340 posts categorized "Mobile" Feed

A New Design For The I've Been Mugged Blog!

Returning readers have probably noticed the new design for this blog, which went live this past Sunday. The new design better supports the wide variety of mobile devices, and automatically adapts to devices with differing screen widths. All of the content published is still available.

The new design should also provide a better reading and site experience for all users. If you have any questions or comments about the design, we welcome your feedback. Thanks for your readership!

George

 


Hacking Group Reported Security Issues With Samsung 8 Phone's Iris Recognition

Image of Samsung Galaxy S8 phones. Click to view larger version The Computer Chaos Club (CCC), a German hacking group founded in 1981, posted the following report on Monday:

"The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers... The Samsung Galaxy S8 is the first flagship smartphone with iris recognition. The manufacturer of the biometric solution is the company Princeton Identity Inc. The system promises secure individual user authentication by using the unique pattern of the human iris.

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method."

The Samsung Galaxy S8 runs the Android operating system, claims a talk time of up to 30 hours, has a screen optimized for virtual reality (VR) apps, and features Bixby, an "... intelligent interface that is built into the Galaxy S8. With every interaction, Bixby can learn, evolve and adapt to you. Whether it's through touch, type or voice, Bixby will seamlessly help you get things done. (Voice coming soon)"

The CCC report also explained:

"Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. "If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication," says Dirk Engling, spokesperson for the CCC."

Phys.org reported that Samsung executives are investigating the CCC report. Samsung views the Galaxy S8 as critical to the company's performance given the Note 7 battery issues and fires last year.

Some consumers might conclude from the CCC report that the best defense against against iris hacks would be to stop posting selfies. This would be wrong to conclude, and an insufficient defense:

"The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed... Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems."

So, more photos besides selfies could reveal your iris details. The CCC report also reminded consumers of the security issues with using fingerprints to protect their devices:

"CCC member and biometrics security researcher starbug has demonstrated time and again how easily biometrics can be defeated with his hacks on fingerprint authentication systems – most recently with his successful defeat of the fingerprint sensor "Touch ID" on Apple’s iPhone. "The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris," Dirk Engling remarked."

What are your opinions of the CCC report?


FCC Voted Yesterday To Start To Overturn Net Neutrality Rules

Federal communications Commission logo Yesterday, the Federal Communications Commission (FCC) voted to kill net neutrality rules it enacted a couple years ago. The FCC announcement:

"The Federal Communications Commission today took the first step toward restoring Internet freedom and promoting infrastructure investment, innovation, and choice by proposing to end utility-style regulation of broadband Internet access service. In a Notice of Proposed Rulemaking, the FCC proposes to return to the bipartisan framework that preserved a flourishing free and open Internet for almost 20 years.  First, the Notice proposes to reverse the FCC’s 2015 decision to impose heavy-handed Title II utility-style government regulation on Internet service providers (ISPs) and return to the longstanding, successful light-touch framework under Title I of the Communications Act.

Second, the Notice proposes to return to the Commission’s original classification of mobile broadband Internet access service as a private mobile service.  Given the historical innovation and success of the wireless marketplace prior to the Title II Order, this proposal is expected to substantially benefit consumers and the marketplace.

Third, the Notice proposes to eliminate the catch-all Internet conduct standard created by the Title II Order.  Because the Internet conduct standard is extremely vague and expansive, ISPs must guess at what they are permitted to do.  Eliminating the Internet conduct standard is therefore expected to promote innovation and network investment by eliminating regulatory uncertainty."

The vote happened on the scheduled date, despite the unavailability for several hours Sunday morning, May 7, of the FCC website for public comments. The FCC said its site crashed due to a DDoS attack. Before the vote, more than 2 million persons and organizations submitted feedback to the FCC.

The vote was expected since Republicans dominate the three-member committee. FCC Chairman Pai and Commissioner Michael O'Rielly, voted for the change. Commissioner Mignon Clyburn, the only Democrat on the three-member committee, voted against it. In January of this year, President Donald Trump appointed Ajit Pai, a former lawyer with Verizon, as the FCC Chairman.

In a statement about the vote, FCC Chairman Ajit Pai repeated prior claims about "heavy-handed" regulation, an internet that wasn't broken, and decreased infrastructure investment by internet service providers (ISPs). All of these claims were discussed and debunked previously after Chairman Pai's speech in April.

C/Net reported:

"Eliminating the Open Internet Order takes away the internet's level playing field and would allow a select few corporations to choose winners and losers, preventing consumers from accessing the content that they want, when they want it," said Jonathan Schwantes, senior policy counsel for Consumers Union. Democratic Senator Al Franken of Minnesota called it "a major step toward destroying the internet as we know it."

CNN reported:

"More than 1,000 startups and investors have now signed an open letter to Pai opposing the proposal. The Internet Association, a trade group representing bigger companies like Facebook, Google, and Amazon, has also condemned the plan. "The current FCC rules are working for consumers and the protections need to be kept in tact," Michael Beckerman, president and CEO of the Internet Association, said at a press conference Wednesday."

USA Today reported:

"Congress could eventually have a say on the issue. At about the same time the FCC was considering the issue, Sen. John Thune, R-S.D., called for Congress to pass legislation "to protect the internet." Thune, who is the chairman of the Senate Commerce Committee, urged colleagues "to begin bipartisan work on such legislation without any further delay. Innovation and job creation should no longer take a backseat to partisan point-scoring," he said..."

After re-reading the FCC announcement several times, I noticed that it failed to mention nor summarize the feedback received from the public. This makes one wonder if Chairman Pai and the committee took the time to review the comments submitted. During the last thirty (3) days, the public submitted 2,174,196 filings and comments. (See image below.) The feedback included a mix of comments for and against the latest changes.

Did Chairman Pai and the committee read this feedback, or were their minds already made up? And if so, did they simply ignore more than 2 million comments? Fortunately, the public can continue to submit feedback about Proceeding 17-108 until August for the subsequent final FCC vote.

Image of most active items in the FCC Electronic Comment Filing System as of May 19, 2017. Click to view larger version


Any Half-Decent Hacker Could Break Into Mar-a-Lago

[Editor's Note: Today's guest blog post is by the reporters at ProPublica. The article explores the security issues about key locations the President visits repeatedly and does business at. It was originally published yesterday, and is reprinted with permission.]

by Jeff Larson and Julia Angwin, ProPublica; and by Surya Mattu, Gizmodo

Two weeks ago, on a sparkling spring morning, we went trawling along Florida's coastal waterway. But not for fish.

We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.

A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.

We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.

The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.

"Those networks all have to be crawling with foreign intruders, not just ProPublica," said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.

Security lapses are not uncommon in the hospitality industry, which -- like most industries and government agencies -- is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.

U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain's National Health Service to Russia's Interior Ministry.

Since the election, Trump has hosted Chinese President Xi Jinping, Japanese Prime Minister Shinzo Abe and British politician Nigel Farage at his properties. The cybersecurity issues we discovered could have allowed those diplomatic discussions -- and other sensitive conversations at the properties -- to be monitored by hackers.

The Trump Organization follows "cybersecurity best practices," said spokeswoman Amanda Miller. "Like virtually every other company these days, we are routinely targeted by cyberterrorists whose only focus is to inflict harm on great American businesses. While we will not comment on specific security measures, we are confident in the steps we have taken to protect our business and safeguard our information. Our teams work diligently to deploy best-in-class firewall and anti-vulnerability platforms with constant 24/7 monitoring."

The White House did not respond to repeated requests for comment.

Trump properties have been hacked before. Last year, the Trump hotel chain paid $50,000 to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbers. Prosecutors alleged that hotel credit card systems were "the target of a cyber-attack" due to poor security. The company agreed to beef up its security; it's not clear if the vulnerabilities we found violate that agreement. A spokesman for the New York attorney general declined comment.

Our experience also indicates that it's easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded. We drove a car past the front of Mar-a-Lago and parked a boat near its lawn. We drove through the grounds of the Bedminster golf course and into the parking lot of the golf course in Sterling, Virginia. No one questioned us.

Both President Obama and President Bush often vacationed at the more traditional presidential retreat, the military-run Camp David. The computers and networks there and at the White House are run by the Defense Information Systems Agency.

In 2016, the military spent $64 million on maintaining the networks at the White House and Camp David, and more than $2 million on "defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats" from hacking those networks.

Even after spending millions of dollars on security, the White House admitted in 2015 that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter. All staffers who work at the White House are told that "there are people who are actively watching what you are doing," said Mikey Dickerson, who ran the U.S. Digital Service in the Obama administration.

By comparison, Mar-a-Lago budgeted $442,931 for security in 2016 -- slightly more than double the $200,000 initiation fee for one new member. The Trump Organization declined to say how much Mar-a-Lago spends specifically on digital security. The club, last reported to have almost 500 members paying annual dues of $14,000 apiece, allotted $1,703,163 for all administration last year, according to documents filed in a lawsuit Trump brought against Palm Beach County in an effort to halt commercial flights from flying over Mar-a-Lago. The lawsuit was dropped, but the FAA now restricts flights over the club when the president is there.

It is not clear whether Trump connects to the insecure networks while at his family's properties. When he travels, the president is provided with portable secure communications equipment. Trump tracked the military strike on a Syrian air base last month from a closed-door situation room at Mar-a-Lago with secure video equipment.

However, Trump has held sensitive meetings in public spaces at his properties. Most famously, in February, he and the Japanese prime minister discussed a North Korean missile test on the Mar-a-Lago patio. Over the course of that weekend in February, the president's Twitter account posted 21 tweets from an Android phone. An analysis by an Android-focused website showed that Trump had used the same make of phone since 2015. That phone is an older model that isn't approved by the NSA for classified use.

Photos of Trump and Abe taken by diners on that occasion prompted four Democratic senators to ask the Government Accountability Office to investigate whether electronic communications were secure at Mar-a-Lago.

In March, the GAO agreed to open an investigation. Chuck Young, a spokesman for the office, said in an interview that the work was in "the early stages," and did not offer an estimate for when the report would be completed.

So, we decided to test the cybersecurity of Trump's favorite hangouts ourselves.

Our first stop was Mar-a-Lago, a Trump country club in Palm Beach, Florida, where the president has spent most weekends since taking office. Driving past the club, we picked up the signal for a Wi-Fi-enabled combination printer and scanner that has been accessible since at least February 2016, according to a public Wi-Fi database.

An open printer may sound innocuous, but it can be used by hackers for everything from capturing all the documents sent to the device to trying to infiltrate the entire network.

To prevent such attacks, the Defense Information Systems Agency, which secures the White House and other military networks, forbids installing printers that anyone can connect to from outside networks. It also warns against using printers that do more than printing, such as faxing. "If an attacker gains network access to one of these devices, a wide range of exploits may be possible," the agency warns in its security guide.

We also were able to detect a misconfigured and unencrypted router, which could potentially provide a gateway for hackers.

To get a better line of sight, we rented a boat and piloted it to within sight of the club. There, we picked up signals from the club's wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP. In 2005, an FBI agent publicly broke this type of encryption in minutes.

By comparison, the military limits the signal strength of networks at places such as Camp David and the White House so that they are not reachable from a car driving by. It also requires wireless networks to use the strongest available form of encryption.

From our desks in New York, we were also able to determine that the club's website hosts a database with an insecure login page that is not protected by standard internet encryption. Login forms like this are considered a severe security risk, according to the Defense Information Systems Agency.

Without encryption, spies could eavesdrop on the network until a club employee logs in, and then steal his or her username and password. They then could download a database that appears to include sensitive information on the club's members and their families, according to videos posted by the club's software provider.

This is "bad, very bad," said Jeremiah Grossman, chief of Security Strategy for cybersecurity firm SentinelOne, when we described Mar-a-Lago's systems. "I'd assume the data is already stolen and systems compromised."

A few days later, we took our equipment to another Trump club in Bedminster, New Jersey. During the transition, Trump had interviewed candidates for top administration positions there, including James Mattis, now secretary of defense.

We drove on a dirt access road through the middle of the golf course and spotted two open Wi-Fi networks, TrumpMembers and WelcomeToTrumpNationalGolfClub, that did not require a password to join.

Such open networks allow anyone within range to scoop up all unencrypted internet activity taking place there, which could, on insecure sites, include usernames, passwords and emails.

Robert Graham, an Atlanta, Georgia, cybersecurity expert, said that hackers could use the open Wi-Fi to remotely turn on the microphones and cameras of devices connected to the network. "What you're describing is typical hotel security," he said, but "it's pretty concerning" that an attacker could listen to sensitive national security conversations.

Two days after we visited the Bedminster club, Trump arrived for a weekend stay.

Then we visited the Trump International Hotel in Washington, D.C., where Trump often dines with his son-in-law and senior adviser Jared Kushner, whose responsibilities range from Middle East diplomacy to revamping the federal bureaucracy. We surveyed the networks from a Starbucks in the hotel basement.

From there, we could tell there were two Wi-Fi networks at the hotel protected with what's known as a captive portal. These login screens are often used at airports and hotels to ensure that only paying customers can access the network.

However, we gained access to both networks just by typing "457" into the room number field. Because we provided a room number, the system assumed we were guests. We looked up the hotel's public IP address before logging off.

From our desks in New York, we could also tell that the hotel is using a server that is accessible from the public internet. This server is running software that was released almost 13 years ago.

Finally, we visited the Trump National Golf Club in Sterling, Virginia, where the president sometimes plays golf. From the parking lot, we recognized three encrypted wireless networks, an encrypted wireless phone and two printers with open Wi-Fi access.

The Trump club websites are hosted by an Ohio-based company called Clubessential. It offers everything from back-office management and member communications to tee time and room reservations.

In a 2014 presentation, a company sales director warned that the club industry as a whole is "too lax" in managing and protecting passwords. There has been a "rising number of attacks on club websites over the last two years," according to the presentation. Clubessential "performed [an] audit of security in the club industry" and "found thousands of sensitive documents from clubs exposed on [the] Internet," such as "lists of members and staff, and their contact info; board minutes, financial statements, etc."

Still, the club software company has set up a backend server accessible on the internet, and configured its encryption incorrectly. Anyone who reaches the login page is greeted with a warning that the encryption is broken. In its documentation, the company advises club administrators to ignore these warnings and log in regardless. That means that anybody snooping on the unprotected connection could intercept the administrators' passwords and gain access to the entire system.

The company also publishes online, without a password, many of the default settings and usernames for its software 2014 essentially providing a roadmap for intruders.

Clubessential declined comment.

Aitel, the CEO of Immunity, said the problems at Trump properties would be difficult to fix: "Once you are at a low level of security it is hard to develop a secure network system. You basically have to start over."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Seattle Strengthens Privacy Protections For Broadband And Cable Users

The city of Seattle has strengthened it privacy rules to better protect residents using cable-TV services and high-speed internet services (a/k/a broadband). The new rules go into effect on May 24, and mirrors the FCC broadband privacy rules which Congress revoked earlier this year.

The announcement by the Seattle Mayor's office explained:

"Seattle Municipal Code (SMC 21.60) grants the City of Seattle authority to issue rules related to the privacy practices of cable operators. These rules govern not only cable television services but also non-cable services, such as internet service. The new rule states cable operators must obtain opt-in consent before sharing a customer’s web browsing history or otherwise using such information for a purpose other than providing a customer with their requested service.

Comcast, CenturyLink, and Wave have cable franchise agreements with the City of Seattle and will be subject to the new rule. Under the terms of the rule, these cable operators must report their compliance by Sept. 30, 2017 and annually thereafter."

Earlier this year, a national poll found the the Republican rollback of FCC broadband privacy rules very unpopular among consumers. Despite this, President Trump signed the privacy-rollback legislation on April 3.

The new rules in Seattle, ITD Director's Rule 2017-10 (Adobe PDF), state in part:

"- Prohibit Cable Operators from collecting or disclosing any information regarding the extent of any individual customer's viewing habits, or other use by a customer of a cable service or other service provided such as web browsing activity, without the prior affirmative consent of the customer, unless such information is necessary to render a service requested by the customer, or a legitimate business purpose related to the service.
- Require Cable Operators to fully and completely disclose customer rights and the limitations imposed on a Cable Operator's collection, use, and disclosure of Personally Identifiable Information (PII) in clear language that a customer can radily understand.
- Require Cable Operators to destroy within 90 days any PII if the PII is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to shuch PII... Require Cable Operators to provide stamped, self-addressed post cards that customers can mail in to have their names and addresses removed form any lists the Cable Operators might use for purposes other than the direct provision of service to those customers.
- Establish without ambiguity that a customer, once "opting out" of the Cable Operator's mailing list, is permanently removed from that list unless that customer subsequently requests inclusion on such list."

This is a great start. The rules define PII as:

"... specific information about a customer, including, but not not limited to, a customer's (a) login information, (b) extent of viewing of video programming or other services, (c) shopping choices, (d) interests and opinions, (e) energy uses, (f) medical information, (g) banking data or information, (h) web browsing activities, or (i) any other personal or private information..."

Mayor Edward B. Murray commented about the new rules:

"Where the Trump administration continues to roll back critical consumer protections, Seattle will act... I believe protecting the privacy of internet users is essential and this policy allows the City to do just that. Because of regulation repeals at the national level, we must use all of the powers at our disposal to protect the rights of our residents."

Citizens in other major cities across the United States may want to ask what consumer-friendly privacy actions their mayors are taking.


Update: Net Neutrality, Adminstrative Law, The Courts, And Next Steps

Federal communications Commission logo A lot has happened since Federal Communications Commission (FCC) Chairman Ajit Pai disclosed his plan last week to kill net neutrality. While the FCC commissioners will vote on May 18 about the rules changes, a federal law could affect the outcome. First, Wired reported:

"A 1946 law called the Administrative Procedure Act bans federal agencies making “capricious” decisions. The law is meant, in part, to keep regulations from yo-yoing back and forth every time a new party gained control of the White House. The FCC successfully argued in favor of Title II reclassification in federal court just last summer. That effort means Pai might have to make the case that things had changed enough since then to justify a complete reversal in policy."

Read the text of the Administrative Procedure Act (APA). Learn more here.

The recent actions (e.g., privacy, net neutrality) by the Republican-led FCC have definitely resulted in both uncertainty and a yo-yoing of rules. At times, it feels like watching a tennis match. While Pai and other advocates of killing net neutrality have claimed that infrastructure investment has declined due to the reclassification by the FCC, the reality:

"During a hearing earlier this year, senator Edward Markey (D-Massachusetts) pointed to US Census Bureau estimates that broadband investment increased slightly from $86.6 in 2014 to $87.2 billion in 2015..."

Data for 2016 isn't available yet. As I mentioned in a prior post, telecommunications companies made conscious decisions and could have diverted money from other spending to infrastructure. They didn't and chose this legislation path instead. Again from Wired's analysis:

"Other business considerations could also play into changes in telecom spending on network infrastructure, such as a desire to wait and let previous investments pay for themselves before making new ones. The CEO of Verizon, for example, told shareholders that Title II didn’t affect the company’s investment plans. And Martin points out that a recent auction in which companies spent $19.8 billion to buy rights to use more of the wireless spectrum doesn’t exactly look like an industry shy of investing."

"If the infrastructure argument doesn’t fly, Pai could also argue that the rules are unnecessary because proverbial fast and slow lanes for the internet never existed. The problem is that’s not true. The Bush-era FCC ordered Comcast to stop throttling BitTorrent traffic in 2008... Under a secret agreement with AT&T, Apple blocked iPhone users from making Skype calls over the carrier’s network until the FCC pressured the companies into reversing the policy in 2009..."

Read the entire Wired analysis. It makes it crystal clear how corporate ISPs are trying to rig the system for themselves and against consumers.

Second, a recent decision by a federal court rejected big telecom's petition to have the existing FCC's net neutrality rules overturned. On Monday, Ars Technica reported:

"The US Court of Appeals for the District of Columbia Circuit denied the broadband industry's petition for a rehearing of a case that upheld net neutrality rules last year. A three-judge panel ruled 2-1 in favor of the FCC in June 2016, but ISPs wanted an en banc review in front of all of the court's judges. The request for an en banc review was denied in the order issued today."

What to make of this? The bottom line is that the circuit court decided to uphold the reclassification of broadband ISPs as common carriers and the FCC's net neutrality rules. While big telecom could appeal the decision with the Supreme Court, that seems unlikely since they know that the FCC, led by Chairman Ajit Pai, a Republican, has a majority of Republican commissioners who will vote to overturn net neutrality rules on May 18. And, Chairman Pai will have to overcome any challenges with the APA.

In response to the court decision, FCC Chairman Pai issued this statement:

"In light of the fact that the Commission on May 18 will begin the process of repealing the FCC’s Title II regulations, it is not surprising, as Judges Srinivasan and Tatel pointed out, that the D.C. Circuit would decide not to grant the petitions for rehearing en banc. Their opinion is important going forward, however, because it makes clear that the FCC has the authority to classify broadband Internet access service as an information service..."

Chairman Pai seems hell-bent upon ignoring the historical problems in the broadband industry that plagued consumers, in order to change the rules in favor of big telecom. Those problems led to the reclassification by the FCC. A prior blog post listed some of those problems:

"The lack of ISP competition in key markets meant consumers in the United States pay more for broadband and get slower speeds compared to other countries. Rural consumers and low-income areas lacked broadband services. There were numerous complaints by consumers about usage Based Internet Pricing. There were privacy abuses and settlement agreements by ISPs involving technologies such as deep-packet inspection and 'Supercookies' to track customers online, despite consumers' wishes not to be tracked. Many consumers didn't get the broadband speeds ISP promised. Some consumers sued their ISPs, and the New York State Attorney General invited residents to check their broadband speed with this tool. Tim Berners-Lee, the founder of the internet, cited in March three reasons why the Internet is in trouble. His number one reason: consumers had lost control of their personal information... Some consumers found that their ISP hijacked their online search results without notice nor consent. An ISP in Kansas admitted in 2008 to secret snooping after pressure from Congress."

Third, big telecom is engaged in some savvy, deceptive maneuvering. Ars Technica discussed bizarre claims by Verizon:

"... Verizon's general counsel, Craig Silliman, wants you to believe that Verizon never opposed net neutrality rules, even though it sued the FCC to eliminate them. He's also making the claim that the FCC isn't even talking about eliminating the net neutrality rules, even though FCC Chairman Ajit Pai is proposing to do exactly that."

Watch the Verizon video with Verizon's Silliman. When Silliman said, "changing the legal footing," he is referring to comments by others that the FTC should regulate broadband services, and not the FCC. That places the burden on consumers and the FTC to sue when broadband providers don't deliver the services promised; assuming that broadband providers disclose in their terms-of-service and privacy policies what they will deliver. With regulation by the FCC, consumers would have been in charge of their privacy, big telecom would have been forced to be transparent and explain what they were doing, and big telecom couldn't slice up the internet into slow and fast lanes forcing consumers to pay more to access certain sites.

During the last fight about neutrality in 2014, about about 90 tech companies sent a letter to FCC Chairman Tom Wheeler (Adobe PDF) encouraging the FCC to support for a free and open internet, where consumers decide where to go online with the broadband services purchased. Several notable companies signed that 2014 letter: Amazon, Dropbox, Ebay, Facebook, Gawker, Google, Microsoft, Mozilla, Netflix, Twitter, Vonage, and Yahoo. I did not see Verizon (nor Comcast) in the list of signers.

That's some brilliant and deceptive maneuvering. Big telcom can appear reasonable and deny talking about killing net neutrality rules while knowing that their representative, Chairman Pai and his fellow Republican commissioners at the FCC, will do it for them. Again, from Ars Technica:

"No major Internet service provider has done more to prevent implementation of net neutrality rules in the US than Verizon. After years of fighting the rules in courts of law and public opinion, Verizon is about to get what it wants as the FCC—now led by a former Verizon lawyer—prepares to eliminate the rules and the legal authority that allows them to be enforced."

Fourth, the FCC released its Notice of Proposed Rule Making (NPRM): Proceeding 17-108, "Restoring Internet Freedom" - April 26, 2017 (Adobe PDF). Just as before in 2014 - 15, the new rule is open to public comments. This means, it is time for citizens and voters to take action.

FCC Chairman Pai and others claim that the Internet was working well before, and net neutrality rules are unnecessary and a government intrusion. Ordinary broadband customers can have a great impact. It is time for consumers to submit comments to the FCC. About 25,578 people have already submitted comments. For example, a comment by Darion from Austin, Texas:

"The FCC Open Internet Rules (net neutrality rules) are extremely important to me. I urge you to protect them. Most Americans only have one choice for true high speed Internet access: our local cable company. Cable companies (and wireless carriers) are actively lobbying Congress and the FCC for the power to: i) Block sites and apps, to charge them "access fees;" ii) Slow sites and apps to a crawl, to establish paid "fast lanes" (normal speed) and slow lanes (artificially low speeds); and iii) Impose arbitrarily low data caps, so they can charge sites to escape those caps, or privilege their own services ("zero rating").
They're doing it so they can use their monopoly power to stand between me and the sites I want to access, extorting money from us both. I'll be forced to pay more to access the sites I want, and sites will have to pay a kind of protection money to every major cable company or wireless carrier—just to continue working properly!

The FCC's Open Internet Rules are the only thing standing in their way. I'm sending this to letter to my two senators, my representative, the White House, and the FCC. First, to the FCC: don’t interfere with my ability to access what I want on the Internet, or with websites' ability to reach me. You should leave the existing rules in place, and enforce them.

To my senators: you have the power to stop FCC Chair Ajit Pai from abusing the rules by refusing to vote for his reconfirmation. I expect you to use that power. Pai, a former Verizon employee, has made it clear he intends to gut the rules to please his former employer and other major carriers, despite overwhelming support for the rules from voters in both parties... To the White House: Ajit Pai, a former Verizon employee, is acting in the interests of his former employer, not the American people. America deserves better... To my representative: please publicly oppose Ajit Pai's plan to oppose the rules... I would be happy to speak more with anyone on your staff about the rules and why they’re so important to me. Please notify me of any opportunities to meet with you or your staff."

Be brief. Use your own words. Submit your comments soon, since the deadline fast approaches. Also, tell your elected officials. Participate in local marches and protests. Join the Fight For The Future. Support the EFF.


How To Control The Ads Facebook Displays

If you use Facebook, then you know that the social networking site serves ads based upon your interests. And, you''d probably be surprised at what Facebook thinks you are interested in versus what you are really interested in.

To see what Facebook thinks you are interested in, you will need to access your Ad Preferences page. Sign into your Facebook account using the browser interface, and click on the triangle drop-down menu icon in the upper right corner. Next select Settings, and then select Ads in the left column. Your Ad Preferences page looks like this:

Default view of the Facebook Ad Preferences page. Click to view larger version

Facebook has neatly organized what it thinks your interests are into several categories: Your Interests, Advertisers You've Interacted With, Your Information, and Ad Settings. Open the Your Interests module:

Your Interests module within Facebook Ad Preferences. Click to view larger version

This module includes several sub-categories: News & Entertainment, Business & Industry, Hobbies & Activities, Travel Places, & Events, People, Technology, and Lifestyle. Mouse over an item to reveal both an explanation why that item appears in your list and the "X" delete button. Click on the "X" button to remove that item.

Facebook has collected impressively long lists about what it thinks your interests are. So, click on the "See More" links within each sub-category. Facebook ads interest items based upon links you've selected, groups you've joined, ads you have viewed, the photos/videos you have uploaded, items (e.g., groups, events, status messages) you have "Liked," and more. There's plenty to browse, so you'll probably want to set aside 15 minutes to review and delete items.

There is a sneaky aspect to Facebook's interface. An item may appear in several categories. So, if you delete it in one category don't assume it was deleted in other categories. You'll have to visit each sub-category and delete it there, too. And, there is no guarantee Facebook won't re-add that item later based upon your activities within the site and/or mobile app.

Caution: even if you delete everything, Facebook will still show advertisements. Why? That's what the social networking service is designed to do. That's its business model. Even if you stop clicking "Like" buttons, Facebook will use alternate criteria to display ads. You can control or limit the topics for ads, but you can't stop ads entirely.

The Your Information module includes toggle switches to either activate or deactivate groups of items within your profile which Facebook uses to display ads:

Your Information module within Facebook Ad Preferences. Click to view larger version

It's probably wise to re-visit your Ad Preference page once yearly to delete items. What do you think?


Security Experts State Privacy Issues With Proposed NHTSA Rules For Vehicle Automation

The Center For Democracy & Technology (CDT) and four cryptographers have stated their security and privacy concerns regarding proposed rules by the National Highway Traffic Safety Administration (NHTSA) for vehicle automation and communications. In a CDT blog post, Chief Technologist Lorenzo Hall stated that the group's concerns about NHTSA's:

"... proposed rulemaking to establish a new Federal Motor Vehicle Safety Standard (FMVSS), No. 150, which intends to mandate and standardize vehicle-to-vehicle (V2V) communications for new light vehicles... Our comments highlight our concern that NHTSA’s proposal standard may not contain adequate measures to protect consumer privacy from third parties who may choose to listen in on the Basic Safety Message (BSM) broadcast by vehicles. Inexpensive real-time tracking of vehicles is not a distant future hypothetical. Vehicle tracking will be exploited by a multitude of companies, governments, and criminal elements for a variety of purposes such as vehicle repossession, blackmail, gaining an advantage in a divorce settlement, mass surveillance, commercial espionage, organized crime, burglary, or stalking.

Our concern is that the privacy protections currently proposed for V2V communications may be easily circumvented by any party determined to perform large-scale real-time tracking of multiple vehicles at once. This poses a serious costs for both individual privacy and society at large..."

FMVSS Standards include regulations automobile and vehicle manufacturers must comply with. Read the proposed FMVSS Rule 150 in the Federal Register. The proposed rule specifies how vehicles will automatically broadcast Basic Safety Messages (BSM).

The group's detailed submission (Adobe PDF) to the U.S. Department of Transportation (DOT) described specific privacy concerns. One example:

"2.1 Linking a vehicle to an individual
The NPRM proposes that vehicle location accurate to within 1.5 meters be included in every BSM. Such high accuracy is sufficient to identify a vehicle’s specific parking spot. Assuming a suburban environment where the parking spot is a driveway, this information is enough to identify the owners or tenants... Vehicles can be further disambiguated among members of a household or people sharing parking spots by when they leave and where they go. For instance, shift workers, 9-to-5 office workers, high school students, and stay-at-home parents will all have different, distinguishable patterns of vehicle use. Even among office commuters, the first few turns after leaving the driveway will be very useful for disambiguating people working at different locations..."

So, when you leave home and the route you take can easily identify individuals. You don't have to be the registered owner of the car. Yes, your smartphone broadcasts to the nearest cellular tower and that identifies your location, but not as precisely. Privacy is needed because the bad guys -- stalkers, criminals -- could also use BSMs to spy upon individuals.

The security experts found the proposed BSM privacy statement by NHTSA to be one-sided and incomplete:

"The examples of third-party collection provided in paragraph (b) of the privacy statement mention only benign collection for beneficial purposes, such as accident avoidance, transit maintenance, or valuable commercial services. They selectively highlight the socially beneficial uses of V2V information without mentioning commercial services [which] may not [be] valuable for consumers; or other potential, detrimental, or even criminal uses. This is especially troubling..."

The CDT and security experts recommended that due to the privacy risks described:

"... we firmly believe that, unless a considerably more privacy-conscious proposal is put forward, consumers should be given the choice to opt-in or opt-out (without a default opt-in), and should be made clearly aware of what they are opting in to..."

I agree. A totally sensible and appropriate approach. The group's detailed submission also compared several vehicle tracking methods:

"... physically following a car or placing a GPS device on it, do not allow for mass tracking of most vehicles in a given area. Some options, such as cellphone tracking or toll collection history, require specialized access to a private infrastructure. Cellular data does not provide precise position information to just anyone who listens in... Moreover, cellular technology is evolving rapidly — today it provides more privacy than in the past... license-plate-based tracking requires a line of sight to a given vehicle, and thus is usually neither pervasive nor real-time. A vehicle can be observed driven or parked, but not tracked continuously unless followed. Only a few vehicles can be observed by a camera at any given time. Thus, license-plate-based tracking provides only episodic reports of locations for most vehicles. In contrast, because receiving the BSM does not require a line of sight and the BSM is transmitted ten times per second, multiple vehicles can be tracked simultaneously, continuously, and in real time.

The Privacy Technical Analysis Report concluded that the only option other than BSMs that may be viable for large-scale real-time tracking without any infrastructure access is via toll transponders."

License-plate tracking and the cameras used are often referred to as Automated License Plate Readers (ALPR). Law enforcement uses four types of ALPR technologies: mobile cameras, stationary cameras, semi-stationary cameras, and ALPR databases.

So, BSM provides large-scale real-time tracking. And, while toll transponders provide consumers with a convenient method to pay and zoom through tolls, the technology can be used to track you. Read the full CDT blog post.


Security Expert Says Protecting Driverless Cars From Hackers Is Hard

Wired Magazine recently interviewed Charlie Miller, an automobile security expert, about the security of driverless cars. You may remember Miller. He and an associated remotely hacked a moving Jeep vehicle in 2015 to demonstrate security vulnerabilities in autos. Miller later worked for Uber, and recently joined Didi.

Wired Magazine reported:

"Autonomous vehicles are at the apex of all the terrible things that can go wrong,” says Miller, who spent years on the NSA’s Tailored Access Operations team of elite hackers before stints at Twitter and Uber. “Cars are already insecure, and you’re adding a bunch of sensors and computers that are controlling them…If a bad guy gets control of that, it’s going to be even worse."

The article highlights the security issues with driverless used by ride-sharing companies. Simply, the driverless taxi or ride-share car is unattended for long periods of time.. That is a huge opportunity for hackers posing as riders to directly access and hack driverless cars:

"There’s going to be someone you don’t necessarily trust sitting in your car for an extended period of time,” says Miller. “The OBD2 port is something that’s pretty easy for a passenger to plug something into and then hop out, and then they have access to your vehicle’s sensitive network."

The article also highlights some of the differences between driverless cars used as personal vehicles versus as ride-sharing (or taxi) cars. In a driverless personal vehicle, the owner -- who is also the inattentive driver -- can regain control after a remote hack and steer/brake to safety. Not so in a driverless ride-sharing car or taxi.

Do you believe that criminals won't try to hack driverless (ride-sharing and taxi) cars? History strongly suggests otherwise. Since consumers love the convenience of pay-at-the-pump in gas stations, criminals have repeatedly installed skimming devices in unattended gas station pumps to steal drivers' debit/credit payment information. No doubt, criminals will want to hack driverless cars to steal riders' payment information.

What are your opinions of the security of driverless cars?


Researchers: Thousands of Android Apps Collude To Spy on Users

Got an Android phone or tablet? Considering an Android phone? Then, pay close attention. Researchers have found that more than 20,000 pairs of Android apps work together to spy on users: collect, track, and share information without notice nor consent. The Atlantic magazine explained:

"Security researchers don’t have much trouble figuring out if a single app is gathering sensitive data and secretly sending it off to a server somewhere. But when two apps team up, neither may show definitive signs of thievery alone... A study released this week developed a new way to tackle this problem—and found more than 20,000 app pairings that leak data... Their system—DIALDroid—then couples apps to simulate how they’d interact, and whether they could potentially work together to leak sensitive information. When the researchers set DIALDroid loose on the 100,206 most downloaded Android apps, they turned up nearly 23,500 app pairs that leak data..."

Researchers at Southern Illinois University and at Virginia Tech collaborated on the highly technical report titled, "Collusive Data Leak And More: Large-Scale Threat Analysis of Inter-App Communications" (Adobe PDF). The report compared DIALDroid to other inter-app analysis tools, and analyzed whether the data leaks were intentional or unintentional (e.g., due to poor design).

The vulnerabilities the researchers found seem three-fold. First, there is the stealth collusion described above. Second, how the data collected and where it is sent are problematic. The Atlantic article explained:

"When they analyzed the the final destination for leaked data, the Virginia Tech researchers found that nearly half of the receivers in leaky app pairs sent the sensitive data to a log file. Generally, logged information is only available to the app that created it—but some cyberattacks can extract data from log files, which means the leak could still be dangerous. Other more immediately dangerous app pairings send data away from the phone over the internet, or even over SMS."

Third, the vulnerabilities apply to apps operating on corporate networks. The researchers warned in their technical report:

"User Applications. Although DIALDroid is for marketplace owners, Android users can also benefit from this tool. For example, enterprise users can check possible inter-app collusions using DI-ALDroid before allowing certain apps to be installed on the devices of their employees. Moreover, a large-scale public database similar to ours, when regularly updated, can be queried by users to find out possible inter-app communications to or from a particular app."

"Marketplace owners" refers to organizations running online app stores. "Enterprise users" refers to information technology (I.T.) professionals managing (and securing) internal organization networks containing highly sensitive, confidential, and/or proprietary information. Corporate, government, health care organizations, and law firms immediately come to mind.

Prior blog posts and firmware reports have identified numerous vulnerabilities with Android devices. Now, we know a little more about how some apps work together secretly. Add this new item to the list of vulnerabilities.

Android phones may be cheaper than other brands, but that comes at a very steep cost. What are your opinions?


Poll Finds Republicans Rollback of Broadband Privacy Very Unpopular

A recent poll found that the Republican rollback of broadband privacy rules is very unpopular. Very unpopular. The poll included 1,000 Americans, and the results cut across age, gender, and political affiliations. Despite this, President Trump signed the privacy-rollback legislation on April 3. Since then, many consumers have sought online tools to protect their privacy.

Vox reported the survey results:

Image of Yougov poll results about Republican rollback of broadband privacy. Click to view larger version

Late last week, several Republicans in the House of Representatives sent a letter (Adobe PDF) to Ajit Pai, the Chairman of the U.S. Federal Communications Commission (FCC), urging the FCC to regulate broadband service providers. The letter read, in part:

"We write to ensure that the Federal Communications Commission (FCC) stands ready to protect consumer privacy... The Federal Trade Commission (FTC) has long been the standard bearer for striking the right balance of consumer protection with a pro-innovative construct that encourages consumer choice, opportunities, and new jobs... An FCC approach that mirrors the FTC will continue to protect consumers in this tumultuous time... Until such time as the FCC rectifies the Title II reclassification that inappropriately removed ISPs from the FTC's jurisdiction, we urge the FCC to hold Internet service providers (ISPs) to their privacy promises..."

The letter was signed by Greg Walden (Chairman, Committee on Energy & Commerce), Marsha Blackburn (Chairman, Subcommittee on Communications & Technology), and 48 other representatives.

Tumultuous times? The tumult was created by the rollback of privacy rules -- a situation created by Republicans. All would have been fine if they'd left the FCC's broadband privacy rules in place; rules consumers clear want -- rules that keep users in control of their online privacy.

Representative Blackburn and her fellow Republicans either doesn't know history or have chosen to ignore it. Several problems have plagued the industry: a lack of ISP competition in key markets, consumers in the United States pay more for broadband and get slower speeds compared to other countries, and numerous privacy violations and lawsuits:

Clearly, the FCC had to act, it did, it held hearings, and then finalized improved broadband privacy rules to help consumers. Now, the Congress and President undid all of that creating the tumult they now claim to want to solve.

Clearly, Representative Blackburn and others are happy to comply with the wishes of their corporate donors -- who don't want broadband classified as a utility. Internet access is a basic consumer need for work, entertainment, and school -- just like water, electricity, and natural gas (for cooking). Internet access is a utility, like it or not. The FCC under Chairman Wheeler had the right consumer-friendly approach, despite the spin by Blackburn and others.

What are your opinions?


Lawsuit Claims The Uber Mobile App Scams Both Riders And Drivers

Uber logo A class-action lawsuit against Uber claims that the ride-sharing company manipulated its mobile app to simultaneously short-change drivers and over-charge riders. Ars Technica reported:

"When a rider uses Uber's app to hail a ride, the fare the app immediately shows to the passenger is based on a slower and longer route compared to the one displayed to the driver. The software displays a quicker, shorter route for the driver. But the rider pays the higher fee, and the driver's commission is paid from the cheaper, faster route, according to the lawsuit.

"Specifically, the Uber Defendants deliberately manipulated the navigation data used in determining the fare amount paid by its users and the amount reported and paid to its drivers," according to the suit filed in federal court in Los Angeles."

Controversy surrounds Uber after several high-level executive changes, an investigative news report alleging a worldwide program to thwart oversight by local governments, and a key lawsuit challenging the company's technology.


A Cautionary Tale About The Internet Of Things And The CRFA

The internet-of-things devices consumers installed in their homes aren't really theirs. Oh, consumers paid good money for these smart devices, but the devices aren't really theirs. How so you ask? The cautionary tale below explains.

Unhappy with Garadget, an internet-connected garage-door opener he bought, Robert Martin posted negative reviews on both Garadget's official discussion board (username: rdmart7) and on Garadget's Amazon page. Unhappy with those negative reviews, Denis Grisak, the device's creator, responded initially by disabling internet access to the mobile app Martin used to operate his device. Grisak angrily said Martin could return his device for a refund.

You might call that a digital mugging.

The disagreement escalated and Grisak also disabled Martin's access to the Garadget discussion board and to Martin's online profile. You can read the entire story by The Atlantic. There are several items to learn from this incident. First, as The Atlantic concluded:

"Even just an angry moment can turn a smart device into a dead one."

Clearly, the device creator overreacted by disabling internet access. Grisak later softened his position and restored Martin's online connections. However, the incident highlights the fact that in the heat of the moment, angry (or ethically-challenged) and revengeful device makers can easily and quickly disable smart devices. It doesn't matter that consumers legally paid for those devices.

Second, end-user license agreements (EULA) matter. Terms of service policies matter. Most consumers never read these documents, and they matter greatly. The incident is a reminder of the "gag clauses" some companies insert into policies to silence negative reviews. This incident highlights a technical tactic ethically-challenged device makers can use to enforce gag clauses.

And it's not only device makers. In 2009, some physicians tried to force patients to sign, “Consent And Mutual Agreement to Maintain Privacy” (MAMP) policy documents. Don’t be fooled by the policy name, which is a fancy label for a gag clause. The policy document usually requires the patient to give up their rights to mention that physician on any social networking sites.

Third, legislation and consumer protections matter. The Atlantic reported:

"Some commenters on Amazon and Hacker News wondered whether Grisak’s public online revenge was legal. One person encouraged Martin to reach out to his state attorney general’s office. That’s a complicated question... A bill signed into law signed in December prohibits companies from including “gag clauses” in the contracts they enter into with customers, meaning they can’t bring legal action against someone just for a negative review."

That new law is the "Consumer Review Fairness Act" (CRFA - H.R. 5111) which protects consumers' rights to share their honest opinions online about any product or service.The U.S. Federal Trade Commission (FTC) explains the CRFA and provides guidance:

"The law protects a broad variety of honest consumer assessments, including online reviews, social media posts, uploaded photos, videos, etc. And it doesn’t just cover product reviews. It also applies to consumer evaluations of a company’s customer service... the Act makes it illegal for a company to use a contract provision that: a) bars or restricts the ability of a person who is a party to that contract to review a company’s products, services, or conduct; b) imposes a penalty or fee against someone who gives a review; or c) requires people to give up their intellectual property rights in the content of their reviews.

The [CRFA] makes it illegal for companies to include standardized provisions that threaten or penalize people for posting honest reviews. For example, in an online transaction, it would be illegal for a company to include a provision in its terms and conditions that prohibits or punishes negative reviews by customers. (The law doesn’t apply to employment contracts or agreements with independent contractors, however.) The law says it’s OK to prohibit or remove a review that: 1) contains confidential or private information – for example, a person’s financial, medical, or personnel file information or a company’s trade secrets; 2) is libelous, harassing, abusive, obscene, vulgar, sexually explicit, or is inappropriate with respect to race, gender, sexuality, ethnicity, or other intrinsic characteristic; 3) is unrelated to the company’s products or services; or 4) is clearly false or misleading."

However, the CRFA won't stop device makers from disabling the mobile apps and/or smart devices of consumers who have posted negative reviews. And, an online search easily retrieves physicians' sites still displaying MAMP policy documents. I guess that not everyone is aware of the CRFA.

Fourth, the consumer backlash has begun against smart devices with allegedly poor security. The @Internetofshit blogger (on Twitter and on Facebook) tracks and discusses such devices and device makers' actions that allegedly violate the CRFA. The discussion recently included Garadget:

Tweet by Internetofshit blogger about Garadget. Click to view larger version

What are your opinions of the Garadget incident? Of the CRFA? Of smart device security?


President Trump Signed Legislation Revoking FCC's Broadband Privacy Rules. Lots Of Consequences

Late yesterday, President Trump signed legislation revoking broadband privacy rules adopted by the Federal Communications Commission (FCC). The rules would have kept consumers in control of their information online. Instead, internet service providers (ISPs) are free to collect, archive, and share at will without notice nor consent information about consumers' online activities (e.g., far more than browsing histories).

The legislation narrowly passed both in the Senate (50 - 48) and in the House (210 - 205). Proponents of the legislation claimed duplicate legislation. Representative Marsha Blackburn (R-Tenn.), who introduced the legislation in the House, said plenty recently according to Breitbart News:

"What we are doing is recalling a privacy rule that the FCC issued right at the end of the Obama administration, and the reason we are doing this is because it is additional and duplicative regulation... What the FCC did was clearly overreach. It gives you two sets of regulators that you’re trying to comply with, not one. So we are recalling the FCC’s rule, and that authority will go back to the FTC...”

"What the Obama administration did... they reclassified your Internet service as Title II, which is a common carrier classification. It is the rule that governs telephone usage... Those rules were put on the books in the thirties. So what the Democrats did... they reclassified Internet, which is an information service, as a telephone service, and then put those 1930s-era rules on top of your Internet service... They did that so they could tax it, so they could begin to regulate it..."

"You don’t need another layer of regulation. It’s like flashing alerts: We don’t need net neutrality. We don’t need Title II. We don’t need additional regulations heaped on the Internet under Title II. The Internet is not broken. It has done just fine without the government controlling it."

Not broken? The founder of the internet, Tim Berners-Lee gave three solid reasons why the internet is broken. His number one reason: consumers have lost control over their personal information.

And, Representative Blackburn either doesn't know history or has chosen to ignore it. Several problems have plagued the industry: a lack of ISP competition in key markets, consumers in the United States pay more for broadband and get slower speeds compared to other countries, and numerous privacy violations and lawsuits:

Clearly, the FCC had to act, it did, it held hearings, and then finalized improved broadband privacy rules to help consumers. Now, the Congress and President undid all of that.

There are plenty of consequences. To regain some online privacy lost due to the new legislation, many consumers have considered Virtual Private Networks (VPNs) and other online tools to prevent ISPs from spying on them. VPNs are not a cure-all. ISPs can still block or throttle consumers' VPN connection, and VPNs won't protect e-mail nor internet-of-things devices installed in homes.

Basically, there is no substitute for consumers being in control of their online privacy with transparent notice by ISPs. The impact upon consumers: less online privacy and higher internet prices. Consumers are forced to spend more money on VPN and other tools.

Blackburn and others claimed that the U.S. Federal Trade Commission (FTC) should regulate ISPs. Regulation by the FTC is not a slam-dunk. AdAge reported:

"If the FTC does regain its oversight, the result is likely to be weaker privacy protections than what the FCC intended with its rules, as well as a relatively clear path for telcos to pursue their data-revenue-generating goals... One legal peak to climb: precedent set by a U.S district court ruling siding with AT&T against the FTC last year which carved out an exemption for companies that provide bundled phone and ISP services which effectively protected AT&T from FTC regulations protecting consumers from unfair or deceptive practices.

Even if the FTC eventually garners ISP jurisdiction, argued [Gigi Sohn, a senior counselor to former FCC Chairman Tom Wheeler], "it will lead to some privacy protection but much weaker than what people just lost." She pointed to FTC Chairman Ohlausen's high bar for showing harm against consumers before actions against companies are taken, noting, "She wants to see harm first. Well, rules protect you before you're harmed." "

Despite the claims by Blackburn and others, the bottom line is:

"... what we're left with is a period of uncertainty where the carriers may do certain things but it's unclear. Does the FCC have jurisdiction or does the FTC have jurisdiction?"

The Los Angeles Times reported:

"The FTC is empowered to bring lawsuits against companies that violate its privacy guidelines, but it has no authority to create new rules for industry. It also cannot enforce its own guidelines against Internet providers because of a government rule that places those types of companies squarely within the jurisdiction of the FCC and out of the reach of the FTC. As a result, Internet providers exist in a "policy gap" in which the only privacy regulators for the industry operate at the state, not federal, level, analysts say."

Ambiguity. Lack of clarity. Policy gap. None of those are good for business, or for consumers.

Read more about President Trump's signing of the legislation at C/Net and Reuters.


Tools For Consumers To Regain Some Online Privacy. Higher Internet Prices Likely

Now that the Republican-led Congress and President Trump have dismantled broadband privacy rules, internet service providers (ISPs) are free to collect, archive, and share at will without disclosure consumers' complete online activities (e.g., far more than browsing histories) to maximize their profits. Just about all of your online activities are harvested by ISPs, not just your browsing histories. Readers of this blog may remember the Deep-Packet Inspection software some ISPs installed on their servers to track their customers' online usage without notice nor consent.

To combat this, many consumers seek technical solutions, such as a virtual private network (VPN), to maintain as much privacy online as possible. Consumers will need to locate VPN and other tools than run on several devices (e.g., phones, tablets, laptops, desktops, etc.) and browsers (e.g., Firefox, Opera, etc.). Resources about several tools including VPNs:

Reviews and comparisons about VPN providers:

Some recommended, paid VPNs run on several platforms including Apple brand devices: F-Secure Freedome, Private Internet Access, and SurfEasy. Some VPNs offer a lower monthly price for a longer contract term. Look for pricing that covers multiple devices.

All of the above resources contain links to specific VPN brands. Experts recommend that consumers shop around for a paid VPN, since many of the free VPNs collect and resell consumers' information to make money. Some VPN providers offer phone customer service and support. This may be especially helpful for inexperienced users.

If a (free or paid) VPN saves usage logs of its customers' online activity and shares those logs with others (e.g., advertisers, affiliates, marketing partners, law enforcement, etc.), then that totally defeats the purpose of using a VPN service for privacy. So wise consumers shop around, read the terms of service, and read the privacy policy before signing up for a VPN.

Just like anti-virus software, several VPNs running on the same device can cause problems. So, you'll need to spend time sorting that out, too.

Sadly, VPNs are not a cure-all. Your ISP can still block or throttle your connection. Basically, there is no substitute for consumers being in control of their online privacy with transparent notice by ISPs. And, VPNs won't protect internet-of-things devices (e.g., appliances, refrigerators, thermostats, security systems, televisions, etc.) connected in to the WiFi router in your home. Tech Dirt reported:

"VPN clients are typically for desktop machines and, in some cases, mobile devices such as phones and tablets. As previously discussed, IoT devices in homes will continue to generate more traffic. Most such devices do not support VPN software. While it is conceivable that a user could set up an encrypted VPN tunnel from the home router and route all home traffic through a VPN, typical home gateways don’t easily support this functionality at this point, and configuring such a setup would be cumbersome for the typical user."

Note: VPN services don't protect e-mail. ISPs user a different set of servers for e-mail (e.g., SMTP, SMTPS) versus web browsing (e.g., HTTP, HTTPS). You might consider a secure e-mail service like ProtonMail. You might find this review of ProtonMail helpful.

Do you use Gmail? Remember Google scans both inbound and outbound e-mail messages supposedly to serve up relevant ads. While a certain amount of message scanning is appropriate to identify spam and malware, last month a federal court judge rejected a proposed settlement offer with non-Gmail users who had filed a class-action lawsuit because their e-mail messages had been scanned by Google (and they couldn't opt out of the scanning).

So, internet costs for consumers are going up with thanks to privacy-busting legislation passed by a Republican-led Congress. Consumers will pay more, perhaps an additional $50 - $80 yearly for VPN services, on top of already high monthly internet prices -- with a marginal increase in privacy; not the better, more complete solution consumers would have received with the FCC broadband privacy rules. Add in the value of your time spent shopping around for VPN and privacy tools, and the price increase is even greater.

Plus, monthly internet costs for consumers could go far higher if ISPs charge for online privacy. Is that possible you ask? Yep. Comcast and industry lobbyists have already stated that they want "pay-for-privacy" schemes. Congress seems happy to oblige corporate ISPs and stick it to consumers.

Petition to keep FCC broadband privacy rules and nullify Senate Joint Resolution 34 Mad about all of this? You probably are, too. I am. Be sure to tell your Senators and House representatives that voted to revoke FCC online privacy rules. Tell them you dislike the higher prices you're forced to pay to maintain privacy online.

Do any VPN providers act as fronts for government intelligence and spy agencies? I do not have the resources to determine this. Perhaps, some enterprising white-hat users can shed some light on this.

What online privacy resources have you found?


Study: Many Consumers Don't Secure Their Mobile Devices

Many consumers in the United States don't take the steps experts recommend to secure their mobile devices. Pew Research reported the findings of a recent survey:

"More than a quarter (28%) of smartphone owners say they do not use a screen lock or other security features to access their phone. And while a majority of smartphone users say they have updated their phone’s apps or operating system, about 40% say they only update when it’s convenient for them. Meanwhile, some users forgo updating their phones altogether: Around one-in-ten  smartphone owners report they never update their phone’s operating system (14%) or update the apps on their phone (10%)."

And, there are differences by the age of phone owners:

"owners ages 65 and older are much less likely than adults younger than 65 to use a screen lock and regularly update their phone’s apps and operating system (13% vs. 23%). Smartphone users 65 and older are also more than twice as likely as younger users to report that they do not take any of these actions to secure their phones (8% vs. 3%)..."

Other risky behaviors consumers perform:

"... 54% of internet users use public Wi-Fi networks, and many of these users are performing sensitive activities such online shopping (21%) or online banking (20%)."


Uber: President Resigns, Greyball, A Major Lawsuit, Corporate Culture, And Lingering Questions

Uber logo Several executive changes are underway at Uber. The President of Uber's Ridesharing unit, Jeff Jones, resigned after only six months at the company. The Recode site posted a statement by Jones:

"Jones also confirmed the departure with a blistering assessment of the company. "It is now clear, however, that the beliefs and approach to leadership that have guided my career are inconsistent with what I saw and experienced at Uber, and I can no longer continue as president of the ride-sharing business," he said in a statement to Recode."

Prior to joining Uber, Jones had been the Chief Marketing Officer (CMO) at Target stores. Travis Kalanick, the Chief Executive Officer at Uber, disclosed that he met Jones at a Ted conference in Vancouver, British Columbia, Canada.

There have been more executive changes at Uber. The company announced on March 7 its search for a Chief Operating Officer (COO). It announced on March 14 the appointment of Zoubin Ghahramani as its new Chief Scientist based San Francisco. Ghahramani will lead Uber’s AI Labs, our recently created machine learning and artificial intelligence research unit and associated business strategy. Zoubin, a Professor of Information Engineering at the University of Cambridge, joined Uber when it acquired Geometric Intelligence.

In February 2017, CEO Travis Kalanick asked Amit Singhal to resign. Singhal, the company's senior vice president of engineering, had joined Uber a month after 15 years at Google. Reportedly, Singhal was let go for failing to disclose reasons for his departure from Google, including sexual harassment allegations.

Given these movements by executives, one might wonder what is happening at Uber. A brief review of the company's history found controversy accompanying its business practices. Earlier this month, an investigative report by The New York Times described a worldwide program by Uber executives to thwart code enforcement inspections by governments:

"The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials who were trying to clamp down on the ride-hailing service. Uber used these methods to evade the authorities in cities like Boston, Paris and Las Vegas, and in countries like Australia, China and South Korea.

Greyball was part of a program called VTOS, short for “violation of terms of service,” which Uber created to root out people it thought were using or targeting its service improperly. The program, including Greyball, began as early as 2014 and remains in use, predominantly outside the United States. Greyball was approved by Uber’s legal team."

An example of how the program and Greyball work:

"Uber’s use of Greyball was recorded on video in late 2014, when Erich England, a code enforcement inspector in Portland, Ore., tried to hail an Uber car downtown in a sting operation against the company... officers like Mr. England posed as riders, opening the Uber app to hail a car and watching as miniature vehicles on the screen made their way toward the potential fares. But unknown to Mr. England and other authorities, some of the digital cars they saw in the app did not represent actual vehicles. And the Uber drivers they were able to hail also quickly canceled."

The City of Portland sued Uber in December 2014 and issued a Cease And Desist Order. Uber continued operations in the city, and a pilot program in Portland began in April, 2015. Later in 2015, the City of Portland authorized Uber''s operations. In March 2017, Oregon Live reported a pending investigation:

"An Uber spokesman said Friday that the company has not used the Greyball program in Portland since then. Portland Commissioner Dan Saltzman said Monday that the investigation will focus on whether Uber has used Greyball, or any form of it, to obstruct the city's enforcement of its regulations. The review would examine information the companies have already provided the city, and potentially seeking additional data from them... The investigation also will affect Uber's biggest competitor, Lyft, Saltzman said, though Lyft did not operate in Portland until after its business model was legalized, and there's no indication that it similarly screened regulators... Commissioner Nick Fish earlier called for a broader investigation and said the City Council should seek subpoena powers to determine the extent of Uber's "Greyball" usage..."

This raises questions about other locations Uber may have used its Greyball program. The San Francisco District Attorney's office is investigating, as are government officials in Sydney, Australia. Also this month, the Upstate Transportation Association (UTA), a trade group of taxi companies in New York State, asked government officials to investigate. The Albany Times Union reported:

"In a Tuesday letter to Governor Andrew Cuomo, Assembly Speaker Carl Heastie and Senate Majority Leader John Flanagan, UTA President John Tomassi wrote accused the company of possibly having used the Greyball technology in New York to evade authorities in areas where ride-hailing is not allowed. Uber and companies like it are authorized to operate only in New York City, where they are considered black cars. But UTA’s concerns about Greyball are spurred in part by reported pick-ups in some suburban areas."

A look at Uber's operations in Chicago sheds some light on how the company operates. NBC Channel 5 reported in 2014:

"... news that President Barack Obama's former adviser and campaign strategist David Plouffe has joined the company as senior VP of policy and strategy delivers a strong message to its enemies: Uber means business. How dare you disrupt our disruption? You're going down.

Here in the Land of Lincoln, Plouffe's hiring adds another layer of awkward personal politics to the Great Uber Debate. It's an increasingly tangled web: Plouffe worked in the White House alongside Rahm Emanuel when the Chicago mayor was Chief of Staff. Emanuel, trying to strike a balance between Uber-friendly and cabbie-considerate, recently passed a bill that restricts Uber drivers from picking up passengers at O'Hare, Midway and McCormick Place... Further complicating matters, Emanuel's brother, Hollywood super-agent Ari Emanuel, has invested in Uber..."

That debate also included the Illinois Governor, as politicians try to balance the competing needs of traditional taxi companies, ride-sharing companies, and consumers. The entire situation raises questions about why there aren't Greyball investigations by more cities. Is it due to local political interference?

That isn't all. In 2014, Uber's "God View" tool raised concerns about privacy, the company's tracking of its customers, and a questionable corporate culture. At that time, an Uber executive reportedly suggested that the company hire opposition researchers to dig up dirt about its critics in the news media.

Uber's claims in January 2015 of reduced drunk-driving accidents due to its service seemed dubious after scrutiny. ProPublica explained:

"Uber reported that cities using its ridesharing service have seen a reduction in drunk driving accidents, particularly among young people. But when ProPublica data reporter Ryann Grochowski Jones took a hard look at the numbers, she found the company's claim that it had "likely prevented" 1,800 crashes over the past 2.5 years to be lacking... the first red flag was that Uber didn't include a methodology with its report. A methodology is crucial to show how the statistician did the analysis... Uber eventually sent her a copy of the methodology separately, which showed that drunk-driving accidents involving drivers under 30 dropped in California after Uber's launch. The math itself is fine, Grochowski Jones says, but Uber offers no proof that those under 30 and Uber users are actually the same population.

This seems like one of those famous moments in intro statistics courses where we talk about correlation and causality, ProPublica Editor-in-Chief Steve Engelberg says. Grochowski Jones agrees, showcasing how drowning rates are higher in the summer as are ice cream sales but clearly one doesn't cause the other."

Similar claims by Uber about the benefits of "surge pricing" seemed to wilter under scrutiny. ProPublica reported in October, 2015:

"The company has always said the higher prices actually help passengers by encouraging more drivers to get on the road. But computer scientists from Northeastern University have found that higher prices don’t necessarily result in more drivers. Researchers Le Chen, Alan Mislove and Christo Wilson created 43 new Uber accounts and virtually hailed cars over four weeks from fixed points throughout San Francisco and Manhattan. They found that many drivers actually leave surge areas in anticipation of fewer people ordering rides. "What happens during a surge is, it just kills demand," Wilson told ProPublica."

Another surge-pricing study in 2016 concluded with a positive spin:

"... that consumers can benefit from surge pricing. They find this is the case when a market isn’t fully served by traditional taxis when demand is high. In short, if you can’t find a cab on New Year’s Eve, Daniels’ research says you’re better off with surge pricing... surge pricing allows service to expand during peak demand without creating idleness for drivers during normal demand. This means that more peak demand customers get rides, albeit at a higher price. This also means that the price during normal demand settings drops, allowing more customers service at these normal demand times."

In other words, "can benefit" doesn't ensure that riders will benefit. And "allows service to expand" doesn't ensure that service will expand during peak demand periods. "Surge pricing" does ensure higher prices. A better solution might be surge payments to drivers during peak hours to expand services. Uber will still make more money with more rides during peak periods.

The surge-pricing concept is a reminder of basic economics when prices are raised by suppliers. Demand decreases. A lower price should follow, but the surge-price prevents that. As the prior study highlighted, drivers have learned from this: additional drivers don't enter the market to force down the higher surge-price.

And, there is more. In 2015, the State of California Labor Commission ruled that Uber drivers are employees and not independent contractors, as the company claimed. Concerns about safety and criminal background checks have been raised. Last year, BuzzFeed News analyzed ride data from Uber:

"... the company received five claims of rape and “fewer than” 170 claims of sexual assault directly related to an Uber ride as inbound tickets to its customer service database between December 2012 and August 2015. Uber provided these numbers as a rebuttal to screenshots obtained by BuzzFeed News. The images that were provided by a former Uber customer service representative (CSR) to BuzzFeed News, and subsequently confirmed by multiple other parties, show search queries conducted on Uber’s Zendesk customer support platform from December 2012 through August 2015... In one screenshot, a search query for “sexual assault” returns 6,160 Uber customer support tickets. A search for “rape” returns 5,827 individual tickets."

That news item is interesting since it includes several images of video screens from the company's customer support tool. Uber's response:

"The ride-hail giant repeatedly asserted that the high number of queries from the screenshots is overstated, however Uber declined BuzzFeed News’ request to grant direct access to the data, or view its data analysis procedures. When asked for any additional anonymous data on the five rape complaint tickets it claims to have received between December 2012 and August 2015, Uber declined to provide any information."

Context matters about ride safety and corporate culture. A former Uber employee shared a disturbing story with allegations of sexual harassment:

"I joined Uber as a site reliability engineer (SRE) back in November 2015, and it was a great time to join as an engineer... After the first couple of weeks of training, I chose to join the team that worked on my area of expertise, and this is where things started getting weird. On my first official day rotating on the team, my new manager sent me a string of messages over company chat. He was in an open relationship, he said, and his girlfriend was having an easy time finding new partners but he wasn't. He was trying to stay out of trouble at work, he said, but he couldn't help getting in trouble, because he was looking for women to have sex with... Uber was a pretty good-sized company at that time, and I had pretty standard expectations of how they would handle situations like this. I expected that I would report him to HR, they would handle the situation appropriately, and then life would go on - unfortunately, things played out quite a bit differently. When I reported the situation, I was told by both HR and upper management that even though this was clearly sexual harassment and he was propositioning me, it was this man's first offense, and that they wouldn't feel comfortable giving him anything other than a warning and a stern talking-to... I was then told that I had to make a choice: (i) I could either go and find another team and then never have to interact with this man again, or (ii) I could stay on the team, but I would have to understand that he would most likely give me a poor performance review when review time came around, and there was nothing they could do about that. I remarked that this didn't seem like much of a choice..."

Her story seems very credible. Based upon this and other events, some industry watchers question Uber's value should it seek more investors via an initial public offering (IPO):

"Uber has hired two outside law firms to conduct investigations related to the former employee's claims. One will investigate her claims specifically, the other is conducting a broader investigation into Uber's workplace practices...Taken together, the recent reports paint a picture of a company where sexual harassment is tolerated, laws are seen as inconveniences to be circumvented, and a showcase technology effort might be based on stolen secrets. That's all bad for obvious reasons... What will Uber's valuation look like the next time it has to raise money -- or when it attempts to go public?"

To understand the "might be based on stolen secrets" reference, the San Francisco Examiner newspaper explained on March 20:

"In the past few weeks, Uber’s touted self-driving technology has come under both legal and public scrutiny after Alphabet — Google’s parent company — sued Uber over how it obtained its technology. Alphabet alleges that the technology for Otto, a self-driving truck company acquired by Uber last year, was stolen from Alphabet’s own Waymo self-driving technology... Alphabet alleges Otto founder Anthony Levandowski downloaded proprietary data from Alphabet’s self-driving files. In December 2015, Levandowski download 14,000 design files onto a memory card reader and then wiped all the data from the laptop, according to the lawsuit.

The lawsuit also lays out a timeline where Levandowski and Uber were in cahoots with one another before the download operation. Alphabet alleges the two parties were in communications with each other since the summer of 2015, when Levandowski still worked for Waymo. Levandowski left Waymo in January 2016, started Otto the next month and joined Uber in August as vice president of Uber’s self-driving technology after Otto was purchased by Uber for $700 million... This may become the biggest copyright infringement case brought forth in Silicon Valley since Apple v. Microsoft in 1994, when Apple sued Microsoft over the alleged likeness in the latter’s graphic user interface."

And, just this past Saturday Uber suspended its driverless car program in Arizona after a crash. Reportedly, Uber's driverless car programs in Arizona, Pittsburgh and San Francisco are suspended pending the results of the crash investigation.

No doubt, there will be more news about the lawsuit, safety issues, sexual harassment, Greyball, and investigations by local cities. What are your opinions?


Maker Of Smart Vibrators To Pay $3.75 Million To Settle Privacy Lawsuit

Today's smart homes contain a variety of internet-connected appliances -- televisions, utility meters, hot water heaters, thermostats, refrigerators, security systems-- and devices you might not expect to have WiFi connections:  mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins. Add smart vibrators to the list.

We-Vibe logo We-Vibe, a maker of vibrators for better sex, will pay U.S. $3.75 million to settle a class action lawsuit involving allegations that the company tracked users without their knowledge nor consent. The Guardian reported:

"Following a class-action lawsuit in an Illinois federal court, We-Vibe’s parent company Standard Innovation has been ordered to pay a total of C$4m to owners, with those who used the vibrators associated app entitled to the full amount each. Those who simply bought the vibrator can claim up to $199... the app came with a number of security and privacy vulnerabilities... The app that controls the vibrator is barely secured, allowing anyone within bluetooth range to seize control of the device. In addition, data is collected and sent back to Standard Innovation, letting the company know about the temperature of the device and the vibration intensity – which, combined, reveal intimate information about the user’s sexual habits..."

Image of We-Vibe 4 Plus product with phone. Click to view larger version We-Vibe's products are available online at the Canadian company's online store and at Amazon. This Youtube video (warning: not safe for work) promotes the company's devices. Consumers can use the smart vibrator with or without the mobile app on their smartphones. The app is available at both the Apple iTunes and Google Play online stores.

Like any other digital device, security matters. C/Net reported last summer:

"... two security researchers who go by the names followr and g0ldfisk found flaws in the software that controls the [We-Vibe 4Plus] device. It could potentially let a hacker take over the vibrator while it's in use. But that's -- at this point -- only theoretical. What the researchers found more concerning was the device's use of personal data. Standard Innovation collects information on the temperature of the device and the intensity at which it's vibrating, in real time, the researchers found..."

In the September 2016 complaint (Adobe PDF; 601 K bytes), the plaintiffs sought to stop Standard Innovation from "monitoring, collecting, and transmitting consumers’ usage information," collect damages due to the alleged unauthorized data collection and privacy violations, and reimburse users from their purchase of their We-Vibe devices (because a personal vibrator with this alleged data collection is worth less than a personal vibrator without data collection). That complaint alleged:

"Unbeknownst to its customers, however, Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address — to its servers in Canada... By design, the defining feature of the We-Vibe device is the ability to remotely control it through We-Connect. Defendant requires customers to use We-Connect to fully access the We-Vibe’s features and functions. Yet, Defendant fails to notify or warn customers that We-Connect monitors and records, in real time, how they use the device. Nor does Defendant disclose that it transmits the collected private usage information to its servers in Canada... Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or patterns selected by the user, and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts... In addition, Defendant designed We-Connect to surreptitiously route information from the “connect lover” feature to its servers. For instance, when partners use the “connect lover” feature and one takes remote control of the We-Vibe device or sends a [text or video chat] communication, We-Connect causes all of the information to be routed to its servers, and then collects, at a minimum, certain information about the We-Vibe, including its temperature and battery life. That is, despite promising to create “a secure connection between your smartphones,” Defendant causes all communications to be routed through its servers..."

The We-Vibe Nova product page lists ten different vibration modes (e.g., Crest, Pulse, Wave, Echo, Cha-cha-cha, etc.), or users can create their own custom modes. The settlement agreement defined two groups of affected consumers:

"... the proposed Purchaser Class, consisting of: all individuals in the United States who purchased a Bluetooth-enabled We-Vibe Brand Product before September 26, 2016. As provided in the Settlement Agreement, “We-Vibe Brand Product” means the “We-Vibe® Classic; We-Vibe® 4 Plus; We-Vibe® 4 Plus App Only; Rave by We-VibeTM and Nova by We-VibeTM... the proposed App Class, consisting of: all individuals in the United States who downloaded the We-Connect application and used it to control a We-Vibe Brand Product before September 26, 2016."

According to the settlement agreement, affected users will be notified by e-mail addresses, with notices in the We-Connect mobile app, a settlement website (to be created), a "one-time half of a page summary publication notice in People Magazine and Sports Illustrated," and by online advertisements in several websites such as Google, YouTube, Facebook, Instagram, Twitter, and Pinterest. The settlement site will likely specify additional information including any deadlines and additional notices.

We-Vibe announced in its blog on October 3, 2016 several security improvements:

"... we updated the We-ConnectTM app and our app privacy notice. That update includes: a) Enhanced communication regarding our privacy practices and data collection – in both the onboarding process and in the app settings; b) No registration or account creation. Customers do not provide their name, email or phone number or other identifying information to use We-Connect; c) An option for customers to opt-out of sharing anonymous app usage data is available in the We-Connect settings; d) A new plain language Privacy Notice outlines how we collect and use data for the app to function and to improve We-Vibe products."

I briefly reviewed the We-Connect App Privacy Policy (dated September 26, 2016) linked from the Google Play store. When buying digital products online, often the privacy policy for the mobile app is different than the privacy policy for the website. (Informed shoppers read both.) Some key sections from the app privacy policy:

"Collection And Use of Information: You can use We-Vibe products without the We-Connect app. No information related to your use of We-Vibe products is collected from you if you don’t install and use the app."

I don't have access to the prior version of the privacy policy. That last sentence seems clear and should be a huge warning to prospective users about the data collection. More from the policy:

"We collect and use information for the purposes identified below... To access and use certain We-Vibe product features, the We-Connect app must be installed on an iOS or Android enabled device and paired with a We-Vibe product. We do not ask you to provide your name, address or other personally identifying information as part of the We-Connect app installation process or otherwise... The first time you launch the We-Connect app, our servers will provide you with an anonymous token. The We-Connect app will use this anonymous token to facilitate connections and share control of your We-Vibe with your partner using the Connect Lover feature... certain limited data is required for the We-Connect app to function on your device. This data is collected in a way that does not personally identify individual We-Connect app users. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the We-Connect app accesses our servers. We also collect certain information to facilitate the exchange of messages between you and your partner, and to enable you to adjust vibration controls. This data is also collected in a way that does not personally identify individual We-Connect app users."

In a way that does not personally identify individuals? What way? Is that the "anonymous token" or something else? More clarity seems necessary.

Consumers should read the app privacy policy and judge for themselves. Me? I am skeptical. Why? The "unique device identifier" can be used exactly for that... to identify a specific phone. The IP address associated with each mobile device can also be used to identify specific persons. Match either number to the user's 10-digit phone number (readily available on phones), and it seems that one can easily re-assemble anonymously collected data afterwards to make it user-specific.

And since partner(s) can remotely control a user's We-Vibe device, their information is collected, too. Persons with multiple partners (and/or multiple We-Vibe devices) should thoroughly consider the implications.

The About Us page in the We-Vibe site contains this company description:

"We-Vibe designs and manufactures world-leading couples and solo vibrators. Our world-class engineers and industrial designers work closely with sexual wellness experts, doctors and consumers to design and develop intimate products that work in sync with the human body. We use state-of-the-art techniques and tools to make sure our products set new industry standards for ergonomic design and high performance while remaining eco‑friendly and body-safe."

Hmmmm. No mentions of privacy nor security. Hopefully, a future About Us page revision will mention privacy and security. Hopefully, no government officials use these or other branded smart sex toys. This is exactly the type of data collection spies will use to embarrass and/or blackmail targets.

The settlement is a reminder that companies are willing, eager, and happy to exploit consumers' failure to read privacy policies. A study last year found that 74 percent of consumers surveyed never read privacy policies.

All of this should be a reminder to consumers that companies highly value the information they collect about their users, and generate additional revenue streams by selling information collected to corporate affiliates, advertisers, marketing partners, and/or data brokers. Consumers' smartphones are central to that data collection.

What are your opinions of the We-Vibe settlement? Of its products and security?


Can Customs and Border Officials Search Your Phone? These Are Your Rights

[Editor's note: today's guest post is by the reporters at ProPublica. Past actions by CBP, including the search of a domestic flight, have raised privacy concerns among many citizens. Informed consumers know their privacy rights before traveling. This news article first appeared on March 13 and is reprinted with permission.]

by Patrick G. Lee, ProPublica

A NASA scientist heading home to the U.S. said he was detained in January at a Houston airport, where Customs and Border Protection officers pressured him for access to his work phone and its potentially sensitive contents.

Last month, CBP agents checked the identification of passengers leaving a domestic flight at New York's John F. Kennedy Airport during a search for an immigrant with a deportation order.

And in October, border agents seized phones and other work-related material from a Canadian photojournalist. They blocked him from entering the U.S. after he refused to unlock the phones, citing his obligation to protect his sources.

These and other recent incidents have revived confusion and alarm over what powers border officials actually have and, perhaps more importantly, how to know when they are overstepping their authority.

The unsettling fact is that border officials have long had broad powers -- many people just don't know about them. Border officials, for instance, have search powers that extend 100 air miles inland from any external boundary of the U.S. That means border agents can stop and question people at fixed checkpoints dozens of miles from U.S. borders. They can also pull over motorists whom they suspect of a crime as part of "roving" border patrol operations.

Sowing even more uneasiness, ambiguity around the agency's search powers -- especially over electronic devices -- has persisted for years as courts nationwide address legal challenges raised by travelers, privacy advocates and civil-rights groups.

We've dug out answers about the current state-of-play when it comes to border searches, along with links to more detailed resources.

Doesn't the Fourth Amendment protect us from "unreasonable searches and seizures"?

Yes. The Fourth Amendment to the Constitution articulates the "right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures." However, those protections are lessened when entering the country at international terminals at airports, other ports of entry and subsequently any location that falls within 100 air miles of an external U.S. boundary.

How broad is Customs and Border Protection's search authority?

According to federal statutes, regulations and court decisions, CBP officers have the authority to inspect, without a warrant, any person trying to gain entry into the country and their belongings. CBP can also question individuals about their citizenship or immigration status and ask for documents that prove admissibility into the country.

This blanket authority for warrantless, routine searches at a port of entry ends when CBP decides to undertake a more invasive procedure, such as a body cavity search. For these kinds of actions, the CBP official needs to have some level of suspicion that a particular person is engaged in illicit activity, not simply that the individual is trying to enter the U.S.

Does CBP's search authority cover electronic devices like smartphones and laptops?

Yes. CBP refers to several statutes and regulations in justifying its authority to examine "computers, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players, and any other electronic or digital devices."

According to current CBP policy, officials should search electronic devices with a supervisor in the room, when feasible, and also in front of the person being questioned "unless there are national security, law enforcement, or other operational considerations" that take priority. For instance, if allowing a traveler to witness the search would reveal sensitive law enforcement techniques or compromise an investigation, "it may not be appropriate to allow the individual to be aware of or participate in a border search," according to a 2009 privacy impact assessment by the Department of Homeland Security.

CBP says it can conduct these searches "with or without" specific suspicion that the person who possesses the items is involved in a crime.

With a supervisor's sign-off, CBP officers can also seize an electronic device -- or a copy of the information on the device -- "for a brief, reasonable period of time to perform a thorough border search." Such seizures typically shouldn't exceed five days, although officers can apply for extensions in up to one-week increments, according to CBP policy. If a review of the device and its contents does not turn up probable cause for seizing it, CBP says it will destroy the copied information and return the device to its owner.

Can CBP really search my electronic devices without any specific suspicion that I might have committed a crime?

The Supreme Court has not directly ruled on this issue. However, a 2013 decision from the U.S. Court of Appeals for the Ninth Circuit -- one level below the Supreme Court -- provides some guidance on potential limits to CBP's search authority.

In a majority decision, the court affirmed that cursory searches of laptops -- such as having travelers turn their devices on and then examining their contents -- does not require any specific suspicions about the travelers to justify them.

The court, however, raised the bar for a "forensic examination" of the devices, such as using "computer software to analyze a hard drive." For these more powerful, intrusive and comprehensive searches, which could provide access to deleted files and search histories, password-protected information and other private details, border officials must have a "reasonable suspicion" of criminal activity -- not just a hunch.

As it stands, the 2013 appeals court decision legally applies only to the nine Western states in the Ninth Circuit, including California, Arizona, Nevada, Oregon and Washington. It's not clear whether CBP has taken the 2013 decision into account more broadly: The last time the agency publicly updated its policy for searching electronic devices was in 2009. CBP is currently reviewing that policy and there is "no specific timeline" for when an updated version might be announced, according to the agency.

"Laptop computers, iPads and the like are simultaneously offices and personal diaries. They contain the most intimate details of our lives," the court's decision said. "It is little comfort to assume that the government -- for now -- does not have the time or resources to seize and search the millions of devices that accompany the millions of travelers who cross our borders. It is the potential unfettered dragnet effect that is troublesome."

During the 2016 fiscal year, CBP officials conducted 23,877 electronic media searches, a five-fold increase from the previous year. In both the 2015 and 2016 fiscal years, the agency processed more than 380 million arriving travelers.

Am I legally required to disclose the password for my electronic device or social media, if CBP asks for it?

That's still an unsettled question, according to Liza Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. "Until it becomes clear that it's illegal to do that, they're going to continue to ask," she said.

The Fifth Amendment says that no one shall be made to serve as "a witness against himself" in a criminal case. Lower courts, however, have produced differing decisions on how exactly the Fifth Amendment applies to the disclosure of passwords to electronic devices.

Customs officers have the statutory authority "to demand the assistance of any person in making any arrest, search, or seizure authorized by any law enforced or administered by customs officers, if such assistance may be necessary." That statute has traditionally been invoked by immigration agents to enlist the help of local, state and other federal law enforcement agencies, according to Nathan Wessler, a staff attorney with the ACLU's Speech, Privacy and Technology Project. Whether the statute also compels individuals being interrogated by border officials to divulge their passwords has not been directly addressed by a court, Wessler said.

Even with this legal uncertainty, CBP officials have broad leverage to induce travelers to share password information, especially when someone just wants to catch their flight, get home to family or be allowed to enter the country. "Failure to provide information to assist CBP may result in the detention and/or seizure of the electronic device," according to a statement provided by CBP.

Travelers who refuse to give up passwords could also be detained for longer periods and have their bags searched more intrusively. Foreign visitors could be turned away at the border, and green card holders could be questioned and challenged about their continued legal status.

"People need to think about their own risks when they are deciding what to do. US citizens may be comfortable doing things that non-citizens aren't, because of how CBP may react," Wessler said.

What is some practical advice for protecting my digital information?

Consider which devices you absolutely need to travel with, and which ones you can leave at home. Setting a strong password and encrypting your devices are helpful in protecting your data, but you may still lose access to your devices for undefined periods should border officials decide to seize and examine their contents.

Another option is to leave all of your devices behind and carry a travel-only phone free of most personal information. However, even this approach carries risks. "We also flag the reality that if you go to extreme measures to protect your data at the border, that itself may raise suspicion with border agents," according to Sophia Cope, a staff attorney at the Electronic Frontier Foundation. "It's so hard to tell what a single border agent is going to do."

The EFF has released an updated guide to data protection options here.

Does CBP recognize any exceptions to what it can examine on electronic devices?

If CBP officials want to search legal documents, attorney work product or information protected by attorney-client privilege, they may have to follow "special handling procedures," according to agency policy. If there's suspicion that the information includes evidence of a crime or otherwise relates to "the jurisdiction of CBP," the border official must consult the CBP associate/assistant chief counsel before undertaking the search.

As for medical records and journalists' notes, CBP says its officers will follow relevant federal laws and agency policies in handling them. When asked for more information on these procedures, an agency spokesperson said that CBP has "specific provisions" for dealing with this kind of information, but did not elaborate further. Questions that arise regarding these potentially sensitive materials can be handled by the CBP associate/assistant chief counsel, according to CBP policy. The agency also says that it will protect business or commercial information from "unauthorized disclosure."

Am I entitled to a lawyer if I'm detained for further questioning by CBP?

No. According to a statement provided by CBP, "All international travelers arriving to the U.S. are subject to CBP processing, and travelers bear the burden of proof to establish that they are clearly eligible to enter the United States. Travelers are not entitled to representation during CBP administrative processing, such as primary and secondary inspection."

Even so, some immigration lawyers recommend that travelers carry with them the number for a legal aid hotline or a specific lawyer who will be able to help them, should they get detained for further questioning at a port of entry.

"It is good practice to ask to speak to a lawyer," said Paromita Shah, associate director at the National Immigration Project of the National Lawyers Guild. "We always encourage people to have a number where their attorney can be reached, so they can explain what is happening and their attorney can try to intervene. It's definitely true that they may not be able to get into the actual space, but they can certainly intervene."

Lawyers who fill out this form on behalf of a traveler headed into the United States might be allowed to advocate for that individual, although local practices can vary, according to Shah.

Can I record my interaction with CBP officials?

Individuals on public land are allowed to record and photograph CBP operations so long as their actions do not hinder traffic, according to CBP. However, the agency prohibits recording and photography in locations with special security and privacy concerns, including some parts of international airports and other secure port areas.

Does CBP's power to stop and question people extend beyond the border and ports of entry?

Yes. Federal statutes and regulations empower CBP to conduct warrantless searches for people travelling illegally from another country in any "railway car, aircraft, conveyance, or vehicle" within 100 air miles from "any external boundary" of the country. About two-thirds of the U.S. population live in this zone, including the residents of New York City, Los Angeles, Chicago, Philadelphia and Houston, according to the ACLU.

As a result, CBP currently operates 35 checkpoints, where they can stop and question motorists traveling in the U.S. about their immigration status and make "quick observations of what is in plain view" in the vehicle without a warrant, according to the agency. Even at a checkpoint, however, border officials cannot search a vehicle's contents or its occupants unless they have probable cause of wrongdoing, the agency says. Failing that, CBP officials can ask motorists to allow them to conduct a search, but travelers are not obligated to give consent.

When asked how many people were stopped at CBP checkpoints in recent years, as well as the proportion of those individuals detained for further scrutiny, CBP said they didn't have the data "on hand" but that the number of people referred for secondary questioning was "minimum." At the same time, the agency says that checkpoints "have proven to be highly effective tools in halting the flow of illegal traffic into the United States."

Within 25 miles of any external boundary, CBP has the additional patrol power to enter onto private land, not including dwellings, without a warrant.

Where can CBP set up checkpoints?

CBP chooses checkpoint locations within the 100-mile zone that help "maximize border enforcement while minimizing effects on legitimate traffic," the agency says.

At airports that fall within the 100-mile zone, CBP can also set up checkpoints next to airport security to screen domestic passengers who are trying to board their flights, according to Chris Rickerd, a policy counsel at the ACLU's National Political Advocacy Department.

"When you fly out of an airport in the southwestern border, say McAllen, Brownsville or El Paso, you have Border Patrol standing beside TSA when they're doing the checks for security. They ask you the same questions as when you're at a checkpoint. 'Are you a US citizen?' They're essentially doing a brief immigration inquiry in the airport because it's part of the 100-mile zone," Rickerd said. "I haven't seen this at the northern border."

Can CBP do anything outside of the 100-mile zone?

Yes. Many of CBP's law enforcement and patrol activities, such as questioning individuals, collecting evidence and making arrests, are not subject to the 100-mile rule, the agency says. For instance, the geographical limit does not apply to stops in which border agents pull a vehicle over as part of a "roving patrol" and not a fixed checkpoint, according to Rickerd of the ACLU. In these scenarios, border agents need reasonable suspicion that an immigration violation or crime has occurred to justify the stop, Rickerd said. For stops outside the 100-mile zone, CBP agents must have probable cause of wrongdoing, the agency said.

The ACLU has sued the government multiple times for data on roving patrol and checkpoint stops. Based on an analysis of records released in response to one of those lawsuits, the ACLU found that CBP officials in Arizona failed "to record any stops that do not lead to an arrest, even when the stop results in a lengthy detention, search, and/or property damage."

The lack of detailed and easily accessible data poses a challenge to those seeking to hold CBP accountable to its duties.

"On the one hand, we fight so hard for reasonable suspicion to actually exist rather than just the whim of an officer to stop someone, but on the other hand, it's not a standard with a lot of teeth," Rickerd said. "The courts would scrutinize it to see if there's anything impermissible about what's going on. But if we don't have data, how do you figure that out?"

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.