
Experts Find Security Flaw In Wireless Encryption Software. Most Mobile Devices At Risk

Researchers have found a new security vulnerability which places most computers, smartphones, and wireless routers at risk. The vulnerability allows hackers to decrypt and eavesdrop on victims' wireless network traffic, and to inject content (e.g., malware) into users' wireless data streams. ZDNet reported yesterday:

"The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network... The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk."

Reportedly, the vulnerability was confirmed on Monday by U.S. Homeland Security's cyber-emergency unit US-CERT, which had warned vendors about two months ago.
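To make the handshake point concrete, here is an added toy model of the key-install step that KRACK abuses; it is not code from ZDNet, the researcher, or any vendor. The `Supplicant` class and the HMAC-based keystream are stand-ins for a real client and for WPA2's CCMP cipher, but the property shown (reinstalling the key resets the packet nonce, and a reused nonce makes two ciphertexts leak the XOR of their plaintexts) holds for any counter-mode cipher:

```python
"""Toy model of the WPA2 four-way handshake key-install step behind KRACK.

Added illustration, not the page's code. Real WPA2 uses AES-CCMP; a
keystream derived from HMAC-SHA256 over (key, nonce) stands in for it so the
demo stays in the standard library. Nonce reuse leaks plaintext XOR for any
stream/counter-mode cipher, CCMP and GCMP included.
"""
import hashlib
import hmac


def keystream(key, nonce, length):
    """Stand-in for a counter-mode keystream: deterministic in (key, nonce)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake (hypothetical class). Tracks the pairwise
    key and the per-packet nonce counter."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.nonce = 0
        self.installed = False

    def on_message3(self, ptk):
        """Handle handshake message 3, which triggers the key install.

        An unpatched client reinstalls the key and resets the nonce counter
        on every message 3, including a retransmitted or replayed one.
        A patched client installs the key once and ignores repeats.
        """
        if self.patched and self.installed:
            return  # repeat of message 3: keep the current nonce counter
        self.ptk = ptk
        self.nonce = 0
        self.installed = True

    def encrypt(self, plaintext):
        n = self.nonce
        self.nonce += 1
        return n, xor(plaintext, keystream(self.ptk, n, len(plaintext)))


def simulate(patched):
    """Send one frame, repeat message 3, send another; report what happened."""
    ptk = hashlib.sha256(b"constructed demo PTK").digest()  # constructed key
    client = Supplicant(patched)
    client.on_message3(ptk)
    p1 = b"GET /account HTTP/1.1"
    n1, c1 = client.encrypt(p1)
    client.on_message3(ptk)  # message 3 arrives again (retransmit or replay)
    p2 = b"POST /login  HTTP/1.1"
    n2, c2 = client.encrypt(p2)
    reused = n1 == n2
    return {
        "nonce_reused": reused,
        # With a reused nonce the keystreams cancel out: c1 ^ c2 == p1 ^ p2,
        # which is what lets an eavesdropper recover traffic.
        "xor_leaks_plaintext": reused and xor(c1, c2) == xor(p1, p2),
    }


if __name__ == "__main__":
    print("unpatched:", simulate(False))
    print("patched:  ", simulate(True))
```

The vendor patches described above do the equivalent of the `patched` branch: install the key only once per handshake, so a repeated message 3 can no longer reset the nonce.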

What should consumers do? Experts advise consumers to update the software in all mobile devices connected to their home wireless router. Obviously, that means first contacting the maker of your home wireless router, or your Internet Service Provider (ISP), for software patches to fix the security vulnerability.

ZDNet also reported that the security flaw:

"... could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched Internet-of-things (IoT) devices being exposed for use by botnets."

So, plenty of home devices must also be updated. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., mouse traps, wine bottles, crock pots, toy dolls, and trash/recycle bins). One "price" of wireless convenience is the responsibility for consumers and device makers to continually update the security software in internet-connected devices. Nobody wants their home router and devices participating in scammers' and fraudsters' botnets with malicious software.

ZDNet also listed software patches by vendor. And:

"In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android 6.0 Marshmallow and newer... At the time of writing, neither Toshiba and Samsung responded to our requests for comment..."

Hopefully, all of the Internet-connected devices in your home provide for software updates. If not, then you probably have some choices ahead: whether to keep that device or upgrade to better device for security. Comments?


Here Comes The Post-Equifax-Breach Spam From Scammers

If you haven't received them yet, you probably will soon. Here comes the spam - unwanted e-mail messages - from scammers, supposedly related to the massive Equifax data breach. The spam will likely include phishing attacks: attempts to trick consumers into disclosing sensitive bank account and payment data.

What might this spam look like? The spam filter by my e-mail provider recently trapped the message below in my spam folder:

[Image: suspected spam e-mail]

The sender's intent is to clearly leverage consumers' anxieties and fears about the massive, horrific Equifax breach. The e-mail message also states:

[Image: suspected spam e-mail, continued]

The message offers both three free credit scores and free credit reports. The problems I see with this e-mail:

  1. The message doesn't list a price for its offer. The company name -- FreeCreditClick -- implies the offer is free.
  2. Key items in the e-mail don't match. The company name in the "From" field doesn't match the e-mail address. Nor does the company name in the "From" field match the company name in the body of the message.
  3. The sender's e-mail address in the "From" field includes a version of an e-mail address I've seen before in other spam.
  4. The Equifax site already directs consumers affected by the data breach to an Equifax site to learn how to get protection (e.g., credit monitoring and fraud resolution services) for free.
  5. The e-mail offers credit reports from the three major credit reporting agencies: Experian, Equifax, and TransUnion. Informed consumers know that the official website for free credit reports is annualcreditreport.com.
  6. Informed consumers know that while there are several brands of credit scores, they probably need a single good one.
  7. The e-mail contains order and unsubscribe links with destinations that match neither the company name in "1" nor the one in "2."

To understand #7, I reviewed the underlying HTML markup used to create this e-mail message:

[Image: HTML markup of the suspected spam e-mail]

The destinations for both the order link (A) and the unsubscribe link (B) contain the "proffbuilder.com" site and embedded redirect commands. The redirect commands could take your web browser anywhere. Too risky, so I did not click on them.

As best I can tell, this definitely is spam. I don't trust it. What do you think?
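The checks walked through above (From name versus sending domain, link destinations versus the sender, and links that carry embedded redirect parameters) can be automated. The following is an added example, not from the blog; the sample messages, every domain in them (all under the reserved `.test` TLD), and the `REDIRECT_PARAMS` list are constructed for the demo:

```python
"""Header and link checks for a suspected spam e-mail (added example).

Parses a raw RFC 822 message, compares the From display name and Reply-To
against the sending domain, extracts every <a href> from the HTML body, and
flags links that leave the sender's domain or carry an embedded redirect URL.
The display-name heuristic is deliberately crude: it asks only whether the
name appears inside the sending domain.
"""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the post: mismatched names, offsite links.
SAMPLE = """\
From: FreeScoreOffers <promo@mailer-example.test>
Reply-To: unsubscribe@tracker-example.test
Subject: Your 3 Free Credit Scores After The Breach
Content-Type: text/html

<html><body>
<p>CreditClick Services offers three free scores.</p>
<a href="http://redirect-example.test/go?url=http://landing-example.test/order">Order</a>
<a href="http://redirect-example.test/u?r=http://other-example.test/x">Unsubscribe</a>
</body></html>
"""

# Constructed legitimate message: name matches domain, link stays on-site.
CLEAN = """\
From: Example Bank <alerts@examplebank.test>
Subject: Statement ready
Content-Type: text/html

<html><body><a href="https://www.examplebank.test/statements">View</a></body></html>
"""

# Query-string keys commonly used to carry a redirect target (assumed list).
REDIRECT_PARAMS = {"url", "u", "r", "redirect", "goto", "target", "dest", "link"}


class LinkCollector(HTMLParser):
    """Collects href values of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def registrable(host):
    """Crude 'company' part of a hostname: the last two labels (demo only)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:])


def analyze(raw):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rsplit("@", 1)[-1].lower() if reply else from_domain
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    # Check 2 from the post: display name should relate to the sending domain.
    if name and name.lower().replace(" ", "") not in from_domain.replace("-", ""):
        findings.append("from_name_domain_mismatch")
    # Replies going to a different domain than the sender is another mismatch.
    if reply_domain != from_domain:
        findings.append("reply_to_domain_differs")
    for href in collector.links:
        url = urlparse(href)
        # Check 7: link destinations that are not the sender's own site.
        if registrable(url.hostname) != registrable(from_domain):
            findings.append("link_offsite:%s" % url.hostname)
        # Embedded redirect: a query value that is itself a full URL.
        for key, vals in parse_qs(url.query).items():
            if key.lower() in REDIRECT_PARAMS and any(v.startswith("http") for v in vals):
                target = urlparse(vals[0]).hostname
                findings.append("link_redirect:%s->%s" % (url.hostname, target))
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, analyze(raw))
```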


FCC: You Really Don't Need High-Speed Internet Services

The U.S. Federal Communications Commission (FCC) seeks to lower key internet standards: the minimum download and upload speeds for services to qualify as high-speed internet (a/k/a broadband). What the heck, you ask? Sadly, this is no joke.

First, some background. Section 706 of the Telecommunications Act requires the FCC to determine whether broadband services are deployed to all Americans in a reasonable and timely manner. In 2015, the FCC raised the standard after a 2015 report found that broadband deployment in the United States wasn't keeping pace with its citizens' needs or with the rest of the planet:

"Congress directed us to evaluate annually "whether advanced telecommunications capability is being deployed to all Americans in a reasonable and timely fashion." For a service to be considered advanced, it must enable Americans "to originate and receive high-quality voice, data, graphics, and video telecommunications." We can no longer conclude that broadband at speeds of 4 megabits per second (Mbps) download and 1 Mbps upload (4 Mbps/1 Mbps)—a benchmark established in 2010 and relied on in the last three Reports—supports the “advanced” functions Congress identified. Trends in deployment and adoption, the speeds that providers are offering today, and the speeds required to use high-quality video, data, voice, and other broadband applications all point at a new benchmark. The average household has more than 2.5 people, and for family households, the average household size is as high as 4.3... we find that, having “advanced telecommunications capability” requires access to actual download speeds of at least 25 Mbps and actual upload speeds of at least 3 Mbps (25 Mbps/3 Mbps)... Although public- and private-sector initiatives continue to advance deployment, these advances are not occurring broadly enough or quickly enough. Recent data show that approximately 55 million Americans (17 percent) live in areas unserved by fixed 25 Mbps/3 Mbps broadband or higher service, and that gap closed only by three percentage points in the last year... Americans living in rural areas and on Tribal lands disproportionately lack access to broadband. Our data show that 25 Mbps/3 Mbps capability is unavailable to 8 percent of Americans living in urban areas, compared to 53 percent of Americans living in rural areas and 63 percent of Americans living on Tribal lands and in the U.S. Territories. The gap between those with and without access declined by only 2 percent in rural areas..."

Note: the FCC phrase "advanced telecommunications capability" equals broadband. The vote in 2015 by FCC commissioners to raise the standard was 3-2 along party lines. (Democrats held a majority.) Then, the FCC released a Fact Sheet on January 7, 2016 which (again) highlighted the broadband deployment shortfalls:

"While the nation continues to make progress in broadband deployment, advanced telecommunications capability is not being deployed in a reasonable and timely fashion to all Americans. Factors leading to this conclusion are as follows: a) Approximately 34 million Americans still lack access to fixed broadband at the FCC’s benchmark speed of 25 Mbps for downloads, 3 Mbps for uploads; b) A persistent urban-rural digital divide has left 39 percent of the rural population without access to fixed broadband. By comparison, only 4 percent living in urban areas lack access. 10 percent lack access nationwide; c) 41 percent of Tribal Lands residents lack access; d) 41 percent of schools have not met the Commission’s short-term goal of 100 Mbps per 1,000 students/staff. These schools educate 47 percent of the nation’s students... Internationally, the U.S. continues to lag behind a number of other developed nations, ranking 16th out of 34 countries."

16th place is not American excellence. Not even close. We can and should do much better. The Fact Sheet also concluded that everyone needs both fixed and mobile internet access:

"Fixed and mobile service offer distinct functions meeting both complementary and distinct needs: a) Fixed broadband offers high-speed, high-capacity connections capable of supporting bandwidth-intensive uses, such as streaming video, by multiple users in a household; b) But fixed broadband can't provide consumers with the mobile Internet access required to support myriad needs outside the home and while working remotely.

Mobile devices provide access to the web while on the go, and are especially useful for real-time two-way interactions, mapping applications, and social media. But consumers who rely solely on mobile broadband tend to perform a more limited range of tasks and are significantly more likely to incur additional usage fees or forgo use of the Internet."

We all need fast, wired internet at home, at work, and in school. We all need fast, wireless internet when traveling on business, vacation, or working away from the office or school. Sensible.

On Thursday, Jessica Rosenworcel, one of the commissioners at the FCC, posted on Twitter:

What gives? Last month, the FCC filed a Notice of Inquiry (a/k/a "Inquiry Concerning Deployment of Advanced Telecommunications Capability to All Americans in a Reasonable and Timely Fashion" - document #17-109A1) which attempts to consolidate the fixed and mobile broadband speeds into a single standard:

"...We propose to incorporate both fixed and mobile advanced telecommunications services into our Section 706 inquiry... According to the Pew Research Center, the percentage of Americans subscribing to fixed broadband has reached an all-time high of approximately 73 percent. At the same time, 13 percent of Americans across all demographic groups are relying solely on smartphones for home internet access. Given that Americans use both fixed and mobile broadband technologies, we seek comment on whether we should evaluate the deployment of fixed and mobile broadband as separate and distinct ways to achieve advanced telecommunications capability... Alternatively, we seek comment on whether we should evaluate the deployment based on the presence of both fixed and mobile services... We seek comment on the appropriate benchmark for fixed advanced telecommunications capability. Should we maintain the 25 Mbps download, 3 Mbps upload (25 Mbps/3 Mbps) speed benchmark, and to apply it to all forms of fixed broadband?... The [FCC] has not previously set a mobile speed benchmark... Should the Commission set a mobile speed benchmark, and if so, what it should be? We anticipate that any speed benchmark we set would be lower than the 25 Mbps/3 Mbps benchmark adopted for fixed broadband services, given differing capabilities of mobile broadband... We seek comment on whether a mobile speed benchmark of 10 Mbps/1 Mbps is appropriate for mobile broadband services. Would a download speed benchmark higher or lower than 10 Mbps be appropriate for the purpose of assessing American consumers’ access to advanced telecommunications capability?"

A subsequent FCC document extended the comment period. The first deadline for the public -- you -- to submit comments ended Thursday, September 21, 2017. The next deadline for comments is October 6, 2017. You can still submit comments to the FCC until October 6 during the reply comment period (Filing 17-199).

To recap the decision: the FCC could use two different standards (one for fixed internet and a second for wireless internet), or go with a single, lower standard which (supposedly) accommodates both.

Some readers are probably wondering: a lower broadband standard seems like taking the country backwards. During both the 2016 campaign and after entering office, President Trump promised to improve the country's crumbling infrastructure. Faster internet seems to be a pretty damn important part of the country's infrastructure. And, President Trump appointed Ajit Pai as the new Chairman at the FCC, which gave Republicans a majority of the voting commissioners.

Ars Technica reported:

"Democratic Commissioner Mignon Clyburn objected to parts of the Notice of Inquiry when it was released, saying that the home broadband speed standard should be raised and that mobile should not be considered a substitute for home Internet... Rosenworcel didn't make an official statement when the Notice of Inquiry was released because she wasn't on the commission at that time; she was sworn in for a new term just days later. She previously served on the FCC before a temporary departure caused by political haggling in the Senate."

Rosenworcel released a statement:

"... It’s time to dream big. This is the country that put a man on the moon. We invented the Internet. We can do audacious things — if we set big goals. So I believe we need big broadband goals... I am glad that last year we upped the ante and changed that threshold to 25 Megabits. I support the continued use of this standard today. But I think we need to go big and be bold. I think our new threshold should be 100 Megabits — and Gigabit speed should be in our sights. I believe anything short of goals like this shortchanges our children, our future, and our digital economy."

I agree with Rosenworcel. Moreover, the Pai-led FCC seems intent upon doing what corporate broadband services demand: roll back privacy, roll back net neutrality, and, next, a lower broadband standard. In 2015, Pai (then a commissioner) opposed the increase in standards.

The skeptic in me worries that a lower, slower standard allows corporate broadband providers to rely solely upon wireless to serve consumers and businesses -- especially those in rural areas. A single, lower standard allows broadband providers to take the foot off the gas pedal of building out the fixed broadband infrastructure -- the fiber-optic and other cabling we all use and need. In this scenario, consumers (yet again) take it on the chin with slower wireless speeds compared to a built-out fixed broadband infrastructure.

Those supporting a single, lower, slower broadband standard might as well yell: "We are number 16. Yeah!" What do you think?


A Greater Volume Of Bogus Email Messages

Have you checked your e-mail spam folder? Your e-mail provider's spam filter is a highly valuable tool which identifies and collects bogus, unwanted messages, which often either contain malware or link to sites that do. I happily use my e-mail provider's spam tool. It saves me plenty of time and aggravation.

You don't have to read the messages collected in your spam folder by your e-mail service. I do occasionally because I've taken my online security a step further. I configured the spam filter to trap all inbound messages not in my e-mail address book, and not only the messages it identified as spam. For me, nothing gets through unless I already know you. I don't want any of this garbage downloaded to my laptop's hard drive.

Call me extra careful.

Recently, when I scanned my spam folder I found a flood of messages, up from three to five daily to 30 or 40. The subject lines of the bogus messages included a wide variety of offers: timeshare rentals, hair removal products, credit scores, credit cards, dating services, pet products, wrinkle removal products, home refinance loans, ink for computer printers, and much more. Often, the bogus messages pretended to be from valid businesses, such as Amazon and Walmart. A partial list of the messages in my spam folder:

[Image: partial list of messages in a spam folder]

Clearly, the spammers hope to trick users into opening these messages. Don't. Experts advise consumers not to reply to these bogus e-mails. If you do, you'll only get more.

If you know where to look, it's fairly easy to spot the spam. All of the messages include the same e-mail reply address. In this instance it is contact@cron-job.org. Unfortunately, Cron-Job is a valid business which did not send out this spam. According to the Denver Post:

"Cron-jobs is a non-profit organization supporting Cron, a Unix-software utility. The site was spoofed! Cron-jobs documents what happened here: cron-job.org/en/spam-statement... The messages are not from them, thus they cannot stop them. They don't even use the "contact@cron-job.org" email... The messages are likely being sent on a bot-network. These are computers that have malware on them and their owners don't know the machines were hijacked..."

So, a word to the wise. Regularly scan your computers (e.g., laptop, desktop, tablet, phone) to identify and remove malware. You don't want to contribute to the e-mail spam problem.

I noticed another sender's e-mail address generating lots of spam: XXXXXXXXXXXXaolea.us. The spammers vary the numbers and letters in the XXX portion of the e-mail address, but my e-mail service provider is skilled at identifying bogus messages.

Last, if you haven't activated the spam filter offered by your e-mail provider, now is a good time to do so.


Despite Disavowals, Leading Tech Companies Help Extremist Sites Monetize Hate

[Editor's note: today's guest post, by reporters at ProPublica, explores how hate sites maintain an online presence. It is reprinted with permission.]

By Julia Angwin, Jeff Larson, Madeleine Varner and Lauren Kirchner. ProPublica

Because of its "extreme hostility toward Muslims," the website Jihadwatch.org is considered an active hate group by the Southern Poverty Law Center and the Anti-Defamation League. The views of the site's director, Robert Spencer, on Islam led the British Home Office to ban him from entering the country in 2013.

But its designation as a hate site hasn't stopped tech companies -- including PayPal, Amazon and Newsmax -- from maintaining partnerships with Jihad Watch that help to sustain it financially. PayPal facilitates donations to the site. Newsmax -- the online news network run by President Donald Trump's close friend Chris Ruddy -- pays Jihad Watch in return for users clicking on its headlines. Until recently, Amazon allowed Jihad Watch to participate in a program that promised a cut of any book sales that the site generated. All three companies have policies that say they don't do business with hate groups.

Jihad Watch is one of many sites that monetize their extremist views through relationships with technology companies. ProPublica surveyed the most visited websites of groups designated as extremist by either the SPLC or the Anti-Defamation League. We found that more than half of them -- 39 out of 69 -- made money from ads, donations or other revenue streams facilitated by technology companies. At least 10 tech companies played a role directly or indirectly in supporting these sites.

Traditionally, tech companies have justified such relationships by contending that it's not their role to censor the Internet or to discourage legitimate political expression. Also, their management wasn't necessarily aware that they were doing business with hate sites because tech services tend to be automated and based on algorithms tied to demographics.

In the wake of last week's violent protest by alt-right groups in Charlottesville, more tech companies have disavowed relationships with extremist groups. During just the last week, six of the sites on our list were shut down. Even the web services company Cloudflare, which had long defended its laissez-faire approach to political expression, finally ended its relationship with the neo-Nazi site The Daily Stormer last week.

"I can't recall a time where the tech industry was so in step in their response to hate on their platforms," said Oren Segal, director of the ADL's Center on Extremism. "Stopping financial support to hate sites seems like a win-win for everyone."

But ProPublica's findings indicate that some tech companies with anti-hate policies may have failed to establish the monitoring processes needed to weed out hate sites. PayPal, the payment processor, has a policy against working with sites that use its service for "the promotion of hate, violence, [or] racial intolerance." Yet it was by far the top tech provider to the hate sites with donation links on 23 sites, or about one-third of those surveyed by ProPublica. In response to ProPublica's inquiries, PayPal spokesman Justin Higgs said in a statement that the company "strives to conscientiously assess activity and review accounts reported to us."

After Charlottesville, PayPal stopped accepting payments or donations for several high-profile white nationalist groups that participated in the march. It posted a statement that it would remain "vigilant on hate, violence & intolerance." It addresses each case individually, and "strives to navigate the balance between freedom of expression" and the "limiting and closing" of hate sites, it said.

After being contacted by ProPublica, Newsmax said it was unaware that the three sites that it had relationships with were considered hateful. "We will review the content of these sites and make any necessary changes after that review," said Andy Brown, chief operating officer of Newsmax.

Amazon spokeswoman Angie Newman said the company had previously removed Jihad Watch and three other sites identified by ProPublica from its program sharing revenue for book sales, which is called Amazon Associates. When ProPublica pointed out that the sites still carried working links to the program, she said that it was their responsibility to remove the code. "They are no longer paid as an Associate regardless of what links are on their site once we remove them from the Associates Program," she said.

Where to set the boundaries between hate speech and legitimate advocacy for perspectives on the edge of the political spectrum, and who should set them, are complex and difficult questions. Like other media outlets, we relied in part on the Southern Poverty Law Center's public list of "Active Hate Groups 2016." This list is controversial in some circles, with critics questioning whether the SPLC is too quick to brand organizations on the right as hate groups.

Still, the center does provide detailed explanations for many of its designations. For instance, the SPLC documents its decision to include the Family Research Council by citing the evangelical lobbying group's promotion of discredited science and unsubstantiated attacks on gay and lesbian people. We also consulted a list from ADL, which is not public and that was provided to us for research purposes. See our methodology here.

The sites that we identified from the ADL and SPLC lists vehemently denied that they are hate sites.

"It is not hateful, racist or extremist to oppose jihad terror," said Spencer, the director of Jihad Watch. He added that the true extremism was displayed by groups that seek to censor the Internet and that by asking questions about the tech platforms on his site, we were "aiding and abetting a quintessentially fascist enterprise."

Spencer made these comments in response to questions emailed by ProPublica reporter Lauren Kirchner. Afterwards, Spencer posted an item on Jihad Watch alleging that "leftist 'journalist'" Kirchner had threatened the site. He also posted Kirchner's photo and email, as well as his correspondence with her. After being contacted by ProPublica, another anti-Islam activist, Pamela Geller, also posted an attack on Kirchner, calling her a "senior reporting troll." Like Spencer, Geller was banned by the British Home Office; her eponymous site is on the SPLC and ADL lists.

Donations -- and the ability to accept them online through PayPal and similar companies -- are a lifeline for sites like Jihad Watch. In 2015, the nonprofit website disclosed that three quarters of its roughly $100,000 in revenues came from donations, according to publicly available tax records.

In recent weeks, PayPal has been working to shut down donations to extremist sites. This week, it pulled the plug on VDARE.com, an anti-immigration website designated as "white nationalist" by the SPLC and as a hate site by the ADL. VDARE, which denies being white nationalist, immediately switched to its backup system, Stripe.

Stripe, a private company recently described by Bloomberg Businessweek as a $9 billion startup, is unusual in not having a policy against working with hate sites. It does, however, prohibit financial transactions that support drugs, pornography and "psychic services." Stripe provided donation links for 10 sites, second only to PayPal on our list. Stripe did not respond to a request for comment.

VDARE editor Peter Brimelow declared on his site that the PayPal shutdown was likely part of a purge by the "authoritarian Communist Left to punish anyone who disagrees with their anti-American violence against patriotic people." He urged his readers to donate through other channels such as Bitcoins. "We need your help desperately," he wrote. "We must have the resources to defend ourselves and our people."

In 2015, VDARE received nearly all of its revenue -- $267,038 out of total $293,663 -- from donations, according to publicly available tax return forms that the Internal Revenue Service requires nonprofits to disclose.

Brimelow did not respond to our questions, instead characterizing ProPublica as the "Totalitarian Left."

Some sites also supplement their donations with revenue from online advertising. For instance, SonsofLibertyMedia.com, which is on the SPLC list, generated about 10 percent of its revenue -- $37,828 -- from advertising in 2015, according to its tax documents.

The site, which describes itself as promoting a "Judeo-Christian ethic," and recently posted an article declaring that a black activist protesting Confederate statues needed "a serious beat down," does not appear to attract advertisers directly.

Instead, Sons of Liberty benefits from a type of ad-piggybacking arrangement that is becoming more common in the tech industry. The website runs sponsored news articles from a company called Taboola, which shares ad revenues with it. Known for being at the forefront of "click-bait," Taboola places links on websites to articles about celebrities and popular culture.

Taboola's policy prohibits working with sites that have "politically religious agendas" or use hate speech. "We strive to ensure the safety of our network but from time to time, unfortunately, mistakes can happen," said Taboola spokeswoman Dana Miller. "We will ask our Content Policy group to review this site again and take action if needed."

Sons of Liberty founder Bradlee Dean said that he forwarded our questions to his attorney. The lawyer did not respond.

Hate sites can initiate relationships with tech companies with little scrutiny.

Any website can fill out an online form asking to join, for instance, Amazon's network, and often can get approved instantly. Once a website has joined a tech network, it can quickly start earning money through advertising, donations, or content farms such as Taboola that share ad revenues with websites that distribute their articles.

Some companies, such as Newsmax, say that joining their ad network requires explicit prior approval.

But, according to a former Newsmax employee, the only criterion for this approval was whether traffic to the site reached a minimum threshold. There was no content review. Salespeople were told to be aggressive in signing up publishing partners.

"We'd put our news feed on anybody's page, anyone who was willing to listen," he said, "it's about email addresses, it's about marketing, they don't care about ultra conservative or left wing."

Dylann Roof frequented a website described by the SPLC as "white nationalist." He said in a manifesto posted online that finding the website was a turning point in his life. He went on to murder nine African-American churchgoers in Charleston, South Carolina, in 2015. That year, USA Today found Newsmax ads on the site.

They no longer appear there.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.



The Bogus Claims By Broadband Providers And Their Allies About Net Neutrality

The Techdirt blog has called out -- in plain language -- the bogus claims and distortions by broadband providers about net neutrality rules. Techdirt reported:

"... one of AT&T, Comcast and Verizon's favorite bogus claims about net neutrality rules is that such consumer protections will somehow prevent the sick or disabled from getting the essential internet connectivity they need. For example, Verizon once tried to claim that the deaf and disabled would be harmed if large ISPs weren't allowed to create fast or slow lanes... this claim that net neutrality rules somehow prevent ISPs from prioritizing essential medical technologies or other priority traffic has always been bullshit. The FCC's 2015 open internet rules (pdf) are embedded with numerous, significant caveats when it comes to creating fast and slow lanes... In fact, the existing rules go to great lengths to differentiate "Broadband Internet Access Service (BIAS)," (your e-mail, Netflix streams and other more ordinary traffic) from "Non-BIAS data services," which can include everything from priority VoIP traffic to your heart monitor and other Telemedicine systems."

The U.S. Federal Communications Commission (FCC), led by Ajit Pai a former lawyer at Verizon, moved closer to eliminating net neutrality with a preliminary vote in May. For those who don't know or have forgotten, net neutrality is when consumers are in control -- consumers choose where to go online with the broadband they've purchased, and ISPs must treat all content equally. That means no blocking, no throttling, and no paid prioritization. Net neutrality means consumers stay in control of where they go online.

Without net neutrality, consumers lose the freedom of choice. ISPs will decide where consumers can go online, which sites you can visit, and which sites you can visit only if you pay more. ISPs will likely group web sites into tiers (e.g., slow vs. fast "lanes"), similar to premium cable-TV channels. Do you want your monthly internet bill as confusing, complicated, and expensive as your cable-TV bill? I don't, and I doubt you do either.

TechDirt highlighted other bogus claims:

"... how net neutrality kills network investment) doesn't stop it from being circulated repeatedly by the army of politicians, think tankers, consultants, fauxcademics, and lobbyists paid to pee in the net neutrality discourse pool.

One of the core perpetrators of this myth is AT&T, which just scored a massive, lucrative $6.5 billion contract to build the nation's first, unified emergency first responder network: aka FirstNet... AT&T isn't worried about net neutrality rules harming medical services, since they've long-been exempted. AT&T's worried about one thing: any rules stopping it from abusing a lack of broadband competition to drive up prices and engage in anti-competitive behavior."

Back in May, the U.S. Federal Communications Commission (FCC) moved closer to eliminating net neutrality with a preliminary vote.

What can you do? Plenty. Now is the time for more concerned citizens to rise, speak up, and fight back. Write to your elected officials. Tell your friends, classmates, coworkers, and family members. Use this action form to contact your elected officials. Participate in local marches and protests. Join the Fight For The Future. Support the EFF.


Data Breach Exposes Information Of Millions Of Verizon Customers

A data breach at Verizon has exposed the sensitive information of millions of customers. ZDNet reported:

"As many as 14 million records of subscribers who called the phone giant's customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of NICE Systems, a Ra'anana, Israel-based company. The data was downloadable by anyone with the easy-to-guess web address."

Many businesses use cloud services vendors, such as Amazon Web Services, to outsource the storage of customers' information in online databases. While the practice isn't new, one problem is that customers aren't always informed that their sensitive information is handled this way.

Founded in 1986, NICE Systems has 3,500 employees, serves about 25,000 customers in 150 countries, and provides services to 85 percent of Fortune 100 companies. The exact number of affected Verizon customers is disputed.

The security firm Upguard found the unprotected cloud-based storage server:

"Upguard's Cyber Risk Team can now report that a mis-configured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon. (UPDATE: July 12, 3 PM PST - Both NICE Systems and Verizon have since confirmed the veracity of the exposure, while a Verizon spokesperson has claimed that only 6 million customers had data exposed)."

Whether the total number of breach victims is 6 or 14 million customers, neither is good. The phrase "account details" is troubling. That could mean anything from e-mail addresses to payment information to residential addresses, or more.

Upguard's announcement added:

"Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.

Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data... Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises."

Agreed. This outsourcing business practice may be profitable for all companies involved, but outsourcing does not decrease the risks. Mis-configured cloud servers should not happen. Not good. The event raises the question: when has this happened before and gone undetected?
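The NICE Systems exposure came down to a storage bucket whose access settings let anyone download it. As an added example (not code from the blog post, Verizon, NICE Systems or UpGuard), the following audits the two documents that govern who may read an S3 bucket, a bucket ACL and a bucket policy, in the shapes the AWS GetBucketAcl and GetBucketPolicy calls return; the sample ACLs and policy are constructed, and function names such as `audit_bucket_access` are this example's own.

```python
"""Flag an S3 bucket ACL or bucket policy that grants access to the public.

Added example, not code from the blog post, Verizon, NICE Systems or UpGuard.
It runs offline on constructed sample documents shaped like the real
GetBucketAcl / GetBucketPolicy responses.
"""
import json

# Canned group URIs AWS uses in ACL grants for "everyone" and "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def acl_findings(acl):
    """Return one finding per ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append(
                f"ACL grants {grant['Permission']} to {PUBLIC_GROUP_URIS[grantee['URI']]}"
            )
    return findings


def _as_list(value):
    # Policy fields such as Action, Statement and Principal.AWS may be a scalar or a list.
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} (possibly inside a list) is the anonymous principal.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy_json):
    """Return one finding per Allow statement that the public principal can use."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        # A Condition may narrow the grant (e.g. to a source VPC), so flag it for review
        # rather than silently trusting it.
        note = " (with a Condition, review it)" if stmt.get("Condition") else ""
        findings.append(
            f"Policy statement {stmt.get('Sid', '<no Sid>')} allows {actions} to everyone{note}"
        )
    return findings


def audit_bucket_access(acl, policy_json=None):
    """Combine both checks; an empty list means no public grant was found."""
    findings = acl_findings(acl)
    if policy_json:
        findings.extend(policy_findings(policy_json))
    return findings


# Constructed sample: the "incorrectly set to allow external access" case.
# READ on the bucket ACL lets anyone list the object keys, which is exactly what
# makes an "easy-to-guess web address" enumerable.
EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-call-center-exports/*",
    }],
})

# Constructed sample: the corrected bucket, owner-only ACL and no public policy.
PRIVATE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for label, acl, policy in (("exposed", EXPOSED_ACL, EXPOSED_POLICY), ("private", PRIVATE_ACL, None)):
        print(label, audit_bucket_access(acl, policy) or ["no public access found"])
```

In practice you would feed the function each bucket's `get_bucket_acl` and `get_bucket_policy` results; since 2018 AWS also offers the account-level S3 Block Public Access setting, which refuses such grants outright.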

Verizon released a statement about the incident:

"... an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access. We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.

By way of background, the vendor was supporting an approved initiative to help us improve a residential and small business wireline self-service call center portal and required certain data for the project. The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area.

To further clarify, the data supports a wireline portal and only includes a limited number of cell phone numbers for customer contact purposes. In addition, to the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts..."

Typically, after a breach, companies hire independent security experts to investigate the incident and its contributing causes. Verizon's announcement did not state who, if anyone, it hired to perform a post-breach investigation, nor when. So, according to Verizon: no big deal. No problem. Hmmmmm.

Reportedly, Upguard notified Verizon about the breach on June 13, and the breach was fixed on June 22. Upguard added:

"The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling."

Troubling, indeed. What took Verizon (and/or NICE Systems) so long? Verizon's statement didn't say. And what is Verizon (and/or NICE Systems) doing so that this type of breach doesn't happen again? I look forward to upcoming explanations by both companies.

Readers: what are your opinions of this data breach? Of how long it took Verizon to fix things? Of the outsourcing practice? Verizon customers:

  • Is Verizon doing enough to protect your sensitive data?
  • Should affected customers be notified directly?
  • Have you received a breach notice from Verizon? If so, share some of its details.

Verizon To Exit Its Copper Wire Telephone Business In Several States In 2018

If your home uses a copper wire telephone service, often called a "landline" or POTS (Plain Old Telephone Service), you may soon have to make a change. In Boston, Verizon will abandon its landline business in June 2018.

On Saturday, my wife received a letter via postal mail from Verizon. We live in Boston. The "Notice of Copper Retirement" stated:

"Currently, Verizon brings voice and/or data services to your home over copper cables. However, the company is updating to fiber-optic technology in your area, and will be retiring its copper facilities that currently serve you and your neighbors.

To continue to provide you service, Verizon will have to move your service to these fiber-optic facilities. If fiber is available to your home now, we will be contacting you individually soon to schedule an appointment to transition your services to fiber. Otherwise, we will be contacting you once fiber is available. In either case, we will need to move your service well before we retire the copper in your area which is scheduled for on or after June 1, 2018.

We will transfer your voice services from copper to fiber at no cost to you. This transfer will not result in any change to the voice service that you currently receive from Verizon. You may continue to subscribe to the same voice service at the same price, terms, and conditions. In addition, any devices that rely upon your voice service, such as fax machines, medical devices, or security alarms connected to a central station, will continue to work in the same way as they currently do over copper. We will also provide you with a battery backup device at no charge. For almost all residential customers, that device uses standard D-cell batteries that can support up to 24 hours of standby voice service during a commercial power outage. In case of a prolonged power outage, you can simply replace the batteries and extend the backup power.

If you subscribe to our High Speed Internet service, the migration to fiber will require a change since that service is not available on our fiber facilities. The Internet access service that we offer on fiber is FiOS Internet. FiOS Internet is available at significantly faster speeds than High Speed Internet. We will offer the service at a special rate for customers who migrate from copper to fiber facilities as a result of the retirement of our copper facilities. In some cases, this price may be lower or higher than what you currently pay for internet access.

Please review the Frequently Asked Questions for additional information about the fiber update or visit us at verizon.com/fiberupgrade. If you still have questions, please call us Monday through Friday, 8 a.m. - 8 p.m., or Saturday 9 a.m. - 5 p.m. at 1-877-439-7442.

You may also contact the Federal Communications Commission or your State Commission if you have any questions. Thank you for continuing to be a loyal customer. We greatly appreciate your business.

Sincerely,

Janet Gazlay Martin
Director, Network Transformation

I visited the website mentioned in the notice. That site pitches the FiOS Internet service, and doesn't explain the company's copper landline retirement activities. You have to do a little digging online to find the locations where Verizon announced its retirement of copper-wire telephone services. The locations include several states in the Northeast and Middle Atlantic regions. Earlier this month, Verizon announced the retirement of copper landlines next year in the following states, cities, and towns:

  • Delaware: Newark, Ocean View
  • Maryland: Bethesda, Columbia, Glen Burnie, Rockville, Towson
  • Massachusetts: Danvers, Dorchester, Framingham, Hanover, Lawrence, Leominster, Marblehead, Newton, North Chelmsford, Roxbury, Stoughton, West Roxbury
  • New Jersey: Bergen, Berlin, Cape May, Cranford, East Dover, East Orange, Ewing, Freehold, Hackensack, Haddonfield, Journal Square, Marlton, Medford, Merchantville, Morristown, New Brunswick, Red Bank, Somerville, Toms River, Union City, Wall Township, Woodbury
  • New York: Cayuga Williamsville, Cornwall, Mineola, Mount Vernon, Plainview Central, Skaneateles, White Plains, and multiple areas within all of the five boroughs of New York City
  • Pennsylvania: Allentown, Dormont, Glenolden, Jefferson, Jenkintown, Mayfair, Mechanicsburg, portions of Philadelphia, Pilgrim, Turtle Creek, Wilkinsburg
  • Rhode Island: portions of Providence
  • Virginia: Arlington, Falls Church, Reston, Springfield, Virginia Beach, and portions of Richmond

The telecommunications company made similar announcements during February 2017 about other areas within the same states. Verizon is not alone. Telephone companies have planned for years to abandon their copper landline services. In August 2015, the Institute of Electrical and Electronics Engineers (IEEE) reported that the U.S. Federal Communications Commission (FCC):

"... set new ground rules for carriers seeking to replace their old copper telephone networks. Approved by a 3-2 vote at an open meeting yesterday, the rules require carriers to notify customers in advance and to seek FCC approval before reducing services... FCC chairman Tom Wheeler and others have been pushing to shift telephone traffic to fiber optics and the Internet. Critics have charged that phone companies are allowing their old copper networks to decay to force customers to shift to fiber service. But some 37 million households -- many of them headed by elderly people -- remain on legacy copper, commissioner Mignon Clyburn noted at the hearing. Other holdouts live in rural areas that lack cellular and broadband service. Some prefer copper connections because they are independent of local power lines, and offer better 911 emergency service.

The FCC ruling requires that carriers notify retail customers at least three months before shutting down a copper network, and provide six-months notice to interconnecting carriers using the old lines. (Clyburn complained that that's much less time than the FCC gave before shutting down analog broadcast television, but voted for the measure anyway.) Carriers also must seek FCC approval if the telephone changeover would "discontinue, reduce or impair" service... In a separate vote, all five FCC commissioners agreed to require carriers to offer customers backup power supplies that maintain their phone service during prolonged power outages..."

You can read announcements by AT&T about copper landline retirements. CenturyLink notified the FCC last year about copper landline retirements in eight states: Alabama, Florida, Michigan, Minnesota, Pennsylvania, Virginia, Washington, and Wisconsin.

Since the FCC set copper-retirement rules in 2015, technology adoption has climbed slightly. In January of this year, Pew Research reported that 77 percent of adults in the USA own a smartphone and 73 percent have broadband internet at home. However, while:

"... broadband adoption has increased to its highest level since the Center began tracking this topic in early 2000, not all Americans have shared in these gains. For instance, those who have not graduated from high school are nearly three times less likely than college graduates to have home broadband service (34 percent vs. 91 percent)... 12 percent of Americans say they are “smartphone dependent” when it comes to their online access – meaning they own a smartphone but lack traditional broadband service at home. The share of Americans who are smartphone dependent has increased 4 percentage points since 2013, and smartphone reliance is especially pronounced among young adults, nonwhites and those with relatively low household incomes."

While more people have smartphones and internet access at home, a sizeable number still have copper landlines. Phys.org reported in November 2016 the results of a recent survey:

"... 20 percent of the nation's households still view having a landline or fixed telephone as the most important of their telecommunications choices, according to a survey that queried consumers about their telephone and internet preferences... The study also found that for the average consumer, having mobile telephone service is about 3.5 times more important than a landline or fixed telephone service... Study findings suggest about 90 percent of American households have at least one mobile phone, 75 percent have fixed internet service, 58 percent have mobile internet service and 49 percent have fixed telephone service. Mobile telephone service was the most important service for the typical respondent, followed by fixed internet service, mobile internet service and fixed telephone service, although a portion rank fixed telephone first."

According to the 2012 United States Census, there are about 117 million households in the United States, and 2.59 persons on average per household. So, a substantial portion of the population will probably view negatively the termination of copper wire telephone services in their homes.

Verizon's copper termination notice was unnecessarily complicated, which could confuse many consumers. The portion of its notice which said "If fiber is available to your home..." was laughable. FiOS is already available in our neighborhood. Verizon notified me months ago, and I already migrated my antiquated DSL (Digital Subscriber Line) internet service on my phone line to FiOS. Verizon's landline business unit should know what its FiOS division is doing. The left hand should know what the right hand is doing.

So, Verizon's notice wasn't as customized nor as relevant as it could have been. It makes one wonder if, in its zeal to terminate its copper wire phone business, Verizon rushed the customer letters.

Readers of this blog remember the Boston City Council's hearings in 2015 about residents' requests for FiOS. In 2015, Verizon hadn't deployed FiOS even though it had been available in several suburban towns for many years. Example: a friend in Lexington has had FiOS since at least 2009. So, Verizon could have deployed FiOS far sooner, providing consumers more time to migrate their phone service without rushing.

What should consumers do? It depends upon your lifestyle. If you already have a smartphone, you may want to simply terminate your landline phone service and use your smartphone instead. If you don't have a smartphone, you can migrate your copper landline phone service to Verizon's FiOS fiber connection, to a smartphone, or to another telephone service provider. For example, many cable-TV providers, such as Comcast, provide phone service in residences.

Some consumers value security and privacy. If you perform phone-based banking or online banking with your desktop/laptop computer, then security is a concern. Since smartphones or wireless phones using home WiFi networks transmit using radio waves, you'll probably want to encrypt your wireless online banking transmissions to protect against theft by criminals or hackers. Several brands of Virtual Private Network (VPN) software and apps are available to encrypt your wireless transmissions. If you are unfamiliar with VPN software, this prior blog post contains links to online primers and tutorials.

If you received a copper termination letter from your phone company, what were your opinions of it? Did you switch to fiber landlines or to wireless?


FCC Voted Yesterday To Start To Overturn Net Neutrality Rules

Yesterday, the Federal Communications Commission (FCC) voted to kill net neutrality rules it enacted a couple of years ago. The FCC announcement:

"The Federal Communications Commission today took the first step toward restoring Internet freedom and promoting infrastructure investment, innovation, and choice by proposing to end utility-style regulation of broadband Internet access service. In a Notice of Proposed Rulemaking, the FCC proposes to return to the bipartisan framework that preserved a flourishing free and open Internet for almost 20 years. First, the Notice proposes to reverse the FCC’s 2015 decision to impose heavy-handed Title II utility-style government regulation on Internet service providers (ISPs) and return to the longstanding, successful light-touch framework under Title I of the Communications Act.

Second, the Notice proposes to return to the Commission’s original classification of mobile broadband Internet access service as a private mobile service. Given the historical innovation and success of the wireless marketplace prior to the Title II Order, this proposal is expected to substantially benefit consumers and the marketplace.

Third, the Notice proposes to eliminate the catch-all Internet conduct standard created by the Title II Order. Because the Internet conduct standard is extremely vague and expansive, ISPs must guess at what they are permitted to do. Eliminating the Internet conduct standard is therefore expected to promote innovation and network investment by eliminating regulatory uncertainty."

The vote happened on the scheduled date, despite the unavailability for several hours Sunday morning, May 7, of the FCC website for public comments. The FCC said its site crashed due to a DDoS attack. Before the vote, more than 2 million persons and organizations submitted feedback to the FCC.

The vote was expected since Republicans dominate the three-member committee. FCC Chairman Pai and Commissioner Michael O'Rielly voted for the change. Commissioner Mignon Clyburn, the only Democrat on the three-member committee, voted against it. In January of this year, President Donald Trump appointed Ajit Pai, a former lawyer with Verizon, as the FCC Chairman.

In a statement about the vote, FCC Chairman Ajit Pai repeated prior claims about "heavy-handed" regulation, an internet that wasn't broken, and decreased infrastructure investment by internet service providers (ISPs). All of these claims were discussed and debunked previously after Chairman Pai's speech in April.

C/Net reported:

"Eliminating the Open Internet Order takes away the internet's level playing field and would allow a select few corporations to choose winners and losers, preventing consumers from accessing the content that they want, when they want it," said Jonathan Schwantes, senior policy counsel for Consumers Union. Democratic Senator Al Franken of Minnesota called it "a major step toward destroying the internet as we know it."

CNN reported:

"More than 1,000 startups and investors have now signed an open letter to Pai opposing the proposal. The Internet Association, a trade group representing bigger companies like Facebook, Google, and Amazon, has also condemned the plan. "The current FCC rules are working for consumers and the protections need to be kept intact," Michael Beckerman, president and CEO of the Internet Association, said at a press conference Wednesday."

USA Today reported:

"Congress could eventually have a say on the issue. At about the same time the FCC was considering the issue, Sen. John Thune, R-S.D., called for Congress to pass legislation "to protect the internet." Thune, who is the chairman of the Senate Commerce Committee, urged colleagues "to begin bipartisan work on such legislation without any further delay. Innovation and job creation should no longer take a backseat to partisan point-scoring," he said..."

After re-reading the FCC announcement several times, I noticed that it neither mentioned nor summarized the feedback received from the public. This makes one wonder if Chairman Pai and the committee took the time to review the comments submitted. During the last thirty (30) days, the public submitted 2,174,196 filings and comments. (See image below.) The feedback included a mix of comments for and against the latest changes.

Did Chairman Pai and the committee read this feedback, or were their minds already made up? And if so, did they simply ignore more than 2 million comments? Fortunately, the public can continue to submit feedback about Proceeding 17-108 until August for the subsequent final FCC vote.

[Image: most active items in the FCC Electronic Comment Filing System as of May 19, 2017]


Any Half-Decent Hacker Could Break Into Mar-a-Lago

[Editor's Note: Today's guest blog post is by the reporters at ProPublica. The article explores the security issues about key locations the President visits repeatedly and does business at. It was originally published yesterday, and is reprinted with permission.]

by Jeff Larson and Julia Angwin, ProPublica; and by Surya Mattu, Gizmodo

Two weeks ago, on a sparkling spring morning, we went trawling along Florida's coastal waterway. But not for fish.

We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.

A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.

We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.

The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.

"Those networks all have to be crawling with foreign intruders, not just ProPublica," said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.

Security lapses are not uncommon in the hospitality industry, which -- like most industries and government agencies -- is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.

U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain's National Health Service to Russia's Interior Ministry.

Since the election, Trump has hosted Chinese President Xi Jinping, Japanese Prime Minister Shinzo Abe and British politician Nigel Farage at his properties. The cybersecurity issues we discovered could have allowed those diplomatic discussions -- and other sensitive conversations at the properties -- to be monitored by hackers.

The Trump Organization follows "cybersecurity best practices," said spokeswoman Amanda Miller. "Like virtually every other company these days, we are routinely targeted by cyberterrorists whose only focus is to inflict harm on great American businesses. While we will not comment on specific security measures, we are confident in the steps we have taken to protect our business and safeguard our information. Our teams work diligently to deploy best-in-class firewall and anti-vulnerability platforms with constant 24/7 monitoring."

The White House did not respond to repeated requests for comment.

Trump properties have been hacked before. Last year, the Trump hotel chain paid $50,000 to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbers. Prosecutors alleged that hotel credit card systems were "the target of a cyber-attack" due to poor security. The company agreed to beef up its security; it's not clear if the vulnerabilities we found violate that agreement. A spokesman for the New York attorney general declined comment.

Our experience also indicates that it's easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded. We drove a car past the front of Mar-a-Lago and parked a boat near its lawn. We drove through the grounds of the Bedminster golf course and into the parking lot of the golf course in Sterling, Virginia. No one questioned us.

Both President Obama and President Bush often vacationed at the more traditional presidential retreat, the military-run Camp David. The computers and networks there and at the White House are run by the Defense Information Systems Agency.

In 2016, the military spent $64 million on maintaining the networks at the White House and Camp David, and more than $2 million on "defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats" from hacking those networks.

Even after spending millions of dollars on security, the White House admitted in 2015 that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter. All staffers who work at the White House are told that "there are people who are actively watching what you are doing," said Mikey Dickerson, who ran the U.S. Digital Service in the Obama administration.

By comparison, Mar-a-Lago budgeted $442,931 for security in 2016 -- slightly more than double the $200,000 initiation fee for one new member. The Trump Organization declined to say how much Mar-a-Lago spends specifically on digital security. The club, last reported to have almost 500 members paying annual dues of $14,000 apiece, allotted $1,703,163 for all administration last year, according to documents filed in a lawsuit Trump brought against Palm Beach County in an effort to halt commercial flights from flying over Mar-a-Lago. The lawsuit was dropped, but the FAA now restricts flights over the club when the president is there.

It is not clear whether Trump connects to the insecure networks while at his family's properties. When he travels, the president is provided with portable secure communications equipment. Trump tracked the military strike on a Syrian air base last month from a closed-door situation room at Mar-a-Lago with secure video equipment.

However, Trump has held sensitive meetings in public spaces at his properties. Most famously, in February, he and the Japanese prime minister discussed a North Korean missile test on the Mar-a-Lago patio. Over the course of that weekend in February, the president's Twitter account posted 21 tweets from an Android phone. An analysis by an Android-focused website showed that Trump had used the same make of phone since 2015. That phone is an older model that isn't approved by the NSA for classified use.

Photos of Trump and Abe taken by diners on that occasion prompted four Democratic senators to ask the Government Accountability Office to investigate whether electronic communications were secure at Mar-a-Lago.

In March, the GAO agreed to open an investigation. Chuck Young, a spokesman for the office, said in an interview that the work was in "the early stages," and did not offer an estimate for when the report would be completed.

So, we decided to test the cybersecurity of Trump's favorite hangouts ourselves.

Our first stop was Mar-a-Lago, a Trump country club in Palm Beach, Florida, where the president has spent most weekends since taking office. Driving past the club, we picked up the signal for a Wi-Fi-enabled combination printer and scanner that has been accessible since at least February 2016, according to a public Wi-Fi database.

An open printer may sound innocuous, but it can be used by hackers for everything from capturing all the documents sent to the device to trying to infiltrate the entire network.

To prevent such attacks, the Defense Information Systems Agency, which secures the White House and other military networks, forbids installing printers that anyone can connect to from outside networks. It also warns against using printers that do more than printing, such as faxing. "If an attacker gains network access to one of these devices, a wide range of exploits may be possible," the agency warns in its security guide.

We also were able to detect a misconfigured and unencrypted router, which could potentially provide a gateway for hackers.

To get a better line of sight, we rented a boat and piloted it to within sight of the club. There, we picked up signals from the club's wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP. In 2005, an FBI agent publicly broke this type of encryption in minutes.

By comparison, the military limits the signal strength of networks at places such as Camp David and the White House so that they are not reachable from a car driving by. It also requires wireless networks to use the strongest available form of encryption.

From our desks in New York, we were also able to determine that the club's website hosts a database with an insecure login page that is not protected by standard internet encryption. Login forms like this are considered a severe security risk, according to the Defense Information Systems Agency.

Without encryption, spies could eavesdrop on the network until a club employee logs in, and then steal his or her username and password. They then could download a database that appears to include sensitive information on the club's members and their families, according to videos posted by the club's software provider.

This is "bad, very bad," said Jeremiah Grossman, chief of Security Strategy for cybersecurity firm SentinelOne, when we described Mar-a-Lago's systems. "I'd assume the data is already stolen and systems compromised."

A few days later, we took our equipment to another Trump club in Bedminster, New Jersey. During the transition, Trump had interviewed candidates for top administration positions there, including James Mattis, now secretary of defense.

We drove on a dirt access road through the middle of the golf course and spotted two open Wi-Fi networks, TrumpMembers and WelcomeToTrumpNationalGolfClub, that did not require a password to join.

Such open networks allow anyone within range to scoop up all unencrypted internet activity taking place there, which could, on insecure sites, include usernames, passwords and emails.

Robert Graham, an Atlanta, Georgia, cybersecurity expert, said that hackers could use the open Wi-Fi to remotely turn on the microphones and cameras of devices connected to the network. "What you're describing is typical hotel security," he said, but "it's pretty concerning" that an attacker could listen to sensitive national security conversations.

Two days after we visited the Bedminster club, Trump arrived for a weekend stay.

Then we visited the Trump International Hotel in Washington, D.C., where Trump often dines with his son-in-law and senior adviser Jared Kushner, whose responsibilities range from Middle East diplomacy to revamping the federal bureaucracy. We surveyed the networks from a Starbucks in the hotel basement.

From there, we could tell there were two Wi-Fi networks at the hotel protected with what's known as a captive portal. These login screens are often used at airports and hotels to ensure that only paying customers can access the network.

However, we gained access to both networks just by typing "457" into the room number field. Because we provided a room number, the system assumed we were guests. We looked up the hotel's public IP address before logging off.

From our desks in New York, we could also tell that the hotel is using a server that is accessible from the public internet. This server is running software that was released almost 13 years ago.

Finally, we visited the Trump National Golf Club in Sterling, Virginia, where the president sometimes plays golf. From the parking lot, we recognized three encrypted wireless networks, an encrypted wireless phone and two printers with open Wi-Fi access.

The Trump club websites are hosted by an Ohio-based company called Clubessential. It offers everything from back-office management and member communications to tee time and room reservations.

In a 2014 presentation, a company sales director warned that the club industry as a whole is "too lax" in managing and protecting passwords. There has been a "rising number of attacks on club websites over the last two years," according to the presentation. Clubessential "performed [an] audit of security in the club industry" and "found thousands of sensitive documents from clubs exposed on [the] Internet," such as "lists of members and staff, and their contact info; board minutes, financial statements, etc."

Still, the club software company has set up a backend server accessible on the internet, and configured its encryption incorrectly. Anyone who reaches the login page is greeted with a warning that the encryption is broken. In its documentation, the company advises club administrators to ignore these warnings and log in regardless. That means that anybody snooping on the unprotected connection could intercept the administrators' passwords and gain access to the entire system.

The company also publishes online, without a password, many of the default settings and usernames for its software, essentially providing a roadmap for intruders.

Clubessential declined comment.

Aitel, the CEO of Immunity, said the problems at Trump properties would be difficult to fix: "Once you are at a low level of security it is hard to develop a secure network system. You basically have to start over."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


FCC Says Denial-Of-Service Attacks Caused Its Site To Crash Sunday Morning

Last weekend, the U.S. Federal Communications Commission (FCC) website crashed during a key period when the public relied upon it to submit feedback about proposed changes to net neutrality rules. Dr. David Bray, the FCC Chief Information Officer, released a statement on Monday that the crash was due to a distributed denial-of-service (DDoS) attack:

"Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDoS). These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC. While the comment system remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments. We have worked with our commercial partners to address this situation and will continue to monitor developments going forward."

The FCC’s Electronic Comment Filing System (ECFS) is the site the public uses to submit and review feedback about proposed changes. Bray's statement did not identify the "bad actors" responsible for the DDoS attack, did not state the countries or locations of the illegitimate site traffic, and offered few substantial details.

A DDoS attack is when hundreds or thousands of internet-connected devices, often coordinated by malware and/or criminals, overwhelm a targeted website by trying to access it simultaneously. This type of attack prevents legitimate users from accessing the targeted site to perform desired tasks (view/buy products, register for services, view videos, get help, contact representatives, etc.). This can easily disable the targeted website for hours, days, or weeks. It can also disrupt businesses, and cause financial losses.

This blog and its hosting service experienced a DDoS attack in 2014 when offshore advertisers retaliated after the hosting service implemented stronger measures to block illegitimate traffic. An October 2016 DDoS attack against Dyn, a major DNS provider, interrupted many popular websites and services including Spotify, Reddit, and Twitter. Some DDoS attacks are about politics or censorship. A September 2016 DDoS attack disabled the Krebs On Security blog.

Generally, security experts are concerned about botnets, collections of internet-connected devices used to perform DDoS attacks. These devices can include home WiFi routers, security cameras, and unprotected computers infected with malware. Often, home devices are used without consumers' knowledge or consent.
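The kind of log triage a defender would run before attributing a crash to a DDoS, as an added example that is not from the original post or from the FCC: it reads constructed access-log lines (combined log format, RFC 5737 documentation addresses, hypothetical ECFS paths), counts each source's peak requests per minute, and flags sources that flood the server without ever submitting a comment, the pattern the FCC statement describes, while ordinary commenters are left alone.

```python
"""Separate flood sources from ordinary commenters in a web access log.

Added example; the log lines, paths and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, window_s=60, rate_threshold=100):
    """Return (flagged_sources, summary).

    A source is flagged when its busiest window exceeds rate_threshold requests
    and it never issued a POST, i.e. it hammered the site without filing anything.
    """
    buckets = defaultdict(lambda: defaultdict(int))   # ip -> window -> requests
    total = defaultdict(int)
    posts = defaultdict(int)
    n_requests = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        n_requests += 1
        ip = rec["ip"]
        buckets[ip][int(rec["ts"].timestamp()) // window_s] += 1
        total[ip] += 1
        if rec["method"] == "POST":
            posts[ip] += 1
    flagged = []
    for ip, counts in buckets.items():
        peak = max(counts.values())
        if peak > rate_threshold and posts[ip] == 0:
            flagged.append({"ip": ip, "requests": total[ip], "peak_per_window": peak})
    flagged.sort(key=lambda f: -f["requests"])
    flagged_requests = sum(f["requests"] for f in flagged)
    summary = {
        "requests": n_requests,
        "sources": len(total),
        "flagged_sources": len(flagged),
        "flagged_share": flagged_requests / n_requests if n_requests else 0.0,
    }
    return flagged, summary


def make_sample_log():
    """Constructed log: three flood sources plus fifty ordinary commenters."""
    base = datetime(2017, 5, 7, 0, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, t, method, path, status=200):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512')

    # Flood sources: 300 GETs each within one minute and never a POST.
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        for k in range(300):
            emit(ip, base + timedelta(milliseconds=200 * k), "GET", "/ecfs/filings?proceeding=17-108")
    # Ordinary commenters: load the form twice, then submit one comment.
    for n in range(50):
        ip = f"203.0.113.{n + 1}"
        t = base + timedelta(seconds=5 * n)
        emit(ip, t, "GET", "/ecfs/filings/express")
        emit(ip, t + timedelta(seconds=40), "GET", "/ecfs/filings/express")
        emit(ip, t + timedelta(seconds=90), "POST", "/ecfs/filings/express", 302)
    return lines


if __name__ == "__main__":
    flagged, summary = triage(make_sample_log())
    print(summary)
    for f in flagged:
        print(f)
```

On a real log the same counts show whether a handful of sources produced most of the load (a flood) or whether many distinct sources each filed a comment (a surge of genuine commenters).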

Others were skeptical of the FCC's explanation. Some people attributed the crash to John Oliver, the host of the "This Week Tonight" show on HBO. In 2014, the show's viewers crashed the FCC site trying to submit feedback about net neutrality. Oliver published a similar video this past weekend in support of net neutrality.

Broadcasting & Cable reported:

"Fight for the Future is calling on the FCC to release logs on the attack to an independent third party—a security researcher or media outlet—to independently verify the attack. "The agency has a responsibility to maintain a functioning website to receive large numbers of comments and feedback from the public," said Evan Greer campaign director for Fight for the Future. "They can't blame DDoS attacks without proof, they need to fix this problem and ensure that comments on this important issue are not lost."

MediaPost reported that at least two U.S. Senators have demanded answers:

"Senators Ron Wyden (D-Oregon) and Brian Schatz (D-Hawaii) are also seeking answers from the FCC. "As you know, it is critical to the rulemaking and regulatory process that the public be able to take part without unnecessary technical or administrative burdens," the lawmakers write. "Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue."

They are asking the FCC to provide details about any malicious traffic, including how many devices sent malicious traffic to the agency. The lawmakers also have asked the FCC whether it requested investigatory assistance from other federal agencies, and whether it uses any commercial protection services."

It is a reasonable demand that the FCC provide proof. If the DDoS attack was a new form of 21st-century censorship to stop concerned citizens (e.g., voters) from submitting feedback in support of net neutrality, then we all need to know. And, we need to know what the FCC is doing to protect its systems.


Seattle Strengthens Privacy Protections For Broadband And Cable Users

The city of Seattle has strengthened its privacy rules to better protect residents using cable-TV services and high-speed internet services (a/k/a broadband). The new rules go into effect on May 24, and mirror the FCC broadband privacy rules which Congress revoked earlier this year.

The announcement by the Seattle Mayor's office explained:

"Seattle Municipal Code (SMC 21.60) grants the City of Seattle authority to issue rules related to the privacy practices of cable operators. These rules govern not only cable television services but also non-cable services, such as internet service. The new rule states cable operators must obtain opt-in consent before sharing a customer’s web browsing history or otherwise using such information for a purpose other than providing a customer with their requested service.

Comcast, CenturyLink, and Wave have cable franchise agreements with the City of Seattle and will be subject to the new rule. Under the terms of the rule, these cable operators must report their compliance by Sept. 30, 2017 and annually thereafter."

Earlier this year, a national poll found the Republican rollback of FCC broadband privacy rules very unpopular among consumers. Despite this, President Trump signed the privacy-rollback legislation on April 3.

The new rules in Seattle, ITD Director's Rule 2017-10 (Adobe PDF), state in part:

"- Prohibit Cable Operators from collecting or disclosing any information regarding the extent of any individual customer's viewing habits, or other use by a customer of a cable service or other service provided such as web browsing activity, without the prior affirmative consent of the customer, unless such information is necessary to render a service requested by the customer, or a legitimate business purpose related to the service.
- Require Cable Operators to fully and completely disclose customer rights and the limitations imposed on a Cable Operator's collection, use, and disclosure of Personally Identifiable Information (PII) in clear language that a customer can readily understand.
- Require Cable Operators to destroy within 90 days any PII if the PII is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such PII... Require Cable Operators to provide stamped, self-addressed post cards that customers can mail in to have their names and addresses removed from any lists the Cable Operators might use for purposes other than the direct provision of service to those customers.
- Establish without ambiguity that a customer, once "opting out" of the Cable Operator's mailing list, is permanently removed from that list unless that customer subsequently requests inclusion on such list."

This is a great start. The rules define PII as:

"... specific information about a customer, including, but not limited to, a customer's (a) login information, (b) extent of viewing of video programming or other services, (c) shopping choices, (d) interests and opinions, (e) energy uses, (f) medical information, (g) banking data or information, (h) web browsing activities, or (i) any other personal or private information..."

Mayor Edward B. Murray commented about the new rules:

"Where the Trump administration continues to roll back critical consumer protections, Seattle will act... I believe protecting the privacy of internet users is essential and this policy allows the City to do just that. Because of regulation repeals at the national level, we must use all of the powers at our disposal to protect the rights of our residents."

Citizens in other major cities across the United States may want to ask what consumer-friendly privacy actions their mayors are taking.


Update: Net Neutrality, Administrative Law, The Courts, And Next Steps

A lot has happened since Federal Communications Commission (FCC) Chairman Ajit Pai disclosed his plan last week to kill net neutrality. While the FCC commissioners will vote on May 18 about the rules changes, a federal law could affect the outcome. First, Wired reported:

"A 1946 law called the Administrative Procedure Act bans federal agencies making “capricious” decisions. The law is meant, in part, to keep regulations from yo-yoing back and forth every time a new party gained control of the White House. The FCC successfully argued in favor of Title II reclassification in federal court just last summer. That effort means Pai might have to make the case that things had changed enough since then to justify a complete reversal in policy."

Read the text of the Administrative Procedure Act (APA). Learn more here.

The recent actions (e.g., privacy, net neutrality) by the Republican-led FCC have definitely resulted in both uncertainty and a yo-yoing of rules. At times, it feels like watching a tennis match. While Pai and other advocates of killing net neutrality have claimed that infrastructure investment has declined due to the reclassification by the FCC, the reality:

"During a hearing earlier this year, senator Edward Markey (D-Massachusetts) pointed to US Census Bureau estimates that broadband investment increased slightly from $86.6 in 2014 to $87.2 billion in 2015..."

Data for 2016 isn't available yet. As I mentioned in a prior post, telecommunications companies made conscious decisions and could have diverted money from other spending to infrastructure. They didn't, and chose the legislative path instead. Again from Wired's analysis:

"Other business considerations could also play into changes in telecom spending on network infrastructure, such as a desire to wait and let previous investments pay for themselves before making new ones. The CEO of Verizon, for example, told shareholders that Title II didn’t affect the company’s investment plans. And Martin points out that a recent auction in which companies spent $19.8 billion to buy rights to use more of the wireless spectrum doesn’t exactly look like an industry shy of investing."

"If the infrastructure argument doesn’t fly, Pai could also argue that the rules are unnecessary because proverbial fast and slow lanes for the internet never existed. The problem is that’s not true. The Bush-era FCC ordered Comcast to stop throttling BitTorrent traffic in 2008... Under a secret agreement with AT&T, Apple blocked iPhone users from making Skype calls over the carrier’s network until the FCC pressured the companies into reversing the policy in 2009..."

Read the entire Wired analysis. It makes it crystal clear how corporate ISPs are trying to rig the system for themselves and against consumers.

Second, a recent decision by a federal court rejected big telecom's petition to have the existing FCC's net neutrality rules overturned. On Monday, Ars Technica reported:

"The US Court of Appeals for the District of Columbia Circuit denied the broadband industry's petition for a rehearing of a case that upheld net neutrality rules last year. A three-judge panel ruled 2-1 in favor of the FCC in June 2016, but ISPs wanted an en banc review in front of all of the court's judges. The request for an en banc review was denied in the order issued today."

What to make of this? The bottom line is that the circuit court decided to uphold the reclassification of broadband ISPs as common carriers and the FCC's net neutrality rules. While big telecom could appeal the decision with the Supreme Court, that seems unlikely since they know that the FCC, led by Chairman Ajit Pai, a Republican, has a majority of Republican commissioners who will vote to overturn net neutrality rules on May 18. And, Chairman Pai will have to overcome any challenges with the APA.

In response to the court decision, FCC Chairman Pai issued this statement:

"In light of the fact that the Commission on May 18 will begin the process of repealing the FCC’s Title II regulations, it is not surprising, as Judges Srinivasan and Tatel pointed out, that the D.C. Circuit would decide not to grant the petitions for rehearing en banc. Their opinion is important going forward, however, because it makes clear that the FCC has the authority to classify broadband Internet access service as an information service..."

Chairman Pai seems hell-bent upon ignoring the historical problems in the broadband industry that plagued consumers, in order to change the rules in favor of big telecom. Those problems led to the reclassification by the FCC. A prior blog post listed some of those problems:

"The lack of ISP competition in key markets meant consumers in the United States pay more for broadband and get slower speeds compared to other countries. Rural consumers and low-income areas lacked broadband services. There were numerous complaints by consumers about usage Based Internet Pricing. There were privacy abuses and settlement agreements by ISPs involving technologies such as deep-packet inspection and 'Supercookies' to track customers online, despite consumers' wishes not to be tracked. Many consumers didn't get the broadband speeds ISP promised. Some consumers sued their ISPs, and the New York State Attorney General invited residents to check their broadband speed with this tool. Tim Berners-Lee, the founder of the internet, cited in March three reasons why the Internet is in trouble. His number one reason: consumers had lost control of their personal information... Some consumers found that their ISP hijacked their online search results without notice nor consent. An ISP in Kansas admitted in 2008 to secret snooping after pressure from Congress."

Third, big telecom is engaged in some savvy, deceptive maneuvering. Ars Technica discussed bizarre claims by Verizon:

"... Verizon's general counsel, Craig Silliman, wants you to believe that Verizon never opposed net neutrality rules, even though it sued the FCC to eliminate them. He's also making the claim that the FCC isn't even talking about eliminating the net neutrality rules, even though FCC Chairman Ajit Pai is proposing to do exactly that."

Watch the Verizon video with Verizon's Silliman. When Silliman said, "changing the legal footing," he is referring to comments by others that the FTC should regulate broadband services, and not the FCC. That places the burden on consumers and the FTC to sue when broadband providers don't deliver the services promised; assuming that broadband providers disclose in their terms-of-service and privacy policies what they will deliver. With regulation by the FCC, consumers would have been in charge of their privacy, big telecom would have been forced to be transparent and explain what they were doing, and big telecom couldn't slice up the internet into slow and fast lanes forcing consumers to pay more to access certain sites.

During the last fight about net neutrality in 2014, about 90 tech companies sent a letter to FCC Chairman Tom Wheeler (Adobe PDF) encouraging the FCC to support a free and open internet, where consumers decide where to go online with the broadband services purchased. Several notable companies signed that 2014 letter: Amazon, Dropbox, Ebay, Facebook, Gawker, Google, Microsoft, Mozilla, Netflix, Twitter, Vonage, and Yahoo. I did not see Verizon (nor Comcast) in the list of signers.

That's some brilliant and deceptive maneuvering. Big telecom can appear reasonable and deny talking about killing net neutrality rules while knowing that their representative, Chairman Pai and his fellow Republican commissioners at the FCC, will do it for them. Again, from Ars Technica:

"No major Internet service provider has done more to prevent implementation of net neutrality rules in the US than Verizon. After years of fighting the rules in courts of law and public opinion, Verizon is about to get what it wants as the FCC—now led by a former Verizon lawyer—prepares to eliminate the rules and the legal authority that allows them to be enforced."

Fourth, the FCC released its Notice of Proposed Rule Making (NPRM): Proceeding 17-108, "Restoring Internet Freedom" - April 26, 2017 (Adobe PDF). Just as before in 2014 - 15, the new rule is open to public comments. This means, it is time for citizens and voters to take action.

FCC Chairman Pai and others claim that the Internet was working well before, and net neutrality rules are unnecessary and a government intrusion. Ordinary broadband customers can have a great impact. It is time for consumers to submit comments to the FCC. About 25,578 people have already submitted comments. For example, a comment by Darion from Austin, Texas:

"The FCC Open Internet Rules (net neutrality rules) are extremely important to me. I urge you to protect them. Most Americans only have one choice for true high speed Internet access: our local cable company. Cable companies (and wireless carriers) are actively lobbying Congress and the FCC for the power to: i) Block sites and apps, to charge them "access fees;" ii) Slow sites and apps to a crawl, to establish paid "fast lanes" (normal speed) and slow lanes (artificially low speeds); and iii) Impose arbitrarily low data caps, so they can charge sites to escape those caps, or privilege their own services ("zero rating").
They're doing it so they can use their monopoly power to stand between me and the sites I want to access, extorting money from us both. I'll be forced to pay more to access the sites I want, and sites will have to pay a kind of protection money to every major cable company or wireless carrier—just to continue working properly!

The FCC's Open Internet Rules are the only thing standing in their way. I'm sending this letter to my two senators, my representative, the White House, and the FCC. First, to the FCC: don’t interfere with my ability to access what I want on the Internet, or with websites' ability to reach me. You should leave the existing rules in place, and enforce them.

To my senators: you have the power to stop FCC Chair Ajit Pai from abusing the rules by refusing to vote for his reconfirmation. I expect you to use that power. Pai, a former Verizon employee, has made it clear he intends to gut the rules to please his former employer and other major carriers, despite overwhelming support for the rules from voters in both parties... To the White House: Ajit Pai, a former Verizon employee, is acting in the interests of his former employer, not the American people. America deserves better... To my representative: please publicly oppose Ajit Pai's plan to oppose the rules... I would be happy to speak more with anyone on your staff about the rules and why they’re so important to me. Please notify me of any opportunities to meet with you or your staff."

Be brief. Use your own words. Submit your comments soon, since the deadline fast approaches. Also, tell your elected officials. Participate in local marches and protests. Join the Fight For The Future. Support the EFF.


Speech By FCC Chairman. Time For Citizens To Fight To Keep Net Neutrality Protections

Earlier today, Ajit Pai, the Chairman of the U.S. Federal Communications Commission (FCC), gave a speech titled "The Future Of Internet Freedom" at the Newseum in Washington, DC. He discussed the history of the Internet, regulation, business investment, innovation, and jobs. He also shared his views on regulation and a desire for the FCC to pursue a "light touch" regulatory approach:

"First, we are proposing to return the classification of broadband service from a Title II telecommunications service to a Title I information service—that is, light-touch regulation drawn from the Clinton Administration.  As I mentioned earlier, this Title I classification was expressly upheld by the Supreme Court in 2005, and it’s more consistent with the facts and the law.

Second, we are proposing to eliminate the so-called Internet conduct standard. This 2015 rule gives the FCC a roving mandate to micromanage the Internet... The FCC used the Internet conduct standard to launch a wide-ranging investigation of free-data programs. Under these programs, wireless companies offer their customers the ability to stream music, video, and the like free from any data limits. They are very popular among consumers, particularly lower-income Americans... Following the presidential election, we terminated this investigation before the FCC was able to take any formal action. But we shouldn’t leave the Internet conduct standard on the books for a future Commission to make mischief.

And third, we are seeking comment on how we should approach the so-called bright-line rules adopted in 2015. But you won’t just have to take my word about what is in the Notice of Proposed Rulemaking. I will be publicly releasing the entire text of the document tomorrow afternoon..."

This should not be a surprise. We've heard much of this before from Congresswoman Blackburn, the author of the recently passed House legislation to roll back consumers' online privacy protection. Blackburn said the same about FCC reclassification: that it was bad, and that the internet wasn't broken. Well, it was broken prior to 2014, and in several specific ways.

The lack of ISP competition in key markets meant consumers in the United States pay more for broadband and get slower speeds compared to other countries. Rural consumers and low-income areas lacked broadband services. There were numerous complaints by consumers about usage-based internet pricing. There were privacy abuses and settlement agreements by ISPs involving technologies such as deep-packet inspection and 'Supercookies' to track customers online, despite consumers' wishes not to be tracked. Many consumers didn't get the broadband speeds ISPs promised. Some consumers sued their ISPs, and the New York State Attorney General invited residents to check their broadband speed with this tool. Tim Berners-Lee, the founder of the internet, cited in March three reasons why the Internet is in trouble. His number one reason: consumers had lost control of their personal information. With all of this evidence, how can Pai and Blackburn claim the internet wasn't broken?

There are more examples. Some consumers found that their ISP hijacked their online search results without notice or consent. An ISP in Kansas admitted in 2008 to secret snooping after pressure from Congress. Given all of this, something had to be done. The FCC stepped up to the plate and acted when it was legally able to, and reclassified broadband after open hearings. Then, the FCC adopted new privacy rules in November 2016. Proposed rules were circulated prior to adoption. It was done in the open. It made sense.

Meanwhile, the rollback of FCC broadband privacy rules is very unpopular among consumers. Comments by Pai and Blackburn seem to ignore both that and key events (listed above) in broadband history. That is practicing the "revisionist history" Pai said in his speech he disliked. That leaves me questioning whether they can be trusted to develop reasonable solutions that serve the interests of consumers.

With their victory last month to roll back the FCC's online privacy protections, pro-big-telecom advocates claim they are acting in consumers' best interests. What bull. With that rollback, consumers are no longer in control of their information. (The opt-in and other controls were killed.) Plus, we live in a capitalist society where the information that describes us is valuable property. That's why so many companies want to collect it. Consumers should be in control of their online privacy and the information that describes them, not corporate ISPs.

Corporate ISPs' next target is "net neutrality." Pai referred to it in the "bright lines" portion of his speech. For those who don't know or have forgotten, net neutrality is when consumers are in control -- consumers choose where to go online with the broadband they've purchased, and when ISPs must treat all content equally. That means no blocking, no throttling, and no paid prioritization. Net neutrality means consumers stay in control of where they go online.

Pai claimed this was unclear. Again, more bull. The FCC's no blocking, no throttling, and no paid prioritization position was crystal clear.

Without net neutrality, ISPs decide where consumers can go online, which sites you can visit, and which sites you can visit only if you pay more. ISPs would likely group web sites into tiers (e.g., slow vs. fast "lanes"), similar to premium cable-TV channels. Do you want your monthly internet bill as confusing, complicated, and expensive as your cable-TV bill? I don't, and I doubt you do either.

Pai and Blackburn claim that net neutrality (and privacy) kills innovation. I guess that depends how you define "innovation." If you define innovation as the ability of ISPs to carve up the internet to maximize their profits while consumers pay more, then it should be killed. That's not innovation. That's customer segmentation by price and paid prioritization.

In his speech, Pai provided an appealing explanation about how ISPs spent less on infrastructure. He neglected to mention that decreased infrastructure spending was a choice by ISPs. They could have cut expenses elsewhere and continued infrastructure spending, but they didn't. Instead, ISPs chose the path we see: utilize a compliant, sympathetic Republican-led Congress and White House to get what they wanted -- the ability to charge higher broadband prices -- and use slick, misleading language to appear to be consumer friendly.

Take action today to defend net neutrality protections. The Pai-led FCC isn't consumer friendly. The GOP-led Congress isn't, either, regardless of how they spin it. Don't be fooled.

Anyone paying attention already knows this. Concerned citizens fought for and won net neutrality in 2014. Sadly, we might fight the net neutrality fight again.

It will be an uphill fight for two reasons. First, Republicans control the White House, House of Representatives, and Senate. Second, the Trump Administration is working simultaneously on rollbacks for several key issues (e.g., health care, immigration, wall along Mexican border, tax reform, environment, education, terrorism, etc.), making it easier to distract opponents with other issues (and with outrageous midnight tweets). Yet, people demonstrated last week at an open FCC meeting. (Video is also available here.) Now is the time for more concerned citizens to rise, speak up, and fight back. Write to your elected officials. Tell your friends, classmates, coworkers, and family members. Use this action form to contact your elected officials. Participate in local marches and protests. Join the Fight For The Future. Support the EFF.

Some elected officials have already committed to defend net neutrality protections:

What about your elected officials? Have they made a commitment to defend net neutrality? Ask them. Don't be silent. Now is not the time to sit on the sideline and wait for others to do the fighting for you.


Poll Finds Republicans' Rollback of Broadband Privacy Very Unpopular

A recent poll found that the Republican rollback of broadband privacy rules is very unpopular. The poll included 1,000 Americans, and the result held across age, gender, and political affiliation. Despite this, President Trump signed the privacy-rollback legislation on April 3. Since then, many consumers have sought online tools to protect their privacy.

Vox reported the survey results:

Image of YouGov poll results about the Republican rollback of broadband privacy.

Late last week, several Republicans in the House of Representatives sent a letter (Adobe PDF) to Ajit Pai, the Chairman of the U.S. Federal Communications Commission (FCC), urging the FCC to regulate broadband service providers. The letter read, in part:

"We write to ensure that the Federal Communications Commission (FCC) stands ready to protect consumer privacy... The Federal Trade Commission (FTC) has long been the standard bearer for striking the right balance of consumer protection with a pro-innovative construct that encourages consumer choice, opportunities, and new jobs... An FCC approach that mirrors the FTC will continue to protect consumers in this tumultuous time... Until such time as the FCC rectifies the Title II reclassification that inappropriately removed ISPs from the FTC's jurisdiction, we urge the FCC to hold Internet service providers (ISPs) to their privacy promises..."

The letter was signed by Greg Walden (Chairman, Committee on Energy & Commerce), Marsha Blackburn (Chairman, Subcommittee on Communications & Technology), and 48 other representatives.

Tumultuous times? The tumult was created by the rollback of privacy rules -- a situation created by Republicans. All would have been fine if they'd left the FCC's broadband privacy rules in place; rules consumers clearly want -- rules that keep users in control of their online privacy.

Representative Blackburn and her fellow Republicans either don't know history or have chosen to ignore it. Several problems have plagued the industry: a lack of ISP competition in key markets, consumers in the United States paying more for broadband and getting slower speeds than consumers in other countries, and numerous privacy violations and lawsuits:

Clearly, the FCC had to act. It did: it held hearings and then finalized improved broadband privacy rules to help consumers. Now, Congress and the President have undone all of that, creating the very tumult they now claim to want to solve.

Clearly, Representative Blackburn and others are happy to comply with the wishes of their corporate donors -- who don't want broadband classified as a utility. Internet access is a basic consumer need for work, entertainment, and school -- just like water, electricity, and natural gas (for cooking). Internet access is a utility, like it or not. The FCC under Chairman Wheeler had the right consumer-friendly approach, despite the spin by Blackburn and others.

What are your opinions?


President Trump Signed Legislation Revoking FCC's Broadband Privacy Rules. Lots Of Consequences

Late yesterday, President Trump signed legislation revoking broadband privacy rules adopted by the Federal Communications Commission (FCC). The rules would have kept consumers in control of their information online. Instead, internet service providers (ISPs) are free to collect, archive, and share at will, without notice or consent, information about consumers' online activities (e.g., far more than browsing histories).

The legislation narrowly passed both in the Senate (50 - 48) and in the House (215 - 205). Proponents of the legislation claimed the FCC rules duplicated existing regulation. Representative Marsha Blackburn (R-Tenn.), who introduced the legislation in the House, said plenty recently according to Breitbart News:

"What we are doing is recalling a privacy rule that the FCC issued right at the end of the Obama administration, and the reason we are doing this is because it is additional and duplicative regulation... What the FCC did was clearly overreach. It gives you two sets of regulators that you’re trying to comply with, not one. So we are recalling the FCC’s rule, and that authority will go back to the FTC...”

"What the Obama administration did... they reclassified your Internet service as Title II, which is a common carrier classification. It is the rule that governs telephone usage... Those rules were put on the books in the thirties. So what the Democrats did... they reclassified Internet, which is an information service, as a telephone service, and then put those 1930s-era rules on top of your Internet service... They did that so they could tax it, so they could begin to regulate it..."

"You don’t need another layer of regulation. It’s like flashing alerts: We don’t need net neutrality. We don’t need Title II. We don’t need additional regulations heaped on the Internet under Title II. The Internet is not broken. It has done just fine without the government controlling it."

Not broken? The inventor of the World Wide Web, Tim Berners-Lee, gave three solid reasons why the web is broken. His number one reason: consumers have lost control over their personal information.

And, Representative Blackburn either doesn't know history or has chosen to ignore it. Several problems have plagued the industry: a lack of ISP competition in key markets, consumers in the United States paying more for broadband and getting slower speeds than consumers in other countries, and numerous privacy violations and lawsuits:

Clearly, the FCC had to act, it did, it held hearings, and then finalized improved broadband privacy rules to help consumers. Now, the Congress and President undid all of that.

There are plenty of consequences. To regain some of the online privacy lost due to the new legislation, many consumers have considered Virtual Private Networks (VPNs) and other online tools to prevent ISPs from spying on them. VPNs are not a cure-all. ISPs can still block or throttle consumers' VPN connections; a VPN covers only the devices that run its client, so internet-of-things devices in the home stay exposed; and a VPN won't hide e-mail from an ISP that also hosts your e-mail account.

Basically, there is no substitute for consumers being in control of their online privacy with transparent notice by ISPs. The impact upon consumers: less online privacy and higher internet prices. Consumers are forced to spend more money on VPN and other tools.

Blackburn and others claimed that the U.S. Federal Trade Commission (FTC) should regulate ISPs. Regulation by the FTC is not a slam-dunk. AdAge reported:

"If the FTC does regain its oversight, the result is likely to be weaker privacy protections than what the FCC intended with its rules, as well as a relatively clear path for telcos to pursue their data-revenue-generating goals... One legal peak to climb: precedent set by a U.S. district court ruling siding with AT&T against the FTC last year which carved out an exemption for companies that provide bundled phone and ISP services which effectively protected AT&T from FTC regulations protecting consumers from unfair or deceptive practices.

Even if the FTC eventually garners ISP jurisdiction, argued [Gigi Sohn, a senior counselor to former FCC Chairman Tom Wheeler], "it will lead to some privacy protection but much weaker than what people just lost." She pointed to FTC Chairman Ohlhausen's high bar for showing harm against consumers before actions against companies are taken, noting, 'She wants to see harm first. Well, rules protect you before you're harmed.'"

Despite the claims by Blackburn and others, the bottom line is:

"... what we're left with is a period of uncertainty where the carriers may do certain things but it's unclear. Does the FCC have jurisdiction or does the FTC have jurisdiction?"

The Los Angeles Times reported:

"The FTC is empowered to bring lawsuits against companies that violate its privacy guidelines, but it has no authority to create new rules for industry. It also cannot enforce its own guidelines against Internet providers because of a government rule that places those types of companies squarely within the jurisdiction of the FCC and out of the reach of the FTC. As a result, Internet providers exist in a "policy gap" in which the only privacy regulators for the industry operate at the state, not federal, level, analysts say."

Ambiguity. Lack of clarity. Policy gap. None of those are good for business, or for consumers.

Read more about President Trump's signing of the legislation at CNET and Reuters.


Tools For Consumers To Regain Some Online Privacy. Higher Internet Prices Likely

Now that the Republican-led Congress and President Trump have dismantled broadband privacy rules, internet service providers (ISPs) are free to collect, archive, and share at will, without notice or consent, consumers' complete online activities (e.g., far more than browsing histories) to maximize their profits. Just about all of your online activities can be harvested by your ISP, not just your browsing history. Readers of this blog may remember the Deep-Packet Inspection software some ISPs installed on their networks to track their customers' online usage without notice or consent.

To combat this, many consumers seek technical solutions, such as a virtual private network (VPN), to maintain as much privacy online as possible. Consumers will need to locate VPN and other tools that run on several devices (e.g., phones, tablets, laptops, desktops, etc.) and browsers (e.g., Firefox, Opera, etc.). Resources about several tools including VPNs:

Reviews and comparisons about VPN providers:

Some recommended, paid VPNs run on several platforms including Apple brand devices: F-Secure Freedome, Private Internet Access, and SurfEasy. Some VPNs offer a lower monthly price for a longer contract term. Look for pricing that covers multiple devices.

All of the above resources contain links to specific VPN brands. Experts recommend that consumers shop around for a paid VPN, since many of the free VPNs collect and resell consumers' information to make money. Some VPN providers offer phone customer service and support. This may be especially helpful for inexperienced users.

If a (free or paid) VPN saves usage logs of its customers' online activity and shares those logs with others (e.g., advertisers, affiliates, marketing partners, law enforcement, etc.), then that totally defeats the purpose of using a VPN service for privacy. So wise consumers shop around, read the terms of service, and read the privacy policy before signing up for a VPN.

Just like anti-virus software, several VPNs running on the same device can cause problems. So, you'll need to spend time sorting that out, too.

Sadly, VPNs are not a cure-all. Your ISP can still block or throttle your connection. Basically, there is no substitute for consumers being in control of their online privacy with transparent notice by ISPs. And, a VPN client protects only the device it runs on, so it won't protect internet-of-things devices (e.g., appliances, refrigerators, thermostats, security systems, televisions, etc.) connected to the WiFi router in your home. Tech Dirt reported:

"VPN clients are typically for desktop machines and, in some cases, mobile devices such as phones and tablets. As previously discussed, IoT devices in homes will continue to generate more traffic. Most such devices do not support VPN software. While it is conceivable that a user could set up an encrypted VPN tunnel from the home router and route all home traffic through a VPN, typical home gateways don’t easily support this functionality at this point, and configuring such a setup would be cumbersome for the typical user."

Note: a VPN tunnels all of a device's traffic, including the mail client's SMTP/SMTPS and IMAP connections, not only web browsing (HTTP/HTTPS). What it can't do is hide your e-mail from the provider that stores it: if your e-mail account is hosted by your ISP, the ISP holds your messages on its own mail servers and the VPN changes nothing. You might consider a secure e-mail service like ProtonMail. You might find this review of ProtonMail helpful.

Do you use Gmail? Remember Google scans both inbound and outbound e-mail messages supposedly to serve up relevant ads. While a certain amount of message scanning is appropriate to identify spam and malware, last month a federal court judge rejected a proposed settlement offer with non-Gmail users who had filed a class-action lawsuit because their e-mail messages had been scanned by Google (and they couldn't opt out of the scanning).

So, internet costs for consumers are going up with thanks to privacy-busting legislation passed by a Republican-led Congress. Consumers will pay more, perhaps an additional $50 - $80 yearly for VPN services, on top of already high monthly internet prices -- with a marginal increase in privacy; not the better, more complete solution consumers would have received with the FCC broadband privacy rules. Add in the value of your time spent shopping around for VPN and privacy tools, and the price increase is even greater.

Plus, monthly internet costs for consumers could go far higher if ISPs charge for online privacy. Is that possible you ask? Yep. Comcast and industry lobbyists have already stated that they want "pay-for-privacy" schemes. Congress seems happy to oblige corporate ISPs and stick it to consumers.

Petition to keep FCC broadband privacy rules and nullify Senate Joint Resolution 34.

Mad about all of this? I am, and you probably are, too. Be sure to tell the Senators and House representatives who voted to revoke the FCC online privacy rules. Tell them you dislike the higher prices you're forced to pay to maintain privacy online.

Do any VPN providers act as fronts for government intelligence and spy agencies? I do not have the resources to determine this. Perhaps, some enterprising white-hat users can shed some light on this.

What online privacy resources have you found?


Congress Passed Joint Resolution To Revoke New Online Privacy Rules By The FCC. Plenty of Consequences

On Tuesday, the U.S. House of Representatives approved legislation to revoke new online privacy rules the U.S. Federal Communications Commission (FCC) adopted in 2016 to protect consumers by governing the collection and sharing of consumers' personal information by Internet Service Providers (ISPs). Several cable, telecommunications, and advertising lobbies sent a letter in January asking Congress to remove the new broadband privacy rules, which they viewed as burdensome.

Congress quickly complied. The new legislation consisted of two companion bills: Senate Joint Resolution 34 (S.J. Res. 34) and House Joint Resolution 86 (H.J. Res. 86). The House vote was close: 215 to 205, with 215 Republican representatives voting for S.J. Res. 34, and 190 Democratic and 15 Republican representatives voting against it. Consumers can view H.J. Res. 86 votes by their elected officials.

Representative Marsha Blackburn (R-Tenn.) introduced the legislation in the House. Blackburn said plenty in an interview published on Breitbart News:

"What we are doing is recalling a privacy rule that the FCC issued right at the end of the Obama administration, and the reason we are doing this is because it is additional and duplicative regulation... What the FCC did was clearly overreach. It gives you two sets of regulators that you’re trying to comply with, not one. So we are recalling the FCC’s rule, and that authority will go back to the FTC...”

"What the Obama administration did... they reclassified your Internet service as Title II, which is a common carrier classification. It is the rule that governs telephone usage... Those rules were put on the books in the thirties. So what the Democrats did... they reclassified Internet, which is an information service, as a telephone service, and then put those 1930s-era rules on top of your Internet service... They did that so they could tax it, so they could begin to regulate it..."

"You don’t need another layer of regulation. It’s like flashing alerts: We don’t need net neutrality. We don’t need Title II. We don’t need additional regulations heaped on the Internet under Title II. The Internet is not broken. It has done just fine without the government controlling it."

Not broken? Really? The inventor of the World Wide Web, Tim Berners-Lee, gave three solid reasons why the web is broken. His number one reason on his list: consumers have lost control over their personal information.

Plus, Representative Blackburn either doesn't know history or has chosen to ignore it. Several problems have plagued the industry: a lack of ISP competition in key markets, consumers in the United States paying more for broadband and getting slower speeds than consumers in other countries, and numerous privacy violations and lawsuits:

Clearly, the FCC had to act; and it did. Congress held hearings, too.

Advertisement in the New York Times newspaper after the Senate vote.

The Senate passed S.J. Res. 34 about a week before the House vote Tuesday. The Senate vote was also close: 50 to 48. Senator Jeff Flake (R-Arizona) introduced the legislation in the Senate, and he repeated the same over-reach claims:

"The FCC’s midnight regulation has the potential to limit consumer choice, stifle innovation, and jeopardize data security by destabilizing the internet ecosystem. Passing my resolution is the first step toward restoring a consumer-friendly approach to internet privacy regulation that empowers consumers to make informed choices on if and how their data can be shared. It will not change or lessen existing consumer privacy protections.”

Consumers can view S.J. Res 34 votes by their elected officials. The press release by Senator Flake's office also stated:

"Flake’s resolution, S.J.Res. 34, would not change or lessen existing consumer privacy regulations. It is designed to block an attempt by the Federal Communications Commission (FCC) to expand its regulatory jurisdiction and impose prescriptive data restrictions on internet service providers. These restrictions have the potential to negatively impact consumers and the future of internet innovation."

Flake's spin of "midnight regulation" is unfair and inaccurate. The new FCC privacy rules were proposed in April 2016 and adopted in October. That provided plenty of time for discussion and input from consumers, experts, and companies. In March 2016, the FCC released a broadband privacy Fact Sheet, which explained the need for the new privacy rules:

"Telephone networks have had clear, enforceable privacy rules for decades, but broadband networks currently do not... An ISP handles all of its customers’ network traffic, which means it has an unobstructed view of all of their unencrypted online activity – the websites they visit, the applications they use. If customers have a mobile device, their provider can track their physical and online activities throughout the day in real time. Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website. Using this information, ISPs can piece together enormous amounts of information about their customers – including private information such as a chronic medical condition or financial problems. A consumer’s relationship with her ISP is very different than the one she has with a website or app. Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee."

To distinguish spin from facts, it is critical to read the FCC announcement of its new broadband privacy rules from last year:

"Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;

A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information."

Sounds clear, reasonable, and appropriate. Not perfect, but an improvement over what existed before. It addressed transparency concerns, too. To summarize, the new FCC broadband privacy rules kept consumers in control of their sensitive personal information. By revoking those rules, Congress is effectively telling consumers they shouldn't be in control of their own information and ISPs should be.

Do you want to be in control of your personal information online? I do, and I suspect you do, too.

Think about the consequences. Once the legislation is signed by President Trump, ISPs will be free to collect, use, and share information describing your online activities. Your ISP is in a unique position because it carries every packet on your internet connection: it can read all of the un-encrypted data, and even encrypted (HTTPS) connections still reveal which hosts you talk to, because your DNS lookups and the server name in the TLS handshake travel in the clear. That typically includes: a) the websites you visit and apps you use; b) which items in "a" you use repeatedly, when, and for how long; c) the searches you perform at search engine sites and via personal assistants; d) activity generated by appliances, televisions, thermostats, security systems, and other devices connected to your home WiFi; and e) the geo-location, or where in the physical world you perform online activities. (Besides your smartphone, several devices including your car, fitness bands, smart watches, and wearables collect and share your geo-location data.) Perhaps most importantly, your ISP won't need your consent and probably won't tell you what it is sharing and with whom.
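The FCC fact sheet quoted above says an ISP can still see which websites you visit even when the traffic is encrypted, and the VPN post above warns that a VPN is not a cure-all. The example below shows concretely what an on-path observer reads out of an HTTPS visit: the DNS query for the hostname and the Server Name Indication (SNI) field in the TLS ClientHello, both sent unencrypted ahead of the encrypted session. This is an added illustration written for this page, not code from the blog or from any ISP product. The DNS query and ClientHello are constructed inline (minimal, well-formed packets, not captures from a real network), and the parsers assume exactly that minimal shape; they are not general-purpose protocol decoders.

```python
"""
What a passive observer on the ISP's network can read from one HTTPS
visit: the DNS lookup and the TLS SNI both carry the hostname in clear
text (TLS 1.2 and earlier, or TLS 1.3 without Encrypted Client Hello).

All packets here are constructed for the example, not captured traffic.
"""
import struct
from typing import Optional, Tuple


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A-record query (RFC 1035) for hostname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_dns_query_name(packet: bytes) -> str:
    """Read the question name out of a DNS packet, as a sniffer would."""
    labels = []
    pos = 12  # skip the fixed 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension."""
    name = hostname.encode("ascii")
    # server_name extension (RFC 6066): name_type 0 = host_name
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x11" * 32              # client random (fixed for the example)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\xc0\x2f"       # one cipher suite
        + b"\x01\x00"               # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the SNI host_name, or None if not present."""
    if len(record) < 6 or record[0] != 0x16:   # 0x16 = handshake record
        return None
    pos = 5                                     # skip the 5-byte record header
    if record[pos] != 0x01:                     # 0x01 = ClientHello
        return None
    pos += 4                                    # handshake type + 24-bit length
    pos += 2 + 32                               # client_version + random
    pos += 1 + record[pos]                      # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                      # compression_methods
    if pos + 2 > len(record):
        return None                             # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                  # server_name
            # list length (2) + name_type (1) precede the 2-byte name length
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def observe(hostname: str) -> Tuple[str, Optional[str]]:
    """Simulate one visit to https://hostname/ and return what the ISP sees."""
    dns_seen = parse_dns_query_name(build_dns_query(hostname))
    sni_seen = parse_sni(build_client_hello(hostname))
    return dns_seen, sni_seen


if __name__ == "__main__":
    print(observe("www.webmd.com"))  # the page content stays encrypted; the hostname does not
```

The page content of the visit never appears in either packet, yet the hostname does, twice. That is the mechanism behind the fact sheet's claim, and it is also why a VPN that routes web traffic through the tunnel but lets DNS queries go to the ISP's resolver still hands the ISP your browsing history.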

Think about the consequences.

It's not just porn. Your online activities reveal plenty: 1) appointment confirmation e-mails from your doctor reveal the type of doctor and imply certain medical conditions or procedures; 2) online visits to your bank(s) reveal the kinds of accounts you hold and where; 3) online activities by your CHILDREN reveal much, including the types of toys and devices they use; 4) work-from-home activity can reveal proprietary information your employer does not want disclosed; and 5) simple curiosity becomes dangerous. Example: a rash appears on your skin, so you surf over to WebMD to read about symptoms and what it might be. Or, maybe you're reading about a condition of an elderly parent or family member. Problem is: your ISP can infer from your online activities that conditions and diseases relate to you, even though they may not. Another example: health care organizations have to comply with HIPAA regulations to protect patients' privacy. Many patients use online healthcare portals run by their hospital to coordinate care by several doctors and surgeons. Will your ISP honor HIPAA regulations? It probably won't.

Think about the consequences.

All of that information collected about your online activities could be used against you someday... when you apply for a job, when you sign up for insurance, when you apply for a loan, when you try to adopt a baby or child. Remember, two huge industries exist to profit from it: data brokers, which help companies buy, sell, and trade information; and data mining, which helps companies merge, manipulate, and analyze the data they've collected and bought.

Think about the consequences. Your ISP may not allow you to decline (e.g., opt out of) the data collection, tracking, usage, and sharing. Or your ISP may charge more fees for online privacy. Don't think that can't happen. Comcast and industry lobbyists have already stated that they want "pay-for-privacy" schemes. So, with Congress' latest action, consumers may soon see price increases and higher monthly internet and wireless bills.

Some consumers are worried, and are exploring technical solutions to thwart ISPs that snoop. The problem: there is no cure-all solution. Some people are angry. To show lawmakers how terrible their decision was, a crowd-funding campaign was started to raise money to buy (and then publish publicly) the internet histories of leading Republicans (e.g., Senate Majority Leader Mitch McConnell, House Speaker Paul Ryan, House Representative Marsha Blackburn) who voted for the privacy-busting legislation, and of the FCC members who support it. So, we may then learn which members of Congress watch the most porn.

Lawmakers in some states are already responding to voters' online privacy concerns. In Illinois, lawmakers have introduced two items of legislation: the Geolocation Privacy Protection Act (GPPA) and the Right To Know Act (RTKA). Lawmakers in Nevada introduced geolocation privacy legislation. More states will likely follow.

With the FCC broadband privacy rules revoked, there are five creepy things your ISP could do. What are your opinions of Congress revoking FCC broadband privacy rules?

[Editor's note: this blog post was revised on Friday, March 31 with links to new legislation in Illinois and Nevada.]


Study: Many Consumers Don't Secure Their Mobile Devices

Many consumers in the United States don't take the steps experts recommend to secure their mobile devices. Pew Research reported the findings of a recent survey:

"More than a quarter (28%) of smartphone owners say they do not use a screen lock or other security features to access their phone. And while a majority of smartphone users say they have updated their phone's apps or operating system, about 40% say they only update when it's convenient for them. Meanwhile, some users forgo updating their phones altogether: Around one-in-ten smartphone owners report they never update their phone's operating system (14%) or update the apps on their phone (10%)."

And, there are differences by the age of phone owners:

"owners ages 65 and older are much less likely than adults younger than 65 to use a screen lock and regularly update their phone’s apps and operating system (13% vs. 23%). Smartphone users 65 and older are also more than twice as likely as younger users to report that they do not take any of these actions to secure their phones (8% vs. 3%)..."

Other risky behaviors consumers perform:

"... 54% of internet users use public Wi-Fi networks, and many of these users are performing sensitive activities such as online shopping (21%) or online banking (20%)."