In August, Matt Honan wrote an interesting article in Wired about his social networking experiment. He clicked on all Facebook's "Like" buttons everywhere for two days. It ruined his life. Then, Elan Morgan wrote in Medium about a similar experiment. He didn't click on any Facebook "Like" buttons for two straight weeks. Being curious, I decided to perform my own experiment.
Like Morgan, I decided not to click on any Facebook "Like" buttons for two weeks. That meant avoiding both buttons on posts and links in comments. It also meant not clicking on any "Like" buttons on Websites around the Internet that displayed them.
I use Facebook for personal posts, and to supplement this blog since many readers use Facebook a lot. So, for my experiment I decided not to click on any "Like" buttons nor links on the I've Been Mugged page on Facebook.
To start, I announced my experiment to my Facebook "friends," which includes friends, acquaintances, family, coworkers, former classmates, and former coworkers. An announcement seemed wise since some of them pursue "Likes" passionately. Many of those former coworkers also work in the digital advertising industry. I asked for their understanding and patience during my informal week-long experiment. My August 17 status message on Facebook:
"Notice for all my Facebook friends: during the next week, I will perform an experiment on Facebook by NOT clicking on any "Like" buttons on posts, comments, photos, videos, and pages. I want to see how this changes my experience with Facebook. You'll probably see me write comments more. So, you have been warned. Please don't feel offended."
Nobody complained. Several wrote comments, which included predictions:
"You will most likely not be bombarded with advertisements or "links you may like". Good!"
"Love to hear your methodology. Are you studying adds to your feed by the hour? something else?"
And, tips about how to deal with advertising on Facebook (link added):
"I don't see ads because I use adblock. So I really don't know what they'd be trying to sell me."
I used the Web version of Facebook. For a couple years, I used the mobile version on a Windows phone until I accidentally broke the screen. The mobile version was fun for a while, but the novelty soon wore thin. Spending $10 to $15 monthly for a data plan mostly for Facebook, Twitter, e-mail, and IMDB searches seemed an expensive indulgence. So, when the phone broke, I took that as a sign, ditched the mobile apps, and returned to the fuller Web version. While mobile apps are convenient, they are still pieces of a site. I prefer the entire experience, not pieces. About the only pieces I enjoy are candy, like Reese's Pieces. Maybe Facebook should have named its app "Facebook Pieces," but that is a discussion for another time.
I use Facebook to post and view articles, status messages, photos, and videos. I have family members who post plenty of photos. Plenty. For privacy and security, I don't play Facebook games nor apps, having years ago disabled all Facebook apps in my account settings. (To learn about how to use Facebook securely, there are plenty of posts in this blog. Follow any of the links in this post. In the right column, enter "Facebook" in the search mechanism, or select "Social Networking" in the tag cloud.) Facebook has made some stunning privacy missteps and reversals about how much of your data apps harvest. And, there's more about apps privacy here.
Test Goals and Methodology
I performed this test to see how my experience with Facebook might change. Would Facebook display different content? If so, what might that different content be? Posts by friends, ads, the pages I follow, or what?
My hypothesis going in was that my news feed would probably change. I wasn't sure how. Would I see different ads? Fewer ads? More ads? I didn't expect ads to disappear because that is how Facebook makes money. I knew that Facebook performs behavioral targeting, in order to present relevant ads to its users.
My hope was that my news feed would change because my new behavior would influence Facebook's display algorithm. Ideally, I might see more status messages by friends that it previously hadn't shown. If you didn't know, Facebook uses an algorithm to selectively display about 12 percent of the total status messages by all of your friends. Simply, you don't see everything. You never did; and probably never will. Similarly, your friends don't see everything you post. This 12 percent delivery rate makes "frictionless sharing" claims sound like a bunch of BS.
For my experiment, I decided not to change my profile by "un-Liking" any Facebook pages (e.g., newspapers, magazines, celebrities, television shows, musicians, comedians, pundits, etc.) I had previously "Liked." Frankly, I wanted to continue reading content from these news and entertainment sources; and not live in a virtual cave.
For the first two or three days, not clicking on "Like" buttons felt like a burden. I was used to the convenience. It took little effort or thought to click "Like" buttons and links. Maybe, I was going through "Like" withdrawal. After a couple days, it became easy to not click "Like" buttons. I noticed several things. The first thing I noticed was that I had to change. I had to decide what to type instead.
Use Your Words
When my son was 10 to 20 months old, he often greeted a parent by extending his arms upward and grunting. That was his preferred way to ask a parent or adult to pick him up. My wife and I constantly reminded him to use his words. As soon as I stopped clicking "Like" buttons, I realized that I had to change: use my words.
What to type? It had been so easy before to simply click "Like" buttons and links. Like many Facebook users, I often clicked only the "Like" button without entering any comments. Now, I had to give Facebook more thought and effort.
What words did I use? I went through predictable variations: "Ha," "LOL," "ROTFL," "WTH," "WTF," "Great photo," "I agree," "Awesome," "Nice," and several more. Had Facebook made me lazy? Perhaps. Probably. Typing the word "Like" seemed stupid with so many "Like" buttons and links nearby. For a couple days, I used "Likey" in a feeble attempt to merge liking and humor. I quickly abandoned that.
Nobody asked why I was only entering comments and not clicking "Like" buttons nor links.
Life Without Likes
The first week of my experiment flew by. I posted on my personal news feed on August 25:
"A week has passed and I haven't clicked on a single "Like" button. None. Anywhere. Was easier than I thought it would be."
For me, it felt like cable TV or the Major League Baseball strike during 1995. Once you learn to live without it, you soon find it's easy to live without it. You find other things to do instead; often, more enjoyable things to do. So, I decided to extend my experiment to two weeks. I'm glad I did.
One friend suggested a reason why I found it easy to not click "Like" buttons:
"Of course it's easy. You are not young enough to really be stricken with FOMO...."
If you don't know: Fear Of Missing Out. Convenience and fear seem to drive so much of our social media usage. We love the convenience of being able to post/read/watch anywhere and anytime. When you and everyone else act this way, you quickly fall into the FOMO trap: if you stop acting this way, you'll miss out. You may or may not actually miss anything. It's the fear that you might. During my experiment, I didn't have any feelings of fear. None.
How My Facebook Experience Changed
With a two-week experiment, I noticed several changes. First, before starting my experiment, I often clicked on "Like" buttons for articles from news and entertainment sources. When I did, Facebook dutifully displayed related ads in the right column about the brand or company I just "Liked." Example: after "Liking" a news article about Comcast customer service, Facebook dutifully presented in the right column area ads by Comcast or by other cable/TV/Internet service providers. Now, Facebook seemed to have to work harder to determine what I "liked."
During the first week of my experiment, the links to related articles disappeared. You've probably seen the three related articles the Facebook interface displays when you "Like" an article. During the first week of my experiment, they went away. During the second week, those related articles re-appeared only when I entered a comment. That's good or bad depending upon whether you consider those related articles relevant or not. In my experience, the relevancy is hit or miss. Before my experiment, I rarely clicked on a related-article link. That didn't change during my experiment.
Second, Facebook seemed to work harder by focusing on the content I entered into comments. If I mentioned a brand in a comment or status message, then an ad for that brand soon appeared in the right column ad area. Example: while answering a friend's post for advice about leasing automobiles, I mentioned in a comment my experience with leasing a Honda Civic hatchback. Bingo! Facebook soon displayed a Honda ad, assuming I wanted to buy or lease a Honda car. Maybe Facebook did this all along and I just never noticed before. All I can say is this: in a life without "Liking" anything, it is more easily noticed. Mention brand names in your comments and Facebook will most likely display ads by those brands.
Third, Facebook seemed to work harder by using my profile data to display ads. I live in Boston and before the experiment had specified Boston in my profile. I noticed ads by Facebook for free movies at the Prudential Mall (a local shopping area), dentists, and other local services. Those of you who know me, know that I don't like to shop. And, I already have a dentist I am satisfied with. So, irrelevant ads.
In a life without "Likes," it seems that Facebook will dig deeper into your profile and use data from it to display targeted ads. This seems consistent with the targeting options Facebook provides advertisers:
"You can choose the location, gender, age, likes and interests, relationship status, workplace and education of your target audience. If you have a Facebook Page, event or app, you can also target your ad to people who are already connected to you."
The targeting of some of those ads was dubious. I never entered any comments about shopping, dentists, or dental hygiene, but Facebook showed ads anyway.
Fourth, I saw more generic ads, or what seemed to me to be generic ads. I say generic because the ads were for brands I had not "Liked" at all: Verizon Wireless phone service, 1-800-Flowers, customized pen writing instruments, and such.
During my experiment, I did not click on any ads. None. Why? I hadn't clicked on any ads before.
In his experiment, Morgan concluded:
"Now that I am commenting more on Facebook and not clicking Like on anything at all, my feed has relaxed and become more conversational. It’s like all the shouty attention-getters were ushered out of the room as soon as I stopped incidentally asking for those kinds of updates by using the Like function. I have not seen a single repugnant image of animal torture, been exposed to much political wingnuttery, or continued to drown under the influx of über-cuteness that liking kitten posters can bring on."
My experience was similar in some ways and different in others. Consistent with Morgan's "conversational" conclusion, I saw more posts by "friends" and fewer posts with news articles in my news feed. It also had implications.
Since I wasn't clicking "Like" buttons for news articles, Facebook's algorithm concluded I must not like them -- and it showed fewer in my news feed. So, to read news content I had to go to my Pages Feed. This behavior change by Facebook makes it a less-than-ideal tool to read news, since I had clearly "Liked" several agencies previously (e.g., CFPB, FTC, FDIC, CUNA, NCUA), advocacy groups (e.g., CSIPA, ACLU, EFF, Stanford CIS), and news sources (e.g., Mashable, FactCheck, ProPublica, Dorchester Reporter, Bill Moyers). I conclude that Twitter is a better source of news because it doesn't have a filtering algorithm. I see all tweets from the news sources I follow there, making Twitter more reliable and relevant -- for me.
In contrast to Morgan's conclusion, I still saw posts (often articles) by Facebook "friends" who are passionate about animal cruelty. Those posts never bothered me. That didn't change. I still saw posts by friends with photos and video of cute animals. That didn't change, either. I still saw article posts by friends who are passionate about politics. Heck, I post a lot about politics. That didn't change, either.
Given the ease of not "Liking" things on Facebook, I extended my experiment from one to two weeks. I was generally happy with my new experience on Facebook. (Yes, I will admit that there is a part of me that felt glee with thwarting Facebook's algorithm.) I had to work a little harder to view and read articles by the entities I followed. Facebook is still a less-than-optimal way to read news.
Also, I learned a little about how Facebook displays targeted ads. It'll dig deeper into your profile data to do so. And, it'll use your comments text more. I had wanted to see what ads appeared. I saw lots of Verizon Wireless ads -- every day, all day long. I still haven't bought a single thing from that store.
My experiment reinforced my view that Facebook isn't really a social networking service. Why? First, there is the 12-percent delivery rate of your friends' status messages. So, you can't assume you've seen everything by your friends, nor that your friends have seen all of your posts. Not very social. Second, in a life without "Liking" things, as Facebook digs deeper into your profile to target ads, it becomes clear that the service is really a gigantic, worldwide advertising delivery and distribution system.
Will I resume clicking "Like" buttons and links? I haven't decided, yet. I may. I may not. If you want to reduce your use of Facebook without deleting your account, not "Liking" things is an attractive option. A more conversational Facebook is a good thing.
Opinions? Could you use Facebook without clicking "Like" buttons? Would you? Have you? Why or why not?
Maybe you were away on vacation and missed this. On August 21, the U.S. Justice Department (DOJ) and several states' attorneys general announced the largest civil settlement ever with a single entity.
The $16.65 billion settlement agreement with Bank of America resolves both federal and state civil investigations into activities by the bank's former and current subsidiaries, including Countrywide Financial Corporation and Merrill Lynch, related to the packaging, marketing, sale, and issuance of residential mortgage-backed securities (RMBS). The bank acquired Merrill Lynch in 2009, and Countrywide in 2008.
According to the DOJ announcement, the bank agreed to pay:
"... a $5 billion penalty under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA) – the largest FIRREA penalty ever – and provide billions of dollars of relief to struggling homeowners, including funds that will help defray tax liability as a result of mortgage modification, forbearance or forgiveness. The settlement does not release individuals from civil charges, nor does it absolve Bank of America, its current or former subsidiaries and affiliates or any individuals from potential criminal prosecution."
This settlement is part of President Obama’s Financial Fraud Enforcement Task Force and its Residential Mortgage-Backed Securities (RMBS) Working Group, which has recovered $36.65 billion to date for American consumers and investors. The RMBS Working Group is led by Director Geoffrey Graber and five co-chairs: Assistant Attorney General for the Civil Division Stuart Delery, Assistant Attorney General for the Criminal Division Leslie Caldwell, Director of the SEC’s Division of Enforcement Andrew Ceresney, U.S. Attorney for the District of Colorado John Walsh, and New York Attorney General Eric Schneiderman.
Additional terms of the settlement:
"...includes a statement of facts, in which the bank has acknowledged that it sold billions of dollars of RMBS without disclosing to investors key facts about the quality of the securitized loans. When the RMBS collapsed, investors, including federally insured financial institutions, suffered billions of dollars in losses.."
These losses and other activities contributed to the economic recession during 2007 to 2009, from which the country is still trying to recover. Additional terms of the settlement:
"... almost $10 billion will be paid to settle federal and state civil claims by various entities related to RMBS, CDOs and other types of fraud. Bank of America will pay a $5 billion civil penalty to settle the Justice Department claims under FIRREA. Approximately $1.8 billion will be paid to settle federal fraud claims related to the bank’s origination and sale of mortgages, $1.03 billion will be paid to settle federal and state securities claims by the Federal Deposit Insurance Corporation (FDIC), $135.84 million will be paid to settle claims by the Securities and Exchange Commission. In addition, $300 million will be paid to settle claims by the state of California, $45 million to settle claims by the state of Delaware, $200 million to settle claims by the state of Illinois, $23 million to settle claims by the Commonwealth of Kentucky, $75 million to settle claims by the state of Maryland, and $300 million to settle claims by the state of New York."
The settlement includes relief for consumers:
"... $7 billion in the form of relief to aid hundreds of thousands of consumers harmed... That relief will take various forms, including principal reduction loan modifications that result in numerous homeowners no longer being underwater on their mortgages and finally having substantial equity in their homes. It will also include new loans to credit worthy borrowers struggling to get a loan, donations to assist communities in recovering from the financial crisis, and financing for affordable rental housing.... $490 million in a tax relief fund to be used to help defray some of the tax liability that will be incurred by consumers receiving certain types of relief if Congress fails to extend the tax relief coverage of the Mortgage Forgiveness Debt Relief Act of 2007."
Related announcements were made by several states' attorneys general, including California, Florida, and Maryland. The settlement also resolves an August 2013 complaint against the bank by the U.S. Attorney’s Office for the Western District of North Carolina about $850 million of RMBS activities.
I encourage consumers to read the entire DOJ announcement, the 37-page settlement agreement (Adobe PDF), and the 30-page statement of facts addendum (Adobe PDF). The relief programs and payments to homeowners and consumers are good, but as former U.S. Labor Secretary Robert Reich said in September 2013 on Twitter.com:
"Fines effective only if risk of being caught x probability of being prosecuted x amount of fine > profits to be made."
This wrongdoing by bank executives will also stop when individual bank executives are convicted of fraud and are sent to prison for lengthy periods (with the loss of significant personal assets). Until then, the country will have two sets of laws where poor people who commit crimes and are caught go to prison, while rich people (including bank and corporate executives) who commit crimes and are caught have their employers pay modest fines.
Fraud is fraud. Theft is theft. Consequences need to be consistent. What are your opinions of the settlement agreement?
This seemed like timely content for a Labor Day holiday.
On Thursday, the New Hampshire Union Leader reported that a deal had been reached regarding the confrontation at the Market Basket supermarkets in Massachusetts and New Hampshire. Arthur T. Demoulas will acquire a 50.5 percent ownership of the company and return to managing it. He had been ousted last year by the company's Board of Directors, which included other family members. Reportedly, the company issued a statement that Arthur T. Demoulas:
"... and his management team will return to Market Basket during the interim period while the transaction to purchase the company is completed... All associates are welcome back to work with the former management team to restore the company back to normal operations.”
A grassroots effort of managers and employees had stopped work, promising to return to work when Arthur T. Demoulas was reinstated. Supporting this effort, most customers stopped shopping at the supermarket chain, whose revenues dropped more than 90 percent. Store shelves became bare, and many workers had their hours reduced. The confrontation lasted about five weeks and made news headlines worldwide.
Reportedly, the sale will be completed in a couple months. Mr. Arthur T. Demoulas thanked cheering employees and supporters.
I cannot recall a time in history when a group of managers and employees banded together to support a senior executive of a corporation. When Arthur T. Demoulas previously managed Market Basket, he managed it more like a benefit corporation -- a joint enterprise between the company, its owners, and the community. He kept prices lower than competitors' prices, paid employees more, and gave both employees and managers more authority.
Professor and former U.S. Labor Secretary Robert Reich posted on August 28 via Facebook:
"In a big win for employees, managers, and customers of “Market Basket” -- the supermarket chain in Massachusetts, New Hampshire, and Maine whose beloved CEO, Arthur T. Demoulas, was fired by a greedy board of directors who thought him too generous – Arthur T. is now back. Yesterday the board relented and agreed to sell the company to him. Arthur T. told cheering workers at the company’s headquarters in Tewksbury that he loved them, appreciated their efforts helping him gain control of the company, and was “in awe of what you have all accomplished.” Over the last several weeks, the sacrifices of employees, managers, and customers of “Market Basket” gives new meaning to the old term “solidarity.” It also illustrates the power of treating such people as partners in an enterprise rather than as costs to be cut. When all benefit from a business's success, all will sacrifice to keep it successful. May the rest of American business take note."
Note: workers as partners, not a cost to be cut. And... a sacrifice, indeed, by managers, employees, and customers. It showed what solidarity can achieve. Congratulations!
Media Shift reported recently:
"... Internet.org announced free, limited mobile broadband in Zambia, with plans to expand to more developing countries. But there are some downsides: New users must create Facebook accounts that act as portals to the web. If users want to venture beyond the Zuckerberg-free zone and into the whole of the internet, you’ve got to pay. This makes Facebook a broker between the developing world and the open Internet, one that can set prices for visiting certain sites or could undermine privacy, according to GigaOm’s David Meyer. Similarly, Google has plans to connect some of the two-thirds of the world’s population who remain offline, spending more than $1 billion on low-orbiting satellites, and a balloon-based delivery system called Project Loon."
Opinions about these efforts?
This morning, several news sources reported that Burger King, the fast-food chain, and Tim Horton's restaurants have agreed to merge. Horton's is based in Canada. The merger allows Burger King to benefit from a tax inversion, where:
"The combined Canadian coffee chain and U.S. burger chain will have its global headquarters in Canada... In a tax inversion, two international companies merge and move their tax domicile to the lower tax country."
Last month, Bloomberg BusinessWeek published an interesting and informative analysis of the company, its young management, corporate history, and current marketplace challenges. You'll probably want to read the BusinessWeek report titled, "Burger King Is Run By Children."
Professor and former U.S. Labor Secretary Robert Reich posted on Facebook the following about the merger (links added):
"BK’s profits have been flat, mainly because its mostly lower-income customers don’t have enough money to boost sales. So the pending deal is welcome news to investors, who today sent its stock up nearly 20 percent. But it’s a lousy deal for you and me and other Americans because we’ll have to make up for the taxes Burger King stops paying. We’re already subsidizing Burger King because it refuses to raise the pay of its frontline workers, who are now at or near the minimum wage. So we're paying for the food stamps, Medicaid, and wage subsidies its workers need in order to stay out of poverty. That means when BK deserts America to cut its tax bill, we’ll be paying twice. That's a whopper of a slap at America."
A whopper of a slap, indeed. Mr. Reich posted in an update (link added):
"It’s one thing when a company like Pfizer flirts with corporation desertion (technically, a tax “inversion”) to become a foreign company and lower its tax bill. But Burger King, like Walgreen, is highly visible to consumers. Walgreen dropped its plan to desert the United States after a customer backlash and bad publicity. So a boycott of Burger King, accompanied by letters to the local press, picketing for the broadcast media, and a general ruckus, should be helpful."
The phrase "tax inversion" sounds clinical and almost meaningless. I like and prefer the phrase, "corporate desertion" since it better describes what is really happening. And, a boycott seems the appropriate consequence for the burger chain's actions.
What are your opinions of Burger King's tax inversion? Of the "corporate desertion" phrase? Of a boycott?
If you have followed the net neutrality issue, then you know that the first deadline has passed for consumers to submit comments to the Federal Communications Commission (FCC). The FCC received more than 1.1 million comments.
If you are wondering how many of your neighbors submitted comments, then you'll want to visit The Verge website. It features an interesting, interactive tool for consumers to view the number of comments by location. You can view the Zip Codes that submitted the most comments, and look up the Zip Code where you live, work, or attend school.
The U.S. Federal Trade Commission (FTC) announced that the U.S. District Court in Southern New York had ordered fraudsters to pay $5.1 million. The court:
"... issued default judgments against fourteen corporate defendants and fourteen individual defendants that allegedly operated the tech support scams. The operations were mostly based in India and targeted English-speaking consumers in the United States and several other countries... The judgments also ban them from continuing their deceptive tactics and from disclosing, selling or failing to dispose of information they obtained from victims."
The defendants are permanently banned from marketing technical support services. The firms the FTC had filed lawsuits against:
Two defendants in the PCCare247 case settled with the FTC in November 2013. Two defendants in the Marczak case settled with the FTC in April 2013. The latest court action applied to all remaining defendants.
The FTC had charged the defendants with violating the FTC Act, which prohibits deceptive marketing tactics. The agency had also charged the defendants with violating the Telemarketing Sales Rule, as they had allegedly called phone numbers illegally on the Do Not Call Registry.
The FTC's complaints described the fraudsters' deceptive marketing tactics:
"... the defendants claimed they were affiliated with legitimate companies, including Dell, Microsoft, McAfee, and Norton, and told consumers they had detected malware that posed an imminent threat to their computers. The defendants then charged these consumers hundreds of dollars to remotely access and “fix” the computers."
This sounds very similar to a tech support phone call I received in February, 2012.
I congratulate the FTC and the Court on this enforcement.
Last week, the Huffington Post and U.S. Senator Elizabeth Warren (D-Massachusetts) posted an interesting infographic about the vast sums banks have paid in settlements for alleged wrongdoing. If you haven't seen the infographic, it is definitely worth a view.
"Since 2009, big banks in the U.S. and Europe have paid at least $128 billion to regulators, according to data compiled by the Wall Street Journal, Reuters, and The Huffington Post, for issues tied to the housing collapse and other financial misdeeds, including aiding and abetting money laundering and tax evasion."
Some statistics from the infographic:
View the infographic to see more. This suggests an industry in crisis and out of control. Consider a 2013 ethics survey which found that young bankers view wrongdoing as a necessary evil and fear reporting misconduct. Sadly, some of these settlements have been tax deductible, but often such details aren't disclosed. When settlements are tax deductible, that means taxpayers -- you and I -- who did nothing wrong, are really paying part of these fines. Do you want to pay part of these fines and settlements? I don't, and I doubt that you do either.
"... the fact that a portion of settlements can be tax-deductible sends the wrong message to the public.... every dollar in tax write-offs for the companies has to be made up for by the government in higher tax rates, cuts to programs or more national debt... The really pernicious thing here is both the (government) agencies and the banks have an incentive to tout larger but illusory pretax numbers. The agency looks good because they get to hold up a bigger number. The company gets a better bottom line because it can get a big write-off... The only one who loses is the public."
On August 12, U.S. Senator Elizabeth Warren posted on Facebook:
"Since 2009, the big banks and financial institutions have paid at least $128 billion to regulators for the tricks and traps that brought down our economy. But they are happy to pay the fines – in fact, JP Morgan gave its CEO Jamie Dimon a 74% raise for negotiating its settlement. If these settlements are so weak that Wall Street is celebrating, it's not a good deal for the American people. That's why I introduced the Truth in Settlements Act to require accessible, detailed disclosures about settlement agreements. Just a couple weeks ago, the bill made it through the Senate Homeland Security & Governmental Affairs Committee and can now receive a full Senate vote. We're one step closer to stronger transparency and accountability."
Executives often use settlements as a way to avoid admitting any wrongdoing (and to avoid jail time). Some highlights from the Truth in Settlements Act (Adobe PDF):
"If enforcement agencies are confident that settlements are a good deal for the people they represent, they should be willing to publicly disclose the key terms of those agreements. The Truth in Settlements Act demands specificity and transparency in all federal agency settlements that include over $1 million in payments. The Act ensures that relevant details and terms of non-confidential settlements are publicized truthfully, and that the process by which settlements are deemed confidential is assessed and monitored..."
Specific provisions in the legislation require federal agencies to:
The Act also requires companies that settle with federal enforcement agencies to publish in their SEC filings whether they have deducted any settlement payments from their taxes. You can easily track online the progress of S 1898 (The Truth in Settlements Act).
The Act sounds like an excellent deal for consumers and taxpayers. You want to know what your government is doing so you can hold it accountable. Contact your elected officials and demand that they support the Truth in Settlements Act (S 1898).
What are your opinions of the huge banking settlements? About the tax deductions in many settlements? Of the Truth In Settlements Act?
Community Health Systems, Inc. (CHS) announced a data breach that affected 4.5 million patients nationwide. Breach victims are patients who have done business with any CHS hospitals, or whose physicians are associated with CHS hospitals. CHS said on its website that it includes 206 affiliated hospitals in 29 states, with 135,000 employees and 22,000 physicians.
CHS believes the attack, by hackers from China, occurred between April and June of 2014. Sensitive personal data elements stolen included patient names, addresses, birth dates, telephone numbers and social security numbers. This means that breach victims are vulnerable to identity theft and fraud, since the data elements stolen are sufficient for thieves to apply for and/or open fraudulent credit accounts and loans. The only good news was that the breach did not include patients' medical records and payment information (e.g., credit/debit cards).
CHS has notified federal law enforcement agencies and (links added):
"... engaged Mandiant, who has conducted a thorough investigation of this incident and is advising the Company regarding remediation efforts. Immediately prior to the filing of this Report, the Company completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type. The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data."
CHS is notifying breach victims, and will offer identity theft protection services. The announcement did not specify which, if any, data elements were encrypted. Usually, breach announcements state which items were encrypted. Hopefully, future announcements will provide the necessary details.
I browsed the CHS site Monday afternoon expecting to see a notice on the site about the breach. I didn't see one. Maybe it is there and hidden. For context: after its massive breach, Target provided a notice and link on its home page for affected breach victims to easily access important information. CHS needs to do the same.
What's even more troubling is that the Social Security numbers weren't encrypted by CHS. How do I know this? The HIPAA Breach Notification Rule governs when hospitals must disclose data breaches. It says in part (links and bold text added):
"Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance... The guidance... specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance are relieved from providing notifications following the breach of such information."
In other words, if CHS had encrypted the information stolen, it probably would not have had to issue a breach notification (and incur the related costs). Since it did issue a breach notification, I conclude the data elements stolen -- especially Social Security numbers -- were not encrypted. Even though credit card data wasn't stolen in the breach, this makes one wonder if this payment information is encrypted. Hopefully, CHS will say more soon about what data is encrypted; and why or why not.
While browsing its website, I learned that CHS confirmed in an August 4 press release that it had:
"... resolved the investigation by the U.S. Department of Justice into short stay admissions through emergency departments at certain affiliated hospitals. The parties have entered into a settlement agreement, which concludes the government’s review into whether these 119 hospitals billed Medicare, Medicaid and TRICARE for certain inpatient admissions from January 2005 to December 2010 that the government believed should have been billed as outpatient or observation cases... Under the terms of the agreement, there is no finding of improper conduct by Community Health Systems or its affiliated hospitals, and the Company has denied any wrongdoing. The Company has agreed to pay $88,257,500 in resolution of all federal government claims, including Medicare, TRICARE and the federal share of the Medicaid claims, and an additional $892,500 to the states for their portions of the Medicaid claims."
To see if your hospital was affected, browse the list of CHS locations by state. Have you received a breach notice from CHS? What are your opinions of the notice? Of the identity theft protection services offered?
Earlier this month, the Federal Deposit Insurance Corporation (FDIC) announced a pilot program to encourage school-aged youth to save money. The goals of the program are to collect and share best practices by participating banks.
The pilot program includes two phases:
"... the first covers programs that will be in place during the 2014-2015 school year. Through August 22, 2014, the FDIC is soliciting interest from institutions that will have a youth savings program underway during the 2014-2015 school year. For the second phase, the FDIC will begin soliciting interest in April of 2015 for institutions that will begin new savings programs with schools in the 2015-2016 school year..."
After the "great depression," the U.S. Congress established the FDIC in 1933 to restore public confidence in the nation's banking system. The FDIC insures deposits at the nation's 6,730 banks and savings associations. The agency promotes the safety and soundness of banks by identifying, monitoring and addressing risks.
According to a December 2012 report by the FDIC (Adobe PDF):
"A majority of banks (87 percent) offered at least one of the following specialty savings products: Individual Development Accounts (IDAs), specialized savings clubs, workplace-based savings, or youth (minor) savings accounts. Youth accounts dominated, with 82 percent of financial institutions offering this savings product. Forty-one percent of banks offered specialized savings clubs..."
That same report also concluded about all consumers, not only youth, without bank accounts:
"Community outreach through collaborations with community groups was identified as the most effective strategy for developing relationships with these populations. Despite this recognition, only about half of all banks reported using partnerships with organizations to promote opening checking or savings accounts."
A 2011 study by researchers at the University of Kansas concluded:
"... that when savings accounts are started for children of low-income families and financial education is included, not only are the families more likely to save, but students can be more likely to attend college and graduate... when money is set aside for college, families save more, find creative ways to save even when money is tight and view attending college as a more realistic possibility."
During its pilot program in 2014-15, the FDIC will document innovative practices and assess the success of participating banks. Participating banks must send in December 2014 a summary of the youth savings programs they implemented during the Fall. The FDIC will collect a variety of data about the pilot program, including:
".... the number of accounts opened, the average saved in the accounts, indications on whether the youth accounts helped the institution establish account relationships with the parents, the on-boarding process for the accounts, the financial education strategy used and its reception, the longevity of account relationships, whether banks felt satisfied with their work with the school, and whether the bank’s expectations were met."
What are your opinions of this pilot program? Do youth need to save more?
Here in Massachusetts, the local news media has reported extensively about the confrontations at Market Basket, a regional, low-price supermarket chain. Perhaps, you have heard about it.
The first confrontation was between family members for control of the company. The company's board of directors fired Arthur T. Demoulas in June 2013 and replaced him with two new managers. After that event, workers and managers at the stores banded together to demand Arthur T's return. That led to the current work stoppage and boycott by many customers. Store sales have declined and shelves in most stores are largely empty. During the last few days, hours for many on-the-job workers have been cut.
Former Labor Secretary Robert Reich explained how Arthur T. Demoulas managed Market Basket:
"... his business model. He kept prices lower than his competitors, paid his employees more and gave them and his managers more authority. Late last year he offered customers an additional four percent discount, arguing they could use the money more than the shareholders. In other words, Arthur T. viewed the company as a joint enterprise from which everyone should benefit, not just shareholders. Which is why the board fired him."
In his article, Mr. Reich concluded, perhaps most importantly:
"... interestingly, we’re beginning to see the Arthur T. business model pop up all over the place."
Mr. Reich explained Arthur T's managerial approach was similar to the "B Corporations" (a/k/a "B Corps"):
"That’s a for-profit company whose articles of incorporation require it to take into account the interests of workers, the community and the environment, as well as shareholders. The performance of B-corporations according to this measure is regularly reviewed and certified by a nonprofit entity called B Lab. To date, over 500 companies in sixty industries have been certified as B-corporations... 27 states have passed laws allowing companies to incorporate as “benefit corporations.” This gives directors legal protection to consider the interests of all stakeholders rather than just the shareholders who elected them."
Take a moment for that to sink in.
Benefit corporations intentionally structured themselves to provide benefits for several groups: workers, the community, the environment, and shareholders. That means other types of corporations focus only on benefits for shareholders. They may provide benefits for groups besides shareholders, but they don't have to. In fact, the dominant, traditional business structure provides incentives to benefit primarily shareholders. Mr. Reich explained how this dominant corporate structure happened:
"In the 1980s, corporate raiders began mounting unfriendly takeovers of companies that could deliver higher returns to their shareholders – if they abandoned their other stakeholders. The raiders figured profits would be higher if the companies fought unions, cut workers’ pay or fired them, automated as many jobs as possible or moved jobs abroad, shuttered factories, abandoned their communities and squeezed their customers. Although the law didn’t require companies to maximize shareholder value, shareholders had the legal right to replace directors. The raiders pushed them to vote out directors who wouldn’t make these changes..."
You're probably wondering if any brands or companies you know are B Corps. Maybe you are curious, or maybe you want to shop only at businesses that are B Corps. Maybe you want to invest in B Corps, or socially responsible corporations.
The folks at B Labs developed a nifty mechanism to search their database. You can search by name, industry, city, state, and/or country. I ran several searches and found:
After searching, you can click through to a detailed report about each company and how it performs against B Corps criteria; often for both the current and prior years. The B Labs site explained it:
"B Corp is to business what Fair Trade certification is to coffee or USDA Organic certification is to milk. B Corps are certified by the nonprofit B Lab to meet rigorous standards of social and environmental performance, accountability, and transparency. Today, there is a growing community of more than 1,000 Certified B Corps from 33 countries and over 60 industries..."
This search tool allows consumers to learn whether your favorite brand walks the talk, or not. Any corporation can hire an advertising agency to develop ads, taglines, slogans, websites, and/or apps that say their company provides benefits to groups beyond shareholders. But do they really? Are they structured to do so? How have they performed? You can use the B Labs site to start answering these questions. You can find corporations that are walking the talk.
It is important to remember that there is a difference between "B Corps" and "Benefits corporations." The Cullinane Law Group emphasized the difference:
"B Corps and Benefit Corporations are distinct terms that are often used interchangeably, but there are clear differences. In short,
- B Corp: a certification or “stamp of approval” by a third-party certifying company.
- Benefit Corporation: is a specific legal corporate structure within a state."
The states that provide the "Benefit Corporation" structure:
"... Arizona (effective December 31, 2014), Arkansas (effective August 2013), California, Colorado (effective April 1, 2014), Hawaii, Illinois, Louisiana, Maryland, Massachusetts, Nevada (effective January 1, 2014), New Jersey, New York, Oregon (effective January 1, 2014), Pennsylvania, South Carolina, Vermont, Virginia, and Washington D.C."
Will Market Basket workers or its board prevail? That remains to be seen. Will Market Basket restructure as a Benefit Corporation? That, too, remains to be seen. Perhaps, if it did the company could have avoided the pain it is now experiencing.
What are your opinions of B Corporations? Of the B Labs search tool? Should more states enact legislation for benefits corporations?
U.S. Senator Charles Schumer (D-New York) described the privacy threat to consumers posed by fitness apps that collect and share consumers' sensitive fitness and health data with third parties -- without notice or consent. In an August 10th news conference and press release, the Senator expressed concerns about the privacy threats:
"... personal health and fitness data – so rich that an individual can be identified by their gait – is being gathered and stored by fitness bracelets like ‘FitBit’ and others like it, and can potentially be sold to third parties, like employers, insurance providers and other companies, without the users’ knowledge or consent. Schumer said that this creates a privacy nightmare, given that these fitness trackers gather highly personal information on steps per day, sleep patterns, calories burned, and GPS locations. Users often input private health information like blood pressure, weight and more...."
While the Senator believes that fitness apps are an effective and helpful technology for better health, the privacy concerns are compounded by the fact that:
"There are currently no federal protections to prevent those developers from then selling that data to a third party without the wearer’s consent. Schumer therefore urged the Federal Trade Commission (FTC) to push for fitness device and app companies to provide a clear and obvious opportunity to “opt-out” before any personal health data is provided to third parties, who could discriminate against the user based on that sensitive and private health information."
A March 3, 2014 blog post explored the massive data collection by Facebook via several fitness apps. The Senator's privacy concerns are valid since we already know that at least one credit reporting agency wants access to consumers' data collected by Facebook and other social networking services. News organizations have widely reported about several problems in the credit reporting industry: failures to fix errors in the reports they sell, data breaches, and settlement agreements about alleged improper list sales.
"What Data May be Shared With Third Parties?
First and foremost: We don’t sell any data that could identify you. We only share data about you when it is necessary to provide our services, when the data is de-identified and aggregated, or when you direct us to share it."
Ways your sensitive data with Fitbit might be shared:
"Other Ways You Might Share Your Data
Default Visibility Settings -- The privacy settings on new Fitbit accounts are set to reveal minimal data about you with the purpose of getting you active and involved with Fitbit...
Fitbit Social Tools -- Fitbit provides many ways for you to share data with other Fitbit users, such as with the 7-day Leaderboard, Challenges, or by posting comments to the Fitbit community message boards. When you interact with others in these ways, you will be displaying your data based upon the visibility settings in your User Account privacy settings...
Community Posts -- To post to Fitbit community message boards, you’ll be asked to create a community username that’s separate from your Fitbit username. This community username will be posted next to any comments you publish on community message boards. Other information, like a profile photo that you’ve added to your Fitbit account may also be visible on message boards, depending on your Fitbit account settings."
Second, Fitbit does not honor Do Not Track browser settings:
"Although we would like to honor the browsers set with a “Do Not Track” signal, we are currently unable to honor those signals. We believe that consumers should exercise choice regarding the collection of this type of data, which is why we disclose the cookies used and provide links to opt-out of those collection practices below."
So, the burden is on the consumer to pay close attention. This brings us to my third observation: the policy does not offer a global opt-out of all data sharing, which Senator Schumer called for. A global opt-out mechanism would make it easy for consumers to ensure that no sensitive health and fitness data is shared with third parties. Instead, the burden is on users to wade through every program, site feature, and mobile app feature and its corresponding rules or policies.
Fourth, the Fitbit policy doesn't indicate what is stored in cloud services, that is, on computers hosted by third-party companies. My March 3, 2014 blog post explored the privacy policies of other fitness apps, and some of them mention cloud services. To be informed shoppers, consumers must think about this in the context of the specific mobile platform (e.g., Apple iOS, Android, etc.). Whatever is transmitted through your mobile device potentially could be shared with the manufacturers of that device, its operating system, and the telephone company.
What are your opinions about the privacy of fitness apps?
Last week, Target announced the impact upon second-quarter expenses related to its December 2013 data breach. The retailer announced in an August 5 news release:
"... second quarter financial results are expected to include gross expenses of $148 million, partially offset by a $38 million insurance receivable, related to the December 2013 data breach. These expenses include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks. In addition, the Company provided an estimate of costs related to its recently-completed early debt retirement and updated expectations for second-quarter Adjusted and GAAP earnings per share..."
The announcement also stated:
"Expenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks. Given the varying stages of claims and related proceedings, and the inherent uncertainty surrounding them, the Company’s estimates involve significant judgment and are based on currently available information, historical precedents and an assessment of the validity of certain claims. These estimates may change as new information becomes available and, although the Company does not believe it is probable, it is reasonably possible that the Company may incur a material loss in excess of the amount accrued. The Company is unable to estimate the amount of such reasonably possible excess loss exposure at this time. The accrual does not reflect future breach-related legal, consulting or administrative fees, which are expensed as incurred and not expected to be material in any individual period..."
The retailer's stock closed at about $60.70 on August 4. On August 5, the stock opened at about $58.09, and dipped to $57.40 on August 7. The share price closed at $58.56 on Friday, August 8. Prior prices were $63.27 on December 31, 2013 and $71.13 on August 13, 2013. Data and the chart below are from Google Finance.
It has been an interesting week for Hold Securities, LLC, an information security, risk management, and incident response company. In an August 5 news release with the sensational headline, "You Have Been Hacked," the company announced:
"... Hold Security’s Deep Web Monitoring practice in conjunction with our Credential Integrity Services discovered what could be arguably the largest data breach known to date... After more than seven months of research, Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data... over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites..."
Hold Security named the gang of Russian hackers "CyberVors." The company's news release also described how the hack happened:
"Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks... These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited..."
Reportedly, the total hack was 4.5 billion username/e-mail and password pairs... a stunning total. The haul included some duplicates and passwords no longer used:
"If we narrow it down by unique e-mail addresses, we still have over half a billion records since there may be multiple password corresponding to a single e-mail address. Not all of them are valid or current. Some people use fake e-mail addresses, in other cases the CyberVor gang might have stolen credentials that belonged to an e-mail address that you no longer have... or a password that you haven’t used for over a decade, or even a default password automatically assigned to you by a website."
News about the hacking was widely reported by news organizations, including the New York Times on August 5:
"Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."
Also on August 5, Forbes magazine reported:
"The story provides few details beyond hyperbolic numbers: 1.2 billion username and password combinations... No specifics about the state of those passwords: whether they’re in clear-text — the worst case scenario — or in encrypted form.... "
Users in multiple countries were affected, and Hold Security did not provide a list of countries. The Forbes article described Hold Security's announcement of its subscription service including continuous monitoring for firms and consumers:
"You can pay “as low as $120” to Hold Security monthly to find out if your site is affected by the breach. Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story went up... Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a “coming soon” message. Holden says by email that the service will actually be $10/month and $120/year."
The Forbes article was critical of both Hold Security and the New York Times:
"Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic. If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it."
I agree with that criticism of Hold Security. The same Hold Security news release also appeared to be a product announcement:
"Companies -- check if your website is susceptible to a SQL injection... Hold Security is proud to announce our new Breach Notification Service (BNS). After we verify your identity and entitlements to the website(s) or domain(s), we can tell you if you have been impacted by this or other breaches..."
"Individuals -- the ultimate victims of the CyberVor gang are the end-users. Hold Security is proud to announce that we will be providing full electronic identity monitoring service to all the individuals within the next 60 days. Even if you are currently using another Identity Protection Service, your electronic identity may still be vulnerable..."
I would have liked the New York Times reporters to have used more skepticism. The Guardian UK reported on August 6:
"Security researchers from Kaspersky, Symantec and University College London have questioned the news reported on Tuesday that private security firm Hold Security had identified a Russian cybercriminal gang called CyberVor, which had amassed a database of more than 4.5bn stolen records... Cybersecurity experts are concerned that Hold Security has not yet made the data public or available for confirmation by users."
The Guardian UK article concluded with this advice for consumers:
"Security experts are advising that users keep aware of developments with the CyberVor breach, but that immediately changing all their passwords is not yet the appropriate action."
Experts also advised consumers not to use the same password in multiple sites (e.g., bank accounts, social networking sites, e-mail services, etc.). When you do, it makes it easy for criminals to hack into your accounts and steal money.
"If CyberVor were shopping for the Fortune 500 data instead of cracking systems, on the other hand, the group would have had plenty of options. The data could have come from Target, LinkedIn, or an upstream breach like the Global Payments hack in 2012. All that data is still kicking around the darker corners of the web, available to anyone willing to pay for it. The usernames get cheaper as they get older, so in the case of a two-year-old hack like Global Payments, counting to a billion wouldn't even be that expensive. The biggest red flag of all, though, is that CyberVor isn't trying to sell the data or use it to steal actual money... If there were anything else they could do with these passwords, it would be more lucrative and more sustainable than spamming..."
You can read about the Target and Global Payments breaches in this blog. After reading about the CyberVors hack, I had two reactions:
1. Something doesn't seem quite right.
During the past seven years I've written this blog, I have learned that companies experiencing data breaches usually hire a security firm to assist with the breach investigation and post-breach incident management. Companies usually notify users and customers affected by the data breach. That notice often includes some period (e.g., one or two years) of free credit monitoring services. The security firm rarely, if ever, marketed any subscription monitoring services directly to consumers without a client company.
So, what Hold Security has done seemed to have skipped a couple steps... important steps. It's critical for the affected companies to do their own breach investigations and notify their affected users and/or customers. The breach notification laws in many states require such notice.
2. There may be an unreported story that needs to be told.
The New York Times article reported this about its conversations with Alex Holden, the founder and chief information officer at Hold Security:
"“They audited the Internet,” Mr. Holden said."
Assuming that the "they" refers to the CyberVors hacking gang, it suggested that the gang may have capabilities to analyze e-mail and password combinations. Do hackers employ state-of-the-art data mining or "big data" analysis techniques? If so, that is a scary thought with consequences.
Such analyses could make it easier to guess passwords. If a database of stolen e-mail and password pairs includes the history of a user's passwords, it could make it easier to predict a current password. Here's a simple example (using an extremely poorly constructed password). A consumer used the "123password" password in 2013, then changed it to "234password" in 2014. It doesn't take a genius to guess that the user's probable next password would be "345password". If criminals are analyzing the databases they've compiled of stolen e-mail/password pairs, we need to know. I would expect security companies and news organizations to investigate, confirm, and alert consumers.
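The defensive counterpart to the pattern described above is a check at password-change time that rejects a new password that is just a predictable variation of the old one. The sketch below is an added example, not code from this blog or from any company mentioned; the function names and thresholds are hypothetical, and it assumes the site compares the new password against the current one the user has just typed in, so no plaintext password history is stored.

```python
import re


def _split(pw):
    """Return (lowercased text with each digit run masked as '#', list of digit runs)."""
    return re.sub(r"\d+", "#", pw).lower(), re.findall(r"\d+", pw)


def _uniform_digit_shift(a, b):
    """True if every digit of b is the matching digit of a plus one constant k != 0 (mod 10)."""
    if len(a) != len(b):
        return False
    shifts = {(int(y) - int(x)) % 10 for x, y in zip(a, b)}
    return len(shifts) == 1 and shifts != {0}


def _edit_distance(a, b):
    """Classic Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_password_change(old, new, max_step=10, max_edits=2):
    """Return the reasons the new password is too close to the old one (empty list = accept)."""
    if old.lower() == new.lower():
        return ["identical to the current password, ignoring case"]

    reasons = []
    old_text, old_runs = _split(old)
    new_text, new_runs = _split(new)

    # Same non-digit skeleton: the user only touched the numbers.
    if old_text == new_text and len(old_runs) == len(new_runs):
        changed = [(a, b) for a, b in zip(old_runs, new_runs) if a != b]
        if changed and all(
            _uniform_digit_shift(a, b) or abs(int(b) - int(a)) <= max_step
            for a, b in changed
        ):
            reasons.append("only the digits changed, by a small or uniform step")
        elif changed:
            reasons.append("only the digits changed")

    # Catch small tweaks that are not digit-only (e.g. one appended character).
    if _edit_distance(old.lower(), new.lower()) <= max_edits:
        reasons.append(f"within {max_edits} edits of the current password")
    return reasons


if __name__ == "__main__":
    # Constructed sample pairs; the first two come from the example in the post.
    samples = [
        ("123password", "234password"),
        ("234password", "345password"),
        ("Summer2013!", "Summer2014!"),
        ("123password", "correct-horse-battery-staple"),
    ]
    for old, new in samples:
        verdict = review_password_change(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT: ' + '; '.join(verdict) if verdict else 'accept'}")
```

A check like this only compares two passwords; it does not replace screening new passwords against lists of known-breached credentials.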
What are your opinions of the CyberVors hacking? Of Hold Security's subscription services?
The Office of the Attorney General (AG) for the state of Oregon has filed a lawsuit against the manufacturer of 5-Hour Energy drink. Oregon AG Ellen Rosenblum filed the suit on July 17, 2014 against Living Essentials and Innovation Ventures. The suit alleged the defendants:
"... used print, television, Internet and radio advertising to claim that 5-hour ENERGY® contains a unique blend of ingredients that provide consumers with energy, alertness and focus, when in reality the only ingredient that provides any effect is the concentrated dose of caffeine.... The lawsuit, which was filed in Multnomah Circuit Court, also targets allegedly misleading claims that the product will not cause consumers to experience a ‘crash’. The suit also focuses on claims that the product has been recommended by doctors in a way that it has not..."
In a wide-ranging and arrogant blog post to promote his new book, Christian Rudder, the co-founder of the OKCupid dating website, described several experiments the site performed on its customers:
"... chose to celebrate the app’s release by removing all the pictures from OkCupid on launch day. “Love Is Blind Day” on OkCupid—January 15, 2013... But by comparing Love Is Blind Day to a normal Tuesday, we learned some very interesting things. In those 7 hours without photos: people responded to first messages 44% more often; conversations went deeper; contact details were exchanged more quickly; in short, OKCupid worked better..."
In another experiment, the OKCupid site changed its display parameters, telling some users with poor matches that the matches were excellent, and the reverse:
"... the “match percentage” we calculate for users is very good at predicting relationships. It correlates with message success, conversation length, whether people actually exchange contact information, and so on... To test this, we took pairs of bad matches (actual 30% match) and told them they were exceptionally good for each other (displaying a 90% match.)† Not surprisingly, the users sent more first messages when we said they were compatible..."
"Because of a diagnostic test, your match percentage with XXX was misstated as 31%. It is really 91%. We wanted to let you know."
Diagnostic test? That explanation doesn't sound entirely accurate. It sounds like some type of error-checking routine, and not a true admission or notification of an intentional marketing test. Were customers offered refunds for "misstated" compatibility matches? If I were an OKCupid customer, I'd demand a refund as the service didn't seem to deliver what was promised.
Rudder's blog post provides plenty of statistics about what the company learned from its live tests with customers. Rudder's blog post gave the impression that the ends justify the means -- that the wealth of data the company collected justified the test approach. Rudder also defended Facebook, after that social networking site had been criticized for performing experiments on its members without notice or explicit consent:
"We noticed recently that people didn’t like it when Facebook “experimented” with their news feed. Even the FTC is getting involved. But guess what, everybody: if you use the Internet, you’re the subject of hundreds of experiments at any given time, on every site. That’s how websites work."
All websites? For sure, at least Facebook and OKCupid.
I am no prude. I fully expect websites to explore and implement new services, content, and functionality. How one does it matters. The ends do not justify the means.
During the last 20 years, as a usability professional I have built dozens of websites in a variety of industries: telecommunications, petroleum, travel, banking, insurance, higher education, food, consumer packaged goods, and more. In all instances, we used a variety of standard, proven test methods to collect users' opinions and reactions to proposed website features and functionality. Usually, we started by asking users -- customers and prospective customers -- what they wanted in the site that they couldn't get today. Many users will tell you. Many users are happy to tell you.
Frankly, it makes sense -- time wise and financially -- to build features that users want. No matter how curious OKCupid executives may be, I highly doubt that the site's users wanted the service to lie to them about compatibility matches.
After compiling a list of requested features (e.g., content and/or functionality), we tested implementation approaches... not on the live site, but in usability sessions with mockups or with prototypes. That approach builds users' trust. Many users appreciated the opportunity to view and comment on new features before those features are added to the live site.
In other cases, we used focus group sessions to uncover users' needs and to explore their reactions and attitudes. We often used rigorous questionnaires (sometimes in combination with other test methods), so that we could analyze the results later. In some instances, we included survey forms with the live site.
My point: we never adjusted the live site's core functions and contents without notice. We didn't add new features to live sites until after all testing was finished, the new features were built, and all "bugs" or code glitches were fixed. Anyone experienced with website development knows that it takes time to get the bugs out. When you add new features, they often affect, or break, something else -- unintended consequences.
Users' trust and reliability are critical. Frankly, we trusted users enough to ask them what they wanted. We trusted users enough to inform them of tests. We respected users enough to compensate test participants for their time. We respected users enough to acknowledge that some have a right to not participate in tests.
After reading Mr. Rudder's blog post, I began to wonder how trustworthy the OKCupid site really is. The good: OKCupid executives are curious, want to continually improve their site, and act quickly. The not-so-good: curiosity and acting quickly aren't enough. Users rely on the live site to operate as advertised and promised. Deviations from that, with unannounced tests that users can't opt out of, erode users' confidence and trust.
All of the tests Rudder described could have been performed with standard testing methods, some of which I have described above, without directly changing the live site. Maybe the OKCupid executives aren't aware of, or wanted to skip, the costs and time of traditional testing methods. Maybe speed is their primary goal. In their rush to improve things, Mr. Rudder and his executive team seem comfortable unnecessarily risking consumers' trust and respect.
If this is the current state of social networking sites, then the industry has fallen. It has moved beyond simply collecting, archiving, and analyzing massive amounts of consumers' personal information for advertising revenues. It also operates arrogantly: making any changes it pleases to live sites, while ignoring users' trust and respect. That's not something I look for in a site. Nor will I buy Mr. Rudder's book.
What are your opinions of OKCupid's tests?
Everyone uses USB flash drives (a/k/a thumb drives) to store and share information. Consumers rely upon anti-virus software to scan and detect any computer viruses infecting USB drives. According to a Wired report, researchers have created a proof-of-concept demonstrating the difficulty -- or impossibility -- of detecting and removing malware from USB devices:
"... researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken... Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it... The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic..."
A wide variety of devices employ USB technology: mice, keyboards, desktop computers, laptops, smartphones, tablets, and more. Experts advise consumers to:
What are your opinions of USB sticks? USB security?