It has been an interesting week for Hold Security, LLC, an information security, risk management, and incident response company. In an August 5 news release with the sensational headline, "You Have Been Hacked," the company announced:
"... Hold Security’s Deep Web Monitoring practice in conjunction with our Credential Integrity Services discovered what could be arguably the largest data breach known to date... After more than seven months of research, Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data... over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites..."
Hold Security named the gang of Russian hackers "CyberVors." The company's news release also described how the hack happened:
"Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks... These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited..."
Reportedly, the total hack was 4.5 billion username/e-mail and password pairs... a stunning total. The haul included some duplicates and passwords no longer used:
"If we narrow it down by unique e-mail addresses, we still have over half a billion records since there may be multiple passwords corresponding to a single e-mail address. Not all of them are valid or current. Some people use fake e-mail addresses, in other cases the CyberVor gang might have stolen credentials that belonged to an e-mail address that you no longer have... or a password that you haven’t used for over a decade, or even a default password automatically assigned to you by a website."
News about the hacking was widely reported by news organizations, including the New York Times on August 5:
"Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."
Also on August 5, Forbes magazine reported:
"The story provides few details beyond hyperbolic numbers: 1.2 billion username and password combinations... No specifics about the state of those passwords: whether they’re in clear-text — the worst case scenario — or in encrypted form.... "
Users in multiple countries were affected, and Hold Security did not provide a list of countries. The Forbes article described Hold Security's announcement of its subscription service including continuous monitoring for firms and consumers:
"You can pay "as low as $120" to Hold Security monthly to find out if your site is affected by the breach. Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story went up... Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a "coming soon" message. Holden says by email that the service will actually be $10/month and $120/year."
The Forbes article was critical of both Hold Security and the New York Times:
"Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic. If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it."
I agree with that criticism of Hold Security. The same Hold Security news release also appeared to be a product announcement:
"Companies -- check if your website is susceptible to a SQL injection... Hold Security is proud to announce our new Breach Notification Service (BNS). After we verify your identity and entitlements to the website(s) or domain(s), we can tell you if you have been impacted by this or other breaches..."
"Individuals -- the ultimate victims of the CyberVor gang are the end-users. Hold Security is proud to announce that we will be providing full electronic identity monitoring service to all the individuals within the next 60 days. Even if you are currently using another Identity Protection Service, your electronic identity may still be vulnerable..."
I would have liked the New York Times reporters to have used more skepticism. The Guardian UK reported on August 6:
"Security researchers from Kaspersky, Symantec and University College London have questioned the news reported on Tuesday that private security firm Hold Security had identified a Russian cybercriminal gang called CyberVor, which had amassed a database of more than 4.5bn stolen records... Cybersecurity experts are concerned that Hold Security has not yet made the data public or available for confirmation by users."
The Guardian UK article concluded with this advice for consumers:
"Security experts are advising that users keep aware of developments with the CyberVor breach, but that immediately changing all their passwords is not yet the appropriate action."
Experts also advised consumers not to use the same password in multiple sites (e.g., bank accounts, social networking sites, e-mail services, etc.). When you do, it makes it easy for criminals to hack into your accounts and steal money.
"If CyberVor were shopping for the Fortune 500 data instead of cracking systems, on the other hand, the group would have had plenty of options. The data could have come from Target, LinkedIn, or an upstream breach like the Global Payments hack in 2012. All that data is still kicking around the darker corners of the web, available to anyone willing to pay for it. The usernames get cheaper as they get older, so in the case of a two-year-old hack like Global Payments, counting to a billion wouldn't even be that expensive. The biggest red flag of all, though, is that CyberVor isn't trying to sell the data or use it to steal actual money... If there were anything else they could do with these passwords, it would be more lucrative and more sustainable than spamming..."
You can read about the Target and Global Payments breaches in this blog. After reading about the CyberVors hack, I had two reactions:
1. Something doesn't seem quite right.
During the past seven years I've written this blog, I have learned that companies experiencing data breaches usually hire a security firm to assist with the breach investigation and post-breach incident management. Companies usually notify users and customers affected by the data breach. That notice often includes some period (e.g., one or two years) of free credit monitoring services. The security firm rarely, if ever, marketed any subscription monitoring services directly to consumers without a client company.
So, what Hold Security has done seems to have skipped a couple of steps... important steps. It's critical for the affected companies to do their own breach investigations and notify their affected users and/or customers. The breach notification laws in many states require such notice.
2. There may be an unreported story that needs to be told.
The New York Times article reported this about its conversations with Alex Holden, the founder and chief information officer at Hold Security:
"“They audited the Internet,” Mr. Holden said."
Assuming that the "they" refers to the CyberVors hacking gang, it suggests that the gang may have the capability to analyze e-mail and password combinations at scale. Do hackers employ state-of-the-art data mining or "big data" analysis techniques? If so, that is a scary thought with consequences.
Such analyses could make it easier to guess passwords. If a database of stolen e-mail and password pairs includes the history of a user's passwords, it could make it easier to predict the user's current password. Here's a simple example (using an extremely poorly constructed password). A consumer used the "123password" password in 2013, then changed it to "234password" in 2014. It doesn't take a genius to guess that the user's probable next password would be "345password". If criminals are analyzing the databases they've compiled of stolen e-mail/password pairs, we need to know. I would expect security companies and news organizations to investigate, confirm, and alert consumers.
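The defensive counterpart to this observation is a password-change check that refuses a new password which is a predictable step from an old one. The following is an added example, not code from the blog post; function names and the distance threshold are this example's own choices.

```javascript
// Added example, not from the blog post: a password-change check that rejects a candidate
// which is a predictable mutation of an earlier password, such as the "123password" ->
// "234password" -> "345password" progression described above. Function names and the
// distance threshold are this example's own choices.

// Split into alternating runs of digits and non-digits: "234password" -> ["234", "password"].
function tokenize(pw) {
  return pw.match(/\d+|\D+/g) || [];
}

// "123" -> "234": every digit moved by the same non-zero offset.
function digitsShifted(a, b) {
  if (a.length !== b.length) return false;
  const delta = Number(b[0]) - Number(a[0]);
  return delta !== 0 && [...a].every((ch, i) => Number(b[i]) - Number(ch) === delta);
}

// "2013" -> "2014": the run read as a whole number moved by at most two.
function numberStepped(a, b) {
  const diff = parseInt(b, 10) - parseInt(a, 10);
  return diff !== 0 && Math.abs(diff) <= 2;
}

// Levenshtein distance, for the generic "changed a character or two" case.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns a reason string if `candidate` is a predictable variant of any password in
// `history`, otherwise null. Comparison is case-insensitive.
function predictableFrom(candidate, history) {
  const cand = candidate.toLowerCase();
  for (const old of history) {
    const prev = old.toLowerCase();
    if (prev === cand) return 'reused';
    const ta = tokenize(prev), tb = tokenize(cand);
    if (ta.length === tb.length) {
      // Same shape: flag when the only differences are digit runs that stepped forward/back.
      let stepped = false, otherwiseSame = true;
      for (let i = 0; i < ta.length && otherwiseSame; i++) {
        if (ta[i] === tb[i]) continue;
        const bothDigits = /^\d+$/.test(ta[i]) && /^\d+$/.test(tb[i]);
        if (bothDigits && (digitsShifted(ta[i], tb[i]) || numberStepped(ta[i], tb[i]))) stepped = true;
        else otherwiseSame = false;
      }
      if (stepped && otherwiseSame) return 'sequential digits';
    }
    if (editDistance(prev, cand) <= 2) return 'too similar';
  }
  return null;
}
```

Because a site should store only password hashes, in practice this comparison can be made only against the current password the user supplies during a change, not against a full plaintext history.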
What are your opinions of the CyberVors hacking? Of Hold Security's subscription services?
The Office of the Attorney General (AG) for the state of Oregon has filed a lawsuit against the manufacturer of 5-Hour Energy drink. Oregon AG Ellen Rosenblum filed the suit on July 17, 2014 against Living Essentials and Innovation Ventures. The suit alleged the defendants:
"... used print, television, Internet and radio advertising to claim that 5-hour ENERGY® contains a unique blend of ingredients that provide consumers with energy, alertness and focus, when in reality the only ingredient that provides any effect is the concentrated dose of caffeine.... The lawsuit, which was filed in Multnomah Circuit Court, also targets allegedly misleading claims that the product will not cause consumers to experience a ‘crash’. The suit also focuses on claims that the product has been recommended by doctors in a way that it has not..."
In a wide-ranging and arrogant blog post to promote his new book, Christian Rudder, the co-founder of the OKCupid dating website, described several experiments the site performed on its customers:
"... chose to celebrate the app’s release by removing all the pictures from OkCupid on launch day. “Love Is Blind Day” on OkCupid—January 15, 2013... But by comparing Love Is Blind Day to a normal Tuesday, we learned some very interesting things. In those 7 hours without photos: people responded to first messages 44% more often; conversations went deeper; contact details were exchanged more quickly; in short, OKCupid worked better..."
In another experiment, the OKCupid site changed its display parameters, telling some users with poor matches that the matches were excellent, and the reverse:
"... the “match percentage” we calculate for users is very good at predicting relationships. It correlates with message success, conversation length, whether people actually exchange contact information, and so on... To test this, we took pairs of bad matches (actual 30% match) and told them they were exceptionally good for each other (displaying a 90% match.)† Not surprisingly, the users sent more first messages when we said they were compatible..."
"Because of a diagnostic test, your match percentage with XXX was misstated as 31%. It is really 91%. We wanted to let you know."
Diagnostic test? That explanation doesn't sound entirely accurate. It sounds like some type of error-checking routine, and not a true admission or notification of an intentional marketing test. Were customers offered refunds for "misstated" compatibility matches? If I were an OKCupid customer, I'd demand a refund as the service didn't seem to deliver what was promised.
Rudder's blog post provides plenty of statistics about what the company learned from its live tests with customers. Rudder's blog post gave the impression that the ends justify the means -- that the wealth of data the company collected justified the test approach. Rudder also defended Facebook, after that social networking site had been criticized for performing experiments on its members without notice or explicit consent:
"We noticed recently that people didn’t like it when Facebook “experimented” with their news feed. Even the FTC is getting involved. But guess what, everybody: if you use the Internet, you’re the subject of hundreds of experiments at any given time, on every site. That’s how websites work."
All websites? For sure, at least Facebook and OKCupid.
I am no prude. I fully expect websites to explore and implement new services, content, and functionality. How one does it matters. The ends do not justify the means.
During the last 20 years, as a usability professional I have built dozens of websites in a variety of industries: telecommunications, petroleum, travel, banking, insurance, higher education, food, consumer packaged goods, and more. In all instances, we used a variety of standard, proven test methods to collect users' opinions and reactions to proposed website features and functionality. Usually, we started by asking users -- customers and prospective customers -- what they wanted in the site that they couldn't get today. Many users will tell you; many are happy to tell you.
Frankly, it makes sense -- time wise and financially -- to build features that users want. No matter how curious OKCupid executives may be, I highly doubt that the site's users wanted the service to lie to them about compatibility matches.
After compiling a list of requested features (e.g., content and/or functionality), we tested implementation approaches... not on the live site, but in usability sessions with mockups or with prototypes. That approach builds users' trust. Many users appreciated the opportunity to view and comment on new features before those features are added to the live site.
In other cases, we used focus group sessions to uncover users' needs and to explore their reactions and attitudes. We often used rigorous questionnaires (sometimes in combination with other test methods), so that we could analyze the results later. In some instances, we included survey forms with the live site.
My point: we never adjusted the live site's core functions and contents without notice. We didn't add new features to live sites until after all testing was finished, the new features were built, and all "bugs" or code glitches were fixed. Anyone experienced with website development knows that it takes time to get the bugs out. When you add new features, they often affect, or break, something else -- unintended consequences.
Users' trust and reliability are critical. Frankly, we trusted users enough to ask them what they wanted. We trusted users enough to inform them of tests. We respected users enough to compensate test participants for their time. We respected users enough to acknowledge that some have a right to not participate in tests.
After reading Mr. Rudder's blog post, I began to wonder how trustworthy the OKCupid site really is. The good: OKCupid executives are curious, want to continually improve their site, and act quickly. The not-so-good: curiosity and acting quickly aren't enough. Users rely on the live site to operate as advertised and promised. Deviations from that, with unannounced tests that users can't opt out of, erode users' confidence and trust.
All of the tests Rudder described could have been performed with standard testing methods, some of which I have described above, without directly changing the live site. Maybe the OKCupid executives aren't aware of, or wanted to skip, the costs and time of traditional testing methods. Maybe speed is their primary goal. In their rush to improve things, Mr. Rudder and his executive team seem comfortable unnecessarily risking consumers' trust and respect.
If this is the current state of social networking sites, then the industry has fallen. It has moved beyond simply collecting, archiving, and analyzing massive amounts of consumers' personal information for advertising revenues. It also operates arrogantly: making any changes it pleases to live sites, while ignoring users' trust and respect. That's not something I look for in a site. Nor will I buy Mr. Rudder's book.
What are your opinions of OKCupid's tests?
Everyone uses USB flash drives (a/k/a thumb drives) to store and share information. Consumers rely upon anti-virus software to scan and detect any computer viruses infecting USB drives. According to a Wired report, researchers have created a proof-of-concept demonstrating the difficulty -- or impossibility -- of detecting and removing malware from USB devices:
"... researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken... Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it... The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic..."
A wide variety of devices employ USB technology: mice, keyboards, desktop computers, laptops, smartphones, tablets, and more. Experts advise consumers to:
What are your opinions of USB sticks? USB security?
The Office of the Massachusetts Attorney General (AG) announced a settlement with Travel Services regarding the firm's marketing tactics:
"... Illinois-based Travel Services, Inc. and its principals have agreed to a $50,000 judgment that permanently prohibits them from selling and marketing vacation club memberships in Massachusetts... The consent judgment, filed Monday in Suffolk Superior Court, settles allegations that Travel Services – formerly known as Funseekers Vacations, Inc. and operating in Massachusetts as “Outrigger Vacation Club” – along with President Christy Spensberger and Vice President William Bailey, facilitated unfair and highly deceptive sales operations at Plymouth-based Only Way 2 Go Travel and Methuen-based Fantasia Travel."
The 2010 lawsuit alleged that the defendants:
"... conspired to lure consumers to sales presentations using deceptive mail and telephone solicitations and then subject them to high pressure sales pitches containing myriad misrepresentations and omissions designed to induce consumers to purchase Outrigger Vacation Club memberships serviced by Travel Services... consumers entered into the membership contracts based upon false promises that they would receive better-than-Internet wholesale prices on vacation packages, cruises, accommodations and other travel services. Instead, consumers allegedly left sales presentation venues having spent thousands of dollars on vacation club memberships that were essentially worthless..."
Consumers love being connected online. Perhaps, too much. According to the results of a recent survey posted on the Social Times site:
View more stats from the survey in the Social Times infographic.
If you are going to spend this much time and effort on the toilet, then you might consider upgrading to a "smart toilet." Several smart toilets are for sale on eBay, and you can follow tweets by a smart toilet on Twitter. Smart crappers (electronic thrones?) are part of the coming Internet of Things (IoT) for consumers' homes. However, like any other Internet-connected device, smart toilets can be hacked.
In the future, I guess that teenagers won't toilet paper victims' front lawns. Instead, they'll hack and remotely operate/flush unsuspecting victims' smart crappers.
What are your opinions of the Social Times survey? Of smart crappers? If you have bought a smart toilet, please share below your opinions of it.
You may remember the massive data breach in 2011 at the Sony PlayStation Network (PSN) that affected about 77 million users worldwide. Sony executives apologized to users. Several lawsuits resulted, which were combined into a single class-action suit.
InfoSecurity reported that a settlement agreement is pending where Sony would pay about $15 million to users in the United States. Proposed settlement terms:
"... Those who didn’t participate in Sony’s “Welcome Back” package will be entitled to one out of 14 PlayStation 3 or PlayStation Portable games and a choice of three out of six PS3 themes or a three month subscription to PlayStation Plus. However, there’s a $6m limit on these claims... Qriocity users will get a month’s free access to the music streaming service and those who can prove their identity was stolen could receive up to $2,500 in compensation..."
The United Kingdom's Information Commissioner's Office (ICO) fined Sony £250,000 ($395k) in January 2013. The ICO said in a January 2013 announcement:
"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.
"There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.
"The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft."
The proposed settlement has not been approved by a judge, so it is not final. You can read the proposed settlement agreement.
Last week, the Office of the Massachusetts Attorney General (AG) announced a settlement with Apple Inc. regarding electronic book (a/k/a e-book) price fixing allegations. AGs from 33 states had filed lawsuits against the company:
"Contingent upon the resolution of Apple’s appeal of a U.S. District Court verdict from 2013, consumers nationwide will receive a total of $400 million, with Massachusetts consumers estimated to receive more than $12 million in refunds. The agreement also remains subject to approval by the U.S. District Court for the Southern District of New York."
Additional details about the Apple settlement:
"The exact amount of consumer relief is contingent upon the affirmation of a U.S. District Court’s July 2013 verdict that Apple violated federal and state antitrust laws by orchestrating a conspiracy with five publishers – Penguin Group (USA), Inc. (now part of Penguin Random House); Holtzbrinck Publishers LLC d/b/a Macmillan; Hachette Book Group Inc.; HarperCollins Publishers LLC; and Simon & Schuster Inc. – to artificially raise prices for E-books between 2010 and 2012 in order to eliminate retail price competition."
Information about the publishers' settlement:
"E-book purchasers nationwide are already entitled to refunds totaling $166 million in settlement funds paid by the five publishers involved in the conspiracy. Massachusetts consumers are due more than $5 million from these funds in compensation pursuant to these settlements."
Martha Coakley, the Massachusetts AG, said in a statement:
“Price collusion amongst competitors is unacceptable and this agreement will ensure that those responsible are held accountable... We are hopeful that this settlement will go through so that affected consumers can receive significant refunds as a result of these violations.”
New York State AG Eric T. Schneiderman said in a statement:
"... the biggest, most powerful companies in the world must play by the same rules as everyone else... We will continue to work with our colleagues in other states to ensure that all companies compete fairly with the knowledge that no one is above the law.”
Good. I applaud the AGs for this enforcement action. In related news, Apple announced a partnership with IBM Inc. to:
"... redefine the way work will get done, address key industry mobility challenges and spark true mobile-led business change—grounded in four core capabilities:
1. a new class of more than 100 industry-specific enterprise solutions including native apps, developed exclusively from the ground up, for iPhone and iPad;
2. unique IBM cloud services optimized for iOS, including device management, security, analytics and mobile integration;
3. new AppleCare® service and support offering tailored to the needs of the enterprise; and
4. new packaged offerings from IBM for device activation, supply and management."
Meanwhile, many parents in Europe are concerned about how app-based games are marketed. Engadget reported last week:
"... while Google addressed its concerns around games with in-app purchasing, Apple has yet to offer a strategy. Following hordes of complaints by outraged parents, the EU asked both companies to implement changes to the way they sell such apps in their stores. Those include not misleading consumers about supposedly "free" games, not "directly exhorting" children to buy in-game items, thoroughly informing customers about payment arrangements and forcing game-makers to provide contact information."
The request by the European Commission and the Consumer Protection Cooperation (CPC) Network included:
"1. Games advertised as "free" should not mislead consumers about the true costs involved;
2. Games should not contain direct exhortation to children to buy items in a game or to persuade an adult to buy items for them;
3. Consumers should be adequately informed about the payment arrangements for purchases and should not be debited through default settings without consumers’ explicit consent;
4. Traders should provide an email address so that consumers can contact them in case of queries or complaints."
The Engadget news article also included this statement by Apple:
"... over the last year we made sure any app which enables customers to make in-app purchases is clearly marked. We've also created a Kids Section on the App Store with even stronger protections to cover apps designed for children younger than 13. These controls go far beyond the features of others in the industry. But we are always working to strengthen the protections we have in place, and we're adding great new features with iOS 8, such as Ask to Buy, giving parents even more control over what their kids can buy on the App Store..."
This statement was after a $32.5 million settlement in March 2014 with the U.S. Federal Trade Commission (FTC):
"... a final order resolving FTC allegations that Apple Inc. unfairly charged consumers for in-app purchases incurred by children without their parents’ consent... by March 31, 2014, Apple must change its billing practices to ensure that it has obtained express, informed consent from consumers before charging them for in-app purchases. Apple also must provide full refunds, totaling a minimum of $32.5 million, to consumers who were billed for in-app purchases that were incurred by children... Should Apple issue less than $32.5 million in refunds to consumers within the 12 months after the settlement becomes final, the company must remit the balance to the Commission. By April 15, 2014, Apple must notify all consumers charged for in-app purchases with instructions on how to obtain a refund for unauthorized purchases by kids."
In-app purchases can be expensive. Experts advise parents to closely monitor their children's game activity.
"Canvas fingerprinting" is the latest technique entities use to identify and track consumers' online habits and movements. I use the word "entities" since both private-sector corporations and public-sector government agencies use the technique in their websites. The BBC described it well:
"This technique forces a web browser to create a hidden image. Subtle differences in the set-up of a computer mean almost every machine will render the image in a different way enabling that device to be identified consistently."
Those subtle differences include the many features that distinguish your computer's configuration from others: clock setting, default font, software installed, operating system brand and version, browser brand and version, and more. Researchers at Princeton University in the United States and at the University of Leuven in Belgium analyzed tracking techniques at 100,000 websites. They announced their findings in a draft report dated July 1, 2014:
"We present the first large-scale studies of three advanced web tracking mechanisms -- canvas fingerprinting, evercookies, and use of 'cookie syncing' in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it... The tracking mechanisms studied in this paper can be differentiated from their conventional counterparts by their potential to circumvent users' tracking preferences, being hard to discover and resilient to removal."
The researchers emphasized the extreme difficulty confronting consumers:
"Canvas fingerprinting uses the browser's Canvas API to draw invisible images and extract a persistent, long-term fingerprint without the user's knowledge. There doesn't appear to be a way to automatically block canvas fingerprinting without false positives that block legitimate functionality; even a partial fix requires a browser source-code patch. Evercookies actively circumvent users' deliberate attempts to start with a fresh profile by abusing different browser storage mechanisms to store removed cookies. Cookie syncing... allows different trackers to share user identifiers with each other. Besides being hard to detect, cookie syncing enables back-end server-to-server data merges hidden from public view."
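The pattern the researchers describe (draw text to a canvas nobody sees, then read the pixels back) can at least be observed from inside the page. The following is an added example, not code from the blog post or from the researchers' paper: it wraps the drawing and read-back methods on whatever prototypes it is given and applies heuristics whose thresholds are this example's own assumptions; the FakeCanvas/FakeContext classes are constructed stand-ins so it runs outside a browser.

```javascript
// Added example, not from the blog post or the researchers' paper. instrumentCanvas() wraps
// the text-drawing and pixel-read methods on the prototypes it is given (in a browser those
// would be CanvasRenderingContext2D.prototype and HTMLCanvasElement.prototype) and records,
// per canvas, what was drawn before its pixels were read; isLikelyFingerprint() then applies
// heuristics. The heuristics and thresholds are this example's own assumptions.

function newTrace() {
  return { width: 0, height: 0, text: '', fillStyles: new Set(), saveRestore: false };
}

// Heuristic: fingerprinting scripts draw styled text onto a reasonably sized canvas and read
// it back, without the save/restore bookkeeping that ordinary drawing code tends to use.
function isLikelyFingerprint(t) {
  const distinctChars = new Set(t.text).size;
  return t.width >= 16 && t.height >= 16 &&
    (t.fillStyles.size >= 2 || distinctChars >= 10) &&
    !t.saveRestore;
}

function instrumentCanvas(ctxProto, canvasProto, onRead) {
  const traces = new WeakMap();                      // canvas -> trace of what was drawn on it
  const traceFor = (canvas) => {
    if (!traces.has(canvas)) traces.set(canvas, newTrace());
    return traces.get(canvas);
  };
  const wrap = (proto, name, before) => {
    const orig = proto[name];
    proto[name] = function (...args) { before(this, args); return orig.apply(this, args); };
  };
  for (const m of ['fillText', 'strokeText']) {
    wrap(ctxProto, m, (ctx, args) => {
      const t = traceFor(ctx.canvas);
      t.text += String(args[0]);
      t.fillStyles.add(String(ctx.fillStyle));
    });
  }
  for (const m of ['save', 'restore']) {
    wrap(ctxProto, m, (ctx) => { traceFor(ctx.canvas).saveRestore = true; });
  }
  // Pixel read-back is the moment a fingerprint would be extracted, so classify there.
  const report = (canvas, method) => {
    const t = traceFor(canvas);
    t.width = canvas.width; t.height = canvas.height;
    onRead({ method, suspicious: isLikelyFingerprint(t), textLength: t.text.length });
  };
  wrap(ctxProto, 'getImageData', (ctx) => report(ctx.canvas, 'getImageData'));
  wrap(canvasProto, 'toDataURL', (canvas) => report(canvas, 'toDataURL'));
}

// Constructed stand-ins for the browser objects so the detector can run outside a browser.
class FakeContext {
  constructor(canvas) { this.canvas = canvas; this.fillStyle = '#000000'; }
  fillText() {} strokeText() {} save() {} restore() {}
  getImageData(x, y, w, h) { return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) }; }
}
class FakeCanvas {
  constructor(width, height) { this.width = width; this.height = height; }
  getContext() { return new FakeContext(this); }
  toDataURL() { return 'data:image/png;base64,'; }   // constructed placeholder, no real pixels
}

const reads = [];
instrumentCanvas(FakeContext.prototype, FakeCanvas.prototype, (r) => reads.push(r));

// Scenario 1: the hidden, never-displayed canvas pattern the article describes.
function fingerprintScenario() {
  reads.length = 0;
  const canvas = new FakeCanvas(220, 30);
  const ctx = canvas.getContext('2d');
  ctx.fillStyle = '#f60'; ctx.fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  ctx.fillStyle = '#069'; ctx.fillText('Cwm fjordbank glyphs vext quiz', 4, 17);
  canvas.toDataURL();
  return reads.slice();
}

// Scenario 2: ordinary chart code that also reads pixels (e.g. to export an image).
function chartScenario() {
  reads.length = 0;
  const canvas = new FakeCanvas(300, 150);
  const ctx = canvas.getContext('2d');
  ctx.save(); ctx.fillText('Sales', 10, 10); ctx.restore();
  ctx.getImageData(0, 0, 300, 150);
  return reads.slice();
}
```

Run against the real prototypes before any page script executes, the same wrapper logs every read-back; as the researchers note, any such heuristic trades false positives (chart libraries that export images) against misses.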
Why the researchers produced this report:
"Our goal is to improve transparency of web tracking in general and advanced tracking techniques in particular. We hope that our techniques and results will lead to better defenses, increased accountability for companies deploying exotic tracking techniques and an invigorated and informed public and regulatory debate on increasingly persistent tracking techniques."
The researchers concluded the following about consumers' ability to maintain their privacy online:
"Current options for users to mitigate these threats are limited, in part due to the difficulty of distinguishing unwanted tracking from benign behavior. In the long run, a viable approach to online privacy must go beyond add-ons and browser extensions. These technical efforts can be buttressed by regulatory oversight. In addition, privacy-friendly browser vendors who have hitherto attempted to take a neutral stance should consider integrating defenses more deeply into the browser."
"The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish."
I strongly encourage consumers to read the ProPublica article, since it includes an interview with an executive from AddThis. The article also lists five recommendations consumers can do to minimize the online tracking. However, some of the recommendations require technical knowledge and skills beyond what many consumers have.
One recommendation includes using Chameleon with the Google Chrome browser. A reader, who asked me not to mention their name, shared this opinion:
Is this an over-reaction? Consider... earlier this year, Google changed its policy to reflect its continued scanning of all inbound e-mails from non-Gmail users. About the scanning, a United Kingdom newspaper wrote this headline, "Google: Don't Expect Privacy When Sending to Gmail." A simple online search found this review of Google Chrome privacy. Several news organizations reported in December 2013 about how spy agencies in the U.S. and U.K. use Google's proprietary cookie technology.
Plus, MediaPost reported yesterday:
So, there seems to be enough happening that some consumers understandably might try to minimize or avoid interactions with any Google products and services.
Several news organizations have reported about the high-profile websites that use canvas fingerprinting, including several porn sites and WhiteHouse.gov. Interested readers can browse this list of websites the researchers found that perform canvas fingerprinting.
I would like to thank the researchers for this report. It is greatly appreciated and very valuable. Consumers need to be informed and the websites (e.g., marketers and advertisers) aren't doing it. Tracking methods need to be disclosed and opt-in based.
During the last 7+ years, this blog has covered stories about several technologies (e.g., cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, etc.) that entities have used to persistently track consumers online without their knowledge or consent, and to circumvent consumers' efforts to maintain privacy online. Proponents usually justify the tracking as needed for consumers interested in seeing relevant, targeted advertisements online (a/k/a "behavioral advertising"). Given this history of repeated privacy abuses, sadly I am not surprised about canvas fingerprinting. Frustrated, yes. Surprised, no.
Many of these tracking technologies have resulted in class-action lawsuits. That has been good, because the speed of technological change is far faster than both the laws and legislators’ ability to understand the emerging technologies. I fear that class actions, as a protection tool for consumers and/or a method to hold privacy abusers accountable, will be more difficult in the future, as many banks, telephone companies, Internet service providers, consumer electronics makers, software vendors, nursing homes, and health care companies have added binding arbitration clauses to their customer agreements.
This persistent tracking raises other issues. Consumers need new browser features to stop it, since companies use creative ways to restore browser cookies that users deleted precisely to maintain their privacy, and a canvas fingerprint needs no cookie at all. For consumers, help may be on the way in the form of the Privacy Badger tool from the Electronic Frontier Foundation.
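To make the technique concrete, here is an added example in JavaScript. It is not code from this blog, from AddThis, or from the researchers' report. The first function shows the shape of a canvas fingerprinting script: it draws text and shapes on a canvas that is never shown to the user, reads the rendered pixels back, and hashes them; the result varies with the fonts, anti-aliasing and graphics hardware of the machine, which is what makes it a tracking identifier. The second function is the kind of defense the paragraph above asks for: it wraps the canvas read-back methods so that every read is logged and, when blocking is enabled, suspicious reads return blank pixels. The "text was drawn and the canvas is bigger than 16x16" heuristic is my own simplification, not the researchers' exact criteria. The `StubCanvas` and `StubContext2D` classes are constructed stand-ins so the example runs outside a browser; in a real page you would pass `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype` instead.

```javascript
'use strict';

// 32-bit FNV-1a: a cheap deterministic digest of the read-back pixels.
// A real tracker would use a stronger hash; determinism is what matters here.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Part 1: what a fingerprinting script does. The canvas is never attached to
// the page; text with a mixed-script pangram and an emoji is drawn because
// font fallback and anti-aliasing differ per machine, then the pixels are read
// back with toDataURL() and hashed into an identifier.
function canvasFingerprint(canvas) {
  canvas.width = 220;
  canvas.height = 30;
  const ctx = canvas.getContext('2d');
  ctx.textBaseline = 'top';
  ctx.font = '14px Arial';
  ctx.fillStyle = '#f60';
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = '#069';
  ctx.fillText('Cwm fjordbank glyphs vext quiz, \u{1F600}', 2, 15);
  return fnv1a(canvas.toDataURL());
}

// Part 2: a guard installed on the canvas prototypes. Every pixel read is
// recorded in `events`; a read is flagged as suspicious when text was drawn on
// the canvas and the canvas is larger than `minSize` in both dimensions
// (assumed heuristic). With `block: true`, suspicious reads get blank output.
function installCanvasReadGuard(canvasProto, contextProto, options) {
  const opts = Object.assign({ block: false, minSize: 16 }, options || {});
  const events = [];
  const textDrawn = new WeakSet(); // canvases that had fillText() called on them

  const looksLikeFingerprint = (canvas) =>
    textDrawn.has(canvas) && canvas.width > opts.minSize && canvas.height > opts.minSize;

  const origFillText = contextProto.fillText;
  contextProto.fillText = function (...args) {
    textDrawn.add(this.canvas);
    return origFillText.apply(this, args);
  };

  const origToDataURL = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    const suspicious = looksLikeFingerprint(this);
    events.push({ method: 'toDataURL', width: this.width, height: this.height, suspicious });
    if (suspicious && opts.block) return 'data:,'; // empty data URL, no pixels leak
    return origToDataURL.apply(this, args);
  };

  const origGetImageData = contextProto.getImageData;
  contextProto.getImageData = function (...args) {
    const suspicious = looksLikeFingerprint(this.canvas);
    events.push({ method: 'getImageData', width: this.canvas.width, height: this.canvas.height, suspicious });
    const image = origGetImageData.apply(this, args);
    if (suspicious && opts.block) image.data.fill(0); // same shape, zeroed pixels
    return image;
  };

  return { events, looksLikeFingerprint };
}

// Constructed stand-in for the browser canvas API so this runs under Node.
// Its "pixels" are a deterministic function of the draw calls, standing in for
// the real renderer's output. Each call returns fresh classes, so a guard
// installed on one pair of prototypes does not affect another.
function makeStubCanvasAPI() {
  class StubContext2D {
    constructor(canvas) { this.canvas = canvas; this.ops = []; }
    fillRect(...a) { this.ops.push(['fillRect', ...a]); }
    fillText(...a) { this.ops.push(['fillText', ...a]); }
    getImageData(x, y, w, h) {
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(0x69) };
    }
  }
  class StubCanvas {
    constructor() { this.width = 300; this.height = 150; this._ctx = null; }
    getContext() { return this._ctx || (this._ctx = new StubContext2D(this)); }
    toDataURL() {
      return 'data:image/png;base64,' + JSON.stringify(this.getContext().ops) +
        '|' + this.width + 'x' + this.height;
    }
  }
  return { StubCanvas, StubContext2D };
}

// Demo on constructed input: fingerprint without the guard, then with blocking on.
function demo() {
  const plain = makeStubCanvasAPI();
  const fingerprint = canvasFingerprint(new plain.StubCanvas());
  const guarded = makeStubCanvasAPI();
  const guard = installCanvasReadGuard(guarded.StubCanvas.prototype, guarded.StubContext2D.prototype, { block: true });
  const blocked = canvasFingerprint(new guarded.StubCanvas());
  return { fingerprint, blocked, events: guard.events };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Two things are worth noting. First, in the unguarded run the same draw calls on the same "machine" always hash to the same value, which is the whole point for a tracker: no cookie to delete. Second, the guard has to wrap every read path (`toDataURL`, `toBlob`, `getImageData`, and WebGL's `readPixels` in a real browser), since a script only needs one of them; this example covers the two most common, and a deployed extension such as Chameleon or Privacy Badger would have to cover the rest and also survive a page that grabs the original prototype methods before the extension loads.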
A prior blog post discussed the DuckDuckGo search engine as an alternative to traditional search engines (e.g., Google, Bing, Yahoo) for privacy-conscious users. While there was a discussion on one DuckDuckGo community board about canvas fingerprinting, a DuckDuckGo representative provided this explanation:
"We removed the canvas check when we launched our reimagined/redesigned version earlier this year. This is no longer a concern. On the old DuckDuckGo, its function was to detect if anti-aliasing was turned on, because our old default font (Segoe UI) broke when anti-aliasing was off."
So, the revised DuckDuckGo maintains privacy by design. Consumers can continue using the search engine with confidence in its privacy.
Some consumers may conclude that using apps on their mobile devices instead of a web browser is an effective way to avoid online tracking. Assuming this would be foolish, given the Google lawsuit mentioned above. Plus, the unique device ID number (UDID) on a mobile device is simply a very tempting identifier and tracking mechanism: it does not expire and cannot be cleared the way a cookie can. It is one reason why so many apps want access to consumers' entire address books and other files on their mobile devices.
Download the researchers' report, "The Web Never Forgets: Persistent Tracking In The Wild" (Adobe PDF, 903 K bytes).
What are your opinions of the researchers' report? Of canvas fingerprinting? Of AddThis? Of Google? Of the failure of websites to inform consumers of the online tracking methods used? If you operate a blog or website using technologies from known canvas fingerprinters, please share your thoughts and/or whether you continue to use these technologies.
[Correction: an earlier version of this blog post mentioned a possible privacy problem with the DuckDuckGo.com search engine. The revised blog post above includes an explanation from DuckDuckGo about how their search engine maintains privacy and avoids canvas fingerprinting.]
On Monday, Facebook announced a new feature allowing members to save links to read later. The new feature, aptly called "Save," will be available during the coming days. Facebook described the new feature:
"... people find all sorts of interesting items on Facebook that they don’t have time to explore right away. Now you can save items that you find on Facebook to check out later when you have more time. You can save items like links, places, movies, TV and music. Only you can see the items you save unless you choose to share them with friends."
The announcement described how members can use the Save feature on mobile devices and via the website. If you read news items via Facebook, the new feature is beneficial.
Facebook's Save feature is long overdue, as Twitter has provided its users with the "Favorite" feature for many years. Seems like Facebook is playing catch-up. It introduced searchable hashtags in 2013, and now the Save feature.
The not-so-good elements of FIPA (the Florida Information Protection Act):
"... notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination."
47 states now have passed, amended or proposed data breach notification laws. Shame on the three laggards. I applaud Florida officials for strengthening their state's privacy and data breach notification law, but wish they'd gone further and addressed the above not-so-good items.
What are your opinions of FIPA?
Tuesday evening, House Representative Marsha Blackburn (R-Tennessee) attached an amendment to an existing bill. That amendment was designed to block the Federal Communications Commission (FCC) from stopping existing state laws that prevent broadband competition.
I'll repeat that: 20 states already have laws that prevent broadband competition. In June 2014, the FCC announced plans to challenge these restrictive state laws that limit competition, and keep your Internet prices high. Blackburn and her corporate supporters want to stop the FCC from doing the right thing to protect consumers -- you.
"... to a general government appropriations bill that would prohibit taxpayer funds from being used by the FCC to preempt state laws governing municipal broadband. While Blackburn thinks the FCC shouldn't interfere with states' rights, she doesn't seem to be concerned about states interfering with municipalities' rights to offer their own broadband services..."
The likely reasons why Blackburn introduced this amendment:
"Blackburn received $10,000 from the National Cable & Telecommunications Association this year and last year, according to OpenSecrets.org. She received $12,500 in contributions from Verizon, $10,000 from AT&T, $7,500 from Comcast, and $7,000 from representatives of Time Warner Cable..."
Blackburn provided this spin on her website:
"Blackburn Works To Prevent FCC From Trampling on States' Right"
Blackburn either ignores or doesn't care that in many areas of the country, consumers have only one or two choices for high-speed Internet access, called broadband. Laws in 20 states already prevent broadband competition by stopping cities and towns from building their own (low-cost to users) fiber Internet services. This keeps the monthly prices charged by your Internet Service Provider (ISP) high, and it limits the freedom of consumers to build broadband alternatives through their cities and towns. Bad for you; good for your ISP.
Consumers clearly want and support the freedom to develop local broadband projects. The Electronic Frontier Foundation (EFF) reported:
"Projects like community mesh networks and mayors’ attempts to bring fiber to their cities should never be illegal or stifled by misguided state laws. On the contrary, they should be encouraged. That’s because community and municipal high-speed Internet projects provide users more options."
Without competition, you have no alternatives should your current ISP treat you badly, provide poor customer service, or raise prices. Some consumers already recognize the benefits that come from the freedom to build local (e.g., municipal) broadband services:
"Consider Chattanooga, Tennessee, a city that has better broadband than San Francisco. Chattanooga is home to one of the nation’s least expensive, most robust municipally owned broadband networks. There, users have access to a gigabit (1,000 megabits) per second Internet connection. That’s far ahead of the average US connection speed, which typically clocks in at 9.8 megabits per second. And in the Mt. Pleasant neighborhood of Washington, DC, residents have built their own community-controlled alternative to expensive Internet companies, and it’s free."
Think about that. Faster Internet access at a lower price. I see nothing wrong with that.
Yet, Blackburn sees that as wrong. By working to keep these local laws in 20 states in place, Blackburn and her supporters are basically saying it is okay for corporations to develop broadband services and not people; that corporations have more rights than people.
And, Blackburn tried to camouflage a pro-big-business, anti-consumer, anti-competition, anti-consumer-freedom amendment in "states' rights" language. The last time I heard the "states' rights" claim was 50 years ago during the 1964 national campaigns, when some people opposed the Civil Rights Act of 1964 because they wanted to let businesses arbitrarily refuse service to whomever they wanted. It seems that Representative Blackburn is still stuck in 1964.
"States rights" proponents often advocate a strict adherence to the U.S. Constitution. Last time I looked at the Constitution, it mentioned, "We the people..." and not corporations. To give corporations more rights than the people seems counter to the Constitution.
So, there are two reasons to contact your elected officials, and contact the FCC this week:
What are your opinions of the amendment Blackburn introduced? Of the state laws that already prevent broadband competition?
Based upon files released by former government contractor Edward Snowden, law-abiding people far outnumber the bad guys caught in dragnet surveillance programs by the National Security Agency (NSA). The Washington Post reported:
"Ordinary Internet users, American and non-American alike, far outnumber legally targeted foreigners in the communications intercepted... from U.S. digital networks, according to a four-month investigation by The Washington Post. Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else... Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents..."
The specific activity volume:
"In a June 26 “transparency report,” the Office of the Director of National Intelligence disclosed that 89,138 people were targets of last year’s collection under FISA Section 702. At the 9-to-1 ratio of incidental collection in Snowden’s sample, the office’s figure would correspond to nearly 900,000 accounts, targeted or not, under surveillance."
So, there's probably data collected about a million or more people. In its efforts to target the bad guys the NSA collected lots of data about everyone else. Now we learn that most -- 90 percent -- of that data collected isn't about the bad guys or people legally targeted.
What does this data collection contain? The Washington Post described it:
"Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes... medical records sent from one family member to another, résumés from job hunters and academic transcripts of schoolchildren. In one photo, a young girl in religious dress beams at a camera... Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers..."
That sounds like information the people involved probably don't want disclosed. To understand the size of the sample the Post reviewed:
"The Post reviewed roughly 160,000 intercepted e-mail and instant-message conversations, some of them hundreds of pages long, and 7,900 documents taken from more than 11,000 online accounts."
This data collection highlights the failed oversight mechanisms within government:
"No government oversight body, including the Justice Department, the Foreign Intelligence Surveillance Court, intelligence committees in Congress or the president’s Privacy and Civil Liberties Oversight Board, has delved into a comparably large sample of what the NSA actually collects..."
This data collection highlights what the NSA shares with other agencies:
"The NSA treats all content intercepted incidentally from third parties as permissible to retain, store, search and distribute to its government customers. Raj De, the agency’s general counsel, has testified that the NSA does not generally attempt to remove irrelevant personal content, because it is difficult for one analyst to know what might become relevant to another."
This data collection highlights the rationale NSA analysts use to classify targets as foreign:
"The rationales they use to judge foreignness sometimes stretch legal rules or well-known technical facts to the breaking point.... colleagues and supervisors often remind the analysts that PRISM and Upstream collection have a “lower threshold for foreignness ‘standard of proof’ ” than a traditional surveillance warrant from a FISA judge... One analyst rests her claim that a target is foreign on the fact that his e-mails are written in a foreign language... Others are allowed to presume that anyone on the chat “buddy list” of a known foreign national is also foreign. In many other cases, analysts seek and obtain approval to treat an account as “foreign” if someone connects to it from a computer address that seems to be overseas..."
So, if you or I use a computer in an Internet cafe in another country -- say, Paris, France -- we are likely to be categorized by spy analysts as foreign. That strikes me as very lazy, sloppy, and highly inaccurate spy work. It makes me wonder why our elected officials in Congress who are charged with oversight haven't fought against this lazy, sloppy, and inaccurate classification method.
And, this inaccurate data collection is also wasteful, because the signals used to decide "foreignness" (the apparent source address, or a location in an advertising cookie) are exactly the ones that proxies, VPNs and travel routinely change:
"Apart from the fact that tens of millions of Americans live and travel overseas, additional millions use simple tools called proxies to redirect their data traffic around the world, for business or pleasure. World Cup fans this month have been using a browser extension called Hola to watch live-streamed games that are unavailable from their own countries. The same trick is routinely used by Americans who want to watch BBC video. The NSA also relies routinely on locations embedded in Yahoo tracking cookies, which are widely regarded by online advertisers as unreliable."
So, the NSA is wasting taxpayers' money by collecting a lot of irrelevant data about people not targeted. If that bothers you, I hope that it does. It bothers me, too.
Given that the NSA collects and archives this sensitive data about people who were not targeted (and are innocent), a related and important question follows: how well does the NSA protect this sensitive data once collected? Once again, I thank Edward Snowden for sharing this information so we U.S. citizens can have an informed conversation about our government's spy activities, and decide whether we want this to continue or change, and if so, how.
What are your opinions of these latest surveillance revelations?
The age of multi-billion dollar settlements by banks is fully upon us. On Monday, the U.S. Department of Justice (DOJ) and several state attorneys general (AGs) announced settlements with Citigroup to resolve allegations that the bank misled investors about toxic mortgage-backed securities. The DOJ announcement:
"... a $7 billion settlement with Citigroup Inc. to resolve federal and state civil claims related to Citigroup’s conduct in the packaging, securitization, marketing, sale and issuance of residential mortgage-backed securities (RMBS) prior to Jan. 1, 2009. The resolution includes a $4 billion civil penalty – the largest penalty to date under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). As part of the settlement, Citigroup acknowledged it made serious misrepresentations to the public – including the investing public – about the mortgage loans it securitized in RMBS."
The settlement includes a payment of $4.5 billion to resolve federal and state claims, and $2.5 billion in relief to affected consumers. Attorney General Eric Holder said about the settlement:
“The bank's activities contributed mightily to the financial crisis that devastated our economy in 2008. Taken together, we believe the size and scope of this resolution goes beyond what could be considered the mere cost of doing business. Citi is not the first financial institution to be held accountable by this Justice Department, and it will certainly not be the last.”
The announcement described the bank's unlawful activities:
"... Citigroup made representations to RMBS investors about the quality of the mortgage loans it securitized and sold to investors. Contrary to those representations, Citigroup securitized and sold RMBS with underlying mortgage loans that it knew had material defects. As the statement of facts explains, on a number of occasions, Citigroup employees learned that significant percentages of the mortgage loans reviewed in due diligence had material defects..."
The breakdown of the $4.5 billion payment to settle federal and state claims:
The $2.5 billion payment of relief to affected consumers will include:
An independent monitor will review the payments to ensure that the bank satisfies its obligations. If Citigroup fails to satisfy the settlement agreement by December 2018, it must pay liquidated damages in the amount of the shortfall to NeighborWorks America. Perhaps most importantly, the DOJ stated in its settlement announcement:
"The settlement does not absolve Citigroup or its employees from facing any possible criminal charges."
The bank's quarterly earnings fell by 96 percent due to the settlement payment. This latest settlement is part of a long list of RMBS settlements by the Massachusetts Attorney General:
In response to intelligence reports about possible terrorist attacks by Al Qaeda groups in Yemen, the Transportation Security Administration (TSA) issued new rules for flights inbound to the USA. The New York Times reported:
"... the United States has, for the first time, asked officials at more than a dozen foreign airports to confiscate from passengers any electronic devices that cannot be turned on, American officials said on Monday... Passengers will have to turn on the electronic devices while being screened by security personnel to prove that the devices are harmless, the T.S.A. said Sunday. The fear is that unresponsive phones have been hollowed out and filled with explosives..."
The affected airports are in Europe, the Middle East and Africa. The TSA does not screen passengers at foreign airports. The government agencies in each country perform that task, but:
If you will travel abroad, this means you should make sure that all of your electronic devices (e.g., laptops, smartphones, tablets, etc.) are charged, because you will be asked to turn them on in order to board your flight to the USA. Otherwise, you may have to leave behind your powerless device.
What are your opinions of the new T.S.A. rules?
[Editor's Note: on July 14th the FCC extended the deadline for comments to midnight on Friday, July 18.]
If you care about keeping an open, fair Internet (commonly referred to as "Net Neutrality"), the deadline to submit comments to the Federal Communications Commission (FCC) is Tuesday, July 15.
On May 15, the FCC released this Fact Sheet, which started a four-month period of seeking comments from the public:
"Since February, tens of thousands of Americans have offered their views to the Commission on how to protect an Open Internet. The proposal reflects the substantial public input we have received. The Commission wants to continue to hear from Americans across the country throughout this process. An extended four-month public comment period on the Commission’s proposal will be opened on May 15 – 60 days (until July 15) to submit initial comments and another 57 days (until September 10) for reply comments."
The Fact Sheet also stated:
"This Notice seeks public comment on the benefits of applying Section 706 of the Telecommunications Act of 1996 and Title II of the Communications Act, including the benefits of one approach over the other, to ensure the Internet remains an open platform for innovation and expression. While the Notice reflects a tentative conclusion that Section 706 presents the quickest and most resilient path forward..."
As I explained in a May 15 blog post, this legalese about Section 706 refers to the current classification of broadband as an "information service," meaning slow and fast lanes are allowed, as the courts have held. Title II refers to re-classifying broadband as a telecommunications service (e.g., a utility), which allows the FCC to enforce strict net neutrality as we've all known the Internet to be until now.
Strict net neutrality means that you, the consumer, decides where you go on the Internet. Your Internet Service Provider (ISP) provides you with bandwidth and you decide where to go and what to do with that bandwidth. Without net neutrality, your ISP decides.
The phrase "quickest and most resilient path forward" probably refers to FCC Chairman Tom Wheeler's preference not to re-classify broadband as a telecommunications service, and to avoid a long political battle against ISPs and their lobbyists. Reclassification would allow the FCC to enforce strict net neutrality and prohibit the ISPs from charging both fees to certain website operators (e.g., Netflix and others) and higher fees to consumers for "fast lane" Internet access to those websites that have paid, while relegating website operators that don't pay the fees to the "slow lane."
If you want to learn more, read this analysis by the Center For Internet and Society at Stanford Law School, this summary by the Electronic Frontier Foundation (EFF), and/or the Internet Access section of this blog. What the FCC Fact Sheet omitted was the fact the FCC first classified broadband as an "information service" in 2002, after President George W. Bush had appointed Michael Powell as FCC Chairman in 2001. Before President Obama appointed Wheeler as FCC Chairman, Wheeler served as an industry lobbyist.
To make matters worse, the corporate ISPs have already gained restrictive laws in some states that prevent towns and municipalities from operating their own fiber Internet services. It is fair to ask: how many more jobs and new businesses would have been created in your state (or city) if it had fiber Internet access everywhere? Some local towns tried and got squashed:
"In North Carolina a couple of years ago lobbyists for Time Warner persuaded the state legislature to make it almost impossible, virtually impossible for municipalities to get their own utility... And so now North Carolina, after being beaten up by the incumbents is at the near the bottom of broadband rankings for the United States... All those students in North Carolina, all those businesses that otherwise would be forming, they don't have adequate connections in their towns to allow this to happen..."
Is this fair? Not to me, and I believe you feel similarly. ISPs can't have it both ways: less regulation by killing net neutrality, and restrictive state laws to limit true competition. If you believe that more competition leads to lower prices, then it is fair to wonder how many more jobs would have been created in the USA with broadband reclassified as a telecommunications service (e.g., a utility).
So, it is time for all consumers to do their part and contact the FCC. You have several options:
Of course, besides submitting comments directly to the FCC you should also contact your elected officials. What to tell the FCC? That's your decision. A good first step is to read the FCC's May 15 Fact Sheet, so you submit comments that are brief, relevant and specific to each Proceeding Number, when using method #1 above.
Also, I suggest:
Read and learn more:
Just before the July 4th holiday weekend, the State of California Office of the Attorney General filed a motion in its lawsuit against Corinthian Colleges, Inc. (CCI):
"... asking San Francisco Superior Court for permission to move on an expedited basis to file a supplemental complaint enhancing the original complaint Harris filed against CCI in October 2013, which accused the company of false and predatory advertising, intentional misrepresentations to students, securities fraud, and unlawful use of military seals in advertisements. Wednesday’s motion also indicates Attorney General Harris’ intention to subsequently move for a temporary restraining order and/or preliminary injunction against CCI to force the company to immediately cease its misleading advertisements and inform prospective students about its dire finances."
The California AG office had filed a lawsuit against CCI in October 2013. In a document filed with the U.S. Securities and Exchange Commission on June 19th, CCI informed investors of its serious financial troubles and plans to close or sell its campuses. During the last week of June, CCI signed an agreement with the U.S. Department of Education to close or sell its campuses.
On Monday of this week, the Denver Post reported that the company will sell 85 campuses:
"... including three Everest College campuses in Colorado and WyoTech in Laramie... Corinthian spokesman Kent Jenkins Jr. said WyoTech and Everest College campuses in Colorado Springs, Aurora and Thornton continue to enroll new students and hold classes for those seeking associate's degrees or diploma certifications. A fourth Everest Campus, in North Aurora, was put up for sale in September and stopped enrolling students in February. Corinthian enrolls 72,000 students nationwide, who receive $1.4 billion of federal financial aid annually..."
False and deceptive advertising by for-profit schools is a problem. Consumers don't get the benefits they paid for, and taxpayer money (federal and state), including money meant for veterans' education, is wasted. According to the Center For Investigative Reporting:
"... $600 million dollars in GI bill money had gone to hundreds of for-profit schools in California with low graduation rates and high rates of student loan default."
California AG Kamala D. Harris said in a statement:
"It is unacceptable yet not surprising that Corinthian Colleges continues to illegally target vulnerable Californians—including low income individuals, single mothers and veterans returning from combat—by lying about its dire finances and failing to tell prospective students that the schools to which they apply will all be sold or closed... My office is seeking expedited action to force Corinthian Colleges to put the interests of its students above its rapidly shrinking profits.”
It is a stark and sad reminder that for-profit entities, by design, will put their interests in profit-making ahead of all other interests.
[Editor's Note: Corinthian spokesperson Kent Jenkins, Jr. and I are not related.]