558 posts categorized "Privacy" Feed

Report: Several Impacts From Technology Changes Within The Financial Services Industry

For better or worse, the type of smart device you use can identify you in ways you may not expect. First, a report by London-based Privacy International highlighted the changes within the financial services industry:

"Financial services are changing, with technology being a key driver. It is affecting the nature of financial services from credit and lending through to insurance and even the future of money itself. The field known as “fintech” is where the attention and investment is flowing. Within it, new sources of data are being used by existing institutions and new entrants. They are using new forms of data analysis. These changes are significant to this sector and the lives of the people it serves. We are seeing dramatic changes in the ways that financial products make decisions. The nature of the decision-making is changing, transforming the products in the market and impacting on end results and bottom lines. However, this also means that treatment of individuals will change. This changing terrain of finance has implications for human rights, privacy and identity... Data that people would consider as having nothing to do with the financial sphere, such as their text-messages, is being used at an increasing rate by the financial sector...  Yet protections are weak or absent... It is essential that these innovations are subject to scrutiny... Fintech covers a broad array of sectors and technologies. A non-exhaustive list includes:

  • Alternative credit scoring (new data sources for credit scoring)
  • Payments (new ways of paying for goods and services that often have implications for the data generated)
  • Insurtech (the use of technology in the insurance sector)
  • Regtech (the use of technology to meet regulatory requirements)."

"Similarly, a breadth of technologies are used in the sector, including: Artificial Intelligence; Blockchain; the Internet of Things; Telematics and connected cars..."

While the study focused upon India and Kenya, it has implications for consumers worldwide. More observations and concerns:

"Social media is another source of data for companies in the fintech space. However, decisions are made not on just on the content of posts, but rather social media is being used in other ways: to authenticate customers via facial recognition, for instance... blockchain, or distributed ledger technology, is still best known for cryptocurrencies like BitCoin. However, the technology is being used more broadly, such as the World Bank-backed initiative in Kenya for blockchain-backed bonds10. Yet it is also used in other fields, like the push in digital identities11. A controversial example of this was a very small-scale scheme in the UK to pay benefits using blockchain technology, via an app developed by the fintech GovCoin12 (since renamed DISC). The trial raised concerns, with the BBC reporting a former member of the Government Digital Service describing this as "a potentially efficient way for Department of Work and Pensions to restrict, audit and control exactly what each benefits payment is actually spent on, without the government being perceived as a big brother13..."

Many consumers know that you can buy a wide variety of internet-connected devices for your home. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., sex toys, smart watches for children, mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins). Add your car or truck to the list:

"With an increasing number of sensors being built into cars, they are increasingly “connected” and communicating with actors including manufacturers, insurers and other vehicles15. Insurers are making use of this data to make decisions about the pricing of insurance, looking for features like sharp acceleration and braking and time of day16. This raises privacy concerns: movements can be tracked, and much about the driver’s life derived from their car use patterns..."

And, there are hidden prices for the convenience of making payments with your favorite smart device:

"The payments sector is a key area of growth in the fintech sector: in 2016, this sector received 40% of the total investment in fintech22. Transactions paid by most electronic means can be tracked, even those in physical shops. In the US, Google has access to 70% of credit and debit card transactions—through Google’s "third-party partnerships", the details of which have not been confirmed23. The growth of alternatives to cash can be seen all over the world... There is a concerted effort against cash from elements of the development community... A disturbing aspect of the cashless debate is the emphasis on the immorality of cash—and, by extension, the immorality of anonymity. A UK Treasury minister, in 2012, said that paying tradesman by cash was "morally wrong"26, as it facilitated tax avoidance... MasterCard states: "Contrary to transactions made with a MasterCard product, the anonymity of digital currency transactions enables any party to facilitate the purchase of illegal goods or services; to launder money or finance terrorism; and to pursue other activity that introduces consumer and social harm without detection by regulatory or police authority."27"

The report cited a loss of control by consumers over their personal information. Going forward, the report included general and actor-specific recommendations. General recommendations:

  • "Protecting the human right to privacy should be an essential element of fintech.
  • Current national and international privacy regulations should be applicable to fintech.
  • Customers should be at the centre of fintech, not their product.
  • Fintech is not a single technology or business model. Any attempt to implement or regulate fintech should take these differences into account, and be based on the type activities they perform, rather than the type of institutions involved."

Want to learn more? Follow Privacy International on Facebook, on Twitter, or read about 10 ways of "Invisible Manipulation" of consumers.


Security Researchers Announce Another Method To Defeat Apple Face ID

Bkav-artificial-mask
You may remember, earlier this year Apple launched its iPhone X with Face ID feature for users to unlock their phones:

"Your face is now your password. Face ID is a secure and private new way to unlock, authenticate, and pay... Face ID is enabled by the TrueDepth camera and is simple to set up. It projects and analyzes more than 30,000 invisible dots to create a precise depth map of your face."

Like it or not, there is no security system for your smartphone that can't be defeated. Mashable reported yesterday that security researchers have found another method to defeat Face ID:

"The same Vietnamese team that managed to trick Face ID with an elaborately constructed mask now says it has found a way to create a replicated face capable of unlocking Apple's latest and greatest biometric using a series of surreptitiously snagged photographs. Apple has copped to the fact that Face ID, for all its technical prowess, isn't perfect. It can be tricked by twins. For

The Bkav researchers explained in a blog post how their crude mask defeated Face ID:

"Bkav used a 3D mask (which costs ~200 USD), made of stone powder, with glued 2D images of the eyes. Bkav experts found out that stone powder can replace paper tape (used in previous mask) to trick Face ID' AI at higher scores. The eyes are printed infrared images – the same technology that Face ID itself uses to detect facial image. These materials and tools are casual for anyone. An iPhone X has its highest security options enabled, then has the owner's face enrolled to set up Face ID, then is immediately put in front of the mask, iPhone X is unlocked immediately. There is absolutely no learning of Face ID with the new mask in this experiment."

The same blog post also explained how a three-dimensional model can defeat Face ID:

"Bkav researchers said that making 3D model is very simple. A person can be secretly taken photos in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object.

It can be said that, until now, Fingerprint is still the most secure biometric technology. Collecting a fingerprint is much harder than taking photos from a distance. Meanwhile, just by taking photos from a distance to create 3D objects as mentioned above, both Apple's Face ID and Samsung's Iris Scanner can be bypassed easily."

Experts advise consumers to continue using passcodes, especially for online banking apps. And high-value targets (e.g., senior corporate executives, government officials, politicians, attorneys, etc.) probably shouldn't use facial recognition features to unlock their mobile devices.

I guess that 3-D models will provide law enforcement (and spy agencies) with new ways to use their archived collections of facial images. The Guardian reported earlier this year:

"Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people."

What do you think?


German Regulator Bans Smartwatches For Children

VTech Kidizoom DX smartwatch for children. Select for larger version Parents: considering a smartwatch for your children or grandchildren? Consider the privacy implications first. Bleeping Computer reported on Friday:

"Germany's Federal Network Agency (Bundesnetzagentur), the country's telecommunications agency, has banned the sale of children's smartwatches after it classified such devices as "prohibited listening devices." The ban was announced earlier today... parents are using their children's smartwatches to listen to teachers in the classroom. Recording or listening to private conversations is against the law in Germany without the permission of all recorded persons."

Some smartwatches are designed for children as young as four years of age. Several brands are available at online retailers, such as Amazon and Best Buy.

Why the ban? Gizmodo explained:

"Saying the technology more closely resembles a “spying device” than a toy... Last month, the European Consumer Organization (BEUC) warned that smartwatches marketed to kids were a serious threat to children’s privacy. A report published by the Norwegian Consumer Council in mid-October revealed serious flaws in several of the devices that could easily allow hackers to seize control. "

Clearly, this is another opportunity for parents to carefully research and consider smart device purchases for their family, to teach their children about privacy, and to not record persons without their permission.


Hacked Butt Plug Highlights Poor Security Of Many Mobile Devices

Image of butt plug, Hush by Lovense. Click to view larger version

In a blog post on Tuesday, security researcher Giovanni Mellini  discussed how easy it was to hack a Bluetooth-enabled butt plug. Why this Internet-connected sex toy? Mellini explained that after what started as a joke he'd bought a few weeks ago:

"... a Bluetooth Low Energy (BLE) butt plug to test the (in)security of BLE protocol. This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design."

Another security researcher, Simone Margaritelli had previously discussed a BLE scanner he wrote called BLEAH and how to use it to hack BLE-connected devices. Mellini sought to replicate Margaritelli's hack, and was successful:

"The butt plug can be remotely controlled with a mobile application called Lovense Remote (download here). With jadx you can disassemble the java application and find the Bluetooth class used to control the device. Inside you can find the strings to be sent to the toy to start vibration... So we have all the elements to hack the sex toy with BLEAH... At the end is very easy to hack BLE protocol due to poor design choices. Welcome to 2017."

Welcome, indeed, to 2017. The seems to be the year of hacked mobile devices. Too many news reports about devices with poor (or no) security: the encryption security flaw in many home wireless routers and devices, patched Macs still vulnerable to firmware hacks, a robovac maker's plans to resell interior home maps its devices created, a smart vibrator maker paid hefty fines to settle allegations it tracked users without their knowledge nor consent, security researchers hacked a popular smart speaker, and a bungled software update bricked many customers' smart door locks.

In 2016, security researchers hacked an internet-connected vibrator.

And, that's some of the reports. All of this runs counter to consumers' needs. In August, a survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built in. Are device makers listening?

Newsweek reported:

"Lovense did not immediately respond to a request for comment from Newsweek but the sex toy company has spoken previously about the security of its products. "There are three layers of security," Lovense said in a statement last year. "The server side, the way we transfer information from the user’s phone to our server and on the client side. We take our customer’s private data very seriously, which is why we don’t serve any on our servers." "

I have nothing against sex toys. Use one or not. I don't care. My concern: supposedly smart devices should have robust security to protect consumers' privacy.

Smart shoppers want persons they authorize -- and not unknown hackers -- to remotely control their vibrators. Thoughts? Comments?


Consequences And New Threats From The Massive Equifax Breach

Equifax logo To protect themselves and their sensitive information, many victims of the massive Equifax data breach have signed up for the free credit monitoring and fraud resolution services Equifax arranged. That's a good start. Some victims have gone a step further and placed Fraud Alerts or Security Freezes on their credit reports at Equifax, Experian, and TransUnion. That's good, too. But, is that enough?

The answer to that question requires an understanding of what criminals can do with the sensitive information accessed stolen during the Equifax breach. Criminals can commit types of fraud which credit monitoring, credit report alerts, and freezes cannot stop. Consumer Reports (CR) explained:

"Freezing your credit report specifically at Equifax will also prevent crooks from registering as you at the government website, my Social Security, and block them from attempting to steal your Social Security benefits. But taking these steps won't protect you against every identity fraud threat arising from the Equifax data breach."

Sadly, besides credit and loan fraud the Equifax breach exposed breach victims to tax refund fraud, health care fraud, and driver's license (identity) fraud. This is what makes the data breach particularly nasty. CR also listed the data elements criminals use with each type of fraud:

"With your Social Security number, crooks can file false income tax returns in your name, take bogus deductions, and steal the resulting refund. More than 14,000 fraudulent 2016 tax returns, with $92 million in unwarranted refunds, were detected and stopped by the Internal Revenue Service (IRS) as of last March... Data from the Equifax breach can be used to steal your benefits from private health insurance, Medicare, or Medicaid when the identity thief uses your coverage to pay for his own medical treatment and prescriptions... Using your driver’s license number, identity thieves can create bogus driver’s licenses and hang their moving violations on you...."

The CR article suggested several ways for consumers to protect themselves from each type of fraud: a) request an Identity Protection PIN number from the IRS; b) request copies of your medical file from your providers and review your MIB Consumer File each year; and c) request a copy of your driving license record and get your free annual consumer report from ChexSystemsCertegy, and TeleCheck -  the three major check verification companies.

Never considered reviewing your tax account with the IRS? You can. Never heard of a Consumer MIB File? I'm not surprised. Most people haven't. I encourage consumers to read the entire CR article. While at the CR site, read their review of TrustedID Premier service which Equifax arranged for breach victims. It's an eye-opener.

Do these solutions sound like a lot of preventative work? They are. You have Equifax to thank for that. Will Equifax help breach victims with the time and effort required to research and implement the solutions CR recommended? Will Equifax compensate breach victims for the costs incurred with these solutions? These are questions breach victims should ask Equifax and TrustedID Premier.

Consumers and breach victims are slowly learning the consequences of a data breach are extensive. The consequences include time, effort, money, and aggravation. You might say breach victims have been mugged. Worse, consumers are saddled the burden from the consequences. That isn't fair. The companies making money by selling consumers' credit reports and information should be responsible for the burdens. Things are out of balance.

What are your opinions?


Experts Say the Use of Private Email by Trump’s Voter Fraud Commission Isn’t Legal

[Editor's note: today's guest post is by the reporters at ProPublica. It is reprinted with permission.]

By Jessica Huseman, ProPublica

President Donald Trump’s voter fraud commission came under fire earlier this month when a lawsuit and media reports revealed that the commissioners were using private emails to conduct public business. Commission co-chair Kris Kobach confirmed this week that most of them continue to do so.

Experts say the commission’s email practices do not appear to comport with federal law. "The statute here is clear," said Jason R. Baron, a lawyer at Drinker Biddle and former director of litigation at the National Archives and Records Administration.

Essentially, Baron said, the commissioners have three options: 1. They can use a government email address; 2. They can use a private email address but copy every message to a government account; or 3. They can use a private email address and forward each message to a government account within 20 days. According to Baron, those are the requirements of the Presidential Records Act of 1978, which the commission must comply with under its charter.

"All written communications between or among its members involving commission business are permanent records destined to be preserved at the National Archives," said Baron. "Without specific guidance, commission members may not realize that their email communications about commission business constitute White House records."

ProPublica reviewed dozens of emails to and from members of the commission as well as written directives on records retention. The commissioners appear to have been given no instructions to use government email or copy or forward messages to a government account.

Commissioner Matthew Dunlap, the secretary of state for Maine, confirmed that he’d received no such directives. "That’s news to me," he said, when read the PRA provision governing emails. "I think it would be a little cleaner if I had a us.gov email account."

Dunlap’s account is disputed by Andrew Kossack, the executive director of the commission. Kossack said attorneys from the Government Services Administration provided training on the PRA before the commission’s first meeting on July 19. Kossack provided a copy of the PowerPoint presentation. However, the word "email" appears in only a single slide — with no mention of anything relating to the use of government email.

Notably, the commission did not receive any training in records retention until the July 19 meeting, even though the commission was formed in May and had been actively engaged in commission business.

Indeed, the commission had kicked into high gear on June 28, when it sent a letter to all 50 secretaries of state requesting publicly available voter rolls. The response was swift and negative, and commissioners began receiving a wave of messages from election officials and the public.

Despite this, the commissioners were offered no instructions then on how to preserve communications. Baron said such messages would presumptively be considered presidential records, and "the obligation to preserve such records would have arisen on day one."

In a statement, Kossack denied there is an obligation to provide commissioners with government email addresses. He maintained that the commission is required only to "preserve emails and other records related to work on commission matters, regardless of the forum on which the records are created or sent, which the commission and its members are doing."

After the commission’s most recent meeting, on Tuesday, Kobach confirmed that he plans to continue to use his personal Gmail account to conduct commission business. Using his Kansas secretary of state email address, he said, would be a "waste of state resources" as he’s acting as a private citizen on the commission and not in his role as secretary of state.

Dunlap has interpreted the requirements differently. He’s trying to ensure his state email account is used so that emails can be made available to constituents under Maine state law. Even this is a struggle, he said, asserting that commissioners continue to email him at his personal account despite multiple requests that they send email to his government account.

"I really don’t understand why they keep using my personal Gmail account instead of my official state email. But I’m saving everything!" Dunlap wrote to himself on August 7, when he forwarded a communication from the commission to his government address. He has, it appears, continued to immediately forward all emails sent to his personal address by the commission to his state address.

At ProPublica’s request, Dunlap shared every email he has received or sent relating to the commission. The majority went to personal email accounts.

At their recent meeting in New Hampshire, Kossack provided commissioners printed instructions on how to retain their own emails related to a lawsuit filed against the commission by the Lawyers Committee for Civil Rights Under Law.

Dunlap said these instructions are the only written set of instructions on records retention he recalls receiving. (The instructions leave records retention entirely to the discretion of each member of the commission, which Dunlap said concerns him.)

Past commissions with similar missions were not allowed such wide discretion. The Presidential Commission on Election Administration, formed by the Obama administration in March 2013, provided ethics and records retention training days after commissioners were nominated. Each commissioner was provided with a federal email address that automatically archived all messages. PCEA documents show extensive, specific instructions on records retention and compliance with FACA.

Richard Painter, who served as the George W. Bush administration’s chief ethics lawyer from 2005 to 2007, expressed shock that the current commission is being allowed to rely on personal email accounts (which are to be forwarded to Kossack at their discretion). "This is just sloppy," he said, adding that waiting more than two months to offer ethics training was just another sign that the Trump administration "doesn’t take ethics training seriously."

One footnote: Among the emails provided by Dunlap was a message from Carter Page, a former policy adviser to the Trump campaign who has reportedly attracted the attention of investigators probing the Russia imbroglio. Page sent an email on July 5 to three accounts associated with Kobach and cc’d Dunlap, New Hampshire Secretary of State Bill Gardner and Indiana Secretary of State Connie Lawson. In it, he implored the commission to investigate "the Obama administration’s misuse of federal resources of the Intelligence Community in their unjustified attacks on myself and other volunteers who peacefully supported [Trump’s] campaign as private citizens."

"The work of your commission offers an essential opportunity to take further steps toward helping to further restore the integrity of the American democracy following their abuses of last year," he wrote.

There is no evidence this email was forwarded to a federal email account. Page, Kossack and Kobach did not respond to requests for comment about the email.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


'Map Your Orgasm' - A New Smart Device For Women

Recently, Mashable reported about a new smart device for women:

"The Lioness looks like a pretty standard vibrator on the outside, but inside it has four sensors that measure temperature, the force of muscle contractions, and track the movement of the device. When you’re done with your session, you can sync the Lioness with its app (available for iOS and Android). It then provides you with easy-to-read visualization of what was happening to your body while you were busy getting off. So, yes, essentially it gives you a map of your orgasm. You can also tag each session with different terms so you can track how your health, sleep, alcohol consumption, mood, etc. affect your experiences."

Gives you a map of your orgasm? That's a surprising description. Perhaps, I shouldn't have been surprised. First, there were online tools such as "map my ride" and map my run." Good stuff to help consumers stay healthy. I guess a tool resembling 'map your orgasm' was bound to happen.

Lioness sounds like a much better product name. To learn more, I visited the Lioness site. The home page featured this statement: "Don't worry, we will never share your email or spam you." That's a good start.

Privacy is important; especially with smart devices which collect intimate data about consumers. Earlier this year, news reports described a plan by a smart-device maker to resell the interior home maps its robovacs created. And, another smart vibrator maker paid hefty fines to settle allegations that it tracked users without their knowledge nor consent.

A wise person once said, "the devil is in the details." The privacy policy in a company's website is a good place to hunt for details. While blogging about privacy and identity theft during the last 10 years, I've read plenty of privacy policies. Plenty. I read the Lioness Privacy Policy (dated May 1) and found some notable sections:

"This Privacy Policy applies to our vibrators and other devices (“Devices”), our websites, including but not limited to lioness.io (individually a “Site” and collectively “Sites”), the Lioness software (“Software”) and Lioness mobile applications (the “Apps”). The Devices, Sites, Software and Apps are collectively referred to in this Policy as the “Lioness Service,” and by proceeding to use the Lioness Service you consent that we may handle the data that we collect from you in accordance with this Privacy Policy."

Pretty standard stuff so far. Warning: I'm not an attorney. If you want legal advice, hire an attorney. Like you, I'm just a regular consumer trying to understand smart devices while maintaining as much privacy as possible. Additional sections in the policy I found interesting:

"Sync Your Device
When you sync your Device through an App or the Software, data recorded on your Device is transferred from your Device to our servers. This data is stored and used to provide the Lioness Service and is associated with your account. Each time a sync occurs, we log data about the transmission. Some examples of the log data are the sync time and date, device battery level, and the IP address used when syncing."

Let's unpack that. The vibrator and its mobile app, record the date, time, and battery usage. Combine this with data collected from the four sensors and Lioness will know plenty about your usage: when (date and time), location, duration, preferred movement patterns, and more. It indeed could create a map. More sections in the policy:

"WHY WE COLLECT DATA
Lioness uses your data to provide you with the best experience possible, to help you learn about your body, and to improve and protect the Lioness Service. Here are some examples: i) Contact information is used to send you notifications and to inform you about new features or products... ii) Data and logs are used in research to understand and improve the Lioness Device and Lioness Service; to troubleshoot the Lioness Service; to detect and protect against error, fraud or other criminal activity; and to enforce the Lioness Terms of Service; iii) Aggregate data that does not identify you may be used to inform the health community about trends; for marketing and promotional use..."

Data That Could Identify You
Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you."

Hmmm. The policy does not list all data elements that personally identify you. For me, that's important to know. And, anything recorded on a smartphone can easily be linked to a person using her 10-digit phone number or the mobile device's serial number.

Informed shoppers probably want to know before purchase which other companies (e.g., business partners, affiliates, advertisers, etc.) Lioness shares data with. Its May 1, 2017 privacy policy also states:

"... companies that are contractually engaged in providing Lioness with services, such as order fulfillment, email management and credit card processing. These companies are obligated by contract to safeguard any PII they receive from us..."

"THIRD PARTIES
Lioness will not be responsible for the practices of third parties that Lioness does not own or control or individuals that Lioness does not employ or manage. The information provided by you to other third parties may be subject to their own privacy policies, which may differ from Lioness’s privacy policy. The Lioness Service may contain links to other sites, and we make every effort to only link to sites that share our high standards and respect for privacy. However, we are not responsible for the privacy practices employed by other sites..."

"DATA RETENTION
Lioness reserves the right to retain your PII for as long as your account remains active..."

So, the policy doesn't mention other companies by name. Not good. That makes it tough for consumers to make informed decisions.

Fitness tracking with the MapMyRide app On Facebook, many of my friends regularly share visual maps of their workouts. (See example on right.) That's their freedom of choice. So, some consumers are probably wondering if Lioness offers a similar share function. Again from the privacy policy:

"Community Posts
The Lioness Service may offer discussion forums, message boards, social networking opportunities, chat pages and other public forums or features in which you may provide personal information, materials and related content. If you submit personal information when using these public features, please note that such personal information may be publicly posted and otherwise disclosed and used without limitation or restriction."

So, the policy doesn't mention literal maps, per se. They might or might not provide the feature to users. The key takeaway: the responsibility rests upon the user. Don't share it if you don't want it made public.

It's probably helpful to also know that the product uses Bluetooth technology to perform data syncing. From the Lioness FAQ page:

"Wait...will there be bluetooth in my vagina?
Nope. We know that there are a lot of people who don’t like the idea of bluetooth being on while in use, so we made it so bluetooth automatically turns off when you use it."

Also, the FAQ page mentioned:

"Is my data stored securely and kept confidential?
Absolutely. We thought about privacy and security from the beginning for this product. You are the only one who can access your individual data. Everything is encrypted and we fully anonymize the data..."

That's good, but the privacy policy didn't mention data encryption. I expected it would. Not sure what to make of that.

Is the Lioness a good deal? Only you can decide for yourself -- and you should after reading both the privacy and terms-of-service policies.

Me? In my opinion, there seems to be too much wiggle-room for data sharing. The policy contains a lot of words and nothing special compared to other policies I've read. What are your opinions?


The Bogus Claims By Broadband Providers And Their Allies About Net Neutrality

The Techdirt blog has called out -- in plain language -- the bogus claims and distortions by broadband providers about net neutrality rules. Techdirt reported:

"... one of AT&T, Comcast and Verizon's favorite bogus claims about net neutrality rules is that such consumer protections will somehow prevent the sick or disabled from getting the essential internet connectivity they need. For example, Verizon once tried to claim that the deaf and disabled would be harmed if large ISPs weren't allowed to create fast or slow lanes.. this claim that net neutrality rules somehow prevent ISPs from prioritizing essential medical technologies or other priority traffic has always been bullshit. The FCC's 2015 open internet rules (pdf) are embedded with numerous, significant caveats when it comes to creating fast and slow lanes... In fact, the existing rules go to great lengths to differentiate "Broadband Internet Access Service (BIAS),” (your e-mail, Netflix streams and other more ordinary traffic) from “Non-BIAS data services,” which can include everything from priority VoIP traffic to your heart monitor and other Telemedicine systems."

The U.S. Federal Communications Commission (FCC), led by Ajit Pai a former lawyer at Verizon, moved closer to eliminating net neutrality with a preliminary vote in May. For those who don't know or have forgotten, net neutrality is when consumers are in control -- consumers choose where to go online with the broadband they've purchased, and ISPs must treat all content equally. That means no blocking, no throttling, and no paid prioritization. Net neutrality means consumers stay in control of where they go online.

Without net neutrality, consumers lose the freedom of choice. ISPs will decide where consumers can go online, which sites you can visit, and which sites you can visit only if you pay more. ISPs will likely group web sites into tiers (e.g., slow vs. fast "lanes"), similar to premium cable-TV channels. Do you want your monthly internet bill as confusing, complicated, and expensive as your cable-TV bill? I don't, and I doubt you do either.

TechDirt highlighted other bogus claims:

... how net neutrality kills network investment) doesn't stop it from being circulated repeatedly by the army of politicians, think tankers, consultants, fauxcademics, and lobbyists paid to pee in the net neutrality discourse pool.

One of the core perpetrators of this myth is AT&T, which just scored a massive, lucrative $6.5 billion contract to build the nation's first, unified emergency first responder network: aka FirstNet... AT&T isn't worried about net neutrality rules harming medical services, since they've long-been exempted. AT&T's worried about one thing: any rules stopping it from abusing a lack of broadband competition to drive up prices and engage in anti-competitive behavior."

Back in May, the U.S. Federal Communications Commission (FCC) tmoved closer to eliminating net neutrality with a preliminary vote in May.

What can you do? Plenty. Now is the time for more concerned citizens to rise, speak up, and fight back. Write to your elected officials. Tell your friends, classmates, coworkers, and family members. Use this action form to contact your elected officials. Participate in local marches and protests. Join the Fight For The Future. Support the EFF.


Google And Massachusetts Transportation Department Provide GPS Signals In Tunnels

Smartphone users love their phones. That includes Global Positioning System (GPS) navigation services for driving directions. However, those driving directions don't work in tunnels where phones can't get GPS signals. That is changing.

Google and the Massachusetts Department of Transportation (MassDOT) have entered a partnership to provide GPS navigation services for drivers inside tunnels. If you've familiar with Boston, then you know that portions of both Interstate 93 and the Massachusetts Turnpike include tunnels. The ABC affiliate in Boston, WCVB reported last month that the partnership, part of the Connected Citizens Program, will:

"... install beacons inside Boston's tunnels to help GPS connection stay strong underground. Around 850 beacons are being installed, free of charge, as a part of an ongoing partnership between the state and the traffic app... Installation is scheduled to be complete by the end of July... The beacons are not limited to improving their own app's signal. As long as you are using Bluetooth, they are able to help improve any traffic app's connection."

For those unfamiliar with the technology, beacons are low-powered transmitters which, in this particular application, are installed in the tunnels' walls and provide geographic location information usable by drivers' (or passengers') smartphones passing by (assuming the phones' Bluetooth features are enabled).

Bluetooth beacons are used in a variety of applications and locations. The Privacy SOS blog explained:

"... They’re useful in places where precise location information is necessary but difficult to acquire via satellite. For that reason, they’ve been field tested in museums such as New York’s Metropolitan Museum of Art and airports like London Gatwick. At Gatwick, beacons deliver turn-by-turn directions to users’ phones to help them navigate the airport terminals..."

Within large airports such as Gatwick, the technology can present more precise geolocation data of nearby dining and shopping venues to travelers. According to Bluetooth SIG, Inc., the community of 30,000 companies that use the technology:

"The proliferation and near universal availability of Bluetooth® technology is opening up new markets at all ends of the spectrum. Beacons or iBeacons—small objects transmitting location information to smartphones and powered by Bluetooth with low energy—make the promise of a mobile wallet, mobile couponing, and location-based services possible... The retail space is the first to envision a future for beacons using for everything from in-store analytics to proximity marketing, indoor navigation and contactless payments. Think about a customer who is looking at a new TV and he/she gets a text with a 25 percent off coupon for that same TV and then pays automatically using an online account..."

iBeacons are the version for Apple branded mobile devices. All 12 major automobile makers offer hands-free phone calling systems using the technology. And, social network giant Facebook has developed its own proprietary Bluetooth module for an undisclosed upcoming consumer electronics device.

So, the technology provides new marketing and revenue opportunities to advertisers. TechCrunch explained:

"The Beacons program isn’t looking to get help from individual-driver Wazers in this case, but is looking for cities and tunnel owners who might be fans of the service to step up and apply to its program. The program is powered by Eddystone, a Bluetooth Low Energy beacon profile created by Google that works with cheap, battery-powered BLE Waze Beacon hardware to be installed in participating tunnels. These beacons would be configured to transmit signals to Bluetooth-enabled smartphones... There is a cost to participate — each beacon is $28.50, Waze notes, and a typical installation requires around 42 beacons per mile of tunnel. But for municipalities and tunnel operators, this would actually be a service they can provide drivers, which might actually eliminate frustration and traffic..."

There are several key takeaways here:

  1. GPS navigation services can perform better in previously unavailable areas,
  2. Companies can collect (and share) more precise geolocation data about consumers and our movements,
  3. Consumers' GPS data can now be collected in previously unattainable locations,
  4. What matters aren't the transmissions by beacons, but rather the GPS and related data collected by your phone and the apps you use, which are transmitted back to the apps' developers, and then shared by developers with their business partners (e.g., mobile service providers, smartphone operating system developers, advertisers, and affiliates
  5. You don't have to be a Google user for Google to collect GPS data about you, and
  6. Consumers can expect a coming proliferation of Bluetooth modules in a variety of locations, retail stores, and devices.

So, now you know more about how Google and other companies collect GPS data about you. After analyzing the geolocation data collected, they know not only when and where you go, but also your patterns in the physical world: where you go on certain days and times, how long you stay, where and what you've done before (and after), who you associate with, and more.

Don't like the more precise tracking? Then, don't use the Waze app or Google Maps, delete the blabbermouth apps, or turn off the Bluetooth feature on your phone.

A noted economist once said, "There is no free lunch." And that applies to GPS navigation in tunnels. The price for "free," convenient navigation services means mobile users allow companies to collect and analyze mountains of data about their movements in the physical world.

What are your opinions of GPS navigation services in tunnels? If the city or town where you live has tunnels, have beacons been installed?


Hacked Amazon Echo Converted Into Always-On Surveillance Device

Image of amazon Echo Wired reported how a white-hat hacker provided proof-of-concept that a popular voice-activated, smart home speaker could easily be hacked:

"... British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion."

Amazon sells both new and refurbished speakers. Newer models also include cameras. All are probably high-value targets of hackers and spy agencies.

Reportedly, Amazon has fixed the security vulnerability in newer (2017) models. The company advises customers to keep the software on their speakers current, and purchase speakers from trusted retailers. However (bold emphasis added):

"... Barnes agrees that his work should serve as a warning that Echo devices bought from someone other than Amazon—like a secondhand seller—could be compromised. But he also points out that, contrary to the implication of the company's statement, no software update will protect earlier versions of the Echo, since the problem is in the physical connection its hardware exposes.

Instead, he says that people should think twice about the security risks of using an Echo in public or semipublic places, like plans for the Wynn Hotel in Las Vegas to put an Echo in every room."

Voice-activated smart speakers in hotel lobbies and rooms. Nothing could go wrong with that. All it takes is a prior guest, or criminal posing as a hotel staff or cleaning person, to hack and compromise one or more older devices. Will hotels install the newer devices? Will they inform guests?

For guaranteed privacy, it seems hotel guests may soon have to simply turn off (or mute) smart speakers, smart televisions, and personal assistants. Convenience definitely has its price (e.g., security and privacy). What do you think?


Survey: 90 Percent Of Consumers Want Smart Devices With Security Built In

A recent survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built into the products. Also, 78 percent said they are aware that any smart device connected to their home WiFi network is vulnerable to attacks by hackers wanting to steal personal data stored on the device.

Security importance by country. Irdeto Global Consumer IoT Security Survey. Select to view larger version The Irdeto Global Consumer IoT Security Survey, conducted online from June 22, 2017 to July 10, 2017 by YouGov Plc for Irdeto, included 7,882 adults (aged 18 or older) in six countries: Brazil, China, Germany, India, United Kingdom, and United States. Irdeto provides security solutions to protect platforms and applications for media, entertainment, automotive and Internet-of-things (IoT) connected industries.

Additional key findings:

"... 72% of millennials (ages 18-24 years) indicated that they are aware that any smart device connected to the Wi-Fi in their home has the potential to be targeted by a hacker, compared to 82% of consumers 55+. This indicates that older generations may be more savvy about IoT security or more cautious... More than half of consumers around the globe (56%) think that it is the responsibility of both the end-user and the manufacturer of the product to prevent hacking of smart devices. Alternatively, only 15% of consumers globally think they are responsible, while 20% feel the manufacturer of the device is responsible for cybersecurity. In China, more consumers than any other country surveyed (31%) stated that it is the responsibility of manufacturers. Brazilians led all countries surveyed (23%) in the belief that it is the responsibility of the end-user to prevent hacking of connected devices... Germans expressed the least concern with nearly half (42%) stating that they are not concerned about smart devices being hacked. On the opposite end of the spectrum, Brazilian smart device owners expressed the most concern with 88% of those surveyed saying they were concerned...

And, smart device usage varies by country:

"Regarding the number of smart devices consumers own, 89% of those surveyed have at least one connected device in their home. In addition, 81% of consumers across the globe admitted to having more than one connected device in the home. India led all countries with a staggering 97% of consumers stating that they have at least one smart device in the home, compared to only 80% of US consumers..."

Read the announcement by Irdeto. View the full infographic.

Device security responsibility. Irdeto Global Consumer IoT Security Survey. Select to view larger version


Robotic Vacuum Cleaner Maker To Resell Data Collected Of Customers' Home Interiors

iRobot Roomba autonomous vacuum. Click to view larger image Do you use a robovac -- an autonomous WiFi-connected robotic vacuum cleaner -- in your home? Do you use the mobile app to control your robovac?

Gizmodo reports that iRobot, the maker of the Roomba robotic vacuum cleaner, plans to resell maps generated by robovacs to other smart-home device manufacturers:

"While it may seem like the information that a Roomba could gather is minimal, there’s a lot to be gleaned from the maps it’s constantly updating. It knows the floor plan of your home, the basic shape of everything on your floor, what areas require the most maintenance, and how often you require cleaning cycles, along with many other data points... If a company like Amazon, for example, wanted to improve its Echo smart speaker, the Roomba’s mapping info could certainly help out. Spatial mapping could improve audio performance by taking advantage of the room’s acoustics. Do you have a large room that’s practically empty? Targeted furniture ads might be quite effective. The laser and camera sensors would paint a nice portrait for lighting needs..."

Think about it. The maps identify whether you have one, none, or several sofas -- or other large furniture items. The maps also identify the size, square footage, of your home and the number of rooms. Got a hairy pet? If your robovac needs more frequently cleaning, that data is collected, too.

One can easily confirm this by reading the iRobot Privacy Policy:

"... Some of our Robots are equipped with smart technology which allows the Robots to transmit data wirelessly to the Service. For example, the Robot could collect and transmit information about the Robot’s function and use statistics, such as battery life and health, number of missions, the device identifier, and location mapping. When you register your Robot with the online App, the App will collect and maintain information about the Robot and/or App usage, feature usage, in-App transactions, technical specifications, crashes, and other information about how you use your Robot and the product App. We also collect information provided during set-up.

We use this information to collect and analyze statistics and usage data, diagnose and fix technology problems, enhance device performance, and improve user experience. We may use this information to provide you personalized communications, including marketing and promotional messages... Our Robots do not transmit this information unless you register your device online and connect to WiFi, Bluetooth, or connect to the internet via another method."

Everything seems focused upon making your robovac perform optimally. Seems. Read on:

"When you access the Service by or through a mobile device, we may receive or collect and store a unique identification numbers associated with your device or our mobile application (including, for example, a UDID, Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data, including GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your mobile device..."

Use the mobile app and your robovac's unique ID number can easily be associated with other data describing you, where you live, and your lifestyle. Valuable stuff.

Another important section of the privacy policy:

"We may share your personal information in the instances described... i) Other companies owned by or under common ownership as iRobot, which also includes our subsidiaries or our ultimate holding company and any subsidiaries it owns. These companies will use your personal information in the same way as we can under this Policy; ii) Third party vendors, affiliates, and other service providers that perform services on our behalf, solely in order to carry out their work for us, which may include identifying and serving targeted advertisements, providing e-commerce services, content or service fulfillment, billing, web site operation, payment processing and authorization, customer service, or providing analytics services.

Well, there seems to be plenty of wiggle room for iRobot to resell your data. And, that assumes it doesn't change its privacy policy to make resales easier. Note: this is not legal advice. If you want legal advice, hire an attorney. I am not an attorney.

The policy goes on to describe customers' choices with stopping or opting out of data collection programs for some data elements. If you've read that, then you know how to opt out of as much as possible of the data collection.

The whole affairs highlights the fact that the data collected from different brands of smart devices in consumers' homes can be combined, massaged, and analyzed in new ways -- ways in which probably are not apparent to consumers, and which reveal more about you than often desired. And, the whole affair is a reminder to read privacy policies before purchases. Know what valuable personal data you will give away for convenience.

Eyes wide open.

Got an autonomous robotic lawn mower? You might re-read the privacy policy for that, too.


Wisconsin Employer To Offer Its Employees ID Microchip Implants

Microchip implant to be used by Three Square Market. Click to view larger version A Wisconsin company said it will offer to its employees starting August 1 the option of having microchip identification implants. The company, Three Square Market (32M), will allow employees with the microchip implants to make purchases in the employee break room, open locked doors, login to computers, use the copy machine, and related office tasks.

Each microchip, about the size of a grain of rice (see photo on the right), would be implanted under the skin in an employee's hand. The microchips use radio-frequency identification (RFID), a technology that's existed for a while and has been used in variety of devices: employee badges, payment cards, passports, package tracking, and more. Each microchip electronically stores identification information about the user, and uses near-field communications (NFC). Instead of swiping a payment card, employee badge, or their smartphone, instead the employee can unlock a device by waving their hand near a chip reader attached to that device. Purchases in the employee break room can be made by waving their hand near a self-serve kiosk.

Reportedly, 32M would be the first employer in the USA to microchip its employees. CBS News reported in April about Epicenter, a startup based in Sweden:

"The [implant] injections have become so popular that workers at Epicenter hold parties for those willing to get implanted... Epicenter, which is home to more than 100 companies and some 2,000 workers, began implanting workers in January 2015. Now, about 150 workers have [chip implants]... as with most new technologies, it raises security and privacy issues. While biologically safe, the data generated by the chips can show how often an employee comes to work or what they buy. Unlike company swipe cards or smartphones, which can generate the same data, a person cannot easily separate themselves from the chip."

In an interview with Saint Paul-based KSTP, Todd Westby, the Chief Executive Officer at 32M described the optional microchip program as:

"... the next thing that's inevitably going to happen, and we want to be a part of it..."

To implement its microchip implant program, 32M has partnered with Sweden-based BioHax International. Westby explained in a company announcement:

"Eventually, this technology will become standardized allowing you to use this as your passport, public transit, all purchasing opportunities... We see chip technology as the next evolution in payment systems, much like micro markets have steadily replaced vending machines... it is important that 32M continues leading the way with advancements such as chip implants..."

"Mico markets" are small stores located within employers' offices; typically the break rooms where employees relax and/or purchase food. 32M estimates 20,000 micro markets nationwide in the USA. According to its website, the company serves markets in North America, Europe, Asia, and Australia. 32M believes that micro markets, aided by chip implants and self-serve kiosk, offer employers greater employee productivity with lower costs.

Yes, the chip implants are similar to the chip implants many pet owners have inserted to identify their dogs or cats. 32M expects 50 employees to enroll in its chip implant program.

Reportedly, companies in Belgium and Sweden already use chip implants to identify employees. 32M's announcement did not list the data elements each employee's microchip would contain, nor whether the data in the microchips would be encrypted. Historically, unencrypted data stored by RFID technology has been vulnerable to skimming attacks by criminals using portable or hand-held RFID readers. Stolen information would be used to cloned devices to commit identity theft and fraud.

Some states, such as Washington and California, passed anti-skimming laws. Prior government-industry workshops about RFID usage focused upon consumer products, and not employment concerns. Earlier this year, lawmakers in Nevada introduced legislation making it illegal to require employees to accept microchip implants.

A BBC News reporter discussed in 2015 what it is like to be "chipped." And as CBS News reported:

"... hackers could conceivably gain huge swathes of information from embedded microchips. The ethical dilemmas will become bigger the more sophisticated the microchips become. The data that you could possibly get from a chip that is embedded in your body is a lot different from the data that you can get from a smartphone..."

Example: employers installing RFID readers for employees to unlock bathrooms means employers can track when, where, how often, and the duration employees use bathrooms. How does that sound?

Hopefully, future announcements by 32M will discuss the security features and protections. What are your opinions? Are you willing to be an office cyborg? Should employees have a choice, or should employers be able to force their employees to accept microchip implants? How do you feel about your employer tracking what you eat and drink via purchases with your chip implant?

Many employers publish social media policies covering what employees should (shouldn't, or can't) publish online. Should employers have microchip implant policies, too? If so, what should these policies state?


CBP Responds To Senator's Query About Border Searches Of Returning Travelers' Devices

This has implications for all U.S. citizens returning to the country from international travel; business or vacation. An important exchange occurred recently between government officials about Fourth Amendment rights and protections, or the lack thereof, for citizens.

Earlier this year, U.S. Senator Ron Wyden (D-Oregon) sent a letter (Adobe PDF) asking the Department of Homeland Security (DHS), the parent agency of U.S. Customs & Border Protection (CBP), about CBP's detaining of citizens returning from international travel, and warrantless demands to access citizens' locked mobile devices. The Senator's letter read in part:

U.S. Department of Homeland Security logo "Dear Secretary Kelly,
I am alarmed by recent media reports of Americans being detained by CBP and pressured to give CBP agents access to their smartphone PIN numbers or otherwise provide access to locked devices. These reports are particularly troubling, particularly in light of your recent comments suggesting that CBP might begin demanding social media passwords from visitors to the United States. With those passwords, CBP may then be able to log into accounts and access data that they would only be able to get from Internet companies with a warrant. Circumventing the normal protections for such private information is simply unacceptable.

There are well-established rules governing how law enforcement agencies may obtain data from social media companies and email providers... In addition to violating the privacy and civil liberties of travelers, these digital dragnet border search practices weaken our national and economic security. Indiscriminate digital searches distract CBP from its core mission and needlessly divert agency resources away from those who truly threaten our nation. Likewise, if businesses fear their data can be seized when employees cross the border, they may reduce non-essential employee international travel, or deploy technical countermeasures..."

Senator Wyden's concerns focus upon the rights of companies and individuals to protect intellectual property, without which many businesses -- large, small, startups, and journalists -- cannot operate. Senator Wyden asked for a response from DHS by March 20, 2017 with answers to five questions (links added):

"1. What legal authority permits CBP to ask for, or demand, as a condition of entry, that a U.S. person disclose their social media or email password?
2. How is CBP use of a traveler's password to gain access to data stored in the cloud consistent with the Computer Fraud And Abuse Act?
3. What legal authority permits CBP to ask for, or demand, as a condition of entry, that a U.S. person turn over their device PIN or password to gain access to encrypted data? How are such demands consistent with the Fifth Amendment?
4. How many times in each calendar year 2012 - 2016 did CBP ask for, or demand, as a condition of entry, that a U.S. person disclose a smartphone or computer password, or otherwise provide access to a locked smartphone or computer? How many times has this occurred since January 20, 2017?
5. How many times in each calendar year 2012, 2013, 2014, 2015,and 2016 did CBP ask for, or demand, as a condition of entry, that a U.S. person disclose a social media or email account password, or otherwise provide CBP personnel access to data stored in an online account? How many times has this occurred since January 20, 2017?"

In April, Senator Wyden, with Senator Rand Paul (R-Kentucky), Representative Jared Polis (D-Colorado), and Representative Blake Farenthold (R-Texas) introduced the Protecting Data at the Border Act (PDBA) to ensure that U.S. citizens are not forced to endure indiscriminate and suspicion-less searches of their phones, laptops and other digital devices when crossing the United State's borders.

U.S. Customs and Border Protection logo On June 20, Kevin McAleenan, the Nominee for CBP Commissioner, responded to Senator's Wyden's letter. NBC News reported:

"U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News. The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn't have that authority in the first place... McAleenan's letter says officers can search a phone without consent and, except in very limited cases, without a warrant or even suspicion — but only for content that is saved directly to the device, like call histories, text messages, contacts, photos and videos... Travelers don't even have to unlock their devices or hand over their passwords when asked — but if they refuse, officers can "detain" the phone, McAleenan wrote."

When your phone or mobile device is detained, that means CBP agents keep it for a time before returning it to you. So, while you may enter the country fairly quickly, your seized device(s) may not. There are notable horror stories about travelers returning to the United States. It doesn't matter if the device is yours or your employer's.

McAleenan's letter did not answer questions #4 and #5 about search activity. Not good. In fact, the letter stated:

"DHS's May 9, 2017 letter stated that CBP did not have data responsive to this request."

Huh? This seems incredulous. Consider this scenario: a CBP agent detains a citizen's device(s) and inspects those devices (with or without the assistance of another federal agency). McAleenan's response would have us believe that the CBP doesn't have data documenting this event. This implies that the CBP either doesn't collect or doesn't maintain records of how its agents account for their time: when, where, why, the duration, which agents inspected, and types of devices inspected; nor when the detained device was ultimately returned to its owner. It also implies that the CBP doesn't have any records (e.g., doesn't know) about when, where, or the amount of data uploaded from detained devices and stored in CBP databases. This seems unbelievable and a huge managerial failure.

During my business career I had to submit and complete data into several online time-tracking systems; which tracked workers' time down to 15 minute intervals. Perhaps, it is appropriate to query the CBP about its time-tracking systems. Some ad hoc queries may yield responsive data.

Moreover, the CBP site contains and displays plenty of statistics about the agency's operations (e.g., staffing, sector performance, etc.) and enforcement (e.g., "inadmissibles," illegal aliens apprehended, arrests of wanted criminals, drug seizures, gang affiliated enforcement, etc.), but nothing about citizens detained for device searches nor the volume of passwords collected.

More about that in a few minutes. So, keep reading.

What to make of this? U.S. citizens have no Fourth Amendment rights when traveling across our borders. Not good. It doesn't matter whether you are law-abiding or not. Not good. Why? How? McAleenan's letter confirmed it:

"While 8 U.S.C. 1357 is an example of CBP's authority to conduct a search in the immigration context, CBP currently operates under a host of additional statutory authorities that more broadly provide that all persons, baggage, and merchandise arriving, or departing from, the United States are subject to search, inspection, and detention. See, e.g., 19 U.S.C. 1461; 1496; 1499. Those statutory Customs authorities are applicable to all travelers entering the United States, regardless of their citizenship.

"On this point, because CBP must determine the admissibility of both the traveler and his or her goods and baggage, even after a returning U.S. citizen has established their identity and U.S. citizenship, CBP may conduct a border search of the goods he or she is seeking to bring into the country to ensure that those goods are permitted to enter. In other words, because any traveler may be carrying an electronic device that contains evidence relating to offenses such as terrorism, illegal smuggling, child pornography, CBP's authority to search such a device at the border does not depend upon the citizenship of the traveler.

In the exceedingly rare instances when CBP seeks to conduct a border search of information in an electronic device -- which affects less than one-hundredth of one percent of travelers arriving to the United States because of a need to inspect that traveler's device. Therefore, although CBP may detain an arriving traveler's electronic device for further examination, in the limited circumstances when that is appropriate, CBP will not prevent a traveler who is confirmed to be a U.S. citizen from entering the country because of a need to conduct that additional examination..."

U.S. international travel statistics for Fiscal year 2016. The U.S. Customs and Border Protection. Click to view larger version Exceedingly rare? Perhaps on a percentage basis. We know from the CBP statistics page:

"CBP officers processed more than 390 million travelers at air, land, and sea ports of entry in FY2016, including more than 119 million travelers at air ports of entry..."

Some simple math using data supplied by the CBP: 0.01 percent X 390 million = 39,000 passengers during 2016 who have had their electronic devices detained and searched for information. Next, multiple that annual total by 10 or more years. The true total fast approaches half a million incidents.

Plus, the detainment and search rate may not be rare at all for frequent travelers. Some jobs require employees to travel frequently to international destinations.

Also, the above statement highlights the CBP approach: all travelers entering the country are presumed to be threats without any supporting data or evidence. No Fourth Amendment protections for U.S. citizens at our borders. Do you find this troubling? I hope that you do. Contact your elected representatives and demand that they support the Protecting Data at the Border Act.

A wise friend once said, "You just can't run away from the Fourth Amendment." I agree. What do you think?


Coming Soon: A New HD Video Standard For TV. Will Over-The-Air Broadcasts Remain Free?

Federal communications Commission logo Soon, consumers will hear about improvements in over-the-air broadcast television. Free, broadcast television has been around since forever, and High Definition (HD) broadcast signals have been around since 2009. Many consumers have chosen free, over-the-air broadcast television to avoid expensive monthly cable-TV bills.

Consumer Reports explained:

"Technically called ATSC 3.0, the new broadcast standard is—thankfully—being more generally billed as "Next-Gen Broadcast TV." There are a few big differences between our current ATSC 1.0 broadcasts and the new ones we'll receive as part of ATSC 3.0. A key one is that the new standard is IP (internet protocol)-based, which means it can carry internet content alongside traditional TV broadcasts. The broadcasts can also include 4K video and high dynamic range (HDR) content—the two biggest selling points in TVs right now."

And, consumers will be able to receive the new HD broadcast signals on their smart phones. Reportedly, the coming ATSC 3.0 standard will use a more efficient video format, called HEVC or H.265, which streaming services already use.

Last year, WRAL-TV in Raleigh, North Carolina began to broadcast using the new standard with a documentary, "Take Me Out To the Bulls' Game." The U.S. Federal Communications Commission (FCC) announced in February a Notice of Proposed Rulemaking (NPRM) which sought comments from the public about the new HD broadcast standard. That FCC announcement stated, in part:

"ATSC 3.0 has the potential to greatly improve broadcast signal reception on mobile devices and television receivers without outdoor antennas.  It is also intended to enable broadcasters to offer enhanced and innovative new features to consumers, including Ultra High Definition picture and immersive audio, more localized programming content, an advanced emergency alert system capable of waking up sleeping devices to warn consumers of imminent emergencies, improved accessibility options, and interactive services.

A coalition of broadcast and consumer electronics industry representatives petitioned the Commission to allow the use of the new standard. The upgraded technology is intended to merge the capabilities of over-the-air broadcasting with the broadband viewing and information delivery methods of the Internet using the same 6 MHz channels presently allocated for digital television (DTV)."

Like most things in life, details matter. Consumer Reports warned:

"... Jonathan Schwantes, senior policy counsel at Consumers Union, the policy and mobilization arm of Consumer Reports, says that some consumers could lose the ability to get some ATSC 1.0 signals if the host station is located farther away than their current broadcaster.

"Our position is that next-gen TV can and will be beneficial to consumers if implemented by the FCC in a measured and conscientious manner," he says. That could include making sure the current coverage areas are preserved as much as possible, not allowing broadcasters to downgrade the quality of ATSC 1.0 broadcasts from high to standard definition, and providing consumers with education on issues such as the timing of the transition and what new equipment they may need."

So, some broadcasters might choose to cut corners while migrating to the new standard: reduce their existing HD over-the-air signal strength, degrade their existing HD signal quality, or both. Not good.

And, there's more bad news for consumers. The new HD broadcast standard may cost more. You're probably wondering how, since over-the-air broadcasts have been free since television was introduced. Consumer Reports explained:

"... broadcasters could encrypt at least part of their programming, and require users to create an account and pay for access to certain features. No details are available on how this would work from the consumer's point of view. Consumers Union and other groups say they will insist that consumers continue to have access to free over-the air high-definition TV reception."

The new HD broadcast standard should not include hidden costs or new fees for consumers. For many consumers, new televisions are expensive and out of reach. Many consumers have chosen to "cut the cord" to save money. For these consumers, free over-the-air broadcast television is vital.

Nor should broadcasters be able to cut corners and force consumers to the new HD standard by degrading their existing HD signal strength and/or quality. The new HD broadcast standard should be voluntary for consumers. Nor should consumers be forced to submit to broadcasters their personal, contact, and payment information. One of the benefits of over-the-air broadcasts is privacy.

The next-gen TV standard offers benefits to both consumers and broadcasters. The FCC must balance the needs of both, and not serve only one group. The industry uses the term "Multi-channel Video Programming Distributors" (MVPD) to describe companies that provide video content. These MVPD companies include video producers and distributors: legacy cable-TV providers, TV networks, and others that provide programming via cable, the Internet, and over-the-air broadcasts.

Some MVPDs do both: produce and distribute video content. These MVPDs have a financial bias to force consumers from free over-the-air broadcasts to their proprietary, higher cost distribution networks (e.g., cable, internet). Consumers must have the freedom to choose how they consumer video content, and not have a distribution network forced upon them via bundling, "retransmission consent system," or other MVPD tactics.

What are retransmission consent systems? This 16-142 filing by Consumer's Union, Public Knowledge, and New America's Open Technology Institute explained (Adobe PDF):

"It is increasingly axiomatic that, when MVPDs and broadcast groups engage in retransmission consent negotiations, consumers end up suffering, or footing the bill, or both. Increased broadcast retransmission consent fees are passed on to consumers by MVPDs who have little choice but to accept most broadcaster demands or face crippling blackouts.... Large MVPDs, and those which also own broadcast interests, also use the retransmission consent process to extract favorable terms, potentially limiting the growth or viability of competitive video services. Comcast, for example, is rumored to have fleshed out its fledgling over-the-top (OTT) service by exercising most-favored-nation clauses in many of its carriage contracts. Comcast can only demand such favorable contract terms due to its dominant position in the video delivery marketplace, and once again, consumers are left holding the bag..."

So, the FCC must not make things worse for consumers by allowing the new HD broadcast standard to reduce competition and raise prices. Higher prices may be good for MVPDs (and their stockholders) but not for consumers.

If you want to submit a comment or read comments already submitted about the new HD broadcast standard, search for the 16-142 Filing within the FCC's Electronic Filing & Comment System (ECFS). At press time, only 167 persons, companies, and entities had submitted filings and comments (compared to 2,869,632 comments via ECFS about Net Neutrality). Not good.

What are your opinions about the new HD video broadcast standard?


Hacking Group Reported Security Issues With Samsung 8 Phone's Iris Recognition

Image of Samsung Galaxy S8 phones. Click to view larger version The Computer Chaos Club (CCC), a German hacking group founded in 1981, posted the following report on Monday:

"The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers... The Samsung Galaxy S8 is the first flagship smartphone with iris recognition. The manufacturer of the biometric solution is the company Princeton Identity Inc. The system promises secure individual user authentication by using the unique pattern of the human iris.

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method."

The Samsung Galaxy S8 runs the Android operating system, claims a talk time of up to 30 hours, has a screen optimized for virtual reality (VR) apps, and features Bixby, an "... intelligent interface that is built into the Galaxy S8. With every interaction, Bixby can learn, evolve and adapt to you. Whether it's through touch, type or voice, Bixby will seamlessly help you get things done. (Voice coming soon)"

The CCC report also explained:

"Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. "If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication," says Dirk Engling, spokesperson for the CCC."

Phys.org reported that Samsung executives are investigating the CCC report. Samsung views the Galaxy S8 as critical to the company's performance given the Note 7 battery issues and fires last year.

Some consumers might conclude from the CCC report that the best defense against against iris hacks would be to stop posting selfies. This would be wrong to conclude, and an insufficient defense:

"The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed... Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems."

So, more photos besides selfies could reveal your iris details. The CCC report also reminded consumers of the security issues with using fingerprints to protect their devices:

"CCC member and biometrics security researcher starbug has demonstrated time and again how easily biometrics can be defeated with his hacks on fingerprint authentication systems – most recently with his successful defeat of the fingerprint sensor "Touch ID" on Apple’s iPhone. "The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris," Dirk Engling remarked."

What are your opinions of the CCC report?


The Guardian Site Reviews Documents Used By Facebook Executives To Moderate Content

Facebook logo The Guardian news site in the United Kingdom (UK) published the findings of its review of "The Facebook Files" -- a collection of documents which comprise the rules used by executives at the social site to moderate (e.g., review, approve, and delete) content posted by the site's members. Reporters at The Guardian reviewed:

"... more than 100 internal training manuals, spreadsheets and flowcharts that give unprecedented insight into the blueprints Facebook has used to moderate issues such as violence, hate speech, terrorism, pornography, racism and self-harm. There are even guidelines on match-fixing and cannibalism.

The Facebook Files give the first view of the codes and rules formulated by the site, which is under huge political pressure in Europe and the US. They illustrate difficulties faced by executives scrabbling to react to new challenges such as “revenge porn” – and the challenges for moderators, who say they are overwhelmed by the volume of work, which means they often have “just 10 seconds” to make a decision..."

The Guardian summarized what it learned about Facebook's revenge porn rules for moderators:

Revenge porn content rules found by The Guardian's review of Facebook documents

Reportedly, Facebook moderators reviewed as many as 54,000 cases in a single month related to revenge porn and "sextortion." In January of 2017, the site disabled 14,000 accounts due to this form of sexual violence. Previously, these rules were not available publicly. Findings about other rules are available at The Guardian site.

Other key findings found by The Guardian during its document review:

"One document says Facebook reviews more than 6.5m reports a week relating to potentially fake accounts – known as FNRP (fake, not real person)... Many moderators are said to have concerns about the inconsistency and peculiar nature of some of the policies. Those on sexual content, for example, are said to be the most complex and confusing... Anyone with more than 100,000 followers on a social media platform is designated as a public figure – which denies them the full protections given to private individuals..."

The social site struggles with how to handle violent language:

"Facebook’s leaked policies on subjects including violent death, images of non-sexual physical child abuse and animal cruelty show how the site tries to navigate a minefield... In one of the leaked documents, Facebook acknowledges “people use violent language to express frustration online” and feel “safe to do so” on the site. It says: “They feel that the issue won’t come back to them and they feel indifferent towards the person they are making the threats about because of the lack of empathy created by communication via devices as opposed to face to face..."

Some industry watchers in Europe doubt that Facebook can do what it has set out to accomplish, lacks sufficient staff to effectively moderate content posted by almost 2 billion users, and Facebook management should be more transparent about its content moderation rules. Others believe that Facebook and other social sites should be heavily fined "for failing to remove extremist and hate-crime material."

To learn more, The Guardian site includes at least nine articles about its review of The Facebook Files:

Collection of articles by The Guardian which review Facebook's content policies. Click to view larger version


Any Half-Decent Hacker Could Break Into Mar-a-Lago

[Editor's Note: Today's guest blog post is by the reporters at ProPublica. The article explores the security issues about key locations the President visits repeatedly and does business at. It was originally published yesterday, and is reprinted with permission.]

by Jeff Larson and Julia Angwin, ProPublica; and by Surya Mattu, Gizmodo

Two weeks ago, on a sparkling spring morning, we went trawling along Florida's coastal waterway. But not for fish.

We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.

A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.

We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.

The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.

"Those networks all have to be crawling with foreign intruders, not just ProPublica," said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.

Security lapses are not uncommon in the hospitality industry, which -- like most industries and government agencies -- is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.

U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain's National Health Service to Russia's Interior Ministry.

Since the election, Trump has hosted Chinese President Xi Jinping, Japanese Prime Minister Shinzo Abe and British politician Nigel Farage at his properties. The cybersecurity issues we discovered could have allowed those diplomatic discussions -- and other sensitive conversations at the properties -- to be monitored by hackers.

The Trump Organization follows "cybersecurity best practices," said spokeswoman Amanda Miller. "Like virtually every other company these days, we are routinely targeted by cyberterrorists whose only focus is to inflict harm on great American businesses. While we will not comment on specific security measures, we are confident in the steps we have taken to protect our business and safeguard our information. Our teams work diligently to deploy best-in-class firewall and anti-vulnerability platforms with constant 24/7 monitoring."

The White House did not respond to repeated requests for comment.

Trump properties have been hacked before. Last year, the Trump hotel chain paid $50,000 to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbers. Prosecutors alleged that hotel credit card systems were "the target of a cyber-attack" due to poor security. The company agreed to beef up its security; it's not clear if the vulnerabilities we found violate that agreement. A spokesman for the New York attorney general declined comment.

Our experience also indicates that it's easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded. We drove a car past the front of Mar-a-Lago and parked a boat near its lawn. We drove through the grounds of the Bedminster golf course and into the parking lot of the golf course in Sterling, Virginia. No one questioned us.

Both President Obama and President Bush often vacationed at the more traditional presidential retreat, the military-run Camp David. The computers and networks there and at the White House are run by the Defense Information Systems Agency.

In 2016, the military spent $64 million on maintaining the networks at the White House and Camp David, and more than $2 million on "defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats" from hacking those networks.

Even after spending millions of dollars on security, the White House admitted in 2015 that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter. All staffers who work at the White House are told that "there are people who are actively watching what you are doing," said Mikey Dickerson, who ran the U.S. Digital Service in the Obama administration.

By comparison, Mar-a-Lago budgeted $442,931 for security in 2016 -- slightly more than double the $200,000 initiation fee for one new member. The Trump Organization declined to say how much Mar-a-Lago spends specifically on digital security. The club, last reported to have almost 500 members paying annual dues of $14,000 apiece, allotted $1,703,163 for all administration last year, according to documents filed in a lawsuit Trump brought against Palm Beach County in an effort to halt commercial flights from flying over Mar-a-Lago. The lawsuit was dropped, but the FAA now restricts flights over the club when the president is there.

It is not clear whether Trump connects to the insecure networks while at his family's properties. When he travels, the president is provided with portable secure communications equipment. Trump tracked the military strike on a Syrian air base last month from a closed-door situation room at Mar-a-Lago with secure video equipment.

However, Trump has held sensitive meetings in public spaces at his properties. Most famously, in February, he and the Japanese prime minister discussed a North Korean missile test on the Mar-a-Lago patio. Over the course of that weekend in February, the president's Twitter account posted 21 tweets from an Android phone. An analysis by an Android-focused website showed that Trump had used the same make of phone since 2015. That phone is an older model that isn't approved by the NSA for classified use.

Photos of Trump and Abe taken by diners on that occasion prompted four Democratic senators to ask the Government Accountability Office to investigate whether electronic communications were secure at Mar-a-Lago.

In March, the GAO agreed to open an investigation. Chuck Young, a spokesman for the office, said in an interview that the work was in "the early stages," and did not offer an estimate for when the report would be completed.

So, we decided to test the cybersecurity of Trump's favorite hangouts ourselves.

Our first stop was Mar-a-Lago, a Trump country club in Palm Beach, Florida, where the president has spent most weekends since taking office. Driving past the club, we picked up the signal for a Wi-Fi-enabled combination printer and scanner that has been accessible since at least February 2016, according to a public Wi-Fi database.

An open printer may sound innocuous, but it can be used by hackers for everything from capturing all the documents sent to the device to trying to infiltrate the entire network.

To prevent such attacks, the Defense Information Systems Agency, which secures the White House and other military networks, forbids installing printers that anyone can connect to from outside networks. It also warns against using printers that do more than printing, such as faxing. "If an attacker gains network access to one of these devices, a wide range of exploits may be possible," the agency warns in its security guide.

We also were able to detect a misconfigured and unencrypted router, which could potentially provide a gateway for hackers.

To get a better line of sight, we rented a boat and piloted it to within sight of the club. There, we picked up signals from the club's wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP. In 2005, an FBI agent publicly broke this type of encryption in minutes.

By comparison, the military limits the signal strength of networks at places such as Camp David and the White House so that they are not reachable from a car driving by. It also requires wireless networks to use the strongest available form of encryption.

From our desks in New York, we were also able to determine that the club's website hosts a database with an insecure login page that is not protected by standard internet encryption. Login forms like this are considered a severe security risk, according to the Defense Information Systems Agency.

Without encryption, spies could eavesdrop on the network until a club employee logs in, and then steal his or her username and password. They then could download a database that appears to include sensitive information on the club's members and their families, according to videos posted by the club's software provider.

This is "bad, very bad," said Jeremiah Grossman, chief of Security Strategy for cybersecurity firm SentinelOne, when we described Mar-a-Lago's systems. "I'd assume the data is already stolen and systems compromised."

A few days later, we took our equipment to another Trump club in Bedminster, New Jersey. During the transition, Trump had interviewed candidates for top administration positions there, including James Mattis, now secretary of defense.

We drove on a dirt access road through the middle of the golf course and spotted two open Wi-Fi networks, TrumpMembers and WelcomeToTrumpNationalGolfClub, that did not require a password to join.

Such open networks allow anyone within range to scoop up all unencrypted internet activity taking place there, which could, on insecure sites, include usernames, passwords and emails.

Robert Graham, an Atlanta, Georgia, cybersecurity expert, said that hackers could use the open Wi-Fi to remotely turn on the microphones and cameras of devices connected to the network. "What you're describing is typical hotel security," he said, but "it's pretty concerning" that an attacker could listen to sensitive national security conversations.

Two days after we visited the Bedminster club, Trump arrived for a weekend stay.

Then we visited the Trump International Hotel in Washington, D.C., where Trump often dines with his son-in-law and senior adviser Jared Kushner, whose responsibilities range from Middle East diplomacy to revamping the federal bureaucracy. We surveyed the networks from a Starbucks in the hotel basement.

From there, we could tell there were two Wi-Fi networks at the hotel protected with what's known as a captive portal. These login screens are often used at airports and hotels to ensure that only paying customers can access the network.

However, we gained access to both networks just by typing "457" into the room number field. Because we provided a room number, the system assumed we were guests. We looked up the hotel's public IP address before logging off.

From our desks in New York, we could also tell that the hotel is using a server that is accessible from the public internet. This server is running software that was released almost 13 years ago.

Finally, we visited the Trump National Golf Club in Sterling, Virginia, where the president sometimes plays golf. From the parking lot, we recognized three encrypted wireless networks, an encrypted wireless phone and two printers with open Wi-Fi access.

The Trump club websites are hosted by an Ohio-based company called Clubessential. It offers everything from back-office management and member communications to tee time and room reservations.

In a 2014 presentation, a company sales director warned that the club industry as a whole is "too lax" in managing and protecting passwords. There has been a "rising number of attacks on club websites over the last two years," according to the presentation. Clubessential "performed [an] audit of security in the club industry" and "found thousands of sensitive documents from clubs exposed on [the] Internet," such as "lists of members and staff, and their contact info; board minutes, financial statements, etc."

Still, the club software company has set up a backend server accessible on the internet, and configured its encryption incorrectly. Anyone who reaches the login page is greeted with a warning that the encryption is broken. In its documentation, the company advises club administrators to ignore these warnings and log in regardless. That means that anybody snooping on the unprotected connection could intercept the administrators' passwords and gain access to the entire system.

The company also publishes online, without a password, many of the default settings and usernames for its software 2014 essentially providing a roadmap for intruders.

Clubessential declined comment.

Aitel, the CEO of Immunity, said the problems at Trump properties would be difficult to fix: "Once you are at a low level of security it is hard to develop a secure network system. You basically have to start over."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


60 Minutes Re-Broadcast Its 2014 Interview With FBI Director Comey

60 Minutes logo Last night, the 60 Minutes television show re-broadcast its 2014 interview with former Federal Bureau of Investigation (FBI) Director James Comey. The interview is important for several reasons.

Politically liberal people have criticized Comey for mentioning to Congress just before the 2016 election the FBI investigation of former Secretary of State Hilary Clinton's private e-mail server. Many believe that Comey's comments helped candidate Donald Trump win the Presidential election. Politically conservative people criticized Comey for not recommending prosecution of former Secretary Clinton.

The interview is a reminder of history and that reality is often far more nuanced and complicated. Back in 2004, when the George W. Bush administration sought a re-authorization of warrant-less e-mail/phone searches, 60 Minutes explained:

"At the time, Comey was in charge at the Justice Department because Attorney General John Ashcroft was in intensive care with near fatal pancreatitis. When Comey refused to sign off, the president's Chief of Staff Andy Card headed to the hospital to get Ashcroft's OK."

In the 2014 interview, Comey described his concerns in 2004 about key events:

"... [the government] cannot read your emails or listen to your calls without going to a federal judge, making a showing of probable cause that you are a terrorist, an agent of a foreign power, or a serious criminal of some sort, and get permission for a limited period of time to intercept those communications. It is an extremely burdensome process. And I like it that way... I was the deputy attorney general of the United States. We were not going to authorize, reauthorize or participate in activities that did not have a lawful basis."

During the interview in 2014 by 60 Minutes, then FBI Director Comey warned all Americans:

"I believe that Americans should be deeply skeptical of government power. You cannot trust people in power. The founders knew that. That's why they divided power among three branches, to set interest against interest... The promise I've tried to honor my entire career, that the rule of law and the design of the founders, right, the oversight of courts and the oversight of Congress will be at the heart of what the FBI does. The way you'd want it to be..."

The interview highlighted the letter Comey kept on his desk as a cautionary reminder of the excesses of government. That letter was about former FBI Director Herbert Hoover's investigations and excessive surveillance of the late Dr. Martin Luther King, Jr. Is Comey the bad guy that people on both sides of the political spectrum claim? Yes, history is far more complicated and nuanced.

So, history is complex and nuanced... far more than a simplistic, self-serving tweet:

Many have paid close attention for years. After the Snowden disclosures in 2013 about broad, warrantless searches and data collection programs by government intelligence agencies, in 2014 Comey urged all USA citizens to participate in a national discussion about the balance between privacy and surveillance.

You can read the full transcript of the 60 Minutes interview in 2014, watch this preview on Youtube, or watch last night's re-broadcast by 60 Minutes of the 2014 interview.