board member, said he was surprised that the board opposed the superintendent. The reports of abuse allegations played a role in turning some board members against Camelot, he said. "The board rarely fails to support the superintendent in his initiatives," Whiteside said.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Tax Day Protest in Cambridge, Massachusetts. Protesters Demand President Releases His Tax Returns

Rallies and marches in more than 190 cities and towns were held on Saturday April 15 to demand more transparency and fairness related to taxes. The transparency demand is for the 45th President of the United States. During the 2016 presidential campaign, candidate Trump promised to release his tax returns after an Internal Revenue Service (IRS) audit was completed. After winning the election and entering office, President Trump refused to release his tax returns.

The issue is partisan. A Yougov survey in May 2016 found that 61 percent of Americans, 81 percent of Democrats, 60 percent of Independents, and 38 percent of Republicans wanted candidate Trump to release his detailed tax returns.

An estimated 2,500 persons attended the greater Boston area event held on the Cambridge Commons in Cambridge, Massachusetts. The emcee was Mike Connolly, a Massachusetts State representative for Somerville and Cambridge. Several local organizers spoke, including calls for fairness with taxes and the federal budget. The entire rally paused for a moment of silence to remember the victims in the Boston Marathon bombing four years ago.

Future rallies are scheduled to support science, public education, and recognition of climate change. Learn more about today's event at #TaxDayMarch and at #TaxMarchBoston. Photographs of today's event in Cambridge appear below.

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017

Greater Boston area Tax Rally. April 15, 2017


Minnesota Judge Signed Warrant For Users' Google Search Data About A Person's Name

A Minnesota court judge has signed what appears to be a stunningly broad search warrant to compel Google to provide search information to local law enforcement. The request for search data is part of an identity theft and fraud case.

The search warrant requests information about anyone searching for variations of the name "Douglas" between December 1, 2016 and January 7, 2017. Using a fake passport with the victim's photo and name, identified only as "Douglas" in the warrant, a fraudster fraudulently obtained $28,000 via a wire transfer from a credit union bank account. The credit union relied upon the passport as identification.

During their investigation, the Edina Police Department searched for images with the victim's name using several search engines (e.g., Yahoo, Bing, Google), and found images on all, but only Google's search results included an image of the photo used on the fake passport. Based upon these facts, Hennepin County Judge Gary Larson signed the warrant requiring Google to turn over information about anyone who searched for variations of Douglas's full name. The warrant requests the following information about search engine users: names, addresses, e-mail addresses, phone numbers, Social Security numbers, birth dates, IP (Internet protoccol) addresses, MAC addresses, and dates/times the searches were performed.

The search warrant also requests, "Information related to the content the user is viewing/using." What exactly is that? Does that refer to other information collected by Google in each user's Google account (e.g., passwords, Google Drive documents, Gmail messages, calendar appointments, Google Chat sessions, etc.)?

The Minneapolis Star-Tribune newspaper reported:

"Privacy law experts say that the warrant is based on an unusually broad definition of probable cause that could set a troubling precedent. "This kind of warrant is cause for concern because it’s closer to these dragnet searches that the Fourth Amendment is designed to prevent," said William McGeveran, a law professor at the University of Minnesota... McGeveran said it’s unusual for a judge to sign off on a warrant that bases probable cause on so few facts. "It’s much more usual for a search warrant to be used to gather evidence for a suspect that’s already identified, instead of using evidence to find a suspect... If the standards for getting a broad warrant like this are not strong, you can have a lot of police fishing expeditions." "

Judge Larson signed the warrant on February 1, 2017. Reportedly, Google will fight in court against the demands in the search warrant.

This warrant seems stunningly broad since it does not contain the name of a specific suspect, suspects, and/or criminal organization. There are many legitimate reasons for persons to search using the victim's name. Chiefly, many other people have the same name.

Other questions remain. The warrant did not state whether or not law enforcement searched social networking accounts for the victim's image. Many social networking accounts include profile photos of users. How certain are lawn enforcement officials that the fraudster didn't obtain the photo from a social networking account? Plus, many social networking users don't utilize the privacy controls available for their online accounts and photos.

What are your opinions?


Maker Of Smart Vibrators To Pay $3.75 Million To Settle Privacy Lawsuit

Today's smart homes contain a variety of internet-connected appliances -- televisions, utility meters, hot water heaters, thermostats, refrigerators, security systems-- and devices you might not expect to have WiFi connections:  mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins. Add smart vibrators to the list.

We-Vibe logo We-Vibe, a maker of vibrators for better sex, will pay U.S. $3.75 million to settle a class action lawsuit involving allegations that the company tracked users without their knowledge nor consent. The Guardian reported:

"Following a class-action lawsuit in an Illinois federal court, We-Vibe’s parent company Standard Innovation has been ordered to pay a total of C$4m to owners, with those who used the vibrators associated app entitled to the full amount each. Those who simply bought the vibrator can claim up to $199... the app came with a number of security and privacy vulnerabilities... The app that controls the vibrator is barely secured, allowing anyone within bluetooth range to seize control of the device. In addition, data is collected and sent back to Standard Innovation, letting the company know about the temperature of the device and the vibration intensity – which, combined, reveal intimate information about the user’s sexual habits..."

Image of We-Vibe 4 Plus product with phone. Click to view larger version We-Vibe's products are available online at the Canadian company's online store and at Amazon. This Youtube video (warning: not safe for work) promotes the company's devices. Consumers can use the smart vibrator with or without the mobile app on their smartphones. The app is available at both the Apple iTunes and Google Play online stores.

Like any other digital device, security matters. C/Net reported last summer:

"... two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the [We-Vibe 4Plus] device. It could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical. What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found..."

In the September 2016 complaint (Adobe PDF; 601 K bytes), the plaintiffs sought to stop Standard Innovation from "monitoring, collecting, and transmitting consumers’ usage information," collect damages due to the alleged unauthorized data collection and privacy violations, and reimburse users from their purchase of their We-Vibe devices (because a personal vibrator with this alleged data collection is worth less than a personal vibrator without data collection). That complaint alleged:

"Unbeknownst to its customers, however, Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address — to its servers in Canada... By design, the defining feature of the We-Vibe device is the ability to remotely control it through We-Connect. Defendant requires customers to use We-Connect to fully access the We-Vibe’s features and functions. Yet, Defendant fails to notify or warn customers that We-Connect monitors and records, in real time, how they use the device. Nor does Defendant disclose that it transmits the collected private usage information to its servers in Canada... Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or patterns selected by the user, and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts... In addition, Defendant designed We-Connect to surreptitiously route information from the “connect lover” feature to its servers. For instance, when partners use the “connect lover” feature and one takes remote control of the We-Vibe device or sends a [text or video chat] communication, We-Connect causes all of the information to be routed to its servers, and then collects, at a minimum, certain information about the We-Vibe, including its temperature and battery life. That is, despite promising to create “a secure connection between your smartphones,” Defendant causes all communications to be routed through its servers..."

The We-Vibe Nova product page lists ten different vibration modes (e.g., Crest, Pulse, Wave, Echo, Cha-cha-cha, etc.), or users can create their own custom modes. The settlement agreement defined two groups of affected consumers:

"... the proposed Purchaser Class, consisting of: all individuals in the United States who purchased a Bluetooth-enabled We-Vibe Brand Product before September 26, 2016. As provided in the Settlement Agreement, “We-Vibe Brand Product” means the “We-Vibe® Classic; We-Vibe® 4 Plus; We-Vibe® 4 Plus App Only; Rave by We-VibeTM and Nova by We-VibeTM... the proposed App Class, consisting of: all individuals in the United States who downloaded the We-Connect application and used it to control a We-Vibe Brand Product before September 26, 2016."

According to the settlement agreement, affected users will be notified by e-mail addresses, with notices in the We-Connect mobile app, a settlement website (to be created), a "one-time half of a page summary publication notice in People Magazine and Sports Illustrated," and by online advertisements in several websites such as Google, YouTube, Facebook, Instagram, Twitter, and Pinterest. The settlement site will likely specify additional information including any deadlines and additional notices.

We-Vibe announced in its blog on October 3, 2016 several security improvements:

"... we updated the We-ConnectTM app and our app privacy notice. That update includes: a) Enhanced communication regarding our privacy practices and data collection – in both the onboarding process and in the app settings; b) No registration or account creation. Customers do not provide their name, email or phone number or other identifying information to use We-Connect; c) An option for customers to opt-out of sharing anonymous app usage data is available in the We-Connect settings; d) A new plain language Privacy Notice outlines how we collect and use data for the app to function and to improve We-Vibe products."

I briefly reviewed the We-Connect App Privacy Policy (dated September 26, 2016) linked from the Google Play store. When buying digital products online, often the privacy policy for the mobile app is different than the privacy policy for the website. (Informed shoppers read both.) Some key sections from the app privacy policy:

"Collection And Use of Information: You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app."

I don't have access to the prior version of the privacy policy. That last sentence seems clear and should be a huge warning to prospective users about the data collection. More from the policy:

"We collect and use information for the purposes identified below... To access and use certain We-Vibe product features, the We-Connect app must be installed on an iOS or Android enabled device and paired with a We-Vibe product. We do not ask you to provide your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise... The first time you launch the We-Connect app, our servers will provide you with an anonymous token. The We-Connect app will use this anonymous token to facilitate connections and share control of your We-Vibe with your partner using the Connect Lover feature... certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users."

In a way that does not personally identify individuals? What way? Is that the "anonymous token" or something else? More clarity seems necessary.

Consumers should read the app privacy policy and judge for themselves. Me? I am skeptical. Why? The "unique device identifier" can be used exactly for that... to identify a specific phone. The IP address associated with each mobile device can also be used to identify specific persons. Match either number to the user's 10-digit phone number (readily available on phones), and it seems that one can easily re-assemble anonymously collected data afterwards to make it user-specific.

And since partner(s) can remotely control a user's We-Vibe device, their information is collected, too. Persons with multiple partners (and/or multiple We-Vibe devices) should thoroughly consider the implications.

The About Us page in the We-Vibe site contains this company description:

"We-Vibe designs and manufactures world-leading couples and solo vibrators. Our world-class engineers and industrial designers work closely with sexual wellness experts, doctors and consumers to design and develop intimate products that work in sync with the human body. We use state-of-the-art techniques and tools to make sure our products set new industry standards for ergonomic design and high performance while remaining eco‑friendly and body-safe."

Hmmmm. No mentions of privacy nor security. Hopefully, a future About Us page revision will mention privacy and security. Hopefully, no government officials use these or other branded smart sex toys. This is exactly the type of data collection spies will use to embarrass and/or blackmail targets.

The settlement is a reminder that companies are willing, eager, and happy to exploit consumers' failure to read privacy policies. A study last year found that 74 percent of consumers surveyed never read privacy policies.

All of this should be a reminder to consumers that companies highly value the information they collect about their users, and generate additional revenue streams by selling information collected to corporate affiliates, advertisers, marketing partners, and/or data brokers. Consumers' smartphones are central to that data collection.

What are your opinions of the We-Vibe settlement? Of its products and security?


4 Charged, Including Russian Government Agents, In Massive Yahoo Hack

Department of Justice logo The U.S. Department of Justice (DOJ) announced yesterday that a grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts. The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the Federal Bureau of Investigation (FBI), Acting Assistant Attorney General Mary McCord of the National Security Division, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

The announcement described how the defendants, beginning in January 2014:

"... unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign."

The four defendants are:

  1. Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident
  2. Igor Anatolyevich Sushchin, 43, a Russian national and resident,
  3. Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident, and
  4. Karim Baratov (a/k/a "Kay," "Karim Taloverov," and "Karim Akehmet Tokbergenov") 22, a Canadian and Kazakh national and a resident of Canada.

Several lawsuits have resulted from the Yahoo breach including a shareholder lawsuit alleging a breach of fiduciary duty by the directors of the tech company, and a class-action regarding stolen credit card payment information.

Attorney General Sessions said about the charges against four defendants:

"Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history... But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks..."

FBI Director said:

"... we continue to pierce the veil of anonymity surrounding cyber crimes... We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests."

Acting Assistant Attorney General McCord said:

"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale... hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want..."


Boston Public Library Offers Workshop About How To Spot Fake News

Fake news image The Boston Public Library (BPL) offers a wide variety of programs, events and workshops for the public. The Grove Hall branch is offering several sessions of the free workshop titled, "Recognizing Fake News."The workshop description:

"Join us for a workshop to learn how to critically watch the news on television and online in order to detect "fake news." Using the News Literacy Project's interactive CheckologyTM curriculum, leading journalists and other experts guide participants through real-life examples from the news industry."

What is fake news? The Public Libraries Association (PLA) offered this definition:

"Fake news is just as it sounds: news that is misleading and not based on fact or, simply put, fake. Unfortunately, the literal defi­nition of fake news is the least complicated aspect of this com­plex topic. Unlike satire news... fake news has the intention of disseminat­ing false information, not for comedy, but for consumption. And without the knowledge of appropriately identifying fake news, these websites can do an effective job of tricking the untrained eye into believing it’s a credible source. Indeed, its intention is deception.

To be sure, fake news is nothing new... The Internet, particularly social media, has completely manipulated the landscape of how information is born, consumed, and shared. No longer is content creation reserved for official publishing houses or media outlets. For better or for worse, anybody can form a platform on the Inter­net and gain a following. In truth, we all have the ability to create viral news—real or fake—with a simple tweet or Facebook post."

The News Literacy Project is a nonpartisan national nonprofit organization that works with educators and journalists to teach middle school and high school students how to distinguish fact from fiction.

The upcoming workshop sessions at the BPL Grove Hall branch are tomorrow, March 11 at 3:00 pm, and Wednesday, March 29 at 1:00 pm. Participants will learn about the four main types of content (e.g., news, opinion, entertainment, and advertising), and the decision processes journalists use to decide which news to publish. The workshop presents real examples enabling workshop participants to test their skills at recognizing the four types of content and "fake news."

While much of the workshop content is targeted at students, adults can also benefit. Nobody wants to be duped by fake or misleading news. Nobody wants to mistake advertising or opinion for news. The sessions include opportunities for participants to ask questions. The workshop lasts about an hour and registration is not required.

Many public libraries across the nation offer various workshops about how to spot "fake news," including Athens (Georgia), Austin (Texas), Bellingham (Washington), Chicago (Illinois), Clifton Park (New York), Davenport (Iowa), Elgin (Illinois), Oakland (California), San Jose (California), and Topeka (Kansas). Some colleges and universities offer similar workshops, including American University and Cornell University. Some workshops included panelists or speakers from local news organizations.

The BPL Grove Hall branch is located at 41 Geneva Avenue in the Roxbury section of Boston. The branch's phone is (617) 427-3337.

Have you attended a "fake news" workshop at a local public library in your town or city? If so, share your experience below.


EU Privacy Watchdogs Ask Microsoft For Explanations About Data Collection About Users

A privacy watchdog group in the European Union (EU) are concerned about privacy and data collection practices by Microsoft. The group, comprising 28 agencies and referred to as the Article 29 Working Party, sent a letter to Microsoft asking for explanations about privacy concerns with the software company's Windows 10 operating system software.

The February 2017 letter to Brendon Lynch, Chief Privacy Officer, and to Satya Nadella, Chief Executive Officer, was a follow-up to a prior letter sent in January. The February letter explained:

"Following the launch of Windows 10, a new version of the Windows operating system, a number of concerns have been raised, in the media and in signals from concerned citizens to the data protection authorities, regarding protection of your users’ personal data... the Working Party expressed significant concerns about the default installation settings and an apparent lack of control for a user to prevent collection or further processing of data, as well as concerns about the scope of data that are being collected and further processed... "

Microsoft logo While Microsoft has been cooperative so far, the group's specific privacy concerns:

"... user consent can only be valid if fully informed, freely given and specific. Whilst it is clear that the proposed new express installation screen will present users with five options to limit or switch off certain kinds of data processing it is not clear to what extent both new and existing users will be informed about the specific data that are being collected and processed under each of the functionalities. The proposed new explanation when, for example, a user switches the level of telemetry data from 'full' to 'basic' that Microsoft will collect 'less data' is insufficient without further explanation. Such information currently is also not available in the current version of the privacy policy.

Additionally, the purposes for which Microsoft collects personal data have to be specified, explicit and legitimate, and the data may not be further processed in a way incompatible with those purposes. Microsoft processes data collected through Windows 10 for different purposes, including personalised advertising. Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid..."

Visit this EU link for more information about the Article 29 Working Party, or download the Article 29 Working Party letter to Microsoft (Adobe PDF).


GOP Legislation In Congress To Revoke Consumer Privacy And Protections

Logo for Republican Party, also known as the GOP The MediaPost Policy Blog reported:

"Republican Senator Jeff Flake, who opposes the Federal Communications Commission's broadband privacy rules, says he's readying a resolution to rescind them, Politico reports. Flake's confirmation to Politico comes days after Rep. Marsha Blackburn (R-Tennessee), the head of the House Communications Subcommittee, said she intends to work with the Senate to revoke the privacy regulations."

Blackburn's name is familiar. She was a key part of the GOP effort in 2014 to keep state laws in place to limit broadband competition by preventing citizens from forming local broadband providers. To get both higher speeds and lower prices compared to offerings by corporate internet service providers (ISPs), many people want to form local broadband providers. They can't because 20 states have laws preventing broadband competition. A worldwide study in 2014 found the consumers in the United States get poor broadband value: pay more and get slower speeds. Plus, the only consumers getting good value were community broadband customers. In June 2014, the FCC announced plans to challenge these restrictive state laws that limit competition, and keep your Internet prices high. That FCC effort failed. To encourage competition and lower prices, several Democratic representatives introduced the Community Broadband Act in 2015.That legislation went nowhere in a GOP-controlled Congress.

Pause for a moment and let that sink in. Blackburn and other GOP representatives have pursued policies where we consumers all pay more for broadband due to the lack of competition. The GOP, a party that supposedly dislikes regulation and prefers free-market competition, is happy to do the opposite to help their corporate donors. The GOP, a party that historically has promoted states' rights, now uses state laws to restrict the freedoms of constituents at the city, town, and local levels. And, that includes rural constituents.

Too many GOP voters seem oblivious to this. Why Democrats failed to capitalize on this broadband issue, especially during the Presidential campaign last year, is puzzling. Everyone needs broadband: work, play, school, travel, entertainment.

Now, back to the effort to revoke the FCC's broadband privacy rules. Several cable, telecommunications, and advertising lobbies sent a letter in January asking Congress to remove the broadband privacy rules. That letter said in part:

"... in adopting new broadband privacy rules late last year, the Federal Communications Commission (“FCC”) took action that jeopardizes the vibrancy and success of the internet and the innovations the internet has and should continue to offer. While the FCC’s Order applies only to Internet Service Providers (“ISPs”), the onerous and unnecessary rules it adopted establish a very harmful precedent for the entire internet ecosystem. We therefore urge Congress to enact a resolution of disapproval pursuant to the Congressional Review Act (“CRA”) vitiating the Order."

The new privacy rules by the FCC require broadband providers (a/k/a ISPs) to obtain affirmative “opt-in” consent from consumers before using and sharing consumers' sensitive information; specify the types of information that are sensitive (e.g., geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications); stop using and sharing information about consumers that have opted out of information sharing; meet transparency requirements to clearly notify customers about the information collection sharing and how to change their opt-in or opt-out preferences, prohibit "take-it-or-leave-it" offers where ISPs can refuse to serve customers who don't consent to the information collection and sharing; and comply with "reasonable data security practices and guidelines" to protect the sensitive information collected and shared.

The new FCC privacy rules are common sense stuff, but clearly these companies view common-sense methods as a burden. They want to use consumers' information however they please without limits, and without consideration for consumers' desire to control their own personal information. And, GOP representatives in Congress are happy to oblige these companies in this abuse.

Alarmingly, there is more. Lots more.

The GOP-led Congress also seeks to roll back consumer protections in banking and financial services. According to Consumer Reports, the issue arose earlier this month in:

"... a memo by House Financial Services Committee Chairman Rep. Jeb Hensarling (R-Tex), which was leaked to the press yesterday... The fate of the database was first mentioned [February 9th] when Bloomberg reported on a memo by Hensarling, an outspoken critic of the CFPB. The memo outlined a new version of the Financial CHOICE Act (Creating Hope and Opportunity for Investors, Consumers and Entrepreneurs), a bill originally advanced by the House Financial Services Committee in September. The new bill would lead to the repeal of the Consumer Complaint Database. It would also eliminate the CFPB's authority to punish unfair, deceptive or abusive practices among banks and other lenders, and it would allow the President to handpick—and fire—the bureau's director at will."

Banks have paid billions in fines to resolve a variety of allegations and complaints about wrongdoing. Consumers have often been abused by banks. You may remember the massive $185 million fine for the phony accounts scandal at Wells Fargo. Or, you may remember consumers forced to use prison-release cards. Or, maybe you experienced debt collection scams. And, this blog has covered extensively much of the great work by the CFPB which has helped consumers.

Does these two legislation items bother you? I sincerely hope that they do bother you. Contact your elected officials today and demand that they support the FCC privacy rules.


Travelers Face Privacy Issues When Crossing Borders

If you travel for business, pleasure, or both then today's blog post will probably interest you. Wired Magazine reported:

"In the weeks since President Trump’s executive order ratcheted up the vetting of travelers from majority Muslim countries, or even people with Muslim-sounding names, passengers have experienced what appears from limited data to be a “spike” in cases of their devices being seized by customs officials. American Civil Liberties Union attorney Nathan Wessler says the group has heard scattered reports of customs agents demanding passwords to those devices, and even social media accounts."

Devices include smartphones, laptops, and tablets. Many consumers realize that relinquishing passwords to social networking sites (e.g., Facebook, Instagram, etc.) discloses sensitive information not just about themselves, but also all of their friends, family, classmates, neighbors, and coworkers -- anyone they are connected with online. The "Bring Your Own Device" policies by many companies and employers means that employees (and contractors) can use their personal devices in the workplace and/or connected remotely to company networks. Those connected devices can easily divulge company trade secrets and other sensitive information when seized by Customs and Border Patrol (CBP) agents for analysis and data collection.

Plus, professionals such as attorneys and consultants are required to protect their clients' sensitive information. These professionals, who also must travel, require data security and privacy for business.

Wired also reported:

"In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.

Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents."

For travelers wanting privacy, what are the options? Remain at home? This may not be an option for workers who must travel for business. Leave your devices at home? Again, impractical for many. The Wired article provided several suggestions, including:

"If customs officials do take your devices, don’t make their intrusion easy. Encrypt your hard drive with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too..."

What are the consequences when travelers refuse to disclose passwords and encrpt devices? Ars Technica also explored the issues:

"... Ars spoke with several legal experts, and contacted CBP itself (which did not provide anything beyond previously-published policies). The short answer is: your device probably will be seized (or "detained" in CBP parlance), and you might be kept in physical detention—although no one seems to be sure exactly for how long.

An unnamed CBP spokesman told The New York Times on Tuesday that such electronic searches are extremely rare: he said that 4,444 cellphones and 320 other electronic devices were inspected in 2015, or 0.0012 percent of the 383 million arrivals (presuming that all those people had one device)... The most recent public document to date on this topic appears to be an August 2009 Department of Homeland Security paper entitled "Privacy Impact Assessment for the Border Searches of Electronic Devices." That document states that "For CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist." The policy also states that CBP or Immigration and Customs Enforcement "may demand technical assistance, including translation or decryption," citing a federal law, 19 US Code Section 507."

The Electronic Frontier Foundation (EFF) collects stories from travelers who've been detained and had their devices seized. Clearly, we will hear a lot more in the future about these privacy issues. What are your opinions of this?


Town Hall With Congressman Stephen Lynch About Security And Rights

Official photo of Congressman Stephen F. Lynch. Click to view larger version Congressman Stephen F. Lynch (Democrat, 8th District of Massachusetts) held a town hall meeting on Friday February 3, 2017 titled, “Keeping America Safe While Preserving Our Constitutional Rights.” The 7:00 pm event at the Milton High School auditorium was heavily attended (see photos below) with an estimated attendance of about 500 to 700 persons. The website and e-mail invitation from Congressman Lynch’s office described the meeting agenda:

"The Town Hall will be an opportunity for constituents to come together to discuss the legal implications of President Trump’s executive actions, to discuss what can be done to resist any infringements of Constitutional rights and discuss existing and ongoing efforts to ensure safety in our homeland, and to provide resources for those who may need assistance."

Representative Lynch serves on the Oversight and Government Reform Committee and the Financial Services Committee. He is the lead Democrat on the National Security Subcommittee, responsible for overseeing the Departments of State, Defense and Homeland Security, and the United States Agency for International Development. He was sworn in to the United States Congress in October 2001, after the sudden passing of Congressman John Joseph Moakley.

Partial view of February 3, 2017 town hall session. Milton HS auditorium. Click to view larger version Representative Lynch opened the meeting with remarks about his experience in Congress, the heavier than usual volume of emails, phone calls, and visits to his office since the flurry of Executive Orders by President Trump, his 17 trips to the Middle East including Iraq and Turkey, his visits to refugee camps, and his familiarity with the vetting process for immigrants wanting to relocate to the United States.

Representative Lynch said regarding refugees and immigrants that the "facts on the ground" are often very different than what is reported in the news media or by the current White House. He explained that many Syrians spend several years in refugee camps, since many want to return to their homes and not immigrate to other countries. And, the United States is probably number 10 in a list of desired locations of refugees wanting to relocate to another country.

He also described an overview of the vetting process, which includes interviews, biometrics, retina scans, and follow-up sessions with about 18 steps lasting 14 to 18 months. Several U.S. Federal government agencies are involved in the vetting process. Congressman Lynch described President Trump's Executive Order banning immigrants from seven Middle East countries as "wrong and unnecessary," and was conducted carelessly.

Congressman Lynch held an hour-long telephone town hall on January 24, 2017. He has co-sponsored H.R.852 in the 115th Congress (2017-2018) to:

"... amend the Immigration and Nationality Act to provide that an alien may not be denied admission or entry to the United States, or other immigration benefits, because of the alien's religion, and for other purposes."

H.R. 852 was sponsored by Representative Donald S. Beyer, Jr. (Democrat, Virginia) and introduced On February 3, 2017. It is in committee. View the list of bills sponsored or co-sponsored by Congressman Lynch.

The February 3 town hall session started at 7:00 pm. Carl Williams, a staff attorney with the American Civil Liberties Union (ACLU), also spoke and briefly discussed recent decisions by several federal court judges about President Trump's immigration ban, which applies to seven majority Muslim countries: Iraq, Syria, Iran, Libya, Somalia, Sudan, and Yemen. Late on Friday February 3, a federal court judge in Seattle decided to halt the immigration ban. This was the third major decision after one in New York and a second in Boston.

Partial view of February 3, 2017 town hall session. Milton HS auditorium. Click to view larger version The question-and-answer session started at about 7:55 pm and at least 20 constituents immediately lined up in the auditorium to ask questions. At the check-in table, Congressman Lynch's staff provided index cards for constituents to write and submit questions. During the session, constituents asked a variety of questions at the microphones, including (partial list):

  • How can we help refugees?
  • What will Congressman Lynch do to keep us safe?
  • How do we get our voices heard in other states?
  • Will Congressman Lynch fight for single payer healthcare plan as Republicans propose an alternative to the Affordable Care Act (a/k/a "Obamacare)?
  • How do we get Steve Bannon off the National Security Council?

Representative Lynch reminded constituents that due to the "Separation of Powers" built into our government, the legislative branch has no power to affect how the White House chooses to organize itself. He also reminded attendees of the 55-seat advantage the Republican party has in the House.

Besides several Executive Orders by President Trump, the House of Representatives has taken several actions and votes. I have found the E-Update Newsletter by Congressman Michael Capuano (Democrat, 7th District of Massachusetts) very informative with summaries about recent House activities in easy-to-understand language; plus a running list of activities. Representative Capuano's summaries also include the vote total by party. For example:

Excerpt from February 3, 2017 E-Update Newsletter by Representative Michael Capuano. Click to view larger version

Friday's town hall's agenda was scheduled to end at 9:00 pm. I left at that time, and hadn't heard any mention of security issues about the proposed wall between the United States and Mexico. The town hall was also Live on Facebook, but I found the audio quality poor at times. Always better to attend in person and ask questions directly of a Congressperson.

I did not see any reporters from local news media at the town hall session. If you attended the town hall session, what were your questions or comments? Below is a tweet by Representative Lynch about the town hall.


Boston Women's March And Local Law Enforcement

On Saturday, January 21, 2017 the Boston Police Department (BPD) posted on its Facebook page at 5:45 pm the following about the Women's March:

"To the tens of thousands who participated in today’s Women’s March on Boston Common earlier today, Saturday, January 21, 2017, the men and women of the Boston Police Department would like to thank you for the high levels of respectful and responsible behavior on display throughout the day. Said Commissioner Evans: "Really impressed with the amount of respect and courtesy shown to my officers by everybody attending today's Women’s March and I’d just like to personally thank everybody who demonstrated in a peaceful, polite and respectful manner."

The Boston Globe newspaper reported about the event:

"... the enormous crowd began streaming from Boston Common onto Charles Street, heading to Clarendon Street, where they turned around. So many people marched that it took more than an hour and a half to file out of the Common. City officials estimated that 175,000 attended the demonstration... The Boston event was one of more than 600 marches being held nationwide and globally, on the day after Trump took office... Speakers at the Boston kickoff included Warren, Mayor Martin J. Walsh of Boston, US Senator Edward J. Markey, and Attorney General Maura Healey... By about 1 p.m., marchers began to hit the streets, though the crowd was so big that many had to wait before they could get out of the Common. The gathering was almost evenly split between men and women, and a diverse range of agendas was represented: climate change, antiracism, and Trump’s ties to Russia. On Twitter, Boston police thanked protesters for remaining peaceful."

There more demonstrations in Massachusetts in Falmouth, Greenfield, Nantucket, Provincetown, Northampton, and Pittsfield. Social networking posts about the Boston event by the BPD on Twitter:

Tweet about Womens March by Boston Police Department. Click to view larger version

Tweets about Womens March by Boston Police Department. Click to view larger version

Respectful behavior all around: marchers and law enforcement. Congratulations and thanks to everyone involved, plus very respectful messages on social networking sites by the BPD. Hopefully, in the future more citizens and police departments around the country will follow Boston's lead. That is truly #BostonStrong.

Yes, I live and work in Boston. What happened in your city? How did your city's law enforcement respond. Share below.


FINRA Fined 12 Brokerage Firms $14.4 Million For Inadequate Data Security

Just before the long holiday break, the Financial Industry Regulatory Authority (FINRA) announced that it fined 12 banks and brokerage firms a total of $14.4 million for failing to adequately protect information in electronic broker-dealer and customer records. The FINRA announcement explained:

"... at various times, and in most cases for prolonged periods, the firms failed to maintain electronic records in “write once, read many,” or WORM, format, which prevents the alteration or destruction of records stored electronically... Federal securities laws and FINRA rules require that business-related electronic records be kept in WORM format to prevent alteration. The SEC has stated that these requirements are an essential part of the investor protection function... FINRA found that each of these 12 firms had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records pivotal to the firms’ brokerage businesses, spanning multiple systems and categories of records... each of the firms had related procedural and supervisory deficiencies affecting their ability to adequately retain and preserve broker-dealer records stored electronically. In addition, FINRA found that three of the firms failed to retain certain broker-dealer records the firms were required to keep under applicable record retention rules. In settling this matter, the firms neither admitted nor denied the charges, but consented to the entry of FINRA's findings."

The firms fined and the amounts for each:

"Wells Fargo Securities, LLC and Wells Fargo Prime Services, LLC were jointly fined $4 million. RBC Capital Markets LLC and RBC Capital Markets Arbitrage S.A. were jointly fined $3.5 million. RBS Securities, Inc. was fined $2 million. Wells Fargo Advisors, LLC, Wells Fargo Advisors Financial Network, LLC and First Clearing, LLC were jointly fined $1.5 million. SunTrust Robinson Humphrey, Inc. was fined $1.5 million. LPL Financial LLC was fined $750,000. Georgeson Securities Corporation was fined $650,000. PNC Capital Markets LLC was fined $500,000.

In September, Wells Fargo bank paid $185 million in fines to settle charges of alleged unlawful sales practices during the past five years. LPL Financial had several data breaches during 2007 to 2009.

For readers seeking more information, the FINRA announcement includes links to the settlement agreements.