Airlines Want To Extend 'Dynamic Pricing' Capabilities To Set Ticket Prices By Each Person

In the near future, what you post on social media sites (e.g., Facebook, Instagram, Pinterest, etc.) could affect the price you pay for airline tickets. How's that?

First, airlines already use what the travel industry calls "dynamic pricing" to vary prices by date, time of day, and season. We've all seen higher ticket prices during the holidays and peak travel times. The Telegraph UK reported that airlines want to extend dynamic pricing to set fares by person:

"... the advent of setting fares by the person, rather than the flight, are fast approaching. According to John McBride, director of product management for PROS, a software provider that works with airlines including Lufthansa, Emirates and Southwest, a number of operators have already introduced dynamic pricing on some ticket searches. "2018 will be a very phenomenal year in terms of traction," he told Travel Weekly..."

And, there was a preliminary industry study about how to do it:

" "The introduction of a Dynamic Pricing Engine will allow an airline to take a base published fare that has already been calculated based on journey characteristics and broad segmentation, and further adjust the fare after evaluating details about the travelers and current market conditions," explains a white paper on pricing written by the Airline Tariff Publishing Company (ATPCO), which counts British Airways, Delta and KLM among its 430 airline customers... An ATPCO working group met [in late February] to discuss dynamic pricing, but it is likely that any roll out to its customers would be incremental."

What's "incremental" mean? Experts say first step would be to vary ticket prices in search results at the airline's site, or at an intermediary's site. There's virtually no way for each traveler to know they'd see a personal price that's higher (or lower) from prices presented to others.

With dynamic pricing per person, business travelers would pay more. And, an airline could automatically bundle several fees (e.g., priority boarding, luggage, meals, etc.) for its loyalty program members into each person's ticket price, obscuring transparency and avoiding fairness. Of course, airlines would pitch this as convenience, but alert consumers know that any convenience always has its price.

Thankfully, some politicians in the United States are paying attention. The Shear Social Media Law & Technology blog summarized the situation very well:

"[Dynamic pricing by person] demonstrates why technology companies and the data collection industry needs greater regulation to protect the personal privacy and free speech rights of Americans. Until Silicon Valley and data brokers are properly regulated Americans will continue to be discriminated against based upon the information that technology companies are collecting about us."

Just because something can be done with technology, doesn't mean it should be done. What do you think?


The 'CLOUD Act' - What It Is And What You Need To Know

Chances are, you probably have not heard of the "CLOUD Act." I hadn't heard about it until recently. A draft of the legislation is available on the website for U.S. Senator Orrin Hatch (Republican - Utah).

Many people who already use cloud services to store and backup data might assume: if it has to do with the cloud, then it must be good.  Such an assumption would be foolish. The full name of the bill: "Clarifying Overseas Use Of Data." What problem does this bill solve? Senator Hatch stated last month why he thinks this bill is needed:

"... the Supreme Court will hear arguments in a case... United States v. Microsoft Corp., colloquially known as the Microsoft Ireland case... The case began back in 2013, when the US Department of Justice asked Microsoft to turn over emails stored in a data center in Ireland. Microsoft refused on the ground that US warrants traditionally have stopped at the water’s edge. Over the last few years, the legal battle has worked its way through the court system up to the Supreme Court... The issues the Microsoft Ireland case raises are complex and have created significant difficulties for both law enforcement and technology companies... law enforcement officials increasingly need access to data stored in other countries for investigations, yet no clear enforcement framework exists for them to obtain overseas data. Meanwhile, technology companies, who have an obligation to keep their customers’ information private, are increasingly caught between conflicting laws that prohibit disclosure to foreign law enforcement. Equally important, the ability of one nation to access data stored in another country implicates national sovereignty... The CLOUD Act bridges the divide that sometimes exists between law enforcement and the tech sector by giving law enforcement the tools it needs to access data throughout the world while at the same time creating a commonsense framework to encourage international cooperation to resolve conflicts of law. To help law enforcement, the bill creates incentives for bilateral agreements—like the pending agreement between the US and the UK—to enable investigators to seek data stored in other countries..."

Senators Coons, Graham, and Whitehouse, support the CLOUD Act, along with House Representatives Collins, Jeffries, and others. The American Civil Liberties Union (ACLU) opposes the bill and warned:

"Despite its fluffy sounding name, the recently introduced CLOUD Act is far from harmless. It threatens activists abroad, individuals here in the U.S., and would empower Attorney General Sessions in new disturbing ways... the CLOUD Act represents a dramatic change in our law, and its effects will be felt across the globe... The bill starts by giving the executive branch dramatically more power than it has today. It would allow Attorney General Sessions to enter into agreements with foreign governments that bypass current law, without any approval from Congress. Under these agreements, foreign governments would be able to get emails and other electronic information without any additional scrutiny by a U.S. judge or official. And, while the attorney general would need to consider a country’s human rights record, he is not prohibited from entering into an agreement with a country that has committed human rights abuses... the bill would for the first time allow these foreign governments to wiretap in the U.S. — even in cases where they do not meet Wiretap Act standards. Paradoxically, that would give foreign governments the power to engage in surveillance — which could sweep in the information of Americans communicating with foreigners — that the U.S. itself would not be able to engage in. The bill also provides broad discretion to funnel this information back to the U.S., circumventing the Fourth Amendment. This information could potentially be used by the U.S. to engage in a variety of law enforcement actions."

Given that warning, I read the draft legislation. One portion immediately struck me:

"A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."

While I am not an attorney, this bill definitely sounds like an end-run around the Fourth Amendment. The review process is largely governed by the House of Representatives; a body not known for internet knowledge nor savvy. The bill also smells like an attack on internet services consumers regularly use for privacy, such as search engines that don't collect nor archive search data and Virtual Private Networks (VPNs).

Today, for online privacy many consumers in the United States use VPN software and services provided by vendors located offshore. Why? Despite a national poll in 2017 which found the the Republican rollback of FCC broadband privacy rules very unpopular among consumers, the Republican-led Congress proceeded with that rollback, and President Trump signed the privacy-rollback legislation on April 3, 2017. Hopefully, skilled and experienced privacy attorneys will continue to review and monitor the draft legislation.

The ACLU emphasized in its warning:

"Today, the information of global activists — such as those that fight for LGBTQ rights, defend religious freedom, or advocate for gender equality are protected from being disclosed by U.S. companies to governments who may seek to do them harm. The CLOUD Act eliminates many of these protections and replaces them with vague assurances, weak standards, and largely unenforceable restrictions... The CLOUD Act represents a major change in the law — and a major threat to our freedoms. Congress should not try to sneak it by the American people by hiding it inside of a giant spending bill. There has not been even one minute devoted to considering amendments to this proposal. Congress should robustly debate this bill and take steps to fix its many flaws, instead of trying to pull a fast one on the American people."

I agree. Seems like this bill creates far more problems than it solves. Plus, something this important should be openly and thoroughly discussed; not be buried in a spending bill. What do you think?


Securities & Exchange Commission Charges Former Equifax Executive With Insider Trading

Last week, the U.S. Securities and Exchange Commission (SEC) charged a former Equifax executive with insider trading. While an employee, Jun Ying allegedly used confidential information to dump stock and avoid losses before Equifax announced its massive data breach in September, 2017.

The SEC announced on March 14th that it had:

"... charged a former chief information officer of a U.S. business unit of Equifax with insider trading in advance of the company’s September 2017 announcement about a massive data breach that exposed the social security numbers and other personal information of about 148 million U.S. customers... The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief... According to the SEC’s complaint, Jun Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach. The SEC alleges that before Equifax’s public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million. According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than $117,000 in losses... The U.S. Attorney’s Office for the Northern District of Georgia today announced parallel criminal charges against Ying."

The massive data breach affected about 143 million persons. Equifax announced in March, 2018 that even more people were affected, than originally estimated in its September, 2017 announcement.

MarketWatch reported that Ying:

"... found out about the breach on Friday afternoon, August 25, 2017... The SEC complaint says that Ying’s internet browsing history shows he learned that Experian’s stock price had dropped approximately 4% after the public announcement of [a prior 2015] Experian breach. Later Monday morning, Ying exercised all of his available stock options for 6,815 shares of Equifax stock that he immediately sold for over $950,000, and a gain of over $480,000... on Aug. 30, the global CIO for Equifax officially told Ying that it was Equifax that had been breached. One of the company’s attorneys, unaware that Ying had already traded on the information, told Ying that the news about the breach was confidential, should not be shared with anyone, and that Ying should not trade in Equifax securities. According the SEC complaint, Ying did not volunteer the fact that he had exercised and sold all of his vested Equifax options two days before. Equifax finally announced the breach on Sept. 7, and Equifax common stock closed at $123.23 the next day, a drop of $19.49 or nearly 14%..."


Banking Legislation Advances In U.S. Senate

The Economic Growth, Regulatory Relief, and Consumer Protection Act (Senate Bill 2155) was approved Wednesday by the United States Senate. The vote was 67 for, 31 against, and 2 non voting. The voting roll call by name:

Alexander (R-TN), Yea
Baldwin (D-WI), Nay
Barrasso (R-WY), Yea
Bennet (D-CO), Yea
Blumenthal (D-CT), Nay
Blunt (R-MO), Yea
Booker (D-NJ), Nay
Boozman (R-AR), Yea
Brown (D-OH), Nay
Burr (R-NC), Yea
Cantwell (D-WA), Nay
Capito (R-WV), Yea
Cardin (D-MD), Nay
Carper (D-DE), Yea
Casey (D-PA), Nay
Cassidy (R-LA), Yea
Cochran (R-MS), Yea
Collins (R-ME), Yea
Coons (D-DE), Yea
Corker (R-TN), Yea
Cornyn (R-TX), Yea
Cortez Masto (D-NV), Nay
Cotton (R-AR), Yea
Crapo (R-ID), Yea
Cruz (R-TX), Yea
Daines (R-MT), Yea
Donnelly (D-IN), Yea
Duckworth (D-IL), Nay
Durbin (D-IL), Nay
Enzi (R-WY), Yea
Ernst (R-IA), Yea
Feinstein (D-CA), Nay
Fischer (R-NE), Yea
Flake (R-AZ), Yea
Gardner (R-CO), Yea
Gillibrand (D-NY), Nay
Graham (R-SC), Yea
Grassley (R-IA), Yea
Harris (D-CA), Nay
Hassan (D-NH), Yea
Hatch (R-UT), Yea
Heinrich (D-NM), Not Voting
Heitkamp (D-ND), Yea
Heller (R-NV), Yea
Hirono (D-HI), Nay
Hoeven (R-ND), Yea
Inhofe (R-OK), Yea
Isakson (R-GA), Yea
Johnson (R-WI), Yea
Jones (D-AL), Yea
Kaine (D-VA), Yea
Kennedy (R-LA), Yea
King (I-ME), Yea
Klobuchar (D-MN), Nay
Lankford (R-OK), Yea
Leahy (D-VT), Nay
Lee (R-UT), Yea
Manchin (D-WV), Yea
Markey (D-MA), Nay
McCain (R-AZ), Not Voting
McCaskill (D-MO), Yea
McConnell (R-KY), Yea
Menendez (D-NJ), Nay
Merkley (D-OR), Nay
Moran (R-KS), Yea
Murkowski (R-AK), Yea
Murphy (D-CT), Nay
Murray (D-WA), Nay
Nelson (D-FL), Yea
Paul (R-KY), Yea
Perdue (R-GA), Yea
Peters (D-MI), Yea
Portman (R-OH), Yea
Reed (D-RI), Nay
Risch (R-ID), Yea
Roberts (R-KS), Yea
Rounds (R-SD), Yea
Rubio (R-FL), Yea
Sanders (I-VT), Nay
Sasse (R-NE), Yea
Schatz (D-HI), Nay
Schumer (D-NY), Nay
Scott (R-SC), Yea
Shaheen (D-NH), Yea
Shelby (R-AL), Yea
Smith (D-MN), Nay
Stabenow (D-MI), Yea
Sullivan (R-AK), Yea
Tester (D-MT), Yea
Thune (R-SD), Yea
Tillis (R-NC), Yea
Toomey (R-PA), Yea
Udall (D-NM), Nay
Van Hollen (D-MD), Nay
Warner (D-VA), Yea
Warren (D-MA), Nay
Whitehouse (D-RI), Nay
Wicker (R-MS), Yea
Wyden (D-OR), Nay
Young (R-IN), Yea

The bill now proceeds to the House of Representatives. If it passes the House, then it would be sent to the President for a signature.


Report: Little Progress Since 2016 To Replace Old, Vulnerable Voting Machines In United States

We've know for some time that a sizeable portion of voting machines in the United States are vulnerable to hacking and errors. Too many states, cities, and town use antiquated equipment or equipment without paper backups. The latter makes re-counts impossible.

Has any progress been made to fix the vulnerabilities? The Brennan Center For Justice (BCJ) reported:

"... despite manifold warnings about election hacking for the past two years, the country has made remarkably little progress since the 2016 election in replacing antiquated, vulnerable voting machines — and has done even less to ensure that our country can recover from a successful cyberattack against those machines."

It is important to remember this warning in January 2017 from the Director of National Intelligence (DNI):

"Russian effortsto influence the 2016 US presidential election represent the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order, but these activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations. We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process... Russian intelligence accessed elements of multiple state or local electoral boards. Since early 2014, Russian intelligence has researched US electoral processes and related technology and equipment. DHS assesses that the types of systems we observed Russian actors targeting or compromising are not involved in vote tallying... We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes... "

Detailed findings in the BCJ report about the lack of progress:

  1. "This year, most states will use computerized voting machines that are at least 10 years old, and which election officials say must be replaced before 2020.
    While the lifespan of any electronic voting machine varies, systems over a decade old are far more likely to need to be replaced, for both security and reliability reasons... older machines are more likely to use outdated software like Windows 2000. Using obsolete software poses serious security risks: vendors may no longer write security patches for it; jurisdictions cannot replace critical hardware that is failing because it is incompatible with their new, more secure hardware... In 2016, jurisdictions in 44 states used voting machines that were at least a decade old. Election officials in 31 of those states said they needed to replace that equipment by 2020... This year, 41 states will be using systems that are at least a decade old, and officials in 33 say they must replace their machines by 2020. In most cases, elections officials do not yet have adequate funds to do so..."
  2. "Since 2016, only one state has replaced its paperless electronic voting machines statewide.
    Security experts have long warned about the dangers of continuing to use paperless electronic voting machines. These machines do not produce a paper record that can be reviewed by the voter, and they do not allow election officials and the public to confirm electronic vote totals. Therefore, votes cast on them could be lost or changed without notice... In 2016, 14 states (Arkansas, Delaware, Georgia, Indiana, Kansas, Kentucky, Louisiana, Mississippi, New Jersey, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia) used paperless electronic machines as the primary polling place equipment in at least some counties and towns. Five of these states used paperless machines statewide. By 2018 these numbers have barely changed: 13 states will still use paperless voting machines, and 5 will continue to use such systems statewide. Only Virginia decertified and replaced all of its paperless systems..."
  3. "Only three states mandate post-election audits to provide a high-level of confidence in the accuracy of the final vote tally.
    Paper records of votes have limited value against a cyberattack if they are not used to check the accuracy of the software-generated total to confirm that the veracity of election results. In the last few years, statisticians, cybersecurity professionals, and election experts have made substantial advances in developing techniques to use post-election audits of voter verified paper records to identify a computer error or fraud that could change the outcome of a contest... Specifically, “risk limiting audits” — a process that employs statistical models to consistently provide a high level of confidence in the accuracy of the final vote tally – are now considered the “gold standard” of post-election audits by experts... Despite this fact, risk limiting audits are required in only three states: Colorado, New Mexico, and Rhode Island. While 13 state legislatures are currently considering new post-election audit bills, since the 2016 election, only one — Rhode Island — has enacted a new risk limiting audit requirement."
  4. "43 states are using machines that are no longer manufactured.
    The problem of maintaining secure and reliable voting machines is particularly challenging in the many jurisdictions that use machines models that are no longer produced. In 2015... the Brennan Center estimated that 43 states and the District of Columbia were using machines that are no longer manufactured. In 2018, that number has not changed. A primary challenge of using machines no longer manufactured is finding replacement parts and the technicians who can repair them. These difficulties make systems less reliable and secure... In a recent interview with the Brennan Center, Neal Kelley, registrar of voters for Orange County, California, explained that after years of cannibalizing old machines and hoarding spare parts, he is now forced to take systems out of service when they fail..."

That is embarrassing for a country that prides itself on having an effective democracy. According to BCJ, the solution would be for Congress to fund via grants the replacement of paperless and antiquated equipment; plus fund post-election audits.

Rather than protect the integrity of our democracy, the government passed a massive tax cut which will increase federal deficits during the coming years while pursuing both a costly military parade and an unfunded border wall. Seems like questionable priorities to me. What do you think?


Legislation Moving Through Congress To Loosen Regulations On Banks

Legislation is moving through Congress which will loosen regulations on banks. Is this an improvement? Is it risky? Is it a good deal for consumers? Before answering those questions, a summary of the Economic Growth, Regulatory Relief, and Consumer Protection Act (Senate Bill 2155):

"This bill amends the Truth in Lending Act to allow institutions with less than $10 billion in assets to waive ability-to-repay requirements for certain residential-mortgage loans... The bill amends the Bank Holding Company Act of 1956 to exempt banks with assets valued at less than $10 billion from the "Volcker Rule," which prohibits banking agencies from engaging in proprietary trading or entering into certain relationships with hedge funds and private-equity funds... The bill amends the United States Housing Act of 1937 to reduce inspection requirements and environmental-review requirements for certain smaller, rural public-housing agencies.

Provisions relating to enhanced prudential regulation for financial institutions are modified, including those related to stress testing, leverage requirements, and the use of municipal bonds for purposes of meeting liquidity requirements. The bill requires credit reporting agencies to provide credit-freeze alerts and includes consumer-credit provisions related to senior citizens, minors, and veterans."

Well, that definitely sounds like relief for banks. Fewer regulations means it's easier to do business... and make more money. Next questions: is it good for consumers? Is it risky? Keep reading.

The non-partisan Congressional Budget Office (CBO) analyzed the proposed legislation in the Senate, and concluded (bold emphasis added):

"S. 2155 would modify provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd Frank Act) and other laws governing regulation of the financial industry. The bill would change the regulatory framework for small depository institutions with assets under $10 billion (community banks) and for large banks with assets over $50 billion. The bill also would make changes to consumer mortgage and credit-reporting regulations and to the authorities of the agencies that regulate the financial industry. CBO estimates that enacting the bill would increase federal deficits by $671 million over the 2018-2027 period... CBO’s estimate of the bill’s budgetary effect is subject to considerable uncertainty, in part because it depends on the probability in any year that a systemically important financial institution (SIFI) will fail or that there will be a financial crisis. CBO estimates that the probability is small under current law and would be slightly greater under the legislation..."

So, the propose legislation means there is a greater risk of banks either failing or needing government assistance (e.g., bailout funds). Are there risks to consumers? To taxpayers? CNN interviewed U.S. Senator Elizabeth Warren (Dem- Mass.), who said:

"Frankly, I just don't see how any senator can vote to weaken the regulations on Wall Street banks.. [weakened regulations] puts us at greater risk that there will be another taxpayer bailout, that there will be another crash and another taxpayer bailout..."

So, there are risks for consumers/taxpayers. How? Why? Let's count the ways.

First, the proposed legislation increases federal deficits. Somebody has to pay for that: with either higher taxes, less services, more debt, or a combination of all three. That doesn't sound good. Does it sound good to you?

Second, looser regulations mean some banks may lend money to more people they shouldn't have = persons who default on loan. To compensate, those banks would raise prices (e.g., more fees, higher fees, higher interest rates) to borrowers to cover their losses. If those banks can't cover their losses, then they will fail. If enough banks fail at about the same time, then bingo... another financial crisis.

If key banks fail, then the government will bail out (again) banks to keep the financial system running. (Remember too big to fail banks?) Somebody has to pay for bailouts... with either higher taxes, less services, more debt, or a combination of all three. Does that sound good to you? It doesn't sound good to me. If it doesn't sound good, I encourage you to contact your elected officials.

It's critical to remember banking history in the United States. Nobody wants a repeat of the 2008 melt-down. There are always consequences when government... Congress decides to help bankers by loosening regulations. What do you think?


Verizon FiOS: Poor Message Display And Cumbersome Opt Out Mechanism

Verizon logo Do you use broadband internet from Verizon FiOS? Or are you considering it? The blazing speed is awesome for viewing video content online, but I found portions of the service less than awesome. Which portions? The view/pay bills section of the secure site.

After signing into the secure site recently to pay my monthly bill, the view/pay bill section of the Verizon FiOS site displayed this alert:

The right-column message alert Verizon FiOS displays in its site to signed-in customers

To browse the messages, I selected "View all messages." The site displayed messages in the following overlay window:

The CPNI opt-out message Verizon FiOS displays in its site to signed-in customers

I found this presentation problematic. First, neither the alert nor the text displayed provide a status of the number of unread messages. Had I read any of these before? I couldn't tell. Well-designed sites provide read/unread message status. Second, the overlay window lacked dates. What? I couldn't tell which messages were new or old. Not good

Third, the presentation lacked features to print, save, or delete individual messages. The presentation also lacked a sort feature. That's not state-of-the-art. Strangely, the profile section of the site includes a slightly better presentation of messages with dates and read/unread status. So, Verizon knows how to do it, but seems to have decided not to for this site section. Why deviate? Why not simply link to the profile messages section and display all messages in the profile section?

Fourth, the first message contained important instructions about how to opt out of Verizon's data sharing programs. The full message stated:

"Your Choices to Limit Use and Sharing of Information for Marketing
You have choices about Verizon's use and sharing of certain information for the purpose of marketing new services to you. Verizon offers a full range of services, such as television, telematics, high-speed internet, video, and local and long distance services.Unless you notify us as explained below, we may use or share your information beginning 30 days after the first time we notify you of this policy. Your choice will remain valid until you notify us that you wish to change it, which you have the right to do at any time. Verizon protects your information and your choices won't affect the provision of any services you currently have with us.¿Customer Proprietary Network InformationCustomer Proprietary Network Information (CPNI) is information available to us solely by virtue of our relationship with you that relates to the type, quantity, destination, technical configuration, location, and amount of use of the telecommunications and interconnected VoIP services you purchase from us, as well as related billing information.We may use and share your CPNI among our affiliates and agents to offer you services that are different from the services you currently purchase from us. If you don't want us to use or share your CPNI with our affiliates and agents for this purpose, let us know by calling us any time at 1.866.483.9700.¿Information about Your CreditInformation about your credit includes your credit score, the information found in your consumer reports and your account history with us. We may share this information among the Verizon family of companies for the purpose of marketing new services to you. If you don't want us to share this information among the Verizon family of companies for the purpose of marketing new services to you, let us know by calling us any time at 1.844.366.2879."

If you like online privacy, then opting out of these programs is wise. Regular readers of this blog are familiar with CPNI disclosures from AT&T, and how much that information describes about the specific telecommunications services you use and your associated spending. The failure to display a date makes it impossible for consumers to determine whether or not the 30-day deadline has passed (and Verizon FiOS has already begun sharing customers' information). Not good.

Note: the program default automatically includes customers in Verizon's data-sharing programs after 30 days. A better default would be to not include all customers, and then only include customers who opt in or register. Is this lazy or slick marketing? Probably a little of both since most consumers fail to read legal messages.

Fifth, what's with the funky syntax (e.g., upside-down question marks)? This is English, not Spanish. Sixth, the message presented information as a "wall of words" without paragraph breaks, imagery, or other mechanisms to improve readability. There should be paragraph breaks before both "CreditInformation" and "Customer Proprietary Network Information" -- two critical concepts requiring customers' attention.

Seventh, the opt-out mechanism includes two different phone numbers to fully opt out of the data-sharing programs. Why the complexity? Come on, Verizon. You can do better. You are the phone company. Is a single phone number too difficult? Why put your customers through this hassle? Even worse: the site fails to provide an online opt-out mechanism. What's up with that?

Come on Verizon! You can do better. This poor message display and cumbersome opt-out mechanism makes it easier for Comcast Xfinity. Is that really what you want to do? I think not. Hopefully, FiOS customers will hear from Verizon in the comments section below. If they write to me separately, I'll post that response.

To me, the unnecessary (and avoidable) complexity seems like slick attempts to discourage customers from opting out of the data-sharing programs. What do you think?


Amazon's Virtual Assistant Randomly Laughs. A Fix Is Underway

Image of Amazon Echo Dot virtual assistant
You may have read or viewed news reports about random, loud laughter by Amazon's virtual assistant products. Some users reported that the laughter was unprompted and with a different voice from the standard Alexa voice. Many users were understandably spooked.

Clearly, there is a problem. According to BuzzFeed, Amazon is aware of the problem and replied to its inquiry with this statement:

"In rare circumstances, Alexa can mistakenly hear the phrase 'Alexa, laugh.' We are changing that phrase to be 'Alexa, can you laugh?' which is less likely to have false positives, and we are disabling the short utterance 'Alexa, laugh.' We are also changing Alexa’s response from simply laughter to 'Sure, I can laugh,' followed by laughter..."

Hopefully, that will fix the #AlexaLaugh bug. No doubt, there will be more news to come about this.


Cozy Relationship Between The FBI And A Computer Repair Service Spurs 4th Amendment Concerns

Image of Geek Squad auto and two technicians. Click to view larger version The Electronic Frontier Foundation (EFF) has learned more about the relationship between Geek Squad, a computer repair service, and the U.S. Federal Bureau of Investigation (FBI). In a March 6th announcement, the EFF said it filed a:

"... FOIA lawsuit last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially circumvents computer owners’ Fourth Amendment rights."

Founded in 1966, the Best Buy retail chain operates more than 1,500 stores in North America and employs more than 125,000 people. The chain sells home appliances and electronics both online and at stores in the United States, Canada, and Mexico. Located in about 1,100 Best Buy stores, Geek Squad provides repair services via phone, in-store, or at home. This means that Geek Squad employees configure and fix popular smart devices many consumers have purchased for their homes: cameras and camcorders, cell phones, computers and tablets, home theater, car electronics, home security (e.g., smart doorbells, smart locks, smart thermostats, wireless cameras), smart appliances (e.g., refrigerators, ovens, washing machines, dryers, etc.), smart speakers, video game consoles, wearables (e.g., fitness bands, smart watches), and more.

The 4th Amendment of the U.S. Constitution states:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

It is most puzzling how a broken computer translates into probable cause for a search. The FOIA request was prompted by the prosecution of a doctor in California, "who was charged with possession of child pornography after Best Buy sent his computer to the Kentucky Geek Squad repair facility."

Logos for Best Buy and Geek Squad The FOIA request yielded documents which showed:

"... that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. For example, an FBI memo from September 2008 details how Best Buy hosted a meeting of the agency’s “Cyber Working Group” at the company’s Kentucky repair facility... Another document records a $500 payment from the FBI to a confidential Geek Squad informant... over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs..."

The EFF announcement described that process in detail:

"... a series of FBI investigations in which a Geek Squad employee would call the FBI’s Louisville field office after finding what they believed was child pornography. The FBI agent would show up, review the images or video and determine whether they believe they are illegal content. After that, they would seize the hard drive or computer and send it to another FBI field office near where the owner of the device lived. Agents at that local FBI office would then investigate further, and in some cases try to obtain a warrant to search the device... For example, documents reflect that Geek Squad employees only alert the FBI when they happen to find illegal materials during a manual search of images on a device and that the FBI does not direct those employees to actively find illegal content. But some evidence in the case appears to show Geek Squad employees did make an affirmative effort to identify illegal material... Other evidence showed that Geek Squad employees were financially rewarded for finding child pornography..."

Finding child pornography and prosecuting perpetrators is a worthy goal, but the FBI-Geek Squad program seems to blur the line between computer repair and law enforcement. The program and FOIA documents raise several questions:

  1. What are the program details (e.g., training, qualifications for informants, payments, conditions for payments, scope, etc.) for financial rewarding Geek Squad employees for finding child pornography?
  2. What other computer/appliance repair vendors does the FBI operate similar programs with?
  3. What quality control measures does the program contain to prevent wrongful prosecutions?
  4. What penalties or consequences, if any, for Geek Squad employees who falsely reported child pornography claims?
  5. Is this Geek Squad program nationwide, or if not, in which states does it operate?
  6. In cases of suspected child pornography, what other information on targets' devices is collected and archived by the FBI through this program?
  7. Were/are whole hard drives copied and archived?
  8. How long is information archived?
  9. Does the program between the FBI and Geek Squad target other types of crime  and threats (e.g., terrorism)?
  10. What other law enforcement or security agencies does Geek Squad have cozy relationships with?

I'm sure there are more questions to be asked. What are your opinions?

Image of Geek Squad services promoted on Best Buy site


2017 FTC Complaints Report: Debt Collection Tops The List. Older Consumers Better At Spotting Scams

Earlier this month,, the U.S. Federal Trade Commission (FTC) released its annual report of complaints submitted by consumers in the United States. The report is helpful is understand the most frequent types of scams and reports consumers experienced.

The latest report, titled 2017 Consumer Sentinel Network Data Book, includes complaints from 2.68 million consumers, a decrease from 2.98 million in 2016. However, consumers reported losing a total of $905 million to fraud in 2017, which is $63 million more than in 2016. The most frequent complaints were about debt collection (23 percent), identity theft (14 percent), and imposter scams (13 percent). The top 20 complaint categories:

Rank Category # Of
Reports
% Of
Reports
1 Debt Collection 608,535 22.74%
2 Identity Theft 371,061 13.87%
3 Imposter Scams 347,829 13.00%
4 Telephone & Mobile Services 149,578 5.59%
5 Banks & Lenders 149,316 5.58%
6 Prizes, Sweepstakes & Lotteries 142,870 5.34%
7 Shop-at-Home & Catalog Sales 126,387 4.72%
8 Credit Bureaus, Information
Furnishers & Report Users
107,473 4.02%
9 Auto Related 86,289 3.23%
10 Television and Electronic Media 47,456 1.77%
11 Credit Cards 45,428 1.70%
12 Internet Services 45,093 1.69%
13 Foreign Money Offers &
Counterfeit Check Scams
31,980 1.20%
14 Health Care 27,660 1.03%
15 Travel, Vacations &
Timeshare Plans
22,264 0.83%
16 Business & Job Opportunities 19,082 0.71%
17 Advance Payments for
Credit Services
17,762 0.66%
18 Investment Related 15,079 0.56%
19 Computer Equipment
& Software
9,762 0.36%
20 Mortgage Foreclosure Relief
& Debt Management
8,973 0.34%

While the median loss for all fraud reports in 2017 was $429, consumers reported larger losses in certain types of scams: travel, vacations and timeshare plans ($1,710); mortgage foreclosure relief and debt management ($1,200); and business/job opportunities ($1,063).

The telephone was the most frequently-reported method (70 percent) scammers used to contact consumers, and  wire transfers was the most frequently-reported payment method for fraud ($333 million in losses reported). Also:

"The states with the highest per capita rates of fraud reports in 2017 were Florida, Georgia, Nevada, Delaware, and Michigan. For identity theft, the top states in 2017 were Michigan, Florida, California, Maryland, and Nevada."

What's new in this report is that it details financial losses by age group. The FTC report concluded:

"Consumers in their twenties reported losing money to fraud more often than those over age 70. For example, among people aged 20-29 who reported fraud, 40 percent indicated they lost money. In comparison, just 18 percent of those 70 and older who reported fraud indicated they lost any money. However, when these older adults did report losing money to a scammer, the median amount lost was greater. The median reported loss for people age 80 and older was $1,092 compared to $400 for those aged 20-29."

Detailed information supporting this conclusion:

2017 FTC Consumer Sentinel complaints report. Reports and losses by age group. Click to view larger image

2017 FTC Consumer Sentinel complaints report. Median losses by age group. Click to view larger image

The second chart is key. Twice as many younger consumers (40 percent, ages 20 - 29) reported fraud losses compared to 18 percent of consumers ages 70 and older. At the same time, those older consumers lost more money. So, older consumers were more skilled at spotting scams and few fell victim to scams. It seems both groups could learn from each other.

CBS News interviewed a millennial who fell victim to a mystery-shopper scam, which seemed to be a slick version of the old check scam. It seems wise for all consumers, regardless of age, to maintain awareness about the types of scams. Pick a news source or blog you trust. Hopefully, this blog.

Below is a graphic summarizing the 2017 FTC report:

Ftc-complaints-report-2017


Update: 2.4 Million More Persons Affected By Massive Data Breach At Equifax In 2017

Equifax logo Equifax, one of the three national credit reporting agencies, announced today that 2.4 million more persons were affected by its massive data breach in 2017. The March 1st announcement stated, in part:

"Equifax Inc. today announced that the company has confirmed the identities of U.S. consumers whose partial driver’s license information was taken. Equifax was able to identify these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.

Through these additional efforts, Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates... Today’s newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver’s license information..."

Equifax will notify the newly identified breach victims via U.S. Postal mail, and will offer them complimentary identity theft protection and credit file monitoring services.

The timeline for the massive breach: intrusions occurred in May (2017), Equifax staff first discovered the intrusions in July (2017); Equifax notified the publicy in September (2017); and now identified 2.4 million more breach victims (March, 2018).

Equifax said in September (2017) that 143 million persons were affected. That was about 44 percent of the United States population. In October (2017), Equifax revised upward the number affected by 2.5 million to 145.5 million persons. What's the new total? Equifax didn't have the guts to admit it in its March 1st announcement. Since the company doesn't seem to want to admit it, I'm going with 147.9 million persons affected -- about 45.6 percent of the population.

So, it took Equifax almost six months after its initial announcement to determine exactly who was affected during its massive data breach. This does not inspire confidence. Instead, it suggests that the company's internal systems and intrusion detection mechanisms failed miserably.

A breach investigation by U.S. Senator Elizabeth Warren (Democrat - Massachusetts) reported several failures:

  1. Equifax Set up a Flawed System to Prevent and Mitigate Data Security Problems
  2. Equifax Ignored Numerous Warnings of Risks to Sensitive Data
  3. Equifax Failed to Notify Consumers, Investors, and Regulators about the Breach in a Timely and Appropriate Fashion
  4. Equifax Took Advantage of Federal Contracting Loopholes and Failed to Adequately Protect Sensitive IRS Taxpayer Data
  5. Equifax’s Assistance and Information Provided to Consumers Following the Breach was Inadequate.

Equifax's latest breach update highlights item #3: the company's failure to promptly notify consumers. When consumers aren't notified promptly, they are unable to take action to protect their sensitive personal and payment information.

Have we heard the last from Equifax? Will it provide future updates with even more persons affected? I hope not, but the company's track record suggests otherwise.

Equifax has foisted upon the country a cluster f--k of epic proportions = #FUBAR. Businesses and consumers depend upon secure, reliable credit reports. The United States economy relies upon it, too. Equifax executives need to experience direct consequences: fines, terminations, and jail time. Without consequences, executives won't adequately secure sensitive personal and financial information -- and this will happen again. What do you think?


Analysis: Closing The 'Regulatory Donut Hole' - The 9th Circuit Appeals Court, AT&T, The FCC And The FTC

The International Association of Privacy Professionals (IAPP) site has a good article explaining what a recent appeals court decision means for everyone who uses the internet:

"When the 9th U.S. Circuit Court of Appeals ruled, in September 2016, that the Federal Trade Commission did not have the authority to regulate AT&T because it was a “common carrier,” which only the Federal Communications Commission can regulate, the decision created what many in privacy foresaw as a “regulatory doughnut hole.” Indeed, when the FCC, in repealing its broadband privacy rules, decided to hand over all privacy regulation of internet service providers to the FTC, the predicted situation came about: The courts said “common carriers” could only be regulated by the FCC, but the FCC says only the FTC should be regulating privacy. So, was there no regulator to oversee a company like AT&T’s privacy practices?

Indeed, argued Gigi Sohn, formerly counsel to then-FCC Chair Tom Wheeler, “The new FCC/FTC relationship lets consumers know they’re getting screwed. But much beyond that, they don’t have any recourse.” Now, things have changed once again. With an en banc decision, the 9th Circuit has reversed itself... This reversal of its previous decision by the 9th Circuit now allows the FTC to go forward with its case against AT&T and what it says were deceptive throttling practices, but it also now allows the FTC to once again regulate internet service providers’ data-handling and cybersecurity practices if they come in the context of activities that are outside their activities as common carriers."

Somebody has to oversee Internet service providers (ISPs). Somebody has to do their job. It's an important job. The Republicans-led FCC, by Trump appointee Ajit Pai, has clearly stated it won't given its "light touch" approach to broadband regulation, and repeals last year of both broadband privacy and net neutrality rules. Earlier this month, the National Rifle Association (NRA) honored FCC Chairman Pai for repealing net neutrality rules.

"No touch" is probably a more accurate description. A prior blog post listed many historical problems and abuses of consumers by some ISPs. Consumers should buckle up, as ISPs slowly unveiled their plans in a world without net neutrality protections for consumers. What might that look like? What has AT&T said about this?

Bob Quinn, the Vice President of External and Legislative Affairs for AT&T, claimed today in a blog post:

"Net neutrality has been an emotional issue for a lot of people over the past 10 years... For much of those 10 years, there has been relative agreement over what those rules should be: don’t block websites; censor online content; or throttle, degrade or discriminate in network performance based on content; and disclose to consumers how you manage your network to make that happen. AT&T has been publicly committed to those principles... But no discussion of net neutrality would be complete without also addressing the topic of paid prioritization. Let me start by saying that the issue of paid prioritization has always been hazy and theoretical. The business models for services that would require end-to-end management have only recently begun to come into focus... Let me clear about this – AT&T is not interested in creating fast lanes and slow lanes on anyone’s internet."

Really? The Ars Technica blog called out AT&T and Quinn on his claim:

"AT&T is talking up the benefits of paid prioritization schemes in preparation for the death of net neutrality rules while claiming that charging certain content providers for priority access won't create fast lanes and slow lanes... What Quinn did not mention is that the net neutrality rules have a specific carve-out that already allows such services to exist... without violating the paid prioritization ban. Telemedicine, automobile telematics, and school-related applications and content are among the services that can be given isolated capacity... The key is that the FCC maintained the right to stop ISPs from using this exception to violate the spirit of the net neutrality rules... In contrast, AT&T wants total control over which services are allowed to get priority."

Moreover, fast and slow lanes by AT&T already exist:

"... AT&T provides only DSL service in many rural areas, with speeds of just a few megabits per second or even less than a megabit. AT&T has a new fixed wireless service for some rural areas, but the 10Mbps download speeds fall well short of the federal broadband standard of 25Mbps. In areas where AT&T has brought fiber to each home, the company might be able to implement paid prioritization and manage its network in a way that prevents most customers from noticing any slowdown in other services..."

So, rural (e.g., DSL) consumers are more likely to suffer and notice service slowdowns. Once the final FCC rules are available without net neutrality protections for consumers and the lawsuits have been resolved, then AT&T probably won't have to worry about violating any prioritization bans.

The bottom line for consumers: expect ISPs to implement first changes consumers won't see directly. Remember the old story about a frog stuck in a pot of water? The way to kill it is to slowly turn up the heat. You can expect ISPs to implement this approach in a post-net-neutrality world. (Yes, in this analogy we consumers are the frog, and the heat is higher internet prices.) Paid prioritization is one method consumers won't directly see. It forces content producers, and not ISPs, to raise prices on consumers. Make no mistake about where the money will go.

Consumers will likely see ISPs introduce tiered broadband services, with lower-priced service options that exclude video streaming content... spun as greater choice for consumers. (Some hotels in the United States already sell to their guests WiFi services with tiered content.) Also, expect to see more "sponsored data programs," where video content owned by your ISP doesn't count against wireless data caps. Read more about other possible changes.

Seems to me the 9th Circuit Appeals Court made the best of a bad situation. I look forward to the FTC doing an important job which the FCC chose to run away from. What do you think?


Security Experts: Artificial Intelligence Is Ripe For Misuse By Bad Actors

Over the years, bad actors (e.g., criminals, terrorists, rogue states, ethically-challenged business executives) have used a variety of online technologies to remotely hack computers, track users online without consent nor notice, and circumvent privacy settings by consumers on their internet-connected devices. During the past year or two, reports surfaced about bad actors using advertising and social networking technologies to sway public opinion.

Security researchers and experts have warned in a new report that two of the newest technologies can be also be used maliciously:

"Artificial intelligence and machine learning capabilities are growing at an unprecedented rate. These technologies have many widely beneficial applications, ranging from machine translation to medical image analysis... Less attention has historically been paid to the ways in which artificial intelligence can be used maliciously. This report surveys the landscape of potential security threats from malicious uses of artificial intelligence technologies, and proposes ways to better forecast, prevent, and mitigate these threats. We analyze, but do not conclusively resolve, the question of what the long-term equilibrium between attackers and defenders will be. We focus instead on what sorts of attacks we are likely to see soon if adequate defenses are not developed."

Companies currently use or test artificial intelligence (A.I.) to automate mundane tasks, upgrade and improve existing automated processes, and/or personalize employee (and customer) experiences in a variety of applications and business functions, including sales, customer service, and human resources. "Machine learning" refers to the development of digital systems to improve the performance of a task using experience. Both are part of a business trend often referred to as "digital transformation" or the "intelligent workplace." The CXO Talk site, featuring interviews with business leaders and innovators, is a good resource to learn more about A.I. and digital transformation.

A survey last year of employees in the USA, France, Germany, and the United Kingdom found that they, "see A.I. as the technology that will cause the most disruption to the workplace." The survey also found: 70 percent of employees surveyed expect A.I. to impact their jobs during the next ten years, half expect impacts within the next three years, and about a third percent see A.I. as a job creator.

This new report was authored by 26 security experts from a variety of educational institutions including American University, Stanford University, Yale University, the University of Cambridge, the University of Oxford, and others. The report cited three general ways bad actors could misuse A.I.:

"1. Expansion of existing threats. The costs of attacks may be lowered by the scalable use of AI systems to complete tasks that would ordinarily require human labor, intelligence and expertise. A natural effect would be to expand the set of actors who can carry out particular attacks, the rate at which they can carry out these attacks, and the set of potential targets.

2. Introduction of new threats. New attacks may arise through the use of AI systems to complete tasks that would be otherwise impractical for humans. In addition, malicious actors may exploit the vulnerabilities of AI systems deployed by defenders.

3. Change to the typical character of threats. We believe there is reason to expect attacks enabled by the growing use of AI to be especially effective, finely targeted, difficult to attribute, and likely to exploit vulnerabilities in AI systems."

So, A.I. could make it easier for the bad guys to automated labor-intensive cyber-attacks such as spear-fishing. The bad guys could also create new cyber-attacks by combining A.I. with speech synthesis. The authors of the report cited examples of more threats:

"The use of AI to automate tasks involved in carrying out attacks with drones and other physical systems (e.g. through the deployment of autonomous weapons systems) may expand the threats associated with these attacks. We also expect novel attacks that subvert cyber-physical systems (e.g. causing autonomous vehicles to crash) or involve physical systems that it would be infeasible to direct remotely (e.g. a swarm of thousands of micro-drones)... The use of AI to automate tasks involved in surveillance (e.g. analyzing mass-collected data), persuasion (e.g. creating targeted propaganda), and deception (e.g. manipulating videos) may expand threats associated with privacy invasion and social manipulation..."

BBC News reported even more possible threats:

"Technologies such as AlphaGo - an AI developed by Google's DeepMind and able to outwit human Go players - could be used by hackers to find patterns in data and new exploits in code. A malicious individual could buy a drone and train it with facial recognition software to target a certain individual. Bots could be automated or "fake" lifelike videos for political manipulation. Hackers could use speech synthesis to impersonate targets."

From all of this, one can conclude that the 2016 elections interference cited by intelligence officials is probably mild compared to what will come: more serious, sophisticated, and numerous attacks. The report included four high-level recommendations:

"1. Policymakers should collaborate closely with technical researchers to investigate, prevent, and mitigate potential malicious uses of AI.

2. Researchers and engineers in artificial intelligence should take the dual-use nature of their work seriously, allowing misuse-related considerations to influence research priorities and norms, and proactively reaching out to relevant actors when harmful applications are foreseeable.

3. Best practices should be identified in research areas with more mature methods for addressing dual-use concerns, such as computer security, and imported where applicable to the case of AI.

4. Actively seek to expand the range of stakeholders and domain experts involved in discussions of these challenges."

Download the 101-page report titled, "The Malicious Use Of Artificial Intelligence: Forecasting, Prevention, And Mitigation" A copy of the report is also available here (Adobe PDF; 1,400 k bytes)here.

To prepare, both corporate and government executives would be wise to both harden their computer networks and (re)train their employees to recognize and guard against cyber attacks. What do you think?


Investigative Report By Senator Warren Details Failures By Equifax From Massive Data Breach

Equifax logo Earlier this month, U.S. Senator Elizabeth Warren (Democrat - Massachusetts) issued a report about her office's investigation in to the massive Equifax data breach. Key findings from the report:

  1. "Equifax Set up a Flawed System to Prevent and Mitigate Data Security Problems. The breach was made possible because Equifax adopted weak cybersecurity measures that did not adequately protect consumer data. The company failed to prioritize cybersecurity and failed to follow basic procedures that would have prevented or mitigated the impact of the breach. For example, Equifax was warned of the vulnerability in the web application software Apache Struts that was used to breach its system, and emailed staff to tell them to fix the vulnerability – but then failed to confirm that the fixes were made...
  2. Equifax Ignored Numerous Warnings of Risks to Sensitive Data. Equifax had ample warning of weaknesses and risks to its systems. Equifax received a specific warning from the Department of Homeland Security about the precise vulnerability that hackers took advantage of to breach the company’s systems. The company had been subject to several smaller breaches in the years prior to the massive 2017 breach, and several outside experts identified and reported weaknesses...
  3. Equifax Failed to Notify Consumers, Investors, and Regulators about the Breach in a Timely and Appropriate Fashion. The breach occurred on May 13, 2017, and Equifax first observed suspicious signs of a problem on July 29, 2017. But Equifax failed to notify consumers, investors, business partners, and the appropriate regulators until 40 days after the company discovered the breach. By failing to provide adequate information in a timely fashion, Equifax robbed consumers of the ability to take precautionary measures to protect themselves...
  4. Equifax Took Advantage of Federal Contracting Loopholes and Failed to Adequately Protect Sensitive IRS Taxpayer Data. Soon after the breach was announced, Equifax and the IRS were engulfed in controversy amid news that the IRS was signing a new $7.2 mil lion contract with the company. Senator Warren’s investigation revealed that Equifax used contracting loopholes to force the IRS into signing this “bridge” contract, and the contract was finally cancelled weeks later by the IRS after the agency learned of additional weaknesses in Equifax security that potentially endangered taxpayer data.
  5. Equifax’s Assistance and Information Provided to Consumers Following the Breach was Inadequate. Equifax took 40 days to prepare a response for the public before finally announcing the extent of the breach – and e ven after this delay, the company failed to respond appropriately. Equifax had an inadequate crisis management plan and failed to follow their own procedures for notifying consumers. Consumers who called the Equifax call center had hours-long waits. The website set up by Equifax to assist consumers was initially unable to give individuals clarity other than to tell them that their information “may” have been hacked – and that website had a host of security problems in its own right. Equifax delayed their public notice in part because the company spent almost two weeks trying to determine precisely which consumers were affected..."

Senator Warren's investigation was one of several underway. The importance of this investigative report cannot be overstated for several reasons. First, the three national credit reporting agencies (e.g., Equifax, Experian, and TransUnion) maintain reports about the credit histories and worthiness of all adults in the United States. That's extremely sensitive -- and valuable -- information that affects just about everyone. And, the country's economy relies on the accuracy and security of credit reports.

Second, Mick Mulvaney, the interim director appointed by President Trump to head the Consumer Financial Protection Bureau (CFPB), announced a halt to its investigation of the Equifax breach. This makes Senator Warren's investigative report even more important. Third, the massive Equifax data breach affected at least 143 million persons in the United States... about 44 percent of the United States population... almost half. Nobody in their right mind wants to experience that again, so a thorough investigation seems wise, appropriate, and necessary.

The credit reporting industry includes national agencies, regional agencies, and a larger list of "consumer reporting companies" -- businesses that collect information about consumers into reports for a variety of decisions about credit, employment, residential rental housing, insurance, and more. The CFPB compiled this larger list in 2017 (Adobe PDF; 264k bytes).

Senator Warren's report highlighted fixes needed:

"Federal Legislation is Necessary to Prevent and Respond to Future Breaches. Equifax and other credit reporting agencies collect consumer data without permission, and consumers have no way to prevent their data from being collected and held by the company – which was more focused on its own profits and growth than on protecting the sensitive personal information of millions of consumers. This breach and the response by Equifax illustrate the need for federal legislation that (1) establishes appropriate fines for credit reporting agencies that allow serious cybersecurity breaches on their watches; and (2) empowers the Federal Trade Commission to establish basic standards to ensure that credit reporting agencies are adequately protecting consumer data."

Download the full report (Adobe PDF; 672k bytes) titled, "Bad Credit: Uncovering Equifax's Failure to Protect Americans' Personal Information." Senator Warren's report is also available here. The CFPB list of consumer reporting companies is also available here.

My personal view: data breaches like Equifax's will stop only after executives at credit reporting agencies suffer direct consequences for failed information security: jail time or massive personal fines. There has to be consequences. What do you think?


I Approved This Facebook Message — But You Don’t Know That

[Editor's note: today's guest post, by reporters at ProPublica, is the latest in a series about advertising and social networking sites. It is reprinted with permission.]

Facebook logo By Jennifer Valentino-DeVries, ProPublica

Hundreds of federal political ads — including those from major players such as the Democratic National Committee and the Donald Trump 2020 campaign — are running on Facebook without adequate disclaimer language, likely violating Federal Election Commission (FEC) rules, a review by ProPublica has found.

An FEC opinion in December clarified that the requirement for political ads to say who paid for and approved them, which has long applied to print and broadcast outlets, extends to ads on Facebook. So we checked more than 300 ads that had run on the world’s largest social network since the opinion, and that election-law experts told us met the criteria for a disclaimer. Fewer than 40 had disclosures that appeared to satisfy FEC rules.

“I’m totally shocked,” said David Keating, president of the nonprofit Institute for Free Speech in Alexandria, Virginia, which usually opposes restrictions on political advertising. “There’s no excuse,” he said, looking through our database of ads.

The FEC can investigate possible violations of the law and fine people up to thousands of dollars for breaking it — fines double if the violation was “knowing and willful,” according to the regulations. Under the law, it’s up to advertisers, not Facebook, to ensure they have the right disclaimers. The FEC has not imposed penalties on any Facebook advertiser for failing to disclose.

An FEC spokeswoman declined to say whether the commission has any recent complaints about lack of disclosure on Facebook ads. Enforcement matters are confidential until they are resolved, she said.

None of the individuals or groups we contacted whose ads appeared to have inadequate disclaimers, including the Democratic National Committee and the Trump campaign, responded to requests for comment. Facebook declined to comment on ProPublica’s findings or the December opinion. In public documents, the company has urged the FEC to be “flexible” in what it allows online, and to develop a policy for all digital advertising rather than focusing on Facebook.

Insufficient disclaimers can be minor technicalities, not necessarily evidence of intent to deceive. But the pervasiveness of the lapses ProPublica found suggests a larger problem that may raise concerns about the upcoming midterm elections — that political advertising on the world’s largest social network isn’t playing by rules intended to protect the public.

Unease about political ads on Facebook and other social networking sites has intensified since internet companies acknowledged that organizations associated with the Russian government bought ads to influence U.S. voters during the 2016 election. Foreign contributions to campaigns for U.S. federal office are illegal. Online, advertisers can target ads to relatively small groups of people. Once the marketing campaign is over, the ads disappear. This makes it difficult for the public to scrutinize them.

The FEC opinion is part of a push toward more transparency in online political advertising that has come in response to these concerns. In addition to handing down the opinion in a specific case, the FEC is preparing new rules to address ads on social media more broadly. Three senators are sponsoring a bill called the Honest Ads Act, which would require internet companies to provide more information on who is buying political ads. And earlier this month, the election authority in Seattle said Facebook was violating a city law on election-ad disclosures, marking a milestone in municipal attempts to enforce such transparency.

Facebook itself has promised more transparency about political ads in the coming months, including “paid for by” disclosures. Since late October it has been conducting tests in Canada that publish ads on an advertiser’s Facebook page, where people can see them even without being part of the advertiser’s target audience. Those ads are only up while the ad campaign is running, but Facebook says it will create a searchable archive for federal election advertising in the U.S. starting this summer.

ProPublica found the ads using a tool called the Political Ad Collector, which allows Facebook users to automatically send us the political ads that were displayed on their news feeds. Because they reflect what users of the tool are seeing, the ads in our database aren’t a representative sample.

The disclaimers required by the FEC are familiar to anyone who has seen a print or television political ad — think of a candidate saying, “I’m ____, and I approved this message,” at the end of a TV commercial, or a “paid for by” box at the bottom of a newspaper advertisement. They’re intended to make sure the public knows who is paying to support a candidate, and to prevent people from falsely claiming to speak on a candidate’s behalf.

The system does have limitations, reflecting concerns that overuse of disclaimers could inhibit free speech. For starters, the rules apply only to certain types of political ads. Political committees and candidates have to include disclaimers, as do people seeking donations or conducting “express advocacy.” To count as express advocacy, an ad typically must mention a candidate and use certain words clearly campaigning for or against a candidate — such as “vote for,” “reject” or “re-elect.” And the regulations only apply to federal elections, not state and local ones.

The rules also don’t address so-called “issue” ads that advocate a policy stance. These ads may include a candidate’s name without a disclaimer, as long as they aren’t funded by a political committee or candidate and don’t use express-advocacy language. Many of the political ads purchased by Russian groups in 2016 attempted to influence public opinion without mentioning candidates at all — and would not require disclosure even today.

Enforcement of the law often relies on political opponents or a member of the public complaining to the FEC. If only supporters see an ad, as might be the case online, a complaint may never come.

The disclaimer law was last amended in 2002, but online advertising has changed so rapidly that several experts said the FEC has had trouble keeping up. In 2002, the commission found that paid text message ads were exempt from disclosure under the “small-items exception” originally intended for buttons, pins and the like. What counts as small depends on the situation and is up to the FEC.

In 2010, the FEC considered ads on Google that had no graphics or photos and were limited to 95 characters of text. Google proposed that disclaimers not be part of the ads themselves but be included on the web pages that users would go to after clicking on the ads; the FEC agreed.

In 2011, Facebook asked the FEC to allow political ads on the social network to run without disclosures. At the time, Facebook limited all ads on its platform to small, “thumbnail” photos and brief text of only 100 or 160 characters, depending on the type of ad. In that case, the six-person FEC couldn’t muster the four votes needed to issue an opinion, with three commissioners saying only limited disclosure was required and three saying the ads needed no disclosure at all, because it would be “impracticable” for political ads on Facebook to contain more text than other ads. The result was that political ads on Facebook ran without the disclaimers seen on other types of election advertising.

Since then, though, ads on Facebook have expanded. They can now include much more text, as well as graphics or photos that take up a large part of the news feed’s width. Video ads can run for many minutes, giving advertisers plenty of time to show the disclaimer as text or play it in a voiceover.

Last October, a group called Take Back Action Fund decided to test whether these Facebook ads should still be exempt from the rules.

“For years now, people have said, ‘Oh, don’t worry about the rules, because the FEC doesn’t enforce anything on Facebook,’” said John Pudner, president of Take Back Action Fund, which advocates for campaign finance reform. Many political consultants “didn’t think you ever needed a disclaimer on a Facebook ad,” said Pudner, a longtime campaign consultant to conservative candidates.

Take Back Action Fund came up with a plan: Ask the FEC whether it should include disclosures on ads that the group thought clearly needed them.

The group told the FEC it planned to buy “express advocacy” ads on Facebook that included large images or videos on the news feed. In its filing, Take Back Action Fund provided some sample text it said it was thinking of using: “While [Candidate Name] accuses the Russians of helping President Trump get elected, [s/he] refuses to call out [his/her] own Democrat Party for paying to create fake documents that slandered Trump during his presidential campaign. [Name] is unfit to serve.”

In a comment filed with the FEC in the matter, the Internet Association trade group, of which Facebook is a member, asked the commission to follow the precedent of the 2010 Google case and allow a “one-click” disclosure that didn’t need to be on the ad itself but could be on the web page the ad led to.

The FEC didn’t follow that recommendation. It said unanimously that the ads needed full disclaimers.

The opinion, handed down Dec. 15, was narrow, saying that if any of the “facts or assumptions” presented in another case were different in a “material” way, the opinion could not be relied upon. But several legal experts who spoke with ProPublica said the opinion means anyone who would have to include disclaimers in traditional advertising should now do so on large Facebook image ads or video ads — including candidates, political committees and anyone using express advocacy.

“The functionality and capabilities of today’s Facebook Video and Image ads can accommodate the information without the same constrictions imposed by the character-limited ads that Facebook presented to the Commission in 2011,” three commissioners wrote in a concurring statement. A fourth commissioner went further, saying the commission’s earlier decision in the text messaging case should now be completely superseded. The remaining two commissioners didn’t comment beyond the published opinion.

“We are overjoyed at the decision and hope it will have the effect of stopping anonymous attacks,” said Pudner, of Take Back Action Fund. “We think that this is a matter of the voter’s right to know.” He added that the group doesn’t intend to purchase the ads.

This year, the FEC plans to tackle concerns about digital political advertising more generally. Facebook favors such an industry-wide approach, partly for competitive reasons, according to a comment it submitted to the commission.

“Facebook strongly supports the Commission providing further guidance to committees and other advertisers regarding their disclaimer obligations when running election-related Internet communications on any digital platform,” Facebook General Counsel Colin Stretch wrote to the FEC.

Facebook was concerned that its own transparency efforts “will apply only to advertising on Facebook’s platform, which could have the unintended consequence of pushing purchasers who wish to avoid disclosure to use other, less transparent platforms,” Stretch wrote.

He urged the FEC to adopt a “flexible” approach, on the grounds that there are many different types of online ads. “For example, allowing ads to include an icon or other obvious indicator that more information about an ad is available via quick navigation (like a single click) would give clear guidance.”

To test whether political advertisers were following the FEC guidelines, we searched for large U.S. political ads that our tool gathered between Dec. 20 — five days after the opinion — and Feb. 1. We excluded the small ads that run on the right column of Facebook’s website. To find ads that were most likely to fall under the purview of the FEC regulations, we searched for terms like “committee,” “donate” and “chip in.” We also searched for ads that used express advocacy language such as, “for Congress,” “vote against,” “elect” or “defeat.” We left out ads with state and local terms such as “governor” or “mayor,” as well as ads from groups such as the White House Historical Association or National Audubon Society that were obviously not election-oriented. Then we examined the ads, including the text and photos or graphics.

Of nearly 70 entities that ran ads with a large photo or graphic in addition to text, only two used all of the required disclaimer language. About 20 correctly indicated in some fashion the name of the committee associated with the ad but omitted other language, such as whether the ad was endorsed by a candidate. The rest had more significant shortcomings. Many of those that didn’t include disclosures were for relatively inexperienced candidates for Congress, but plenty of seasoned lawmakers and major groups failed to use the proper language as well.

For example, one ad said, “It’s time for Donald Trump, his family, his campaign, and all of his cronies to come clean about their collusion with Russia.” A photo of Donald Trump appeared over a black and red map of Russia, overlaid by the text, “Stop the Lies.” The ad urged people to “Demand Answers Today” and “Sign Up.”

At the top, the ad identified the Democratic Party as the sponsor, and linked to the party’s Facebook page. But, under FEC rules, it should have named the funder, the Democratic National Committee, and given the committee’s address or website. It should also have said whether the ad was endorsed by any candidate. It didn’t. The only nod to the national committee was a link to my.democrats.org, which is paid for by the DNC, at the bottom of the ad. As on all Facebook ads, the word “Sponsored” was included at the top.

Advertisers seemed more likely to put the proper disclaimers on video ads, especially when those ads appeared to have been created for television, where disclaimers have been mandatory for years. Videos that didn’t look made for TV were less likely to include a disclaimer.

One ad that said it was from Donald J. Trump consisted of 20 seconds of video with an American flag background and stirring music. The words “Donate Now! And Enter for a Chance To Win Dinner With Trump!” materialized on the screen with dramatic thuds and crashes. The ad linked to Trump’s Facebook page, and a “Donate” button at the bottom of the ad linked to a website that identified the president’s re-election committee, Donald J. Trump for President, Inc., as its funder. It wasn’t clear on the ad whether Trump himself or his committee paid for it, which should have been specified under FEC rules.

The large majority of advertisements we collected — both those that used disclosures and those that didn’t — were for liberal groups and politicians, possibly reflecting the allegiances of the ProPublica readers who installed our ad-collection tool. There were only four Republican advertisers among the ads we analyzed.

It’s not clear why advertisers aren’t following the FEC regulations. Keating, of the Institute for Free Speech, suggested that advertisers might think the word “Sponsored” and a link to their Facebook page are enough and that reasonable people would know they had paid for the ad.

Others said social media marketers may simply be slow in adjusting to the FEC opinion.

“It’s entirely possible that because disclaimers haven’t been included for years now, candidates and committees just aren’t used to putting them on there,” said Brendan Fischer, director of the Federal and FEC Reform Program at the Campaign Legal Center, the group that provided legal services to Take Back Action Fund. “But they should be on notice,” he added.

There were only two advertisers we saw that included the full, clear disclosures required by the FEC on their large image ads. One was Amy Klobuchar, a Democratic senator from Minnesota who is a co-sponsor of the Honest Ads Act. The other was John Moser, an IT security professional and Democratic primary candidate in Maryland’s 7th Congressional District who received $190 in contributions last year, according to his FEC filings.

Reached by Facebook Messenger, Moser said he is running because he has a plan for ending poverty in the U.S. by restructuring Social Security into a “universal dividend” that gives everyone over age 18 a portion of the country’s per capita income. He complained that Facebook doesn’t make it easy for political advertisers to include the required disclosures. “You have to wedge it in there somewhere,” said Moser, who faces an uphill battle against longtime U.S. Rep. Elijah Cummings. “They need to add specific support for that, honestly.”

Asked why he went to the trouble to put the words on his ad, Moser’s answer was simple: “I included a disclosure because you're supposed to.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Unilever To Social Networking Sites: Drain The Online Swamp Or Lose Business

Unilever logo Unilever has placed tech companies and social networking sites on notice... chiefly Facebook and Google. Adweek reported:

"Unilever CMO Keith Weed put the advertising community on notice Monday during a keynote speech at the Interactive Advertising Bureau’s Annual Leadership Meeting in Palm Desert, Calif. Weed called for tech platforms—namely Facebook and YouTube—to step up their efforts in combating divisive content, hate speech and fake news. “I don’t think for a second where the internet right now is how the platforms dreamt it would be,” Weed told Adweek in an interview at the event."

After promising promised to improve the transparency of advertising on its platform, Facebook's program hasn't proceeded smoothly. Unilever spends about $9 billion annually in advertising, with more than 140 brands globally -- all spanning several categories including food and drink (e.g., Ben & Jerry's, Breyers, Country Crock, Hellmann's, Mazola, Knorr, Lipton, Promise), home care, and personal care products (e.g., Axe, Caress, Degree, Dove, Sunsilk, TRESemme, Vaseline). Adweek also reported:

"Much like Procter & Gamble CMO Marc Pritchard—who spoke at the IAB’s 2017 event and outlined a multipronged, yearlong plan—Weed is looking to pressure tech companies to increase their resources on cleaning up the platforms..."

BBC News reported:

"Unilever has pledged to: a) Not invest in platforms that do not protect children or create division in society; b) Only invest in platforms that make a positive contribution to society; c) Tackle gender stereotypes in advertising; and d) Only partner with companies creating a responsible digital infrastructure... At the World Economic Forum in Davos last month Prime Minister Theresa May called on investors to put pressure on tech firms to tackle the problem much more quickly. In December, the European Commission warned the likes of Facebook, Google, YouTube, Twitter and other firms that it was considering legislation if self-regulation continued to fail."

That's great. It'll be interesting to see which, if any other corporate marketers, make pledges similar to Unilever's. Susan Wojcicki, the CEO of Google's YouTube, issued a brief response. MediaPost reported:

"We want to do the right set of things to build [Unilever’s] trust. They are building brands on YouTube, and we want to be sure that our brand is the right place to build their brand."She added that "based on the feedback we had from them," YouTube changed its rules for what channels could be monetized, and began to have humans review all videos uploaded to Google Preferred..."

In December 2017, Youtube pledged a staff of 10,000 to root out divisive video content in 2018. We'll see if tech companies meet their promises. Consumers don't want to wade through social sites filled with divisive, hate, and fake-news content.


Facebook’s Experiment in Ad Transparency Is Like Playing Hide And Seek

[Editor's note: today's guest post, by the reporters at ProPublica, explores a new global program Facebook introduced in Canada. It is reprinted with permission.]

Facebook logo By Jennifer Valentino-DeVries, ProPublica

Shortly before a Toronto City Council vote in December on whether to tighten regulation of short-term rental companies, an entity called Airbnb Citizen ran an ad on the Facebook news feeds of a selected audience, including Toronto residents over the age of 26 who listen to Canadian public radio. The ad featured a photo of a laughing couple from downtown Toronto, with the caption, “Airbnb hosts from the many wards of Toronto raise their voices in support of home sharing. Will you?”

Placed by an interested party to influence a political debate, this is exactly the sort of ad on Facebook that has attracted intense scrutiny. Facebook has acknowledged that a group with ties to the Russian government placed more than 3,000 such ads to influence voters during the 2016 U.S. presidential campaign.

Facebook has also said it plans to avoid a repeat of the Russia fiasco by improving transparency. An approach it’s rolling out in Canada now, and plans to expand to other countries this summer, enables Facebook users outside an advertiser’s targeted audience to see ads. The hope is that enhanced scrutiny will keep advertisers honest and make it easier to detect foreign interference in politics. So we used a remote connection, called a virtual private network, to log into Facebook from Canada and see how this experiment is working.

The answer: It’s an improvement, but nowhere near the openness sought by critics who say online political advertising is a Wild West compared with the tightly regulated worlds of print and broadcast.

The new strategy — which Facebook announced in October, just days before a U.S. Senate hearing on the Russian online manipulation efforts — requires every advertiser to have a Facebook page. Whenever the advertiser is running an ad, the post is automatically placed in a new “Ads” section of the Facebook page, where any users in Canada can view it even if they aren’t part of the intended audience.

Facebook has said that the Canada experiment, which has been running since late October, is the first step toward a more robust setup that will let users know which group or company placed an ad and what other ads it’s running. “Transparency helps everyone, especially political watchdog groups and reporters, keep advertisers accountable for who they say they are and what they say to different groups,” Rob Goldman, Facebook’s vice president of ads, wrote before the launch.

While the new approach makes ads more accessible, they’re only available temporarily, can be hard to find, and can still mislead users about the advertiser’s identity, according to ProPublica’s review. The Airbnb Citizen ad — which we discovered via a ProPublica tool called the Political Ad Collector — is a case in point. Airbnb Citizen professed on its Facebook page to be a “community of hosts, guests and other believers in the power of home sharing to help tackle economic, environmental and social challenges around the world.” Its Facebook page didn’t mention that it is actually a marketing and public policy arm of Airbnb, a for-profit company.

Propublica-airbnb-citizen-adThe ad was part of an effort by the company to drum up support as it fought rental restrictions in Toronto. “These ads were one of the many ways that we engaged in the process before the vote,” Airbnb said. However, anyone who looked on Airbnb’s own Facebook page wouldn’t have found it.

Airbnb told ProPublica that it is clear about its connection to Airbnb Citizen. Airbnb’s webpage links to Airbnb Citizen’s webpage, and Airbnb Citizen’s webpage is copyrighted by Airbnb and uses part of the Airbnb logo. Airbnb said Airbnb Citizen provides information on local home-sharing rules to people who rent out their homes through Airbnb. “Airbnb has always been transparent about our advertising and public engagement efforts,” the statement said.

Political parties in Canada are already benefiting from the test to investigate ads from rival groups, said Nader Mohamed, digital director of Canada’s New Democratic Party, which has the third largest representation in Canada’s Parliament. “You’re going to be more careful with what you put out now, because you could get called on it at any time,” he said. Mohamed said he still expects heavy spending on digital advertising in upcoming campaigns.

After launching the test, Facebook demonstrated its new process to Elections Canada, the independent agency responsible for conducting federal elections there. Elections Canada recommended adding an archive function, so that ads no longer running could still be viewed, said Melanie Wise, the agency’s assistant director for media relations and issues management. The initiative is “helpful” but should go further, Wise said.

Some experts were more critical. Facebook’s new test is “useless,” said Ben Scott, a senior advisor at the think tank New America and a fellow at the Brookfield Institute for Innovation + Entrepreneurship in Toronto who specializes in technology policy. “If an advertiser is inclined to do something unethical, this level of disclosure is not going to stop them. You would have to have an army of people checking pages constantly.”

More effective ways of policing ads, several experts said, might involve making more information about advertisers and their targeting strategies readily available to users from links on ads and in permanent archives. But such tactics could alienate advertisers reluctant to share information with competitors, cutting into Facebook’s revenue. Instead, in Canada, Facebook automatically puts ads up on the advertiser’s Facebook page, and doesn’t indicate the target audience there.

Facebook’s test represents the least the company can do and still avoid stricter regulation on political ads, particularly in the U.S., said Mark Surman, a Toronto resident and executive director of Mozilla, a nonprofit Internet advocacy group that makes the Firefox web browser. “There are lots of people in the company who are trying to do good work. But it’s obvious if you’re Facebook that you’re trying not to get into a long conversation with Congress,” Surman said.

Facebook said it’s listening to its critics. “We’re talking to advertisers, industry folks and watchdog groups and are taking this kind of feedback seriously,” Rob Leathern, Facebook director of product management for ads, said in an email. “We look forward to continue working with lawmakers on the right solution, but we also aren’t waiting for legislation to start getting solutions in place,” he added. The company declined to provide data on how many people in Canada were using the test tools.

Facebook is not the only internet company facing questions about transparency in advertising. Twitter also pledged in October before the Senate hearing that “in the coming weeks” it would build a platform that would “offer everyone visibility into who is advertising on Twitter, details behind those ads, and tools to share your feedback.” So far, nothing has been launched.

Facebook has more than 23 million monthly users in Canada, according to the company. That’s more than 60 percent of Canada’s population but only about 1 percent of Facebook’s user base. The company has said it is launching its new ad-transparency plan in Canada because it already has a program there called the Canadian Election Integrity Initiative. That initiative was in response to a Canadian federal government report, “Cyber Threats to Canada’s Democratic Process,” which warned that “multiple hacktivist groups will very likely deploy cyber capabilities in an attempt to influence the democratic process during the 2019 federal election.” The election integrity plan promotes news literacy and offers a guide for politicians and political parties to avoid getting hacked.

Compared to the U.S., Canada’s laws allow for much stricter government regulation of political advertising, said Michael Pal, a law professor at the University of Ottawa. He said Facebook’s transparency initiative was a good first step but that he saw the extension of strong campaign rules into internet advertising as inevitable in Canada. “This is the sort of question that, in Canada, is going to be handled by regulation,” Pal said.

Several Canadian technology policy experts who spoke with ProPublica said Facebook’s new system was too inconvenient for the average user. There’s no central place where people can search the millions of ads on Facebook to see what ads are running about a certain subject, so unless users are part of the target audience, they wouldn’t necessarily know that a group is even running an ad. If users somehow hear about an ad or simply want to check whether a company or group is running one, they must first navigate to the group’s Facebook page and then click a small tab on the side labeled “Ads” that runs alongside other tabs such as “Videos” and “Community.” Once the user clicks the “Ads” tab, a page opens showing every ad that the page owner is running at that time, one after another.

The group’s Facebook page isn’t always linked from the text of the ad. If it isn’t, users can still find the Facebook page by navigating to the “Why am I seeing this?” link in a drop-down menu at the top right of each ad in their news feed.

As soon as a marketing campaign is over, an ad can no longer be found on the “Ads” page at all. When ProPublica checked the Airbnb Citizen Facebook page a week after collecting the ad, it was no longer there.

Because the “Ads” page also doesn’t disclose the demographics of the advertiser’s target audience, people can only see that data on ads that were aimed at them and were on their own Facebook news feed. Without this information, people outside an ad’s selected audience can’t see to whom companies or politicians are tailoring their messages. ProPublica reported last year that dozens of major companies directed recruitment ads on Facebook only to younger people — information that would likely interest older workers, but would still be concealed from them under the new policy. One recent ad by Prime Minister Justin Trudeau was directed at “people who may be similar to” his supporters, according to the Political Ad Collector data. Under the new system, people who don’t support Trudeau could see the ad on his Facebook page, but wouldn’t know why it was excluded from their news feeds.

Facebook has promised new measures to make political ads more accessible. When it expands the initiative to the U.S., it will start building a searchable electronic archive of ads related to U.S. federal elections. This archive will include details on the amount of money spent and demographic information about the people the ads reached. Facebook will initially limit its definition of political ads to those that “refer to or discuss a political figure” in a federal election, the company said.

The company hasn’t said what, if any, archive will be created for ads for state and local contests, or for political ads in other countries. It has said it will eventually require political advertisers in other countries, and in state elections in the U.S., to provide more documentation, but it’s not clear when that will happen.

Ads that aren’t political will be available under the same system being tested in Canada now.

Even an archive of the sort Facebook envisions wouldn’t solve the problems of misleading advertising on Facebook, Surman said. “It would be interesting to journalists and researchers trying to track this issue. But it won’t help users make informed choices about what ads they see,” he said. That’s because users need more information alongside the ads they are seeing on their news feeds, not in a separate location, he said.

The Airbnb Citizen ad wasn’t the only tactic that Airbnb adopted in an apparent attempt to sway the Toronto City Council. It also packed the council galleries with supporters on the morning of the vote, according to The Globe and Mail. Still, its efforts appear to have been unsuccessful.

On Dec. 6, two days after a reader sent us the ad, the City Council voted to keep people from renting a space that wasn’t their primary residence and stop homeowners from listing units such as basement apartments.

Filed under: Technology

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Advertising Agency Paid $2 Million To Settle Deceptive Advertising Charges

Marketing Architects inc. The U.S. Federal Trade Commission (FTC) announced that Minneapolis-based Marketing Architects, Inc. (MAI):

"... an advertising agency that created and disseminated allegedly deceptive radio ads for weight-loss products marketed by its client, Direct Alternatives, has agreed to pay $2 million to the Federal Trade Commission and State of Maine Attorney General’s Office to settle their complaint..."

First, some background. According to the FTC, MAI created advertising for several products (e.g., Puranol, Pur-Hoodia Plus, Acai Fresh, AF Plus, and Final Trim) by Direct Alternatives from 2006 through February 2015. Then, in 2016 the FTC and the State of Maine settled allegations against Direct Alternatives, which required the company to halt deceptive advertising and illegal billing practices.

Additional background according to the FTC: MAI previously created weight-loss ads for Sensa Products, LLC between March 2009 and May 2011. The FTC filed a complaint against Sensa in 2014, and subsequently Sensa agreed to refund $26.5 million to defrauded consumers. So, there's important, relevant history.

In the latest action, the joint complaint alleged that MAI created and disseminated radio ads with false or unsubstantiated weight-loss claims for AF Plus and Final Trim. Besides:

"... receiving FTC’s Sensa order, MAI was previously made aware of the need to have competent and reliable scientific evidence to back up health claims. Among other things, the complaint alleges that Direct Alternatives provided MAI with documents indicating that some of the weight-loss claims later challenged by the FTC needed to be supported by scientific evidence.

The complaint further charges that MAI developed and disseminated fictitious weight-loss testimonials and created radio ads for weight-loss products falsely disguised as news stories. Finally, the complaint charges MAI with creating inbound call scripts that failed to adequately disclose that consumers would be automatically enrolled in negative-option (auto-ship) continuity plans."

The latest action includes a proposed court order to ban MAI from making weight-loss claims about products the FTC has already advised as false, and:

"... requires MAI to have competent and reliable scientific evidence to support any other claims about the health benefits or efficacy of weight-loss products, and prohibits it from misrepresenting the existence or outcome of tests or studies. In addition, the order prohibits MAI from misrepresenting the experience of consumer testimonialists or that paid commercial advertising is independent programming."

This action is a reminder to advertising and digital agency executives everywhere: ensure that claims are supported by competent, reliable scientific evidence.

Good. Kudos to the FTC for these enforcement actions and for protecting consumers.


Mystery Package Scam Operating on Amazon Site. What It Is, The Implications, And Advice For Victims

Amazon logo Last fall, a couple living in a Boston suburb started receiving packages they didn't order from Amazon, the popular online retailer. The Boston Globe reported that the couple living in Acton, Massachusetts:

"... contacted Amazon, only to be told that the merchandise was paid for with a gift card. No sender’s name, no address. While they’ve never been charged for anything, they fear they are being used in a scam... The first package from Amazon landed on Mike and Kelly Gallivan’s front porch in October. And they have continued to arrive, packed with plastic fans, phone chargers, and other cheap stuff, at a rate of one or two a week."

The packages were delivered to the intended recipient. Nobody knows who sent the items: wireless chargers, a high-intensity flashlight, a Bluetooth speaker, a computer vacuum cleaner, LED tent lamps, USB cables, and more. After receiving 25 packages since October, the couple now wants it to stop. What seemed funny at first, is now a nuisance.

The Gallivans are not alone. CBC News reported that students at several universities in Canada have also received mystery packages containing a variety of items they didn't order:

"The items come in Amazon packaging, but there's no indication who's ordering the goods from the online retail giant. "We're definitely confused by it," said Shawn Wiskar, University of Regina Students' Union vice-president of student affairs. His student union has received about 15 anonymous packages from Amazon since late November, many of which contained multiple items. Products sent so far include iPad cases, a kitchen scale and a "fleshlight" — a male sex toy in the shape of a flashlight... Six other university student unions — Dalhousie in Halifax; St. Francis Xavier in Antigonish (Nova Scotia); Ryerson in Toronto; Wilfrid Laurier in Waterloo, Ontario; Royal Roads in Victoria; and the University of Manitoba in Winnipeg — have also confirmed that they've been receiving mysterious Amazon packages since the fall."

Experts speculate that the mystery packages were sent by fraudsters trying to game the retailer's review system. Consumers buy products on Amazon.com either directly from the retailer or from independent sellers listed on the site. The Boston Globe explained:

"Here’s how two experts who used to work for Amazon, James Thomson and Chris McCabe, say it probably works: A seller trying to prop up a product would set up a phony e-mail account that would be used to establish an Amazon account. Then the seller would purchase merchandise with a gift card — no identifying information there — and send it to a random person, in this case the Gallivans. Then, the phantom seller, who controls the “buyer’s” e-mail account, writes glowing reviews of the product, thus boosting the Amazon ranking of the product."

If true, then there probably are a significant number of bogus reviews on the Amazon site. The Boston Globe's news item also suggested that a data breach within a seller's firm might have provided scammers with valid mailing addresses:

"How did Mike, to whom the packages are addressed, get drawn into this? On occasion he’s ordered stuff on Amazon and received it directly from a manufacturer, once from China. That manufacturer or some affiliate may have scooped Mike’s name and address."

If true, then that highlights the downside of offshore outsourcing, where other countries don't mandate data breach disclosures. Earlier in 2017, a resident of Queens in New York City received packages with products she didn't order:

"... All she knows is that the sender is some guy named Kevin who uses Amazon gift cards... And she’s reported the packages to the NYPD, the FBI and the Better Business Bureau since Amazon hasn’t made the deliveries stop."

In that news report, a security expert speculated that criminals were testing stolen debit- and gift-card numbers. Did a seller have a data breach which went unreported? Lots of questions and few answers.

Security experts advise consumers to report packages they didn't order to various law enforcement and agencies, as the Queens resident did. Ultimately, her deliveries stopped, but not for the Gallivans.

Amazon has been unable to identify the perpetrators. At press time, a search of Amazon's Help and Customer Service site section failed to find content helping consumers victimized by this scam.

Perhaps, it is time for law enforcement and the U.S. Federal Trade Commission to step in. Regardless, we consumers will probably hear more news in the future about this scam.


CFPB Backs Off Investigating The Massive Equifax Breach

Logo for Consumer Financial Protection Bureau MarketWatch reported on Monday that the Consumer Financial Protection Bureau (CFPB) has:

"...  scaled back its investigation into a data breach at credit reporting agency Equifax Reuters reported Monday. The CFPB's interim director Mick Mulvaney, appointed by the Trump administration, has not followed "routine steps" that would be involved in a probe, including issuing subpoenas against Equifax and seeking sworn testimony from its executives, Reuters reported.

And when regulators at the Federal Reserve, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency have offered to help examine the credit bureaus, the CFPB reportedly declined the help... several politicians and consumer advocates said this is the latest sign the CFPB under Mulvaney will be weak in its prosecution of financial firms... The Federal Trade Commission is also investigating the breach, but imposes financial penalties more rarely than the CFPB does... Mulvaney wrote in an op-ed published in January The Wall Street Journal that the bureau will no longer “push the envelope.” “When it comes to enforcement, we will focus on quantifiable and unavoidable harm to the consumer,” he wrote..."

Equifax logo The massive Equifax data breach affected at least 143 million persons in the United States. That was about 44 percent of the United States population... almost half. Nobody in their right mind wants to experience that again, so a thorough investigation seems wise, appropriate, and necessary.

The CFPB began supervision of the credit reporting industry in 2012. While the news report by MarketWatch is very troubling, sadly there is even more bad news:

"Consumer advocates are also concerned that the CFPB will get rid of the database of complaints related to current investigations, which allows the public to air complaints publicly. It also provided a direct way for the public to engage with the CFPB’s activities. The database contains hundreds of thousands of complaints filed by consumers about issues ranging from predatory debt collectors to errors on credit reports. Republicans have argued that the database shouldn’t be public, while consumer advocates say the public list of complaints is an important tool for consumers.

A public database has been “a powerful mechanism for keeping financial predators accountable to consumers,” Melissa Stegman, senior policy counsel at the Center for Responsible Lending, a nonprofit based in Durham, N.C., told MarketWatch... Mulvaney announced in January the CFPB may reconsider a rule Cordray implemented for payday lenders that was designed to protect consumers and limit the amount lenders are allowed to loan them, if they do not meet certain borrowing criteria."

Now, you know why you should be concerned, too, about foot-dragging by the CFPB's Equifax probe. There is plenty of evidence that the CFPB has done a spectacular job protecting consumers and their money:

While campaigning for President, Donald Trump positioned himself as a populist... promoting "populist nationalism." A true populist would not appoint a CFPB director that weakens or abandons protection for consumers. What do you think?