69 posts categorized "Internet of Things" Feed

Experts Call For Ban of Killer Robotic Weapons

116 robotics and artificial intelligence experts from 26 countries sent a letter to the United Nations (UN) warning against the deployment of lethal autonomous weapons. The Guardian reported:

"The UN recently voted to begin formal discussions on such weapons which include drones, tanks and automated machine guns... In their letter, the [experts] warn the review conference of the convention on conventional weapons that this arms race threatens to usher in the “third revolution in warfare” after gunpowder and nuclear arms... The letter, launching at the opening of the International Joint Conference on Artificial Intelligence (IJCAI) in Melbourne on Monday, has the backing of high-profile figures in the robotics field and strongly stresses the need for urgent action..."

The letter stated in part:

"Once developed, lethal autonomous weapons will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend. These can be weapons of terror, weapons that despots and terrorists use against innocent populations, and weapons hacked to behave in undesirable ways."

"We do not have long to act. Once this Pandora’s box is opened, it will be hard to close."

This is not science fiction. Autonomous weapons are already deployed:

"Samsung’s SGR-A1 sentry gun, which is reportedly technically capable of firing autonomously but is disputed whether it is deployed as such, is in use along the South Korean border of the 2.5m-wide Korean Demilitarized Zone. The fixed-place sentry gun, developed on behalf of the South Korean government, was the first of its kind with an autonomous system capable of performing surveillance, voice-recognition, tracking and firing with mounted machine gun or grenade launcher... The UK’s Taranis drone, in development by BAE Systems, is intended to be capable of carrying air-to-air and air-to-ground ordnance intercontinentally and incorporating full autonomy..."

Ban, indeed. Your thoughts? Opinions? Reaction?


'Map Your Orgasm' - A New Smart Device For Women

Recently, Mashable reported about a new smart device for women:

"The Lioness looks like a pretty standard vibrator on the outside, but inside it has four sensors that measure temperature, the force of muscle contractions, and track the movement of the device. When you’re done with your session, you can sync the Lioness with its app (available for iOS and Android). It then provides you with easy-to-read visualization of what was happening to your body while you were busy getting off. So, yes, essentially it gives you a map of your orgasm. You can also tag each session with different terms so you can track how your health, sleep, alcohol consumption, mood, etc. affect your experiences."

Gives you a map of your orgasm? That's a surprising description. Perhaps, I shouldn't have been surprised. First, there were online tools such as "map my ride" and map my run." Good stuff to help consumers stay healthy. I guess a tool resembling 'map your orgasm' was bound to happen.

Lioness sounds like a much better product name. To learn more, I visited the Lioness site. The home page featured this statement: "Don't worry, we will never share your email or spam you." That's a good start.

Privacy is important; especially with smart devices which collect intimate data about consumers. Earlier this year, news reports described a plan by a smart-device maker to resell the interior home maps its robovacs created. And, another smart vibrator maker paid hefty fines to settle allegations that it tracked users without their knowledge nor consent.

A wise person once said, "the devil is in the details." The privacy policy in a company's website is a good place to hunt for details. While blogging about privacy and identity theft during the last 10 years, I've read plenty of privacy policies. Plenty. I read the Lioness Privacy Policy (dated May 1) and found some notable sections:

"This Privacy Policy applies to our vibrators and other devices (“Devices”), our websites, including but not limited to lioness.io (individually a “Site” and collectively “Sites”), the Lioness software (“Software”) and Lioness mobile applications (the “Apps”). The Devices, Sites, Software and Apps are collectively referred to in this Policy as the “Lioness Service,” and by proceeding to use the Lioness Service you consent that we may handle the data that we collect from you in accordance with this Privacy Policy."

Pretty standard stuff so far. Warning: I'm not an attorney. If you want legal advice, hire an attorney. Like you, I'm just a regular consumer trying to understand smart devices while maintaining as much privacy as possible. Additional sections in the policy I found interesting:

"Sync Your Device
When you sync your Device through an App or the Software, data recorded on your Device is transferred from your Device to our servers. This data is stored and used to provide the Lioness Service and is associated with your account. Each time a sync occurs, we log data about the transmission. Some examples of the log data are the sync time and date, device battery level, and the IP address used when syncing."

Let's unpack that. The vibrator and its mobile app, record the date, time, and battery usage. Combine this with data collected from the four sensors and Lioness will know plenty about your usage: when (date and time), location, duration, preferred movement patterns, and more. It indeed could create a map. More sections in the policy:

"WHY WE COLLECT DATA
Lioness uses your data to provide you with the best experience possible, to help you learn about your body, and to improve and protect the Lioness Service. Here are some examples: i) Contact information is used to send you notifications and to inform you about new features or products... ii) Data and logs are used in research to understand and improve the Lioness Device and Lioness Service; to troubleshoot the Lioness Service; to detect and protect against error, fraud or other criminal activity; and to enforce the Lioness Terms of Service; iii) Aggregate data that does not identify you may be used to inform the health community about trends; for marketing and promotional use..."

Data That Could Identify You
Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you."

Hmmm. The policy does not list all data elements that personally identify you. For me, that's important to know. And, anything recorded on a smartphone can easily be linked to a person using her 10-digit phone number or the mobile device's serial number.

Informed shoppers probably want to know before purchase which other companies (e.g., business partners, affiliates, advertisers, etc.) Lioness shares data with. Its May 1, 2017 privacy policy also states:

"... companies that are contractually engaged in providing Lioness with services, such as order fulfillment, email management and credit card processing. These companies are obligated by contract to safeguard any PII they receive from us..."

"THIRD PARTIES
Lioness will not be responsible for the practices of third parties that Lioness does not own or control or individuals that Lioness does not employ or manage. The information provided by you to other third parties may be subject to their own privacy policies, which may differ from Lioness’s privacy policy. The Lioness Service may contain links to other sites, and we make every effort to only link to sites that share our high standards and respect for privacy. However, we are not responsible for the privacy practices employed by other sites..."

"DATA RETENTION
Lioness reserves the right to retain your PII for as long as your account remains active..."

So, the policy doesn't mention other companies by name. Not good. That makes it tough for consumers to make informed decisions.

Fitness tracking with the MapMyRide app On Facebook, many of my friends regularly share visual maps of their workouts. (See example on right.) That's their freedom of choice. So, some consumers are probably wondering if Lioness offers a similar share function. Again from the privacy policy:

"Community Posts
The Lioness Service may offer discussion forums, message boards, social networking opportunities, chat pages and other public forums or features in which you may provide personal information, materials and related content. If you submit personal information when using these public features, please note that such personal information may be publicly posted and otherwise disclosed and used without limitation or restriction."

So, the policy doesn't mention literal maps, per se. They might or might not provide the feature to users. The key takeaway: the responsibility rests upon the user. Don't share it if you don't want it made public.

It's probably helpful to also know that the product uses Bluetooth technology to perform data syncing. From the Lioness FAQ page:

"Wait...will there be bluetooth in my vagina?
Nope. We know that there are a lot of people who don’t like the idea of bluetooth being on while in use, so we made it so bluetooth automatically turns off when you use it."

Also, the FAQ page mentioned:

"Is my data stored securely and kept confidential?
Absolutely. We thought about privacy and security from the beginning for this product. You are the only one who can access your individual data. Everything is encrypted and we fully anonymize the data..."

That's good, but the privacy policy didn't mention data encryption. I expected it would. Not sure what to make of that.

Is the Lioness a good deal? Only you can decide for yourself -- and you should after reading both the privacy and terms-of-service policies.

Me? In my opinion, there seems to be too much wiggle-room for data sharing. The policy contains a lot of words and nothing special compared to other policies I've read. What are your opinions?


Bungled Software Update Renders Customers' Smart Door Locks Inoperable

Image of Lockstate RemoteLock 6i device. Click to view larger version A bungled software update by Lockstate, maker of WiFi-enabled door locks, rendered many customers' locks inoperable -- or "bricked." Lockstate notified affected customers in this letter:

"Dear Lockstate Customer,
We notified you earlier today of a potential issue with your LS6i lock. We are sorry to inform you about some unfortunate news. Your lock is among a small subset of locks that had a fatal error rendering it inoperable. After a software update was sent to your lock, it failed to reconnect to our web service making a remote fix impossible...

Many AirBnb operators use smart locks by Lockstate to secure their properties. In its website, Lockstate promotes the LS6i lock as:

"... perfect for your rental property, home or office use. This robust WiFi enabled door lock allows users to lock or unlock doors remotely, know when people unlock your door, and even receive text alerts when codes are used. Issue new codes or delete codes from your computer or phone. Even give temporary codes to guests or office personnel."

Reportedly, about 200 Airbnb customers were affected. The company said 500 locks were affected. ArsTechnica explained how the bungled software update happened:

"The failure occurred last Monday when LockState mistakenly sent some 6i lock models a firmware update developed for 7i locks. The update left earlier 6i models unable to be locked and no longer able to receive over-the-air updates."

Some affected customers shared their frustrations on the company's Twitter page. Lockstate said the affected locks can still be operated with physical keys. While that is helpful, it isn't a solution since customers rely upon the remote features. Affected customers have two repair options: 1) return the back portion of the lock (repair time about 5 to 7 days), or 2) request a replace (response time about 14 to 18 days).

The whole situation seems to be another reminder of the limitations when companies design smart devices with security updates delivered via firmware. And, a better disclosure letter by Lockstate would have explained corrections to internal systems and managerial processes, so this doesn't happen again during another software update.

What are your opinions?


Google And Massachusetts Transportation Department Provide GPS Signals In Tunnels

Smartphone users love their phones. That includes Global Positioning System (GPS) navigation services for driving directions. However, those driving directions don't work in tunnels where phones can't get GPS signals. That is changing.

Google and the Massachusetts Department of Transportation (MassDOT) have entered a partnership to provide GPS navigation services for drivers inside tunnels. If you've familiar with Boston, then you know that portions of both Interstate 93 and the Massachusetts Turnpike include tunnels. The ABC affiliate in Boston, WCVB reported last month that the partnership, part of the Connected Citizens Program, will:

"... install beacons inside Boston's tunnels to help GPS connection stay strong underground. Around 850 beacons are being installed, free of charge, as a part of an ongoing partnership between the state and the traffic app... Installation is scheduled to be complete by the end of July... The beacons are not limited to improving their own app's signal. As long as you are using Bluetooth, they are able to help improve any traffic app's connection."

For those unfamiliar with the technology, beacons are low-powered transmitters which, in this particular application, are installed in the tunnels' walls and provide geographic location information usable by drivers' (or passengers') smartphones passing by (assuming the phones' Bluetooth features are enabled).

Bluetooth beacons are used in a variety of applications and locations. The Privacy SOS blog explained:

"... They’re useful in places where precise location information is necessary but difficult to acquire via satellite. For that reason, they’ve been field tested in museums such as New York’s Metropolitan Museum of Art and airports like London Gatwick. At Gatwick, beacons deliver turn-by-turn directions to users’ phones to help them navigate the airport terminals..."

Within large airports such as Gatwick, the technology can present more precise geolocation data of nearby dining and shopping venues to travelers. According to Bluetooth SIG, Inc., the community of 30,000 companies that use the technology:

"The proliferation and near universal availability of Bluetooth® technology is opening up new markets at all ends of the spectrum. Beacons or iBeacons—small objects transmitting location information to smartphones and powered by Bluetooth with low energy—make the promise of a mobile wallet, mobile couponing, and location-based services possible... The retail space is the first to envision a future for beacons using for everything from in-store analytics to proximity marketing, indoor navigation and contactless payments. Think about a customer who is looking at a new TV and he/she gets a text with a 25 percent off coupon for that same TV and then pays automatically using an online account..."

iBeacons are the version for Apple branded mobile devices. All 12 major automobile makers offer hands-free phone calling systems using the technology. And, social network giant Facebook has developed its own proprietary Bluetooth module for an undisclosed upcoming consumer electronics device.

So, the technology provides new marketing and revenue opportunities to advertisers. TechCrunch explained:

"The Beacons program isn’t looking to get help from individual-driver Wazers in this case, but is looking for cities and tunnel owners who might be fans of the service to step up and apply to its program. The program is powered by Eddystone, a Bluetooth Low Energy beacon profile created by Google that works with cheap, battery-powered BLE Waze Beacon hardware to be installed in participating tunnels. These beacons would be configured to transmit signals to Bluetooth-enabled smartphones... There is a cost to participate — each beacon is $28.50, Waze notes, and a typical installation requires around 42 beacons per mile of tunnel. But for municipalities and tunnel operators, this would actually be a service they can provide drivers, which might actually eliminate frustration and traffic..."

There are several key takeaways here:

  1. GPS navigation services can perform better in previously unavailable areas,
  2. Companies can collect (and share) more precise geolocation data about consumers and our movements,
  3. Consumers' GPS data can now be collected in previously unattainable locations,
  4. What matters aren't the transmissions by beacons, but rather the GPS and related data collected by your phone and the apps you use, which are transmitted back to the apps' developers, and then shared by developers with their business partners (e.g., mobile service providers, smartphone operating system developers, advertisers, and affiliates
  5. You don't have to be a Google user for Google to collect GPS data about you, and
  6. Consumers can expect a coming proliferation of Bluetooth modules in a variety of locations, retail stores, and devices.

So, now you know more about how Google and other companies collect GPS data about you. After analyzing the geolocation data collected, they know not only when and where you go, but also your patterns in the physical world: where you go on certain days and times, how long you stay, where and what you've done before (and after), who you associate with, and more.

Don't like the more precise tracking? Then, don't use the Waze app or Google Maps, delete the blabbermouth apps, or turn off the Bluetooth feature on your phone.

A noted economist once said, "There is no free lunch." And that applies to GPS navigation in tunnels. The price for "free," convenient navigation services means mobile users allow companies to collect and analyze mountains of data about their movements in the physical world.

What are your opinions of GPS navigation services in tunnels? If the city or town where you live has tunnels, have beacons been installed?


Hacked Amazon Echo Converted Into Always-On Surveillance Device

Image of amazon Echo Wired reported how a white-hat hacker provided proof-of-concept that a popular voice-activated, smart home speaker could easily be hacked:

"... British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion."

Amazon sells both new and refurbished speakers. Newer models also include cameras. All are probably high-value targets of hackers and spy agencies.

Reportedly, Amazon has fixed the security vulnerability in newer (2017) models. The company advises customers to keep the software on their speakers current, and purchase speakers from trusted retailers. However (bold emphasis added):

"... Barnes agrees that his work should serve as a warning that Echo devices bought from someone other than Amazon—like a secondhand seller—could be compromised. But he also points out that, contrary to the implication of the company's statement, no software update will protect earlier versions of the Echo, since the problem is in the physical connection its hardware exposes.

Instead, he says that people should think twice about the security risks of using an Echo in public or semipublic places, like plans for the Wynn Hotel in Las Vegas to put an Echo in every room."

Voice-activated smart speakers in hotel lobbies and rooms. Nothing could go wrong with that. All it takes is a prior guest, or criminal posing as a hotel staff or cleaning person, to hack and compromise one or more older devices. Will hotels install the newer devices? Will they inform guests?

For guaranteed privacy, it seems hotel guests may soon have to simply turn off (or mute) smart speakers, smart televisions, and personal assistants. Convenience definitely has its price (e.g., security and privacy). What do you think?


Survey: 90 Percent Of Consumers Want Smart Devices With Security Built In

A recent survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built into the products. Also, 78 percent said they are aware that any smart device connected to their home WiFi network is vulnerable to attacks by hackers wanting to steal personal data stored on the device.

Security importance by country. Irdeto Global Consumer IoT Security Survey. Select to view larger version The Irdeto Global Consumer IoT Security Survey, conducted online from June 22, 2017 to July 10, 2017 by YouGov Plc for Irdeto, included 7,882 adults (aged 18 or older) in six countries: Brazil, China, Germany, India, United Kingdom, and United States. Irdeto provides security solutions to protect platforms and applications for media, entertainment, automotive and Internet-of-things (IoT) connected industries.

Additional key findings:

"... 72% of millennials (ages 18-24 years) indicated that they are aware that any smart device connected to the Wi-Fi in their home has the potential to be targeted by a hacker, compared to 82% of consumers 55+. This indicates that older generations may be more savvy about IoT security or more cautious... More than half of consumers around the globe (56%) think that it is the responsibility of both the end-user and the manufacturer of the product to prevent hacking of smart devices. Alternatively, only 15% of consumers globally think they are responsible, while 20% feel the manufacturer of the device is responsible for cybersecurity. In China, more consumers than any other country surveyed (31%) stated that it is the responsibility of manufacturers. Brazilians led all countries surveyed (23%) in the belief that it is the responsibility of the end-user to prevent hacking of connected devices... Germans expressed the least concern with nearly half (42%) stating that they are not concerned about smart devices being hacked. On the opposite end of the spectrum, Brazilian smart device owners expressed the most concern with 88% of those surveyed saying they were concerned...

And, smart device usage varies by country:

"Regarding the number of smart devices consumers own, 89% of those surveyed have at least one connected device in their home. In addition, 81% of consumers across the globe admitted to having more than one connected device in the home. India led all countries with a staggering 97% of consumers stating that they have at least one smart device in the home, compared to only 80% of US consumers..."

Read the announcement by Irdeto. View the full infographic.

Device security responsibility. Irdeto Global Consumer IoT Security Survey. Select to view larger version


Robotic Vacuum Cleaner Maker To Resell Data Collected Of Customers' Home Interiors

iRobot Roomba autonomous vacuum. Click to view larger image Do you use a robovac -- an autonomous WiFi-connected robotic vacuum cleaner -- in your home? Do you use the mobile app to control your robovac?

Gizmodo reports that iRobot, the maker of the Roomba robotic vacuum cleaner, plans to resell maps generated by robovacs to other smart-home device manufacturers:

"While it may seem like the information that a Roomba could gather is minimal, there’s a lot to be gleaned from the maps it’s constantly updating. It knows the floor plan of your home, the basic shape of everything on your floor, what areas require the most maintenance, and how often you require cleaning cycles, along with many other data points... If a company like Amazon, for example, wanted to improve its Echo smart speaker, the Roomba’s mapping info could certainly help out. Spatial mapping could improve audio performance by taking advantage of the room’s acoustics. Do you have a large room that’s practically empty? Targeted furniture ads might be quite effective. The laser and camera sensors would paint a nice portrait for lighting needs..."

Think about it. The maps identify whether you have one, none, or several sofas -- or other large furniture items. The maps also identify the size, square footage, of your home and the number of rooms. Got a hairy pet? If your robovac needs more frequently cleaning, that data is collected, too.

One can easily confirm this by reading the iRobot Privacy Policy:

"... Some of our Robots are equipped with smart technology which allows the Robots to transmit data wirelessly to the Service. For example, the Robot could collect and transmit information about the Robot’s function and use statistics, such as battery life and health, number of missions, the device identifier, and location mapping. When you register your Robot with the online App, the App will collect and maintain information about the Robot and/or App usage, feature usage, in-App transactions, technical specifications, crashes, and other information about how you use your Robot and the product App. We also collect information provided during set-up.

We use this information to collect and analyze statistics and usage data, diagnose and fix technology problems, enhance device performance, and improve user experience. We may use this information to provide you personalized communications, including marketing and promotional messages... Our Robots do not transmit this information unless you register your device online and connect to WiFi, Bluetooth, or connect to the internet via another method."

Everything seems focused upon making your robovac perform optimally. Seems. Read on:

"When you access the Service by or through a mobile device, we may receive or collect and store a unique identification numbers associated with your device or our mobile application (including, for example, a UDID, Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data, including GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your mobile device..."

Use the mobile app and your robovac's unique ID number can easily be associated with other data describing you, where you live, and your lifestyle. Valuable stuff.

Another important section of the privacy policy:

"We may share your personal information in the instances described... i) Other companies owned by or under common ownership as iRobot, which also includes our subsidiaries or our ultimate holding company and any subsidiaries it owns. These companies will use your personal information in the same way as we can under this Policy; ii) Third party vendors, affiliates, and other service providers that perform services on our behalf, solely in order to carry out their work for us, which may include identifying and serving targeted advertisements, providing e-commerce services, content or service fulfillment, billing, web site operation, payment processing and authorization, customer service, or providing analytics services.

Well, there seems to be plenty of wiggle room for iRobot to resell your data. And, that assumes it doesn't change its privacy policy to make resales easier. Note: this is not legal advice. If you want legal advice, hire an attorney. I am not an attorney.

The policy goes on to describe customers' choices with stopping or opting out of data collection programs for some data elements. If you've read that, then you know how to opt out of as much as possible of the data collection.

The whole affairs highlights the fact that the data collected from different brands of smart devices in consumers' homes can be combined, massaged, and analyzed in new ways -- ways in which probably are not apparent to consumers, and which reveal more about you than often desired. And, the whole affair is a reminder to read privacy policies before purchases. Know what valuable personal data you will give away for convenience.

Eyes wide open.

Got an autonomous robotic lawn mower? You might re-read the privacy policy for that, too.


The Need For A Code Of Ethics With The Internet Of Things

Earlier this week, The Atlantic website published and interview with Francine Berman, a computer-science professor at Rensselaer Polytechnic Institute, about the need for a code of ethics for connected, autonomous devices, commonly referred to as the internet-of-things (IoT). The IoT is exploding.

Experts forecast 8.4 billion connected devices in use worldwide in 2017, up 31 percent from 2016. Total spending for those devices will reach almost $2 trillion in 2017, and $20.4 billion by 2020. North America, Western Europe, and China, which already comprise 67 percent of the installed base, will drive much of this growth.

In a February, 2017 article (Adobe PDF) in the journal Communications of the Association for Computing Machinery, Berman and Vint Cerf, an engineer, discussed the need for a code of ethics:

"Last October, millions of interconnected devices infected with malware mounted a "denial-of-service" cyberattack on Dyn, a company that operates part of the Internet’s directory service. Such attacks require us to up our technical game in Internet security and safety. They also expose the need to frame and enforce social and ethical behavior, privacy, and appropriate use in Internet environments... At present, policy and laws about online privacy and rights to information are challenging to interpret and difficult to enforce. As IoT technologies become more pervasive, personal information will become more valuable to a diverse set of actors that include organizations, individuals, and autonomous systems with the capacity to make decisions about you."

Given this, it seems wise for voters to consider whether or not elected officials in state, local, and federal government understand the issues. Do they understand the issues? If they understand the issues, are they taking appropriate action? If they aren't taking appropriate action, is due to other priorities? Or are different elected officials needed? At the federal level, recent events with broadband privacy indicate a conscious decision to ignore consumers' needs in favor of business.

In their ACM article, Bermand and Cerf posed three relevant questions:

  1. "What are your rights to privacy in the internet-of-things?
  2. Who is accountable for decisions made by autonomous systems?
  3. How do we promote the ethical use of IoT technologies?"

Researchers and technologists have already raised concerns about the ethical dilemmas of self-driving cars. Recent events have also highlighted the issues.

Some background. Last October, a denial-of-service attack against a hosting service based in France utilized a network of more than 152,000 IoT devices, including closed-circuit-television (CCTV) cameras and DVRs. The fatal crash in May of a Tesla Model S car operating in auto-pilot mode and the crash in February of a Google self-driving car raised concerns. According to researchers, 75 percent of all cars shipped globally will have internet connectivity by 2020. Last month, a security expert explained the difficulty with protecting connected cars from hackers.

And after a customer posted a negative review online, a developer of connected garage-door openers disabled both the customer's device and online account. (Service was later restored.) Earlier this year, a smart TV maker paid $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC). Consumers buy and use a wide variety of connected devices: laptops, tablets, smartphones, personal assistants, printers, lighting and temperature controls, televisions, home security systems, fitness bands, smart watches, toys, smart wine bottles, and home appliances (e.g., refrigerators, hot water heaters, coffee makers, crock pots, etc.). Devices with poor security features don't allow operating system and security software updates, don't encrypt key information such as PIN numbers and passwords, and build the software into the firmware where it cannot be upgraded. In January, the FTC filed a lawsuit against a modem/router maker alleging poor security in its products.

Consumers have less control over many IoT devices, such as smart utility meters, which collect information about consumers. Typically, the devices are owned and maintained by utility companies while installed in or on consumers' premises.

Now, back to the interview in The Atlantic. Professor Berman reminded us that society has met the ethical challenge before:

"Think about the Industrial Revolution: The technologies were very compelling—but perhaps the most compelling part were the social differences it created. During the Industrial Revolution, you saw a move to the cities, you saw the first child-labor laws, you saw manufacturing really come to the fore. Things were available that had not been very available before..."

Well, another revolution is upon us. This time, it includes changes brought about by the internet and the IoT. Berman explained today's challenges include considerations:

"... we never even imagined we’d have to think about. A great example: What if self-driving cars have to make bad choices? How do they do that? Where are the ethics? And then who is accountable for the choices that are made by autonomous systems? This needs to be more of a priority, and we need to be thinking about it more broadly. We need to start designing the systems that are going to be able to support social regulation, social policy, and social practice, to bring out the best of the Internet of Things... Think about designing a car. I want to design it so it’s safe, and so that the opportunity to hack my car is minimized. If I design Internet of Things systems that are effective, provide me a lot of opportunities, and are adaptive, but I only worry about really important things like security and privacy and safety afterwards, it’s much less effective than designing them with those things in mind. We can lessen the number of unintended consequences if we start thinking from the design stage and the innovation stage how we’re going to use these technologies. Then, we put into place the corresponding social framework."

Perhaps, most importantly:

"There’s a shared responsibility between innovators, companies, the government, and the individual, to try and create and utilize a framework that assigns responsibility and accountability based on what promotes the public good."

Will we meet the challenge of this revolution? Will innovators, companies, government, and individuals share responsibility? Will we work for the public good or solely for business growth and profitability?

What do you think?


Security Experts State Privacy Issues With Proposed NHTSA Rules For Vehicle Automation

The Center For Democracy & Technology (CDT) and four cryptographers have stated their security and privacy concerns regarding proposed rules by the National Highway Traffic Safety Administration (NHTSA) for vehicle automation and communications. In a CDT blog post, Chief Technologist Lorenzo Hall stated that the group's concerns about NHTSA's:

"... proposed rulemaking to establish a new Federal Motor Vehicle Safety Standard (FMVSS), No. 150, which intends to mandate and standardize vehicle-to-vehicle (V2V) communications for new light vehicles... Our comments highlight our concern that NHTSA’s proposal standard may not contain adequate measures to protect consumer privacy from third parties who may choose to listen in on the Basic Safety Message (BSM) broadcast by vehicles. Inexpensive real-time tracking of vehicles is not a distant future hypothetical. Vehicle tracking will be exploited by a multitude of companies, governments, and criminal elements for a variety of purposes such as vehicle repossession, blackmail, gaining an advantage in a divorce settlement, mass surveillance, commercial espionage, organized crime, burglary, or stalking.

Our concern is that the privacy protections currently proposed for V2V communications may be easily circumvented by any party determined to perform large-scale real-time tracking of multiple vehicles at once. This poses a serious costs for both individual privacy and society at large..."

FMVSS Standards include regulations automobile and vehicle manufacturers must comply with. Read the proposed FMVSS Rule 150 in the Federal Register. The proposed rule specifies how vehicles will automatically broadcast Basic Safety Messages (BSM).

The group's detailed submission (Adobe PDF) to the U.S. Department of Transportation (DOT) described specific privacy concerns. One example:

"2.1 Linking a vehicle to an individual
The NPRM proposes that vehicle location accurate to within 1.5 meters be included in every BSM. Such high accuracy is sufficient to identify a vehicle’s specific parking spot. Assuming a suburban environment where the parking spot is a driveway, this information is enough to identify the owners or tenants... Vehicles can be further disambiguated among members of a household or people sharing parking spots by when they leave and where they go. For instance, shift workers, 9-to-5 office workers, high school students, and stay-at-home parents will all have different, distinguishable patterns of vehicle use. Even among office commuters, the first few turns after leaving the driveway will be very useful for disambiguating people working at different locations..."

So, when you leave home and the route you take can easily identify individuals. You don't have to be the registered owner of the car. Yes, your smartphone broadcasts to the nearest cellular tower and that identifies your location, but not as precisely. Privacy is needed because the bad guys -- stalkers, criminals -- could also use BSMs to spy upon individuals.

The security experts found the proposed BSM privacy statement by NHTSA to be one-sided and incomplete:

"The examples of third-party collection provided in paragraph (b) of the privacy statement mention only benign collection for beneficial purposes, such as accident avoidance, transit maintenance, or valuable commercial services. They selectively highlight the socially beneficial uses of V2V information without mentioning commercial services [which] may not [be] valuable for consumers; or other potential, detrimental, or even criminal uses. This is especially troubling..."

The CDT and security experts recommended that due to the privacy risks described:

"... we firmly believe that, unless a considerably more privacy-conscious proposal is put forward, consumers should be given the choice to opt-in or opt-out (without a default opt-in), and should be made clearly aware of what they are opting in to..."

I agree. A totally sensible and appropriate approach. The group's detailed submission also compared several vehicle tracking methods:

"... physically following a car or placing a GPS device on it, do not allow for mass tracking of most vehicles in a given area. Some options, such as cellphone tracking or toll collection history, require specialized access to a private infrastructure. Cellular data does not provide precise position information to just anyone who listens in... Moreover, cellular technology is evolving rapidly — today it provides more privacy than in the past... license-plate-based tracking requires a line of sight to a given vehicle, and thus is usually neither pervasive nor real-time. A vehicle can be observed driven or parked, but not tracked continuously unless followed. Only a few vehicles can be observed by a camera at any given time. Thus, license-plate-based tracking provides only episodic reports of locations for most vehicles. In contrast, because receiving the BSM does not require a line of sight and the BSM is transmitted ten times per second, multiple vehicles can be tracked simultaneously, continuously, and in real time.

The Privacy Technical Analysis Report concluded that the only option other than BSMs that may be viable for large-scale real-time tracking without any infrastructure access is via toll transponders."

License-plate tracking and the cameras used are often referred to as Automated License Plate Readers (ALPR). Law enforcement uses four types of ALPR technologies: mobile cameras, stationary cameras, semi-stationary cameras, and ALPR databases.

So, BSM provides large-scale real-time tracking. And, while toll transponders provide consumers with a convenient method to pay and zoom through tolls, the technology can be used to track you. Read the full CDT blog post.


Security Expert Says Protecting Driverless Cars From Hackers Is Hard

Wired Magazine recently interviewed Charlie Miller, an automobile security expert, about the security of driverless cars. You may remember Miller. He and an associated remotely hacked a moving Jeep vehicle in 2015 to demonstrate security vulnerabilities in autos. Miller later worked for Uber, and recently joined Didi.

Wired Magazine reported:

"Autonomous vehicles are at the apex of all the terrible things that can go wrong,” says Miller, who spent years on the NSA’s Tailored Access Operations team of elite hackers before stints at Twitter and Uber. “Cars are already insecure, and you’re adding a bunch of sensors and computers that are controlling them…If a bad guy gets control of that, it’s going to be even worse."

The article highlights the security issues with driverless used by ride-sharing companies. Simply, the driverless taxi or ride-share car is unattended for long periods of time.. That is a huge opportunity for hackers posing as riders to directly access and hack driverless cars:

"There’s going to be someone you don’t necessarily trust sitting in your car for an extended period of time,” says Miller. “The OBD2 port is something that’s pretty easy for a passenger to plug something into and then hop out, and then they have access to your vehicle’s sensitive network."

The article also highlights some of the differences between driverless cars used as personal vehicles versus as ride-sharing (or taxi) cars. In a driverless personal vehicle, the owner -- who is also the inattentive driver -- can regain control after a remote hack and steer/brake to safety. Not so in a driverless ride-sharing car or taxi.

Do you believe that criminals won't try to hack driverless (ride-sharing and taxi) cars? History strongly suggests otherwise. Since consumers love the convenience of pay-at-the-pump in gas stations, criminals have repeatedly installed skimming devices in unattended gas station pumps to steal drivers' debit/credit payment information. No doubt, criminals will want to hack driverless cars to steal riders' payment information.

What are your opinions of the security of driverless cars?


A Cautionary Tale About The Internet Of Things And The CRFA

The internet-of-things devices consumers installed in their homes aren't really theirs. Oh, consumers paid good money for these smart devices, but the devices aren't really theirs. How so you ask? The cautionary tale below explains.

Unhappy with Garadget, an internet-connected garage-door opener he bought, Robert Martin posted negative reviews on both Garadget's official discussion board (username: rdmart7) and on Garadget's Amazon page. Unhappy with those negative reviews, Denis Grisak, the device's creator, responded initially by disabling internet access to the mobile app Martin used to operate his device. Grisak angrily said Martin could return his device for a refund.

You might call that a digital mugging.

The disagreement escalated and Grisak also disabled Martin's access to the Garadget discussion board and to Martin's online profile. You can read the entire story by The Atlantic. There are several items to learn from this incident. First, as The Atlantic concluded:

"Even just an angry moment can turn a smart device into a dead one."

Clearly, the device creator overreacted by disabling internet access. Grisak later softened his position and restored Martin's online connections. However, the incident highlights the fact that in the heat of the moment, angry (or ethically-challenged) and revengeful device makers can easily and quickly disable smart devices. It doesn't matter that consumers legally paid for those devices.

Second, end-user license agreements (EULA) matter. Terms of service policies matter. Most consumers never read these documents, and they matter greatly. The incident is a reminder of the "gag clauses" some companies insert into policies to silence negative reviews. This incident highlights a technical tactic ethically-challenged device makers can use to enforce gag clauses.

And it's not only device makers. In 2009, some physicians tried to force patients to sign, “Consent And Mutual Agreement to Maintain Privacy” (MAMP) policy documents. Don’t be fooled by the policy name, which is a fancy label for a gag clause. The policy document usually requires the patient to give up their rights to mention that physician on any social networking sites.

Third, legislation and consumer protections matter. The Atlantic reported:

"Some commenters on Amazon and Hacker News wondered whether Grisak’s public online revenge was legal. One person encouraged Martin to reach out to his state attorney general’s office. That’s a complicated question... A bill signed into law signed in December prohibits companies from including “gag clauses” in the contracts they enter into with customers, meaning they can’t bring legal action against someone just for a negative review."

That new law is the "Consumer Review Fairness Act" (CRFA - H.R. 5111) which protects consumers' rights to share their honest opinions online about any product or service.The U.S. Federal Trade Commission (FTC) explains the CRFA and provides guidance:

"The law protects a broad variety of honest consumer assessments, including online reviews, social media posts, uploaded photos, videos, etc. And it doesn’t just cover product reviews. It also applies to consumer evaluations of a company’s customer service... the Act makes it illegal for a company to use a contract provision that: a) bars or restricts the ability of a person who is a party to that contract to review a company’s products, services, or conduct; b) imposes a penalty or fee against someone who gives a review; or c) requires people to give up their intellectual property rights in the content of their reviews.

The [CRFA] makes it illegal for companies to include standardized provisions that threaten or penalize people for posting honest reviews. For example, in an online transaction, it would be illegal for a company to include a provision in its terms and conditions that prohibits or punishes negative reviews by customers. (The law doesn’t apply to employment contracts or agreements with independent contractors, however.) The law says it’s OK to prohibit or remove a review that: 1) contains confidential or private information – for example, a person’s financial, medical, or personnel file information or a company’s trade secrets; 2) is libelous, harassing, abusive, obscene, vulgar, sexually explicit, or is inappropriate with respect to race, gender, sexuality, ethnicity, or other intrinsic characteristic; 3) is unrelated to the company’s products or services; or 4) is clearly false or misleading."

However, the CRFA won't stop device makers from disabling the mobile apps and/or smart devices of consumers who have posted negative reviews. And, an online search easily retrieves physicians' sites still displaying MAMP policy documents. I guess that not everyone is aware of the CRFA.

Fourth, the consumer backlash has begun against smart devices with allegedly poor security. The @Internetofshit blogger (on Twitter and on Facebook) tracks and discusses such devices and device makers' actions that allegedly violate the CRFA. The discussion recently included Garadget:

Tweet by Internetofshit blogger about Garadget. Click to view larger version

What are your opinions of the Garadget incident? Of the CRFA? Of smart device security?


Maker Of Smart Vibrators To Pay $3.75 Million To Settle Privacy Lawsuit

Today's smart homes contain a variety of internet-connected appliances -- televisions, utility meters, hot water heaters, thermostats, refrigerators, security systems-- and devices you might not expect to have WiFi connections:  mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins. Add smart vibrators to the list.

We-Vibe logo We-Vibe, a maker of vibrators for better sex, will pay U.S. $3.75 million to settle a class action lawsuit involving allegations that the company tracked users without their knowledge nor consent. The Guardian reported:

"Following a class-action lawsuit in an Illinois federal court, We-Vibe’s parent company Standard Innovation has been ordered to pay a total of C$4m to owners, with those who used the vibrators associated app entitled to the full amount each. Those who simply bought the vibrator can claim up to $199... the app came with a number of security and privacy vulnerabilities... The app that controls the vibrator is barely secured, allowing anyone within bluetooth range to seize control of the device. In addition, data is collected and sent back to Standard Innovation, letting the company know about the temperature of the device and the vibration intensity – which, combined, reveal intimate information about the user’s sexual habits..."

Image of We-Vibe 4 Plus product with phone. Click to view larger version We-Vibe's products are available online at the Canadian company's online store and at Amazon. This Youtube video (warning: not safe for work) promotes the company's devices. Consumers can use the smart vibrator with or without the mobile app on their smartphones. The app is available at both the Apple iTunes and Google Play online stores.

Like any other digital device, security matters. C/Net reported last summer:

"... two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the [We-Vibe 4Plus] device. It could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical. What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found..."

In the September 2016 complaint (Adobe PDF; 601 K bytes), the plaintiffs sought to stop Standard Innovation from "monitoring, collecting, and transmitting consumers’ usage information," collect damages due to the alleged unauthorized data collection and privacy violations, and reimburse users from their purchase of their We-Vibe devices (because a personal vibrator with this alleged data collection is worth less than a personal vibrator without data collection). That complaint alleged:

"Unbeknownst to its customers, however, Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address — to its servers in Canada... By design, the defining feature of the We-Vibe device is the ability to remotely control it through We-Connect. Defendant requires customers to use We-Connect to fully access the We-Vibe’s features and functions. Yet, Defendant fails to notify or warn customers that We-Connect monitors and records, in real time, how they use the device. Nor does Defendant disclose that it transmits the collected private usage information to its servers in Canada... Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or patterns selected by the user, and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts... In addition, Defendant designed We-Connect to surreptitiously route information from the “connect lover” feature to its servers. For instance, when partners use the “connect lover” feature and one takes remote control of the We-Vibe device or sends a [text or video chat] communication, We-Connect causes all of the information to be routed to its servers, and then collects, at a minimum, certain information about the We-Vibe, including its temperature and battery life. That is, despite promising to create “a secure connection between your smartphones,” Defendant causes all communications to be routed through its servers..."

The We-Vibe Nova product page lists ten different vibration modes (e.g., Crest, Pulse, Wave, Echo, Cha-cha-cha, etc.), or users can create their own custom modes. The settlement agreement defined two groups of affected consumers:

"... the proposed Purchaser Class, consisting of: all individuals in the United States who purchased a Bluetooth-enabled We-Vibe Brand Product before September 26, 2016. As provided in the Settlement Agreement, “We-Vibe Brand Product” means the “We-Vibe® Classic; We-Vibe® 4 Plus; We-Vibe® 4 Plus App Only; Rave by We-VibeTM and Nova by We-VibeTM... the proposed App Class, consisting of: all individuals in the United States who downloaded the We-Connect application and used it to control a We-Vibe Brand Product before September 26, 2016."

According to the settlement agreement, affected users will be notified by e-mail addresses, with notices in the We-Connect mobile app, a settlement website (to be created), a "one-time half of a page summary publication notice in People Magazine and Sports Illustrated," and by online advertisements in several websites such as Google, YouTube, Facebook, Instagram, Twitter, and Pinterest. The settlement site will likely specify additional information including any deadlines and additional notices.

We-Vibe announced in its blog on October 3, 2016 several security improvements:

"... we updated the We-ConnectTM app and our app privacy notice. That update includes: a) Enhanced communication regarding our privacy practices and data collection – in both the onboarding process and in the app settings; b) No registration or account creation. Customers do not provide their name, email or phone number or other identifying information to use We-Connect; c) An option for customers to opt-out of sharing anonymous app usage data is available in the We-Connect settings; d) A new plain language Privacy Notice outlines how we collect and use data for the app to function and to improve We-Vibe products."

I briefly reviewed the We-Connect App Privacy Policy (dated September 26, 2016) linked from the Google Play store. When buying digital products online, often the privacy policy for the mobile app is different than the privacy policy for the website. (Informed shoppers read both.) Some key sections from the app privacy policy:

"Collection And Use of Information: You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app."

I don't have access to the prior version of the privacy policy. That last sentence seems clear and should be a huge warning to prospective users about the data collection. More from the policy:

"We collect and use information for the purposes identified below... To access and use certain We-Vibe product features, the We-Connect app must be installed on an iOS or Android enabled device and paired with a We-Vibe product. We do not ask you to provide your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise... The first time you launch the We-Connect app, our servers will provide you with an anonymous token. The We-Connect app will use this anonymous token to facilitate connections and share control of your We-Vibe with your partner using the Connect Lover feature... certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users."

In a way that does not personally identify individuals? What way? Is that the "anonymous token" or something else? More clarity seems necessary.

Consumers should read the app privacy policy and judge for themselves. Me? I am skeptical. Why? The "unique device identifier" can be used exactly for that... to identify a specific phone. The IP address associated with each mobile device can also be used to identify specific persons. Match either number to the user's 10-digit phone number (readily available on phones), and it seems that one can easily re-assemble anonymously collected data afterwards to make it user-specific.

And since partner(s) can remotely control a user's We-Vibe device, their information is collected, too. Persons with multiple partners (and/or multiple We-Vibe devices) should thoroughly consider the implications.

The About Us page in the We-Vibe site contains this company description:

"We-Vibe designs and manufactures world-leading couples and solo vibrators. Our world-class engineers and industrial designers work closely with sexual wellness experts, doctors and consumers to design and develop intimate products that work in sync with the human body. We use state-of-the-art techniques and tools to make sure our products set new industry standards for ergonomic design and high performance while remaining eco‑friendly and body-safe."

Hmmmm. No mentions of privacy nor security. Hopefully, a future About Us page revision will mention privacy and security. Hopefully, no government officials use these or other branded smart sex toys. This is exactly the type of data collection spies will use to embarrass and/or blackmail targets.

The settlement is a reminder that companies are willing, eager, and happy to exploit consumers' failure to read privacy policies. A study last year found that 74 percent of consumers surveyed never read privacy policies.

All of this should be a reminder to consumers that companies highly value the information they collect about their users, and generate additional revenue streams by selling information collected to corporate affiliates, advertisers, marketing partners, and/or data brokers. Consumers' smartphones are central to that data collection.

What are your opinions of the We-Vibe settlement? Of its products and security?


Smart Mouse Traps: A Good Deal For Consumers?

Rentokil logo Rentokil, a pest control company, has introduced in the United Kingdom a new pest-control device for consumers wanting the latest WiFi technology. The company introduced ResiConnect, an Internet-connected mouse trap. A Rentokil representative explained to the Register UK newspaper:

“This is a trap that’s connected to the internet, essentially. Whereas there are other standard traps on the market that just catch and kill the mouse, that mouse can be caught in that trap for several weeks or several months. What this does is sends us a signal to notify us the trap has been activated, which allows us to respond... What this allows us to do is catch, kill and contain the mouse... and provide the best solution to the customer as well.”

Rentokil technician and vehicle Reportedly, the device sells for about £1,300, or about U.S. $1,300. Last summer, Rentokil Initial Plc announced a partnership with Google and PA Consulting Group (PA) to deploy globally the company's:

"... innovative digital pest control products and, in the future, to the development of ‘next generation’ services to offer customers new levels of proactive risk management against the threat of pest infestation... Rentokil has developed and begun to roll out its range of connected rodent control products particularly to customers in the tightly regulated food and pharmaceutical industries. In the field today, Rentokil has over 20,000 digital devices running in 12 countries which have now sent more than 3 million pieces of data.

The new digital pest control services use connected rodent devices with embedded sensors and mobile connectivity. The units communicate with Rentokil’s online ‘Command Centre’ and when they've caught a rodent, the technician is automatically alerted while customers are kept informed through myRentokil, the industry’s leading online portal... Built on Google’s Cloud Platform, and delivered by PA using Agile techniques, this technology is highly scalable and is now ready to be deployed more widely to existing and new customers from Q4 2016 and to other parts of the company..."

It seems that Rentokil is making available to consumers smart traps similar to those already deployed in the commercial market, such as fast food restaurants with multiple locations. Rentokil sells in the United States a device that uses radar to detect and capture mice. This raises the question: do consumers really need a smart mouse trap?

I have direct experience with mice. The building where I live is contains condominiums, and I have the responsibility to pay the condo association's monthly bills (e.g., water, insurance, and electricity), plus hire vendors and contractors, as needed, for repairs and maintenance. That includes pest control companies. Last week, our pest-control vendor deployed bait traps (e.g., poison and glue strips) in all units, plus the basement (with utilities and storage areas).

Obviously, owners of retail stores with multiple locations (e.g., fast food restaurants) would benefit from smart mouse traps. It seems cost-prohibitive to send (and pay for) technicians to visit each store and check multiple traps, while only selective traps would have caught rodents.

First, the benefit for residential customers sees marginal. Internet-connected mouse trap might appeal to squeamish consumers, who are afraid or unsure what to do, but it's hard to beat the convenience and low cost of a phone call. For our condo association, it was easy to know when a trap has caught a mouse. You heard the squeaking.

For us, the rodent removal process was easy. After a quick phone call the evening the mouse was caught, a pest-control technician arrived the next morning. The company sent a technician that was already in the area for nearby service calls. The technician removed the mouse stuck on a glue strip, checked, and re-baited several traps. That visit was included in the price we paid, and the phone call cost was negligible.

Second, the price seems expensive. The $1,600 price for a smart mouse trap equals about three years of what our condo association pays for pest control services.

Reliability and trust with smart devices are critical for consumers. A recent global study found that 44 percent of consumers are concerned about financial information theft via smart home devices, and 37 percent are concerned about identity theft.

Informed shoppers know that not all smart devices are built equally. Some have poor security features or lack software upgrades. These vulnerabilities create opportunities for bad guys to hack and infect consumers' home WiFi networks with malware to steal passwords and money, create spam, and use infected devices as part of DDoS attacks targeting businesses. (Yes, even the hosting service for this blog was targeted.) So, it is wise to understand any smart trap's software and security features before purchase.

What do you think? Are smart mouse traps worthwhile?


FCC Announced Approval ot LTE-U Mobile Devices

On Wednesday, the Office of Engineering and Technology (OET) within the U.S. Federal Communications announced the authorization of unlicensed wireless (a/k/a LTE-U) devices to operate in the 5 GHz band:

"This action follows a collaborative industry process to ensure LTE-U with Wi-Fi and other unlicensed devices operating in the 5 GHz band. The Commission’s provisions for unlicensed devices are designed to prevent harmful interference to radio communications services and stipulate that these devices must accept any harmful interference they receive. Industry has developed various standards within the framework of these rules such as Wi-Fi, Bluetooth and Zigbee that are designed to coexist in shared spectrum. These and other unlicensed technologies have been deployed extensively and are used by consumers and industry for a wide variety of applications.

LTE-U is a specification that was developed and supported by a group of companies within the LTE-U Forum... The LTE-U devices that were certified today have been tested to show they meet all of the FCC’s rules. We understand that the LTE-U devices were evaluated successfully under the co-existence test plan. However, this is not an FCC requirement and similar to conformity testing for private sector standards the co-existence test results are not included in the FCC’s equipment certification records."

ComputerWorld explained in 2015 the strain on existing wireless capabilities and why several technology companies pursued the technology:

"According to the wireless providers and Qualcomm, the technology will make use of the existing unlicensed spectrum most commonly used for Wi-Fi. LTE-U is designed to deliver a similar capability as Wi-Fi, namely short-range connectivity to mobile devices.

As billions of mobile devices and Web video continue to strain wireless networks and existing spectrum allocations, the mobile ecosphere is looking for good sources of spectrum. The crunch is significant, and tangible solutions take a long time to develop... as former FCC Chairman Julius Genachowski and FCC Commissioner Robert McDowell recently remarked, “mobile data traffic in the U.S. will grow sevenfold between 2014 and 2019” while “wearable and connected devices in the U.S. will double” in that same period."

Some cable companies, such as Comcast, opposed LTE-U based upon concerns about the technology conflicting with existing home WiFi. According to Computerworld:

"In real-world tests so far, LTE-U delivers better performance than Wi-Fi, doesn’t degrade nearby Wi-Fi performance and may in fact improve the performance of nearby Wi-Fi networks."

Reportedly, in August 2016 Verizon viewed the testing as "fundamentally unfair and biased." Ajit Pai, the new FCC Chairman, said in a statement on Wednesday:

"LTE-U allows wireless providers to deliver mobile data traffic using unlicensed spectrum while sharing the road, so to speak, with Wi-Fi. The excellent staff of the FCC’s Office of Engineering and Technology has certified that the LTE-U devices being approved today are in compliance with FCC rules. And voluntary industry testing has demonstrated that both these devices and Wi-Fi operations can co-exist in the 5 GHz band. This heralds a technical breakthrough in the many shared uses of this spectrum.

This is a great deal for wireless consumers, too. It means they get to enjoy the best of both worlds: a more robust, seamless experience when their devices are using cellular networks and the continued enjoyment of Wi-Fi, one of the most creative uses of spectrum in history..."


Your Smart TV Is A Blabbermouth. How To Stop Its Spying On You

Internet-connected televisions, often referred to as "smart TVs," collect a wide variety of information about consumers. The devices track the videos you watch from several sources: cable, broadband, set-top box, DVD player, over-the-air broadcasts, and streaming devices. The devices collect a wide variety of information about consumers, including items such as as sex, age, income, marital status, household size, education level, home ownership, and household value. The TV makers sell this information to third parties, such as advertisers and data brokers.

Some people might call this "surveillance capitalism."

Reliability and trust with smart devices are critical for consumers. Earlier this month, Vizio agreed to pay $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC).

What's a consumer to do to protect their privacy? This C/Net article provides good step-by-step instructions to turn off or to minimize the tracking by your smart television. The instructions include several smart TV brands: Samsung, Vizio, LG, Sony, and others. Sample instructions for one brand:

"Samsung: On 2016 TVs, click the remote's Home button, go to Settings (gear icon), scroll down to Support, then down to Terms & Policy. Under "Interest Based Advertisement" click "Disable Interactive Services." Under "Viewing Information Services" unclick "I agree." And under "Voice Recognition Services" click "Disable advanced features of the Voice Recognition services." If you want you can also disagree with the other two, Nuance Voice Recognition and Online Remote Management.

On older Samsung TVs, hit the remote's Menu button (on 2015 models only, then select Menu from the top row of icons), scroll down to Smart Hub, then select Terms & Policy. Disable "SynchPlus and Marketing." You can also disagree with any of the other policies listed there, and if your TV has them, disable the voice recognition and disagree with the Nuance privacy notice described above."

Browse the step-by-step instructions for your brand of television. If you disabled the tracking features on your smart TV, how did it go? If you used a different resource to learn about your smart TV's tracking features, please share it below.


Espionage Groups Target Apple Devices With New Malware

ZDNet reported about a group performing multiple online espionage campaigns which targeted:

"... Mac users with malware designed to steal passwords, take screenshots, and steal backed-up iPhone data. This malware, discovered by cybersecurity researchers at Bitdefender, is thought to be linked to the APT28 group, which was accused of interferring in the United States presidential election. Bitdefender notes a number of similarities between the malware attacks against Macs -- which have been taking place since September 2016 -- and previous campaigns by the group, believed to be closely linked to Russia military intelligence and also dubbed Fancy Bear. Known as Xagent, the new form of malware targets victims running Mac OS X and installs a modular backdoor onto the system which enables the perpetrators to carry out cyberespionage activities... Xagent is also capable of stealing iPhone backups stored on a compromised Mac, an action which opens up even more capabilities for conducting cyberespionage, providing the perpetrators with access to additional files..."


Survey: Internet of Evil Things Report

Pwnie 2017 Internet of Evil Things report A recent survey of information technology (IT) professionals by Pwnie Express, an information security vendor, found that connected devices bring risks into corporate networks and IT professionals are not keeping up. 90 percent of IT professionals surveyed view connected devices as a security threat to their corporate systems and networks. 66 percent aren't sure how many connected devices are in their organizations.

These findings have huge implications as the installed base of connected devices (a/k/a the "Internet of things" or ioT) takes off. Experts forecast 8.4 billion connected devices in use worldwide in 2017, up 31 percent from 2016. Total spending for those devices will reach almost $2 trillion in 2017, and $20.4 billion by 2020. The regions that will drive this growth include North America, Western Europe, and China; which already comprise 67 percent of the installed base.

Key results from the latest survey by Pwnie Express:

"One in five of the survey respondents (20%) said their IoT devices were hit with ransomware attacks last year. 16 percent of respondents say they experienced Man-in-the-middle attacks through IoT devices. Devices continue to lend themselves to problematic configurations. The default network from common routers “linksys” and “Netgear” were two of the top 10 most common “open default” wireless SSID’s (named networks), and the hotspot network built-in for the configuration and setup of HP printers - “hpsetup”- is #2."

An SSID, or Service Set Identifier, is the name a wireless network broadcasts. Manufacturers ship them with default names, which the bad guys often look for to find open, unprotected networks. While businesses purchase and deploy a variety of connected devices (e.g., smart meters, manufacturing field devices, process sensors for electrical generating plants, real-time location devices for healthcare) and some for "smart buildings" (e.g., LED lighting, HVAC sensors, security systems), other devices are brought into the workplace by workers.

Most companies have Bring Your Own Device (BYOD) policies allowing employees to bring and use in the workplace personal devices (e.g., phones, tablets, smart watches, fitness bands). The risk for corporate IT professionals is that when employees, contractors, and consultants bring their personal devices into the workplace, and connect to corporate networks. A mobile device infected with malware from a wireless home network, or from a public hot-spot (e.g., airport, restaurant) can easily introduce that malware into office networks.

Consumers connect a wide variety of items to their wireless home networks: laptops, tablets, smartphones, printers, lighting and temperature controls, televisions, home security systems, fitness bands, smart watches, toys, smart wine bottles, and home appliances (e.g., refrigerators, hot water heaters, coffee makers, crock pots, etc.). Devices with poor security features don't allow operating system and security software updates, don't encrypt key information such as PIN numbers and passwords, and build the software into the firmware where it cannot be upgraded. Last month, the U.S. Federal Trade Commission (FTC) filed a lawsuit against a modem/router maker alleging poor security in its products.

Security experts advise consumers to perform several steps to protect their wireless home networks: change the SSID name, change all default passwords, enable encryption (e.g., WEP, WPA, WPA2, etc.), create a special password for guests, and enable a firewall. While security experts have warned consumers for years, too many still don't heed the advice.

The survey respondents identified the top connected device threats:

"1. Misconfigured healthcare, security, and IoT devices will provide another route for ransomware and malware to cause harm and affect organizations.

2. Unresolved vulnerabilities or the misconfiguration of popular connected devices, spurred by the vulnerabilities being publicized by botnets, including Mirai and newer, “improved” versions, in the hands of rogue actors will compromise the security of organizations purchasing these devices.

3. Mobile phones will be the attack vector of the future, becoming an extra attack surface and another mode of rogue access points taking advantage of unencrypted Netgear, AT&T, and hpsetup wireless networks to set up man-in-the-middle attacks."

The survey included more than 800 IT security professionals in several industries: financial services, hospitality, retail, manufacturing, professional services, technology, healthcare, energy and more. Download the "2017 Internet of Evil Things Report" by Pwnie.


Are Smart Television Makers Gaming The Energy-Efficiency Tests?

After yesterday's blog post about the settlement agreement by VIZIO with the U.S. Federal Trade Commission (FTC) and the New Jersey Attorney General, a reader mentioned an Economist article about smart televisions. It seems there is an ongoing investigation into whether or not manufacturers, similar to the Volkswagon emissions scandal, misrepresented the energy-efficiency test results of their televisions.

The Economist reported:

"South Korea’s Samsung and LG, along with Vizio, a Californian firm, stand accused of misrepresenting the energy efficiency of large-screen sets. Together, they sell over half of all TVs in America. In September 2016 the Natural Resources Defense Council (NRDC), an environmental group, published research on the energy consumption of TVs, showing that those made by Samsung, LG and Vizio performed far better during short government tests than they did the rest of the time. Some TVs consumed double the amount of energy suggested by manufacturers’ marketing bumpf. America’s Department of Energy (DoE) has also conducted tests of its own that have turned up big inconsistencies.

Not all TV-makers are at fault: the NRDC found no difference in energy-consumption levels for TVs made by Sony and Philips. But class-action lawsuits have already been filed against the three companies highlighted by the tests—the latest was lodged against Samsung in New York on January 30th. The industry is now waiting to see whether regulators will take action... Televisions made by Samsung and LG (but not Vizio) appear to recognize the test clip that the American government uses to rate energy consumption and to advise consumers on how much it will cost to operate the set over a whole year. The DoE’s ten-minute test clip has a lot of motion and scene changes in short succession, with each clip lasting only 2.3 seconds before flashing to a new one (most TV content is made up of scenes that last more than double that length). During these tests the TVs’ backlight dims, resulting in substantial energy savings. For the rest of the time, during typical viewing conditions, the backlight stays bright..."

If true, then those new televisions many consumers bought may cost them a lot more energy and electricity costs. The September 2016 NRDC press release:

"There are flaws in the government’s method for testing the energy use of televisions and three major TV manufacturers representing half of the U.S. market appear to be exploiting them, which could cost owners of recently purchased models an extra $1.2 billion on their utility bills... The global standard video clip on which the DOE test method is based is eight years old and needs a major overhaul. DOE should update its test method with more realistic video content... It appears that some major manufacturers have modified their TV designs to get strong energy-use marks during government testing but they may not perform as well in consumers’ homes. These ‘under the hood’ changes dramatically increase a TV’s energy use and environmental impact, usually without the user’s knowledge. While this may not be illegal, it smacks of bad-faith conduct that falls outside the intent of the government test method designed to accurately measure TV energy use..."

The consequences and impacts go far beyond possible bad-faith conduct:

"The latest version of ultra high-definition (UHD) TVs used approximately 30 to 50 percent more energy when playing content produced with High Dynamic Range (HDR) than conventional UHD content... With millions of televisions purchased annually across America, all of this extra energy use has a major impact on national energy consumption, consumer utility bills, and the environment..."

You can learn more about the DoE test procedures here. What are your opinions of this?


VIZIO To Pay $2.2 Million To Settle Privacy Charges About Its Smart TVs

VIZIO Inc. logo Today's blog post highlights how easy it is for manufacturers to make and sell smart-home devices that spy on consumers without notice nor consent. VIZIO, Inc., one of the largest makers of smart televisions, agreed to pay $2.2 million to settle privacy abuse charges by the U.S. Federal Trade Commission (FTC) and the State of New Jersey Attorney General. The FTC announcement explained:

"... starting in February 2014, VIZIO, Inc. and an affiliated company have manufactured VIZIO smart TVs that capture second-by-second information about video displayed on the smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices. In addition, VIZIO facilitated appending specific demographic information to the viewing data, such as sex, age, income, marital status, household size, education level, home ownership, and household value... VIZIO sold this information to third parties, who used it for various purposes, including targeting advertising to consumers across devices... VIZIO touted its “Smart Interactivity” feature that “enables program offers and suggestions” but failed to inform consumers that the settings also enabled the collection of consumers’ viewing data. The complaint alleges that VIZIO’s data tracking—which occurred without viewers’ informed consent—was unfair and deceptive, in violation of the FTC Act and New Jersey consumer protection laws."

The FTC complaint (Adobe PDF) named as defendants VIZIO, Inc. and VIZIO Inscape Services, LLC, its wholly-owned subsidiary. VIZIO has designed and sold televisions in the United States since 2002, and has sold more than 11 million Internet-connected televisions since 2010. The complaint also mentioned:

"... the successor entity to Cognitive Media Services, Inc., which developed proprietary automated content recognition (“ACR”) software to detect the content on internet-connected televisions and monitors."

This merits emphasis because consumers thinking that they can watch DVD or locally recorded content in the privacy of their home with advertisers knowing it really can't because the ACR software can easily identify, archive, and transmit it. The complaint also explained:

"Through the ACR software, VIZIO’s televisions transmit information about what a consumer is watching on a second-by-second basis. Defendants’ ACR software captures information about a selection of pixels on the screen and sends that data to VIZIO servers, where it is uniquely matched to a database of publicly available television, movie, and commercial content. Defendants collect viewing data from cable or broadband service providers, set-top boxes, external streaming devices, DVD players, and over-the-air broadcasts... the ACR software captures up to 100 billion data points each day from more than 10 million VIZIO televisions. Defendants store this data indefinitely. Defendants’ ACR software also periodically collects other information about the television, including IP address, wired and wireless MAC addresses, WiFi signal strength, nearby WiFi access points, and other items."

That's impressive. The ACR software enabled VIZIO to know and collect information about other devices (e.g., computers, tablets, phones, printers) connected to your home WiFi network. Then, besides the money consumers paid for their VIZIO smart TVs, the company also made money by reselling the information it collected to third parties... probably data brokers and advertisers. You'd think that the company might lower the price of its smart TVs given that additional revenue stream, but I guess not.

Now, here is where VIZIO created problems for itself:

"Consumers that purchased new VIZIO televisions beginning in August 2014, with ACR tracking preinstalled and enabled by default, received no onscreen notice of the collection of viewing data. For televisions that were updated in February 2014 to install default ACR tracking after purchase, an initial pop-up notification appeared on the screen that said: "The VIZIO Privacy Policy has changed. Smart Interactivity has been enabled on your TV, but you may disable it in the settings menu. See www.vizio.com/privacy for more details. This message will time out in 1 minute." This notification provided no information about the collection of viewing data or ACR software. Nor did it directly link to the settings menu or privacy policy... In March 2016, while Plaintiffs’ investigations were pending, [VIZIO and VIZIO Inscape] sent another pop-up notification to televisions that, for the first time, referenced the collection of television viewing data. This notification timed out after 30 seconds without input from the household member who happened to be viewing the screen at the time, and did not provide easy access to the settings menu... In all televisions enabled with ACR tracking, VIZIO televisions had a setting, available through the settings menu, called “Smart Interactivity.” This setting included the description: “Enables program offers and suggestions.” Similarly, in the manual for some VIZIO televisions, a section entitled “Smart Interactivity” described the practice as “Your TV can display program-related information as part of the broadcast.” Neither description provided information about the collection of viewing data..."

30 seconds? Really?! If a consumer left the room to grab a bite to eat or visit the bathroom for a bio break, they easily missed this pop-up message. No notice? Neither are good. VIZIO released a statement about the settlement:

"VIZIO is pleased to reach this resolution with the FTC and the New Jersey Division of Consumer Affairs.  Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” stated Jerry Huang, VIZIO General Counsel. “The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors... the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and VIZIO now is leading the way,” concluded Huang."

Terms of the settlement agreement and the Court Order (Adobe PDF) require VIZIO to:

"A. Prominently disclose to the consumer, separate and apart from any “privacy policy,” “terms of use” page, or other similar document: (1) the types of Viewing Data that will be collected and used, (2) the types of Viewing Data that will be shared with third parties; (3) the identity or specific categories of such third parties; and (4) all purposes for Defendants’ sharing of such information;

B. Obtain the consumer’s affirmative express consent (1) at the time the disclosure...

C. Provide instructions, at any time the consumer’s affirmative express consent is sought under Part II.B, for how the consumer may revoke consent to collection of Viewing Data.

D. For the purposes of this Order, “Prominently” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers..."

The Order also defines that disclosure must be visual, audible, in all formats which VIZIO uses, in easy-to-understand language, and not contradicted by any legal statements elsewhere. Terms of the settlement require VIZIO to pay $1.5 million to the FTC, $1.0 million to the New Jersey Division of Consumer Affairs (which includes a $915,940.00 civil penalty and $84,060.00 for attorneys’ fees and investigative costs). VIZIO will not have to pay $300,000 due to the N.j> Division of consumer affairs it the company complies with court order, and does not engage in acts that violate the New Jersey Consumer Fraud Act (CFA) during the next five years.

Additional terms of the settlement agreement require VIZIO to destroy information collected before March 1, 2016, establish and implement a privacy program, designate one or several employees responsible for that program, identify and risks of internal processes that cause the company to collect consumer information it shouldn't, design and implement a program to address those risks, develop and implement processes to identify service providers that will comply with the privacy program, and hire an independent third-party to audit the privacy program every two years.

I guess the FTC and New Jersey AG felt this level of specificity was necessary given VIZIO's past behaviors. Kudos to the FTC and to the New Jersey AG for enforcing and protecting consumers' privacy. Given the rapid pace of technological change and the complexity of today's devices, oversight is required. Consumers simply don't have the skills nor resources to do these types of investigations.

What are your opinions of the VIZIO settlement?